diff --git a/library/roles/gitea/defaults/main.yml b/library/roles/gitea/defaults/main.yml
deleted file mode 100644
index 31a39a52..00000000
--- a/library/roles/gitea/defaults/main.yml
+++ /dev/null
@@ -1,79 +0,0 @@
----
-#
-# https://gitea.io
-#
-# We use the server ssh daemon, and nginx in front of the service by default.
-# So we do not start in http mode and we do not use the embedded letsencrypt support
-#
-gitea_version: 1.11.3
-gitea_download_url: 'https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64'
-gitea_bin_path: /usr/local/bin/gitea
-
-gitea_conf_dir: /etc/gitea
-gitea_data_dir: /var/lib/gitea
-gitea_data_subdirs:
- - custom
- - data
- - log
- - sock
-
-gitea_repository_data: '{{ gitea_data_dir }}/repositories'
-
-gitea_server_protocol: unix
-gitea_http_addr: '{{ gitea_data_dir }}/sock/gitea.sock'
-gitea_http_port: 3000
-gitea_root_url: https://{{ ansible_fqdn }}
-
-# home, explore
-gitea_landing_page: explore
-gitea_user: gitea
-gitea_group: '{{ gitea_user }}'
-gitea_run_mode: prod
-gitea_db: postgres
-gitea_local_postgresql: True
-gitea_local_mysql: False
-gitea_local_mariadb: False
-gitea_nginx_frontend: True
-gitea_local_redis: True
-gitea_local_memcache: True
-
-gitea_start_lfs: 'true'
-gitea_lfs_content_path: '{{ gitea_data_dir }}/data/lfs'
-#gitea_lfs_jwt_secret: put it into a vault file
-gitea_lfs_http_auth_expiry: 20m
-
-gitea_required_packages:
- - git
-
-gitea_db_name: gitea
-gitea_db_user: gitea_u
-#gitea_db_pwd: put it into a vault file
-gitea_db_host: localhost
-gitea_db_port: 5432
-gitea_db_ssl_mode: 'disable'
-
-gitea_app_name: "Gitea"
-gitea_disable_registration: 'false'
-gitea_install_lock: 'false'
-gitea_mailer_enabled: False
-gitea_mail_from: gitea@localhost
-gitea_mailer_type: sendmail
-gitea_sendmail_path: /usr/sbin/sendmail
-gitea_cache_provider: memcache
-#gitea_cache_host: '127.0.0.1:11211'
-gitea_cache_host: '127.0.0.1:11211'
-gitea_session_provider: redis
-gitea_session_config: 'network=tcp,addr=127.0.0.1:6379,db=0,pool_size=100,idle_timeout=180'
-
-gitea_prometheus_metrics: False
-#gitea_prometheus_bearer_token: put it into a vault file
-gitea_prometheus_bearer_token: ''
-gitea_log_level: Info
-
-# gitea_app_configurations:
-# - { section: 'mailer', option: 'ENABLED', value: 'true', state: 'present' }
-# - { section: 'mailer', option: 'FROM', value: '{{ gitea_mail_from }}', state: 'present' }
-# - { section: 'mailer', option: 'MAILER_TYPE', value: '{{ gitea_mailer_type }}', state: 'present' }
-# - { section: 'mailer', option: 'SENDMAIL_PATH', value: '{{ gitea_sendmail_path }}', state: 'present' }
-# - { section: 'metrics', option: 'ENABLED', value: 'true', state: 'present' }
-# - { section: 'metrics', option: 'TOKEN', value: '{{ gitea_prometheus_bearer_token }}', state: 'present' }
diff --git a/library/roles/gitea/handlers/main.yml b/library/roles/gitea/handlers/main.yml
deleted file mode 100644
index 04ba04ff..00000000
--- a/library/roles/gitea/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: reload gitea
- service: name=gitea state=reloaded
-
-- name: restart gitea
- service: name=gitea state=restarted
\ No newline at end of file
diff --git a/library/roles/gitea/meta/main.yml b/library/roles/gitea/meta/main.yml
deleted file mode 100644
index c2caa0ee..00000000
--- a/library/roles/gitea/meta/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-dependencies:
- - { role: 'postgresql', when: gitea_local_postgresql }
- - { role: 'mysql', when: gitea_local_mysql }
- - { role: 'nginx', when: gitea_nginx_frontend }
- - { role: 'redis', when: gitea_local_redis }
- - { role: 'memcached', when: gitea_local_memcache }
diff --git a/library/roles/gitea/tasks/main.yml b/library/roles/gitea/tasks/main.yml
deleted file mode 100644
index 11521a14..00000000
--- a/library/roles/gitea/tasks/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-- block:
- - name: Create the gitea service user
- user: name={{ gitea_user }} home=/srv/gitea createhome=yes shell=/bin/bash system=yes
-
- - name: Create the gitea directory tree
- file: dest={{ gitea_data_dir }}/{{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
- with_items: '{{ gitea_data_subdirs }}'
-
- - name: Create the gitea conf directory
- file: dest={{ gitea_conf_dir }} state=directory owner=root group={{ gitea_group }} mode=0750
-
- - name: Download the gitea binary
- get_url: url={{ gitea_download_url }} dest={{ gitea_bin_path }} owner=root group={{ gitea_group }} mode=0750
-
- - name: Install the required packages
- package: state=present use=auto name={{ gitea_required_packages }}
-
- - name: Check if the gitea configuration file exists
- stat: path={{ gitea_conf_dir }}/app.ini
- register: gitea_app_ini
-
- - name: Change the gitea configuration. After the installation
- ini_file: path={{ gitea_conf_dir }}/app.ini section={{ item.section }} option={{ item.option }} value={{ item.value }} state={{ item.state }} owner={{ gitea_user }} group={{ gitea_group }} mode=0640 create=no
- with_items: '{{ gitea_app_configurations }}'
- when:
- - gitea_app_ini.stat.exists
- - gitea_app_configurations is defined
- notify: restart gitea
-
- - name: Install the gitea configuration file. At install time only
- template: src=app.ini.j2 dest={{ gitea_conf_dir }}/app.ini owner={{ gitea_user }} group={{ gitea_group }} mode=0640 force=no
- notify: restart gitea
-
- - name: Install the gitea systemd unit
- template: src=gitea.service.systemd dest=/etc/systemd/system/gitea.service
- register: gitea_systemd_unit
-
- - name: Reload the systemd configuration
- command: systemctl daemon-reload
- when: gitea_systemd_unit is changed
-
- - name: Ensure that the gitea service is running and enabled
- service: name=gitea state=started enabled=yes
-
- tags: [ 'git', 'gitea' ]
diff --git a/library/roles/gitea/templates/app.ini.j2 b/library/roles/gitea/templates/app.ini.j2
deleted file mode 100644
index f0d1032b..00000000
--- a/library/roles/gitea/templates/app.ini.j2
+++ /dev/null
@@ -1,65 +0,0 @@
-APP_NAME = {{ gitea_app_name }}
-RUN_USER = {{ gitea_user }}
-RUN_MODE= {{ gitea_run_mode }}
-
-[repository]
-ROOT = {{ gitea_repository_data }}
-
-[server]
-PROTOCOL = {{ gitea_server_protocol }}
-HTTP_ADDR = {{ gitea_http_addr }}
-LANDING_PAGE = {{ gitea_landing_page }}
-LFS_START_SERVER = {{ gitea_start_lfs }}
-LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
-LFS_HTTP_AUTH_EXPIRY = {{ gitea_lfs_http_auth_expiry }}
-SSH_DOMAIN = localhost
-DOMAIN = localhost
-HTTP_PORT = {{ gitea_http_port }}
-ROOT_URL = {{ gitea_root_url }}
-DISABLE_SSH = false
-SSH_PORT = 22
-OFFLINE_MODE = false
-
-[database]
-DB_TYPE = {{ gitea_db }}
-HOST = {{ gitea_db_host }}:{{ gitea_db_port }}
-NAME = {{ gitea_db_name }}
-USER = {{ gitea_db_user }}
-PASSWD = {{ gitea_db_pwd }}
-SSL_MODE = {{ gitea_db_ssl_mode }}
-
-[security]
-INSTALL_LOCK = {{ gitea_install_lock }}
-
-[service]
-DISABLE_REGISTRATION = {{ gitea_disable_registration }}
-NO_REPLY_ADDRESS = {{ gitea_mail_from }}
-
-{% if gitea_mailer_enabled %}
-[mailer]
-ENABLED = true
-FROM = {{ gitea_mail_from }}
-MAILER_TYPE = {{ gitea_mailer_type }}
-SENDMAIL_PATH = {{ gitea_sendmail_path }}
-{% endif %}
-
-[cache]
-ADAPTER = {{ gitea_cache_provider }}
-HOST = {{ gitea_cache_host }}
-
-[session]
-PROVIDER = {{ gitea_session_provider }}
-PROVIDER_CONFIG = {{ gitea_session_config }}
-
-{% if gitea_prometheus_metrics %}
-[metrics]
-ENABLED = true
-TOKEN = '{{ gitea_prometheus_bearer_token }}'
-{% endif %}
-
-[other]
-SHOW_FOOTER_VERSION = false
-SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
-
-[log]
-LEVEL = {{ gitea_log_level }}
diff --git a/library/roles/gitea/templates/gitea.service.systemd b/library/roles/gitea/templates/gitea.service.systemd
