From 359b6a455308704d78de461ef6c8f97445a14651 Mon Sep 17 00:00:00 2001
From: ynerant <ynerant@crans.org>
Date: Wed, 17 Feb 2021 11:57:10 +0100
Subject: [PATCH] [belenios] Deploy belenios

Signed-off-by: ynerant <ynerant@crans.org>
---
 group_vars/belenios.yml                       |   8 ++
 group_vars/reverseproxy.yml                   |   2 +-
 host_vars/belenios.adm.crans.org.yml          |   4 +
 hosts                                         |   5 +-
 plays/belenios.yml                            |   9 ++
 roles/belenios/handlers/main.yml              |   5 +
 roles/belenios/tasks/main.yml                 | 123 ++++++++++++++++++
 .../ocsigenserver/conf.d/belenios.conf.j2     |  79 +++++++++++
 8 files changed, 233 insertions(+), 2 deletions(-)
 create mode 100644 group_vars/belenios.yml
 create mode 100644 host_vars/belenios.adm.crans.org.yml
 create mode 100755 plays/belenios.yml
 create mode 100644 roles/belenios/handlers/main.yml
 create mode 100644 roles/belenios/tasks/main.yml
 create mode 100644 roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2

diff --git a/group_vars/belenios.yml b/group_vars/belenios.yml
new file mode 100644
index 00000000..e23df08e
--- /dev/null
+++ b/group_vars/belenios.yml
@@ -0,0 +1,8 @@
+---
+glob_belenios:
+  domain: belenios.crans.org
+  email_contact: contact@crans.org
+  email_from: root@crans.org
+  cas:
+    name: CAS Cr@ns
+    server: https://cas.crans.org/
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index fca4ddbe..49f1ed78 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -39,7 +39,7 @@ nginx:
     - {from: hedgedoc.crans.org, to: "172.16.10.128:3000"}
     - {from: owncloud.crans.org, to: 172.16.10.136}
     - {from: linx.crans.org, to: "172.16.10.119:8080"}
-    # - {from: belenios.crans.org, to: 172.16.10.111}
+    - {from: belenios.crans.org, to: 172.16.10.111}
     # - {from: mailman.crans.org, to: 10.231.136.180}
 
     # Zamok
diff --git a/host_vars/belenios.adm.crans.org.yml b/host_vars/belenios.adm.crans.org.yml
new file mode 100644
index 00000000..92076e1a
--- /dev/null
+++ b/host_vars/belenios.adm.crans.org.yml
@@ -0,0 +1,4 @@
+---
+interfaces:
+  adm: ens18
+  srv_nat: ens19
diff --git a/hosts b/hosts
index d032fd9f..397f791c 100644
--- a/hosts
+++ b/hosts
@@ -17,6 +17,9 @@ tealc.adm.crans.org
 [bdd]
 tealc.adm.crans.org
 
+[belenios]
+belenios.adm.crans.org
+
 [certbot:children]
 dovecot
 git
@@ -141,7 +144,7 @@ baie
 virtu
 
 [crans_vm]
-#belenios.adm.crans.org
+belenios.adm.crans.org
 #bigbluebutton.adm.crans.org
 boeing.adm.crans.org
 cas.adm.crans.org
diff --git a/plays/belenios.yml b/plays/belenios.yml
new file mode 100755
index 00000000..a55b3f87
--- /dev/null
+++ b/plays/belenios.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: belenios
+  vars:
+    belenios: "{{ glob_belenios | default({}) | combine(loc_belenios | default({})) }}"
+    nullmailer: "{{ glob_nullmailer | default({}) | combine(loc_nullmailer | default({})) }}"
+  roles:
+    - belenios
+    - nullmailer
diff --git a/roles/belenios/handlers/main.yml b/roles/belenios/handlers/main.yml
new file mode 100644
index 00000000..552e8142
--- /dev/null
+++ b/roles/belenios/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart ocsigenserver
+  systemd:
+    name: ocsigenserver
+    state: restarted
diff --git a/roles/belenios/tasks/main.yml b/roles/belenios/tasks/main.yml
new file mode 100644
index 00000000..bd80f572
--- /dev/null
+++ b/roles/belenios/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+- name: Install Belenios dependencies from APT
+  apt:
+    update_cache: true
+    install_recommends: false
+    name:
+      - bubblewrap
+      - build-essential
+      - libgmp-dev
+      - libpcre3-dev
+      - pkg-config
+      - m4
+      - libssl-dev
+      - libsqlite3-dev
+      - wget
+      - ca-certificates
+      - zip
+      - unzip
+      - libncurses-dev
+      - zlib1g-dev
+      - libgd-securityimage-perl
+      - cracklib-runtime
+      - jq
+
+      # OCamL build dependencies
+      - dune
+      - libatdgen-ocaml-dev
+      - libzarith-ocaml-dev
+      - libcryptokit-ocaml-dev
+      - libcmdliner-ocaml-dev
+      - libcalendar-ocaml-dev
+      - eliom
+      - libcsv-ocaml-dev
+      - libgettext-ocaml-dev
+
+      # Web server dependencies
+      - ocsigenserver
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Start ocsigenserver at boot
+  lineinfile:
+    path: /etc/default/ocsigenserver
+    regexp: "^LAUNCH_AT_STARTUP="
+    line: "LAUNCH_AT_STARTUP=true"
+  notify: Restart ocsigenserver
+
+- name: Clone belenios into /opt/belenios
+  git:
+    repo: https://gitlab.inria.fr/belenios/belenios.git
+    dest: /opt/belenios
+    version: "1.14"
+    force: true
+  register: git_result
+
+- name: Make belenios project
+  when: git_result.changed
+  make:
+    chdir: /opt/belenios
+    target: build-release-server
+  notify: Restart ocsigenserver
+
+- name: Create belenios data directories
+  file:
+    path: "{{ item }}"
+    owner: ocsigen
+    group: ocsigen
+    mode: 0755
+    state: directory
+  loop:
+    - "/etc/ocsigenserver/conf.d"
+    - "/var/lib/belenios"
+    - "/var/lib/belenios/data"
+    - "/var/lib/belenios/upload"
+    - "/var/lib/belenios/spool"
+    - "/var/log/belenios"
+
+- name: Link ocsigenserver database
+  file:
+    src: "/opt/belenios/_run/lib/ocsidb"
+    path: "/var/lib/belenios/data/ocsidb"
+    owner: ocsigen
+    group: ocsigen
+    mode: 0644
+    state: link
+
+- name: Link belenios directories into proper locations
+  file:
+    src: "{{ item.src }}"
+    path: "{{ item.path }}"
+    owner: root
+    group: root
+    mode: 0755
+    state: link
+  loop:
+    - src: "/opt/belenios/_run/usr/bin/belenios-tool"
+      path: "/usr/bin/belenios-tool"
+
+    - src: "/opt/belenios/_run/usr/lib/belenios"
+      path: "/usr/lib/ocaml/belenios"
+    - src: "/opt/belenios/_run/usr/lib/belenios-platform"
+      path: "/usr/lib/ocaml/belenios-platform"
+    - src: "/opt/belenios/_run/usr/lib/belenios-platform-js"
+      path: "/usr/lib/ocaml/belenios-platform-js"
+    - src: "/opt/belenios/_run/usr/lib/belenios-platform-native"
+      path: "/usr/lib/ocaml/belenios-platform-native"
