Merge branch 'dev-hedgedoc' into 'main'

Rolle | Hedgedoc See merge request misc/ansible-base!5
2023-12-17 23:20:54 +00:00 · 2023-12-17 23:20:54 +00:00 · f2c004a530
commit f2c004a530
parent 821625388d bf4afbdc7a
19 changed files with 492 additions and 0 deletions
--- a/ansible/roles/authelia-for-hedgedoc/defaults/main.json
+++ b/ansible/roles/authelia-for-hedgedoc/defaults/main.json
@ -0,0 +1,5 @@
+{
+	"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
+	"var_authelia_for_hedgedoc_client_id": "hedgedoc",
+	"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
+}
--- a/ansible/roles/authelia-for-hedgedoc/info.md
+++ b/ansible/roles/authelia-for-hedgedoc/info.md
@ -0,0 +1,10 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients)
+- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/)
+- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login)
--- a/ansible/roles/authelia-for-hedgedoc/tasks/main.json
+++ b/ansible/roles/authelia-for-hedgedoc/tasks/main.json
@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "authelia-client-conf.json.j2",
+			"dest": "/etc/authelia/conf.d/clients/hedgedoc.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]
--- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
+++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
@ -0,0 +1,28 @@
+{
+	"id": "{{var_authelia_for_hedgedoc_client_id}}",
+	"description": "Hedgedoc",
+	"secret": "{{var_authelia_for_hedgedoc_client_secret}}",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"redirect_uris": [
+		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+	],
+	"grant_types": [
+		"refresh_token",
+		"authorization_code"
+	],
+	"response_types": [
+		"code"
+	],
+	"response_modes": [
+		"form_post",
+		"query",
+		"fragment"
+	],
+	"userinfo_signing_algorithm": "none"
+}
--- a/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json
+++ b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json
@ -0,0 +1,4 @@
+{
+	"var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org",
+	"var_hedgedoc_and_lighttpd_tls_enable": true
+}
--- a/ansible/roles/hedgedoc-and-lighttpd/info.md
+++ b/ansible/roles/hedgedoc-and-lighttpd/info.md
@ -0,0 +1,8 @@
+## Beschreibung
+
+- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc)
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/)
--- a/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json
+++ b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json
@ -0,0 +1,34 @@
+[
+	{
+		"name": "activate proxy module",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "lighttpd-enable-mod proxy || exit 0"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf",
+			"dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "restart lighttpd",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "lighttpd"
+		}
+	}
+]
--- a/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2
+++ b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2
@ -0,0 +1,33 @@
+$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" {
+	server.name = "{{var_hedgedoc_and_lighttpd_domain}}"
+	proxy.server = (
+		"" => (
+			"" => (
+				"host" => "127.0.0.1",
+				"port" => 2400
+			)
+		)
+	)
+	proxy.header = (
+		"upgrade" => "enable"
+	)
+	
+{% if var_hedgedoc_and_lighttpd_tls_enable %}
+	## alle Anfragen auf Port 80
+	$SERVER["socket"] == ":80" {
+		## auf HTTPS umleiten
+		url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1")
+	}
+	
+	## alle Anfragen auf Port 443
+	$SERVER["socket"] == ":443" {
+		## mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.use-sslv2 = "disable"
+		ssl.use-sslv3 = "disable"
+	}
+{% endif %}
+}
--- a/ansible/roles/hedgedoc-and-nginx/defaults/main.json
+++ b/ansible/roles/hedgedoc-and-nginx/defaults/main.json
@ -0,0 +1,3 @@
+{
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
+}
--- a/ansible/roles/hedgedoc-and-nginx/info.md
+++ b/ansible/roles/hedgedoc-and-nginx/info.md
@ -0,0 +1,8 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx)
--- a/ansible/roles/hedgedoc-and-nginx/tasks/main.json
