Meza/Secret config

The secret config directory, located at , holds information about multiple Meza environments. Each environment sub-directory contains the following:


 * (encrypted)
 * The  file, AKA "Inventory" file (not encrypted)
 * SSL certs (encrypted)

secret.yml
The secret config file, located at , holds sensitive information such as passwords.

What's in this file that users want to change?

 * : This is the fully qualified domain name for your server. If you're using Vagrant, it's just the virtual machine's IP address (probably ). For enterprisemediawiki.org this value is
 * Add SAML info per Meza/Setup SAML authentication

Editing the encrypted file
The secret.yml file is encrypted automatically by Meza because it stores passwords and other sensitive information. This allows the file to be kept in a version control system with greater security. It makes the file harder to work with, however, because you must use special commands to edit it. To do so, perform the steps below. It is well understood that this is an incredibly cumbersome process and it needs to be simplified.


 * 1) First, set a variable called   to your desired Meza environment. This is likely   or   but could be anything if you explicitly set up an environment. For example, paste the following into your terminal if your environment is  :
 * 2) Then run the following   command, which decrypts the   file and opens it for editing (the path below may not be correct; use find /opt/conf-meza/ -name "*vault*" to locate the file):
 * 3) Edit the file using the Vi editor.
 * 4) Save the file by typing .
 * 5) Run   to apply your configuration changes to your server.

Variable-level encryption
Your secret.yml file may not be fully encrypted. Instead, only individual variables within it may be encrypted. Read this documentation for details.

If you need to view an encrypted variable, this reference is helpful. Here's an example (note the @ before the path: ansible's -e option reads variables from a file only when the argument starts with @; without it the path is treated as a literal key=value string):

```shell
sudo ansible localhost -m debug -a var='my_password' -e "@/opt/conf-meza/secret/$meza_env/secret.yml" --vault-password-file "/opt/conf-meza/vault/vault-pass-$meza_env.txt"
```
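The two layouts described above (a fully vault-encrypted file versus a file where only some variables carry a !vault block) look very different on disk, and the practical question for an operator is whether any password-like value has been left in cleartext. The audit below is an added example, not part of Meza; it assumes Ansible Vault's on-disk formats (a whole-file vault begins with a "$ANSIBLE_VAULT;" header line; a variable-level value is written as "key: !vault |" followed by an indented ciphertext block), handles only the flat top-level key: value mapping that secret.yml uses, and needs no third-party modules. The variable names and ciphertext in the sample are constructed placeholders.

```python
"""Audit a Meza-style secret.yml for values left in cleartext.

Added example, not Meza's own tooling. Assumes Ansible Vault's on-disk
layouts: a fully encrypted file starts with "$ANSIBLE_VAULT;", and a
variable-level encrypted value is "key: !vault |" plus an indented block
that itself starts with "$ANSIBLE_VAULT;".
"""
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Assumed name fragments that mark a value as sensitive. The FQDN variable
# is expected to stay in cleartext, so it is deliberately not matched.
SENSITIVE_HINTS = ("pass", "secret", "key", "token")

# Constructed sample of a variable-level encrypted file. The ciphertext is a
# placeholder, not real ansible-vault output.
SAMPLE_SECRET_YML = """\
# constructed sample
wiki_fqdn: wiki.example.com
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3031323334353637383930313233343536373839
admin_password: hunter2
"""

# Constructed sample of a fully encrypted file (placeholder ciphertext).
SAMPLE_FULLY_ENCRYPTED = """\
$ANSIBLE_VAULT;1.1;AES256
3031323334353637383930313233343536373839
"""


def _vault_block(lines, start):
    """Collect the indented lines that follow a '!vault |' value."""
    block, j = [], start
    while j < len(lines) and (not lines[j].strip() or lines[j][0] in " \t"):
        block.append(lines[j].strip())
        j += 1
    return [b for b in block if b], j


def classify_secret_yml(text):
    """Return (mode, plaintext_keys, vaulted_keys).

    mode is "file" for a whole-file vault, "variable" when at least one
    value is a !vault block, and "plain" when nothing is encrypted.
    """
    if text.lstrip().startswith(VAULT_HEADER):
        return "file", [], []
    plaintext, vaulted = [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^([A-Za-z_][\w-]*):\s*(.*)$", lines[i])
        if not m:
            i += 1  # comment, blank line, or continuation
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("!vault"):
            block, i = _vault_block(lines, i + 1)
            if block and block[0].startswith(VAULT_HEADER):
                vaulted.append(key)
            else:
                plaintext.append(key)  # tag without ciphertext: unprotected
            continue
        plaintext.append(key)
        i += 1
    return ("variable" if vaulted else "plain"), plaintext, vaulted


def unencrypted_sensitive(text):
    """Keys that look sensitive but are stored in cleartext."""
    mode, plaintext, _ = classify_secret_yml(text)
    if mode == "file":
        return []
    return [k for k in plaintext if any(h in k.lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for name, sample in (("variable-level", SAMPLE_SECRET_YML),
                         ("whole-file", SAMPLE_FULLY_ENCRYPTED)):
        mode, plain, vaulted = classify_secret_yml(sample)
        print(name, "->", mode, "plaintext:", plain, "vaulted:", vaulted)
        print("  cleartext secrets:", unencrypted_sensitive(sample))
```

Run it against a decrypted copy of secret.yml (or the variable-level file directly) before committing; any key it reports under "cleartext secrets" should be moved under a !vault block or the file encrypted as a whole.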

file
The hosts file determines where all the parts of your Meza installation go. On a standard "monolithic" installation everything is installed on ; see the next section below. A more interesting setup may distribute parts of the install across many servers; see the second section below.

A standard "monolith" hosts file

```ini
# Ansible inventory (AKA "hosts") file
# http://docs.ansible.com/ansible/intro_inventory.html

# Tell Ansible to use a local connection for localhost
localhost ansible_connection=local

[load-balancers]
localhost

[app-servers]
localhost

[memcached-servers]
localhost

[db-master]
localhost

[db-slaves]
# Note: db-slaves needs to be in the form:
# 1.2.3.4   mysql_server_id=2   # ids must be unique and greater than 1

[parsoid-servers]
localhost

[elastic-servers]
localhost

[backup-servers]
localhost

[logging-servers]
localhost
```

A multi-server hosts file
This hosts file defines a more complicated setup. It does not use Meza's load balancer, but relies on an external one. It has two app servers (running PHP and MediaWiki) that also function as Memcached servers and as the location where backups are dumped. It has one database master and one database replica (slave). Two separate servers run Parsoid, and two run Elasticsearch. Additionally, it is set up to pull backups from example.com.


```ini
# Ansible inventory (AKA "hosts") file
# http://docs.ansible.com/ansible/intro_inventory.html

# Tell Ansible to use a local connection for localhost
localhost ansible_connection=local

[load-balancers]

[load-balancers-unmanaged]
255.1.255.140
255.1.255.141
255.1.255.142

[app-servers]
1.2.3.160
1.2.3.161

[memcached-servers]
1.2.3.160
1.2.3.161

[db-master]
1.2.3.166

[db-slaves]
# Note: db-slaves needs to be in the form:
# 1.2.3.4   mysql_server_id=2   # ids must be unique and greater than 1
1.2.3.167 mysql_server_id=2

[parsoid-servers]
1.2.3.164
1.2.3.165

[elastic-servers]
1.2.3.162
1.2.3.163

[backup-servers]
1.2.3.160
1.2.3.161

[logging-servers]

# Sourcing from example.com
[db-src]
example.com alt_remote_user=src-meza-ansible

[backup-src]
example.com alt_remote_user=src-meza-ansible

[exclude-all]
example.com
```
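Both hosts files above state one rule in a comment only: each db-slaves entry must carry a mysql_server_id that is unique and greater than 1. A mistake there is only discovered once replication is configured, so it is worth checking the inventory before running the deploy. The validator below is an added example, not Meza's own tooling: it parses the plain INI-style inventory shown above (host groups only; Ansible's :children and :vars sections are not handled), checks that every role group from the sample files is present, and enforces the mysql_server_id rule. The list of required groups is taken from the two sample files and is an assumption about what Meza's playbooks expect; the sample inventories are constructed.

```python
"""Validate a Meza-style Ansible inventory ("hosts") file.

Added example, not Meza's own tooling. It handles plain host groups only
(no [group:children] or [group:vars] sections). REQUIRED_GROUPS is taken
from the sample hosts files on this page and is an assumption.
"""
import re

REQUIRED_GROUPS = [
    "load-balancers", "app-servers", "memcached-servers", "db-master",
    "db-slaves", "parsoid-servers", "elastic-servers", "backup-servers",
    "logging-servers",
]

# Constructed sample that mirrors the multi-server hosts file above.
GOOD_INVENTORY = """\
# constructed sample
localhost ansible_connection=local

[load-balancers]

[load-balancers-unmanaged]
255.1.255.140

[app-servers]
1.2.3.160
1.2.3.161

[memcached-servers]
1.2.3.160

[db-master]
1.2.3.166

[db-slaves]
1.2.3.167 mysql_server_id=2   # ids must be unique and greater than 1
1.2.3.168 mysql_server_id=3

[parsoid-servers]
1.2.3.164

[elastic-servers]
1.2.3.162

[backup-servers]
1.2.3.160

[logging-servers]

[db-src]
example.com alt_remote_user=src-meza-ansible
"""

# Constructed broken variant: logging-servers group missing, a duplicated
# server id, a replica with no id, and an id that is not greater than 1.
BAD_INVENTORY = GOOD_INVENTORY.replace("[logging-servers]\n", "").replace(
    "1.2.3.168 mysql_server_id=3",
    "1.2.3.168 mysql_server_id=2\n1.2.3.169\n1.2.3.170 mysql_server_id=1",
)


def parse_inventory(text):
    """Return {group: [(host, {var: value}), ...]}; ungrouped hosts are under ''."""
    groups, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])  # an empty group is still declared
            continue
        host, *pairs = line.split()
        host_vars = dict(p.split("=", 1) for p in pairs if "=" in p)
        groups[current].append((host, host_vars))
    return groups


def validate_inventory(text):
    """Return a list of problems; an empty list means the inventory passes."""
    groups = parse_inventory(text)
    problems = [f"missing group [{g}]" for g in REQUIRED_GROUPS if g not in groups]
    seen_ids = {}
    for host, host_vars in groups.get("db-slaves", []):
        sid = host_vars.get("mysql_server_id")
        if sid is None:
            problems.append(f"db-slaves host {host} has no mysql_server_id")
        elif not sid.isdigit() or int(sid) <= 1:
            problems.append(f"db-slaves host {host}: mysql_server_id={sid} "
                            "must be an integer greater than 1")
        elif sid in seen_ids:
            problems.append(f"db-slaves hosts {seen_ids[sid]} and {host} "
                            f"share mysql_server_id={sid}")
        else:
            seen_ids[sid] = host
    return problems


if __name__ == "__main__":
    for name, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(name, "->", validate_inventory(inv) or "OK")
```

Point it at the real hosts file (read the file and pass its contents to validate_inventory) as a pre-deploy check; the db-slaves checks are the ones most likely to catch a copy-and-paste mistake when a second replica is added.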

SSL cert
SSL certs are contained here, but  puts them where the load balancer needs them.