Move CodiMD to Docker

2019-07-22 19:14:43 +02:00 · 2019-07-22 19:14:43 +02:00 · a45ca1a890
commit a45ca1a890
parent 9a35650166
14 changed files with 42 additions and 250 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -10,8 +10,6 @@ ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
 ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
 ldap_codimd_bind_dn: "cn=codimd,ou=service-users,{{ ldap_base }}"
 ldap_codimd_password: "{{ vault_ldap_codimd_password }}"
 ldap_matrix_bind_dn: "cn=matrix,ou=service-users,{{ ldap_base }}"
 ldap_matrix_password: "{{ vault_ldap_matrix_password }}"
 ldap_replica_password: "{{ vault_ldap_replica_password }}"
--- a/2
+++ b/2
@ -9,9 +9,7 @@
 horus.adm.auro.re
 [ovh-container]
 riot.adm.auro.re
 synapse.adm.auro.re
 codimd.adm.auro.re
 services-bdd.adm.auro.re
 phabricator.adm.auro.re
 wiki.adm.auro.re
--- a/nginx-reverse-proxy.yml
+++ b/nginx-reverse-proxy.yml
@ -1,34 +0,0 @@
 ---
 # Install NGINX with reverse proxy conf
 - hosts: proxy.adm.auro.re
  vars:
    reversed_proxy_subdomains:
      - name: re2o
        from: re2o.auro.re
        to: re2o-server.adm.auro.re
      - name: intranet
        from: intranet.auro.re
        to: re2o-server.adm.auro.re
      - name: pad
        from: pad.auro.re
        to: pad.adm.auro.re:9001
      - name: phabricator
        from: phabricator.auro.re
        to: phabricator.adm.auro.re
      - name: wiki
        from: wiki.auro.re
        to: wiki.adm.auro.re
      - name: www
        from: www.auro.re
        to: www.adm.auro.re
      - name: re2o-test
        from: re2o-test.auro.re
        to: re2o-test.adm.auro.re
      - name: riot
        from: riot.auro.re
        to: riot.adm.auro.re
      - name: codimd
        from: codimd.auro.re
        to: codimd.adm.auro.re:8080
  roles:
    - nginx-reverse-proxy
--- a/passbolt.yml
+++ b/passbolt.yml
@ -1,5 +0,0 @@
 ---
 # Deploy Passbolt
 - hosts: passbolt.adm.auro.re
  roles:
    - passbolt
--- a/roles/codimd/defaults/main.yml
+++ b/roles/codimd/defaults/main.yml
@ -1,15 +0,0 @@
 ---
 # service_name is the name of the project on GitHub
 service_name: codimd
 # URL to clone
 service_repo: https://github.com/hackmdio/codimd.git
 # name of the service user
 # It means that you will have to `sudo -u THISUSER zsh` to debug
 service_user: "{{ service_name }}"
 service_homedir: "/var/local/{{ service_name }}"
 # service_path is where the project is cloned
 # It can't be the home directory because of user hidden files.
 service_path: "{{ service_homedir }}/{{ service_name }}"
--- a/roles/codimd/handlers/main.yml
+++ b/roles/codimd/handlers/main.yml
@ -1,9 +0,0 @@
 ---
 # Build front-end bundle
 # This can take very long and requires > 2GB of RAM
 - name: Build front-end for CodiMD
  command: yarn run build
  args:
    chdir: /var/local/codimd/codimd
  become: true
  become_user: codimd
--- a/roles/codimd/tasks/0_apt_dependencies.yml
+++ b/roles/codimd/tasks/0_apt_dependencies.yml
@ -1,34 +0,0 @@
 ---
 # For HTTPS apt
 - name: Install HTTPS apt
  apt:
    update_cache: true
    name: apt-transport-https
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Configure the apt key
  apt_key:
    url: https://dl.yarnpkg.com/debian/pubkey.gpg
    id: 1646B01B86E50310
    state: present
  register: apt_key_result
  retries: 3
  until: apt_key_result is succeeded
 - name: Configure Yarn repository
  apt_repository:
    repo: deb https://dl.yarnpkg.com/debian/ stable main
    state: present
 # Install CodiMD dependencies
 - name: Install required packages
  apt:
    update_cache: true
    name: yarn
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
--- a/roles/codimd/tasks/main.yml
+++ b/roles/codimd/tasks/main.yml
@ -1,60 +0,0 @@
 ---
 # Install APT dependencies
 - include_tasks: 0_apt_dependencies.yml
 # Create service user
 - include_tasks: service_user.yml
 - name: "Clone {{ service_name }} project"
  git:
    repo: "{{ service_repo }}"
    dest: "{{ service_path }}"
    version: 1.3.0
  become: true
  become_user: "{{ service_user }}"
  notify: Build front-end for CodiMD
 # Setup dependencies
 - name: "Install {{ service_name }} dependencies"
  yarn:
    path: "{{ service_path }}"
    production: true
  become: true
  become_user: "{{ service_user }}"
  register: yarn_result
  retries: 3
  until: yarn_result is succeeded
 # Connection to database
 - name: Connect CodiMD to PostgreSQL db
  template:
    src: sequelizerc.j2
    dest: "{{ service_path }}/.sequelizerc"
    owner: "{{ service_user }}"
    group: nogroup
    mode: 0600
 - name: "Configure {{ service_name }}"
  template:
