feat(pm/wiki): factor into ingredient · freshlybakedca.ke/patisserie@6a85078

freshlybakedca.ke / patisserie

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

Your one-stop-cake-shop for everything Freshly Baked has to offer

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

feat(pm/wiki): factor into ingredient

I want to have a private copy of the wiki on umber and a public copy on
teal. It would be good to share configs between them, so we should use
an ingredient for this

Skyler Grey 3 months ago 6a85078f 2afc3a90

packetmix-npins-duplicate-check.yml

failed 3m 6s

packetmix-treefmt.yaml

failed 5s

reuse.yml

failed 3m 7s

+441 -348

18 changed files

expand all collapse all

packetmix

systems

default.nix

teal

headscale.nix

wiki.nix

umber

postgresql.nix

wiki.nix

wiki

CirrusSearch.composer.lock

CirrusSearch.composer.lock.license

Elastica.composer.lock

Elastica.composer.lock.license

Network.composer.lock

Network.composer.lock.license

OpenIDConnect.composer.lock

OpenIDConnect.composer.lock.license

favicon.ico

favicon.ico.license

icon.svg

icon.svg.license

wiki.nix

packetmix/systems/default.nix

reviewed

··· 90 90 ingredients = [ 91 91 "freshlybakedcake" 92 92 "server" 93 93 + "wiki" 93 94 ]; 94 95 args = { 95 96 system = "x86_64-linux"; ··· 101 102 ingredients = [ 102 103 "freshlybakedcake" 103 104 "server" 105 105 + "wiki" 104 106 ]; 105 107 args = { 106 108 system = "x86_64-linux";

packetmix/systems/teal/headscale.nix

reviewed

··· 125 125 type = "A"; 126 126 value = "100.64.0.37"; 127 127 } 128 128 + { 129 129 + # wiki.starrysky.fyi -> umber 130 130 + name = "wiki.starrysky.fyi"; 131 131 + type = "A"; 132 132 + value = "100.64.0.48"; 133 133 + } 128 134 ]; 129 135 nameservers.global = [ 130 136 "1.1.1.1"

