Update to 2021-03-19 14:00

3 years ago · cd5c73586b
parent d54f0f244d
commit cd5c73586b
22 changed files with 396 additions and 4 deletions
--- a/roles/documize/defaults/main.yml
+++ b/roles/documize/defaults/main.yml
@ -0,0 +1,35 @@
+---
+
+# Version of cocumize to deploy
+documize_version: 3.8.2
+# URL of the binary to install
+documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
+# Expected sha1 of the binary
+documize_bin_sha1: 5378947731dcd1ce8be28710573201632f6186f9
+
+# Should documize handle upgrades or only initial install ?
+documize_manage_upgrade: True
+
+# Root directory where documize will be installed
+documize_root_dir: /opt/documize
+
+# User under which documize will run
+documize_user: documize
+
+# port on which documize will listen
+documize_port: 5001
+
+# List of IP / CIDR allowed to access documize port
+documize_src_ip: []
+
+# Database settings
+documize_db_engine: 'mysql'
+documize_db_server: "{{ (documize_db_engine == 'postgres') | ternary(pg_server,mysql_server) | default('localhost') }}"
+documize_db_port: "{{ (documize_db_engine == 'postgres') | ternary('5432','3306') }}"
+documize_db_user: documize
+documize_db_name: documize
+# If password is not defined, a random one will be generated and stored in meta/ansible_dbpass
+# documize_db_pass: S3Cr3t.
+
+# Salt for documize. A random one will be generated if not defined
+# documize_salt: tsu3Acndky8cdTNx3
--- a/roles/documize/handlers/main.yml
+++ b/roles/documize/handlers/main.yml
@ -0,0 +1,5 @@
+---
+
+- name: restart documize
+  service: name=documize state=restarted
+  when: not documize_started.changed
--- a/roles/documize/meta/main.yml
+++ b/roles/documize/meta/main.yml
@ -0,0 +1,8 @@
+---
+
+allow_duplicates: True
+dependencies:
+  - role: mysql_server
+    when: documize_db_engine == 'mysql' and documize_db_server in ['127.0.0.1','localhost']
+  - role: postgresql_server
+    when: documize_db_engine == 'postgres' and documize_db_server in ['127.0.0.1','localhost']
--- a/roles/documize/tasks/archive_post.yml
+++ b/roles/documize/tasks/archive_post.yml
@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ documize_root_dir }}/archives/{{ documize_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ documize_root_dir }}/archives/{{ documize_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+  tags: documize
--- a/roles/documize/tasks/archive_pre.yml
+++ b/roles/documize/tasks/archive_pre.yml
@ -0,0 +1,40 @@
+---
+
+- name: Create the archive dir
+  file: path={{ documize_root_dir }}/archives/{{ documize_current_version }} state=directory
+  tags: documize
+
+- name: Backup previous version
+  copy: src={{ documize_root_dir }}/bin/documize dest={{ documize_root_dir }}/archives/{{ documize_current_version }}/ remote_src=True
+  tags: documize
+
+- name: Backup the database
+  command: >
+    /usr/pgsql-13/bin/pg_dump
+    --clean
+    --host={{ documize_db_server }}
+    --port={{ documize_db_port }}
+    --username={{ documize_db_user }}
+    {{ documize_db_name }}
+    --file={{ documize_root_dir }}/archives/{{ documize_current_version }}/{{ documize_db_name }}.sql
+  environment:
+    - PGPASSWORD: "{{ documize_db_pass }}"
+  when: documize_db_engine == 'postgres'
+  tags: documize
+
+- name: Archive the database
+  mysql_db:
+    state: dump
+    name: "{{ documize_db_name }}"
+    target: "{{ documize_root_dir }}/archives/{{ documize_current_version }}/{{ documize_db_name }}.sql.xz"
+    login_host: "{{ documize_db_server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  environment:
+    XZ_OPT: -T0
+  when: documize_db_engine == 'mysql'
+  tags: documize
+
+
--- a/roles/documize/tasks/cleanup.yml
+++ b/roles/documize/tasks/cleanup.yml
@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ documize_root_dir }}/archives/{{ documize_current_version }}"
+  tags: documize
--- a/roles/documize/tasks/conf.yml
+++ b/roles/documize/tasks/conf.yml
@ -0,0 +1,6 @@
+---
+
+- name: Deploy documize configuration
+  template: src=documize.conf.j2 dest={{ documize_root_dir }}/etc/documize.conf group={{ documize_user }} mode=640
+  notify: restart documize
+  tags: documize
--- a/roles/documize/tasks/directories.yml
+++ b/roles/documize/tasks/directories.yml
@ -0,0 +1,18 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ documize_root_dir }}"
+    - dir: "{{ documize_root_dir }}/tmp"
+    - dir: "{{ documize_root_dir }}/bin"
+    - dir: "{{ documize_root_dir }}/etc"
+      group: "{{ documize_user }}"
+      mode: 750
