chef-gallery

Cookbooks for the Chef configuration management system


Description

Installs and configures Gallery v3.0.x, a web-based (LAMP) image/video/file gallery, as well as gallery-contrib modules and themes. http://galleryproject.org/

Requirements

  • Linux
  • Apache 2.2+
  • MySQL 5+
  • PHP 5.2.3+

http://codex.galleryproject.org/Gallery3:Requirements

Platform

  • Ubuntu 12.04+
  • Debian 7.0+

Cookbooks

Requires Opscode's openssl, mysql, database, git, php, ark, certificate, and apache2 cookbooks. See Attributes and Usage for more information.

Attributes

Database Attributes

  • node['gallery']['dbname'] - MySQL Database name to use for this gallery installation (defaults to "gallerydb")
  • node['gallery']['dbuser'] - Username gallery will use when communicating with a local or remote MySQL server (defaults to "galleryuser")
  • node['gallery']['dbpass'] - Gallery user's MySQL database password randomly generated by OpenSSL
  • node['gallery']['dbhost'] - Hostname gallery will use when communicating with a local or remote MySQL server (defaults to "localhost")
  • node['gallery']['dbrole'] - Chef role name the gallery cookbook can search to get node data for a remote MySQL database server; only applies when node['gallery']['uselocalmysqld'] is false
  • node['gallery']['userlocalmysqld'] - Set this attribute to true if you want to install a local instance of mysqld on the same server that will run gallery. If set to false you will need to modify other gallery database attributes to point at the remote database server

Web/Apache/SSL Attributes

  • node['gallery']['wwwname'] - Hostname users will use to reach this gallery installation (default is "gallery3.example.com")
  • node['gallery']['wwwdir'] - The install directory which is also served via Apache2 (defaults to "/var/www/gallery")
  • node['gallery']['adminemail'] - Email address of the gallery site administrator (defaults to "postmaster@example.com")
  • node['gallery']['webserver_apache2'] - Toggle whether to install and configure Apache2 for the Gallery install or to perform no webserver installation at all (default is "true" to install Apache2)
  • node['gallery']['adminpass'] - Randomly generated password credentials for the 'admin' user in the Gallery Administrative Web UI. This is a local non-LDAP account created inside the gallerydb during gallery installation
  • node['gallery']['apachessl'] - Toggle whether to use SSL/HTTPS. Recommended for live/production authentication; by default SSL/HTTPS is not used so that testing stays simple without certificate management (default is false)
  • node['gallery']['sslcertmode'] - The mode 'none' skips any kind of certificate management; 'default', 'wildcard', and 'manage_by_attributes' behave like the recipes of the same names in the http://community.opscode.com/cookbooks/certificate cookbook (default is none)
  • node['gallery']['sslcertfile'] - The PEM formatted SSL certificate file used in HTTPS communications (default is "/etc/ssl/certs/#{node[:fqdn]}.pem")
  • node['gallery']['sslkeyfile'] - The SSL certificate private key file used in HTTPS communications (default is "/etc/ssl/private/#{node[:fqdn]}.key")
  • node['gallery']['sslchainfile'] - The PEM formatted SSL certificate file used in HTTPS communications to complete the chain of trust between web browsers, web servers, and your chosen Certificate Authorities (default is "/etc/ssl/certs/#{node[:hostname]}-bundle.crt")

Gallery Core and Contrib Install Attributes

  • node['gallery']['gitinstall'] - Toggle between installing gallery via Git (true) or via an HTTP URL to an official gallery zip file on some other repository (false). Mostly useful if you want to be less reliant on external repositories and bring them in-house (default is true)
  • node['gallery']['version'] - The current gallery version being managed (default is "3.0.9")
  • node['gallery']['gitrepo'] - Git repository for Gallery 3 install files (default is "git://github.com/gallery/gallery3.git")
  • node['gallery']['zipurl'] - HTTP URL for Gallery 3 install files (default is "https://github.com/gallery/gallery3/archive/3.0.x.zip")
  • node['gallery']['contribzipurl'] - HTTP URL for Gallery 3 contrib modules and theme files (default is "https://github.com/gallery/gallery3-contrib/archive/master.zip")
  • node['gallery']['gitcontribrepo'] - Git repository for Gallery 3 contrib modules and theme files (default is "git://github.com/gallery/gallery3-contrib.git")

PHP Image/File Upload Attributes

  • node['gallery']['php']['upload_max_filesize'] - The PHP directive to limit the maximum size of an uploaded file (default is "256M")
  • node['gallery']['php']['memory_limit'] - The PHP directive to limit the amount of memory in bytes that a script is allowed to allocate (default is "512M")
  • node['gallery']['php']['post_max_size'] - The PHP directive to limit the post data allowed (default is "256M")
  • node['gallery']['php']['max_file_uploads'] - The PHP directive to set the number of allowed simultaneous uploads (default "25")

contrib-themes Attributes

  • node['gallery']['contribthemes'] - Toggle whether you want to install any of the contrib themes or not (default is true)
  • node['gallery']['themeslist'] - An array of each contrib theme to copy from the contrib-themes install directory into the current gallery install (default is all of them [ 'browny_admin_wind', 'browny_wind', 'pear4gallery3', 'smk', 'sobriety', 'three_nids' ])

contrib-modules Attributes

By default almost all modules will be installed but there are attributes for each module if you want more granular control.

Note: Once a module is installed it still needs to be activated in the Admin -> Modules section of the Gallery Web UI.

Warning: The gallery contrib modules and themes are unsupported. Certain combinations will cause upload problems, break authentication systems badly, and set fire to your precious data. Test modules carefully on another machine before using them on your primary gallery servers. The LDAP module was especially attractive to me, but failing to configure the module correctly against my LDAP server completely broke all access until I got the LDAP module's config exactly right or restored the db to revert the change.

  • node['gallery']['contribmodules'] - Toggle whether you want to install any of the contrib modules or not. Contrib modules are unsupported by the gallery team and certain combinations can interact badly; use with care, but some are very useful (default is true)

  • node['gallery']['module']['modulename'] - Toggle whether you want to install a particular module or not (default is to install almost all modules). Note that you still must activate individual modules in Gallery's Administrative Web UI

  • node['gallery']['ldapmodule']['allgroups'] - Fill this array with all of the LDAP groups you want mapped to gallery groups. At a minimum you will probably want one non-authenticated user group (an 'everybody' group) and one registered users group (default is [ "Administrators", "Guest" ])

  • node['gallery']['ldapmodule']['everybody_group'] - Often a 'guest' type group, this is used by non-authenticated users (default is "Guest")

  • node['gallery']['ldapmodule']['regusergroup'] - Any members of this LDAP group are deemed 'registered' by Gallery (default is "Administrators")

  • node['gallery']['ldapmodule']['adminusers'] - Any LDAP users listed in this array are granted full administrative privileges to Gallery. Note activation of the LDAP module completely disables the local galleryadmin user (default is [ "joe", "bob" ] )

  • node['gallery']['ldapmodule']['ldaphost'] - LDAP protocol URI to the LDAP server's hostname or IP address (default is "ldaps://ldap1.example.com")

  • node['gallery']['ldapmodule']['groupdn'] - Distinguished Name for setting LDAP Group Search Scope (default is "ou=Groups,dc=example,dc=com")

  • node['gallery']['ldapmodule']['userdn'] - Distinguished Name for setting LDAP User Search Scope (default is "ou=People,dc=example,dc=com")

Data Bags and Encryption

If node['gallery']['sslcertmode'] is set to 'none' (the default), no encrypted data bags are read and no certificate deployment occurs. Use this if you want to manage certificate deploys some other way than with the certificate cookbook.

Any other sslcertmode uses the certificate cookbook for certificate deploys via its 'default', 'wildcard', or 'manage_by_attributes' recipe, all of which depend on encrypted data bags as documented at http://community.opscode.com/cookbooks/certificate.

The certificate cookbook does not create any certificates; it only deploys the certs, keys, and chain files stored in encrypted data bags. Note that when bootstrapping new servers that use the certificate cookbook for SSL certificate deployment, you will need to copy the encrypted_key_file to both the server and any knife management clients that update the certificates.

Usage

recipe[gallery] in your run_list should build a stand-alone Gallery installation.

It is recommended to make a role which includes recipe[gallery] and sets override_attributes for the wwwname attribute at a minimum. Once Gallery is installed, use knife to examine the node data for the Gallery server ('knife node show gallery3.example.com -Fj') and look for node['gallery']['adminpass']. Now log in as 'admin' with the adminpass from the node data.

Below is a more complex config that deploys an unlimited wildcard SSL certificate/key/CA chain from an encrypted data bag and also configures anonymous-bind OpenLDAP LDAP/SSL authentication.

$ cat roles/gallery.json
{
  "name": "gallery",
  "description": "Apache2 Web Gallery",
  "run_list": [
    "recipe[gallery]"
  ],
  "override_attributes": {
    "gallery": {
      "wwwname": "gallery3.example.com",
      "adminemail": "postmaster@example.com",
      "apachessl": true,
      "sslcertmode": "wildcard",
      "ldapmodule": {
        "allgroups": [ "sysadmin", "guest" ],
        "regusergroup": "sysadmin",
        "everybody_group": "guest",
        "adminusers": [ "joe", "bob" ],
        "ldaphost": "ldaps://ldap.domain.com/",
        "userdn": "ou=People,dc=domain,dc=com",
        "groupdn": "ou=Groups,dc=domain,dc=com"
      }
    }
  }
}
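A pre-upload sanity check for a role file like the one above, written here as an added Ruby example (not part of the cookbook). It encodes the constraints the attribute descriptions give: wwwname must be set, sslcertmode 'none' means the cookbook deploys no certificate files, and activating the LDAP module disables the local admin, so adminusers must not be empty. The requirement that ldaphost use ldaps:// and that regusergroup/everybody_group appear in allgroups is my reading of the example and attribute list, not cookbook logic; the sample role is constructed.

```ruby
require 'json'

# Constructed sample role in the shape of roles/gallery.json (not the cookbook's own file).
SAMPLE_ROLE = <<~'JSON'
{
  "name": "gallery", "run_list": ["recipe[gallery]"],
  "override_attributes": { "gallery": {
    "wwwname": "gallery3.example.com", "apachessl": true, "sslcertmode": "wildcard",
    "ldapmodule": {
      "allgroups": ["sysadmin", "guest"], "regusergroup": "sysadmin",
      "everybody_group": "guest", "adminusers": ["joe", "bob"],
      "ldaphost": "ldaps://ldap.domain.com/",
      "userdn": "ou=People,dc=domain,dc=com", "groupdn": "ou=Groups,dc=domain,dc=com"
    } } }
}
JSON

# Return an array of finding strings; an empty array means the role passes every check.
def check_gallery_role(role)
  g = role.fetch('override_attributes', {}).fetch('gallery', {})
  ldap = g['ldapmodule']
  findings = []
  # The README asks for wwwname to be overridden at a minimum.
  findings << 'wwwname is not set' if g['wwwname'].to_s.empty?
  # HTTPS enabled but sslcertmode 'none': the cookbook will not deploy cert/key/chain files.
  if g['apachessl'] && (g['sslcertmode'].nil? || g['sslcertmode'] == 'none')
    findings << 'apachessl is true with sslcertmode none: certificate files must be deployed by other means'
  end
  return findings unless ldap
  # LDAP logins over plain HTTP send directory credentials in the clear.
  findings << 'ldapmodule configured but apachessl is false' unless g['apachessl']
  # Assumed check: bind and search traffic should be TLS-protected, as in the README example.
  findings << 'ldaphost does not use ldaps://' unless ldap['ldaphost'].to_s.start_with?('ldaps://')
  # Activating the LDAP module disables the local admin user, so an empty list locks out administration.
  findings << 'adminusers is empty: no administrator after LDAP activation' if Array(ldap['adminusers']).empty?
  # Assumed check: groups referenced individually must be among the mapped groups.
  all = Array(ldap['allgroups'])
  %w[regusergroup everybody_group].each do |k|
    findings << "#{k} '#{ldap[k]}' is not in allgroups" unless all.include?(ldap[k])
  end
  findings
end

def check_gallery_role_json(text)
  check_gallery_role(JSON.parse(text))
end

result = check_gallery_role_json(SAMPLE_ROLE)
puts(result.empty? ? 'role passes' : result)
```

Run it against your own roles/gallery.json before 'knife role from file' to catch a lock-out or plaintext-LDAP configuration early.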

License and Authors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.