diff --git a/bundles/hedgedoc/files/config.json b/bundles/hedgedoc/files/config.json
new file mode 100644
index 0000000..211f951
--- /dev/null
+++ b/bundles/hedgedoc/files/config.json
@@ -0,0 +1,3 @@
+<%
+ from bundlewrap.metadata import metadata_to_json
+%>${metadata_to_json(repo.libs.faults.resolve_faults(node.metadata.get('hedgedoc/config')))}
diff --git a/bundles/hedgedoc/files/hedgedoc.service b/bundles/hedgedoc/files/hedgedoc.service
new file mode 100644
index 0000000..37adb3c
--- /dev/null
+++ b/bundles/hedgedoc/files/hedgedoc.service
@@ -0,0 +1,47 @@
+[Unit]
+Description=HedgeDoc - The best platform to write and share markdown.
+Documentation=https://docs.hedgedoc.org/
+After=network.target
+# Uncomment if you use MariaDB/MySQL
+# After=mysql.service
+# Uncomment if you use PostgreSQL
+After=postgresql.service
+
+[Service]
+Type=exec
+Environment=NODE_ENV=production
+Restart=always
+RestartSec=2s
+ExecStart=/opt/hedgedoc/node_modules/yarn/bin/yarn start --production
+CapabilityBoundingSet=
+NoNewPrivileges=true
+PrivateDevices=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+# You may have to adjust these settings
+User=hedgedoc
+Group=hedgedoc
+WorkingDirectory=/opt/hedgedoc
+
+# Example: local storage for uploads and SQLite
+ReadWritePaths=/var/opt/hedgedoc
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/hedgedoc/items.py b/bundles/hedgedoc/items.py
new file mode 100644
index 0000000..69389a0
--- /dev/null
+++ b/bundles/hedgedoc/items.py
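Review bot: The `${metadata_to_json(...)}` line renders the whole `hedgedoc/config` subtree, which per metadata.py carries the vault-derived database password and `sessionSecret`, yet the `/opt/hedgedoc/config.json` file item in items.py sets no owner, group or mode, so the rendered secrets land with the file item's defaults (root-owned and, as far as I recall bundlewrap's defaults, world-readable). The service runs as `hedgedoc`, so the file only needs to be readable by that user; I would add `'owner': 'root',`, `'group': 'hedgedoc',` and `'mode': '0640',` to that file item. A template comment such as `## renders hedgedoc/config, including the DB password and sessionSecret - keep this file non-world-readable` would make the sensitivity visible to the next editor.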
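Review bot: `ProtectSystem=strict` makes `/opt/hedgedoc` read-only for the service, while items.py creates `/opt/hedgedoc/.yarn` owned by `hedgedoc` and makes `/opt/hedgedoc` that user's home, which suggests `yarn start` is expected to write its cache there at runtime; if so, those writes fail with EROFS under this unit, and the directory either needs listing, e.g. `ReadWritePaths=/var/opt/hedgedoc /opt/hedgedoc/.yarn`, or should not exist. `ProtectHome=true` only covers `/home`, `/root` and `/run/user`, so it is irrelevant to `/opt` either way. The upstream leftovers `# Uncomment if you use MariaDB/MySQL` and `# After=mysql.service` are dead in a PostgreSQL-only bundle and could go, and since `After=postgresql.service` only orders, a `Wants=postgresql.service` would stop `Restart=always` from papering over a database that was never started.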
@@ -0,0 +1,85 @@ +repo.libs.tools.require_bundle(node, 'nodejs') + +directories = { + '/opt/hedgedoc': {} +} + +git_deploy = { + '/opt/hedgedoc': { + 'rev': node.metadata.get('hedgedoc/version'), + 'repo': 'https://github.com/hedgedoc/hedgedoc.git', + 'needs': { + 'directory:/opt/hedgedoc', + }, + 'triggers': { + 'action:hedgedoc_yarn', + 'svc_systemd:hedgedoc:restart', + }, + }, +} + +files = { + '/opt/hedgedoc/config.json': { + 'content_type': 'mako', + 'needs': { + 'git_deploy:/opt/hedgedoc', + }, + 'triggers': { + 'svc_systemd:hedgedoc:restart', + }, + }, + '/etc/systemd/system/hedgedoc.service': { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:hedgedoc:restart', + }, + } +} + +directories = { + '/opt/hedgedoc': {}, + '/var/opt/hedgedoc': { + 'owner': 'hedgedoc', + 'group': 'hedgedoc', + }, + '/opt/hedgedoc/.yarn': { + 'owner': 'hedgedoc', + 'group': 'hedgedoc', + }, +} + +actions = { + 'hedgedoc_yarn': { + 'command': ' && '.join([ + 'cd /opt/hedgedoc', + 'npm install yarn', + 'node_modules/yarn/bin/yarn install --production=true --pure-lockfile', + 'node_modules/yarn/bin/yarn install', + 'node_modules/yarn/bin/yarn build', + ]), + 'needs': { + 'file:/opt/hedgedoc/config.json', + 'git_deploy:/opt/hedgedoc', + 'pkg_apt:nodejs', + }, + 'triggered': True, + }, +} + +svc_systemd = { + 'hedgedoc': { + 'needs': { + 'file:/opt/hedgedoc/config.json', + 'directory:/var/opt/hedgedoc', + 'directory:/opt/hedgedoc/.yarn', + 'action:hedgedoc_yarn', + 'postgres_db:hedgedoc', + }, + }, +} + +users = { + 'hedgedoc': { + 'home': '/opt/hedgedoc', + }, +} diff --git a/bundles/hedgedoc/metadata.py b/bundles/hedgedoc/metadata.py new file mode 100644 index 0000000..e35d845 --- /dev/null +++ b/bundles/hedgedoc/metadata.py 
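Review bot: In the `hedgedoc_yarn` action, `npm install yarn` pulls an unpinned yarn from the registry at deploy time, and the second `node_modules/yarn/bin/yarn install` runs without `--pure-lockfile`/`--frozen-lockfile`, so it may resolve afresh and rewrite `yarn.lock` instead of installing exactly what the checked-out tree pins; the preceding `yarn install --production=true --pure-lockfile` is overwritten by it and is effectively dead. I would pin yarn (`npm install yarn@<pinned version>`, or ship it via the nodejs bundle) and collapse the two installs into one `node_modules/yarn/bin/yarn install --frozen-lockfile` (the build step needs devDependencies, so `--production` cannot be used there). `git_deploy` takes `rev` from the `hedgedoc/version` tag name, which is mutable upstream; pinning the tag's commit hash (or verifying the signed tag) would close the remaining supply-chain gap, though what the project's `git_deploy` item supports is not visible here. Separately, `directories` is assigned twice in this file and the first `{'/opt/hedgedoc': {}}` literal is silently overwritten, so it should be removed.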
@@ -0,0 +1,129 @@ +defaults = { + 'backups': { + 'paths': { + '/var/opt/hedgedoc', + }, + }, + 'hedgedoc': { + 'config': { + "production": { + "loglevel": "info", + "hsts": { + "enable": False, + }, + "csp": { + "enable": True, + "directives": {}, + "upgradeInsecureRequests": "auto", + "addDefaults": True, + "addDisqus": False, + "addGoogleAnalytics": False + }, + "cookiePolicy": "lax", + "db": { + "username": "hedgedoc", + "password": repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)), + "database": "hedgedoc", + "host": "localhost", + "port": "5432", + "dialect": "postgres" + }, + 'imageUploadType': 'filesystem', + 'uploadsPath': '/var/opt/hedgedoc', + 'allowAnonymous': False, + 'allowFreeURL': True, + 'requireFreeURLAuthentication': True, + 'sessionSecret': repo.vault.password_for('{} hedgedoc sessionSecret'.format(node.name)), + 'allowEmailRegister': False, + 'protocolUseSSL': True, + }, + }, + }, + 'postgresql': { + 'roles': { + 'hedgedoc': { + 'password': repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)), + }, + }, + 'databases': { + 'hedgedoc': { + 'owner': 'hedgedoc', + }, + }, + }, + 'zfs': { + 'datasets': { + 'tank/hedgedoc': {}, + 'tank/hedgedoc/install': { + 'mountpoint': '/opt/hedgedoc', + 'needed_by': { + 'directory:/opt/hedgedoc', + }, + }, + 'tank/hedgedoc/uploads': { + 'mountpoint': '/var/opt/hedgedoc', + 'needed_by': { + 'directory:/var/opt/hedgedoc', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'icinga2_api/hedgedoc/services', +) +def icinga_check_for_new_release(metadata): + return { + 'icinga2_api': { + 'hedgedoc': { + 'services': { + 'HEDGEDOC UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release hedgedoc/hedgedoc {}'.format(metadata.get('hedgedoc/version')), + 'vars.notification.mail': True, + 'check_interval': '60m', + }, + }, + }, + }, + } + + +@metadata_reactor.provides( + 'nginx/vhosts', +) +def nginx(metadata): + if not 
node.has_bundle('nginx'): + raise DoNotRunAgain + + locations = { + '/': { + 'target': 'http://127.0.0.1:3000', + 'proxy_set_header': { + 'X-Real-IP': '$remote_addr', + }, + }, + '/socket.io/': { + 'target': 'http://127.0.0.1:3000', + 'websockets': True, + 'proxy_set_header': { + 'X-Real-IP': '$remote_addr', + }, + }, + } + + vhosts = { + 'hedgedoc': { + 'domain': metadata.get('hedgedoc/config/production/domain'), + 'locations': locations, + 'website_check_path': '/', + 'website_check_string': 'HedgeDoc', + }, + } + + return { + 'nginx': { + 'vhosts': vhosts + }, + } diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index fed24e4..e93e59c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -4,6 +4,7 @@ nodes['htz-cloud.miniserver'] = { 'bundles': { 'element-web', + 'hedgedoc', 'matrix-dimension', 'matrix-media-repo', 'matrix-synapse', @@ -81,6 +82,14 @@ nodes['htz-cloud.miniserver'] = { }, }, }, + 'hedgedoc': { + 'version': '1.8.2', + 'config': { + 'production': { + 'domain': 'pad.sophies-kitchen.eu', + }, + }, + }, 'icinga_options': { 'pretty_name': 'sophies-kitchen.eu', 'vars.notification.sms': False,
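Review bot: The `nginx` reactor forwards only `X-Real-IP` to HedgeDoc on `127.0.0.1:3000`, while the config sets `protocolUseSSL: True` (which, if HedgeDoc marks its session cookie `secure` when that is on, as I believe it does, means the app must learn from the proxy that the request came in over TLS); unless the nginx bundle injects them by default, I would add `'X-Forwarded-Proto': '$scheme',` and `'X-Forwarded-For': '$proxy_add_x_forwarded_for',` to both `proxy_set_header` dicts so HedgeDoc sees the real scheme and client chain. `hsts.enable` is `False` although the site is TLS-only; if the nginx vhost does not emit `Strict-Transport-Security` itself, that should be `True` here. `metadata.get('hedgedoc/config/production/domain')` raises when a node enables the bundle without a domain, which is an acceptable failure, but a comment on the vhost dict such as `# domain must be set per node under hedgedoc/config/production/domain` would save the next person a traceback.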