Ori.livneh has uploaded a new change for review. https://gerrit.wikimedia.org/r/259601
Change subject: [WIP] Add piwik module and role ...................................................................... [WIP] Add piwik module and role * Provision behind misc-varnish as piwik.wikimedia.org. * Restrict access at Apache level by using mod_authnz_ldap. TODO: * Figure out where database will be hosted. Bug: T103577 Change-Id: I136ab0a38339544f461a73154d1e4ad5a0679b0e --- A manifests/role/piwik.pp A modules/piwik/manifests/init.pp A templates/apache/sites/piwik.wikimedia.org.erb M templates/varnish/misc-backend.inc.vcl.erb M templates/varnish/misc-common.inc.vcl.erb 5 files changed, 120 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/01/259601/1
diff --git a/manifests/role/piwik.pp b/manifests/role/piwik.pp
new file mode 100644
index 0000000..1f640f1
--- /dev/null
+++ b/manifests/role/piwik.pp
@@ -0,0 +1,62 @@
+# == Class: role::piwik
+#
+# piwik is an open-source analytics platform.
+# It powers <https://piwik.wikimedia.org>.
+#
+class role::piwik {
+ include ::apache::mod::authnz_ldap
+ include ::apache::mod::headers
+ include ::apache::mod::php5
+ include ::apache::mod::rewrite
+
+ include ::passwords::piwik
+ include ::passwords::ldap::production
+
+ include base::firewall
+
+ class { '::piwik':
+ settings => {
+ database => {
+ host => 'FIXME',
+ username => $paswords::piwik::db_user,
+ password => $paswords::piwik::db_pass,
+ dbname => 'FIXME',
+ tables_prefix => 'FIXME',
+ port => 3306,
+ adapter => 'PDO\MYSQL',
+ type => 'InnoDB',
+ schema => 'Mysql',
+ charset => 'utf8',
+ }
+ }
+ }
+
+ ferm::service { 'piwik_http':
+ proto => 'tcp',
+ port => '80',
+ }
+
+ # LDAP configuration. Interpolated into the Apache site template
+ # to provide mod_authnz_ldap-based user authentication.
+ $auth_ldap = {
+ name => 'nda/ops/wmf',
+ bind_dn => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org',
+ bind_password => $passwords::ldap::production::proxypass,
+ url => 'ldaps://ldap-labs.eqiad.wikimedia.org ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn',
+ groups => [
+ 'cn=ops,ou=groups,dc=wikimedia,dc=org',
+ 'cn=nda,ou=groups,dc=wikimedia,dc=org',
+ 'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+ ],
+ }
+
+ apache::site { 'piwik.wikimedia.org':
+ content => template('apache/sites/piwik.wikimedia.org.erb'),
+ require => Class['::piwik'],
+ }
+
+ monitoring::service { 'piwik':
+ description => 'piwik.wikimedia.org',
+ check_command => 'check_http_url!piwik.wikimedia.org!/',
+ }
+}
diff --git a/modules/piwik/manifests/init.pp b/modules/piwik/manifests/init.pp
new file mode 100644
index 0000000..7d95ec8
--- /dev/null
+++ b/modules/piwik/manifests/init.pp
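Review bot: The database credentials in the `class { '::piwik': ... }` declaration read `$paswords::piwik::db_user` and `$paswords::piwik::db_pass`, but the class being included is `::passwords::piwik` (and the LDAP block correctly spells `$passwords::ldap::production::proxypass`), so both most likely resolve to undef and the rendered config.ini.php ends up with an empty username and password rather than a compile failure. Change them to `username => $passwords::piwik::db_user,` and `password => $passwords::piwik::db_pass,`. Separately, `ferm::service { 'piwik_http': ... }` opens TCP/80 to any source, while the commit description says the host is served behind misc-varnish; an `srange` limited to the misc varnish frontends would keep the LDAP-protected vhost from being reached directly. The `'FIXME'` values for `host`, `dbname` and `tables_prefix` deserve a `# TODO: fill in before applying this role` comment so the placeholder state is obvious to the next reader.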
@@ -0,0 +1,16 @@
+# == Class: piwik
+#
+# Piwik is an open-source analytics platform.
+# FIXME: document
+#
+class piwik( $settings ) {
+ require_package('piwik')
+
+ file { '/etc/piwik/config.ini.php':
+ content => php_ini($settings),
+ owner => 'root',
+ group => 'www-data',
+ mode => '0444',
+ require => Package['piwik'],
+ }
+}
diff --git a/templates/apache/sites/piwik.wikimedia.org.erb b/templates/apache/sites/piwik.wikimedia.org.erb
new file mode 100644
index 0000000..b871606
--- /dev/null
+++ b/templates/apache/sites/piwik.wikimedia.org.erb
@@ -0,0 +1,39 @@
+# Apache configuration for Piwik.
+# This file is managed by Puppet.
+<VirtualHost *:80>
+ ServerName piwik.wikimedia.org
+ DocumentRoot /usr/share/piwik
+
+ RewriteEngine On
+ RewriteCond %{HTTP:X-Forwarded-Proto} !https
+ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect]
+ Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ <Directory "/usr/share/piwik">
+ php_admin_flag engine on
+
+ AuthName "<%= @auth_ldap['name'] %>"
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthLDAPBindDN <%= @auth_ldap['bind_dn'] %>
+ AuthLDAPBindPassword <%= @auth_ldap['bind_password'] %>
+ AuthLDAPURL "<%= @auth_ldap['url'] %>"
+ <% @auth_ldap['groups'].each do |group| -%>
+ Require ldap-group <%= group %>
+ <% end -%>
+ </Directory>
+
+ <Files "console">
+ Require all denied
+ </Files>
+
+ <Directory "/usr/share/piwik/misc">
+ Require all denied
+ </Directory>
+
+ <Directory "/usr/share/piwik/vendor">
+ Require all denied
+ </Directory>
+
+</VirtualHost>
diff --git a/templates/varnish/misc-backend.inc.vcl.erb b/templates/varnish/misc-backend.inc.vcl.erb
index 2b8b92a..188082c 100644
--- a/templates/varnish/misc-backend.inc.vcl.erb
+++ b/templates/varnish/misc-backend.inc.vcl.erb
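Review bot: The `file { '/etc/piwik/config.ini.php': ... }` resource uses `mode => '0444'`, yet the `$settings` hash it renders carries the database username and password (the role passes them in), so every local account on the host can read the credentials. Since the file is already `group => 'www-data'`, `mode => '0440',` is sufficient for Apache/PHP to read it and removes the world-readable bit. The `# FIXME: document` header would be a good place to state that `$settings` is a nested hash rendered by `php_ini()` into the sections of config.ini.php and that it contains secrets, so callers do not log or expose it.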
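Review bot: The `<Directory "/usr/share/piwik">` block emits one `Require ldap-group` line per group; under Apache 2.4 several `Require` directives at the same level form an implicit `<RequireAny>`, so membership in any one of the listed groups grants access. That matches the `nda/ops/wmf` AuthName, but it is easy to misread as "all groups required", so a comment above the loop such as `# Multiple Require lines are OR'ed (implicit <RequireAny>): any listed group suffices.` would help. The rendered site file also embeds the LDAP bind password via `AuthLDAPBindPassword`, so it is worth confirming that the `apache::site` resource installing it does not leave the file world-readable.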
@@ -21,6 +21,8 @@ set req.backend = caesium;
 } elsif (req.http.Host == "gdash.wikimedia.org") {
 set req.backend = krypton;
+ } elsif (req.http.Host == "piwik.wikimedia.org") {
+ set req.backend = krypton;
 } elsif (req.http.Host == "grafana.wikimedia.org" || req.http.host == "grafana-admin.wikimedia.org") {
 set req.backend = krypton;
 } elsif (req.http.Host == "parsoid-tests.wikimedia.org") {
diff --git a/templates/varnish/misc-common.inc.vcl.erb b/templates/varnish/misc-common.inc.vcl.erb
index 7e9c38f..f5e0787 100644
--- a/templates/varnish/misc-common.inc.vcl.erb
+++ b/templates/varnish/misc-common.inc.vcl.erb
@@ -4,6 +4,7 @@ req.http.Host == "gerrit.wikimedia.org" || req.http.Host == "grafana.wikimedia.org" || req.http.host == "grafana-admin.wikimedia.org" || req.http.Host == "static-bugzilla.wikimedia.org" || req.http.Host == "annual.wikimedia.org" || req.http.Host == "transparency.wikimedia.org"
+ || req.http.Host == "piwik.wikimedia.org"
 || req.http.Host == "otrs-test.wikimedia.org" // No caching of OTRS for now
 || req.http.Host == "people.wikimedia.org" // No caching of public_html dirs
 || req.http.Host == "datasets.wikimedia.org" // No caching of datasets. They can be larger than misc varnish can deal with.
-- To view, visit https://gerrit.wikimedia.org/r/259601 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I136ab0a38339544f461a73154d1e4ad5a0679b0e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ori.livneh <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
