From c06d80fc6300c4e0f882892e36948f9e60c56792 Mon Sep 17 00:00:00 2001
From: wizzdom <wizzdom@redbrick.dcu.ie>
Date: Tue, 6 Aug 2024 00:34:31 +0100
Subject: [PATCH] add wiki.redbrick.dcu.ie (#49)

Adds `mediawiki.hcl`
- migrated to latest mediawiki LTS
- using php-fpm and nginx

Adds `mediawiki-backup.hcl`
- backup of mariadb
- full xml dump of mediawiki

Co-authored-by: Ayden <info@aydenjahola.com>
---
 jobs/services/mediawiki-backup.hcl |  89 ++++++
 jobs/services/mediawiki.hcl        | 438 +++++++++++++++++++++++++++++
 2 files changed, 527 insertions(+)
 create mode 100644 jobs/services/mediawiki-backup.hcl
 create mode 100644 jobs/services/mediawiki.hcl

diff --git a/jobs/services/mediawiki-backup.hcl b/jobs/services/mediawiki-backup.hcl
new file mode 100644
index 0000000..bbef3e3
--- /dev/null
+++ b/jobs/services/mediawiki-backup.hcl
@@ -0,0 +1,89 @@
+job "mediawiki-backup" {
+  datacenters = ["aperture"]
+  type        = "batch"
+
+  periodic {
+    crons            = ["0 */3 * * * *"]
+    prohibit_overlap = true
+  }
+
+  group "db-backup" {
+    task "mysql-backup" {
+      driver = "raw_exec"
+
+      config {
+        command = "/bin/bash"
+        args    = ["local/mysql-backup.sh"]
+      }
+
+      template {
+        data = <<EOH
+#!/bin/bash
+
+file=/storage/backups/nomad/wiki/mysql/rbwiki-mysql-$(date +%Y-%m-%d_%H-%M-%S).sql
+
+mkdir -p /storage/backups/nomad/wiki/mysql
+
+alloc_id=$(nomad job status mediawiki | grep running | tail -n 1 | cut -d " " -f 1)
+
+job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
+
+nomad alloc exec -task rbwiki-db $alloc_id mariadb-dump -u {{ key "mediawiki/db/username" }} -p'{{ key "mediawiki/db/password"}}' {{ key "mediawiki/db/name" }} > "${file}"
+
+find /storage/backups/nomad/wiki/mysql/rbwiki-mysql* -ctime +3 -exec rm {} \; || true
+
+if [ -s "$file" ]; then # check if file exists and is not empty
+  echo "Backup successful"
+  exit 0
+else
+  rm $file
+  curl -H "Content-Type: application/json" -d \
+  '{"content": "<@&585512338728419341> `MySQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
+  {{ key "mysql/webhook/discord" }}
+fi
+EOH
+        destination = "local/mysql-backup.sh"
+      }
+    }
+  }
+  group "xml-dump" {
+    task "xml-dump" {
+      driver = "raw_exec"
+
+      config {
+        command = "/bin/bash"
+        args    = ["local/xml-dump.sh"]
+      }
+
+      template {
+        data = <<EOH
+#!/bin/bash
+
+file=/storage/backups/nomad/wiki/xml/rbwiki-dump-$(date +%Y-%m-%d_%H-%M-%S).xml
+
+mkdir -p /storage/backups/nomad/wiki/xml
+
+alloc_id=$(nomad job status mediawiki | grep running | tail -n 1 | cut -d " " -f 1)
+
+job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
+
+nomad alloc exec -task rbwiki-php $alloc_id /usr/local/bin/php /var/www/html/maintenance/dumpBackup.php --full --include-files --uploads > "${file}"
+
+find /storage/backups/nomad/wiki/xml/rbwiki-dump* -ctime +3 -exec rm {} \; || true
+
+if [ -n "$(find ${file} -prune -size +100000000c)" ]; then # check if file exists and is not empty
