Bump local settings version to push to wiki.social.coop.

to MW only seeing the internal docker networking addresses for incoming
traffic.

.env.sample

@@ -1,6 +1,7 @@
 TYPE=mediawiki
 
 DOMAIN=mediawiki.example.com
+COMPOSE_FILE="compose.yml"
 
 #EXTRA_DOMAINS=', `www.wiki.example.com`'
 LETS_ENCRYPT_ENV=production
@@ -11,21 +12,35 @@ MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
 MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
 MEDIAWIKI_LOGO_FILE='$wgResourceBasePath/resources/assets/wiki.png'
 
+# list of language options (without ".json"):
+# https://gerrit.wikimedia.org/g/mediawiki/core/%2B/HEAD/languages/i18n
+MEDIAWIKI_LANGUAGE="en"
+
 MEDIAWIKI_IS_PRIVATE=1
+MEDIAWIKI_ALLOW_REGISTRATION=0
 
 MEDIAWIKI_DEBUG=0
 
-## SMTP
-#SMTP_HOST=postfix_relay_app
-#SMTP_HOST=mailu_front
-
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
 
+# SMTP
+
+## via local postfix/mailu
+#SMTP_HOST=postfix_relay_app
+#SMTP_HOST=mailu_front
+
+## via remote email provider
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#SMTP_PORT=587
+#SMTP_USER="${MEDIAWIKI_EMAIL_FROM}"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
 # SAML
 
-#COMPOSE_FILE="compose.yml:compose.simplesaml.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.simplesaml.yml"
 
 #SAML_ENABLED=1
 #SAML_CONTACT_NAME="Sam Ell"
@@ -41,7 +56,7 @@ SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
 
 ## OpenID Connect
 # OPENID_ENABLED=1
-# COMPOSE_FILE="compose.yml:compose.openid.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.openid.yml"
 # OPENID_KEYCLOAK_URL="https://keycloak.local:8080/realms/acme/"
 # OPENID_CLIENT_ID="mediawiki"
 # SECRET_OPENID_CLIENT_SECRET_VERSION=v1

LocalSettings.php.tmpl

@@ -84,7 +84,7 @@ $wgShellLocale = "C.UTF-8";
 #$wgCacheDirectory = "$IP/cache";
 
 # Site language code, should be one of the list in ./languages/data/Names.php
-$wgLanguageCode = "en";
+$wgLanguageCode = "{{ env "MEDIAWIKI_LANGUAGE" }}";
 
 $wgSecretKey = rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'));
 
@@ -106,8 +106,13 @@ $wgRightsIcon = "";
 # Path to the GNU diff3 utility. Used for conflict resolution.
 $wgDiff3 = "/usr/bin/diff3";
 
-# The following permissions were set based on your choice in the installer
+{{ if eq (env "MEDIAWIKI_ALLOW_REGISTRATION") "1" }}
+$wgGroupPermissions['*']['createaccount'] = true;
+$wgEmailConfirmToEdit = true;
+{{ else }}
 $wgGroupPermissions['*']['createaccount'] = false;
+{{ end }}
+
 $wgGroupPermissions['*']['edit'] = false;
 {{ if eq (env "MEDIAWIKI_IS_PRIVATE") "1" }}
 $wgGroupPermissions['*']['read'] = false;
@@ -115,6 +120,13 @@ $wgGroupPermissions['*']['read'] = false;
 $wgGroupPermissions['*']['read'] = true;
 {{ end }}
 
+{{ if ne (env "MEDIAWIKI_PROXY_SERVERS") "" }}
+// In LocalSettings.php
+$wgUseCdn = true;
+$wgCdnServersNoPurge = [];
+$wgCdnServersNoPurge[] = "{{ env "MEDIAWIKI_PROXY_SERVERS" }}";
+{{ end }}
+
 # Enabled skins.
 # The following skins were automatically enabled:
 wfLoadSkin( 'MonoBook' );
@@ -179,8 +191,13 @@ $wgGroupPermissions['*']['createaccount'] = false;
 $wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
 $wgShowExceptionDetails = true;
 $wgDebugToolbar = true;
+{{ else }}
+$wgShowDebug = false;
+$wgDevelopmentWarnings = false;
+$wgDeprecationReleaseLimit = '1.0';
 {{ end }}
 