deleted file mode 100644
index 9458dc26..00000000
--- a/library/roles/gitea/templates/gitea.service.systemd
+++ /dev/null
@@ -1,42 +0,0 @@
-[Unit]
-Description=Gitea (Git with a cup of tea)
-After=syslog.target
-After=network.target
-{% if gitea_local_mysql %}
-Requires=mysql.service
-{% endif %}
-#Requires=mariadb.service
-{% if gitea_local_postgresql %}
-Requires=postgresql.service
-{% endif %}
-{% if gitea_local_redis %}
-Requires=redis.service
-{% endif %}
-{% if gitea_local_memcache %}
-Requires=memcached.service
-{% endif %}
-
-[Service]
-# Modify these two values and uncomment them if you have
-# repos with lots of files and get an HTTP error 500 because
-# of that
-###
-#LimitMEMLOCK=infinity
-#LimitNOFILE=65535
-RestartSec=2s
-Type=simple
-User={{ gitea_user }}
-Group={{ gitea_user }}
-WorkingDirectory={{ gitea_data_dir }}
-ExecStart=/usr/local/bin/gitea web -c {{ gitea_conf_dir }}/app.ini
-Restart=always
-Environment=USER={{ gitea_user }} HOME=/srv/gitea GITEA_WORK_DIR={{ gitea_data_dir }}
-# If you want to bind Gitea to a port below 1024 uncomment
-# the two values below
-###
-#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/library/roles/gitea/vars/main.yml b/library/roles/gitea/vars/main.yml
deleted file mode 100644
index 5e466664..00000000
--- a/library/roles/gitea/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-nginx_use_common_virthost: True
-redis_install: True
-http_port: 80
-https_port: 443
-
diff --git a/library/roles/memcached/defaults/main.yml b/library/roles/memcached/defaults/main.yml
deleted file mode 100644
index 63037a33..00000000
--- a/library/roles/memcached/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-mc_pkg_state: present
-mc_enabled: True
-
-mc_port: 11211
-mc_user: memcached
-mc_maxconn: 1024
-mc_cachesize: 256
-mc_options: ""
-mc_ipaddress: 127.0.0.1
diff --git a/library/roles/memcached/handlers/main.yml b/library/roles/memcached/handlers/main.yml
deleted file mode 100644
index 75e00612..00000000
--- a/library/roles/memcached/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: Restart memcached
- service: name=memcached state=restarted
-
diff --git a/library/roles/memcached/tasks/main.yml b/library/roles/memcached/tasks/main.yml
deleted file mode 100644
index d26cdfbc..00000000
--- a/library/roles/memcached/tasks/main.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-- name: Install the memcached package
- apt: name={{ item }} state={{ mc_pkg_state }}
- with_items:
- - memcached
- tags: [ 'memcache', 'memcached' ]
-
-- name: Install the memcached conf file
- template: src={{ item }}.j2 dest=/etc/{{ item }} owner=root group=root mode=0444
- with_items:
- - memcached.conf
- notify: Restart memcached
- tags: [ 'memcache', 'memcached' ]
-
-- name: Enable memcached
- copy: content="ENABLE_MEMCACHED='yes'" dest=/etc/default/memcached
- when: mc_enabled
- tags: [ 'memcache', 'memcached' ]
-
-- name: Ensure that the memcached service is started and enabled
- service: name=memcached state=started enabled=yes
- when: mc_enabled
- tags: [ 'memcache', 'memcached' ]
-
-- name: Ensure that the memcached service is stopped
- service: name=memcached state=stopped enabled=no
- when: not mc_enabled
- tags: [ 'memcache', 'memcached' ]
-
-- name: Disable memcached
- action: configfile path=/etc/default/memcached key=ENABLE_MEMCACHED value='no' syntax=shell
- when: not mc_enabled
- tags: [ 'memcache', 'memcached' ]
-
diff --git a/library/roles/memcached/templates/memcached.conf.j2 b/library/roles/memcached/templates/memcached.conf.j2
deleted file mode 100644
index 6e67a622..00000000
--- a/library/roles/memcached/templates/memcached.conf.j2
+++ /dev/null
@@ -1,47 +0,0 @@
-# memcached default config file
-# 2003 - Jay Bonci
-# This configuration file is read by the start-memcached script provided as
-# part of the Debian GNU/Linux distribution.
