From 3be8cce6d84137e6139af515008dca9d5640d102 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Thu, 22 Jul 2021 16:51:57 +0200
Subject: [PATCH] workadventure: new role for workadventure

---
 group_vars/all/vars.yml | 2 +
 host_vars/barium.binary-kitchen.net | 2 +
 roles/workadventure/handlers/main.yml | 13 ++++
 roles/workadventure/meta/main.yml | 6 ++
 roles/workadventure/tasks/main.yml | 29 +++++++
 roles/workadventure/templates/certs.j2 | 15 ++++
 roles/workadventure/templates/vhost.j2 | 76 +++++++++++++++++++
 .../templates/workadventure.service.j2 | 27 +++++++
 site.yml | 4 +-
 9 files changed, 171 insertions(+), 3 deletions(-)
 create mode 100644 host_vars/barium.binary-kitchen.net
 create mode 100644 roles/workadventure/handlers/main.yml
 create mode 100644 roles/workadventure/meta/main.yml
 create mode 100644 roles/workadventure/tasks/main.yml
 create mode 100644 roles/workadventure/templates/certs.j2
 create mode 100644 roles/workadventure/templates/vhost.j2
 create mode 100644 roles/workadventure/templates/workadventure.service.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 346d3cf..ae01429 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -150,3 +150,5 @@ root_keys:
 slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
+
+workadventure_domain: wa.binary-kitchen.de
diff --git a/host_vars/barium.binary-kitchen.net b/host_vars/barium.binary-kitchen.net
new file mode 100644
index 0000000..62ab007
--- /dev/null
+++ b/host_vars/barium.binary-kitchen.net
@@ -0,0 +1,2 @@
+root_keys_host:
+- "ssh-rsa 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 noby"
diff --git a/roles/workadventure/handlers/main.yml b/roles/workadventure/handlers/main.yml
new file mode 100644
index 0000000..8eba7bd
--- /dev/null
+++ b/roles/workadventure/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Restart workadventure
+  service: name=workadventure state=restarted
diff --git a/roles/workadventure/meta/main.yml b/roles/workadventure/meta/main.yml
new file mode 100644
index 0000000..d801fb5
--- /dev/null
+++ b/roles/workadventure/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: docker }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/workadventure/tasks/main.yml b/roles/workadventure/tasks/main.yml
new file mode 100644
index 0000000..c88b434
--- /dev/null
+++ b/roles/workadventure/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+
+# TODO
+# source code is not yet checked out from git
+
+- name: Install systemd unit
+  template: src=workadventure.service.j2 dest=/lib/systemd/system/workadventure.service
+  notify:
+    - Reload systemd
+    - Restart workadventure
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ workadventure_domain }}.key -out /etc/nginx/ssl/{{ workadventure_domain }}.crt -days 730 -subj "/CN={{ workadventure_domain }}" creates=/etc/nginx/ssl/{{ workadventure_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for workadventure
+  template: src=certs.j2 dest=/etc/acertmgr/{{ workadventure_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/workadventure
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/workadventure dest=/etc/nginx/sites-enabled/workadventure state=link
+  notify: Restart nginx
+
+- name: Enable workadventure
+  service: name=workadventure enabled=yes
diff --git a/roles/workadventure/templates/certs.j2 b/roles/workadventure/templates/certs.j2
new file mode 100644
index 0000000..d741e5e
--- /dev/null
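Review bot: The bootstrap task `Ensure certificates are available` in tasks/main.yml writes a private key via `openssl req -keyout` and nothing in the task restricts its mode, so the key in /etc/nginx/ssl ends up with whatever the process umask yields (typically world-readable) until acertmgr replaces it with its own `perm: '400'` copy. A follow-up task closes that window: `- name: Restrict bootstrap key permissions` / `  file: path=/etc/nginx/ssl/{{ workadventure_domain }}.key owner=root group=root mode=0400`. The same task also assumes /etc/nginx/ssl already exists, presumably created by the nginx role pulled in with `nginx_ssl: True` in meta/main.yml; `creates=` only skips the command, it does not create the directory, so this is worth confirming. The `# TODO` comment is accurate in that nothing here checks out the source the unit and vhost point at, so the role is not yet converging on its own.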
+++ b/roles/workadventure/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }}:
+- path: /etc/nginx/ssl/{{ workadventure_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ workadventure_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/workadventure/templates/vhost.j2 b/roles/workadventure/templates/vhost.j2
new file mode 100644
index 0000000..4837879
--- /dev/null
+++ b/roles/workadventure/templates/vhost.j2
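Review bot: Both entries in certs.j2 use `action: '/usr/sbin/service nginx restart'`, so every certificate renewal does a full restart of nginx; a `reload` is enough for nginx to pick up new key and certificate files and it keeps the long-lived WebSocket connections proxied by the pusher vhost alive, e.g. `action: '/usr/sbin/service nginx reload'`. With two entries for the same renewal the action also fires twice per renewal, which is harmless but worth a one-line comment if it is intentional.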
@@ -0,0 +1,76 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }};
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        alias /var/www/acme-challenge;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ workadventure_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
+
+    location / {
+        root /opt/workadventure/source/landing/dist;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name play.{{ workadventure_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
+
+    location / {
+        root /opt/workadventure/source/front/dist;
+        try_files $uri uri/ /index.html?$args;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name pusher.{{ workadventure_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
+
+    location / {
+        proxy_pass http://localhost:8002;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name uploader.{{ workadventure_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
+
+    location / {
+        proxy_pass http://localhost:8005;
+    }
+}
diff --git a/roles/workadventure/templates/workadventure.service.j2 b/roles/workadventure/templates/workadventure.service.j2
new file mode 100644
index 0000000..79acd43
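Review bot: `try_files $uri uri/ /index.html?$args;` in the play.{{ workadventure_domain }} server block is missing the `$` on its second argument, so nginx checks for a literal path `uri/` under the front/dist root instead of the requested directory and directory requests always fall through to /index.html; it should read `try_files $uri $uri/ /index.html?$args;`. In the pusher block `proxy_set_header Connection "Upgrade";` is sent unconditionally, so ordinary HTTP requests to the pusher also arrive with an Upgrade connection header; the usual fix is a `map $http_upgrade $connection_upgrade` in the http context and `proxy_set_header Connection $connection_upgrade;` here. None of the 443 blocks set TLS protocol or cipher directives or HSTS, which I assume are inherited from the nginx role enabled with `nginx_ssl: True` — worth confirming, since otherwise these vhosts run with nginx defaults.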
--- /dev/null
+++ b/roles/workadventure/templates/workadventure.service.j2
@@ -0,0 +1,27 @@
+[Unit]
+Description=WorkAdventure service using docker compose
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=simple
+
+User=workadventure
+Group=workadventure
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/workadventure/source/
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose -f docker-compose.bk.yaml up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site.yml b/site.yml
index 890eb82..72dbe4a 100644
--- a/site.yml
+++ b/site.yml
@@ -124,6 +124,4 @@
 - name: Setup WorkAdventure host
   hosts: barium.binary-kitchen.net
   roles:
-    - acertmgr
-    - nginx
-    - docker
+    - workadventure
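Review bot: `ExecStartPre` and `ExecStop` both run `docker-compose -f docker-compose.bk.yaml down -v`, so every stop, every `Restart=always` recovery and every `Restart workadventure` handler run (triggered whenever the unit template changes) removes the compose project's volumes; if docker-compose.bk.yaml — not part of this patch — declares volumes that hold state, that data is discarded on each restart. If the wipe is intentional, say so next to the existing comment, e.g. `# -v is deliberate: the stack keeps no state in volumes`; otherwise drop `-v` from both lines and keep it only for a manual teardown. The unit also runs as `User=workadventure`, which needs to be able to talk to the Docker daemon (effectively root-equivalent access), and nothing in this patch creates that user, grants it that access, or checks out the source into /opt/workadventure/source/, so the unit cannot start from a fresh run of the role yet; the `# TODO` in tasks/main.yml acknowledges the checkout but not the user.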