<?php
# Internal wiki settings

# This file was automatically generated by the MediaWiki 1.39.10
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
#
# See docs/Configuration.md for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
#
# Further documentation for configuration settings may be found at:
# https://www.mediawiki.org/wiki/Manual:Configuration_settings

# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

## Include platform/distribution defaults
#require_once "$IP/includes/PlatformSettings.php";

## Server secrets file
require_once "/etc/orga_mediawiki/SecretSettings.php";

## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;

$wgSitename = "CTBK Orgawiki";
$wgMetaNamespace = "Wiki";

## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath       = "";
$wgArticlePath      = "/$1";
$wgUsePathInfo      = true;
$wgScriptExtension  = ".php";

## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://orgawiki.ctbk.de";

## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;

## The URL paths to the logo.  Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
# TODO: Chaostreff logo
$wgLogos = [
	'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
	'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
];

## UPO means: this is also a user preference option

$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO

$wgEmergencyContact = "";
$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;

## Database settings
$wgDBtype = "postgres";
$wgDBserver = "localhost";
$wgDBname = "orga_mediawiki";
$wgDBuser = "mediawiki";
# password is in secret settings

# Postgres specific settings
$wgDBport = "5432";
$wgDBmwschema = "mediawiki";

# Shared database table
# This has no effect unless $wgSharedDB is also set.
$wgSharedTables[] = "actor";

## Shared memory settings
$wgMainCacheType = CACHE_ACCEL;
$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";

# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;

# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = false;

# Site language code, should be one of the list in ./includes/languages/data/Names.php
$wgLanguageCode = "de";

# Time zone
$wgLocaltimezone = "Europe/Berlin";

## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
$wgCacheDirectory = "/var/cache/orga_mediawiki";

# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";

## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "Alle Rechte vorbehalten";
$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

## Default skin
# For MinervaNeue it’s "minerva"
$wgDefaultSkin = "citizen";
$wgDefaultMobileSkin = 'citizen';

# Enabled skins.
wfLoadSkin( 'MinervaNeue' );
# TODO: set theme color
wfLoadSkin( 'Citizen' );

# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtension( 'ExtensionName' );
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'CategoryTree' );
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'ImageMap' );
wfLoadExtension( 'Interwiki' );
wfLoadExtension( 'InputBox' );
wfLoadExtension( 'Math' );
wfLoadExtension( 'Nuke' );
wfLoadExtension( 'ParserFunctions' );
wfLoadExtension( 'Poem' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'ReplaceText' );
wfLoadExtension( 'SpamBlacklist' );
wfLoadExtension( 'TemplateData' );
wfLoadExtension( 'TitleBlacklist' );
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'WikiEditor' );

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

wfLoadExtension( 'SemanticMediaWiki' );
enableSemantics( 'orgawiki.ctbk.de' );

wfLoadExtension( 'Lockdown' );

#### Namespace config
define('NS_FSCK', 100);
define('NS_FSCK_TALK', 101);
define('NS_VEREIN', 200);
define('NS_VEREIN_TALK', 201);
$wgExtraNamespaces[NS_FSCK] = 'FSCK';
$wgExtraNamespaces[NS_FSCK_TALK] = 'FSCK_Diskussion';
$wgExtraNamespaces[NS_VEREIN] = 'Verein';
$wgExtraNamespaces[NS_VEREIN_TALK] = 'Verein_Diskussion';

