Serivce mattermost

2020-04-22 22:54:07 +02:00 · 2020-04-22 22:54:07 +02:00 · 43afec97ae
commit 43afec97ae
parent 5e5e4a0ef6
12 changed files with 180 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+host*
+*.retry
+
--- a/bim!chat.yml
+++ b/bim!chat.yml
@ -1,12 +1,14 @@
 ---

- hosts: test
+- hosts: mattermost
  roles:
+    - common
    - postgresql
    - nginx
+    - mattermost
+   
  # déclaration de la variables globales
  vars:
    email: contact@iloth.net
-    http_port: 80
    domain: chat.bim.land
-    hostname: chat
+    cthostname: chat
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@ -1,6 +1,5 @@
 ---
 commonRequirePackages:
-  - htop
  - vim
  - man
  - bash-completion
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -7,7 +7,7 @@
 - name: Install common required packages
  apt:
    name: "{{ commonRequirePackages }}"
-
+    state: present

 - name: Remove useless stuff
  apt:
--- a/roles/mattermost/defaults/main.yml
+++ b/roles/mattermost/defaults/main.yml
@ -8,3 +8,7 @@ requredPackages:
 mattermost_version: 5.21.0

 mattermost_user: mmuser
+
+db_name: mattermostdb
+db_user: mmuser
+db_pass: MatterMost_default_Password
--- a/roles/mattermost/files/pg_hba.conf
+++ b/roles/mattermost/files/pg_hba.conf
@ -0,0 +1,13 @@
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            password
+# IPv6 local connections:
+host    all             all             ::1/128                 ident
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+#local   replication     postgres                                peer
+#host    replication     postgres        127.0.0.1/32            ident
+#host    replication     postgres        ::1/128                 ident
--- a/roles/mattermost/tasks/main.yml
+++ b/roles/mattermost/tasks/main.yml
@ -6,7 +6,7 @@

 - name: unpack mattermost archive
  unarchive:
-    src: /tmp/mattermost-team-{{ mattermost_version }}-linux-amd64.tar.gz
+    src: /tmp/mattermost-{{ mattermost_version }}-linux-amd64.tar.gz
    dest: /opt/
    copy: no
  args:
@ -23,14 +23,14 @@
  lineinfile:
    dest: /opt/mattermost/config/config.json
    regexp: '"DataSource":'
-    line: '        "DataSource": "postgres://{{ db_user }}:{{ db_password }}@127.0.0.1:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",'
+    line: '"DataSource": "postgres://{{ db_user }}:{{ db_pass }}@127.0.0.1:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",'
    backrefs: yes

 - name: Create mattermost user
  user:
    name: "{{ mattermost_user }}"
    system: yes
-    createhome: no
+    createhome: yes

 - name: Change mattermost directory permissions
  file:
@ -39,3 +39,73 @@
    owner: "{{ mattermost_user }}"
    group: "{{ mattermost_user }}"
    recurse: yes
+
+- name: Create data directory for Mattermost
+  file:
+    path: /opt/mattermost/data
+    state: directory
+    mode: '0755'
+
+- name: Edit /
+  lineinfile:
+    dest: /etc/postgresql/11/main/pg_hba.conf
+    regexp: 'local   all             postgres                                peer'
+    line: 'local   all             postgres                                trust'
+    backrefs: yes
+
+- name: ensure postgresql is running
+  service:
+    name: postgresql
+    state: restarted
+
+- name: ensure database is created
+  become: yes
+  become_user: "{{ mattermost_user }}"
+  postgresql_db:
+    name: "{{ db_name }}"
+
+- name: ensure user has access to database
+  become: yes
+  become_user: "{{ mattermost_user }}"
+  postgresql_user:
+    db: "{{ db_name }}"
+    name: "{{ db_user }}"
+    password: "{{ db_pass }}"
+    priv: ALL
+
+- name: ensure user does not have unnecessary privilege
+  become: yes
+  become_user: "{{ mattermost_user }}"
+  postgresql_user:
+    name: "{{ db_user }}"
+    role_attr_flags: NOSUPERUSER,NOCREATEDB
+
+- name: Create nginx configuration
+  template:
+    src: mattermost.conf.j2
+    dest: /etc/nginx/sites-available/mattermost.conf
+    owner: root
+    group: root
+    mode: 0664
+
+- name: Create a symbolic link
+  file:
+    src: /etc/nginx/sites-available/mattermost.conf
+    dest: /etc/nginx/sites-enabled/mattermost.conf
+    owner: root
+    group: root
+    state: link
+
+- name: Create mattermost systemd service
+  template:
+    src: mattermost.service.j2
+    dest: /etc/systemd/system/mattermost.service
+    owner: root
+    group: root
+    mode: 0664
+
+- name: Enable Mattermost service
+  service:
+    name: mattermost
+    enabled: yes
+    state: started
--- a/roles/mattermost/templates/mattermost.conf.j2
+++ b/roles/mattermost/templates/mattermost.conf.j2
@ -0,0 +1,51 @@
+upstream backend {
+   server {{ ansible_default_ipv4.address }}:8065;
+   keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+   listen 80;
+   server_name  {{ domain }};
+
+   location ~ /api/v[0-9]+/(users/)?websocket$ {
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       client_max_body_size 50M;
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       client_body_timeout 60;
+       send_timeout 300;
+       lingering_timeout 5;
+       proxy_connect_timeout 90;
+       proxy_send_timeout 300;
+       proxy_read_timeout 90s;
+       proxy_pass http://backend;
+   }
+
+   location / {
+       client_max_body_size 50M;
+       proxy_set_header Connection "";
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       proxy_read_timeout 600s;
+       proxy_cache mattermost_cache;
+       proxy_cache_revalidate on;
+       proxy_cache_min_uses 2;
+       proxy_cache_use_stale timeout;
+       proxy_cache_lock on;
+       proxy_http_version 1.1;
+       proxy_pass http://backend;
+   }
+}
--- a/roles/mattermost/templates/mattermost.service.j2
+++ b/roles/mattermost/templates/mattermost.service.j2
@ -0,0 +1,19 @@
+[Unit]
+Description=Mattermost
+After=network.target
+After=postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=notify
+ExecStart=/opt/mattermost/bin/mattermost
+TimeoutStartSec=3600
+Restart=always
+RestartSec=10
+WorkingDirectory=/opt/mattermost
+User={{ mattermost_user }}
+Group={{ mattermost_user }}
+LimitNOFILE=49152
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -7,3 +7,8 @@
  apt:
    name: python3-certbot-nginx
  when: installCertbot == True
+
+- name: Allow http and https connexions
+  ufw:
+    rule: allow
+    name: 'Nginx Full'
--- a/roles/postgresql/handlers/main.yml
+++ b/roles/postgresql/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: restart apache
+  service:
+    name: postgresql
+    state: restarted
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@ -5,3 +5,4 @@
    name:
      - postgresql
      - postgresql-contrib
+      - python-psycopg2