+  echo "Backup successful"
+  exit 0
+else
+  rm $file
+  curl -H "Content-Type: application/json" -d \
+  '{"content": "<@&585512338728419341> `dumpBackup.php` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
+  {{ key "mysql/webhook/discord" }}
+fi
+EOH
+        destination = "local/xml-dump.sh"
+      }
+    }
+  }
+}
+
diff --git a/jobs/services/mediawiki.hcl b/jobs/services/mediawiki.hcl
new file mode 100644
index 0000000..458998f
--- /dev/null
+++ b/jobs/services/mediawiki.hcl
@@ -0,0 +1,438 @@
+job "mediawiki" {
+  datacenters = ["aperture"]
+  type = "service"
+
+  meta {
+    domain = "wiki.redbrick.dcu.ie"
+  }
+
+  group "rbwiki" {
+    count = 1
+
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 80
+      }
+      port "fpm" {
+        to = 9000
+      }
+      port "db" {
+        to = 3306
+      }
+    }
+
+    service {
+      name = "rbwiki-web"
+      port = "http"
+
+      check {
+        type = "http"
+        path = "/Main_Page"
+        interval = "10s"
+        timeout = "5s"
+      }
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.port=${NOMAD_PORT_http}",
+        "traefik.http.routers.rbwiki.rule=Host(`${NOMAD_META_domain}`)",
+        "traefik.http.routers.rbwiki.entrypoints=web,websecure",
+        "traefik.http.routers.rbwiki.tls.certresolver=lets-encrypt",
+        "traefik.http.routers.rbwiki.middlewares=redirect-short-url",
+        "traefik.http.middlewares.redirect-short-url.redirectregex.regex=https://wiki\\.redbrick\\.dcu\\.ie/index\\.php\\?title=(.*)",
+        "traefik.http.middlewares.redirect-short-url.redirectregex.replacement=https://wiki.redbrick.dcu.ie/$1",
+        "traefik.http.routers.rbwiki.middlewares=redirect-root",
+        "traefik.http.middlewares.redirect-root.redirectregex.regex=^https://wiki\\.redbrick\\.dcu\\.ie/?$",
+        "traefik.http.middlewares.redirect-root.redirectregex.replacement=https://wiki.redbrick.dcu.ie/Main_Page",
+        # "traefik.http.routers.rbwiki.middlewares=redirect-mw",
+        # "traefik.http.middlewares.redirect-mw.redirectregex.regex=https://wiki\\.redbrick\\.dcu\\.ie/Mw/(.*)",
+        # "traefik.http.middlewares.redirect-mw.redirectregex.replacement=https://wiki.redbrick.dcu.ie/$1",
+      ]
+    }
+
+    task "rbwiki-nginx" {
+      driver = "docker"
+      config {
+        image = "nginx:alpine"
+        ports = ["http"]
+        volumes = [
+          "local/nginx.conf:/etc/nginx/nginx.conf",
+          "/storage/nomad/mediawiki/extensions:/var/www/html/extensions",
+          "/storage/nomad/mediawiki/images:/var/www/html/images",
+          "/storage/nomad/mediawiki/skins:/var/www/html/skins",
+          "/storage/nomad/mediawiki/resources/assets:/var/www/html/Resources/assets",
+        ]
+      }
+      resources {
+          cpu    = 200
+          memory = 100
+        }
+      template {
+        data = <<EOH
+# user www-data www-data;
+error_log /dev/stderr error;
+events {
+    worker_connections 1024;
+}
+http {
+    include /etc/nginx/mime.types;
