Fixes #719. Spostare i ruoli in repository dedicati.
This commit is contained in:
parent
db93e253b5
commit
289d299360
|
@ -1,95 +0,0 @@
|
|||
---
|
||||
apache_service_enabled: True
|
||||
apache_user: www-data
|
||||
apache_pkg_state: latest
|
||||
apache_group: '{{ apache_user }}'
|
||||
apache_from_ppa: False
|
||||
apache_ppa_repo: 'ppa:ondrej/apache2'
|
||||
|
||||
apache_listen_ports:
|
||||
- 80
|
||||
- '{{ apache_ssl_port }}'
|
||||
|
||||
# Possible choices: event, prefork (the old ones), worker (the threaded version), itm
|
||||
apache_mpm_mode: worker
|
||||
|
||||
apache_packages:
|
||||
- apache2
|
||||
- apache2-utils
|
||||
- libapache2-mod-xsendfile
|
||||
- unzip
|
||||
- zip
|
||||
|
||||
apache_modules_packages:
|
||||
- 'apache2-mpm-{{ apache_mpm_mode }}'
|
||||
|
||||
# Only one can be present at the same time. It needs to be listed as the last one
|
||||
apache_worker_modules:
|
||||
# - { name: 'mpm_itm', state: 'absent' }
|
||||
- { name: 'mpm_event', state: 'absent' }
|
||||
- { name: 'mpm_prefork', state: 'absent' }
|
||||
- { name: 'mpm_{{ apache_mpm_mode }}', state: 'present' }
|
||||
|
||||
# apache RPAF is needed to obtain the real client addresses when behind a reverse proxy
|
||||
apache_rpaf_install: False
|
||||
|
||||
apache_default_modules:
|
||||
- headers
|
||||
- rewrite
|
||||
- expires
|
||||
- xsendfile
|
||||
|
||||
apache_ssl_modules_enabled: True
|
||||
apache_ssl_port: 443
|
||||
apache_ssl_modules:
|
||||
- ssl
|
||||
- socache_shmcb
|
||||
apache_http_proxy_modules_enabled: False
|
||||
apache_http_proxy_modules:
|
||||
- proxy
|
||||
- proxy_ajp
|
||||
- proxy_http
|
||||
|
||||
apache_status_module: True
|
||||
apache_status_location: '/server-status'
|
||||
apache_status_allowed_hosts:
|
||||
- 127.0.0.1/8
|
||||
|
||||
apache_info_module: True
|
||||
apache_info_location: '/server-info'
|
||||
apache_info_allowed_hosts:
|
||||
- 127.0.0.1/8
|
||||
|
||||
apache_basic_auth: False
|
||||
apache_basic_auth_single_file: True
|
||||
apache_basic_auth_dir: /etc/apache2/auth
|
||||
apache_basic_auth_file: '{{ apache_basic_auth_dir }}/htpasswd'
|
||||
|
||||
apache_basic_auth_modules:
|
||||
- auth_basic
|
||||
- authn_file
|
||||
- authz_user
|
||||
|
||||
# Put them in a vault file. auth_file is optional. Not used when apache_basic_auth_single_file is true
|
||||
# apache_basic_users:
|
||||
# - { username:'', password:'', state:'present,absent', auth_file:'path_to_file' }
|
||||
|
||||
#
|
||||
apache_additional_packages: False
|
||||
apache_additional_packages_list:
|
||||
# - libapache2-mod-uwsgi
|
||||
# - ...
|
||||
#
|
||||
# Set this variable to load the modules you need
|
||||
apache_additional_modules: False
|
||||
apache_additional_modules_list: []
|
||||
# -
|
||||
# -
|
||||
|
||||
apache_letsencrypt_managed: True
|
||||
apache_letsencrypt_proxy_modules:
|
||||
- proxy
|
||||
- proxy_http
|
||||
|
||||
apache_letsencrypt_proxy_conf:
|
||||
- letsencrypt-proxy.conf
|
|
@ -1,25 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/apache.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/apache.log
|
||||
fi
|
||||
|
||||
echo "Reload the apache service" >> $LE_LOG_DIR/apache.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl reload apache2 >> $LE_LOG_DIR/apache.log 2>&1
|
||||
else
|
||||
service apache2 reload >> $LE_LOG_DIR/apache.log 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_DIR/apache.log
|
||||
|
||||
exit 0
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: apache2 reload
|
||||
service: name=apache2 state=reloaded
|
||||
|
||||
- name: apache2 restart
|
||||
service: name=apache2 state=restarted
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
---
|
||||
- name: Load the basic auth modules
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: '{{ apache_basic_auth_modules }}'
|
||||
notify: apache2 reload
|
||||
tags:
|
||||
- apache
|
||||
- apache_basic_auth
|
||||
|
||||
- name: Create the authentication directory
|
||||
file: path={{ apache_basic_auth_dir }} mode=0750 owner=root group={{ apache_group }} state=directory
|
||||
tags:
|
||||
- apache
|
||||
- apache_basic_auth
|
||||
|
||||
- name: Install the python-passlib library
|
||||
apt: pkg=python-passlib state=present
|
||||
tags:
|
||||
- apache
|
||||
- apache_basic_auth
|
||||
|
||||
- name: Create the basic auth file when it is unique to all the virtualhosts
|
||||
htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
|
||||
when: apache_basic_users is defined and apache_basic_auth_single_file
|
||||
with_items: '{{ apache_basic_users }}'
|
||||
tags:
|
||||
- apache
|
||||
- apache_basic_auth
|
||||
|
||||
- name: Create the basic auth files
|
||||
htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
|
||||
with_items: '{{ apache_basic_users | default([]) }}'
|
||||
when: apache_basic_users is defined and not apache_basic_auth_single_file
|
||||
tags:
|
||||
- apache
|
||||
- apache_basic_auth
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Enable the proxy modules needed by letsencrypt
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: '{{ apache_letsencrypt_proxy_modules }}'
|
||||
ignore_errors: True
|
||||
notify: apache2 reload
|
||||
|
||||
- name: Install the apache letsencrypt directives on trusty
|
||||
template: src={{ item }}.j2 dest=/etc/apache2/conf-available/{{ item }} owner=root group=root mode=0644
|
||||
with_items: '{{ apache_letsencrypt_proxy_conf }}'
|
||||
ignore_errors: True
|
||||
notify: apache2 reload
|
||||
|
||||
- name: Enable the apache letsencrypt directives on trusty
|
||||
file: src=/etc/apache2/conf-available/{{ item }} dest=/etc/apache2/conf-enabled/{{ item }} state=link
|
||||
with_items: '{{ apache_letsencrypt_proxy_conf }}'
|
||||
ignore_errors: True
|
||||
notify: apache2 reload
|
||||
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a letsencrypt hook for apache
|
||||
copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/apache2 owner=root group=root mode=4555
|
||||
|
||||
when:
|
||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install | bool
|
||||
- apache_letsencrypt_managed | bool
|
||||
tags: [ 'apache', 'letsencrypt' ]
|
||||
|
||||
- block:
|
||||
- name: Disable the letsencrypt conf
|
||||
file: dest=/etc/apache2/conf-enabled/letsencrypt-proxy.conf state=absent
|
||||
ignore_errors: True
|
||||
notify: apache2 reload
|
||||
|
||||
- name: Remove the letsencrypt hook for apache
|
||||
file: path={{ letsencrypt_acme_services_scripts_dir }}/apache2 state=absent
|
||||
|
||||
when: not apache_letsencrypt_managed | bool
|
||||
tags: [ 'apache', 'letsencrypt' ]
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
---
|
||||
- name: Load the required modules
|
||||
apache2_module: name={{ item }} state=present force=yes
|
||||
with_items: '{{ apache_default_modules }}'
|
||||
notify: apache2 reload
|
||||
ignore_errors: True
|
||||
tags: [ 'apache', 'apache_modules' ]
|
||||
|
||||
- name: Install the libapache2-mod-rpaf module
|
||||
apt: pkg=libapache2-mod-rpaf state=present
|
||||
when: apache_rpaf_install | bool
|
||||
tags: [ 'apache', 'apache_mods', 'apache_rpaf' ]
|
||||
|
||||
- name: Enable the apache rpaf module
|
||||
apache2_module: name=rpaf state=present
|
||||
when: apache_rpaf_install | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods', 'apache_rpaf' ]
|
||||
|
||||
- name: Load the apache ssl modules
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: '{{ apache_ssl_modules }}'
|
||||
when: apache_ssl_modules_enabled | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods' ]
|
||||
|
||||
- name: Load some apache proxy modules
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: '{{ apache_http_proxy_modules }}'
|
||||
when: apache_http_proxy_modules_enabled | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods' ]
|
||||
|
||||
- name: Load additional apache modules if any
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: '{{ apache_additional_modules_list | default ([]) }}'
|
||||
when: apache_additional_modules | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods' ]
|
||||
|
||||
- name: Disable apache modules if any
|
||||
apache2_module: name={{ item }} state=absent
|
||||
with_items: '{{ apache_modules_to_be_removed | default ([]) }}'
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods' ]
|
||||
|
||||
- name: Load the apache status module
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: status
|
||||
when: apache_status_module | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods', 'apache_status' ]
|
||||
|
||||
- name: Configure the apache status module
|
||||
template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
|
||||
with_items: status.conf
|
||||
when: apache_status_module | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods', 'apache_status' ]
|
||||
|
||||
- name: Load the apache info module
|
||||
apache2_module: name={{ item }} state=present
|
||||
with_items: info
|
||||
when: apache_info_module | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods', 'apache_info' ]
|
||||
|
||||
- name: Configure the apache info module
|
||||
template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
|
||||
with_items: info.conf
|
||||
when: apache_info_module | bool
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_mods', 'apache_info' ]
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the Ubuntu apache PPA
|
||||
apt_repository: repo='{{ apache_ppa_repo }}' update_cache=yes
|
||||
|
||||
when: apache_from_ppa
|
||||
tags: [ 'apache', 'apache_ppa' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the Ubuntu apache PPA
|
||||
apt_repository: repo='{{ apache_ppa_repo }}' update_cache=yes state=absent
|
||||
|
||||
when: not apache_from_ppa
|
||||
tags: [ 'apache', 'apache_ppa' ]
|
|
@ -1,44 +0,0 @@
|
|||
---
|
||||
- name: Install the apache packages
|
||||
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
with_items: '{{ apache_packages }}'
|
||||
tags: [ 'apache', 'apache_main_packages' ]
|
||||
|
||||
- name: Install the apache modules packages
|
||||
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
with_items: '{{ apache_modules_packages }}'
|
||||
when:
|
||||
- not apache_from_ppa
|
||||
- is_trusty
|
||||
tags: [ 'apache', 'apache_additional_packages' ]
|
||||
|
||||
- name: Install the apache additional packages, if any
|
||||
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
with_items: '{{ apache_additional_packages_list }}'
|
||||
when: apache_additional_packages
|
||||
tags: [ 'apache', 'apache_additional_packages' ]
|
||||
|
||||
- name: Instal the ports conf file
|
||||
template: src=ports.conf dest=/etc/apache2/ports.conf
|
||||
notify: apache2 reload
|
||||
tags: [ 'apache', 'apache_conf' ]
|
||||
|
||||
- name: Remove the default virtualhost file
|
||||
file: dest=/etc/apache2/sites-enabled/{{ item }} state=absent
|
||||
with_items:
|
||||
- 000-default
|
||||
- 000-default.conf
|
||||
notify: apache2 reload
|
||||
tags: apache
|
||||
|
||||
- name: Ensure that the apache service is enabled and started
|
||||
service: name=apache2 state=started enabled=yes
|
||||
when: apache_service_enabled
|
||||
ignore_errors: True
|
||||
tags: apache
|
||||
|
||||
- name: Ensure that the apache service is disabled and stopped if we do not want it running
|
||||
service: name=apache2 state=stopped enabled=no
|
||||
when: not apache_service_enabled
|
||||
ignore_errors: True
|
||||
tags: apache
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- import_tasks: apache-ppa.yml
|
||||
- import_tasks: apache.yml
|
||||
- import_tasks: apache-modules.yml
|
||||
- import_tasks: apache-basic-auth.yml
|
||||
when: apache_basic_auth
|
||||
- import_tasks: apache-letsencrypt.yml
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
|
@ -1,20 +0,0 @@
|
|||
<IfModule mod_info.c>
|
||||
|
||||
# Allow remote server configuration reports, with the URL of
|
||||
# http://servername/server-info (requires that mod_info.c be loaded).
|
||||
# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
|
||||
#
|
||||
<Location {{ apache_info_location }}>
|
||||
SetHandler server-info
|
||||
Require local
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
{% for addr in nagios_monitoring_server_ip %}
|
||||
Require ip {{ addr }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for addr in apache_info_allowed_hosts %}
|
||||
Require ip {{ addr }}
|
||||
{% endfor %}
|
||||
</Location>
|
||||
|
||||
</IfModule>
|
|
@ -1 +0,0 @@
|
|||
ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge"
|
|
@ -1,3 +0,0 @@
|
|||
{% for port in apache_listen_ports %}
|
||||
Listen {{ port }}
|
||||
{% endfor %}
|
|
@ -1,32 +0,0 @@
|
|||
<IfModule mod_status.c>
|
||||
# Allow server status reports generated by mod_status,
|
||||
# with the URL of http://servername/server-status
|
||||
# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
|
||||
|
||||
<Location {{ apache_status_location }}>
|
||||
SetHandler server-status
|
||||
Require local
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
{% for addr in nagios_monitoring_server_ip %}
|
||||
Require ip {{ addr }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for addr in apache_status_allowed_hosts %}
|
||||
Require ip {{ addr }}
|
||||
{% endfor %}
|
||||
</Location>
|
||||
|
||||
# Keep track of extended status information for each request
|
||||
ExtendedStatus On
|
||||
|
||||
# Determine if mod_status displays the first 63 characters of a request or
|
||||
# the last 63, assuming the request itself is greater than 63 chars.
|
||||
# Default: Off
|
||||
#SeeRequestTail On
|
||||
|
||||
<IfModule mod_proxy.c>
|
||||
# Show Proxy LoadBalancer status in mod_status
|
||||
ProxyStatus On
|
||||
</IfModule>
|
||||
|
||||
</IfModule>
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
|
||||
ldap_base_dn: "dc=research-infrastructures,dc=eu"
|
||||
ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
|
|
@ -1,33 +0,0 @@
|
|||
---
|
||||
- name: Install the ldap utilities
|
||||
apt: pkg={{ item }} state={{ pkg_state }}
|
||||
with_items:
