bundles/hedgedoc add new bundle

Sophie Schiller 2021-09-11 19:47:28 +02:00
parent 25d7657e7d
commit 478a8da9f4
3 changed files with 264 additions and 0 deletions


@ -0,0 +1,47 @@
[Unit]
Description=HedgeDoc - The best platform to write and share markdown.
Documentation=https://docs.hedgedoc.org/
After=network.target
# Uncomment if you use MariaDB/MySQL
# After=mysql.service
# Uncomment if you use PostgreSQL
After=postgresql.service
[Service]
Type=exec
Environment=NODE_ENV=production
Restart=always
RestartSec=2s
ExecStart=/opt/hedgedoc/node_modules/yarn/bin/yarn start --production
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateDevices=true
RemoveIPC=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=noaccess
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# You may have to adjust these settings
User=hedgedoc
Group=hedgedoc
WorkingDirectory=/opt/hedgedoc
# Example: local storage for uploads and SQLite
ReadWritePaths=/var/opt/hedgedoc
[Install]
WantedBy=multi-user.target
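Review bot: `ProtectSystem=strict` combined with `ReadWritePaths=/var/opt/hedgedoc` leaves everything under /opt/hedgedoc read-only for the service, including the /opt/hedgedoc/.yarn directory that items.py in this commit creates with owner hedgedoc. If `yarn start` writes to that directory at runtime (not verifiable from this page), the service may fail or log errors under this sandbox. Either list it explicitly, `ReadWritePaths=/var/opt/hedgedoc /opt/hedgedoc/.yarn`, or drop the hedgedoc ownership in items.py so the install tree stays immutable to the service account. The comment `# Uncomment if you use PostgreSQL` above the already active `After=postgresql.service` is also stale, since the bundle depends on `postgres_db:hedgedoc`; I would reword it to `# This bundle always uses PostgreSQL`.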

87
bundles/hedgedoc/items.py Normal file

@ -0,0 +1,87 @@
from bundlewrap.metadata import metadata_to_json
repo.libs.tools.require_bundle(node, 'nodejs')
directories = {
'/opt/hedgedoc': {}
}
git_deploy = {
'/opt/hedgedoc': {
'rev': node.metadata.get('hedgedoc/version'),
'repo': 'https://github.com/hedgedoc/hedgedoc.git',
'needs': {
'directory:/opt/hedgedoc',
},
'triggers': {
'action:hedgedoc_yarn',
'svc_systemd:hedgedoc:restart',
},
},
}
files = {
'/opt/hedgedoc/config.json': {
'content': metadata_to_json(node.metadata.get('hedgedoc/config')),
'needs': {
'git_deploy:/opt/hedgedoc',
},
'triggers': {
'svc_systemd:hedgedoc:restart',
},
},
'/etc/systemd/system/hedgedoc.service': {
'triggers': {
'action:systemd-reload',
'svc_systemd:hedgedoc:restart',
},
}
}
directories = {
'/opt/hedgedoc': {},
'/var/opt/hedgedoc': {
'owner': 'hedgedoc',
'group': 'hedgedoc',
},
'/opt/hedgedoc/.yarn': {
'owner': 'hedgedoc',
'group': 'hedgedoc',
},
}
actions = {
'hedgedoc_yarn': {
'command': ' && '.join([
'cd /opt/hedgedoc',
'npm install yarn',
'node_modules/yarn/bin/yarn install --production=true --pure-lockfile',
'node_modules/yarn/bin/yarn install',
'node_modules/yarn/bin/yarn build',
]),
'needs': {
'file:/opt/hedgedoc/config.json',
'git_deploy:/opt/hedgedoc',
'pkg_apt:nodejs',
},
'triggered': True,
},
}
svc_systemd = {
'hedgedoc': {
'needs': {
'file:/opt/hedgedoc/config.json',
'directory:/var/opt/hedgedoc',
'directory:/opt/hedgedoc/.yarn',
'action:hedgedoc_yarn',
'postgres_db:hedgedoc',
},
},
}
users = {
'hedgedoc': {
'home': '/opt/hedgedoc',
},
}
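Review bot: The `/opt/hedgedoc/config.json` item in `files` sets no `owner`, `group` or `mode`, so it gets bundlewrap's file defaults (root-owned, mode 0644 unless the repo overrides them), while the rendered `hedgedoc/config` metadata contains the PostgreSQL password and `sessionSecret`. Any local account could then read both secrets; I would add `'owner': 'root', 'group': 'hedgedoc', 'mode': '0640',` to that item so only the service group can read it. Separately, the `hedgedoc_yarn` action runs an unpinned `npm install yarn` and then a second `yarn install` without `--pure-lockfile`, presumably as the account bundlewrap connects with, so dependency install scripts run with that account's privileges and yarn.lock in the checkout can be rewritten. Using `--frozen-lockfile` on every install would make lockfile drift fail instead of silently resolving new versions. `directories` is also assigned twice, and the first assignment is dead.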


@ -0,0 +1,130 @@
defaults = {
'backups': {
'paths': {
'/var/opt/hedgedoc',
},
},
'hedgedoc': {
'config': {
"production": {
"loglevel": "info",
"hsts": {
"enable": False,
},
"csp": {
"enable": True,
"directives": {
},
"upgradeInsecureRequests": "auto",
"addDefaults": True,
"addDisqus": False,
"addGoogleAnalytics": False
},
"cookiePolicy": "lax",
"db": {
"username": "hedgedoc",
"password": repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)),
"database": "hedgedoc",
"host": "localhost",
"port": "5432",
"dialect": "postgres"
},
'imageUploadType': 'filesystem',
'uploadsPath': '/var/opt/hedgedoc',
'allowAnonymous': False,
'allowFreeURL': True,
'requireFreeURLAuthentication': True,
'sessionSecret': repo.vault.password_for('{} hedgedoc sessionSecret'.format(node.name)),
'allowEmailRegister': False,
'protocolUseSSL': True,
},
},
},
'postgresql': {
'roles': {
'hedgedoc': {
'password': repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)),
},
},
'databases': {
'hedgedoc': {
'owner': 'hedgedoc',
},
},
},
'zfs': {
'datasets': {
'tank/hedgedoc': {},
'tank/hedgedoc/install': {
'mountpoint': '/opt/hedgedoc',
'needed_by': {
'directory:/opt/hedgedoc',
},
},
'tank/hedgedoc/uploads': {
'mountpoint': '/var/opt/hedgedoc',
'needed_by': {
'directory:/var/opt/hedgedoc',
},
},
},
},
}
@metadata_reactor.provides(
'icinga2_api/hedgedoc/services',
)
def icinga_check_for_new_release(metadata):
return {
'icinga2_api': {
'hedgedoc': {
'services': {
'HEDGEDOC UPDATE': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release hedgedoc/hedgedoc {}'.format(metadata.get('hedgedoc/version')),
'vars.notification.mail': True,
'check_interval': '60m',
},
},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
if not node.has_bundle('nginx'):
raise DoNotRunAgain
locations = {
'/': {
'target': 'http://127.0.0.1:3000',
'proxy_set_header': {
'X-Real-IP': '$remote_addr',
},
},
'/socket.io/': {
'target': 'http://127.0.0.1:3000',
'websockets': True,
'proxy_set_header': {
'X-Real-IP': '$remote_addr',
},
},
}
vhosts = {
'hedgedoc': {
'domain': metadata.get('hedgedoc/config/production/domain'),
'locations': locations,
'website_check_path': '/_matrix/static/',
'website_check_string': 'Synapse is running',
},
}
return {
'nginx': {
'vhosts': vhosts
},
}
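Review bot: The `hedgedoc` vhost built in `nginx()` carries `'website_check_path': '/_matrix/static/'` and `'website_check_string': 'Synapse is running'`, which look copied from a Matrix Synapse bundle. HedgeDoc will not return that string, so the website check would stay failing and could not show whether the service is actually up. Replace both with a path and marker string HedgeDoc really serves, e.g. `'website_check_path': '/'` plus a string from its landing page (value to be confirmed against a running instance). In `defaults`, `'hsts': {'enable': False}` next to `'protocolUseSSL': True` is only safe if the nginx vhost adds the `Strict-Transport-Security` header itself, which this page does not show; a comment stating where HSTS is set would help.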