Commit 0cf8267c authored by Hugo Hörnquist's avatar Hugo Hörnquist

Migrated from old puppet.

<?php
/**
* @package MediaWiki
*/
# Copyright (C) 2004 Brion Vibber <brion@pobox.com>
# http://www.mediawiki.org/
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# http://www.gnu.org/copyleft/gpl.html
require_once("AuthPlugin.php");
/**
* Authentication plug-in for authenticating against PAM.
*
* Requires pam_auth from http://www.math.ohio-state.edu/~ccunning/pam_auth/.
*
* @package MediaWiki
*/
class AuthPAM extends AuthPlugin {
/**
* Check whether there exists a user account with the given name.
* The name will be normalized to MediaWiki's requirements, so
* you might need to munge it (for instance, for lowercase initial
* letters).
*
* @param string $username
* @return bool
* @access public
*/
public function userExists( $username ) {
return true;
}
/**
* Check if a username+password pair is a valid login.
* The name will be normalized to MediaWiki's requirements, so
* you might need to munge it (for instance, for lowercase initial
* letters).
*
* @param string $username
* @param string $password
* @return bool
* @access public
*/
public function authenticate( $username, $password ) {
#replace all spaces with underscore as MediaWiki does the opposite somewhere internally and such makes it impossible to login with usernames containing underscores.
#//joakim_tosteberg 2008-04-21
$desc = array(
0 => array("pipe","r"),
1 => array("pipe","w"),
2 => array("file","/tmp/error.out","a")
);
$proc = proc_open('/usr/lib/squid3/basic_pam_auth -o -1 -n datorhandbok',$desc, $pipes);
if (is_resource($proc)) {
fwrite($pipes[0],strtolower(str_replace(' ', '_', $username)));
fwrite($pipes[0]," ");
fwrite($pipes[0],$password);
fwrite($pipes[0],"\n");
fclose($pipes[0]);
$response = stream_get_contents($pipes[1]);
fclose($pipes[1]);
}
$retval = proc_close($proc);
#return pam_auth(strtolower(str_replace(' ', '_', $username)), $password, &$error);
return ($response == "OK \n");
}
/**
* Return true if the wiki should create a new local account automatically
* when asked to login a user who doesn't exist locally but does in the
* external auth database.
*
* If you don't automatically create accounts, you must still create
* accounts in some way. It's not possible to authenticate without
* a local account.
*
* This is just a question, and shouldn't perform any actions.
*
* @return bool
* @access public
*/
public function autoCreate() {
return true;
}
/**
* Can users change their passwords?
*
* @return bool
*/
public function allowPasswordChange() {
return false;
}
/**
* Set the given password in the authentication database.
* Return true if successful.
*
* @param string $password
* @return bool
* @access public
*/
function setPassword( $password ) {
return false;
}
/**
* Update user information in the external authentication database.
* Return true if successful.
*
* @param User $user
* @return bool
* @access public
*/
function updateExternalDB( $user ) {
return false;
}
/**
* Add a user to the external authentication database.
* Return true if successful.
*
* @param User $user
* @param string $password
* @return bool
* @access public
*/
function addUser( $user, $password ) {
return false;
}
/**
* Return true to prevent logins that don't authenticate here from being
* checked against the local database's password fields.
*
* This is just a question, and shouldn't perform any actions.
*
* @return bool
* @access public
*/
function strict() {
return true;
}
/**
* When creating a user account, optionally fill in preferences and such.
* For instance, you might pull the email address or real name from the
* external user database.
*
* The User object is passed by reference so it can be modified; don't
* forget the & on your function declaration.
*
* @param User $user
* @access public
*/
function initUser( &$user ) {
$user->mEmail = strtolower(str_replace(' ', '_', $user->mName)) . "@lysator.liu.se";
}
/**
* If you want to munge the case of an account name before the final
* check, now is your chance.
*/
function getCanonicalName( $username ) {
return $username;
}
}
?>
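Review bot: In authenticate(), `$response` is assigned only inside the `is_resource($proc)` branch (L70–L78), so a failed proc_open reaches L81 with an undefined variable and L79 calls `proc_close` on `false`; `$retval` is computed but never used. Initialise `$response = '';` before the call, move `proc_close` inside the branch, and compare with `===` so the loose `==` on L81 can only match the exact helper reply. The helper reads a single "user password" line, so a username or password containing a newline should be rejected before the writes on L71–L74 rather than being split into a second request. Stderr is appended to the fixed, shared path `/tmp/error.out` (L67); PAM error text belongs in a location only the web server user can write, or in Apache's own error log.
```php
public function authenticate( $username, $password ) {
    // The helper reads one "user password\n" line; an embedded newline would be read as a second request.
    if (strpos($username, "\n") !== false || strpos($password, "\n") !== false) {
        return false;
    }
    // … unchanged: $desc descriptor spec (stderr target should be writable only by the web server user) …
    $response = '';
    $proc = proc_open('/usr/lib/squid3/basic_pam_auth -o -1 -n datorhandbok', $desc, $pipes);
    if (is_resource($proc)) {
        // … unchanged: fwrite of "user password\n" and fclose($pipes[0]) …
        $response = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        proc_close($proc);
    }
    return ($response === "OK \n");
}
```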
auth required pam_krb5.so use_first_pass minimum_uid=100
account required pam_krb5.so minimum_uid=100
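Review bot: The `account required pam_krb5.so` line (L178) only takes effect if the calling program runs PAM's account phase, and AuthPAM.php starts the helper with `-o` (L69), which, if I read squid's basic_pam_auth options correctly, skips account management; expired or locked principals would then still pass on the `auth` line alone. Confirm the helper's handling of `-o` against its documentation and drop the flag if the account check is meant to be enforced. A comment in this file, `# account phase is only evaluated if basic_pam_auth runs it; see AuthPAM.php`, would tie the two halves of the configuration together.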
class profiles::datorhandbok {
ensure_packages([
'apache2',
'mysql-server',
'mediawiki',
'imagemagick',
# squid is needed for pam_auth binary
'squid3',
'certbot',
],
{ ensule => installed, })
service { 'apache2':
ensure => running,
enabled => true,
hasstatus => true,
require => Package['apache2'],
}
service { 'mysql':
ensure => running,
enabled => true,
hasstatus => true,
require => Package['mysql-server'],
}
service { 'squid':
ensure => stopped,
enabled => false,
require => Package['squid3'],
}
# ┌───────────────────────────────┤ Configuring mariadb-server-10.1 ├───────────────────────────────┐
# │ │
# │ Important note for NIS/YP users │
# │ │
# │ Using MariaDB under NIS/YP requires a mysql user account to be added on the local system with: │
# │ │
# │ adduser --system --group --home /var/lib/mysql mysql │
# │ │
# │ │
# │ You should also check the permissions and ownership of the /var/lib/mysql directory: │
# │ │
# │ /var/lib/mysql: drwxr-xr-x mysql mysql │
# │ │
# │ <Ok> │
# │ │
# └─────────────────────────────────────────────────────────────────────────────────────────────────┘
cron { 'backup-mysql':
command => 'TMPFILE=`/bin/mktemp /var/tmp/fulldump.sql.XXX` && /usr/bin/mysqldump --all-databases --events > "$ TMPFILE" && mv "$TMPFILE" /var/lib/mysql-dump/fulldump.sql',
user => 'root',
hour => 3,
minute => 11;
}
file { '/etc/apache2/mods-enabled/rewrite.load':
ensure => symlink,
target => '/etc/apache2/mods-available/rewrite.load',
owner => root,
group => root,
notify => Service['apache2'],
require => Package['apache2'],
}
file { '/etc/apache2/mods-enabled/ssl.load':
ensure => symlink,
target => '/etc/apache2/mods-available/ssl.load',
owner => root,
group => root,
notify => Service['apache2'],
require => Package['apache2'],
}
lyscert::letsencrypt { 'letsencrypt-certonly':
email => 'root@lysator.liu.se',
webserver => 'apache2',
}
file { '/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf':
ensure => file,
owner => root,
group => root,
mode => '0444',
notify => Service['apache2'],
require => Package['apache2'],
content => epp('datorhandbok/datorhandbok.lysator.liu.se',
{
# 'SSLCertificateFile' => '/etc/ssl/certs/datorhandbok.lysator.liu.se/datorhandbok.lysator.liu.se.pem',
# 'SSLCertificateKeyFile' => '/etc/ssl/certs/datorhandbok.lysator.liu.se/datorhandbok.lysator.liu.se.key',
# 'SSLCertificateChainFile' => '/etc/ssl/certs/DigiCertCA.crt',
'SSLCertificateFile' => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/fullchain.pem",
'SSLCertificateKeyFile' => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/privkey.pem",
'SSLCertificateChainFile' => "/etc/letsencrypt/live/${facts['networking']['fqdn']}/fullchain.pem",
}),
}
file { '/etc/apache2/sites-enabled/datorhandbok.lysator.liu.se.conf':
ensure => symlink,
target => '/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf',
owner => root,
group => root,
notify => Service['apache2'],
require => File['/etc/apache2/sites-available/datorhandbok.lysator.liu.se.conf'],
}
file { '/etc/apache2/sites-enabled/000-default':
ensure => absent,
notify => Service['apache2'],
}
# TODO the file requires @pupsecrets.
# reenable once figured out
# file { '/etc/mediawiki/LocalSettings.php':
# ensure => file,
# owner => root,
# group => www-data,
# mode => '0440',
# content => template("datorhandbok/LocalSettings.php.erb"),
# require => Package['mediawiki'],
# }
file { '/var/lib/mediawiki/skins/lyslogo-liten.png':
ensure => file,
owner => www-data,
group => www-data,
source => "puppet:///modules/datorhandbok/lyslogo-liten.png",
require => Package['mediawiki'],
}
file { '/var/lib/mediawiki/favicon.ico':
ensure => file,
owner => root,
group => root,
source => "puppet:///modules/datorhandbok/favicon.ico",
require => Package['mediawiki'],
}
file { '/var/lib/mediawiki/extensions/AuthPAM.php':
ensure => file,
owner => www-data,
group => www-data,
source => "puppet:///modules/datorhandbok/AuthPAM.php",
require => Package['mediawiki'],
}
file { '/etc/pam.d/datorhandbok':
ensure => file,
owner => root,
group => root,
mode => '0444',
source => "puppet:///modules/datorhandbok/pam",
}
file { '/etc/mediawiki-extensions/extensions-enabled/RSSReader.php':
ensure => symlink,
target => '/etc/mediawiki-extensions/extensions-available/RSSReader.php',
require => Package['mediawiki'],
}
file { '/usr/lib/squid3/basic_pam_auth':
ensure => file,
mode => '2755',
require => Package['squid3'],
}
}
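Review bot: `ensule => installed` (L189) is a misspelling of `ensure`; as written the defaults hash hands an unknown attribute to every package resource and the catalog will fail to compile — `{ ensure => installed, }`. The cron command on L224 redirects mysqldump to `"$ TMPFILE"` (note the space), so the dump lands in a literal file named `$ TMPFILE` in the cron working directory and the empty mktemp file is then moved over `fulldump.sql`; it should be `> "$TMPFILE"`, and the destination directory should be unreadable to other users since the dump includes the `mysql` database. Separately, `/var/lib/mediawiki/extensions/AuthPAM.php` (L302–L308) is owned by www-data with no mode set, so the web server process can rewrite the code that decides logins; give it `owner => root, group => root, mode => '0444'` like the pam file on L309–L315.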
<?php
# This file was automatically generated by the MediaWiki installer.
# If you make manual changes, please keep track in case you need to
# recreate them later.
$IP = "/var/lib/mediawiki";
ini_set( "include_path", ".:$IP:$IP/includes:$IP/languages" );
require_once( "includes/DefaultSettings.php" );
//include_once("$IP/extensions/intersection/DynamicPageList.php");
include_once("$IP/extensions/ImageMap/ImageMap.php");
//include_once("$IP/extensions/DynamicPageList/DynamicPageListMigration.php");
include_once("$IP/extensions/DynamicPageList/DynamicPageList.php");
# If PHP's memory limit is very low, some operations may fail.
# ini_set( 'memory_limit', '20M' );
if ( $wgCommandLineMode ) {
if ( isset( $_SERVER ) && array_key_exists( 'REQUEST_METHOD', $_SERVER ) ) {
die( "This script must be run from the command line\n" );
}
} elseif ( empty( $wgNoOutputBuffer ) ) {
## Compress output if the browser supports it
if( !ini_get( 'zlib.output_compression' ) ) @ob_start( 'ob_gzhandler' );
}
$wgSitename = "Datorhandbok";
$wgScriptPath = "";
$wgScript = "$wgScriptPath/index.php";
$wgRedirectScript = "$wgScriptPath/redirect.php";
## If using PHP as a CGI module, use the ugly URLs
$wgArticlePath = "$wgScript/$1";
# $wgArticlePath = "$wgScript?title=$1";
$wgStylePath = "$wgScriptPath/skins";
$wgStyleDirectory = "$IP/skins";
$wgLogo = "$wgScriptPath/skins/lyslogo-liten.png";
$wgUploadPath = "$wgScriptPath/images";
$wgUploadDirectory = "$IP/images";
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmergencyContact = "root@lysator.liu.se";
$wgPasswordSender = "root@lysator.liu.se";
## For a detailed description of the following switches see
## http://meta.wikimedia.org/Enotif and http://meta.wikimedia.org/Eauthent
## There are many more options for fine tuning available see
## /includes/DefaultSettings.php
## UPO means: this is also a user preference option
$wgEnotifUserTalk = true; # UPO
$wgEnotifWatchlist = true; # UPO
$wgEmailAuthentication = false;
$wgDBserver = "localhost";
$wgDBname = "datorhandbok";
$wgDBuser = "datorhandbok";
$wgDBpassword = "<%= import(@pupsecrets + "/mediawiki_mysql") %>";
$wgDBprefix = "";
# If you're on MySQL 3.x, this next line must be FALSE:
$wgDBmysql4 = false;
# Experimental charset support for MySQL 4.1/5.0.
#$wgDBmysql5 = false;
$wgDBmysql5 = true;
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
## To enable image uploads, make sure the 'images' directory
## is writable, then uncomment this:
$wgEnableUploads = true;
$wgUseImageResize = true;
$wgUseImageMagick = false;
$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgCustomConvertCommand = "/usr/bin/convert -resize %wx%h %s %d";
## If you want to use image uploads under safe mode,
## create the directories images/archive, images/thumb and
## images/temp, and make them all writable. Then uncomment
## this, if it's not already uncommented:
# $wgHashedUploadDirectory = false;
## If you have the appropriate support software installed
## you can enable inline LaTeX equations:
$wgUseTeX = true;
$wgMathPath = "{$wgUploadPath}/math";
$wgMathDirectory = "{$wgUploadDirectory}/math";
$wgTmpDirectory = "{$wgUploadDirectory}/tmp";
$wgLocalInterwiki = $wgSitename;
$wgLanguageCode = "sv";
$wgSecretKey = "<%= import(@pupsecrets + "/mediawiki_mysql") %>";
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook':
wfLoadSkin( 'Vector' );
# $wgDefaultSkin = 'monobook';
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
# $wgEnableCreativeCommonsRdf = true;
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# $wgRightsCode = ""; # Not yet used
$wgDiff3 = "/usr/bin/diff3";
## Disable anonymous accounts and edits
$wgGroupPermissions['*' ]['createaccount'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
$wgGroupPermissions['*' ]['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['move'] = false;
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['upload'] = false;
## Allow autocreation of accounts by extensions such as authpam
$wgGroupPermissions['*']['autocreateaccount'] = true;
## Lysatorspecifika grupper:
## www kan skriva och ndra texter.
## root r systemadministratrer.
$wgGroupPermissions['www' ]['edit'] = true;
$wgGroupPermissions['www' ]['move'] = true;
$wgGroupPermissions['www' ]['read'] = true;
$wgGroupPermissions['www' ]['upload'] = true;
$wgGroupPermissions['root']['block'] = true;
$wgGroupPermissions['root']['createaccount'] = true;
$wgGroupPermissions['root']['delete'] = true;
$wgGroupPermissions['root']['edit'] = true;
$wgGroupPermissions['root']['editinterface'] = true;
$wgGroupPermissions['root']['import'] = true;
$wgGroupPermissions['root']['importupload'] = true;
$wgGroupPermissions['root']['move'] = true;
$wgGroupPermissions['root']['patrol'] = true;
$wgGroupPermissions['root']['protect'] = true;
$wgGroupPermissions['root']['read'] = true;
$wgGroupPermissions['root']['rollback'] = true;
$wgGroupPermissions['root']['upload'] = true;
$wgGroupPermissions['root']['userrights'] = true;
## Autentisera mot PAM
require_once("extensions/AuthPAM.php");
$wgAuth = new AuthPAM();
## Visa tiden i Sveriges tidszon.
$wgLocalTZoffset = date("Z") / 3600;
## Gr skrivskyddad.
#$wgReadOnly = "Systemunderhll pgr, Datorhandboken skrivskyddad!";
//$wgShowExceptionDetails = true;
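Review bot: `$wgSecretKey` (L405) imports the same secret file as `$wgDBpassword` (L375), so the key MediaWiki uses to sign sessions and tokens is the MySQL password; a leak of either exposes the other, and a database password is unlikely to have the entropy a signing key needs. Point it at a separate, randomly generated secret, e.g. `$wgSecretKey = "<%= import(@pupsecrets + "/mediawiki_secret_key") %>";` (file name illustrative; the file then also needs to exist in the secrets store). The `@ob_start(...)` on L346 hides failures with `@`; dropping the suppression keeps them visible in the error log. Also note that `$wgAuth`/AuthPlugin (L452–L453) has been removed from recent MediaWiki releases, so a comment stating which packaged version this template targets would save the next maintainer a surprise.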
<%- |
String $SSLCertificateFile,
String $SSLCertificateKeyFile,
String $SSLCertificateChainFile,
| -%>
<Directory /var/lib/mediawiki/>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# some directories must be protected
<Directory /var/lib/mediawiki/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/mediawiki/upload>
Options -FollowSymLinks
AllowOverride None
</Directory>
<VirtualHost datorhandbok.lysator.liu.se:443>
ServerName datorhandbok.lysator.liu.se
DocumentRoot /var/lib/mediawiki
CustomLog /var/log/apache2/datorhandbok.lysator.liu.se.log combined
ErrorLog /var/log/apache2/datorhandbok.lysator.liu.se-error.log
SSLCertificateFile <%= $SSLCertificateFile $>
SSLCertificateKeyFile <%= $SSLCertificateKeyFile %>
SSLCertificateChainFile <%= $SSLCertificateChainFile %>
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Header always set Strict-Transport-Security max-age=31536000
# Note that 'unsafe-inline' is required by MediaWiki due to inline scripts and styles.
Header always set Content-Security-Policy: "default-src 'self' 'unsafe-inline'; img-src https: data:; upgrade-insecure-requests"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options DENY
SSLEngine on
</VirtualHost>
<VirtualHost *:80>
ServerName datorhandbok.lysator.liu.se
DocumentRoot /var/lib/mediawiki
RewriteEngine on
RewriteRule ^/(.*) https://datorhandbok.lysator.liu.se/$1
</VirtualHost>
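Review bot: The EPP tag on L483 is closed with `$>` instead of `%>`, unlike L484–L485, so the template does not render and the whole vhost file goes unmanaged; it should read `SSLCertificateFile <%= $SSLCertificateFile %>`. On L495 the header name carries a trailing colon (`Content-Security-Policy:`); mod_headers takes the bare name, so as written the colon becomes part of the header name and browsers will not apply the policy — use `Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src https: data:; upgrade-insecure-requests"`. The redirect on L504 works only because the substitution is an absolute URL; spelling out `[R=301,L]` makes the permanent status and the end of rule processing explicit.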