library/roles/mediawiki: raw playbook that downloads and unpack a mediawiki installation and installs some of the php dependencies.

library/roles/mysql: role that installs a mysql db, secure the configuration and manage the databases.
library/roles/php-fpm: installs php-fpm and configures all the workers.
d4science-gcube: playbook to install and configure a mediawiki system.

mediawiki/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+#
+# This playbook depends on the php-fpm, mysql role and nginx or apache2
+#
+mw_install_from_package: False
+mw_version: 1.25
+mw_minor_minor: 1
+mw_download_url: http://releases.wikimedia.org/mediawiki/{{ mw_version }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz
+mw_download_dir: /srv/mediawiki
+mw_install_dir: /var/www
+mw_conf_dir: /etc/mediawiki
+
+mw_php_prereq:
+  - php5-intl
+  - php5-cli
+  - php5-mysqlnd
+  - php-apc
+  - php-pear
+  - imagemagick
+
+# This choice is not recommended. The package has a poor list of dependencies. We do not want to deal with those
+mw_package:
+  - mediawiki

mediawiki/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Install the php prerequisites
+  apt: name={{ item }} state=present
+  with_items: mw_php_prereq
+  tags: mediawiki
+
+- name: Ensure that the download and install dirs exist
+  file: path={{ item }} state=directory
+  with_items:
+    - '{{ mw_download_dir }}'
+    - '{{ mw_install_dir }}'
+  tags: mediawiki
+  
+- name: Download the mediawiki tar file
+  get_url: url={{ mw_download_url }} dest={{ mw_download_dir }}
+  when: not mw_install_from_package
+  register: mw_download
+  tags: mediawiki
+
+- name: Unpack the mediawiki tar file
+  unarchive: copy=no src={{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz dest={{ mw_install_dir }}
+  when: ( mw_download | changed )
+  tags: mediawiki
+
+- name: Rename the mediawiki directory
+  command: mv {{ mw_install_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }} {{ mw_install_dir }}/mediawiki
+  when: ( mw_download | changed )
+  tags: mediawiki
+
+- name: Create the mediawiki conf dir
+  file: path={{ mw_conf_dir }} state=directory
+  tags: mediawiki

mysql/defaults/main.yml

@@ -0,0 +1,37 @@
+---
+mysql_enabled: True
+mysql_pkg_state: present
+mysql_conf_dir: /etc/mysql/conf.d
+
+# python-mysqldb is needed by ansible to manage users and databases
+mysql_packages_list:
+  - mysql-server
+  - mysql-client
+  - mytop
+  - python-mysqldb
+
+mysql_db_name: db_name
+mysql_db_user: db_user
+mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
+
+# Alternatives: utf8
+mysql_default_encoding: utf8mb4
+# Alternatives: utf8_unicode_ci utf8_bin
+mysql_default_collation: utf8mb4_unicode_ci
+mysql_db_host: localhost
+mysql_db_port: 3306
+mysql_db_max_connections: 100
+mysqld_db_read_buffer_size: 128K
+mysql_db_read_rnd_buffer_size: 256K
+mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
+mysql_db_innodb_buffer_pool_size: 256M
+mysql_db_innodb_additional_mem_pool_size: 5M
+# Set .._log_file_size to 25 % of buffer pool size
+mysql_db_innodb_log_file_size: 64M
+mysql_db_innodb_log_buffer_size: 9M
+mysql_safe_open_files_limit: 1024
+
+mysql_listen_on_ext_int: False
+#mysql_db_data:
+#  - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32' ] }
+

mysql/files/mysql-backup.cron

@@ -0,0 +1 @@
+0 0 * * * root /usr/local/bin/mysql-backup > /var/log/mysql-backup.log 2>&1

mysql/files/mysql-backup.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ ! -f /root/.my.cnf ] ; then
+    exit 1
+fi
+
+MY_BACKUP_DIR=/var/lib/mysql-backup
+umask 0077
+MY_DATA_DIR=/var/lib/mysql
+LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
+
+
+if [ ! -d $MY_BACKUP_DIR ] ; then
+    mkdir -p $MY_BACKUP_DIR
+fi
+if [ ! -d $MY_BACKUP_DIR/log ] ; then
+    mkdir -p $MY_BACKUP_DIR/log
+fi
+if [ ! -d $MY_BACKUP_DIR/old ] ; then
+    mkdir -p $MY_BACKUP_DIR/old
+fi
+chmod -R 700 $MY_BACKUP_DIR
+
+if [ ! -f $LOCKFILE ] ; then
+    touch $LOCKFILE
+    for db in $( /bin/ls -1 /var/lib/mysql/ ) ; do
+   	if [ -d /var/lib/mysql/$db ] ; then
+            if [ -f $MY_BACKUP_DIR/$db.sql ] ; then
+            	mv -f $MY_BACKUP_DIR/$db.sql $MY_BACKUP_DIR/old
+            fi
+            #mysqldump -uroot -f --opt -p$MYSQLPASS $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log
+            mysqldump -f --opt $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log
+            chmod 600 $MY_BACKUP_DIR/$db.sql
+    	fi
+    done
+    # Do a "flush-hosts" after the backup
+    mysqladmin flush-hosts 2> $MY_BACKUP_DIR/log/flush-hosts.log
+    rm -f $LOCKFILE
+fi
+
+exit 0