+    server_tokens off;
+    error_log /dev/stderr error;
+    access_log /dev/stdout;
+    charset utf-8;
+
+    server {
+      server_name {{ env "NOMAD_META_domain" }};
+      listen 80;
+      listen [::]:80;
+      root /var/www/html;
+      index index.php index.html index.htm;
+
+      client_max_body_size 5m;
+      client_body_timeout 60;
+
+      # MediaWiki short URLs
+      location / {
+        try_files $uri $uri/ @rewrite;
+      }
+
+      location @rewrite {
+        rewrite ^/(.*)$ /index.php?title=$1&$args;
+      }
+
+      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|otf|eot|ico)$ {
+        try_files $uri /index.php;
+        expires max;
+        log_not_found off;
+      }
+
+      # Pass the PHP scripts to FastCGI server
+      location ~ \.php$ {
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass {{ env "NOMAD_HOST_ADDR_fpm" }};
+        fastcgi_index index.php;
+      }
+
+      location ~ /\.ht {
+        deny all;
+      }
+    }
+}
+EOH
+        destination = "local/nginx.conf"
+      }
+    }
+
+    task "rbwiki-php" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/wizzdom/mediawiki-fpm-ldap-alpine:latest"
+        ports = ["fpm"]
+
+        volumes = [
+          "/storage/nomad/mediawiki/extensions:/var/www/html/extensions",
+          "/storage/nomad/mediawiki/images:/var/www/html/images",
+          "/storage/nomad/mediawiki/skins:/var/www/html/skins",
+          "/storage/nomad/mediawiki/resources/assets:/var/www/html/Resources/assets",
+          "local/LocalSettings.php:/var/www/html/LocalSettings.php",
+          "local/ldapprovider.json:/etc/mediawiki/ldapprovider.json"
+        ]
+      }
+
+      resources {
+          cpu    = 4000
+          memory = 1200
+        }
+
+      template {
+        data = <<EOH
+{
+  "LDAP": {
+    "authorization": {
+      "rules": {
+        "groups": {
+          "required": []
+        }
+      }
+    },
+    "connection": {
+      "server": "{{ key "mediawiki/ldap/server" }}",
+      "user": "{{ key "mediawiki/ldap/user" }}",
+      "pass": "{{ key "mediawiki/ldap/password" }}",
+      "options": {
+        "LDAP_OPT_DEREF": 1
+      },
+      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMemberUid::factory",
+      "basedn": "o=redbrick",
+      "groupbasedn": "ou=groups,o=redbrick",
+      "userbasedn": "ou=accounts,o=redbrick",
+      "searchattribute": "uid",
+      "searchstring": "uid=USER-NAME,ou=accounts,o=redbrick",
+      "usernameattribute": "uid",
+      "realnameattribute": "cn",
+      "emailattribute": "altmail"
+    }
+  }
+}
+EOH
+
+        destination = "local/ldapprovider.json"
+      }
+
+      template {
+        data = <<EOH
+<?php
+# Protect against web entry
+if ( !defined( 'MEDIAWIKI' ) ) {
+	exit;
+}
+
+$wgSitename = "Redbrick Wiki";
+
+$wgScriptPath = "";
+$wgArticlePath = "/$1";
+$wgUsePathInfo = true;
+$wgScriptExtension = ".php";
+
+$wgServer = "https://{{ env "NOMAD_META_domain" }}";
+
+## The URL path to static resources (images, scripts, etc.)
