From aa798535cdd76257ba2ec54a53bd9baf8a54a68a Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Thu, 17 Oct 2019 20:02:22 +0200
Subject: basic etherpad installation works now

---
 roles/etherpad-lite/defaults/main.yml              |  29 +++++
 roles/etherpad-lite/tasks/main.yml                 | 128 +++++++++++++++++++++
 roles/etherpad-lite/templates/nginx-vhost.conf.j2  |  57 +++++++++
 .../templates/pod-with-mariadb.yml.j2              |  57 +++++++++
 4 files changed, 271 insertions(+)
 create mode 100644 roles/etherpad-lite/defaults/main.yml
 create mode 100644 roles/etherpad-lite/tasks/main.yml
 create mode 100644 roles/etherpad-lite/templates/nginx-vhost.conf.j2
 create mode 100644 roles/etherpad-lite/templates/pod-with-mariadb.yml.j2

(limited to 'roles/etherpad-lite')

diff --git a/roles/etherpad-lite/defaults/main.yml b/roles/etherpad-lite/defaults/main.yml
new file mode 100644
index 00000000..5281c739
--- /dev/null
+++ b/roles/etherpad-lite/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+etherpad_lite_app_uid: "940"
+etherpad_lite_app_gid: "940"
+
+etherpad_lite_db_uid: "941"
+etherpad_lite_db_gid: "941"
+
+# etherpad_lite_base_path: /srv/etherpad_lite
+
+# etherpad_lite_zfs:
+#   pool: storage
+#   name: etherpad_lite
+#   size: 20G
+
+# etherpad_lite_instances:
+#   example:
+#     version: 1.7.5
+#     port: 8300
+#     hostnames:
+#       - pad.example.com
+#     quota: 40G
+#     settings:
+#        ....
+#     credentials:
+#        ....
+#     database:
+#       type: mariadb
+#       version: 10.4.8
+#       password: "{{ vault_etherpad_lite_database_passwords['example'] }}"
diff --git a/roles/etherpad-lite/tasks/main.yml b/roles/etherpad-lite/tasks/main.yml
new file mode 100644
index 00000000..05bf32ce
--- /dev/null
+++ b/roles/etherpad-lite/tasks/main.yml
@@ -0,0 +1,128 @@
+---
+- name: create zfs datasets
+  when: etherpad_lite_zfs is defined
+  block:
+  - name: create zfs base dataset
+    zfs:
+      name: "{{ etherpad_lite_zfs.pool }}/{{ etherpad_lite_zfs.name }}"
+      state: present
+      extra_zfs_properties:
+        quota: "{{ etherpad_lite_zfs.size }}"
+
+  - name: create zfs volumes for instances
+    loop: "{{ etherpad_lite_instances | dict2items }}"
+    loop_control:
+      label: "{{ item.key }} ({{ item.value.quota }})"
+    zfs:
+      name: "{{ etherpad_lite_zfs.pool }}/{{ etherpad_lite_zfs.name }}/{{ item.key }}"
+      state: present
+      extra_zfs_properties:
+        quota: "{{ item.value.quota }}"
+
+  - name: configure etherpad_lite base bath
+    set_fact:
+      etherpad_lite_base_path: "{{ zfs_zpools[etherpad_lite_zfs.pool].mountpoint }}/{{ etherpad_lite_zfs.name }}"
+
+
+- name: create instance subdirectories
+  when: etherpad_lite_zfs is not defined
+  loop: "{{ etherpad_lite_instances | list }}"
+  file:
+    path: "{{ etherpad_lite_base_path }}/{{ item }}"
+    state: directory
+
+
+
+- name: add group for etherpad-lite app
+  group:
+    name: epl-app
+    gid: "{{ etherpad_lite_app_gid }}"
+
+- name: add user for etherpad-lite app
+  user:
+    name: epl-app
+    uid: "{{ etherpad_lite_app_uid }}"
+    group: epl-app
+    password: "!"
+
+- name: create etherpad_lite app subdirectory
+  loop: "{{ etherpad_lite_instances | list }}"
+  file:
+    path: "{{ etherpad_lite_base_path }}/{{ item }}/etherpad-lite"
+    owner: "{{ etherpad_lite_app_uid }}"
+    group: "{{ etherpad_lite_app_gid }}"
+    state: directory
+
+
+- name: add group for etherpad-lite db
+  group:
+    name: epl-db
+    gid: "{{ etherpad_lite_db_gid }}"
+
+- name: add user for etherpad-lite db
+  user:
+    name: epl-db
+    uid: "{{ etherpad_lite_db_uid }}"
+    group: epl-db
+    password: "!"
+
+- name: create etherpad-lite database subdirectory
+  loop: "{{ etherpad_lite_instances | dict2items}}"
+  loop_control:
+    label: "{{ item.key }} ({{ item.value.database.type }})"
+  file:
+    path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+    owner: "{{ etherpad_lite_db_uid }}"
+    group: "{{ etherpad_lite_db_gid }}"
+    state: directory
+
+
+- name: create etherpad-lite config directory
+  loop: "{{ etherpad_lite_instances | list }}"
+  file:
+    path: "{{ etherpad_lite_base_path }}/{{ item }}/config"
+    state: directory
+
+- name: create settings json
+  loop: "{{ etherpad_lite_instances | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: "{{ item.value.settings | combine({'ip': '0.0.0.0', 'port': 9001}) | to_nice_json }}"
+    dest: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/settings.json"
+    mode: 0644
+    owner: "{{ etherpad_lite_app_uid }}"
+    group: "{{ etherpad_lite_app_gid }}"
+
+- name: create db credentials json
