Update to 2022-03-07 16:00

roles/unmaintained/itop/README.md

@@ -0,0 +1,38 @@
+# iTop CMDB
+
+[iTop](https://www.combodo.com/itop) is a Configuration Management Database written in PHP, developped by combodo
+
+## Installation
+
+The installation is not fully automatic. This ansible role will take care of creating the DB, install the app, configure PHP, httpd etc.
+But you'll have to finish the setup manually by going to the /setup path.
+Note : if you run iTop beind a reverse proxy, you'll have to temporarily edit web/application/utils.inc.php. In this file, the GetDefaultUrlAppRoot will return port 80 instead of 443 (because the httpd instance is running on port 80, but the client uses port 443 to contact the reverse proxy). Just change the line :
+
+```
+$iPort = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : 80;
+```
+
+to
+
+```
+//$iPort = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : 80;
+$iPort = 443;
+```
+
+You can revert this change once the installation is done. For the installation, you need to use a MySQL account with the SUPER privilege (which is not the case of the default user created).
+
+## Upgrade
+
+For upgrades, there are several manual steps to be done. First, you need to grant write access to the config file
+
+```
+chmod 660 /opt/itop_1/web/conf/production/itop-config.php
+```
+
+Then go to /setup and follow the steps. Note : the upgrade needs a user with the SUPER privilege on MySQL. This is not the case of the default user created by this role for security reason. So you should use your SQL admin for the upgrade process. Once the upgrade is done, you can restrict again permissions. note during the upgrade, you'll have to fixe the URL if you're running behind a rev proxy, because iTop will force the port to be 80 !
+
+```
+chmod 660 /opt/itop_1/web/conf/production/itop-config.php
+```
+
+And edit /opt/itop_1/web/conf/env-production/itop-config.php to set back the itop_1 user and password (as it'll have the sqladmin user here)

roles/unmaintained/itop/defaults/main.yml

@@ -0,0 +1,37 @@
+---
+
+itop_id: 1
+itop_manage_upgrade: True
+itop_version: 2.7.5-1
+itop_build: 7770
+itop_archive_url: https://sourceforge.net/projects/itop/files/itop/{{ itop_version }}/iTop-{{ itop_version }}-{{ itop_build }}.zip
+itop_archive_sha1: edff7fb8d5a79ed31a8065f4b7350d4ae4686af1
+
+itop_php_cas_version: 1.4.0
+itop_php_cas_archive_url: https://github.com/apereo/phpCAS/releases/download/{{ itop_php_cas_version }}/CAS-{{ itop_php_cas_version }}.tgz
+itop_php_cas_archive_sha1: 9052431246c95c17b4d67775af7b5b2fb482be44
+
+itop_root_dir: /opt/itop_{{ itop_id }}
+itop_php_user: php-itop_{{ itop_id }}
+itop_php_version: 74
+
+# If you prefer using a custom PHP FPM pool, set it's name.
+# You might need to adjust itop_php_user
+# itop_php_fpm_pool: custom_itop
+
+
+itop_db_server: "{{ mysql_server | default('localhost') }}"
+# itop_db_port: 3306
+itop_db_name: itop_{{ itop_id }}
+itop_db_user: itop_{{ itop_id }}
+# If not defined, a random pass will be generated and stored in the meta directory (under itop_root_dir)
+# itop_db_pass: itop
+
+# itop_alias: itop
+# itop_src_ip: []
+#   - 192.168.7.0/24
+#   - 10.2.0.0/24
+
+# Cron task needs a user and a pass, so it won't be enabled until you set it
+# itop_cron_user: cron
+# itop_cron_pass: secret

roles/unmaintained/itop/meta/main.yml

@@ -0,0 +1,9 @@
+---
+
+allow_duplicates: True
+dependencies:
+  - role: mkdir
+  - role: httpd_php
+  - role: mysql_server
+    when: itop_db_server in [ 'localhost', '127.0.0.1' ]
+

