Merge branch 'master' of https://git.electricmandarine.cloud/nicolo/ansible-lab

inventory/lab/inventory.yml

@@ -10,3 +10,12 @@ all:
         debi13:
           ansible_host: 127.0.0.1
           ansible_port: 2224
+
+    fail2ban:
+      hosts:
+       debi13:
+          ansible_host: 127.0.0.1
+          ansible_port: 2224
+       alma9:
+          ansible_host: 127.0.0.1
+          ansible_port: 2222

playbooks/fail2ban.yml

@@ -0,0 +1,10 @@
+---
+- name: Install fail2ban on Linux hosts
+  hosts:
+    - fail2ban
+  become: true
+
+  roles:
+    - fail2ban
+
+

playbooks/heriverse.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure webserver with Docker, Heriverse and Caddy
+  hosts:
+    - localhost
+  become: true
+  vars:
+    server_name: "heriverse.stratigraph"
+
+  roles:
+    - docker
+    - heriverse

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Ensure epel-release is installed (RedHat)
+  ansible.builtin.package:
+    name: epel-release
+    state: present
+    update_cache: yes
+  when: ansible_os_family == 'RedHat'
+
+- name: Ensure fail2ban is installed
+  ansible.builtin.package:
+    name: fail2ban
+    state: present
+    update_cache: yes
+
+- name: Start fail2ban for RedHat
+  ansible.builtin.systemd_service:
+    name: fail2ban
+    state: started
+    enabled: true
+  when: ansible_os_family == 'RedHat'

roles/heriverse/defaults/main.yml

@@ -0,0 +1,3 @@
+heriverse_repo_url: "https://git.3dresearch.it/stratigraph/docker-heriverse"
+# Note: replace with the domain name for Caddy config
+#server_name: "heriverse.stratigraph"

roles/heriverse/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Caddy
+  ansible.builtin.service:
+    name: caddy
+    state: restarted

roles/heriverse/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+- name: Ensure ACL is installed
+  ansible.builtin.package:
+    name:
+      - acl
+    state: present
+    update_cache: yes
+
+- name: Ensure git is installed
+  ansible.builtin.package:
+    name:
+      - git
+    state: present
+    update_cache: yes
+
+- name: Ensure Caddy is installed
+  ansible.builtin.package:
+    name:
+      - caddy
+    state: present
+    update_cache: yes
+
+- name: Create Heriverse user
+  ansible.builtin.user:
+    name: heriverse
+    shell: /usr/sbin/nologin
+    home: /opt/heriverse
+    create_home: true
+    password: '*'
+
+- name: Ensure Heriverse directory exists
+  ansible.builtin.file:
+    path: /opt/heriverse/docker-herivese
+    state: directory
+    owner: heriverse
+    group: heriverse
+    mode: "0755"
+
+- name: Clone Heriverse repo
+  ansible.builtin.git:
+    repo: "{{ heriverse_repo_url }}"
+    dest: /opt/heriverse/docker-heriverse
+    clone: true
+  become: true
+  become_user: heriverse
+
+# Temporary
+- name: Replace docker-compose.yml for prod
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "/opt/heriverse/docker-heriverse"
+    owner: root
+    group: root
+    force: true
+    mode: '0644'
+
+- name: Create and start all Heriverse services
+  community.docker.docker_compose_v2:
+    project_src: /opt/heriverse/docker-heriverse
+    pull: missing
+  register: output
+
+- name: Execute entrypoint script
+  ansible.builtin.command:
+    chdir: /opt/heriverse/docker-heriverse
+    cmd: './entrypoint.sh'
+  become: true
+  become_user: heriverse
+  
+- name: Copy Caddy config file
+  ansible.builtin.template:
+    src: Caddyfile.j2
+    dest: "/etc/caddy/Caddyfile"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart Caddy
+  

roles/heriverse/templates/Caddyfile.j2

@@ -0,0 +1,25 @@
+{{ server_name }} {
+    # Don't show ATON's frontend home page
+    redir / /a/heriverse 302
+
+    request_body {
+        max_size 2GB # This can be made configurable
+    }
+
+    # `handle_path` is required where URIs must be rewritten
+    handle_path /server/* {
+        reverse_proxy localhost:3000
+    }
+
+    handle /auth* {
+        reverse_proxy localhost:8080
+    }
+
+    handle_path /couchdb/* {
+        reverse_proxy localhost:5984
+    }
+
+    handle /* {
+        reverse_proxy localhost:8081
+    }
+}

