From 344139e75c5c3f4c34b35275338f1169d33173f0 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 9 Apr 2018 21:28:36 +0200
Subject: [PATCH] hackmd: new role (not finished yet)
---
 group_vars/all | 5 ++
 hosts | 1 +
 roles/hackmd/defaults/main.yml | 3 +
 roles/hackmd/handlers/main.yml | 10 ++++
 roles/hackmd/meta_/main.yml | 5 ++
 roles/hackmd/tasks/main.yml | 76 ++++++++++++++++++++++++
 roles/hackmd/templates/certs.j2 | 15 +++++
 roles/hackmd/templates/config.json.j2 | 41 +++++++++++++
 roles/hackmd/templates/hackmd.service.j2 | 13 ++++
 roles/hackmd/templates/vhost.j2 | 32 ++++++++++
 site.yml | 5 ++
 11 files changed, 206 insertions(+)
 create mode 100644 roles/hackmd/defaults/main.yml
 create mode 100644 roles/hackmd/handlers/main.yml
 create mode 100644 roles/hackmd/meta_/main.yml
 create mode 100644 roles/hackmd/tasks/main.yml
 create mode 100644 roles/hackmd/templates/certs.j2
 create mode 100644 roles/hackmd/templates/config.json.j2
 create mode 100644 roles/hackmd/templates/hackmd.service.j2
 create mode 100644 roles/hackmd/templates/vhost.j2
diff --git a/group_vars/all b/group_vars/all
index 3143e9d..4f78c18 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -7,6 +7,11 @@ gogs_dbname: gogs
 gogs_dbuser: gogs
 gogs_dbpass: UbRoiq4fuRL3MvxghPww
 
+hackmd_domain: pad.binary-kitchen.de
+hackmd_dbname: hackmd
+hackmd_dbuser: hackmd
+hackmd_dbpass: oepaich3haob7AoY
+
 ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
diff --git a/hosts b/hosts
index da9de63..6373733 100644
--- a/hosts
+++ b/hosts
@@ -16,3 +16,4 @@ boron.binary-kitchen.net
 carbon.binary-kitchen.net
 nitrogen.binary-kitchen.net
 oxygen.binary-kitchen.net
+fluorine.binary-kitchen.net
diff --git a/roles/hackmd/defaults/main.yml b/roles/hackmd/defaults/main.yml
new file mode 100644
index 0000000..417bf28
--- /dev/null
+++ b/roles/hackmd/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+hackmd_version: 1.1.0-ce
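Review bot: `hackmd_dbpass` is committed as a plaintext secret in `group_vars/all`, next to the existing `gogs_dbpass`, so anyone with read access to the repository or its history holds the database credential. Keep the variable name but move the value into an ansible-vault encrypted vars file (e.g. `hackmd_dbpass: "{{ vault_hackmd_dbpass }}"` here, the real value in the vaulted file) and rotate the password that is now in history. `config.json.j2` also renders `ldap_bindpw`; if that is defined in this file as well, the same treatment applies.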
diff --git a/roles/hackmd/handlers/main.yml b/roles/hackmd/handlers/main.yml
new file mode 100644
index 0000000..4ea4684
--- /dev/null
+++ b/roles/hackmd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Restart hackmd
+ service: name=hackmd state=restarted
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Reload systemd
+ command: systemctl daemon-reload
diff --git a/roles/hackmd/meta_/main.yml b/roles/hackmd/meta_/main.yml
new file mode 100644
index 0000000..8d2c010
--- /dev/null
+++ b/roles/hackmd/meta_/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/hackmd/tasks/main.yml b/roles/hackmd/tasks/main.yml
new file mode 100644
index 0000000..f97c914
--- /dev/null
+++ b/roles/hackmd/tasks/main.yml
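Review bot: `Reload systemd` shells out with `command: systemctl daemon-reload`, which Ansible always reports as changed and runs outside the module layer; the `systemd` module covers the same step as `systemd: daemon_reload=yes`. `Restart hackmd` could use that module too, `systemd: name=hackmd state=restarted`, so the three handlers share one module. This is style only; on a systemd host the behaviour is the same.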
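Review bot: The dependency list lives in `roles/hackmd/meta_/main.yml`, but Ansible reads role metadata only from `meta/main.yml`, so `certmgr` and `nginx` with `nginx_ssl: True` are not applied before this role; the tasks then write under `/etc/nginx/sites-available` and `/etc/acme/domains.d/`, which presumably those two roles provide. If the trailing underscore is a deliberate way to keep the dependencies off while the role is unfinished, as the subject line suggests, a `# disabled until the role is finished: rename to meta/` comment at the top of the file would make that intent visible; otherwise rename the directory to `meta`.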
@@ -0,0 +1,76 @@
+---
+
+- name: Create user
+ user: name=hackmd
+
+- name: Enable https for apt
+ apt: name=apt-transport-https
+
+- name: Enable nodesource apt-key
+ apt_key: url='https://deb.nodesource.com/gpgkey/nodesource.gpg.key'
+
+- name: Enable nodesource repository
+ apt_repository: repo='deb https://deb.nodesource.com/node_8.x stretch main'
+
+- name: Install packages
+ apt: name={{ item }}
+ with_items:
+ - build-essential
+ - git
+ - nodejs
+ - postgresql
+ - python-psycopg2
+
+- name: Unpack hackmd
+ unarchive: src=https://github.com/hackmdio/hackmd/archive/{{hackmd_version}}.tar.gz dest=/opt owner=hackmd remote_src=yes creates=/opt/hackmd-{{hackmd_version}}
+ register: hackmd_unarchive
+
+- name: Setup hackmd
+ command: bin/setup chdir=/opt/hackmd-{{hackmd_version}} creates=/opt/hackmd-{{hackmd_version}}/config.json
+ become: true
+ become_user: hackmd
+
+- name: Configure hackmd
+ template: src=config.json.j2 dest=/opt/hackmd-{{hackmd_version}}/config.json owner=hackmd
+ notify: Restart hackmd
+ register: hackmd_config
+
+- name: Build hackmd frontend
+ command: /usr/bin/npm run build chdir=/opt/hackmd-{{hackmd_version}}
+ become: true
+ become_user: hackmd
+ when: hackmd_unarchive.changed or hackmd_config.changed
+
+- name: Configure PostgreSQL database
+ postgresql_db: name={{ hackmd_dbname }}
+ become: true
+ become_user: postgres
+
+- name: Configure PostgreSQL user
+ postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
+ become: true
+ become_user: postgres
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager for hackmd
+ template: src=certs.j2 dest=/etc/acme/domains.d/{{ hackmd_domain }}.conf
+
+- name: Configure vhost
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
+ notify: Restart nginx
+
+- name: Enable vhost
+ file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
+ notify: Restart nginx
+
+- name: Systemd unit for hackmd
+ template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
+ notify:
+ - Reload systemd
+ - Restart hackmd
+
+- name: Start the hackmd service
+ service: name=hackmd state=started enabled=yes
diff --git a/roles/hackmd/templates/certs.j2 b/roles/hackmd/templates/certs.j2
new file mode 100644
index 0000000..649e94a
--- /dev/null
+++ b/roles/hackmd/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ hackmd_domain }}:
+- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
new file mode 100644
index 0000000..b7d7430
--- /dev/null
+++ b/roles/hackmd/templates/config.json.j2
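Review bot: `Configure hackmd` writes `config.json`, which carries the database password and the LDAP bind credentials, with `owner=hackmd` but no `mode`, so the file takes the default umask and is typically readable by every local user; add `mode=0600` to that template task. Earlier in the same hunk, `Enable nodesource apt-key` trusts whatever key the URL serves — pinning it with `id=<KEY_FINGERPRINT placeholder>` makes the task fail on a substituted key — and `Unpack hackmd` extracts a tarball fetched from GitHub with no integrity check, so the release is not verified; fetching it with `get_url` plus `checksum=sha256:<DIGEST placeholder>` and unarchiving the local copy gives the same tree from a pinned artifact. `Create user` also creates a regular login account; `user: name=hackmd system=yes shell=/usr/sbin/nologin` is enough for a service account that only runs `app.js`.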
@@ -0,0 +1,41 @@
+{
+ "production": {
+ "_domain": "{{ hackmd_domain }}",
+ "_hsts": {
+ "enable": true,
+ "maxAgeSeconds": "31536000",
+ "includeSubdomains": true,
+ "preload": true
+ },
+ "csp": {
+ "enable": true,
+ "directives": {
+ },
+ "upgradeInsecureRequests": "auto",
+ "addDefaults": true,
+ "addDisqus": true,
+ "addGoogleAnalytics": true
+ },
+ "db": {
+ "username": "{{ hackmd_dbuser }}",
+ "password": "{{ hackmd_dbpass }}",
+ "database": "{{ hackmd_dbname }}",
+ "host": "localhost",
+ "port": "5432",
+ "dialect": "postgres"
+ },
+ "ldap": {
+ "url": "{{ ldap_uri }}",
+ "bindDn": "{{ ldap_binddn }}",
+ "bindCredentials": "{{ ldap_bindpw }}",
+ "searchBase": "{{ ldap_base }}",
+ "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
+ "searchAttributes": ["cn"],
+ "usernameField": "cn",
+ "useridField": "uid",
+ "tlsOptions": {
+ "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+ }
+ }
+ }
+}
diff --git a/roles/hackmd/templates/hackmd.service.j2 b/roles/hackmd/templates/hackmd.service.j2
new file mode 100644
index 0000000..157357a
--- /dev/null
+++ b/roles/hackmd/templates/hackmd.service.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=HackMD
+After=network.target
+
+[Service]
+Environment=NODE_ENV=production
+Type=simple
+User=hackmd
+ExecStart=/usr/bin/node /opt/hackmd-{{hackmd_version}}/app.js
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/hackmd/templates/vhost.j2 b/roles/hackmd/templates/vhost.j2
new file mode 100644
index 0000000..9718af8
--- /dev/null
+++ b/roles/hackmd/templates/vhost.j2
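Review bot: The `ldap.tlsOptions` block still holds the `changeme` placeholder, so the bind with `{{ ldap_bindpw }}` against `{{ ldap_uri }}` runs with whatever TLS verification the LDAP client applies by default; before this goes live the block should carry the site CA that `group_vars/all` already names as `ldap_ca` (per the node tls documentation the hunk links, `ca` is the option tls.connect reads — confirm how HackMD passes it through). `csp.addDisqus` and `csp.addGoogleAnalytics` are `true`, which widens the Content-Security-Policy to those third-party origins on a self-hosted pad that, as far as this hunk shows, embeds neither; `false` for both keeps the policy to what the role deploys. `_domain` and `_hsts` are written with a leading underscore, which reads as a deliberately disabled setting — if so, a Jinja comment in the template saying why, or dropping the keys, avoids a reader assuming HSTS is on.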
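Review bot: The unit orders itself only `After=network.target`, while `config.json.j2` points the app at PostgreSQL on `localhost`, so at boot `hackmd` can come up before the database and is left to `Restart=on-failure` to recover; `After=network.target postgresql.service` expresses the dependency. The process also runs without any sandboxing: `NoNewPrivileges=true` and `ProtectSystem=full` under `[Service]` are safe defaults for a node process that needs only its tree under `/opt` and loopback sockets. The unit is complete within the hunk.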
@@ -0,0 +1,32 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ hackmd_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ hackmd_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ hackmd_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
+
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://localhost:3000;
+ }
+
+}
diff --git a/site.yml b/site.yml
index 9361b33..8200079 100644
--- a/site.yml
+++ b/site.yml
@@ -61,3 +61,8 @@
 roles:
 - ldap-pam
 - member-sw
+
+- name: Setup hackmd server
+ hosts: fluorine.binary-kitchen.net
+ roles:
+ - hackmd
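Review bot: The `location /` block in the 443 server forwards only `X-Real-IP`, so the backend sees neither the original `Host` nor that the client arrived over HTTPS (`X-Forwarded-Proto`), and the plain `proxy_pass` without `proxy_http_version 1.1` plus `Upgrade`/`Connection` headers will not carry WebSocket upgrades, which HackMD's collaborative editing relies on as far as I recall — worth confirming against the HackMD reverse-proxy docs. Neither server sends `Strict-Transport-Security`; since the `_hsts` block in `config.json.j2` looks disabled, `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server is the natural place for it. The TLS server carries no `ssl_protocols`/`ssl_ciphers`, presumably because the nginx role with `nginx_ssl: True` sets them globally — confirm that, since the dependency is declared under `meta_/` and is not pulled in automatically.
```nginx
server {
    listen 443 ssl http2;
    # … unchanged: listen [::]:443, server_name, ssl_certificate_key, ssl_certificate …

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://localhost:3000;
    }
}
```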