ISTI-ansible-roles
/
ansible-roles
4
0
Fork 3
Code Issues Pull Requests Releases Wiki Activity

Merge pull request 'sync with the d4science ansible library.' (#207) from adellam/ansible-roles:master into master

This commit is contained in:
Andrea Dell'Amico 2020-05-25 19:40:18 +02:00
parent bda5dd7295 e448415ec8
commit 1b887b7606
31 changed files with 279 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
library/roles/ELK/elasticsearch/tasks/plugins.yml
View File

@ -1,16 +0,0 @@
---
- block:
- name: Manage a list of elasticsearch plugins
elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }}
with_items: '{{ elasticsearch_plugins | default ([]) }}'
- name: Install the elasticsearch HQ plugin
elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }}
with_items: '{{ elasticsearch_hq_plugin | default ([]) }}'
when:
- elasticsearch_major_version <= 2
- elasticsearch_hq_install
when: elasticsearch_plugins is defined
tags: [ 'elasticsearch', 'es_plugins' ]

4
library/roles/R/defaults/main.yml
View File

@ -10,8 +10,8 @@
# The install/remove script has been taken from here: http://adamj.eu/tech/2014/07/19/installing-and-removing-r-packages-with-ansible/
#
# Set to present if you want install from CRAN
r_install_cran_repo: absent
# Set to True if you want install from the CRAN deb repository
r_install_cran_repo: False
#r_cran_mirror_site: http://cran.rstudio.com
r_cran_set_default_mirror: True
r_cran_mirror_site: https://cran.mirror.garr.it/mirrors/CRAN/

18
library/roles/R/tasks/r-installation.yml
View File

@ -1,10 +1,20 @@
---
- name: Manage the cran repository key
apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state={{ r_install_cran_repo }}
- block:
- name: Add the cran repository key
apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state=present
tags: [ 'r_software', 'r_repo', 'r_repo_key' ]
- name: Manage the cran repository definition
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
- name: Add the CRAN repository
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=present update_cache=yes
when: r_install_cran_repo | bool
tags: [ 'r_software', 'r_repo' ]
- block:
- name: Remove the CRAN repository
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=absent update_cache=yes
when: not r_install_cran_repo | bool
tags: [ 'r_software', 'r_repo' ]
- name: Remove the hold state from the debian R packages

6
library/roles/apache/tasks/apache-letsencrypt.yml
View File

@ -25,8 +25,8 @@
copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/apache2 owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- apache_letsencrypt_managed
- letsencrypt_acme_install is defined and letsencrypt_acme_install | bool
- apache_letsencrypt_managed | bool
tags: [ 'apache', 'letsencrypt' ]
- block:
@ -38,6 +38,6 @@
- name: Remove the letsencrypt hook for apache
file: path={{ letsencrypt_acme_services_scripts_dir }}/apache2 state=absent
when: not apache_letsencrypt_managed
when: not apache_letsencrypt_managed | bool
tags: [ 'apache', 'letsencrypt' ]

25
library/roles/ckan/ckan/defaults/main.yml
View File

@ -75,11 +75,23 @@ ckan_ldap_fallback: True
ckan_ckanext_lire: False
ckan_ckanext_lire_n: lire
ckan_ckanext_lire_url: 'https://github.com/milicp/ckanext-lire.git'
# OAI-PMH
ckan_oai_pmh: False
# Kata OAI-PMH
ckan_kata_oai_pmh: False
ckan_oai_pmh_name: oaipmh
ckan_oai_pmh_state: absent
ckan_oai_pmh_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm'
ckan_oai_pmh_url: 'git+https://github.com/kata-csc/ckanext-oaipmh#egg=ckanext-oaipmh'
ckan_oai_pmh_kata_plugin_url: 'git+https://github.com/kata-csc/ckanext-kata.git#egg=ckanext-kata'
ckan_oai_pmh_kata_ini_state: 'present'
ckan_oai_pmh_kata_ini_options:
- { section: 'app:main', option: 'kata.storage.malware_scan', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
- { section: 'app:main', option: 'kata.ldap.enabled', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
- { section: 'app:main', option: 'kata.disable_contact', value: 'true', state: '{{ ckan_oai_pmh_kata_ini_state }}' }
# OLD OAI-PMH
ckan_oai_pm: False
ckan_oai_pm_name: oaipmh
ckan_oai_pm_state: absent
ckan_oai_pm_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm'
# Google analytics
ckan_google_analytics: False
ckan_ga_plugin_state: '{{ ckan_plugins_state }}'
@ -93,6 +105,10 @@ ckan_star_ratings_name: rating
ckan_star_ratings_url: 'git+https://github.com/6aika/ckanext-rating.git#egg=ckanext-rating'
ckan_memcache_sessions: False
ckan_memcache_deb_pkgs:
- libmemcached10
- libmemcached-dev
ckan_memcache_ini_opts:
- { section: 'app:main', option: 'beaker.session.type', value: 'ext:memcached', state: 'present' }
- { section: 'app:main', option: 'beaker.session.url ', value: "{{ mc_ipaddress | default('127.0.0.1') }}:{{ mc_port | default('11211') }}", state: 'present' }
@ -138,6 +154,9 @@ ckan_pip_dependencies:
- xmltodict
- ndg-httpsclient
- pyasn1
- enum
- ipaddress
- x509
ckan_pip_versioned_dependencies:
- { name: 'SQLAlchemy', version: '0.9.6', state: 'present' }