+    - dir: "{{ documize_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ documize_root_dir }}/backup"
+      mode: 700
+    - dir: "{{ documize_root_dir }}/archives"
+      mode: 700
+  tags: documize
--- a/roles/documize/tasks/facts.yml
+++ b/roles/documize/tasks/facts.yml
@ -0,0 +1,33 @@
+---
+
+# Detect installed version (if any)
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ documize_root_dir }}"
+        - version: "{{ documize_version }}"
+    - set_fact: documize_install_mode={{ (install_mode == 'upgrade' and not documize_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: documize_current_version={{ current_version | default('') }}
+  tags: documize
+
+# Create a random pass for the DB if needed
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ documize_root_dir }}/meta/ansible_db_pass"
+        - complex: False
+    - set_fact: documize_db_pass={{ rand_pass }}
+  when: documize_db_pass is not defined
+  tags: documize
+
+# Create a random salt if needed
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ documize_root_dir }}/meta/ansible_salt"
+        - complex: False
+        - pass_size: 17
+    - set_fact: documize_salt={{ rand_pass }}
+  when: documize_salt is not defined
+  tags: documize
+
--- a/roles/documize/tasks/install.yml
+++ b/roles/documize/tasks/install.yml
@ -0,0 +1,71 @@
+---
+
+- name: Install needed tools
+  package:
+    name:
+      - tar
+      - zstd
+      - postgresql13
+  tags: documize
+
+- name: Download documize
+  get_url:
+    url: "{{ documize_bin_url }}"
+    dest: "{{ documize_root_dir }}/bin/documize"
+    checksum: sha1:{{ documize_bin_sha1 }}
+    mode: 755
+  when: documize_install_mode != 'none'
+  notify: restart documize
+  tags: documize
+
+- name: Install systemd unit
+  template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
+  register: documize_unit
+  tags: documize
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: documize_unit.changed
+  tags: documize
+
+- when: documize_db_engine == 'postgres'
+  block:
+    - name: Create the PostgreSQL role
+      postgresql_user:
+        db: postgres
+        name: "{{ miniflux_db_user }}"
+        password: "{{ miniflux_db_pass }}"
+        login_host: "{{ miniflux_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+    
+    - name: Create the PostgreSQL database
+      postgresql_db:
+        name: "{{ miniflux_db_name }}"
+        encoding: UTF-8
+        lc_collate: C
+        lc_ctype: C
+        template: template0
+        owner: "{{ miniflux_db_user }}"
+        login_host: "{{ miniflux_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+
+  tags: miniflux
+
+  # Create MySQL database
+- when: documize_db_engine == 'mysql'
+  import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ documize_db_name }}"
+    - db_user: "{{ documize_db_user }}"
+    - db_server: "{{ documize_db_server }}"
+    - db_pass: "{{ documize_db_pass }}"
+  tags: documize
+
+- name: Deploy backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/documize mode=700
+  loop:
+    - pre
+    - post
+  tags: documize
--- a/roles/documize/tasks/iptables.yml
+++ b/roles/documize/tasks/iptables.yml
@ -0,0 +1,8 @@
+---
+
+- name:  Handle documize port in the firewall
+  iptables_raw:
+    name: documize_port
+    state: "{{ (documize_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ documize_port }} -s {{ documize_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,documize
--- a/roles/documize/tasks/main.yml
+++ b/roles/documize/tasks/main.yml
@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: documize_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: documize_install_mode == 'upgrade'
+- include: cleanup.yml
--- a/roles/documize/tasks/services.yml
+++ b/roles/documize/tasks/services.yml
@ -0,0 +1,7 @@
+---
+
+- name: Start and enable the service
+  service: name=documize state=started enabled=True
+  register: documize_started
+  tags: documize
+
--- a/roles/documize/tasks/user.yml
+++ b/roles/documize/tasks/user.yml
@ -0,0 +1,5 @@
+---
+
+- name: Create user account
+  user: name={{ documize_user }} system=True shell=/sbin/nologin home={{ documize_root_dir }}
+  tags: documize
--- a/roles/documize/tasks/write_version.yml
+++ b/roles/documize/tasks/write_version.yml
@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+  copy: content={{ documize_version }} dest={{ documize_root_dir }}/meta/ansible_version
+  tags: documize
--- a/roles/documize/templates/documize.conf.j2
+++ b/roles/documize/templates/documize.conf.j2
@ -0,0 +1,15 @@
+[http]