+
 {{ if eq (env "OPENID_ENABLED") "1" }}
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );
@@ -200,11 +217,15 @@ $wgGroupPermissions['*']['createaccount'] = false;
 
 {{ if env "SMTP_HOST" }}
 $wgSMTP = [
-    'host'     => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
-    'port'     => 25,                 // Port to use when connecting to the SMTP server
-    'auth'     => false,               // Should we use SMTP authentication (true or false)
-    #'username' => 'my_user_name',     // Username to use for SMTP authentication (if being used)
-    #'password' => 'my_password'       // Password to use for SMTP authentication (if being used)
+    'host'     => '{{ env "SMTP_HOST" }}',       // could also be an IP address. Where the SMTP server is located
+    'port'     => {{ env "SMTP_PORT" }},         // Port to use when connecting to the SMTP server
+{{ if env "SMTP_USER" }}
+    'auth'     => true,                          // Should we use SMTP authentication (true or false)
+    'username' => '{{ env "SMTP_USER" }}',       // Username to use for SMTP authentication (if being used)
+    'password' => '{{ secret "smtp_password" }}' // Password to use for SMTP authentication (if being used)
+{{ else }}
+    'auth'     => false
+{{ end }}
 ];
 {{ end }}
 
@@ -239,3 +260,15 @@ $wgFileExtensions = array(
 
 $wgUploadSizeWarning = 1000000000;
 $wgMaxUploadSize = 1000000000;
+
+# Greatly relax IP-based throttling for logging in while we work around docker networking issues.
+# https://social.coop/@flancian/110980993608947217
+$wgPasswordAttemptThrottle = [
+	// Short term limit
+	[ 'count' => 9999, 'seconds' => 300 ],
+	// Long term limit. We need to balance the risk
+	// of somebody using this as a DoS attack to lock someone
+	// out of their account, and someone doing a brute force attack.
+	[ 'count' => 999999, 'seconds' => 60 * 60 * 48 ],
+];
+

README.md

@@ -27,6 +27,8 @@
 
 ## Email
 
+### Coop Cloud mailu or postfix
+
 1. `abra app config YOURAPPDOMAIN` - edit `.envrc` and uncomment the `SMTP` lines. Set `SMTP_HOST` to
    `postfix_relay` for `coop-cloud/postfix_relay`, or `mailu_front` for
    `coop-cloud/mailu` (assuming default stack names)
@@ -34,6 +36,14 @@
    `postfix_relay`. This doesn't seem to be required for Mailu.
 3. `abra app deploy YOURAPPDOMAIN`
 
+### Remote provider
+
+1. `abra app config YOURAPPDOMAIN` - uncomment `SMTP` under the "remote email provider" section and set values for `SMTP_HOST`, `SMTP_PORT` and `SMTP_USER`
+2. `abra app secret insert YOURAPPDOMAIN smtp_password v1 YOURSMTPPASSWORD`
+3. `abra app deploy YOURAPPDOMAIN`
+
+Note: Only STARTTLS is supported, TLS won't work.
+
 ## Single Sign On
 