|
||||
- ldapscripts
|
||||
- libpam-ldap
|
||||
tags: ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
|
||||
when: is_ubuntu_less_than_trusty
|
||||
tags: ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
|
||||
when: is_trusty
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf uri
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf bind dn
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf dn suffix
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags: ldap-client
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
# The distinguished name of the search base.
|
||||
BASE {{ ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
|
@ -1,14 +0,0 @@
|
|||
# The distinguished name of the search base.
|
||||
BASE {{ ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT {{ ldap_tls_cacert }}
|
|
@ -1,47 +0,0 @@
|
|||
---
|
||||
letsencrypt_acme_install: False
|
||||
# Set to false if a binary installation is needed (unsupported distributions)
|
||||
letsencrypt_pkg_install: True
|
||||
letsencrypt_acme_pkg_state: latest
|
||||
letsencrypt_acme_pkgs:
|
||||
- acmetool
|
||||
- libcap2-bin
|
||||
letsencrypt_acme_ppa_repo: 'ppa:hlandau/rhea'
|
||||
letsencrypt_acme_debian_repo: 'deb http://ppa.launchpad.net/hlandau/rhea/ubuntu xenial main'
|
||||
letsencrypt_acme_debian_repo_key: '9862409EF124EC763B84972FF5AC9651EDB58DFA'
|
||||
letsencrypt_acme_user: acme
|
||||
letsencrypt_acme_user_home: /var/lib/acme
|
||||
letsencrypt_acme_log_dir: /var/log/acme
|
||||
|
||||
letsencrypt_acme_command: acmetool
|
||||
letsencrypt_acme_command_opts: '--hooks={{ letsencrypt_acme_services_scripts_dir }} --batch --xlog.syslog --xlog.syslogseverity=INFO --xlog.file="{{ letsencrypt_acme_log_dir }}/certrequest.log" --xlog.fileseverity=TRACE'
|
||||
letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
|
||||
letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
|
||||
letsencrypt_acme_dest_dir: '{{ ansible_fqdn }}'
|
||||
letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ letsencrypt_acme_dest_dir }}'
|
||||
# The various services maintainers need to put the reconfigure/restart scripts there
|
||||
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
|
||||
|
||||
# responses parameters
|
||||
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
|
||||
letsencrypt_acme_agree_tos: true
|
||||
letsencrypt_acme_rsa_key_size: 4096
|
||||
letsencrypt_ocsp_must_staple: False
|
||||
# rsa|ecdsa
|
||||
letsencrypt_acme_key_type: ecdsa
|
||||
letsencrypt_acme_ecdsa_curve: nistp256
|
||||
letsencrypt_acme_email: sysadmin@example.com
|
||||
letsencrypt_specify_key_id: False
|
||||
letsencrypt_key_id: 'some random string'
|
||||
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
|
||||
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
|
||||
letsencrypt_acme_authenticator: listener
|
||||
letsencrypt_acme_cron_day_of_month: '*'
|
||||
letsencrypt_acme_cron_hour: '{{ range(1, 4) | random }}'
|
||||
letsencrypt_acme_cron_minute: '{{ range(0, 59) | random }}'
|
||||
|
||||
# desired parameters
|
||||
letsencrypt_acme_domains:
|
||||
- '{{ ansible_fqdn }}'
|
||||
letsencrypt_acme_standalone_port: 4402
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- name: Initialize letsencrypt acmetool
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
command: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'
|
||||
when: letsencrypt_acme_install
|
||||
ignore_errors: True
|
||||
|
|
@ -1,143 +0,0 @@
|
|||
---
|
||||
- name: Install the letsencrypt acmetool repo on ubuntu
|
||||
apt_repository: repo={{ letsencrypt_acme_ppa_repo }} state=present update_cache=yes
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- is_trusty
|
||||
- letsencrypt_pkg_install
|
||||
notify: Initialize letsencrypt acmetool
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the letsencrypt acmetool repo key on debian
|
||||
apt_key: keyserver=keyserver.ubuntu.com id={{ letsencrypt_acme_debian_repo_key }}
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- is_debian
|
||||
- letsencrypt_pkg_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the letsencrypt acmetool repo on debian
|
||||
apt_repository: repo={{ letsencrypt_acme_debian_repo }} state=present update_cache=yes
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- is_debian
|
||||
- letsencrypt_pkg_install
|
||||
notify: Initialize letsencrypt acmetool
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrypt acme user
|
||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
|
||||
when: letsencrypt_acme_install
|
||||
tags: [ 'letsencrypt', 'letsencrypt_user' ]
|
||||
|
||||
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
|
||||
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the letsencrypt acmetool package and some deps
|
||||
apt: pkg={{ letsencrypt_acme_pkgs }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- letsencrypt_pkg_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrypt acme config directory
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrypt acme desired domains directory
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrypt acme hooks directory
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install a default file that shell scripts can include
|
||||
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the letsencrypt acme responses file
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
|
||||
when: letsencrypt_acme_install
|
||||
tags: [ 'letsencrypt', 'letsencrypt_responses' ]
|
||||
|
||||
- name: Install the letsencrypt acme certs config file
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
|
||||
when: letsencrypt_acme_install
|
||||
register: letsencrypt_new_desired_file
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
|
||||
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- letsencrypt_acme_authenticator == 'listener'
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
||||
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- letsencrypt_acme_authenticator != 'listener'
|
||||
ignore_errors: True
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the sudoers config needed to run the acmetool hooks
|
||||
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create a directory where to put the cron job and hooks logs
|
||||
file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install a script that requests the certificates and manage the self signed certificate
|
||||
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
||||
when: letsencrypt_acme_install
|
||||
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_hook' ]
|
||||
|
||||
- name: Set certificates as to be revoked
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
|
||||
with_items: '{{ letsencrypt_certs_revoke_list }}'
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- letsencrypt_certs_revoke_list is defined
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Remove the old cron script
|
||||
file: dest=/usr/local/bin/cron-acme-cert-request state=absent
|
||||
when: letsencrypt_acme_install
|
||||
tags: [ 'letsencrypt', 'letsencrypt_cron' ]
|
||||
|
||||
- name: Install a daily cron job to renew the certificates when needed
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
|
||||
when: letsencrypt_acme_install
|
||||
tags: [ 'letsencrypt', 'letsencrypt_cron' ]
|
||||
|
||||
- name: letsencrypt acmetool request the first certificate
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
command: '/usr/local/bin/acme-cert-request'
|
||||
when: letsencrypt_new_desired_file is changed
|
||||
ignore_errors: True
|
||||
tags: letsencrypt
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
TMP_DIR=/var/tmp/acmetool
|
||||
BASE_DIR=/var/lib/acme
|
||||
RETVAL=
|
||||
|
||||
if [ -d $BASE_DIR/keys/fakeselfsignedcert -a -d $BASE_DIR/certs/fakeselfsignedcert ] ; then
|
||||
mkdir -p $TMP_DIR/{keys,certs}
|
||||
mv $BASE_DIR/keys/fakeselfsignedcert $TMP_DIR/keys
|
||||
mv $BASE_DIR/certs/fakeselfsignedcert $TMP_DIR/certs
|
||||
/bin/rm $BASE_DIR/live/{{ ansible_fqdn }}
|
||||
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
|
||||
fi
|
||||
|
||||
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile
|
||||
RETVAL=$?
|
||||
|
||||
if [ -d $TMP_DIR ] ; then
|
||||
if [ $RETVAL -ne 0 ] ; then
|
||||
mv $TMP_DIR/keys/fakeselfsignedcert $BASE_DIR/keys
|
||||
mv $TMP_DIR/certs/fakeselfsignedcert $BASE_DIR/certs
|
||||
cd $BASE_DIR/live
|
||||
ln -s ../certs/fakeselfsignedcert {{ ansible_fqdn }}
|
||||
fi
|
||||
rm -fr $TMP_DIR
|
||||
fi
|
||||
|
||||
exit $RETVAL
|
|
@ -1,2 +0,0 @@
|
|||
{{ letsencrypt_acme_user }} ALL=(root) NOPASSWD: {{ letsencrypt_acme_services_scripts_dir }}/
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
satisfy:
|
||||
names:
|
||||
{% for d in letsencrypt_acme_domains %}
|
||||
- {{ d }}
|
||||
{% endfor %}
|
||||
|
||||
request:
|
||||
{% if letsencrypt_ocsp_must_staple %}
|
||||
ocsp-must-staple: true
|
||||
{% endif %}
|
||||
challenge:
|
||||
http-ports:
|
||||
- {{ letsencrypt_acme_standalone_port }}
|
||||
|
||||
key:
|
||||
type: {{ letsencrypt_acme_key_type }}
|
||||
{% if letsencrypt_acme_key_type == 'rsa' %}
|
||||
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
|
||||
{% else %}
|
||||
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
||||
{% endif %}
|
||||
{% if letsencrypt_specify_key_id %}
|
||||
id: {{ letsencrypt_key_id }}
|
||||
{% endif %}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
LE_EMAIL={{ letsencrypt_acme_email }}
|
||||
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
|
||||
LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
|
||||
LE_LOG_DIR={{ letsencrypt_acme_log_dir }}
|
|
@ -1,13 +0,0 @@
|
|||
"acme-enter-email": "{{ letsencrypt_acme_email }}"
|
||||
"acme-agreement:{{ letsencrypt_tos_url }}": {{ letsencrypt_acme_agree_tos }}
|
||||
# https://acme-staging.api.letsencrypt.org/directory is the staging site.
|
||||
# This is the production site
|
||||
"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
|
||||
"acmetool-quickstart-choose-method": {{ letsencrypt_acme_authenticator }}
|
||||
"acmetool-quickstart-complete": true
|
||||
"acmetool-quickstart-install-cronjob": false
|
||||
"acmetool-quickstart-install-haproxy-script": false
|
||||
"acmetool-quickstart-install-redirector-systemd": false
|
||||
"acmetool-quickstart-key-type": {{ letsencrypt_acme_key_type }}
|
||||
"acmetool-quickstart-rsa-key-size": {{ letsencrypt_acme_rsa_key_size }}
|
||||
"acmetool-quickstart-ecdsa-curve": {{ letsencrypt_acme_ecdsa_curve }}
|
|
@ -1,125 +0,0 @@
|
|||
---
|
||||
nginx_enabled: True
|
||||
nginx_use_ppa: False
|
||||
nginx_ppa_repo: ppa:nginx/stable
|
||||
nginx_package_state: present
|
||||
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
nginx_ssl_level: intermediate
|
||||
|
||||
nginx_snippets_dir: /etc/nginx/snippets
|
||||
|
||||
nginx_conf_snippets:
|
||||
- nginx-compression.conf
|
||||
- nginx-websockets.conf
|
||||
- nginx-browser-cache.conf
|
||||
- letsencrypt-proxy.conf
|
||||
- nginx-proxy-params.conf
|
||||
- nginx-server-ssl.conf
|
||||
- nginx-cors.conf
|
||||
|
||||
nginx_old_snippets:
|
||||
- compression.conf
|
||||
|
||||
nginx_workers: 4
|
||||
nginx_worker_connections: 1024
|
||||
nginx_multi_accept: 'off'
|
||||
nginx_worker_rlimit_nofile: 2048
|
||||
nginx_server_tokens: 'off'
|
||||
|
||||
nginx_large_client_header_buffers: 4 8k
|
||||
|
||||
nginx_enable_compression: True
|
||||
nginx_gzip_vary: "on"
|
||||
nginx_gzip_proxied: any
|
||||
nginx_gzip_comp_level: 6
|
||||
nginx_gzip_buffers: 16 8k
|
||||
nginx_gzip_http_version: 1.1
|
||||
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
|
||||
|
||||
nginx_enable_browser_cache: True
|
||||
nginx_cache_control: public
|
||||
nginx_html_cache_expire: -1
|
||||
nginx_feed_cache_expire_enabled: False
|
||||
nginx_feed_cache_expire: 1h
|
||||
nginx_media_cache_expire: 1M
|
||||
nginx_css_js_cache_expire: -1
|
||||
|
||||
nginx_reverse_proxy: False
|
||||
nginx_define_x_real_ip: False
|
||||
nginx_set_original_uri: True
|
||||
nginx_proxy_buffering: "on"
|
||||
nginx_proxy_redirect: "off"
|
||||
nginx_proxy_buffer_size: 128k
|
||||
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
|
||||
nginx_proxy_busy_buffers_size: 256k
|
||||
nginx_proxy_connect_timeout: 30s
|
||||
nginx_proxy_read_timeout: 480s
|
||||
nginx_proxy_send_timeout: 120s
|
||||
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
|
||||
nginx_client_max_body_size: 100M
|
||||
nginx_client_body_timeout: 240s
|
||||
|
||||
nginx_cors_enabled: False
|
||||
nginx_cors_global: True
|
||||
nginx_cors_limit_origin: True
|
||||
nginx_cors_extended_rules: False
|
||||
nginx_cors_acl_origin: 'http?://(localhost)'
|
||||
# Possible methods:
|
||||
# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK
|
||||
nginx_cors_allowed_methods: 'GET, POST, OPTIONS'
|
||||
# Possible headers:
|
||||
# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, 
Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With, Observe'
|
||||
nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range,Observe'
|
||||
|
||||
# Find a set of acceptable defaults for the cache setup
|
||||
nginx_cache_enabled: False
|
||||
|
||||
nginx_use_ldap_pam_auth: False
|
||||
nginx_pam_svc_name: nginx
|
||||
nginx_ldap_uri: "ldap://ldap.example.org"
|
||||
nginx_ldap_base_dn: "dc=example,dc=org"
|
||||
nginx_basic_auth: False
|
||||
nginx_basic_auth_users:
|
||||
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
|
||||
# nginx_ldap_login_attribute: uid
|
||||
# nginx_ldap_pam_groupdn:
|
||||
nginx_webroot: /usr/share/nginx/html
|
||||
nginx_letsencrypt_managed: True
|
||||
nginx_websockets_support: False
|
||||
nginx_use_common_virthost: False
|
||||
# Set it to 'ssl http2' if the nginx version supports it
|
||||
nginx_ssl_type: ssl
|
||||
# When we do not use letsencrypt:
|
||||
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
|
||||
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
|
||||
nginx_block_dotfiles: True
|
||||
|
||||
# Virtualhost example
|
||||
# nginx_virthosts:
|
||||
# - virthost_name: '{{ ansible_fqdn }}'
|
||||
# listen: '{{ http_port }}'
|
||||
# server_name: '{{ ansible_fqdn }}'
|
||||
# server_aliases: ''
|
||||
# index: index.html
|
||||
# error_page: /path_to_error_page.html
|
||||
# ssl_enabled: False
|
||||
# ssl_only: False
|
||||
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
||||
# root: {{ nginx_webroot }}
|
||||
# server_tokens: 'off'
|
||||
# proxy_standard_setup: True
|
||||
# proxy_additional_options:
|
||||
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
|
||||
# locations:
|
||||
# - location: /
|
||||
# target: http://localhost:{{ local_http_port }}
|
||||
#
|
||||
# extra_parameters: |
|
||||
# location ~ \.php$ {
|
||||
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
# fastcgi_index index.php;
|
||||
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
# include fastcgi_params;
|
||||
# }
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/nginx.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
|
||||
fi
|
||||
|
||||
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
|
||||
else
|
||||
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_DIR/nginx.log
|
||||
|
||||
exit 0
|
|
@ -1,26 +0,0 @@
|
|||
|
||||
#
|
||||
auth [success=2 default=ignore] pam_unix.so nullok_secure
|
||||
auth [success=1 default=ignore] pam_ldap.so
|
||||
auth requisite pam_deny.so
|
||||
auth required pam_permit.so
|
||||
|
||||
#
|
||||
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||
account [success=1 default=ignore] pam_ldap.so
|
||||
account requisite pam_deny.so
|
||||
account required pam_permit.so
|
||||
|
||||
#
|
||||
password [success=1 default=ignore] pam_unix.so obscure sha512
|
||||
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
|
||||
password requisite pam_deny.so
|
||||
password required pam_permit.so
|
||||
|
||||
#
|
||||
session [default=1] pam_permit.so
|
||||
session requisite pam_deny.so
|
||||
session required pam_permit.so
|
||||
session optional pam_umask.so
|
||||
session required pam_unix.so
|
||||
session optional pam_ldap.so
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
service: name=nginx state=reloaded
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: '../../library/roles/ldap-client-config'
|
||||
when: nginx_use_ldap_pam_auth
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the python passlib library on deb based distributions
|
||||
apt: pkg=python-passlib state=present cache_valid_time=3600
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Install the python passlib library on RH based distributions
|
||||
yum: pkg=python-passlib state=present
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: Create the htpasswd file needed by the basic auth
|
||||
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
|
||||
with_items: '{{ nginx_basic_auth_users }}'
|
||||
|
||||
when: nginx_basic_auth
|
||||
tags: nginx
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
- import_tasks: nginx-deb.yml
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
- import_tasks: nginx-rh.yml
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
- import_tasks: nginx-config.yml
|
||||
- import_tasks: nginx-virtualhosts.yml
|
||||
when: nginx_use_common_virthost | bool
|
||||
- import_tasks: nginx-letsencrypt.yml
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
- import_tasks: basic-auth.yml
|
||||
- import_tasks: pam-ldap.yml
|
||||
|
||||
- name: Ensure that the webserver is running and enabled at boot time
|
||||
service: name=nginx state=started enabled=yes
|
||||
when: nginx_enabled
|
||||
ignore_errors: True
|
||||
tags: nginx
|
||||
|
||||
- name: Ensure that the webserver is stopped and disabled
|
||||
service: name=nginx state=stopped enabled=no
|
||||
when: not nginx_enabled
|
||||
ignore_errors: True
|
||||
tags: nginx
|
|
@ -1,45 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the snippets directory
|
||||
file: dest={{ nginx_snippets_dir }} state=directory
|
||||
|
||||
- name: Create the pki directory
|
||||
file: dest={{ pki_dir }}/nginx state=directory
|
||||
|
||||
- name: Create the client body tmp directory, if needed
|
||||
file: dest={{ nginx_client_body_temp_dir }}/nginx state=directory owner=www-data group=www-data mode=0700
|
||||
when: nginx_client_body_temp_dir is defined
|
||||
|
||||
- name: Create a dhparams file 2048 bits long
|
||||
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
|
||||
args:
|
||||
creates: '{{ pki_dir }}/nginx/dhparams.pem'
|
||||
when: nginx_ssl_level == 'intermediate'
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Install the supported configuration snippets
|
||||
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
|
||||
with_items: '{{ nginx_conf_snippets }}'
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Install the main nginx.conf
|
||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Remove the old configuration snippets
|
||||
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
|
||||
with_items: '{{ nginx_old_snippets }}'
|
||||
notify: Reload nginx
|
||||
|
||||
when: nginx_enabled | bool
|
||||
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
||||
|
||||
- block:
|
||||
- name: remove nginx default virtualhost
|
||||
file: dest=/etc/nginx/sites-enabled/default state=absent
|
||||
notify: Reload nginx
|
||||
|
||||
when:
|
||||
- nginx_enabled | bool
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
|
@ -1,27 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the Ubuntu PPA for nginx
|
||||
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
|
||||
when:
|
||||
- nginx_use_ppa
|
||||
- "'{{ ansible_distribution }}' == 'Ubuntu'"
|
||||
tags: [ 'nginx', 'nginx_ppa' ]
|
||||
|
||||
- name: Install the nginx web server
|
||||
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
|
||||
when:
|
||||
- not nginx_use_ldap_pam_auth
|
||||
- ansible_distribution_major_version <= '14'
|
||||
|
||||
- name: Install the nginx web server if we need ldap auth via pam
|
||||
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
|
||||
when:
|
||||
- nginx_use_ldap_pam_auth
|
||||
- ansible_distribution_major_version <= '14'
|
||||
|
||||
- name: Install the nginx web server on Ubuntu >= 16.04
|
||||
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
|
||||
when: ansible_distribution_major_version >= '16'
|
||||
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
tags: nginx
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a letsencrypt hook for nginx
|
||||
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
|
||||
|
||||
when:
|
||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
- nginx_letsencrypt_managed
|
||||
tags: [ 'nginx', 'letsencrypt' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the letsencrypt hook for nginx
|
||||
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
|
||||
|
||||
when: not nginx_letsencrypt_managed
|
||||
tags: [ 'nginx', 'letsencrypt' ]
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the nginx web server
|
||||
yum: pkg=nginx state={{ nginx_package_state }}
|
||||
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
tags: nginx
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the nginx webroot if different from the default
|
||||
file: dest={{ nginx_webroot }} state=directory mode=0755
|
||||
when: nginx_webroot != '/usr/share/nginx/html'
|
||||
|
||||
tags: [ 'nginx', 'virtualhost' ]
|
||||
|
||||
- name: Install and enable the nginx virtualhost files on Deb based systems
|
||||
block:
|
||||
- name: Install the nginx virtualhost files
|
||||
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
|
||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Enable the nginx virtualhosts
|
||||
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
|
||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||
notify: Reload nginx
|
||||
|
||||
when: ansible_distribution_file_variety == "Debian"
|
||||
tags: [ 'nginx', 'virtualhost' ]
|
||||
|
||||
- name: Install and enable the nginx virtualhost files on RH based systems
|
||||
block:
|
||||
- name: Install the nginx virtualhost files
|
||||
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
|
||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||
notify: Reload nginx
|
||||
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
tags: [ 'nginx', 'virtualhost' ]
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: Install pam service for nginx
