feat(mediawiki): Refactor OIDC + debug; install Composer deps in-container; modularize role

Discussion: https://chatgpt.com/share/68b10c0a-c308-800f-93ac-2ffb386cf58b

- Split tasks into 01_install, 02_debug, 03_admin, 04_extensions, 05_oidc.
- Ensure unzip+git+composer on demand in the container; run Composer as www-data with COMPOSER_HOME=/tmp/composer.
- Idempotently unpack/install PluggableAuth & OpenIDConnect; run composer install only if vendor/ is missing.
- Add sanity check for Jumbojett\OpenIDConnectClient.
- Copy oidc.php only when changed and append a single require_once to LocalSettings.php.
- Use REL1_44-compatible numeric array for $wgPluggableAuth_Config; set $wgPluggableAuth_ButtonLabelMessage.
- Debug: add debug.php that logs to STDERR (visible via docker logs); toggle cleanly with MODE_DEBUG.
- Enable OIDC feature in config; add paths/OIDC/extension vars in vars/main.yml.

fix(services): include SYS_SERVICE_GROUP_CLEANUP in StartPre lock (ssd-hdd, docker-hard).

fix(desktop/joomla): simplify MODE_DEBUG templating.

chore: minor cleanups and renames.

roles/web-app-mediawiki/tasks/main.yml

@@ -1,73 +1,22 @@
 ---
-- name: "load docker, db and proxy for {{ application_id }}"
+- name: "load docker, db and proxy for '{{ application_id }}'"
   include_role: 
     name: sys-stk-full-stateful
   vars:
     docker_compose_flush_handlers: true
 
-- name: "Wait for DB to be reachable"
-  command: >
-    docker exec {{ MEDIAWIKI_CONTAINER }}
-    php /var/www/html/maintenance/sql.php --query "SELECT 1;"
-  register: mw_db_ready
-  retries: 15
-  delay: 2
-  until: mw_db_ready.rc == 0
-  changed_when: false
-  failed_when: false
+- name: "Load install procedures for '{{ application_id }}''"
+  include_tasks: 01_install.yml
 
-- name: "Install MediaWiki if no schema exists"
-  command: >
-    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }}
-    php /var/www/html/maintenance/install.php
-    --dbname="{{ database_name }}"
-    --dbuser="{{ database_username }}"
-    --dbpass="{{ database_password }}"
-    --dbserver="{{ database_host }}:{{ database_port }}"
-    --installdbuser="{{ database_username }}"
-    --installdbpass="{{ database_password }}"
-    --server="{{ MEDIAWIKI_URL }}"
-    --scriptpath=""
-    --lang={{ HOST_LL }}
-    --pass="{{ MEDIAWIKI_ADMINISTRATOR_PASSWORD }}"
-    "{{ MEDIAWIKI_SITENAME }}"
-    "{{ MEDIAWIKI_ADMINISTRATOR_NAME }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  register: mw_install
-  changed_when: mw_install.rc == 0
-  failed_when: >
-    mw_install.rc != 0 and
-    ('LocalSettings.php file has been detected' not in (((mw_install.stdout | default('')) ~ (mw_install.stderr | default(''))))) and
-    ('run update.php instead' not in (((mw_install.stdout | default('')) ~ (mw_install.stderr | default('')))))
+- name: "Load debug procedures for '{{ application_id }}''"
+  include_tasks: 02_debug.yml
 
-- name: "Initialize / migrate MediaWiki database schema"
-  command: >
-    docker exec
-    -u {{ MEDIAWIKI_USER }}
-    {{ MEDIAWIKI_CONTAINER }}
-    php /var/www/html/maintenance/update.php --quick
-  register: mw_update
-  changed_when: "'...done.' in (mw_update.stdout | default(''))"
-  failed_when: mw_update.rc != 0
+- name: "Load admin setup procedures for '{{ application_id }}''"
+  include_tasks: 03_admin.yml
 
-- name: "Create MediaWiki admin user"
-  command: >
-    docker exec
-    -u {{ MEDIAWIKI_USER }}
-    {{ MEDIAWIKI_CONTAINER }}
-    php /var/www/html/maintenance/createAndPromote.php
-    --bureaucrat --sysop
-    {{ MEDIAWIKI_ADMINISTRATOR_NAME }}
-    {{ MEDIAWIKI_ADMINISTRATOR_PASSWORD }}
-    {{ MEDIAWIKI_ADMINISTRATOR_EMAIL }}
-  register: create_admin
-  changed_when: >
-    ('created' in ((create_admin.stdout | default('')) ~ (create_admin.stderr | default('')))) or
-    ('Created' in ((create_admin.stdout | default('')) ~ (create_admin.stderr | default(''))))
-  failed_when: >
-    create_admin.rc != 0 and
-    ('already exists' not in ((create_admin.stdout | default('')) ~ (create_admin.stderr | default('')))) and
-    ('Account exists' not in ((create_admin.stdout | default('')) ~ (create_admin.stderr | default(''))))
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+- name: "Load OIDC procedures for '{{ application_id }}''"
+  include_tasks: "{{ item }}"
+  loop:
+    - 04_extensions.yml
+    - 05_oidc.yml
+  when: MEDIAWIKI_OIDC_ENABLED | bool