From 530087cf0574545cb22f39d636065204d3c7f78c Mon Sep 17 00:00:00 2001
From: Jade
Date: Wed, 3 May 2023 00:01:02 +0200
Subject: [PATCH] get mediawiki working finally with auth and permissions
---
flake.lock | 82 +++++++++++++++++++++++--
flake.nix | 13 ++--
modules/containers/default.nix | 1 +
modules/containers/penpot.nix | 92 ++++++++++++++++++++++++++++
modules/containers/phtanumb-wiki.nix | 27 ++++++--
modules/proxy.nix | 44 ++++++++++---
6 files changed, 237 insertions(+), 22 deletions(-)
create mode 100644 modules/containers/penpot.nix
diff --git a/flake.lock b/flake.lock
index 05520eb..4d59e10 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,85 @@ { "nodes": { + "arion": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1682181677, + "narHash": "sha256-El8WQ2ccxWwkSrjuwKNR0gD/O7vS/KLBY4Q2/nF8m1c=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "6a1f03329c400327b3b2e0ed5e1efff11037ba67", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "arion", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1675933616, + "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "haskell-flake": { + "locked": { + "lastModified": 1675296942, + "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", + "type": "github" + }, + "original": { + "owner": "srid", + "ref": "0.1.0", + "repo": "haskell-flake", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1682303062, - "narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=", + "lastModified": 1676300157, + "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f5364316e314436f6b9c8fd50592b18920ab18f9", + "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1683028696, + "narHash": "sha256-saPKTDj+HB9aPvB59wGcJ64CifRuiIt2CHvSbh7UHz8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5dab6490fe6d72b3f120ae8660181e20f396fbdf", "type": "github" 
}, "original": { @@ -18,7 +91,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "arion": "arion", + "nixpkgs": "nixpkgs_2" } } }, diff --git a/flake.nix b/flake.nix index 7f81e1e..5e27324 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,15 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; + #nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + arion.url = "github:hercules-ci/arion"; }; outputs = { self, nixpkgs, ... }@inputs: let - pkgs = import nixpkgs { system = "x86_64-linux"; }; + hostPkgs = import nixpkgs { system = "x86_64-linux"; }; in { - devShell."x86_64-linux" = with pkgs; mkShell { + devShell."x86_64-linux" = with hostPkgs; mkShell { buildInputs = [ colmena ]; }; colmena = { @@ -16,9 +18,12 @@ system = "aarch64-linux"; overlays = []; }; + specialArgs = { + inherit inputs; + }; }; - katzencafe = { name, nodes, pkgs, ... }: { + katzencafe = { name, nodes, pkgs, inputs, ... }: { deployment = { targetHost = "katzen.cafe"; buildOnTarget = true; @@ -27,7 +32,7 @@ ./modules/base-stuff.nix ./modules/proxy.nix ./modules/postgres.nix - #./modules/jitsi.nix + ./modules/jitsi.nix ./modules/containers ./modules/keycloak.nix ]; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index f264e83..211976a 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -2,5 +2,6 @@ { imports = [ ./phtanumb-wiki.nix + ./penpot.nix ]; } diff --git a/modules/containers/penpot.nix b/modules/containers/penpot.nix new file mode 100644 index 0000000..dc85a23 --- /dev/null +++ b/modules/containers/penpot.nix 
@@ -0,0 +1,92 @@
+{ pkgs, inputs, ... }:
+{
+ imports = [ inputs.arion.nixosModules.arion ];
+ virtualisation.docker.enable = true;
+ virtualisation.arion = {
+ backend = "docker";
+ projects.penpot.settings = {
+ networks.penpot.name = "penpot";
+ services = {
+ "penpot-backend".service = {
+ image = "penpotapp/backend:latest";
+ volumes = [ "/penpot/assets:/opt/data/assets" ];
+ depends_on = [ "penpot-postgres" "penpot-redis" ];
+ networks = [ "penpot" ];
+ environment = {
+ "PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc";
+ "PENPOT_PREPL_HOST" = "0.0.0.0";
+
+ "PENPOT_PUBLIC_URI" = "https://design.katzen.cafe/";
+
+ "PENPOT_DATABASE_URI" = "postgresql://penpot-postgres/penpot";
+ "PENPOT_DATABASE_USERNAME" = "penpot";
+ "PENPOT_DATABASE_PASSWORD" = "penpot";
+ "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
+
+ "PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
+ "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
+ #"PENPOT_OIDC_NAME_ATTR" = "username";
+
+ "PENPOT_TELEMETRY_ENABLED" = "false";
+
+ "PENPOT_OIDC_CLIENT_ID" = "penpot";
+ "PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/master/";
+ #"PENPOT_OIDC_" = "";
+
+ #"PENPOT_SMTP_DEFAULT_FROM" = "Penpot ";
+ #"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot ";
+ #"PENPOT_SMTP_HOST" = "smtp.migadu.com";
+ #"PENPOT_SMTP_PORT" = "587";
+ #"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
+ #"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
+ #"PENPOT_SMTP_TLS" = "true";
+ #"PENPOT_SMTP_SSL" = "false";
+ };
+ env_file = [ "/penpot/secret/oidcPpSecret" ];
+ };
+ "penpot-frontend".service = {
+ image = "penpotapp/frontend:latest";
+ ports = [ "9001:80" ];
+ volumes = [ "/penpot/assets:/opt/data/assets" ];
+ depends_on = [ "penpot-backend" "penpot-exporter" ];
+ networks = [ "penpot" ];
+ environment = {
+ "PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc";
+ };
+ };
+ "penpot-exporter".service = {
+ image = "penpotapp/exporter:latest";
+ networks = [ "penpot" ];
+ environment = {
+ "PENPOT_PUBLIC_URI" = "http://penpot-frontend";
+ "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
+ };
+ };
+ "penpot-postgres".service = {
+ image = "postgres:15";
+ stop_signal = "SIGINT";
+ volumes = [ "/penpot/postgres_v15:/var/lib/postgresql/data" ];
+ networks = [ "penpot" ];
+ environment = {
+ "POSTGRES_INITDB_ARGS" = "--data-checksums";
+ "POSTGRES_DB" = "penpot";
+ "POSTGRES_USER" = "penpot";
+ "POSTGRES_PASSWORD" = "penpot";
+ };
+ };
+ "penpot-redis".service = {
+ image = "redis:7";
+ networks = [ "penpot" ];
+ };
+ };
+ };
+ };
+ deployment.keys = {
+ "oidcPpSecret" = {
+ keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-keycloak-secret" ];
+ destDir = "/penpot/secret/";
+ };
+ };
+}
+
+
diff --git a/modules/containers/phtanumb-wiki.nix b/modules/containers/phtanumb-wiki.nix
index 20b0351..512f206 100644
--- a/modules/containers/phtanumb-wiki.nix
+++ b/modules/containers/phtanumb-wiki.nix
@@ -36,15 +36,33 @@
 virtualHost.adminAddr = "admin@katzen.cafe";
 passwordFile = "/var/mediawiki/passwordFile";
 extraConfig = ''
+ # $wgShowExceptionDetails = true;
+ # $wgDebugToolbar = true;
+ # $wgShowDebug = true;
+ # $wgDevelopmentWarnings = true;
+
 # Disable anonymous editing
 $wgGroupPermissions['*']['edit'] = false;
+ $wgGroupPermissions['oidc_editor']['edit'] = true;
+ $wgGroupPermissions['oidc_editor']['createpage'] = true;
+
+ $wgGroupPermissions['oidc_interface_admin'] = $wgGroupPermissions['interface_admin'];
+ $wgGroupPermissions['oidc_admin'] = $wgGroupPermissions['sysop'];
+ $wgGroupPermissions['oidc_admin']['userrights'] = true;
+
 $wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
- $wgPluggableAuth_Config["katzen.cafe authentication"] = [
+
+ $oidcClientSecret = file_get_contents('/var/mediawiki/keycloakClientSecret', false, null, 0, 32);
+
+ $wgPluggableAuth_Config[] = [
 'plugin' => 'OpenIDConnect',
 'data' => [
- 'providerURL' => 'https://auth.katzen.cafe/realms/master/',
+ 'providerURL' => 'https://auth.katzen.cafe/realms/phtanum-b',
 'clientID' => 'phtanumb-wiki',
- 'clientsecret' => '/var/mediawiki/keycloakClientSecret',
+ # hack to try dynamically get the secret
+ 'clientsecret' => $oidcClientSecret,
+ 'global_roles' => ['property' => ['realm_access', 'roles']],
+ 'wiki_roles' => ['property' => ['resource_access', 'phtanumb-wiki', 'roles']]
 ]
 ];
 '';
@@ -65,12 +83,13 @@
 };
 deployment.keys = {
 "passwordFile" = {
- keyCommand = [ "cat" "/home/jade/keys/phtanumb-wiki/passwordFile" ];
+ keyCommand = [ "cat" "/home/jade/keys-tmp/phtanumb-wiki-passwordFile" ];
 destDir = "/phtanum-b/wiki";
 };
 "keycloakClientSecret" = {
 keyCommand = [ "cat" "/home/jade/keys-tmp/phtanumb-wiki-keycloak-secret" ];
 destDir = "/phtanum-b/wiki";
+ permissions = "0604";
 };
 };
 }
diff --git a/modules/proxy.nix b/modules/proxy.nix
index 7c4ebfb..96b06b2 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
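Review bot: `file_get_contents('/var/mediawiki/keycloakClientSecret', false, null, 0, 32)` caps the secret at 32 bytes, so a longer or rotated client secret is silently truncated (OIDC then fails with an opaque invalid_client), while a shorter one keeps its trailing newline. Read the whole file and strip whitespace: `$oidcClientSecret = trim(file_get_contents('/var/mediawiki/keycloakClientSecret'));` — the `# hack to try dynamically get the secret` comment can then go. Further up, `$wgGroupPermissions['oidc_admin']['userrights'] = true;` lets a Keycloak-mapped group change any local user's group membership, a right that MediaWiki's default permissions give to bureaucrats rather than sysops; if that is intended, say so next to it, e.g. `# oidc_admin may edit local group membership; keep in step with the Keycloak role mapping`. The enclosing attribute set (mediawiki service options, by the look of it) starts before this hunk.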
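Review bot: `permissions = "0604";` on keycloakClientSecret makes the OIDC client secret readable by every account on the host, presumably so the PHP worker, which is not the key's owner, can open it. Colmena's deployment.keys also take `user`/`group`, so give the file to the account that runs MediaWiki and keep the mode tight, e.g. `user = "mediawiki"; group = "mediawiki"; permissions = "0400";` with the real service account substituted. Note that destDir is `/phtanum-b/wiki` while LocalSettings reads `/var/mediawiki/keycloakClientSecret`, so this only lines up if that directory is bind-mounted into the container at /var/mediawiki — a comment beside destDir stating that would save the next reader the search.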
@@ -7,10 +7,10 @@ webroot = "/var/lib/acme/acme-challenge"; }; certs = { - #"meet.katzen.cafe" = { - #group = "nginx"; - #keyType = "rsa4096"; - #}; + "meet.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; "wiki.phtanum-b.katzen.cafe" = { group = "nginx"; keyType = "rsa4096"; @@ -19,10 +19,20 @@ group = "nginx"; keyType = "rsa4096"; }; + "design.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; }; }; services.nginx = { enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + virtualHosts = { "wiki.phtanum-b.katzen.cafe" = { forceSSL = true; @@ -36,14 +46,28 @@ enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + proxy_buffers 4 256k; + proxy_buffer_size 128k; + proxy_busy_buffers_size 256k; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_protocol_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + #extraConfig = '' + #''; + }; + "design.katzen.cafe" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9001"; + proxyWebsockets = true; }; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_protocol_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - ''; }; }; - }; }
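Review bot: The new extraConfig for the wiki location sets `X-Forwarded-For` twice — first to `$proxy_protocol_addr`, which is empty unless the listener is configured with proxy_protocol (nothing in this file turns it on), then to `$proxy_add_x_forwarded_for` — so the upstream receives two headers, the first blank, and a client-supplied X-Forwarded-For travels along as the head of the second. Drop `proxy_set_header X-Forwarded-For $proxy_protocol_addr;`. With `recommendedProxySettings = true` now enabled, NixOS already adds Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to every proxied location, so the remaining proxy_set_header lines duplicate it and only the three `proxy_buffer*` directives need to stay. `proxyPass = "http://localhost:9001"` for design.katzen.cafe is fine provided the container port is published on loopback only, which is worth checking against penpot.nix.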