current config

README.md

@@ -1,3 +1,9 @@
 # mediawiki
 
-Config for wiki.ctbk.de and other MediaWiki deployments
+Config for wiki.ctbk.de and the upcoming Orgawiki deployment.
+
+For deployment documentation refer to [the Wiki](https://wiki.ctbk.de/Dienste/Wiki).
+
+Files for the wiki.ctbk.de public deployment are found in `public_mediawiki`. Files for the internal deployment (not yet in production) are found in `orga_mediawiki`. Some common files are found in the root directory.
+
+Note that while some files may look identical between the deployments, they are not shared to allow easier modifications to both deployments independently.

fastcgi.conf

@@ -0,0 +1,27 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

nginx.conf

@@ -0,0 +1,62 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+

orga_mediawiki/LocalSettings.php

@@ -0,0 +1,192 @@
+<?php
+# Internal wiki settings
+
+# This file was automatically generated by the MediaWiki 1.39.10
+# installer. If you make manual changes, please keep track in case you
+# need to recreate them later.
+#
+# See docs/Configuration.md for all configurable settings
+# and their default values, but don't forget to make changes in _this_
+# file, not there.
+#
+# Further documentation for configuration settings may be found at:
+# https://www.mediawiki.org/wiki/Manual:Configuration_settings
+
+# Protect against web entry
+if ( !defined( 'MEDIAWIKI' ) ) {
+	exit;
+}
+
+## Include platform/distribution defaults
+#require_once "$IP/includes/PlatformSettings.php";
+
+## Server secrets file
+require_once "/etc/orga_mediawiki/SecretSettings.php";
+
+## Uncomment this to disable output compression
+# $wgDisableOutputCompression = true;
+
+$wgSitename = "CTBK Orgawiki";
+$wgMetaNamespace = "Wiki";
+
+## The URL base path to the directory containing the wiki;
+## defaults for all runtime URL paths are based off of this.
+## For more information on customizing the URLs
+## (like /w/index.php/Page_title to /wiki/Page_title) please see:
+## https://www.mediawiki.org/wiki/Manual:Short_URL
+$wgScriptPath       = "";
+$wgArticlePath      = "/$1";
+$wgUsePathInfo      = true;
+$wgScriptExtension  = ".php";
+
+## The protocol and server name to use in fully-qualified URLs
+# TODO: should be the public domain eventually
+#$wgServer = "https://orgawiki.ctbk.de";
+$wgServer = "http://wiki.chaos:81";
+
+## The URL path to static resources (images, scripts, etc.)
+$wgResourceBasePath = $wgScriptPath;
+
+## The URL paths to the logo.  Make sure you change this from the default,
+## or else you'll overwrite your logo when you upgrade!
+# TODO: Chaostreff logo
+$wgLogos = [
+	'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
+	'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
+];
+
+## UPO means: this is also a user preference option
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "";
+$wgPasswordSender = "";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "postgres";
+$wgDBserver = "localhost";
+$wgDBname = "orga_mediawiki";
+$wgDBuser = "mediawiki";
+# password is in secret settings
+
+# Postgres specific settings
+$wgDBport = "5432";
+$wgDBmwschema = "mediawiki";
+
+# Shared database table
+# This has no effect unless $wgSharedDB is also set.
+$wgSharedTables[] = "actor";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_ACCEL;
+$wgMemCachedServers = [];
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+# Periodically send a pingback to https://www.mediawiki.org/ with basic data
+# about this MediaWiki instance. The Wikimedia Foundation shares this data
+# with MediaWiki developers to help guide future development efforts.
+$wgPingback = false;
+
+# Site language code, should be one of the list in ./includes/languages/data/Names.php
+$wgLanguageCode = "de";
+
+# Time zone
+$wgLocaltimezone = "Europe/Berlin";
+
+## Set $wgCacheDirectory to a writable directory on the web server
+## to make your wiki go slightly faster. The directory should not
+## be publicly accessible from the web.
+$wgCacheDirectory = "/var/cache/orga_mediawiki";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+$wgRightsUrl = "";
+$wgRightsText = "Alle Rechte vorbehalten";
+$wgRightsIcon = "";
+
+# Path to the GNU diff3 utility. Used for conflict resolution.
+$wgDiff3 = "/usr/bin/diff3";
+
+## Default skin
+# For MinervaNeue it’s "minerva"
+$wgDefaultSkin = "citizen";
+$wgDefaultMobileSkin = 'citizen';
+
+# Enabled skins.
+wfLoadSkin( 'MinervaNeue' );
+# TODO: set theme color
+wfLoadSkin( 'Citizen' );
+
+# Enabled extensions. Most of the extensions are enabled by adding
+# wfLoadExtension( 'ExtensionName' );
+# to LocalSettings.php. Check specific extension documentation for more details.
+# The following extensions were automatically enabled:
+wfLoadExtension( 'CategoryTree' );
+wfLoadExtension( 'CodeEditor' );
+wfLoadExtension( 'ImageMap' );
+wfLoadExtension( 'Interwiki' );
+wfLoadExtension( 'InputBox' );
+wfLoadExtension( 'Math' );
+wfLoadExtension( 'Nuke' );
+wfLoadExtension( 'ParserFunctions' );
+wfLoadExtension( 'Poem' );
+wfLoadExtension( 'PdfHandler' );
+wfLoadExtension( 'ReplaceText' );
+wfLoadExtension( 'SpamBlacklist' );
+wfLoadExtension( 'TemplateData' );
+wfLoadExtension( 'TitleBlacklist' );
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'WikiEditor' );
+
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( 'orgawiki.ctbk.de' );
+
+# Add more configuration options below.
+
+# Disable account creation - we only use SSO accounts
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['sysop']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['sysop']['createaccount'] = true;
+# Also disable reading/editing by non-logged-in users, making the wiki properly private
+$wgGroupPermissions['*']['read'] = false;
+$wgGroupPermissions['*']['edit'] = false;
+
+# SSO config
+# necessary to allow admin user(s) to login
+$wgPluggableAuth_EnableLocalLogin = true;
+$wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
+    'plugin' => 'OpenIDConnect',
+    'data' => [
+        'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
+	'clientID' => 'orga_mediawiki',
+        'clientsecret' => $ctbkClientSecret
+    ]
+];
+
+# for better error reporting - disable while in production
+#error_reporting( -1 );
+#ini_set( 'display_errors', 1 );
+#$wgShowExceptionDetails = true;
+#$wgShowDBErrorBacktrace = true;