+6 -348

packetmix/systems/teal/wiki.nix

reviewed

··· 1 1 # SPDX-FileCopyrightText: 2025 FreshlyBakedCake 2 2 + # SPDX-FileCopyrightText: 2026 Collabora Productivity Limited 2 3 # 3 4 # SPDX-License-Identifier: MIT 4 5 5 6 { 6 6 - project, 7 7 - system, 8 8 - config, 9 9 - pkgs, 10 10 - lib, 11 11 - ... 12 12 - }: 13 13 - { 14 14 - clicks.storage.impermanence.persist.directories = [ 15 15 - { 16 16 - directory = "/var/lib/mediawiki"; 17 17 - mode = "0700"; 18 18 - user = "mediawiki"; 19 19 - defaultPerms.mode = "0700"; 20 20 - } 21 21 - { 22 22 - directory = "/var/lib/private/opensearch"; 23 23 - mode = "0700"; 24 24 - user = "opensearch"; 25 25 - defaultPerms.mode = "0700"; 26 26 - } 27 27 - ]; 28 28 - 29 29 - services.mediawiki = { 30 30 - enable = true; 31 31 - package = project.inputs.nixos-unstable.result.${system}.mediawiki; # header auth master requires mediawiki unstable - header auth stable is broken on missing Hooks (recently removed in stable MW version) 32 32 - phpPackage = pkgs.php83.withExtensions ({ enabled, all }: enabled ++ [ all.luasandbox ]); 33 33 - database.type = "postgres"; 34 34 - path = [ 35 35 - pkgs.diffutils 36 36 - pkgs.imagemagick 37 37 - pkgs.python3Packages.pygments 38 38 - ]; 39 39 - extensions = { 40 40 - AdvancedSearch = project.inputs.AdvancedSearch.src; 41 41 - Auth_remoteuser = project.inputs.Auth_remoteuser.src; # header auth 42 42 - AutoCreateCategoryPages = project.inputs.AutoCreateCategoryPages.src; 43 43 - Cargo = project.inputs.Cargo.src; # queries and soforth 44 44 - CategoryTree = null; 45 45 - CheckUser = null; 46 46 - Cite = null; 47 47 - CiteThisPage = null; 48 48 - CirrusSearch = "${ 49 49 - pkgs.php.buildComposerProject { 50 50 - pname = "CirrusSearch"; 51 51 - version = "0.0.3665"; 52 52 - src = project.inputs.CirrusSearch.src; 53 53 - vendorHash = "sha256-MLD/3hvzX1aqR4knajJ1amb6K5SVtxlfy+UZWoSi1Bk="; 54 54 - composerLock = ./wiki/CirrusSearch.composer.lock; 55 55 - } 56 56 - }/share/php/CirrusSearch"; # needed for advancedsearch 57 57 - CodeEditor = null; 58 58 - DiscussionTools = null; 59 59 - Echo = null; 60 60 - EditNotify = project.inputs.EditNotify.src; 61 61 - Elastica = "${ 62 62 - pkgs.php.buildComposerProject { 63 63 - pname = "Elastica"; 64 64 - version = "0.0.3665"; 65 65 - src = project.inputs.Elastica.src; 66 66 - vendorHash = "sha256-4kp8njLTqPeFCREnGharCB/pmYBnXLJR4TdD6EH6WCI="; 67 67 - composerLock = ./wiki/Elastica.composer.lock; 68 68 - } 69 69 - }/share/php/Elastica"; # needed for cirrussearch 70 70 - Linter = null; 71 71 - Math = null; 72 72 - MobileFrontend = project.inputs.MobileFrontend.src; 73 73 - NamespacePreload = project.inputs.NamespacePreload.src; 74 74 - Network = "${ 75 75 - config.services.phpfpm.pools.mediawiki.phpPackage.buildComposerProject { 76 76 - pname = "Network"; 77 77 - version = "0.0.3665"; 78 78 - src = project.inputs.Network.src; 79 79 - vendorHash = "sha256-JHa6PW5xO3pcwn/2jbGXM0wGhr6UmtqFdxaGCgpaYb0="; 80 80 - composerLock = ./wiki/Network.composer.lock; 81 81 - } 82 82 - }/share/php/Network"; # for page connection graphs 83 83 - OpenIDConnect = "${ 84 84 - pkgs.php.buildComposerProject { 85 85 - pname = "OpenIDConnect"; 86 86 - version = "0.0.3665"; 87 87 - src = project.inputs.OpenIDConnect.src; 88 88 - vendorHash = "sha256-DjxyOK21tbBEj6hFfhVNDxeNu4a26hvMRHgD/u24ZT0="; 89 89 - composerLock = ./wiki/OpenIDConnect.composer.lock; 90 90 - 91 91 - postInstall = '' 92 92 - cat sql/postgres/ChangePrimaryKey.sql | sed 's/DROP INDEX "primary"/ALTER TABLE openid_connect DROP CONSTRAINT openid_connect_pkey/' > $out/share/php/OpenIDConnect/sql/postgres/ChangePrimaryKey.sql 93 93 - ''; 94 94 - } 95 95 - }/share/php/OpenIDConnect"; 96 96 - ParserFunctions = null; 97 97 - PluggableAuth = project.inputs.PluggableAuth.src; # needed for OIDC 98 98 - Poem = null; 99 99 - ReplaceText = null; 100 100 - Scribunto = null; 101 101 - SecureLinkFixer = null; 102 102 - SimpleTooltip = project.inputs.SimpleTooltip.src; 103 103 - SyntaxHighlight_GeSHi = null; 104 104 - TemplateData = null; 105 105 - TemplateStyles = null; 106 106 - Thanks = null; 107 107 - UserMerge = project.inputs.UserMerge.src; 108 108 - VisualEditor = null; 109 109 - WikiEditor = null; 110 110 - }; 111 111 - extraConfig = '' 112 112 - $wgMaxUploadSize = 1024*1024*1024*8; 113 113 - $wgGroupPermissions['autoconfirmed']['upload_by_url'] = true; 114 114 - $wgGroupPermissions['autoconfirmed']['interwiki'] = true; // https://wiki.freshly.space/wiki/Special:Interwiki - edit shortlink prefixes, crazy-strong permission but we trust our friends 115 115 - $wgAllowCopyUploads = true; 116 116 - $wgCopyUploadsFromSpecialUpload = true; 117 117 - 118 118 - $wgSMTP = [ 119 119 - 'host' => 'ssl://mail.freshly.space', 120 120 - 'IDHost' => 'wiki.freshly.space', 121 121 - 'localhost' => 'wiki.freshly.space', 122 122 - 'port' => 465, 123 123 - 'auth' => true, 124 124 - 'username' => 'automated@freshly.space', 125 125 - 'password' => trim(file_get_contents('/secrets/mediawiki/mail_password.txt')) 126 126 - ]; 127 127 - $wgLocalInterwikis = [ 128 128 - 'fbc' 129 129 - ]; 130 130 - 131 131 - $wgWhitelistReadRegexp = [ 132 132 - '/^Main Page$/', 133 133 - '/^Public:/', 134 134 - '/^User:/' 135 135 - ]; 136 136 - $wgGroupPermissions['*']['read'] = false; 137 137 - $wgGroupPermissions['*']['edit'] = false; 138 138 - $wgGroupPermissions['*']['createaccount'] = false; 139 139 - $wgGroupPermissions['*']['autocreateaccount'] = true; 140 140 - 141 141 - $wgGroupPermissions['bureaucrat']['usermerge'] = true; 142 142 - 143 143 - $wgAuthRemoteuserUserName = function () { 144 144 - if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) { 145 145 - return ""; 146 146 - } 147 147 - 148 148 - if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') { 149 149 - return 'HyperNeutrino'; 150 150 - } 151 151 - 152 152 - return $_SERVER['HTTP_X_WEBAUTH_LOGIN']; 153 153 - }; 154 154 - $wgAuthRemoteuserPriority = MediaWiki\Session\SessionInfo::MAX_PRIORITY; 155 155 - 156 156 - $wgUseCdn = true; 157 157 - $wgCdnServersNoPurge = [ 158 158 - '127.0.0.1' 159 159 - ]; 160 160 - $wgUsePrivateIPs = true; 161 161 - 162 162 - $wgUseInstantCommons = true; 163 163 - $wgPingback = false; 164 164 - 165 165 - $wgPluggableAuth_Config = [ 166 166 - 'Freshly Baked Cake Kanidm' => [ 167 167 - 'plugin' => 'OpenIDConnect', 168 168 - 'data' => [ 169 169 - 'providerURL' => 'https://idm.freshly.space/oauth2/openid/mediawiki', 170 170 - 'clientID' => 'mediawiki', 171 171 - 'clientsecret' => trim(file_get_contents('/secrets/mediawiki/oidc_client_secret.txt')), 172 172 - 'codeChallengeMethod' => 'S256' 173 173 - ] 174 174 - ] 175 175 - ]; 176 176 - 177 177 - $wgOpenIDConnect_MigrateUsersByUserName = true; 178 178 - 179 179 - $wgLogos = [ 180 180 - 'icon' => '/icon.svg', 181 181 - 'svg' => '/icon.svg' 182 182 - ]; 183 183 - 184 184 - $wgPygmentizePath = '${pkgs.python3Packages.pygments}/bin/pygmentize'; 185 185 - 186 186 - $wgScribuntoDefaultEngine = 'luasandbox'; 187 187 - 188 188 - $wgNamespacesWithSubpages[NS_MAIN] = true; 189 189 - 190 190 - $wgNamespacePreloadDoExpansion = false; // This can't expand {{PAGENAME}} (or like) correctly, making it very nearly useless 191 191 - 192 192 - $wgCirrusSearchServers = [ 193 193 - [ 194 194 - "host" => '127.0.0.1', 195 195 - "port" => 1037 196 196 - ] 197 197 - ]; 198 198 - $wgSearchType = 'CirrusSearch'; 199 199 - $wgNamespacesToBeSearchedDefault[NS_CATEGORY] = true; 200 200 - 201 201 - $wgUrlProtocols[] = "rad:"; 202 202 - 203 203 - $wgSVGNativeRendering = true; 204 204 - 205 205 - $wgRCWatchCategoryMembership = true; 206 206 - 207 207 - $wgCargoPageDataColumns[] = 'creationDate'; 208 208 - $wgCargoPageDataColumns[] = 'modificationDate'; 209 209 - $wgCargoPageDataColumns[] = 'creator'; 210 210 - $wgCargoPageDataColumns[] = 'lastEditor'; 211 211 - $wgCargoPageDataColumns[] = 'displayTitle'; 212 212 - $wgCargoPageDataColumns[] = 'categories'; 213 213 - $wgCargoPageDataColumns[] = 'numRevisions'; 214 214 - $wgCargoPageDataColumns[] = 'outgoingLinks'; 215 215 - $wgCargoPageDataColumns[] = 'isRedirect'; 216 216 - $wgCargoPageDataColumns[] = 'pageNameOrRedirect'; 217 217 - $wgCargoPageDataColumns[] = 'pageIDOrRedirect'; 218 218 - 219 219 - $wgCargoFileDataColumns[] = 'mediaType'; 220 220 - $wgCargoFileDataColumns[] = 'path'; 221 221 - $wgCargoFileDataColumns[] = 'lastUploadDate'; 222 222 - 223 223 - $wgFixDoubleRedirects = true; 224 224 - 225 225 - $wgMFAutodetectMobileView = true; 226 226 - $wgMFEnableMobilePreferences = true; 227 227 - wfLoadSkin( 'MinervaNeue' ); 228 228 - 229 229 - $wgShowExceptionDetails = true; 230 230 - $wgDevelopmentWarnings = true; 231 231 - ''; 232 232 - webserver = "nginx"; 233 233 - url = "https://wiki.freshly.space"; 234 234 - nginx.hostName = "wiki.freshly.space"; 235 235 - name = "Freshly Wiki"; 236 236 - database.createLocally = true; 237 237 - 238 238 - passwordSender = "wiki@freshly.space"; 239 239 - 240 240 - passwordFile = "/secrets/mediawiki/initial_admin_password.txt"; 241 241 - }; 242 242 - 243 243 - systemd.timers.mediawiki-maintenance = { 244 244 - wantedBy = [ "timers.target" ]; 245 245 - timerConfig = { 246 246 - OnUnitActiveSec = "30"; 247 247 - OnBootSec = "30"; 248 248 - Persistent = false; 249 249 - Unit = "mediawiki-maintenance.service"; 250 250 - }; 251 251 - }; 252 252 - 253 253 - systemd.services.mediawiki-maintenance = { 254 254 - script = '' 255 255 - ${config.services.phpfpm.pools.mediawiki.phpPackage}/bin/php ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php runJobs --memory-limit 1G --maxtime 30 256 256 - ''; 257 257 - serviceConfig = { 258 258 - Type = "oneshot"; 259 259 - RemainAfterExit = false; 260 260 - User = "mediawiki"; 261 261 - Group = "nginx"; 262 262 - PrivateTmp = true; 263 263 - Environment = "MEDIAWIKI_CONFIG=${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG}"; 264 264 - }; 265 265 - }; 266 266 - 267 267 - services.opensearch = { 268 268 - # needed for cirrussearch 269 269 - enable = true; 270 270 - package = project.packages.opensearch.result.${system}; 271 271 - settings = { 272 272 - "http.port" = 1037; 273 273 - "path.data" = "/var/lib/private/opensearch/data"; 274 274 - "path.logs" = "/var/lib/private/opensearch/logs"; 275 275 - }; 276 276 - }; 277 277 - 278 278 - services.nginx.enable = true; 279 7 services.headscale.settings.dns.extra_records = [ 280 8 { 281 9 # wiki.freshly.space -> teal ··· 284 12 value = "100.64.0.5"; 285 13 } 286 14 ]; 287 287 - services.nginx.virtualHosts."wiki.freshly.space" = { 288 288 - listen = [ 289 289 - { 290 290 - addr = "127.0.0.1"; 291 291 - port = 1036; 292 292 - } 293 293 - ]; 294 15 295 295 - locations = { 296 296 - "= /" = lib.mkForce { 297 297 - extraConfig = '' 298 298 - return 301 https://wiki.freshly.space/wiki/; 299 299 - ''; # overriding nixpkgs /wiki/ redirect since as our double-proxy makes it redirect to :1036 300 300 - }; 301 301 - "= /favicon.ico".alias = ./wiki/favicon.ico; 302 302 - "= /icon.svg".alias = ./wiki/icon.svg; 303 303 - }; 304 304 - 305 305 - extraConfig = '' 306 306 - client_max_body_size 1024M; 307 307 - ''; 308 308 - }; 309 309 - services.nginx.virtualHosts."external.wiki.freshly.space" = { 310 310 - listenAddresses = [ 311 311 - "0.0.0.0" 312 312 - "[::0]" 313 313 - ]; 314 314 - 315 315 - serverName = "wiki.freshly.space"; 316 316 - 317 317 - addSSL = true; 318 318 - enableACME = true; 319 319 - acmeRoot = null; 320 320 - 321 321 - locations."/" = { 322 322 - proxyPass = "http://127.0.0.1:1036"; 323 323 - recommendedProxySettings = true; 324 324 - proxyWebsockets = true; 325 325 - 326 326 - extraConfig = '' 327 327 - proxy_set_header X-Webauth-Login ""; 328 328 - proxy_cache off; 329 329 - ''; 330 330 - }; 331 331 - 332 332 - extraConfig = '' 333 333 - client_max_body_size 1024M; 334 334 - ''; 335 335 - }; 336 336 - services.nginx.virtualHosts."internal.wiki.freshly.space" = { 337 337 - listenAddresses = [ "localhost.tailscale" ]; 338 338 - 339 339 - serverName = "wiki.freshly.space"; 340 340 - 341 341 - addSSL = true; 342 342 - enableACME = true; 343 343 - acmeRoot = null; 344 344 - 345 345 - locations."/" = { 346 346 - proxyPass = "http://127.0.0.1:1036"; 347 347 - recommendedProxySettings = true; 348 348 - proxyWebsockets = true; 349 349 - 350 350 - extraConfig = '' 351 351 - proxy_cache off; 352 352 - ''; 353 353 - }; 354 354 - 355 355 - extraConfig = '' 356 356 - client_max_body_size 1024M; 357 357 - ''; 358 358 - }; 359 359 - 360 360 - services.nginx.tailscaleAuth = { 361 361 - enable = true; 362 362 - virtualHosts = [ "internal.wiki.freshly.space" ]; 16 16 + ingredient.wiki.wiki = { 17 17 + hostname = "wiki.freshly.space"; 18 18 + email = "wiki@freshly.space"; 19 19 + enablePublicInternet = true; 20 20 + enableAutoRegistration = true; 363 21 }; 364 22 }