|
||||
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
|
||||
notify: Reload nginx
|
||||
when: nginx_use_ldap_pam_auth
|
||||
tags: nginx
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
# The distinguished name of the search base.
|
||||
base {{ nginx_ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
uri {{ nginx_ldap_uri }}
|
||||
if {% nginx_ldap_login_attribute is defined %}
|
||||
pam_login_attribute {{ nginx_ldap_login_attribute }}
|
||||
{% endif %}
|
||||
if {% nginx_ldap_pam_groupdn is defined %}
|
||||
pam_groupdn
|
||||
{% endif %}
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
|
@ -1,9 +0,0 @@
|
|||
# Include this one inside a "server" directive listening on port 80, this way:
|
||||
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
||||
location ^~ /.well-known/acme-challenge {
|
||||
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
|
||||
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
|
||||
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
|
||||
}
|
||||
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
# include inside a 'server' directive
|
||||
#
|
||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
||||
expires {{ nginx_html_cache_expire }};
|
||||
}
|
||||
|
||||
{% if nginx_feed_cache_expire_enabled %}
|
||||
#
|
||||
location ~* \.(?:rss|atom)$ {
|
||||
expires {{ nginx_feed_cache_expire }};
|
||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
#
|
||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
||||
expires {{ nginx_media_cache_expire }};
|
||||
access_log off;
|
||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||
}
|
||||
|
||||
#
|
||||
location ~* \.(?:css|js)$ {
|
||||
expires {{ nginx_css_js_cache_expire }};
|
||||
access_log off;
|
||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
gzip_vary {{ nginx_gzip_vary }};
|
||||
gzip_proxied {{ nginx_gzip_proxied }};
|
||||
gzip_comp_level {{ nginx_gzip_comp_level }};
|
||||
gzip_buffers {{ nginx_gzip_buffers }};
|
||||
gzip_http_version {{ nginx_gzip_http_version }};
|
||||
gzip_types {{ nginx_gzip_types }};
|
|
@ -1,58 +0,0 @@
|
|||
{% if nginx_cors_extended_rules %}
|
||||
if ($request_method = 'OPTIONS') {
|
||||
{% if nginx_cors_limit_origin %}
|
||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||
{% else %}
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
{% endif %}
|
||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
|
||||
#
|
||||
# Custom headers and headers various browsers *should* be OK with but aren't
|
||||
#
|
||||
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
#
|
||||
# Tell client that this pre-flight info is valid for 20 days
|
||||
#
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
if ($request_method = 'POST') {
|
||||
{% if nginx_cors_limit_origin %}
|
||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||
{% else %}
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
{% endif %}
|
||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
|
||||
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
}
|
||||
if ($request_method = 'GET') {
|
||||
{% if nginx_cors_limit_origin %}
|
||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||
{% else %}
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
{% endif %}
|
||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
|
||||
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
}
|
||||
{% else %}
|
||||
{% if nginx_cors_limit_origin %}
|
||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||
{% else %}
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
{% endif %}
|
||||
if ($request_method = OPTIONS ) {
|
||||
return 204;
|
||||
}
|
||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
|
||||
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
|
||||
{% endif %}
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
# Proxy stuff
|
||||
# include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
{% if haproxy_ips is defined %}
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $remote_addr;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
{% else %}
|
||||
proxy_set_header Host $host;
|
||||
{% if nginx_define_x_real_ip %}
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if nginx_set_original_uri %}
|
||||
proxy_set_header nginx-request-uri $request_uri;
|
||||
{% endif %}
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_buffering {{ nginx_proxy_buffering }};
|
||||
proxy_buffer_size {{ nginx_proxy_buffer_size }};
|
||||
proxy_buffers {{ nginx_proxy_buffers }};
|
||||
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
|
||||
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
|
||||
proxy_redirect {{ nginx_proxy_redirect }};
|
||||
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
|
||||
proxy_read_timeout {{ nginx_proxy_read_timeout }};
|
||||
proxy_send_timeout {{ nginx_proxy_send_timeout }};
|
|
@ -1,49 +0,0 @@
|
|||
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
||||
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
|
||||
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
|
||||
{% else %}
|
||||
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
|
||||
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
|
||||
{% endif %}
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
|
||||
{% if nginx_ssl_level == 'old' %}
|
||||
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
{% else %}
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
{% endif %}
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
||||
ssl_prefer_server_ciphers on;
|
||||
{% endif %}
|
||||
{% if nginx_ssl_level == 'intermediate' %}
|
||||
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
|
||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
{% else %}
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
{% endif %}
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
||||
ssl_prefer_server_ciphers off;
|
||||
{% endif %}
|
||||
{% if nginx_ssl_level == 'modern' %}
|
||||
ssl_session_tickets off;
|
||||
# modern configuration. tweak to your needs.
|
||||
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
{% else %}
|
||||
ssl_protocols TLSv1.2;
|
||||
{% endif %}
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
{% endif %}
|
||||
{% if ansible_distribution_version is version_compare('14.04', '>=') %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
||||
ssl_trusted_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
|
||||
{% else %}
|
||||
ssl_trusted_certificate {{ nginx_ssl_fullchain_file | default('/etc/nginx/ssl/cacert.crt') }};
|
||||
{% endif %}
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
{% endif %}
|
|
@ -1,353 +0,0 @@
|
|||
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
||||
include /etc/nginx/snippets/nginx-websockets.conf;
|
||||
{% else %}
|
||||
{% if item.websockets is defined and item.websockets %}
|
||||
include /etc/nginx/snippets/nginx-websockets.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
listen {{ item.http_port | default ('80') }};
|
||||
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
||||
{% if nginx_block_dotfiles %}
|
||||
location ~ /\.(?!well-known).* {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
return 404;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if letsencrypt_acme_install %}
|
||||
include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
||||
{% endif %}
|
||||
|
||||
{% if item.access_log is defined %}
|
||||
access_log {{ item.access_log }};
|
||||
{% else %}
|
||||
access_log /var/log/nginx/{{ item.server_name }}_access.log;
|
||||
{% endif %}
|
||||
|
||||
{% if item.error_log is defined %}
|
||||
error_log {{ item.error_log }};
|
||||
{% else %}
|
||||
error_log /var/log/nginx/{{ item.server_name }}_error.log;
|
||||
{% endif %}
|
||||
|
||||
server_tokens {{ item.server_tokens | default('off') }};
|
||||
|
||||
{% if item.ssl_enabled and item.ssl_only %}
|
||||
location / {
|
||||
return 301 https://{{ item.server_name }}$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
root {{ item.root | default('/usr/share/nginx/html/') }};
|
||||
index {{ item.index | default('index.html index.htm') }};
|
||||
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
||||
location = /50x.html {
|
||||
root {{ item.error_path | default('/usr/share/nginx/html') }};
|
||||
}
|
||||
location = /favicon.ico {
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
{% if nginx_block_dotfiles %}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
return 404;
|
||||
}
|
||||
{% endif %}
|
||||
{% if haproxy_ips is defined %}
|
||||
# We are behind haproxy
|
||||
{% for ip in haproxy_ips %}
|
||||
set_real_ip_from {{ ip }};
|
||||
{% endfor %}
|
||||
real_ip_header X-Forwarded-For;
|
||||
{% endif %}
|
||||
|
||||
{% if item.max_body is defined %}
|
||||
client_max_body_size {{ item.max_body }};
|
||||
{% else %}
|
||||
client_max_body_size {{ nginx_client_max_body_size }};
|
||||
{% endif %}
|
||||
|
||||
{% if item.body_timeout is defined %}
|
||||
client_body_timeout {{ item.body_timeout }};
|
||||
{% else %}
|
||||
client_body_timeout {{ nginx_client_body_timeout }};
|
||||
{% endif %}
|
||||
|
||||
{% if nginx_cors_enabled %}
|
||||
{% if nginx_cors_global %}
|
||||
include /etc/nginx/snippets/nginx-cors.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.additional_options is defined %}
|
||||
{% for add_opt in item.additional_options %}
|
||||
{{ add_opt }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.http_acls is defined %}
|
||||
{% for acl in item.http_acls %}
|
||||
{{ acl }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% else %}
|
||||
{% if item.websockets is defined and item.websockets %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
||||
|
||||
# Proxy stuff
|
||||
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
|
||||
{% else %}
|
||||
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||
{% endif %}
|
||||
|
||||
{% if item.proxy_additional_options is defined %}
|
||||
{% for popt in item.proxy_additional_options %}
|
||||
{{ popt }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.locations is defined %}
|
||||
{% for location in item.locations -%}
|
||||
|
||||
location {{ location.location }} {
|
||||
|
||||
{% if nginx_cors_enabled %}
|
||||
{% if not nginx_cors_global %}
|
||||
{% if location.cors is defined and location.cors %}
|
||||
include /etc/nginx/snippets/nginx-cors.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if location.target is defined %}
|
||||
proxy_pass {{ location.target }};
|
||||
{% elif location.php_target is defined %}
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass {{ location.php_target }};
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
|
||||
#fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
include fastcgi_params;
|
||||
{% endif %}
|
||||
|
||||
{% if location.websockets is defined and location.websockets %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
{% endif %}
|
||||
|
||||
{% if location.extra_conf is defined %}
|
||||
{{ location.extra_conf }}
|
||||
{% endif %}
|
||||
|
||||
{% if location.acls is defined %}
|
||||
{% for acl in location.acls %}
|
||||
{{ acl }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if location.other_opts is defined %}
|
||||
{% for opt in location.other_opts %}
|
||||
{{ opt }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.extra_parameters is defined %}
|
||||
{{ item.extra_parameters }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
}
|
||||
|
||||
{% if item.ssl_enabled %}
|
||||
server {
|
||||
{% if item.https_port is defined %}
|
||||
listen {{ item.https_port }} {{ nginx_ssl_type }};
|
||||
{% else %}
|
||||
listen {{ https_port | default('443') }} {{ nginx_ssl_type }};
|
||||
{% endif %}
|
||||
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
||||
|
||||
{% if item.access_log is defined %}
|
||||
access_log {{ item.access_log }};
|
||||
{% else %}
|
||||
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
|
||||
{% endif %}
|
||||
|
||||
{% if item.error_log is defined %}
|
||||
error_log {{ item.error_log }};
|
||||
{% else %}
|
||||
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
|
||||
{% endif %}
|
||||
|
||||
root {{ item.root | default('/usr/share/nginx/html/') }};
|
||||
index {{ item.index | default('index.html index.htm') }};
|
||||
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
||||
location = /50x.html {
|
||||
root {{ item.error_path | default('/usr/share/nginx/html') }};
|
||||
}
|
||||
location = /favicon.ico {
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
{% if nginx_block_dotfiles %}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
return 404;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if haproxy_ips is defined %}
|
||||
# We are behind haproxy
|
||||
{% for ip in haproxy_ips %}
|
||||
set_real_ip_from {{ ip }};
|
||||
{% endfor %}
|
||||
real_ip_header X-Forwarded-For;
|
||||
{% endif %}
|
||||
|
||||
{% if item.max_body is defined %}
|
||||
client_max_body_size {{ item.max_body }};
|
||||
{% else %}
|
||||
client_max_body_size {{ nginx_client_max_body_size }};
|
||||
{% endif %}
|
||||
{% if item.body_timeout is defined %}
|
||||
client_body_timeout {{ item.body_timeout }};
|
||||
{% else %}
|
||||
client_body_timeout {{ nginx_client_body_timeout }};
|
||||
{% endif %}
|
||||
|
||||
include /etc/nginx/snippets/nginx-server-ssl.conf;
|
||||
|
||||
server_tokens {{ item.server_tokens | default('off') }};
|
||||
|
||||
{% if nginx_cors_enabled %}
|
||||
{% if nginx_cors_global %}
|
||||
include /etc/nginx/snippets/nginx-cors.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% else %}
|
||||
{% if item.websockets is defined and item.websockets %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.additional_options is defined %}
|
||||
{% for add_opt in item.additional_options %}
|
||||
{{ add_opt }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.https_acls is defined %}
|
||||
{% for acl in item.https_acls %}
|
||||
{{ acl }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
||||
|
||||
# Proxy stuff
|
||||
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
|
||||
{% else %}
|
||||
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||
{% endif %}
|
||||
|
||||
{% if item.proxy_additional_options is defined %}
|
||||
{% for popt in item.proxy_additional_options %}
|
||||
{{ popt }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.locations is defined %}
|
||||
{% for location in item.locations -%}
|
||||
location {{ location.location }} {
|
||||
|
||||
{% if nginx_cors_enabled %}
|
||||
{% if not nginx_cors_global %}
|
||||
{% if location.cors is defined and location.cors %}
|
||||
include /etc/nginx/snippets/nginx-cors.conf;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if location.target is defined %}
|
||||
proxy_pass {{ location.target }};
|
||||
{% elif location.php_target is defined %}
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass {{ location.php_target }};
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
|
||||
#fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
include fastcgi_params;
|
||||
{% endif %}
|
||||
|
||||
{% if location.websockets is defined and location.websockets %}
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
{% endif %}
|
||||
|
||||
{% if location.extra_conf is defined %}
|
||||
{{ location.extra_conf }}
|
||||
{% endif %}
|
||||
|
||||
{% if location.acls is defined %}
|
||||
{% for acl in location.acls %}
|
||||
{{ acl }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if location.other_opts is defined %}
|
||||
{% for opt in location.other_opts %}
|
||||
{{ opt }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.extra_parameters is defined %}
|
||||
{{ item.extra_parameters }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endif %}
|
|
@ -1,4 +0,0 @@
|
|||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
pid /run/nginx.pid;
|
||||
{% if ansible_distribution_file_variety == "Debian" %}
|
||||
user www-data;
|
||||
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
|
||||
worker_processes auto;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
{% else %}
|
||||
worker_processes {{ nginx_workers }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if ansible_distribution_file_variety == "RedHat" %}
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
|
||||
include /usr/share/nginx/modules/*.conf;
|
||||
{% endif %}
|
||||
|
||||
events {
|
||||
worker_connections {{ nginx_worker_connections }};
|
||||
multi_accept {{ nginx_multi_accept }};
|
||||
}
|
||||
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
|
||||
|
||||
http {
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens {{ nginx_server_tokens }};
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
large_client_header_buffers {{ nginx_large_client_header_buffers }};
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
{% if nginx_enable_compression %}
|
||||
include /etc/nginx/snippets/nginx-compression.conf;
|
||||
{% endif %}
|
||||
{% if nginx_websockets_support %}
|
||||
include /etc/nginx/snippets/nginx-websockets.conf;
