Add MEDIAWIKI_PROXY_SERVERS setting

to MW only seeing the internal docker networking addresses for incoming
traffic.

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: mediawiki
+      networks:
+       - proxy
       purge: true
       generate_secrets: true
       deploy_key:
@@ -31,11 +33,17 @@ trigger:
     - main
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe mediawiki release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,6 +1,7 @@
 TYPE=mediawiki
 
 DOMAIN=mediawiki.example.com
+COMPOSE_FILE="compose.yml"
 
 #EXTRA_DOMAINS=', `www.wiki.example.com`'
 LETS_ENCRYPT_ENV=production
@@ -11,19 +12,35 @@ MEDIAWIKI_EMAIL_CONTACT="info@wiki.example.com"
 MEDIAWIKI_EMAIL_FROM="wiki@wiki.example.com"
 MEDIAWIKI_LOGO_FILE='$wgResourceBasePath/resources/assets/wiki.png'
 
-MEDIAWIKI_IS_PRIVATE=1
+# list of language options (without ".json"):
+# https://gerrit.wikimedia.org/g/mediawiki/core/%2B/HEAD/languages/i18n
+MEDIAWIKI_LANGUAGE="en"
 
-## SMTP
-#SMTP_HOST=postfix_relay_app
-#SMTP_HOST=mailu_front
+MEDIAWIKI_IS_PRIVATE=1
+MEDIAWIKI_ALLOW_REGISTRATION=0
+
+MEDIAWIKI_DEBUG=0
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
 
+# SMTP
+
+## via local postfix/mailu
+#SMTP_HOST=postfix_relay_app
+#SMTP_HOST=mailu_front
+
+## via remote email provider
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SMTP_HOST="mail.example.com"
+#SMTP_PORT=587
+#SMTP_USER="${MEDIAWIKI_EMAIL_FROM}"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
 # SAML
 
-#COMPOSE_FILE="compose.yml:compose.simplesaml.yml"
+#COMPOSE_FILE="$COMPOSE_FILE:compose.simplesaml.yml"
 
 #SAML_ENABLED=1
 #SAML_CONTACT_NAME="Sam Ell"
@@ -39,7 +56,32 @@ SECRET_MEDIAWIKI_SECRET_KEY_VERSION=v1 # length=64
 
 ## OpenID Connect
 # OPENID_ENABLED=1
-# COMPOSE_FILE="compose.yml:compose.openid.yml"
-# OPENID_KEYCLOAK_URL="https://keycloak.local:8080/auth/realms/acme/"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.openid.yml"
+# OPENID_KEYCLOAK_URL="https://keycloak.local:8080/realms/acme/"
 # OPENID_CLIENT_ID="mediawiki"
 # SECRET_OPENID_CLIENT_SECRET_VERSION=v1
+
+## WikiMarkdown
+#MARKDOWN_ENABLED=1
+
+## MobileFrontend
+#MOBILEFRONTEND_ENABLED=1
+
+## MsUpload
+#MSU_ENABLED=1
+
+## PageForms
+#PAGEFORMS_ENABLED=1
+
+## PageSchemas
+#PAGESCHEMAS_ENABLED=1
+
+## SemanticMediaWiki
+#SEMANTICMW_ENABLED=1
+
+## WikiMarkdown
+#MARKDOWN_ENABLED=1
+
+## Tweeki skin
+#TWEEKI_ENABLED=0
+

LocalSettings.php.tmpl

@@ -5,7 +5,6 @@ if ( !defined( 'MEDIAWIKI' ) ) {
 	exit;
 }
 
-
 ## Uncomment this to disable output compression
 # $wgDisableOutputCompression = true;
 
@@ -85,7 +84,7 @@ $wgShellLocale = "C.UTF-8";
 #$wgCacheDirectory = "$IP/cache";
 
 # Site language code, should be one of the list in ./languages/data/Names.php
-$wgLanguageCode = "en";
+$wgLanguageCode = "{{ env "MEDIAWIKI_LANGUAGE" }}";
 
 $wgSecretKey = rtrim(file_get_contents('/run/secrets/mediawiki_secret_key'));
 
@@ -107,8 +106,13 @@ $wgRightsIcon = "";
 # Path to the GNU diff3 utility. Used for conflict resolution.
 $wgDiff3 = "/usr/bin/diff3";
 
