Ori.livneh has submitted this change and it was merged.

Change subject: Add piwik role
......................................................................


Add piwik role

* Provision behind misc-varnish as piwik.wikimedia.org.
* Restrict access at Apache level by using mod_authnz_ldap.

There is no piwik module yet, because piwik is not configurable from the
command line. Going through the web installer is a requirement for setting up
the database. The only alternative is to make puppet import a dump of an empty
(but fully initialized) piwik database, and we don't have good abstractions for
that.

Bug: T103577
Change-Id: I136ab0a38339544f461a73154d1e4ad5a0679b0e
---
A manifests/role/piwik.pp
M manifests/site.pp
M modules/role/manifests/cache/misc.pp
A templates/apache/sites/piwik.wikimedia.org.erb
M templates/varnish/misc-backend.inc.vcl.erb
M templates/varnish/misc-common.inc.vcl.erb
6 files changed, 96 insertions(+), 0 deletions(-)

Approvals:
  Ori.livneh: Verified; Looks good to me, approved



diff --git a/manifests/role/piwik.pp b/manifests/role/piwik.pp
new file mode 100644
index 0000000..88c5a97
--- /dev/null
+++ b/manifests/role/piwik.pp
@@ -0,0 +1,48 @@
+# == Class: role::piwik
+#
+# piwik is an open-source analytics platform.
+# It powers <https://piwik.wikimedia.org>.
+#
+# Q: Why is there no piwik module?
+# A: Piwik has no good configuration mechanism apart from the web installer.
+#
+class role::piwik {
+    include ::apache::mod::authnz_ldap
+    include ::apache::mod::headers
+    include ::apache::mod::php5
+    include ::apache::mod::rewrite
+
+    include ::passwords::ldap::production
+    include ::base::firewall
+
+    require_package('piwik')
+
+    ferm::service { 'piwik_http':
+        proto => 'tcp',
+        port  => '80',
+    }
+
+    # LDAP configuration. Interpolated into the Apache site template
+    # to provide mod_authnz_ldap-based user authentication.
+    $auth_ldap = {
+        name          => 'nda/ops/wmf',
+        bind_dn       => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org',
+        bind_password => $passwords::ldap::production::proxypass,
+        url           => 'ldaps://ldap-labs.eqiad.wikimedia.org 
ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn',
+        groups        => [
+            'cn=ops,ou=groups,dc=wikimedia,dc=org',
+            'cn=nda,ou=groups,dc=wikimedia,dc=org',
+            'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+        ],
+    }
+
+    apache::site { 'piwik.wikimedia.org':
+        content => template('apache/sites/piwik.wikimedia.org.erb'),
+        require => Class['::piwik'],
+    }
+
+    monitoring::service { 'piwik':
+        description   => 'piwik.wikimedia.org',
+        check_command => 'check_http_url!piwik.wikimedia.org!/',
+    }
+}
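Review bot: `require => Class['::piwik']` on the apache::site resource references a class this change does not define — the commit message says there is no piwik module and the package is pulled in via `require_package('piwik')` — so catalog compilation will likely fail on the missing dependency unless a class named piwik exists elsewhere; `require => Package['piwik']` expresses the intended ordering. The `ferm::service { 'piwik_http' }` rule opens port 80 with no `srange`, while the HTTPS redirect in the site template relies entirely on the X-Forwarded-Proto header set by the cache layer, so limiting the source range to the cache hosts keeps Basic-auth credentials from being accepted over a direct plaintext connection. The LDAP bind password is interpolated into the site file; apache::site is defined outside this change, so confirm the generated file under sites-available is not world-readable.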
diff --git a/manifests/site.pp b/manifests/site.pp
index 2b27f8d..3ef0413 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -229,6 +229,7 @@
 }
 
 node 'bohrium.eqiad.wmnet' {
+    role piwik
     include standard
 }
 
diff --git a/modules/role/manifests/cache/misc.pp 
b/modules/role/manifests/cache/misc.pp
index 6e936f6..6168293 100644
--- a/modules/role/manifests/cache/misc.pp
+++ b/modules/role/manifests/cache/misc.pp
@@ -38,6 +38,11 @@
                 'type' => 'random',
                 'backends' => ['bromine.eqiad.wmnet'],
             },
+            'bohrium' => {
+                'dynamic' => 'no',
+                'type' => 'random',
+                'backends' => ['bohrium.eqiad.wmnet'],
+            },
             'caesium' => {
                 'dynamic' => 'no',
                 'type' => 'random',
diff --git a/templates/apache/sites/piwik.wikimedia.org.erb 
b/templates/apache/sites/piwik.wikimedia.org.erb
new file mode 100644
index 0000000..b871606
--- /dev/null
+++ b/templates/apache/sites/piwik.wikimedia.org.erb
@@ -0,0 +1,39 @@
+# Apache configuration for Piwik.
+# This file is managed by Puppet.
+<VirtualHost *:80>
+  ServerName piwik.wikimedia.org
+  DocumentRoot /usr/share/piwik
+
+  RewriteEngine On
+  RewriteCond %{HTTP:X-Forwarded-Proto} !https
+  RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
+  Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+  Header always set Strict-Transport-Security "max-age=31536000"
+
+  <Directory "/usr/share/piwik">
+    php_admin_flag engine on
+
+    AuthName "<%= @auth_ldap['name'] %>"
+    AuthType Basic
+    AuthBasicProvider ldap
+    AuthLDAPBindDN <%= @auth_ldap['bind_dn'] %>
+    AuthLDAPBindPassword <%= @auth_ldap['bind_password'] %>
+    AuthLDAPURL "<%= @auth_ldap['url'] %>"
+    <% @auth_ldap['groups'].each do |group| -%>
+    Require ldap-group <%= group %>
+    <% end -%>
+  </Directory>
+
+  <Files "console">
+    Require all denied
+  </Files>
+
+  <Directory "/usr/share/piwik/misc">
+    Require all denied
+  </Directory>
+
+  <Directory "/usr/share/piwik/vendor">
+    Require all denied
+  </Directory>
+
+</VirtualHost>
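Review bot: `AuthLDAPBindDN` and `AuthLDAPBindPassword` are emitted unquoted, unlike `AuthLDAPURL` two lines below, so a bind password containing whitespace would be truncated or break the directive; quote them the same way: `AuthLDAPBindDN "<%= @auth_ldap['bind_dn'] %>"` and `AuthLDAPBindPassword "<%= @auth_ldap['bind_password'] %>"`. The `<Directory "/usr/share/piwik">` block sets no `AllowOverride`, so any .htaccess files the package ships are ignored and only the `console`, `misc` and `vendor` denials written here take effect; confirm no other non-public directory under the document root was relying on them. Since no `Require` other than the ldap-group lines is given, the three groups combine as RequireAny, which matches the "any of these groups" intent described in the role.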
diff --git a/templates/varnish/misc-backend.inc.vcl.erb 
b/templates/varnish/misc-backend.inc.vcl.erb
index 2b8b92a..1912cb3 100644
--- a/templates/varnish/misc-backend.inc.vcl.erb
+++ b/templates/varnish/misc-backend.inc.vcl.erb
@@ -21,6 +21,8 @@
         set req.backend = caesium;
     } elsif (req.http.Host == "gdash.wikimedia.org") {
         set req.backend = krypton;
+    } elsif (req.http.Host == "piwik.wikimedia.org") {
+        set req.backend = bohrium;
     } elsif (req.http.Host == "grafana.wikimedia.org" || req.http.host == 
"grafana-admin.wikimedia.org") {
         set req.backend = krypton;
     } elsif (req.http.Host == "parsoid-tests.wikimedia.org") {
diff --git a/templates/varnish/misc-common.inc.vcl.erb 
b/templates/varnish/misc-common.inc.vcl.erb
index 7e9c38f..f5e0787 100644
--- a/templates/varnish/misc-common.inc.vcl.erb
+++ b/templates/varnish/misc-common.inc.vcl.erb
@@ -4,6 +4,7 @@
            req.http.Host == "gerrit.wikimedia.org"
         || req.http.Host == "grafana.wikimedia.org" || req.http.host == 
"grafana-admin.wikimedia.org"
         || req.http.Host == "static-bugzilla.wikimedia.org" || req.http.Host 
== "annual.wikimedia.org" || req.http.Host == "transparency.wikimedia.org"
+        || req.http.Host == "piwik.wikimedia.org"
         || req.http.Host == "otrs-test.wikimedia.org" // No caching of OTRS 
for now
         || req.http.Host == "people.wikimedia.org" // No caching of 
public_html dirs
         || req.http.Host == "datasets.wikimedia.org" // No caching of 
datasets.  They can be larger than misc varnish can deal with.


Gerrit-MessageType: merged
Gerrit-Change-Id: I136ab0a38339544f461a73154d1e4ad5a0679b0e
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
