Merge branch 'generic_services' into 'master'

Generic services

See merge request aurore/ansible!37
Alexandre IOOSS 2019-04-01 17:53:49 +02:00
commit 98c6364394
20 changed files with 174 additions and 178 deletions


@ -0,0 +1,15 @@
---
# service_name is the name of the project on GitHub
service_name: codimd
# URL to clone
service_repo: https://github.com/hackmdio/codimd.git
# name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug
service_user: "{{ service_name }}"
service_homedir: "/var/local/{{ service_name }}"
# service_path is where the project is cloned
# It can't be the home directory because of user hidden files.
service_path: "{{ service_homedir }}/{{ service_name }}"
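Review bot: The variable names introduced in this file (`service_name`, `service_repo`, `service_user`, `service_homedir`, `service_path`) are reused verbatim by the matrix-appservice-discord, -irc and -webhooks roles later in this commit (L155-164, L271-280, L406-415). Ansible exports role variables to the play scope unless `private_role_vars` is set, so applying two of these roles in the same play can let one role's `service_*` values override another's; whether that actually happens depends on whether these files live under `defaults/` or `vars/`, which the page does not show. If the roles are ever combined in one play, either prefix the names per role or enable `private_role_vars` in ansible.cfg, and record the assumption here, e.g. `# NOTE: these variable names are shared by every service role; run one service role per play or set private_role_vars`.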


@ -1,26 +0,0 @@
---
# Security #1
- name: Create CodiMD system group
group:
name: codimd
system: true
state: present
# Security #2
- name: Create CodiMD user
user:
name: codimd
group: codimd
home: /var/local/codimd
comment: CodiMD
system: true
state: present
# Security #3
- name: Secure CodiMD home directory
file:
path: /var/local/codimd
state: directory
owner: codimd
group: codimd
mode: 0750


@ -2,26 +2,25 @@
# Install APT dependencies # Install APT dependencies
- include_tasks: 0_apt_dependencies.yml - include_tasks: 0_apt_dependencies.yml
# Create CodiMD user and group # Create service user
- include_tasks: 1_user_group.yml - include_tasks: service_user.yml
# Download CodiMD - name: "Clone {{ service_name }} project"
- name: Clone CodiMD project
git: git:
repo: https://github.com/hackmdio/codimd.git repo: "{{ service_repo }}"
dest: /var/local/codimd/codimd dest: "{{ service_path }}"
version: 1.3.0 version: 1.3.0
become: true become: true
become_user: codimd become_user: "{{ service_user }}"
notify: Build front-end for CodiMD notify: Build front-end for CodiMD
# Setup dependencies and configs # Setup dependencies
- name: Install CodiMD dependencies - name: "Install {{ service_name }} dependencies"
yarn: yarn:
path: /var/local/codimd/codimd path: "{{ service_path }}"
production: true production: true
become: true become: true
become_user: codimd become_user: "{{ service_user }}"
register: yarn_result register: yarn_result
retries: 3 retries: 3
until: yarn_result is succeeded until: yarn_result is succeeded
@ -30,33 +29,32 @@
- name: Connect CodiMD to PostgreSQL db - name: Connect CodiMD to PostgreSQL db
template: template:
src: sequelizerc.j2 src: sequelizerc.j2
dest: /var/local/codimd/codimd/.sequelizerc dest: "{{ service_path }}/.sequelizerc"
owner: codimd owner: "{{ service_user }}"
group: codimd group: nogroup
mode: 0600 mode: 0600
# Configure - name: "Configure {{ service_name }}"
- name: Configure CodiMD
template: template:
src: config.json.j2 src: config.json.j2
dest: /var/local/codimd/codimd/config.json dest: "{{ service_path }}/config.json"
owner: codimd owner: "{{ service_user }}"
group: codimd group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: Install CodiMD systemd unit - name: "Install {{ service_name }} systemd unit"
template: template:
src: systemd/codimd.service.j2 src: systemd/codimd.service.j2
dest: /etc/systemd/system/codimd.service dest: "/etc/systemd/system/{{ service_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload systemd daemons notify: Reload systemd daemons
# Run # Run
- name: Ensure that CodiMD is started - name: "Ensure that {{ service_name }} is started"
service: service:
name: codimd name: "{{ service_name }}"
state: started state: started
enabled: true enabled: true
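Review bot: The git task at the top of this section (L62-70) clones `{{ service_repo }}` at `version: 1.3.0`, a tag, and the matrix-appservice-webhooks role (L426) still tracks `master`; both are mutable references, so the code deployed on the host can change upstream without any change in this repository. The matrix-appservice-discord role (L175) already pins a full commit hash, and doing the same here, `version: <commit hash of the 1.3.0 tag - placeholder>` with the tag kept in a comment for readability, gives reproducible deployments and a reviewable diff whenever the version moves. The `notify: Build front-end for CodiMD` handler and the `Connect CodiMD to PostgreSQL db` task name remain hard-coded while the surrounding names are templated; harmless, but worth aligning for consistency.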


@ -0,0 +1,19 @@
---
# Having a custom group is useless so use nogroup
- name: "Create {{ service_user }} user"
user:
name: "{{ service_user }}"
group: nogroup
home: "{{ service_homedir }}"
system: true
shell: /bin/false
state: present
# Only service user should be able to go there
- name: "Secure {{ service_user }} home directory"
file:
path: "{{ service_homedir }}"
state: directory
owner: "{{ service_user }}"
group: nogroup
mode: 0700
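Review bot: `mode: 0700` on the last line is an unquoted octal literal; a YAML 1.1 parser hands it to Ansible as the integer 448, and the Ansible file-module documentation recommends quoting octal modes because the leading-zero form "works sometimes" and can fail in loops and other contexts. Write `mode: "0700"` here, and likewise `mode: "0600"` / `mode: "0644"` for the template tasks in the task files (L88, L96, L104 and the corresponding lines in the appservice roles). The user task itself looks right for a service account: `system: true`, `shell: /bin/false`, and a home directory readable only by that user.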


@ -7,12 +7,12 @@ Conflicts=shutdown.target
[Service] [Service]
Type=simple Type=simple
User=codimd User={{ service_user }}
Group=codimd WorkingDirectory={{ service_path }}
WorkingDirectory=/var/local/codimd/codimd
Environment="NODE_ENV=production" Environment="NODE_ENV=production"
ExecStart=/usr/bin/nodejs /var/local/codimd/codimd/app.js ExecStart=/usr/bin/nodejs ./app.js
Restart=always Restart=always
RestartSec=3
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
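Review bot: The unit now runs as `{{ service_user }}` with `Group=` dropped (systemd then falls back to that user's primary group, `nogroup` per service_user.yml), but the `[Service]` section still has no sandboxing directives, so a compromised Node process keeps the full filesystem view and the ability to acquire new privileges. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` should be compatible with a service that only writes under `{{ service_path }}` and is worth a quick test; the same applies to the matrix-appservice-discord, -irc and -webhooks unit templates (L253-264, L367-381, L502-512), which share this `[Service]` block. The switch to `ExecStart=/usr/bin/nodejs ./app.js` depends on `WorkingDirectory=` being set, which it is on the line above.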


@ -1,15 +1,15 @@
--- ---
# appservice_name is the name of the project on GitHub # service_name is the name of the project on GitHub
appservice_name: matrix-appservice-discord service_name: matrix-appservice-discord
# URL to clone # URL to clone
appservice_repo: https://github.com/Half-Shot/matrix-appservice-discord.git service_repo: https://github.com/Half-Shot/matrix-appservice-discord.git
# name of the service user # name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug # It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}" service_user: "{{ service_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}" service_homedir: "/var/local/{{ service_name }}"
# appservice_path is where the project is cloned # service_path is where the project is cloned
# It can't be the home directory because of user hidden files. # It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" service_path: "{{ service_homedir }}/{{ service_name }}"


@ -2,22 +2,22 @@
# Create service user # Create service user
- include_tasks: service_user.yml - include_tasks: service_user.yml
- name: "Clone {{ appservice_name }} project" - name: "Clone {{ service_name }} project"
git: git:
repo: "{{ appservice_repo }}" repo: "{{ service_repo }}"
dest: "{{ appservice_path }}" dest: "{{ service_path }}"
version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76 version: 14cf2829510e8b7b99b3238e2deaddf296ab4b76
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
# Setup dependencies # Setup dependencies
# May create issues with package-lock.json not in gitignore # May create issues with package-lock.json not in gitignore
- name: "Install {{ appservice_name }} dependencies" - name: "Install {{ service_name }} dependencies"
npm: npm:
path: "{{ appservice_path }}" path: "{{ service_path }}"
production: true production: true
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
@ -26,25 +26,25 @@
- name: Compile matrix-appservice-discord - name: Compile matrix-appservice-discord
command: ./node_modules/.bin/tsc command: ./node_modules/.bin/tsc
args: args:
chdir: "{{ appservice_path }}" chdir: "{{ service_path }}"
register: npm_build_result register: npm_build_result
changed_when: npm_build_result changed_when: npm_build_result
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
- name: "Configure {{ appservice_name }}" - name: "Configure {{ service_name }}"
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: "{{ appservice_path }}/config.yaml" dest: "{{ service_path }}/config.yaml"
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: "Install {{ appservice_name }} systemd unit" - name: "Install {{ service_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-discord.service.j2 src: systemd/appservice.service.j2
dest: "/etc/systemd/system/{{ appservice_name }}.service" dest: "/etc/systemd/system/{{ service_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -54,16 +54,16 @@
- name: Copy appservice registration file - name: Copy appservice registration file
copy: copy:
src: "{{ appservice_path }}/discord-registration.yaml" src: "{{ service_path }}/discord-registration.yaml"
dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
owner: matrix-synapse owner: matrix-synapse
group: nogroup group: nogroup
mode: 0600 mode: 0600
remote_src: yes remote_src: yes
# Run # Run
- name: "Ensure that {{ appservice_name }} is started" - name: "Ensure that {{ service_name }} is started"
service: service:
name: "{{ appservice_name }}" name: "{{ service_name }}"
state: started state: started
enabled: true enabled: true


@ -1,19 +1,19 @@
--- ---
# Having a custom group is useless so use nogroup # Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user" - name: "Create {{ service_user }} user"
user: user:
name: "{{ appservice_user }}" name: "{{ service_user }}"
group: nogroup group: nogroup
home: "{{ appservice_homedir }}" home: "{{ service_homedir }}"
system: true system: true
shell: /bin/false shell: /bin/false
state: present state: present
# Only service user should be able to go there # Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory" - name: "Secure {{ service_user }} home directory"
file: file:
path: "{{ appservice_homedir }}" path: "{{ service_homedir }}"
state: directory state: directory
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0700 mode: 0700


@ -7,12 +7,12 @@ Conflicts=shutdown.target
[Service] [Service]
Type=simple Type=simple
User=matrix-appservice-discord User={{ service_user }}
Group=matrix-appservice-discord WorkingDirectory={{ service_path }}
WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord
Environment="NODE_ENV=production" Environment="NODE_ENV=production"
ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml ExecStart=/usr/bin/nodejs ./build/src/discordas.js -p 9005 -c config.yaml
Restart=always Restart=always
RestartSec=3
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@ -1,15 +1,15 @@
--- ---
# appservice_name is the name of the project on GitHub # service_name is the name of the project on GitHub
appservice_name: matrix-appservice-irc service_name: matrix-appservice-irc
# URL to clone # URL to clone
appservice_repo: https://github.com/matrix-org/matrix-appservice-irc.git service_repo: https://github.com/matrix-org/matrix-appservice-irc.git
# name of the service user # name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug # It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}" service_user: "{{ service_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}" service_homedir: "/var/local/{{ service_name }}"
# appservice_path is where the project is cloned # service_path is where the project is cloned
# It can't be the home directory because of user hidden files. # It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" service_path: "{{ service_homedir }}/{{ service_name }}"


@ -2,38 +2,38 @@
# Create service user # Create service user
- include_tasks: service_user.yml - include_tasks: service_user.yml
- name: "Clone {{ appservice_name }} project" - name: "Clone {{ service_name }} project"
git: git:
repo: "{{ appservice_repo }}" repo: "{{ service_repo }}"
dest: "{{ appservice_path }}" dest: "{{ service_path }}"
version: 0.11.2 version: 0.11.2
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
# Setup dependencies # Setup dependencies
- name: "Install {{ appservice_name }} dependencies" - name: "Install {{ service_name }} dependencies"
npm: npm:
path: "{{ appservice_path }}" path: "{{ service_path }}"
production: true production: true
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
- name: "Configure {{ appservice_name }}" - name: "Configure {{ service_name }}"
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: "{{ appservice_path }}/config.yaml" dest: "{{ service_path }}/config.yaml"
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: "Install {{ appservice_name }} systemd unit" - name: "Install {{ service_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-irc.service.j2 src: systemd/appservice.service.j2
dest: "/etc/systemd/system/{{ appservice_name }}.service" dest: "/etc/systemd/system/{{ service_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -43,16 +43,16 @@
#- name: Copy appservice registration file #- name: Copy appservice registration file
# copy: # copy:
# src: "{{ appservice_path }}/discord-registration.yaml" # src: "{{ service_path }}/discord-registration.yaml"
# dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" # dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
# owner: matrix-synapse # owner: matrix-synapse
# group: nogroup # group: nogroup
# mode: 0600 # mode: 0600
# remote_src: yes # remote_src: yes
# Run # Run
#- name: Ensure that matrix-appservice-irc is started #- name: "Ensure that {{ service_name }} is started"
# service: # service:
# name: matrix-appservice-irc # name: "{{ service_name }}"
# state: started # state: started
# enabled: true # enabled: true
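Review bot: The registration copy and the `Ensure that {{ service_name }} is started` task at the end of this section remain commented out, so this role installs the unit (L312-318) but never enables or starts the service, and no registration file reaches `/etc/matrix-synapse/`, whereas the discord and webhooks roles do both. If this is deliberate while the IRC bridge is not in use, a one-line comment above the block would save the next reader from wondering, e.g. `# Intentionally disabled: <reason - fill in>`.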


@ -1,19 +1,19 @@
--- ---
# Having a custom group is useless so use nogroup # Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user" - name: "Create {{ service_user }} user"
user: user:
name: "{{ appservice_user }}" name: "{{ service_user }}"
group: nogroup group: nogroup
home: "{{ appservice_homedir }}" home: "{{ service_homedir }}"
system: true system: true
shell: /bin/false shell: /bin/false
state: present state: present
# Only service user should be able to go there # Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory" - name: "Secure {{ service_user }} home directory"
file: file:
path: "{{ appservice_homedir }}" path: "{{ service_homedir }}"
state: directory state: directory
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0700 mode: 0700


@ -1,5 +0,0 @@
# {{ ansible_managed }}
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600


@ -0,0 +1,17 @@
# {{ ansible_managed }}
[Unit]
Description=A bridge between Matrix and IRC
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User={{ service_user }}
WorkingDirectory={{ service_path }}
ExecStart=/usr/bin/nodejs ./app.js -c config.yaml -f my_registration_file.yaml -p 9999
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
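Review bot: `ExecStart` on L377 passes `-f my_registration_file.yaml`, a name that reads like an example from upstream documentation rather than a file this role produces; the IRC task file keeps its registration step commented out (L320-327) and nothing else on the page writes a file of that name under `{{ service_path }}`, so the bridge would presumably fail at startup if the unit were ever started. Since the rest of the template is now parameterised, consider templating the registration filename as well (a variable alongside the other `service_*` values in the role defaults), or at least add a comment stating that the file is generated out-of-band. This template is otherwise the deleted one (L385-399) with `User=`/`WorkingDirectory=` templated, `Group=` dropped and `RestartSec=3` added.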


@ -1,17 +0,0 @@
# {{ ansible_managed }}
[Unit]
Description=A bridge between Matrix and IRC
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User=matrix-appservice-irc
Group=matrix-appservice-irc
WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc
ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999
Restart=always
[Install]
WantedBy=multi-user.target


@ -1,15 +1,15 @@
--- ---
# appservice_name is the name of the project on GitHub # service_name is the name of the project on GitHub
appservice_name: matrix-appservice-webhooks service_name: matrix-appservice-webhooks
# URL to clone # URL to clone
appservice_repo: https://github.com/turt2live/matrix-appservice-webhooks.git service_repo: https://github.com/turt2live/matrix-appservice-webhooks.git
# name of the service user # name of the service user
# It means that you will have to `sudo -u THISUSER zsh` to debug # It means that you will have to `sudo -u THISUSER zsh` to debug
appservice_user: "{{ appservice_name }}" service_user: "{{ service_name }}"
appservice_homedir: "/var/local/{{ appservice_name }}" service_homedir: "/var/local/{{ service_name }}"
# appservice_path is where the project is cloned # service_path is where the project is cloned
# It can't be the home directory because of user hidden files. # It can't be the home directory because of user hidden files.
appservice_path: "{{ appservice_homedir }}/{{ appservice_name }}" service_path: "{{ service_homedir }}/{{ service_name }}"


@ -2,38 +2,38 @@
# Create service user # Create service user
- include_tasks: service_user.yml - include_tasks: service_user.yml
- name: "Clone {{ appservice_name }} project" - name: "Clone {{ service_name }} project"
git: git:
repo: "{{ appservice_repo }}" repo: "{{ service_repo }}"
dest: "{{ appservice_path }}" dest: "{{ service_path }}"
version: master version: master
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
# Setup dependencies # Setup dependencies
- name: "Install {{ appservice_name }} dependencies" - name: "Install {{ service_name }} dependencies"
npm: npm:
path: "{{ appservice_path }}" path: "{{ service_path }}"
production: true production: true
become: true become: true
become_user: "{{ appservice_user }}" become_user: "{{ service_user }}"
register: npm_result register: npm_result
retries: 3 retries: 3
until: npm_result is succeeded until: npm_result is succeeded
- name: "Configure {{ appservice_name }}" - name: "Configure {{ service_name }}"
template: template:
src: config.yaml.j2 src: config.yaml.j2
dest: "{{ appservice_path }}/config/config.yaml" dest: "{{ service_path }}/config/config.yaml"
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0600 mode: 0600
# Service file # Service file
- name: "Install {{ appservice_name }} systemd unit" - name: "Install {{ service_name }} systemd unit"
template: template:
src: systemd/matrix-appservice-webhooks.service.j2 src: systemd/appservice.service.j2
dest: "/etc/systemd/system/{{ appservice_name }}.service" dest: "/etc/systemd/system/{{ service_name }}.service"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -43,16 +43,16 @@
- name: Copy appservice registration file - name: Copy appservice registration file
copy: copy:
src: "{{ appservice_path }}/appservice-registration-webhooks.yaml" src: "{{ service_path }}/appservice-registration-webhooks.yaml"
dest: "/etc/matrix-synapse/{{ appservice_name }}-registration.yaml" dest: "/etc/matrix-synapse/{{ service_name }}-registration.yaml"
owner: matrix-synapse owner: matrix-synapse
group: nogroup group: nogroup
mode: 0600 mode: 0600
remote_src: yes remote_src: yes
# Run # Run
- name: "Ensure that {{ appservice_name }} is started" - name: "Ensure that {{ service_name }} is started"
service: service:
name: "{{ appservice_name }}" name: "{{ service_name }}"
state: started state: started
enabled: true enabled: true


@ -1,19 +1,19 @@
--- ---
# Having a custom group is useless so use nogroup # Having a custom group is useless so use nogroup
- name: "Create {{ appservice_user }} user" - name: "Create {{ service_user }} user"
user: user:
name: "{{ appservice_user }}" name: "{{ service_user }}"
group: nogroup group: nogroup
home: "{{ appservice_homedir }}" home: "{{ service_homedir }}"
system: true system: true
shell: /bin/false shell: /bin/false
state: present state: present
# Only service user should be able to go there # Only service user should be able to go there
- name: "Secure {{ appservice_user }} home directory" - name: "Secure {{ service_user }} home directory"
file: file:
path: "{{ appservice_homedir }}" path: "{{ service_homedir }}"
state: directory state: directory
owner: "{{ appservice_user }}" owner: "{{ service_user }}"
group: nogroup group: nogroup
mode: 0700 mode: 0700


@ -1,5 +0,0 @@
# {{ ansible_managed }}
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600


@ -7,11 +7,11 @@ Conflicts=shutdown.target
[Service] [Service]
Type=simple Type=simple
User=matrix-appservice-webhooks User={{ service_user }}
Group=matrix-appservice-webhooks WorkingDirectory={{ service_path }}
WorkingDirectory=/var/local/matrix-appservice-webhooks/matrix-appservice-webhooks
ExecStart=/usr/bin/nodejs index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml ExecStart=/usr/bin/nodejs index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml
Restart=always Restart=always
RestartSec=3
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target