From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/mediawiki/tasks/database.yml | 50 ++++++++++++++
roles/mediawiki/tasks/extension.yml | 12 ++++
roles/mediawiki/tasks/freeipa.yml | 40 +++++++++++
roles/mediawiki/tasks/main.yml | 134 ++++++++++++++++++++++++++++++++++++
4 files changed, 236 insertions(+)
create mode 100644 roles/mediawiki/tasks/database.yml
create mode 100644 roles/mediawiki/tasks/extension.yml
create mode 100644 roles/mediawiki/tasks/freeipa.yml
create mode 100644 roles/mediawiki/tasks/main.yml
(limited to 'roles/mediawiki/tasks')
diff --git a/roles/mediawiki/tasks/database.yml b/roles/mediawiki/tasks/database.yml
new file mode 100644
index 0000000..b00a8a1
--- /dev/null
+++ b/roles/mediawiki/tasks/database.yml
@@ -0,0 +1,50 @@
+- name: create postgresql database
+ postgresql_db:
+ name: '{{ mediawiki_db_name }}'
+ state: present
+ delegate_to: "{{ postgresql_host.split('.')[0] }}"
+ become: True
+ become_user: postgres
+
+- name: create postgresql user
+ postgresql_user:
+ name: '{{ mediawiki_user }}'
+ db: '{{ mediawiki_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: "{{ postgresql_host.split('.')[0] }}"
+ become: True
+ become_user: postgres
+
+- name: check if database schema is initialized
+ postgresql_query:
+ login_user: '{{ mediawiki_user }}'
+ login_host: '{{ mediawiki_db_host }}'
+ db: '{{ mediawiki_db_name }}'
+ query: SELECT 1 FROM mediawiki.page
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ register: mediawiki_check_db
+ failed_when: false
+
+- name: initialize database schema
+ command: >
+ php {{ mediawiki_home }}/maintenance/install.php
+ --server {{ mediawiki_url }}
+ --dbuser {{ mediawiki_user }}
+ --dbname {{ mediawiki_db_name }}
+ --dbserver {{ mediawiki_db_host }}
+ --dbtype postgres
+ --pass {{ mediawiki_admin_password | quote }}
+ --scriptpath /
+ {{ mediawiki_site_name | quote }}
+ {{ mediawiki_admin_username }}
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ when:
+ - mediawiki_check_db.msg is defined
+ - mediawiki_check_db.msg is search('relation "mediawiki.page" does not exist')
diff --git a/roles/mediawiki/tasks/extension.yml b/roles/mediawiki/tasks/extension.yml
new file mode 100644
index 0000000..02f5dc3
--- /dev/null
+++ b/roles/mediawiki/tasks/extension.yml
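Review bot: The wiki admin password is passed on the install.php command line (`--pass {{ mediawiki_admin_password | quote }}`), so it is visible in the process list while the installer runs and is printed in Ansible's task output and logs together with the rest of the command. The task carries no `no_log: true`; add it, and since MediaWiki's install.php also accepts `--passfile`, the secret can instead be read from a root:apache 0640 file written by a preceding `copy` task so it never appears as an argument. Separately, `become: True` here (and in freeipa.yml and main.yml, which also mix in `yes`/`no`) should be written `true`/`false` consistently per yamllint's truthy rule.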
@@ -0,0 +1,12 @@
+- name: get url for extension tarball
+ uri:
+ url: 'https://www.mediawiki.org/w/index.php?title=Special:ExtensionDistributor&extdistname={{ extension_name }}&extdistversion={{ extension_version }}'
+ register: extension_distributor_resp
+
+- name: extract extension tarball
+ unarchive:
+ src: "{{ extension_distributor_resp.refresh.split(';') | map('trim') | select('search', '^url=') | first | regex_replace('^url=', '') }}"
+ remote_src: yes
+ dest: '{{ mediawiki_home }}/extensions'
+ owner: apache
+ group: apache
diff --git a/roles/mediawiki/tasks/freeipa.yml b/roles/mediawiki/tasks/freeipa.yml
new file mode 100644
index 0000000..565cdca
--- /dev/null
+++ b/roles/mediawiki/tasks/freeipa.yml
@@ -0,0 +1,40 @@
+- name: create mediawiki user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ mediawiki_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ mediawiki_home }}'
+ givenname: MediaWiki
+ sn: Service Account
+ state: present
+ run_once: True
+
+- name: create mediawiki groups
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ nonposix: yes
+ state: present
+ run_once: True
+ loop:
+ - '{{ mediawiki_access_group }}'
+ - '{{ mediawiki_admin_group }}'
+
+- name: retrieve mediawiki user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ mediawiki_user }}'
+ keytab_path: '{{ mediawiki_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: mediawiki
+ gssproxy_section: service/php-fpm
+ gssproxy_client_keytab: '{{ mediawiki_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: apache
diff --git a/roles/mediawiki/tasks/main.yml b/roles/mediawiki/tasks/main.yml
new file mode 100644
index 0000000..d0c3820
--- /dev/null
+++ b/roles/mediawiki/tasks/main.yml
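Review bot: `extension_distributor_resp.refresh` is dereferenced unconditionally in the `unarchive` src expression, so when ExtensionDistributor answers with an ordinary 200 page that has no `Refresh` header (unknown extension name, or a version it has no branch for) the task dies with an undefined-attribute error instead of saying which extension/version was unavailable. Give the `uri` task an explicit check, e.g. `failed_when: extension_distributor_resp.refresh is not defined or 'url=' not in extension_distributor_resp.refresh`. The tarball is then fetched and unpacked straight into `{{ mediawiki_home }}/extensions` on every run with no integrity check; if a fixed digest cannot be pinned for these generated snapshots, at least stage the download with `get_url`, record its digest with `stat` (`checksum_algorithm: sha256`) so what was installed is auditable, and gate the extraction on the download having changed. `remote_src: yes` should be `true`.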
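Review bot: The keytab written to `{{ mediawiki_keytab }}` by the `freeipa_keytab` role is handed to gssproxy with `gssproxy_euid: apache`; the point of that arrangement is that php-fpm/apache never reads the keytab itself, so the file should remain root-owned and unreadable by apache. Its owner and mode are set inside the included role and are not visible in this hunk, so that is worth confirming, and worth stating here with a comment above the gssproxy task such as `# keytab is read by gssproxy (root) only; php-fpm obtains credentials via GSS_USE_PROXY`. This hunk also mixes `run_once: True` and `nonposix: yes`; write both as `true`.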
@@ -0,0 +1,134 @@
+- name: install packages
+ dnf:
+ name: '{{ mediawiki_packages }}'
+ state: present
+
+- name: set PHP APC cache size
+ lineinfile:
+ path: /etc/php.d/40-apcu.ini
+ regexp: ^apc\.shm_size=
+ line: apc.shm_size={{ mediawiki_apc_shm_size }}
+ state: present
+ notify: restart php-fpm
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create mediawiki webroot
+ file:
+ path: '{{ mediawiki_home }}'
+ state: directory
+
+- name: get current mediawiki version
+ command: php {{ mediawiki_home }}/maintenance/version.php
+ become: True
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ changed_when: no
+ failed_when: no
+ register: mediawiki_current_version
+
+- name: extract mediawiki tarball
+ unarchive:
+ src: '{{ mediawiki_tarball }}'
+ remote_src: yes
+ dest: '{{ mediawiki_home }}'
+ owner: apache
+ group: apache
+ extra_opts:
+ - '--strip-components=1'
+
+- name: set permissions on writeable directories
+ file:
+ path: '{{ mediawiki_home }}/{{ item }}'
+ state: directory
+ mode: 0770
+ owner: apache
+ group: apache
+ setype: _default
+ loop: '{{ mediawiki_writable_dirs }}'
+
+- name: set selinux context for writeable directories
+ sefcontext:
+ target: '{{ mediawiki_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_rw_content_t
+ state: present
+ loop: '{{ mediawiki_writable_dirs }}'
+ register: mediawiki_writeable_sefcontext
+ tags: selinux
+
+- name: apply selinux context to writeable directories
+ command: 'restorecon -R {{ mediawiki_home }}/{{ item }}'
+ when: mediawiki_writeable_sefcontext.results[index].changed
+ loop: '{{ mediawiki_writable_dirs }}'
+ loop_control:
+ index_var: index
+ tags: selinux
+
+- name: set selinux context for executable directories
+ sefcontext:
+ target: '{{ mediawiki_home }}/{{ item }}(/.*)?'
+ setype: httpd_sys_script_exec_t
+ state: present
+ loop: '{{ mediawiki_executable_dirs }}'
+ register: mediawiki_executable_sefcontext
+ tags: selinux
+
+- name: apply selinux context to executable directories
+ command: 'restorecon -R {{ mediawiki_home }}/{{ item }}'
+ when: mediawiki_executable_sefcontext.results[index].changed
+ loop: '{{ mediawiki_executable_dirs }}'
+ loop_control:
+ index_var: index
+ tags: selinux
+
+- import_tasks: database.yml
+ tags: database
+
+- name: generate LocalSettings.php
+ template:
+ src: '{{ mediawiki_home[1:] }}/LocalSettings.php.j2'
+ dest: '{{ mediawiki_home }}/LocalSettings.php'
+ owner: root
+ group: apache
+ mode: 0640
+ register: mediawiki_localsettings
+
+- name: install extensions
+ include_tasks: extension.yml
+ vars:
+ extension_name: '{{ item if item is string else item.name }}'
+ extension_version: '{{ mediawiki_extension_version if item is string else (item.version | default(mediawiki_extension_version)) }}'
+ loop: '{{ mediawiki_extensions }}'
+
+- name: update database schema
+ command: php {{ mediawiki_home }}/maintenance/update.php --quick
+ become: yes
+ become_user: apache
+ environment:
+ GSS_USE_PROXY: 'yes'
+ when: mediawiki_localsettings.changed or (mediawiki_current_version.rc == 0 and not mediawiki_current_version.stdout is search(mediawiki_version))
+
+- name: copy robots.txt
+ copy:
+ src: '{{ mediawiki_home[1:] }}/robots.txt'
+ dest: '{{ mediawiki_home }}/robots.txt'
+
+- name: copy 1x logo
+ copy:
+ src: '{{ mediawiki_logo_1x }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_logo_1x | basename }}'
+ when: mediawiki_logo_1x is defined
+
+- name: copy icon logo
+ copy:
+ src: '{{ mediawiki_logo_icon }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_logo_icon | basename }}'
+ when: mediawiki_logo_icon is defined
+
+- name: copy favicon
+ copy:
+ src: '{{ mediawiki_favicon }}'
+ dest: '{{ mediawiki_home }}/resources/assets/{{ mediawiki_favicon | basename }}'
+ when: mediawiki_favicon is defined
-- cgit
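Review bot: In the `extract mediawiki tarball` task, `{{ mediawiki_tarball }}` is downloaded by `unarchive` and unpacked over the webroot with no integrity check, and because a URL `src` is re-fetched on each run this happens every time the role executes, so a substituted or tampered archive would be installed silently and the site's code is rewritten even when nothing changed. Fetch it with `get_url`, whose `checksum` parameter pins the expected digest, into a staging path, then `unarchive` that local file and gate the extraction on the download having changed or on the version already registered in `mediawiki_current_version` not matching; the same unchecked-download pattern appears in extension.yml. `mode: 0770` and `mode: 0640` rely on YAML 1.1 octal parsing and should be quoted (`mode: "0770"`, `mode: "0640"`) as the Ansible docs recommend.
```yaml
- name: download mediawiki tarball
  get_url:
    url: '{{ mediawiki_tarball }}'
    dest: '{{ mediawiki_download_dir }}/mediawiki.tar.gz'  # placeholder staging path
    checksum: 'sha256:{{ mediawiki_tarball_sha256 }}'  # placeholder variable for the expected digest
  register: mediawiki_tarball_download

- name: extract mediawiki tarball
  unarchive:
    src: '{{ mediawiki_tarball_download.dest }}'
    remote_src: true
    dest: '{{ mediawiki_home }}'
    owner: apache
    group: apache
    extra_opts:
      - '--strip-components=1'
  when: mediawiki_tarball_download.changed or not (mediawiki_current_version.stdout | default('')) is search(mediawiki_version)
# … unchanged: set permissions on writeable directories and the rest of main.yml …
```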