Commit 579dc2ad authored by Thomas Schneider's avatar Thomas Schneider
Browse files

Merge branch 'hedgedoc' into 'master'

Hedgedoc

See merge request !24
parents caf279e4 8075bbbf
Pipeline #3289 passed with stage
in 1 minute and 28 seconds
---
hedgedoc_data_root: /var/lib/hedgedoc
hedgedoc_install_root: /opt/hedgedoc
hedgedoc_version: "1.8.2"
# https://docs.hedgedoc.org/configuration
hedgedoc_db:
dialect: sqlite
storage: "{{ hedgedoc_data_root }}/db.sqlite"
hedgedoc_domain: hedgedoc.example.org
hedgedoc_urlPath: null
hedgedoc_allowGravatar: false
hedgedoc_protocolUseSSL: true
# hedgedoc_csp
# hedgedoc_cookiePolicy
# hedgedoc_extra_config
# hedgedoc_db:
# dialect: postgres
# host: /run/postgresql
# database: hedgedoc
---
- name: Reload systemd
systemd:
daemon_reload: true
- name: Restart hedgedoc
systemd:
name: hedgedoc.service
state: restarted
---
- name: Install required packages
apt:
name:
- nodejs
- yarnpkg
- npm
- name: Create system group
group:
name: hedgedoc
system: true
state: present
- name: Create system user
user:
name: hedgedoc
group: hedgedoc
system: true
home: "{{ hedgedoc_data_root }}"
shell: /usr/bin/nologin
state: present
- import_tasks: postgres.yml
when:
- hedgedoc_db.dialect == "postgres"
- hedgedoc_db.host[0] == '/'
tags:
- postgresql
- name: Install systemd service file
template:
src: hedgedoc.service.j2
dest: /etc/systemd/system/hedgedoc.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd
- Restart hedgedoc
- name: Get installed version package.json
slurp:
src: "{{ hedgedoc_install_root }}/package.json"
register: installed_package_json
ignore_errors: true
- when: >-
installed_package_json.failed or
installed_package_json.content|b64decode|from_json|json_query('version')|trim
!= hedgedoc_version
block:
- name: Create temporary directory
tempfile:
state: directory
register: tempdir
- name: Fetch and extract HedgeDoc
unarchive:
# yamllint disable-line rule:line-length
src: "https://github.com/hedgedoc/hedgedoc/releases/download/{{ hedgedoc_version }}/hedgedoc-{{ hedgedoc_version }}.tar.gz"
dest: "{{ tempdir.path }}"
remote_src: true
- name: Move HedgeDoc to target directory
copy:
src: "{{ tempdir.path }}/hedgedoc/"
dest: "{{ hedgedoc_install_root }}-{{ hedgedoc_version }}"
remote_src: true
- name: yarn install
command:
cmd: yarnpkg install --production=true --pure-lockfile
chdir: "{{ hedgedoc_install_root }}-{{ hedgedoc_version }}"
- name: Get old install target
stat:
path: "{{ hedgedoc_install_root }}"
register: install_root
- name: Stop service for upgrade
systemd:
name: hedgedoc.service
state: stopped
- name: Replace install root symlink
file:
src: "{{ hedgedoc_install_root }}-{{ hedgedoc_version }}"
dest: "{{ hedgedoc_install_root }}"
state: link
follow: false
force: true
- name: Remove old version
file:
path: "{{ install_root.stat.lnk_source }}"
state: absent
when: install_root.stat.islnk is defined and install_root.stat.islnk
- name: Remove temporary directory
file:
path: "{{ tempdir.path }}"
state: absent
- name: Install config
template:
src: "config.json.j2"
dest: "{{ hedgedoc_install_root }}/config.json"
owner: root
group: hedgedoc
mode: "0640"
notify:
- Restart hedgedoc
- name: Enable and start service
systemd:
name: hedgedoc.service
state: started
enabled: true
---
- become: true
become_user: postgres
block:
- name: Create the postgres user
postgresql_user:
name: hedgedoc
state: present
- name: Create the database
postgresql_db:
name: "{{ hedgedoc_db.database }}"
owner: hedgedoc
state: present
- name: Ensure postgres is running
service:
name: postgresql
state: started
enabled: true
{
"production": {
"domain": "{{ hedgedoc_domain }}",
"urlPath": {{ hedgedoc_urlPath|to_json }},
"path": "/run/hedgedoc/hedgedoc.sock",
"loglevel": "info",
"uploadsPath": "{{ hedgedoc_data_root }}/uploads",
"allowGravatar": {{ hedgedoc_allowGravatar|to_json }},
"protocolUseSSL": {{ hedgedoc_protocolUseSSL|to_json }},
{% if hedgedoc_csp is defined %}
"csp": {{ hedgedoc_csp|to_json }},
{% endif %}
{% if hedgedoc_cookiePolicy is defined %}
"cookiePolicy": "{{ hedgedoc_cookiePolicy }}",
{% endif %}
"db": {{ hedgedoc_db|to_nice_json|indent(8, false) }}
{% if hedgedoc_extra_config is defined -%}
{% for k, v in hedgedoc_extra_config.items() %}
, "{{ k }}": {{ v|to_nice_json|indent(8, false) }}
{% endfor %}
{%- endif %}
}
}
# Adapted from upstream example:
# https://github.com/hedgedoc/hedgedoc/blob/2fb83e5a345a2d7ad829784e60fba3e8e5cab6a9/docs/content/setup/manual-setup.md#systemd-unit-example
[Unit]
Description=HedgeDoc – The best platform to write and share markdown.
Documentation=https://docs.hedgedoc.org/
After=network.target
{% if hedgedoc_db.dialect == "postgres" %}
After=postgresql.service
{% elif hedgedoc_db.dialect == "mariadb" %}
After=mariadb.service
{% endif %}
[Service]
Type=exec
Environment=NODE_ENV=production
Restart=always
RestartSec=2s
ExecStart=/usr/bin/yarnpkg start --production
ExecStartPost=/bin/sh -c "while ! test -e ${RUNTIME_DIRECTORY}/hedgedoc.sock; do sleep 2; done; chmod 666 ${RUNTIME_DIRECTORY}/hedgedoc.sock"
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateDevices=true
RemoveIPC=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=noaccess
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
RuntimeDirectory=hedgedoc
# You may have to adjust these settings
User=hedgedoc
Group=hedgedoc
WorkingDirectory={{ hedgedoc_install_root }}
ReadWritePaths={{ hedgedoc_data_root }}
[Install]
WantedBy=multi-user.target
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment