implement dokuwiki role

4c6581bf · Lars Beckers · edce28e6 · 4c6581bf · 4c6581bf · 4c6581bf
Commit 4c6581bf authored Aug 13, 2018 by Lars Beckers
--- a/dokuwiki/defaults/main.yml
+++ b/dokuwiki/defaults/main.yml
+---
+
+dokuwiki:
+  - path: /var/www/dokuwiki
+    user: dokuwiki
+    group: dokuwiki
+    version: 2018-04-22a
+    ad: no
+    ad_domain: example.com
+    ad_basedn: dc=example,dc=com
+    ad_controller: ad.example.com
+    ad_user: user
+    ad_password: password
+    ad_superuser: @admins
+    ad_manager: @admins
+    mail: it@example.com
--- a/dokuwiki/handlers/main.yml
+++ b/dokuwiki/handlers/main.yml
+---
+
+- name: delete unused files
+  command: "{{ item.path }}/bin/delete_old_files.py"
+  args:
+    chdir: "{{ item.path }}"
+  become: yes
+  become_user: "{{ item.user }}"
+  with_items: "{{ dokuwiki }}"
+
+- name: drop caches
+  file:
+    path: "{{ item.path }}/conf/local.php"
+    state: touch
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+  with_items: "{{ dokuwiki }}"
+
+- name: reindex search
+  command: /usr/local/sbin/dokuwiki-indexer.sh
+
+- name: update blacklist
+  command: /usr/local/sbin/dokuwiki-blacklist.sh
+
+- name: backup on update
+  command: rsnapshot -c /etc/rsnapshot-dokuwiki.conf daily
--- a/dokuwiki/tasks/main.yml
+++ b/dokuwiki/tasks/main.yml
+---
+
+- name: ensure php packages are installed
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - php
+    - php-mbstring
+    - php-gd
+    - php-zip
+    - php-mcrypt
+    - php-xml
+
+- name: ensure groups for dokuwiki exist
+  group:
+    name: "{{ item.group }}"
+    state: present
+    system: yes
+  with_items: "{{ dokuwiki }}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure users for dokuwiki exist
+  user:
+    name: "{{ item.user }}"
+    group: "{{ item.group }}"
+    state: present
+    system: yes
+    shell: /usr/bin/nologin
+    home: "{{ item.path }}"
+    createhome: no
+  with_items: "{{ dokuwiki }}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure directories for dokuwiki exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.user }}"
+    group: "{{ item.group }}"
+    mode: 0755
+  with_items: "{{ dokuwiki }}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure a backup configuration is present
+  template:
+    src: rsnapshot.conf.j2
+    dest: /etc/rsnapshot-dokuwiki.conf
+    owner: root
+    group: root
+    mode: '0664'
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: gather installed versions
+  command: "cat {{ item.path }}/VERSION"
+  ignore_errors: yes
+  changed_when: no
+  register: versions
+  with_items: "{{ dokuwiki }}"
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: backup dokuwiki data on update
+  command: /bin/true
+  changed_when: yes
+  when: item.1.failed or item.0.version != item.1.stdout|regex_replace(' .*')
+  with_together:
+    - "{{ dokuwiki }}"
+    - "{{ versions }}"
+  notify:
+    - backup on update
+  tags:
+    - dokuwiki
+    - webservices
+
+- meta: flush_handlers
+
+- name: ensure dokuwiki files are in place
+  unarchive:
+    src: "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-{{ item.version }}.tgz"
+    remote_src: yes
+    dest: "{{ item.0.path }}"
+    owner: "{{ item.0.owner }}"
+    group: "{{ item.0.group }}"
+    extra_opts:
+      - --strip-components=1
+      - --overwrite
+      - -p
+  when: item.1.failed or item.0.version != item.1.stdout|regex_replace(' .*')
+  with_together:
+    - "{{ dokuwiki }}"
+    - "{{ versions }}"
+  notify:
+    - delete unused files
+    - update blacklist
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure the unused file deletion utility is available
+  template:
+    src: delete_old_files.py.j2
+    dest: "{{ item.path }}/bin/delete_old_files.py"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0774'
+  with_items: "{{ dokuwiki }}"
+  notify:
+    - delete unused files
+  tags:
+    - dokuwiki
+    - webservices
+
+# TODO this needs sendfile disabled as nginx cannot access the data
+- name: ensure correct permissions on config and data directories
+  file:
+    path: "{{ item[0].path }}/{{ item[1] }}"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0770'
+  with_nested:
+    - "{{ dokuwiki }}"
+    - [ 'conf', 'data' ]
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some protected config is present
+  template:
