Add MEDIAWIKI_PROXY_SERVERS setting

Reviewed-on: #34

.drone.yml

@@ -0,0 +1,49 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: mediawiki
+      networks:
+       - proxy
+      purge: true
+      generate_secrets: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+    environment:
+      DOMAIN: mediawiki.swarm-test.autonomic.zone
+      STACK_NAME: mediawiki
+      LETS_ENCRYPT_ENV: production
+      MEDIAWIKI_SITENAME: "Example Wiki"
+      MEDIAWIKI_SITENAMESPACE: "Example_Wiki"
+      MEDIAWIKI_EMAIL_CONTACT: "info@wiki.example.com"
+      MEDIAWIKI_EMAIL_FROM: "wiki@wiki.example.com"
+      MEDIAWIKI_LOGO_FILE: '$wgResourceBasePath/resources/assets/wiki.png'
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_MEDIAWIKI_SECRET_KEY_VERSION: v1
+      LOCAL_SETTINGS_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
+      PHP_INI_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -0,0 +1,87 @@
+TYPE=mediawiki
+
+DOMAIN=mediawiki.example.com
+COMPOSE_FILE="compose.yml"
+
+#EXTRA_DOMAINS=', `www.wiki.example.com`'
+LETS_ENCRYPT_ENV=production
+
+MEDIAWIKI_SITENAME="Example Wiki"
+MEDIAWIKI_SITENAMESPACE="Example_Wiki"
+MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
+MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
+MEDIAWIKI_LOGO_FILE='$wgResourceBasePath/resources/assets/wiki.png'
+
+# list of language options (without ".json"):
+# https://gerrit.wikimedia.org/g/mediawiki/core/%2B/HEAD/languages/i18n
+MEDIAWIKI_LANGUAGE="en"
+
+MEDIAWIKI_IS_PRIVATE=1
+MEDIAWIKI_ALLOW_REGISTRATION=0
+
+MEDIAWIKI_DEBUG=0
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
+
+# SMTP
+
+## via local postfix/mailu
+#SMTP_HOST=postfix_relay_app
+#SMTP_HOST=mailu_front
+
+## via remote email provider
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#SMTP_PORT=587
+#SMTP_USER="${MEDIAWIKI_EMAIL_FROM}"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
+# SAML
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.simplesaml.yml"
+
+#SAML_ENABLED=1
+#SAML_CONTACT_NAME="Sam Ell"
+#SAML_CONTACT_EMAIL="saml@example.com"
+
+#SAML_EMAIL_ATTRIBUTE=mail
+#SAML_REAL_NAME_ATTRIBUTE=realname
+#SAML_AUTH_SOURCE_ID=default-sp
+#SAML_USERNAME_ATTRIBUTE=user
+
+#SECRET_SAML_ADMIN_PASSWORD_VERSION=v1
+#SECRET_SAML_SECRET_SALT_VERSION=v1 # length=64
+
+## OpenID Connect
+# OPENID_ENABLED=1
+# COMPOSE_FILE="$COMPOSE_FILE:compose.openid.yml"
+# OPENID_KEYCLOAK_URL="https://keycloak.local:8080/realms/acme/"
+# OPENID_CLIENT_ID="mediawiki"
+# SECRET_OPENID_CLIENT_SECRET_VERSION=v1
+
+## WikiMarkdown
+#MARKDOWN_ENABLED=1
+
+## MobileFrontend
+#MOBILEFRONTEND_ENABLED=1
+
+## MsUpload
+#MSU_ENABLED=1
+
+## PageForms
+#PAGEFORMS_ENABLED=1
+
+## PageSchemas
+#PAGESCHEMAS_ENABLED=1
+
+## SemanticMediaWiki
+#SEMANTICMW_ENABLED=1
+
+## WikiMarkdown
+#MARKDOWN_ENABLED=1
+
+## Tweeki skin
+#TWEEKI_ENABLED=0
+

.envrc.sample

@@ -1,15 +0,0 @@
-export DOMAIN=wiki.example.com
-export STACK_NAME=example_wiki
-
-export LETS_ENCRYPT_ENV=production
-
-export MEDIAWIKI_SITENAME="Example Wiki"
-export MEDIAWIKI_SITENAMESPACE="Example_Wiki"
-export MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
-export MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
-
-export DB_ROOT_PASSWORD_VERSION=v1
-export DB_PASSWORD_VERSION=v1
-export LOCAL_SETTINGS_CONF_VERSION=v1
-export HTACCESS_CONF_VERSION=v1
-export ENTRYPOINT_CONF_VERSION=v1

LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2019 Revian Labs
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

LocalSettings.php.tmpl

@@ -1,21 +1,10 @@
 <?php
-# This file was automatically generated by the MediaWiki 1.32.1
-# installer. If you make manual changes, please keep track in case you
-# need to recreate them later.
-#
-# See includes/DefaultSettings.php for all configurable settings
-# and their default values, but don't forget to make changes in _this_
-# file, not there.
-#
-# Further documentation for configuration settings may be found at:
-# https://www.mediawiki.org/wiki/Manual:Configuration_settings
 
 # Protect against web entry
 if ( !defined( 'MEDIAWIKI' ) ) {
 	exit;
 }
 
-
 ## Uncomment this to disable output compression
 # $wgDisableOutputCompression = true;
 
@@ -39,7 +28,7 @@ $wgResourceBasePath = $wgScriptPath;
 
 ## The URL path to the logo.  Make sure you change this from the default,
 ## or else you'll overwrite your logo when you upgrade!
-$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
+$wgLogo = "{{ env "MEDIAWIKI_LOGO_FILE" }}";
 
 ## UPO means: this is also a user preference option
 
@@ -55,9 +44,9 @@ $wgEmailAuthentication = true;
 
 ## Database settings
 $wgDBtype = "mysql";
-$wgDBserver = "mariadb";
-$wgDBname = "mediawiki";
-$wgDBuser = "mediawiki";
+$wgDBserver = "{{ env "DB_HOST" }}";
+$wgDBname = "{{ env "DB_NAME" }}";
+$wgDBuser = "{{ env "DB_USER" }}";
 $wgDBpassword = rtrim(file_get_contents('/run/secrets/db_password'));
 
 # MySQL specific settings
@@ -95,9 +84,9 @@ $wgShellLocale = "C.UTF-8";
 #$wgCacheDirectory = "$IP/cache";
 
 # Site language code, should be one of the list in ./languages/data/Names.php
-$wgLanguageCode = "en";
+$wgLanguageCode = "{{ env "MEDIAWIKI_LANGUAGE" }}";
 
-$wgSecretKey = "8a83180cd66683c2a379882211187d6f79a1d40749b962598148f67893ff10cf";
+$wgSecretKey = rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'));
 
 # Changing this will log out all existing sessions.
 $wgAuthenticationTokenVersion = "1";
@@ -117,21 +106,48 @@ $wgRightsIcon = "";
 # Path to the GNU diff3 utility. Used for conflict resolution.
 $wgDiff3 = "/usr/bin/diff3";
 
-# The following permissions were set based on your choice in the installer
+{{ if eq (env "MEDIAWIKI_ALLOW_REGISTRATION") "1" }}
+$wgGroupPermissions['*']['createaccount'] = true;
+$wgEmailConfirmToEdit = true;
+{{ else }}
 $wgGroupPermissions['*']['createaccount'] = false;
-$wgGroupPermissions['*']['edit'] = false;
-$wgGroupPermissions['*']['read'] = false;
+{{ end }}
 
-## Default skin: you can change the default skin. Use the internal symbolic
-## names, ie 'vector', 'monobook':
-$wgDefaultSkin = "vector";
+$wgGroupPermissions['*']['edit'] = false;
+{{ if eq (env "MEDIAWIKI_IS_PRIVATE") "1" }}
+$wgGroupPermissions['*']['read'] = false;
+{{ else }}
+$wgGroupPermissions['*']['read'] = true;
+{{ end }}
+
+{{ if ne (env "MEDIAWIKI_PROXY_SERVERS") "" }}
+// In LocalSettings.php
+$wgUseCdn = true;
+$wgCdnServersNoPurge = [];
+$wgCdnServersNoPurge[] = "{{ env "MEDIAWIKI_PROXY_SERVERS" }}";
+{{ end }}
 
 # Enabled skins.
 # The following skins were automatically enabled:
 wfLoadSkin( 'MonoBook' );
 wfLoadSkin( 'Timeless' );
 wfLoadSkin( 'Vector' );
+wfLoadSkin( 'MinervaNeue' );
 
+## Default skin: you can change the default skin. Use the internal symbolic
+## names, ie 'vector', 'monobook':
+
+{{ if eq (env "TWEEKI_ENABLED") "1" }}
+wfLoadSkin( 'Tweeki' );
+$wgDefaultSkin = "tweeki";
+{{ else }}
+$wgDefaultSkin = "vector";
+{{ end }}
+
+{{ if eq (env "MOBILEFRONTEND_ENABLED") "1" }}
+wfLoadExtension( 'MobileFrontend' );
+$wgDefaultMobileSkin = 'minerva';
+{{ end }}
 
 # Enabled extensions. Most of the extensions are enabled by adding
 # wfLoadExtensions('ExtensionName');
@@ -139,6 +155,10 @@ wfLoadSkin( 'Vector' );
 # The following extensions were automatically enabled:
 wfLoadExtension( 'VisualEditor' );
 
+wfLoadExtension( 'Interwiki' );
+wfLoadExtension( 'Cite' );
+wfLoadExtension( 'ParserFunctions' );
+
 # End of automatically generated settings.
 # Add more configuration options below.
 
@@ -146,19 +166,92 @@ $wgDefaultUserOptions['visualeditor-enable'] = 1;
 
 $wgVisualEditorAllowLossySwitching = false;
 
-$wgVirtualRestConfig['modules']['parsoid'] = [
-	// URL to the Parsoid instance - use port 8142 if you use the Debian package - the parameter 'URL' was first used but is now deprecated (string)
-	'url' => 'http://localhost:8000/',
-	// Parsoid "domain" (string, optional) - MediaWiki >= 1.26
-	'domain' => 'localhost',
-	// Parsoid "prefix" (string, optional) - deprecated since MediaWiki 1.26, use 'domain'
-	'prefix' => 'localhost',
-	// Forward cookies in the case of private wikis (string or false, optional)
-	'forwardCookies' => true,
-	// request timeout in seconds (integer or null, optional)
-	'timeout' => null,
-	// Parsoid HTTP proxy (string or null, optional)
-	'HTTPProxy' => null,
-	// whether to parse URL as if they were meant for RESTBase (boolean or null, optional)
-	'restbaseCompat' => null,
+{{ if eq (env "SAML_ENABLED") "1" }}
+wfLoadExtension( 'PluggableAuth' );
+
+wfLoadExtension( 'SimpleSAMLphp' );
+
+$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp/";
+
+$wgPluggableAuth_Config['Log in using my SAML'] = [
+  'plugin' => 'SimpleSAMLphp',
+  'data' => [
+	'authSourceId' => '{{ env "SAML_AUTH_SOURCE_ID" }}',
+	'usernameAttribute' => '{{ env "SAML_USERNAME_ATTRIBUTE" }}',
+	'realNameAttribute' => '{{ env "SAML_REAL_NAME_ATTRIBUTE" }}',
+	'emailAttribute' => '{{ env "SAML_EMAIL_ATTRIBUTE" }}'
+  ]
 ];
+
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+{{ end }}
+
+{{ if eq (env "MEDIAWIKI_DEBUG") "1" }}
+$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
+$wgShowExceptionDetails = true;
+$wgDebugToolbar = true;
+{{ end }}
+
+{{ if eq (env "OPENID_ENABLED") "1" }}
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+$wgPluggableAuth_Config[] = [
+    'plugin' => 'OpenIDConnect',
+    'data' => [
+        'providerURL' => '{{ env "OPENID_KEYCLOAK_URL" }}',
+        'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
+        'clientsecret' => '{{ secret "openid_client_secret" }}'
+    ]
+];
+
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+{{ end }}
+
+{{ if env "SMTP_HOST" }}
+$wgSMTP = [
+    'host'     => '{{ env "SMTP_HOST" }}',       // could also be an IP address. Where the SMTP server is located
+    'port'     => {{ env "SMTP_PORT" }},         // Port to use when connecting to the SMTP server
+{{ if env "SMTP_USER" }}
+    'auth'     => true,                          // Should we use SMTP authentication (true or false)
+    'username' => '{{ env "SMTP_USER" }}',       // Username to use for SMTP authentication (if being used)
+    'password' => '{{ secret "smtp_password" }}' // Password to use for SMTP authentication (if being used)
+{{ else }}
+    'auth'     => false
+{{ end }}
+];
+{{ end }}
+
+{{ if eq (env "MSU_ENABLED") "1" }}
+wfLoadExtension( 'MsUpload' );
+$wgAllowJavaUploads = true; // Solves problem with Office 2007 and newer files (docx, xlsx, etc.)
+{{ end }}
+
+{{ if eq (env "PAGEFORMS_ENABLED") "1" }}
+wfLoadExtension( 'PageForms' );
+{{ end }}
+
+{{ if eq (env "PAGESCHEMAS_ENABLED") "1" }}
+wfLoadExtension( 'PageSchemas' );
+{{ end }}
+
+{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( '{{ env "DOMAIN" }}' );
+{{ end }}
+
+{{ if eq (env "MARKDOWN_ENABLED") "1" }}
+wfLoadExtension( 'WikiMarkdown' );
+$wgAllowMarkdownExtra = true; // allows usage of Parsedown Extra
+$wgAllowMarkdownExtended = true; // allows usage of Parsedown Extended
+{{ end }}
+
+$wgFileExtensions = array(
+    'png', 'gif', 'jpg', 'jpeg', 'doc', 'xls', 'mpp', 'pdf', 'ppt', 'tiff',
+    'bmp', 'docx', 'xlsx', 'pptx', 'ps', 'odt', 'ods', 'odp', 'odg'
+);
+
+$wgUploadSizeWarning = 1000000000;
+$wgMaxUploadSize = 1000000000;

