This commit is contained in:
Franca Debole 2020-02-18 12:28:48 +01:00
commit 02e4dd8c39
94 changed files with 677 additions and 951 deletions


@ -1,6 +1,7 @@
---
dependencies:
- role: '../../library/centos/roles/centos-bootstrap'
- role: '../../library/roles/rsyslog'
- role: '../../library/roles/dell-server-utilities'
- role: '../../library/roles/sshd_config'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }


@ -1,12 +1,13 @@
---
dependencies:
- role: '../../library/roles/ubuntu-deb-general'
- role: '../../library/roles/rsyslog'
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- role: '../../library/roles/tmpreaper'
- role: '../../library/roles/iptables'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
- role: '../../library/roles/sshd_config'
- { role: '../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- { role: '../../library/roles/nagios', when: nagios_enabled is defined }
- { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled }
- { role: '../../library/roles/nagios', when: nagios_enabled is defined and nagios_enabled }
- { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
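Review bot: The dependency `- { role: '../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }`, which appears to be one of the added lines, points one directory up while every other role in this file is referenced as `'../../library/roles/...'`; unless that role really lives one level above the others, this is a typo that fails at role resolution. Change it to `- { role: '../../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }`. The tightened `nagios_enabled`/`prometheus_enabled` conditions on the last two lines look right.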


@ -1,113 +0,0 @@
---
nginx_enabled: True
nginx_package_state: installed
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_default_conf_dir: /etc/nginx/default.d
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Use 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl http2
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# proxies:
# - location: /
# target: http://localhost:{{ local_http_port }};
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }


@ -1,25 +0,0 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0


@ -1,26 +0,0 @@
#
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
#
password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
#
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so


@ -1,7 +0,0 @@
---
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted


@ -1,12 +0,0 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx


@ -1,21 +0,0 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx


@ -1,29 +0,0 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ {{ pki_dir }}/nginx }} state=directory
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
when: nginx_enabled
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]


@ -1,20 +0,0 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]


@ -1,7 +0,0 @@
---
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]


@ -1,7 +0,0 @@
---
- name: Install the nginx web server
yum: pkg={{ item }} state={{ nginx_package_state }}
with_items:
- nginx
tags: nginx


@ -1,8 +0,0 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx


@ -1,16 +0,0 @@
# The distinguished name of the search base.
base {{ nginx_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
uri {{ nginx_ldap_uri }}
if {% nginx_ldap_login_attribute is defined %}
pam_login_attribute {{ nginx_ldap_login_attribute }}
{% endif %}
if {% nginx_ldap_pam_groupdn is defined %}
pam_groupdn
{% endif %}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data


@ -1,9 +0,0 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}


@ -1,27 +0,0 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}


@ -1,6 +0,0 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};


@ -1,60 +0,0 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
{% if nginx_cors_limit_origin %}
}
if ($request_method = 'OPTIONS') {
return 204;
}
{% endif %}
{% endif %}


@ -1,25 +0,0 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};


@ -1,24 +0,0 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if nginx_ssl_level == 'intermediate' %}
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;


@ -1,184 +0,0 @@
server {
listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
# This is the default for nginx on Ubuntu 14.04
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}


@ -1,4 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}


@ -1,102 +0,0 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections {{ nginx_worker_connections }};
multi_accept {{ nginx_multi_accept }};
}
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens {{ nginx_server_tokens }};
include /etc/nginx/mime.types;
default_type application/octet-stream;
large_client_header_buffers {{ nginx_large_client_header_buffers }};
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}


@ -31,6 +31,9 @@ elasticsearch_define_heap_size: False
elasticsearch_heap_size: 2g
elasticsearch_additional_java_opts: '-server -Djava.awt.headless=true -Dfile.encoding=UTF-8'
elasticsearch_max_open_files: 65536
elasticsearch_cluster_routing_allocation_disk_threshold_enabled: 'true'
elasticsearch_cluster_routing_allocation_disk_watermark_low: '85%'
elasticsearch_cluster_routing_allocation_disk_watermark_high: '90%'
# Compatibility with kernels <= 3.5. Set to False if you are using a newer kernel
elasticsearch_disable_bootstrap_syscall_filter: True
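Review bot: The three new `elasticsearch_cluster_routing_allocation_disk_*` variables carry no explanation, and the relationship between `low` and `high` is not obvious from the values alone; add a comment above them such as `# Disk-based shard allocation: no new shards on a node above 'low', shards moved away above 'high'; low must stay below high`. `elasticsearch_cluster_routing_allocation_disk_threshold_enabled: 'true'` is a quoted string while this file writes booleans as bare `True`/`False`; the quoted form is what makes it render as a plain `true` in elasticsearch.yml, so a short note that the quoting is deliberate would stop someone "normalising" it later.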


@ -7,8 +7,7 @@
apt_repository: repo='{{ elasticsearch_repo }}' state=present update_cache=yes
- name: Install the elasticsearch deb packages
apt: name='{{ item }}' state={{ elasticsearch_package_state }} update_cache=yes cache_valid_time=1800
with_items: '{{ elasticsearch_packages }}'
apt: name='{{ elasticsearch_packages }}' state={{ elasticsearch_package_state }} update_cache=yes cache_valid_time=1800
- name: Install the elasticsearch startup default
template: src=elasticsearch-default.j2 dest=/etc/default/elasticsearch owner=root group=elasticsearch mode=0640
@ -24,5 +23,4 @@
notify: Restart elasticsearch
tags: [ 'ELK', 'elasticsearch', 'elk', 'elasticsearch_conf' ]
tags: [ 'ELK', 'elasticsearch', 'elk' ]
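Review bot: Dropping `elasticsearch_conf` in the second hunk (`tags: [ 'ELK', 'elasticsearch', 'elk' ]`) removes the only tag that let this block be replayed on its own; the task it belongs to starts outside the hunk, but its `notify: Restart elasticsearch` suggests it is the one rendering the configuration. If the removal is deliberate, a one-line comment saying why would help; otherwise keep `'elasticsearch_conf'` in the list. In the first hunk, `apt: name='{{ elasticsearch_packages }}'` relies on the apt module accepting a list; the defaults are outside this hunk, so confirm `elasticsearch_packages` is defined as a list rather than a string.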


@ -24,7 +24,7 @@ node.name: {{ ansible_fqdn }}
{% if elasticsearch_major_version >= 7 %}
cluster.initial_master_nodes:
{% for n in elasticsearch_bootstrap_known_masters 5}
{% for n in elasticsearch_bootstrap_known_masters %}
- {{ n }}
{% endfor %}
{% endif %}
@ -106,6 +106,11 @@ node.max_local_storage_nodes: {{ elasticsearch_max_local_storage_nodes }}
#
action.destructive_requires_name: {{ elasticsearch_destructive_requires_name }}
#
cluster.routing.allocation.disk.threshold_enabled: {{ elasticsearch_cluster_routing_allocation_disk_threshold_enabled }}
cluster.routing.allocation.disk.watermark.low: {{ elasticsearch_cluster_routing_allocation_disk_watermark_low }}
cluster.routing.allocation.disk.watermark.high: {{ elasticsearch_cluster_routing_allocation_disk_watermark_high }}
{% if elasticsearch_disable_bootstrap_syscall_filter %}
# When using an old kernel
bootstrap.system_call_filter: false


@ -71,7 +71,9 @@
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
{% if elasticsearch_major_version >= 6 %}
-Djava.io.tmpdir=${ES_TMPDIR}
{% endif %}
## heap dumps


@ -18,6 +18,8 @@
user: name={{ jenkins_username }} generate_ssh_key=True
delegate_to: '{{ item }}'
with_items: '{{ groups.jenkins_master }}'
when: ansible_fqdn == '{{ jenkins_master_hostname }}'
run_once: True
- name: Get the master ssh keys
become: True
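Review bot: `when: ansible_fqdn == '{{ jenkins_master_hostname }}'` puts Jinja delimiters inside a conditional that Ansible already evaluates as a Jinja expression, which triggers the "conditional statements should not include jinja2 templating delimiters" warning; write it as `when: ansible_fqdn == jenkins_master_hostname`. With `run_once: True` the task is evaluated on the first host of the batch only, so if that host is not the master the whole task is skipped even though `delegate_to: '{{ item }}'` would have run it on the masters; confirm the play targets only the master group, or drop `run_once` and rely on the `when`. The task starts outside the hunk.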


@ -35,12 +35,14 @@
when: item.version is not defined
with_items: '{{ jenkins_plugins }}'
notify: Restart jenkins
ignore_errors: True
- name: Install plugins with a specific version
jenkins_plugin: name="{{ item.name }}" state={{ item.state | default('latest') }} version='{{ item.version }}' url={{ jenkins_local_url }} url_username={{ jenkins_access_params.url_username }} url_password={{ jenkins_access_params.url_password }}
when: item.version is defined
with_items: '{{ jenkins_plugins }}'
notify: Restart jenkins
ignore_errors: True
become: True
become_user: '{{ jenkins_username }}'
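Review bot: `ignore_errors: True` on both plugin tasks hides every failure from `jenkins_plugin`, so a plugin that never installed, or wrong `url_username`/`url_password` values, goes unreported and the play ends green with a partially configured Jenkins. If the intent is to survive transient update-center errors, a retry keeps failures visible: `register: plugin_result`, `until: plugin_result is succeeded`, `retries: 3` (with a `delay`) on each task. Otherwise at least `register` the result and report the failed items with a `debug` task so they are listed at the end of the run. The enclosing task list starts before the hunk.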


@ -21,6 +21,9 @@ keepalived_script1_name: keepalived_check_service_status
# We set haproxy as the default because most of our keepalived use is haproxy related
keepalived_service_to_check: 'haproxy'
keepalived_script1_check: '/bin/pidof {{ keepalived_service_to_check }}'
keepalived_instance1_name: 'VRRP_1'
keepalived_interface1_name: '{{ ansible_default_ipv4.interface }}'
keepalived_initial_state: 'MASTER'
keepalived_inst_priority: 100
keepalived_vrouter_id: 51
keepalived_non_local_bind: True
@ -28,6 +31,7 @@ keepalived_non_local_bind: True
keepalived_enable_script_security: True
keepalived_script_username: keepalived_script
keepalived_script_user_home: '/var/lib/keepalived'
keepalived_runtime_dir: /run/keepalived
keepalived_nagios_check: False
keepalived_notify_script: /usr/local/bin/keepalived_notify
@ -43,15 +47,16 @@ keepalived_scripts:
weight: 2
keepalived_instances:
- name: VI_1
interface: eth0
state: MASTER
- name: '{{ keepalived_instance1_name }}'
interface: '{{ keepalived_interface1_name }}'
state: '{{ keepalived_initial_state }}'
vrouter_id: '{{ keepalived_vrouter_id }}'
notify: '{{ keepalived_notify_script }}'
priority: '{{ keepalived_inst_priority }}'
nopreempt: True
v_addr:
- '{{ keepalived_floating_ip1 }}'
track_script:
- '{{ keepalived_script1_name }}'
#track_interface:
# - eth0
track_interface:
- '{{ keepalived_interface1_name }}'
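Review bot: `keepalived_initial_state: 'MASTER'` is documented nowhere and is effectively ignored for the default instance: the instance has `nopreempt: True`, and the keepalived.conf.j2 change in this same commit forces `state BACKUP` whenever `nopreempt` is set. Add a comment above it such as `# Only honoured when the instance has nopreempt disabled; the template forces 'state BACKUP' for nopreempt instances`. A similar line above `keepalived_runtime_dir: /run/keepalived` noting that the directory is created via tmpfiles.d (systemd hosts only) would tell the reader where the `keepalive.state` file lives and why.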


@ -7,12 +7,22 @@
- name: Install the keepalived package
apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800
tags: keepalived
when:
- keepalived_install | bool
- ansible_distribution_file_variety == "Debian"
- block:
- name: Install the user that the keepalived scripts will run under
user: name={{ keepalived_script_username }} home={{ keepalived_script_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
- name: Create the keepalive script user directory
file: dest={{ keepalived_script_user_home }} state=directory owner={{ keepalived_script_username }} group={{ keepalived_script_username }} mode=0750
- name: Create the tmpfile entry for the keepalived runtime directory
template: src=tmpfile_keepalived.conf.j2 dest=/usr/lib/tmpfiles.d/keepalived.conf owner=root group=root mode=0644
when: ansible_service_mgr == 'systemd'
- name: Install the keepalived configuration
template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600
notify: restart keepalived
@ -33,7 +43,7 @@
sysctl_set: yes
sysctl_file: /etc/sysctl.d/90-keepalived
value: 1
when: keepalived_non_local_bind
when: keepalived_non_local_bind | bool
- name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed
sysctl:
@ -43,18 +53,18 @@
sysctl_set: yes
sysctl_file: /etc/sysctl.d/90-keepalived
value: 1
when: not keepalived_non_local_bind
when: not keepalived_non_local_bind | bool
- name: Ensure that keepalived is started and enabled
service: name=keepalived state=started enabled=yes
when: keepalived_enabled
when: keepalived_enabled | bool
- name: Ensure that keepalived is stopped and disabled
service: name=keepalived state=stopped enabled=no
when: not keepalived_enabled
when: not keepalived_enabled | bool
tags: keepalived
when: keepalived_install
tags: [ 'keepalived', 'keepalived_conf' ]
when: keepalived_install | bool
- block:
- name: Install the keepalived NRPE nagios check
@ -67,8 +77,8 @@
tags: keepalived
when:
- keepalived_install
- keepalived_nagios_check
- keepalived_install | bool
- keepalived_nagios_check | bool
- block:
- name: Remove the keepalived package if we do not want it
@ -86,5 +96,5 @@
file: dest={{ nrpe_include_dir }}/keepalived-nrpe.cfg state=absent
tags: keepalived
when: not keepalived_install
when: not keepalived_install | bool


@ -1,10 +1,13 @@
global_defs {
{% if keepalived_enable_script_security %}
{% if keepalived_enable_script_security %}
enable_script_security
{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %}
script_user root
{% else %}
script_user {{ keepalived_script_username }}
{% endif %}
{% endif %}
{% endif %}
}
{% for script in keepalived_scripts %}
@ -22,9 +25,13 @@ vrrp_script {{ script.name }} {
vrrp_instance {{ instance.name }} {
interface {{ instance.interface }}
{% if instance.state is defined %}
{% if instance.nopreempt is defined and instance.nopreempt %}
state BACKUP
{% else %}
state {{ instance.state }}
{% endif %}
{% endif %}
virtual_router_id {{ instance.vrouter_id }}
priority {{ instance.priority }}
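Review bot: `script_user root` in the Ubuntu 18 branch of `global_defs` makes every `vrrp_script` run as root, which undoes what `enable_script_security` and the dedicated `keepalived_script_username` account created by the tasks are there for. It looks like root is wanted only so the check script can `systemctl restart keepalived` on that release; that single action can be delegated instead, e.g. a sudoers entry `{{ keepalived_script_username }} ALL=(root) NOPASSWD: /bin/systemctl restart keepalived` and `sudo /bin/systemctl restart keepalived` in the script, keeping `script_user {{ keepalived_script_username }}` on every release. The `ansible_distribution_major_version == '18'` test combined with the Debian file variety matches Ubuntu 18.04 only because Debian has no release 18; a Jinja comment stating which release and why root is required there would help the next reader.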


@ -1,4 +1,18 @@
!#/bin/bash
#!/bin/bash
{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %}
am_i_master=$( grep MASTER {{ keepalived_runtime_dir }}/keepalive.state )
keepalive_master=$?
if [ $keepalive_master -eq 0 ] ; then
{% for instance in keepalived_instances %}
{% for addr in instance.v_addr %}
float_ip=$( ip addr show | grep {{ addr }} )
retval=$?
[ $retval -eq 1 ] && /bin/systemctl restart keepalived
{% endfor %}
{% endfor %}
fi
{% endif %}
{{ keepalived_script1_check }}
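Review bot: `grep {{ addr }}` against `ip addr show` is an unanchored regular-expression match, so `10.0.0.1` also matches `10.0.0.10`, `10.0.0.100` or `110.0.0.1`, and the dots match any character; the restart is then skipped although the VIP is actually missing. Match the exact address instead, e.g. `ip -o addr show | grep -qF " {{ addr }}/"` (assuming `v_addr` entries are bare addresses; if they carry a prefix or `dev`, match only the address part). `grep MASTER` on the state file has the same substring behaviour but no ambiguous sibling value, so it is harmless. Restarting keepalived from inside its own `vrrp_script` also deserves a comment on why a misfiring check cannot loop the restart.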


@ -13,7 +13,7 @@ RETVAL=0
{{ keepalived_notify_extra_params }}
{% endif %}
echo "$TYPE $NAME is in $STATE state" > {{ keepalived_script_user_home }}/keepalive.state
echo "$TYPE $NAME is in $STATE state" > {{ keepalived_runtime_dir }}/keepalive.state
exit $RETVAL


@ -0,0 +1 @@
d {{ keepalived_runtime_dir }} 0775 {{ keepalived_script_username }} {{ keepalived_script_username }}
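Review bot: `0775` makes the keepalived runtime directory group-writable, which is wider than the commit needs: the only writer visible is the notify script running as `{{ keepalived_script_username }}`, and the check script reads `keepalive.state` from here to decide whether to restart keepalived (as root on Ubuntu 18). `d {{ keepalived_runtime_dir }} 0750 {{ keepalived_script_username }} {{ keepalived_script_username }}` matches the mode already used for the script user's home directory and keeps other group members from planting a state file that triggers a root restart. `/usr/lib/tmpfiles.d` is also the vendor tree; admin-managed entries conventionally go in `/etc/tmpfiles.d`.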


@ -9,6 +9,8 @@ letsencrypt_acme_user_home: /var/lib/acme
letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist'
letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}'
letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data'
letsencrypt_acme_sh_certs_data_prefix: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}'
letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live'
letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}'


@ -13,7 +13,12 @@ else
fi
chown -R acme:acme "$ACME_SH_HOME"
sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
if [ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
/usr/local/bin/acme-sh-cron-command
chown -R acme:acme "$ACME_SH_HOME"
else
sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
fi
if [ "$ACME_SH_INSTALL_CERTS" == "True" ] ; then
$ACME_SH_BIN $ACME_SH_INSTALL_CERT_REQUEST > "$ACME_SH_INSTALL_LOG_FILE" 2>&1
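Review bot: the new branch runs `acme-sh-cron-command` as root whenever the standalone listener binds port 80, giving up the privilege separation the `sudo -u acme` path provides — the renewal code, and any hook it invokes, now runs as root on every cron run. If the privileged port is the only reason, keep the unprivileged run and grant just the bind: `setcap 'cap_net_bind_service=+ep'` on the listener acme.sh standalone mode uses (socat by default), or `authbind`, or let the web server answer the challenge via webroot mode, which the `Le_HTTPPort` fix elsewhere in this commit seems aimed at. The `chown -R acme:acme "$ACME_SH_HOME"` afterwards repairs ownership inside the home but not anything the root run may have written elsewhere. `[ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ]` also errors out if the variable is empty; `[ "${ACME_SH_HTTP_BIND_PORT:-0}" -eq 80 ]` is safer.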


@ -17,7 +17,7 @@ else
fi
RETVAL=
if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
# First request. Try to shut down all the services running on port 80
if [ -x /bin/systemctl ] ; then
/bin/systemctl stop nginx >/dev/null 2>&1
@ -30,6 +30,15 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
fi
$ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
if [ -x /bin/systemctl ] ; then
/bin/systemctl start nginx >/dev/null 2>&1
/bin/systemctl start apache2 >/dev/null 2>&1
/bin/systemctl start httpd >/dev/null 2>&1
else
service nginx start
service apache2 start
service httpd start
fi
else
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
@ -39,4 +48,8 @@ if [ $RETVAL -eq 0 ] ; then
touch "$ACME_SH_CONFIG_HOME/ok_certificate_issued"
fi
if [ $RETVAL -eq 2 ] ; then
# There is a valid certificate already
exit 0
fi
exit $RETVAL
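Review bot: the restart block after the first-issue request starts nginx, apache2 and httpd unconditionally, so a web server that is installed but deliberately stopped or disabled comes up after the first certificate run. Record which units were actually active before stopping them and start only those; the `service` fallback needs the same treatment. Exiting 0 on acme.sh return code 2 is fine, but the comment should say that 2 means "skipped, renewal not yet due" so nobody mistakes it for an error code.
```shell
# … unchanged: ok_certificate_issued / ACME_SH_USE_DNS_PROVIDER check …
  stopped_services=""
  if [ -x /bin/systemctl ] ; then
    for svc in nginx apache2 httpd ; do
      if /bin/systemctl is-active --quiet "$svc" ; then
        stopped_services="$stopped_services $svc"
        /bin/systemctl stop "$svc" >/dev/null 2>&1
      fi
    done
  fi
  # … unchanged: sysv fallback, first cert request, RETVAL …
  for svc in $stopped_services ; do
    /bin/systemctl start "$svc" >/dev/null 2>&1
  done
```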


@ -114,10 +114,20 @@
- name: Install the certificates
shell: /usr/local/bin/acme-sh-install-certs
when:
- letsencrypt_acme_sh_explicitly_install_certs
- letsencrypt_acme_sh_explicitly_install_certs | bool
- acme_sh_certificate_issued is defined
- acme_sh_certificate_issued is changed
ignore_errors: True
- name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
lineinfile:
path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
create: no
state: present
regexp: "^Le_HTTPPort="
line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
when: not letsencrypt_acme_sh_use_dns_provider | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port' ]
when: letsencrypt_acme_sh_install | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
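Review bot: the `Fix the http port` task uses `lineinfile` with `create: no` and `state: present` on `{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf`, which fails when that file does not exist yet — and it can be absent here because the preceding issue/install tasks run with `ignore_errors: True`. Guard it with a `stat` on the path and `when: acme_domain_conf.stat.exists and not letsencrypt_acme_sh_use_dns_provider | bool`, or drop `ignore_errors` so a failed issuance stops the play instead of being papered over. The path also assumes acme.sh names the domain directory after `ansible_fqdn`; if the certificate's main domain differs, this edit misses the real configuration file.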


@ -1,5 +1,5 @@
{% if letsencrypt_acme_sh_log_enabled %}
LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs"
LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs/cert_request.log"
LOG_LEVEL=1
{% endif %}


@ -11,6 +11,8 @@ ACME_SH_CRON_LOG_FILE={{ letsencrypt_acme_sh_base_data_dir }}/logs/cron.log
ACME_SH_INSTALL_LOG_FILE={{ letsencrypt_acme_sh_log_dir }}/cert_install.log
ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}
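Review bot: `ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"` renders the raw variable, and the cron and issue scripts compare it to the literal `"False"`; a value given as the string `'false'` or `'no'` renders as `false`/`no`, is not equal to `False`, and is therefore treated as "use DNS", silently skipping the port-80 handling. Normalize at render time, `ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider | bool }}"`, and do the same for `ACME_SH_INSTALL_CERTS`, which the cron script compares to `"True"`. Quoting `ACME_SH_HTTP_BIND_PORT` as well would keep the `-eq 80` test from breaking on an empty value.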


@ -86,3 +86,4 @@ mongodb_ganglia_auth_enabled: False
mongodb_ganglia_db: admin
mongodb_ganglia_auth_mechanism: MONGODB-CR
# User and password are stored in the variables mongo_monitoring_u and mongo_monitoring_pwd


@ -5,5 +5,6 @@
- name: Restart mongodb
service: name=mongodb state=restarted
ignore_errors: true
when: "'{{ mongodb_start_server }}' == 'yes'"
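Review bot: `when: "'{{ mongodb_start_server }}' == 'yes'"` templates inside a conditional (Ansible warns on this) and only holds if the variable is the literal string `yes`; a YAML `yes`/`true` is already the boolean `True`, renders as `True`, and the handler never restarts the service. Use `when: mongodb_start_server | bool`. The task files in this commit notify `Restart mongod` while the handler visible here is named `Restart mongodb`; unless a `Restart mongod` handler exists outside this hunk, those notifications fail at runtime.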


@ -3,3 +3,4 @@
- import_tasks: mongodb-letsencrypt-acmetool.yml
when: mongodb_ssl_letsencrypt_managed


@ -37,7 +37,7 @@
template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes
when: mongodb_install_conf
notify: Restart mongodb
tags: [ 'mongodb', 'mongodb_update_conf' ]
tags: [ 'mongodb', 'mongodb_update_conf', 'mongodb_keyfile' ]
when:
- mongodb_install_server
@ -75,7 +75,7 @@
- name: Install/Update the mongodb configuration
template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongodb.conf owner=root group=root mode=0444 backup=yes
when: mongodb_install_conf
notify: Restart mongodb
notify: Restart mongod
tags: [ 'mongodb', 'mongodb_update_conf' ]
when:
@ -100,6 +100,18 @@
when: mongodb_install_server
tags: mongodb
- block:
- name: Create the mongodb conf directory
file: dest={{ mongodb_conf_path }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755
- name: Install the keyfile if it is a replica cluster
copy: src='vault-{{ mongodb_replicaset }}-keyfile' dest={{ mongodb_conf_path }}/{{ mongodb_keyfile_name }} owner=mongodb group=mongodb mode=0400
notify: Restart mongod
when: mongodb_cluster_enabled
tags: [ 'mongodb', 'mongodb_keyfile', 'mongodb_update_conf' ]
- block:
- name: Ensure mongodb is started and enabled
service: name=mongodb state=started enabled=yes
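Review bot: the keyfile `copy` hard-codes `owner=mongodb group=mongodb` while the directory created one task earlier uses `{{ mongodb_user }}`/`{{ mongodb_group }}`; on a host where those variables differ from the package defaults the key, at `mode=0400`, is unreadable by the server. The replica-set key is a shared secret, so add `no_log: true` to that task as well, otherwise `--diff`/`-v` runs print it. For consistency with the rest of the commit the block condition should be `when: mongodb_cluster_enabled | bool`, and the `notify: Restart mongod` needs a handler of that exact name (the handler file in this commit shows `Restart mongodb`).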


@ -6,8 +6,6 @@ nginx_package_state: present
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
#nginx_virthosts: []
nginx_snippets_dir: /etc/nginx/snippets
nginx_conf_snippets:


@ -1,8 +1,13 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Install the python passlib library on deb based distributions
apt: pkg=python-passlib state=present cache_valid_time=3600
when: ansible_distribution_file_variety == "Debian"
- name: Install the python passlib library on RH based distributions
yum: pkg=python-passlib state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
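Review bot: the `htpasswd` task loops over `nginx_basic_auth_users` with `password={{ item.pwd }}`, and without `no_log: true` Ansible prints every loop item — clear-text password included — in the task result and in any callback or log plugin. Add `no_log: true` to that task. Since the module creates the file, also pass `mode=0640` and the nginx worker group so the hash file is not world-readable, unless that is handled elsewhere in the role.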


@ -1,8 +1,11 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-deb.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: nginx-rh.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
when: nginx_use_common_virthost | bool
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
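Review bot: `when: letsencrypt_acme_install is defined and letsencrypt_acme_install` is the one condition in this file left without the `| bool` cast the line above gains, so a string value such as `'false'` would still import the letsencrypt tasks. Make it `when: letsencrypt_acme_install is defined and letsencrypt_acme_install | bool` for consistency with the rest of the commit.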


@ -17,10 +17,6 @@
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
@ -35,5 +31,15 @@
with_items: '{{ nginx_old_snippets }}'
notify: Reload nginx
when: nginx_enabled
when: nginx_enabled | bool
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
- block:
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
when:
- nginx_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
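Review bot: the default-site removal is now limited to the Debian `sites-enabled/default`, but the rendered `nginx.conf` keeps `include /etc/nginx/conf.d/*.conf;` on both families, so on RH a packaged `/etc/nginx/conf.d/default.conf` (shipped by the nginx.org repository, for instance) would remain the catch-all server. If that package layout is in use, mirror the Debian task: `file: dest=/etc/nginx/conf.d/default.conf state=absent` under `ansible_distribution_file_variety == "RedHat"`.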


@ -0,0 +1,27 @@
---
- block:
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
when: ansible_distribution_file_variety == "Debian"
tags: nginx
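Review bot: the version gates compare `ansible_distribution_major_version` as strings (`<= '14'`, `>= '16'`), which only behaves for two-digit Ubuntu releases; Debian 9 or 10 satisfies `>= '16'` by lexical accident and any single-digit value lands in whichever branch the first character happens to sort into. Use the version test, `ansible_distribution_major_version is version('16', '>=')`, and likewise for the `<= '14'` checks. The PPA condition `"'{{ ansible_distribution }}' == 'Ubuntu'"` templates inside `when`; write it as `ansible_distribution == 'Ubuntu'`.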


@ -0,0 +1,7 @@
---
- block:
- name: Install the nginx web server
yum: pkg=nginx state={{ nginx_package_state }}
when: ansible_distribution_file_variety == "RedHat"
tags: nginx


@ -4,6 +4,10 @@
file: dest={{ nginx_webroot }} state=directory mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on Deb based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
@ -14,4 +18,15 @@
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on RH based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'nginx', 'virtualhost' ]
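Review bot: on RH the virtual host templates are written straight into `/etc/nginx/conf.d/<name>.conf` with no enable/disable step, so a host dropped from `nginx_virthosts` keeps being served until someone deletes the file by hand, whereas the Debian branch at least separates `sites-available` from `sites-enabled`. Either add a `state: absent` counterpart driven by a list of removed hosts or document the limitation in the role README. `with_items: '{{ nginx_virthosts | default(omit) }}'` also looks odd — `omit` inside a loop expression does not skip the task — so `default([])` reads as the clearer intent.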


@ -1,26 +0,0 @@
---
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
tags: nginx


@ -3,6 +3,5 @@
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx
tags: nginx


@ -1,11 +1,21 @@
user www-data;
pid /run/nginx.pid;
{% if nginx_use_ppa %}
{% if ansible_distribution_file_variety == "Debian" %}
user www-data;
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
{% else %}
worker_processes {{ nginx_workers }};
{% endif %}
{% endif %}
{% if ansible_distribution_file_variety == "RedHat" %}
user nginx;
worker_processes auto;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
{% endif %}
events {
worker_connections {{ nginx_worker_connections }};
@ -14,6 +24,9 @@ events {
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
@ -31,13 +44,20 @@ http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/conf.d/*.conf;
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
include /etc/nginx/sites-enabled/*;
}
include /etc/nginx/conf.d/*.conf;
{% if ansible_distribution_file_variety == "RedHat" %}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
{% endif %}
{% if ansible_distribution_file_variety == "Debian" %}
include /etc/nginx/sites-enabled/*;
{% endif %}
}
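Review bot: on RH the new `include /etc/nginx/default.d/*.conf;` sits at `http` level, but in the stock CentOS layout that directory holds fragments meant for the default `server` block (php-fpm, for example, drops a `location ~ \.php$` there), so `nginx -t` fails as soon as such a fragment is installed. Either drop the include or place it inside a default server, e.g. `server { listen 80 default_server; server_name _; include /etc/nginx/default.d/*.conf; }` at the end of the `http` block. The `ansible_distribution_major_version >= '16'` string comparison has the same lexical pitfall as elsewhere in this commit; prefer `ansible_distribution_major_version is version('16', '>=')`.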


@ -17,7 +17,7 @@
[global]
; Pid file
; Default Value: none
pid = /var/run/php5-fpm.pid
pid = /run/php/php{{ php_version }}-fpm.pid
; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written


@ -1,4 +1,8 @@
---
- name: Create the acme hooks directory if it does not exist
file: dest=/usr/lib/acme/hooks state=directory
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
- name: Install a hook for letsencrypt
template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555
tags: [ 'postfix', 'postfix-relay' ]
tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ]
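Review bot: `mode=4555` sets the setuid bit on the root-owned hook this task writes to `/usr/lib/acme/hooks/postfix`; the kernel ignores setuid on interpreted scripts, so it buys nothing, but it flags a root-setuid file to every hardening scanner and declares an intent the file should never have. The sibling postfix role in this commit already corrects the same line to `mode=0555`; do the same here.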


@ -55,6 +55,7 @@ inet_interfaces = localhost
inet_protocols = ipv4
{% endif %}
mailbox_size_limit = 0
message_size_limit = {{ postfix_message_size_limit }}
recipient_delimiter = +
default_destination_concurrency_limit = {{ postfix_default_destination_concurrency_limit }}
{% if postfix_use_sasl_auth %}
@ -77,7 +78,6 @@ smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
smtpd_helo_required = yes
mynetworks = {{ postfix_mynetworks }}
inet_interfaces = {{ postfix_interfaces }}
message_size_limit = {{ postfix_message_size_limit }}
# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_restrictions = reject_unknown_helo_hostname


@ -62,6 +62,9 @@ postfix_milter_action: tempfail
# SMTP server that not accept authenticated clients.
#############################################################################
postfix_smtpd_server: False
# SMTP server that routes emails coming from outside
#############################################################################
postfix_mx_server: False
#############################################################################
# SMTP submission server: accepts authenticated clients
#############################################################################
@ -106,12 +109,25 @@ postfix_sasl_ldap_referrals: no
#
postfix_use_domain_name: False
postfix_inet_lmtp_enabled: False
postfix_inet_lmtp_host: '127.0.0.1'
postfix_inet_lmtp_port: 24
postfix_virtual_transport_enabled: False
postfix_virtual_transport_protocol: 'lmtp'
postfix_lmtp_protocol: 'inet'
postfix_lmtp_host: '127.0.0.1'
postfix_lmtp_port: 24
postfix_delivery_soft_bounce: False
postfix_recipient_delimiter: '+'
postfix_local_recipients: False
postfix_transport_map_enabled: False
postfix_transport_maps:
- 'hash:/etc/postfix/transport'
postfix_transport_data: []
#
# Example:
# postfix_transport_data:
# - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' }
postfix_rbl_enabled: True
postfix_rbl_list: 'zen.spamhaus.org'
postfix_mynetworks: hash:/etc/postfix/network_table
postfix_mynetworks_data:
@ -125,9 +141,23 @@ postfix_alias_databases: '{{ postfix_alias_maps }}'
postfix_virtual_addresses: False
postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_mailbox_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_mailbox_domains_data:
# - { domain: 'example.com', action: 'OK' }
postfix_virtual_mailbox_maps:
- 'hash:/etc/postfix/vmailbox_maps'
postfix_virtual_domains: False
postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_alias_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_alias_domains_data:
# - { domain: 'example.com', action: 'OK' }
postfix_virtual_alias_maps:
- 'hash:/etc/postfix/virtual'
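Review bot: `postfix_rbl_list: 'zen.spamhaus.org'` rendered as `reject_rbl_client zen.spamhaus.org` treats any `127.0.0.0/8` answer as a listing, while Spamhaus answers `127.255.255.x` for error conditions such as queries from public resolvers or over quota — in that state every client is rejected. Pin the listing codes in the default, `postfix_rbl_list: 'zen.spamhaus.org=127.0.0.[2..11]'`, so error responses fall through. Because `postfix_rbl_enabled: True` turns this on by default for any `postfix_mx_server`, a comment pointing at the Spamhaus usage terms (public resolvers are refused) would save operators a surprise.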


@ -1,5 +1,6 @@
---
- import_tasks: smtp-common-packages.yml
- import_tasks: smtp-configuration.yml
- import_tasks: postfix_firewalld.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: smtp-sasl-auth.yml


@ -1,8 +1,18 @@
---
- name: Create the acme hooks directory if it does not exist
file: dest=/usr/lib/acme/hooks/postfix state=directory
tags: [ 'postfix', 'postfix-relay', 'letsencrypt' ]
- name: Manage the letsencrypt hook for postfix
block:
- name: Create the acme hooks directory if it does not exist
file: dest=/usr/lib/acme/hooks state=directory
- name: Install a hook for letsencrypt
template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555
tags: [ 'postfix', 'postfix-relay', 'letsencrypt' ]
- name: In the past we created a directory instead of a file. Check if it's the case
stat: path=/usr/lib/acme/hooks/postfix
register: postfix_hookdir
- name: Remove the wrong directory if it's present
file: dest=/usr/lib/acme/hooks/postfix state=absent
when: postfix_hookdir.stat.isdir is defined and postfix_hookdir.stat.isdir
- name: Install a hook for letsencrypt
template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=0555
tags: [ 'postfix', 'postfix_letsencrypt', 'letsencrypt' ]
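Review bot: the section shows the hook installed twice to `/usr/lib/acme/hooks/postfix`, first with `mode=4555` inside the block and again with `mode=0555` at the end; if both tasks survive in the new file the first is dead weight and the setuid bit it sets is immediately overwritten, so keep only the `0555` task. The `stat`/remove pair that cleans up the old directory must run before any install task, which the order here suggests but the duplicate makes hard to read — moving the `0555` install into the block after the removal would make that explicit.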


@ -26,38 +26,9 @@
when: postfix_tls_encryption_level != "old"
notify: Reload postfix
- name: Write the postfix main configuration file
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
register: postfix_main_restart_needed
- name: The postfix master.cf file adapts to the service role
template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
register: postfix_master_restart_needed
- name: Write the postfix network_table map
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
register: postfix_network_table_status
when: postfix_install_packages | bool
tags: [ 'postfix', 'postfix_conf' ]
- block:
- name: Ensure that postfix is started and enabled
service: name=postfix state=started enabled=yes
- name: Update the network hash table
shell: postmap hash:/etc/postfix/network_table
when: postfix_network_table_status is changed
- name: Restart postfix
service: name=postfix state=restarted
when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
when:
- postfix_install_packages | bool
- postfix_enabled | bool
tags: [ 'postfix', 'postfix_conf' ]
- block:
- name: Ensure that postfix is stopped and disabled
service: name=postfix state=stopped enabled=no
@ -67,7 +38,6 @@
- not postfix_enabled | bool
tags: postfix
- block:
- name: Install the postfix NRPE nagios check
copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555


@ -0,0 +1,54 @@
---
- name: Postfix main configuration
block:
- name: Write the postfix main configuration file
template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444
register: postfix_main_restart_needed
- name: The postfix master.cf file adapts to the service role
template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
register: postfix_master_restart_needed
when: postfix_enabled | bool
tags: [ 'postfix', 'postfix_conf' ]
- name: Postfix maps installation
block:
- name: Write the postfix network_table map
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
register: postfix_network_table_status
- name: Write the postfix virtual_domains map
template: src=virtual_domains.j2 dest=/etc/postfix/virtual_domains owner=root group=root mode=0444
register: postfix_virtual_domains_status
- name: Write the postfix transport map
template: src=transport.j2 dest=/etc/postfix/transport owner=root group=root mode=0444
register: postfix_transport_table_status
when: postfix_transport_map_enabled | bool
- name: Update the network hash table
shell: postmap hash:/etc/postfix/network_table
when: postfix_network_table_status is changed
- name: Update the virtual_domains
shell: postmap hash:/etc/postfix/virtual_domains
when: postfix_virtual_domains_status is changed
- name: Update the transport hash table
shell: postmap hash:/etc/postfix/transport
when: postfix_transport_table_status is changed
when: postfix_enabled | bool
tags: [ 'postfix', 'postfix_conf', 'postfix_maps' ]
- block:
- name: Ensure that postfix is started and enabled
service: name=postfix state=started enabled=yes
- name: Restart postfix
service: name=postfix state=restarted
when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed )
when: postfix_enabled | bool
tags: [ 'postfix', 'postfix_conf' ]
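Review bot: the three `postmap` tasks use `shell:` for a fixed command with no shell features; `command: postmap hash:/etc/postfix/network_table` (and likewise for the other two) avoids the shell and the ansible-lint warning. `postmap` rewrites the `.db` in place and Postfix reopens it without a restart, so it is right that these tasks do not feed the restart condition; a one-line comment saying so above `Restart postfix` would keep the next reader from "fixing" it. The new `postfix_enabled | bool` guard also drops the previous `postfix_install_packages | bool` condition — worth confirming that was intended.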


@ -1,7 +1,7 @@
---
- name: Write sasl hash file
template: src=sasl_passwd.j2 dest=/etc/postfix/sasl_passwd owner=root group=root mode=0400
when: postfix_use_sasl_auth
when: postfix_use_sasl_auth | bool
register: update_sasl_hash
tags: postfix-relay


@ -177,8 +177,10 @@ mydestination = {{ ansible_fqdn }}, localhost
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
{% if not postfix_local_recipients %}
{% if postfix_virtual_transport_enabled %}
local_recipient_maps =
{% elif not postfix_local_recipients %}
#local_recipient_maps =
{% endif %}
# The unknown_local_recipient_reject_code specifies the SMTP server
@ -343,6 +345,10 @@ relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
{% if postfix_transport_map_enabled %}
transport_maps = {% for tmap in postfix_transport_maps %}{{ tmap }}{% if not loop.last %}, {% endif %}{% endfor %}
{% endif %}
# ALIAS DATABASE
#
@ -478,14 +484,18 @@ recipient_delimiter = {{ postfix_recipient_delimiter }}
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
{% if postfix_inet_lmtp_enabled %}
virtual_transport = lmtp:inet:{{ postfix_inet_lmtp_host }}:{{ postfix_inet_lmtp_port }}
{% endif %}
{% if postfix_virtual_transport_enabled %}
virtual_transport = {{ postfix_virtual_transport_protocol }}:{{ postfix_lmtp_protocol }}:{{ postfix_lmtp_host }}:{{ postfix_lmtp_port }}
{% if postfix_virtual_addresses %}
virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }}
virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %}
{% endif %}
{% if postfix_virtual_domains %}
virtual_alias_domains = {{ postfix_virtual_alias_domains }}
{% endif %}
{% if postfix_virtual_addresses %}
virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %}
virtual_mailbox_limit = {{ postfix_message_size_limit }}
@ -570,7 +580,24 @@ smtpd_client_restrictions =
{% if postfix_submission_server %}
permit_sasl_authenticated
{% endif %}
{% if postfix_mx_server %}
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_invalid_hostname
# reject_non_fqdn_hostname
reject_unauth_destination
reject_unknown_recipient_domain
reject_unlisted_recipient
{% if postfix_rbl_enabled %}
reject_rbl_client {{ postfix_rbl_list }}
{% endif %}
{% endif %}
{% if postfix_mx_server %}
permit
{% else %}
reject
{% endif %}
{% if postfix_submission_server %}
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
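Review bot: `local_recipient_maps =` (empty) when `postfix_virtual_transport_enabled` switches off unknown-local-recipient rejection while `mydestination = {{ ansible_fqdn }}, localhost` stays in force, so on an MX this host accepts any recipient in those domains and bounces later — the backscatter configuration Postfix's documentation warns against. If local delivery is really meant to go through the virtual transport, also set `mydestination =` empty in that branch (listing the domains in `virtual_mailbox_domains`), or point `local_recipient_maps` at the virtual maps instead of clearing it. The `reject_unlisted_recipient` added for `postfix_mx_server` does not compensate, because for `mydestination` domains it relies on the very maps that were just emptied.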


@ -0,0 +1,3 @@
{% for map in postfix_transport_data %}
{{ map.domain }} {{ map.action }}
{% endfor %}


@ -0,0 +1,11 @@
{% if postfix_virtual_domains | bool %}
{% for dom in postfix_virtual_alias_domains_data %}
{{ dom.domain }} OK
{% endfor %}
{% elif postfix_virtual_addresses | bool %}
{% for dom in postfix_virtual_mailbox_domains_data %}
{{ dom.domain }} OK
{% endfor %}
{% else %}
localdomain OK
{% endif %}
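Review bot: the `{% elif %}` means that when `postfix_virtual_domains` and `postfix_virtual_addresses` are both enabled only the alias domains are written, although the defaults point both `virtual_alias_domains` and `virtual_mailbox_domains` at this same `virtual_domains` map; the mailbox domains then go silently missing. The per-entry `action` that the defaults document as optional is also ignored in favour of a fixed `OK`. Write both lists and honour the action:
```jinja
{% if postfix_virtual_domains | bool %}
{% for dom in postfix_virtual_alias_domains_data %}
{{ dom.domain }} {{ dom.action | default('OK') }}
{% endfor %}
{% endif %}
{% if postfix_virtual_addresses | bool %}
{% for dom in postfix_virtual_mailbox_domains_data %}
{{ dom.domain }} {{ dom.action | default('OK') }}
{% endfor %}
{% endif %}
{% if not (postfix_virtual_domains | bool or postfix_virtual_addresses | bool) %}
localdomain OK
{% endif %}
```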


@ -184,7 +184,7 @@ pgpool_enable_ssl: False
pgpool_letsencrypt_managed: True
pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key
pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
pgpool_ssl_ca_dir: /etc/ssl/certs
pgpool_virtual_ip: 127.0.0.1
pgpool_virtual_netmask: 24


@ -65,6 +65,8 @@ roundcube_show_images: 0
# 3 - on forward or reply to HTML message
# 4 - always, except when replying to plain text message
roundcube_html_editor: 0
# In minutes
roundcube_session_lifetime: 60
roundcube_default_plugins:
- acl
@ -137,3 +139,9 @@ roundcube_identity_smtp_name: identity_smtp
roundcube_additional_plugins: []
#roundcube_additional_plugins:
# - identity_smtp
# In Megabytes. This affects both the nginx/apache and php configurations
roundcube_max_attachments_size: 5
# This one is represented in bytes instead.
roundcube_max_db_allowed_packet: '{{ roundcube_max_attachments_size * 1024 * 1024 * 5 }}'


@ -27,6 +27,12 @@ $config = array();
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = '{{ roundcube_db }}://{{ roundcube_db_user }}:{{ roundcube_db_pwd }}@{{ roundcube_db_host }}/{{ roundcube_db_name}}';
// It is possible to specify database variable values e.g. some limits here.
// Use them if your server is not MySQL or for better performance.
// For example Roundcube uses max_allowed_packet value (in bytes)
// which limits query size for database cache operations.
$config['db_max_allowed_packet'] = '{{ roundcube_max_db_allowed_packet }}';
// The IMAP host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
@ -80,7 +86,7 @@ $config['des_key'] = '{{ roundcube_crypt_key }}';
$config['cipher_method'] = 'AES-256-CBC';
// List of active plugins (in plugins/ directory)
$config['plugins'] = array({% for plug in roundcube_default_plugins %}'{{ plug }}', {% endfor %}{% for opt_plug in roundcube_optional_plugins %}'{{ opt_plug }}', {% endfor %}{% for add_plug in roundcube_additional_plugins %}'{{ add_plug }}', {% endfor %}{% if roundcube_install_enigma %}{{ roundcube_enigma_plugin }}{% endif %});
$config['plugins'] = array({% for plug in roundcube_default_plugins %}'{{ plug }}', {% endfor %}{% for opt_plug in roundcube_optional_plugins %}'{{ opt_plug }}', {% endfor %}{% for add_plug in roundcube_additional_plugins %}'{{ add_plug }}', {% endfor %}{% if roundcube_install_enigma %}'{{ roundcube_enigma_plugin }}'{% endif %});
{% if roundcube_install_enigma %}
// Enigma Plugin options
@ -201,6 +207,11 @@ $config['apc_max_allowed_packet'] = '2M';
$config['redis_max_allowed_packet'] = '2M';
{% endif %}
// Message size limit. Note that SMTP server(s) may use a different value.
// This limit is verified when user attaches files to a composed message.
// Size in bytes (possible unit suffix: K, M, G)
$config['max_message_size'] = '{{ roundcube_max_attachments_size }}M';
// THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
// ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
$config['enable_installer'] = false;
@ -290,6 +301,18 @@ $config['login_lc'] = {{ roundcube_login_lc }};
$config['display_product_info'] = 0;
// Session lifetime in minutes
$config['session_lifetime'] = {{ roundcube_session_lifetime }};
// Session domain: .example.org
$config['session_domain'] = '';
// Session name. Default: 'roundcube_sessid'
$config['session_name'] = null;
// Session authentication cookie name. Default: 'roundcube_sessauth'
$config['session_auth_name'] = null;
{% if roundcube_use_memcache %}
$config['session_storage'] = 'memcache';
{% elif roundcube_use_redis %}


@ -41,6 +41,9 @@ server {
index index.php;
# This determines the max size of attachments. Configure the corresponding php options accordingly
client_max_body_size {{ nginx_client_max_body_size }};
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.


@ -1,7 +1,10 @@
---
nginx_use_common_virthost: False
nginx_client_max_body_size: '{{ roundcube_max_attachments_size * 2 }}M'
phpfpm_default_user: '{{ roundcube_user }}'
phpfpm_default_pool_name: roundcube
phpfpm_default_memory_limit: '{{ roundcube_max_attachments_size * 10 }}M'
redis_install: False
http_port: 80
https_port: 443
@ -25,12 +28,10 @@ php_additional_packages:
- postgresql-client
- 'php{{ php_version }}-memcache'
phpfpm_default_memory_limit: "64M"
php_global_settings:
- { option: 'zlib.output_compression', value: 'Off' }
- { option: 'post_max_size', value: '6M' }
- { option: 'upload_max_filesize', value: '5M' }
- { option: 'post_max_size', value: '{{ roundcube_max_attachments_size }}M' }
- { option: 'upload_max_filesize', value: '{{ roundcube_max_attachments_size }}M' }
- { option: 'session.auto_start', value: 'Off' }
- { option: 'suhosin.session.encrypt', value: 'Off' }
- { option: 'session.gc_maxlifetime', value: '21600' }
@ -52,5 +53,5 @@ php_global_settings:
php_cli_global_settings: '{{ php_global_settings }}'
phpfpm_pools:
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ roundcube_web_root }}/public_html', req_term_timeout: '240s', virthost: '{{ roundcube_servername }}', nginx_servername: '{{ roundcube_servername }}' }
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', upload_max_filesize: '{{ roundcube_max_attachments_size }}M', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ roundcube_web_root }}/public_html', req_term_timeout: '240s', virthost: '{{ roundcube_servername }}', nginx_servername: '{{ roundcube_servername }}' }
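Review bot: In the `php_global_settings` hunk `post_max_size` and `upload_max_filesize` are both set to `{{ roundcube_max_attachments_size }}M`, so an attachment at exactly the advertised maximum is rejected because the multipart POST body is larger than the file itself; `post_max_size` should be strictly larger, e.g. `- { option: 'post_max_size', value: '{{ (roundcube_max_attachments_size | int) + 1 }}M' }`. The arithmetic in `nginx_client_max_body_size`, `phpfpm_default_memory_limit` and the pool entry assumes `roundcube_max_attachments_size` is an integer: if it arrives from inventory or extra-vars as a string, Jinja's `*` repeats the string (`'5' * 2` gives `55`) instead of multiplying, so `(roundcube_max_attachments_size | int) * 2` is the safer form throughout. If the `phpfpm_default_memory_limit: "64M"` line in the second hunk is kept rather than removed, it duplicates the key added in the first hunk and the YAML parser silently takes the last value.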


@ -1,7 +1,7 @@
---
rstudio_install_server: False
rstudio_enabled: True
rstudio_file: rstudio-server-1.0.143-amd64.deb
rstudio_file: rstudio-server-1.1.463-amd64.deb
rstudio_download_url: 'https://download2.rstudio.org/{{ rstudio_file }}'
rstudio_install_kill_script: True


@ -0,0 +1,25 @@
---
rsyslog_enable_remote_socket: False
rsyslog_enable_remote_udp: 'enabled'
rsyslog_enable_remote_tcp: 'disabled'
rsyslog_remote_path: /var/log/remote
rsyslog_tls_status: 'disabled'
rsyslog_tls_deb_pkgs:
- 'rsyslog-gnutls'
rsyslog_tls_rh_pkgs:
- 'rsyslog-gnutls'
rsyslog_udp_port: 514
rsyslog_tcp_port: 514
rsyslog_send_to_remote: False
rsyslog_firewalld_services:
- { service: 'syslog', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' }
- { service: 'syslog-tls', state: '{{ rsyslog_tls_status }}', zone: '{{ firewalld_default_zone }}' }
rsyslog_firewalld_ports:
- { port: '{{ rsyslog_tcp_port }}', protocol: 'tcp', state: '{{ rsyslog_enable_remote_tcp }}', zone: '{{ firewalld_default_zone }}' }
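Review bot: `rsyslog_firewalld_services` opens the firewalld `syslog` service, whose definition is fixed at 514/udp, while the UDP listener is bound to `rsyslog_udp_port`; if that variable is changed firewalld opens the wrong port, so the UDP rule belongs in `rsyslog_firewalld_ports` alongside the TCP one: `- { port: '{{ rsyslog_udp_port }}', protocol: 'udp', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' }`. With `rsyslog_enable_remote_udp: 'enabled'` and `rsyslog_tls_status: 'disabled'` as defaults, setting `rsyslog_enable_remote_socket: True` exposes a plaintext, unauthenticated UDP receiver on every interface; defaulting UDP to `'disabled'` and adding a bind-address variable would make that exposure an explicit choice. `rsyslog_send_to_remote: False` does not appear to be consumed by the tasks or the template visible in this commit, so either document what reads it or drop it.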


@ -0,0 +1,5 @@
---
- name: Restart rsyslog
service: name=rsyslog state=restarted


@ -0,0 +1,70 @@
---
- name: Configure rsyslog so that it accepts logs from remote services
block:
- name: Ensure that the rsyslog package is installed. deb/ubuntu
apt: pkg=rsyslog state=present cache_valid_time=1800
when: ansible_distribution_file_variety == "Debian"
- name: Ensure that the rsyslog package is installed. centos/rhel
yum: pkg=rsyslog state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the additional rsyslog directory
file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm
- name: Install the rsyslog configuration
template: src=rsyslog-remote-socket.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote-socket.conf
notify: Restart rsyslog
- name: Ensure that rsyslog is running and enabled
service: name=rsyslog state=started enabled=yes
when: rsyslog_enable_remote_socket | bool
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
- name: Install the rsyslog TLS package on deb/ubuntu
block:
- name: Install the rsyslog TLS support
apt: pkg={{ rsyslog_tls_deb_pkgs }} state=present cache_valid_time=1800
notify: Restart rsyslog
when:
- rsyslog_enable_remote_socket | bool
- rsyslog_tls_status == 'enabled'
- ansible_distribution_file_variety == "Debian"
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
- name: Install the rsyslog TLS package on RHEL/CentOS
block:
- name: Install the rsyslog TLS support
yum: pkg={{ rsyslog_tls_rh_pkgs }} state=present
notify: Restart rsyslog
when:
- rsyslog_enable_remote_socket | bool
- rsyslog_tls_status == 'enabled'
- ansible_distribution_file_variety == "RedHat"
tags: [ 'syslog', 'rsyslog', 'remote_syslog' ]
- name: Configure SELinux and firewalld on RHEL/CentOS
block:
- name: SELinux udp port
seport: ignore_selinux_state=yes ports=514 proto=udp setype=syslogd_port_t state=present
when: rsyslog_enable_remote_udp == 'enabled'
- name: SELinux tcp port
seport: ignore_selinux_state=yes ports=514 proto=tcp setype=syslogd_port_t state=present
when: rsyslog_enable_remote_tcp == 'enabled'
- name: rsyslog firewalld services
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True
with_items: '{{ rsyslog_firewalld_services }}'
- name: rsyslog firewalld ports
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ rsyslog_firewalld_ports }}'
when:
- rsyslog_enable_remote_socket | bool
- ansible_distribution_file_variety == "RedHat"
tags: [ 'syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld' ]
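Review bot: The two `seport` tasks hard-code `ports=514` while the defaults expose `rsyslog_udp_port` and `rsyslog_tcp_port`; changing either port would leave SELinux denying the bind, so use `ports={{ rsyslog_udp_port }}` and `ports={{ rsyslog_tcp_port }}` respectively. The firewalld port rule defaults to `permanent={{ item.permanent | default(False) }}` whereas the service rule defaults to `True`, so the TCP opening is lost on the next firewalld reload; `default(True)` for both is presumably what was intended. `file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm` also runs on RHEL/CentOS, where the `syslog` user is not normally present and rsyslog runs as root, and no `mode` is set even though the directory will hold other hosts' logs; a per-OS owner and `mode=0750` are worth adding.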


@ -0,0 +1,34 @@
#
# The order counts
#
{% if rsyslog_enable_remote_udp == 'enabled' %}
# Provides UDP syslog reception
module(load="imudp") # needs to be done just once
# input(type="imudp" port="{{ rsyslog_udp_port }}")
{% endif %}
{% if rsyslog_enable_remote_tcp == 'enabled' %}
# Provides TCP syslog reception
module(load="imtcp") # needs to be done just once
# input(type="imtcp" port="{{ rsyslog_tcp_port }}")
{% endif %}
# log every host in its own directory
$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log"
$RuleSet remote
*.* ?RemoteHost
{% if rsyslog_enable_remote_udp == 'enabled' %}
# bind the ruleset to the udp listener
$InputUDPServerBindRuleset remote
# and activate it:
$UDPServerRun {{ rsyslog_udp_port }}
{% endif %}
{% if rsyslog_enable_remote_tcp == 'enabled' %}
# bind the ruleset to the tcp listener
$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun {{ rsyslog_tcp_port }}
{% endif %}
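Review bot: Nothing in this template enables TLS: `rsyslog_tls_status: 'enabled'` installs `rsyslog-gnutls` and opens the `syslog-tls` firewalld service, but the listener started by `$InputTCPServerRun {{ rsyslog_tcp_port }}` has no `$DefaultNetstreamDriver gtls`, certificate-path or `$InputTCPServerStreamDriverMode 1` settings, so reception stays plaintext and unauthenticated while the variable name suggests otherwise. Either add a `{% if rsyslog_tls_status == 'enabled' %}` block carrying the gtls driver and CA/cert/key path variables, or state in the defaults that the variable only installs the package. The file also mixes RainerScript `module(load=...)` with legacy `$...` directives and carries the modern form commented out; `input(type="imudp" port="{{ rsyslog_udp_port }}" ruleset="remote")` would replace the `$InputUDPServerBindRuleset`/`$UDPServerRun` pair (likewise for TCP) and the "order counts" caveat with it. `%HOSTNAME%` in the `RemoteHost` template is taken from the received message rather than from the connection, so confirm the deployed rsyslog version sanitises it before it becomes a directory name, or prefer `%FROMHOST-IP%`.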


@ -24,6 +24,11 @@ simplesaml_protectindexpage: 'true'
simplesaml_protectmetadata: 'false'
# ERR, WARNING, NOTICE, INFO, DEBUG
simplesaml_loglevel: NOTICE
simplesaml_debug_saml: 'false'
simplesaml_debug_backtraces: 'true'
simplesaml_debug_validatexml: 'false'
simplesaml_php_show_errors: 'false'
simplesaml_error_reporting: 'false'
# Change this one when we are setting up a cluster of simplesaml servers
simplesaml_create_self_signed_cert_host: '{{ ansible_fqdn }}'


@ -63,19 +63,19 @@
tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]
- name: Install the simplesaml config files
template: src={{ item }}.php dest={{ simplesaml_install_dir }}/config/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/config/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
with_items:
- config
- authsources
tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]
- name: Install some metadata files
template: src={{ item }}.php dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
with_items:
- saml20-idp-hosted
- name: Install some metadata files
template: src={{ item }}.php dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640
with_items:
- saml20-sp-remote
when: simplesaml_global_sp_remote_template
@ -109,7 +109,7 @@
- block:
- name: Install the nginx virtualhosts
template: src=nginx-virthost.conf dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444
template: src=nginx-virthost.conf.j2 dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444
with_items: '{{ phpfpm_pools }}'
notify: Reload nginx


@ -66,7 +66,7 @@ $config = [
* root directory.
*/
{% endraw %}
'certdir' => '{{ simplesaml_cert_dir }}',
'certdir' => '{{ simplesaml_cert_dir }}',
'loggingdir' => '{{ simplesaml_log_dir }}',
'datadir' => '{{ simplesaml_data_dir }}',
'tempdir' => '{{ simplesaml_tmp_dir }}',
@ -96,8 +96,6 @@ $config = [
*/
'timezone' => null,
/**********************************
| SECURITY CONFIGURATION OPTIONS |
**********************************/
@ -231,10 +229,11 @@ $config = [
* If you want to disable debugging completely, unset this option or set it to an
* empty array.
*/
{% endraw %}
'debug' => [
'saml' => false,
'backtraces' => true,
'validatexml' => false,
'saml' => {{ simplesaml_debug_saml}},
'backtraces' => {{ simplesaml_debug_backtraces }},
'validatexml' => {{ simplesaml_debug_validatexml }},
],
/*
@ -244,9 +243,9 @@ $config = [
* When 'errorreporting' is enabled, a form will be presented for the user to report
* the error to 'technicalcontact_email'.
*/
'showerrors' => true,
'errorreporting' => true,
'showerrors' => {{ simplesaml_php_show_errors }},
'errorreporting' => {{ simplesaml_error_reporting }},
{% raw %}
/*
* Custom error show function called from SimpleSAML\Error\Error::show.
* See docs/simplesamlphp-errorhandling.txt for function code example.
@ -730,7 +729,9 @@ $config = [
'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh',
],
'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
{% endraw %}
'language.default' => '{{ simplesaml_language_default }}',
{% raw %}
/*
* Options to override the default settings for the language parameter
@ -1112,7 +1113,7 @@ $config = [
* The hostname and port of the Redis datastore instance.
*/
{% endraw %}
'store.redis.host' => '{{ simplesaml_redis_host }}',
'store.redis.host' => '{{ simplesaml_redis_host }}',
'store.redis.port' => 6379,
{% raw %}
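Review bot: The new `{{ simplesaml_debug_saml}}`, `{{ simplesaml_debug_backtraces }}` and `{{ simplesaml_debug_validatexml }}` values are interpolated verbatim as PHP literals, so anything that is not a bare `true`/`false` (an empty value, a misspelling, or `yes` from an inventory that quotes it) is either a parse error that takes the IdP down or an unintended truthy string; rendering them as `{{ simplesaml_debug_saml | lower }}` accepts both the quoted string defaults and real YAML booleans (which would otherwise render as `True`/`False`). The same applies to `'showerrors'` and `'errorreporting'` in the next hunk, and `{{ simplesaml_debug_saml}}` is missing the space before `}}` that its siblings have. `'store.redis.port' => 6379` stays hard-coded while the host is templated; a `simplesaml_redis_port` default would complete that hunk.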


@ -1,7 +1,6 @@
---
solr_http_port: 8983
tomcat_load_additional_default_conf: True
tomcat_version: 7
# solr needs a lot of time to start if it needs to rebuild its indices
tomcat_restart_timeout: 100000


@ -1,4 +1,26 @@
---
- name: Set the tomcat version for ubuntu Trusy
set_fact:
tomcat_version: 7
when:
- ansible_distribution_major_version <= '16'
- tomcat_fixed_version is not defined
tags: [ solr, tomcat, solr_core ]
- name: Set the tomcat version for Ubuntu bionic
set_fact:
tomcat_version: 8
when:
- ansible_distribution_major_version == '18'
- tomcat_fixed_version is not defined
tags: [ solr, tomcat, solr_core ]
- name: Impose a tomcat version
set_fact:
tomcat_version: '{{ tomcat_fixed_version }}'
when: tomcat_fixed_version is defined
tags: [ solr, tomcat, solr_core ]
- block:
- name: Create the solr cores data directories
file: dest={{ solr_collections_base_dir }}/{{ item }} state=directory owner={{ solr_user }} group={{ solr_user }}
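Review bot: `tomcat_version: '{{ tomcat_fixed_version }}'` sets a string where the other two branches set integers, and the tomcat role evaluates `when: tomcat_version >= 8`; if `tomcat_fixed_version` comes from inventory as a string the comparison mixes types, so `tomcat_version: '{{ tomcat_fixed_version | int }}'` keeps the fact numeric. These three version-selection tasks duplicate the ones in the tomcat role's `tasks/main.yml` touched later in this commit, so the two copies can drift; consuming the tomcat role's fact instead of repeating the logic would avoid that. `ansible_distribution_major_version <= '16'` is a string comparison that happens to hold for '14'/'16' against '18' but not in general, so `| int` on both sides is safer, and the task name misspells Trusty as "Trusy".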


@ -20,3 +20,6 @@ thredds_host_institution_name: 'ORG'
thredds_host_institution_web: ''
thredds_force_ssl_for_user_data: False
thredds_palettes_customisation: False
thredds_abstract: 'Scientific Data'
thredds_contact_name: 'Support'
thredds_google_analytics_key: ''
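Review bot: The `threddsConfig.xml.j2` hunk in this commit renders `{{ thredds_logo_alt_text }}`, but no default for it is added here; unless it is defined somewhere not shown, every play that previously worked now fails with an undefined-variable error. Adding `thredds_logo_alt_text: '{{ thredds_server_name }}'` to this hunk preserves the old output, where the alt text was the server name.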


@ -22,15 +22,23 @@
register: thredds_skip_conf
tags: [ 'thredds', 'tomcat', 'thredds_conf' ]
- name: Install the Thredds data configuration files
- name: Install the Thredds data configuration files -only at initialization-
template: src={{ item[1] }}.j2 dest={{ thredds_data_content_dir }}/thredds/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=644
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'threddsConfig.xml', 'catalog.xml', 'wmsConfig.xml' ]
- ['catalog.xml', 'wmsConfig.xml' ]
notify: tomcat instances restart
when: not thredds_skip_conf.stat.exists
tags: [ 'thredds', 'tomcat', 'thredds_conf' ]
- name: Install-update the Thredds data configuration files
template: src={{ item[1] }}.j2 dest={{ thredds_data_content_dir }}/thredds/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=644
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'threddsConfig.xml']
notify: tomcat instances restart
tags: [ 'thredds', 'tomcat', 'thredds_conf' ]
- name: Create the file that states that the thredds instance has been configured
copy: content="initialized by ansible" dest={{ thredds_data_content_dir }}/thredds/.conf_initialized mode=0400
register: thredds_skip_conf
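Review bot: `register: thredds_skip_conf` on the marker task rebinds the name that held the `stat` result consumed by `when: not thredds_skip_conf.stat.exists`; any later task that still expects `.stat` on it would break, so register the copy result under a different name or drop the register if nothing reads it. The split itself is sound (`catalog.xml`/`wmsConfig.xml` stay init-only while `threddsConfig.xml` is re-rendered on every run to pick up the new variables), but `mode=644` without the leading zero relies on Ansible's string-to-octal handling; `mode=0644` matches the marker task's `mode=0400` style.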


@ -6,13 +6,13 @@
<serverInformation>
<name>{{ thredds_server_name }}</name>
<logoUrl>{{ thredds_logo_url }}</logoUrl>
<logoAltText>{{ thredds_server_name }}</logoAltText>
<logoAltText>{{ thredds_logo_alt_text }}</logoAltText>
<abstract>Scientific Data</abstract>
<abstract>{{ thredds_abstract }}</abstract>
<keywords>meteorology, atmosphere, climate, ocean, earth science</keywords>
<contact>
<name>Support</name>
<name>{{ thredds_contact_name}}</name>
<organization>{{ thredds_organization }}</organization>
<email>{{ thredds_email }}</email>
<!--phone></phone-->
@ -55,7 +55,7 @@
* webpages associated with THREDDS. This will not track WMS or DAP
* requests for data, only browsing the catalog.
-->
<googleTrackingCode></googleTrackingCode>
<googleTrackingCode>{{ thredds_google_analytics_key }}</googleTrackingCode>
</htmlSetup>
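Review bot: `{{ thredds_abstract }}`, `{{ thredds_contact_name}}` and `{{ thredds_google_analytics_key }}` are inserted into XML element content without escaping, so a value containing `&` or `<` (an abstract such as "Land & Ocean") produces a malformed `threddsConfig.xml` and a failed Tomcat deployment; `{{ thredds_abstract | escape }}` and `{{ thredds_contact_name | escape }}` on the free-text values keep the document well-formed, as Jinja's HTML escaping is safe for XML text nodes. `{{ thredds_contact_name}}` is also missing the space before `}}`.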


@ -11,7 +11,7 @@
user: name={{ item.user }} home={{ item.user_home }} createhome=false shell={{ item.user_shell | default('/bin/false') }}
with_items: '{{ tomcat_m_instances }}'
when:
- not tomcat_m_use_default_user
- not tomcat_m_use_default_user | bool
- item.user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
@ -19,7 +19,7 @@
- name: Create a tomcat user if needed
user: name={{ tomcat_m_default_user }} home={{ tomcat_m_instances_base_path }} createhome=false shell={{ tomcat_m_default_user_shell }}
when:
- tomcat_m_use_default_user
- tomcat_m_use_default_user | bool
- tomcat_m_default_user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
@ -68,8 +68,7 @@
- '{{ tomcat_m_instances }}'
- [ 'context.xml' ]
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install catalina.properties
@ -78,8 +77,7 @@
- '{{ tomcat_m_instances }}'
- [ 'catalina.properties' ]
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_catalina_properties' ]
- name: Populate the instances conf/policy.d directory
@ -88,8 +86,7 @@
- '{{ tomcat_m_instances }}'
- [ '01system.policy', '02debian.policy', '03catalina.policy', '04webapps.policy', '50local.policy' ]
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install logging.properties if we do not use log4j for the tomcat logging
@ -99,57 +96,51 @@
- [ 'logging.properties' ]
when:
- tomcat_use_log4j is defined
- not tomcat_use_log4j
- not tomcat_use_log4j | bool
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install the server.xml conf file
template: src=tomcat-server.xml.j2 dest={{ item.instance_path }}/conf/server.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the web.xml file
template: src=tomcat-web.xml.j2 dest={{ item.instance_path }}/conf/web.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the tomcat-admin package if the host-manager or manager apps are required
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes
when: tomcat_m_host_manager_install or tomcat_m_manager_install
when: tomcat_m_host_manager_install | bool or tomcat_m_manager_install | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_manager_install
notify:
- tomcat restart instances with changed configs
when: tomcat_m_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat host manager
template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_host_manager_install
notify:
- tomcat restart instances with changed configs
when: tomcat_m_host_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify:
- tomcat restart instances with changed configs
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the instances startup scripts
@ -166,15 +157,16 @@
- name: Reload the systemd daemon if we are running on a systemd-backed server
command: systemctl daemon-reload
when: ansible_service_mgr == 'systemd'
when:
- ansible_service_mgr == 'systemd'
- reload_systemd | bool
- name: Install a custom context.xml file
template: src=tomcat-context.xml.j2 dest={{ item.instance_path }}/conf/context.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify:
- tomcat restart instances with changed configs
when: tomcat_m_jndi_pool
notify: tomcat restart instances with changed configs
when: tomcat_m_jndi_pool | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_contextxml', 'jdk' ]
- name: Install a logrotate entry for the access log file
@ -188,11 +180,10 @@
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled
- item.jmx_auth_enabled
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify:
- tomcat restart instances with changed jmx config
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Install the jmx role file
@ -201,24 +192,23 @@
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled
- item.jmx_auth_enabled
register: jmx restart_needed
notify:
- tomcat restart instances with changed jmx config
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Start all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=started sleep=20
with_items: '{{ tomcat_m_instances }}'
when:
- tomcat_first_install.changed
- tomcat_m_start_instances
- tomcat_first_install.changed | bool
- tomcat_m_start_instances | bool
tags: [ 'tomcat', 'tomcat_instances']
ignore_errors: True
- name: Enable all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' enabled=yes
with_items: '{{ tomcat_m_instances }}'
when: tomcat_m_enable_instances
when: tomcat_m_enable_instances | bool
tags: [ 'tomcat', 'tomcat_instances']
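Review bot: The new `- reload_systemd | bool` condition on the `systemctl daemon-reload` task is applied to a name that, judging by `restart_needed` and `jmx_restart_needed` in this file, looks like a registered task result rather than a boolean; `bool` on a result dict evaluates to false, which would silently stop the daemon reload after unit files change. If it is a register the condition should be `- reload_systemd is changed`; if it is meant as a user-settable switch it needs a default in `defaults/main.yml`. Separately, every config task writes to the same `register: restart_needed`, so the handler that consumes it only sees the results of the last task that ran; that predates this commit, but the `| bool` sweep was the moment to give each task its own register. The task list starts before the first hunk and may continue after the last one shown.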


@ -77,6 +77,8 @@ tomcat_jmx_localhost_only: False
# Metrics monitoring via javamelody
tomcat_javamelody: True
#tomcat_javamelody_version: latest
tomcat_javamelody_version: 1.79.0
# tomcat logging
tomcat_logdir: '/var/log/tomcat{{ tomcat_version }}'


@ -5,7 +5,7 @@
when:
- ansible_distribution_major_version <= '16'
- tomcat_fixed_version is not defined
tags: [ 'tomcat', 'tomcat_ver' ]
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Set the tomcat version for Ubuntu bionic
set_fact:
@ -13,13 +13,18 @@
when:
- ansible_distribution_major_version == '18'
- tomcat_fixed_version is not defined
tags: [ 'tomcat', 'tomcat_ver' ]
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Impose a tomcat version
set_fact:
tomcat_version: '{{ tomcat_fixed_version }}'
when: tomcat_fixed_version is defined
tags: [ 'tomcat', 'tomcat_ver' ]
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Print the Tomcat version
debug:
msg: "The Tomcat version we are going to install is {{ tomcat_version }}"
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Install the tomcat packages
apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
@ -28,7 +33,7 @@
- name: Install additional packages needed by tomcat 8+
apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
when: tomcat_version >= 8
tags: [ 'tomcat', 'tomcat_javamelody' ]
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Create the tomcat tmp directory
file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
@ -43,13 +48,13 @@
- name: Configure tomcat defaults
template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
when: tomcat_install_default_conf
when: tomcat_install_default_conf | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_default' ]
- name: Configure tomcat server.xml
template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
when: tomcat_install_server_xml
when: tomcat_install_server_xml | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_serverxml' ]
@ -60,7 +65,7 @@
- name: Install a slightly modified catalina.properties
copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
when: tomcat_install_default_conf
when: tomcat_install_default_conf | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_catalinaprops' ]
@ -77,30 +82,30 @@
with_items:
- commons-daemon.jar
when: tomcat_version >= 8
tags: [ 'tomcat', 'tomcat_javamelody' ]
tags: [ 'tomcat', 'tomcat_conf' ]
- name: Install the javamelody dependency jar into the Java shared libs directory
maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root
when: tomcat_javamelody
tags: [ 'tomcat', 'tomcat_javamelody' ]
maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Install the javamelody-core jar into the Java shared libs directory
maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root
when: tomcat_javamelody
tags: [ 'tomcat', 'tomcat_javamelody' ]
maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled
file: src=../../java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link owner=root group=root mode=0644
with_items:
- javamelody-core.jar
- jrobin.jar
when: tomcat_javamelody
tags: [ 'tomcat', 'tomcat_javamelody' ]
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Remove the javamelody jar and its dependencies if the javamelody support is disabled
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
with_items:
- javamelody-core.jar
- jrobin.jar
when: not tomcat_javamelody
tags: [ 'tomcat', 'tomcat_javamelody' ]
when: not tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
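Review bot: `maven_artifact: artifact_id=jrobin version=latest ...` stays unpinned while `javamelody-core` now uses `tomcat_javamelody_version`; `version=latest` resolves to whatever Maven Central serves at run time, so two hosts can end up with different jars, and `verify_checksum=always` only proves the download matches the repository's own checksum, not that the version was reviewed. Add a `tomcat_jrobin_version` default and use `version={{ tomcat_jrobin_version }}`, keeping the explicit `repository_url=https://repo1.maven.org/maven2` this commit adds. The tag list `[ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]` on the tomcat 8+ packages task repeats `tomcat_javamelody`; `tomcat_ver` is presumably what was meant given the three version tasks above. `when: tomcat_version >= 8` compares against an int, which only works while `tomcat_version` stays numeric, and the `Impose a tomcat version` task does not guarantee that when `tomcat_fixed_version` is a string.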


@ -34,8 +34,6 @@ common_packages:
default_python_packages_trusty:
- python-software-properties
- python-lxml
- python-boto
default_python_packages:
- python-lxml


@ -5,7 +5,6 @@
- name: Install the basic python packages
apt: pkg={{ default_python_packages }} state=present update_cache=yes cache_valid_time=1800
when: not is_trusty
tags: packages
- name: Install the basic python packages on trusty
@ -13,11 +12,6 @@
when: is_trusty | bool
tags: packages
- name: Install python-lxml on bionic
apt: pkg=python-lxml state=present update_cache=yes cache_valid_time=1800
when: is_bionic | bool
tags: packages
- name: Install software-properties-common if needed
apt: pkg=software-properties-common state=present update_cache=yes cache_valid_time=1800
when: is_ubuntu | bool