MediaWiki: runtime patch for LocalSettings.php (URL, DB, lang) + safe quoting

- Add 03_patch_settings.yml to sync $wgServer/$wgCanonicalServer, DB vars, and language - Use single-quoted PHP strings with proper escaping; idempotent grep guards - Wire task into main.yml; rename 03_admin→04_admin and 04_extensions→05_extensions Ref: https://chatgpt.com/share/68c3649a-e830-800f-a059-fc8eda8f76bb
2025-09-14 14:26:04 +02:00 · 2025-09-12 02:09:33 +02:00
parent a0c2245bbd
commit 57ca6adaec
4 changed files with 70 additions and 2 deletions
--- a/roles/web-app-mediawiki/tasks/05_extensions.yml
+++ b/roles/web-app-mediawiki/tasks/05_extensions.yml
@@ -0,0 +1,147 @@
+---
+# Install PluggableAuth + OpenIDConnect INTO the running container (idempotent)
+# Downloads on host (config dir), copy+extract inside container.
+
+- name: "EXT | Ensure local download dir exists"
+  file:
+    path: "{{ MEDIAWIKI_EXT_CFG_BASE }}"
+    state: directory
+    mode: "0755"
+
+- name: "EXT | Download extension tarballs ({{ MEDIAWIKI_EXT_BRANCH }})"
+  get_url:
+    url: "{{ ext.url }}"
+    dest: "{{ MEDIAWIKI_EXT_CFG_BASE }}/{{ ext.name }}.tar.gz"
+    mode: "0644"
+  loop: "{{ MEDIAWIKI_EXT_LIST }}"
+  loop_control:
+    loop_var: ext
+    label: "{{ ext.name }}"
+
+- name: "EXT | Copy & extract into container if not installed"
+  shell: >
+    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      set -e
+      dst="{{ MEDIAWIKI_HTML_DIR }}/extensions/{{ ext.name }}"
+      if [ ! -f "$dst/extension.json" ]; then
+        rm -rf "$dst" && mkdir -p "$dst"
+      fi
+    '
+    && docker cp "{{ MEDIAWIKI_EXT_CFG_BASE }}/{{ ext.name }}.tar.gz" "{{ MEDIAWIKI_CONTAINER }}:/tmp/{{ ext.name }}.tar.gz"
+    && docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      set -e
+      dst="{{ MEDIAWIKI_HTML_DIR }}/extensions/{{ ext.name }}"
+      if [ ! -f "$dst/extension.json" ]; then
+        tar -xzf /tmp/{{ ext.name }}.tar.gz -C "$dst" --strip-components=1
+        chown -R {{ MEDIAWIKI_USER }}:{{ MEDIAWIKI_USER }} "$dst"
+        rm -f /tmp/{{ ext.name }}.tar.gz
+        echo INSTALLED:{{ ext.name }}
+      else
+        rm -f /tmp/{{ ext.name }}.tar.gz
+        echo PRESENT:{{ ext.name }}
+      fi
+    '
+  args:
+    executable: /bin/bash
+  loop: "{{ MEDIAWIKI_EXT_LIST }}"
+  loop_control:
+    loop_var: ext
+    label: "{{ ext.name }}"
+  register: _install_results
+  changed_when: "'INSTALLED:' in (stdout | default(''))"
+
+- name: "EXT | Determine if any extension was installed"
+  set_fact:
+    _any_installed: >-
+      {{ _install_results.results
+         | map(attribute='stdout')
+         | select('search', 'INSTALLED:')
+         | list | length > 0 }}
+
+# Ensure unzip + git are available in the container (idempotent)
+- name: "EXT | Ensure unzip+git available in container"
+  shell: |
+    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      set -e
+      need=0
+      command -v unzip >/dev/null 2>&1 || need=1
+      command -v git   >/dev/null 2>&1 || need=1
+      if [ "$need" -eq 1 ]; then
+        export DEBIAN_FRONTEND=noninteractive
+        apt-get update -y
+        apt-get install -y --no-install-recommends unzip git ca-certificates
+        rm -rf /var/lib/apt/lists/*
+        echo INSTALLED_TOOLS
+      fi
+    '
+  args:
+    executable: /bin/bash
+  register: _tools
+  changed_when: "'INSTALLED_TOOLS' in (_tools.stdout | default(''))"
+
+# Ensure Composer is available inside the container (idempotent)
+- name: "EXT | Ensure Composer available in container"
+  shell: |
+    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      if ! command -v composer >/dev/null 2>&1; then
+        php -r "copy(\"https://getcomposer.org/installer\", \"composer-setup.php\");"
+        php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+        rm -f composer-setup.php
+        echo INSTALLED_COMPOSER
+      fi
+    '
+  args:
+    executable: /bin/bash
+  register: _composer
+  changed_when: "'INSTALLED_COMPOSER' in (_composer.stdout | default(''))"
+
+# Install dependencies per extension (only if vendor is missing)
+# Use /tmp/composer for HOME/CACHE to avoid /var/www permission issues.
+- name: "EXT | composer install in each extension when needed"
+  shell: |
+    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      set -e
+      d="{{ MEDIAWIKI_HTML_DIR }}/extensions/{{ ext.name }}"
+      if [ -f "$d/composer.json" ] && [ ! -f "$d/vendor/autoload.php" ]; then
+        install -d -m 0775 /tmp/composer/cache
+        export COMPOSER_HOME=/tmp/composer
+        export COMPOSER_CACHE_DIR=/tmp/composer/cache
+        cd "$d"
+        composer install --no-dev -n --prefer-dist
+        echo COMPOSER_INSTALLED:{{ ext.name }}
+      fi
+    '
+  args:
+    executable: /bin/bash
+  loop: "{{ MEDIAWIKI_EXT_LIST }}"
+  loop_control:
+    loop_var: ext
+    label: "{{ ext.name }}"
+  register: _ext_composer
+  changed_when: "'COMPOSER_INSTALLED:' in (stdout | default(''))"
+
+# Sanity check: Jumbojett OIDC client must be loadable
+- name: "EXT | Sanity check: Jumbojett OpenIDConnect client present"
+  shell: >
+    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc
+    'php -r "(@require \"{{ MEDIAWIKI_HTML_DIR }}/vendor/autoload.php\"); @require \"{{ MEDIAWIKI_HTML_DIR }}/extensions/OpenIDConnect/vendor/autoload.php\"; exit(class_exists(\"Jumbojett\\\\OpenIDConnectClient\")?0:1);"'
+  args:
+    executable: /bin/bash
+  register: _oidc_class
+  changed_when: false
+  failed_when: _oidc_class.rc != 0
+
+# Run MediaWiki updates (changed if something installed)
+- name: "EXT | Run update.php (safe to run repeatedly)"
+  shell: >
+    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }}
+    php {{ MEDIAWIKI_HTML_DIR }}/maintenance/update.php --quick
+  args:
+    executable: /bin/bash
+  register: _mw_upd
+  changed_when: >
+    (_any_installed) or
+    (_ext_composer is defined and
+     (_ext_composer.results | map(attribute='stdout')
+                            | select('search','COMPOSER_INSTALLED:')
+                            | list | length > 0))