README.md

@@ -1,27 +1,101 @@
 # Mediawiki
 
-Mediawiki [version 1.32.1][mediawiki-1.32]
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/mediawiki/status.svg)](https://build.coopcloud.tech/coop-cloud/mediawiki)
 
-Requires Docker version 1.11.2 or above to run.
+<!-- metadata -->
+* **Category**: Apps
+* **Status**: 1, alpha
+* **Image**: [`mediawiki`](https://hub.docker.com/_/mediawiki), 4, upstream
+* **Healthcheck**: No
+* **Backups**: Yes
+* **Email**: 3
+* **Tests**: 2
+* **SSO**: 2 (OAuth, SAML)
+<!-- endmetadata -->
 
-Based on [`mediawiki-ve-bundle`][mediawiki-ve].
+## Basic usage
 
 1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`compose-stacks/traefik`][compose-traefik]
-2. `cp .envrc.sample .envrc`
-3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+2. Deploy [`coop-cloud/traefik`][traefik]
+3. `abra app new mediawiki --secrets`  (optionally with `--pass` if you'd like
+   to save secrets in `pass`)
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-4. `direnv allow` (or `. .envrc`)
-5. `abra secret_generate db_password v1 && abra secret_generate db_root_password v2`
-6. `abra deploy`
-7. `abra service_run mediawiki /bin/bash` to open a shell
-8. `php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
+5. `abra app deploy YOURAPPDOMAIN`
+6. Create an initial admin user:
+   `abra app run YOURAPPDOMAIN app php /var/www/html/maintenance/createAndPromote.php --sysop YourUsername YourPassword`
+
+## Email
+
+### Coop Cloud mailu or postfix
+
+1. `abra app config YOURAPPDOMAIN` - edit `.envrc` and uncomment the `SMTP` lines. Set `SMTP_HOST` to
+   `postfix_relay` for `coop-cloud/postfix_relay`, or `mailu_front` for
+   `coop-cloud/mailu` (assuming default stack names)
+2. For `postfix_relay`, add the domain to your email config – `EXTRA_SENDER_DOMAINS` in
+   `postfix_relay`. This doesn't seem to be required for Mailu.
+3. `abra app deploy YOURAPPDOMAIN`
+
+### Remote provider
+
+1. `abra app config YOURAPPDOMAIN` - uncomment `SMTP` under the "remote email provider" section and set values for `SMTP_HOST`, `SMTP_PORT` and `SMTP_USER`
+2. `abra app secret insert YOURAPPDOMAIN smtp_password v1 YOURSMTPPASSWORD`
+3. `abra app deploy YOURAPPDOMAIN`
+
+Note: Only STARTTLS is supported, TLS won't work.
+
+## Single Sign On
+
+### SimpleSAMLphp
+
+This app includes optional SAML Single Sign On using
+[SimpleSAMLphp][simplesamlphp] and Mediawiki's
+[Extension:SimpleSAMLphp][mw-simplesamlphp], based on the
+[`venatorfox/simplesamlphp`][venatorfox-simplesamlphp] image.
+
+NOTE: currently, if you enable SAML then it'll disable Mediawiki's own user account
+system. Patches to make this configurable are welcome!
+
+1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `SAML` section (including `COMPOSE_FILE`)
+2. Generate secrets: (add `--pass` if you want to store secrets in `pass`)
+   ```
+   abra app YOURAPPDOMAIN secret generate saml_admin_password v1
+   abra app YOURAPPDOMAIN secret generate saml_secret_salt v1 "pwgen -n 64 1"
+   ```
+3. `abra app deploy YOURAPPDOMAIN`
+4. Copy your SimpleSAMLphp metadata and certificates to the container (assuming
+   you have local `metadata` and `cert` folders:
+   ```
+   abra app YOURAPPDOMAIN cp metadata simplesaml:/var/simplesamlphp/
+   abra app YOURAPPDOMAIN cp cert simplesaml:/var/simplesamlphp/
+   ```
+5. You can log into SimpleSAMLphp using the password you generated at
+   https://$DOMAIN/simplesaml/ and test authentication
+6. Edit SimpleSAMLphp's `config.php` and change `store.sql.dsn`:
+   ```
+   abra app YOURAPPDOMAIN run simplesaml vi /var/simplesamlphp/config/config.php
+   # find 'store.sql.dsn' and edit to:
+   # 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
+   ```
+
+### OpenID Connect
+
+1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
+2. Store your Keycloak-generated client secret in Docker:
+
+```
+abra app YOURAPPDOMAIN secret insert openid_client_secret v1 put-your-secret-here
+```
+
+3. `abra app deploy YOURAPPDOMAIN`
 