+    - src: "/opt/belenios/_run/usr/lib/belenios-server"
+      path: "/usr/lib/ocaml/belenios-server"
+    - src: "/opt/belenios/_run/usr/lib/belenios-tool"
+      path: "/usr/lib/ocaml/belenios-tool"
+
+    - src: "/opt/belenios/_run/usr/share/belenios-server"
+      path: "/usr/share/belenios-server"
+
+- name: Deploy ocsigenserver configuration
+  template:
+    src: ocsigenserver/conf.d/belenios.conf.j2
+    dest: /etc/ocsigenserver/conf.d/belenios.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart ocsigenserver
diff --git a/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2 b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2
new file mode 100644
index 00000000..fa41d367
--- /dev/null
+++ b/roles/belenios/templates/ocsigenserver/conf.d/belenios.conf.j2
@@ -0,0 +1,79 @@
+{{ ansible_header | comment('xml') }}
+
+<!-- -*- Mode: Xml -*- -->
+<ocsigen>
+
+  <server>
+
+    <port>8001</port>
+
+    <logdir>/var/log/belenios</logdir>
+    <datadir>/var/lib/belenios/data</datadir>
+
+    <uploaddir>/var/lib/belenios/upload</uploaddir>
+
+    <!--
+      The following limits are there to avoid flooding the server.
+      <maxuploadfilesize> might need to be increased for handling large
+      elections.
+      <maxconnected> is related to the number of simultaneous voters
+      visiting the server.
+    -->
+    <maxuploadfilesize>1024kB</maxuploadfilesize>
+    <maxconnected>500</maxconnected>
+
+    <commandpipe>/var/run/belenios/ocsigenserver_command</commandpipe>
+
+    <charset>utf-8</charset>
+
+    <findlib path="/usr/lib/ocaml"/>
+
+    <extension findlib-package="ocsigenserver.ext.staticmod"/>
+    <extension findlib-package="ocsigenserver.ext.redirectmod"/>
+
+    <extension findlib-package="ocsigenserver.ext.ocsipersist-sqlite">
+      <database file="/var/lib/belenios/data/ocsidb"/>
+    </extension>
+
+    <extension findlib-package="eliom.server"/>
+    <extension findlib-package="belenios-platform-native"/>
+
+    <host charset="utf-8" hostfilter="*" defaulthostname="{{ belenios.domain }}">
+      <!-- <redirect suburl="^$" dest="http://www.example.org"/> -->
+      <site path="static" charset="utf-8">
+        <static dir="/usr/share/belenios-server" cache="0"/>
+      </site>
+      <site path="monitor">
+        <eliom findlib-package="eliom.server.monitor.start"/>
+      </site>
+      <eliom findlib-package="belenios-server">
+        <!-- Domain name used in Message-ID -->
+        <domain name="https://{{ belenios.domain }}/"/>
+        <!--
+          The following can be adjusted to the capacity of your system.
+          If <maxrequestbodysizeinmemory> is too small, large elections
+          might fail, in particular with so-called alternative questions
+          with many voters.
+          <maxmailsatonce> depends heavily on how sending emails is
+          handled by your system.
+        -->
+        <maxrequestbodysizeinmemory value="1048576"/>
+        <maxmailsatonce value="1000"/>
+        <uuid length="14"/>
+        <gdpr uri="https://www.belenios.org/rgpd.html"/>
+        <contact uri="mailto:{{ belenios.email_contact }}"/>
+        <server mail="{{ belenios.email_from }}"/>
+        <auth name="{{ belenios.cas.name }}"><cas server="{{ belenios.cas.server }}"/></auth>
+        <source file="/usr/share/belenios-server/belenios.tar.gz"/>
+        <default-group file="/usr/share/belenios-server/groups/default.json"/>
+        <nh-group file="/usr/share/belenios-server/groups/rfc3526-2048.json"/>
+        <log file="/var/log/belenios/security.log"/>
+        <locales dir="/usr/share/belenios-server/locales"/>
+        <spool dir="/var/lib/belenios/spool"/>
+        <!-- <warning file="/opt/belenios/belenios/_run/warning.html"/> -->
+      </eliom>
+    </host>
+
+  </server>
+
+</ocsigen>