authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/photostructure
initial commit
Diffstat (limited to 'roles/photostructure')
-rw-r--r--roles/photostructure/defaults/main.yml11
-rw-r--r--roles/photostructure/handlers/main.yml4
-rw-r--r--roles/photostructure/meta/main.yml7
-rw-r--r--roles/photostructure/tasks/freeipa.yml47
-rw-r--r--roles/photostructure/tasks/main.yml78
-rw-r--r--roles/photostructure/templates/etc/sysconfig/photostructure18
-rw-r--r--roles/photostructure/templates/etc/systemd/system/photostructure.service.j219
-rw-r--r--roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j248
-rw-r--r--roles/photostructure/vars/main.yml46
9 files changed, 278 insertions, 0 deletions
diff --git a/roles/photostructure/defaults/main.yml b/roles/photostructure/defaults/main.yml
new file mode 100644
index 0000000..9813abc
--- /dev/null
+++ b/roles/photostructure/defaults/main.yml
@@ -0,0 +1,11 @@
+photostructure_port: 8080
+photostructure_scan_interval_hours: 24
+photostructure_max_cpu_percent: 95
+photostructure_log_level: warn
+photostructure_backup_interval_minutes: 30
+photostructure_version: alpha
+
+photostructure_user: s-photostructure
+photostructure_file_access_group: role-photo-admin
+
+photostructure_kerberized_cidrs: '{{ kerberized_cidrs }}'
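Review bot: `photostructure_version: alpha` makes the default a moving branch rather than a fixed release. Together with the update timer in this role, whatever lands on that branch is fetched and built with `yarn install` unattended. If that is intended, a comment above the default such as `# tracks the upstream alpha branch; set to a tag or commit to pin` would make the trade-off visible. Pinning to a tag or commit would remove the dependency on unreviewed upstream changes.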
diff --git a/roles/photostructure/handlers/main.yml b/roles/photostructure/handlers/main.yml
new file mode 100644
index 0000000..5148595
--- /dev/null
+++ b/roles/photostructure/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart photostructure
+ systemd:
+ name: photostructure
+ state: restarted
diff --git a/roles/photostructure/meta/main.yml b/roles/photostructure/meta/main.yml
new file mode 100644
index 0000000..e167af1
--- /dev/null
+++ b/roles/photostructure/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rpmfusion-free
+ - rpmfusion-nonfree
+ tags: yum
diff --git a/roles/photostructure/tasks/freeipa.yml b/roles/photostructure/tasks/freeipa.yml
new file mode 100644
index 0000000..66d99e7
--- /dev/null
+++ b/roles/photostructure/tasks/freeipa.yml
@@ -0,0 +1,47 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ photostructure_home }}'
+ givenname: Photostructure
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ photostructure_user }}'
+ keytab_path: '{{ photostructure_keytab }}'
+
+- name: configure gssproxy for kerberized NFS
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: photostructure
+ gssproxy_section: service/photostructure
+ gssproxy_keytab: /etc/krb5.keytab
+ gssproxy_client_keytab: '{{ photostructure_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: '{{ photostructure_user }}'
+
+- name: add user to file access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_file_access_group }}'
+ user: '{{ photostructure_user }}'
+ action: member
+ state: present
+ run_once: yes
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_access_group }}'
+ state: present
+ run_once: yes
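Review bot: `photostructure_access_group` in the "create access group" task has no default in this role's defaults/main.yml or vars/main.yml, so the task fails with an undefined-variable error unless inventory supplies it. It may be defined outside this role, since the diff is limited to this path. The same applies to `photostructure_scan_paths` in the sysconfig template. Either add documented defaults or open the role with an `assert` on `photostructure_access_group is defined` and `photostructure_scan_paths is defined`, so a missing value is reported before any FreeIPA object is created.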
diff --git a/roles/photostructure/tasks/main.yml b/roles/photostructure/tasks/main.yml
new file mode 100644
index 0000000..2b37aed
--- /dev/null
+++ b/roles/photostructure/tasks/main.yml
@@ -0,0 +1,78 @@
+- name: install packages
+ dnf:
+ name: '{{ photostructure_packages }}'
+ state: present
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create home directory
+ file:
+ path: '{{ photostructure_home }}'
+ owner: '{{ photostructure_user }}'
+ group: '{{ photostructure_user }}'
+ mode: 0700
+ state: directory
+
+- name: clone git repository
+ git:
+ repo: '{{ photostructure_repo }}'
+ dest: '{{ photostructure_install_dir }}'
+ update: no
+ version: '{{ photostructure_version }}'
+ become: yes
+ become_user: '{{ photostructure_user }}'
+ register: photostructure_git
+
+- name: build photostructure
+ shell:
+ cmd: >-
+ mkdir -p "$HOME/.config/PhotoStructure" &&
+ rm -rf node_modules "$HOME/.electron" "$HOME/.electron-gyp" "$HOME/.npm/_libvips" "$HOME/.node-gyp" "$HOME/.cache/yarn/*/*sharp*" &&
+ npx --yes yarn install --silent
+ chdir: '{{ photostructure_install_dir }}'
+ become: true
+ become_user: '{{ photostructure_user }}'
+ when: photostructure_git.changed
+
+- name: create systemd unit file
+ template:
+ src: etc/systemd/system/photostructure.service.j2
+ dest: /etc/systemd/system/photostructure.service
+ register: photostructure_unit
+ notify: restart photostructure
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: photostructure_unit.changed
+
+- name: generate environment file
+ template:
+ src: etc/sysconfig/photostructure
+ dest: /etc/sysconfig/photostructure
+ owner: root
+ group: '{{ photostructure_user }}'
+ notify: restart photostructure
+
+- name: start photostructure
+ systemd:
+ name: photostructure
+ state: started
+ enabled: yes
+
+- name: generate update script
+ template:
+ src: '{{ photostructure_home[1:] }}/photostructure-update.sh.j2'
+ dest: '{{ photostructure_home }}/photostructure-update.sh'
+ mode: 0555
+
+- name: set up photostructure-update timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: photostructure-update
+ timer_description: Update photostructure
+ timer_after: network.target nss-user-lookup.target
+ timer_on_calendar: '{{ photostructure_update_on_calendar }}'
+ timer_exec: '{{ photostructure_home }}/photostructure-update.sh'
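Review bot: The "generate update script" task writes the script into `{{ photostructure_home }}`, which the "create home directory" task makes owned by `photostructure_user`, yet the script checks for EUID 0 and so is presumably run as root by the timer. The directory owner can replace any entry in it regardless of the file's own mode, so the service account effectively controls what root executes. vars/main.yml already defines `photostructure_update_script_path: /usr/local/sbin/photostructure-update.sh`, which nothing in this diff uses. Use it for both `dest: '{{ photostructure_update_script_path }}'` and `timer_exec: '{{ photostructure_update_script_path }}'`, and set `owner: root` on the template task.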
diff --git a/roles/photostructure/templates/etc/sysconfig/photostructure b/roles/photostructure/templates/etc/sysconfig/photostructure
new file mode 100644
index 0000000..b1143d2
--- /dev/null
+++ b/roles/photostructure/templates/etc/sysconfig/photostructure
@@ -0,0 +1,18 @@
+PS_COPY_ASSETS_TO_LIBRARY="false"
+PS_SCAN_ALL_DRIVES="false"
+PS_LIBRARY_DIR="{{ photostructure_library }}"
+PS_LOG_DIR="{{ photostructure_home }}/logs"
+PS_LOG_COLOR="false"
+PS_LOG_LEVEL="{{ photostructure_log_level }}"
+PS_SCAN_PATHS='{{ ([photostructure_scan_paths] if photostructure_scan_paths is string else photostructure_scan_paths) | to_json }}'
+PS_EXPOSE_NETWORK_WITHOUT_AUTH="false"
+PS_UPGRADE_INSECURE_REQUESTS="true"
+PS_HTTP_PORT="{{ photostructure_port }}"
+PS_TRUST_PROXY="loopback"
+PS_CPU_LOAD_PERCENT="{{ photostructure_max_cpu_percent }}"
+PS_ENABLE_VIPS_CACHE="true"
+PS_SYNC_INTERVAL_HOURS="{{ photostructure_scan_interval_hours }}"
+PS_REPORT_ERRORS="false"
+PS_DB_BACKUP_INTERVAL_MINUTES="{{ photostructure_backup_interval_minutes }}"
+PS_TAG_LENS="false"
+PS_TAG_DATE_FROM_STAT="false"
diff --git a/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2 b/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2
new file mode 100644
index 0000000..67700c3
--- /dev/null
+++ b/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2
@@ -0,0 +1,19 @@
+[Unit]
+Description=PhotoStructure for Servers
+Documentation=https://photostructure.com/servers/
+Requires=network.target nss-user-lookup.target autofs.service
+After=network.target nss-user-lookup.target autofs.service
+
+[Service]
+User={{ photostructure_user }}
+Group={{ photostructure_user }}
+EnvironmentFile=/etc/sysconfig/photostructure
+WorkingDirectory={{ photostructure_install_dir }}
+ExecStart=/usr/bin/node ./photostructure
+Type=simple
+Restart=on-failure
+TimeoutSec=2min
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
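Review bot: `PrivateTmp=true` is the only sandboxing directive in `[Service]`, although the role's package list (nodejs, ffmpeg, libheif) suggests the service decodes user-supplied media. Adding `NoNewPrivileges=true` and `ProtectSystem=full` would limit what a compromised worker process can reach without touching `/opt/photostructure`. Verify the autofs-mounted library still works before tightening further, for example with `ProtectHome=` or `ProtectSystem=strict`.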
diff --git a/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2 b/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2
new file mode 100644
index 0000000..114a145
--- /dev/null
+++ b/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -Eeu -o pipefail
+
+SRCDIR={{ photostructure_install_dir | quote }}
+PHOTOSTRUCTURE_USER={{ photostructure_user | quote }}
+PHOTOSTRUCTURE_INSTALL_DIR={{ photostructure_install_dir | quote }}
+PHOTOSTRUCTURE_HOME={{ photostructure_home | quote }}
+
+as-photostructure() {
+ runuser -u "$PHOTOSTRUCTURE_USER" -- "$@"
+}
+
+if (( $EUID != 0 )); then
+ echo 'must be superuser' 1>&2
+ exit 1
+fi
+
+cd "$SRCDIR"
+
+as-photostructure git fetch
+
+local_rev=$(git rev-parse HEAD)
+upstream_rev=$(git rev-parse '@{u}')
+
+echo "local: $local_rev"
+echo "upstream: $upstream_rev"
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ systemctl stop photostructure
+
+ as-photostructure git pull --ff-only
+
+ echo "building photostructure..."
+ rm -rf "${PHOTOSTRUCTURE_INSTALL_DIR}/node_modules" \
+ "$PHOTOSTRUCTURE_HOME/.electron" \
+ "$PHOTOSTRUCTURE_HOME/.electron-gyp" \
+ "$PHOTOSTRUCTURE_HOME/.npm/_libvips" \
+ "$PHOTOSTRUCTURE_HOME/.node-gyp" \
+ "$PHOTOSTRUCTURE_HOME/.cache/yarn/*/*sharp*"
+
+ cd "$PHOTOSTRUCTURE_INSTALL_DIR"
+ as-photostructure npx yarn install --yes
+
+ systemctl start photostructure
+else
+ echo "photostructure is already up to date"
+fi
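Review bot: Both `git rev-parse` calls and the `rm -rf` run as root inside a tree owned by the service account; only fetch, pull and yarn go through `as-photostructure`. Git versions that enforce the `safe.directory` ownership check will likely refuse the root-run `rev-parse`, and `set -e` then ends the script. Where the check is absent, root's git reads repository config that the service account controls. Use `local_rev=$(as-photostructure git rev-parse HEAD)`, the same wrapper for `'@{u}'`, and `as-photostructure rm -rf ...`. Separately, the quoted `"$PHOTOSTRUCTURE_HOME/.cache/yarn/*/*sharp*"` is never glob-expanded, so that cache entry is not removed; the build task in tasks/main.yml quotes the same pattern.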
diff --git a/roles/photostructure/vars/main.yml b/roles/photostructure/vars/main.yml
new file mode 100644
index 0000000..d05ed42
--- /dev/null
+++ b/roles/photostructure/vars/main.yml
@@ -0,0 +1,46 @@
+photostructure_packages:
+ - nodejs
+ - ffmpeg
+ - libjpeg-turbo-utils
+ - libheif
+ - python3-devel
+ - git
+ - perl
+
+photostructure_repo: https://github.com/photostructure/photostructure-for-servers.git
+photostructure_home: /opt/photostructure
+photostructure_library: '{{ photostructure_home }}/library'
+photostructure_keytab: /var/lib/gssproxy/clients/{{ photostructure_user }}.keytab
+photostructure_install_dir: '{{ photostructure_home }}/photostructure-for-servers'
+
+photostructure_update_script_path: /usr/local/sbin/photostructure-update.sh
+photostructure_update_on_calendar: weekly
+
+photostructure_apache_config: |
+ ProxyPass / http://127.0.0.1:{{ photostructure_port }}/
+ ProxyPassReverse / http://127.0.0.1:{{ photostructure_port }}/
+ ProxyTimeout 3600
+ {{ apache_proxy_config }}
+
+ <Location />
+ AuthName "FreeIPA Single Sign-On"
+ <If "{% for cidr in photostructure_kerberized_cidrs %}-R '{{ cidr }}'{% if not loop.last %} || {% endif %}{% endfor %}">
+ AuthType GSSAPI
+ GssapiLocalName On
+ {{ apache_gssapi_session_config }}
+ </If>
+ <Else>
+ AuthType Basic
+ AuthBasicProvider ldap
+ </Else>
+ {{ apache_ldap_config }}
+ Require ldap-attribute memberof=cn={{ photostructure_access_group }},{{ freeipa_group_basedn }}
+ </Location>
+
+photostructure_archive_shell: >-
+ systemctl stop photostructure;
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar cf "photostructure-${TIMESTAMP}.tar"
+ --transform "s|^\.|photostructure-${TIMESTAMP}|"
+ -C {{ photostructure_library | quote }} . ;
+ systemctl start photostructure
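Review bot: `photostructure_archive_shell` chains its commands with `;`, so its exit status is that of the final `systemctl start photostructure` and a failed `tar` is reported as success. That restarts the service in every case, which is sensible, but a backup job built on this snippet would not notice an incomplete archive. Capture the tar status and return it after the restart, e.g. `...; rc=$?; systemctl start photostructure; exit "$rc"`. How the consuming role runs this string is not visible here, so confirm that `exit` is appropriate in that context.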