Listen on localhost

Reviewed-on: bitlair/ansible#6
Reviewed-by: Mark Janssen <mark@sig-io.nl>

authorized_keys/blackdragon.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLZGbt/we3JQ482/NYcdOKGoKDOj1MgmYFP2GDmjLw/ kyan@flandre

bitlair.yaml

@@ -65,3 +65,9 @@
     - { role: "acme", tags: ["acme"] }
     - { role: "nginx", tags: ["nginx"] }
     - { role: "www", tags: ["www"] }
+
+- hosts: chat
+  roles:
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "chat", tags: [ "chat" ] }

chat.yaml

@@ -1,3 +1,5 @@
+---
+
 - hosts: chat
   roles:
     - { role: "common", tags: [ "common" ] }

group_vars/chat.yaml

@@ -1,9 +1,11 @@
 ---
+
 root_access:
   - blackdragon
   - ak
   - foobar
   - polyfloyd
+
 nodejs_version: 22.x
 thelounge_version: "4.4.3"
 thelounge_ldap_url: ldaps://ldap.bitlair.nl
@@ -31,4 +33,4 @@ nginx_sites:
         }
 
 group_nft_input:
-  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

roles/chat/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+
+chat_user: thelounge
+chat_group: thelounge
+chat_configdir: "/etc/thelounge"

roles/chat/handlers/main.yaml

@@ -0,0 +1,11 @@
+---
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: yes
+
+- name: Restart thelounge
+  ansible.builtin.systemd:
+    name: thelounge
+    state: restarted
+    enabled: true

roles/chat/tasks/main.yaml

@@ -1,7 +1,9 @@
+---
+
 - name: Install dependencies
   ansible.builtin.apt:
     state: present
-    pkg: 
+    pkg:
       - gpg
       - apt-transport-https
       - build-essential
@@ -14,25 +16,30 @@
     creates: /usr/share/keyrings/nodesource.gpg
   notify: Apt update
 
-- name: Install nodesource source list
+- name: Ensure directories are present
-  ansible.builtin.template:
+  ansible.builtin.file:
-    src: nodesource.list
+    path: "{{ item.path }}"
-    dest: /etc/apt/sources.list.d/nodesource.list
+    owner: "{{ chat_user }}"
-    owner: root
+    group: "{{ chat_group }}"
-    group: root
+    state: "{{ item.state | default('directory') }}"
-    mode: 0644
+    mode: "{{ item.mode | default('0770') }}"
-  notify: Apt update
+  with_items:
+    - { path: "{{ chat_configdir }}" }
+    - { path: "/var/local/thelounge/users" }
+    - { path: "/var/local/thelounge/storage" }
+  notify:
+    - Restart thelounge
 
-- name: Install nodejs apt preference
+- name: Configure templates
   ansible.builtin.template:
-    src: nodejs-apt-pref
+    src: "{{ item.src }}"
-    dest: /etc/apt/preferences.d/nodejs
+    dest: "{{ item.dest }}"
-    owner: root
+    owner: "{{ item.owner | default( chat_user ) }}"
-    group: root
+    group: "{{ item.group | default( chat_group ) }}"
-    mode: 0644
+    mode: "{{ item.mode | default('0640') }}"
-  notify: Apt update
+  with_items:
-
+    - { src: "nodesource.list", dest: "/etc/apt/sources.list.d/nodesource.list", owner: root, group: root }
-- ansible.builtin.meta: flush_handlers
+    - { src: "nodejs-apt-pref", dest: "/etc/apt/preferences.d/nodejs", owner: root, group: root }
 
 - name: Install nodejs
   ansible.builtin.apt:
@@ -56,7 +63,7 @@
 
     - name: Copy patch
       ansible.builtin.template:
-        src: thelounge-bitlair.patch    
+        src: thelounge-bitlair.patch
         dest: /tmp/thelounge-bitlair.patch
 
