Merge pull request 'sync with the d4science ansible library.' (#207) from adellam/ansible-roles:master into master

library/roles/ELK/elasticsearch/tasks/plugins.yml

@@ -1,16 +0,0 @@
----
-- block:
-    - name: Manage a list of elasticsearch plugins
-      elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }}
-      with_items: '{{ elasticsearch_plugins | default ([]) }}'
-
-    - name: Install the elasticsearch HQ plugin
-      elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }}
-      with_items: '{{ elasticsearch_hq_plugin | default ([]) }}'
-      when:
-        - elasticsearch_major_version <= 2
-        - elasticsearch_hq_install
-
-  when: elasticsearch_plugins is defined
-  tags: [ 'elasticsearch', 'es_plugins' ]
-    

library/roles/R/defaults/main.yml

@@ -10,8 +10,8 @@
 # The install/remove script has been taken from here: http://adamj.eu/tech/2014/07/19/installing-and-removing-r-packages-with-ansible/
 #
 
-# Set to present if you want install from CRAN
-r_install_cran_repo: absent
+# Set to True if you want install from the CRAN deb repository
+r_install_cran_repo: False
 #r_cran_mirror_site: http://cran.rstudio.com
 r_cran_set_default_mirror: True
 r_cran_mirror_site: https://cran.mirror.garr.it/mirrors/CRAN/

library/roles/R/tasks/r-installation.yml

@@ -1,10 +1,20 @@
 ---
-- name: Manage the cran repository key
-  apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state={{ r_install_cran_repo }}
+- block:
+  - name: Add the cran repository key
+    apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state=present
     tags: [ 'r_software', 'r_repo', 'r_repo_key' ]
 
-- name: Manage the cran repository definition
-  apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
+  - name: Add the CRAN repository
+    apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=present update_cache=yes
+
+  when: r_install_cran_repo | bool
+  tags: [ 'r_software', 'r_repo' ]
+
+- block:
+  - name: Remove the CRAN repository
+    apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=absent update_cache=yes
+
+  when: not r_install_cran_repo | bool
   tags: [ 'r_software', 'r_repo' ]
 
 - name: Remove the hold state from the debian R packages

library/roles/apache/tasks/apache-letsencrypt.yml

@@ -25,8 +25,8 @@
       copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/apache2 owner=root group=root mode=4555
 
   when:
-    - letsencrypt_acme_install is defined and letsencrypt_acme_install
-    - apache_letsencrypt_managed
+    - letsencrypt_acme_install is defined and letsencrypt_acme_install | bool
+    - apache_letsencrypt_managed | bool
   tags: [ 'apache', 'letsencrypt' ]
 
 - block:
@@ -38,6 +38,6 @@
     - name: Remove the letsencrypt hook for apache
       file: path={{ letsencrypt_acme_services_scripts_dir }}/apache2 state=absent
 
-  when: not apache_letsencrypt_managed
+  when: not apache_letsencrypt_managed | bool
   tags: [ 'apache', 'letsencrypt' ]
 

library/roles/ckan/ckan/defaults/main.yml

@@ -75,11 +75,23 @@ ckan_ldap_fallback: True
 ckan_ckanext_lire: False
 ckan_ckanext_lire_n: lire
 ckan_ckanext_lire_url: 'https://github.com/milicp/ckanext-lire.git'
-# OAI-PMH
-ckan_oai_pmh: False
+# Kata OAI-PMH
+ckan_kata_oai_pmh: False
 ckan_oai_pmh_name: oaipmh
 ckan_oai_pmh_state: absent
-ckan_oai_pmh_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm'
+ckan_oai_pmh_url: 'git+https://github.com/kata-csc/ckanext-oaipmh#egg=ckanext-oaipmh'
+ckan_oai_pmh_kata_plugin_url: 'git+https://github.com/kata-csc/ckanext-kata.git#egg=ckanext-kata'
+ckan_oai_pmh_kata_ini_state: 'present'
+ckan_oai_pmh_kata_ini_options:
+  - { section: 'app:main', option: 'kata.storage.malware_scan', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
+  - { section: 'app:main', option: 'kata.ldap.enabled', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
+  - { section: 'app:main', option: 'kata.disable_contact', value: 'true', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
+
+# OLD OAI-PMH
+ckan_oai_pm: False
+ckan_oai_pm_name: oaipmh
+ckan_oai_pm_state: absent
+ckan_oai_pm_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm'
 # Google analytics
 ckan_google_analytics: False
 ckan_ga_plugin_state: '{{ ckan_plugins_state }}'
@@ -93,6 +105,10 @@ ckan_star_ratings_name: rating
 ckan_star_ratings_url: 'git+https://github.com/6aika/ckanext-rating.git#egg=ckanext-rating'
 
