  1  # SPDX-FileCopyrightText: 2024-2025 sntx <sntx@sntx.space>
  2  # SPDX-License-Identifier: AGPL-3.0-or-later
  3  
  4  { config, inputs, ... }:
  5  let
  6    inherit (inputs.cells.meta.lib) l;
  7  
  8    id = 3;
  9    name = "wiki-test";
 10    port = 80;
 11  in
 12  {
 13    warnings = l.mkIf (config.networking.nat.externalInterface == null) [
 14      "You haven't set `config.networking.nat.externalInterface`. ${name} will not have internet access."
 15    ];
 16  
 17    age.secrets."${name}-admin-pw" = {
 18      file = "${config.secrets.dir}/services/invidious/dbpw.age";
 19      mode = "777";
 20    };
 21  
 22    services.nginx.virtualHosts."${name}.${config.networking.domain}" = rec {
 23      enableACME = config.networking.domain != "localhost";
 24      forceSSL = enableACME;
 25      locations."/".proxyPass = "http://192.168.100.${toString (id * 2 + 11)}:${toString port}";
 26    };
 27  
 28    networking.nat = {
 29      enable = true;
 30      internalInterfaces = [ "ve-${name}" ];
 31    };
 32  
 33    environment.persistence.${config.persist.dir}.directories = [
 34      "/var/lib/${name}/mediawiki"
 35      "/var/lib/${name}/mysql"
 36    ];
 37  
 38    containers.${name} = {
 39      autoStart = true;
 40  
 41      privateNetwork = true;
 42      hostAddress = "192.168.100.${toString (id * 2 + 10)}";
 43      localAddress = "192.168.100.${toString (id * 2 + 11)}";
 44  
 45      ephemeral = true;
 46      bindMounts = {
 47        mediawiki-admin-pw = {
 48          hostPath = config.age.secrets."${name}-admin-pw".path;
 49          mountPoint = config.age.secrets."${name}-admin-pw".path;
 50        };
 51        data = {
 52          hostPath = "/var/lib/${name}/mediawiki";
 53          isReadOnly = false;
 54          mountPoint = "/var/lib/mediawiki";
 55        };
 56        db = {
 57          hostPath = "/var/lib/${name}/mysql";
 58          isReadOnly = false;
 59          mountPoint = "/var/lib/mysql";
 60        };
 61      };
 62  
 63      config = {
 64        services.mediawiki = {
 65          inherit name;
 66  
 67          enable = true;
 68          url = "https://${name}.${config.networking.domain}";
 69          httpd.virtualHost = {
 70            hostName = "localhost";
 71            adminAddr = "root@localhost";
 72          };
 73  
 74          # Administrator account username is admin.
 75          passwordFile = config.age.secrets."${name}-admin-pw".path;
 76  
 77          extraConfig = ''
 78            ## General
 79  
 80            # Disable reading by anonymous users
 81            $wgGroupPermissions['*']['read'] = false;
 82  
 83            # Disable anonymous editing
 84            $wgGroupPermissions['*']['edit'] = false;
 85  
 86            # Prevent new user registrations except by sysops
 87            $wgGroupPermissions['*']['createaccount'] = false;
 88  
 89            # All blocked users will be signed out and future attempts to sign in will fail
 90            $wgBlockDisablesLogin = true;
 91  
 92            ## Style
 93  
 94            # $wgLogo = $wgScriptPath . '<path>';
 95  
 96            wfLoadSkin( 'Citizen' );
 97            $wgDefaultMobileSkin = 'citizen';
 98            $wgDefaultSkin = 'citizen';
 99  
100            ## Debug
101  
102            # $wgShowExceptionDetails = true;
103          '';
104  
105          # extensions = {
106          #   # some extensions are included and can enabled by passing null
107          #   VisualEditor = null;
108  
109          #   # https://www.mediawiki.org/wiki/Extension:TemplateStyles
110          #   TemplateStyles = inputs.nixpkgs.fetchzip {
111          #     url = "https://extdist.wmflabs.org/dist/extensions/TemplateStyles-REL1_40-5c3234a.tar.gz";
112          #     hash = "sha256-IygCDgwJ+hZ1d39OXuJMrkaxPhVuxSkHy9bWU5NeM/E=";
113          #   };
114          # };
115  
116          skins = {
117            Citizen = inputs.mediawiki-skin-Citizen;
118          };
119        };
120  
121        networking = {
122          firewall = {
123            enable = true;
124            allowedTCPPorts = [ 80 ];
125          };
126  
127          # Use systemd-resolved inside the container
128          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
129          useHostResolvConf = l.mkForce false;
130          nameservers = [
131            "9.9.9.9"
132            "149.112.112.112"
133          ];
134        };
135  
136        system.stateVersion = config.system.stateVersion;
137      };
138    };
139  }