Make CodiMD role more generic
This commit is contained in:
parent
48d521fb00
commit
88b9356f7d
5 changed files with 59 additions and 53 deletions
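--- /dev/null
+++ b/roles/codimd/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# service_name is the name of the project on GitHub
+service_name: codimd
+
+# URL to clone
+service_repo: https://github.com/hackmdio/codimd.git
+
+# name of the service user
+# It means that you will have to `sudo -u THISUSER zsh` to debug
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
+
+# service_path is where the project is cloned
+# It can't be the home directory because of user hidden files.
+service_path: "{{ service_homedir }}/{{ service_name }}"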
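Review bot: `service_repo` is the only supply-chain input this defaults file introduces, but the revision that gets checked out is still hard-coded as `version: 1.3.0` in tasks/main.yml, so a reuser of the now-generic role can point it at another repository without being able to change the pin. Add a `service_version: "1.3.0"` default next to `service_repo` (quoted, so a two-part value such as `1.4` is not read as a float) and reference it from the clone task. A git tag can be moved after the fact, so when reproducibility of the deployed code matters a commit hash is the stronger value to put there. The `sudo -u THISUSER zsh` comment may also deserve a word that the explicit shell is needed because service_user.yml sets `shell: /bin/false`.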
@ -1,26 +0,0 @@
|
|||
---
|
||||
# Security #1
|
||||
- name: Create CodiMD system group
|
||||
group:
|
||||
name: codimd
|
||||
system: true
|
||||
state: present
|
||||
|
||||
# Security #2
|
||||
- name: Create CodiMD user
|
||||
user:
|
||||
name: codimd
|
||||
group: codimd
|
||||
home: /var/local/codimd
|
||||
comment: CodiMD
|
||||
system: true
|
||||
state: present
|
||||
|
||||
# Security #3
|
||||
- name: Secure CodiMD home directory
|
||||
file:
|
||||
path: /var/local/codimd
|
||||
state: directory
|
||||
owner: codimd
|
||||
group: codimd
|
||||
mode: 0750
|
|
@ -2,26 +2,25 @@
|
|||
# Install APT dependencies
|
||||
- include_tasks: 0_apt_dependencies.yml
|
||||
|
||||
# Create CodiMD user and group
|
||||
- include_tasks: 1_user_group.yml
|
||||
# Create service user
|
||||
- include_tasks: service_user.yml
|
||||
|
||||
# Download CodiMD
|
||||
- name: Clone CodiMD project
|
||||
- name: "Clone {{ service_name }} project"
|
||||
git:
|
||||
repo: https://github.com/hackmdio/codimd.git
|
||||
dest: /var/local/codimd/codimd
|
||||
repo: "{{ service_repo }}"
|
||||
dest: "{{ service_path }}"
|
||||
version: 1.3.0
|
||||
become: true
|
||||
become_user: codimd
|
||||
become_user: "{{ service_user }}"
|
||||
notify: Build front-end for CodiMD
|
||||
|
||||
# Setup dependencies and configs
|
||||
- name: Install CodiMD dependencies
|
||||
# Setup dependencies
|
||||
- name: "Install {{ service_name }} dependencies"
|
||||
yarn:
|
||||
path: /var/local/codimd/codimd
|
||||
path: "{{ service_path }}"
|
||||
production: true
|
||||
become: true
|
||||
become_user: codimd
|
||||
become_user: "{{ service_user }}"
|
||||
register: yarn_result
|
||||
retries: 3
|
||||
until: yarn_result is succeeded
|
||||
|
@ -30,33 +29,32 @@
|
|||
- name: Connect CodiMD to PostgreSQL db
|
||||
template:
|
||||
src: sequelizerc.j2
|
||||
dest: /var/local/codimd/codimd/.sequelizerc
|
||||
owner: codimd
|
||||
group: codimd
|
||||
dest: "{{ service_path }}/.sequelizerc"
|
||||
owner: "{{ service_user }}"
|
||||
group: nogroup
|
||||
mode: 0600
|
||||
|
||||
# Configure
|
||||
- name: Configure CodiMD
|
||||
- name: "Configure {{ service_name }}"
|
||||
template:
|
||||
src: config.json.j2
|
||||
dest: /var/local/codimd/codimd/config.json
|
||||
owner: codimd
|
||||
group: codimd
|
||||
dest: "{{ service_path }}/config.json"
|
||||
owner: "{{ service_user }}"
|
||||
group: nogroup
|
||||
mode: 0600
|
||||
|
||||
# Service file
|
||||
- name: Install CodiMD systemd unit
|
||||
- name: "Install {{ service_name }} systemd unit"
|
||||
template:
|
||||
src: systemd/codimd.service.j2
|
||||
dest: /etc/systemd/system/codimd.service
|
||||
dest: "/etc/systemd/system/{{ service_name }}.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: Reload systemd daemons
|
||||
|
||||
# Run
|
||||
- name: Ensure that CodiMD is started
|
||||
- name: "Ensure that {{ service_name }} is started"
|
||||
service:
|
||||
name: codimd
|
||||
name: "{{ service_name }}"
|
||||
state: started
|
||||
enabled: true
|
||||
|
|
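Review bot: The template source `src: systemd/codimd.service.j2`, the handler name in `notify: Build front-end for CodiMD` and the task `- name: Connect CodiMD to PostgreSQL db` are still CodiMD-specific, while the task names and `dest:` paths around them were switched to `{{ service_name }}`; a consumer who only overrides the defaults would still get the CodiMD unit template installed under the new `{{ service_name }}.service` name. Either template the source as well (`src: "systemd/{{ service_name }}.service.j2"`, with the template file renamed to match) or add a comment above that task stating that the unit template is intentionally CodiMD-specific, so the partial genericity is documented rather than accidental. The `.sequelizerc` and `config.json` tasks now write `owner: "{{ service_user }}"` with `group: nogroup`; the unchanged `mode: 0600` is what keeps those files private, so that line is worth a comment such as `# 0600: nogroup is shared with other daemons, only the owner may read this`.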
19
roles/codimd/tasks/service_user.yml
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
# Having a custom group is useless so use nogroup
|
||||
- name: "Create {{ service_user }} user"
|
||||
user:
|
||||
name: "{{ service_user }}"
|
||||
group: nogroup
|
||||
home: "{{ service_homedir }}"
|
||||
system: true
|
||||
shell: /bin/false
|
||||
state: present
|
||||
|
||||
# Only service user should be able to go there
|
||||
- name: "Secure {{ service_user }} home directory"
|
||||
file:
|
||||
path: "{{ service_homedir }}"
|
||||
state: directory
|
||||
owner: "{{ service_user }}"
|
||||
group: nogroup
|
||||
mode: 0700
|
|
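Review bot: Making `nogroup` the primary group of the service user (`group: nogroup` on the user and again on the home directory) means every file the service creates at runtime carries a group shared with `nobody` and with any other daemon that uses it, so anything the service leaves group-readable becomes readable by those processes; the per-service group removed from 1_user_group.yml was the stricter choice, and the systemd unit no longer sets `Group=` either. The `0700` home mode here and the `0600` config modes in tasks/main.yml keep that from mattering today, but the trade-off should be stated where the decision is made, e.g. replace the first comment with `# nogroup is shared with other daemons: everything the service writes must stay 0600/0700`. The mode is also a plain scalar; `mode: "0700"` (and likewise `mode: 0600` / `mode: 0644` in tasks/main.yml) avoids the YAML 1.1 octal-versus-decimal ambiguity that the Ansible file-module docs warn about.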
@ -7,12 +7,12 @@ Conflicts=shutdown.target
|
|||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=codimd
|
||||
Group=codimd
|
||||
WorkingDirectory=/var/local/codimd/codimd
|
||||
User={{ service_user }}
|
||||
WorkingDirectory={{ service_path }}
|
||||
Environment="NODE_ENV=production"
|
||||
ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js
|
||||
ExecStart=/usr/bin/nodejs ./app.js
|
||||
Restart=always
|
||||
RestartSec=3
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
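Review bot: Dropping `Group=codimd` without a replacement leaves the service's group at the service user's primary group, which service_user.yml now sets to the shared `nogroup`; a reader of the unit alone cannot tell that the omission is deliberate, so add a comment above `User={{ service_user }}` such as `# no Group=: the service runs with the service user's primary group`, or set `Group=` explicitly from a variable. Since the [Service] identity lines are being rewritten anyway, this is also the natural place to add `NoNewPrivileges=true` and `PrivateTmp=true`, which the template does not currently set and which cost nothing for a Node.js app started from `{{ service_path }}`. The unit begins before this hunk, so any `[Unit]` changes are out of view.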