roles/heriverse/templates/docker-compose.yml.j2

@@ -0,0 +1,94 @@
+services:
+
+  # =======================
+  # FRONTEND
+  # =======================
+  heriverse:
+    image: git.3dresearch.it:5050/cnr-h2iosc/heriverse/heriverse-wapp:latest
+    container_name: heriverse
+    ports:
+      - "8081:8080"
+    depends_on:
+      - heriverse-server
+      - keycloak
+    volumes:
+      - ./mount/heriverse/config/Utils.js:/aton/wapps/heriverse/config/Utils.js
+    networks:
+      - backend
+    restart: always
+
+  # =======================
+  # BACKEND / API SERVER
+  # =======================
+  heriverse-server:
+    image: git.3dresearch.it:5050/stratigraph/heriverse-server:latest
+    container_name: heriverse-server
+    ports:
+      - "3000:3000"
+    depends_on:
+      - couchdb
+      - keycloak
+    volumes:
+      - ./mount/server/uploads:/app/uploads
+      - ./mount/server/config:/app/conf
+    networks:
+      - backend
+    restart: always
+  # =======================
+  # DATABASE
+  # =======================
+  couchdb:
+    image: apache/couchdb:3
+    container_name: couchdb
+    environment:
+      - COUCHDB_USER=admin
+      - COUCHDB_PASSWORD=admin
+      - COUCHDB_SECRET=heriversesecret
+      - COUCHDB_SINGLE_NODE=true
+    ports:
+      - "5984:5984"
+    volumes:
+      - couchdb_data:/opt/couchdb/data
+      - couchdb_config:/opt/couchdb/etc/local.d
+    networks:
+      - backend
+    restart: always
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0.4
+    container_name: keycloak
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_DB: dev-file
+      KC_PROXY: edge
+      KC_HTTP_ENABLED: "true"
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+    ports:
+      - "8080:8080"
+    command:
+      - start-dev
+      - --import-realm
+      - --http-relative-path=/auth
+      - --proxy-headers=xforwarded
+      - --hostname={{ server_name }}
+      - --hostname-strict=false
+      - --hostname-strict-https=false
+      - --http-enabled=true
+    volumes:
+      - keycloak_data:/opt/keycloak/data
+      - ./mount/keycloak/realms/realm-heriverse.json:/opt/keycloak/data/import/realm-heriverse.json
+    networks:
+      - backend
+    restart: always
+# =======================
+# NETWORK AND VOLUMES
+# =======================
+networks:
+  backend:
+    driver: bridge
+
+volumes:
+  couchdb_data:
+  couchdb_config:
+  keycloak_data:

roles/iiif-manif/defaults/main.yml

@@ -0,0 +1 @@
+iiif_repo_url: "https://git.electricmandarine.cloud/nicolo/greek-manifests"

roles/iiif-manif/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart PM2
+  ansible.builtin.command: '/home/nicolo/node_modules/bin/pm2 restart all --update-env'
+  become: true
+  become_user: nicolo

roles/iiif-manif/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- name: Ensure ACL is installed
+  ansible.builtin.package:
+    name:
+      - acl
+    state: present
+    update_cache: yes
+  when: ansible_os_family == 'RedHat'
+
+- name: Ensure git is installed
+  ansible.builtin.package:
+    name:
+      - git
+    state: present
+    update_cache: yes
+
+- name: Pull from manifest repo
+  ansible.builtin.git:
+    repo: "{{ iiif_repo_url }}"
+    # To be changed!!
+    dest: /home/nicolo/greek-manifests
+    update: true
+    clone: false
+    version: master
+  become: true
+  become_user: nicolo
+
+- name: Install Yarn dependencies based on package.json
+  community.general.yarn:
+    # To be changed!!
+    path: /home/nicolo/greek-manifests
+    executable: /home/nicolo/node_modules/bin/yarn
+    production: true
+  become: true
+  become_user: nicolo
+  # this should alwasy notify 'Restart PM2'
+  changed_when: true
+  notify: Restart PM2