diff --git a/defaults/main.yml b/defaults/main.yml
index 89e0a63..6aa5e86 100755
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,18 @@
 ---
 # harden by default
 harden_os: true
+
+# latest as of 7/7/2022
+rc_version: 4.8.1
+
+# WIP to get to 5.0
+mongo_version: 4.2
+
+# WIP to get to 5.0
+prev_mongo_version: 4.2
+
+# if true set feature compability version to prev_mongo_version
+set_feature_compat_version: true
+
+# backup by default - saves to /home/{{ main_user }}/rocketchat/data/dump/2015-07-09T16:59:26Z" (iso8601 of current date)
+backup_db: true
\ No newline at end of file
diff --git a/files/docker-compose.yml b/files/docker-compose.yml
deleted file mode 100755
index 71ec563..0000000
--- a/files/docker-compose.yml
+++ /dev/null
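Review bot: `mongo_version: 4.2` and `prev_mongo_version: 4.2` are plain scalars that YAML loads as floats, so a value such as `4.10` would reach `image: mongo:{{ mongo_version }}` and the `setFeatureCompatibilityVersion` string as `4.1`; quote them as `mongo_version: "4.2"` and `prev_mongo_version: "4.2"` (`rc_version: 4.8.1` already parses as a string because of its second dot). The `backup_db` comment carries a stray closing quote after the example path and "compability" is misspelled in the `set_feature_compat_version` comment. The file also ends without a trailing newline.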
@@ -1,93 +0,0 @@ -version: '2' - -services: - rocketchat: - image: registry.rocket.chat/rocketchat/rocket.chat:latest - command: > - bash -c - "for i in `seq 1 30`; do - node main.js && - s=$$? && break || s=$$?; - echo \"Tried $$i times. Waiting 5 secs...\"; - sleep 5; - done; (exit $$s)" - restart: unless-stopped - volumes: - - ./uploads:/app/uploads - environment: - - PORT=3000 - - ROOT_URL=http://localhost:3000 - - MONGO_URL=mongodb://mongo:27017/rocketchat - - MONGO_OPLOG_URL=mongodb://mongo:27017/local - - REG_TOKEN=${REG_TOKEN} -# - MAIL_URL=smtp://smtp.email -# - HTTP_PROXY=http://proxy.domain.com -# - HTTPS_PROXY=http://proxy.domain.com - depends_on: - - mongo - ports: - - 3000:3000 - labels: - - "traefik.backend=rocketchat" - - "traefik.frontend.rule=Host: your.domain.tld" - - mongo: - image: mongo:4.0 - restart: unless-stopped - volumes: - - ./data/db:/data/db - - ./data/dump:/dump - command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1 - labels: - - "traefik.enable=false" - - # this container's job is just run the command to initialize the replica set. - # it will run the command and remove himself (it will not stay running) - mongo-init-replica: - image: mongo:4.0 - command: > - bash -c - "for i in `seq 1 30`; do - mongo mongo/rocketchat --eval \" - rs.initiate({ - _id: 'rs0', - members: [ { _id: 0, host: 'localhost:27017' } ]})\" && - s=$$? && break || s=$$?; - echo \"Tried $$i times. 
Waiting 5 secs...\"; - sleep 5; - done; (exit $$s)" - depends_on: - - mongo - - nginx - - nginx: - image: nginx:latest - container_name: webserver - restart: unless-stopped - ports: - - 80:80 - - 443:443 - volumes: - - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf - - ./nginx/ssl/:/ssl/ - - ./nginx/ssl/:/etc/nginx/ - #traefik: - # image: traefik:latest - # restart: unless-stopped - # command: > - # traefik - # --docker - # --acme=true - # --acme.domains='your.domain.tld' - # --acme.email='your@email.tld' - # --acme.entrypoint=https - # --acme.storagefile=acme.json - # --defaultentrypoints=http - # --defaultentrypoints=https - # --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' - # --entryPoints='Name:https Address::443 TLS.Certificates:' - # ports: - # - 80:80 - # - 443:443 - # volumes: - # - /var/run/docker.sock:/var/run/docker.sock diff --git a/tasks/docker.yml b/tasks/docker.yml index b6af838..4d57b6c 100644 --- a/tasks/docker.yml +++ b/tasks/docker.yml @@ -1,10 +1,8 @@ --- - -# install docker using geerlingguy docker role +# install docker using geerlingguy docker role - this whole task file is under tag install-docker - name: 'Use geerlingguy.docker role' include_role: name: ansible-role-docker - tags: docker - name: 'Use geerlingguy.pip role to install docker via pip' vars: @@ -14,7 +12,6 @@ include_role: name: ansible-role-pip - tags: docker - name: Add adminstrator to docker group user: diff --git a/tasks/main.yml b/tasks/main.yml index 8172679..c78bb86 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
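Review bot: The comment added at the top of tasks/docker.yml states that the whole file is under tag `install-docker`, but that tag is only set on the `- include: docker.yml` line in tasks/main.yml (the next hunk on this page), while the `tags: docker` entries that sat on the two `include_role` tasks are removed here. Whether a legacy `include:` propagates its tags to the tasks inside depends on whether it resolves statically or dynamically, so `ansible-playbook --tags install-docker` may execute only the include statement and skip both role calls. Safer forms are `import_tasks: docker.yml` with `tags: install-docker`, or `include_tasks: docker.yml` with `apply: { tags: install-docker }` in addition to `tags: install-docker`; the comment should then describe that mechanism rather than assert the outcome.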
@@ -1,19 +1,13 @@ --- -# tasks file for setting up an assetto server on ubuntu20.04 +# tasks file for setting up a rocketchat server on ubuntu20.04 - include: ssh_port_fallback.yml + - include: harden.yml # become: true when: harden_os tags: harden - include: docker.yml -# become: true -# apply tags,become -# when: harden_os -# tags: harden + tags: install-docker - include: rocketchat.yml -# become: true -# apply tags,become -# when: harden_os -# tags: harden diff --git a/tasks/rocketchat.yml b/tasks/rocketchat.yml index 9aff2bc..060c91e 100644 --- a/tasks/rocketchat.yml +++ b/tasks/rocketchat.yml @@ -1,9 +1,5 @@ --- -- name: Install unzip using apt - become: true - apt: name=unzip state=latest update_cache=yes force_apt_get=yes - -- name: "NOTSCORED | 3.5.1.6 | PATCH | Ensure firewall rules exist for all open ports" +- name: "Open ports for RocketChat" become: true ufw: rule: allow 
@@ -31,17 +27,46 @@ group: "{{ main_user }}" mode: 0775 -- name: copy docker compose to server - become_user: "{{ main_user }}" - copy: - src: files/docker-compose.yml - dest: /home/{{ main_user }}/rocketchat/ +- name: Creates directory structure for upload data + become: true + file: + path: /home/{{ main_user }}/rocketchat/uploads + state: directory + owner: "{{ main_user }}" + group: "{{ main_user }}" + mode: 0775 + +- name: Creates backup directory outside of docker volumes to move dumps more easily off of server + file: + path: /home/{{ main_user }}/backups + state: directory + owner: "{{ main_user }}" + group: "{{ main_user }}" + mode: 0775 + +- name: Ensure mmap to wiredTiger mongoDB repo checkout exists + ansible.builtin.git: + repo: 'https://github.com/RocketChat/docker-mmap-to-wiredtiger-migration.git' + dest: /home/{{ main_user }}/rocketchat/rocketchat-migration + update: no + +- name: Copy docker folder from mmap to wiredTiger mongoDB migration repo + ansible.builtin.copy: + src: /home/{{ main_user }}/rocketchat/rocketchat-migration/docker + dest: /home/{{ main_user }}/rocketchat/docker + remote_src: yes + +- name: copy docker compose to server (from template) + template: + src: templates/docker-compose.yml.j2 + dest: /home/{{ main_user }}/rocketchat/docker-compose.yml - name: bring down rocketchat docker-compose become_user: "{{ main_user }}" docker_compose: project_src: /home/{{ main_user }}/rocketchat/ state: absent + remove_orphans: true register: __remove_rocketchat tags: - bring-down 
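Review bot: The `ansible.builtin.git` task clones `https://github.com/RocketChat/docker-mmap-to-wiredtiger-migration.git` without a `version:`, and the `docker` directory copied out of that checkout is what the new compose template builds into the `migrator` container that mounts `./data/db`, so whatever the repository's default branch holds at clone time runs against the database. Pin it with `version: "<pinned-tag-or-commit>"` (placeholder) next to `update: no`, so the migration code is reproducible and reviewable. The three `mode: 0775` values are unquoted octal literals, which Ansible documents as unreliable; write them as `mode: "0775"`. The new backups-directory task also lacks the `become: true` its sibling uploads-directory task has, which looks unintentional if `/home/{{ main_user }}` is not writable by the connecting user.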
@@ -68,10 +93,65 @@ state: present register: __rocketchat +- name: Get the current datetime + debug: + var: ansible_date_time + +- name: Backup existing RocketChat mongo database + when: backup_db + community.docker.docker_container_exec: + container: rocketchat_mongo_1 + command: mongodump --archive=/dump/{{ ansible_date_time.iso8601 }} --gzip + # chdir: /home/{{ main_user }}/rocketchat + # chdir: / + register: __backup_result + tags: mongodump + +- name: Copy backup we just took to home/{{ main_user }}/backups + when: backup_db and not __backup_result.failed + ansible.builtin.copy: + src: /home/{{ main_user }}/rocketchat/data/dump/{{ ansible_date_time.iso8601 }} + dest: /home/{{ main_user }}/backups/{{ ansible_date_time.iso8601 }}.gzip + remote_src: yes + tags: mongodump + +- name: Pull newly created mongodump into local backups directory + when: backup_db and not __backup_result.failed + ansible.builtin.fetch: + src: /home/{{ main_user }}/backups/{{ ansible_date_time.iso8601 }}.gzip + dest: "{{ local_backup_dir }}" + tags: mongodump + +- name: Set feature compability version if we are upgrading mongoDB + when: set_feature_compat_version + community.docker.docker_container_exec: + container: rocketchat_mongo_1 + command: > + bash -c 'mongo --eval "db.adminCommand( { setFeatureCompatibilityVersion: \"{{ prev_mongo_version }}\" } )"' + # chdir: /home/{{ main_user }}/rocketchat + # chdir: / + #docker-compose exec mongo + register: __set_feature_compability_version_mongo + tags: mongoupgrade + - name: debug docker compose down debug: var: __remove_rocketchat + tags: bring-down - name: debug docker compose up debug debug: var: __rocketchat + +- name: debug mongo backup + when: backup_db + debug: + var: __backup_result + tags: mongodump + + +- name: debug mongo upgrade set feature compatability version + when: set_feature_compat_version + debug: + var: __set_feature_compability_version_mongo + tags: mongoupgrade \ No newline at end of file 
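Review bot: `local_backup_dir`, used as `dest` in the `ansible.builtin.fetch` task, is not declared in defaults/main.yml, whose entire content is visible in the first hunk on this page, so with the default `backup_db: true` the play fails on an undefined variable unless the inventory supplies it; add `local_backup_dir` to defaults or document it as a required variable. The dump is also taken after the `state: present` step registered as `__rocketchat` (the compose bring-up, as the "debug docker compose up" task confirms), i.e. after the stack has started on the new `mongo:{{ mongo_version }}` image, so it does not guard against a bad migration; if that is its purpose it belongs before the bring-up, whose task starts outside this hunk. `container: rocketchat_mongo_1` hard-codes the Compose v1 project/service naming, which Compose v2 changes to hyphens, and `not __backup_result.failed` is redundant because a failed mongodump already stops the play without `ignore_errors`. The file also ends without a trailing newline.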
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..34a5ca2 --- /dev/null +++ b/templates/docker-compose.yml.j2 @@ -0,0 +1,68 @@ +version: '3.7' + +services: + rocketchat: + image: rocket.chat:{{ rc_version }} + command: > + bash -c + "for (( ; ; )); do + node main.js && + s=$$? && break || s=$$?; + echo \"Could not start Rocket.Chat. Waiting 5 secs...\"; + sleep 5; + done; (exit $$s)" + restart: unless-stopped + volumes: + - ./uploads:/app/uploads + environment: + - PORT=3000 + - ROOT_URL=http://localhost:3000 + - MONGO_URL=mongodb://mongo:27017/rocketchat + - MONGO_OPLOG_URL=mongodb://mongo:27017/local + - MAIL_URL=smtp://smtp.email + depends_on: + - mongo + ports: + - 3000:3000 + labels: + - "traefik.backend=rocketchat" + - "traefik.frontend.rule=Host: your.domain.tld" + + mongo: + image: mongo:{{ mongo_version }} + restart: unless-stopped + volumes: + - ./data/db:/data/db + - ./data/dump:/dump + command: > + bash -c + "while [ ! -f /data/db/WiredTiger ]; do + echo \"wiredTiger migration hasn't started yet. Waiting 30 secs...\"; + sleep 30; + done; + docker-entrypoint.sh mongod --oplogSize 128 --replSet rs0 --storageEngine=wiredTiger;" + depends_on: + - migrator + labels: + - "traefik.enable=false" + + migrator: + build: ./docker/ + volumes: + - ./data/db:/data/db + + mongo-init-replica: + image: mongo:{{ mongo_version }} + command: > + bash -c + "for (( ; ; )); do + mongo mongo/rocketchat --eval \" + rs.initiate({ + _id: 'rs0', + members: [ { _id: 0, host: 'localhost:27017' } ]})\" && + s=$$? && break || s=$$?; + echo \"Could not reach MongoDB. Waiting 5 secs ...\"; + sleep 5; + done; (exit $$s)" + depends_on: + - mongo \ No newline at end of file
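Review bot: `- 3000:3000` under `ports:` publishes Rocket.Chat on every host interface, and because Docker inserts its own forwarding rules ahead of the host firewall the `ufw` rules this role manages do not filter that port; with the nginx service from the deleted files/docker-compose.yml gone, nothing fronts it. If a host-level reverse proxy is intended, bind to loopback with `- "127.0.0.1:3000:3000"` (quoting the mapping also keeps YAML from re-typing it); otherwise state in a comment that 3000 is deliberately exposed. `- MAIL_URL=smtp://smtp.email` was a commented-out example in the old file but is now an active setting with a placeholder host, so mail delivery will be attempted against `smtp.email`; template it from a variable or omit it until configured. The `your.domain.tld` placeholder likewise survives in the traefik label, and the file lacks a trailing newline.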