roles/unmaintained/itop/tasks/archive_post.yml

@@ -0,0 +1,9 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ itop_root_dir }}"
+    - version: "{{ itop_current_version }}"
+  when: itop_install_mode == 'upgrade'
+  tags: itop
+

roles/unmaintained/itop/tasks/archive_pre.yml

@@ -0,0 +1,10 @@
+---
+
+- import_tasks: ../includes/webapps_archive.yml
+  vars:
+    - root_dir: "{{ itop_root_dir }}"
+    - version: "{{ itop_current_version }}"
+    - db_name: "{{ itop_db_name }}"
+    - db_server: "{{ itop_db_server }}"
+  tags: itop
+

roles/unmaintained/itop/tasks/cleanup.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Remove temp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ itop_root_dir }}/tmp/iTop-{{ itop_version }}-{{ itop_build }}.zip"
+    - "{{ itop_root_dir }}/tmp/web"
+    - "{{ itop_root_dir }}/tmp/INSTALL"
+    - "{{ itop_root_dir }}/tmp/README"
+    - "{{ itop_root_dir }}/tmp/LICENSE"
+    - "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}"
+    - "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}.tgz"
+  tags: itop

roles/unmaintained/itop/tasks/conf.yml

@@ -0,0 +1,12 @@
+---
+
+- import_tasks: ../includes/webapps_webconf.yml
+  vars:
+    - app_id: itop_{{ itop_id }}
+    - php_version: "{{ itop_php_version }}"
+    - php_fpm_pool: "{{ itop_php_fpm_pool | default('') }}"
+  tags: itop
+
+- name: Deploy cron param file
+  template: src=cron.param.j2 dest={{ itop_root_dir }}/etc/cron.params group={{ itop_php_user }} mode=640
+  tags: itop

roles/unmaintained/itop/tasks/directories.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Create directory structure
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  with_items:
+    - dir: "{{ itop_root_dir }}"
+    - dir: "{{ itop_root_dir }}/archives"
+      mode: 700
+    - dir: "{{ itop_root_dir }}/tmp"
+      owner: "{{ itop_php_user }}"
+      mode: 700
+    - dir: "{{ itop_root_dir }}/sessions"
+      owner: "{{ itop_php_user }}"
+      mode: 700
+    - dir: "{{ itop_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ itop_root_dir }}/backup"
+      mode: 700
+    - dir: "{{ itop_root_dir }}/etc"
+      group: "{{ itop_php_user }}"
+      mode: 750
+    - dir: "{{ itop_root_dir }}/web/data"
+    - dir: "{{ itop_root_dir }}/web/conf"
+    - dir: "{{ itop_root_dir }}/web/env-production"
+    - dir: "{{ itop_root_dir }}/web/env-production-build"
+    - dir: "{{ itop_root_dir }}/web/log"
+    - dir: "{{ itop_root_dir }}/web/extensions"
+  tags: itop
+

roles/unmaintained/itop/tasks/facts.yml

@@ -0,0 +1,19 @@
+---
+
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ itop_root_dir }}"
+        - version: "{{ itop_version }}"
+    - set_fact: itop_install_mode={{ (install_mode == 'upgrade' and not itop_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: itop_current_version={{ current_version | default('') }}
+  tags: itop
+
+- when: itop_db_pass is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ itop_root_dir }}/meta/ansible_dbpass"
+    - set_fact: itop_db_pass={{ rand_pass }}
+  tags: itop
+

roles/unmaintained/itop/tasks/filebeat.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/itop_{{ itop_id }}.yml
+  tags: itop,log

