Add hedgedoc as new service

This adds a collaborative markdown editor as newly offered service which is available via login for all Arch Linux Staff with an option to allow anonymous edits by users (not default). Users are managed via keycloak and require the Staff role to be allowed in, non staff keycloak users currently will receive an internal server error due to an upstream issue.

Add hedgedoc as new service
3124cfd9 · Jelle van der Waa · 5739a6b6 · 3124cfd9 · 3124cfd9 · 3124cfd9
Verified Commit 3124cfd9 authored 4 years ago by Jelle van der Waa
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -138,6 +138,12 @@ Medium-fast-ish packet.net Arch Linux box.
 ### Services
  - archwiki

+## md.archlinux.org
+
+  Online collborative markdwown editor for Arch Linux Staff.
+
+### Services
+  - [hedgedoc](https://hedgedoc.org/)

 ## Archive Mirrors


--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -207,6 +207,17 @@
 256 MD5:f6:40:bf:89:89:1a:dc:50:86:d6:0d:cc:d4:ae:15:a1 root@archlinux-packer (ED25519)
 3072 MD5:db:7c:b7:7b:d6:4a:d9:9f:aa:84:ba:17:e1:a1:d8:b0 root@archlinux-packer (RSA)

+# md.archlinux.org
+1024 SHA256:BR7Kn7TsXpaszgByF227yoLlI8OpQ5aGHqptYsUwWgE root@archlinux-packer (DSA)
+256 SHA256:vYhOL93Q0MSdaSD7PoW30twqhW6JwhO/5ylyQ9sYzhU root@archlinux-packer (ECDSA)
+256 SHA256:x/WWvtqZx4HZtxyWmXihvcFRAvZTlWAUbeHxyYzxEZU root@archlinux-packer (ED25519)
+3072 SHA256:d3PQVarjHA2iuopomsGtK26hMG5h6JN4+Lt+X8WdMis root@archlinux-packer (RSA)
+
+1024 MD5:23:3a:a6:c6:81:ab:bd:22:80:83:cd:91:4b:3d:16:a0 root@archlinux-packer (DSA)
+256 MD5:29:95:e6:56:59:36:d6:f9:05:ca:3b:13:38:79:70:48 root@archlinux-packer (ECDSA)
+256 MD5:35:57:8e:de:29:d4:76:7a:3b:b6:57:ff:c3:2f:9d:e0 root@archlinux-packer (ED25519)
+3072 MD5:0d:cb:e7:c6:38:c1:c9:bd:6f:74:9e:bf:f1:3f:9c:f5 root@archlinux-packer (RSA)
+
 # mirror.pkgbuild.com
 1024 SHA256:O7TKGcsfAsOiY8YFNEGX8Tma5kvQFe/lGd6+StnpmAM root@archlinux-packer (DSA)
 256 SHA256:6hikXsqiWU9Oqf7FSsi2iBgeeiL8/hifuaFpotiGz4U root@archlinux-packer (ECDSA)

--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -93,6 +93,11 @@ matrix.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbml
 matrix.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPm0Ing8aSqaw/FGvPD5NqmqZjCo99xKMq1lBdfY4NdX
 matrix.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbcTp/+cwo7sKcgDjxJ1sUDQwU4xAWajOna1hC5Vnie4Kpo13hStIWmBUMHn0PkS9XbJC5hFEfE87l8ciemIiWZbxwCx93iVD2+M2S1Arso+0xvKJKEkmLdwx7Lr8bnqOnpyCt3fPCHaPoKVXWnYYvNSqkLh2QgtPv7QXnTZhhFmFmzf8dbQqJXFPpPN28y/SQ0w4iFpfuVAbVwK9UmYmjdK8FyN6V1S+8U6zZXYqaAI6wBNsa5zkczfmSM3AUy71T6DE7uceWx2hARaytf8yPyj/E6B0II7jvwa9CbcrQxvm2MStwIhuULG0ILcNfdOgYc5ddqy+m8XKN4b7WKgClfZc53FeFzBrsFrK9fRNp6mjZesj+MthKChF5M6sTpYt5Qn8c3dfhA5SmulD23K/zLxGPpluDReoEfXPZDqaNQh9JoemrBuBMCkN5MKgJBFGgkO/YnUVPpwLZAELg4zw7ON2q9Bw2CUPXMsi6CxUG0pb0dpGn+VK66YHyCyT4vbc=

