Diffstat (limited to 'ansible/roles')
16 files changed, 248 insertions, 443 deletions
diff --git a/ansible/roles/apache/defaults/main.yml b/ansible/roles/apache/defaults/main.yml
new file mode 100644
index 0000000..e28958f
--- /dev/null
+++ b/ansible/roles/apache/defaults/main.yml
@@ -0,0 +1,2 @@
+apache__template:
+apache__copy:
diff --git a/ansible/roles/apache/handlers/main.yml b/ansible/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..9a5a629
--- /dev/null
+++ b/ansible/roles/apache/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: systemctl reload apache
+ become: yes
+ systemd:
+ name: apache2
+ state: reloaded
+
+- name: systemctl restart apache
+ become: yes
+ systemd:
+ name: apache2
+ state: restarted
diff --git a/ansible/roles/apache/tasks/main.yml b/ansible/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..2bb953d
--- /dev/null
+++ b/ansible/roles/apache/tasks/main.yml
@@ -0,0 +1,32 @@
+- become: yes
+ tags:
+ - apache
+ block:
+ - name: packages
+ vars:
+ items:
+ - apache2
+ apt:
+ name: "{{ items }}"
+ install_recommends: no
+
+- become: yes
+ tags:
+ - apache
+ - apache-config
+ block:
+ - name: "fill /etc/apache2"
+ with_items: "{{ apache__copy }}"
+ when: item is defined and item
+ notify: systemctl reload apache
+ copy:
+ dest: "/etc/apache2/{{ item }}"
+ src: "{{ item }}"
+
+ - name: "fill /etc/apache2"
+ with_items: "{{ apache__template }}"
+ when: item is defined and item
+ notify: systemctl reload apache
+ template:
+ dest: "/etc/apache2/{{ item|replace(apache__template_prefix, '') }}"
+ src: "{{ item }}"
diff --git a/ansible/roles/mediawiki/defaults/main.yml b/ansible/roles/mediawiki/defaults/main.yml
new file mode 100644
index 0000000..5858563
--- /dev/null
+++ b/ansible/roles/mediawiki/defaults/main.yml
@@ -0,0 +1,2 @@
+mediawiki__enable_local_composer: no
+mediawiki__force_update: no
diff --git a/ansible/roles/mw-backend/files/bin/mw-dump-backup b/ansible/roles/mediawiki/files/bin/mw-dump-backup
index 0e21eb2..eb98d7d 100644
--- a/ansible/roles/mw-backend/files/bin/mw-dump-backup
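Review bot: The second "fill /etc/apache2" task in apache/tasks/main.yml calls `replace(apache__template_prefix, '')`, but the role defaults added in this commit define only `apache__template` and `apache__copy`, so the task fails on an undefined variable unless every caller sets the prefix; adding `apache__template_prefix: ""` to defaults/main.yml would make the role self-contained. Both tasks also carry the same name, which makes run output and `--start-at-task` ambiguous. Neither task sets `owner`, `group` or `mode`, so new files under /etc/apache2 take whatever the target's default umask yields; pinning them (for example `owner: root`, `group: root`, `mode: "0644"`) keeps the permissions of web-server configuration predictable.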
+++ b/ansible/roles/mediawiki/files/bin/mw-dump-backup @@ -2,7 +2,7 @@ set -euo pipefail -exec php /usr/share/mediawiki/maintenance/dumpBackup.php \ +exec sudo -u www-data php /usr/share/mediawiki/maintenance/dumpBackup.php \ --full \ --include-files \ --uploads \ diff --git a/ansible/roles/mw-backend/files/bin/mw-dump-db b/ansible/roles/mediawiki/files/bin/mw-dump-db index 5a6699a..5a6699a 100644 --- a/ansible/roles/mw-backend/files/bin/mw-dump-db +++ b/ansible/roles/mediawiki/files/bin/mw-dump-db diff --git a/ansible/roles/mediawiki/files/systemd/mediawiki-jobqueue.service b/ansible/roles/mediawiki/files/systemd/mediawiki-jobqueue.service new file mode 100644 index 0000000..a27891e --- /dev/null +++ b/ansible/roles/mediawiki/files/systemd/mediawiki-jobqueue.service @@ -0,0 +1,13 @@ +[Unit] +Description=MediaWiki job runner + +[Service] +WorkingDirectory=/opt/mediawiki/mediawiki/maintenance +# 900 is 15 minutes, this task is triggered every 15 minutes +ExecStart=/usr/bin/php runJobs.php --conf ../LocalSettings.php --maxtime=800 --wait +User=www-data +Group=www-data +StandardOutput=journal + +Nice=10 +OOMScoreAdjust=500 diff --git a/ansible/roles/mw-backend/files/etc/systemd/system/mw-jobqueue.timer b/ansible/roles/mediawiki/files/systemd/mediawiki-jobqueue.timer index 1d12500..1d12500 100644 --- a/ansible/roles/mw-backend/files/etc/systemd/system/mw-jobqueue.timer +++ b/ansible/roles/mediawiki/files/systemd/mediawiki-jobqueue.timer diff --git a/ansible/roles/mediawiki/handlers/main.yml b/ansible/roles/mediawiki/handlers/main.yml new file mode 100644 index 0000000..8735482 --- /dev/null +++ b/ansible/roles/mediawiki/handlers/main.yml @@ -0,0 +1,10 @@ +- name: systemd daemon-reload + become: yes + systemd: + daemon_reload: true + +- name: service restart php-fpm + become: yes + service: + name: php7.0-fpm + state: restarted diff --git a/ansible/roles/mediawiki/tasks/main.yml b/ansible/roles/mediawiki/tasks/main.yml new file mode 100644 index 0000000..6d1850b 
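Review bot: The comment above `ExecStart` in mediawiki-jobqueue.service says "900 is 15 minutes", but the command passes `--maxtime=800`, so a reader cannot tell which number is intended; a comment such as `# timer fires every 900 s; --maxtime=800 leaves a margin so runs do not overlap` would state the intent, if that is the intent. The unit also sets no sandboxing options: since it runs PHP as www-data over wiki content, `NoNewPrivileges=yes` and `ProtectSystem=full` are low-risk additions, and `PrivateTmp=yes` is worth adding once it is confirmed that the job runner does not need to share temporary files with php-fpm.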
--- /dev/null
+++ b/ansible/roles/mediawiki/tasks/main.yml
@@ -0,0 +1,177 @@
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-packages
+ block:
+ - name: packages
+ vars:
+ items:
+ - composer
+ - php-apcu
+ - php-gd
+ - php-intl
+ - php-mbstring
+ - php-pgsql
+ - php-xml
+ - php-zip
+ apt:
+ name: "{{ items }}"
+ install_recommends: no
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-php
+ block:
+ - name: increase maximum file size (for uploads) to 20M
+ notify: service restart php-fpm
+ ini_file:
+ path: /etc/php/7.0/fpm/php.ini
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ - option: upload_max_filesize
+ value: 20M
+ - option: post_max_size
+ value: 20M
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-clone
+ block:
+ - name: mkdir /opt/mediawiki
+ file:
+ path: /opt/mediawiki
+ state: directory
+
+ - name: mkdir /opt/mediawiki/mediawiki
+ file:
+ path: /opt/mediawiki/mediawiki
+ state: directory
+ owner: www-data
+
+ - name: git clone
+ become: yes
+ become_user: www-data
+ vars:
+ ansible_ssh_pipelining: true
+ git:
+ repo: https://github.com/bitraf/mediawiki
+ dest: /opt/mediawiki/mediawiki
+ version: "{{ mediawiki__version }}"
+ update: "{{ 'yes' if mediawiki__force_update else 'no' }}"
+ force: "{{ 'yes' if mediawiki__force_update else 'no' }}"
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-composer
+ block:
+ - name: mkdirs
+ with_items:
+ - /var/www/.ansible
+ - /var/www/.composer
+ file:
+ path: "{{ item }}"
+ state: directory
+ group: www-data
+ owner: www-data
+
+ - name: Create composer.local.json
+ when: mediawiki__composer_require is defined
+ vars:
+ content: |
+ {{ '{ "require": {' }}
+ {% for k, v in mediawiki__composer_require.items() %}
+ "{{ k }}": "{{ v }}"{% if not loop.last %},{% endif %}
+ {% endfor %}
+ {{ '} }' }}
+ copy:
+ dest: /opt/mediawiki/mediawiki/composer.local.json
+ content: "{{ content | to_nice_json }}"
+
+ - name: run composer
+ become: yes
+ become_user: www-data
+ vars:
+ ansible_ssh_pipelining: true
+ composer:
+ command: update
+ working_dir: /opt/mediawiki/mediawiki
+
+- name: "Extensions"
+ become: yes
+ tags:
+ - mediawiki
+ - mediawiki-extensions
+ with_items: "{{ mediawiki__extensions }}"
+ git:
+ repo: "{{ item.repo }}"
+ dest: "/opt/mediawiki/mediawiki/extensions/{{ item.dest }}"
+ version: "{{ item.version }}"
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-backup
+ block:
+ # TODO: install systemd timer and service to run these
+ - name: mkdir
+ file:
+ state: directory
+ path: "/opt/mediawiki/backup"
+ - copy:
+ src: "{{ item }}"
+ dest: "/{{ item }}"
+ mode: a+rx
+ with_items:
+ - bin/mw-dump-backup
+ - bin/mw-dump-db
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-config
+ block:
+ - file:
+ path: /etc/mediawiki
+ state: directory
+ - file:
+ dest: /opt/mediawiki/mediawiki/LocalSettings.php
+ src: /etc/mediawiki/LocalSettings.php
+ state: link
+ force: yes
+
+ - name: mediawiki systemd timer
+ notify: systemd daemon-reload
+ copy:
+ src: "systemd/{{ item }}"
+ dest: "/etc/systemd/system/{{ item }}"
+ with_items:
+ - mediawiki-jobqueue.service
+ - mediawiki-jobqueue.timer
+
+- meta: flush_handlers
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-config
+ block:
+ - systemd:
+ enabled: true
+ state: started
+ name: mediawiki-jobqueue.timer
+
+- become: yes
+ tags:
+ - mediawiki
+ - mediawiki-config
+ - update-password
+ block:
+ - name: LocalSettings.php
+ template:
+ dest: /etc/mediawiki
+ src: "{{ mediawiki__local_settings }}"
diff --git a/ansible/roles/mw-backend/files/bin/mw-make-backup b/ansible/roles/mw-backend/files/bin/mw-make-backup
deleted file mode 100644
index e99b909..0000000
--- a/ansible/roles/mw-backend/files/bin/mw-make-backup
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-exec borg create /opt/mediawiki/borg::mediawiki-{now:%Y%m%d-%H%M%S} /opt/mediawiki/backup
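Review bot: The final `LocalSettings.php` task in mediawiki/tasks/main.yml renders the template with no `owner`, `group` or `mode`, so the file is created under the target's default umask; the template this commit removes held `$wgDBpassword` and `$wgSecretKey`, and if the `mediawiki__local_settings` template does too, the task should restrict it, e.g. `owner: root`, `group: www-data`, `mode: "0640"`. `dest: /etc/mediawiki` is a directory, so the file name is taken from the basename of `src`, while the symlink task earlier in the hunk expects `/etc/mediawiki/LocalSettings.php`; writing `dest: /etc/mediawiki/LocalSettings.php` explicitly removes that dependency on the template's file name. Separately, the "Extensions" task runs git as root inside the checkout that www-data owns; adding `become_user: www-data`, as the `git clone` task does, would avoid root operating on a tree the web user can write to.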
diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf deleted file mode 100644 index 0af172a..0000000 --- a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf +++ /dev/null @@ -1,60 +0,0 @@ -# Based on /etc/apache2/conf-available/mediawiki.conf - -<VirtualHost *:80> - ServerName mw.trygvis.io - - ServerAdmin webmaster@trygvis.io - DocumentRoot /var/www/mw.trygvis.io - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - Alias /w /var/lib/mediawiki - Alias /wiki /var/lib/mediawiki/index.php - RedirectMatch permanent ^/$ /wiki/Main_Page - -<Directory /var/lib/mediawiki/> - Options +FollowSymLinks - AllowOverride All - <IfVersion >= 2.3> - Require all granted - </IfVersion> - <IfVersion < 2.3> - order allow,deny - allow from all - </IfVersion> -</Directory> - -# some directories must be protected -<Directory /var/lib/mediawiki/config> - Options -FollowSymLinks - AllowOverride None - <IfModule mod_php7.c> - php_admin_flag engine off - </IfModule> - <IfModule mod_php5.c> - php_admin_flag engine off - </IfModule> -</Directory> -<Directory /var/lib/mediawiki/images> - Options -FollowSymLinks - AllowOverride None - <IfModule mod_php7.c> - php_admin_flag engine off - </IfModule> - <IfModule mod_php5.c> - php_admin_flag engine off - </IfModule> -</Directory> -<Directory /var/lib/mediawiki/upload> - Options -FollowSymLinks - AllowOverride None - <IfModule mod_php7.c> - php_admin_flag engine off - </IfModule> - <IfModule mod_php5.c> - php_admin_flag engine off - </IfModule> -</Directory> -</VirtualHost> -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/ansible/roles/mw-backend/files/etc/systemd/system/mw-jobqueue.service b/ansible/roles/mw-backend/files/etc/systemd/system/mw-jobqueue.service deleted file mode 100644 index a944443..0000000 
--- a/ansible/roles/mw-backend/files/etc/systemd/system/mw-jobqueue.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=MediaWiki Job runner - -[Service] -WorkingDirectory=/var/lib/mediawiki/maintenance -ExecStart=/usr/bin/php runJobs.php --maxjobs 100 -User=www-data -Group=www-data -StandardOutput=journal - -Nice=10 -OOMScoreAdjust=500 diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml deleted file mode 100644 index a8bccb6..0000000 --- a/ansible/roles/mw-backend/handlers/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: update apt cache - apt: - update_cache: yes - -- name: reload apache - service: - name: apache2 - state: reloaded - -- name: systemd daemon-reload - systemd: - daemon_reload: true diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml deleted file mode 100644 index f5d3e67..0000000 --- a/ansible/roles/mw-backend/tasks/main.yml +++ /dev/null 
@@ -1,164 +0,0 @@ ---- -- name: apt setup - tags: - - mw-backend - - packages - block: - - file: - dest: /etc/apt/apt.conf.d/99force-ipv4 - state: absent - - name: configure debian repositories - notify: update apt cache - copy: - dest: /etc/apt/sources.list - content: | - deb http://httpredir.debian.org/debian/ stretch main contrib non-free - deb http://security.debian.org/debian-security stretch/updates main contrib non-free - deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free - deb http://httpredir.debian.org/debian/ stretch-backports main contrib non-free - - - meta: flush_handlers - -# TODO: Remove, use unix-machine instead - - name: packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - git - - etckeeper - -- name: system setup - tags: - - mw-backend - - packages - block: - - name: misc packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - iputils-ping - - vim-nox - - host - - less - - file: - dest: /var/www/.ansible - state: directory - owner: www-data - mode: u=rwX,go= - -- name: Mediawiki - tags: - - mw-backend - - mediawiki - block: - - name: packages - notify: reload apache - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - git - - php-pgsql - - php-intl - - php-gd - - php-apcu - - composer - - php-zip - - mediawiki # TODO: this should be replaced with composer - - name: /var/www/mw.trygvis.io - tags: apache-config - file: - state: directory - path: "/var/www/mw.trygvis.io" - owner: root - group: root - - name: apache config - notify: reload apache - tags: apache-config - copy: - src: etc/apache2/sites-enabled/000-default.conf - dest: /etc/apache2/sites-enabled/000-default.conf - - name: mediawiki config - template: - src: etc/mediawiki/LocalSettings.php.j2 - dest: /etc/mediawiki/LocalSettings.php - - name: mediawiki job systemd service - notify: systemd daemon-reload - copy: - src: etc/systemd/system/mw-jobqueue.service - dest: 
/etc/systemd/system/mw-jobqueue.service - - name: mediawiki job systemd timer - notify: systemd daemon-reload - copy: - src: etc/systemd/system/mw-jobqueue.timer - dest: /etc/systemd/system/mw-jobqueue.timer - - systemd: - enabled: true - state: started - name: mw-jobqueue.timer - -- name: Mediawiki extensions - tags: mw-extensions - block: - - name: directories - file: - state: directory - path: /opt/mediawiki/extensions - owner: www-data - group: root - - - name: run composer install scribunto - with_items: "{{ mediawiki_extensions }}" - become: yes - become_user: www-data - composer: - command: require - arguments: "{{ item.package }} {{ item.version }}" - working_dir: /opt/mediawiki/extensions - - - name: symlink extensions into mediawiki - with_items: "{{ mediawiki_extensions }}" - file: - state: link - dest: "/var/lib/mediawiki/extensions/{{ item.extension }}" - src: "/opt/mediawiki/extensions/extensions/{{ item.extension }}" - - - name: symlink maintenance into smw - file: - state: link - dest: "/opt/mediawiki/extensions/maintenance" - src: "/var/lib/mediawiki/maintenance" - owner: root - group: root - -- name: Mediawiki Backup - tags: - - mw-backend - - mediawiki-backup - block: - - name: packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - borgbackup - - name: mkdir - file: - state: directory - path: "/opt/mediawiki/backup" - - - name: borgbackup init - shell: borgbackup init -e none /opt/mediawiki/borg - args: - creates: /opt/mediawiki/borg - - - copy: - src: "{{ item }}" - dest: "/{{ item }}" - mode: a+rx - with_items: - - bin/mw-dump-backup - - bin/mw-dump-db - - bin/mw-make-backup diff --git a/ansible/roles/mw-backend/templates/etc/mediawiki/LocalSettings.php.j2 b/ansible/roles/mw-backend/templates/etc/mediawiki/LocalSettings.php.j2 deleted file mode 100644 index 450dfab..0000000 --- a/ansible/roles/mw-backend/templates/etc/mediawiki/LocalSettings.php.j2 +++ /dev/null 
@@ -1,188 +0,0 @@ -<?php -# This file was automatically generated by the MediaWiki 1.27.4 -# installer. If you make manual changes, please keep track in case you -# need to recreate them later. -# -# See includes/DefaultSettings.php for all configurable settings -# and their default values, but don't forget to make changes in _this_ -# file, not there. -# -# Further documentation for configuration settings may be found at: -# https://www.mediawiki.org/wiki/Manual:Configuration_settings - -# Protect against web entry -if ( !defined( 'MEDIAWIKI' ) ) { - exit; -} - -## Uncomment this to disable output compression -# $wgDisableOutputCompression = true; - -$wgSitename = "Trygvis's notes to self"; -$wgMetaNamespace = "Project"; - -## The URL base path to the directory containing the wiki; -## defaults for all runtime URL paths are based off of this. -## For more information on customizing the URLs -## (like /w/index.php/Page_title to /wiki/Page_title) please see: -## https://www.mediawiki.org/wiki/Manual:Short_URL -$wgScriptPath = "/w"; -$wgArticlePath = "/wiki/$1"; - -## The protocol and server name to use in fully-qualified URLs -$wgServer = "https://mw.trygvis.io"; - -## The URL path to static resources (images, scripts, etc.) -$wgResourceBasePath = $wgScriptPath; - -## The URL path to the logo. Make sure you change this from the default, -## or else you'll overwrite your logo when you upgrade! 
-$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png"; - -## UPO means: this is also a user preference option - -$wgEnableEmail = true; -$wgEnableUserEmail = true; # UPO - -$wgEmergencyContact = "postmaster@trygvis.io"; -$wgPasswordSender = "postmaster@trygvis.io"; - -$wgEnotifUserTalk = true; # UPO -$wgEnotifWatchlist = true; # UPO -$wgEmailAuthentication = true; - -## Database settings -$wgDBtype = "postgres"; -$wgDBserver = "10.0.3.1"; -$wgDBname = "mediawiki"; -$wgDBuser = "mediawiki"; -$wgDBpassword = "{{ mediawiki_secrets.mediawiki_password }}"; - -# Postgres specific settings -$wgDBport = "5432"; -$wgDBmwschema = "public"; - -## Shared memory settings -$wgMainCacheType = CACHE_ANYTHING; -$wgMemCachedServers = []; - -## To enable image uploads, make sure the 'images' directory -## is writable, then set this to true: -$wgEnableUploads = true; -#$wgUseImageMagick = true; -#$wgImageMagickConvertCommand = "/usr/bin/convert"; -$wgFileExtensions[] = 'pdf'; - -# InstantCommons allows wiki to use images from https://commons.wikimedia.org -$wgUseInstantCommons = true; - -## If you use ImageMagick (or any other shell command) on a -## Linux server, this will need to be set to the name of an -## available UTF-8 locale -$wgShellLocale = "en_US.utf8"; - -## Set $wgCacheDirectory to a writable directory on the web server -## to make your wiki go slightly faster. The directory should not -## be publically accessible from the web. -#$wgCacheDirectory = "$IP/cache"; - -# Site language code, should be one of the list in ./languages/data/Names.php -$wgLanguageCode = "en"; - -$wgSecretKey = "{{ mediawiki_secrets.secret_key }}"; - -# Changing this will log out all existing sessions. -$wgAuthenticationTokenVersion = "1"; - -# Site upgrade key. 
Must be set to a string (default provided) to turn on the -# web installer while LocalSettings.php is in place -$wgUpgradeKey = "4eb6000bab511b23"; - -## For attaching licensing metadata to pages, and displaying an -## appropriate copyright notice / icon. GNU Free Documentation -## License and Creative Commons licenses are supported so far. -$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright -$wgRightsUrl = "https://creativecommons.org/publicdomain/zero/1.0/"; -$wgRightsText = "Creative Commons Zero (Public Domain)"; -$wgRightsIcon = "$wgResourceBasePath/resources/assets/licenses/cc-0.png"; - -# Path to the GNU diff3 utility. Used for conflict resolution. -$wgDiff3 = "/usr/bin/diff3"; - -# The following permissions were set based on your choice in the installer -$wgGroupPermissions['*']['createaccount'] = false; -$wgGroupPermissions['*']['edit'] = false; - -## Default skin: you can change the default skin. Use the internal symbolic -## names, ie 'vector', 'monobook': -$wgDefaultSkin = "vector"; - -# Enabled skins. -# The following skins were automatically enabled: - -wfLoadExtension( 'Scribunto' ); -$wgScribuntoDefaultEngine = 'luastandalone'; - -wfLoadSkin( 'CologneBlue' ); -wfLoadSkin( 'Modern' ); -wfLoadSkin( 'MonoBook' ); -wfLoadSkin( 'Vector' ); - - -# Enabled extensions. Most of the extensions are enabled by adding -# wfLoadExtensions('ExtensionName'); -# to LocalSettings.php. Check specific extension documentation for more details. -# The following extensions were automatically enabled: -wfLoadExtension( 'Cite' ); -wfLoadExtension( 'ParserFunctions' ); - -# Doesnt work yet: wfLoadExtension( 'SemanticMediaWiki' ); -require_once "/opt/mediawiki/extensions/vendor/autoload.php"; - -# End of automatically generated settings. -# Add more configuration options below. 
- -# Debian specific generated settings -# Use system mimetypes -$wgMimeTypeFile = '/etc/mime.types'; -# Load legacy extensions -if ( is_file( "/etc/mediawiki-extensions/extensions.php" ) ) { - include "/etc/mediawiki-extensions/extensions.php"; -} -# Add a "powered by Debian" footer icon -$wgFooterIcons['poweredby']['debian'] = [ - "src" => "/w/resources/assets/debian/poweredby_debian_1x.png", - "url" => "https://www.debian.org/", - "alt" => "Powered by Debian", - "srcset" => - "/w/resources/assets/debian/poweredby_debian_1_5x.png 1.5x, " . - "/w/resources/assets/debian/poweredby_debian_2x.png 2x", -]; -# End Debian specific generated settings -# Add more configuration options below. - -$wgUseCategoryBrowser = true; - -// Define constants for my additional namespaces. -define("NS_CHIP", 3000); // This MUST be even. -define("NS_CHIP_TALK", 3001); // This MUST be the following odd integer. -define("NS_BOARD", 3002); // This MUST be even. -define("NS_BOARD_TALK", 3003); // This MUST be the following odd integer. - -enableSemantics( 'https://mw.trygvis.io/wiki/', true ); - -$smwgShowFactbox = SMW_FACTBOX_NONEMPTY; - -// Add "Chip" namespace -$wgExtraNamespaces[NS_CHIP] = "Chip"; -$wgExtraNamespaces[NS_CHIP_TALK] = "Chip_talk"; // Note underscores in the namespace name. -$wgContentNamespaces[] = NS_CHIP; -$smwgNamespacesWithSemanticLinks[NS_CHIP] = true; - -$wgExtraNamespaces[NS_BOARD] = "Board"; -$wgExtraNamespaces[NS_BOARD_TALK] = "Board_talk"; // Note underscores in the namespace name. -$wgContentNamespaces[] = NS_BOARD; -$smwgNamespacesWithSemanticLinks[NS_BOARD] = true; - -# https://www.mediawiki.org/wiki/Manual:$wgSMTP -$wgSMTP = array('host' => '10.0.3.1', 'auth' => false); |