+    src: local.protected.php.j2
+    dest: "{{ item.path }}/conf/local.protected.php"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+  with_items: "{{ dokuwiki }}"
+  notify:
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some plugin config is present
+  template:
+    src: plugins.local.php.j2
+    dest: "{{ item.path }}/conf/plugins.local.php"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: '0664'
+    force: no
+  with_items: "{{ dokuwiki }}"
+  notify:
+    - reindex search
+    - drop caches
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure some maintenance scripts are available
+  template:
+    src: "{{ item }}".sh.j2
+    dest: "/usr/local/sbin/dokuwiki-{{ item }}.sh"
+    owner: root
+    group: root
+    mode: '0775'
+  with_items:
+    - update
+    - indexer
+    - cleanup
+    - blacklist
+  notify:
+    - update blacklist
+  tags:
+    - dokuwiki
+    - webservices
+
+- name: ensure we have cronjobs for the maintenance
+  template:
+    src: crontab.j2
+    dest: /etc/cron.d/dokuwiki
+    owner: root
+    group: root
+    mode: '0664'
+  tags:
+    - dokuwiki
+    - webservices
--- a/dokuwiki/templates/blacklist.sh.j2
+++ b/dokuwiki/templates/blacklist.sh.j2
+#!/bin/sh
+
+blacklist="https://meta.wikimedia.org/wiki/Spam_blacklist?action=raw"
+
+{% for dw in dokuwiki %}
+curl --silent ${blacklist} | grep -E -v '<?pre>' > {{ dw.path }}/conf/wordblock.local.conf
+{% endfor %}
--- a/dokuwiki/templates/cleanup.sh.j2
+++ b/dokuwiki/templates/cleanup.sh.j2
+#!/bin/sh
+
+function cleanup()
+{
+    local data_path="$1"        # full path to data directory of wiki
+    local retention_days="$2"   # number of days after which old files are to be removed
+
+    # purge files older than ${retention_days} days from attic and media_attic (old revisions)
+    find "${data_path}"/{media_,}attic/ -type f -mtime +${retention_days} -delete
+
+    # remove stale lock files (files which are 1-2 days old)
+    find "${data_path}"/locks/ -name '*.lock' -type f -mtime +1 -delete
+
+    # remove empty directories
+    find "${data_path}"/{attic,cache,index,locks,media,media_attic,media_meta,meta,pages,tmp}/ \
+        -mindepth 1 -type d -empty -delete
+
+    # remove files older than ${retention_days} days from the cache
+    if [ -e "${data_path}/cache/?/" ]
+    then
+        find "${data_path}"/cache/?/ -type f -mtime +${retention_days} -delete
+    fi
+}
+
+# Cleanup DokuWiki installations (path to datadir, number of days)
+{% for dw in dokuwiki %}
+cleanup {{ dw.path }}/data 180
+{% endfor %}
--- a/dokuwiki/templates/crontab.j2
+++ b/dokuwiki/templates/crontab.j2
+27 0 * * * root rsnapshot -c /etc/rsnapshot-dokuwiki.conf daily
+39 2 * * * root /usr/local/sbin/dokuwiki-update.sh
+39 3 * * * root /usr/local/sbin/dokuwiki-cleanup.sh
+39 4 * * * root /usr/local/sbin/dokuwiki-blacklist.sh
+39 5 * * * root /usr/local/sbin/dokuwiki-indexer.sh
--- a/dokuwiki/templates/delete_old_files.py.j2
+++ b/dokuwiki/templates/delete_old_files.py.j2
+#!/usr/bin/env python3
+import os
+import os.path
+import shutil
+
+def exists_casesensitive(path):
+    if not os.path.exists(path):
+        return False
+    directory, filename = os.path.split(path)
+    return filename in os.listdir(directory)
+
+cwd = os.getcwd()
+os.chdir("{{ item.path }}")
+with open("{{ item.path }}/data/deleted.files") as file:
+    for line in file:
+        line = line.strip()
+        if line and not line.startswith('#'):
+            path = line.rstrip(os.linesep)
+            if exists_casesensitive(path):
+                if os.path.isdir(path):
+                    shutil.rmtree(path)
+                    print('Directory removed =>  ' + path)
+                else:
+                    os.remove(path)
+                    print('File removed =>  ' + path)
+os.chdir(cwd)
--- a/dokuwiki/templates/indexer.sh.j2
+++ b/dokuwiki/templates/indexer.sh.j2
+#!/bin/sh
+
+cwd=$PWD
+
+{% for dw in dokuwiki %}
+cd {{ dw.path }}
+sudo -u {{ dw.user }} php {{ dw.path }}/bin/indexer.php -c -q
+{% endfor %}
+
+cd ${cwd}
--- a/dokuwiki/templates/local.protected.php.j2
+++ b/dokuwiki/templates/local.protected.php.j2
+<?php
+
+{% if item.ad %}
+$conf['authtype'] = 'authad';
+$conf['plugin']['authad']['account_suffix'] = '@{{ item.ad_domain }}';
+$conf['plugin']['authad']['base_dn'] = '{{ item.ad_basedn }}';
