fix dingen op chat.bitlair.nl

.config/ansible-lint.yml

@@ -1,8 +0,0 @@
----
-skip_list:
-  - fqcn[action-core]
-  - name[casing]
-  - name[missing]
-
-exclude_paths:
-  - .forgejo

.forgejo/workflows/test.yaml

@@ -1,19 +0,0 @@
-name: Test
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-
-  build:
-    runs-on: docker
-    container:
-      image: alpine:latest
-
-    steps:
-      - run: apk add nodejs ansible ansible-lint
-      - uses: actions/checkout@v4
-
-      - run: ansible-lint

authorized_keys/blackdragon.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLZGbt/we3JQ482/NYcdOKGoKDOj1MgmYFP2GDmjLw/ kyan@flandre

bitlair.yaml

@@ -26,7 +26,7 @@
 
 - hosts: git-ci
   roles:
-    - { role: "git_ci", tags: ["git_ci"] }
+    - { role: "git-ci", tags: ["git-ci"] }
 
 - hosts: git
   roles:

chat.yaml

@@ -0,0 +1,7 @@
+- hosts: chat
+  roles:
+    - { role: "common", tags: [ "common" ] }
+    - { role: "nft", tags: [ "nft" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "chat", tags: [ "chat" ] }

git-ci.yaml

@@ -3,4 +3,4 @@
 - hosts: git-ci
   roles:
     - { role: "common", tags: [ "common" ] }
-    - { role: "git_ci", tags: [ "git_ci" ] }
+    - { role: "git-ci", tags: [ "git-ci" ] }

group_vars/all.yaml

@@ -36,6 +36,3 @@ mqtt_public_host: bitlair.nl
 debian_repourl: "http://deb.debian.org/debian/"
 debian_securityurl: "http://security.debian.org/debian-security"
 
-deb_forgejo_repos:
-  - host: git.polyfloyd.net
-    owner: polyfloyd

group_vars/chat.yaml

@@ -0,0 +1,68 @@
+---
+root_access:
+  - blackdragon
+  - ak
+  - foobar
+  - polyfloyd
+nodejs_version: 22.x
+thelounge_version: "4.4.3"
+thelounge_ldap_url: ldaps://ldap.bitlair.nl
+thelounge_ldap_filter: (objectClass=inetOrgPerson)
+thelounge_ldap_base: ou=Members,dc=bitlair,dc=nl
+chat_hostname: chat.bitlair.nl
+
+acme_domains:
+ - "{{ chat_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ chat_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://127.0.0.1:9000/;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # by default nginx times out connections in one minute
+          proxy_read_timeout 1d;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport 113 accept # Allow identd from world"
+---
+root_access:
+  - blackdragon
+  - ak
+  - foobar
+  - polyfloyd
+nodejs_version: 22.x
+thelounge_version: "4.4.3"
+thelounge_ldap_url: ldaps://ldap.bitlair.nl
+thelounge_ldap_filter: (objectClass=inetOrgPerson)
+thelounge_ldap_base: ou=Members,dc=bitlair,dc=nl
+chat_hostname: chat.bitlair.nl
+acme_domains:
+ - "{{ chat_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ chat_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://127.0.0.1:9000/;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # by default nginx times out connections in one minute
+          proxy_read_timeout 1d;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

inventory

@@ -17,8 +17,7 @@ blockchain.bitlair.nl
 git.bitlair.nl
 
 [git-ci]
-git-ci01.bitlair.nl
-git-ci02.bitlair.nl
+git-ci.bitlair.nl
 
 [pad]
 pad.bitlair.nl

monitoring.yaml

@@ -4,6 +4,5 @@
   roles:
     - { role: "common", tags: [ "common" ] }
     - { role: "acme", tags: [ "acme" ] }
-    - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
     - { role: "nginx", tags: [ "nginx" ] }
     - { role: "monitoring", tags: [ "monitoring" ] }

