First import of the old role.

README.md

@@ -1,31 +1,41 @@
 Role Name
 =========
 
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+A role that installs the tomcat packages
 
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+The most important variables are listed below:
+
+``` yaml
+tomcat_min_heap_size: 2048m
+tomcat_heap_size: '{{ tomcat_min_heap_size }}'
+tomcat_other_java_opts: ""
+tomcat_javamelody: False
+tomcat_install_admin: False
+tomcat_manager_gui_user_enabled: True
+tomcat_manager_gui_user: guiadmin
+tomcat_manager_gui_r: "manager-gui"
+#tomcat_manager_gui_pwd: *See the vault file*
+tomcat_manager_script_user_enabled: False
+tomcat_manager_script_user: scriptadmin
+tomcat_manager_script_r: "manager-script"
+#tomcat_manager_script_pwd: *See the vault file*
+tomcat_manager_jmx_user_enabled: False
+tomcat_manager_jmx_user: jmxadmin
+tomcat_manager_jmx_r: "manager-jmx"
+#tomcat_manager_jmx_pwd: *See the vault file*
+tomcat_manager_status_user_enabled: False
+tomcat_manager_status_user: statusadmin
+tomcat_manager_status_r: "manager-status"
+#tomcat_manager_status_pwd: *See the vault file*
+```
 
 Dependencies
 ------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
+openjdk, <git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git>
 
 License
 -------
@@ -35,4 +45,4 @@ EUPL-1.2
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

