authorChristian Pointner <equinox@spreadspace.org>2023-12-28 13:32:11 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-12-28 13:32:11 +0100
commit626027250e3f1724be7018bdb7f78b13fd5d1eb5 (patch)
tree7674397b1fb214541f34c08b2be4fe822412ffbd
parentfix node-red combined with whawty-sso nginx/auth (diff)
finialize node-red role for now
-rw-r--r--chaos-at-home/host_vars/ch-apps.yml21
-rw-r--r--inventory/host_vars/ch-apps/node-red.yml3
-rw-r--r--roles/apps/node-red/defaults/main.yml64
-rw-r--r--roles/apps/node-red/instance/tasks/main.yml43
4 files changed, 104 insertions, 27 deletions
diff --git a/chaos-at-home/host_vars/ch-apps.yml b/chaos-at-home/host_vars/ch-apps.yml
index 2113cccb..6612b6e6 100644
--- a/chaos-at-home/host_vars/ch-apps.yml
+++ b/chaos-at-home/host_vars/ch-apps.yml
@@ -1,13 +1,10 @@
$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-66616135616662353431383534356431653465623632333438366435613935343230396533383437
-3438633761653436623362666239653733363066653866620a363533363036633434626263343062
-39393733633261323964626438613864333836366637663662323961643465383463326265636337
-3835373439326466370a343739383966383364636432336538383736373631323632343064333938
-37613637393734353435323465633134626265663863323764343461373761363561343130333633
-32643364653930383030386636643564616534623332633839326330326164346464393138653736
-31323363633339393263356162396236623033313961326465306438323634333735636162663935
-35306435363137616633326337376236663536316163646562646435353939393833653932626339
-30373438376266323265623833333331653739663334353434303634646533636337373034636238
-34646263363864643937313132663336393735313363336637656363363236366431303039383639
-66303539633963333831323230646535346439646437343333353362626330386230653665646361
-32633630623162646238
+64313462623435636236323762663236393166616439313030353639613936303665383032623862
+6365383936653466313063623332363665643436326231350a366338323064666431653135323838
+37303262343831333130376331653234626131393865643633613963343235613530626533653435
+3365643437663862380a633038343239313235346130613338613334663436326433313730636635
+66616165336261613264353738363336643461643932326538643035656432663033333137616434
+39666666353266346138366462633936323064376139323362613534356535633665393936346439
+39633666336332356266313632656163353639643938353764303031646432346139613266623936
+61373430363064306336613539336335376361363239393235356239633234333961323533363361
+6163
diff --git a/inventory/host_vars/ch-apps/node-red.yml b/inventory/host_vars/ch-apps/node-red.yml
index 249e7f7a..ee11a495 100644
--- a/inventory/host_vars/ch-apps/node-red.yml
+++ b/inventory/host_vars/ch-apps/node-red.yml
@@ -3,6 +3,7 @@ node_red_instances:
test:
version: 3.1.3
port: 1880
+ credential_secret: "{{ vault_nodered_credential_secrets['test'] }}"
mqtt_tls:
certificate_provider: managed-ca
certificate_config:
@@ -64,4 +65,4 @@ node_red_instances:
default: {
permissions: "read"
}
- }
+ },
diff --git a/roles/apps/node-red/defaults/main.yml b/roles/apps/node-red/defaults/main.yml
new file mode 100644
index 00000000..7117882b
--- /dev/null
+++ b/roles/apps/node-red/defaults/main.yml
@@ -0,0 +1,64 @@
+---
+# node_red_instances:
+# test:
+# version: 3.1.3
+# port: 1880
+# credential_secret: "do-not-tell-anyone"
+# mqtt_tls:
+# certificate_provider: managed-ca
+# certificate_config:
+# ca:
+# host: iot
+# name: mqtt
+# cert:
+# common_name: test
+# extended_key_usage:
+# - clientAuth
+# extended_key_usage_critical: yes
+# create_subject_key_identifier: yes
+# not_after: +100w
+# publish:
+# zone: "{{ apps_publish_zone__foo }}"
+# hostnames:
+# - node-red.example.com
+# tls:
+# certificate_provider: ...
+# vhost_extra_directives: |
+# include snippets/whawty-sso-foo.conf;
+
+# location = /healthz {
+# auth_request off;
+# return 200;
+# }
+# location_extra_directives: |
+# auth_request_set $username $upstream_http_x_username;
+# proxy_set_header X-Username $username;
+# custom_image:
+# dockerfile: |
+# RUN npm install passport-trusted-header
+# extra_settings: |
+# adminAuth: {
+# type: "strategy",
+# strategy: {
+# name: "trusted-header",
+# label: "SSO login",
+# autoLogin: true,
+# strategy: require("passport-trusted-header").Strategy,
+# options: {
+# headers: ['x-username'],
+# verify: function(requestHeaders, done) {
+# var username = requestHeaders['x-username']
+# if(username === '') {
+# done("x-username HTTP-Header is empty", null)
+# }
+# done(null, { username: username });
+# }
+# },
+# },
+# users: [
+# { username: "equinox", permissions: ["*"] }
+# ],
+# default: {
+# permissions: "read"
+# }
+# }
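Review bot: The `verify` callback in the commented adminAuth example calls `done` twice when the header is empty, because the error branch does not return before the success call on the next line; the example should read `if(username === '') { return done("x-username HTTP-Header is empty", null) }`. A missing header presumably arrives as `undefined` rather than `''`, so `if(!username)` would cover both cases — worth confirming against how passport-trusted-header invokes `verify` before copying this into a real instance. Since the whole file is a commented example rather than actual defaults, a short header comment stating which instance keys the role requires (`version`, `port`, `credential_secret` are the ones the tasks read) would help, and the example values `extended_key_usage_critical: yes` / `create_subject_key_identifier: yes` are better written as `true` to avoid the YAML 1.1 truthy ambiguity.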
diff --git a/roles/apps/node-red/instance/tasks/main.yml b/roles/apps/node-red/instance/tasks/main.yml
index 3533ab09..38547f58 100644
--- a/roles/apps/node-red/instance/tasks/main.yml
+++ b/roles/apps/node-red/instance/tasks/main.yml
@@ -109,20 +109,10 @@
network: host
pull: yes
-## TODO: settings.js:
-#
-# module.exports = {
-# credentialSecret: "geheim",
-# https: {
-# key: require("fs").readFileSync('/tls/publish-key.pem'),
-# cert: require("fs").readFileSync('/tls/publish-crt.pem'),
-# ca: require("fs").readFileSync('/tls/publish-ca-crt.pem'),
-# requestCert: true,
-# minVersion: 'TLSv1.3'
-# },
-# {{ node_red_instances[node_red_instance].extra_settings }}
-# }
-#
+- name: test if settings.js already exists
+ stat:
+ path: "{{ node_red_instance_basepath }}/data/settings.js"
+ register: node_red_settings_js
- name: install pod manifest
vars:
@@ -176,3 +166,28 @@
name: nginx/vhost
apply:
delegate_to: "{{ node_red_instances[node_red_instance].publish.zone.publisher }}"
+
+
+- name: print info for new instance
+ when: not node_red_settings_js.stat.exists
+ pause:
+ seconds: 5
+ prompt: |
+ ************* {{ node_red_instance }} is a new instance
+ **
+ ** Wait for default settings.js to be populated and then add the following options:
+
+ credentialSecret: "{{ node_red_instances[node_red_instance].credential_secret }}",
+
+ https: {
+ key: require("fs").readFileSync('/tls/publish-key.pem'),
+ cert: require("fs").readFileSync('/tls/publish-crt.pem'),
+ ca: require("fs").readFileSync('/tls/publish-ca-crt.pem'),
+ requestCert: true,
+ minVersion: 'TLSv1.3'
+ },
+
+ {{ node_red_instances[node_red_instance].extra_settings | indent(4) }}
+
+ **
+ ****************************************
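Review bot: The `pause` prompt in the new `print info for new instance` task renders `credential_secret` in clear text, so the vault-protected value ends up in the Ansible console output and in any CI or log capture of the run; `no_log` is not set on the task. Because the prompt is exactly the settings.js snippet the operator has to paste in, a safer shape is to write that snippet to a file next to settings.js with restrictive permissions and have the prompt only point at the file, as sketched below. The `seconds: 5` timeout also lets the instructions scroll away on an unattended run; for a one-time setup step, dropping `seconds` so the pause waits for confirmation is presumably the intent. The play continues outside the hunk.
```yaml
- name: write settings.js snippet for new instance
  when: not node_red_settings_js.stat.exists
  copy:
    dest: "{{ node_red_instance_basepath }}/data/settings-snippet.js"  # constructed example path
    mode: "0600"
    content: |
      # … unchanged: the credentialSecret / https / extra_settings block from the prompt …

- name: print info for new instance
  when: not node_red_settings_js.stat.exists
  pause:
    prompt: |
      ************* {{ node_red_instance }} is a new instance
      ** Merge data/settings-snippet.js into settings.js once it has been populated, then delete the snippet.
```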