packetmix/systems/teal/wiki/CirrusSearch.composer.lock packetmix/systems/wiki/wiki/CirrusSearch.composer.lock

reviewed

packetmix/systems/teal/wiki/CirrusSearch.composer.lock.license packetmix/systems/wiki/wiki/CirrusSearch.composer.lock.license

reviewed

packetmix/systems/teal/wiki/Elastica.composer.lock packetmix/systems/wiki/wiki/Elastica.composer.lock

reviewed

packetmix/systems/teal/wiki/Elastica.composer.lock.license packetmix/systems/wiki/wiki/Elastica.composer.lock.license

reviewed

packetmix/systems/teal/wiki/Network.composer.lock packetmix/systems/wiki/wiki/Network.composer.lock

reviewed

packetmix/systems/teal/wiki/Network.composer.lock.license packetmix/systems/wiki/wiki/Network.composer.lock.license

reviewed

packetmix/systems/teal/wiki/OpenIDConnect.composer.lock packetmix/systems/wiki/wiki/OpenIDConnect.composer.lock

reviewed

packetmix/systems/teal/wiki/OpenIDConnect.composer.lock.license packetmix/systems/wiki/wiki/OpenIDConnect.composer.lock.license

reviewed

packetmix/systems/teal/wiki/favicon.ico packetmix/systems/wiki/wiki/favicon.ico

reviewed

packetmix/systems/teal/wiki/favicon.ico.license packetmix/systems/wiki/wiki/favicon.ico.license

reviewed

packetmix/systems/teal/wiki/icon.svg packetmix/systems/wiki/wiki/icon.svg

reviewed

packetmix/systems/teal/wiki/icon.svg.license packetmix/systems/wiki/wiki/icon.svg.license

reviewed

packetmix/systems/umber/postgresql.nix

reviewed

··· 1 1 + # SPDX-FileCopyrightText: 2025 FreshlyBakedCake 2 2 + # 3 3 + # SPDX-License-Identifier: MIT 4 4 + 5 5 + { 6 6 + clicks.storage.impermanence.persist.directories = [ 7 7 + "/var/lib/postgresql" 8 8 + ]; 9 9 + }