 ## License
 
 MIT License
 
-[mediawiki-1.32]: https://www.mediawiki.org/wiki/Release_notes/1.32.1
+[mediawiki-1.35]: https://www.mediawiki.org/wiki/Release_notes/1.35
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
-[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
+[traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[simplesamlphp]: https://simplesamlphp.org/
+[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
+[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp

abra.sh

@@ -0,0 +1,45 @@
+export LOCAL_SETTINGS_CONF_VERSION=v23
+export HTACCESS_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v20
+export COMPOSER_LOCAL_CONF_VERSION=v5
+export PHP_INI_VERSION=v4
+
+export SAML_ENTRYPOINT_CONF_VERSION=v3
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/www/html/images"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "mediawiki"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}
+
+abra_restore_app() {
+  # shellcheck disable=SC2034
+  {
+	abra__src_="-"
+	abra__dst_="app:/var/www/html/"
+  }
+
+  zcat "$@" | sub_app_cp
+
+  success "Restored 'app'"
+}
+
+abra_restore_db() {
+  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
+  # got this far..
+
+  # shellcheck disable=SC2034
+  abra___no_tty="true"
+
+  DB_ROOT_PASSWORD="$(sub_app_run cat /run/secrets/db_root_password)"
+
+  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
+
+  success "Restored 'db'"
+}

compose.openid.yml

@@ -0,0 +1,24 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPENID_KEYCLOAK_URL
+      - OPENID_CLIENT_ID
+    secrets:
+      - openid_client_secret
+    configs:
+      - source: composer_local_conf
+        target: /var/www/html/composer.local.json
+
+secrets:
+  openid_client_secret:
+    name: ${STACK_NAME}_openid_client_secret_${SECRET_OPENID_CLIENT_SECRET_VERSION}
+    external: true
+
+configs:
+  composer_local_conf:
+    name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
+    file: composer.local.json.tmpl
+    template_driver: golang