|
||||
{% endif %}
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
{% if ansible_distribution_file_variety == "RedHat" %}
|
||||
# Load configuration files for the default server block.
|
||||
include /etc/nginx/default.d/*.conf;
|
||||
{% endif %}
|
||||
|
||||
{% if ansible_distribution_file_variety == "Debian" %}
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
{% endif %}
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
openjdk_default: 8
|
||||
jdk_default: '{{ openjdk_default }}'
|
||||
openjdk_pkg_state: present
|
||||
openjdk_version:
|
||||
- '{{ openjdk_default }}'
|
||||
|
||||
dismissed_openjdk_ppa: 'ppa:openjdk-r/ppa'
|
||||
openjdk_zulu_repo_install: False
|
||||
openjdk_zulu_repo_key_id: '0xB1998361219BD9C9'
|
||||
openjdk_zulu_repository: 'deb http://repos.azulsystems.com/{{ ansible_distribution | lower }} stable main'
|
||||
|
||||
openjdk_java_home: '/usr/lib/jvm/java-{{ openjdk_default }}-openjdk-amd64'
|
||||
openjdk_zulu_java_home: '/usr/lib/jvm/zulu-{{ openjdk_default }}-amd64'
|
||||
|
||||
openjdk_zulu_package_name: zulu
|
||||
|
||||
openjdk_pkgs:
|
||||
- jre-headless
|
||||
- jdk-headless
|
||||
# - jre
|
||||
# - jdk
|
||||
|
||||
oracle_jdk_ubuntu_ppa: 'ppa:webupd8team/java'
|
||||
openjdk_oracle_jdk_pkgs:
|
||||
- oracle-java7-installer
|
||||
- oracle-java7-set-default
|
||||
- oracle-java7-unlimited-jce-policy
|
||||
- oracle-java8-installer
|
||||
- oracle-java8-set-default
|
||||
- oracle-java8-unlimited-jce-policy
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Remove the openjdk-r ppa. It is not maintained anymore
|
||||
apt_repository: repo='{{ dismissed_openjdk_ppa }}' update_cache=yes state=absent
|
||||
|
||||
- name: Remove the Oracle JDK PPA
|
||||
apt_repository: repo='{{ oracle_jdk_ubuntu_ppa }}' state=absent update_cache=yes
|
||||
|
||||
- name: Check if we must use the Zulu repository
|
||||
set_fact:
|
||||
openjdk_zulu_repo_install: True
|
||||
when: ansible_distribution_major_version <= '16'
|
||||
|
||||
tags: [ 'jdk', 'openjdk' ]
|
||||
|
||||
- block:
|
||||
- name: Install the Zulu repository key
|
||||
apt_key: keyserver='hkp://keyserver.ubuntu.com' id={{ openjdk_zulu_repo_key_id }}
|
||||
|
||||
- name: Install the proper Zulu repository
|
||||
apt_repository: repo='{{ openjdk_zulu_repository }}' update_cache=yes
|
||||
|
||||
- name: Install the Zulu OpenJDK
|
||||
apt: pkg={{ openjdk_zulu_package_name }}-{{ item }} state={{ openjdk_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
with_items: '{{ openjdk_version }}'
|
||||
register: openjdk_installed
|
||||
|
||||
- name: Set the default OpenJDK as Zulu
|
||||
shell: update-java-alternatives -s /usr/lib/jvm/zulu-{{ openjdk_default }}-amd64
|
||||
when: openjdk_installed is changed
|
||||
|
||||
- name: Set the correct value for jdk_java_home when we are installing Zulu
|
||||
set_fact:
|
||||
jdk_java_home: '{{ openjdk_zulu_java_home }}'
|
||||
|
||||
when: openjdk_zulu_repo_install
|
||||
tags: [ 'jdk', 'openjdk' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the Zulu repository if it is present
|
||||
apt_repository: repo='{{ openjdk_zulu_repository }}' update_cache=yes state=absent
|
||||
|
||||
- name: Install the OpenJDK that comes with the distribution
|
||||
apt: pkg=openjdk-{{ item.0 }}-{{ item[1] }} state={{ openjdk_pkg_state }} update_cache=yes cache_valid_time=3600
|
||||
with_nested:
|
||||
- '{{ openjdk_version }}'
|
||||
- '{{ openjdk_pkgs }}'
|
||||
register: openjdk_installed
|
||||
|
||||
- name: Set the default OpenJDK
|
||||
shell: update-java-alternatives -s java-1.{{ openjdk_default }}.0-openjdk-amd64
|
||||
when: openjdk_installed is changed
|
||||
|
||||
- name: Set the correct value for jdk_java_home when we are installing the distribution OpenJDK
|
||||
set_fact:
|
||||
jdk_java_home: '{{ openjdk_java_home }}'
|
||||
|
||||
when: not openjdk_zulu_repo_install
|
||||
tags: [ 'jdk', 'openjdk' ]
|
||||
|
||||
- block:
|
||||
- name: Rebuild the Ubuntu keystore
|
||||
command: update-ca-certificates --fresh
|
||||
when: openjdk_installed is changed
|
||||
|
||||
tags: [ 'jdk', 'openjdk' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the Oracle JDK packages
|
||||
apt: pkg={{ openjdk_oracle_jdk_pkgs }} state=absent cache_valid_time=3600
|
||||
|
||||
- name: Remove the OpenJDK packages fthat come with the distribution when we use the Zulu repository
|
||||
apt: pkg=openjdk-{{ item.0 }}-{{ item[1] }} state=absent update_cache=yes cache_valid_time=3600
|
||||
with_nested:
|
||||
- '{{ openjdk_version }}'
|
||||
- '{{ openjdk_pkgs }}'
|
||||
when: openjdk_zulu_repo_install
|
||||
|
||||
tags: [ 'jdk', 'openjdk' ]
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
---
|
||||
tomcat_version: 7
|
||||
#tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
|
||||
# Disable the main tomcat instance
|
||||
tomcat_service_enabled: False
|
||||
|
||||
tomcat_m_instances_install: True
|
||||
|
||||
tomcat_m_host_manager_install: False
|
||||
tomcat_m_manager_install: False
|
||||
# Users and roles for the manager
|
||||
tomcat_m_manager_gui_user_enabled: False
|
||||
tomcat_m_manager_gui_user: guiadmin
|
||||
tomcat_m_manager_gui_r: "manager-gui"
|
||||
#tomcat_m_manager_gui_pwd: *Use a vault file*
|
||||
tomcat_m_manager_script_user_enabled: True
|
||||
tomcat_m_manager_script_user: scriptadmin
|
||||
tomcat_m_manager_script_r: "manager-script"
|
||||
#tomcat_m_manager_script_pwd: *Use a vault file*
|
||||
tomcat_m_manager_jmx_user_enabled: False
|
||||
tomcat_m_manager_jmx_user: jmxadmin
|
||||
tomcat_m_manager_jmx_r: "manager-jmx"
|
||||
#tomcat_m_manager_jmx_pwd: *Use a vault file*
|
||||
tomcat_m_manager_status_user_enabled: False
|
||||
tomcat_m_manager_status_user: statusadmin
|
||||
tomcat_m_manager_status_r: "manager-status"
|
||||
#tomcat_m_manager_status_pwd: *Use a vault file*
|
||||
|
||||
#tomcat_m_manager_other_roles:
|
||||
# - { role: '', user: '', password: '', user_roles: '' }
|
||||
|
||||
tomcat_m_instances_base_path: '/var/lib/tomcat_instances'
|
||||
tomcat_m_instances_logdir_base: '/var/log/tomcat_instances'
|
||||
tomcat_m_cache_base: '/var/cache/tomcat-instances'
|
||||
tomcat_m_default_user: 'tomcat{{ tomcat_version }}'
|
||||
tomcat_m_use_default_user: True
|
||||
tomcat_m_user_home: False
|
||||
tomcat_m_default_user_shell: /bin/false
|
||||
# Workaround for the '50 days shutdown' bug, until a fixed package will be available
|
||||
tomcat_m_shutdown_port: -1
|
||||
tomcat_m_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}"
|
||||
tomcat_m_max_threads: 200
|
||||
tomcat_m_min_heap_size: 2048m
|
||||
tomcat_m_heap_size: '{{ tomcat_m_min_heap_size }}'
|
||||
tomcat_m_permgen_size: 512m
|
||||
tomcat_m_file_encoding: 'UTF-8'
|
||||
tomcat_m_restart_timeout: 300
|
||||
# -server -Djava.awt.headless=true are always used. No need to specify them
|
||||
tomcat_m_java_opts_heap: "-Xms{{ tomcat_m_min_heap_size }} -Xmx{{ tomcat_m_heap_size }}"
|
||||
tomcat_m_java_opts_permgen: "-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
|
||||
tomcat_m_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
|
||||
tomcat_m_java_opts: ""
|
||||
tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC"
|
||||
# Use "-XX:+UseConcMarkSweepGC" to enable the CMS garbage collector (improved
|
||||
# response time). If you use that option and you run Tomcat on a machine with
|
||||
# exactly one CPU chip that contains one or two cores, you should also add
|
||||
# the "-XX:+CMSIncrementalMode" option.
|
||||
#tomcat_m_other_java_opts: "-Djsse.enableSNIExtension=false"
|
||||
tomcat_m_reverse_proxy_name_enabled: False
|
||||
tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}'
|
||||
tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}'
|
||||
tomcat_m_proxy_enabled: False
|
||||
tomcat_m_proxy_http_host: 'localhost'
|
||||
tomcat_m_proxy_http_port: '3128'
|
||||
tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}'
|
||||
tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}'
|
||||
tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}"
|
||||
tomcat_m_other_java_opts: ""
|
||||
tomcat_m_webapps_autodeploy: False
|
||||
tomcat_m_webapps_unpack: False
|
||||
tomcat_m_start_instances: True
|
||||
tomcat_m_enable_instances: True
|
||||
tomcat_m_jndi_pool: False
|
||||
tomcat_m_direct_access: False
|
||||
|
||||
# JMX and debugging
|
||||
tomcat_m_enable_remote_debugging: False
|
||||
tomcat_m_remote_debugging_host: '0.0.0.0'
|
||||
tomcat_m_remote_debugging_port: '8100'
|
||||
tomcat_m_remote_debugging_uri: '{{ tomcat_m_remote_debugging_host }}:{{ tomcat_m_remote_debugging_port }}'
|
||||
tomcat_m_jmx_enabled: False
|
||||
tomcat_m_jmx_auth_enabled: False
|
||||
tomcat_m_jmx_use_ssl: False
|
||||
tomcat_m_jmx_port: 8186
|
||||
# The following works with jdk >= 7.0.25 only
|
||||
tomcat_m_jmx_disable_additional_ports: True
|
||||
tomcat_m_jmx_localhost_only: False
|
||||
tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}'
|
||||
|
||||
#tomcat_m_jmx_auth_dir: '{{ tomcat_m_instances_base_path }}'
|
||||
# tomcat_m_jmx_monitorpass: define_in_a_vault_file
|
||||
# tomcat_m_jmx_controlpass: define_in_a_vault_file
|
||||
|
||||
# This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
|
||||
#
|
||||
#tomcat_m_instances:
|
||||
# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!-- The contents of this file will be loaded for each web application -->
|
||||
<Context>
|
||||
|
||||
<!-- Default set of monitored resources -->
|
||||
<WatchedResource>WEB-INF/web.xml</WatchedResource>
|
||||
|
||||
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
|
||||
<!--
|
||||
<Manager pathname="" />
|
||||
-->
|
||||
|
||||
<!-- Uncomment this to enable Comet connection tacking (provides events
|
||||
on session expiration as well as webapp lifecycle) -->
|
||||
<!--
|
||||
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
|
||||
-->
|
||||
|
||||
</Context>
|
|
@ -1,2 +0,0 @@
|
|||
monitorRole readonly
|
||||
controlRole readwrite
|
|
@ -1,49 +0,0 @@
|
|||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed with
|
||||
# this work for additional information regarding copyright ownership.
|
||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
|
||||
|
||||
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
|
||||
|
||||
############################################################
|
||||
# Handler specific properties.
|
||||
# Describes specific configuration info for Handlers.
|
||||
############################################################
|
||||
|
||||
1catalina.org.apache.juli.FileHandler.level = FINE
|
||||
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
|
||||
1catalina.org.apache.juli.FileHandler.prefix = catalina.
|
||||
|
||||
2localhost.org.apache.juli.FileHandler.level = FINE
|
||||
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
|
||||
2localhost.org.apache.juli.FileHandler.prefix = localhost.
|
||||
|
||||
java.util.logging.ConsoleHandler.level = FINE
|
||||
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
|
||||
|
||||
############################################################
|
||||
# Facility specific properties.
|
||||
# Provides extra control for each logger.
|
||||
############################################################
|
||||
|
||||
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
|
||||
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
|
||||
|
||||
# For example, set the com.xyz.foo logger to only log SEVERE
|
||||
# messages:
|
||||
#org.apache.catalina.startup.ContextConfig.level = FINE
|
||||
#org.apache.catalina.startup.HostConfig.level = FINE
|
||||
#org.apache.catalina.session.ManagerBase.level = FINE
|
||||
#org.apache.catalina.core.AprLifecycleListener.level=FINE
|
|
@ -1,52 +0,0 @@
|
|||
// Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
// contributor license agreements. See the NOTICE file distributed with
|
||||
// this work for additional information regarding copyright ownership.
|
||||
// The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
// (the "License"); you may not use this file except in compliance with
|
||||
// the License. You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
// ============================================================================
|
||||
// catalina.corepolicy - Security Policy Permissions for Tomcat 6
|
||||
//
|
||||
// This file contains a default set of security policies to be enforced (by the
|
||||
// JVM) when Catalina is executed with the "-security" option. In addition
|
||||
// to the permissions granted here, the following additional permissions are
|
||||
// granted to the codebase specific to each web application:
|
||||
//
|
||||
// * Read access to the document root directory
|
||||
//
|
||||
// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
|
||||
// ============================================================================
|
||||
|
||||
|
||||
// ========== SYSTEM CODE PERMISSIONS =========================================
|
||||
|
||||
|
||||
// These permissions apply to javac
|
||||
grant codeBase "file:${java.home}/lib/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
|
||||
// These permissions apply to all shared system extensions
|
||||
grant codeBase "file:${java.home}/jre/lib/ext/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
|
||||
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
|
||||
grant codeBase "file:${java.home}/../lib/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
|
||||
// These permissions apply to all shared system extensions when
|
||||
// ${java.home} points at $JAVA_HOME/jre
|
||||
grant codeBase "file:${java.home}/lib/ext/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
|
@ -1,10 +0,0 @@
|
|||
// These permissions apply to all JARs from Debian packages
|
||||
grant codeBase "file:/usr/share/java/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
grant codeBase "file:/usr/share/maven-repo/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
grant codeBase "file:/usr/share/ant/lib/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
|
@ -1,32 +0,0 @@
|
|||
// ========== CATALINA CODE PERMISSIONS =======================================
|
||||
|
||||
|
||||
// These permissions apply to the logging API
|
||||
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
|
||||
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
|
||||
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
|
||||
permission java.lang.RuntimePermission "shutdownHooks";
|
||||
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
|
||||
permission java.util.PropertyPermission "catalina.base", "read";
|
||||
permission java.util.logging.LoggingPermission "control";
|
||||
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
|
||||
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
// To enable per context logging configuration, permit read access to the appropriate file.
|
||||
// Be sure that the logging configuration is secure before enabling such access
|
||||
// eg for the examples web application:
|
||||
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
|
||||
};
|
||||
|
||||
// These permissions apply to the server startup code
|
||||
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
||||
|
||||
// These permissions apply to the servlet API classes
|
||||
// and those that are shared across all class loaders
|
||||
// located in the "lib" directory
|
||||
grant codeBase "file:${catalina.home}/lib/-" {
|
||||
permission java.security.AllPermission;
|
||||
};
|
|
@ -1,59 +0,0 @@
|
|||
// ========== WEB APPLICATION PERMISSIONS =====================================
|
||||
|
||||
|
||||
// These permissions are granted by default to all web applications
|
||||
// In addition, a web application will be given a read FilePermission
|
||||
// and JndiPermission for all files and directories in its document root.
|
||||
grant {
|
||||
// Required for JNDI lookup of named JDBC DataSource's and
|
||||
// javamail named MimePart DataSource used to send mail
|
||||
permission java.util.PropertyPermission "java.home", "read";
|
||||
permission java.util.PropertyPermission "java.naming.*", "read";
|
||||
permission java.util.PropertyPermission "javax.sql.*", "read";
|
||||
|
||||
// OS Specific properties to allow read access
|
||||
permission java.util.PropertyPermission "os.name", "read";
|
||||
permission java.util.PropertyPermission "os.version", "read";
|
||||
permission java.util.PropertyPermission "os.arch", "read";
|
||||
permission java.util.PropertyPermission "file.separator", "read";
|
||||
permission java.util.PropertyPermission "path.separator", "read";
|
||||
permission java.util.PropertyPermission "line.separator", "read";
|
||||
|
||||
// JVM properties to allow read access
|
||||
permission java.util.PropertyPermission "java.version", "read";
|
||||
permission java.util.PropertyPermission "java.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vendor.url", "read";
|
||||
permission java.util.PropertyPermission "java.class.version", "read";
|
||||
permission java.util.PropertyPermission "java.specification.version", "read";
|
||||
permission java.util.PropertyPermission "java.specification.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.specification.name", "read";
|
||||
|
||||
permission java.util.PropertyPermission "java.vm.specification.version", "read";
|
||||
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vm.specification.name", "read";
|
||||
permission java.util.PropertyPermission "java.vm.version", "read";
|
||||
permission java.util.PropertyPermission "java.vm.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vm.name", "read";
|
||||
|
||||
// Required for OpenJMX
|
||||
permission java.lang.RuntimePermission "getAttribute";
|
||||
|
||||
// Allow read of JAXP compliant XML parser debug
|
||||
permission java.util.PropertyPermission "jaxp.debug", "read";
|
||||
|
||||
// Precompiled JSPs need access to this package.
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
|
||||
|
||||
// Example JSPs need those to work properly
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
|
||||
// Precompiled JSPs need access to this system property.
|
||||
permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
|
||||
|
||||
// java.io.tmpdir should be usable as a temporary file directory
|
||||
permission java.util.PropertyPermission "java.io.tmpdir", "read";
|
||||
permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
|
||||
|
||||
};
|
|
@ -1,32 +0,0 @@
|
|||
// You can assign additional permissions to particular web applications by
|
||||
// adding additional "grant" entries here, based on the code base for that
|
||||
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
|
||||
//
|
||||
// Different permissions can be granted to JSP pages, classes loaded from
|
||||
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
|
||||
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
|
||||
//
|
||||
// For instance, assume that the standard "examples" application
|
||||
// included a JDBC driver that needed to establish a network connection to the
|
||||
// corresponding database and used the scrape taglib to get the weather from
|
||||
// the NOAA web server. You might create a "grant" entries like this:
|
||||
//
|
||||
// The permissions granted to the context root directory apply to JSP pages.
