Provide service unit and fix up permissions. Leaving repo in a broken, but still helpful state for now.

This commit is contained in:
Brian Lee 2023-10-14 13:40:20 -07:00
parent 9004749b67
commit c2466e2ea3
9 changed files with 146 additions and 65 deletions

View File

@ -1,6 +1,18 @@
# Ansible Role: snort # Ansible Role: snort
This Ansible Role builds and installs the [snort](https://github.com/v0l/snort) Typescript frontend assets. It is intended to be composed with a separate role for the web proxy configuration. This Ansible Role builds and installs [snort](https://github.com/v0l/snort). It is intended to be composed with a separate role for the web proxy configuration.
**Warning**: This role is incomplete. Yarn seems problematic to run via Ansible. The build step must be done manually. After running this role and the nginx configuration, the manual steps are as follows:
```shell
systemctl stop snort
cd /var/www/snort
doas -u snort yarn
doas -u snort yarn build
doas -u snort yarn workspace @snort/app intl-extract
doas -u snort yarn workspace @snort/app intl-compile
systemctl start snort
```
Tested on: Tested on:
@ -9,11 +21,10 @@ Tested on:
## Requirements ## Requirements
Install node anyway you like, or let this role do it for you: * `nodejs` - version 20 is fine,
* `yarn`
* [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs) You can use [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs) if you want to. Here is an example `requirements.yml` for that:
`requirements.yml`:
```yaml ```yaml
roles: roles:
@ -21,31 +32,29 @@ roles:
name: bleetube.nodejs name: bleetube.nodejs
``` ```
It will set up node, npm, yarn, and n using the nodesource Debian repositories. It will set up `node`, `npm`, `yarn`, and `n` using the nodesource Debian repositories. But you can also install those by any other method.
## Dependencies ## Dependencies
* [nginx_conf](docs/examples/nginx_conf.yml) (optional) * [nginx_conf](docs/examples/nginx_conf.yml) (optional)
Any similarly configured web proxy may suffice.
## Role Variables ## Role Variables
See the role [defaults](defaults/main.yml). For a working example, see this [homelab stack](https://github.com/bleetube/satstack). See the role [defaults](defaults/main.yml). For a working example, see this [homelab stack](https://github.com/bleetube/satstack).
## Example Playbook ## Example Playbook
This role should not be run as root.
```yaml ```yaml
- hosts: snort - hosts: snort
become: yes
roles: roles:
- role: nginxinc.nginx_core.nginx - role: nginxinc.nginx_core.nginx
become: yes
- role: bleetube.nodejs - role: bleetube.nodejs
become: yes
tags: nodejs tags: nodejs
- role: bleetube.snort - role: bleetube.snort
tags: snort tags: snort
tasks: tasks:
- import_tasks: nginx_conf.yml - import_tasks: nginx_conf.yml
become: yes
``` ```

View File

@ -1,7 +1,8 @@
--- ---
node_version: 16
snort_root_path: /var/www/snort
snort_repository_url: https://github.com/v0l/snort.git snort_repository_url: https://github.com/v0l/snort.git
snort_version: main # follow main branch snort_version: main # follow main branch
snort_devmode: no snort_install_path: /var/www/snort
snort_repository_path: "{{ ansible_env.HOME }}/src/snort" snort_system_user: snort
snort_system_group: snort
snort_always_build: no
snort_dangerously: no

6
handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart snort
ansible.builtin.service:
name: snort
state: restarted
become: yes

17
tasks/git.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: Ensure our target installation directory is owned by the appropriate user
ansible.builtin.file:
path: "{{ snort_install_path }}"
owner: "{{ snort_system_user }}"
group: "{{ snort_system_group }}"
state: directory
mode: '0755'
- name: Clone git repository
ansible.builtin.git:
force: true # write into an existing directory
repo: "{{ snort_repository_url }}"
dest: "{{ snort_install_path }}"
version: "{{ snort_version }}"
become_user: "{{ snort_system_user }}"
register: git_repository

