Simplify Matrix appservices

This commit is contained in:
Alexandre Iooss 2019-03-29 19:25:11 +01:00
parent d9aab6cfd2
commit 5ccb94e621
No known key found for this signature in database
GPG key ID: 6C79278F3FCDCC02
12 changed files with 192 additions and 145 deletions


@ -0,0 +1,15 @@
---
# appservice_name is the name of the project on GitHub
appservice_name: matrix-appservice-discord
# URL to clone
appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git
# name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}"
# appservice_path is where the project is cloned
# It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"
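Review bot: `appservice_name`, `appservice_user`, `appservice_homedir` and `appservice_path` are generic names, and the irc and webhooks roles in this same commit define the same four variables with different values; if these are role vars and the three roles run in one play against the same host, Ansible by default exposes each role's variables to the rest of the play (unless `private_role_vars` is enabled), so one role's value can leak into another role's tasks and templates, e.g. cloning into or installing a systemd unit under the wrong name. Prefixing the variables per role (`discord_appservice_name: matrix-appservice-discord`) or passing them as role parameters at the include site avoids the clash. Whether this file is `vars/main.yml` or `defaults/main.yml` is not visible here, so confirm which precedence actually applies before deciding.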


@ -1,26 +0,0 @@
---
# Security #1
- name: Create matrix-appservice-discord system group
group:
name: matrix-appservice-discord
system: true
state: present
# Security #2
- name: Create matrix-appservice-discord user
user:
name: matrix-appservice-discord
group: matrix-appservice-discord
home: /var/local/matrix-appservice-discord
comment: Matrix Appservice Discord
system: true
state: present
# Security #3
- name: Secure matrix-appservice-discord home directory
file:
path: /var/local/matrix-appservice-discord
state: directory
owner: matrix-appservice-discord
group: matrix-appservice-discord
mode: 0750


@ -1,23 +1,23 @@
--- ---
# Create CodiMD user and group # Create service user
- include_tasks: 1_user_group.yml - include_tasks: service_user.yml
# Download CodiMD - name: "Clone {{ appservice_name }} project"
- name: Clone matrix-appservice-discord project
git: git:
repo: https://github.com/Half-Shot/matrix-appservice-discord.git repo: "{{ appservice_repo }}"
dest: /var/local/matrix-appservice-discord/matrix-appservice-discord dest: "{{ appservice_path }}"
version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76
become: true become: true
become_user: matrix-appservice-discord become_user: "{{ appservice_user }}"
# Setup dependencies # Setup dependencies
# May create issues with package-lock.json not in gitignore # May create issues with package-lock.json not in gitignore
- name: Install matrix-appservice-discord dependencies - name: "Install {{ appservice_name }} dependencies"
npm: npm:
path: /var/local/matrix-appservice-discord/matrix-appservice-discord path: "{{ appservice_path }}"
production: true
become: true become: true
become_user: matrix-appservice-discord become_user: "{{ appservice_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
@ -26,34 +26,44 @@
- name: Compile matrix-appservice-discord - name: Compile matrix-appservice-discord
command: ./node_modules/.bin/tsc command: ./node_modules/.bin/tsc
args: args:
chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord chdir: "{{ appservice_path }}"
register: npm_build_result register: npm_build_result
changed_when: npm_build_result changed_when: npm_build_result
become: true become: true
become_user: matrix-appservice-discord become_user: "{{ appservice_user }}"
# Configure - name: "Configure {{ appservice_name }}"
- name: Configure matrix-appservice-discord
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml dest: "{{ appservice_path }}/config.yaml"
owner: matrix-appservice-discord owner: "{{ appservice_user }}"
group: matrix-appservice-discord group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: Install matrix-appservice-discord systemd unit - name: "Install {{ appservice_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-discord.service.j2 src: systemd/matrix-appservice-discord.service.j2
dest: /etc/systemd/system/matrix-appservice-discord.service dest: "/etc/systemd/system/{{ appservice_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload systemd daemons notify: Reload systemd daemons
# TODO generate registration
- name: Copy appservice registration file
copy:
src: "{{ appservice_path }}/discord-registration.yaml"
dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
owner: matrix-synapse
group: nogroup
mode: 0600
remote_src: yes
# Run # Run
#- name: Ensure that matrix-appservice-discord is started - name: "Ensure that {{ appservice_name }} is started"
# service: service:
# name: matrix-appservice-discord name: "{{ appservice_name }}"
# state: started state: started
# enabled: true enabled: true
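Review bot: The npm task in this role no longer passes `production: true` (it is printed only once in the hunk, on what reads as the old side, while the irc and webhooks roles keep it), so the project's full devDependencies tree is installed on the host and stays there for the running service; presumably that is so `./node_modules/.bin/tsc` exists for the compile task, but the dev tree is a larger supply-chain surface than the runtime needs. Pruning it after the compile step keeps the `node_modules` the service runs against equivalent to what the other two roles install. Separately, the new copy task expects `discord-registration.yaml` to already exist under `appservice_path` while the `TODO generate registration` comment says nothing produces it yet, so a fresh host fails at that task until the registration is generated by hand; a `stat` guard or an automated generation step would make that explicit.
```yaml
# … unchanged: service user include, clone, install and compile tasks …
- name: "Remove {{ appservice_name }} development dependencies"
  command: npm prune --production
  args:
    chdir: "{{ appservice_path }}"
  become: true
  become_user: "{{ appservice_user }}"
# … unchanged: configure, systemd unit, registration copy and service tasks …
```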


@ -0,0 +1,19 @@
---
# Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user"
user:
name: "{{ appservice_user }}"
group: nogroup
home: "{{ appservice_homedir }}"
system: true
shell: /bin/false
state: present
# Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory"
file:
path: "{{ appservice_homedir }}"
state: directory
owner: "{{ appservice_user }}"
group: nogroup
mode: 0700
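Review bot: The `group: nogroup` on both the user task and the home-directory task replaces the dedicated per-service group this commit deletes, but `nogroup` is shared with matrix-synapse (the registration copy task in this commit writes `owner: matrix-synapse`, `group: nogroup`) and with the other two appservices, so anything a bridge creates at runtime with group-read permission — logs, databases, state files next to config.yaml — becomes readable by every other nogroup process. The 0700 home and the 0600 config keep that exposure small today, but a private primary group was the cheap way to keep it that way, and the comment `Having a custom group is useless` understates the trade-off. On Debian-family hosts with `USERGROUPS_ENAB` (the default) simply omitting `group:` lets useradd create a private group of the same name, without bringing the separate group task back; I would pair that with `# Private primary group: runtime files are not group-readable by other services`.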


@ -0,0 +1,15 @@
---
# appservice_name is the name of the project on GitHub
appservice_name: matrix-appservice-irc
# URL to clone
appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git
# name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}"
# appservice_path is where the project is cloned
# It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"


@ -1,26 +0,0 @@
---
# Security #1
- name: Create matrix-appservice-irc system group
group:
name: matrix-appservice-irc
system: true
state: present
# Security #2
- name: Create matrix-appservice-irc user
user:
name: matrix-appservice-irc
group: matrix-appservice-irc
home: /var/local/matrix-appservice-irc
comment: Matrix Appservice IRC
system: true
state: present
# Security #3
- name: Secure matrix-appservice-irc home directory
file:
path: /var/local/matrix-appservice-irc
state: directory
owner: matrix-appservice-irc
group: matrix-appservice-irc
mode: 0750


@ -1,45 +1,55 @@
--- ---
# Create matrix-appservice-irc user and group # Create service user
- include_tasks: 1_user_group.yml - include_tasks: service_user.yml
- name: Clone matrix-appservice-irc project - name: "Clone {{ appservice_name }} project"
git: git:
repo: https://github.com/matrix-org/matrix-appservice-irc.git repo: "{{ appservice_repo }}"
dest: /var/local/matrix-appservice-irc/matrix-appservice-irc dest: "{{ appservice_path }}"
version: 0.11.2 version: 0.11.2
become: true become: true
become_user: matrix-appservice-irc become_user: "{{ appservice_user }}"
# Setup dependencies # Setup dependencies
- name: Install matrix-appservice-irc dependencies - name: "Install {{ appservice_name }} dependencies"
npm: npm:
path: /var/local/matrix-appservice-irc/matrix-appservice-irc path: "{{ appservice_path }}"
production: true production: true
become: true become: true
become_user: matrix-appservice-irc become_user: "{{ appservice_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
# Configure - name: "Configure {{ appservice_name }}"
- name: Configure matrix-appservice-irc
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml dest: "{{ appservice_path }}/config.yaml"
owner: matrix-appservice-irc owner: "{{ appservice_user }}"
group: matrix-appservice-irc group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: Install matrix-appservice-irc systemd unit - name: "Install {{ appservice_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-irc.service.j2 src: systemd/matrix-appservice-irc.service.j2
dest: /etc/systemd/system/matrix-appservice-irc.service dest: "/etc/systemd/system/{{ appservice_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload systemd daemons notify: Reload systemd daemons
# TODO generate registration
#- name: Copy appservice registration file
# copy:
# src: "{{ appservice_path }}/discord-registration.yaml"
# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
# owner: matrix-synapse
# group: nogroup
# mode: 0600
# remote_src: yes
# Run # Run
#- name: Ensure that matrix-appservice-irc is started #- name: Ensure that matrix-appservice-irc is started
# service: # service:
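Review bot: The commented-out registration copy task carries the discord file name — `src: "{{ appservice_path }}/discord-registration.yaml"` — inside the irc role, so whoever uncomments it will look for a file this bridge does not produce. Since generation is still a TODO here, the source name should be the one the irc bridge actually writes (not visible in this hunk), and the task should be guarded by a `stat` or a `failed_when` so the role fails loudly rather than installing a stale file into `/etc/matrix-synapse`. The `# Run` block at the end of the file continues past what the hunk shows.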


@ -0,0 +1,19 @@
---
# Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user"
user:
name: "{{ appservice_user }}"
group: nogroup
home: "{{ appservice_homedir }}"
system: true
shell: /bin/false
state: present
# Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory"
file:
path: "{{ appservice_homedir }}"
state: directory
owner: "{{ appservice_user }}"
group: nogroup
mode: 0700


@ -0,0 +1,15 @@
---
# appservice_name is the name of the project on GitHub
appservice_name: matrix-appservice-webhooks
# URL to clone
appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git
# name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}"
# appservice_path is where the project is cloned
# It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"


@ -1,26 +0,0 @@
---
# Security #1
- name: Create matrix-appservice-webhooks system group
group:
name: matrix-appservice-webhooks
system: true
state: present
# Security #2
- name: Create matrix-appservice-webhooks user
user:
name: matrix-appservice-webhooks
group: matrix-appservice-webhooks
home: /var/local/matrix-appservice-webhooks
comment: Matrix Appservice WebHooks
system: true
state: present
# Security #3
- name: Secure matrix-appservice-webhooks home directory
file:
path: /var/local/matrix-appservice-webhooks
state: directory
owner: matrix-appservice-webhooks
group: matrix-appservice-webhooks
mode: 0750


@ -1,55 +1,58 @@
--- ---
# Create matrix-appservice-webhooks user and group # Create service user
- include_tasks: 1_user_group.yml - include_tasks: service_user.yml
- name: Clone matrix-appservice-webhooks project - name: "Clone {{ appservice_name }} project"
git: git:
repo: https://github.com/turt2live/matrix-appservice-webhooks.git repo: "{{ appservice_repo }}"
dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks dest: "{{ appservice_path }}"
version: master version: master
become: true become: true
become_user: matrix-appservice-webhooks become_user: "{{ appservice_user }}"
# Setup dependencies # Setup dependencies
- name: Install matrix-appservice-webhooks dependencies - name: "Install {{ appservice_name }} dependencies"
npm: npm:
path: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks path: "{{ appservice_path }}"
production: true production: true
become: true become: true
become_user: matrix-appservice-webhooks become_user: "{{ appservice_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
# Configure - name: "Configure {{ appservice_name }}"
- name: Configure matrix-appservice-webhooks
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/config/config.yaml dest: "{{ appservice_path }}/config/config.yaml"
owner: matrix-appservice-webhooks owner: "{{ appservice_user }}"
group: matrix-appservice-webhooks group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: Install matrix-appservice-webhooks systemd unit - name: "Install {{ appservice_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-webhooks.service.j2 src: systemd/matrix-appservice-webhooks.service.j2
dest: /etc/systemd/system/matrix-appservice-webhooks.service dest: "/etc/systemd/system/{{ appservice_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload systemd daemons notify: Reload systemd daemons
# TODO # TODO generate registration
# node index.js -r -u "http://localhost:9000" -c config/config.yaml
# cp /var/local/matrix-appservice-webhooks/matrix-appservice-webhooks/appservice-registration-webhooks.yaml - name: Copy appservice registration file
# > /etc/matrix-synapse/appservice-registration-webhooks.yaml copy:
# chown matrix-synapse:nogroup /etc/matrix-synapse/appservice-registration-webhooks.yaml 440 src: "{{ appservice_path }}/appservice-registration-webhooks.yaml"
# /etc/matrix-synapse/conf.d/app_service_config_files.yaml dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
owner: matrix-synapse
group: nogroup
mode: 0600
remote_src: yes
# Run # Run
#- name: Ensure that matrix-appservice-webhooks is started - name: "Ensure that {{ appservice_name }} is started"
# service: service:
# name: matrix-appservice-webhooks name: "{{ appservice_name }}"
# state: started state: started
# enabled: true enabled: true
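Review bot: The clone task still pins `version: master`, so each run of this role pulls whatever currently sits at the head of a third-party repository and, now that the service task is uncommented with `enabled: true`, starts it as a system service; the discord and irc roles in this commit pin a commit SHA and a release tag respectively. Pin a specific commit hash here as well and bump it deliberately — a SHA is preferable to a tag because tags can be moved. The commit also deletes the comment that documented how the registration file was produced (`node index.js -r -u ... -c config/config.yaml`) while the new copy task depends on `appservice-registration-webhooks.yaml` already existing under `appservice_path`, so that step needs to be automated or re-documented before the role runs on a fresh host.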


@ -0,0 +1,19 @@
---
# Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user"
user:
name: "{{ appservice_user }}"
group: nogroup
home: "{{ appservice_homedir }}"
system: true
shell: /bin/false
state: present
# Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory"
file:
path: "{{ appservice_homedir }}"
state: directory
owner: "{{ appservice_user }}"
group: nogroup
mode: 0700
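Review bot: This is the third byte-identical `service_user.yml` added by the commit (the discord and irc roles carry the same two tasks), which means the user-hardening settings — `shell: /bin/false`, `system: true`, the 0700 home — will drift as soon as one copy is edited; a single shared tasks file pulled in with `include_role`/`import_tasks` from a common role would keep them in one place. While touching it, write the mode as a string per Ansible convention, `mode: "0700"`, so YAML never reinterprets the leading zero.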