From 344139e75c5c3f4c34b35275338f1169d33173f0 Mon Sep 17 00:00:00 2001
From: Markus Hauschild <markus@moepman.eu>
Date: Mon, 9 Apr 2018 21:28:36 +0200
Subject: [PATCH] hackmd: new role (not finished yet)

---
 group_vars/all                           |  5 ++
 hosts                                    |  1 +
 roles/hackmd/defaults/main.yml           |  3 +
 roles/hackmd/handlers/main.yml           | 10 ++++
 roles/hackmd/meta_/main.yml              |  5 ++
 roles/hackmd/tasks/main.yml              | 76 ++++++++++++++++++++++++
 roles/hackmd/templates/certs.j2          | 15 +++++
 roles/hackmd/templates/config.json.j2    | 41 +++++++++++++
 roles/hackmd/templates/hackmd.service.j2 | 13 ++++
 roles/hackmd/templates/vhost.j2          | 32 ++++++++++
 site.yml                                 |  5 ++
 11 files changed, 206 insertions(+)
 create mode 100644 roles/hackmd/defaults/main.yml
 create mode 100644 roles/hackmd/handlers/main.yml
 create mode 100644 roles/hackmd/meta_/main.yml
 create mode 100644 roles/hackmd/tasks/main.yml
 create mode 100644 roles/hackmd/templates/certs.j2
 create mode 100644 roles/hackmd/templates/config.json.j2
 create mode 100644 roles/hackmd/templates/hackmd.service.j2
 create mode 100644 roles/hackmd/templates/vhost.j2

diff --git a/group_vars/all b/group_vars/all
index 3143e9d..4f78c18 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -7,6 +7,11 @@ gogs_dbname: gogs
 gogs_dbuser: gogs
 gogs_dbpass: UbRoiq4fuRL3MvxghPww
 