View File

@ -1,24 +1,48 @@
--- ---
- name: Ensure requirements using yarn - name: Install service unit
ansible.builtin.command: ansible.builtin.template:
cmd: yarn src: snort.service
chdir: "{{ snort_repository_path }}" dest: /etc/systemd/system/snort.service
when: snort_devmode or git_repository.changed
- name: Build the frontend assets using yarn build
ansible.builtin.command:
cmd: yarn build
chdir: "{{ snort_repository_path }}"
when: snort_devmode or git_repository.changed
- name: Copy frontend assets for the web proxy to serve directly
ansible.builtin.copy:
src: "{{ snort_repository_path }}/{{ item }}"
dest: "{{ snort_root_path }}"
remote_src: yes
become: yes become: yes
loop: register: service_unit
- packages/app/public/
- packages/app/build/ - name: Reload systemd
changed_when: false ansible.builtin.systemd:
daemon_reload: yes
when: service_unit.changed
become: yes
# Note: You would think become_user would be enough, but it's not. We only seem to get by when running doas/sudo directly.
- name: Build snort
ansible.builtin.command:
cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} {{ item }}"
chdir: "{{ snort_install_path }}"
become_user: "{{ snort_system_user }}"
#when: git_repository.changed or snort_always_build
when: snort_dangerously
loop:
- yarn
- yarn build
- yarn workspace @snort/app intl-extract
- yarn workspace @snort/app intl-compile
#- name: Build the frontend assets using yarn build
# ansible.builtin.command:
# cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} yarn build"
# chdir: "{{ snort_install_path }}"
# when: git_repository.changed or snort_always_build
# notify: restart snort
# become_user: "{{ snort_system_user }}"
#- name: Copy frontend assets for the web proxy to serve directly
# ansible.builtin.copy:
# src: "{{ snort_repository_path }}/{{ item }}"
# dest: "{{ snort_root_path }}"
# remote_src: yes
# become: yes
# loop:
# - packages/app/public/
# - packages/app/build/
# changed_when: false

View File

@ -1,9 +1,6 @@
--- ---
- name: Assert that we are not logged in as root - import_tasks: setup-user.yml
assert: become: yes
that: - import_tasks: git.yml
- ansible_user_id != 'root' become: yes
fail_msg: "This role builds Javascript assets and should not be run as root. It will escalate privileges as needed."
- import_tasks: setup.yml
- import_tasks: install.yml - import_tasks: install.yml

37
tasks/setup-user.yml Normal file
View File

@ -0,0 +1,37 @@
---
- name: Get nologin path
ansible.builtin.find:
paths:
- /bin
- /sbin
- /usr/bin
- /usr/sbin
patterns: nologin
register: nologin_bin
- name: Create the group
ansible.builtin.group:
name: "{{ snort_system_group }}"
state: present
system: yes
when: snort_system_group != "root"
- name: Create the system user
ansible.builtin.user:
name: "{{ snort_system_user }}"
groups: "{{ snort_system_group }}"
shell: "{{ nologin_bin.files[0].path }}"
system: yes
create_home: no
#home: "{{ snort_install_path }}" # this results in a .ansible directory which prevents us from cloning into the install path
#home: /nonexistent # this results in .yarn not being writable when we try to run yarn
home: /var/lib/snort
when: snort_system_user != "root"
- name: Create the home directory
ansible.builtin.file:
path: /var/lib/snort
owner: "{{ snort_system_user }}"
group: "{{ snort_system_group }}"
state: directory
when: snort_system_user != "root"

View File

@ -1,23 +0,0 @@
---
- name: Ensure root path
ansible.builtin.file:
path: "{{ snort_root_path }}"
state: directory
mode: '0755'
become: yes
- name: Clone git repository
ansible.builtin.git:
repo: "{{ snort_repository_url }}"
dest: "{{ snort_repository_path }}"
version: "{{ snort_version }}"
force: true
register: git_repository
when: not snort_devmode
- name: "Ensure node is version {{ node_version }}"
ansible.builtin.command:
cmd: "n {{ node_version }}"
chdir: "{{ snort_repository_path }}"
when: snort_devmode or git_repository.changed
become: yes

13
templates/snort.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Snort nostr web client
[Service]
User={{ snort_system_user }}
Group={{ snort_system_group }}
WorkingDirectory={{ snort_install_path }}
ExecStart=yarn start
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target