roles/unmaintained/itop/tasks/install.yml

@@ -0,0 +1,122 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - tar
+      - mariadb
+      - acl
+      - graphviz
+  tags: itop
+
+- when: itop_install_mode != 'none'
+  block:
+    - name: Download iTop
+      get_url:
+        url: "{{ itop_archive_url }}"
+        dest: "{{ itop_root_dir }}/tmp/"
+        checksum: "sha1:{{ itop_archive_sha1 }}"
+    
+    - name: Extract iTop archive
+      unarchive:
+        src: "{{ itop_root_dir }}/tmp/iTop-{{ itop_version }}-{{ itop_build }}.zip"
+        dest: "{{ itop_root_dir }}/tmp"
+        remote_src: yes
+
+    - name: Remove previous install
+      file: path={{ itop_root_dir }}/web/{{ item }} state=absent
+      loop:
+        - addons
+        - datamodels
+        - images
+        - lib
+        - manifest.xml
+        - portal
+        - application
+        - core
+        - dictionnaries
+        - env-test
+        - index.php
+        - navigator
+        - setup
+        - webservices
+        - approot.inc.php
+        - css
+        - js
+        - pages
+        - synchro
+        - sources
+        - documentation
+    
+    - name: Install new version of iTop
+      synchronize:
+        src: "{{ itop_root_dir }}/tmp/web/"
+        dest: "{{ itop_root_dir }}/web/"
+        recursive: True
+      delegate_to: "{{ inventory_hostname }}"
+
+    - name: Download php CAS lib
+      get_url:
+        url: "{{ itop_php_cas_archive_url }}"
+        checksum: sha1:{{ itop_php_cas_archive_sha1 }}
+        dest: "{{ itop_root_dir }}/tmp"
+
+    - name: Extract php CAS lib
+      unarchive:
+        src: "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}.tgz"
+        dest: "{{ itop_root_dir }}/tmp"
+        remote_src: True
+
+    - name: Install php CAS lib
+      synchronize:
+        src: "{{ itop_root_dir }}/tmp/CAS-{{ itop_php_cas_version }}/{{ item }}"
+        dest: "{{ itop_root_dir }}/web/lib/"
+        recursive: True
+      delegate_to: "{{ inventory_hostname }}"
+      loop:
+        - CAS.php
+        - CAS
+
+  tags: itop
+
+- name: Ensure env-production directories exist
+  file: path={{ itop_root_dir }}/web/{{ item }} state=directory
+  loop:
+    - env-production
+    - env-production-build
+  tags: itop
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ itop_db_name }}"
+    - db_user: "{{ itop_db_user }}"
+    - db_server: "{{ itop_db_server }}"
+    - db_pass: "{{ itop_db_pass }}"
+  tags: itop
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/itop_{{ itop_id }} mode=700
+  loop:
+    - pre
+    - post
+  tags: itop
+
+- name: Install systemd units
+  template: src=itop.{{ item }}.j2 dest=/etc/systemd/system/itop_{{ itop_id }}.{{ item }}
+  loop:
+    - service
+    - timer
+  register: itop_units
+  tags: itop
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: itop_units.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: itop
+
+- name: Enable iTop timer
+  systemd:
+    name: itop_{{ itop_id }}.timer
+    state: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary('started','stopped') }}"
+    enabled: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary(True,False) }}"
+  tags: itop

roles/unmaintained/itop/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: archive_pre.yml
+  when: itop_install_mode | dfefault('none') == 'upgrade'
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: archive_post.yml
+  when: itop_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: write_version.yml
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
+
+- include_tasks: filebeat.yml
+  tags: always

roles/unmaintained/itop/tasks/user.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: "{{ itop_php_user }}"
+    - comment: "PHP FPM for itop {{ itop_id }}"
+  tags: itop
+

roles/unmaintained/itop/tasks/write_version.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/webapps_post.yml
+  vars:
+    - root_dir: "{{ itop_root_dir }}"
+    - version: "{{ itop_version }}"
+  tags: itop
+

roles/unmaintained/itop/templates/cron.param.j2

@@ -0,0 +1,7 @@
+{% if itop_cron_user is defined and itop_cron_pass is defined %}
+auth_user = {{ itop_cron_user }}
+auth_pwd = {{ itop_cron_pass }}
+{% endif %}
+
+size_min = 20 # in MB
+time_limit = 40 # in minutes

roles/unmaintained/itop/templates/filebeat.yml.j2

@@ -0,0 +1,6 @@
+---
+
+- type: log
+  enabled: True
+  paths:
+    - {{ itop_root_dir }}/web/log/setup.log

