11 files changed, 127 insertions, 62 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6921293
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+prod-vars.yml
diff --git a/README.org b/README.org
index 7554082..799bc1a 100644
--- a/README.org
+++ b/README.org
@@ -3,34 +3,38 @@ for various pieces of the EmacsConf infrastructure.
 
 ansible-galaxy collection install community.general
 
+Production: needs prod-vars.yml, see prod-vars.yml.sample
+
 * Front - publishing
 ** Prod
 To run the playbook and publish the main schedule:
-ansible-playbook -i inventory.yaml prod-playbook.yaml
+ansible-playbook -i inventory.yml prod-playbook.yml
 
 Update a specific talk's before/nav and the main schedule: (ex: wayland)
-ansible-playbook playbook.yaml -e '{"slug": "wayland"}' -i inventory.yaml
+ansible-playbook playbook.yml -e '{"slug": "wayland"}' -i inventory.yml
 ** Docker
 Creating:
-- ansible-playbook -i docker-inventory.yaml docker-playbook.yaml
+- ansible-playbook -i docker-inventory.yml docker-playbook.yml
 
 Reusing:
-- ansible-playbook -i docker-inventory.yaml docker-reuse-playbook.yaml
+- ansible-playbook -i docker-inventory.yml docker-reuse-playbook.yml
 With docker:
 https://stackoverflow.com/questions/24738264/how-to-test-ansible-playbook-using-docker
 * Pad
+** Production
+ansible-playbook -i inventory.yml prod-playbook.yml --tags pad
 ** Docker
 Creating:
-ansible-playbook -i docker-inventory.yaml docker-playbook.yaml --tags pad
+ansible-playbook -i docker-inventory.yml docker-playbook.yml --tags pad
 
 Reusing an existing container:
-ansible-playbook -i docker-inventory.yaml docker-reuse-playbook.yaml --tags pad
+ansible-playbook -i docker-inventory.yml docker-reuse-playbook.yml --tags pad
 
 Connecting:
 docker exec -it emacsconf-pad /bin/bash
 
 Creating pads
-ansible-playbook -i docker-inventory.yaml docker-reuse-playbook.yaml --tags create-pads
+ansible-playbook -i docker-inventory.yml docker-reuse-playbook.yml --tags create-pads
 
 file:/docker:emacsconf-pad:/home/etherpad/etherpad/
 
@@ -46,6 +50,7 @@ docker exec  emacsconf-pad cat /home/etherpad/etherpad/APIKEY.txt
 b7a15dc34cc7f6917cca6cd9a2b4b92145af7c7cd9b341af34869ab8cd3568be
 :end:
 