defaults/main.yml

@@ -1,2 +1,135 @@
 ---
-# defaults file for ansible-role-template
+# The tomcat version is set at runtime. It changes from one distribution to the other.
+#tomcat_version: 7
+# To force a tomcat version set the following variable:
+# tomcat_fixed_version: 9
+tomcat_pkg_state: present
+tomcat_service_enabled: True
+tomcat_pkgs:
+  - 'tomcat{{ tomcat_version }}'
+  - 'libtomcat{{ tomcat_version }}-java'
+  - 'tomcat{{ tomcat_version }}-common'
+  - libapr1
+
+tomcat8_additional_pkgs:
+  - jsvc
+  - libcommons-daemon-java
+
+tomcat_user: 'tomcat{{ tomcat_version }}'
+tomcat_max_threads: 200
+
+tomcat_min_heap_size: 2048m
+tomcat_permgen_defined: True
+tomcat_heap_size: '{{ tomcat_min_heap_size }}'
+tomcat_permgen_size: 512m
+tomcat_file_encoding: 'UTF-8'
+tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}"
+tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
+tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
+#tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
+tomcat_proxy_enabled: False
+tomcat_proxy_http_host: 'localhost'
+tomcat_proxy_http_port: '3128'
+tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}'
+tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}'
+tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}"
+tomcat_other_java_opts: ""
+tomcat_install_server_xml: True
+tomcat_install_default_conf: True
+tomcat_load_additional_default_conf: True
+tomcat_http_enabled: True
+tomcat_http_port: 8080
+tomcat_http_address: 0.0.0.0
+tomcat_webapps_autodeploy: False
+tomcat_webapps_unpack: False
+tomcat_ajp_enabled: False
+tomcat_ajp_port: 8009
+tomcat_ajp_address: 127.0.0.1
+tomcat_direct_access: False
+tomcat_reverse_proxy_name_enabled: False
+tomcat_reverse_proxy_name: '{{ ansible_fqdn }}'
+tomcat_reverse_proxy_port: '{{ http_port | default(80) }}'
+# There is a bug that kills tomcat after 50 days if the shutdown port is enabled
+# Disable the shutdown port by default
+#tomcat_shutdown_port: 8005
+tomcat_shutdown_port: -1
+tomcat_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits') }}"
+tomcat_restart_timeout: 300
+tomcat_max_post_size: 1000000
+tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
+tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
+tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
+tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/'
+tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
+tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
+
+# JMX and debugging
+tomcat_enable_remote_debugging: False
+tomcat_remote_debugging_host: '0.0.0.0'
+tomcat_remote_debugging_port: ':8100'
+tomcat_remote_debugging_uri: '{{ tomcat_remote_debugging_host }}:{{ tomcat_remote_debugging_port }}'
+#
+tomcat_jmx_enabled: False
+tomcat_jmx_auth_enabled: False
+tomcat_jmx_port: 8082
+tomcat_jmx_auth_dir: '{{ tomcat_conf_dir }}'
+tomcat_jmx_use_ssl: False
+# The following work with jdk >= 7.0.25 only
+tomcat_jmx_disable_additional_ports: True
+tomcat_jmx_localhost_only: False
+# tomcat_jmx_monitorpass: define_in_a_vault_file
+# tomcat_jmx_controlpass: define_in_a_vault_file
+
+# Metrics monitoring via javamelody
+tomcat_javamelody: False
+#tomcat_javamelody_version: latest
+tomcat_javamelody_version: 1.82.0
+
+# tomcat logging
+tomcat_logdir: '/var/log/tomcat{{ tomcat_version }}'
+tomcat_use_log4j: True
+tomcat_install_the_log4j_properties: True
+tomcat_retain_old_logs: 30
+tomcat_log_rotation_threshold: "ALL"
+tomcat_log_max_file_size: "100MB"
+tomcat_log_level: INFO
+tomcat_log_logger: CATALINA
+tomcat_access_log_enabled: True
+tomcat_access_log_rotation_freq: "daily"
+#
+# Define them if you want to send all the logs to an ELK installation
+tomcat_send_to_logstash: False
+tomcat_logstash_collector_host: logstash
+tomcat_logstash_collector_socketappender_port: 4560
+tomcat_logstash_collector_socketappender_reconndelay: 10000
+# Set to LOGSTASH only if you do not want local logs
+tomcat_logstash_logger: CATALINA, LOGSTASH
+
+
+#tomcat_access_log_file_name: localhost_access.log
+#
+# Administrative interface
+tomcat_install_admin: False
+tomcat_manager_gui_user_enabled: True
+tomcat_manager_gui_user: guiadmin
+tomcat_manager_gui_r: "manager-gui"
+#tomcat_manager_gui_pwd: *See the vault file*
+tomcat_manager_script_user_enabled: False
+tomcat_manager_script_user: scriptadmin
+tomcat_manager_script_r: "manager-script"
+#tomcat_manager_script_pwd: *See the vault file*
+tomcat_manager_jmx_user_enabled: False
+tomcat_manager_jmx_user: jmxadmin
+tomcat_manager_jmx_r: "manager-jmx"
+#tomcat_manager_jmx_pwd: *See the vault file*
+tomcat_manager_status_user_enabled: False
+tomcat_manager_status_user: statusadmin
+tomcat_manager_status_r: "manager-status"
+#tomcat_manager_status_pwd: *See the vault file*
+#
+tomcat_install_jdbc: False
+tomcat_install_pg_jdbc: '{{ tomcat_install_jdbc }}'
+# Not used yet
+tomcat_install_mysql_jdbc: False
+

files/catalina.properties

@@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar,${catalina.base}/server/classes,${catalina.base}/server/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar,${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
+
+# List of JAR files that should not be scanned using the JarScanner
+# functionality. This is typically used to scan JARs for configuration
+# information. JARs that do not contain such information may be excluded from
+# the scan to speed up the scanning process. This is the default list. JARs on
+# this list are excluded from all scans. Scan specific lists (to exclude JARs
+# from individual scans) follow this. The list must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Test JARs (JUnit, Cobertura and dependencies)
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+tools.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000

