bundlewrap/bundles/hedgedoc/metadata.py
Sophie Schiller eef463afbd
hedgedoc: forbid access to metrics and stats
2021-11-09 11:58:11 +01:00


# Static metadata defaults for the hedgedoc bundle: backup paths, the HedgeDoc
# production config, the PostgreSQL role/database it uses, and the ZFS
# datasets backing the install and upload directories.
defaults = {
    'backups': {
        'paths': {
            # Same directory as 'uploadsPath' below, so uploaded files are backed up.
            '/var/opt/hedgedoc',
        },
    },
    'hedgedoc': {
        'config': {
            'production': {
                'loglevel': 'info',
                # NOTE(review): HSTS is switched off in the application while
                # 'protocolUseSSL' is True; presumably the fronting nginx vhost
                # sends the header instead - confirm, otherwise no HSTS is set.
                'hsts': {
                    'enable': False,
                },
                # CSP is on with HedgeDoc's default directives; framing, PDF
                # embeds, Disqus and Google Analytics sources are all disabled.
                'csp': {
                    'enable': True,
                    'directives': {},
                    'addDefaults': True,
                    'addDisqus': False,
                    'addGoogleAnalytics': False,
                    'upgradeInsecureRequests': 'auto',
                    # NOTE(review): this is the string 'undefined', not None.
                    # Confirm the deployed HedgeDoc version treats it as "no
                    # report URI" rather than emitting it as the report target.
                    'reportURI': 'undefined',
                    'allowFraming': False,
                    'allowPDFEmbed': False,
                },
                'cookiePolicy': 'lax',
                'db': {
                    'username': 'hedgedoc',
                    # No literal secret in the repository: the password comes
                    # from repo.vault.password_for() with an identifier built
                    # from the node name. The postgresql role below uses the
                    # identical identifier, so both sides must agree.
                    'password': repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)),
                    'database': 'hedgedoc',
                    # Database is reached on the local host only.
                    'host': 'localhost',
                    'port': '5432',
                    'dialect': 'postgres'
                },
                'imageUploadType': 'filesystem',
                'uploadsPath': '/var/opt/hedgedoc',
                # Access policy: no anonymous use and no e-mail self-registration.
                # Free-form note URLs are allowed but only for authenticated users.
                # Which login methods remain enabled is not set in these defaults.
                'allowAnonymous': False,
                'allowFreeURL': True,
                'requireFreeURLAuthentication': True,
                # Session signing secret, also taken from the vault per node.
                'sessionSecret': repo.vault.password_for('{} hedgedoc sessionSecret'.format(node.name)),
                'allowEmailRegister': False,
                'protocolUseSSL': True,
            },
        },
    },
    'postgresql': {
        'roles': {
            'hedgedoc': {
                # Must stay identical to hedgedoc/config/production/db/password above.
                'password': repo.vault.password_for('{} postgresql hedgedoc'.format(node.name)),
            },
        },
        'databases': {
            'hedgedoc': {
                'owner': 'hedgedoc',
            },
        },
    },
    'zfs': {
        'datasets': {
            'tank/hedgedoc': {},
            # Application install tree.
            'tank/hedgedoc/install': {
                'mountpoint': '/opt/hedgedoc',
                'needed_by': {
                    'directory:/opt/hedgedoc',
                },
            },
            # User uploads; same path as 'uploadsPath' and the backup path.
            'tank/hedgedoc/uploads': {
                'mountpoint': '/var/opt/hedgedoc',
                'needed_by': {
                    'directory:/var/opt/hedgedoc',
                },
            },
        },
    },
}
# Only when the node also carries the telegraf bundle: poll HedgeDoc's /status
# (JSON) and /metrics (Prometheus format) endpoints.
# Both URLs go straight to the application on 127.0.0.1:3000 over plain HTTP,
# not through nginx, so the 403 locations the nginx reactor in this file
# defines for /metrics and /status do not affect this collection.
# NOTE(review): the endpoints therefore stay enabled in HedgeDoc itself; the
# nginx block only helps if port 3000 is not reachable from other hosts -
# confirm the listen address or firewall rules, neither is set in this file.
if node.has_bundle('telegraf'):
    defaults['telegraf'] = {
        'input_plugins': {
            'builtin': {
                'http': [{
                    'urls': [
                        'http://127.0.0.1:3000/status'
                    ],
                    'data_format': 'json',
                    'name_override': 'hedgedoc_status',
                }],
                'prometheus': [{
                    'urls': [
                        'http://127.0.0.1:3000/metrics'
                    ],
                    'name_override': 'hedgedoc_metrics',
                    'metric_version': 2,
                }],
            },
        },
    }
@metadata_reactor.provides(
    'icinga2_api/hedgedoc/services',
)
def icinga_check_for_new_release(metadata):
    """Provide the icinga2 'HEDGEDOC UPDATE' service definition.

    The check command runs on the monitored host and is given the value of
    the 'hedgedoc/version' metadata key as its last argument. The service
    notifies by mail and has a check interval of 60 minutes.
    """
    installed_version = metadata.get('hedgedoc/version')
    # NOTE(review): the version is interpolated into the command line without
    # quoting. It comes from repository metadata, not from users; if the
    # consumer passes this string to a shell, keep 'hedgedoc/version' limited
    # to a plain version string.
    check_command = '/usr/local/share/icinga/plugins/check_github_for_new_release hedgedoc/hedgedoc {}'.format(installed_version)

    update_service = {
        'command_on_monitored_host': check_command,
        'vars.notification.mail': True,
        'check_interval': '60m',
    }
    services = {'HEDGEDOC UPDATE': update_service}

    return {
        'icinga2_api': {
            'hedgedoc': {
                'services': services,
            },
        },
    }
@metadata_reactor.provides(
    'nginx/vhosts',
)
def nginx(metadata):
    """Provide the nginx vhost that fronts HedgeDoc.

    Proxies '/' and '/socket.io/' (with websockets) to the application on
    127.0.0.1:3000 and answers '/metrics' and '/status' with 403 so they are
    not served through this vhost.

    Raises:
        DoNotRunAgain: when the node does not have the nginx bundle.
    """
    if not node.has_bundle('nginx'):
        raise DoNotRunAgain

    upstream = 'http://127.0.0.1:3000'

    def client_ip_header():
        # Built fresh per location. X-Real-IP is set from nginx's own
        # $remote_addr, i.e. the address nginx saw the connection from.
        return {'X-Real-IP': '$remote_addr'}

    def denied():
        # Fresh dict per location; rendered by the nginx bundle as a 403.
        return {'return': 'forbidden', 'mode': 403}

    locations = {}
    locations['/'] = {
        'target': upstream,
        'proxy_set_header': client_ip_header(),
    }
    locations['/socket.io/'] = {
        'target': upstream,
        'websockets': True,
        'proxy_set_header': client_ip_header(),
    }
    # Monitoring endpoints are refused at the proxy only; the application
    # still serves them on port 3000 itself.
    # NOTE(review): how these keys become nginx location blocks (prefix vs.
    # exact, case handling) depends on the nginx bundle's template. Confirm
    # the match is at least as broad as what the upstream router accepts for
    # these two paths, and that port 3000 is not reachable from other hosts.
    locations['/metrics'] = denied()
    locations['/status'] = denied()

    hedgedoc_vhost = {
        'domain': metadata.get('hedgedoc/config/production/domain'),
        'locations': locations,
        'website_check_path': '/',
        'website_check_string': 'HedgeDoc',
    }

    return {
        'nginx': {
            'vhosts': {
                'hedgedoc': hedgedoc_vhost,
            },
        },
    }