-# The following permissions were set based on your choice in the installer
+{{ if eq (env "MEDIAWIKI_ALLOW_REGISTRATION") "1" }}
+$wgGroupPermissions['*']['createaccount'] = true;
+$wgEmailConfirmToEdit = true;
+{{ else }}
 $wgGroupPermissions['*']['createaccount'] = false;
+{{ end }}
+
 $wgGroupPermissions['*']['edit'] = false;
 {{ if eq (env "MEDIAWIKI_IS_PRIVATE") "1" }}
 $wgGroupPermissions['*']['read'] = false;
@@ -116,15 +120,34 @@ $wgGroupPermissions['*']['read'] = false;
 $wgGroupPermissions['*']['read'] = true;
 {{ end }}
 
-## Default skin: you can change the default skin. Use the internal symbolic
-## names, ie 'vector', 'monobook':
-$wgDefaultSkin = "vector";
+{{ if ne (env "MEDIAWIKI_PROXY_SERVERS") "" }}
+// In LocalSettings.php
+$wgUseCdn = true;
+$wgCdnServersNoPurge = [];
+$wgCdnServersNoPurge[] = "{{ env "MEDIAWIKI_PROXY_SERVERS" }}";
+{{ end }}
 
 # Enabled skins.
 # The following skins were automatically enabled:
 wfLoadSkin( 'MonoBook' );
 wfLoadSkin( 'Timeless' );
 wfLoadSkin( 'Vector' );
+wfLoadSkin( 'MinervaNeue' );
+
+## Default skin: you can change the default skin. Use the internal symbolic
+## names, ie 'vector', 'monobook':
+
+{{ if eq (env "TWEEKI_ENABLED") "1" }}
+wfLoadSkin( 'Tweeki' );
+$wgDefaultSkin = "tweeki";
+{{ else }}
+$wgDefaultSkin = "vector";
+{{ end }}
+
+{{ if eq (env "MOBILEFRONTEND_ENABLED") "1" }}
+wfLoadExtension( 'MobileFrontend' );
+$wgDefaultMobileSkin = 'minerva';
+{{ end }}
 
 # Enabled extensions. Most of the extensions are enabled by adding
 # wfLoadExtensions('ExtensionName');
@@ -143,47 +166,44 @@ $wgDefaultUserOptions['visualeditor-enable'] = 1;
 
 $wgVisualEditorAllowLossySwitching = false;
 
-$wgVirtualRestConfig['modules']['parsoid'] = [
-	// URL to the Parsoid instance - use port 8142 if you use the Debian package - the parameter 'URL' was first used but is now deprecated (string)
-	'url' => 'http://parsoid:8000/',
-	// Parsoid "domain" (string, optional) - MediaWiki >= 1.26
-	'domain' => 'localhost',
-	// Parsoid "prefix" (string, optional) - deprecated since MediaWiki 1.26, use 'domain'
-	'prefix' => 'localhost',
-	// Forward cookies in the case of private wikis (string or false, optional)
-	'forwardCookies' => true,
-	// request timeout in seconds (integer or null, optional)
-	'timeout' => null,
-	// Parsoid HTTP proxy (string or null, optional)
-	'HTTPProxy' => null,
-	// whether to parse URL as if they were meant for RESTBase (boolean or null, optional)
-	'restbaseCompat' => null,
-];
-
 {{ if eq (env "SAML_ENABLED") "1" }}
 wfLoadExtension( 'PluggableAuth' );
 
 wfLoadExtension( 'SimpleSAMLphp' );
 
 $wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp/";
-$wgSimpleSAMLphp_AuthSourceId = "{{ env "SAML_AUTH_SOURCE_ID" }}";
-$wgSimpleSAMLphp_RealNameAttribute = "{{ env "SAML_REAL_NAME_ATTRIBUTE" }}";
-$wgSimpleSAMLphp_EmailAttribute = "{{ env "SAML_EMAIL_ATTRIBUTE" }}";
-$wgSimpleSAMLphp_UsernameAttribute = "{{ env "SAML_USERNAME_ATTRIBUTE" }}";
+
+$wgPluggableAuth_Config['Log in using my SAML'] = [
+  'plugin' => 'SimpleSAMLphp',
+  'data' => [
+	'authSourceId' => '{{ env "SAML_AUTH_SOURCE_ID" }}',
+	'usernameAttribute' => '{{ env "SAML_USERNAME_ATTRIBUTE" }}',
+	'realNameAttribute' => '{{ env "SAML_REAL_NAME_ATTRIBUTE" }}',
+	'emailAttribute' => '{{ env "SAML_EMAIL_ATTRIBUTE" }}'
+  ]
+];
 
