Update to 2021-12-01 19:13

2025-09-13 19:14:49 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/seafile/tasks/archive_post.yml
+++ b/roles/seafile/tasks/archive_post.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Compress previous version
+  command: tar cJf {{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }}.txz ./
+  environment:
+    XZ_OPT: -T0
+  args:
+    chdir: "{{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }}"
+    warn: False
+  tags: seafile
+
+- name: Remove archive directory
+  file: path={{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }} state=absent
+  tags: seafile
+
--- a/roles/seafile/tasks/archive_pre.yml
+++ b/roles/seafile/tasks/archive_pre.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Create archive directory
+  file: path={{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }} state=directory
+  tags: seafile
+
+- name: Stop services during upgrade
+  systemd: name={{ item }} state=stopped
+  loop:
+    - seafile.service
+    - seahub.service
+    - seafile-clean-db.timer
+    - seafile-gc.timer
+  tags: seafile
+
+- name: Backup the databases
+  mysql_db:
+    state: dump
+    name: "{{ item }}"
+    target: "{{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }}/{{ item }}.sql"
+    login_host: "{{ seafile_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  with_items:
+    - "{{ seafile_db_seafile }}"
+    - "{{ seafile_db_ccnet }}"
+    - "{{ seafile_db_seahub }}"
+  tags: seafile
+
+- name: Archive seafile server
+  synchronize:
+    src: "{{ seafile_root_dir }}/seafile-server"
+    dest: "{{ seafile_root_dir }}/archives/{{ seafile_current_version.stdout }}/"
+    recursive: True
+    delete: True
+    compress: False
+  delegate_to: "{{ inventory_hostname }}"
+  tags: seafile
+
--- a/roles/seafile/tasks/cleanup.yml
+++ b/roles/seafile/tasks/cleanup.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ seafile_root_dir }}/tmp/seafile-server_{{ seafile_version }}_x86-64.tar.gz"
+    - "{{ seafile_root_dir }}/tmp/seafile-server-{{ seafile_version }}"
+    - "{{ seafile_root_dir }}/tmp/seafile-pro-server_{{ seafile_version }}_x86-64_CentOS.tar.gz"
+    - "{{ seafile_root_dir }}/tmp/seafile-pro-server-{{ seafile_version }}"
+    - "{{ seafile_data_dir }}/db_dumps"
+    - "{{ seafile_data_dir }}/backup"
+    # All these are obsoletes backup hooks
+    - /etc/backup/pre.d/seafile_dump_db.sh
+    - /etc/backup/pre.d/seafile_mount_fuse.sh
+    - /etc/backup/post.d/seafile_rm_dumps.sh
+    - /etc/backup/post.d/seafile_umount_fuse.sh
+    # Old cron job, replaced with systemd timers
+    - /etc/cron.d/seafile_gc
+    # This one has a typo in even older versions of the role
+    - /etc/cron.d/seafil_gc
+  tags: seafile
--- a/roles/seafile/tasks/conf.yml
+++ b/roles/seafile/tasks/conf.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Generate an RSA private key
+  command: openssl genrsa -out {{ seafile_root_dir }}/ccnet/mykey.peer 2048
+  args:
+    creates: "{{ seafile_root_dir }}/ccnet/mykey.peer"
+  tags: seafile
+
+- name: Deploy seafile configuration
+  template: src={{ item }}.j2 dest={{ seafile_root_dir }}/conf/{{ item }} group={{ seafile_group }} mode=640
+  with_items:
+    - ccnet.conf
+    - seafdav.conf
+    - seafile.conf
+    - seahub_settings.py
+    - gunicorn.conf.py
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
+- name: Deploy seafile pro configuration
+  template: src={{ item }}.j2 dest={{ seafile_root_dir }}/conf/{{ item }} group={{ seafile_group }} mode=640
+  with_items:
+    - seafevents.conf
+  when: seafile_license is defined
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
+- name: Deploy ccnet ini file
+  copy:
+    content: |
+      {{ seafile_data_dir }}
+    dest: "{{ seafile_root_dir }}/ccnet/seafile.ini"
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
+- name: Deploy initial admin info
+  template: src=admin.txt.j2 dest={{ seafile_root_dir }}/conf/admin.txt group={{ seafile_group }} mode=640
+  when: seafile_install_mode == 'install'
+  tags: seafile
+
+- name: Deploy logrotate configuration
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/seafile
+  tags: seafile
--- a/roles/seafile/tasks/directories.yml
+++ b/roles/seafile/tasks/directories.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(seafile_user) }} group={{ item.group | default(seafile_user) }} mode={{ item.mode | default(omit) }}
+  with_items:
+    - dir: "{{ seafile_root_dir }}/tmp"
+      mode: 700
+      owner: root
+      group: root
+    - dir: "{{ seafile_root_dir }}/meta"
+      mode: 700
+      owner: root
+      group: root
+    - dir: "{{ seafile_root_dir }}/archives"
+      mode: 700
+      owner: root
+      group: root
+    - dir: "{{ seafile_root_dir }}"
+    - dir: "{{ seafile_root_dir }}/fuse"
+    - dir: "{{ seafile_root_dir }}/seafile-server"
+    - dir: "{{ seafile_root_dir }}/conf"
+    - dir: "{{ seafile_root_dir }}/ccnet"
+      mode: 770
+    - dir: "{{ seafile_root_dir }}/logs"
+    - dir: "{{ seafile_root_dir }}/pids"
+    - dir: "{{ seafile_data_dir }}"
+      mode: 770
+    - dir: "{{ seafile_data_dir }}/thumbnails"
+    - dir: "{{ seafile_data_dir }}/seahub"
+    - dir: "{{ seafile_data_dir }}/seahub/custom"
+    - dir: "{{ seafile_data_dir }}/seahub/cache"
+    - dir: "{{ seafile_data_dir }}/seahub/avatars"
+    - dir: "{{ seafile_data_dir }}/pro"
+    - dir: "{{ seafile_root_dir }}/backup"
+      mode: 700
+      owner: root
+      group: root
+  ignore_errors: True # So we can run when the fuse mount point is active
+  tags: seafile
--- a/roles/seafile/tasks/facts.yml
+++ b/roles/seafile/tasks/facts.yml
@@ -0,0 +1,90 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: seafile
+
+- name: Set default install mode
+  set_fact: seafile_install_mode='none'
+  tags: seafile
+
+# Makes sur we do not have a trailing / on the public url
+- set_fact: seafile_public_url={{ seafile_public_url | regex_replace('/$','') }}
+  tags: seafile
+
+- name: Check if seafile is installed
+  stat: path={{ seafile_root_dir }}/meta/ansible_version
+  register: seafile_version_file
+  tags: seafile
+
+- name: Check installed version
+  command: cat {{ seafile_root_dir }}/meta/ansible_version
+  register: seafile_current_version
+  when: seafile_version_file.stat.exists
+  changed_when: False
+  tags: seafile
+
+- name: Set install mode to install
+  set_fact: seafile_install_mode='install'
+  when: not seafile_version_file.stat.exists
+  tags: seafile
+
+- name: Set install mode to upgrade
+  set_fact: seafile_install_mode='upgrade'
+  when:
+    - seafile_version_file.stat.exists
+    - seafile_current_version is defined
+    - seafile_current_version.stdout != seafile_version
+  tags: seafile
+
+# Needed to have consistent behaviour with the various components
+# which do not all support unix socket
+- name: Set DB server to 127.0.0.1
+  set_fact: seafile_db_server="127.0.0.1"
+  when: seafile_db_server == 'localhost'
+  tags: seafile
+
+- name: Generate an ID for seahub
+  shell: date | sha1sum | awk '{ print $1 }' > {{ seafile_root_dir }}/meta/ansible_ccnet_id
+  args:
+    creates: "{{ seafile_root_dir }}/meta/ansible_ccnet_id"
+  when: seafile_ccnet_id is not defined
+  tags: seafile
+
+- name: Read seahub ID
+  command: cat {{ seafile_root_dir }}/meta/ansible_ccnet_id
+  register: seafile_seahub_rand_id
+  when: seafile_ccnet_id is not defined
+  changed_when: False
+  tags: seafile
+
+- name: Set seahub ID
+  set_fact: seafile_ccnet_id={{ seafile_seahub_rand_id.stdout }}
+  when: seafile_ccnet_id is not defined
+  tags: seafile
+
+- name: Generate a password for the database
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ seafile_root_dir }}/meta/ansible_dbpass"
+        - complex: False
+    - set_fact: seafile_db_pass={{ rand_pass }}
+  when: seafile_db_pass is not defined
+  tags: seafile
+
+- name: Set seafile ports
+  set_fact:
+    seafile_ports: "[ {{ seafile_seafile_port }}, {{ seafile_seahub_port }} ]"
+  tags: seafile
+
+- name: Add webdav port
+  set_fact:
+    seafile_ports: "{{ seafile_ports }} + [ {{ seafile_webdav_port }} ]"
+  when: seafile_webdav == True
+  tags: seafile
+
--- a/roles/seafile/tasks/filebeat.yml
+++ b/roles/seafile/tasks/filebeat.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/seafile.yml
+  tags: seafile,log
--- a/roles/seafile/tasks/install.yml
+++ b/roles/seafile/tasks/install.yml
@@ -0,0 +1,286 @@
+---
+
+- name: Install RPM dependencies
+  yum: name={{ seafile_packages }}
+  tags: seafile
+
+- name: Install MariaDB libs
+  yum:
+    name:
+      - MariaDB-shared
+  when:
+    - mysql_mariadb_version is defined
+    - mysql_mariadb_version != 'default'
+  tags: seafile
+
+- name: Check if py2 venv is setup
+  stat: path={{ seafile_root_dir }}/bin/python2
+  register: seafile_py2
+  tags: seafile
+
+- name: Clear the venv as we migrate to py3
+  file: path={{ seafile_root_dir }}/{{ item }} state=absent
+  loop:
+    - lib
+    - lib64
+    - bin
+    - include
+  when: seafile_py2.stat.exists
+  tags: seafile
+
+- name: Install or update python modules in the virtualenv
+  pip:
+    state: "{{ (seafile_install_mode == 'upgrade') | ternary('latest', 'present') }}"
+    virtualenv: "{{ seafile_root_dir }}"
+    virtualenv_command: /usr/bin/virtualenv-3
+    virtualenv_python: /usr/bin/python3
+    name: "{{ seafile_python_libs }}"
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
+- name: Install Seafile pro license
+  copy: content={{ seafile_license }} dest={{ seafile_root_dir }}/seafile-license.txt
+  when:
+    - seafile_license is defined
+    - seafile_license != '' # defining an empty license means using the Free for 3 user offer
+  notify:
+    - restart seafile
+    - restart seahub
+  tags: seafile
+
+- name: Download seafile archive
+  get_url:
+    url: "{{ seafile_archive_url }}"
+    dest: "{{ seafile_root_dir }}/tmp/seafile-server_{{ seafile_version }}_x86-64.tar.gz"
+    checksum: "sha1:{{ seafile_archive_sha1 }}"
+  when:
+    - seafile_install_mode != 'none'
+    - seafile_license is not defined
+  tags: seafile
+
+- name: Copy Seafile pro archive
+  copy: src=seafile-pro-server_{{ seafile_version }}_x86-64_CentOS.tar.gz dest={{ seafile_root_dir }}/tmp/
+  when:
+    - seafile_install_mode != 'none'
+    - seafile_license is defined
+  tags: seafile
+
+- name: Extract seafile archive
+  unarchive:
+    src: "{{ seafile_root_dir }}/tmp/{{ seafile_license is defined | ternary('seafile-pro-server_' ~ seafile_version ~ '_x86-64_CentOS.tar.gz','seafile-server_' ~ seafile_version ~ '_x86-64.tar.gz') }}"
+    dest: "{{ seafile_root_dir }}/tmp"
+    remote_src: yes
+  when: seafile_install_mode != 'none'
+  tags: seafile
+
+- name: Move seafile to the correct location
+  synchronize:
+    src: "{{ seafile_root_dir }}/tmp/seafile-{{ seafile_license is defined | ternary('pro-','') }}server-{{ seafile_version }}/"
+    dest: "{{ seafile_root_dir }}/seafile-server/"
+    recursive: True
+    delete: True
+    compress: False
+  delegate_to: "{{ inventory_hostname }}"
+  when: seafile_install_mode != 'none'
+  tags: seafile
+
+- name: Chown seafile install dir
+  shell: chown -R {{ seafile_user }}:{{ seafile_group }} {{ seafile_root_dir }}/seafile-server/*
+  args:
+    warn: False
+  when: seafile_install_mode != 'none'
+  tags: seafile
+
+- name: Check if avatar is a dir or a link
+  stat: path={{ seafile_root_dir }}/seafile-server/seahub/media/avatars
+  register: seafile_avatar
+  tags: seafile
+
+- name: Remove default avatar directory
+  file: path={{ seafile_root_dir }}/seafile-server/seahub/media/avatars state=absent
+  when: seafile_avatar.stat.isdir is defined and seafile_avatar.stat.isdir
+  tags: seafile
+
+- name: Create seahub symlinks
+  file: src={{ seafile_data_dir }}/seahub/{{ item.src }} dest={{ seafile_root_dir }}/seafile-server/seahub/media/{{ item.dest }} state=link force=True
+  with_items:
+    - src: custom
+      dest: custom
+    - src: cache
+      dest: CACHE
+    - src: avatars
+      dest: avatars
+  tags: seafile
+
+- name: Create data dir link
+  file: src={{ seafile_data_dir }} dest={{ seafile_root_dir }}/seafile-data state=link
+  tags: seafile
+
+- name: Create pro-data link
+  file: src={{ seafile_data_dir }}/pro dest={{ seafile_root_dir }}/pro-data state=link force=True
+  when: seafile_license is defined
+  tags: seafile
+
+- name: Set permissions on seahub runtime directory
+  file: path={{ seafile_root_dir }}/seafile-server/runtime state=directory owner={{ seafile_user }} mode=700
+  tags: seafile
+
+- name: Create library-template
+  file: path={{ seafile_data_dir }}/library-template state=directory
+  when: seafile_install_mode == 'install'
+  tags: seafile
+
+- name: Copy default avatars
+  copy: src=avatars/ dest={{ seafile_data_dir }}/seahub/avatars/
+  tags: seafile
+
+  # Needed since CentOS 7.5 so ldaps can be used
+- name: Remove bundled libs
+  file: path={{ seafile_root_dir }}/seafile-server/seafile/lib/{{ item }} state=absent
+  loop: "{{ seafile_rm_libs }}"
+  notify: restart seafile
+  tags: seafile
+
+- name: Copy documentation
+  copy: src={{ seafile_root_dir }}/tmp/seafile-{{ (seafile_license is defined) | ternary('pro-','') }}server-{{ seafile_version }}/seafile/docs/seafile-tutorial.doc dest={{ seafile_data_dir }}/library-template remote_src=True
+  when: seafile_install_mode == 'install'
+  tags: seafile
+
+- name: Generate a secret for seahub
+  shell: "{{ seafile_root_dir }}/bin/python {{ seafile_root_dir }}/seafile-server/seahub/tools/secret_key_generator.py > {{ seafile_root_dir }}/meta/ansible_hub_secret"
+  args:
+    creates: "{{ seafile_root_dir }}/meta/ansible_hub_secret"
+  when: seafile_seahub_secret is not defined
+  tags: seafile
+
+- name: Read seahub secret
+  command: cat {{ seafile_root_dir }}/meta/ansible_hub_secret
+  register: seafile_seahub_rand_secret
+  when: seafile_seahub_secret is not defined
+  changed_when: False
+  tags: seafile
+
+- name: Set seahub secret key
+  set_fact: seafile_seahub_secret={{ seafile_seahub_rand_secret.stdout }}
+  when: seafile_seahub_secret is not defined
+  tags: seafile
+
+- name: Create the databases
+  mysql_db:
+    name: "{{ item }}"
+    login_host: "{{ seafile_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    encoding: utf8
+    collation: utf8_general_ci
+    state: present
+  with_items:
+    - "{{ seafile_db_seafile }}"
+    - "{{ seafile_db_ccnet }}"
+    - "{{ seafile_db_seahub }}"
+  tags: seafile
+
+- name: Create database user
+  mysql_user:
+    name: "{{ seafile_db_user }}"
+    password: "{{ seafile_db_pass }}"
+    priv: "{{ seafile_db_seafile }}.*:ALL/{{ seafile_db_ccnet }}.*:ALL/{{ seafile_db_seahub }}.*:ALL"
+    host: "{{ item }}"
+    login_host: "{{ seafile_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  with_items: "{{ (seafile_db_server == '127.0.0.1') | ternary(['127.0.0.1','localhost'],ansible_all_ipv4_addresses) }}"
+  tags: seafile
+
+- name: Load database schema schema
+  mysql_db:
+    state: import
+    target: "{{ item.file }}"
+    name: "{{ item.db }}"
+    login_host: "{{ seafile_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  loop:
+    - db: "{{ seafile_db_seahub }}"
+      file: "{{ seafile_root_dir }}/seafile-server/seahub/sql/mysql.sql"
+    - db: "{{ seafile_db_seafile }}"
+      file: "{{ seafile_root_dir }}/seafile-server/sql/mysql/seafile.sql"
+    - db: "{{ seafile_db_ccnet }}"
+      file: "{{ seafile_root_dir }}/seafile-server/sql/mysql/ccnet.sql"
+  when: seafile_install_mode == 'install'
+  tags: seafile
+
+- name: Deploy systemd services
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  with_items:
+    - seafile.service
+    - seahub.service
+    - seafile-clean-db.service
+    - seafile-clean-db.timer
+    - seafile-gc.service
+    - seafile-gc.timer
+  notify:
+    - restart seafile
+    - restart seahub
+  register: seafile_systemd_unit
+  tags: seafile
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: seafile_systemd_unit.changed
+  tags: seafile
+
+- name: Deploy pre and post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/seafile.sh mode=700
+  loop:
+    - pre
+    - post
+  tags: seafile
+
+- name: Check if there are custom office templates
+  local_action: stat path=config/{{ inventory_hostname }}/seafile/office-template/empty.{{ item }}
+  register: seafile_custom_office_template
+  vars:
+    ansible_become: False
+  loop:
+    - docx
+    - pptx
+    - xlsx
+  tags: seafile
+
+- name: Override office templates
+  copy:
+    src: "{{ item.stat.exists | ternary('config/' + inventory_hostname + '/seafile/office-template/empty.','office-template/empty.' ) }}{{ item.item }}"
+    dest: "{{ seafile_root_dir }}/seafile-server/seahub/media/office-template/"
+  loop: "{{ seafile_custom_office_template.results }}"
+  tags: seafile
+
+- name: Deploy a clamdscan wrapper script
+  copy:
+    content: |
+      #!/bin/bash -e
+      /bin/clamdscan -c /etc/clamd.conf $@
+    dest: "{{ seafile_root_dir }}/seafile-server/clamdscan.sh"
+    mode: 0755
+  tags: seafile
+
+- name: Deploy a python wrapper for Seafile
+  copy:
+    content: |
+      #!/bin/bash -e
+      export PYTHONPATH={{ seafile_root_dir }}/lib/python3.6/site-packages/
+      {{ seafile_root_dir }}/bin/python3 $@
+    dest: /usr/local/bin/seafpy
+    mode: 0755
+  tags: seafile
+
+- name: Deploy maintenance scripts
+  template: src={{ item }}.sh.j2 dest={{ seafile_root_dir }}/bin/{{ item }}.sh mode=0700
+  loop:
+    - gc
+    - clean_db
+  tags: seafile
+
--- a/roles/seafile/tasks/iptables.yml
+++ b/roles/seafile/tasks/iptables.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Handle seafile ports
+  iptables_raw:
+    name: seafile_ports
+    state: "{{ (seafile_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ seafile_ports | join(',') }} -s {{ seafile_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: seafile
+
--- a/roles/seafile/tasks/main.yml
+++ b/roles/seafile/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: seafile_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: services.yml
+- include: archive_post.yml
+  when: seafile_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml
+- include: filebeat.yml
--- a/roles/seafile/tasks/services.yml
+++ b/roles/seafile/tasks/services.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Start and enable services
+  service: name={{ item }} state=started enabled=True
+  loop:
+    - seafile
+    - seahub
+  when: seafile_install_mode != 'upgrade' # We need to run upgrade script manually
+  tags: seafile
+
+- name: Start and enable timers
+  systemd: name={{ item }}.timer state=started enabled=True
+  loop:
+    - seafile-clean-db
+    - seafile-gc
+  tags: seafile
+
--- a/roles/seafile/tasks/user.yml
+++ b/roles/seafile/tasks/user.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Create user account
+  user: name={{ seafile_user }} comment="Seafile user account" system=True shell=/sbin/nologin
+  tags: seafile
+
--- a/roles/seafile/tasks/write_version.yml
+++ b/roles/seafile/tasks/write_version.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Write version
+  copy: content={{ seafile_version }} dest={{ seafile_root_dir }}/meta/ansible_version
+  when: seafile_install_mode != 'none'
+  tags: seafile