authorJoshua Hull <josh@fireflop.com>2023-01-15 10:49:21 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2023-01-27 11:19:24 +0100
commit50d0af489296a42f8773066ffc37265dab1d5b0a (patch)
tree239da772f1c500721f35ea2a8b2a8af88269dbda
parent0562d72eaafaedf0f10414e0b42fa92d248c60f3 (diff)
sky: homepage: set up the frontpage of labitat.dk
esmil: - use timer to update the homepage - git clone/update and install gems as the homepage user
-rw-r--r--roles/sky/files/update-homepage.service13
-rw-r--r--roles/sky/files/update-homepage.timer12
-rw-r--r--roles/sky/handlers/main.yml8
-rw-r--r--roles/sky/tasks/homepage.yml82
-rw-r--r--roles/sky/tasks/main.yml2
-rw-r--r--roles/sky/templates/homepage.nginx.j228
-rw-r--r--roles/sky/vars/main.yml3
7 files changed, 148 insertions, 0 deletions
diff --git a/roles/sky/files/update-homepage.service b/roles/sky/files/update-homepage.service
new file mode 100644
index 0000000..d4fc777
--- /dev/null
+++ b/roles/sky/files/update-homepage.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Update Homepage
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/home/homepage/homepage/make
+WorkingDirectory=/home/homepage/homepage
+User=homepage
+Group=homepage
+ProtectSystem=full
+PrivateTmp=yes
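Review bot: The `[Service]` section runs `/home/homepage/homepage/make`, a script taken from the git checkout, with only `ProtectSystem=full` and `PrivateTmp=yes` as confinement. Because the timer fires it every minute and the script's content is controlled by the repository, tighter sandboxing is worth adding: `NoNewPrivileges=yes`, `ProtectSystem=strict` and `ReadWritePaths=/home/homepage/homepage`. The `ReadWritePaths=` value is a guess from `WorkingDirectory=`, so extend it if `make` writes elsewhere under the home directory. `Requires=network-online.target` could also be relaxed to `Wants=`, which is the form the systemd documentation recommends for that target.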
diff --git a/roles/sky/files/update-homepage.timer b/roles/sky/files/update-homepage.timer
new file mode 100644
index 0000000..34a6a57
--- /dev/null
+++ b/roles/sky/files/update-homepage.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update homepage every minute
+
+[Timer]
+Unit=update-homepage.service
+OnBootSec=1min
+OnUnitActiveSec=1min
+AccuracySec=1min
+Persistent=no
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/sky/handlers/main.yml b/roles/sky/handlers/main.yml
new file mode 100644
index 0000000..a73bd25
--- /dev/null
+++ b/roles/sky/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: restart update-homepage
+ systemd:
+ name: update-homepage.timer
+ state: restarted
+ daemon_reload: yes
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/sky/tasks/homepage.yml b/roles/sky/tasks/homepage.yml
new file mode 100644
index 0000000..54872ed
--- /dev/null
+++ b/roles/sky/tasks/homepage.yml
@@ -0,0 +1,82 @@
+---
+- name: Create homepage user
+ user:
+ comment: 'user for homepage'
+ name: homepage
+ group: homepage
+ uid: 3000
+ shell: '/bin/bash'
+
+- name: Clone/update homepage git repo
+ git:
+ dest: '~homepage/homepage'
+ repo: 'https://github.com/labitat/homepage'
+ version: main
+ remote: origin
+ #single_branch: yes
+ #accept_newhostkey: yes
+ clone: yes
+ update: yes
+ become_user: homepage
+ register: homepage_git
+
+- name: Deploy new homepage
+ block:
+ - name: Delete old gems
+ file:
+ path: '~homepage/homepage/{{ item }}'
+ state: absent
+ with_items:
+ - Gemfile.lock
+ - lib
+ - bin
+ - name: Install dependencies
+ command: /usr/bin/bundle
+ args:
+ chdir: '~homepage/homepage'
+ become_user: homepage
+ - name: Create build and out directories
+ file:
+ path: '~homepage/homepage/{{ item }}'
+ state: directory
+ owner: homepage
+ group: homepage
+ mode: 0755
+ with_items:
+ - build
+ - out
+ when: homepage_git is changed
+
+- name: Create update-homepage service and timer
+ copy:
+ dest: '/etc/systemd/system/{{ item }}'
+ src: '{{ item }}'
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - update-homepage.service
+ - update-homepage.timer
+ notify:
+ - restart update-homepage
+
+- name: Enable update-homepage timer
+ systemd:
+ name: update-homepage.timer
+ enabled: yes
+ masked: no
+ state: started
+
+- name: Install nginx site for homepage
+ template:
+ dest: '/etc/nginx/sites-enabled/homepage'
+ src: homepage.nginx.j2
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload nginx
+ tags:
+ - nginx
+
+# vim: set ts=2 sw=2 et:
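Review bot: The `Clone/update homepage git repo` task tracks `version: main` and the `Delete old gems` task removes `Gemfile.lock` before `/usr/bin/bundle` runs, so both the site code and the gem versions are whatever upstream serves at deploy time. update-homepage.service then executes `make` from that checkout, so write access to that branch and to the gem sources decides what code runs as the homepage user on this host. Consider pinning `version:` to a reviewed tag or commit, or adding `verify_commit: yes` with a trusted key set. Consider also keeping a committed `Gemfile.lock` instead of deleting it. Separately, the file modes are safer quoted as the Ansible documentation advises, e.g. `mode: '0755'` and `mode: '0644'`.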
diff --git a/roles/sky/tasks/main.yml b/roles/sky/tasks/main.yml
index 6144e82..9d04b9f 100644
--- a/roles/sky/tasks/main.yml
+++ b/roles/sky/tasks/main.yml
@@ -11,5 +11,7 @@
- import_tasks: certbot.yml
tags: certbot
+- import_tasks: homepage.yml
+ tags: homepage
# vim: set ts=2 sw=2 et:
diff --git a/roles/sky/templates/homepage.nginx.j2 b/roles/sky/templates/homepage.nginx.j2
new file mode 100644
index 0000000..cf31da9
--- /dev/null
+++ b/roles/sky/templates/homepage.nginx.j2
@@ -0,0 +1,28 @@
+# generated 2023-01-14, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen *:443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain_name }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /home/homepage/homepage/build;
+
+ location = / {
+ try_files $uri /out.html;
+ }
+}
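Review bot: The header comment names the Mozilla "intermediate configuration", but the `server` block carries no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers` lines, which are part of that generated profile. Unless they are set at `http` level elsewhere in the role (not visible in this diff), the protocol and cipher selection falls back to the nginx and OpenSSL defaults of the installed version. If they are not set globally, add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` here, plus the cipher list from the generator URL in the comment. A short comment on `location = /` would also help, since it is an exact match on `/` and every other URI is served straight from `root`.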
diff --git a/roles/sky/vars/main.yml b/roles/sky/vars/main.yml
index ecdaefa..fdb1fbe 100644
--- a/roles/sky/vars/main.yml
+++ b/roles/sky/vars/main.yml
@@ -35,6 +35,9 @@ apt_sources_role:
apt_packages_role:
'nginx': present
'certbot': present
+ 'ruby': present
+ 'bundler': present
+ 'curl': present
journald_conf_role:
'Journal.Storage': 'persistent'