Prefix variables with mattermost_
This commit is contained in:
parent
be33260c47
commit
0454f29dac
@ -1,13 +1,13 @@
---
|
||||
# defaults file for vars
|
||||
system_dep: "['git', 'nginx', 'postgresql', 'python3-psycopg2', 'certbot', 'acl']"
|
||||
version: '7.8.1'
|
||||
download_url: "https://releases.mattermost.com/{{ version }}/mattermost-team-{{ version }}-linux-amd64.tar.gz"
|
||||
domains: ['example.domain.org']
|
||||
certbot_admin_email: 'mgauthier@evolix.ca'
|
||||
home_base: '/home'
|
||||
mm_port: '8065'
|
||||
db_host: '127.0.0.1'
|
||||
db_name: "{{ service }}"
|
||||
db_user: "{{ service }}"
|
||||
db_password: 'UQ6_CHANGE_ME_Gzb'
|
||||
mattermost_system_dep: "['git', 'nginx', 'postgresql', 'python3-psycopg2', 'certbot', 'acl']"
|
||||
mattermost_version: '7.8.1'
|
||||
mattermost_download_url: "https://releases.mattermost.com/{{ mattermost_version }}/mattermost-team-{{ mattermost_version }}-linux-amd64.tar.gz"
|
||||
mattermost_domains: ['example.domain.org']
|
||||
mattermost_certbot_admin_email: 'mgauthier@evolix.ca'
|
||||
mattermost_home_base: '/home'
|
||||
mattermost_app_port: '8065'
|
||||
mattermost_db_host: '127.0.0.1'
|
||||
mattermost_db_name: "{{ mattermost_service }}"
|
||||
mattermost_db_user: "{{ mattermost_service }}"
|
||||
mattermost_db_password: 'UQ6_CHANGE_ME_Gzb'
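Review bot: `mattermost_db_password: 'UQ6_CHANGE_ME_Gzb'` ships a concrete password as a role default, so any deployment that forgets to override it ends up with a PostgreSQL role whose password is public in this repository and which is also baked into the Mattermost `DataSource` DSN. Prefer no default at all (Ansible then fails on the undefined variable before anything is created), or guard it with an early task such as `- assert: { that: mattermost_db_password != 'UQ6_CHANGE_ME_Gzb', fail_msg: 'set mattermost_db_password, ideally from vault' }`. The defaults also keep `mattermost_certbot_admin_email` at a personal mailbox; an `example.org` placeholder would avoid registering ACME accounts to that address when a user does not override it. `mattermost_db_name` and `mattermost_db_user` reference `mattermost_service`, which is not defined in this file — presumably it is expected from the playbook, and a comment saying so would help.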
@ -3,47 +3,47 @@
- name: Install main system dependencies
|
||||
apt:
|
||||
name: "{{ system_dep }}"
|
||||
name: "{{ mattermost_system_dep }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Add UNIX account
|
||||
user:
|
||||
name: "{{ service }}"
|
||||
name: "{{ mattermost_service }}"
|
||||
shell: /bin/bash
|
||||
home: "{{ home_base }}/{{ service }}"
|
||||
home: "{{ mattermost_home_base }}/{{ mattermost_service }}"
|
||||
|
||||
- name: Add PostgreSQL user
|
||||
postgresql_user:
|
||||
name: "{{ db_user }}"
|
||||
password: "{{ db_password }}"
|
||||
name: "{{ mattermost_db_user }}"
|
||||
password: "{{ mattermost_db_password }}"
|
||||
no_password_changes: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Add PostgreSQL database
|
||||
postgresql_db:
|
||||
name: "{{ db_name }}"
|
||||
owner: "{{ db_user }}"
|
||||
name: "{{ mattermost_db_name }}"
|
||||
owner: "{{ mattermost_db_user }}"
|
||||
become_user: postgres
|
||||
|
||||
- name: Unarchive mattermost archive
|
||||
unarchive:
|
||||
src: "{{ download_url }}"
|
||||
src: "{{ mattermost_download_url }}"
|
||||
dest: ~/
|
||||
remote_src: yes
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: Create the mattermost data dir if needed
|
||||
file:
|
||||
path: ~/mattermost/data
|
||||
state: directory
|
||||
mode: '0750'
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: Template mattermost conf file
|
||||
template:
|
||||
src: "config.json.j2"
|
||||
dest: "~/mattermost/config/config.json"
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: Template mattermost systemd unit
|
||||
template:
@ -52,7 +52,7 @@
- name: Start mattermost systemd unit
|
||||
service:
|
||||
name: "mattermost@{{ service }}"
|
||||
name: "mattermost@{{ mattermost_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: Template nginx snippet for Let's Encrypt/Certbot
@ -62,7 +62,7 @@
- name: Check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ mattermost_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: Generate certificate only if required (first time)
@ -70,11 +70,11 @@
- name: Template vhost without SSL for successfull LE challengce
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
|
||||
- name: Enable temporary nginx vhost for mattermost
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
||||
src: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ mattermost_service }}.conf"
|
||||
state: link
|
||||
- name: Reload nginx conf
|
||||
service:
@ -86,7 +86,7 @@
state: directory
|
||||
mode: '0755'
|
||||
- name: Generate certificate with certbot
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ mattermost_certbot_admin_email }} -d {{ mattermost_domains |first }}
|
||||
- name: Create the ssl dir if needed
|
||||
file:
|
||||
path: /etc/nginx/ssl
@ -95,23 +95,23 @@
- name: Template ssl bloc for nginx vhost
|
||||
template:
|
||||
src: "ssl.conf.j2"
|
||||
dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
|
||||
dest: "/etc/nginx/ssl/{{ mattermost_domains |first }}.conf"
|
||||
when: ssl.stat.exists != true
|
||||
|
||||
- name: (Re)check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ mattermost_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: (Re)template conf file for nginx vhost with SSL
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
|
||||
|
||||
- name: Enable nginx vhost for mattermost
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
||||
src: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ mattermost_service }}.conf"
|
||||
state: link
|
||||
|
||||
- name: Reload nginx conf
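Review bot: `src: "{{ mattermost_download_url }}"` on the `Unarchive mattermost archive` task fetches and extracts the release tarball with `remote_src: yes` and no integrity check, so the only thing standing between the host and a tampered archive is the TLS session to releases.mattermost.com. Download it first with `get_url` and a pinned `checksum:` (Mattermost publishes SHA-256 sums per release), then unarchive the local file; the rewritten tasks are below and need a `mattermost_download_checksum` default next to `mattermost_version`. Separately, the `Generate certificate with certbot` task interpolates `mattermost_certbot_admin_email` and `mattermost_domains | first` into a `shell:` line unquoted; `{{ mattermost_certbot_admin_email | quote }}` and `{{ mattermost_domains | first | quote }}` keep a stray space or metacharacter in inventory from becoming shell syntax, or switch to `command:` since no shell feature is used there. This section's first hunk starts at line 3 of the file, so earlier tasks are outside the view.

```yaml
- name: Download mattermost archive
  get_url:
    url: "{{ mattermost_download_url }}"
    dest: "~/mattermost-{{ mattermost_version }}.tar.gz"
    checksum: "{{ mattermost_download_checksum }}"
    mode: "0640"
  become_user: "{{ mattermost_service }}"

- name: Unarchive mattermost archive
  unarchive:
    src: "~/mattermost-{{ mattermost_version }}.tar.gz"
    dest: ~/
    remote_src: yes
  become_user: "{{ mattermost_service }}"

# … unchanged: data dir, config template, systemd unit, nginx/certbot tasks …
```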
@ -3,29 +3,29 @@
- name: Start mattermost systemd unit
|
||||
service:
|
||||
name: "mattermost@{{ service }}"
|
||||
name: "mattermost@{{ mattermost_service }}"
|
||||
state: stopped
|
||||
|
||||
- name: set current date and time as a fact
|
||||
set_fact: backup_date="{{ ansible_date_time.iso8601_basic_short }}"
|
||||
|
||||
- name: backup current mattermost files
|
||||
command: "mv ~/mattermost/ ~/mattermost_{{ backup_date }}"
|
||||
become_user: "{{ service }}"
|
||||
command: "mv ~/mattermost/ ~/mattermost_{{ mattermost_backup_date }}"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: Dump database to a file with compression
|
||||
postgresql_db:
|
||||
name: "{{ db_name }}"
|
||||
name: "{{ mattermost_db_name }}"
|
||||
state: dump
|
||||
target: "~/{{ db_name }}.sql.gz"
|
||||
target: "~/{{ mattermost_db_name }}.sql.gz"
|
||||
become_user: postgres
|
||||
|
||||
- name: Unarchive new mattermost archive
|
||||
unarchive:
|
||||
src: "{{ download_url }}"
|
||||
src: "{{ mattermost_download_url }}"
|
||||
dest: ~/
|
||||
remote_src: yes
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: restore dirs from backup
|
||||
copy:
@ -33,16 +33,16 @@
dest: ~/mattermost
|
||||
remote_src: true
|
||||
loop:
|
||||
- "~/mattermost_{{ backup_date }}/config"
|
||||
- "~/mattermost_{{ backup_date }}/data"
|
||||
- "~/mattermost_{{ backup_date }}/logs"
|
||||
- "~/mattermost_{{ backup_date }}/plugins"
|
||||
- "~/mattermost_{{ backup_date }}/client/plugins"
|
||||
become_user: "{{ service }}"
|
||||
- "~/mattermost_{{ mattermost_backup_date }}/config"
|
||||
- "~/mattermost_{{ mattermost_backup_date }}/data"
|
||||
- "~/mattermost_{{ mattermost_backup_date }}/logs"
|
||||
- "~/mattermost_{{ mattermost_backup_date }}/plugins"
|
||||
- "~/mattermost_{{ mattermost_backup_date }}/client/plugins"
|
||||
become_user: "{{ mattermost_service }}"
|
||||
|
||||
- name: Start mattermost systemd unit
|
||||
service:
|
||||
name: "mattermost@{{ service }}"
|
||||
name: "mattermost@{{ mattermost_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: Reload nginx conf
@ -56,7 +56,7 @@
- name: Remove database dump
|
||||
file:
|
||||
path: "~/{{ db_name }}.sql.gz"
|
||||
path: "~/{{ mattermost_db_name }}.sql.gz"
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: keep_db_dump is undefined
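Review bot: `~/mattermost_{{ mattermost_backup_date }}` in the `backup current mattermost files` task and in the `restore dirs from backup` loop reads a variable this commit never defines: the `set current date and time as a fact` task still sets `backup_date`, so the upgrade now stops on an undefined variable right after Mattermost has been stopped (assuming `mattermost_backup_date` is not supplied elsewhere). Rename the fact to match, `set_fact:` / `mattermost_backup_date: "{{ ansible_date_time.iso8601_basic_short }}"`, which also replaces the `key=value` shorthand with block YAML. `keep_db_dump` on the `Remove database dump` task was likewise left unprefixed; `mattermost_keep_db_dump` keeps the role's namespace consistent. The dump at `~/{{ mattermost_db_name }}.sql.gz` holds the whole database in the postgres home directory, so when it is kept its mode is worth pinning as well.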
@ -1,9 +1,9 @@
{
|
||||
"ServiceSettings": {
|
||||
"SiteURL": "http://{{ domains | first }}",
|
||||
"SiteURL": "http://{{ mattermost_domains | first }}",
|
||||
"WebsocketURL": "",
|
||||
"LicenseFileLocation": "",
|
||||
"ListenAddress": "127.0.0.1:{{ mm_port }}",
|
||||
"ListenAddress": "127.0.0.1:{{ mattermost_app_port }}",
|
||||
"ConnectionSecurity": "",
|
||||
"TLSCertFile": "",
|
||||
"TLSKeyFile": "",
@ -136,7 +136,7 @@
},
|
||||
"SqlSettings": {
|
||||
"DriverName": "postgres",
|
||||
"DataSource": "postgres://{{ db_user }}:{{ db_password }}@{{ db_host }}:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",
|
||||
"DataSource": "postgres://{{ mattermost_db_user }}:{{ mattermost_db_password }}@{{ mattermost_db_host }}:5432/{{ mattermost_db_name }}?sslmode=disable&connect_timeout=10",
|
||||
"DataSourceReplicas": [],
|
||||
"DataSourceSearchReplicas": [],
|
||||
"MaxIdleConns": 20,
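Review bot: the `DataSource` DSN sets `sslmode=disable`, so if `mattermost_db_host` is ever pointed at anything other than the `127.0.0.1` default, the database password and every query cross the network in the clear. Make it a variable, `sslmode={{ mattermost_db_sslmode }}`, defaulting to `disable` for the loopback case and documented as `require`/`verify-full` for remote hosts; the password should also go through `{{ mattermost_db_password | urlencode }}`, since a `@`, `/` or `#` in it otherwise corrupts the URL. `"SiteURL": "http://{{ mattermost_domains | first }}"` is the other line worth a look: the nginx vhost in this same commit serves the site on 443, and Mattermost builds the links it emits (and, as far as I recall, its origin checks) from SiteURL, so `https://` is probably the intended value once the certificate exists. The template continues outside both hunks.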
@ -7,8 +7,8 @@ Requires=postgresql.service
[Service]
|
||||
Type=notify
|
||||
Restart=always
|
||||
WorkingDirectory={{ home_base }}/%i/mattermost
|
||||
ExecStart=/{{ home_base }}/%i/mattermost/bin/mattermost
|
||||
WorkingDirectory={{ mattermost_home_base }}/%i/mattermost
|
||||
ExecStart=/{{ mattermost_home_base }}/%i/mattermost/bin/mattermost
|
||||
TimeoutStartSec=3600
|
||||
LimitNOFILE=49152
|
||||
RestartSec=10
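Review bot: `ExecStart=/{{ mattermost_home_base }}/%i/mattermost/bin/mattermost` puts a leading slash in front of a variable whose default is already absolute (`/home`), producing `//home/<svc>/mattermost/bin/mattermost`; systemd tolerates the double slash, but `WorkingDirectory=` on the line above is written without it, so `ExecStart={{ mattermost_home_base }}/%i/mattermost/bin/mattermost` is the consistent form. The visible `[Service]` stanza also shows no `User=`/`Group=` line; if the unit does not set one outside this hunk, each instance runs as root, and `User=%i` plus basic confinement (`NoNewPrivileges=true`, `ProtectSystem=strict`, `ReadWritePaths={{ mattermost_home_base }}/%i/mattermost`) would be worth evaluating against what Mattermost needs to write. The unit file continues past the end of the hunk.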
@ -2,8 +2,8 @@
# Certificates
|
||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||
##
|
||||
ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ mattermost_domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ mattermost_domains | first }}/privkey.pem;
|
||||
|
||||
##
|
||||
# Security hardening (as of Nov 15, 2020)
@ -1,12 +1,12 @@
upstream backend_{{ service }} {
|
||||
server 127.0.0.1:{{ mm_port }};
|
||||
upstream backend_{{ mattermost_service }} {
|
||||
server 127.0.0.1:{{ mattermost_app_port }};
|
||||
keepalive 32;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ domains | first }};
|
||||
server_name {{ mattermost_domains | first }};
|
||||
|
||||
# For certbot
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
@ -21,13 +21,13 @@ server {
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name {{ domains | first }};
|
||||
server_name {{ mattermost_domains | first }};
|
||||
|
||||
access_log /var/log/nginx/{{ service }}.access.log;
|
||||
error_log /var/log/nginx/{{ service }}.error.log;
|
||||
access_log /var/log/nginx/{{ mattermost_service }}.access.log;
|
||||
error_log /var/log/nginx/{{ mattermost_service }}.error.log;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
||||
include /etc/nginx/ssl/{{ mattermost_domains | first }}.conf;
|
||||
|
||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
||||
proxy_set_header Upgrade $http_upgrade;
@ -46,7 +46,7 @@ server {
proxy_connect_timeout 90;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 90s;
|
||||
proxy_pass http://backend_{{ service }};
|
||||
proxy_pass http://backend_{{ mattermost_service }};
|
||||
}
|
||||
|
||||
location / {
@ -67,7 +67,7 @@ server {
#proxy_cache_use_stale timeout;
|
||||
#proxy_cache_lock on;
|
||||
proxy_http_version 1.1;
|
||||
proxy_pass http://backend_{{ service }};
|
||||
proxy_pass http://backend_{{ mattermost_service }};
|
||||
}
|
||||
}
|
||||
{% endif %}