From 82a5758c55a5d8c1502c3498c5766aed5eeb7cc3 Mon Sep 17 00:00:00 2001
From: Erik Gustafson
Date: Sat, 2 Apr 2022 19:42:16 +0200
Subject: [PATCH] Template for mediawiki
---
mediawiki/Bastillefile | 23 +++++
mediawiki/LocalSettings.php | 152 ++++++++++++++++++++++++++++
mediawiki/nginx_site/mediawiki.conf | 90 ++++++++++++++++
nginx-php/Bastillefile | 7 ++
nginx/Bastillefile | 8 ++
nginx/nginx.conf | 123 ++++++++++++++++++++++
setup.sh | 3 +
7 files changed, 406 insertions(+)
create mode 100644 mediawiki/LocalSettings.php
create mode 100644 mediawiki/nginx_site/mediawiki.conf
create mode 100644 nginx-php/Bastillefile
create mode 100644 nginx/Bastillefile
create mode 100644 nginx/nginx.conf
create mode 100755 setup.sh
diff --git a/mediawiki/Bastillefile b/mediawiki/Bastillefile
index 095555b..214fd20 100644
--- a/mediawiki/Bastillefile
+++ b/mediawiki/Bastillefile
@@ -1 +1,24 @@
+ARG WEBSITE.NAME=mediawiki
+ARG WEBSITE.PORT=80
+ARG DB.HOST=localhost
+ARG DB.PORT=3306
+ARG DB.DB=mediawiki
+ARG DB.USER=mediawiki
+ARG DB.PASSWORD=mediawiki
+
+ARG SITE.ADDRESS=http://${JAIL_IP}:${WEBSITE.PORT}
+ARG SITE.SECRET_KEY="; die("Secret key missing"); $a="
+
+
+INCLUDE public/nginx-php PKG mediawiki137-php80
+PKG git
+PKG ImageMagick7-nox11
+
+CP nginx_site/mediawiki.conf /usr/local/etc/nginx/sites-enabled/${WEBSITE.NAME}.conf
+RENDER /usr/local/etc/nginx/sites-enabled/${WEBSITE.NAME}.conf
+
+CP LocalSettings.php /usr/local/www/mediawiki/LocalSettings.php
+RENDER /usr/local/www/mediawiki/LocalSettings.php
+
+SERVICE nginx reload
diff --git a/mediawiki/LocalSettings.php b/mediawiki/LocalSettings.php
new file mode 100644
index 0000000..fc17885
--- /dev/null
+++ b/mediawiki/LocalSettings.php
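Review bot: `ARG DB.PASSWORD=mediawiki` ships a well-known default credential that the later `RENDER /usr/local/www/mediawiki/LocalSettings.php` writes straight into `$wgDBpassword`, whereas `ARG SITE.SECRET_KEY="; die("Secret key missing"); $a="` deliberately turns into a `die()` in the rendered PHP when it is not overridden. The database password deserves the same fail-closed treatment, e.g. `ARG DB.PASSWORD="; die("DB password missing"); $a="`, or at minimum a comment stating that every DB.* and SITE.* ARG must be overridden when the template is applied. The sentinel itself reads like a typo without a comment; something like `# Deliberately invalid default: rendered into LocalSettings.php it becomes die(), so applying the template without overriding SITE.SECRET_KEY fails closed` next to it would prevent a well-meaning cleanup. Note that the trick only works while LocalSettings.php wraps the value in double quotes. In this listing `PKG mediawiki137-php80` appears joined to the `INCLUDE` line; presumably it is its own line in the file.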
@@ -0,0 +1,152 @@
+ "$wgResourceBasePath/resources/assets/wiki.png" ];
+
+## UPO means: this is also a user preference option
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "apache@🌻.invalid";
+$wgPasswordSender = "apache@🌻.invalid";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "mysql";
+$wgDBserver = "${DB.HOST}";
+$wgDBname = "${DB.DB}";
+$wgDBuser = "${DB.USER}";
+$wgDBpassword = "${DB.PASSWORD}";
+
+# MySQL specific settings
+$wgDBprefix = "";
+
+# MySQL table options to use during installation or update
+$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
+
+# Shared database table
+# This has no effect unless $wgSharedDB is also set.
+$wgSharedTables[] = "actor";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_NONE;
+$wgMemCachedServers = [];
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = false;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/local/bin/convert";
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+# Periodically send a pingback to https://www.mediawiki.org/ with basic data
+# about this MediaWiki instance. The Wikimedia Foundation shares this data
+# with MediaWiki developers to help guide future development efforts.
+$wgPingback = false;
+
+## If you use ImageMagick (or any other shell command) on a
+## Linux server, this will need to be set to the name of an
+## available UTF-8 locale. This should ideally be set to an English
+## language locale so that the behaviour of C library functions will
+## be consistent with typical installations. Use $wgLanguageCode to
+## localise the wiki.
+$wgShellLocale = "C.UTF-8";
+
+# Site language code, should be one of the list in ./languages/data/Names.php
+$wgLanguageCode = "en-gb";
+
+# Time zone
+$wgLocaltimezone = "UTC";
+
+## Set $wgCacheDirectory to a writable directory on the web server
+## to make your wiki go slightly faster. The directory should not
+## be publicly accessible from the web.
+#$wgCacheDirectory = "$IP/cache";
+
+$wgSecretKey = "${SITE.SECRET_KEY}";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+# Site upgrade key. Must be set to a string (default provided) to turn on the
+# web installer while LocalSettings.php is in place
+#$wgUpgradeKey = "ee098ac0832bbd5e";
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+$wgRightsUrl = "";
+$wgRightsText = "";
+$wgRightsIcon = "";
+
+# Path to the GNU diff3 utility. Used for conflict resolution.
+$wgDiff3 = "/usr/bin/diff3";
+
+# The following permissions were set based on your choice in the installer
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['*']['edit'] = false;
+
+## Default skin: you can change the default skin. Use the internal symbolic
+## names, e.g. 'vector' or 'monobook':
+$wgDefaultSkin = "vector";
+
+# Enabled skins.
+# The following skins were automatically enabled:
+wfLoadSkin( 'MonoBook' );
+wfLoadSkin( 'Timeless' );
+wfLoadSkin( 'Vector' );
+
+
+# Enabled extensions. Most of the extensions are enabled by adding
+# wfLoadExtension( 'ExtensionName' );
+# to LocalSettings.php. Check specific extension documentation for more details.
+# The following extensions were automatically enabled:
+wfLoadExtension( 'CodeEditor' );
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'WikiEditor' );
+
+
+# End of automatically generated settings.
+# Add more configuration options below.
diff --git a/mediawiki/nginx_site/mediawiki.conf b/mediawiki/nginx_site/mediawiki.conf
new file mode 100644
index 0000000..17b7847
--- /dev/null
+++ b/mediawiki/nginx_site/mediawiki.conf
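Review bot: `$wgDBpassword = "${DB.PASSWORD}";` and `$wgSecretKey = "${SITE.SECRET_KEY}";` place rendered values inside PHP double-quoted strings, so a password or key containing `$`, `"` or `\` is interpolated or breaks the file instead of being used verbatim; the same applies to `$wgDBserver`, `$wgDBname` and `$wgDBuser`. Single-quoted literals such as `$wgDBpassword = '${DB.PASSWORD}';` leave only `'` and `\` special, but the fail-closed default for SITE.SECRET_KEY in mediawiki/Bastillefile relies on double quotes and would have to be rewritten around single quotes at the same time. `$wgImageMagickConvertCommand = "/usr/local/bin/convert";` presumably comes from the ImageMagick7-nox11 package; worth confirming the path exists in the jail, as ImageMagick 7 primarily installs `magick`. The beginning of this hunk (from the PHP opening tag through the `$wgLogos` line) is not visible in this listing, so settings such as `$wgServer` could not be reviewed.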
@@ -0,0 +1,90 @@
+server {
+ listen ${WEBSITE.PORT};
+ root /usr/local/www/${WEBSITE.NAME};
+ index index.php;
+
+ # Location for wiki's entry points
+ location ~ ^/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ # include the fastcgi_param setting
+ include fastcgi_params;
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line:
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ # Images
+ location /images {
+ # Separate location for images/ so .php execution won't apply
+ }
+ location /images/deleted {
+ # Deny access to deleted images folder
+ deny all;
+ }
+ # MediaWiki assets (usually images)
+ location ~ ^/resources/(assets|lib|src) {
+ try_files $uri 404;
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+ # Assets, scripts and styles from skins and extensions
+ location ~ ^/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm)$ {
+ try_files $uri 404;
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+ # Favicon
+ location = /favicon.ico {
+ alias /images/6/64/Favicon.ico;
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+
+ # License and credits files
+ location ~ ^/(COPYING|CREDITS)$ {
+ default_type text/plain;
+ }
+
+ ## Uncomment the following code if you wish to use the installer/updater
+ ## installer/updater
+ location /mw-config/ {
+ # Do this inside of a location so it can be negated
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
+ }
+ }
+
+ # Handling for Mediawiki REST API, see [[mw:API:REST_API]]
+ location /rest.php/ {
+ try_files $uri $uri/ /rest.php?$query_string;
+ }
+
+ ## Uncomment the following code for handling image authentication
+ ## Also add "deny all;" in the location for /w/images above
+ #location /w/img_auth.php/ {
+ # try_files $uri $uri/ /w/img_auth.php?$query_string;
+ #}
+
+
+ # Allow robots.txt in case you have one
+ location = /robots.txt {
+ }
+ # Explicit access to the root website, redirect to main page (adapt as needed)
+ location = / {
+ return 301 /index.php;
+ }
+
+ # Every other entry point will be disallowed.
+ # Add specific rules for other entry points/images as needed above this
+ location / {
+ return 404;
+ }
+}
+
diff --git a/nginx-php/Bastillefile b/nginx-php/Bastillefile
new file mode 100644
index 0000000..3290128
--- /dev/null
+++ b/nginx-php/Bastillefile
@@ -0,0 +1,7 @@
+INCLUDE public/nginx
+
+
+CMD cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
+
+SYSRC php_fpm_enable=YES
+SERVICE php-fpm start
diff --git a/nginx/Bastillefile b/nginx/Bastillefile
new file mode 100644
index 0000000..89ca2f6
--- /dev/null
+++ b/nginx/Bastillefile
@@ -0,0 +1,8 @@
+PKG nginx
+
+CMD mkdir /usr/local/etc/nginx/sites-enabled
+CP nginx.conf /usr/local/etc/nginx/nginx.conf
+
+SYSRC nginx_enable=YES
+
+SERVICE nginx start
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..dd37a1f
--- /dev/null
+++ b/nginx/nginx.conf
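Review bot: The `location /mw-config/` block is active even though its own heading says to uncomment it only when the installer/updater is wanted, so `/mw-config/*.php` is handed to PHP-FPM on every deployment; with `$wgUpgradeKey` left commented out in LocalSettings.php the updater should refuse to run, but it remains reachable surface, and the nested `location ~ \.php$` also lacks the `fastcgi_param HTTP_PROXY "";` that the main entry-point location sets. Either comment the block out until it is needed or restrict it, e.g. `allow 127.0.0.1; deny all;` inside `location /mw-config/`, and add the HTTP_PROXY line next to the other `fastcgi_param`. Separately, `alias /images/6/64/Favicon.ico;` is an absolute filesystem path rather than a path under `root`, so it only resolves if a `/images` tree exists in the jail; `alias /usr/local/www/${WEBSITE.NAME}/images/6/64/Favicon.ico;` is presumably what is intended.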
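Review bot: `CMD mkdir /usr/local/etc/nginx/sites-enabled` fails when the directory already exists, which happens whenever the template is re-applied to a jail or the directory was created by hand; if Bastille treats a failing CMD as fatal, the apply stops before nginx.conf is copied. `CMD mkdir -p /usr/local/etc/nginx/sites-enabled` is idempotent. A short comment on the next line would also help the reader, e.g. `# nginx.conf ends with include sites-enabled/*.conf; site templates drop their server blocks there`.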
@@ -0,0 +1,123 @@
+
+#user nobody;
+worker_processes 1;
+
+# This default error log path is compiled-in to make sure configuration parsing
+# errors are logged somewhere, especially during unattended boot when stderr
+# isn't normally logged anywhere. This path will be touched on every nginx
+# start regardless of error log location configured here. See
+# https://trac.nginx.org/nginx/ticket/147 for more info.
+#
+#error_log /var/log/nginx/error.log;
+#
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+# server {
+# listen 80;
+# server_name localhost;
+#
+# #charset koi8-r;
+#
+# #access_log logs/host.access.log main;
+#
+# location / {
+# root /usr/local/www/nginx;
+# index index.html index.htm;
+# }
+#
+# #error_page 404 /404.html;
+#
+# # redirect server error pages to the static page /50x.html
+# #
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/local/www/nginx-dist;
+# }
+#
+# # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+# #
+# #location ~ \.php$ {
+# # proxy_pass http://127.0.0.1;
+# #}
+#
+# # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+# #
+# #location ~ \.php$ {
+# # root html;
+# # fastcgi_pass 127.0.0.1:9000;
+# # fastcgi_index index.php;
+# # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+# # include fastcgi_params;
+# #}
+#
+# # deny access to .htaccess files, if Apache's document root
+# # concurs with nginx's one
+# #
+# #location ~ /\.ht {
+# # deny all;
+# #}
+# }
+
+
+ # another virtual host using mix of IP-, name-, and port-based configuration
+ #
+ #server {
+ # listen 8000;
+ # listen somename:8080;
+ # server_name somename alias another.alias;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+
+
+ # HTTPS server
+ #
+ #server {
+ # listen 443 ssl;
+ # server_name localhost;
+
+ # ssl_certificate cert.pem;
+ # ssl_certificate_key cert.key;
+
+ # ssl_session_cache shared:SSL:1m;
+ # ssl_session_timeout 5m;
+
+ # ssl_ciphers HIGH:!aNULL:!MD5;
+ # ssl_prefer_server_ciphers on;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+
+ include sites-enabled/*.conf;
+}
diff --git a/setup.sh b/setup.sh
new file mode 100755
index 0000000..020076e
--- /dev/null
+++ b/setup.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+ln -s $PWD /usr/local/bastille/templates/public
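Review bot: The `http` block never sets `server_tokens off;`, so nginx advertises its exact version in the `Server` header and on error pages; adding it next to `sendfile on;` is a cheap reduction of what a scanner learns. The rest of the file is the stock FreeBSD sample with the default server commented out and `include sites-enabled/*.conf;` appended, which is fine, but since the only TLS configuration is the commented sample `#server { listen 443 ssl; ...}` and the mediawiki site listens on plain `${WEBSITE.PORT}`, a comment above the include stating where TLS termination is expected to happen (or that it is not handled by this template yet) would save the next reader from guessing.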
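Review bot: `ln -s $PWD /usr/local/bastille/templates/public` leaves `$PWD` unquoted, so a checkout path containing whitespace is split into several arguments; write `ln -s "$PWD" /usr/local/bastille/templates/public`. With `set -e` the script also stops if `templates/public` already exists, which is sensible fail-closed behaviour but worth stating, e.g. `# fails if templates/public already exists; remove the stale link first`.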