mysql/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart mysql
+  service: name=mysql state=restarted
+
+- name: Reload mysql
+  service: name=mysql state=reloaded

mysql/tasks/configure_root_access.yml

@@ -0,0 +1,46 @@
+---
+# 'localhost' needs to be the last item for idempotency, the mysql_user docs
+- name: Secure the mysql root user
+  mysql_user: name=root host={{ item }} password={{ mysql_root_password }}
+  when: mysql_root_password is defined
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 127.0.0.1
+    - ::1
+    - localhost
+  ignore_errors: True
+  tags:
+    - mysql
+
+- name: Secure the mysql root user
+  mysql_user: name=root host={{ item }} password=""
+  when: mysql_root_password is not defined
+  with_items:
+    - '{{ ansible_hostname }}'
+    - 127.0.0.1
+    - ::1
+    - localhost
+  ignore_errors: True
+  tags:
+    - mysql
+
+- name: Install the .my.cnf file with root password credentials
+  template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
+  when: mysql_root_password is defined
+  tags:
+    - mysql
+
+- name: delete anonymous MySQL server user for {{ server_hostname }}
+  mysql_user: user="" host="{{ ansible_hostname }}" state="absent"
+  tags:
+    - mysql
+
+- name: delete anonymous MySQL server user for localhost
+  mysql_user: user="" state="absent"
+  tags:
+    - mysql
+
+- name: remove the MySQL test database
+  mysql_db: db=test state=absent
+  tags:
+    - mysql

mysql/tasks/disable-mariadb-service.yml

@@ -0,0 +1,7 @@
+---
+- name: Stop and disable the mysql server if we do not want it running
+  service: name=mysql state=stopped enabled=no
+  when: not mysql_enabled
+  tags:
+    - mysql
+

mysql/tasks/disable-mysql-service.yml

@@ -0,0 +1,7 @@
+---
+- name: Stop and disable the mysql server if we do not want it running
+  service: name=mysql state=stopped enabled=no
+  when: not mysql_enabled
+  tags:
+    - mysql
+

mysql/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- include: packages.yml
+- include: mysql-conf.yml
+  when: mysql_enabled
+- include: disable-mysql-service.yml
+  when: not mysql_enabled
+- include: configure_root_access.yml
+  when: mysql_enabled
+- include: manage_my_db.yml
+  when: mysql_enabled
+- include: mysql-backup.yml
+  when: mysql_enabled
+

mysql/tasks/manage_my_db.yml

@@ -0,0 +1,23 @@
+---
+- name: Add databases to mysql, if any
+  mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present
+  with_items: mysql_db_data
+  when:
+    - mysql_db_data is defined
+    - item.name is defined
+  tags:
+    - mysql
+    - mysql_db
+
+- name: Add a user for the databases
+  mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv={{ item.0.name }}.*:"{{ item.0.user_grant }}" state=present
+  with_subelements:
+    - mysql_db_data
+    - allowed_hosts
+  when:
+    - mysql_db_data is defined
+    - item.0.name is defined
+  tags:
+    - mysql
+    - mysql_db
+

mysql/tasks/mysql-backup.yml

@@ -0,0 +1,10 @@
+---
+- name: Install a script that performs mysql dumps
+  copy: src=mysql-backup.sh dest=/usr/local/bin/mysql-backup owner=root group=root mode=0750
+  tags:
+    - mysql
+
+- name: Cron job that executes mysql nightly backups
+  copy: src=mysql-backup.cron dest=/etc/cron.d/mysql-backup owner=root group=root mode=0644
+  tags:
+    - mysql