-
-# Run memcached as a daemon. This command is implied, and is not needed for the
-# daemon to run. See the README.Debian that comes with this package for more
-# information.
--d
-
-# Log memcached's output to /var/log/memcached
-logfile /var/log/memcached.log
-
-# Be verbose
-# -v
-
-# Be even more verbose (print client commands as well)
-# -vv
-
-# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
-# Note that the daemon will grow to this size, but does not start out holding this much
-# memory
--m {{ mc_cachesize }}
-
-# Default connection port is 11211
--p {{ mc_port }}
-
-# Run the daemon as root. The start-memcached will default to running as root if no
-# -u command is present in this config file
--u nobody
-
-# Specify which IP address to listen on. The default is to listen on all IP addresses
-# This parameter is one of the only security measures that memcached has, so make sure
-# it's listening on a firewalled interface.
--l {{ mc_ipaddress }}
-
-# Limit the number of simultaneous incoming connections. The daemon default is 1024
--c {{ mc_maxconn }}
-
-# Lock down all paged memory. Consult with the README and homepage before you do this
-# -k
-
-# Return error when memory is exhausted (rather than removing items)
-# -M
-
-# Maximize core file limit
-# -r
diff --git a/library/roles/nextcloud/defaults/main.yml b/library/roles/nextcloud/defaults/main.yml
deleted file mode 100644
index 2e5e0a20..00000000
--- a/library/roles/nextcloud/defaults/main.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-nextcloud_version: 17.0.1
-nextcloud_dist_filename: 'nextcloud-{{ nextcloud_version }}.tar.bz2'
-nextcloud_download_url: 'https://download.nextcloud.com/server/releases/{{ nextcloud_dist_filename }}'
-nextcloud_use_redis: True
-nextcloud_use_memcache: False
-nextcloud_local_postgresql: True
-nextcloud_web_basedir: /var/www
-nextcloud_web_root: '{{ nextcloud_web_basedir }}/nextcloud'
-nextcloud_data_base_dir: /srv
-nextcloud_data_dir: '{{ nextcloud_data_base_dir }}/nextcloud/data'
-nextcloud_oc_dir: '{{ nextcloud_data_base_dir }}/nextcloud/oc_keys'
-nextcloud_servername: '{{ ansible_fqdn }}'
-nextcloud_servernames:
- - { webroot: '{{ nextcloud_web_root }}', id: 1, name: '{{ nextcloud_servername }}' }
-
-nextcloud_user: nextcloud
-
-nextcloud_db: pgsql
-nextcloud_db_host: localhost
-nextcloud_db_name: nextcloud
-nextcloud_db_user: nextcloud_u
-#nextcloud_db_pwd: 'Use a vault file'
-
-nextcloud_admin_user: nc_admin
-#nextcloud_admin_u_pwd: 'Use a vault file'
-
-nextcloud_encryption_enabled: True
-nextcloud_ldap_auth: False
-
diff --git a/library/roles/nextcloud/meta/main.yml b/library/roles/nextcloud/meta/main.yml
deleted file mode 100644
index c664699d..00000000
--- a/library/roles/nextcloud/meta/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-dependencies:
- - { role: '../../library/roles/postgresql', when: nextcloud_local_postgresql }
- - { role: 'php-fpm' }
- - { role: '../../library/roles/nginx' }
- - { role: '../../library/roles/redis', when nextcloud_use_redis }
- - { role: '../../library/roles/memcached', when nextcloud_use_memcache }