 ckan_memcache_sessions: False
+ckan_memcache_deb_pkgs:
+  - libmemcached10
+  - libmemcached-dev
+
 ckan_memcache_ini_opts:
   - { section: 'app:main', option: 'beaker.session.type', value: 'ext:memcached', state: 'present' }
   - { section: 'app:main', option: 'beaker.session.url ', value: "{{ mc_ipaddress | default('127.0.0.1') }}:{{ mc_port | default('11211') }}", state: 'present' }
@@ -138,6 +154,9 @@ ckan_pip_dependencies:
   - xmltodict
   - ndg-httpsclient
   - pyasn1
+  - enum
+  - ipaddress
+  - x509
 
 ckan_pip_versioned_dependencies:
   - { name: 'SQLAlchemy', version: '0.9.6', state: 'present' }

library/roles/ckan/ckan/tasks/ckan-config.yml

@@ -1,9 +1,17 @@
 ---
 - name: Configure the CKAN plugins list into the configuration file
-  ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=yes
+  ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no
   with_items: '{{ ckan_production_ini_plugins_opts }}'
   notify:
     - Restart CKAN
     - Restart fetch and gather consumers
   tags: [ 'ckan', 'ckan_ini', 'ckan_plugins' ]
 
+- name: Configure the CKAN options used by the KATA plugin 
+  ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no
+  with_items: '{{ ckan_oai_pmh_kata_ini_options }}'
+  notify:
+    - Restart CKAN
+    - Restart fetch and gather consumers
+  tags: [ 'ckan', 'ckan_ini', 'ckan_plugins', 'ckan_oai_pmh' ]
+

library/roles/ckan/ckan/tasks/ckan-memcache.yml

@@ -1,4 +1,11 @@
 ---
+- block:
+  - name: Install the memcache library deb package
+    apt: pkg={{ ckan_memcache_deb_pkgs }} state=present cache_valid_time=1800
+
+  when: ckan_memcache_sessions is defined and ckan_memcache_sessions
+  tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ]
+
 - block:
   - name: Install the memcache library
     pip: name=pylibmc virtualenv={{ ckan_virtenv }} state=present
@@ -9,9 +16,6 @@
   tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ]
 
 - block:
-  - name: Install the memcache library deb package
-    apt: pkg=libmemcached10 state=present update_cache=yes cache_valid_time=1800
-
   - name: Configure CKAN so that it uses memcache for its sessions
     ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }}
     with_items: '{{ ckan_memcache_ini_opts }}'

library/roles/ckan/ckan/tasks/ckan-plugins.yml

@@ -6,6 +6,10 @@
   tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ]
 
 - block:
+    - name: Upgrade pip inside the virtualenv
+      pip: name=pip virtualenv={{ ckan_virtenv }} state=latest
+      tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ]
+
     - name: Install some python versioned plugins dependencies inside the CKAN virtualenv
       pip: name={{ item.name }} virtualenv={{ ckan_virtenv }} version={{ item.version }} state={{ item.state }}
       with_items: '{{ ckan_pip_versioned_dependencies }}'
@@ -165,12 +169,36 @@
       notify: Restart CKAN 
       tags: [ 'ckan', 'ckan_lire', 'ckan_plugins' ]
 
-    - name: Download the CKAN OAI-PMH plugin
+    - name: Download the KATA CKAN OAI-PMH plugin
       pip: name='{{ ckan_oai_pmh_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-      when: ckan_oai_pmh | bool
+      when: ckan_kata_oai_pmh | bool
       notify: Restart CKAN 
       tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
 
