Setup ikiwiki host

config/hosts/ikiwiki/configuration.nix

@@ -0,0 +1,27 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {    
+    hostName = "ikiwiki";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 8443 ];
+    };
+  };
+
+  fileSystems = {
+    # partition data disk with `sudo mkfs.ext4 /dev/vdx`
+    # label data disk with `e2label /dev/vdx "data"`
+    "/mnt/data" = {
+      device = "/dev/disk/by-label/data";
+      fsType = "ext4";
+      autoResize = true;
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

config/hosts/ikiwiki/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./ikiwiki.nix
+    ./nginx.nix
+  ];
+}

config/hosts/ikiwiki/ikiwiki.nix

@@ -0,0 +1,158 @@
+{ pkgs, config, ... }:
+let
+  ikiwikiBootstrapTheme = pkgs.fetchgit {
+    url = "https://github.com/dequis/ikiwiki-bootstrap-theme.git";
+    rev = "afaedf8460d03664be6f590cf632b8be05de77dc";
+    hash = "sha256-iX/onqrsvzJdDrJ7WoQMnlAQtOA+rmi+esv25/IOsq8=";
+  }; # TODO: fork and set link color to #6d2bff or something
+  ikiwikiDataPath = "/mnt/data/ikiwiki";
+  ikiwikiSettingsHeader = pkgs.writeText "ikiwiki-settings-header" ''
+    # IkiWiki::Setup::Yaml - YAML formatted setup file
+  '';
+  ikiwikiSettings = {
+    wikiname = "fi-zone";
+    adminemail = "fiona@grzb.de";
+    adminuser = [
+      "fi"
+    ];
+    banned_users = [];
+    srcdir = "${ikiwikiDataPath}/fi-zone";
+    destdir = "${ikiwikiDataPath}/public_html/fi-zone";
+    url = "https://fi.nekover.se/";
+    cgiurl = "https://fi.nekover.se/ikiwiki.cgi";
+    reverse_proxy = 0;
+    cgi_wrapper = "${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi";
+    cgiauthurl = "https://fi.nekover.se/auth/ikiwiki.cgi";
+    cgi_wrappermode = "06755";
+    cgi_overload_delay = "";
+    cgi_overload_message = "";
+    only_committed_changes = 0;
+    rcs = "";
+    add_plugins = [
+      "goodstuff"
+      "websetup"
+      "httpauth"
+    ];
+    disable_plugins = [];
+    templatedir = "${ikiwikiBootstrapTheme}";
+    underlaydir = "${pkgs.ikiwiki-full}/share/ikiwiki/basewiki";
+    usedirs = 1;
+    prefix_directives = 1;
+    indexpages = 0;
+    discussion = 0;
+    html5 = 1;
+    sslcookie = 1;
+    default_pageext = "mdwn";
+    htmlext = "html";
+    timeformat = "%c";
+    userdir = "";
+    numbacklinks = 10;
+    hardlink = 0;
+    libdirs = [];
+    libdir = "${ikiwikiDataPath}/.ikiwiki";
+    ENV = {};
+    timezone = ":/etc/localtime";
+    wiki_file_chars = "-[:alnum:]+/.:_";
+    allow_symlinks_before_srcdir = 0;
+    cookiejar = {
+      file = "${ikiwikiDataPath}/.ikiwiki/cookies";
+    };
+    useragent = "ikiwiki/${pkgs.ikiwiki-full.version}";
+    responsive_layout = 1;
+    deterministic = 0;
+    rss = 1;
+    atom = 1;
+    blogspam_pagespec = "postcomment(*)";
+    locked_pages = "* and !postcomment(*)";
+    comments_pagespec = "posts/* and !*/Discussion";
+    archive_pagespec = "page(posts/*) and !*/Discussion";
+    global_sidebars = 0;
+    tagbase = "tags";
+  };
+  ikiwikiSettingsFile = pkgs.concatText "fi-zone.setup" [
+    ikiwikiSettingsHeader
+    ((pkgs.formats.yaml { }).generate "fi-zone-settings" ikiwikiSettings)
+  ];
+in
+{
+  environment.systemPackages = with pkgs; [
+    ikiwiki-full
+  ];
+
+  users = {
+    users.ikiwiki = {
+      isSystemUser = true;
+      group = "ikiwiki";
+    };
+    groups.ikiwiki = {};
+  };
+
+  services.fcgiwrap.instances."ikiwiki" = {
+    socket = {
+      user = config.services.nginx.user;
+      group = config.services.nginx.group;
+    };
+    process = {
+      user = config.services.nginx.user;
+      group = config.services.nginx.group;
+    };
+  };
+
+  systemd.services.ikiwiki-directory-setup = {
+    description = "Setup ikiwiki directory structure.";
+
+    script = ''
+      mkdir -p ${ikiwikiDataPath}
+      mkdir -p ${ikiwikiDataPath}/fi-zone/.ikiwiki
+      touch ${ikiwikiDataPath}/fi-zone/.ikiwiki/lockfile
+      chown -R ${config.users.users.ikiwiki.name}:${config.users.users.ikiwiki.group} ${ikiwikiDataPath}
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      User = "root";
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+
+  systemd.services.ikiwiki-settings-setup = {
+    description = "Setup ikiwiki with configuration managed by NixOS.";
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSettingsFile}";
+      User = config.users.users.ikiwiki.name;
+      Group = config.users.users.ikiwiki.group;
+      Requires = [ "ikiwiki-directory-setup.service" ];
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+
+  systemd.services.ikiwiki-auth-setup = {
+    description = "Setup auth subdirectory for ikiwiki.cgi";
+
+    script = ''
+      mkdir -p ${ikiwikiSettings.destdir}/auth
+      if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
+        ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
+      fi
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      User = config.users.users.ikiwiki.name;
+      Group = config.users.users.ikiwiki.group;
+      Requires = [ "ikiwiki-settings-setup.service" ];
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+}

config/hosts/ikiwiki/nginx.nix

@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+let
+  ikiwikiDataPath = "/mnt/data/ikiwiki";
+in
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."fi.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+      root = "${ikiwikiDataPath}/public_html/fi-zone";
+      locations = {
+        "/" = {
+          tryFiles = "$uri $uri/ =404";
+        };
+        "~ .cgi" = {
+          basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
+          extraConfig = ''
+            gzip off;
+            fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
+            fastcgi_index ikiwiki.cgi;
+            fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi;
+            fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone;
+            fastcgi_param REMOTE_USER $remote_user if_not_empty;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+          '';
+        };
+      };
+      extraConfig = ''
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

config/hosts/ikiwiki/secrets.nix

@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys."ikiwiki-auth-file.secret" = {
+    keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
+    destDir = "/secrets";
+    user = "nginx";
+    group = "nginx";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}

config/hosts/web-public-2/nginx.nix

@@ -20,6 +20,7 @@
           birdsite.nekover.se 10.202.41.107:8443;
           cloud.nekover.se 10.202.41.122:8443;
           element.nekover.se 127.0.0.1:8443;
+          fi.nekover.se 10.202.41.125:8443;
           gameserver.grzb.de 127.0.0.1:8443;
           git.grzb.de 127.0.0.1:8443;
           git.nekover.se 10.202.41.106:8443;

config/hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -7,6 +7,7 @@ let
     "netbox.grzb.de" = "netbox.vs.grzb.de";
     "git.nekover.se" = "forgejo.vs.grzb.de";
     "grafana.grzb.de" = "metrics.vs.grzb.de";
+    "fi.nekover.se" = "ikiwiki.vs.grzb.de";
     "jackett.grzb.de" = "torrent.vs.grzb.de";
     "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de";
     "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de";