diff --git a/roles/documize/defaults/main.yml b/roles/documize/defaults/main.yml
new file mode 100644
index 0000000..a16ed95
--- /dev/null
+++ b/roles/documize/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+
+# Version of cocumize to deploy
+documize_version: 3.8.2
+# URL of the binary to install
+documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
+# Expected sha1 of the binary
+documize_bin_sha1: 5378947731dcd1ce8be28710573201632f6186f9
+
+# Should documize handle upgrades or only initial install ?
+documize_manage_upgrade: True
+
+# Root directory where documize will be installed
+documize_root_dir: /opt/documize
+
+# User under which documize will run
+documize_user: documize
+
+# port on which documize will listen
+documize_port: 5001
+
+# List of IP / CIDR allowed to access documize port
+documize_src_ip: []
+
+# Database settings
+documize_db_engine: 'mysql'
+documize_db_server: "{{ (documize_db_engine == 'postgres') | ternary(pg_server,mysql_server) | default('localhost') }}"
+documize_db_port: "{{ (documize_db_engine == 'postgres') | ternary('5432','3306') }}"
+documize_db_user: documize
+documize_db_name: documize
+# If password is not defined, a random one will be generated and stored in meta/ansible_dbpass
+# documize_db_pass: S3Cr3t.
+
+# Salt for documize. A random one will be generated if not defined
+# documize_salt: tsu3Acndky8cdTNx3
diff --git a/roles/documize/handlers/main.yml b/roles/documize/handlers/main.yml
new file mode 100644
index 0000000..4ad147b
--- /dev/null
+++ b/roles/documize/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart documize
+ service: name=documize state=restarted
+ when: not documize_started.changed
diff --git a/roles/documize/meta/main.yml b/roles/documize/meta/main.yml
new file mode 100644
index 0000000..9eac46c
--- /dev/null
+++ b/roles/documize/meta/main.yml
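Review bot: `documize_bin_sha1` pins the binary downloaded from GitHub with SHA-1 (install.yml feeds it to get_url as `checksum: sha1:...`); SHA-1 is no longer collision-resistant, so for the integrity of a network-fetched executable a SHA-256 pin (`checksum: sha256:...`, which get_url supports) is the stronger choice, provided the reference value is taken from a trusted source. `documize_manage_upgrade: True` is the YAML 1.1 boolean spelling; `true` is the portable form. The comment above `documize_db_pass` names `meta/ansible_dbpass` while facts.yml writes `meta/ansible_db_pass`, and `# Version of cocumize to deploy` has a typo.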
@@ -0,0 +1,8 @@
+---
+
+allow_duplicates: True
+dependencies:
+ - role: mysql_server
+ when: documize_db_engine == 'mysql' and documize_db_server in ['127.0.0.1','localhost']
+ - role: postgresql_server
+ when: documize_db_engine == 'postgres' and documize_db_server in ['127.0.0.1','localhost']
diff --git a/roles/documize/tasks/archive_post.yml b/roles/documize/tasks/archive_post.yml
new file mode 100644
index 0000000..cc23f14
--- /dev/null
+++ b/roles/documize/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ documize_root_dir }}/archives/{{ documize_current_version }}.tar.zst --use-compress-program=zstd ./
+ args:
+ chdir: "{{ documize_root_dir }}/archives/{{ documize_current_version }}"
+ warn: False
+ environment:
+ ZSTD_CLEVEL: 10
+ tags: documize
diff --git a/roles/documize/tasks/archive_pre.yml b/roles/documize/tasks/archive_pre.yml
new file mode 100644
index 0000000..ff6f100
--- /dev/null
+++ b/roles/documize/tasks/archive_pre.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Create the archive dir
+ file: path={{ documize_root_dir }}/archives/{{ documize_current_version }} state=directory
+ tags: documize
+
+- name: Backup previous version
+ copy: src={{ documize_root_dir }}/bin/documize dest={{ documize_root_dir }}/archives/{{ documize_current_version }}/ remote_src=True
+ tags: documize
+
+- name: Backup the database
+ command: >
+ /usr/pgsql-13/bin/pg_dump
+ --clean
+ --host={{ documize_db_server }}
+ --port={{ documize_db_port }}
+ --username={{ documize_db_user }}
+ {{ documize_db_name }}
+ --file={{ documize_root_dir }}/archives/{{ documize_current_version }}/{{ documize_db_name }}.sql
+ environment:
+ - PGPASSWORD: "{{ documize_db_pass }}"
+ when: documize_db_engine == 'postgres'
+ tags: documize
+
+- name: Archive the database
+ mysql_db:
+ state: dump
+ name: "{{ documize_db_name }}"
+ target: "{{ documize_root_dir }}/archives/{{ documize_current_version }}/{{ documize_db_name }}.sql.xz"
+ login_host: "{{ documize_db_server | default(mysql_server) }}"
+ login_user: sqladmin
+ login_password: "{{ mysql_admin_pass }}"
+ quick: True
+ single_transaction: True
+ environment:
+ XZ_OPT: -T0
+ when: documize_db_engine == 'mysql'
+ tags: documize
+
+
diff --git a/roles/documize/tasks/cleanup.yml b/roles/documize/tasks/cleanup.yml
new file mode 100644
index 0000000..5f2933e
--- /dev/null
+++ b/roles/documize/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ documize_root_dir }}/archives/{{ documize_current_version }}"
+ tags: documize
diff --git a/roles/documize/tasks/conf.yml b/roles/documize/tasks/conf.yml
new file mode 100644
index 0000000..dee1305
--- /dev/null
+++ b/roles/documize/tasks/conf.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Deploy documize configuration
+ template: src=documize.conf.j2 dest={{ documize_root_dir }}/etc/documize.conf group={{ documize_user }} mode=640
+ notify: restart documize
+ tags: documize
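Review bot: The MySQL dump in archive_pre.yml ("Archive the database") runs as `sqladmin` with `mysql_admin_pass`, while the PostgreSQL branch just above and the pre-backup.j2 hook both use the application's own `documize_db_user`/`documize_db_pass`; the dump only needs read access to `documize_db_name`, so the admin credentials widen the blast radius of the archive step for no functional gain, provided the app user can read the whole schema, which the backup hook already assumes. `login_user: "{{ documize_db_user }}"` / `login_password: "{{ documize_db_pass }}"` would keep it to least privilege and consistent with the other branch. The `| default(mysql_server)` on `login_host` is dead, since `documize_db_server` is always set in defaults/main.yml, and `quick: True` / `single_transaction: True` should be spelled `true`.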
diff --git a/roles/documize/tasks/directories.yml b/roles/documize/tasks/directories.yml
new file mode 100644
index 0000000..e5b29e5
--- /dev/null
+++ b/roles/documize/tasks/directories.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Create needed directories
+ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ documize_root_dir }}"
+ - dir: "{{ documize_root_dir }}/tmp"
+ - dir: "{{ documize_root_dir }}/bin"
+ - dir: "{{ documize_root_dir }}/etc"
+ group: "{{ documize_user }}"
+ mode: 750
+ - dir: "{{ documize_root_dir }}/meta"
+ mode: 700
+ - dir: "{{ documize_root_dir }}/backup"
+ mode: 700
+ - dir: "{{ documize_root_dir }}/archives"
+ mode: 700
+ tags: documize
diff --git a/roles/documize/tasks/facts.yml b/roles/documize/tasks/facts.yml
new file mode 100644
index 0000000..d4e0c93
--- /dev/null
+++ b/roles/documize/tasks/facts.yml
@@ -0,0 +1,33 @@
+---
+
+# Detect installed version (if any)
+- block:
+ - import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ documize_root_dir }}"
+ - version: "{{ documize_version }}"
+ - set_fact: documize_install_mode={{ (install_mode == 'upgrade' and not documize_manage_upgrade) | ternary('none',install_mode) }}
+ - set_fact: documize_current_version={{ current_version | default('') }}
+ tags: documize
+
+# Create a random pass for the DB if needed
+- block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ documize_root_dir }}/meta/ansible_db_pass"
+ - complex: False
+ - set_fact: documize_db_pass={{ rand_pass }}
+ when: documize_db_pass is not defined
+ tags: documize
+
+# Create a random salt if needed
+- block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ documize_root_dir }}/meta/ansible_salt"
+ - complex: False
+ - pass_size: 17
+ - set_fact: documize_salt={{ rand_pass }}
+ when: documize_salt is not defined
+ tags: documize
+
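Review bot: The `mode: 750` / `mode: 700` values in the directories.yml loop are unquoted YAML integers; they only produce the intended octal modes because the task is written in key=value form, where `mode={{ item.mode | default(omit) }}` re-serializes the integer into the string `750` that Ansible then parses as octal. The moment this task is rewritten in block-YAML form the integer reaches the module unchanged and is applied as decimal (750 decimal is 0o1356: sticky bit plus `-wxr-xrw-`), on the very directories that hold the DB password, salt and dumps. Quoting them as `mode: "0750"` and `mode: "0700"` removes that fragility. install.yml's `mode: 755` on the get_url task is the case where the integer is passed directly and is therefore already wrong.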
diff --git a/roles/documize/tasks/install.yml b/roles/documize/tasks/install.yml
new file mode 100644
index 0000000..ee7a3be
--- /dev/null
+++ b/roles/documize/tasks/install.yml
@@ -0,0 +1,71 @@
+---
+
+- name: Install needed tools
+ package:
+ name:
+ - tar
+ - zstd
+ - postgresql13
+ tags: documize
+
+- name: Download documize
+ get_url:
+ url: "{{ documize_bin_url }}"
+ dest: "{{ documize_root_dir }}/bin/documize"
+ checksum: sha1:{{ documize_bin_sha1 }}
+ mode: 755
+ when: documize_install_mode != 'none'
+ notify: restart documize
+ tags: documize
+
+- name: Install systemd unit
+ template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
+ register: documize_unit
+ tags: documize
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: documize_unit.changed
+ tags: documize
+
+- when: documize_db_engine == 'postgres'
+ block:
+ - name: Create the PostgreSQL role
+ postgresql_user:
+ db: postgres
+ name: "{{ miniflux_db_user }}"
+ password: "{{ miniflux_db_pass }}"
+ login_host: "{{ miniflux_db_server }}"
+ login_user: sqladmin
+ login_password: "{{ pg_admin_pass }}"
+
+ - name: Create the PostgreSQL database
+ postgresql_db:
+ name: "{{ miniflux_db_name }}"
+ encoding: UTF-8
+ lc_collate: C
+ lc_ctype: C
+ template: template0
+ owner: "{{ miniflux_db_user }}"
+ login_host: "{{ miniflux_db_server }}"
+ login_user: sqladmin
+ login_password: "{{ pg_admin_pass }}"
+
+ tags: miniflux
+
+ # Create MySQL database
+- when: documize_db_engine == 'mysql'
+ import_tasks: ../includes/webapps_create_mysql_db.yml
+ vars:
+ - db_name: "{{ documize_db_name }}"
+ - db_user: "{{ documize_db_user }}"
+ - db_server: "{{ documize_db_server }}"
+ - db_pass: "{{ documize_db_pass }}"
+ tags: documize
+
+- name: Deploy backup hooks
+ template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/documize mode=700
+ loop:
+ - pre
+ - post
+ tags: documize
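Review bot: The PostgreSQL block in install.yml references `miniflux_db_user`, `miniflux_db_pass`, `miniflux_db_server` and `miniflux_db_name` and carries `tags: miniflux`, which looks like a copy-paste from another role; with this role's defaults those variables are undefined, so a `documize_db_engine: postgres` run fails on "Create the PostgreSQL role" (or, where a miniflux role is also applied, creates the role and database under that application's name and credentials), and `--tags documize` skips the block entirely. Every reference should use the `documize_*` variables and `tags: documize`, as the MySQL branch below it does. Separately, `mode: 755` on the get_url task is a YAML integer that Ansible applies as decimal rather than octal, so it should be `mode: "0755"`, and `postgresql13` is installed whatever `documize_db_engine` is, although it is only needed for the pg_dump calls.
```yaml
- when: documize_db_engine == 'postgres'
  block:
    - name: Create the PostgreSQL role
      postgresql_user:
        db: postgres
        name: "{{ documize_db_user }}"
        password: "{{ documize_db_pass }}"
        login_host: "{{ documize_db_server }}"
        login_user: sqladmin
        login_password: "{{ pg_admin_pass }}"

    - name: Create the PostgreSQL database
      postgresql_db:
        name: "{{ documize_db_name }}"
        # … unchanged: encoding, lc_collate, lc_ctype, template …
        owner: "{{ documize_db_user }}"
        login_host: "{{ documize_db_server }}"
        login_user: sqladmin
        login_password: "{{ pg_admin_pass }}"
  tags: documize
```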
diff --git a/roles/documize/tasks/iptables.yml b/roles/documize/tasks/iptables.yml
new file mode 100644
index 0000000..16b927a
--- /dev/null
+++ b/roles/documize/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Handle documize port in the firewall
+ iptables_raw:
+ name: documize_port
+ state: "{{ (documize_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ documize_port }} -s {{ documize_src_ip | join(',') }} -j ACCEPT"
+ tags: firewall,documize
diff --git a/roles/documize/tasks/main.yml b/roles/documize/tasks/main.yml
new file mode 100644
index 0000000..14d37ac
--- /dev/null
+++ b/roles/documize/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: documize_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+ when: documize_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/documize/tasks/services.yml b/roles/documize/tasks/services.yml
new file mode 100644
index 0000000..9caf56f
--- /dev/null
+++ b/roles/documize/tasks/services.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Start and enable the service
+ service: name=documize state=started enabled=True
+ register: documize_started
+ tags: documize
+
diff --git a/roles/documize/tasks/user.yml b/roles/documize/tasks/user.yml
new file mode 100644
index 0000000..53e17ac
--- /dev/null
+++ b/roles/documize/tasks/user.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Create user account
+ user: name={{ documize_user }} system=True shell=/sbin/nologin home={{ documize_root_dir }}
+ tags: documize
diff --git a/roles/documize/tasks/write_version.yml b/roles/documize/tasks/write_version.yml
new file mode 100644
index 0000000..0a10a51
--- /dev/null
+++ b/roles/documize/tasks/write_version.yml
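Review bot: main.yml loads every task file with the bare `include:` action, which has been deprecated since Ansible 2.4 in favour of `import_tasks` (static) and `include_tasks` (dynamic) and, as far as I know, is already removed from current ansible-core, so the role will stop loading on an upgrade of the control node. The conditional lines (`- include: archive_pre.yml` / `archive_post.yml` guarded by `documize_install_mode`, which facts.yml only sets at runtime) are the natural `include_tasks` candidates, and the unconditional ones can become `import_tasks`. Note that an `include_tasks` line needs `tags: documize` on the include itself for `--tags documize` to reach the tagged tasks inside the file, whereas `import_tasks` inherits the tags of the imported tasks.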
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+ copy: content={{ documize_version }} dest={{ documize_root_dir }}/meta/ansible_version
+ tags: documize
diff --git a/roles/documize/templates/documize.conf.j2 b/roles/documize/templates/documize.conf.j2
new file mode 100644
index 0000000..676d0fe
--- /dev/null
+++ b/roles/documize/templates/documize.conf.j2
@@ -0,0 +1,15 @@
+[http]
+port = {{ documize_port }}
+
+[database]
+{% if documize_db_engine == 'mysql' %}
+type = "mysql"
+connection = "{{ documize_db_user }}:{{ documize_db_pass }}@tcp({{ documize_db_server }}:{{ documize_db_port }})/{{ documize_db_name }}"
+{% elif documize_db_engine == 'postgres' %}
+type = "postgresql"
+connection = "host={{ documize_db_server }} port={{ documize_db_port }} dbname={{ documize_db_name }} user={{ documize_db_user }} password={{ documize_db_pass }} sslmode=disable"
+{% endif %}
+salt = "{{ documize_salt }}"
+
+[install]
+location = "selfhost"
diff --git a/roles/documize/templates/documize.service.j2 b/roles/documize/templates/documize.service.j2
new file mode 100644
index 0000000..1b44683
--- /dev/null
+++ b/roles/documize/templates/documize.service.j2
@@ -0,0 +1,23 @@
+[Unit]
+Description=Documize Documentation Manager
+After=network.target postgresql.service mariadb.service
+
+[Service]
+Type=simple
+User={{ documize_user }}
+ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+ReadWritePaths=/run
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/documize/templates/post-backup.j2 b/roles/documize/templates/post-backup.j2
new file mode 100644
index 0000000..4c1304a
--- /dev/null
+++ b/roles/documize/templates/post-backup.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ documize_root_dir }}/backup/*
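Review bot: documize.conf.j2 hard-codes `sslmode=disable` in the PostgreSQL connection string, and the MySQL DSN carries no TLS parameter either, so whenever `documize_db_server` points at a remote host the DB password and all document content cross the network in clear text; the defaults only fall back to `localhost`, they do not require a local server. Making the mode a role variable, e.g. `sslmode={{ documize_db_sslmode | default('prefer') }}` (constructed name), keeps the local case unchanged while letting remote deployments set `require` or `verify-full`. On the positive side, conf.yml deploys this file with `mode=640 group={{ documize_user }}`, which keeps the embedded password and salt away from other local users.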
diff --git a/roles/documize/templates/pre-backup.j2 b/roles/documize/templates/pre-backup.j2
new file mode 100644
index 0000000..279591b
--- /dev/null
+++ b/roles/documize/templates/pre-backup.j2
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+
+{% if documize_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if documize_db_server not in ['127.0.0.1','localhost'] %}
+ --user={{ documize_db_user | quote }} \
+ --password={{ documize_db_pass | quote }} \
+ --host={{ documize_db_server | quote }} \
+{% endif %}
+ --quick --single-transaction \
+ --add-drop-table {{ documize_db_name | quote }} | zstd -c > "{{ documize_root_dir }}/backup/{{ documize_db_name }}.sql.zst"
+{% elif documize_db_engine == 'postgres' %}
+{% if documize_db_server not in ['127.0.0.1','localhost'] %}
+PGPASSWORD='{{ documize_db_pass }}' /usr/pgsql-13/bin/pg_dump \
+ --clean \
+ --username={{ documize_db_user | quote }} \
+ --host={{ documize_db_server | quote }} \
+ {{ documize_db_name | quote }} | \
+{% else %}
+su - postgres -c "/usr/pgsql-13/bin/pg_dump --clean {{ documize_db_name | quote }}" | \
+{% endif %}
+ zstd -c > "{{ documize_root_dir }}/backup/{{ documize_db_name }}.sql.zst"
+{% endif %}
diff --git a/roles/mysql_server/tasks/main.yml b/roles/mysql_server/tasks/main.yml
index 72ec556..45bb257 100644
--- a/roles/mysql_server/tasks/main.yml
+++ b/roles/mysql_server/tasks/main.yml
@@ -13,10 +13,17 @@ tags: mysql - name: Deploy backup scripts - template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.hook }}.d/{{ item.script }} mode=755 - with_items: - - { script: 'mariadb_create_dumps.sh', hook: pre } - - { script: 'mariadb_delete_dumps.sh', hook: post } + template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mariadb mode=755 + loop: + - pre + - post + tags: mysql + +- name: Remove old backup hooks + file: path=/etc/backup/{{ item }} state=absent + loop: + - pre.d/mariadb_create_dumps.sh + - post.d/mariadb_delete_dumps.sh tags: mysql - name: Create system override directory 
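Review bot: Both dump pipelines in pre-backup.j2 run under `#!/bin/bash -e` without `set -o pipefail`, so a failing `mysqldump`/`pg_dump` still lets `zstd` exit 0 and the hook reports success while leaving a truncated or empty `{{ documize_db_name }}.sql.zst` behind; add `set -o pipefail` after the shebang. The remote PostgreSQL branch inlines the secret as `PGPASSWORD='{{ documize_db_pass }}'` without the `| quote` filter the surrounding lines use, so a password containing `'` breaks the script; write it as `PGPASSWORD={{ documize_db_pass | quote }} /usr/pgsql-13/bin/pg_dump \`. In the remote MySQL branch `--password={{ documize_db_pass | quote }}` puts the secret on the command line, where it is visible in the process list for the duration of the dump; passing it via the `MYSQL_PWD` environment variable or a root-only `--defaults-extra-file` avoids that exposure.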
diff --git a/roles/mysql_server/templates/post-backup.j2 b/roles/mysql_server/templates/post-backup.j2
new file mode 100644
index 0000000..bebf888
--- /dev/null
+++ b/roles/mysql_server/templates/post-backup.j2
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+{% if mysql_remove_dump_after_backup | default(True) %}
+rm -f /home/lbkp/mysql/*.sql*
+{% endif %}
diff --git a/roles/mysql_server/templates/pre-backup.j2 b/roles/mysql_server/templates/pre-backup.j2
new file mode 100644
index 0000000..d261305
--- /dev/null
+++ b/roles/mysql_server/templates/pre-backup.j2
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+# Get the .my.cnf from root
+HOME=/root
+PATH=/usr/bin:$PATH
+DEST=/home/lbkp/mysql
+
+[ -d $DEST ] || mkdir -p $DEST
+
+for DB in $(/usr/bin/mysqlshow | /bin/awk '{print $2}' | /bin/grep -v Databases)
+do
+{% for db in mysql_skip_backup %}
+ # {{ db }} is configured not to be backed up
+ if [[ "$DB" == "{{ db }}" ]]; then
+ continue
+ fi
+{% endfor %}
+{% if mysql_compress_cmd %}
+{% if mysql_compress_cmd is search('p?xz') %}
+{% set compext = 'xz' %}
+{% elif mysql_compress_cmd is search('p?bzip2') %}
+{% set compext = 'bz2' %}
+{% elif mysql_compress_cmd is search('(pi)?gz') %}
+{% set compext = 'gz' %}
+{% elif mysql_compress_cmd is search('lzop') %}
+{% set compext = 'lzo' %}
+{% elif mysql_compress_cmd is search('lz4') %}
+{% set compext = 'lz4' %}
+{% elif mysql_compress_cmd is search('zstd') %}
+{% set compext = 'zst' %}
+{% else %}
+{% set compext = 'z' %}
+{% endif %}
+ /usr/bin/mysqldump --ignore-table=mysql.event --single-transaction --add-drop-table $DB | /bin/nice -n 10 {{ mysql_compress_cmd }} > $DEST/$DB.sql.{{ compext }}
+{% else %}
+ /usr/bin/mysqldump --ignore-table=mysql.event --single-transaction --add-drop-table $DB -r $DEST/$DB.sql
+{% endif %}
+done
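Review bot: The mysql_server pre-backup.j2 hook is declared `#!/bin/sh` but tests `[[ "$DB" == "{{ db }}" ]]` inside the `mysql_skip_backup` loop, which is a bash extension; where /bin/sh is dash the test fails with "[[: not found", is treated as false (conditions of `if` are exempt from `set -e`), and the skip list is silently ignored so excluded databases get dumped anyway. Use the POSIX form `if [ "$DB" = "{{ db }}" ]; then` or change the shebang to bash. The `mysqldump | nice {{ mysql_compress_cmd }}` pipeline has the same `set -e`-without-`pipefail` gap as the documize hook, and many /bin/sh implementations offer no `pipefail` at all, which is a further argument for bash here. `mkdir -p $DEST` creates `/home/lbkp/mysql` with the default umask; `mkdir -p -m 700 $DEST` would keep the plain-text dumps from being readable by other local users if the parent directory allows traversal.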