servo: install mediawiki

hosts/servo/services/default.nix

@@ -19,5 +19,6 @@
     ./prosody.nix
     ./transmission.nix
     ./trust-dns
+    ./wikipedia.nix
   ];
 }

hosts/servo/services/nginx.nix

@@ -291,6 +291,39 @@ in
     locations."/".proxyPass = "http://127.0.0.1:4533";
   };
 
+  services.nginx.virtualHosts."w.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    inherit kTLS;
+    locations."/".proxyPass = "http://127.0.0.1:8013";
+  };
+
+  # services.nginx.virtualHosts."w.uninsane.org" = let
+  #   fpm = config.services.phpfpm.pools.mediawiki;
+  # in {
+  #   forceSSL = true;
+  #   enableACME = true;
+  #   inherit kTLS;
+  #   # we want fcgi, actually
+  #   # locations."~ ^.+?\.php(/.*)?$".extraConfig = ''
+  #   locations."/".extraConfig = ''
+  #     # fastcgi_pass unix:${fpm.socket}|fcgi://localhost/;
+  #     fastcgi_pass unix:${fpm.socket};
+  #     # some of this might be wrong
+  #     fastcgi_split_path_info ^(.+\.php)(/.*)$;
+  #     set $path_info $fastcgi_path_info;
+  #     fastcgi_param PATH_INFO $path_info;
+  #     include ${pkgs.nginx}/conf/fastcgi_params;
+  #     include ${pkgs.nginx}/conf/fastcgi.conf;
+  #   '';
+
+  #   # locations."/" = {
+  #   #   tryFiles = "$uri $uri/ index.php";
+  #   #   index = "index.php index.html index.htm";
+  #   # };
+  #   # TODO: consider /images directory
+  # };
+
   services.nginx.virtualHosts."rss.uninsane.org" = {
     addSSL = true;
     enableACME = true;

hosts/servo/services/trust-dns/uninsane.org.zone

@@ -50,6 +50,7 @@ nixcache        CNAME   native
 pl-dev          CNAME   native
 rss             CNAME   native
 sink            CNAME   native
+w               CNAME   native
 
 xmpp            CNAME   native
 conference.xmpp CNAME   native

hosts/servo/services/wikipedia.nix

@@ -0,0 +1,62 @@
+# docs: <https://nixos.wiki/wiki/MediaWiki>
+{ config, lib, ... }:
+
+{
+  sops.secrets."mediawiki_pw" = {
+    owner = config.users.users.mediawiki.name;
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  # # mediawiki wants to serv itself over apache httpd:
+  # # that doesn't work because nginx already binds port 80
+  # services.httpd.enable = lib.mkForce false;
+  # services.httpd.user = "nginx";
+  # services.httpd.group = "nginx";
+
+  users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid;
+
+  services.mediawiki.enable = true;
+  services.mediawiki.name = "Uninsane Wiki";
+  services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;
+  services.mediawiki.extraConfig = ''
+    # Disable anonymous editing
+    $wgGroupPermissions['*']['edit'] = false;
+  '';
+  services.mediawiki.virtualHost.listen = [
+    {
+      ip = "127.0.0.1";
+      port = 8013;
+      ssl = false;
+    }
+  ];
+  services.mediawiki.virtualHost.hostName = "w.uninsane.org";
+  services.mediawiki.virtualHost.adminAddr = "admin+mediawiki@uninsane.org";
+  # services.mediawiki.extensions = TODO: wikipedia sync extension?
+
+  # original apache config for MW
+  # services.httpd = {
+  #   enable = true;
+  #   extraModules = [ "proxy_fcgi" ];
+  #   virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
+  #     documentRoot = mkForce "${pkg}/share/mediawiki";
+  #     extraConfig = ''
+  #       <Directory "${pkg}/share/mediawiki">
+  #         <FilesMatch "\.php$">
+  #           <If "-f %{REQUEST_FILENAME}">
+  #             SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
+  #           </If>
+  #         </FilesMatch>
+
+  #         Require all granted
+  #         DirectoryIndex index.php
+  #         AllowOverride All
+  #       </Directory>
+  #     '' + optionalString (cfg.uploadsDir != null) ''
+  #       Alias "/images" "${cfg.uploadsDir}"
+  #       <Directory "${cfg.uploadsDir}">
+  #         Require all granted
+  #       </Directory>
+  #     '';
+  #   } ];
+  # };
+
+}

modules/allocations.nix

@@ -23,8 +23,10 @@ in
     sane.allocations.greeter-uid = mkId 999;
     sane.allocations.greeter-gid = mkId 999;
 
+    # new servo users
     sane.allocations.freshrss-uid = mkId 2401;
     sane.allocations.freshrss-gid = mkId 2401;
+    sane.allocations.mediawiki-uid = mkId 2402;
 
     sane.allocations.colin-uid = mkId 1000;
     sane.allocations.guest-uid = mkId 1100;

secrets/servo.yaml

@@ -1,3 +1,4 @@
+mediawiki_pw: ENC[AES256_GCM,data:g7qM+CMU12apnGQ=,iv:q5K8sBAaUi47Hr0DAWiU1o5CVIO6zkdVVGJ5Zk4P9HA=,tag:CFpSmsflkNFG4kIBzrr5yQ==,type:str]
 duplicity_passphrase: ENC[AES256_GCM,data:LgPORB0HhIAfpJdQrwjS+/TWdOeddQ2YNYqfRbWhhuNlImuOlniPzrPaaFv+Mfght7OHs7rnuVr3tOHfeIEBo9S2z05ABOulttHEyeuyJZPE1/0t8IBz2gcNNWs4nhCYbVX3y/rSAG8bhz1Vdb2B/MiCicfJEZAqpXkRilQELXTR5cF5NnmEcR7zOso=,iv:NvwZhBbkYnTDt3izwwQPj4U4XAmiOD5Dv3sF50JA97o=,tag:HSJ5xr/WXn6MQdyV8QYWYw==,type:str]
 #ENC[AES256_GCM,data:5uf2kYCg8ZqoOLv50QNI73MYV0HDl4ML2xEKHPOEvCf/Z3aeM6ED,iv:ljqw6IBTPDodejMO2dcjLYyv+LlS/7r9nQ7RyiKC2Dg=,tag:Jko9tIhER4ByDbv5qhsfaQ==,type:comment]
 ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
@@ -59,8 +60,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-08T14:21:43Z"
-    mac: ENC[AES256_GCM,data:Hvc2H6aRvdZEjm1yqZRxxSFQ35CBHHgvwkXCyFwiC2SfFinM//ncRrh3j8uvXPXmA1BZ0eieP4RN5JwgwmvXLd3B46XO5gx4RQBqHBiFLeJ7ox24ePrCm77Mx8YWJdlRC5PJhMvcdqHa5R/q164dR1ebhx6lqUtKcz61/rKLHRs=,iv:VGcjU+tqPC4Des3yfAo6nxPIzlPxhztEvGy/XSHlvuw=,tag:w7nZlT01DC82F3/CmFLb9A==,type:str]
+    lastmodified: "2022-12-15T09:12:44Z"
+    mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3