files/jmxremote.access

@@ -0,0 +1,2 @@
+monitorRole readonly
+controlRole readwrite

files/logging.properties

@@ -0,0 +1,49 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE

handlers/main.yml

@@ -1,2 +1,12 @@
 ---
-# handlers file for ansible-role-template
+- name: tomcat restart
+  service: name='tomcat{{ tomcat_version }}' state=restarted sleep=20
+  when: tomcat_service_enabled
+
+- name: enable tomcat
+  service: name='tomcat{{ tomcat_version }}' state=started enabled=yes
+  when: tomcat_service_enabled
+
+- name: disable tomcat
+  service: name='tomcat{{ tomcat_version }}' state=started enabled=no
+  when: not tomcat_service_enabled

meta/main.yml

@@ -1,61 +1,28 @@
 galaxy_info:
-  author: your name
-  description: your description
+  author: Andrea Dell'Amico
+  description: Systems Architect
   company: ISTI-CNR
 
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
   issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
 
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
-  license: EUPL-1.2
+  license: EUPL 1.2+
 
   min_ansible_version: 2.8
 
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  # Optionally specify the branch Galaxy will use when accessing the GitHub
-  # repo for this role. During role install, if no tags are available,
-  # Galaxy will use this branch. During import Galaxy will access files on
-  # this branch. If Travis integration is configured, only notifications for this
-  # branch will be accepted. Otherwise, in all cases, the repo's default branch
-  # (usually master) will be used.
-  #github_branch:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
   # To view available platforms and versions (or releases), visit:
   # https://galaxy.ansible.com/api/v1/platforms/
   #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
 
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+  galaxy_tags:
+    - tomcat
 
-dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
+dependencies:
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
+    version: master
+    name: openjdk
+    state: latest
 

tasks/access_log.yml

@@ -0,0 +1,6 @@
+---
+- name: Install a logrotate entry for the access log file
+  template: src=tomcat_access.logrotate.j2 dest=/etc/logrotate.d/tomcat_access owner=root group=root mode=0644
+  when: tomcat_access_log_enabled
+  tags: tomcat
+

tasks/main.yml

@@ -1,2 +1,24 @@
 ---
-# tasks file for ansible-role-template
+- import_tasks: tomcat-pkgs.yml
+- import_tasks: tomcat-admin.yml
+  when: tomcat_install_admin
+- import_tasks: tomcat-jmx.yml
+  when:
+    - tomcat_jmx_enabled
+    - tomcat_jmx_auth_enabled
+  tags: [ 'tomcat', 'jmx' ]
+- import_tasks: tomcat-log4j-logging.yml
+  when:
+    - tomcat_use_log4j
+    - tomcat_version <= 7
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+- import_tasks: tomcat-logger-logging.yml
+  when: not tomcat_use_log4j or tomcat_version > 7
+- import_tasks: access_log.yml
+  when: tomcat_access_log_enabled
+- import_tasks: pgsql_jdbc.yml
+  when: tomcat_install_pg_jdbc
+- import_tasks: not_pgsql_jdbc.yml
+  when: not tomcat_install_pg_jdbc
+
+

tasks/not_pgsql_jdbc.yml

@@ -0,0 +1,9 @@
+---
+- name: Do not load the postgresql jdbc driver on tomcat if not needed
+  file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
+  with_items:
+    - postgresql-jdbc4.jar
+  when: not tomcat_install_pg_jdbc
+  notify: tomcat restart
+  tags: tomcat
+

tasks/pgsql_jdbc.yml

@@ -0,0 +1,16 @@
+---
+# Postgresql JDBC
+- name: Install the jdbc package if needed
+  apt: pkg=libpostgresql-jdbc-java state=present
+  when: tomcat_install_pg_jdbc
+  tags: [ 'tomcat', 'tomcat_jdbc' ]
+
+- name: Configure tomcat to use the global postgresql jdbc driver
+  file: src=/usr/share/java/{{ item }} dest=/usr/share/tomcat{{ tomcat_version }}/lib/{{ item }} state=link
+  with_items:
+    - postgresql-jdbc4.jar
+  when: tomcat_install_pg_jdbc
+  notify:
+    tomcat restart
+  tags: [ 'tomcat', 'tomcat_jdbc' ]
+

