refactor(web-app-mediawiki): unify debug & oidc handling via _ensure_require, introduce host-side prep, switch to bind mounts

- Removed obsolete Installation.md, TODO.md, 02_debug.yml, 05_oidc.yml and legacy debug enable/disable tasks
- Added 01_prep.yml to render debug.php/oidc.php on host side before container start
- Introduced _ensure_require.yml for generic require_once management in LocalSettings.php
- Renamed 01_install.yml -> 02_install.yml to align with new numbering
- Updated docker-compose.yml.j2 to bind-mount mw-local into /opt/mw-local
- Adjusted vars/main.yml to define MEDIAWIKI_LOCAL_MOUNT_DIR and MEDIAWIKI_LOCAL_PATH
- Templates debug.php.j2 and oidc.php.j2 now gated by MODE_DEBUG and MEDIAWIKI_OIDC_ENABLED
- main.yml now orchestrates prep, install, debug, extensions, oidc require, admin consistently

Ref: https://chatgpt.com/share/68b57db2-efcc-800f-a733-aca952298437

roles/web-app-mediawiki/tasks/01_prep.yml

@@ -0,0 +1,20 @@
+---
+- name: "PREP | Ensure mw-local mount directory exists on host"
+  file:
+    path: "{{ MEDIAWIKI_LOCAL_MOUNT_DIR }}"
+    state: directory
+    mode: "0755"
+
+- name: "PREP | Render oidc.php (host side)"
+  when: MEDIAWIKI_OIDC_ENABLED | bool
+  template:
+    src: "oidc.php.j2"
+    dest: "{{ MEDIAWIKI_LOCAL_MOUNT_DIR }}/oidc.php"
+    mode: "0644"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "PREP | Render debug.php (host side, always; content gated by MODE_DEBUG)"
+  template:
+    src: "debug.php.j2"
+    dest: "{{ MEDIAWIKI_LOCAL_MOUNT_DIR }}/debug.php"
+    mode: "0644"

roles/web-app-mediawiki/tasks/02_debug.yml

@@ -1,11 +0,0 @@
----
-# Aktiviert Debug, wenn MODE_DEBUG=true; entfernt es sauber, wenn false.
-
-- name: "DEBUG | Enable block when MODE_DEBUG=true"
-  when: MODE_DEBUG | bool
-  include_tasks: _debug_enable.yml
-
-- name: "DEBUG | Disable block when MODE_DEBUG=false"
-  when: not (MODE_DEBUG | bool)
-  include_tasks: _debug_disable.yml
-

roles/web-app-mediawiki/tasks/05_oidc.yml

@@ -1,61 +0,0 @@
----
-# All operations remain INSIDE the running container.
-# Template is rendered into docker_compose.directories.config on the host.
-# Change detection is based on checksum comparison vs. container file.
-
-- name: "OIDC | Ensure local config directory exists"
-  file:
-    path: "{{ MEDIAWIKI_CONFIG_DIR }}"
-    state: directory
-    mode: "0755"
-
-- name: "OIDC | Render oidc.php locally (template into config dir)"
-  template:
-    src: "oidc.php.j2"
-    dest: "{{ MEDIAWIKI_OIDC_FILE }}"
-    mode: "0644"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-- name: "OIDC | Compute local checksum"
-  stat:
-    path: "{{ MEDIAWIKI_OIDC_FILE }}"
-    checksum_algorithm: sha256
-  register: _local_oidc
-
-- name: "OIDC | Compute container checksum (if exists)"
-  shell: >
-    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc
-    "test -f {{ MEDIAWIKI_HTML_DIR }}/oidc.php &&
-     sha256sum {{ MEDIAWIKI_HTML_DIR }}/oidc.php | awk '{print $1}' || echo MISSING"
-  args:
-    executable: /bin/bash
-  register: _remote_oidc
-  changed_when: false
-
-- name: "OIDC | Copy oidc.php into container docroot only if different"
-  shell: >
-    if [ "{{ (_remote_oidc.stdout | default('') | trim) }}" != "{{ _local_oidc.stat.checksum }}" ]; then
-      docker cp "{{ MEDIAWIKI_OIDC_FILE }}" "{{ MEDIAWIKI_CONTAINER }}:{{ MEDIAWIKI_HTML_DIR }}/oidc.php" &&
-      docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc "chown {{ MEDIAWIKI_USER }}:{{ MEDIAWIKI_USER }} {{ MEDIAWIKI_HTML_DIR }}/oidc.php && chmod 0644 {{ MEDIAWIKI_HTML_DIR }}/oidc.php" &&
-      echo COPIED;
-    fi
-  args:
-    executable: /bin/bash
-  register: _cp_oidc
-  changed_when: "'COPIED' in (_cp_oidc.stdout | default(''))"
-
-- name: "OIDC | Require oidc.php once inside LocalSettings.php"
-  shell: |
-    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
-      LSP={{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php
-      LINE="require_once __DIR__ . '\''/oidc.php'\'';"
-      if ! grep -Fqx -- "$LINE" "$LSP"; then
-        printf "%s\n" "$LINE" >> "$LSP"
-        echo ADDED_REQUIRE
-      fi
-    '
-  args:
-    executable: /bin/bash
-  register: _mw_oidc_req
-  changed_when: "'ADDED_REQUIRE' in (_mw_oidc_req.stdout | default(''))"
-

