Merge pull request #16 from Mic92/ci

improve CI

README.md

@@ -19,9 +19,3 @@ systemctl start wiki-backup.service && systemctl start wiki-restore
 ```
 
 Note that `nixos-wiki-backup` will do this restore every night.
-
-## Outstanding patches
-
-I have encountered some regressions in mediawiki's latest release.
-Patches are included in this repository.
-The patches have been sent to upstream here: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/971581

checks/flake-module.nix

@@ -0,0 +1,15 @@
+{ self, ... }: {
+  perSystem =
+    { pkgs
+    , ...
+    }: {
+      checks =
+        let
+          # this gives us a reference to our flake but also all flake inputs
+          checkArgs = { inherit self pkgs; };
+        in
+        {
+          test = import ./test.nix checkArgs;
+        };
+    };
+}

checks/lib.nix

@@ -0,0 +1,20 @@
+# tests/lib.nix
+# The first argument to this function is the test module itself
+test:
+# These arguments are provided by `flake.nix` on import, see checkArgs
+{ pkgs, self }:
+let
+  inherit (pkgs) lib;
+  # this imports the nixos library that contains our testing framework
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+  hostPkgs = pkgs;
+  # This speeds up the evaluation by skipping evaluating documentation (optional)
+  defaults.documentation.enable = lib.mkDefault false;
+  # This makes `self` available in the NixOS configuration of our virtual machines.
+  # This is useful for referencing modules or packages from your own flake
+  # as well as importing from other flakes.
+  node.specialArgs = { inherit self; };
+  imports = [ test ];
+}).config.result

checks/test.nix

@@ -0,0 +1,35 @@
+(import ./lib.nix) {
+  name = "nixos-wiki";
+  nodes = {
+    # `self` here is set by using specialArgs in `lib.nix`
+    wiki = { self, pkgs, config, ... }: {
+      imports = [
+        self.nixosModules.nixos-wiki
+      ];
+      security.acme.defaults.email = "admin@example.com";
+      services.nixos-wiki = {
+        hostname = "nixos-wiki.example.com";
+        adminPasswordFile = pkgs.writeText "adminPasswordFile" "Creation-Fabric-Untrimmed3";
+        githubClientId = "Iv1.95ed182c83df1d22";
+        githubClientSecretFile = pkgs.writeText "githubClientSecretFile" "secret";
+        emergencyContact = "nixos-wiki@thalheim.io";
+        passwordSender = "nixos-wiki@thalheim.io";
+        noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
+      };
+      services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+        enableACME = false;
+        forceSSL = false;
+      };
+    };
+  };
+  # This is the test code that will check if our service is running correctly:
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("phpfpm-mediawiki.service")
+    machine.wait_for_unit("nginx.service")
+
+    page = machine.succeed("curl -vL http://localhost/")
+    assert "MediaWiki has been installed" in page
+  '';
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699483000,
+        "lastModified": 1699781810,
-        "narHash": "sha256-zWEj1e6r2KNJFTdj4/vpnpoJc2l+v3JHwlQCzrtkojU=",
+        "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "72bc1526268fda374cd17315e37b64ba340c5bf2",
+        "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
         "type": "github"
       },
       "original": {
@@ -42,11 +42,11 @@
     },
     "nixos-23_05": {
       "locked": {
-        "lastModified": 1699291058,
+        "lastModified": 1699994397,
-        "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
+        "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
+        "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1699099776,
+        "lastModified": 1700204040,
-        "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
+        "narHash": "sha256-xSVcS5HBYnD3LTer7Y2K8ZQCDCXMa3QUD1MzRjHzuhI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
+        "rev": "c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad",
         "type": "github"
       },
       "original": {
@@ -90,11 +90,11 @@
         "nixpkgs-stable": []
       },
       "locked": {
-        "lastModified": 1699311858,
+        "lastModified": 1700362823,
-        "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
+        "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "664187539871f63857bda2d498f452792457b998",
+        "rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
         "type": "github"
       },
       "original": {
@@ -111,11 +111,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699537893,
+        "lastModified": 1700099573,
-        "narHash": "sha256-alxdKClexvQRwzZh09FpRlrYijLSHJZl/SmolBXHUcE=",
+        "narHash": "sha256-4zjIWPenAMaBlZnCaQvnBdMyWDX/mTgT2fe+CVFajW8=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "a0d29fdb2f27b1bd9979810ebccb3b4d9fcda977",
+        "rev": "48010180015cbda0b6cacf4555fcdd360054158d",
         "type": "github"
       },
       "original": {
@@ -131,11 +131,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699656829,
+        "lastModified": 1699786194,
-        "narHash": "sha256-aqz/YOrllfsUF88FG+xhm+ywB+KxSE8FpPWSY6QnDvY=",
+        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "8b25ad882a6fc9905fa515c2b61d196b42ca79a3",
+        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
         "type": "github"
       },
       "original": {

flake.nix

@@ -21,28 +21,33 @@
   };
 
   outputs = inputs@{ flake-parts, ... }:
-    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
+    flake-parts.lib.mkFlake { inherit inputs; } ({ self, lib, ... }: {
-      systems = lib.systems.flakeExposed;
+      systems = [
+        "aarch64-linux"
+        "x86_64-linux"
+        "riscv64-linux"
+
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
       imports = [
         inputs.treefmt-nix.flakeModule
         ./targets/flake-module.nix
         ./modules/flake-module.nix
+        ./checks/flake-module.nix
       ];
-      perSystem = { config, pkgs, ... }: {
+      perSystem = { config, self', system, pkgs, ... }: {