+    - name: Download the KATA CKAN ckanext-oaiphm requirements
+      pip: requirements={{ ckan_virtenv }}/src/ckanext-oaipmh/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
+      when: ckan_kata_oai_pmh | bool
+      notify: Restart CKAN 
+      tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
+
+    - name: Download the KATA CKAN plugin
+      pip: name='{{ ckan_oai_pmh_kata_plugin_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
+      when: ckan_kata_oai_pmh | bool
+      notify: Restart CKAN 
+      tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
+
+    - name: Download the KATA CKAN  requirements
+      pip: requirements={{ ckan_virtenv }}/src/ckanext-kata/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
+      when: ckan_kata_oai_pmh | bool
+      notify: Restart CKAN 
+      tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
+
+    - name: Download the opendatasoft CKAN OAI-PMH plugin
+      pip: name='{{ ckan_oai_pm_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
+      when: ckan_oai_pm | bool
+      notify: Restart CKAN 
+      tags: [ 'ckan', 'ckan_oai_pm', 'ckan_plugins' ]
+
     - name: Download the CKAN google analytics plugin python requirements
       pip: name='genshi' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
       when: ckan_google_analytics | bool

library/roles/deb-set-hostname/tasks/main.yml

@@ -1,17 +0,0 @@
----
-- name: Set the hostname when different from the inventory one.
-  hostname: name={{ hostname }}
-  when: hostname is defined
-  tags: [ 'bootstrap', 'set_hostname' ]
-
-- name: Set the hostname as defined in the inventory
-  hostname: name={{ inventory_hostname  }}
-  when: hostname is not defined
-  tags: [ 'bootstrap', 'set_hostname' ]
-
-- name: Add the hostname to /etc/hosts
-  shell: grep -v {{ ansible_default_ipv4.address }} /etc/hosts > /etc/hosts.tmp ; echo "{{ ansible_default_ipv4.address }} {{ hostname }} {{ ansible_hostname }}" >> /etc/hosts.tmp ; /bin/mv /etc/hosts.tmp /etc/hosts
-  when:
-    - hostname is defined
-    - ansible_virtualization_type == 'xen'
-  tags: [ 'bootstrap', 'set_hostname' ]

library/roles/deb-set-locale/defaults/main.yml

@@ -1,8 +0,0 @@
----
-deb_default_locale: "en_US.UTF-8"
-deb_locales_list:
-  - { name: '{{ deb_default_locale }}' }
-  - { name: 'en_US' }
-  - { name: 'it_IT.UTF-8' }
-  - { name: 'it_IT' }
-

library/roles/deb-set-locale/tasks/main.yml

@@ -1,10 +0,0 @@
----
-- block:
-    - name: Add/remove a list of locales
-      locale_gen: name={{ item.name }} state={{ item.state | default('present') }}
-      with_items: '{{ deb_locales_list }}'
-
-    - name: Set the default locale
-      shell: update-locale LANG={{ deb_default_locale }}
-
-  tags: locale

library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2

@@ -330,11 +330,13 @@
     </init-param>
 
     <!--
-        Specified what geonetwork data directory to use.
+        Specified what geonetwork data directory to use. -->
         <init-param>
         <param-name>geonetwork.dir</param-name>
-        <param-value>/app/geonetwork_data_dir</param-value>
-    </init-param>-->
+        <param-value>{{ geonetwork_data_directory }}</param-value>
+    </init-param>
+
+
     <load-on-startup>1</load-on-startup>
   </servlet>
 

library/roles/hdf5/defaults/main.yml

@@ -7,3 +7,9 @@ hdf5_pkgs_list:
   - hdf5-helpers
   - libhdf5-10
   - libhdf5-dev
+
+hdf5_bionic_pkgs_list:
+  - hdf5-tools
+  - hdf5-helpers
+  - libhdf5-100
+  - libhdf5-dev

library/roles/hdf5/tasks/main.yml

@@ -7,7 +7,14 @@
     apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes
 
   - name: Install the hdf5 packages 
-    apt: pkg={{ item }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
-    with_items: '{{ hdf5_pkgs_list }}'
+    apt: pkg={{ hdf5_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
 
