diff --git a/roles/codimd/defaults/main.yml b/roles/codimd/defaults/main.yml
new file mode 100644
index 0000000..b90bf62
--- /dev/null
+++ b/roles/codimd/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# service_name is the name of the project on GitHub
+service_name: codimd
+
+# URL to clone
+service_repo: https://github.com/hackmdio/codimd.git
+
+# name of the service user
+# It means that you will have to `sudo -u THISUSER zsh` to debug
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
+
+# service_path is where the project is cloned
+# It can't be the home directory because of user hidden files.
+service_path: "{{ service_homedir }}/{{ service_name }}"
diff --git a/roles/codimd/tasks/1_user_group.yml b/roles/codimd/tasks/1_user_group.yml
deleted file mode 100644
index 8acc968..0000000
--- a/roles/codimd/tasks/1_user_group.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# Security #1
-- name: Create CodiMD system group
- group:
- name: codimd
- system: true
- state: present
-
-# Security #2
-- name: Create CodiMD user
- user:
- name: codimd
- group: codimd
- home: /var/local/codimd
- comment: CodiMD
- system: true
- state: present
-
-# Security #3
-- name: Secure CodiMD home directory
- file:
- path: /var/local/codimd
- state: directory
- owner: codimd
- group: codimd
- mode: 0750
diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml
index f176b95..f304fad 100644
--- a/roles/codimd/tasks/main.yml
+++ b/roles/codimd/tasks/main.yml
@@ -2,26 +2,25 @@
 # Install APT dependencies
 - include_tasks: 0_apt_dependencies.yml
-# Create CodiMD user and group
-- include_tasks: 1_user_group.yml
+# Create service user
+- include_tasks: service_user.yml
-# Download CodiMD
-- name: Clone CodiMD project
+- name: "Clone {{ service_name }} project"
 git:
- repo: https://github.com/hackmdio/codimd.git
- dest: /var/local/codimd/codimd
+ repo: "{{ service_repo }}"
+ dest: "{{ service_path }}"
 version: 1.3.0
 become: true
- become_user: codimd
+ become_user: "{{ service_user }}"
 notify: Build front-end for CodiMD
-# Setup dependencies and configs
-- name: Install CodiMD dependencies
+# Setup dependencies
+- name: "Install {{ service_name }} dependencies"
 yarn:
- path: /var/local/codimd/codimd
+ path: "{{ service_path }}"
 production: true
 become: true
- become_user: codimd
+ become_user: "{{ service_user }}"
 register: yarn_result
 retries: 3
 until: yarn_result is succeeded
@@ -30,33 +29,32 @@
 - name: Connect CodiMD to PostgreSQL db
 template:
 src: sequelizerc.j2
- dest: /var/local/codimd/codimd/.sequelizerc
- owner: codimd
- group: codimd
+ dest: "{{ service_path }}/.sequelizerc"
+ owner: "{{ service_user }}"
+ group: nogroup
 mode: 0600
-# Configure
-- name: Configure CodiMD
+- name: "Configure {{ service_name }}"
 template:
 src: config.json.j2
- dest: /var/local/codimd/codimd/config.json
- owner: codimd
- group: codimd
+ dest: "{{ service_path }}/config.json"
+ owner: "{{ service_user }}"
+ group: nogroup
 mode: 0600
 # Service file
-- name: Install CodiMD systemd unit
+- name: "Install {{ service_name }} systemd unit"
 template:
 src: systemd/codimd.service.j2
- dest: /etc/systemd/system/codimd.service
+ dest: "/etc/systemd/system/{{ service_name }}.service"
 owner: root
 group: root
 mode: 0644
 notify: Reload systemd daemons
 # Run
-- name: Ensure that CodiMD is started
+- name: "Ensure that {{ service_name }} is started"
 service:
- name: codimd
+ name: "{{ service_name }}"
 state: started
 enabled: true
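Review bot: The clone task in the first hunk pins `version: 1.3.0`, a git tag, whereas the matrix-appservice-discord role in this same change pins a full commit SHA; a tag can be moved or deleted upstream, and whatever it resolves to is then built by `yarn` (including any package lifecycle scripts) and run as the service user on this host. Pin the commit the tag pointed to, e.g. `version: "<sha of the 1.3.0 tag>"  # v1.3.0`, so two hosts provisioned on different days get the same code. As a smaller point, `mode: 0600`/`mode: 0644` work only because YAML 1.1 reads the leading zero as octal; `mode: "0600"` is the form Ansible documents and survives a parser change.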
diff --git a/roles/codimd/tasks/service_user.yml b/roles/codimd/tasks/service_user.yml
new file mode 100644
index 0000000..0818676
--- /dev/null
+++ b/roles/codimd/tasks/service_user.yml
@@ -0,0 +1,19 @@
+---
+# Having a custom group is useless so use nogroup
+- name: "Create {{ service_user }} user"
+ user:
+ name: "{{ service_user }}"
+ group: nogroup
+ home: "{{ service_homedir }}"
+ system: true
+ shell: /bin/false
+ state: present
+
+# Only service user should be able to go there
+- name: "Secure {{ service_user }} home directory"
+ file:
+ path: "{{ service_homedir }}"
+ state: directory
+ owner: "{{ service_user }}"
+ group: nogroup
+ mode: 0700
diff --git a/roles/codimd/templates/systemd/codimd.service.j2 b/roles/codimd/templates/systemd/codimd.service.j2
index 8468dfd..4b80a5b 100644
--- a/roles/codimd/templates/systemd/codimd.service.j2
+++ b/roles/codimd/templates/systemd/codimd.service.j2
@@ -7,12 +7,12 @@ Conflicts=shutdown.target
 [Service]
 Type=simple
-User=codimd
-Group=codimd
-WorkingDirectory=/var/local/codimd/codimd
+User={{ service_user }}
+WorkingDirectory={{ service_path }}
 Environment="NODE_ENV=production"
-ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js
+ExecStart=/usr/bin/nodejs ./app.js
 Restart=always
+RestartSec=3
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/matrix-appservice-discord/defaults/main.yml b/roles/matrix-appservice-discord/defaults/main.yml
index d282592..6ad40a4 100644
--- a/roles/matrix-appservice-discord/defaults/main.yml
+++ b/roles/matrix-appservice-discord/defaults/main.yml
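Review bot: The `user` task in service_user.yml still lets Ansible create `{{ service_homedir }}` (nothing disables `create_home`), so the directory is first created with the default, typically world-readable, mode and skeleton dotfiles, and only the following `file` task tightens it to `0700`; on a fresh host that is a short window where the home is listable by everyone, and the skeleton files are presumably the "user hidden files" the defaults comment works around. Adding `create_home: false` (`createhome` on Ansible < 2.5) to the `user` task and letting the `file` task create the directory removes both. Separately, `group: nogroup` is shared with `nobody` and with the other three services in this change, so isolation now rests entirely on owner-only modes; any file a later step leaves as 0640/0750 (package-manager caches, app data) becomes readable by every other `nogroup` process, which the comment should say instead of "Having a custom group is useless".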
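Review bot: The reworked `[Service]` section of codimd.service.j2 still runs the Node process with a full, writable view of the host and the ability to gain privileges; now that `User=` and `WorkingDirectory=` are templated this is the place to add the usual sandboxing, which is free for a service like this: `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=strict` plus `ReadWritePaths={{ service_path }}` (narrow it to the app's data directory if that is all it writes to). Dropping `Group=` means the process now runs with the user's primary group, `nogroup`, which the service_user tasks also give to the other appservices; a one-line comment saying so would help the next reader. `ExecStart=/usr/bin/nodejs ./app.js` is valid (systemd only requires the executable itself to be absolute), but `# ./app.js is resolved relative to WorkingDirectory` saves a lookup.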
@@ -1,15 +1,15 @@
 ---
-# appservice_name is the name of the project on GitHub
-appservice_name: matrix-appservice-discord
+# service_name is the name of the project on GitHub
+service_name: matrix-appservice-discord
 # URL to clone
-appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git
+service_repo: https://github.com/Half-Shot/matrix-appservice-discord.git
 # name of the service user
 # It means that you will have to `sudo -u THISUSER zsh` to debug
-appservice_user: "{{ appservice_name }}"
-appservice_homedir: "/var/local/{{ appservice_name }}"
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
-# appservice_path is where the project is cloned
+# service_path is where the project is cloned
 # It can't be the home directory because of user hidden files.
-appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"
+service_path: "{{ service_homedir }}/{{ service_name }}"
diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml
index 0ee9eb7..b7cb95b 100644
--- a/roles/matrix-appservice-discord/tasks/main.yml
+++ b/roles/matrix-appservice-discord/tasks/main.yml
@@ -2,22 +2,22 @@
 # Create service user
 - include_tasks: service_user.yml
-- name: "Clone {{ appservice_name }} project"
+- name: "Clone {{ service_name }} project"
 git:
- repo: "{{ appservice_repo }}"
- dest: "{{ appservice_path }}"
+ repo: "{{ service_repo }}"
+ dest: "{{ service_path }}"
 version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 # Setup dependencies
 # May create issues with package-lock.json not in gitignore
-- name: "Install {{ appservice_name }} dependencies"
+- name: "Install {{ service_name }} dependencies"
 npm:
- path: "{{ appservice_path }}"
+ path: "{{ service_path }}"
 production: true
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 register: npm_result
 retries: 3
 until: npm_result is succeeded
@@ -26,25 +26,25 @@
 - name: Compile matrix-appservice-discord
 command: ./node_modules/.bin/tsc
 args:
- chdir: "{{ appservice_path }}"
+ chdir: "{{ service_path }}"
 register: npm_build_result
 changed_when: npm_build_result
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
-- name: "Configure {{ appservice_name }}"
+- name: "Configure {{ service_name }}"
 template:
 src: config.yaml.j2
- dest: "{{ appservice_path }}/config.yaml"
- owner: "{{ appservice_user }}"
+ dest: "{{ service_path }}/config.yaml"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0600
 # Service file
-- name: "Install {{ appservice_name }} systemd unit"
+- name: "Install {{ service_name }} systemd unit"
 template:
- src: systemd/matrix-appservice-discord.service.j2
- dest: "/etc/systemd/system/{{ appservice_name }}.service"
+ src: systemd/appservice.service.j2
+ dest: "/etc/systemd/system/{{ service_name }}.service"
 owner: root
 group: root
 mode: 0644
@@ -54,16 +54,16 @@
 - name: Copy appservice registration file
 copy:
- src: "{{ appservice_path }}/discord-registration.yaml"
- dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
+ src: "{{ service_path }}/discord-registration.yaml"
+ dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
 owner: matrix-synapse
 group: nogroup
 mode: 0600
 remote_src: yes
 # Run
-- name: "Ensure that {{ appservice_name }} is started"
+- name: "Ensure that {{ service_name }} is started"
 service:
- name: "{{ appservice_name }}"
+ name: "{{ service_name }}"
 state: started
 enabled: true
diff --git a/roles/matrix-appservice-discord/tasks/service_user.yml b/roles/matrix-appservice-discord/tasks/service_user.yml
index 4d73739..0818676 100644
--- a/roles/matrix-appservice-discord/tasks/service_user.yml
+++ b/roles/matrix-appservice-discord/tasks/service_user.yml
@@ -1,19 +1,19 @@
 ---
 # Having a custom group is useless so use nogroup
-- name: "Create {{ appservice_user }} user"
+- name: "Create {{ service_user }} user"
 user:
- name: "{{ appservice_user }}"
+ name: "{{ service_user }}"
 group: nogroup
- home: "{{ appservice_homedir }}"
+ home: "{{ service_homedir }}"
 system: true
 shell: /bin/false
 state: present
 # Only service user should be able to go there
-- name: "Secure {{ appservice_user }} home directory"
+- name: "Secure {{ service_user }} home directory"
 file:
- path: "{{ appservice_homedir }}"
+ path: "{{ service_homedir }}"
 state: directory
- owner: "{{ appservice_user }}"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0700
diff --git a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2
similarity index 71%
rename from roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
rename to roles/matrix-appservice-discord/templates/systemd/appservice.service.j2
index be11020..29ebdb6 100644
--- a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-appservice-discord/templates/systemd/appservice.service.j2
@@ -7,12 +7,12 @@ Conflicts=shutdown.target
 [Service]
 Type=simple
-User=matrix-appservice-discord
-Group=matrix-appservice-discord
-WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord
+User={{ service_user }}
+WorkingDirectory={{ service_path }}
 Environment="NODE_ENV=production"
 ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml
 Restart=always
+RestartSec=3
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/matrix-appservice-irc/defaults/main.yml b/roles/matrix-appservice-irc/defaults/main.yml
index 517275e..845dbab 100644
--- a/roles/matrix-appservice-irc/defaults/main.yml
+++ b/roles/matrix-appservice-irc/defaults/main.yml
@@ -1,15 +1,15 @@
 ---
-# appservice_name is the name of the project on GitHub
-appservice_name: matrix-appservice-irc
+# service_name is the name of the project on GitHub
+service_name: matrix-appservice-irc
 # URL to clone
-appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git
+service_repo: https://github.com/matrix-org/matrix-appservice-irc.git
 # name of the service user
 # It means that you will have to `sudo -u THISUSER zsh` to debug
-appservice_user: "{{ appservice_name }}"
-appservice_homedir: "/var/local/{{ appservice_name }}"
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
-# appservice_path is where the project is cloned
+# service_path is where the project is cloned
 # It can't be the home directory because of user hidden files.
-appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"
+service_path: "{{ service_homedir }}/{{ service_name }}"
diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml
index 971ca21..7c77af0 100644
--- a/roles/matrix-appservice-irc/tasks/main.yml
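Review bot: Removing `Group=` from the discord unit makes the bridge run with its user's primary group, which the role's service_user tasks set to `nogroup` — the same group `nobody` and the other appservices on this host use — so there is no longer any group-level separation between these processes; that is acceptable while every file the tasks create is 0600/0700, but it deserves a comment in the unit rather than silent reliance, e.g. `# primary group is nogroup (shared with other services); isolation relies on owner-only file modes`. This process binds a TCP port (`-p 9005`) and reads a token-bearing config, so the standard sandboxing directives would be a cheap addition here: `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=strict` with `ReadWritePaths={{ service_path }}` (or just the directory the bridge's database lives in, if that is narrower).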
+++ b/roles/matrix-appservice-irc/tasks/main.yml
@@ -2,38 +2,38 @@
 # Create service user
 - include_tasks: service_user.yml
-- name: "Clone {{ appservice_name }} project"
+- name: "Clone {{ service_name }} project"
 git:
- repo: "{{ appservice_repo }}"
- dest: "{{ appservice_path }}"
+ repo: "{{ service_repo }}"
+ dest: "{{ service_path }}"
 version: 0.11.2
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 # Setup dependencies
-- name: "Install {{ appservice_name }} dependencies"
+- name: "Install {{ service_name }} dependencies"
 npm:
- path: "{{ appservice_path }}"
+ path: "{{ service_path }}"
 production: true
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 register: npm_result
 retries: 3
 until: npm_result is succeeded
-- name: "Configure {{ appservice_name }}"
+- name: "Configure {{ service_name }}"
 template:
 src: config.yaml.j2
- dest: "{{ appservice_path }}/config.yaml"
- owner: "{{ appservice_user }}"
+ dest: "{{ service_path }}/config.yaml"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0600
 # Service file
-- name: "Install {{ appservice_name }} systemd unit"
+- name: "Install {{ service_name }} systemd unit"
 template:
- src: systemd/matrix-appservice-irc.service.j2
- dest: "/etc/systemd/system/{{ appservice_name }}.service"
+ src: systemd/appservice.service.j2
+ dest: "/etc/systemd/system/{{ service_name }}.service"
 owner: root
 group: root
 mode: 0644
@@ -43,16 +43,16 @@
 #- name: Copy appservice registration file
 # copy:
-# src: "{{ appservice_path }}/discord-registration.yaml"
-# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
+# src: "{{ service_path }}/discord-registration.yaml"
+# dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
 # owner: matrix-synapse
 # group: nogroup
 # mode: 0600
 # remote_src: yes
 # Run
-#- name: Ensure that matrix-appservice-irc is started
+#- name: "Ensure that {{ service_name }} is started"
 # service:
-# name: matrix-appservice-irc
+# name: "{{ service_name }}"
 # state: started
 # enabled: true
diff --git a/roles/matrix-appservice-irc/tasks/service_user.yml b/roles/matrix-appservice-irc/tasks/service_user.yml
index 4d73739..0818676 100644
--- a/roles/matrix-appservice-irc/tasks/service_user.yml
+++ b/roles/matrix-appservice-irc/tasks/service_user.yml
@@ -1,19 +1,19 @@
 ---
 # Having a custom group is useless so use nogroup
-- name: "Create {{ appservice_user }} user"
+- name: "Create {{ service_user }} user"
 user:
- name: "{{ appservice_user }}"
+ name: "{{ service_user }}"
 group: nogroup
- home: "{{ appservice_homedir }}"
+ home: "{{ service_homedir }}"
 system: true
 shell: /bin/false
 state: present
 # Only service user should be able to go there
-- name: "Secure {{ appservice_user }} home directory"
+- name: "Secure {{ service_user }} home directory"
 file:
- path: "{{ appservice_homedir }}"
+ path: "{{ service_homedir }}"
 state: directory
- owner: "{{ appservice_user }}"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0700
diff --git a/roles/matrix-appservice-irc/templates/apt/nodejs.j2 b/roles/matrix-appservice-irc/templates/apt/nodejs.j2
deleted file mode 100644
index 65e5110..0000000
--- a/roles/matrix-appservice-irc/templates/apt/nodejs.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-Package: node* libuv1*
-Pin: release a=stretch-backports
-Pin-Priority: 600
diff --git a/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2 b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2
new file mode 100644
index 0000000..0680720
--- /dev/null
+++ b/roles/matrix-appservice-irc/templates/systemd/appservice.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=A bridge between Matrix and IRC
+After=syslog.target network-online.target mysql.service postgresql.service
+Conflicts=shutdown.target
+
+[Service]
+Type=simple
+User={{ service_user }}
+WorkingDirectory={{ service_path }}
+ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f my_registration_file.yaml -p 9999
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
deleted file mode 100644
index 1f25539..0000000
--- a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=A bridge between Matrix and IRC
-After=syslog.target network-online.target mysql.service postgresql.service
-Conflicts=shutdown.target
-
-[Service]
-Type=simple
-User=matrix-appservice-irc
-Group=matrix-appservice-irc
-WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc
-ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/matrix-appservice-webhooks/defaults/main.yml b/roles/matrix-appservice-webhooks/defaults/main.yml
index ba9de6d..e4425c8 100644
--- a/roles/matrix-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-appservice-webhooks/defaults/main.yml
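Review bot: The new IRC unit's `ExecStart` points the bridge at `-f my_registration_file.yaml`, which nothing in this role produces — the role's own (commented-out) copy task in tasks/main.yml still names `discord-registration.yaml`, apparently carried over from the discord role — so the service will presumably fail to start until a real registration file is generated and referenced here. Either wire up the registration step in this role and use its output name, or mark the unit as unfinished with `# TODO: registration file is a placeholder; role does not generate it yet` so nobody enables it by accident. `After=… mysql.service postgresql.service` is ordering only (no `Wants=`/`Requires=`), which is fine but worth a word. The same sandboxing as the other Node services is also missing: `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=strict` with `ReadWritePaths={{ service_path }}`.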
@@ -1,15 +1,15 @@
 ---
-# appservice_name is the name of the project on GitHub
-appservice_name: matrix-appservice-webhooks
+# service_name is the name of the project on GitHub
+service_name: matrix-appservice-webhooks
 # URL to clone
-appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git
+service_repo: https://github.com/turt2live/matrix-appservice-webhooks.git
 # name of the service user
 # It means that you will have to `sudo -u THISUSER zsh` to debug
-appservice_user: "{{ appservice_name }}"
-appservice_homedir: "/var/local/{{ appservice_name }}"
+service_user: "{{ service_name }}"
+service_homedir: "/var/local/{{ service_name }}"
-# appservice_path is where the project is cloned
+# service_path is where the project is cloned
 # It can't be the home directory because of user hidden files.
-appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}"
+service_path: "{{ service_homedir }}/{{ service_name }}"
diff --git a/roles/matrix-appservice-webhooks/tasks/main.yml b/roles/matrix-appservice-webhooks/tasks/main.yml
index 9780b60..e8ef646 100644
--- a/roles/matrix-appservice-webhooks/tasks/main.yml
+++ b/roles/matrix-appservice-webhooks/tasks/main.yml
@@ -2,38 +2,38 @@
 # Create service user
 - include_tasks: service_user.yml
-- name: "Clone {{ appservice_name }} project"
+- name: "Clone {{ service_name }} project"
 git:
- repo: "{{ appservice_repo }}"
- dest: "{{ appservice_path }}"
+ repo: "{{ service_repo }}"
+ dest: "{{ service_path }}"
 version: master
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 # Setup dependencies
-- name: "Install {{ appservice_name }} dependencies"
+- name: "Install {{ service_name }} dependencies"
 npm:
- path: "{{ appservice_path }}"
+ path: "{{ service_path }}"
 production: true
 become: true
- become_user: "{{ appservice_user }}"
+ become_user: "{{ service_user }}"
 register: npm_result
 retries: 3
 until: npm_result is succeeded
-- name: "Configure {{ appservice_name }}"
+- name: "Configure {{ service_name }}"
 template:
 src: config.yaml.j2
- dest: "{{ appservice_path }}/config/config.yaml"
- owner: "{{ appservice_user }}"
+ dest: "{{ service_path }}/config/config.yaml"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0600
 # Service file
-- name: "Install {{ appservice_name }} systemd unit"
+- name: "Install {{ service_name }} systemd unit"
 template:
- src: systemd/matrix-appservice-webhooks.service.j2
- dest: "/etc/systemd/system/{{ appservice_name }}.service"
+ src: systemd/appservice.service.j2
+ dest: "/etc/systemd/system/{{ service_name }}.service"
 owner: root
 group: root
 mode: 0644
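Review bot: The clone task still checks out `version: master` (unchanged context here, but the only unpinned checkout among the four roles in this change), so every run pulls whatever upstream `master` is at that moment and then runs its `npm install` — including any package lifecycle scripts — and its code as the service user; a compromised or merely broken upstream commit lands on the host on the next run, and two hosts provisioned on different days run different code. Pin a commit as the discord role does, `version: "<commit sha>"`, and bump it on purpose. If the Ansible in use supports it, `ci: true` on the `npm` task (install from the lockfile, i.e. `npm ci`) would make the dependency tree reproducible as well.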
@@ -43,16 +43,16 @@
 - name: Copy appservice registration file
 copy:
- src: "{{ appservice_path }}/appservice-registration-webhooks.yaml"
- dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml"
+ src: "{{ service_path }}/appservice-registration-webhooks.yaml"
+ dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
 owner: matrix-synapse
 group: nogroup
 mode: 0600
 remote_src: yes
 # Run
-- name: "Ensure that {{ appservice_name }} is started"
+- name: "Ensure that {{ service_name }} is started"
 service:
- name: "{{ appservice_name }}"
+ name: "{{ service_name }}"
 state: started
 enabled: true
diff --git a/roles/matrix-appservice-webhooks/tasks/service_user.yml b/roles/matrix-appservice-webhooks/tasks/service_user.yml
index 4d73739..0818676 100644
--- a/roles/matrix-appservice-webhooks/tasks/service_user.yml
+++ b/roles/matrix-appservice-webhooks/tasks/service_user.yml
@@ -1,19 +1,19 @@
 ---
 # Having a custom group is useless so use nogroup
-- name: "Create {{ appservice_user }} user"
+- name: "Create {{ service_user }} user"
 user:
- name: "{{ appservice_user }}"
+ name: "{{ service_user }}"
 group: nogroup
- home: "{{ appservice_homedir }}"
+ home: "{{ service_homedir }}"
 system: true
 shell: /bin/false
 state: present
 # Only service user should be able to go there
-- name: "Secure {{ appservice_user }} home directory"
+- name: "Secure {{ service_user }} home directory"
 file:
- path: "{{ appservice_homedir }}"
+ path: "{{ service_homedir }}"
 state: directory
- owner: "{{ appservice_user }}"
+ owner: "{{ service_user }}"
 group: nogroup
 mode: 0700
diff --git a/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2 b/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2
deleted file mode 100644
index 65e5110..0000000
--- a/roles/matrix-appservice-webhooks/templates/apt/nodejs.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-Package: node* libuv1*
-Pin: release a=stretch-backports
-Pin-Priority: 600
diff --git a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2
similarity index 71%
rename from roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
rename to roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2
index 9d8c6b6..48239a8 100644
--- a/roles/matrix-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/matrix-appservice-webhooks/templates/systemd/appservice.service.j2
@@ -7,11 +7,11 @@ Conflicts=shutdown.target
 [Service]
 Type=simple
-User=matrix-appservice-webhooks
-Group=matrix-appservice-webhooks
-WorkingDirectory=/var/local/matrix-appservice-webhooks/matrix-appservice-webhooks
+User={{ service_user }}
+WorkingDirectory={{ service_path }}
 ExecStart=/usr/bin/nodejs index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml
 Restart=always
+RestartSec=3
 [Install]
 WantedBy=multi-user.target