+$conf['plugin']['authad']['domain_controllers'] = '{{ item.ad_controller }}';
+$conf['plugin']['authad']['admin_username'] = '{{ item.ad_user }}';
+$conf['plugin']['authad']['admin_password'] = '{{ item.ad_password }}';
+$conf['plugin']['authad']['use_tls'] = 1;
+$conf['plugin']['authad']['recursive_groups'] = '1';
+$conf['disableactions'] = 'register,profile_delete';
+$conf['superuser'] = '{{ item.ad_superuser }}';
+$conf['manager'] = '{{ item.ad_manager }}';
+{% endif %}
+
+$conf['passcrypt'] = 'ssha';
+$conf['mailfrom'] = '{{ item.mail }}';
+$conf['htmlmail'] = 0;
+$conf['userewrite'] = '1';
+$conf['gzip_output'] = 1;
+$conf['xsendfile'] = 0;
+$conf['updatecheck'] = 0;
--- a/dokuwiki/templates/plugins.local.php.j2
+++ b/dokuwiki/templates/plugins.local.php.j2
+<?php
+
+$plugins['authldap'] = 0;
+$plugins['authmysql'] = 0;
+$plugins['authpdo'] = 0;
+$plugins['authpgsql'] = 0;
+$plugins['popularity'] = 0;
--- a/dokuwiki/templates/rsnapshot.conf.j2
+++ b/dokuwiki/templates/rsnapshot.conf.j2
+#################################################
+# rsnapshot.conf - rsnapshot configuration file #
+#################################################
+#                                               #
+# PLEASE BE AWARE OF THE FOLLOWING RULE:        #
+#                                               #
+# This file requires tabs between elements      #
+#                                               #
+#################################################
+
+#######################
+# CONFIG FILE VERSION #
+#######################
+
+config_version	1.2
+
+###########################
+# SNAPSHOT ROOT DIRECTORY #
+###########################
+
+# All snapshots will be stored under this root directory.
+#
+snapshot_root	/var/backups/
+
+# If no_create_root is enabled, rsnapshot will not automatically create the
+# snapshot_root directory. This is particularly useful if you are backing
+# up to removable media, such as a FireWire or USB drive.
+#
+#no_create_root	1
+
+#################################
+# EXTERNAL PROGRAM DEPENDENCIES #
+#################################
+
+# LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
+# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
+#
+# See the README file or the man page for more details.
+#
+cmd_cp		/bin/cp
+
+# uncomment this to use the rm program instead of the built-in perl routine.
+#
+cmd_rm		/bin/rm
+
+# rsync must be enabled for anything to work. This is the only command that
+# must be enabled.
+#
+cmd_rsync	/usr/bin/rsync
+
+# Uncomment this to enable remote ssh backups over rsync.
+#
+#cmd_ssh	/usr/bin/ssh
+
+# Comment this out to disable syslog support.
+#
+cmd_logger	/usr/bin/logger
+
+# Uncomment this to specify the path to "du" for disk usage checks.
+# If you have an older version of "du", you may also want to check the
+# "du_args" parameter below.
+#
+#cmd_du		/usr/bin/du
+
+# Uncomment this to specify the path to rsnapshot-diff.
+#
+#cmd_rsnapshot_diff	/usr/bin/rsnapshot-diff
+
+# Specify the path to a script (and any optional arguments) to run right
+# before rsnapshot syncs files
+#
+#cmd_preexec	/path/to/preexec/script
+
+# Specify the path to a script (and any optional arguments) to run right
+# after rsnapshot syncs files
+#
+#cmd_postexec	/path/to/postexec/script
+
+# Paths to lvcreate, lvremove, mount and umount commands, for use with
+# Linux LVMs.
+#
+#linux_lvm_cmd_lvcreate	/sbin/lvcreate
+#linux_lvm_cmd_lvremove	/sbin/lvremove
+#linux_lvm_cmd_mount	/bin/mount
+#linux_lvm_cmd_umount	/bin/umount
+
+#########################################
+#     BACKUP LEVELS / INTERVALS         #
+# Must be unique and in ascending order #
+# e.g. alpha, beta, gamma, etc.         #
+#########################################
+
+retain	daily	7
+
+############################################
+#              GLOBAL OPTIONS              #
+# All are optional, with sensible defaults #
+############################################
+
+# Verbose level, 1 through 5.
+# 1     Quiet           Print fatal errors only
+# 2     Default         Print errors and warnings only
+# 3     Verbose         Show equivalent shell commands being executed
+# 4     Extra Verbose   Show extra verbose information
+# 5     Debug mode      Everything
+#
+verbose		2
+
+# Same as "verbose" above, but controls the amount of data sent to the
+# logfile, if one is being used. The default is 3.
