Make CodiMD role more generic

2019-03-30 13:34:25 +01:00 · 2019-03-30 13:34:25 +01:00 · 88b9356f7d
commit 88b9356f7d
parent 48d521fb00
5 changed files with 59 additions and 53 deletions
--- a/roles/codimd/defaults/main.yml
+++ b/roles/codimd/defaults/main.yml
@ -0,0 +1,15 @@
+---
+# service_name is the name of the project on GitHub
+service_name: codimd
+
+# URL to clone
+service_repo: https://github.com/hackmdio/codimd.git
+
+# name of the service user
+# It means that you will have to `sudo -u THISUSER zsh` to debug
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
+
+# service_path is where the project is cloned
+# It can't be the home directory because of user hidden files.
+service_path: "{{ service_homedir }}/{{ service_name }}"
--- a/roles/codimd/tasks/1_user_group.yml
+++ b/roles/codimd/tasks/1_user_group.yml
@ -1,26 +0,0 @@
---
-# Security #1
- name: Create CodiMD system group
-  group:
-    name: codimd
-    system: true
-    state: present
-
-# Security #2
- name: Create CodiMD user
-  user:
-    name: codimd
-    group: codimd
-    home: /var/local/codimd
-    comment: CodiMD
-    system: true
-    state: present
-
-# Security #3
- name: Secure CodiMD home directory
-  file:
-    path: /var/local/codimd
-    state: directory
-    owner: codimd
-    group: codimd
-    mode: 0750
--- a/roles/codimd/tasks/main.yml
+++ b/roles/codimd/tasks/main.yml
@ -2,26 +2,25 @@
 # Install APT dependencies
 - include_tasks: 0_apt_dependencies.yml

-# Create CodiMD user and group
- include_tasks: 1_user_group.yml
+# Create service user
+- include_tasks: service_user.yml

-# Download CodiMD
- name: Clone CodiMD project
+- name: "Clone {{ service_name }} project"
  git:
-    repo: https://github.com/hackmdio/codimd.git
-    dest: /var/local/codimd/codimd
+    repo: "{{ service_repo }}"
+    dest: "{{ service_path }}"
    version: 1.3.0
  become: true
-  become_user: codimd
+  become_user: "{{ service_user }}"
  notify: Build front-end for CodiMD

-# Setup dependencies and configs
- name: Install CodiMD dependencies
+# Setup dependencies
+- name: "Install {{ service_name }} dependencies"
  yarn:
-    path: /var/local/codimd/codimd
+    path: "{{ service_path }}"
    production: true
  become: true
-  become_user: codimd
+  become_user: "{{ service_user }}"
  register: yarn_result
  retries: 3
  until: yarn_result is succeeded
@ -30,33 +29,32 @@
 - name: Connect CodiMD to PostgreSQL db
  template:
    src: sequelizerc.j2
-    dest: /var/local/codimd/codimd/.sequelizerc
-    owner: codimd
-    group: codimd
+    dest: "{{ service_path }}/.sequelizerc"
+    owner: "{{ service_user }}"
+    group: nogroup
    mode: 0600

-# Configure
- name: Configure CodiMD
+- name: "Configure {{ service_name }}"
  template:
    src: config.json.j2
-    dest: /var/local/codimd/codimd/config.json
-    owner: codimd
-    group: codimd
+    dest: "{{ service_path }}/config.json"
+    owner: "{{ service_user }}"
+    group: nogroup
    mode: 0600

 # Service file
- name: Install CodiMD systemd unit
+- name: "Install {{ service_name }} systemd unit"
  template:
    src: systemd/codimd.service.j2
-    dest: /etc/systemd/system/codimd.service
+    dest: "/etc/systemd/system/{{ service_name }}.service"
    owner: root
    group: root
    mode: 0644
  notify: Reload systemd daemons

 # Run
- name: Ensure that CodiMD is started
+- name: "Ensure that {{ service_name }} is started"
  service:
-    name: codimd
+    name: "{{ service_name }}"
    state: started
    enabled: true
--- a/roles/codimd/tasks/service_user.yml
+++ b/roles/codimd/tasks/service_user.yml
@ -0,0 +1,19 @@
+---
+# Having a custom group is useless so use nogroup
+- name: "Create {{ service_user }} user"
+  user:
+    name: "{{ service_user }}"
+    group: nogroup
+    home: "{{ service_homedir }}"
+    system: true
+    shell: /bin/false
+    state: present
+
+# Only service user should be able to go there
+- name: "Secure {{ service_user }} home directory"
+  file:
+    path: "{{ service_homedir }}"
+    state: directory
+    owner: "{{ service_user }}"
+    group: nogroup
+    mode: 0700
--- a/roles/codimd/templates/systemd/codimd.service.j2
+++ b/roles/codimd/templates/systemd/codimd.service.j2
@ -7,12 +7,12 @@ Conflicts=shutdown.target

 [Service]
 Type=simple
-User=codimd
-Group=codimd
-WorkingDirectory=/var/local/codimd/codimd
+User={{ service_user }}
+WorkingDirectory={{ service_path }}
 Environment="NODE_ENV=production"
-ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js
+ExecStart=/usr/bin/nodejs ./app.js
 Restart=always
+RestartSec=3

 [Install]
 WantedBy=multi-user.target