Merge pull request 'Fixes #719. Spostare i ruoli in repository dedicati.' (#210) from adellam/ansible-roles:master into master

Andrea Dell'Amico 2020-06-02 16:02:19 +02:00
commit 4c4224f2e0
110 changed files with 0 additions and 17480 deletions


@ -1,95 +0,0 @@
---
apache_service_enabled: True
apache_user: www-data
apache_pkg_state: latest
apache_group: '{{ apache_user }}'
apache_from_ppa: False
apache_ppa_repo: 'ppa:ondrej/apache2'
apache_listen_ports:
- 80
- '{{ apache_ssl_port }}'
# Possible choices: event, prefork (the old ones), worker (the threaded version), itm
apache_mpm_mode: worker
apache_packages:
- apache2
- apache2-utils
- libapache2-mod-xsendfile
- unzip
- zip
apache_modules_packages:
- 'apache2-mpm-{{ apache_mpm_mode }}'
# Only one can be present at the same time. It needs to be listed as the last one
apache_worker_modules:
# - { name: 'mpm_itm', state: 'absent' }
- { name: 'mpm_event', state: 'absent' }
- { name: 'mpm_prefork', state: 'absent' }
- { name: 'mpm_{{ apache_mpm_mode }}', state: 'present' }
# apache RPAF is needed to obtain the real client addresses when behind a reverse proxy
apache_rpaf_install: False
apache_default_modules:
- headers
- rewrite
- expires
- xsendfile
apache_ssl_modules_enabled: True
apache_ssl_port: 443
apache_ssl_modules:
- ssl
- socache_shmcb
apache_http_proxy_modules_enabled: False
apache_http_proxy_modules:
- proxy
- proxy_ajp
- proxy_http
apache_status_module: True
apache_status_location: '/server-status'
apache_status_allowed_hosts:
- 127.0.0.1/8
apache_info_module: True
apache_info_location: '/server-info'
apache_info_allowed_hosts:
- 127.0.0.1/8
apache_basic_auth: False
apache_basic_auth_single_file: True
apache_basic_auth_dir: /etc/apache2/auth
apache_basic_auth_file: '{{ apache_basic_auth_dir }}/htpasswd'
apache_basic_auth_modules:
- auth_basic
- authn_file
- authz_user
# Put them in a vault file. auth_file is optional. Not used when apache_basic_auth_single_file is true
# apache_basic_users:
# - { username:'', password:'', state:'present,absent', auth_file:'path_to_file' }
#
apache_additional_packages: False
apache_additional_packages_list:
# - libapache2-mod-uwsgi
# - ...
#
# Set this variable to load the modules you need
apache_additional_modules: False
apache_additional_modules_list: []
# -
# -
apache_letsencrypt_managed: True
apache_letsencrypt_proxy_modules:
- proxy
- proxy_http
apache_letsencrypt_proxy_conf:
- letsencrypt-proxy.conf


@ -1,25 +0,0 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/apache.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/apache.log
fi
echo "Reload the apache service" >> $LE_LOG_DIR/apache.log
if [ -x /bin/systemctl ] ; then
systemctl reload apache2 >> $LE_LOG_DIR/apache.log 2>&1
else
service apache2 reload >> $LE_LOG_DIR/apache.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/apache.log
exit 0


@ -1,7 +0,0 @@
---
- name: apache2 reload
service: name=apache2 state=reloaded
- name: apache2 restart
service: name=apache2 state=restarted


@ -1,37 +0,0 @@
---
- name: Load the basic auth modules
apache2_module: name={{ item }} state=present
with_items: '{{ apache_basic_auth_modules }}'
notify: apache2 reload
tags:
- apache
- apache_basic_auth
- name: Create the authentication directory
file: path={{ apache_basic_auth_dir }} mode=0750 owner=root group={{ apache_group }} state=directory
tags:
- apache
- apache_basic_auth
- name: Install the python-passlib library
apt: pkg=python-passlib state=present
tags:
- apache
- apache_basic_auth
- name: Create the basic auth file when it is unique to all the virtualhosts
htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
when: apache_basic_users is defined and apache_basic_auth_single_file
with_items: '{{ apache_basic_users }}'
tags:
- apache
- apache_basic_auth
- name: Create the basic auth files
htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
with_items: '{{ apache_basic_users | default([]) }}'
when: apache_basic_users is defined and not apache_basic_auth_single_file
tags:
- apache
- apache_basic_auth


@ -1,43 +0,0 @@
---
- block:
- name: Enable the proxy modules needed by letsencrypt
apache2_module: name={{ item }} state=present
with_items: '{{ apache_letsencrypt_proxy_modules }}'
ignore_errors: True
notify: apache2 reload
- name: Install the apache letsencrypt directives on trusty
template: src={{ item }}.j2 dest=/etc/apache2/conf-available/{{ item }} owner=root group=root mode=0644
with_items: '{{ apache_letsencrypt_proxy_conf }}'
ignore_errors: True
notify: apache2 reload
- name: Enable the apache letsencrypt directives on trusty
file: src=/etc/apache2/conf-available/{{ item }} dest=/etc/apache2/conf-enabled/{{ item }} state=link
with_items: '{{ apache_letsencrypt_proxy_conf }}'
ignore_errors: True
notify: apache2 reload
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for apache
copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/apache2 owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install | bool
- apache_letsencrypt_managed | bool
tags: [ 'apache', 'letsencrypt' ]
- block:
- name: Disable the letsencrypt conf
file: dest=/etc/apache2/conf-enabled/letsencrypt-proxy.conf state=absent
ignore_errors: True
notify: apache2 reload
- name: Remove the letsencrypt hook for apache
file: path={{ letsencrypt_acme_services_scripts_dir }}/apache2 state=absent
when: not apache_letsencrypt_managed | bool
tags: [ 'apache', 'letsencrypt' ]


@ -1,74 +0,0 @@
---
- name: Load the required modules
apache2_module: name={{ item }} state=present force=yes
with_items: '{{ apache_default_modules }}'
notify: apache2 reload
ignore_errors: True
tags: [ 'apache', 'apache_modules' ]
- name: Install the libapache2-mod-rpaf module
apt: pkg=libapache2-mod-rpaf state=present
when: apache_rpaf_install | bool
tags: [ 'apache', 'apache_mods', 'apache_rpaf' ]
- name: Enable the apache rpaf module
apache2_module: name=rpaf state=present
when: apache_rpaf_install | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods', 'apache_rpaf' ]
- name: Load the apache ssl modules
apache2_module: name={{ item }} state=present
with_items: '{{ apache_ssl_modules }}'
when: apache_ssl_modules_enabled | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods' ]
- name: Load some apache proxy modules
apache2_module: name={{ item }} state=present
with_items: '{{ apache_http_proxy_modules }}'
when: apache_http_proxy_modules_enabled | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods' ]
- name: Load additional apache modules if any
apache2_module: name={{ item }} state=present
with_items: '{{ apache_additional_modules_list | default ([]) }}'
when: apache_additional_modules | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods' ]
- name: Disable apache modules if any
apache2_module: name={{ item }} state=absent
with_items: '{{ apache_modules_to_be_removed | default ([]) }}'
notify: apache2 reload
tags: [ 'apache', 'apache_mods' ]
- name: Load the apache status module
apache2_module: name={{ item }} state=present
with_items: status
when: apache_status_module | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods', 'apache_status' ]
- name: Configure the apache status module
template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
with_items: status.conf
when: apache_status_module | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods', 'apache_status' ]
- name: Load the apache info module
apache2_module: name={{ item }} state=present
with_items: info
when: apache_info_module | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods', 'apache_info' ]
- name: Configure the apache info module
template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
with_items: info.conf
when: apache_info_module | bool
notify: apache2 reload
tags: [ 'apache', 'apache_mods', 'apache_info' ]


@ -1,14 +0,0 @@
---
- block:
- name: Install the Ubuntu apache PPA
apt_repository: repo='{{ apache_ppa_repo }}' update_cache=yes
when: apache_from_ppa
tags: [ 'apache', 'apache_ppa' ]
- block:
- name: Remove the Ubuntu apache PPA
apt_repository: repo='{{ apache_ppa_repo }}' update_cache=yes state=absent
when: not apache_from_ppa
tags: [ 'apache', 'apache_ppa' ]


@ -1,44 +0,0 @@
---
- name: Install the apache packages
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
with_items: '{{ apache_packages }}'
tags: [ 'apache', 'apache_main_packages' ]
- name: Install the apache modules packages
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
with_items: '{{ apache_modules_packages }}'
when:
- not apache_from_ppa
- is_trusty
tags: [ 'apache', 'apache_additional_packages' ]
- name: Install the apache additional packages, if any
apt: pkg={{ item }} state={{ apache_pkg_state }} update_cache=yes cache_valid_time=3600
with_items: '{{ apache_additional_packages_list }}'
when: apache_additional_packages
tags: [ 'apache', 'apache_additional_packages' ]
- name: Instal the ports conf file
template: src=ports.conf dest=/etc/apache2/ports.conf
notify: apache2 reload
tags: [ 'apache', 'apache_conf' ]
- name: Remove the default virtualhost file
file: dest=/etc/apache2/sites-enabled/{{ item }} state=absent
with_items:
- 000-default
- 000-default.conf
notify: apache2 reload
tags: apache
- name: Ensure that the apache service is enabled and started
service: name=apache2 state=started enabled=yes
when: apache_service_enabled
ignore_errors: True
tags: apache
- name: Ensure that the apache service is disabled and stopped if we do not want it running
service: name=apache2 state=stopped enabled=no
when: not apache_service_enabled
ignore_errors: True
tags: apache


@ -1,8 +0,0 @@
---
- import_tasks: apache-ppa.yml
- import_tasks: apache.yml
- import_tasks: apache-modules.yml
- import_tasks: apache-basic-auth.yml
when: apache_basic_auth
- import_tasks: apache-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install


@ -1,20 +0,0 @@
<IfModule mod_info.c>
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
#
<Location {{ apache_info_location }}>
SetHandler server-info
Require local
{% if nagios_monitoring_server_ip is defined %}
{% for addr in nagios_monitoring_server_ip %}
Require ip {{ addr }}
{% endfor %}
{% endif %}
{% for addr in apache_info_allowed_hosts %}
Require ip {{ addr }}
{% endfor %}
</Location>
</IfModule>


@ -1 +0,0 @@
ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge"


@ -1,3 +0,0 @@
{% for port in apache_listen_ports %}
Listen {{ port }}
{% endfor %}


@ -1,32 +0,0 @@
<IfModule mod_status.c>
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
<Location {{ apache_status_location }}>
SetHandler server-status
Require local
{% if nagios_monitoring_server_ip is defined %}
{% for addr in nagios_monitoring_server_ip %}
Require ip {{ addr }}
{% endfor %}
{% endif %}
{% for addr in apache_status_allowed_hosts %}
Require ip {{ addr }}
{% endfor %}
</Location>
# Keep track of extended status information for each request
ExtendedStatus On
# Determine if mod_status displays the first 63 characters of a request or
# the last 63, assuming the request itself is greater than 63 chars.
# Default: Off
#SeeRequestTail On
<IfModule mod_proxy.c>
# Show Proxy LoadBalancer status in mod_status
ProxyStatus On
</IfModule>
</IfModule>


@ -1,4 +0,0 @@
---
ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
ldap_base_dn: "dc=research-infrastructures,dc=eu"
ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt


@ -1,33 +0,0 @@
---
- name: Install the ldap utilities
apt: pkg={{ item }} state={{ pkg_state }}
with_items:
- ldapscripts
- libpam-ldap
tags: ldap-client
- name: Write the ldap client configuration file
template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
when: is_ubuntu_less_than_trusty
tags: ldap-client
- name: Write the ldap client configuration file
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
when: is_trusty
tags: ldap-client
- name: set the ldapscripts.conf uri
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
when: is_trusty
tags: ldap-client
- name: set the ldapscripts.conf bind dn
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
when: is_trusty
tags: ldap-client
- name: set the ldapscripts.conf dn suffix
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
when: is_trusty
tags: ldap-client


@ -1,11 +0,0 @@
# The distinguished name of the search base.
BASE {{ ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
URI {{ ldap_uri }}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data


@ -1,14 +0,0 @@
# The distinguished name of the search base.
BASE {{ ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
URI {{ ldap_uri }}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
# TLS certificates (needed for GnuTLS)
TLS_CACERT {{ ldap_tls_cacert }}


@ -1,47 +0,0 @@
---
letsencrypt_acme_install: False
# Set to false if a binary installation is needed (unsupported distributions)
letsencrypt_pkg_install: True
letsencrypt_acme_pkg_state: latest
letsencrypt_acme_pkgs:
- acmetool
- libcap2-bin
letsencrypt_acme_ppa_repo: 'ppa:hlandau/rhea'
letsencrypt_acme_debian_repo: 'deb http://ppa.launchpad.net/hlandau/rhea/ubuntu xenial main'
letsencrypt_acme_debian_repo_key: '9862409EF124EC763B84972FF5AC9651EDB58DFA'
letsencrypt_acme_user: acme
letsencrypt_acme_user_home: /var/lib/acme
letsencrypt_acme_log_dir: /var/log/acme
letsencrypt_acme_command: acmetool
letsencrypt_acme_command_opts: '--hooks={{ letsencrypt_acme_services_scripts_dir }} --batch --xlog.syslog --xlog.syslogseverity=INFO --xlog.file="{{ letsencrypt_acme_log_dir }}/certrequest.log" --xlog.fileseverity=TRACE'
letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
letsencrypt_acme_dest_dir: '{{ ansible_fqdn }}'
letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ letsencrypt_acme_dest_dir }}'
# The various services maintainers need to put the reconfigure/restart scripts there
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
# responses parameters
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
letsencrypt_acme_agree_tos: true
letsencrypt_acme_rsa_key_size: 4096
letsencrypt_ocsp_must_staple: False
# rsa|ecdsa
letsencrypt_acme_key_type: ecdsa
letsencrypt_acme_ecdsa_curve: nistp256
letsencrypt_acme_email: sysadmin@example.com
letsencrypt_specify_key_id: False
letsencrypt_key_id: 'some random string'
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
letsencrypt_acme_authenticator: listener
letsencrypt_acme_cron_day_of_month: '*'
letsencrypt_acme_cron_hour: '{{ range(1, 4) | random }}'
letsencrypt_acme_cron_minute: '{{ range(0, 59) | random }}'
# desired parameters
letsencrypt_acme_domains:
- '{{ ansible_fqdn }}'
letsencrypt_acme_standalone_port: 4402


@ -1,8 +0,0 @@
---
- name: Initialize letsencrypt acmetool
become: True
become_user: '{{ letsencrypt_acme_user }}'
command: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'
when: letsencrypt_acme_install
ignore_errors: True


@ -1,143 +0,0 @@
---
- name: Install the letsencrypt acmetool repo on ubuntu
apt_repository: repo={{ letsencrypt_acme_ppa_repo }} state=present update_cache=yes
when:
- letsencrypt_acme_install
- is_trusty
- letsencrypt_pkg_install
notify: Initialize letsencrypt acmetool
tags: letsencrypt
- name: Install the letsencrypt acmetool repo key on debian
apt_key: keyserver=keyserver.ubuntu.com id={{ letsencrypt_acme_debian_repo_key }}
when:
- letsencrypt_acme_install
- is_debian
- letsencrypt_pkg_install
tags: letsencrypt
- name: Install the letsencrypt acmetool repo on debian
apt_repository: repo={{ letsencrypt_acme_debian_repo }} state=present update_cache=yes
when:
- letsencrypt_acme_install
- is_debian
- letsencrypt_pkg_install
notify: Initialize letsencrypt acmetool
tags: letsencrypt
- name: Create the letsencrypt acme user
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
when: letsencrypt_acme_install
tags: [ 'letsencrypt', 'letsencrypt_user' ]
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
when: letsencrypt_acme_install
tags: letsencrypt
- name: Install the letsencrypt acmetool package and some deps
apt: pkg={{ letsencrypt_acme_pkgs }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600
when:
- letsencrypt_acme_install
- letsencrypt_pkg_install
tags: letsencrypt
- name: Create the letsencrypt acme config directory
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
when: letsencrypt_acme_install
tags: letsencrypt
- name: Create the letsencrypt acme desired domains directory
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
when: letsencrypt_acme_install
tags: letsencrypt
- name: Create the letsencrypt acme hooks directory
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
when: letsencrypt_acme_install
tags: letsencrypt
- name: Install a default file that shell scripts can include
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
when: letsencrypt_acme_install
tags: letsencrypt
- name: Install the letsencrypt acme responses file
become: True
become_user: '{{ letsencrypt_acme_user }}'
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
when: letsencrypt_acme_install
tags: [ 'letsencrypt', 'letsencrypt_responses' ]
- name: Install the letsencrypt acme certs config file
become: True
become_user: '{{ letsencrypt_acme_user }}'
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
when: letsencrypt_acme_install
register: letsencrypt_new_desired_file
tags: letsencrypt
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
when:
- letsencrypt_acme_install
- letsencrypt_acme_authenticator == 'listener'
tags: letsencrypt
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
when:
- letsencrypt_acme_install
- letsencrypt_acme_authenticator != 'listener'
ignore_errors: True
tags: letsencrypt
- name: Install the sudoers config needed to run the acmetool hooks
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
when: letsencrypt_acme_install
tags: letsencrypt
- name: Create a directory where to put the cron job and hooks logs
file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
when: letsencrypt_acme_install
tags: letsencrypt
- name: Install a script that requests the certificates and manage the self signed certificate
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
when: letsencrypt_acme_install
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_hook' ]
- name: Set certificates as to be revoked
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
with_items: '{{ letsencrypt_certs_revoke_list }}'
when:
- letsencrypt_acme_install
- letsencrypt_certs_revoke_list is defined
tags: letsencrypt
- name: Remove the old cron script
file: dest=/usr/local/bin/cron-acme-cert-request state=absent
when: letsencrypt_acme_install
tags: [ 'letsencrypt', 'letsencrypt_cron' ]
- name: Install a daily cron job to renew the certificates when needed
become: True
become_user: '{{ letsencrypt_acme_user }}'
cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
when: letsencrypt_acme_install
tags: [ 'letsencrypt', 'letsencrypt_cron' ]
- name: letsencrypt acmetool request the first certificate
become: True
become_user: '{{ letsencrypt_acme_user }}'
command: '/usr/local/bin/acme-cert-request'
when: letsencrypt_new_desired_file is changed
ignore_errors: True
tags: letsencrypt


@ -1,28 +0,0 @@
#!/bin/bash
TMP_DIR=/var/tmp/acmetool
BASE_DIR=/var/lib/acme
RETVAL=
if [ -d $BASE_DIR/keys/fakeselfsignedcert -a -d $BASE_DIR/certs/fakeselfsignedcert ] ; then
mkdir -p $TMP_DIR/{keys,certs}
mv $BASE_DIR/keys/fakeselfsignedcert $TMP_DIR/keys
mv $BASE_DIR/certs/fakeselfsignedcert $TMP_DIR/certs
/bin/rm $BASE_DIR/live/{{ ansible_fqdn }}
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
fi
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile
RETVAL=$?
if [ -d $TMP_DIR ] ; then
if [ $RETVAL -ne 0 ] ; then
mv $TMP_DIR/keys/fakeselfsignedcert $BASE_DIR/keys
mv $TMP_DIR/certs/fakeselfsignedcert $BASE_DIR/certs
cd $BASE_DIR/live
ln -s ../certs/fakeselfsignedcert {{ ansible_fqdn }}
fi
rm -fr $TMP_DIR
fi
exit $RETVAL


@ -1,2 +0,0 @@
{{ letsencrypt_acme_user }} ALL=(root) NOPASSWD: {{ letsencrypt_acme_services_scripts_dir }}/


@ -1,25 +0,0 @@
satisfy:
names:
{% for d in letsencrypt_acme_domains %}
- {{ d }}
{% endfor %}
request:
{% if letsencrypt_ocsp_must_staple %}
ocsp-must-staple: true
{% endif %}
challenge:
http-ports:
- {{ letsencrypt_acme_standalone_port }}
key:
type: {{ letsencrypt_acme_key_type }}
{% if letsencrypt_acme_key_type == 'rsa' %}
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
{% else %}
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
{% endif %}
{% if letsencrypt_specify_key_id %}
id: {{ letsencrypt_key_id }}
{% endif %}


@ -1,4 +0,0 @@
LE_EMAIL={{ letsencrypt_acme_email }}
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
LE_LOG_DIR={{ letsencrypt_acme_log_dir }}


@ -1,13 +0,0 @@
"acme-enter-email": "{{ letsencrypt_acme_email }}"
"acme-agreement:{{ letsencrypt_tos_url }}": {{ letsencrypt_acme_agree_tos }}
# https://acme-staging.api.letsencrypt.org/directory is the staging site.
# This is the production site
"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
"acmetool-quickstart-choose-method": {{ letsencrypt_acme_authenticator }}
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": false
"acmetool-quickstart-install-haproxy-script": false
"acmetool-quickstart-install-redirector-systemd": false
"acmetool-quickstart-key-type": {{ letsencrypt_acme_key_type }}
"acmetool-quickstart-rsa-key-size": {{ letsencrypt_acme_rsa_key_size }}
"acmetool-quickstart-ecdsa-curve": {{ letsencrypt_acme_ecdsa_curve }}


@ -1,125 +0,0 @@
---
nginx_enabled: True
nginx_use_ppa: False
nginx_ppa_repo: ppa:nginx/stable
nginx_package_state: present
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_set_original_uri: True
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_enabled: False
nginx_cors_global: True
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Possible methods:
# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK
nginx_cors_allowed_methods: 'GET, POST, OPTIONS'
# Possible headers:
# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, 
Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With, Observe'
nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range,Observe'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_webroot: /usr/share/nginx/html
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Set it to 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
nginx_block_dotfiles: True
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: {{ nginx_webroot }}
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# locations:
# - location: /
# target: http://localhost:{{ local_http_port }}
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }


@ -1,25 +0,0 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0


@ -1,26 +0,0 @@
#
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
#
password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
#
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so


@ -1,7 +0,0 @@
---
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted


@ -1,4 +0,0 @@
---
dependencies:
- role: '../../library/roles/ldap-client-config'
when: nginx_use_ldap_pam_auth


@ -1,17 +0,0 @@
---
- block:
- name: Install the python passlib library on deb based distributions
apt: pkg=python-passlib state=present cache_valid_time=3600
when: ansible_distribution_file_variety == "Debian"
- name: Install the python passlib library on RH based distributions
yum: pkg=python-passlib state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx


@ -1,24 +0,0 @@
---
- import_tasks: nginx-deb.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: nginx-rh.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost | bool
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx


@ -1,45 +0,0 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ pki_dir }}/nginx state=directory
- name: Create the client body tmp directory, if needed
file: dest={{ nginx_client_body_temp_dir }}/nginx state=directory owner=www-data group=www-data mode=0700
when: nginx_client_body_temp_dir is defined
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
notify: Reload nginx
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
notify: Reload nginx
when: nginx_enabled | bool
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
- block:
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
when:
- nginx_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]


@ -1,27 +0,0 @@
---
- block:
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
when: ansible_distribution_file_variety == "Debian"
tags: nginx


@ -1,20 +0,0 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]


@ -1,7 +0,0 @@
---
- block:
- name: Install the nginx web server
yum: pkg=nginx state={{ nginx_package_state }}
when: ansible_distribution_file_variety == "RedHat"
tags: nginx


@ -1,32 +0,0 @@
---
- block:
- name: Create the nginx webroot if different from the default
file: dest={{ nginx_webroot }} state=directory mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on Deb based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
- name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on RH based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'nginx', 'virtualhost' ]


@ -1,7 +0,0 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags: nginx


@ -1,16 +0,0 @@
# The distinguished name of the search base.
base {{ nginx_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
uri {{ nginx_ldap_uri }}
if {% nginx_ldap_login_attribute is defined %}
pam_login_attribute {{ nginx_ldap_login_attribute }}
{% endif %}
if {% nginx_ldap_pam_groupdn is defined %}
pam_groupdn
{% endif %}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data


@ -1,9 +0,0 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}


@ -1,27 +0,0 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}


@ -1,6 +0,0 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};


@ -1,58 +0,0 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
if ($request_method = OPTIONS ) {
return 204;
}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
{% endif %}


@ -1,29 +0,0 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
proxy_set_header Connection "";
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
{% if nginx_set_original_uri %}
proxy_set_header nginx-request-uri $request_uri;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};


@ -1,49 +0,0 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
{% if nginx_ssl_level == 'old' %}
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
{% if nginx_ssl_level == 'intermediate' %}
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1.1 TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers off;
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
{% endif %}
{% if ansible_distribution_version is version_compare('14.04', '>=') %}
ssl_stapling on;
ssl_stapling_verify on;
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_trusted_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
{% else %}
ssl_trusted_certificate {{ nginx_ssl_fullchain_file | default('/etc/nginx/ssl/cacert.crt') }};
{% endif %}
add_header Strict-Transport-Security max-age=15768000;
{% endif %}


@ -1,353 +0,0 @@
{% if nginx_websockets_support is defined and nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% else %}
{% if item.websockets is defined and item.websockets %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
{% endif %}
server {
listen {{ item.http_port | default ('80') }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if nginx_block_dotfiles %}
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root {{ item.error_path | default('/usr/share/nginx/html') }};
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if nginx_block_dotfiles %}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if nginx_cors_enabled %}
{% if nginx_cors_global %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.http_acls is defined %}
{% for acl in item.http_acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if nginx_websockets_support is defined and nginx_websockets_support %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% else %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %}
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations -%}
location {{ location.location }} {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass {{ location.php_target }};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
#fastcgi_param REMOTE_ADDR $remote_addr;
include fastcgi_params;
{% endif %}
{% if location.websockets is defined and location.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
{% if item.https_port is defined %}
listen {{ item.https_port }} {{ nginx_ssl_type }};
{% else %}
listen {{ https_port | default('443') }} {{ nginx_ssl_type }};
{% endif %}
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root {{ item.error_path | default('/usr/share/nginx/html') }};
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if nginx_block_dotfiles %}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
include /etc/nginx/snippets/nginx-server-ssl.conf;
server_tokens {{ item.server_tokens | default('off') }};
{% if nginx_cors_enabled %}
{% if nginx_cors_global %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% if nginx_websockets_support is defined and nginx_websockets_support %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% else %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.https_acls is defined %}
{% for acl in item.https_acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %}
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations -%}
location {{ location.location }} {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass {{ location.php_target }};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
#fastcgi_param REMOTE_ADDR $remote_addr;
include fastcgi_params;
{% endif %}
{% if location.websockets is defined and location.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}


@ -1,4 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}


@ -1,63 +0,0 @@
pid /run/nginx.pid;
{% if ansible_distribution_file_variety == "Debian" %}
user www-data;
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
{% else %}
worker_processes {{ nginx_workers }};
{% endif %}
{% endif %}
{% if ansible_distribution_file_variety == "RedHat" %}
user nginx;
worker_processes auto;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
{% endif %}
events {
worker_connections {{ nginx_worker_connections }};
multi_accept {{ nginx_multi_accept }};
}
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens {{ nginx_server_tokens }};
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
large_client_header_buffers {{ nginx_large_client_header_buffers }};
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
include /etc/nginx/conf.d/*.conf;
{% if ansible_distribution_file_variety == "RedHat" %}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
{% endif %}
{% if ansible_distribution_file_variety == "Debian" %}
include /etc/nginx/sites-enabled/*;
{% endif %}
}


@ -1,32 +0,0 @@
---
openjdk_default: 8
jdk_default: '{{ openjdk_default }}'
openjdk_pkg_state: present
openjdk_version:
- '{{ openjdk_default }}'
dismissed_openjdk_ppa: 'ppa:openjdk-r/ppa'
openjdk_zulu_repo_install: False
openjdk_zulu_repo_key_id: '0xB1998361219BD9C9'
openjdk_zulu_repository: 'deb http://repos.azulsystems.com/{{ ansible_distribution | lower }} stable main'
openjdk_java_home: '/usr/lib/jvm/java-{{ openjdk_default }}-openjdk-amd64'
openjdk_zulu_java_home: '/usr/lib/jvm/zulu-{{ openjdk_default }}-amd64'
openjdk_zulu_package_name: zulu
openjdk_pkgs:
- jre-headless
- jdk-headless
# - jre
# - jdk
oracle_jdk_ubuntu_ppa: 'ppa:webupd8team/java'
openjdk_oracle_jdk_pkgs:
- oracle-java7-installer
- oracle-java7-set-default
- oracle-java7-unlimited-jce-policy
- oracle-java8-installer
- oracle-java8-set-default
- oracle-java8-unlimited-jce-policy


@ -1,80 +0,0 @@
---
- block:
- name: Remove the openjdk-r ppa. It is not maintained anymore
apt_repository: repo='{{ dismissed_openjdk_ppa }}' update_cache=yes state=absent
- name: Remove the Oracle JDK PPA
apt_repository: repo='{{ oracle_jdk_ubuntu_ppa }}' state=absent update_cache=yes
- name: Check if we must use the Zulu repository
set_fact:
openjdk_zulu_repo_install: True
when: ansible_distribution_major_version <= '16'
tags: [ 'jdk', 'openjdk' ]
- block:
- name: Install the Zulu repository key
apt_key: keyserver='hkp://keyserver.ubuntu.com' id={{ openjdk_zulu_repo_key_id }}
- name: Install the proper Zulu repository
apt_repository: repo='{{ openjdk_zulu_repository }}' update_cache=yes
- name: Install the Zulu OpenJDK
apt: pkg={{ openjdk_zulu_package_name }}-{{ item }} state={{ openjdk_pkg_state }} update_cache=yes cache_valid_time=3600
with_items: '{{ openjdk_version }}'
register: openjdk_installed
- name: Set the default OpenJDK as Zulu
shell: update-java-alternatives -s /usr/lib/jvm/zulu-{{ openjdk_default }}-amd64
when: openjdk_installed is changed
- name: Set the correct value for jdk_java_home when we are installing Zulu
set_fact:
jdk_java_home: '{{ openjdk_zulu_java_home }}'
when: openjdk_zulu_repo_install
tags: [ 'jdk', 'openjdk' ]
- block:
- name: Remove the Zulu repository if it is present
apt_repository: repo='{{ openjdk_zulu_repository }}' update_cache=yes state=absent
- name: Install the OpenJDK that comes with the distribution
apt: pkg=openjdk-{{ item.0 }}-{{ item[1] }} state={{ openjdk_pkg_state }} update_cache=yes cache_valid_time=3600
with_nested:
- '{{ openjdk_version }}'
- '{{ openjdk_pkgs }}'
register: openjdk_installed
- name: Set the default OpenJDK
shell: update-java-alternatives -s java-1.{{ openjdk_default }}.0-openjdk-amd64
when: openjdk_installed is changed
- name: Set the correct value for jdk_java_home when we are installing the distribution OpenJDK
set_fact:
jdk_java_home: '{{ openjdk_java_home }}'
when: not openjdk_zulu_repo_install
tags: [ 'jdk', 'openjdk' ]
- block:
- name: Rebuild the Ubuntu keystore
command: update-ca-certificates --fresh
when: openjdk_installed is changed
tags: [ 'jdk', 'openjdk' ]
- block:
- name: Remove the Oracle JDK packages
apt: pkg={{ openjdk_oracle_jdk_pkgs }} state=absent cache_valid_time=3600
- name: Remove the OpenJDK packages fthat come with the distribution when we use the Zulu repository
apt: pkg=openjdk-{{ item.0 }}-{{ item[1] }} state=absent update_cache=yes cache_valid_time=3600
with_nested:
- '{{ openjdk_version }}'
- '{{ openjdk_pkgs }}'
when: openjdk_zulu_repo_install
tags: [ 'jdk', 'openjdk' ]