tasks/tomcat-admin.yml

@@ -0,0 +1,10 @@
+---
+- name: Install the tomcat console management package
+  apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }}
+  tags: tomcat
+
+- name: Install the tomcat users file
+  template: src=tomcat-users.xml.j2 dest={{ tomcat_conf_dir }}/tomcat-users.xml owner=root group={{ tomcat_user }} mode=0640
+  notify: tomcat restart
+  tags: tomcat
+

tasks/tomcat-jmx.yml

@@ -0,0 +1,16 @@
+---
+- name: Distribute the jmx authorization file
+  template: src=jmxremote.passwd.j2 dest={{ tomcat_jmx_auth_dir }}/jmxremote.passwd owner={{ tomcat_user }} mode=0600
+  when:
+    - tomcat_jmx_enabled
+    - tomcat_jmx_auth_enabled
+  notify: tomcat restart
+  tags: [ 'tomcat', 'jmx' ]
+
+- name: Distribute the jmx role file
+  copy: src=jmxremote.access dest={{ tomcat_jmx_auth_dir }}/jmxremote.access owner=root mode=0644
+  when:
+    - tomcat_jmx_enabled
+    - tomcat_jmx_auth_enabled
+  notify: tomcat restart
+  tags: [ 'tomcat', 'jmx' ]

tasks/tomcat-log4j-logging.yml

@@ -0,0 +1,41 @@
+---
+# Manage tomcat internal logs with log4j
+- name: Install log4j
+  apt: pkg=liblog4j1.2-java state={{ tomcat_pkg_state }}
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Install tomcat-juli-adapters
+  copy: src=tomcat{{ tomcat_version }}-juli-adapters.jar dest=/usr/share/java/tomcat-juli-adapters.jar
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Install tomcat-juli
+  copy: src=tomcat{{ tomcat_version }}-juli-log4j.jar dest=/usr/share/java/tomcat-juli-log4j.jar
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Configure tomcat to use the log4j system library
+  file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link
+  with_items:
+    - log4j-1.2.jar
+    - tomcat-juli-adapters.jar
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Configure tomcat to use the log4j version of the juli library
+  file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/tomcat-juli.jar state=link
+  with_items:
+    - tomcat-juli-log4j.jar
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Install log4j.properties
+  template: src=log4j.properties.j2 dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties mode=0644 owner=root group=root
+  when: tomcat_install_the_log4j_properties
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+
+- name: Remove logging.properties
+  file: dest=/etc/tomcat{{ tomcat_version }}/logging.properties state=absent
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_log4j' ]
+

tasks/tomcat-logger-logging.yml

@@ -0,0 +1,26 @@
+---
+- name: Remove the system log4j library from the tomcat libdir
+  file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
+  with_items:
+    - log4j-1.2.jar
+    - tomcat-juli-adapters.jar
+  notify: tomcat restart
+  tags: tomcat
+
+- name: Configure tomcat to use the standard version of the juli library
+  file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link
+  with_items:
+    - 'tomcat{{ tomcat_version }}-juli.jar'
+  notify: tomcat restart
+  tags: tomcat
+
+- name: Remove the system log4j.properties
+  file: dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties state=absent
+  notify: tomcat restart
+  tags: tomcat
+
+- name: Install logging.properties
+  copy: src=logging.properties dest=/etc/tomcat{{ tomcat_version }}/logging.properties owner=root group=root mode=0644
+  notify: tomcat restart
+  tags: tomcat
+

