From 01db7e1f231ea14ada02a736257dbea0d6d2154f Mon Sep 17 00:00:00 2001
From: colin
Date: Thu, 15 Dec 2022 10:07:07 +0000
Subject: [PATCH] servo: install mediawiki
---
 hosts/servo/services/default.nix | 1 +
 hosts/servo/services/nginx.nix | 33 ++++++++++
 .../services/trust-dns/uninsane.org.zone | 1 +
 hosts/servo/services/wikipedia.nix | 62 +++++++++++++++++++
 modules/allocations.nix | 2 +
 secrets/servo.yaml | 5 +-
 6 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 hosts/servo/services/wikipedia.nix
diff --git a/hosts/servo/services/default.nix b/hosts/servo/services/default.nix
index e6033f2f..0118594a 100644
--- a/hosts/servo/services/default.nix
+++ b/hosts/servo/services/default.nix
@@ -19,5 +19,6 @@
 ./prosody.nix
 ./transmission.nix
 ./trust-dns
+ ./wikipedia.nix
 ];
 }
diff --git a/hosts/servo/services/nginx.nix b/hosts/servo/services/nginx.nix
index daa79671..8da4d0db 100644
--- a/hosts/servo/services/nginx.nix
+++ b/hosts/servo/services/nginx.nix
@@ -291,6 +291,39 @@ in locations."/".proxyPass = "http://127.0.0.1:4533"; }; + services.nginx.virtualHosts."w.uninsane.org" = { + forceSSL = true; + enableACME = true; + inherit kTLS; + locations."/".proxyPass = "http://127.0.0.1:8013"; + }; + + # services.nginx.virtualHosts."w.uninsane.org" = let + # fpm = config.services.phpfpm.pools.mediawiki; + # in { + # forceSSL = true; + # enableACME = true; + # inherit kTLS; + # # we want fcgi, actually + # # locations."~ ^.+?\.php(/.*)?$".extraConfig = '' + # locations."/".extraConfig = '' + # # fastcgi_pass unix:${fpm.socket}|fcgi://localhost/; + # fastcgi_pass unix:${fpm.socket}; + # # some of this might be wrong + # fastcgi_split_path_info ^(.+\.php)(/.*)$; + # set $path_info $fastcgi_path_info; + # fastcgi_param PATH_INFO $path_info; + # include ${pkgs.nginx}/conf/fastcgi_params; + # include ${pkgs.nginx}/conf/fastcgi.conf; + # ''; + + # # locations."/" = { + # # tryFiles = "$uri $uri/ index.php"; + # # index = "index.php index.html index.htm"; + # # }; + # # TODO: consider /images directory + # }; + services.nginx.virtualHosts."rss.uninsane.org" = { addSSL = true; enableACME = true; diff --git a/hosts/servo/services/trust-dns/uninsane.org.zone b/hosts/servo/services/trust-dns/uninsane.org.zone index 79a0e52b..a9633647 100644 --- a/hosts/servo/services/trust-dns/uninsane.org.zone +++ b/hosts/servo/services/trust-dns/uninsane.org.zone @@ -50,6 +50,7 @@ nixcache CNAME native pl-dev CNAME native rss CNAME native sink CNAME native +w CNAME native xmpp CNAME native conference.xmpp CNAME native diff --git a/hosts/servo/services/wikipedia.nix b/hosts/servo/services/wikipedia.nix new file mode 100644 index 00000000..b342d27d --- /dev/null +++ b/hosts/servo/services/wikipedia.nix 
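Review bot: The new `w.uninsane.org` vhost in nginx.nix proxies to `http://127.0.0.1:8013` with no visible forwarding of the client address or original scheme, so unless `services.nginx.recommendedProxySettings` is enabled outside this hunk, the MediaWiki backend sees every request as coming from 127.0.0.1. That would collapse MediaWiki's per-IP login throttling, IP blocks and audit logs onto a single address. I would confirm the forwarding headers are set and add a comment on the location such as `# backend must treat 127.0.0.1 as a trusted proxy (X-Forwarded-For / X-Forwarded-Proto)`. Separately, the commented-out fastcgi variant of the same vhost is dead configuration that says of itself "some of this might be wrong"; it would be better kept in the commit message or an issue than in the file.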
@@ -0,0 +1,62 @@ +# docs: +{ config, lib, ... }: + +{ + sops.secrets."mediawiki_pw" = { + owner = config.users.users.mediawiki.name; + sopsFile = ../../../secrets/servo.yaml; + }; + # # mediawiki wants to serv itself over apache httpd: + # # that doesn't work because nginx already binds port 80 + # services.httpd.enable = lib.mkForce false; + # services.httpd.user = "nginx"; + # services.httpd.group = "nginx"; + + users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid; + + services.mediawiki.enable = true; + services.mediawiki.name = "Uninsane Wiki"; + services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path; + services.mediawiki.extraConfig = '' + # Disable anonymous editing + $wgGroupPermissions['*']['edit'] = false; + ''; + services.mediawiki.virtualHost.listen = [ + { + ip = "127.0.0.1"; + port = 8013; + ssl = false; + } + ]; + services.mediawiki.virtualHost.hostName = "w.uninsane.org"; + services.mediawiki.virtualHost.adminAddr = "admin+mediawiki@uninsane.org"; + # services.mediawiki.extensions = TODO: wikipedia sync extension? + + # original apache config for MW + # services.httpd = { + # enable = true; + # extraModules = [ "proxy_fcgi" ]; + # virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost { + # documentRoot = mkForce "${pkg}/share/mediawiki"; + # extraConfig = '' + # + # + # + # SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/" + # + # + + # Require all granted + # DirectoryIndex index.php + # AllowOverride All + # + # '' + optionalString (cfg.uploadsDir != null) '' + # Alias "/images" "${cfg.uploadsDir}" + # + # Require all granted + # + # ''; + # } ]; + # }; + +} diff --git a/modules/allocations.nix b/modules/allocations.nix index 544fb7a5..883b06b1 100644 --- a/modules/allocations.nix +++ b/modules/allocations.nix 
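Review bot: In wikipedia.nix, `$wgGroupPermissions['*']['edit'] = false;` only blocks edits by logged-out visitors; nothing in `extraConfig` restricts account creation, so on MediaWiki's defaults anyone can register and then edit as a normal user. If the wiki is meant to be writable only by known accounts, add `$wgGroupPermissions['*']['createaccount'] = false;` next to it. Because the httpd listener is declared with `ssl = false` behind the TLS-terminating nginx vhost, MediaWiki may also build `http://` URLs and issue session cookies without the Secure flag; this depends on how the NixOS module derives `$wgServer`, which is not visible here. Pinning `$wgServer = "https://w.uninsane.org";` and `$wgCookieSecure = true;` in the same block would remove the doubt.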
@@ -23,8 +23,10 @@ in sane.allocations.greeter-uid = mkId 999; sane.allocations.greeter-gid = mkId 999; + # new servo users sane.allocations.freshrss-uid = mkId 2401; sane.allocations.freshrss-gid = mkId 2401; + sane.allocations.mediawiki-uid = mkId 2402; sane.allocations.colin-uid = mkId 1000; sane.allocations.guest-uid = mkId 1100; diff --git a/secrets/servo.yaml b/secrets/servo.yaml index 28f0d960..8c94c264 100644 --- a/secrets/servo.yaml +++ b/secrets/servo.yaml @@ -1,3 +1,4 @@ +mediawiki_pw: ENC[AES256_GCM,data:g7qM+CMU12apnGQ=,iv:q5K8sBAaUi47Hr0DAWiU1o5CVIO6zkdVVGJ5Zk4P9HA=,tag:CFpSmsflkNFG4kIBzrr5yQ==,type:str] duplicity_passphrase: ENC[AES256_GCM,data:LgPORB0HhIAfpJdQrwjS+/TWdOeddQ2YNYqfRbWhhuNlImuOlniPzrPaaFv+Mfght7OHs7rnuVr3tOHfeIEBo9S2z05ABOulttHEyeuyJZPE1/0t8IBz2gcNNWs4nhCYbVX3y/rSAG8bhz1Vdb2B/MiCicfJEZAqpXkRilQELXTR5cF5NnmEcR7zOso=,iv:NvwZhBbkYnTDt3izwwQPj4U4XAmiOD5Dv3sF50JA97o=,tag:HSJ5xr/WXn6MQdyV8QYWYw==,type:str] #ENC[AES256_GCM,data:5uf2kYCg8ZqoOLv50QNI73MYV0HDl4ML2xEKHPOEvCf/Z3aeM6ED,iv:ljqw6IBTPDodejMO2dcjLYyv+LlS/7r9nQ7RyiKC2Dg=,tag:Jko9tIhER4ByDbv5qhsfaQ==,type:comment] ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str] 
@@ -59,8 +60,8 @@ sops: cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-08T14:21:43Z" - mac: ENC[AES256_GCM,data:Hvc2H6aRvdZEjm1yqZRxxSFQ35CBHHgvwkXCyFwiC2SfFinM//ncRrh3j8uvXPXmA1BZ0eieP4RN5JwgwmvXLd3B46XO5gx4RQBqHBiFLeJ7ox24ePrCm77Mx8YWJdlRC5PJhMvcdqHa5R/q164dR1ebhx6lqUtKcz61/rKLHRs=,iv:VGcjU+tqPC4Des3yfAo6nxPIzlPxhztEvGy/XSHlvuw=,tag:w7nZlT01DC82F3/CmFLb9A==,type:str] + lastmodified: "2022-12-15T09:12:44Z" + mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3