 $wgGroupPermissions['*']['autocreateaccount'] = true;
 $wgGroupPermissions['*']['createaccount'] = false;
+{{ end }}
 
+{{ if eq (env "MEDIAWIKI_DEBUG") "1" }}
 $wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
+$wgShowExceptionDetails = true;
+$wgDebugToolbar = true;
 {{ end }}
 
 {{ if eq (env "OPENID_ENABLED") "1" }}
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );
 
-$wgOpenIDConnect_Config['{{ env "OPENID_KEYCLOAK_URL" }}'] = [
-  'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
-  'clientsecret' => '{{ secret "openid_client_secret" }}'
+$wgPluggableAuth_Config[] = [
+    'plugin' => 'OpenIDConnect',
+    'data' => [
+        'providerURL' => '{{ env "OPENID_KEYCLOAK_URL" }}',
+        'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
+        'clientsecret' => '{{ secret "openid_client_secret" }}'
+    ]
 ];
 
 $wgGroupPermissions['*']['autocreateaccount'] = true;
@@ -192,14 +212,42 @@ $wgGroupPermissions['*']['createaccount'] = false;
 
 {{ if env "SMTP_HOST" }}
 $wgSMTP = [
-    'host'     => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
-    'port'     => 25,                 // Port to use when connecting to the SMTP server
-    'auth'     => false,               // Should we use SMTP authentication (true or false)
-    #'username' => 'my_user_name',     // Username to use for SMTP authentication (if being used)
-    #'password' => 'my_password'       // Password to use for SMTP authentication (if being used)
+    'host'     => '{{ env "SMTP_HOST" }}',       // could also be an IP address. Where the SMTP server is located
+    'port'     => {{ env "SMTP_PORT" }},         // Port to use when connecting to the SMTP server
+{{ if env "SMTP_USER" }}
+    'auth'     => true,                          // Should we use SMTP authentication (true or false)
+    'username' => '{{ env "SMTP_USER" }}',       // Username to use for SMTP authentication (if being used)
+    'password' => '{{ secret "smtp_password" }}' // Password to use for SMTP authentication (if being used)
+{{ else }}
+    'auth'     => false
+{{ end }}
 ];
 {{ end }}
 
+{{ if eq (env "MSU_ENABLED") "1" }}
+wfLoadExtension( 'MsUpload' );
+$wgAllowJavaUploads = true; // Solves problem with Office 2007 and newer files (docx, xlsx, etc.)
+{{ end }}
+
+{{ if eq (env "PAGEFORMS_ENABLED") "1" }}
+wfLoadExtension( 'PageForms' );
+{{ end }}
+
+{{ if eq (env "PAGESCHEMAS_ENABLED") "1" }}
+wfLoadExtension( 'PageSchemas' );
+{{ end }}
+
+{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( '{{ env "DOMAIN" }}' );
+{{ end }}
+
+{{ if eq (env "MARKDOWN_ENABLED") "1" }}
+wfLoadExtension( 'WikiMarkdown' );
+$wgAllowMarkdownExtra = true; // allows usage of Parsedown Extra
+$wgAllowMarkdownExtended = true; // allows usage of Parsedown Extended
+{{ end }}
+
 $wgFileExtensions = array(
     'png', 'gif', 'jpg', 'jpeg', 'doc', 'xls', 'mpp', 'pdf', 'ppt', 'tiff',
     'bmp', 'docx', 'xlsx', 'pptx', 'ps', 'odt', 'ods', 'odp', 'odg'
@@ -207,3 +255,15 @@ $wgFileExtensions = array(
 