diff --git a/library/roles/nextcloud/tasks/main.yml b/library/roles/nextcloud/tasks/main.yml
deleted file mode 100644
index 53b6fe3a..00000000
--- a/library/roles/nextcloud/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- import_tasks: nextcloud-nginx.yml
-- import_tasks: nextcloud-install.yml
diff --git a/library/roles/nextcloud/tasks/nextcloud-install.yml b/library/roles/nextcloud/tasks/nextcloud-install.yml
deleted file mode 100644
index a9cff53f..00000000
--- a/library/roles/nextcloud/tasks/nextcloud-install.yml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-- block:
- - name: Create the nextcloud webroot
- file: dest={{ nextcloud_web_basedir }} owner=root group=root state=directory
-
- - name: Create the nextcloud data directory
- file: dest={{ nextcloud_data_dir }} state=directory owner={{ item.user }} group={{ item.user }}
- with_items: '{{ phpfpm_pools }}'
-
- - name: Get nextcloud
- get_url: url={{ nextcloud_download_url }} dest=/srv/{{ nextcloud_dist_filename }}
-
- - name: Unpack the nextcloud archive
- unarchive: remote_src=yes src=/srv/{{ nextcloud_dist_filename }} dest={{ nextcloud_web_basedir }} owner={{ item.user }} group={{ item.user }}
- args:
- creates: '{{ item.doc_root }}/index.php'
- with_items: '{{ phpfpm_pools }}'
-
- tags: [ 'nextcloud' ]
-
-- block:
- - name: Configure the nextcloud instance
- shell: cd {{ item.doc_root }} ; php occ maintenance:install --database="{{ nextcloud_db }}" --database-host "{{ nextcloud_db_host }}" --database-name "{{ nextcloud_db_name }}" --database-user "{{ nextcloud_db_user }}" --database-pass "{{ nextcloud_db_pwd }}" --admin-user "{{ nextcloud_admin_user }}" --admin-pass "{{ nextcloud_admin_u_pwd }}" --data-dir={{ nextcloud_data_dir }} ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_setup
- args:
- creates: '{{ nextcloud_data_dir }}/.ht_nextcloud_setup'
- with_items: '{{ phpfpm_pools }}'
-
- - name: Set the trusted domains list
- shell: cd {{ item.webroot }} ; php occ config:system:set trusted_domains {{ item.id }} --value={{ item.name }} ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_trusted_domains
- args:
- creates: '{{ nextcloud_data_dir }}/.ht_nextcloud_trusted_domains'
- with_items: '{{ nextcloud_servernames }}'
-
- - name: Setup the cron configuration
- shell: cd {{ item.webroot }} ; php occ background:cron ; touch {{ nextcloud_data_dir }}/.ht_nextcloud_cron
- args:
- creates: 'touch {{ nextcloud_data_dir }}/.ht_nextcloud_cron'
- with_items: '{{ nextcloud_servernames }}'
- tags: [ 'nextcloud', 'nextcloud_config_cron' ]
-
- - name: Install the nextcloud cron job
- cron: user={{ item.user }} minute="*/15" job="php -f {{ item.doc_root }}/cron.php" name="NextCloud cron job"
- with_items: '{{ phpfpm_pools }}'
- tags: [ 'nextcloud', 'nextcloud_config_cron' ]
-
- become: True
- become_user: '{{ nextcloud_user }}'
- tags: [ 'nextcloud', 'nextcloud_config' ]
-
-- block:
- - name: Create the nextcloud encryption keys directory
- become_user: root
- file: dest={{ nextcloud_oc_dir }} state=directory owner={{ item.user }} group={{ item.user }}
- with_items: '{{ phpfpm_pools }}'
