hedgedoc_ prefix for role vars
This commit is contained in:
parent
bdb6ccb02d
commit
0ce1e1d701
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
# defaults file for mastodon
|
||||
system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot', 'npm']"
|
||||
git_url: 'https://github.com/hedgedoc/hedgedoc.git'
|
||||
git_version: '1.9.7'
|
||||
node_version: 'node_18.x' # Node 18 is NOT supported as of May 2023; See https://docs.hedgedoc.org/setup/manual-setup/
|
||||
node_port: '3000'
|
||||
service: 'example'
|
||||
domains: ['example.domain.org']
|
||||
certbot_admin_email: 'mgauthier@evolix.ca'
|
||||
hedgedoc_system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot']"
|
||||
hedgedoc_git_url: 'https://github.com/hedgedoc/hedgedoc.git'
|
||||
hedgedoc_git_version: '1.9.9'
|
||||
hedgedoc_node_version: 'node_18.x'
|
||||
hedgedoc_node_port: '3000'
|
||||
hedgedoc_service: 'example'
|
||||
hedgedoc_domains: ['example.domain.org']
|
||||
hedgedoc_certbot_admin_email: 'security@example.org'
|
||||
|
||||
db_host: 'localhost'
|
||||
db_user: "{{ service }}"
|
||||
db_name: "{{ service }}"
|
||||
db_password: 'CHANGE_ME'
|
||||
hedgedoc_db_host: 'localhost'
|
||||
hedgedoc_db_user: "{{ hedgedoc_service }}"
|
||||
hedgedoc_db_name: "{{ hedgedoc_service }}"
|
||||
hedgedoc_db_password: 'CHANGE_ME'
|
||||
|
|
|
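Review bot: `hedgedoc_db_password: 'CHANGE_ME'` (the last new line of the hunk) is a placeholder the role will use as the real PostgreSQL password for the `hedgedoc_service` user whenever a caller forgets to override it, and the commit adds no guard against that. Add an early task in tasks/main.yml along the lines of `- name: Refuse to run with the placeholder DB password` / `assert:` / `that: hedgedoc_db_password != 'CHANGE_ME'`, or leave the default empty and assert it is non-empty. Two smaller things in the same hunk: the header comment still reads `# defaults file for mastodon` and should name hedgedoc, and the old warning that Node 18 was unsupported was dropped from `hedgedoc_node_version` without replacement — if HedgeDoc 1.9.9 now supports it, a short comment pointing at the setup docs would record that; otherwise the warning should stay. `hedgedoc_system_dep` is also a quoted string that merely looks like a list; a real YAML list avoids relying on Ansible's string-to-list conversion.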
@ -3,45 +3,45 @@
|
|||
|
||||
- name: Install main system dependencies
|
||||
apt:
|
||||
name: "{{ system_dep }}"
|
||||
name: "{{ hedgedoc_system_dep }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Install node-gyp from npm
|
||||
shell: npm install --global node-gyp corepack
|
||||
#- name: Install node-gyp from npm
|
||||
# shell: npm install --global node-gyp corepack
|
||||
|
||||
- name: Enable yarn (via corepack)
|
||||
shell: "corepack enable"
|
||||
#- name: Enable yarn (via corepack)
|
||||
# shell: "corepack enable"
|
||||
|
||||
- name: Fix permissions
|
||||
file:
|
||||
path: /usr/local/lib/node_modules
|
||||
mode: g+rx,o+rx
|
||||
recurse: yes
|
||||
#- name: Fix permissions
|
||||
# file:
|
||||
# path: /usr/local/lib/node_modules
|
||||
# mode: g+rx,o+rx
|
||||
# recurse: yes
|
||||
|
||||
- name: Add UNIX account
|
||||
user:
|
||||
name: "{{ service }}"
|
||||
name: "{{ hedgedoc_service }}"
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Add PostgreSQL user
|
||||
postgresql_user:
|
||||
name: "{{ db_user }}"
|
||||
password: "{{ db_password }}"
|
||||
name: "{{ hedgedoc_db_user }}"
|
||||
password: "{{ hedgedoc_db_password }}"
|
||||
no_password_changes: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Add PostgreSQL database
|
||||
postgresql_db:
|
||||
name: "{{ db_name }}"
|
||||
owner: "{{ db_user }}"
|
||||
name: "{{ hedgedoc_db_name }}"
|
||||
owner: "{{ hedgedoc_db_user }}"
|
||||
become_user: postgres
|
||||
|
||||
- block:
|
||||
- name: Clone hedgedoc repo (git)
|
||||
git:
|
||||
repo: "{{ git_url }}"
|
||||
repo: "{{ hedgedoc_git_url }}"
|
||||
dest: "~/hedgedoc/"
|
||||
version: "{{ git_version | default(omit) }}"
|
||||
version: "{{ hedgedoc_git_version | default(omit) }}"
|
||||
update: yes
|
||||
umask: '0022'
|
||||
# - name: Set cache dir for yarn
|
||||
|
@ -60,30 +60,30 @@
|
|||
shell: "yarn build"
|
||||
args:
|
||||
chdir: "~/hedgedoc"
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ hedgedoc_service }}"
|
||||
|
||||
- name: Template json config file
|
||||
template:
|
||||
src: "config.json.j2"
|
||||
dest: "~{{ service }}/hedgedoc/config.json"
|
||||
owner: "{{ service }}"
|
||||
group: "{{ service }}"
|
||||
dest: "~{{ hedgedoc_service }}/hedgedoc/config.json"
|
||||
owner: "{{ hedgedoc_service }}"
|
||||
group: "{{ hedgedoc_service }}"
|
||||
mode: "0640"
|
||||
|
||||
- name: Add systemd unit
|
||||
template:
|
||||
src: "hedgedoc.service.j2"
|
||||
dest: "/etc/systemd/system/{{ service }}.service"
|
||||
dest: "/etc/systemd/system/{{ hedgedoc_service }}.service"
|
||||
|
||||
- name: Enable systemd units
|
||||
systemd:
|
||||
name: "{{ service }}.service"
|
||||
name: "{{ hedgedoc_service }}.service"
|
||||
enabled: yes
|
||||
daemon_reload: yes
|
||||
|
||||
- name: Start service
|
||||
service:
|
||||
name: "{{ service }}.service"
|
||||
name: "{{ hedgedoc_service }}.service"
|
||||
state: restarted
|
||||
|
||||
- name: Template nginx snippet for Let's Encrypt/Certbot
|
||||
|
@ -93,7 +93,7 @@
|
|||
|
||||
- name: Check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: Generate certificate only if required (first time)
|
||||
|
@ -101,11 +101,11 @@
|
|||
- name: Template vhost without SSL for successfull LE challengce
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}"
|
||||
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||
- name: Enable temporary nginx vhost for LE
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
||||
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
|
||||
state: link
|
||||
- name: Reload nginx conf
|
||||
service:
|
||||
|
@ -117,7 +117,7 @@
|
|||
state: directory
|
||||
mode: '0755'
|
||||
- name: Generate certificate with certbot
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ hedgedoc_certbot_admin_email }} -d {{ hedgedoc_domains |first }}
|
||||
- name: Create the ssl dir if needed
|
||||
file:
|
||||
path: /etc/nginx/ssl
|
||||
|
@ -126,23 +126,23 @@
|
|||
- name: Template ssl bloc for nginx vhost
|
||||
template:
|
||||
src: "ssl.conf.j2"
|
||||
dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
|
||||
dest: "/etc/nginx/ssl/{{ hedgedoc_domains |first }}.conf"
|
||||
when: ssl.stat.exists != true
|
||||
|
||||
- name: (Re)check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: (Re)template conf file for nginx vhost with SSL
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}"
|
||||
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||
|
||||
- name: Enable nginx vhost for hedgedoc
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
||||
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
|
||||
state: link
|
||||
|
||||
- name: Reload nginx conf
|
||||
|
|
|
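Review bot: The clone at the top of the section (`repo: "{{ hedgedoc_git_url }}"` / `version: "{{ hedgedoc_git_version | default(omit) }}"`) checks out whatever the `1.9.9` tag points to at run time; tags are mutable and nothing here verifies them, so a force-moved or compromised upstream tag lands straight in the build, and `default(omit)` means an unset version silently tracks the default branch. Pinning `hedgedoc_git_version` to the release's commit SHA (or enabling `verify_commit: true` if upstream signs its releases) and dropping the `default(omit)` fallback would make the checkout reproducible. The certbot call further down interpolates `hedgedoc_certbot_admin_email` and `hedgedoc_domains | first` into a `shell:` line unquoted; `-d {{ hedgedoc_domains | first | quote }}` (and the same for the email) keeps an odd variable value from becoming shell syntax. The npm/corepack/permission tasks are commented out rather than removed, which leaves dead code in the role; if the later `yarn build` now relies on yarn arriving some other way, that should be stated in a comment and the dead tasks deleted outright.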
@ -3,22 +3,22 @@
|
|||
|
||||
- name: Dump database to a file with compression
|
||||
postgresql_db:
|
||||
name: "{{ service }}"
|
||||
name: "{{ hedgedoc_service }}"
|
||||
state: dump
|
||||
target: "~/{{ service }}.sql.gz"
|
||||
target: "~/{{ hedgedoc_service }}.sql.gz"
|
||||
become_user: postgres
|
||||
|
||||
- name: Stop service
|
||||
service:
|
||||
name: "{{ service }}.service"
|
||||
name: "{{ hedgedoc_service }}.service"
|
||||
state: stopped
|
||||
|
||||
- block:
|
||||
- name: Clone hedgedoc repo (git)
|
||||
git:
|
||||
repo: "{{ git_url }}"
|
||||
repo: "{{ hedgedoc_git_url }}"
|
||||
dest: "~/hedgedoc/"
|
||||
version: "{{ git_version }}"
|
||||
version: "{{ hedgedoc_git_version }}"
|
||||
update: yes
|
||||
- name: Run setup
|
||||
shell: "bin/setup"
|
||||
|
@ -32,11 +32,11 @@
|
|||
shell: "yarn build"
|
||||
args:
|
||||
chdir: "~/hedgedoc"
|
||||
become_user: "{{ service }}"
|
||||
become_user: "{{ hedgedoc_service }}"
|
||||
|
||||
- name: Restart services
|
||||
service:
|
||||
name: "{{ service }}.service"
|
||||
name: "{{ hedgedoc_service }}.service"
|
||||
state: restarted
|
||||
|
||||
- name: Define variable to skip next task by default
|
||||
|
@ -45,7 +45,7 @@
|
|||
|
||||
- name: Remove database dump
|
||||
file:
|
||||
path: "~/{{ service }}.sql.gz"
|
||||
path: "~/{{ hedgedoc_service }}.sql.gz"
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: keep_db_dump is undefined
|
||||
|
|
|
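Review bot: The dump task at the top of the section writes the whole database to `~/{{ hedgedoc_service }}.sql.gz` in the postgres home with whatever mode the postgres user's umask yields, and the file is only deleted by the final task when the upgrade finishes and `keep_db_dump` is undefined, so a failed run leaves a complete copy of every note on disk indefinitely. Add a `file` task right after the dump that sets `mode: '0600'` on the dump path with `become_user: postgres`, and consider a `rescue`/`always` on the upgrade block so the dump is either restored or removed on failure. A smaller inconsistency: `version: "{{ hedgedoc_git_version }}"` here lacks the `default(omit)` used by the install task, which is reasonable (an upgrade should always be pinned) but deserves a one-line comment so the two are not later "harmonised". The `bin/setup` task after the clone shows no `become_user`; if it is inherited from the enclosing block, whose attributes fall outside the hunk, fine, otherwise it runs as root inside the service user's checkout.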
@ -16,7 +16,7 @@
|
|||
"urlAddPort": true
|
||||
},
|
||||
"production": {
|
||||
"domain": "{{ domains }}",
|
||||
"domain": "{{ hedgedoc_domains }}",
|
||||
"loglevel": "info",
|
||||
"protocolUseSSL": "true",
|
||||
"urlAddPort": false,
|
||||
|
@ -35,10 +35,10 @@
|
|||
},
|
||||
"cookiePolicy": "lax",
|
||||
"db": {
|
||||
"username": "{{ db_user }}",
|
||||
"password": "{{ db_password }}",
|
||||
"database": "{{ db_name }}",
|
||||
"host": "{{ db_host }}",
|
||||
"username": "{{ hedgedoc_db_user }}",
|
||||
"password": "{{ hedgedoc_db_password }}",
|
||||
"database": "{{ hedgedoc_db_name }}",
|
||||
"host": "{{ hedgedoc_db_host }}",
|
||||
"port": "5432",
|
||||
"dialect": "postgres"
|
||||
}
|
||||
|
|
|
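Review bot: `"domain": "{{ hedgedoc_domains }}"` in the first hunk substitutes a list into a string, so with the defaults it renders as `"domain": "['example.domain.org']"` rather than a hostname, while every other consumer of this variable in the role (nginx `server_name`, certbot, the certificate paths) uses `hedgedoc_domains | first`; the line should be `"domain": "{{ hedgedoc_domains | first }}"`. In the second hunk the DB credentials are dropped into JSON with plain `{{ }}`; a password containing `"` or `\` produces an unparsable file, so prefer `"password": {{ hedgedoc_db_password | to_json }}` (and likewise for username/database) so the value is JSON-escaped. `"protocolUseSSL": "true"` and `"port": "5432"` are strings where a boolean and a number are presumably expected; that predates this commit but is worth checking against HedgeDoc's config reference.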
@ -35,9 +35,9 @@ SystemCallArchitectures=native
|
|||
SystemCallFilter=@system-service
|
||||
|
||||
# You may have to adjust these settings
|
||||
User={{service}}
|
||||
Group={{service}}
|
||||
WorkingDirectory=/home/{{service}}/hedgedoc
|
||||
User={{ hedgedoc_service }}
|
||||
Group={{ hedgedoc_service }}
|
||||
WorkingDirectory=/home/{{ hedgedoc_service }}/hedgedoc
|
||||
|
||||
# Example: local storage for uploads and SQLite
|
||||
# ReadWritePaths=/opt/hedgedoc/public/uploads /opt/hedgedoc/db
|
||||
|
|
|
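Review bot: The `# Example: local storage for uploads and SQLite` comment beneath the renamed lines still points `ReadWritePaths` at `/opt/hedgedoc/...`, while `WorkingDirectory` is now `/home/{{ hedgedoc_service }}/hedgedoc`, so anyone enabling that line would whitelist the wrong tree. If the unit sets `ProtectSystem=strict` or `ProtectHome=` above this hunk (not visible here), writes to `public/uploads` will be refused until the real path is listed; suggest `ReadWritePaths=/home/{{ hedgedoc_service }}/hedgedoc/public/uploads` (left commented if uploads are not stored locally) with the comment updated to the templated path. Note that `WorkingDirectory` hard-codes `/home/`, whereas tasks/main.yml resolves the home with `~{{ hedgedoc_service }}`; the two agree only while the `user` task keeps its default home, which a `# home must stay /home/<service>` note would make explicit.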
@ -2,8 +2,8 @@
|
|||
# Certificates
|
||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||
##
|
||||
ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ hedgedoc_domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ hedgedoc_domains | first }}/privkey.pem;
|
||||
|
||||
##
|
||||
# Security hardening (as of Nov 15, 2020)
|
||||
|
|
|
@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ domains |first }};
|
||||
server_name {{ hedgedoc_domains |first }};
|
||||
|
||||
# For certbot
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
|
@ -21,16 +21,16 @@ server {
|
|||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ domains |first }};
|
||||
server_name {{ hedgedoc_domains |first }};
|
||||
|
||||
access_log /var/log/nginx/{{ service }}.access.log;
|
||||
error_log /var/log/nginx/{{ service }}.error.log;
|
||||
access_log /var/log/nginx/{{ hedgedoc_service }}.access.log;
|
||||
error_log /var/log/nginx/{{ hedgedoc_service }}.error.log;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ node_port }};
|
||||
proxy_pass http://127.0.0.1:{{ hedgedoc_node_port }};
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
@ -38,7 +38,7 @@ server {
|
|||
}
|
||||
|
||||
location /socket.io/ {
|
||||
proxy_pass http://127.0.0.1:{{ node_port }};
|
||||
proxy_pass http://127.0.0.1:{{ hedgedoc_node_port }};
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
|
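Review bot: `include /etc/nginx/ssl/{{ domains | first }}.conf;` in the 443 server block (an unchanged context line just above the renamed `proxy_pass` in the middle hunk) still uses the old `domains` variable, which this commit removes from the defaults; templating the vhost will now fail on an undefined variable, or, if undefined-variable errors are disabled, likely render an include of `/etc/nginx/ssl/.conf` and break the nginx reload. It should read `include /etc/nginx/ssl/{{ hedgedoc_domains | first }}.conf;` to match the path written by the "Template ssl bloc" task. Worth grepping the remaining templates for any other `{{ domains` / `{{ service` occurrences the rename missed.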