StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

readme docs

Browse source
This commit is contained in:
goeranh 2026-03-13 16:59:54 +01:00
parent 6e0d407b1c
commit 9466ab3656
No known key found for this signature in database
6 changed files with 1872 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

297
hosts/wiki/README.md Normal file
View file

@ -0,0 +1,297 @@
# Wiki Host - MediaWiki
MediaWiki instance at 141.56.51.13 running in an LXC container.
## Overview
- **Hostname**: wiki
- **FQDN**: wiki.htw.stura-dresden.de
- **IP Address**: 141.56.51.13
- **Type**: Proxmox LXC Container
- **Services**: MediaWiki, MariaDB, Apache httpd, PHP-FPM
## Services
### MediaWiki
The StuRa HTW Dresden wiki runs MediaWiki with extensive customization:
- **Name**: Wiki StuRa HTW Dresden
- **Language**: German (de)
- **Default skin**: Vector (classic)
- **Session timeout**: 3 hours (10800 seconds)
- **ImageMagick**: Enabled for image processing
- **Instant Commons**: Enabled (access to Wikimedia Commons images)
### Custom Namespaces
The wiki defines several custom namespaces for organizational purposes:
| Namespace | ID | Purpose |
|-----------|-----|---------|
| StuRa | 100 | Standard StuRa content |
| Intern | 102 | Internal (non-public) StuRa content |
| Admin | 104 | Administrative wiki content |
| Person | 106 | Individual person pages (non-public) |
| Faranto | 108 | Faranto e.V. content |
| ET | 212 | ET Fachschaft content |
| ET_intern | 412 | ET internal content |
| LaUCh | 216 | LaUCh Fachschaft content |
| LaUCh_intern | 416 | LaUCh internal content |
Each namespace has a corresponding discussion namespace (odd numbered ID).
### User Groups and Permissions
**Custom user groups:**
- **intern**: Access to Intern and Person namespaces
- **ET**: Access to ET_intern namespace
- **LUC**: Access to LaUCh_intern namespace
These groups have the same base permissions as standard users (move pages, edit, upload, etc.) plus access to their respective restricted namespaces.
### Spam Prevention
**QuestyCaptcha** is configured to prevent automated spam:
- Challenges users with questions about HTW and StuRa
- Triggered on: edit, create, createtalk, addurl, createaccount, badlogin
- Questions are specific to local knowledge (e.g., "Welche Anzahl an Referaten hat unser StuRa geschaffen?")
### Extensions
The following extensions are installed:
- **Lockdown**: Restricts namespace access by user group
- **ContributionScores**: Statistics of contributions by user
- **UserMerge**: Merge and delete user accounts (for spam cleanup)
- **Interwiki**: Use interwiki links (e.g., Wikipedia references)
- **Cite**: Reference system (footnotes)
- **ConfirmEdit/QuestyCaptcha**: CAPTCHA challenges
## Deployment
See the [main README](../../README.md) for deployment methods.
### Initial Installation
**Using nixos-anywhere:**
```bash
nix run github:nix-community/nixos-anywhere -- --flake .#wiki --target-host root@141.56.51.13
```
**Using container tarball:**
```bash
nix build .#containers-wiki
scp result/tarball/nixos-system-x86_64-linux.tar.xz root@proxmox-host:/var/lib/vz/template/cache/
pct create 113 /var/lib/vz/template/cache/nixos-system-x86_64-linux.tar.xz \
--hostname wiki \
--net0 name=eth0,bridge=vmbr0,ip=141.56.51.13/24,gw=141.56.51.254 \
--memory 2048 \
--cores 2 \
--rootfs local-lvm:10 \
--unprivileged 1 \
--features nesting=1
pct start 113
```
### Updates
```bash
# From local machine
nixos-rebuild switch --flake .#wiki --target-host root@141.56.51.13
# Or use auto-generated script
nix run .#wiki-update
```
## Post-Deployment Steps
After deploying for the first time:
1. **Set admin password:**
```bash
echo "your-secure-password" > /var/lib/mediawiki/mediawiki-password
chmod 600 /var/lib/mediawiki/mediawiki-password
```
2. **Set database password:**
```bash
echo "your-db-password" > /var/lib/mediawiki/mediawiki-dbpassword
chmod 600 /var/lib/mediawiki/mediawiki-dbpassword
```
3. **Access the web interface:**
```
https://wiki.htw.stura-dresden.de
```
4. **Complete initial setup:**
- Log in with admin credentials
- Configure additional settings via Special:Version
- Set up main page
5. **Configure namespace permissions:**
- Add users to `intern`, `ET`, or `LUC` groups via Special:UserRights
- Verify namespace restrictions work correctly
- Test that non-members cannot access restricted namespaces
6. **Add users to appropriate groups:**
- Navigate to Special:UserRights
- Select user
- Add to: intern, ET, LUC, sysop, bureaucrat (as needed)
7. **Upload logo and favicon** (optional):
- Place files in `/var/lib/mediawiki/images/`
- Files: `logo.png`, `logo.svg`, `favicon.png`