 $wgUploadSizeWarning = 1000000000;
 $wgMaxUploadSize = 1000000000;
+
+# Greatly relax IP-based throttling for logging in while we work around docker networking issues.
+# https://social.coop/@flancian/110980993608947217
+$wgPasswordAttemptThrottle = [
+	// Short term limit
+	[ 'count' => 9999, 'seconds' => 300 ],
+	// Long term limit. We need to balance the risk
+	// of somebody using this as a DoS attack to lock someone
+	// out of their account, and someone doing a brute force attack.
+	[ 'count' => 999999, 'seconds' => 60 * 60 * 48 ],
+];
+

README.md

@@ -1,8 +1,6 @@
 # Mediawiki
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/mediawiki/status.svg)](https://drone.autonomic.zone/coop-cloud/mediawiki)
-
-Mediawiki [version 1.35][mediawiki-1.35]
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/mediawiki/status.svg)](https://build.coopcloud.tech/coop-cloud/mediawiki)
 
 <!-- metadata -->
 * **Category**: Apps
@@ -21,20 +19,30 @@ Mediawiki [version 1.35][mediawiki-1.35]
 2. Deploy [`coop-cloud/traefik`][traefik]
 3. `abra app new mediawiki --secrets`  (optionally with `--pass` if you'd like
    to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
 6. Create an initial admin user:
-   `abra app YOURAPPDOMAIN run app php /var/www/html/maintenance/createAndPromote.php --sysop YourUsername YourPassword`
+   `abra app run YOURAPPDOMAIN app php /var/www/html/maintenance/createAndPromote.php --sysop YourUsername YourPassword`
 
 ## Email
 
-1. `abra app YOURAPPDOMAIN config` - edit `.envrc` and uncomment the `SMTP` lines. Set `SMTP_HOST` to
+### Coop Cloud mailu or postfix
+
+1. `abra app config YOURAPPDOMAIN` - edit `.envrc` and uncomment the `SMTP` lines. Set `SMTP_HOST` to
    `postfix_relay` for `coop-cloud/postfix_relay`, or `mailu_front` for
    `coop-cloud/mailu` (assuming default stack names)
 2. For `postfix_relay`, add the domain to your email config – `EXTRA_SENDER_DOMAINS` in
    `postfix_relay`. This doesn't seem to be required for Mailu.
-3. `abra app YOURAPPDOMAIN deploy`
+3. `abra app deploy YOURAPPDOMAIN`
+
+### Remote provider
+
+1. `abra app config YOURAPPDOMAIN` - uncomment `SMTP` under the "remote email provider" section and set values for `SMTP_HOST`, `SMTP_PORT` and `SMTP_USER`
+2. `abra app secret insert YOURAPPDOMAIN smtp_password v1 YOURSMTPPASSWORD`
+3. `abra app deploy YOURAPPDOMAIN`
+
+Note: Only STARTTLS is supported, TLS won't work.
 
 ## Single Sign On
 
@@ -48,13 +56,13 @@ This app includes optional SAML Single Sign On using
 NOTE: currently, if you enable SAML then it'll disable Mediawiki's own user account
 system. Patches to make this configurable are welcome!
 
-1. `abra app YOURAPPDOMAIN config` - uncomment lines in the `SAML` section (including `COMPOSE_FILE`)
+1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `SAML` section (including `COMPOSE_FILE`)
 2. Generate secrets: (add `--pass` if you want to store secrets in `pass`)
    ```
    abra app YOURAPPDOMAIN secret generate saml_admin_password v1
    abra app YOURAPPDOMAIN secret generate saml_secret_salt v1 "pwgen -n 64 1"
    ```
-3. `abra app YOURAPPDOMAIN deploy`
+3. `abra app deploy YOURAPPDOMAIN`
 4. Copy your SimpleSAMLphp metadata and certificates to the container (assuming
    you have local `metadata` and `cert` folders:
    ```
@@ -72,14 +80,14 @@ system. Patches to make this configurable are welcome!
 
