From 5ccb94e621b3b0a01e84b602438fac43bd8637d3 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Fri, 29 Mar 2019 19:25:11 +0100
Subject: [PATCH] Simplify Matrix appservices

---
 .../defaults/main.yml | 15 +++++
 .../tasks/1_user_group.yml | 26 ---------
 .../matrix-appservice-discord/tasks/main.yml | 58 +++++++++++--------
 .../tasks/service_user.yml | 19 ++++++
 roles/matrix-appservice-irc/defaults/main.yml | 15 +++++
 .../tasks/1_user_group.yml | 26 ---------
 roles/matrix-appservice-irc/tasks/main.yml | 42 +++++++++-----
 .../tasks/service_user.yml | 19 ++++++
 .../defaults/main.yml | 15 +++++
 .../tasks/1_user_group.yml | 26 ---------
 .../matrix-appservice-webhooks/tasks/main.yml | 57 +++++++++---------
 .../tasks/service_user.yml | 19 ++++++
 12 files changed, 192 insertions(+), 145 deletions(-)
 create mode 100644 roles/matrix-appservice-discord/defaults/main.yml
 delete mode 100644 roles/matrix-appservice-discord/tasks/1_user_group.yml
 create mode 100644 roles/matrix-appservice-discord/tasks/service_user.yml
 create mode 100644 roles/matrix-appservice-irc/defaults/main.yml
 delete mode 100644 roles/matrix-appservice-irc/tasks/1_user_group.yml
 create mode 100644 roles/matrix-appservice-irc/tasks/service_user.yml
 create mode 100644 roles/matrix-appservice-webhooks/defaults/main.yml
 delete mode 100644 roles/matrix-appservice-webhooks/tasks/1_user_group.yml
 create mode 100644 roles/matrix-appservice-webhooks/tasks/service_user.yml

diff --git a/roles/matrix-appservice-discord/defaults/main.yml b/roles/matrix-appservice-discord/defaults/main.yml
new file mode 100644
index 0000000..d282592
--- /dev/null
+++ b/roles/matrix-appservice-discord/defaults/main.yml
@@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-discord + +# URL to clone +appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-discord/tasks/1_user_group.yml b/roles/matrix-appservice-discord/tasks/1_user_group.yml deleted file mode 100644 index 42cac54..0000000 --- a/roles/matrix-appservice-discord/tasks/1_user_group.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-discord system group - group: - name: matrix-appservice-discord - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-discord user - user: - name: matrix-appservice-discord - group: matrix-appservice-discord - home: /var/local/matrix-appservice-discord - comment: Matrix Appservice Discord - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-discord home directory - file: - path: /var/local/matrix-appservice-discord - state: directory - owner: matrix-appservice-discord - group: matrix-appservice-discord - mode: 0750 diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml index a1330b0..0ee9eb7 100644 --- a/roles/matrix-appservice-discord/tasks/main.yml +++ b/roles/matrix-appservice-discord/tasks/main.yml 
@@ -1,23 +1,23 @@ --- -# Create CodiMD user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -# Download CodiMD -- name: Clone matrix-appservice-discord project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/Half-Shot/matrix-appservice-discord.git - dest: /var/local/matrix-appservice-discord/matrix-appservice-discord + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" # Setup dependencies # May create issues with package-lock.json not in gitignore -- name: Install matrix-appservice-discord dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-discord/matrix-appservice-discord + path: "{{ appservice_path }}" + production: true become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded 
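Review bot: `production: true`, newly added to the `Install {{ appservice_name }} dependencies` npm task, is likely to break the `Compile matrix-appservice-discord` step in the next hunk, because that step runs `./node_modules/.bin/tsc` and TypeScript is normally declared as a devDependency, which a production install skips. Either drop `production: true` for this role, or keep it and prune dev dependencies only after the compile step has run. The irc and webhooks roles already used `production: true` before this commit but have no compile step, so they are unaffected.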
@@ -26,34 +26,44 @@ - name: Compile matrix-appservice-discord command: ./node_modules/.bin/tsc args: - chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + chdir: "{{ appservice_path }}" register: npm_build_result changed_when: npm_build_result become: true - become_user: matrix-appservice-discord + become_user: "{{ appservice_user }}" -# Configure -- name: Configure matrix-appservice-discord +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml - owner: matrix-appservice-discord - group: matrix-appservice-discord + dest: "{{ appservice_path }}/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-discord systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-discord.service.j2 - dest: /etc/systemd/system/matrix-appservice-discord.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons +# TODO generate registration + +- name: Copy appservice registration file + copy: + src: "{{ appservice_path }}/discord-registration.yaml" + dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + owner: matrix-synapse + group: nogroup + mode: 0600 + remote_src: yes + # Run -#- name: Ensure that matrix-appservice-discord is started -# service: -# name: matrix-appservice-discord -# state: started -# enabled: true +- name: "Ensure that {{ appservice_name }} is started" + service: + name: "{{ appservice_name }}" + state: started + enabled: true diff --git a/roles/matrix-appservice-discord/tasks/service_user.yml b/roles/matrix-appservice-discord/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/service_user.yml 
@@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700 diff --git a/roles/matrix-appservice-irc/defaults/main.yml b/roles/matrix-appservice-irc/defaults/main.yml new file mode 100644 index 0000000..517275e --- /dev/null +++ b/roles/matrix-appservice-irc/defaults/main.yml @@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-irc + +# URL to clone +appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-irc/tasks/1_user_group.yml b/roles/matrix-appservice-irc/tasks/1_user_group.yml deleted file mode 100644 index 4c28899..0000000 --- a/roles/matrix-appservice-irc/tasks/1_user_group.yml +++ /dev/null 
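Review bot: `service_user.yml` is added byte-for-byte identical to all three roles (the `index` lines show the same blob 4d73739 each time), so every later fix to user creation has to be made three times; a single shared tasks file pulled in with `include_role` plus `tasks_from` would keep one copy. The new `user` task also drops the `comment:` (GECOS) field that the deleted `1_user_group.yml` carried; if that is still wanted, `comment: "{{ appservice_name }} service user"` restores it.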
@@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-irc system group - group: - name: matrix-appservice-irc - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-irc user - user: - name: matrix-appservice-irc - group: matrix-appservice-irc - home: /var/local/matrix-appservice-irc - comment: Matrix Appservice IRC - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-irc home directory - file: - path: /var/local/matrix-appservice-irc - state: directory - owner: matrix-appservice-irc - group: matrix-appservice-irc - mode: 0750 diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml index 5db1c1b..971ca21 100644 --- a/roles/matrix-appservice-irc/tasks/main.yml +++ b/roles/matrix-appservice-irc/tasks/main.yml 
@@ -1,45 +1,55 @@ --- -# Create matrix-appservice-irc user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -- name: Clone matrix-appservice-irc project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/matrix-org/matrix-appservice-irc.git - dest: /var/local/matrix-appservice-irc/matrix-appservice-irc + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: 0.11.2 become: true - become_user: matrix-appservice-irc + become_user: "{{ appservice_user }}" # Setup dependencies -- name: Install matrix-appservice-irc dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-irc/matrix-appservice-irc + path: "{{ appservice_path }}" production: true become: true - become_user: matrix-appservice-irc + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded -# Configure -- name: Configure matrix-appservice-irc +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml - owner: matrix-appservice-irc - group: matrix-appservice-irc + dest: "{{ appservice_path }}/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-irc systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-irc.service.j2 - dest: /etc/systemd/system/matrix-appservice-irc.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons +# TODO generate registration + +#- name: Copy appservice registration file +# copy: +# src: "{{ appservice_path }}/discord-registration.yaml" +# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" +# owner: matrix-synapse +# group: nogroup +# mode: 0600 +# remote_src: yes + # Run #- name: Ensure that 
matrix-appservice-irc is started # service: diff --git a/roles/matrix-appservice-irc/tasks/service_user.yml b/roles/matrix-appservice-irc/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700 diff --git a/roles/matrix-appservice-webhooks/defaults/main.yml b/roles/matrix-appservice-webhooks/defaults/main.yml new file mode 100644 index 0000000..ba9de6d --- /dev/null +++ b/roles/matrix-appservice-webhooks/defaults/main.yml @@ -0,0 +1,15 @@ +--- +# appservice_name is the name of the project on GitHub +appservice_name: matrix-appservice-webhooks + +# URL to clone +appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git + +# name of the service user +# It means that you will have to `sudo -u THISUSER zsh` to debug +appservice_user: "{{ appservice_name }}" +appservice_homedir: "/var/local/{{ appservice_name }}" + +# appservice_path is where the project is cloned +# It can't be the home directory because of user hidden files. +appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" diff --git a/roles/matrix-appservice-webhooks/tasks/1_user_group.yml b/roles/matrix-appservice-webhooks/tasks/1_user_group.yml deleted file mode 100644 index 642cf9f..0000000 --- a/roles/matrix-appservice-webhooks/tasks/1_user_group.yml +++ /dev/null 
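Review bot: The commented-out registration task added at the end of this hunk still points at `{{ appservice_path }}/discord-registration.yaml`, a copy-paste leftover from the discord role, so whoever uncomments it to resolve `TODO generate registration` will copy a file that does not exist in this role. Replace the `src` with the IRC bridge's actual registration file name before un-commenting, or leave the task out until the generation step exists. The same block carries `remote_src: yes`; the canonical boolean `remote_src: true` is what yamllint's truthy rule expects.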
@@ -1,26 +0,0 @@ ---- -# Security #1 -- name: Create matrix-appservice-webhooks system group - group: - name: matrix-appservice-webhooks - system: true - state: present - -# Security #2 -- name: Create matrix-appservice-webhooks user - user: - name: matrix-appservice-webhooks - group: matrix-appservice-webhooks - home: /var/local/matrix-appservice-webhooks - comment: Matrix Appservice WebHooks - system: true - state: present - -# Security #3 -- name: Secure matrix-appservice-webhooks home directory - file: - path: /var/local/matrix-appservice-webhooks - state: directory - owner: matrix-appservice-webhooks - group: matrix-appservice-webhooks - mode: 0750 diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml index a0b9e43..9780b60 100644 --- a/roles/matrix-appservice-webhooks/tasks/main.yml +++ b/roles/matrix-appservice-webhooks/tasks/main.yml 
@@ -1,55 +1,58 @@ --- -# Create matrix-appservice-webhooks user and group -- include_tasks: 1_user_group.yml +# Create service user +- include_tasks: service_user.yml -- name: Clone matrix-appservice-webhooks project +- name: "Clone {{ appservice_name }} project" git: - repo: https://github.com/turt2live/matrix-appservice-webhooks.git - dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + repo: "{{ appservice_repo }}" + dest: "{{ appservice_path }}" version: master become: true - become_user: matrix-appservice-webhooks + become_user: "{{ appservice_user }}" # Setup dependencies -- name: Install matrix-appservice-webhooks dependencies +- name: "Install {{ appservice_name }} dependencies" npm: - path: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks + path: "{{ appservice_path }}" production: true become: true - become_user: matrix-appservice-webhooks + become_user: "{{ appservice_user }}" register: npm_result retries: 3 until: npm_result is succeeded -# Configure -- name: Configure matrix-appservice-webhooks +- name: "Configure {{ appservice_name }}" template: src: config.yaml.j2 - dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/config/config.yaml - owner: matrix-appservice-webhooks - group: matrix-appservice-webhooks + dest: "{{ appservice_path }}/config/config.yaml" + owner: "{{ appservice_user }}" + group: nogroup mode: 0600 # Service file -- name: Install matrix-appservice-webhooks systemd unit +- name: "Install {{ appservice_name }} systemd unit" template: src: systemd/matrix-appservice-webhooks.service.j2 - dest: /etc/systemd/system/matrix-appservice-webhooks.service + dest: "/etc/systemd/system/{{ appservice_name }}.service" owner: root group: root mode: 0644 notify: Reload systemd daemons -# TODO -# node index.js -r -u "http://localhost:9000" -c config/config.yaml -# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml -# > 
/etc/matrix-synapse/appservice-registration-webhooks.yaml -# chown matrix-synapse:nogroup /etc/matrix-synapse/appservice-registration-webhooks.yaml 440 -# /etc/matrix-synapse/conf.d/app_service_config_files.yaml +# TODO generate registration + +- name: Copy appservice registration file + copy: + src: "{{ appservice_path }}/appservice-registration-webhooks.yaml" + dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" + owner: matrix-synapse + group: nogroup + mode: 0600 + remote_src: yes # Run -#- name: Ensure that matrix-appservice-webhooks is started -# service: -# name: matrix-appservice-webhooks -# state: started -# enabled: true +- name: "Ensure that {{ appservice_name }} is started" + service: + name: "{{ appservice_name }}" + state: started + enabled: true diff --git a/roles/matrix-appservice-webhooks/tasks/service_user.yml b/roles/matrix-appservice-webhooks/tasks/service_user.yml new file mode 100644 index 0000000..4d73739 --- /dev/null +++ b/roles/matrix-appservice-webhooks/tasks/service_user.yml @@ -0,0 +1,19 @@ +--- +# Having a custom group is useless so use nogroup +- name: "Create {{ appservice_user }} user" + user: + name: "{{ appservice_user }}" + group: nogroup + home: "{{ appservice_homedir }}" + system: true + shell: /bin/false + state: present + +# Only service user should be able to go there +- name: "Secure {{ appservice_user }} home directory" + file: + path: "{{ appservice_homedir }}" + state: directory + owner: "{{ appservice_user }}" + group: nogroup + mode: 0700
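Review bot: The new `Copy appservice registration file` task places the registration under `/etc/matrix-synapse/`, but nothing in the hunk tells Synapse about it: the removed TODO referred to `/etc/matrix-synapse/conf.d/app_service_config_files.yaml`, that step has no replacement, and the service is now started and enabled regardless, so the bridge can run without being registered with the homeserver. The task also has no guard for the registration file not having been generated yet (the `TODO generate registration` remains), so a first run fails at this task; a `stat` of the source with `when: registration_file.stat.exists`, or generating the file beforehand, would make the play idempotent. `remote_src: yes` should be `remote_src: true`. The discord role's registration task in the earlier hunk has the same shape and the same gaps.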