+
 #+begin_src sh :var padkey=pad-key
 echo curl "http://localhost:9001/api/1/createPad?apikey=$padkey&padID=emacsconf-2022"
 curl "http://localhost:9001/api/1/createPad?apikey=$padkey&padID=emacsconf-2022"
diff --git a/docker-destroy.yaml b/docker-destroy.yml
index f401dba..f401dba 100644
--- a/docker-destroy.yaml
+++ b/docker-destroy.yml
diff --git a/docker-inventory.yaml b/docker-inventory.yml
index b1be91e..b1be91e 100644
--- a/docker-inventory.yaml
+++ b/docker-inventory.yml
diff --git a/docker-playbook.yaml b/docker-playbook.yml
index 6235624..124c55d 100644
--- a/docker-playbook.yaml
+++ b/docker-playbook.yml
@@ -1,4 +1,10 @@
 ---
+- name: Load vars
+  hosts: all
+  tags: always
+  tasks:
+    - include_vars:
+        file: docker-vars.yml
 - name: Create a front container to be provisioned later
   tags: docker-front
   hosts: localhost
diff --git a/docker-reuse-playbook.yaml b/docker-reuse-playbook.yml
index c187817..10df7d6 100644
--- a/docker-reuse-playbook.yaml
+++ b/docker-reuse-playbook.yml
@@ -1,4 +1,10 @@
 ---
+- name: Load vars
+  hosts: all
+  tags: always
+  tasks:
+    - include_vars:
+        file: docker-vars.yml
 - name: Load talks
   hosts: localhost
   tags: create-pads
diff --git a/inventory.yaml b/inventory.yml
index 69b3213..1e7f55e 100644
--- a/inventory.yaml
+++ b/inventory.yml
@@ -7,5 +7,7 @@ prod:
       ansible_host: front0.emacsconf.org
       remote_user: orga
     pad:
-      ansible_host: front0.emacsconf.org
+      ansible_host: live0.emacsconf.org
       remote_user: orga
+      ansible_ssh_user: orga
+      ansible_python_interpreter: /usr/bin/python3
diff --git a/pad/defaults/main.yml b/pad/defaults/main.yml
index 386abf7..9d2e294 100644
--- a/pad/defaults/main.yml
+++ b/pad/defaults/main.yml
@@ -1,11 +1,9 @@
 ---
 # defaults file for pad
 etherpad_path: /home/etherpad/etherpad
-etherpad_database_password: cgdh23dho
 etherpad_database_name: emacsconf_pad
 etherpad_database_user: etherpad
 etherpad_user: etherpad
 etherpad_group: etherpad
-etherpad_api_key: b7a15dc34cc7f6917cca6cd9a2b4b92145af7c7cd9b341af34869ab8cd3568be
 etherpad_base: emacsconf
 etherpad_year: 2022
diff --git a/pad/tasks/main.yml b/pad/tasks/main.yml
index 8637406..bb3209d 100644
--- a/pad/tasks/main.yml
+++ b/pad/tasks/main.yml
@@ -1,70 +1,91 @@
 ---
 # tasks file for pad
-- name: Add nodesource key
-  apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
-    state: present
-- name: Add nodesource repository
-  ansible.builtin.apt_repository:
-    repo: deb https://deb.nodesource.com/node_13.x buster main
-    update_cache: yes
-- name: Install packages
-  apt:
-    update_cache: yes
-    name:
-      - systemd
-      - sudo
-      - nodejs
-      - mariadb-server
-      - mariadb-client
-    state: present
-- name: Create etherpad user
-  user:
-    name: etherpad
-    home: /home/etherpad
-    shell: /bin/bash
-    state: present
-- name: Install etherpad
-  git:
-    repo: https://github.com/ether/etherpad-lite.git
-    dest: "{{ etherpad_path }}"
-    depth: 1
+- name: Set up packages as root
   become: true
-  become_user: etherpad
-- name: Configure etherpad
-  template:
-    src: templates/settings.json
-    dest: "{{ etherpad_path }}/settings.json"
-- name: Set etherpad API key
-  copy:
-    content: "{{ etherpad_api_key }}"
-    dest: "{{ etherpad_path }}/APIKEY.txt"
-    owner: "{{ etherpad_user }}"
-    mode: "0600"
-- name: Install dependencies
-  shell: cd {{ etherpad_path }}; . src/bin/functions.sh; src/bin/installDeps.sh
+  block:
+  - name: Add nodesource key
+    apt_key:
+      url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
+      state: present
+  - name: Add nodesource repository
+    ansible.builtin.apt_repository:
+      repo: deb https://deb.nodesource.com/node_13.x buster main
+      update_cache: yes
+  - name: Install packages
+    apt:
+      update_cache: yes
+      name:
+        - systemd
+        - sudo
+        - nodejs
+        - mariadb-server
+        - mariadb-client
+      state: present
+  - name: Create etherpad user
+    user:
+      name: etherpad
+      home: /home/etherpad
+      shell: /bin/bash
+      state: present
+- include: mariadb.yml
   become: true
-  become_user: etherpad
-- name: Install etherpad plugins
-  npm:
-    name: ep_pad-lister
-    path: "{{ etherpad_path }}"
+- name: Set up etherpad as the etherpad user
+  tags: etherpad-src
   become: true
-  become_user: etherpad
-- include: mariadb.yml
+  block:
+  - name: Install etherpad
+    git:
+      repo: https://github.com/ether/etherpad-lite.git
+      dest: "{{ etherpad_path }}"
+      depth: 1
+  - name: Configure etherpad
+    template:
+      src: templates/settings.json
+      dest: "{{ etherpad_path }}/settings.json"
+  - name: Install dependencies
+    shell: cd {{ etherpad_path }}; . src/bin/functions.sh; src/bin/installDeps.sh
+  - name: Install etherpad plugins
+    npm:
+      name: ep_pad-lister
+      path: "{{ etherpad_path }}"
+  - name: Change ownership
+    file:
+      dest: /home/etherpad/etherpad
+      owner: "{{ etherpad_user }}"
+      group: "{{ etherpad_group }}"
+      recurse: true
+  - name: Set etherpad API key
+    copy:
+      content: "{{ etherpad_api_key }}"
+      dest: "{{ etherpad_path }}/APIKEY.txt"
+      owner: "{{ etherpad_user }}"
+      mode: "0600"
 - name: Install init.d configuration
   tags: system
+  become: true
   template:
     src: etherpad.init.d
     dest: /etc/init.d/etherpad
     owner: root
     group: root
+    mode: 0644
+  when: use_initd is defined
+- name: Install systemd configuration
+  tags: system
+  become: true
+  template:
+    src: etherpad.service
+    dest: /etc/systemd/system/etherpad.service
+    owner: root
+    group: root
     mode: 0755
+  when: use_initd is not defined
 - name: Start Etherpad
   tags: system
+  become: true
   service:
     name: etherpad
-    state: started
+    state: restarted
 - tags: create-pads
   include_vars:
     file: talks.json
diff --git a/pad/tasks/mariadb.yml b/pad/tasks/mariadb.yml
index 7a406c9..8e613b6 100644
--- a/pad/tasks/mariadb.yml
+++ b/pad/tasks/mariadb.yml
@@ -5,10 +5,30 @@
       - mariadb-server
       - mariadb-client
       - python3-mysqldb
+- name: Ensure anonymous users are not in the database
+  mysql_user:
+    name: ""
+    host: "{{ item }}"
+    state: absent
+  with_items:
+    - localhost
+    - 127.0.0.1
+    - ::1
+    - "%"
+- name: Ensure mysql is configured to bind only to localhost
+  ini_file:
+    dest: /etc/mysql/my.cnf
+    section: mysqld
+    option: "bind-address"
+    value: "127.0.0.1"
 - name: Start MariaDB
   service:
     name: mysql
-    state: started
+    state: restarted
+    enabled: yes
+    runlevel:
+      - 3
+      - 5
 - name: Ensure emacsconf-pad database exists
   mysql_db:
     name: "{{ etherpad_database_name }}"
diff --git a/prod-playbook.yaml b/prod-playbook.yml
index 83f7e7f..eb12597 100644
--- a/prod-playbook.yaml
+++ b/prod-playbook.yml
@@ -1,9 +1,15 @@
+- name: Load vars
+  hosts: all
+  tags: always
+  tasks:
+    - include_vars:
+        file: prod-vars.yml
 - name: Set up wiki for publishing
   hosts: publish
   roles:
     - wiki-edit
 - name: Set up pad
   hosts: pad
-  vars_files: prod-vars.yml
+  tags: pad
   roles:
     - pad