+$wgResourceBasePath = $wgScriptPath;
+$wgLogo = "$wgResourceBasePath/Resources/assets/logo.png";
+$wgFavicon = "$wgResourceBasePath/Resources/assets/favicon.ico";
+$wgAllowExternalImages = true;
+
+
+## UPO: this is also a user preference option
+$wgEnableEmail = false;
+$wgEnableUserEmail = false; # UPO
+
+$wgEmergencyContact = "{{ key "mediawiki/mail/emergency/contact" }}";
+$wgPasswordSender = "{{ key "mediawiki/mail/password/sender" }}";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+## Database settings
+$wgDBtype = "mysql";
+$wgDBserver = "{{ env "NOMAD_ALLOC_IP_db" }}";
+$wgDBport = "{{ env "NOMAD_ALLOC_PORT_db" }}";
+$wgDBname = "{{ key "mediawiki/db/name" }}";
+$wgDBuser = "{{ key "mediawiki/db/username" }}";
+$wgDBpassword = "{{ key "mediawiki/db/password" }}";
+# MySQL specific settings
+$wgDBprefix = "rbwiki_";
+# MySQL table options to use during installation or update
+$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
+
+## Shared memory settings
+$wgMainCacheType = CACHE_NONE;
+$wgMemCachedServers = [];
+
+$wgEnableUploads = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+$wgUploadPath = "$wgScriptPath/images";
+$wgUploadDirectory = "{$IP}/images";
+$wgHashedUploadDirectory = true;
+$wgDirectoryMode = 0755;
+umask(0022);
+
+# InstantCommons allows wiki to use images from https://commons.wikimedia.org
+$wgUseInstantCommons = false;
+
+$wgPingback = false;
+
+$wgShellLocale = "C.UTF-8";
+
+$wgLanguageCode = "en";
+
+$wgSecretKey = "{{ key "mediawiki/key/secret" }}";
+
+# Changing this will log out all existing sessions.
+$wgAuthenticationTokenVersion = "1";
+
+# Site upgrade key. Must be set to a string (default provided) to turn on the
+# web installer while LocalSettings.php is in place
+$wgUpgradeKey = "{{ key "mediawiki/key/upgrade" }}";
+
+$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+$wgRightsUrl = "";
+$wgRightsText = "";
+$wgRightsIcon = "";
+
+$wgDiff3 = "/usr/bin/diff3";
+
+$wgDefaultSkin = "citizen";
+$wgDefaultMobileSkin = 'citizen';
+
+# Enabled skins.
+wfLoadSkin( 'Vector' );
+wfLoadSkin( 'Citizen' );
+wfLoadSkin( 'Timeless' );
+wfLoadSkin( 'MinervaNeue' );
+
+$wgCitizenThemeColor = "#a81e22";
+$wgCitizenShowPageTools = "permission";
+$wgCitizenSearchDescriptionSource = "pagedescription";
+
+$wgLocalisationUpdateDirectory = "$IP/cache";
+
+# load extensions
+wfLoadExtension( 'HitCounters' );
+wfLoadExtension( 'LDAPProvider' );
+wfLoadExtension( 'LDAPAuthentication2' );
+wfLoadExtension( 'PluggableAuth' );
+$wgPluggableAuth_ButtonLabel = "Redbrick Log In";
+wfLoadExtension( 'LDAPAuthorization' );
+wfLoadExtension( 'OpenGraphMeta' );
+wfLoadExtension( 'Description2' );
+$wgEnableMetaDescriptionFunctions = true;
+wfLoadExtension( 'PageImages' );
+$wgPageImagesOpenGraphFallbackImage = $wgLogo;
+wfLoadExtension( 'Plausible' );
+$wgPlausibleDomain = "https://plausible.redbrick.dcu.ie";
+$wgPlausibleDomainKey = "wiki.redbrick.dcu.ie";
+$wgPlausibleTrackOutboundLinks = true;
+$wgPlausibleTrackLoggedIn = true;
+$wgPlausibleTrack404 = true;
+$wgPlausibleTrackSearchInput = true;
+$wgPlausibleTrackCitizenSearchLinks = true;
+$wgPlausibleTrackCitizenMenuLinks = true;
+wfLoadExtension( 'WikiMarkdown' );
+$wgAllowMarkdownExtra = true;
+$wgAllowMarkdownExtended = true;
+wfLoadExtension( 'RSS' );
+wfLoadExtension( 'SyntaxHighlight_GeSHi' );
+wfLoadExtension( 'WikiEditor' );