roles/web-app-mediawiki/tasks/_debug_disable.yml

@@ -1,27 +0,0 @@
-- name: "Remove require_once line from LocalSettings.php (if present)"
-  shell: |
-    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
-      LSP={{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php
-      if [ -f "$LSP" ]; then
-        if grep -Fqx -- "require_once __DIR__ . '\''/debug.php'\'';" "$LSP"; then
-          sed -i "\#require_once __DIR__ . '/debug.php';#d" "$LSP"
-          echo REMOVED_REQUIRE
-        fi
-      fi
-    '
-  args: { executable: /bin/bash }
-  register: _dbg_rm_req
-  changed_when: "'REMOVED_REQUIRE' in (_dbg_rm_req.stdout | default(''))"
-
-- name: "Remove debug.php from container (if present)"
-  shell: >
-    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc
-    "if [ -f {{ MEDIAWIKI_HTML_DIR }}/debug.php ]; then rm -f {{ MEDIAWIKI_HTML_DIR }}/debug.php; echo REMOVED_FILE; fi"
-  args: { executable: /bin/bash }
-  register: _dbg_rm_file
-  changed_when: "'REMOVED_FILE' in (_dbg_rm_file.stdout | default(''))"
-
-- name: "Remove local debug.php (if present)"
-  file:
-    path: "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php"
-    state: absent

roles/web-app-mediawiki/tasks/_debug_enable.yml

@@ -1,45 +0,0 @@
-- name: "Render debug.php locally"
-  template:
-    src: "debug.php.j2"
-    dest: "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php"
-    mode: "0644"
-
-- name: "Compute local checksum"
-  stat:
-    path: "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php"
-    checksum_algorithm: sha256
-  register: _dbg_local
-
-- name: "Compute container checksum (if exists)"
-  shell: >
-    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc
-    "test -f {{ MEDIAWIKI_HTML_DIR }}/debug.php &&
-      sha256sum {{ MEDIAWIKI_HTML_DIR }}/debug.php | awk '{print $1}' || echo MISSING"
-  args: { executable: /bin/bash }
-  register: _dbg_remote
-  changed_when: false
-
-- name: "Copy debug.php into container only if different"
-  shell: >
-    if [ "{{ (_dbg_remote.stdout | default('') | trim) }}" != "{{ _dbg_local.stat.checksum }}" ]; then
-      docker cp "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php" "{{ MEDIAWIKI_CONTAINER }}:{{ MEDIAWIKI_HTML_DIR }}/debug.php" &&
-      docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc "chown {{ MEDIAWIKI_USER }}:{{ MEDIAWIKI_USER }} {{ MEDIAWIKI_HTML_DIR }}/debug.php && chmod 0644 {{ MEDIAWIKI_HTML_DIR }}/debug.php" &&
-      echo COPIED;
-    fi
-  args: { executable: /bin/bash }
-  register: _dbg_cp
-  changed_when: "'COPIED' in (_dbg_cp.stdout | default(''))"
-
-- name: "require_once debug.php in LocalSettings.php"
-  shell: |
-    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
-      LSP={{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php
-      LINE="require_once __DIR__ . '\''/debug.php'\'';"
-      if ! grep -Fqx -- "$LINE" "$LSP"; then
-        printf "%s\n" "$LINE" >> "$LSP"
-        echo ADDED_DEBUG_REQUIRE
-      fi
-    '
-  args: { executable: /bin/bash }
-  register: _dbg_req
-  changed_when: "'ADDED_DEBUG_REQUIRE' in (_dbg_req.stdout | default(''))"

