From 8c710546af86b2545b467e7e468e60a062260acc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?= Date: Wed, 22 Jan 2025 14:17:16 +0100 Subject: [PATCH] current config --- README.md | 8 +- fastcgi.conf | 27 ++++ nginx.conf | 62 ++++++++ orga_mediawiki/LocalSettings.php | 192 +++++++++++++++++++++++ orga_mediawiki/composer.local.json | 21 +++ orga_mediawiki/orga_mediawiki.conf | 40 +++++ pgtune.conf | 25 +++ public_mediawiki/LocalSettings.php | 204 +++++++++++++++++++++++++ public_mediawiki/composer.local.json | 21 +++ public_mediawiki/public_mediawiki.conf | 40 +++++ 10 files changed, 639 insertions(+), 1 deletion(-) create mode 100644 fastcgi.conf create mode 100644 nginx.conf create mode 100644 orga_mediawiki/LocalSettings.php create mode 100644 orga_mediawiki/composer.local.json create mode 100644 orga_mediawiki/orga_mediawiki.conf create mode 100644 pgtune.conf create mode 100755 public_mediawiki/LocalSettings.php create mode 100644 public_mediawiki/composer.local.json create mode 100644 public_mediawiki/public_mediawiki.conf diff --git a/README.md b/README.md index c402fc3..49401aa 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,9 @@ # mediawiki -Config for wiki.ctbk.de and other MediaWiki deployments \ No newline at end of file +Config for wiki.ctbk.de and the upcoming Orgawiki deployment. + +For deployment documentation refer to [the Wiki](https://wiki.ctbk.de/Dienste/Wiki). + +Files for the wiki.ctbk.de public deployment are found in `public_mediawiki`. Files for the internal deployment (not yet in production) are found in `orga_mediawiki`. Some common files are found in the root directory. + +Note that while some files may look identical between the deployments, they are not shared to allow easier modifications to both deployments independently. diff --git a/fastcgi.conf b/fastcgi.conf new file mode 100644 index 0000000..d53a628 --- /dev/null +++ b/fastcgi.conf 
@@ -0,0 +1,27 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..bac1998
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,62 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php
new file mode 100644
index 0000000..ecda7c4
--- /dev/null
+++ b/orga_mediawiki/LocalSettings.php
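Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` still enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and refused by current clients, while the trailing comment only records dropping SSLv3; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. The directive may be dormant right now, since neither site config in this commit carries a `listen ... ssl`, but it is the value every future TLS server block inherits. Consider also uncommenting `server_tokens off;` so error pages and the Server header stop advertising the nginx version.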
@@ -0,0 +1,192 @@
+ "$wgResourceBasePath/resources/assets/change-your-logo.svg",
+ 'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
+];
+
+## UPO means: this is also a user preference option
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "";
+$wgPasswordSender = "";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "postgres";
+$wgDBserver = "localhost";
+$wgDBname = "orga_mediawiki";
+$wgDBuser = "mediawiki";
+# password is in secret settings
+
+# Postgres specific settings
+$wgDBport = "5432";
+$wgDBmwschema = "mediawiki";
+
+# Shared database table
+# This has no effect unless $wgSharedDB is also set.
+$wgSharedTables[] = "actor";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_ACCEL;
+$wgMemCachedServers = [];
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+# Periodically send a pingback to https://www.mediawiki.org/ with basic data
+# about this MediaWiki instance. The Wikimedia Foundation shares this data
+# with MediaWiki developers to help guide future development efforts.
+$wgPingback = false;
+
+# Site language code, should be one of the list in ./includes/languages/data/Names.php
+$wgLanguageCode = "de";
+
+# Time zone
+$wgLocaltimezone = "Europe/Berlin";
+
+## Set $wgCacheDirectory to a writable directory on the web server
+## to make your wiki go slightly faster. The directory should not
+## be publicly accessible from the web.
+$wgCacheDirectory = "/var/cache/orga_mediawiki";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+$wgRightsUrl = "";
+$wgRightsText = "Alle Rechte vorbehalten";
+$wgRightsIcon = "";
+
+# Path to the GNU diff3 utility. Used for conflict resolution.
+$wgDiff3 = "/usr/bin/diff3";
+
+## Default skin
+# For MinervaNeue it’s "minerva"
+$wgDefaultSkin = "citizen";
+$wgDefaultMobileSkin = 'citizen';
+
+# Enabled skins.
+wfLoadSkin( 'MinervaNeue' );
+# TODO: set theme color
+wfLoadSkin( 'Citizen' );
+
+# Enabled extensions. Most of the extensions are enabled by adding
+# wfLoadExtension( 'ExtensionName' );
+# to LocalSettings.php. Check specific extension documentation for more details.
+# The following extensions were automatically enabled:
+wfLoadExtension( 'CategoryTree' );
+wfLoadExtension( 'CodeEditor' );
+wfLoadExtension( 'ImageMap' );
+wfLoadExtension( 'Interwiki' );
+wfLoadExtension( 'InputBox' );
+wfLoadExtension( 'Math' );
+wfLoadExtension( 'Nuke' );
+wfLoadExtension( 'ParserFunctions' );
+wfLoadExtension( 'Poem' );
+wfLoadExtension( 'PdfHandler' );
+wfLoadExtension( 'ReplaceText' );
+wfLoadExtension( 'SpamBlacklist' );
+wfLoadExtension( 'TemplateData' );
+wfLoadExtension( 'TitleBlacklist' );
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'WikiEditor' );
+
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( 'orgawiki.ctbk.de' );
+
+# Add more configuration options below.
+
+# Disable account creation - we only use SSO accounts
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['sysop']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['sysop']['createaccount'] = true;
+# Also disable reading/editing by non-logged-in users, making the wiki properly private
+$wgGroupPermissions['*']['read'] = false;
+$wgGroupPermissions['*']['edit'] = false;
+
+# SSO config
+# necessary to allow admin user(s) to login
+$wgPluggableAuth_EnableLocalLogin = true;
+$wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
+ 'plugin' => 'OpenIDConnect',
+ 'data' => [
+ 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
+ 'clientID' => 'orga_mediawiki',
+ 'clientsecret' => $ctbkClientSecret
+ ]
+];
+
+# for better error reporting - disable while in production
+#error_reporting( -1 );
+#ini_set( 'display_errors', 1 );
+#$wgShowExceptionDetails = true;
+#$wgShowDBErrorBacktrace = true;
diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json
new file mode 100644
index 0000000..489afd2
--- /dev/null
+++ b/orga_mediawiki/composer.local.json
@@ -0,0 +1,21 @@
+{
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
+ }
+ ],
+ "require": {
+ "starcitizentools/citizen-skin": "^2.39",
+ "mediawiki/pluggable-auth": "^7",
+ "mediawiki/openidconnect": "^8",
+ "mediawiki/semantic-compound-queries": "^2.2",
+ "mediawiki/semantic-extra-special-properties": "^3",
+ "mediawiki/semantic-media-wiki": "^4.2",
+ "mediawiki/semantic-result-formats": "^4.2"
+ },
+ "config": {
+ "preferred-install": "source",
+ "optimize-autoloader": true
+ }
+}
diff --git a/orga_mediawiki/orga_mediawiki.conf b/orga_mediawiki/orga_mediawiki.conf
new file mode 100644
index 0000000..e7fb257
--- /dev/null
+++ b/orga_mediawiki/orga_mediawiki.conf
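Review bot: `$wgGroupPermissions['*']['read'] = false;` makes page text private, but `$wgEnableUploads = true;` leaves uploaded files under MediaWiki's default `images/` path, which is inside the nginx root (`/var/lib/orga_mediawiki` in orga_mediawiki.conf) and served by `try_files $uri` with no authentication, so anyone holding or guessing a file URL can fetch it regardless of the read restriction. The documented fix for private wikis is to move `$wgUploadDirectory` outside the document root and route reads through the permission-checking entry point, e.g. `$wgUploadPath = "$wgScriptPath/img_auth.php";`, or at minimum add a `deny all;` location for `/images/` in the orga_mediawiki.conf hunk. The comment `# Also disable reading/editing by non-logged-in users, making the wiki properly private` should then mention that uploads are covered by img_auth.php rather than by the group permission. The head of this file (PHP opening and any include that defines `$ctbkClientSecret`) is not legible in this view, so I cannot confirm where the secret is sourced from.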
@@ -0,0 +1,40 @@
+# Public Chaostreff MediaWiki
+
+server {
+ listen 81;
+ listen [::]:81;
+ root /var/lib/orga_mediawiki;
+ charset utf-8;
+ client_max_body_size 100m;
+ client_body_timeout 60;
+ index index.php index.html index.htm;
+
+ location ~ \.ht {
+ deny all;
+ }
+
+ location / {
+ try_files $uri $uri/ @rewrite;
+ }
+
+ location @rewrite {
+ rewrite ^/(.*)$ /index.php;
+ }
+
+ location ^~ /maintenance/ {
+ return 403;
+ }
+ # Restrictions based on the .htaccess files
+ location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi.conf;
+
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ fastcgi_index index.php;
+
+ try_files $uri @rewrite;
+ }
+}
diff --git a/pgtune.conf b/pgtune.conf
new file mode 100644
index 0000000..408c820
--- /dev/null
+++ b/pgtune.conf
@@ -0,0 +1,25 @@
+# PGTune configuration
+# conf.d/pgtune.conf
+
+# DB Version: 15
+# OS Type: linux
+# DB Type: web
+# Total Memory (RAM): 2 GB
+# CPUs num: 2
+# Connections num: 20
+# Data Storage: ssd
+
+max_connections = 20
+shared_buffers = 512MB
+effective_cache_size = 1536MB
+maintenance_work_mem = 128MB
+checkpoint_completion_target = 0.9
+wal_buffers = 16MB
+default_statistics_target = 100
+random_page_cost = 1.1
+effective_io_concurrency = 200
+work_mem = 13107kB
+huge_pages = off
+min_wal_size = 1GB
+max_wal_size = 4GB
+
diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php
new file mode 100755
index 0000000..54c0411
--- /dev/null
+++ b/public_mediawiki/LocalSettings.php
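Review bot: The header comment `# Public Chaostreff MediaWiki` is carried over from the public site config, but this server block is the internal wiki (root `/var/lib/orga_mediawiki`, port 81), so the file reads as the wrong deployment; change it to `# Internal (orga) Chaostreff MediaWiki`. A style point on the same hunk: `maintenance` is blocked twice, once by `location ^~ /maintenance/ { return 403; }` and again inside the `^/(cache|includes|maintenance|...)/` regex, and since `deny all;` also answers 403 the prefix block appears redundant and could be dropped to keep one list of protected paths. The same duplication is present in the public_mediawiki.conf hunk.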
@@ -0,0 +1,204 @@
+ "$wgResourceBasePath/resources/assets/logo.svg",
+ 'icon' => "$wgResourceBasePath/resources/assets/logo.svg",
+];
+$wgFavicon = "$wgResourceBasePath/resources/assets/favicon.ico";
+
+## UPO means: this is also a user preference option
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "";
+$wgPasswordSender = "";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "postgres";
+$wgDBserver = "localhost";
+$wgDBname = "public_mediawiki";
+$wgDBuser = "mediawiki";
+# password is in secret settings
+
+# Postgres specific settings
+$wgDBport = "5432";
+$wgDBmwschema = "mediawiki";
+
+# Shared database table
+# This has no effect unless $wgSharedDB is also set.
+$wgSharedTables[] = "actor";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_ACCEL;
+$wgMemCachedServers = [];
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = true;
+$wgAllowCopyUploads = true;
+$wgCopyUploadsFromSpecialUpload = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+# Periodically send a pingback to https://www.mediawiki.org/ with basic data
+# about this MediaWiki instance. The Wikimedia Foundation shares this data
+# with MediaWiki developers to help guide future development efforts.
+$wgPingback = false;
+
+# Site language code, should be one of the list in ./includes/languages/data/Names.php
+$wgLanguageCode = "de";
+
+# Time zone
+$wgLocaltimezone = "Europe/Berlin";
+
+## Set $wgCacheDirectory to a writable directory on the web server
+## to make your wiki go slightly faster. The directory should not
+## be publicly accessible from the web.
+$wgCacheDirectory = "/var/cache/public_mediawiki";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgRightsPage = "Wiki:Urheberrechte";
+$wgRightsUrl = "https://creativecommons.org/licenses/by/4.0/";
+$wgRightsText = "Creative Commons „Namensnennung“";
+$wgRightsIcon = "$wgResourceBasePath/resources/assets/licenses/cc-by.png";
+
+# allow nonstandard display titles, which we want to have for a few pages
+$wgRestrictDisplayTitle = false;
+
+# Path to the GNU diff3 utility. Used for conflict resolution.
+$wgDiff3 = "/usr/bin/diff3";
+
+## Default skin
+# For MinervaNeue it’s "minerva"
+$wgDefaultSkin = "citizen";
+$wgDefaultMobileSkin = 'citizen';
+
+# Enabled skins.
+wfLoadSkin( 'MinervaNeue' );
+wfLoadSkin( 'Citizen' );
+# keep this up-to-date with website theme color
+$wgCitizenThemeColor = "#f9c827";
+
+# Enabled extensions. Most of the extensions are enabled by adding
+# wfLoadExtension( 'ExtensionName' );
+# to LocalSettings.php. Check specific extension documentation for more details.
+# The following extensions were automatically enabled:
+wfLoadExtension( 'CategoryTree' );
+wfLoadExtension( 'CodeEditor' );
+wfLoadExtension( 'ImageMap' );
+wfLoadExtension( 'Interwiki' );
+wfLoadExtension( 'InputBox' );
+wfLoadExtension( 'Math' );
+wfLoadExtension( 'Nuke' );
+wfLoadExtension( 'ParserFunctions' );
+wfLoadExtension( 'Poem' );
+wfLoadExtension( 'PdfHandler' );
+wfLoadExtension( 'ReplaceText' );
+wfLoadExtension( 'Renameuser' );
+wfLoadExtension( 'SpamBlacklist' );
+wfLoadExtension( 'SyntaxHighlight_GeSHi' );
+wfLoadExtension( 'TemplateData' );
+wfLoadExtension( 'TitleBlacklist' );
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'WikiEditor' );
+
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( 'wiki.ctbk.de' );
+
+# Add more configuration options below.
+
+# Disable account creation - we only use SSO accounts
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['sysop']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['sysop']['createaccount'] = true;
+
+# allow copy uploads by anyone
+$wgGroupPermissions['user']['upload_by_url'] = true;
+
+# SSO config
+# necessary to allow admin user(s) to login
+$wgPluggableAuth_EnableLocalLogin = true;
+$wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
+ 'plugin' => 'OpenIDConnect',
+ 'data' => [
+ 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
+ 'clientID' => 'public_mediawiki',
+ 'clientsecret' => $ctbkClientSecret
+ ]
+];
+
+# interwiki config
+$wgGroupPermissions['sysop']['interwiki'] = true;
+$wgInterwikiMagic = true;
+$wgHideInterlanguageLinks = false;
+
+# for better error reporting - disable while in production
+#error_reporting( -1 );
+#ini_set( 'display_errors', 1 );
+#$wgShowExceptionDetails = true;
+#$wgShowDBErrorBacktrace = true;
+
+# uncomment this if Semantic MediaWiki property locking is broken
+#$smwgChangePropagationProtection = false;
diff --git a/public_mediawiki/composer.local.json b/public_mediawiki/composer.local.json
new file mode 100644
index 0000000..489afd2
--- /dev/null
+++ b/public_mediawiki/composer.local.json
@@ -0,0 +1,21 @@
+{
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
+ }
+ ],
+ "require": {
+ "starcitizentools/citizen-skin": "^2.39",
+ "mediawiki/pluggable-auth": "^7",
+ "mediawiki/openidconnect": "^8",
+ "mediawiki/semantic-compound-queries": "^2.2",
+ "mediawiki/semantic-extra-special-properties": "^3",
+ "mediawiki/semantic-media-wiki": "^4.2",
+ "mediawiki/semantic-result-formats": "^4.2"
+ },
+ "config": {
+ "preferred-install": "source",
+ "optimize-autoloader": true
+ }
+}
diff --git a/public_mediawiki/public_mediawiki.conf b/public_mediawiki/public_mediawiki.conf
new file mode 100644
index 0000000..8d36cb6
--- /dev/null
+++ b/public_mediawiki/public_mediawiki.conf
@@ -0,0 +1,40 @@
+# Public Chaostreff MediaWiki
+
+server {
+ listen 80;
+ listen [::]:80;
+ root /var/lib/public_mediawiki;
+ charset utf-8;
+ client_max_body_size 100m;
+ client_body_timeout 60;
+ index index.php index.html index.htm;
+
+ location ~ \.ht {
+ deny all;
+ }
+
+ location / {
+ try_files $uri $uri/ @rewrite;
+ }
+
+ location @rewrite {
+ rewrite ^/(.*)$ /index.php;
+ }
+
+ location ^~ /maintenance/ {
+ return 403;
+ }
+ # Restrictions based on the .htaccess files
+ location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi.conf;
+
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ fastcgi_index index.php;
+
+ try_files $uri @rewrite;
+ }
+}
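Review bot: `$wgAllowCopyUploads = true;` combined with `$wgGroupPermissions['user']['upload_by_url'] = true;` lets every logged-in account make the web server fetch a URL of the user's choosing, and because `autocreateaccount` is granted to `*`, any account the IdP issues receives that right on first login; without `$wgCopyUploadsDomains` the fetch target is unrestricted, including loopback or internal addresses reachable from the web host. Set an allow-list, e.g. `$wgCopyUploadsDomains = [ '<allowed-upload-host>' ];` with the hosts you actually want to mirror from, or grant `upload_by_url` to a narrower group than `user`. The comment `# allow copy uploads by anyone` also overstates what the line does, since the right goes to `user` rather than `*`; `# allow upload-by-URL for all logged-in users` matches the code. The head of this file is not legible in this view, so where `$ctbkClientSecret` is defined cannot be checked here.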