Merge branch 'develop' into master_merge_develop_v3

 Major refactoring for robustness and including Let's Encrypt support

  Fixes #62 #63

README.md

@@ -61,8 +61,8 @@ All variables have sane defaults set in [`defaults/main.yml`](defaults/main.yml)
 | `rocket_chat_service_host` | `"{{ ansible_fqdn }}"` | The FQDN of the Rocket.Chat system |
 | `rocket_chat_service_port` | 3000 | The TCP port Rocket.Chat listens on |
 | `rocket_chat_node_version` | `4.5.0` | The version of NodeJS to install that `n` understands |
-| `rocket_chat_node_path` | `/usr/local/n/versions/node/{{ rocket_chat_node_version }}/bin` | The path to the `node` binary directory that n installs |
-| `rocket_chat_node_orig_npm` | `/usr/bin/npm` | The path to the original `npm` binary, before n installs any Node versions |
+| `rocket_chat_node_prefix` | `/usr/local/n/versions/node/{{ rocket_chat_node_version }}` | The path to the `node` binary directory that n installs |
+| `rocket_chat_npm_dist` | `/usr/bin/npm` | The path to the original `npm` binary, before n installs any Node versions |
 | `rocket_chat_include_mongodb` | true | A boolean value that determines whether or not to deploy MongoDB |
 | `rocket_chat_mongodb_keyserver` | keyserver.ubuntu.com | The GPG key server to use when importing the MongoDB repo key |
 | `rocket_chat_mongodb_gpg_key` | `7F0CEB10` | The GPG key fingerprint to import for the MongoDB repo |

defaults/main.yml

@@ -16,8 +16,11 @@ rocket_chat_service_group: rocketchat
 rocket_chat_service_host: "{{ ansible_fqdn }}"
 rocket_chat_service_port: 3000
 rocket_chat_node_version: 8.9.4
-rocket_chat_node_path: /usr/local/n/versions/node/{{ rocket_chat_node_version }}/bin
-rocket_chat_node_orig_npm: /usr/bin/npm
+rocket_chat_node_prefix: /usr/local/n/versions/node/{{ rocket_chat_node_version }}
+rocket_chat_node_path: "{{ rocket_chat_node_prefix }}/bin/node"
+rocket_chat_npm_version: 5.6.0
+rocket_chat_npm_path: "{{ rocket_chat_node_prefix }}/bin/npm"
+rocket_chat_npm_dist: /usr/bin/npm
 
 # MongoDB settings
 rocket_chat_mongodb_packages: mongodb
@@ -41,3 +44,14 @@ rocket_chat_nginx_generate_pfs_key: true
 rocket_chat_nginx_pfs_key_numbits: 2048
 rocket_chat_nginx_pfs_key_path: /etc/nginx/rocket_chat.pem
 rocket_chat_nginx_pfs_file: ~
+
+# letsencrypt settings
+rocket_chat_include_letsencrypt: false
+rocket_chat_letsencrypt_email: ~
+rocket_chat_letsencrypt_account_key: /etc/nginx/acme-tiny_account.key
+rocket_chat_letsencrypt_csr: /etc/nginx/acme-tiny_{{ rocket_chat_service_host }}.csr
+rocket_chat_letsencrypt_domain: "{{ rocket_chat_service_host }}"
+rocket_chat_letsencrypt_acmetiny_path: /opt/acme-tiny
+rocket_chat_letsencrypt_wellknown_path: /var/www/letsencrypt
+rocket_chat_letsencrypt_ca_cert: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
+rocket_chat_letsencrypt_force_renew: false

meta/main.yml

@@ -1,6 +1,8 @@
 ---
 galaxy_info:
- author: Calum MacRae
+ author:
+ - Calum MacRae
+ - Michael Goodwin
  description: Deploy Rocket.Chat
  #company: your company (optional)
  # If the issue tracker for your role is not on github, uncomment the

