Diffstat (limited to 'ansible/roles')
6 files changed, 149 insertions, 15 deletions
diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf new file mode 100644 index 0000000..3823cf1 --- /dev/null +++ b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf @@ -0,0 +1,56 @@ +# Based on /etc/apache2/conf-available/mediawiki.conf + +<VirtualHost *:80> + ServerName mw.trygvis.io + + ServerAdmin webmaster@trygvis.io + DocumentRoot /var/lib/mediawiki + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +<Directory /var/lib/mediawiki/> + Options +FollowSymLinks + AllowOverride All + <IfVersion >= 2.3> + Require all granted + </IfVersion> + <IfVersion < 2.3> + order allow,deny + allow from all + </IfVersion> +</Directory> + +# some directories must be protected +<Directory /var/lib/mediawiki/config> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +<Directory /var/lib/mediawiki/images> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +<Directory /var/lib/mediawiki/upload> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +</VirtualHost> +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml index 0298ff9..3588f2b 100644 --- a/ansible/roles/mw-backend/handlers/main.yml +++ b/ansible/roles/mw-backend/handlers/main.yml @@ -1,5 +1,9 @@ --- - name: update apt cache - become: yes apt: update_cache: yes + +- name: reload apache + service: + name: apache2 + state: reloaded 
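Review bot: In the `<Directory /var/lib/mediawiki/config>`, `images` and `upload` blocks the only protection is `php_admin_flag engine off` inside `<IfModule mod_php7.c>` / `<IfModule mod_php5.c>`, so it silently does nothing if PHP is served by another handler such as PHP-FPM, and the parent block's `Require all granted` is still inherited. With the engine off, a `.php` file under `config` would presumably be returned as plain text rather than refused, so that directory is better closed with `Require all denied`. For `images` and `upload`, a handler-independent guard such as `<FilesMatch "\.(php[0-9]?|phtml|phar)$">` containing `Require all denied` keeps uploaded scripts inert whichever PHP integration is active. The vhost also listens on `*:80` with no source restriction; if only the TLS frontend is meant to reach it, a `Require ip` line naming the frontend address in the top-level `<Directory>` would state that.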
diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml index 799f0e5..a60f08d 100644 --- a/ansible/roles/mw-backend/tasks/main.yml +++ b/ansible/roles/mw-backend/tasks/main.yml @@ -1,21 +1,66 @@ --- - name: apt setup - tags: packages - become: yes + tags: + - mw-backend + - packages block: - copy: dest: /etc/apt/apt.conf.d/99force-ipv4 content: 'Acquire::ForceIPv4 "true";' notify: update apt cache + - name: configure debian repositories + notify: update apt cache + copy: + dest: /etc/apt/sources.list + content: | + deb http://httpredir.debian.org/debian/ stretch main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free - meta: flush_handlers -# - name: packages -# tags: packages -# become: yes -# apt: -# name: "{{ item }}" -# install_recommends: no -# with_items: -# - ping -# - apache2 + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - etckeeper + + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - iputils-ping + - vim-nox + - host + - less + +- name: Mediawiki + tags: + - mw-backend + - mediawiki + block: + - name: packages + notify: reload apache + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - php-pgsql + - php-intl + - php-gd + - php-apcu + - mediawiki + - name: apache config + notify: reload apache + copy: + src: etc/apache2/sites-enabled/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf 
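Review bot: The new `copy` tasks for `/etc/apt/sources.list` and `/etc/apache2/sites-enabled/000-default.conf` set no `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask and on any file already present; adding `owner: root`, `group: root` and `mode: "0644"` pins them. The block-level `become: yes` is removed in this hunk, so these tasks only succeed if privilege escalation is configured at play or inventory level, which is not visible here. The repository lines use plain `http://`; APT still verifies the signed Release files, but a comment such as `# integrity relies on the Debian archive keyring, transport is unencrypted` would record that this is deliberate. On style, `install_recommends: no` reads more safely as `false`, and the tasks all named `packages` would be easier to trace in output with distinct names.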
diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf index 533c559..210cf2f 100644 --- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf +++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf @@ -20,11 +20,12 @@ allow from all </Directory> + ProxyTimeout 600 ProxyPreserveHost On - ProxyPass / http://mw.trygvis.io/ + ProxyPass / http://10.0.3.2/ - SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io-0001/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io-0001/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule> diff --git a/ansible/roles/mw-frontend/handlers/main.yml b/ansible/roles/mw-frontend/handlers/main.yml new file mode 100644 index 0000000..1b2172f --- /dev/null +++ b/ansible/roles/mw-frontend/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml index 40906ea..ee54719 100644 --- a/ansible/roles/mw-frontend/tasks/main.yml +++ b/ansible/roles/mw-frontend/tasks/main.yml 
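Review bot: `ProxyPass / http://10.0.3.2/` sends the decrypted requests to a hard-coded address over plain HTTP, which is acceptable only if that address is on a host-local or otherwise private network; a comment above the line naming what 10.0.3.2 is would record that assumption. No `ProxyPassReverse / http://10.0.3.2/` or `RequestHeader set X-Forwarded-Proto "https"` appears in the hunk, though the VirtualHost starts outside it and they may exist above. The `mw.trygvis.io-0001` certificate paths look like a duplicate certbot lineage, so it is worth confirming that this is the lineage being renewed, otherwise the site will keep serving a certificate that expires. `ProxyTimeout 600` lets a stalled backend hold a frontend worker for ten minutes, so a comment giving the reason for that value would help later review.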
@@ -1,8 +1,31 @@ --- - name: Apache config become: yes + tags: + - mw-frontend block: - name: apache config copy: src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - python-psycopg2 + - name: postgresql db + become: yes + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: CREATE ROLE mediawiki + postgresql_user: + name: "mediawiki" + password: "{{ mediawiki_secrets.mediawiki_password }}" + encrypted: yes + - name: CREATE DATABASE mediawiki + postgresql_db: + name: "mediawiki" + encoding: "utf-8" |
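Review bot: The `CREATE DATABASE mediawiki` task calls `postgresql_db` without `owner`, so the database is owned by the role the task connects as (`postgres` here) and the `mediawiki` role's rights on it are left to defaults; adding `owner: "mediawiki"` makes the intended privilege explicit. `ansible_ssh_pipelining: true` next to `become_user: postgres` looks like the workaround for becoming an unprivileged user and deserves a comment, for example `# pipelining avoids temp module files that the postgres user could not read`. `mediawiki_secrets.mediawiki_password` is defined outside this diff; it should come from an Ansible Vault encrypted vars file rather than a plain one. `encrypted: yes` would read more safely as `true`.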