+11

packetmix/systems/umber/wiki.nix

reviewed

··· 1 1 + # SPDX-FileCopyrightText: 2026 Collabora Productivity Limited 2 2 + # 3 3 + # SPDX-License-Identifier: MIT 4 4 + 5 5 + { 6 6 + ingredient.wiki.wiki = { 7 7 + name = "Starry Sky Wiki"; 8 8 + hostname = "wiki.starrysky.fyi"; 9 9 + email = "wiki@starrysky.fyi"; 10 10 + }; 11 11 + }

+407

packetmix/systems/wiki/wiki.nix

reviewed

··· 1 1 + # SPDX-FileCopyrightText: 2025 FreshlyBakedCake 2 2 + # SPDX-FileCopyrightText: 2026 Collabora Productivity Limited 3 3 + # 4 4 + # SPDX-License-Identifier: MIT 5 5 + 6 6 + # This ingredient has some default values (including OIDC config/etc.) that make it probably unsuitable for use outside of Freshly Baked. Sorry. 7 7 + { 8 8 + project, 9 9 + system, 10 10 + config, 11 11 + pkgs, 12 12 + lib, 13 13 + ... 14 14 + }: 15 15 + { 16 16 + options.ingredient.wiki.wiki = { 17 17 + name = lib.mkOption { 18 18 + type = lib.types.str; 19 19 + description = "What should your wiki be called"; 20 20 + default = "Freshly Wiki"; 21 21 + }; 22 22 + hostname = lib.mkOption { 23 23 + type = lib.types.str; 24 24 + description = "Where your wiki should be hosted"; 25 25 + }; 26 26 + email = lib.mkOption { 27 27 + type = lib.types.str; 28 28 + description = "What email should notifications/password resets/etc. come from"; 29 29 + }; 30 30 + enablePublicInternet = lib.mkEnableOption "Allow access from the public internet with authentication via OIDC"; 31 31 + enableAutoRegistration = lib.mkEnableOption "Allow unregistered users to automatically register via OIDC or Tailscale"; 32 32 + }; 33 33 + 34 34 + config = { 35 35 + clicks.storage.impermanence.persist.directories = [ 36 36 + { 37 37 + directory = "/var/lib/mediawiki"; 38 38 + mode = "0700"; 39 39 + user = "mediawiki"; 40 40 + defaultPerms.mode = "0700"; 41 41 + } 42 42 + { 43 43 + directory = "/var/lib/private/opensearch"; 44 44 + mode = "0700"; 45 45 + user = "opensearch"; 46 46 + defaultPerms.mode = "0700"; 47 47 + } 48 48 + ]; 49 49 + 50 50 + services.mediawiki = { 51 51 + enable = true; 52 52 + package = project.inputs.nixos-unstable.result.${system}.mediawiki; # header auth master requires mediawiki unstable - header auth stable is broken on missing Hooks (recently removed in stable MW version) 53 53 + phpPackage = pkgs.php83.withExtensions ({ enabled, all }: enabled ++ [ all.luasandbox ]); 54 54 + database.type = "postgres"; 55 55 + path = [ 56 56 + pkgs.diffutils 57 57 + pkgs.imagemagick 58 58 + pkgs.python3Packages.pygments 59 59 + ]; 60 60 + extensions = { 61 61 + AdvancedSearch = project.inputs.AdvancedSearch.src; 62 62 + Auth_remoteuser = project.inputs.Auth_remoteuser.src; # header auth 63 63 + AutoCreateCategoryPages = project.inputs.AutoCreateCategoryPages.src; 64 64 + Cargo = project.inputs.Cargo.src; # queries and soforth 65 65 + CategoryTree = null; 66 66 + CheckUser = null; 67 67 + Cite = null; 68 68 + CiteThisPage = null; 69 69 + CirrusSearch = "${ 70 70 + pkgs.php.buildComposerProject { 71 71 + pname = "CirrusSearch"; 72 72 + version = "0.0.3665"; 73 73 + src = project.inputs.CirrusSearch.src; 74 74 + vendorHash = "sha256-MLD/3hvzX1aqR4knajJ1amb6K5SVtxlfy+UZWoSi1Bk="; 75 75 + composerLock = ./wiki/CirrusSearch.composer.lock; 76 76 + } 77 77 + }/share/php/CirrusSearch"; # needed for advancedsearch 78 78 + CodeEditor = null; 79 79 + DiscussionTools = null; 80 80 + Echo = null; 81 81 + EditNotify = project.inputs.EditNotify.src; 82 82 + Elastica = "${ 83 83 + pkgs.php.buildComposerProject { 84 84 + pname = "Elastica"; 85 85 + version = "0.0.3665"; 86 86 + src = project.inputs.Elastica.src; 87 87 + vendorHash = "sha256-4kp8njLTqPeFCREnGharCB/pmYBnXLJR4TdD6EH6WCI="; 88 88 + composerLock = ./wiki/Elastica.composer.lock; 89 89 + } 90 90 + }/share/php/Elastica"; # needed for cirrussearch 91 91 + Linter = null; 92 92 + Math = null; 93 93 + MobileFrontend = project.inputs.MobileFrontend.src; 94 94 + NamespacePreload = project.inputs.NamespacePreload.src; 95 95 + Network = "${ 96 96 + config.services.phpfpm.pools.mediawiki.phpPackage.buildComposerProject { 97 97 + pname = "Network"; 98 98 + version = "0.0.3665"; 99 99 + src = project.inputs.Network.src; 100 100 + vendorHash = "sha256-JHa6PW5xO3pcwn/2jbGXM0wGhr6UmtqFdxaGCgpaYb0="; 101 101 + composerLock = ./wiki/Network.composer.lock; 102 102 + } 103 103 + }/share/php/Network"; # for page connection graphs 104 104 + OpenIDConnect = lib.mkIf config.ingredient.wiki.wiki.enablePublicInternet "${ 105 105 + pkgs.php.buildComposerProject { 106 106 + pname = "OpenIDConnect"; 107 107 + version = "0.0.3665"; 108 108 + src = project.inputs.OpenIDConnect.src; 109 109 + vendorHash = "sha256-DjxyOK21tbBEj6hFfhVNDxeNu4a26hvMRHgD/u24ZT0="; 110 110 + composerLock = ./wiki/OpenIDConnect.composer.lock; 111 111 + 112 112 + postInstall = '' 113 113 + cat sql/postgres/ChangePrimaryKey.sql | sed 's/DROP INDEX "primary"/ALTER TABLE openid_connect DROP CONSTRAINT openid_connect_pkey/' > $out/share/php/OpenIDConnect/sql/postgres/ChangePrimaryKey.sql 114 114 + ''; 115 115 + } 116 116 + }/share/php/OpenIDConnect"; 117 117 + ParserFunctions = null; 118 