From c2466e2ea3cca004d7715c2a26e7bfafda092110 Mon Sep 17 00:00:00 2001 From: Brian Lee Date: Sat, 14 Oct 2023 13:40:20 -0700 Subject: [PATCH] Provide service unit and fix up permissions. Leaving repo in a broken, but still helpful state for now. --- README.md | 31 +++++++++++++------- defaults/main.yml | 9 +++--- handlers/main.yml | 6 ++++ tasks/git.yml | 17 +++++++++++ tasks/install.yml | 64 ++++++++++++++++++++++++++++------------- tasks/main.yml | 11 +++---- tasks/setup-user.yml | 37 ++++++++++++++++++++++++ tasks/setup.yml | 23 --------------- templates/snort.service | 13 +++++++++ 9 files changed, 146 insertions(+), 65 deletions(-) create mode 100644 handlers/main.yml create mode 100644 tasks/git.yml create mode 100644 tasks/setup-user.yml delete mode 100644 tasks/setup.yml create mode 100644 templates/snort.service diff --git a/README.md b/README.md index cfacd6a..7ee854b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,18 @@ # Ansible Role: snort -This Ansible Role builds and installs the [snort](https://github.com/v0l/snort) Typescript frontend assets. It is intended to be composed with a separate role for the web proxy configuration. +This Ansible Role builds and installs [snort](https://github.com/v0l/snort). It is intended to be composed with a separate role for the web proxy configuration. + +**Warning**: This role is incomplete. Yarn seems problematic to run via Ansible. The build step must be done manually. After running this role and the nginx configuration, the manual steps are as follows: + +```shell +systemctl stop snort +cd /var/www/snort +doas -u snort yarn +doas -u snort yarn build +doas -u snort yarn workspace @snort/app intl-extract +doas -u snort yarn workspace @snort/app intl-compile +systemctl start snort +``` Tested on: 
@@ -9,11 +21,10 @@ Tested on: ## Requirements -Install node anyway you like, or let this role do it for you: +* `nodejs` - version 20 is fine, +* `yarn` -* [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs) - -`requirements.yml`: +You can use [ansible-role-nodejs](https://github.com/bleetube/ansible-role-nodejs) if you want to. Here is an example `requirements.yml` for that: ```yaml roles: @@ -21,31 +32,29 @@ roles: name: bleetube.nodejs ``` -It will set up node, npm, yarn, and n using the nodesource Debian repositories. +It will set up `node`, `npm`, `yarn`, and `n` using the nodesource Debian repositories. But you can also install those by any other method. ## Dependencies * [nginx_conf](docs/examples/nginx_conf.yml) (optional) +Any similarly configured web proxy may suffice. + ## Role Variables See the role [defaults](defaults/main.yml). For a working example, see this [homelab stack](https://github.com/bleetube/satstack). ## Example Playbook -This role should not be run as root. - ```yaml - hosts: snort + become: yes roles: - role: nginxinc.nginx_core.nginx - become: yes - role: bleetube.nodejs - become: yes tags: nodejs - role: bleetube.snort tags: snort tasks: - import_tasks: nginx_conf.yml - become: yes ``` diff --git a/defaults/main.yml b/defaults/main.yml index b215821..0e64e22 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,8 @@ --- -node_version: 16 -snort_root_path: /var/www/snort snort_repository_url: https://github.com/v0l/snort.git snort_version: main # follow main branch -snort_devmode: no -snort_repository_path: "{{ ansible_env.HOME }}/src/snort" \ No newline at end of file +snort_install_path: /var/www/snort +snort_system_user: snort +snort_system_group: snort +snort_always_build: no +snort_dangerously: no \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..e27e975 --- /dev/null +++ b/handlers/main.yml 
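Review bot: The two new toggles `snort_always_build` and `snort_dangerously` in defaults/main.yml are undocumented, and of the two only `snort_dangerously` is actually read in tasks/install.yml — `snort_always_build` appears solely in a commented-out `when:`, so setting it has no effect today. A one-line comment on each would save the next operator a grep: `snort_always_build: false  # currently unused; only referenced in a commented-out when: in tasks/install.yml` and `snort_dangerously: false  # run the yarn build tasks in tasks/install.yml as snort_system_user`. `no` is a YAML 1.1 boolean that yamllint's truthy rule flags; `false` is the portable spelling. The file also still ends without a trailing newline.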
@@ -0,0 +1,6 @@
+---
+- name: restart snort
+ ansible.builtin.service:
+ name: snort
+ state: restarted
+ become: yes
diff --git a/tasks/git.yml b/tasks/git.yml
new file mode 100644
index 0000000..2dd6958
--- /dev/null
+++ b/tasks/git.yml
@@ -0,0 +1,17 @@
+---
+- name: Ensure our target installation directory is owned by the appropriate user
+ ansible.builtin.file:
+ path: "{{ snort_install_path }}"
+ owner: "{{ snort_system_user }}"
+ group: "{{ snort_system_group }}"
+ state: directory
+ mode: '0755'
+
+- name: Clone git repository
+ ansible.builtin.git:
+ force: true # write into an existing directory
+ repo: "{{ snort_repository_url }}"
+ dest: "{{ snort_install_path }}"
+ version: "{{ snort_version }}"
+ become_user: "{{ snort_system_user }}"
+ register: git_repository
\ No newline at end of file
diff --git a/tasks/install.yml b/tasks/install.yml
index d968c2e..0d29f65 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
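Review bot: The inline comment on `force: true` in tasks/git.yml says `# write into an existing directory`, but the git module's `force` discards local modifications in an existing checkout rather than permitting a clone into a non-empty directory; since the README now has operators running `yarn` by hand in the same tree, a re-run of the role can silently wipe any file they edited there. I would reword it to `force: true  # discard local modifications so the checkout can move to snort_version`. The `register: git_repository` result also looks unused after this commit, because the only `when:` that read it in tasks/install.yml is commented out — keep it if that gate is coming back, otherwise drop the register. The file also ends without a trailing newline.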
@@ -1,24 +1,48 @@
 ---
-- name: Ensure requirements using yarn
- ansible.builtin.command:
- cmd: yarn
- chdir: "{{ snort_repository_path }}"
- when: snort_devmode or git_repository.changed
-
-- name: Build the frontend assets using yarn build
- ansible.builtin.command:
- cmd: yarn build
- chdir: "{{ snort_repository_path }}"
- when: snort_devmode or git_repository.changed
-
-- name: Copy frontend assets for the web proxy to serve directly
- ansible.builtin.copy:
- src: "{{ snort_repository_path }}/{{ item }}"
- dest: "{{ snort_root_path }}"
- remote_src: yes
+- name: Install service unit
+ ansible.builtin.template:
+ src: snort.service
+ dest: /etc/systemd/system/snort.service
 become: yes
+ register: service_unit
+
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: yes
+ when: service_unit.changed
+ become: yes
+
+# Note: You would think become_user would be enough, but it's not. We only seem to get by when running doas/sudo directly.
+
+- name: Build snort
+ ansible.builtin.command:
+ cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} {{ item }}"
+ chdir: "{{ snort_install_path }}"
+ become_user: "{{ snort_system_user }}"
+ #when: git_repository.changed or snort_always_build
+ when: snort_dangerously
 loop:
- - packages/app/public/
- - packages/app/build/
- changed_when: false
+ - yarn
+ - yarn build
+ - yarn workspace @snort/app intl-extract
+ - yarn workspace @snort/app intl-compile
+
+#- name: Build the frontend assets using yarn build
+# ansible.builtin.command:
+# cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} yarn build"
+# chdir: "{{ snort_install_path }}"
+# when: git_repository.changed or snort_always_build
+# notify: restart snort
+# become_user: "{{ snort_system_user }}"
+
+#- name: Copy frontend assets for the web proxy to serve directly
+# ansible.builtin.copy:
+# src: "{{ snort_repository_path }}/{{ item }}"
+# dest: "{{ snort_root_path }}"
+# remote_src: yes
+# become: yes
+# loop:
+# - packages/app/public/
+# 
- packages/app/build/
+# changed_when: false
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index fd27f64..a9b0b47 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,9 +1,6 @@
 ---
-- name: Assert that we are not logged in as root
- assert:
- that:
- - ansible_user_id != 'root'
- fail_msg: "This role builds Javascript assets and should not be run as root. It will escalate privileges as needed."
-
-- import_tasks: setup.yml
+- import_tasks: setup-user.yml
+ become: yes
+- import_tasks: git.yml
+ become: yes
 - import_tasks: install.yml
diff --git a/tasks/setup-user.yml b/tasks/setup-user.yml
new file mode 100644
index 0000000..8bd6c3a
--- /dev/null
+++ b/tasks/setup-user.yml
@@ -0,0 +1,37 @@
+---
+- name: Get nologin path
+ ansible.builtin.find:
+ paths:
+ - /bin
+ - /sbin
+ - /usr/bin
+ - /usr/sbin
+ patterns: nologin
+ register: nologin_bin
+
+- name: Create the group
+ ansible.builtin.group:
+ name: "{{ snort_system_group }}"
+ state: present
+ system: yes
+ when: snort_system_group != "root"
+
+- name: Create the system user
+ ansible.builtin.user:
+ name: "{{ snort_system_user }}"
+ groups: "{{ snort_system_group }}"
+ shell: "{{ nologin_bin.files[0].path }}"
+ system: yes
+ create_home: no
+ #home: "{{ snort_install_path }}" # this results in a .ansible directory which prevents us from cloning into the install path
+ #home: /nonexistent # this results in .yarn not being writable when we try to run yarn
+ home: /var/lib/snort
+ when: snort_system_user != "root"
+
+- name: Create the home directory
+ ansible.builtin.file:
+ path: /var/lib/snort
+ owner: "{{ snort_system_user }}"
+ group: "{{ snort_system_group }}"
+ state: directory
+ when: snort_system_user != "root"
diff --git a/tasks/setup.yml b/tasks/setup.yml
deleted file mode 100644
index 9dd9597..0000000
--- a/tasks/setup.yml
+++ /dev/null
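Review bot: After `Reload systemd` in tasks/install.yml nothing enables or starts the `snort` service, and the `Build snort` task carries no `notify: restart snort`, so the handler added in handlers/main.yml is never triggered and a changed unit or rebuilt tree leaves the old process running — the README's manual `systemctl start snort` is currently the only thing that starts it. I would add `notify: restart snort` to `Build snort` and a closing `ansible.builtin.systemd` task that enables and starts the unit, as below. `Build snort` also has no `changed_when`, so every run reports a change, and `{{ ansible_become_method }} -u` only works when the become method is `sudo` or `doas`; with `su` the command line is wrong, which the task comment does not mention. The two large commented-out tasks at the bottom are already preserved by git history; deleting them would make the file easier to read.
```yaml
- name: Build snort
  ansible.builtin.command:
    cmd: "{{ ansible_become_method }} -u {{ snort_system_user }} {{ item }}"
    chdir: "{{ snort_install_path }}"
  # … unchanged: become_user, when, loop …
  notify: restart snort

- name: Enable and start snort
  ansible.builtin.systemd:
    name: snort
    enabled: yes
    state: started
  become: yes
```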
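Review bot: `shell: "{{ nologin_bin.files[0].path }}"` in tasks/setup-user.yml fails with an undefined-variable error on any host where the `find` task matches nothing, because `files` is then an empty list; a fallback keeps the task usable: `shell: "{{ nologin_bin.files[0].path if nologin_bin.files | length > 0 else '/usr/sbin/nologin' }}"`. The `Create the home directory` task sets owner and group but no `mode`, so the permissions of /var/lib/snort depend on the remote umask; a fixed `mode: '0750'` makes the result reproducible and keeps the yarn cache there private to the service account. A no-login system user with a dedicated home outside the served tree is the right shape for this account.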
@@ -1,23 +0,0 @@
----
-- name: Ensure root path
- ansible.builtin.file:
- path: "{{ snort_root_path }}"
- state: directory
- mode: '0755'
- become: yes
-
-- name: Clone git repository
- ansible.builtin.git:
- repo: "{{ snort_repository_url }}"
- dest: "{{ snort_repository_path }}"
- version: "{{ snort_version }}"
- force: true
- register: git_repository
- when: not snort_devmode
-
-- name: "Ensure node is version {{ node_version }}"
- ansible.builtin.command:
- cmd: "n {{ node_version }}"
- chdir: "{{ snort_repository_path }}"
- when: snort_devmode or git_repository.changed
- become: yes
diff --git a/templates/snort.service b/templates/snort.service
new file mode 100644
index 0000000..f374b27
--- /dev/null
+++ b/templates/snort.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Snort nostr web client
+
+[Service]
+User={{ snort_system_user }}
+Group={{ snort_system_group }}
+WorkingDirectory={{ snort_install_path }}
+ExecStart=yarn start
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
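Review bot: `ExecStart=yarn start` in templates/snort.service is not an absolute path; recent systemd resolves a bare command name against a fixed search path, but older releases reject the unit outright, so spelling out the path is safer. The unit also has no ordering against the network and no sandboxing even though it already runs as a dedicated user: `NoNewPrivileges=`, `PrivateTmp=` and `ProtectSystem=strict` with `ReadWritePaths=` for the install path and /var/lib/snort (the home where yarn keeps its cache, per tasks/setup-user.yml) limit what a compromised process can write. Whether `yarn start` needs any further writable location has to be checked on the host before `ProtectSystem=strict` is turned on; `Restart=always` would otherwise loop on a permission error.
```ini
[Unit]
Description=Snort nostr web client
After=network.target

[Service]
# … unchanged: User, Group, WorkingDirectory …
# <PATH_TO_YARN>: replace with the absolute path of yarn on the host
ExecStart=<PATH_TO_YARN> start
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths={{ snort_install_path }} /var/lib/snort
# … unchanged: Restart, RestartSec …
```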