Provide service unit and fix up permissions. Leaving repo in a broken, but still helpful state for now.
This commit is contained in:
parent
9004749b67
commit
c2466e2ea3
31
README.md
31
README.md
@ -1,6 +1,18 @@
|
|||||||
# Ansible Role: snort
|
# Ansible Role: snort
|
||||||
|
|
||||||
This Ansible Role builds and installs the [snort](https://github.com/v0l/snort) Typescript frontend assets. It is intended to be composed with a separate role for the web proxy configuration.
|
This Ansible Role builds and installs [snort](https://github.com/v0l/snort). It is intended to be composed with a separate role for the web proxy configuration.
|
||||||
|
|
||||||
|
**Warning**: This role is incomplete. Yarn seems problematic to run via Ansible. The build step must be done manually. After running this role and the nginx configuration, the manual steps are as follows:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
systemctl stop snort
|
||||||
|
cd /var/www/snort
|
||||||
|
doas -u snort yarn
|
||||||
|
doas -u snort yarn build
|
||||||
|
doas -u snort yarn workspace @snort/app intl-extract
|
||||||
|
doas -u snort yarn workspace @snort/app intl-compile
|
||||||
|
systemctl start snort
|
||||||
|
```
|
||||||
|
|
||||||
Tested on:
|
Tested on:
|
||||||
|
|
||||||
@ -9,11 +21,10 @@ Tested on:
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Install node anyway you like, or let this role do it for you:
|
* `nodejs` - version 20 is fine,
|
||||||
|
* `yarn`
|
||||||
|
|
||||||
* [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs)
|
You can use [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs) if you want to. Here is an example `requirements.yml` for that:
|
||||||
|
|
||||||
`requirements.yml`:
|
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
roles:
|
roles:
|
||||||
@ -21,31 +32,29 @@ roles:
|
|||||||
name: bleetube.nodejs
|
name: bleetube.nodejs
|
||||||
```
|
```
|
||||||
|
|
||||||
It will set up node, npm, yarn, and n using the nodesource Debian repositories.
|
It will set up `node`, `npm`, `yarn`, and `n` using the nodesource Debian repositories. But you can also install those by any other method.
|
||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
|
|
||||||
* [nginx_conf](docs/examples/nginx_conf.yml) (optional)
|
* [nginx_conf](docs/examples/nginx_conf.yml) (optional)
|
||||||
|
|
||||||
|
Any similarly configured web proxy may suffice.
|
||||||
|
|
||||||
## Role Variables
|
## Role Variables
|
||||||
|
|
||||||
See the role [defaults](defaults/main.yml). For a working example, see this [homelab stack](https://github.com/bleetube/satstack).
|
See the role [defaults](defaults/main.yml). For a working example, see this [homelab stack](https://github.com/bleetube/satstack).
|
||||||
|
|
||||||
## Example Playbook
|
## Example Playbook
|
||||||
|
|
||||||
This role should not be run as root.
|
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- hosts: snort
|
- hosts: snort
|
||||||
|
become: yes
|
||||||
roles:
|
roles:
|
||||||
- role: nginxinc.nginx_core.nginx
|
- role: nginxinc.nginx_core.nginx
|
||||||
become: yes
|
|
||||||
- role: bleetube.nodejs
|
- role: bleetube.nodejs
|
||||||
become: yes
|
|
||||||
tags: nodejs
|
tags: nodejs
|
||||||
- role: bleetube.snort
|
- role: bleetube.snort
|
||||||
tags: snort
|
tags: snort
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: nginx_conf.yml
|
- import_tasks: nginx_conf.yml
|
||||||
become: yes
|
|
||||||
```
|
```
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
---
|
---
|
||||||
node_version: 16
|
|
||||||
snort_root_path: /var/www/snort
|
|
||||||
snort_repository_url: https://github.com/v0l/snort.git
|
snort_repository_url: https://github.com/v0l/snort.git
|
||||||
snort_version: main # follow main branch
|
snort_version: main # follow main branch
|
||||||
snort_devmode: no
|
snort_install_path: /var/www/snort
|
||||||
snort_repository_path: "{{ ansible_env.HOME }}/src/snort"
|
snort_system_user: snort
|
||||||
|
snort_system_group: snort
|
||||||
|
snort_always_build: no
|
||||||
|
snort_dangerously: no
|
6
handlers/main.yml
Normal file
6
handlers/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: restart snort
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: snort
|
||||||
|
state: restarted
|
||||||
|
become: yes
|
17
tasks/git.yml
Normal file
17
tasks/git.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure our target installation directory is owned by the appropriate user
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ snort_install_path }}"
|
||||||
|
owner: "{{ snort_system_user }}"
|
||||||
|
group: "{{ snort_system_group }}"
|
||||||
|
state: directory
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Clone git repository
|
||||||
|
ansible.builtin.git:
|
||||||
|
force: true # write into an existing directory
|
||||||
|
repo: "{{ snort_repository_url }}"
|
||||||
|
dest: "{{ snort_install_path }}"
|
||||||
|
version: "{{ snort_version }}"
|
||||||
|
become_user: "{{ snort_system_user }}"
|
||||||
|
register: git_repository
|
@ -1,24 +1,48 @@
|
|||||||
---
|
---
|
||||||
- name: Ensure requirements using yarn
|
- name: Install service unit
|
||||||
ansible.builtin.command:
|
ansible.builtin.template:
|
||||||
cmd: yarn
|
src: snort.service
|
||||||
chdir: "{{ snort_repository_path }}"
|
dest: /etc/systemd/system/snort.service
|
||||||
when: snort_devmode or git_repository.changed
|
|
||||||
|
|
||||||
- name: Build the frontend assets using yarn build
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: yarn build
|
|
||||||
chdir: "{{ snort_repository_path }}"
|
|
||||||
when: snort_devmode or git_repository.changed
|
|
||||||
|
|
||||||
- name: Copy frontend assets for the web proxy to serve directly
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ snort_repository_path }}/{{ item }}"
|
|
||||||
dest: "{{ snort_root_path }}"
|
|
||||||
remote_src: yes
|
|
||||||
become: yes
|
become: yes
|
||||||
loop:
|
register: service_unit
|
||||||
- packages/app/public/
|
|
||||||
- packages/app/build/
|
- name: Reload systemd
|
||||||
changed_when: false
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
when: service_unit.changed
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
# Note: You would think become_user would be enough, but it's not. We only seem to get by when running doas/sudo directly.
|
||||||
|
|
||||||
|
- name: Build snort
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} {{ item }}"
|
||||||
|
chdir: "{{ snort_install_path }}"
|
||||||
|
become_user: "{{ snort_system_user }}"
|
||||||
|
#when: git_repository.changed or snort_always_build
|
||||||
|
when: snort_dangerously
|
||||||
|
loop:
|
||||||
|
- yarn
|
||||||
|
- yarn build
|
||||||
|
- yarn workspace @snort/app intl-extract
|
||||||
|
- yarn workspace @snort/app intl-compile
|
||||||
|
|
||||||
|
#- name: Build the frontend assets using yarn build
|
||||||
|
# ansible.builtin.command:
|
||||||
|
# cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} yarn build"
|
||||||
|
# chdir: "{{ snort_install_path }}"
|
||||||
|
# when: git_repository.changed or snort_always_build
|
||||||
|
# notify: restart snort
|
||||||
|
# become_user: "{{ snort_system_user }}"
|
||||||
|
|
||||||
|
#- name: Copy frontend assets for the web proxy to serve directly
|
||||||
|
# ansible.builtin.copy:
|
||||||
|
# src: "{{ snort_repository_path }}/{{ item }}"
|
||||||
|
# dest: "{{ snort_root_path }}"
|
||||||
|
# remote_src: yes
|
||||||
|
# become: yes
|
||||||
|
# loop:
|
||||||
|
# - packages/app/public/
|
||||||
|
# - packages/app/build/
|
||||||
|
# changed_when: false
|
||||||
|
|
@ -1,9 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Assert that we are not logged in as root
|
- import_tasks: setup-user.yml
|
||||||
assert:
|
become: yes
|
||||||
that:
|
- import_tasks: git.yml
|
||||||
- ansible_user_id != 'root'
|
become: yes
|
||||||
fail_msg: "This role builds Javascript assets and should not be run as root. It will escalate privileges as needed."
|
|
||||||
|
|
||||||
- import_tasks: setup.yml
|
|
||||||
- import_tasks: install.yml
|
- import_tasks: install.yml
|
||||||
|
37
tasks/setup-user.yml
Normal file
37
tasks/setup-user.yml
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
- name: Get nologin path
|
||||||
|
ansible.builtin.find:
|
||||||
|
paths:
|
||||||
|
- /bin
|
||||||
|
- /sbin
|
||||||
|
- /usr/bin
|
||||||
|
- /usr/sbin
|
||||||
|
patterns: nologin
|
||||||
|
register: nologin_bin
|
||||||
|
|
||||||
|
- name: Create the group
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ snort_system_group }}"
|
||||||
|
state: present
|
||||||
|
system: yes
|
||||||
|
when: snort_system_group != "root"
|
||||||
|
|
||||||
|
- name: Create the system user
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ snort_system_user }}"
|
||||||
|
groups: "{{ snort_system_group }}"
|
||||||
|
shell: "{{ nologin_bin.files[0].path }}"
|
||||||
|
system: yes
|
||||||
|
create_home: no
|
||||||
|
#home: "{{ snort_install_path }}" # this results in a .ansible directory which prevents us from cloning into the install path
|
||||||
|
#home: /nonexistent # this results in .yarn not being writable when we try to run yarn
|
||||||
|
home: /var/lib/snort
|
||||||
|
when: snort_system_user != "root"
|
||||||
|
|
||||||
|
- name: Create the home directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /var/lib/snort
|
||||||
|
owner: "{{ snort_system_user }}"
|
||||||
|
group: "{{ snort_system_group }}"
|
||||||
|
state: directory
|
||||||
|
when: snort_system_user != "root"
|
@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Ensure root path
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ snort_root_path }}"
|
|
||||||
state: directory
|
|
||||||
mode: '0755'
|
|
||||||
become: yes
|
|
||||||
|
|
||||||
- name: Clone git repository
|
|
||||||
ansible.builtin.git:
|
|
||||||
repo: "{{ snort_repository_url }}"
|
|
||||||
dest: "{{ snort_repository_path }}"
|
|
||||||
version: "{{ snort_version }}"
|
|
||||||
force: true
|
|
||||||
register: git_repository
|
|
||||||
when: not snort_devmode
|
|
||||||
|
|
||||||
- name: "Ensure node is version {{ node_version }}"
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: "n {{ node_version }}"
|
|
||||||
chdir: "{{ snort_repository_path }}"
|
|
||||||
when: snort_devmode or git_repository.changed
|
|
||||||
become: yes
|
|
13
templates/snort.service
Normal file
13
templates/snort.service
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Snort nostr web client
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
User={{ snort_system_user }}
|
||||||
|
Group={{ snort_system_group }}
|
||||||
|
WorkingDirectory={{ snort_install_path }}
|
||||||
|
ExecStart=yarn start
|
||||||
|
Restart=always
|
||||||
|
RestartSec=30
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
Loading…
Reference in New Issue
Block a user