authorChristian Pointner <equinox@spreadspace.org>2021-04-21 23:27:31 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-04-21 23:27:31 +0200
commitb73cb91101a6d7bcf0cd17f0b40443be1c87c7e3 (patch)
tree827f1e252767306987aaa72e975242651c05c51e /roles
parentenable zfs snapshotting for keycloak (diff)
parentonlyoffice: enable jwt auth (diff)
Merge branch 'topic/onlyoffice'
Diffstat (limited to 'roles')
-rw-r--r--roles/apps/onlyoffice/defaults/main.yml30
-rw-r--r--roles/apps/onlyoffice/tasks/main.yml149
-rw-r--r--roles/apps/onlyoffice/templates/pod-spec.yml.j2104
3 files changed, 283 insertions, 0 deletions
diff --git a/roles/apps/onlyoffice/defaults/main.yml b/roles/apps/onlyoffice/defaults/main.yml
new file mode 100644
index 00000000..1ea4773a
--- /dev/null
+++ b/roles/apps/onlyoffice/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# onlyoffice_app_uid: "960"
+# onlyoffice_app_gid: "960"
+
+onlyoffice_db_uid: "961"
+onlyoffice_db_gid: "961"
+
+# onlyoffice_amqp_uid: "962"
+# onlyoffice_amqp_gid: "962"
+
+# onlyoffice_base_path: /srv/onlyoffice
+
+# onlyoffice_zfs:
+# pool: storage
+# name: onlyoffice
+# properties:
+# compression: lz4
+
+# onlyoffice_instances:
+# example:
+# version: 6.2.1.24
+# port: 8600
+# hostname: office.example.com
+# jwt_secret: very-secure-password
+# database:
+# version: 9.5.25
+# password: secret
+# amqp:
+# version: 3.8.14
+# password: secret
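Review bot: The example instance at the bottom of this file lists `jwt_secret` alongside the required settings, but `templates/pod-spec.yml.j2` only emits `JWT_ENABLED`/`JWT_SECRET` when that key is present, so an instance that omits it runs the document server without this role configuring JWT auth (the image's own default then applies) while `tasks/main.yml` still exposes it through the ACME-enabled nginx vhost. That is worth stating in the example, e.g. `#     jwt_secret: very-secure-password  # optional, but recommended: JWT auth is only configured when set`. The same block could also note that `onlyoffice_base_path` must be set whenever `onlyoffice_zfs` is not, since the tasks file only derives it from the zfs pool in the zfs branch.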
diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml
new file mode 100644
index 00000000..da253a77
--- /dev/null
+++ b/roles/apps/onlyoffice/tasks/main.yml
@@ -0,0 +1,149 @@
+---
+- name: create zfs datasets
+ when: onlyoffice_zfs is defined
+ block:
+ - name: create zfs base dataset
+ zfs:
+ name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}"
+ state: present
+ extra_zfs_properties: "{{ onlyoffice_zfs.properties | default(omit) }}"
+
+ - name: create zfs volumes for instances
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+ zfs:
+ name: "{{ onlyoffice_zfs.pool }}/{{ onlyoffice_zfs.name }}/{{ item.key }}"
+ state: present
+ extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+ - name: configure onlyoffice base bath
+ set_fact:
+ onlyoffice_base_path: "{{ (zfs_pools[onlyoffice_zfs.pool].mountpoint, onlyoffice_zfs.name) | path_join }}"
+
+
+- name: create instance subdirectories
+ when: onlyoffice_zfs is not defined
+ loop: "{{ onlyoffice_instances | list }}"
+ file:
+ path: "{{ onlyoffice_base_path }}/{{ item }}"
+ state: directory
+
+
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice app
+# group:
+# name: oo-app
+# gid: "{{ onlyoffice_app_gid }}"
+
+# - name: add user for onlyoffice app
+# user:
+# name: oo-app
+# uid: "{{ onlyoffice_app_uid }}"
+# group: oo-app
+# password: "!"
+
+# - name: create onlyoffice app subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_app_uid }}"
+# group: "{{ onlyoffice_app_gid }}"
+# state: directory
+
+
+- name: add group for onlyoffice db
+ group:
+ name: oo-db
+ gid: "{{ onlyoffice_db_gid }}"
+
+- name: add user for onlyoffice db
+ user:
+ name: oo-db
+ uid: "{{ onlyoffice_db_uid }}"
+ group: oo-db
+ password: "!"
+
+- name: create onlyoffice database subdirectory
+ loop: "{{ onlyoffice_instances | dict2items}}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres"
+ owner: "{{ onlyoffice_db_uid }}"
+ group: "{{ onlyoffice_db_gid }}"
+ state: directory
+
+
+# TODO: run documentserver components as non-root
+# - name: add group for onlyoffice aqmp
+# group:
+# name: oo-aqmp
+# gid: "{{ onlyoffice_aqmp_gid }}"
+
+# - name: add user for onlyoffice aqmp
+# user:
+# name: oo-aqmp
+# uid: "{{ onlyoffice_aqmp_uid }}"
+# group: oo-aqmp
+# password: "!"
+
+# - name: create onlyoffice aqmp subdirectory
+# loop: "{{ onlyoffice_instances | list }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item }}/onlyoffice"
+# owner: "{{ onlyoffice_aqmp_uid }}"
+# group: "{{ onlyoffice_aqmp_gid }}"
+# state: directory
+
+# TODO: AQMP config?
+# - name: create onlyoffice rabbitmq subdirectory
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# file:
+# path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+# state: directory
+
+# - name: install rabbitmq config snipped
+# loop: "{{ onlyoffice_instances | dict2items}}"
+# loop_control:
+# label: "{{ item.key }}"
+# copy:
+# dest: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# content: |
+# management.tcp.ip = 127.0.0.1
+
+
+- name: install pod manifest
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ kubernetes_standalone_pod:
+ name: "onlyoffice-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+# TODO: AQMP config?
+# config_hash_items:
+# - path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq/config"
+# properties:
+# - checksum
+ include_role:
+ name: kubernetes/standalone/pod
+
+- name: configure nginx vhost
+ loop: "{{ onlyoffice_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "onlyoffice-{{ item.key }}"
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames:
+ - "{{ item.value.hostname }}"
+ client_max_body_size: "0"
+ proxy_pass: "http://127.0.0.1:{{ item.value.port }}"
+ include_role:
+ name: nginx/vhost
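Review bot: The `create onlyoffice database subdirectory` task sets owner and group but no `mode`, so the postgres data directory is created with whatever the umask yields; since it holds the cluster files and is mounted into the pod as a hostPath, an explicit `mode: "0700"` would pin the permission instead of relying on the container entrypoint to tighten it. Two smaller things in the same hunk: the task name `configure onlyoffice base bath` should read `base path`, and `"{{ onlyoffice_instances | dict2items}}"` is missing the space before `}}`. The commented-out amqp user/group tasks spell the variables `onlyoffice_aqmp_uid`/`onlyoffice_aqmp_gid` while `defaults/main.yml` defines `onlyoffice_amqp_uid`/`onlyoffice_amqp_gid`, so they will fail on an undefined variable as soon as they are uncommented.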
diff --git a/roles/apps/onlyoffice/templates/pod-spec.yml.j2 b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..74fb1ab6
--- /dev/null
+++ b/roles/apps/onlyoffice/templates/pod-spec.yml.j2
@@ -0,0 +1,104 @@
+{# TODO:
+securityContext:
+ allowPrivilegeEscalation: false
+#}
+terminationGracePeriodSeconds: 120
+containers:
+{# TODO: only listen to localhost #}
+- name: documentserver
+ image: "onlyoffice/documentserver:{{ item.value.version }}"
+ resources:
+ limits:
+ memory: "4Gi"
+{# TODO:
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_amqp_uid }}
+ runAsGroup: {{ onlyoffice_amqp_gid }}
+#}
+ env:
+ - name: "DB_TYPE"
+ value: "postgres"
+ - name: "DB_HOST"
+ value: "127.0.0.1"
+ - name: "DB_PORT"
+ value: "5432"
+ - name: "DB_NAME"
+ value: "onlyoffice"
+ - name: "DB_USER"
+ value: "onlyoffice"
+ - name: "DB_PWD"
+ value: "{{ item.value.database.password }}"
+ - name: "AMQP_TYPE"
+ value: "rabbitmq"
+ - name: "AMQP_URI"
+ value: "amqp://onlyoffice:{{ item.value.amqp.password }}@127.0.0.1:5672"
+{% if 'jwt_secret' in item.value %}
+ - name: "JWT_ENABLED"
+ value: "true"
+ - name: "JWT_SECRET"
+ value: "{{ item.value.jwt_secret }}"
+{% endif %}
+ ports:
+ - containerPort: 80
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+
+- name: postgresql
+ image: "postgres:{{ item.value.database.version }}"
+ args:
+ - postgres
+ - -c
+ - listen_addresses=127.0.0.1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_db_uid }}
+ runAsGroup: {{ onlyoffice_db_gid }}
+ env:
+ - name: "POSTGRES_DB"
+ value: "onlyoffice"
+ - name: "POSTGRES_USER"
+ value: "onlyoffice"
+ - name: "POSTGRES_PASSWORD"
+ value: "{{ item.value.database.password }}"
+ volumeMounts:
+ - name: postgres
+ mountPath: /var/lib/postgresql/data
+
+{# TODO: only listen to localhost #}
+- name: rabbitmq
+ image: "rabbitmq:{{ item.value.amqp.version }}"
+{# TODO:
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ onlyoffice_amqp_uid }}
+ runAsGroup: {{ onlyoffice_amqp_gid }}
+#}
+ env:
+ - name: "RABBITMQ_NODENAME"
+ value: "rabbit@localhost"
+ - name: "RABBITMQ_NODE_IP_ADDRESS"
+ value: "127.0.0.1"
+ - name: "RABBITMQ_DEFAULT_USER"
+ value: "onlyoffice"
+ - name: "RABBITMQ_DEFAULT_PASS"
+ value: "{{ item.value.amqp.password }}"
+{# TODO: AQMP config?
+ volumeMounts:
+ - name: rabbitmq
+ mountPath: /etc/rabbitmq/conf.d/k8s.conf
+ subPath: config
+ readOnly: true
+#}
+
+volumes:
+- name: postgres
+ hostPath:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/postgres"
+ type: Directory
+{# TODO: AQMP config?
+- name: rabbitmq
+ hostPath:
+ path: "{{ onlyoffice_base_path }}/{{ item.key }}/rabbitmq"
+ type: Directory
+#}
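Review bot: `AMQP_URI` interpolates `item.value.amqp.password` into a URL unescaped, so a password containing `@`, `:` or `%` yields a URI the document server cannot parse, even though the same raw value is handed to RabbitMQ via `RABBITMQ_DEFAULT_PASS` and would otherwise be valid; `value: "amqp://onlyoffice:{{ item.value.amqp.password | urlencode }}@127.0.0.1:5672"` keeps the two consistent (a `/` in the password would still need separate handling, since `urlencode` leaves it alone). Likewise the hand-quoted env values (`DB_PWD`, `POSTGRES_PASSWORD`, `JWT_SECRET`, `RABBITMQ_DEFAULT_PASS`) break the rendered YAML if a secret contains `"` or `\`; `value: {{ item.value.database.password | to_json }}` in place of the manual quotes covers that. The commented-out securityContext for the `documentserver` container reuses `onlyoffice_amqp_uid`/`onlyoffice_amqp_gid`, which looks like a copy-paste from the rabbitmq block — `defaults/main.yml` reserves `onlyoffice_app_uid`/`onlyoffice_app_gid` for it.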