MediaWiki: runtime patch for LocalSettings.php (URL, DB, lang) + safe quoting

- Add 03_patch_settings.yml to sync $wgServer/$wgCanonicalServer, DB vars, and language
- Use single-quoted PHP strings with proper escaping; idempotent grep guards
- Wire task into main.yml; rename 03_admin→04_admin and 04_extensions→05_extensions

Ref: https://chatgpt.com/share/68c3649a-e830-800f-a059-fc8eda8f76bb

roles/web-app-mediawiki/tasks/03_patch_settings.yml

@@ -0,0 +1,65 @@
+# roles/web-app-mediawiki/tasks/03_patch_settings.yml
+- name: "MEDIAWIKI | Ensure LocalSettings.php has correct base settings"
+  vars:
+    _lsp_path: "{{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php"
+    _server_url: "{{ MEDIAWIKI_URL | regex_replace('/+$', '') }}"
+    # Pre-escape single quotes for safe insertion into PHP single-quoted strings:
+    _server_url_sq: "{{ _server_url | replace(\"'\", \"'\\\\''\") }}"
+    _db_name_sq:    "{{ database_name | replace(\"'\", \"'\\\\''\") }}"
+    _db_user_sq:    "{{ database_username | replace(\"'\", \"'\\\\''\") }}"
+    _db_pass_sq:    "{{ database_password | replace(\"'\", \"'\\\\''\") }}"
+    _db_host_sq:    "{{ (database_host ~ ':' ~ database_port) | replace(\"'\", \"'\\\\''\") }}"
+    _lang_sq:       "{{ HOST_LL | replace(\"'\", \"'\\\\''\") }}"
+  shell: |
+    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      set -euo pipefail
+      LSP="{{ _lsp_path }}"
+      SERVER='\''{{ _server_url_sq }}'\''
+      DBNAME='\''{{ _db_name_sq }}'\''
+      DBUSER='\''{{ _db_user_sq }}'\''
+      DBPASS='\''{{ _db_pass_sq }}'\''
+      DBHOST='\''{{ _db_host_sq }}'\''
+      LANG='\''{{ _lang_sq }}'\''
+      [ -f "$LSP" ] || { echo "LocalSettings.php not found, skipping."; exit 0; }
+
+      need=0
+
+      check_line() {
+        local key="$1" val="$2"
+        grep -Eq "^[[:space:]]*\$${key}[[:space:]]*=[[:space:]]*'\''${val}'\'';" "$LSP" || need=1
+      }
+
+      check_line wgServer "$SERVER"
+      check_line wgCanonicalServer "$SERVER"
+      check_line wgDBname "$DBNAME"
+      check_line wgDBuser "$DBUSER"
+      check_line wgDBpassword "$DBPASS"
+      check_line wgDBserver "$DBHOST"
+      check_line wgLanguageCode "$LANG"
+
+      if [ "$need" -eq 1 ]; then
+        tmp="$(mktemp)"
+        # Remove any existing definitions for these keys
+        grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
+
+        {
+          printf "\n\$wgServer = '\''%s'\'';\n"           "$SERVER"
+          printf "\$wgCanonicalServer = '\''%s'\'';\n"    "$SERVER"
+          printf "\$wgDBname = '\''%s'\'';\n"             "$DBNAME"
+          printf "\$wgDBuser = '\''%s'\'';\n"             "$DBUSER"
+          printf "\$wgDBpassword = '\''%s'\'';\n"         "$DBPASS"
+          printf "\$wgDBserver = '\''%s'\'';\n"           "$DBHOST"
+          printf "\$wgLanguageCode = '\''%s'\'';\n"       "$LANG"
+        } >> "$tmp"
+
+        cat "$tmp" > "$LSP"
+        rm -f "$tmp"
+        echo CHANGED
+      fi
+    '
+  args:
+    executable: /bin/bash
+  register: mw_lsp_update
+  changed_when: "'CHANGED' in (mw_lsp_update.stdout | default(''))"
+  failed_when: mw_lsp_update.rc != 0
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

roles/web-app-mediawiki/tasks/main.yml

@@ -22,11 +22,14 @@
     require_path: "{{ MEDIAWIKI_LOCAL_PATH }}/debug.php"
   when: MODE_DEBUG | bool
 
+- name: "MEDIAWIKI | Sync LocalSettings.php with Ansible vars"
+  include_tasks: 03_patch_settings.yml
+
 - name: "Load admin setup procedures for '{{ application_id }}''"
-  include_tasks: 03_admin.yml
+  include_tasks: 04_admin.yml
 
 - name: "Load extensions procedures for '{{ application_id }}''"
-  include_tasks: "04_extensions.yml"
+  include_tasks: "05_extensions.yml"
   when: MEDIAWIKI_OIDC_ENABLED | bool
 
 - name: "OIDC | Ensure require_once(oidc.php) present"