-
- - name: Activate global encryption
- shell: cd {{ item.doc_root }} ; php occ app:enable encryption ; php occ encryption:enable ; php occ encryption:enable-master-key ; php occ encryption:change-key-storage-root {{ nextcloud_oc_dir }} ; touch {{ nextcloud_oc_dir }}/.ht_nextcloud_oc
- args:
- creates: '{{ nextcloud_oc_dir }}/.ht_nextcloud_oc'
- with_items: '{{ phpfpm_pools }}'
-
- become: True
- become_user: '{{ nextcloud_user }}'
- when: nextcloud_encryption_enabled
- tags: [ 'nextcloud', 'nextcloud_config', 'nextcloud_config_oc' ]
-
-- block:
- - name: Enable ldap
- shell: cd {{ item.doc_root }} ; php occ app:enable user_ldap ; touch {{ item.doc_root }}/.ht_nextcloud_ldap_enabled
- args:
- creates: '{{ item.doc_root }}/.ht_nextcloud_ldap_enabled'
- with_items: '{{ phpfpm_pools }}'
-
- - name: Configure ldap
- shell: cd {{ item.doc_root }} ; php occ ldap:create-empty-config ; touch {{ item.doc_root }}/.ht_nextcloud_ldap_configured
- args:
- creates: '{{ item.doc_root }}/.ht_nextcloud_ldap_configured'
- with_items: '{{ phpfpm_pools }}'
-
- become: True
- become_user: '{{ nextcloud_user }}'
- when: nextcloud_ldap_auth
- tags: [ 'nextcloud', 'nextcloud_config', 'nextcloud_config_ldap' ]
diff --git a/library/roles/nextcloud/tasks/nextcloud-nginx.yml b/library/roles/nextcloud/tasks/nextcloud-nginx.yml
deleted file mode 100644
index 4c43aa9d..00000000
--- a/library/roles/nextcloud/tasks/nextcloud-nginx.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- block:
- - name: Install the nginx virtualhosts
- template: src=nginx-virthost.conf dest=/etc/nginx/sites-available/{{ item.virthost }} owner=root group=root mode=0444
- with_items: '{{ phpfpm_pools }}'
- notify: Reload nginx
-
- - name: Enable the nginx virtualhosts
- file: src=/etc/nginx/sites-available/{{ item.virthost }} dest=/etc/nginx/sites-enabled/{{ item.virthost }} state=link
- with_items: '{{ phpfpm_pools }}'
- notify: Reload nginx
-
- - name: Create the nginx body temp directory
- file: dest={{ nginx_client_body_temp_dir }} state=directory owner=www-data group=www-data mode=1700
- when: nginx_client_body_temp_dir is defined
-
- tags: [ 'nginx', 'virtualhost', 'nextcloud' ]
diff --git a/library/roles/nextcloud/templates/nginx-virthost.conf b/library/roles/nextcloud/templates/nginx-virthost.conf
deleted file mode 100644
index 95f8211f..00000000
--- a/library/roles/nextcloud/templates/nginx-virthost.conf
+++ /dev/null
@@ -1,160 +0,0 @@
-upstream php-handler {
- server {{ item.listen }};
- #server unix:/var/run/php5-fpm.sock;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name {{ item.nginx_servername }};
- # enforce https
- location ~ /\.(?!well-known).* {
- deny all;
- access_log off;
- log_not_found off;
- return 404;
- }
- include /etc/nginx/snippets/letsencrypt-proxy.conf;
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name {{ item.nginx_servername }};
-
- include /etc/nginx/snippets/nginx-server-ssl.conf;
- server_tokens off;
-
- # Add headers to serve security related headers
- # Before enabling Strict-Transport-Security headers please read into this
- # topic first.
