From: Christian Pointner
Date: Sat, 6 Jul 2019 22:34:00 +0000 (+0200)
Subject: dokuwiki is now running as seperate user
X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=e222b7e43ec41c7f9d09edf1aa4b5ad4b487a900;p=noc.git
dokuwiki is now running as seperate user
---
diff --git a/ansible/roles/web/dokuwiki/handlers/main.yml b/ansible/roles/web/dokuwiki/handlers/main.yml
new file mode 100644
index 0000000..52aa315
--- /dev/null
+++ b/ansible/roles/web/dokuwiki/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+## TODO: fix hardcoded php version...
+- name: reload php-fpm
+ service:
+ name: php7.3-fpm.service
+ state: reloaded
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/ansible/roles/web/dokuwiki/tasks/main.yml b/ansible/roles/web/dokuwiki/tasks/main.yml
index 30e634f..6d9d221 100644
--- a/ansible/roles/web/dokuwiki/tasks/main.yml
+++ b/ansible/roles/web/dokuwiki/tasks/main.yml
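Review bot: The PHP version is hardcoded in `name: php7.3-fpm.service` here and again in the pool path `/etc/php/7.3/fpm/pool.d/dokuwiki.conf` in the tasks/main.yml hunk; both spots carry a TODO, but as two literal copies they can already drift apart. A single role default (e.g. a constructed `dokuwiki_php_version: "7.3"`) rendered in both places, `name: "php{{ dokuwiki_php_version }}-fpm.service"`, turns the later version bump into a one-line change. Keep the version quoted so YAML does not read `7.3` as a float.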
@@ -6,67 +6,43 @@
 - php-fpm
 state: present
-- name: install nginx vhost config
- template:
- src: nginx.j2
- dest: "/etc/nginx/sites-available/{{ dokuwiki_urls[0] }}"
- notify: reload nginx
-
-- name: eanble nginx vhost config
+- name: create dokuwiki service user
+ user:
+ name: dokuwiki
+ home: /srv/dokuwiki
+ system: yes
+ shell: /bin/false
+
+- name: create dokuwiki data and acl directory
+ with_items:
+ - data
+ - acl
 file:
- src: "../sites-available/{{ dokuwiki_urls[0] }}"
- dest: "/etc/nginx/sites-enabled/{{ dokuwiki_urls[0] }}"
- state: link
- notify: reload nginx
-
-- name: check if acme certs already exists
- stat:
- path: "/var/lib/acme/live/{{ item }}"
- with_items: "{{ dokuwiki_urls }}"
- register: acme_cert_stat
-
-- name: set acmecert_missing_hostnames variable
- set_fact:
- acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(dokuwiki_urls) }}"
-
-- name: link nonexistent hostnames to self-signed interim cert
- when: acmecert_missing_hostnames | length > 0
- block:
- - name: get id of existing selfsigned interim certificate
- command: cat /var/lib/acme/.selfsigned-interim-cert
- changed_when: false
- check_mode: false
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
+ path: "/srv/dokuwiki/{{ item }}"
+ state: directory
+ owner: dokuwiki
+ group: dokuwiki
+ mode: 0700
+
+## TODO: fix hardcoded php version...
+- name: install php-fpm config
+ template:
+ src: php-fpm.conf.j2
+ dest: /etc/php/7.3/fpm/pool.d/dokuwiki.conf
+ notify: reload php-fpm
- - name: link to snakeoil cert for nonexistent hostnames
- file:
- src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: "/var/lib/acme/live/{{ item }}"
- state: link
- with_items: "{{ acmecert_missing_hostnames }}"
-- name: enable vhost config using acme cert
- file:
- src: "../sites-available/{{ dokuwiki_urls[0] }}"
- dest: "/etc/nginx/sites-enabled/{{ dokuwiki_urls[0] }}"
- state: link
+## TODO: apply config options, at least to the following:
+## set $conf['savedir'] to '/srv/dokuwiki/data'
+## update acl symlinks in '/etc/dokuwiki' to '/srv/dokuwiki/acl'
-- name: make sure nginx config has been loaded
- meta: flush_handlers
-
-- name: get certificate using acmetool
- import_role:
- name: acmetool/cert
- vars:
- acmetool_cert_name: "{{ dokuwiki_urls[0] }}"
- acmetool_cert_hostnames: "{{ dokuwiki_urls }}"
+## TODO: install dokuwiki data backup
+## TODO: install dokuwiki acl backup
 - name: install dokuwiki plugins
 import_tasks: plugins.yml
 - name: install dokuwiki templates
 import_tasks: templates.yml
+
+- import_tasks: nginx.yml
diff --git a/ansible/roles/web/dokuwiki/tasks/nginx.yml b/ansible/roles/web/dokuwiki/tasks/nginx.yml
new file mode 100644
index 0000000..940ea17
--- /dev/null
+++ b/ansible/roles/web/dokuwiki/tasks/nginx.yml
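Review bot: The pool installed by `install php-fpm config` makes PHP run as `dokuwiki`, yet the TODO directly below says `$conf['savedir']` and the ACL symlinks still point at their old locations, so until that is done the wiki will presumably try to write a data directory owned by the previous service user and fail with permission errors; either carry the savedir change in this commit or document the intended ordering next to the TODO. In the user task `system: yes` should be `system: true` (yamllint truthy), and `mode: 0700` is safer quoted as `mode: "0700"` so the octal intent survives a YAML 1.2 parser. The trailing `- import_tasks: nginx.yml` is the only import in the file without a `name:`; giving it one (e.g. `- name: install nginx vhost and certificate`) keeps the play output consistent with the two imports above it.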
@@ -0,0 +1,59 @@
+---
+- name: install nginx vhost config
+ template:
+ src: nginx.j2
+ dest: "/etc/nginx/sites-available/{{ dokuwiki_urls[0] }}"
+ notify: reload nginx
+
+- name: eanble nginx vhost config
+ file:
+ src: "../sites-available/{{ dokuwiki_urls[0] }}"
+ dest: "/etc/nginx/sites-enabled/{{ dokuwiki_urls[0] }}"
+ state: link
+ notify: reload nginx
+
+- name: check if acme certs already exists
+ stat:
+ path: "/var/lib/acme/live/{{ item }}"
+ with_items: "{{ dokuwiki_urls }}"
+ register: acme_cert_stat
+
+- name: set acmecert_missing_hostnames variable
+ set_fact:
+ acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(dokuwiki_urls) }}"
+
+- name: link nonexistent hostnames to self-signed interim cert
+ when: acmecert_missing_hostnames | length > 0
+ block:
+ - name: get id of existing selfsigned interim certificate
+ command: cat /var/lib/acme/.selfsigned-interim-cert
+ changed_when: false
+ check_mode: false
+ register: selfsigned_interim_cert_id
+
+ - name: set selfsigned_interim_cert_id variable
+ set_fact:
+ selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
+
+ - name: link to snakeoil cert for nonexistent hostnames
+ file:
+ src: "../certs/{{ selfsigned_interim_cert_id }}"
+ dest: "/var/lib/acme/live/{{ item }}"
+ state: link
+ with_items: "{{ acmecert_missing_hostnames }}"
+
+- name: enable vhost config using acme cert
+ file:
+ src: "../sites-available/{{ dokuwiki_urls[0] }}"
+ dest: "/etc/nginx/sites-enabled/{{ dokuwiki_urls[0] }}"
+ state: link
+
+- name: make sure nginx config has been loaded
+ meta: flush_handlers
+
+- name: get certificate using acmetool
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "{{ dokuwiki_urls[0] }}"
+ acmetool_cert_hostnames: "{{ dokuwiki_urls }}"
diff --git a/ansible/roles/web/dokuwiki/templates/nginx.j2 b/ansible/roles/web/dokuwiki/templates/nginx.j2
index 2ddea1c..0db80ad 100644
--- a/ansible/roles/web/dokuwiki/templates/nginx.j2
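Review bot: The task `enable vhost config using acme cert` creates exactly the same symlink as `eanble nginx vhost config` earlier in the file (same `src`, `dest` and `state: link`), so as written it appears to be a no-op, and unlike the first task it does not notify nginx; if it is meant to switch the vhost over once the real certificate exists, it belongs after the `acmetool/cert` import with `notify: reload nginx`, otherwise it can be dropped. Since the tasks are being moved anyway, the task name `eanble nginx vhost config` should read `enable nginx vhost config`. The name `selfsigned_interim_cert_id` is first the registered command result and is then overwritten by `set_fact` with its stdout; registering the command as, say, `selfsigned_interim_cert_cmd` keeps the two shapes apart for the next reader.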
+++ b/ansible/roles/web/dokuwiki/templates/nginx.j2
@@ -41,6 +41,6 @@ server {
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param REDIRECT_STATUS 200;
- fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_pass unix:/var/run/dokuwiki-php-fpm.sock;
 }
 }
diff --git a/ansible/roles/web/dokuwiki/templates/php-fpm.conf.j2 b/ansible/roles/web/dokuwiki/templates/php-fpm.conf.j2
new file mode 100644
index 0000000..c1b7efa
--- /dev/null
+++ b/ansible/roles/web/dokuwiki/templates/php-fpm.conf.j2
@@ -0,0 +1,16 @@
+[dokuwiki]
+user = dokuwiki
+group = dokuwiki
+
+listen = /var/run/dokuwiki-php-fpm.sock
+
+listen.owner = www-data
+listen.group = www-data
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = /
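Review bot: The socket path `/var/run/dokuwiki-php-fpm.sock` is now written out twice, in `fastcgi_pass` here and in `listen` in templates/php-fpm.conf.j2, and the two must agree byte for byte or every PHP request fails with a bad gateway; a single role variable (a constructed `dokuwiki_php_fpm_socket`, for instance) rendered into both templates makes a silent mismatch impossible. The enclosing `server` and `location` blocks start outside the hunk.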
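Review bot: The pool sets `listen.owner` and `listen.group` to `www-data` but leaves `listen.mode` unset, so the socket's permission bits come from php-fpm's built-in default rather than from this file; adding `listen.mode = 0660` states the intended restriction to the nginx user explicitly and does not depend on the packaged default. The file has a `.j2` suffix but contains no template expressions yet, which is fine if the socket path and the `pm.*` sizing are expected to become variables; otherwise a plain `.conf` copied with the `copy` module would be less surprising.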