hackmd: new role (not finished yet)

2018-04-09 21:28:36 +02:00 · 2018-04-09 21:28:36 +02:00 · 344139e75c
commit 344139e75c
parent 37137ae18c
11 changed files with 206 additions and 0 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -7,6 +7,11 @@ gogs_dbname: gogs
 gogs_dbuser: gogs
 gogs_dbpass: UbRoiq4fuRL3MvxghPww
 hackmd_domain: pad.binary-kitchen.de
 hackmd_dbname: hackmd
 hackmd_dbuser: hackmd
 hackmd_dbpass: oepaich3haob7AoY
 ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
--- a/1
+++ b/1
@ -16,3 +16,4 @@ boron.binary-kitchen.net
 carbon.binary-kitchen.net
 nitrogen.binary-kitchen.net
 oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
--- a/roles/hackmd/defaults/main.yml
+++ b/roles/hackmd/defaults/main.yml
@ -0,0 +1,3 @@
 ---
 hackmd_version: 1.1.0-ce
--- a/roles/hackmd/handlers/main.yml
+++ b/roles/hackmd/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 - name: Restart hackmd
  service: name=hackmd state=restarted
 - name: Restart nginx
  service: name=nginx state=restarted
 - name: Reload systemd
  command: systemctl daemon-reload
--- a/roles/hackmd/meta_/main.yml
+++ b/roles/hackmd/meta_/main.yml
@ -0,0 +1,5 @@
 ---
 dependencies:
 - { role: certmgr }
 - { role: nginx, nginx_ssl: True }
--- a/roles/hackmd/tasks/main.yml
+++ b/roles/hackmd/tasks/main.yml
@ -0,0 +1,76 @@
 ---
 - name: Create user
  user: name=hackmd
 - name: Enable https for apt
  apt: name=apt-transport-https
 - name: Enable nodesource apt-key
  apt_key: url='https://deb.nodesource.com/gpgkey/nodesource.gpg.key'
 - name: Enable nodesource repository
  apt_repository: repo='deb https://deb.nodesource.com/node_8.x stretch main'
 - name: Install packages
  apt: name={{ item }}
  with_items:
  - build-essential
  - git
  - nodejs
  - postgresql
  - python-psycopg2
 - name: Unpack hackmd
  unarchive: src=https://github.com/hackmdio/hackmd/archive/{{hackmd_version}}.tar.gz dest=/opt owner=hackmd remote_src=yes creates=/opt/hackmd-{{hackmd_version}}
  register: hackmd_unarchive
 - name: Setup hackmd
  command: bin/setup chdir=/opt/hackmd-{{hackmd_version}} creates=/opt/hackmd-{{hackmd_version}}/config.json
  become: true
  become_user: hackmd
 - name: Configure hackmd
  template: src=config.json.j2 dest=/opt/hackmd-{{hackmd_version}}/config.json owner=hackmd
  notify: Restart hackmd
  register: hackmd_config
 - name: Build hackmd frontend
  command: /usr/bin/npm run build chdir=/opt/hackmd-{{hackmd_version}}
  become: true
  become_user: hackmd
  when: hackmd_unarchive.changed or hackmd_config.changed
 - name: Configure PostgreSQL database
  postgresql_db: name={{ hackmd_dbname }}
  become: true
  become_user: postgres
 - name: Configure PostgreSQL user
  postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
  become: true
  become_user: postgres
 - name: Ensure certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
  notify: Restart nginx
 - name: Configure certificate manager for hackmd
  template: src=certs.j2 dest=/etc/acme/domains.d/{{ hackmd_domain }}.conf
 - name: Configure vhost
  template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
  notify: Restart nginx
 - name: Enable vhost
  file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
  notify: Restart nginx
 - name: Systemd unit for hackmd
  template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
  notify:
  - Reload systemd
  - Restart hackmd
 - name: Start the hackmd service
  service: name=hackmd state=started enabled=yes
--- a/roles/hackmd/templates/certs.j2
+++ b/roles/hackmd/templates/certs.j2
@ -0,0 +1,15 @@
 ---
 {{ hackmd_domain }}:
 - path: /etc/nginx/ssl/{{ hackmd_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
 - path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
  user: root
  group: root
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service nginx restart'
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@ -0,0 +1,41 @@
 {
    "production": {
        "_domain": "{{ hackmd_domain }}",
        "_hsts": {
            "enable": true,
            "maxAgeSeconds": "31536000",
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
            "addDisqus": true,
            "addGoogleAnalytics": true
        },
        "db": {
            "username": "{{ hackmd_dbuser }}",
            "password": "{{ hackmd_dbpass }}",
            "database": "{{ hackmd_dbname }}",
            "host": "localhost",
            "port": "5432",
            "dialect": "postgres"
        },
        "ldap": {
            "url": "{{ ldap_uri }}",
            "bindDn": "{{ ldap_binddn }}",
            "bindCredentials": "{{ ldap_bindpw }}",
            "searchBase": "{{ ldap_base }}",
            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
            "searchAttributes": ["cn"],
            "usernameField": "cn",
            "useridField": "uid",
            "tlsOptions": {
                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
            }
        }
    }
 }
--- a/roles/hackmd/templates/hackmd.service.j2
+++ b/roles/hackmd/templates/hackmd.service.j2
@ -0,0 +1,13 @@
 [Unit]
 Description=HackMD
 After=network.target
 [Service]
 Environment=NODE_ENV=production
 Type=simple
 User=hackmd
 ExecStart=/usr/bin/node /opt/hackmd-{{hackmd_version}}/app.js
 Restart=on-failure
 [Install]
 WantedBy=multi-user.target
--- a/roles/hackmd/templates/vhost.j2
+++ b/roles/hackmd/templates/vhost.j2
@ -0,0 +1,32 @@
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ hackmd_domain }};
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
 		alias /var/www/acme-challenge;
 	}
 	location / {
 		return 301 https://{{ hackmd_domain }}$request_uri;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ hackmd_domain }};
 	ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
 	location / {
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_pass http://localhost:3000;
 	}
 }
--- a/site.yml
+++ b/site.yml
@ -61,3 +61,8 @@
  roles:
  - ldap-pam
  - member-sw
 - name: Setup hackmd server
  hosts: fluorine.binary-kitchen.net
  roles:
  - hackmd