Retrait hardcode et mise à jour de la conf wiki, création du groupe dev

group_vars/nginx.yml

@@ -1,6 +1,7 @@
 ---
 glob_nginx:
   contact: contact@crans.org
+  extra_params: []
   who: "L'équipe technique du Cr@ns"
   service_name: service
   ssl:

group_vars/wiki.yml

@@ -1,8 +1,53 @@
 ---
 glob_moinmoin:
+  data_dir: /var/local/wiki/data
+  front_page: PageAccueil
+  interwikiname: CransWiki
+  ip_autorised:
+    - ip.startswith('185.230.76.') # IPv4 Crans
+    - ip.startswith('185.230.77.')
+    - ip.startswith('185.230.78.')
+    - ip.startswith('185.230.79.')
+    - ip.startswith('172.16.')     # IPv4 local
+    - ip.startswith('138.231.')
+    - ip.startswith('45.66.108.')  # IPv4 Aurore
+    - ip.startswith('45.66.109.')
+    - ip.startswith('45.66.110.')
+    - ip.startswith('45.66.111.')
+    - ip.startswith('2a0c:700:')   # IPv6 Crans
+    - ip.startswith('2a09:6840:')  # IPv6 Aurore
+  mail:
+    from: Crans Wiki <wiki@crans.org>
+    server: smtp.adm.crans.org
   main: false
+  new_account_ip:
+    - 45.66.108.0/22,     # IPv4 Aurore
+    - 100.64.0.0/10,      # IPv4 adherents
+    - 138.231.175.203/32, # IPv4 PC Kfet
+    - 172.16.0.0/16,      # IPv4 local
+    - 185.230.76.0/22,    # IPv4 Crans
+    - 2a0c:700::/32,      # IPv6 Crans
+    - 2a09:6840::/32,     # IPv6 Aurore
+  site_name: Crans Wiki
+  superuser:
+    - u"Benjamin"
+    - u"DsAc"
+    - u"PeBecue"
+    - u"SolalNathan"
+    - u"VanilleNiven"
+    - u"WikiAeltheos"
+    - u"WikiBleizi"
+    - u"WikiGabo"
+    - u"WikiKorenstin"
+    - u"WikiLzebulon"
+    - u"WikiPigeonMoelleux"
+    - u"WikiPollion"
+    - u"WikiShirenn"
+    - u"Wiki20-100"
 
 loc_nginx:
+  extra_params:
+    - "limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;"
   service_name: wiki
   ssl: []
   servers:
@@ -33,6 +78,7 @@ loc_nginx:
 
         - filter: "/"
           params:
+            - "limit_req zone=mylimit burst=100 nodelay"
             - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
             - "include uwsgi_params"
 

hosts

@@ -41,6 +41,10 @@ reverseproxy
 virtu
 vsftpd_mirror
 
+# Catégorie des VM de test/dev
+[dev]
+re2o-dev.crans.org
+
 [dhcp:children]
 routeurs_vm
 

plays/borgbackup_client.yml

@@ -2,7 +2,7 @@
 ---
 - import_playbook: ssh_known_hosts.yml
 
-- hosts: server,!apprentis.adm.crans.org
+- hosts: server,!dev,!apprentis.adm.crans.org
   vars:
     borg: "{{ glob_borg | default({}) | combine(loc_borg | default({})) }}"
   roles:

plays/restic_client.yml

@@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 
-- hosts: server
+- hosts: server,!dev
   vars:
     restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}"
   roles:

roles/moinmoin/README.md

@@ -4,4 +4,17 @@ Installe et configure le wiki (avec hardcode)
 
 ## Variables
 
-moinmoin.main: booléen
+```yaml
+moinmoin:
+  data_dir: dossier contenant les données
+  front_page: nom de la page d'accueil
+  interwikiname: nom
+  ip_autorised: liste de conditions que l'ip doit vérifier
+  mail:
+    from: email du wiki
+    server: adresse du serveur
+  main: booléen
+  new_account_ip: liste de range ip
+  site_name: nom du site
+  superuser: liste des noms wiki des superusers
+```

roles/moinmoin/templates/moin/mywiki.py.j2

@@ -24,8 +24,8 @@ from MoinMoin import config
 class Config(FarmConfig):
 
     # basic options (you normally need to change these)
-    sitename = u'Crans Wiki'
+    sitename = u'{{ moinmoin.site_name }}'
-    interwikiname = 'CransWiki'
+    interwikiname = '{{ moinmoin.interwikiname }}'
 
     # name of entry page / front page [Unicode], choose one of those:
 
@@ -33,9 +33,9 @@ class Config(FarmConfig):
     #page_front_page = u"MyStartingPage"
 
     # b) if wiki content is maintained in many languages
-    page_front_page = u"PageAccueil"
+    page_front_page = u"{{ moinmoin.front_page }}"
 
-    data_dir = '/var/local/wiki/data'
+    data_dir = '{{ moinmoin.data_dir }}'
 
     # From here every parameters was added by the Crans --
     data_underlay_dir = '/var/local/wiki/underlay/'
@@ -47,13 +47,13 @@ class Config(FarmConfig):
     charset='utf-8'
 