+# If you want the rsync output, you have to set it to 4
+#
+loglevel	3
+
+# If you enable this, data will be written to the file you specify. The
+# amount of data written is controlled by the "loglevel" parameter.
+#
+#logfile	/var/log/rsnapshot.log
+
+# If enabled, rsnapshot will write a lockfile to prevent two instances
+# from running simultaneously (and messing up the snapshot_root).
+# If you enable this, make sure the lockfile directory is not world
+# writable. Otherwise anyone can prevent the program from running.
+#
+lockfile	/var/run/rsnapshot.pid
+
+# By default, rsnapshot check lockfile, check if PID is running
+# and if not, consider lockfile as stale, then start
+# Enabling this stop rsnapshot if PID in lockfile is not running
+#
+#stop_on_stale_lockfile		0
+
+# Default rsync args. All rsync commands have at least these options set.
+#
+#rsync_short_args	-a
+#rsync_long_args	--delete --numeric-ids --relative --delete-excluded
+
+# ssh has no args passed by default, but you can specify some here.
+#
+#ssh_args	-p 22
+
+# Default arguments for the "du" program (for disk space reporting).
+# The GNU version of "du" is preferred. See the man page for more details.
+# If your version of "du" doesn't support the -h flag, try -k flag instead.
+#
+#du_args	-csh
+
+# If this is enabled, rsync won't span filesystem partitions within a
+# backup point. This essentially passes the -x option to rsync.
+# The default is 0 (off).
+#
+#one_fs		0
+
+# The include and exclude parameters, if enabled, simply get passed directly
+# to rsync. If you have multiple include/exclude patterns, put each one on a
+# separate line. Please look up the --include and --exclude options in the
+# rsync man page for more details on how to specify file name patterns. 
+# 
+#include	???
+#include	???
+#exclude	???
+#exclude	???
+
+# The include_file and exclude_file parameters, if enabled, simply get
+# passed directly to rsync. Please look up the --include-from and
+# --exclude-from options in the rsync man page for more details.
+#
+#include_file	/path/to/include/file
+#exclude_file	/path/to/exclude/file
+
+# If your version of rsync supports --link-dest, consider enabling this.
+# This is the best way to support special files (FIFOs, etc) cross-platform.
+# The default is 0 (off).
+#
+#link_dest	0
+
+# When sync_first is enabled, it changes the default behaviour of rsnapshot.
+# Normally, when rsnapshot is called with its lowest interval
+# (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
+# intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
+# and all interval calls simply rotate files. See the man page for more
+# details. The default is 0 (off).
+#
+#sync_first	0
+
+# If enabled, rsnapshot will move the oldest directory for each interval
+# to [interval_name].delete, then it will remove the lockfile and delete
+# that directory just before it exits. The default is 0 (off).
+#
+#use_lazy_deletes	0
+
+# Number of rsync re-tries. If you experience any network problems or
+# network card issues that tend to cause ssh to fail with errors like
+# "Corrupted MAC on input", for example, set this to a non-zero value
+# to have the rsync operation re-tried.
+#
+#rsync_numtries 0
+
+# LVM parameters. Used to backup with creating lvm snapshot before backup
+# and removing it after. This should ensure consistency of data in some special
+# cases
+#
+# LVM snapshot(s) size (lvcreate --size option).
+#
+#linux_lvm_snapshotsize	100M
+
+# Name to be used when creating the LVM logical volume snapshot(s).
+#
+#linux_lvm_snapshotname	rsnapshot
+
+# Path to the LVM Volume Groups.
+#
+#linux_lvm_vgpath	/dev
+
+# Mount point to use to temporarily mount the snapshot(s).
+#
+#linux_lvm_mountpath	/path/to/mount/lvm/snapshot/during/backup
+
+###############################
+### BACKUP POINTS / SCRIPTS ###
+###############################
+
+{% for dw in dokuwiki %}
+backup {{ dw.path }}/conf dokuwiki/
+backup {{ dw.path }}/data/pages dokuwiki/
+backup {{ dw.path }}/data/meta dokuwiki/
+backup {{ dw.path }}/data/media dokuwiki/
+backup {{ dw.path }}/data/media_meta dokuwiki/
+backup {{ dw.path }}/data/attic dokuwiki/
+backup {{ dw.path }}/data/media_attic dokuwiki/
+{% endfor %}
--- a/dokuwiki/templates/update.sh.j2
+++ b/dokuwiki/templates/update.sh.j2
+#!/bin/sh
+
+cwd=$PWD
+
+{% for dw in dokuwiki %}
+cd {{ dw.path }}
+curl -s https://update.dokuwiki.org/check/$(grep updateVersion doku.php | sed -E 's/\$updateVersion = "(.*)";/\1/g')
+{% endfor %}
+
+cd ${cwd}