{ config, pkgs, ... }:
domain = "wiki.${config.networking.domain}";
listenPort = 8080;
sops.secrets = {
"mediawiki/initial_admin".owner = config.users.users.mediawiki.name;
"mediawiki/oidc_secret".owner = config.users.users.mediawiki.name;
systemd.services.mediawiki-init.after = [ "postgresql.service" ];
services = {
mediawiki = {
enable = true;
passwordFile = config.sops.secrets."mediawiki/initial_admin".path;
database.type = "postgres";
url = "https://${domain}";
httpd.virtualHost = {
adminAddr = "root@ifsr.de";
listen = [{
ip = "";
port = listenPort;
ssl = false;
# Short url support (e.g. https://wiki.ifsr.de/Page instead of .../index.php?title=Page)
# Recommended config taken from https://www.mediawiki.org/wiki/Manual:Short_URL/Apache
# See paragraph "If you are using a root url ..."
extraConfig = ''
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/rest\.php
RewriteCond %{REQUEST_URI} !^/images
RewriteRule ^(.*)$ %{DOCUMENT_ROOT}/index.php [L]
extraConfig = ''
$wgSitename = "FSR Wiki";
$wgArticlePath = '/$1';
$wgLogo = "/images/3/3b/LogoiFSR.png";
$wgLanguageCode = "de";
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['userrights'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
$wgEnableAPI = true;
$wgAllowUserCss = true;
$wgUseAjax = true;
$wgEnableMWSuggest = true;
$wgDefaultSkin = 'timeless';
//TODO what about $wgUpgradeKey ?
# Auth
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
$wgOpenIDConnect_MigrateUsersByEmail = true;
//$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_Config["iFSR Login"] = [
"plugin" => "OpenIDConnect",
"data" => [
"providerURL" => "https://sso.ifsr.de/realms/internal",
"clientID" => "wiki",
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
extensions = {
# some extensions are bundled with MediaWiki and can be enabled by passing null
VisualEditor = null;
# the directory inside the extensions folder of mediawiki-1.42.3.tar.gz is called "SyntaxHighlight_GeSHi", not "SyntaxHighlight"
SyntaxHighlight_GeSHi = null;
# fetching from gerrit is broken
PluggableAuth = pkgs.fetchFromGitHub {
owner = "wikimedia";
repo = "mediawiki-extensions-PluggableAuth";
rev = "7.3.0";
hash = "sha256-d9hztPSdAcyNxaxiB5Bfb4UhfLrjqpJbkto+pxfSPMY=";
OpenIDConnect = pkgs.fetchFromGitHub {
owner = "wikimedia";
repo = "mediawiki-extensions-OpenIDConnect";
rev = "8.2.0";
hash = "sha256-wVlAEMcBphw/MoREjiG90UWpQrV3aGAdhPd3rCrI/+Y=";
nginx = {
recommendedProxySettings = true;
virtualHosts.${domain} = {
locations."/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
locations."/" = {
proxyPass = "${toString listenPort}";
proxyWebsockets = true;
locations."~ ^/ese(/?[^\\n|\\r]*)$".return = "301 https://wiki.ese.ifsr.de$1";
locations."~ ^/fsr(/?[^\\n|\\r]*)$".return = "301 https://wiki.ifsr.de$1";
locations."~ ^/vernetzung(/?[^\\n|\\r]*)$".return = "301 https://vernetzung.ifsr.de$1";