roles/chat/tasks/main.yaml

@@ -0,0 +1,143 @@
+- name: Install dependencies
+  ansible.builtin.apt:
+    state: present
+    pkg: 
+      - gpg
+      - apt-transport-https
+      - build-essential
+
+- name: Import nodesource signing key
+  ansible.builtin.shell:
+    cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
+      -o /usr/share/keyrings/nodesource.gpg
+  args:
+    creates: /usr/share/keyrings/nodesource.gpg
+  notify: Apt update
+
+- name: Install nodesource source list
+  ansible.builtin.template:
+    src: nodesource.list
+    dest: /etc/apt/sources.list.d/nodesource.list
+    owner: root
+    group: root
+    mode: 0644
+  notify: Apt update
+
+- name: Install nodejs apt preference
+  ansible.builtin.template:
+    src: nodejs-apt-pref
+    dest: /etc/apt/preferences.d/nodejs
+    owner: root
+    group: root
+    mode: 0644
+  notify: Apt update
+
+- ansible.builtin.meta: flush_handlers
+
+- name: Install nodejs
+  ansible.builtin.apt:
+    name: nodejs
+
+- name: Install yarn
+  ansible.builtin.shell:
+    cmd: npm install --global yarn
+
+- stat: path=/opt/thelounge
+  register: src_path
+
+- name: Retreive thelounge source
+  block:
+    - name: Checkout source
+      ansible.builtin.git:
+        repo: 'https://github.com/revspace/thelounge.git'
+        dest: /opt/thelounge
+        version: 9d6dc83
+        force: true
+
+    - name: Copy patch
+      ansible.builtin.template:
+        src: thelounge-bitlair.patch    
+        dest: /tmp/thelounge-bitlair.patch
+
+    - name: Apply patch
+      ansible.builtin.shell:
+        chdir: /opt/thelounge
+        cmd: git apply /tmp/thelounge-bitlair.patch
+  when: not src_path.stat.exists
+
+- name: Build and install thelounge
+  ansible.builtin.shell:
+    chdir: /opt/thelounge
+    cmd: yarn add sharp --ignore-engines && yarn install --include-optional sharp && NODE_ENV=production yarn build && ln -sf $(pwd)/index.js /usr/local/bin/thelounge
+
+- name: Ensure user thelounge is present
+  user:
+    name: thelounge
+    createhome: no
+    comment: The Lounge (IRC client)
+    system: yes
+    state: present
+  become: yes
+      
+- name: Ensure JS and JSON syntax checking packages are installed
+  yarn:
+    name: "{{ item }}"
+    global: yes
+    state: latest # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+  with_items:
+    - esprima
+    - jsonlint
+  become: yes
+  changed_when: no # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+
+- name: Ensure thelounge configuration directory is present
+  file:
+    path: /etc/thelounge
+    owner: thelounge
+    group: thelounge
+    state: directory
+  become: yes
+
+- name: Ensure The Lounge is configured
+  template:
+    src: config.js.j2
+    dest: /etc/thelounge/config.js
+    owner: thelounge
+    group: thelounge
+    validate: 'esvalidate %s'
+  become: yes
+
+- name: Ensure user configuration directory is present
+  file:
+    path: /var/local/thelounge/users
+    owner: thelounge
+    group: thelounge
+    state: directory
+  become: yes
+
+- name: Ensure preview storage directory is present
+  file:
+    path: /var/local/thelounge/storage
+    owner: thelounge
+    group: thelounge
+    mode: "0770"
+    state: directory
+  become: yes
+
+- name: Copy service file to systemd directory
+  ansible.builtin.template:
+    src: thelounge.service    # Path to your service file in your Ansible project
+    dest: /etc/systemd/system/thelounge.service
+    owner: root
+    group: root
+    mode: '0644'
+  
+- name: Reload systemd daemon to read new service file
+  ansible.builtin.systemd:
+    daemon_reload: yes
+
+- name: Enable and start the service
+  ansible.builtin.systemd:
+    name: thelounge
+    state: started
+    enabled: yes

