diff --git a/data/hostname/bardo.softwareheritage.org.yaml b/data/hostname/bardo.softwareheritage.org.yaml index 93b6425b..a3e8ed6c 100644 --- a/data/hostname/bardo.softwareheritage.org.yaml +++ b/data/hostname/bardo.softwareheritage.org.yaml @@ -1,34 +1,51 @@ groups: hedgedoc: gid: 6000 users: hedgedoc: uid: 6000 shell: /bin/bash groups: - hedgedoc +hedgedoc::db::database: hedgedoc +hedgedoc::db::username: hedgedoc +# hedgedoc::db::password: in private-data + swh::postgresql::version: '12' swh::postgresql::port: 5433 swh::postgresql::cluster_name: "%{lookup('swh::postgresql::version')}/main" swh::postgresql::datadir_base: "%{lookup('swh::base_directory')}/postgres" swh::postgresql::datadir: "%{lookup('swh::postgresql::datadir_base')}/%{lookup('swh::postgresql::cluster_name')}" swh::postgresql::listen_addresses: - 0.0.0.0 swh::postgresql::network_accesses: - 192.168.100.0/24 # Monitoring - 192.168.130.0/24 # Staging services postgresql::globals::version: "%{alias('swh::postgresql::version')}" postgresql::server::config_entries: shared_buffers: "%{alias('swh::postgresql::shared_buffers')}" cluster_name: "%{alias('swh::postgresql::cluster_name')}" swh::dbs: hedgedoc: - name: hedgedoc - user: hedgedoc + name: "%{alias('hedgedoc::db::db_name')}" + user: "%{alias('hedgedoc::db::username')}" + +hedgedoc::host: bardo.softwareheritage.org +hedgedoc::port: 3000 +hedgedoc::user: hedgedoc +hedgedoc::group: hedgedoc + +hedgedoc::db::db_name: hedgedoc +hedgedoc::db::username: hedgedoc + +hedgedoc::allow_anonymous: true +hedgedoc::allow_anonymous_edits: true +hedgedoc::runtime_environment: production +hedgedoc::log_level: debug hedgedoc::vhost::letsencrypt_cert: hedgedoc diff --git a/manifests/site.pp b/manifests/site.pp index 0466a91b..6e28414f 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
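Review bot: `hedgedoc::db::username: hedgedoc` is now defined twice in the same document (once next to `hedgedoc::db::database`, once next to `hedgedoc::db::db_name`), and `hedgedoc::db::database` is never read — the manifest looks up `hedgedoc::db::db_name`. Most YAML loaders accept duplicate keys silently (last one wins), so this is harmless today but will bite as soon as the two copies diverge; drop the first pair and keep the block next to the other `hedgedoc::*` keys. The comment `# hedgedoc::db::password: in private-data` names a key the manifest does not use — it looks up `swh::deploy::hedgedoc::db::password` — so reword it to `# swh::deploy::hedgedoc::db::password: in private-data` so a reader finds the right key. Separately, `hedgedoc::log_level: debug` next to `hedgedoc::runtime_environment: production` deserves a second look: debug logging from a web application tends to include request details, so if it is the intended steady state a short comment saying so would help.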
@@ -1,202 +1,202 @@
node 'louvre.internal.softwareheritage.org' {
include role::swh_server
}
node /^(orsay|beaubourg|hypervisor\d+|branly|pompidou|uffizi)\.(internal\.)?softwareheritage\.org$/ {
include role::swh_hypervisor
}
node 'pergamon.softwareheritage.org' {
include role::swh_sysadmin
include profile::export_archive_counters
}
node 'tate.softwareheritage.org' {
include role::swh_forge
}
node 'moma.softwareheritage.org' {
include role::swh_rp_webapps
}
node 'webapp0.softwareheritage.org' {
include role::swh_rp_webapp
}
node 'saatchi.internal.softwareheritage.org' {
include role::swh_scheduler
}
node /^(belvedere|somerset).(internal.)?softwareheritage.org$/ {
include role::swh_database
include profile::pgbouncer
}
node 'banco.softwareheritage.org' {
include role::swh_backup
include role::postgresql_backup
}
node /^esnode\d+.(internal.)?softwareheritage.org$/ {
include role::swh_elasticsearch
}
node /^kafka\d+\./ {
include role::swh_kafka_broker
}
node /^cassandra\d+\./ {
include role::swh_cassandra_node
}
node 'granet.internal.softwareheritage.org' {
include role::swh_graph_backend
}
node /^(unibo-prod|vangogh).(euwest.azure.)?(internal.)?softwareheritage.org$/ {
include role::swh_vault
}
node /^saam\.(internal\.)?softwareheritage\.org$/ {
include role::swh_storage_baremetal
}
node 'storage01.euwest.azure.internal.softwareheritage.org' {
include role::swh_storage_cloud
}
node 'storage02.euwest.azure.internal.softwareheritage.org' {
include role::swh_storage_cassandra
}
node /^getty.(internal.)?softwareheritage.org$/ {
include role::swh_journal_orchestrator
}
node /^worker\d+\.(internal\.)?softwareheritage\.org$/ {
include role::swh_worker_inria
}
node /^worker\d+\..*\.azure\.internal\.softwareheritage\.org$/ {
include role::swh_worker_azure
}
node /^dbreplica(0|1)\.euwest\.azure\.internal\.softwareheritage\.org$/ {
include role::swh_database
}
node /^ceph-osd\d+\.internal\.softwareheritage\.org$/ {
include role::swh_ceph_osd
}
node /^ceph-mon\d+\.internal\.softwareheritage\.org$/ {
include role::swh_ceph_mon
}
node /^ns\d+\.(.*\.azure\.)?internal\.softwareheritage\.org/ {
include role::swh_nameserver_secondary
}
node 'thyssen.internal.softwareheritage.org' {
include role::swh_ci_server
}
node 'riverside.internal.softwareheritage.org' {
include role::swh_sentry
}
node /^jenkins-debian\d+\.internal\.softwareheritage\.org$/ {
include role::swh_ci_agent_debian
}
node 'logstash0.internal.softwareheritage.org' {
include role::swh_logstash_instance
}
node 'kibana0.internal.softwareheritage.org' {
include role::swh_kibana_instance
}
node 'kelvingrove.internal.softwareheritage.org' {
include role::swh_idp_primary
}
node 'giverny.softwareheritage.org' {
include role::swh_desktop
}
node /^db\d\.internal\.staging\.swh\.network$/ {
include role::swh_database
include profile::postgresql::server
include profile::pgbouncer
include profile::postgresql::client
}
-node bardo.softwareheritage.org {
+node "bardo.softwareheritage.org" {
include role::swh_hedgedoc
}
node 'scheduler0.internal.staging.swh.network' {
include role::swh_scheduler
include profile::postgresql::client
}
node 'gateway.internal.staging.swh.network' {
include role::swh_gateway
}
node /^storage\d\.internal\.staging\.swh\.network$/ {
include role::swh_base_storage
include profile::postgresql::client
include profile::swh::deploy::journal::backfill
}
node /^worker\d\.internal\.staging\.swh\.network$/ {
include role::swh_worker_inria
}
node /^search-esnode\d\.internal\.staging\.swh\.network$/ {
include role::swh_elasticsearch
}
node /^search\d\.internal\.staging\.swh\.network$/ {
include role::swh_search_with_journal_client
}
node 'webapp.internal.staging.swh.network' {
include role::swh_webapp
}
node 'deposit.internal.staging.swh.network' {
include role::swh_deposit
}
node 'vault.internal.staging.swh.network' {
include role::swh_vault
}
node /^rp\d\.internal\.staging\.swh\.network$/ {
include role::swh_reverse_proxy
}
node 'journal0.internal.staging.swh.network' {
include role::swh_journal_allinone
}
# Read-only storage for mirrors
node 'objstorage0.internal.staging.swh.network' {
include role::swh_remote_objstorage
}
node 'bojimans.internal.softwareheritage.org' {
include role::swh_netbox
}
node 'clearly-defined.internal.staging.swh.network' {
include role::swh_db_client
}
node default {
include role::swh_base
}
diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp
index 9ace8954..5689c4e9 100644
--- a/site-modules/profile/manifests/hedgedoc.pp
+++ b/site-modules/profile/manifests/hedgedoc.pp
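Review bot: `node "bardo.softwareheritage.org" {` uses double quotes where every other node declaration in this file uses single quotes and the string contains no interpolation; puppet-lint flags double-quoted strings without variables for the same reason. Change it to `node 'bardo.softwareheritage.org' {` so the new entry matches its neighbours.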
@@ -1,28 +1,134 @@ # deploy a hedgedoc instance class profile::hedgedoc { $packages = [ 'npm', 'yarn', 'node-gyp' ] $keyid = lookup('yarn::apt_config::keyid') $key = lookup('yarn::apt_config::key') + # ---- configuration + $user = lookup('hedgedoc::user') + $group = lookup('hedgedoc::group') + $host = lookup('hedgedoc::host') + $port = lookup('hedgedoc::port') + $base_url = "${host}:${port}" + + $db_name = lookup('hedgedoc::db::db_name') + $db_user = lookup('hedgedoc::db::username') + $db_password = lookup('swh::deploy::hedgedoc::db::password') + $db_port = lookup('swh::postgresql::port') + $db_url = "postgres://${db_user}:${db_password}@${host}:${db_port}/${db_name}" + + $allow_anonymous = lookup('hedgedoc::allow_anonymous') + $allow_anonymous_edits = lookup('hedgedoc::allow_anonymous_edits') + $runtime_environment = lookup('hedgedoc::runtime_environment') + $log_level = lookup('hedgedoc::log_level') + + # ---- install + $version = "1.7.0" + $archive_url = "https://github.com/hedgedoc/hedgedoc/releases/download/${version}/hedgedoc-${version}.tar.gz" + $archive_path = "/tmp/hedgedoc-${version}.tar.gz" + $root_install_path = "/opt" + $install_path = "${root_install_path}/hedgedoc" + $upgrade_flag_path = "${install_path}/hedgedoc-${version}-upgrade" + + $sequelizerc_config_sequelizerc_path = "${install_path}/.sequelizerc" + $sequelizerc_config_json_path = "${install_path}/config.json" + + $service_name = "hedgedoc" + $unit_name = "${service_name}.service" + apt::source { 'yarn': location => "https://dl.yarnpkg.com/debian/", release => 'stable', repos => 'main', key => { id => $keyid, content => $key, }, + } -> + package { $packages: + ensure => present, + notify => Archive['hedgedoc'], } - ensure_packages ( $packages ) + file { $install_path: + ensure => 'directory', + owner => $user, + group => $group, + mode => '0644', + require => [User[$user], Group[$group]], + } + + archive { 'hedgedoc': + path => $archive_path, + extract => true, + source => $archive_url, + 
extract_path => $root_install_path, + creates => $install_path, + checksum => 'ab1fc7ddf260ca6caff52f3400fc38815481fe353d0edc08de721765f15071f6', + checksum_type => 'sha256', + cleanup => true, + user => 'root', + group => 'root', + notify => File[$install_path], + } ~> + exec {'active-initialize': + command => "touch ${upgrade_flag_path}", + path => '/usr/bin', + refreshonly => true, + } ~> + exec {'hedgedoc-flag-upgrade': + command => "$install_path/bin/setup", + cwd => $install_path, + require => Postgresql::Server::Db[$db_name], + refreshonly => true, + } ~> + file {$sequelizerc_config_json_path: + ensure => present, + owner => $user, + group => $group, + mode => '0644', + content => template("profile/hedgedoc/config.json.erb"), + } ~> + file {$sequelizerc_config_sequelizerc_path: + ensure => present, + owner => $user, + group => $group, + mode => '0644', + content => template("profile/hedgedoc/sequelizerc.erb"), + } ~> + exec {'yarn-build': + command => "yarn run build", + cwd => $install_path, + path => '/usr/bin', + onlyif => "test -f ${upgrade_flag_path}", + refreshonly => true, + } ~> + exec {'hegdedoc-flag-upgrade-done': + command => "rm ${upgrade_flag_path}", + cwd => $install_path, + path => '/usr/bin', + onlyif => "test -f ${upgrade_flag_path}", + refreshonly => true, + notify => Service[$service_name], + } + + systemd::unit_file {$unit_name: + ensure => present, + content => template('profile/hedgedoc/hedgedoc.service.erb'), + } + + service {$service_name: + ensure => 'running', + enable => true, + require => [ + Systemd::Unit_file[$unit_name], + Package[$packages], + Archive['hedgedoc'], + ], + } - # packages { $packages: - # ensure => present, - # require => Apt::source['yarn'], - # } } -s diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb new file mode 100644 index 00000000..32b13424 --- /dev/null +++ b/site-modules/profile/templates/hedgedoc/config.json.erb 
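Review bot: `file {$sequelizerc_config_json_path: ... mode => '0644'}` and the `.sequelizerc` resource right after it are world-readable, yet both templates receive the database password (`@db_password`, and `@db_url` which embeds it), so any local account on bardo can read the hedgedoc DB credentials. Both should be `mode => '0640',` (they are already owned by `$user`/`$group`, which is all the service needs), and `ensure => file,` is the precise state for a file resource that carries `content`. The `hedgedoc-flag-upgrade` and `yarn-build` execs run as root because no `user` is set, so `bin/setup` and the yarn lifecycle scripts of every npm dependency execute with root privileges over a tree owned by the `hedgedoc` user; adding `user => $user, group => $group,` to both execs keeps the build in the same identity as the service and avoids root-owned files under `$install_path`. Smaller points: the resource title `hegdedoc-flag-upgrade-done` is misspelled, and `$db_url` connects to `${host}` (the public FQDN) rather than `localhost` although PostgreSQL runs on the same machine — presumably intended, but worth confirming against the pg_hba rules generated from `swh::postgresql::network_accesses`.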
@@ -0,0 +1,104 @@
+{
+ "<%= @runtime_environment %>": {
+ "sessionSecret": "change-this-secret",
+ "allowAnonymous": <%= @allow_anonymous %>,
+ "allowAnonymousEdit": <%= @allow_anonymous_edits %>,
+ "allowFreeURL": true,
+ "domain": "<%= @base_url %>",
+ "loglevel": "<%= @log_level %>",
+ "allowOrigin": [ "localhost", "<%= @base_url %>"],
+ "hsts": {
+ "enable": true,
+ "maxAgeSeconds": 31536000,
+ "includeSubdomains": true,
+ "preload": true
+ },
+ "csp": {
+ "enable": true,
+ "directives": {
+ },
+ "upgradeInsecureRequests": "auto",
+ "addDefaults": true,
+ "addDisqus": true,
+ "addGoogleAnalytics": true
+ },
+ "cookiePolicy": "lax",
+ "db": {
+ "username": "<%= @db_user %>",
+ "password": "<%= @db_password %>",
+ "database": "<%= @db_name %>",
+ "host": "<%= @host %>",
+ "port": "<%= @db_port %>",
+ "dialect": "postgres"
+ },
+ "facebook": {
+ "clientID": "change this",
+ "clientSecret": "change this"
+ },
+ "twitter": {
+ "consumerKey": "change this",
+ "consumerSecret": "change this"
+ },
+ "github": {
+ "clientID": "change this",
+ "clientSecret": "change this"
+ },
+ "gitlab": {
+ "baseURL": "change this",
+ "clientID": "change this",
+ "clientSecret": "change this",
+ "scope": "use 'read_user' scope for auth user only or remove this property if you need gitlab snippet import/export support (will result to be default scope 'api')",
+ "version": "v4"
+ },
+ "mattermost": {
+ "baseURL": "change this",
+ "clientID": "change this",
+ "clientSecret": "change this"
+ },
+ "dropbox": {
+ "clientID": "change this",
+ "clientSecret": "change this",
+ "appKey": "change this"
+ },
+ "google": {
+ "clientID": "change this",
+ "clientSecret": "change this",
+ "apiKey": "change this"
+ },
+ "ldap": {
+ "url": "ldap://change_this",
+ "bindDn": null,
+ "bindCredentials": null,
+ "searchBase": "change this",
+ "searchFilter": "change this",
+ "searchAttributes": ["change this"],
+ "usernameField": "change this e.g. cn",
+ "useridField": "change this e.g. uid",
+ "tlsOptions": {
+ "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+ }
+ },
+ "imgur": {
+ "clientID": "change this"
+ },
+ "minio": {
+ "accessKey": "change this",
+ "secretKey": "change this",
+ "endPoint": "change this",
+ "secure": true,
+ "port": 9000
+ },
+ "s3": {
+ "accessKeyId": "change this",
+ "secretAccessKey": "change this",
+ "region": "change this"
+ },
+ "s3bucket": "change this",
+ "azure":
+ {
+ "connectionString": "change this",
+ "container": "change this"
+ },
+ "linkifyHeaderStyle": "gfm"
+ }
+}
diff --git a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
new file mode 100644
index 00000000..9db72b73
--- /dev/null
+++ b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
@@ -0,0 +1,23 @@
+[Unit]
+Description=Hedgedoc
+Documentation=https://github.com/hedgedoc/hedgedoc
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=<%= @user %>
+Group=<%= @group %>
+Environment=CMD_ALLOW_ANONYMOUS=<%= @allow_anonymous %>
+Environment=CMD_ALLOW_ANONYMOUS_EDITS=<%= @allow_anonymous_edits %>
+Environment=NODE_ENV=<%= @runtime_environment %>
+WorkingDirectory=<%= @install_path %>
+
+ExecStart=/usr/bin/yarn start
+
+Restart=on-failure
+RestartSec=10
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site-modules/profile/templates/hedgedoc/sequelizerc.erb b/site-modules/profile/templates/hedgedoc/sequelizerc.erb
new file mode 100644
index 00000000..e3bcea2b
--- /dev/null
+++ b/site-modules/profile/templates/hedgedoc/sequelizerc.erb
@@ -0,0 +1,8 @@
+var path = require('path');
+
+module.exports = {
+ 'config': path.resolve('config.json'),
+ 'migrations-path': path.resolve('lib', 'migrations'),
+ 'models-path': path.resolve('lib', 'models'),
+ 'url': '<%= @db_url %>'
+}
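Review bot: `"sessionSecret": "change-this-secret"` ships a literal placeholder as the key that signs HedgeDoc's session cookies, and since this template is rendered under `"<%= @runtime_environment %>"` (`production` in the hiera data) anyone who can read this repository can forge a valid session. Take it from hiera like the database password, e.g. `"sessionSecret": "<%= @session_secret %>",` with `$session_secret = lookup('swh::deploy::hedgedoc::session_secret')` in the profile and the value kept in private-data. The `facebook`/`twitter`/`github`/`gitlab`/`mattermost`/`dropbox`/`google`/`ldap`/`imgur`/`minio`/`s3`/`azure` blocks are copied from the upstream example with `"change this"` values; as far as I can tell HedgeDoc treats a provider as enabled whenever its keys are non-empty, so these would surface broken login and upload options — delete the sections that are not in use instead of leaving placeholders. `"addDisqus": true` and `"addGoogleAnalytics": true` likewise widen the CSP to third-party origins this instance does not appear to use and should be `false`.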
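Review bot: The `[Service]` section drops to `User=<%= @user %>` but `PrivateTmp=true` is the only sandboxing directive for a network-facing Node.js application. Because the install lives under /opt and is the only path the service should write to, `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` can be added without affecting `yarn start` (confirm the app writes nothing under /home or /etc at runtime). `After=network-online.target` does not order the unit after the local PostgreSQL cluster it connects to; `After=postgresql.service` (or the cluster-specific unit name on this Debian release) would avoid a start-up failure that `Restart=on-failure` currently papers over. The `CMD_ALLOW_ANONYMOUS*` environment lines duplicate `allowAnonymous`/`allowAnonymousEdit` from config.json — keep a single source of truth so the two cannot disagree.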
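Review bot: `'url': '<%= @db_url %>'` writes the database password into a second on-disk file (config.json already carries the same credentials under `db`), doubling the places that must be kept private; if the `config` entry alone lets sequelize-cli find the connection settings — worth verifying against HedgeDoc's own `.sequelizerc` — drop the `url` entry. If `url` has to stay, `var path = require('path');` should be `const path = require('path');` in line with current Node style.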