It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
#
# Cookbook Name:: kosmos-mediawiki
# Recipe:: default
#
# Copyright 2016, Kosmos
#
# All rights reserved - Do Not Redistribute
#

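include_recipe 'apt'
include_recipe 'ark'
include_recipe 'composer'

# Public hostname of the wiki. Reused for the nginx vhost, MediaWiki's
# $wgServer / $wgServerName and the certbot site further down, so it is
# defined exactly once here.
server_name = 'wiki.kosmos.org'

# FIXME: MediaWiki's schema/maintenance update is not automated yet. After
# bumping the version below, run the updater by hand as the web server user,
# e.g.:
#
#   sudo -u <nginx user> php /var/www/mediawiki-1.xx.y/maintenance/update.php
#
# (the real path is node['mediawiki']['webdir']).
#
# NOTE(review): the version is pinned, so security releases only reach this
# host when the value below is bumped. The tarball is fetched over HTTPS by
# the upstream mediawiki cookbook; whether that cookbook also verifies a
# checksum is not visible from here — confirm.
mediawiki_version = '1.28.0'
# Release directory on releases.wikimedia.org is the MAJOR.MINOR branch
# ("1.28" for "1.28.0"); derived so a version bump only touches one line.
mediawiki_branch = mediawiki_version.split('.').first(2).join('.')

node.override['mediawiki']['version'] = mediawiki_version
node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/#{mediawiki_branch}/#{node['mediawiki']['tarball']['name']}"
node.override['mediawiki']['language_code'] = 'en'
node.override['mediawiki']['server_name'] = server_name
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'

# Plain HTTP is only acceptable in the local development environment; every
# other environment gets an https:// $wgServer.
protocol = node.chef_environment == 'development' ? 'http' : 'https'
node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"

# Secrets come from encrypted data bags and are copied into node attributes
# because the upstream mediawiki cookbook reads them from there.
# NOTE(review): on a Chef-server managed node, override attributes are
# normally persisted to the node object at the end of the run, which makes
# these passwords readable to anyone who can read/search nodes. Keeping them
# in node.run_state would avoid that, but requires the upstream cookbook to
# read from run_state instead — confirm before changing.
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')

node.override['mediawiki']['db']['root_password'] = mysql_credentials['root_password']
node.override['mediawiki']['db']['pass'] = mediawiki_credentials['db_pass']

# Work around the php cookbook pointing at the wrong extension config
# directory on Ubuntu 14.04 (PHP 5 layout).
if platform?('ubuntu') && node['platform_version'].to_f == 14.04
  node.override['php']['ext_conf_dir'] = '/etc/php5/mods-available'
end
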
# Directory for the custom wiki logo. Owned by the web server user/group so
# nginx can serve from it; missing parents are created as well.
directory "#{node['mediawiki']['webdir']}/skins/common/images" do
  recursive true
  mode 0750
  owner node['nginx']['user']
  group node['nginx']['group']
  action :create
end

# The logo itself, shipped in this cookbook's files/. Readable by the web
# server user/group only.
cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
  source 'kosmos.png'
  mode 0640
  owner node['nginx']['user']
  group node['nginx']['group']
end

# Webroot location for Let's Encrypt HTTP-01 challenge files. No explicit
# mode is given, so the directory keeps the default permissions.
# NOTE(review): nginx_certbot_site (used further down) is described as
# creating the challenge folder itself, so this resource may be redundant —
# confirm against the kosmos-nginx cookbook.
directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
  recursive true
  owner node['nginx']['user']
  group node['nginx']['group']
  action :create
end

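# Install MediaWiki, the shared nginx setup and the upstream cookbook's nginx
# integration before this recipe's own vhost is laid down.
include_recipe 'mediawiki'
include_recipe 'kosmos-nginx'
include_recipe 'mediawiki::nginx'

# Let's Encrypt certificate paths for this host. Derived from server_name so
# the vhost, the certificate directory and the certbot site cannot drift
# apart (previously the hostname was duplicated as a literal here).
ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"
ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"

# TLS vhost for the wiki. The reload is delayed to the end of the run.
# NOTE(review): the certificate files referenced here only exist once certbot
# has run (nginx_certbot_site below); confirm that the first converge on a
# fresh host does not leave nginx with a vhost pointing at missing files.
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
  source 'nginx.conf.erb'
  variables(
    docroot: node['mediawiki']['webdir'],
    server_name: server_name,
    ssl_cert: ssl_cert,
    ssl_key: ssl_key
  )
  action :create
  notifies :reload, 'service[nginx]', :delayed
end

# Legacy vhost named after the application (presumably from mediawiki::nginx);
# disabled so two server blocks for the same host are never active at once.
nginx_site 'mediawiki' do
  action :disable
end

nginx_site server_name do
  action :enable
end

# Obtain/renew the Let's Encrypt certificate and wire it into the vhost.
nginx_certbot_site server_name
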
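#
# Extensions
#
# `mediawiki_credentials` (encrypted data bag item 'credentials/mediawiki') is
# already loaded near the top of this recipe and is reused below for the
# Antispam access key; the second load that used to live here was redundant.

#
# Cleantalk Antispam
#

# FIXME(supply-chain): this downloads a GitHub auto-generated tag archive with
# no checksum. Tags can be moved and archives regenerated, so the PHP that
# ends up executing inside the wiki is not pinned to known content. Prefer a
# commit archive and set ark's `checksum` (sha256 of the zip) once recorded.
ark 'antispam' do
  url 'https://github.com/CleanTalk/mediawiki-antispam/archive/2.1.zip'
  path "#{node['mediawiki']['webdir']}/extensions/Antispam"
  owner node['nginx']['user']
  group node['nginx']['group']
  mode 0750
  action :dump
end
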
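#
# MediawikiHubot extension
#

# The extension talks to the Hubot webhook over HTTP and needs PHP's curl
# binding; the package was renamed between Ubuntu releases.
if platform?('ubuntu') && node['platform_version'].to_f < 16.04
  package 'php5-curl'
else
  package 'php-curl'
end

# FIXME(supply-chain): master.zip is a moving target with no checksum, so the
# code installed depends on whatever the branch held when the node was first
# converged (`creates` means it is only fetched while the file is missing).
# Pin to a tag or commit archive and set ark's `checksum` (sha256).
ark 'MediawikiHubot' do
  url 'https://github.com/67P/mediawiki-hubot/archive/master.zip'
  path "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot"
  creates 'MediawikiHubot/MediawikiHubot.php'
  action :cherry_pick
end

# Token that authenticates the wiki against the local Hubot webhook endpoint.
hal8000_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_freenode')
webhook_token = hal8000_freenode_data_bag_item['webhook_token']

# DefaultConfig.php embeds the webhook token, so it is restricted to the web
# server user/group instead of inheriting a (typically world-readable)
# default. This assumes PHP runs as that user/group, which the 0750 Antispam
# extension directory above already requires. The webhook lives on localhost,
# hence plain http is acceptable for that URL.
template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
  source 'MediawikiHubot/DefaultConfig.php.erb'
  owner node['nginx']['user']
  group node['nginx']['group']
  mode 0640
  variables webhook_url: "http://localhost:8080/incoming/#{webhook_token}",
            room_name: '#kosmos',
            wiki_url: "https://#{server_name}/"
end
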
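# Post-install edits to LocalSettings.php (generated by the upstream
# mediawiki cookbook). Every insert is keyed on a regex so repeated runs do
# not duplicate lines; write_file commits the edits at the end.
ruby_block 'configuration' do
  block do
    settings_path = "#{node['mediawiki']['webdir']}/LocalSettings.php"
    file = Chef::Util::FileEdit.new(settings_path)

    # Swap the stock logo for the one installed above.
    file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
                                  "$wgLogo = \"$wgResourceBasePath/skins/common/images/kosmos.png\";")

    # Access model: anonymous and plain registered users cannot edit; the
    # 'team' group (cloned from 'user') and sysops can. The "Feature"
    # namespace (100) additionally requires the 'editfeature' right.
    # NOTE(review): $wgEnableUploads is on while 'user' keeps all its default
    # rights except 'edit' — confirm registered users cannot upload.
    # This block is inserted once and never updated afterwards; later changes
    # to it have to be applied to existing hosts by hand.
    file.insert_line_if_no_match(/# Our config/,
<<-EOF
# Our config
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['team'] = $wgGroupPermissions['user'];
$wgGroupPermissions['user' ]['edit'] = false;
$wgGroupPermissions['user']['editsemiprotected'] = false;
$wgGroupPermissions['autoconfirmed']['editsemiprotected'] = false;
$wgGroupPermissions['team']['edit'] = true;
$wgGroupPermissions['team']['protect'] = true;
$wgGroupPermissions['team']['editsemiprotected'] = true;
$wgGroupPermissions['team']['editprotected'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
$wgEnableUploads = true;

$wgExtraNamespaces[100] = "Feature";
$wgNamespacesWithSubpages[100] = true;
$wgExtraNamespaces[101] = "Feature_Talk";
# Only allow sysops to edit "Feature" namespace
$wgGroupPermissions['team']['editfeature'] = true;
$wgGroupPermissions['sysop']['editfeature'] = true;
$wgNamespaceProtection[100] = array( 'editfeature' );
$wgSMTP = array (
'IDHost' => 'kosmos.org', //this is used to build the Message-ID mail header
'host' => 'localhost', //this is the outgoing mail server name (SMTP server)
'port' => 25, //this is the port used by the SMTP server
'auth' => false, //in my case, authentication is not required by the mail server for outgoing mail
);
$wgPasswordReminderResendTime = 0;
$wgArticlePath = "/$1";
EOF
    )

    # Cleantalk Antispam: load the extension and set its access key. The key
    # line is replaced when already present, so a key rotated in the data bag
    # reaches the wiki (previously it was only ever inserted once). The key is
    # emitted as a single-quoted PHP string with backslashes and quotes
    # escaped, so it can neither break out of the literal nor trigger PHP's
    # "$var" interpolation.
    file.insert_line_if_no_match(/Antispam\.php/,
                                 "require_once \"$IP/extensions/Antispam/Antispam.php\";")
    antispam_key = mediawiki_credentials['antispam_key'].to_s.gsub(/[\\']/) { |c| "\\#{c}" }
    ct_access_key_line = "$wgCTAccessKey = '#{antispam_key}';"
    file.search_file_replace_line(/wgCTAccessKey/, ct_access_key_line)
    file.insert_line_if_no_match(/wgCTAccessKey/, ct_access_key_line)

    # MediawikiHubot (legacy require_once loading) and Mermaid (installed via
    # composer below, extension-registration loading).
    file.insert_line_if_no_match(/MediawikiHubot\.php/,
                                 "require_once \"$IP/extensions/MediawikiHubot/MediawikiHubot.php\";")
    file.insert_line_if_no_match(/Mermaid/,
                                 "wfLoadExtension( 'Mermaid' );")

    file.write_file
  end
end
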
#
# Composer dependencies
#

# composer.local.json is MediaWiki's hook for site-specific composer
# requirements; only the Mermaid extension is pulled in this way.
# NOTE(review): "~1.0" with no committed composer.lock means every fresh
# install resolves the newest matching release — worth pinning.
mermaid_requirement = { 'require' => { 'mediawiki/mermaid' => '~1.0' } }

file "#{node['mediawiki']['webdir']}/composer.local.json" do
  content JSON.generate(mermaid_requirement)
  owner node['nginx']['user']
  group node['nginx']['group']
end

# Resolve and install the requirements (no dev packages, from source rather
# than dist archives) as the web server user, matching the ownership used for
# the extension files above.
composer_project node['mediawiki']['webdir'] do
  user node['nginx']['user']
  group node['nginx']['group']
  dev false
  prefer_dist false
  quiet true
  action :install
end

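#
# Backup
#

# Register the wiki database with the shared backup cookbook; development
# environments are not backed up.
unless node.chef_environment == 'development'
  node.override['backup']['mysql']['host'] = 'localhost'
  # NOTE(review): dumps run as the MySQL root user, reusing the root password
  # already placed in node attributes above. A dedicated backup account with
  # only the privileges mysqldump needs would be least-privilege.
  node.override['backup']['mysql']['username'] = 'root'
  node.override['backup']['mysql']['password'] = node['mediawiki']['db']['root_password']

  # Append our database without clobbering entries added by other recipes.
  # Array() also copes with the attribute being unset (nil), where the former
  # direct `.include?` call would have raised NoMethodError.
  databases = Array(node['backup']['mysql']['databases'])
  unless databases.include?('mediawikidb')
    node.override['backup']['mysql']['databases'] = databases + ['mediawikidb']
  end

  include_recipe 'backup'
end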