diff --git a/data/hostname/bardo.internal.admin.swh.network.yaml b/data/hostname/bardo.internal.admin.swh.network.yaml
--- a/data/hostname/bardo.internal.admin.swh.network.yaml
+++ b/data/hostname/bardo.internal.admin.swh.network.yaml
@@ -1,14 +1,3 @@
-groups:
- hedgedoc:
- gid: 6000
-
-users:
- hedgedoc:
- uid: 6000
- shell: /bin/bash
- groups:
- - hedgedoc
-
 hedgedoc::db::host: localhost
 hedgedoc::db::database: hedgedoc
 hedgedoc::db::username: hedgedoc
@@ -36,13 +25,10 @@
 name: "%{alias('hedgedoc::db::database')}"
 user: "%{alias('hedgedoc::db::username')}"
-hedgedoc::release::version: 1.7.1
-hedgedoc::release::digest: 17e7092430b36c96059309fdd03f9244f6a13611e28ced153d9dbf97e109d5ba
+hedgedoc::release::version: 1.7.2
+hedgedoc::release::digest: 8bb66ba9c839a4d81f72267b91a201f97a48f16aa95434586d6dd6be40502d6d
 hedgedoc::release::digest_type: sha256
-hedgedoc::user: hedgedoc
-hedgedoc::group: hedgedoc
-
 hedgedoc::allow_anonymous: true
 hedgedoc::allow_anonymous_edits: true
@@ -50,6 +36,7 @@
 hedgedoc::allow_email: true
 hedgedoc::allow_email_register: false
 hedgedoc::enable_keycloak: true
+hedgedoc::keycloak::provider_name: Software Heritage
 hedgedoc::keycloak::domain: auth.softwareheritage.org
 hedgedoc::keycloak::realm: SoftwareHeritage
 hedgedoc::keycloak::client::id: hedgedoc
diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp
--- a/site-modules/profile/manifests/hedgedoc.pp
+++ b/site-modules/profile/manifests/hedgedoc.pp
@@ -1,19 +1,64 @@
 # deploy a hedgedoc instance
 class profile::hedgedoc {
+ include profile::hedgedoc::apt_config
+ include profile::hedgedoc::user
- $packages = [
- 'npm', 'yarn', 'node-gyp'
- ]
+ $user = $::profile::hedgedoc::user::user
+ $group = $::profile::hedgedoc::user::group
- $keyid = lookup('yarn::apt_config::keyid')
- $key = lookup('yarn::apt_config::key')
+ # ---- install
+ $version = lookup('hedgedoc::release::version')
+ $archive_url = "https://github.com/hedgedoc/hedgedoc/releases/download/${version}/hedgedoc-${version}.tar.gz"
+ $archive_digest = lookup('hedgedoc::release::digest')
+ $archive_digest_type = lookup('hedgedoc::release::digest_type')
- # ---- configuration
- $user = lookup('hedgedoc::user')
- $group = lookup('hedgedoc::group')
+ $install_basepath = "/opt/hedgedoc"
+ $install_dir = "${install_basepath}/${version}"
+ $install_db_dump = "${install_basepath}/db-backup_pre-${version}.sql.gz"
+ $install_flag = "${install_dir}/setup_done"
- $base_url = lookup('swh::deploy::hedgedoc::base_url')
+ $uploads_dir = "${install_basepath}/uploads"
+
+ $yarn_cachedir = "/var/cache/hedgedoc-yarn"
+
+ $archive_path = "${install_basepath}/${version}.tar.gz"
+ $current_symlink = "${install_basepath}/current"
+
+ $service_name = "hedgedoc"
+ $unit_name = "${service_name}.service"
+
+ file { [$install_basepath, $install_dir, $uploads_dir]:
+ ensure => 'directory',
+ owner => $user,
+ group => $group,
+ mode => '0644',
+ }
+
+ file { $yarn_cachedir:
+ ensure => 'directory',
+ owner => $user,
+ group => $group,
+ mode => '0600',
+ }
+
+ archive { 'hedgedoc':
+ path => $archive_path,
+ extract => true,
+ extract_command => 'tar xzf %s --strip-components=1 --no-same-owner --no-same-permissions',
+ source => $archive_url,
+ extract_path => $install_dir,
+ checksum => $archive_digest,
+ checksum_type => $archive_digest_type,
+ creates => "${install_dir}/bin/setup",
+ cleanup => true,
+ user => $user,
+ group => $group,
+ require => File[$install_dir],
+ notify => Exec['hedgedoc-setup'],
+ }
+
+ # ---- configuration
 $db_host = lookup('hedgedoc::db::host')
 $db_name = lookup('hedgedoc::db::database')
 $db_user = lookup('hedgedoc::db::username')
@@ -21,6 +66,22 @@
 $db_port = lookup('swh::postgresql::port')
 $db_url = "postgres://${db_user}:${db_password}@${db_host}:${db_port}/${db_name}"
+ $sequelizerc_path = "${install_dir}/.sequelizerc"
+
+ file {$sequelizerc_path:
+ ensure => present,
+ owner => $user,
+ group => $group,
+ mode => '0644',
+ content => template("profile/hedgedoc/sequelizerc.erb"),
+ notify => Service[$service_name],
+ }
+
+ $base_url = lookup('swh::deploy::hedgedoc::base_url')
+
+ $runtime_environment = lookup('hedgedoc::runtime_environment')
+ $log_level = lookup('hedgedoc::log_level')
+
 $session_secret = lookup('hedgedoc::session_secret')
 $allow_anonymous = lookup('hedgedoc::allow_anonymous')
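Review bot: `file { [$install_basepath, $install_dir, $uploads_dir]: … owner => $user … mode => '0644' }` gives the account that later runs `yarn start` (the unit's `User=` is this same `$user`) write access to its own code tree and to the parent of `$current_symlink`, so a compromised service process could alter `bin/` or repoint `current`; only `$uploads_dir`, plus `$install_dir` for as long as `bin/setup` runs as `$user`, actually need to be writable by it. Keeping the base path root-owned in its own resource, `file { $install_basepath: ensure => 'directory', owner => 'root', group => $group, mode => '0755' }`, would narrow that (puppet-archive downloads as the agent and only runs the extract command as `user`, so `$archive_path` should be unaffected, but worth checking). Also, `'0644'` and `'0600'` on a directory are applied by Puppet as `0755`/`0700`, since it adds the search bit wherever the read bit is set; that is what is wanted here, but writing the intended mode explicitly is clearer. The class body continues past the end of the hunk.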
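Review bot: `file {$sequelizerc_path: … mode => '0644' …}` makes `.sequelizerc` world-readable while `config.json` further down is `0600` and marked `# Contains credentials`; `$db_url`, defined two lines above the addition, embeds `${db_password}`, and if `sequelizerc.erb` writes that URL (the template is not in the diff) the database password is readable by every local account. If it does, use `mode => '0600',` here — the file is owned by `$user`, so the service keeps its access. The enclosing class continues outside the hunk.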
@@ -30,75 +91,13 @@
 $enable_keycloak = lookup('hedgedoc::enable_keycloak', Boolean, 'first', false)
 $keycloak_domain = lookup('hedgedoc::keycloak::domain')
+ $keycloak_provider_name = lookup('hedgedoc::keycloak::provider_name')
 $keycloak_realm = lookup('hedgedoc::keycloak::realm')
 $keycloak_client_id = lookup('hedgedoc::keycloak::client::id')
 $keycloak_client_secret = lookup('hedgedoc::keycloak::client::secret')
- $runtime_environment = lookup('hedgedoc::runtime_environment')
- $log_level = lookup('hedgedoc::log_level')
-
- # ---- install
- $version = lookup('hedgedoc::release::version')
- $archive_url = "https://github.com/hedgedoc/hedgedoc/releases/download/${version}/hedgedoc-${version}.tar.gz"
- $archive_digest = lookup('hedgedoc::release::digest')
- $archive_digest_type = lookup('hedgedoc::release::digest_type')
- $archive_path = "/tmp/hedgedoc-${version}.tar.gz"
- $root_install_path = "/opt"
- $install_path = "${root_install_path}/hedgedoc"
- $upgrade_flag_path = "${install_path}/hedgedoc-${version}-upgrade"
-
- $sequelizerc_path = "${install_path}/.sequelizerc"
- $config_json_path = "${install_path}/config.json"
-
- $service_name = "hedgedoc"
- $unit_name = "${service_name}.service"
-
- apt::source { 'yarn':
- location => "https://dl.yarnpkg.com/debian/",
- release => 'stable',
- repos => 'main',
- key => {
- id => $keyid,
- content => $key,
- },
- } ->
- package { $packages:
- ensure => present,
- notify => Archive['hedgedoc'],
- }
-
- file { $install_path:
- ensure => 'directory',
- owner => $user,
- group => $group,
- mode => '0644',
- require => [User[$user], Group[$group]],
- }
+ $config_json_path = "${install_dir}/config.json"
- archive { 'hedgedoc':
- path => $archive_path,
- extract => true,
- source => $archive_url,
- extract_path => $root_install_path,
- creates => $install_path,
- checksum => $archive_digest,
- checksum_type => $archive_digest_type,
- cleanup => true,
- user => 'root',
- group => 'root',
- notify => File[$install_path],
- } ~>
- exec {'active-initialize':
- command => "touch ${upgrade_flag_path}",
- path => '/usr/bin',
- refreshonly => true,
- } ~>
- exec {'hedgedoc-flag-upgrade':
- command => "$install_path/bin/setup",
- cwd => $install_path,
- require => Postgresql::Server::Db[$db_name],
- refreshonly => true,
- } ~>
 file {$config_json_path:
 ensure => present,
 owner => $user,
@@ -106,43 +105,57 @@
 # Contains credentials
 mode => '0600',
 content => template("profile/hedgedoc/config.json.erb"),
- } ~>
- file {$sequelizerc_path:
- ensure => present,
- owner => $user,
- group => $group,
- mode => '0644',
- content => template("profile/hedgedoc/sequelizerc.erb"),
- } ~>
- exec {'yarn-build':
- command => "yarn run build",
- cwd => $install_path,
- path => '/usr/bin',
- onlyif => "test -f ${upgrade_flag_path}",
- refreshonly => true,
- } ~>
- exec {'hegdedoc-flag-upgrade-done':
- command => "rm ${upgrade_flag_path}",
- cwd => $install_path,
- path => '/usr/bin',
- onlyif => "test -f ${upgrade_flag_path}",
- refreshonly => true,
+ notify => Service[$service_name],
+ }
+
+ exec {'hedgedoc-dump-db':
+ command => "pg_dump ${db_name} | gzip -9 > ${install_db_dump}",
+ path => ["/bin", "/usr/bin"],
+ environment => [
+ "PGHOST=${db_host}",
+ "PGUSER=${db_user}",
+ "PGPORT=${db_port}",
+ "PGPASSWORD=${db_password}",
+ ],
+ creates => $install_db_dump,
+ user => $user,
+ umask => '0066',
+ require => [
+ Postgresql::Server::Db[$db_name],
+ ],
+ }
+
+ -> exec {'hedgedoc-setup':
+ command => "${install_dir}/bin/setup && touch ${install_flag}",
+ cwd => $install_dir,
+ require => [
+ Postgresql::Server::Db[$db_name],
+ File[$config_json_path],
+ File[$sequelizerc_path],
+ ],
+ environment => [
+ "YARN_CACHE_FOLDER=${yarn_cachedir}",
+ ],
+ creates => $install_flag,
+ user => $user,
+ }
+
+ -> file {$current_symlink:
+ ensure => 'link',
+ target => $install_dir,
 notify => Service[$service_name],
 }
- systemd::unit_file {$unit_name:
+ -> systemd::unit_file {$unit_name:
 ensure => present,
 content => template('profile/hedgedoc/hedgedoc.service.erb'),
 }
- service {$service_name:
+ -> service {$service_name:
 ensure => 'running',
 enable => true,
 require => [
- Systemd::Unit_file[$unit_name],
- Package[$packages],
- Archive['hedgedoc'],
+ Class['profile::hedgedoc::apt_config'],
 ],
 }
- }
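Review bot: In `exec {'hedgedoc-dump-db':` the pipeline `pg_dump ${db_name} | gzip -9 > ${install_db_dump}` exits with gzip's status, not pg_dump's, so a pg_dump failure (bad credentials, database down) still leaves a small valid `.gz` file and exit 0; `creates => $install_db_dump` then counts the backup as taken and the chained `-> exec {'hedgedoc-setup':` goes on to migrate the schema without a usable pre-upgrade dump. Letting pg_dump write and compress the file itself, `command => "pg_dump -Z 9 -f ${install_db_dump} ${db_name}",`, makes the exec fail on error, though a partial output file may still satisfy `creates` on the next run, so writing to a temporary name and renaming only on success is the robust form. The dump holds every note in the instance and nothing removes `db-backup_pre-*` files from `$install_basepath`, so their retention deserves an explicit decision. The class closes at the end of this hunk.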
diff --git a/site-modules/profile/manifests/hedgedoc/apt_config.pp b/site-modules/profile/manifests/hedgedoc/apt_config.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/hedgedoc/apt_config.pp
@@ -0,0 +1,23 @@
+# APT configuration for hedgedoc
+class profile::hedgedoc::apt_config {
+ $packages = [
+ 'npm', 'yarn', 'node-gyp'
+ ]
+
+ $keyid = lookup('yarn::apt_config::keyid')
+ $key = lookup('yarn::apt_config::key')
+
+ apt::source { 'yarn':
+ location => "https://dl.yarnpkg.com/debian/",
+ release => 'stable',
+ repos => 'main',
+ key => {
+ id => $keyid,
+ content => $key,
+ },
+ } ->
+ package { $packages:
+ ensure => present,
+ notify => Archive['hedgedoc'],
+ }
+}
diff --git a/site-modules/profile/manifests/hedgedoc/user.pp b/site-modules/profile/manifests/hedgedoc/user.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/hedgedoc/user.pp
@@ -0,0 +1,24 @@
+# Create the system user for hedgedoc
+class profile::hedgedoc::user {
+ $user = 'hedgedoc'
+ $group = 'hedgedoc'
+
+ group {$group:
+ system => true,
+ }
+
+ user {$user:
+ system => true,
+ gid => $group,
+ shell => '/usr/sbin/nologin',
+ home => '/nonexistent',
+ }
+
+ # Cleanup for old versions of this manifest
+ file {'/home/hedgedoc':
+ ensure => absent,
+ purge => true,
+ recurse => true,
+ force => true,
+ }
+}
diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb
--- a/site-modules/profile/templates/hedgedoc/config.json.erb
+++ b/site-modules/profile/templates/hedgedoc/config.json.erb
@@ -12,6 +12,7 @@
 "allowEmailRegister": <%= @allow_email_register %>,
 <% if @enable_keycloak -%>
 "oauth2": {
+ "providerName": "<%= @keycloak_provider_name %>",
 "baseURL": "https://<%= @keycloak_domain %>/",
 "userProfileURL": "https://<%= @keycloak_domain %>/auth/realms/<%= @keycloak_realm %>/protocol/openid-connect/userinfo",
 "userProfileUsernameAttr": "preferred_username",
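Review bot: `notify => Archive['hedgedoc']` in `package { $packages: }` references a resource declared in `profile::hedgedoc`, so `profile::hedgedoc::apt_config` no longer compiles when included on its own (dangling relationship target), and the dependency points the wrong way — the consumer already states it with `require => Class['profile::hedgedoc::apt_config']` on the service. Dropping the `notify` here and putting `require => Class['profile::hedgedoc::apt_config'],` on the `archive` or on the `hedgedoc-setup` exec in `profile::hedgedoc` (the step that actually needs yarn and node-gyp) keeps the ordering and makes this class self-contained.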
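Review bot: `user {$user: system => true, …}` pins no `uid` (nor the group a `gid`), whereas the hiera data removed in this commit fixed both at 6000; the existing host keeps 6000 because Puppet does not manage a property it is not given, but a fresh host gets whatever `useradd -r` allocates, so ownership of anything copied between hosts under `/opt/hedgedoc` (uploads, the db dumps) will not line up. If a stable id is wanted, add `uid => 6000,` to the user and `gid => 6000,` to the group. The `file {'/home/hedgedoc': ensure => absent, … force => true}` cleanup is a recursive delete of what is presumably the account's former home; since `home => '/nonexistent'` means nothing should land there again, a note in the comment on when this resource can be dropped would help.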
@@ -23,6 +24,7 @@
 "clientSecret": "<%= @keycloak_client_secret %>"
 },
 <% end -%>
+ "uploadsPath": "<%= @uploads_dir %>",
 "hsts": {
 "enable": true,
 "maxAgeSeconds": 31536000,
diff --git a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
--- a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
+++ b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
@@ -8,10 +8,9 @@
 Type=simple
 User=<%= @user %>
 Group=<%= @group %>
-Environment=CMD_ALLOW_ANONYMOUS=<%= @allow_anonymous %>
-Environment=CMD_ALLOW_ANONYMOUS_EDITS=<%= @allow_anonymous_edits %>
 Environment=NODE_ENV=<%= @runtime_environment %>
-WorkingDirectory=<%= @install_path %>
+Environment=YARN_CACHE_FOLDER=<%= @yarn_cachedir %>
+WorkingDirectory=<%= @current_symlink %>
 ExecStart=/usr/bin/yarn start