Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/53989
Change subject: First pass at a labsconsole puppet setup
......................................................................
First pass at a labsconsole puppet setup
Change-Id: I9319c46b1cc45595d3211cc31fdea8603b1861b8
---
M manifests/openstack.pp
A manifests/role/labsconsole.pp
M modules/mediawiki_singlenode/manifests/init.pp
A templates/labsconsole/Debug.php.erb
A templates/labsconsole/Local.php.erb
A templates/labsconsole/Private.php.erb
A templates/labsconsole/Settings.php.erb
A templates/labsconsole/labsconsole.php.erb
M templates/ldap/base.ldif.erb
A templates/mediawiki/labsconsole.php.erb
10 files changed, 757 insertions(+), 10 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/53989/1
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index 7d81118..16e2af0 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -438,6 +438,11 @@
 group => root,
 content => template('apache/sites/wikitech.wikimedia.org.erb'),
 ensure => present;
+ "/a":
+ mode => 755,
+ owner => root,
+ group => root,
+ ensure => directory;
 "/a/backup":
 mode => 755,
 owner => root,
diff --git a/manifests/role/labsconsole.pp b/manifests/role/labsconsole.pp
new file mode 100644
index 0000000..32bf047
--- /dev/null
+++ b/manifests/role/labsconsole.pp
@@ -0,0 +1,87 @@
+# Configure a labsconsole test instance: Openstack, Mediawiki, Openstackmanager
+#
+# Globals you will want to set:
+# $::mariadb = False
+# $::openstack_version = "essex"
+# $::dns_auth_ipaddress = "127.0.0.1"
+# $::dns_auth_soa_name = "wmflabs.org"
+# $::ldap_certificate = "star.wmflabs"
+# $::ldap_first_master = true
+# $::ldap_server_bind_ips = "127.0.0.1 10.4.0.82"
+
+class role::labsconsole::labs {
+ include passwords::openstack::nova
+
+ $db_host = $realm ? {
+ "production" => "virt0.wikimedia.org",
+ "labs" => "localhost",
+ }
+ $ldap_server_primary = $realm ? {
+ "production" => 'virt0.wikimedia.org',
+ "labs" => 'localhost',
+ }
+ $ldap_server_secondary = $realm ? {
+ "production" => 'virt1000.wikimedia.org',
+ "labs" => 'localhost',
+ }
+
+ $wiki_name = "labsconsole-test"
+
+ file { ["/var/www", "/var/www/srv", "/var/www/srv/org", "/var/www/srv/org/wikimedia", "/var/www/srv/org/wikimedia/controller", "/var/www/srv/org/wikimedia/controller/wikis", "/var/www/srv/org/wikimedia/controller/wikis/config"]:
+ ensure => 'directory',
+ }
+
+ class { "mediawiki_singlenode":
+ ensure => present,
+ wiki_name => $wiki_name,
+ mysql_pass => $passwords::openstack::nova::controller_mysql_root_pass,
+ role_requires => [
+ '\'/srv/org/wikimedia/controller/wikis/config/Settings.php\'',
+ '\'/srv/org/wikimedia/controller/wikis/config/Private.php\'',
+ '\'/srv/org/wikimedia/controller/wikis/config/Local.php\'',
+ '\'/srv/org/wikimedia/controller/wikis/config/Debug.php\'',
+ ],
+ require => File["/var/www/srv/org/wikimedia/controller/wikis/config"],
+ install_path => "/srv/org/wikimedia/controller/wikis/w";
+ }
+
+ mw-extension { [ "Echo", "CentralAuth", "Collection", "DynamicSidebar",
+ "LdapAuthentication", "OATHAuth", "OpenStackManager",
+ "SemanticForms", "SemanticMediaWiki", "SemanticResultFormats",
+ "Validator", "WikiEditor", "CodeEditor", "Scribunto",
+ "Renameuser", "SyntaxHighlight_GeSHi",
+ "Cite", "Vector", "Gadgets", "CategoryTree", "ParserFunctions",
+ "TitleBlacklist", "DataValues"]:
+ ensure => present,
+ install_path => "/srv/org/wikimedia/controller/wikis/w";
+ }
+
+ $host_address = $labs_mediawiki_hostname
+
+
+ file {"/srv/org/wikimedia/controller/wikis/config":
+ ensure => directory;
+ }
+ file {"/srv/org/wikimedia/controller/wikis/config/Settings.php":
+ content => template("labsconsole/Settings.php.erb"),
+ require => file["/srv/org/wikimedia/controller/wikis/config"],
+ ensure => present;
+ }
+ file {"/srv/org/wikimedia/controller/wikis/config/Local.php":
+ content => template("labsconsole/Local.php.erb"),
+ require => file["/srv/org/wikimedia/controller/wikis/config"],
+ ensure => present;
+ }
+ file {"/srv/org/wikimedia/controller/wikis/config/Debug.php":
+ content => template("labsconsole/Debug.php.erb"),
+ require => file["/srv/org/wikimedia/controller/wikis/config"],
+ ensure => present;
+ }
+ file {"/srv/org/wikimedia/controller/wikis/config/Copy-to-Private.php":
+ content => template("labsconsole/Private.php.erb"),
+ require => file["/srv/org/wikimedia/controller/wikis/config"],
+ ensure => present;
+ }
+
+ include role::ldap::server::labs, role::nova::compute, role::nova::controller
+}
diff --git a/modules/mediawiki_singlenode/manifests/init.pp b/modules/mediawiki_singlenode/manifests/init.pp
index d53a1bd..dcfbd3d 100644
--- a/modules/mediawiki_singlenode/manifests/init.pp
+++ b/modules/mediawiki_singlenode/manifests/init.pp
@@ -17,6 +17,7 @@
 $role_requires = [],
 $install_path = "/srv/mediawiki",
 $role_config_lines = [],
+ $mysql_pass = '',
 $memcached_size = 128) {
 if !defined(Class["webserver::php5"]) {
 class {'webserver::php5': ssl => 'true'; }
@@ -58,12 +59,8 @@
 ensure => present;
 }
 
- file { "/var/www/srv":
- ensure => 'directory';
- }
-
 file { "/var/www/${install_path}":
- require => [File['/var/www/srv'], git::clone['mediawiki']],
+ require => git::clone['mediawiki'],
 ensure => 'link',
 target => $install_path;
 }
@@ -88,7 +85,7 @@ exec { 'mediawiki_setup': require => [git::clone["mediawiki"], File["${install_path}/orig"], exec['password_gen']], creates => "${install_path}/orig/LocalSettings.php", - command => "/usr/bin/php ${install_path}/maintenance/install.php $wiki_name admin --dbname $database_name --dbuser root --passfile \"${install_path}/orig/adminpass\" --server $mwserver --scriptpath \"${install_path}\" --confpath \"${install_path}/orig/\"", + command => "/usr/bin/php ${install_path}/maintenance/install.php $wiki_name admin --dbname $database_name --dbuser root --passfile \"${install_path}/orig/adminpass\" --server $mwserver --installdbuser=\"root\" --installdbpass \"${mysql_pass}\" --scriptpath \"${install_path}\" --confpath \"${install_path}/orig/\"", logoutput => "on_failure", } diff --git a/templates/labsconsole/Debug.php.erb b/templates/labsconsole/Debug.php.erb new file mode 100644 index 0000000..80f26f0 --- /dev/null +++ b/templates/labsconsole/Debug.php.erb @@ -0,0 +1,7 @@ +<?php + +#$wgPasswordReminderResendTime = 0; +#$wgPasswordAttemptThrottle = false; +$wgShowExceptionDetails = true; +#$wgLDAPDebug = 5; +#$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log"; diff --git a/templates/labsconsole/Local.php.erb b/templates/labsconsole/Local.php.erb new file mode 100644 index 0000000..4aa0bbc --- /dev/null +++ b/templates/labsconsole/Local.php.erb 
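Review bot: The added `--installdbpass \"${mysql_pass}\"` places the MySQL root password on the exec command line, where it is readable by any local user in the process list while install.php runs and ends up in Puppet's log and report whenever the exec fails, since the failure message quotes the whole command. The value is also shell-interpolated inside double quotes, so a password containing `"`, `$` or a backtick breaks or expands the command. The exec already passes the admin password through a root-only file with `--passfile`; the database password deserves the same treatment if install.php offers a file-based equivalent, and otherwise the exposure should be called out in a comment on the resource. The `$mysql_pass = ''` default added in the first hunk of this file means a caller that omits the parameter silently runs the installer with an empty root password instead of failing, and `--installdbuser=\"root\"` uses `=` where every other option on the line uses a space. The exec resource is declared outside the hunk.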
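Review bot: `$wgShowExceptionDetails = true;` is the only uncommented setting in this template, and Settings.php.erb requires Debug.php unconditionally, so every instance built from the role returns exception messages and backtraces, including filesystem paths, to anonymous visitors. If it is only wanted while debugging a test instance, keep it commented like the four lines around it and enable it by hand, i.e. `#$wgShowExceptionDetails = true;`. A one-line header comment stating that this file is for local debugging and is loaded on every request would also help the next person who edits it.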
@@ -0,0 +1,134 @@ +<?php +$wgDBserver = "<%= db_host %>"; +$wgDBname = "labswiki"; + +$wgSitename = "Labs"; +$wgPasswordSenderName = "Wikimedia Labs Mail"; + +$wgCookieDomain = "labsconsole.wikimedia.org"; + +$wgLogo = "https://labsconsole.wikimedia.org/w/images/c/cf/Labslogo_thumb.png"; + +# Only sysops can create new accounts. +$wgGroupPermissions['*']['createaccount'] = true; + +$wgGroupPermissions['cloudadmin']['listall'] = true; +$wgGroupPermissions['bureaucrat']['manageproject'] = true; +$wgGroupPermissions['cloudadmin']['managednsdomain'] = true; +$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true; +$wgGroupPermissions['shell']['loginviashell'] = true; + +$wgImportSources[] = "wikitech"; + +enableSemantics('labsconsole'); + +require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); +$wgAuth = new LdapAuthenticationPlugin(); +$wgLDAPDomainNames = array( 'labs'); +$wgLDAPServerNames = array( 'labs' => "<%= ldap_server_primary %> <%= ldap_server_secondary %>" ); +$wgLDAPSearchAttributes = array( 'labs' => 'cn'); +$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' ); +$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPEncryptionType = array( 'labs' => 'tls'); +$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPAddLDAPUsers = array( 'labs' => true ); +$wgLDAPUpdateLDAP = array( 'labs' => true ); +$wgLDAPPasswordHash = array( 'labs' => 'clear' ); +// 'invaliddomain' is set to true so that mail password options +// will be available on user creation and password mailing +$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true ); +$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) ); +$wgLDAPUseFetchedUsername = array( 'labs' => true ); +$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => false ); +$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false ); +// Only enable UseLocal if you need to promote 
an LDAP user +#$wgLDAPUseLocal = true; +$wgMinimalPasswordLength = 1; + +require_once( "$IP/extensions/OATHAuth/OATHAuth.php" ); + +require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" ); +$wgOpenStackManagerNovaKeypairStorage = 'ldap'; +$wgOpenStackManagerNovaIdentityURI = "http://<%= db_host %>:35357/v2.0"; +$wgOpenStackManagerLDAPDomain = 'labs'; +$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org"; +$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPDefaultGid = '500'; +$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell'; +$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true; +$wgOpenStackManagerDNSOptions = array( + 'enabled' => true, + 'servers' => array( 'primary' => "<%= ldap_server_primary %>", 'secondary' => "<%= ldap_server_secondary %>" ), + 'soa' => array( 'hostmaster' => 'hostmaster.wikimedia.org', 'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => '7200' ), + ); +$wgOpenStackManagerPuppetOptions = array( + 'enabled' => true, + 'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 'exim::simple-mail-sender', 'sudo::labs_project' ), + 'defaultvariables' => array( 'realm' => 'labs' ), + ); +$wgOpenStackManagerInstanceUserData = array( + 'cloud-config' => array( + #'puppet' => array( 'conf' => array( 'puppetd' => array( 'server' => 'labsconsole.wikimedia.org', 'certname' => '%i' ) ) ), + #'apt_upgrade' => 'true', + 'apt_update' => 'false', // Puppet will cause this + #'apt_mirror' => 'http://ubuntu.wikimedia.org/ubuntu/', + ), + 'scripts' => array( + 'runpuppet.sh' => '/srv/org/wikimedia/controller/scripts/runpuppet.sh', + ), + 'upstarts' => array( + 'ttyS0.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS0.conf', + 'ttyS1.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS1.conf', + ), + ); +$wgOpenStackManagerDefaultSecurityGroupRules = 
array( + # Allow all traffic within the project + array( 'group' => 'default' ), + # Allow ping from everywhere + array( 'fromport' => '-1', + 'toport' => '-1', + 'protocol' => 'icmp', + 'range' => '0.0.0.0/0' ), + # Allow ssh from all projects + array( 'fromport' => '22', + 'toport' => '22', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + # Allow nrpe access from all projects (access is limited in config) + array( 'fromport' => '5666', + 'toport' => '5666', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + ); +$wgOpenStackManagerInstanceDefaultImage = "a84558b0-ffaa-4dcd-a020-281b45a87af5"; +$wgOpenStackManagerInstanceBannedImages = array( + "b1bec070-81de-4ad5-9c1d-a5b0f7d28819", //lucid loader + "c80a63f0-62b0-4f3c-a495-01e2d8a46ade", //lucid kernel + "167350c0-0410-4336-9a94-9c8da55f26a3", //natty + "a3ee8fe3-b9f6-4a96-bad2-8bac64affde0", //oneiric + "e6c0d0ea-a1a3-40a7-8039-641f96b14023", //oneric + ); +$wgOpenStackManagerInstanceBannedInstanceTypes = array( + "m1.tiny", + "s1.tiny", + "s1.small", + "s1.medium", + "s1.large", + "s1.xlarge", + ); +$wgOpenStackManagerInstanceDefaultImage = "a84558b0-ffaa-4dcd-a020-281b45a87af5"; + +# Enable doc links on the 'configure instance' page +$wgOpenStackManagerPuppetDocBase = 'http://doc.wikimedia.org/puppet/classes/__site__/'; + +$smwgNamespacesWithSemanticLinks[NS_NOVA_RESOURCE] = true; +$wgNamespacesWithSubpages[NS_NOVA_RESOURCE] = true; +$wgNamespacesToBeSearchedDefault[NS_NOVA_RESOURCE] = true; +$wgNamespacesToBeSearchedDefault[NS_HELP] = true; + +#require_once("$IP/extensions/OpenID/OpenID.php"); +$wgOpenIDClientOnly = false; +$wgHideOpenIDLoginLink = true; +$wgOpenIDConsumerAllow = ''; +$wgOpenIDConsumerDenyByDefault = true; diff --git a/templates/labsconsole/Private.php.erb b/templates/labsconsole/Private.php.erb new file mode 100644 index 0000000..3dcce48 --- /dev/null +++ b/templates/labsconsole/Private.php.erb 
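Review bot: The comment `# Only sysops can create new accounts.` contradicts the line beneath it, `$wgGroupPermissions['*']['createaccount'] = true;`, which grants account creation to everyone; either the comment or the value should change, and the same pair recurs in labsconsole.php.erb. `$wgMinimalPasswordLength = 1;` together with `$wgLDAPPasswordHash = array( 'labs' => 'clear' );` means one-character passwords are accepted and handed to the directory unhashed, which is only acceptable if the labs LDAP server hashes on write — worth stating in a comment next to the setting. `$wgOpenStackManagerInstanceDefaultImage` is assigned the same value twice, and the `$wgOpenID*` settings are set while the `require_once` for the OpenID extension is commented out, so they are dead configuration. `$wgCookieDomain = "labsconsole.wikimedia.org"` is fixed while `$wgDBserver` follows the realm, so a labs-realm instance served under another hostname will probably not get its session cookies accepted by the browser.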
@@ -0,0 +1,17 @@
+<?php
+
+# These values are most likely already set in orig/LocalSettings.php
+#$wgDBuser = "wikiuser";
+#$wgDBpassword = "REDACTED";
+#$wgSecretKey = "REDACTED";
+#$wgUpgradeKey = "REDACTED";
+
+
+$wgCaptchaSecret = "REDACTED";
+$wgLDAPProxyAgent = array( 'labs' => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' );
+$wgLDAPProxyAgentPassword = array( 'labs' => 'REDACTED' );
+$wgLDAPWriterDN = array( 'labs' => 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' );
+$wgLDAPWriterPassword = array( 'labs' => 'REDACTED' );
+$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPUsername = 'novaadmin';
+$wgOpenStackManagerLDAPUserPassword = 'REDACTED';
diff --git a/templates/labsconsole/Settings.php.erb b/templates/labsconsole/Settings.php.erb
new file mode 100644
index 0000000..95195e3
--- /dev/null
+++ b/templates/labsconsole/Settings.php.erb
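Review bot: The role renders this template as Copy-to-Private.php rather than the Private.php that Settings.php.erb requires, and every secret in it is the literal string `REDACTED`, so a manual copy-and-fill step is implied but nowhere written down; a header comment such as `# Rendered as Copy-to-Private.php: copy to Private.php, fill in the real values, and keep it root-owned and unreadable to others` would make the workflow explicit. The commented `$wgDBuser`/`$wgDBpassword`/`$wgSecretKey`/`$wgUpgradeKey` block says those values are "most likely" in orig/LocalSettings.php; since the singlenode installer writes that file, the comment can state it as fact or the block can go.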
@@ -0,0 +1,160 @@ +<?php + +$wgScriptPath = "/w"; +$wgScriptExtension = ".php"; +$wgArticlePath = '/wiki/$1'; + +$wgStylePath = "$wgScriptPath/skins"; + +$wgEnableEmail = true; +$wgEnableUserEmail = true; + +$wgEmergencyContact = "n...@wikimedia.org"; +$wgPasswordSender = "n...@wikimedia.org"; + +$wgEnotifUserTalk = true; +$wgEnotifWatchlist = true; +$wgEmailAuthentication = true; + +$wgEnableUploads = true; +$wgUseImageMagick = true; +$wgImageMagickConvertCommand = "/usr/bin/convert"; + +$wgUseInstantCommons = true; + +$wgShellLocale = "en_US.utf8"; + +$wgUseTeX = false; + +$wgLanguageCode = "en"; + +$wgDefaultSkin = "vector"; + +$wgEnableCreativeCommonsRdf = true; +$wgRightsPage = ""; +$wgRightsUrl = "http://creativecommons.org/licenses/by-sa/3.0/"; +$wgRightsText = "Creative Commons Attribution Share Alike"; +$wgRightsIcon = "{$wgStylePath}/common/images/cc-by-sa.png"; + +$wgDiff3 = "/usr/bin/diff3"; + +$wgDBtype = "mysql"; +$wgDBprefix = ""; +$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary"; +$wgDBmysql5 = false; + +$wgJobRunRate = 0; + +$wgCacheDirectory = "$IP/cache"; + +$wgMainCacheType = CACHE_MEMCACHED; +$wgParserCacheType = CACHE_MEMCACHED; +$wgMessageCacheType = CACHE_MEMCACHED; +$wgSessionsInMemcached = true; +$wgMemCachedServers = array( '127.0.0.1:11000' ); + +$wgInterwikiCache = "$wgCacheDirectory/interwiki.cdb"; + +$wgCacheEpoch = "20120611221408"; + +$wgCookieSecure = true; +# 7 days max login token. Keystone is set to 7.1 days. 
If either changes +# then both need to be adjusted +$wgCookieExpiration = 604800; + +$wgShowIPinHeader = false; +$wgDisableCounters = true; + +$wgAllowUserCss = true; +$wgAllowUserJs = true; + +# Anons can't edit +$wgGroupPermissions['*']['edit'] = false; + +# Give another group import rights +$wgGroupPermissions['importers']['import'] = true; +$wgGroupPermissions['importers']['importupload'] = true; + +#$wgGroupPermissions['accountcreators']['createaccount'] = true; + +$wgGroupPermissions['contentadmin']['protect'] = true; +$wgGroupPermissions['contentadmin']['editprotected'] = true; +$wgGroupPermissions['contentadmin']['bigdelete'] = true; +$wgGroupPermissions['contentadmin']['delete'] = true; +$wgGroupPermissions['contentadmin']['undelete'] = true; +$wgGroupPermissions['contentadmin']['block'] = true; +$wgGroupPermissions['contentadmin']['blockemail'] = true; +$wgGroupPermissions['contentadmin']['patrol'] = true; +$wgGroupPermissions['contentadmin']['autopatrol'] = true; +$wgGroupPermissions['contentadmin']['import'] = true; +$wgGroupPermissions['contentadmin']['importupload'] = true; +$wgGroupPermissions['contentadmin']['upload_by_url'] = true; +$wgGroupPermissions['contentadmin']['movefile'] = true; +$wgGroupPermissions['contentadmin']['suppressredirect'] = true; +$wgGroupPermissions['contentadmin']['rollback'] = true; +$wgGroupPermissions['contentadmin']['browsearchive'] = true; +$wgGroupPermissions['contentadmin']['deletedhistory'] = true; +$wgGroupPermissions['contentadmin']['deletedtext'] = true; +$wgGroupPermissions['contentadmin']['autoconfirmed'] = true; + +require_once( "$IP/extensions/WikiEditor/WikiEditor.php" ); + +require_once( "$IP/extensions/Echo/Echo.php" ); + +require_once( "$IP/extensions/CodeEditor/CodeEditor.php" ); + +require_once( "$IP/extensions/Scribunto/Scribunto.php" ); +$wgScribuntoDefaultEngine = 'luastandalone'; +$wgScribuntoUseGeSHi = true; +$wgScribuntoUseCodeEditor = true; + +require_once( 
"$IP/extensions/ConfirmEdit/ConfirmEdit.php" ); +#require_once( "$IP/extensions/ConfirmEdit/FancyCaptcha.php" ); +#$wgCaptchaClass = 'FancyCaptcha'; +#$wgCaptchaDirectory = '/srv/org/wikimedia/controller/wikis/captcha'; +#$wgCaptchaDirectoryLevels = 0; +#$wgCaptchaWhitelist = '#^(https?:)?//([.a-z0-9-]+\\.)?((wikidata|wikimedia|wikipedia|wiktionary|wikiquote|wikibooks|wikisource|wikispecies|mediawiki|wikimediafoundation|wikinews|wikiversity|wikivoyage)\.org|dnsstuff\.com|completewhois\.com|wikimedia\.de|toolserver\.org)(/|$)#i'; +$wgGroupPermissions['accountcreators']['skipcaptcha'] = true; +$wgGroupPermissions['bots']['skipcaptcha'] = true; + +require_once( "$IP/extensions/Renameuser/Renameuser.php" ); + +require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" ); + +require_once( "$IP/extensions/SyntaxHighlight_GeSHi/SyntaxHighlight_GeSHi.php" ); + +require_once( "$IP/extensions/Cite/Cite.php" ); + +require_once( "$IP/extensions/Vector/Vector.php" ); +$wgDefaultUserOptions['vector-collapsiblenav'] = 1; +$wgVectorUseSimpleSearch = true; + +require_once( "$IP/extensions/WikiEditor/WikiEditor.php" ); +$wgDefaultUserOptions['usebetatoolbar'] = 1; +$wgDefaultUserOptions['usebetatoolbar-cgd'] = 1; + +require_once( "$IP/extensions/Gadgets/Gadgets.php" ); + +require_once( "$IP/extensions/CategoryTree/CategoryTree.php" ); + +require_once( "$IP/extensions/ParserFunctions/ParserFunctions.php"); + +require_once( "$IP/extensions/TitleBlacklist/TitleBlacklist.php" ); +$wgTitleBlacklistSources = array( + array( + 'type' => TBLSRC_LOCALPAGE, + 'src' => 'MediaWiki:Titleblacklist', + ), +); + +include_once("$IP/extensions/Validator/Validator.php"); +include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php"); + +include_once("$IP/extensions/SemanticForms/SemanticForms.php"); + +# SemanticResultFormats, an extra set of printers for SMW +require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php"); + +require_once( "Local.php" ); +require_once( 
"Private.php" ); +require_once( "Debug.php" ); diff --git a/templates/labsconsole/labsconsole.php.erb b/templates/labsconsole/labsconsole.php.erb new file mode 100644 index 0000000..c93cf4c --- /dev/null +++ b/templates/labsconsole/labsconsole.php.erb 
@@ -0,0 +1,170 @@ +<?php + +$wgShowIPinHeader = false; +$wgDisableCounters = true; + +## Shared memory settings +$wgMainCacheType = CACHE_MEMCACHED; +$wgParserCacheType = CACHE_MEMCACHED; +$wgMessageCacheType = CACHE_MEMCACHED; +$wgSessionsInMemcached = true; +$wgMemCachedServers = array( '127.0.0.1:11000' ); + +require_once( "$IP/extensions/Echo/Echo.php" ); + +require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" ); + +# Direct puppet docs to our doc site +$wgOpenStackManagerPuppetDocBase = "doc.wikimedia.org/puppet"; + + +require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); +$wgAuth = new LdapAuthenticationPlugin(); +$wgLDAPDomainNames = array( 'labs'); +$wgLDAPServerNames = array( 'labs' => 'localhost' ); +$wgLDAPSearchAttributes = array( 'labs' => 'cn'); +$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' ); +$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPEncryptionType = array( 'labs' => 'clear'); +$wgLDAPProxyAgent = array( 'labs' => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' ); +$wgLDAPProxyAgentPassword = array( 'labs' => $ldaproxypswd ); +$wgLDAPWriterDN = array( 'labs' => 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' ); +$wgLDAPWriterPassword = array( 'labs' => $ldapwriterpswd ); +$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPAddLDAPUsers = array( 'labs' => true ); +$wgLDAPUpdateLDAP = array( 'labs' => true ); +$wgLDAPPasswordHash = array( 'labs' => 'clear' ); +// 'invaliddomain' is set to true so that mail password options +// will be available on user creation and password mailing +$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true ); +$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) ); +$wgLDAPUseFetchedUsername = array( 'labs' => true ); +$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => false ); +$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false ); +// 
Only enable UseLocal if you need to promote an LDAP user +#$wgLDAPUseLocal = true; +$wgMinimalPasswordLength = 1; + + + +require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" ); + +$wgOpenStackManagerNovaKeypairStorage = 'ldap'; +$wgOpenStackManagerNovaIdentityURI = "http://<%=host_address%>:35357/v2.0"; +$wgOpenStackManagerLDAPDomain = 'labs'; +$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPUsername = 'novaadmin'; +$wgOpenStackManagerLDAPUserPassword = $ldapuserpswd; +$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org"; +$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPDefaultGid = '500'; +$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell'; +$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true; +$wgOpenStackManagerDNSOptions = array( + 'enabled' => true, + 'servers' => array( 'primary' => "<%=host_address%>"), + 'soa' => array( 'hostmaster' => 'hostmaster.wikimedia.org', 'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => '7200' ), + ); +$wgOpenStackManagerPuppetOptions = array( + 'enabled' => true, + 'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 'exim::simple-mail-sender', 'sudo::labs_project' ), + 'defaultvariables' => array( 'realm' => 'labs' ), + ); + +$wgOpenStackManagerInstanceUserData = array( + 'cloud-config' => array( + 'apt_update' => 'false', // Puppet will cause this + ), + 'scripts' => array( + 'runpuppet.sh' => '/srv/org/wikimedia/controller/scripts/runpuppet.sh', + ), + 'upstarts' => array( + 'ttyS0.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS0.conf', + 'ttyS1.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS1.conf', + ), + ); + +$wgOpenStackManagerDefaultSecurityGroupRules = array( + # Allow all traffic within the project + array( 'group' => 'default' ), + # Allow 
ping from everywhere + array( 'fromport' => '-1', + 'toport' => '-1', + 'protocol' => 'icmp', + 'range' => '0.0.0.0/0' ), + # Allow ssh from all projects + array( 'fromport' => '22', + 'toport' => '22', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + # Allow nrpe access from all projects (access is limited in config) + array( 'fromport' => '5666', + 'toport' => '5666', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + ); + +$wgLogo = "https://<%=host_address%>/w/images/c/cf/Labslogo_thumb.png"; + +include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php"); +enableSemantics(<%=wiki_name%>); + +include_once("$IP/extensions/SemanticForms/SemanticForms.php"); + +#SemanticResultFormats, an extra set of printers for SMW +require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php"); + + +# Only sysops can create new accounts. +$wgGroupPermissions['*']['createaccount'] = true; + +# # Anons can't edit +$wgGroupPermissions['*']['edit'] = false; + +# # Give another group import rights +$wgGroupPermissions['importers']['import'] = true; +$wgGroupPermissions['importers']['importupload'] = true; +$wgGroupPermissions['cloudadmin']['listall'] = true; +$wgGroupPermissions['bureaucrat']['manageproject'] = true; +$wgGroupPermissions['cloudadmin']['managednsdomain'] = true; +$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true; +$wgGroupPermissions['shell']['loginviashell'] = true; +$wgGroupPermissions['contentadmin']['protect'] = true; +$wgGroupPermissions['contentadmin']['editprotected'] = true; +$wgGroupPermissions['contentadmin']['bigdelete'] = true; +$wgGroupPermissions['contentadmin']['delete'] = true; +$wgGroupPermissions['contentadmin']['undelete'] = true; +$wgGroupPermissions['contentadmin']['block'] = true; +$wgGroupPermissions['contentadmin']['blockemail'] = true; +$wgGroupPermissions['contentadmin']['patrol'] = true; +$wgGroupPermissions['contentadmin']['autopatrol'] = true; +$wgGroupPermissions['contentadmin']['import'] 
= true; +$wgGroupPermissions['contentadmin']['importupload'] = true; +$wgGroupPermissions['contentadmin']['upload_by_url'] = true; +$wgGroupPermissions['contentadmin']['movefile'] = true; +$wgGroupPermissions['contentadmin']['suppressredirect'] = true; +$wgGroupPermissions['contentadmin']['rollback'] = true; +$wgGroupPermissions['contentadmin']['browsearchive'] = true; +$wgGroupPermissions['contentadmin']['deletedhistory'] = true; +$wgGroupPermissions['contentadmin']['deletedtext'] = true; +$wgGroupPermissions['contentadmin']['autoconfirmed'] = true; +$wgGroupPermissions['accountcreators']['createaccount'] = true; + +$wgImportSources[] = "wikitech"; + +require_once( "$IP/extensions/OATHAuth/OATHAuth.php" ); + +require_once( "$IP/extensions/Collection/Collection.php" ); + +require_once( "$IP/skins/strapping/strapping.php" ); +$wgDefaultSkin = "strapping"; +$wgStrappingSkinLogoLocation = 'navbar'; +$wgStrappingSkinLoginLocation = 'navbar'; +$wgStrappingSkinAnonNavbar = true; +$wgStrappingSkinUseStandardLayout = true; +$wgStrappingSkinDisplaySidebarNavigation = true; + +$wgLDAPDebug = 5; +$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log" ; +$wgPasswordAttemptThrottle = false; diff --git a/templates/ldap/base.ldif.erb b/templates/ldap/base.ldif.erb index 46aa8c3..66d9654 100644 --- a/templates/ldap/base.ldif.erb +++ b/templates/ldap/base.ldif.erb @@ -1,8 +1,8 @@ # This is the root of the directory tree -#dn: <%= base_dn %> -#dc: <%= domain %> -#objectClass: top -#objectClass: domain +dn: <%= base_dn %> +dc: <%= domain %> +objectClass: top +objectClass: domain # Subtree for users dn: ou=people,<%= base_dn %> diff --git a/templates/mediawiki/labsconsole.php.erb b/templates/mediawiki/labsconsole.php.erb new file mode 100644 index 0000000..c93cf4c --- /dev/null +++ b/templates/mediawiki/labsconsole.php.erb 
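Review bot: `enableSemantics(<%=wiki_name%>);` interpolates the wiki name without quotes, so with the role's `$wiki_name = "labsconsole-test"` the rendered PHP is `enableSemantics(labsconsole-test);`, which PHP reads as the constant `labsconsole` minus the constant `test` rather than a string; it needs `enableSemantics('<%= wiki_name %>');`. `$ldaproxypswd`, `$ldapwriterpswd` and `$ldapuserpswd` are plain PHP variables that nothing in this file defines and that are not ERB-interpolated, so unless an earlier include sets them the proxy-agent, writer and OpenStackManager bind passwords render as null. This template is byte-identical to templates/mediawiki/labsconsole.php.erb (both carry blob c93cf4c), and neither is rendered by role::labsconsole::labs, which only templates Settings, Local, Debug and Private; one copy should be dropped and the other either wired into the role or removed. It also combines `$wgLDAPEncryptionType = array( 'labs' => 'clear')`, `$wgLDAPPasswordHash = array( 'labs' => 'clear' )`, `$wgLDAPDebug = 5` writing to a fixed path under /tmp, and `$wgPasswordAttemptThrottle = false`, so credentials travel and are logged unprotected and login throttling is off; if that is deliberate for a throwaway local instance, the file should say so in a header comment.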
@@ -0,0 +1,170 @@ +<?php + +$wgShowIPinHeader = false; +$wgDisableCounters = true; + +## Shared memory settings +$wgMainCacheType = CACHE_MEMCACHED; +$wgParserCacheType = CACHE_MEMCACHED; +$wgMessageCacheType = CACHE_MEMCACHED; +$wgSessionsInMemcached = true; +$wgMemCachedServers = array( '127.0.0.1:11000' ); + +require_once( "$IP/extensions/Echo/Echo.php" ); + +require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" ); + +# Direct puppet docs to our doc site +$wgOpenStackManagerPuppetDocBase = "doc.wikimedia.org/puppet"; + + +require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); +$wgAuth = new LdapAuthenticationPlugin(); +$wgLDAPDomainNames = array( 'labs'); +$wgLDAPServerNames = array( 'labs' => 'localhost' ); +$wgLDAPSearchAttributes = array( 'labs' => 'cn'); +$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' ); +$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPEncryptionType = array( 'labs' => 'clear'); +$wgLDAPProxyAgent = array( 'labs' => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' ); +$wgLDAPProxyAgentPassword = array( 'labs' => $ldaproxypswd ); +$wgLDAPWriterDN = array( 'labs' => 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' ); +$wgLDAPWriterPassword = array( 'labs' => $ldapwriterpswd ); +$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' ); +$wgLDAPAddLDAPUsers = array( 'labs' => true ); +$wgLDAPUpdateLDAP = array( 'labs' => true ); +$wgLDAPPasswordHash = array( 'labs' => 'clear' ); +// 'invaliddomain' is set to true so that mail password options +// will be available on user creation and password mailing +$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true ); +$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) ); +$wgLDAPUseFetchedUsername = array( 'labs' => true ); +$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => false ); +$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false ); +// 
Only enable UseLocal if you need to promote an LDAP user +#$wgLDAPUseLocal = true; +$wgMinimalPasswordLength = 1; + + + +require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" ); + +$wgOpenStackManagerNovaKeypairStorage = 'ldap'; +$wgOpenStackManagerNovaIdentityURI = "http://<%=host_address%>:35357/v2.0"; +$wgOpenStackManagerLDAPDomain = 'labs'; +$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPUsername = 'novaadmin'; +$wgOpenStackManagerLDAPUserPassword = $ldapuserpswd; +$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org"; +$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org'; +$wgOpenStackManagerLDAPDefaultGid = '500'; +$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell'; +$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true; +$wgOpenStackManagerDNSOptions = array( + 'enabled' => true, + 'servers' => array( 'primary' => "<%=host_address%>"), + 'soa' => array( 'hostmaster' => 'hostmaster.wikimedia.org', 'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => '7200' ), + ); +$wgOpenStackManagerPuppetOptions = array( + 'enabled' => true, + 'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 'exim::simple-mail-sender', 'sudo::labs_project' ), + 'defaultvariables' => array( 'realm' => 'labs' ), + ); + +$wgOpenStackManagerInstanceUserData = array( + 'cloud-config' => array( + 'apt_update' => 'false', // Puppet will cause this + ), + 'scripts' => array( + 'runpuppet.sh' => '/srv/org/wikimedia/controller/scripts/runpuppet.sh', + ), + 'upstarts' => array( + 'ttyS0.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS0.conf', + 'ttyS1.conf' => '/srv/org/wikimedia/controller/upstarts/ttyS1.conf', + ), + ); + +$wgOpenStackManagerDefaultSecurityGroupRules = array( + # Allow all traffic within the project + array( 'group' => 'default' ), + # Allow 
ping from everywhere + array( 'fromport' => '-1', + 'toport' => '-1', + 'protocol' => 'icmp', + 'range' => '0.0.0.0/0' ), + # Allow ssh from all projects + array( 'fromport' => '22', + 'toport' => '22', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + # Allow nrpe access from all projects (access is limited in config) + array( 'fromport' => '5666', + 'toport' => '5666', + 'protocol' => 'tcp', + 'range' => '10.4.0.0/21' ), + ); + +$wgLogo = "https://<%=host_address%>/w/images/c/cf/Labslogo_thumb.png"; + +include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php"); +enableSemantics(<%=wiki_name%>); + +include_once("$IP/extensions/SemanticForms/SemanticForms.php"); + +#SemanticResultFormats, an extra set of printers for SMW +require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php"); + + +# Only sysops can create new accounts. +$wgGroupPermissions['*']['createaccount'] = true; + +# # Anons can't edit +$wgGroupPermissions['*']['edit'] = false; + +# # Give another group import rights +$wgGroupPermissions['importers']['import'] = true; +$wgGroupPermissions['importers']['importupload'] = true; +$wgGroupPermissions['cloudadmin']['listall'] = true; +$wgGroupPermissions['bureaucrat']['manageproject'] = true; +$wgGroupPermissions['cloudadmin']['managednsdomain'] = true; +$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true; +$wgGroupPermissions['shell']['loginviashell'] = true; +$wgGroupPermissions['contentadmin']['protect'] = true; +$wgGroupPermissions['contentadmin']['editprotected'] = true; +$wgGroupPermissions['contentadmin']['bigdelete'] = true; +$wgGroupPermissions['contentadmin']['delete'] = true; +$wgGroupPermissions['contentadmin']['undelete'] = true; +$wgGroupPermissions['contentadmin']['block'] = true; +$wgGroupPermissions['contentadmin']['blockemail'] = true; +$wgGroupPermissions['contentadmin']['patrol'] = true; +$wgGroupPermissions['contentadmin']['autopatrol'] = true; +$wgGroupPermissions['contentadmin']['import'] 
= true; +$wgGroupPermissions['contentadmin']['importupload'] = true; +$wgGroupPermissions['contentadmin']['upload_by_url'] = true; +$wgGroupPermissions['contentadmin']['movefile'] = true; +$wgGroupPermissions['contentadmin']['suppressredirect'] = true; +$wgGroupPermissions['contentadmin']['rollback'] = true; +$wgGroupPermissions['contentadmin']['browsearchive'] = true; +$wgGroupPermissions['contentadmin']['deletedhistory'] = true; +$wgGroupPermissions['contentadmin']['deletedtext'] = true; +$wgGroupPermissions['contentadmin']['autoconfirmed'] = true; +$wgGroupPermissions['accountcreators']['createaccount'] = true; + +$wgImportSources[] = "wikitech"; + +require_once( "$IP/extensions/OATHAuth/OATHAuth.php" ); + +require_once( "$IP/extensions/Collection/Collection.php" ); + +require_once( "$IP/skins/strapping/strapping.php" ); +$wgDefaultSkin = "strapping"; +$wgStrappingSkinLogoLocation = 'navbar'; +$wgStrappingSkinLoginLocation = 'navbar'; +$wgStrappingSkinAnonNavbar = true; +$wgStrappingSkinUseStandardLayout = true; +$wgStrappingSkinDisplaySidebarNavigation = true; + +$wgLDAPDebug = 5; +$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log" ; +$wgPasswordAttemptThrottle = false; -- To view, visit https://gerrit.wikimedia.org/r/53989 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9319c46b1cc45595d3211cc31fdea8603b1861b8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits