separate site specific variables from nixos module

This commit is contained in:
Jörg Thalheim 2023-11-19 11:13:15 +01:00
parent 7946236abf
commit 7ec347b5c5
2 changed files with 48 additions and 14 deletions


@ -1,4 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
cfg = config.services.nixos-wiki;
in
{ {
options = { options = {
services.nixos-wiki = { services.nixos-wiki = {
@ -6,31 +9,49 @@
type = lib.types.str; type = lib.types.str;
description = "The hostname of the wiki"; description = "The hostname of the wiki";
}; };
adminPasswordFile = lib.mkOption {
type = lib.types.path;
description = "The password file for the wiki admin";
};
githubClientId = lib.mkOption { githubClientId = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "The github client id for the wiki"; description = "The github client id for the wiki";
}; };
githubClientSecretFile = lib.mkOption {
type = lib.types.path;
description = "The github client secret for the wiki";
};
emergencyContact = lib.mkOption {
type = lib.types.str;
description = "The emergency contact for the wiki";
};
passwordSender = lib.mkOption {
type = lib.types.str;
description = "default FROM address in emails";
};
noReplyAddress = lib.mkOption {
type = lib.types.str;
description = "default Reply-To address in emails";
};
}; };
}; };
config = { config = {
sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
services.mediawiki = { services.mediawiki = {
enable = true; enable = true;
webserver = "nginx"; webserver = "nginx";
database.type = "postgres"; database.type = "postgres";
nginx.hostName = config.services.nixos-wiki.hostname; nginx.hostName = config.services.nixos-wiki.hostname;
uploadsDir = "/var/lib/mediawiki-uploads/"; uploadsDir = "/var/lib/mediawiki-uploads/";
passwordFile = config.sops.secrets."nixos-wiki".path; passwordFile = cfg.adminPasswordFile;
extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
extensions.ParserFunctions = null; extensions.ParserFunctions = null;
extensions.Cite = null; extensions.Cite = null;
extensions.VisualEditor = null; extensions.VisualEditor = null;
extensions.AuthManagerOAuth = pkgs.fetchzip { extensions.AuthManagerOAuth = pkgs.fetchzip {
url = "https://github.com/Mic92/AuthManagerOAuth/releases/download/vendor-bugfix/AuthManagerOAuth.zip"; url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip";
hash = "sha256-Xq56QxBYpAG51HQw4TJLnzwHWztv0EhTGXk/i3w2+fs="; hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc=";
}; # Github login }; # Github login
extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
extensions.StopForumSpam = pkgs.fetchzip { extensions.StopForumSpam = pkgs.fetchzip {
@ -44,8 +65,8 @@
# allow local login # allow local login
$wgAuthManagerOAuthConfig = [ $wgAuthManagerOAuthConfig = [
'github' => [ 'github' => [
'clientId' => '${config.services.nixos-wiki.githubClientId}', 'clientId' => '${cfg.githubClientId}',
'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"), 'clientSecret' => file_get_contents("${cfg.githubClientSecretFile}"),
'urlAuthorize' => 'https://github.com/login/oauth/authorize', 'urlAuthorize' => 'https://github.com/login/oauth/authorize',
'urlAccessToken' => 'https://github.com/login/oauth/access_token', 'urlAccessToken' => 'https://github.com/login/oauth/access_token',
'urlResourceOwnerDetails' => 'https://api.github.com/user' 'urlResourceOwnerDetails' => 'https://api.github.com/user'
@ -95,9 +116,10 @@
$wgEnableEmail = true; $wgEnableEmail = true;
$wgAllowHTMLEmail = false; $wgAllowHTMLEmail = false;
$wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
$wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address $wgEmergencyContact = "${cfg.emergencyContact}";
$wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address $wgPasswordSender = "${cfg.passwordSender}";
$wgNoReplyAddress = "${cfg.noReplyAddress}";
# To purge all page cache increase this using: date +%Y%m%d%H%M%S # To purge all page cache increase this using: date +%Y%m%d%H%M%S
$wgCacheEpoch = 20231115172319; $wgCacheEpoch = 20231115172319;
@ -108,7 +130,7 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = { services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
enableACME = lib.mkDefault true; enableACME = lib.mkDefault true;
forceSSL = true; forceSSL = lib.mkDefault true;
locations."=/nixos.png".alias = ./nixos.png; locations."=/nixos.png".alias = ./nixos.png;
}; };
}; };
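Review bot: The new `adminPasswordFile` and `githubClientSecretFile` options remove the `sops.secrets.*.owner` wiring the module used to do itself, but their descriptions do not say who has to be able to read the files; `githubClientSecretFile` in particular is read by PHP at request time through `file_get_contents`, so it must be readable by the php-fpm pool user and, being a `lib.types.path`, must not be given as a path literal that would end up in the world-readable Nix store. Suggested wording: `description = "Path to a file holding the GitHub client secret. Read at runtime by the mediawiki php-fpm pool, so it must be readable by that user and must not be a Nix store path.";` with a matching sentence on `adminPasswordFile`. The same hunk also swaps the AuthManagerOAuth source from the `Mic92` vendor-bugfix archive to `mohe2015/…/v0.3.2` with a new hash, which is a dependency change unrelated to the commit title and deserves its own commit or at least a line in the message. Lowering `forceSSL` to `lib.mkDefault true` further down lets a site config turn off the TLS redirect, which seems worth a short comment stating that this is intended.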


@ -1,4 +1,4 @@
{ self, lib, ... }: { self, lib, config, ... }:
let let
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json); nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in in
@ -10,9 +10,21 @@ in
]; ];
users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys; users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
system.stateVersion = "23.11"; system.stateVersion = "23.11";
services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
security.acme.defaults.email = "joerg.letsencrypt@thalheim.io"; security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
services.nixos-wiki = {
hostname = "nixos-wiki2.thalheim.io";
adminPasswordFile = config.sops.secrets.nixos-wiki.path;
githubClientId = "Iv1.95ed182c83df1d22";
githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
emergencyContact = "nixos-wiki@thalheim.io";
passwordSender = "nixos-wiki@thalheim.io";
noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
};
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ]; boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
} }
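Review bot: Moving the mail settings into `services.nixos-wiki` also changes a value: the module previously hard-coded `$wgEmergencyContact` as `nixos-wiki-emergency@thalheim.io`, while the new `emergencyContact = "nixos-wiki@thalheim.io";` makes it identical to `passwordSender`. If that was not intended, `emergencyContact = "nixos-wiki-emergency@thalheim.io";` restores the old behaviour; if it was, a note in the commit message would make the change visible, since the title describes a pure refactor. The two `sops.secrets.*.owner` lines that moved here are consistent with the module no longer referencing sops at all.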