Installing Nodered using Ansible

Recently I've been playing around with Vagrant and Ansible to configure my home server. The server runs a few local network services and I'm working on some home automation stuff which I hope to base on NodeRed, in this post I'll describe how I've used Ansible to install NodeRed with git.

Installation

Dependencies

Since Nodered is a NodeJS application, we need to install a few dependencies first, I'm using apt and npm to do this but the method can be easily modified to the appropriate package manager:

- name: Add node key
  sudo: yes
  apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key state=present

- name: Add repos
  sudo: yes
  apt_repository: repo='deb https://deb.nodesource.com/node precise main'
  
- name: Install packages
  sudo: yes
  apt: upgrade=dist
  apt: pkg= state=installed update_cache=yes
  with_items:
 
  - nodejs
  - git-core

- name: Setup Forever
  sudo: yes
  npm: name=forever global=yes
  

NodeRed

There are a few ways to install Nodered; from a downloaded archive, using git or plain npm, I've chosen git as it allows me to easily upgrade just by changing the version tag and rerunning Ansible. All the functionality to get the code is built into Ansible:

- name: GetNodeRed
  sudo: yes
  sudo_user: oliversmith
  git: repo=https://github.com/node-red/node-red.git dest=/home/oliversmith/NodeRed version=0.9.0

- name: Install NodeRed
  sudo: yes
  sudo_user: oliversmith
  npm: name=npm global=yes registry=http://registry.npmjs.org state=latest
  npm: path=/home/oliversmith/NodeRed/ production=yes

Running

Launching node applications from the command line is tricky as if they crash the application doesn't have a mechanism to recover, I've chosen to use forever to solve this issue, however it won't make the application start on boot so further configuration would be required to enable that.

Forever has already been installed using npm (above) so after installation we can dive straight into running it:

- name: Run NodeRed
  sudo: yes
  sudo_user: oliversmith
  shell: forever start red.js
  args:
    chdir: /home/oliversmith/NodeRed/

Dandong, China 2014

I recently traveled to Dandong, China as a side trip from Beijing. I choose Dandong as I wanted to visit a normal Chinese city not usually on the tourist trail. Dandong is certainly a normal city and not one which sees millions of Western visitors every week. I also have an intermittent fascination with North Korea and Dandong happens to be one of the main crossing points into North Korea.

I spent most of my time exploring town and riverside areas including visiting the Korean War Museum (Museum of the War to Resist U.S. Aggression and Aid North Korea) and stopping at a remote outpost of Tesco to pick up supplies. There isn't a tonne of stuff to do in Dandong but enough to fill a weekend. If you're feeling more energetic than I (I'd hurt my ankle a few days before in Beijing) you can take a bus or taxi to see the most easterly section of the Great Wall.

Below are a few highlights of my trip:

The broken Yalu River bridge (alongside the working Friendship Bridge):

Bridges over the Yalu River, Dandong

View from the broken bridge over the Yalu river looking towards North Korea

North Korean boats on the river:

North Korean cargo ships moored on the Yalu River, Dandong

Walking the streets of Dandong:

Walking through the city to the war museum showed Dandong is very detached from the more vibrant and shiny areas of Beijing and lived up to my expectations of being slightly gritty and dirty.

Apartments seen while walking in Dandong

A typical street, Dandong

While I was taking this photo someone on an upper floor threw something large and glass out of the window and it smashed in the middle of the road, fortunatly not hitting anything.

Museum of the War to Resist U.S. Aggression and Aid North Korea:

While not very photogenic this is a very interesting museum if you're into history, it covers the Korean War from the Chinese angle and portrays America in a very different light to what most Western visitors will be used to. It's fully translated into English and has a wide selection of artifacts from the war as well as an outdoor display of military hardware.

Museum of the War to Resist U.S. Aggression and Aid North Korea

Statues inside The Museum of the War to Resist U.S. Aggression and Aid North Korea

On my way back to the hotel I picked up some local beer from Tesco, it wasn't great - I think I'll stick to TsingTao in future

Yalu River Beer

I stayed at the Crowne Plaza Hotel and can thoroughly recommend it, it's a little outside the CBD but a pleasant 30 minute walk along the river or a few minutes taxi ride. The concierges were particularly helpful and unlike their Beijing counterparts haven't grown to expect American style tipping (yet). Below are some views from my room, N. Korea is on the far bank:

View of the Yalu river and North Korea from my room in the Crown Plaza Hotel, Dandong

View of the Yalu river and North Korea from my room in the Crown Plaza Hotel, Dandong

You can even watch North Korean TV live on the TV, that was quite surreal!

