From 2b58c9a4e0cd4b848aa2c6d1b37c171cc07b40dc Mon Sep 17 00:00:00 2001 From: Sidney Kuyateh Date: Wed, 29 Jan 2025 22:01:03 +0100 Subject: [PATCH 01/24] Add SVG file handling --- public_mediawiki/LocalSettings.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 54c0411..ee29bf5 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -202,3 +202,8 @@ $wgHideInterlanguageLinks = false; # uncomment this if Semantic MediaWiki property locking is broken #$smwgChangePropagationProtection = false; + +# SVG config +$wgFileExtensions[] = 'svg'; +# This extension will no longer be needed in MediaWiki >= 1.41, then $wgSVGNativeRendering can be used +wfLoadExtension( 'NativeSvgHandler' ); From 7146d40ea28db8f596658b4ebdd057ffad4a77a3 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sun, 2 Feb 2025 12:52:38 +0100 Subject: [PATCH 02/24] minor settings updates and job runners --- orga_mediawiki/LocalSettings.php | 1 + public_mediawiki/LocalSettings.php | 25 +++++++++++++++++++++++-- smw-jobs.sh | 25 +++++++++++++++++++++++++ system/mediawiki-jobrunner@.service | 18 ++++++++++++++++++ system/semantic-mediawiki-jobs@.service | 13 +++++++++++++ system/semantic-mediawiki-jobs@.timer | 13 +++++++++++++ 6 files changed, 93 insertions(+), 2 deletions(-) create mode 100755 smw-jobs.sh create mode 100644 system/mediawiki-jobrunner@.service create mode 100644 system/semantic-mediawiki-jobs@.service create mode 100644 system/semantic-mediawiki-jobs@.timer diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index ecda7c4..4b2f7eb 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php 
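Review bot: Allowing `svg` uploads together with `NativeSvgHandler` means uploaded SVG files reach browsers as-is rather than as rasterised thumbnails, and the added `# SVG config` comment does not record what the wiki relies on to keep that safe. SVG can carry script and external references, so the protection rests on MediaWiki's upload-time SVG checks and on how the web server serves the upload directory, neither of which is visible in this hunk. I would extend the comment to something like `# SVG is served unrasterised; relies on MediaWiki's upload verification, keep the upload path served with a restrictive Content-Security-Policy`. It is also worth confirming that the nginx site config actually sets such a header for uploads.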
@@ -188,5 +188,6 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ # for better error reporting - disable while in production #error_reporting( -1 ); #ini_set( 'display_errors', 1 ); + #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 54c0411..3551693 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -163,10 +163,13 @@ wfLoadExtension( 'WikiEditor' ); wfLoadExtension( 'PluggableAuth' ); wfLoadExtension( 'OpenIDConnect' ); +$wgPFEnableStringFunctions = true; + +# SMW config wfLoadExtension( 'SemanticMediaWiki' ); enableSemantics( 'wiki.ctbk.de' ); - -# Add more configuration options below. +$smwgQueryResultCacheType = CACHE_ANYTHING; +$wgGroupPermissions['sysop']['smw-admin'] = true; # Disable account creation - we only use SSO accounts $wgGroupPermissions['*']['autocreateaccount'] = true; @@ -185,7 +188,19 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ 'data' => [ 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/', 'clientID' => 'public_mediawiki', + 'scope' => [ 'openid', 'profile', 'email', 'groups' ], 'clientsecret' => $ctbkClientSecret + ], + # use Keycloak group definitions to manage groups centrally + 'groupsyncs' => [ + [ + 'type' => 'mapped', + 'map' => [ + 'sysop' => [ 'groups' => '/mediawiki/admins' ], + 'buerocrat' => [ 'groups' => '/mediawiki/admins' ], + 'interface-admin' => [ 'groups' => '/mediawiki/admins' ] + ] + ] ] ]; @@ -202,3 +217,9 @@ $wgHideInterlanguageLinks = false; # uncomment this if Semantic MediaWiki property locking is broken #$smwgChangePropagationProtection = false; + +# SVG config +$wgFileExtensions[] = 'svg'; +# This extension will no longer be needed in MediaWiki >= 1.41, then $wgSVGNativeRendering can be used +wfLoadExtension( 'NativeSvgHandler' ); + diff --git a/smw-jobs.sh b/smw-jobs.sh new file mode 100755 index 0000000..000cf0e --- /dev/null +++ b/smw-jobs.sh 
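Review bot: The group map in the new `groupsyncs` block uses the key `'buerocrat'`, which is not MediaWiki's built-in `bureaucrat` group, so members of `/mediawiki/admins` would be synced into an unknown group name instead of receiving bureaucrat rights. The line should read `'bureaucrat' => [ 'groups' => '/mediawiki/admins' ],`, which is how the orga wiki mapping added later in this series spells it. Since a single IdP group now grants `sysop`, `bureaucrat` and `interface-admin` at once, a short comment next to the map stating that `/mediawiki/admins` membership equals full wiki administration would help whoever manages the Keycloak groups.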
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +# ignore single script failures +set +e + +SMW_PATH=$1 + +set -x + +# not needed in our current config according to the documentation +#php "${SMW_PATH}/maintenance/updateSpecialPages.php" --quiet + +# recommended daily jobs +php "${SMW_PATH}/maintenance/rebuildData.php" --shallow-update +php "${SMW_PATH}/maintenance/disposeOutdatedEntities.php" +php "${SMW_PATH}/maintenance/rebuildPropertyStatistics.php" +php "${SMW_PATH}/maintenance/rebuildConceptCache.php" --update --create + +# recommended weekly jobs — we still run them daily to simplify the timers +php "${SMW_PATH}/maintenance/rebuildData.php" -d 100 +php "${SMW_PATH}/maintenance/setupStore.php" --skip-import + +# recommended monthly jobs +php "${SMW_PATH}/maintenance/removeDuplicateEntities.php" + diff --git a/system/mediawiki-jobrunner@.service b/system/mediawiki-jobrunner@.service new file mode 100644 index 0000000..4de5700 --- /dev/null +++ b/system/mediawiki-jobrunner@.service @@ -0,0 +1,18 @@ +[Unit] +Description=MediaWiki job runner %I +Documentation=https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:RunJobs.php + +[Service] +User=www-data +Group=www-data +ExecStart=/usr/bin/php /var/lib/%i/maintenance/runJobs.php --wait --maxjobs=50 +Restart=always +RestartSec=15 +RuntimeMaxSec=300 +PrivateDevices=true +PrivateTmp=true +ProtectHome=read-only + +[Install] +WantedBy=multi-user.target + diff --git a/system/semantic-mediawiki-jobs@.service b/system/semantic-mediawiki-jobs@.service new file mode 100644 index 0000000..ce8fcd9 --- /dev/null +++ b/system/semantic-mediawiki-jobs@.service @@ -0,0 +1,13 @@ +[Unit] +Description=Semantic MediaWiki job runner %I +Documentation=https://www.semantic-mediawiki.org/wiki/Help:Cron_jobs + +[Service] +User=www-data +Group=www-data +ExecStart=/usr/local/bin/smw-jobs /var/lib/%i/extensions/SemanticMediaWiki +RestartSec=15 +PrivateDevices=true +PrivateTmp=true +ProtectHome=read-only + 
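Review bot: `SMW_PATH=$1` is used without checking that an argument was passed, so a call without one runs `php "/maintenance/rebuildData.php"` and the other scripts against a path under the filesystem root. `SMW_PATH=${1:?usage: smw-jobs <path to SemanticMediaWiki>}` would stop early with a message. Because of `set +e`, the script's exit status is only that of the last command, so the systemd unit that runs it reports success even when earlier maintenance scripts failed. A comment saying this is deliberate, or a failure flag that makes the script exit non-zero at the end, would make failed runs visible in the journal.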
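Review bot: In `semantic-mediawiki-jobs@.service` the `RestartSec=15` line has no effect because the unit sets no `Restart=`, and a run-to-completion script started by a timer would normally declare `Type=oneshot`. Both new units, this one and `mediawiki-jobrunner@.service`, run PHP maintenance code with only `PrivateDevices`, `PrivateTmp` and `ProtectHome=read-only` as sandboxing. `NoNewPrivileges=true` and `ProtectSystem=full` are low-risk additions for a `www-data` job, provided the wiki's writable directories stay reachable. The instance name `%i` is inserted into the `ExecStart` path, so a one-line `#` comment naming the expected instances would help.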
diff --git a/system/semantic-mediawiki-jobs@.timer b/system/semantic-mediawiki-jobs@.timer new file mode 100644 index 0000000..9b15214 --- /dev/null +++ b/system/semantic-mediawiki-jobs@.timer @@ -0,0 +1,13 @@ +[Unit] +Description=Semantic MediaWiki job timer %I +Documentation=https://www.semantic-mediawiki.org/wiki/Help:Cron_jobs + +[Timer] +# run the jobs in the morning, after the backups happen +OnCalendar=*-*-* 04:00:00 +RandomizedDelaySec=1h +Unit=semantic-mediawiki-jobs@%i.service + +[Install] +WantedBy=timers.target + From 236009f7483f6147ca03e4b9651733cbc6f58a9b Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sun, 2 Feb 2025 13:33:29 +0100 Subject: [PATCH 03/24] add installation script --- install.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100755 install.sh diff --git a/install.sh b/install.sh new file mode 100755 index 0000000..8ff826c --- /dev/null +++ b/install.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +scriptdir=$(dirname $(realpath $0)) + +set +e + +ln -fs "$scriptdir/smw-jobs.sh" /usr/local/bin/smw-jobs +ln -fs "$scriptdir/nginx.conf" /etc/nginx/nginx.conf +ln -fs "$scriptdir/fastcgi.conf" /etc/nginx/fastcgi.conf +ln -fs "$scriptdir/public_mediawiki/public_mediawiki.conf" /etc/nginx/sites-enabled/public_mediawiki.conf +ln -fs "$scriptdir/orga_mediawiki/orga_mediawiki.conf" /etc/nginx/sites-enabled/orga_mediawiki.conf +ln -fs "$scriptdir/pgtune.conf" "/etc/postgresql/15/main/conf.d/pgtune.conf" + +for file in "$scriptdir/system"/*; do + filename=$(basename "$file") + ln -fs "$file" "/etc/systemd/system/$filename" +done + +for file in "$scriptdir/public_mediawiki"/*; do + filename=$(basename "$file") + ln -fs "$file" "/etc/public_mediawiki/$filename" +done + +for file in "$scriptdir/orga_mediawiki"/*; do + filename=$(basename "$file") + ln -fs "$file" "/etc/orga_mediawiki/$filename" +done + From a3d2b272860b408fe7e2343ce41f5388fc416e47 Mon Sep 17 00:00:00 2001 
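Review bot: The script points root-owned configuration (`/etc/nginx/nginx.conf`, every unit under `/etc/systemd/system/`, and the `/usr/local/bin/smw-jobs` executable) at files inside the checkout via `ln -fs`, so anyone who can write to the repository directory can change what nginx and systemd load on the next reload. The script should state that requirement, for example with a header comment `# The checkout must be owned by root and not writable by www-data or other unprivileged users`, or check it before linking. `scriptdir=$(dirname $(realpath $0))` also breaks on paths with spaces; `scriptdir=$(dirname "$(realpath "$0")")` is the quoted form. With `set +e` a failed `ln` is silently skipped, which can leave a partially linked system without any error.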
From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?= Date: Sun, 2 Feb 2025 14:51:17 +0100 Subject: [PATCH 04/24] expanded readme --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 49401aa..7c4dbfd 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,15 @@ # mediawiki -Config for wiki.ctbk.de and the upcoming Orgawiki deployment. +Config for [wiki.ctbk.de](https://wiki.ctbk.de) and the upcoming Orgawiki deployment. For deployment documentation refer to [the Wiki](https://wiki.ctbk.de/Dienste/Wiki). -Files for the wiki.ctbk.de public deployment are found in `public_mediawiki`. Files for the internal deployment (not yet in production) are found in `orga_mediawiki`. Some common files are found in the root directory. +Files for the [wiki.ctbk.de](https://wiki.ctbk.de) public deployment are found in `public_mediawiki`. Files for the internal deployment (not yet in production) are found in `orga_mediawiki`. Some common files are found in the root directory. Note that while some files may look identical between the deployments, they are not shared to allow easier modifications to both deployments independently. + +The [`install.sh`](install.sh) script replaces all relevant system files with symlinks to the files in this repository. + +## License + +The files in this repository are licensed under the BSD 2-clause license. The contents of the Wiki have different license(s), [see here](https://wiki.ctbk.de/Wiki:Urheberrechte). From c5a5a2dff5d4ad3243893f9c2d4bf1d833b22476 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Tue, 4 Feb 2025 13:32:20 +0100 Subject: [PATCH 05/24] forward haproxy forwarded ip to php correctly --- fastcgi.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fastcgi.conf b/fastcgi.conf index d53a628..927fe5b 100644 --- a/fastcgi.conf +++ b/fastcgi.conf 
@@ -16,7 +16,7 @@ fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; -fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_ADDR $http_x_forwarded_for; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param REMOTE_USER $remote_user; fastcgi_param SERVER_ADDR $server_addr; From 5d19eacf95f4994c81e1d4663760fba10224b43f Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Tue, 4 Feb 2025 20:21:07 +0100 Subject: [PATCH 06/24] robots.txt --- install.sh | 1 + orga_mediawiki/orga_mediawiki.conf | 11 ++++++++--- public_mediawiki/public_mediawiki.conf | 11 ++++++++--- robots.txt | 3 +++ 4 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 robots.txt diff --git a/install.sh b/install.sh index 8ff826c..c2561e3 100755 --- a/install.sh +++ b/install.sh @@ -7,6 +7,7 @@ set +e ln -fs "$scriptdir/smw-jobs.sh" /usr/local/bin/smw-jobs ln -fs "$scriptdir/nginx.conf" /etc/nginx/nginx.conf ln -fs "$scriptdir/fastcgi.conf" /etc/nginx/fastcgi.conf +ln -fs "$scriptdir/robots.txt" /etc/nginx/robots.txt ln -fs "$scriptdir/public_mediawiki/public_mediawiki.conf" /etc/nginx/sites-enabled/public_mediawiki.conf ln -fs "$scriptdir/orga_mediawiki/orga_mediawiki.conf" /etc/nginx/sites-enabled/orga_mediawiki.conf ln -fs "$scriptdir/pgtune.conf" "/etc/postgresql/15/main/conf.d/pgtune.conf" diff --git a/orga_mediawiki/orga_mediawiki.conf b/orga_mediawiki/orga_mediawiki.conf index e7fb257..fa2a08f 100644 --- a/orga_mediawiki/orga_mediawiki.conf +++ b/orga_mediawiki/orga_mediawiki.conf @@ -9,9 +9,14 @@ server { client_body_timeout 60; index index.php index.html index.htm; - location ~ \.ht { - deny all; - } + location ~ \.ht { + deny all; + } + + location /robots.txt { + root /etc/nginx; + try_files /robots.txt =404; + } location / { try_files $uri $uri/ @rewrite; diff --git a/public_mediawiki/public_mediawiki.conf b/public_mediawiki/public_mediawiki.conf index 8d36cb6..c89ff63 100644 
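Review bot: `fastcgi_param REMOTE_ADDR $http_x_forwarded_for;` hands PHP the raw `X-Forwarded-For` request header, which the client can set itself and which may hold a comma-separated list rather than a single address unless haproxy overwrites it. MediaWiki would then apply blocks, rate limits and edit attribution to a value that is not verified. Keeping `$remote_addr` here and declaring the proxy as trusted on the MediaWiki side is the safer arrangement, and a later patch in this series does exactly that.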
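Review bot: `location /robots.txt` is a prefix match, so the block also answers for any path that merely starts with `/robots.txt`; `location = /robots.txt` limits it to the exact path. The same block is added to `public_mediawiki/public_mediawiki.conf` in the following hunk. Because `try_files /robots.txt =404;` pins the served file, this is a tidiness point rather than an exposure.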
--- a/public_mediawiki/public_mediawiki.conf +++ b/public_mediawiki/public_mediawiki.conf @@ -9,9 +9,14 @@ server { client_body_timeout 60; index index.php index.html index.htm; - location ~ \.ht { - deny all; - } + location ~ \.ht { + deny all; + } + + location /robots.txt { + root /etc/nginx; + try_files /robots.txt =404; + } location / { try_files $uri $uri/ @rewrite; diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000..b93e3f5 --- /dev/null +++ b/robots.txt @@ -0,0 +1,3 @@ +User-Agent: * +Disallow: / + From f3ca94de27aae1b4b8aa7bc9a2cefeced1985fbf Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Tue, 4 Feb 2025 21:17:46 +0100 Subject: [PATCH 07/24] more extensions! --- public_mediawiki/LocalSettings.php | 15 ++++++++++ public_mediawiki/composer.local.json | 42 +++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 1 deletion(-) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 3551693..96b2a41 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -159,6 +159,10 @@ wfLoadExtension( 'TemplateData' ); wfLoadExtension( 'TitleBlacklist' ); wfLoadExtension( 'VisualEditor' ); wfLoadExtension( 'WikiEditor' ); +wfLoadExtension( 'CodeMirror' ); +wfLoadExtension( 'TemplateStyles' ); +wfLoadExtension( 'TemplateStylesExtender' ); +wfLoadExtension( 'Widgets' ); wfLoadExtension( 'PluggableAuth' ); wfLoadExtension( 'OpenIDConnect' ); @@ -180,6 +184,10 @@ $wgGroupPermissions['sysop']['createaccount'] = true; # allow copy uploads by anyone $wgGroupPermissions['user']['upload_by_url'] = true; +# disallow widget editing by anyone except sysops +$wgGroupPermissions['*']['editwidgets'] = false; +$wgGroupPermissions['sysop']['editwidgets'] = true; + # SSO config # necessary to allow admin user(s) to login $wgPluggableAuth_EnableLocalLogin = true; 
@@ -204,6 +212,8 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ ] ]; +$wgDefaultUserOptions['usecodemirror'] = 1; + # interwiki config $wgGroupPermissions['sysop']['interwiki'] = true; $wgInterwikiMagic = true; @@ -223,3 +233,8 @@ $wgFileExtensions[] = 'svg'; # This extension will no longer be needed in MediaWiki >= 1.41, then $wgSVGNativeRendering can be used wfLoadExtension( 'NativeSvgHandler' ); +# do not sanitize my CSS +#$wgTemplateStylesAutoParseContent = false; +$wgTemplateStylesExtenderEnablePrefersColorScheme = true; +$wgTemplateStylesExtenderEnableCssVars = true; + diff --git a/public_mediawiki/composer.local.json b/public_mediawiki/composer.local.json index 489afd2..45dfb59 100644 --- a/public_mediawiki/composer.local.json +++ b/public_mediawiki/composer.local.json @@ -3,6 +3,42 @@ { "type": "vcs", "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect" + }, + { + "type": "package", + "package": { + "name": "mediawiki/codemirror", + "version": "6.0.0", + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/CodeMirror.git", + "reference": "REL1_39" + } + } + }, + { + "type": "package", + "package": { + "name": "mediawiki/templatestyles", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles", + "reference": "REL1_39" + } + } + }, + { + "type": "package", + "package": { + "name": "mediawiki/widgets", + "version": "1.6.0", + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Widgets", + "reference": "1.6.0" + } + } } ], "require": { 
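Review bot: The new `package` repository entries for CodeMirror and TemplateStyles set `"reference": "REL1_39"`, which is a branch, while declaring fixed versions (`6.0.0`, `1.0.0`) that exist only in this file. Each install therefore fetches whatever the branch head is at that moment under an unchanged version number. Unless a committed `composer.lock` (not visible here) pins the resolved commit, deployments of code that runs inside the wiki are non-reproducible and hard to audit afterwards. Pinning `reference` to a reviewed commit, e.g. `"reference": "<commit-sha>"`, and bumping it deliberately would fix that. The Lockdown package added to `orga_mediawiki/composer.local.json` later in this series follows the same branch pattern.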
@@ -12,7 +48,11 @@ "mediawiki/semantic-compound-queries": "^2.2", "mediawiki/semantic-extra-special-properties": "^3", "mediawiki/semantic-media-wiki": "^4.2", - "mediawiki/semantic-result-formats": "^4.2" + "mediawiki/semantic-result-formats": "^4.2", + "mediawiki/codemirror": "^6", + "mediawiki/templatestyles": "^1", + "octfx/template-styles-extender": "^1.2", + "mediawiki/widgets": "^1.6" }, "config": { "preferred-install": "source", From ee27bc59a632e10967e3934a15a9d282e4d912e1 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Wed, 5 Feb 2025 16:17:35 +0100 Subject: [PATCH 08/24] subpages everywhere --- public_mediawiki/LocalSettings.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 96b2a41..8eaa8fb 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -238,3 +238,7 @@ wfLoadExtension( 'NativeSvgHandler' ); $wgTemplateStylesExtenderEnablePrefersColorScheme = true; $wgTemplateStylesExtenderEnableCssVars = true; +# enable namespaces everywhere we need them +$wgNamespacesWithSubpages[NS_MAIN] = true; +$wgNamespacesWithSubpages[NS_TEMPLATE] = true; + From 45a907235dae18eb54a8a148c4b363b21cfa76c9 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Fri, 7 Feb 2025 23:55:46 +0100 Subject: [PATCH 09/24] proper proxy configuration --- fastcgi.conf | 2 +- nginx.conf | 8 ++++++-- public_mediawiki/LocalSettings.php | 5 +++++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/fastcgi.conf b/fastcgi.conf index 927fe5b..d53a628 100644 --- a/fastcgi.conf +++ b/fastcgi.conf @@ -16,7 +16,7 @@ fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; -fastcgi_param REMOTE_ADDR $http_x_forwarded_for; +fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param REMOTE_USER $remote_user; fastcgi_param SERVER_ADDR $server_addr; 
diff --git a/nginx.conf b/nginx.conf index bac1998..4532678 100644 --- a/nginx.conf +++ b/nginx.conf @@ -1,7 +1,6 @@ user www-data; worker_processes auto; pid /run/nginx.pid; -error_log /var/log/nginx/error.log; include /etc/nginx/modules-enabled/*.conf; events { @@ -37,7 +36,12 @@ http { # Logging Settings ## - access_log /var/log/nginx/access.log; + log_format main '$http_x_forwarded_for [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent"'; + + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log; ## # Gzip Settings diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 8eaa8fb..cabac03 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -242,3 +242,8 @@ $wgTemplateStylesExtenderEnableCssVars = true; $wgNamespacesWithSubpages[NS_MAIN] = true; $wgNamespacesWithSubpages[NS_TEMPLATE] = true; +# use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For +$wgUsePrivateIPs = true; +# ingress haproxy +$wgCdnServersNoPurge = [ '10.140.0.1' ]; + From 37e72d512990d44fffc0a3509cd05f1766b4c333 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sun, 15 Jun 2025 18:33:14 +0200 Subject: [PATCH 10/24] interwiki perms + public url for orgawiki --- orga_mediawiki/LocalSettings.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index 4b2f7eb..fb3fc36 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php 
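Review bot: The new `log_format main` records `$http_x_forwarded_for` as its only address field, so the access log no longer contains the connecting peer (`$remote_addr`) and the address it does contain comes from a request header. If a request ever reaches nginx without passing haproxy, or haproxy appends to the header rather than replacing it, the logged value is client-chosen, which weakens the log for incident response. Logging both, e.g. `'$remote_addr $http_x_forwarded_for [$time_local] "$request" '`, keeps the verified peer alongside the forwarded value. The enclosing `http` block continues outside the hunk.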
@@ -41,8 +41,8 @@ $wgScriptExtension = ".php"; ## The protocol and server name to use in fully-qualified URLs # TODO: should be the public domain eventually -#$wgServer = "https://orgawiki.ctbk.de"; -$wgServer = "http://wiki.chaos:81"; +$wgServer = "https://orgawiki.ctbk.de"; +#$wgServer = "http://wiki.chaos:81"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; @@ -185,9 +185,13 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ ] ]; +# interwiki config +$wgGroupPermissions['sysop']['interwiki'] = true; +$wgInterwikiMagic = true; +$wgHideInterlanguageLinks = false; + # for better error reporting - disable while in production #error_reporting( -1 ); #ini_set( 'display_errors', 1 ); - #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; From 0c0b63a400e9fffa3d3d70a7c08a28e75d154f16 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sat, 21 Jun 2025 20:13:47 +0200 Subject: [PATCH 11/24] namespaces and proxy --- orga_mediawiki/LocalSettings.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index fb3fc36..17aa4af 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -195,3 +195,11 @@ $wgHideInterlanguageLinks = false; #ini_set( 'display_errors', 1 ); #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; + +$wgNamespacesWithSubpages[NS_MAIN] = true; +$wgNamespacesWithSubpages[NS_TEMPLATE] = true; + +# use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For +$wgUsePrivateIPs = true; +# ingress haproxy +$wgCdnServersNoPurge = [ '10.140.0.1' ]; From a3ca9281306a3bc6c943739d1225f4c18e73dfc6 Mon Sep 17 00:00:00 2001 
From: filmroellchen Date: Tue, 1 Jul 2025 21:23:57 +0200 Subject: [PATCH 12/24] update to mediawiki 1.39.13 --- orga_mediawiki/LocalSettings.php | 2 -- orga_mediawiki/composer.local.json | 4 ++-- public_mediawiki/LocalSettings.php | 1 + public_mediawiki/composer.local.json | 9 +++++---- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index 17aa4af..b15a49c 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -40,9 +40,7 @@ $wgUsePathInfo = true; $wgScriptExtension = ".php"; ## The protocol and server name to use in fully-qualified URLs -# TODO: should be the public domain eventually $wgServer = "https://orgawiki.ctbk.de"; -#$wgServer = "http://wiki.chaos:81"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json index 489afd2..aa17e7b 100644 --- a/orga_mediawiki/composer.local.json +++ b/orga_mediawiki/composer.local.json @@ -7,8 +7,8 @@ ], "require": { "starcitizentools/citizen-skin": "^2.39", - "mediawiki/pluggable-auth": "^7", - "mediawiki/openidconnect": "^8", + "mediawiki/pluggable-auth": "7.0.0", + "mediawiki/openidconnect": "8.2.0", "mediawiki/semantic-compound-queries": "^2.2", "mediawiki/semantic-extra-special-properties": "^3", "mediawiki/semantic-media-wiki": "^4.2", diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index cabac03..02c6fbc 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -1,4 +1,5 @@ Date: Sun, 9 Nov 2025 23:35:15 +0100 Subject: [PATCH 13/24] access configuration, Lockdown extension --- orga_mediawiki/LocalSettings.php | 84 +++++++++++++++++++++++++++++- orga_mediawiki/composer.local.json | 21 +++++++- 2 files changed, 101 insertions(+), 4 deletions(-) 
diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index b15a49c..e4dc7f6 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -160,7 +160,19 @@ wfLoadExtension( 'OpenIDConnect' ); wfLoadExtension( 'SemanticMediaWiki' ); enableSemantics( 'orgawiki.ctbk.de' ); -# Add more configuration options below. +wfLoadExtension( 'Lockdown' ); + +#### Namespace config +define('NS_FSCK', 100); +define('NS_FSCK_TALK', 101); +define('NS_VEREIN', 200); +define('NS_VEREIN_TALK', 201); +$wgExtraNamespaces[NS_FSCK] = 'FSCK'; +$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion'; +$wgExtraNamespaces[NS_VEREIN] = 'Verein'; +$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion'; + +#### Permissions # Disable account creation - we only use SSO accounts $wgGroupPermissions['*']['autocreateaccount'] = true; 
@@ -170,8 +182,60 @@ $wgGroupPermissions['sysop']['createaccount'] = true; # Also disable reading/editing by non-logged-in users, making the wiki properly private $wgGroupPermissions['*']['read'] = false; $wgGroupPermissions['*']['edit'] = false; +$wgGroupPermissions['*']['createpage'] = false; +$wgGroupPermissions['*']['createtalk'] = false; +# Remove tons of permissions from standard users +$wgGroupPermissions['user']['edit'] = false; +$wgGroupPermissions['user']['read'] = false; +$wgGroupPermissions['user']['createpage'] = false; +$wgGroupPermissions['user']['createtalk'] = false; +$wgGroupPermissions['user']['upload'] = false; +$wgGroupPermissions['user']['reupload'] = false; +$wgGroupPermissions['user']['reupload-shared'] = false; +$wgGroupPermissions['user']['movefile'] = false; +$wgGroupPermissions['user']['move-rootuserpages'] = false; +$wgGroupPermissions['user']['move-categorypages'] = false; +$wgGroupPermissions['user']['move-subpages'] = false; +$wgGroupPermissions['user']['move'] = false; +# give all the user groups basic rights -- taken away by Lockdown again mostly, but Lockdown cannot give permissions that don’t exist on the user +$wgGroupPermissions['orga-users']['edit'] = true; +$wgGroupPermissions['orga-users']['read'] = true; +$wgGroupPermissions['orga-users']['createpage'] = true; +$wgGroupPermissions['orga-fsck']['edit'] = true; +$wgGroupPermissions['orga-fsck']['read'] = true; +$wgGroupPermissions['orga-fsck']['createpage'] = true; +$wgGroupPermissions['orga-verein']['edit'] = true; +$wgGroupPermissions['orga-verein']['read'] = true; +$wgGroupPermissions['orga-verein']['createpage'] = true; -# SSO config +# sysop rights +$wgGroupPermissions['sysop']['edit'] = true; +$wgGroupPermissions['sysop']['read'] = true; +$wgGroupPermissions['sysop']['createpage'] = true; + +#### Lockdown configuration +$wgSpecialPageLockdown['Export'] = ['user']; +$wgSpecialPageLockdown['Recentchanges'] = ['user']; + +# remove most namespace permissions 
+$wgNamespacePermissionLockdown['*']['read'] = ['sysop']; +$wgNamespacePermissionLockdown['*']['edit'] = ['sysop']; +$wgNamespacePermissionLockdown['*']['createpage'] = ['sysop']; + +# limit template workaround +$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ]; + +# FSCK namespace +$wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ]; +$wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ]; +$wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ]; + +# Verein namespace +$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ]; +$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ]; +$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ]; + +#### SSO config # necessary to allow admin user(s) to login $wgPluggableAuth_EnableLocalLogin = true; $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ @@ -179,7 +243,21 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ 'data' => [ 'providerURL' => 'https://idp.ctbk.de/realms/ctbk/', 'clientID' => 'orga_mediawiki', + 'scope' => [ 'openid', 'profile', 'email', 'groups' ], 'clientsecret' => $ctbkClientSecret + ], + 'groupsyncs' => [ + [ + 'type' => 'mapped', + 'map' => [ + 'sysop' => [ 'groups' => '/mediawiki/admins' ], + 'bureaucrat' => [ 'groups' => '/mediawiki/admins' ], + 'interface-admin' => [ 'groups' => '/mediawiki/admins' ], + 'orga-users' => [ 'groups' => '/orgawiki/users' ], + 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ], + 'orga-verein' => [ 'groups' => '/todo-verein-orga' ] + ] + ] ] ]; @@ -195,6 +273,8 @@ $wgHideInterlanguageLinks = false; #$wgShowDBErrorBacktrace = true; $wgNamespacesWithSubpages[NS_MAIN] = true; +$wgNamespacesWithSubpages[NS_FSCK] = true; +$wgNamespacesWithSubpages[NS_VEREIN] = true; $wgNamespacesWithSubpages[NS_TEMPLATE] = true; # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For 
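Review bot: `$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];` appends one nested array instead of four namespace ids, so none of these namespaces is actually marked non-includable and the transclusion route around the Lockdown read rules stays open. Each id needs its own entry, `$wgNonincludableNamespaces[] = NS_VEREIN;` and so on, which a later patch in this series applies. Separately, the `'*'` rules appear to leave `sysop` as the only group allowed to read, edit or create in every namespace not listed individually, and no rule names `orga-users`. If that group is meant to use the main namespace, it needs its own `$wgNamespacePermissionLockdown[NS_MAIN]` entries. The talk namespaces `NS_FSCK_TALK` and `NS_VEREIN_TALK` also fall under the `'*'` rule, which is restrictive by default but deserves a comment saying so.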
diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json index aa17e7b..725a8aa 100644 --- a/orga_mediawiki/composer.local.json +++ b/orga_mediawiki/composer.local.json @@ -3,7 +3,23 @@ { "type": "vcs", "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect" - } + }, + { + "type": "package", + "package": { + "name": "x-mediawiki/lockdown", + "version": "1.0.0", + "type": "mediawiki-extension", + "extra": { + "installer-name": "Lockdown" + }, + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown", + "reference": "REL1_39" + } + } + } ], "require": { "starcitizentools/citizen-skin": "^2.39", @@ -12,7 +28,8 @@ "mediawiki/semantic-compound-queries": "^2.2", "mediawiki/semantic-extra-special-properties": "^3", "mediawiki/semantic-media-wiki": "^4.2", - "mediawiki/semantic-result-formats": "^4.2" + "mediawiki/semantic-result-formats": "^4.2", + "x-mediawiki/lockdown": "^1" }, "config": { "preferred-install": "source", From 6ac5881e90622ae8bd6fbadfb00ab8d3cdbe1a58 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sun, 9 Nov 2025 23:35:36 +0100 Subject: [PATCH 14/24] proper install for job runner service --- system/semantic-mediawiki-jobs@.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system/semantic-mediawiki-jobs@.service b/system/semantic-mediawiki-jobs@.service index ce8fcd9..c0b8181 100644 --- a/system/semantic-mediawiki-jobs@.service +++ b/system/semantic-mediawiki-jobs@.service @@ -11,3 +11,6 @@ PrivateDevices=true PrivateTmp=true ProtectHome=read-only +[Install] +WantedBy=default.target + From d1abf4b0a46593e19773808a74f7e882cf94e1ad Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Mon, 10 Nov 2025 00:16:05 +0100 Subject: [PATCH 15/24] configure SMW correctly in new namespaces --- orga_mediawiki/LocalSettings.php | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) 
diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index e4dc7f6..f53d013 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -29,6 +29,16 @@ require_once "/etc/orga_mediawiki/SecretSettings.php"; $wgSitename = "CTBK Orgawiki"; $wgMetaNamespace = "Wiki"; +#### Namespace config +define('NS_FSCK', 100); +define('NS_FSCK_TALK', 101); +define('NS_VEREIN', 200); +define('NS_VEREIN_TALK', 201); +$wgExtraNamespaces[NS_FSCK] = 'FSCK'; +$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion'; +$wgExtraNamespaces[NS_VEREIN] = 'Verein'; +$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion'; + ## The URL base path to the directory containing the wiki; ## defaults for all runtime URL paths are based off of this. ## For more information on customizing the URLs @@ -162,15 +172,6 @@ enableSemantics( 'orgawiki.ctbk.de' ); wfLoadExtension( 'Lockdown' ); -#### Namespace config -define('NS_FSCK', 100); -define('NS_FSCK_TALK', 101); -define('NS_VEREIN', 200); -define('NS_VEREIN_TALK', 201); -$wgExtraNamespaces[NS_FSCK] = 'FSCK'; -$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion'; -$wgExtraNamespaces[NS_VEREIN] = 'Verein'; -$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion'; #### Permissions @@ -223,7 +224,10 @@ $wgNamespacePermissionLockdown['*']['edit'] = ['sysop']; $wgNamespacePermissionLockdown['*']['createpage'] = ['sysop']; # limit template workaround -$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ]; +$wgNonincludableNamespaces[] = NS_MAIN; +$wgNonincludableNamespaces[] = NS_PROJECT; +$wgNonincludableNamespaces[] = NS_VEREIN; +$wgNonincludableNamespaces[] = NS_FSCK; # FSCK namespace $wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ]; 
@@ -272,10 +276,18 @@ $wgHideInterlanguageLinks = false; #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; +### Namespace attributes $wgNamespacesWithSubpages[NS_MAIN] = true; $wgNamespacesWithSubpages[NS_FSCK] = true; $wgNamespacesWithSubpages[NS_VEREIN] = true; $wgNamespacesWithSubpages[NS_TEMPLATE] = true; +# SMW enabled on custom namespaces +$smwgNamespacesWithSemanticLinks[NS_FSCK] = true; +$smwgNamespacesWithSemanticLinks[NS_FSCK_TALK] = true; +$smwgNamespacesWithSemanticLinks[NS_VEREIN] = true; +$smwgNamespacesWithSemanticLinks[NS_VEREIN_TALK] = true; +$wgContentNamespaces[] = NS_FSCK; +$wgContentNamespaces[] = NS_VEREIN; # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For $wgUsePrivateIPs = true; From 8f9a3f6bdaab2e89d974e71aea037ac5165ad25f Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Mon, 5 Jan 2026 22:49:03 +0100 Subject: [PATCH 16/24] re-fix fsck groups and use same logo as public wiki --- orga_mediawiki/LocalSettings.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index f53d013..7857585 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -57,10 +57,9 @@ $wgResourceBasePath = $wgScriptPath; ## The URL paths to the logo. Make sure you change this from the default, ## or else you'll overwrite your logo when you upgrade! -# TODO: Chaostreff logo $wgLogos = [ - '1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg", - 'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg", + '1x' => "$wgResourceBasePath/resources/assets/logo.svg", + 'icon' => "$wgResourceBasePath/resources/assets/logo.svg", ]; ## UPO means: this is also a user preference option 
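Review bot: Enabling `$smwgNamespacesWithSemanticLinks` for `NS_FSCK` and `NS_VEREIN` puts annotations from the Lockdown-restricted namespaces into the shared Semantic MediaWiki store, and nothing in this hunk limits who can query them. As far as I know, `#ask` queries and the SMW special pages are not filtered by `$wgNamespacePermissionLockdown`, so property values and page titles from these namespaces may be visible to any logged-in group that can run queries; this should be verified on the deployed version. A comment above the block, e.g. `# NOTE: semantic data from FSCK/Verein may be queryable wiki-wide; do not store confidential values as properties`, would make the limit explicit. Adding both namespaces to `$wgContentNamespaces` presumably also exposes them to content-wide features such as random-page selection, which is worth checking for title leaks.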
@@ -258,7 +257,7 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ 'bureaucrat' => [ 'groups' => '/mediawiki/admins' ], 'interface-admin' => [ 'groups' => '/mediawiki/admins' ], 'orga-users' => [ 'groups' => '/orgawiki/users' ], - 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ], + 'orga-fsck' => [ 'groups' => '/ctbk/fsck' ], 'orga-verein' => [ 'groups' => '/todo-verein-orga' ] ] ] From a88c2ff5d0cf353c40c1d2badfb650d1472db52b Mon Sep 17 00:00:00 2001 From: autinerd Date: Fri, 16 Jan 2026 15:28:59 +0000 Subject: [PATCH 17/24] Allow webcal URLs as links --- public_mediawiki/LocalSettings.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 02c6fbc..cc8de31 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -229,6 +229,9 @@ $wgHideInterlanguageLinks = false; # uncomment this if Semantic MediaWiki property locking is broken #$smwgChangePropagationProtection = false; +# Allow webcal:// URLs +$wgUrlProtocols[] = 'webcal://'; + # SVG config $wgFileExtensions[] = 'svg'; # This extension will no longer be needed in MediaWiki >= 1.41, then $wgSVGNativeRendering can be used From 9a5bd1484139fe6183d85f65d7128b9310590a1f Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Tue, 27 Jan 2026 16:58:50 +0100 Subject: [PATCH 18/24] updates and better URI schemes --- orga_mediawiki/LocalSettings.php | 3 +++ orga_mediawiki/composer.local.json | 20 ++++++++++---------- orga_mediawiki/orga_mediawiki.conf | 3 ++- public_mediawiki/LocalSettings.php | 5 ++++- public_mediawiki/composer.local.json | 26 +++++++++++++------------- public_mediawiki/public_mediawiki.conf | 1 + 6 files changed, 33 insertions(+), 25 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index 7857585..b238e71 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php 
@@ -275,6 +275,9 @@ $wgHideInterlanguageLinks = false; #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; +$wgUrlProtocols[] = 'webcal://'; +$smwgURITypeSchemeList = array_merge($smwgURITypeSchemeList, ['matrix']); + ### Namespace attributes $wgNamespacesWithSubpages[NS_MAIN] = true; $wgNamespacesWithSubpages[NS_FSCK] = true; diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json index 725a8aa..0c6de64 100644 --- a/orga_mediawiki/composer.local.json +++ b/orga_mediawiki/composer.local.json @@ -8,7 +8,7 @@ "type": "package", "package": { "name": "x-mediawiki/lockdown", - "version": "1.0.0", + "version": "1.1.0", "type": "mediawiki-extension", "extra": { "installer-name": "Lockdown" @@ -16,20 +16,20 @@ "source": { "type": "git", "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown", - "reference": "REL1_39" + "reference": "REL1_43" } } } ], "require": { - "starcitizentools/citizen-skin": "^2.39", - "mediawiki/pluggable-auth": "7.0.0", - "mediawiki/openidconnect": "8.2.0", - "mediawiki/semantic-compound-queries": "^2.2", - "mediawiki/semantic-extra-special-properties": "^3", - "mediawiki/semantic-media-wiki": "^4.2", - "mediawiki/semantic-result-formats": "^4.2", - "x-mediawiki/lockdown": "^1" + "starcitizentools/citizen-skin": "^3", + "mediawiki/pluggable-auth": "^7", + "mediawiki/openidconnect": "^8.3", + "mediawiki/semantic-compound-queries": "^3", + "mediawiki/semantic-extra-special-properties": "^4", + "mediawiki/semantic-media-wiki": "^6", + "mediawiki/semantic-result-formats": "^5", + "x-mediawiki/lockdown": "^1.1" }, "config": { "preferred-install": "source", diff --git a/orga_mediawiki/orga_mediawiki.conf b/orga_mediawiki/orga_mediawiki.conf index fa2a08f..904933f 100644 --- a/orga_mediawiki/orga_mediawiki.conf +++ b/orga_mediawiki/orga_mediawiki.conf @@ -1,4 +1,4 @@ -# Public Chaostreff MediaWiki +# Orga Chaostreff MediaWiki server { listen 81; 
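Review bot: The `require` block in the orga composer.local.json hunk replaces the exact pins `"mediawiki/pluggable-auth": "7.0.0"` and `"mediawiki/openidconnect": "8.2.0"` with caret ranges, so the two extensions that handle login can change version on any `composer update` without a change in this repository. The Lockdown package entry has the same property in another form: `"version": "1.1.0"` is only a label, while `"reference": "REL1_43"` follows a moving branch. No composer.lock is visible in this patch series, so whether deployments are reproducible cannot be confirmed from here; if none is committed, I would keep exact versions for the auth extensions and replace the branch name with a commit hash (`"reference": "<commit-sha>"`, placeholder). The public_mediawiki/composer.local.json hunks in this commit and the UserFunctions package added in PATCH 20 follow the same pattern.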
@@ -19,6 +19,7 @@ server { } location / { + add_header 'X-Content-Type-Options' 'nosniff'; try_files $uri $uri/ @rewrite; } diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index cc8de31..d1ba7cc 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -91,6 +91,9 @@ $wgCopyUploadsFromSpecialUpload = true; $wgUseImageMagick = true; $wgImageMagickConvertCommand = "/usr/bin/convert"; +# compiled widgets +$wgWidgetsCompileDir = "/var/cache/mediawiki/compiled_templates/"; + # InstantCommons allows wiki to use images from https://commons.wikimedia.org $wgUseInstantCommons = false; @@ -153,7 +156,6 @@ wfLoadExtension( 'ParserFunctions' ); wfLoadExtension( 'Poem' ); wfLoadExtension( 'PdfHandler' ); wfLoadExtension( 'ReplaceText' ); -wfLoadExtension( 'Renameuser' ); wfLoadExtension( 'SpamBlacklist' ); wfLoadExtension( 'SyntaxHighlight_GeSHi' ); wfLoadExtension( 'TemplateData' ); @@ -231,6 +233,7 @@ $wgHideInterlanguageLinks = false; # Allow webcal:// URLs $wgUrlProtocols[] = 'webcal://'; +$smwgURITypeSchemeList = array_merge($smwgURITypeSchemeList, ['matrix']); # SVG config $wgFileExtensions[] = 'svg'; diff --git a/public_mediawiki/composer.local.json b/public_mediawiki/composer.local.json index aaf165c..1c8044e 100644 --- a/public_mediawiki/composer.local.json +++ b/public_mediawiki/composer.local.json @@ -12,7 +12,7 @@ "source": { "type": "git", "url": "https://github.com/wikimedia/mediawiki-extensions-CodeMirror.git", - "reference": "REL1_39" + "reference": "REL1_43" } } }, @@ -24,7 +24,7 @@ "source": { "type": "git", "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles", - "reference": "REL1_39" + "reference": "REL1_43" } } }, 
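Review bot: `add_header 'X-Content-Type-Options' 'nosniff';` is placed inside `location /`, so it applies only to responses that this location itself serves; requests that `try_files` hands to `@rewrite` or that match another location (the PHP handler, an upload directory) do not get the header from here. nginx also omits `add_header` headers on error responses unless `always` is given, and a location-level `add_header` replaces headers set at server level instead of adding to them. I would move the line to the `server` block as `add_header X-Content-Type-Options nosniff always;` and check that no other location defines its own `add_header`. The `server` and `location` blocks continue outside the hunk, and the public_mediawiki.conf hunk in this commit adds the same line.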
@@ -32,27 +32,27 @@ "type": "package", "package": { "name": "mediawiki/widgets", - "version": "1.6.0", + "version": "1.7.0", "source": { "type": "git", "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Widgets", - "reference": "1.6.0" + "reference": "1.7.0" } } } ], "require": { - "starcitizentools/citizen-skin": "^2.39", - "mediawiki/pluggable-auth": "7.0.0", - "mediawiki/openidconnect": "8.2.0", - "mediawiki/semantic-compound-queries": "^2.2", - "mediawiki/semantic-extra-special-properties": "^3", - "mediawiki/semantic-media-wiki": "^4.2", - "mediawiki/semantic-result-formats": "^4.2", + "starcitizentools/citizen-skin": "^3", + "mediawiki/pluggable-auth": "^7", + "mediawiki/openidconnect": "^8.3", + "mediawiki/semantic-compound-queries": "^3", + "mediawiki/semantic-extra-special-properties": "^4", + "mediawiki/semantic-media-wiki": "^6", + "mediawiki/semantic-result-formats": "^5", "mediawiki/codemirror": "^6", "mediawiki/templatestyles": "^1", - "octfx/template-styles-extender": "^1.2", - "mediawiki/widgets": "^1.6" + "octfx/template-styles-extender": "^2.1", + "mediawiki/widgets": "^1.7" }, "config": { "preferred-install": "source", diff --git a/public_mediawiki/public_mediawiki.conf b/public_mediawiki/public_mediawiki.conf index c89ff63..81521d2 100644 --- a/public_mediawiki/public_mediawiki.conf +++ b/public_mediawiki/public_mediawiki.conf @@ -19,6 +19,7 @@ server { } location / { + add_header 'X-Content-Type-Options' 'nosniff'; try_files $uri $uri/ @rewrite; } From ea01550b665ead332a30f45d1d3d76cdfe49c161 Mon Sep 17 00:00:00 2001 From: filmroellchen Date: Sat, 7 Feb 2026 16:20:15 +0000 Subject: [PATCH 19/24] update orgawiki state --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c4dbfd..de37612 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ Config for [wiki.ctbk.de](https://wiki.ctbk.de) and the upcoming Orgawiki deploy For deployment documentation refer to [the Wiki](https://wiki.ctbk.de/Dienste/Wiki). -Files for the [wiki.ctbk.de](https://wiki.ctbk.de) public deployment are found in `public_mediawiki`. Files for the internal deployment (not yet in production) are found in `orga_mediawiki`. Some common files are found in the root directory. +Files for the [wiki.ctbk.de](https://wiki.ctbk.de) public deployment are found in `public_mediawiki`. Files for [orgawiki.ctbk.de](https://orgawiki.ctbk.de) are found in `orga_mediawiki`. Some common files are found in the root directory. Note that while some files may look identical between the deployments, they are not shared to allow easier modifications to both deployments independently. From d207d0c008d1e5bc0200e8f199e8c52da809276d Mon Sep 17 00:00:00 2001 From: autinerd Date: Sat, 7 Feb 2026 18:08:47 +0100 Subject: [PATCH 20/24] Add UserFunctions to orgawiki --- orga_mediawiki/LocalSettings.php | 4 ++ orga_mediawiki/composer.local.json | 89 ++++++++++++++++++------------ 2 files changed, 57 insertions(+), 36 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index b238e71..ce49c92 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -170,6 +170,7 @@ wfLoadExtension( 'SemanticMediaWiki' ); enableSemantics( 'orgawiki.ctbk.de' ); wfLoadExtension( 'Lockdown' ); +wfLoadExtension( 'UserFunctions' ); #### Permissions @@ -291,6 +292,9 @@ $smwgNamespacesWithSemanticLinks[NS_VEREIN_TALK] = true; $wgContentNamespaces[] = NS_FSCK; $wgContentNamespaces[] = NS_VEREIN; +# Allow user functions in all namespaces, needed for main page based on group membership +$wgUFAllowedNamespaces = array_fill( 0, 300, true ); + # use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For $wgUsePrivateIPs = true; # ingress haproxy 
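Review bot: `$wgUFAllowedNamespaces = array_fill( 0, 300, true );` enables the UserFunctions parser functions in every namespace with an id from 0 to 299, including talk, user and template pages, while the comment gives the main page as the only need. Restricting it to the namespaces that actually use the functions, e.g. `$wgUFAllowedNamespaces[NS_MAIN] = true;`, keeps per-user output out of pages that any orga user can edit. I would also leave `$wgUFEnablePersonalDataFunctions` at its default and say so in the comment, so that a later change to it is a visible decision.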
diff --git a/orga_mediawiki/composer.local.json b/orga_mediawiki/composer.local.json index 0c6de64..d38bb2c 100644 --- a/orga_mediawiki/composer.local.json +++ b/orga_mediawiki/composer.local.json 
@@ -1,38 +1,55 @@ { - "repositories": [ - { - "type": "vcs", - "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect" - }, - { - "type": "package", - "package": { - "name": "x-mediawiki/lockdown", - "version": "1.1.0", - "type": "mediawiki-extension", - "extra": { - "installer-name": "Lockdown" - }, - "source": { - "type": "git", - "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown", - "reference": "REL1_43" - } - } - } - ], - "require": { - "starcitizentools/citizen-skin": "^3", - "mediawiki/pluggable-auth": "^7", - "mediawiki/openidconnect": "^8.3", - "mediawiki/semantic-compound-queries": "^3", - "mediawiki/semantic-extra-special-properties": "^4", - "mediawiki/semantic-media-wiki": "^6", - "mediawiki/semantic-result-formats": "^5", - "x-mediawiki/lockdown": "^1.1" - }, - "config": { - "preferred-install": "source", - "optimize-autoloader": true - } + "repositories": [ + { + "type": "vcs", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect" + }, + { + "type": "package", + "package": { + "name": "x-mediawiki/lockdown", + "version": "1.1.0", + "type": "mediawiki-extension", + "extra": { + "installer-name": "Lockdown" + }, + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/Lockdown", + "reference": "REL1_43" + } + } + }, + { + "type": "package", + "package": { + "name": "x-mediawiki/userfunctions", + "version": "2.8.1", + "type": "mediawiki-extension", + "extra": { + "installer-name": "UserFunctions" + }, + "source": { + "type": "git", + "url": "https://gerrit.wikimedia.org/r/mediawiki/extensions/UserFunctions", + "reference": "REL1_43" + } + } + } + ], + "require": { + "starcitizentools/citizen-skin": "^3", + "mediawiki/pluggable-auth": "^7", + "mediawiki/openidconnect": "^8.3", + "mediawiki/semantic-compound-queries": "^3", + "mediawiki/semantic-extra-special-properties": "^4", + "mediawiki/semantic-media-wiki": "^6", + "mediawiki/semantic-result-formats": 
"^5", + "x-mediawiki/lockdown": "^1.1", + "x-mediawiki/userfunctions": "^2.8" + }, + "config": { + "preferred-install": "source", + "optimize-autoloader": true + } } From de1ccbf399557ce9353c5b157b862bfabaabdea7 Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Sun, 8 Feb 2026 19:22:37 +0100 Subject: [PATCH 21/24] add verein substructure with group sync --- orga_mediawiki/LocalSettings.php | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index ce49c92..33f1244 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -32,12 +32,12 @@ $wgMetaNamespace = "Wiki"; #### Namespace config define('NS_FSCK', 100); define('NS_FSCK_TALK', 101); -define('NS_VEREIN', 200); -define('NS_VEREIN_TALK', 201); +define('NS_VORSTAND', 200); +define('NS_VORSTAND_TALK', 201); $wgExtraNamespaces[NS_FSCK] = 'FSCK'; $wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion'; -$wgExtraNamespaces[NS_VEREIN] = 'Verein'; -$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion'; +$wgExtraNamespaces[NS_VORSTAND] = 'Vorstand'; +$wgExtraNamespaces[NS_VORSTAND_TALK] = 'Vorstand_Diskussion'; ## The URL base path to the directory containing the wiki; ## defaults for all runtime URL paths are based off of this. @@ -205,6 +205,9 @@ $wgGroupPermissions['orga-users']['createpage'] = true; $wgGroupPermissions['orga-fsck']['edit'] = true; $wgGroupPermissions['orga-fsck']['read'] = true; $wgGroupPermissions['orga-fsck']['createpage'] = true; +$wgGroupPermissions['orga-vorstand']['edit'] = true; +$wgGroupPermissions['orga-vorstand']['read'] = true; +$wgGroupPermissions['orga-vorstand']['createpage'] = true; $wgGroupPermissions['orga-verein']['edit'] = true; $wgGroupPermissions['orga-verein']['read'] = true; $wgGroupPermissions['orga-verein']['createpage'] = true; 
@@ -217,6 +220,7 @@ $wgGroupPermissions['sysop']['createpage'] = true; #### Lockdown configuration $wgSpecialPageLockdown['Export'] = ['user']; $wgSpecialPageLockdown['Recentchanges'] = ['user']; +$wgNamespacePermissionLockdown[NS_MAIN]['read'] = ['orga-users']; # remove most namespace permissions $wgNamespacePermissionLockdown['*']['read'] = ['sysop']; @@ -226,7 +230,7 @@ $wgNamespacePermissionLockdown['*']['createpage'] = ['sysop']; # limit template workaround $wgNonincludableNamespaces[] = NS_MAIN; $wgNonincludableNamespaces[] = NS_PROJECT; -$wgNonincludableNamespaces[] = NS_VEREIN; +$wgNonincludableNamespaces[] = NS_VORSTAND; $wgNonincludableNamespaces[] = NS_FSCK; # FSCK namespace @@ -235,9 +239,9 @@ $wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ]; $wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ]; # Verein namespace -$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ]; -$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ]; -$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ]; +$wgNamespacePermissionLockdown[NS_VORSTAND]['read'] = [ 'orga-vorstand' ]; +$wgNamespacePermissionLockdown[NS_VORSTAND]['edit'] = [ 'orga-vorstand' ]; +$wgNamespacePermissionLockdown[NS_VORSTAND]['createpage'] = [ 'orga-vorstand' ]; #### SSO config # necessary to allow admin user(s) to login @@ -259,7 +263,8 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ 'interface-admin' => [ 'groups' => '/mediawiki/admins' ], 'orga-users' => [ 'groups' => '/orgawiki/users' ], 'orga-fsck' => [ 'groups' => '/ctbk/fsck' ], - 'orga-verein' => [ 'groups' => '/todo-verein-orga' ] + 'orga-vorstand' => [ 'groups' => '/ctbk/vorstand' ], + 'orga-verein' => [ 'groups' => '/ctbk/members' ] ] ] ] 
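Review bot: After this commit no Lockdown rule lists `orga-verein`: NS_MAIN is readable by `orga-users` only, NS_FSCK by `orga-fsck`, NS_VORSTAND by `orga-vorstand`, and the wildcard rules fall back to `sysop`. If Lockdown treats each list as the complete set of allowed groups, an account that arrives only with `/ctbk/members` gets the global `read`/`edit` rights from `$wgGroupPermissions` but cannot open any namespace; this fails closed, but it is probably not what the new group sync entry intends. Either add `'orga-verein'` to the namespaces members should see, or note in a comment that `/ctbk/members` is expected to be combined with `/orgawiki/users`. The heading `# Verein namespace` above the three rewritten rules should become `# Vorstand namespace`.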
@@ -282,15 +287,15 @@ $smwgURITypeSchemeList = array_merge($smwgURITypeSchemeList, ['matrix']); ### Namespace attributes $wgNamespacesWithSubpages[NS_MAIN] = true; $wgNamespacesWithSubpages[NS_FSCK] = true; -$wgNamespacesWithSubpages[NS_VEREIN] = true; +$wgNamespacesWithSubpages[NS_VORSTAND] = true; $wgNamespacesWithSubpages[NS_TEMPLATE] = true; # SMW enabled on custom namespaces $smwgNamespacesWithSemanticLinks[NS_FSCK] = true; $smwgNamespacesWithSemanticLinks[NS_FSCK_TALK] = true; -$smwgNamespacesWithSemanticLinks[NS_VEREIN] = true; -$smwgNamespacesWithSemanticLinks[NS_VEREIN_TALK] = true; +$smwgNamespacesWithSemanticLinks[NS_VORSTAND] = true; +$smwgNamespacesWithSemanticLinks[NS_VORSTAND_TALK] = true; $wgContentNamespaces[] = NS_FSCK; -$wgContentNamespaces[] = NS_VEREIN; +$wgContentNamespaces[] = NS_VORSTAND; # Allow user functions in all namespaces, needed for main page based on group membership $wgUFAllowedNamespaces = array_fill( 0, 300, true ); From e5a4bfe2a16476df45266dbdf4f7de9120ee4c15 Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Mon, 16 Feb 2026 01:19:02 +0100 Subject: [PATCH 22/24] increase default user login times --- orga_mediawiki/LocalSettings.php | 4 ++++ public_mediawiki/LocalSettings.php | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/orga_mediawiki/LocalSettings.php b/orga_mediawiki/LocalSettings.php index 33f1244..a620443 100644 --- a/orga_mediawiki/LocalSettings.php +++ b/orga_mediawiki/LocalSettings.php @@ -270,6 +270,10 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ ] ]; +# keep users logged in for extended amounts of time +$wgObjectCacheSessionExpiry = 5 * 24 * 60 * 60; +$wgExtendedLoginCookieExpiration = 365 * 24 * 60 * 60; + # interwiki config $wgGroupPermissions['sysop']['interwiki'] = true; $wgInterwikiMagic = true; diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index d1ba7cc..55d46c0 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php 
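Review bot: `$wgExtendedLoginCookieExpiration = 365 * 24 * 60 * 60;` keeps a remembered login valid for a year on a wiki whose access to the FSCK and Vorstand namespaces is derived from Keycloak groups. As far as I know PluggableAuth applies the `groupsyncs` mapping when a user authenticates, so an account removed from `/ctbk/vorstand` or `/mediawiki/admins` would keep the matching wiki group until its next real login. I would shorten the extended cookie lifetime on the orga wiki or document the offboarding step, e.g. `# group removal in Keycloak only takes effect at next login - invalidate the user's sessions when revoking access`. The same two lines are added to public_mediawiki/LocalSettings.php in this commit, where the admin groups are synced the same way.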
@@ -215,6 +215,10 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ ] ]; +# keep users logged in for extended amounts of time +$wgObjectCacheSessionExpiry = 5 * 24 * 60 * 60; +$wgExtendedLoginCookieExpiration = 365 * 24 * 60 * 60; + $wgDefaultUserOptions['usecodemirror'] = 1; # interwiki config From 8a2ad45dca35797fc6065620a976d7472e526ee1 Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Tue, 17 Feb 2026 00:10:43 +0100 Subject: [PATCH 23/24] increase recent changes history --- public_mediawiki/LocalSettings.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 55d46c0..4fc7e14 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -219,6 +219,8 @@ $wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [ $wgObjectCacheSessionExpiry = 5 * 24 * 60 * 60; $wgExtendedLoginCookieExpiration = 365 * 24 * 60 * 60; +$wgRCMaxAge = 180 * 24 * 3600; + $wgDefaultUserOptions['usecodemirror'] = 1; # interwiki config From 9356c8d6ec2039ae804eac747bb31fe141b62f98 Mon Sep 17 00:00:00 2001 From: MediaWiki Date: Thu, 26 Feb 2026 19:13:01 +0100 Subject: [PATCH 24/24] allow hiding revisions for admins --- public_mediawiki/LocalSettings.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/public_mediawiki/LocalSettings.php b/public_mediawiki/LocalSettings.php index 4fc7e14..bef90d6 100755 --- a/public_mediawiki/LocalSettings.php +++ b/public_mediawiki/LocalSettings.php @@ -191,6 +191,10 @@ $wgGroupPermissions['user']['upload_by_url'] = true; $wgGroupPermissions['*']['editwidgets'] = false; $wgGroupPermissions['sysop']['editwidgets'] = true; +# allow admins and mods to delete revisions +$wgGroupPermissions['sysop']['deleterevision'] = true; +$wgGroupPermissions['sysop']['deletelogentry'] = true; + # SSO config # necessary to allow admin user(s) to login $wgPluggableAuth_EnableLocalLogin = true;
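Review bot: The comment `# allow admins and mods to delete revisions` in the last hunk names two roles, but the two added lines grant `deleterevision` and `deletelogentry` to `sysop` only, and no moderator group appears in the visible configuration. Either reword it to `# allow admins to hide revisions and log entries` or add the grant for the intended group. The comment could also state that hidden revisions remain viewable by sysops, so this is not a replacement for suppression when personal data must be removed.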