roles/unmaintained/itop/templates/httpd.conf.j2

@@ -0,0 +1,26 @@
+{% if itop_alias is defined %}
+Alias /{{ itop_alias }} {{ itop_root_dir }}/web/
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+RewriteEngine On
+# Upgrading DB schema can be very long, so makes sure httpd will wait for a response long enough
+ProxyTimeout 1800
+<Directory {{ itop_root_dir }}/web/>
+  AllowOverride All
+  Options FollowSymLinks
+{% if itop_src_ip is defined %}
+  Require ip {{ itop_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ itop_php_fpm_pool  | default('itop_' + itop_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+</Directory>
+{% for dir in ['log','env-production','env-production-build','data','conf'] %}
+<Directory {{ itop_root_dir }}/web/{{ dir }}>
+  Require all denied
+</Directory>
+{% endfor %}

roles/unmaintained/itop/templates/itop.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Service]
+Type=oneshot
+ExecStart=/bin/php{{ itop_php_version }} \
+            -d memory_limit=512M \
+            -d session.save_path={{ itop_root_dir }}/sessions \
+            {{ itop_root_dir }}/web/webservices/cron.php \
+            --param_file={{ itop_root_dir }}/etc/cron.params \
+            --verbose=1
+User={{ itop_php_user }}
+Group={{ itop_php_user }}
+
+

roles/unmaintained/itop/templates/itop.timer.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target

roles/unmaintained/itop/templates/perms.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+restorecon -R {{ itop_root_dir }}
+chown -R root:root {{ itop_root_dir }}/web/
+find {{ itop_root_dir }}/web/ -type d -exec chmod 755 "{}" \;
+find {{ itop_root_dir }}/web/ -type f -exec chmod 644 "{}" \;
+{% for dir in ['data', 'conf', 'log', 'env-production', 'env-production-build', 'extensions'] %}
+chmod 700 {{ itop_root_dir }}/web/{{ dir }}
+setfacl -k -b -R {{ itop_root_dir }}/web/{{ dir }}
+chown -R {{ itop_php_user }}:{{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }}
+{% if dir == 'conf' %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chown root:{{ itop_php_user }} "{}" \; -exec chmod 640 "{}" \;
+{% else %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chmod 640 "{}" \;
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rX,d:u:{{ httpd_user | default('apache') }}:rX {{ itop_root_dir }}/web/{{ dir }}
+{% endif %}
+{% endfor %}
+find {{ itop_root_dir }}/web/ -type f -name .htaccess -exec chown root:root "{}" \; -exec chmod 644 "{}" \;

roles/unmaintained/itop/templates/php.conf.j2

@@ -0,0 +1,39 @@
+; {{ ansible_managed }}
+
+[itop_{{ itop_id }}]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/itop_{{ itop_id }}.sock
+user = {{ itop_php_user }}
+group = {{ itop_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 60m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 512M
+php_admin_value[session.save_path] = {{ itop_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ itop_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ itop_root_dir }}/tmp
+php_admin_value[post_max_size] = 21M
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[disable_functions] = system, show_source, symlink, dl, shell_exec, passthru, phpinfo, escapeshellcmd
+php_admin_value[open_basedir] = {{ itop_root_dir }}:/etc/pki/tls/cert.pem:/usr/bin/dot
+; DB schema upgrade can be very long
+php_admin_value[max_execution_time] = 1800
+php_admin_value[max_input_time] = 120
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on
+

roles/unmaintained/itop/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ itop_root_dir }}/backup/*

roles/unmaintained/itop/templates/pre-backup.sh.j2

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump \
+{% if itop_db_server not in ['127.0.0.1','localhost'] %}
+    --user={{ itop_db_user }} \
+    --password={{ itop_db_pass | quote }} \
+    --host={{ itop_db_server }} \
+{% if itop_db_port is defined %}
+    --port={{ itop_db_port }} \
+{% endif %}
+{% endif %}
+    --quick --single-transaction \
+    --add-drop-table {{ itop_db_name }} | zstd -c > {{ itop_root_dir }}/backup/{{ itop_db_name }}.sql.zst