From c230c6632aba600c34301e1664a4b16acec050e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 5 Jun 2018 23:53:22 +0200 Subject: Add etherpad role --- modules/role/manifests/etherpad.pp | 129 +++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 modules/role/manifests/etherpad.pp (limited to 'modules')
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
new file mode 100644
index 0000000..826525e
--- /dev/null
+++ b/modules/role/manifests/etherpad.pp
@@ -0,0 +1,129 @@
+class role::etherpad (
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ include "base_installation"
+
+ include "profile::tools"
+ include "profile::postgresql"
+ include "profile::apache"
+
+ ensure_packages(["npm"])
+ ensure_packages(["abiword"])
+ ensure_packages(["libreoffice-fresh", "libreoffice-fresh-fr", "java-runtime-common", "jre8-openjdk"])
+ ensure_packages(["tidy"])
+ aur::package { "etherpad-lite": }
+
+ $modules = [
+ "ep_aa_file_menu_toolbar",
+ "ep_adminpads",
+ "ep_align",
+ "ep_bookmark",
+ "ep_clear_formatting",
+ "ep_colors",
+ "ep_copy_paste_select_all",
+ "ep_cursortrace",
+ "ep_embedmedia",
+ "ep_font_family",
+ "ep_font_size",
+ "ep_headings2",
+ "ep_ldapauth",
+ "ep_line_height",
+ "ep_markdown",
+ "ep_previewimages",
+ "ep_ruler",
+ "ep_scrollto",
+ "ep_set_title_on_pad",
+ "ep_subscript_and_superscript",
+ "ep_timesliderdiff"
+ ]
+
+ $modules.each |$module| {
+ exec { "npm_install_$module":
+ command => "/usr/bin/npm install $module",
+ unless => "/usr/bin/test -d /usr/share/etherpad-lite/node_modules/$module",
+ cwd => "/usr/share/etherpad-lite/",
+ environment => "HOME=/root",
+ require => Aur::Package["etherpad-lite"],
+ before => Service["etherpad-lite"],
+ notify => Service["etherpad-lite"],
+ }
+ ->
+ file { "/usr/share/etherpad-lite/node_modules/$module/.ep_initialized":
+ ensure => present,
+ mode => "0644",
+ before => Service["etherpad-lite"],
+ }
+ }
+
+ service { "etherpad-lite":
+ enable => true,
+ ensure => "running",
+ require => Aur::Package["etherpad-lite"],
+ subscribe => Aur::Package["etherpad-lite"],
+ }
+
+ $web_host = "outils-1.v.immae.eu"
+ $pg_db = "etherpad-lite"
+ $pg_user = "etherpad-lite"
+ $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
+
+ file { "/var/lib/postgres/data/certs":
+ ensure => directory,
+ mode => "0700",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => File["/var/lib/postgres"],
+ }
+
+ file { "/var/lib/postgres/data/certs/cert.pem":
+ source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
+ }
+
+ file { "/var/lib/postgres/data/certs/privkey.pem":
+ source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
+ }
+
+ postgresql::server::config_entry { "wal_level":
+ value => "logical",
+ }
+
+ postgresql::server::config_entry { "ssl":
+ value => "on",
+ require => Letsencrypt::Certonly[$web_host],
+ }
+
+ postgresql::server::config_entry { "ssl_cert_file":
+ value => "/var/lib/postgres/data/certs/cert.pem",
+ require => Letsencrypt::Certonly[$web_host],
+ }
+
+ postgresql::server::config_entry { "ssl_key_file":
+ value => "/var/lib/postgres/data/certs/privkey.pem",
+ require => Letsencrypt::Certonly[$web_host],
+ }
+
+ postgresql::server::db { $pg_db:
+ user => $pg_user,
+ password => postgresql_password($pg_user, $pg_password),
+ }
+
+ postgresql::server::pg_hba_rule { "allow local access to $pg_user user":
+ type => 'local',
+ database => $pg_db,
+ user => $pg_user,
+ auth_method => 'ident',
+ order => "05-01",
+ }
+
+}
-- cgit v1.2.3
From a1c3146595f8f6c7b78adfca8388dd35083b4c7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 18 Jun 2018 10:40:00 +0200 Subject: Patch libreoffice --- modules/role/files/etherpad/libreoffice_patch.diff | 11 +++++++++++ modules/role/manifests/etherpad.pp | 3 +++ 2 files changed, 14 insertions(+) create mode 100644 modules/role/files/etherpad/libreoffice_patch.diff (limited to 'modules')
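Review bot: The `npm_install_$module` exec in the `$modules.each` loop installs whatever version npm resolves at run time and runs as root (`environment => "HOME=/root"`, no `user =>`), so the plugin set is not reproducible across hosts and the whole node_modules tree, including the `.ep_initialized` marker created right after it, ends up root-owned. Pin each plugin (e.g. `"ep_adminpads@<version>"` in `$modules` — version is a placeholder) and run the install as the account that owns the tree, `user => "etherpad-lite"` with a matching `HOME`. Note that `unless => "/usr/bin/test -d …"` means a changed pin is never applied on an already-provisioned host, so the version should be part of the check as well. Separately, the two cert `file` resources copy cert.pem/privkey.pem but nothing notifies the postgres service when they change, so a renewed certificate is not picked up until an unrelated restart; I would add `notify => Class["postgresql::server::service"]` to both (confirm the class name against the postgresql module version in use).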
diff --git a/modules/role/files/etherpad/libreoffice_patch.diff b/modules/role/files/etherpad/libreoffice_patch.diff
new file mode 100644
index 0000000..dbfdf1a
--- /dev/null
+++ b/modules/role/files/etherpad/libreoffice_patch.diff
@@ -0,0 +1,11 @@
+--- a/LibreOffice.js 2018-06-18 09:54:15.087161212 +0200
++++ b/LibreOffice.js 2018-06-18 10:33:27.534055021 +0200
+@@ -63,6 +63,7 @@
+ '--invisible',
+ '--nologo',
+ '--nolockcheck',
++ '-env:UserInstallation=file:///tmp/',
+ '--convert-to', task.type,
+ task.srcFile,
+ '--outdir', tmpDir
+
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 826525e..476a210 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -13,6 +13,9 @@ class role::etherpad (
 ensure_packages(["libreoffice-fresh", "libreoffice-fresh-fr", "java-runtime-common", "jre8-openjdk"])
 ensure_packages(["tidy"])
 aur::package { "etherpad-lite": }
+ -> patch::file { "/usr/share/etherpad-lite/src/node/utils/LibreOffice.js":
+ diff_source => "puppet:///modules/role/etherpad/libreoffice_patch.diff",
+ }
 
 $modules = [
 "ep_aa_file_menu_toolbar",
-- cgit v1.2.3
From f568173a3d8a43ac30fa9294a75c260042b9e415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 18 Jun 2018 14:09:05 +0200 Subject: Add postgresql_master profile --- .../profile/files/postgresql_master/pam_postgresql | 3 + modules/profile/manifests/postgresql_master.pp | 116 +++++++++++++++++++++ .../postgresql_master/pam_ldap_postgresql.conf.erb | 6 ++ modules/role/manifests/etherpad.pp | 52 ++------- 4 files changed, 131 insertions(+), 46 deletions(-) create mode 100644 modules/profile/files/postgresql_master/pam_postgresql create mode 100644 modules/profile/manifests/postgresql_master.pp create mode 100644 modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb (limited to 'modules')
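Review bot: The added `'-env:UserInstallation=file:///tmp/'` gives LibreOffice a fixed profile directory at a predictable path inside a world-writable location, so the profile it reads on every conversion (registry settings and any macro/extension configuration under it, as far as I know of LibreOffice's profile layout) is not under the service account's exclusive control. Point it at a directory owned by the etherpad user instead, e.g. `'-env:UserInstallation=file:///var/lib/etherpad-lite/soffice-profile/'` (path is a placeholder — choose one the package already provides), or derive a per-task path from `tmpDir`, which is already in scope two lines below. The same string reaches the host through the `patch::file` hunk for etherpad.pp in this commit, so only the checked-in patch needs to change.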
diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
+auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
new file mode 100644
index 0000000..3f68890
--- /dev/null
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,116 @@
+define profile::postgresql_master (
+ $letsencrypt_host = undef,
+ $backup_hosts = [],
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ ensure_resource("file", "/var/lib/postgres/data/certs", {
+ ensure => directory,
+ mode => "0700",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => File["/var/lib/postgres"],
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("postgresql::server::config_entry", "wal_level", {
+ value => "logical",
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl", {
+ value => "on",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+ value => "/var/lib/postgres/data/certs/cert.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+ value => "/var/lib/postgres/data/certs/privkey.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ $backup_hosts.each |$backup_host| {
+ ensure_packages(["pam_ldap"])
+
+ $facts["ldapvar"]["other"].each |$host| {
+ if ($host["cn"][0] == $backup_host) {
+ $host["ipHostNumber"].each |$ip| {
+ $infos = split($ip, "/")
+ $ipaddress = $infos[0]
+ if (length($infos) == 1 and $ipaddress =~ /:/) {
+ $mask = "128"
+ } elsif (length($infos) == 1) {
+ $mask = "32"
+ } else {
+ $mask = $infos[1]
+ }
+
+ postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+ type => 'hostssl',
+ database => 'replication',
+ user => $backup_host,
+ address => "$ipaddress/$mask",
+ auth_method => 'pam',
+ order => "06-01",
+ }
+ }
+
+ postgresql::server::role { $backup_host:
+ replication => true,
+ }
+
+ postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+ ensure => present
+ }
+ }
+ }
+
+ $ldap_server = lookup("base_installation::ldap_server")
+ $ldap_base = lookup("base_installation::ldap_base")
+ $ldap_dn = lookup("base_installation::ldap_dn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $ldap_attribute = "cn"
+
+ file { "/etc/pam_ldap.d":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ } ->
+ file { "/etc/pam_ldap.d/postgresql.conf":
+ ensure => "present",
+ mode => "0600",
+ owner => $::profile::postgresql::pg_user,
+ group => "root",
+ content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+ } ->
+ file { "/etc/pam.d/postgresql":
+ ensure => "present",
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+ }
+ }
+
+}
diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
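Review bot: The three `file` resources for `/etc/pam_ldap.d`, `/etc/pam_ldap.d/postgresql.conf` and `/etc/pam.d/postgresql` (together with the `$ldap_*` lookups just above them) are declared inside `$backup_hosts.each`, so a second entry in `$backup_hosts` fails the catalog with a duplicate resource declaration. Move that block out of the loop and guard it with `unless empty($backup_hosts) { … }`, so the PAM files are managed exactly once however many backup hosts there are. While here, the pg_hba rule's `type => 'hostssl'` plus `auth_method => 'pam'` is the right shape; a one-line comment above it, `# replication user authenticates via pam_ldap using the host's cn (see pam_login_attribute in the template)`, would save the next reader a trip to the template.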
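Review bot: The generated pam_ldap configuration uses a bare `host <%= @ldap_server %>` with no `uri ldaps://` or `ssl` directive, so unless the server refuses plain LDAP on 389 the bind credentials (`bindpw`) and the replication user's password checked during PAM auth travel unencrypted — the etherpad settings in this same series reach the same server over `ldaps://`. I would write `uri ldaps://<%= @ldap_server %>` (or keep `host` and add `ssl start_tls`) together with `tls_cacertfile <CA bundle path>` and `tls_checkpeer yes` so the peer certificate is actually verified. Which of these keywords the installed `pam_ldap` package honours depends on the implementation it ships, so confirm against the package pulled in by `ensure_packages(["pam_ldap"])`.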
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 476a210..a43f146 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -66,54 +66,14 @@ class role::etherpad (
 subscribe => Aur::Package["etherpad-lite"],
 }
 
- $web_host = "outils-1.v.immae.eu"
- $pg_db = "etherpad-lite"
- $pg_user = "etherpad-lite"
+ $web_host = "outils-1.v.immae.eu"
+ $pg_db = "etherpad-lite"
+ $pg_user = "etherpad-lite"
 $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
 
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$web_host],
+ profile::postgresql_master { "postgresql master for etherpad":
+ letsencrypt_host => $web_host,
+ backup_hosts => ["backup-1"],
 }
 
 postgresql::server::db { $pg_db:
-- cgit v1.2.3
From 580bd7fc5d4b078f8dec2fd440e5989b5f963f61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 23 Jun 2018 14:02:48 +0200 Subject: Add json file --- modules/role/manifests/etherpad.pp | 26 +++++-- modules/role/templates/etherpad/settings.json.erb | 93 +++++++++++++++++++++++ 2 files changed, 114 insertions(+), 5 deletions(-) create mode 100644 modules/role/templates/etherpad/settings.json.erb (limited to 'modules')
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index a43f146..109da96 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -1,6 +1,20 @@
 class role::etherpad (
 ) {
 $password_seed = lookup("base_installation::puppet_pass_seed")
+ $web_host = lookup("base_installation::real_hostname")
+ $web_listen = "0.0.0.0"
+ $web_port = 18000
+ $pg_db = "etherpad-lite"
+ $pg_user = "etherpad-lite"
+ $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
+
+ $ldap_server = lookup("base_installation::ldap_server")
+ $ldap_base = lookup("base_installation::ldap_base")
+ $ldap_dn = lookup("base_installation::ldap_dn")
+ $ldap_account_pattern = "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))"
+ $ldap_group_pattern = "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)"
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+
 
 include "base_installation"
 
@@ -16,6 +30,13 @@ class role::etherpad (
 -> patch::file { "/usr/share/etherpad-lite/src/node/utils/LibreOffice.js":
 diff_source => "puppet:///modules/role/etherpad/libreoffice_patch.diff",
 }
+ -> file { "/etc/etherpad-lite/settings.json":
+ ensure => present,
+ owner => "etherpad-lite",
+ group => "etherpad-lite",
+ notify => Service["etherpad-lite"],
+ content => template("role/etherpad/settings.json.erb"),
+ }
 
 $modules = [
 "ep_aa_file_menu_toolbar",
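Review bot: `$web_listen = "0.0.0.0"` makes the rendered `"ip"` bind on every interface, so the Node process on `$web_port` (18000) is reachable directly and not only through whatever `profile::apache` puts in front of it — and the template in this commit sets `"requireAuthentication" : false`, so that direct path carries no authentication at all. If the apache vhost is the intended entry point, `$web_listen = "127.0.0.1"` keeps it that way (or a host firewall rule on 18000, which this series does not show). I cannot see the vhost from here, so confirm how the proxy reaches the backend before changing the listen address.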
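Review bot: The `file { "/etc/etherpad-lite/settings.json": … }` resource sets `owner` and `group` but no `mode`, and the template it renders carries the LDAP bind password (`"searchPWD": "<%= @ldap_password %>"`), so when Puppet creates the file it gets the default permissions (typically 0644, readable by every local account). Add `mode => "0640"` (or `"0600"`) next to `owner`/`group`. If the aur package already ships a settings.json the existing mode would be kept instead, which is another reason to pin it explicitly so the result does not depend on which case applies.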
@@ -66,11 +87,6 @@ class role::etherpad (
 subscribe => Aur::Package["etherpad-lite"],
 }
 
- $web_host = "outils-1.v.immae.eu"
- $pg_db = "etherpad-lite"
- $pg_user = "etherpad-lite"
- $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
-
 profile::postgresql_master { "postgresql master for etherpad":
 letsencrypt_host => $web_host,
 backup_hosts => ["backup-1"],
diff --git a/modules/role/templates/etherpad/settings.json.erb b/modules/role/templates/etherpad/settings.json.erb
new file mode 100644
index 0000000..dfd69c1
--- /dev/null
+++ b/modules/role/templates/etherpad/settings.json.erb
@@ -0,0 +1,93 @@
+{
+ "title": "Etherpad",
+ "favicon": "favicon.ico",
+
+ "ip": "<%= @web_listen %>",
+ "port" : <%= @web_port %>,
+ "showSettingsInAdminPage" : false,
+ "dbType" : "postgres",
+ "dbSettings" : {
+ "user" : "<%= @pg_user %>",
+ "host" : "/run/postgresql",
+ "password": "",
+ "database": "<%= @pg_db %>",
+ "charset" : "utf8mb4"
+ },
+
+ "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
+ "padOptions": {
+ "noColors": false,
+ "showControls": true,
+ "showChat": true,
+ "showLineNumbers": true,
+ "useMonospaceFont": false,
+ "userName": false,
+ "userColor": false,
+ "rtl": false,
+ "alwaysShowChat": false,
+ "chatAndUsers": false,
+ "lang": "en-gb"
+ },
+
+ "suppressErrorsInPadText" : false,
+ "requireSession" : false,
+ "editOnly" : false,
+ "sessionNoPassword" : false,
+ "minify" : true,
+ "maxAge" : 21600,
+ "abiword" : "/usr/bin/abiword",
+ "soffice" : "/usr/bin/soffice",
+ "tidyHtml" : "/usr/bin/tidy",
+ "allowUnknownFileEnds" : true,
+ "requireAuthentication" : false,
+ "requireAuthorization" : false,
+ "trustProxy" : false,
+ "disableIPlogging" : false,
+ "automaticReconnectionTimeout" : 0,
+ "scrollWhenFocusLineIsOutOfViewport": {
+ "percentage": {
+ "editionAboveViewport": 0,
+ "editionBelowViewport": 0
+ },
+ "duration": 0,
+ "scrollWhenCaretIsInTheLastLineOfViewport": false,
+ "percentageToScrollWhenUserPressesArrowUp": 0
+ },
+ "users": {
+ "ldapauth": {
+ "url": "ldaps://<%= @ldap_server %>",
+ "accountBase": "<%= @ldap_base %>",
+ "accountPattern": "<%= @ldap_account_pattern %>",
+ "displayNameAttribute": "cn",
+ "searchDN": "<%= @ldap_dn %>",
+ "searchPWD": "<%= @ldap_password %>",
+ "groupSearchBase": "<%= @ldap_base %>",
+ "groupAttribute": "member",
+ "groupAttributeIsDN": true,
+ "searchScope": "sub",
+ "groupSearch": "<%= @ldap_group_pattern %>",
+ "anonymousReadonly": false
+ }
+ },
+ "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+ "loadTest": false,
+ "indentationOnNewLine": false,
+ "toolbar": {
+ "left": [
+ ["bold", "italic", "underline", "strikethrough"],
+ ["orderedlist", "unorderedlist", "indent", "outdent"],
+ ["undo", "redo"],
+ ["clearauthorship"]
+ ],
+ "right": [
+ ["importexport", "timeslider", "savedrevision"],
+ ["settings", "embed"],
+ ["showusers"]
+ ],
+ "timeslider": [
+ ["timeslider_export", "timeslider_returnToPad"]
+ ]
+ },
+ "loglevel": "INFO",
+ "logconfig" : { "appenders": [ { "type": "console" } ] }
+}
-- cgit v1.2.3
From 9313fa2ea3c7b796b448f6249f13a588c6618889 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 26 Jun 2018 00:27:26 +0200 Subject: Add find_host function to help finding host --- modules/profile/manifests/postgresql_master.pp | 51 +++++++++++++------------- 1 file changed, 25 insertions(+), 26 deletions(-) (limited to 'modules')
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
index 3f68890..9966f0d 100644
--- a/modules/profile/manifests/postgresql_master.pp
+++ b/modules/profile/manifests/postgresql_master.pp
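Review bot: Every `<%= … %>` in this template is dropped into a JSON string literal without escaping, so if any value contains `"` or `\` — the `generate_password` output behind `searchPWD`, or an LDAP filter in `accountPattern`/`groupSearch` with an escaped character — the rendered file is invalid JSON and etherpad fails at startup, while the Puppet run still reports success because `content =>` does not validate what it writes. Render those values with `<%= @ldap_password.to_json %>` (and the same for the other interpolations), which emits the surrounding quotes itself, so drop the literal ones around each placeholder; `String#to_json` is normally available inside Puppet's ERB context, but confirm on the puppetserver in use. Unrelated but worth a comment line in the manifest that declares this file: `"charset" : "utf8mb4"` is a MySQL option that the postgres driver does not use, and `"trustProxy" : false` means the IP etherpad logs and rate-limits on will be the proxy's address if apache sits in front.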
@@ -52,36 +52,35 @@ define profile::postgresql_master (
 $backup_hosts.each |$backup_host| {
 ensure_packages(["pam_ldap"])
 
- $facts["ldapvar"]["other"].each |$host| {
- if ($host["cn"][0] == $backup_host) {
- $host["ipHostNumber"].each |$ip| {
- $infos = split($ip, "/")
- $ipaddress = $infos[0]
- if (length($infos) == 1 and $ipaddress =~ /:/) {
- $mask = "128"
- } elsif (length($infos) == 1) {
- $mask = "32"
- } else {
- $mask = $infos[1]
- }
-
- postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
- type => 'hostssl',
- database => 'replication',
- user => $backup_host,
- address => "$ipaddress/$mask",
- auth_method => 'pam',
- order => "06-01",
- }
+ $host = find_host($facts["ldapvar"]["other"], $backup_host)
+ unless empty($host) {
+ $host["ipHostNumber"].each |$ip| {
+ $infos = split($ip, "/")
+ $ipaddress = $infos[0]
+ if (length($infos) == 1 and $ipaddress =~ /:/) {
+ $mask = "128"
+ } elsif (length($infos) == 1) {
+ $mask = "32"
+ } else {
+ $mask = $infos[1]
 }
 
- postgresql::server::role { $backup_host:
- replication => true,
+ postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+ type => 'hostssl',
+ database => 'replication',
+ user => $backup_host,
+ address => "$ipaddress/$mask",
+ auth_method => 'pam',
+ order => "06-01",
 }
+ }
 
- postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
- ensure => present
- }
+ postgresql::server::role { $backup_host:
+ replication => true,
+ }
+
+ postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+ ensure => present
 }
 }
 
-- cgit v1.2.3
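Review bot: When `find_host` returns nothing for a `$backup_host`, the new `unless empty($host)` branch silently produces no `pg_hba_rule`, no `postgresql::server::role` and no replication slot, and the catalog still applies cleanly — the old loop had the same silent skip, but the rewrite now has a single place where it can be surfaced. Add an `else { warning("backup host ${backup_host} not found in ldapvar facts; replication not configured") }` to the `unless` (or `fail()` if a missing backup host should abort the run). `find_host` is not part of this series, so I am assuming its no-match return is something `empty()` accepts — confirm. The enclosing `$backup_hosts.each` block starts before the hunk and its closing brace is outside it.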