Watching North Korean TV in the hotel

At the time of visiting there was a daily Air China flight to/from Beijing and less frequent services to Harbin, Shanghai and Shenzhen. Dandong Airport has just opened a shiny new terminal which was deserted until an hour or so before my flight.

Dandong Airport Terminal

Dandong Airport Terminal

Configuring SSL and Gitlab through an Apache Reverse Proxy

I've recently started to use Gitlab as an alternative to a Github paid account for projects I don't wish to make public. I wanted to install Gitlab on a server which is used for a few other applications which all use Apache, while Gitlab is really easy to install it installs nginx by default and expects to run on port 80. Normally in this situation I would configure Nginx to point to a non standard port, proxy through apache on the same server and terminate the SSL at apache, however there are some quirks in Gitlab which make this difficult; in this post I'll describe how to proxy Gitlab through apache using SSL.

The Problem

While Gitlab can be manually installed to work with apache this makes upgrades / changes difficult, it comes with a very nice Chef based installer but it assumes it's the only thing installed, if a simple HTTPS proxy is configured (terminating the SLL at Apache) then Gitlab will still mix in some non SSL URLs as it thinks it's still using an unencrypted connection, while not a huge risk this is untidy and annoyed me.

The Solution

The solution is to configure Gitlab to use SSL too and enable an SSL proxy in Apache, this involves defining options in two files:

gitlab.rb

external_url 'https://<url>:4443'
nginx['ssl_certificate'] = "/etc/ssl/localcerts/<certname>.crt"
nginx['ssl_certificate_key'] = "/etc/ssl/localcerts/<keyname>.key"

After which don't forget to run

 sudo gitlab-ctl reconfigure 
to push the changes into the nginx config

Apache vhost

<VirtualHost <ip>:443>

        ServerName <server url>
        SSLEngine on
        SSLCertificateFile /etc/ssl/localcerts/<certname>.crt
        SSLCertificateKeyFile /etc/ssl/localcerts/<keyname>.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine on
    ProxyRequests Off
    ProxyPass / https://<url>:4443/
    ProxyPassReverse / https://<url>/

    Header edit Location ^http://<url>/ https://<url>/
    RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>

Dynamic DNS with the Linode CLI - Version 2

A while back I posted a method of creating your own Dynamic DNS server using the Linode API, shortly after they tweeted me with a tip which greatly simplifies the code. Now no remote service is required to provide your external IP address and it becomes an elegant one liner:

linode domain record-update -l oliversmith.io -t A -m lan -T 5 -R [remote_addr] 

Dynamic DNS with the Linode CLI

I've posted an improved method here here

For a while I've been looking for an elegant (and free) solution to mapping a custom DNS record for domains I own to the dynamic IP address of my ADSL connection, mainly for convenient remote access when traveling. I use Linode for my web hosting and DNS so it seemed logical to try and find a solution there. Today when Linode released their new CLI tool it provided me with the inspiration I needed.

In this post I'll show how I wrote a bash script to get my external IP address and update the Linode DNS A record pointing to my home network.

Getting the IP

As the external IP address of most ASDL connections is not the same one mapped to the machine you'll be running this script from an external service is required. A quick Google search reveals many APIs which simply echo back the IP address from which the request came, this saves parsing a page like whatismyip. A list is available here. Curl can then be used to get this address into the script.

Updating the DNS

Most decent DNS hosting services have an API from which DNS records can be modified. Linode have a conventional HTTP API, but the new CLI tool makes it even easier to work with. The API / CLI tools can view and modify most settings of your VMs but in this case the command to update an A record named lan is:

linode domain record-update -l oliversmith.io -t A -m lan -T 5 -R 1.1.1.1

This command looks for the lan A record of oliversmith.io and updates the IP it points to, to 1.1.1.1 with a TTL of 5 minutes. A low TTL will stop DNS servers caching an incorrect IP address for more than 5 minutes. Full API documentation can be found on the Linode Github

Note: I thought it best to manually configure the A record first then update from there, creation is slightly different

Code

These two simple tools can be combined together into a bash script. This can then be set to run periodically as a cron job.

#!/bin/bash

# Get the IP address from anywhere that will echo it
ip=`curl -s http://ipecho.net/plain`
echo "Your current IP Address is: "$ip

linode domain record-update -l oliversmith.io -t A -m lan -T 5 -R $ip

It's a good idea to be respectful to the nice people who provide these free services and poll only a few times an hour, not every second! If you require more frequent updates it'd be easy to add a script on a web server to show you the current external IP.