+  when: ansible_distribution_release == 'trusty'
+  tags: [ 'hdf5' ]
+
+- block:
+  - name: Install the hdf5 packages 
+    apt: pkg={{ hdf5_bionic_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
+
+  when: ansible_distribution_release == 'bionic'
   tags: [ 'hdf5' ]

library/roles/motd/tasks/deb_motd.yml

@@ -15,4 +15,6 @@
       creates: /etc/.custom_motd
     ignore_errors: True  
 
+  when:
+    - ( ansible_distribution == 'Ubuntu' ) or ( ansible_distribution == 'Debian' and ansible_distribution_major_version >= '9' )
   tags: motd

library/roles/pandoc/tasks/main.yml

@@ -1,8 +1,17 @@
 ---
+- block:
   - name: Get the pandoc deb package
     get_url: url={{pandoc_pkg_url}} dest=/srv/{{ pandoc_pkg_file }}
-  tags: pandoc
 
   - name: Install the pandoc deb package
     apt: deb=/srv/{{ pandoc_pkg_file }}
+
+  when: ansible_facts['distribution_version'] is version('16.04', '<')
+  tags: pandoc
+
+- block:
+  - name: Install the pandoc deb package, distribution version
+    apt: pkg=pandoc state=present cache_valid_time=3600
+
+  when: ansible_facts['distribution_version'] is version('16.04', '>=')
   tags: pandoc

library/roles/python-env/tasks/main.yml

@@ -4,33 +4,31 @@
       apt: name={{ py_env_basic_pkgs | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
 
   when:
-    - py_env_install
-    - is_not_trusty
+    - py_env_install | bool
+    - ansible_facts['distribution_version'] is version('16.04', '>=')
   tags: [ "python", "py_env" ]
   
 - block:
     - name: Remove python deb packages
       apt: name={{ py_env_dpkg_toremove | default([]) }} state=absent
 
-  when:
-    - py_env_install
+  when: py_env_install | bool
   tags: [ "python", "py_env", "py_env_pkgs" ]
 
 - block:
-    - name: Install python deb packages
-      apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
-
     - name: Install deb packages needed to compile the pip modules
       apt: name={{ py_pip_deps | default([]) }} state={{ py_env_pkgs_state }}  update_cache=yes cache_valid_time=600
 
-    - name: Install a list of pip packages
-      pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest
-
     - name: Install a list of versioned pip packages
       pip: name={{ item.pkg }} version={{ item.version }}
       with_items: '{{ py_env_versioned_pip_pkgs | default ([]) }}'
 
-  when:
-    - py_env_install
+    - name: Install a list of pip packages
+      pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest
+
+    - name: Install python deb packages
+      apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
+
+  when: py_env_install | bool
   tags: [ "python", "py_env", "py_env_pkgs" ]
 

library/roles/timezone/defaults/main.yml

@@ -1,3 +0,0 @@
----
-timezone: "Europe/Rome"
-

library/roles/timezone/tasks/main.yml

@@ -1,16 +0,0 @@
----
-- name: Set the timezone on Ubuntu >=18
-  command: timedatectl set-timezone {{ timezone }}
-  when: ansible_distribution_version is version_compare('18.04', '>=')
-  tags: timezone
-
-- name: Write the timezone file
-  template: src=etc-timezone.j2 dest=/etc/timezone owner=root group=root mode=0644
-  register: set_timezone
-  tags: timezone
-
-- name: Reconfigure the system tzdata
-  command: dpkg-reconfigure --frontend noninteractive tzdata
-  when: set_timezone is changed
-  tags: timezone
-

library/roles/timezone/templates/etc-timezone.j2

@@ -1 +0,0 @@
-{{ timezone }}

library/roles/tomcat-multiple-instances/defaults/main.yml

@@ -59,7 +59,12 @@ tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC"
 tomcat_m_reverse_proxy_name_enabled: False
 tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}'
 tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}'
-
+tomcat_m_proxy_enabled: False
+tomcat_m_proxy_http_host: 'localhost'
+tomcat_m_proxy_http_port: '3128'
+tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}'
+tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}'
+tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}"
 tomcat_m_other_java_opts: ""
 tomcat_m_webapps_autodeploy: False
 tomcat_m_webapps_unpack: False
@@ -89,5 +94,5 @@ tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}'
 # This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
 #
 #tomcat_m_instances:
-#  - {  http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
+#  - {  http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
 

