From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/photostructure/defaults/main.yml | 11 +++
roles/photostructure/handlers/main.yml | 4 ++
roles/photostructure/meta/main.yml | 7 ++
roles/photostructure/tasks/freeipa.yml | 47 +++++++++++++
roles/photostructure/tasks/main.yml | 78 ++++++++++++++++++++++
.../templates/etc/sysconfig/photostructure | 18 +++++
.../etc/systemd/system/photostructure.service.j2 | 19 ++++++
.../opt/photostructure/photostructure-update.sh.j2 | 48 +++++++++++++
roles/photostructure/vars/main.yml | 46 +++++++++++++
9 files changed, 278 insertions(+)
create mode 100644 roles/photostructure/defaults/main.yml
create mode 100644 roles/photostructure/handlers/main.yml
create mode 100644 roles/photostructure/meta/main.yml
create mode 100644 roles/photostructure/tasks/freeipa.yml
create mode 100644 roles/photostructure/tasks/main.yml
create mode 100644 roles/photostructure/templates/etc/sysconfig/photostructure
create mode 100644 roles/photostructure/templates/etc/systemd/system/photostructure.service.j2
create mode 100644 roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2
create mode 100644 roles/photostructure/vars/main.yml
(limited to 'roles/photostructure')
diff --git a/roles/photostructure/defaults/main.yml b/roles/photostructure/defaults/main.yml
new file mode 100644
index 0000000..9813abc
--- /dev/null
+++ b/roles/photostructure/defaults/main.yml
@@ -0,0 +1,11 @@
+photostructure_port: 8080
+photostructure_scan_interval_hours: 24
+photostructure_max_cpu_percent: 95
+photostructure_log_level: warn
+photostructure_backup_interval_minutes: 30
+photostructure_version: alpha
+
+photostructure_user: s-photostructure
+photostructure_file_access_group: role-photo-admin
+
+photostructure_kerberized_cidrs: '{{ kerberized_cidrs }}'
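Review bot: `photostructure_version: alpha` pins the checkout to a moving branch rather than a release, and because the update script in this same commit fast-forwards to that branch and then runs `yarn install`, whatever lands upstream is built and executed as the service account with no review step in between. A tag or commit id is the safer default, e.g. `photostructure_version: '<release-tag-placeholder>'`, with a comment on the line if tracking a branch is deliberate: `# tracks a branch on purpose; the weekly timer rebuilds whatever it points to`. `photostructure_kerberized_cidrs` is defined here but not referenced by any file in this commit, so as far as this diff shows it is dead configuration or belongs to another role.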
diff --git a/roles/photostructure/handlers/main.yml b/roles/photostructure/handlers/main.yml
new file mode 100644
index 0000000..5148595
--- /dev/null
+++ b/roles/photostructure/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart photostructure
+ systemd:
+ name: photostructure
+ state: restarted
diff --git a/roles/photostructure/meta/main.yml b/roles/photostructure/meta/main.yml
new file mode 100644
index 0000000..e167af1
--- /dev/null
+++ b/roles/photostructure/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+ - role: yum
+ yum_repositories:
+ - epel
+ - rpmfusion-free
+ - rpmfusion-nonfree
+ tags: yum
diff --git a/roles/photostructure/tasks/freeipa.yml b/roles/photostructure/tasks/freeipa.yml
new file mode 100644
index 0000000..66d99e7
--- /dev/null
+++ b/roles/photostructure/tasks/freeipa.yml
@@ -0,0 +1,47 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ photostructure_home }}'
+ givenname: Photostructure
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ photostructure_user }}'
+ keytab_path: '{{ photostructure_keytab }}'
+
+- name: configure gssproxy for kerberized NFS
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: photostructure
+ gssproxy_section: service/photostructure
+ gssproxy_keytab: /etc/krb5.keytab
+ gssproxy_client_keytab: '{{ photostructure_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: '{{ photostructure_user }}'
+
+- name: add user to file access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_file_access_group }}'
+ user: '{{ photostructure_user }}'
+ action: member
+ state: present
+ run_once: yes
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ photostructure_access_group }}'
+ state: present
+ run_once: yes
diff --git a/roles/photostructure/tasks/main.yml b/roles/photostructure/tasks/main.yml
new file mode 100644
index 0000000..2b37aed
--- /dev/null
+++ b/roles/photostructure/tasks/main.yml
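Review bot: The `add user to file access group` task puts the service account into `role-photo-admin`, a group whose name suggests write or administrative rights on the photo shares, while the environment file in this commit sets `PS_COPY_ASSETS_TO_LIBRARY="false"` and keeps the library under the account's own home, so the daemon appears to need only read access to the scan paths. I cannot see the group's ACLs from here, so treat this as a question: if a read-only group exists, a narrower default for `photostructure_file_access_group` limits what a compromised daemon can alter, and a comment on the task should state the trade-off, `# membership grants the daemon every path this group can reach; keep it as narrow as the scan paths allow`. Separately, `photostructure_access_group` used by the `create access group` task has no default in defaults/main.yml or vars/main.yml in this commit, so the role fails unless inventory supplies it; either add a default or document the required variable in the role's README.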
@@ -0,0 +1,78 @@
+- name: install packages
+ dnf:
+ name: '{{ photostructure_packages }}'
+ state: present
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: create home directory
+ file:
+ path: '{{ photostructure_home }}'
+ owner: '{{ photostructure_user }}'
+ group: '{{ photostructure_user }}'
+ mode: 0700
+ state: directory
+
+- name: clone git repository
+ git:
+ repo: '{{ photostructure_repo }}'
+ dest: '{{ photostructure_install_dir }}'
+ update: no
+ version: '{{ photostructure_version }}'
+ become: yes
+ become_user: '{{ photostructure_user }}'
+ register: photostructure_git
+
+- name: build photostructure
+ shell:
+ cmd: >-
+ mkdir -p "$HOME/.config/PhotoStructure" &&
+ rm -rf node_modules "$HOME/.electron" "$HOME/.electron-gyp" "$HOME/.npm/_libvips" "$HOME/.node-gyp" "$HOME/.cache/yarn/*/*sharp*" &&
+ npx --yes yarn install --silent
+ chdir: '{{ photostructure_install_dir }}'
+ become: true
+ become_user: '{{ photostructure_user }}'
+ when: photostructure_git.changed
+
+- name: create systemd unit file
+ template:
+ src: etc/systemd/system/photostructure.service.j2
+ dest: /etc/systemd/system/photostructure.service
+ register: photostructure_unit
+ notify: restart photostructure
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: photostructure_unit.changed
+
+- name: generate environment file
+ template:
+ src: etc/sysconfig/photostructure
+ dest: /etc/sysconfig/photostructure
+ owner: root
+ group: '{{ photostructure_user }}'
+ notify: restart photostructure
+
+- name: start photostructure
+ systemd:
+ name: photostructure
+ state: started
+ enabled: yes
+
+- name: generate update script
+ template:
+ src: '{{ photostructure_home[1:] }}/photostructure-update.sh.j2'
+ dest: '{{ photostructure_home }}/photostructure-update.sh'
+ mode: 0555
+
+- name: set up photostructure-update timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: photostructure-update
+ timer_description: Update photostructure
+ timer_after: network.target nss-user-lookup.target
+ timer_on_calendar: '{{ photostructure_update_on_calendar }}'
+ timer_exec: '{{ photostructure_home }}/photostructure-update.sh'
diff --git a/roles/photostructure/templates/etc/sysconfig/photostructure b/roles/photostructure/templates/etc/sysconfig/photostructure
new file mode 100644
index 0000000..b1143d2
--- /dev/null
+++ b/roles/photostructure/templates/etc/sysconfig/photostructure
@@ -0,0 +1,18 @@
+PS_COPY_ASSETS_TO_LIBRARY="false"
+PS_SCAN_ALL_DRIVES="false"
+PS_LIBRARY_DIR="{{ photostructure_library }}"
+PS_LOG_DIR="{{ photostructure_home }}/logs"
+PS_LOG_COLOR="false"
+PS_LOG_LEVEL="{{ photostructure_log_level }}"
+PS_SCAN_PATHS='{{ ([photostructure_scan_paths] if photostructure_scan_paths is string else photostructure_scan_paths) | to_json }}'
+PS_EXPOSE_NETWORK_WITHOUT_AUTH="false"
+PS_UPGRADE_INSECURE_REQUESTS="true"
+PS_HTTP_PORT="{{ photostructure_port }}"
+PS_TRUST_PROXY="loopback"
+PS_CPU_LOAD_PERCENT="{{ photostructure_max_cpu_percent }}"
+PS_ENABLE_VIPS_CACHE="true"
+PS_SYNC_INTERVAL_HOURS="{{ photostructure_scan_interval_hours }}"
+PS_REPORT_ERRORS="false"
+PS_DB_BACKUP_INTERVAL_MINUTES="{{ photostructure_backup_interval_minutes }}"
+PS_TAG_LENS="false"
+PS_TAG_DATE_FROM_STAT="false"
diff --git a/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2 b/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2
new file mode 100644
index 0000000..67700c3
--- /dev/null
+++ b/roles/photostructure/templates/etc/systemd/system/photostructure.service.j2
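Review bot: The `generate update script` task writes the root-run updater into `{{ photostructure_home }}`, the directory that the earlier `create home directory` task hands to the unprivileged service account as owner with mode 0700; a directory owner can unlink and replace any file in it regardless of the file's own mode, so the network-facing daemon (which also runs code pulled from a git branch) could substitute its own script and have the timer execute it as root. Install it into a root-owned location instead — vars/main.yml in this same commit already defines `photostructure_update_script_path: /usr/local/sbin/photostructure-update.sh` but nothing uses it — with explicit `owner: root`, `group: root` and `mode: '0755'`, and point `timer_exec` at the same variable. Two smaller points in the `build photostructure` step: `"$HOME/.cache/yarn/*/*sharp*"` is quoted, so the glob never expands and that cache is not removed (the same quoted pattern appears in photostructure-update.sh.j2), and `npx --yes yarn install` performs no lockfile check — if the repository ships a yarn.lock, `--frozen-lockfile` (yarn 1) makes the build fail rather than silently install a different dependency set. The unquoted octal modes `0700` and `0555` work under PyYAML's 1.1 rules but ansible-lint prefers them quoted (`mode: '0700'`).
```yaml
- name: generate update script
  template:
    src: '{{ photostructure_home[1:] }}/photostructure-update.sh.j2'
    dest: '{{ photostructure_update_script_path }}'
    owner: root
    group: root
    mode: '0755'

- name: set up photostructure-update timer
  include_role:
    name: systemd_timer
  vars:
    # … unchanged: timer_name, timer_description, timer_after, timer_on_calendar …
    timer_exec: '{{ photostructure_update_script_path }}'
```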
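Review bot: Nothing in this environment file restricts where PhotoStructure listens, while `PS_TRUST_PROXY="loopback"` here and the `photostructure_apache_config` snippet in vars/main.yml show that access is meant to go through the authenticating Apache proxy on 127.0.0.1; a direct connection to `PS_HTTP_PORT` from the network would bypass the GSSAPI/LDAP checks Apache enforces. If PhotoStructure offers a bind-address setting, add it next to `PS_HTTP_PORT`; if not, a host firewall rule limiting the port to loopback is the fallback, and either way a comment such as `# reachable only through the Apache proxy; see photostructure_apache_config` records the intent. `PS_EXPOSE_NETWORK_WITHOUT_AUTH="false"` may already force PhotoStructure's own login for non-loopback clients, but that cannot be confirmed from this file, so it should not be the only control.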
@@ -0,0 +1,19 @@
+[Unit]
+Description=PhotoStructure for Servers
+Documentation=https://photostructure.com/servers/
+Requires=network.target nss-user-lookup.target autofs.service
+After=network.target nss-user-lookup.target autofs.service
+
+[Service]
+User={{ photostructure_user }}
+Group={{ photostructure_user }}
+EnvironmentFile=/etc/sysconfig/photostructure
+WorkingDirectory={{ photostructure_install_dir }}
+ExecStart=/usr/bin/node ./photostructure
+Type=simple
+Restart=on-failure
+TimeoutSec=2min
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2 b/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2
new file mode 100644
index 0000000..114a145
--- /dev/null
+++ b/roles/photostructure/templates/opt/photostructure/photostructure-update.sh.j2
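Review bot: The `[Service]` section enables `PrivateTmp=true` and nothing else for a network-facing node process that runs code fetched from a git branch; `NoNewPrivileges=true` costs nothing here (the unit does not exec setuid helpers as far as this commit shows), and `ProtectSystem=full` keeps /usr, /boot and /etc read-only for the daemon while leaving /opt and the NFS mounts untouched. `ProtectSystem=strict` would be stronger but needs `ReadWritePaths={{ photostructure_home }}` and a check that the gssproxy socket is still reachable, so add the two lines above first and tighten later. Also, `Requires=autofs.service` stops the daemon whenever autofs is stopped or restarted; `Wants=autofs.service` with the existing `After=` is the usual choice if that propagation is not intended.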
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -Eeu -o pipefail
+
+SRCDIR={{ photostructure_install_dir | quote }}
+PHOTOSTRUCTURE_USER={{ photostructure_user | quote }}
+PHOTOSTRUCTURE_INSTALL_DIR={{ photostructure_install_dir | quote }}
+PHOTOSTRUCTURE_HOME={{ photostructure_home | quote }}
+
+as-photostructure() {
+ runuser -u "$PHOTOSTRUCTURE_USER" -- "$@"
+}
+
+if (( $EUID != 0 )); then
+ echo 'must be superuser' 1>&2
+ exit 1
+fi
+
+cd "$SRCDIR"
+
+as-photostructure git fetch
+
+local_rev=$(git rev-parse HEAD)
+upstream_rev=$(git rev-parse '@{u}')
+
+echo "local: $local_rev"
+echo "upstream: $upstream_rev"
+
+if [ "$local_rev" != "$upstream_rev" ]; then
+ systemctl stop photostructure
+
+ as-photostructure git pull --ff-only
+
+ echo "building photostructure..."
+ rm -rf "${PHOTOSTRUCTURE_INSTALL_DIR}/node_modules" \
+ "$PHOTOSTRUCTURE_HOME/.electron" \
+ "$PHOTOSTRUCTURE_HOME/.electron-gyp" \
+ "$PHOTOSTRUCTURE_HOME/.npm/_libvips" \
+ "$PHOTOSTRUCTURE_HOME/.node-gyp" \
+ "$PHOTOSTRUCTURE_HOME/.cache/yarn/*/*sharp*"
+
+ cd "$PHOTOSTRUCTURE_INSTALL_DIR"
+ as-photostructure npx yarn install --yes
+
+ systemctl start photostructure
+else
+ echo "photostructure is already up to date"
+fi
diff --git a/roles/photostructure/vars/main.yml b/roles/photostructure/vars/main.yml
new file mode 100644
index 0000000..d05ed42
--- /dev/null
+++ b/roles/photostructure/vars/main.yml
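Review bot: After `as-photostructure git fetch`, the two `git rev-parse` calls and the `rm -rf` block run as root inside a checkout and home directory owned by the service account, which is both unnecessary (every file involved belongs to that account) and fragile: recent git versions refuse to read a repository owned by a different user unless `safe.directory` is configured, so `git rev-parse HEAD` is likely to fail when the timer fires. Running every git, rm and yarn step through `as-photostructure` confines root to the two `systemctl` calls. The final install line also places `--yes` after `yarn install` rather than on `npx`, unlike the build task in tasks/main.yml; with `npx --yes yarn install --frozen-lockfile` the npx prompt is answered and, if a yarn.lock is committed upstream, a changed dependency set fails the build instead of being installed silently. The last `rm -rf` argument is a quoted glob, which never expands; it is unquoted in the rewrite below.
```bash
# … unchanged: shebang, set -Eeu, variables, as-photostructure(), root check …
cd "$SRCDIR"

as-photostructure git fetch

# Everything that touches the checkout or the account's caches runs as the
# service account; root only stops and starts the unit.
local_rev=$(as-photostructure git rev-parse HEAD)
upstream_rev=$(as-photostructure git rev-parse '@{u}')

# … unchanged: echo of both revisions …

if [ "$local_rev" != "$upstream_rev" ]; then
    systemctl stop photostructure

    as-photostructure git pull --ff-only

    echo "building photostructure..."
    as-photostructure rm -rf "${PHOTOSTRUCTURE_INSTALL_DIR}/node_modules" \
        "$PHOTOSTRUCTURE_HOME/.electron" \
        "$PHOTOSTRUCTURE_HOME/.electron-gyp" \
        "$PHOTOSTRUCTURE_HOME/.npm/_libvips" \
        "$PHOTOSTRUCTURE_HOME/.node-gyp" \
        "$PHOTOSTRUCTURE_HOME"/.cache/yarn/*/*sharp*   # unquoted so the pattern expands

    cd "$PHOTOSTRUCTURE_INSTALL_DIR"
    as-photostructure npx --yes yarn install --frozen-lockfile

    systemctl start photostructure
# … unchanged: else branch and fi …
```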
@@ -0,0 +1,46 @@
+photostructure_packages:
+ - nodejs
+ - ffmpeg
+ - libjpeg-turbo-utils
+ - libheif
+ - python3-devel
+ - git
+ - perl
+
+photostructure_repo: https://github.com/photostructure/photostructure-for-servers.git
+photostructure_home: /opt/photostructure
+photostructure_library: '{{ photostructure_home }}/library'
+photostructure_keytab: /var/lib/gssproxy/clients/{{ photostructure_user }}.keytab
+photostructure_install_dir: '{{ photostructure_home }}/photostructure-for-servers'
+
+photostructure_update_script_path: /usr/local/sbin/photostructure-update.sh
+photostructure_update_on_calendar: weekly
+
+photostructure_apache_config: |
+ ProxyPass / http://127.0.0.1:{{ photostructure_port }}/
+ ProxyPassReverse / http://127.0.0.1:{{ photostructure_port }}/
+ ProxyTimeout 3600
+ {{ apache_proxy_config }}
+
+
+ AuthName "FreeIPA Single Sign-On"
+
+ AuthType GSSAPI
+ GssapiLocalName On
+ {{ apache_gssapi_session_config }}
+
+
+ AuthType Basic
+ AuthBasicProvider ldap
+
+ {{ apache_ldap_config }}
+ Require ldap-attribute memberof=cn={{ photostructure_access_group }},{{ freeipa_group_basedn }}
+
+
+photostructure_archive_shell: >-
+ systemctl stop photostructure;
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar cf "photostructure-${TIMESTAMP}.tar"
+ --transform "s|^\.|photostructure-${TIMESTAMP}|"
+ -C {{ photostructure_library | quote }} . ;
+ systemctl start photostructure
-- cgit
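Review bot: `photostructure_update_script_path: /usr/local/sbin/photostructure-update.sh` is defined but never referenced in this commit — tasks/main.yml installs the updater under `photostructure_home` instead — so either the tasks should use it or it should be removed, and using it is the better outcome because /usr/local/sbin is root-owned while the home directory belongs to the service account. In `photostructure_apache_config`, the `AuthType Basic` / `AuthBasicProvider ldap` branch means clients send their directory password to Apache on every request, so the vhost that includes this snippet must be TLS-only; `apache_proxy_config` is opaque here, so please confirm rather than assume, and a one-line comment above the block, `# Basic fallback: only acceptable behind a TLS-only vhost`, records the requirement. The lines between the proxy directives and the two auth branches appear empty in this rendering; if they carry `<If>` or `<Location>` containers that select between GSSAPI and Basic, those conditions could not be reviewed from this view.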