#### Permissions

# Disable account creation - we only use SSO accounts
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['sysop']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
# Also disable reading/editing by non-logged-in users, making the wiki properly private
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
# Remove tons of permissions from standard users
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['upload'] = false;
$wgGroupPermissions['user']['reupload'] = false;
$wgGroupPermissions['user']['reupload-shared'] = false;
$wgGroupPermissions['user']['movefile'] = false;
$wgGroupPermissions['user']['move-rootuserpages'] = false;
$wgGroupPermissions['user']['move-categorypages'] = false;
$wgGroupPermissions['user']['move-subpages'] = false;
$wgGroupPermissions['user']['move'] = false;
# give all the user groups basic rights -- taken away by Lockdown again mostly, but Lockdown cannot give permissions that don’t exist on the user
$wgGroupPermissions['orga-users']['edit'] = true;
$wgGroupPermissions['orga-users']['read'] = true;
$wgGroupPermissions['orga-users']['createpage'] = true;
$wgGroupPermissions['orga-fsck']['edit'] = true;
$wgGroupPermissions['orga-fsck']['read'] = true;
$wgGroupPermissions['orga-fsck']['createpage'] = true;
$wgGroupPermissions['orga-verein']['edit'] = true;
$wgGroupPermissions['orga-verein']['read'] = true;
$wgGroupPermissions['orga-verein']['createpage'] = true;

# sysop rights
$wgGroupPermissions['sysop']['edit'] = true;
$wgGroupPermissions['sysop']['read'] = true;
$wgGroupPermissions['sysop']['createpage'] = true;

#### Lockdown configuration
$wgSpecialPageLockdown['Export'] = ['user'];
$wgSpecialPageLockdown['Recentchanges'] = ['user'];

# remove most namespace permissions
$wgNamespacePermissionLockdown['*']['read'] = ['sysop'];
$wgNamespacePermissionLockdown['*']['edit'] = ['sysop'];
$wgNamespacePermissionLockdown['*']['createpage'] = ['sysop'];

# limit template workaround
$wgNonincludableNamespaces[] = [ NS_MAIN, NS_PROJECT, NS_VEREIN, NS_FSCK ];

# FSCK namespace
$wgNamespacePermissionLockdown[NS_FSCK]['read'] = [ 'orga-fsck' ];
$wgNamespacePermissionLockdown[NS_FSCK]['edit'] = [ 'orga-fsck' ];
$wgNamespacePermissionLockdown[NS_FSCK]['createpage'] = [ 'orga-fsck' ];

# Verein namespace
$wgNamespacePermissionLockdown[NS_VEREIN]['read'] = [ 'orga-verein' ];
$wgNamespacePermissionLockdown[NS_VEREIN]['edit'] = [ 'orga-verein' ];
$wgNamespacePermissionLockdown[NS_VEREIN]['createpage'] = [ 'orga-verein' ];

#### SSO config
# necessary to allow admin user(s) to login
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_Config["Chaostreff Backnang IdP"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://idp.ctbk.de/realms/ctbk/',
	'clientID' => 'orga_mediawiki',
	'scope' => [ 'openid', 'profile', 'email', 'groups' ],
        'clientsecret' => $ctbkClientSecret
    ],
    'groupsyncs' => [
      [
       'type' => 'mapped',
       'map' => [
         'sysop' => [ 'groups' => '/mediawiki/admins' ],
         'bureaucrat' => [ 'groups' => '/mediawiki/admins' ],
	 'interface-admin' => [ 'groups' => '/mediawiki/admins' ],
	 'orga-users' => [ 'groups' => '/orgawiki/users' ],
	 'orga-fsck' => [ 'groups' => '/todo-fsck-orga' ],
	 'orga-verein' => [ 'groups' => '/todo-verein-orga' ]
       ]
      ]
    ]
];

# interwiki config
$wgGroupPermissions['sysop']['interwiki'] = true;
$wgInterwikiMagic = true;
$wgHideInterlanguageLinks = false;

# for better error reporting - disable while in production
#error_reporting( -1 );
#ini_set( 'display_errors', 1 );
#$wgShowExceptionDetails = true;
#$wgShowDBErrorBacktrace = true;

$wgNamespacesWithSubpages[NS_MAIN] = true;
$wgNamespacesWithSubpages[NS_FSCK] = true;
$wgNamespacesWithSubpages[NS_VEREIN] = true;
$wgNamespacesWithSubpages[NS_TEMPLATE] = true;

# use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For
$wgUsePrivateIPs = true;
# ingress haproxy
$wgCdnServersNoPurge = [ '10.140.0.1' ];