From 359b6a455308704d78de461ef6c8f97445a14651 Mon Sep 17 00:00:00 2001 From: ynerant <ynerant@crans.org> Date: Wed, 17 Feb 2021 11:57:10 +0100 Subject: [PATCH 1/6] [belenios] Deploy belenios Signed-off-by: ynerant <ynerant@crans.org> --- group_vars/belenios.yml | 8 ++ group_vars/reverseproxy.yml | 2 +- host_vars/belenios.adm.crans.org.yml | 4 + hosts | 5 +- plays/belenios.yml | 9 ++ roles/belenios/handlers/main.yml | 5 + roles/belenios/tasks/main.yml | 123 ++++++++++++++++++ .../ocsigenserver/conf.d/belenios.conf.j2 | 79 +++++++++++ 8 files changed, 233 insertions(+), 2 deletions(-) create mode 100644 group_vars/belenios.yml create mode 100644 host_vars/belenios.adm.crans.org.yml create mode 100755 plays/belenios.yml create mode 100644 roles/belenios/handlers/main.yml create mode 100644 roles/belenios/tasks/main.yml create mode 100644 roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 diff --git a/group_vars/belenios.yml b/group_vars/belenios.yml new file mode 100644 index 00000000..e23df08e --- /dev/null +++ b/group_vars/belenios.yml @@ -0,0 +1,8 @@ +--- +glob_belenios: + domain: belenios.crans.org + email_contact: contact@crans.org + email_from: root@crans.org + cas: + name: CAS Cr@ns + server: https://cas.crans.org/ diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml index fca4ddbe..49f1ed78 100644 --- a/group_vars/reverseproxy.yml +++ b/group_vars/reverseproxy.yml @@ -39,7 +39,7 @@ nginx: - {from: hedgedoc.crans.org, to: "172.16.10.128:3000"} - {from: owncloud.crans.org, to: 172.16.10.136} - {from: linx.crans.org, to: "172.16.10.119:8080"} - # - {from: belenios.crans.org, to: 172.16.10.111} + - {from: belenios.crans.org, to: 172.16.10.111} # - {from: mailman.crans.org, to: 10.231.136.180} # Zamok diff --git a/host_vars/belenios.adm.crans.org.yml b/host_vars/belenios.adm.crans.org.yml new file mode 100644 index 00000000..92076e1a --- /dev/null +++ b/host_vars/belenios.adm.crans.org.yml 
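Review bot: The re-enabled entry `- {from: belenios.crans.org, to: 172.16.10.111}` carries no port, while the ocsigenserver configuration added in the same patch listens on `<port>8001</port>`; unless the nginx template defaults the upstream port to 8001 (it is not visible from here), the proxy will forward to port 80 on the VM, where nothing in this patch listens. The neighbouring entries pass the port explicitly and quote it, e.g. `"172.16.10.119:8080"`, so the consistent form is `- {from: belenios.crans.org, to: "172.16.10.111:8001"}`. If the template really does default to 8001, a short comment on the entry saying so would save the next reader the same check.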
@@ -0,0 +1,4 @@ +--- +interfaces: + adm: ens18 + srv_nat: ens19 diff --git a/hosts b/hosts index d032fd9f..397f791c 100644 --- a/hosts +++ b/hosts @@ -17,6 +17,9 @@ tealc.adm.crans.org [bdd] tealc.adm.crans.org +[belenios] +belenios.adm.crans.org + [certbot:children] dovecot git @@ -141,7 +144,7 @@ baie virtu [crans_vm] -#belenios.adm.crans.org +belenios.adm.crans.org #bigbluebutton.adm.crans.org boeing.adm.crans.org cas.adm.crans.org diff --git a/plays/belenios.yml b/plays/belenios.yml new file mode 100755 index 00000000..a55b3f87 --- /dev/null +++ b/plays/belenios.yml @@ -0,0 +1,9 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: belenios + vars: + belenios: "{{ glob_belenios | default({}) | combine(loc_belenios | default({})) }}" + nullmailer: "{{ glob_nullmailer | default({}) | combine(loc_nullmailer | default({})) }}" + roles: + - belenios + - nullmailer diff --git a/roles/belenios/handlers/main.yml b/roles/belenios/handlers/main.yml new file mode 100644 index 00000000..552e8142 --- /dev/null +++ b/roles/belenios/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart ocsigenserver + systemd: + name: ocsigenserver + state: restarted diff --git a/roles/belenios/tasks/main.yml b/roles/belenios/tasks/main.yml new file mode 100644 index 00000000..bd80f572 --- /dev/null +++ b/roles/belenios/tasks/main.yml 
@@ -0,0 +1,123 @@
+---
+- name: Install Belenios dependencies from APT
+ apt:
+ update_cache: true
+ install_recommends: false
+ name:
+ - bubblewrap
+ - build-essential
+ - libgmp-dev
+ - libpcre3-dev
+ - pkg-config
+ - m4
+ - libssl-dev
+ - libsqlite3-dev
+ - wget
+ - ca-certificates
+ - zip
+ - unzip
+ - libncurses-dev
+ - zlib1g-dev
+ - libgd-securityimage-perl
+ - cracklib-runtime
+ - jq
+
+ # OCamL build dependencies
+ - dune
+ - libatdgen-ocaml-dev
+ - libzarith-ocaml-dev
+ - libcryptokit-ocaml-dev
+ - libcmdliner-ocaml-dev
+ - libcalendar-ocaml-dev
+ - eliom
+ - libcsv-ocaml-dev
+ - libgettext-ocaml-dev
+
+ # Web server dependencies
+ - ocsigenserver
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Start ocsigenserver at boot
+ lineinfile:
+ path: /etc/default/ocsigenserver
+ regexp: "^LAUNCH_AT_STARTUP="
+ line: "LAUNCH_AT_STARTUP=true"
+ notify: Restart ocsigenserver
+
+- name: Clone belenios into /opt/belenios
+ git:
+ repo: https://gitlab.inria.fr/belenios/belenios.git
+ dest: /opt/belenios
+ version: "1.14"
+ force: true
+ register: git_result
+
+- name: Make belenios project
+ when: git_result.changed
+ make:
+ chdir: /opt/belenios
+ target: build-release-server
+ notify: Restart ocsigenserver
+
+- name: Create belenios data directories
+ file:
+ path: "{{ item }}"
+ owner: ocsigen
+ group: ocsigen
+ mode: 0755
+ state: directory
+ loop:
+ - "/etc/ocsigenserver/conf.d"
+ - "/var/lib/belenios"
+ - "/var/lib/belenios/data"
+ - "/var/lib/belenios/upload"
+ - "/var/lib/belenios/spool"
+ - "/var/log/belenios"
+
+- name: Link ocsigenserver database
+ file:
+ src: "/opt/belenios/_run/lib/ocsidb"
+ path: "/var/lib/belenios/data/ocsidb"
+ owner: ocsigen
+ group: ocsigen
+ mode: 0644
+ state: link
+
+- name: Link belenios directories into proper locations
+ file:
+ src: "{{ item.src }}"
+ path: "{{ item.path }}"
+ owner: root
+ group: root
+ mode: 0755
+ state: link
+ loop:
+ - src: "/opt/belenios/_run/usr/bin/belenios-tool"
+ 
path: "/usr/bin/belenios-tool"
+
+ - src: "/opt/belenios/_run/usr/lib/belenios"
+ path: "/usr/lib/ocaml/belenios"
+ - src: "/opt/belenios/_run/usr/lib/belenios-platform"
+ path: "/usr/lib/ocaml/belenios-platform"
+ - src: "/opt/belenios/_run/usr/lib/belenios-platform-js"
+ path: "/usr/lib/ocaml/belenios-platform-js"
+ - src: "/opt/belenios/_run/usr/lib/belenios-platform-native"
+ path: "/usr/lib/ocaml/belenios-platform-native"
+ - src: "/opt/belenios/_run/usr/lib/belenios-server"
+ path: "/usr/lib/ocaml/belenios-server"
+ - src: "/opt/belenios/_run/usr/lib/belenios-tool"
+ path: "/usr/lib/ocaml/belenios-tool"
+
+ - src: "/opt/belenios/_run/usr/share/belenios-server"
+ path: "/usr/share/belenios-server"
+
+- name: Deploy ocsigenserver configuration
+ template:
+ src: ocsigenserver/conf.d/belenios.conf.j2
+ dest: /etc/ocsigenserver/conf.d/belenios.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Restart ocsigenserver
diff --git a/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2
new file mode 100644
index 00000000..fa41d367
--- /dev/null
+++ b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2
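Review bot: Gating `Make belenios project` on `when: git_result.changed` means a build that fails or is interrupted is never retried: on the next run the checkout is already at `1.14`, the `git` task reports no change, and the incomplete `_run` tree is still linked into `/usr/lib/ocaml` and `/usr/bin` by the following tasks. `make` is incremental, so dropping the `when:` keeps the role convergent; if a skip is wanted, key it on a `stat` of `/opt/belenios/_run/usr/bin/belenios-tool` instead. `version: "1.14"` is a tag and tags can be moved upstream; pinning the commit behind it (`version: "<commit id of the 1.14 tag>"`) makes the deployed binaries reproducible. The octal modes (`mode: 0755`, `mode: 0644`) should be quoted as `"0755"` / `"0644"`; unquoted they are YAML 1.1 integers and newer Ansible releases warn about them.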
@@ -0,0 +1,79 @@
+{{ ansible_header | comment('xml') }}
+
+<!-- -*- Mode: Xml -*- -->
+<ocsigen>
+
+ <server>
+
+ <port>8001</port>
+
+ <logdir>/var/log/belenios</logdir>
+ <datadir>/var/lib/belenios/data</datadir>
+
+ <uploaddir>/var/lib/belenios/upload</uploaddir>
+
+ <!--
+ The following limits are there to avoid flooding the server.
+ <maxuploadfilesize> might need to be increased for handling large
+ elections.
+ <maxconnected> is related to the number of simultaneous voters
+ visiting the server.
+ -->
+ <maxuploadfilesize>1024kB</maxuploadfilesize>
+ <maxconnected>500</maxconnected>
+
+ <commandpipe>/var/run/belenios/ocsigenserver_command</commandpipe>
+
+ <charset>utf-8</charset>
+
+ <findlib path="/usr/lib/ocaml"/>
+
+ <extension findlib-package="ocsigenserver.ext.staticmod"/>
+ <extension findlib-package="ocsigenserver.ext.redirectmod"/>
+
+ <extension findlib-package="ocsigenserver.ext.ocsipersist-sqlite">
+ <database file="/var/lib/belenios/data/ocsidb"/>
+ </extension>
+
+ <extension findlib-package="eliom.server"/>
+ <extension findlib-package="belenios-platform-native"/>
+
+ <host charset="utf-8" hostfilter="*" defaulthostname="{{ belenios.domain }}">
+ <!-- <redirect suburl="^$" dest="http://www.example.org"/> -->
+ <site path="static" charset="utf-8">
+ <static dir="/usr/share/belenios-server" cache="0"/>
+ </site>
+ <site path="monitor">
+ <eliom findlib-package="eliom.server.monitor.start"/>
+ </site>
+ <eliom findlib-package="belenios-server">
+ <!-- Domain name used in Message-ID -->
+ <domain name="https://{{ belenios.domain }}/"/>
+ <!--
+ The following can be adjusted to the capacity of your system.
+ If <maxrequestbodysizeinmemory> is too small, large elections
+ might fail, in particular with so-called alternative questions
+ with many voters.
+ <maxmailsatonce> depends heavily on how sending emails is
+ handled by your system.
+ -->
+ <maxrequestbodysizeinmemory value="1048576"/>
+ <maxmailsatonce value="1000"/>
+ <uuid length="14"/>
+ <gdpr uri="https://www.belenios.org/rgpd.html"/>
+ <contact uri="mailto:{{ belenios.email_contact }}"/>
+ <server mail="{{ belenios.email_from }}"/>
+ <auth name="{{ belenios.cas.name }}"><cas server="{{ belenios.cas.server }}"/></auth>
+ <source file="/usr/share/belenios-server/belenios.tar.gz"/>
+ <default-group file="/usr/share/belenios-server/groups/default.json"/>
+ <nh-group file="/usr/share/belenios-server/groups/rfc3526-2048.json"/>
+ <log file="/var/log/belenios/security.log"/>
+ <locales dir="/usr/share/belenios-server/locales"/>
+ <spool dir="/var/lib/belenios/spool"/>
+ <!-- <warning file="/opt/belenios/belenios/_run/warning.html"/> -->
+ </eliom>
+ </host>
+
+ </server>
+
+</ocsigen>
--
GitLab
From 094bb497f4a7b630e77149da95e5cf7c0a8fec4f Mon Sep 17 00:00:00 2001
From: ynerant <ynerant@crans.org>
Date: Wed, 17 Feb 2021 12:07:50 +0100
Subject: [PATCH 2/6] [belenios] Sort APT dependencies
Signed-off-by: ynerant <ynerant@crans.org>
---
roles/belenios/tasks/main.yml | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/roles/belenios/tasks/main.yml b/roles/belenios/tasks/main.yml
index bd80f572..e69ec1b7 100644
--- a/roles/belenios/tasks/main.yml
+++ b/roles/belenios/tasks/main.yml
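Review bot: The `<site path="monitor">` block with `eliom.server.monitor.start` sits under the same `hostfilter="*"` host as the election site, so once the reverse proxy entry in group_vars/reverseproxy.yml forwards the whole vhost, the Eliom monitoring endpoints are reachable from the internet; this appears to come from the upstream example configuration and is presumably not wanted on a public instance. Unless nginx filters `/monitor`, drop the site, or at least say in a comment that it is intentionally exposed. The Jinja values interpolated into XML attributes (`defaulthostname="{{ belenios.domain }}"`, `mail="{{ belenios.email_from }}"`, `name="{{ belenios.cas.name }}"`) are not escaped; `{{ belenios.cas.name | e }}` and friends keep a value containing `"` or `&` from breaking the document. `<gdpr uri="https://www.belenios.org/rgpd.html"/>` likewise still points at the upstream policy page rather than one for this deployment.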
@@ -6,32 +6,32 @@ name: - bubblewrap - build-essential + - ca-certificates + - cracklib-runtime + - jq + - libgd-securityimage-perl - libgmp-dev + - libncurses-dev - libpcre3-dev - - pkg-config - - m4 - libssl-dev - libsqlite3-dev + - m4 + - pkg-config + - unzip - wget - - ca-certificates - zip - - unzip - - libncurses-dev - zlib1g-dev - - libgd-securityimage-perl - - cracklib-runtime - - jq # OCamL build dependencies - dune + - eliom - libatdgen-ocaml-dev - - libzarith-ocaml-dev - - libcryptokit-ocaml-dev - - libcmdliner-ocaml-dev - libcalendar-ocaml-dev - - eliom + - libcmdliner-ocaml-dev + - libcryptokit-ocaml-dev - libcsv-ocaml-dev - libgettext-ocaml-dev + - libzarith-ocaml-dev # Web server dependencies - ocsigenserver -- GitLab From d83613c514988aab0c81166e63f469e4d7eba9bd Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO <ynerant@crans.org> Date: Wed, 17 Feb 2021 23:43:47 +0100 Subject: [PATCH 3/6] [belenios] Use proper network interface names Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> --- host_vars/belenios.adm.crans.org.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/host_vars/belenios.adm.crans.org.yml b/host_vars/belenios.adm.crans.org.yml index 92076e1a..2eb6f993 100644 --- a/host_vars/belenios.adm.crans.org.yml +++ b/host_vars/belenios.adm.crans.org.yml @@ -1,4 +1,4 @@ --- interfaces: - adm: ens18 - srv_nat: ens19 + adm: eth0 + srv_nat: eth1 -- GitLab From 2bdd00b385a6045baaccfaba8d3dd7d28829cd5a Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO <ynerant@crans.org> Date: Wed, 17 Feb 2021 23:44:38 +0100 Subject: [PATCH 4/6] [belenios] Don't need to link the ocsidb file Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> --- roles/belenios/tasks/main.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/roles/belenios/tasks/main.yml b/roles/belenios/tasks/main.yml index e69ec1b7..6d037e90 100644 --- a/roles/belenios/tasks/main.yml +++ b/roles/belenios/tasks/main.yml 
@@ -76,15 +76,6 @@ - "/var/lib/belenios/spool" - "/var/log/belenios" -- name: Link ocsigenserver database - file: - src: "/opt/belenios/_run/lib/ocsidb" - path: "/var/lib/belenios/data/ocsidb" - owner: ocsigen - group: ocsigen - mode: 0644 - state: link - - name: Link belenios directories into proper locations file: src: "{{ item.src }}" -- GitLab From 601a52132e5ccebf400709810a73fd88826d5e6f Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO <ynerant@crans.org> Date: Thu, 18 Feb 2021 11:24:40 +0100 Subject: [PATCH 5/6] [belenios] Move ocsigenserver command pipe Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> --- roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 index fa41d367..f852bb41 100644 --- a/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 +++ b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 @@ -22,7 +22,7 @@ <maxuploadfilesize>1024kB</maxuploadfilesize> <maxconnected>500</maxconnected> - <commandpipe>/var/run/belenios/ocsigenserver_command</commandpipe> + <commandpipe>/var/run/ocsigenserver_command</commandpipe> <charset>utf-8</charset> -- GitLab From ae163d6bc9caf03afeb4216fa826c0670fc60fdc Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO <ynerant@crans.org> Date: Thu, 18 Feb 2021 11:25:02 +0100 Subject: [PATCH 6/6] [nullmailer] Define allmailfrom to always send mails as root Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> --- group_vars/all/nullmailer.yml | 1 + roles/nullmailer/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/group_vars/all/nullmailer.yml b/group_vars/all/nullmailer.yml index 5c63dbc4..48b48c66 100644 --- a/group_vars/all/nullmailer.yml +++ b/group_vars/all/nullmailer.yml 
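Review bot: Moving the pipe to `/var/run/ocsigenserver_command` puts it directly in `/run`, which is normally writable only by root; the data directories in roles/belenios/tasks/main.yml are owned by `ocsigen`, so if ocsigenserver creates the pipe as that user (whether it starts as root is not visible from the hunk), creation may still fail, now in a shared directory instead of a missing one. Keeping `/var/run/belenios/ocsigenserver_command` and creating the directory at boot with `RuntimeDirectory=belenios` in a systemd drop-in (or a tmpfiles entry owned by `ocsigen`) keeps the pipe in a dedicated, properly owned directory; a plain `file` task would not survive a reboot because `/run` is tmpfs. If the daemon does run as root, a comment next to `<commandpipe>` saying so would settle the question for the next reader.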
@@ -3,3 +3,4 @@ glob_nullmailer: root: root@crans.org smtp_server: smtp.adm.crans.org defaulthost: crans.org + allmailfrom: root@crans.org diff --git a/roles/nullmailer/tasks/main.yml b/roles/nullmailer/tasks/main.yml index 2d354bba..864b2f5a 100644 --- a/roles/nullmailer/tasks/main.yml +++ b/roles/nullmailer/tasks/main.yml @@ -26,3 +26,9 @@ content: "{{ nullmailer.defaulthost }}\n" dest: /etc/nullmailer/defaulthost mode: 0644 + +- name: Set nullmailer allmailfrom + copy: + content: "{{ nullmailer.allmailfrom }}\n" + dest: /etc/nullmailer/allmailfrom + mode: 0644 -- GitLab
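Review bot: The new `Set nullmailer allmailfrom` task writes `/etc/nullmailer/allmailfrom` unconditionally, yet the value lives in group_vars/all/nullmailer.yml, so every host using the role, not only belenios, will have the sender of all outgoing mail rewritten to `root@crans.org`, and a host that overrides `glob_nullmailer` without the key fails on the undefined variable. A `when: nullmailer.allmailfrom is defined` guard, with a matching `file: state: absent` task for the other case, lets individual hosts opt out. Like the neighbouring `defaulthost` task there is no handler; as far as I know nullmailer reads these control files at injection time, but that is worth confirming and noting in a comment on the task.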