diff options
author | Christian Pointner <equinox@spreadspace.org> | 2021-04-21 23:27:31 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2021-04-21 23:27:31 +0200 |
commit | b73cb91101a6d7bcf0cd17f0b40443be1c87c7e3 (patch) | |
tree | 827f1e252767306987aaa72e975242651c05c51e /roles/apps | |
parent | enable zfs snapshotting for keycloak (diff) | |
parent | onlyoffice: enable jwt auth (diff) |
Merge branch 'topic/onlyoffice'
Diffstat (limited to 'roles/apps')
-rw-r--r-- | roles/apps/onlyoffice/defaults/main.yml | 30 | ||||
-rw-r--r-- | roles/apps/onlyoffice/tasks/main.yml | 149 | ||||
-rw-r--r-- | roles/apps/onlyoffice/templates/pod-spec.yml.j2 | 104 |
3 files changed, 283 insertions, 0 deletions
diff --git a/roles/apps/onlyoffice/defaults/main.yml b/roles/apps/onlyoffice/defaults/main.yml new file mode 100644 index 00000000..1ea4773a --- /dev/null +++ b/roles/apps/onlyoffice/defaults/main.yml @@ -0,0 +1,30 @@ +--- +# onlyoffice_app_uid: "960" +# onlyoffice_app_gid: "960" + +onlyoffice_db_uid: "961" +onlyoffice_db_gid: "961" + +# onlyoffice_amqp_uid: "962" +# onlyoffice_amqp_gid: "962" + +# onlyoffice_base_path: /srv/onlyoffice + +# onlyoffice_zfs: +# pool: storage +# name: onlyoffice +# properties: +# compression: lz4 + +# onlyoffice_instances: +# example: +# version: 6.2.1.24 +# port: 8600 +# hostname: office.example.com +# jwt_secret: very-secure-password +# database: +# version: 9.5.25 +# password: secret +# amqp: +# version: 3.8.14 +# password: secret diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml new file mode 100644 index 00000000..da253a77 --- /dev/null +++ b/roles/apps/onlyoffice/tasks/main.yml @@ -0,0 +1,149 @@ +--- +- name: create zfs datasets + when: onlyoffice_zfs is defined + block: + - name: create zfs base dataset + zfs: + name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}" + state: present + extra_zfs_properties: "{{ onlyoffice_zfs.properties | default(omit) }}" + + - name: create zfs volumes for instances + loop: "{{ onlyoffice_instances | dict2items }}" + loop_control: + label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})" + zfs: + name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}/{{ item.key }}" + state: present + extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}" + + - name: configure onlyoffice base bath + set_fact: + onlyoffice_base_path: "{{ (zfs_pools[onlyoffice_zfs.pool].mountpoint, onlyoffice_zfs.name) | path_join }}" + + +- name: create instance subdirectories + when: onlyoffice_zfs is not defined + loop: "{{ onlyoffice_instances | list }}" + file: + path: "{{ onlyoffice_base_path }}/{{ item }}" + state: directory + + +# TODO: run documentserver components as non-root +# - name: add group for onlyoffice app +# group: +# name: oo-app +# gid: "{{ onlyoffice_app_gid }}" + +# - name: add user for onlyoffice app +# user: +# name: oo-app +# uid: "{{ onlyoffice_app_uid }}" +# group: oo-app +# password: "!" + +# - name: create onlyoffice app subdirectory +# loop: "{{ onlyoffice_instances | list }}" +# file: +# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice" +# owner: "{{ onlyoffice_app_uid }}" +# group: "{{ onlyoffice_app_gid }}" +# state: directory + + +- name: add group for onlyoffice db + group: + name: oo-db + gid: "{{ onlyoffice_db_gid }}" + +- name: add user for onlyoffice db + user: + name: oo-db + uid: "{{ onlyoffice_db_uid }}" + group: oo-db + password: "!" + +- name: create onlyoffice database subdirectory + loop: "{{ onlyoffice_instances | dict2items}}" + loop_control: + label: "{{ item.key }}" + file: + path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres" + owner: "{{ onlyoffice_db_uid }}" + group: "{{ onlyoffice_db_gid }}" + state: directory + + +# TODO: run documentserver components as non-root +# - name: add group for onlyoffice aqmp +# group: +# name: oo-aqmp +# gid: "{{ onlyoffice_aqmp_gid }}" + +# - name: add user for onlyoffice aqmp +# user: +# name: oo-aqmp +# uid: "{{ onlyoffice_aqmp_uid }}" +# group: oo-aqmp +# password: "!" + +# - name: create onlyoffice aqmp subdirectory +# loop: "{{ onlyoffice_instances | list }}" +# file: +# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice" +# owner: "{{ onlyoffice_aqmp_uid }}" +# group: "{{ onlyoffice_aqmp_gid }}" +# state: directory + +# TODO: AQMP config? +# - name: create onlyoffice rabbitmq subdirectory +# loop: "{{ onlyoffice_instances | dict2items}}" +# loop_control: +# label: "{{ item.key }}" +# file: +# path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq" +# state: directory + +# - name: install rabbitmq config snipped +# loop: "{{ onlyoffice_instances | dict2items}}" +# loop_control: +# label: "{{ item.key }}" +# copy: +# dest: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config" +# content: | +# management.tcp.ip = 127.0.0.1 + + +- name: install pod manifest + loop: "{{ onlyoffice_instances | dict2items }}" + loop_control: + label: "{{ item.key }}" + vars: + kubernetes_standalone_pod: + name: "onlyoffice-{{ item.key }}" + spec: "{{ lookup('template', 'pod-spec.yml.j2') }}" + mode: "0600" +# TODO: AQMP config? +# config_hash_items: +# - path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config" +# properties: +# - checksum + include_role: + name: kubernetes/standalone/pod + +- name: configure nginx vhost + loop: "{{ onlyoffice_instances | dict2items }}" + loop_control: + label: "{{ item.key }}" + vars: + nginx_vhost: + name: "onlyoffice-{{ item.key }}" + template: generic-proxy-no-buffering-with-acme + acme: true + hostnames: + - "{{ item.value.hostname }}" + client_max_body_size: "0" + proxy_pass: "http://127.0.0.1:{{ item.value.port }}" + include_role: + name: nginx/vhost diff --git a/roles/apps/onlyoffice/templates/pod-spec.yml.j2 b/roles/apps/onlyoffice/templates/pod-spec.yml.j2 new file mode 100644 index 00000000..74fb1ab6 --- /dev/null +++ b/roles/apps/onlyoffice/templates/pod-spec.yml.j2 @@ -0,0 +1,104 @@ +{# TODO: +securityContext: + allowPrivilegeEscalation: false +#} +terminationGracePeriodSeconds: 120 +containers: +{# TODO: only listen to localhost #} +- name: documentserver + image: "onlyoffice/documentserver:{{ item.value.version }}" + resources: + limits: + memory: "4Gi" +{# TODO: + securityContext: + allowPrivilegeEscalation: false + runAsUser: {{ onlyoffice_amqp_uid }} + runAsGroup: {{ onlyoffice_amqp_gid }} +#} + env: + - name: "DB_TYPE" + value: "postgres" + - name: "DB_HOST" + value: "127.0.0.1" + - name: "DB_PORT" + value: "5432" + - name: "DB_NAME" + value: "onlyoffice" + - name: "DB_USER" + value: "onlyoffice" + - name: "DB_PWD" + value: "{{ item.value.database.password }}" + - name: "AMQP_TYPE" + value: "rabbitmq" + - name: "AMQP_URI" + value: "amqp://onlyoffice:{{ item.value.amqp.password }}@127.0.0.1:5672" +{% if 'jwt_secret' in item.value %} + - name: "JWT_ENABLED" + value: "true" + - name: "JWT_SECRET" + value: "{{ item.value.jwt_secret }}" +{% endif %} + ports: + - containerPort: 80 + hostPort: {{ item.value.port }} + hostIP: 127.0.0.1 + +- name: postgresql + image: "postgres:{{ item.value.database.version }}" + args: + - postgres + - -c + - listen_addresses=127.0.0.1 + securityContext: + allowPrivilegeEscalation: false + runAsUser: {{ onlyoffice_db_uid }} + runAsGroup: {{ onlyoffice_db_gid }} + env: + - name: "POSTGRES_DB" + value: "onlyoffice" + - name: "POSTGRES_USER" + value: "onlyoffice" + - name: "POSTGRES_PASSWORD" + value: "{{ item.value.database.password }}" + volumeMounts: + - name: postgres + mountPath: /var/lib/postgresql/data + +{# TODO: only listen to localhost #} +- name: rabbitmq + image: "rabbitmq:{{ item.value.amqp.version }}" +{# TODO: + securityContext: + allowPrivilegeEscalation: false + runAsUser: {{ onlyoffice_amqp_uid }} + runAsGroup: {{ onlyoffice_amqp_gid }} +#} + env: + - name: "RABBITMQ_NODENAME" + value: "rabbit@localhost" + - name: "RABBITMQ_NODE_IP_ADDRESS" + value: "127.0.0.1" + - name: "RABBITMQ_DEFAULT_USER" + value: "onlyoffice" + - name: "RABBITMQ_DEFAULT_PASS" + value: "{{ item.value.amqp.password }}" +{# TODO: AQMP config? + volumeMounts: + - name: rabbitmq + mountPath: /etc/rabbitmq/conf.d/k8s.conf + subPath: config + readOnly: true +#} + +volumes: +- name: postgres + hostPath: + path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres" + type: Directory +{# TODO: AQMP config? +- name: rabbitmq + hostPath: + path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq" + type: Directory +#} |