Update to 2022-03-07 14:00

2025-07-27 00:05:44 +02:00 · 2022-03-07 14:00:06 +01:00
parent c55f851cbd
commit 8b7e505180
58 changed files with 1119 additions and 89 deletions
--- a/roles/unmaintained/wh_backend/tasks/main.yml
+++ b/roles/unmaintained/wh_backend/tasks/main.yml
@@ -0,0 +1,207 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: web
+
+- name: Install needed tools
+  yum: name{{ wh_backend_packages }}
+  tags: web
+
+- set_fact: wh_app_dir=[]
+  tags: web
+- name: Build a list of app root
+  set_fact:
+    wh_app_dir: "{{ wh_app_dir }} + [ '/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}' ]"
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when: item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  tags: web
+
+- name: Create unix accounts
+  user:
+    name: "wh-{{ item.name }}"
+    comment: "Unix account for {{ item.name }}"
+    system: True
+    shell: "{{ shell | default('/sbin/nologin') }}"
+    home: /opt/wh/{{ item.name }}
+  loop: "{{ wh_clients }}"
+  tags: web
+
+- name: Create ssh directories
+  file: path=/etc/ssh/wh/{{ item.name }}/ state=directory mode=755
+  loop: "{{ wh_clients }}"
+  tags: web
+
+- name: Deploy SSH keys
+  authorized_key:
+    user: root
+    key: "{{ item.ssh_keys | default([]) | join(\"\n\") }}"
+    path: /etc/ssh/wh/{{ item.name }}/authorized_keys
+    manage_dir: False
+    exclusive: True
+  loop: "{{ wh_clients }}"
+  tags: web
+
+- name: Set correct permissions on authorized_key files
+  file: path=/etc/ssh/wh/{{ item.name }}/authorized_keys owner=root group=root mode=644
+  loop: "{{ wh_clients }}"
+  when: item.ssh_keys | default([]) | length > 0
+  tags: web
+
+- name: List all authorized keys directories
+  shell: ls -1 /etc/ssh/wh | xargs -n1 basename
+  register: wh_existing_ssh_keys
+  changed_when: False
+  tags: web
+
+- name: Remove unmanaged ssh keys
+  file: path=/etc/ssh/wh/{{ item }} state=absent
+  with_items: "{{ wh_existing_ssh_keys.stdout_lines | default([]) }}"
+  when: item not in wh_clients | map(attribute='name')
+  tags: web
+
+- name: Create applications directories
+  file: path={{ item.0 }}/{{ item.1 }} state=directory
+  loop: "{{ wh_app_dir | product(['web','data','tmp','logs','archives','bin','info', 'db_dumps']) | list }}"
+  notify: reset permissions
+  tags: web
+
+- name: Set correct SELinux context for apps directories
+  sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: httpd_sys_content_t
+    state: present
+  when: ansible_selinux.status == 'enabled'
+  loop: "{{ wh_app_dir }}"
+  notify: reset permissions
+  tags: web
+
+- name: Deploy PHP FPM pools
+  template: src=php-fpm.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/wh.conf
+  vars:
+    wh_php_version: "{{ item }}"
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Deploy httpd configuration
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/31-wh.conf
+  notify: reload httpd
+  tags: web
+
+- name: Deploy permissions scripts
+  template: src=perms.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/perms.sh
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when: item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  notify: reset permissions
+  tags: web
+
+- name: Create databases
+  mysql_db:
+    name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"
+    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    collation: "{{ (wh_default_app | combine(item.1)).database.collation  }}"
+    encoding: "{{ (wh_default_app | combine(item.1)).database.encoding  }}"
+    state: present
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when:
+    - (wh_default_app | combine(item.1)).database.enabled
+    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
+    - item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  tags: web
+
+- name: Create applications database users
+  mysql_user:
+    name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"
+    password: "{{ (wh_default_app | combine(item.1)).database.pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=item.0.name + item.1.name) | string))[9:27] ) }}"
+    priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"
+    host: "%"
+    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when:
+    - (wh_default_app | combine(item.1)).database.enabled
+    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
+    - item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  tags: web
+
+- name: Create clients database user
+  mysql_user:
+    name: "{{ item.0.name[0:15] }}"
+    password: "{{ item.0.db_pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=item.0.name) | string))[9:27]) }}"
+    priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"
+    host: "%"
+    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    append_privs: True
+    state: present
+  loop: "{{ wh_clients | subelements('apps')}}"
+  when:
+    - (wh_default_app | combine(item.1)).database.enabled
+    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
+    - item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  tags: web
+
+- name: Deploy databases info file
+  template: src=database.txt.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/info/database.txt
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when: item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  notify: reset permissions
+  tags: web
+
+- name: Deploy per app backup scripts
+  template: src=backup.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/backup.sh mode=750
+  loop: "{{ wh_clients | subelements('apps') }}"
+  when: item.1.backend | default(item.0.backend) | default(wh_defaults.backend) == inventory_hostname
+  tags: web
+
+- name: Deploy wh_create_archives script to archive all the hosted apps
+  template: src=wh_create_archives.sh.j2 dest=/usr/local/bin/wh_create_archives.sh mode=750
+  tags: web
+
+- name: Setup a daily cronjob to take automatic archives of webapps
+  cron:
+    name: wh_backups
+    special_time: daily
+    user: root
+    job: 'systemd-cat /usr/local/bin/wh_create_archives.sh'
+    cron_file: wh
+    state: present
+  tags: web
+
+- name: Deploy global pre/post backup scripts
+  template: src={{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/wh.sh mode=700
+  loop: [ 'pre', 'post' ]
+  tags: web
+
+- name: Deploy logrotate snippet
+  template: src=logrotate.j2 dest=/etc/logrotate.d/wh
+  tags: web
+
+- name: Deploy wh-acld
+  template: src=wh-acld.j2 dest=/usr/local/bin/wh-acld mode=750
+  notify: restart wh-acld
+  tags: web
+
+- name: Deploy wh-acld service unit
+  template: src=wh-acld.service.j2 dest=/etc/systemd/system/wh-acld.service
+  register: wh_acld_unit
+  tags: web
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: wh_acld_unit.changed
+  tags: web
+
+- name: Start and enable wh-acld
+  service: name=wh-acld state=started enabled=True
+  tags: web