+++ b/ansible/roles/hedgedoc-and-nginx/tasks/main.json
@ -0,0 +1,35 @@
+[
+	{
+		"name": "deactivate default site",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "absent",
+			"dest": "/etc/nginx/sites-enabled/default"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "restart nginx",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "nginx"
+		}
+	}
+]
--- a/ansible/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2
@ -0,0 +1,32 @@
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}
+
+server {
+	server_name {{var_hedgedoc_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	
+	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+	
+	location /socket.io/ {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}
--- a/ansible/roles/hedgedoc/defaults/main.json
+++ b/ansible/roles/hedgedoc/defaults/main.json
@ -0,0 +1,24 @@
+{
+	"var_hedgedoc_user_name": "hedgedoc",
+	"var_hedgedoc_directory": "/opt/hedgedoc",
+	"var_hedgedoc_version": "1.9.9",
+	"var_hedgedoc_session_secret": "REPLACE_ME",
+	"var_hedgedoc_database_kind": "sqlite",
+	"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
+	"var_hedgedoc_database_data_postgresql_host": "localhost",
+	"var_hedgedoc_database_data_postgresql_port": 5432,
+	"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
+	"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
+	"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
+	"var_hedgedoc_domain": "hedgedoc.example.org",
+	"var_hedgedoc_oauth2_enable": false,
+	"var_hedgedoc_oauth2_provider_name": "external auth",
+	"var_hedgedoc_oauth2_client_id": "hedgedoc",
+	"var_hedgedoc_oauth2_client_secret": "REPLACE_ME",
+	"var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile",
+	"var_hedgedoc_oauth2_token_url": "https://auth.example.org/token",
+	"var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization",
+	"var_hedgedoc_guest_allow_create": false,
+	"var_hedgedoc_guest_allow_change": false,
+	"var_hedgedoc_free_names_mode": "authed"
+}
--- a/ansible/roles/hedgedoc/info.md
+++ b/ansible/roles/hedgedoc/info.md
@ -0,0 +1,14 @@
+## Beschreibung
+
+Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/)
+
+
+## Verweise
+
+- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/)
+- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/)
+
+
+## Bemerkungen
+
+- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten)
--- a/ansible/roles/hedgedoc/tasks/main.json
+++ b/ansible/roles/hedgedoc/tasks/main.json
@ -0,0 +1,102 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"pkg": [
+				"acl",
+				"git",
+				"nodejs",
+				"npm",
+				"yarnpkg"
+			]
+		}
+	},
+	{
+		"name": "yarn link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/usr/bin/yarnpkg",
+			"dest": "/usr/bin/yarn"
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"ansible.builtin.user": {
+			"name": "{{var_hedgedoc_user_name}}",
+			"create_home": true
+		}
+	},
+	{
+		"name": "download",
+		"become": false,
+		"ansible.builtin.get_url": {
+			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
+			"dest": "/tmp/hedgedoc.tar.gz"
+		}
+	},
+	{
+		"name": "extract",
+		"become": true,
+		"ansible.builtin.unarchive": {
+			"remote_src": true,
+			"src": "/tmp/hedgedoc.tar.gz",
+			"dest": "{{var_hedgedoc_directory | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "setup script",
+		"become": true,
+		"become_user": "hedgedoc",
+		"ansible.builtin.command": {
+			"chdir": "{{var_hedgedoc_directory}}",
+			"cmd": "bin/setup"
+		}
+	},
+	{
+		"name": "var directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_hedgedoc_database_path | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "database",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "touch",
+			"path": "{{var_hedgedoc_database_path}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "config.json.j2",
+			"dest": "{{var_hedgedoc_directory}}/config.json"
+		}
+	},
+	{
+		"name": "systemd unit",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "systemd-unit.j2",
