From 767adc1e83ec69131da06d04698fbb1b4ef849ea Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 18 Feb 2022 16:00:06 +0100
Subject: [PATCH] Update to 2022-02-18 16:00
---
 roles/pgweb/defaults/main.yml | 37 ++++++++++++++++++++++++
 roles/pgweb/handlers/main.yml | 4 +++
 roles/pgweb/tasks/archive_post.yml | 10 +++++++
 roles/pgweb/tasks/archive_pre.yml | 10 +++++++
 roles/pgweb/tasks/cleanup.yml | 13 +++++++++
 roles/pgweb/tasks/conf.yml | 20 +++++++++++++
 roles/pgweb/tasks/directories.yml | 25 ++++++++++++++++
 roles/pgweb/tasks/facts.yml | 20 +++++++++++++
 roles/pgweb/tasks/install.yml | 40 ++++++++++++++++++++++++++
 roles/pgweb/tasks/iptables.yml | 8 ++++++
 roles/pgweb/tasks/main.yml | 17 +++++++++++
 roles/pgweb/tasks/services.yml | 5 ++++
 roles/pgweb/tasks/user.yml | 9 ++++++
 roles/pgweb/tasks/write_version.yml | 5 ++++
 roles/pgweb/templates/bookmark.toml.j2 | 18 ++++++++++++
 roles/pgweb/templates/pgweb.service.j2 | 34 ++++++++++++++++++++++
 roles/pgweb/vars/RedHat-8.yml | 5 ++++
 roles/postfix/templates/main.cf.j2 | 2 +-
 roles/postfix/templates/relay_auth.j2 | 2 +-
 19 files changed, 282 insertions(+), 2 deletions(-)
 create mode 100644 roles/pgweb/defaults/main.yml
 create mode 100644 roles/pgweb/handlers/main.yml
 create mode 100644 roles/pgweb/tasks/archive_post.yml
 create mode 100644 roles/pgweb/tasks/archive_pre.yml
 create mode 100644 roles/pgweb/tasks/cleanup.yml
 create mode 100644 roles/pgweb/tasks/conf.yml
 create mode 100644 roles/pgweb/tasks/directories.yml
 create mode 100644 roles/pgweb/tasks/facts.yml
 create mode 100644 roles/pgweb/tasks/install.yml
 create mode 100644 roles/pgweb/tasks/iptables.yml
 create mode 100644 roles/pgweb/tasks/main.yml
 create mode 100644 roles/pgweb/tasks/services.yml
 create mode 100644 roles/pgweb/tasks/user.yml
 create mode 100644 roles/pgweb/tasks/write_version.yml
 create mode 100644 roles/pgweb/templates/bookmark.toml.j2
 create mode 100644 roles/pgweb/templates/pgweb.service.j2
 create mode 100644 roles/pgweb/vars/RedHat-8.yml
diff --git a/roles/pgweb/defaults/main.yml b/roles/pgweb/defaults/main.yml
new file mode 100644
index 0000000..e2cf034
--- /dev/null
+++ b/roles/pgweb/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+
+# Version of pgweb to install
+pgweb_version: 0.11.10
+# URL of the archive
+pgweb_archive_url: https://github.com/sosedoff/pgweb/releases/download/v{{ pgweb_version }}/pgweb_linux_amd64.zip
+# Expected sha256 of the archive
+pgweb_archive_sha256: 9aa0ae44a2512fc8960fccb96003bec169abce5dc92aaf285bf73b48e3022558
+# Where will pgweb be installed
+pgweb_root_dir: /opt/pgweb
+# SHould ansible handle upgrades or just initial install
+pgweb_manage_upgrade: True
+
+# User under which pgweb will run (will be created)
+pgweb_user: pgweb
+
+# Port on which pgweb will listen
+pgweb_port: 8086
+# List of IP adddresses/CIDR for which the port will be opened (if iptables_manage == True)
+pgweb_src_ip: []
+
+# pgweb_bookmarks:
+# - name: my_db
+# url: postgres://user:url_encoded_pass@server.example.org:5432/db_name?sslmode=disabled
+# - name: other_db
+# host: postgres.example.org # mandatory (if url isn't given)
+# database: db_name # mandatory (if url isn't given)
+# port: 5433
+# user: sqladmin
+# pass: S3cr3t.
+pgweb_bookmarks: []
+# Set it to another location if you want to manage bookmarks independently
+pg_web_bookmark_dir: "{{ pgweb_root_dir }}/bookmarks"
+
+# If connections with SSH tunnels is allowed
+pgweb_ssh_tunnels: False
+
diff --git a/roles/pgweb/handlers/main.yml b/roles/pgweb/handlers/main.yml
new file mode 100644
index 0000000..c69fa45
--- /dev/null
+++ b/roles/pgweb/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart pgweb
+ service: name=pgweb state=restarted
diff --git a/roles/pgweb/tasks/archive_post.yml b/roles/pgweb/tasks/archive_post.yml
new file mode 100644
index 0000000..9ee932e
--- /dev/null
+++ b/roles/pgweb/tasks/archive_post.yml
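Review bot: `pg_web_bookmark_dir` in defaults/main.yml is never read: pgweb.service.j2 passes `--bookmarks-dir={{ pgweb_bookmarks_dir }}`, a name defined nowhere in this patch, so rendering the unit fails on an undefined variable unless it is set outside the role, and conf.yml lists, removes and writes bookmarks under the hard-coded `{{ pgweb_root_dir }}/bookmarks/` regardless of the variable. Rename the default to `pgweb_bookmarks_dir: "{{ pgweb_root_dir }}/bookmarks"` and use it in the service template and in the three conf.yml paths, so the "manage bookmarks independently" option the comment promises actually works. The `pgweb_bookmarks` example should also say that `url` and `pass` are database credentials that end up in cleartext in the generated TOML file and are expected to come from vault-encrypted vars. Style only: `True`/`False` for `pgweb_manage_upgrade` and `pgweb_ssh_tunnels` would be `true`/`false` under yamllint's truthy rule.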
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ pgweb_root_dir }}/archives/{{ pgweb_current_version }}.tar.zst --use-compress-program=zstd ./
+ args:
+ chdir: "{{ pgweb_root_dir }}/archives/{{ pgweb_current_version }}"
+ warn: False
+ environment:
+ ZSTD_CLEVEL: 10
+ tags: pgweb
diff --git a/roles/pgweb/tasks/archive_pre.yml b/roles/pgweb/tasks/archive_pre.yml
new file mode 100644
index 0000000..92a131b
--- /dev/null
+++ b/roles/pgweb/tasks/archive_pre.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Create archive directory
+ file: path={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} state=directory mode=700
+ tags: pgweb,pg
+
+- name: Archive previous version
+ copy: src={{ pgweb_root_dir }}/bin/pgweb dest={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} remote_src=True
+ tags: pgweb,pg
+
diff --git a/roles/pgweb/tasks/cleanup.yml b/roles/pgweb/tasks/cleanup.yml
new file mode 100644
index 0000000..6cfd2e8
--- /dev/null
+++ b/roles/pgweb/tasks/cleanup.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64"
+ - "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64.zip"
+ tags: pgweb,pg
+
+- name: Remove temp previous version dir
+ file: path={{ pgweb_root_dir }}/archives/{{ pgweb_current_version }} state=absent
+ when: pgweb_install_mode == 'upgrade'
+ tags: pgweb,pg
diff --git a/roles/pgweb/tasks/conf.yml b/roles/pgweb/tasks/conf.yml
new file mode 100644
index 0000000..9a23ce3
--- /dev/null
+++ b/roles/pgweb/tasks/conf.yml
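Review bot: The "Compress previous version" task in archive_post.yml is tagged `tags: pgweb` while every other task in the role (archive_pre.yml, cleanup.yml and the rest) uses `tags: pgweb,pg`, so a run limited with `--tags pg` archives the old binary in archive_pre.yml but never compresses it and then cleanup.yml deletes the uncompressed directory; change it to `tags: pgweb,pg`. `warn: False` on the command module is a parameter ansible-core has deprecated and, if I recall correctly, removed in 2.14, and since `tar` is not one of the commands Ansible warns about the line can simply be dropped. `ZSTD_CLEVEL: 10` is a YAML integer handed to `environment`, where values are expected to be strings; write `ZSTD_CLEVEL: "10"`.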
@@ -0,0 +1,20 @@
+---
+
+- name: List existing bookmarks
+ shell: ls -1 {{ pgweb_root_dir }}/bookmarks/ | perl -pe 's/\.toml$//'
+ register: pgweb_current_bookmarks
+ changed_when: False
+ tags: pgweb,pg
+
+- name: Remove unmanaged bookmarks
+ file: path={{ pgweb_root_dir }}/bookmarks/{{ item }}.toml state=absent
+ loop: "{{ pgweb_current_bookmarks.stdout_lines }}"
+ when: not item in pgweb_bookmarks | map(attribute='name') | list
+ notify: restart pgweb
+ tags: pgweb,pg
+
+- name: Configure bookmarks
+ template: src=bookmark.toml.j2 dest={{ pgweb_root_dir }}/bookmarks/{{ item.name }}.toml owner=root group={{ pgweb_user }} mode=640
+ loop: "{{ pgweb_bookmarks }}"
+ notify: restart pgweb
+ tags: pgweb,pg
diff --git a/roles/pgweb/tasks/directories.yml b/roles/pgweb/tasks/directories.yml
new file mode 100644
index 0000000..0917101
--- /dev/null
+++ b/roles/pgweb/tasks/directories.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Create directories
+ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ pgweb_root_dir }}"
+ - dir: "{{ pgweb_root_dir }}/bin"
+ - dir: "{{ pgweb_root_dir }}/bookmarks"
+ - dir: "{{ pgweb_root_dir }}/archives"
+ owner: root
+ group: root
+ mode: 700
+ - dir: "{{ pgweb_root_dir }}/backup"
+ owner: root
+ group: root
+ mode: 700
+ - dir: "{{ pgweb_root_dir }}/meta"
+ owner: root
+ group: root
+ mode: 700
+ - dir: "{{ pgweb_root_dir }}/tmp"
+ owner: "{{ pgweb_user }}"
+ group: "{{ pgweb_user }}"
+ mode: 700
+ tags: pgweb,pg
diff --git a/roles/pgweb/tasks/facts.yml b/roles/pgweb/tasks/facts.yml
new file mode 100644
index 0000000..9b4141e
--- /dev/null
+++ b/roles/pgweb/tasks/facts.yml
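Review bot: The "Configure bookmarks" task in conf.yml loops over `pgweb_bookmarks`, whose items carry `pass` values and credential-bearing `url`s, and Ansible echoes every loop item in the task result, so the cleartext database passwords land in the play output and any log that captures it; add `no_log: True` to that task. The on-disk side is handled well (`owner=root group={{ pgweb_user }} mode=640`), the leak is only in the controller output. The "List existing bookmarks" `shell: ls -1 … | perl -pe` pipeline could be the `find` module with `patterns: '*.toml'` plus a `basename | regex_replace('\.toml$', '')` on the loop, which drops the shell invocation and the `changed_when: False` workaround. All three tasks also hard-code `{{ pgweb_root_dir }}/bookmarks/` even though the role's defaults expose a bookmark-directory variable for exactly this path.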
@@ -0,0 +1,20 @@
+---
+
+- include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+ tags: pgweb,pg
+
+# Detect installed version (if any) and detect if it's an install / upgrade / nothing
+- block:
+ - import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ pgweb_root_dir }}"
+ - version: "{{ pgweb_version }}"
+ - set_fact: pgweb_install_mode={{ (install_mode == 'upgrade' and not pgweb_manage_upgrade) | ternary('none',install_mode) }}
+ - set_fact: pgweb_current_version={{ current_version | default('') }}
+ tags: pgweb,pg
+
diff --git a/roles/pgweb/tasks/install.yml b/roles/pgweb/tasks/install.yml
new file mode 100644
index 0000000..78bb05e
--- /dev/null
+++ b/roles/pgweb/tasks/install.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Install dependencies
+ package: name={{ pgweb_packages }}
+ tags: pgweb,pg
+
+- when: pgweb_install_mode != 'none'
+ block:
+ - name: Download pgweb
+ get_url:
+ url: "{{ pgweb_archive_url }}"
+ dest: "{{ pgweb_root_dir }}/tmp/"
+ checksum: sha256:{{ pgweb_archive_sha256 }}
+
+ - name: Extract archive
+ unarchive:
+ src: "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64.zip"
+ dest: "{{ pgweb_root_dir }}/tmp/"
+ remote_src: True
+
+ - name: Install pgweb binary
+ copy:
+ src: "{{ pgweb_root_dir }}/tmp/pgweb_linux_amd64"
+ dest: "{{ pgweb_root_dir }}/bin/pgweb"
+ remote_src: True
+ mode: 755
+ notify: restart pgweb
+
+ tags: pgweb,pg
+
+- name: Install systemd unit
+ template: src=pgweb.service.j2 dest=/etc/systemd/system/pgweb.service
+ register: pgweb_unit
+ notify: restart pgweb
+ tags: pgweb,pg
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: pgweb_unit.changed
+ tags: pgweb,pg
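Review bot: `mode: 755` in the "Install pgweb binary" task of install.yml is a YAML integer, and the copy module applies an integer mode as a decimal value, so the binary ends up with mode 0o1363 (sticky bit plus `-wxrw--wx`) rather than 0755 — it is not even executable by owner; write `mode: "0755"`. The same integer form (`mode: 700`) appears in directories.yml, where it only works because the value is rendered into the `file:` key=value string and so reaches the module as the string "700"; quoting those as `"0700"` makes that deliberate instead of accidental. In facts.yml, `vars:` written as a list of one-key mappings is, I believe, a form ansible-core has deprecated in favour of a plain mapping (`vars: { root_dir: …, version: … }`). The `get_url` call pinning `checksum: sha256:{{ pgweb_archive_sha256 }}` is the right way to verify the download; keep it.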
diff --git a/roles/pgweb/tasks/iptables.yml b/roles/pgweb/tasks/iptables.yml
new file mode 100644
index 0000000..9f35347
--- /dev/null
+++ b/roles/pgweb/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Handle pgweb ports in the firewall
+ iptables_raw:
+ name: pgweb_port
+ state: "{{ (pgweb_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -p tcp --dport {{ pgweb_port }} -s {{ pgweb_src_ip | join(',') }} -j ACCEPT"
+ tags: firewall,pgweb,pg
diff --git a/roles/pgweb/tasks/main.yml b/roles/pgweb/tasks/main.yml
new file mode 100644
index 0000000..08a899b
--- /dev/null
+++ b/roles/pgweb/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: pgweb_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+- include: archive_post.yml
+ when: pgweb_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml
+
diff --git a/roles/pgweb/tasks/services.yml b/roles/pgweb/tasks/services.yml
new file mode 100644
index 0000000..2bd9edd
--- /dev/null
+++ b/roles/pgweb/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable service
+ service: name=pgweb state=started enabled=True
+ tags: pgweb,pg
diff --git a/roles/pgweb/tasks/user.yml b/roles/pgweb/tasks/user.yml
new file mode 100644
index 0000000..c432cf2
--- /dev/null
+++ b/roles/pgweb/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create user account
+ user:
+ name: "{{ pgweb_user }}"
+ system: True
+ home: "{{ pgweb_root_dir }}"
+ shell: /sbin/nologin
+ tags: pgweb,pg
diff --git a/roles/pgweb/tasks/write_version.yml b/roles/pgweb/tasks/write_version.yml
new file mode 100644
index 0000000..2d7c06e
--- /dev/null
+++ b/roles/pgweb/tasks/write_version.yml
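Review bot: main.yml uses the generic `include:` action for every task file; that keyword has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks` and, if I recall correctly, has since been removed from ansible-core, so the role will stop loading on a current controller. Replace each entry with `- import_tasks: user.yml` (static import, so the `tags: pgweb,pg` inside each file remain selectable with `--tags`); the `when:` conditions on archive_pre.yml, iptables.yml and archive_post.yml carry over unchanged, and note that with `import_tasks` a `when` is applied to every imported task rather than to the include itself. The iptables.yml task is sound as far as it goes: with an empty `pgweb_src_ip` the rule is removed and the service template binds to loopback, so the only exposure path is the `iptables_manage: false` case discussed on the service unit.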
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+ copy: content={{ pgweb_version }} dest={{ pgweb_root_dir }}/meta/ansible_version
+ tags: pgweb,pg
diff --git a/roles/pgweb/templates/bookmark.toml.j2 b/roles/pgweb/templates/bookmark.toml.j2
new file mode 100644
index 0000000..7889f96
--- /dev/null
+++ b/roles/pgweb/templates/bookmark.toml.j2
@@ -0,0 +1,18 @@
+{% if item.url is defined %}
+url = "{{ item.url }}"
+{% else %}
+host = "{{ item.host }}"
+database = "{{ item.database }}"
+{% if item.port is defined %}
+port = {{ item.port }}
+{% endif %}
+{% if item.user is defined %}
+user = "{{ item.user }}"
+{% endif %}
+{% if item.pass is defined %}
+password = "{{ item.pass }}"
+{% endif %}
+{% if item.ssl is defined %}
+ssl = "{{ item.ssl }}"
+{% endif %}
+{% endif %}
diff --git a/roles/pgweb/templates/pgweb.service.j2 b/roles/pgweb/templates/pgweb.service.j2
new file mode 100644
index 0000000..7ec41aa
--- /dev/null
+++ b/roles/pgweb/templates/pgweb.service.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=PgWeb Postgres Browser
+After=network.target
+
+[Service]
+Type=simple
+User={{ pgweb_user }}
+Group={{ pgweb_user }}
+ExecStart={{ pgweb_root_dir }}/bin/pgweb \
+ --listen {{ pgweb_port }} \
+ --bind {{ (pgweb_src_ip | length > 0) | ternary('0.0.0.0','127.0.0.1') }} \
+ --bookmarks-dir={{ pgweb_bookmarks_dir }} \
+{% if not pgweb_ssh_tunnels %}
+ --no-ssh \
+{% endif %}
+ --sessions
+RuntimeDirectory=pgweb
+RestartSec=30
+Restart=always
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+RestrictNamespaces=yes
+ReadWritePaths=/run
+PrivateTmp=true
+MemoryDenyWriteExecute=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pgweb/vars/RedHat-8.yml b/roles/pgweb/vars/RedHat-8.yml
new file mode 100644
index 0000000..6f8faac
--- /dev/null
+++ b/roles/pgweb/vars/RedHat-8.yml
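Review bot: `password = "{{ item.pass }}"` in bookmark.toml.j2 interpolates the value into a TOML basic string with no escaping, so a password containing `"` or `\` yields an unparseable bookmark file or a silently truncated password, and the same holds for `url`, `host`, `database`, `user` and `ssl`. Emit each value with the JSON filter and drop the hand-written quotes, e.g. `password = {{ item.pass | to_json }}`, since the escapes `to_json` produces (`\"`, `\\`, `\n`, `\uXXXX`) are all valid TOML basic-string escapes. A short header comment in the template saying that bookmark values are rendered through `to_json` for that reason would save the next reader from "simplifying" it back.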
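Review bot: In pgweb.service.j2 the `--bind` address flips to `0.0.0.0` solely because `pgweb_src_ip` is non-empty, while the matching iptables rule is only installed when `iptables_manage` is true (main.yml), so a host with `iptables_manage: false` and a non-empty `pgweb_src_ip` runs pgweb on every interface with nothing filtering it, and this unit sets none of pgweb's own HTTP authentication options. Decouple the two with an explicit default, e.g. `pgweb_bind: 127.0.0.1` in defaults/main.yml and `--bind {{ pgweb_bind }} \` here, and document in the defaults that opening `pgweb_src_ip` without managed iptables exposes the UI. `--bookmarks-dir={{ pgweb_bookmarks_dir }}` references a variable the role's defaults do not define (they define `pg_web_bookmark_dir`), so templating this unit fails until the names agree. The hardening directives are a good baseline; style only, `RestrictNamespaces=yes` and `MemoryDenyWriteExecute=yes` mix `yes` with the `true` used on the neighbouring lines.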
@@ -0,0 +1,5 @@ +--- + +pgweb_packages: + - tar + - zstd diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 1e8874d..5c4f7e6 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -18,7 +18,7 @@ mydestination = {{ postfix_mydestination | default(['$myhostname', 'localhost.$m mynetworks = {{ postfix_mynetworks | default([ '127.0.0.0/8' ]) | join (', ') }} smtpd_recipient_restrictions = permit_mynetworks,reject -{% if postfix_relay_host is defined %} +{% if postfix_relay_host is defined and postfix_relay_host != False %} relayhost = {{ postfix_relay_host }} {% if postfix_relay_user is defined and postfix_relay_pass is defined %} smtp_sasl_auth_enable = yes diff --git a/roles/postfix/templates/relay_auth.j2 b/roles/postfix/templates/relay_auth.j2 index 84098e0..d729903 100644 --- a/roles/postfix/templates/relay_auth.j2 +++ b/roles/postfix/templates/relay_auth.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -{% if postfix_relay_host is defined and postfix_relay_user is defined and postfix_relay_pass is defined %} +{% if postfix_relay_host is defined and postfix_relay_host != False and postfix_relay_user is defined and postfix_relay_pass is defined %} {{ postfix_relay_host }} {{ postfix_relay_user }}:{{ postfix_relay_pass }} {% endif %}