roles/web-app-mediawiki/tasks/_ensure_require.yml

@@ -0,0 +1,29 @@
+---
+# Inputs (per include übergeben):
+# - ensure_present: bool (true => sicherstellen, dass Zeile existiert; false => entfernen)
+# - require_path:   string (z. B. "{{ MEDIAWIKI_LOCAL_PATH }}/debug.php")
+
+- name: "Ensure require_once('{{ require_path }}') present/absent in LocalSettings.php"
+  shell: |
+    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER}} bash -lc '
+      set -e
+      LSP={{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php
+      LINE="require_once '\''{{ require_path }}'\'';"
+      test -f "$LSP" || exit 0
+      if {{ (ensure_present | bool) | ternary("true","false") }}; then
+        if ! grep -Fqx -- "$LINE" "$LSP"; then
+          printf "%s\n" "$LINE" >> "$LSP"
+          echo ADDED_REQUIRE
+        fi
+      else
+        if grep -Fqx -- "$LINE" "$LSP"; then
+          sed -i "\#require_once '{{ require_path }}';#d" "$LSP"
+          echo REMOVED_REQUIRE
+        fi
+      fi
+    '
+  args: { executable: /bin/bash }
+  register: _req_mut
+  changed_when: >
+    'ADDED_REQUIRE' in (_req_mut.stdout | default('')) or
+    'REMOVED_REQUIRE' in (_req_mut.stdout | default(''))

roles/web-app-mediawiki/tasks/main.yml

@@ -3,20 +3,35 @@
   include_role: 
     name: sys-stk-full-stateful
   vars:
-    docker_compose_flush_handlers: true
+    docker_compose_flush_handlers: false
+
+- name: "Prepare host files for '{{ application_id }}'"
+  include_tasks: 01_prep.yml
+
+- name: "flush handlers for '{{ application_id }}' after preparation finished"
+  meta: flush_handlers
 
 - name: "Load install procedures for '{{ application_id }}''"
-  include_tasks: 01_install.yml
+  include_tasks: 02_install.yml
 
-- name: "Load debug procedures for '{{ application_id }}''"
-  include_tasks: 02_debug.yml
+
+- name: "DEBUG | Ensure require_once(debug.php) matches MODE_DEBUG"
+  include_tasks: _ensure_require.yml
+  vars:
+    ensure_present: "{{ MODE_DEBUG | bool }}"
+    require_path: "{{ MEDIAWIKI_LOCAL_PATH }}/debug.php"
+  when: MODE_DEBUG | bool
 
 - name: "Load admin setup procedures for '{{ application_id }}''"
   include_tasks: 03_admin.yml
 
-- name: "Load OIDC procedures for '{{ application_id }}''"
-  include_tasks: "{{ item }}"
-  loop:
-    - 04_extensions.yml
-    - 05_oidc.yml
-  when: MEDIAWIKI_OIDC_ENABLED | bool
+- name: "Load extensions procedures for '{{ application_id }}''"
+  include_tasks: "04_extensions.yml"
+  when: MEDIAWIKI_OIDC_ENABLED | bool
+
+- name: "OIDC | Ensure require_once(oidc.php) present"
+  include_tasks: _ensure_require.yml
+  vars:
+    ensure_present: true
+    require_path: "{{ MEDIAWIKI_LOCAL_PATH }}/oidc.php"
+  when: MEDIAWIKI_OIDC_ENABLED | bool