         treefmt = {
           projectRootFile = "flake.nix";
           programs.hclfmt.enable = true;
           programs.nixpkgs-fmt.enable = true;
         };
         packages.default =
-          let
-            terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
-          in
           pkgs.mkShell {
             packages = [
               pkgs.bashInteractive
               pkgs.sops
-              (terraformHalal.withPlugins (p: [
+              (pkgs.opentofu.withPlugins (p: [
                 p.netlify
                 p.hcloud
                 p.null
@@ -51,6 +56,14 @@
               ]))
             ];
           };
+
+        checks =
+          let
+            nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
+            packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
+            devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
+          in
+          nixosMachines // packages // devShells;
       };
     });
 }

modules/nixos-wiki/default.nix

@@ -1,4 +1,7 @@
 { config, pkgs, lib, ... }:
+let
+  cfg = config.services.nixos-wiki;
+in
 {
   options = {
     services.nixos-wiki = {
@@ -6,31 +9,49 @@
         type = lib.types.str;
         description = "The hostname of the wiki";
       };
+      adminPasswordFile = lib.mkOption {
+        type = lib.types.path;
+        description = "The password file for the wiki admin";
+      };
       githubClientId = lib.mkOption {
         type = lib.types.str;
         description = "The github client id for the wiki";
       };
+      githubClientSecretFile = lib.mkOption {
+        type = lib.types.path;
+        description = "The github client secret for the wiki";
+      };
+      emergencyContact = lib.mkOption {
+        type = lib.types.str;
+        description = "The emergency contact for the wiki";
+      };
+      passwordSender = lib.mkOption {
+        type = lib.types.str;
+        description = "default FROM address in emails";
+      };
+      noReplyAddress = lib.mkOption {
+        type = lib.types.str;
+        description = "default Reply-To address in emails";
+      };
     };
   };
 
   config = {
-    sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
-    sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
     services.mediawiki = {
       enable = true;
       webserver = "nginx";
       database.type = "postgres";
       nginx.hostName = config.services.nixos-wiki.hostname;
       uploadsDir = "/var/lib/mediawiki-uploads/";
-      passwordFile = config.sops.secrets."nixos-wiki".path;
+      passwordFile = cfg.adminPasswordFile;
 
       extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
       extensions.ParserFunctions = null;
       extensions.Cite = null;
       extensions.VisualEditor = null;
       extensions.AuthManagerOAuth = pkgs.fetchzip {
-        url = "https://github.com/Mic92/AuthManagerOAuth/releases/download/vendor-bugfix/AuthManagerOAuth.zip";
+        url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip";
-        hash = "sha256-Xq56QxBYpAG51HQw4TJLnzwHWztv0EhTGXk/i3w2+fs=";
+        hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc=";
       }; # Github login
       extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
       extensions.StopForumSpam = pkgs.fetchzip {
@@ -44,8 +65,8 @@
         # allow local login
         $wgAuthManagerOAuthConfig = [
           'github' => [
-            'clientId'                => '${config.services.nixos-wiki.githubClientId}',
+            'clientId'                => '${cfg.githubClientId}',
-            'clientSecret'            => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
+            'clientSecret'            => file_get_contents("${cfg.githubClientSecretFile}"),
             'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
             'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
             'urlResourceOwnerDetails' => 'https://api.github.com/user'
@@ -95,9 +116,10 @@
 
         $wgEnableEmail = true;
         $wgAllowHTMLEmail = false;
-        $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
+
-        $wgPasswordSender   = "nixos-wiki@thalheim.io";           # Default FROM address
+        $wgEmergencyContact = "${cfg.emergencyContact}";
-        $wgNoReplyAddress   = "nixos-wiki-no-reply@thalheim.io";  # Default Reply-To address
+        $wgPasswordSender   = "${cfg.passwordSender}";
+        $wgNoReplyAddress   = "${cfg.noReplyAddress}";
 
         # To purge all page cache increase this using: date +%Y%m%d%H%M%S
         $wgCacheEpoch = 20231115172319;
@@ -108,7 +130,7 @@
     security.acme.acceptTerms = true;
     services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
       enableACME = lib.mkDefault true;
-      forceSSL = true;
+      forceSSL = lib.mkDefault true;
       locations."=/nixos.png".alias = ./nixos.png;
     };
   };

targets/nixos-wiki2.thalheim.io/configuration.nix

@@ -1,4 +1,4 @@
-{ self, lib, ... }:
+{ self, lib, config, ... }:
 let
   nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
 in
@@ -10,9 +10,21 @@ in
   ];
   users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
   system.stateVersion = "23.11";
-  services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
   security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
-  services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
+
+  sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
+  sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
+
+  services.nixos-wiki = {
+    hostname = "nixos-wiki2.thalheim.io";
+    adminPasswordFile = config.sops.secrets.nixos-wiki.path;
+    githubClientId = "Iv1.95ed182c83df1d22";
+    githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
+    emergencyContact = "nixos-wiki@thalheim.io";
+    passwordSender = "nixos-wiki@thalheim.io";
+    noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
+  };
+
   sops.defaultSopsFile = ./secrets.yaml;
   boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
 }