From 4b5303dad5d09447b0b7f0592b14ac608328bc0d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Mon, 26 Sep 2016 18:17:45 +0200
Subject: [PATCH] library/roles/d4s_user_services_perms: Add a series of tasks
 that configure a generic service to be managed by an unprivileged user.

---
 d4s_user_services_perms/README.md             | 20 +++++++++++++------
 d4s_user_services_perms/defaults/main.yml     | 17 ++++++++++++++++
 .../tasks/d4s-service-node.yml                | 18 +++++++++++++++++
 d4s_user_services_perms/tasks/main.yml        |  8 +++++---
 .../templates/README-service.j2               |  4 ++++
 .../templates/d4science-sudoers.j2            |  2 ++
 .../templates/startservice.j2                 |  5 +++++
 .../templates/stopservice.j2                  |  5 +++++
 8 files changed, 70 insertions(+), 9 deletions(-)
 create mode 100644 d4s_user_services_perms/tasks/d4s-service-node.yml
 create mode 100644 d4s_user_services_perms/templates/README-service.j2
 create mode 100644 d4s_user_services_perms/templates/d4science-sudoers.j2
 create mode 100644 d4s_user_services_perms/templates/startservice.j2
 create mode 100644 d4s_user_services_perms/templates/stopservice.j2

diff --git a/d4s_user_services_perms/README.md b/d4s_user_services_perms/README.md
index 17649040..e5196064 100644
--- a/d4s_user_services_perms/README.md
+++ b/d4s_user_services_perms/README.md
@@ -1,12 +1,20 @@
-This role assumes that only one tomcat instance is defined and running on the system.
+Four different scenarios are covered.
 
-Important note: the variable 'http_port' needs to be defined earlier in the calling playbook.
+1. One smartgears tomcat instance, installed inside the user's home
+2. One or more tomcat instances, each instance installed inside its
+   user's home
+3. One service, not tomcat based, installed inside the user's home
+4. One service, installed inside the user's home, not managed by other
+   ansible playbooks (only the user is created)
+
+Important note: the variable 'http_port(s)' needs to be defined earlier in the calling playbook.
 
 What the role does:
 
-- Install the sudoers config that permits the tomcat user to restart
-the service
-- Install the script that allows the tomcat user to start and stop the
+- Installs the sudoers config that permits the user to restart the
+service
+- Installs the script that allows the user to start and stop the
 service without using the full path
-- Install the README file that explains where the options files are
+- Installs the README file that explains where the options files are
 placed and how start/stop the service
+- The default open files limits are increased
diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml
index 128037dc..fbe3330a 100644
--- a/d4s_user_services_perms/defaults/main.yml
+++ b/d4s_user_services_perms/defaults/main.yml
@@ -3,6 +3,10 @@ d4science_user: gcube
 d4science_user_create_home: True
 d4science_user_home: '/home/{{ d4science_user }}'
 d4science_user_shell: /bin/bash
+d4s_service_node: False
+smartgears_node: False
+d4s_tomcat_node: False
+gcore_node: False
 
 d4science_sudoers_commands:
   - /etc/init.d/tomcat-instance-*
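Review bot: The four new node flags are written as `False`, whereas the YAML 1.2 canonical (and yamllint `truthy`) spelling is lowercase, e.g. `d4s_service_node: false` and likewise for the three lines under it. This is a style point only: Ansible's loader accepts both forms, and the `when:` conditions in tasks/main.yml work either way.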
@@ -11,6 +15,19 @@ d4science_tomcat_options_files:
   - '/etc/default/tomcat-instance-{{ item.0.http_port }}'
   - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local'
 
+
+d4science_service_commands:
+  - /etc/init.d/*
+
+d4science_user_service_scripts:
+  - startservice
+  - stopservice
+
+d4science_service_start_command:
+
+d4science_service_stop_command:
+
+
 limits_nofile_value: 16000
 security_limits:
   - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
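Review bot: `d4science_service_start_command:` and `d4science_service_stop_command:` are bare keys, so they are defined as `null` rather than left undefined; when `d4s_service_node` is enabled without a per-host override, the startservice/stopservice templates will render `sudo None` instead of failing at template time. Either drop the two keys from defaults so an undefined variable aborts the play, or keep them and render them as `{{ d4science_service_start_command | mandatory }}` in the two templates, plus a comment here such as `# Full command run under sudo by startservice/stopservice; must be set per host when d4s_service_node is true`. The three consecutive blank lines around the new keys (one before `d4science_service_commands`, two after the stop command) also exceed yamllint's default `empty-lines` limit.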
diff --git a/d4s_user_services_perms/tasks/d4s-service-node.yml b/d4s_user_services_perms/tasks/d4s-service-node.yml
new file mode 100644
index 00000000..acb8045d
--- /dev/null
+++ b/d4s_user_services_perms/tasks/d4s-service-node.yml
@@ -0,0 +1,18 @@
+---
+- block:
+    - name: Install the README file that explains where the options files are placed and how start/stop the service
+      template: src={{ item }}-service.j2 dest={{ d4science_user_home }}/{{ item }} mode=0444
+      with_items:
+        - 'README-service'
+
+    - name: Install the script that allows the d4science user to start and stop the service without using the full path
+      template: src={{ item }}.j2 dest=/home/{{ d4science_user }}/{{ item }} owner={{ d4science_user }} group={{ d4science_user }} mode=0755
+      with _items: '{{ d4science_user_service_scripts }}'
+
+    - name: Install the sudoers config that permits the tomcat user to restart the service
+      become: False
+      template: src=d4science-sudoers.j2 dest=/etc/sudoers.d/d4science-services owner=root group=root mode=0440
+
+  become: True
+  become_user: '{{ d4science_user }}'
+  tags: [ 'd4science', 'd4s_readme', 'sudo', 'startup_cmd' ]
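Review bot: `with _items:` on the start/stop script task has a stray space, so Ansible rejects the key and the scripts are never installed; it must be `with_items: '{{ d4science_user_service_scripts }}'`. The README task builds `src={{ item }}-service.j2`, which for the only item `README-service` resolves to `README-service-service.j2`, a template this commit does not add — `src={{ item }}.j2` matches the file created below. The sudoers task sets `become: False` under a block that becomes `{{ d4science_user }}`, so it writes `/etc/sudoers.d/d4science-services` as the connecting user rather than root, which only works when the playbook already connects as root; `become_user: root` at task level is the explicit form, and since a syntax error in that file disables sudo for every account on the host, the template should carry `validate='visudo -cf %s'`. The script task's `dest=/home/{{ d4science_user }}` should also use `{{ d4science_user_home }}` as the README task and the defaults do.
```yaml
# … unchanged: block header and README task name …
      template: src={{ item }}.j2 dest={{ d4science_user_home }}/{{ item }} mode=0444
# … unchanged: README with_items, start/stop script task name …
      template: src={{ item }}.j2 dest={{ d4science_user_home }}/{{ item }} owner={{ d4science_user }} group={{ d4science_user }} mode=0755
      with_items: '{{ d4science_user_service_scripts }}'
# … unchanged: sudoers task name …
      become_user: root
      template: src=d4science-sudoers.j2 dest=/etc/sudoers.d/d4science-services owner=root group=root mode=0440 validate='visudo -cf %s'
# … unchanged: block-level become, become_user and tags …
```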
diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml
index 6e97633d..cf555365 100644
--- a/d4s_user_services_perms/tasks/main.yml
+++ b/d4s_user_services_perms/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
 - include: d4s-smartgears-node.yml
-  when: smartgears_node is defined and smartgears_node
+  when: smartgears_node
 - include: d4s-tomcat-node.yml
-  when: d4s_tomcat_node is defined and d4s_tomcat_node
+  when: d4s_tomcat_node
+- include: d4s-service-node.yml
+  when: d4s_service_node
 - include: d4s-basic-node.yml
-  when: gcore_node is defined and gcore_node
+  when: gcore_node
 - include: security_limits.yml
diff --git a/d4s_user_services_perms/templates/README-service.j2 b/d4s_user_services_perms/templates/README-service.j2
new file mode 100644
index 00000000..a10a9a83
--- /dev/null
+++ b/d4s_user_services_perms/templates/README-service.j2
@@ -0,0 +1,4 @@
+The commands that start and stop the service are:
+{% for cmd in d4science_user_service_scripts %}
+{{ d4science_user_home }}/{{ cmd }}
+{% endfor %}
diff --git a/d4s_user_services_perms/templates/d4science-sudoers.j2 b/d4s_user_services_perms/templates/d4science-sudoers.j2
new file mode 100644
index 00000000..3662d7e0
--- /dev/null
+++ b/d4s_user_services_perms/templates/d4science-sudoers.j2
@@ -0,0 +1,2 @@
+{{ d4science_user }}  ALL=(ALL) NOPASSWD:  {% for cmd in d4science_service_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}
+
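Review bot: With the default `d4science_service_commands` of `/etc/init.d/*` from defaults/main.yml, this line grants `{{ d4science_user }}` passwordless root for every init script on the host with any arguments, not only the one service that user manages. The intent described in the README is narrower, so the role should expect `d4science_service_commands` to be overridden per host with the specific script (the same path `d4science_service_start_command`/`d4science_service_stop_command` invoke), and `(ALL)` can be `(root)` since the wrapper scripts only need root. A comment in defaults/main.yml such as `# Override per host with the exact init script the service user may run via sudo` would make that expectation visible.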
diff --git a/d4s_user_services_perms/templates/startservice.j2 b/d4s_user_services_perms/templates/startservice.j2
new file mode 100644
index 00000000..d49bf239
--- /dev/null
+++ b/d4s_user_services_perms/templates/startservice.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_start_command }}
+
+exit $?
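Review bot: `exit $?` directly after the `sudo` call is redundant, because a bash script already exits with the status of its last command; `exec sudo {{ d4science_service_start_command }}` as the final line is the idiomatic form and avoids leaving a wrapper shell around the service command. The same applies to stopservice.j2 below.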
diff --git a/d4s_user_services_perms/templates/stopservice.j2 b/d4s_user_services_perms/templates/stopservice.j2
new file mode 100644
index 00000000..a4d82397
--- /dev/null
+++ b/d4s_user_services_perms/templates/stopservice.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_stop_command }}
+
+exit $?