From e2bd95f2c23284540f3cd869ce682914e7e9afc0 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 17 Jan 2020 17:30:44 +0100 Subject: [PATCH 01/26] Role that setups remote logging in rsyslog. --- .../centos-common/meta/main.yml | 1 + .../deb-ubuntu-common/meta/main.yml | 1 + library/roles/rsyslog/defaults/main.yml | 25 +++++++ library/roles/rsyslog/handlers/main.yml | 5 ++ library/roles/rsyslog/tasks/main.yml | 70 +++++++++++++++++++ .../templates/rsyslog-remote-socket.conf.j2 | 34 +++++++++ 6 files changed, 136 insertions(+) create mode 100644 library/roles/rsyslog/defaults/main.yml create mode 100644 library/roles/rsyslog/handlers/main.yml create mode 100644 library/roles/rsyslog/tasks/main.yml create mode 100644 library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml index ec6ddc94..ccac7dc3 100644 --- a/library/bootstrap-roles/centos-common/meta/main.yml +++ b/library/bootstrap-roles/centos-common/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - role: '../../library/centos/roles/centos-bootstrap' + - role: '../../library/centos/roles/rsyslog' - role: '../../library/roles/dell-server-utilities' - role: '../../library/roles/sshd_config' - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks } diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml index 91308486..053a8f7f 100644 --- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml +++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml @@ -1,6 +1,7 @@ --- dependencies: - role: '../../library/roles/ubuntu-deb-general' + - role: '../../library/roles/rsyslog' - { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" } - role: '../../library/roles/tmpreaper' - role: '../../library/roles/iptables' 
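Review bot: The dependency added to library/bootstrap-roles/centos-common/meta/main.yml points at `../../library/centos/roles/rsyslog`, but every file this patch creates lives under `library/roles/rsyslog/`, so on CentOS hosts the bootstrap role would depend on a path that does not exist in this patch and fail to load. The deb-ubuntu-common hunk in the same commit already uses the correct form, `- role: '../../library/roles/rsyslog'`, and the CentOS entry should match it. Patch 03 of this series changes the line to that value, so the correction could be squashed into this commit rather than shipped as a broken intermediate state.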
diff --git a/library/roles/rsyslog/defaults/main.yml b/library/roles/rsyslog/defaults/main.yml new file mode 100644 index 00000000..60332ab2 --- /dev/null +++ b/library/roles/rsyslog/defaults/main.yml @@ -0,0 +1,25 @@ +--- +rsyslog_enable_remote_socket: False +rsyslog_enable_remote_udp: 'enabled' +rsyslog_enable_remote_tcp: 'disabled' + +rsyslog_remote_path: /var/log/remote +rsyslog_tls_status: 'disabled' +rsyslog_tls_deb_pkgs: + - 'rsyslog-gnutls' + +rsyslog_tls_rh_pkgs: + - 'rsyslog-gnutls' + +rsyslog_udp_port: 514 +rsyslog_tcp_port: 514 + +rsyslog_send_to_remote: False + +rsyslog_firewalld_services: + - { service: 'syslog', state: '{{ rsyslog_enable_remote_udp }}', zone: '{{ firewalld_default_zone }}' } + - { service: 'syslog-tls', state: '{{ rsyslog_tls_status }}', zone: '{{ firewalld_default_zone }}' } + +rsyslog_firewalld_ports: + - { port: '{{ rsyslog_tcp_port }}', protocol: 'tcp', state: '{{ rsyslog_enable_remote_tcp }}', zone: '{{ firewalld_default_zone }}' } + diff --git a/library/roles/rsyslog/handlers/main.yml b/library/roles/rsyslog/handlers/main.yml new file mode 100644 index 00000000..1d11ad27 --- /dev/null +++ b/library/roles/rsyslog/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart rsyslog + service: name=rsyslog state=restarted + + diff --git a/library/roles/rsyslog/tasks/main.yml b/library/roles/rsyslog/tasks/main.yml new file mode 100644 index 00000000..2d87b612 --- /dev/null +++ b/library/roles/rsyslog/tasks/main.yml 
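Review bot: With these defaults, setting `rsyslog_enable_remote_socket` to true accepts logs from any sender over cleartext UDP 514 (`rsyslog_enable_remote_udp: 'enabled'`, `rsyslog_tls_status: 'disabled'`), and `rsyslog_firewalld_services` opens the `syslog` service to the whole `firewalld_default_zone` with no source restriction; since the role is wired in as a bootstrap dependency, that trade-off deserves to be stated in the file. A comment above `rsyslog_firewalld_services` such as `# Remote reception is unauthenticated and cleartext unless TLS is configured; restrict the zone or add a source-limited rich rule` would make it explicit. `rsyslog_send_to_remote: False` does not appear to be read by any task or template in this patch, so it should either carry a comment saying it is reserved for a later change or be dropped until it is used.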
@@ -0,0 +1,70 @@ +--- +- name: Configure rsyslog so that it accepts logs from remote services + block: + - name: Ensure that the rsyslog package is installed. deb/ubuntu + apt: pkg=rsyslog state=present cache_valid_time=1800 + when: ansible_distribution_file_variety == "Debian" + + - name: Ensure that the rsyslog package is installed. centos/rhel + yum: pkg=rsyslog state=present + when: ansible_distribution_file_variety == "RedHat" + + - name: Create the additional rsyslog directory + file: dest={{ rsyslog_remote_path }} state=directory owner=syslog group=adm + + - name: Install the rsyslog configuration + template: src=rsyslog-remote-socket.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote-socket.conf + notify: Restart rsyslog + + - name: Ensure that rsyslog is running and enabled + service: name=rsyslog state=started enabled=yes + + when: rsyslog_enable_remote_socket | bool + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Install the rsyslog TLS package on deb/ubuntu + block: + - name: Install the rsyslog TLS support + apt: pkg={{ rsyslog_tls_deb_pkgs }} state=present cache_valid_time=1800 + notify: Restart rsyslog + + when: + - rsyslog_enable_remote_socket | bool + - rsyslog_tls_status == 'enabled' + - ansible_distribution_file_variety == "Debian" + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Install the rsyslog TLS package on RHEL/CentOS + block: + - name: Install the rsyslog TLS support + yum: pkg={{ rsyslog_tls_rh_pkgs }} state=present + notify: Restart rsyslog + + when: + - rsyslog_enable_remote_socket | bool + - rsyslog_tls_status == 'enabled' + - ansible_distribution_file_variety == "RedHat" + tags: [ 'syslog', 'rsyslog', 'remote_syslog' ] + +- name: Configure SELinux and firewalld on RHEL/CentOS + block: + - name: SELinux udp port + seport: ignore_selinux_state=yes ports=514 proto=udp setype=syslogd_port_t state=present + when: rsyslog_enable_remote_udp == 'enabled' + + - name: SELinux tcp port + seport: ignore_selinux_state=yes 
ports=514 proto=tcp setype=syslogd_port_t state=present + when: rsyslog_enable_remote_tcp == 'enabled' + + - name: rsyslog firewalld services + firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(True) }} state={{ item.state }} immediate=True + with_items: '{{ rsyslog_firewalld_services }}' + + - name: rsyslog firewalld ports + firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True + with_items: '{{ rsyslog_firewalld_ports }}' + + when: + - rsyslog_enable_remote_socket | bool + - ansible_distribution_file_variety == "RedHat" + tags: [ 'syslog', 'rsyslog', 'remote_syslog', 'selinux', 'firewalld' ] diff --git a/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 b/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 new file mode 100644 index 00000000..bedbb6de --- /dev/null +++ b/library/roles/rsyslog/templates/rsyslog-remote-socket.conf.j2 
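Review bot: The two `seport` tasks hardcode `ports=514` while the listeners are bound to `rsyslog_udp_port`/`rsyslog_tcp_port`, so a non-default port gets opened in firewalld through `rsyslog_firewalld_ports` but is never labelled `syslogd_port_t`, and rsyslog is denied the bind on an enforcing host; use `seport: ignore_selinux_state=yes ports={{ rsyslog_udp_port }} proto=udp setype=syslogd_port_t state=present` and the matching tcp line. The firewalld ports task defaults `permanent` to `False` whereas the services task defaults it to `True`, so a custom TCP port silently disappears on the next firewalld reload unless the caller sets `permanent` explicitly — both should default the same way. The `file` task that creates `rsyslog_remote_path` sets `owner=syslog group=adm` for both distribution families; on RHEL/CentOS a `syslog` account is not normally present and rsyslog runs as root, so this task likely fails there — confirm. It also sets no `mode`, so logs collected from other hosts inherit whatever the default umask yields; an explicit `mode=0750` keeps them from being world-readable.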
@@ -0,0 +1,34 @@ +# +# The order counts +# +{% if rsyslog_enable_remote_udp == 'enabled' %} +# Provides UDP syslog reception +module(load="imudp") # needs to be done just once +# input(type="imudp" port="{{ rsyslog_udp_port }}") +{% endif %} + +{% if rsyslog_enable_remote_tcp == 'enabled' %} +# Provides TCP syslog reception +module(load="imtcp") # needs to be done just once +# input(type="imtcp" port="{{ rsyslog_tcp_port }}") +{% endif %} + +# log every host in its own directory +$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log" +$RuleSet remote +*.* ?RemoteHost + +{% if rsyslog_enable_remote_udp == 'enabled' %} +# bind the ruleset to the udp listener +$InputUDPServerBindRuleset remote +# and activate it: +$UDPServerRun {{ rsyslog_udp_port }} +{% endif %} + +{% if rsyslog_enable_remote_tcp == 'enabled' %} +# bind the ruleset to the tcp listener +$InputTCPServerBindRuleset remote +# and activate it: +$InputTCPServerRun {{ rsyslog_tcp_port }} +{% endif %} + From 4c06ae5b2de5b2fd4c406ea5632db63dd2392992 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 20 Jan 2020 12:27:21 +0100 Subject: [PATCH 02/26] One variable to manage the max attachment size. --- library/roles/roundcube/defaults/main.yml | 3 +++ library/roles/roundcube/templates/nginx-virthost.conf.j2 | 3 +++ library/roles/roundcube/vars/main.yml | 7 +++++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/library/roles/roundcube/defaults/main.yml b/library/roles/roundcube/defaults/main.yml index 142478eb..b2ca7ddf 100644 --- a/library/roles/roundcube/defaults/main.yml +++ b/library/roles/roundcube/defaults/main.yml @@ -137,3 +137,6 @@ roundcube_identity_smtp_name: identity_smtp roundcube_additional_plugins: [] #roundcube_additional_plugins: # - identity_smtp + +# In Megabytes. This affects both the nginx/apache and php configurations +roundcube_max_attachments_size: 5 
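Review bot: `rsyslog_tls_status == 'enabled'` has no effect on this template: it installs `rsyslog-gnutls` and opens the `syslog-tls` firewalld service, but the rendered configuration never selects the gtls netstream driver, names a CA/certificate/key, or sets `$InputTCPServerStreamDriverMode 1` and an auth mode, so the listeners stay cleartext on `rsyslog_tcp_port` and the TLS port opened in the firewall has nothing behind it. Either the template needs a `{% if rsyslog_tls_status == 'enabled' %}` section carrying the driver and certificate directives (with variables for the file paths), or a comment such as `# TLS is not configured here; rsyslog_tls_status only installs the gnutls package` should make the gap visible to the next reader. Separately, `$template RemoteHost,"{{ rsyslog_remote_path }}/%HOSTNAME%/syslog.log"` builds the output path from the hostname field of the received message, which the sender controls and nothing here authenticates; `%HOSTNAME:::secpath-replace%` or `%FROMHOST-IP%` keeps path separators out of the directory name.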
diff --git a/library/roles/roundcube/templates/nginx-virthost.conf.j2 b/library/roles/roundcube/templates/nginx-virthost.conf.j2 index 7d339866..6bba5efb 100644 --- a/library/roles/roundcube/templates/nginx-virthost.conf.j2 +++ b/library/roles/roundcube/templates/nginx-virthost.conf.j2 @@ -41,6 +41,9 @@ server { index index.php; + # This determines the max size of attachments. Configure the corresponding php options accordingly + client_max_body_size {{ nginx_client_max_body_size }}; + # Add headers to serve security related headers # Before enabling Strict-Transport-Security headers please read into this # topic first. diff --git a/library/roles/roundcube/vars/main.yml b/library/roles/roundcube/vars/main.yml index 0d7c4810..722e7008 100644 --- a/library/roles/roundcube/vars/main.yml +++ b/library/roles/roundcube/vars/main.yml @@ -1,7 +1,10 @@ --- nginx_use_common_virthost: False +nginx_client_max_body_size: '{{ roundcube_max_attachments_size * 2 }}M' + phpfpm_default_user: '{{ roundcube_user }}' phpfpm_default_pool_name: roundcube +phpfpm_default_memory_limit: '{{ roundcube_max_attachments_size * 4 }}M' redis_install: False http_port: 80 https_port: 443 @@ -29,8 +32,8 @@ phpfpm_default_memory_limit: "64M" php_global_settings: - { option: 'zlib.output_compression', value: 'Off' } - - { option: 'post_max_size', value: '6M' } - - { option: 'upload_max_filesize', value: '5M' } + - { option: 'post_max_size', value: '{{ roundcube_max_attachments_size }}M' } + - { option: 'upload_max_filesize', value: '{{ roundcube_max_attachments_size }}M' } - { option: 'session.auto_start', value: 'Off' } - { option: 'suhosin.session.encrypt', value: 'Off' } - { option: 'session.gc_maxlifetime', value: '21600' } From 5c6253e917c0669a4f7a86df8a0a815f7f03cbc7 Mon Sep 17 00:00:00 2001 
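Review bot: The new comment above `client_max_body_size` tells the reader to "Configure the corresponding php options accordingly", but in this same commit roundcube's vars/main.yml derives `post_max_size` and `upload_max_filesize` from `roundcube_max_attachments_size`, so there is nothing left to configure by hand and the comment will mislead. A comment that states the real coupling ages better: `# Derived from roundcube_max_attachments_size; the php post/upload limits in vars/main.yml come from the same variable`.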
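Review bot: The first vars/main.yml hunk adds `phpfpm_default_memory_limit: '{{ roundcube_max_attachments_size * 4 }}M'` near the top of the file, yet the second hunk's header context shows `phpfpm_default_memory_limit: "64M"` still present just before new line 32, so the file appears to end up with a duplicate key; YAML loaders keep the last occurrence, which would silently discard the computed value, and recent Ansible versions warn on duplicate keys — the old `"64M"` line should be removed (confirm against the full file, which is outside this diff). Also, `post_max_size` and `upload_max_filesize` are now set to the same value, whereas the removed lines kept `post_max_size` one megabyte larger; PHP counts the whole multipart body against `post_max_size`, so an attachment at exactly the limit can be rejected, e.g. `- { option: 'post_max_size', value: '{{ roundcube_max_attachments_size + 1 }}M' }`. The nginx limit added in the first hunk is already `* 2`, so a one-megabyte margin stays within it.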
From: Andrea Dell'Amico Date: Wed, 22 Jan 2020 14:37:31 +0100 Subject: [PATCH 03/26] Only one nginx role. --- .../centos-common/meta/main.yml | 2 +- library/centos/roles/nginx/defaults/main.yml | 113 ----------- .../nginx/files/nginx-letsencrypt-acme.sh | 25 --- library/centos/roles/nginx/files/nginx.pam | 26 --- library/centos/roles/nginx/handlers/main.yml | 7 - .../centos/roles/nginx/tasks/basic-auth.yml | 12 -- library/centos/roles/nginx/tasks/main.yml | 21 -- .../centos/roles/nginx/tasks/nginx-config.yml | 29 --- .../roles/nginx/tasks/nginx-letsencrypt.yml | 20 -- .../roles/nginx/tasks/nginx-virtualhosts.yml | 7 - library/centos/roles/nginx/tasks/nginx.yml | 7 - library/centos/roles/nginx/tasks/pam-ldap.yml | 8 - .../centos/roles/nginx/templates/ldap.conf.j2 | 16 -- .../nginx/templates/letsencrypt-proxy.conf.j2 | 9 - .../templates/nginx-browser-cache.conf.j2 | 27 --- .../nginx/templates/nginx-compression.conf.j2 | 6 - .../roles/nginx/templates/nginx-cors.conf.j2 | 60 ------ .../templates/nginx-proxy-params.conf.j2 | 25 --- .../nginx/templates/nginx-server-ssl.conf.j2 | 24 --- .../roles/nginx/templates/nginx-virthost.j2 | 184 ------------------ .../nginx/templates/nginx-websockets.conf.j2 | 4 - .../roles/nginx/templates/nginx.conf.j2 | 102 ---------- library/roles/nginx/defaults/main.yml | 2 - library/roles/nginx/tasks/basic-auth.yml | 11 +- library/roles/nginx/tasks/main.yml | 7 +- library/roles/nginx/tasks/nginx-config.yml | 16 +- library/roles/nginx/tasks/nginx-deb.yml | 27 +++ library/roles/nginx/tasks/nginx-rh.yml | 7 + .../roles/nginx/tasks/nginx-virtualhosts.yml | 15 ++ library/roles/nginx/tasks/nginx.yml | 26 --- library/roles/nginx/tasks/pam-ldap.yml | 3 +- library/roles/nginx/templates/nginx.conf.j2 | 30 ++- 32 files changed, 100 insertions(+), 778 deletions(-) delete mode 100644 library/centos/roles/nginx/defaults/main.yml delete mode 100644 library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh delete mode 100644 
library/centos/roles/nginx/files/nginx.pam delete mode 100644 library/centos/roles/nginx/handlers/main.yml delete mode 100644 library/centos/roles/nginx/tasks/basic-auth.yml delete mode 100644 library/centos/roles/nginx/tasks/main.yml delete mode 100644 library/centos/roles/nginx/tasks/nginx-config.yml delete mode 100644 library/centos/roles/nginx/tasks/nginx-letsencrypt.yml delete mode 100644 library/centos/roles/nginx/tasks/nginx-virtualhosts.yml delete mode 100644 library/centos/roles/nginx/tasks/nginx.yml delete mode 100644 library/centos/roles/nginx/tasks/pam-ldap.yml delete mode 100644 library/centos/roles/nginx/templates/ldap.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-compression.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-cors.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-virthost.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx-websockets.conf.j2 delete mode 100644 library/centos/roles/nginx/templates/nginx.conf.j2 create mode 100644 library/roles/nginx/tasks/nginx-deb.yml create mode 100644 library/roles/nginx/tasks/nginx-rh.yml delete mode 100644 library/roles/nginx/tasks/nginx.yml diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml index ccac7dc3..861006ce 100644 --- a/library/bootstrap-roles/centos-common/meta/main.yml +++ b/library/bootstrap-roles/centos-common/meta/main.yml 
@@ -1,7 +1,7 @@ --- dependencies: - role: '../../library/centos/roles/centos-bootstrap' - - role: '../../library/centos/roles/rsyslog' + - role: '../../library/roles/rsyslog' - role: '../../library/roles/dell-server-utilities' - role: '../../library/roles/sshd_config' - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks } diff --git a/library/centos/roles/nginx/defaults/main.yml b/library/centos/roles/nginx/defaults/main.yml deleted file mode 100644 index 37a3569a..00000000 --- a/library/centos/roles/nginx/defaults/main.yml +++ /dev/null 
@@ -1,113 +0,0 @@ ---- -nginx_enabled: True -nginx_package_state: installed -# See https://mozilla.github.io/server-side-tls/ssl-config-generator/ -nginx_ssl_level: intermediate - -nginx_snippets_dir: /etc/nginx/snippets -nginx_default_conf_dir: /etc/nginx/default.d - -nginx_conf_snippets: - - nginx-compression.conf - - nginx-websockets.conf - - nginx-browser-cache.conf - - letsencrypt-proxy.conf - - nginx-proxy-params.conf - - nginx-server-ssl.conf - - nginx-cors.conf - -nginx_old_snippets: - - compression.conf - -nginx_workers: 4 -nginx_worker_connections: 1024 -nginx_multi_accept: 'off' -nginx_worker_rlimit_nofile: 2048 -nginx_server_tokens: 'off' - -nginx_large_client_header_buffers: 4 8k - -nginx_enable_compression: True -nginx_gzip_vary: "on" -nginx_gzip_proxied: any -nginx_gzip_comp_level: 6 -nginx_gzip_buffers: 16 8k -nginx_gzip_http_version: 1.1 -nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript" - -nginx_enable_browser_cache: True -nginx_cache_control: public -nginx_html_cache_expire: -1 -nginx_feed_cache_expire_enabled: False -nginx_feed_cache_expire: 1h -nginx_media_cache_expire: 1M -nginx_css_js_cache_expire: -1 - -nginx_reverse_proxy: False -nginx_define_x_real_ip: False -nginx_proxy_buffering: "on" -nginx_proxy_redirect: "off" -nginx_proxy_buffer_size: 128k -nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}' -nginx_proxy_busy_buffers_size: 256k -nginx_proxy_connect_timeout: 30s -nginx_proxy_read_timeout: 480s -nginx_proxy_send_timeout: 120s -nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}' -nginx_client_max_body_size: 100M -nginx_client_body_timeout: 240s - -nginx_cors_limit_origin: True -nginx_cors_extended_rules: False -nginx_cors_acl_origin: 'http?://(localhost)' - -# Find a set of acceptable defaults for the cache setup -nginx_cache_enabled: False - -nginx_use_ldap_pam_auth: False -nginx_pam_svc_name: nginx 
-nginx_ldap_uri: "ldap://ldap.example.org" -nginx_ldap_base_dn: "dc=example,dc=org" -nginx_basic_auth: False -nginx_basic_auth_users: - - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' } -# nginx_ldap_login_attribute: uid -# nginx_ldap_pam_groupdn: -nginx_letsencrypt_managed: True -nginx_websockets_support: False -nginx_use_common_virthost: False -# Use 'ssl http2' if the nginx version supports it -nginx_ssl_type: ssl http2 -# When we do not use letsencrypt: -# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt' -# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key' - -# Virtualhost example -# nginx_virthosts: -# - virthost_name: '{{ ansible_fqdn }}' -# listen: '{{ http_port }}' -# server_name: '{{ ansible_fqdn }}' -# server_aliases: '' -# index: index.html -# error_page: /path_to_error_page.html -# ssl_enabled: False -# ssl_only: False -# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}' -# root: /usr/share/nginx/html/ -# server_tokens: 'off' -# proxy_standard_setup: True -# proxy_additional_options: -# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;' -# proxies: -# - location: / -# target: http://localhost:{{ local_http_port }}; -# -# extra_parameters: | -# location ~ \.php$ { -# fastcgi_split_path_info ^(.+\.php)(/.+)$; -# fastcgi_pass unix:/var/run/php5-fpm.sock; -# fastcgi_index index.php; -# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# include fastcgi_params; -# } - diff --git a/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh b/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh deleted file mode 100644 index d18314b3..00000000 --- a/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash - -LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks -LE_LOG_DIR=/var/log/letsencrypt -DATE=$( date ) - -[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR -echo "$DATE" >> $LE_LOG_DIR/nginx.log - -if [ -f /etc/default/letsencrypt ] ; then - . /etc/default/letsencrypt -else - echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log -fi - -echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log -if [ -x /bin/systemctl ] ; then - systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1 -else - service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1 -fi - -echo "Done." >> $LE_LOG_DIR/nginx.log - -exit 0 diff --git a/library/centos/roles/nginx/files/nginx.pam b/library/centos/roles/nginx/files/nginx.pam deleted file mode 100644 index f94005a8..00000000 --- a/library/centos/roles/nginx/files/nginx.pam +++ /dev/null @@ -1,26 +0,0 @@ - -# -auth [success=2 default=ignore] pam_unix.so nullok_secure -auth [success=1 default=ignore] pam_ldap.so -auth requisite pam_deny.so -auth required pam_permit.so - -# -account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=1 default=ignore] pam_ldap.so -account requisite pam_deny.so -account required pam_permit.so - -# -password [success=1 default=ignore] pam_unix.so obscure sha512 -password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass -password requisite pam_deny.so -password required pam_permit.so - -# -session [default=1] pam_permit.so -session requisite pam_deny.so -session required pam_permit.so -session optional pam_umask.so -session required pam_unix.so -session optional pam_ldap.so diff --git a/library/centos/roles/nginx/handlers/main.yml b/library/centos/roles/nginx/handlers/main.yml deleted file mode 100644 index 04c7fb28..00000000 --- a/library/centos/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Reload nginx - service: name=nginx state=reloaded - -- name: Restart nginx - service: name=nginx state=restarted - 
diff --git a/library/centos/roles/nginx/tasks/basic-auth.yml b/library/centos/roles/nginx/tasks/basic-auth.yml deleted file mode 100644 index cdf35c61..00000000 --- a/library/centos/roles/nginx/tasks/basic-auth.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- block: - - name: Install the python passlib library - apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600 - - - name: Create the htpasswd file needed by the basic auth - htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }} - with_items: '{{ nginx_basic_auth_users }}' - - when: nginx_basic_auth - tags: nginx - diff --git a/library/centos/roles/nginx/tasks/main.yml b/library/centos/roles/nginx/tasks/main.yml deleted file mode 100644 index 4bbac35f..00000000 --- a/library/centos/roles/nginx/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- import_tasks: nginx.yml -- import_tasks: nginx-config.yml -- import_tasks: nginx-virtualhosts.yml - when: nginx_use_common_virthost -- import_tasks: nginx-letsencrypt.yml - when: letsencrypt_acme_install is defined and letsencrypt_acme_install -- import_tasks: basic-auth.yml -- import_tasks: pam-ldap.yml - -- name: Ensure that the webserver is running and enabled at boot time - service: name=nginx state=started enabled=yes - when: nginx_enabled - ignore_errors: True - tags: nginx - -- name: Ensure that the webserver is stopped and disabled - service: name=nginx state=stopped enabled=no - when: not nginx_enabled - ignore_errors: True - tags: nginx diff --git a/library/centos/roles/nginx/tasks/nginx-config.yml b/library/centos/roles/nginx/tasks/nginx-config.yml deleted file mode 100644 index d633a41c..00000000 --- a/library/centos/roles/nginx/tasks/nginx-config.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -- block: - - name: Create the snippets directory - file: dest={{ nginx_snippets_dir }} state=directory - - - name: Create the pki directory - file: dest={{ {{ pki_dir }}/nginx }} state=directory - - - name: Create a dhparams file 2048 bits long - shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048 - args: - creates: '{{ pki_dir }}/nginx/dhparams.pem' - when: nginx_ssl_level == 'intermediate' - notify: Reload nginx - - - name: Install the supported configuration snippets - template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444 - with_items: '{{ nginx_conf_snippets }}' - - - name: Install the main nginx.conf - template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444 - notify: Reload nginx - - - name: Remove the old configuration snippets - file: dest=/etc/nginx/conf.d/{{ item }} state=absent - with_items: '{{ nginx_old_snippets }}' - - when: nginx_enabled - tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] diff --git a/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml b/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml deleted file mode 100644 index 2c57d94a..00000000 --- a/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- block: - - name: Create the acme hooks directory if it does not yet exist - file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root - - - name: Install a letsencrypt hook for nginx - copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555 - - when: - - letsencrypt_acme_install is defined and letsencrypt_acme_install - - nginx_letsencrypt_managed - tags: [ 'nginx', 'letsencrypt' ] - -- block: - - name: Remove the letsencrypt hook for nginx - file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent - - when: not nginx_letsencrypt_managed - tags: [ 'nginx', 'letsencrypt' ] - 
diff --git a/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml b/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml deleted file mode 100644 index 8946a579..00000000 --- a/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install the nginx virtualhost files - template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444 - with_items: '{{ nginx_virthosts | default(omit) }}' - notify: Reload nginx - tags: [ 'nginx', 'virtualhost' ] - diff --git a/library/centos/roles/nginx/tasks/nginx.yml b/library/centos/roles/nginx/tasks/nginx.yml deleted file mode 100644 index 23eebb29..00000000 --- a/library/centos/roles/nginx/tasks/nginx.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install the nginx web server - yum: pkg={{ item }} state={{ nginx_package_state }} - with_items: - - nginx - tags: nginx - diff --git a/library/centos/roles/nginx/tasks/pam-ldap.yml b/library/centos/roles/nginx/tasks/pam-ldap.yml deleted file mode 100644 index 9f37f629..00000000 --- a/library/centos/roles/nginx/tasks/pam-ldap.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Install pam service for nginx - copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }} - notify: Reload nginx - when: nginx_use_ldap_pam_auth - tags: - - nginx - diff --git a/library/centos/roles/nginx/templates/ldap.conf.j2 b/library/centos/roles/nginx/templates/ldap.conf.j2 deleted file mode 100644 index b748f415..00000000 --- a/library/centos/roles/nginx/templates/ldap.conf.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -# The distinguished name of the search base. -base {{ nginx_ldap_base_dn }} - -# Another way to specify your LDAP server is to provide an -uri {{ nginx_ldap_uri }} -if {% nginx_ldap_login_attribute is defined %} -pam_login_attribute {{ nginx_ldap_login_attribute }} -{% endif %} -if {% nginx_ldap_pam_groupdn is defined %} -pam_groupdn -{% endif %} -# The LDAP version to use (defaults to 3 -# if supported by client library) -ldap_version 3 - -nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data diff --git a/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 b/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 deleted file mode 100644 index d385cf19..00000000 --- a/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# Include this one inside a "server" directive listening on port 80, this way: -# include /etc/nginx/snippets/letsencrypt-proxy.conf; - location ^~ /.well-known/acme-challenge { - proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge; - access_log /var/log/nginx/letsencrypt_acmetool_access.log; - error_log /var/log/nginx/letsencrypt_acmetool_error.log; - } - - diff --git a/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 b/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 deleted file mode 100644 index ade01328..00000000 --- a/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 +++ /dev/null 
@@ -1,27 +0,0 @@ -# include inside a 'server' directive -# -location ~* \.(?:manifest|appcache|html?|xml|json)$ { - expires {{ nginx_html_cache_expire }}; -} - -{% if nginx_feed_cache_expire_enabled %} -# -location ~* \.(?:rss|atom)$ { - expires {{ nginx_feed_cache_expire }}; - add_header Cache-Control "{{ nginx_cache_control }}"; -} -{% endif %} - -# -location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { - expires {{ nginx_media_cache_expire }}; - access_log off; - add_header Cache-Control "{{ nginx_cache_control }}"; -} - -# -location ~* \.(?:css|js)$ { - expires {{ nginx_css_js_cache_expire }}; - access_log off; - add_header Cache-Control "{{ nginx_cache_control }}"; -} diff --git a/library/centos/roles/nginx/templates/nginx-compression.conf.j2 b/library/centos/roles/nginx/templates/nginx-compression.conf.j2 deleted file mode 100644 index 4a06955b..00000000 --- a/library/centos/roles/nginx/templates/nginx-compression.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -gzip_vary {{ nginx_gzip_vary }}; -gzip_proxied {{ nginx_gzip_proxied }}; -gzip_comp_level {{ nginx_gzip_comp_level }}; -gzip_buffers {{ nginx_gzip_buffers }}; -gzip_http_version {{ nginx_gzip_http_version }}; -gzip_types {{ nginx_gzip_types }}; diff --git a/library/centos/roles/nginx/templates/nginx-cors.conf.j2 b/library/centos/roles/nginx/templates/nginx-cors.conf.j2 deleted file mode 100644 index b3e8f4bc..00000000 --- a/library/centos/roles/nginx/templates/nginx-cors.conf.j2 +++ /dev/null 
@@ -1,60 +0,0 @@ -{% if nginx_cors_extended_rules %} -if ($request_method = 'OPTIONS') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - # - # Custom headers and headers various browsers *should* be OK with but aren't - # - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - # - # Tell client that this pre-flight info is valid for 20 days - # - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; -} -if ($request_method = 'POST') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; -} -if ($request_method = 'GET') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 
'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; -} -{% else %} -{% if nginx_cors_limit_origin %} -add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; -add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} -add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} -add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; -add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With'; -{% if nginx_cors_limit_origin %} -} -if ($request_method = 'OPTIONS') { - return 204; -} -{% endif %} -{% endif %} - diff --git a/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 b/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 deleted file mode 100644 index 572c2530..00000000 --- a/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 +++ /dev/null 
@@ -1,25 +0,0 @@
-# Proxy stuff
-# include /etc/nginx/snippets/nginx-proxy-params.conf;
-proxy_http_version 1.1;
-{% if haproxy_ips is defined %}
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Host $remote_addr;
-proxy_set_header X-Forwarded-Server $host;
-{% else %}
-proxy_set_header Host $host;
-{% if nginx_define_x_real_ip %}
-proxy_set_header X-Real-IP $remote_addr;
-{% endif %}
-{% endif %}
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_buffering {{ nginx_proxy_buffering }};
-proxy_buffer_size {{ nginx_proxy_buffer_size }};
-proxy_buffers {{ nginx_proxy_buffers }};
-proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
-proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
-proxy_redirect {{ nginx_proxy_redirect }};
-proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
-proxy_read_timeout {{ nginx_proxy_read_timeout }};
-proxy_send_timeout {{ nginx_proxy_send_timeout }};
diff --git a/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 b/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2
deleted file mode 100644
index 9bd227e8..00000000
--- a/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
-ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
-{% else %}
-ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
-ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
-{% endif %}
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-{% if nginx_ssl_level == 'intermediate' %}
-ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-{% endif %}
-{% if nginx_ssl_level == 'modern' %}
-ssl_session_tickets off;
-# modern configuration. tweak to your needs.
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-{% endif %}
-ssl_prefer_server_ciphers on;
-ssl_stapling on;
-ssl_stapling_verify on;
-add_header Strict-Transport-Security max-age=15768000;
diff --git a/library/centos/roles/nginx/templates/nginx-virthost.j2 b/library/centos/roles/nginx/templates/nginx-virthost.j2 deleted file mode 100644 index 0328527a..00000000 --- a/library/centos/roles/nginx/templates/nginx-virthost.j2 +++ /dev/null 
@@ -1,184 +0,0 @@
-server {
- listen {{ item.http_port | default (80) }};
- server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
-{% if letsencrypt_acme_install %}
- include /etc/nginx/snippets/letsencrypt-proxy.conf;
-{% endif %}
- {% if item.access_log is defined %}
- access_log {{ item.access_log }};
- {% else %}
- access_log /var/log/nginx/{{ item.server_name }}_access.log;
- {% endif %}
- {% if item.error_log is defined %}
- error_log {{ item.error_log }};
- {% else %}
- error_log /var/log/nginx/{{ item.server_name }}_error.log;
- {% endif %}
- server_tokens {{ item.server_tokens | default('off') }};
-{% if item.ssl_enabled and item.ssl_only %}
- location / {
- return 301 https://{{ item.server_name }}$request_uri;
- }
-{% else %}
- # This is the default for nginx on Ubuntu 14.04
- root {{ item.root | default('/usr/share/nginx/html/') }};
- index {{ item.index | default('index.html index.htm') }};
- error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- {% if haproxy_ips is defined %}
- # We are behind haproxy
- {% for ip in haproxy_ips %}
- set_real_ip_from {{ ip }};
- {% endfor %}
- real_ip_header X-Forwarded-For;
- {% endif %}
- {% if item.max_body is defined %}
- client_max_body_size {{ item.max_body }};
- {% else %}
- client_max_body_size {{ nginx_client_max_body_size }};
- {% endif %}
- {% if item.body_timeout is defined %}
- client_body_timeout {{ item.body_timeout }};
- {% else %}
- client_body_timeout {{ nginx_client_body_timeout }};
- {% endif %}
-
- {% if item.additional_options is defined %}
- {% for add_opt in item.additional_options %}
-
- {{ add_opt }};
-
- {% endfor %}
- {% endif %}
-
- {% if item.websockets is defined and item.websockets %}
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- {% endif %}
- {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
- # Proxy stuff
- include /etc/nginx/snippets/nginx-proxy-params.conf;
- {% if item.proxy_additional_options is defined %}
- {% for popt in item.proxy_additional_options %}
- {{ popt }};
- {% endfor %}
- {% endif %}
- {% if item.locations is defined %}
- {% for location in item.locations %}
- location {{ location.location }} {
- {% if location.target is defined %}
- proxy_pass {{ location.target }};
- {% endif %}
- {% if location.extra_conf is defined %}
- {{ location.extra_conf }}
- {% endif %}
- {% if location.other_opts is defined %}
- {% for opt in location.other_opts %}
- {{ opt }};
- {% endfor %}
- {% endif %}
- }
- {% endfor %}
- {% endif %}
- {% endif %}
- {% if item.extra_parameters is defined %}
- {{ item.extra_parameters }}
- {% endif %}
-{% endif %}
-
-}
-
-{% if item.ssl_enabled %}
-server {
- listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
- server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
- {% if item.access_log is defined %}
- access_log {{ item.access_log }};
- {% else %}
- access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
- {% endif %}
- {% if item.error_log is defined %}
- error_log {{ item.error_log }};
- {% else %}
- error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
- {% endif %}
- root {{ item.root | default('/usr/share/nginx/html/') }};
- index {{ item.index | default('index.html index.htm') }};
- error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- {% if haproxy_ips is defined %}
- # We are behind haproxy
- {% for ip in haproxy_ips %}
- set_real_ip_from {{ ip }};
- {% endfor %}
- real_ip_header X-Forwarded-For;
- {% endif %}
- {% if item.max_body is defined %}
- client_max_body_size {{ item.max_body }};
- {% else %}
- client_max_body_size {{ nginx_client_max_body_size }};
- {% endif %}
- {% if item.body_timeout is defined %}
- client_body_timeout {{ item.body_timeout }};
- {% else %}
- client_body_timeout {{ nginx_client_body_timeout }};
- {% endif %}
- server_tokens {{ item.server_tokens | default('off') }};
-
- include /etc/nginx/snippets/nginx-server-ssl.conf;
-
- {% if item.websockets is defined and item.websockets %}
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- {% endif %}
- {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
- # Proxy stuff
- include /etc/nginx/snippets/nginx-proxy-params.conf;
- {% if item.proxy_additional_options is defined %}
- {% for popt in item.proxy_additional_options %}
- {{ popt }}
- {% endfor %}
- {% endif %}
- {% if item.locations is defined %}
- {% for location in item.locations %}
- location {{ location.location }} {
- {% if location.target is defined %}
- proxy_pass {{ location.target }};
- {% endif %}
- {% if location.other_opts is defined %}
- {% for opt in location.other_opts %}
- {{ opt }};
- {% endfor %}
- {% endif %}
- }
- {% endfor %}
- {% endif %}
- {% endif %}
- {% if item.extra_parameters is defined %}
- {{ item.extra_parameters }}
- {% endif %}
-}
-
-{% endif %}
diff --git a/library/centos/roles/nginx/templates/nginx-websockets.conf.j2 b/library/centos/roles/nginx/templates/nginx-websockets.conf.j2
deleted file mode 100644
index 32af4c3c..00000000
--- a/library/centos/roles/nginx/templates/nginx-websockets.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
diff --git a/library/centos/roles/nginx/templates/nginx.conf.j2 b/library/centos/roles/nginx/templates/nginx.conf.j2 deleted file mode 100644 index df7ffcfb..00000000 --- a/library/centos/roles/nginx/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,102 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-
-user nginx;
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-# Load dynamic modules. See /usr/share/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections {{ nginx_worker_connections }};
- multi_accept {{ nginx_multi_accept }};
-}
-worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
-
-http {
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens {{ nginx_server_tokens }};
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- large_client_header_buffers {{ nginx_large_client_header_buffers }};
-
-{% if nginx_enable_compression %}
- include /etc/nginx/snippets/nginx-compression.conf;
-{% endif %}
-{% if nginx_websockets_support %}
- include /etc/nginx/snippets/nginx-websockets.conf;
-{% endif %}
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /etc/nginx/conf.d/*.conf;
-
- # server {
- # listen 80 default_server;
- # listen [::]:80 default_server;
- # server_name _;
- # root /usr/share/nginx/html;
-
- # # Load configuration files for the default server block.
- # include /etc/nginx/default.d/*.conf;
-
- # location / {
- # }
-
- # error_page 404 /404.html;
- # location = /40x.html {
- # }
-
- # error_page 500 502 503 504 /50x.html;
- # location = /50x.html {
- # }
- # }
-
- # Settings for a TLS enabled server.
- # - # server { - # listen 443 ssl http2 default_server; - # listen [::]:443 ssl http2 default_server; - # server_name _; - # root /usr/share/nginx/html; - # - # ssl_certificate "/etc/pki/nginx/server.crt"; - # ssl_certificate_key "/etc/pki/nginx/private/server.key"; - # ssl_session_cache shared:SSL:1m; - # ssl_session_timeout 10m; - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; - # - # # Load configuration files for the default server block. - # include /etc/nginx/default.d/*.conf; - # - # location / { - # } - # - # error_page 404 /404.html; - # location = /40x.html { - # } - # - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - # } -} - - - diff --git a/library/roles/nginx/defaults/main.yml b/library/roles/nginx/defaults/main.yml index bdf9240b..63913015 100644 --- a/library/roles/nginx/defaults/main.yml +++ b/library/roles/nginx/defaults/main.yml @@ -6,8 +6,6 @@ nginx_package_state: present # See https://mozilla.github.io/server-side-tls/ssl-config-generator/ nginx_ssl_level: intermediate -#nginx_virthosts: [] - nginx_snippets_dir: /etc/nginx/snippets nginx_conf_snippets: diff --git a/library/roles/nginx/tasks/basic-auth.yml b/library/roles/nginx/tasks/basic-auth.yml index cdf35c61..13579097 100644 --- a/library/roles/nginx/tasks/basic-auth.yml +++ b/library/roles/nginx/tasks/basic-auth.yml 
@@ -1,8 +1,13 @@ --- - block: - - name: Install the python passlib library - apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600 - + - name: Install the python passlib library on deb based distributions + apt: pkg=python-passlib state=present cache_valid_time=3600 + when: ansible_distribution_file_variety == "Debian" + + - name: Install the python passlib library on RH based distributions + yum: pkg=python-passlib state=present + when: ansible_distribution_file_variety == "RedHat" + - name: Create the htpasswd file needed by the basic auth htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }} with_items: '{{ nginx_basic_auth_users }}' diff --git a/library/roles/nginx/tasks/main.yml b/library/roles/nginx/tasks/main.yml index 4bbac35f..b0ed6145 100644 --- a/library/roles/nginx/tasks/main.yml +++ b/library/roles/nginx/tasks/main.yml @@ -1,8 +1,11 @@ --- -- import_tasks: nginx.yml +- import_tasks: nginx-deb.yml + when: ansible_distribution_file_variety == "Debian" +- import_tasks: nginx-rh.yml + when: ansible_distribution_file_variety == "RedHat" - import_tasks: nginx-config.yml - import_tasks: nginx-virtualhosts.yml - when: nginx_use_common_virthost + when: nginx_use_common_virthost | bool - import_tasks: nginx-letsencrypt.yml when: letsencrypt_acme_install is defined and letsencrypt_acme_install - import_tasks: basic-auth.yml diff --git a/library/roles/nginx/tasks/nginx-config.yml b/library/roles/nginx/tasks/nginx-config.yml index 2ae899cb..1f3b45e1 100644 --- a/library/roles/nginx/tasks/nginx-config.yml +++ b/library/roles/nginx/tasks/nginx-config.yml 
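Review bot: The two new passlib installs are each gated on `ansible_distribution_file_variety`, so on a host where that fact is neither "Debian" nor "RedHat" both are skipped and the `htpasswd:` task below fails on the missing library with a less obvious error; a guard before it such as `- assert: { that: ansible_distribution_file_variety in ['Debian', 'RedHat'] }` would name the real cause. The RH task also assumes a `python-passlib` package is reachable (to my knowledge EPEL on EL7, and a python3-prefixed name on EL8), so the repository assumption deserves a comment on the task. The block's closing `when`/`tags` lie outside the hunk.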
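Review bot: The `when: ansible_distribution_file_variety == ...` added on the two `import_tasks` lines is inherited by every imported task, while `nginx-deb.yml` and `nginx-rh.yml` (further down this page) wrap their tasks in a block carrying the identical condition, so each task is now evaluated against the same fact twice. Pick one place for the check; if the inner block is kept deliberately for tag-driven runs, a one-line comment such as `# distro check repeated inside the file so `--tags nginx` runs stay correct` would stop the next reader from removing it. The `| bool` cast on `nginx_use_common_virthost` is a good hardening.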
@@ -17,10 +17,6 @@ when: nginx_ssl_level == 'intermediate' notify: Reload nginx - - name: remove nginx default virtualhost - file: dest=/etc/nginx/sites-enabled/default state=absent - notify: Reload nginx - - name: Install the supported configuration snippets template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444 with_items: '{{ nginx_conf_snippets }}' @@ -35,5 +31,15 @@ with_items: '{{ nginx_old_snippets }}' notify: Reload nginx - when: nginx_enabled + when: nginx_enabled | bool + tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] + +- block: + - name: remove nginx default virtualhost + file: dest=/etc/nginx/sites-enabled/default state=absent + notify: Reload nginx + + when: + - nginx_enabled | bool + - ansible_distribution_file_variety == "Debian" tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] diff --git a/library/roles/nginx/tasks/nginx-deb.yml b/library/roles/nginx/tasks/nginx-deb.yml new file mode 100644 index 00000000..5ddc9b76 --- /dev/null +++ b/library/roles/nginx/tasks/nginx-deb.yml 
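Review bot: Moving the default-virtualhost removal into a Debian-only block (second hunk) leaves the RH side with whatever default server the package ships: the EL packages define it inside the packaged nginx.conf, which this role's template replaces, but the nginx.org builds ship it as `/etc/nginx/conf.d/default.conf`, which the new RedHat section of nginx.conf.j2 on this page still loads through `include /etc/nginx/conf.d/*.conf;`. If the nginx.org repository is a supported source, a matching task `file: dest=/etc/nginx/conf.d/default.conf state=absent` under the RedHat condition keeps the two families equivalent; otherwise a comment on the block explaining why RH needs no removal would do.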
@@ -0,0 +1,27 @@
+---
+- block:
+ - name: Install the Ubuntu PPA for nginx
+ apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
+ when:
+ - nginx_use_ppa
+ - "'{{ ansible_distribution }}' == 'Ubuntu'"
+ tags: [ 'nginx', 'nginx_ppa' ]
+
+ - name: Install the nginx web server
+ apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
+ when:
+ - not nginx_use_ldap_pam_auth
+ - ansible_distribution_major_version <= '14'
+
+ - name: Install the nginx web server if we need ldap auth via pam
+ apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
+ when:
+ - nginx_use_ldap_pam_auth
+ - ansible_distribution_major_version <= '14'
+
+ - name: Install the nginx web server on Ubuntu >= 16.04
+ apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
+ when: ansible_distribution_major_version >= '16'
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: nginx
\ No newline at end of file
diff --git a/library/roles/nginx/tasks/nginx-rh.yml b/library/roles/nginx/tasks/nginx-rh.yml
new file mode 100644
index 00000000..57211c2d
--- /dev/null
+++ b/library/roles/nginx/tasks/nginx-rh.yml
@@ -0,0 +1,7 @@
+---
+- block:
+ - name: Install the nginx web server
+ yum: pkg=nginx state={{ nginx_package_state }}
+
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: nginx
diff --git a/library/roles/nginx/tasks/nginx-virtualhosts.yml b/library/roles/nginx/tasks/nginx-virtualhosts.yml
index 1bc8a12f..1615c602 100644
--- a/library/roles/nginx/tasks/nginx-virtualhosts.yml
+++ b/library/roles/nginx/tasks/nginx-virtualhosts.yml
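Review bot: `ansible_distribution_major_version <= '14'` and `>= '16'` compare strings, not versions, so inside a block that matches every Debian-variety host the branches are chosen lexicographically: Debian 9 satisfies `'9' >= '16'` and gets the "Ubuntu >= 16.04" task, while Debian 10 satisfies `'10' <= '14'` and gets `nginx-full`. Use the version test and pin the Ubuntu-specific branches to Ubuntu: `- ansible_distribution == 'Ubuntu'` plus `- ansible_distribution_major_version is version('14', '<=')` (and `is version('16', '>=')` on the last task). The same string comparison appears in the new `{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}` of nginx.conf.j2 further down this page. `"'{{ ansible_distribution }}' == 'Ubuntu'"` also templates inside a `when`, which Ansible warns about; the bare `ansible_distribution == 'Ubuntu'` form is enough.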
@@ -4,6 +4,10 @@ file: dest={{ nginx_webroot }} state=directory mode=0755 when: nginx_webroot != '/usr/share/nginx/html' + tags: [ 'nginx', 'virtualhost' ] + +- name: Install and enable the nginx virtualhost files on Deb based systems + block: - name: Install the nginx virtualhost files template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444 with_items: '{{ nginx_virthosts | default(omit) }}' @@ -14,4 +18,15 @@ with_items: '{{ nginx_virthosts | default(omit) }}' notify: Reload nginx + when: ansible_distribution_file_variety == "Debian" + tags: [ 'nginx', 'virtualhost' ] + +- name: Install and enable the nginx virtualhost files on RH based systems + block: + - name: Install the nginx virtualhost files + template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444 + with_items: '{{ nginx_virthosts | default(omit) }}' + notify: Reload nginx + + when: ansible_distribution_file_variety == "RedHat" tags: [ 'nginx', 'virtualhost' ] diff --git a/library/roles/nginx/tasks/nginx.yml b/library/roles/nginx/tasks/nginx.yml deleted file mode 100644 index 7b1ee0ba..00000000 --- a/library/roles/nginx/tasks/nginx.yml +++ /dev/null 
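Review bot: The new RH block renders each virtualhost straight into `/etc/nginx/conf.d/{{ item.virthost_name }}.conf`, so every entry is live as soon as it is written, and an entry dropped from `nginx_virthosts` keeps being served because nothing removes the file; the Debian path at least keeps sites-available separate from the enabling step. If the items carry an enable flag, honouring it here (render when enabled, `state=absent` otherwise) would make the two families behave the same; failing that, a comment on the block stating that conf.d files on RH are always active is worth adding. The Debian block's `with_items`/`notify` lines between the two hunks are unchanged context.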
@@ -1,26 +0,0 @@ ---- -- name: Install the Ubuntu PPA for nginx - apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes - when: - - nginx_use_ppa - - "'{{ ansible_distribution }}' == 'Ubuntu'" - tags: [ 'nginx', 'nginx_ppa' ] - -- name: Install the nginx web server - apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - when: - - not nginx_use_ldap_pam_auth - - ansible_distribution_major_version <= '14' - tags: nginx - -- name: Install the nginx web server if we need ldap auth via pam - apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - when: - - nginx_use_ldap_pam_auth - - ansible_distribution_major_version <= '14' - tags: nginx - -- name: Install the nginx web server on Ubuntu >= 16.04 - apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - when: ansible_distribution_major_version >= '16' - tags: nginx diff --git a/library/roles/nginx/tasks/pam-ldap.yml b/library/roles/nginx/tasks/pam-ldap.yml index 9f37f629..ae253511 100644 --- a/library/roles/nginx/tasks/pam-ldap.yml +++ b/library/roles/nginx/tasks/pam-ldap.yml @@ -3,6 +3,5 @@ copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }} notify: Reload nginx when: nginx_use_ldap_pam_auth - tags: - - nginx + tags: nginx diff --git a/library/roles/nginx/templates/nginx.conf.j2 b/library/roles/nginx/templates/nginx.conf.j2 index 36850fe3..9dc53920 100644 --- a/library/roles/nginx/templates/nginx.conf.j2 +++ b/library/roles/nginx/templates/nginx.conf.j2 
@@ -1,11 +1,21 @@ -user www-data; pid /run/nginx.pid; -{% if nginx_use_ppa %} +{% if ansible_distribution_file_variety == "Debian" %} +user www-data; +{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %} worker_processes auto; include /etc/nginx/modules-enabled/*.conf; + {% else %} worker_processes {{ nginx_workers }}; {% endif %} +{% endif %} + +{% if ansible_distribution_file_variety == "RedHat" %} +user nginx; +worker_processes auto; +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; +{% endif %} events { worker_connections {{ nginx_worker_connections }}; @@ -14,6 +24,9 @@ events { worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }}; http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; tcp_nopush on; tcp_nodelay on; @@ -31,13 +44,20 @@ http { access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - include /etc/nginx/conf.d/*.conf; {% if nginx_enable_compression %} include /etc/nginx/snippets/nginx-compression.conf; {% endif %} {% if nginx_websockets_support %} include /etc/nginx/snippets/nginx-websockets.conf; {% endif %} - include /etc/nginx/sites-enabled/*; -} + include /etc/nginx/conf.d/*.conf; +{% if ansible_distribution_file_variety == "RedHat" %} + # Load configuration files for the default server block. + include /etc/nginx/default.d/*.conf; +{% endif %} + +{% if ansible_distribution_file_variety == "Debian" %} + include /etc/nginx/sites-enabled/*; +{% endif %} +} From c036b0bf8b12fc6981b4fbac0602c87704e53857 Mon Sep 17 00:00:00 2001 
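Review bot: The `log_format main` added in the second hunk is never referenced: the `access_log /var/log/nginx/access.log;` context line in the third hunk still uses nginx's built-in format, so `$http_x_forwarded_for` is not written and the client address behind a proxy is missing from the logs. Either `access_log /var/log/nginx/access.log main;` or drop the format. In the first hunk the Debian branch keeps the string comparison `ansible_distribution_major_version >= '16'` raised on nginx-deb.yml, and the blank line inserted before `{% else %}` inside the `{% if nginx_use_ppa ... %}` block ends up in the rendered file.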
From: Andrea Dell'Amico Date: Thu, 23 Jan 2020 11:39:29 +0100 Subject: [PATCH 04/26] Fix the management of the size of the attachments. --- library/roles/roundcube/defaults/main.yml | 3 +++ library/roles/roundcube/templates/config.inc.php.j2 | 13 ++++++++++++- library/roles/roundcube/vars/main.yml | 6 ++---- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/library/roles/roundcube/defaults/main.yml b/library/roles/roundcube/defaults/main.yml index b2ca7ddf..43b3722f 100644 --- a/library/roles/roundcube/defaults/main.yml +++ b/library/roles/roundcube/defaults/main.yml @@ -140,3 +140,6 @@ roundcube_additional_plugins: [] # In Megabytes. This affects both the nginx/apache and php configurations roundcube_max_attachments_size: 5 +# This one is represented in bytes instead. +roundcube_max_db_allowed_packet: '{{ roundcube_max_attachments_size * 1024 * 1024 * 5 }}' + diff --git a/library/roles/roundcube/templates/config.inc.php.j2 b/library/roles/roundcube/templates/config.inc.php.j2 index 1571aa4b..52944e93 100644 --- a/library/roles/roundcube/templates/config.inc.php.j2 +++ b/library/roles/roundcube/templates/config.inc.php.j2 @@ -27,6 +27,12 @@ $config = array(); // or (Windows): 'sqlite:///C:/full/path/to/sqlite.db' $config['db_dsnw'] = '{{ roundcube_db }}://{{ roundcube_db_user }}:{{ roundcube_db_pwd }}@{{ roundcube_db_host }}/{{ roundcube_db_name}}'; +// It is possible to specify database variable values e.g. some limits here. +// Use them if your server is not MySQL or for better performance. +// For example Roundcube uses max_allowed_packet value (in bytes) +// which limits query size for database cache operations. +$config['db_max_allowed_packet'] = '{{ roundcube_max_db_allowed_packet }}'; + // The IMAP host chosen to perform the log-in. // Leave blank to show a textbox at login, give a list of hosts // to display a pulldown menu or set one host as string. 
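Review bot: `roundcube_max_db_allowed_packet` multiplies the attachment size by `1024 * 1024 * 5`, but the comment only says the value is in bytes and not why five times the attachment limit is needed; a one-line rationale for the factor next to `# This one is represented in bytes instead.` would keep it from being "corrected" later. In config.inc.php.j2 the value lands in `$config['db_max_allowed_packet'] = '{{ roundcube_max_db_allowed_packet }}';` as a quoted string, whereas Roundcube's sample config uses a bare integer or null for this option; confirm the string form is parsed as bytes rather than ignored, and drop the quotes if an integer is expected.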
@@ -80,7 +86,7 @@ $config['des_key'] = '{{ roundcube_crypt_key }}'; $config['cipher_method'] = 'AES-256-CBC'; // List of active plugins (in plugins/ directory) -$config['plugins'] = array({% for plug in roundcube_default_plugins %}'{{ plug }}', {% endfor %}{% for opt_plug in roundcube_optional_plugins %}'{{ opt_plug }}', {% endfor %}{% for add_plug in roundcube_additional_plugins %}'{{ add_plug }}', {% endfor %}{% if roundcube_install_enigma %}{{ roundcube_enigma_plugin }}{% endif %}); +$config['plugins'] = array({% for plug in roundcube_default_plugins %}'{{ plug }}', {% endfor %}{% for opt_plug in roundcube_optional_plugins %}'{{ opt_plug }}', {% endfor %}{% for add_plug in roundcube_additional_plugins %}'{{ add_plug }}', {% endfor %}{% if roundcube_install_enigma %}'{{ roundcube_enigma_plugin }}'{% endif %}); {% if roundcube_install_enigma %} // Enigma Plugin options @@ -201,6 +207,11 @@ $config['apc_max_allowed_packet'] = '2M'; $config['redis_max_allowed_packet'] = '2M'; {% endif %} +// Message size limit. Note that SMTP server(s) may use a different value. +// This limit is verified when user attaches files to a composed message. +// Size in bytes (possible unit suffix: K, M, G) +$config['max_message_size'] = '{{ roundcube_max_attachments_size }}M'; + // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA. // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING! $config['enable_installer'] = false; diff --git a/library/roles/roundcube/vars/main.yml b/library/roles/roundcube/vars/main.yml index 722e7008..264cafd6 100644 --- a/library/roles/roundcube/vars/main.yml +++ b/library/roles/roundcube/vars/main.yml 
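Review bot: `max_message_size` (second hunk) is set to `{{ roundcube_max_attachments_size }}M`, the same value the role gives PHP's `post_max_size` and `upload_max_filesize` in vars/main.yml further down this page, so a full-size attachment plus multipart overhead exceeds `post_max_size` and PHP discards the request before Roundcube can apply its own limit and return its friendlier error. PHP's guidance is that `post_max_size` should exceed `upload_max_filesize`; since the nginx body limit already allows `* 2`, giving `post_max_size` a small margin (or setting `max_message_size` a little below the PHP limits) makes the three limits consistent. The quoting fix for `roundcube_enigma_plugin` in the first hunk is correct.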
@@ -4,7 +4,7 @@ nginx_client_max_body_size: '{{ roundcube_max_attachments_size * 2 }}M' phpfpm_default_user: '{{ roundcube_user }}' phpfpm_default_pool_name: roundcube -phpfpm_default_memory_limit: '{{ roundcube_max_attachments_size * 4 }}M' +phpfpm_default_memory_limit: '{{ roundcube_max_attachments_size * 10 }}M' redis_install: False http_port: 80 https_port: 443 @@ -28,8 +28,6 @@ php_additional_packages: - postgresql-client - 'php{{ php_version }}-memcache' -phpfpm_default_memory_limit: "64M" - php_global_settings: - { option: 'zlib.output_compression', value: 'Off' } - { option: 'post_max_size', value: '{{ roundcube_max_attachments_size }}M' } 
@@ -55,5 +53,5 @@ php_global_settings: php_cli_global_settings: '{{ php_global_settings }}' phpfpm_pools: - - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ roundcube_web_root }}/public_html', req_term_timeout: '240s', virthost: '{{ roundcube_servername }}', nginx_servername: '{{ roundcube_servername }}' } + - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ 
phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', upload_max_filesize: '{{ roundcube_max_attachments_size }}M', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ roundcube_web_root }}/public_html', req_term_timeout: '240s', virthost: '{{ roundcube_servername }}', nginx_servername: '{{ roundcube_servername }}' } From d53b569189abde0f258cc4d98a5b0349fae7a2c3 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 24 Jan 2020 13:03:07 +0100 Subject: [PATCH 05/26] Manage the transport and virtual_domains maps. --- library/roles/postfix/defaults/main.yml | 36 +++++++++++-- library/roles/postfix/tasks/main.yml | 1 + .../postfix/tasks/smtp-common-packages.yml | 30 ----------- .../postfix/tasks/smtp-configuration.yml | 54 +++++++++++++++++++ library/roles/postfix/templates/main.cf.j2 | 32 +++++++++-- library/roles/postfix/templates/transport.j2 | 3 ++ .../postfix/templates/virtual_domains.j2 | 11 ++++ 7 files changed, 130 insertions(+), 37 deletions(-) create mode 100644 library/roles/postfix/tasks/smtp-configuration.yml create mode 100644 library/roles/postfix/templates/transport.j2 create mode 100644 library/roles/postfix/templates/virtual_domains.j2 diff --git a/library/roles/postfix/defaults/main.yml b/library/roles/postfix/defaults/main.yml index fdf25b7d..1070768c 100644 
--- a/library/roles/postfix/defaults/main.yml +++ b/library/roles/postfix/defaults/main.yml @@ -62,6 +62,9 @@ postfix_milter_action: tempfail # SMTP server that not accept authenticated clients. ############################################################################# postfix_smtpd_server: False +# SMTP server that routes emails coming from outside +############################################################################# +postfix_mx_server: False ############################################################################# # SMTP submission server: accepts authenticated clients ############################################################################# @@ -106,12 +109,25 @@ postfix_sasl_ldap_referrals: no # postfix_use_domain_name: False -postfix_inet_lmtp_enabled: False -postfix_inet_lmtp_host: '127.0.0.1' -postfix_inet_lmtp_port: 24 +postfix_virtual_transport_enabled: False +postfix_virtual_transport_protocol: 'lmtp' +postfix_lmtp_protocol: 'inet' +postfix_lmtp_host: '127.0.0.1' +postfix_lmtp_port: 24 postfix_delivery_soft_bounce: False postfix_recipient_delimiter: '+' postfix_local_recipients: False +postfix_transport_map_enabled: False +postfix_transport_maps: + - 'hash:/etc/postfix/transport' + +postfix_transport_data: [] +# +# Example: +# postfix_transport_data: +# - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' } +postfix_rbl_enabled: True +postfix_rbl_list: 'zen.spamhaus.org' postfix_mynetworks: hash:/etc/postfix/network_table postfix_mynetworks_data: 
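Review bot: `postfix_inet_lmtp_enabled`/`postfix_inet_lmtp_host`/`postfix_inet_lmtp_port` are replaced by `postfix_virtual_transport_enabled` and the `postfix_lmtp_*` names with no fallback, so an inventory that still sets the old names silently gets the defaults (transport disabled, `127.0.0.1:24`); a default such as `postfix_lmtp_host: '{{ postfix_inet_lmtp_host | default("127.0.0.1") }}'` for each, or at least a comment naming the retired variables, would make the migration visible. `postfix_rbl_enabled: True` also turns on DNSBL rejection for every host by default; assuming main.cf.j2 turns it into `reject_rbl_client`, note that Spamhaus answers queries arriving through public resolvers with an error return code that Postfix treats as a listing unless the lookup is restricted to the listing range (`zen.spamhaus.org=127.0.0.[2..11]`), so a comment pointing operators at a local resolver is worth adding. `postfix_rbl_list` is a single scalar, so a second zone cannot be added without touching the template.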
@@ -125,9 +141,23 @@ postfix_alias_databases: '{{ postfix_alias_maps }}' postfix_virtual_addresses: False postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains' +postfix_virtual_mailbox_domains_data: [] +# +# Example. The 'action' part is optional: +# postfix_virtual_mailbox_domains_data: +# - { domain: 'example.com', action: 'OK' } + postfix_virtual_mailbox_maps: - 'hash:/etc/postfix/vmailbox_maps' +postfix_virtual_domains: False +postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains' +postfix_virtual_alias_domains_data: [] +# +# Example. The 'action' part is optional: +# postfix_virtual_alias_domains_data: +# - { domain: 'example.com', action: 'OK' } + postfix_virtual_alias_maps: - 'hash:/etc/postfix/virtual' diff --git a/library/roles/postfix/tasks/main.yml b/library/roles/postfix/tasks/main.yml index 87cdd912..4bb6b7d4 100644 --- a/library/roles/postfix/tasks/main.yml +++ b/library/roles/postfix/tasks/main.yml @@ -1,5 +1,6 @@ --- - import_tasks: smtp-common-packages.yml +- import_tasks: smtp-configuration.yml - import_tasks: postfix_firewalld.yml when: ansible_distribution_file_variety == "RedHat" - import_tasks: smtp-sasl-auth.yml diff --git a/library/roles/postfix/tasks/smtp-common-packages.yml b/library/roles/postfix/tasks/smtp-common-packages.yml index 5db5e324..618488a0 100644 --- a/library/roles/postfix/tasks/smtp-common-packages.yml +++ b/library/roles/postfix/tasks/smtp-common-packages.yml 
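Review bot: `postfix_virtual_alias_domains` and `postfix_virtual_mailbox_domains` both point at `hash:/etc/postfix/virtual_domains`, and the new smtp-configuration.yml further down renders that single file from one template, while the defaults carry two separate data lists (`postfix_virtual_alias_domains_data` and `postfix_virtual_mailbox_domains_data`). Whatever the template writes therefore ends up in both classes, and Postfix warns against listing a domain in both virtual_alias_domains and virtual_mailbox_domains; either the alias domains need their own map file, or a comment above `postfix_virtual_domains: False` should state that only one of `postfix_virtual_domains`/`postfix_virtual_addresses` may be enabled on a host. The tasks/main.yml hunk that follows is a plain import and needs nothing.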
@@ -26,38 +26,9 @@ when: postfix_tls_encryption_level != "old" notify: Reload postfix - - name: Write the postfix main configuration file - template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 - register: postfix_main_restart_needed - - - name: The postfix master.cf file adapts to the service role - template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 - register: postfix_master_restart_needed - - - name: Write the postfix network_table map - template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444 - register: postfix_network_table_status - when: postfix_install_packages | bool tags: [ 'postfix', 'postfix_conf' ] -- block: - - name: Ensure that postfix is started and enabled - service: name=postfix state=started enabled=yes - - - name: Update the network hash table - shell: postmap hash:/etc/postfix/network_table - when: postfix_network_table_status is changed - - - name: Restart postfix - service: name=postfix state=restarted - when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed ) - - when: - - postfix_install_packages | bool - - postfix_enabled | bool - tags: [ 'postfix', 'postfix_conf' ] - - block: - name: Ensure that postfix is stopped and disabled service: name=postfix state=stopped enabled=no @@ -67,7 +38,6 @@ - not postfix_enabled | bool tags: postfix - - block: - name: Install the postfix NRPE nagios check copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555 diff --git a/library/roles/postfix/tasks/smtp-configuration.yml b/library/roles/postfix/tasks/smtp-configuration.yml new file mode 100644 index 00000000..f6ebdb8e --- /dev/null +++ b/library/roles/postfix/tasks/smtp-configuration.yml 
@@ -0,0 +1,54 @@ +--- +- name: Postfix main configuration + block: + - name: Write the postfix main configuration file + template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 + register: postfix_main_restart_needed + + - name: The postfix master.cf file adapts to the service role + template: src=master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 + register: postfix_master_restart_needed + + when: postfix_enabled | bool + tags: [ 'postfix', 'postfix_conf' ] + +- name: Postfix maps installation + block: + - name: Write the postfix network_table map + template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444 + register: postfix_network_table_status + + - name: Write the postfix virtual_domains map + template: src=virtual_domains.j2 dest=/etc/postfix/virtual_domains owner=root group=root mode=0444 + register: postfix_virtual_domains_status + + - name: Write the postfix transport map + template: src=transport.j2 dest=/etc/postfix/transport owner=root group=root mode=0444 + register: postfix_transport_table_status + when: postfix_transport_map_enabled | bool + + - name: Update the network hash table + shell: postmap hash:/etc/postfix/network_table + when: postfix_network_table_status is changed + + - name: Update the virtual_domains + shell: postmap hash:/etc/postfix/virtual_domains + when: postfix_virtual_domains_status is changed + + - name: Update the transport hash table + shell: postmap hash:/etc/postfix/transport + when: postfix_transport_table_status is changed + + when: postfix_enabled | bool + tags: [ 'postfix', 'postfix_conf', 'postfix_maps' ] + +- block: + - name: Ensure that postfix is started and enabled + service: name=postfix state=started enabled=yes + + - name: Restart postfix + service: name=postfix state=restarted + when: ( postfix_main_restart_needed is changed ) or ( postfix_master_restart_needed is changed ) + + when: postfix_enabled | bool + tags: [ 'postfix', 
'postfix_conf' ] diff --git a/library/roles/postfix/templates/main.cf.j2 b/library/roles/postfix/templates/main.cf.j2 index d72c3177..d4db78f6 100644 --- a/library/roles/postfix/templates/main.cf.j2 +++ b/library/roles/postfix/templates/main.cf.j2 @@ -343,6 +343,9 @@ relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }} # TRANSPORT MAP # # See the discussion in the ADDRESS_REWRITING_README document. +{% if postfix_transport_map_enabled %} +transport_maps = {% for tmap in postfix_transport_maps %}{{ tmap }}{% if not loop.last %}, {% endif %}{% endfor %} +{% endif %} # ALIAS DATABASE # @@ -478,14 +481,18 @@ recipient_delimiter = {{ postfix_recipient_delimiter }} # #fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp #fallback_transport = -{% if postfix_inet_lmtp_enabled %} -virtual_transport = lmtp:inet:{{ postfix_inet_lmtp_host }}:{{ postfix_inet_lmtp_port }} -{% endif %} +{% if postfix_virtual_transport_enabled %} +virtual_transport = {{ postfix_virtual_transport_protocol }}:{{ postfix_lmtp_protocol }}:{{ postfix_lmtp_host }}:{{ postfix_lmtp_port }} -{% if postfix_virtual_addresses %} virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }} virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %} +{% endif %} + +{% if postfix_virtual_domains %} +virtual_alias_domains = = {{ postfix_virtual_alias_domains }} +{% endif %} +{% if postfix_virtual_addresses %} virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %} virtual_mailbox_limit = {{ postfix_message_size_limit }} 
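Review bot: The configuration and map blocks moved into smtp-configuration.yml are gated only on `postfix_enabled | bool`, whereas the block they replace in smtp-common-packages.yml was also gated on `postfix_install_packages | bool`; on a host where this role does not manage the packages, main.cf, master.cf and the maps are now written into /etc/postfix and `postmap` is run regardless. Keep the original guard, e.g. `when: postfix_enabled | bool and postfix_install_packages | bool` on each block, or document why it is no longer needed. The `postmap` tasks use `shell:` for a plain command with no shell features; `command: postmap hash:/etc/postfix/network_table` avoids the extra shell. `postfix_transport_table_status` is registered by a conditional task, so when it is skipped `is changed` is false and the transport `postmap` is correctly skipped, but a one-line comment saying so would save the next reader from checking.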
@@ -570,7 +577,24 @@ smtpd_client_restrictions = {% if postfix_submission_server %} permit_sasl_authenticated {% endif %} +{% if postfix_mx_server %} + reject_unknown_sender_domain + reject_non_fqdn_sender + reject_non_fqdn_recipient + reject_invalid_hostname +# reject_non_fqdn_hostname + reject_unauth_destination + reject_unknown_recipient_domain + reject_unlisted_recipient +{% if postfix_rbl_enabled %} + reject_rbl_client {{ postfix_rbl_list }} +{% endif %} +{% endif %} +{% if postfix_mx_server %} + permit +{% else %} reject +{% endif %} {% if postfix_submission_server %} smtpd_sasl_path = smtpd smtpd_sasl_auth_enable = yes diff --git a/library/roles/postfix/templates/transport.j2 b/library/roles/postfix/templates/transport.j2 new file mode 100644 index 00000000..c84f3bf3 --- /dev/null +++ b/library/roles/postfix/templates/transport.j2 @@ -0,0 +1,3 @@ +{% for map in postfix_transport_data %} +{{ map.domain }} {{ map.action }} +{% endfor %} diff --git a/library/roles/postfix/templates/virtual_domains.j2 b/library/roles/postfix/templates/virtual_domains.j2 new file mode 100644 index 00000000..bbb82600 --- /dev/null +++ b/library/roles/postfix/templates/virtual_domains.j2 @@ -0,0 +1,11 @@ +{% if postfix_virtual_domains | bool %} +{% for dom in postfix_virtual_alias_domains_data %} +{{ dom.domain }} OK +{% endfor %} +{% elif postfix_virtual_addresses | bool %} +{% for dom in postfix_virtual_mailbox_domains_data %} +{{ dom.domain }} OK +{% endfor %} +{% else %} +localdomain OK +{% endif %} From c90043d44a857df83a1317ed2c3a7d2851511a1f Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 24 Jan 2020 13:58:05 +0100 Subject: [PATCH 06/26] Move the max_message_size option out of the 'if' case. --- library/roles/postfix-relay/templates/main.cf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/roles/postfix-relay/templates/main.cf.j2 b/library/roles/postfix-relay/templates/main.cf.j2 index 9e7a09b9..04846327 100644 
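Review bot: The MX chain is added to `smtpd_client_restrictions` but consists mostly of sender/recipient checks (`reject_unknown_sender_domain`, `reject_unauth_destination`, `reject_unlisted_recipient`, …), which Postfix can only evaluate at the client stage while `smtpd_delay_reject = yes` (the compiled-in default); if the template sets it to `no` anywhere outside this hunk those checks are skipped for lack of sender/recipient data and the trailing `permit` admits the client, leaving relay protection to whatever `smtpd_relay_restrictions`/`smtpd_recipient_restrictions` say. The conventional placement is `reject_rbl_client` here and the relay/recipient checks in `smtpd_recipient_restrictions`; at minimum add `# relies on smtpd_delay_reject = yes (Postfix default)` above the block. `reject_invalid_hostname` is the pre-2.3 alias of `reject_invalid_helo_hostname`; the current name makes the HELO scope explicit. Keeping `reject_unauth_destination` ahead of `reject_rbl_client` is the right order, since it avoids DNSBL lookups for plain relay attempts.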
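Review bot: virtual_domains.j2 renders one file that, per the defaults in this series, both `postfix_virtual_mailbox_domains` and `postfix_virtual_alias_domains` point at (`hash:/etc/postfix/virtual_domains`), yet its `if`/`elif` emits only the alias-domain list when `postfix_virtual_domains` is set, so a host that enables both options silently loses its virtual mailbox domains from the map. Either render both lists into the file (`{% for dom in postfix_virtual_alias_domains_data + postfix_virtual_mailbox_domains_data %}`) or give each setting its own map file. The defaults describe an optional per-entry `action`, but the template hard-codes `OK`; use `{{ dom.action | default('OK') }}` or drop the example so the documentation matches the behaviour.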
--- a/library/roles/postfix-relay/templates/main.cf.j2 +++ b/library/roles/postfix-relay/templates/main.cf.j2 @@ -55,6 +55,7 @@ inet_interfaces = localhost inet_protocols = ipv4 {% endif %} mailbox_size_limit = 0 +message_size_limit = {{ postfix_message_size_limit }} recipient_delimiter = + default_destination_concurrency_limit = {{ postfix_default_destination_concurrency_limit }} {% if postfix_use_sasl_auth %} @@ -77,7 +78,6 @@ smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }} smtpd_helo_required = yes mynetworks = {{ postfix_mynetworks }} inet_interfaces = {{ postfix_interfaces }} -message_size_limit = {{ postfix_message_size_limit }} # Don't talk to mail systems that don't know their own hostname. smtpd_helo_restrictions = reject_unknown_helo_hostname From af32ce30bcfb53d1e4ca99b4ccb795ffbb15eddf Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Sat, 25 Jan 2020 13:58:26 +0100 Subject: [PATCH 07/26] Change the way we enable the local recipient maps. --- library/roles/postfix/templates/main.cf.j2 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/library/roles/postfix/templates/main.cf.j2 b/library/roles/postfix/templates/main.cf.j2 index d4db78f6..8d177203 100644 --- a/library/roles/postfix/templates/main.cf.j2 +++ b/library/roles/postfix/templates/main.cf.j2 @@ -177,8 +177,10 @@ mydestination = {{ ansible_fqdn }}, localhost # #local_recipient_maps = unix:passwd.byname $alias_maps #local_recipient_maps = proxy:unix:passwd.byname $alias_maps -{% if not postfix_local_recipients %} +{% if postfix_virtual_transport_enabled %} local_recipient_maps = +{% elif not postfix_local_recipients %} +#local_recipient_maps = {% endif %} # The unknown_local_recipient_reject_code specifies the SMTP server 
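Review bot: With `postfix_virtual_transport_enabled` the template now emits an empty `local_recipient_maps =`, which disables SMTP-time validation of recipients in `$mydestination`: mail for any user at the host's FQDN is accepted and bounced later, the backscatter scenario the Postfix documentation warns about when this parameter is emptied. If the intent is that nothing is delivered locally once a virtual transport is in use, also empty `mydestination` (the line at the top of the hunk still lists `{{ ansible_fqdn }}, localhost`) so no local domain remains, and say so in a comment such as `# empty on purpose: no local delivery, mydestination must be empty too`. The `elif not postfix_local_recipients` branch now only writes a commented-out line, so that setting no longer changes anything compared to the previous `local_recipient_maps =`; confirm this change of behaviour is intended.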
@@ -347,6 +349,7 @@ relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }} transport_maps = {% for tmap in postfix_transport_maps %}{{ tmap }}{% if not loop.last %}, {% endif %}{% endfor %} {% endif %} + # ALIAS DATABASE # # The alias_maps parameter specifies the list of alias databases used @@ -490,7 +493,7 @@ virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap } {% endif %} {% if postfix_virtual_domains %} -virtual_alias_domains = = {{ postfix_virtual_alias_domains }} +virtual_alias_domains = {{ postfix_virtual_alias_domains }} {% endif %} {% if postfix_virtual_addresses %} virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %} From 2da5d26ef6d8b348fcb4058f8c16d35619775da8 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 30 Jan 2020 12:29:51 +0100 Subject: [PATCH 08/26] The roundcube session lifetime is now a variable. --- library/roles/roundcube/defaults/main.yml | 2 ++ library/roles/roundcube/templates/config.inc.php.j2 | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/library/roles/roundcube/defaults/main.yml b/library/roles/roundcube/defaults/main.yml index 43b3722f..b9e6293f 100644 --- a/library/roles/roundcube/defaults/main.yml +++ b/library/roles/roundcube/defaults/main.yml @@ -65,6 +65,8 @@ roundcube_show_images: 0 # 3 - on forward or reply to HTML message # 4 - always, except when replying to plain text message roundcube_html_editor: 0 +# In minutes +roundcube_session_lifetime: 60 roundcube_default_plugins: - acl diff --git a/library/roles/roundcube/templates/config.inc.php.j2 b/library/roles/roundcube/templates/config.inc.php.j2 index 52944e93..a4f2bef1 100644 --- a/library/roles/roundcube/templates/config.inc.php.j2 +++ b/library/roles/roundcube/templates/config.inc.php.j2 
@@ -301,6 +301,18 @@ $config['login_lc'] = {{ roundcube_login_lc }}; $config['display_product_info'] = 0; +// Session lifetime in minutes +$config['session_lifetime'] = {{ roundcube_session_lifetime }}; + +// Session domain: .example.org +$config['session_domain'] = ''; + +// Session name. Default: 'roundcube_sessid' +$config['session_name'] = null; + +// Session authentication cookie name. Default: 'roundcube_sessauth' +$config['session_auth_name'] = null; + {% if roundcube_use_memcache %} $config['session_storage'] = 'memcache'; {% elif roundcube_use_redis %} From d019c0d8cd9c398a8dcf4a24c5f0b99092e862ba Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 4 Feb 2020 19:16:42 +0100 Subject: [PATCH 09/26] Fix the behaviour when we request the certificate via http. --- .../letsencrypt-acme-sh-client/defaults/main.yml | 2 ++ .../files/acme-sh-cron-script | 7 ++++++- .../files/acme-sh-request-cert | 11 ++++++++++- .../roles/letsencrypt-acme-sh-client/tasks/main.yml | 12 +++++++++++- .../templates/account.conf.j2 | 2 +- .../templates/acme_sh_request_env.j2 | 2 ++ 6 files changed, 32 insertions(+), 4 deletions(-) diff --git a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml index 2a5a2c3c..94dc828f 100644 --- a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml +++ b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml 
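Review bot: `$config['session_lifetime'] = {{ roundcube_session_lifetime }};` interpolates the role variable unfiltered into PHP source, so an inventory value that is not a bare integer (a quoted string, or anything containing `;`) becomes code rather than a setting; render it as `{{ roundcube_session_lifetime | int }}`. The three new entries `session_domain`, `session_name` and `session_auth_name` are hard-coded to Roundcube's own defaults, so either omit them (defaults.inc.php supplies them) or expose them as variables like `roundcube_session_lifetime`, with a comment noting that `session_domain` should stay empty unless the session cookie must be shared across subdomains.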
@@ -9,6 +9,8 @@ letsencrypt_acme_user_home: /var/lib/acme letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist' letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}' letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data' +letsencrypt_acme_sh_certs_data_prefix: '{{ ansible_fqdn }}' +letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}' letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}' letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live' letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}' diff --git a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script index 4af87ef8..d96d2be5 100644 --- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script +++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script @@ -13,7 +13,12 @@ else fi chown -R acme:acme "$ACME_SH_HOME" -sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command +if [ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then + /usr/local/bin/acme-sh-cron-command + chown -R acme:acme "$ACME_SH_HOME" +else + sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command +fi if [ "$ACME_SH_INSTALL_CERTS" == "True" ] ; then $ACME_SH_BIN $ACME_SH_INSTALL_CERT_REQUEST > "$ACME_SH_INSTALL_LOG_FILE" 2>&1 diff --git a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert index 70fed230..07716fe7 100644 --- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert +++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert 
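Review bot: The new branch runs `/usr/local/bin/acme-sh-cron-command` as root whenever the standalone port is 80 and no DNS provider is configured, instead of dropping to the `acme` user through `sudo` as the other branch does; acme.sh downloads code and executes deploy hooks, so a compromised client or hook now has root instead of the `acme` account, and the `chown -R` afterwards only repairs ownership, not the exposure. Binding port 80 unprivileged is possible with `cap_net_bind_service` on the listener acme.sh uses, with `authbind`, or by keeping a high standalone port and letting the front web server proxy `/.well-known/acme-challenge/` (which the `Le_HTTPPort` fix later in this series appears to assume). The test `[ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ]` also fails with a syntax error when the variable is missing from an older env file; `[ "${ACME_SH_HTTP_BIND_PORT:-0}" -eq 80 ]` is safe. The rest of the script is outside the hunk.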
@@ -17,7 +17,7 @@ else fi RETVAL= -if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then +if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then # First request. Try to shut down all the services running on port 80 if [ -x /bin/systemctl ] ; then /bin/systemctl stop nginx >/dev/null 2>&1 @@ -30,6 +30,15 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then fi $ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1 RETVAL=$? + if [ -x /bin/systemctl ] ; then + /bin/systemctl start nginx >/dev/null 2>&1 + /bin/systemctl start apache2 >/dev/null 2>&1 + /bin/systemctl start httpd >/dev/null 2>&1 + else + service nginx start + service apache2 start + service httpd start + fi else $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1 RETVAL=$? diff --git a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml index ce607e1b..44ecb315 100644 --- a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml +++ b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml 
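Review bot: After the first issuance the script unconditionally starts nginx, apache2 and httpd rather than restoring only what it stopped, so on a host where one of them is installed but deliberately disabled the run brings up an unintended listener on 80/443; in the non-systemd branch the `service … start` calls also print errors for absent services. Record which units were active before stopping them and restart just those, as sketched below for the systemd branch (the `service` branch needs the same treatment). The surrounding `if`/`else` starts in the previous hunk and its `else` arm is unchanged.

```shell
    # remember which web servers were running before taking port 80
    active_web=""
    for svc in nginx apache2 httpd ; do
        if /bin/systemctl is-active --quiet "$svc" ; then
            active_web="$active_web $svc"
            /bin/systemctl stop "$svc" >/dev/null 2>&1
        fi
    done
    # … unchanged: first certificate request via $ACME_SH_FIRST_CERT_REQUEST …
    for svc in $active_web ; do
        /bin/systemctl start "$svc" >/dev/null 2>&1
    done
```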
@@ -114,10 +114,20 @@ - name: Install the certificates shell: /usr/local/bin/acme-sh-install-certs when: - - letsencrypt_acme_sh_explicitly_install_certs + - letsencrypt_acme_sh_explicitly_install_certs | bool - acme_sh_certificate_issued is defined - acme_sh_certificate_issued is changed ignore_errors: True + - name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server + lineinfile: + path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf' + create: no + state: present + regexp: "^Le_HTTPPort=" + line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'" + when: not letsencrypt_acme_sh_use_dns_provider | bool + tags: [ 'letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port' ] + when: letsencrypt_acme_sh_install | bool tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ] diff --git a/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2 b/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2 index 3573d973..7e455e86 100644 --- a/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2 +++ b/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2 @@ -1,5 +1,5 @@ {% if letsencrypt_acme_sh_log_enabled %} -LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs" +LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs/cert_request.log" LOG_LEVEL=1 {% endif %} diff --git a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 index 0a95e3e2..89866187 100644 --- a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 +++ b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 
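Review bot: The new `lineinfile` task uses `create: no` on `{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf`, a file acme.sh only writes after a successful first issuance; if that issuance failed earlier in the block and the failure was tolerated (the preceding install task already has `ignore_errors: True`), the play now aborts here with a missing-destination error instead of at the real cause. Guard it with a `stat` on the file (`when: not letsencrypt_acme_sh_use_dns_provider | bool and acme_conf.stat.exists`) or surface the original issuance error instead. Since the prefix defaults to `ansible_fqdn`, the edit only matches certificates whose first domain is the host FQDN; a comment `# acme.sh names the per-certificate conf after the first domain of the request` would make that assumption visible. The enclosing block starts before the hunk.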
@@ -11,6 +11,8 @@ ACME_SH_CRON_LOG_FILE={{ letsencrypt_acme_sh_base_data_dir }}/logs/cron.log ACME_SH_INSTALL_LOG_FILE={{ letsencrypt_acme_sh_log_dir }}/cert_install.log ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }} ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }} +ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }} +ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}" ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }} From 94ffed10c93a84e8b5a113b78f4db5e4195fe18b Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Feb 2020 14:54:39 +0100 Subject: [PATCH 10/26] acme-sh-request-cert: do not fail if there's a valid, and not expiring, certificate already. --- .../letsencrypt-acme-sh-client/files/acme-sh-request-cert | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert index 07716fe7..327789bb 100644 --- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert +++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert @@ -48,4 +48,8 @@ if [ $RETVAL -eq 0 ] ; then touch "$ACME_SH_CONFIG_HOME/ok_certificate_issued" fi +if [ $RETVAL -eq 2 ] ; then + # There is a valid certificate already + exit 0 +fi exit $RETVAL From e433a4eeb32e25c5ea07418196248da09cefa2d5 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Feb 2020 16:30:21 +0100 Subject: [PATCH 11/26] Fix the creation of the letsencrypt hook for postfix. --- .../tasks/postfix-letsencrypt-hook.yml | 6 ++++- .../tasks/postfix-letsencrypt-hook.yml | 22 ++++++++++++++----- .../roles/postfix/tasks/smtp-sasl-auth.yml | 2 +- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/library/roles/postfix-relay/tasks/postfix-letsencrypt-hook.yml b/library/roles/postfix-relay/tasks/postfix-letsencrypt-hook.yml index d391d0be..8d634215 100644 
--- a/library/roles/postfix-relay/tasks/postfix-letsencrypt-hook.yml +++ b/library/roles/postfix-relay/tasks/postfix-letsencrypt-hook.yml @@ -1,4 +1,8 @@ --- +- name: Create the acme hooks directory if it does not exist + file: dest=/usr/lib/acme/hooks state=directory + tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ] + - name: Install a hook for letsencrypt template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555 - tags: [ 'postfix', 'postfix-relay' ] + tags: [ 'postfix', 'postfix-relay', 'postfix_letsencrypt', 'letsencrypt' ] diff --git a/library/roles/postfix/tasks/postfix-letsencrypt-hook.yml b/library/roles/postfix/tasks/postfix-letsencrypt-hook.yml index 5d67e52b..202a0b3a 100644 --- a/library/roles/postfix/tasks/postfix-letsencrypt-hook.yml +++ b/library/roles/postfix/tasks/postfix-letsencrypt-hook.yml 
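Review bot: The postfix-relay hook keeps `mode=4555`, a setuid bit on a root-owned script under /usr/lib/acme/hooks, while the postfix role in the same commit corrects the identical hook to `mode=0555`; Linux ignores setuid on interpreted scripts, so the bit changes nothing at runtime but will be flagged by file-integrity and setuid audits. Change it to `mode=0555` here as well, and give the new directory task explicit ownership and permissions, `file: dest=/usr/lib/acme/hooks state=directory owner=root group=root mode=0755`, so the hook location is not left to the controller's umask.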
@@ -1,8 +1,18 @@ --- -- name: Create the acme hooks directory if it does not exist - file: dest=/usr/lib/acme/hooks/postfix state=directory - tags: [ 'postfix', 'postfix-relay', 'letsencrypt' ] +- name: Manage the letsencrypt hook for postfix + block: + - name: Create the acme hooks directory if it does not exist + file: dest=/usr/lib/acme/hooks state=directory -- name: Install a hook for letsencrypt - template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=4555 - tags: [ 'postfix', 'postfix-relay', 'letsencrypt' ] + - name: In the past we created a directory instead of a file. Check if it's the case + stat: path=/usr/lib/acme/hooks/postfix + register: postfix_hookdir + + - name: Remove the wrong directory if it's present + file: dest=/usr/lib/acme/hooks/postfix state=absent + when: postfix_hookdir.stat.isdir is defined and postfix_hookdir.stat.isdir + + - name: Install a hook for letsencrypt + template: src=postfix-letsencrypt-hook dest=/usr/lib/acme/hooks/postfix owner=root group=root mode=0555 + + tags: [ 'postfix', 'postfix_letsencrypt', 'letsencrypt' ] diff --git a/library/roles/postfix/tasks/smtp-sasl-auth.yml b/library/roles/postfix/tasks/smtp-sasl-auth.yml index bc4f2a2e..62a806e9 100644 --- a/library/roles/postfix/tasks/smtp-sasl-auth.yml +++ b/library/roles/postfix/tasks/smtp-sasl-auth.yml @@ -1,7 +1,7 @@ --- - name: Write sasl hash file template: src=sasl_passwd.j2 dest=/etc/postfix/sasl_passwd owner=root group=root mode=0400 - when: postfix_use_sasl_auth + when: postfix_use_sasl_auth | bool register: update_sasl_hash tags: postfix-relay From 172373fb5c628b35dc74c30ff53acca3ec264f85 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Feb 2020 18:34:48 +0100 Subject: [PATCH 12/26] Fix some conditionals so that we can skip nagios. --- library/bootstrap-roles/deb-ubuntu-common/meta/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml index 053a8f7f..a99ad2cf 100644 --- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml +++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml @@ -8,6 +8,6 @@ dependencies: - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks } - role: '../../library/roles/sshd_config' - { role: '../library/roles/letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install } - - { role: '../../library/roles/nagios', when: nagios_enabled is defined } - - { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled } + - { role: '../../library/roles/nagios', when: nagios_enabled is defined and nagios_enabled } + - { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled } From 1060ef930099cdedae7c5ba1886a0910537a36d0 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Feb 2020 19:35:27 +0100 Subject: [PATCH 13/26] Fix the path of the php-fpm pid, it is now used by the systemd unit. --- library/roles/php-fpm/templates/php-fpm.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/roles/php-fpm/templates/php-fpm.conf.j2 b/library/roles/php-fpm/templates/php-fpm.conf.j2 index dfb2c2af..692d3542 100644 --- a/library/roles/php-fpm/templates/php-fpm.conf.j2 +++ b/library/roles/php-fpm/templates/php-fpm.conf.j2 @@ -17,7 +17,7 @@ [global] ; Pid file ; Default Value: none -pid = /var/run/php5-fpm.pid +pid = /run/php/php{{ php_version }}-fpm.pid ; Error log file ; If it's set to "syslog", log is sent to syslogd instead of being written From 98dc9c2960758c6a8124709ac1ca0222f60ecbc1 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 11:42:05 +0100 Subject: [PATCH 14/26] Keepalived: restart the service if the floating IPs disappear on Ubuntu 18.04. --- library/roles/keepalived/tasks/main.yml | 24 ++++++++++++------- .../keepalived/templates/keepalived.conf.j2 | 13 +++++++--- .../keepalived_check_service_status.sh.j2 | 16 ++++++++++++- 3 files changed, 40 insertions(+), 13 deletions(-) diff --git a/library/roles/keepalived/tasks/main.yml b/library/roles/keepalived/tasks/main.yml index b011fe69..da47b165 100644 --- a/library/roles/keepalived/tasks/main.yml +++ b/library/roles/keepalived/tasks/main.yml @@ -10,6 +10,12 @@ - name: Install the user that the keepalived scripts will run under user: name={{ keepalived_script_username }} home={{ keepalived_script_user_home }} createhome=no shell=/usr/sbin/nologin system=yes + tags: keepalived + when: + - keepalived_install | bool + - ansible_distribution_file_variety == "Debian" + +- block: - name: Create the keepalive script user directory file: dest={{ keepalived_script_user_home }} state=directory owner={{ keepalived_script_username }} group={{ keepalived_script_username }} mode=0750 @@ -33,7 +39,7 @@ sysctl_set: yes sysctl_file: /etc/sysctl.d/90-keepalived value: 1 - when: keepalived_non_local_bind + when: keepalived_non_local_bind | bool - name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed sysctl: 
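Review bot: The task that creates `{{ keepalived_script_username }}` is now restricted to `ansible_distribution_file_variety == "Debian"`, but nothing in this hunk stops the configuration from referencing that user on other distributions (the template in this same commit still emits `script_user {{ keepalived_script_username }}` outside the Ubuntu 18 case), so on a RedHat host the account would be missing unless another task creates it, and keepalived is unlikely to run check scripts as an unknown user. If RedHat hosts obtain the user elsewhere, add a comment naming that task above the `when:`; otherwise drop the distribution condition. The new `- block:` that follows starts here and ends in the next hunk.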
@@ -43,18 +49,18 @@ sysctl_set: yes sysctl_file: /etc/sysctl.d/90-keepalived value: 1 - when: not keepalived_non_local_bind + when: not keepalived_non_local_bind | bool - name: Ensure that keepalived is started and enabled service: name=keepalived state=started enabled=yes - when: keepalived_enabled + when: keepalived_enabled | bool - name: Ensure that keepalived is stopped and disabled service: name=keepalived state=stopped enabled=no - when: not keepalived_enabled + when: not keepalived_enabled | bool - tags: keepalived - when: keepalived_install + tags: [ 'keepalived', 'keepalived_conf' ] + when: keepalived_install | bool - block: - name: Install the keepalived NRPE nagios check @@ -67,8 +73,8 @@ tags: keepalived when: - - keepalived_install - - keepalived_nagios_check + - keepalived_install | bool + - keepalived_nagios_check | bool - block: - name: Remove the keepalived package if we do not want it @@ -86,5 +92,5 @@ file: dest={{ nrpe_include_dir }}/keepalived-nrpe.cfg state=absent tags: keepalived - when: not keepalived_install + when: not keepalived_install | bool diff --git a/library/roles/keepalived/templates/keepalived.conf.j2 b/library/roles/keepalived/templates/keepalived.conf.j2 index 4e8f85e1..1a1dcb1a 100644 --- a/library/roles/keepalived/templates/keepalived.conf.j2 +++ b/library/roles/keepalived/templates/keepalived.conf.j2 @@ -1,10 +1,13 @@ global_defs { - {% if keepalived_enable_script_security %} +{% if keepalived_enable_script_security %} enable_script_security +{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %} + script_user root +{% else %} script_user {{ keepalived_script_username }} - - {% endif %} +{% endif %} +{% endif %} } {% for script in keepalived_scripts %} 
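Review bot: On Ubuntu 18.04 the template sets `script_user root` under `enable_script_security`, so every `vrrp_script` check and notify script runs as root on that platform, undoing the least-privilege setup the role otherwise applies through `{{ keepalived_script_username }}`. The check script added in the same commit needs root only for `systemctl restart keepalived`; a sudoers entry limited to that one command for the script user keeps everything else unprivileged. If root is unavoidable there, add a comment above the line recording why, e.g. `# 18.04 only: the check script restarts keepalived when the VIPs disappear`, so the exception is not carried forward silently. The condition `ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18'` matches any Debian-family release 18, not specifically Ubuntu; `ansible_distribution == "Ubuntu"` would be precise.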
@@ -22,9 +25,13 @@ vrrp_script {{ script.name }} { vrrp_instance {{ instance.name }} { interface {{ instance.interface }} {% if instance.state is defined %} + {% if instance.nopreempt is defined and instance.nopreempt %} + state BACKUP + {% else %} state {{ instance.state }} + {% endif %} {% endif %} virtual_router_id {{ instance.vrouter_id }} priority {{ instance.priority }} diff --git a/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 b/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 index 5f8bba67..1955f423 100644 --- a/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 +++ b/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 @@ -1,4 +1,18 @@ -!#/bin/bash +#!/bin/bash +{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %} +am_i_master=$( grep MASTER /var/lib/keepalived/keepalive.state ) +keepalive_master=$? + +if [ $keepalive_master -eq 0 ] ; then +{% for instance in keepalived_instances %} +{% for addr in instance.v_addr %} + float_ip=$( ip addr show | grep {{ addr }} ) + retval=$? + [ $retval -eq 1 ] && /bin/systemctl restart keepalived +{% endfor %} +{% endfor %} +fi +{% endif %} {{ keepalived_script1_check }} From 6cbaef0857ac573a994cd54f33d8b3bc5712e52b Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 16:00:42 +0100 Subject: [PATCH 15/26] tomcat javamelody: maven wants https now. --- library/roles/tomcat/defaults/main.yml | 2 ++ library/roles/tomcat/tasks/tomcat-pkgs.yml | 18 +++++++++--------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/library/roles/tomcat/defaults/main.yml b/library/roles/tomcat/defaults/main.yml index 22cc1f00..ef784eb1 100644 --- a/library/roles/tomcat/defaults/main.yml +++ b/library/roles/tomcat/defaults/main.yml 
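Review bot: `ip addr show | grep {{ addr }}` is an unanchored substring match, so a VIP such as `10.0.0.1` is satisfied by `10.0.0.10` or `10.0.0.100` on the same box and the restart never fires when it should. Use an exact query, `ip -o addr show to {{ addr }}/32 | grep -q .`, or at least `grep -qw 'inet {{ addr }}/'`. The script also greps `/var/lib/keepalived/keepalive.state` without checking the file exists, and restarting the daemon from inside a health check is a strong side effect worth a syslog line for later forensics (`logger -t keepalived-check "VIP {{ addr }} missing, restarting keepalived"`). Since the final `{{ keepalived_script1_check }}` supplies the script's exit status, a comment stating that the restart branch does not affect the VRRP check result would help.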
@@ -77,6 +77,8 @@ tomcat_jmx_localhost_only: False # Metrics monitoring via javamelody tomcat_javamelody: True +#tomcat_javamelody_version: latest +tomcat_javamelody_version: 1.79.0 # tomcat logging tomcat_logdir: '/var/log/tomcat{{ tomcat_version }}' diff --git a/library/roles/tomcat/tasks/tomcat-pkgs.yml b/library/roles/tomcat/tasks/tomcat-pkgs.yml index e5203d1c..e7922dbc 100644 --- a/library/roles/tomcat/tasks/tomcat-pkgs.yml +++ b/library/roles/tomcat/tasks/tomcat-pkgs.yml @@ -43,13 +43,13 @@ - name: Configure tomcat defaults template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }} - when: tomcat_install_default_conf + when: tomcat_install_default_conf | bool notify: tomcat restart tags: [ 'tomcat', 'tomcat_default' ] - name: Configure tomcat server.xml template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml - when: tomcat_install_server_xml + when: tomcat_install_server_xml | bool notify: tomcat restart tags: [ 'tomcat', 'tomcat_serverxml' ] @@ -60,7 +60,7 @@ - name: Install a slightly modified catalina.properties copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644 - when: tomcat_install_default_conf + when: tomcat_install_default_conf | bool notify: tomcat restart tags: [ 'tomcat', 'tomcat_catalinaprops' ] 
@@ -80,13 +80,13 @@ tags: [ 'tomcat', 'tomcat_javamelody' ] - name: Install the javamelody dependency jar into the Java shared libs directory - maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root - when: tomcat_javamelody + maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2 + when: tomcat_javamelody | bool tags: [ 'tomcat', 'tomcat_javamelody' ] - name: Install the javamelody-core jar into the Java shared libs directory - maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root - when: tomcat_javamelody + maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2 + when: tomcat_javamelody | bool tags: [ 'tomcat', 'tomcat_javamelody' ] - name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled @@ -94,7 +94,7 @@ with_items: - javamelody-core.jar - jrobin.jar - when: tomcat_javamelody + when: tomcat_javamelody | bool tags: [ 'tomcat', 'tomcat_javamelody' ] - name: Remove the javamelody jar and its dependencies if the javamelody support is disabled @@ -102,5 +102,5 @@ with_items: - javamelody-core.jar - jrobin.jar - when: not tomcat_javamelody + when: not tomcat_javamelody | bool tags: [ 'tomcat', 'tomcat_javamelody' ] From 68ba0933f050cc50db8f41efa2783e50b62f38a3 Mon Sep 17 00:00:00 2001 
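Review bot: The jrobin artifact is still fetched with `version=latest`, so each run can pull whatever is newest on Maven Central, and `verify_checksum=always` only confirms that the download matches the checksum published by the same repository, not that it is the version anyone reviewed. Pin it the way javamelody-core is pinned, e.g. `version={{ tomcat_jrobin_version }}` with a matching default in defaults/main.yml, so upgrades are deliberate and the role is reproducible. The switch to an explicit https `repository_url` is the right change for the rest of the hunk.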
From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 16:01:58 +0100 Subject: [PATCH 16/26] thredds: support the configuration of a google analytics id. --- library/roles/thredds/defaults/main.yml | 3 +++ library/roles/thredds/tasks/main.yml | 12 ++++++++++-- library/roles/thredds/templates/threddsConfig.xml.j2 | 8 ++++---- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/library/roles/thredds/defaults/main.yml b/library/roles/thredds/defaults/main.yml index f4a7e818..cbc59172 100644 --- a/library/roles/thredds/defaults/main.yml +++ b/library/roles/thredds/defaults/main.yml @@ -20,3 +20,6 @@ thredds_host_institution_name: 'ORG' thredds_host_institution_web: '' thredds_force_ssl_for_user_data: False thredds_palettes_customisation: False +thredds_abstract: 'Scientific Data' +thredds_contact_name: 'Support' +thredds_google_analytics_key: '' \ No newline at end of file diff --git a/library/roles/thredds/tasks/main.yml b/library/roles/thredds/tasks/main.yml index 96cee4fc..d13ba15e 100644 --- a/library/roles/thredds/tasks/main.yml +++ b/library/roles/thredds/tasks/main.yml 
@@ -22,15 +22,23 @@ register: thredds_skip_conf tags: [ 'thredds', 'tomcat', 'thredds_conf' ] - - name: Install the Thredds data configuration files + - name: Install the Thredds data configuration files -only at initialization- template: src={{ item[1] }}.j2 dest={{ thredds_data_content_dir }}/thredds/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=644 with_nested: - '{{ tomcat_m_instances }}' - - [ 'threddsConfig.xml', 'catalog.xml', 'wmsConfig.xml' ] + - ['catalog.xml', 'wmsConfig.xml' ] notify: tomcat instances restart when: not thredds_skip_conf.stat.exists tags: [ 'thredds', 'tomcat', 'thredds_conf' ] + - name: Install-update the Thredds data configuration files + template: src={{ item[1] }}.j2 dest={{ thredds_data_content_dir }}/thredds/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=644 + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'threddsConfig.xml'] + notify: tomcat instances restart + tags: [ 'thredds', 'tomcat', 'thredds_conf' ] + - name: Create the file that states that the thredds instance has been configured copy: content="initialized by ansible" dest={{ thredds_data_content_dir }}/thredds/.conf_initialized mode=0400 register: thredds_skip_conf diff --git a/library/roles/thredds/templates/threddsConfig.xml.j2 b/library/roles/thredds/templates/threddsConfig.xml.j2 index 5e282fec..79e14745 100644 --- a/library/roles/thredds/templates/threddsConfig.xml.j2 +++ b/library/roles/thredds/templates/threddsConfig.xml.j2 @@ -6,13 +6,13 @@ {{ thredds_server_name }} {{ thredds_logo_url }} - {{ thredds_server_name }} + {{ thredds_logo_alt_text }} - Scientific Data + {{ thredds_abstract }} meteorology, atmosphere, climate, ocean, earth science - Support + {{ thredds_contact_name}} {{ thredds_organization }} {{ thredds_email }} @@ -55,7 +55,7 @@ * webpages associated with THREDDS. This will not track WMS or DAP * requests for data, only browsing the catalog. --> - + {{ thredds_google_analytics_key }} 
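Review bot: The new Install-update task copies the `mode=644` of the task above it; in key=value form Ansible reads that string as octal, but `mode=0644` is the documented form and keeps the meaning if the task is ever converted to dict syntax, where a bare `644` becomes the integer 644. The list style also drifts within the hunk (`- [ 'threddsConfig.xml', 'catalog.xml', 'wmsConfig.xml' ]` becomes `- ['catalog.xml', 'wmsConfig.xml' ]` and `- [ 'threddsConfig.xml']`); pick one bracket-spacing style. A one-line comment on the new task saying why threddsConfig.xml is re-templated on every run while the other two are written only at initialization would save the next reader a trip to the commit log.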
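Review bot: The `@@ -6,13` hunk of threddsConfig.xml.j2 now renders `{{ thredds_logo_alt_text }}`, but the defaults hunk in this commit only adds `thredds_abstract`, `thredds_contact_name` and `thredds_google_analytics_key`; unless `thredds_logo_alt_text` is defined somewhere outside the hunks, templating fails on an undefined variable. Adding `thredds_logo_alt_text: '{{ thredds_server_name }}'` to defaults/main.yml keeps the previous output as the fallback. Minor style: `{{ thredds_contact_name}}` is missing the space before `}}`.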
From f0c5a54f9d627f2f270e66a389e0b2aa55e956d3 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 17:25:58 +0100 Subject: [PATCH 17/26] elasticsearch: support versions >= 6 --- library/roles/ELK/elasticsearch/defaults/main.yml | 3 +++ library/roles/ELK/elasticsearch/tasks/elasticsearch.yml | 4 +--- .../roles/ELK/elasticsearch/templates/elasticsearch.yml.j2 | 7 ++++++- library/roles/ELK/elasticsearch/templates/jvm.options.j2 | 2 ++ 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/library/roles/ELK/elasticsearch/defaults/main.yml b/library/roles/ELK/elasticsearch/defaults/main.yml index 79f7923e..5ac05201 100644 --- a/library/roles/ELK/elasticsearch/defaults/main.yml +++ b/library/roles/ELK/elasticsearch/defaults/main.yml @@ -31,6 +31,9 @@ elasticsearch_define_heap_size: False elasticsearch_heap_size: 2g elasticsearch_additional_java_opts: '-server -Djava.awt.headless=true -Dfile.encoding=UTF-8' elasticsearch_max_open_files: 65536 +elasticsearch_cluster_routing_allocation_disk_threshold_enabled: 'true' +elasticsearch_cluster_routing_allocation_disk_watermark_low: '85%' +elasticsearch_cluster_routing_allocation_disk_watermark_high: '90%' # Compatibility with kernels <= 3.5. Set to False if you are using a newer kernel elasticsearch_disable_bootstrap_syscall_filter: True diff --git a/library/roles/ELK/elasticsearch/tasks/elasticsearch.yml b/library/roles/ELK/elasticsearch/tasks/elasticsearch.yml index ae9d0742..d59c5fbd 100644 --- a/library/roles/ELK/elasticsearch/tasks/elasticsearch.yml +++ b/library/roles/ELK/elasticsearch/tasks/elasticsearch.yml 
@@ -7,8 +7,7 @@ apt_repository: repo='{{ elasticsearch_repo }}' state=present update_cache=yes - name: Install the elasticsearch deb packages - apt: name='{{ item }}' state={{ elasticsearch_package_state }} update_cache=yes cache_valid_time=1800 - with_items: '{{ elasticsearch_packages }}' + apt: name='{{ elasticsearch_packages }}' state={{ elasticsearch_package_state }} update_cache=yes cache_valid_time=1800 - name: Install the elasticsearch startup default template: src=elasticsearch-default.j2 dest=/etc/default/elasticsearch owner=root group=elasticsearch mode=0640 @@ -24,5 +23,4 @@ notify: Restart elasticsearch tags: [ 'ELK', 'elasticsearch', 'elk', 'elasticsearch_conf' ] - tags: [ 'ELK', 'elasticsearch', 'elk' ] diff --git a/library/roles/ELK/elasticsearch/templates/elasticsearch.yml.j2 b/library/roles/ELK/elasticsearch/templates/elasticsearch.yml.j2 index 35444a54..99c7b03e 100644 --- a/library/roles/ELK/elasticsearch/templates/elasticsearch.yml.j2 +++ b/library/roles/ELK/elasticsearch/templates/elasticsearch.yml.j2 @@ -24,7 +24,7 @@ node.name: {{ ansible_fqdn }} {% if elasticsearch_major_version >= 7 %} cluster.initial_master_nodes: -{% for n in elasticsearch_bootstrap_known_masters 5} +{% for n in elasticsearch_bootstrap_known_masters %} - {{ n }} {% endfor %} {% endif %} @@ -106,6 +106,11 @@ node.max_local_storage_nodes: {{ elasticsearch_max_local_storage_nodes }} # action.destructive_requires_name: {{ elasticsearch_destructive_requires_name }} +# +cluster.routing.allocation.disk.threshold_enabled: {{ elasticsearch_cluster_routing_allocation_disk_threshold_enabled }} +cluster.routing.allocation.disk.watermark.low: {{ elasticsearch_cluster_routing_allocation_disk_watermark_low }} +cluster.routing.allocation.disk.watermark.high: {{ elasticsearch_cluster_routing_allocation_disk_watermark_high }} + {% if elasticsearch_disable_bootstrap_syscall_filter %} # When using an old kernel bootstrap.system_call_filter: false 
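Review bot: The bare `#` line added above `cluster.routing.allocation.disk.threshold_enabled` in elasticsearch.yml.j2 is an empty comment; make it say what the stanza does, e.g. `# Disk-based shard allocation: stop allocating new shards at the low watermark, move shards away at the high one`. The three defaults are quoted strings ('true', '85%', '90%') so they render as the plain tokens Elasticsearch expects; a short comment in defaults/main.yml noting that they are deliberately strings would stop someone "fixing" them later.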
diff --git a/library/roles/ELK/elasticsearch/templates/jvm.options.j2 b/library/roles/ELK/elasticsearch/templates/jvm.options.j2 index 8caf4fbd..d71d715a 100644 --- a/library/roles/ELK/elasticsearch/templates/jvm.options.j2 +++ b/library/roles/ELK/elasticsearch/templates/jvm.options.j2 @@ -71,7 +71,9 @@ -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true +{% if elasticsearch_major_version >= 6 %} -Djava.io.tmpdir=${ES_TMPDIR} +{% endif %} ## heap dumps From 4878798502009b4df8c4640fb51b7461acf328c0 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:00:57 +0100 Subject: [PATCH 18/26] Always install python-lxml. --- library/roles/ubuntu-deb-general/defaults/main.yml | 2 -- library/roles/ubuntu-deb-general/tasks/packages.yml | 6 ------ 2 files changed, 8 deletions(-) diff --git a/library/roles/ubuntu-deb-general/defaults/main.yml b/library/roles/ubuntu-deb-general/defaults/main.yml index 15e539c4..edeb1e2f 100644 --- a/library/roles/ubuntu-deb-general/defaults/main.yml +++ b/library/roles/ubuntu-deb-general/defaults/main.yml @@ -34,8 +34,6 @@ common_packages: default_python_packages_trusty: - python-software-properties - - python-lxml - - python-boto default_python_packages: - python-lxml diff --git a/library/roles/ubuntu-deb-general/tasks/packages.yml b/library/roles/ubuntu-deb-general/tasks/packages.yml index 488a1b4a..ad434750 100644 --- a/library/roles/ubuntu-deb-general/tasks/packages.yml +++ b/library/roles/ubuntu-deb-general/tasks/packages.yml @@ -5,7 +5,6 @@ - name: Install the basic python packages apt: pkg={{ default_python_packages }} state=present update_cache=yes cache_valid_time=1800 - when: not is_trusty tags: packages - name: Install the basic python packages on trusty 
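Review bot: `{% if elasticsearch_major_version >= 6 %}` compares the variable with an int; if `elasticsearch_major_version` is ever supplied as a string (inventory and extra-vars values often are), Jinja2 on Python 3 raises a TypeError instead of rendering the file. `{% if elasticsearch_major_version | int >= 6 %}` is safe for both forms, and the same cast would help the existing `>= 7` test in elasticsearch.yml.j2.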
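Review bot: Dropping `- python-boto` from `default_python_packages_trusty` goes beyond what the commit title says; unless `default_python_packages` (whose remaining entries are outside the hunk) also lists python-boto, Trusty hosts stop getting that package on the next run. Either keep `- python-boto` in the trusty list or confirm it is present in the common list and say so in the commit message.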
@@ -13,11 +12,6 @@ when: is_trusty | bool tags: packages -- name: Install python-lxml on bionic - apt: pkg=python-lxml state=present update_cache=yes cache_valid_time=1800 - when: is_bionic | bool - tags: packages - - name: Install software-properties-common if needed apt: pkg=software-properties-common state=present update_cache=yes cache_valid_time=1800 when: is_ubuntu | bool From 2a188a11f4793f2fd8933dc39e9c23a66653e062 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:01:59 +0100 Subject: [PATCH 19/26] postgresql: use the fullchain file for pgpool too. --- library/roles/postgresql/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/roles/postgresql/defaults/main.yml b/library/roles/postgresql/defaults/main.yml index 44ab1490..5aac90b9 100644 --- a/library/roles/postgresql/defaults/main.yml +++ b/library/roles/postgresql/defaults/main.yml @@ -184,7 +184,7 @@ pgpool_enable_ssl: False pgpool_letsencrypt_managed: True pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' -pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain' +pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain' pgpool_ssl_ca_dir: /etc/ssl/certs pgpool_virtual_ip: 127.0.0.1 pgpool_virtual_netmask: 24 From 5f46719ad85b746f38c833124f6ac5a0cf5598fa Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:04:39 +0100 Subject: [PATCH 20/26] Do not fail if a plugin do not install. --- library/roles/jenkins/common/tasks/main.yml | 2 ++ library/roles/jenkins/master/tasks/jenkins_plugins.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/library/roles/jenkins/common/tasks/main.yml b/library/roles/jenkins/common/tasks/main.yml index 12434ca7..a046844b 100644 --- a/library/roles/jenkins/common/tasks/main.yml +++ b/library/roles/jenkins/common/tasks/main.yml 
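Review bot: `pgpool_ssl_ca` feeds pgpool's CA setting, which is a trust store used to verify the peer's certificate, whereas acmetool's `fullchain` is the server's own leaf certificate plus its issuers. If the goal is for clients to receive the complete chain, that belongs on the server certificate side, `pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'`, with `pgpool_ssl_ca` left on `chain` (issuers only); putting your own leaf into the trust store is harmless but misleading. Worth confirming against the pgpool version in use, since the parameter semantics moved between releases.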
@@ -18,6 +18,8 @@ user: name={{ jenkins_username }} generate_ssh_key=True delegate_to: '{{ item }}' with_items: '{{ groups.jenkins_master }}' + when: ansible_fqdn == '{{ jenkins_master_hostname }}' + run_once: True - name: Get the master ssh keys become: True diff --git a/library/roles/jenkins/master/tasks/jenkins_plugins.yml b/library/roles/jenkins/master/tasks/jenkins_plugins.yml index 79dd3e32..045585e1 100644 --- a/library/roles/jenkins/master/tasks/jenkins_plugins.yml +++ b/library/roles/jenkins/master/tasks/jenkins_plugins.yml @@ -35,12 +35,14 @@ when: item.version is not defined with_items: '{{ jenkins_plugins }}' notify: Restart jenkins + ignore_errors: True - name: Install plugins with a specific version jenkins_plugin: name="{{ item.name }}" state={{ item.state | default('latest') }} version='{{ item.version }}' url={{ jenkins_local_url }} url_username={{ jenkins_access_params.url_username }} url_password={{ jenkins_access_params.url_password }} when: item.version is defined with_items: '{{ jenkins_plugins }}' notify: Restart jenkins + ignore_errors: True become: True become_user: '{{ jenkins_username }}' From f78a20bab8865937660b7eaef3722ed21bbf1b25 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:14:09 +0100 Subject: [PATCH 21/26] New default version for rstudio. --- library/roles/rstudio-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/roles/rstudio-server/defaults/main.yml b/library/roles/rstudio-server/defaults/main.yml index c0ed8a9f..fa49f607 100644 --- a/library/roles/rstudio-server/defaults/main.yml +++ b/library/roles/rstudio-server/defaults/main.yml @@ -1,7 +1,7 @@ --- rstudio_install_server: False rstudio_enabled: True -rstudio_file: rstudio-server-1.0.143-amd64.deb +rstudio_file: rstudio-server-1.1.463-amd64.deb rstudio_download_url: 'https://download2.rstudio.org/{{ rstudio_file }}' rstudio_install_kill_script: True 
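Review bot: `when: ansible_fqdn == '{{ jenkins_master_hostname }}'` embeds Jinja braces inside a `when`, which Ansible warns about and which only works by accident; write `when: ansible_fqdn == jenkins_master_hostname`. Pairing it with `run_once: True` is also fragile: run_once evaluates the task on the first host of the batch only, so if that host is not the master the task is skipped for everyone. The loop over `groups.jenkins_master` with `delegate_to` already targets the master; either drop run_once and keep the loop, or drop the loop and delegate once to `jenkins_master_hostname`.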
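Review bot: `ignore_errors: True` on both plugin tasks turns a failed install into an "ignored" line, so a plugin that matters (an auth or audit plugin, say) can silently stay absent while the play goes green; `register: jenkins_plugin_result` plus a follow-up `debug`/`fail` that lists only `item.name` of the failed entries keeps the run going without hiding the outcome. Both tasks also pass `url_password={{ jenkins_access_params.url_password }}` as a module argument; unless the module marks that parameter no_log itself, the failure output that this change now lets through will include it, so add `no_log: True` to both tasks as the cheap guarantee.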
From bb88b7519adc4d6a779a0edf9a9b09dc081623bb Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:17:42 +0100 Subject: [PATCH 22/26] mongodb: manage the keyfile needed by a cluster configuration. --- library/roles/mongodb-org/defaults/main.yml | 1 + library/roles/mongodb-org/handlers/main.yml | 1 + library/roles/mongodb-org/tasks/main.yml | 1 + library/roles/mongodb-org/tasks/mongodb.yml | 16 ++++++++++++++-- 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/library/roles/mongodb-org/defaults/main.yml b/library/roles/mongodb-org/defaults/main.yml index 449b816c..b9607d51 100644 --- a/library/roles/mongodb-org/defaults/main.yml +++ b/library/roles/mongodb-org/defaults/main.yml @@ -86,3 +86,4 @@ mongodb_ganglia_auth_enabled: False mongodb_ganglia_db: admin mongodb_ganglia_auth_mechanism: MONGODB-CR # User and password are stored in the variables mongo_monitoring_u and mongo_monitoring_pwd + diff --git a/library/roles/mongodb-org/handlers/main.yml b/library/roles/mongodb-org/handlers/main.yml index 360d4b7a..aea1cbc6 100644 --- a/library/roles/mongodb-org/handlers/main.yml +++ b/library/roles/mongodb-org/handlers/main.yml @@ -5,5 +5,6 @@ - name: Restart mongodb service: name=mongodb state=restarted + ignore_errors: true when: "'{{ mongodb_start_server }}' == 'yes'" diff --git a/library/roles/mongodb-org/tasks/main.yml b/library/roles/mongodb-org/tasks/main.yml index cb357450..1d393b06 100644 --- a/library/roles/mongodb-org/tasks/main.yml +++ b/library/roles/mongodb-org/tasks/main.yml @@ -3,3 +3,4 @@ - import_tasks: mongodb-letsencrypt-acmetool.yml when: mongodb_ssl_letsencrypt_managed + diff --git a/library/roles/mongodb-org/tasks/mongodb.yml b/library/roles/mongodb-org/tasks/mongodb.yml index e217c52d..1df7f19d 100644 --- a/library/roles/mongodb-org/tasks/mongodb.yml +++ b/library/roles/mongodb-org/tasks/mongodb.yml 
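Review bot: `ignore_errors: true` on the Restart mongodb handler turns a failed restart — for instance a keyfile mongod cannot read, which this very commit introduces — into a green play with the database down. If the intent is only to tolerate the service not being installed yet, narrow it with a `failed_when` on that specific condition, or keep the failure visible and fix the task ordering instead.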
@@ -37,7 +37,7 @@ template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes when: mongodb_install_conf notify: Restart mongodb - tags: [ 'mongodb', 'mongodb_update_conf' ] + tags: [ 'mongodb', 'mongodb_update_conf', 'mongodb_keyfile' ] when: - mongodb_install_server @@ -75,7 +75,7 @@ - name: Install/Update the mongodb configuration template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongodb.conf owner=root group=root mode=0444 backup=yes when: mongodb_install_conf - notify: Restart mongodb + notify: Restart mongod tags: [ 'mongodb', 'mongodb_update_conf' ] when: @@ -100,6 +100,18 @@ when: mongodb_install_server tags: mongodb +- block: + - name: Create the mongodb conf directory + file: dest={{ mongodb_conf_path }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755 + + - name: Install the keyfile if it is a replica cluster + copy: src='vault-{{ mongodb_replicaset }}-keyfile' dest={{ mongodb_conf_path }}/{{ mongodb_keyfile_name }} owner=mongodb group=mongodb mode=0400 + notify: Restart mongod + + when: mongodb_cluster_enabled + tags: [ 'mongodb', 'mongodb_keyfile', 'mongodb_update_conf' ] + + - block: - name: Ensure mongodb is started and enabled service: name=mongodb state=started enabled=yes From 62539644e805b1869c84e8d608e251162a3b1808 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Feb 2020 18:19:18 +0100 Subject: [PATCH 23/26] solr as tomcat webapp: try to figure out the tomcat version. --- .../solr-tomcat-core-conf/defaults/main.yml | 1 - .../solr-tomcat-core-conf/tasks/main.yml | 22 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/library/roles/solr-tomcat-core-conf/defaults/main.yml b/library/roles/solr-tomcat-core-conf/defaults/main.yml index ca445377..11416223 100644 --- a/library/roles/solr-tomcat-core-conf/defaults/main.yml +++ b/library/roles/solr-tomcat-core-conf/defaults/main.yml 
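Review bot: The `@@ -75` hunk and the new keyfile block both `notify: Restart mongod`, but the handlers hunk in this commit only shows a `Restart mongodb` handler; unless `Restart mongod` is defined in the part of handlers/main.yml outside the hunk, Ansible aborts with "The requested handler 'Restart mongod' was not found". Either keep `notify: Restart mongodb` or add the handler. In the keyfile block the directory uses `owner={{ mongodb_user }} group={{ mongodb_group }}` while the keyfile hard-codes `owner=mongodb group=mongodb`; use the variables in both, and add `no_log: True` to the copy task so the key material does not show up in `--diff` output.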
@@ -1,7 +1,6 @@ --- solr_http_port: 8983 tomcat_load_additional_default_conf: True -tomcat_version: 7 # solr needs a lot of time to start if it needs to rebuild its indices tomcat_restart_timeout: 100000 diff --git a/library/roles/solr-tomcat-core-conf/tasks/main.yml b/library/roles/solr-tomcat-core-conf/tasks/main.yml index bc828ef5..ad720603 100644 --- a/library/roles/solr-tomcat-core-conf/tasks/main.yml +++ b/library/roles/solr-tomcat-core-conf/tasks/main.yml @@ -1,4 +1,26 @@ --- +- name: Set the tomcat version for ubuntu Trusy + set_fact: + tomcat_version: 7 + when: + - ansible_distribution_major_version <= '16' + - tomcat_fixed_version is not defined + tags: [ solr, tomcat, solr_core ] + +- name: Set the tomcat version for Ubuntu bionic + set_fact: + tomcat_version: 8 + when: + - ansible_distribution_major_version == '18' + - tomcat_fixed_version is not defined + tags: [ solr, tomcat, solr_core ] + +- name: Impose a tomcat version + set_fact: + tomcat_version: '{{ tomcat_fixed_version }}' + when: tomcat_fixed_version is defined + tags: [ solr, tomcat, solr_core ] + - block: - name: Create the solr cores data directories file: dest={{ solr_collections_base_dir }}/{{ item }} state=directory owner={{ solr_user }} group={{ solr_user }} From 47ce8bf05c85e25253f571f808ac758c8354e398 Mon Sep 17 00:00:00 2001 
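Review bot: `ansible_distribution_major_version <= '16'` is a string comparison, so it is true for '14' and '16' but also for Debian's '10' and '12', and false for '9' — not the Trusty/Xenial test the task name describes. Compare integers and name the distribution: `when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int <= 16 and tomcat_fixed_version is not defined`, and do the same for the bionic task. A host that matches neither branch is now left with `tomcat_version` undefined because the default was removed from defaults/main.yml; a final set_fact with a fallback, or restoring `tomcat_version: 7` as the default, closes that gap. "Trusy" in the first task name is a typo.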
From: Andrea Dell'Amico Date: Thu, 13 Feb 2020 14:14:04 +0100 Subject: [PATCH 24/26] simplesaml: fix a problem in the main configuration. It's now possible to enable/disable debug and error output. --- library/roles/simplesaml/defaults/main.yml | 5 +++++ library/roles/simplesaml/tasks/main.yml | 8 +++---- .../{authsources.php => authsources.php.j2} | 0 .../templates/{config.php => config.php.j2} | 21 ++++++++++--------- ...x-virthost.conf => nginx-virthost.conf.j2} | 0 ...dp-hosted.php => saml20-idp-hosted.php.j2} | 0 ...-sp-remote.php => saml20-sp-remote.php.j2} | 0 7 files changed, 20 insertions(+), 14 deletions(-) rename library/roles/simplesaml/templates/{authsources.php => authsources.php.j2} (100%) rename library/roles/simplesaml/templates/{config.php => config.php.j2} (98%) rename library/roles/simplesaml/templates/{nginx-virthost.conf => nginx-virthost.conf.j2} (100%) rename library/roles/simplesaml/templates/{saml20-idp-hosted.php => saml20-idp-hosted.php.j2} (100%) rename library/roles/simplesaml/templates/{saml20-sp-remote.php => saml20-sp-remote.php.j2} (100%) diff --git a/library/roles/simplesaml/defaults/main.yml b/library/roles/simplesaml/defaults/main.yml index 35679772..c50d1a06 100644 --- a/library/roles/simplesaml/defaults/main.yml +++ b/library/roles/simplesaml/defaults/main.yml @@ -24,6 +24,11 @@ simplesaml_protectindexpage: 'true' simplesaml_protectmetadata: 'false' # ERR, WARNING, NOTICE, INFO, DEBUG simplesaml_loglevel: NOTICE +simplesaml_debug_saml: 'false' +simplesaml_debug_backtraces: 'true' +simplesaml_debug_validatexml: 'false' +simplesaml_php_show_errors: 'false' +simplesaml_error_reporting: 'false' # Change this one when we are setting up a cluster of simplesaml servers simplesaml_create_self_signed_cert_host: '{{ ansible_fqdn }}' diff --git a/library/roles/simplesaml/tasks/main.yml b/library/roles/simplesaml/tasks/main.yml index 09555a24..d3294a0d 100644 --- a/library/roles/simplesaml/tasks/main.yml 
+++ b/library/roles/simplesaml/tasks/main.yml @@ -63,19 +63,19 @@ tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ] - name: Install the simplesaml config files - template: src={{ item }}.php dest={{ simplesaml_install_dir }}/config/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 + template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/config/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 with_items: - config - authsources tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ] - name: Install some metadata files - template: src={{ item }}.php dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 + template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 with_items: - saml20-idp-hosted - name: Install some metadata files - template: src={{ item }}.php dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 + template: src={{ item }}.php.j2 dest={{ simplesaml_install_dir }}/metadata/{{ item }}.php owner=root group={{ simplesaml_user }} mode=0640 with_items: - saml20-sp-remote when: simplesaml_global_sp_remote_template @@ -109,7 +109,7 @@ - block: - name: Install the nginx virtualhosts - template: src=nginx-virthost.conf dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444 + template: src=nginx-virthost.conf.j2 dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444 with_items: '{{ phpfpm_pools }}' notify: Reload nginx diff --git a/library/roles/simplesaml/templates/authsources.php b/library/roles/simplesaml/templates/authsources.php.j2 similarity index 100% rename from library/roles/simplesaml/templates/authsources.php rename to library/roles/simplesaml/templates/authsources.php.j2 
diff --git a/library/roles/simplesaml/templates/config.php b/library/roles/simplesaml/templates/config.php.j2 similarity index 98% rename from library/roles/simplesaml/templates/config.php rename to library/roles/simplesaml/templates/config.php.j2 index 0ea3c269..439c120c 100644 --- a/library/roles/simplesaml/templates/config.php +++ b/library/roles/simplesaml/templates/config.php.j2 @@ -66,7 +66,7 @@ $config = [ * root directory. */ {% endraw %} - 'certdir' => '{{ simplesaml_cert_dir }}', + 'certdir' => '{{ simplesaml_cert_dir }}', 'loggingdir' => '{{ simplesaml_log_dir }}', 'datadir' => '{{ simplesaml_data_dir }}', 'tempdir' => '{{ simplesaml_tmp_dir }}', @@ -96,8 +96,6 @@ $config = [ */ 'timezone' => null, - - /********************************** | SECURITY CONFIGURATION OPTIONS | **********************************/ @@ -231,10 +229,11 @@ $config = [ * If you want to disable debugging completely, unset this option or set it to an * empty array. */ +{% endraw %} 'debug' => [ - 'saml' => false, - 'backtraces' => true, - 'validatexml' => false, + 'saml' => {{ simplesaml_debug_saml}}, + 'backtraces' => {{ simplesaml_debug_backtraces }}, + 'validatexml' => {{ simplesaml_debug_validatexml }}, ], /* @@ -244,9 +243,9 @@ $config = [ * When 'errorreporting' is enabled, a form will be presented for the user to report * the error to 'technicalcontact_email'. */ - 'showerrors' => true, - 'errorreporting' => true, - + 'showerrors' => {{ simplesaml_php_show_errors }}, + 'errorreporting' => {{ simplesaml_error_reporting }}, +{% raw %} /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.txt for function code example. @@ -730,7 +729,9 @@ $config = [ 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', ], 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'], +{% endraw %} 'language.default' => '{{ simplesaml_language_default }}', +{% raw %} /* * Options to override the default settings for the language parameter 
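Review bot: In the `@@ -231` hunk `{{ simplesaml_debug_saml}}` and the other booleans are rendered as bare PHP tokens, which works only because the defaults are the strings 'true'/'false'; a caller who sets `simplesaml_debug_saml: false` as a YAML boolean gets `False` (accepted by PHP by accident) and an empty value produces a parse error in config.php. `{{ simplesaml_debug_saml | lower }}` renders `true`/`false` for both forms, and the missing space before `}}` should be fixed while there. The same applies to `showerrors` and `errorreporting` in the `@@ -244` hunk.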
@@ -1112,7 +1113,7 @@ $config = [ * The hostname and port of the Redis datastore instance. */ {% endraw %} - 'store.redis.host' => '{{ simplesaml_redis_host }}', + 'store.redis.host' => '{{ simplesaml_redis_host }}', 'store.redis.port' => 6379, {% raw %} diff --git a/library/roles/simplesaml/templates/nginx-virthost.conf b/library/roles/simplesaml/templates/nginx-virthost.conf.j2 similarity index 100% rename from library/roles/simplesaml/templates/nginx-virthost.conf rename to library/roles/simplesaml/templates/nginx-virthost.conf.j2 diff --git a/library/roles/simplesaml/templates/saml20-idp-hosted.php b/library/roles/simplesaml/templates/saml20-idp-hosted.php.j2 similarity index 100% rename from library/roles/simplesaml/templates/saml20-idp-hosted.php rename to library/roles/simplesaml/templates/saml20-idp-hosted.php.j2 diff --git a/library/roles/simplesaml/templates/saml20-sp-remote.php b/library/roles/simplesaml/templates/saml20-sp-remote.php.j2 similarity index 100% rename from library/roles/simplesaml/templates/saml20-sp-remote.php rename to library/roles/simplesaml/templates/saml20-sp-remote.php.j2 From a5c523bb4c3cd643d6e23f363f57cc3d1adb4f83 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 14 Feb 2020 18:39:00 +0100 Subject: [PATCH 25/26] keepalived: put the state file under /run/keepalived and instruct systemd to create the directory. --- library/roles/keepalived/defaults/main.yml | 15 ++++++++++----- library/roles/keepalived/tasks/main.yml | 10 +++++++--- .../keepalived_check_service_status.sh.j2 | 2 +- .../keepalived/templates/keepalived_notify.sh.j2 | 2 +- .../templates/tmpfile_keepalived.conf.j2 | 1 + 5 files changed, 20 insertions(+), 10 deletions(-) create mode 100644 library/roles/keepalived/templates/tmpfile_keepalived.conf.j2 diff --git a/library/roles/keepalived/defaults/main.yml b/library/roles/keepalived/defaults/main.yml index e0a286d7..bdcd8aa4 100644 --- a/library/roles/keepalived/defaults/main.yml 
+++ b/library/roles/keepalived/defaults/main.yml @@ -21,6 +21,9 @@ keepalived_script1_name: keepalived_check_service_status # We set haproxy as the default because most of our keepalived use is haproxy related keepalived_service_to_check: 'haproxy' keepalived_script1_check: '/bin/pidof {{ keepalived_service_to_check }}' +keepalived_instance1_name: 'VRRP_1' +keepalived_interface1_name: '{{ ansible_default_ipv4.interface }}' +keepalived_initial_state: 'MASTER' keepalived_inst_priority: 100 keepalived_vrouter_id: 51 keepalived_non_local_bind: True @@ -28,6 +31,7 @@ keepalived_non_local_bind: True keepalived_enable_script_security: True keepalived_script_username: keepalived_script keepalived_script_user_home: '/var/lib/keepalived' +keepalived_runtime_dir: /run/keepalived keepalived_nagios_check: False keepalived_notify_script: /usr/local/bin/keepalived_notify @@ -43,15 +47,16 @@ keepalived_scripts: weight: 2 keepalived_instances: - - name: VI_1 - interface: eth0 - state: MASTER + - name: '{{ keepalived_instance1_name }}' + interface: '{{ keepalived_interface1_name }}' + state: '{{ keepalived_initial_state }}' vrouter_id: '{{ keepalived_vrouter_id }}' notify: '{{ keepalived_notify_script }}' priority: '{{ keepalived_inst_priority }}' + nopreempt: True v_addr: - '{{ keepalived_floating_ip1 }}' track_script: - '{{ keepalived_script1_name }}' - #track_interface: - # - eth0 + track_interface: + - '{{ keepalived_interface1_name }}' diff --git a/library/roles/keepalived/tasks/main.yml b/library/roles/keepalived/tasks/main.yml index da47b165..87e928bb 100644 --- a/library/roles/keepalived/tasks/main.yml +++ b/library/roles/keepalived/tasks/main.yml 
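Review bot: With `nopreempt: True` now the default instance setting, `keepalived_initial_state: 'MASTER'` is dead configuration on the default path, because the template (patched earlier in this series) forces BACKUP whenever nopreempt is set, and a user who changes it to MASTER expecting an effect gets none. A comment above it such as `# Ignored while nopreempt is True: keepalived requires all nopreempt instances to start as BACKUP` makes that explicit. The new `track_interface` entry is a behaviour change (interface down now triggers failover), which deserves a line in the commit message.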
@@ -7,18 +7,22 @@ - name: Install the keepalived package apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800 - - name: Install the user that the keepalived scripts will run under - user: name={{ keepalived_script_username }} home={{ keepalived_script_user_home }} createhome=no shell=/usr/sbin/nologin system=yes - tags: keepalived when: - keepalived_install | bool - ansible_distribution_file_variety == "Debian" - block: + - name: Install the user that the keepalived scripts will run under + user: name={{ keepalived_script_username }} home={{ keepalived_script_user_home }} createhome=no shell=/usr/sbin/nologin system=yes + - name: Create the keepalive script user directory file: dest={{ keepalived_script_user_home }} state=directory owner={{ keepalived_script_username }} group={{ keepalived_script_username }} mode=0750 + - name: Create the tmpfile entry for the keepalived runtime directory + template: src=tmpfile_keepalived.conf.j2 dest=/usr/lib/tmpfiles.d/keepalived.conf owner=root group=root mode=0644 + when: ansible_service_mgr == 'systemd' + - name: Install the keepalived configuration template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600 notify: restart keepalived diff --git a/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 b/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 index 1955f423..6ed36e5d 100644 --- a/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 +++ b/library/roles/keepalived/templates/keepalived_check_service_status.sh.j2 @@ -1,6 +1,6 @@ #!/bin/bash {% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %} -am_i_master=$( grep MASTER /var/lib/keepalived/keepalive.state ) +am_i_master=$( grep MASTER {{ keepalived_runtime_dir }}/keepalive.state ) keepalive_master=$? if [ $keepalive_master -eq 0 ] ; then 
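Review bot: The tmpfiles entry is installed as `/usr/lib/tmpfiles.d/keepalived.conf`, the vendor directory; a keepalived package that ships a file of that name would be clobbered by this task or overwrite it on upgrade. Local configuration belongs in `/etc/tmpfiles.d/keepalived.conf`, which also takes precedence over the vendor file. Writing the entry does not create the directory until the next boot, so the notify and check scripts that now write `{{ keepalived_runtime_dir }}/keepalive.state` fail on a freshly configured host; follow the template task with `command: systemd-tmpfiles --create /etc/tmpfiles.d/keepalived.conf` guarded by the template's `changed` result, or add a `file: state=directory` task for the same path.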
diff --git a/library/roles/keepalived/templates/keepalived_notify.sh.j2 b/library/roles/keepalived/templates/keepalived_notify.sh.j2 index 6654c17f..531ad0db 100644 --- a/library/roles/keepalived/templates/keepalived_notify.sh.j2 +++ b/library/roles/keepalived/templates/keepalived_notify.sh.j2 @@ -13,7 +13,7 @@ RETVAL=0 {{ keepalived_notify_extra_params }} {% endif %} -echo "$TYPE $NAME is in $STATE state" > {{ keepalived_script_user_home }}/keepalive.state +echo "$TYPE $NAME is in $STATE state" > {{ keepalived_runtime_dir }}/keepalive.state exit $RETVAL diff --git a/library/roles/keepalived/templates/tmpfile_keepalived.conf.j2 b/library/roles/keepalived/templates/tmpfile_keepalived.conf.j2 new file mode 100644 index 00000000..c6666b18 --- /dev/null +++ b/library/roles/keepalived/templates/tmpfile_keepalived.conf.j2 @@ -0,0 +1 @@ +d {{ keepalived_runtime_dir }} 0775 {{ keepalived_script_username }} {{ keepalived_script_username }} From 973faadfe2056855609af0b2a52f17cd9ce6cd34 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 17 Feb 2020 12:40:46 +0100 Subject: [PATCH 26/26] tomcat: add tags so that we set tomcat_version when we use tomcat_conf or tomcat_javamelody. --- .../tomcat-multiple-instances/tasks/main.yml | 70 ++++++++----------- library/roles/tomcat/tasks/tomcat-pkgs.yml | 23 +++--- 2 files changed, 44 insertions(+), 49 deletions(-) diff --git a/library/roles/tomcat-multiple-instances/tasks/main.yml b/library/roles/tomcat-multiple-instances/tasks/main.yml index abf8a1d1..710c1c25 100644 --- a/library/roles/tomcat-multiple-instances/tasks/main.yml +++ b/library/roles/tomcat-multiple-instances/tasks/main.yml 
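Review bot: The runtime directory is created `0775` and owned by `{{ keepalived_script_username }}`, so the unprivileged script user and its group get write access to a directory under /run. Only the notify script writes there, so `0750` is enough; and if keepalived itself places pid or other files in the same directory on this build (worth checking against the package), give it a separate root-owned directory, because a root daemon creating files inside a directory writable by a less-privileged user is the classic symlink-race setup.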
@@ -11,7 +11,7 @@ user: name={{ item.user }} home={{ item.user_home }} createhome=false shell={{ item.user_shell | default('/bin/false') }} with_items: '{{ tomcat_m_instances }}' when: - - not tomcat_m_use_default_user + - not tomcat_m_use_default_user | bool - item.user != "tomcat{{ tomcat_version }}" register: tomcat_first_install tags: [ 'tomcat', 'tomcat_instances' ] @@ -19,7 +19,7 @@ - name: Create a tomcat user if needed user: name={{ tomcat_m_default_user }} home={{ tomcat_m_instances_base_path }} createhome=false shell={{ tomcat_m_default_user_shell }} when: - - tomcat_m_use_default_user + - tomcat_m_use_default_user | bool - tomcat_m_default_user != "tomcat{{ tomcat_version }}" register: tomcat_first_install tags: [ 'tomcat', 'tomcat_instances' ] @@ -68,8 +68,7 @@ - '{{ tomcat_m_instances }}' - [ 'context.xml' ] register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances' ] - name: Install catalina.properties @@ -78,8 +77,7 @@ - '{{ tomcat_m_instances }}' - [ 'catalina.properties' ] register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_catalina_properties' ] - name: Populate the instances conf/policy.d directory @@ -88,8 +86,7 @@ - '{{ tomcat_m_instances }}' - [ '01system.policy', '02debian.policy', '03catalina.policy', '04webapps.policy', '50local.policy' ] register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances' ] - name: Install logging.properties if we do not use log4j for the tomcat logging 
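Review bot: Both user tasks in hunks -11 and -19 register the same `tomcat_first_install`, and because they are mutually exclusive on `tomcat_m_use_default_user`, the task that is skipped still registers a result with `changed: false` and overwrites the one that ran; in the `not tomcat_m_use_default_user` case this appears to make `tomcat_first_install.changed | bool` in the later `Start all the tomcat instances` task (hunk -201) never true, so instances are not started on first install. Registering into two names, e.g. `register: tomcat_instance_users` and `register: tomcat_default_user`, and testing `(tomcat_instance_users.changed | default(false)) or (tomcat_default_user.changed | default(false))` avoids the clobbering. The `| bool` additions themselves are fine, and the task list starts before this hunk.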
@@ -99,57 +96,51 @@ - [ 'logging.properties' ] when: - tomcat_use_log4j is defined - - not tomcat_use_log4j + - not tomcat_use_log4j | bool register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances' ] - name: Install the server.xml conf file template: src=tomcat-server.xml.j2 dest={{ item.instance_path }}/conf/server.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ] - name: Install the web.xml file template: src=tomcat-web.xml.j2 dest={{ item.instance_path }}/conf/web.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ] - name: Install the tomcat-admin package if the host-manager or manager apps are required apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes - when: tomcat_m_host_manager_install or tomcat_m_manager_install + when: tomcat_m_host_manager_install | bool or tomcat_m_manager_install | bool tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ] - name: Install the catalina configuration for the tomcat manager template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - when: tomcat_m_manager_install - notify: - - tomcat restart instances with changed configs + when: 
tomcat_m_manager_install | bool + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ] - name: Install the catalina configuration for the tomcat host manager template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - when: tomcat_m_host_manager_install - notify: - - tomcat restart instances with changed configs + when: tomcat_m_host_manager_install | bool + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ] - name: Install the catalina configuration for the tomcat manager template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - notify: - - tomcat restart instances with changed configs + notify: tomcat restart instances with changed configs tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ] - name: Install the instances startup scripts 
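Review bot: The third task in this hunk titled `Install the catalina configuration for the tomcat manager` actually installs `tomcat-users.xml`, duplicating the name of the manager.xml task two tasks above and making `--start-at-task` and log output ambiguous; `- name: Install the tomcat-users.xml file` describes what it does. Every template task here registers into the same `restart_needed` before notifying the same handler, so each task overwrites the previous result; if the handler inspects `restart_needed.results` to choose which instances to restart, only the last task's changes are visible to it — worth confirming against the handler, which is outside this diff. The `| bool` additions are fine, and the task list continues past the hunk.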
@@ -166,15 +157,16 @@ - name: Reload the systemd daemon if we are running on a systemd-backed server command: systemctl daemon-reload - when: ansible_service_mgr == 'systemd' + when: + - ansible_service_mgr == 'systemd' + - reload_systemd | bool - name: Install a custom context.xml file template: src=tomcat-context.xml.j2 dest={{ item.instance_path }}/conf/context.xml owner={{ item.user }} group={{ item.user }} mode=0640 with_items: '{{ tomcat_m_instances }}' register: restart_needed - notify: - - tomcat restart instances with changed configs - when: tomcat_m_jndi_pool + notify: tomcat restart instances with changed configs + when: tomcat_m_jndi_pool | bool tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_contextxml', 'jdk' ] - name: Install a logrotate entry for the access log file @@ -188,11 +180,10 @@ when: - item.jmx_enabled is defined - item.jmx_auth_enabled is defined - - item.jmx_enabled - - item.jmx_auth_enabled + - item.jmx_enabled | bool + - item.jmx_auth_enabled | bool register: jmx_restart_needed - notify: - - tomcat restart instances with changed jmx config + notify: tomcat restart instances with changed jmx config tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ] - name: Install the jmx role file 
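Review bot: The `Reload the systemd daemon` task in hunk -166 gains a `reload_systemd | bool` condition but still carries no `tags:`, unlike every neighbouring task, so a run limited with `--tags tomcat_instances` installs unit files without reloading systemd; `tags: [ 'tomcat', 'tomcat_instances' ]` matches the tasks around it. Where `reload_systemd` is set is outside this hunk: if it is a registered task result rather than a plain boolean, `| bool` on the result mapping evaluates to false and the reload never runs, and `reload_systemd.changed | bool` would be the intended test.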
@@ -201,24 +192,23 @@ when: - item.jmx_enabled is defined - item.jmx_auth_enabled is defined - - item.jmx_enabled - - item.jmx_auth_enabled - register: jmx restart_needed - notify: - - tomcat restart instances with changed jmx config + - item.jmx_enabled | bool + - item.jmx_auth_enabled | bool + register: jmx_restart_needed + notify: tomcat restart instances with changed jmx config tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ] - name: Start all the tomcat instances service: name='tomcat-instance-{{ item.http_port }}' state=started sleep=20 with_items: '{{ tomcat_m_instances }}' when: - - tomcat_first_install.changed - - tomcat_m_start_instances + - tomcat_first_install.changed | bool + - tomcat_m_start_instances | bool tags: [ 'tomcat', 'tomcat_instances'] ignore_errors: True - name: Enable all the tomcat instances service: name='tomcat-instance-{{ item.http_port }}' enabled=yes with_items: '{{ tomcat_m_instances }}' - when: tomcat_m_enable_instances + when: tomcat_m_enable_instances | bool tags: [ 'tomcat', 'tomcat_instances'] diff --git a/library/roles/tomcat/tasks/tomcat-pkgs.yml b/library/roles/tomcat/tasks/tomcat-pkgs.yml index e7922dbc..20153177 100644 --- a/library/roles/tomcat/tasks/tomcat-pkgs.yml +++ b/library/roles/tomcat/tasks/tomcat-pkgs.yml @@ -5,7 +5,7 @@ when: - ansible_distribution_major_version <= '16' - tomcat_fixed_version is not defined - tags: [ 'tomcat', 'tomcat_ver' ] + tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] - name: Set the tomcat version for Ubuntu bionic set_fact: 
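Review bot: `Start all the tomcat instances` in hunk -201 keeps `ignore_errors: True`, so a failed start of any instance is reported as ignored and the play proceeds as if the instances were up; the corrected `| bool` conditions do not change that. If a partial start is acceptable, `failed_when: false` together with the existing `register` pattern and a later explicit check states the intent; otherwise dropping `ignore_errors: True` lets a non-starting instance fail the run where it happens. The `tomcat_first_install.changed | bool` test here also depends on how that variable is registered by the two user tasks earlier in the file (hunks -11 and -19).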
@@ -13,13 +13,18 @@ when: - ansible_distribution_major_version == '18' - tomcat_fixed_version is not defined - tags: [ 'tomcat', 'tomcat_ver' ] + tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] - name: Impose a tomcat version set_fact: tomcat_version: '{{ tomcat_fixed_version }}' when: tomcat_fixed_version is defined - tags: [ 'tomcat', 'tomcat_ver' ] + tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] + +- name: Print the Tomcat version + debug: + msg: "The Tomcat version we are going to install is {{ tomcat_version }}" + tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ] - name: Install the tomcat packages apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800 @@ -28,7 +33,7 @@ - name: Install additional packages needed by tomcat 8+ apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800 when: tomcat_version >= 8 - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ] - name: Create the tomcat tmp directory file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} 
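Review bot: The rewritten `tags:` line in hunk -28 lists `'tomcat_javamelody'` twice, `tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]`; Ansible tolerates it, but it reads as a copy-paste slip, and `tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]` matches the form used on the other tag lines of this patch. The `Print the Tomcat version` debug task added in hunk -13 under the same tags is a useful check that the fact is actually set before the package tasks run.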
@@ -77,17 +82,17 @@ with_items: - commons-daemon.jar when: tomcat_version >= 8 - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_conf' ] - name: Install the javamelody dependency jar into the Java shared libs directory maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2 when: tomcat_javamelody | bool - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ] - name: Install the javamelody-core jar into the Java shared libs directory maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2 when: tomcat_javamelody | bool - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ] - name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled file: src=../../java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link owner=root group=root mode=0644 @@ -95,7 +100,7 @@ - javamelody-core.jar - jrobin.jar when: tomcat_javamelody | bool - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ] - name: Remove the javamelody jar and its dependencies if the javamelody support is disabled file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent @@ -103,4 +108,4 @@ - javamelody-core.jar - jrobin.jar when: not tomcat_javamelody | bool - tags: [ 'tomcat', 'tomcat_javamelody' ] + tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
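Review bot: The jrobin `maven_artifact` task in hunk -77 fetches `version=latest` from `repository_url=https://repo1.maven.org/maven2`, so each run can install a different, unreviewed artifact into `/usr/share/java/jrobin.jar`, and `verify_checksum=always` only confirms the download matches the checksum the same repository publishes, not that it is the version that was vetted; javamelody-core in the next task is already pinned via `tomcat_javamelody_version`, so pinning jrobin the same way, e.g. `version={{ tomcat_jrobin_version }}` with a default in the role's defaults, keeps the two consistent and reproducible. Separately, the tag change on the commons-daemon.jar task in hunk -77 swaps `'tomcat_javamelody'` for `'tomcat_conf'`, so a run limited to `--tags tomcat_javamelody` no longer installs that jar on tomcat 8+; if javamelody does not need it that is fine, otherwise keep both tags. The `with_items` list of that task starts before the hunk.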