10
library/roles/ckan/ckan/tasks/ckan-config.yml
View File

@ -1,9 +1,17 @@
---
- name: Configure the CKAN plugins list into the configuration file
ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=yes
ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no
with_items: '{{ ckan_production_ini_plugins_opts }}'
notify:
- Restart CKAN
- Restart fetch and gather consumers
tags: [ 'ckan', 'ckan_ini', 'ckan_plugins' ]
- name: Configure the CKAN options used by the KATA plugin
ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no
with_items: '{{ ckan_oai_pmh_kata_ini_options }}'
notify:
- Restart CKAN
- Restart fetch and gather consumers
tags: [ 'ckan', 'ckan_ini', 'ckan_plugins', 'ckan_oai_pmh' ]

10
library/roles/ckan/ckan/tasks/ckan-memcache.yml
View File

@ -1,4 +1,11 @@
---
- block:
- name: Install the memcache library deb package
apt: pkg={{ ckan_memcache_deb_pkgs }} state=present cache_valid_time=1800
when: ckan_memcache_sessions is defined and ckan_memcache_sessions
tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ]
- block:
- name: Install the memcache library
pip: name=pylibmc virtualenv={{ ckan_virtenv }} state=present
@ -9,9 +16,6 @@
tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ]
- block:
- name: Install the memcache library deb package
apt: pkg=libmemcached10 state=present update_cache=yes cache_valid_time=1800
- name: Configure CKAN so that it uses memcache for its sessions
ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }}
with_items: '{{ ckan_memcache_ini_opts }}'

32
library/roles/ckan/ckan/tasks/ckan-plugins.yml
View File

@ -6,6 +6,10 @@
tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ]
- block:
- name: Upgrade pip inside the virtualenv
pip: name=pip virtualenv={{ ckan_virtenv }} state=latest
tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ]
- name: Install some python versioned plugins dependencies inside the CKAN virtualenv
pip: name={{ item.name }} virtualenv={{ ckan_virtenv }} version={{ item.version }} state={{ item.state }}
with_items: '{{ ckan_pip_versioned_dependencies }}'
@ -165,12 +169,36 @@
notify: Restart CKAN
tags: [ 'ckan', 'ckan_lire', 'ckan_plugins' ]
- name: Download the CKAN OAI-PMH plugin
- name: Download the KATA CKAN OAI-PMH plugin
pip: name='{{ ckan_oai_pmh_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
when: ckan_oai_pmh | bool
when: ckan_kata_oai_pmh | bool
notify: Restart CKAN
tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
- name: Download the KATA CKAN ckanext-oaiphm requirements
pip: requirements={{ ckan_virtenv }}/src/ckanext-oaipmh/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
when: ckan_kata_oai_pmh | bool
notify: Restart CKAN
tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
- name: Download the KATA CKAN plugin
pip: name='{{ ckan_oai_pmh_kata_plugin_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
when: ckan_kata_oai_pmh | bool
notify: Restart CKAN
tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
- name: Download the KATA CKAN requirements
pip: requirements={{ ckan_virtenv }}/src/ckanext-kata/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
when: ckan_kata_oai_pmh | bool
notify: Restart CKAN
tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
- name: Download the opendatasoft CKAN OAI-PMH plugin
pip: name='{{ ckan_oai_pm_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
when: ckan_oai_pm | bool
notify: Restart CKAN
tags: [ 'ckan', 'ckan_oai_pm', 'ckan_plugins' ]
- name: Download the CKAN google analytics plugin python requirements
pip: name='genshi' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
when: ckan_google_analytics | bool

