From 37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Sun, 25 Feb 2018 07:15:53 +0100 Subject: wip --- .../etc/apache2/sites-enabled/000-default.conf | 56 ++++++++++++++++++ ansible/roles/mw-backend/handlers/main.yml | 6 +- ansible/roles/mw-backend/tasks/main.yml | 67 ++++++++++++++++++---- .../apache2/sites-available/mw.trygvis.io-ssl.conf | 7 ++- ansible/roles/mw-frontend/handlers/main.yml | 5 ++ ansible/roles/mw-frontend/tasks/main.yml | 23 ++++++++ 6 files changed, 149 insertions(+), 15 deletions(-) create mode 100644 ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf create mode 100644 ansible/roles/mw-frontend/handlers/main.yml (limited to 'ansible/roles') diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf new file mode 100644 index 0000000..3823cf1 --- /dev/null +++ b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf @@ -0,0 +1,56 @@ +# Based on /etc/apache2/conf-available/mediawiki.conf + + + ServerName mw.trygvis.io + + ServerAdmin webmaster@trygvis.io + DocumentRoot /var/lib/mediawiki + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + Options +FollowSymLinks + AllowOverride All + = 2.3> + Require all granted + + + order allow,deny + allow from all + + + +# some directories must be protected + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml index 0298ff9..3588f2b 100644 
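Review bot: In the new 000-default.conf the document root combines `AllowOverride All` with `Require all granted` / `allow from all`, so any .htaccess file under /var/lib/mediawiki can override server configuration and the vhost answers every client that can reach the backend. If this host is only meant to sit behind the mw-frontend proxy (the frontend hunk in this commit proxies to it over plain HTTP), consider `AllowOverride None` with the needed rules inline and limiting access to the proxy, e.g. `Require ip <frontend address>`. The file is also copied straight into sites-enabled, which on Debian normally holds symlinks into sites-available; installing it there and enabling it keeps `a2ensite`/`a2dissite` usable. The container directives are not visible in this rendering of the patch, so which directories have the PHP engine switched off should be checked against the real file.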
--- a/ansible/roles/mw-backend/handlers/main.yml
+++ b/ansible/roles/mw-backend/handlers/main.yml
@@ -1,5 +1,9 @@
 ---
 - name: update apt cache
- become: yes
 apt:
 update_cache: yes
+
+- name: reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml
index 799f0e5..a60f08d 100644
--- a/ansible/roles/mw-backend/tasks/main.yml
+++ b/ansible/roles/mw-backend/tasks/main.yml
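Review bot: Both handlers in this file now run without `become`: the hunk drops it from `update apt cache` and the new `reload apache` handler never sets it, while the mw-frontend tasks block in the same commit still carries `become: yes`. Presumably privilege escalation is now set at play level for the backend; if it is not, `apt` and `service` will fail as an unprivileged user. Set it the same way in both roles, or document the expectation with a comment at the top of the file such as `# requires become at play level`.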
@@ -1,21 +1,66 @@ --- - name: apt setup - tags: packages - become: yes + tags: + - mw-backend + - packages block: - copy: dest: /etc/apt/apt.conf.d/99force-ipv4 content: 'Acquire::ForceIPv4 "true";' notify: update apt cache + - name: configure debian repositories + notify: update apt cache + copy: + dest: /etc/apt/sources.list + content: | + deb http://httpredir.debian.org/debian/ stretch main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free - meta: flush_handlers -# - name: packages -# tags: packages -# become: yes -# apt: -# name: "{{ item }}" -# install_recommends: no -# with_items: -# - ping -# - apache2 + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - etckeeper + + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - iputils-ping + - vim-nox + - host + - less + +- name: Mediawiki + tags: + - mw-backend + - mediawiki + block: + - name: packages + notify: reload apache + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - php-pgsql + - php-intl + - php-gd + - php-apcu + - mediawiki + - name: apache config + notify: reload apache + copy: + src: etc/apache2/sites-enabled/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf index 533c559..210cf2f 100644 --- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf 
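Review bot: The sources.list written by the `configure debian repositories` task uses plain `http://` for every mirror, including security.debian.org, and replaces the whole file on each run. apt's signed Release files still protect package integrity, but HTTPS (where the mirror offers it) would hide which packages and security updates the host fetches and keep a network attacker away from apt's HTTP transport code; on stretch that needs `apt-transport-https` installed first. Neither this copy nor the `apache config` copy sets `owner`, `group` or `mode`, so add e.g. `mode: "0644"` to pin the permissions. A smaller point: `git` is installed by two separate tasks, and three tasks share the name `packages`, which makes the run output hard to read.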
+++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf @@ -20,11 +20,12 @@ allow from all + ProxyTimeout 600 ProxyPreserveHost On - ProxyPass / http://mw.trygvis.io/ + ProxyPass / http://10.0.3.2/ - SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io-0001/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io-0001/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf diff --git a/ansible/roles/mw-frontend/handlers/main.yml b/ansible/roles/mw-frontend/handlers/main.yml new file mode 100644 index 0000000..1b2172f --- /dev/null +++ b/ansible/roles/mw-frontend/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml index 40906ea..ee54719 100644 --- a/ansible/roles/mw-frontend/tasks/main.yml +++ b/ansible/roles/mw-frontend/tasks/main.yml @@ -1,8 +1,31 @@ --- - name: Apache config become: yes + tags: + - mw-frontend block: - name: apache config copy: src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - python-psycopg2 + - name: postgresql db + become: yes + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: CREATE ROLE mediawiki + postgresql_user: + name: "mediawiki" + password: "{{ mediawiki_secrets.mediawiki_password }}" + encrypted: yes + - name: CREATE DATABASE mediawiki + postgresql_db: + name: "mediawiki" + encoding: "utf-8" -- cgit v1.2.3
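Review bot: `ProxyPass / http://10.0.3.2/` sends everything behind the TLS terminator to the backend in clear text at a hard-coded address, so confidentiality past this host depends entirely on that network segment being private (it looks like an internal bridge address, but that is not visible here). A comment stating that assumption, e.g. `# backend is reachable only on the internal network; plain HTTP is intentional`, would help the next reader, and the address would be easier to change if the file were rendered with `template` from a variable. `ProxyTimeout 600` lets one slow backend request hold a frontend worker for ten minutes, which deserves a comment or a lower value if it was raised only for a one-off operation. No `ProxyPassReverse` is visible in the hunk; the enclosing VirtualHost starts and ends outside it, so it may already be present.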
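Review bot: The new `reload apache` handler is never notified by anything visible in this commit: the `apache config` copy task in mw-frontend/tasks/main.yml (context lines of the next hunk) has no `notify`. A changed mw.trygvis.io-ssl.conf, including the proxy target and certificate paths changed in this commit, is therefore not picked up until Apache is reloaded by hand. Add `notify: reload apache` to that copy task.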
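Review bot: The `CREATE DATABASE mediawiki` task sets no owner, so the database ends up owned by the `postgres` role the block runs as, and the `mediawiki` role created just before it gets no explicit rights on it. Add `owner: "mediawiki"` to the `postgresql_db` task so the application role owns its own database and nothing else. The password is read from `mediawiki_secrets.mediawiki_password`; presumably that variable lives in an Ansible Vault file, which is worth confirming since its definition is not part of this commit.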