tasks/tomcat-pkgs.yml

@@ -0,0 +1,111 @@
+---
+- name: Set the tomcat version for ubuntu Trusy
+  set_fact:
+    tomcat_version: 7
+  when:
+    - ansible_distribution_major_version <= '16'
+    - tomcat_fixed_version is not defined
+  tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
+
+- name: Set the tomcat version for Ubuntu bionic
+  set_fact:
+    tomcat_version: 8
+  when:
+    - ansible_distribution_major_version == '18'
+    - tomcat_fixed_version is not defined
+  tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
+
+- name: Impose a tomcat version
+  set_fact:
+    tomcat_version: '{{ tomcat_fixed_version }}'
+  when: tomcat_fixed_version is defined
+  tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
+
+- name: Print the Tomcat version
+  debug:
+      msg: "The Tomcat version we are going to install is {{ tomcat_version }}"
+  tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
+
+- name: Install the tomcat packages
+  apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
+  tags: tomcat
+
+- name: Install additional packages needed by tomcat 8+
+  apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
+  when: tomcat_version >= 8
+  tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]
+
+- name: Create the tomcat tmp directory
+  file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
+  notify: tomcat restart
+  tags: tomcat
+  
+- name: Create the catalina temp directory, if different from the default
+  file: dest={{ catalina_tmp_directory }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
+  when: catalina_tmp_directory is defined
+  notify: tomcat restart 
+  tags: tomcat
+  
+- name: Configure tomcat defaults
+  template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
+  when: tomcat_install_default_conf | bool
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_default' ]
+
+- name: Configure tomcat server.xml
+  template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
+  when: tomcat_install_server_xml | bool
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_serverxml' ]
+
+- name: Configure tomcat web.xml
+  template: src=tomcat-web.xml.j2 dest={{ tomcat_conf_dir }}/web.xml
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_serverxml' ]
+
+- name: Install a slightly modified catalina.properties
+  copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
+  when: tomcat_install_default_conf | bool
+  notify: tomcat restart
+  tags: [ 'tomcat', 'tomcat_catalinaprops' ]
+
+- name: Create some directories that the package do not creates itself
+  file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755
+  with_items:
+    - common/classes
+    - server/classes
+    - shared/classes
+  tags: tomcat
+
+- name: On tomcat8, create a link to commons-daemon.jar to avoid exceptions at startup
+  file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link owner=root group=root  mode=0644
+  with_items:
+    - commons-daemon.jar
+  when: tomcat_version >= 8
+  tags: [ 'tomcat', 'tomcat_conf' ]
+
+- name: Install the javamelody dependency jar into the Java shared libs directory
+  maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
+  when: tomcat_javamelody | bool
+  tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
+
+- name: Install the javamelody-core jar into the Java shared libs directory
+  maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
+  when: tomcat_javamelody | bool
+  tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
+
+- name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled
+  file: src=../../java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link owner=root group=root  mode=0644
+  with_items:
+    - javamelody-core.jar
+    - jrobin.jar
+  when: tomcat_javamelody | bool
+  tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
+
+- name: Remove the javamelody jar and its dependencies if the javamelody support is disabled
+  file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
+  with_items:
+    - javamelody-core.jar
+    - jrobin.jar
+  when: not tomcat_javamelody | bool
+  tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]

templates/jmxremote.passwd.j2

@@ -0,0 +1,2 @@
+monitorRole {{ tomcat_jmx_monitorpass }}
+controlRole {{ tomcat_jmx_controlpass }}

