diff --git a/README.md b/README.md index a387b3c..47ee475 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,17 @@ $ nix develop .#linkcheck $ ./checks/linkcheck/lychee.sh ``` +## interactive VM + +You can also run the wiki in an interactive vm by running + +```nix +nix run .#interactive-vm +``` + +you can then access the wiki at localhost:4360 follow the output of the script +for more details (like passwords) + ## FAQ: ### When logging in with "GitHub auth", the app shows "Act on your behalf" as a permission. diff --git a/flake.nix b/flake.nix index 179135a..dacfb6f 100644 --- a/flake.nix +++ b/flake.nix @@ -35,10 +35,16 @@ ./targets/flake-module.nix ./modules/flake-module.nix ./checks/flake-module.nix + ./vm/flake-module.nix ./formatter.nix ]; perSystem = - { self', system, ... }: + { + self', + system, + pkgs, + ... + }: { checks = diff --git a/modules/nixos-wiki/default.nix b/modules/nixos-wiki/default.nix index a0b2ce2..c61f703 100644 --- a/modules/nixos-wiki/default.nix +++ b/modules/nixos-wiki/default.nix @@ -38,6 +38,11 @@ in type = lib.types.str; description = "default Reply-To address in emails"; }; + testMode = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable test mode, which disables github login and uses a fixed admin password"; + }; }; }; @@ -49,7 +54,7 @@ in database.type = "postgres"; nginx.hostName = config.services.nixos-wiki.hostname; uploadsDir = "/var/lib/mediawiki-uploads/"; - passwordFile = cfg.adminPasswordFile; + passwordFile = if cfg.testMode then pkgs.writeText "pass" "nixos-wiki00" else cfg.adminPasswordFile; extensions = { SyntaxHighlight_GeSHi = null; # provides tags 
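Review bot: The `description` of the new `testMode` option covers only the fixed admin password and the disabled GitHub login, but the later hunks in this same file also drop the `$wgEmergencyContact`/`$wgPasswordSender`/`$wgNoReplyAddress` settings and flip `enableACME`/`forceSSL` off, so someone enabling it from the option docs would not expect to lose TLS. Suggest `description = "Enable test mode: admin password fixed to a value in the Nix store, GitHub login disabled, mail sender addresses unset, no ACME and no forced TLS. Only for local throw-away VMs.";`. The enclosing options set continues outside the hunk.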
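Review bot: `pkgs.writeText "pass" "nixos-wiki00"` stores the admin password in the world-readable Nix store, and the same literal appears twice more in vm/flake-module.nix (the root password and the echo line), so changing one silently desynchronises the others. For a test-only flag the store placement is acceptable, but the value should exist once, e.g. `testPassword = "nixos-wiki00";` in the module's `let` (outside the hunk) with the VM reading it from there, or at minimum a comment `# test-only password; also hard-coded in vm/flake-module.nix` beside the `writeText`. The `services.mediawiki` attribute set continues outside the hunk.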
@@ -89,15 +94,17 @@ in #$wgShowExceptionDetails = true; # allow local login - $wgAuthManagerOAuthConfig = [ - 'github' => [ - 'clientId' => '${cfg.githubClientId}', - 'clientSecret' => file_get_contents("${cfg.githubClientSecretFile}"), - 'urlAuthorize' => 'https://github.com/login/oauth/authorize', - 'urlAccessToken' => 'https://github.com/login/oauth/access_token', - 'urlResourceOwnerDetails' => 'https://api.github.com/user' - ], - ]; + ${lib.optionalString (!cfg.testMode) '' + $wgAuthManagerOAuthConfig = [ + 'github' => [ + 'clientId' => '${cfg.githubClientId}', + 'clientSecret' => file_get_contents("${cfg.githubClientSecretFile}"), + 'urlAuthorize' => 'https://github.com/login/oauth/authorize', + 'urlAccessToken' => 'https://github.com/login/oauth/access_token', + 'urlResourceOwnerDetails' => 'https://api.github.com/user' + ], + ]; + ''} # Enable account creation globally $wgGroupPermissions['*']['createaccount'] = true; @@ -150,9 +157,11 @@ in $wgEmailConfirmToEdit = false; $wgAllowHTMLEmail = false; - $wgEmergencyContact = "${cfg.emergencyContact}"; - $wgPasswordSender = "${cfg.passwordSender}"; - $wgNoReplyAddress = "${cfg.noReplyAddress}"; + ${lib.optionalString (!cfg.testMode) '' + $wgEmergencyContact = "${cfg.emergencyContact}"; + $wgPasswordSender = "${cfg.passwordSender}"; + $wgNoReplyAddress = "${cfg.noReplyAddress}"; + ''} # To purge all page cache increase this using: date +%Y%m%d%H%M%S $wgCacheEpoch = 20231115172319; @@ -244,8 +253,8 @@ in limit_req_status 429; ''; services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = { - enableACME = lib.mkDefault true; - forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault (!cfg.testMode); + forceSSL = lib.mkDefault (!cfg.testMode); extraConfig = '' limit_req zone=ip burst=20 nodelay; ''; diff --git a/vm/flake-module.nix b/vm/flake-module.nix new file mode 100644 index 0000000..548fa20 --- /dev/null +++ b/vm/flake-module.nix 
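Review bot: With `enableACME` and `forceSSL` both set to `!cfg.testMode` the module still accepts any `hostname`, so as far as these hunks show nothing prevents `testMode = true` from reaching a host with a public name, serving a known admin password over plain HTTP. A cheap guard in the same module is `warnings = lib.optional cfg.testMode "services.nixos-wiki.testMode is enabled: fixed admin password, no TLS, no GitHub login";`, or an assertion that `cfg.hostname` starts with `localhost`. The hunks at @@ -89 and @@ -150 use the same `!cfg.testMode` gating and would be covered by the same warning.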
@@ -0,0 +1,80 @@ +{ self, lib, ... }: +{ + perSystem = + { pkgs, ... }: + { + packages = lib.optionalAttrs pkgs.stdenv.isLinux { + interactive-vm = pkgs.writeShellApplication { + name = "interactive-vm"; + runtimeInputs = [ + ]; + text = + let + debugVm = + { modulesPath, ... }: + { + imports = [ + # The qemu-vm NixOS module gives us the `vm` attribute that we will later + # use, and other VM-related settings + "${modulesPath}/virtualisation/qemu-vm.nix" + ]; + + # Forward the hosts's port 2222 to the guest's SSH port. + # Also, forward the other ports 1:1 from host to guest. + virtualisation.forwardPorts = [ + { + from = "host"; + host.port = 2222; + guest.port = 22; + } + { + from = "host"; + host.port = 4360; + guest.port = 4360; + } + ]; + virtualisation.memorySize = 2048; + + # Root user without password and enabled SSH for playing around + networking.firewall.enable = false; + services.openssh.enable = true; + services.openssh.permitRootLogin = "yes"; + users.extraUsers.root.password = "nixos-wiki00"; # same as the admin user on the test wiki + environment.systemPackages = with pkgs; [ + iptables + ]; + services.nginx.defaultListen = [ + { + addr = "0.0.0.0"; + port = 4360; + } + ]; + networking.firewall.allowedTCPPorts = [ 4360 ]; + }; + vmConfig = pkgs.nixos [ + debugVm + self.nixosModules.nixos-wiki + { + security.acme.defaults.email = "example@example.com"; + security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + services.nixos-wiki = { + hostname = "localhost:4360"; + testMode = true; + }; + } + ]; + in + '' + NIXOS_DISK_IMAGE=/tmp/wiki-vm.qcow2 + export NIXOS_DISK_IMAGE + echo 'access the wiki after startup at http://localhost:4360' + echo 'user: admin, password: nixos-wiki00' + echo 'you can also SSH into the VM with: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p 2222' + echo 'password: nixos-wiki00' + ${vmConfig.config.system.build.vm}/bin/run-nixos-vm + # TODO maybe clean up the 
qcow image? + ''; + }; + }; + }; +}
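Review bot: Both `virtualisation.forwardPorts` entries set only `host.port`; with `host.address` left unset QEMU binds the forward on all host interfaces, so the guest's root SSH (password `nixos-wiki00`, `permitRootLogin = "yes"`) and the wiki admin login are reachable from the developer's LAN rather than only locally, and `host.address = "127.0.0.1";` should be added to both entries. `networking.firewall.enable = false;` also turns the later `networking.firewall.allowedTCPPorts = [ 4360 ];` into dead code; keep the firewall on and drop the disable, since `services.openssh.enable` opens port 22 by itself. `services.openssh.permitRootLogin` is the older spelling, and if the pinned nixpkgs has dropped that alias evaluation fails; `services.openssh.settings.PermitRootLogin = "yes";` is the current form. The fixed `/tmp/wiki-vm.qcow2` path keeps VM state across runs in a shared directory, which the trailing TODO hints at; a per-user cache directory or `mktemp` would avoid that.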