compose.simplesaml.yml

@@ -0,0 +1,95 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "simplesaml:/var/simplesamlphp/"
+      - "simplesaml_cert:/var/simplesamlphp/cert"
+      - "simplesaml_config:/var/simplesamlphp/config"
+      - "simplesaml_data:/var/simplesamlphp/data"
+      - "simplesaml_log:/var/simplesamlphp/log"
+      - "simplesaml_metadata:/var/simplesamlphp/metadata"
+      - "simplesaml_modules:/var/simplesamlphp/modules"
+    environment:
+      - SAML_AUTH_SOURCE_ID
+      - SAML_EMAIL_ATTRIBUTE
+      - SAML_REAL_NAME_ATTRIBUTE
+      - SAML_SERVICE_PROVIDER
+      - SAML_USERNAME_ATTRIBUTE
+
+  simplesaml:
+    # image: unicon/simplesamlphp:1.19.6
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/simplesamlphp:1.19.7
+    secrets:
+      - saml_admin_password
+      - saml_secret_salt
+    environment:
+      - DOMAIN
+      - CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
+      - CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
+      - CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
+      - CONFIG_TECHNICALCONTACT_NAME
+      - CONFIG_TECHNICALCONTACT_EMAIL
+      - CONFIG_SHOWERRORS=true
+      - CONFIG_ERRORREPORTING=true
+      - CONFIG_ADMINPROTECTINDEXPAGE=true
+      - CONFIG_LOGGINGLEVEL=INFO
+      - CONFIG_ENABLESAML20IDP=true
+      - CONFIG_STORETYPE=sql
+      #- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
+      #- CONFIG_MEMCACHESTORESERVERS=    'memcache_store.servers' => [\n        [\n             ['hostname' => 'memcached']\n        ],
+      - OPENLDAP_TLS_REQCERT=allow
+      - MTA_NULLCLIENT=true
+      - POSTFIX_MYHOSTNAME=${DOMAIN}
+      - POSTFIX_MYORIGIN=$$mydomain
+      - POSTFIX_INETINTERFACES=loopback-only
+      - DOCKER_REDIRECTLOGS=false
+    # Required if DOCKER_REDIRECTLOGS=true
+    # tty: true
+    configs:
+      - source: entrypoint_saml_conf
+        target: /docker-entrypoint.simplesaml.sh
+        mode: 0555
+    volumes:
+      - simplesaml:/var/simplesamlphp/
+      - "simplesaml_cert:/var/simplesamlphp/cert"
+      - "simplesaml_config:/var/simplesamlphp/config"
+      - "simplesaml_data:/var/simplesamlphp/data"
+      - "simplesaml_log:/var/simplesamlphp/log"
+      - "simplesaml_metadata:/var/simplesamlphp/metadata"
+      - "simplesaml_modules:/var/simplesamlphp/modules"
+    networks:
+      - proxy
+    entrypoint: /docker-entrypoint.simplesaml.sh
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
+        - "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
+volumes:
+  simplesaml:
+  simplesaml_cert:
+  simplesaml_config:
+  simplesaml_data:
+  simplesaml_log:
+  simplesaml_metadata:
+  simplesaml_modules:
+
+secrets:
+  saml_admin_password:
+    name: ${STACK_NAME}_saml_admin_password_${SECRET_SAML_ADMIN_PASSWORD_VERSION}
+    external: true
+  saml_secret_salt:
+    name: ${STACK_NAME}_saml_secret_salt_${SECRET_SAML_SECRET_SALT_VERSION}
+    external: true
+
+configs:
+  entrypoint_saml_conf:
+    name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.simplesaml.sh.tmpl
+    template_driver: golang

compose.smtp.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - SMTP_USER
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.yml

@@ -1,51 +1,40 @@
 ---
-version: '3.8'
+version: "3.8"
 
 services:
-  mariadb:
-    image: 'mariadb:10.5'
+  app:
+    image: mediawiki:1.39.3
     environment:
-      - MYSQL_USER=mediawiki
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_DATABASE=mediawiki
+      - DOMAIN
+      - STACK_NAME
+      - MEDIAWIKI_EMAIL_CONTACT
+      - MEDIAWIKI_EMAIL_FROM
+      - MEDIAWIKI_SITENAME
+      - MEDIAWIKI_SITENAMESPACE
+      - MEDIAWIKI_LOGO_FILE
+      - MEDIAWIKI_IS_PRIVATE
+      - MEDIAWIKI_DEBUG
+      - MEDIAWIKI_LANGUAGE=${MEDIAWIKI_LANGUAGE:-en}
+      - SAML_ENABLED
+      - OPENID_ENABLED
+      - DB_HOST=db
+      - DB_USER=mediawiki
+      - DB_NAME=mediawiki
+      - SMTP_HOST
+      - SMTP_PORT=${SMTP_PORT:-25}
     volumes:
-      - 'mariadb:/var/lib/mysql'
-    secrets:
-      - db_root_password
-      - db_password
-    networks:
-      - internal
-    deploy:
-      restart_policy:
-        condition: on-failure
-        delay: "60s"
-        max_attempts: 3
-        window: 120s
-  mediawiki:
-    image: 'revianlabs/mediawiki-ve-bundle'
-    environment:
-      - DOMAIN=${DOMAIN}
-      - STACK_NAME=${STACK_NAME}
-      - MEDIAWIKI_EMAIL_CONTACT=${MEDIAWIKI_EMAIL_CONTACT}
-      - MEDIAWIKI_EMAIL_FROM=${MEDIAWIKI_EMAIL_FROM}
-      - MEDIAWIKI_SITENAME=${MEDIAWIKI_SITENAME}
-      - MEDIAWIKI_SITENAMESPACE=${MEDIAWIKI_SITENAMESPACE}
-    volumes:
-      - 'mediawiki_images:/var/www/html/images'
-      - 'parsoid:/usr/lib/parsoid'
+      - "mediawiki_images:/var/www/html/images"
     configs:
       - source: LocalSettings_conf
         target: /var/www/html/LocalSettings.php
-      - source: htaccess_conf
-        target: /var/www/html/.htaccess
+      - source: php_ini
+        target: /usr/local/etc/php/conf.d/mediawiki.ini
       - source: entrypoint2_conf
         target: /docker-entrypoint2.sh
         mode: 0555
-    depends_on:
-      - mariadb
     secrets:
       - db_password
+      - mediawiki_secret_key
     networks:
       - proxy
       - internal
@@ -55,15 +44,40 @@ services:
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "coop-cloud.${STACK_NAME}.version=2.5.0+1.39.3"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/images"
     entrypoint: /docker-entrypoint2.sh
 