+			"dest": "/etc/systemd/system/hedgedoc.service"
+		}
+	},
+	{
+		"name": "start",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"enabled": true,
+			"state": "started",
+			"name": "hedgedoc"
+		}
+	}
+]
--- a/ansible/roles/hedgedoc/templates/config.json.j2
+++ b/ansible/roles/hedgedoc/templates/config.json.j2
@ -0,0 +1,63 @@
+{
+	"production": {
+		"loglevel": "error",
+{% if var_hedgedoc_database_kind == 'sqlite' %}
+		"db": {
+			"dialect": "sqlite",
+			"storage": "{{var_hedgedoc_database_path}}"
+		},
+{% endif %}
+{% if var_hedgedoc_database_kind == 'postgresql' %}
+		"db": {
+			"dialect": "postgres",
+			"host": "{{var_hedgedoc_database_data_postgresql_host}}",
+			"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
+			"username": "{{var_hedgedoc_database_data_postgresql_username}}",
+			"password": "{{var_hedgedoc_database_data_postgresql_password}}",
+			"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
+		},
+{% endif %}
+		"sessionSecret": "{{var_hedgedoc_session_secret}}",
+		"host": "localhost",
+		"allowOrigin": [
+			"localhost"
+		],
+		"domain": "{{var_hedgedoc_domain}}",
+		"urlAddPort": false,
+		"protocolUseSSL": true,
+{% if var_hedgedoc_oauth2_enable %}
+		"oauth2": {
+			"providerName": "{{var_hedgedoc_oauth2_provider_name}}",
+			"clientID": "{{var_hedgedoc_oauth2_client_id}}",
+			"clientSecret": "{{var_hedgedoc_oauth2_client_secret}}",
+			"scope": "openid email profile",
+			"userProfileUsernameAttr": "sub",
+			"userProfileDisplayNameAttr": "name",
+			"userProfileEmailAttr": "email",
+			"userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}",
+			"tokenURL": "{{var_hedgedoc_oauth2_token_url}}",
+			"authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}"
+		},
+		"email": false,
+		"allowEmailRegister": false,
+{% else %}
+		"email": true,
+		"allowEmailRegister": true,
+{% endif %}
+		"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
+		"allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}},
+{% if var_hedgedoc_free_names_mode == 'never' %}
+		"allowFreeURL": false,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'authed' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": true,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'always' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+		"defaultPermission": "editable"
+	}
+}
--- a/ansible/roles/hedgedoc/templates/systemd-unit.j2
+++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2
@ -0,0 +1,14 @@
+[Unit]
+Description=Hedgedoc
+After=multi-user.target
+
+[Service]
+WorkingDirectory={{var_hedgedoc_directory}}
+User={{var_hedgedoc_user_name}}
+Environment="NODE_ENV=production"
+ExecStart=yarn start
+SyslogIdentifier=hedgedoc
+
+[Install]
+WantedBy=multi-user.target
+
--- a/ansible/roles/postgresql-for-hedgedoc/defaults/main.json
+++ b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json
@ -0,0 +1,5 @@
+{
+	"var_postgresql_for_hedgedoc_username": "hedgedoc_user",
+	"var_postgresql_for_hedgedoc_password": "REPLACE_ME",
+	"var_postgresql_for_hedgedoc_schema": "hedgedoc"
+}
--- a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json
+++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json
@ -0,0 +1,45 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"pkg": [
+				"acl",
+				"python3-psycopg2"
+			]
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_user": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_username}}",
+			"password": "{{var_postgresql_for_hedgedoc_password}}"
+		}
+	},
+	{
+		"name": "schema",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_db": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_schema}}",
+			"owner": "{{var_postgresql_for_hedgedoc_username}}"
+		}
+	},
+	{
+		"name": "rights",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_privs": {
+			"state": "present",
+			"db": "{{var_postgresql_for_hedgedoc_schema}}",
+			"objs": "ALL_IN_SCHEMA",
+			"roles": "{{var_postgresql_for_hedgedoc_username}}",
+			"privs": "ALL",
+			"grant_option": true
+		}
+	}
+]