Update to 2021-12-01 19:13

roles/openproject/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+
+openproject_db_server: "{{ pg_server | default('localhost') }}"
+openproject_db_port: 5432
+openproject_db_name: openproject
+openproject_db_user: openproject
+# a random one will be created if not defined
+# openproject_db_pass: S3cret.
+
+# openproject_secret_key_base: <random string>
+# openproject_secret_token: <random_string>
+
+openproject_memcached_server: 127.0.0.1:11211
+openproject_admin_email: openproject@{{ ansible_domain }}
+
+openproject_data_dir: /var/db/openproject
+
+openproject_port: 6000
+openproject_src_ip: []
+
+# SSO integration.
+# Define an optional header where your revproxy / loadbalancer
+# set the loggedin username. Must be passed as $user:$secret
+# openproject_sso_header: Auth-User
+# openproject_sso_secret: 

roles/openproject/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: restart openproject
+  service: name={{ item }} state=restarted
+  loop:
+    - openproject
+    - openproject-worker

roles/openproject/meta/main.yml

@@ -0,0 +1,7 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_openproject
+  - role: memcached_server
+    when: openproject_memcached_server is search('^localhost') or openproject_memcached_server is search('127\.0\.0\.1')

roles/openproject/tasks/conf.yml

@@ -0,0 +1,22 @@
+---
+
+- name: List conf fragment
+  shell: find /etc/openproject/conf.d -maxdepth 1 -mindepth 1 -type f -exec basename "{}" \;
+  register: openproject_conf_fragments
+  changed_when: False
+  tags: openproject
+
+- name: Remove unmanaged conf fragments
+  file: path=/etc/openproject/conf.d/{{ item }} state=absent
+  loop: "{{ openproject_conf_fragments.stdout_lines }}"
+  when: item != 'ansible'
+  tags: openproject
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest=/etc/openproject/{{ item }} owner=openproject group=openproject mode=640
+  loop:
+    - installer.dat
+    - conf.d/ansible
+  notify:
+    - restart openproject
+  tags: openproject

roles/openproject/tasks/directories.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Create directories
+  file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - path: /opt/openproject/meta
+      mode: 700
+    - path: "{{ openproject_data_dir }}"
+      owner: openproject
+      group: openproject
+      mode: 700
+  tags: openproject

roles/openproject/tasks/facts.yml

@@ -0,0 +1,28 @@
+---
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: /opt/openproject/meta/ansible_dbpass
+  when: openproject_db_pass is not defined
+  tags: openproject
+- set_fact: openproject_db_pass={{ rand_pass }}
+  when: openproject_db_pass is not defined
+  tags: openproject
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: /opt/openproject/meta/ansible_secret_key_base
+  when: openproject_secret_key_base is not defined
+  tags: openproject
+- set_fact: openproject_secret_key_base={{ rand_pass }}
+  when: openproject_secret_key_base is not defined
+  tags: openproject
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: /opt/openproject/meta/ansible_secret_token
+  when: openproject_secret_token is not defined
+  tags: openproject
+- set_fact: openproject_secret_token={{ rand_pass }}
+  when: openproject_secret_token is not defined
+  tags: openproject

roles/openproject/tasks/install.yml

@@ -0,0 +1,48 @@
+---
+
+- name: Install openproject
+  yum:
+    name:
+      - openproject
+      - python-psycopg2
+      - pgloader-ccl
+      - postgresql11
+  tags: openproject
+
+- name: Create the PostgreSQL role
+  postgresql_user:
+    db: postgres
+    name: "{{ openproject_db_user }}"
+    password: "{{ openproject_db_pass }}"
+    login_host: "{{ openproject_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: openproject
+
+- name: Create the PostgreSQL database
+  postgresql_db:
+    name: "{{ openproject_db_name }}"
+    encoding: UTF-8
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ openproject_db_user }}"
+    login_host: "{{ openproject_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: openproject
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/openproject mode=755
+  loop:
+    - pre
+    - post
+  tags: openproject
+
+- name: Make openproject user a member of postdrop group
+  user:
+    name: openproject
+    groups: postdrop
+    append: True
+  notify: restart openproject
+  tags: openproject

roles/openproject/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle ports for openproject
+  iptables_raw:
+    name: openproject_ports
+    state: "{{ (openproject_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -p tcp --dport {{ openproject_port }} -s {{ openproject_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: firewall,openproject

roles/openproject/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml

roles/openproject/tasks/service.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Cleanup systemd units
+  file: path=/etc/systemd/system/{{ item }} state=absent
+  loop:
+    - openproject-worker-1.service
+    - openproject-web-1.service
+  register: openproject_rm_units
+  tags: openproject
+
+- name: Deploy clean systemd units
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  register: openproject_ansible_units
+  loop:
+    - openproject.service
+    - openproject-worker.service
+  tags: openproject
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: openproject_rm_units.results | selectattr('changed','equalto',True) | list | length > 0 or openproject_ansible_units.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: openproject
+
+- name: Start and enable the service
+  service: name=openproject state=started enabled=True
+  tags: openproject

roles/openproject/templates/conf.d/ansible.j2

@@ -0,0 +1,17 @@
+export DATABASE_URL='postgres://{{ openproject_db_user }}:{{ openproject_db_pass | urlencode | regex_replace('/','%2F') }}@{{ openproject_db_server }}:{{ openproject_db_port }}/{{ openproject_db_name }}'
+export EXECJS_RUNTIME='Node'
+export RAILS_CACHE_STORE='memcache'
+export OPENPROJECT_CACHE__MEMCACHE__SERVER='{{ openproject_memcached_server }}'
+export ATTACHMENTS_STORAGE_PATH='{{ openproject_data_dir }}'
+export HOST='0.0.0.0'
+export PORT='{{ openproject_port }}'
+export WEB_TIMEOUT='300'
+export SECRET_KEY_BASE='{{ openproject_secret_key_base }}'
+export SECRET_TOKEN='{{ openproject_secret_token }}'
+export OPENPROJECT_INSTALLATION__TYPE='packager'
+export EMAIL_DELIVERY_METHOD='sendmail'
+export ADMIN_EMAIL='{{ openproject_admin_email }}'
+{% if openproject_sso_header is defined and openproject_sso_secret is defined %}
+export OPENPROJECT_AUTH__SOURCE__SSO_HEADER='{{ openproject_sso_header }}'
+export OPENPROJECT_AUTH__SOURCE__SSO_SECRET='{{ openproject_sso_secret }}'
+{% endif %}

roles/openproject/templates/installer.dat.j2

@@ -0,0 +1,11 @@
+postgres/autoinstall reuse
+postgres/db_host {{ openproject_db_server }}
+postgres/db_port {{ openproject_db_port }}
+postgres/db_username {{ openproject_db_user }}
+postgres/db_password {{ openproject_db_pass }}
+postgres/db_name {{ openproject_db_name }}
+server/autoinstall skip
+smtp/autoinstall sendmail
+smtp/admin_email {{ openproject_admin_email }}
+memcached/autoinstall skip
+server/ssl no

roles/openproject/templates/openproject-worker.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=Openproject worker service
+After=memcached.service postgresql.service postgresql-11.service
+Wants=openproject-wroker.service
+
+[Service]
+User=openproject
+Group=openproject
+ExecStart=/usr/bin/openproject run worker
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=2048M
+SyslogIdentifier=openproject-worker
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/openproject/templates/openproject.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=Openproject web service
+After=memcached.service postgresql.service postgresql-11.service
+Wants=openproject-wroker.service
+
+[Service]
+User=openproject
+Group=openproject
+ExecStart=/usr/bin/openproject run web
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=2048M
+SyslogIdentifier=openproject-web
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/openproject/templates/post-backup.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+rm -f {{ openproject_data_dir }}/backup/*
+umount /home/lbkp/openproject

roles/openproject/templates/pre-backup.sh.j2

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p /home/lbkp/openproject
+mount -o bind,ro {{ openproject_data_dir }}/backup /home/lbkp/openproject
+openproject run backup