Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/53989


Change subject: First pass at a labsconsole puppet setup
......................................................................

First pass at a labsconsole puppet setup

Change-Id: I9319c46b1cc45595d3211cc31fdea8603b1861b8
---
M manifests/openstack.pp
A manifests/role/labsconsole.pp
M modules/mediawiki_singlenode/manifests/init.pp
A templates/labsconsole/Debug.php.erb
A templates/labsconsole/Local.php.erb
A templates/labsconsole/Private.php.erb
A templates/labsconsole/Settings.php.erb
A templates/labsconsole/labsconsole.php.erb
M templates/ldap/base.ldif.erb
A templates/mediawiki/labsconsole.php.erb
10 files changed, 757 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/89/53989/1

diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index 7d81118..16e2af0 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -438,6 +438,11 @@
                        group => root,
                        content => 
template('apache/sites/wikitech.wikimedia.org.erb'),
                        ensure => present;
+               "/a":
+                       mode => 755,
+                       owner => root,
+                       group => root,
+                       ensure => directory;
                "/a/backup":
                        mode => 755,
                        owner => root,
diff --git a/manifests/role/labsconsole.pp b/manifests/role/labsconsole.pp
new file mode 100644
index 0000000..32bf047
--- /dev/null
+++ b/manifests/role/labsconsole.pp
@@ -0,0 +1,87 @@
+#  Configure a labsconsole test instance:  Openstack, Mediawiki, 
Openstackmanager
+#
+#  Globals you will want to set:
+#      $::mariadb = False
+#      $::openstack_version = "essex"
+#      $::dns_auth_ipaddress = "127.0.0.1"
+#      $::dns_auth_soa_name = "wmflabs.org"
+#      $::ldap_certificate = "star.wmflabs"
+#      $::ldap_first_master = true
+#      $::ldap_server_bind_ips = "127.0.0.1 10.4.0.82"
+
+class role::labsconsole::labs {
+       include passwords::openstack::nova
+
+       $db_host = $realm ? {
+               "production" => "virt0.wikimedia.org",
+               "labs" => "localhost",
+       }
+       $ldap_server_primary = $realm ? {
+               "production" => 'virt0.wikimedia.org',
+               "labs" => 'localhost',
+       }
+       $ldap_server_secondary = $realm ? {
+               "production" => 'virt1000.wikimedia.org',
+               "labs" => 'localhost',
+       }
+
+    $wiki_name = "labsconsole-test"
+
+    file { ["/var/www", "/var/www/srv", "/var/www/srv/org", 
"/var/www/srv/org/wikimedia", "/var/www/srv/org/wikimedia/controller", 
"/var/www/srv/org/wikimedia/controller/wikis", 
"/var/www/srv/org/wikimedia/controller/wikis/config"]:
+        ensure => 'directory',
+    }
+
+       class { "mediawiki_singlenode":
+               ensure => present,
+               wiki_name => $wiki_name,
+               mysql_pass => 
$passwords::openstack::nova::controller_mysql_root_pass,
+        role_requires => [
+        '\'/srv/org/wikimedia/controller/wikis/config/Settings.php\'',
+        '\'/srv/org/wikimedia/controller/wikis/config/Private.php\'',
+        '\'/srv/org/wikimedia/controller/wikis/config/Local.php\'',
+        '\'/srv/org/wikimedia/controller/wikis/config/Debug.php\'',
+        ],
+               require => 
File["/var/www/srv/org/wikimedia/controller/wikis/config"],
+               install_path => "/srv/org/wikimedia/controller/wikis/w";
+       }
+
+       mw-extension { [ "Echo", "CentralAuth", "Collection", "DynamicSidebar",
+                                       "LdapAuthentication", "OATHAuth", 
"OpenStackManager",
+                                       "SemanticForms", "SemanticMediaWiki", 
"SemanticResultFormats",
+                                       "Validator", "WikiEditor", 
"CodeEditor", "Scribunto",
+                                       "Renameuser", "SyntaxHighlight_GeSHi",
+                                       "Cite", "Vector", "Gadgets", 
"CategoryTree", "ParserFunctions",
+                                       "TitleBlacklist", "DataValues"]:
+               ensure => present,
+               install_path => "/srv/org/wikimedia/controller/wikis/w";
+       }
+
+    $host_address = $labs_mediawiki_hostname
+
+
+       file {"/srv/org/wikimedia/controller/wikis/config":
+            ensure => directory;
+       }
+       file {"/srv/org/wikimedia/controller/wikis/config/Settings.php":
+               content => template("labsconsole/Settings.php.erb"),
+               require => file["/srv/org/wikimedia/controller/wikis/config"],
+               ensure => present;
+       }
+       file {"/srv/org/wikimedia/controller/wikis/config/Local.php":
+               content => template("labsconsole/Local.php.erb"),
+               require => file["/srv/org/wikimedia/controller/wikis/config"],
+               ensure => present;
+       }
+       file {"/srv/org/wikimedia/controller/wikis/config/Debug.php":
+               content => template("labsconsole/Debug.php.erb"),
+               require => file["/srv/org/wikimedia/controller/wikis/config"],
+               ensure => present;
+       }
+       file {"/srv/org/wikimedia/controller/wikis/config/Copy-to-Private.php":
+               content => template("labsconsole/Private.php.erb"),
+               require => file["/srv/org/wikimedia/controller/wikis/config"],
+               ensure => present;
+       }
+
+       include role::ldap::server::labs, role::nova::compute, 
role::nova::controller
+}
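Review bot: The four `file` resources under `/srv/org/wikimedia/controller/wikis/config` set no `owner`, `group` or `mode`, so the rendered config, including the credentials file built from `Private.php.erb`, gets whatever the agent's defaults are; I would add `owner => root, group => www-data, mode => 0640` at least on that file (group name assumed, confirm against the web server user). That file is also written as `Copy-to-Private.php`, while `role_requires` and Settings.php.erb both load `Private.php`, so a fresh run leaves a wiki that includes a file Puppet never creates. If the manual copy step is intentional, say so in the header comment next to the list of globals. The `require => file[...]` references are lowercase where the class declaration above uses `File[...]`; please use the capitalised form consistently.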
diff --git a/modules/mediawiki_singlenode/manifests/init.pp 
b/modules/mediawiki_singlenode/manifests/init.pp
index d53a1bd..dcfbd3d 100644
--- a/modules/mediawiki_singlenode/manifests/init.pp
+++ b/modules/mediawiki_singlenode/manifests/init.pp
@@ -17,6 +17,7 @@
                              $role_requires = [],
                              $install_path = "/srv/mediawiki",
                              $role_config_lines = [],
+                             $mysql_pass = '',
                              $memcached_size = 128) {
     if !defined(Class["webserver::php5"]) {
         class {'webserver::php5': ssl => 'true'; }
@@ -58,12 +59,8 @@
                        ensure => present;
        }
 
-       file { "/var/www/srv":
-               ensure => 'directory';
-       }
-
        file { "/var/www/${install_path}":
-               require => [File['/var/www/srv'], git::clone['mediawiki']],
+               require => git::clone['mediawiki'],
                ensure => 'link',
                target => $install_path;
        }
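Review bot: Dropping `File['/var/www/srv']` leaves the link `/var/www/${install_path}` without a managed parent directory, so any caller that relies on the default `$install_path = "/srv/mediawiki"` must now declare `/var/www/srv` itself or the link will fail to apply. The new labsconsole role does declare its directories, but other users of `mediawiki_singlenode` are not visible in this change. Consider keeping the resource behind `if !defined(File['/var/www/srv'])`, the pattern already used for `webserver::php5` in this class, instead of removing it. The class body starts and continues outside the hunk.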
@@ -88,7 +85,7 @@
        exec { 'mediawiki_setup':
                require => [git::clone["mediawiki"],  
File["${install_path}/orig"], exec['password_gen']],
                creates => "${install_path}/orig/LocalSettings.php",
-               command => "/usr/bin/php 
${install_path}/maintenance/install.php $wiki_name admin --dbname 
$database_name --dbuser root --passfile \"${install_path}/orig/adminpass\" 
--server $mwserver --scriptpath \"${install_path}\" --confpath 
\"${install_path}/orig/\"",
+               command => "/usr/bin/php 
${install_path}/maintenance/install.php $wiki_name admin --dbname 
$database_name --dbuser root --passfile \"${install_path}/orig/adminpass\" 
--server $mwserver --installdbuser=\"root\" --installdbpass \"${mysql_pass}\" 
--scriptpath \"${install_path}\" --confpath \"${install_path}/orig/\"",
                logoutput => "on_failure",
        }
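Review bot: The new `--installdbpass \"${mysql_pass}\"` argument puts the MySQL root password on the `install.php` command line, where it is visible in the process list while the installer runs and may end up in the Puppet report, since this exec sets `logoutput => "on_failure"`. The value is also interpolated inside double quotes, so if the command is ever run through a shell, a password containing `"`, `$` or a backtick would break or alter it. Prefer handing the secret over in a root-only file, as `--passfile` already does for the admin password, if the installer version in use offers an equivalent for the database password. With the default `$mysql_pass = ''` added in the first hunk of this file, existing callers now pass an explicit empty `--installdbpass`, which is worth confirming as harmless.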
 
diff --git a/templates/labsconsole/Debug.php.erb 
b/templates/labsconsole/Debug.php.erb
new file mode 100644
index 0000000..80f26f0
--- /dev/null
+++ b/templates/labsconsole/Debug.php.erb
@@ -0,0 +1,7 @@
+<?php
+
+#$wgPasswordReminderResendTime = 0;
+#$wgPasswordAttemptThrottle = false;
+$wgShowExceptionDetails = true;
+#$wgLDAPDebug = 5;
+#$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log";
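Review bot: `$wgShowExceptionDetails = true;` is rendered unconditionally, yet `role::labsconsole::labs` carries selectors for the `production` realm as well, so a production host built from this role would show exception details to any visitor. Wrap the line in an ERB conditional on the realm, for example `<% if realm == "labs" %>` … `<% end %>`, or leave it commented out like the other debug switches in this file and document how to enable it.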
diff --git a/templates/labsconsole/Local.php.erb 
b/templates/labsconsole/Local.php.erb
new file mode 100644
index 0000000..4aa0bbc
--- /dev/null
+++ b/templates/labsconsole/Local.php.erb
@@ -0,0 +1,134 @@
+<?php
+$wgDBserver         = "<%= db_host %>";
+$wgDBname           = "labswiki";
+
+$wgSitename         = "Labs";
+$wgPasswordSenderName = "Wikimedia Labs Mail";
+
+$wgCookieDomain = "labsconsole.wikimedia.org";
+
+$wgLogo             = 
"https://labsconsole.wikimedia.org/w/images/c/cf/Labslogo_thumb.png";;
+
+# Only sysops can create new accounts.
+$wgGroupPermissions['*']['createaccount'] = true;
+
+$wgGroupPermissions['cloudadmin']['listall'] = true;
+$wgGroupPermissions['bureaucrat']['manageproject'] = true;
+$wgGroupPermissions['cloudadmin']['managednsdomain'] = true;
+$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true;
+$wgGroupPermissions['shell']['loginviashell'] = true;
+
+$wgImportSources[] = "wikitech";
+
+enableSemantics('labsconsole');
+
+require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
+$wgAuth = new LdapAuthenticationPlugin();
+$wgLDAPDomainNames = array( 'labs');
+$wgLDAPServerNames = array( 'labs' => "<%= ldap_server_primary %> <%= 
ldap_server_secondary %>" );
+$wgLDAPSearchAttributes = array( 'labs' => 'cn');
+$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' );
+$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPEncryptionType = array( 'labs' => 'tls');
+$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPAddLDAPUsers = array( 'labs' => true );
+$wgLDAPUpdateLDAP = array( 'labs' => true );
+$wgLDAPPasswordHash = array( 'labs' => 'clear' );
+// 'invaliddomain' is set to true so that mail password options
+// will be available on user creation and password mailing
+$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true );
+$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) );
+$wgLDAPUseFetchedUsername = array( 'labs' => true );
+$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => 
false );
+$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false );
+// Only enable UseLocal if you need to promote an LDAP user
+#$wgLDAPUseLocal = true;
+$wgMinimalPasswordLength = 1;
+
+require_once( "$IP/extensions/OATHAuth/OATHAuth.php" );
+
+require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" );
+$wgOpenStackManagerNovaKeypairStorage = 'ldap';
+$wgOpenStackManagerNovaIdentityURI = "http://<%= db_host %>:35357/v2.0";
+$wgOpenStackManagerLDAPDomain = 'labs';
+$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org";
+$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPDefaultGid = '500';
+$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell';
+$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true;
+$wgOpenStackManagerDNSOptions = array(
+        'enabled' => true,
+               'servers' => array( 'primary' => "<%= ldap_server_primary %>", 
'secondary' => "<%= ldap_server_secondary %>" ),
+        'soa'     => array( 'hostmaster' => 'hostmaster.wikimedia.org', 
'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => 
'7200' ),
+        );
+$wgOpenStackManagerPuppetOptions = array(
+        'enabled' => true,
+        'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 
'exim::simple-mail-sender', 'sudo::labs_project' ),
+        'defaultvariables' => array( 'realm' => 'labs' ),
+        );
+$wgOpenStackManagerInstanceUserData = array(
+        'cloud-config' => array(
+                #'puppet' => array( 'conf' => array( 'puppetd' => array( 
'server' => 'labsconsole.wikimedia.org', 'certname' => '%i' ) ) ),
+                #'apt_upgrade' => 'true',
+                'apt_update' => 'false', // Puppet will cause this
+                #'apt_mirror' => 'http://ubuntu.wikimedia.org/ubuntu/',
+                ),
+        'scripts' => array(
+                'runpuppet.sh' => 
'/srv/org/wikimedia/controller/scripts/runpuppet.sh',
+                ),
+        'upstarts' => array(
+                'ttyS0.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS0.conf',
+                'ttyS1.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS1.conf',
+                ),
+        );
+$wgOpenStackManagerDefaultSecurityGroupRules = array(
+        # Allow all traffic within the project
+        array( 'group' => 'default' ),
+        # Allow ping from everywhere
+        array( 'fromport' => '-1',
+               'toport' => '-1',
+               'protocol' => 'icmp',
+               'range' => '0.0.0.0/0' ),
+        # Allow ssh from all projects
+        array( 'fromport' => '22',
+               'toport' => '22',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        # Allow nrpe access from all projects (access is limited in config)
+        array( 'fromport' => '5666',
+               'toport' => '5666',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        );
+$wgOpenStackManagerInstanceDefaultImage = 
"a84558b0-ffaa-4dcd-a020-281b45a87af5";
+$wgOpenStackManagerInstanceBannedImages = array(
+        "b1bec070-81de-4ad5-9c1d-a5b0f7d28819", //lucid loader
+        "c80a63f0-62b0-4f3c-a495-01e2d8a46ade", //lucid kernel
+        "167350c0-0410-4336-9a94-9c8da55f26a3", //natty
+        "a3ee8fe3-b9f6-4a96-bad2-8bac64affde0", //oneiric
+        "e6c0d0ea-a1a3-40a7-8039-641f96b14023", //oneric
+        );
+$wgOpenStackManagerInstanceBannedInstanceTypes = array(
+        "m1.tiny",
+        "s1.tiny",
+        "s1.small",
+        "s1.medium",
+        "s1.large",
+        "s1.xlarge",
+        );
+$wgOpenStackManagerInstanceDefaultImage = 
"a84558b0-ffaa-4dcd-a020-281b45a87af5";
+
+# Enable doc links on the 'configure instance' page
+$wgOpenStackManagerPuppetDocBase = 
'http://doc.wikimedia.org/puppet/classes/__site__/';
+
+$smwgNamespacesWithSemanticLinks[NS_NOVA_RESOURCE] = true;
+$wgNamespacesWithSubpages[NS_NOVA_RESOURCE] = true;
+$wgNamespacesToBeSearchedDefault[NS_NOVA_RESOURCE] = true;
+$wgNamespacesToBeSearchedDefault[NS_HELP] = true;
+
+#require_once("$IP/extensions/OpenID/OpenID.php");
+$wgOpenIDClientOnly = false;
+$wgHideOpenIDLoginLink = true;
+$wgOpenIDConsumerAllow = '';
+$wgOpenIDConsumerDenyByDefault = true;
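Review bot: The comment `# Only sysops can create new accounts.` sits directly above `$wgGroupPermissions['*']['createaccount'] = true;`, which lets anonymous visitors create accounts; either the comment or the value is wrong, and since new accounts are written to LDAP (`$wgLDAPAddLDAPUsers`) the intended behaviour should be made explicit. `$wgMinimalPasswordLength = 1` and `$wgLDAPPasswordHash = array( 'labs' => 'clear' )` (which I read as leaving any hashing to the directory server) make for a very weak password policy and deserve a comment marking them as test-instance settings. `$wgOpenStackManagerNovaIdentityURI` uses plain `http://` to port 35357 on `db_host`, which under the `production` selector is a remote host, so identity traffic would cross the network unencrypted. `$wgOpenStackManagerInstanceDefaultImage` is assigned twice with the same value, and `$wgCookieDomain` is hard-coded to `labsconsole.wikimedia.org` although the role describes a test instance.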
diff --git a/templates/labsconsole/Private.php.erb 
b/templates/labsconsole/Private.php.erb
new file mode 100644
index 0000000..3dcce48
--- /dev/null
+++ b/templates/labsconsole/Private.php.erb
@@ -0,0 +1,17 @@
+<?php
+
+# These values are most likely already set in orig/LocalSettings.php
+#$wgDBuser           = "wikiuser";
+#$wgDBpassword       = "REDACTED";
+#$wgSecretKey = "REDACTED";
+#$wgUpgradeKey = "REDACTED";
+
+
+$wgCaptchaSecret = "REDACTED";
+$wgLDAPProxyAgent =  array( 'labs' => 
'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' );
+$wgLDAPProxyAgentPassword =  array( 'labs' => 'REDACTED' );
+$wgLDAPWriterDN = array( 'labs' => 
'uid=novaadmin,ou=people,dc=wikimedia,dc=org' );
+$wgLDAPWriterPassword = array( 'labs' => 'REDACTED' );
+$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPUsername = 'novaadmin';
+$wgOpenStackManagerLDAPUserPassword = 'REDACTED';
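Review bot: This template has no header comment saying that the `REDACTED` strings are placeholders and that the manifest installs it as `Copy-to-Private.php` rather than `Private.php`. I would add something like `# Placeholder values: copy to Private.php, fill in the real secrets, keep the copy out of version control and readable only by root and the web server.` at the top. Without it the rendered file looks like a usable config, and a host where it is copied unchanged would run with the literal string `REDACTED` as the LDAP writer and proxy-agent password.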
diff --git a/templates/labsconsole/Settings.php.erb 
b/templates/labsconsole/Settings.php.erb
new file mode 100644
index 0000000..95195e3
--- /dev/null
+++ b/templates/labsconsole/Settings.php.erb
@@ -0,0 +1,160 @@
+<?php
+
+$wgScriptPath       = "/w";
+$wgScriptExtension  = ".php";
+$wgArticlePath = '/wiki/$1';
+
+$wgStylePath        = "$wgScriptPath/skins";
+
+$wgEnableEmail      = true;
+$wgEnableUserEmail  = true;
+
+$wgEmergencyContact = "n...@wikimedia.org";
+$wgPasswordSender   = "n...@wikimedia.org";
+
+$wgEnotifUserTalk      = true;
+$wgEnotifWatchlist     = true;
+$wgEmailAuthentication = true;
+
+$wgEnableUploads  = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+$wgUseInstantCommons  = true;
+
+$wgShellLocale = "en_US.utf8";
+
+$wgUseTeX           = false;
+
+$wgLanguageCode = "en";
+
+$wgDefaultSkin = "vector";
+
+$wgEnableCreativeCommonsRdf = true;
+$wgRightsPage = "";
+$wgRightsUrl  = "http://creativecommons.org/licenses/by-sa/3.0/";;
+$wgRightsText = "Creative Commons Attribution Share Alike";
+$wgRightsIcon = "{$wgStylePath}/common/images/cc-by-sa.png";
+
+$wgDiff3 = "/usr/bin/diff3";
+
+$wgDBtype           = "mysql";
+$wgDBprefix         = "";
+$wgDBTableOptions   = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
+$wgDBmysql5 = false;
+
+$wgJobRunRate = 0;
+
+$wgCacheDirectory = "$IP/cache";
+
+$wgMainCacheType    = CACHE_MEMCACHED;
+$wgParserCacheType = CACHE_MEMCACHED;
+$wgMessageCacheType = CACHE_MEMCACHED; 
+$wgSessionsInMemcached = true;
+$wgMemCachedServers = array( '127.0.0.1:11000' );
+
+$wgInterwikiCache = "$wgCacheDirectory/interwiki.cdb";
+
+$wgCacheEpoch = "20120611221408";
+
+$wgCookieSecure = true;
+# 7 days max login token. Keystone is set to 7.1 days. If either changes
+# then both need to be adjusted
+$wgCookieExpiration = 604800;
+
+$wgShowIPinHeader = false;
+$wgDisableCounters = true;
+
+$wgAllowUserCss = true;
+$wgAllowUserJs = true;
+
+# Anons can't edit
+$wgGroupPermissions['*']['edit'] = false;
+
+# Give another group import rights
+$wgGroupPermissions['importers']['import'] = true;
+$wgGroupPermissions['importers']['importupload'] = true;
+
+#$wgGroupPermissions['accountcreators']['createaccount'] = true;
+
+$wgGroupPermissions['contentadmin']['protect'] = true;
+$wgGroupPermissions['contentadmin']['editprotected'] = true;
+$wgGroupPermissions['contentadmin']['bigdelete'] = true;
+$wgGroupPermissions['contentadmin']['delete'] = true;
+$wgGroupPermissions['contentadmin']['undelete'] = true;
+$wgGroupPermissions['contentadmin']['block'] = true;
+$wgGroupPermissions['contentadmin']['blockemail'] = true;
+$wgGroupPermissions['contentadmin']['patrol'] = true;
+$wgGroupPermissions['contentadmin']['autopatrol'] = true;
+$wgGroupPermissions['contentadmin']['import'] = true;
+$wgGroupPermissions['contentadmin']['importupload'] = true;
+$wgGroupPermissions['contentadmin']['upload_by_url'] = true;
+$wgGroupPermissions['contentadmin']['movefile'] = true;
+$wgGroupPermissions['contentadmin']['suppressredirect'] = true;
+$wgGroupPermissions['contentadmin']['rollback'] = true;
+$wgGroupPermissions['contentadmin']['browsearchive'] = true;
+$wgGroupPermissions['contentadmin']['deletedhistory'] = true;
+$wgGroupPermissions['contentadmin']['deletedtext'] = true;
+$wgGroupPermissions['contentadmin']['autoconfirmed'] = true;
+
+require_once( "$IP/extensions/WikiEditor/WikiEditor.php" );
+
+require_once( "$IP/extensions/Echo/Echo.php" );
+
+require_once( "$IP/extensions/CodeEditor/CodeEditor.php" );
+
+require_once( "$IP/extensions/Scribunto/Scribunto.php" );
+$wgScribuntoDefaultEngine = 'luastandalone';
+$wgScribuntoUseGeSHi = true;
+$wgScribuntoUseCodeEditor = true;
+
+require_once( "$IP/extensions/ConfirmEdit/ConfirmEdit.php" );
+#require_once( "$IP/extensions/ConfirmEdit/FancyCaptcha.php" );
+#$wgCaptchaClass = 'FancyCaptcha';
+#$wgCaptchaDirectory = '/srv/org/wikimedia/controller/wikis/captcha';
+#$wgCaptchaDirectoryLevels = 0;
+#$wgCaptchaWhitelist = 
'#^(https?:)?//([.a-z0-9-]+\\.)?((wikidata|wikimedia|wikipedia|wiktionary|wikiquote|wikibooks|wikisource|wikispecies|mediawiki|wikimediafoundation|wikinews|wikiversity|wikivoyage)\.org|dnsstuff\.com|completewhois\.com|wikimedia\.de|toolserver\.org)(/|$)#i';
+$wgGroupPermissions['accountcreators']['skipcaptcha'] = true;
+$wgGroupPermissions['bots']['skipcaptcha'] = true;
+
+require_once( "$IP/extensions/Renameuser/Renameuser.php" );
+
+require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" );
+
+require_once( "$IP/extensions/SyntaxHighlight_GeSHi/SyntaxHighlight_GeSHi.php" 
);
+
+require_once( "$IP/extensions/Cite/Cite.php" );
+
+require_once( "$IP/extensions/Vector/Vector.php" );
+$wgDefaultUserOptions['vector-collapsiblenav'] = 1;
+$wgVectorUseSimpleSearch = true;
+
+require_once( "$IP/extensions/WikiEditor/WikiEditor.php" );
+$wgDefaultUserOptions['usebetatoolbar'] = 1;
+$wgDefaultUserOptions['usebetatoolbar-cgd'] = 1;
+
+require_once( "$IP/extensions/Gadgets/Gadgets.php" );
+
+require_once( "$IP/extensions/CategoryTree/CategoryTree.php" );
+
+require_once( "$IP/extensions/ParserFunctions/ParserFunctions.php");
+
+require_once( "$IP/extensions/TitleBlacklist/TitleBlacklist.php" );
+$wgTitleBlacklistSources = array(
+       array(
+               'type' => TBLSRC_LOCALPAGE,
+               'src'  => 'MediaWiki:Titleblacklist',
+       ),
+);
+
+include_once("$IP/extensions/Validator/Validator.php");
+include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php");
+
+include_once("$IP/extensions/SemanticForms/SemanticForms.php");
+
+# SemanticResultFormats, an extra set of printers for SMW
+require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php");
+
+require_once( "Local.php" );
+require_once( "Private.php" );
+require_once( "Debug.php" );
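Review bot: `require_once( "$IP/extensions/ConfirmEdit/ConfirmEdit.php" );` loads an extension that is not in the `mw-extension` list in `manifests/role/labsconsole.pp`, so unless it arrives with the core checkout the wiki will stop with a fatal error on the first request. The closing `require_once( "Local.php" )`, `"Private.php"` and `"Debug.php"` use bare relative names, which are resolved through the include path and the current directory; `require_once( dirname( __FILE__ ) . "/Private.php" );` pins them to the config directory so that a same-named file elsewhere cannot be loaded instead. WikiEditor is required twice, which is harmless, but the two blocks could be merged.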
diff --git a/templates/labsconsole/labsconsole.php.erb 
b/templates/labsconsole/labsconsole.php.erb
new file mode 100644
index 0000000..c93cf4c
--- /dev/null
+++ b/templates/labsconsole/labsconsole.php.erb
@@ -0,0 +1,170 @@
+<?php
+
+$wgShowIPinHeader = false;
+$wgDisableCounters = true;
+
+## Shared memory settings
+$wgMainCacheType = CACHE_MEMCACHED;
+$wgParserCacheType = CACHE_MEMCACHED;
+$wgMessageCacheType = CACHE_MEMCACHED;
+$wgSessionsInMemcached = true;
+$wgMemCachedServers = array( '127.0.0.1:11000' );
+
+require_once( "$IP/extensions/Echo/Echo.php" );
+
+require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" );
+
+# Direct puppet docs to our doc site
+$wgOpenStackManagerPuppetDocBase = "doc.wikimedia.org/puppet";
+
+
+require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
+$wgAuth = new LdapAuthenticationPlugin();
+$wgLDAPDomainNames = array( 'labs');
+$wgLDAPServerNames = array( 'labs' => 'localhost' );
+$wgLDAPSearchAttributes = array( 'labs' => 'cn');
+$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' );
+$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPEncryptionType = array( 'labs' => 'clear');
+$wgLDAPProxyAgent =  array( 'labs' => 
'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' );
+$wgLDAPProxyAgentPassword =  array( 'labs' => $ldaproxypswd );
+$wgLDAPWriterDN = array( 'labs' => 
'uid=novaadmin,ou=people,dc=wikimedia,dc=org' );
+$wgLDAPWriterPassword = array( 'labs' => $ldapwriterpswd );
+$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPAddLDAPUsers = array( 'labs' => true );
+$wgLDAPUpdateLDAP = array( 'labs' => true );
+$wgLDAPPasswordHash = array( 'labs' => 'clear' );
+// 'invaliddomain' is set to true so that mail password options
+// will be available on user creation and password mailing
+$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true );
+$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) );
+$wgLDAPUseFetchedUsername = array( 'labs' => true );
+$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => 
false );
+$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false );
+// Only enable UseLocal if you need to promote an LDAP user
+#$wgLDAPUseLocal = true;
+$wgMinimalPasswordLength = 1;
+
+
+
+require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" );
+
+$wgOpenStackManagerNovaKeypairStorage = 'ldap';
+$wgOpenStackManagerNovaIdentityURI = "http://<%=host_address%>:35357/v2.0";
+$wgOpenStackManagerLDAPDomain = 'labs';
+$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPUsername = 'novaadmin';
+$wgOpenStackManagerLDAPUserPassword = $ldapuserpswd;
+$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org";
+$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPDefaultGid = '500';
+$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell';
+$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true;
+$wgOpenStackManagerDNSOptions = array(
+        'enabled' => true,
+               'servers' => array( 'primary' => "<%=host_address%>"),
+        'soa'     => array( 'hostmaster' => 'hostmaster.wikimedia.org', 
'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => 
'7200' ),
+        );
+$wgOpenStackManagerPuppetOptions = array(
+        'enabled' => true,
+        'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 
'exim::simple-mail-sender', 'sudo::labs_project' ),
+        'defaultvariables' => array( 'realm' => 'labs' ),
+        );
+
+$wgOpenStackManagerInstanceUserData = array(
+        'cloud-config' => array(
+                'apt_update' => 'false', // Puppet will cause this
+                ),
+       'scripts' => array(
+                'runpuppet.sh' => 
'/srv/org/wikimedia/controller/scripts/runpuppet.sh',
+                ),
+        'upstarts' => array(
+                'ttyS0.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS0.conf',
+                'ttyS1.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS1.conf',
+                ),
+        );
+
+$wgOpenStackManagerDefaultSecurityGroupRules = array(
+        # Allow all traffic within the project
+        array( 'group' => 'default' ),
+        # Allow ping from everywhere
+        array( 'fromport' => '-1',
+               'toport' => '-1',
+               'protocol' => 'icmp',
+               'range' => '0.0.0.0/0' ),
+        # Allow ssh from all projects
+        array( 'fromport' => '22',
+               'toport' => '22',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        # Allow nrpe access from all projects (access is limited in config)
+        array( 'fromport' => '5666',
+               'toport' => '5666',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        );
+
+$wgLogo = "https://<%=host_address%>/w/images/c/cf/Labslogo_thumb.png";
+
+include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php");
+enableSemantics(<%=wiki_name%>);
+
+include_once("$IP/extensions/SemanticForms/SemanticForms.php");
+
+#SemanticResultFormats, an extra set of printers for SMW
+require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php");
+
+
+# Only sysops can create new accounts.
+$wgGroupPermissions['*']['createaccount'] = true;
+
+# # Anons can't edit
+$wgGroupPermissions['*']['edit'] = false;
+
+# # Give another group import rights
+$wgGroupPermissions['importers']['import'] = true;
+$wgGroupPermissions['importers']['importupload'] = true;
+$wgGroupPermissions['cloudadmin']['listall'] = true;
+$wgGroupPermissions['bureaucrat']['manageproject'] = true;
+$wgGroupPermissions['cloudadmin']['managednsdomain'] = true;
+$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true;
+$wgGroupPermissions['shell']['loginviashell'] = true;
+$wgGroupPermissions['contentadmin']['protect'] = true;
+$wgGroupPermissions['contentadmin']['editprotected'] = true;
+$wgGroupPermissions['contentadmin']['bigdelete'] = true;
+$wgGroupPermissions['contentadmin']['delete'] = true;
+$wgGroupPermissions['contentadmin']['undelete'] = true;
+$wgGroupPermissions['contentadmin']['block'] = true;
+$wgGroupPermissions['contentadmin']['blockemail'] = true;
+$wgGroupPermissions['contentadmin']['patrol'] = true;
+$wgGroupPermissions['contentadmin']['autopatrol'] = true;
+$wgGroupPermissions['contentadmin']['import'] = true;
+$wgGroupPermissions['contentadmin']['importupload'] = true;
+$wgGroupPermissions['contentadmin']['upload_by_url'] = true;
+$wgGroupPermissions['contentadmin']['movefile'] = true;
+$wgGroupPermissions['contentadmin']['suppressredirect'] = true;
+$wgGroupPermissions['contentadmin']['rollback'] = true;
+$wgGroupPermissions['contentadmin']['browsearchive'] = true;
+$wgGroupPermissions['contentadmin']['deletedhistory'] = true;
+$wgGroupPermissions['contentadmin']['deletedtext'] = true;
+$wgGroupPermissions['contentadmin']['autoconfirmed'] = true;
+$wgGroupPermissions['accountcreators']['createaccount'] = true;
+
+$wgImportSources[] = "wikitech";
+
+require_once( "$IP/extensions/OATHAuth/OATHAuth.php" );
+
+require_once( "$IP/extensions/Collection/Collection.php" );
+
+require_once( "$IP/skins/strapping/strapping.php" );
+$wgDefaultSkin = "strapping";
+$wgStrappingSkinLogoLocation = 'navbar';
+$wgStrappingSkinLoginLocation = 'navbar';
+$wgStrappingSkinAnonNavbar = true;
+$wgStrappingSkinUseStandardLayout = true;
+$wgStrappingSkinDisplaySidebarNavigation = true;
+
+$wgLDAPDebug = 5;
+$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log" ;
+$wgPasswordAttemptThrottle = false;
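Review bot: The last three lines leave `$wgLDAPDebug = 5`, an LDAP debug log at the fixed path `/tmp/ldap-s-1-debug.log` and `$wgPasswordAttemptThrottle = false` active in the rendered file; a predictable log file in a world-writable directory can be pre-created or read by other local users, and with the throttle off and `$wgMinimalPasswordLength = 1` nothing limits login guessing. These belong in Debug.php.erb, commented out as they are there. Separately, `$ldaproxypswd`, `$ldapwriterpswd` and `$ldapuserpswd` are PHP variables that nothing in this template defines, and `enableSemantics(<%=wiki_name%>);` renders the wiki name unquoted, so with `$wiki_name = "labsconsole-test"` the argument is not a string; it should read `enableSemantics('<%=wiki_name%>');`. templates/mediawiki/labsconsole.php.erb is added with the same blob id (c93cf4c), so the same points apply there, and neither copy appears to be referenced by the manifest in this change.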
diff --git a/templates/ldap/base.ldif.erb b/templates/ldap/base.ldif.erb
index 46aa8c3..66d9654 100644
--- a/templates/ldap/base.ldif.erb
+++ b/templates/ldap/base.ldif.erb
@@ -1,8 +1,8 @@
 # This is the root of the directory tree
-#dn: <%= base_dn %>
-#dc: <%= domain %>
-#objectClass: top
-#objectClass: domain
+dn: <%= base_dn %>
+dc: <%= domain %>
+objectClass: top
+objectClass: domain
 
 # Subtree for users
 dn: ou=people,<%= base_dn %>
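Review bot: Un-commenting the root entry changes the LDIF for every host that renders `ldap/base.ldif.erb`, not just the labsconsole test role, and the commit message does not say why the entry was commented out before. How the file is loaded is not visible in this hunk; if it is applied with an add operation against a directory whose base entry already exists, that first entry would be rejected. Please confirm the existing LDAP servers are unaffected, or make the entry conditional, for example on `ldap_first_master`, which the role header lists as a global.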
diff --git a/templates/mediawiki/labsconsole.php.erb 
b/templates/mediawiki/labsconsole.php.erb
new file mode 100644
index 0000000..c93cf4c
--- /dev/null
+++ b/templates/mediawiki/labsconsole.php.erb
@@ -0,0 +1,170 @@
+<?php
+
+$wgShowIPinHeader = false;
+$wgDisableCounters = true;
+
+## Shared memory settings
+$wgMainCacheType = CACHE_MEMCACHED;
+$wgParserCacheType = CACHE_MEMCACHED;
+$wgMessageCacheType = CACHE_MEMCACHED;
+$wgSessionsInMemcached = true;
+$wgMemCachedServers = array( '127.0.0.1:11000' );
+
+require_once( "$IP/extensions/Echo/Echo.php" );
+
+require_once( "$IP/extensions/DynamicSidebar/DynamicSidebar.php" );
+
+# Direct puppet docs to our doc site
+$wgOpenStackManagerPuppetDocBase = "doc.wikimedia.org/puppet";
+
+
+require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
+$wgAuth = new LdapAuthenticationPlugin();
+$wgLDAPDomainNames = array( 'labs');
+$wgLDAPServerNames = array( 'labs' => 'localhost' );
+$wgLDAPSearchAttributes = array( 'labs' => 'cn');
+$wgLDAPBaseDNs = array( 'labs' => 'dc=wikimedia,dc=org' );
+$wgLDAPUserBaseDNs = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPEncryptionType = array( 'labs' => 'clear');
+$wgLDAPProxyAgent =  array( 'labs' => 
'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' );
+$wgLDAPProxyAgentPassword =  array( 'labs' => $ldaproxypswd );
+$wgLDAPWriterDN = array( 'labs' => 
'uid=novaadmin,ou=people,dc=wikimedia,dc=org' );
+$wgLDAPWriterPassword = array( 'labs' => $ldapwriterpswd );
+$wgLDAPWriteLocation = array( 'labs' => 'ou=people,dc=wikimedia,dc=org' );
+$wgLDAPAddLDAPUsers = array( 'labs' => true );
+$wgLDAPUpdateLDAP = array( 'labs' => true );
+$wgLDAPPasswordHash = array( 'labs' => 'clear' );
+// 'invaliddomain' is set to true so that mail password options
+// will be available on user creation and password mailing
+$wgLDAPMailPassword = array( 'labs' => true, 'invaliddomain' => true );
+$wgLDAPPreferences = array( 'labs' => array( "email"=>"mail" ) );
+$wgLDAPUseFetchedUsername = array( 'labs' => true );
+$wgLDAPLowerCaseUsernameScheme = array( 'labs' => false, 'invaliddomain' => 
false );
+$wgLDAPLowerCaseUsername = array( 'labs' => false, 'invaliddomain' => false );
+// Only enable UseLocal if you need to promote an LDAP user
+#$wgLDAPUseLocal = true;
+$wgMinimalPasswordLength = 1;
+
+
+
+require_once( "$IP/extensions/OpenStackManager/OpenStackManager.php" );
+
+$wgOpenStackManagerNovaKeypairStorage = 'ldap';
+$wgOpenStackManagerNovaIdentityURI = "http://<%=host_address%>:35357/v2.0";
+$wgOpenStackManagerLDAPDomain = 'labs';
+$wgOpenStackManagerLDAPUser = 'uid=novaadmin,ou=people,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPUsername = 'novaadmin';
+$wgOpenStackManagerLDAPUserPassword = $ldapuserpswd;
+$wgOpenStackManagerLDAPProjectBaseDN = 'ou=projects,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPProjectGroupBaseDN = "ou=groups,dc=wikimedia,dc=org";
+$wgOpenStackManagerLDAPInstanceBaseDN = 'ou=hosts,dc=wikimedia,dc=org';
+$wgOpenStackManagerLDAPDefaultGid = '500';
+$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell';
+$wgOpenStackManagerLDAPUseUidAsNamingAttribute = true;
+$wgOpenStackManagerDNSOptions = array(
+        'enabled' => true,
+               'servers' => array( 'primary' => "<%=host_address%>"),
+        'soa'     => array( 'hostmaster' => 'hostmaster.wikimedia.org', 
'refresh' => '1800', 'retry' => '3600', 'expiry' => '86400', 'minimum' => 
'7200' ),
+        );
+$wgOpenStackManagerPuppetOptions = array(
+        'enabled' => true,
+        'defaultclasses' => array( 'base', 'ldap::client::wmf-test-cluster', 
'exim::simple-mail-sender', 'sudo::labs_project' ),
+        'defaultvariables' => array( 'realm' => 'labs' ),
+        );
+
+$wgOpenStackManagerInstanceUserData = array(
+        'cloud-config' => array(
+                'apt_update' => 'false', // Puppet will cause this
+                ),
+       'scripts' => array(
+                'runpuppet.sh' => 
'/srv/org/wikimedia/controller/scripts/runpuppet.sh',
+                ),
+        'upstarts' => array(
+                'ttyS0.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS0.conf',
+                'ttyS1.conf' => 
'/srv/org/wikimedia/controller/upstarts/ttyS1.conf',
+                ),
+        );
+
+$wgOpenStackManagerDefaultSecurityGroupRules = array(
+        # Allow all traffic within the project
+        array( 'group' => 'default' ),
+        # Allow ping from everywhere
+        array( 'fromport' => '-1',
+               'toport' => '-1',
+               'protocol' => 'icmp',
+               'range' => '0.0.0.0/0' ),
+        # Allow ssh from all projects
+        array( 'fromport' => '22',
+               'toport' => '22',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        # Allow nrpe access from all projects (access is limited in config)
+        array( 'fromport' => '5666',
+               'toport' => '5666',
+               'protocol' => 'tcp',
+               'range' => '10.4.0.0/21' ),
+        );
+
+$wgLogo = "https://<%=host_address%>/w/images/c/cf/Labslogo_thumb.png";
+
+include_once("$IP/extensions/SemanticMediaWiki/SemanticMediaWiki.php");
+enableSemantics(<%=wiki_name%>);
+
+include_once("$IP/extensions/SemanticForms/SemanticForms.php");
+
+#SemanticResultFormats, an extra set of printers for SMW
+require_once("$IP/extensions/SemanticResultFormats/SemanticResultFormats.php");
+
+
+# Only sysops can create new accounts.
+$wgGroupPermissions['*']['createaccount'] = true;
+
+# # Anons can't edit
+$wgGroupPermissions['*']['edit'] = false;
+
+# # Give another group import rights
+$wgGroupPermissions['importers']['import'] = true;
+$wgGroupPermissions['importers']['importupload'] = true;
+$wgGroupPermissions['cloudadmin']['listall'] = true;
+$wgGroupPermissions['bureaucrat']['manageproject'] = true;
+$wgGroupPermissions['cloudadmin']['managednsdomain'] = true;
+$wgGroupPermissions['cloudadmin']['manageglobalpuppet'] = true;
+$wgGroupPermissions['shell']['loginviashell'] = true;
+$wgGroupPermissions['contentadmin']['protect'] = true;
+$wgGroupPermissions['contentadmin']['editprotected'] = true;
+$wgGroupPermissions['contentadmin']['bigdelete'] = true;
+$wgGroupPermissions['contentadmin']['delete'] = true;
+$wgGroupPermissions['contentadmin']['undelete'] = true;
+$wgGroupPermissions['contentadmin']['block'] = true;
+$wgGroupPermissions['contentadmin']['blockemail'] = true;
+$wgGroupPermissions['contentadmin']['patrol'] = true;
+$wgGroupPermissions['contentadmin']['autopatrol'] = true;
+$wgGroupPermissions['contentadmin']['import'] = true;
+$wgGroupPermissions['contentadmin']['importupload'] = true;
+$wgGroupPermissions['contentadmin']['upload_by_url'] = true;
+$wgGroupPermissions['contentadmin']['movefile'] = true;
+$wgGroupPermissions['contentadmin']['suppressredirect'] = true;
+$wgGroupPermissions['contentadmin']['rollback'] = true;
+$wgGroupPermissions['contentadmin']['browsearchive'] = true;
+$wgGroupPermissions['contentadmin']['deletedhistory'] = true;
+$wgGroupPermissions['contentadmin']['deletedtext'] = true;
+$wgGroupPermissions['contentadmin']['autoconfirmed'] = true;
+$wgGroupPermissions['accountcreators']['createaccount'] = true;
+
+$wgImportSources[] = "wikitech";
+
+require_once( "$IP/extensions/OATHAuth/OATHAuth.php" );
+
+require_once( "$IP/extensions/Collection/Collection.php" );
+
+require_once( "$IP/skins/strapping/strapping.php" );
+$wgDefaultSkin = "strapping";
+$wgStrappingSkinLogoLocation = 'navbar';
+$wgStrappingSkinLoginLocation = 'navbar';
+$wgStrappingSkinAnonNavbar = true;
+$wgStrappingSkinUseStandardLayout = true;
+$wgStrappingSkinDisplaySidebarNavigation = true;
+
+$wgLDAPDebug = 5;
+$wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log" ;
+$wgPasswordAttemptThrottle = false;
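Review bot: The login protections in this new template are all relaxed at once: `$wgPasswordAttemptThrottle = false;` together with `$wgMinimalPasswordLength = 1;` permits unlimited guesses against one-character passwords, and `$wgLDAPPasswordHash = array( 'labs' => 'clear' );` has passwords written to the directory unhashed. `$wgLDAPDebug = 5;` logs to the fixed path `/tmp/ldap-s-1-debug.log`; a level that high presumably includes sensitive bind details, and a predictable file name in a world-writable directory can be read or pre-created by other local users, so I would lower it to `$wgLDAPDebug = 0;` or point the log at a directory only the web server user can access. The comment `# Only sysops can create new accounts.` sits directly above `$wgGroupPermissions['*']['createaccount'] = true;`, which grants account creation to everyone, so either the comment or the value is wrong. If these values are intentional for a test instance, a comment saying so would stop them being copied into a production template; the same debug and throttle lines also close the preceding file section of this patch. Separately, `enableSemantics(<%=wiki_name%>);` emits the name unquoted, so unless `wiki_name` already carries its own quotes PHP will read it as a bare constant.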

-- 
To view, visit https://gerrit.wikimedia.org/r/53989
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9319c46b1cc45595d3211cc31fdea8603b1861b8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