templates/log4j.properties.j2

@@ -0,0 +1,68 @@
+{% if tomcat_send_to_logstash %}
+log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_logstash_logger }}
+{% else %}
+log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_log_logger }}
+{% endif %}
+
+# Define all the appenders
+log4j.appender.CATALINA = org.apache.log4j.RollingFileAppender
+log4j.appender.CATALINA.File = ${catalina.base}/logs/catalina.log
+log4j.appender.CATALINA.Append = true
+log4j.appender.CATALINA.Encoding = UTF-8
+log4j.appender.CATALINA.Threshold = {{ tomcat_log_rotation_threshold }}
+log4j.appender.CATALINA.MaxFileSize = {{ tomcat_log_max_file_size }}
+log4j.appender.CATALINA.MaxBackupIndex = {{ tomcat_retain_old_logs }}
+log4j.appender.CATALINA.layout = org.apache.log4j.PatternLayout
+log4j.appender.CATALINA.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+
+log4j.appender.LOCALHOST = org.apache.log4j.RollingFileAppender
+log4j.appender.LOCALHOST.File = ${catalina.base}/logs/localhost.log
+log4j.appender.LOCALHOST.Append = true
+log4j.appender.LOCALHOST.Encoding = UTF-8
+log4j.appender.LOCALHOST.Threshold = {{ tomcat_log_rotation_threshold }}
+log4j.appender.LOCALHOST.MaxFileSize = {{ tomcat_log_max_file_size }}
+log4j.appender.LOCALHOST.MaxBackupIndex = {{ tomcat_retain_old_logs }}
+log4j.appender.LOCALHOST.layout = org.apache.log4j.PatternLayout
+log4j.appender.LOCALHOST.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+
+log4j.appender.MANAGER = org.apache.log4j.RollingFileAppender
+log4j.appender.MANAGER.File = ${catalina.base}/logs/manager.log
+log4j.appender.MANAGER.Append = true
+log4j.appender.MANAGER.Encoding = UTF-8
+log4j.appender.MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
+log4j.appender.MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
+log4j.appender.MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
+log4j.appender.MANAGER.layout = org.apache.log4j.PatternLayout
+log4j.appender.MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+
+log4j.appender.HOST-MANAGER = org.apache.log4j.RollingFileAppender
+log4j.appender.HOST-MANAGER.File = ${catalina.base}/logs/host-manager.log
+log4j.appender.HOST-MANAGER.Append = true
+log4j.appender.HOST-MANAGER.Encoding = UTF-8
+log4j.appender.HOST-MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
+log4j.appender.HOST-MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
+log4j.appender.HOST-MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
+log4j.appender.HOST-MANAGER.layout = org.apache.log4j.PatternLayout
+log4j.appender.HOST-MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+
+{% if tomcat_send_to_logstash %}
+log4j.appender.LOGSTASH=org.apache.log4j.net.SocketAppender
+log4j.appender.LOGSTASH.remoteHost={{ tomcat_logstash_collector_host }}
+log4j.appender.LOGSTASH.port={{ tomcat_logstash_collector_socketappender_port }}
+log4j.appender.LOGSTASH.ReconnectionDelay={{ tomcat_logstash_collector_socketappender_reconndelay }}
+log4j.appender.LOGSTASH.LocationInfo=true
+log4j.appender.LOGSTASH.layout = org.apache.log4j.PatternLayout
+log4j.appender.LOGSTASH.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+{% endif %}
+
+log4j.appender.CONSOLE = org.apache.log4j.ConsoleAppender
+log4j.appender.CONSOLE.Encoding = UTF-8
+log4j.appender.CONSOLE.layout = org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
+
+# Configure which loggers log to which appenders
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost] = {{ tomcat_log_level }}, LOCALHOST
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager] =\
+  {{ tomcat_log_level }}, MANAGER
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager] =\
+  {{ tomcat_log_level }}, HOST-MANAGER

