hackmd: use docker instead of native setup

group_vars/all/vars.yml

@@ -35,8 +35,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
 hedgedoc_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hackmd
-hedgedoc_dbuser: hackmd
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
 hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
 hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
 

roles/hackmd/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-hedgedoc_version: 1.9.3
-hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

roles/hackmd/tasks/main.yml

@@ -1,84 +1,25 @@
 ---
 
-- name: Create user
-  user: name=hackmd
-
-- name: Enable nodesource apt-key
-  apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
-
-- name: Enable nodesource repository
-  apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
-
-- name: Enable yarnpkg apt-key
-  apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
-
-- name: Enable yarnpkg repository
-  apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
-
-- name: Pin nodejs repository
-  blockinfile:
-    path: /etc/apt/preferences.d/nodejs
-    create: yes
-    block: |
-      Package: *
-      Pin: origin deb.nodesource.com
-      Pin-Priority: 600
-
 - name: Install packages
   apt:
     name:
-    - build-essential
-    - git
-    - nodejs
-    - postgresql
-    - python3-psycopg2
-    - yarn
+    - docker-compose
 
-- name: Unpack hedgedoc
-  unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
-  register: hedgedoc_unarchive
+- name: Create hedgedoc group
+  group: name=hedgedoc
 
-- name: Create hedgedoc upload path
-  file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
+- name: Create hedgedoc user
+  user:
+    name: hedgedoc
+    home: /opt/hedgedoc
+    shell: /bin/bash
+    group: hedgedoc
+    groups: docker
 
-- name: Remove old hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
-
-- name: Link hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
-
-- name: Setup hedgedoc
-  command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
-  become: true
-  become_user: hackmd
-
-- name: Configure hedgedoc
-  template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
-  register: hedgedoc_config
+- name: Configure hedgedoc container
+  template: src=docker-compose.yml.j2 dest=/opt/hedgedoc/docker-compose.yml
   notify: Restart hedgedoc
 
-- name: Install hedgedoc frontend deps
-  command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Build hedgedoc frontend
-  command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ hedgedoc_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
 - name: Ensure certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
   notify: Restart nginx

roles/hackmd/templates/config.json.j2

@@ -1,45 +0,0 @@
-{
-    "production": {
-        "domain": "{{ hedgedoc_domain }}",
-        "protocolUseSSL": true,
-        "allowAnonymous": false,
-        "allowAnonymousEdits": true,
-        "allowFreeURL": true,
-        "sessionSecret": "{{ hedgedoc_secret }}",
-        "hsts": {
-            "enable": true,
-            "maxAgeSeconds": 2592000,
-            "includeSubdomains": true,
-            "preload": true
-        },
-        "csp": {
-            "enable": true,
-            "directives": {
-            },
-            "upgradeInsecureRequests": "auto",
-            "addDefaults": true,
-            "addDisqus": true,
-            "addGoogleAnalytics": true
-        },
-        "db": {
-            "username": "{{ hedgedoc_dbuser }}",
-            "password": "{{ hedgedoc_dbpass }}",
-            "database": "{{ hedgedoc_dbname }}",
-            "host": "localhost",
-            "port": "5432",
-            "dialect": "postgres"
-        },
-        "ldap": {
-            "url": "{{ ldap_uri }}",
-            "bindDn": "{{ ldap_binddn }}",
-            "bindCredentials": "{{ ldap_bindpw }}",
-            "searchBase": "{{ ldap_base }}",
-            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
-            "searchAttributes": ["cn", "uid"],
-            "usernameField": "cn",
-            "useridField": "uid",
-            "tlsca": "/etc/ssl/certs/ca-certificates.crt"
-        },
-        "email": false
-    }
-}

roles/hackmd/templates/docker-compose.yml.j2

@@ -0,0 +1,45 @@
+version: "3"
+services:
+  database:
+    image: postgres:13.4-alpine
+    environment:
+      - POSTGRES_USER={{ hedgedoc_dbuser }}
+      - POSTGRES_PASSWORD={{ hedgedoc_dbpass }}
+      - POSTGRES_DB={{ hedgedoc_dbname }}
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    restart: unless-stopped
+  app:
+    image: quay.io/hedgedoc/hedgedoc:1.9.3
+    environment:
+      - CMD_DOMAIN={{ hedgedoc_domain }}
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ANONYMOUS=false
+      - CMD_ALLOW_ANONYMOUS_EDITS=true
+      - CMD_ALLOW_FREEURL=true
+      - CMD_SESSION_SECRET={{ hedgedoc_secret }}
+      - CMD_HSTS_ENABLE=true
+      - CMD_HSTS_MAX_AGE=2592000
+      - CMD_HSTS_INCLUDE_SUBDOMAINS=true
+      - CMD_HSTS_PRELOAD=true
+      - CMD_CSP_ENABLE=true
+      - CMD_DB_URL=postgres://{{ hedgedoc_dbuser }}:{{ hedgedoc_dbpass }}@database:5432/{{ hedgedoc_dbname }}
+      - CMD_LDAP_URL={{ ldap_uri }}
+      - CMD_LDAP_BINDDN={{ ldap_binddn }}
+      - CMD_LDAP_BINDCREDENTIALS={{ ldap_bindpw }}
+      - CMD_LDAP_SEARCHBASE={{ ldap_base }}
+      - CMD_LDAP_SEARCHFILTER=(uid={{ '{{' }}username{{ '}}' }})
+      - CMD_LDAP_SEARCHATTRIBUTES=cn,uid
+      - CMD_LDAP_USERIDFIELD=uid
+      - CMD_LDAP_USERNAMEFIELD=cn
+      - CMD_LDAP_TLS_CA=/etc/ssl/certs/ca-certificates.crt
+      - CMD_EMAIL=false
+    volumes:
+      - /etc/hosts:/etc/hosts:ro
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - ./uploads:/hedgedoc/public/uploads
+    ports:
+      - "127.0.0.1:3000:3000"
+    restart: unless-stopped
+    depends_on:
+      - database

roles/hackmd/templates/hedgedoc.service.j2

@@ -1,14 +1,28 @@
 [Unit]
-Description=HedgeDoc
-After=network.target
+Description=hedgedoc service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
 
 [Service]
-Environment=NODE_ENV=production
-WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
 Type=simple
-User=hackmd
-ExecStart=/usr/bin/yarn start
-Restart=on-failure
+
+User=hedgedoc
+Group=hedgedoc
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/hedgedoc
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
 
 [Install]
 WantedBy=multi-user.target