Add Commento to blog task and add example index page for webhosting.

README.md

@@ -34,6 +34,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
 -   Web hosting (ex: for your blog) via [Apache](https://www.apache.org/).
 -   Statistics for the website using [Fathom](https://github.com/usefathom/fathom).
+-   Comments for the website using [Commento](https://gitlab.com/commento/commento).
 -   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
 -   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
 -   SSH configuration preventing root login and insecure password authentication

roles/blog/defaults/main.yml

@@ -3,16 +3,29 @@ secret_root: '{{ inventory_dir | realpath }}'
 secret_name: 'secret'
 secret: '{{ secret_root + "/" + secret_name }}'
 
-# must match values in roles/common
-db_admin_username: 'postgres'
-db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
+fathom_admin_username: "{{ admin_email }}"
+fathom_admin_password: "{{ lookup('password', secret + '/' + 'fathom_admin_password length=32') }}"
+
+fathom_version: '1.2.1'
+fathom_release: "https://github.com/usefathom/fathom/releases/download/v{{ fathom_version }}/fathom_{{ fathom_version }}_linux_amd64.tar.gz"
 
 fathom_db_username: 'fathom'
 fathom_db_password: "{{ lookup('password', secret + '/' + 'fathom_db_password length=32') }}"
 fathom_db_database: 'fathom'
-fathom_admin_username: "{{ admin_email }}"
-fathom_admin_password: "{{ lookup('password', secret + '/' + 'fathom_admin_password length=32') }}"
+
 fathom_internal_port: '9000'
 fathom_secret: "{{ lookup('password', secret + '/' + 'fathom_secret length=32') }}"
-fathom_version: '1.2.1'
-fathom_release: "https://github.com/usefathom/fathom/releases/download/v{{ fathom_version }}/fathom_{{ fathom_version }}_linux_amd64.tar.gz"
+
+commento_version: '1.6.2'
+commento_release: "https://commento-release.s3.amazonaws.com/commento-linux-amd64-v{{ commento_version }}.tar.gz"
+
+commento_subdomain: 'comments'
+commento_internal_port: '9100'
+
+commento_db_username: 'commentouser'
+commento_db_password: "{{ lookup('password', secret + '/' + 'commento_db_password length=32') }}"
+commento_db_database: 'commento'
+
+# must match values in roles/common
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"

roles/blog/tasks/blog.yml

@@ -17,6 +17,15 @@
   command: a2enconf well-known.conf creates=/etc/apache2/conf-enabled/well-known.conf.conf
   notify: restart apache
 
+- name: Create an example blog index page
+  template:
+    src=var_www_blog_index.j2
+    dest={{ item.doc_root }}/index.html
+    owner=www-data
+    group=www-data
+    force=no
+  with_items: "{{ virtual_domains }}"
+
 - name: Create the Apache blog sites config files
   template:
     src=etc_apache2_sites-available_blog.j2

roles/blog/tasks/commento.yml

@@ -0,0 +1,74 @@
+- name: Create temporary commento directories
+  file: state=directory path={{ item }}
+  with_items:
+    - /root/commento
+    - /root/commento/commento-{{ commento_version }}
+
+- name: Download commento {{ commento_version }} release
+  get_url:
+    url="{{ commento_release }}"
+    dest=/root/commento/commento-{{ commento_version }}.tar.gz
+
+- name: Decompress commento release
+  unarchive: src=/root/commento/commento-{{ commento_version }}.tar.gz
+             dest=/root/commento/commento-{{ commento_version }} copy=no
+             creates=/root/commento/commento-{{ commento_version }}/commento
+
+- name: Create commento working directory
+  file: state=directory path=/home/{{ main_user_name }}/commento
+
+- name: Stop old commento instance
+  service: name=commento state=stopped
+  ignore_errors: True
+
+- name: Copy commento data to working directory
+  shell: cp -r commento/commento-{{ commento_version }}/* /home/{{ main_user_name }}/commento/ chdir=/root
+
+- name: Setup permissions for commento
+  file: path=/home/{{ main_user_name }}/commento owner={{ main_user_name }} group=www-data recurse=yes
+
+- name: Add commento postgres user
+  postgresql_user:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ commento_db_username }}
+    password="{{ commento_db_password }}"
+    encrypted=yes
+    state=present
+
+- name: Create commento database
+  postgresql_db:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ commento_db_database }}
+    state=present
+    owner={{ commento_db_username }}
+
+- name: Add systemd service to start commento automatically
+  template:
+    src=etc_systemd_system_commento.j2
+    dest=/etc/systemd/system/commento.service
+    owner=root
+    group=root
+
+- name: Register new commento service
+  systemd: name=commento daemon_reload=yes enabled=yes
+
+- name: Start new commento instance
+  service: name=commento state=started
+
+- name: Create the Apache Commento sites config files
+  template:
+    src=etc_apache2_sites-available_commento.j2
+    dest=/etc/apache2/sites-available/commento_{{ item.name }}.conf
+    owner=root
+    group=root
+  notify: restart apache
+  with_items: "{{ virtual_domains }}"
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite commento_{{ item }}.conf creates=/etc/apache2/sites-enabled/commento_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"