tasks/letsencrypt.yml

@@ -0,0 +1,62 @@
+---
+
+# possibly just copy the script into files and include it w/ the role?
+- name: Clone acme-tiny to /opt [Let's Encrypt!]
+ git:
+ dest: "{{ rocket_chat_letsencrypt_acmetiny_path }}"
+ repo: https://github.com/diafygi/acme-tiny.git
+ force: yes
+ update: yes
+
+- name: Ensure letsencrypt well-known dir exists [Let's Encrypt!]
+ file:
+ path: "{{ rocket_chat_letsencrypt_wellknown_path }}"
+ state: directory
+ owner: "{{ rocket_chat_nginx_process_user }}"
+ setype: httpd_sys_content_t
+ recurse: yes
+
+- name: Restore SELinux contexts for well-know dir [Let's Encrypt!:SELinux]
+ command: restorecon -R "{{ rocket_chat_letsencrypt_wellknown_path }}"
+ when: ansible_selinux.status | default(None) | lower == "enabled"
+
+- name: Generate acme-tiny Let's Encrypt account key [Let's Encrypt!]
+ shell: >-
+ openssl genrsa -out {{ rocket_chat_letsencrypt_account_key }} 4096
+ args:
+ creates: "{{ rocket_chat_letsencrypt_account_key }}"
+
+- name: Check if acme-tiny Let's Encrypt CSR exists [Let's Encrypt!]
+ stat:
+ path: "{{ rocket_chat_letsencrypt_csr }}"
+ register: csr_path
+
+- name: Generate acme-tiny Let's Encrypt CSR [Let's Encrypt!]
+ shell: >-
+ openssl req -new -sha256 -key {{ rocket_chat_ssl_key_path }}
+ -subj "/CN={{ rocket_chat_letsencrypt_domain | default(rocket_chat_service_host) }}"
+ -out {{ rocket_chat_letsencrypt_csr }}
+ when:
+ - (key_gen_result | changed) or
+ not csr_path.stat.exists
+ register: csr_gen_result
+
+- name: Setup script in cron.daily [Let's Encrypt!]
+ copy:
+ dest: /etc/cron.monthly/acme-tiny_renew.sh
+ mode: 0755
+ content: |
+ #!/bin/bash
+ python {{ rocket_chat_letsencrypt_acmetiny_path }}/acme_tiny.py \
+ --account-key {{ rocket_chat_letsencrypt_account_key }} \
+ --csr {{ rocket_chat_letsencrypt_csr }} \
+ --acme-dir {{ rocket_chat_letsencrypt_wellknown_path }} \
+ > {{ rocket_chat_ssl_cert_path }} || exit
+ curl -s {{ rocket_chat_letsencrypt_ca_cert }} \
+ >> {{ rocket_chat_ssl_cert_path }} &&
+ nginx -t && nginx -s reload
+
+- name: Run acme-tiny_renew.sh (first run cert creation) [Let's Encrypt!]
+ shell: /etc/cron.monthly/acme-tiny_renew.sh
+ notify: Reload the Nginx service
+ when: (csr_gen_result | changed) or rocket_chat_letsencrypt_force_renew

tasks/main.yml

@@ -1,14 +1,53 @@
 ---
 # tasks/main.yml: Main tasks for RocketChat.Ansible
 
+ - name: Ensure the Rocket.Chat service group is present
+ group:
+ name: "{{ rocket_chat_service_group }}"
+ state: present
+ system: true
+
+ - name: Ensure the Rocket.Chat service user is present
+ user:
+ comment: Rocket.Chat Service User
+ name: "{{ rocket_chat_service_user }}"
+ group: "{{ rocket_chat_service_group }}"
+ home: "{{ rocket_chat_application_path }}"
+ createhome: true
+ shell: /bin/false
+ state: present
+ system: true
+
+ - name: Check for adequate privilege escalation rights
+ ping:
+ become: yes
+ become_user: "{{ rocket_chat_service_user }}"
+ register: result
+ ignore_errors: true
+ - assert:
+ that: result|succeeded
+ msg: >
+ Check your sudo configuration to ensure that your connecting user
+ can assume the identities of other users without prompting.
+
  - include_vars: "{{ item }}"
  with_first_found:
  - "{{ ansible_distribution }}.yml"
  - "{{ ansible_os_family }}.yml"
  tags: vars
 
+ - include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+ # Below is for example: Fedora_2x.yml = 20-29
+ - "{{ ansible_distribution }}_{{ ansible_distribution_major_version[:1] ~ 'x' }}.yml"
+ - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+ tags: vars
+
  - include: repo_RedHat.yml
- when: ansible_os_family == "RedHat"
+ when:
+ - ansible_os_family|lower == "redhat"
+ - not ansible_distribution|lower == "fedora"
  tags: repo
 
  - name: Ensure APT cache has been updated recently
@@ -21,26 +60,16 @@
  when: rocket_chat_include_mongodb|bool
  tags: mongodb
 
- - name: Ensure the Rocket.Chat service group is present
- group:
- name: "{{ rocket_chat_service_group }}"
- state: present
- system: true
-
- - name: Ensure the Rocket.Chat service user is present
- user:
- comment: Rocket.Chat Service User
- name: "{{ rocket_chat_service_user }}"
- group: "{{ rocket_chat_service_group }}"
- home: "{{ rocket_chat_application_path }}"
- createhome: true
- shell: /bin/false
- state: present
- system: true
-
  - name: Ensure Rocket.Chat dependencies are installed
  package:
- name: "{{ rocket_chat_dep_packages }}"
+ name:
+ "{{
+ (ansible_virtualization_type != 'docker') |
+ ternary(
+ rocket_chat_dep_packages,
+ rocket_chat_dep_packages | difference('[\"cron\"]')
+ )
+ }}"
  state: present
  register: result
  until: result | succeeded
@@ -53,21 +82,36 @@
  state: link
  when: ansible_os_family == "RedHat"
 
- - name: Ensure n (NodeJS) is installed
+ - name: Ensure n (NodeJS) is installed (bootstrap correct version of NodeJS)
  npm:
  name: n
  global: true
- executable: "{{ rocket_chat_node_orig_npm }}"
+ executable: "{{ rocket_chat_npm_dist }}"
 
- - name: Check to see if n has installed the required 'node' binary
+ - name: Check to see if n has installed the required binaries in {{ rocket_chat_node_prefix }}
  stat:
- path: "{{ rocket_chat_node_path }}/node"
+ path: "{{ rocket_chat_node_path }}"
  register: n_node_bin
 
- - name: Install the supported NodeJS environment via n
+ - name: "Install the supported NodeJS environment via n [Version: {{ rocket_chat_node_version }}]"
  shell: n {{ rocket_chat_node_version }}
  when: not n_node_bin.stat.exists|bool
 
+ - name: Check to see if the proper npm version has already been installed
+ command: "{{ rocket_chat_npm_path }} --version"
+ changed_when: false
+ register: current_npm_version
+
+ - name: "Install the supported NPM version via npm [Version: {{ rocket_chat_npm_version }}]"
+ npm:
+ name: npm
+ version: "{{ rocket_chat_npm_version }}"
+ path: "{{ rocket_chat_node_prefix }}/lib"
+ executable: "{{ rocket_chat_npm_path }}"
+ environment:
+ PATH: "{{ rocket_chat_node_prefix }}/bin:{{ ansible_env.PATH }}"
+ when: current_npm_version != rocket_chat_npm_version
+
  - name: "Configure /etc/hosts"
  lineinfile:
  dest: /etc/hosts
@@ -101,11 +145,11 @@
  dest: "{{ rocket_chat_application_path }}/rocket.chat-{{ rocket_chat_version }}.tgz"
  timeout: "{{ rocket_chat_tarball_fetch_timeout }}"
  validate_certs: "{{ rocket_chat_tarball_validate_remote_cert }}"
+ owner: "{{ rocket_chat_service_user }}"
+ group: "{{ rocket_chat_service_group }}"
  # Temp fix for ansible/ansible#15915 ( Broken include in handlers )
  # https://github.com/ansible/ansible/issues/15915
  #notify: Upgrade Rocket.Chat
- become: true
- become_user: "{{ rocket_chat_service_user }}"
  register: result
  retries: 2
  until: result | succeeded
@@ -128,17 +172,20 @@
  src: "{{ rocket_chat_application_path }}/rocket.chat-{{ rocket_chat_version }}.tgz"
  dest: "{{ rocket_chat_application_path }}"
  creates: "{{ rocket_chat_application_path }}/bundle"
- become: true
- become_user: "{{ rocket_chat_service_user }}"
+  owner: "{{ rocket_chat_service_user }}"
+  group: "{{ rocket_chat_service_group }}"
  tags: build
 