|
||||
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
|
||||
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
|
||||
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
|
||||
// };
|
||||
//
|
||||
// The permissions granted to the context WEB-INF/classes directory
|
||||
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
|
||||
// };
|
||||
//
|
||||
// The permission granted to your JDBC driver
|
||||
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
|
||||
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
|
||||
// };
|
||||
// The permission granted to the scrape taglib
|
||||
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
|
||||
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
|
||||
// };
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
- name: tomcat restart instances with changed configs
|
||||
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
|
||||
with_items: '{{ restart_needed.results }}'
|
||||
when: item is changed
|
||||
ignore_errors: True
|
||||
|
||||
- name: tomcat restart instances with changed jmx config
|
||||
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
|
||||
with_items: '{{ jmx_restart_needed.results }}'
|
||||
when: item is changed
|
||||
ignore_errors: True
|
||||
|
||||
- name: tomcat instances restart
|
||||
service: name='tomcat-instance-{{ item.http_port }}' state=restarted sleep=20
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
ignore_errors: True
|
||||
|
||||
- name: enable tomcat instances
|
||||
service: name='tomcat-instance-{{ item.http_port }}' state=started enabled=yes sleep=20
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
ignore_errors: True
|
||||
|
||||
- name: disable tomcat instances
|
||||
service: name='tomcat-instance-{{ item.http_port }}' state=stopped enabled=no sleep=20
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
ignore_errors: True
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: '../../library/roles/tomcat'
|
|
@ -1,214 +0,0 @@
|
|||
---
|
||||
#
|
||||
# Note: the library role 'tomcat' is a dependency
|
||||
#
|
||||
- name: disable the tomcat main instance
|
||||
service: name='tomcat{{ tomcat_version }}' state=stopped enabled=no
|
||||
when: not tomcat_service_enabled
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create a tomcat user for each instance if needed
|
||||
user: name={{ item.user }} home={{ item.user_home }} createhome=false shell={{ item.user_shell | default('/bin/false') }}
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when:
|
||||
- not tomcat_m_use_default_user | bool
|
||||
- item.user != "tomcat{{ tomcat_version }}"
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create a tomcat user if needed
|
||||
user: name={{ tomcat_m_default_user }} home={{ tomcat_m_instances_base_path }} createhome=false shell={{ tomcat_m_default_user_shell }}
|
||||
when:
|
||||
- tomcat_m_use_default_user | bool
|
||||
- tomcat_m_default_user != "tomcat{{ tomcat_version }}"
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create the instances directory trees
|
||||
file: dest={{ item.0.instance_path }}/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0755 state=directory
|
||||
with_nested:
|
||||
- '{{ tomcat_m_instances }}'
|
||||
- [ 'common/classes', 'conf/Catalina/localhost', 'conf/policy.d', 'lib', 'server/classes', 'shared/classes', 'webapps' ]
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create the instances log dirs
|
||||
file: dest={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create the instances work dirs
|
||||
file: dest={{ tomcat_m_cache_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create links to work dir inside the instances directory tree
|
||||
file: src={{ tomcat_m_cache_base }}/{{ item.http_port }} dest={{ item.instance_path }}/work state=link
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create links to log dir inside the instances directory tree
|
||||
file: src={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} dest={{ item.instance_path }}/logs state=link
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: tomcat_first_install
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Create the catalina tmp directory
|
||||
file: dest={{ item.catalina_tmp_directory }} state=directory owner={{ item.user }} group={{ item.user }} mode=0700
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when: item.catalina_tmp_directory is defined
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Populate the instances conf directory
|
||||
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
|
||||
with_nested:
|
||||
- '{{ tomcat_m_instances }}'
|
||||
- [ 'context.xml' ]
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Install catalina.properties
|
||||
template: src={{ item[1] }}.j2 dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
|
||||
with_nested:
|
||||
- '{{ tomcat_m_instances }}'
|
||||
- [ 'catalina.properties' ]
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_catalina_properties' ]
|
||||
|
||||
- name: Populate the instances conf/policy.d directory
|
||||
copy: src=policy.d/{{ item[1] }} dest={{ item.0.instance_path }}/conf/policy.d/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
|
||||
with_nested:
|
||||
- '{{ tomcat_m_instances }}'
|
||||
- [ '01system.policy', '02debian.policy', '03catalina.policy', '04webapps.policy', '50local.policy' ]
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Install logging.properties if we do not use log4j for the tomcat logging
|
||||
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
|
||||
with_nested:
|
||||
- '{{ tomcat_m_instances }}'
|
||||
- [ 'logging.properties' ]
|
||||
when:
|
||||
- tomcat_use_log4j is defined
|
||||
- not tomcat_use_log4j | bool
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances' ]
|
||||
|
||||
- name: Install the server.xml conf file
|
||||
template: src=tomcat-server.xml.j2 dest={{ item.instance_path }}/conf/server.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
|
||||
|
||||
- name: Install the web.xml file
|
||||
template: src=tomcat-web.xml.j2 dest={{ item.instance_path }}/conf/web.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
|
||||
|
||||
- name: Install the tomcat-admin package if the host-manager or manager apps are required
|
||||
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes
|
||||
when: tomcat_m_host_manager_install | bool or tomcat_m_manager_install | bool
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
|
||||
|
||||
- name: Install the catalina configuration for the tomcat manager
|
||||
template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
when: tomcat_m_manager_install | bool
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ]
|
||||
|
||||
- name: Install the catalina configuration for the tomcat host manager
|
||||
template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
when: tomcat_m_host_manager_install | bool
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ]
|
||||
|
||||
- name: Install the catalina configuration for the tomcat manager
|
||||
template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
|
||||
|
||||
- name: Install the instances startup scripts
|
||||
template: src=tomcat-instance.init.j2 dest=/etc/init.d/tomcat-instance-{{ item.http_port }} mode=0755 owner=root group=root
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: reload_systemd
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_init' ]
|
||||
|
||||
- name: Install the tomcat instances default file
|
||||
template: src=tomcat-default.j2 dest=/etc/default/tomcat-instance-{{ item.http_port }} mode=0640 owner=root group={{ item.user }}
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
notify: tomcat instances restart
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_default', 'jdk' ]
|
||||
|
||||
- name: Reload the systemd daemon if we are running on a systemd-backed server
|
||||
command: systemctl daemon-reload
|
||||
when:
|
||||
- ansible_service_mgr == 'systemd'
|
||||
- reload_systemd | bool
|
||||
|
||||
- name: Install a custom context.xml file
|
||||
template: src=tomcat-context.xml.j2 dest={{ item.instance_path }}/conf/context.xml owner={{ item.user }} group={{ item.user }} mode=0640
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
register: restart_needed
|
||||
notify: tomcat restart instances with changed configs
|
||||
when: tomcat_m_jndi_pool | bool
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_contextxml', 'jdk' ]
|
||||
|
||||
- name: Install a logrotate entry for the access log file
|
||||
template: src=tomcat.logrotate.j2 dest=/etc/logrotate.d/tomcat_instance-{{ item.http_port }} owner=root group=root mode=0644
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf' ]
|
||||
|
||||
- name: Install the jmx authorization file
|
||||
template: src=jmxremote.passwd.j2 dest={{ item.instance_path }}/conf/jmxremote.passwd owner={{ item.user }} group={{ item.user }} mode=0600
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when:
|
||||
- item.jmx_enabled is defined
|
||||
- item.jmx_auth_enabled is defined
|
||||
- item.jmx_enabled | bool
|
||||
- item.jmx_auth_enabled | bool
|
||||
register: jmx_restart_needed
|
||||
notify: tomcat restart instances with changed jmx config
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
|
||||
|
||||
- name: Install the jmx role file
|
||||
copy: src=jmxremote.access dest={{ item.instance_path }}/conf/jmxremote.access owner={{ item.user }} group={{ item.user }} mode=0644
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when:
|
||||
- item.jmx_enabled is defined
|
||||
- item.jmx_auth_enabled is defined
|
||||
- item.jmx_enabled | bool
|
||||
- item.jmx_auth_enabled | bool
|
||||
register: jmx_restart_needed
|
||||
notify: tomcat restart instances with changed jmx config
|
||||
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
|
||||
|
||||
- name: Start all the tomcat instances
|
||||
service: name='tomcat-instance-{{ item.http_port }}' state=started sleep=20
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when:
|
||||
- tomcat_first_install.changed | bool
|
||||
- tomcat_m_start_instances | bool
|
||||
tags: [ 'tomcat', 'tomcat_instances']
|
||||
ignore_errors: True
|
||||
|
||||
- name: Enable all the tomcat instances
|
||||
service: name='tomcat-instance-{{ item.http_port }}' enabled=yes
|
||||
with_items: '{{ tomcat_m_instances }}'
|
||||
when: tomcat_m_enable_instances | bool
|
||||
tags: [ 'tomcat', 'tomcat_instances']
|
|
@ -1,135 +0,0 @@
|
|||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed with
|
||||
# this work for additional information regarding copyright ownership.
|
||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageAccess unless the
|
||||
# corresponding RuntimePermission ("accessClassInPackage."+package) has
|
||||
# been granted.
|
||||
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageDefinition unless the
|
||||
# corresponding RuntimePermission ("defineClassInPackage."+package) has
|
||||
# been granted.
|
||||
#
|
||||
# by default, no packages are restricted for definition, and none of
|
||||
# the class loaders supplied with the JDK call checkPackageDefinition.
|
||||
#
|
||||
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
|
||||
|
||||
#
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "common"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
|
||||
# If left as blank,the JVM system loader will be used as Catalina's "common"
|
||||
# loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
|
||||
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "server"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
|
||||
# If left as blank, the "common" loader will be used as Catalina's "server"
|
||||
# loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
server.loader=${catalina.base}/server/classes,${catalina.base}/server/*.jar
|
||||
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "shared"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
|
||||
# the "common" loader will be used as Catalina's "shared" loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
# Please note that for single jars, e.g. bar.jar, you need the URL form
|
||||
# starting with file:.
|
||||
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
|
||||
|
||||
# List of JAR files that should not be scanned for configuration information
|
||||
# such as web fragments, TLD files etc. It must be a comma separated list of
|
||||
# JAR file names.
|
||||
# The JARs listed below include:
|
||||
# - Tomcat Bootstrap JARs
|
||||
# - Tomcat API JARs
|
||||
# - Catalina JARs
|
||||
# - Jasper JARs
|
||||
# - Tomcat JARs
|
||||
# - Common non-Tomcat JARs
|
||||
# - Sun JDK JARs
|
||||
# - Apple JDK JARs
|
||||
tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
|
||||
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
|
||||
annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
|
||||
catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
|
||||
jasper.jar,jasper-el.jar,ecj-*.jar,\
|
||||
tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
|
||||
tomcat-jni.jar,tomcat-spdy.jar,\
|
||||
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
|
||||
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
|
||||
tomcat-jdbc.jar,\
|
||||
tools.jar,\
|
||||
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
|
||||
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
|
||||
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
|
||||
commons-math*.jar,commons-pool*.jar,\
|
||||
jstl.jar,\
|
||||
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
|
||||
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
|
||||
jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
|
||||
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
|
||||
junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
|
||||
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
|
||||
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
|
||||
xom-*.jar
|
||||
|
||||
# Additional JARs (over and above the default JARs listed above) to skip when
|
||||
# scanning for Servlet 3.0 pluggability features. These features include web
|
||||
# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
|
||||
# must be a comma separated list of JAR file names.
|
||||
org.apache.catalina.startup.ContextConfig.jarsToSkip=
|
||||
|
||||
# Additional JARs (over and above the default JARs listed above) to skip when
|
||||
# scanning for TLDs. The list must be a comma separated list of JAR file names.
|
||||
org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
|
||||
|
||||
#
|
||||
# String cache configuration.
|
||||
tomcat.util.buf.StringCache.byte.enabled=true
|
||||
#tomcat.util.buf.StringCache.char.enabled=true
|
||||
#tomcat.util.buf.StringCache.trainThreshold=500000
|
||||
#tomcat.util.buf.StringCache.cacheSize=5000
|
||||
|
||||
{% if tomcat_m_catalina_opts is defined %}
|
||||
# Custom configurations
|
||||
{% for opt in tomcat_m_catalina_opts %}
|
||||
{{ opt }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,2 +0,0 @@
|
|||
monitorRole {{ item.jmx_monitorpass }}
|
||||
controlRole {{ item.jmx_controlpass }}
|
|
@ -1,79 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!-- The contents of this file will be loaded for each web application -->
|
||||
<Context>
|
||||
|
||||
<!-- Default set of monitored resources -->
|
||||
<WatchedResource>WEB-INF/web.xml</WatchedResource>
|
||||
|
||||
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
|
||||
<!--
|
||||
<Manager pathname="" />
|
||||
-->
|
||||
|
||||
<!-- Uncomment this to enable Comet connection tacking (provides events
|
||||
on session expiration as well as webapp lifecycle) -->
|
||||
<!--
|
||||
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
|
||||
-->
|
||||
{% if tomcat_m_jndi_pool %}
|
||||
{% if tomcat_jndi_pool_databases is defined %}
|
||||
{% for pool in tomcat_jndi_pool_databases %}
|
||||
<Resource name="{{ pool. jndi_resource_name | default('jdbc/postgres') }}"
|
||||
auth="Container"
|
||||
type="{{ pool.jndi_resource_type | default('javax.sql.DataSource') }}"
|
||||
driverClassName="{{ pool.jndi_class_name | default('org.postgresql.Driver') }}"
|
||||
url="jdbc:postgresql://{{ pool. jndi_db_host }}:{{ pool.jndi_db_port | default (5432) }}/{{ pool.jndi_db_name }}"
|
||||
username="{{ pool.jndi_db_user }}" password="{{ pool.jndi_db_pwd }}"
|
||||
maxActive="20"
|
||||
initialSize="0"
|
||||
minIdle="0"
|
||||
maxIdle="8"
|
||||
maxWait="10000"
|
||||
timeBetweenEvictionRunsMillis="30000"
|
||||
minEvictableIdleTimeMillis="60000"
|
||||
testWhileIdle="true"
|
||||
validationQuery="SELECT 1"
|
||||
maxAge="600000"
|
||||
rollbackOnReturn="true"
|
||||
/>
|
||||
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
<Resource name="jdbc/postgres"
|
||||
auth="Container"
|
||||
type="javax.sql.DataSource"
|
||||
driverClassName="org.postgresql.Driver"
|
||||
url="jdbc:postgresql://{{ tomcat_jndi_pool_host }}:{{ tomcat_jndi_pool_db_port | default (5432) }}/{{ tomcat_jndi_pool_db }}"
|
||||
username="{{ tomcat_jndi_pool_db_user }}" password="{{ tomcat_jndi_pool_db_pwd }}"
|
||||
maxActive="20"
|
||||
initialSize="0"
|
||||
minIdle="0"
|
||||
maxIdle="8"
|
||||
maxWait="10000"
|
||||
timeBetweenEvictionRunsMillis="30000"
|
||||
minEvictableIdleTimeMillis="60000"
|
||||
testWhileIdle="true"
|
||||
validationQuery="SELECT 1"
|
||||
maxAge="600000"
|
||||
rollbackOnReturn="true"
|
||||
/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
</Context>
|
|
@ -1,80 +0,0 @@
|
|||
{% if limits_nofile_value is defined %}
|
||||
ulimit -Hn {{ limits_nofile_value }}
|
||||
ulimit -Sn {{ limits_nofile_value }}
|
||||
{% endif %}
|
||||
TOMCAT_USER={{ item.user }}
|
||||
TOMCAT_GROUP={{ item.user }}
|
||||
JAVA_HOME={{ item.java_home }}
|
||||
JAVA_OPTS="-server -Djava.awt.headless=true -Dfile.encoding={{ tomcat_m_file_encoding }}"
|
||||
{% if jdk_default >= 8 %}
|
||||
JAVA_OPTS="{{ tomcat_m_additional_java_8_opts }} $JAVA_OPTS"
|
||||
{% endif %}
|
||||
|
||||
{% if item.java_heap is defined %}
|
||||
JAVA_HEAP="{{ item.java_heap }}"
|
||||
{% else %}
|
||||
JAVA_HEAP="{{ tomcat_m_java_opts_heap }}"
|
||||
{% endif %}
|
||||
JAVA_PERMGEN=
|
||||
{% if jdk_default <= 7 %}
|
||||
{% if item.java_permgen_size is defined %}
|
||||
JAVA_PERMGEN="-XX:MaxPermSize={{ item.java_permgen_size }}"
|
||||
{% else %}
|
||||
JAVA_PERMGEN="-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if item.java_opts is defined %}
|
||||
JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN"
|
||||
{% endif %}
|
||||
{% if item.java_gc_opts is defined %}
|
||||
JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
|
||||
{% endif %}
|
||||
{% if item.proxy_enabled is defined and item.proxy_enabled %}
|
||||
{% if item.proxy_opts is defined %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}"
|
||||
{% else %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if item.other_java_opts is defined %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
|
||||
{% endif %}
|
||||
{% if item.jmx_enabled is defined and item.jmx_enabled %}
|
||||
# JMX settings
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ item.jmx_port | default('8186') }}"
|
||||
{% if item.jmx_use_ssl is defined and item.jmx_use_ssl %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=true"
|
||||
{% else %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
|
||||
{% endif %}
|
||||
{% if item.jmx_localhost_only is defined and item.jmx_localhost_only %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.hostname=127.0.0.1"
|
||||
{% else %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname={{ tomcat_m_jmx_ip_address }}"
|
||||
{% endif %}
|
||||
{% if item.jmx_auth_enabled is defined and item.jmx_auth_enabled %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ item.jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ item.jmx_auth_dir }}/jmxremote.access"
|
||||
{% else %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
|
||||
{% endif %}
|
||||
{% if item.jmx_disable_additional_ports is defined and item.jmx_disable_additional_ports %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ item.jmx_port }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if item.remote_debugging is defined and item.remote_debugging %}
|
||||
# You will be able to use a java debugger on port {{ item.remote_debugging_uri }}.
|
||||
JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ item.remote_debugging_uri }},server=y,suspend=n"
|
||||
{% endif %}
|
||||
# WARNING: This directory will be destroyed and recreated at every startup !
|
||||
{% if item.catalina_tmp_directory is defined %}
|
||||
JVM_TMP={{ item.catalina_tmp_directory }}/jvm_tmp
|
||||
{% else %}
|
||||
JVM_TMP={{ item.instance_path }}/tmp/jvm_tmp
|
||||
{% endif %}
|
||||
{% if item.catalina_tmp_directory is defined %}
|
||||
export CATALINA_TMPDIR={{ item.catalina_tmp_directory }}
|
||||
{% endif %}
|
||||
# Additional options not managed by the provisioning tools
|
||||
if [ -f /etc/default/tomcat-instance-{{ item.http_port }}.local ] ; then
|
||||
. /etc/default/tomcat-instance-{{ item.http_port }}.local
|
||||
fi
|
|
@ -1,3 +0,0 @@
|
|||
<Context path="/host-manager"
|
||||
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/host-manager"
|
||||
antiResourceLocking="false" privileged="true" />
|
|
@ -1,310 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# /etc/init.d/tomcat-instance-{{ item.http_port }} -- startup script for the Tomcat {{ tomcat_version }} {{ item.user }} servlet engine on port {{ item.http_port }}
|
||||
#
|
||||
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
|
||||
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
|
||||
# Modified for Tomcat by Stefan Gybas <sgybas@debian.org>.
|
||||
# Modified for Tomcat6 by Thierry Carrez <thierry.carrez@ubuntu.com>.
|
||||
# Modified for Tomcat7 by Ernesto Hernandez-Novich <emhn@itverx.com.ve>.
|
||||
# Additional improvements by Jason Brittain <jason.brittain@mulesoft.com>.
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: tomcat-instance-{{ item.http_port }}
|
||||
# Required-Start: $local_fs $remote_fs $network
|
||||
# Required-Stop: $local_fs $remote_fs $network
|
||||
# Should-Start: $named
|
||||
# Should-Stop: $named
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Start Tomcat.
