Tag: 2017 source edit |
Tag: 2017 source edit |
||
| Line 101: | Line 101: | ||
== Step 2: Set up environment variables == | == Step 2: Set up environment variables == | ||
Based on the sample file <code>.env.sample</code>, please create your new <code>.env</code> config file or edit your existing config file. | |||
Example: | Example: | ||
<pre> | |||
DATADIR=/data/bluespice | |||
VERSION=5.1.1 | |||
EDITION=free | |||
BACKUP_HOUR=04 | |||
WIKI_NAME=BlueSpice | |||
WIKI_LANG=en | |||
WIKI_PASSWORDSENDER=no-reply@wiki.company.local | |||
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local | |||
WIKI_HOST=wiki.company.local | |||
WIKI_PORT=443 | |||
WIKI_PROTOCOL=https | |||
WIKI_BASE_PATH= | |||
DB_USER=bluespice | |||
DB_PASS=...(mandatory field) | |||
DB_ROOT_USER=root | |||
DB_ROOT_PASS=$DB_PASS | |||
DB_HOST=database | |||
DB_NAME=bluespice | |||
DB_PREFIX= | |||
SMTP_HOST=mail.company.local | |||
SMTP_PORT=25 | |||
SMTP_USER=... | |||
SMTP_PASS=... | |||
SMTP_ID_HOST=... | |||
{{Textbox|boxtype=note|header=Different editions|text= | |||
LETSENCRYPT=false | |||
</pre> | |||
{{Textbox|boxtype=note|header=Different editions|text=To deploy <code>pro</code> or <code>farm</code> edition, you will need credentials to the private registry <code>docker.bluespice.com</code>. <br>Please login in by running <code>docker login docker.bluespice.com</code>.|icon=yes}} | |||
== Step 3: Start the stack == | == Step 3: Start the stack == | ||
Revision as of 12:26, 21 July 2025
Overview
Starting with version 4.5, BlueSpice MediaWiki can be installed with a stack of Docker container images.
Everything is built in a modular way to allow different types of setups.
The most common cases are:
- "All-in-one" (with and without Let's Encrypt)
- Custom database and search service
- Custom load balancer / proxy
Architecture
Notes
- Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
- HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
- Proprietary ports (esp. for database connections) are noted next to the respective services.
- There may be additional services and ports in use, based on the setup. Some examples:
- When using LDAP based authentication an LDAPS connection (port
636) is used from thebluespice/wikicontainers to the LDAP-Server - When using Kerberos authentication, a connection (port
88) is used from thebluespice/kerberos-proxycontainers to the Kerberos-Server - When using DeepL or OpenAI services, a HTTPS connection (port
443) is used from thebluespice/wikicontainers to to the respective service - When using OpenIDConnect authentication, a HTTPS connection (port
443) is used from thebluespice/wiki"task" container to to the authentication provider - When using "Let's Encrypt" Certbot, a HTTPS connection (port
443) is used from theacme-companioncontainer to the "Let's Encrypt" service
- When using LDAP based authentication an LDAPS connection (port
Step 1: Get the stack
Get "docker-compose" files from https://github.com/hallowelt/bluespice-deploy/releases/latest
Example:
wget https://github.com/hallowelt/bluespice-deploy/archive/refs/tags/5.1.1.zip \ && unzip 5.1.1.zip \ && cd bluespice-deploy-5.1.1/compose
bluespice/wiki needs to be obtained differently. See Pro and Farm edition for details
The directory contains the following files:
| Filename | Type | Mandatory | Comment |
|---|---|---|---|
bluespice-deploy
|
bash-script | false | Wrapper for general start-up of needed containers |
docker-compose.main.yml
|
yml | true | Main application services/ run by bluespice-deploy
|
docker-compose.persistent-data-services.yml
|
yml | false | Database and search/ run by bluespice-deploy
|
docker-compose.stateless-services.yml
|
yml | true | PDF-Renderer/Cache/Formula/Diagram-Service |
docker-compose.helper-service.yml
|
yml | true | Provides different helper containers for Filesystem-preparation, major-upgrades and backups |
docker-compose.proxy.yml
|
yml | false, but recommended | Proxy Service |
docker-compose.proxy-letsencrypt.yml
|
yml | false | Additional auto-renewal service for "Let's Encrypt" certificates |
docker-compose.kerberos-proxy.yml
|
yml | false | Additional proxy for Kerberos based authentication |
docker-compose.collabpads-service.yml
|
yml | false | Provides back-end services for CollabPads (included in Pro and Farm editions) |
.env.sample
|
text | true | Sample for creating .env that defines key environment variables
|
bluespice.service.demo
|
service script | false | A Demo-file for control the BlueSpice stack as systemctl service |
For convenience, the bluespice-deploy script wraps the first five yml files by default. This includes the main wiki application and also required backend services, like a database, search and application cache. Additional service yml files can be loaded by adding -f <filename> .
Step 2: Set up environment variables
Based on the sample file .env.sample, please create your new .env config file or edit your existing config file.
Example:
DATADIR=/data/bluespice VERSION=5.1.1 EDITION=free BACKUP_HOUR=04 WIKI_NAME=BlueSpice WIKI_LANG=en WIKI_PASSWORDSENDER=no-reply@wiki.company.local WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local WIKI_HOST=wiki.company.local WIKI_PORT=443 WIKI_PROTOCOL=https WIKI_BASE_PATH= DB_USER=bluespice DB_PASS=...(mandatory field) DB_ROOT_USER=root DB_ROOT_PASS=$DB_PASS DB_HOST=database DB_NAME=bluespice DB_PREFIX= SMTP_HOST=mail.company.local SMTP_PORT=25 SMTP_USER=... SMTP_PASS=... SMTP_ID_HOST=... LETSENCRYPT=false
pro or farm edition, you will need credentials to the private registry docker.bluespice.com. Please login in by running
docker login docker.bluespice.com.
Step 3: Start the stack
wiki-task container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default Admin user can be found in $DATADIR/wiki/initialAdminPassword.Use bluespice-deploy up -d to start the stack, once the .env file and the "data directories" are ready. Once all containers are shown as "ready" you can navigate to $WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT (e.g. https://wiki.company.local) in your favorite web browser and start using the application.
Additional options
SSL certificates
For using Let's Encrypt certificates just set variable LETSENCRYPT to true in your .env file.
<bluespice-wiki.com>.crt and <bluespice-wiki.com>.key with the exact name of your Wikis URL in ${DATADIR}/proxy/certs
Operating system level service
expand the ExecStart parameter in the /etc/systemd/system/bluespice.service
Example:
ExecStart=<WORKDIR>/bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -f -d --remove-orphans
Custom wiki application configuration
After the initial installation, the ${DATADIR}/wiki/bluespice/ contains two files that can be used to set custom application configuration as it may be found on mediawiki.org:
pre-init-settings.php- Can be used to set config that can be picked up by the init processpost-init-settings.php- Can be used to manipulate configs that have been set by the init process
Custom database and search
If you have a MySQL/MariaDB and an OpenSearch server running in your local network, you can remove docker-compose.persistent-data-services.yml entirely from your bluespice-deploy file. Make sure to set the proper variables in the .env file.
Kerberos proxy
For implicit authenticationusing Kerberos, an additional proxy must be used: bluespice/kerberos-proxy . The file docker-compose.kerberos-proxy.yml contains a common configuration. It can be used instead of the regular docker-compose.proxy.yml file inside bluespice-deploy .
Make sure to have the files
${DATADIR}/kerberos/krb5.conf${DATADIR}/kerberos/kerberos.keytab
set up properly.
The file ${DATADIR}/wiki/bluespice/pre-init-settings.php can then be used to set up "Extension:Auth_remoteuser" and the LDAP stack extensions.
SAML authentication
During the initial installation a certificate for message signing will automatically be created. It can be found in ${DATADIR}/wiki/simplesamlphp/certs/.
In order to configure a remote IdP, one must copy the IdP metadata XML to a file called ${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml. The SP metadata can then be obtained via https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp. It must be configured in the remote IdP.
https://{{$WIKI_HOST}}/_sp/module.php/admin and log in with admin and the INTERNAL_SIMPLESAMLPHP_ADMIN_PASS found in ${DATADIR}/wiki/.wikienv
Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add
wfLoadExtensions( [
'PluggableAuth',
'SimpleSAMLphp'
] );
to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run
./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick
to complete the installation.
After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".
OpenID Connect authentication
The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add
wfLoadExtensions( [
'PluggableAuth',
'OpenIDConnect'
] );
to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run
./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick
to complete the installation.
After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".