  - name: Install Rocket.Chat via NPM
  npm:
  state: present
  path: "{{ rocket_chat_application_path }}/bundle/programs/server"
- executable: "{{ rocket_chat_node_orig_npm }}"
+ executable: "{{ rocket_chat_npm_path }}"
+ production: true
  become: true
  become_user: "{{ rocket_chat_service_user }}"
+ environment:
+ PATH: "{{ rocket_chat_node_prefix }}/bin:{{ ansible_env.PATH }}"
  tags: build
 
  - name: Ensure the Rocket.Chat log file symlink is present [Ubuntu 14]
@@ -153,12 +200,11 @@
  - ansible_distribution_major_version == "14"
 
  - name: Ensure the Rocket.Chat application data permissions are correct
- file:
- path: "{{ rocket_chat_application_path }}"
- state: directory
- owner: "{{ rocket_chat_service_user }}"
- group: "{{ rocket_chat_service_user }}"
- recurse: true
+ command: >-
+ chown {{ rocket_chat_service_user }}.{{ rocket_chat_service_group }}
+ -R {{ rocket_chat_application_path | quote }}
+ args:
+ warn: no
  tags: build
 
  - include_vars: "{{ item }}"
@@ -208,3 +254,7 @@
  - include: nginx.yml
  when: rocket_chat_include_nginx|bool
  tags: nginx
+
+ - include: letsencrypt.yml
+ when: rocket_chat_include_letsencrypt|bool
+ tags: letsencrypt

tasks/mongodb.yml

@@ -1,11 +1,5 @@
 ---
 # tasks/mongodb.yml: MongoDB configuration for RocketChat.Ansible
- - include_vars: "{{ item }}"
- with_first_found:
- - "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
- - "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
 
  - name: Ensure the MongoDB repository key has been imported
  apt_key:

tasks/nginx.yml

@@ -11,13 +11,29 @@
  name: nginx
  state: present
 
+ - name: Check if Nginx was compiled with the HTTP/2 module
+ shell: nginx -V 2>&1 | grep -q 'with-http_v2_module'
+ register: nginx_http2_module
+ changed_when: false
+ failed_when: false
+
+ - name: Gather the current Nginx version string
+ shell: nginx -v 2>&1 | awk 'BEGIN{ FS="/" } { print $2 }'
+ register: nginx_version_string
+ changed_when: false
+ failed_when: false
+
  - name: Deploy Nginx configuration
  template:
  src: "{{ item.src }}"
  dest: "{{ item.dest }}"
  with_items:
- - { src: nginx.conf.j2, dest: /etc/nginx/nginx.conf }
- - { src: rocket_chat.conf.j2, dest: /etc/nginx/conf.d/rocket_chat.conf }
+ - src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ - src: ssl.inc.j2
+ dest: /etc/nginx/conf.d/ssl.inc
+ - src: rocket_chat.conf.j2
+ dest: /etc/nginx/conf.d/rocket_chat.conf
  notify: Reload the Nginx service
 
  - name: Ensure provided SSL certs have been deployed
@@ -36,16 +52,19 @@
 
  - name: Ensure SSL certs have been generated
  shell: >-
- openssl req -x509 -newkey rsa:2048 -nodes
+ openssl req -x509 -newkey rsa:4096 -nodes
  -subj "/CN={{ rocket_chat_service_host }}/
  /C=NA/ST=NA/L=NA/O=NA/OU=NA"
  -keyout {{ rocket_chat_ssl_key_path }}
  -out {{ rocket_chat_ssl_cert_path }}
  -days 3650
- when: rocket_chat_ssl_generate_certs|bool
+ when:
+ - rocket_chat_include_letsencrypt|bool
+ or rocket_chat_ssl_generate_certs|bool
  args:
  creates: "{{ rocket_chat_ssl_key_path }}"
  notify: Reload the Nginx service
+ register: key_gen_result
 
  - name: Ensure provided PFS key has been deployed
  copy:

tasks/upgrade.yml

@@ -18,7 +18,7 @@
  - name: Back up the current Rocket.Chat instance [UPGRADE]
  shell: >-
  mv {{ rocket_chat_application_path }}/bundle
- {{ rocket_chat_upgrade_backup_path }}/backup_{{ ansible_date_time.date }}
+ {{ rocket_chat_upgrade_backup_path }}/backup_{{ ansible_date_time.date }}_{{ (1000|random|string|hash)[:8] }}
  when: rocket_chat_upgrade_backup|bool
 
  - name: Delete the current Rocket.Chat instance [UPGRADE]