+wfLoadExtension( 'MobileFrontend' );
+
+
+$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
+
+$wgPluggableAuth_Config['Redbrick Log In'] = [
+    'plugin' => 'LDAPAuthentication2',
+    'data' => [
+        'domain' => 'LDAP'
+    ],
+];
+
+# RBOnly Namespace
+# To allow semi-public pages
+$wgExtraNamespaces = array(100 => "RBOnly", 101 => "RBOnly_talk");
+$wgNamespacesWithSubpages = array( -1 => 0, 0 => 0, 1 => 1, 2 => 1, 3 => 1, 4 => 0, 5 => 1, 6 => 0, 7 => 1, 8 => 0, 9 => 1, 10 => 0, 11 => 1,100 => 1,101 => 1);
+$wgNamespacesToBeSearchedDefault = array( -1 => 0, 0 => 1, 1 => 0, 2 => 0, 3 => 0, 4 => 0, 5 => 0, 6 => 0, 7 => 0, 8 => 0, 9 => 0, 10 => 0, 11 => 0,100 => 0,101 => 0);
+$wgNonincludableNamespaces[] = 100;
+
+$wgGroupPermissions['*']['readrbonly'] = false;
+$wgGroupPermissions['sysop']['readrbonly'] = true;
+
+$wgNamespaceProtection[ 100 ] = array( 'readrbonly' );
+
+# group permissions
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgGroupPermissions['*']['createaccount']   = false;
+$wgGroupPermissions['*']['read']            = true;
+$wgGroupPermissions['*']['edit']            = false;
+
+# Exclude user group page views from counting.
+$wgGroupPermissions['sysop']['hitcounter-exempt'] = true;
+
+# When set to true, it adds the PageId to the special page "PopularPages". The default value is false.
+$wgEnableAddPageId = false;
+
+# When set to true, it adds the TextLength to the special page "PopularPages". The default value is false.
+$wgEnableAddTextLength = true;
+
+# debug logs
+# $wgDebugDumpSql = true;
+$wgShowExceptionDetails = true;
+$wgShowDBErrorBacktrace = true;
+$wgShowSQLErrors = true;
+$wgDebugLogFile = "/dev/stderr";
+EOH
+
+        destination = "local/LocalSettings.php"
+      }
+    }
+
+    service {
+      name = "rbwiki-db"
+      port = "db"
+
+      check {
+        name = "mariadb_probe"
+        type = "tcp"
+        interval = "10s"
+        timeout = "2s"
+      }
+    }
+
+    task "rbwiki-db" {
+      driver = "docker"
+
+      constraint {
+        attribute = "${attr.unique.hostname}"
+        value     = "glados"
+      }
+
+      config {
+        image = "mariadb"
+        ports = ["db"]
+
+        volumes = [
+          "/opt/mediawiki-db:/var/lib/mysql",
+          "/oldstorage/wiki_backups:/wiki-backups/backup",
+          "local/conf.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf",
+        ]
+      }
+
+      template {
+        data = <<EOH
+[mysqld]
+max_connections = 100
+key_buffer_size = 2G
+query_cache_size = 0
+innodb_buffer_pool_size = 6G
+innodb_log_file_size = 512M
+innodb_flush_log_at_trx_commit = 1
+innodb_flush_method = O_DIRECT
+innodb_io_capacity = 200
+tmp_table_size = 5242K
+max_heap_table_size = 5242K
+innodb_log_buffer_size = 16M
+innodb_file_per_table = 1
+
+bind-address = 0.0.0.0
+# Logging
+slow_query_log = 1
+slow_query_log_file = /var/log/mysql/slow.log
+long_query_time = 1
+EOH
+
+        destination = "local/conf.cnf"
+      }
+
+      resources {
+          cpu    = 800
+          memory = 1200
+        }
+
+      template {
+        data = <<EOH
+MYSQL_DATABASE={{ key "mediawiki/db/name" }}
+MYSQL_USER={{ key "mediawiki/db/username" }}
+MYSQL_PASSWORD={{ key "mediawiki/db/password" }}
+MYSQL_RANDOM_ROOT_PASSWORD=yes
+EOH
+
+        destination = "local/.env"
+        env = true
+      }
+    }
+  }
+}