library/roles/tomcat-multiple-instances/templates/tomcat-default.j2

@@ -29,6 +29,13 @@ JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN"
 {% if item.java_gc_opts is defined %}
 JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
 {% endif %}
+{% if item.proxy_enabled is defined and item.proxy_enabled %}
+{% if item.proxy_opts is defined  %}
+JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}"
+{% else %}
+JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}"
+{% endif %}
+{% endif %}
 {% if item.other_java_opts is defined %}
 JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
 {% endif %}

library/roles/tomcat/defaults/main.yml

@@ -27,6 +27,12 @@ tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}"
 tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
 tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
 #tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
+tomcat_proxy_enabled: False
+tomcat_proxy_http_host: 'localhost'
+tomcat_proxy_http_port: '3128'
+tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}'
+tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}'
+tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}"
 tomcat_other_java_opts: ""
 tomcat_install_server_xml: True
 tomcat_install_default_conf: True

library/roles/tomcat/templates/tomcat-default.j2

@@ -35,6 +35,9 @@ JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS"
 {% if tomcat_java_gc_opts is defined %}
 JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
 {% endif %}
+{% if tomcat_proxy_enabled %}
+JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}"
+{% endif %}
 {% if tomcat_other_java_opts is defined %}
 JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
 {% endif %}

library/roles/ubuntu-deb-general/defaults/main.yml

@@ -34,6 +34,8 @@ common_packages:
 
 default_python_packages_trusty:
   - python-software-properties
+  - python-lxml
+  - python-boto
 
 default_python_packages:
   - python-lxml
@@ -144,9 +146,6 @@ default_security_limits: '{{ root_security_limits }}'
 #   - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
 #   - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'
 
-#
-infrascience_internal_ppa: False
-
 #
 # debian/ubuntu distributions controllers
 #

library/roles/ubuntu-deb-general/meta/main.yml

@@ -1,10 +1,8 @@
 ---
 dependencies:
   - role: '../../library/roles/deb-apt-setup'
-  - role: '../../library/roles/ubuntu-python-setup'
-  - role: '../../library/roles/deb-set-hostname'
-  - role: '../../library/roles/deb-set-locale'
-  - role: '../../library/roles/timezone'
+  - { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
+  - role: 'basic-system-setup'
   - role: '../../library/roles/motd'
   - role: '../../library/roles/ntp'
   - role: '../../library/roles/linux-kernel-sysctl'

library/roles/ubuntu-deb-general/tasks/packages.yml

@@ -3,18 +3,24 @@
   apt: pkg=aptitude state=present cache_valid_time=1800
   tags: packages
 
-- name: Install the basic python packages
-  apt: pkg={{ default_python_packages }} state=present update_cache=yes cache_valid_time=1800
+- name: Install the basic python packages. Not Trusty
+  apt: pkg={{ default_python_packages }} state=present cache_valid_time=1800
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_release != "trusty"
   tags: packages
 
 - name: Install the basic python packages on trusty
   apt: pkg={{ default_python_packages_trusty }} state=present update_cache=yes cache_valid_time=1800
-  when: is_trusty | bool
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_release == "trusty"
   tags: packages
 
 - name: Install software-properties-common if needed
   apt: pkg=software-properties-common state=present update_cache=yes cache_valid_time=1800
-  when: is_ubuntu | bool
+  when:
+    - ansible_distribution == "Ubuntu"
   tags: packages
 
 - name: Default the backports repository on debian 7
@@ -32,49 +38,6 @@
   when: is_debian8 | bool
   tags: jessie-backports
 
-- name: apt key for the internal ppa repository
-  apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
-  when:
-    - is_ubuntu | bool
-    - egi_image is not defined or not egi_image
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Remove the broken system apt repository
-  apt_repository: repo='deb http://ppa.research-infrastructures.eu/system stable main' state=absent
-  when: is_ubuntu | bool
-  tags: packages
-
-- name: setup system apt repository
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system stable main' update_cache=yes
-  when:
-    - is_ubuntu | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Remove the broken system apt repository for specific distributions
-  apt_repository: repo='deb http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' state=absent
-  when: is_trusty | bool
-  tags: packages
-
-- name: setup system apt repository for specific distributions
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' update_cache=yes
-  when:
-    - is_trusty | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Setup the infrascience trusty repository
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes
-  when:
-    - is_trusty | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
 - name: install common packages
   apt: pkg={{ common_packages }} state={{ pkg_state }} update_cache=yes cache_valid_time=1800
   tags: [ 'packages', 'common_pkgs' ]

