diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
index 3dc6e157..e8f065e6 100644
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -1,6 +1,7 @@
 ---
 glob_nginx:
 contact: contact@crans.org
+ extra_params: []
 who: "L'équipe technique du Cr@ns"
 service_name: service
 ssl:
diff --git a/group_vars/wiki.yml b/group_vars/wiki.yml
index 47419505..cfbd7aeb 100644
--- a/group_vars/wiki.yml
+++ b/group_vars/wiki.yml
@@ -1,8 +1,53 @@
 ---
 glob_moinmoin:
+ data_dir: /var/local/wiki/data
+ front_page: PageAccueil
+ interwikiname: CransWiki
+ ip_autorised:
+ - ip.startswith('185.230.76.') # IPv4 Crans
+ - ip.startswith('185.230.77.')
+ - ip.startswith('185.230.78.')
+ - ip.startswith('185.230.79.')
+ - ip.startswith('172.16.') # IPv4 local
+ - ip.startswith('138.231.')
+ - ip.startswith('45.66.108.') # IPv4 Aurore
+ - ip.startswith('45.66.109.')
+ - ip.startswith('45.66.110.')
+ - ip.startswith('45.66.111.')
+ - ip.startswith('2a0c:700:') # IPv6 Crans
+ - ip.startswith('2a09:6840:') # IPv6 Aurore
+ mail:
+ from: Crans Wiki
+ server: smtp.adm.crans.org
 main: false
+ new_account_ip:
+ - 45.66.108.0/22, # IPv4 Aurore
+ - 100.64.0.0/10, # IPv4 adherents
+ - 138.231.175.203/32, # IPv4 PC Kfet
+ - 172.16.0.0/16, # IPv4 local
+ - 185.230.76.0/22, # IPv4 Crans
+ - 2a0c:700::/32, # IPv6 Crans
+ - 2a09:6840::/32, # IPv6 Aurore
+ site_name: Crans Wiki
+ superuser:
+ - u"Benjamin"
+ - u"DsAc"
+ - u"PeBecue"
+ - u"SolalNathan"
+ - u"VanilleNiven"
+ - u"WikiAeltheos"
+ - u"WikiBleizi"
+ - u"WikiGabo"
+ - u"WikiKorenstin"
+ - u"WikiLzebulon"
+ - u"WikiPigeonMoelleux"
+ - u"WikiPollion"
+ - u"WikiShirenn"
+ - u"Wiki20-100"
 loc_nginx:
+ extra_params:
+ - "limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;"
 service_name: wiki
 ssl: []
 servers:
@@ -33,6 +78,7 @@ loc_nginx:
 - filter: "/"
 params:
+ - "limit_req zone=mylimit burst=100 nodelay"
 - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
 - "include uwsgi_params"
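Review bot: The `new_account_ip` entries carry a trailing comma inside the YAML value (the scalar is `45.66.108.0/22,`; the `,` is not list syntax), and the loop in mywiki.py.j2 renders each one as `'45.66.108.0/22,',`, which is not a valid CIDR string and will either break the `IpRange` setup or never match, silently disabling the `newaccount` restriction. Drop the commas, e.g. `- 45.66.108.0/22 # IPv4 Aurore`. The same applies to the `local_nets` hunk in mywiki.py.j2 that consumes this list. It is also worth saying in the role README that `ip_autorised` and `superuser` are verbatim Python source fragments pasted into the generated config, so one malformed entry (or a stray quote) breaks the whole wiki configuration rather than one rule.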
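Review bot: `limit_req_zone` is keyed on `$binary_remote_addr`, and the inventory has a `reverseproxy` group; if wiki traffic reaches this host through that proxy, every client shares the proxy's address and the single 10r/s bucket throttles the whole site instead of one client. I cannot see the upstream path from here, so confirm it; if the wiki is proxied, restore the real client address first (nginx's realip module, `set_real_ip_from` plus `real_ip_header`) so the key is per client. `burst=100 nodelay` otherwise looks reasonable for a wiki.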
diff --git a/hosts b/hosts
index a1a188b3..d3d467be 100644
--- a/hosts
+++ b/hosts
@@ -41,6 +41,10 @@ reverseproxy
 virtu
 vsftpd_mirror
+# Catégorie des VM de test/dev
+[dev]
+re2o-dev.crans.org
+
 [dhcp:children]
 routeurs_vm
diff --git a/plays/borgbackup_client.yml b/plays/borgbackup_client.yml
index 9f6dcc0d..1df5b5be 100755
--- a/plays/borgbackup_client.yml
+++ b/plays/borgbackup_client.yml
@@ -2,7 +2,7 @@
 ---
 - import_playbook: ssh_known_hosts.yml
-- hosts: server,!apprentis.adm.crans.org
+- hosts: server,!dev,!apprentis.adm.crans.org
 vars:
 borg: "{{ glob_borg | default({}) | combine(loc_borg | default({})) }}"
 roles:
diff --git a/plays/restic_client.yml b/plays/restic_client.yml
index 27fa65a9..b5593525 100755
--- a/plays/restic_client.yml
+++ b/plays/restic_client.yml
@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: server
+- hosts: server,!dev
 vars:
 restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}"
 roles:
diff --git a/roles/moinmoin/README.md b/roles/moinmoin/README.md
index 5dd880f6..29168bdb 100644
--- a/roles/moinmoin/README.md
+++ b/roles/moinmoin/README.md
@@ -4,4 +4,17 @@ Installe et configure le wiki (avec hardcode)
 ## Variables
-moinmoin.main: booléen
+```yaml
+moinmoin:
+ data_dir: dossier contenant les données
+ front_page: nom de la page d'accueil
+ interwikiname: nom
+ ip_autorised: liste de conditions que l'ip doit vérifier
+ mail:
+ from: email du wiki
+ server: adresse du serveur
+ main: booléen
+ new_account_ip: liste de range ip
+ site_name: nom du site
+ superuser: liste des noms wiki des superusers
+```
diff --git a/roles/moinmoin/templates/moin/mywiki.py.j2 b/roles/moinmoin/templates/moin/mywiki.py.j2
index 2295ac02..cb6c07b7 100644
--- a/roles/moinmoin/templates/moin/mywiki.py.j2
+++ b/roles/moinmoin/templates/moin/mywiki.py.j2
@@ -24,8 +24,8 @@ from MoinMoin import config
 class Config(FarmConfig):
 # basic options (you normally need to change these)
- sitename = u'Crans Wiki'
- interwikiname = 'CransWiki'
+ sitename = u'{{ moinmoin.site_name }}'
+ interwikiname = '{{ moinmoin.interwikiname }}'
 # name of entry page / front page [Unicode], choose one of those:
@@ -33,9 +33,9 @@ class Config(FarmConfig):
 #page_front_page = u"MyStartingPage"
 # b) if wiki content is maintained in many languages
- page_front_page = u"PageAccueil"
+ page_front_page = u"{{ moinmoin.front_page }}"
- data_dir = '/var/local/wiki/data'
+ data_dir = '{{ moinmoin.data_dir }}'
 # From here every parameters was added by the Crans --
 data_underlay_dir = '/var/local/wiki/underlay/'
@@ -47,13 +47,13 @@ class Config(FarmConfig):
 charset='utf-8'
 # Mailing
- mail_from = u"Crans Wiki "
- mail_smarthost='smtp.adm.crans.org'
+ mail_from = u"{{ moinmoin.mail.from }}"
+ mail_smarthost='{{ moinmoin.mail.server }}'
 # This is checked by some rather critical and potentially harmful actions,
 # like despam or PackageInstaller action:
 # WikiShirenn is a giant avocado https://youtu.be/UJeH8gcjuj0
- superuser= [u"PeBecue", u"Wiki20-100", u"Benjamin", u"WikiPollion", u"WikiErdnaxe", u"WikiShirenn", u"WikiYnerant", u"DsAc", u"VanilleNiven", u"WikiAeltheos", u"WikiBleizi", u"SolalNathan"]
+ superuser= [{{ moinmoin.superuser | join(", ")}}]
 # Custom logo
 logo_string = u'Crans'
@@ -77,6 +77,12 @@ class Config(FarmConfig):
 solenoid_userprefs = True
 solenoid_theme_credit = False
+ page_credits = [
+ u'Propulsé par MoinMoin',
+ u'Mentions légales'
+ ];
+
+ chart_options = {'width': 600, 'height': 300}
 refresh = (0, 'external')
@@ -99,9 +105,8 @@ class Config(FarmConfig):
 # Barre de navigation
 navi_bar = [
 u"[[ModificationsRécentes|Modifications récentes]]",
- u"[[RechercherUnePage|Rechercher]]",
+ u"[[RechercherUnePage|Recherche avancée]]",
 u"[[SommaireDeL'Aide|Aide]]",
- u"[[MentionsLégales|Mentions Légales]]"
 ]
 # Lock
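Review bot: The inventory values are interpolated straight into Python string literals with no escaping (`u'{{ moinmoin.site_name }}'`, and likewise `front_page`, `data_dir`, `mail.from` and `mail.server` in the following hunks), so a quote or backslash in any of them turns into a syntax error in the generated wiki config; rendering each through a filter that emits a quoted literal (Ansible's `to_json` yields a double-quoted string) or documenting the restriction in the role README would close that. The removed `mail_from = u"Crans Wiki "` ends in a space, which suggests an address part was dropped by this rendering, while the new `mail.from: Crans Wiki` in group_vars is only a display name — confirm the rendered value still carries an email address, since it is used as the sender. In the `page_credits` hunk the `];` carries a stray semicolon; `]` is enough.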
@@ -134,7 +139,7 @@ class Config(FarmConfig):
 # Import auth methods
 import sys
- sys.path.append('/var/local/wiki/data')
+ sys.path.append('{{ moinmoin.data_dir }}')
 from plugin.auth import categorie_public, ip_range, cas, moin
 # Si la methode d'authentification est trusted
@@ -152,13 +157,9 @@ class Config(FarmConfig):
 ),
 ip_range.IpRange(
 local_nets=[
- '185.230.76.0/22', # IPv4 Crans
- '172.16.0.0/16', # IPv4 local
- '100.64.0.0/10', # IPv4 adherents
- '2a0c:700::/32', # IPv6 Crans
- '45.66.108.0/22', # IPv4 Aurore
- '2a09:6840::/32', # IPv6 Aurore
- '138.231.175.203/32', # IPv4 PC Kfet
+{% for ip_range in moinmoin.new_account_ip %}
+ '{{ ip_range }}',
+{% endfor %}
 ],
 actions=['newaccount'],
 actions_msg={'newaccount':"La création de comptes n'est autorisée que depuis le réseau du Crans ou sur zamok."},
@@ -172,19 +173,7 @@ class Config(FarmConfig):
 def ip_autorised_create_account(self, ip):
 {% if moinmoin.main %}
- return ip.startswith('185.230.76.') \
- or ip.startswith('185.230.77.') \
- or ip.startswith('185.230.78.') \
- or ip.startswith('185.230.79.') \
- or ip.startswith('172.16.') \
- or ip.startwith('138.231.') \
- or ip.startwith('45.66.108.') \
- or ip.startwith('45.66.109.') \
- or ip.startwith('45.66.110.') \
- or ip.startwith('45.66.111.') \
- or ip.startswith('2a0c:700:') \
- or ip.startswith('2a09:6840:') \
- or ip.startswith("138.231.175.203")
+ return {{ moinmoin.ip_autorised | join(" \\\n or ")}}
 {% else %}
 return False
 {% endif %}
@@ -195,3 +184,9 @@ class Config(FarmConfig):
 'newaccount', 'recoverpass'
 ]
 {% endif %}
+
+ # up the cookie lifetime since we fixed ACL linked to cookies and people
+ # are gettings disconnected more often, default is (0,12), which means 12h
+ # for logged in users and disabled for anonymous.
+ cookie_lifetime = (0, 7*24)
+
diff --git a/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2 b/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2
index 65fd8532..e06845d9 100644
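Review bot: `ip_autorised_create_account` now evaluates a second, hand-maintained list of textual prefixes while `local_nets` in the hunk above already holds the same networks as CIDR, and the two lists in group_vars/wiki.yml already disagree (`100.64.0.0/10` appears only in `new_account_ip`; `138.231.` is a whole /16 in `ip_autorised` but a single `/32` in the other). Prefix matching on the address string is also brittle for IPv6, since `2a0c:700:` does not match an uncompressed or differently cased rendering of the same address. If the `ip_range` module imported a few lines up exposes a reusable matcher, the cleaner fix is to test the one CIDR list in both places; I cannot see its interface from here, so that needs checking.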
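Review bot: `cookie_lifetime = (0, 7*24)` extends a logged-in session from 12 hours to a week, which also lengthens the window during which a leaked or replayed session cookie stays valid; the comment explains the motivation but not that this trade-off was accepted. Consider stating that in the comment and pairing the longer lifetime with the Secure/HttpOnly cookie settings if this MoinMoin release provides them (`cookie_secure` and `cookie_httponly` in the 1.9 line; verify for the installed version). Also `gettings` → `getting` in the comment.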
--- a/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2
+++ b/roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2
@@ -2,12 +2,13 @@
 plugin = python
 chdir = /usr/share/moin/server/
 wsgi-file = /usr/share/moin/server/moin.wsgi
-max-request = 50
+max-request = 50
 harakiri = 300
 cheaper = 1
 cheaper-initial = 1
 die-on-term
 workers = 5
+processes = 5
 reload-on-rss = 200M
 evil-reload-on-rss = 300M
 ksm = true
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 0fa1db51..b4291500 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -44,6 +44,7 @@
 notify: Reload nginx
 - name: Create log directories
+ when: reverseproxy is defined
 file:
 path: /var/log/nginx/{{ item.from }}
 state: directory
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
index 66c95249..0d7be7e7 100644
--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -7,6 +7,10 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
+{% for param in nginx.extra_params %}
+{{ param }}
+{% endfor %}
+
 {% for upstream in nginx.upstreams -%}
 upstream {{ upstream.name }} {
 # Path of the server
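Review bot: `processes = 5` duplicates the `workers = 5` line directly above it — in uWSGI the two option names are aliases for the same setting, so the added line changes nothing and leaves two values that can drift apart; keep one of them. The `max-request = 50` replacement differs only in whitespace.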
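Review bot: `{{ param }}` is emitted verbatim in the http-level context, and the one caller in group_vars/wiki.yml has to supply the terminating `;` itself (`limit_req_zone ... rate=10r/s;`), whereas the location `params` in the same file are written without it (`uwsgi_pass unix:///...`), presumably because the template appends it for those. Either append the `;` here as well for consistency, or state in the nginx role README that `extra_params` entries are raw, self-terminated directives. A short comment above the loop, `{# raw http-level directives from nginx.extra_params, rendered verbatim #}`, would help the next reader.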