Add MEDIAWIKI_PROXY_SERVERS setting

Disable throttling temporarily to work around too-eager-throttling due
to MW only seeing the internal docker networking addresses for incoming traffic.
2023-09-03 17:07:10 +02:00 · 2023-09-01 17:41:25 +02:00
4 changed files with 62 additions and 12 deletions
--- a/LocalSettings.php.tmpl
+++ b/LocalSettings.php.tmpl
@ -255,3 +255,15 @@ $wgFileExtensions = array(

 $wgUploadSizeWarning = 1000000000;
 $wgMaxUploadSize = 1000000000;
+
+# Greatly relax IP-based throttling for logging in while we work around docker networking issues.
+# https://social.coop/@flancian/110980993608947217
+$wgPasswordAttemptThrottle = [
+	// Short term limit
+	[ 'count' => 9999, 'seconds' => 300 ],
+	// Long term limit. We need to balance the risk
+	// of somebody using this as a DoS attack to lock someone
+	// out of their account, and someone doing a brute force attack.
+	[ 'count' => 999999, 'seconds' => 60 * 60 * 48 ],
+];
+
--- a/abra.sh
+++ b/abra.sh
@ -1,7 +1,45 @@
-export LOCAL_SETTINGS_CONF_VERSION=v23
+export LOCAL_SETTINGS_CONF_VERSION=v25
 export HTACCESS_CONF_VERSION=v1
-export ENTRYPOINT_CONF_VERSION=v21
+export ENTRYPOINT_CONF_VERSION=v20
 export COMPOSER_LOCAL_CONF_VERSION=v5
 export PHP_INI_VERSION=v4

 export SAML_ENTRYPOINT_CONF_VERSION=v3
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/www/html/images"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "mediawiki"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}
+
+abra_restore_app() {
+  # shellcheck disable=SC2034
+  {
+	abra__src_="-"
+	abra__dst_="app:/var/www/html/"
+  }
+
+  zcat "$@" | sub_app_cp
+
+  success "Restored 'app'"
+}
+
+abra_restore_db() {
+  # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
+  # got this far..
+
+  # shellcheck disable=SC2034
+  abra___no_tty="true"
+
+  DB_ROOT_PASSWORD="$(sub_app_run cat /run/secrets/db_root_password)"
+
+  zcat "$@" | sub_app_run mysql -u root -p"$DB_ROOT_PASSWORD" wordpress
+
+  success "Restored 'db'"
+}
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: mediawiki:1.40.1
+    image: mediawiki:1.39.3
    environment:
      - DOMAIN
      - STACK_NAME
@ -47,13 +47,13 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=2.7.3+1.40.1"
+        - "coop-cloud.${STACK_NAME}.version=2.5.0+1.39.3"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/var/www/html/images"
    entrypoint: /docker-entrypoint2.sh

  db:
-    image: mariadb:11.1
+    image: mariadb:10.10
    environment:
      - MYSQL_USER=mediawiki
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -48,14 +48,14 @@ init_db() {
 init_extensions() {

 	if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
-		git clone --depth 1 -b REL1_40 \
+		git clone --depth 1 -b REL1_39 \
 			https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
 			/var/www/html/extensions/PluggableAuth
 	fi

 	if [ -n "${SAML_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
 				/var/www/html/extensions/SimpleSAMLphp
 		fi
@ -63,7 +63,7 @@ init_extensions() {

 	if [ -n "${OPENID_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/OpenIDConnect ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
 				/var/www/html/extensions/OpenIDConnect
 		fi
@ -71,7 +71,7 @@ init_extensions() {

 	if [ -n "${MOBILEFRONTEND_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/MobileFrontend ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://github.com/wikimedia/mediawiki-extensions-MobileFrontend.git \
 				/var/www/html/extensions/MobileFrontend
 		fi
@ -79,7 +79,7 @@ init_extensions() {

 	if [ -n "${MSU_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/MsUpload ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/MsUpload \
 				/var/www/html/extensions/MsUpload
 		fi
@ -87,7 +87,7 @@ init_extensions() {

 	if [ -n "${PAGEFORMS_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/PageForms ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms \
 				/var/www/html/extensions/PageForms
 		fi
@ -95,7 +95,7 @@ init_extensions() {

 	if [ -n "${PAGESCHEMAS_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/PageSchemas ]; then
-			git clone --depth 1 -b REL1_40 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageSchemas \
 				/var/www/html/extensions/PageSchemas
 		fi
Author	SHA1	Message	Date
3wc	dd623d7e43	Add MEDIAWIKI_PROXY_SERVERS setting	2023-09-03 17:07:10 +02:00
Flancian	19125b7b27	Disable throttling temporarily to work around too-eager-throttling due to MW only seeing the internal docker networking addresses for incoming traffic.	2023-09-01 17:41:25 +02:00