roles/chat/templates/config.js.j2

@@ -0,0 +1,58 @@
+"use strict";
+
+module.exports = {
+    public: false,
+    port: 9000,
+    bind: "0.0.0.0",
+    reverseProxy: true,
+    lockNetwork: true,
+    maxHistory: 10000,
+    leaveMessage: "Doei!",
+    defaults: {
+        name: "Smurfnet",
+        password: "",
+        rejectUnauthorized: true,
+        nick: "",
+        username: "",
+        realname: "",
+        join: "#bitlair",
+    },
+    messageStorage: ["sqlite", "text"],
+    fileUpload: {
+        enable: true,
+    },
+    networks: {
+        Smurfnet: {
+            host: "irc.smurfnet.ch",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: false,
+        },
+        "Libera.Chat": {
+            host: "irc.libera.chat",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+        OFTC: {
+            host: "irc.oftc.net",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+    },
+    identd: {
+        enable: false,
+    },
+    ldap: {
+        enable: true,
+        url: "{{ thelounge_ldap_url }}",
+        primaryKey: "uid",
+        searchDN: {
+            rootDN: "{{ thelounge_ldap_rootDN }}",
+            rootPassword: "{{ thelounge_ldap_rootPassword }}",
+            filter: "{{ thelounge_ldap_filter }}",
+            base: "{{ thelounge_ldap_base }}",
+        },
+    },
+};

roles/chat/templates/nodejs-apt-pref

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+Package: nodejs
+Pin: origin deb.nodesource.com
+Pin-Priority: 1000

roles/chat/templates/nodesource.list

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+deb [arch=amd64 signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodejs_version }} nodistro main

roles/chat/templates/thelounge-bitlair.patch

@@ -0,0 +1,28 @@
+diff --git a/package.json b/package.json
+index 2991a6ec..dac43f16 100644
+--- a/package.json
++++ b/package.json
+@@ -84,9 +84,7 @@
+     "ua-parser-js": "1.0.33",
+     "uuid": "8.3.2",
+     "web-push": "3.4.5",
+-    "yarn": "1.22.17"
+-  },
+-  "optionalDependencies": {
++    "yarn": "1.22.17",
+     "sqlite3": "5.1.7"
+   },
+   "devDependencies": {
+diff --git a/server/plugins/auth/ldap.ts b/server/plugins/auth/ldap.ts
+index e6093b0f..d30b9a1c 100644
+--- a/server/plugins/auth/ldap.ts
++++ b/server/plugins/auth/ldap.ts
+@@ -134,7 +134,7 @@ const ldapAuth: AuthHandler = (manager, client, user, password, callback) => {
+ 	// auth plugin API
+ 	function callbackWrapper(valid: boolean) {
+ 		if (valid && !client) {
+-			manager.addUser(user, null, false);
++			manager.addUser(user, null, true);
+ 		}
+ 
+ 		callback(valid);

roles/chat/templates/thelounge.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=The Lounge (IRC client)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=thelounge
+Group=thelounge
+Type=simple
+Environment=THELOUNGE_HOME=/var/local/thelounge
+ExecStart=/usr/local/bin/thelounge start
+ProtectSystem=yes
+ProtectHome=yes
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target

roles/common/handlers/main.yaml

@@ -3,7 +3,7 @@
   ansible.builtin.command:
     cmd: update-grub
 
-- name: apt update
+- name: Apt update
   ansible.builtin.apt:
     update_cache: true
 

roles/common/tasks/main.yaml

@@ -79,6 +79,7 @@
       - unattended-upgrades
       - apt-listchanges
       - sudo-ldap
+      - cron
 