## Integration with Proxy
The central proxy at 141.56.51.1 handles:
- **SNI routing**: Routes HTTPS traffic for wiki.htw.stura-dresden.de
- **HTTP routing**: Routes HTTP traffic and redirects to HTTPS
- **ACME challenges**: Forwards certificate verification requests
This host manages its own ACME certificates. Apache httpd handles TLS termination.
## Troubleshooting
### Locale warnings
When accessing the container with `pct enter`, you may see:
```
sh: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory
sh: warning: setlocale: LC_COLLATE: cannot change locale (en_US.UTF-8): No such file or directory
```
**This is a known issue and can be safely ignored.** It only affects the interactive shell environment, not the running services. Regular SSH access provides a proper shell with correct locale settings.
### Database connection issues
If MediaWiki cannot connect to the database:
```bash
# Check MariaDB status
systemctl status mysql
# Check database exists
mysql -u root -e "SHOW DATABASES;"
# Check user permissions
mysql -u root -e "SHOW GRANTS FOR 'mediawiki'@'localhost';"
# View MediaWiki logs
journalctl -u mediawiki -f
```
**Solution**: Ensure the database password in `/var/lib/mediawiki/mediawiki-dbpassword` matches the database user password.
### Extension loading problems
If extensions are not working:
```bash
# Check extension files exist
ls -l /nix/store/*-mediawiki-extensions/
# View PHP errors
tail -f /var/log/httpd/error_log
# Test MediaWiki configuration
php /var/lib/mediawiki/maintenance/checkSetup.php
```
**Solution**: Verify extensions are properly defined in the configuration and compatible with the MediaWiki version.
### ImageMagick configuration
If image uploads or thumbnails fail:
```bash
# Check ImageMagick installation
which convert
/run/current-system/sw/bin/convert --version
# Test image conversion
/run/current-system/sw/bin/convert input.png -resize 100x100 output.png
# Check MediaWiki image directory permissions
ls -ld /var/lib/mediawiki/images/
```
**Solution**: Ensure ImageMagick path is set correctly (`$wgImageMagickConvertCommand`) and the images directory is writable.
### Namespace permission issues
If users can access restricted namespaces:
```bash
# Check Lockdown extension is loaded
grep -i lockdown /var/lib/mediawiki/LocalSettings.php
# Verify user group membership
# Log in as admin and check Special:UserRights
# Check namespace permission configuration
grep -A 5 "wgNamespacePermissionLockdown" /var/lib/mediawiki/LocalSettings.php
```
**Solution**: Verify the Lockdown extension is installed and `$wgNamespacePermissionLockdown` is configured correctly for each restricted namespace.
### ACME certificate issues
If HTTPS is not working:
```bash
# Check ACME certificate status
systemctl status acme-wiki.htw.stura-dresden.de
# View ACME logs
journalctl -u acme-wiki.htw.stura-dresden.de -f
# Check Apache HTTPS configuration
httpd -t -D DUMP_VHOSTS
```
**Solution**: Ensure DNS points to proxy (141.56.51.1) and the proxy forwards ACME challenges to this host.
## Files and Directories
- **MediaWiki data**: `/var/lib/mediawiki/`
- **Password file**: `/var/lib/mediawiki/mediawiki-password`
- **DB password file**: `/var/lib/mediawiki/mediawiki-dbpassword`
- **Images**: `/var/lib/mediawiki/images/`
- **LocalSettings**: `/var/lib/mediawiki/LocalSettings.php` (generated)
- **Extensions**: `/nix/store/.../mediawiki-extensions/`
- **Database**: MariaDB stores data in `/var/lib/mysql/`
## Network
- **Interface**: eth0 (LXC container)
- **IP**: 141.56.51.13/24
- **Gateway**: 141.56.51.254
- **Firewall**: Ports 80, 443 allowed
## Configuration Details
- **Time zone**: Europe/Berlin
- **Table prefix**: sturawiki
- **Emergency contact**: wiki@stura.htw-dresden.de
- **Password sender**: wiki@stura.htw-dresden.de
- **External images**: Allowed
- **File uploads**: Enabled
- **Email notifications**: Enabled (user talk, watchlist)
## Automatic Maintenance
- **Auto-upgrade**: Enabled (system automatically updates)
- **Auto-reboot**: Allowed (system may reboot for updates)
- **Store optimization**: Automatic
- **Garbage collection**: Automatic
## See Also
- [Main README](../../README.md) - Deployment methods and architecture
- [Proxy README](../proxy/README.md) - How the central proxy routes traffic
- [MediaWiki Documentation](https://www.mediawiki.org/wiki/Documentation)
- [NixOS MediaWiki Options](https://search.nixos.org/options?query=services.mediawiki)
- [Extension:Lockdown](https://www.mediawiki.org/wiki/Extension:Lockdown)
- [Extension:QuestyCaptcha](https://www.mediawiki.org/wiki/Extension:QuestyCaptcha)