118 + PluggableAuth = lib.mkIf config.ingredient.wiki.wiki.enablePublicInternet project.inputs.PluggableAuth.src; # needed for OIDC 119 119 + Poem = null; 120 120 + ReplaceText = null; 121 121 + Scribunto = null; 122 122 + SecureLinkFixer = null; 123 123 + SimpleTooltip = project.inputs.SimpleTooltip.src; 124 124 + SyntaxHighlight_GeSHi = null; 125 125 + TemplateData = null; 126 126 + TemplateStyles = null; 127 127 + Thanks = null; 128 128 + UserMerge = project.inputs.UserMerge.src; 129 129 + VisualEditor = null; 130 130 + WikiEditor = null; 131 131 + }; 132 132 + extraConfig = '' 133 133 + $wgMaxUploadSize = 1024*1024*1024*8; 134 134 + $wgGroupPermissions['autoconfirmed']['upload_by_url'] = true; 135 135 + $wgGroupPermissions['autoconfirmed']['interwiki'] = true; // Special:Interwiki - edit shortlink prefixes, crazy-strong permission but we trust our friends 136 136 + $wgAllowCopyUploads = true; 137 137 + $wgCopyUploadsFromSpecialUpload = true; 138 138 + 139 139 + $wgSMTP = [ 140 140 + 'host' => 'ssl://mail.freshly.space', 141 141 + 'IDHost' => '${config.ingredient.wiki.wiki.hostname}', 142 142 + 'localhost' => '${config.ingredient.wiki.wiki.hostname}', 143 143 + 'port' => 465, 144 144 + 'auth' => true, 145 145 + 'username' => 'automated@freshly.space', 146 146 + 'password' => trim(file_get_contents('/secrets/mediawiki/mail_password.txt')) 147 147 + ]; 148 148 + $wgLocalInterwikis = [ 149 149 + 'fbc' 150 150 + ]; 151 151 + 152 152 + $wgWhitelistReadRegexp = [ 153 153 + '/^Main Page$/', 154 154 + '/^Public:/', 155 155 + '/^User:/' 156 156 + ]; 157 157 + $wgGroupPermissions['*']['read'] = false; 158 158 + $wgGroupPermissions['*']['edit'] = false; 159 159 + $wgGroupPermissions['*']['createaccount'] = false; 160 160 + $wgGroupPermissions['*']['autocreateaccount'] = ${ 161 161 + if config.ingredient.wiki.wiki.enableAutoRegistration then "true" else "false" 162 162 + }; 163 163 + 164 164 + $wgGroupPermissions['bureaucrat']['usermerge'] = true; 165 165 + 166 166 + $wgAuthRemoteuserUserName = function () { 167 167 + if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) { 168 168 + return ""; 169 169 + } 170 170 + 171 171 + if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') { 172 172 + return 'HyperNeutrino'; 173 173 + } 174 174 + 175 175 + return $_SERVER['HTTP_X_WEBAUTH_LOGIN']; 176 176 + }; 177 177 + $wgAuthRemoteuserPriority = MediaWiki\Session\SessionInfo::MAX_PRIORITY; 178 178 + 179 179 + $wgUseCdn = true; 180 180 + $wgCdnServersNoPurge = [ 181 181 + '127.0.0.1' 182 182 + ]; 183 183 + $wgUsePrivateIPs = true; 184 184 + 185 185 + $wgUseInstantCommons = true; 186 186 + $wgPingback = false; 187 187 + 188 188 + ${ 189 189 + if config.ingredient.wiki.wiki.enablePublicInternet then 190 190 + '' 191 191 + $wgPluggableAuth_Config = [ 192 192 + 'Freshly Baked Cake Kanidm' => [ 193 193 + 'plugin' => 'OpenIDConnect', 194 194 + 'data' => [ 195 195 + 'providerURL' => 'https://idm.freshly.space/oauth2/openid/mediawiki', 196 196 + 'clientID' => 'mediawiki', 197 197 + 'clientsecret' => trim(file_get_contents('/secrets/mediawiki/oidc_client_secret.txt')), 198 198 + 'codeChallengeMethod' => 'S256' 199 199 + ] 200 200 + ] 201 201 + ]; 202 202 + '' 203 203 + else 204 204 + "" 205 205 + } 206 206 + 207 207 + $wgOpenIDConnect_MigrateUsersByUserName = true; 208 208 + 209 209 + $wgLogos = [ 210 210 + 'icon' => '/icon.svg', 211 211 + 'svg' => '/icon.svg' 212 212 + ]; 213 213 + 214 214 + $wgPygmentizePath = '${pkgs.python3Packages.pygments}/bin/pygmentize'; 215 215 + 216 216 + $wgScribuntoDefaultEngine = 'luasandbox'; 217 217 + 218 218 + $wgNamespacesWithSubpages[NS_MAIN] = true; 219 219 + 220 220 + $wgNamespacePreloadDoExpansion = false; // This can't expand {{PAGENAME}} (or like) correctly, making it very nearly useless 221 221 + 222 222 + $wgCirrusSearchServers = [ 223 223 + [ 224 224 + "host" => '127.0.0.1', 225 225 + "port" => 1037 226 226 + ] 227 227 + ]; 228 228 + $wgSearchType = 'CirrusSearch'; 229 229 + $wgNamespacesToBeSearchedDefault[NS_CATEGORY] = true; 230 230 + 231 231 + $wgUrlProtocols[] = "rad:"; 232 232 + 233 233 + $wgSVGNativeRendering = true; 234 234 + 235 235 + $wgRCWatchCategoryMembership = true; 236 236 + 237 237 + $wgCargoPageDataColumns[] = 'creationDate'; 238 238 + $wgCargoPageDataColumns[] = 'modificationDate'; 239 239 + $wgCargoPageDataColumns[] = 'creator'; 240 240 + $wgCargoPageDataColumns[] = 'lastEditor'; 241 241 + $wgCargoPageDataColumns[] = 'displayTitle'; 242 242 + $wgCargoPageDataColumns[] = 'categories'; 243 243 + $wgCargoPageDataColumns[] = 'numRevisions'; 244 244 + $wgCargoPageDataColumns[] = 'outgoingLinks'; 245 245 + $wgCargoPageDataColumns[] = 'isRedirect'; 246 246 + $wgCargoPageDataColumns[] = 'pageNameOrRedirect'; 247 247 + $wgCargoPageDataColumns[] = 'pageIDOrRedirect'; 248 248 + 249 249 + $wgCargoFileDataColumns[] = 'mediaType'; 250 250 + $wgCargoFileDataColumns[] = 'path'; 251 251 + $wgCargoFileDataColumns[] = 'lastUploadDate'; 252 252 + 253 253 + $wgFixDoubleRedirects = true; 254 254 + 255 255 + $wgMFAutodetectMobileView = true; 256 256 + $wgMFEnableMobilePreferences = true; 257 257 + wfLoadSkin( 'MinervaNeue' ); 258 258 + 259 259 + $wgShowExceptionDetails = true; 260 260 + $wgDevelopmentWarnings = true; 261 261 + ''; 262 262 + webserver = "nginx"; 263 263 + url = "https://${config.ingredient.wiki.wiki.hostname}"; 264 264 + nginx.hostName = config.ingredient.wiki.wiki.hostname; 265 265 + inherit (config.ingredient.wiki.wiki) name; 266 266 + database = { 267 267 + passwordFile = builtins.toFile "unused-mediawiki-postgress-password" "userpass"; # This isn't actually needed for running a wiki, but some of the initialization scripts do require it. It's not a real password. 