+# md.archlinux.org
+md.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHsMS3c+QGKLT7/rcnOrx5kI7J6zxf5djtgKYEWnqaK5LZi52KalVo2ID68xYBEtuPFKRQ8dRN+7QNQqWQWCIPU=
+md.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqqsOIUGWwIz1OqclbHeREBrujf43B28MEeuEWVvgc2
+md.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4r5WR6WQ9WjIx1bbRkygM7jQvZB2kM/D7GiEWIhyvK9g2va39MKHWEaZ9xVtkxPN4ob1/5MYDlEb6MoXLktFQwTGhi0mBSvBqjRaotsiqgdxCDjM3gaOznKDafBBE5a2pu5uQ3Nt2pwX6inNWUK9AWZjmHqcTkjdQZoPsKsu/zBuiGOC2rjhMBq2AfIJDJvYLXEbNVWx6hn7cstSPPX+4aa6miu1buJrbVQxF7aq5/vhR2dANdicerl+rnhneMKRfxmFQ2UEa5mKCW4eVYFXGxCjdIj6OEzjvcCSK+9cOaLqsF9//70qfq//jai8PrI4SAsdPyNKkouHgJ04kpE3zfu1WZ2zzWnFZBC11YccIPOAEJYeg641VxMa4gWa+t4H1P+CTNpuPZ4bxktPYCIFkgj4qzz4v5XvVpP9mOj23lm3tXLjai2NXm80MraJ95WDd2Ozf0tZn7fWZ3T0lNVqMoU522ImRrUrOIsPhjZhgowWK06/wU3FZZOA49GFnYwk=
+
 # mirror.pkgbuild.com
 mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCBew2WqfyvxwKSnfnVrZiwnwogBFmYMMejOFP7aVT7qMXP6xT1qZ6daJEgXKI81j54TEVoGIU1lZIuvhi7hqT0=
 mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkcn0PYBn4cqwQDhyiel4kx0EkNp//usdKVbcfT9GO+

--- a/group_vars/all/vault_hedgedoc.yml
+++ b/group_vars/all/vault_hedgedoc.yml
+$ANSIBLE_VAULT;1.1;AES256
+63373465656232323265643638376633383230643139323535656565396362636330396130663263
+6233666233646537363536323032366337613765336530350a336130303663383337643737323665
+66393863666135616430643931376239616266616664623034653134303563306239653736616464
+3666386534306434640a386261383039643937316564303561666133643536353839346262353833
+63313264363162336166666361366533336265386433376136623435666661363861663239303236
+32623930393838323964646166393037633564343262336565383331636633666230313434326635
+35366433313636646466303565356138386436323266316534343231303861336462343637383065
+66643663356363356466613933376331656432306434393432643163326663343161636333303134
+62383362393933636164363666613230316439396235383636346530343536636432343330623330
+33373135343033623437613836393564376366613366636662383337623534386161623663386631
+356435336630613834356535646239616139
--- a/group_vars/all/vault_postgres.yml
+++ b/group_vars/all/vault_postgres.yml
 $ANSIBLE_VAULT;1.1;AES256
-63366165396562363135333830643834663532353865653138636334343664343138313365336436
-6436383535623062656466646461303365373533363430610a373930366237326137613362336164
-34633732376464646437356137343631353434396432623633353036663738343538303966353464
-6535383735323763330a633436646331623131633564393130376139363061663139626366666634
-66643763376463386231663832303664633632613530633266313431646333316534326237373137
-36663233303561313965633333313738643331396465666263663034336163303339383437353332
-64626462393336623130316535303531623634656235313939636232653930303432636364386330
-61613736356239613935323430396233323335363862353039343936653631656562656231323237
-65336663666166326630663565353032303461613431343662326535363761333665336137316161
-62366561383736326338346362333939386332356137653866383334333262663839313438363631
-31663062373366383133343063313931366637346131626338656538613166656664393930373733
-62336639356361663962373039366362343966616363653838313538623039666665633565323765
-62346337636336663333613766396436313238346565633133383030633931613965396261333766
-31326337646438623631616639383764636332336336353830616633396336333536623861356637
-333839656139326135636238643561356366
+33396466383935313930366561313862626233306538393832646563343039313536306464363534
+6233653830383738333733666230396233626132303532310a313864373236346464353233653337
+66646461356531373033393031396464663965373036663266366463333735633061646138316138
+3538663833656636370a316430636238326631363937393865373836616633303564646530356530
+33626639303738343137353161633735356161353839616236313565663938663539653166656262
+62623565626239363766653733663361643737386239613838323537636631333431336165613639
+62306166383735663732313438313234306637393237623930383561346233363064316664366234
+62383166346534373863303866646562386330313932343238306232366466383165663339306633
+35613534386663633034313032363765343864366634663733393666643435383064643133653630
+39346563396661353666313732663538663334616166316163643536616535306336653639656431
+64333532616636376661663465323763346566623830643533663533363161646234333365643134
+32663437613831366339646531366234386665626231653864363138356638346139646134393865
+39616535656665363434633338646334356562323432346562613562616361646262616237376632
+39393264356137326335333433643266343639366630356366646165333165613331623034653462
+64383930376664393938363835373131636437396330366532616262656565306161663239383566
+37326164343637303764343833373764316232303039303762633861336465323864383934323538
+3165
--- a/host_vars/md.archlinux.org
+++ b/host_vars/md.archlinux.org
+---
+filesystem: btrfs
--- a/hosts
+++ b/hosts
@@ -45,6 +45,7 @@ mail.archlinux.org
 wiki.archlinux.org
 patchwork.archlinux.org
 security.archlinux.org
+md.archlinux.org