     - name: Apply patch
@@ -69,16 +76,17 @@
   ansible.builtin.shell:
     chdir: /opt/thelounge
     cmd: yarn add sharp --ignore-engines && yarn install --include-optional sharp && NODE_ENV=production yarn build && ln -sf $(pwd)/index.js /usr/local/bin/thelounge
+  notify:
+    - Restart thelounge
 
 - name: Ensure user thelounge is present
-  user:
+  ansible.builtin.user:
     name: thelounge
     createhome: no
     comment: The Lounge (IRC client)
     system: yes
     state: present
-  become: yes
+
-      
 - name: Ensure JS and JSON syntax checking packages are installed
   yarn:
     name: "{{ item }}"
@@ -87,57 +95,18 @@
   with_items:
     - esprima
     - jsonlint
-  become: yes
   changed_when: no # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
 
-- name: Ensure thelounge configuration directory is present
+- name: Configure templates
-  file:
-    path: /etc/thelounge
-    owner: thelounge
-    group: thelounge
-    state: directory
-  become: yes
-
-- name: Ensure The Lounge is configured
-  template:
-    src: config.js.j2
-    dest: /etc/thelounge/config.js
-    owner: thelounge
-    group: thelounge
-    validate: 'esvalidate %s'
-  become: yes
-
-- name: Ensure user configuration directory is present
-  file:
-    path: /var/local/thelounge/users
-    owner: thelounge
-    group: thelounge
-    state: directory
-  become: yes
-
-- name: Ensure preview storage directory is present
-  file:
-    path: /var/local/thelounge/storage
-    owner: thelounge
-    group: thelounge
-    mode: "0770"
-    state: directory
-  become: yes
-
-- name: Copy service file to systemd directory
   ansible.builtin.template:
-    src: thelounge.service    # Path to your service file in your Ansible project
+    src: "{{ item.src }}"
-    dest: /etc/systemd/system/thelounge.service
+    dest: "{{ item.dest }}"
-    owner: root
+    owner: "{{ item.owner | default( chat_user ) }}"
-    group: root
+    group: "{{ item.group | default( chat_group ) }}"
-    mode: '0644'
+    mode: "{{ item.mode | default('0640') }}"
-  
+    validate: "{{ item.validate | default([]) }}"
-- name: Reload systemd daemon to read new service file
+  with_items:
-  ansible.builtin.systemd:
+    - { src: "config.js.j2", dest: "/etc/thelounge/config.js", validate: 'esvalidate %s' }
-    daemon_reload: yes
+    - { src: "thelounge.service", dest: "/etc/systemd/system/thelounge.service", owner: root, group: root, notify: "Reload systemd" }
+  notify: "{{ item.notify | default('Restart thelounge') }}"
 
-- name: Enable and start the service
-  ansible.builtin.systemd:
-    name: thelounge
-    state: started
-    enabled: yes

roles/chat/templates/config.js.j2

@@ -3,7 +3,7 @@
 module.exports = {
     public: false,
     port: 9000,
-    bind: "0.0.0.0",
+    bind: "127.0.0.1",
     reverseProxy: true,
     lockNetwork: true,
     maxHistory: 10000,
@@ -49,8 +49,8 @@ module.exports = {
         url: "{{ thelounge_ldap_url }}",
         primaryKey: "uid",
         searchDN: {
-            rootDN: "{{ thelounge_ldap_rootDN }}",
+            rootDN: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN subkey=binddn') }}",
-            rootPassword: "{{ thelounge_ldap_rootPassword }}",
+            rootPassword: "{{ lookup('passwordstore', 'chat/thelounge/ldap_rootDN') }}",
             filter: "{{ thelounge_ldap_filter }}",
             base: "{{ thelounge_ldap_base }}",
         },

roles/chat/templates/thelounge.service

@@ -4,8 +4,8 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
-User=thelounge
+User={{ chat_user }}
-Group=thelounge
+Group={{ chat_group }}
 Type=simple
 Environment=THELOUNGE_HOME=/var/local/thelounge
 ExecStart=/usr/local/bin/thelounge start