Merge pull request #266 from NixOS/interactive_vm

Lassulus · web-flow · commit 0ececb1ddd9d · 2025-06-15T15:32:52.000+02:00
add interactive VM script
diff --git a/README.md b/README.md
@@ -77,6 +77,17 @@ $ nix develop .#linkcheck
 $ ./checks/linkcheck/lychee.sh
 ```
 
+## interactive VM
+
+You can also run the wiki in an interactive vm by running
+
+```nix
+nix run .#interactive-vm
+```
+
+you can then access the wiki at localhost:4360 follow the output of the script
+for more details (like passwords)
+
 ## FAQ:
 
 ### When logging in with "GitHub auth", the app shows "Act on your behalf" as a permission.
diff --git a/flake.nix b/flake.nix
@@ -35,10 +35,16 @@
           ./targets/flake-module.nix
           ./modules/flake-module.nix
           ./checks/flake-module.nix
+          ./vm/flake-module.nix
           ./formatter.nix
         ];
         perSystem =
-          { self', system, ... }:
+          {
+            self',
+            system,
+            pkgs,
+            ...
+          }:
           {
 
             checks =
diff --git a/modules/nixos-wiki/default.nix b/modules/nixos-wiki/default.nix
@@ -38,6 +38,11 @@ in
         type = lib.types.str;
         description = "default Reply-To address in emails";
       };
+      testMode = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable test mode, which disables github login and uses a fixed admin password";
+      };
     };
   };
 
@@ -49,7 +54,7 @@ in
       database.type = "postgres";
       nginx.hostName = config.services.nixos-wiki.hostname;
       uploadsDir = "/var/lib/mediawiki-uploads/";
-      passwordFile = cfg.adminPasswordFile;
+      passwordFile = if cfg.testMode then pkgs.writeText "pass" "nixos-wiki00" else cfg.adminPasswordFile;
 
       extensions = {
         SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
@@ -89,15 +94,17 @@ in
         #$wgShowExceptionDetails = true;
 
         # allow local login
-        $wgAuthManagerOAuthConfig = [
-          'github' => [
-            'clientId'                => '${cfg.githubClientId}',
-            'clientSecret'            => file_get_contents("${cfg.githubClientSecretFile}"),
-            'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
-            'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
-            'urlResourceOwnerDetails' => 'https://api.github.com/user'
-          ],
-        ];
+        ${lib.optionalString (!cfg.testMode) ''
+          $wgAuthManagerOAuthConfig = [
+            'github' => [
+              'clientId'                => '${cfg.githubClientId}',
+              'clientSecret'            => file_get_contents("${cfg.githubClientSecretFile}"),
+              'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
+              'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
+              'urlResourceOwnerDetails' => 'https://api.github.com/user'
+            ],
+          ];
+        ''}
 
         # Enable account creation globally
         $wgGroupPermissions['*']['createaccount'] = true;
@@ -150,9 +157,11 @@ in
         $wgEmailConfirmToEdit = false;
         $wgAllowHTMLEmail = false;
 
-        $wgEmergencyContact = "${cfg.emergencyContact}";
-        $wgPasswordSender   = "${cfg.passwordSender}";
-        $wgNoReplyAddress   = "${cfg.noReplyAddress}";
+        ${lib.optionalString (!cfg.testMode) ''
+          $wgEmergencyContact = "${cfg.emergencyContact}";
+          $wgPasswordSender   = "${cfg.passwordSender}";
+          $wgNoReplyAddress   = "${cfg.noReplyAddress}";
+        ''}
 
         # To purge all page cache increase this using: date +%Y%m%d%H%M%S
         $wgCacheEpoch = 20231115172319;
@@ -244,8 +253,8 @@ in
       limit_req_status 429;
     '';
     services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
-      enableACME = lib.mkDefault true;
-      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault (!cfg.testMode);
+      forceSSL = lib.mkDefault (!cfg.testMode);
       extraConfig = ''
         limit_req zone=ip burst=20 nodelay;
       '';
diff --git a/vm/flake-module.nix b/vm/flake-module.nix
@@ -0,0 +1,80 @@
+{ self, lib, ... }:
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      packages = lib.optionalAttrs pkgs.stdenv.isLinux {
+        interactive-vm = pkgs.writeShellApplication {
+          name = "interactive-vm";
+          runtimeInputs = [
+          ];
+          text =
+            let
+              debugVm =
+                { modulesPath, ... }:
+                {
+                  imports = [
+                    # The qemu-vm NixOS module gives us the `vm` attribute that we will later
+                    # use, and other VM-related settings
+                    "${modulesPath}/virtualisation/qemu-vm.nix"
+                  ];
+
+                  # Forward the hosts's port 2222 to the guest's SSH port.
+                  # Also, forward the other ports 1:1 from host to guest.
+                  virtualisation.forwardPorts = [
+                    {
+                      from = "host";
+                      host.port = 2222;
+                      guest.port = 22;
+                    }
+                    {
+                      from = "host";
+                      host.port = 4360;
+                      guest.port = 4360;
+                    }
+                  ];
+                  virtualisation.memorySize = 2048;
+
+                  # Root user without password and enabled SSH for playing around
+                  networking.firewall.enable = false;
+                  services.openssh.enable = true;
+                  services.openssh.permitRootLogin = "yes";
+                  users.extraUsers.root.password = "nixos-wiki00"; # same as the admin user on the test wiki
+                  environment.systemPackages = with pkgs; [
+                    iptables
+                  ];
+                  services.nginx.defaultListen = [
+                    {
+                      addr = "0.0.0.0";
+                      port = 4360;
+                    }
+                  ];
+                  networking.firewall.allowedTCPPorts = [ 4360 ];
+                };
+              vmConfig = pkgs.nixos [
+                debugVm
+                self.nixosModules.nixos-wiki
+                {
+                  security.acme.defaults.email = "example@example.com";
+                  security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+                  services.nixos-wiki = {
+                    hostname = "localhost:4360";
+                    testMode = true;
+                  };
+                }
+              ];
+            in
+            ''
+              NIXOS_DISK_IMAGE=/tmp/wiki-vm.qcow2
+              export NIXOS_DISK_IMAGE
+              echo 'access the wiki after startup at http://localhost:4360'
+              echo 'user: admin, password: nixos-wiki00'
+              echo 'you can also SSH into the VM with: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p 2222'
+              echo 'password: nixos-wiki00'
+              ${vmConfig.config.system.build.vm}/bin/run-nixos-vm
+              # TODO maybe clean up the qcow image?
+            '';
+        };
+      };
+    };
+}