+  db:
+    image: mariadb:10.10
+    environment:
+      - MYSQL_USER=mediawiki
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_DATABASE=mediawiki
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    secrets:
+      - db_root_password
+      - db_password
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki | gzip > /tmp/dump.sql.gz'"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
+
 volumes:
   mariadb:
   mediawiki_images:
-  parsoid:
 
 networks:
   proxy:
@@ -72,10 +86,13 @@ networks:
 
 secrets:
   db_root_password:
-    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
     external: true
   db_password:
-    name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  mediawiki_secret_key:
+    name: ${STACK_NAME}_mediawiki_secret_key_${SECRET_MEDIAWIKI_SECRET_KEY_VERSION}
     external: true
 
 configs:
@@ -83,11 +100,11 @@ configs:
     name: ${STACK_NAME}_local_settings_${LOCAL_SETTINGS_CONF_VERSION}
     file: LocalSettings.php.tmpl
     template_driver: golang
-  htaccess_conf:
-    name: ${STACK_NAME}_htaccess_${HTACCESS_CONF_VERSION}
-    file: htaccess.tmpl
-    template_driver: golang
   entrypoint2_conf:
     name: ${STACK_NAME}_entrypoint2_${ENTRYPOINT_CONF_VERSION}
     file: entrypoint.sh.tmpl
     template_driver: golang
+  php_ini:
+    name: ${STACK_NAME}_php_ini_${PHP_INI_VERSION}
+    file: php.ini.tmpl
+    template_driver: golang

composer.local.json.tmpl

@@ -0,0 +1,14 @@
+{
+{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
+  "require": {
+    "mediawiki/semantic-media-wiki": "^4.1.0"
+  },
+{{ end }}
+  "extra": {
+    "merge-plugin": {
+      "include": [
+        "extensions/OpenIDConnect/composer.json"
+      ]
+    }
+  }
+}

entrypoint.sh.tmpl

@@ -2,29 +2,138 @@
 
 set -eu -o pipefail
 
-init_db() {
-		set -eu
+init_composer() {
+	set -eu
 
-		apt update && apt install -y mariadb-client
-
-		PASSWORD=`cat /run/secrets/db_password`
-		TABLE_COUNT=$(mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
-
-    if [[ "${TABLE_COUNT}" == "0" ]]; then
-			mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki < /var/www/html/maintenance/tables.sql
-		else
-			php /var/www/html/maintenance/update.php
-		fi
+	if ! type composer > /dev/null 2>&1; then
+		apt update -yqq && apt install -yqq curl git unzip zip
+		curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
+		php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=2.5.4
+		composer -V
+	fi
 }
 
