- add python-sqlalchemy-continuum as new dependency
- call database upgrade target after each deploy
- outsource version identifier into a variable

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

The latest tag removes the $wgLogo url which reduces one request per
page load.

With apcu caching the wiki get's ~ 40 req/s more and the latency of the
wiki lowers.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Enables TLS 1.3.

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites

Where http does not redirect to https. These are package mirrors and
the web key directory.

Levente Polyak authored 5 years ago and Jelle van der Waa committed 5 years ago

Protect from simple privilege escalation attacks on scripts that are
granted privileged execution for unprivileged users by restricting
the PATH to a static set.
Without doing so, it is a trivial attack to provide a binary used
by a privileged script that executes former without an absolute path
to escalate privileges by gaining code execution through that binary.

Anything run with elevated privileges through sudo shall never ever
have the possibility to pass on the unsanatized PATH from an
unprivileged user.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

This bans all requests exceeding 1/min in a time period of 30 minutes.
This might be too harse and can be adjusted later.

These are static requests for JS/CSS assets which are the topmost
request for the wiki. Caching these in nginx helps a lot to turn down
the load.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

This reverts commit 9809d84d.

I forgot our package already does this.