|
||||
# Description: Start the Tomcat servlet engine.
|
||||
### END INIT INFO
|
||||
|
||||
set -e
|
||||
|
||||
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
||||
NAME=tomcat-instance-{{ item.http_port }}
|
||||
DESC="Tomcat servlet engine"
|
||||
DEFAULT=/etc/default/$NAME
|
||||
JVM_TMP=/var/tmp/$NAME-tmp
|
||||
|
||||
if [ `id -u` -ne 0 ]; then
|
||||
echo "You need root privileges to run this script"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Make sure tomcat is started with system locale
|
||||
if [ -r /etc/default/locale ]; then
|
||||
. /etc/default/locale
|
||||
export LANG
|
||||
fi
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
if [ -r /etc/default/rcS ]; then
|
||||
. /etc/default/rcS
|
||||
fi
|
||||
|
||||
|
||||
# The following variables can be overwritten in $DEFAULT
|
||||
|
||||
# Run Tomcat {{ tomcat_version }} as this user ID and group ID
|
||||
TOMCAT{{ tomcat_version }}_USER={{ item.user }}
|
||||
TOMCAT{{ tomcat_version }}_GROUP={{ item.user }}
|
||||
|
||||
# this is a work-around until there is a suitable runtime replacement
|
||||
# for dpkg-architecture for arch:all packages
|
||||
# this function sets the variable OPENJDKS
|
||||
find_openjdks()
|
||||
{
|
||||
for jvmdir in /usr/lib/jvm/java-11-openjdk-*
|
||||
do
|
||||
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-11-openjdk-common" ]
|
||||
then
|
||||
OPENJDKS=$jvmdir
|
||||
fi
|
||||
done
|
||||
for jvmdir in /usr/lib/jvm/java-8-openjdk-*
|
||||
do
|
||||
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-8-openjdk-common" ]
|
||||
then
|
||||
OPENJDKS=$jvmdir
|
||||
fi
|
||||
done
|
||||
for jvmdir in /usr/lib/jvm/java-7-openjdk-*
|
||||
do
|
||||
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-7-openjdk-common" ]
|
||||
then
|
||||
OPENJDKS=$jvmdir
|
||||
fi
|
||||
done
|
||||
for jvmdir in /usr/lib/jvm/java-6-openjdk-*
|
||||
do
|
||||
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-6-openjdk-common" ]
|
||||
then
|
||||
OPENJDKS="${OPENJDKS} ${jvmdir}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
OPENJDKS=""
|
||||
find_openjdks
|
||||
# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
|
||||
# defined in $DEFAULT)
|
||||
JDK_DIRS="/usr/lib/jvm/default-java ${OPENJDKS} /usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun"
|
||||
|
||||
# Look for the right JVM to use
|
||||
for jdir in $JDK_DIRS; do
|
||||
if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
|
||||
JAVA_HOME="$jdir"
|
||||
fi
|
||||
done
|
||||
export JAVA_HOME
|
||||
|
||||
# Directory where the Tomcat binary distribution resides
|
||||
CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}
|
||||
|
||||
# Directory for per-instance configuration files and webapps
|
||||
CATALINA_BASE={{ item.instance_path }}
|
||||
|
||||
# Use the Java security manager? (yes/no)
|
||||
TOMCAT{{ tomcat_version }}_SECURITY=no
|
||||
|
||||
# Default Java options
|
||||
# Set java.awt.headless=true if JAVA_OPTS is not set so the
|
||||
# Xalan XSL transformer can work without X11 display on JDK 1.4+
|
||||
# It also looks like the default heap size of 64M is not enough for most cases
|
||||
# so the maximum heap size is set to 128M
|
||||
if [ -z "$JAVA_OPTS" ]; then
|
||||
JAVA_OPTS="-Djava.awt.headless=true -Xmx512M"
|
||||
fi
|
||||
|
||||
# End of variables that can be overwritten in $DEFAULT
|
||||
|
||||
# overwrite settings from default file
|
||||
if [ -f "$DEFAULT" ]; then
|
||||
. "$DEFAULT"
|
||||
fi
|
||||
|
||||
if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
|
||||
log_failure_msg "$NAME is not installed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
|
||||
|
||||
if [ -z "$CATALINA_TMPDIR" ]; then
|
||||
CATALINA_TMPDIR="$JVM_TMP"
|
||||
fi
|
||||
|
||||
# Set the JSP compiler if set in the ${ NAME }.default file
|
||||
if [ -n "$JSP_COMPILER" ]; then
|
||||
JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
|
||||
fi
|
||||
|
||||
SECURITY=""
|
||||
if [ "$TOMCAT{{ tomcat_version }}_SECURITY" = "yes" ]; then
|
||||
SECURITY="-security"
|
||||
fi
|
||||
|
||||
# Define other required variables
|
||||
CATALINA_PID="/var/run/$NAME.pid"
|
||||
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"
|
||||
|
||||
# Look for Java Secure Sockets Extension (JSSE) JARs
|
||||
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
|
||||
JSSE_HOME="${JAVA_HOME}/jre/"
|
||||
fi
|
||||
|
||||
catalina_sh() {
|
||||
# Escape any double quotes in the value of JAVA_OPTS
|
||||
JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"
|
||||
|
||||
AUTHBIND_COMMAND=""
|
||||
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
|
||||
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
|
||||
AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
|
||||
fi
|
||||
|
||||
# Define the command to run Tomcat's catalina.sh as a daemon
|
||||
# set -a tells sh to export assigned variables to spawned shells.
|
||||
TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
|
||||
CATALINA_HOME=\"$CATALINA_HOME\"; \
|
||||
CATALINA_BASE=\"$CATALINA_BASE\"; \
|
||||
JAVA_OPTS=\"$JAVA_OPTS\"; \
|
||||
CATALINA_PID=\"$CATALINA_PID\"; \
|
||||
CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
|
||||
LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
|
||||
cd \"$CATALINA_BASE\"; \
|
||||
\"$CATALINA_SH\" $@"
|
||||
|
||||
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
|
||||
TOMCAT_SH="'$TOMCAT_SH'"
|
||||
fi
|
||||
|
||||
# Run the catalina.sh script as a daemon
|
||||
set +e
|
||||
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
|
||||
chown $TOMCAT{{ tomcat_version }}_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
|
||||
start-stop-daemon --start -b -u "$TOMCAT{{ tomcat_version }}_USER" -g "$TOMCAT{{ tomcat_version }}_GROUP" \
|
||||
-c "$TOMCAT{{ tomcat_version }}_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
|
||||
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
|
||||
status="$?"
|
||||
set +a -e
|
||||
return $status
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
if [ -z "$JAVA_HOME" ]; then
|
||||
log_failure_msg "no JDK found - please set JAVA_HOME"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "$CATALINA_BASE/conf" ]; then
|
||||
log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
log_daemon_msg "Starting $DESC" "$NAME"
|
||||
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
|
||||
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
|
||||
>/dev/null; then
|
||||
|
||||
# Regenerate POLICY_CACHE file
|
||||
umask 022
|
||||
echo "// AUTO-GENERATED FILE from {{ item.instance_path }}/conf/policy.d/" \
|
||||
> "$POLICY_CACHE"
|
||||
echo "" >> "$POLICY_CACHE"
|
||||
cat $CATALINA_BASE/conf/policy.d/*.policy \
|
||||
>> "$POLICY_CACHE"
|
||||
|
||||
# Remove / recreate JVM_TMP directory
|
||||
rm -rf "$JVM_TMP"
|
||||
mkdir -p "$JVM_TMP" || {
|
||||
log_failure_msg "could not create JVM temporary directory"
|
||||
exit 1
|
||||
}
|
||||
chown $TOMCAT{{ tomcat_version }}_USER "$JVM_TMP"
|
||||
|
||||
catalina_sh start $SECURITY
|
||||
sleep 5
|
||||
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
|
||||
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
|
||||
>/dev/null; then
|
||||
if [ -f "$CATALINA_PID" ]; then
|
||||
rm -f "$CATALINA_PID"
|
||||
fi
|
||||
log_end_msg 1
|
||||
else
|
||||
log_end_msg 0
|
||||
fi
|
||||
else
|
||||
log_progress_msg "(already running)"
|
||||
log_end_msg 0
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping $DESC" "$NAME"
|
||||
|
||||
set +e
|
||||
if [ -f "$CATALINA_PID" ]; then
|
||||
start-stop-daemon --stop --pidfile "$CATALINA_PID" \
|
||||
--user "$TOMCAT{{ tomcat_version }}_USER" \
|
||||
--retry=TERM/20/KILL/5 >/dev/null
|
||||
if [ $? -eq 1 ]; then
|
||||
log_progress_msg "$DESC is not running but pid file exists, cleaning up"
|
||||
elif [ $? -eq 3 ]; then
|
||||
PID="`cat $CATALINA_PID`"
|
||||
log_failure_msg "Failed to stop $NAME (pid $PID)"
|
||||
exit 1
|
||||
fi
|
||||
rm -f "$CATALINA_PID"
|
||||
rm -rf "$JVM_TMP"
|
||||
else
|
||||
log_progress_msg "(not running)"
|
||||
fi
|
||||
log_end_msg 0
|
||||
set -e
|
||||
;;
|
||||
status)
|
||||
set +e
|
||||
start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
|
||||
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
|
||||
>/dev/null 2>&1
|
||||
if [ "$?" = "0" ]; then
|
||||
|
||||
if [ -f "$CATALINA_PID" ]; then
|
||||
log_success_msg "$DESC is not running, but pid file exists."
|
||||
exit 1
|
||||
else
|
||||
log_success_msg "$DESC is not running."
|
||||
exit 3
|
||||
fi
|
||||
else
|
||||
log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
|
||||
fi
|
||||
set -e
|
||||
;;
|
||||
restart|force-reload)
|
||||
if [ -f "$CATALINA_PID" ]; then
|
||||
$0 stop
|
||||
sleep 1
|
||||
fi
|
||||
$0 start
|
||||
;;
|
||||
try-restart)
|
||||
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
|
||||
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
|
||||
>/dev/null; then
|
||||
$0 start
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -1,3 +0,0 @@
|
|||
<Context path="/manager"
|
||||
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/manager"
|
||||
antiResourceLocking="false" privileged="true" />
|
|
@ -1,146 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
|
||||
{% if item.shutdown_port == '-1' %}
|
||||
<Server port="{{ item.shutdown_port }}" shutdown="SHUTDOWN_PORT_DISABLED">
|
||||
{% else %}
|
||||
<Server port="{{ item.shutdown_port }}" shutdown="{{ tomcat_m_shutdown_pwd }}">
|
||||
{% endif %}
|
||||
{% if tomcat_version <= 7 %}
|
||||
<Listener className="org.apache.catalina.core.JasperListener" />
|
||||
{% endif %}
|
||||
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
|
||||
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
|
||||
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
|
||||
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
|
||||
|
||||
<GlobalNamingResources>
|
||||
<Resource name="UserDatabase" auth="Container"
|
||||
type="org.apache.catalina.UserDatabase"
|
||||
description="User database that can be updated and saved"
|
||||
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
|
||||
pathname="conf/tomcat-users.xml" />
|
||||
</GlobalNamingResources>
|
||||
|
||||
<Service name="Catalina">
|
||||
|
||||
{% if item.http_enabled %}
|
||||
<Executor name="tomcatThreadPool"
|
||||
namePrefix="catalina-exec-"
|
||||
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
|
||||
maxThreads="{{ item.max_threads }}"
|
||||
minSpareThreads="10"
|
||||
/>
|
||||
{% endif %}
|
||||
|
||||
<!-- A "Connector" represents an endpoint by which requests are received
|
||||
and responses are returned. Documentation at :
|
||||
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
|
||||
Java AJP Connector: /docs/config/ajp.html
|
||||
APR (HTTP/AJP) Connector: /docs/apr.html
|
||||
Define a non-SSL HTTP/1.1 Connector on port 8080
|
||||
-->
|
||||
{% if item.http_enabled %}
|
||||
<!-- A http "Connector" using the shared thread pool-->
|
||||
<Connector executor="tomcatThreadPool"
|
||||
enableLookups="false"
|
||||
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
|
||||
maxThreads="{{ item.max_threads }}" connectionTimeout="60000"
|
||||
URIEncoding="UTF-8"
|
||||
bindOnInit="false" address="{{ item.http_address }}"
|
||||
port="{{ item.http_port }}" protocol="HTTP/1.1"
|
||||
maxPostSize="{{ item.max_post_size | default(104857600) }}"
|
||||
useBodyEncodingForURI="true"
|
||||
maxHttpHeaderSize="8192"
|
||||
disableUploadTimeout="true"
|
||||
{% if tomcat_m_reverse_proxy_name_enabled %}
|
||||
proxyName="{{ tomcat_m_reverse_proxy_name }}"
|
||||
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
|
||||
{% endif %}
|
||||
/>
|
||||
{% endif %}
|
||||
|
||||
{% if item.ajp_enabled %}
|
||||
<!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
|
||||
<Connector port="{{ item.ajp_port }}" protocol="AJP/1.3"
|
||||
enableLookups="false"
|
||||
address="{{ item.ajp_address }}"
|
||||
URIEncoding="UTF-8"
|
||||
useBodyEncodingForURI="true"
|
||||
maxHttpHeaderSize="8192"
|
||||
disableUploadTimeout="true"
|
||||
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
|
||||
maxThreads="{{ item.max_threads }}"
|
||||
connectionTimeout="60000"
|
||||
maxPostSize="{{ item.max_post_size | default(104857600) }}"
|
||||
{% if tomcat_m_reverse_proxy_name_enabled %}
|
||||
proxyName="{{ tomcat_m_reverse_proxy_name }}"
|
||||
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
|
||||
{% endif %}
|
||||
URIEncoding="UTF-8"
|
||||
bindOnInit="false" />
|
||||
{% endif %}
|
||||
|
||||
<Engine name="Catalina" defaultHost="localhost">
|
||||
|
||||
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
|
||||
via a brute-force attack -->
|
||||
<Realm className="org.apache.catalina.realm.LockOutRealm">
|
||||
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
||||
resources under the key "UserDatabase". Any edits
|
||||
that are performed against this UserDatabase are immediately
|
||||
available for use by the Realm. -->
|
||||
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
||||
resourceName="UserDatabase"/>
|
||||
</Realm>
|
||||
|
||||
<Host name="localhost" appBase="webapps"
|
||||
{% if item.unpack is defined %}
|
||||
unpackWARs="{{ item.unpack }}"
|
||||
{% else %}
|
||||
unpackWARs="False"
|
||||
{% endif %}
|
||||
{% if item.autodeploy is defined %}
|
||||
autoDeploy="{{ item.autodeploy }}"
|
||||
{% else %}
|
||||
autoDeploy="False"
|
||||
{% endif %}
|
||||
>
|
||||
|
||||
{% if item.access_log_enabled %}
|
||||
<!-- Automatically substitutes the IP with the one contained
|
||||
in the x-forwarded-for header if that header is set -->
|
||||
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
|
||||
<!-- Access log processes all example.
|
||||
Documentation at: /docs/config/valve.html
|
||||
Note: The pattern used is equivalent to using pattern="combined" -->
|
||||
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
|
||||
prefix="localhost_access." suffix="log"
|
||||
{% if tomcat_m_direct_access %}
|
||||
pattern="combined"
|
||||
{% else %}
|
||||
pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s "%r" %b %{User-Agent}i"
|
||||
|
||||
{% endif %}
|
||||
rotatable="False"
|
||||
/>
|
||||
{% endif %}
|
||||
</Host>
|
||||
</Engine>
|
||||
</Service>
|
||||
</Server>
|
|
@ -1,49 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<tomcat-users>
|
||||
<!--
|
||||
NOTE: By default, no user is included in the "manager-gui" role required
|
||||
to operate the "/manager/html" web application. If you wish to use this app,
|
||||
you must define such a user - the username and password are arbitrary.
|
||||
-->
|
||||
{% if tomcat_m_host_manager_install or tomcat_m_manager_install %}
|
||||
<role rolename="manager-gui"/>
|
||||
<role rolename="manager-script"/>
|
||||
<role rolename="manager-jmx"/>
|
||||
<role rolename="manager-status"/>
|
||||
{% if tomcat_m_manager_gui_user_enabled %}
|
||||
<user username="{{ tomcat_m_manager_gui_user }}" password="{{ tomcat_m_manager_gui_pwd }}" roles="{{ tomcat_m_manager_gui_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_m_manager_script_user_enabled %}
|
||||
<user username="{{ tomcat_m_manager_script_user }}" password="{{ tomcat_m_manager_script_pwd }}" roles="{{ tomcat_m_manager_script_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_m_manager_jmx_user_enabled %}
|
||||
<user username="{{ tomcat_m_manager_jmx_user }}" password="{{ tomcat_m_manager_jmx_pwd }}" roles="{{ tomcat_m_manager_jmx_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_m_manager_status_user_enabled %}
|
||||
<user username="{{ tomcat_m_manager_status_user }}" password="{{ tomcat_m_manager_status_pwd }}" roles="{{ tomcat_m_manager_status_r }}"/>
|
||||
{% endif %}
|
||||
|
||||
{% if tomcat_m_manager_other_roles is defined %}
|
||||
{% for t_adm in tomcat_m_manager_other_roles %}
|
||||
<role rolename="{{ t_adm.role }}"/>
|
||||
<user username="{{ t_adm.user }}" password="{{ t_adm.password }}" roles="{{ t_adm.user_roles }}"/>
