
forum: initial version

copy/pasted from https://lab.securedrop.club/main/securedrop-club/merge_requests/178
keep-around/092701cc33f784b5fb85317b45036b2429312efd
Loïc Dachary 3 years ago
parent
commit
f3e346b3fa
Signed by: dachary GPG Key ID: 283AFA30CA7F55A4
  1. 1
      enough-community-playbook.yml
  2. 2
      inventory/02-all.yml
  3. 2
      inventory/host_vars/forum-host/forum.yml
  4. 1
      molecule/forum/create.yml
  5. 1
      molecule/forum/destroy.yml
  6. 24
      molecule/forum/forum-playbook.yml
  7. 1
      molecule/forum/forum_group_vars/all/domain.yml
  8. 1
      molecule/forum/forum_group_vars/all/with_fake_LE.yml
  9. 1
      molecule/forum/forum_group_vars/all/with_https.yml
  10. 43
      molecule/forum/molecule.yml
  11. 12
      molecule/forum/playbook.yml
  12. 37
      molecule/forum/roles/discourse/files/0001-open-json-unlimited-rate-access.patch
  13. 42
      molecule/forum/roles/discourse/tasks/main.yml
  14. 73
      molecule/forum/roles/discourse/templates/app.yml.j2
  15. 11
      molecule/forum/tests/test_discourse.py
  16. 58
      molecule/forum/tests/test_icinga.py
  17. 5
      molecule/preprod/molecule.yml

1
enough-community-playbook.yml

@ -19,4 +19,5 @@
- import_playbook: molecule/chat/chat-playbook.yml
- import_playbook: molecule/cloud/cloud-playbook.yml
- import_playbook: molecule/website/website-playbook.yml
- import_playbook: molecule/forum/forum-playbook.yml
- import_playbook: molecule/misc/commit_etc-playbook.yml

2
inventory/02-all.yml

@ -8,3 +8,5 @@ pets:
weblate-host:
packages-host:
chat-host:
forum-host:

2
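--- a/inventory/host_vars/forum-host/forum.yml
+++ b/inventory/host_vars/forum-host/forum.yml
@@ -0,0 +1,2 @@
+---
+forum_vhost_fqdn: forum.{{ domain }}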

1
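--- a/molecule/forum/create.yml
+++ b/molecule/forum/create.yml
@@ -0,0 +1 @@
+../infrastructure/create.yml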

1
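--- a/molecule/forum/destroy.yml
+++ b/molecule/forum/destroy.yml
@@ -0,0 +1 @@
+../infrastructure/destroy.yml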

24
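--- a/molecule/forum/forum-playbook.yml
+++ b/molecule/forum/forum-playbook.yml
@@ -0,0 +1,24 @@
+---
+- name: install Discourse forum
+hosts: forum-host
+roles:
+- role: docker_filesystem
+- role: ansible-role-docker
+docker_install_compose: false
+- role: docker
+- role: discourse
+forum_name: SecureDrop
+repository: https://github.com/discourse/discourse_docker
+branch: master
+- role: monitor_http_vhost
+http_vhost_name: Forum
+http_vhost_fqdn: "{{ forum_vhost_fqdn }}"
+http_vhost_uri: "/"
+http_vhost_string: "All things related to the SecureDrop whistleblower submission system"
+become: True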
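Review bot: `branch: master` hands the discourse role a moving target, so the `git apply --3way` of the bundled patch that the role performs can succeed or fail depending on what upstream discourse_docker looks like on the day of the converge, and the forum gets whatever code happens to be at HEAD; pin it to a reviewed tag or commit, e.g. `branch: "<PINNED_TAG_OR_COMMIT>"` (placeholder), and bump it deliberately. The same applies to the role's plugin clones in app.yml.j2. Separately, `become: True` on the last line is the capitalised YAML 1.1 boolean that yamllint's truthy rule flags; write `become: true`, matching the lowercase `docker_install_compose: false` above it.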

1
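--- a/molecule/forum/forum_group_vars/all/domain.yml
+++ b/molecule/forum/forum_group_vars/all/domain.yml
@@ -0,0 +1 @@
+../../../../inventory/group_vars/all/domain.yml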

1
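--- a/molecule/forum/forum_group_vars/all/with_fake_LE.yml
+++ b/molecule/forum/forum_group_vars/all/with_fake_LE.yml
@@ -0,0 +1 @@
+with_fake_LE: true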

1
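--- a/molecule/forum/forum_group_vars/all/with_https.yml
+++ b/molecule/forum/forum_group_vars/all/with_https.yml
@@ -0,0 +1 @@
+with_https: true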

43
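--- a/molecule/forum/molecule.yml
+++ b/molecule/forum/molecule.yml
@@ -0,0 +1,43 @@
+---
+driver:
+name: openstack
+lint:
+name: yamllint
+platforms:
+- name: bind-host
+flavor: "s1-2"
+- name: postfix-host
+flavor: "s1-2"
+- name: icinga-host
+flavor: "s1-2"
+- name: forum-host
+flavor: "s1-2"
+volumes:
+- name: cloud-volume
+size: 10
+provisioner:
+name: ansible
+lint:
+name: ansible-lint
+env:
+ANSIBLE_ROLES_PATH: roles:../infrastructure/roles:../postfix/roles:../bind/roles:../icinga/roles:../backup/roles:../misc/roles:../packages/roles:../jdauphant.nginx/roles
+inventory:
+links:
+# Path is relative to directory in which this molecule.yml file resides
+group_vars: forum_group_vars
+host_vars: ../../inventory/host_vars
+scenario:
+name: forum
+test_sequence:
+- destroy
+- create
+- converge
+- verify
+- destroy
+verifier:
+name: testinfra
+options:
+v: True
+s: True
+lint:
+name: flake8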
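Review bot: `v: True` and `s: True` under `verifier.options` use the capitalised boolean spelling that the file's own `lint: name: yamllint` step flags with its truthy rule, while the rest of this commit writes `true`/`false` lowercase; write `v: true` and `s: true`. The `ANSIBLE_ROLES_PATH` value is a single colon-separated token well past any line-length limit, which is tolerable since it cannot be folded without inserting spaces, but a preceding comment listing why each sibling scenario's roles directory is needed would help the next person who prunes it.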

12
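--- a/molecule/forum/playbook.yml
+++ b/molecule/forum/playbook.yml
@@ -0,0 +1,12 @@
+---
+- import_playbook: ../misc/history-playbook.yml
+- import_playbook: ../misc/sexy-debian-playbook.yml
+- import_playbook: ../misc/sshd-playbook.yml
+- import_playbook: ../icinga/test-icinga-playbook.yml
+- import_playbook: ../bind/bind-playbook.yml
+- import_playbook: ../bind/bind-client-playbook.yml
+- import_playbook: ../icinga/icinga-playbook.yml
+- import_playbook: ../postfix/postfix-playbook.yml
+- import_playbook: forum-playbook.yml
+- import_playbook: ../misc/commit_etc-playbook.yml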

37
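--- a/molecule/forum/roles/discourse/files/0001-open-json-unlimited-rate-access.patch
+++ b/molecule/forum/roles/discourse/files/0001-open-json-unlimited-rate-access.patch
@@ -0,0 +1,37 @@
+From 619e01df1eef419486bc36bed74bb9cceebdd8c4 Mon Sep 17 00:00:00 2001
+From: Ubuntu <ubuntu@mail.securedrop.club>
+Date: Wed, 18 Apr 2018 17:00:23 +0000
+Subject: [PATCH] open json unlimited rate access
+---
+templates/web.ratelimited.template.yml | 17 +++++++++++++++++
+1 file changed, 17 insertions(+)
+diff --git a/templates/web.ratelimited.template.yml b/templates/web.ratelimited.template.yml
+index ae9cd63..9c4dbfd 100644
+--- a/templates/web.ratelimited.template.yml
++++ b/templates/web.ratelimited.template.yml
+@@ -24,3 +24,20 @@ run:
+limit_conn connperip $conn_per_ip;
+limit_req zone=flood burst=$burst_per_second nodelay;
+limit_req zone=bot burst=$burst_per_minute nodelay;
++ - replace:
++ filename: "/etc/nginx/conf.d/discourse.conf"
++ from: "# we need buffering off for message bus"
++ to: |
++ # we bypass limits for json
++ location ~ ^/(latest|t/).*\.json {
++ add_header Referrer-Policy 'no-referrer-when-downgrade';
++ add_header Strict-Transport-Security 'max-age=31536042'; # remember the certificate for a year and automatically connect to HTTPS for this domain
++ proxy_set_header Host $http_host;
++ proxy_set_header X-Real-IP $remote_addr;
++ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
++ proxy_set_header X-Forwarded-Proto $thescheme;
++ proxy_pass http://discourse;
++ break;
++ }
++
++ # we need buffering off for message bus
+--
+2.9.3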
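Review bot: The inserted `location ~ ^/(latest|t/).*\.json` block carries none of the `limit_req zone=flood`, `limit_req zone=bot` or `limit_conn connperip` directives that the surrounding context applies to every other request, so topic and latest JSON — among the more expensive pages to render — become the one place a single client can drive unbounded load; if the motivating consumer needs more headroom, give this location its own zone with a higher budget rather than none, e.g. `limit_req zone=flood burst=<HIGHER_BURST> nodelay;` (placeholder) inside the block. The patch is also generated against upstream index `ae9cd63` of web.ratelimited.template.yml while the role clones a moving `master`, so `--3way` application will drift; record the discourse_docker commit it was produced from in the Subject line or a trailing comment so the next rebase is deliberate.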

42
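--- a/molecule/forum/roles/discourse/tasks/main.yml
+++ b/molecule/forum/roles/discourse/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: mkdir /srv/forum
+file:
+state: directory
+path: /srv/forum
+owner: debian
+become: true
+- name: git clone -b {{ branch }} {{ repository }}
+git:
+update: no
+repo: "{{ repository }}"
+version: "{{ branch }}"
+dest: "/srv/forum/{{ forum_name }}"
+become: false
+- name: copy code patche
+copy:
+src: files/0001-open-json-unlimited-rate-access.patch
+dest: "/srv/forum/{{ forum_name }}"
+become: false
+- name: apply patch
+command: git apply 0001-open-json-unlimited-rate-access.patch --3way
+args:
+chdir: "/srv/forum/{{ forum_name }}"
+become: false
+- name: deploy configuration
+template:
+src: "templates/app.yml.j2"
+dest: "/srv/forum/{{ forum_name }}/containers/app.yml"
+become: false
+register: app_config
+- name: rebuild and launch discourse
+command: ./launcher rebuild app
+args:
+chdir: "/srv/forum/{{ forum_name }}"
+become: false
+when: app_config|changed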
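Review bot: The `apply patch` task is a bare `command: git apply ... --3way` with no `creates:`, `changed_when` or guard, so the first converge succeeds and every later one fails because the hunk is already in the working tree, aborting the play before `deploy configuration` and `rebuild and launch discourse` run. Check for the reverse-applicable state first and skip when it is already there, as sketched below. Two smaller points in the same file: `when: app_config|changed` is the filter form Ansible has deprecated in favour of `when: app_config is changed`, and `update: no` / the task name `copy code patche` should read `update: false` and `copy code patch`.
```yaml
- name: check whether patch is already applied
  command: git apply --check --reverse 0001-open-json-unlimited-rate-access.patch
  args:
    chdir: "/srv/forum/{{ forum_name }}"
  register: patch_applied
  failed_when: false
  changed_when: false
  become: false
- name: apply patch
  command: git apply 0001-open-json-unlimited-rate-access.patch --3way
  args:
    chdir: "/srv/forum/{{ forum_name }}"
  when: patch_applied.rc != 0
  become: false
# … unchanged: deploy configuration, rebuild and launch discourse …
```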

73
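--- a/molecule/forum/roles/discourse/templates/app.yml.j2
+++ b/molecule/forum/roles/discourse/templates/app.yml.j2
@@ -0,0 +1,73 @@
+templates:
+- "templates/postgres.template.yml"
+- "templates/redis.template.yml"
+- "templates/web.template.yml"
+- "templates/web.ratelimited.template.yml"
+{% if with_https is defined and with_https == true %}
+- "templates/web.ssl.template.yml"
+- "templates/web.letsencrypt.ssl.template.yml"
+{% endif %}
+expose:
+- "80:80" # http
+- "443:443" # https
+params:
+db_default_text_search_config: "pg_catalog.english"
+version: stable
+env:
+LANG: en_US.UTF-8
+## How many concurrent web requests are supported? Depends on memory and CPU cores.
+## will be set automatically by bootstrap based on detected CPUs, or you can override
+UNICORN_WORKERS: 2
+## The domain name this Discourse instance will respond to
+DISCOURSE_HOSTNAME: '{{ forum_vhost_fqdn }}'
+## Uncomment if you want the container to be started with the same
+## hostname (-h option) as specified above (default "$hostname-$config")
+DOCKER_USE_HOSTNAME: true
+## List of comma delimited emails that will be made admin and developer
+## on initial signup example 'user1@example.com,user2@example.com'
+DISCOURSE_DEVELOPER_EMAILS: admin@{{ domain }}
+## The SMTP mail server used to validate new accounts and send notifications
+DISCOURSE_SMTP_ADDRESS: 127.0.0.1
+DISCOURSE_SMTP_PORT: 25
+DISCOURSE_SMTP_USER_NAME: false
+DISCOURSE_SMTP_AUTHENTICATION: false
+DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
+DISCOURSE_SMTP_PASSWORD: false
+DISCOURSE_SMTP_ENABLE_START_TLS: false
+## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
+LETSENCRYPT_ACCOUNT_EMAIL: admin@{{ domain }}
+## The Docker container is stateless; all data is stored in /shared
+volumes:
+- volume:
+host: /srv/forum/{{ forum_name }}/shared/standalone
+guest: /shared
+- volume:
+host: /srv/forum/{{ forum_name }}/shared/standalone/log/var-log
+guest: /var/log
+## Plugins go here
+## see https://meta.discourse.org/t/19157 for details
+hooks:
+after_code:
+- exec:
+cd: $home/plugins
+cmd:
+- git clone https://github.com/discourse/docker_manager.git
+- git clone https://github.com/discourse/discourse-chat-integration.git
+- git clone https://github.com/angusmcleod/discourse-events.git
+- git clone https://github.com/angusmcleod/discourse-locations.git
+## Any custom commands to run after building
+run:
+- exec: echo "Beginning of custom commands"
+- exec: echo "End of custom commands"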
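Review bot: The four `git clone` lines under `hooks.after_code` fetch each plugin at whatever its default branch points to at rebuild time, and plugin code runs with the full privileges of the Discourse application, so any change or compromise upstream lands in the forum container on the next `./launcher rebuild app` with nothing in this repository recording what was deployed; pin each one, e.g. `- git clone --branch <REVIEWED_TAG> https://github.com/discourse/docker_manager.git` (placeholder) or a following `- git -C docker_manager checkout <REVIEWED_COMMIT>`, and keep the two third-party `angusmcleod/*` plugins at a commit someone has actually read. Separately, `DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none` together with `DISCOURSE_SMTP_ENABLE_START_TLS: false` is only acceptable because `DISCOURSE_SMTP_ADDRESS` is `127.0.0.1`; a comment making that dependency explicit, `## plaintext, unverified SMTP is safe only because the relay is the local postfix on 127.0.0.1 — revisit if the address changes`, stops a later edit from carrying the setting to a remote relay.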

11
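--- a/molecule/forum/tests/test_discourse.py
+++ b/molecule/forum/tests/test_discourse.py
@@ -0,0 +1,11 @@
+testinfra_hosts = ['forum-host']
+def test_discourse(host):
+cmd = host.run("""
+set -xe
+d=/dev/sdb
+test -e /dev/sdb || d=/dev/vda
+mount | grep $d | grep /var/lib/docker
+curl --silent https://forum.$(hostname -d) | grep --quiet 'Congratulations, you installed Discourse!'
+""")
+assert 0 == cmd.rc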

58
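--- a/molecule/forum/tests/test_icinga.py
+++ b/molecule/forum/tests/test_icinga.py
@@ -0,0 +1,58 @@
+import urllib3
+import re
+import requests
+import yaml
+testinfra_hosts = ['icinga-host']
+def get_auth(host):
+with host.sudo():
+f = host.file("/etc/icinga2/conf.d/api-users.conf")
+return (
+re.search('ApiUser "(.*)"', f.content_string).group(1),
+re.search('password = "(.*)"', f.content_string).group(1)
+)
+def get_master_address(host):
+inventory = yaml.load(open(host.backend.ansible_inventory))
+address = inventory['all']['hosts']['icinga-host']['ansible_host']
+return address
+def sloppy_get(url, headers={}, auth=None):
+s = requests.Session()
+s.auth = auth
+s.headers.update(headers)
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+r = s.get(url, verify=False, timeout=5)
+r.raise_for_status()
+return r
+def test_icinga_api_hosts(host):
+address = get_master_address(host)
+r = sloppy_get(
+'https://{address}:5665/v1/objects/hosts/forum-host'.format(
+address=address),
+{'Accept': 'application/json'},
+get_auth(host),
+)
+answer = r.json()
+assert len(answer['results']) == 1
+assert answer['results'][0]['name'] == 'forum-host'
+def test_icinga_api_services(host):
+address = get_master_address(host)
+r = sloppy_get(
+'https://{address}:5665/v1/objects/services?host=forum-host'.format(
+address=address),
+{'Accept': 'application/json'},
+get_auth(host),
+)
+answer = r.json()
+assert len(answer['results']) > 10
+assert len([s for s in answer['results']
+if 'forum-host!Forum' == s['name']]) == 1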
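Review bot: `yaml.load(open(host.backend.ansible_inventory))` in `get_master_address` calls PyYAML without a `Loader=`, which on older releases is the full loader that constructs arbitrary Python objects from `!!python/...` tags and on newer releases emits a deprecation warning; the inventory is project-owned, but there is no reason not to use the safe loader, and the file handle is never closed. Replace the line with `with open(host.backend.ansible_inventory) as f:` / `    inventory = yaml.safe_load(f)`. The `verify=False` in `sloppy_get` is acknowledged by the function's name and is fine for a test against a self-signed Icinga API, but a one-line comment saying that is why would keep it from being copied elsewhere; and `headers={}` as a mutable default is harmless here because it is only read, though `headers=None` with `s.headers.update(headers or {})` is the conventional form.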

5
molecule/preprod/molecule.yml

@ -27,6 +27,11 @@ platforms:
volumes:
- name: cloud-volume
size: 100
- name: forum-host
flavor: "s1-4"
volumes:
- name: cloud-volume
size: 20
provisioner:
name: ansible
lint:
