diff --git a/env.yml b/env.yml
index eca0ae7..c5068e9 100644
--- a/env.yml
+++ b/env.yml
@@ -70,7 +70,6 @@ projects_to_backup:
 borg_repodir: "{{ cifs_mounts['backups']['path'] }}/borg"
 borg_passphrase_file: /etc/borg-passphrase.txt
-hedgedoc_mysql_root_password_file: "/etc/hedgedoc-mysql-root-password.txt"
 borg_prune_options: |
 --keep-within=1d
 --keep-daily=7
@@ -114,7 +113,6 @@ users:
 coturn: 666
 etebase: 373
 hedgedoc: 1004
- hedgedoc_mysql: 1005
 homepage: 8686
 lldap: 1007
 mailserver: 8
@@ -133,8 +131,7 @@ volumes:
 coturn_tls_certificate_file: "/etc/letsencrypt/live/turn.{{ domain }}/fullchain.pem"
 coturn_tls_certificate_key_file: "/etc/letsencrypt/live/turn.{{ domain }}/privkey.pem"
 etebase_datadir: /mnt/etebasedata
- hedgedoc_mysql_datadir: /mnt/hedgedoc/mysql-data
- hedgedoc_configdir: /mnt/hedgedoc/config
+ hedgedoc_uploadsdir: /mnt/hedgedocuploads
 lldap_datadir: /mnt/lldapdata
 mailserver_datadir: /mnt/mailserverdata
 mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
diff --git a/roles/borg-init/tasks/main.yml b/roles/borg-init/tasks/main.yml
index 11b05f5..3d31f18 100644
--- a/roles/borg-init/tasks/main.yml
+++ b/roles/borg-init/tasks/main.yml
@@ -22,20 +22,6 @@
 mode: '600'
 when: not borg_stat_passphrase_file_result.stat.exists or borg_update_passphrase | default(false) | bool
- - name: Get Hedgedoc MySQL root password file stat
- stat:
- path: "{{ hedgedoc_mysql_root_password_file }}"
- register: hedgedoc_mysql_root_password_file_result
- - name: "Template hedgedoc-mysql-root-password.txt to {{ hedgedoc_mysql_root_password_file }}"
- template:
- src: hedgedoc-mysql-root-password.txt
- dest: "{{ hedgedoc_mysql_root_password_file }}"
- owner: root
- group: root
- mode: '600'
- when: not hedgedoc_mysql_root_password_file_result.stat.exists or hedgedoc_update_mysql_root_password | default(false) | bool
-
 - name: Get borg repository stat
 stat:
 path: "{{ borg_repodir }}"
diff --git a/roles/borg-init/templates/hedgedoc-mysql-root-password.txt b/roles/borg-init/templates/hedgedoc-mysql-root-password.txt
deleted file mode 100644
index 13e5932..0000000
--- a/roles/borg-init/templates/hedgedoc-mysql-root-password.txt
+++ /dev/null
@@ -1 +0,0 @@
-{{ hedgedoc_secrets['mysql_root_password'] }}
diff --git a/roles/hedgedoc/tasks/backup.yml b/roles/hedgedoc/tasks/backup.yml
index fed2a18..1b86794 100644
--- a/roles/hedgedoc/tasks/backup.yml
+++ b/roles/hedgedoc/tasks/backup.yml
@@ -1,22 +1,15 @@
-- name: Backup MySQL database
- community.docker.docker_container_exec:
- container: hedgedoc-mysql
- docker_host: "{{ docker_host }}"
- argv:
- - /bin/bash
- "-c"
- "mysqldump hedgedoc > /var/lib/mysql/hedgedoc-dump.sql"
- env:
- MYSQL_PWD: "{{ hedgedoc_secrets['mysql_root_password'] if hedgedoc_secrets['mysql_root_password'] is defined else lookup('ansible.builtin.file', hedgedoc_mysql_root_password_file) }}"
-
-- name: Create borg backup
- command:
- cmd: |
- borg create
- --compression=lzma
- "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
- {{ volumes['hedgedoc_mysql_datadir'] }}/hedgedoc-dump.sql
+- name: "Backup PostgreSQL hedgedoc database & {{ volumes['hedgedoc_uploadsdir'] }} directory"
+ shell: >
+ docker exec postgres
+ pg_dump -c {{ role_name }} |
+ borg create
+ --compression lzma
+ "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
+ "{{ volumes['hedgedoc_uploadsdir'] }}"
+ -
+ --stdin-name dump_{{ role_name }}.sql
 environment:
+ DOCKER_HOST: "{{ docker_host }}"
 BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
 become: true
diff --git a/roles/hedgedoc/tasks/update.yml b/roles/hedgedoc/tasks/update.yml
index 358acae..a6305b8 100644
--- a/roles/hedgedoc/tasks/update.yml
+++ b/roles/hedgedoc/tasks/update.yml
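Review bot: The new `shell: >` pipeline `docker exec postgres pg_dump -c {{ role_name }} | borg create …` returns only borg's exit status, so a failing pg_dump (container not running, authentication or database-name error) still leaves the task green and stores an empty or truncated `dump_{{ role_name }}.sql` in the archive. Make the dump's failure fail the task by running under bash with pipefail: start the folded command with `set -o pipefail && docker exec postgres` and add `args:` / `executable: /bin/bash` next to `environment:`. Streaming the dump into `borg create -` via `--stdin-name` is an improvement over the removed task, which left a plaintext `hedgedoc-dump.sql` in the MySQL data directory. `pg_dump` here relies on the container's default connection user since no `-U` is passed; if that is intended, a short comment saying so would save the next reader a check.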
@@ -1,32 +1,26 @@
-- name: "Create {{ project_dir }} project directory"
+- name: "Create {{ project_dir }} directory"
 file:
 path: "{{ project_dir }}"
 state: directory
-- name: Template docker-compose.yaml to project directory
+- name: Template docker-compose.yaml & .env to project directory
 template:
- src: docker-compose.yaml
- dest: "{{ project_dir }}/docker-compose.yaml"
+ src: "{{ item }}"
+ dest: "{{ project_dir }}/{{ item }}"
 owner: "{{ host_uid }}"
 group: "{{ host_uid }}"
- mode: '640'
+ mode: '600'
+ loop:
+ - docker-compose.yaml
+ - .env
-- name: "Create directory {{ volumes['hedgedoc_configdir'] }} with correct permissions"
+- name: "Create (if not exists) directory {{ volumes['hedgedoc_uploadsdir'] }} & set permissions"
 file:
- path: "{{ volumes['hedgedoc_configdir'] }}"
+ path: "{{ volumes['hedgedoc_uploadsdir'] }}"
 state: directory
 owner: "{{ users['hedgedoc'] + uid_shift }}"
 group: "{{ users['hedgedoc'] + uid_shift }}"
- mode: '770'
- become: true
-
-- name: "Create directory {{ volumes['hedgedoc_mysql_datadir'] }} with correct permissions"
- file:
- path: "{{ volumes['hedgedoc_mysql_datadir'] }}"
- state: directory
- owner: "{{ users['hedgedoc_mysql'] + uid_shift }}"
- group: "{{ users['hedgedoc_mysql'] + uid_shift }}"
- mode: '770'
+ mode: '700'
 become: true
 - name: Pull project services
diff --git a/roles/hedgedoc/templates/.env b/roles/hedgedoc/templates/.env
new file mode 100644
index 0000000..ad9bb2d
--- /dev/null
+++ b/roles/hedgedoc/templates/.env
@@ -0,0 +1,8 @@
+CMD_DB_DIALECT=postgres
+CMD_DB_HOST='postgres.{{ domain }}'
+CMD_DB_DATABASE=hedgedoc
+CMD_DB_USERNAME='{{ hedgedoc_secrets["postgres_user"] }}'
+CMD_DB_PASSWORD='{{ hedgedoc_secrets["postgres_password"] }}'
+CMD_DOMAIN='hedgedoc.{{ domain }}'
+CMD_PROTOCOL_USESSL=true
+CMD_SESSION_SECRET='{{ hedgedoc_secrets["session_secret"] }}'
diff --git a/roles/hedgedoc/templates/docker-compose.yaml b/roles/hedgedoc/templates/docker-compose.yaml
index b8ba4fa..31c16fd 100644
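Review bot: The looped template task now renders `.env`, which holds `CMD_DB_PASSWORD` and `CMD_SESSION_SECRET`, so a run with `--diff` prints the rendered secrets to the console and to whatever captures the play output; add `diff: false` to the task (or `no_log: true` if the item names in the output are not needed). `mode: '600'` for both files is the right choice, since `env_file: .env` is read by compose on the host rather than inside the container. The `hedgedoc_mysql_datadir` and `hedgedoc_configdir` directories are simply no longer managed after this change — presumably their on-disk contents, including the old MySQL data, are meant to stay until the migration is verified, but nothing here removes or archives them, so a follow-up cleanup task is worth tracking.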
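Review bot: `CMD_DB_PASSWORD='{{ hedgedoc_secrets["postgres_password"] }}'` (and likewise the `CMD_DB_USERNAME` and `CMD_SESSION_SECRET` lines) breaks if the secret itself contains a `'`: the quote ends the dotenv value early, and what happens to the remainder depends on the Compose version's parser, which also differs in whether quotes are stripped at all (older docker-compose releases kept them as part of the value, Compose v2 strips them). Either drop the quotes — a dotenv value runs to end of line, e.g. `CMD_DB_PASSWORD={{ hedgedoc_secrets["postgres_password"] }}` — or state in `secrets.yml.example` that these secrets must not contain `'`. `CMD_DB_HOST='postgres.{{ domain }}'` sends the credentials to whatever that name resolves to, and nothing in this file enables TLS for that connection; confirm it stays on a local network or is protected on the postgres side.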
--- a/roles/hedgedoc/templates/docker-compose.yaml
+++ b/roles/hedgedoc/templates/docker-compose.yaml
@@ -1,33 +1,11 @@
 services:
 hedgedoc:
 container_name: hedgedoc
- image: lscr.io/linuxserver/hedgedoc:latest
+ image: quay.io/hedgedoc/hedgedoc:1.9.9
 restart: always
- environment:
- - PUID={{ users['hedgedoc'] }}
- - PGID={{ users['hedgedoc'] }}
- - TZ={{ timezone }}
- - DB_HOST=hedgedoc-mysql
- - DB_PORT=3306
- - DB_USER=root
- - DB_PASS={{ hedgedoc_secrets['mysql_root_password'] }}
- - DB_NAME=hedgedoc
- - CMD_DOMAIN=hedgedoc.{{ domain }}
- - CMD_PROTOCOL_USESSL=true
+ user: {{ users['hedgedoc'] }}:{{ users['hedgedoc'] }}
+ env_file: .env
 ports:
 - 127.0.0.1:{{ ports['hedgedoc'] }}:3000
 volumes:
- - {{ volumes['hedgedoc_configdir'] }}:/config
-
- mysql:
- container_name: hedgedoc-mysql
- image: docker.io/library/mysql:latest
- restart: always
- user: {{ users['hedgedoc_mysql'] }}:{{ users['hedgedoc_mysql'] }}
- environment:
- MYSQL_DATABASE: hedgedoc
- MYSQL_ROOT_PASSWORD: "{{ hedgedoc_secrets['mysql_root_password'] }}"
- volumes:
- - {{ volumes['hedgedoc_mysql_datadir'] }}:/var/lib/mysql
-
-
+ - {{ volumes['hedgedoc_uploadsdir'] }}:/hedgedoc/public/uploads
diff --git a/secrets.yml.example b/secrets.yml.example
index a55376e..ba5b80b 100644
--- a/secrets.yml.example
+++ b/secrets.yml.example
@@ -25,7 +25,9 @@ coturn_secrets:
 static_auth_secret:
 hedgedoc_secrets:
- mysql_root_password:
+ postgres_user:
+ postgres_password:
+ session_secret:
 lldap_secrets:
 jwt_secret:
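Review bot: `user: {{ users['hedgedoc'] }}:{{ users['hedgedoc'] }}` renders as an unquoted `uid:gid` scalar, which a YAML 1.1 loader (PyYAML, used by the Python docker-compose v1) reads as a base-60 integer whenever the part after the colon is one or two digits below 60 — `8:8` becomes `488`; it is safe here only because `users['hedgedoc']` is 1004 in env.yml, while the same inventory has `mailserver: 8`. Quote it so the type cannot change with the uid: `user: "{{ users['hedgedoc'] }}:{{ users['hedgedoc'] }}"`. `TZ={{ timezone }}` from the removed environment list has no counterpart in the new `.env`; presumably the hedgedoc image does not need it, but confirm timestamps in notes and logs still come out as expected. Pinning `quay.io/hedgedoc/hedgedoc:1.9.9` instead of `:latest` is a welcome change; a `@sha256:` digest alongside the tag would also make pulls reproducible.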