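---
# Play 1: prepare the host. Formats and mounts the database disk, installs the
# web, database and PHP packages and deploys the Apache vhost. Every module is
# referenced by its fully qualified collection name so the play reads the same
# way throughout; booleans are written as true/false (yamllint "truthy").
- name: Initial bootstrap
  hosts: all
  vars:
    # Device name prefix: the database lives on "/dev/<disktype>b".
    disktype: sd
    base_packages:
      - apache2
      - libapache2-mod-php8.2
      - mariadb-server
      - redis
      - htop
      - aptitude
      - php-mbstring
      - php-xml
      - php-redis
      - php-mysql
      - php-intl
      - php-curl
      - composer
      - python3-pymysql
  tasks:
    # "force" is not set, so a device that already carries a filesystem is
    # left untouched on re-runs; the label is what the mount task looks up.
    - name: Make db filesystem
      community.general.filesystem:
        fstype: ext4
        dev: "/dev/{{ disktype }}b"
        opts: "-L oauth-db"
    - name: Create www mountpoint
      ansible.builtin.file:
        path: "/var/www"
        state: directory
        mode: '0755'
    - name: Create db mountpoint
      ansible.builtin.file:
        path: "/var/lib/mysql"
        state: directory
        mode: '0755'
    # Mounted by label rather than device path so the disk name may change.
    - name: Mount db disk
      ansible.posix.mount:
        path: "/var/lib/mysql"
        src: "LABEL=oauth-db"
        fstype: ext4
        state: mounted
    - name: Install packages
      ansible.builtin.apt:
        update_cache: true
        name: "{{ base_packages }}"
      notify: Restart apache2
    - name: Remove default vhost
      ansible.builtin.file:
        path: /etc/apache2/sites-enabled/000-default.conf
        state: absent
      notify: Restart apache2
    # mediawiki.conf is taken from the playbook's files/ directory.
    - name: Deploy MediaWiki vhost
      ansible.builtin.copy:
        src: mediawiki.conf
        dest: /etc/apache2/sites-enabled/mediawiki.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart apache2
    # The freshly mounted data disk is root-owned; hand it to the mysql user
    # before the server is (re)started.
    - name: Fix FS permissions for /var/lib/mysql
      ansible.builtin.file:
        path: /var/lib/mysql
        state: directory
        recurse: true
        owner: mysql
        group: mysql
      notify: Restart mariadb
  handlers:
    - name: Restart mariadb
      ansible.builtin.service:
        name: mariadb
        state: restarted
    - name: Restart apache2
      ansible.builtin.service:
        name: apache2
        state: restarted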
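# Play 2: check out MediaWiki core plus the extensions used for OAuth testing,
# create the database, run the one-off installer and write a managed
# LocalSettings.php. Maintenance scripts are run with ansible.builtin.command
# rather than shell: none of them use pipes or redirection, and command does
# not hand templated values to /bin/sh for re-interpretation.
- name: Deploy MediaWiki
  hosts: all
  vars:
    wgServer: localhost
    urlScheme: https
    # Release branch used for core, every extension and the skin.
    version: REL1_42
    # The values below are the committed defaults of this test wiki and are
    # therefore public. Override them (for example from an Ansible Vault file)
    # on any host that other people can reach; wgSecretKey signs tokens and
    # must be unique per installation.
    db_password: wikiuser
    admin_password: Adminpassword
    wgSecretKey: "e773a8f14c0ec3bd76585a06707607ef5446aef4fdecc667077c484697be67d1"
  tasks:
    # NOTE(review): "localsettings" is registered but not referenced anywhere
    # later in the play; the installer is gated on wikidb.changed instead.
    - name: check if LocalSettings.php exists
      ansible.builtin.stat:
        path: /var/www/www/w/LocalSettings.php
      register: localsettings
    - name: Create www mountpoint
      ansible.builtin.file:
        path: "/var/www/www"
        state: directory
        mode: '0755'
    - name: Root redirect
      ansible.builtin.copy:
        content: '<?php header("Location: /w/index.php");'
        dest: /var/www/www/index.php
    - name: Create MySQL user
      community.mysql.mysql_user:
        state: present
        name: wikiuser
        password: "{{ db_password }}"
        priv:
          'wikidb.*': 'ALL'
        login_unix_socket: /var/run/mysqld/mysqld.sock
    # wikidb.changed is true only on the run that creates the database; it is
    # what makes the installer below run exactly once.
    - name: Create wiki database
      community.mysql.mysql_db:
        name: wikidb
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock
      register: wikidb
    # Core must be checked out before the extensions, which live inside it.
    # Shallow (depth 1) forced checkouts: local modifications are discarded.
    - name: MediaWiki git checkout
      ansible.builtin.git:
        repo: https://gerrit.wikimedia.org/r/mediawiki/core.git
        dest: /var/www/www/w
        version: "{{ version }}"
        recursive: false
        accept_hostkey: true
        force: true
        depth: 1
    # Extensions and the skin share one task; each item is pinned to the same
    # release branch as core.
    - name: Extension and skin git checkout
      ansible.builtin.git:
        repo: "{{ item.repo }}"
        dest: "{{ item.dest }}"
        version: "{{ version }}"
        accept_hostkey: true
        force: true
        depth: 1
      loop:
        - repo: https://gerrit.wikimedia.org/r/p/mediawiki/extensions/AntiSpoof.git
          dest: /var/www/www/w/extensions/AntiSpoof
        - repo: https://gerrit.wikimedia.org/r/p/mediawiki/extensions/CheckUser.git
          dest: /var/www/www/w/extensions/CheckUser
        - repo: https://gerrit.wikimedia.org/r/p/mediawiki/extensions/TitleBlacklist.git
          dest: /var/www/www/w/extensions/TitleBlacklist
        - repo: https://gerrit.wikimedia.org/r/p/mediawiki/extensions/OAuth.git
          dest: /var/www/www/w/extensions/OAuth
        - repo: https://gerrit.wikimedia.org/r/mediawiki/skins/Vector.git
          dest: /var/www/www/w/skins/Vector
      loop_control:
        label: "{{ item.dest }}"
    # composer.yml is included once per checkout; presumably it reads the
    # directory from "item" — confirm against that file.
    - name: Composer
      ansible.builtin.include_tasks: composer.yml
      loop:
        - /var/www/www/w/
        - /var/www/www/w/extensions/CheckUser/
        - /var/www/www/w/extensions/TitleBlacklist/
        - /var/www/www/w/extensions/OAuth/
        - /var/www/www/w/extensions/AntiSpoof/
    - name: Create logs directory
      ansible.builtin.file:
        path: "/var/log/mediawiki"
        state: directory
        mode: '0755'
        owner: www-data
        group: www-data
    # One-off installer, run only on the play that created the database. The
    # LocalSettings.php it generates is replaced by the managed copy below.
    # Both passwords travel on the command line, so the task's arguments and
    # output are kept out of Ansible's logs with no_log; the quote filter keeps
    # a password containing spaces or shell metacharacters as one argument.
    - name: Install MediaWiki
      ansible.builtin.command:
        cmd: >-
          php maintenance/run.php install
          --dbname=wikidb --dbpass={{ db_password | quote }}
          --server="{{ urlScheme }}://{{ wgServer }}" --scriptpath=/w --lang=en
          --pass={{ admin_password | quote }} "OAuth Test Wiki" Admin
        chdir: /var/www/www/w
      no_log: true
      when: wikidb.changed
    # The generated configuration contains the database password and the
    # secret key, so it is readable only by root and the web server's group.
    # Settings such as $wgShowExceptionDetails = true and
    # $wgMWOAuthSecureTokenTransfer = false are test-environment choices:
    # on a real deployment the first exposes stack traces to visitors and the
    # second drops the HTTPS requirement for OAuth token transfer.
    - name: Local settings
      ansible.builtin.copy:
        content: |
          <?php
          # This file was generated by MediaWiki 1.38.5
          # Managed by Ansible
          if ( !defined( 'MEDIAWIKI' ) ) {
              exit;
          }
          $wgSitename = "OAuth Test Wiki";
          $wgMetaNamespace = "OAuth_Test_Wiki";
          $wgScriptPath = "/w";
          $wgServer = "{{ urlScheme }}://" . (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : "{{ wgServer }}");
          $wgResourceBasePath = $wgScriptPath;
          $wgLogos = [
              '1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
              'icon' => "$wgResourceBasePath/resources/assets/change-your-logo-icon.svg",
          ];
          $wgEmergencyContact = "apache@{{ wgServer }}";
          $wgPasswordSender = "apache@{{ wgServer }}";
          $wgDBpassword = "{{ db_password }}";
          $wgDBname = "wikidb";
          $wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
          $wgSharedTables[] = "actor";
          $wgMemCachedServers = [];
          $wgLocaltimezone = "UTC";
          $wgSecretKey = "{{ wgSecretKey }}";
          $wgAuthenticationTokenVersion = "1";
          $wgRightsPage = "";
          $wgRightsUrl = "https://creativecommons.org/publicdomain/zero/1.0/";
          $wgRightsText = "Creative Commons Zero (Public Domain)";
          $wgRightsIcon = "$wgResourceBasePath/resources/assets/licenses/cc-0.png";
          $wgDefaultSkin = "vector";
          wfLoadSkin( 'Vector' );
          wfLoadExtension( 'AntiSpoof' );
          wfLoadExtension( 'CheckUser' );
          wfLoadExtension( 'OAuth' );
          wfLoadExtension( 'TitleBlacklist' );
          // Caching setup
          $wgObjectCaches['redis'] = array(
              'class' => 'RedisBagOStuff',
              'servers' => array( '127.0.0.1:6379' ),
          );
          $wgMainCacheType = 'redis';
          $wgSessionCacheType = 'redis'; // same as WMF prod
          // OAuth setup
          $wgGroupPermissions['*']['createaccount'] = false;
          $wgGroupPermissions['*']['edit'] = false;
          $wgGroupPermissions['user']['mwoauthproposeconsumer'] = true;
          $wgGroupPermissions['user']['mwoauthupdateownconsumer'] = true;
          $wgGroupPermissions['user']['mwoauthmanageconsumer'] = true;
          $wgGroupPermissions['user']['mwoauthmanagemygrants'] = true;
          $wgGroupPermissions['suppress']['mwoauthsuppress'] = true;
          $wgGroupPermissions['suppress']['mwoauthviewsuppressed'] = true;
          $wgGroupPermissions['checkuser']['mwoauthviewprivate'] = true;
          $wgMWOAuthSecureTokenTransfer = false;
          $wgEmailAuthentication = false;
          $wgShowExceptionDetails = true;
          $wgBlockDisablesLogin = true;
          $wgDebugLogFile = "/var/log/mediawiki/debug.log";
          $wgDebugLogGroups = array(
              'exception' => '/var/log/mediawiki/exception.log',
              'error' => '/var/log/mediawiki/error.log',
              'OAuth' => '/var/log/mediawiki/OAuth.log',
          );
        dest: /var/www/www/w/LocalSettings.php
        owner: root
        group: www-data
        mode: '0640'
    # command always reports "changed"; the schema update is idempotent in
    # effect but not in Ansible's accounting.
    - name: Update MediaWiki
      ansible.builtin.command:
        cmd: php maintenance/run.php update --quick
        chdir: /var/www/www/w
    # Page contents are fed to edit.php on stdin; -b marks the edit as a bot
    # edit.
    - name: Update Main Page
      ansible.builtin.command:
        cmd: php maintenance/edit.php -b --user "Ansible playbook" "Main Page"
        chdir: /var/www/www/w
        stdin: |
          This wiki is intended for testing OAuth applications against MediaWiki. If you need access to experiment with OAuth, contact [[Special:ListUsers/sysop|an existing user with access]] for an account.
          == OAuth consumers ==
          * [[Special:OAuthConsumerRegistration/propose|Propose a consumer]]
          * [[Special:OAuthManageConsumers/proposed|Approve the consumer]]
          * [[Special:OAuthConsumerRegistration/list|My registered consumers]]
          * [[Special:OAuthManageMyGrants|Consumers approved to access my account]]
          == All consumers ==
          * [[Special:OAuthManageConsumers/proposed|All proposed consumers]]
          * [[Special:OAuthManageConsumers/approved|All approved consumers]]
          * [[Special:OAuthManageConsumers/disabled|All disabled consumers]]
          * [[Special:OAuthManageConsumers/rejected|All rejected consumers]]
          * [[Special:OAuthManageConsumers/expired|All expired consumers]]
    - name: Update Title blacklist
      ansible.builtin.command:
        cmd: php maintenance/edit.php -b --user "Ansible playbook" "MediaWiki:Titleblacklist"
        chdir: /var/www/www/w
        stdin: |
          # This is a disallowed titles list. Titles and usernames that match a regular expression here cannot be created.
          # Use "#" for comments.
          # This is case-insensitive by default
          .*blacklist.* <newaccountonly>
    - name: Update copyright
      ansible.builtin.command:
        cmd: php maintenance/edit.php -b --user "Ansible playbook" "MediaWiki:Copyright"
        chdir: /var/www/www/w
        stdin: |
          Content is available under $1 unless otherwise noted.
          <div style="background-color: #FFE0E0; border: 2px dashed #AA0000; padding: 0.5em; margin-top:1em">
          <b>Warning: this is <u>not</u> a live Wikimedia Foundation project.</b> This site is used only for testing and development purposes. This site is not covered by the Wikimedia Foundation’s Terms of Use or Privacy Policy. Do not disclose personal information on this site and do not use this site to post any illegal or harmful content. For more information on this test environment, see <a href="https://wikitech.wikimedia.org">Wikimedia Cloud Services</a>.
          </div>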