 - name: Configure FZF for Bash
   ansible.builtin.lineinfile:

roles/deb_forgejo/defaults/main.yaml

@@ -1 +0,0 @@
-deb_private_host: git.polyfloyd.net

roles/deb_forgejo/handlers/default.yaml

@@ -1,3 +0,0 @@
----
-- ansible.builtin.import_tasks:
-    file: ../../common/handlers/main.yaml

roles/deb_forgejo/tasks/main.yaml

@@ -1,26 +0,0 @@
----
-- tags: deb_forgejo
-  block:
-    - name: Install dependencies
-      apt:
-        name: apt-transport-https
-        state: present
-
-    - name: Install packaging key
-      get_url:
-        url: https://{{ item.host }}/api/packages/{{ item.owner }}/debian/repository.key
-        dest: /etc/apt/keyrings/{{ item.host }}-{{ item.owner }}.asc
-        mode: "0644"
-      with_items: "{{ deb_forgejo_repos }}"
-      notify: apt update
-
-    - name: Install sources.list
-      template:
-        src: sources.list
-        dest: /etc/apt/sources.list.d/deb-forgejo.list
-        owner: root
-        group: root
-        mode: "0644"
-      notify: apt update
-
-    - meta: flush_handlers

roles/deb_forgejo/templates/sources.list

@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-{% for repo in deb_forgejo_repos %}
-deb [signed-by=/etc/apt/keyrings/{{ repo.host }}-{{ repo.owner }}.asc] https://{{ repo.host }}/api/packages/{{ repo.owner }}/debian {{ repo.distro | default('stable') }} {{ repo.component | default('main') }}
-{% endfor %}

roles/etherpad/tasks/main.yaml

@@ -15,7 +15,7 @@
       -o /usr/share/keyrings/nodesource.gpg
   args:
     creates: /usr/share/keyrings/nodesource.gpg
-  notify: apt update
+  notify: Apt update
 
 - name: Install nodesource source list
   ansible.builtin.template:
@@ -24,7 +24,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: apt update
+  notify: Apt update
 
 - name: Install nodejs apt preference
   ansible.builtin.template:
@@ -33,7 +33,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: apt update
+  notify: Apt update
 
 - ansible.builtin.meta: flush_handlers
 

roles/git-ci/defaults/main.yaml

@@ -0,0 +1,2 @@
+runner_wd: /var/lib/forgejo-runner
+runner_version: 6.3.0

roles/git-ci/handlers/main.yaml

@@ -3,6 +3,6 @@
     file: ../../common/handlers/main.yaml
 
 - name: restart forgejo-runner
-  systemd:
+  ansible.builtin.systemd:
     name: forgejo-runner
     state: restarted

roles/git-ci/tasks/main.yaml

@@ -0,0 +1,50 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.apt:
+    name: docker.io
+
+- name: Download forgejo-runner
+  ansible.builtin.get_url:
+    url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
+    dest: /usr/local/bin/forgejo-runner
+    mode: 0755
+  notify: restart forgejo-runner
+
+- name: Create runner dir
+  ansible.builtin.file:
+    state: directory
+    path: "{{ runner_wd }}"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Register runner
+  ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
+  args:
+    chdir: "{{ runner_wd }}"
+    creates: "{{ runner_wd }}/.runner"
+
+- name: Install service file
+  ansible.builtin.template:
+    src: forgejo-runner.service
+    dest: /etc/systemd/system/forgejo-runner.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart forgejo-runner
+
+- name: Enable service
+  ansible.builtin.systemd:
+    name: forgejo-runner
+    enabled: true
+    daemon_reload: true
+
+- name: Start service
+  ansible.builtin.systemd:
+    name: forgejo-runner
+    state: started
+    daemon_reload: true
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/git-ci/templates/forgejo-runner.service