17
library/roles/deb-set-hostname/tasks/main.yml
View File

@ -1,17 +0,0 @@
---
- name: Set the hostname when different from the inventory one.
hostname: name={{ hostname }}
when: hostname is defined
tags: [ 'bootstrap', 'set_hostname' ]
- name: Set the hostname as defined in the inventory
hostname: name={{ inventory_hostname }}
when: hostname is not defined
tags: [ 'bootstrap', 'set_hostname' ]
- name: Add the hostname to /etc/hosts
shell: grep -v {{ ansible_default_ipv4.address }} /etc/hosts > /etc/hosts.tmp ; echo "{{ ansible_default_ipv4.address }} {{ hostname }} {{ ansible_hostname }}" >> /etc/hosts.tmp ; /bin/mv /etc/hosts.tmp /etc/hosts
when:
- hostname is defined
- ansible_virtualization_type == 'xen'
tags: [ 'bootstrap', 'set_hostname' ]

8
library/roles/deb-set-locale/defaults/main.yml
View File

@ -1,8 +0,0 @@
---
deb_default_locale: "en_US.UTF-8"
deb_locales_list:
- { name: '{{ deb_default_locale }}' }
- { name: 'en_US' }
- { name: 'it_IT.UTF-8' }
- { name: 'it_IT' }

10
library/roles/deb-set-locale/tasks/main.yml
View File

@ -1,10 +0,0 @@
---
- block:
- name: Add/remove a list of locales
locale_gen: name={{ item.name }} state={{ item.state | default('present') }}
with_items: '{{ deb_locales_list }}'
- name: Set the default locale
shell: update-locale LANG={{ deb_default_locale }}
tags: locale

8
library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2
View File

@ -330,11 +330,13 @@
</init-param>
<!--
Specified what geonetwork data directory to use.
Specified what geonetwork data directory to use. -->
<init-param>
<param-name>geonetwork.dir</param-name>
<param-value>/app/geonetwork_data_dir</param-value>
</init-param>-->
<param-value>{{ geonetwork_data_directory }}</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>

6
library/roles/hdf5/defaults/main.yml
View File

@ -7,3 +7,9 @@ hdf5_pkgs_list:
- hdf5-helpers
- libhdf5-10
- libhdf5-dev
hdf5_bionic_pkgs_list:
- hdf5-tools
- hdf5-helpers
- libhdf5-100
- libhdf5-dev

11
library/roles/hdf5/tasks/main.yml
View File

@ -7,7 +7,14 @@
apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes
- name: Install the hdf5 packages
apt: pkg={{ item }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
with_items: '{{ hdf5_pkgs_list }}'
apt: pkg={{ hdf5_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
when: ansible_distribution_release == 'trusty'
tags: [ 'hdf5' ]
- block:
- name: Install the hdf5 packages
apt: pkg={{ hdf5_bionic_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600
when: ansible_distribution_release == 'bionic'
tags: [ 'hdf5' ]

2
library/roles/motd/tasks/deb_motd.yml
View File

@ -15,4 +15,6 @@
creates: /etc/.custom_motd
ignore_errors: True
when:
- ( ansible_distribution == 'Ubuntu' ) or ( ansible_distribution == 'Debian' and ansible_distribution_major_version >= '9' )
tags: motd

15
library/roles/pandoc/tasks/main.yml
View File

@ -1,8 +1,17 @@
---
- name: Get the pandoc deb package
- block:
- name: Get the pandoc deb package
get_url: url={{pandoc_pkg_url}} dest=/srv/{{ pandoc_pkg_file }}
- name: Install the pandoc deb package
apt: deb=/srv/{{ pandoc_pkg_file }}
when: ansible_facts['distribution_version'] is version('16.04', '<')
tags: pandoc
- name: Install the pandoc deb package
apt: deb=/srv/{{ pandoc_pkg_file }}
- block:
- name: Install the pandoc deb package, distribution version
apt: pkg=pandoc state=present cache_valid_time=3600
when: ansible_facts['distribution_version'] is version('16.04', '>=')
tags: pandoc

22
library/roles/python-env/tasks/main.yml
View File

@ -4,33 +4,31 @@
apt: name={{ py_env_basic_pkgs | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
when:
- py_env_install
- is_not_trusty
- py_env_install | bool
- ansible_facts['distribution_version'] is version('16.04', '>=')
tags: [ "python", "py_env" ]
- block:
- name: Remove python deb packages
apt: name={{ py_env_dpkg_toremove | default([]) }} state=absent
when:
- py_env_install
when: py_env_install | bool
tags: [ "python", "py_env", "py_env_pkgs" ]
- block:
- name: Install python deb packages
apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
- name: Install deb packages needed to compile the pip modules
apt: name={{ py_pip_deps | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
- name: Install a list of pip packages
pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest
- name: Install a list of versioned pip packages
pip: name={{ item.pkg }} version={{ item.version }}
with_items: '{{ py_env_versioned_pip_pkgs | default ([]) }}'
when:
- py_env_install
- name: Install a list of pip packages
pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest
- name: Install python deb packages
apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600
when: py_env_install | bool
tags: [ "python", "py_env", "py_env_pkgs" ]

