Merge pull request #16 from Mic92/ci

improve CI
This commit is contained in:
Jörg Thalheim 2023-11-19 11:46:01 +01:00 committed by GitHub
commit c4f64d53c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 156 additions and 45 deletions


@ -19,9 +19,3 @@ systemctl start wiki-backup.service && systemctl start wiki-restore
```
Note that `nixos-wiki-backup` will do this restore every night.
## Outstanding patches
I have encountered some regressions in mediawiki's latest release.
Patches are included in this repository.
The patches have been sent to upstream here: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/971581

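--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -0,0 +1,15 @@
+{ self, ... }: {
+perSystem =
+{ pkgs
+, ...
+}: {
+checks =
+let
+# this gives us a reference to our flake but also all flake inputs
+checkArgs = { inherit self pkgs; };
+in
+{
+test = import ./test.nix checkArgs;
+};
+};
+}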

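--- a/checks/lib.nix
+++ b/checks/lib.nix
@@ -0,0 +1,20 @@
+# tests/lib.nix
+# The first argument to this function is the test module itself
+test:
+# These arguments are provided by `flake.nix` on import, see checkArgs
+{ pkgs, self }:
+let
+inherit (pkgs) lib;
+# this imports the nixos library that contains our testing framework
+nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+hostPkgs = pkgs;
+# This speeds up the evaluation by skipping evaluating documentation (optional)
+defaults.documentation.enable = lib.mkDefault false;
+# This makes `self` available in the NixOS configuration of our virtual machines.
+# This is useful for referencing modules or packages from your own flake
+# as well as importing from other flakes.
+node.specialArgs = { inherit self; };
+imports = [ test ];
+}).config.result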
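Review bot: The header comment on the first line names the file `tests/lib.nix`, but the file is added as `checks/lib.nix`, and the comment above the `{ pkgs, self }:` argument says these come from `flake.nix` when `checkArgs` is actually built in `checks/flake-module.nix` in this same commit. Both comments will mislead the next person tracing how the test gets its arguments. Suggest `# checks/lib.nix` and `# These arguments are provided by checks/flake-module.nix on import, see checkArgs`.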

35
checks/test.nix Normal file

@ -0,0 +1,35 @@
(import ./lib.nix) {
name = "nixos-wiki";
nodes = {
# `self` here is set by using specialArgs in `lib.nix`
wiki = { self, pkgs, config, ... }: {
imports = [
self.nixosModules.nixos-wiki
];
security.acme.defaults.email = "admin@example.com";
services.nixos-wiki = {
hostname = "nixos-wiki.example.com";
adminPasswordFile = pkgs.writeText "adminPasswordFile" "Creation-Fabric-Untrimmed3";
githubClientId = "Iv1.95ed182c83df1d22";
githubClientSecretFile = pkgs.writeText "githubClientSecretFile" "secret";
emergencyContact = "nixos-wiki@thalheim.io";
passwordSender = "nixos-wiki@thalheim.io";
noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
};
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
enableACME = false;
forceSSL = false;
};
};
};
# This is the test code that will check if our service is running correctly:
testScript = ''
start_all()
machine.wait_for_unit("phpfpm-mediawiki.service")
machine.wait_for_unit("nginx.service")
page = machine.succeed("curl -vL http://localhost/")
assert "MediaWiki has been installed" in page
'';
}
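Review bot: The test script addresses the VM as `machine` while the only node is declared as `wiki`; this works only because the NixOS test driver aliases a single node to the name `machine`, and it stops resolving as soon as a second node is added to `nodes`. Use the declared name instead: `wiki.wait_for_unit("phpfpm-mediawiki.service")`, `wiki.wait_for_unit("nginx.service")`, `page = wiki.succeed("curl -vL http://localhost/")`. The `pkgs.writeText` fixtures for `adminPasswordFile` and `githubClientSecretFile` put their contents into the Nix store, which is fine for a throwaway VM but deserves a comment so the pattern is not copied into a host configuration, e.g. `# test-only fixtures; real targets pass a runtime secret path (see targets/)`.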


@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1699483000,
"narHash": "sha256-zWEj1e6r2KNJFTdj4/vpnpoJc2l+v3JHwlQCzrtkojU=",
"lastModified": 1699781810,
"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "72bc1526268fda374cd17315e37b64ba340c5bf2",
"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
"type": "github"
},
"original": {
@ -42,11 +42,11 @@
},
"nixos-23_05": {
"locked": {
"lastModified": 1699291058,
"narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
"lastModified": 1699994397,
"narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
"rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8",
"type": "github"
},
"original": {
@ -58,11 +58,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"lastModified": 1700204040,
"narHash": "sha256-xSVcS5HBYnD3LTer7Y2K8ZQCDCXMa3QUD1MzRjHzuhI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"rev": "c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad",
"type": "github"
},
"original": {
@ -90,11 +90,11 @@
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1699311858,
"narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
"lastModified": 1700362823,
"narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "664187539871f63857bda2d498f452792457b998",
"rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
"type": "github"
},
"original": {
@ -111,11 +111,11 @@
]
},
"locked": {
"lastModified": 1699537893,
"narHash": "sha256-alxdKClexvQRwzZh09FpRlrYijLSHJZl/SmolBXHUcE=",
"lastModified": 1700099573,
"narHash": "sha256-4zjIWPenAMaBlZnCaQvnBdMyWDX/mTgT2fe+CVFajW8=",
"owner": "numtide",
"repo": "srvos",
"rev": "a0d29fdb2f27b1bd9979810ebccb3b4d9fcda977",
"rev": "48010180015cbda0b6cacf4555fcdd360054158d",
"type": "github"
},
"original": {
@ -131,11 +131,11 @@
]
},
"locked": {
"lastModified": 1699656829,
"narHash": "sha256-aqz/YOrllfsUF88FG+xhm+ywB+KxSE8FpPWSY6QnDvY=",
"lastModified": 1699786194,
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8b25ad882a6fc9905fa515c2b61d196b42ca79a3",
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github"
},
"original": {


@ -21,28 +21,33 @@
};
outputs = inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
systems = lib.systems.flakeExposed;
flake-parts.lib.mkFlake { inherit inputs; } ({ self, lib, ... }: {
systems = [
"aarch64-linux"
"x86_64-linux"
"riscv64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
imports = [
inputs.treefmt-nix.flakeModule
./targets/flake-module.nix
./modules/flake-module.nix
./checks/flake-module.nix
];
perSystem = { config, pkgs, ... }: {
perSystem = { config, self', system, pkgs, ... }: {
treefmt = {
projectRootFile = "flake.nix";
programs.hclfmt.enable = true;
programs.nixpkgs-fmt.enable = true;
};
packages.default =
let
terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
in
pkgs.mkShell {
packages = [
pkgs.bashInteractive
pkgs.sops
(terraformHalal.withPlugins (p: [
(pkgs.opentofu.withPlugins (p: [
p.netlify
p.hcloud
p.null
@ -51,6 +56,14 @@
]))
];
};
checks =
let
nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
in
nixosMachines // packages // devShells;
};
});
}
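Review bot: The `nixosMachines` binding in the new `checks` block is a single very long line nesting `mapAttrs'`, `nameValuePair` and `filterAttrs`, and its inner lambda names its parameter `config`, shadowing the `config` argument of the enclosing `perSystem` function. Splitting the per-system filter into its own binding and renaming the parameter keeps both problems out: `sameSystem = lib.filterAttrs (_: c: c.pkgs.system == system) self.nixosConfigurations;` followed by `nixosMachines = lib.mapAttrs' (name: c: lib.nameValuePair "nixos-${name}" c.config.system.build.toplevel) sameSystem;`. Behaviour is unchanged; only readability and the shadowing differ.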


@ -1,4 +1,7 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nixos-wiki;
in
{
options = {
services.nixos-wiki = {
@ -6,31 +9,49 @@
type = lib.types.str;
description = "The hostname of the wiki";
};
adminPasswordFile = lib.mkOption {
type = lib.types.path;
description = "The password file for the wiki admin";
};
githubClientId = lib.mkOption {
type = lib.types.str;
description = "The github client id for the wiki";
};
githubClientSecretFile = lib.mkOption {
type = lib.types.path;
description = "The github client secret for the wiki";
};
emergencyContact = lib.mkOption {
type = lib.types.str;
description = "The emergency contact for the wiki";
};
passwordSender = lib.mkOption {
type = lib.types.str;
description = "default FROM address in emails";
};
noReplyAddress = lib.mkOption {
type = lib.types.str;
description = "default Reply-To address in emails";
};
};
};
config = {
sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
services.mediawiki = {
enable = true;
webserver = "nginx";
database.type = "postgres";
nginx.hostName = config.services.nixos-wiki.hostname;
uploadsDir = "/var/lib/mediawiki-uploads/";
passwordFile = config.sops.secrets."nixos-wiki".path;
passwordFile = cfg.adminPasswordFile;
extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
extensions.ParserFunctions = null;
extensions.Cite = null;
extensions.VisualEditor = null;
extensions.AuthManagerOAuth = pkgs.fetchzip {
url = "https://github.com/Mic92/AuthManagerOAuth/releases/download/vendor-bugfix/AuthManagerOAuth.zip";
hash = "sha256-Xq56QxBYpAG51HQw4TJLnzwHWztv0EhTGXk/i3w2+fs=";
url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip";
hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc=";
}; # Github login
extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
extensions.StopForumSpam = pkgs.fetchzip {
@ -44,8 +65,8 @@
# allow local login
$wgAuthManagerOAuthConfig = [
'github' => [
'clientId' => '${config.services.nixos-wiki.githubClientId}',
'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
'clientId' => '${cfg.githubClientId}',
'clientSecret' => file_get_contents("${cfg.githubClientSecretFile}"),
'urlAuthorize' => 'https://github.com/login/oauth/authorize',
'urlAccessToken' => 'https://github.com/login/oauth/access_token',
'urlResourceOwnerDetails' => 'https://api.github.com/user'
@ -95,9 +116,10 @@
$wgEnableEmail = true;
$wgAllowHTMLEmail = false;
$wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
$wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
$wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
$wgEmergencyContact = "${cfg.emergencyContact}";
$wgPasswordSender = "${cfg.passwordSender}";
$wgNoReplyAddress = "${cfg.noReplyAddress}";
# To purge all page cache increase this using: date +%Y%m%d%H%M%S
$wgCacheEpoch = 20231115172319;
@ -108,7 +130,7 @@
security.acme.acceptTerms = true;
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
enableACME = lib.mkDefault true;
forceSSL = true;
forceSSL = lib.mkDefault true;
locations."=/nixos.png".alias = ./nixos.png;
};
};
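Review bot: The descriptions of `githubClientSecretFile` ("The github client secret for the wiki") and `adminPasswordFile` read as if the option held the secret value, but both are paths read at runtime — the admin one through `services.mediawiki.passwordFile`, the GitHub one through `file_get_contents` in the generated PHP config. Because `lib.types.path` also accepts Nix store paths, the descriptions should say that the file must exist on the target outside the store and be readable by the MediaWiki PHP-FPM user, e.g. `description = "Path to a file containing the GitHub OAuth client secret; must be readable by the mediawiki phpfpm user and should not be a Nix store path";`. The `sops.secrets.*.owner` assignments that previously guaranteed that ownership inside this module were moved to the target in this commit, so a module user now has to arrange it themselves. The enclosing `config = { ... }` block extends beyond the hunks shown.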


@ -1,4 +1,4 @@
{ self, lib, ... }:
{ self, lib, config, ... }:
let
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
@ -10,9 +10,21 @@ in
];
users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
system.stateVersion = "23.11";
services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
services.nixos-wiki = {
hostname = "nixos-wiki2.thalheim.io";
adminPasswordFile = config.sops.secrets.nixos-wiki.path;
githubClientId = "Iv1.95ed182c83df1d22";
githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
emergencyContact = "nixos-wiki@thalheim.io";
passwordSender = "nixos-wiki@thalheim.io";
noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
};
sops.defaultSopsFile = ./secrets.yaml;
boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
}