From cae37fb97c08f6e0cb5caa18c991f9c88bdcb941 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 3 Jul 2015 18:58:27 +0200
Subject: [PATCH] d4science-ghn-cluster: Install a single couchdb instance on accounting-d4s.d4science.org. library/roles/couchdb: Add support for https.
---
 couchdb/defaults/main.yml | 24 ++++++++++++++++++++++--
 couchdb/tasks/couchdb-old-package.yml | 26 ++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/couchdb/defaults/main.yml b/couchdb/defaults/main.yml
index da6107df..2fedb852 100644
--- a/couchdb/defaults/main.yml
+++ b/couchdb/defaults/main.yml
@@ -9,10 +9,11 @@
 #
 # Set it to true if you want the old 1.6 release
-couchdb_use_old_package: False
+couchdb_use_old_package: True
+couchdb_ssl_enabled: False
 couchdb_pkg_state: installed
-couchdb_pkg_version: 1.6.1
+couchdb_pkg_version: 1.6.1-0ubuntu5
 couchdb_ppa: "ppa:couchdb/stable"
 couchdb_pkgs:
 - couchdb={{ couchdb_pkg_version }}
@@ -24,6 +25,7 @@ couchdb_https_port: 6984
 couchdb_bind_address: 127.0.0.1
 couchdb_local_ini_d: /etc/couchdb
 couchdb_open_files: 4096
+couchdb_log_level: info
 couchdb_set_admin: False
 #couchdb_admin_pwd: Put it in a vault file
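Review bot: `couchdb_pkg_version: 1.6.1-0ubuntu5` pins an exact distro build into the role defaults, and `couchdb_pkgs` installs `couchdb={{ couchdb_pkg_version }}`, so the install task fails as soon as the PPA supersedes that build (apt only serves the current version of a package) and, until someone edits this file, the host never picks up a couchdb security update. Together with flipping the role-wide `couchdb_use_old_package` default to True for what the subject describes as a single host, both values look like host or group vars for accounting-d4s rather than role defaults; keeping `couchdb_use_old_package: False` and `couchdb_pkg_version: 1.6.1` here and overriding them in that host's vars would leave the other consumers of the role unaffected. If the exact pin is deliberate, a comment such as `# exact build pinned on purpose: bump it when the PPA publishes a security update` above it would tell the next maintainer why. The booleans are also written as `True`/`False`; Ansible accepts them, but `true`/`false` is the YAML-portable spelling.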
@@ -35,7 +37,25 @@ couchdb_default_options:
 - { section: 'couch_httpd_auth', option: 'require_valid_user', value: 'true', state: 'present' }
 # - { section: 'httpd', option: 'config_whitelist', value: '"[{httpd,config_whitelist},{log,level}]"', state: 'present' }
 - { section: 'log', option: 'include_sasl', value: 'true', state: 'present' }
+ - { section: 'log', option: 'level', value: '{{ couchdb_log_level }}', state: 'present' }
+couchdb_ssl_options:
+ - { section: 'daemons', option: 'httpsd', value: '"{couch_httpd, start_link, [https]}"', state: 'present' }
+ - { section: 'daemons', option: 'httpd', value: '"{couch_httpd, start_link, []}"', state: 'absent' }
+ - { section: 'ssl', option: 'cert_file', value: '{{ pki_dir }}/ssl/{{ ansible_fqdn }}.pem', state: 'present' }
+ - { section: 'ssl', option: 'key_file', value: '{{ pki_dir }}/ssl/{{ ansible_fqdn }}.key', state: 'present' }
+ - { section: 'ssl', option: 'cacert_file', value: 'accounting-{{ pki_dir }}/ssl/{{ ansible_fqdn }}.pem', state: 'present' }
+ - { section: 'ssl', option: 'port', value: '{{ couchdb_https_port }}', state: 'present' }
+ - { section: 'ssl', option: 'ssl_certificate_max_depth', value: '3', state: 'present' }
+ - { section: 'ssl', option: 'verify_ssl_certificates', value: 'False', state: 'present' }
+
+couchdb_ssl_default_remove:
+ - { section: 'daemons', option: 'httpd', value: '"{couch_httpd, start_link, []}"', state: 'absent' }
+
+couchdb_disable_ssl_options:
+ - { section: 'daemons', option: 'httpsd', value: '"{couch_httpd, start_link, [https]}"', state: 'absent' }
+ - { section: 'daemons', option: 'httpd', value: '"{couch_httpd, start_link, []}"', state: 'present' }
+
 couchdb_replicator_options:
 - { section: 'replicator', option: 'db', value: '_replicator', state: 'present' }
 - { section: 'replicator', option: 'use_checkpoints', value: 'true', state: 'present' }
diff --git a/couchdb/tasks/couchdb-old-package.yml b/couchdb/tasks/couchdb-old-package.yml
index 190e1ebb..790508fa 100644
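Review bot: The `cacert_file` entry in `couchdb_ssl_options` carries a stray `accounting-` prefix, so CouchDB is pointed at a path of the form `accounting-/…/ssl/<fqdn>.pem` that cannot exist, and even without the prefix it names the server's own certificate rather than the issuing CA chain. Dropping the prefix gives `- { section: 'ssl', option: 'cacert_file', value: '{{ pki_dir }}/ssl/{{ ansible_fqdn }}.pem', state: 'present' }`, which is only right if that file also contains the chain; otherwise it should point at the CA bundle the PKI role installs, which is not visible here. With `verify_ssl_certificates` set to `'False'` the `cacert_file` and `ssl_certificate_max_depth` settings presumably do nothing for client-certificate verification, which is fine if client certificates are not intended, but a comment such as `# client certificates are not verified; cacert_file only supplies the chain served to clients` would make that an explicit decision rather than an accident — I cannot confirm CouchDB 1.6's exact handling from this hunk. Note also that the `daemons`/`httpd` removal in `couchdb_ssl_default_remove` targets default.ini, which CouchDB documents as overwritten on upgrade, so the plaintext listener may silently return after a package update.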
--- a/couchdb/tasks/couchdb-old-package.yml
+++ b/couchdb/tasks/couchdb-old-package.yml
@@ -3,12 +3,12 @@
 #
 - name: Add the ppa for couchdb
 apt_repository: repo='{{ couchdb_ppa }}'
- register: update_apt_cache
+ register: install_ppa
 tags: couchdb
 - name: Update the apt cache if needed
 apt: update_cache=yes
- when: (update_apt_cache|changed)
+ when: ( install_ppa | changed )
 tags: couchdb
 - name: Install the couchdb packages
@@ -22,6 +22,7 @@
 #
 # Couchdb changes the admin password with a hash, so we need to not overwrite the file at each playbook run
+# Note: we have chosen to distribute the hashed password
 - name: Create the admin config file, once
 copy: content="[admins]\n" dest={{ couchdb_local_ini_d }}/local.d/admin.ini force=no
 when: couchdb_set_admin
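Review bot: The added note says the hashed admin password is distributed through this file, but the `copy` task that creates `local.d/admin.ini` right below it sets no `owner`, `group` or `mode`, so unlike the `ini_file` tasks in this same file (which use `owner=couchdb group=couchdb mode=0640`) the file is created with the remote umask, typically 0644 and readable by every local user. I would change that line to `copy: content="[admins]\n" dest={{ couchdb_local_ini_d }}/local.d/admin.ini owner=couchdb group=couchdb mode=0640 force=no`. The note itself would be more useful if it said what "distribute" means, e.g. `# Note: the admin password is shipped only as the salted hash couchdb writes into admin.ini, never in clear`, assuming that is the mechanism — the task that writes the hash is outside this hunk, so I cannot confirm it.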
@@ -49,6 +50,27 @@
 notify: Restart couchdb
 tags: [ 'couchdb', 'couch_opts']
+- name: Activate ssl for couchdb
+ ini_file: dest={{ couchdb_local_ini_d }}/local.ini section={{ item.section }} option={{ item.option }} value={{ item.value }} owner=couchdb group=couchdb mode=0640 state={{ item.state }}
+ with_items: couchdb_ssl_options
+ when: couchdb_ssl_enabled
+ notify: Restart couchdb
+ tags: [ 'couchdb', 'couch_opts']
+
+- name: Activate ssl for couchdb
+ ini_file: dest={{ couchdb_local_ini_d }}/default.ini section={{ item.section }} option={{ item.option }} value={{ item.value }} owner=couchdb group=couchdb mode=0640 state={{ item.state }}
+ with_items: couchdb_ssl_default_remove
+ when: couchdb_ssl_enabled
+ notify: Restart couchdb
+ tags: [ 'couchdb', 'couch_opts']
+
+- name: Disable ssl for couchdb
+ ini_file: dest={{ couchdb_local_ini_d }}/local.ini section={{ item.section }} option={{ item.option }} value={{ item.value }} owner=couchdb group=couchdb mode=0640 state={{ item.state }}
+ with_items: couchdb_disable_ssl_options
+ when: not couchdb_ssl_enabled
+ notify: Restart couchdb
+ tags: [ 'couchdb', 'couch_opts']
+
 - name: Custom couchdb configuration
 ini_file: dest={{ couchdb_local_ini_d }}/local.ini section={{ item.section }} option={{ item.option }} value={{ item.value }} owner=couchdb group=couchdb mode=0640 state={{ item.state }}
 with_items: couchdb_custom_options
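Review bot: The second `Activate ssl for couchdb` task edits `default.ini`, the file CouchDB documents as overwritten on upgrade, so the removal of the `httpd` daemon is expected to be undone by the next package upgrade and the plaintext listener on `couchdb_http_port` comes back without any task reporting a change until the play is re-run. Both SSL tasks also share the name `Activate ssl for couchdb`, so a failure in the output does not say which file was touched; I would rename the second one `- name: Remove the plain http daemon from default.ini (local.ini cannot unset it)` and put `# default.ini is owned by the package and rewritten on upgrade; re-run the play after couchdb upgrades` above it. Since `ini_file` is invoked with `key=value` arguments and a value that contains spaces and brackets (`"{couch_httpd, start_link, [https]}"`), the module relies on the embedded double quotes surviving shell-style splitting — the native YAML argument form (`ini_file:` with `dest:`, `section:`, `option:`, `value:` … keys) would remove that dependency. The `Custom couchdb configuration` task at the end continues outside the hunk.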