authorGuilhem Moulin <>2015-05-31 23:10:53 +0200
committerGuilhem Moulin <>2015-06-07 02:54:00 +0200
commitacb068b4a5af0654d21c2830655b7c6156a2b845 (patch)
treee39d16f7bfa6c631271a9a5bf5720fdc0ea9f5ca /roles
parente63885bcc0d46bfe58a32fcfc1d02daae8735929 (diff)
Configure ikiwiki (website + wiki).
Diffstat (limited to 'roles')
7 files changed, 633 insertions, 1 deletions
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 8812537..c729e1a 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -52,7 +52,7 @@ in tcp {{ postfix_instance.lists.port }}
{% if 'MSA' in group_names %}
in tcp 587 # SMTP-AUTH
{% endif %}
-{% if 'webmail' in group_names or 'lists' in group_names or 'website' in group_names %}
+{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names %}
in tcp 80,443 # HTTP/HTTPS
{% endif %}
{% if 'webmail' in group_names and 'IMAP' not in group_names %}
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
new file mode 100644
index 0000000..a4abdce
--- /dev/null
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -0,0 +1,42 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name;
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+ return 301 https://$host$request_uri;
+server {
+ listen 443;
+ listen [::]:443;
+ server_name;
+ include ssl/config;
+ # include the intermediate certificate, see
+ # -
+ # -
+ ssl_certificate /etc/nginx/ssl/;
+ ssl_certificate_key /etc/nginx/ssl/;
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+ location / {
+ try_files $uri $uri/ =404;
+ index index.html;
+ root /var/lib/ikiwiki/public_html/fripost-wiki/website;
+ }
+ location /static/ {
+ alias /var/lib/ikiwiki/public_html/fripost-wiki/static/;
+ }
+ location = /ikiwiki.cgi {
+ return 403;
+ }
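Review bot: Both `listen 443;` directives in this server block (and the same pair in the `wiki` site added next) carry no `ssl` parameter, so TLS on port 443 depends entirely on the included `ssl/config` enabling it (an `ssl on;` in the nginx of that era); `listen 443 ssl;` and `listen [::]:443 ssl;` make the intent explicit and keep the site correct even if the include changes. The `return 301 https://$host$request_uri;` redirect derives its target from the client-supplied Host header; with a fixed `server_name` that is constrained, but `https://$server_name$request_uri` removes the dependency altogether. The hunk header announces 42 lines and fewer are visible here, so the closing braces and the hostnames in `server_name` and the certificate paths could not be checked.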
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
new file mode 100644
index 0000000..304ea1a
--- /dev/null
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -0,0 +1,54 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name;
+ access_log /var/log/nginx/wiki.access.log;
+ error_log /var/log/nginx/wiki.error.log info;
+ location / {
+ location ~ ^/website(/.*)?$ { return 302 $scheme://$1; }
+ try_files $uri $uri/ =404;
+ index index.html;
+ root /var/lib/ikiwiki/public_html/fripost-wiki;
+ }
+ location = /ikiwiki.cgi {
+ return 302 https://$host$request_uri;
+ }
+server {
+ listen 443;
+ listen [::]:443;
+ server_name;
+ include ssl/config;
+ # include the intermediate certificate, see
+ # -
+ # -
+ ssl_certificate /etc/nginx/ssl/;
+ ssl_certificate_key /etc/nginx/ssl/;
+ access_log /var/log/nginx/wiki.access.log;
+ error_log /var/log/nginx/wiki.error.log info;
+ location / {
+ location ~ ^/website(/.*)?$ { return 302 $scheme://$1; }
+ try_files $uri $uri/ =404;
+ index index.html;
+ root /var/lib/ikiwiki/public_html/fripost-wiki;
+ }
+ location = /ikiwiki.cgi {
+ fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki;
+ fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi;
+ fastcgi_index ikiwiki.cgi;
+ include fastcgi/params;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ gzip off;
+ }
diff --git a/roles/wiki/files/var/lib/ikiwiki/IkiWiki/Plugin/ b/roles/wiki/files/var/lib/ikiwiki/IkiWiki/Plugin/
new file mode 100644
index 0000000..c602fd9
--- /dev/null
+++ b/roles/wiki/files/var/lib/ikiwiki/IkiWiki/Plugin/
@@ -0,0 +1,18 @@
+package IkiWiki::Plugin::isWebsite;
+use warnings;
+use strict;
+use IkiWiki 3.00;
+sub import {
+ hook(type => "pagetemplate", id => "isWebsite", call => \&pagetemplate);
+sub pagetemplate (@) {
+ my %params = @_;
+ $params{template}->param(ISWEBSITE => 1) if $params{page} =~ /^website(?:\/.*)?$/;
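Review bot: The match on the last line uses `$`, which also accepts a trailing newline, and escapes the slash where a different delimiter would avoid it; `$params{template}->param(ISWEBSITE => 1) if $params{page} =~ m{\Awebsite(?:/.*)?\z};` states exactly "the page `website` or any page below it". The module also carries no comment on what `ISWEBSITE` is for; a header such as `# Sets the ISWEBSITE template variable on the 'website' page and its subpages, presumably so a page template can render them differently — confirm against the templates in use.` would save the next maintainer a search. The `(@)` prototype and the `hook()` registration follow ikiwiki's plugin convention, so those are fine as written. Only nine of the hunk's eighteen lines are visible here, so the closing braces and the trailing true value of the module could not be checked.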
diff --git a/roles/wiki/files/var/lib/ikiwiki/fripost-wiki.setup b/roles/wiki/files/var/lib/ikiwiki/fripost-wiki.setup
new file mode 100644
index 0000000..dc82e28
--- /dev/null
+++ b/roles/wiki/files/var/lib/ikiwiki/fripost-wiki.setup
@@ -0,0 +1,411 @@
+# IkiWiki::Setup::Yaml - YAML formatted setup file
+# Setup file for ikiwiki.
+# Passing this to ikiwiki --setup will make ikiwiki generate
+# wrappers and build the wiki.
+# Remember to re-run ikiwiki --setup any time you edit this file.
+# name of the wiki
+wikiname: Fripost wiki
+# contact email for wiki
+# users who are wiki admins
+ - gustaveek
+ - Grégoire
+ - moza
+# users who are banned from the wiki
+banned_users: []
+# where the source of the wiki is located
+srcdir: /var/lib/ikiwiki/fripost-wiki
+# where to build the wiki
+destdir: /var/lib/ikiwiki/public_html/fripost-wiki
+# base url to the wiki
+# url to the ikiwiki.cgi
+# do not adjust cgiurl if CGI is accessed via different URL
+reverse_proxy: 0
+# filename of cgi wrapper to generate
+cgi_wrapper: /var/lib/ikiwiki/public_html/ikiwiki.cgi
+# mode for cgi_wrapper (can safely be made suid)
+cgi_wrappermode: 06755
+# number of seconds to delay CGI requests when overloaded
+cgi_overload_delay: ''
+# message to display when overloaded (may contain html)
+cgi_overload_message: ''
+# enable optimization of only refreshing committed changes?
+only_committed_changes: 0
+# rcs backend to use
+rcs: git
+# plugins to add to the default configuration
+ - goodstuff
+ - websetup
+ - 404
+ - remove
+ - attachment
+ - highlight
+ - toc
+ - htmlbalance
+ ###
+ - isWebsite
+# plugins to disable
+ - smiley
+# additional directory to search for template files
+templatedir: /usr/share/ikiwiki/templates
+# base wiki source location
+underlaydir: /usr/share/ikiwiki/basewiki
+# display verbose messages?
+#verbose: 1
+# log to syslog?
+syslog: 1
+# create output files named page/index.html?
+usedirs: 1
+# use '!'-prefixed preprocessor directives?
+prefix_directives: 1
+# use page/index.mdwn source files
+indexpages: 0
+# enable Discussion pages?
+discussion: 1
+# name of Discussion pages
+discussionpage: Discussion
+# generate HTML5?
+html5: 1
+# only send cookies over SSL connections?
+sslcookie: 1
+# extension to use for new pages
+default_pageext: mdwn
+# extension to use for html files
+htmlext: html
+# strftime format string to display date
+timeformat: '%c'
+# UTF-8 locale to use
+#locale: en_US.UTF-8
+# put user pages below specified page
+userdir: ''
+# how many backlinks to show before hiding excess (0 to show all)
+numbacklinks: 10
+# attempt to hardlink source files? (optimisation for large files)
+hardlink: 0
+# force ikiwiki to use a particular umask (keywords public, group or private, or a number)
+#umask: public
+# group for wrappers to run in
+wrappergroup: ikiwiki
+# extra library and plugin directory
+libdir: /var/lib/ikiwiki
+# environment variables
+ENV: {}
+# time zone name
+#timezone: US/Eastern
+# regexp of normally excluded files to include
+#include: ^\.htaccess$
+# regexp of files that should be skipped
+#exclude: ^(*\.private|Makefile)$
+# specifies the characters that are allowed in source filenames
+wiki_file_chars: -[:alnum:]+/.:_
+# allow symlinks in the path leading to the srcdir (potentially insecure)
+allow_symlinks_before_srcdir: 0
+# cookie control
+ file: /var/lib/ikiwiki/.ikiwiki/cookies
+# set custom user agent string for outbound HTTP requests e.g. when fetching aggregated RSS feeds
+useragent: ikiwiki/3.20141016.2
+# core plugins
+# (editpage, git, htmlscrubber, inline, link, meta, parentlinks,
+# templatebody)
+# git plugin
+# git hook to generate
+git_wrapper: /var/lib/ikiwiki/
+# shell command for git_wrapper to run, in the background
+#git_wrapper_background_command: git push github
+# mode for git_wrapper (can safely be made suid)
+#git_wrappermode: 06755
+# git pre-receive hook to generate
+#git_test_receive_wrapper: /git/wiki.git/hooks/pre-receive
+# unix users whose commits should be checked by the pre-receive hook
+#untrusted_committers: []
+# gitweb url to show file history ([[file]] substituted)
+# gitweb url to show a diff ([[file]], [[sha1_to]], [[sha1_from]], [[sha1_commit]], and [[sha1_parent]] substituted)
+# where to pull and push changes (set to empty string to disable)
+gitorigin_branch: origin
+# branch that the wiki is stored in
+gitmaster_branch: master
+# htmlscrubber plugin
+# PageSpec specifying pages not to scrub
+#htmlscrubber_skip: '!*/Discussion'
+# inline plugin
+# enable rss feeds by default?
+rss: 1
+# enable atom feeds by default?
+atom: 1
+# allow rss feeds to be used?
+#allowrss: 0
+# allow atom feeds to be used?
+#allowatom: 0
+# urls to ping (using XML-RPC) on feed update
+# auth plugins
+# (anonok, blogspam, httpauth, lockedit, moderatedcomments,
+# opendiscussion, openid, passwordauth, signinedit)
+# anonok plugin
+# PageSpec to limit which pages anonymous users can edit
+#anonok_pagespec: '*/discussion'
+# blogspam plugin
+# PageSpec of pages to check for spam
+#blogspam_pagespec: postcomment(*)
+# options to send to blogspam server
+#blogspam_options: blacklist=,blacklist=,max-links=10
+# blogspam server JSON url
+#blogspam_server: ''
+# httpauth plugin
+# url to redirect to when authentication is needed
+# PageSpec of pages where only httpauth will be used for authentication
+#httpauth_pagespec: '!*/Discussion'
+# lockedit plugin
+# PageSpec controlling which pages are locked
+locked_pages: glob(static/*) or glob(images/*) or glob(minutes/*) or glob(material/*) or glob(website/*)
+# moderatedcomments plugin
+# PageSpec matching users or comment locations to moderate
+#moderate_pagespec: '*'
+# openid plugin
+# url pattern of openid realm (default is cgiurl)
+#openid_realm: ''
+# url to ikiwiki cgi to use for openid authentication (default is cgiurl)
+#openid_cgiurl: ''
+# passwordauth plugin
+# a password that must be entered when signing up for an account
+#account_creation_password: s3cr1t
+# cost of generating a password using Authen::Passphrase::BlowfishCrypt
+#password_cost: 8
+# format plugins
+# (creole, highlight, hnb, html, mdwn, otl, rawhtml, rst, textile, txt)
+# highlight plugin
+# types of source files to syntax highlight
+tohighlight: .c .h .cpp .pl .py .sh .patch .diff Makefile:make
+# location of highlight's filetypes.conf
+#filetypes_conf: /etc/highlight/filetypes.conf
+# location of highlight's langDefs directory
+#langdefdir: /usr/share/highlight/langDefs
+# mdwn plugin
+# enable multimarkdown features?
+#multimarkdown: 0
+# disable use of markdown discount?
+#nodiscount: 0
+# special-purpose plugins
+# (osm, underlay)
+# osm plugin
+# the default zoom when you click on the map link
+#osm_default_zoom: 15
+# the icon shown on links and on the main map
+#osm_default_icon: ikiwiki/images/osm.png
+# the alt tag of links, defaults to empty
+#osm_alt: ''
+# the output format for waypoints, can be KML, GeoJSON or CSV (one or many, comma-separated)
+#osm_format: KML
+# the icon attached to a tag, displayed on the map for tagged pages
+#osm_tag_default_icon: icon.png
+# Url for the OpenLayers.js file
+# Layers to use in the map. Can be either the 'OSM' string or a type option for Google maps (GoogleNormal, GoogleSatellite, GoogleHybrid or GooglePhysical). It can also be an arbitrary URL in a syntax acceptable for OpenLayers.Layer.OSM.url parameter.
+# OSM: GoogleSatellite
+# Google maps API key, Google layer not used if missing, see to get an API key
+#osm_google_apikey: ''
+# underlay plugin
+# extra underlay directories to add
+#- /var/lib/ikiwiki/wiki.underlay
+# web plugins
+# (404, attachment, comments, editdiff, edittemplate, getsource, google,
+# goto, mirrorlist, remove, rename, repolist, search, theme, userlist,
+# websetup, wmd)
+# attachment plugin
+# enhanced PageSpec specifying what attachments are allowed
+#allowed_attachments: virusfree() and mimetype(image/*) and maxsize(50kb)
+allowed_attachments: virusfree() and (mimetype(application/mbox) or mimetype(text/plain) or mimetype(text/calendar) or mimetype(text/x-patch) or mimetype(image/* )) and maxsize(512kb)
+# virus checker program (reads STDIN, returns nonzero if virus found)
+virus_checker: clamdscan -
+# comments plugin
+# PageSpec of pages where comments are allowed
+#comments_pagespec: blog/* and !*/Discussion
+# PageSpec of pages where posting new comments is not allowed
+#comments_closed_pagespec: blog/controversial or blog/flamewar
+# Base name for comments, e.g. "comment_" for pages like "sandbox/comment_12"
+#comments_pagename: ''
+# Interpret directives in comments?
+#comments_allowdirectives: 0
+# Allow anonymous commenters to set an author name?
+#comments_allowauthor: 0
+# commit comments to the VCS
+#comments_commit: 1
+# Restrict formats for comments to (no restriction if empty)
+#comments_allowformats: mdwn txt
+# getsource plugin
+# Mime type for returned source.
+#getsource_mimetype: text/plain; charset=utf-8
+# mirrorlist plugin
+# list of mirrors
+#mirrorlist: {}
+# generate links that point to the mirrors' ikiwiki CGI
+#mirrorlist_use_cgi: 1
+# repolist plugin
+# URIs of repositories containing the wiki's source
+#- svn://
+# search plugin
+# path to the omega cgi program
+#omega_cgi: /usr/lib/cgi-bin/omega/omega
+# use google site search rather than internal xapian index?
+#google_search: 1
+# theme plugin
+# name of theme to enable
+#theme: actiontabs
+# websetup plugin
+# list of plugins that cannot be enabled/disabled via the web interface
+#websetup_force_plugins: []
+# list of additional setup field keys to treat as unsafe
+#websetup_unsafe: []
+# show unsafe settings, read-only, in web interface?
+#websetup_show_unsafe: 1
+# widget plugins
+# (calendar, color, conditional, cutpaste, date, format, fortune,
+# graphviz, haiku, headinganchors, img, linkmap, listdirectives, map,
+# more, orphans, pagecount, pagestats, poll, polygen, postsparkline,
+# progress, shortcut, sparkline, table, template, teximg, toc, toggle,
+# version)
+# calendar plugin
+# base of the archives hierarchy
+#archivebase: archives
+# PageSpec of pages to include in the archives; used by ikiwiki-calendar command
+#archive_pagespec: page(posts/*) and !*/Discussion
+# listdirectives plugin
+# directory in srcdir that contains directive descriptions
+#directive_description_dir: ikiwiki/directive
+# teximg plugin
+# Should teximg use dvipng to render, or dvips and convert?
+#teximg_dvipng: ''
+# LaTeX prefix for teximg plugin
+#teximg_prefix: '\documentclass{article}
+# \usepackage[utf8]{inputenc}
+# \usepackage{amsmath}
+# \usepackage{amsfonts}
+# \usepackage{amssymb}
+# \pagestyle{empty}
+# \begin{document}
+# LaTeX postfix for teximg plugin
+#teximg_postfix: \end{document}
+# other plugins
+# (aggregate, autoindex, brokenlinks, camelcase, ddate, embed, favicon,
+# filecheck, flattr, goodstuff, htmlbalance, localstyle, notifyemail,
+# pagetemplate, pingee, pinger, prettydate, recentchanges,
+# recentchangesdiff, relativedate, rsync, sidebar, smiley,
+# sortnaturally, tag, testpagespec, trail, transient)
+# aggregate plugin
+# enable aggregation to internal pages?
+#aggregateinternal: 1
+# allow aggregation to be triggered via the web?
+#aggregate_webtrigger: 0
+# autoindex plugin
+# commit autocreated index pages
+#autoindex_commit: 1
+# camelcase plugin
+# list of words to not turn into links
+#camelcase_ignore: []
+# flattr plugin
+# userid or user name to use by default for Flattr buttons
+#flattr_userid: joeyh
+# pinger plugin
+# how many seconds to try pinging before timing out
+#pinger_timeout: 15
+# prettydate plugin
+# format to use to display date
+#prettydateformat: '%X, %B %o, %Y'
+# recentchanges plugin
+# name of the recentchanges page
+#recentchangespage: recentchanges
+# number of changes to track
+#recentchangesnum: 100
+# rsync plugin
+# command to run to sync updated pages
+#rsync_command: rsync -qa --delete . user@host:/path/to/docroot/
+# sidebar plugin
+# show sidebar page on all pages?
+#global_sidebars: 1
+# tag plugin
+# parent page tags are located under
+#tagbase: tag
+# autocreate new tag pages?
+#tag_autocreate: 1
+# commit autocreated tag pages
+#tag_autocreate_commit: 1
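Review bot: In `allowed_attachments` the term `mimetype(image/* )` has a space before the closing parenthesis; ikiwiki passes the text inside the parentheses to the match function as-is, so the glob most likely becomes `image/* ` and no image attachment would be accepted — `mimetype(image/*)` is what was intended. `locked_pages` locks `glob(website/*)` but not the `website` page itself, while the isWebsite plugin and the nginx `website` site in this commit publish `website` together with everything below it, so the landing page of the public site presumably stays editable by any signed-in user; `glob(website) or glob(website/*)` would close that gap. `virus_checker: clamdscan -` only does its job with clamav-daemon installed and running, and the role's apt task installs ikiwiki, highlight and fcgiwrap but no clamav package; if another role provides it, a comment next to `virus_checker` saying so would help.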
diff --git a/roles/wiki/handlers/main.yml b/roles/wiki/handlers/main.yml
new file mode 100644
index 0000000..42ae6ef
--- /dev/null
+++ b/roles/wiki/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: Restart Nginx
+ service: name=nginx state=restarted
+- name: Refresh ikiwiki
+ sudo_user: ikiwiki
+ command: ikiwiki --setup /var/lib/ikiwiki/fripost-wiki.setup --refresh --wrappers
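Review bot: The `Restart Nginx` handler uses `state=restarted`, which drops in-flight connections every time a site file or the certificate changes; `service: name=nginx state=reloaded` applies the new configuration and re-reads certificates without closing existing connections. The refresh handler is fine as written; a short comment such as `# --wrappers regenerates the CGI and git wrappers declared in the setup file` would document why that flag is passed on every refresh.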
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
new file mode 100644
index 0000000..8622ebd
--- /dev/null
+++ b/roles/wiki/tasks/main.yml
@@ -0,0 +1,100 @@
+- name: Install ikiwiki
+ apt: pkg={{ item }}
+ with_items:
+ - ikiwiki
+ - highlight-common
+ - libhighlight-perl
+ - fcgiwrap
+- name: Create a user 'ikiwiki'
+ user: name=ikiwiki system=yes
+ home=/var/lib/ikiwiki
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+ generate_ssh_key=yes
+ ssh_key_comment=ikiwiki@{{ ansible_fqdn }}
+- name: Add 'www-data' to the group 'ikiwiki'
+ user: name=www-data groups=ikiwiki append=yes
+- name: Create directory ~ikiwiki/IkiWiki/Plugin
+ file: path=/var/lib/ikiwiki/IkiWiki/Plugin
+ state=directory
+ owner=ikiwiki group=ikiwiki
+ mode=0755
+- name: Copy isWebsite plugin
+ copy: src=var/lib/ikiwiki/IkiWiki/Plugin/
+ dest=/var/lib/ikiwiki/IkiWiki/Plugin/
+ owner=root group=root
+ mode=0644
+ notify:
+ - Refresh ikiwiki
+# Add the ikiwiki git wrapper as a post-update hook in the git repos in
+# gitolite: "config hook.ikiwiki-wrapper = /var/lib/ikiwiki/"
+# where the 'git_wrapper' can be found in
+# /var/lib/ikiwiki/fripost-wiki.setup
+# To create a new wiki:
+# $ /usr/bin/sudo -u ikiwiki git config --global "Fripost Admins"
+# $ /usr/bin/sudo -u ikiwiki git config --global ""
+# $ /usr/bin/sudo -u ikiwiki ikiwiki --setup /etc/ikiwiki/auto.setup
+# ## Add ikiwiki's key to gitolite
+# sudo ln -s /var/lib/ikiwiki/ /var/lib/gitolite/repositories/fripost-wiki.git/hooks/post-update
+# $ /usr/bin/sudo -u ikiwiki git clone ssh://gitolite@localhost/fripost-wiki.git
+- name: Configure ikiwiki
+ copy: src=var/lib/ikiwiki/fripost-wiki.setup
+ dest=/var/lib/ikiwiki/fripost-wiki.setup
+ owner=root group=root
+ mode=0644
+ notify:
+ - Refresh ikiwiki
+- name: Add fripost-wiki to /etc/ikiwiki/wikilist
+ lineinfile: dest=/etc/ikiwiki/wikilist
+ "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup"
+ owner=root group=root
+ mode=0644
+- meta: flush_handlers
+- name: Generate a private key and a X.509 certificate for Nginx
+ command: x509
+ --pubkey=/etc/nginx/ssl/
+ --privkey=/etc/nginx/ssl/
+ --ou=WWW
+ -t rsa -b 4096 -h sha512
+ register: r1
+ changed_when: r1.rc == 0
+ failed_when: r1.rc > 1
+ notify:
+ - Restart Nginx
+ tags:
+ - genkey
+- name: Copy /etc/nginx/sites-available/{wiki,website}
+ copy: src=etc/nginx/sites-available/{{ item }}
+ dest=/etc/nginx/sites-available/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r2
+ with_items:
+ - website
+ - wiki
+ notify:
+ - Restart Nginx
+- name: Create /etc/nginx/sites-enabled/{wiki,website}
+ file: src=../sites-available/{{ item }}
+ dest=/etc/nginx/sites-enabled/{{ item }}
+ owner=root group=root
+ state=link force=yes
+ register: r3
+ with_items:
+ - website
+ - wiki
+ notify:
+ - Restart Nginx