+  loop: "{{ etherpad_lite_instances | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: "{{ item.value.credentials | to_nice_json }}"
+    dest: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/credentials.json"
+    mode: 0600
+    owner: "{{ etherpad_lite_app_uid }}"
+    group: "{{ etherpad_lite_app_gid }}"
+
+
+- name: generate pod manifests
+  loop: "{{ etherpad_lite_instances | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  template:
+    src: "pod-with-{{ item.value.database.type }}.yml.j2"
+    dest: "/etc/kubernetes/manifests/etherpad-lite-{{ item.key }}.yml"
+    mode: 0600
+
+
+- name: configure nginx vhost
+  loop: "{{ etherpad_lite_instances | dict2items }}"
+  include_role:
+    name: nginx/vhost
+  vars:
+    nginx_vhost:
+      name: "etherpad-lite-{{ item.key }}"
+      content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
+      acme: true
+      hostnames: "{{ item.value.hostnames }}"
diff --git a/roles/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/etherpad-lite/templates/nginx-vhost.conf.j2
new file mode 100644
index 00000000..9bca4f22
--- /dev/null
+++ b/roles/etherpad-lite/templates/nginx-vhost.conf.j2
@@ -0,0 +1,57 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ item.value.hostnames | join(' ') }};
+
+    include snippets/acmetool.conf;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ item.value.hostnames | join(' ') }};
+
+    include snippets/acmetool.conf;
+    include snippets/ssl.conf;
+    ssl_certificate     /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
+    ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
+    include snippets/hsts.conf;
+
+    location / {
+        rewrite ^/$ / break;
+        rewrite ^/locales/(.*) /locales/$1 break;
+        rewrite ^/locales.json /locales.json break;
+        rewrite ^/admin(.*) /admin$1 break;
+        rewrite ^/p/(.*) /p/$1 break;
+        rewrite ^/static/(.*) /static/$1 break;
+        rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
+        rewrite ^/javascripts/(.*) /javascripts/$1 break;
+        rewrite ^/socket.io/(.*) /socket.io/$1 break;
+        rewrite ^/ep/(.*) /ep/$1 break;
+        rewrite ^/minified/(.*) /minified/$1 break;
+        rewrite ^/api/(.*) /api/$1 break;
+        rewrite ^/ro/(.*) /ro/$1 break;
+        rewrite ^/error/(.*) /error/$1 break;
+        rewrite ^/jserror(.*) /jserror$1 break;
+        rewrite ^/redirect(.*) /redirect$1 break;
+        rewrite /favicon.ico /favicon.ico break;
+        rewrite /robots.txt /robots.txt break;
+        rewrite /(.*) /p/$1;
+
+        include snippets/proxy-nobuff.conf;
+
+        proxy_set_header Host $host;
+        include snippets/proxy-forward-headers.conf;
+        proxy_pass_header Server;
+
+        # for websockets
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        proxy_pass http://127.0.0.1:{{ item.value.port }};
+    }
+}
diff --git a/roles/etherpad-lite/templates/pod-with-mariadb.yml.j2 b/roles/etherpad-lite/templates/pod-with-mariadb.yml.j2
new file mode 100644
index 00000000..0e0b6b8b
--- /dev/null
+++ b/roles/etherpad-lite/templates/pod-with-mariadb.yml.j2
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "etherpad-lite-{{ item.key }}"
+spec:
+  securityContext:
+    allowPrivilegeEscalation: false
+  containers:
+  - name: etherpad-lite
+    image: etherpad/etherpad:{{ item.value.version }}
+    # securityContext:
+    #   runAsUser: {{ etherpad_lite_app_uid }}
+    #   runAsGroup: {{ etherpad_lite_app_gid }}
+    resources:
+      limits:
+        memory: "4Gi"
+    volumeMounts:
+    - name: config
+      mountPath: /opt/etherpad/settings.json
+      subPath: settings.json
+      readOnly: true
+    - name: config
+      mountPath: /opt/etherpad/credentials.json
+      subPath: credentials.json
+      readOnly: true
+    ports:
+    - containerPort: 9001
+      hostPort: {{ item.value.port }}
+  - name: database
+    image: "mariadb:{{ item.value.database.version }}"
+    securityContext:
+      runAsUser: {{ etherpad_lite_db_uid }}
+      runAsGroup: {{ etherpad_lite_db_gid }}
+    resources:
+      limits:
+        memory: "4Gi"
+    env:
+    - name: MYSQL_RANDOM_ROOT_PASSWORD
+      value: "true"
+    - name: MYSQL_DATABASE
+      value: etherpad-lite
+    - name: MYSQL_USER
+      value: etherpad-lite
+    - name: MYSQL_PASSWORD
+      value: "{{ item.value.database.password }}"
+    volumeMounts:
+    - name: database
+      mountPath: /var/lib/mysql
+  volumes:
+  - name: config
+    hostPath:
+      path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/"
+      type: Directory
+  - name: database
+    hostPath:
+      path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+      type: Directory
-- 
cgit v1.2.3