@@ -6,7 +6,7 @@ After=network.target
 
 [Service]
 ExecStart=/usr/local/bin/forgejo-runner daemon
-WorkingDirectory={{ git_ci_runner_wd }}
+WorkingDirectory={{ runner_wd }}
 Restart=on-failure
 RestartSec=10s
 

roles/git_ci/defaults/main.yaml

@@ -1,2 +0,0 @@
----
-git_ci_runner_wd: /var/lib/forgejo-runner

roles/git_ci/tasks/main.yaml

@@ -1,83 +0,0 @@
----
-- tags: git_ci
-  block:
-    - name: Install dependencies
-      apt:
-        name: docker.io
-
-    - name: Query latest forgejo-runner version
-      uri:
-        url: https://code.forgejo.org/api/v1/repos/forgejo/runner/tags
-        return_content: true
-      register: response
-      changed_when: false
-      check_mode: false
-      failed_when: "response is failed or 'json' not in response"
-
-    - name: Format forgejo-runner latest version
-      set_fact:
-        forgejo_runner_version: "{{ response['json'][0]['name'] | trim('v') }}"
-
-    - name: Detect installed forgejo-runner version
-      shell:
-        cmd: |
-          set -o pipefail
-          forgejo-runner --version | grep --color=never -Po '\d\.\d+(\.\d+)?' || echo none
-        executable: /bin/bash
-      register: forgejo_runner_installed_version_shell
-      changed_when: false
-      check_mode: false
-
-    - name: Format installed forgejo-runner version
-      set_fact:
-        forgejo_runner_installed_version: "{{ forgejo_runner_installed_version_shell.stdout }}"
-
-    - debug:
-        msg:
-          - "Forgejo Runner latest version: {{ forgejo_runner_version }}"
-          - "Forgejo Runner installed version: {{ forgejo_runner_installed_version }}"
-
-    - name: Download forgejo-runner
-      get_url:
-        url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ forgejo_runner_version }}/forgejo-runner-{{ forgejo_runner_version }}-linux-amd64"
-        dest: /usr/local/bin/forgejo-runner
-        mode: "0755"
-      notify: restart forgejo-runner
-      when: forgejo_runner_installed_version != forgejo_runner_version
-
-    - name: Create runner dir
-      file:
-        state: directory
-        path: "{{ git_ci_runner_wd }}"
-        owner: root
-        group: root
-        mode: "0755"
-
-    - name: Register runner
-      command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
-      args:
-        chdir: "{{ git_ci_runner_wd }}"
-        creates: "{{ git_ci_runner_wd }}/.runner"
-
-    - name: Install service file
-      template:
-        src: forgejo-runner.service
-        dest: /etc/systemd/system/forgejo-runner.service
-        owner: root
-        group: root
-        mode: "0644"
-      notify: restart forgejo-runner
-
-    - name: Enable service
-      systemd:
-        name: forgejo-runner
-        enabled: true
-        daemon_reload: true
-
-    - name: Start service
-      systemd:
-        name: forgejo-runner
-        state: started
-        daemon_reload: true
-
-    - meta: flush_handlers

roles/monitoring/tasks/mqtt_exporter.yaml

@@ -1,22 +1,47 @@
 ---
+- name: Clone source
+  ansible.builtin.git:
+    repo: https://github.com/polyfloyd/mqtt-exporter.git
+    version: main
+    dest: /opt/mqtt_exporter
+    accept_hostkey: yes
+  notify: restart mqtt_exporter
+
 - name: Install apt dependencies
   ansible.builtin.apt:
-    name: mqtt-exporter
+    name:
+      - jq
+      - python3-paho-mqtt
+      - python3-prometheus-client
+      - python3-yaml
     state: present
 
+- name: Install service
+  ansible.builtin.template:
+    src: mqtt_exporter.service
+    dest: /etc/systemd/system/mqtt_exporter.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Daemon reload
+    - restart mqtt_exporter
+
 - name: Install config file
   ansible.builtin.template:
     src: mqtt_exporter_config.yaml
-    dest: /etc/mqtt-exporter.yaml
+    dest: /etc/mqtt_exporter.yaml
     owner: root
     group: root
     mode: 0644
-  notify: restart mqtt_exporter
+  notify:
+    - Daemon reload
+    - restart mqtt_exporter
 
 - ansible.builtin.meta: flush_handlers
 
 - name: Start service
   ansible.builtin.systemd:
-    name: mqtt-exporter
+    name: mqtt_exporter
     state: started
     enabled: true