From fdd1e5ce35f7f19e0066ca21e71a639780bf110e Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 2 Feb 2021 22:02:44 +0000 Subject: [PATCH] Handle nginx configuration in mediawiki role --- roles/mediawiki/defaults/main.yml | 25 ++++++++++++- roles/mediawiki/tasks/main.yml | 16 +++++++-- roles/mediawiki/templates/nginx.j2 | 58 ++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+), 3 deletions(-) create mode 100644 roles/mediawiki/templates/nginx.j2 diff --git a/roles/mediawiki/defaults/main.yml b/roles/mediawiki/defaults/main.yml index 40462d4..47b4883 100644 --- a/roles/mediawiki/defaults/main.yml +++ b/roles/mediawiki/defaults/main.yml @@ -1,5 +1,8 @@ --- -mediawiki_path: /var/www/wiki.ccchb.de/webroot/w +mediawiki_domain: wiki.ccchb.de + +mediawiki_webroot: /var/www/wiki.ccchb.de/webroot +mediawiki_path: /w mediawiki_extensions: - CategoryTree @@ -21,3 +24,23 @@ mediawiki_skins: mediawiki_sitename: "CCC Bremen" mediawiki_email: "webmaster@ccchb.de" + +mediawiki_install_nginx: true +mediawiki_php_socket: "unix:/run/php/php7.3-fpm.sock" + +mediawiki_nginx_conf: | + listen [::]:443 ssl http2; + listen 443 ssl http2; + + server_name {{ mediawiki_domain }}; + + root {{ mediawiki_webroot }}; + + ssl_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem; + + client_max_body_size 100M; + + include snippets/certbot.conf; +... diff --git a/roles/mediawiki/tasks/main.yml b/roles/mediawiki/tasks/main.yml index a64064b..b73b458 100644 --- a/roles/mediawiki/tasks/main.yml +++ b/roles/mediawiki/tasks/main.yml 
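Review bot: In roles/mediawiki/defaults/main.yml (first hunk), `mediawiki_path` changes meaning from an absolute filesystem path to a URL prefix under `mediawiki_webroot`, and nothing documents the new contract. An inventory that still overrides it with the old value would render LocalSettings.php to the wrong destination and produce broken `location` patterns. A comment above the two variables would make this explicit, e.g. `# mediawiki_path: URL prefix below mediawiki_webroot; leading slash, no trailing slash`. The value is also interpolated unescaped into the regex locations in nginx.j2 (`location ~ ^{{ mediawiki_path }}/...`), so the comment should say it must not contain regex metacharacters.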
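Review bot: In roles/mediawiki/defaults/main.yml (second hunk), the default `mediawiki_nginx_conf` sets certificate paths but no `ssl_protocols`, cipher policy or HSTS header. The vhost's TLS posture therefore depends entirely on http-level nginx settings that this role neither manages nor shows. If that is intentional, say so above the variable, e.g. `# TLS protocol/cipher policy is inherited from the global nginx config; override this block to pin it per site`. If a `Strict-Transport-Security` header is later added here, note that nginx does not inherit server-level `add_header` into a location that declares its own, so the nginx.j2 locations that set `Cache-Control` would not send it. `mediawiki_php_socket` also hard-codes the php7.3-fpm socket, so a PHP upgrade on the host would break the `fastcgi_pass` target until the variable is overridden.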
@@ -2,8 +2,20 @@ - name: Configure Mediawiki template: src: LocalSettings.php.j2 - dest: "{{ mediawiki_path }}/LocalSettings.php" + dest: "{{ mediawiki_webroot }}/{{ mediawiki_path }}/LocalSettings.php" owner: www-data group: www-data mode: '0600' - + +- name: Install nginx site + template: + src: nginx.j2 + dest: /etc/nginx/sites-available/{{ mediawiki_domain }} + when: mediawiki_install_nginx + +- name: Activate site {{ mediawiki_install_nginx }} + file: + src: /etc/nginx/sites-available/{{ mediawiki_domain }} + dest: /etc/nginx/sites-enabled/{{ mediawiki_domain }} + when: mediawiki_install_nginx +... diff --git a/roles/mediawiki/templates/nginx.j2 b/roles/mediawiki/templates/nginx.j2 new file mode 100644 index 0000000..0f0433b --- /dev/null +++ b/roles/mediawiki/templates/nginx.j2 
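Review bot: In roles/mediawiki/tasks/main.yml, the `Activate site` task passes `src` and `dest` to `file` without `state: link`. As far as I can tell, no symlink is created in sites-enabled and the task fails when the path does not yet exist; add `state: link`. The `Install nginx site` template task sets no `owner`, `group` or `mode`, unlike the LocalSettings.php task above it; root ownership with `mode: '0644'` would make the result independent of the default umask. Neither new task notifies a handler, so nginx is apparently not reloaded after the site file changes unless that happens elsewhere in the playbook. The task name `Activate site {{ mediawiki_install_nginx }}` prints the boolean and probably meant `{{ mediawiki_domain }}`.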
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+
+server {
+ {{ mediawiki_nginx_conf }}
+
+ location ~ ^{{ mediawiki_path }}/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass {{ mediawiki_php_socket }};
+ }
+
+ # Images
+ location {{ mediawiki_path }}/images {
+ # Separate location for images/ so .php execution won't apply
+ }
+ location {{ mediawiki_path }}/images/deleted {
+ # Deny access to deleted images folder
+ deny all;
+ }
+ # MediaWiki assets (usually images)
+ location ~ ^{{ mediawiki_path }}/resources/(assets|lib|src) {
+ try_files $uri 404;
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+ # Assets, scripts and styles from skins and extensions
+ location ~ ^{{ mediawiki_path }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm)$ {
+ try_files $uri 404;
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+ # Favicon
+ location = /favicon.ico {
+ add_header Cache-Control "public";
+ expires 7d;
+ }
+
+ location {{ mediawiki_path }}/rest.php/ {
+ try_files $uri $uri/ {{ mediawiki_path }}/rest.php?$query_string;
+ }
+
+ # Handling for the article path (pretty URLs)
+ location /wiki/ {
+ rewrite ^/wiki/(?.*)$ {{ mediawiki_path }}/index.php;
+ }
+
+ # Allow robots.txt in case you have one
+ location = /robots.txt {
+ }
+ # Explicit access to the root website, redirect to main page (adapt as needed)
+ location = / {
+ return 301 /wiki/Hauptseite;
+ }
+
+ location / {
+ return 404;
+ }
+}
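Review bot: The `{{ mediawiki_path }}/images` location serves files from the wiki's own origin with no content-type hardening. Since this directory normally holds user uploads, add `add_header X-Content-Type-Options "nosniff";` inside it so browsers do not sniff an upload into an active type. Both `try_files $uri 404;` lines (the resources and skins/extensions locations) are missing the `=`: without it nginx treats `404` as a fallback URI for an internal redirect rather than a status code, so they should read `try_files $uri =404;`. The capture group in the `/wiki/` rewrite shows as `(?.*)` on this page, which is not a valid group; it is probably a named group whose name was lost in rendering, but that is worth confirming in the file.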