+port = {{ documize_port }}
+
+[database]
+{% if documize_db_engine == 'mysql' %}
+type = "mysql"
+connection = "{{ documize_db_user }}:{{ documize_db_pass }}@tcp({{ documize_db_server }}:{{ documize_db_port }})/{{ documize_db_name }}"
+{% elif documize_db_engine == 'postgres' %}
+type = "postgresql"
+connection = "host={{ documize_db_server }} port={{ documize_db_port }} dbname={{ documize_db_name }} user={{ documize_db_user }} password={{ documize_db_pass }} sslmode=disable"
+{% endif %}
+salt = "{{ documize_salt }}"
+
+[install]
+location = "selfhost"
--- a/roles/documize/templates/documize.service.j2
+++ b/roles/documize/templates/documize.service.j2
@ -0,0 +1,23 @@
+[Unit]
+Description=Documize Documentation Manager
+After=network.target postgresql.service mariadb.service
+
+[Service]
+Type=simple
+User={{ documize_user }}
+ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+ReadWritePaths=/run
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/documize/templates/post-backup.j2
+++ b/roles/documize/templates/post-backup.j2
@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ documize_root_dir }}/backup/*
--- a/roles/documize/templates/pre-backup.j2
+++ b/roles/documize/templates/pre-backup.j2
@ -0,0 +1,23 @@
+#!/bin/bash -e
+
+{% if documize_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if documize_db_server not in ['127.0.0.1','localhost'] %}
+  --user={{ documize_db_user | quote }} \
+  --password={{ documize_db_pass | quote }} \
+  --host={{ documize_db_server | quote }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ documize_db_name | quote }} | zstd -c > "{{ documize_root_dir }}/backup/{{ documize_db_name }}.sql.zst"
+{% elif documize_db_engine == 'postgres' %}
+{% if documize_db_server not in ['127.0.0.1','localhost'] %}
+PGPASSWORD='{{ documize_db_pass }}' /usr/pgsql-13/bin/pg_dump \
+  --clean \
+  --username={{ documize_db_user | quote }} \
+  --host={{ documize_db_server | quote }} \
+  {{ documize_db_name | quote }} | \
+{% else %}
+su - postgres -c "/usr/pgsql-13/bin/pg_dump --clean {{ documize_db_name | quote }}" | \
+{% endif %}
+  zstd -c > "{{ documize_root_dir }}/backup/{{ documize_db_name }}.sql.zst"
+{% endif %}
--- a/roles/mysql_server/tasks/main.yml
+++ b/roles/mysql_server/tasks/main.yml
@ -13,10 +13,17 @@
  tags: mysql

 - name: Deploy backup scripts
-  template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.hook }}.d/{{ item.script }} mode=755
-  with_items:
-    - { script: 'mariadb_create_dumps.sh', hook: pre }
-    - { script: 'mariadb_delete_dumps.sh', hook: post }
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mariadb mode=755
+  loop:
+    - pre
+    - post
+  tags: mysql
+
+- name: Remove old backup hooks
+  file: path=/etc/backup/{{ item }} state=absent
+  loop:
+    - pre.d/mariadb_create_dumps.sh
+    - post.d/mariadb_delete_dumps.sh
  tags: mysql

 - name: Create system override directory
--- a/roles/mysql_server/templates/post-backup.j2
+++ b/roles/mysql_server/templates/post-backup.j2
@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+{% if mysql_remove_dump_after_backup | default(True) %}
+rm -f /home/lbkp/mysql/*.sql*
+{% endif %}
--- a/roles/mysql_server/templates/pre-backup.j2
+++ b/roles/mysql_server/templates/pre-backup.j2
@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+# Get the .my.cnf from root
+HOME=/root
+PATH=/usr/bin:$PATH
+DEST=/home/lbkp/mysql
+
+[ -d $DEST ] || mkdir -p $DEST
+
+for DB in $(/usr/bin/mysqlshow | /bin/awk '{print $2}' | /bin/grep -v Databases)
+do
+{% for db in mysql_skip_backup %}
+  # {{ db }} is configured not to be backed up
+  if [[ "$DB" == "{{ db }}" ]]; then
+    continue
+  fi
+{% endfor %}
+{% if mysql_compress_cmd %}
+{% if mysql_compress_cmd is search('p?xz') %}
+{% set compext = 'xz' %}
+{% elif mysql_compress_cmd is search('p?bzip2') %}
+{% set compext = 'bz2' %}
+{% elif mysql_compress_cmd is search('(pi)?gz') %}
+{% set compext = 'gz' %}
+{% elif mysql_compress_cmd is search('lzop') %}
+{% set compext = 'lzo' %}
+{% elif mysql_compress_cmd is search('lz4') %}
+{% set compext = 'lz4' %}
+{% elif mysql_compress_cmd is search('zstd') %}
+{% set compext = 'zst' %}
+{% else %}
+{% set compext = 'z' %}
+{% endif %}
+  /usr/bin/mysqldump --ignore-table=mysql.event --single-transaction --add-drop-table $DB | /bin/nice -n 10 {{ mysql_compress_cmd }} > $DEST/$DB.sql.{{ compext }}
+{% else %}
+  /usr/bin/mysqldump --ignore-table=mysql.event --single-transaction --add-drop-table $DB -r $DEST/$DB.sql
+{% endif %}
+done