authorChristian Franke <nobody@nowhere.ws>2015-10-26 20:38:25 +0100
committerChristian Franke <nobody@nowhere.ws>2015-10-26 20:38:25 +0100
commitf38450f9f2037244300082f3e4211b790ac87058 (patch)
tree074ffa7d0512e099742641df8065d7b4139a6e99 /roles/sublab_web
parent4e5034f57b54f1a5052fd859d3419002a477e628 (diff)
Assorted changesHEADmaster
- add hooks between webserver and gitserver: git->website and wiki->git work now, git->wiki is still missing, https://ikiwiki.info/tips/Hosting_Ikiwiki_and_master_git_repository_on_different_machines/ should contain the right info for that - actually configure repo_service - replace LDAP auth with dummy password auth for now
Diffstat (limited to 'roles/sublab_web')
-rw-r--r--roles/sublab_web/defaults/main.yaml116
-rw-r--r--roles/sublab_web/files/htpasswd1
-rw-r--r--roles/sublab_web/meta/main.yaml1
-rw-r--r--roles/sublab_web/tasks/as_webuser.yaml2
-rw-r--r--roles/sublab_web/tasks/as_wikiuser.yaml29
-rw-r--r--roles/sublab_web/tasks/main.yaml4
-rw-r--r--roles/sublab_web/templates/subdap-ssl.conf.j25
-rw-r--r--roles/sublab_web/templates/website-rebuild.sh.j24
-rw-r--r--roles/sublab_web/templates/wiki.conf.j223
9 files changed, 174 insertions, 11 deletions
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
index 55f5b5f..2122383 100644
--- a/roles/sublab_web/defaults/main.yaml
+++ b/roles/sublab_web/defaults/main.yaml
@@ -1,2 +1,114 @@
----
-sublab_web_server_name: "{{inventory_hostname}}"
+$ANSIBLE_VAULT;1.1;AES256
+33643763303764333037643462663530636364373132666663353165383739636563393636346136
+6634613765343031363935363233663833373238346431360a316133303361313631373732643665
+37343631363437643663306537323039363835636135363537323063386566383832323933646535
+6163623431306139320a343161356565613665623834396465353530383265313565663962333131
+62363737633463303736313034373639383661373566386264303938353532393436366564316262
+64353137316639313464663230346663313639636365663434643637303336373836623865343633
+30623530383761636462326335363635386434313830393130613366386161333230383531646139
+37336631326137663332353930616665623265643835356433343137383334393961356664366366
+66396430396366383133613130616231306333636631376366633137356535373339373539383865
+34626561326331613831636362313563353264336466366161376634363236653638396632343930
+61363531333166336131323133613662373933393665316365633536333864623737616333363161
+63616433393437656438633636663635653433396330313730333437316337363839383935393561
+33343166616161626464623837643262653934643032653563653632653933343764336161356364
+30333261393134373062616561363762616262306661373264333762643039613966323539326233
+30386564316330633565393865663561323036356163313430616235386661373465383039663631
+31316461346339323263363830373438653430333830656332346437626436633333333864356461
+61363532636134306335363936316331663930626462353738656535613736373364626233656436
+38333535326631336165363263663565656537333363303638356632306430363563383031636661
+34346436366539306236653264383731393430313765376161613234633162376634656563316339
+62633832643738643733323165323262613466353332353661616634303037623935616235383233
+37653735633564373739656538633563393265316663303132623139663439613964613738346366
+35376131376537303038613135653938396133626338306137346331356463373361343065633431
+36616462386666656566346230303235393634666261316262663939306338393635333338346435
+61393834623835393065366563323932653539623439626662633032306165636565393337313038
+37346237393435383232343236653836323666333838623132383537376230646666643338366564
+34306461663434626562303435313532613565643935356361616332383661306633356435653564
+62363332643639336430326161663663303038633364356237373265623433333062386135366161
+31633236373664383939393162326638316533663334366431393930333337626336353539393364
+64356366666366383962346138333436353232383563373332306339306532613532613337376335
+62383235373635316161656166616433633761626462316136613861643161313237316239353164
+30666637653039306431353737336635356532336662363361386538306563333432303461303235
+35316362643765353433306464393764313863303230656631323864363736653636356134373537
+31363339343137373536363134333761616133656339373263373866666333643262336331303838
+38633265366662643966616262653736626339393566343938646638323862333461393366623936
+66343964323137653238336661333039323334366135383837333038393336373332613937623633
+35383835643737306366623831653838323433353763653866393532623165633634366238383731
+37643930666462666434646336383631646135353436363161306335643064353730616462653537
+62303838323839333163653038303238353738336337363461396635373439333139376636353034
+62323832356538613664346239623533383564363264373464326433623065396239316334633332
+37336364363362343832633063626236666661303464303631653733393539386330656361346334
+36616131353336353062353934393234376633633138383332663130343230626536353465356264
+35356266646165303638663837656230373839396137646366636330323735366466623061333030
+37346162336538363130303839346561363336613266623738353065383263626433326433643937
+35656162636531363364313337666635333261343539636432333763653033363839356562653331
+32396536343630366538343764623561363461643431663861613139343965303664376631636432
+33306330373538383038373966343839383737326535333136316565623737373630323265326666
+30386533373637343538313734333361353766656536306638373633326236643038326432386563
+30616437343465323531663737343833373336663366313839616238653065386137306434396232
+36383435623434353035313161363730306533386533366234626531306131613862343463613936
+66303664333434623932333764633063353236303364353166303036333439666630323137343365
+36663831633131383438336639353833613439623434613164613066653361613330366164336233
+63656139373630316639326561386233653634333564616432613063383930376232656264323363
+39353934386335373532623463663637346466393636346131356631343830343931663064326138
+31323236396162323335643036343936633332393966396662303530663535313366353061653831
+34613536333462646463326461643463396162393934666433376136373933363465643866643939
+66356135653038316137666264306666623464306664323530316334663236306262623338663262
+30313636623434646366356632643566376333353633653232643130666561643663386661663336
+62316366626261636534313962373832383661623937313864383031363032623761353139316637
+32323035653964623961363766383966643964653365316530393339363264363133663833396466
+33633834396565326634366364313062336630646666653537623066626137343537653031396630
+35666463633264376664623765666536663630613338356236373133336365316432353362633731
+34373531373764343064346562346461366436336433313764393964356665323337316435353932
+66633734323035313835366439343763336565303833623830366439333432663837373262643030
+61633039313565313761653466383066346231666333323662336132313165666531356637383031
+37313962313965623665313436306430376637666334626335643366653935313336323632636433
+36643863613764653161613432633436313535333436336565383932393034656231633031623564
+35633865666139336337336535663464303437636161323566633839643263396138376636623636
+39633636363133336430383962313765636463316532633238653366653637636561323064303466
+61356664313035643935383734623462386439393562626161383130656238343734636134653564
+35353430316133373433393235313261303434363364303563383839386137646465616464393366
+34323962373036646530313362383766316464336461343935333166303630653133333561316265
+36366531326465323839633434656363383563343138373862666666653865376637333932343136
+62383439396231306133353833663738333462383766666337366566343136313731623437323530
+39306165636564336338616635666239346661373831386437663066343664326438313135616230
+63353062636133656566666364343630316564316233393664353938356434356332346631386163
+35663334356235346539393966616663303163323033653330343335323762353637333965366262
+39346136613635363831393734303832316234326536316165373235636531303562663762393766
+66376364323635623233666330663764616263366236393032393138643038353634316132663166
+37343163386164663233356237346561656665363638373835333763666537613939393434393364
+36353763306635353239346566613966343836336236653432313833393631616161303330656531
+36386264383234303135386137633166323438386435346337393032393865613038303264393435
+62363663343064336362623532383262373231616133396164643032653161646639613030623833
+61336436363666356236396533356666656463333536386335346330613263316636303561396433
+62653236393432376135663565633431656437333266343264323435653030363262633439633434
+34333931393465313831346434373837373138626538633262306464366634626234363963396165
+36663862626634626634623330643830646235323334636139633564646139353336653962366537
+33303764323034663630306265636136363838393630653731323137313964386463643563383662
+34393030326361373138356161303363383637343162646331326133336138313038326664623338
+65326466343131323538333661346538333338646433366365663637303832323265363939373434
+30623264373934313538646334633766363731663163633633386565336335653261663533363839
+65393638613430623938356131323837653739363066306566613065653330343064666163306563
+64356363653337343733343239336635643634303532353034353434333935336662386139643261
+33376365613065306566626135306235393938316337343464636333623165373931633038616133
+64636266393538663361353632303433616562393266346266613831346431306464666633383834
+37366330663561303164373937613064386566643164383433333539356534346136356339623265
+63323431626264366431336435316562623735633131633033313335616231616663346231656363
+30393931376635393366376464366135626339663461306663353037376566616365343066386235
+39613236316663363639613630333939326231643135373362666432666535663630353033616235
+65616435316464326134623666313632373932636439653334366235656461623532613037393430
+35393537316264313963386334646539383038326664643064366430326261383335646638616238
+62653633633838643366323533666165353631666339323036373733333438663863306337306464
+39643337616431363164393433356264616132666665373464383966306135636634623064633166
+32316334363134323932663763366638373234356230333139393535353266373530343065623361
+62313363663233323132643163663163326639303436336165363132633766356237333638336162
+66323232366538656330336463663132323832343737386665353063323163323030643032313162
+30323039346337613834356361616237323166303430363638623863323238653630313630633331
+38643035363464313034626537653061633339613665363539323566663039633130303130376365
+30633665346463656133306465343463383832626562663638343365353338643937306161653762
+37363634343165383333656461396636353963323166383362663036633431373733313963303930
+38346663393431363330396433386462353332353634313336313436386465613830333632333234
+33346361396563616163356333653661613861623863346537313136343865323638313065656333
+66393236323339646633663433396166636537323232323238666635356464623031313139623432
+34656237366633646464306163373230383864316565663438343262343333393765
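Review bot: Vaulting the whole of `defaults/main.yaml` also encrypts `sublab_web_server_name`, which was plain text before, so this hunk cannot be reviewed and every later change to a default will appear only as a rewritten ciphertext blob. Keep the non-secret defaults in clear text in this file and move only the secrets (presumably the `wiki_user_privkey` consumed in tasks/as_wikiuser.yaml) into a separate vault-encrypted vars file. A clear-text comment in the defaults file naming the variables the vault must define, e.g. `# secrets live in the vault file: wiki_user_privkey, ...`, would tell a reader what to expect without decrypting.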
diff --git a/roles/sublab_web/files/htpasswd b/roles/sublab_web/files/htpasswd
new file mode 100644
index 0000000..4ba5edb
--- /dev/null
+++ b/roles/sublab_web/files/htpasswd
@@ -0,0 +1 @@
+webuser:$apr1$CTQ3rSnN$MTEV4h/Y.9HBT1Apjey1t0
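Review bot: The new `files/htpasswd` commits a password hash for `webuser` in clear text, while the other secrets in this commit go through Ansible Vault. `$apr1$` is Apache's MD5-based scheme and is cheap to guess offline for anyone who can read the repository. If this account guards anything beyond a placeholder, generate the entry with bcrypt (`htpasswd -B`) and deploy it from a vaulted variable rather than a static file. The commit message describes this as dummy auth "for now", so rotating the password when LDAP auth returns should be tracked.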
diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml
index f185875..3d84cbe 100644
--- a/roles/sublab_web/meta/main.yaml
+++ b/roles/sublab_web/meta/main.yaml
@@ -2,3 +2,4 @@
dependencies:
- role: apache
- role: subdap
+ - role: git_server_rpc
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml
index 859c1bf..c6725aa 100644
--- a/roles/sublab_web/tasks/as_webuser.yaml
+++ b/roles/sublab_web/tasks/as_webuser.yaml
@@ -11,7 +11,7 @@
- name: Clone sublab website
git:
dest="/var/www/{{sublab_web_server_name}}/htdocs"
- repo=git://git.sublab.org/website
+ repo="git://{{ groups['gitservers'][0] }}/website"
accept_hostkey=yes
update=no
notify: Rebuild subweb website
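Review bot: The clone at `repo="git://{{ groups['gitservers'][0] }}/website"` still uses the unauthenticated `git://` transport, so nothing verifies the server or the content that the `Rebuild subweb website` handler then builds. `accept_hostkey=yes` has no effect on this protocol. The wiki clone in tasks/as_wikiuser.yaml moves to ssh in this same commit, and using the same transport here would give the website checkout an authenticated source. The expression also fails at run time when the `gitservers` group is missing or empty, so a comment stating that the inventory must define it would help.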
diff --git a/roles/sublab_web/tasks/as_wikiuser.yaml b/roles/sublab_web/tasks/as_wikiuser.yaml
index adfa473..bd30e9d 100644
--- a/roles/sublab_web/tasks/as_wikiuser.yaml
+++ b/roles/sublab_web/tasks/as_wikiuser.yaml
@@ -22,12 +22,39 @@
src=ikiwiki-editpage.tmpl
dest="/home/wiki-{{sublab_web_server_name}}/templates/editpage.tmpl"
+- name: Create .ssh dir
+ file:
+ path="/home/wiki-{{sublab_web_server_name}}/.ssh"
+ state=directory
+ mode=0700
+
+# This ssh keypair is authorized to push to the git-server wiki repo
+- name: Put ssh pubkey
+ copy:
+ dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa.pub"
+ content="{{wiki_user_pubkey}}"
+ mode=0644
+
+- name: Put ssh privkey
+ copy:
+ dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa"
+ content="{{wiki_user_privkey}}"
+ mode=0600
+
+# Configure git
+- name: Configure git push for wikiuser
+ command: git config --global push.default simple
+- name: Configure git name
+ command: git config --global user.name "Wiki User {{ansible_hostname}}"
+- name:
+ command: git config --global user.email "nobody@nowhere.ws"
+
# Updates to git are pushed automatically and should not
# go through ansible - this is for initial deployment only
- name: Clone wiki git
git:
dest="/home/wiki-{{sublab_web_server_name}}/wiki"
- repo=git://git.sublab.org/ikiwiki
+ repo=git+ssh://git@{{groups['gitservers'][0]}}/ikiwiki
accept_hostkey=yes
update=no
notify: Rebuild ikiwiki
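Review bot: `accept_hostkey=yes` on `Clone wiki git` now applies to an ssh remote that the deployed private key can push to, so the first connection trusts whatever host key it is offered. Install the git server's host key into the wiki user's known_hosts in an earlier task (the `known_hosts` module does this) and drop `accept_hostkey=yes`. `Put ssh privkey` should carry `no_log: true` so the key material in `content=` never reaches verbose or diff output. The last `git config` task has an empty `name:`; something like `- name: Configure git email` keeps the run log readable.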
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
index 7416cba..145c549 100644
--- a/roles/sublab_web/tasks/main.yaml
+++ b/roles/sublab_web/tasks/main.yaml
@@ -31,6 +31,10 @@
- wiki.conf
notify: Reload apache
+- name: Place wiki htpasswd
+ copy: dest=/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd
+ src=htpasswd
+
- include: ../../apache/tasks/ssl.yaml
vars:
ssl_server_name: "{{sublab_web_server_name}}"
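Review bot: `Place wiki htpasswd` sets no owner, group or mode, so the credential file gets whatever the default umask yields, which is typically world-readable. Give the copy explicit permissions, for example `owner=root group=www-data mode=0640`. The group name assumes Debian's Apache default, so adjust it to the account Apache runs as on these hosts.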
diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2
index bec8c54..2e543b8 100644
--- a/roles/sublab_web/templates/subdap-ssl.conf.j2
+++ b/roles/sublab_web/templates/subdap-ssl.conf.j2
@@ -1,3 +1,4 @@
+{% if 0 %}
<Location "/subdap/">
ProxyPass "http://127.0.0.1:8001/"
</Location>
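Review bot: `{% if 0 %}` is a hard-coded switch with no explanation of why the subdap proxy is disabled or when it should come back; the matching `{% else %}` with the redirect is in the next hunk of this file. A role variable such as `{% if sublab_web_subdap_enabled | default(false) %}` (the name is only a suggestion) plus a one-line `{# ... #}` comment giving the reason would make the state visible from the defaults. The `RedirectMatch` pattern in that hunk can also be simplified to `^/subdap(/.*)?$`, which matches the same paths.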
@@ -11,3 +12,7 @@ Alias /subdap/static /var/subdap/src/static
AllowOverride None
Require all granted
</Directory>
+{% else %}
+RedirectMatch temp ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/account-creation-suspended
+{% endif %}
+
diff --git a/roles/sublab_web/templates/website-rebuild.sh.j2 b/roles/sublab_web/templates/website-rebuild.sh.j2
index ac29e3d..5cd3964 100644
--- a/roles/sublab_web/templates/website-rebuild.sh.j2
+++ b/roles/sublab_web/templates/website-rebuild.sh.j2
@@ -3,6 +3,10 @@
# {{ ansible_managed }}
#
+if [ "$USER" != "sublab_web" ]; then
+ exec sudo -u sublab_web /var/www/{{sublab_web_server_name}}/website-rebuild.sh
+fi
+
cd /var/www/{{sublab_web_server_name}}/htdocs
if [ x"$1" != x"-l" ]; then
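Review bot: The re-exec drops the script's arguments, so a caller that is not `sublab_web` and passes `-l` loses the flag that the `if [ x"$1" != x"-l" ]` test below depends on. Append `"$@"` to the `exec sudo -u sublab_web ...` line. `$USER` is an inherited environment variable and can be unset or stale when the script is started from a hook or a service, so compare against the real identity instead: `if [ "$(id -un)" != "sublab_web" ]; then`. The script body continues past the end of the hunk.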
diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2
index 5328335..a5c47ba 100644
--- a/roles/sublab_web/templates/wiki.conf.j2
+++ b/roles/sublab_web/templates/wiki.conf.j2
@@ -6,14 +6,23 @@ Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/
Options +ExecCGI
</Directory>
<Directory /home/wiki-{{ sublab_web_server_name }}/wiki-html/auth>
+#
+# Disable LDAP auth for now :/
+#
+# AuthType basic
+# AuthBasicProvider ldap
+# AuthName "LDAP Login"
+# AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+# AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+# # AuthzLDAPAuthoritative on
+# # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+# Require valid-user
+
+# And use basic auth instead
AuthType basic
- AuthBasicProvider ldap
- AuthName "LDAP Login"
- AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
- AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
- AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
- # AuthzLDAPAuthoritative on
- # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+ AuthName "Wiki Login"
+ AuthUserFile "/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd"
Require valid-user
</Directory>
LDAPTrustedMode TLS
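Review bot: Prefixing the LDAP directives with `#` only comments them out for Apache, and Jinja2 still evaluates the `{{ ... }}` expressions inside them. The rendered wiki.conf therefore keeps the LDAP bind password in a comment, and the template still fails if `ldap_credentials` or `ldap_url` is undefined. Wrap the disabled block in a Jinja comment (`{#` ... `#}`) or delete it and rely on git history. `LDAPTrustedMode TLS` after the `</Directory>` stays active; if mod_ldap is no longer used by this vhost it can be disabled the same way.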