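# Wiki.js + PostgreSQL on plain Docker: pull the images, create the DB secret,
# the network and the volumes, then create and start the containers.

# Pull the images.
# NOTE(review): both requarks images use the mutable ":latest" tag, so a later
# pull can bring in different code; pin a version tag or digest if the
# deployment has to be reproducible.
docker pull postgres:15
docker pull requarks/wiki:latest
docker pull requarks/wiki-update-companion:latest

# Create installation directory for Wiki.js. Run under sudo like the write
# below: without it the mkdir fails for a non-root user.
sudo mkdir -p /etc/wiki

# Generate DB secret: 32 random bytes, base64-encoded. tee runs under sudo so
# it can write into /etc/wiki; its stdout is discarded so the secret is not
# echoed to the terminal.
# NOTE(review): the file is created with the default umask (commonly
# world-readable on the host). Both containers bind-mount it read-only, so
# before tightening the mode confirm which UID each container reads it as.
openssl rand -base64 32 | sudo tee /etc/wiki/.db-secret >/dev/null

# Create internal docker network
docker network create wikinet

# Create data volume for PostgreSQL
docker volume create pgdata

# Create the containers.
# The database publishes no port (-p is absent), so it is reachable only from
# containers attached to wikinet.
docker create --name=db \
  -e POSTGRES_DB=wiki \
  -e POSTGRES_USER=wiki \
  -e POSTGRES_PASSWORD_FILE=/etc/wiki/.db-secret \
  -v /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro \
  -v pgdata:/var/lib/postgresql/data \
  --restart=unless-stopped \
  -h db \
  --network=wikinet \
  postgres:15

# Data volume for the Wiki.js content directory
docker volume create wikidata

# "-p 8080:3000" publishes the wiki on every host interface on port 8080.
# NOTE(review): nothing in this command adds TLS; put a TLS-terminating
# reverse proxy in front, or bind to 127.0.0.1, if the host is reachable from
# untrusted networks.
docker create --name=wiki \
  -e DB_TYPE=postgres \
  -e DB_HOST=db \
  -e DB_PORT=5432 \
  -e DB_PASS_FILE=/etc/wiki/.db-secret \
  -v /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro \
  -v wikidata:/wiki/data/content \
  -e DB_USER=wiki \
  -e DB_NAME=wiki \
  -e UPGRADE_COMPANION=1 \
  --restart=unless-stopped \
  -h wiki \
  --network=wikinet \
  -p 8080:3000 \
  requarks/wiki:latest

# Optional: update companion.
# NOTE(review): ":ro" only makes the bind mount read-only; a process in the
# container can still connect to the socket and call the Docker API, which is
# equivalent to root on the host. Create this container only if in-app
# upgrades are really needed.
docker create --name=wiki-update-companion \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --restart=unless-stopped \
  -h wiki-update-companion \
  --network=wikinet \
  requarks/wiki-update-companion:latest

# Start the database first, then the wiki that depends on it.
docker start db
docker start wiki
# Optional
docker start wiki-update-companion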
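# Compose equivalent of the docker commands: Wiki.js plus PostgreSQL, reusing
# the externally created network (wikinet) and volumes (wikidata, pgdata).
# /etc/wiki/.db-secret must already exist on the host as a file; if the path
# is missing, Docker creates a directory there and the password read fails.
services:
  wiki:
    container_name: wikijs
    # NOTE(review): ":latest" is a mutable tag; pin a version for repeatable deploys.
    image: requarks/wiki:latest
    restart: unless-stopped
    hostname: wikijs
    ports:
      # Published on all host interfaces. Quoted so YAML always reads it as a string.
      # NOTE(review): no TLS here; front it with a TLS reverse proxy if exposed.
      - "8080:3000"
    volumes:
      - wiki_vol:/wiki/data/content
      # DB password file, mounted read-only at the path DB_PASS_FILE points to.
      - /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro
    networks:
      - default
    environment:
      - DB_TYPE=postgres
      # Matches the container_name of the postgres service below.
      - DB_HOST=wikidb
      - DB_PORT=5432
      - DB_PASS_FILE=/etc/wiki/.db-secret
      - DB_USER=wiki
      - DB_NAME=wiki
      # NOTE(review): no wiki-update-companion service is defined in this file;
      # presumably it is run separately. Confirm, or drop this setting.
      - UPGRADE_COMPANION=1
    depends_on:
      - postgres
  postgres:
    container_name: wikidb
    image: postgres:15
    restart: unless-stopped
    hostname: pgdb
    # No "ports:" entry: the database is reachable only on the wikinet network.
    volumes:
      - pg_vol:/var/lib/postgresql/data
      - /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro
    networks:
      - default
    environment:
      - POSTGRES_DB=wiki
      - POSTGRES_USER=wiki
      - POSTGRES_PASSWORD_FILE=/etc/wiki/.db-secret
networks:
  # The project's default network is mapped onto the pre-created "wikinet".
  default:
    external: true
    name: wikinet
volumes:
  # Both volumes are created outside Compose and only referenced here.
  wiki_vol:
    external: true
    name: wikidata
  pg_vol:
    external: true
    name: pgdata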
配置Authelia configuration.yaml,配置wiki.js OIDC参数,测试验证发现无法登录成功,报如下这些错误:
1. Missing or invalid email address from profile.
2. Failed to fetch user profile
3. Invalid email / username or password.
折腾一天,不管怎么修改Authelia配置,还是修改Wikijs OIDC配置,都行不通,放弃…
从github先clone wiki源代码,参考https://docs.requarks.io/dev里面的调试方法,却能够通过Authelia认证,也没有上面的报错
# Bring up the development stack from the repository's compose file, detached.
docker-compose --file dev/containers/docker-compose.yml up --detach
# Install the dependencies inside the app container (first run only).
docker exec wiki-app yarn
# Run the project's "dev" script inside the app container.
docker exec wiki-app yarn dev
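在 wiki/server/models/users.js 里面添加一些调试打印信息,证明了能够从 Authelia 获取到 profile 和 email 等信息。注意:这些调试打印会把 provider 配置(包括 clientSecret)和用户资料(邮箱、姓名)原样写入日志,调试结束后应删除这些打印;clientSecret 一旦出现在日志或公开页面中,应在 Authelia 和 Wiki.js 两端同时更换。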
2025-08-03T08:44:04.731Z [MASTER] error: [processProfile] 开始处理: {"providerKey":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","profileId":"44df2d7a-3e7b-4795-8c27-b037fa7676bf"}
2025-08-03T08:44:04.732Z [MASTER] error: [processProfile] provider信息: {"config":{"clientId":"wikijs","clientSecret":"zF3k4xJ4oB6okCUWWCU","authorizationURL":"https://auth.abitacc.com/api/oidc/authorization","tokenURL":"https://auth.abitacc.com/api/oidc/token","userInfoURL":"https://auth.abitacc.com/api/oidc/userinfo","skipUserProfile":false,"issuer":"https://auth.abitacc.com","emailClaim":"email","displayNameClaim":"name","mapGroups":false,"groupsClaim":"groups","logoutURL":"","acrValues":"","callbackURL":"https://wiki.abitacc.com/login/fedca3cd-15dd-4518-a7ca-a55129ef1f32/callback","key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32"},"key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","isEnabled":true,"selfRegistration":true,"domainWhitelist":[],"autoEnrollGroups":[1],"order":1,"strategyKey":"oidc","displayName":"Authlia"}
2025-08-03T08:44:04.742Z [MASTER] error: [processProfile] 查询providerId用户: undefined
2025-08-03T08:44:04.744Z [MASTER] error: Received profile for email processing: {"emails":[{"value":"wangkart@aliyun.com"}],"email":"wangkart@aliyun.com"}
2025-08-03T08:44:04.745Z [MASTER] error: [processProfile] 从emails数组提取primaryEmail: {"primaryEmail":"wangkart@aliyun.com","emails":[{"value":"wangkart@aliyun.com"}]}
2025-08-03T08:44:04.746Z [MASTER] error: [processProfile] 最终primaryEmail: {"primaryEmail":"wangkart@aliyun.com"}
2025-08-03T08:44:04.754Z [MASTER] error: [processProfile] 查询pending social用户: undefined
2025-08-03T08:44:04.755Z [MASTER] error: [processProfile] 使用profile.displayName: {"displayName":"汪新露"}
2025-08-03T08:44:04.756Z [MASTER] error: [processProfile] 提取pictureUrl: {"pictureUrl":""}
2025-08-03T08:44:04.758Z [MASTER] error: [processProfile] 授权判断: {"selfRegistration":true,"userFound":false,"providerKey":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","primaryEmail":"wangkart@aliyun.com"}
2025-08-03T08:44:04.760Z [MASTER] error: [processProfile] 允许自注册: {"config":{"clientId":"wikijs","clientSecret":"zF3k4xJ4oB6okCUWWCU","authorizationURL":"https://auth.abitacc.com/api/oidc/authorization","tokenURL":"https://auth.abitacc.com/api/oidc/token","userInfoURL":"https://auth.abitacc.com/api/oidc/userinfo","skipUserProfile":false,"issuer":"https://auth.abitacc.com","emailClaim":"email","displayNameClaim":"name","mapGroups":false,"groupsClaim":"groups","logoutURL":"","acrValues":"","callbackURL":"https://wiki.abitacc.com/login/fedca3cd-15dd-4518-a7ca-a55129ef1f32/callback","key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32"},"key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","isEnabled":true,"selfRegistration":true,"domainWhitelist":[],"autoEnrollGroups":[1],"order":1,"strategyKey":"oidc","displayName":"Authlia"}
2025-08-03T08:44:04.826Z [MASTER] error: [processProfile] 新用户已创建: {"providerKey":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","providerId":"44df2d7a-3e7b-4795-8c27-b037fa7676bf","email":"wangkart@aliyun.com","name":"汪新露","pictureUrl":"","localeCode":"zh","defaultEditor":"markdown","tfaIsActive":false,"isSystem":false,"isActive":true,"isVerified":true,"createdAt":"2025-08-03T08:44:04.790Z","updatedAt":"2025-08-03T08:44:04.790Z","id":3,"password":null,"tfaSecret":null,"jobTitle":"","location":"","timezone":"America/New_York","mustChangePwd":false,"lastLoginAt":null,"dateFormat":"","appearance":""}
2025-08-03T08:44:04.858Z [MASTER] error: [processProfile] 用户自动加入组: {"groups":[1]}
开放注册选项一定要开,不打开的话,就会报 “You are not authorized to login.” 的错误:
2025-08-03T08:35:47.747Z [MASTER] error: [processProfile] 开始处理: {"providerKey":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","profileId":"44df2d7a-3e7b-4795-8c27-b037fa7676bf"}
2025-08-03T08:35:47.748Z [MASTER] error: [processProfile] provider信息: {"config":{"clientId":"wikijs","clientSecret":"zF3k4xJ4oB6okCUWWCU","authorizationURL":"https://auth.abitacc.com/api/oidc/authorization","tokenURL":"https://auth.abitacc.com/api/oidc/token","userInfoURL":"https
://auth.abitacc.com/api/oidc/userinfo","skipUserProfile":false,"issuer":"https://auth.abitacc.com","emailClaim":"email","displayNameClaim":"name","mapGroups":false,"groupsClaim":"groups","logoutURL":"","acrValues":"","callbackURL":"https://wiki.abitacc.com/login/fedca3cd-15dd-4518-a7ca-a55129ef1f32/callback","key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32"},"key":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","isEnabled":true,"selfRegistration":false,"domainWhitelist":[],"autoEnrollGroups":[],"order":1,"strategyKey":"oidc","displayName":"Authlia"}
2025-08-03T08:35:47.758Z [MASTER] error: [processProfile] 查询providerId用户: undefined
2025-08-03T08:35:47.759Z [MASTER] error: Received profile for email processing: {"emails":[{"value":"wangkart@aliyun.com"}],"email":"wangkart@aliyun.com"}
2025-08-03T08:35:47.761Z [MASTER] error: [processProfile] 从emails数组提取primaryEmail: {"primaryEmail":"wangkart@aliyun.com","emails":[{"value":"wangkart@aliyun.com"}]}
2025-08-03T08:35:47.762Z [MASTER] error: [processProfile] 最终primaryEmail: {"primaryEmail":"wangkart@aliyun.com"}
2025-08-03T08:35:47.771Z [MASTER] error: [processProfile] 查询pending social用户: undefined
2025-08-03T08:35:47.772Z [MASTER] error: [processProfile] 使用profile.displayName: {"displayName":"汪新露"}
2025-08-03T08:35:47.775Z [MASTER] error: [processProfile] 提取pictureUrl: {"pictureUrl":""}
2025-08-03T08:35:47.775Z [MASTER] error: [processProfile] 未授权登录: {"providerKey":"fedca3cd-15dd-4518-a7ca-a55129ef1f32","profile":{"id":"44df2d7a-3e7b-4795-8c27-b037fa7676bf","displayName":"汪新露","username":"wangxinlu","name":{"familyName":"汪新露","givenName":"wangxinlu"},"emails":[{"value":"wangkart@aliyun.com"}],"_raw":"{\"email\":\"wangkart@aliyun.com\",\"email_verified\":true,\"family_name\":\"汪新露\",\"given_name\":\"wangxinlu\",\"name\":\"汪新露\",\"nickname\":\"wangxinlu\",\"preferred_username\":\"wangxinlu\",\"rat\":1754210142,\"sub\":\"44df2d7a-3e7b-4795-8c27-b037fa7676bf\",\"updated_at\":1754210147}\n","_json":{"email":"wangkart@aliyun.com","email_verified":true,"family_name":" 汪新露","given_name":"wangxinlu","name":"汪新露","nickname":"wangxinlu","preferred_username":"wangxinlu","rat":1754210142,"sub":"44df2d7a-3e7b-4795-8c27-b037fa7676bf","updated_at":1754210147},"email":"wangkart@aliyun.com"}}
2025-08-03T08:35:47.778Z [MASTER] error: Authentication strategy returned an error: You are not authorized to login.
2025-08-03T08:40:52.229Z [MASTER] error: Authentication strategy returned an error: Invalid email / username or password.
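开放注册:允许任何成功获得登录方式授权的用户访问 wiki。也就是说,凡是能通过 Authelia 认证的账号都会在 Wiki.js 中自动建号,因此应在 Authelia 侧用访问策略限制谁可以登录该客户端,或在 Wiki.js 中设置域名白名单(上面日志里 domainWhitelist 为空)。另外,上面日志中的 autoEnrollGroups 为 [1];在默认安装中 ID 为 1 的组通常是管理员组(请在后台的组管理中确认),新用户应自动加入一个低权限的组。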
这种认证方式就很容易,把对应配置OK,认证都是OK的
在Wiki.js的LDAP配置页面填写如下参数:
ldap://ldap.abitacc.com:636
cn=admin,dc=abitacc,dc=com
your_admin_password
ou=people,dc=abitacc,dc=com
(|(uid={{username}})(mail={{username}}))
表示只要 uid 或 mail 属性匹配即可。
uid
mail
cn
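注意:要把开放注册选项打开,不然使用 LDAP 无法登录到 Wiki.js;请小心授予这些新用户的权限。另外,上面的 URL 用的是 ldap:// 协议却指向 636 端口(通常是 LDAPS 端口):应改用 ldaps:// 或启用 TLS 并校验服务器证书,否则管理员绑定密码和用户密码可能以明文传输;绑定账号也最好换成只读的专用账号,而不是 cn=admin。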
使用兼容S3的对象存储服务minio
为了安全,我们不直接使用 MINIO_ROOT_USER。我们将创建一个新用户wikijs 并授予其仅能访问 wikijs 存储桶的权限。
创建一个名为 wikijs-policy.json 的策略文件,内容如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::wikijs/*",
"arn:aws:s3:::wikijs"
]
}
]
}
命令如下:
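# Copy wikijs-policy.json into minio-client container
docker cp wikijs-policy.json minio-client:/root/
# Register the policy on the "minio" alias under the name "wikijs-policy"
docker exec minio-client mc admin policy create minio wikijs-policy /root/wikijs-policy.json
# Create new user "wikijs".
# NOTE(review): a secret passed as a command-line argument is saved in shell
# history and is visible in the process list while the command runs; clear the
# history entry afterwards, or supply the secret without putting it on the
# command line if your mc version supports that.
docker exec minio-client mc admin user add minio wikijs "your-strong-password"
# Attach the policy to the user wikijs. The policy name must be the one used in
# "policy create" above (wikijs-policy), not the user name.
docker exec minio-client mc admin policy attach minio wikijs-policy --user=wikijs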
注意:请把 your-strong-password 替换成你自己的密码(token)。
your-strong-password
”