268 268 + createLocally = false; # We can't use createLocally with passwordFile, which is needed during initialization... we'll ensure the database ourself below :( 269 269 + 270 270 + socket = "/run/postgresql"; 271 271 + }; 272 272 + 273 273 + passwordSender = config.ingredient.wiki.wiki.email; 274 274 + 275 275 + passwordFile = "/secrets/mediawiki/initial_admin_password.txt"; 276 276 + }; 277 277 + 278 278 + services.postgresql = { 279 279 + enable = true; 280 280 + ensureDatabases = [ config.services.mediawiki.database.name ]; 281 281 + ensureUsers = [ 282 282 + { 283 283 + name = config.services.mediawiki.database.user; 284 284 + ensureDBOwnership = true; 285 285 + } 286 286 + ]; 287 287 + }; 288 288 + systemd.services.mediawiki-init.after = [ "postgresql.target" ]; 289 289 + systemd.services.httpd.after = [ "postgresql.target" ]; 290 290 + 291 291 + systemd.timers.mediawiki-maintenance = { 292 292 + wantedBy = [ "timers.target" ]; 293 293 + timerConfig = { 294 294 + OnUnitActiveSec = "30"; 295 295 + OnBootSec = "30"; 296 296 + Persistent = false; 297 297 + Unit = "mediawiki-maintenance.service"; 298 298 + }; 299 299 + }; 300 300 + 301 301 + systemd.services.mediawiki-maintenance = { 302 302 + script = '' 303 303 + ${config.services.phpfpm.pools.mediawiki.phpPackage}/bin/php ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php runJobs --memory-limit 1G --maxtime 30 304 304 + ''; 305 305 + serviceConfig = { 306 306 + Type = "oneshot"; 307 307 + RemainAfterExit = false; 308 308 + User = "mediawiki"; 309 309 + Group = "nginx"; 310 310 + PrivateTmp = true; 311 311 + Environment = "MEDIAWIKI_CONFIG=${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG}"; 312 312 + }; 313 313 + }; 314 314 + 315 315 + services.opensearch = { 316 316 + # needed for cirrussearch 317 317 + enable = true; 318 318 + package = project.packages.opensearch.result.${system}; 319 319 + settings = { 320 320 + "http.port" = 1037; 321 321 + "path.data" = "/var/lib/private/opensearch/data"; 322 322 + "path.logs" = "/var/lib/private/opensearch/logs"; 323 323 + }; 324 324 + }; 325 325 + 326 326 + services.nginx.enable = true; 327 327 + services.nginx.virtualHosts.${config.ingredient.wiki.wiki.hostname} = { 328 328 + listen = [ 329 329 + { 330 330 + addr = "127.0.0.1"; 331 331 + port = 1036; 332 332 + } 333 333 + ]; 334 334 + 335 335 + locations = { 336 336 + "= /" = lib.mkForce { 337 337 + extraConfig = '' 338 338 + return 301 https://${config.ingredient.wiki.wiki.hostname}/wiki/; 339 339 + ''; # overriding nixpkgs /wiki/ redirect since as our double-proxy makes it redirect to :1036 340 340 + }; 341 341 + "= /favicon.ico".alias = ./wiki/favicon.ico; 342 342 + "= /icon.svg".alias = ./wiki/icon.svg; 343 343 + }; 344 344 + 345 345 + extraConfig = '' 346 346 + client_max_body_size 1024M; 347 347 + ''; 348 348 + }; 349 349 + services.nginx.virtualHosts."external.${config.ingredient.wiki.wiki.hostname}" = 350 350 + lib.mkIf config.ingredient.wiki.wiki.enablePublicInternet 351 351 + { 352 352 + listenAddresses = [ 353 353 + "0.0.0.0" 354 354 + "[::0]" 355 355 + ]; 356 356 + 357 357 + serverName = config.ingredient.wiki.wiki.hostname; 358 358 + 359 359 + addSSL = true; 360 360 + enableACME = true; 361 361 + acmeRoot = null; 362 362 + 363 363 + locations."/" = { 364 364 + proxyPass = "http://127.0.0.1:1036"; 365 365 + recommendedProxySettings = true; 366 366 + proxyWebsockets = true; 367 367 + 368 368 + extraConfig = '' 369 369 + proxy_set_header X-Webauth-Login ""; 370 370 + proxy_cache off; 371 371 + ''; 372 372 + }; 373 373 + 374 374 + extraConfig = '' 375 375 + client_max_body_size 1024M; 376 376 + ''; 377 377 + }; 378 378 + services.nginx.virtualHosts."internal.${config.ingredient.wiki.wiki.hostname}" = { 379 379 + listenAddresses = [ "localhost.tailscale" ]; 380 380 + 381 381 + serverName = config.ingredient.wiki.wiki.hostname; 382 382 + 383 383 + addSSL = true; 384 384 + enableACME = true; 385 385 + acmeRoot = null; 386 386 + 387 387 + locations."/" = { 388 388 + proxyPass = "http://127.0.0.1:1036"; 389 389 + recommendedProxySettings = true; 390 390 + proxyWebsockets = true; 391 391 + 392 392 + extraConfig = '' 393 393 + proxy_cache off; 394 394 + ''; 395 395 + }; 396 396 + 397 397 + extraConfig = '' 398 398 + client_max_body_size 1024M; 399 399 + ''; 400 400 + }; 401 401 + 402 402 + services.nginx.tailscaleAuth = { 403 403 + enable = true; 404 404 + virtualHosts = [ "internal.${config.ingredient.wiki.wiki.hostname}" ]; 405 405 + }; 406 406 + }; 407 407 + }