     # Mailing
-    mail_from = u"Crans Wiki <wiki@crans.org>"
+    mail_from = u"{{ moinmoin.mail.from }}"
-    mail_smarthost='smtp.adm.crans.org'
+    mail_smarthost='{{ moinmoin.mail.server }}'
 
     # This is checked by some rather critical and potentially harmful actions,
     # like despam or PackageInstaller action:
     # WikiShirenn is a giant avocado https://youtu.be/UJeH8gcjuj0
-    superuser= [u"PeBecue", u"Wiki20-100", u"Benjamin", u"WikiPollion", u"WikiErdnaxe", u"WikiShirenn", u"WikiYnerant", u"DsAc", u"VanilleNiven", u"WikiAeltheos", u"WikiBleizi", u"SolalNathan"]
+    superuser= [{{ moinmoin.superuser | join(", ")}}]
 
     # Custom logo
     logo_string = u'<img src="/wiki/logo.svg" alt="Crans" height="60">'
@@ -77,6 +77,12 @@ class Config(FarmConfig):
     solenoid_userprefs = True
     solenoid_theme_credit = False
 
+    page_credits = [
+      u'<a href="http://moinmo.in/" title="Ce site utilise le logiciel MoinMoin.">Propulsé par MoinMoin</a>',
+      u'<a href="/MentionsLégales" title="Voir les mentions légales.">Mentions légales</a>'
+    ];
+
+
     chart_options = {'width': 600, 'height': 300}
 
     refresh = (0, 'external')
@@ -99,9 +105,8 @@ class Config(FarmConfig):
     # Barre de navigation
     navi_bar = [
         u"[[ModificationsRécentes|Modifications récentes]]",
-        u"[[RechercherUnePage|Rechercher]]",
+        u"[[RechercherUnePage|Recherche avancée]]",
         u"[[SommaireDeL'Aide|Aide]]",
-        u"[[MentionsLégales|Mentions Légales]]"
     ]
 
     # Lock
@@ -134,7 +139,7 @@ class Config(FarmConfig):
 
     # Import auth methods
     import sys
-    sys.path.append('/var/local/wiki/data')
+    sys.path.append('{{ moinmoin.data_dir }}')
     from plugin.auth import categorie_public, ip_range, cas, moin
 
     # Si la methode d'authentification est trusted
@@ -152,13 +157,9 @@ class Config(FarmConfig):
         ),
         ip_range.IpRange(
             local_nets=[
-                '185.230.76.0/22', # IPv4 Crans
+{% for ip_range in moinmoin.new_account_ip %}
-                '172.16.0.0/16',   # IPv4 local
+                '{{ ip_range }}',
-                '100.64.0.0/10',   # IPv4 adherents
+{% endfor %}
-                '2a0c:700::/32',   # IPv6 Crans
-                '45.66.108.0/22',  # IPv4 Aurore
-                '2a09:6840::/32',  # IPv6 Aurore
-                '138.231.175.203/32', # IPv4 PC Kfet
             ],
             actions=['newaccount'],
             actions_msg={'newaccount':"La cr&eacute;ation de comptes n'est autoris&eacute;e que depuis le r&eacute;seau du Crans ou sur zamok."},
@@ -172,19 +173,7 @@ class Config(FarmConfig):
 
     def ip_autorised_create_account(self, ip):
 {% if moinmoin.main %}
-        return ip.startswith('185.230.76.') \
+        return {{ moinmoin.ip_autorised | join(" \\\n                or ")}}
-                or ip.startswith('185.230.77.') \
-                or ip.startswith('185.230.78.') \
-                or ip.startswith('185.230.79.') \
-                or ip.startswith('172.16.') \
-                or ip.startwith('138.231.') \
-                or ip.startwith('45.66.108.') \
-                or ip.startwith('45.66.109.') \
-                or ip.startwith('45.66.110.') \
-                or ip.startwith('45.66.111.') \
-                or ip.startswith('2a0c:700:') \
-                or ip.startswith('2a09:6840:') \
-                or ip.startswith("138.231.175.203")
 {% else %}
         return False
 {% endif %}
@@ -195,3 +184,9 @@ class Config(FarmConfig):
         'newaccount', 'recoverpass'
     ]
 {% endif %}
+
+    # up the cookie lifetime since we fixed ACL linked to cookies and people
+    # are gettings disconnected more often, default is (0,12), which means 12h
+    # for logged in users and disabled for anonymous.
+    cookie_lifetime = (0, 7*24)
+

roles/moinmoin/templates/uwsgi/apps-available/moinmoin.ini.j2

@@ -8,6 +8,7 @@ cheaper = 1
 cheaper-initial = 1
 die-on-term
 workers = 5
+processes = 5
 reload-on-rss = 200M
 evil-reload-on-rss = 300M
 ksm = true

roles/nginx/tasks/main.yml

@@ -44,6 +44,7 @@
   notify: Reload nginx
 
 - name: Create log directories
+  when: reverseproxy is defined
   file:
     path: /var/log/nginx/{{ item.from }}
     state: directory

roles/nginx/templates/nginx/sites-available/service.j2

@@ -7,6 +7,10 @@ map $http_upgrade $connection_upgrade {
     ''      close;
 }
 
+{% for param in nginx.extra_params %}
+{{ param }}
+{% endfor %}
+
 {% for upstream in nginx.upstreams -%}
 upstream {{ upstream.name }} {
     # Path of the server