 [borg_hosts]
 prio.ch-s012.rsync.net
@@ -139,6 +140,7 @@ america.mirror.pkgbuild.com
 europe.mirror.pkgbuild.com
 repro2.pkgbuild.com
 runner1.archlinux.org
+md.archlinux.org

 [kape_servers]
 asia.mirror.pkgbuild.com

--- a/playbooks/md.archlinux.org.yml
+++ b/playbooks/md.archlinux.org.yml
+---
+
+- name: setup hedgedoc server
+  hosts: md.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: tools }
+    - { role: firewalld }
+    - { role: sshd }
+    - { role: unbound }
+    - { role: root_ssh }
+    - { role: borg_client, tags: ["borg"] }
+    - { role: nginx }
+    - { role: certbot }
+    - role: postgres
+      postgres_max_connections: 100
+      postgres_ssl: 'off'
+      postgres_shared_buffers: 512MB
+      postgres_effective_cache_size: 1GB
+    - { role: hedgedoc, hedgedoc_domain: "md.archlinux.org" }
+    - { role: prometheus_exporters }
--- a/roles/hedgedoc/defaults/main.yml
+++ b/roles/hedgedoc/defaults/main.yml
+hedgedoc_nginx_conf: /etc/nginx/nginx.d/hedgedoc.conf
+hedgedoc_domain: md.archlinux.org
--- a/roles/hedgedoc/tasks/main.yml
+++ b/roles/hedgedoc/tasks/main.yml
+---
+
+- name: install hedgedoc
+  pacman: name=hedgedoc state=present
+
+- name: add hedgedoc postgres db
+  postgresql_db: db=hedgedoc
+  become: yes
+  become_user: postgres
+  become_method: su
+
+- name: add hedgedoc postgres user
+  postgresql_user: db=hedgedoc name=hedgedoc password={{ vault_postgres_users.hedgedoc }} encrypted=true
+  become: yes
+  become_user: postgres
+  become_method: su
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ hedgedoc_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest={{ hedgedoc_nginx_conf }} owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
+
+- name: add hedgedoc.service.d dir
+  file: state=directory path=/etc/systemd/system/hedgedoc.service.d owner=root group=root mode=0755
+
+- name: install hedgedoc.service snippet for configuration
+  template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644
+
+- name: install hedgedoc config file
+  template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644
+
+- name: install hedgedoc sequelizerc file
+  template: src=sequelizerc.j2 dest=/etc/webapps/hedgedoc/sequelizerc owner=root group=root mode=0644
+
+- name: start and enable hedgedoc
+  service: name=hedgedoc.service enabled=yes state=started
--- a/roles/hedgedoc/templates/config.json.j2
+++ b/roles/hedgedoc/templates/config.json.j2
+{
+    "production": {
+        "sessionSecret": "{{ vault_hedgedoc_session_secret }}",
+        "email": false,
+        "domain": "{{ hedgedoc_domain }}",
+        "loglevel": "info",
+        "protocolUseSSL": true,
+        "allowAnonymous": false,
+	"allowAnonymousEdits": true,
+	"defaultPermission": "limited",
+        "hsts": {
+            "enable": true,
+            "maxAgeSeconds": 31536000,
+            "includeSubdomains": true,
+            "preload": true
+        },
+        "csp": {
+            "enable": true,
+            "directives": {},
+            "upgradeInsecureRequests": "true",
+            "addDefaults": true,
+            "addDisqus": false,
+            "addGoogleAnalytics": false
+        },
+        "cookiePolicy": "lax",
+        "db": {
+            "dialect": "postgres",
+            "username": "hedgedoc",
+            "password": "{{ vault_postgres_users.hedgedoc }}",
+            "database": "hedgedoc",
+            "host": "localhost",
+            "port": "5432",
+            "dialect": "postgres"
+        },
+        "linkifyHeaderStyle": "gfm"
+    }
+}
--- a/roles/hedgedoc/templates/hedgedoc.service.d.j2
+++ b/roles/hedgedoc/templates/hedgedoc.service.d.j2
+[Service]
+Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
+Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
+Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
+Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
+Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
+Environment=CMD_OAUTH2_ROLES_CLAIM=roles
+Environment=CMD_OAUTH2_ACCESS_ROLE=Staff
+Environment=CMD_OAUTH2_PROVIDERNAME=Keycloak
+Environment=CMD_DOMAIN=md.archlinux.org
+Environment=CMD_PROTOCOL_USESSL=true
+Environment=CMD_URL_ADDPORT=false
--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
+upstream hedgedoc {
+    server localhost:3000;
+}
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ hedgedoc_domain }};
+
+    access_log   /var/log/nginx/{{ hedgedoc_domain }}/access.log main;
+    error_log    /var/log/nginx/{{ hedgedoc_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        rewrite ^(.*) https://{{ hedgedoc_domain }}$1 permanent;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ hedgedoc_domain }};
+
+    access_log   /var/log/nginx/{{ hedgedoc_domain }}/access.log main;
+    error_log    /var/log/nginx/{{ hedgedoc_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ hedgedoc_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ hedgedoc_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ hedgedoc_domain }}/chain.pem;
+
+    location / {
+       proxy_pass http://hedgedoc;
+       proxy_set_header Host $host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /socket.io/ {
+       proxy_pass http://hedgedoc;
+       proxy_set_header Host $host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+   }
+}
--- a/roles/hedgedoc/templates/sequelizerc.j2
+++ b/roles/hedgedoc/templates/sequelizerc.j2
+var path = require('path');
+
+module.exports = {
+    'config':          path.resolve('config.json'),
+    'migrations-path': path.resolve('lib', 'migrations'),
+    'models-path':     path.resolve('lib', 'models'),
+    'url':             'postgres://hedgedoc:{{ vault_postgres_users.hedgedoc }}@localhost:5432/hedgedoc'
+}
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -139,6 +139,10 @@ locals {
      domain      = "mirror"
      zone        = hetznerdns_zone.pkgbuild.id
    }
+    "md.archlinux.org" = {
+      server_type = "cx11"
+      domain      = "md"
+    }
  }

  # This creates gitlab pages varification entries.
@@ -489,4 +493,3 @@ resource "hcloud_volume" "homedir" {
  size      = 100
  server_id = hcloud_server.machine["homedir.archlinux.org"].id
 }
-
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -33,6 +33,12 @@ data "external" "vault_monitoring" {
  "--format", "json"]
 }

+data "external" "vault_hedgedoc" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_hedgedoc.yml",
+    "vault_hedgedoc_client_secret",
+  "--format", "json"]
+}
+
 provider "keycloak" {
  client_id = "admin-cli"
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
@@ -785,3 +791,29 @@ resource "keycloak_openid_client_scope" "email" {
  include_in_token_scope = true
  consent_screen_text    = "$${emailScopeConsentText}"
 }
+
+resource "keycloak_openid_client" "hedgedoc_openid_client" {
+  realm_id      = "archlinux"
+  client_id     = "openid_hedgedoc"
+  client_secret = data.external.vault_hedgedoc.result.vault_hedgedoc_client_secret
+
+  name    = "Hedgedoc"
+  enabled = true
+
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "https://md.archlinux.org/*",
+  ]
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "hedgedoc_user_realm_role_mapper" {
+  realm_id  = "archlinux"
+  client_id = keycloak_openid_client.hedgedoc_openid_client.id
+  name      = "user realms"
+
+  claim_name          = "roles"
+  multivalued         = true
+  add_to_id_token     = false
+  add_to_access_token = false
+}