powerdns-admin: use gunicorn instead of flask. Fix the paths, they changed in newer releases.
This commit is contained in:
parent
294fe526d9
commit
445b23b941
|
@ -1,5 +1,7 @@
|
||||||
---
|
---
|
||||||
pdns_admin_install: True
|
pdns_admin_install: True
|
||||||
|
# Set it manually from the command line when you want to upgrade
|
||||||
|
pdns_admin_upgrade: False
|
||||||
pdns_admin_dir: 'pdns_admin-{{ pdns_admin_version }}.linux-amd64'
|
pdns_admin_dir: 'pdns_admin-{{ pdns_admin_version }}.linux-amd64'
|
||||||
pdns_admin_git_repo_url: 'https://github.com/ngoduykhanh/PowerDNS-Admin.git'
|
pdns_admin_git_repo_url: 'https://github.com/ngoduykhanh/PowerDNS-Admin.git'
|
||||||
pdns_admin_user: pdnsadmin
|
pdns_admin_user: pdnsadmin
|
||||||
|
@ -7,10 +9,12 @@ pdns_admin_home: /opt/pdnsadmin
|
||||||
pdns_admin_cmd: '{{ pdns_admin_dist_dir }}/{{ pdns_admin_dir }}/pdns_admin'
|
pdns_admin_cmd: '{{ pdns_admin_dist_dir }}/{{ pdns_admin_dir }}/pdns_admin'
|
||||||
pdns_admin_http_port: 9393
|
pdns_admin_http_port: 9393
|
||||||
pdns_admin_opts: ''
|
pdns_admin_opts: ''
|
||||||
|
pdns_admin_title: "PowerDNS Admin"
|
||||||
pdns_admin_loglevel: 'WARN'
|
pdns_admin_loglevel: 'WARN'
|
||||||
pdns_admin_logdir: '/var/log/pdnsadmin'
|
pdns_admin_logdir: '/var/log/pdnsadmin'
|
||||||
pdns_admin_logfile: '{{ pdns_admin_logdir }}/pdnsadmin.log'
|
pdns_admin_logfile: '{{ pdns_admin_logdir }}/pdnsadmin.log'
|
||||||
pdns_admin_local_pgsql: False
|
pdns_admin_local_pgsql: False
|
||||||
|
pdns_admin_app_dir: powerdnsadmin
|
||||||
|
|
||||||
pdns_admin_prereqs:
|
pdns_admin_prereqs:
|
||||||
- git
|
- git
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: Restart pdns_admin
|
- name: Restart pdns_admin
|
||||||
service: name=powerdns-admin state=restarted
|
service: name=powerdns-admin.socket state=restarted
|
||||||
|
|
||||||
|
|
|
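Review bot: Restarting only `powerdns-admin.socket` does not restart the gunicorn service that actually imports `default_config.py`, so the config-template task that notifies this handler will not take effect on a running host; systemd normally refuses to (re)start a socket unit whose service is already active, so the handler is likely to fail or be a no-op. Restart the service instead, `service: name=powerdns-admin.service state=restarted` (the new unit's `Requires=powerdns-admin.socket` keeps the socket up across the restart). If a reload is preferred, the unit's `ExecReload` sends HUP, which gunicorn without `--preload` answers by re-forking workers and re-importing the app, so `state=reloaded` would also pick up the new config.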
@ -17,14 +17,26 @@
|
||||||
apt: pkg={{ pdns_admin_prereqs }} state=present update_cache=yes cache_valid_time=1800
|
apt: pkg={{ pdns_admin_prereqs }} state=present update_cache=yes cache_valid_time=1800
|
||||||
|
|
||||||
- name: Clone pdns_admin
|
- name: Clone pdns_admin
|
||||||
git: repo={{ pdns_admin_git_repo_url }} dest={{ pdns_admin_home }}
|
git: repo={{ pdns_admin_git_repo_url }} dest={{ pdns_admin_home }} update=no
|
||||||
|
|
||||||
|
- name: Force the clone and upgrade pdns_admin when updating
|
||||||
|
git: repo={{ pdns_admin_git_repo_url }} dest={{ pdns_admin_home }} update=yes force=yes
|
||||||
|
when: pdns_admin_upgrade | bool
|
||||||
|
|
||||||
|
- name: Remove the files that we use to skip the initialisation commands
|
||||||
|
file: dest={{ item }} state=absent
|
||||||
|
with_items:
|
||||||
|
- '{{ pdns_admin_logdir }}/.db_initialised'
|
||||||
|
- '{{ pdns_admin_home }}/app/static/generated/login.js'
|
||||||
|
when: pdns_admin_upgrade | bool
|
||||||
|
|
||||||
- name: Make the upload directory writeable by the pdnsadmin user
|
- name: Make the upload directory writeable by the pdnsadmin user
|
||||||
file: dest={{ pdns_admin_home }}/upload recurse=yes owner={{ pdns_admin_user }} group={{ pdns_admin_user }}
|
file: dest={{ pdns_admin_home }}/upload recurse=yes owner={{ pdns_admin_user }} group={{ pdns_admin_user }}
|
||||||
|
|
||||||
- name: Install the pdns_admin configuration
|
- name: Install the pdns_admin configuration
|
||||||
template: src=config.py dest={{ pdns_admin_home }}/config.py owner=root group={{ pdns_admin_user }} mode=0640
|
template: src=config.py.j2 dest={{ pdns_admin_home }}/{{ pdns_admin_app_dir }}/default_config.py owner=root group={{ pdns_admin_user }} mode=0640
|
||||||
notify: Restart pdns_admin
|
notify: Restart pdns_admin
|
||||||
|
tags: [ 'pdns_admin', 'pdns_admin_config' ]
|
||||||
|
|
||||||
- name: Create a python3 virtualenv
|
- name: Create a python3 virtualenv
|
||||||
shell: cd {{ pdns_admin_home }} ; virtualenv -p python3 flask
|
shell: cd {{ pdns_admin_home }} ; virtualenv -p python3 flask
|
||||||
|
@ -41,7 +53,7 @@
|
||||||
notify: Restart pdns_admin
|
notify: Restart pdns_admin
|
||||||
|
|
||||||
- name: Initialise the database
|
- name: Initialise the database
|
||||||
shell: cd {{ pdns_admin_home }}; . {{ pdns_admin_home }}/flask/bin/activate ; export FLASK_APP=app/__init__.py ; flask db upgrade && touch {{ pdns_admin_logdir }}/.db_initialised
|
shell: cd {{ pdns_admin_home }}; . {{ pdns_admin_home }}/flask/bin/activate ; export FLASK_APP={{ pdns_admin_app_dir }}/__init__.py ; flask db upgrade && touch {{ pdns_admin_logdir }}/.db_initialised
|
||||||
args:
|
args:
|
||||||
creates: '{{ pdns_admin_logdir }}/.db_initialised'
|
creates: '{{ pdns_admin_logdir }}/.db_initialised'
|
||||||
|
|
||||||
|
@ -53,26 +65,43 @@
|
||||||
- name: Some directories must be writeable by the pdnsadmin user
|
- name: Some directories must be writeable by the pdnsadmin user
|
||||||
file: dest={{ item }} recurse=yes owner={{ pdns_admin_user }} group={{ pdns_admin_user }}
|
file: dest={{ item }} recurse=yes owner={{ pdns_admin_user }} group={{ pdns_admin_user }}
|
||||||
with_items:
|
with_items:
|
||||||
- '{{ pdns_admin_home }}/app/static/custom'
|
- '{{ pdns_admin_home }}/{{ pdns_admin_app_dir }}/static/custom'
|
||||||
- '{{ pdns_admin_home }}/app/static/.webassets-cache'
|
- '{{ pdns_admin_home }}/{{ pdns_admin_app_dir }}/static/.webassets-cache'
|
||||||
|
|
||||||
- name: Install the pdns_admin server systemd unit
|
|
||||||
template: src=powerdns-admin.service dest=/etc/systemd/system/powerdns-admin.service mode=0644 owner=root group=root
|
|
||||||
when: ansible_service_mgr == 'systemd'
|
|
||||||
notify: systemd reload
|
|
||||||
|
|
||||||
- name: Ensure that pdns_admin is started and enabled
|
|
||||||
service: name=powerdns-admin state=started enabled=yes
|
|
||||||
|
|
||||||
tags: pdns_admin
|
tags: pdns_admin
|
||||||
when: pdns_admin_install
|
when: pdns_admin_install
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Install the tmpfile configuration
|
||||||
|
template: src=tmpfiles-powerdns-run.j2 dest=/usr/lib/tmpfiles.d/powerdns-admin.conf owner=root group=root
|
||||||
|
|
||||||
|
- name: Install the pdns_admin server systemd units
|
||||||
|
template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
|
||||||
|
with_items:
|
||||||
|
- 'powerdns-admin.service'
|
||||||
|
- 'powerdns-admin.socket'
|
||||||
|
register: pdns_unit
|
||||||
|
notify: Restart pdns_admin
|
||||||
|
|
||||||
|
- name: Reload the systemd configuration
|
||||||
|
systemd: daemon_reload=yes
|
||||||
|
when: pdns_unit is changed
|
||||||
|
|
||||||
|
- name: Ensure that pdns_admin is started and enabled
|
||||||
|
service: name=powerdns-admin.socket state=started enabled=yes
|
||||||
|
|
||||||
|
tags: [ 'pdns_admin', 'pdns_admin_service', 'pdns_admin_config' ]
|
||||||
|
when: pdns_admin_install
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Ensure that pdns_admin is stopped and disabled
|
- name: Ensure that pdns_admin is stopped and disabled
|
||||||
service: name=powerdns-admin state=stopped enabled=no
|
service: name=powerdns-admin state=stopped enabled=no
|
||||||
|
|
||||||
- name: Remove the pdns_admin init script
|
- name: Remove the pdns_admin init scripts
|
||||||
file: dest=/etc/systemd/system/powerdns-admin.service state=absent
|
file: dest=/etc/systemd/system/powerdns-admin.{{ item }} state=absent
|
||||||
|
with_items:
|
||||||
|
- 'service'
|
||||||
|
- 'socket'
|
||||||
|
|
||||||
- name: Remove all the pdns_admin files
|
- name: Remove all the pdns_admin files
|
||||||
file: dest={{ item }} state=absent
|
file: dest={{ item }} state=absent
|
||||||
|
|
|
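Review bot: The clone at the top of the section pulls the default branch of `pdns_admin_git_repo_url` with no `version=` pin, and the upgrade task then runs `update=yes force=yes`, so every upgrade deploys whatever upstream HEAD holds at that moment — the code that handles the PowerDNS API key and the admin login; pin it, e.g. `git: repo={{ pdns_admin_git_repo_url }} dest={{ pdns_admin_home }} version={{ pdns_admin_version }} update=no` with a release tag or commit hash (`pdns_admin_version` is already referenced in the defaults, if it is defined). Two smaller points in the same file: the removal block still stops and disables only `powerdns-admin`, while the install now enables `powerdns-admin.socket`, so `service: name=powerdns-admin.socket state=stopped enabled=no` is needed before the unit files are deleted; and the tmpfiles template is installed but never applied, so `/run/powerdns-admin` does not get `pdns_admin_user` ownership until the next boot unless `systemd-tmpfiles --create /usr/lib/tmpfiles.d/powerdns-admin.conf` is run after that template task. Templating into the tracked `powerdnsadmin/default_config.py` also means the forced clone resets it on every upgrade; that is covered only because the config task runs afterwards, which is worth a comment on the upgrade task.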
@ -6,12 +6,13 @@ WTF_CSRF_ENABLED = True
|
||||||
SECRET_KEY = '{{ pdns_admin_secret_key }}'
|
SECRET_KEY = '{{ pdns_admin_secret_key }}'
|
||||||
BIND_ADDRESS = '127.0.0.1'
|
BIND_ADDRESS = '127.0.0.1'
|
||||||
PORT = {{ pdns_admin_http_port }}
|
PORT = {{ pdns_admin_http_port }}
|
||||||
LOGIN_TITLE = "PowerDNS Admin"
|
LOGIN_TITLE = "{{ pdns_admin_title }}"
|
||||||
|
|
||||||
# TIMEOUT - for large zones
|
# TIMEOUT - for large zones
|
||||||
TIMEOUT = 60
|
TIMEOUT = 60
|
||||||
|
|
||||||
# LOG CONFIG
|
# LOG CONFIG
|
||||||
|
LOGLEVEL = '{{ pdns_admin_loglevel }}'
|
||||||
LOG_LEVEL = '{{ pdns_admin_loglevel }}'
|
LOG_LEVEL = '{{ pdns_admin_loglevel }}'
|
||||||
LOG_FILE = '{{ pdns_admin_logfile }}'
|
LOG_FILE = '{{ pdns_admin_logfile }}'
|
||||||
|
|
||||||
|
@ -28,16 +29,16 @@ LDAP_TYPE = 'ldap'
|
||||||
LDAP_URI = 'ldaps://your-ldap-server:636'
|
LDAP_URI = 'ldaps://your-ldap-server:636'
|
||||||
# with LDAP_BIND_TYPE you can specify 'direct' or 'search' to use user credentials
|
# with LDAP_BIND_TYPE you can specify 'direct' or 'search' to use user credentials
|
||||||
# for binding or a predefined LDAP_USERNAME and LDAP_PASSWORD, binding with non-DN only works with AD
|
# for binding or a predefined LDAP_USERNAME and LDAP_PASSWORD, binding with non-DN only works with AD
|
||||||
LDAP_BIND_TYPE= 'direct' # direct or search
|
# LDAP_BIND_TYPE= 'direct' # direct or search
|
||||||
LDAP_USERNAME = 'cn=dnsuser,ou=users,ou=services,dc=duykhanh,dc=me'
|
# LDAP_USERNAME = 'cn=dnsuser,ou=users,ou=services,dc=duykhanh,dc=me'
|
||||||
LDAP_PASSWORD = 'dnsuser'
|
# LDAP_PASSWORD = 'dnsuser'
|
||||||
LDAP_SEARCH_BASE = 'ou=System Admins,ou=People,dc=duykhanh,dc=me'
|
# LDAP_SEARCH_BASE = 'ou=System Admins,ou=People,dc=duykhanh,dc=me'
|
||||||
LDAP_GROUP_SECURITY = False
|
# LDAP_GROUP_SECURITY = False
|
||||||
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
|
# LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
|
||||||
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
|
# LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
|
||||||
# Additional options only if LDAP_TYPE=ldap
|
# Additional options only if LDAP_TYPE=ldap
|
||||||
LDAP_USERNAMEFIELD = 'uid'
|
# LDAP_USERNAMEFIELD = 'uid'
|
||||||
LDAP_FILTER = '(objectClass=inetorgperson)'
|
# LDAP_FILTER = '(objectClass=inetorgperson)'
|
||||||
# enable LDAP_GROUP_SECURITY to allow Admin and User roles based on LDAP groups
|
# enable LDAP_GROUP_SECURITY to allow Admin and User roles based on LDAP groups
|
||||||
#LDAP_GROUP_SECURITY = True # True or False
|
#LDAP_GROUP_SECURITY = True # True or False
|
||||||
#LDAP_ADMIN_GROUP = 'CN=DnsAdmins,CN=Users,DC=example,DC=me'
|
#LDAP_ADMIN_GROUP = 'CN=DnsAdmins,CN=Users,DC=example,DC=me'
|
||||||
|
@ -56,40 +57,40 @@ LDAP_FILTER = '(objectClass=inetorgperson)'
|
||||||
|
|
||||||
# Github Oauth
|
# Github Oauth
|
||||||
GITHUB_OAUTH_ENABLE = False
|
GITHUB_OAUTH_ENABLE = False
|
||||||
GITHUB_OAUTH_KEY = ''
|
# GITHUB_OAUTH_KEY = ''
|
||||||
GITHUB_OAUTH_SECRET = ''
|
# GITHUB_OAUTH_SECRET = ''
|
||||||
GITHUB_OAUTH_SCOPE = 'email'
|
# GITHUB_OAUTH_SCOPE = 'email'
|
||||||
GITHUB_OAUTH_URL = 'http://127.0.0.1:9191/api/v3/'
|
# GITHUB_OAUTH_URL = 'http://127.0.0.1:9191/api/v3/'
|
||||||
GITHUB_OAUTH_TOKEN = 'http://127.0.0.1:9191/oauth/token'
|
# GITHUB_OAUTH_TOKEN = 'http://127.0.0.1:9191/oauth/token'
|
||||||
GITHUB_OAUTH_AUTHORIZE = 'http://127.0.0.1:9191/oauth/authorize'
|
# GITHUB_OAUTH_AUTHORIZE = 'http://127.0.0.1:9191/oauth/authorize'
|
||||||
|
|
||||||
|
|
||||||
# Google OAuth
|
# Google OAuth
|
||||||
GOOGLE_OAUTH_ENABLE = False
|
GOOGLE_OAUTH_ENABLE = False
|
||||||
GOOGLE_OAUTH_CLIENT_ID = ' '
|
# GOOGLE_OAUTH_CLIENT_ID = ' '
|
||||||
GOOGLE_OAUTH_CLIENT_SECRET = ' '
|
# GOOGLE_OAUTH_CLIENT_SECRET = ' '
|
||||||
GOOGLE_REDIRECT_URI = '/user/authorized'
|
# GOOGLE_REDIRECT_URI = '/user/authorized'
|
||||||
GOOGLE_TOKEN_URL = 'https://accounts.google.com/o/oauth2/token'
|
# GOOGLE_TOKEN_URL = 'https://accounts.google.com/o/oauth2/token'
|
||||||
GOOGLE_TOKEN_PARAMS = {
|
# GOOGLE_TOKEN_PARAMS = {
|
||||||
'scope': 'email profile'
|
# 'scope': 'email profile'
|
||||||
}
|
# }
|
||||||
GOOGLE_AUTHORIZE_URL='https://accounts.google.com/o/oauth2/auth'
|
# GOOGLE_AUTHORIZE_URL='https://accounts.google.com/o/oauth2/auth'
|
||||||
GOOGLE_BASE_URL='https://www.googleapis.com/oauth2/v1/'
|
# GOOGLE_BASE_URL='https://www.googleapis.com/oauth2/v1/'
|
||||||
|
|
||||||
# SAML Authnetication
|
# SAML Authnetication
|
||||||
SAML_ENABLED = False
|
SAML_ENABLED = False
|
||||||
SAML_DEBUG = True
|
# SAML_DEBUG = True
|
||||||
SAML_PATH = os.path.join(os.path.dirname(__file__), 'saml')
|
# SAML_PATH = os.path.join(os.path.dirname(__file__), 'saml')
|
||||||
##Example for ADFS Metadata-URL
|
##Example for ADFS Metadata-URL
|
||||||
SAML_METADATA_URL = 'https://<hostname>/FederationMetadata/2007-06/FederationMetadata.xml'
|
# SAML_METADATA_URL = 'https://<hostname>/FederationMetadata/2007-06/FederationMetadata.xml'
|
||||||
#Cache Lifetime in Seconds
|
#Cache Lifetime in Seconds
|
||||||
SAML_METADATA_CACHE_LIFETIME = 1
|
# SAML_METADATA_CACHE_LIFETIME = 1
|
||||||
SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
|
# SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
|
||||||
SAML_SP_CONTACT_NAME = '<contact name>'
|
# SAML_SP_CONTACT_NAME = '<contact name>'
|
||||||
SAML_SP_CONTACT_MAIL = '<contact mail>'
|
# SAML_SP_CONTACT_MAIL = '<contact mail>'
|
||||||
#Cofigures if SAML tokens should be encrypted.
|
#Cofigures if SAML tokens should be encrypted.
|
||||||
#If enabled a new app certificate will be generated on restart
|
#If enabled a new app certificate will be generated on restart
|
||||||
SAML_SIGN_REQUEST = False
|
# SAML_SIGN_REQUEST = False
|
||||||
#Use SAML standard logout mechanism retreived from idp metadata
|
#Use SAML standard logout mechanism retreived from idp metadata
|
||||||
#If configured false don't care about SAML session on logout.
|
#If configured false don't care about SAML session on logout.
|
||||||
#Logout from PowerDNS-Admin only and keep SAML session authenticated.
|
#Logout from PowerDNS-Admin only and keep SAML session authenticated.
|
||||||
|
@ -100,7 +101,7 @@ SAML_LOGOUT = False
|
||||||
|
|
||||||
#Default Auth
|
#Default Auth
|
||||||
BASIC_ENABLED = True
|
BASIC_ENABLED = True
|
||||||
SIGNUP_ENABLED = True
|
SIGNUP_ENABLED = False
|
||||||
|
|
||||||
# POWERDNS CONFIG
|
# POWERDNS CONFIG
|
||||||
PDNS_STATS_URL = 'http://{{ pdns_master_host }}:8081/'
|
PDNS_STATS_URL = 'http://{{ pdns_master_host }}:8081/'
|
|
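Review bot: `PDNS_STATS_URL` at the end of the hunk is plain `http://` to port 8081 of `pdns_master_host`, and the PowerDNS API key the application sends with every request travels in cleartext on that connection; that is acceptable only if the host resolves to the local machine. If the authoritative server is remote, the template should say so in a comment and the URL should go through TLS (a proxy or tunnel terminating on 8081), e.g. `PDNS_STATS_URL = 'https://{{ pdns_master_host }}/'`. In the first hunk `LOGLEVEL` is added next to the existing `LOG_LEVEL` without explanation; a comment such as `# LOGLEVEL is read by newer releases, LOG_LEVEL kept for older checkouts` (which key each release reads is not visible here) would stop the next maintainer from deleting one of them.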
@ -1,14 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=PowerDNS-Admin
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
User={{ pdns_admin_user }}
|
|
||||||
Group={{ pdns_admin_user }}
|
|
||||||
ExecStart={{ pdns_admin_home }}/flask/bin/python ./run.py
|
|
||||||
WorkingDirectory={{ pdns_admin_home }}
|
|
||||||
Restart=always
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
[Unit]
|
||||||
|
Description=PowerDNS-Admin
|
||||||
|
Requires=powerdns-admin.socket
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
PIDFile=/run/powerdns-admin/pid
|
||||||
|
User={{ pdns_admin_user }}
|
||||||
|
Group={{ pdns_admin_user }}
|
||||||
|
WorkingDirectory={{ pdns_admin_home }}
|
||||||
|
ExecStart={{ pdns_admin_home }}/flask/bin/gunicorn --pid /run/powerdns-admin/pid --bind unix:/run/powerdns-admin/socket 'powerdnsadmin:create_app()'
|
||||||
|
ExecReload=/bin/kill -s HUP $MAINPID
|
||||||
|
ExecStop=/bin/kill -s TERM $MAINPID
|
||||||
|
PrivateTmp=true
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
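Review bot: The unit writes its pid into `/run/powerdns-admin` as `{{ pdns_admin_user }}` but nothing in the unit guarantees that directory exists with that ownership; if the tmpfiles rule has not run yet the directory is created root-owned for the socket path and the service fails until a reboot. `RuntimeDirectory=powerdns-admin` in `[Service]` makes systemd create it with the unit's User/Group on every start and removes the need for the tmpfiles rule; with gunicorn in the foreground `PIDFile=` and `--pid` are unnecessary for a `Type=simple` unit, and `ExecStop` duplicates the default SIGTERM. Since this process holds the PowerDNS API key and the Flask secret, `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` next to `PrivateTmp` cost nothing here (`full` leaves `/opt` and `/var/log` writable). The rewritten `[Service]` section:

```ini
[Service]
RuntimeDirectory=powerdns-admin
User={{ pdns_admin_user }}
Group={{ pdns_admin_user }}
WorkingDirectory={{ pdns_admin_home }}
ExecStart={{ pdns_admin_home }}/flask/bin/gunicorn --bind unix:/run/powerdns-admin/socket 'powerdnsadmin:create_app()'
ExecReload=/bin/kill -s HUP $MAINPID
PrivateTmp=true
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
Restart=on-failure
; … unchanged: [Unit] and [Install] sections …
```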
@ -0,0 +1,8 @@
|
||||||
|
[Unit]
|
||||||
|
Description=PowerDNS-Admin socket
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
ListenStream=/run/powerdns-admin/socket
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
|
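Review bot: `ListenStream=` has no `SocketMode=`/`SocketGroup=`, so the socket is created with the default world-accessible mode and any local account can talk to the application directly, bypassing the TLS-only nginx front and its logging; add `SocketMode=0660` and `SocketGroup=www-data` (the nginx group on Debian — adjust if different) so only the proxy can connect. The service also passes `--bind unix:/run/powerdns-admin/socket` to gunicorn; when started by systemd with `LISTEN_FDS` gunicorn uses the inherited socket, but if it is ever started outside the socket unit it creates its own socket at that path with a umask-derived mode, so the mode should be enforced here rather than assumed.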
@ -0,0 +1 @@
|
||||||
|
d /run/powerdns-admin 0755 {{ pdns_admin_user }} {{ pdns_admin_user }} -
|
|
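Review bot: A rule dropped into `/usr/lib/tmpfiles.d` only takes effect at boot or when `systemd-tmpfiles --create` is run, so on first deployment `/run/powerdns-admin` is either missing or root-owned when the service starts and the pid write as `{{ pdns_admin_user }}` fails until a reboot. Either run `systemd-tmpfiles --create /usr/lib/tmpfiles.d/powerdns-admin.conf` from the task that installs this template, or replace the rule with `RuntimeDirectory=powerdns-admin` in the service unit, which creates the directory with the unit's user and group on each start. Locally managed rules also conventionally go in `/etc/tmpfiles.d/`, which overrides the vendor directory and is not touched by package upgrades.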
@ -16,11 +16,15 @@ nginx_virthosts:
|
||||||
ssl_enabled: True
|
ssl_enabled: True
|
||||||
ssl_only: True
|
ssl_only: True
|
||||||
ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
||||||
root: '{{ nginx_webroot }}'
|
root: '{{ pdns_admin_home }}'
|
||||||
server_tokens: 'off'
|
server_tokens: 'off'
|
||||||
proxy_standard_setup: True
|
proxy_standard_setup: True
|
||||||
locations:
|
locations:
|
||||||
|
- location: ~ ^/static
|
||||||
|
other_opts:
|
||||||
|
- include /etc/nginx/mime.types
|
||||||
|
- root {{ pdns_admin_home }}/powerdnsadmin
|
||||||
- location: /
|
- location: /
|
||||||
target: http://localhost:{{ pdns_admin_http_port }}
|
target: http://unix:/run/powerdns-admin/socket
|
||||||
|
|
||||||
|
|
||||||
|
|
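Review bot: The vhost `root` moves from `nginx_webroot` to `pdns_admin_home`, i.e. the application checkout that holds `default_config.py` (SECRET_KEY and the backend credentials), the virtualenv and the `.git` tree; nothing in this diff serves files from that root because `/` is proxied and `/static` sets its own `root`, but any later location, `try_files` or error page that falls through to the default root would expose those files. Keep `root: '{{ nginx_webroot }}'` (or an empty directory), since the static location no longer depends on it. The static location would also be tighter as a prefix match that `/static-anything` cannot hit: `- location: ^~ /static/` with `- root {{ pdns_admin_home }}/{{ pdns_admin_app_dir }}` if the role variable introduced in this commit is visible here, instead of the hardcoded `powerdnsadmin`.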