Etherpad works

SURFscz · Jan 25, 2024 · 8be5f8e · 8be5f8e
1 parent e11bfd3
commit 8be5f8e
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 19 deletions.
diff --git a/environments/docker/group_vars/demo1.yml b/environments/docker/group_vars/demo1.yml
@@ -1,4 +1,11 @@
 ---
+# Ugly docker deploy hack
+environment_name: vm
+letsencrypt_enabled: false
+# letsencrypt_staging: false
+
+sram_conf_dir: "/opt/sram"
+
 internal_network: sram
 
 containers:
@@ -13,5 +20,10 @@ demo_hosts:
 ports:
   etherpad: 9001
 
-letsencrypt_hosts:
-  - "{{ hostsnames.etherpad }}"
+# oidc:
+#   etherpad:
+#     client_id: client
+#     client_secret: secret
+
+# letsencrypt_hosts:
+#   - "{{ hostsnames.etherpad }}"
diff --git a/provision.yml b/provision.yml
@@ -184,7 +184,7 @@
     - { role: docker,               tags: ['demo1','demo-docker'] }
     - { role: demo-apache,          tags: ['demo1','demo-apache']  }
     - { role: letsencrypt,          tags: ['demo1','demo-letsencrypt'],
-        when: environment_name!='vm' }
+        when: letsencrypt_enabled }
     - { role: demo-etherpad,        tags: ['demo1','demo-etherpad']  }
     # - { role: demo-wordpress,       tags: ['demo1','demo-wordpress'] }
 

diff --git a/roles/demo-apache/tasks/main.yml b/roles/demo-apache/tasks/main.yml
@@ -4,6 +4,7 @@
     state: present
     name:
       - apache2
+      - libapache2-mod-auth-openidc
 
 - name: Enable apache modules
   apache2_module:
@@ -15,3 +16,16 @@
     - proxy_http
     - headers
   notify: "restart apache"
+
+- name: Remove default apache config
+  file:
+    path: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify: "restart apache"
+
+- name: copy apache proxy config
+  template:
+    src: apache.conf.j2
+    dest: /etc/apache2/sites-enabled/10-demo1.conf
+    mode: 0644
+  notify: "restart apache"
diff --git a/roles/demo-etherpad/templates/apache.conf.j2 → roles/demo-apache/templates/apache.conf.j2 b/roles/demo-etherpad/templates/apache.conf.j2 → roles/demo-apache/templates/apache.conf.j2
@@ -1,29 +1,30 @@
-{% if environment_name !=  'vm' %}
-Listen 443
+{% if letsencrypt_enabled %}
 <VirtualHost *:443>
 {% else %}
 <VirtualHost *:80>
 {% endif %}
-        ServerName {{demo_hosts.etherpad}}
+        ServerName {{ demo_hosts.etherpad }}
 
         ServerAdmin webmaster@localhost
         DocumentRoot /var/www/html
 
+        Alias /.well-known/acme-challenge/ /var/www/certbot/.well-known/acme-challenge/
+
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
 
-{% if environment_name !=  'vm' %}
+{% if letsencrypt_enabled %}
         SSLEngine on
         SSLCertificateFile    /etc/letsencrypt/live/{{demo_hosts.etherpad}}/fullchain.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/{{demo_hosts.etherpad}}/privkey.pem
 {% endif %}
 
         # Authentication Header
-{% if environment_name !=  'vm' %}
+{% if letsencrypt_enabled %}
         # Remove OIDC option when using Basic Auth
         OIDCProviderMetadataURL https://proxy.sram.surf.nl/.well-known/openid-configuration
-        OIDCClientID {{ client_id }}
-        OIDCClientSecret {{ client_secret }}
+        OIDCClientID {{ oidc.etherpad.client_id }}
+        OIDCClientSecret {{ oidc.etherpad.client_secret }}
         OIDCResponseType "code"
         OIDCResponseMode "query"
         OIDCScope "openid profile uid"
@@ -41,8 +42,8 @@ Listen 443
             AuthType openid-connect
         </Location>
 {% else %}
-        RequestHeader set X-Authenticated-User "martin"
-        RequestHeader set X-Authenticated-Name "Martin"
+        RequestHeader set X-Authenticated-User "demo1"
+        RequestHeader set X-Authenticated-Name "Demo1"
 {% endif %}
 
         ProxyRequests On
@@ -60,3 +61,8 @@ Listen 443
             RewriteRule /ep/(.*) http://localhost:9001/$1 [P,L]
         </LocationMatch>
 </VirtualHost>
+
+# Letsencrypt fallback
+<VirtualHost *:80>
+        DocumentRoot /var/www/certbot
+</VirtualHost>
diff --git a/roles/demo-etherpad/tasks/main.yml b/roles/demo-etherpad/tasks/main.yml
@@ -30,10 +30,3 @@
       - "{{ etherpad_basedir }}/settings.json:/opt/etherpad-lite/settings.json"
     networks:
       - name: "bridge"
-
-- name: copy apache proxy config
-  template:
-    src: apache.conf.j2
-    dest: /etc/apache2/sites-enabled/10-etherpad.conf
-    mode: 0644
-  notify: restart apache
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# Do not restart docker, this breaks SBS migrate
+- name: "start docker"
+  ansible.builtin.systemd:
+    name: "docker"
+    state: "started"
+    enabled: true
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
@@ -40,6 +40,7 @@
                                 --keep-until-expiring
                                 --renew-with-new-domains
                                 --domains={{item}}
+  register: result
   changed_when: "'Your certificate and chain have been saved' in result.stdout"
   with_items: "{{ letsencrypt_hosts }}"
   when: "no_cert_yet.changed"