templates/tomcat-default.j2

@@ -0,0 +1,71 @@
+{% if limits_nofile_value is defined %}
+ulimit -Hn {{ limits_nofile_value }}
+ulimit -Sn {{ limits_nofile_value }}
+{% endif %}
+
+# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
+# default of tomcat{{ tomcat_version}}.
+TOMCAT{{ tomcat_version}}_USER={{ tomcat_user }}
+
+# Run Tomcat as this group ID. Not setting this or leaving it blank will use
+# the default of tomcat{{ tomcat_version}}.
+TOMCAT{{ tomcat_version}}_GROUP={{ tomcat_user }}
+
+# The home directory of the Java development kit (JDK). You need at least
+# JDK version 1.5. If JAVA_HOME is not set, some common directories for 
+# OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried.
+{% if jdk_java_home is defined %}
+JAVA_HOME={{ jdk_java_home }}
+{% endif %}
+
+JAVA_OPTS="-server -Djava.awt.headless=true  -Dfile.encoding={{ tomcat_file_encoding }}"
+{% if jdk_default <= 7 %}
+{% if tomcat_permgen_defined %}
+{% if tomcat_permgen_size is defined %}
+JAVA_OPTS="-XX:MaxPermSize={{ tomcat_permgen_size }} $JAVA_OPTS"
+{% endif %}
+{% endif %}
+{% endif %}
+{% if jdk_default >= 8 %}
+JAVA_OPTS="{{ tomcat_additional_java_8_opts }} $JAVA_OPTS"
+{% endif %}
+{% if tomcat_java_opts is defined %}
+JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS"
+{% endif %}
+{% if tomcat_java_gc_opts is defined %}
+JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
+{% endif %}
+{% if tomcat_proxy_enabled %}
+JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}"
+{% endif %}
+{% if tomcat_other_java_opts is defined %}
+JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
+{% endif %}
+{% if tomcat_jmx_enabled %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ tomcat_jmx_port }} -Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl }} -Dcom.sun.management.jmxremote.local.only={{ tomcat_jmx_localhost_only }}"
+{% if tomcat_jmx_auth_enabled %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ tomcat_jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ tomcat_jmx_auth_dir }}/jmxremote.access"
+{% else %}
+JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
+{% endif %}
+{% if tomcat_jmx_disable_additional_ports %}
+JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ tomcat_jmx_port }}"
+{% endif %}
+{% endif %}
+{% if tomcat_enable_remote_debugging %}
+# You will be able to use a java debugger on URI {{ tomcat_remote_debugging_uri }}.
+JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
+# Obsolete
+#JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
+{% endif %}
+# Location of the JVM temporary directory
+# WARNING: This directory will be destroyed and recreated at every startup !
+JVM_TMP={{ tomcat_tmp_dir }}
+{% if catalina_tmp_directory is defined %}
+export CATALINA_TMPDIR={{ catalina_tmp_directory }}
+{% endif %}
+{% if tomcat_load_additional_default_conf %}
+if [ -f /etc/default/tomcat.local ] ; then
+    . /etc/default/tomcat.local
+fi
+{% endif %}

templates/tomcat-server.xml.j2

@@ -0,0 +1,176 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+     -->
+{% if tomcat_shutdown_port == -1 %}
+<Server port="{{ tomcat_shutdown_port }}"
+        shutdown="TOMCAT_SHUTDOWN_DISABLED">
+{% else %}
+<Server port="{{ tomcat_shutdown_port }}" shutdown="{{ tomcat_shutdown_pwd }}">
+ {% endif %}
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <!--
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  -->
+  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+  <Listener className="org.apache.catalina.core.JasperListener" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+{% if tomcat_http_enabled %}
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <Executor name="tomcatThreadPool"
+              namePrefix="catalina-exec-"
+              maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
+              maxThreads="{{ tomcat_max_threads }}"
+              minSpareThreads="10"/>
+{% endif %}
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL HTTP/1.1 Connector on port 8080
+    -->
+{% if tomcat_http_enabled %}
+    <!-- A http "Connector" using the shared thread pool-->
+    <Connector executor="tomcatThreadPool"
+	       enableLookups="false"
+               maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
+               maxThreads="{{ tomcat_max_threads }}" connectionTimeout="60000"
+	       URIEncoding="UTF-8"
+               useBodyEncodingForURI="true"
+               bindOnInit="false" address="{{ tomcat_http_address }}"
+               port="{{ tomcat_http_port }}" protocol="HTTP/1.1"
+               maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
+               {% if tomcat_reverse_proxy_name_enabled %}
+               proxyName="{{ tomcat_reverse_proxy_name }}"
+               proxyPort="{{ tomcat_reverse_proxy_port }}"
+               {% endif %}
+               maxHttpHeaderSize="8192"
+               disableUploadTimeout="true"
+               />
+
+{% endif %}
+{% if tomcat_ajp_enabled %}
+    <!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
+    <Connector port="{{ tomcat_ajp_port }}" protocol="AJP/1.3"
+	       enableLookups="false" address="{{ tomcat_ajp_address }}"
+               maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
+               URIEncoding="UTF-8"
+               useBodyEncodingForURI="true"
+               maxThreads="{{ tomcat_max_threads }}"
+               connectionTimeout="60000"
+               maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
+               {% if tomcat_reverse_proxy_name_enabled %}
+               proxyName="{{ tomcat_reverse_proxy_name }}"
+               proxyPort="{{ tomcat_reverse_proxy_port }}"
+               {% endif %}
+               maxHttpHeaderSize="8192"
+               disableUploadTimeout="true"
+	       bindOnInit="false" />
+{% endif %}
+    
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="{{ tomcat_webapps_unpack }}" autoDeploy="{{ tomcat_webapps_autodeploy }}">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+{% if tomcat_access_log_enabled %}
+        <!-- Automatically substitutes the IP with the one contained
+             in the x-forwarded-for header if that header is set -->
+        <Valve className="org.apache.catalina.valves.RemoteIpValve" />
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="combined" -->
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access." suffix="log"
+{% if tomcat_direct_access %}
+               pattern="combined"
+{% else %}
+               pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i"
+	           rotatable="False"
+{% endif %}
+	       />
+{% endif %}
+      </Host>
+    </Engine>
+  </Service>
+</Server>

templates/tomcat-users.xml.j2

@@ -0,0 +1,40 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<tomcat-users>
+<!--
+  NOTE:  By default, no user is included in the "manager-gui" role required
+  to operate the "/manager/html" web application.  If you wish to use this app,
+  you must define such a user - the username and password are arbitrary.
+-->
+{% if tomcat_manager_gui_user_enabled %}
+  <role rolename="{{ tomcat_manager_gui_r }}"/>
+  <user username="{{ tomcat_manager_gui_user }}" password="{{ tomcat_manager_gui_pwd }}" roles="{{ tomcat_manager_gui_r }}"/>
+{% endif %}
+{% if tomcat_manager_script_user_enabled %}
+  <role rolename="{{ tomcat_manager_script_r }}"/>
+  <user username="{{ tomcat_manager_script_user }}" password="{{ tomcat_manager_script_pwd }}" roles="{{ tomcat_manager_script_r }}"/>
+{% endif %}
+{% if tomcat_manager_jmx_user_enabled %}
+  <role rolename="{{ tomcat_manager_jmx_r }}"/>
+  <user username="{{ tomcat_manager_jmx_user }}" password="{{ tomcat_manager_jmx_pwd }}" roles="{{ tomcat_manager_jmx_r }}"/>
+{% endif %}
+{% if tomcat_manager_status_user_enabled %}
+  <role rolename="{{ tomcat_manager_status_r }}"/>
+  <user username="{{ tomcat_manager_status_user }}" password="{{ tomcat_manager_status_pwd }}" roles="{{ tomcat_manager_status_r }}"/>
+{% endif %}
+</tomcat-users>

templates/tomcat_access.logrotate.j2

@@ -0,0 +1,8 @@
+{{ tomcat_logdir }}/localhost_access.log {
+  copytruncate
+  {{ tomcat_access_log_rotation_freq }}
+  rotate {{ tomcat_retain_old_logs }}
+  compress
+  missingok
+  create 640 {{ tomcat_user }} adm
+}