orga_mediawiki/composer.local.json

@@ -0,0 +1,21 @@
+{
+	"repositories": [
+		{
+			"type": "vcs",
+			"url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
+		}
+	],
+	"require": {
+		"starcitizentools/citizen-skin": "^2.39",
+		"mediawiki/pluggable-auth": "^7",
+		"mediawiki/openidconnect": "^8",
+		"mediawiki/semantic-compound-queries": "^2.2",
+		"mediawiki/semantic-extra-special-properties": "^3",
+		"mediawiki/semantic-media-wiki": "^4.2",
+		"mediawiki/semantic-result-formats": "^4.2"
+	},
+	"config": {
+		"preferred-install": "source",
+		"optimize-autoloader": true
+	}
+}

orga_mediawiki/orga_mediawiki.conf

@@ -0,0 +1,40 @@
+# Public Chaostreff MediaWiki
+
+server { 
+        listen 81;
+        listen [::]:81;
+        root /var/lib/orga_mediawiki;
+        charset utf-8;
+        client_max_body_size 100m;
+        client_body_timeout 60;
+        index index.php index.html index.htm;
+
+        location ~ \.ht {                 
+                deny all;   
+        }                         
+
+        location / {
+                try_files $uri $uri/ @rewrite;
+        }
+
+        location @rewrite {
+                rewrite ^/(.*)$ /index.php;
+        }
+                                              
+	location ^~ /maintenance/ {
+	        return 403;
+	}
+        # Restrictions based on the .htaccess files
+        location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
+                deny all;
+        }
+
+        location ~ \.php$ {
+                include /etc/nginx/fastcgi.conf;
+
+                fastcgi_pass unix:/run/php/php-fpm.sock;
+                fastcgi_index index.php;
+
+                try_files $uri @rewrite;
+        }
+}

pgtune.conf

@@ -0,0 +1,25 @@
+# PGTune configuration
+# conf.d/pgtune.conf
+
+# DB Version: 15
+# OS Type: linux
+# DB Type: web
+# Total Memory (RAM): 2 GB
+# CPUs num: 2
+# Connections num: 20
+# Data Storage: ssd
+
+max_connections = 20
+shared_buffers = 512MB
+effective_cache_size = 1536MB
+maintenance_work_mem = 128MB
+checkpoint_completion_target = 0.9
+wal_buffers = 16MB
+default_statistics_target = 100
+random_page_cost = 1.1
+effective_io_concurrency = 200
+work_mem = 13107kB
+huge_pages = off
+min_wal_size = 1GB
+max_wal_size = 4GB
+