@ -1,98 +0,0 @@
---
tomcat_version: 7
#tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
# Disable the main tomcat instance
tomcat_service_enabled: False
tomcat_m_instances_install: True
tomcat_m_host_manager_install: False
tomcat_m_manager_install: False
# Users and roles for the manager
tomcat_m_manager_gui_user_enabled: False
tomcat_m_manager_gui_user: guiadmin
tomcat_m_manager_gui_r: "manager-gui"
#tomcat_m_manager_gui_pwd: *Use a vault file*
tomcat_m_manager_script_user_enabled: True
tomcat_m_manager_script_user: scriptadmin
tomcat_m_manager_script_r: "manager-script"
#tomcat_m_manager_script_pwd: *Use a vault file*
tomcat_m_manager_jmx_user_enabled: False
tomcat_m_manager_jmx_user: jmxadmin
tomcat_m_manager_jmx_r: "manager-jmx"
#tomcat_m_manager_jmx_pwd: *Use a vault file*
tomcat_m_manager_status_user_enabled: False
tomcat_m_manager_status_user: statusadmin
tomcat_m_manager_status_r: "manager-status"
#tomcat_m_manager_status_pwd: *Use a vault file*
#tomcat_m_manager_other_roles:
# - { role: '', user: '', password: '', user_roles: '' }
tomcat_m_instances_base_path: '/var/lib/tomcat_instances'
tomcat_m_instances_logdir_base: '/var/log/tomcat_instances'
tomcat_m_cache_base: '/var/cache/tomcat-instances'
tomcat_m_default_user: 'tomcat{{ tomcat_version }}'
tomcat_m_use_default_user: True
tomcat_m_user_home: False
tomcat_m_default_user_shell: /bin/false
# Workaround for the '50 days shutdown' bug, until a fixed package will be available
tomcat_m_shutdown_port: -1
tomcat_m_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}"
tomcat_m_max_threads: 200
tomcat_m_min_heap_size: 2048m
tomcat_m_heap_size: '{{ tomcat_m_min_heap_size }}'
tomcat_m_permgen_size: 512m
tomcat_m_file_encoding: 'UTF-8'
tomcat_m_restart_timeout: 300
# -server -Djava.awt.headless=true are always used. No need to specify them
tomcat_m_java_opts_heap: "-Xms{{ tomcat_m_min_heap_size }} -Xmx{{ tomcat_m_heap_size }}"
tomcat_m_java_opts_permgen: "-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
tomcat_m_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
tomcat_m_java_opts: ""
tomcat_m_java_gc_opts: "-XX:+UseConcMarkSweepGC"
# Use "-XX:+UseConcMarkSweepGC" to enable the CMS garbage collector (improved
# response time). If you use that option and you run Tomcat on a machine with
# exactly one CPU chip that contains one or two cores, you should also add
# the "-XX:+CMSIncrementalMode" option.
#tomcat_m_other_java_opts: "-Djsse.enableSNIExtension=false"
tomcat_m_reverse_proxy_name_enabled: False
tomcat_m_reverse_proxy_name: '{{ ansible_fqdn }}'
tomcat_m_reverse_proxy_port: '{{ http_port | default(80) }}'
tomcat_m_proxy_enabled: False
tomcat_m_proxy_http_host: 'localhost'
tomcat_m_proxy_http_port: '3128'
tomcat_m_proxy_https_host: '{{ tomcat_m_proxy_http_host }}'
tomcat_m_proxy_https_port: '{{ tomcat_m_proxy_http_port }}'
tomcat_m_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_m_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_m_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_m_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_m_proxy_https_port }}"
tomcat_m_other_java_opts: ""
tomcat_m_webapps_autodeploy: False
tomcat_m_webapps_unpack: False
tomcat_m_start_instances: True
tomcat_m_enable_instances: True
tomcat_m_jndi_pool: False
tomcat_m_direct_access: False
# JMX and debugging
tomcat_m_enable_remote_debugging: False
tomcat_m_remote_debugging_host: '0.0.0.0'
tomcat_m_remote_debugging_port: '8100'
tomcat_m_remote_debugging_uri: '{{ tomcat_m_remote_debugging_host }}:{{ tomcat_m_remote_debugging_port }}'
tomcat_m_jmx_enabled: False
tomcat_m_jmx_auth_enabled: False
tomcat_m_jmx_use_ssl: False
tomcat_m_jmx_port: 8186
# The following works with jdk >= 7.0.25 only
tomcat_m_jmx_disable_additional_ports: True
tomcat_m_jmx_localhost_only: False
tomcat_m_jmx_ip_address: '{{ ansible_default_ipv4.address }}'
#tomcat_m_jmx_auth_dir: '{{ tomcat_m_instances_base_path }}'
# tomcat_m_jmx_monitorpass: define_in_a_vault_file
# tomcat_m_jmx_controlpass: define_in_a_vault_file
# This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
#
#tomcat_m_instances:
# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', proxy_enabled: '{{ tomcat_m_proxy_enabled }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_disable_additional_ports: '{{ tomcat_m_jmx_disable_additional_ports }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '{{ tomcat_m_jmx_port }}', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_uri: '{{ tomcat_m_remote_debugging_uri }}', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }


@ -1,35 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tacking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
</Context>


@ -1,2 +0,0 @@
monitorRole readonly
controlRole readwrite


@ -1,49 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.session.ManagerBase.level = FINE
#org.apache.catalina.core.AprLifecycleListener.level=FINE


@ -1,52 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};


@ -1,10 +0,0 @@
// These permissions apply to all JARs from Debian packages
grant codeBase "file:/usr/share/java/-" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/maven-repo/-" {
permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/ant/lib/-" {
permission java.security.AllPermission;
};


@ -1,32 +0,0 @@
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};


@ -1,59 +0,0 @@
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// Precompiled JSPs need access to this package.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
// Example JSPs need those to work properly
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// Precompiled JSPs need access to this system property.
permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
// java.io.tmpdir should be usable as a temporary file directory
permission java.util.PropertyPermission "java.io.tmpdir", "read";
permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
};


@ -1,32 +0,0 @@
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };



@ -1,28 +0,0 @@
---
- name: tomcat restart instances with changed configs
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
with_items: '{{ restart_needed.results }}'
when: item is changed
ignore_errors: True
- name: tomcat restart instances with changed jmx config
service: name='tomcat-instance-{{ item.item.http_port }}' state=restarted sleep=20
with_items: '{{ jmx_restart_needed.results }}'
when: item is changed
ignore_errors: True
- name: tomcat instances restart
service: name='tomcat-instance-{{ item.http_port }}' state=restarted sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True
- name: enable tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=started enabled=yes sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True
- name: disable tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=stopped enabled=no sleep=20
with_items: '{{ tomcat_m_instances }}'
ignore_errors: True


@ -1,3 +0,0 @@
---
dependencies:
- role: '../../library/roles/tomcat'


@ -1,214 +0,0 @@
---
#
# Note: the library role 'tomcat' is a dependency
#
- name: disable the tomcat main instance
service: name='tomcat{{ tomcat_version }}' state=stopped enabled=no
when: not tomcat_service_enabled
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create a tomcat user for each instance if needed
user: name={{ item.user }} home={{ item.user_home }} createhome=false shell={{ item.user_shell | default('/bin/false') }}
with_items: '{{ tomcat_m_instances }}'
when:
- not tomcat_m_use_default_user | bool
- item.user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create a tomcat user if needed
user: name={{ tomcat_m_default_user }} home={{ tomcat_m_instances_base_path }} createhome=false shell={{ tomcat_m_default_user_shell }}
when:
- tomcat_m_use_default_user | bool
- tomcat_m_default_user != "tomcat{{ tomcat_version }}"
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances directory trees
file: dest={{ item.0.instance_path }}/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0755 state=directory
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'common/classes', 'conf/Catalina/localhost', 'conf/policy.d', 'lib', 'server/classes', 'shared/classes', 'webapps' ]
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances log dirs
file: dest={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the instances work dirs
file: dest={{ tomcat_m_cache_base }}/{{ item.http_port }} owner={{ item.user }} group={{ item.user }} mode=0755 state=directory
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create links to work dir inside the instances directory tree
file: src={{ tomcat_m_cache_base }}/{{ item.http_port }} dest={{ item.instance_path }}/work state=link
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create links to log dir inside the instances directory tree
file: src={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} dest={{ item.instance_path }}/logs state=link
with_items: '{{ tomcat_m_instances }}'
register: tomcat_first_install
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Create the catalina tmp directory
file: dest={{ item.catalina_tmp_directory }} state=directory owner={{ item.user }} group={{ item.user }} mode=0700
with_items: '{{ tomcat_m_instances }}'
when: item.catalina_tmp_directory is defined
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Populate the instances conf directory
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'context.xml' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install catalina.properties
template: src={{ item[1] }}.j2 dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'catalina.properties' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_catalina_properties' ]
- name: Populate the instances conf/policy.d directory
copy: src=policy.d/{{ item[1] }} dest={{ item.0.instance_path }}/conf/policy.d/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ '01system.policy', '02debian.policy', '03catalina.policy', '04webapps.policy', '50local.policy' ]
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install logging.properties if we do not use log4j for the tomcat logging
copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
with_nested:
- '{{ tomcat_m_instances }}'
- [ 'logging.properties' ]
when:
- tomcat_use_log4j is defined
- not tomcat_use_log4j | bool
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances' ]
- name: Install the server.xml conf file
template: src=tomcat-server.xml.j2 dest={{ item.instance_path }}/conf/server.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the web.xml file
template: src=tomcat-web.xml.j2 dest={{ item.instance_path }}/conf/web.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
- name: Install the tomcat-admin package if the host-manager or manager apps are required
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes
when: tomcat_m_host_manager_install | bool or tomcat_m_manager_install | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ]
- name: Install the catalina configuration for the tomcat host manager
template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
when: tomcat_m_host_manager_install | bool
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ]
- name: Install the catalina configuration for the tomcat manager
template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
- name: Install the instances startup scripts
template: src=tomcat-instance.init.j2 dest=/etc/init.d/tomcat-instance-{{ item.http_port }} mode=0755 owner=root group=root
with_items: '{{ tomcat_m_instances }}'
register: reload_systemd
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_init' ]
- name: Install the tomcat instances default file
template: src=tomcat-default.j2 dest=/etc/default/tomcat-instance-{{ item.http_port }} mode=0640 owner=root group={{ item.user }}
with_items: '{{ tomcat_m_instances }}'
notify: tomcat instances restart
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_default', 'jdk' ]
- name: Reload the systemd daemon if we are running on a systemd-backed server
command: systemctl daemon-reload
when:
- ansible_service_mgr == 'systemd'
- reload_systemd | bool
- name: Install a custom context.xml file
template: src=tomcat-context.xml.j2 dest={{ item.instance_path }}/conf/context.xml owner={{ item.user }} group={{ item.user }} mode=0640
with_items: '{{ tomcat_m_instances }}'
register: restart_needed
notify: tomcat restart instances with changed configs
when: tomcat_m_jndi_pool | bool
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_contextxml', 'jdk' ]
- name: Install a logrotate entry for the access log file
template: src=tomcat.logrotate.j2 dest=/etc/logrotate.d/tomcat_instance-{{ item.http_port }} owner=root group=root mode=0644
with_items: '{{ tomcat_m_instances }}'
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf' ]
- name: Install the jmx authorization file
template: src=jmxremote.passwd.j2 dest={{ item.instance_path }}/conf/jmxremote.passwd owner={{ item.user }} group={{ item.user }} mode=0600
with_items: '{{ tomcat_m_instances }}'
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Install the jmx role file
copy: src=jmxremote.access dest={{ item.instance_path }}/conf/jmxremote.access owner={{ item.user }} group={{ item.user }} mode=0644
with_items: '{{ tomcat_m_instances }}'
when:
- item.jmx_enabled is defined
- item.jmx_auth_enabled is defined
- item.jmx_enabled | bool
- item.jmx_auth_enabled | bool
register: jmx_restart_needed
notify: tomcat restart instances with changed jmx config
tags: [ 'tomcat', 'tomcat_instances', 'tomcat_jmx' ]
- name: Start all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' state=started sleep=20
with_items: '{{ tomcat_m_instances }}'
when:
- tomcat_first_install.changed | bool
- tomcat_m_start_instances | bool
tags: [ 'tomcat', 'tomcat_instances']
ignore_errors: True
- name: Enable all the tomcat instances
service: name='tomcat-instance-{{ item.http_port }}' enabled=yes
with_items: '{{ tomcat_m_instances }}'
when: tomcat_m_enable_instances | bool
tags: [ 'tomcat', 'tomcat_instances']


@ -1,135 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
#
# List of comma-separated paths defining the contents of the "common"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank,the JVM system loader will be used as Catalina's "common"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
#
# List of comma-separated paths defining the contents of the "server"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank, the "common" loader will be used as Catalina's "server"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
server.loader=${catalina.base}/server/classes,${catalina.base}/server/*.jar
#
# List of comma-separated paths defining the contents of the "shared"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
# the "common" loader will be used as Catalina's "shared" loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
# Please note that for single jars, e.g. bar.jar, you need the URL form
# starting with file:.
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
# List of JAR files that should not be scanned for configuration information
# such as web fragments, TLD files etc. It must be a comma separated list of
# JAR file names.
# The JARs listed below include:
# - Tomcat Bootstrap JARs
# - Tomcat API JARs
# - Catalina JARs
# - Jasper JARs
# - Tomcat JARs
# - Common non-Tomcat JARs
# - Sun JDK JARs
# - Apple JDK JARs
tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
jasper.jar,jasper-el.jar,ecj-*.jar,\
tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
tomcat-jni.jar,tomcat-spdy.jar,\
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
tomcat-jdbc.jar,\
tools.jar,\
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
commons-math*.jar,commons-pool*.jar,\
jstl.jar,\
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
xom-*.jar
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for Servlet 3.0 pluggability features. These features include web
# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
# must be a comma separated list of JAR file names.
org.apache.catalina.startup.ContextConfig.jarsToSkip=
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for TLDs. The list must be a comma separated list of JAR file names.
org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
#
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
{% if tomcat_m_catalina_opts is defined %}
# Custom configurations
{% for opt in tomcat_m_catalina_opts %}
{{ opt }}
{% endfor %}
{% endif %}


