|
| 1 | +{ hostConfig, config, pkgs, lib, ... }: |
| 2 | + |
| 3 | +let |
| 4 | + cfg = hostConfig.services.hawiki; |
| 5 | + |
| 6 | + # Shared between wikimedia config and nginx config |
| 7 | + uploadPath = "/wikiupload"; |
| 8 | + staticPath = "/wikistatic"; |
| 9 | + |
| 10 | + # ?? |
| 11 | + wikistatic = ../wikistatic; |
| 12 | +in { |
| 13 | + |
| 14 | +system.stateVersion = "24.05"; |
| 15 | + |
| 16 | +networking.useDHCP = false; |
| 17 | +networking = { |
| 18 | + firewall = { |
| 19 | + enable = true; |
| 20 | + allowedTCPPorts = [ 8081 ]; |
| 21 | + }; |
| 22 | + useHostResolvConf = lib.mkForce false; |
| 23 | +}; |
| 24 | +systemd.services.mediawiki = { |
| 25 | + serviceConfig.LoadCredential = [ "hawiki-pass-file:hawiki-pass-file" ]; |
| 26 | + serviceConfig.Environment = [ "HAWIKI_PASS_FILE=%d/hawiki-pass-file" ]; |
| 27 | +}; |
| 28 | +services.mediawiki = { |
| 29 | + enable = true; |
| 30 | + webserver = "none"; |
| 31 | + url = "${if cfg.secure then "https" else "http"}://${cfg.url}"; |
| 32 | + name = "HaskellWiki"; |
| 33 | + passwordSender = "haskell-cafe@haskell.org"; |
| 34 | + passwordFile = "/var/lib/mediawiki/hawiki-pass"; |
| 35 | + |
| 36 | + nginx.hostName = cfg.url; |
| 37 | + |
| 38 | + extraConfig = |
| 39 | + '' |
| 40 | + $wgEmergencyContact = "haskell-cafe@haskell.org"; |
| 41 | +
|
| 42 | + $wgMainCacheType = CACHE_MEMCACHED; |
| 43 | + $wgMemCachedServers = array( "127.0.0.1:11211" ); |
| 44 | + $wgSessionsInObjectCache = true; |
| 45 | + $wgSessionCacheType = CACHE_MEMCACHED; |
| 46 | + $wgSessionsInMemcached = true; |
| 47 | + $wgEnableSidebarCache = true; |
| 48 | +
|
| 49 | + $wgDisableCounters = true; |
| 50 | +
|
| 51 | + $wgEnableCreativeCommonsRdf = true; |
| 52 | + $wgRightsPage = "HaskellWiki:Copyrights"; |
| 53 | + $wgRightsUrl = "https://wiki.haskell.org/HaskellWiki:Copyrights"; |
| 54 | + $wgRightsText = "simple permissive license"; |
| 55 | +
|
| 56 | + $wgMathValidModes = ['source', 'native', 'mathjax' ]; |
| 57 | + $wgDefaultUserOptions['math'] = 'native'; |
| 58 | +
|
| 59 | + unset( $wgFooterIcons['poweredby'] ); |
| 60 | +
|
| 61 | + # Edit and user-creation restrictions |
| 62 | +
|
| 63 | + ## Don't allow anonymous users to edit |
| 64 | + $wgGroupPermissions['*']['edit'] = false; |
| 65 | +
|
| 66 | + ## Don't even let them sign up |
| 67 | + $wgGroupPermissions['*']['createaccount'] = false; |
| 68 | +
|
| 69 | + ## Somewhat redundantly, require email confirmation to edit |
| 70 | + $wgEmailConfirmToEdit = true; |
| 71 | +
|
| 72 | + ## The createaccount group, for users who can always create accounts |
| 73 | + $wgAvailableRights[] = 'createaccount'; |
| 74 | + $wgGroupPermissions['createaccount']['createaccount'] = true; |
| 75 | +
|
| 76 | +
|
| 77 | + # This is used to render URLs to uploaded files. |
| 78 | + $wgUploadPath = '${uploadPath}'; |
| 79 | +
|
| 80 | + # Let users opt in to various notifications |
| 81 | + $wgEnotifUserTalk = true; |
| 82 | + $wgEnotifWatchlist = true; |
| 83 | +
|
| 84 | + # This is the default, but timezones are scary so let's be |
| 85 | + # specific. |
| 86 | + $wgLocaltimezone = 'UTC'; |
| 87 | +
|
| 88 | + # Duplicate earlier legacy settings. |
| 89 | + $wgNamespacesWithSubpages[NS_MAIN] = true; |
| 90 | + $wgNamespacesWithSubpages[NS_CATEGORY] = true; |
| 91 | +
|
| 92 | + # Disable cache-busting that Nix defeats anyway |
| 93 | + $wgInvalidateCacheOnLocalSettingsChange = false; |
| 94 | +
|
| 95 | + # Static assets |
| 96 | + $wgLogos = [ |
| 97 | + # Not enabled cause it is not square and looks like garbage |
| 98 | + # after getting squashed. |
| 99 | + # 'icon' => "${staticPath}/haskellwiki_logo.png", |
| 100 | + '1x' => "${staticPath}/haskellwiki_logo.png", |
| 101 | + '2x' => "${staticPath}/haskellwiki_logo.png", |
| 102 | + ]; |
| 103 | + $wgFavicon = "${staticPath}/favicon.ico"; |
| 104 | + ''; |
| 105 | + |
| 106 | + extensions = { |
| 107 | + Cite = null; |
| 108 | + SyntaxHighlight_GeSHi = null; |