    src: config.json.j2
    dest: "{{ service_path }}/config.json"
    owner: "{{ service_user }}"
    group: nogroup
    mode: 0600
 # Service file
 - name: "Install {{ service_name }} systemd unit"
  template:
    src: systemd/codimd.service.j2
    dest: "/etc/systemd/system/{{ service_name }}.service"
    owner: root
    group: root
    mode: 0644
 # Run
 - name: "Ensure that {{ service_name }} is started"
  systemd:
    name: "{{ service_name }}"
    state: started
    enabled: true
    daemon_reload: true
--- a/roles/codimd/tasks/service_user.yml
+++ b/roles/codimd/tasks/service_user.yml
@ -1,19 +0,0 @@
 ---
 # Having a custom group is useless so use nogroup
 - name: "Create {{ service_user }} user"
  user:
    name: "{{ service_user }}"
    group: nogroup
    home: "{{ service_homedir }}"
    system: true
    shell: /bin/false
    state: present
 # Only service user should be able to go there
 - name: "Secure {{ service_user }} home directory"
  file:
    path: "{{ service_homedir }}"
    state: directory
    owner: "{{ service_user }}"
    group: nogroup
    mode: 0700
--- a/roles/codimd/templates/apt/nodejs.j2
+++ b/roles/codimd/templates/apt/nodejs.j2
@ -1,5 +0,0 @@
 # {{ ansible_managed }}
 Package: node* libuv1*
 Pin: release a=stretch-backports
 Pin-Priority: 600
--- a/roles/codimd/templates/config.json.j2
+++ b/roles/codimd/templates/config.json.j2
@ -1,39 +0,0 @@
 {
    "production": {
        "domain": "codimd.auro.re",
        "debug": false,
        "port": 8080,
        "useSSL": false,
        "protocolUseSSL": true,
        "useCDN": false,
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true
        },
        "db": {
            "username": "codimd",
            "password": "{{ postgresql_codimd_passwd }}",
            "database": "codimd",
            "host": "{{ postgresql_services_url }}",
            "port": "5432",
            "dialect": "postgres"
        },
        "email": false,
        "ldap": {
            "url": "{{ ldap_master_uri }}",
            "bindDn": "{{ ldap_codimd_bind_dn }}",
            "bindCredentials": "{{ ldap_codimd_password }}",
            "searchBase": "cn=Utilisateurs,dc=auro,dc=re",
            "searchFilter": "(uid={% raw %}{{username}}{% endraw %})",
            "searchAttributes": ["uid", "givenName", "mail"],
            "usernameField": "uid",
            "useridField": "uid",
            "providerName": "Compte Aurore"
        },
        "allowFreeURL": true
    }
 }
--- a/roles/codimd/templates/sequelizerc.j2
+++ b/roles/codimd/templates/sequelizerc.j2
@ -1,8 +0,0 @@
 var path = require('path');
 module.exports = {
    'config':          path.resolve('config.json'),
    'migrations-path': path.resolve('lib', 'migrations'),
    'models-path':     path.resolve('lib', 'models'),
    'url':             'postgres://codimd:{{ postgresql_codimd_passwd }}@{{ postgresql_services_url }}:5432/codimd'
 }
--- a/roles/codimd/templates/systemd/codimd.service.j2
+++ b/roles/codimd/templates/systemd/codimd.service.j2
@ -1,18 +0,0 @@
 # {{ ansible_managed }}
 [Unit]
 Description=CodiMD
 After=syslog.target network-online.target mysql.service postgresql.service
 Conflicts=shutdown.target
 [Service]
 Type=simple
 User={{ service_user }}
 WorkingDirectory={{ service_path }}
 Environment="NODE_ENV=production"
 ExecStart=/usr/bin/nodejs ./app.js
 Restart=always
 RestartSec=3
 [Install]
 WantedBy=multi-user.target
--- a/services_web.yml
+++ b/services_web.yml
@ -3,3 +3,45 @@
 - hosts: docker-ovh.adm.auro.re
  roles:
    - docker
 # Deploy Passbolt
 - hosts: passbolt.adm.auro.re
  roles:
    - passbolt
 # Install NGINX with reverse proxy conf
 - hosts: proxy.adm.auro.re
  vars:
    reversed_proxy_subdomains:
      - name: re2o
        from: re2o.auro.re
        to: re2o-server.adm.auro.re
      - name: intranet
        from: intranet.auro.re
        to: re2o-server.adm.auro.re
      - name: pad
        from: pad.auro.re
        to: pad.adm.auro.re:9001
      - name: phabricator
        from: phabricator.auro.re
        to: phabricator.adm.auro.re
      - name: wiki
        from: wiki.auro.re
        to: wiki.adm.auro.re
      - name: www
        from: www.auro.re
        to: www.adm.auro.re
      - name: re2o-test
        from: re2o-test.auro.re
        to: re2o-test.adm.auro.re
      - name: riot
        from: riot.auro.re
        to: docker-ovh.adm.auro.re:8080
      - name: codimd
        from: codimd.auro.re
        to: docker-ovh.adm.auro.re:8081
      - name: grafana
        from: grafana.auro.re
        to: docker-ovh.adm.auro.re:8082
  roles:
    - nginx-reverse-proxy