diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dc7b3f2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+host*
+*.retry
+
diff --git a/bim!chat.yml b/bim!chat.yml
index d9f0937..97f5e27 100644
--- a/bim!chat.yml
+++ b/bim!chat.yml
@@ -1,12 +1,14 @@
 ---
-- hosts: test
+- hosts: mattermost
 roles:
+ - common
 - postgresql
 - nginx
+ - mattermost
+ # déclaration de la variables globales
 vars:
 email: contact@iloth.net
- http_port: 80
 domain: chat.bim.land
- hostname: chat
+ cthostname: chat
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 2f17ee5..fd080d6 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 commonRequirePackages:
- - htop
 - vim
 - man
 - bash-completion
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b00113e..cea5b6d 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Install common required packages
 apt:
 name: "{{ commonRequirePackages }}"
-
+ state: present
 - name: Remove useless stuff
 apt:
diff --git a/roles/mattermost/defaults/main.yml b/roles/mattermost/defaults/main.yml
index a2bb332..b48e9b8 100644
--- a/roles/mattermost/defaults/main.yml
+++ b/roles/mattermost/defaults/main.yml
@@ -8,3 +8,7 @@ requredPackages:
 mattermost_version: 5.21.0
 mattermost_user: mmuser
+
+db_name: mattermostdb
+db_user: mmuser
+db_pass: MatterMost_default_Password
diff --git a/roles/mattermost/files/pg_hba.conf b/roles/mattermost/files/pg_hba.conf
new file mode 100644
index 0000000..708d496
--- /dev/null
+++ b/roles/mattermost/files/pg_hba.conf
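Review bot: The last added line renames `hostname: chat` to `cthostname: chat`, which reads like an accidental keystroke rather than a deliberate new variable; nothing else in this commit references either name (the templates use `domain`), so if a task outside the diff still reads `hostname` the play will now fail with an undefined-variable error. Either restore `hostname: chat` or put a comment above the line saying which task consumes `cthostname`. The added French comment above `vars:` is also ungrammatical; `# déclaration des variables globales` is the intended form.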
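Review bot: `db_pass: MatterMost_default_Password` puts a working database credential into role defaults under version control, and the tasks in this same commit write it both into the Mattermost DataSource and into the PostgreSQL role, so a host deployed without overriding it runs on a password visible to everyone with repository access. Keep the key but source the value from outside the repo (an Ansible Vault-encrypted variable or an extra-var) and make the role refuse the default, e.g. a first task `assert: { that: "db_pass != 'MatterMost_default_Password'", fail_msg: "override db_pass" }`. `db_user: mmuser` also reuses the OS account name from `mattermost_user`; a one-line comment that the PostgreSQL role and the system user are independent accounts would stop a later rename of one being assumed to cover the other.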
@@ -0,0 +1,13 @@
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 password
+# IPv6 local connections:
+host all all ::1/128 ident
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+#local replication postgres peer
+#host replication postgres 127.0.0.1/32 ident
+#host replication postgres ::1/128 ident
diff --git a/roles/mattermost/tasks/main.yml b/roles/mattermost/tasks/main.yml
index 6be56c1..0d93514 100644
--- a/roles/mattermost/tasks/main.yml
+++ b/roles/mattermost/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: unpack mattermost archive
 unarchive:
- src: /tmp/mattermost-team-{{ mattermost_version }}-linux-amd64.tar.gz
+ src: /tmp/mattermost-{{ mattermost_version }}-linux-amd64.tar.gz
 dest: /opt/
 copy: no
 args:
@@ -23,14 +23,14 @@
 lineinfile:
 dest: /opt/mattermost/config/config.json
 regexp: '"DataSource":'
- line: ' "DataSource": "postgres://{{ db_user }}:{{ db_password }}@127.0.0.1:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",'
+ line: '"DataSource": "postgres://{{ db_user }}:{{ db_pass }}@127.0.0.1:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",'
 backrefs: yes
 - name: Create mattermost user
 user:
 name: "{{ mattermost_user }}"
 system: yes
- createhome: no
+ createhome: yes
 - name: Change mattermost directory permissions
 file:
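Review bot: `local all all trust` on the fourth added line lets any local OS account open a Unix-socket connection to every database as any role, including `postgres`, with no authentication at all, and `host all all 127.0.0.1/32 password` sends the password in clear over loopback while the IPv6 line below it uses `ident`, so the three local rules contradict each other. Nothing in the tasks of this commit copies this file to the host (the mattermost role edits `/etc/postgresql/11/main/pg_hba.conf` in place with `lineinfile`), so it may be dead; if it is meant to be deployed, `local all all peer` plus `scram-sha-256` (available on PostgreSQL 11) or `md5` on both loopback lines are the usual settings. A comment at the top naming the task that installs it would keep it from drifting away from the in-place edit.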
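Review bot: The changed `src:` line unpacks an archive from `/tmp` into `/opt/` with `copy: no` and no integrity check, so whatever sits at that world-writable path at run time becomes the installed Mattermost binary; the task that downloads it is outside this hunk, so I cannot see whether it verifies anything. Fetching with `get_url` and a `checksum:` (the sha256 published with the release) into a root-owned staging directory such as `/opt/mattermost-dist/` instead of `/tmp`, and pointing this `src:` at that path, would close both gaps. The task list continues outside the hunk (`args:` is cut off).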
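Review bot: The rewritten `line:` embeds `{{ db_pass }}` in `config.json`, but the `lineinfile` task sets no `mode`, so the file keeps whatever permissions the tarball gave it, and it has no `no_log`, so the full DataSource string, password included, is printed in the play output on every change or `--diff` run. Add `mode: '0640'` and `no_log: true` to that task. `createhome: yes` on the new `user:` task creates a home for a system account whose working directory is `/opt/mattermost`; if the home is not needed the previous `createhome: no` was the tighter setting, and if it is, a comment saying what uses it would help.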
@@ -39,3 +39,73 @@
 owner: "{{ mattermost_user }}"
 group: "{{ mattermost_user }}"
 recurse: yes
+
+- name: Create data directory for Mattermost
+ file:
+ path: /opt/mattermost/data
+ state: directory
+ mode: '0755'
+
+- name: Edit /
+ lineinfile:
+ dest: /etc/postgresql/11/main/pg_hba.conf
+ regexp: 'local all postgres peer'
+ line: 'local all postgres trust'
+ backrefs: yes
+
+- name: ensure postgresql is running
+ service:
+ name: postgresql
+ state: restarted
+
+- name: ensure database is created
+ become: yes
+ become_user: "{{ mattermost_user }}"
+ postgresql_db:
+ name: "{{ db_name }}"
+
+- name: ensure user has access to database
+ become: yes
+ become_user: "{{ mattermost_user }}"
+ postgresql_user:
+ db: "{{ db_name }}"
+ name: "{{ db_user }}"
+ password: "{{ db_pass }}"
+ priv: ALL
+
+- name: ensure user does not have unnecessary privilege
+ become: yes
+ become_user: "{{ mattermost_user }}"
+ postgresql_user:
+ name: "{{ db_user }}"
+ role_attr_flags: NOSUPERUSER,NOCREATEDB
+
+- name: Create nginx configuration
+ template:
+ src: mattermost.conf.j2
+ dest: /etc/nginx/sites-available/mattermost.conf
+ owner: root
+ group: root
+ mode: 0664
+
+- name: Create a symbolic link
+ file:
+ src: /etc/nginx/sites-available/mattermost.conf
+ dest: /etc/nginx/sites-enabled/mattermost.conf
+ owner: root
+ group: root
+ state: link
+
+- name: Create mattermost systemd service
+ template:
+ src: mattermost.service.j2
+ dest: /etc/systemd/system/mattermost.service
+ owner: root
+ group: root
+ mode: 0664
+
+- name: Enable Mattermost service
+ service:
+ name: mattermost
+ enabled: yes
+ state: started
diff --git a/roles/mattermost/templates/mattermost.conf.j2 b/roles/mattermost/templates/mattermost.conf.j2
new file mode 100644
index 0000000..0fd24da
--- /dev/null
+++ b/roles/mattermost/templates/mattermost.conf.j2
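Review bot: The `Edit /` task switches `local all postgres peer` to `trust` in the live `pg_hba.conf`, which permanently lets every local OS account connect as the `postgres` superuser without authenticating; it is only there so that the three `postgresql_*` tasks can run as `become_user: "{{ mattermost_user }}"`, which `peer` authentication would reject. Running those tasks as `become_user: postgres` removes the need for the edit and for the unconditional `state: restarted` after it, and the two `postgresql_user` calls collapse into one task, since `role_attr_flags` is an argument of the same module. Separately, `mode: 0664` on the nginx site and on the systemd unit makes both group-writable and is an unquoted octal (the `'0755'` a few lines up is quoted); `mode: '0644'` is the usual value for both. If the `Edit /` task is kept, its name should say what it edits.
```yaml
# … unchanged: "Create data directory for Mattermost" task …

# (the "Edit /" lineinfile and the "ensure postgresql is running" restart are dropped:
#  peer authentication already lets the postgres OS user connect as the postgres role)
- name: ensure database is created
  become: yes
  become_user: postgres
  postgresql_db:
    name: "{{ db_name }}"

- name: ensure user has access to database and no extra role attributes
  become: yes
  become_user: postgres
  postgresql_user:
    db: "{{ db_name }}"
    name: "{{ db_user }}"
    password: "{{ db_pass }}"
    priv: ALL
    role_attr_flags: NOSUPERUSER,NOCREATEDB
  no_log: true

# … unchanged: nginx configuration, symlink, systemd unit and service tasks (with mode: '0644' on the two templates) …
```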
@@ -0,0 +1,51 @@
+upstream backend {
+ server {{ ansible_default_ipv4.address }}:8065;
+ keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+ listen 80;
+ server_name {{ domain }};
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ client_max_body_size 50M;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_pass http://backend;
+ }
+
+ location / {
+ client_max_body_size 50M;
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_http_version 1.1;
+ proxy_pass http://backend;
+ }
+}
diff --git a/roles/mattermost/templates/mattermost.service.j2 b/roles/mattermost/templates/mattermost.service.j2
new file mode 100644
index 0000000..4bf3a2a
--- /dev/null
+++ b/roles/mattermost/templates/mattermost.service.j2
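Review bot: The websocket `location ~ /api/v[0-9]+/(users/)?websocket$` block sets `Upgrade` and `Connection "upgrade"` but never sets `proxy_http_version 1.1;` (only `location /` does), and nginx proxies with HTTP/1.0 by default, so the upgrade is not forwarded and websocket connections to Mattermost will fail; add `proxy_http_version 1.1;` before `proxy_pass http://backend;` in that block. `proxy_set_header X-Frame-Options SAMEORIGIN;` in both locations sends a request header to the backend rather than a response header to the browser; `add_header X-Frame-Options SAMEORIGIN;` is the directive that does what the name suggests. The upstream targets the host's external address on 8065; `server 127.0.0.1:8065;` with Mattermost bound to loopback keeps 8065 off the network instead of relying on the firewall. With only `listen 80;` this is a plain-HTTP site, so sessions and credentials cross the wire in clear unless certbot (installed by the nginx role) is run separately to add TLS.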
@@ -0,0 +1,19 @@
+[Unit]
+Description=Mattermost
+After=network.target
+After=postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=notify
+ExecStart=/opt/mattermost/bin/mattermost
+TimeoutStartSec=3600
+Restart=always
+RestartSec=10
+WorkingDirectory=/opt/mattermost
+User={{ mattermost_user }}
+Group={{ mattermost_user }}
+LimitNOFILE=49152
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 48e1f08..7f197df 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -7,3 +7,8 @@
 apt:
 name: python3-certbot-nginx
 when: installCertbot == True
+
+- name: Allow http and https connexions
+ ufw:
+ rule: allow
+ name: 'Nginx Full'
diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml
new file mode 100644
index 0000000..ddb5001
--- /dev/null
+++ b/roles/postgresql/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart apache
+ service:
+ name: postgresql
+ state: restarted
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 139751e..f37efd1 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -5,3 +5,4 @@
 name:
 - postgresql
 - postgresql-contrib
+ - python-psycopg2
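Review bot: The `[Service]` section runs Mattermost as `{{ mattermost_user }}` but carries no sandboxing, so a compromise of the web process keeps the ability to gain privileges through setuid binaries and to see the shared `/tmp`; `NoNewPrivileges=true` and `PrivateTmp=true` are safe to add for a service whose writable tree is `/opt/mattermost`, and `ProtectSystem=full` keeps `/usr`, `/boot` and `/etc` read-only without touching `/opt`. `Type=notify` depends on the binary implementing sd_notify (Mattermost does), and `TimeoutStartSec=3600` is unusually long; a one-line comment on each saying why they are set would save the next reader a trip to the Mattermost docs.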
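Review bot: The new `ufw:` task allows `'Nginx Full'` (80 and 443), but nothing in this commit enables ufw or sets a default policy, so if the firewall is inactive the rule changes nothing and Mattermost's own port 8065 stays reachable from the network; a task such as `ufw: { state: enabled, policy: deny, direction: incoming }` (preceded by an `allow` for SSH, or the play locks itself out) is what gives this rule its effect. The context line `when: installCertbot == True` compares against a Python boolean and misbehaves for string values of the variable such as `"false"`; `when: installCertbot | bool` is the robust form. `connexions` in the task name is the French spelling; `connections`.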
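Review bot: The handler is named `restart apache` but restarts `postgresql`, so a task that writes `notify: restart postgresql` errors with an unknown handler, and anyone searching for the apache restart finds the wrong service; rename it `- name: restart postgresql`. The mattermost role in this same commit restarts PostgreSQL unconditionally with a `service` task rather than notifying a handler; once the handler is correctly named, any task that actually changes PostgreSQL configuration should `notify` it instead, so the restart only happens on change.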
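Review bot: The added package is `python-psycopg2`, the Python 2 binding, while the nginx role in this commit installs `python3-certbot-nginx` and the mattermost role edits `/etc/postgresql/11/main/pg_hba.conf`, which suggests a Debian 10-era host where Ansible runs under a Python 3 interpreter; in that setup the `postgresql_db`/`postgresql_user` tasks fail with a missing-psycopg2 error even though this package is installed. Use `- python3-psycopg2` (or list both if some hosts still run the modules under Python 2). The `name:` list belongs to an `apt:` task whose head is outside the hunk.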