From 322037af650a8b921b5d91c7ce7781e0742c8882 Mon Sep 17 00:00:00 2001
From: Olivier Navas
Date: Tue, 26 Apr 2022 00:07:08 +0200
Subject: [PATCH] Premier commit
---
 README.md | 33 +++++++++++++++++++
 defaults/main.yml | 1 +
 handlers/main.yml | 10 ++++++
 tasks/configure_reverse_proxy.yml | 10 ++++++
 tasks/main.yml | 15 +++++++++
 templates/0_vhost.conf | 2 ++
 templates/2_mds_exclusion.conf | 16 +++++++++
 templates/definition.yml | 55 +++++++++++++++++++++++++++++++
 templates/docker-compose.yml | 55 +++++++++++++++++++++++++++++++
 9 files changed, 197 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configure_reverse_proxy.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/0_vhost.conf
 create mode 100644 templates/2_mds_exclusion.conf
 create mode 100644 templates/definition.yml
 create mode 100644 templates/docker-compose.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..600016a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# Role : docker_wikijs
+
+
+## Services fournis
+
+- main.yml : Installation de wikijs sur un serveur docker_host
+- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_wikijs_fqdn: wiki.libretic.fr
+docker_wikijs_data_dir: /data1
+docker_wikijs_service_id: wikijs
+docker_wikijs_rp_cert: LE
+docker_wikijs_docker_host: machine.domaine.local
+```
+
+| Option | Valeur par défaut | Description |
+|------------------------------|-------------------|-------------------------------------------------------------------------------------------|
+| docker_wikijs_fqdn | | Le nom de domaine pour lequel le service wikijs répond |
+| docker_wikijs_data_dir | | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service |
+| docker_wikijs_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
+| docker_wikijs_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
+| docker_wikijs_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
+
+
+
+
+
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..a66fe3c
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_wikijs_rp_cert: LE
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..1ea83ba
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: docker-compose-up
+ shell: |
+ docker-compose up -d
+ args:
+ chdir: /opt/{{ docker_wikijs_service_id }}/
+
+- name: reverse-proxy-reload
+ service:
+ name: apache2
+ state: reloaded
diff --git a/tasks/configure_reverse_proxy.yml b/tasks/configure_reverse_proxy.yml
new file mode 100644
index 0000000..d36de6e
--- /dev/null
+++ b/tasks/configure_reverse_proxy.yml
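Review bot: The `docker-compose-up` handler in handlers/main.yml runs one fixed command through `shell:` with a block scalar, which is a point of style: `docker-compose up -d` uses no shell feature, so `command: docker-compose up -d` with the same `args: chdir:` does the same work without shell interpretation and satisfies ansible-lint's command-instead-of-shell check. A short comment such as `# recreates only services whose rendered definition changed` would also record why a plain `up -d` is enough after a template change, since that is presumably what the notify relies on.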
@@ -0,0 +1,10 @@
+- name: prepare reverse_proxy
+ template:
+ src: "{{ item }}"
+ dest: /etc/apache2/vhosts.d/{{ docker_wikijs_fqdn }}/
+ with_items:
+ - 0_vhost.conf
+ - 2_mds_exclusion.conf
+ notify: reverse-proxy-reload
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..3d45884
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: docker directory
+ file:
+ path: /opt/{{ docker_wikijs_service_id }}/
+ state: directory
+
+- name: prepare docker-compose.yml
+ template:
+ src: "{{ item }}"
+ dest: /opt/{{ docker_wikijs_service_id }}/
+ with_items:
+ - docker-compose.yml
+ - definition.yml
+ notify: docker-compose-up
+
+
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf
new file mode 100644
index 0000000..0b4555e
--- /dev/null
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ docker_wikijs_fqdn }} {{ docker_wikijs_rp_cert }} http {{ docker_wikijs_rp_docker_host }} info OpenAccessPolicy AllowCrawlerIndexing On
diff --git a/templates/2_mds_exclusion.conf b/templates/2_mds_exclusion.conf
new file mode 100644
index 0000000..c9c86b1
--- /dev/null
+++ b/templates/2_mds_exclusion.conf
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+SecRuleRemoveById 200002
+SecRuleRemoveById 200004
+SecRuleRemoveById 921110
+SecRuleRemoveById 920220
+SecRuleRemoveById 921110
+SecRuleRemoveById 930120
+SecRuleRemoveById 932100
+SecRuleRemoveById 932105
+SecRuleRemoveById 932110
+SecRuleRemoveById 932115
+SecRuleRemoveById 932160
+SecRuleRemoveById 933210
+SecRuleRemoveById 942190
+SecRuleRemoveById 949110
+SecRuleRemoveById 980130
diff --git a/templates/definition.yml b/templates/definition.yml
new file mode 100644
index 0000000..9233905
--- /dev/null
+++ b/templates/definition.yml
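Review bot: The `prepare reverse_proxy` task writes its two fragments into `/etc/apache2/vhosts.d/{{ docker_wikijs_fqdn }}/`, but nothing in this role creates that directory, whereas tasks/main.yml has an explicit `docker directory` task before its template step; presumably the reverse_proxy role named in the README creates it, and either a comment (`# directory is created by the reverse_proxy role`) or a `file: state: directory` task would make that dependency visible. The notified `reverse-proxy-reload` handler reloads apache2 with no configuration check in between, so a rendering error in `0_vhost.conf` (for example an undefined `docker_wikijs_rp_docker_host`) only surfaces as a failed reload; running `apache2ctl configtest` before the reload would fail the play at the point of the error instead.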
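Review bot: The `prepare docker-compose.yml` task in tasks/main.yml renders `docker-compose.yml`, which carries the database password in both `POSTGRES_PASSWORD` and `DB_PASS`, into `/opt/{{ docker_wikijs_service_id }}/` without a `mode`, so the file is created under the default umask and is typically readable by every local user. Add `mode: "0640"` next to `dest:` (quoted, so the octal is not read as an integer), and consider `owner`/`group` to match the account that runs compose. The `docker directory` task above it would benefit from the same restriction on the directory itself.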
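Review bot: `SecRuleRemoveById 921110` appears twice in 2_mds_exclusion.conf (the third and fifth exclusion lines); the duplicate is harmless, but each exclusion should carry a comment naming the false positive it addresses, since nothing in the file says why these IDs are disabled. If these IDs refer to the OWASP Core Rule Set, `949110` is the inbound anomaly-score blocking evaluation rule and `980130` its correlation/reporting counterpart, so removing both for this vhost turns the WAF into detection-only here rather than silencing one false positive. If that is intended, state it in the header, e.g. `# 949110/980130 removed: anomaly-score blocking disabled for this vhost`; otherwise drop those two lines and keep only the per-rule exclusions above them.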
@@ -0,0 +1,55 @@
+key: oidc
+title: Generic OpenID Connect / OAuth2
+description: OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.
+author: requarks.io
+logo: https://static.requarks.io/logo/oidc.svg
+color: blue-grey darken-2
+website: http://openid.net/connect/
+isAvailable: true
+useForm: false
+scopes:
+ - profile
+ - libreticMail
+props:
+ clientId:
+ type: String
+ title: Client ID
+ hint: Application Client ID
+ order: 1
+ clientSecret:
+ type: String
+ title: Client Secret
+ hint: Application Client Secret
+ order: 2
+ authorizationURL:
+ type: String
+ title: Authorization Endpoint URL
+ hint: Application Authorization Endpoint URL
+ order: 3
+ tokenURL:
+ type: String
+ title: Token Endpoint URL
+ hint: Application Token Endpoint URL
+ order: 4
+ userInfoURL:
+ type: String
+ title: User Info Endpoint URL
+ hint: User Info Endpoint URL
+ order: 5
+ issuer:
+ type: String
+ title: Issuer
+ hint: Issuer URL
+ order: 6
+ emailClaim:
+ type: String
+ title: Email Claim
+ hint: Field containing the email address
+ default: email
+ maxWidth: 500
+ order: 7
+ logoutURL:
+ type: String
+ title: Logout URL
+ hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
+ order: 8
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
new file mode 100644
index 0000000..02a9909
--- /dev/null
+++ b/templates/docker-compose.yml
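Review bot: `templates/definition.yml` is the only template in this commit without a `# {{ ansible_managed }}` header, while 0_vhost.conf, 2_mds_exclusion.conf and docker-compose.yml all start with one. Because docker-compose.yml in this patch bind-mounts the file over the image's own copy at `/wiki/server/modules/authentication/oidc/definition.yml`, a header stating that it overrides the upstream definition shipped with image `2.5.277` and why `scopes` carries the custom `libreticMail` entry would tell the next maintainer what to re-check on an image upgrade. The file contains no Jinja expression, so rendering it through `template` rather than `copy` works but is not needed.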
@@ -0,0 +1,55 @@
+# {{ ansible_managed }}
+
+version: '3.1'
+
+services:
+ db:
+ image: postgres:13
+ environment:
+ POSTGRES_DB: {{ docker_wikijs_db_name }}
+ POSTGRES_PASSWORD: {{ docker_wikijs_db_password }}
+ POSTGRES_USER: {{ docker_wikijs_db_user }}
+ TZ: Europe/Paris
+ logging:
+ driver: "none"
+ restart: unless-stopped
+ volumes:
+ - /data1/{{ docker_wikijs_service_id }}/db_data:/var/lib/postgresql/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ networks:
+ - wikijs
+
+ wiki:
+ image: ghcr.io/requarks/wiki:2.5.277
+ volumes:
+ - ./definition.yml:/wiki/server/modules/authentication/oidc/definition.yml
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ depends_on:
+ - db
+ environment:
+ DB_TYPE: postgres
+ DB_HOST: db
+ DB_PORT: 5432
+ DB_USER: {{ docker_wikijs_db_user }}
+ DB_PASS: {{ docker_wikijs_db_password }}
+ DB_NAME: {{ docker_wikijs_db_name }}
+ TZ: Europe/Paris
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.http.routers.{{ docker_wikijs_service_id }}.entrypoints=web"
+ - "traefik.http.routers.{{ docker_wikijs_service_id }}.rule=Host(`{{ docker_wikijs_fqdn }}`)"
+ - "traefik.http.services.{{ docker_wikijs_service_id }}.loadbalancer.server.port=3000"
+ networks:
+ - traefik
+ - wikijs
+
+
+networks:
+ traefik:
+ external: true
+ wikijs:
+ internal: true
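Review bot: The database credentials in docker-compose.yml are inserted as bare Jinja expressions (`POSTGRES_PASSWORD: {{ docker_wikijs_db_password }}`, `DB_PASS: {{ docker_wikijs_db_password }}`, likewise the `_db_user` and `_db_name` values), so a password containing `#`, `: `, a leading YAML indicator, or one that looks like a number or boolean renders invalid or retyped YAML; quote every templated scalar, e.g. `POSTGRES_PASSWORD: "{{ docker_wikijs_db_password }}"`. The `db` volume hard-codes `/data1/{{ docker_wikijs_service_id }}/db_data` while the README in this commit documents `docker_wikijs_data_dir` for exactly that path, so the variable is declared but unused here. `docker_wikijs_db_name`, `docker_wikijs_db_user` and `docker_wikijs_db_password` are required by this template yet are neither defaulted in defaults/main.yml nor listed in the README table. `logging: driver: "none"` on `db` also discards all PostgreSQL output, including authentication failures, leaving nothing from that container to alert on.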