From e448415ec877e9929031d471828041adf952b221 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Mon, 25 May 2020 19:39:43 +0200 Subject: [PATCH] sync with the d4science ansible library. --- .../roles/ELK/elasticsearch/tasks/plugins.yml | 16 ----- library/roles/R/defaults/main.yml | 4 +- library/roles/R/tasks/r-installation.yml | 20 ++++-- .../roles/apache/tasks/apache-letsencrypt.yml | 6 +- library/roles/ckan/ckan/defaults/main.yml | 25 ++++++- library/roles/ckan/ckan/tasks/ckan-config.yml | 10 ++- .../roles/ckan/ckan/tasks/ckan-memcache.yml | 10 ++- .../roles/ckan/ckan/tasks/ckan-plugins.yml | 34 ++++++++- library/roles/deb-set-hostname/tasks/main.yml | 17 ----- .../roles/deb-set-locale/defaults/main.yml | 8 --- library/roles/deb-set-locale/tasks/main.yml | 10 --- .../geonetwork/templates/3.2-web.xml.j2 | 8 ++- library/roles/hdf5/defaults/main.yml | 6 ++ library/roles/hdf5/tasks/main.yml | 13 +++- library/roles/motd/tasks/deb_motd.yml | 2 + library/roles/pandoc/tasks/main.yml | 17 +++-- library/roles/python-env/tasks/main.yml | 22 +++--- library/roles/timezone/defaults/main.yml | 3 - library/roles/timezone/tasks/main.yml | 16 ----- .../roles/timezone/templates/etc-timezone.j2 | 1 - .../defaults/main.yml | 9 ++- .../templates/tomcat-default.j2 | 7 ++ library/roles/tomcat/defaults/main.yml | 6 ++ .../roles/tomcat/templates/tomcat-default.j2 | 3 + .../ubuntu-deb-general/defaults/main.yml | 5 +- .../roles/ubuntu-deb-general/meta/main.yml | 6 +- .../ubuntu-deb-general/tasks/packages.yml | 57 +++------------ .../ubuntu-deb-general/templates/ntp.conf.j2 | 69 +++++++++++++++++++ .../ubuntu-python-setup/defaults/main.yml | 7 +- .../roles/ubuntu-python-setup/tasks/main.yml | 15 +++- library/roles/users/tasks/main.yml | 23 ++++++- 31 files changed, 279 insertions(+), 176 deletions(-) delete mode 100644 library/roles/ELK/elasticsearch/tasks/plugins.yml delete mode 100644 library/roles/deb-set-hostname/tasks/main.yml delete mode 100644 library/roles/deb-set-locale/defaults/main.yml delete mode 100644 
library/roles/deb-set-locale/tasks/main.yml delete mode 100644 library/roles/timezone/defaults/main.yml delete mode 100644 library/roles/timezone/tasks/main.yml delete mode 100644 library/roles/timezone/templates/etc-timezone.j2 create mode 100644 library/roles/ubuntu-deb-general/templates/ntp.conf.j2 diff --git a/library/roles/ELK/elasticsearch/tasks/plugins.yml b/library/roles/ELK/elasticsearch/tasks/plugins.yml deleted file mode 100644 index bfe64918..00000000 --- a/library/roles/ELK/elasticsearch/tasks/plugins.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- block: - - name: Manage a list of elasticsearch plugins - elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }} - with_items: '{{ elasticsearch_plugins | default ([]) }}' - - - name: Install the elasticsearch HQ plugin - elasticsearch_plugin: name="{{ item.name }}" state={{ item.state }} plugin_bin={{ elasticsearch_plugin_bin }} url={{ item.url|default(omit) }} version={{ item.version|default(omit) }} - with_items: '{{ elasticsearch_hq_plugin | default ([]) }}' - when: - - elasticsearch_major_version <= 2 - - elasticsearch_hq_install - - when: elasticsearch_plugins is defined - tags: [ 'elasticsearch', 'es_plugins' ] - diff --git a/library/roles/R/defaults/main.yml b/library/roles/R/defaults/main.yml index dbcd237d..296d38b0 100644 --- a/library/roles/R/defaults/main.yml +++ b/library/roles/R/defaults/main.yml @@ -10,8 +10,8 @@ # The install/remove script has been taken from here: http://adamj.eu/tech/2014/07/19/installing-and-removing-r-packages-with-ansible/ # -# Set to present if you want install from CRAN -r_install_cran_repo: absent +# Set to True if you want install from the CRAN deb repository +r_install_cran_repo: False #r_cran_mirror_site: http://cran.rstudio.com r_cran_set_default_mirror: True r_cran_mirror_site: https://cran.mirror.garr.it/mirrors/CRAN/ 
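Review bot: `r_install_cran_repo` changes type here from the `present`/`absent` string to a boolean, so an inventory that still sets `r_install_cran_repo: present` now goes through the `| bool` filter in r-installation.yml, evaluates false, and the CRAN repository is silently removed instead of added. A comment above the variable would flag the migration: `# Boolean since this sync; the former present/absent strings no longer enable the repository`. The old-style values are otherwise indistinguishable from an unset variable in play output.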
diff --git a/library/roles/R/tasks/r-installation.yml b/library/roles/R/tasks/r-installation.yml index afceb9d2..97a2cfe6 100644 --- a/library/roles/R/tasks/r-installation.yml +++ b/library/roles/R/tasks/r-installation.yml @@ -1,10 +1,20 @@ --- -- name: Manage the cran repository key - apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state={{ r_install_cran_repo }} - tags: [ 'r_software', 'r_repo', 'r_repo_key' ] +- block: + - name: Add the cran repository key + apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state=present + tags: [ 'r_software', 'r_repo', 'r_repo_key' ] -- name: Manage the cran repository definition - apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes + - name: Add the CRAN repository + apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=present update_cache=yes + + when: r_install_cran_repo | bool + tags: [ 'r_software', 'r_repo' ] + +- block: + - name: Remove the CRAN repository + apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=absent update_cache=yes + + when: not r_install_cran_repo | bool tags: [ 'r_software', 'r_repo' ] - name: Remove the hold state from the debian R packages diff --git a/library/roles/apache/tasks/apache-letsencrypt.yml b/library/roles/apache/tasks/apache-letsencrypt.yml index 4b1d6621..86928be5 100644 --- a/library/roles/apache/tasks/apache-letsencrypt.yml +++ b/library/roles/apache/tasks/apache-letsencrypt.yml 
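Review bot: The new `Add the cran repository key` task fetches the signing key from keyserver.ubuntu.com by the 8-hex-digit short id `E084DAB9`; short key ids are cheap to collide on public keyservers, so the task should name the full 40-character fingerprint, `apt_key: id=<FULL_FINGERPRINT_PLACEHOLDER> keyserver=keyserver.ubuntu.com state=present`, or fetch the key over HTTPS from the repository's own site. The repository line is `http://cran.rstudio.com/...` in both the add and the remove block; apt verifies signatures, but an https URL removes a downgrade path and is a one-word change in each block. Whichever scheme is chosen, the two `repo=` strings must stay identical or the remove block will not match what was added.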
@@ -25,8 +25,8 @@ copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/apache2 owner=root group=root mode=4555 when: - - letsencrypt_acme_install is defined and letsencrypt_acme_install - - apache_letsencrypt_managed + - letsencrypt_acme_install is defined and letsencrypt_acme_install | bool + - apache_letsencrypt_managed | bool tags: [ 'apache', 'letsencrypt' ] - block: @@ -38,6 +38,6 @@ - name: Remove the letsencrypt hook for apache file: path={{ letsencrypt_acme_services_scripts_dir }}/apache2 state=absent - when: not apache_letsencrypt_managed + when: not apache_letsencrypt_managed | bool tags: [ 'apache', 'letsencrypt' ] diff --git a/library/roles/ckan/ckan/defaults/main.yml b/library/roles/ckan/ckan/defaults/main.yml index 9636c34d..db2061c1 100644 --- a/library/roles/ckan/ckan/defaults/main.yml +++ b/library/roles/ckan/ckan/defaults/main.yml 
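Review bot: The hook script is copied with `mode=4555` on the context line above the changed `when`: the leading 4 is the setuid bit, which the kernel ignores for interpreted scripts, so this is either a typo for `0555` or dead intent and worth settling while the role is being synced. The `| bool` additions themselves are correct and consistent with the rest of the commit. The task in the first hunk and the block in the second both start outside their hunks.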
@@ -75,11 +75,23 @@ ckan_ldap_fallback: True ckan_ckanext_lire: False ckan_ckanext_lire_n: lire ckan_ckanext_lire_url: 'https://github.com/milicp/ckanext-lire.git' -# OAI-PMH -ckan_oai_pmh: False +# Kata OAI-PMH +ckan_kata_oai_pmh: False ckan_oai_pmh_name: oaipmh ckan_oai_pmh_state: absent -ckan_oai_pmh_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm' +ckan_oai_pmh_url: 'git+https://github.com/kata-csc/ckanext-oaipmh#egg=ckanext-oaipmh' +ckan_oai_pmh_kata_plugin_url: 'git+https://github.com/kata-csc/ckanext-kata.git#egg=ckanext-kata' +ckan_oai_pmh_kata_ini_state: 'present' +ckan_oai_pmh_kata_ini_options: + - { section: 'app:main', option: 'kata.storage.malware_scan', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' } + - { section: 'app:main', option: 'kata.ldap.enabled', value: 'false', state: '{{ ckan_oai_pmh_kata_ini_state }}' } + - { section: 'app:main', option: 'kata.disable_contact', value: 'true', state: '{{ ckan_oai_pmh_kata_ini_state }}' } + +# OLD OAI-PMH +ckan_oai_pm: False +ckan_oai_pm_name: oaipmh +ckan_oai_pm_state: absent +ckan_oai_pm_url: 'git+https://github.com/florenthemmi/ckanext-oaipmh#egg=ckanext-oaipm' # Google analytics ckan_google_analytics: False ckan_ga_plugin_state: '{{ ckan_plugins_state }}' @@ -93,6 +105,10 @@ ckan_star_ratings_name: rating ckan_star_ratings_url: 'git+https://github.com/6aika/ckanext-rating.git#egg=ckanext-rating' ckan_memcache_sessions: False +ckan_memcache_deb_pkgs: + - libmemcached10 + - libmemcached-dev + ckan_memcache_ini_opts: - { section: 'app:main', option: 'beaker.session.type', value: 'ext:memcached', state: 'present' } - { section: 'app:main', option: 'beaker.session.url ', value: "{{ mc_ipaddress | default('127.0.0.1') }}:{{ mc_port | default('11211') }}", state: 'present' } 
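Review bot: `ckan_oai_pmh_kata_ini_options` defaults `kata.storage.malware_scan` to `'false'`, so every deployment that enables the Kata plugin gets upload malware scanning switched off unless the operator overrides the entire list; a dedicated `ckan_oai_pmh_kata_malware_scan: 'true'` variable referenced from that entry would make the safe setting the default and the opt-out an explicit, greppable choice. The rename from `ckan_oai_pmh` to `ckan_kata_oai_pmh` also means an inventory that still sets `ckan_oai_pmh: True` now installs nothing, silently, because ckan-plugins.yml only tests the new name. A comment above the block such as `# ckan_oai_pmh was renamed ckan_kata_oai_pmh; the florenthemmi plugin is now ckan_oai_pm` would flag both migrations. `ckan_oai_pm_url` keeps the `#egg=ckanext-oaipm` fragment that the kata URL just corrected to `oaipmh` — probably deliberate for the old plugin, but worth confirming.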
@@ -138,6 +154,9 @@ ckan_pip_dependencies: - xmltodict - ndg-httpsclient - pyasn1 + - enum + - ipaddress + - x509 ckan_pip_versioned_dependencies: - { name: 'SQLAlchemy', version: '0.9.6', state: 'present' } diff --git a/library/roles/ckan/ckan/tasks/ckan-config.yml b/library/roles/ckan/ckan/tasks/ckan-config.yml index 8ef3d7aa..fef8961c 100644 --- a/library/roles/ckan/ckan/tasks/ckan-config.yml +++ b/library/roles/ckan/ckan/tasks/ckan-config.yml @@ -1,9 +1,17 @@ --- - name: Configure the CKAN plugins list into the configuration file - ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=yes + ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no with_items: '{{ ckan_production_ini_plugins_opts }}' notify: - Restart CKAN - Restart fetch and gather consumers tags: [ 'ckan', 'ckan_ini', 'ckan_plugins' ] +- name: Configure the CKAN options used by the KATA plugin + ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} backup=no + with_items: '{{ ckan_oai_pmh_kata_ini_options }}' + notify: + - Restart CKAN + - Restart fetch and gather consumers + tags: [ 'ckan', 'ckan_ini', 'ckan_plugins', 'ckan_oai_pmh' ] + diff --git a/library/roles/ckan/ckan/tasks/ckan-memcache.yml b/library/roles/ckan/ckan/tasks/ckan-memcache.yml index 6afe2c96..52673138 100644 --- a/library/roles/ckan/ckan/tasks/ckan-memcache.yml +++ b/library/roles/ckan/ckan/tasks/ckan-memcache.yml 
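Review bot: The three new `ckan_pip_dependencies` entries (`enum`, `ipaddress`, `x509`) are unpinned, unlike the `ckan_pip_versioned_dependencies` list directly below, and `enum` on PyPI is a different project from the `enum34` backport: if the Python 2 backport is what is wanted the name should be `enum34`, otherwise the `enum` distribution shadows the standard-library module on Python 3. Moving them into the versioned list, e.g. `- { name: 'enum34', version: '<VERSION_PLACEHOLDER>', state: 'present' }`, keeps the virtualenv reproducible. The list this hunk edits begins outside the hunk.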
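Review bot: The new `Configure the CKAN options used by the KATA plugin` task has no `when:` guard, so the three `kata.*` options are written into `{{ ckan_config_file }}` on every CKAN host, including those where the plugin is never installed (`ckan_oai_pmh_kata_ini_state` defaults to `present`). Add `when: ckan_kata_oai_pmh | bool` after the `with_items`, matching the gate the plugin tasks use in ckan-plugins.yml. The switch to `backup=no` also stops leaving dated copies of the ini file, which holds database credentials, next to it; that is a reasonable choice but deserves a one-line comment so the next reader does not restore `backup=yes`.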
@@ -1,4 +1,11 @@ --- +- block: + - name: Install the memcache library deb package + apt: pkg={{ ckan_memcache_deb_pkgs }} state=present cache_valid_time=1800 + + when: ckan_memcache_sessions is defined and ckan_memcache_sessions + tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ] + - block: - name: Install the memcache library pip: name=pylibmc virtualenv={{ ckan_virtenv }} state=present @@ -9,9 +16,6 @@ tags: [ 'ckan', 'ckan_sessions', 'ckan_memcache' ] - block: - - name: Install the memcache library deb package - apt: pkg=libmemcached10 state=present update_cache=yes cache_valid_time=1800 - - name: Configure CKAN so that it uses memcache for its sessions ini_file: dest={{ ckan_config_file }} section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} with_items: '{{ ckan_memcache_ini_opts }}' diff --git a/library/roles/ckan/ckan/tasks/ckan-plugins.yml b/library/roles/ckan/ckan/tasks/ckan-plugins.yml index dcf07cca..9aa50b08 100644 --- a/library/roles/ckan/ckan/tasks/ckan-plugins.yml +++ b/library/roles/ckan/ckan/tasks/ckan-plugins.yml @@ -6,6 +6,10 @@ tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ] - block: + - name: Upgrade pip inside the virtualenv + pip: name=pip virtualenv={{ ckan_virtenv }} state=latest + tags: [ 'ckan', 'geonetwork', 'ckan_plugins', 'ckan_pip_deps' ] + - name: Install some python versioned plugins dependencies inside the CKAN virtualenv pip: name={{ item.name }} virtualenv={{ ckan_virtenv }} version={{ item.version }} state={{ item.state }} with_items: '{{ ckan_pip_versioned_dependencies }}' 
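Review bot: The new memcache block is gated with `when: ckan_memcache_sessions is defined and ckan_memcache_sessions`, while the rest of this commit converts such conditions to `| bool`; an inventory value written as the string `'False'` would pass this check and install the packages. `when: ckan_memcache_sessions | default(False) | bool` is the equivalent in the new style and also covers the undefined case.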
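Review bot: `pip: name=pip virtualenv={{ ckan_virtenv }} state=latest` upgrades pip to whatever PyPI serves at run time, so two runs of the role can produce different virtualenvs, and a future pip release that drops the interpreter CKAN runs on would break every pip task that follows in this block. Pin it the way the versioned dependencies below are pinned, `pip: name=pip version=<PIP_VERSION_PLACEHOLDER> virtualenv={{ ckan_virtenv }}`, and bump the pin as a reviewed change. The enclosing block continues past the hunk.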
@@ -165,12 +169,36 @@ notify: Restart CKAN tags: [ 'ckan', 'ckan_lire', 'ckan_plugins' ] - - name: Download the CKAN OAI-PMH plugin + - name: Download the KATA CKAN OAI-PMH plugin pip: name='{{ ckan_oai_pmh_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True - when: ckan_oai_pmh | bool + when: ckan_kata_oai_pmh | bool notify: Restart CKAN tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ] - + + - name: Download the KATA CKAN ckanext-oaiphm requirements + pip: requirements={{ ckan_virtenv }}/src/ckanext-oaipmh/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} + when: ckan_kata_oai_pmh | bool + notify: Restart CKAN + tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ] + + - name: Download the KATA CKAN plugin + pip: name='{{ ckan_oai_pmh_kata_plugin_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True + when: ckan_kata_oai_pmh | bool + notify: Restart CKAN + tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ] + + - name: Download the KATA CKAN requirements + pip: requirements={{ ckan_virtenv }}/src/ckanext-kata/requirements.txt virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} + when: ckan_kata_oai_pmh | bool + notify: Restart CKAN + tags: [ 'ckan', 'ckan_oai_pmh', 'ckan_plugins' ] + + - name: Download the opendatasoft CKAN OAI-PMH plugin + pip: name='{{ ckan_oai_pm_url }}' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} editable=True + when: ckan_oai_pm | bool + notify: Restart CKAN + tags: [ 'ckan', 'ckan_oai_pm', 'ckan_plugins' ] + - name: Download the CKAN google analytics plugin python requirements pip: name='genshi' virtualenv={{ ckan_virtenv }} state={{ ckan_plugins_state }} when: ckan_google_analytics | bool diff --git a/library/roles/deb-set-hostname/tasks/main.yml b/library/roles/deb-set-hostname/tasks/main.yml deleted file mode 100644 index 6f3ebab5..00000000 --- a/library/roles/deb-set-hostname/tasks/main.yml +++ /dev/null 
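Review bot: The four new KATA tasks install from `git+https://github.com/kata-csc/...` URLs with no `@<ref>` suffix and then run `pip: requirements=...` from the checked-out tree, so whatever sits on those repositories' default branch on the day of the run lands in the CKAN virtualenv with `editable=True`. Pin the refs in defaults/main.yml, `ckan_oai_pmh_url: 'git+https://github.com/kata-csc/ckanext-oaipmh@<REF_PLACEHOLDER>#egg=ckanext-oaipmh'` and likewise `ckan_oai_pmh_kata_plugin_url`, so an upstream change becomes a reviewed bump rather than an implicit one. The task name `Download the KATA CKAN ckanext-oaiphm requirements` misspells `oaipmh`. The enclosing block starts and ends outside the hunk.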
@@ -1,17 +0,0 @@ ---- -- name: Set the hostname when different from the inventory one. - hostname: name={{ hostname }} - when: hostname is defined - tags: [ 'bootstrap', 'set_hostname' ] - -- name: Set the hostname as defined in the inventory - hostname: name={{ inventory_hostname }} - when: hostname is not defined - tags: [ 'bootstrap', 'set_hostname' ] - -- name: Add the hostname to /etc/hosts - shell: grep -v {{ ansible_default_ipv4.address }} /etc/hosts > /etc/hosts.tmp ; echo "{{ ansible_default_ipv4.address }} {{ hostname }} {{ ansible_hostname }}" >> /etc/hosts.tmp ; /bin/mv /etc/hosts.tmp /etc/hosts - when: - - hostname is defined - - ansible_virtualization_type == 'xen' - tags: [ 'bootstrap', 'set_hostname' ] diff --git a/library/roles/deb-set-locale/defaults/main.yml b/library/roles/deb-set-locale/defaults/main.yml deleted file mode 100644 index c8e7d739..00000000 --- a/library/roles/deb-set-locale/defaults/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -deb_default_locale: "en_US.UTF-8" -deb_locales_list: - - { name: '{{ deb_default_locale }}' } - - { name: 'en_US' } - - { name: 'it_IT.UTF-8' } - - { name: 'it_IT' } - diff --git a/library/roles/deb-set-locale/tasks/main.yml b/library/roles/deb-set-locale/tasks/main.yml deleted file mode 100644 index 39ae7af6..00000000 --- a/library/roles/deb-set-locale/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- block: - - name: Add/remove a list of locales - locale_gen: name={{ item.name }} state={{ item.state | default('present') }} - with_items: '{{ deb_locales_list }}' - - - name: Set the default locale - shell: update-locale LANG={{ deb_default_locale }} - - tags: locale diff --git a/library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2 b/library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2 index 44826d1a..43b5e2f1 100644 --- a/library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2 +++ b/library/roles/geonetwork/geonetwork/templates/3.2-web.xml.j2 
@@ -330,11 +330,13 @@ geonetwork.dir - /app/geonetwork_data_dir - --> + {{ geonetwork_data_directory }} + + + 1 diff --git a/library/roles/hdf5/defaults/main.yml b/library/roles/hdf5/defaults/main.yml index 3ed9d9c0..4e13e74c 100644 --- a/library/roles/hdf5/defaults/main.yml +++ b/library/roles/hdf5/defaults/main.yml @@ -7,3 +7,9 @@ hdf5_pkgs_list: - hdf5-helpers - libhdf5-10 - libhdf5-dev + +hdf5_bionic_pkgs_list: + - hdf5-tools + - hdf5-helpers + - libhdf5-100 + - libhdf5-dev diff --git a/library/roles/hdf5/tasks/main.yml b/library/roles/hdf5/tasks/main.yml index e865c1f8..291b4978 100644 --- a/library/roles/hdf5/tasks/main.yml +++ b/library/roles/hdf5/tasks/main.yml @@ -7,7 +7,14 @@ apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes - name: Install the hdf5 packages - apt: pkg={{ item }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600 - with_items: '{{ hdf5_pkgs_list }}' + apt: pkg={{ hdf5_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600 - tags: [ 'hdf5' ] \ No newline at end of file + when: ansible_distribution_release == 'trusty' + tags: [ 'hdf5' ] + +- block: + - name: Install the hdf5 packages + apt: pkg={{ hdf5_bionic_pkgs_list }} state={{ hdf5_pkg_state }} update_cache=yes cache_valid_time=3600 + + when: ansible_distribution_release == 'bionic' + tags: [ 'hdf5' ] diff --git a/library/roles/motd/tasks/deb_motd.yml b/library/roles/motd/tasks/deb_motd.yml index b19c4bd8..125c32ac 100644 --- a/library/roles/motd/tasks/deb_motd.yml +++ b/library/roles/motd/tasks/deb_motd.yml @@ -15,4 +15,6 @@ creates: /etc/.custom_motd ignore_errors: True + when: + - ( ansible_distribution == 'Ubuntu' ) or ( ansible_distribution == 'Debian' and ansible_distribution_major_version >= '9' ) tags: motd diff --git a/library/roles/pandoc/tasks/main.yml b/library/roles/pandoc/tasks/main.yml index d92186a7..6f781df3 100644 
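Review bot: After this change the hdf5 packages are installed only when `ansible_distribution_release` is exactly `trusty` or `bionic`; on any other release both tasks are skipped and the role reports success having installed nothing. Either add a block with `fail:`/`assert:` for unsupported releases, or collapse the two into one task with `pkg={{ hdf5_bionic_pkgs_list if ansible_distribution_release == 'bionic' else hdf5_pkgs_list }}`. The `apt_repository` context line above the first task, unchanged here, still adds the `trusty-infrascience` repository for every release including bionic — possibly unintended, worth confirming.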
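Review bot: `ansible_distribution_major_version >= '9'` compares two strings, so Debian 10 is excluded (`'10' >= '9'` is false lexicographically) while Debian 9 passes. Use the version test other roles in this commit already use: `( ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '>=') )`. The task this `when` belongs to starts outside the hunk.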
--- a/library/roles/pandoc/tasks/main.yml +++ b/library/roles/pandoc/tasks/main.yml @@ -1,8 +1,17 @@ --- -- name: Get the pandoc deb package - get_url: url={{pandoc_pkg_url}} dest=/srv/{{ pandoc_pkg_file }} +- block: + - name: Get the pandoc deb package + get_url: url={{pandoc_pkg_url}} dest=/srv/{{ pandoc_pkg_file }} + + - name: Install the pandoc deb package + apt: deb=/srv/{{ pandoc_pkg_file }} + + when: ansible_facts['distribution_version'] is version('16.04', '<') tags: pandoc -- name: Install the pandoc deb package - apt: deb=/srv/{{ pandoc_pkg_file }} +- block: + - name: Install the pandoc deb package, distribution version + apt: pkg=pandoc state=present cache_valid_time=3600 + + when: ansible_facts['distribution_version'] is version('16.04', '>=') tags: pandoc diff --git a/library/roles/python-env/tasks/main.yml b/library/roles/python-env/tasks/main.yml index c82b185b..a721e861 100644 --- a/library/roles/python-env/tasks/main.yml +++ b/library/roles/python-env/tasks/main.yml 
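Review bot: `get_url: url={{pandoc_pkg_url}} dest=/srv/{{ pandoc_pkg_file }}` downloads a .deb that the next task installs as root with no integrity check, so anyone able to alter the download or its path gets a package install. `get_url` accepts a `checksum` argument; add a `pandoc_pkg_checksum` default and pass `checksum={{ pandoc_pkg_checksum }}` with a value of the form `sha256:<DIGEST_PLACEHOLDER>`. Both blocks use the task name `Install the pandoc deb package`; distinct names would make play output unambiguous.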
@@ -4,33 +4,31 @@ apt: name={{ py_env_basic_pkgs | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600 when: - - py_env_install - - is_not_trusty + - py_env_install | bool + - ansible_facts['distribution_version'] is version('16.04', '>=') tags: [ "python", "py_env" ] - block: - name: Remove python deb packages apt: name={{ py_env_dpkg_toremove | default([]) }} state=absent - when: - - py_env_install + when: py_env_install | bool tags: [ "python", "py_env", "py_env_pkgs" ] - block: - - name: Install python deb packages - apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600 - - name: Install deb packages needed to compile the pip modules apt: name={{ py_pip_deps | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600 - - name: Install a list of pip packages - pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest - - name: Install a list of versioned pip packages pip: name={{ item.pkg }} version={{ item.version }} with_items: '{{ py_env_versioned_pip_pkgs | default ([]) }}' - when: - - py_env_install + - name: Install a list of pip packages + pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest + + - name: Install python deb packages + apt: name={{ py_env_dpkg | default([]) }} state={{ py_env_pkgs_state }} update_cache=yes cache_valid_time=600 + + when: py_env_install | bool tags: [ "python", "py_env", "py_env_pkgs" ] diff --git a/library/roles/timezone/defaults/main.yml b/library/roles/timezone/defaults/main.yml deleted file mode 100644 index c2387a6f..00000000 --- a/library/roles/timezone/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -timezone: "Europe/Rome" - diff --git a/library/roles/timezone/tasks/main.yml b/library/roles/timezone/tasks/main.yml deleted file mode 100644 index 57a0e911..00000000 --- a/library/roles/timezone/tasks/main.yml +++ /dev/null 
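Review bot: The reordering moves `Install python deb packages` after the two pip tasks; if `py_env_dpkg` is where pip or virtualenv themselves come from on a fresh host, the pip tasks now run before that tooling is present — the inventories decide this, so it is worth confirming rather than a certain defect. `pip: name={{ py_env_pip_pkgs | default ([]) }} state=latest` remains an unpinned upgrade on every run, the same reproducibility issue as the pip upgrade added in ckan-plugins.yml; `py_env_versioned_pip_pkgs` already offers the pinned form. The first hunk's `is version('16.04', '>=')` replaces the `is_not_trusty` flag correctly.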
@@ -1,16 +0,0 @@ ---- -- name: Set the timezone on Ubuntu >=18 - command: timedatectl set-timezone {{ timezone }} - when: ansible_distribution_version is version_compare('18.04', '>=') - tags: timezone - -- name: Write the timezone file - template: src=etc-timezone.j2 dest=/etc/timezone owner=root group=root mode=0644 - register: set_timezone - tags: timezone - -- name: Reconfigure the system tzdata - command: dpkg-reconfigure --frontend noninteractive tzdata - when: set_timezone is changed - tags: timezone - diff --git a/library/roles/timezone/templates/etc-timezone.j2 b/library/roles/timezone/templates/etc-timezone.j2 deleted file mode 100644 index 0b6d0093..00000000 --- a/library/roles/timezone/templates/etc-timezone.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ timezone }} diff --git a/library/roles/tomcat-multiple-instances/defaults/main.yml b/library/roles/tomcat-multiple-instances/defaults/main.yml index 4ad949da..ff7aeae3 100644 --- a/library/roles/tomcat-multiple-instances/defaults/main.yml +++ b/library/roles/tomcat-multiple-instances/defaults/main.yml @@ -59,7 +59,12 @@ tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC" tomcat_m_reverse_proxy_name_enabled: False tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}' tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}' - +tomcat_m_proxy_enabled: False +tomcat_m_proxy_http_host: 'localhost' +tomcat_m_proxy_http_port: '3128' +tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}' +tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}' +tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}" tomcat_m_other_java_opts: "" tomcat_m_webapps_autodeploy: False tomcat_m_webapps_unpack: False 
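Review bot: `tomcat_m_proxy_opts` sets `http.proxyHost`/`https.proxyHost` JVM-wide with no `http.nonProxyHosts`, so once `proxy_enabled` is on, every outbound HTTP call from the instance beyond the JDK's built-in localhost exemption is routed through the proxy at `localhost:3128`, including calls to other internal services, unless the operator overrides the whole string. Adding `tomcat_m_proxy_non_proxy_hosts: 'localhost|127.*|[::1]'` and appending `-Dhttp.nonProxyHosts={{ tomcat_m_proxy_non_proxy_hosts }}` to the option string makes the exemption list configurable. `-DproxySet=true` is not among the networking properties the JDK documents; if nothing reads it, drop it. The same applies to `tomcat_proxy_opts` in library/roles/tomcat/defaults/main.yml in this commit.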
@@ -89,5 +94,5 @@ tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}' # This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy # #tomcat_m_instances: -# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] } +# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', 
user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] } diff --git a/library/roles/tomcat-multiple-instances/templates/tomcat-default.j2 b/library/roles/tomcat-multiple-instances/templates/tomcat-default.j2 index acba45e4..54afff18 100644 --- a/library/roles/tomcat-multiple-instances/templates/tomcat-default.j2 +++ b/library/roles/tomcat-multiple-instances/templates/tomcat-default.j2 @@ -29,6 +29,13 @@ JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN" {% if item.java_gc_opts is defined %} JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS" {% endif %} +{% if item.proxy_enabled is defined and item.proxy_enabled %} +{% if item.proxy_opts is defined %} +JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}" +{% else %} +JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}" +{% endif %} +{% endif %} {% if item.other_java_opts is defined %} JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}" {% endif %} 
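Review bot: `{% if item.proxy_enabled is defined and item.proxy_enabled %}` tests Jinja truthiness, and the example instance definition passes `proxy_enabled: '{{ tomcat_m_proxy_enabled }}'` as a quoted template; depending on how the per-instance dict is rendered that can arrive as the string `'False'`, which is truthy, and the proxy options would then be appended to every instance. `{% if item.proxy_enabled is defined and item.proxy_enabled | bool %}` follows the `| bool` convention this commit applies elsewhere. The same guard appears as `{% if tomcat_proxy_enabled %}` in library/roles/tomcat/templates/tomcat-default.j2 and would benefit from the same filter.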
diff --git a/library/roles/tomcat/defaults/main.yml b/library/roles/tomcat/defaults/main.yml index ef784eb1..39ffa85e 100644 --- a/library/roles/tomcat/defaults/main.yml +++ b/library/roles/tomcat/defaults/main.yml @@ -27,6 +27,12 @@ tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}" tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError" tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC" #tomcat_other_java_opts: "-Djsse.enableSNIExtension=false" +tomcat_proxy_enabled: False +tomcat_proxy_http_host: 'localhost' +tomcat_proxy_http_port: '3128' +tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}' +tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}' +tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}" tomcat_other_java_opts: "" tomcat_install_server_xml: True tomcat_install_default_conf: True diff --git a/library/roles/tomcat/templates/tomcat-default.j2 b/library/roles/tomcat/templates/tomcat-default.j2 index fd908844..698f4366 100644 --- a/library/roles/tomcat/templates/tomcat-default.j2 +++ b/library/roles/tomcat/templates/tomcat-default.j2 @@ -35,6 +35,9 @@ JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS" {% if tomcat_java_gc_opts is defined %} JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}" {% endif %} +{% if tomcat_proxy_enabled %} +JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}" +{% endif %} {% if tomcat_other_java_opts is defined %} JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}" {% endif %} diff --git a/library/roles/ubuntu-deb-general/defaults/main.yml b/library/roles/ubuntu-deb-general/defaults/main.yml index 797dfd90..9cc5e312 100644 --- a/library/roles/ubuntu-deb-general/defaults/main.yml +++ b/library/roles/ubuntu-deb-general/defaults/main.yml 
@@ -34,6 +34,8 @@ common_packages: default_python_packages_trusty: - python-software-properties + - python-lxml + - python-boto default_python_packages: - python-lxml @@ -144,9 +146,6 @@ default_security_limits: '{{ root_security_limits }}' # - ':msg, contains, "icmp6_send: no reply to icmp error" ~' # - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~' -# -infrascience_internal_ppa: False - # # debian/ubuntu distributions controllers # diff --git a/library/roles/ubuntu-deb-general/meta/main.yml b/library/roles/ubuntu-deb-general/meta/main.yml index ad35f92d..4a05223d 100644 --- a/library/roles/ubuntu-deb-general/meta/main.yml +++ b/library/roles/ubuntu-deb-general/meta/main.yml @@ -1,10 +1,8 @@ --- dependencies: - role: '../../library/roles/deb-apt-setup' - - role: '../../library/roles/ubuntu-python-setup' - - role: '../../library/roles/deb-set-hostname' - - role: '../../library/roles/deb-set-locale' - - role: '../../library/roles/timezone' + - { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" } + - role: 'basic-system-setup' - role: '../../library/roles/motd' - role: '../../library/roles/ntp' - role: '../../library/roles/linux-kernel-sysctl' diff --git a/library/roles/ubuntu-deb-general/tasks/packages.yml b/library/roles/ubuntu-deb-general/tasks/packages.yml index ad434750..7e998911 100644 --- a/library/roles/ubuntu-deb-general/tasks/packages.yml +++ b/library/roles/ubuntu-deb-general/tasks/packages.yml 
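Review bot: `- role: 'basic-system-setup'` is the only dependency written without the `../../library/roles/` prefix the other entries use, so it is resolved from the roles_path rather than relative to this role; if it lives alongside the others the entry should read `- role: '../../library/roles/basic-system-setup'`, otherwise a comment naming where it comes from would help the next reader. It presumably replaces the deb-set-hostname, deb-set-locale and timezone roles deleted in this commit; stating that in the commit message or a comment here would make the dependency change traceable.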
@@ -3,18 +3,24 @@ apt: pkg=aptitude state=present cache_valid_time=1800 tags: packages -- name: Install the basic python packages - apt: pkg={{ default_python_packages }} state=present update_cache=yes cache_valid_time=1800 +- name: Install the basic python packages. Not Trusty + apt: pkg={{ default_python_packages }} state=present cache_valid_time=1800 + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_release != "trusty" tags: packages - name: Install the basic python packages on trusty apt: pkg={{ default_python_packages_trusty }} state=present update_cache=yes cache_valid_time=1800 - when: is_trusty | bool + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_release == "trusty" tags: packages - name: Install software-properties-common if needed apt: pkg=software-properties-common state=present update_cache=yes cache_valid_time=1800 - when: is_ubuntu | bool + when: + - ansible_distribution == "Ubuntu" tags: packages - name: Default the backports repository on debian 7 
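Review bot: `Install the basic python packages. Not Trusty` is now gated on `ansible_distribution == "Ubuntu"`, whereas before this change it ran unconditionally, so Debian hosts using this role stop receiving `default_python_packages` without any message. If that is not intended, keep only `- ansible_distribution_release != "trusty"`, or gate on `ansible_os_family == "Debian"`. The hunk also drops `update_cache=yes` from that task while the trusty variant keeps it; `cache_valid_time=1800` still refreshes a stale cache, so behaviour is fine, but the two tasks should be written the same way.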
@@ -32,49 +38,6 @@
   when: is_debian8 | bool
   tags: jessie-backports
 
-- name: apt key for the internal ppa repository
-  apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
-  when:
-    - is_ubuntu | bool
-    - egi_image is not defined or not egi_image
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Remove the broken system apt repository
-  apt_repository: repo='deb http://ppa.research-infrastructures.eu/system stable main' state=absent
-  when: is_ubuntu | bool
-  tags: packages
-
-- name: setup system apt repository
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system stable main' update_cache=yes
-  when:
-    - is_ubuntu | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Remove the broken system apt repository for specific distributions
-  apt_repository: repo='deb http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' state=absent
-  when: is_trusty | bool
-  tags: packages
-
-- name: setup system apt repository for specific distributions
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' update_cache=yes
-  when:
-    - is_trusty | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
-- name: Setup the infrascience trusty repository
-  apt_repository: repo='deb [arch=amd64] http://ppa.research-infrastructures.eu/trusty-infrascience {{ ansible_distribution_release }} main' update_cache=yes
-  when:
-    - is_trusty | bool
-    - infrascience_internal_ppa | bool
-  ignore_errors: True
-  tags: packages
-
 - name: install common packages
   apt: pkg={{ common_packages }} state={{ pkg_state }} update_cache=yes cache_valid_time=1800
   tags: [ 'packages', 'common_pkgs' ]
diff --git a/library/roles/ubuntu-deb-general/templates/ntp.conf.j2 b/library/roles/ubuntu-deb-general/templates/ntp.conf.j2
new file mode 100644
index 00000000..b4670dd6
--- /dev/null
+++ b/library/roles/ubuntu-deb-general/templates/ntp.conf.j2
@@ -0,0 +1,69 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+pool 2.ubuntu.pool.ntp.org iburst
+pool 3.ubuntu.pool.ntp.org iburst
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+{% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
+restrict {{ ip }} mask 255.255.255.255
+{% endfor %}
+{% endif %}
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+#Changes recquired to use pps synchonisation as explained in documentation:
+#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918
+
+#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS
+#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware
+
+#server 127.127.22.1 # ATOM(PPS)
+#fudge 127.127.22.1 flag3 1 # enable PPS API
diff --git a/library/roles/ubuntu-python-setup/defaults/main.yml b/library/roles/ubuntu-python-setup/defaults/main.yml
index 29565a57..593a2460 100644
--- a/library/roles/ubuntu-python-setup/defaults/main.yml
+++ b/library/roles/ubuntu-python-setup/defaults/main.yml
@@ -1,10 +1,12 @@
 ---
 python_pkgs_state: present
 python_get_pip_url: https://bootstrap.pypa.io/get-pip.py
-python_force_pip_fix: False
+force_python_fix: False
 
 python_basic_pkgs:
   - python-pip
+  - python-requests
+  - python-lxml
 
 python_pip_dev_packages:
   - libpython-dev
@@ -19,4 +21,5 @@ python_pip_fix_ssl_warnings:
   - ndg-httpsclient
   - urllib3
   - pyasn1
-
+  - ipaddress
+  - enum
diff --git a/library/roles/ubuntu-python-setup/tasks/main.yml b/library/roles/ubuntu-python-setup/tasks/main.yml
index 8aa3d735..d558410e 100644
--- a/library/roles/ubuntu-python-setup/tasks/main.yml
+++ b/library/roles/ubuntu-python-setup/tasks/main.yml
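Review bot: The `restrict {{ ip }} mask 255.255.255.255` line carries no flags, so every address in `nagios_monitoring_server_ip` gets unrestricted access to ntpd — mode 6/7 control queries, trap registration, peering and (where a key is configured) runtime modification — while the two comment lines kept from the stock Ubuntu file above it still describe an example that required cryptographic authentication, which this template does not set up. A monitoring check only needs `noquery` lifted, so `restrict {{ ip }} mask 255.255.255.255 nomodify notrap nopeer` is the least privilege that still lets it query, and the comment should say so (e.g. `# Allow the monitoring servers to query ntpd; still refuse modification, traps and peering.`). `mask 255.255.255.255` is IPv4-only, so an IPv6 entry in that list would need a different form, and if the variable is ever set to a single string rather than a list the `for` loop iterates its characters. The template is added under ubuntu-deb-general although meta/main.yml in this same patch depends on a separate ntp role, and no task visible in this patch renders it, so it may currently be unused.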
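Review bot: Renaming `python_force_pip_fix` to `force_python_fix` silently disables the override for any inventory or group_vars that still set the old name, because the task in tasks/main.yml now tests only `force_python_fix`. Keeping the old variable as a fallback preserves compatibility without a second knob, e.g. `force_python_fix: '{{ python_force_pip_fix | default(false) }}'`. The new name also drops the `python_` prefix every other variable in this defaults file carries, which makes it harder to tell which role it belongs to.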
@@ -1,7 +1,16 @@
 ---
 - block:
+  - name: Check if the pip downloader is already installed
+    stat:
+      path: '/usr/local/lib/get-pip.py'
+      get_checksum: yes
+      follow: no
+      checksum_algorithm: sha256
+    register: get_pip_file
+
   - name: Install the get-pip.py pip downloader
-    get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py
+    get_url: url={{ python_get_pip_url }} dest=/usr/local/lib/get-pip.py #checksum="sha256:{{ get_pip_file.stat.checksum }}"
+    when: not get_pip_file.stat.exists
 
   - name: Install a script that fixes the broken trusty pip package
     copy: src=pip-fixer.sh dest=/usr/local/bin/python-pip-fixer mode=0755 owner=root group=root
@@ -9,7 +18,7 @@
 
   - name: Fix the trusty pip installation
     shell: /usr/local/bin/python-pip-fixer
-    when: python_pip_fixer is changed or python_force_pip_fix
+    when: python_pip_fixer is changed or force_python_fix | bool
 
   - name: Install the python dev headers and other dev requirements
     apt: pkg={{ python_pip_dev_packages }} state={{ python_pkgs_state }} update_cache=yes cache_valid_time=1800
@@ -27,5 +36,5 @@
     pip: name={{ python_pip_fix_ssl_warnings | default ([]) }} state={{ python_pkgs_state }}
     register: python_pip_env_workaround
 
-  when: is_trusty
+  when: ansible_distribution_release == "trusty"
   tags: [ "python", 'py_env', 'ansible_setup' ]
diff --git a/library/roles/users/tasks/main.yml b/library/roles/users/tasks/main.yml
index 0b1bfd46..f648dce6 100644
--- a/library/roles/users/tasks/main.yml
+++ b/library/roles/users/tasks/main.yml
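Review bot: The commented-out `checksum` on the new `get_url` line would verify the download against the digest of the file already on disk, which exists only when the download is skipped, so it can never detect a changed or tampered get-pip.py; what is needed is a pinned, known-good digest, e.g. a role default (placeholder name `python_get_pip_sha256`, value to be taken from the upstream release) passed as `checksum="sha256:{{ python_get_pip_sha256 }}"`. With a pinned digest `get_url` should itself skip the download when the destination already matches, so the preceding `stat` task and the `when: not get_pip_file.stat.exists` guard become unnecessary; as written, that guard also means an existing get-pip.py is never refreshed even if `python_get_pip_url` changes. The `stat` task's `register`, `get_checksum` and `checksum_algorithm` are therefore computed and then not used by anything live in this hunk. The enclosing block continues past the end of the hunk.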
@@ -47,7 +47,17 @@
     with_items: '{{ users_system_users }}'
     when:
       - item.ssh_key is defined
-      - ( item.log_as_root is defined ) and ( item.log_as_root )
+      - item.log_as_root is defined
+      - item.log_as_root
+
+  - name: ensure that the users can not login with their ssh keys as root
+    authorized_key: user=root key="{{ item.ssh_key }}" state=absent
+    with_items: '{{ users_system_users }}'
+    when:
+      - item.ssh_key is defined
+      - item.log_as_root is defined
+      - not item.log_as_root
+
 
   when: users_system_users is defined
   tags: users
@@ -81,7 +91,16 @@
     with_items: '{{ users_system_users_adjunct }}'
     when:
       - item.ssh_key is defined
-      - ( item.log_as_root is defined ) and ( item.log_as_root )
+      - item.log_as_root is defined
+      - item.log_as_root
+
+  - name: ensure that the additional users cannot login with their ssh keys as root
+    authorized_key: user=root key="{{ item.ssh_key }}" state=absent
+    with_items: '{{ users_system_users_adjunct }}'
+    when:
+      - item.ssh_key is defined
+      - item.log_as_root is defined
+      - not item.log_as_root
 
   when: users_system_users_adjunct is defined
   tags: users
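Review bot: The new revocation task removes a user's key from root's authorized_keys only when `log_as_root` is explicitly present and false, so simply deleting the attribute from a user's entry — the natural way to revoke root access — leaves a previously installed root key in place; the `@@ -81,7 +91,16 @@` hunk for `users_system_users_adjunct` has the same gap. Replacing the two conditions `- item.log_as_root is defined` / `- not item.log_as_root` with `- not (item.log_as_root | default(false) | bool)` covers the undefined case and also normalises string spellings such as `"no"`, which a bare truth test may not treat as false; the grant task above it would then use the matching `- item.log_as_root | default(false) | bool`. Note that a user whose `ssh_key` is removed from the inventory altogether is still not revoked by either task, since both require `item.ssh_key is defined`. The enclosing `block` starts before the hunk.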