mysql/tasks/mysql-conf.yml

@@ -0,0 +1,13 @@
+---
+- name: Install the main configuration files.
+  template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
+  with_items:
+    - client
+    - server
+    - mysql-clients
+  when: mysql_enabled
+  notify: Restart mysql
+  tags:
+    - mysql
+    - mariadb
+    - mysql-conf

mysql/tasks/packages.yml

@@ -0,0 +1,14 @@
+---
+- name: install the mysql packages
+  apt: pkg={{ item }} state={{ mysql_pkg_state }}
+  with_items: mysql_packages_list
+  tags:
+    - mysql
+
+- name: Ensure that the mysql server is enabled and running
+  service: name=mysql state=started enabled=yes
+  when: mysql_enabled
+  tags:
+    - mysql
+    - mariadb
+

mysql/templates/client.cnf.j2

@@ -0,0 +1,6 @@
+# The following options will be passed to all MariaDB clients
+[client]
+#password       = your_password
+port            = 3306
+socket          = /var/lib/mysql/mysql.sock
+

mysql/templates/dot_my.cnf.j2

@@ -0,0 +1,4 @@
+[client]
+user=root
+password={{ mysql_root_password }}
+

mysql/templates/mysql-clients.cnf.j2

@@ -0,0 +1,20 @@
+
+[mysql]
+
+[mysql_upgrade]
+
+[mysqladmin]
+
+[mysqlbinlog]
+
+[mysqlcheck]
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysqlimport]
+
+[mysqlshow]
+
+[mysqlslap]

mysql/templates/mysql_backup-default.j2

@@ -0,0 +1,13 @@
+PG_SERVICE='postgresql-{{ psql_version }}'
+PG_VERSION='{{ psql_version }}'
+PG_DUMP_BIN='{{ pg_backup_pgdump_bin }}'
+PG_BCK_BIN='{{ pg_backup_bin }}'
+USE_NAGIOS='{{ pg_backup_use_nagios }}'
+LOG_DIR='{{ pg_backup_logdir }}'
+LOG_FILE='{{ pg_backup_logfile}}'
+N_DAYS_TO_SPARE='{{ pg_backup_retain_copies }}'
+BUILD_DBLIST='{{ pg_backup_build_db_list }}'
+DB_LIST="{{ pg_backup_db_list }}"
+PG_USE_AUTH='{{ pg_backup_use_auth }}'
+PG_PASS_FILE='{{ pg_backup_pass_file }}'
+BACKUPDIR='{{ pg_backup_destdir }}'

mysql/templates/server.cnf.j2

@@ -0,0 +1,52 @@
+# Here follows entries for some specific programs
+
+# The MariaDB server
+[mysqld]
+port            = {{ mysql_db_port }}
+socket          = /var/lib/mysql/mysql.sock
+max_connections	= {{ mysql_db_max_connections }}
+skip-external-locking
+key_buffer_size = 16M
+max_allowed_packet = 1M
+table_open_cache = 512
+sort_buffer_size = 8M
+net_buffer_length = 8K
+read_buffer_size = {{ mysqld_db_read_buffer_size }}
+read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
+myisam_sort_buffer_size = 16M
+
+# Point the following paths to different dedicated disks
+#tmpdir         = /tmp/
+
+# Don't listen on a TCP/IP port at all. This can be a security enhancement,
+# if all processes that need to connect to mysqld run on the same host.
+# All interaction with mysqld must be made via Unix sockets or named pipes.
+# Note that using this option without enabling named pipes on Windows
+# (via the "enable-named-pipe" option) will render mysqld useless!
+#
+#skip-networking
+
+# Enable binary logging. This is required for acting as a MASTER in a
+# replication configuration. You also need the binary log if you need
+# the ability to do point in time recovery from your latest backup.
+log-bin=mysql-bin
+
+# binary logging format - mixed recommended
+binlog_format=mixed
+
+# Uncomment the following if you are using InnoDB tables
+innodb_data_home_dir = /var/lib/mysql
+innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
+innodb_log_group_home_dir = /var/lib/mysql
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
+innodb_additional_mem_pool_size = {{ mysql_db_innodb_additional_mem_pool_size }}
+# Set .._log_file_size to 25 % of buffer pool size
+innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
+innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
+innodb_flush_log_at_trx_commit = 1
+innodb_lock_wait_timeout = 50
+
+[mysqld_safe]
+open-files-limit = {{ mysql_safe_open_files_limit }}

php-fpm/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 # php as a standalone service
-- name: The nagios and ganglia web interfaces use php-fpm
+- name: Install the php-fpm package
   apt: pkg={{ item }} state=present
   with_items: php_fpm_packages
   tags: