


Author SHA1 Message Date
3wc 26ca41aa91 Add healthcheck 2020-09-08 12:03:24 +02:00
17 changed files with 171 additions and 776 deletions


@ -1,49 +0,0 @@
---
kind: pipeline
name: deploy to swarm-test.autonomic.zone
steps:
- name: deployment
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
settings:
host: swarm-test.autonomic.zone
stack: mediawiki
networks:
- proxy
purge: true
generate_secrets: true
deploy_key:
from_secret: drone_ssh_swarm_test
environment:
DOMAIN: mediawiki.swarm-test.autonomic.zone
STACK_NAME: mediawiki
LETS_ENCRYPT_ENV: production
MEDIAWIKI_SITENAME: "Example Wiki"
MEDIAWIKI_SITENAMESPACE: "Example_Wiki"
MEDIAWIKI_EMAIL_CONTACT: "info@wiki.example.com"
MEDIAWIKI_EMAIL_FROM: "wiki@wiki.example.com"
MEDIAWIKI_LOGO_FILE: '$wgResourceBasePath/resources/assets/wiki.png'
SECRET_DB_ROOT_PASSWORD_VERSION: v1
SECRET_DB_PASSWORD_VERSION: v1
SECRET_MEDIAWIKI_SECRET_KEY_VERSION: v1
LOCAL_SETTINGS_CONF_VERSION: v1
ENTRYPOINT_CONF_VERSION: v1
PHP_INI_VERSION: v1
trigger:
branch:
- main
---
kind: pipeline
name: generate recipe catalogue
steps:
- name: release a new version
image: plugins/downstream
settings:
server: https://build.coopcloud.tech
token:
from_secret: drone_abra-bot_token
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
trigger:
event: tag


@ -1,87 +0,0 @@
TYPE=mediawiki
DOMAIN=mediawiki.example.com
COMPOSE_FILE="compose.yml"
#EXTRA_DOMAINS=', `www.wiki.example.com`'
LETS_ENCRYPT_ENV=production
MEDIAWIKI_SITENAME="Example Wiki"
MEDIAWIKI_SITENAMESPACE="Example_Wiki"
MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
MEDIAWIKI_LOGO_FILE='$wgResourceBasePath/resources/assets/wiki.png'
# list of language options (without ".json"):
# https://gerrit.wikimedia.org/g/mediawiki/core/%2B/HEAD/languages/i18n
MEDIAWIKI_LANGUAGE="en"
MEDIAWIKI_IS_PRIVATE=1
MEDIAWIKI_ALLOW_REGISTRATION=0
MEDIAWIKI_DEBUG=0
SECRET_DB_ROOT_PASSWORD_VERSION=v1
SECRET_DB_PASSWORD_VERSION=v1
SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
# SMTP
## via local postfix/mailu
#SMTP_HOST=postfix_relay_app
#SMTP_HOST=mailu_front
## via remote email provider
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#SMTP_HOST="mail.example.com"
#SMTP_PORT=587
#SMTP_USER="${MEDIAWIKI_EMAIL_FROM}"
#SECRET_SMTP_PASSWORD_VERSION=v1
# SAML
#COMPOSE_FILE="$COMPOSE_FILE:compose.simplesaml.yml"
#SAML_ENABLED=1
#SAML_CONTACT_NAME="Sam Ell"
#SAML_CONTACT_EMAIL="saml@example.com"
#SAML_EMAIL_ATTRIBUTE=mail
#SAML_REAL_NAME_ATTRIBUTE=realname
#SAML_AUTH_SOURCE_ID=default-sp
#SAML_USERNAME_ATTRIBUTE=user
#SECRET_SAML_ADMIN_PASSWORD_VERSION=v1
#SECRET_SAML_SECRET_SALT_VERSION=v1 # length=64
## OpenID Connect
# OPENID_ENABLED=1
# COMPOSE_FILE="$COMPOSE_FILE:compose.openid.yml"
# OPENID_KEYCLOAK_URL="https://keycloak.local:8080/realms/acme/"
# OPENID_CLIENT_ID="mediawiki"
# SECRET_OPENID_CLIENT_SECRET_VERSION=v1
## WikiMarkdown
#MARKDOWN_ENABLED=1
## MobileFrontend
#MOBILEFRONTEND_ENABLED=1
## MsUpload
#MSU_ENABLED=1
## PageForms
#PAGEFORMS_ENABLED=1
## PageSchemas
#PAGESCHEMAS_ENABLED=1
## SemanticMediaWiki
#SEMANTICMW_ENABLED=1
## WikiMarkdown
#MARKDOWN_ENABLED=1
## Tweeki skin
#TWEEKI_ENABLED=0

.envrc.sample Normal file

@ -0,0 +1,15 @@
export DOMAIN=wiki.example.com
export STACK_NAME=example_wiki
export LETS_ENCRYPT_ENV=production
export MEDIAWIKI_SITENAME="Example Wiki"
export MEDIAWIKI_SITENAMESPACE="Example_Wiki"
export MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
export MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
export DB_ROOT_PASSWORD_VERSION=v1
export DB_PASSWORD_VERSION=v1
export LOCAL_SETTINGS_CONF_VERSION=v1
export HTACCESS_CONF_VERSION=v1
export ENTRYPOINT_CONF_VERSION=v1

LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2019 Revian Labs
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -1,10 +1,21 @@
<?php
# This file was automatically generated by the MediaWiki 1.32.1
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
#
# See includes/DefaultSettings.php for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
#
# Further documentation for configuration settings may be found at:
# https://www.mediawiki.org/wiki/Manual:Configuration_settings
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;
@ -28,7 +39,7 @@ $wgResourceBasePath = $wgScriptPath;
## The URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "{{ env "MEDIAWIKI_LOGO_FILE" }}";
$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
## UPO means: this is also a user preference option
@ -44,9 +55,9 @@ $wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "{{ env "DB_HOST" }}";
$wgDBname = "{{ env "DB_NAME" }}";
$wgDBuser = "{{ env "DB_USER" }}";
$wgDBserver = "mariadb";
$wgDBname = "mediawiki";
$wgDBuser = "mediawiki";
$wgDBpassword = rtrim(file_get_contents('/run/secrets/db_password'));
# MySQL specific settings
@ -84,9 +95,9 @@ $wgShellLocale = "C.UTF-8";
#$wgCacheDirectory = "$IP/cache";
# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "{{ env "MEDIAWIKI_LANGUAGE" }}";
$wgLanguageCode = "en";
$wgSecretKey = rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'));
$wgSecretKey = "8a83180cd66683c2a379882211187d6f79a1d40749b962598148f67893ff10cf";
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";
@ -106,48 +117,21 @@ $wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";
{{ if eq (env "MEDIAWIKI_ALLOW_REGISTRATION") "1" }}
$wgGroupPermissions['*']['createaccount'] = true;
$wgEmailConfirmToEdit = true;
{{ else }}
# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['createaccount'] = false;
{{ end }}
$wgGroupPermissions['*']['edit'] = false;
{{ if eq (env "MEDIAWIKI_IS_PRIVATE") "1" }}
$wgGroupPermissions['*']['read'] = false;
{{ else }}
$wgGroupPermissions['*']['read'] = true;
{{ end }}
{{ if ne (env "MEDIAWIKI_PROXY_SERVERS") "" }}
// In LocalSettings.php
$wgUseCdn = true;
$wgCdnServersNoPurge = [];
$wgCdnServersNoPurge[] = "{{ env "MEDIAWIKI_PROXY_SERVERS" }}";
{{ end }}
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'vector', 'monobook':
$wgDefaultSkin = "vector";
# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );
wfLoadSkin( 'MinervaNeue' );
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'vector', 'monobook':
{{ if eq (env "TWEEKI_ENABLED") "1" }}
wfLoadSkin( 'Tweeki' );
$wgDefaultSkin = "tweeki";
{{ else }}
$wgDefaultSkin = "vector";
{{ end }}
{{ if eq (env "MOBILEFRONTEND_ENABLED") "1" }}
wfLoadExtension( 'MobileFrontend' );
$wgDefaultMobileSkin = 'minerva';
{{ end }}
# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtensions('ExtensionName');
@ -155,10 +139,6 @@ $wgDefaultMobileSkin = 'minerva';
# The following extensions were automatically enabled:
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'Interwiki' );
wfLoadExtension( 'Cite' );
wfLoadExtension( 'ParserFunctions' );
# End of automatically generated settings.
# Add more configuration options below.
@ -166,92 +146,19 @@ $wgDefaultUserOptions['visualeditor-enable'] = 1;
$wgVisualEditorAllowLossySwitching = false;
{{ if eq (env "SAML_ENABLED") "1" }}
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );
$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp/";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => '{{ env "SAML_AUTH_SOURCE_ID" }}',
'usernameAttribute' => '{{ env "SAML_USERNAME_ATTRIBUTE" }}',
'realNameAttribute' => '{{ env "SAML_REAL_NAME_ATTRIBUTE" }}',
'emailAttribute' => '{{ env "SAML_EMAIL_ATTRIBUTE" }}'
]
$wgVirtualRestConfig['modules']['parsoid'] = [
// URL to the Parsoid instance - use port 8142 if you use the Debian package - the parameter 'URL' was first used but is now deprecated (string)
'url' => 'http://localhost:8000/',
// Parsoid "domain" (string, optional) - MediaWiki >= 1.26
'domain' => 'localhost',
// Parsoid "prefix" (string, optional) - deprecated since MediaWiki 1.26, use 'domain'
'prefix' => 'localhost',
// Forward cookies in the case of private wikis (string or false, optional)
'forwardCookies' => true,
// request timeout in seconds (integer or null, optional)
'timeout' => null,
// Parsoid HTTP proxy (string or null, optional)
'HTTPProxy' => null,
// whether to parse URL as if they were meant for RESTBase (boolean or null, optional)
'restbaseCompat' => null,
];
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
{{ end }}
{{ if eq (env "MEDIAWIKI_DEBUG") "1" }}
$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
{{ end }}
{{ if eq (env "OPENID_ENABLED") "1" }}
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => '{{ env "OPENID_KEYCLOAK_URL" }}',
'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
'clientsecret' => '{{ secret "openid_client_secret" }}'
]
];
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
{{ end }}
{{ if env "SMTP_HOST" }}
$wgSMTP = [
'host' => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
'port' => {{ env "SMTP_PORT" }}, // Port to use when connecting to the SMTP server
{{ if env "SMTP_USER" }}
'auth' => true, // Should we use SMTP authentication (true or false)
'username' => '{{ env "SMTP_USER" }}', // Username to use for SMTP authentication (if being used)
'password' => '{{ secret "smtp_password" }}' // Password to use for SMTP authentication (if being used)
{{ else }}
'auth' => false
{{ end }}
];
{{ end }}
{{ if eq (env "MSU_ENABLED") "1" }}
wfLoadExtension( 'MsUpload' );
$wgAllowJavaUploads = true; // Solves problem with Office 2007 and newer files (docx, xlsx, etc.)
{{ end }}
{{ if eq (env "PAGEFORMS_ENABLED") "1" }}
wfLoadExtension( 'PageForms' );
{{ end }}
{{ if eq (env "PAGESCHEMAS_ENABLED") "1" }}
wfLoadExtension( 'PageSchemas' );
{{ end }}
{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
wfLoadExtension( 'SemanticMediaWiki' );
enableSemantics( '{{ env "DOMAIN" }}' );
{{ end }}
{{ if eq (env "MARKDOWN_ENABLED") "1" }}
wfLoadExtension( 'WikiMarkdown' );
$wgAllowMarkdownExtra = true; // allows usage of Parsedown Extra
$wgAllowMarkdownExtended = true; // allows usage of Parsedown Extended
{{ end }}
$wgFileExtensions = array(
'png', 'gif', 'jpg', 'jpeg', 'doc', 'xls', 'mpp', 'pdf', 'ppt', 'tiff',
'bmp', 'docx', 'xlsx', 'pptx', 'ps', 'odt', 'ods', 'odp', 'odg'
);
$wgUploadSizeWarning = 1000000000;
$wgMaxUploadSize = 1000000000;
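Review bot: `$wgSecretKey` is now a literal hex string committed to the template (the `$wgSecretKey = "…";` line that replaces the `rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'))` read), so every stack deployed from this recipe shares a key that is public in the repository, and MediaWiki uses that key when signing session data and tokens. Keep the secret-file read, `$wgSecretKey = rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'));`, together with the `mediawiki_secret_key` secret and its `SECRET_MEDIAWIKI_SECRET_KEY_VERSION` entry in compose.yml, which this commit also drops; `$wgDBpassword` a few lines above still comes from `/run/secrets/db_password`, so the pattern is already in place. If this literal value was ever used on a live wiki, generate a fresh key and bump `$wgAuthenticationTokenVersion` so existing sessions are invalidated, as the comment next to it describes.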

README.md

@ -1,101 +1,27 @@
# Mediawiki
[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/mediawiki/status.svg)](https://build.coopcloud.tech/coop-cloud/mediawiki)
Mediawiki [version 1.32.1][mediawiki-1.32]
<!-- metadata -->
* **Category**: Apps
* **Status**: 1, alpha
* **Image**: [`mediawiki`](https://hub.docker.com/_/mediawiki), 4, upstream
* **Healthcheck**: No
* **Backups**: Yes
* **Email**: 3
* **Tests**: 2
* **SSO**: 2 (OAuth, SAML)
<!-- endmetadata -->
Requires Docker version 1.11.2 or above to run.
## Basic usage
Based on [`mediawiki-ve-bundle`][mediawiki-ve].
1. Set up Docker Swarm and [`abra`][abra]
2. Deploy [`coop-cloud/traefik`][traefik]
3. `abra app new mediawiki --secrets` (optionally with `--pass` if you'd like
to save secrets in `pass`)
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
2. Deploy [`compose-stacks/traefik`][compose-traefik]
2. `cp .envrc.sample .envrc`
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN`
6. Create an initial admin user:
`abra app run YOURAPPDOMAIN app php /var/www/html/maintenance/createAndPromote.php --sysop YourUsername YourPassword`
## Email
### Coop Cloud mailu or postfix
1. `abra app config YOURAPPDOMAIN` - edit `.envrc` and uncomment the `SMTP` lines. Set `SMTP_HOST` to
`postfix_relay` for `coop-cloud/postfix_relay`, or `mailu_front` for
`coop-cloud/mailu` (assuming default stack names)
2. For `postfix_relay`, add the domain to your email config `EXTRA_SENDER_DOMAINS` in
`postfix_relay`. This doesn't seem to be required for Mailu.
3. `abra app deploy YOURAPPDOMAIN`
### Remote provider
1. `abra app config YOURAPPDOMAIN` - uncomment `SMTP` under the "remote email provider" section and set values for `SMTP_HOST`, `SMTP_PORT` and `SMTP_USER`
2. `abra app secret insert YOURAPPDOMAIN smtp_password v1 YOURSMTPPASSWORD`
3. `abra app deploy YOURAPPDOMAIN`
Note: Only STARTTLS is supported, TLS won't work.
## Single Sign On
### SimpleSAMLphp
This app includes optional SAML Single Sign On using
[SimpleSAMLphp][simplesamlphp] and Mediawiki's
[Extension:SimpleSAMLphp][mw-simplesamlphp], based on the
[`venatorfox/simplesamlphp`][venatorfox-simplesamlphp] image.
NOTE: currently, if you enable SAML then it'll disable Mediawiki's own user account
system. Patches to make this configurable are welcome!
1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `SAML` section (including `COMPOSE_FILE`)
2. Generate secrets: (add `--pass` if you want to store secrets in `pass`)
```
abra app YOURAPPDOMAIN secret generate saml_admin_password v1
abra app YOURAPPDOMAIN secret generate saml_secret_salt v1 "pwgen -n 64 1"
```
3. `abra app deploy YOURAPPDOMAIN`
4. Copy your SimpleSAMLphp metadata and certificates to the container (assuming
you have local `metadata` and `cert` folders:
```
abra app YOURAPPDOMAIN cp metadata simplesaml:/var/simplesamlphp/
abra app YOURAPPDOMAIN cp cert simplesaml:/var/simplesamlphp/
```
5. You can log into SimpleSAMLphp using the password you generated at
https://$DOMAIN/simplesaml/ and test authentication
6. Edit SimpleSAMLphp's `config.php` and change `store.sql.dsn`:
```
abra app YOURAPPDOMAIN run simplesaml vi /var/simplesamlphp/config/config.php
# find 'store.sql.dsn' and edit to:
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
```
### OpenID Connect
1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
2. Store your Keycloak-generated client secret in Docker:
```
abra app YOURAPPDOMAIN secret insert openid_client_secret v1 put-your-secret-here
```
3. `abra app deploy YOURAPPDOMAIN`
4. `direnv allow` (or `. .envrc`)
5. `abra secret_generate db_password v1 && abra secret_generate db_root_password v2`
6. `abra deploy`
7. `abra service_run mediawiki /bin/bash` to open a shell
8. `php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
## License
MIT License
[mediawiki-1.35]: https://www.mediawiki.org/wiki/Release_notes/1.35
[mediawiki-1.32]: https://www.mediawiki.org/wiki/Release_notes/1.32.1
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
[traefik]: https://git.autonomic.zone/coop-cloud/traefik
[simplesamlphp]: https://simplesamlphp.org/
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle


@ -1,7 +0,0 @@
export LOCAL_SETTINGS_CONF_VERSION=v23
export HTACCESS_CONF_VERSION=v1
export ENTRYPOINT_CONF_VERSION=v21
export COMPOSER_LOCAL_CONF_VERSION=v5
export PHP_INI_VERSION=v4
export SAML_ENTRYPOINT_CONF_VERSION=v3


@ -1,24 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- OPENID_KEYCLOAK_URL
- OPENID_CLIENT_ID
secrets:
- openid_client_secret
configs:
- source: composer_local_conf
target: /var/www/html/composer.local.json
secrets:
openid_client_secret:
name: ${STACK_NAME}_openid_client_secret_${SECRET_OPENID_CLIENT_SECRET_VERSION}
external: true
configs:
composer_local_conf:
name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
file: composer.local.json.tmpl
template_driver: golang


@ -1,95 +0,0 @@
---
version: "3.8"
services:
app:
volumes:
- "simplesaml:/var/simplesamlphp/"
- "simplesaml_cert:/var/simplesamlphp/cert"
- "simplesaml_config:/var/simplesamlphp/config"
- "simplesaml_data:/var/simplesamlphp/data"
- "simplesaml_log:/var/simplesamlphp/log"
- "simplesaml_metadata:/var/simplesamlphp/metadata"
- "simplesaml_modules:/var/simplesamlphp/modules"
environment:
- SAML_AUTH_SOURCE_ID
- SAML_EMAIL_ATTRIBUTE
- SAML_REAL_NAME_ATTRIBUTE
- SAML_SERVICE_PROVIDER
- SAML_USERNAME_ATTRIBUTE
simplesaml:
# image: unicon/simplesamlphp:1.19.6
image: git.coopcloud.tech/coop-cloud-chaos-patchs/simplesamlphp:1.19.7
secrets:
- saml_admin_password
- saml_secret_salt
environment:
- DOMAIN
- CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
- CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
- CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
- CONFIG_TECHNICALCONTACT_NAME
- CONFIG_TECHNICALCONTACT_EMAIL
- CONFIG_SHOWERRORS=true
- CONFIG_ERRORREPORTING=true
- CONFIG_ADMINPROTECTINDEXPAGE=true
- CONFIG_LOGGINGLEVEL=INFO
- CONFIG_ENABLESAML20IDP=true
- CONFIG_STORETYPE=sql
#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'memcached']\n ],
- OPENLDAP_TLS_REQCERT=allow
- MTA_NULLCLIENT=true
- POSTFIX_MYHOSTNAME=${DOMAIN}
- POSTFIX_MYORIGIN=$$mydomain
- POSTFIX_INETINTERFACES=loopback-only
- DOCKER_REDIRECTLOGS=false
# Required if DOCKER_REDIRECTLOGS=true
# tty: true
configs:
- source: entrypoint_saml_conf
target: /docker-entrypoint.simplesaml.sh
mode: 0555
volumes:
- simplesaml:/var/simplesamlphp/
- "simplesaml_cert:/var/simplesamlphp/cert"
- "simplesaml_config:/var/simplesamlphp/config"
- "simplesaml_data:/var/simplesamlphp/data"
- "simplesaml_log:/var/simplesamlphp/log"
- "simplesaml_metadata:/var/simplesamlphp/metadata"
- "simplesaml_modules:/var/simplesamlphp/modules"
networks:
- proxy
entrypoint: /docker-entrypoint.simplesaml.sh
deploy:
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
- "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
volumes:
simplesaml:
simplesaml_cert:
simplesaml_config:
simplesaml_data:
simplesaml_log:
simplesaml_metadata:
simplesaml_modules:
secrets:
saml_admin_password:
name: ${STACK_NAME}_saml_admin_password_${SECRET_SAML_ADMIN_PASSWORD_VERSION}
external: true
saml_secret_salt:
name: ${STACK_NAME}_saml_secret_salt_${SECRET_SAML_SECRET_SALT_VERSION}
external: true
configs:
entrypoint_saml_conf:
name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
file: entrypoint.simplesaml.sh.tmpl
template_driver: golang


@ -1,14 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- SMTP_USER
secrets:
- smtp_password
secrets:
smtp_password:
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
external: true


@ -1,83 +1,76 @@
---
version: "3.8"
version: '3.8'
services:
app:
image: mediawiki:1.40.1
environment:
- DOMAIN
- STACK_NAME
- MEDIAWIKI_EMAIL_CONTACT
- MEDIAWIKI_EMAIL_FROM
- MEDIAWIKI_SITENAME
- MEDIAWIKI_SITENAMESPACE
- MEDIAWIKI_LOGO_FILE
- MEDIAWIKI_IS_PRIVATE
- MEDIAWIKI_DEBUG
- MEDIAWIKI_LANGUAGE=${MEDIAWIKI_LANGUAGE:-en}
- SAML_ENABLED
- OPENID_ENABLED
- DB_HOST=db
- DB_USER=mediawiki
- DB_NAME=mediawiki
- SMTP_HOST
- SMTP_PORT=${SMTP_PORT:-25}
volumes:
- "mediawiki_images:/var/www/html/images"
configs:
- source: LocalSettings_conf
target: /var/www/html/LocalSettings.php
- source: php_ini
target: /usr/local/etc/php/conf.d/mediawiki.ini
- source: entrypoint2_conf
target: /docker-entrypoint2.sh
mode: 0555
secrets:
- db_password
- mediawiki_secret_key
networks:
- proxy
- internal
deploy:
update_config:
failure_action: rollback
labels:
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "coop-cloud.${STACK_NAME}.version=2.7.3+1.40.1"
- "backupbot.backup=true"
- "backupbot.backup.path=/var/www/html/images"
entrypoint: /docker-entrypoint2.sh
db:
image: mariadb:11.1
mariadb:
image: 'mariadb:10.5'
environment:
- MYSQL_USER=mediawiki
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
- MYSQL_DATABASE=mediawiki
volumes:
- "mariadb:/var/lib/mysql"
- 'mariadb:/var/lib/mysql'
secrets:
- db_root_password
- db_password
networks:
- internal
deploy:
restart_policy:
condition: on-failure
delay: "60s"
max_attempts: 3
window: 120s
mediawiki:
image: 'revianlabs/mediawiki-ve-bundle'
environment:
- DOMAIN=${DOMAIN}
- STACK_NAME=${STACK_NAME}
- MEDIAWIKI_EMAIL_CONTACT=${MEDIAWIKI_EMAIL_CONTACT}
- MEDIAWIKI_EMAIL_FROM=${MEDIAWIKI_EMAIL_FROM}
- MEDIAWIKI_SITENAME=${MEDIAWIKI_SITENAME}
- MEDIAWIKI_SITENAMESPACE=${MEDIAWIKI_SITENAMESPACE}
volumes:
- 'mediawiki_images:/var/www/html/images'
- 'parsoid:/usr/lib/parsoid'
configs:
- source: LocalSettings_conf
target: /var/www/html/LocalSettings.php
- source: htaccess_conf
target: /var/www/html/.htaccess
- source: entrypoint2_conf
target: /docker-entrypoint2.sh
mode: 0555
depends_on:
- mariadb
secrets:
- db_password
networks:
- proxy
- internal
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
backupbot.backup: "true"
backupbot.backup.path: "/tmp/dump.sql.gz"
backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki | gzip > /tmp/dump.sql.gz'"
backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
backupbot.restore: "true"
backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
entrypoint: /docker-entrypoint2.sh
volumes:
mariadb:
mediawiki_images:
parsoid:
networks:
proxy:
@ -86,13 +79,10 @@ networks:
secrets:
db_root_password:
name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
external: true
db_password:
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
external: true
mediawiki_secret_key:
name: ${STACK_NAME}_mediawiki_secret_key_${SECRET_MEDIAWIKI_SECRET_KEY_VERSION}
name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
external: true
configs:
@ -100,11 +90,11 @@ configs:
name: ${STACK_NAME}_local_settings_${LOCAL_SETTINGS_CONF_VERSION}
file: LocalSettings.php.tmpl
template_driver: golang
htaccess_conf:
name: ${STACK_NAME}_htaccess_${HTACCESS_CONF_VERSION}
file: htaccess.tmpl
template_driver: golang
entrypoint2_conf:
name: ${STACK_NAME}_entrypoint2_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
php_ini:
name: ${STACK_NAME}_php_ini_${PHP_INI_VERSION}
file: php.ini.tmpl
template_driver: golang
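Review bot: `depends_on: - mariadb` under the `mediawiki` service is ignored by `docker stack deploy` (swarm does not honour it), so the entrypoint's `init_db` can run before MariaDB accepts connections; the new `healthcheck` will eventually surface a crashed task, but a readiness wait in `entrypoint.sh.tmpl` (retry the `mysql` probe until it succeeds) is the real fix. The healthcheck `["CMD", "curl", "-f", "http://localhost"]` also assumes `curl` is present in `revianlabs/mediawiki-ve-bundle` and that the entrypoint, which runs `apt update && apt install -y mariadb-client` and the schema import first, finishes within `start_period: 1m`; the 10 retries at 30s give some slack after that, but confirm the timing on a cold start. Both assumptions are worth recording next to the block, e.g. `# curl must exist in the image; start_period must cover the apt install + schema init in entrypoint.sh.tmpl`.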


@ -1,14 +0,0 @@
{
{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
"require": {
"mediawiki/semantic-media-wiki": "^4.1.0"
},
{{ end }}
"extra": {
"merge-plugin": {
"include": [
"extensions/OpenIDConnect/composer.json"
]
}
}
}


@ -2,138 +2,29 @@
set -eu -o pipefail
init_composer() {
set -eu
if ! type composer > /dev/null 2>&1; then
apt update -yqq && apt install -yqq curl git unzip zip
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=2.5.4
composer -V
fi
}
composer_install() {
set -eu
cd /var/www/html/ && composer update && composer install
}
init_db() {
set -eu
set -eu
if ! type mysql > /dev/null 2>&1; then
apt update -qq && apt install -yqq mariadb-client
fi
apt update && apt install -y mariadb-client
PASSWORD=$(cat /run/secrets/db_password)
# FIXME 3wc: replace with sql.php, not sure how to parse output:
# stdClass Object
#(
# [TOTAL] => 58
#)
TABLE_COUNT=$(mysql -u "${DB_USER}" --password="$PASSWORD" -h "${DB_HOST}" "${DB_NAME}" -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
PASSWORD=`cat /run/secrets/db_password`
TABLE_COUNT=$(mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
if [[ "${TABLE_COUNT}" == "0" ]]; then
php /var/www/html/maintenance/generateSchemaSql.php
php /var/www/html/maintenance/sql.php /var/www/html/maintenance/tables-generated.sql
php /var/www/html/maintenance/sql.php /var/www/html/maintenance/tables.sql
php /var/www/html/maintenance/sql.php /var/www/html/maintenance/interwiki.sql
# FIXME run createAndPromote.php with $ADMIN_USERNAME
fi
php /var/www/html/maintenance/update.php --quick
if [[ "${TABLE_COUNT}" == "0" ]]; then
mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki < /var/www/html/maintenance/tables.sql
else
php /var/www/html/maintenance/update.php
fi
}
init_extensions() {
if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
/var/www/html/extensions/PluggableAuth
fi
if [ -n "${SAML_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
/var/www/html/extensions/SimpleSAMLphp
fi
fi
if [ -n "${OPENID_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/OpenIDConnect ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
/var/www/html/extensions/OpenIDConnect
fi
fi
if [ -n "${MOBILEFRONTEND_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/MobileFrontend ]; then
git clone --depth 1 -b REL1_40 \
https://github.com/wikimedia/mediawiki-extensions-MobileFrontend.git \
/var/www/html/extensions/MobileFrontend
fi
fi
if [ -n "${MSU_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/MsUpload ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/mediawiki/extensions/MsUpload \
/var/www/html/extensions/MsUpload
fi
fi
if [ -n "${PAGEFORMS_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/PageForms ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms \
/var/www/html/extensions/PageForms
fi
fi
if [ -n "${PAGESCHEMAS_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/PageSchemas ]; then
git clone --depth 1 -b REL1_40 \
https://gerrit.wikimedia.org/r/mediawiki/extensions/PageSchemas \
/var/www/html/extensions/PageSchemas
fi
fi
if [ -n "${MARKDOWN_ENABLED-}" ]; then
if [ ! -d /var/www/html/extensions/WikiMarkdown ]; then
git clone --depth 1 \
https://github.com/kuenzign/WikiMarkdown \
/var/www/html/extensions/WikiMarkdown
fi
fi
}
init_skins() {
if [ -n "${TWEEKI_ENABLED-}" ]; then
if [ ! -d /var/www/html/skins/Tweeki ]; then
git clone --depth 1 \
https://github.com/thaider/Tweeki \
/var/www/html/skins/Tweeki
fi
fi
}
main() {
set -eu
set -eu
init_extensions
init_skins
init_composer
composer_install
init_db
a2enmod rewrite
init_db
}
main
apache2-foreground
/docker-entrypoint.sh apache2-foreground "$@"
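Review bot: In `init_db` the database password is put on the `mysql` command line (`--password="$PASSWORD"` on both the `TABLE_COUNT` query and the `tables.sql` import), where any process in the container can read it from `ps` or `/proc/*/cmdline`; pass it through the environment instead, `MYSQL_PWD="$PASSWORD" mysql -u mediawiki -h mariadb mediawiki -e "…" -N -B`, or via `--defaults-extra-file`. While on that line, `PASSWORD=$(cat /run/secrets/db_password)` is the conventional form of the backtick substitution. Separately, `apt update && apt install -y mariadb-client` now runs unconditionally on every container start under `set -eu -o pipefail`, so any apt or network failure keeps the wiki from starting; guard it with `if ! command -v mysql >/dev/null 2>&1; then …; fi` or bake the client into the image. The `set -eu` inside `init_db` and `main` appears redundant with the `set -eu -o pipefail` at the top of the script.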


@ -1,61 +0,0 @@
#!/usr/bin/env bash
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
load_vars() {
file_env "CONFIG_AUTHADMINPASSWORD"
file_env "CONFIG_SECRETSALT"
}
generate_certs() {
CERT_DIR=/var/simplesamlphp/cert
if [ -f "$CERT_DIR/saml.crt" ] && [ -f "$CERT_DIR/saml.pem" ]; then
return
fi
if ! type openssl > /dev/null 2>&1; then
yum install -q -y openssl
fi
openssl req -newkey rsa:4096 -new -x509 \
-days 3652 -nodes \
-out "$CERT_DIR/saml.crt" \
-keyout "$CERT_DIR/saml.pem" \
-subj "/C=XX/ST=/L=/O=/OU=SimpleSAML/CN=${DOMAIN}"
}
enable_plugins() {
touch /var/simplesamlphp/modules/cas/enable
}
main() {
set -eu
load_vars
enable_plugins
generate_certs
}
main
/init "$@"

htaccess.tmpl Normal file

@ -0,0 +1,12 @@
# Generated using https://shorturls.redwerks.org
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
RewriteRule ^/?images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ %{DOCUMENT_ROOT}/thumb.php?f=$1&width=$2 [L,QSA,B]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
RewriteRule ^/?images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ %{DOCUMENT_ROOT}/thumb.php?f=$1&width=$2&archived=1 [L,QSA,B]
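Review bot: These rules only take effect if the Apache vhost in the base image permits `.htaccess` overrides (`AllowOverride FileInfo` or `All`) and `mod_rewrite` is loaded; the entrypoint's new `a2enmod rewrite` covers the module, but the override setting is not visible in this change — confirm it in the image's vhost config, or ship the rules as a `conf.d` snippet mounted as a config instead. Since compose.yml mounts this file with `template_driver: golang`, a leading comment would save the next editor a surprise: `# Rendered by the Docker config template driver: any literal {{ or }} in this file must be escaped`.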


@ -1,10 +0,0 @@
upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 7200
max_file_uploads = 1000
{{ if eq (env "MEDIAWIKI_DEBUG") "0" }}
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
{{ else }}
error_reporting = E_ALL
{{ end }}


@ -1,6 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}