Update to 2021-12-01 19:13

Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions


@@ -0,0 +1,20 @@
---
- name: Ensure openssl is installed
package: name=openssl
- name: Create cert dir
file: path={{ cert_path | dirname }} state=directory
- name: Create private key directory
file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }}
- name: Create the self signed certificate
command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \
-subj "{{ cert_subj | default('/C=FR/ST=Aquitaine/L=Firewall Services/O=IT Security/CN=' + inventory_hostname) }}" \
-nodes -keyout {{ cert_key_path }} -out {{ cert_path }} -days {{ cert_validity | default(3650) }}
args:
creates: "{{ cert_path }}"
- name: Restrict permissions of the private key
file: path={{ cert_key_path }} owner={{ cert_user | default(omit) }} group={{ cert_user | default(omit) }} mode=600
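Review bot: The private key is written by `openssl req -keyout` with whatever the process umask gives (typically 0644) and is only tightened by the last task, so between the two tasks — and permanently if the play aborts in between — the key can be world-readable in a directory that this hunk creates without any mode. Tighten the key directory itself, `file: path={{ cert_key_path | dirname }} state=directory owner={{ cert_user | default(omit) }} mode=0700`, or run the generation under `umask 077`; if `cert_path` and `cert_key_path` share a directory, keep the directory 0755 and use the umask approach so the certificate stays readable. A second, smaller point: `creates: "{{ cert_path }}"` skips regeneration when the key file is missing but the cert still exists, leaving a cert with no matching key; checking for the key instead (or both) avoids that. Style: prefer block YAML with `mode: "0600"` over the `mode=600` k=v string so the octal intent is explicit.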


@@ -0,0 +1,8 @@
---
- name: Create system user account
user:
name: "{{ user }}"
comment: "{{ comment | default(user) }}"
system: True
shell: "{{ shell | default('/sbin/nologin') }}"
home: "{{ home | default(omit) }}"
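Review bot: `system: True` in the `user:` task should be the canonical lowercase `system: true`; `True`/`False` are YAML 1.1 spellings that yamllint's truthy rule rejects and that read as Python rather than YAML. The rest of the task is a sensible service-account default — `/sbin/nologin` as the shell unless overridden, and `home` omitted unless the caller supplies one.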


@@ -0,0 +1,10 @@
---
- name: Disable SELinux
lineinfile: regexp='^SELINUX=.*' line='SELINUX=disabled' path=/etc/selinux/config
register: selinux_disabled
when: ansible_selinux.status == 'enabled' and ansible_selinux.mode != 'permissive'
- name: Set permissive mode
command: setenforce 0
when: ansible_selinux.status == 'enabled' and ansible_selinux.mode != 'permissive'
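Review bot: The on-disk config is set to `SELINUX=disabled` while the running system is only switched to permissive with `setenforce 0`, so until the next reboot the host is in a state neither task describes, and after the reboot SELinux is fully off — no AVC records in the audit log at all, and turning it back on later requires a full relabel. If permissive is what is wanted, write `line='SELINUX=permissive'` so config and runtime agree and the audit trail survives; the `selinux` module (`selinux: policy=targeted state=permissive`) does both steps in one idempotent task. The `register: selinux_disabled` result is not consumed in this file; if nothing outside uses it, it can go.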


@@ -0,0 +1,24 @@
---
# Check if a password has already been created
- name: Check if password exists
stat: path={{ pass_file }}
register: current_pass
# When no pass exist, create a new one
- name: Install pwgen
package: name=pwgen
- when: not current_pass.stat.exists
block:
- shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
register: rand_pass
# Now write this new pass
- copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
# When pass already exists, just read it
- name: Read the password
slurp: src={{ pass_file }}
register: rand_pass
- set_fact: rand_pass={{ rand_pass.content | b64decode | trim }}
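Review bot: The freshly generated secret is exposed in task output — `register: rand_pass` on the `pwgen` shell task prints the password in verbose runs and the `copy: content=...` task prints its rendered args on failure, and either can end up in callback-plugin storage or CI logs. Add `no_log: true` to the `shell`, `copy`, `slurp` and `set_fact` tasks that carry the value. The `copy: content={{ rand_pass.stdout | trim }} dest=... mode=600` k=v form is also fragile for an arbitrary string: `-r` excludes quotes and backslashes, but anything pwgen emits is still spliced into a shlex-parsed argument line, so block YAML (`content: "{{ rand_pass.stdout | trim }}"`, `mode: "0600"`) is the safer spelling. Minor: the `- when:` placed before `block:` reads unusually; conventional order is `block:` then `when:`.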


@@ -0,0 +1,5 @@
---
webapps_mysql_packages:
- python-mysqldb
- mariadb-client


@@ -0,0 +1,5 @@
---
webapps_mysql_packages:
- MySQL-python
- "{{ (mysql_engine is defined and mysql_engine == 'mysql') | ternary('mysql','mariadb') }}"


@@ -0,0 +1,6 @@
---
webapps_mysql_packages:
- python3-mysql
- "{{ (mysql_engine is defined and mysql_engine == 'mysql') | ternary('mysql','mariadb') }}"


@@ -0,0 +1,27 @@
---
- name: Create archive dir
file: path={{ root_dir }}/archives/{{ version }} state=directory mode=700
- name: Archive previous version
synchronize:
src: "{{ root_dir }}/web"
dest: "{{ root_dir }}/archives/{{ version }}/"
compress: False
delete: True
delegate_to: "{{ inventory_hostname }}"
- name: Dump the database
mysql_db:
state: dump
name: "{{ db_name }}"
target: "{{ root_dir }}/archives/{{ version }}/{{ db_name }}.sql.xz"
login_host: "{{ db_server | default(mysql_server) }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
quick: True
single_transaction: True
environment:
XZ_OPT: -T0
when: db_name is defined
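Review bot: The database dump and the rsync'd copy of the previous release are protected only by the `mode=700` on the per-version directory; `{{ root_dir }}/archives` itself is never given a mode here, so whether the dumps are reachable by the application user depends on what is done to `{{ root_dir }}` elsewhere — worth creating the archive root with `mode: "0700"` as well. Note also that `mysql_db` builds a mysqldump command line on the target; depending on the installed module version the admin password may be passed as `--password=` and be visible in the process list for the duration of the dump — if that matters, pass credentials via `config_file` pointing at a root-only `.my.cnf`. Style: `delete: True` should be `delete: true`, and the k=v `file:` line reads better in block YAML with `mode: "0700"`.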


@@ -0,0 +1,13 @@
---
- name: Compress previous version
command: tar cf {{ root_dir }}/archives/{{ version }}.tar.zst --use-compress-program=zstd ./
environment:
ZSTD_CLEVEL: 10
args:
chdir: "{{ root_dir }}/archives/{{ version }}"
warn: False
- name: Remove archive dir
file: path={{ root_dir }}/archives/{{ version }} state=absent
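Review bot: `tar cf` creates `{{ version }}.tar.zst` with the process umask (typically 0644), so the database dump that previously sat in a 0700 directory moves into a file that is readable by every local account, and the 0700 directory is then deleted. Either run the command under `umask 077` or follow it with `file: path={{ root_dir }}/archives/{{ version }}.tar.zst mode=0600` before the removal task. Two smaller points: the `warn: False` argument to `command` is deprecated and removed in recent ansible-core, so this task will eventually fail to parse, and there is no pruning — every version keeps a full dump forever, which is a data-retention concern as much as a disk one.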


@@ -0,0 +1,39 @@
---
- include_vars: "{{ item }}"
with_first_found:
- ../includes/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- ../includes/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
- ../includes/vars/{{ ansible_distribution }}.yml
- ../includes/vars/{{ ansible_os_family }}.yml
- ../includes/vars/defaults.yml
- name: Install MySQL tools
package: name={{ webapps_mysql_packages }}
- name: Create MySQL database
mysql_db:
name: "{{ db_name }}"
login_host: "{{ db_server | default(mysql_server) }}"
login_port: "{{ db_port | default(omit) }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
state: present
encoding: "{{ db_encoding | default('utf8mb4') }}"
collation: "{{ db_collation | default('utf8mb4_general_ci') }}"
register: db_created
- name: Create MySQL User
mysql_user:
name: "{{ db_user }}"
password: "{{ db_pass }}"
priv: "{{ db_name }}.*:ALL"
append_privs: "{{ append_privs | default(False) }}"
host: "{{ ( db_server == 'localhost' ) | ternary('localhost', item ) }}"
login_host: "{{ db_server }}"
login_port: "{{ db_port | default(omit) }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
state: present
with_items: "{{ ansible_all_ipv4_addresses }}"
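Review bot: The `mysql_user` task is inconsistent with the `mysql_db` task above it: the database is created against `db_server | default(mysql_server)` but the user is created against bare `db_server` in both `host:` and `login_host:`, so a play that only sets `mysql_server` fails here with an undefined-variable error after the database has already been created. Use the same expression in both places, `login_host: "{{ db_server | default(mysql_server) }}"` and `host: "{{ (db_server | default(mysql_server) == 'localhost') | ternary('localhost', item) }}"`. Also be aware that granting from every entry of `ansible_all_ipv4_addresses` includes any bridge, container or VPN address the host happens to have; if only one interface reaches the database, a dedicated variable listing the allowed source addresses keeps the grant set tighter.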


@@ -0,0 +1,18 @@
---
- name: Deploy permission script
template: src=perms.sh.j2 dest={{ root_dir }}/perms.sh mode=755
- name: Set correct SELinux context
sefcontext:
target: "{{ root_dir }}(/.*)?"
setype: httpd_sys_content_t
state: present
when: ansible_selinux.status == 'enabled'
- name: Set optimal permissions
command: "{{ root_dir }}/perms.sh"
changed_when: False
- name: Write version
copy: content={{ version }} dest={{ root_dir }}/meta/ansible_version
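Review bot: `sefcontext` only records the rule in the policy store; it does not relabel existing files, so after this task the tree under `{{ root_dir }}` still carries whatever label it had, and httpd may be denied until someone runs `restorecon -R {{ root_dir }}` — add that as a follow-up task (with the same `when`) unless `perms.sh` already does it, which cannot be seen from here. Separately, `perms.sh` is executed as root from a path inside the application directory; if any part of `{{ root_dir }}` is writable by the application user, a compromised web app that alters the script between the template and command tasks, or on a later run that skips the template, runs code as root — keeping the script under a root-only location outside the app tree removes that path. Style: `mode=755` is better written as `mode: "0755"` in block form.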


@@ -0,0 +1,27 @@
---
- set_fact: install_mode='none'
- set_fact: current_version=''
- name: Check if app is installed
stat: path={{ root_dir }}/meta/{{ version_file | default('ansible_version') }}
register: version_file_stat
- name: Check installed version
slurp: src={{ root_dir }}/meta/{{ version_file | default('ansible_version') }}
register: current_version
when: version_file_stat.stat.exists
- set_fact: current_version={{ current_version.content | b64decode | trim }}
when: version_file_stat.stat.exists
- name: Set install mode to install
set_fact: install_mode='install'
when: not version_file_stat.stat.exists
- name: Set install mode to upgrade
set_fact: install_mode='upgrade'
when:
- version_file_stat.stat.exists
- current_version | string != version | string
- manage_upgrade | default(True)
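Review bot: The `slurp` task registers into `current_version`, the same name the preceding `set_fact` initialised to `''`; when the task is skipped because the version file does not exist, `register` still stores the skip result, so `current_version` becomes a dict rather than the empty string and any consumer that expects a string sees `{'skipped': true, ...}`. Register under a distinct name and derive the fact from it: `register: version_file_content` on the slurp and `set_fact: current_version={{ version_file_content.content | b64decode | trim }}` on the following task. Style: `default(True)` should be `default(true)`, and the one-line `set_fact: x='...'` k=v form is clearer as block YAML.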


@@ -0,0 +1,21 @@
---
- name: Deploy httpd configuration
template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/10-{{ app_id }}.conf
notify: reload httpd
- name: Deploy PHP config
template: src=php.conf.j2 dest=/etc/opt/remi/php{{ php_version }}/php-fpm.d/{{ app_id }}.conf
when: php_fpm_pool is not defined or php_fpm_pool == ''
notify: restart php-fpm
- name: Remove PHP config from other versions
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions | difference([ php_version ]) }}"
notify: restart php-fpm
- name: Remove PHP config (using a custom pool)
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions }}"
when: php_fpm_pool != ''
notify: restart php-fpm
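Review bot: The last task's condition `when: php_fpm_pool != ''` raises an undefined-variable error whenever `php_fpm_pool` is not set, whereas the earlier task guards with `is not defined or ... == ''`; make both consistent with `when: php_fpm_pool | default('') != ''` and `when: php_fpm_pool | default('') == ''`. A second caveat on `httpd_php_versions | difference([ php_version ])`: if `php_version` and the list entries are not the same type (say `74` versus `'74'`), the active version is not excluded and the pool file just deployed is removed again by the next task, so it is worth casting both sides with `| string` or quoting the values consistently. The hunk header counts 21 lines but fewer are visible here, so the file may continue past what is shown.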