public_mediawiki/LocalSettings.php

@@ -0,0 +1,204 @@
+<?php
+# This file was automatically generated by the MediaWiki 1.39.10
+# installer. If you make manual changes, please keep track in case you
+# need to recreate them later.
+#
+# See docs/Configuration.md for all configurable settings
+# and their default values, but don't forget to make changes in _this_
+# file, not there.
+#
+# Further documentation for configuration settings may be found at:
+# https://www.mediawiki.org/wiki/Manual:Configuration_settings
+
+# Protect against web entry
+if ( !defined( 'MEDIAWIKI' ) ) {
+	exit;
+}
+
+## Include platform/distribution defaults
+#require_once "$IP/includes/PlatformSettings.php";
+
+## Server secrets file
+require_once "/etc/public_mediawiki/SecretSettings.php";
+
+## Uncomment this to disable output compression
+# $wgDisableOutputCompression = true;
+
+$wgSitename = "Chaostreff Backnang Wiki";
+$wgMetaNamespace = "Wiki";
+
+## The URL base path to the directory containing the wiki;
+## defaults for all runtime URL paths are based off of this.
+## For more information on customizing the URLs
+## (like /w/index.php/Page_title to /wiki/Page_title) please see:
+## https://www.mediawiki.org/wiki/Manual:Short_URL
+$wgScriptPath       = "";
+$wgArticlePath      = "/$1";
+$wgUsePathInfo      = true;
+$wgScriptExtension  = ".php";
+
+## The protocol and server name to use in fully-qualified URLs
+$wgServer = "https://wiki.ctbk.de";
+
+## The URL path to static resources (images, scripts, etc.)
+$wgResourceBasePath = $wgScriptPath;
+
+## The URL paths to the logo.  Make sure you change this from the default,
+## or else you'll overwrite your logo when you upgrade!
+$wgLogos = [
+	'1x' => "$wgResourceBasePath/resources/assets/logo.svg",
+	'icon' => "$wgResourceBasePath/resources/assets/logo.svg",
+];
+$wgFavicon = "$wgResourceBasePath/resources/assets/favicon.ico";
+
+## UPO means: this is also a user preference option
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "";
+$wgPasswordSender = "";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "postgres";
+$wgDBserver = "localhost";
+$wgDBname = "public_mediawiki";
+$wgDBuser = "mediawiki";
+# password is in secret settings
+
+# Postgres specific settings
+$wgDBport = "5432";
+$wgDBmwschema = "mediawiki";
+
+# Shared database table
+# This has no effect unless $wgSharedDB is also set.
+$wgSharedTables[] = "actor";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_ACCEL;
+$wgMemCachedServers = [];
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = true;
+$wgAllowCopyUploads = true;
+$wgCopyUploadsFromSpecialUpload = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+# Periodically send a pingback to https://www.mediawiki.org/ with basic data
+# about this MediaWiki instance. The Wikimedia Foundation shares this data
+# with MediaWiki developers to help guide future development efforts.
+$wgPingback = false;
+
+# Site language code, should be one of the list in ./includes/languages/data/Names.php
+$wgLanguageCode = "de";
+
+# Time zone
+$wgLocaltimezone = "Europe/Berlin";
+
+## Set $wgCacheDirectory to a writable directory on the web server
+## to make your wiki go slightly faster. The directory should not
+## be publicly accessible from the web.
+$wgCacheDirectory = "/var/cache/public_mediawiki";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgRightsPage = "Wiki:Urheberrechte";
+$wgRightsUrl = "https://creativecommons.org/licenses/by/4.0/";
+$wgRightsText = "Creative Commons „Namensnennung“";
+$wgRightsIcon = "$wgResourceBasePath/resources/assets/licenses/cc-by.png";
+
+# allow nonstandard display titles, which we want to have for a few pages
+$wgRestrictDisplayTitle = false;
+
+# Path to the GNU diff3 utility. Used for conflict resolution.
+$wgDiff3 = "/usr/bin/diff3";
+
+## Default skin
+# For MinervaNeue it’s "minerva"
+$wgDefaultSkin = "citizen";
+$wgDefaultMobileSkin = 'citizen';
+
+# Enabled skins.
+wfLoadSkin( 'MinervaNeue' );
+wfLoadSkin( 'Citizen' );
+# keep this up-to-date with website theme color
+$wgCitizenThemeColor = "#f9c827";
+
+# Enabled extensions. Most of the extensions are enabled by adding
+# wfLoadExtension( 'ExtensionName' );
+# to LocalSettings.php. Check specific extension documentation for more details.
+# The following extensions were automatically enabled:
+wfLoadExtension( 'CategoryTree' );
+wfLoadExtension( 'CodeEditor' );
+wfLoadExtension( 'ImageMap' );
+wfLoadExtension( 'Interwiki' );
+wfLoadExtension( 'InputBox' );
+wfLoadExtension( 'Math' );
+wfLoadExtension( 'Nuke' );
+wfLoadExtension( 'ParserFunctions' );
+wfLoadExtension( 'Poem' );
+wfLoadExtension( 'PdfHandler' );
+wfLoadExtension( 'ReplaceText' );
+wfLoadExtension( 'Renameuser' );
+wfLoadExtension( 'SpamBlacklist' );
+wfLoadExtension( 'SyntaxHighlight_GeSHi' );
+wfLoadExtension( 'TemplateData' );
+wfLoadExtension( 'TitleBlacklist' );
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'WikiEditor' );
+
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+wfLoadExtension( 'SemanticMediaWiki' );
+enableSemantics( 'wiki.ctbk.de' );
+
+# Add more configuration options below.
+
+# Disable account creation - we only use SSO accounts
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['sysop']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['sysop']['createaccount'] = true;
+
+# allow copy uploads by anyone
+$wgGroupPermissions['user']['upload_by_url'] = true;
+
+# SSO config
+# necessary to allow admin user(s) to login
+$wgPluggableAuth_EnableLocalLogin = true;
+$wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
+    'plugin' => 'OpenIDConnect',
+    'data' => [
+        'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
+	'clientID' => 'public_mediawiki',
+        'clientsecret' => $ctbkClientSecret
+    ]
+];
+
+# interwiki config
+$wgGroupPermissions['sysop']['interwiki'] = true;
+$wgInterwikiMagic = true;
+$wgHideInterlanguageLinks = false;
+
+# for better error reporting - disable while in production
+#error_reporting( -1 );
+#ini_set( 'display_errors', 1 );
+#$wgShowExceptionDetails = true;
+#$wgShowDBErrorBacktrace = true;
+
+# uncomment this if Semantic MediaWiki property locking is broken
+#$smwgChangePropagationProtection = false;