+hackmd_domain: pad.binary-kitchen.de
+hackmd_dbname: hackmd
+hackmd_dbuser: hackmd
+hackmd_dbpass: oepaich3haob7AoY
+
 ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
diff --git a/hosts b/hosts
index da9de63..6373733 100644
--- a/hosts
+++ b/hosts
@@ -16,3 +16,4 @@ boron.binary-kitchen.net
 carbon.binary-kitchen.net
 nitrogen.binary-kitchen.net
 oxygen.binary-kitchen.net
+fluorine.binary-kitchen.net
diff --git a/roles/hackmd/defaults/main.yml b/roles/hackmd/defaults/main.yml
new file mode 100644
index 0000000..417bf28
--- /dev/null
+++ b/roles/hackmd/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+hackmd_version: 1.1.0-ce
diff --git a/roles/hackmd/handlers/main.yml b/roles/hackmd/handlers/main.yml
new file mode 100644
index 0000000..4ea4684
--- /dev/null
+++ b/roles/hackmd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Restart hackmd
+  service: name=hackmd state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Reload systemd
+  command: systemctl daemon-reload
diff --git a/roles/hackmd/meta_/main.yml b/roles/hackmd/meta_/main.yml
new file mode 100644
index 0000000..8d2c010
--- /dev/null
+++ b/roles/hackmd/meta_/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/hackmd/tasks/main.yml b/roles/hackmd/tasks/main.yml
new file mode 100644
index 0000000..f97c914
--- /dev/null
+++ b/roles/hackmd/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+
+- name: Create user
+  user: name=hackmd
+
+- name: Enable https for apt
+  apt: name=apt-transport-https
+
+- name: Enable nodesource apt-key
+  apt_key: url='https://deb.nodesource.com/gpgkey/nodesource.gpg.key'
+
+- name: Enable nodesource repository
+  apt_repository: repo='deb https://deb.nodesource.com/node_8.x stretch main'
+
+- name: Install packages
+  apt: name={{ item }}
+  with_items:
+  - build-essential
+  - git
+  - nodejs
+  - postgresql
+  - python-psycopg2
+
+- name: Unpack hackmd
+  unarchive: src=https://github.com/hackmdio/hackmd/archive/{{hackmd_version}}.tar.gz dest=/opt owner=hackmd remote_src=yes creates=/opt/hackmd-{{hackmd_version}}
+  register: hackmd_unarchive
+
+- name: Setup hackmd
+  command: bin/setup chdir=/opt/hackmd-{{hackmd_version}} creates=/opt/hackmd-{{hackmd_version}}/config.json
+  become: true
+  become_user: hackmd
+
+- name: Configure hackmd
+  template: src=config.json.j2 dest=/opt/hackmd-{{hackmd_version}}/config.json owner=hackmd
+  notify: Restart hackmd
+  register: hackmd_config
+
+- name: Build hackmd frontend
+  command: /usr/bin/npm run build chdir=/opt/hackmd-{{hackmd_version}}
+  become: true
+  become_user: hackmd
+  when: hackmd_unarchive.changed or hackmd_config.changed
+
+- name: Configure PostgreSQL database
+  postgresql_db: name={{ hackmd_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for hackmd
+  template: src=certs.j2 dest=/etc/acme/domains.d/{{ hackmd_domain }}.conf
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
+  notify: Restart nginx
+
+- name: Systemd unit for hackmd
+  template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
+  notify:
+  - Reload systemd
+  - Restart hackmd
+
+- name: Start the hackmd service
+  service: name=hackmd state=started enabled=yes
diff --git a/roles/hackmd/templates/certs.j2 b/roles/hackmd/templates/certs.j2
new file mode 100644
index 0000000..649e94a
--- /dev/null
+++ b/roles/hackmd/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ hackmd_domain }}:
+- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
new file mode 100644
index 0000000..b7d7430
--- /dev/null
+++ b/roles/hackmd/templates/config.json.j2
@@ -0,0 +1,41 @@
+{
+    "production": {
+        "_domain": "{{ hackmd_domain }}",
+        "_hsts": {
+            "enable": true,
+            "maxAgeSeconds": "31536000",
+            "includeSubdomains": true,
+            "preload": true
+        },
+        "csp": {
+            "enable": true,
+            "directives": {
+            },
+            "upgradeInsecureRequests": "auto",
+            "addDefaults": true,
+            "addDisqus": true,
+            "addGoogleAnalytics": true
+        },
+        "db": {
+            "username": "{{ hackmd_dbuser }}",
+            "password": "{{ hackmd_dbpass }}",
+            "database": "{{ hackmd_dbname }}",
+            "host": "localhost",
+            "port": "5432",
+            "dialect": "postgres"
+        },
+        "ldap": {
+            "url": "{{ ldap_uri }}",
+            "bindDn": "{{ ldap_binddn }}",
+            "bindCredentials": "{{ ldap_bindpw }}",
+            "searchBase": "{{ ldap_base }}",
+            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
+            "searchAttributes": ["cn"],
+            "usernameField": "cn",
+            "useridField": "uid",
+            "tlsOptions": {
+                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+            }
+        }
+    }
+}
diff --git a/roles/hackmd/templates/hackmd.service.j2 b/roles/hackmd/templates/hackmd.service.j2
new file mode 100644
index 0000000..157357a
--- /dev/null
+++ b/roles/hackmd/templates/hackmd.service.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=HackMD
+After=network.target
+
+[Service]
+Environment=NODE_ENV=production
+Type=simple
+User=hackmd
+ExecStart=/usr/bin/node /opt/hackmd-{{hackmd_version}}/app.js
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/hackmd/templates/vhost.j2 b/roles/hackmd/templates/vhost.j2
new file mode 100644
index 0000000..9718af8
--- /dev/null
+++ b/roles/hackmd/templates/vhost.j2
@@ -0,0 +1,32 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ hackmd_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ hackmd_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ hackmd_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
+
+
+	location / {
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://localhost:3000;
+	}
+
+}
diff --git a/site.yml b/site.yml
index 9361b33..8200079 100644
--- a/site.yml
+++ b/site.yml
@@ -61,3 +61,8 @@
   roles:
   - ldap-pam
   - member-sw
+
+- name: Setup hackmd server
+  hosts: fluorine.binary-kitchen.net
+  roles:
+  - hackmd