3
library/roles/timezone/defaults/main.yml
View File

@ -1,3 +0,0 @@
---
timezone: "Europe/Rome"

16
library/roles/timezone/tasks/main.yml
View File

@ -1,16 +0,0 @@
---
- name: Set the timezone on Ubuntu >=18
command: timedatectl set-timezone {{ timezone }}
when: ansible_distribution_version is version_compare('18.04', '>=')
tags: timezone
- name: Write the timezone file
template: src=etc-timezone.j2 dest=/etc/timezone owner=root group=root mode=0644
register: set_timezone
tags: timezone
- name: Reconfigure the system tzdata
command: dpkg-reconfigure --frontend noninteractive tzdata
when: set_timezone is changed
tags: timezone

1
library/roles/timezone/templates/etc-timezone.j2
View File

@ -1 +0,0 @@
{{ timezone }}

9
library/roles/tomcat-multiple-instances/defaults/main.yml
View File

@ -59,7 +59,12 @@ tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC"
tomcat_m_reverse_proxy_name_enabled: False
tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}'
tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}'
tomcat_m_proxy_enabled: False
tomcat_m_proxy_http_host: 'localhost'
tomcat_m_proxy_http_port: '3128'
tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}'
tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}'
tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}"
tomcat_m_other_java_opts: ""
tomcat_m_webapps_autodeploy: False
tomcat_m_webapps_unpack: False
@ -89,5 +94,5 @@ tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}'
# This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
#
#tomcat_m_instances:
# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }

7
library/roles/tomcat-multiple-instances/templates/tomcat-default.j2
View File

@ -29,6 +29,13 @@ JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN"
{% if item.java_gc_opts is defined %}
JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
{% endif %}
{% if item.proxy_enabled is defined and item.proxy_enabled %}
{% if item.proxy_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}"
{% else %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}"
{% endif %}
{% endif %}
{% if item.other_java_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
{% endif %}

6
library/roles/tomcat/defaults/main.yml
View File

@ -27,6 +27,12 @@ tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}"
tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
#tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
tomcat_proxy_enabled: False
tomcat_proxy_http_host: 'localhost'
tomcat_proxy_http_port: '3128'
tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}'
tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}'
tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}"
tomcat_other_java_opts: ""
tomcat_install_server_xml: True
tomcat_install_default_conf: True

3
library/roles/tomcat/templates/tomcat-default.j2
View File

@ -35,6 +35,9 @@ JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS"
{% if tomcat_java_gc_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
{% endif %}
{% if tomcat_proxy_enabled %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}"
{% endif %}
{% if tomcat_other_java_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
{% endif %}

5
library/roles/ubuntu-deb-general/defaults/main.yml
View File

@ -34,6 +34,8 @@ common_packages:
default_python_packages_trusty:
- python-software-properties
- python-lxml
- python-boto
default_python_packages:
- python-lxml
@ -144,9 +146,6 @@ default_security_limits: '{{ root_security_limits }}'
# - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
# - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'
#
infrascience_internal_ppa: False
#
# debian/ubuntu distributions controllers
#

6
library/roles/ubuntu-deb-general/meta/main.yml
View File

@ -1,10 +1,8 @@
---
dependencies:
- role: '../../library/roles/deb-apt-setup'
- role: '../../library/roles/ubuntu-python-setup'
- role: '../../library/roles/deb-set-hostname'
- role: '../../library/roles/deb-set-locale'
- role: '../../library/roles/timezone'
- { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
- role: 'basic-system-setup'
- role: '../../library/roles/motd'
- role: '../../library/roles/ntp'
- role: '../../library/roles/linux-kernel-sysctl'