| 109 | + Math = null; |
| 110 | + Interwiki = null; |
| 111 | + WikiEditor = null; |
| 112 | + CiteThisPage = null; |
| 113 | + ConfirmEdit = null; |
| 114 | + Gadgets = null; |
| 115 | + ImageMap = null; |
| 116 | + InputBox = null; |
| 117 | + Nuke = null; |
| 118 | + ParserFunctions = null; |
| 119 | + Poem = null; |
| 120 | + |
| 121 | + # TODO: Remove this manual installation of TemplateStyles once MediaWiki is upgraded to 1.44 or later, |
| 122 | + # since the TemplateStyles extension will be bundled by default starting from that version. |
| 123 | + |
| 124 | + TemplateStyles = builtins.fetchGit { |
| 125 | + url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles.git"; |
| 126 | + rev = "f7da7be4e6d1cd314b4980e16364bb68f8ad8c8e"; |
| 127 | + }; |
| 128 | + SpamBlacklist = null; |
| 129 | + TitleBlacklist = null; |
| 130 | + SimpleMathJax = builtins.fetchGit |
| 131 | + { url = "https://github.com/jmnote/SimpleMathJax.git"; |
| 132 | + rev = "fab35e6ac66e1f5abd3c91a57719f8180dd346ef"; |
| 133 | + }; |
| 134 | + CollapsibleVector = pkgs.fetchgit |
| 135 | + { url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/CollapsibleVector"; |
| 136 | + rev = "3fddfb23f86061bbfafda6554b1d7c5f11edfcac"; |
| 137 | + sha256 = "0fl80l3xi4fl98msmbwdi8vzynaaa9r6lp37hpb7faxhpkzb9wxh"; |
| 138 | + }; |
| 139 | + SyntaxHighlightHaskellAlias = ../SyntaxHighlightHaskellAlias; |
| 140 | + }; |
| 141 | + |
| 142 | + database = { |
| 143 | + type = "mysql"; |
| 144 | + createLocally = true; |
| 145 | + }; |
| 146 | +}; |
| 147 | + |
| 148 | +services.memcached = { |
| 149 | + enable = true; |
| 150 | +}; |
| 151 | + |
| 152 | +systemd.services.nginx.serviceConfig = { |
| 153 | + SupplementaryGroups = [ config.users.groups.mediawiki.name ]; |
| 154 | +}; |
| 155 | + |
| 156 | +services.nginx = { |
| 157 | + enable = true; |
| 158 | + # inspired by https://www.mediawiki.org/wiki/Manual:Short_URL/Nginx |
| 159 | + virtualHosts.${config.services.mediawiki.nginx.hostName} = { |
| 160 | + root = "${config.services.mediawiki.finalPackage}/share/mediawiki"; |
| 161 | + listen = [ |
| 162 | + { |
| 163 | + addr = "127.0.0.1"; |
| 164 | + port = 8081; |
| 165 | + } |
| 166 | + ]; |
| 167 | + locations = let |
| 168 | + withTrailingSlash = str: if lib.hasSuffix "/" str then str else "${str}/"; |
| 169 | + in { |
| 170 | + "~ ^/(index|load|api|thumb|opensearch_desc|rest|img_auth)\\.php$".extraConfig = '' |
| 171 | + include ${config.services.nginx.package}/conf/fastcgi.conf; |
| 172 | + fastcgi_index index.php; |
| 173 | + fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; |
| 174 | + ''; |
| 175 | + "${uploadPath}/".alias = withTrailingSlash config.services.mediawiki.uploadsDir; |
| 176 | + # Deny access to deleted images folder |
| 177 | + "${uploadPath}/deleted".extraConfig = '' |
| 178 | + deny all; |
| 179 | + ''; |
| 180 | + # MediaWiki assets (usually images) |
| 181 | + "~ ^/resources/(assets|lib|src)".extraConfig = '' |
| 182 | + rewrite ^/w(/.*) $1 break; |
| 183 | + add_header Cache-Control "public"; |
| 184 | + expires 7d; |
| 185 | + ''; |
| 186 | + # Assets, scripts and styles from skins and extensions |
| 187 | + "~ ^/(skins|extensions)/.+\\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$".extraConfig = '' |
| 188 | + rewrite ^(/.*) $1 break; |
| 189 | + add_header Cache-Control "public"; |
| 190 | + expires 7d; |
| 191 | + ''; |
| 192 | + |
| 193 | + # Handling for Mediawiki REST API, see [[mw:API:REST_API]] |
| 194 | + "/rest.php/".tryFiles = "$uri $uri/ /rest.php?$query_string"; |
| 195 | + |
| 196 | + # Custom modification used on Haskell wiki |
| 197 | + "^~ ${staticPath}/".alias = withTrailingSlash wikistatic; |
| 198 | + |
| 199 | + # Handling for the article path (pretty URLs) |
| 200 | + "/".extraConfig = '' |
| 201 | + rewrite ^/(?<pagename>.*)$ /index.php?title=$1; |
| 202 | + ''; |
| 203 | + }; |
| 204 | + }; |
| 205 | +}; |
| 206 | +} |
0 commit comments