hedgedoc_ prefix for role vars
parent
bdb6ccb02d
commit
0ce1e1d701
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
# defaults file for mastodon
|
# defaults file for mastodon
|
||||||
system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot', 'npm']"
|
hedgedoc_system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot']"
|
||||||
git_url: 'https://github.com/hedgedoc/hedgedoc.git'
|
hedgedoc_git_url: 'https://github.com/hedgedoc/hedgedoc.git'
|
||||||
git_version: '1.9.7'
|
hedgedoc_git_version: '1.9.9'
|
||||||
node_version: 'node_18.x' # Node 18 is NOT supported as of May 2023; See https://docs.hedgedoc.org/setup/manual-setup/
|
hedgedoc_node_version: 'node_18.x'
|
||||||
node_port: '3000'
|
hedgedoc_node_port: '3000'
|
||||||
service: 'example'
|
hedgedoc_service: 'example'
|
||||||
domains: ['example.domain.org']
|
hedgedoc_domains: ['example.domain.org']
|
||||||
certbot_admin_email: 'mgauthier@evolix.ca'
|
hedgedoc_certbot_admin_email: 'security@example.org'
|
||||||
|
|
||||||
db_host: 'localhost'
|
hedgedoc_db_host: 'localhost'
|
||||||
db_user: "{{ service }}"
|
hedgedoc_db_user: "{{ hedgedoc_service }}"
|
||||||
db_name: "{{ service }}"
|
hedgedoc_db_name: "{{ hedgedoc_service }}"
|
||||||
db_password: 'CHANGE_ME'
|
hedgedoc_db_password: 'CHANGE_ME'
|
||||||
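Review bot: The warning comment on `hedgedoc_node_version: 'node_18.x'` was dropped while the value itself is unchanged, so readers lose the note that Node 18 was unsupported as of May 2023; if the bump to 1.9.9 lifts that restriction, say so in a replacement comment, otherwise restore the original one. The header `# defaults file for mastodon` is a copy-paste leftover and should read `# defaults file for hedgedoc`. `hedgedoc_system_dep` is a quoted string holding a Python-style list, which only works because Ansible re-evaluates template output that looks like a literal list; a native YAML list (`hedgedoc_system_dep: ['apt-transport-https', 'postgresql', …]` or a block sequence) is unambiguous and survives stricter templating. `hedgedoc_db_password: 'CHANGE_ME'` is a placeholder credential that is consumed as-is by the tasks if a consumer forgets to override it; a comment stating that it must be overridden (and that the tasks refuse the placeholder, if such a check is added) would make the contract explicit.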
|
|
|
@ -3,45 +3,45 @@
|
||||||
|
|
||||||
- name: Install main system dependencies
|
- name: Install main system dependencies
|
||||||
apt:
|
apt:
|
||||||
name: "{{ system_dep }}"
|
name: "{{ hedgedoc_system_dep }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Install node-gyp from npm
|
#- name: Install node-gyp from npm
|
||||||
shell: npm install --global node-gyp corepack
|
# shell: npm install --global node-gyp corepack
|
||||||
|
|
||||||
- name: Enable yarn (via corepack)
|
#- name: Enable yarn (via corepack)
|
||||||
shell: "corepack enable"
|
# shell: "corepack enable"
|
||||||
|
|
||||||
- name: Fix permissions
|
#- name: Fix permissions
|
||||||
file:
|
# file:
|
||||||
path: /usr/local/lib/node_modules
|
# path: /usr/local/lib/node_modules
|
||||||
mode: g+rx,o+rx
|
# mode: g+rx,o+rx
|
||||||
recurse: yes
|
# recurse: yes
|
||||||
|
|
||||||
- name: Add UNIX account
|
- name: Add UNIX account
|
||||||
user:
|
user:
|
||||||
name: "{{ service }}"
|
name: "{{ hedgedoc_service }}"
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
|
|
||||||
- name: Add PostgreSQL user
|
- name: Add PostgreSQL user
|
||||||
postgresql_user:
|
postgresql_user:
|
||||||
name: "{{ db_user }}"
|
name: "{{ hedgedoc_db_user }}"
|
||||||
password: "{{ db_password }}"
|
password: "{{ hedgedoc_db_password }}"
|
||||||
no_password_changes: true
|
no_password_changes: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Add PostgreSQL database
|
- name: Add PostgreSQL database
|
||||||
postgresql_db:
|
postgresql_db:
|
||||||
name: "{{ db_name }}"
|
name: "{{ hedgedoc_db_name }}"
|
||||||
owner: "{{ db_user }}"
|
owner: "{{ hedgedoc_db_user }}"
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Clone hedgedoc repo (git)
|
- name: Clone hedgedoc repo (git)
|
||||||
git:
|
git:
|
||||||
repo: "{{ git_url }}"
|
repo: "{{ hedgedoc_git_url }}"
|
||||||
dest: "~/hedgedoc/"
|
dest: "~/hedgedoc/"
|
||||||
version: "{{ git_version | default(omit) }}"
|
version: "{{ hedgedoc_git_version | default(omit) }}"
|
||||||
update: yes
|
update: yes
|
||||||
umask: '0022'
|
umask: '0022'
|
||||||
# - name: Set cache dir for yarn
|
# - name: Set cache dir for yarn
|
||||||
|
@ -60,30 +60,30 @@
|
||||||
shell: "yarn build"
|
shell: "yarn build"
|
||||||
args:
|
args:
|
||||||
chdir: "~/hedgedoc"
|
chdir: "~/hedgedoc"
|
||||||
become_user: "{{ service }}"
|
become_user: "{{ hedgedoc_service }}"
|
||||||
|
|
||||||
- name: Template json config file
|
- name: Template json config file
|
||||||
template:
|
template:
|
||||||
src: "config.json.j2"
|
src: "config.json.j2"
|
||||||
dest: "~{{ service }}/hedgedoc/config.json"
|
dest: "~{{ hedgedoc_service }}/hedgedoc/config.json"
|
||||||
owner: "{{ service }}"
|
owner: "{{ hedgedoc_service }}"
|
||||||
group: "{{ service }}"
|
group: "{{ hedgedoc_service }}"
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
|
|
||||||
- name: Add systemd unit
|
- name: Add systemd unit
|
||||||
template:
|
template:
|
||||||
src: "hedgedoc.service.j2"
|
src: "hedgedoc.service.j2"
|
||||||
dest: "/etc/systemd/system/{{ service }}.service"
|
dest: "/etc/systemd/system/{{ hedgedoc_service }}.service"
|
||||||
|
|
||||||
- name: Enable systemd units
|
- name: Enable systemd units
|
||||||
systemd:
|
systemd:
|
||||||
name: "{{ service }}.service"
|
name: "{{ hedgedoc_service }}.service"
|
||||||
enabled: yes
|
enabled: yes
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
|
||||||
- name: Start service
|
- name: Start service
|
||||||
service:
|
service:
|
||||||
name: "{{ service }}.service"
|
name: "{{ hedgedoc_service }}.service"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Template nginx snippet for Let's Encrypt/Certbot
|
- name: Template nginx snippet for Let's Encrypt/Certbot
|
||||||
|
@ -93,7 +93,7 @@
|
||||||
|
|
||||||
- name: Check if SSL certificate is present and register result
|
- name: Check if SSL certificate is present and register result
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
|
||||||
register: ssl
|
register: ssl
|
||||||
|
|
||||||
- name: Generate certificate only if required (first time)
|
- name: Generate certificate only if required (first time)
|
||||||
|
@ -101,11 +101,11 @@
|
||||||
- name: Template vhost without SSL for successfull LE challengce
|
- name: Template vhost without SSL for successfull LE challengce
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ service }}"
|
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||||
- name: Enable temporary nginx vhost for LE
|
- name: Enable temporary nginx vhost for LE
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ service }}"
|
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
|
||||||
state: link
|
state: link
|
||||||
- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
service:
|
service:
|
||||||
|
@ -117,7 +117,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
- name: Generate certificate with certbot
|
- name: Generate certificate with certbot
|
||||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
|
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ hedgedoc_certbot_admin_email }} -d {{ hedgedoc_domains |first }}
|
||||||
- name: Create the ssl dir if needed
|
- name: Create the ssl dir if needed
|
||||||
file:
|
file:
|
||||||
path: /etc/nginx/ssl
|
path: /etc/nginx/ssl
|
||||||
|
@ -126,23 +126,23 @@
|
||||||
- name: Template ssl bloc for nginx vhost
|
- name: Template ssl bloc for nginx vhost
|
||||||
template:
|
template:
|
||||||
src: "ssl.conf.j2"
|
src: "ssl.conf.j2"
|
||||||
dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
|
dest: "/etc/nginx/ssl/{{ hedgedoc_domains |first }}.conf"
|
||||||
when: ssl.stat.exists != true
|
when: ssl.stat.exists != true
|
||||||
|
|
||||||
- name: (Re)check if SSL certificate is present and register result
|
- name: (Re)check if SSL certificate is present and register result
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
|
||||||
register: ssl
|
register: ssl
|
||||||
|
|
||||||
- name: (Re)template conf file for nginx vhost with SSL
|
- name: (Re)template conf file for nginx vhost with SSL
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ service }}"
|
dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||||
|
|
||||||
- name: Enable nginx vhost for hedgedoc
|
- name: Enable nginx vhost for hedgedoc
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ service }}"
|
src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
|
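Review bot: The `Add PostgreSQL user` task in the first hunk still passes `password: "{{ hedgedoc_db_password }}"` to a module whose arguments Ansible prints in verbose and callback output, so the secret ends up in run logs; add `no_log: true` to that task. Because the role default for that variable is the placeholder `'CHANGE_ME'` and the task sets `no_password_changes: true`, a deployment that forgets to override it gets a database user with the placeholder password that later runs never correct; a guard before the task such as `- assert:` / `    that: hedgedoc_db_password != 'CHANGE_ME'` / `    fail_msg: 'hedgedoc_db_password must be overridden'` fails the play instead. The node-gyp, corepack and permissions tasks in the same hunk are commented out rather than removed; either delete them (git history keeps them) or add a comment stating why they are disabled. In the second hunk, `Start service` uses `state: restarted`, which restarts HedgeDoc on every run of the role; `state: started` plus a restart handler notified by the config and unit templates is the idempotent form.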
|
|
@ -3,22 +3,22 @@
|
||||||
|
|
||||||
- name: Dump database to a file with compression
|
- name: Dump database to a file with compression
|
||||||
postgresql_db:
|
postgresql_db:
|
||||||
name: "{{ service }}"
|
name: "{{ hedgedoc_service }}"
|
||||||
state: dump
|
state: dump
|
||||||
target: "~/{{ service }}.sql.gz"
|
target: "~/{{ hedgedoc_service }}.sql.gz"
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Stop service
|
- name: Stop service
|
||||||
service:
|
service:
|
||||||
name: "{{ service }}.service"
|
name: "{{ hedgedoc_service }}.service"
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Clone hedgedoc repo (git)
|
- name: Clone hedgedoc repo (git)
|
||||||
git:
|
git:
|
||||||
repo: "{{ git_url }}"
|
repo: "{{ hedgedoc_git_url }}"
|
||||||
dest: "~/hedgedoc/"
|
dest: "~/hedgedoc/"
|
||||||
version: "{{ git_version }}"
|
version: "{{ hedgedoc_git_version }}"
|
||||||
update: yes
|
update: yes
|
||||||
- name: Run setup
|
- name: Run setup
|
||||||
shell: "bin/setup"
|
shell: "bin/setup"
|
||||||
|
@ -32,11 +32,11 @@
|
||||||
shell: "yarn build"
|
shell: "yarn build"
|
||||||
args:
|
args:
|
||||||
chdir: "~/hedgedoc"
|
chdir: "~/hedgedoc"
|
||||||
become_user: "{{ service }}"
|
become_user: "{{ hedgedoc_service }}"
|
||||||
|
|
||||||
- name: Restart services
|
- name: Restart services
|
||||||
service:
|
service:
|
||||||
name: "{{ service }}.service"
|
name: "{{ hedgedoc_service }}.service"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Define variable to skip next task by default
|
- name: Define variable to skip next task by default
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
|
|
||||||
- name: Remove database dump
|
- name: Remove database dump
|
||||||
file:
|
file:
|
||||||
path: "~/{{ service }}.sql.gz"
|
path: "~/{{ hedgedoc_service }}.sql.gz"
|
||||||
state: absent
|
state: absent
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
when: keep_db_dump is undefined
|
when: keep_db_dump is undefined
|
||||||
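Review bot: `when: keep_db_dump is undefined` in the last hunk keeps the old unprefixed name while every other role variable in this commit gained the `hedgedoc_` prefix; if it is meant as a role variable it should become `hedgedoc_keep_db_dump` and be listed in the defaults, otherwise a comment saying it is an ad-hoc extra var would help. The clone task here uses `version: "{{ hedgedoc_git_version }}"` whereas the main tasks use `version: "{{ hedgedoc_git_version | default(omit) }}"`; with the variable now defined in defaults both render the same, but keeping the two in one form avoids a surprise if the default is later removed. The dump is written to `~/{{ hedgedoc_service }}.sql.gz` in the postgres user's home with whatever mode the default umask gives and contains the full HedgeDoc database, so a dedicated directory with a restrictive mode is worth considering when the dump is kept.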
|
|
|
@ -16,7 +16,7 @@
|
||||||
"urlAddPort": true
|
"urlAddPort": true
|
||||||
},
|
},
|
||||||
"production": {
|
"production": {
|
||||||
"domain": "{{ domains }}",
|
"domain": "{{ hedgedoc_domains }}",
|
||||||
"loglevel": "info",
|
"loglevel": "info",
|
||||||
"protocolUseSSL": "true",
|
"protocolUseSSL": "true",
|
||||||
"urlAddPort": false,
|
"urlAddPort": false,
|
||||||
|
@ -35,10 +35,10 @@
|
||||||
},
|
},
|
||||||
"cookiePolicy": "lax",
|
"cookiePolicy": "lax",
|
||||||
"db": {
|
"db": {
|
||||||
"username": "{{ db_user }}",
|
"username": "{{ hedgedoc_db_user }}",
|
||||||
"password": "{{ db_password }}",
|
"password": "{{ hedgedoc_db_password }}",
|
||||||
"database": "{{ db_name }}",
|
"database": "{{ hedgedoc_db_name }}",
|
||||||
"host": "{{ db_host }}",
|
"host": "{{ hedgedoc_db_host }}",
|
||||||
"port": "5432",
|
"port": "5432",
|
||||||
"dialect": "postgres"
|
"dialect": "postgres"
|
||||||
}
|
}
|
||||||
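Review bot: `"domain": "{{ hedgedoc_domains }}"` renders the whole list, so with the default `hedgedoc_domains: ['example.domain.org']` the JSON value becomes the string `['example.domain.org']`; every other use of this variable in the commit applies `| first`, and this line should too: `"domain": "{{ hedgedoc_domains | first }}",`. The `db` block in the second hunk interpolates `hedgedoc_db_password` inside JSON quotes without escaping, so a password containing a double quote or backslash produces invalid JSON; `"password": {{ hedgedoc_db_password | to_json }},` escapes it correctly (the filter emits the surrounding quotes), and the same form suits the other `db` fields.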
|
|
|
@ -35,9 +35,9 @@ SystemCallArchitectures=native
|
||||||
SystemCallFilter=@system-service
|
SystemCallFilter=@system-service
|
||||||
|
|
||||||
# You may have to adjust these settings
|
# You may have to adjust these settings
|
||||||
User={{service}}
|
User={{ hedgedoc_service }}
|
||||||
Group={{service}}
|
Group={{ hedgedoc_service }}
|
||||||
WorkingDirectory=/home/{{service}}/hedgedoc
|
WorkingDirectory=/home/{{ hedgedoc_service }}/hedgedoc
|
||||||
|
|
||||||
# Example: local storage for uploads and SQLite
|
# Example: local storage for uploads and SQLite
|
||||||
# ReadWritePaths=/opt/hedgedoc/public/uploads /opt/hedgedoc/db
|
# ReadWritePaths=/opt/hedgedoc/public/uploads /opt/hedgedoc/db
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
# Certificates
|
# Certificates
|
||||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||||
##
|
##
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ hedgedoc_domains | first }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ hedgedoc_domains | first }}/privkey.pem;
|
||||||
|
|
||||||
##
|
##
|
||||||
# Security hardening (as of Nov 15, 2020)
|
# Security hardening (as of Nov 15, 2020)
|
||||||
|
|
|
@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
server_name {{ domains |first }};
|
server_name {{ hedgedoc_domains |first }};
|
||||||
|
|
||||||
# For certbot
|
# For certbot
|
||||||
include /etc/nginx/snippets/letsencrypt.conf;
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
@ -21,16 +21,16 @@ server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ domains |first }};
|
server_name {{ hedgedoc_domains |first }};
|
||||||
|
|
||||||
access_log /var/log/nginx/{{ service }}.access.log;
|
access_log /var/log/nginx/{{ hedgedoc_service }}.access.log;
|
||||||
error_log /var/log/nginx/{{ service }}.error.log;
|
error_log /var/log/nginx/{{ hedgedoc_service }}.error.log;
|
||||||
|
|
||||||
include /etc/nginx/snippets/letsencrypt.conf;
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://127.0.0.1:{{ node_port }};
|
proxy_pass http://127.0.0.1:{{ hedgedoc_node_port }};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -38,7 +38,7 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location /socket.io/ {
|
location /socket.io/ {
|
||||||
proxy_pass http://127.0.0.1:{{ node_port }};
|
proxy_pass http://127.0.0.1:{{ hedgedoc_node_port }};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
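Review bot: `include /etc/nginx/ssl/{{ domains | first }}.conf;` in the second hunk was not renamed, so after this commit the template references the now-undefined `domains` variable and the `(Re)template conf file for nginx vhost with SSL` task will fail with an undefined-variable error; it should read `include /etc/nginx/ssl/{{ hedgedoc_domains | first }}.conf;`, matching the path the tasks file writes. Both `server_name` lines use only `hedgedoc_domains |first`, so any further entries in the list are silently ignored by nginx; if a single domain is the intended contract, a comment on the defaults saying so would prevent surprises, otherwise `server_name {{ hedgedoc_domains | join(' ') }};` covers them all (with the certbot call extended to match).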