diff --git a/pillar/role/wiki.sls b/pillar/role/wiki.sls
index 5561874..4d9923e 100644
--- a/pillar/role/wiki.sls
+++ b/pillar/role/wiki.sls
@@ -6,6 +6,9 @@ apparmor:
 httpd2-prefork:
 source: salt://profile/wiki/files/httpd2-prefork.apparmor
 template: jinja
+ magick:
+ source: salt://profile/wiki/files/magick.apparmor
+ template: jinja
 memcached:
 source: salt://profile/wiki/files/memcached.apparmor
 pygmentize:
@@ -14,7 +17,7 @@ apparmor:
 # list of wikis running MediaWiki 1.27 (this will allow us to migrate to a new version one by one later)
 mediawiki:
 default_version: '1_37'
- elasticsearch_server: water.infra.opensuse.org
+ elasticsearch_server: water4.infra.opensuse.org
 mysql_server: 192.168.47.4:3307
 wikis:
 # availale options:
@@ -53,7 +56,6 @@ mediawiki:
 skin: Chameleon
 robots: robots-disallow.txt
 site_notice: 'This is a test wiki. You are more than welcome to do test edits, but please keep in mind that all changes will be lost when we import a newer database dump.'
- version: '1_27-git'
 es:
 dbpass: not_in_salt_yet
 site_notice: '
The wikis are now using the new authentication system.
If you did not migrate your account yet, visit https://idp-portal-info.suse.com/
'
@@ -150,7 +152,8 @@ zypper:
 apache2-prefork: {}
 # needed for deploying en-test without going through packaging
 git: {}
- mediawiki_1_27-openSUSE: {}
+ ImageMagick: {}
+ mediawiki_1_37-openSUSE: {}
 mariadb-client: {}
 check_mk-agent-apache_status: {}
 # needed for migration to unpack tarballs
diff --git a/salt/profile/wiki/docroot.sls b/salt/profile/wiki/docroot.sls
index 3d05273..66df708 100644
--- a/salt/profile/wiki/docroot.sls
+++ b/salt/profile/wiki/docroot.sls
@@ -43,6 +43,7 @@
 - target: mediawiki_src/{{ symlink }}
 {%endfor%}
+{% if version != '1_27' %}
 # don't deploy LocalSettings.php and wiki_settings.php for wikis still using 1_27
 /srv/www//{{ wiki }}.opensuse.org/public/LocalSettings.php:
 file.managed:
 - source: salt://profile/wiki/files/LocalSettings.php
@@ -53,9 +54,11 @@
 data: {{ data }}
 mysql_server: {{ pillar['mediawiki']['mysql_server'] }}
 elasticsearch_server: {{ pillar['mediawiki']['elasticsearch_server'] }}
+ wgserver: {{ data.get('wgserver', 'https://' + wiki + '.opensuse.org') }}
 wiki: {{ wiki }}
 - source: salt://profile/wiki/files/wiki_settings.php
 - template: jinja
+{% endif %}
 /srv/www//{{ wiki }}.opensuse.org/public/robots.txt:
 file.managed:
diff --git a/salt/profile/wiki/files/LocalSettings.php b/salt/profile/wiki/files/LocalSettings.php
index 32dcee5..521b4fe 100644
--- a/salt/profile/wiki/files/LocalSettings.php
+++ b/salt/profile/wiki/files/LocalSettings.php
@@ -101,8 +101,8 @@ $wgLocalInterwiki = $wgSitename;
 ## License and Creative Commons licenses are supported so far.
 # $wgEnableCreativeCommonsRdf = true;
 $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
-$wgRightsUrl = "";
-$wgRightsText = "";
+$wgRightsUrl = "https://www.gnu.org/licenses/fdl-1.2.html";
+$wgRightsText = "GNU Free Documentation License 1.2";
 $wgRightsIcon = "";
 # $wgRightsCode = ""; # Not yet used 
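Review bot: The new `ImageMagick: {}` package pulls in the distribution's coder policy at `/etc/ImageMagick-7-SUSE/policy.xml`, which this change does not manage, while the only other control on the converter, the `magick-{{wiki}}` profile, is deployed in complain mode; the uploads it renders are attacker-controlled input. Ship a policy.xml from salt alongside the package that disables the coders MediaWiki does not need, e.g. `<policy domain="coder" rights="none" pattern="{MSL,MVG,URL,HTTPS,HTTP,FTP,EPHEMERAL,TEXT,LABEL,PS,PS2,PS3,EPS,PDF,XPS}" />` (PNG and SVG stay, matching the two coder modules the AppArmor profile lists), plus `<policy domain="resource" ...>` memory/time limits. Whether the openSUSE default policy already contains some of this is not visible here, so check the installed file before relying on it.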
@@ -248,33 +248,33 @@ $wgGroupPermissions['*']['createaccount'] = false;
 $wgGroupPermissions['*']['autocreateaccount'] = true;
 # UserMerge ------------------------
-require_once( "$IP/extensions/UserMerge/UserMerge.php" );
+wfLoadExtension('UserMerge');
 // By default nobody can use this function, enable for bureaucrat?
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 # WikiEditor -----------------------
-require_once("$IP/extensions/WikiEditor/WikiEditor.php");
+wfLoadExtension('WikiEditor');
 $wgDefaultUserOptions['usebetatoolbar'] = 1;
 $wgDefaultUserOptions['usebetatoolbar-cgd'] = 1;
 $wgDefaultUserOptions['wikieditor-preview'] = 1;
-# Intersection ---------------------
-include("$IP/extensions/intersection/DynamicPageList.php");
+# Intersection / DynamicPageList ---------------------
+wfLoadExtension('intersection');
 # RSS -----------------------
-include("$IP/extensions/RSS/RSS.php");
+wfLoadExtension('RSS');
 $wgRSSUrlWhitelist = array('*');
 $wgRSSUrlNumberOfAllowedRedirects = 2; # poo#67195
 # InputBox -------------------------
-require_once($IP.'/extensions/InputBox/InputBox.php');
+wfLoadExtension('InputBox');
 # ParserFunctions -----------------
-require_once( "$IP/extensions/ParserFunctions/ParserFunctions.php" );
+wfLoadExtension('ParserFunctions');
 # CategoryTree.php ----------------
-require_once("$IP/extensions/CategoryTree/CategoryTree.php");
-$wgCategoryTreeMaxDepth = array(CT_MODE_PAGES => 2, CT_MODE_ALL => 2, CT_MODE_CATEGORIES => 3);
+wfLoadExtension('CategoryTree');
+$wgCategoryTreeMaxDepth = array(/*CT_MODE_PAGES*/ 10 => 2, /*CT_MODE_ALL*/ 20 => 2, /*CT_MODE_CATEGORIES*/ 0 => 3);
 # EventCountdown ------------------
 require_once("$IP/extensions/EventCountdown.php"); 
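Review bot: `$wgRSSUrlWhitelist = array('*');`, kept next to the new `wfLoadExtension('RSS');`, lets anyone who can edit wikitext make the web server fetch an arbitrary URL through an `<rss>` tag, which reaches internal hosts named elsewhere in this change such as `192.168.47.4` and `water4.infra.opensuse.org`. The wildcard is pre-existing, but the 1.37 migration is the natural point to replace it with an explicit allow-list of the feeds the wikis actually embed, e.g. `$wgRSSUrlWhitelist = [ 'https://news.opensuse.org/feed/' ];` with the real entries taken from current `<rss>` uses (and `$wgRSSProxy` if fetches must go through a proxy). Also confirm that the RSS version bundled for 1.37 still reads `RSSUrlWhitelist`; if the setting had been renamed the old name would be silently ignored and, the default being an empty list as far as I recall, every feed would be refused rather than an error raised.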
@@ -285,10 +285,10 @@ $wgMultiBoilerplateOptions = false;
 $wgMultiBoilerplatePerNamespace = true;
 # Replace Text ----------------------------------------------
-require_once( "$IP/extensions/ReplaceText/ReplaceText.php" );
+wfLoadExtension('ReplaceText');
 # Interwiki links management ----------------------------------
-require_once("$IP/extensions/Interwiki/Interwiki.php");
+wfLoadExtension('Interwiki');
 $wgInterwikiMagic=true;
 $wgHideInterlanguageLinks=false;
 $wgGroupPermissions['*']['interwiki'] = false;
@@ -298,7 +298,7 @@ $wgGroupPermissions['sysop']['interwiki'] = true;
 require_once("extensions/videoflash.php");
 # Syntax highlighting ----------------------------------
-require_once("$IP/extensions/SyntaxHighlight_GeSHi/SyntaxHighlight_GeSHi.php");
+wfLoadExtension('SyntaxHighlight_GeSHi');
 # Hide page title ----------------------------------
 require_once("$IP/extensions/notitle.php");
@@ -314,7 +314,7 @@ $GLOBALS['egMapsGMaps3ApiKey'] = $google_maps_key;
 #$GLOBALS['egMapsDefaultService'] = 'leaflet';
 # protect user pages ----------------------------------
-include_once( "$IP/extensions/UserPageEditProtection/UserPageEditProtection.php" );
+wfLoadExtension('UserPageEditProtection');
 $wgOnlyUserEditUserPage = true; /* Set this to true to turn on user page protection */
 $wgGroupPermissions['sysop']['editalluserpages'] = true; /* Set this to allow sysops to edit all user pages */ 
@@ -322,10 +322,10 @@ $wgGroupPermissions['sysop']['editalluserpages'] = true; /* Set this to allow sy
 include("$IP/extensions/google-coop.php");
 # mass deletion ----------------------------------
-include_once( "$IP/extensions/Nuke/Nuke.php");
+wfLoadExtension('Nuke');
 # spam filter ----------------------------------
-include_once( "$IP/extensions/AbuseFilter/AbuseFilter.php");
+wfLoadExtension('AbuseFilter');
 # set higher EmergencyDisable limits to prevent spam filter from getting disabled with
 # "Warning: This filter was automatically disabled as a safety measure. It reached the limit of matching more than 5.00% of actions."
 $wgAbuseFilterEmergencyDisableThreshold['default'] = 0.50; # default 0.05
@@ -347,7 +347,7 @@ require_once("$IP/extensions/GitHub/GitHub.php");
 # search ----------------------------------
 wfLoadExtension( 'Elastica' );
-require_once "$IP/extensions/CirrusSearch/CirrusSearch.php";
+wfLoadExtension('CirrusSearch');
 $wgCirrusSearchServers = array($elasticsearch_server);
 $wgSearchType = 'CirrusSearch';
@@ -367,9 +367,3 @@ $wgCirrusSearchNamespaceWeights = array(
 );
 # ----------------------------------
-
-# hotfix from 2021-12-15 security announcement to disable vulnerable code
- $wgActions['mcrundo'] = false;
- $wgActions['mcrrestore'] = false;
- $wgWhitelistRead = [];
- $wgWhitelistReadRegexp = [];
diff --git a/salt/profile/wiki/files/apache-vhost.conf b/salt/profile/wiki/files/apache-vhost.conf
index f406583..11ac322 100644
--- a/salt/profile/wiki/files/apache-vhost.conf
+++ b/salt/profile/wiki/files/apache-vhost.conf
@@ -21,6 +21,8 @@
 # make suse PHP sees that https is used
 SetEnvIf X-Forwarded-Proto "https" HTTPS=on
+ # ensure MediaWiki finds LocalSettings.php
+ SetEnv MW_INSTALL_PATH "/srv/www/{{ wiki }}.opensuse.org/public/"
 php_admin_flag engine on
 {%- if wiki == 'en-test' %}
diff --git a/salt/profile/wiki/files/httpd2-prefork.apparmor b/salt/profile/wiki/files/httpd2-prefork.apparmor
index 913ddb6..2daf4cd 100644 
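Review bot: Removing the `$wgActions['mcrundo'] = false;` / `$wgActions['mcrrestore'] = false;` hotfix is only safe if `mediawiki_1_37-openSUSE` ships the release that fixed what the 2021-12-15 announcement described (1.37.1 or later); the zypper pillar pins the package by name only, so nothing in this change establishes that. Record the verified version where the hotfix used to be, e.g. `# 2021-12-15 mcrundo/mcrrestore hotfix dropped: fixed upstream in 1.37.1, package version checked at deploy`, or better pin a minimum version in the pillar. Note the hotfix also forced `$wgWhitelistRead = [];` and `$wgWhitelistReadRegexp = [];`; dropping it reinstates whatever those are set to earlier in this file (not visible here), which is a behaviour change worth a look rather than just the two actions coming back.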
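Review bot: `SetEnv MW_INSTALL_PATH "/srv/www/{{ wiki }}.opensuse.org/public/"` makes the web docroot MediaWiki's `$IP`, so every `wfLoadExtension()` introduced in this commit resolves through `$IP/extensions/...` under `public/`, and the trailing slash gives each derived path a double slash; use `SetEnv MW_INSTALL_PATH "/srv/www/{{ wiki }}.opensuse.org/public"`. That the docroot really contains (or symlinks) `extensions/`, `skins/` and the core tree presumably comes from the `mediawiki_src/{{ symlink }}` targets in docroot.sls, but that is outside this hunk and worth confirming, since a dangling symlink here becomes a fatal error on every request.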
--- a/salt/profile/wiki/files/httpd2-prefork.apparmor
+++ b/salt/profile/wiki/files/httpd2-prefork.apparmor
@@ -35,6 +35,8 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 capability sys_ptrace,
 capability sys_tty_config,
+ signal send set=usr1 peer=httpd2-prefork//*,
+
 / rw,
 /bin/bash rix,
 /dev/random r,
@@ -83,7 +85,7 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 /var/lib/apache2/ssl_mutex w,
 /var/log/apache2/* rwl,
- ^DEFAULT_URI flags=(complain,attach_disconnected) {
+ ^DEFAULT_URI flags=(attach_disconnected) {
 #include
 /proc/meminfo r,
@@ -97,6 +99,8 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
 #include
+ signal receive set=usr1 peer=httpd2-prefork,
+
 /**/.htaccess r,
 /dev/urandom r,
 /proc/*/attr/current w,
@@ -112,9 +116,17 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 }
- ^vhost_files flags=(complain,attach_disconnected) {
+ ^localhost flags=(complain,attach_disconnected) {
+ /proc/*/attr/current rw,
+ /proc/loadavg r,
+ /var/log/apache2/access_log w,
+ }
+
+ ^vhost_files flags=(attach_disconnected) {
 #include
+ signal receive set=usr1 peer=httpd2-prefork,
+
 /var/log/apache2/files-access_log w,
 /var/log/apache2/files-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
 /var/log/apache2/error_log w,
@@ -128,6 +140,8 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 #include
 #include
+ signal receive set=usr1 peer=httpd2-prefork,
+
 / r,
 /bin/bash rix,
 /dev/tty rw,
@@ -159,7 +173,9 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 /srv/www/{{wiki}}.opensuse.org/tmp/php* rw,
 /srv/www/{{wiki}}.opensuse.org/secrets.php r,
 /srv/www/{{wiki}}.opensuse.org/wiki_settings.php r,
+ /usr/share/icu/*/icudt*l.dat r,
 /usr/share/mediawiki_1_*/** r,
+ /usr/bin/magick Px -> magick-{{wiki}},
 }
 # {% endfor %} 
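Review bot: `^DEFAULT_URI` and `^vhost_files` are moved to enforce mode, but `^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {` stays in complain, and as far as I understand mod_apparmor that is the hat the worker runs in while parsing the request before a vhost hat is selected — the one hat whose name says it handles untrusted input; the new `^localhost` hat is complain-only as well. If the audit log for it is clean, give it the same treatment: `^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {`. For the new `/usr/bin/magick Px -> magick-{{wiki}},` transition, note that it only applies if MediaWiki actually executes that file (a symlink such as `/usr/bin/convert` resolving to it should match, a separate wrapper binary would not, and the exec would then be denied by the hat rather than confined), so confirm what `$wgImageMagickConvertCommand` is set to. The per-wiki hats' own `flags=` line is outside this hunk.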
diff --git a/salt/profile/wiki/files/magick.apparmor b/salt/profile/wiki/files/magick.apparmor
new file mode 100644
index 0000000..3f342c3
--- /dev/null
+++ b/salt/profile/wiki/files/magick.apparmor
@@ -0,0 +1,33 @@
+#include
+
+# {% for wiki in pillar['mediawiki']['wikis']|sort %}
+
+profile magick-{{wiki}} flags=(complain) {
+ #include
+ #include
+
+ deny network inet stream,
+
+ deny /var/cache/fontconfig/ w,
+
+ /bin/bash mrix,
+ /dev/tty rw,
+ /etc/ImageMagick-7-SUSE/*.xml r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /proc/filesystems r,
+ /usr/bin/magick mr,
+ /usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/png.so mr,
+ /usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/svg.so mr,
+ owner /srv/www/{{wiki}}.opensuse.org/cache/l10n_cache-en.cdb r,
+ owner /srv/www/{{wiki}}.opensuse.org/public/?????? w,
+ owner /srv/www/{{wiki}}.opensuse.org/public/images/**.svg r,
+ owner /srv/www/{{wiki}}.opensuse.org/public/images/temp/transform_*.png rw,
+ owner /tmp/magick-* rw,
+ owner /var/lib/wwwrun/.cache/ w,
+
+}
+
+# {% endfor %}
+
+# vim: ft=apparmor expandtab
diff --git a/salt/profile/wiki/files/pygmentize.apparmor b/salt/profile/wiki/files/pygmentize.apparmor
index 3960ad6..50f1841 100644
--- a/salt/profile/wiki/files/pygmentize.apparmor
+++ b/salt/profile/wiki/files/pygmentize.apparmor
@@ -16,6 +16,10 @@ profile pygmentize /usr/share/mediawiki_*/extensions/SyntaxHighlight_GeSHi/pygme
 #include
 #include
+# file_inherit
+ audit deny network inet stream,
+ audit deny /srv/www/*.opensuse.org/cache/l10n_cache-*.cdb r,
+
 /etc/nsswitch.conf r,
 /etc/passwd r,
 /proc/meminfo r,
diff --git a/salt/profile/wiki/files/wiki_settings.php b/salt/profile/wiki/files/wiki_settings.php
index af04eeb..a028b21 100644
--- a/salt/profile/wiki/files/wiki_settings.php
+++ b/salt/profile/wiki/files/wiki_settings.php
@@ -32,3 +32,5 @@ $wgDBmysql5 = true;
 {%- endif %}
 $wgDefaultSkin = "{{ data.get('skin', 'chameleon') }}";
+
+$wgServer = '{{ wgserver }}';
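Review bot: `owner /srv/www/{{wiki}}.opensuse.org/public/?????? w,` allows the converter to create six-character files directly in the web docroot where `php_admin_flag engine on` applies, and six characters is enough for a `.php` name; the pattern looks like an aa-logprof-learned cwd-relative temp file, so rather than whitelisting it, find out why `magick` writes there and redirect it, e.g. export `MAGICK_TEMPORARY_DIR=/srv/www/{{wiki}}.opensuse.org/tmp` for the call and replace the rule with `owner /srv/www/{{wiki}}.opensuse.org/tmp/magick-* rw,`. In normal operation MediaWiki, not the SVG, picks the output path, so this is defence in depth, but a sandbox around an image parser should not hand out write access to the served tree. More importantly, `flags=(complain)` means none of the rules — including the coder allow-list of just `png.so` and `svg.so`, which is what would actually keep MSL/MVG/URL-style coders out — is enforced yet; treat complain as a short learning window and switch to enforce once the log is clean.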
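Review bot: `$wgServer = '{{ wgserver }}';` drops a pillar value into a single-quoted PHP literal with no escaping, so a value containing `'` or a trailing `\` breaks the file and takes the wiki down (and would be code injection if pillar were ever fed from less-trusted data). Escape for PHP single quotes in the template, `$wgServer = '{{ wgserver|replace("\\", "\\\\")|replace("'", "\\'") }}';`, or validate in docroot.sls that the value matches `^https://[a-z0-9.-]+$` before rendering. Defaulting to `https://` is the right call — with `$wgServer` unset MediaWiki derives it from the Host header — so the validation would also stop an override from silently downgrading to `http://`.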