authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/mediawiki/tasks
downloadselfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz
selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip
initial commit
Diffstat (limited to 'roles/mediawiki/tasks')
-rw-r--r--roles/mediawiki/tasks/database.yml50
-rw-r--r--roles/mediawiki/tasks/extension.yml12
-rw-r--r--roles/mediawiki/tasks/freeipa.yml40
-rw-r--r--roles/mediawiki/tasks/main.yml134
4 files changed, 236 insertions, 0 deletions
diff --git a/roles/mediawiki/tasks/database.yml b/roles/mediawiki/tasks/database.yml
new file mode 100644
index 0000000..b00a8a1
--- /dev/null
+++ b/roles/mediawiki/tasks/database.yml
@@ -0,0 +1,50 @@
+- name: create postgresql database
+ postgresql_db:
+ name: '{{ mediawiki_db_name }}'
+ state: present
+ delegate_to: "{{ postgresql_host.split('.')[0] }}"
+ become: True
+ become_user: postgres
+
+- name: create postgresql user
+ postgresql_user:
+ name: '{{ mediawiki_user }}'
+ db: '{{ mediawiki_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: "{{ postgresql_host.split('.')[0] }}"
+ become: True
+ become_user: postgres
+
+- name: check if database schema is initialized
+ postgresql_query:
+ login_user: '{{ mediawiki_user }}'
+ login_host: '{{ mediawiki_db_host }}'
+ db: '{{ mediawiki_db_name }}'
+ query: SELECT 1 FROM mediawiki.page
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ register: mediawiki_check_db
+ failed_when: false
+
+- name: initialize database schema
+ command: >
+ php {{ mediawiki_home }}/maintenance/install.php
+ --server {{ mediawiki_url }}
+ --dbuser {{ mediawiki_user }}
+ --dbname {{ mediawiki_db_name }}
+ --dbserver {{ mediawiki_db_host }}
+ --dbtype postgres
+ --pass {{ mediawiki_admin_password | quote }}
+ --scriptpath /
+ {{ mediawiki_site_name | quote }}
+ {{ mediawiki_admin_username }}
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ when:
+ - mediawiki_check_db.msg is defined
+ - mediawiki_check_db.msg is search('relation "mediawiki.page" does not exist')
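Review bot: The `initialize database schema` task puts the wiki admin password on the php command line via `--pass {{ mediawiki_admin_password | quote }}`, so it is visible in the host's process list while install.php runs and appears in Ansible's task result when the task fails or verbosity is raised. Adding `no_log: true` to that task keeps it out of Ansible's output, and install.php's `--passfile` option would keep it off argv if a root-only temporary file is acceptable. Separately, `check if database schema is initialized` uses `failed_when: false`, so any error other than the missing `mediawiki.page` relation (a failed Kerberos login, for instance) skips installation without any signal; a follow-up `assert` on unexpected `msg` values would surface that.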
diff --git a/roles/mediawiki/tasks/extension.yml b/roles/mediawiki/tasks/extension.yml
new file mode 100644
index 0000000..02f5dc3
--- /dev/null
+++ b/roles/mediawiki/tasks/extension.yml
@@ -0,0 +1,12 @@
+- name: get url for extension tarball
+ uri:
+ url: 'https://www.mediawiki.org/w/index.php?title=Special:ExtensionDistributor&extdistname={{ extension_name }}&extdistversion={{ extension_version }}'
+ register: extension_distributor_resp
+
+- name: extract extension tarball
+ unarchive:
+ src: "{{ extension_distributor_resp.refresh.split(';') | map('trim') | select('search', '^url=') | first | regex_replace('^url=', '') }}"
+ remote_src: yes
+ dest: '{{ mediawiki_home }}/extensions'
+ owner: apache
+ group: apache
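Review bot: The `extract extension tarball` task unpacks whatever URL the ExtensionDistributor `Refresh` header returns straight into `{{ mediawiki_home }}/extensions`, with no checksum and no check on the URL itself, so the PHP the web server will execute is whichever snapshot is served at run time. Splitting this into a `get_url` task with `checksum:` set from a per-extension variable, followed by `unarchive` of the downloaded file, would pin the content and make runs reproducible; at minimum the parsed URL could be asserted to start with `https://` on the expected distribution host before it is used. `extension_name` and `extension_version` are also interpolated into the query string unencoded, and `{{ extension_name | urlencode }}` would be safer. The `extract mediawiki tarball` task in main.yml has the same unverified-download shape.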
diff --git a/roles/mediawiki/tasks/freeipa.yml b/roles/mediawiki/tasks/freeipa.yml
new file mode 100644
index 0000000..565cdca
--- /dev/null
+++ b/roles/mediawiki/tasks/freeipa.yml
@@ -0,0 +1,40 @@
+- name: create mediawiki user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ mediawiki_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ mediawiki_home }}'
+ givenname: MediaWiki
+ sn: Service Account
+ state: present
+ run_once: True
+
+- name: create mediawiki groups
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ nonposix: yes
+ state: present
+ run_once: True
+ loop:
+ - '{{ mediawiki_access_group }}'
+ - '{{ mediawiki_admin_group }}'
+
+- name: retrieve mediawiki user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ mediawiki_user }}'
+ keytab_path: '{{ mediawiki_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: mediawiki
+ gssproxy_section: service/php-fpm
+ gssproxy_client_keytab: '{{ mediawiki_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: apache
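Review bot: Nothing in this file constrains who can read `{{ mediawiki_keytab }}`; ownership and mode are left to the `freeipa_keytab` role, which is not visible here. Since the gssproxy section is set up so that php-fpm (euid `apache`) obtains credentials through the proxy, the keytab presumably only needs to be readable by root, and a comment above `retrieve mediawiki user keytab` such as `# keytab is read by gssproxy only; apache must not have read access` would record that intent. It would also help to note above `configure gssproxy for kerberized postgres` that the `GSS_USE_PROXY: 'yes'` environment set in database.yml and main.yml depends on this section.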
diff --git a/roles/mediawiki/tasks/main.yml b/roles/mediawiki/tasks/main.yml
new file mode 100644
index 0000000..d0c3820
--- /dev/null
+++ b/roles/mediawiki/tasks/main.yml
@@ -0,0 +1,134 @@
+- name: install packages
+ dnf:
+ name: '{{ mediawiki_packages }}'
+ state: present
+
+- name: set PHP APC cache size
+ lineinfile:
+ path: /etc/php.d/40-apcu.ini
+ regexp: ^apc\.shm_size=
+ line: apc.shm_size={{ mediawiki_apc_shm_size }}
+ state: present
+ notify: restart php-fpm
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create mediawiki webroot
+ file:
+ path: '{{ mediawiki_home }}'
+ state: directory
+
+- name: get current mediawiki version
+ command: php {{ mediawiki_home }}/maintenance/version.php
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ changed_when: no
+ failed_when: no
+ register: mediawiki_current_version
+
+- name: extract mediawiki tarball
+ unarchive:
+ src: '{{ mediawiki_tarball }}'
+ remote_src: yes
+ dest: '{{ mediawiki_home }}'
+ owner: apache
+ group: apache
+ extra_opts:
+ - '--strip-components=1'
+
+- name: set permissions on writeable directories
+ file:
+ path: '{{ mediawiki_home }}/{{ item }}'
+ state: directory
+ mode: 0770
+ owner: apache
+ group: apache
+ setype: _default
+ loop: '{{ mediawiki_writable_dirs }}'
+
+- name: set selinux context for writeable directories
+ sefcontext:
+ target: '{{ mediawiki_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_rw_content_t
+ state: present
+ loop: '{{ mediawiki_writable_dirs }}'
+ register: mediawiki_writeable_sefcontext
+ tags: selinux
+
+- name: apply selinux context to writeable directories
+ command: 'restorecon -R {{ mediawiki_home }}/{{ item }}'
+ when: mediawiki_writeable_sefcontext.results[index].changed
+ loop: '{{ mediawiki_writable_dirs }}'
+ loop_control:
+ index_var: index
+ tags: selinux
+
+- name: set selinux context for executable directories
+ sefcontext:
+ target: '{{ mediawiki_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_script_exec_t
+ state: present
+ loop: '{{ mediawiki_executable_dirs }}'
+ register: mediawiki_executable_sefcontext
+ tags: selinux
+
+- name: apply selinux context to executable directories
+ command: 'restorecon -R {{ mediawiki_home }}/{{ item }}'
+ when: mediawiki_executable_sefcontext.results[index].changed
+ loop: '{{ mediawiki_executable_dirs }}'
+ loop_control:
+ index_var: index
+ tags: selinux
+
+- import_tasks: database.yml
+ tags: database
+
+- name: generate LocalSettings.php
+ template:
+ src: '{{ mediawiki_home[1:] }}/LocalSettings.php.j2'
+ dest: '{{ mediawiki_home }}/LocalSettings.php'
+ owner: root
+ group: apache
+ mode: 0640
+ register: mediawiki_localsettings
+
+- name: install extensions
+ include_tasks: extension.yml
+ vars:
+ extension_name: '{{ item if item is string else item.name }}'
+ extension_version: '{{ mediawiki_extension_version if item is string else (item.version | default(mediawiki_extension_version)) }}'
+ loop: '{{ mediawiki_extensions }}'
+
+- name: update database schema
+ command: php {{ mediawiki_home }}/maintenance/update.php --quick
+ become: yes
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ when: mediawiki_localsettings.changed or (mediawiki_current_version.rc == 0 and not mediawiki_current_version.stdout is search(mediawiki_version))
+
+- name: copy robots.txt
+ copy:
+ src: '{{ mediawiki_home[1:] }}/robots.txt'
+ dest: '{{ mediawiki_home }}/robots.txt'
+
+- name: copy 1x logo
+ copy:
+ src: '{{ mediawiki_logo_1x }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_logo_1x | basename }}'
+ when: mediawiki_logo_1x is defined
+
+- name: copy icon logo
+ copy:
+ src: '{{ mediawiki_logo_icon }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_logo_icon | basename }}'
+ when: mediawiki_logo_icon is defined
+
+- name: copy favicon
+ copy:
+ src: '{{ mediawiki_favicon }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_favicon | basename }}'
+ when: mediawiki_favicon is defined
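Review bot: `extract mediawiki tarball` sets `owner: apache` / `group: apache` on the whole tree under `{{ mediawiki_home }}`, so the account php-fpm runs as owns all of the application's PHP code and the later `set permissions on writeable directories` task no longer marks a boundary at the file-permission level. That leaves the SELinux `httpd_sys_rw_content_t` labelling as the only control stopping a compromised PHP process from rewriting code. Using `owner: root` with `group: apache` on the extract, as `generate LocalSettings.php` already does, would limit write access to `mediawiki_writable_dirs`; the extract in extension.yml sets the same owner. As a smaller point, the modes are written as bare `0770` and `0640`, and quoting them (`mode: '0770'`) avoids depending on YAML octal parsing.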