+composer_install() {
+	set -eu
+
+	cd /var/www/html/ && composer update && composer install
+}
+
+init_db() {
+	set -eu
+
+	if ! type mysql > /dev/null 2>&1; then
+		apt update -qq && apt install -yqq mariadb-client
+	fi
+
+	PASSWORD=$(cat /run/secrets/db_password)
+	# FIXME 3wc: replace with sql.php, not sure how to parse output:
+	# stdClass Object
+	#(
+	#    [TOTAL] => 58
+	#)
+	TABLE_COUNT=$(mysql -u "${DB_USER}" --password="$PASSWORD" -h "${DB_HOST}" "${DB_NAME}" -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
+
+	if [[ "${TABLE_COUNT}" == "0" ]]; then
+		php /var/www/html/maintenance/generateSchemaSql.php
+		php /var/www/html/maintenance/sql.php /var/www/html/maintenance/tables-generated.sql
+		php /var/www/html/maintenance/sql.php /var/www/html/maintenance/tables.sql
+		php /var/www/html/maintenance/sql.php /var/www/html/maintenance/interwiki.sql
+		# FIXME run createAndPromote.php with $ADMIN_USERNAME
+	fi
+
+	php /var/www/html/maintenance/update.php --quick
+}
+
+init_extensions() {
+
+	if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
+		git clone --depth 1 -b REL1_39 \
+			https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
+			/var/www/html/extensions/PluggableAuth
+	fi
+
+	if [ -n "${SAML_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
+				/var/www/html/extensions/SimpleSAMLphp
+		fi
+	fi
+
+	if [ -n "${OPENID_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/OpenIDConnect ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
+				/var/www/html/extensions/OpenIDConnect
+		fi
+	fi
+
+	if [ -n "${MOBILEFRONTEND_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/MobileFrontend ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://github.com/wikimedia/mediawiki-extensions-MobileFrontend.git \
+				/var/www/html/extensions/MobileFrontend
+		fi
+	fi
+
+	if [ -n "${MSU_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/MsUpload ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/MsUpload \
+				/var/www/html/extensions/MsUpload
+		fi
+	fi
+
+	if [ -n "${PAGEFORMS_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/PageForms ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms \
+				/var/www/html/extensions/PageForms
+		fi
+	fi
+
+	if [ -n "${PAGESCHEMAS_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/PageSchemas ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageSchemas \
+				/var/www/html/extensions/PageSchemas
+		fi
+	fi
+
+	if [ -n "${MARKDOWN_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/WikiMarkdown ]; then
+			git clone --depth 1 \
+				https://github.com/kuenzign/WikiMarkdown \
+				/var/www/html/extensions/WikiMarkdown
+		fi
+	fi
+
+}
+
+init_skins() {
+
+	if [ -n "${TWEEKI_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/skins/Tweeki ]; then
+			git clone --depth 1 \
+				https://github.com/thaider/Tweeki \
+				/var/www/html/skins/Tweeki
+		fi
+	fi
+
+}
+
+
 main() {
-		set -eu
+	set -eu
 
-		a2enmod rewrite
-
-		init_db
+	init_extensions
+	init_skins
+	init_composer
+	composer_install
+	init_db
 }
 
 main
 
-/docker-entrypoint.sh apache2-foreground "$@"
+apache2-foreground

entrypoint.simplesaml.sh.tmpl

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+   local val="$def"
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+load_vars() {
+   file_env "CONFIG_AUTHADMINPASSWORD"
+   file_env "CONFIG_SECRETSALT"
+}
+
+generate_certs() {
+   CERT_DIR=/var/simplesamlphp/cert
+
+   if [ -f "$CERT_DIR/saml.crt" ] && [ -f "$CERT_DIR/saml.pem" ]; then
+      return
+   fi
+
+    if ! type openssl > /dev/null 2>&1; then
+        yum install -q -y openssl
+    fi
+
+   openssl req -newkey rsa:4096 -new -x509 \
+      -days 3652 -nodes \
+      -out "$CERT_DIR/saml.crt" \
+      -keyout "$CERT_DIR/saml.pem" \
+      -subj "/C=XX/ST=/L=/O=/OU=SimpleSAML/CN=${DOMAIN}"
+}
+
+enable_plugins() {
+   touch /var/simplesamlphp/modules/cas/enable
+}
+
+main() {
+    set -eu
+
+    load_vars
+
+    enable_plugins
+
+    generate_certs
+}
+
+main
+
+/init "$@"

htaccess.tmpl

@@ -1,12 +0,0 @@
-# Generated using https://shorturls.redwerks.org
-
-RewriteEngine On
-RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
-
-RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
-RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
-RewriteRule ^/?images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ %{DOCUMENT_ROOT}/thumb.php?f=$1&width=$2 [L,QSA,B]
-
-RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
-RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
-RewriteRule ^/?images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ %{DOCUMENT_ROOT}/thumb.php?f=$1&width=$2&archived=1 [L,QSA,B]

php.ini.tmpl

@@ -0,0 +1,10 @@
+upload_max_filesize = 10M
+post_max_size = 10M
+max_execution_time = 7200
+max_file_uploads = 1000
+
+{{ if eq (env "MEDIAWIKI_DEBUG") "0" }}
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+{{ else }}
+error_reporting = E_ALL
+{{ end }}

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}