@ -1,2 +0,0 @@
monitorRole {{ item.jmx_monitorpass }}
controlRole {{ item.jmx_controlpass }}


@ -1,79 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tacking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
{% if tomcat_m_jndi_pool %}
{% if tomcat_jndi_pool_databases is defined %}
{% for pool in tomcat_jndi_pool_databases %}
<Resource name="{{ pool. jndi_resource_name | default('jdbc/postgres') }}"
auth="Container"
type="{{ pool.jndi_resource_type | default('javax.sql.DataSource') }}"
driverClassName="{{ pool.jndi_class_name | default('org.postgresql.Driver') }}"
url="jdbc:postgresql://{{ pool. jndi_db_host }}:{{ pool.jndi_db_port | default (5432) }}/{{ pool.jndi_db_name }}"
username="{{ pool.jndi_db_user }}" password="{{ pool.jndi_db_pwd }}"
maxActive="20"
initialSize="0"
minIdle="0"
maxIdle="8"
maxWait="10000"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
testWhileIdle="true"
validationQuery="SELECT 1"
maxAge="600000"
rollbackOnReturn="true"
/>
{% endfor %}
{% else %}
<Resource name="jdbc/postgres"
auth="Container"
type="javax.sql.DataSource"
driverClassName="org.postgresql.Driver"
url="jdbc:postgresql://{{ tomcat_jndi_pool_host }}:{{ tomcat_jndi_pool_db_port | default (5432) }}/{{ tomcat_jndi_pool_db }}"
username="{{ tomcat_jndi_pool_db_user }}" password="{{ tomcat_jndi_pool_db_pwd }}"
maxActive="20"
initialSize="0"
minIdle="0"
maxIdle="8"
maxWait="10000"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
testWhileIdle="true"
validationQuery="SELECT 1"
maxAge="600000"
rollbackOnReturn="true"
/>
{% endif %}
{% endif %}
</Context>


@ -1,80 +0,0 @@
{% if limits_nofile_value is defined %}
ulimit -Hn {{ limits_nofile_value }}
ulimit -Sn {{ limits_nofile_value }}
{% endif %}
TOMCAT_USER={{ item.user }}
TOMCAT_GROUP={{ item.user }}
JAVA_HOME={{ item.java_home }}
JAVA_OPTS="-server -Djava.awt.headless=true -Dfile.encoding={{ tomcat_m_file_encoding }}"
{% if jdk_default >= 8 %}
JAVA_OPTS="{{ tomcat_m_additional_java_8_opts }} $JAVA_OPTS"
{% endif %}
{% if item.java_heap is defined %}
JAVA_HEAP="{{ item.java_heap }}"
{% else %}
JAVA_HEAP="{{ tomcat_m_java_opts_heap }}"
{% endif %}
JAVA_PERMGEN=
{% if jdk_default <= 7 %}
{% if item.java_permgen_size is defined %}
JAVA_PERMGEN="-XX:MaxPermSize={{ item.java_permgen_size }}"
{% else %}
JAVA_PERMGEN="-XX:MaxPermSize={{ tomcat_m_permgen_size }}"
{% endif %}
{% endif %}
{% if item.java_opts is defined %}
JAVA_OPTS="{{ item.java_opts }} $JAVA_OPTS $JAVA_HEAP $JAVA_PERMGEN"
{% endif %}
{% if item.java_gc_opts is defined %}
JAVA_OPTS="{{ item.java_gc_opts }} $JAVA_OPTS"
{% endif %}
{% if item.proxy_enabled is defined and item.proxy_enabled %}
{% if item.proxy_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.proxy_opts }}"
{% else %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_m_proxy_opts }}"
{% endif %}
{% endif %}
{% if item.other_java_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ item.other_java_opts }}"
{% endif %}
{% if item.jmx_enabled is defined and item.jmx_enabled %}
# JMX settings
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ item.jmx_port | default('8186') }}"
{% if item.jmx_use_ssl is defined and item.jmx_use_ssl %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=true"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
{% endif %}
{% if item.jmx_localhost_only is defined and item.jmx_localhost_only %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.hostname=127.0.0.1"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname={{ tomcat_m_jmx_ip_address }}"
{% endif %}
{% if item.jmx_auth_enabled is defined and item.jmx_auth_enabled %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ item.jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ item.jmx_auth_dir }}/jmxremote.access"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
{% endif %}
{% if item.jmx_disable_additional_ports is defined and item.jmx_disable_additional_ports %}
JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ item.jmx_port }}"
{% endif %}
{% endif %}
{% if item.remote_debugging is defined and item.remote_debugging %}
# You will be able to use a java debugger on port {{ item.remote_debugging_uri }}.
JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ item.remote_debugging_uri }},server=y,suspend=n"
{% endif %}
# WARNING: This directory will be destroyed and recreated at every startup !
{% if item.catalina_tmp_directory is defined %}
JVM_TMP={{ item.catalina_tmp_directory }}/jvm_tmp
{% else %}
JVM_TMP={{ item.instance_path }}/tmp/jvm_tmp
{% endif %}
{% if item.catalina_tmp_directory is defined %}
export CATALINA_TMPDIR={{ item.catalina_tmp_directory }}
{% endif %}
# Additional options not managed by the provisioning tools
if [ -f /etc/default/tomcat-instance-{{ item.http_port }}.local ] ; then
. /etc/default/tomcat-instance-{{ item.http_port }}.local
fi


@ -1,3 +0,0 @@
<Context path="/host-manager"
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/host-manager"
antiResourceLocking="false" privileged="true" />


@ -1,310 +0,0 @@
#!/bin/sh
#
# /etc/init.d/tomcat-instance-{{ item.http_port }} -- startup script for the Tomcat {{ tomcat_version }} {{ item.user }} servlet engine on port {{ item.http_port }}
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for Tomcat by Stefan Gybas <sgybas@debian.org>.
# Modified for Tomcat6 by Thierry Carrez <thierry.carrez@ubuntu.com>.
# Modified for Tomcat7 by Ernesto Hernandez-Novich <emhn@itverx.com.ve>.
# Additional improvements by Jason Brittain <jason.brittain@mulesoft.com>.
#
### BEGIN INIT INFO
# Provides: tomcat-instance-{{ item.http_port }}
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Should-Start: $named
# Should-Stop: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start Tomcat.
# Description: Start the Tomcat servlet engine.
### END INIT INFO
set -e
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=tomcat-instance-{{ item.http_port }}
DESC="Tomcat servlet engine"
DEFAULT=/etc/default/$NAME
JVM_TMP=/var/tmp/$NAME-tmp
if [ `id -u` -ne 0 ]; then
echo "You need root privileges to run this script"
exit 1
fi
# Make sure tomcat is started with system locale
if [ -r /etc/default/locale ]; then
. /etc/default/locale
export LANG
fi
. /lib/lsb/init-functions
if [ -r /etc/default/rcS ]; then
. /etc/default/rcS
fi
# The following variables can be overwritten in $DEFAULT
# Run Tomcat {{ tomcat_version }} as this user ID and group ID
TOMCAT{{ tomcat_version }}_USER={{ item.user }}
TOMCAT{{ tomcat_version }}_GROUP={{ item.user }}
# this is a work-around until there is a suitable runtime replacement
# for dpkg-architecture for arch:all packages
# this function sets the variable OPENJDKS
find_openjdks()
{
for jvmdir in /usr/lib/jvm/java-11-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-11-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-8-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-8-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-7-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-7-openjdk-common" ]
then
OPENJDKS=$jvmdir
fi
done
for jvmdir in /usr/lib/jvm/java-6-openjdk-*
do
if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-6-openjdk-common" ]
then
OPENJDKS="${OPENJDKS} ${jvmdir}"
fi
done
}
OPENJDKS=""
find_openjdks
# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
JDK_DIRS="/usr/lib/jvm/default-java ${OPENJDKS} /usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun"
# Look for the right JVM to use
for jdir in $JDK_DIRS; do
if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
JAVA_HOME="$jdir"
fi
done
export JAVA_HOME
# Directory where the Tomcat binary distribution resides
CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}
# Directory for per-instance configuration files and webapps
CATALINA_BASE={{ item.instance_path }}
# Use the Java security manager? (yes/no)
TOMCAT{{ tomcat_version }}_SECURITY=no
# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
# Xalan XSL transformer can work without X11 display on JDK 1.4+
# It also looks like the default heap size of 64M is not enough for most cases
# so the maximum heap size is set to 128M
if [ -z "$JAVA_OPTS" ]; then
JAVA_OPTS="-Djava.awt.headless=true -Xmx512M"
fi
# End of variables that can be overwritten in $DEFAULT
# overwrite settings from default file
if [ -f "$DEFAULT" ]; then
. "$DEFAULT"
fi
if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
log_failure_msg "$NAME is not installed"
exit 1
fi
POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"
if [ -z "$CATALINA_TMPDIR" ]; then
CATALINA_TMPDIR="$JVM_TMP"
fi
# Set the JSP compiler if set in the ${ NAME }.default file
if [ -n "$JSP_COMPILER" ]; then
JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi
SECURITY=""
if [ "$TOMCAT{{ tomcat_version }}_SECURITY" = "yes" ]; then
SECURITY="-security"
fi
# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"
# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
JSSE_HOME="${JAVA_HOME}/jre/"
fi
catalina_sh() {
# Escape any double quotes in the value of JAVA_OPTS
JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"
AUTHBIND_COMMAND=""
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
fi
# Define the command to run Tomcat's catalina.sh as a daemon
# set -a tells sh to export assigned variables to spawned shells.
TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
CATALINA_HOME=\"$CATALINA_HOME\"; \
CATALINA_BASE=\"$CATALINA_BASE\"; \
JAVA_OPTS=\"$JAVA_OPTS\"; \
CATALINA_PID=\"$CATALINA_PID\"; \
CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
cd \"$CATALINA_BASE\"; \
\"$CATALINA_SH\" $@"
if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
TOMCAT_SH="'$TOMCAT_SH'"
fi
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT{{ tomcat_version }}_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
start-stop-daemon --start -b -u "$TOMCAT{{ tomcat_version }}_USER" -g "$TOMCAT{{ tomcat_version }}_GROUP" \
-c "$TOMCAT{{ tomcat_version }}_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
status="$?"
set +a -e
return $status
}
case "$1" in
start)
if [ -z "$JAVA_HOME" ]; then
log_failure_msg "no JDK found - please set JAVA_HOME"
exit 1
fi
if [ ! -d "$CATALINA_BASE/conf" ]; then
log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
exit 1
fi
log_daemon_msg "Starting $DESC" "$NAME"
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
# Regenerate POLICY_CACHE file
umask 022
echo "// AUTO-GENERATED FILE from {{ item.instance_path }}/conf/policy.d/" \
> "$POLICY_CACHE"
echo "" >> "$POLICY_CACHE"
cat $CATALINA_BASE/conf/policy.d/*.policy \
>> "$POLICY_CACHE"
# Remove / recreate JVM_TMP directory
rm -rf "$JVM_TMP"
mkdir -p "$JVM_TMP" || {
log_failure_msg "could not create JVM temporary directory"
exit 1
}
chown $TOMCAT{{ tomcat_version }}_USER "$JVM_TMP"
catalina_sh start $SECURITY
sleep 5
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
if [ -f "$CATALINA_PID" ]; then
rm -f "$CATALINA_PID"
fi
log_end_msg 1
else
log_end_msg 0
fi
else
log_progress_msg "(already running)"
log_end_msg 0
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
set +e
if [ -f "$CATALINA_PID" ]; then
start-stop-daemon --stop --pidfile "$CATALINA_PID" \
--user "$TOMCAT{{ tomcat_version }}_USER" \
--retry=TERM/20/KILL/5 >/dev/null
if [ $? -eq 1 ]; then
log_progress_msg "$DESC is not running but pid file exists, cleaning up"
elif [ $? -eq 3 ]; then
PID="`cat $CATALINA_PID`"
log_failure_msg "Failed to stop $NAME (pid $PID)"
exit 1
fi
rm -f "$CATALINA_PID"
rm -rf "$JVM_TMP"
else
log_progress_msg "(not running)"
fi
log_end_msg 0
set -e
;;
status)
set +e
start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null 2>&1
if [ "$?" = "0" ]; then
if [ -f "$CATALINA_PID" ]; then
log_success_msg "$DESC is not running, but pid file exists."
exit 1
else
log_success_msg "$DESC is not running."
exit 3
fi
else
log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
fi
set -e
;;
restart|force-reload)
if [ -f "$CATALINA_PID" ]; then
$0 stop
sleep 1
fi
$0 start
;;
try-restart)
if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
--user $TOMCAT{{ tomcat_version }}_USER --exec "$JAVA_HOME/bin/java" \
>/dev/null; then
$0 start
fi
;;
*)
log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
exit 1
;;
esac
exit 0


@ -1,3 +0,0 @@
<Context path="/manager"
docBase="/usr/share/tomcat{{ tomcat_version }}-admin/manager"
antiResourceLocking="false" privileged="true" />


@ -1,146 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
{% if item.shutdown_port == '-1' %}
<Server port="{{ item.shutdown_port }}" shutdown="SHUTDOWN_PORT_DISABLED">
{% else %}
<Server port="{{ item.shutdown_port }}" shutdown="{{ tomcat_m_shutdown_pwd }}">
{% endif %}
{% if tomcat_version <= 7 %}
<Listener className="org.apache.catalina.core.JasperListener" />
{% endif %}
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
{% if item.http_enabled %}
<Executor name="tomcatThreadPool"
namePrefix="catalina-exec-"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}"
minSpareThreads="10"
/>
{% endif %}
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
{% if item.http_enabled %}
<!-- A http "Connector" using the shared thread pool-->
<Connector executor="tomcatThreadPool"
enableLookups="false"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}" connectionTimeout="60000"
URIEncoding="UTF-8"
bindOnInit="false" address="{{ item.http_address }}"
port="{{ item.http_port }}" protocol="HTTP/1.1"
maxPostSize="{{ item.max_post_size | default(104857600) }}"
useBodyEncodingForURI="true"
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
{% if tomcat_m_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_m_reverse_proxy_name }}"
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
{% endif %}
/>
{% endif %}
{% if item.ajp_enabled %}
<!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
<Connector port="{{ item.ajp_port }}" protocol="AJP/1.3"
enableLookups="false"
address="{{ item.ajp_address }}"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
maxQueueSize="{{ item.max_queue_size | default(32767) }}"
maxThreads="{{ item.max_threads }}"
connectionTimeout="60000"
maxPostSize="{{ item.max_post_size | default(104857600) }}"
{% if tomcat_m_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_m_reverse_proxy_name }}"
proxyPort="{{ tomcat_m_reverse_proxy_port }}"
{% endif %}
URIEncoding="UTF-8"
bindOnInit="false" />
{% endif %}
<Engine name="Catalina" defaultHost="localhost">
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
{% if item.unpack is defined %}
unpackWARs="{{ item.unpack }}"
{% else %}
unpackWARs="False"
{% endif %}
{% if item.autodeploy is defined %}
autoDeploy="{{ item.autodeploy }}"
{% else %}
autoDeploy="False"
{% endif %}
>
{% if item.access_log_enabled %}
<!-- Automatically substitutes the IP with the one contained
in the x-forwarded-for header if that header is set -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="combined" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access." suffix="log"
{% if tomcat_m_direct_access %}
pattern="combined"
{% else %}
pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i"
{% endif %}
rotatable="False"
/>
{% endif %}
</Host>
</Engine>
</Service>
</Server>


@ -1,49 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
{% if tomcat_m_host_manager_install or tomcat_m_manager_install %}
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
{% if tomcat_m_manager_gui_user_enabled %}
<user username="{{ tomcat_m_manager_gui_user }}" password="{{ tomcat_m_manager_gui_pwd }}" roles="{{ tomcat_m_manager_gui_r }}"/>
{% endif %}
{% if tomcat_m_manager_script_user_enabled %}
<user username="{{ tomcat_m_manager_script_user }}" password="{{ tomcat_m_manager_script_pwd }}" roles="{{ tomcat_m_manager_script_r }}"/>
{% endif %}
{% if tomcat_m_manager_jmx_user_enabled %}
<user username="{{ tomcat_m_manager_jmx_user }}" password="{{ tomcat_m_manager_jmx_pwd }}" roles="{{ tomcat_m_manager_jmx_r }}"/>
{% endif %}
{% if tomcat_m_manager_status_user_enabled %}
<user username="{{ tomcat_m_manager_status_user }}" password="{{ tomcat_m_manager_status_pwd }}" roles="{{ tomcat_m_manager_status_r }}"/>
{% endif %}
{% if tomcat_m_manager_other_roles is defined %}
{% for t_adm in tomcat_m_manager_other_roles %}
<role rolename="{{ t_adm.role }}"/>
<user username="{{ t_adm.user }}" password="{{ t_adm.password }}" roles="{{ t_adm.user_roles }}"/>
{% endfor %}
{% endif %}
{% endif %}
</tomcat-users>


@ -1,17 +0,0 @@
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/catalina.out {
copytruncate
{{ item.log_rotation_freq }}
rotate {{ item.log_retain }}
compress
missingok
create 640 {{ item.user }} adm
}
{{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}/localhost_access.log {
copytruncate
{{ item.log_rotation_freq }}
rotate {{ item.log_retain }}
compress
missingok
create 640 {{ item.user }} adm
}


@ -1,135 +0,0 @@
---
# The tomcat version is set at runtime. It changes from one distribution to the other.
#tomcat_version: 7
# To force a tomcat version set the following variable:
# tomcat_fixed_version: 9
tomcat_pkg_state: present
tomcat_service_enabled: True
tomcat_pkgs:
- 'tomcat{{ tomcat_version }}'
- 'libtomcat{{ tomcat_version }}-java'
- 'tomcat{{ tomcat_version }}-common'
- libapr1
tomcat8_additional_pkgs:
- jsvc
- libcommons-daemon-java
tomcat_user: 'tomcat{{ tomcat_version }}'
tomcat_max_threads: 200
tomcat_min_heap_size: 2048m
tomcat_permgen_defined: True
tomcat_heap_size: '{{ tomcat_min_heap_size }}'
tomcat_permgen_size: 512m
tomcat_file_encoding: 'UTF-8'
tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }}"
tomcat_additional_java_8_opts: "-XX:+CrashOnOutOfMemoryError"
tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
#tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
tomcat_proxy_enabled: False
tomcat_proxy_http_host: 'localhost'
tomcat_proxy_http_port: '3128'
tomcat_proxy_https_host: '{{ tomcat_proxy_http_host }}'
tomcat_proxy_https_port: '{{ tomcat_proxy_http_port }}'
tomcat_proxy_opts: "-DproxySet=true -Dhttp.proxyHost={{ tomcat_proxy_http_host }} -Dhttp.proxyPort={{ tomcat_proxy_http_port }} -Dhttps.proxyHost={{ tomcat_proxy_https_host }} -Dhttps.proxyPort={{ tomcat_proxy_https_port }}"
tomcat_other_java_opts: ""
tomcat_install_server_xml: True
tomcat_install_default_conf: True
tomcat_load_additional_default_conf: True
tomcat_http_enabled: True
tomcat_http_port: 8080
tomcat_http_address: 0.0.0.0
tomcat_webapps_autodeploy: False
tomcat_webapps_unpack: False
tomcat_ajp_enabled: False
tomcat_ajp_port: 8009
tomcat_ajp_address: 127.0.0.1
tomcat_direct_access: False
tomcat_reverse_proxy_name_enabled: False
tomcat_reverse_proxy_name: '{{ ansible_fqdn }}'
tomcat_reverse_proxy_port: '{{ http_port | default(80) }}'
# There is a bug that kills tomcat after 50 days if the shutdown port is enabled
# Disable the shutdown port by default
#tomcat_shutdown_port: 8005
tomcat_shutdown_port: -1
tomcat_shutdown_pwd: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits') }}"
tomcat_restart_timeout: 300
tomcat_max_post_size: 1000000
tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/'
tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
# JMX and debugging
tomcat_enable_remote_debugging: False
tomcat_remote_debugging_host: '0.0.0.0'
tomcat_remote_debugging_port: ':8100'
tomcat_remote_debugging_uri: '{{ tomcat_remote_debugging_host }}:{{ tomcat_remote_debugging_port }}'
#
tomcat_jmx_enabled: False
tomcat_jmx_auth_enabled: False
tomcat_jmx_port: 8082
tomcat_jmx_auth_dir: '{{ tomcat_conf_dir }}'
tomcat_jmx_use_ssl: False
# The following work with jdk >= 7.0.25 only
tomcat_jmx_disable_additional_ports: True
tomcat_jmx_localhost_only: False
# tomcat_jmx_monitorpass: define_in_a_vault_file
# tomcat_jmx_controlpass: define_in_a_vault_file
# Metrics monitoring via javamelody
tomcat_javamelody: True
#tomcat_javamelody_version: latest
tomcat_javamelody_version: 1.79.0
# tomcat logging
tomcat_logdir: '/var/log/tomcat{{ tomcat_version }}'
tomcat_use_log4j: True
tomcat_install_the_log4j_properties: True
tomcat_retain_old_logs: 30
tomcat_log_rotation_threshold: "ALL"
tomcat_log_max_file_size: "100MB"
tomcat_log_level: INFO
tomcat_log_logger: CATALINA
tomcat_access_log_enabled: True
tomcat_access_log_rotation_freq: "daily"
#
# Define them if you want to send all the logs to an ELK installation
tomcat_send_to_logstash: False
tomcat_logstash_collector_host: logstash
tomcat_logstash_collector_socketappender_port: 4560
tomcat_logstash_collector_socketappender_reconndelay: 10000
# Set to LOGSTASH only if you do not want local logs
tomcat_logstash_logger: CATALINA, LOGSTASH
#tomcat_access_log_file_name: localhost_access.log
#
# Administrative interface
tomcat_install_admin: False
tomcat_manager_gui_user_enabled: True
tomcat_manager_gui_user: guiadmin
tomcat_manager_gui_r: "manager-gui"
#tomcat_manager_gui_pwd: *See the vault file*
tomcat_manager_script_user_enabled: False
tomcat_manager_script_user: scriptadmin
tomcat_manager_script_r: "manager-script"
#tomcat_manager_script_pwd: *See the vault file*
tomcat_manager_jmx_user_enabled: False
tomcat_manager_jmx_user: jmxadmin
tomcat_manager_jmx_r: "manager-jmx"
#tomcat_manager_jmx_pwd: *See the vault file*
tomcat_manager_status_user_enabled: False
tomcat_manager_status_user: statusadmin
tomcat_manager_status_r: "manager-status"
#tomcat_manager_status_pwd: *See the vault file*
#
tomcat_install_jdbc: False
tomcat_install_pg_jdbc: '{{ tomcat_install_jdbc }}'
# Not used yet
tomcat_install_mysql_jdbc: False


@ -1,131 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
#
# List of comma-separated paths defining the contents of the "common"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank,the JVM system loader will be used as Catalina's "common"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
#
# List of comma-separated paths defining the contents of the "server"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
# If left as blank, the "common" loader will be used as Catalina's "server"
# loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar,${catalina.base}/server/classes,${catalina.base}/server/*.jar
#
# List of comma-separated paths defining the contents of the "shared"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
# the "common" loader will be used as Catalina's "shared" loader.
# Examples:
# "foo": Add this folder as a class repository
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
# Please note that for single jars, e.g. bar.jar, you need the URL form
# starting with file:.
shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar,${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
# List of JAR files that should not be scanned using the JarScanner
# functionality. This is typically used to scan JARs for configuration
# information. JARs that do not contain such information may be excluded from
# the scan to speed up the scanning process. This is the default list. JARs on
# this list are excluded from all scans. Scan specific lists (to exclude JARs
# from individual scans) follow this. The list must be a comma separated list of
# JAR file names.
# The JARs listed below include:
# - Tomcat Bootstrap JARs
# - Tomcat API JARs
# - Catalina JARs
# - Jasper JARs
# - Tomcat JARs
# - Common non-Tomcat JARs
# - Test JARs (JUnit, Cobertura and dependencies)
tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
jasper.jar,jasper-el.jar,ecj-*.jar,\
tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
tomcat-jni.jar,tomcat-spdy.jar,\
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
tomcat-jdbc.jar,\
tools.jar,\
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
commons-math*.jar,commons-pool*.jar,\
jstl.jar,\
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
xom-*.jar
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for Servlet 3.0 pluggability features. These features include web
# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
# must be a comma separated list of JAR file names.
org.apache.catalina.startup.ContextConfig.jarsToSkip=
# Additional JARs (over and above the default JARs listed above) to skip when
# scanning for TLDs. The list must be a comma separated list of JAR file names.
org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
#
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000


@ -1,2 +0,0 @@
monitorRole readonly
controlRole readwrite


@ -1,49 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.session.ManagerBase.level = FINE
#org.apache.catalina.core.AprLifecycleListener.level=FINE


@ -1,12 +0,0 @@
---
- name: tomcat restart
service: name='tomcat{{ tomcat_version }}' state=restarted sleep=20
when: tomcat_service_enabled
- name: enable tomcat
service: name='tomcat{{ tomcat_version }}' state=started enabled=yes
when: tomcat_service_enabled
- name: disable tomcat
service: name='tomcat{{ tomcat_version }}' state=started enabled=no
when: not tomcat_service_enabled


@ -1,3 +0,0 @@
---
dependencies:
- { role: '../../library/roles/openjdk' }


@ -1,6 +0,0 @@
---
- name: Install a logrotate entry for the access log file
template: src=tomcat_access.logrotate.j2 dest=/etc/logrotate.d/tomcat_access owner=root group=root mode=0644
when: tomcat_access_log_enabled
tags: tomcat


@ -1,24 +0,0 @@
---
- import_tasks: tomcat-pkgs.yml
- import_tasks: tomcat-admin.yml
when: tomcat_install_admin
- import_tasks: tomcat-jmx.yml
when:
- tomcat_jmx_enabled
- tomcat_jmx_auth_enabled
tags: [ 'tomcat', 'jmx' ]
- import_tasks: tomcat-log4j-logging.yml
when:
- tomcat_use_log4j
- tomcat_version <= 7
tags: [ 'tomcat', 'tomcat_log4j' ]
- import_tasks: tomcat-logger-logging.yml
when: not tomcat_use_log4j or tomcat_version > 7
- import_tasks: access_log.yml
when: tomcat_access_log_enabled
- import_tasks: pgsql_jdbc.yml
when: tomcat_install_pg_jdbc
- import_tasks: not_pgsql_jdbc.yml
when: not tomcat_install_pg_jdbc


@ -1,9 +0,0 @@
---
- name: Do not load the postgresql jdbc driver on tomcat if not needed
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
with_items:
- postgresql-jdbc4.jar
when: not tomcat_install_pg_jdbc
notify: tomcat restart
tags: tomcat


@ -1,16 +0,0 @@
---
# Postgresql JDBC
- name: Install the jdbc package if needed
apt: pkg=libpostgresql-jdbc-java state=present
when: tomcat_install_pg_jdbc
tags: [ 'tomcat', 'tomcat_jdbc' ]
- name: Configure tomcat to use the global postgresql jdbc driver
file: src=/usr/share/java/{{ item }} dest=/usr/share/tomcat{{ tomcat_version }}/lib/{{ item }} state=link
with_items:
- postgresql-jdbc4.jar
when: tomcat_install_pg_jdbc
notify:
tomcat restart
tags: [ 'tomcat', 'tomcat_jdbc' ]


@ -1,10 +0,0 @@
---
- name: Install the tomcat console management package
apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }}
tags: tomcat
- name: Install the tomcat users file
template: src=tomcat-users.xml.j2 dest={{ tomcat_conf_dir }}/tomcat-users.xml owner=root group={{ tomcat_user }} mode=0640
notify: tomcat restart
tags: tomcat


@ -1,16 +0,0 @@
---
- name: Distribute the jmx authorization file
template: src=jmxremote.passwd.j2 dest={{ tomcat_jmx_auth_dir }}/jmxremote.passwd owner={{ tomcat_user }} mode=0600
when:
- tomcat_jmx_enabled
- tomcat_jmx_auth_enabled
notify: tomcat restart
tags: [ 'tomcat', 'jmx' ]
- name: Distribute the jmx role file
copy: src=jmxremote.access dest={{ tomcat_jmx_auth_dir }}/jmxremote.access owner=root mode=0644
when:
- tomcat_jmx_enabled
- tomcat_jmx_auth_enabled
notify: tomcat restart
tags: [ 'tomcat', 'jmx' ]


@ -1,41 +0,0 @@
---
# Manage tomcat internal logs with log4j
- name: Install log4j
apt: pkg=liblog4j1.2-java state={{ tomcat_pkg_state }}
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Install tomcat-juli-adapters
copy: src=tomcat{{ tomcat_version }}-juli-adapters.jar dest=/usr/share/java/tomcat-juli-adapters.jar
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Install tomcat-juli
copy: src=tomcat{{ tomcat_version }}-juli-log4j.jar dest=/usr/share/java/tomcat-juli-log4j.jar
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Configure tomcat to use the log4j system library
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link
with_items:
- log4j-1.2.jar
- tomcat-juli-adapters.jar
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Configure tomcat to use the log4j version of the juli library
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/tomcat-juli.jar state=link
with_items:
- tomcat-juli-log4j.jar
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Install log4j.properties
template: src=log4j.properties.j2 dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties mode=0644 owner=root group=root
when: tomcat_install_the_log4j_properties
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_log4j' ]
- name: Remove logging.properties
file: dest=/etc/tomcat{{ tomcat_version }}/logging.properties state=absent
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_log4j' ]


@ -1,26 +0,0 @@
---
- name: Remove the system log4j library from the tomcat libdir
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
with_items:
- log4j-1.2.jar
- tomcat-juli-adapters.jar
notify: tomcat restart
tags: tomcat
- name: Configure tomcat to use the standard version of the juli library
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link
with_items:
- 'tomcat{{ tomcat_version }}-juli.jar'
notify: tomcat restart
tags: tomcat
- name: Remove the system log4j.properties
file: dest={{ tomcat_catalina_home_dir }}/lib/log4j.properties state=absent
notify: tomcat restart
tags: tomcat
- name: Install logging.properties
copy: src=logging.properties dest=/etc/tomcat{{ tomcat_version }}/logging.properties owner=root group=root mode=0644
notify: tomcat restart
tags: tomcat


@ -1,111 +0,0 @@
---
- name: Set the tomcat version for ubuntu Trusy
set_fact:
tomcat_version: 7
when:
- ansible_distribution_major_version <= '16'
- tomcat_fixed_version is not defined
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Set the tomcat version for Ubuntu bionic
set_fact:
tomcat_version: 8
when:
- ansible_distribution_major_version == '18'
- tomcat_fixed_version is not defined
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Impose a tomcat version
set_fact:
tomcat_version: '{{ tomcat_fixed_version }}'
when: tomcat_fixed_version is defined
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Print the Tomcat version
debug:
msg: "The Tomcat version we are going to install is {{ tomcat_version }}"
tags: [ 'tomcat', 'tomcat_ver', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Install the tomcat packages
apt: pkg={{ tomcat_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
tags: tomcat
- name: Install additional packages needed by tomcat 8+
apt: pkg={{ tomcat8_additional_pkgs }} state={{ tomcat_pkg_state }} cache_valid_time=1800
when: tomcat_version >= 8
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf', 'tomcat_javamelody' ]
- name: Create the tomcat tmp directory
file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
notify: tomcat restart
tags: tomcat
- name: Create the catalina temp directory, if different from the default
file: dest={{ catalina_tmp_directory }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
when: catalina_tmp_directory is defined
notify: tomcat restart
tags: tomcat
- name: Configure tomcat defaults
template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
when: tomcat_install_default_conf | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_default' ]
- name: Configure tomcat server.xml
template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
when: tomcat_install_server_xml | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_serverxml' ]
- name: Configure tomcat web.xml
template: src=tomcat-web.xml.j2 dest={{ tomcat_conf_dir }}/web.xml
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_serverxml' ]
- name: Install a slightly modified catalina.properties
copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
when: tomcat_install_default_conf | bool
notify: tomcat restart
tags: [ 'tomcat', 'tomcat_catalinaprops' ]
- name: Create some directories that the package do not creates itself
file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755
with_items:
- common/classes
- server/classes
- shared/classes
tags: tomcat
- name: On tomcat8, create a link to commons-daemon.jar to avoid exceptions at startup
file: src=/usr/share/java/{{ item }} dest={{ tomcat_catalina_home_dir }}/bin/{{ item }} state=link owner=root group=root mode=0644
with_items:
- commons-daemon.jar
when: tomcat_version >= 8
tags: [ 'tomcat', 'tomcat_conf' ]
- name: Install the javamelody dependency jar into the Java shared libs directory
maven_artifact: artifact_id=jrobin version=latest group_id=org.jrobin extension=jar dest=/usr/share/java/jrobin.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Install the javamelody-core jar into the Java shared libs directory
maven_artifact: artifact_id=javamelody-core version={{ tomcat_javamelody_version }} group_id=net.bull.javamelody extension=jar dest=/usr/share/java/javamelody-core.jar verify_checksum=always mode=0644 owner=root group=root repository_url=https://repo1.maven.org/maven2
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Create a link to the the javamelody jar and its dependencies if the javamelody support is enabled
file: src=../../java/{{ item }} dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=link owner=root group=root mode=0644
with_items:
- javamelody-core.jar
- jrobin.jar
when: tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]
- name: Remove the javamelody jar and its dependencies if the javamelody support is disabled
file: dest={{ tomcat_catalina_home_dir }}/lib/{{ item }} state=absent
with_items:
- javamelody-core.jar
- jrobin.jar
when: not tomcat_javamelody | bool
tags: [ 'tomcat', 'tomcat_javamelody', 'tomcat_conf' ]


@ -1,2 +0,0 @@
monitorRole {{ tomcat_jmx_monitorpass }}
controlRole {{ tomcat_jmx_controlpass }}


@ -1,68 +0,0 @@
{% if tomcat_send_to_logstash %}
log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_logstash_logger }}
{% else %}
log4j.rootLogger = {{ tomcat_log_level }}, {{ tomcat_log_logger }}
{% endif %}
# Define all the appenders
log4j.appender.CATALINA = org.apache.log4j.RollingFileAppender
log4j.appender.CATALINA.File = ${catalina.base}/logs/catalina.log
log4j.appender.CATALINA.Append = true
log4j.appender.CATALINA.Encoding = UTF-8
log4j.appender.CATALINA.Threshold = {{ tomcat_log_rotation_threshold }}
log4j.appender.CATALINA.MaxFileSize = {{ tomcat_log_max_file_size }}
log4j.appender.CATALINA.MaxBackupIndex = {{ tomcat_retain_old_logs }}
log4j.appender.CATALINA.layout = org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
log4j.appender.LOCALHOST = org.apache.log4j.RollingFileAppender
log4j.appender.LOCALHOST.File = ${catalina.base}/logs/localhost.log
log4j.appender.LOCALHOST.Append = true
log4j.appender.LOCALHOST.Encoding = UTF-8
log4j.appender.LOCALHOST.Threshold = {{ tomcat_log_rotation_threshold }}
log4j.appender.LOCALHOST.MaxFileSize = {{ tomcat_log_max_file_size }}
log4j.appender.LOCALHOST.MaxBackupIndex = {{ tomcat_retain_old_logs }}
log4j.appender.LOCALHOST.layout = org.apache.log4j.PatternLayout
log4j.appender.LOCALHOST.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
log4j.appender.MANAGER = org.apache.log4j.RollingFileAppender
log4j.appender.MANAGER.File = ${catalina.base}/logs/manager.log
log4j.appender.MANAGER.Append = true
log4j.appender.MANAGER.Encoding = UTF-8
log4j.appender.MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
log4j.appender.MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
log4j.appender.MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
log4j.appender.MANAGER.layout = org.apache.log4j.PatternLayout
log4j.appender.MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
log4j.appender.HOST-MANAGER = org.apache.log4j.RollingFileAppender
log4j.appender.HOST-MANAGER.File = ${catalina.base}/logs/host-manager.log
log4j.appender.HOST-MANAGER.Append = true
log4j.appender.HOST-MANAGER.Encoding = UTF-8
log4j.appender.HOST-MANAGER.Threshold = {{ tomcat_log_rotation_threshold }}
log4j.appender.HOST-MANAGER.MaxFileSize = {{ tomcat_log_max_file_size }}
log4j.appender.HOST-MANAGER.MaxBackupIndex = {{ tomcat_retain_old_logs }}
log4j.appender.HOST-MANAGER.layout = org.apache.log4j.PatternLayout
log4j.appender.HOST-MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
{% if tomcat_send_to_logstash %}
log4j.appender.LOGSTASH=org.apache.log4j.net.SocketAppender
log4j.appender.LOGSTASH.remoteHost={{ tomcat_logstash_collector_host }}
log4j.appender.LOGSTASH.port={{ tomcat_logstash_collector_socketappender_port }}
log4j.appender.LOGSTASH.ReconnectionDelay={{ tomcat_logstash_collector_socketappender_reconndelay }}
log4j.appender.LOGSTASH.LocationInfo=true
log4j.appender.LOGSTASH.layout = org.apache.log4j.PatternLayout
log4j.appender.LOGSTASH.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
{% endif %}
log4j.appender.CONSOLE = org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.Encoding = UTF-8
log4j.appender.CONSOLE.layout = org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern = %d [%t] %-5p %c- %m%n
# Configure which loggers log to which appenders
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost] = {{ tomcat_log_level }}, LOCALHOST
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager] =\
{{ tomcat_log_level }}, MANAGER
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager] =\
{{ tomcat_log_level }}, HOST-MANAGER


@ -1,71 +0,0 @@
{% if limits_nofile_value is defined %}
ulimit -Hn {{ limits_nofile_value }}
ulimit -Sn {{ limits_nofile_value }}
{% endif %}
# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
# default of tomcat{{ tomcat_version}}.
TOMCAT{{ tomcat_version}}_USER={{ tomcat_user }}
# Run Tomcat as this group ID. Not setting this or leaving it blank will use
# the default of tomcat{{ tomcat_version}}.
TOMCAT{{ tomcat_version}}_GROUP={{ tomcat_user }}
# The home directory of the Java development kit (JDK). You need at least
# JDK version 1.5. If JAVA_HOME is not set, some common directories for
# OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried.
{% if jdk_java_home is defined %}
JAVA_HOME={{ jdk_java_home }}
{% endif %}
JAVA_OPTS="-server -Djava.awt.headless=true -Dfile.encoding={{ tomcat_file_encoding }}"
{% if jdk_default <= 7 %}
{% if tomcat_permgen_defined %}
{% if tomcat_permgen_size is defined %}
JAVA_OPTS="-XX:MaxPermSize={{ tomcat_permgen_size }} $JAVA_OPTS"
{% endif %}
{% endif %}
{% endif %}
{% if jdk_default >= 8 %}
JAVA_OPTS="{{ tomcat_additional_java_8_opts }} $JAVA_OPTS"
{% endif %}
{% if tomcat_java_opts is defined %}
JAVA_OPTS="{{ tomcat_java_opts }} $JAVA_OPTS"
{% endif %}
{% if tomcat_java_gc_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_java_gc_opts }}"
{% endif %}
{% if tomcat_proxy_enabled %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_proxy_opts }}"
{% endif %}
{% if tomcat_other_java_opts is defined %}
JAVA_OPTS="${JAVA_OPTS} {{ tomcat_other_java_opts }}"
{% endif %}
{% if tomcat_jmx_enabled %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ tomcat_jmx_port }} -Dcom.sun.management.jmxremote.ssl={{ tomcat_jmx_use_ssl }} -Dcom.sun.management.jmxremote.local.only={{ tomcat_jmx_localhost_only }}"
{% if tomcat_jmx_auth_enabled %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file={{ tomcat_jmx_auth_dir }}/jmxremote.password -Dcom.sun.management.jmxremote.access.file={{ tomcat_jmx_auth_dir }}/jmxremote.access"
{% else %}
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
{% endif %}
{% if tomcat_jmx_disable_additional_ports %}
JAVA_OPTS="${JAVA_OPTS} -XX:+DisableAttachMechanism -Dcom.sun.management.jmxremote.rmi.port={{ tomcat_jmx_port }}"
{% endif %}
{% endif %}
{% if tomcat_enable_remote_debugging %}
# You will be able to use a java debugger on URI {{ tomcat_remote_debugging_uri }}.
JAVA_OPTS="${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
# Obsolete
#JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address={{ tomcat_remote_debugging_uri }},server=y,suspend=n"
{% endif %}
# Location of the JVM temporary directory
# WARNING: This directory will be destroyed and recreated at every startup !
JVM_TMP={{ tomcat_tmp_dir }}
{% if catalina_tmp_directory is defined %}
export CATALINA_TMPDIR={{ catalina_tmp_directory }}
{% endif %}
{% if tomcat_load_additional_default_conf %}
if [ -f /etc/default/tomcat.local ] ; then
. /etc/default/tomcat.local
fi
{% endif %}


@ -1,176 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
{% if tomcat_shutdown_port == -1 %}
<Server port="{{ tomcat_shutdown_port }}"
shutdown="TOMCAT_SHUTDOWN_DISABLED">
{% else %}
<Server port="{{ tomcat_shutdown_port }}" shutdown="{{ tomcat_shutdown_pwd }}">
{% endif %}
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<!--
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-->
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
{% if tomcat_http_enabled %}
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<Executor name="tomcatThreadPool"
namePrefix="catalina-exec-"
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
maxThreads="{{ tomcat_max_threads }}"
minSpareThreads="10"/>
{% endif %}
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
{% if tomcat_http_enabled %}
<!-- A http "Connector" using the shared thread pool-->
<Connector executor="tomcatThreadPool"
enableLookups="false"
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
maxThreads="{{ tomcat_max_threads }}" connectionTimeout="60000"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
bindOnInit="false" address="{{ tomcat_http_address }}"
port="{{ tomcat_http_port }}" protocol="HTTP/1.1"
maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
{% if tomcat_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_reverse_proxy_name }}"
proxyPort="{{ tomcat_reverse_proxy_port }}"
{% endif %}
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
/>
{% endif %}
{% if tomcat_ajp_enabled %}
<!-- Define an AJP 1.3 Connector on port {{ tomcat_ajp_port }} -->
<Connector port="{{ tomcat_ajp_port }}" protocol="AJP/1.3"
enableLookups="false" address="{{ tomcat_ajp_address }}"
maxQueueSize="{{ tomcat_max_queue_size | default(32767) }}"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
maxThreads="{{ tomcat_max_threads }}"
connectionTimeout="60000"
maxPostSize="{{ tomcat_max_post_size | default(104857600) }}"
{% if tomcat_reverse_proxy_name_enabled %}
proxyName="{{ tomcat_reverse_proxy_name }}"
proxyPort="{{ tomcat_reverse_proxy_port }}"
{% endif %}
maxHttpHeaderSize="8192"
disableUploadTimeout="true"
bindOnInit="false" />
{% endif %}
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="{{ tomcat_webapps_unpack }}" autoDeploy="{{ tomcat_webapps_autodeploy }}">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
{% if tomcat_access_log_enabled %}
<!-- Automatically substitutes the IP with the one contained
in the x-forwarded-for header if that header is set -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="combined" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access." suffix="log"
{% if tomcat_direct_access %}
pattern="combined"
{% else %}
pattern="%t %{org.apache.catalina.AccessLog.RemoteAddr}r %{X-AUSERNAME}o %I %s &quot;%r&quot; %b %{User-Agent}i"
rotatable="False"
{% endif %}
/>
{% endif %}
</Host>
</Engine>
</Service>
</Server>


@ -1,40 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
{% if tomcat_manager_gui_user_enabled %}
<role rolename="{{ tomcat_manager_gui_r }}"/>
<user username="{{ tomcat_manager_gui_user }}" password="{{ tomcat_manager_gui_pwd }}" roles="{{ tomcat_manager_gui_r }}"/>
{% endif %}
{% if tomcat_manager_script_user_enabled %}
<role rolename="{{ tomcat_manager_script_r }}"/>
<user username="{{ tomcat_manager_script_user }}" password="{{ tomcat_manager_script_pwd }}" roles="{{ tomcat_manager_script_r }}"/>
{% endif %}
{% if tomcat_manager_jmx_user_enabled %}
<role rolename="{{ tomcat_manager_jmx_r }}"/>
<user username="{{ tomcat_manager_jmx_user }}" password="{{ tomcat_manager_jmx_pwd }}" roles="{{ tomcat_manager_jmx_r }}"/>
{% endif %}
{% if tomcat_manager_status_user_enabled %}
<role rolename="{{ tomcat_manager_status_r }}"/>
<user username="{{ tomcat_manager_status_user }}" password="{{ tomcat_manager_status_pwd }}" roles="{{ tomcat_manager_status_r }}"/>
{% endif %}
</tomcat-users>



@ -1,8 +0,0 @@
{{ tomcat_logdir }}/localhost_access.log {
copytruncate
{{ tomcat_access_log_rotation_freq }}
rotate {{ tomcat_retain_old_logs }}
compress
missingok
create 640 {{ tomcat_user }} adm
}