 ### OpenID Connect
 
-1. `abra app YOURAPPDOMAIN config` - uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
+1. `abra app config YOURAPPDOMAIN` - uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
 2. Store your Keycloak-generated client secret in Docker:
 
 ```
 abra app YOURAPPDOMAIN secret insert openid_client_secret v1 put-your-secret-here
 ```
 
-3. `abra app YOURAPPDOMAIN deploy`
+3. `abra app deploy YOURAPPDOMAIN`
 
 ## License
 

abra.sh

@@ -1,10 +1,10 @@
-export LOCAL_SETTINGS_CONF_VERSION=v2
+export LOCAL_SETTINGS_CONF_VERSION=v25
 export HTACCESS_CONF_VERSION=v1
-export ENTRYPOINT_CONF_VERSION=v2
-export COMPOSER_LOCAL_CONF_VERSION=v1
-export PHP_INI_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v20
+export COMPOSER_LOCAL_CONF_VERSION=v5
+export PHP_INI_VERSION=v4
 
-export SAML_ENTRYPOINT_CONF_VERSION=v1
+export SAML_ENTRYPOINT_CONF_VERSION=v3
 
 abra_backup_app() {
   _abra_backup_dir "app:/var/www/html/images"

compose.simplesaml.yml

@@ -5,7 +5,12 @@ services:
   app:
     volumes:
       - "simplesaml:/var/simplesamlphp/"
+      - "simplesaml_cert:/var/simplesamlphp/cert"
+      - "simplesaml_config:/var/simplesamlphp/config"
+      - "simplesaml_data:/var/simplesamlphp/data"
       - "simplesaml_log:/var/simplesamlphp/log"
+      - "simplesaml_metadata:/var/simplesamlphp/metadata"
+      - "simplesaml_modules:/var/simplesamlphp/modules"
     environment:
       - SAML_AUTH_SOURCE_ID
       - SAML_EMAIL_ATTRIBUTE
@@ -14,7 +19,8 @@ services:
       - SAML_USERNAME_ATTRIBUTE
 
   simplesaml:
-    image: venatorfox/simplesamlphp:1.18.3
+    # image: unicon/simplesamlphp:1.19.6
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/simplesamlphp:1.19.7
     secrets:
       - saml_admin_password
       - saml_secret_salt
@@ -47,7 +53,12 @@ services:
         mode: 0555
     volumes:
       - simplesaml:/var/simplesamlphp/
-      - simplesaml_log:/var/simplesamlphp/log
+      - "simplesaml_cert:/var/simplesamlphp/cert"
+      - "simplesaml_config:/var/simplesamlphp/config"
+      - "simplesaml_data:/var/simplesamlphp/data"
+      - "simplesaml_log:/var/simplesamlphp/log"
+      - "simplesaml_metadata:/var/simplesamlphp/metadata"
+      - "simplesaml_modules:/var/simplesamlphp/modules"
     networks:
       - proxy
     entrypoint: /docker-entrypoint.simplesaml.sh
@@ -62,7 +73,12 @@ services:
 
 volumes:
   simplesaml:
+  simplesaml_cert:
+  simplesaml_config:
+  simplesaml_data:
   simplesaml_log:
+  simplesaml_metadata:
+  simplesaml_modules:
 
 secrets:
   saml_admin_password:

compose.smtp.yml

@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - SMTP_USER
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: mediawiki:1.39.1
+    image: mediawiki:1.39.3
     environment:
       - DOMAIN
       - STACK_NAME
@@ -13,12 +13,15 @@ services:
       - MEDIAWIKI_SITENAMESPACE
       - MEDIAWIKI_LOGO_FILE
       - MEDIAWIKI_IS_PRIVATE
+      - MEDIAWIKI_DEBUG
+      - MEDIAWIKI_LANGUAGE=${MEDIAWIKI_LANGUAGE:-en}
       - SAML_ENABLED
       - OPENID_ENABLED
       - DB_HOST=db
       - DB_USER=mediawiki
       - DB_NAME=mediawiki
       - SMTP_HOST
+      - SMTP_PORT=${SMTP_PORT:-25}
     volumes:
       - "mediawiki_images:/var/www/html/images"
     configs:
@@ -44,7 +47,9 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=2.2.0+1.39.1"
+        - "coop-cloud.${STACK_NAME}.version=2.5.0+1.39.3"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/images"
     entrypoint: /docker-entrypoint2.sh
 
   db:
@@ -61,14 +66,14 @@ services:
       - db_password
     networks:
       - internal
-
-  parsoid:
-    image: thenets/parsoid:0.11.0
-    hostname: parsoidserver
-    networks:
-      - internal
-    environment:
-      PARSOID_DOMAIN_localhost: http://app:80/api.php
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki | gzip > /tmp/dump.sql.gz'"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" mediawiki < /tmp/dbdump.sql && rm -f /tmp/dbdump.sql'"
 