 ### SimpleSAMLphp

abra.sh

@@ -1,45 +1,7 @@
-export LOCAL_SETTINGS_CONF_VERSION=v20
+export LOCAL_SETTINGS_CONF_VERSION=v27
 export HTACCESS_CONF_VERSION=v1
-export ENTRYPOINT_CONF_VERSION=v20
+export ENTRYPOINT_CONF_VERSION=v21
 export COMPOSER_LOCAL_CONF_VERSION=v5
 export PHP_INI_VERSION=v4
 
 export SAML_ENTRYPOINT_CONF_VERSION=v3
-
-abra_backup_app() {
-  _abra_backup_dir "app:/var/www/html/images"
-}
-
-abra_backup_db() {
-  _abra_backup_mysql "db" "mediawiki"
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}
-
-abra_restore_app() {
-  # shellcheck disable=SC2034
-  {
-	abra__src_="-"
-	abra__dst_="app:/var/www/html/"
-  }
-
-  zcat "$@" | sub_app_cp
-
-  success "Restored 'app'"
-}
-
-abra_restore_db() {
-  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-  # got this far..
-
-  # shellcheck disable=SC2034
-  abra___no_tty="true"
-
-  DB_ROOT_PASSWORD="$(sub_app_run cat /run/secrets/db_root_password)"
-
-  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
-
-  success "Restored 'db'"
-}

compose.smtp.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - SMTP_USER
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: mediawiki:1.39.3
+    image: mediawiki:1.40.1
     environment:
       - DOMAIN
       - STACK_NAME
@@ -14,12 +14,14 @@ services:
       - MEDIAWIKI_LOGO_FILE
       - MEDIAWIKI_IS_PRIVATE
       - MEDIAWIKI_DEBUG
+      - MEDIAWIKI_LANGUAGE=${MEDIAWIKI_LANGUAGE:-en}
       - SAML_ENABLED
       - OPENID_ENABLED
       - DB_HOST=db
       - DB_USER=mediawiki
       - DB_NAME=mediawiki
       - SMTP_HOST
+      - SMTP_PORT=${SMTP_PORT:-25}
     volumes:
       - "mediawiki_images:/var/www/html/images"
     configs:
@@ -45,11 +47,13 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=2.3.0+1.39.3"
+        - "coop-cloud.${STACK_NAME}.version=2.7.3+1.40.1"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/images"
     entrypoint: /docker-entrypoint2.sh
 
   db:
-    image: mariadb:10.10
+    image: mariadb:11.1
     environment:
       - MYSQL_USER=mediawiki
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
@@ -62,6 +66,14 @@ services:
       - db_password
     networks:
       - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki | gzip > /tmp/dump.sql.gz'"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
 
 volumes:
   mariadb:

entrypoint.sh.tmpl

@@ -48,14 +48,14 @@ init_db() {
 init_extensions() {
 
 	if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
-		git clone --depth 1 -b REL1_39 \
+		git clone --depth 1 -b REL1_40 \
 			https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
 			/var/www/html/extensions/PluggableAuth
 	fi
 
 	if [ -n "${SAML_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
 				/var/www/html/extensions/SimpleSAMLphp
 		fi
@@ -63,7 +63,7 @@ init_extensions() {
 
 	if [ -n "${OPENID_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/OpenIDConnect ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
 				/var/www/html/extensions/OpenIDConnect
 		fi
@@ -71,7 +71,7 @@ init_extensions() {
 
 	if [ -n "${MOBILEFRONTEND_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/MobileFrontend ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://github.com/wikimedia/mediawiki-extensions-MobileFrontend.git \
 				/var/www/html/extensions/MobileFrontend
 		fi
@@ -79,7 +79,7 @@ init_extensions() {
 
 	if [ -n "${MSU_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/MsUpload ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/MsUpload \
 				/var/www/html/extensions/MsUpload
 		fi
@@ -87,7 +87,7 @@ init_extensions() {
 
 	if [ -n "${PAGEFORMS_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/PageForms ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms \
 				/var/www/html/extensions/PageForms
 		fi
@@ -95,7 +95,7 @@ init_extensions() {
 
 	if [ -n "${PAGESCHEMAS_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/PageSchemas ]; then
-			git clone --depth 1 -b REL1_39 \
+			git clone --depth 1 -b REL1_40 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageSchemas \
 				/var/www/html/extensions/PageSchemas
 		fi