public_mediawiki/composer.local.json

@@ -0,0 +1,21 @@
+{
+	"repositories": [
+		{
+			"type": "vcs",
+			"url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect"
+		}
+	],
+	"require": {
+		"starcitizentools/citizen-skin": "^2.39",
+		"mediawiki/pluggable-auth": "^7",
+		"mediawiki/openidconnect": "^8",
+		"mediawiki/semantic-compound-queries": "^2.2",
+		"mediawiki/semantic-extra-special-properties": "^3",
+		"mediawiki/semantic-media-wiki": "^4.2",
+		"mediawiki/semantic-result-formats": "^4.2"
+	},
+	"config": {
+		"preferred-install": "source",
+		"optimize-autoloader": true
+	}
+}

public_mediawiki/public_mediawiki.conf

@@ -0,0 +1,40 @@
+# Public Chaostreff MediaWiki
+
+server { 
+        listen 80;
+        listen [::]:80;
+        root /var/lib/public_mediawiki;
+        charset utf-8;
+        client_max_body_size 100m;
+        client_body_timeout 60;
+        index index.php index.html index.htm;
+
+        location ~ \.ht {                 
+                deny all;   
+        }                         
+
+        location / {
+                try_files $uri $uri/ @rewrite;
+        }
+
+        location @rewrite {
+                rewrite ^/(.*)$ /index.php;
+        }
+                                              
+	location ^~ /maintenance/ {
+	        return 403;
+	}
+        # Restrictions based on the .htaccess files
+        location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
+                deny all;
+        }
+
+        location ~ \.php$ {
+                include /etc/nginx/fastcgi.conf;
+
+                fastcgi_pass unix:/run/php/php-fpm.sock;
+                fastcgi_index index.php;
+
+                try_files $uri @rewrite;
+        }
+}