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
</tomcat-users>
|
|
@ -1,17 +0,0 @@
|
|||
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/catalina.out {
|
||||
copytruncate
|
||||
{{ item.log_rotation_freq }}
|
||||
rotate {{ item.log_retain }}
|
||||
compress
|
||||
missingok
|
||||
create 640 {{ item.user }} adm
|
||||
}
|
||||
|
||||
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/localhost_access.log {
|
||||
copytruncate
|
||||
{{ item.log_rotation_freq }}
|
||||
rotate {{ item.log_retain }}
|
||||
compress
|
||||
missingok
|
||||
create 640 {{ item.user }} adm
|
||||
}
|
|
@ -1,135 +0,0 @@
|
|||
---
|
||||
# The tomcat version is set at runtime. It changes from one distribution to the other.
|
||||
#tomcat_version: 7
|
||||
# To force a tomcat version set the following variable:
|
||||
# tomcat_fixed_version: 9
|
||||
tomcat_pkg_state: present
|
||||
tomcat_service_enabled: True
|
||||
tomcat_pkgs:
|
||||
- 'tomcat{{ tomcat_version }}'
|
||||
- 'libtomcat{{ tomcat_version }}-java'
|
||||
- 'tomcat{{ tomcat_version }}-common'
|
||||
- libapr1
|
||||
|
||||
tomcat8_additional_pkgs:
|
||||
- jsvc
|
||||
- libcommons-daemon-java
|
||||
|
||||
tomcat_user: 'tomcat{{ tomcat_version }}'
|
||||
tomcat_max_threads: 200
|
||||
|
||||
tomcat_min_heap_size: 2048m
|
||||
tomcat_permgen_defined: True
|
||||
tomcat_heap_size: '{{ tomcat_min_heap_size }}'
|
||||
tomcat_permgen_size: 512m
|
||||
tomcat_file_encoding: 'UTF-8'
|
||||
tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}"
|
||||
tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
|
||||
tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
|
||||
#tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
|
||||
tomcat_proxy_enabled: False
|
||||
tomcat_proxy_http_host: 'localhost'
|
||||
tomcat_proxy_http_port: '3128'
|
||||
tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}'
|
||||
tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}'
|
||||
tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}"
|
||||
tomcat_other_java_opts: ""
|
||||
tomcat_install_server_xml: True
|
||||
tomcat_install_default_conf: True
|
||||
tomcat_load_additional_default_conf: True
|
||||
tomcat_http_enabled: True
|
||||
tomcat_http_port: 8080
|
||||
tomcat_http_address: 0.0.0.0
|
||||
tomcat_webapps_autodeploy: False
|
||||
tomcat_webapps_unpack: False
|
||||
tomcat_ajp_enabled: False
|
||||
tomcat_ajp_port: 8009
|
||||
tomcat_ajp_address: 127.0.0.1
|
||||
tomcat_direct_access: False
|
||||
tomcat_reverse_proxy_name_enabled: False
|
||||
tomcat_reverse_proxy_name: '{{ ansible_fqdn }}'
|
||||
tomcat_reverse_proxy_port: '{{ http_port | default(80) }}'
|
||||
# There is a bug that kills tomcat after 50 days if the shutdown port is enabled
|
||||
# Disable the shutdown port by default
|
||||
#tomcat_shutdown_port: 8005
|
||||
tomcat_shutdown_port: -1
|
||||
tomcat_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits') }}"
|
||||
tomcat_restart_timeout: 300
|
||||
tomcat_max_post_size: 1000000
|
||||
tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
|
||||
tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
|
||||
tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
|
||||
tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
|
||||
tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/'
|
||||
tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
|
||||
tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
|
||||
|
||||
# JMX and debugging
|
||||
tomcat_enable_remote_debugging: False
|
||||
tomcat_remote_debugging_host: '0.0.0.0'
|
||||
tomcat_remote_debugging_port: ':8100'
|
||||
tomcat_remote_debugging_uri: '{{ tomcat_remote_debugging_host }}:{{ tomcat_remote_debugging_port }}'
|
||||
#
|
||||
tomcat_jmx_enabled: False
|
||||
tomcat_jmx_auth_enabled: False
|
||||
tomcat_jmx_port: 8082
|
||||
tomcat_jmx_auth_dir: '{{ tomcat_conf_dir }}'
|
||||
tomcat_jmx_use_ssl: False
|
||||
# The following work with jdk >= 7.0.25 only
|
||||
tomcat_jmx_disable_additional_ports: True
|
||||
tomcat_jmx_localhost_only: False
|
||||
# tomcat_jmx_monitorpass: define_in_a_vault_file
|
||||
# tomcat_jmx_controlpass: define_in_a_vault_file
|
||||
|
||||
# Metrics monitoring via javamelody
|
||||
tomcat_javamelody: True
|
||||
#tomcat_javamelody_version: latest
|
||||
tomcat_javamelody_version: 1.79.0
|
||||
|
||||
# tomcat logging
|
||||
tomcat_logdir: '/var/log/tomcat{{ tomcat_version }}'
|
||||
tomcat_use_log4j: True
|
||||
tomcat_install_the_log4j_properties: True
|
||||
tomcat_retain_old_logs: 30
|
||||
tomcat_log_rotation_threshold: "ALL"
|
||||
tomcat_log_max_file_size: "100MB"
|
||||
tomcat_log_level: INFO
|
||||
tomcat_log_logger: CATALINA
|
||||
tomcat_access_log_enabled: True
|
||||
tomcat_access_log_rotation_freq: "daily"
|
||||
#
|
||||
# Define them if you want to send all the logs to an ELK installation
|
||||
tomcat_send_to_logstash: False
|
||||
tomcat_logstash_collector_host: logstash
|
||||
tomcat_logstash_collector_socketappender_port: 4560
|
||||
tomcat_logstash_collector_socketappender_reconndelay: 10000
|
||||
# Set to LOGSTASH only if you do not want local logs
|
||||
tomcat_logstash_logger: CATALINA, LOGSTASH
|
||||
|
||||
|
||||
#tomcat_access_log_file_name: localhost_access.log
|
||||
#
|
||||
# Administrative interface
|
||||
tomcat_install_admin: False
|
||||
tomcat_manager_gui_user_enabled: True
|
||||
tomcat_manager_gui_user: guiadmin
|
||||
tomcat_manager_gui_r: "manager-gui"
|
||||
#tomcat_manager_gui_pwd: *See the vault file*
|
||||
tomcat_manager_script_user_enabled: False
|
||||
tomcat_manager_script_user: scriptadmin
|
||||
tomcat_manager_script_r: "manager-script"
|
||||
#tomcat_manager_script_pwd: *See the vault file*
|
||||
tomcat_manager_jmx_user_enabled: False
|
||||
tomcat_manager_jmx_user: jmxadmin
|
||||
tomcat_manager_jmx_r: "manager-jmx"
|
||||
#tomcat_manager_jmx_pwd: *See the vault file*
|
||||
tomcat_manager_status_user_enabled: False
|
||||
tomcat_manager_status_user: statusadmin
|
||||
tomcat_manager_status_r: "manager-status"
|
||||
#tomcat_manager_status_pwd: *See the vault file*
|
||||
#
|
||||
tomcat_install_jdbc: False
|
||||
tomcat_install_pg_jdbc: '{{ tomcat_install_jdbc }}'
|
||||
# Not used yet
|
||||
tomcat_install_mysql_jdbc: False
|
||||
|
|
@ -1,131 +0,0 @@
|
|||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed with
|
||||
# this work for additional information regarding copyright ownership.
|
||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageAccess unless the
|
||||
# corresponding RuntimePermission ("accessClassInPackage."+package) has
|
||||
# been granted.
|
||||
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
# will cause a security exception to be thrown when
|
||||
# passed to checkPackageDefinition unless the
|
||||
# corresponding RuntimePermission ("defineClassInPackage."+package) has
|
||||
# been granted.
|
||||
#
|
||||
# by default, no packages are restricted for definition, and none of
|
||||
# the class loaders supplied with the JDK call checkPackageDefinition.
|
||||
#
|
||||
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
|
||||
|
||||
#
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "common"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
|
||||
# If left as blank,the JVM system loader will be used as Catalina's "common"
|
||||
# loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
|
||||
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "server"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
|
||||
# If left as blank, the "common" loader will be used as Catalina's "server"
|
||||
# loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar,${catalina.base}/server/classes,${catalina.base}/server/*.jar
|
||||
|
||||
#
|
||||
# List of comma-separated paths defining the contents of the "shared"
|
||||
# classloader. Prefixes should be used to define what is the repository type.
|
||||
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
|
||||
# the "common" loader will be used as Catalina's "shared" loader.
|
||||
# Examples:
|
||||
# "foo": Add this folder as a class repository
|
||||
# "foo/*.jar": Add all the JARs of the specified folder as class
|
||||
# repositories
|
||||
# "foo/bar.jar": Add bar.jar as a class repository
|
||||
# Please note that for single jars, e.g. bar.jar, you need the URL form
|
||||
# starting with file:.
|
||||
shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar,${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
|
||||
|
||||
# List of JAR files that should not be scanned using the JarScanner
|
||||
# functionality. This is typically used to scan JARs for configuration
|
||||
# information. JARs that do not contain such information may be excluded from
|
||||
# the scan to speed up the scanning process. This is the default list. JARs on
|
||||
# this list are excluded from all scans. Scan specific lists (to exclude JARs
|
||||
# from individual scans) follow this. The list must be a comma separated list of
|
||||
# JAR file names.
|
||||
# The JARs listed below include:
|
||||
# - Tomcat Bootstrap JARs
|
||||
# - Tomcat API JARs
|
||||
# - Catalina JARs
|
||||
# - Jasper JARs
|
||||
# - Tomcat JARs
|
||||
# - Common non-Tomcat JARs
|
||||
# - Test JARs (JUnit, Cobertura and dependencies)
|
||||
tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
|
||||
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
|
||||
annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
|
||||
catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
|
||||
jasper.jar,jasper-el.jar,ecj-*.jar,\
|
||||
tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
|
||||
tomcat-jni.jar,tomcat-spdy.jar,\
|
||||
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
|
||||
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
|
||||
tomcat-jdbc.jar,\
|
||||
tools.jar,\
|
||||
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
|
||||
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
|
||||
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
|
||||
commons-math*.jar,commons-pool*.jar,\
|
||||
jstl.jar,\
|
||||
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
|
||||
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
|
||||
jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
|
||||
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
|
||||
junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
|
||||
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
|
||||
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
|
||||
xom-*.jar
|
||||
|
||||
# Additional JARs (over and above the default JARs listed above) to skip when
|
||||
# scanning for Servlet 3.0 pluggability features. These features include web
|
||||
# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
|
||||
# must be a comma separated list of JAR file names.
|
||||
org.apache.catalina.startup.ContextConfig.jarsToSkip=
|
||||
|
||||
# Additional JARs (over and above the default JARs listed above) to skip when
|
||||
# scanning for TLDs. The list must be a comma separated list of JAR file names.
|
||||
org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
|
||||
|
||||
#
|
||||
# String cache configuration.
|
||||
tomcat.util.buf.StringCache.byte.enabled=true
|
||||
#tomcat.util.buf.StringCache.char.enabled=true
|
||||
#tomcat.util.buf.StringCache.trainThreshold=500000
|
||||
#tomcat.util.buf.StringCache.cacheSize=5000
|
|
@ -1,2 +0,0 @@
|
|||
monitorRole readonly
|
||||
controlRole readwrite
|
|
@ -1,49 +0,0 @@
|
|||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed with
|
||||
# this work for additional information regarding copyright ownership.
|
||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
|
||||
|
||||
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
|
||||
|
||||
############################################################
|
||||
# Handler specific properties.
|
||||
# Describes specific configuration info for Handlers.
|
||||
############################################################
|
||||
|
||||
1catalina.org.apache.juli.FileHandler.level = FINE
|
||||
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
|
||||
1catalina.org.apache.juli.FileHandler.prefix = catalina.
|
||||
|
||||
2localhost.org.apache.juli.FileHandler.level = FINE
|
||||
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
|
||||
2localhost.org.apache.juli.FileHandler.prefix = localhost.
|
||||
|
||||
java.util.logging.ConsoleHandler.level = FINE
|
||||
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
|
||||
|
||||
############################################################
|
||||
# Facility specific properties.
|
||||
# Provides extra control for each logger.
|
||||
############################################################
|
||||
|
||||
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
|
||||
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
|
||||
|
||||
# For example, set the com.xyz.foo logger to only log SEVERE
|
||||
# messages:
|
||||
#org.apache.catalina.startup.ContextConfig.level = FINE
|
||||
#org.apache.catalina.startup.HostConfig.level = FINE
|
||||
#org.apache.catalina.session.ManagerBase.level = FINE
|
||||
#org.apache.catalina.core.AprLifecycleListener.level=FINE
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
- name: tomcat restart
|
||||
service: name='tomcat{{ tomcat_version }}' state=restarted sleep=20
|
||||
when: tomcat_service_enabled
|
||||
|
||||
- name: enable tomcat
|
||||
service: name='tomcat{{ tomcat_version }}' state=started enabled=yes
|
||||
when: tomcat_service_enabled
|
||||
|
||||
- name: disable tomcat
|
||||
service: name='tomcat{{ tomcat_version }}' state=started enabled=no
|
||||
when: not tomcat_service_enabled
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
dependencies:
|
||||
- { role: '../../library/roles/openjdk' }
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Install a logrotate entry for the access log file
|
||||
template: src=tomcat_access.logrotate.j2 dest=/etc/logrotate.d/tomcat_access owner=root group=root mode=0644
|
||||
when: tomcat_access_log_enabled
|
||||
tags: tomcat
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
- import_tasks: tomcat-pkgs.yml
|
||||
- import_tasks: tomcat-admin.yml
|
||||
when: tomcat_install_admin
|
||||
- import_tasks: tomcat-jmx.yml
|
||||
when:
|
||||
- tomcat_jmx_enabled
|
||||
- tomcat_jmx_auth_enabled
|
||||
tags: [ 'tomcat', 'jmx' ]
|
||||
- import_tasks: tomcat-log4j-logging.yml
|
||||
when:
|
||||
- tomcat_use_log4j
|
||||
- tomcat_version <= 7
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
- import_tasks: tomcat-logger-logging.yml
|
||||
when: not tomcat_use_log4j or tomcat_version > 7
|
||||
- import_tasks: access_log.yml
|
||||
when: tomcat_access_log_enabled
|
||||
- import_tasks: pgsql_jdbc.yml
|
||||
when: tomcat_install_pg_jdbc
|
||||
- import_tasks: not_pgsql_jdbc.yml
|
||||
when: not tomcat_install_pg_jdbc
|
||||
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
- name: Do not load the postgresql jdbc driver on tomcat if not needed
|
||||
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
|
||||
with_items:
|
||||
- postgresql-jdbc4.jar
|
||||
when: not tomcat_install_pg_jdbc
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
# Postgresql JDBC
|
||||
- name: Install the jdbc package if needed
|
||||
apt: pkg=libpostgresql-jdbc-java state=present
|
||||
when: tomcat_install_pg_jdbc
|
||||
tags: [ 'tomcat', 'tomcat_jdbc' ]
|
||||
|
||||
- name: Configure tomcat to use the global postgresql jdbc driver
|
||||
file: src=/usr/share/java/{{ item }} dest=/usr/share/tomcat{{ tomcat_version }}/lib/{{ item }} state=link
|
||||
with_items:
|
||||
- postgresql-jdbc4.jar
|
||||
when: tomcat_install_pg_jdbc
|
||||
notify:
|
||||
tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_jdbc' ]
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
- name: Install the tomcat console management package
|
||||
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }}
|
||||
tags: tomcat
|
||||
|
||||
- name: Install the tomcat users file
|
||||
template: src=tomcat-users.xml.j2 dest={{ tomcat_conf_dir }}/tomcat-users.xml owner=root group={{ tomcat_user }} mode=0640
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: Distribute the jmx authorization file
|
||||
template: src=jmxremote.passwd.j2 dest={{ tomcat_jmx_auth_dir }}/jmxremote.passwd owner={{ tomcat_user }} mode=0600
|
||||
when:
|
||||
- tomcat_jmx_enabled
|
||||
- tomcat_jmx_auth_enabled
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'jmx' ]
|
||||
|
||||
- name: Distribute the jmx role file
|
||||
copy: src=jmxremote.access dest={{ tomcat_jmx_auth_dir }}/jmxremote.access owner=root mode=0644
|
||||
when:
|
||||
- tomcat_jmx_enabled
|
||||
- tomcat_jmx_auth_enabled
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'jmx' ]
|
|
@ -1,41 +0,0 @@
|
|||
---
|
||||
# Manage tomcat internal logs with log4j
|
||||
- name: Install log4j
|
||||
apt: pkg=liblog4j1.2-java state={{ tomcat_pkg_state }}
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Install tomcat-juli-adapters
|
||||
copy: src=tomcat{{ tomcat_version }}-juli-adapters.jar dest=/usr/share/java/tomcat-juli-adapters.jar
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Install tomcat-juli
|
||||
copy: src=tomcat{{ tomcat_version }}-juli-log4j.jar dest=/usr/share/java/tomcat-juli-log4j.jar
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Configure tomcat to use the log4j system library
|
||||
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link
|
||||
with_items:
|
||||
- log4j-1.2.jar
|
||||
- tomcat-juli-adapters.jar
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Configure tomcat to use the log4j version of the juli library
|
||||
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/tomcat-juli.jar state=link
|
||||
with_items:
|
||||
- tomcat-juli-log4j.jar
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Install log4j.properties
|
||||
template: src=log4j.properties.j2 dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties mode=0644 owner=root group=root
|
||||
when: tomcat_install_the_log4j_properties
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
||||
- name: Remove logging.properties
|
||||
file: dest=/etc/tomcat{{ tomcat_version }}/logging.properties state=absent
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_log4j' ]
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
- name: Remove the system log4j library from the tomcat libdir
|
||||
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
|
||||
with_items:
|
||||
- log4j-1.2.jar
|
||||
- tomcat-juli-adapters.jar
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
||||
- name: Configure tomcat to use the standard version of the juli library
|
||||
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link
|
||||
with_items:
|
||||
- 'tomcat{{ tomcat_version }}-juli.jar'
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
||||
- name: Remove the system log4j.properties
|
||||
file: dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties state=absent
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
||||
- name: Install logging.properties
|
||||
copy: src=logging.properties dest=/etc/tomcat{{ tomcat_version }}/logging.properties owner=root group=root mode=0644
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
|
@ -1,111 +0,0 @@
|
|||
---
|
||||
- name: Set the tomcat version for ubuntu Trusy
|
||||
set_fact:
|
||||
tomcat_version: 7
|
||||
when:
|
||||
- ansible_distribution_major_version <= '16'
|
||||
- tomcat_fixed_version is not defined
|
||||
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
|
||||
|
||||
- name: Set the tomcat version for Ubuntu bionic
|
||||
set_fact:
|
||||
tomcat_version: 8
|
||||
when:
|
||||
- ansible_distribution_major_version == '18'
|
||||
- tomcat_fixed_version is not defined
|
||||