57
library/roles/ubuntu-deb-general/tasks/packages.yml
View File

@ -3,18 +3,24 @@
apt: pkg=aptitude state=present cache_valid_time=1800
tags: packages
- name: Install the basic python packages
apt: pkg={{ default_python_packages }} state=present update_cache=yes cache_valid_time=1800
- name: Install the basic python packages. Not Trusty
apt: pkg={{ default_python_packages }} state=present cache_valid_time=1800
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_release != "trusty"
tags: packages
- name: Install the basic python packages on trusty
apt: pkg={{ default_python_packages_trusty }} state=present update_cache=yes cache_valid_time=1800
when: is_trusty | bool
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_release == "trusty"
tags: packages
- name: Install software-properties-common if needed
apt: pkg=software-properties-common state=present update_cache=yes cache_valid_time=1800
when: is_ubuntu | bool
when:
- ansible_distribution == "Ubuntu"
tags: packages
- name: Default the backports repository on debian 7
@ -32,49 +38,6 @@
when: is_debian8 | bool
tags: jessie-backports
- name: apt key for the internal ppa repository
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
when:
- is_ubuntu | bool
- egi_image is not defined or not egi_image
- infrascience_internal_ppa | bool
ignore_errors: True
tags: packages
- name: Remove the broken system apt repository
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system stable main' state=absent
when: is_ubuntu | bool
tags: packages
- name: setup system apt repository
apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system stable main' update_cache=yes
when:
- is_ubuntu | bool
- infrascience_internal_ppa | bool
ignore_errors: True
tags: packages
- name: Remove the broken system apt repository for specific distributions
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' state=absent
when: is_trusty | bool
tags: packages
- name: setup system apt repository for specific distributions
apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' update_cache=yes
when:
- is_trusty | bool
- infrascience_internal_ppa | bool
ignore_errors: True
tags: packages
- name: Setup the infrascience trusty repository
apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes
when:
- is_trusty | bool
- infrascience_internal_ppa | bool
ignore_errors: True
tags: packages
- name: install common packages
apt: pkg={{ common_packages }} state={{ pkg_state }} update_cache=yes cache_valid_time=1800
tags: [ 'packages', 'common_pkgs' ]

69
library/roles/ubuntu-deb-general/templates/ntp.conf.j2 Normal file
View File

@ -0,0 +1,69 @@
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
{% if nagios_monitoring_server_ip is defined %}
{% for ip in nagios_monitoring_server_ip %}
restrict {{ ip }} mask 255.255.255.255
{% endfor %}
{% endif %}
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
#Changes recquired to use pps synchonisation as explained in documentation:
#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
#server 127.127.22.1 # ATOM(PPS)
#fudge 127.127.22.1 flag3 1 # enable PPS API

7
library/roles/ubuntu-python-setup/defaults/main.yml
View File

@ -1,10 +1,12 @@
---
python_pkgs_state: present
python_get_pip_url: https://bootstrap.pypa.io/get-pip.py
python_force_pip_fix: False
force_python_fix: False
python_basic_pkgs:
- python-pip
- python-requests
- python-lxml
python_pip_dev_packages:
- libpython-dev
@ -19,4 +21,5 @@ python_pip_fix_ssl_warnings:
- ndg-httpsclient
- urllib3
- pyasn1
- ipaddress
- enum

15
library/roles/ubuntu-python-setup/tasks/main.yml
View File

@ -1,7 +1,16 @@
---
- block:
- name: Check if the pip downloader is already installed
stat:
path: '/usr/local/lib/get-pip.py'
get_checksum: yes
follow: no
checksum_algorithm: sha256
register: get_pip_file
- name: Install the get-pip.py pip downloader
get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py
get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py #checksum="sha256:{{ get_pip_file.stat.checksum }}"
when: not get_pip_file.stat.exists
- name: Install a script that fixes the broken trusty pip package
copy: src=pip-fixer.sh dest=/usr/local/bin/python-pip-fixer mode=0755 owner=root group=root
@ -9,7 +18,7 @@
- name: Fix the trusty pip installation
shell: /usr/local/bin/python-pip-fixer
when: python_pip_fixer is changed or python_force_pip_fix
when: python_pip_fixer is changed or force_python_fix | bool
- name: Install the python dev headers and other dev requirements
apt: pkg={{ python_pip_dev_packages }} state={{ python_pkgs_state }} update_cache=yes cache_valid_time=1800
@ -27,5 +36,5 @@
pip: name={{ python_pip_fix_ssl_warnings | default ([]) }} state={{ python_pkgs_state }}
register: python_pip_env_workaround
when: is_trusty
when: ansible_distribution_release == "trusty"
tags: [ "python", 'py_env', 'ansible_setup' ]

23
library/roles/users/tasks/main.yml
View File

@ -47,7 +47,17 @@
with_items: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root )
- item.log_as_root is defined
- item.log_as_root
- name: ensure that the users can not login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
with_items: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
when: users_system_users is defined
tags: users
@ -81,7 +91,16 @@
with_items: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root )
- item.log_as_root is defined
- item.log_as_root
- name: ensure that the additional users cannot login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
with_items: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
when: users_system_users_adjunct is defined
tags: users