From c51bc2b05c810db3a4c42353b97799733709106c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 28 Dec 2023 03:43:54 +0100
Subject: apps/node-red: 80% done but still (WIP)
---
 roles/apps/node-red/instance/tasks/main.yml | 126 ++++++++++++++++++++-
 .../node-red/instance/templates/pod-spec.yml.j2 | 4 +
 2 files changed, 129 insertions(+), 1 deletion(-)
(limited to 'roles/apps/node-red/instance')
diff --git a/roles/apps/node-red/instance/tasks/main.yml b/roles/apps/node-red/instance/tasks/main.yml
index ec9b9dff..3533ab09 100644
--- a/roles/apps/node-red/instance/tasks/main.yml
+++ b/roles/apps/node-red/instance/tasks/main.yml
@@ -16,7 +16,7 @@
 owner: 1000
 mode: 0700
 
-- name: generate/install/fetch TLS certificate
+- name: generate/install/fetch TLS certificates for mqtt
 when: "'mqtt_tls' in node_red_instances[node_red_instance]"
 vars:
 x509_certificate_name: "node-red-{{ node_red_instance }}_mqtt"
@@ -45,6 +45,85 @@
 include_role:
 name: "x509/{{ node_red_instances[node_red_instance].mqtt_tls.certificate_provider }}/cert"
 
+- name: generate/install TLS certificates for publishment
+ vars:
+ x509_certificate_name: "node-red-{{ node_red_instance }}_publish"
+ x509_certificate_hostnames: []
+ x509_certificate_config:
+ ca: "{{ node_red_instances[node_red_instance].publish.zone.certificate_ca_config }}"
+ cert:
+ common_name: "node-red-{{ node_red_instance }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ node_red_instance_basepath }}/tls/publish-crt.pem"
+ src:
+ - fullchain
+ owner: root
+ group: 1000
+ mode: "0644"
+ - dest: "{{ node_red_instance_basepath }}/tls/publish-key.pem"
+ src:
+ - key
+ owner: root
+ group: 1000
+ mode: "0640"
+ - dest: "{{ node_red_instance_basepath }}/tls/publish-ca-crt.pem"
+ src:
+ - ca_cert
+ owner: root
+ group: 1000
+ mode: "0644"
+ include_role:
+ name: "x509/{{ node_red_instances[node_red_instance].publish.zone.certificate_provider }}/cert"
+
+- name: build custom image
+ when: "'custom_image' in node_red_instances[node_red_instance]"
+ block:
+ - name: create build directory for custom image
+ file:
+ path: "{{ node_red_instance_basepath }}/build"
+ state: directory
+
+ - name: generate Dockerfile for custom image
+ copy:
+ content: |
+ FROM {{ node_red_instances[node_red_instance].custom_image.from | default('nodered/node-red:' + node_red_instances[node_red_instance].version + '-debian') }}
+
+ {{ node_red_instances[node_red_instance].custom_image.dockerfile }}
+ dest: "{{ node_red_instance_basepath }}/build/Dockerfile"
+ register: node_red_custom_image_docker
+
+ - name: build custom image
+ docker_image:
+ name: "nodered/node-red/{{ node_red_instance }}:{{ node_red_instances[node_red_instance].version }}-debian"
+ state: present
+ force_source: "{{ node_red_custom_image_docker is changed }}"
+ source: build
+ build:
+ path: "{{ node_red_instance_basepath }}/build"
+ network: host
+ pull: yes
+
+## TODO: settings.js:
+#
+# module.exports = {
+# credentialSecret: "geheim",
+# https: {
+# key: require("fs").readFileSync('/tls/publish-key.pem'),
+# cert: require("fs").readFileSync('/tls/publish-crt.pem'),
+# ca: require("fs").readFileSync('/tls/publish-ca-crt.pem'),
+# requestCert: true,
+# minVersion: 'TLSv1.3'
+# },
+# {{ node_red_instances[node_red_instance].extra_settings }}
+# }
+#
+
 - name: install pod manifest
 vars:
 kubernetes_standalone_pod:
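Review bot: `x509_certificate_hostnames: []` leaves the publish certificate with only `common_name: "node-red-{{ node_red_instance }}"` and presumably no subjectAltName, while the nginx vhost added in the next hunk verifies the upstream against exactly that name (`proxy_ssl.name` together with `verify: "on"`); CN-only name matching is deprecated in current TLS stacks, so the name should also be listed in `x509_certificate_hostnames` if the x509 role maps that list into the SAN — please confirm against the role. The settings.js sketch in the TODO comment hard-codes `credentialSecret: "geheim"`; when it becomes a real template, take the value from an instance variable (vault-encrypted) and install the file readable only by the container user, since that secret unlocks every credential stored in the flows. As a style point, `extended_key_usage_critical: yes`, `create_subject_key_identifier: yes` and `pull: yes` are the only YAML-1.1 truthy spellings in the new tasks — `true` keeps them consistent with the quoted `mode: "0644"` style and yamllint's truthy rule.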
@@ -52,3 +131,48 @@
 spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
 include_role:
 name: kubernetes/standalone/pod
+
+- name: configure nginx vhost for publishment
+ vars:
+ nginx_vhost__yaml: |
+ {% if node_red_instances[node_red_instance].publish.zone.publisher == inventory_hostname %}
+ name: "node-red-{{ node_red_instance }}"
+ {% else %}
+ name: "node-red-{{ node_red_instance }}-{{ inventory_hostname }}"
+ {% endif %}
+ template: generic
+ {% if 'tls' in node_red_instances[node_red_instance].publish %}
+ tls:
+ {{ node_red_instances[node_red_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ hostnames:
+ {% for hostname in node_red_instances[node_red_instance].publish.hostnames %}
+ - {{ hostname }}
+ {% endfor %}
+ locations:
+ '/':
+ {% if node_red_instances[node_red_instance].publish.zone.publisher == inventory_hostname %}
+ proxy_pass: "https://127.0.0.1:{{ node_red_instances[node_red_instance].port }}"
+ {% else %}
+ proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ node_red_instances[node_red_instance].port }}"
+ {% endif %}
+ proxy_ssl:
+ certificate: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-crt.pem"
+ certificate_key: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-key.pem"
+ trusted_certificate: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-ca-crt.pem"
+ verify: "on"
+ name: "node-red-{{ node_red_instance }}"
+ protocols: "TLSv1.3"
+ {% if 'location_extra_directives' in node_red_instances[node_red_instance].publish %}
+ extra_directives: |
+ {{ node_red_instances[node_red_instance].publish.location_extra_directives | indent(6) }}
+ {% endif %}
+ {% if 'vhost_extra_directives' in node_red_instances[node_red_instance].publish %}
+ extra_directives: |
+ {{ node_red_instances[node_red_instance].publish.vhost_extra_directives | indent(2) }}
+ {% endif %}
+ nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
+ include_role:
+ name: nginx/vhost
+ apply:
+ delegate_to: "{{ node_red_instances[node_red_instance].publish.zone.publisher }}"
diff --git a/roles/apps/node-red/instance/templates/pod-spec.yml.j2 b/roles/apps/node-red/instance/templates/pod-spec.yml.j2
index 29f2161a..1e60c122 100644
--- a/roles/apps/node-red/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/node-red/instance/templates/pod-spec.yml.j2
@@ -1,6 +1,10 @@
 containers:
 - name: node-red
+{% if 'custom_image' in node_red_instances[node_red_instance] %}
+ image: "nodered/node-red/{{ node_red_instance }}:{{ node_red_instances[node_red_instance].version }}-debian"
+{% else %}
 image: "nodered/node-red:{{ node_red_instances[node_red_instance].version }}-debian"
+{% endif %}
 volumeMounts:
 - name: tls
 mountPath: /tls
-- 
cgit v1.2.3
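Review bot: The two `proxy_pass` branches plus the `proxy_ssl` block encode a topology that is not obvious from the task alone — the vhost is rendered on the zone's publisher host via `delegate_to`, reaches the pod on 127.0.0.1 only when this host is the publisher, and otherwise crosses the network with mutual TLS to `ansible_default_ipv4.address` — so a comment above the task would help, e.g. `# the vhost lives on the zone publisher; remote instances are reached over mTLS with the zone's apps-publish certificate`. The `hostnames` loop emits `- {{ hostname }}` unquoted into text that `from_yaml` then parses; `- "{{ hostname }}"` avoids implicit typing of a templated value. If `publish.hostnames` can be empty, the rendered `hostnames:` parses as null rather than `[]`, which the nginx/vhost role may not accept — worth confirming against that role.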
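Review bot: The custom image reference `nodered/node-red/{{ node_red_instance }}:{{ node_red_instances[node_red_instance].version }}-debian` is now spelled out twice — here in the pod spec and in the `docker_image` task of tasks/main.yml — so a later change to the naming scheme can silently desynchronise the build from the pod; define it once (for example a `node_red_instance_image` variable in the role) and reference it from both places. Because the image exists only in the local image store while its name looks like a registry path, it is also worth checking that the pod runtime's pull behaviour does not attempt a registry fetch for it — the kubernetes/standalone/pod role is not visible from here.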