 volumes:
   mariadb:

composer.local.json.tmpl

@@ -1,4 +1,9 @@
 {
+{{ if eq (env "SEMANTICMW_ENABLED") "1" }}
+  "require": {
+    "mediawiki/semantic-media-wiki": "^4.1.0"
+  },
+{{ end }}
   "extra": {
     "merge-plugin": {
       "include": [

entrypoint.sh.tmpl

@@ -8,7 +8,7 @@ init_composer() {
 	if ! type composer > /dev/null 2>&1; then
 		apt update -yqq && apt install -yqq curl git unzip zip
 		curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
-		php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
+		php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=2.5.4
 		composer -V
 	fi
 }
@@ -40,25 +40,22 @@ init_db() {
 		php /var/www/html/maintenance/sql.php /var/www/html/maintenance/tables.sql
 		php /var/www/html/maintenance/sql.php /var/www/html/maintenance/interwiki.sql
 		# FIXME run createAndPromote.php with $ADMIN_USERNAME
-	else
-		php /var/www/html/maintenance/update.php --quick
 	fi
 
-	if [ -n "${OPENID_ENABLED-}" ]; then
-		php /var/www/html/maintenance/update.php --quick
-	fi
+	php /var/www/html/maintenance/update.php --quick
 }
 
 init_extensions() {
+
 	if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
-		git clone --depth 1 -b REL1_32 \
+		git clone --depth 1 -b REL1_39 \
 			https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
 			/var/www/html/extensions/PluggableAuth
 	fi
 
 	if [ -n "${SAML_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
-			git clone --depth 1 -b REL1_32 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
 				/var/www/html/extensions/SimpleSAMLphp
 		fi
@@ -66,17 +63,72 @@ init_extensions() {
 
 	if [ -n "${OPENID_ENABLED-}" ]; then
 		if [ ! -d /var/www/html/extensions/OpenIDConnect ]; then
-			git clone --depth 1 -b REL1_35 \
+			git clone --depth 1 -b REL1_39 \
 				https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
 				/var/www/html/extensions/OpenIDConnect
 		fi
 	fi
+
+	if [ -n "${MOBILEFRONTEND_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/MobileFrontend ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://github.com/wikimedia/mediawiki-extensions-MobileFrontend.git \
+				/var/www/html/extensions/MobileFrontend
+		fi
+	fi
+
+	if [ -n "${MSU_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/MsUpload ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/MsUpload \
+				/var/www/html/extensions/MsUpload
+		fi
+	fi
+
+	if [ -n "${PAGEFORMS_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/PageForms ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms \
+				/var/www/html/extensions/PageForms
+		fi
+	fi
+
+	if [ -n "${PAGESCHEMAS_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/PageSchemas ]; then
+			git clone --depth 1 -b REL1_39 \
+				https://gerrit.wikimedia.org/r/mediawiki/extensions/PageSchemas \
+				/var/www/html/extensions/PageSchemas
+		fi
+	fi
+
+	if [ -n "${MARKDOWN_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/extensions/WikiMarkdown ]; then
+			git clone --depth 1 \
+				https://github.com/kuenzign/WikiMarkdown \
+				/var/www/html/extensions/WikiMarkdown
+		fi
+	fi
+
 }
 
+init_skins() {
+
+	if [ -n "${TWEEKI_ENABLED-}" ]; then
+		if [ ! -d /var/www/html/skins/Tweeki ]; then
+			git clone --depth 1 \
+				https://github.com/thaider/Tweeki \
+				/var/www/html/skins/Tweeki
+		fi
+	fi
+
+}
+
+
 main() {
 	set -eu
 
 	init_extensions
+	init_skins
 	init_composer
 	composer_install
 	init_db

php.ini.tmpl

@@ -2,3 +2,9 @@ upload_max_filesize = 10M
 post_max_size = 10M
 max_execution_time = 7200
 max_file_uploads = 1000
+
+{{ if eq (env "MEDIAWIKI_DEBUG") "0" }}
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+{{ else }}
+error_reporting = E_ALL
+{{ end }}