From bf2d334aa8c6e545788b0f4739de1a6308815fc7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 18 Mar 2020 14:42:38 +0100
Subject: [PATCH 1/2] CKAN: some cleanups, fix the version of some python modules.

---
 library/roles/ckan/ckan/defaults/main.yml | 4 +-
 .../roles/ckan/ckan/tasks/ckan-plugins.yml | 82 ++++++++++++-------
 2 files changed, 54 insertions(+), 32 deletions(-)

diff --git a/library/roles/ckan/ckan/defaults/main.yml b/library/roles/ckan/ckan/defaults/main.yml
index 2a30769..9636c34 100644
--- a/library/roles/ckan/ckan/defaults/main.yml
+++ b/library/roles/ckan/ckan/defaults/main.yml
@@ -42,6 +42,7 @@ ckan_geoview_url: ckanext-geoview
 ckan_geoview_name: resource_proxy
 ckan_dcat: False
 ckan_dcat_url: 'git+https://github.com/ckan/ckanext-dcat.git#egg=ckanext-dcat'
+ckan_dcat_1_0_0_url: 'git+https://github.com/ckan/ckanext-dcat.git@v1.0.0#egg=ckanext-dcat'
 # dcat implement harvesters too.
 # ckan_dcat_name: 'dcat dcat_rdf_harvester dcat_json_harvester dcat_json_interface'
 ckan_dcat_name: 'dcat dcat_json_interface'
@@ -85,6 +86,7 @@ ckan_ga_plugin_state: '{{ ckan_plugins_state }}'
 ckan_google_analytics_name: googleanalytics
 ckan_google_analytics_url: 'git+https://github.com/ckan/ckanext-googleanalytics.git#egg=ckanext-googleanalytics'
 ckan_google_analytics_fixed_file: 'http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/data-catalogue/ckan-d4science-extension/{{ ckan_version }}/ckan-default/plugins/googleanalytics/plugin.py'
+#CKANEXT-RATING
 ckan_star_ratings: False
 ckan_star_ratings_state: present
 ckan_star_ratings_name: rating
@@ -131,7 +133,6 @@ ckan_pip_dependencies:
   - 'urllib3[secure]'
   - bleach
   - pyOpenSSL
-  - cryptography
   - idna
   - certifi
   - xmltodict
@@ -140,6 +141,7 @@ ckan_pip_dependencies:
 ckan_pip_versioned_dependencies:
   - { name: 'SQLAlchemy', version: '0.9.6', state: 'present' }
+  - { name: 'cryptography', version: '2.8', state: 'present' }
 # apache_additional_packages:
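Review bot: `ckan_dcat_1_0_0_url` pins the editable checkout to the git tag `v1.0.0`, and a tag is a mutable reference that the upstream repository owner can move or delete, so this does not give the reproducibility the name suggests; `ckan_dcat_url` on the line above has no `@ref` at all and follows the default branch. Both are installed straight from GitHub with no hash verification, so whatever is at that ref at run time lands in the virtualenv. Pin to the commit id the tag resolves to, e.g. `ckan_dcat_1_0_0_url: 'git+https://github.com/ckan/ckanext-dcat.git@<commit-of-v1.0.0>#egg=ckanext-dcat'`, and consider doing the same for the unpinned URL.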
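Review bot: Moving `cryptography` into `ckan_pip_versioned_dependencies` with `version: '2.8'` and `state: 'present'` freezes the library that `pyOpenSSL` and `urllib3[secure]` in the list above rely on for TLS, and pip will never move it forward on its own, so security fixes in later releases only reach these hosts when someone edits this line. That is a legitimate choice, but the reason for 2.8 is not recorded anywhere in the hunk. Add a comment on the entry such as `# pinned deliberately (record the compatibility reason here); review on each cryptography release, fixes do not arrive automatically` so the pin is not mistaken for a permanent setting.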
diff --git a/library/roles/ckan/ckan/tasks/ckan-plugins.yml b/library/roles/ckan/ckan/tasks/ckan-plugins.yml
index 31159c7..3807f4c 100644
--- a/library/roles/ckan/ckan/tasks/ckan-plugins.yml
+++ b/library/roles/ckan/ckan/tasks/ckan-plugins.yml
@@ -17,7 +17,7 @@
   - name: Download the CKAN ckanext-harvest plugin
     pip: name='{{ ckan_ckanext_harvester_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     register: ckanext_harvest_install
     notify:
       - Restart CKAN
@@ -26,7 +26,7 @@
   - name: Download the CKAN ckanext-harvest requirements
     pip: requirements={{ ckan_virtenv }}/src/ckanext-harvest/pip-requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     notify: Restart fetch and gather consumers
     tags: [ 'ckan', 'geonetwork', 'ckan_plugins' ]
@@ -34,50 +34,60 @@
     shell: . /usr/lib/ckan/default/bin/activate ; paster --plugin=ckanext-harvest harvester initdb --config={{ ckan_config_file }}
     when:
       - ckanext_harvest_install is changed
-      - ckan_init_db_and_solr
+      - ckan_init_db_and_solr | bool
     notify: Restart fetch and gather consumers
     tags: [ 'ckan', 'geonetwork', 'ckan_plugins' ]
   - name: Download the CKAN ckanext-spatial plugin
     pip: name='{{ ckan_ckanext_spatial_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
     notify: Restart CKAN
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     register: ckanext_spatial_install
     tags: [ 'ckan', 'ckan_spatial', 'ckan_plugins' ]
   - name: Download the CKAN ckanext-spatial requirements
     pip: requirements={{ ckan_virtenv }}/src/ckanext-spatial/pip-requirements.txt virtualenv={{ ckan_virtenv }} state=present
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     tags: [ 'ckan', 'ckan_spatial', 'ckan_plugins' ]
   - name: Initialize the CKAN ckanext-spatial plugin
     shell: . /usr/lib/ckan/default/bin/activate ; paster --plugin=ckanext-spatial spatial initdb --config={{ ckan_config_file }}
     when:
       - ckanext_spatial_install is changed
-      - ckan_init_db_and_solr
+      - ckan_init_db_and_solr | bool
     tags: [ 'ckan', 'ckan_spatial', 'ckan_plugins' ]
   - name: Download the CKAN ckanext-geoview plugin
     pip: name='{{ ckan_geoview_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
     notify: Restart CKAN
-    when: ckan_geoview
+    when: ckan_geoview | bool
     tags: [ 'ckan', 'ckan_geoview', 'ckan_plugins' ]
-  - name: Download the CKAN ckanext-dcat plugin code
+  - name: Download the latest version of the CKAN ckanext-dcat plugin code on CKAN version >= 2.8
     pip: name={{ ckan_dcat_url }} virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_dcat
+    when:
+      - ckan_dcat | bool
+      - ckan_version is version_compare('2.8', '>=')
+    notify: Restart CKAN
+    tags: [ 'ckan', 'ckan_dcat', 'ckan_plugins' ]
+
+  - name: Download the CKAN ckanext-dcat plugin code. Stick to version 1.0.0 on CKAN < 2.8
+    pip: name={{ ckan_dcat_1_0_0_url }} virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
+    when:
+      - ckan_dcat | bool
+      - ckan_version is version_compare('2.8', '<')
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_dcat', 'ckan_plugins' ]
   - name: Download the CKAN ckanext-dcat requirements
     pip: requirements={{ ckan_virtenv }}/src/ckanext-dcat/requirements.txt virtualenv={{ ckan_virtenv }} state=present
-    when: ckan_dcat
+    when: ckan_dcat | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_dcat', 'ckan_plugins' ]
   - name: Download the CKAN Geonetwork plugin code
     git: repo={{ ckan_geonetwork_harvester_url }} dest=/usr/lib/ckan/default/src/ckanext-geonetwork force=yes update={{ ckan_git_plugins_state }}
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     register: install_geonetwork_harvester
     tags: [ 'ckan', 'ckan_geonetwork', 'ckan_plugins' ]
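Review bot: Only the `< 2.8` branch of the new dcat split is actually pinned; the `>= 2.8` task still installs `ckan_dcat_url`, which carries no `@ref`, so newer CKAN hosts get whatever ckanext-dcat's default branch holds at the moment the play runs, with `editable=True` pulling it straight from GitHub. The task name even says "latest version", so this is by design, but it makes the deploy non-reproducible and turns the upstream repo into a live dependency; a `ckan_dcat_2_8_url` pinned to a tag or commit next to `ckan_dcat_1_0_0_url` would keep both paths under control. Both tasks also write the same editable checkout at `{{ ckan_virtenv }}/src/ckanext-dcat`, and what pip does with an existing checkout on the other ref when `ckan_version` crosses 2.8 is not visible here, so a comment such as `# both dcat tasks share src/ckanext-dcat; after changing ckan_version verify the checked-out ref` is worth adding. The enclosing task list starts and ends outside the hunk.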
@@ -89,41 +99,51 @@
   - name: Install the script that updates the tracking data
     template: src=tracker_update.sh.j2 dest={{ ckan_virtenv }}/bin/tracker_update owner={{ ckan_shell_user }} group={{ ckan_shell_user }} mode=0555
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     tags: [ 'ckan', 'ckan_geonetwork', 'ckan_plugins', 'tracker' ]
   - name: Install the cron job that runs the tracker update script
     cron: name="tracker update" minute="0" hour="3" job="{{ ckan_virtenv }}/bin/tracker_update > {{ ckan_logdir }}/tracker_update.log 2>&1" user={{ ckan_shell_user }}
-    when: ckan_geonetwork_harvester
+    when: ckan_geonetwork_harvester | bool
     tags: [ 'ckan', 'ckan_geonetwork', 'ckan_plugins', 'tracker' ]
   - name: Download the CKAN PDF viewer plugin
     pip: name='{{ ckan_ckanext_pdfview_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
-    when: ckan_pdfview
+    when: ckan_pdfview | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_pdfview', 'ckan_plugins' ]
-  - name: Download the CKAN Privatedatasets extension
+  - name: Download the CKAN Privatedatasets extension for CKAN 2.8
     pip: name='{{ ckan_privatedatasets_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
-    when: ckan_privatedatasets
+    when:
+      - ckan_privatedatasets | bool
+      - ckan_version is version_compare('2.8', '>=')
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_privdatasets', 'ckan_plugins' ]
-
+
+  - name: Download the CKAN Privatedatasets extension for CKAN 2.6
+    pip: name='{{ ckan_privatedatasets_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} version=0.2.19
+    when:
+      - ckan_privatedatasets | bool
+      - ckan_version is version_compare('2.8', '<')
+    notify: Restart CKAN
+    tags: [ 'ckan', 'ckan_privdatasets', 'ckan_plugins' ]
+
   - name: Download the CKAN hierarchy plugin code
     pip: name='{{ ckan_hierarchy_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_hierarchy
+    when: ckan_hierarchy | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_hierarchy', 'ckan_plugins' ]
   - name: Download the CKAN pages plugin code
     pip: name='{{ ckan_pages_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_pages
+    when: ckan_pages | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_pages', 'ckan_plugins' ]
   - name: Download the CKAN LDAP plugin code
     git: repo={{ ckan_ldap_url }} dest=/usr/lib/ckan/default/src/ckanext-ldap force=yes update={{ ckan_git_plugins_state }}
-    when: ckan_ldap
+    when: ckan_ldap | bool
     register: install_ldap_plugin
     tags: [ 'ckan', 'ckan_ldap', 'ckan_plugins' ]
@@ -135,7 +155,7 @@
   - name: Download the CKAN LIRE plugin code
     git: repo={{ ckan_ckanext_lire_url }} dest={{ ckan_virtenv }}/src/ckanext-lire force=yes update={{ ckan_git_plugins_state }}
-    when: ckan_ckanext_lire
+    when: ckan_ckanext_lir | boole
     register: install_lire_plugin
     tags: [ 'ckan', 'ckan_lire', 'ckan_plugins' ]
@@ -147,19 +167,19 @@
   - name: Download the CKAN OAI-PMH plugin
     pip: name='{{ ckan_oai_pmh_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_oai_pmh
+    when: ckan_oai_pmh | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ]
   - name: Download the CKAN google analytics plugin python requirements
     pip: name='genshi' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }}
-    when: ckan_google_analytics
+    when: ckan_google_analytics | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_google_analytics', 'ckan_plugins' ]
   - name: Download the CKAN google analytics plugin
     pip: name='{{ ckan_google_analytics_url }}' virtualenv={{ ckan_virtenv }} editable=true state={{ ckan_ga_plugin_state }}
-    when: ckan_google_analytics
+    when: ckan_google_analytics | bool
     register: install_ckan_google_analytics
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_google_analytics', 'ckan_plugins' ]
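Review bot: `version=0.2.19` on the new "CKAN 2.6" Privatedatasets task only means something if `ckan_privatedatasets_url` is a plain package name; the variable's value is not in this diff, and every other `*_url` in this role that is visible (`ckan_dcat_url`, `ckan_google_analytics_url`) is a `git+https://...#egg=` URL, to which the pip module's `version` parameter does not apply in the same way, so the pin may be ignored or rejected rather than honoured — please verify against the defaults file. If it is a PyPI name, the version belongs in the defaults next to the other pins (`ckan_privatedatasets_2_6_version: '0.2.19'`) rather than as an unquoted literal inside the task, so one file carries the version policy. The enclosing task list starts and ends outside the hunk.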
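Review bot: `when: ckan_ckanext_lir | boole` on the LIRE task is broken twice: the variable is `ckan_ckanext_lire` (the removed line and `ckan_ckanext_lire_url` on the line above both use it) and the filter is `bool`; Jinja2 has no `boole` filter, so Ansible will raise a template error every time this task is evaluated instead of skipping it, breaking the whole plugins run regardless of whether LIRE is enabled. The line should read `when: ckan_ckanext_lire | bool`. The enclosing task list continues outside the hunk.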
@@ -172,7 +192,7 @@
   - name: Download the CKAN google analytics reports plugin
     pip: name='{{ ckan_ga_reports_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_ga_reports
+    when: ckan_ga_reports | bool
     register: install_ckan_ga_reports
     tags: [ 'ckan', 'ckan_google_analytics', 'ckan_ga_reports', 'ckan_plugins' ]
@@ -180,14 +200,14 @@
     shell: . /usr/lib/ckan/default/bin/activate ; cd /usr/lib/ckan/default/src/ckanext-ga-report ; paster initdb --config={{ ckan_config_file }}
     when:
       - install_ckan_ga_reports is changed
-      - ckan_init_db_and_solr
+      - ckan_init_db_and_solr | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_google_analytics', 'ckan_ga_reports', 'ckan_plugins' ]
   - name: Download the CKAN star ratings plugin
     pip: name='{{ ckan_star_ratings_url }}' virtualenv={{ ckan_virtenv }} editable=true state={{ ckan_star_ratings_state }}
     notify: Restart CKAN
-    when: ckan_star_ratings
+    when: ckan_star_ratings | bool
     register: install_ckan_star_ratings
     tags: [ 'ckan', 'ckan_star_ratings', 'ckan_plugins' ]
@@ -196,24 +216,24 @@
     notify: Restart CKAN
     when:
       - install_ckan_star_ratings is changed
-      - ckan_star_ratings
+      - ckan_star_ratings | bool
     tags: [ 'ckan', 'ckan_star_ratings', 'ckan_plugins' ]
   - name: Install the CKAN profiler plugin
     pip: name='{{ ckan_profiler_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True
-    when: ckan_profiler
+    when: ckan_profiler | bool
     notify: Restart CKAN
     tags: [ 'ckan', 'ckan_profiler', 'ckan_plugins' ]
   - name: Create the profiler plugin log directory
     become_user: root
     file: dest=/var/log/ckan-profiler owner=www-data group=www-data state=directory
-    when: ckan_profiler
+    when: ckan_profiler | bool
     tags: [ 'ckan', 'ckan_profiler', 'ckan_plugins' ]
   - name: Download the CKAN-DATESEARCH plugin code
     git: repo={{ ckan_datesearch_url }} dest=/usr/lib/ckan/default/src/ckanext-datesearch force=yes update={{ ckan_git_plugins_state }}
-    when: ckan_datesearch
+    when: ckan_datesearch | bool
     register: install_datesearch_plugin
     tags: [ 'ckan', 'ckan_datesearch', 'ckan_plugins' ]

From dacad8da2357b999409f0641919ba519a97b24ab Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 19 Mar 2020 11:58:55 +0100
Subject: [PATCH 2/2] nginx: more modern TLS ciphers.

---
 library/roles/nginx/templates/nginx-server-ssl.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/roles/nginx/templates/nginx-server-ssl.conf.j2 b/library/roles/nginx/templates/nginx-server-ssl.conf.j2
index 6511d8b..f09f52e 100644
--- a/library/roles/nginx/templates/nginx-server-ssl.conf.j2
+++ b/library/roles/nginx/templates/nginx-server-ssl.conf.j2
@@ -23,7 +23,7 @@ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 {% else %}
 ssl_protocols TLSv1.1 TLSv1.2;
 {% endif %}
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 ssl_prefer_server_ciphers off;
 {% endif %}
 {% if nginx_ssl_level == 'modern' %}
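Review bot: The new intermediate `ssl_ciphers` line still ends with `DES-CBC3-SHA` (3DES, the Sweet32 / CVE-2016-2183 suite) and keeps the static-RSA `AES128-SHA`/`AES256-SHA`/`AES*-SHA256` suites that give no forward secrecy, while the `ssl_protocols` lines above it continue to offer TLSv1.1; for a commit titled "more modern TLS ciphers" that is the one entry that most deserves to go. The list looks like an older revision of the Mozilla intermediate profile, which kept 3DES only for Windows XP-era clients; unless such clients are known to exist, drop `:DES-CBC3-SHA` from the end of the line, and if none of the non-PFS suites are needed either, the current intermediate guidance is TLSv1.2+ with just the ECDHE/DHE AEAD suites — the list this commit uses for `modern`. A comment naming the profile and date it was copied from (`# Mozilla intermediate profile, v4 (2019) — 3DES kept for legacy clients`) would make the next refresh a diff rather than an archaeology exercise.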
@@ -34,7 +34,7 @@ ssl_protocols TLSv1.2 TLSv1.3;
 {% else %}
 ssl_protocols TLSv1.2;
 {% endif %}
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 {% endif %}
 {% if ansible_distribution_version is version_compare('14.04', '>=') %}
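Review bot: `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384` are new in the modern list, and DHE suites in nginx depend on `ssl_dhparam`, which does not appear anywhere in this hunk: as far as I recall, nginx 1.11.0 and later simply do not offer DHE suites unless `ssl_dhparam` is set, and older builds fell back to built-in 1024-bit parameters, which would be the weakest key exchange on the line. Either confirm elsewhere in the template that `ssl_dhparam` points at a 2048-bit or larger group, or drop the two DHE entries and keep the modern profile purely ECDHE. With `ssl_prefer_server_ciphers off;` the client's preference decides the suite, so the ordering here is only a hint; a comment such as `# TLS 1.2 AEAD suites only (Mozilla intermediate 2020); TLS 1.3 suites are not configurable here` on the line would document the intent.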