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
|
||||
|
||||
- name: Impose a tomcat version
|
||||
set_fact:
|
||||
tomcat_version: '{{ tomcat_fixed_version }}'
|
||||
when: tomcat_fixed_version is defined
|
||||
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
|
||||
|
||||
- name: Print the Tomcat version
|
||||
debug:
|
||||
msg: "The Tomcat version we are going to install is {{ tomcat_version }}"
|
||||
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
|
||||
|
||||
- name: Install the tomcat packages
|
||||
apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
|
||||
tags: tomcat
|
||||
|
||||
- name: Install additional packages needed by tomcat 8+
|
||||
apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
|
||||
when: tomcat_version >= 8
|
||||
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]
|
||||
|
||||
- name: Create the tomcat tmp directory
|
||||
file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
||||
- name: Create the catalina temp directory, if different from the default
|
||||
file: dest={{ catalina_tmp_directory }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
|
||||
when: catalina_tmp_directory is defined
|
||||
notify: tomcat restart
|
||||
tags: tomcat
|
||||
|
||||
- name: Configure tomcat defaults
|
||||
template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
|
||||
when: tomcat_install_default_conf | bool
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_default' ]
|
||||
|
||||
- name: Configure tomcat server.xml
|
||||
template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
|
||||
when: tomcat_install_server_xml | bool
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_serverxml' ]
|
||||
|
||||
- name: Configure tomcat web.xml
|
||||
template: src=tomcat-web.xml.j2 dest={{ tomcat_conf_dir }}/web.xml
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_serverxml' ]
|
||||
|
||||
- name: Install a slightly modified catalina.properties
|
||||
copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
|
||||
when: tomcat_install_default_conf | bool
|
||||
notify: tomcat restart
|
||||
tags: [ 'tomcat', 'tomcat_catalinaprops' ]
|
||||
|
||||
- name: Create some directories that the package do not creates itself
|
||||
file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755
|
||||
with_items:
|
||||
- common/classes
|
||||
- server/classes
|
||||
- shared/classes
|
||||
tags: tomcat
|
||||
|
||||
- name: On tomcat8, create a link to commons-daemon.jar to avoid exceptions at startup
|
||||
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link owner=root group=root mode=0644
|
||||
with_items:
|
||||
- commons-daemon.jar
|
||||
when: tomcat_version >= 8
|
||||
tags: [ 'tomcat', 'tomcat_conf' ]
|
||||
|
||||
- name: Install the javamelody dependency jar into the Java shared libs directory
|
||||
maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
|
||||
when: tomcat_javamelody | bool
|
||||
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
|
||||
|
||||
- name: Install the javamelody-core jar into the Java shared libs directory
|
||||
maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
|
||||
when: tomcat_javamelody | bool
|
||||
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
|
||||
|
||||
- name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled
|
||||
file: src=../../java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link owner=root group=root mode=0644
|
||||
with_items:
|
||||
- javamelody-core.jar
|
||||
- jrobin.jar
|
||||
when: tomcat_javamelody | bool
|
||||
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
|
||||
|
||||
- name: Remove the javamelody jar and its dependencies if the javamelody support is disabled
|
||||
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
|
||||
with_items:
|
||||
- javamelody-core.jar
|
||||
- jrobin.jar
|
||||
when: not tomcat_javamelody | bool
|
||||
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
|
|
@ -1,2 +0,0 @@
|
|||
monitorRole {{ tomcat_jmx_monitorpass }}
|
||||
controlRole {{ tomcat_jmx_controlpass }}
|
|
@ -1,68 +0,0 @@
|
|||
{% if tomcat_send_to_logstash %}
|
||||
log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_logstash_logger }}
|
||||
{% else %}
|
||||
log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_log_logger }}
|
||||
{% endif %}
|
||||
|
||||
# Define all the appenders
|
||||
log4j.appender.CATALINA = org.apache.log4j.RollingFileAppender
|
||||
log4j.appender.CATALINA.File = ${catalina.base}/logs/catalina.log
|
||||
log4j.appender.CATALINA.Append = true
|
||||
log4j.appender.CATALINA.Encoding = UTF-8
|
||||
log4j.appender.CATALINA.Threshold = {{ tomcat_log_rotation_threshold }}
|
||||
log4j.appender.CATALINA.MaxFileSize = {{ tomcat_log_max_file_size }}
|
||||
log4j.appender.CATALINA.MaxBackupIndex = {{ tomcat_retain_old_logs }}
|
||||
log4j.appender.CATALINA.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.CATALINA.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
|
||||
log4j.appender.LOCALHOST = org.apache.log4j.RollingFileAppender
|
||||
log4j.appender.LOCALHOST.File = ${catalina.base}/logs/localhost.log
|
||||
log4j.appender.LOCALHOST.Append = true
|
||||
log4j.appender.LOCALHOST.Encoding = UTF-8
|
||||
log4j.appender.LOCALHOST.Threshold = {{ tomcat_log_rotation_threshold }}
|
||||
log4j.appender.LOCALHOST.MaxFileSize = {{ tomcat_log_max_file_size }}
|
||||
log4j.appender.LOCALHOST.MaxBackupIndex = {{ tomcat_retain_old_logs }}
|
||||
log4j.appender.LOCALHOST.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.LOCALHOST.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
|
||||
log4j.appender.MANAGER = org.apache.log4j.RollingFileAppender
|
||||
log4j.appender.MANAGER.File = ${catalina.base}/logs/manager.log
|
||||
log4j.appender.MANAGER.Append = true
|
||||
log4j.appender.MANAGER.Encoding = UTF-8
|
||||
log4j.appender.MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
|
||||
log4j.appender.MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
|
||||
log4j.appender.MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
|
||||
log4j.appender.MANAGER.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
|
||||
log4j.appender.HOST-MANAGER = org.apache.log4j.RollingFileAppender
|
||||
log4j.appender.HOST-MANAGER.File = ${catalina.base}/logs/host-manager.log
|
||||
log4j.appender.HOST-MANAGER.Append = true
|
||||
log4j.appender.HOST-MANAGER.Encoding = UTF-8
|
||||
log4j.appender.HOST-MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
|
||||
log4j.appender.HOST-MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
|
||||
log4j.appender.HOST-MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
|
||||
log4j.appender.HOST-MANAGER.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.HOST-MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
|
||||
{% if tomcat_send_to_logstash %}
|
||||
log4j.appender.LOGSTASH=org.apache.log4j.net.SocketAppender
|
||||
log4j.appender.LOGSTASH.remoteHost={{ tomcat_logstash_collector_host }}
|
||||
log4j.appender.LOGSTASH.port={{ tomcat_logstash_collector_socketappender_port }}
|
||||
log4j.appender.LOGSTASH.ReconnectionDelay={{ tomcat_logstash_collector_socketappender_reconndelay }}
|
||||
log4j.appender.LOGSTASH.LocationInfo=true
|
||||
log4j.appender.LOGSTASH.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.LOGSTASH.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
{% endif %}
|
||||
|
||||
log4j.appender.CONSOLE = org.apache.log4j.ConsoleAppender
|
||||
log4j.appender.CONSOLE.Encoding = UTF-8
|
||||
log4j.appender.CONSOLE.layout = org.apache.log4j.PatternLayout
|
||||
log4j.appender.CONSOLE.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
|
||||
|
||||
# Configure which loggers log to which appenders
|
||||
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost] = {{ tomcat_log_level }}, LOCALHOST
|
||||
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager] =\
|
||||
{{ tomcat_log_level }}, MANAGER
|
||||
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager] =\
|
||||
{{ tomcat_log_level }}, HOST-MANAGER
|
|
@ -1,71 +0,0 @@
|
|||
{% if limits_nofile_value is defined %}
|
||||
ulimit -Hn {{ limits_nofile_value }}
|
||||
ulimit -Sn {{ limits_nofile_value }}
|
||||
{% endif %}
|
||||
|
||||
# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
|
||||
# default of tomcat{{ tomcat_version}}.
|
||||
TOMCAT{{ tomcat_version}}_USER={{ tomcat_user }}
|
||||
|
||||
# Run Tomcat as this group ID. Not setting this or leaving it blank will use
|
||||
# the default of tomcat{{ tomcat_version}}.
|
||||
TOMCAT{{ tomcat_version}}_GROUP={{ tomcat_user }}
|
||||
|
||||
# The home directory of the Java development kit (JDK). You need at least
|
||||
# JDK version 1.5. If JAVA_HOME is not set, some common directories for
|
||||
# OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried.
|
||||
{% if jdk_java_home is defined %}
|
||||
JAVA_HOME={{ jdk_java_home }}
|
||||
{% endif %}
|
||||
|
||||
JAVA_OPTS="-server -Djava.awt.headless=true -Dfile.encoding={{ tomcat_file_encoding }}"
|
||||
{% if jdk_default <= 7 %}
|
||||
{% if tomcat_permgen_defined %}
|
||||
{% if tomcat_permgen_size is defined %}
|
||||
JAVA_OPTS="-XX:MaxPermSize={{ tomcat_permgen_size }} $JAVA_OPTS"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if jdk_default >= 8 %}
|
||||
JAVA_OPTS="{{ tomcat_additional_java_8_opts }} $JAVA_OPTS"
|
||||
{% endif %}
|
||||
{% if tomcat_java_opts is defined %}
|
||||
JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS"
|
||||
{% endif %}
|
||||
{% if tomcat_java_gc_opts is defined %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
|
||||
{% endif %}
|
||||
{% if tomcat_proxy_enabled %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}"
|
||||
{% endif %}
|
||||
{% if tomcat_other_java_opts is defined %}
|
||||
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
|
||||
{% endif %}
|
||||
{% if tomcat_jmx_enabled %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ tomcat_jmx_port }} -Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl }} -Dcom.sun.management.jmxremote.local.only={{ tomcat_jmx_localhost_only }}"
|
||||
{% if tomcat_jmx_auth_enabled %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ tomcat_jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ tomcat_jmx_auth_dir }}/jmxremote.access"
|
||||
{% else %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
|
||||
{% endif %}
|
||||
{% if tomcat_jmx_disable_additional_ports %}
|
||||
JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ tomcat_jmx_port }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if tomcat_enable_remote_debugging %}
|
||||
# You will be able to use a java debugger on URI {{ tomcat_remote_debugging_uri }}.
|
||||
JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
|
||||
# Obsolete
|
||||
#JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
|
||||
{% endif %}
|
||||
# Location of the JVM temporary directory
|
||||
# WARNING: This directory will be destroyed and recreated at every startup !
|
||||
JVM_TMP={{ tomcat_tmp_dir }}
|
||||
{% if catalina_tmp_directory is defined %}
|
||||
export CATALINA_TMPDIR={{ catalina_tmp_directory }}
|
||||
{% endif %}
|
||||
{% if tomcat_load_additional_default_conf %}
|
||||
if [ -f /etc/default/tomcat.local ] ; then
|
||||
. /etc/default/tomcat.local
|
||||
fi
|
||||
{% endif %}
|
|
@ -1,176 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!-- Note: A "Server" is not itself a "Container", so you may not
|
||||
define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/server.html
|
||||
-->
|
||||
{% if tomcat_shutdown_port == -1 %}
|
||||
<Server port="{{ tomcat_shutdown_port }}"
|
||||
shutdown="TOMCAT_SHUTDOWN_DISABLED">
|
||||
{% else %}
|
||||
<Server port="{{ tomcat_shutdown_port }}" shutdown="{{ tomcat_shutdown_pwd }}">
|
||||
{% endif %}
|
||||
<!-- Security listener. Documentation at /docs/config/listeners.html
|
||||
<Listener className="org.apache.catalina.security.SecurityListener" />
|
||||
-->
|
||||
<!--APR library loader. Documentation at /docs/apr.html -->
|
||||
<!--
|
||||
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
|
||||
-->
|
||||
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
|
||||
<Listener className="org.apache.catalina.core.JasperListener" />
|
||||
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
|
||||
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
|
||||
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
|
||||
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
|
||||
|
||||
<!-- Global JNDI resources
|
||||
Documentation at /docs/jndi-resources-howto.html
|
||||
-->
|
||||
<GlobalNamingResources>
|
||||
<!-- Editable user database that can also be used by
|
||||
UserDatabaseRealm to authenticate users
|
||||
-->
|
||||
<Resource name="UserDatabase" auth="Container"
|
||||
type="org.apache.catalina.UserDatabase"
|
||||
description="User database that can be updated and saved"
|
||||
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
|
||||
pathname="conf/tomcat-users.xml" />
|
||||
</GlobalNamingResources>
|
||||
|
||||
<!-- A "Service" is a collection of one or more "Connectors" that share
|
||||
a single "Container" Note: A "Service" is not itself a "Container",
|
||||
so you may not define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/service.html
|
||||
-->
|
||||
<Service name="Catalina">
|
||||
|
||||
{% if tomcat_http_enabled %}
|
||||
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
|
||||
<Executor name="tomcatThreadPool"
|
||||
namePrefix="catalina-exec-"
|
||||
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
|
||||
maxThreads="{{ tomcat_max_threads }}"
|
||||
minSpareThreads="10"/>
|
||||
{% endif %}
|
||||
|
||||
<!-- A "Connector" represents an endpoint by which requests are received
|
||||
and responses are returned. Documentation at :
|
||||
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
|
||||
Java AJP Connector: /docs/config/ajp.html
|
||||
APR (HTTP/AJP) Connector: /docs/apr.html
|
||||
Define a non-SSL HTTP/1.1 Connector on port 8080
|
||||
-->
|
||||
{% if tomcat_http_enabled %}
|
||||
<!-- A http "Connector" using the shared thread pool-->
|
||||
<Connector executor="tomcatThreadPool"
|
||||
enableLookups="false"
|
||||
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
|
||||
maxThreads="{{ tomcat_max_threads }}" connectionTimeout="60000"
|
||||
URIEncoding="UTF-8"
|
||||
useBodyEncodingForURI="true"
|
||||
bindOnInit="false" address="{{ tomcat_http_address }}"
|
||||
port="{{ tomcat_http_port }}" protocol="HTTP/1.1"
|
||||
maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
|
||||
{% if tomcat_reverse_proxy_name_enabled %}
|
||||
proxyName="{{ tomcat_reverse_proxy_name }}"
|
||||
proxyPort="{{ tomcat_reverse_proxy_port }}"
|
||||
{% endif %}
|
||||
maxHttpHeaderSize="8192"
|
||||
disableUploadTimeout="true"
|
||||
/>
|
||||
|
||||
{% endif %}
|
||||
{% if tomcat_ajp_enabled %}
|
||||
<!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
|
||||
<Connector port="{{ tomcat_ajp_port }}" protocol="AJP/1.3"
|
||||
enableLookups="false" address="{{ tomcat_ajp_address }}"
|
||||
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
|
||||
URIEncoding="UTF-8"
|
||||
useBodyEncodingForURI="true"
|
||||
maxThreads="{{ tomcat_max_threads }}"
|
||||
connectionTimeout="60000"
|
||||
maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
|
||||
{% if tomcat_reverse_proxy_name_enabled %}
|
||||
proxyName="{{ tomcat_reverse_proxy_name }}"
|
||||
proxyPort="{{ tomcat_reverse_proxy_port }}"
|
||||
{% endif %}
|
||||
maxHttpHeaderSize="8192"
|
||||
disableUploadTimeout="true"
|
||||
bindOnInit="false" />
|
||||
{% endif %}
|
||||
|
||||
<!-- An Engine represents the entry point (within Catalina) that processes
|
||||
every request. The Engine implementation for Tomcat stand alone
|
||||
analyzes the HTTP headers included with the request, and passes them
|
||||
on to the appropriate Host (virtual host).
|
||||
Documentation at /docs/config/engine.html -->
|
||||
|
||||
<!-- You should set jvmRoute to support load-balancing via AJP ie :
|
||||
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
|
||||
-->
|
||||
<Engine name="Catalina" defaultHost="localhost">
|
||||
|
||||
<!--For clustering, please take a look at documentation at:
|
||||
/docs/cluster-howto.html (simple how to)
|
||||
/docs/config/cluster.html (reference documentation) -->
|
||||
<!--
|
||||
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
|
||||
-->
|
||||
|
||||
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
|
||||
via a brute-force attack -->
|
||||
<Realm className="org.apache.catalina.realm.LockOutRealm">
|
||||
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
||||
resources under the key "UserDatabase". Any edits
|
||||
that are performed against this UserDatabase are immediately
|
||||
available for use by the Realm. -->
|
||||
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
||||
resourceName="UserDatabase"/>
|
||||
</Realm>
|
||||
|
||||
<Host name="localhost" appBase="webapps"
|
||||
unpackWARs="{{ tomcat_webapps_unpack }}" autoDeploy="{{ tomcat_webapps_autodeploy }}">
|
||||
|
||||
<!-- SingleSignOn valve, share authentication between web applications
|
||||
Documentation at: /docs/config/valve.html -->
|
||||
<!--
|
||||
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
||||
-->
|
||||
|
||||
{% if tomcat_access_log_enabled %}
|
||||
<!-- Automatically substitutes the IP with the one contained
|
||||
in the x-forwarded-for header if that header is set -->
|
||||
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
|
||||
<!-- Access log processes all example.
|
||||
Documentation at: /docs/config/valve.html
|
||||
Note: The pattern used is equivalent to using pattern="combined" -->
|
||||
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
|
||||
prefix="localhost_access." suffix="log"
|
||||
{% if tomcat_direct_access %}
|
||||
pattern="combined"
|
||||
{% else %}
|
||||
pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s "%r" %b %{User-Agent}i"
|
||||
rotatable="False"
|
||||
{% endif %}
|
||||
/>
|
||||
{% endif %}
|
||||
</Host>
|
||||
</Engine>
|
||||
</Service>
|
||||
</Server>
|
|
@ -1,40 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<tomcat-users>
|
||||
<!--
|
||||
NOTE: By default, no user is included in the "manager-gui" role required
|
||||
to operate the "/manager/html" web application. If you wish to use this app,
|
||||
you must define such a user - the username and password are arbitrary.
|
||||
-->
|
||||
{% if tomcat_manager_gui_user_enabled %}
|
||||
<role rolename="{{ tomcat_manager_gui_r }}"/>
|
||||
<user username="{{ tomcat_manager_gui_user }}" password="{{ tomcat_manager_gui_pwd }}" roles="{{ tomcat_manager_gui_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_manager_script_user_enabled %}
|
||||
<role rolename="{{ tomcat_manager_script_r }}"/>
|
||||
<user username="{{ tomcat_manager_script_user }}" password="{{ tomcat_manager_script_pwd }}" roles="{{ tomcat_manager_script_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_manager_jmx_user_enabled %}
|
||||
<role rolename="{{ tomcat_manager_jmx_r }}"/>
|
||||
<user username="{{ tomcat_manager_jmx_user }}" password="{{ tomcat_manager_jmx_pwd }}" roles="{{ tomcat_manager_jmx_r }}"/>
|
||||
{% endif %}
|
||||
{% if tomcat_manager_status_user_enabled %}
|
||||
<role rolename="{{ tomcat_manager_status_r }}"/>
|
||||
<user username="{{ tomcat_manager_status_user }}" password="{{ tomcat_manager_status_pwd }}" roles="{{ tomcat_manager_status_r }}"/>
|
||||
{% endif %}
|
||||
</tomcat-users>
|
File diff suppressed because it is too large
|
@ -1,8 +0,0 @@
|
|||
{{ tomcat_logdir }}/localhost_access.log {
|
||||
copytruncate
|
||||
{{ tomcat_access_log_rotation_freq }}
|
||||
rotate {{ tomcat_retain_old_logs }}
|
||||
compress
|
||||
missingok
|
||||
create 640 {{ tomcat_user }} adm
|
||||
}
|