diff --git a/README.md b/README.md index e1d441c..9a67981 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,3 @@ systemctl start wiki-backup.service && systemctl start wiki-restore ``` Note that `nixos-wiki-backup` will do this restore every night. - -## Outstanding patches - -I have encountered some regressions in mediawiki's latest release. -Patches are included in this repository. -The patches have been sent to upstream here: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/971581 diff --git a/checks/flake-module.nix b/checks/flake-module.nix new file mode 100644 index 0000000..d205b1b --- /dev/null +++ b/checks/flake-module.nix @@ -0,0 +1,15 @@ +{ self, ... }: { + perSystem = + { pkgs + , ... + }: { + checks = + let + # this gives us a reference to our flake but also all flake inputs + checkArgs = { inherit self pkgs; }; + in + { + test = import ./test.nix checkArgs; + }; + }; +} diff --git a/checks/lib.nix b/checks/lib.nix new file mode 100644 index 0000000..f930aa7 --- /dev/null +++ b/checks/lib.nix @@ -0,0 +1,20 @@ +# tests/lib.nix +# The first argument to this function is the test module itself +test: +# These arguments are provided by `flake.nix` on import, see checkArgs +{ pkgs, self }: +let + inherit (pkgs) lib; + # this imports the nixos library that contains our testing framework + nixos-lib = import (pkgs.path + "/nixos/lib") { }; +in +(nixos-lib.runTest { + hostPkgs = pkgs; + # This speeds up the evaluation by skipping evaluating documentation (optional) + defaults.documentation.enable = lib.mkDefault false; + # This makes `self` available in the NixOS configuration of our virtual machines. + # This is useful for referencing modules or packages from your own flake + # as well as importing from other flakes. + node.specialArgs = { inherit self; }; + imports = [ test ]; +}).config.result diff --git a/checks/test.nix b/checks/test.nix new file mode 100644 index 0000000..07c2b6f --- /dev/null +++ b/checks/test.nix 
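Review bot: The header comment of the new checks/lib.nix reads `# tests/lib.nix`, but the file header shows it lives at `checks/lib.nix`, so the first line should be `# checks/lib.nix` or be dropped before it misleads someone looking for a tests/ directory. The comment on `checkArgs` in checks/flake-module.nix says it passes "all flake inputs", which is only true indirectly through `self.inputs`; `# `self` (and through it self.inputs) plus the per-system pkgs` states what the set actually contains.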
@@ -0,0 +1,35 @@
+(import ./lib.nix) {
+ name = "nixos-wiki";
+ nodes = {
+ # `self` here is set by using specialArgs in `lib.nix`
+ wiki = { self, pkgs, config, ... }: {
+ imports = [
+ self.nixosModules.nixos-wiki
+ ];
+ security.acme.defaults.email = "admin@example.com";
+ services.nixos-wiki = {
+ hostname = "nixos-wiki.example.com";
+ adminPasswordFile = pkgs.writeText "adminPasswordFile" "Creation-Fabric-Untrimmed3";
+ githubClientId = "Iv1.95ed182c83df1d22";
+ githubClientSecretFile = pkgs.writeText "githubClientSecretFile" "secret";
+ emergencyContact = "nixos-wiki@thalheim.io";
+ passwordSender = "nixos-wiki@thalheim.io";
+ noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
+ };
+ services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+ enableACME = false;
+ forceSSL = false;
+ };
+ };
+ };
+ # This is the test code that will check if our service is running correctly:
+ testScript = ''
+ start_all()
+
+ machine.wait_for_unit("phpfpm-mediawiki.service")
+ machine.wait_for_unit("nginx.service")
+
+ page = machine.succeed("curl -vL http://localhost/")
+ assert "MediaWiki has been installed" in page
+ '';
+}
diff --git a/flake.lock b/flake.lock
index 82e015b..53b14fb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1699483000,
- "narHash": "sha256-zWEj1e6r2KNJFTdj4/vpnpoJc2l+v3JHwlQCzrtkojU=",
+ "lastModified": 1699781810,
+ "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "72bc1526268fda374cd17315e37b64ba340c5bf2",
+ "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
 "type": "github"
 },
 "original": {
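Review bot: The `wiki` node reuses the production GitHub client id `Iv1.95ed182c83df1d22` that targets/nixos-wiki2.thalheim.io/configuration.nix sets, so the VM fixture is tied to a real OAuth app although the test never exercises the login; an obviously fake placeholder (e.g. `githubClientId = "Iv1.0000000000000000";`, a constructed dummy) keeps the test self-contained. The `pkgs.writeText` password and secret files land in the world-readable Nix store, which is acceptable for throwaway fixtures but is exactly the pattern a reader might copy into a host config; a comment such as `# test-only: writeText puts these in the store, real hosts must use a runtime secret path` on `adminPasswordFile` makes that explicit. The script addresses the single node as `machine` while it is declared as `wiki`; the driver appears to alias a lone node that way, but `wiki.wait_for_unit(...)` would read unambiguously. Asserting only the "MediaWiki has been installed" banner also means a wrong `passwordFile` would go unnoticed, so a later admin login via the API would strengthen the check.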
@@ -42,11 +42,11 @@
 },
 "nixos-23_05": {
 "locked": {
- "lastModified": 1699291058,
- "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
+ "lastModified": 1699994397,
+ "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
+ "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8",
 "type": "github"
 },
 "original": {
@@ -58,11 +58,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1699099776,
- "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
+ "lastModified": 1700204040,
+ "narHash": "sha256-xSVcS5HBYnD3LTer7Y2K8ZQCDCXMa3QUD1MzRjHzuhI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
+ "rev": "c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad",
 "type": "github"
 },
 "original": {
@@ -90,11 +90,11 @@
 "nixpkgs-stable": []
 },
 "locked": {
- "lastModified": 1699311858,
- "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
+ "lastModified": 1700362823,
+ "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "664187539871f63857bda2d498f452792457b998",
+ "rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
 "type": "github"
 },
 "original": {
@@ -111,11 +111,11 @@
 ]
 },
 "locked": {
- "lastModified": 1699537893,
- "narHash": "sha256-alxdKClexvQRwzZh09FpRlrYijLSHJZl/SmolBXHUcE=",
+ "lastModified": 1700099573,
+ "narHash": "sha256-4zjIWPenAMaBlZnCaQvnBdMyWDX/mTgT2fe+CVFajW8=",
 "owner": "numtide",
 "repo": "srvos",
- "rev": "a0d29fdb2f27b1bd9979810ebccb3b4d9fcda977",
+ "rev": "48010180015cbda0b6cacf4555fcdd360054158d",
 "type": "github"
 },
 "original": {
@@ -131,11 +131,11 @@
 ]
 },
 "locked": {
- "lastModified": 1699656829,
- "narHash": "sha256-aqz/YOrllfsUF88FG+xhm+ywB+KxSE8FpPWSY6QnDvY=",
+ "lastModified": 1699786194,
+ "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "8b25ad882a6fc9905fa515c2b61d196b42ca79a3",
+ "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 0180fa7..249d1d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,28 +21,33 @@
 };
 outputs = inputs@{ flake-parts, ... }:
- flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
- systems = lib.systems.flakeExposed;
+ flake-parts.lib.mkFlake { inherit inputs; } ({ self, lib, ... }: {
+ systems = [
+ "aarch64-linux"
+ "x86_64-linux"
+ "riscv64-linux"
+
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ];
 imports = [
 inputs.treefmt-nix.flakeModule
 ./targets/flake-module.nix
 ./modules/flake-module.nix
+ ./checks/flake-module.nix
 ];
- perSystem = { config, pkgs, ... }: {
+ perSystem = { config, self', system, pkgs, ... }: {
 treefmt = {
 projectRootFile = "flake.nix";
 programs.hclfmt.enable = true;
 programs.nixpkgs-fmt.enable = true;
 };
 packages.default =
- let
- terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
- in
 pkgs.mkShell {
 packages = [
 pkgs.bashInteractive
 pkgs.sops
- (terraformHalal.withPlugins (p: [
+ (pkgs.opentofu.withPlugins (p: [
 p.netlify
 p.hcloud
 p.null
@@ -51,6 +56,14 @@
 ]))
 ];
 };
+
+ checks =
+ let
+ nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
+ packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
+ devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
+ in
+ nixosMachines // packages // devShells;
 };
 });
 }
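Review bot: `systems` now hard-codes the darwin and riscv64 targets, yet `perSystem.checks` is merged with the NixOS VM test registered by ./checks/flake-module.nix, which needs a Linux host to build; `nix flake check` on those systems will presumably fail on that one check. Gating it in checks/flake-module.nix with `checks = pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { test = import ./test.nix checkArgs; };` keeps the package and devShell checks usable everywhere (note that module only receives `pkgs`, hence `pkgs.lib`). The `nixosMachines` binding is also a single very long line; binding the `lib.filterAttrs (_: config: config.pkgs.system == system) self.nixosConfigurations` result to its own `let` name first would make the per-system filter readable.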
diff --git a/modules/nixos-wiki/default.nix b/modules/nixos-wiki/default.nix
index d1b662c..e2631f9 100644
--- a/modules/nixos-wiki/default.nix
+++ b/modules/nixos-wiki/default.nix
@@ -1,4 +1,7 @@
 { config, pkgs, lib, ... }:
+let
+ cfg = config.services.nixos-wiki;
+in
 {
 options = {
 services.nixos-wiki = {
@@ -6,31 +9,49 @@ type = lib.types.str; description = "The hostname of the wiki"; }; + adminPasswordFile = lib.mkOption { + type = lib.types.path; + description = "The password file for the wiki admin"; + }; githubClientId = lib.mkOption { type = lib.types.str; description = "The github client id for the wiki"; }; + githubClientSecretFile = lib.mkOption { + type = lib.types.path; + description = "The github client secret for the wiki"; + }; + emergencyContact = lib.mkOption { + type = lib.types.str; + description = "The emergency contact for the wiki"; + }; + passwordSender = lib.mkOption { + type = lib.types.str; + description = "default FROM address in emails"; + }; + noReplyAddress = lib.mkOption { + type = lib.types.str; + description = "default Reply-To address in emails"; + }; }; }; config = { - sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user; - sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user; services.mediawiki = { enable = true; webserver = "nginx"; database.type = "postgres"; nginx.hostName = config.services.nixos-wiki.hostname; uploadsDir = "/var/lib/mediawiki-uploads/"; - passwordFile = config.sops.secrets."nixos-wiki".path; + passwordFile = cfg.adminPasswordFile; extensions.SyntaxHighlight_GeSHi = null; # provides tags extensions.ParserFunctions = null; extensions.Cite = null; extensions.VisualEditor = null; extensions.AuthManagerOAuth = pkgs.fetchzip { - url = "https://github.com/Mic92/AuthManagerOAuth/releases/download/vendor-bugfix/AuthManagerOAuth.zip"; - hash = "sha256-Xq56QxBYpAG51HQw4TJLnzwHWztv0EhTGXk/i3w2+fs="; + url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip"; + hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc="; }; # Github login extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha extensions.StopForumSpam = pkgs.fetchzip { 
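Review bot: The new `path` options `adminPasswordFile` and `githubClientSecretFile` are read at runtime by the phpfpm worker (`passwordFile = cfg.adminPasswordFile;` here, `file_get_contents` in the next hunk), but this hunk also drops the `sops.secrets.*.owner` lines that made those files readable by `config.services.phpfpm.pools.mediawiki.user`, so that requirement now rests on every consumer and is stated nowhere. The descriptions should carry it, e.g. `description = "Path to a file containing the wiki admin password; must be readable by the phpfpm mediawiki user and must not be a store path";`, and likewise for `githubClientSecretFile`, whose current text "The github client secret for the wiki" reads as if the secret value itself were expected. Since `lib.types.path` also accepts a literal `./secret`, which would presumably be copied into the world-readable Nix store when interpolated, a short warning in the description or an `assertion` rejecting `/nix/store` prefixes is worth adding. The options block of this module begins and ends outside the hunk.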
@@ -44,8 +65,8 @@ # allow local login $wgAuthManagerOAuthConfig = [ 'github' => [ - 'clientId' => '${config.services.nixos-wiki.githubClientId}', - 'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"), + 'clientId' => '${cfg.githubClientId}', + 'clientSecret' => file_get_contents("${cfg.githubClientSecretFile}"), 'urlAuthorize' => 'https://github.com/login/oauth/authorize', 'urlAccessToken' => 'https://github.com/login/oauth/access_token', 'urlResourceOwnerDetails' => 'https://api.github.com/user' @@ -95,9 +116,10 @@ $wgEnableEmail = true; $wgAllowHTMLEmail = false; - $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io"; - $wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address - $wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address + + $wgEmergencyContact = "${cfg.emergencyContact}"; + $wgPasswordSender = "${cfg.passwordSender}"; + $wgNoReplyAddress = "${cfg.noReplyAddress}"; # To purge all page cache increase this using: date +%Y%m%d%H%M%S $wgCacheEpoch = 20231115172319; @@ -108,7 +130,7 @@ security.acme.acceptTerms = true; services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = { enableACME = lib.mkDefault true; - forceSSL = true; + forceSSL = lib.mkDefault true; locations."=/nixos.png".alias = ./nixos.png; }; }; diff --git a/targets/nixos-wiki2.thalheim.io/configuration.nix b/targets/nixos-wiki2.thalheim.io/configuration.nix index 9d8ddab..eec88d0 100644 --- a/targets/nixos-wiki2.thalheim.io/configuration.nix +++ b/targets/nixos-wiki2.thalheim.io/configuration.nix @@ -1,4 +1,4 @@ -{ self, lib, ... }: +{ self, lib, config, ... }: let nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json); in 
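Review bot: `file_get_contents("${cfg.githubClientSecretFile}")` returns the file verbatim, so a secret file ending in a newline (typical for editor-written or `echo`-generated files) produces a client secret GitHub rejects, with no hint in the logs; `'clientSecret' => trim(file_get_contents("${cfg.githubClientSecretFile}")),` avoids that. The path and `cfg.githubClientId` are also interpolated unescaped into PHP string literals, which is fine for the values shown but means a path or id containing `"`, `'`, `$` or `\` would silently break the generated LocalSettings; `lib.escape [ "'" "\\" ] cfg.githubClientId` for the single-quoted id, or an assertion on the option, would pin that contract. The `$wgAuthManagerOAuthConfig` array and the enclosing PHP extraConfig string start and end outside the hunk.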
@@ -10,9 +10,21 @@ in ]; users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys; system.stateVersion = "23.11"; - services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io"; security.acme.defaults.email = "joerg.letsencrypt@thalheim.io"; - services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22"; + + sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user; + sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user; + + services.nixos-wiki = { + hostname = "nixos-wiki2.thalheim.io"; + adminPasswordFile = config.sops.secrets.nixos-wiki.path; + githubClientId = "Iv1.95ed182c83df1d22"; + githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path; + emergencyContact = "nixos-wiki@thalheim.io"; + passwordSender = "nixos-wiki@thalheim.io"; + noReplyAddress = "nixos-wiki-no-reply@thalheim.io"; + }; + sops.defaultSopsFile = ./secrets.yaml; boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ]; }
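Review bot: The hunk sets `emergencyContact = "nixos-wiki@thalheim.io"`, while the line it replaces in modules/nixos-wiki/default.nix hard-coded `$wgEmergencyContact = "nixos-wiki-emergency@thalheim.io"`, so the deployed wiki's emergency address changes as a side effect of this refactor; if that is unintended, restore `emergencyContact = "nixos-wiki-emergency@thalheim.io";`. Moving the `sops.secrets.*.owner` assignments next to the option values that consume them is the right place for them, but the reason is no longer visible anywhere; a one-line comment such as `# the phpfpm worker reads these at runtime, hence the owner` above them would keep the next consumer from omitting it. The attribute set these lines belong to is opened above the hunk.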