diff --git a/authorized_keys/blackdragon.keys b/authorized_keys/blackdragon.keys
new file mode 100644
index 0000000..d488f52
--- /dev/null
+++ b/authorized_keys/blackdragon.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLZGbt/we3JQ482/NYcdOKGoKDOj1MgmYFP2GDmjLw/ kyan@flandre
diff --git a/bitlair.yaml b/bitlair.yaml
index 4016241..19de646 100644
--- a/bitlair.yaml
+++ b/bitlair.yaml
@@ -65,3 +65,9 @@
 - { role: "acme", tags: ["acme"] }
 - { role: "nginx", tags: ["nginx"] }
 - { role: "www", tags: ["www"] }
+
+- hosts: chat
+ roles:
+ - { role: "acme", tags: [ "acme" ] }
+ - { role: "nginx", tags: [ "nginx" ] }
+ - { role: "chat", tags: [ "chat" ] }
diff --git a/chat.yaml b/chat.yaml
index 9560585..a5b4c42 100644
--- a/chat.yaml
+++ b/chat.yaml
@@ -1,3 +1,5 @@
+---
+
 - hosts: chat
 roles:
 - { role: "common", tags: [ "common" ] }
diff --git a/group_vars/chat.yaml b/group_vars/chat.yaml
index 8caf096..08a3480 100644
--- a/group_vars/chat.yaml
+++ b/group_vars/chat.yaml
@@ -1,9 +1,11 @@
 ---
+
 root_access:
 - blackdragon
 - ak
 - foobar
 - polyfloyd
+
 nodejs_version: 22.x
 thelounge_version: "4.4.3"
 thelounge_ldap_url: ldaps://ldap.bitlair.nl
@@ -31,4 +33,4 @@ nginx_sites:
 }
 group_nft_input:
- - "tcp dport { http, https } accept # Allow web-traffic from world"
\ No newline at end of file
+ - "tcp dport { http, https } accept # Allow web-traffic from world"
diff --git a/roles/chat/defaults/main.yaml b/roles/chat/defaults/main.yaml
index e69de29..4e52991 100644
--- a/roles/chat/defaults/main.yaml
+++ b/roles/chat/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+
+chat_user: thelounge
+chat_group: thelounge
+chat_configdir: "/etc/thelounge"
diff --git a/roles/chat/handlers/main.yaml b/roles/chat/handlers/main.yaml
new file mode 100644
index 0000000..e03963e
--- /dev/null
+++ b/roles/chat/handlers/main.yaml
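Review bot: The key comment `kyan@flandre` does not match the file name `blackdragon.keys`, and `blackdragon` is listed under `root_access` in group_vars/chat.yaml in this same diff, so this one line grants root on the chat hosts. If the key belongs to a different person or device than the file name implies, keep the comment and the file name consistent with the actual owner so that key inventory and later revocation stay unambiguous.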
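Review bot: The new `chat` play in bitlair.yaml runs `acme`, `nginx` and `chat` but not `common`, whereas chat.yaml's play for the same hosts applies `common` first; the chat role's tasks notify `Apt update` (tasks hunk at @@ -14,25), a handler this diff does not define, so unless an earlier play in bitlair.yaml outside this hunk already covers the chat hosts with `common`, running bitlair.yaml alone will fail on handler resolution. Separately, the added lines use `tags: [ "chat" ]` spacing while the existing lines in this file use `tags: ["www"]`; match the file's style.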
@@ -0,0 +1,11 @@
+---
+
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: yes
+
+- name: Restart thelounge
+ ansible.builtin.systemd:
+ name: thelounge
+ state: restarted
+ enabled: true
diff --git a/roles/chat/tasks/main.yaml b/roles/chat/tasks/main.yaml
index 6fa26d1..7b74982 100644
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@@ -1,7 +1,9 @@
+---
+
 - name: Install dependencies
 ansible.builtin.apt:
 state: present
- pkg:
+ pkg:
 - gpg
 - apt-transport-https
 - build-essential
@@ -14,25 +16,30 @@
 creates: /usr/share/keyrings/nodesource.gpg
 notify: Apt update
-- name: Install nodesource source list
- ansible.builtin.template:
- src: nodesource.list
- dest: /etc/apt/sources.list.d/nodesource.list
- owner: root
- group: root
- mode: 0644
- notify: Apt update
+- name: Ensure directories are present
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ owner: "{{ chat_user }}"
+ group: "{{ chat_group }}"
+ state: "{{ item.state | default('directory') }}"
+ mode: "{{ item.mode | default('0770') }}"
+ with_items:
+ - { path: "{{ chat_configdir }}" }
+ - { path: "/var/local/thelounge/users" }
+ - { path: "/var/local/thelounge/storage" }
+ notify:
+ - Restart thelounge
-- name: Install nodejs apt preference
+- name: Configure templates
 ansible.builtin.template:
- src: nodejs-apt-pref
- dest: /etc/apt/preferences.d/nodejs
- owner: root
- group: root
- mode: 0644
- notify: Apt update
-
-- ansible.builtin.meta: flush_handlers
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "{{ item.owner | default( chat_user ) }}"
+ group: "{{ item.group | default( chat_group ) }}"
+ mode: "{{ item.mode | default('0640') }}"
+ with_items:
+ - { src: "nodesource.list", dest: "/etc/apt/sources.list.d/nodesource.list", owner: root, group: root }
+ - { src: "nodejs-apt-pref", dest: "/etc/apt/preferences.d/nodejs", owner: root, group: root }
 - name: Install nodejs
 ansible.builtin.apt:
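Review bot: Folding `enabled: true` and the first start of the unit into the `Restart thelounge` handler (the explicit `Enable and start the service` task is deleted in the tasks hunk at @@ -87,57) means the service is only started when some task reports a change and the play gets as far as running handlers; a run interrupted before the handlers fire, or a host where thelounge was stopped by hand, is not brought back up by a later no-change run. Keep an idempotent task at the end of the role, `ansible.builtin.systemd: { name: thelounge, state: started, enabled: true }`, and let the handler only restart. Also `daemon_reload: yes` is a YAML 1.1 truthy spelling next to `enabled: true` in the same new file; write `daemon_reload: true`.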
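Review bot: The new `Configure templates` task writes `nodesource.list` and the apt preference but, unlike the two tasks it replaces, no longer notifies `Apt update`, and the `- ansible.builtin.meta: flush_handlers` that forced the cache refresh before `Install nodejs` is deleted. Unless the `Install nodejs` apt task (its body continues past the end of the hunk) sets `update_cache: true`, a first run installs nodejs from whatever the stale cache offers instead of the freshly added nodesource repository. Add `notify: Apt update` back to the task and restore the `- ansible.builtin.meta: flush_handlers` line before `Install nodejs`, or add `update_cache: true` to that apt task. Note also that `mode: "{{ item.mode | default('0640') }}"` silently tightens the apt files from the 0644 the replaced tasks used; apt reads sources lists as root so this is probably harmless, but it deserves a mention in the commit message.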
@@ -56,7 +63,7 @@
 - name: Copy patch
 ansible.builtin.template:
- src: thelounge-bitlair.patch
+ src: thelounge-bitlair.patch
 dest: /tmp/thelounge-bitlair.patch
 - name: Apply patch
@@ -69,16 +76,17 @@
 ansible.builtin.shell:
 chdir: /opt/thelounge
 cmd: yarn add sharp --ignore-engines && yarn install --include-optional sharp && NODE_ENV=production yarn build && ln -sf $(pwd)/index.js /usr/local/bin/thelounge
+ notify:
+ - Restart thelounge
 - name: Ensure user thelounge is present
- user:
+ ansible.builtin.user:
 name: thelounge
 createhome: no
 comment: The Lounge (IRC client)
 system: yes
 state: present
- become: yes
-
+
 - name: Ensure JS and JSON syntax checking packages are installed
 yarn:
 name: "{{ item }}"
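Review bot: The `notify: - Restart thelounge` added to the `ansible.builtin.shell` build step will restart the service on every playbook run, because a shell task reports `changed` unconditionally unless it carries `creates:` or `changed_when:`, and neither is visible in the hunk (the task's `- name:` line is above it, outside the hunk). Either gate the step, for example `creates: /usr/local/bin/thelounge` if a rebuild is only expected when the checkout changes, or move the `notify` to the task that updates the source checkout so restarts track real changes. Dropping `become: yes` from `Ensure user thelounge is present` (and from the yarn task in the next hunk) is only correct if `become` is set at play level; the new chat play in bitlair.yaml does not show one and chat.yaml's play is outside the hunk, so please confirm.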
@@ -87,57 +95,18 @@ with_items: - esprima - jsonlint - become: yes changed_when: no # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in -- name: Ensure thelounge configuration directory is present - file: - path: /etc/thelounge - owner: thelounge - group: thelounge - state: directory - become: yes - -- name: Ensure The Lounge is configured - template: - src: config.js.j2 - dest: /etc/thelounge/config.js - owner: thelounge - group: thelounge - validate: 'esvalidate %s' - become: yes - -- name: Ensure user configuration directory is present - file: - path: /var/local/thelounge/users - owner: thelounge - group: thelounge - state: directory - become: yes - -- name: Ensure preview storage directory is present - file: - path: /var/local/thelounge/storage - owner: thelounge - group: thelounge - mode: "0770" - state: directory - become: yes - -- name: Copy service file to systemd directory +- name: Configure templates ansible.builtin.template: - src: thelounge.service # Path to your service file in your Ansible project - dest: /etc/systemd/system/thelounge.service - owner: root - group: root - mode: '0644' - -- name: Reload systemd daemon to read new service file - ansible.builtin.systemd: - daemon_reload: yes + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default( chat_user ) }}" + group: "{{ item.group | default( chat_group ) }}" + mode: "{{ item.mode | default('0640') }}" + validate: "{{ item.validate | default([]) }}" + with_items: + - { src: "config.js.j2", dest: "/etc/thelounge/config.js", validate: 'esvalidate %s' } + - { src: "thelounge.service", dest: "/etc/systemd/system/thelounge.service", owner: root, group: root, notify: "Reload systemd" } + notify: "{{ item.notify | default('Restart thelounge') }}" -- name: Enable and start the service - ansible.builtin.systemd: - name: thelounge - state: started - enabled: yes \ No newline at end of file 
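Review bot: `validate: "{{ item.validate | default([]) }}"` on the new `Configure templates` task renders an empty list for the `thelounge.service` item, where the template module expects a command string containing `%s`, so that item should fail its argument check; use `validate: "{{ item.validate | default(omit) }}"`. The `notify: "{{ item.notify | default('Restart thelounge') }}"` line relies on the `notify` task keyword being re-templated per `with_items` entry, which I would not depend on, and the `notify: "Reload systemd"` key inside the second item is plain loop data that nothing reads unless that works; a static `notify: [Reload systemd, Restart thelounge]` is unambiguous, and since handlers run in the order they are defined the daemon-reload precedes the restart. The `dest: "/etc/thelounge/config.js"` item still hardcodes the path although the role now defines `chat_configdir`; `dest: "{{ chat_configdir }}/config.js"` keeps the two in step.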
diff --git a/roles/chat/templates/config.js.j2 b/roles/chat/templates/config.js.j2
index c606576..ba12695 100644
--- a/roles/chat/templates/config.js.j2
+++ b/roles/chat/templates/config.js.j2
@@ -3,7 +3,7 @@ module.exports = {
 public: false,
 port: 9000,
- bind: "0.0.0.0",
+ bind: "127.0.0.1",
 reverseProxy: true,
 lockNetwork: true,
 maxHistory: 10000,
@@ -49,8 +49,8 @@ module.exports = {
 url: "{{ thelounge_ldap_url }}",
 primaryKey: "uid",
 searchDN: {
- rootDN: "{{ thelounge_ldap_rootDN }}",
- rootPassword: "{{ thelounge_ldap_rootPassword }}",
+ rootDN: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN subkey=binddn') }}",
+ rootPassword: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN') }}",
 filter: "{{ thelounge_ldap_filter }}",
 base: "{{ thelounge_ldap_base }}",
 },
diff --git a/roles/chat/templates/thelounge.service b/roles/chat/templates/thelounge.service
index 3fc7396..26a11ea 100644
--- a/roles/chat/templates/thelounge.service
+++ b/roles/chat/templates/thelounge.service
@@ -4,8 +4,8 @@ After=network-online.target
 Wants=network-online.target
 [Service]
-User=thelounge
-Group=thelounge
+User={{ chat_user }}
+Group={{ chat_group }}
 Type=simple
 Environment=THELOUNGE_HOME=/var/local/thelounge
 ExecStart=/usr/local/bin/thelounge start
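Review bot: Moving the bind DN and password into `lookup('passwordstore', ...)` takes the secret out of group_vars, but the value is still interpolated into a JavaScript string literal as `"{{ ... }}"`, so a password containing `"` or `\` produces an invalid config.js that `esvalidate` will reject at deploy time. Emit it as a JSON string instead, `rootPassword: {{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN') | to_json }},` (and the same for `rootDN`), which quotes and escapes the value. The lookup runs on the control node at template time, so the rendered file on the host holds the plaintext; that matches the 0640, `chat_user`-owned mode the template task applies, so keep those two in step. If `thelounge_ldap_rootDN` and `thelounge_ldap_rootPassword` are still defined in group_vars/chat.yaml (not visible in this diff), they are now dead and should be removed.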
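Review bot: `User={{ chat_user }}` and `Group={{ chat_group }}` are templated, but the `Ensure user thelounge is present` task (tasks hunk at @@ -69,16) still creates the account with a literal `name: thelounge`, and the unit keeps `THELOUNGE_HOME=/var/local/thelounge`; overriding `chat_user` therefore yields a unit that references an account the role never creates. Use `name: "{{ chat_user }}"` (and `group: "{{ chat_group }}"`) in the user task, or leave the unit literal until the rest of the role honours the variable.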