roles/blog/tasks/main.yml

@@ -1,2 +1,3 @@
 - include: blog.yml tags=blog
 - include: fathom.yml tags=blog
+- include: commento.yml tags=blog

roles/blog/templates/etc_apache2_sites-available_commento.j2

@@ -0,0 +1,20 @@
+<VirtualHost *:80>
+    ServerName {{ commento_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ commento_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ commento_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            "{{ item.doc_root }}"
+    DirectoryIndex          index.html
+    Options                 -Indexes
+    HostnameLookups         Off
+
+    ProxyRequests           On
+    ProxyPreserveHost       On
+    ProxyPass               / http://localhost:{{ commento_internal_port }}/
+    ProxyPassReverse        / http://localhost:{{ commento_internal_port }}/
+</VirtualHost>

roles/blog/templates/etc_systemd_system_commento.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Commento daemon service
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+User={{ main_user_name }}
+Restart=always
+RestartSec=3
+WorkingDirectory=/home/{{ main_user_name }}/commento
+ExecStart=/home/{{ main_user_name }}/commento/commento
+Environment=COMMENTO_ORIGIN=https://{{ commento_subdomain }}.{{ domain }}
+Environment=COMMENTO_PORT={{ commento_internal_port }}
+Environment=COMMENTO_POSTGRES=postgres://{{ commento_db_username }}:{{ commento_db_password }}@localhost:5432/{{ commento_db_database }}?sslmode=disable
+Environment=COMMENTO_STATIC=/home/{{ main_user_name }}/commento
+Environment=COMMENTO_BIND_ADDRESS=127.0.0.1
+Environment=COMMENTO_SMTP_HOST=localhost
+Environment=COMMENTO_SMTP_PORT=25
+Environment=COMMENTO_SMTP_USERNAME=example@gmail.com
+Environment=COMMENTO_SMTP_PASSWORD=hunter2
+Environment=COMMENTO_SMTP_FROM_ADDRESS=no-reply@{{ commento_subdomain }}.{{ domain }}
+
+[Install]
+WantedBy=multi-user.target

roles/blog/templates/var_www_blog_index.j2

@@ -0,0 +1,31 @@
+<html>
+	<head>
+		<title>{{ item.name }}</title>
+	</head>
+	<body>
+		<h1>{{ item.name }}</h1>
+		<p>Bitte gehen Sie weiter, hier gibt es nichts zu sehen!</p>
+		<p>Please go along, there is nothing to see here!</p>
+
+		<!-- Commento comments (Disqus alternative) -->
+		<div id="commento"></div>
+		<script src="https://{{ commento_subdomain }}.{{ domain }}/js/commento.js"></script>
+
+		<!-- Fathom - simple website analytics - https://github.com/usefathom/fathom -->
+		<!-- TODO: replace 'JTPIK' with your correct site-id in fathom -->
+		<script>
+(function(f, a, t, h, o, m){
+	a[h]=a[h]||function(){
+		(a[h].q=a[h].q||[]).push(arguments)
+	};
+	o=f.createElement('script'),
+	m=f.getElementsByTagName('script')[0];
+	o.async=1; o.src=t; o.id='fathom-script';
+	m.parentNode.insertBefore(o,m)
+})(document, window, '//fathom.{{ domain }}/tracker.js', 'fathom');
+fathom('set', 'siteId', 'JTPIK');
+fathom('trackPageview');
+		</script>
+		<!-- / Fathom -->
+	</body>
+</html>

roles/common/files/letsencrypt-gencert

@@ -17,7 +17,7 @@ for domain in "$@"; do
   fi
 
   # subdomains - www.foo.com mail.foo.com ...
-  for sub in www mail autoconfig fathom news cloud git matrix status social; do
+  for sub in www mail autoconfig fathom news cloud git matrix status social comments; do
     # only add if the DNS entry for the subdomain does actually exist
     if (getent hosts $sub.$domain > /dev/null); then
       if [ -z "$d" ]; then

roles/monitoring/files/etc_monit_conf.d_commento

@@ -0,0 +1,8 @@
+check process commento matching "commento"
+  group www
+  start program = "/bin/systemctl start commento"
+  stop program = "/bin/systemctl stop commento"
+  if failed port 9100 protocol http
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/tasks/monit.yml

@@ -48,6 +48,10 @@
   stat: path=/home/mastodon/mastodon
   register: mastodon_config_file
 
+- name: Determine if Commento is installed
+  stat: path=/home/{{ main_user_name }}/commento/commento
+  register: commento_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -88,6 +92,11 @@
   notify: restart monit
   when: mastodon_config_file.stat.exists == True
 
+- name: Copy Commento monit service config files into place
+  copy: src=etc_monit_conf.d_commento dest=/etc/monit/conf.d/commento
+  notify: restart monit
+  when: commento_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items: