jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-27 08:15:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2021-12-01 19:13

Browse Source
This commit is contained in:
Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
roles/wapt_server/defaults/main.yml Normal file
View File

@@ -0,0 +1,13 @@
---
wapt_ports:
- 8080
- 80
wapt_src_ip: []
wapt_db_server: "{{ pg_server | default('localhost') }}"
wapt_db_name: wapt
wapt_db_user: wapt
# A random password is generated unless defined here
# wapt_db_pass: SeCret

13
roles/wapt_server/handlers/main.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: restart postgresql
service: name=postgresql-9.6 state=restarted
- name: restart nginx
service: name=nginx state=restarted
- name: restart wapt
service: name={{ item }} state=restarted
with_items:
- waptserver
#- wapttasks

5
roles/wapt_server/meta/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
dependencies:
- role: repo_wapt
- role: postgresql_server
when: wapt_db_server in ['localhost','127.0.0.1']

218
roles/wapt_server/tasks/main.yml Normal file
View File

@@ -0,0 +1,218 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: wapt
- name: Install packages
yum: name={{ wapt_packages }}
tags: wapt
- name: Create directories
file: path={{ item.path }} state=directory mode={{ item.mode | default(omit) }} owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }}
loop:
- path: /opt/wapt/meta
mode: 700
- path: /opt/wapt/backup
mode: 700
- path: /var/www/html/ssl
mode: 750
owner: wapt
group: nginx
tags: wapt
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "/opt/wapt/meta/ansible_dbpass"
when: wapt_db_pass is not defined
tags: wapt
- set_fact: wapt_db_pass={{ rand_pass }}
when: wapt_db_pass is not defined
tags: wapt
- name: Create wapt DB user
postgresql_user:
db: postgres
name: "{{ wapt_db_user }}"
password: "{{ wapt_db_pass }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
tags: wapt
- name: Create the PostgreSQL database
postgresql_db:
name: wapt
encoding: UTF-8
template: template0
owner: "{{ wapt_db_user }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
tags: wapt
- name: Enable the hstore extension
postgresql_ext:
db: "{{ wapt_db_name }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
name: hstore
tags: wapt
- name: Configure SELinux
seboolean: name={{ item }} state=True persistent=True
with_items:
- httpd_can_network_connect
- httpd_setrlimit
when: ansible_selinux.status == 'enabled'
tags: wapt
- name: Set SELinux context on repo dir
sefcontext:
target: '/var/www/html/wapt(\-host)?(/.*)?'
setype: httpd_sys_content_t
when: ansible_selinux.status == 'enabled'
tags: wapt
- name: Reset SELinux contexts
command: restorecon -Rv /var/www/html
changed_when: False
tags: wapt
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "/opt/wapt/meta/ansible_secret_key"
tags: wapt
- set_fact: wapt_secret_key={{ rand_pass }}
tags: wapt
- name: Configure WAPT server
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option={{ item.option }} value={{ item.value }}
with_items:
- option: db_name
value: "{{ wapt_db_name }}"
- option: db_host
value: "{{ wapt_db_server }}"
- option: db_user
value: "{{ wapt_db_user }}"
- option: db_password
value: "{{ wapt_db_pass }}"
- option: waptwua_folder
value: /var/www/html/waptwua
- option: server_uuid
value: "{{ inventory_hostname | to_uuid }}"
- option: allow_unauthenticated_connect
value: 'False'
- option: allow_unauthenticated_registration
value: 'False'
- option: secret_key
value: "{{ wapt_secret_key }}"
- option: use_kerberos
value: 'False'
notify: restart wapt
tags: wapt
- name: Create unit snippet dir
file: path=/etc/systemd/system/waptserver.service.d state=directory
tags: wapt
- name: Tune wapt to restart indefinitely
copy:
content: |
[Service]
Restart=on-failure
StartLimitInterval=0
RestartSec=20
dest: /etc/systemd/system/waptserver.service.d/restart.conf
register: wapt_unit
tags: wapt
- name: Reload systemd
systemd: daemon_reload=True
when: wapt_unit.changed
tags: wapt
- name: Configure system proxy
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option=http_proxy value={{ system_proxy }}
when: system_proxy is defined and system_proxy != ''
notify: restart wapt
tags: wapt
- name: Check if admin password is set
command: grep -qP '^wapt_password' /opt/wapt/conf/waptserver.ini
ignore_errors: True
register: wapt_admin_pass_set
changed_when: False
tags: wapt
- name: Hash the WAPT admin password
command: python -c 'from passlib.hash import pbkdf2_sha256; print pbkdf2_sha256.hash("admin".encode("utf8"))'
register: wapt_admin_pass_hash
environment:
- PYTHONPATH: /opt/wapt/lib/python2.7/site-packages/
when: wapt_admin_pass_set.rc != 0
changed_when: False
tags: wapt
- set_fact: wapt_admin_pass_hash={{ wapt_admin_pass_hash.stdout }}
when: wapt_admin_pass_set.rc != 0
tags: wapt
- name: Set default admin password
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option=wapt_password value={{ wapt_admin_pass_hash }}
when: wapt_admin_pass_set.rc != 0
notify: restart wapt
tags: wapt
- name: Set correct ownership for wapt configuration
file: path=/opt/wapt/conf/waptserver.ini owner=wapt mode=0600
tags: wapt
- name: Deploy nginx config
template: src={{ item.src }}.j2 dest={{ item.dest }}
with_items:
- src: nginx.conf
dest: /etc/nginx/nginx.conf
- src: wapt.conf
dest: /etc/nginx/conf.d/wapt.conf
notify: restart nginx
tags: wapt
- name: Start and enable nginx
service: name=nginx state=started enabled=True
tags: wapt
- name: Start and enable WAPT services
service: name={{ item }} state=started enabled=True
with_items:
- waptserver
#- wapttasks
tags: wapt
- name: Handle ports
iptables_raw:
name: wapt_ports
state: "{{ (wapt_src_ip is defined and wapt_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ wapt_ports | join(',') }} -s {{ wapt_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
tags: wapt
- name: Create DB dump directory
file: path=/opt/wapt/backup state=directory mode=0700
tags: wapt
- name: Deploy pre and post backup scripts
template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/wapt.sh mode=0755
with_items:
- pre
- post
tags: wapt
- name: Remove tmp and obsolete files
file: path={{ item }} state=absent
loop:
- /opt/wapt/db_dumps
tags: wapt

23
roles/wapt_server/templates/nginx.conf.j2 Normal file
View File

@@ -0,0 +1,23 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
worker_rlimit_nofile 32768;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}

3
roles/wapt_server/templates/post-backup.sh.j2 Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
rm -f /opt/wapt/backup/*

10
roles/wapt_server/templates/pre-backup.sh.j2 Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
set -eo pipefail
PGPASSWORD={{ wapt_db_pass | quote }} /usr/pgsql-14/bin/pg_dump \
--clean \
--create \
--username={{ wapt_db_user | quote }} \
--host={{ wapt_db_server | quote }} \
{{ wapt_db_name | quote }} | zstd -c > /opt/wapt/backup/{{ wapt_db_name }}.sql.zst

56
roles/wapt_server/templates/wapt.conf.j2 Normal file
View File

@@ -0,0 +1,56 @@
server {
listen 80;
server_name _;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_http_version 1.0;
gzip_disable "msie6";
gzip_types text/plain text/css application/json;
gzip_vary on;
index index.html;
location ~ ^/wapt.* {
proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
proxy_set_header Pragma "no-cache";
proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
root "/var/www/html";
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 4096m;
client_body_timeout 1800;
location /add_host_kerberos {
return 403;
}
location ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup) {
proxy_pass http://127.0.0.1:8080;
client_max_body_size 4096m;
client_body_timeout 1800;
}
location /wapt-host/Packages {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8080;
}
location /socket.io {
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://127.0.0.1:8080/socket.io;
}
}
}

7
roles/wapt_server/vars/RedHat-7.yml Normal file
View File

@@ -0,0 +1,7 @@
---
wapt_packages:
- tis-waptserver
- tis-waptsetup
- postgresql14
- python-psycopg2 # Needed to manage PG with ansible

7
roles/wapt_server/vars/RedHat-8.yml Normal file
View File

@@ -0,0 +1,7 @@
---
wapt_packages:
- tis-waptserver
# - tis-waptsetup
- postgresql14
- python3-psycopg2 # Needed to manage PG with ansible