Since November 2017 we use ansible to test and deploy Hitchwiki. It can provision a local vagrant box or deploy to a remote server. Feel free to subscribe and add reports related to our ansible playbooks!
[-] ~MW ignores the requested URL and rewrites it to beta.hitchwiki.org. To preserve the .onion address a proxy is necessary~ $wgServer is commented out now because MediaWiki detects the server name automatically
[X] turn off logging of IP addresses in apache (removeip module)
[ ] apache configs for each domain (currently we have `domain` and `domain2` in settings; if both are set it could make sense to create separate apache config files with vhosts for ports 80 and 443)
restructuring the domain variable(s) affects the following files:
Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubDomains". Browsers only honour this header when it arrives over HTTPS, so it does nothing for a .onion served without TLS, and includeSubDomains commits every subdomain to HTTPS, so check that all of them serve a valid certificate before enabling it.
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. A policy that allows 'unsafe-inline' for scripts gives up most of that protection.
X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block". Note that Firefox never implemented this filter and Chromium and Edge have since removed theirs, so it only helps older browsers; CSP is the durable control.
Referrer Policy is a newer header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
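The four headers above can be verified after a deploy instead of trusted. The script below is an added example for this issue, not code from the Hitchwiki playbooks: it parses a captured HTTP response head and reports which of the recommended values are missing or weakened. The two responses at the bottom are constructed samples, not captures from hitchwiki.org; in practice you would feed it the output of `curl -sI` against the deployed vhost.

```python
"""Check a captured HTTP response head against the header values recommended
above. Added example for this issue, not part of the Hitchwiki playbooks.
The two responses at the bottom are constructed, not captured from hitchwiki.org.
"""
import re
from typing import Dict, List

HSTS_MIN_MAX_AGE = 31536000  # one year, the value recommended above


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head (status line + headers) into a lower-cased map.
    Repeated headers are joined with ', ' as RFC 7230 allows for list fields."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_hsts(value: str) -> List[str]:
    if not value:
        return ["Strict-Transport-Security: missing"]
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security: no max-age directive")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"Strict-Transport-Security: max-age {m.group(1)} is below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("Strict-Transport-Security: includeSubDomains not set")
    return findings


def check_csp(value: str) -> List[str]:
    if not value:
        return ["Content-Security-Policy: missing"]
    findings = []
    directives = {}
    for d in value.split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        findings.append("Content-Security-Policy: no default-src fallback")
    # script-src falls back to default-src; 'unsafe-inline' there voids the XSS protection
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("Content-Security-Policy: scripts may run inline ('unsafe-inline')")
    return findings


def check_xss_protection(value: str) -> List[str]:
    if not value:
        return ["X-XSS-Protection: missing"]
    if value.replace(" ", "").lower() != "1;mode=block":
        return [f"X-XSS-Protection: expected '1; mode=block', got '{value}'"]
    return []


def check_referrer_policy(value: str) -> List[str]:
    if not value:
        return ["Referrer-Policy: missing"]
    if value.strip().lower() == "unsafe-url":  # sends the full URL to every destination
        return ["Referrer-Policy: unsafe-url leaks full URLs cross-origin"]
    return []


def audit(raw_response: str) -> List[str]:
    """Return all findings for one response head; an empty list means all four pass."""
    h = parse_headers(raw_response)
    return (check_hsts(h.get("strict-transport-security", ""))
            + check_csp(h.get("content-security-policy", ""))
            + check_xss_protection(h.get("x-xss-protection", ""))
            + check_referrer_policy(h.get("referrer-policy", "")))


# Constructed sample: a vhost with half-hearted headers.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 "Strict-Transport-Security: max-age=300\r\n"
                 "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
                 "X-XSS-Protection: 0\r\n\r\n")

# Constructed sample: the same vhost with the values recommended above.
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                     "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                     "Content-Security-Policy: default-src 'self'; object-src 'none'\r\n"
                     "X-XSS-Protection: 1; mode=block\r\n"
                     "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(resp) or "ok")
```

Running it prints five findings for the weak response and "ok" for the hardened one. The HSTS check deliberately looks only at the header value; it cannot tell whether the response was fetched over HTTPS, which is the other condition for the header to take effect, so run it against the https:// URL of each vhost.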
scripts/ansible/roles/hitchwiki/tasks/tls.yml:# TODO check for release of: Let's Encrypt - apache mod md (We use Certbot which works well, so there currently is no reason to change it.)
scripts/ansible/roles/hitchwiki/tasks/tls_md.yml:# TODO untested - "unless it's at least beta-level, we should use just letsencrypt's certbot+cron"
[ ] figure out why cached facts are not loaded automatically when stored in /etc/ansible/facts.d/file.yml
we can switch from spyc to symfony (both are already implemented; it is merely a performance decision, see "Load Hitchwiki Config" in mediawiki.php), affected files:
mediawiki.php
status.sh
hitchwiki/tasks/main.yml
system.yml
composer.json
mw-postgres: discourse needs postgres; to save RAM it might be worth using postgres for MW as well
nginx: is nginx an option and what would be the benefits?
Future OS
[ ] currently xenial is the stable LTS; to change later, uncomment the other versions in .travis on a new branch and check whether they build with travis
[ ] check why php-apcu is not in ubuntu artful
use the package module if we deploy to non-debian derived systems (probably won't happen)
Test it!

For details see INSTALL.md and ansible/README.md.

See it live on beta.hitchwiki.org (experimental: 6pna4byhdcdyprdc.onion)

Workflow

feature -> testing -> ansible -> HW master -> production

beta.hitchwiki.org is deployed from the testing or ansible branch.
hitchwiki.org has its own repository and is updated after some time, when beta looks stable enough.

To be merged into ansible branch

6pna4byhdcdyprdc.onion
ncwpcjalalxyxj2247b6ts45dsqlt6ihi5dmb6uuv5c5e45pkfgxm6qd.onion (needs TBB 7.5.x)

In progress

Tasks for HWv3: project roadmap, upcoming: #136 HW gathering in Berlin
development is currently stalled because of a bug in vagrant

Would be nice

scripts/ansible/roles/discourse/tasks/main.yml
run `rgrep 'TODO' scripts/ configs/` to check the code for TODOs
dev: beta as a pre-step towards production with TLS and maildev enabled

Security and stability

ignore_errors: yes: run `rgrep 'ignore_errors: yes'` and check that every line has a comment with a good explanation
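The `ignore_errors` audit above can be automated so that it fails on exactly the hits that have no justification. The script below is an added example for this issue, not part of the Hitchwiki playbooks: it matches what `rgrep 'ignore_errors: yes'` finds (plus the other truthy spellings Ansible accepts) and reports each hit that has neither a trailing comment nor a comment on the line directly above. `SAMPLE_TASKS` is a constructed task file, not one from the repository.

```python
"""Find ignore_errors in Ansible task files that lack a justification.
Added example for the 'Security and stability' item above; it is not part of
the Hitchwiki playbooks. It does what `rgrep 'ignore_errors: yes'` does, then
also flags hits with no comment on the same line or on the line directly above.
SAMPLE_TASKS is a constructed task file, not one from the repository.
"""
import re
from typing import List, Tuple

# Ansible accepts several truthy spellings; grepping for 'yes' alone would miss 'true'.
IGNORE_RE = re.compile(r"^\s*ignore_errors\s*:\s*(yes|true|on|1)\s*(#.*)?$", re.IGNORECASE)


def find_ignores(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_no, stripped line, has_explanation) for every match."""
    lines = text.splitlines()
    hits = []
    for idx, line in enumerate(lines):
        m = IGNORE_RE.match(line)
        if not m:
            continue
        explained = m.group(2) is not None or (idx > 0 and lines[idx - 1].strip().startswith("#"))
        hits.append((idx + 1, line.strip(), explained))
    return hits


def unexplained(text: str) -> List[Tuple[int, str]]:
    """The subset a reviewer should reject: ignore_errors with no reason given."""
    return [(n, line) for n, line, ok in find_ignores(text) if not ok]


# Constructed sample task file: one justified above, one unjustified, one justified inline.
SAMPLE_TASKS = """\
- name: Remove stale lock file
  file:
    path: /var/lock/hw.lock
    state: absent
  # the lock may legitimately not exist on a fresh box
  ignore_errors: yes

- name: Restart apache
  service:
    name: apache2
    state: restarted
  ignore_errors: yes

- name: Run optional cache warm-up
  command: /usr/local/bin/warm-cache
  ignore_errors: true  # best-effort; a cold cache only costs a slow first request
"""

if __name__ == "__main__":
    for line_no, line in unexplained(SAMPLE_TASKS):
        print(f"tasks.yml:{line_no}: {line}  <- no explanation")
```

The one hit it reports is the kind that matters: silently ignoring a failed apache restart means a renewed certificate is never picked up while the play still reports success. A narrower `failed_when` or a `block`/`rescue` is usually the better fix than a blanket `ignore_errors`. The regex does not catch templated values such as `ignore_errors: "{{ some_var }}"`, so those still need to be read by hand; to run it over the tree, read each file found by the `rgrep` above and pass its text to `unexplained`.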