library/roles/ubuntu-deb-general/templates/ntp.conf.j2

@@ -0,0 +1,69 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+pool 2.ubuntu.pool.ntp.org iburst
+pool 3.ubuntu.pool.ntp.org iburst
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+{% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
+restrict {{ ip }} mask 255.255.255.255
+{% endfor %}
+{% endif %}
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+#Changes recquired to use pps synchonisation as explained in documentation:
+#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
+
+#server 127.127.8.1 mode 135 prefer    # Meinberg GPS167 with PPS
+#fudge 127.127.8.1 time1 0.0042        # relative to PPS for my hardware
+
+#server 127.127.22.1                   # ATOM(PPS)
+#fudge 127.127.22.1 flag3 1            # enable PPS API

library/roles/ubuntu-python-setup/defaults/main.yml

@@ -1,10 +1,12 @@
 ---
 python_pkgs_state: present
 python_get_pip_url: https://bootstrap.pypa.io/get-pip.py
-python_force_pip_fix: False
+force_python_fix: False
 
 python_basic_pkgs:
   - python-pip
+  - python-requests
+  - python-lxml
 
 python_pip_dev_packages:
   - libpython-dev
@@ -19,4 +21,5 @@ python_pip_fix_ssl_warnings:
   - ndg-httpsclient
   - urllib3
   - pyasn1
-
+  - ipaddress
+  - enum

library/roles/ubuntu-python-setup/tasks/main.yml

@@ -1,7 +1,16 @@
 ---
 - block:
+    - name: Check if the pip downloader is already installed
+      stat:
+        path: '/usr/local/lib/get-pip.py'
+        get_checksum: yes
+        follow: no
+        checksum_algorithm: sha256
+      register: get_pip_file
+
     - name: Install the get-pip.py pip downloader
-      get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py
+      get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py #checksum="sha256:{{ get_pip_file.stat.checksum }}"
+      when: not get_pip_file.stat.exists
 
     - name: Install a script that fixes the broken trusty pip package
       copy: src=pip-fixer.sh dest=/usr/local/bin/python-pip-fixer mode=0755 owner=root group=root
@@ -9,7 +18,7 @@
 
     - name: Fix the trusty pip installation
       shell: /usr/local/bin/python-pip-fixer
-      when: python_pip_fixer is changed or python_force_pip_fix
+      when: python_pip_fixer is changed or force_python_fix | bool
 
     - name: Install the python dev headers and other dev requirements
       apt: pkg={{ python_pip_dev_packages }} state={{ python_pkgs_state }} update_cache=yes cache_valid_time=1800
@@ -27,5 +36,5 @@
       pip: name={{ python_pip_fix_ssl_warnings | default ([]) }} state={{ python_pkgs_state }}
       register: python_pip_env_workaround
 
-  when: is_trusty
+  when: ansible_distribution_release == "trusty"
   tags: [ "python", 'py_env', 'ansible_setup' ]

library/roles/users/tasks/main.yml

@@ -47,7 +47,17 @@
       with_items: '{{ users_system_users }}'
       when:
         - item.ssh_key is defined
-        - ( item.log_as_root is defined ) and ( item.log_as_root )
+        - item.log_as_root is defined
+        - item.log_as_root
+
+    - name: ensure that the users can not login with their ssh keys as root
+      authorized_key: user=root key="{{ item.ssh_key }}" state=absent
+      with_items: '{{ users_system_users }}'
+      when:
+        - item.ssh_key is defined
+        - item.log_as_root is defined
+        - not item.log_as_root
+
 
   when: users_system_users is defined
   tags: users
@@ -81,7 +91,16 @@
       with_items: '{{ users_system_users_adjunct }}'
       when:
         - item.ssh_key is defined
-        - ( item.log_as_root is defined ) and ( item.log_as_root )
+        - item.log_as_root is defined
+        - item.log_as_root
+
+    - name: ensure that the additional users cannot login with their ssh keys as root
+      authorized_key: user=root key="{{ item.ssh_key }}" state=absent
+      with_items: '{{ users_system_users_adjunct }}'
+      when:
+        - item.ssh_key is defined
+        - item.log_as_root is defined
+        - not item.log_as_root
 
   when: users_system_users_adjunct is defined
   tags: users