- add_header Strict-Transport-Security "max-age=15768000";
- # includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root {{ item.doc_root }};
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
- # last;
-
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
- }
- location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- #Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff|svg|gif|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
-
diff --git a/library/roles/nextcloud/vars/main.yml b/library/roles/nextcloud/vars/main.yml
deleted file mode 100644
index f131d0f7..00000000
--- a/library/roles/nextcloud/vars/main.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-nginx_use_common_virthost: False
-phpfpm_default_user: '{{ nextcloud_user }}'
-phpfpm_default_pool_name: nextcloud
-redis_install: True
-http_port: 80
-https_port: 443
-
-php_version: 7.2
-
-php_additional_packages:
- - 'php{{ php_version }}-gd'
- - 'php{{ php_version }}-json'
- - 'php{{ php_version }}-ldap'
- - 'php{{ php_version }}-{{ nextcloud_db }}'
- - 'php{{ php_version }}-xml'
- - 'php{{ php_version }}-mbstring'
- - 'php{{ php_version }}-intl'
- - 'php{{ php_version }}-curl'
- - 'php{{ php_version }}-zip'
- - 'php{{ php_version }}-bz2'
- - 'php{{ php_version }}-gmp'
- - 'php-imagick'
- - 'php-redis'
- - 'php-apcu'
-
-phpfpm_default_memory_limit: "512M"
-
-php_global_settings:
- - { option: 'always_populate_raw_post_data', value: '-1' }
- - { option: 'allow_url_fopen', value: 'on' }
- - { option: 'max_execution_time', value: '240' }
- - { option: 'memory_limit', value: '{{ phpfpm_default_memory_limit }}' }
- - { option: 'max_input_vars', value: '1400' }
- - { option: 'post_max_size', value: '32M' }
- - { option: 'upload_max_filesize', value: '32M' }
- - { option: 'opcache.enable', value: '1' }
- - { option: 'opcache.enable_cli', value: '1' }
- - { option: 'opcache.interned_strings_buffer', value: '8' }
- - { option: 'opcache.max_accelerated_files', value: '10000' }
- - { option: 'opcache.memory_consumption', value: '128' }
- - { option: 'opcache.save_comments', value: '1' }
- - { option: 'opcache.revalidate_freq', value: '1' }
-
-php_cli_global_settings: '{{ php_global_settings }}'
-
-
-phpfpm_pools:
- - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', doc_root: '{{ nextcloud_web_root }}', req_term_timeout: '240s', virthost: '{{ nextcloud_servername }}', nginx_servername: '{{ nextcloud_servername }}' }
-
diff --git a/library/roles/postgresql/defaults/main.yml b/library/roles/postgresql/defaults/main.yml
deleted file mode 100644
index 2360d346..00000000
--- a/library/roles/postgresql/defaults/main.yml
+++ /dev/null
@@ -1,232 +0,0 @@
----
-pg_use_postgresql_org_repo: True
-
-psql_postgresql_install: False
-psql_pkg_state: present
-postgresql_enabled: True
-psql_pgpool_install: False
-psql_pgpool_service_install: False
-psql_pgpool_pkg_state: installed
-# 9.3 is the default version for Ubuntu trusty
-# It is highly recommended to use the postgresql.org repositories
-#
-# See the features matrix here: http://www.postgresql.org/about/featurematrix/
-#
-psql_version: 11
-psql_db_host: localhost
-psql_db_port: 5432
-psql_db_size_w: 150000000
-psql_db_size_c: 170000000
-psql_listen_on_ext_int: False
-psql_use_alternate_data_dir: False
-psql_data_dir: '/var/lib/postgresql/{{ psql_version }}'
-psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main'
-psql_log_dir: /var/log/postgresql
-psql_conf_parameters:
- - { name: 'max_connections', value: '100', set: 'False' }
- - { name: 'shared_buffers', value: '24MB', set: 'False' }
- - { name: 'temp_buffers', value: '8MB', set: 'False' }
- - { name: 'work_mem', value: '1MB', set: 'False' }
- - { name: 'maintenance_work_mem', value: '16MB', set: 'False' }
- - { name: 'max_stack_depth', value: '2MB', set: 'False' }
- - { name: 'max_files_per_process', value: '1000', set: 'False' }
-
-# logging configuration. Important: the parameters that need a restart must be listed in psql_conf_parameters
-psql_log_configuration:
- - { name: 'log_destination', value: 'stderr', set: 'True' }
- - { name: 'logging_collector', value: 'off', set: 'False' }
- - { name: 'log_directory', value: "'{{ psql_log_dir }}'", set: 'True' }
- - { name: 'log_rotation_age', value: '1d', set: 'True' }
- - { name: 'log_rotation_size', value: '10MB', set: 'True' }
- - { name: 'client_min_messages', value: 'notice', set: 'True' }
- - { name: 'log_min_messages', value: 'warning', set: 'True' }
- - { name: 'log_min_error_statement', value: 'error', set: 'True' }
- - { name: 'log_min_duration_statement', value: '-1', set: 'True' }
- - { name: 'log_checkpoints', value: 'off', set: 'True' }
- - { name: 'log_connections', value: 'on', set: 'True' }
- - { name: 'log_disconnections', value: 'off', set: 'True' }
- - { name: 'log_duration', value: 'off', set: 'True' }
- - { name: 'log_error_verbosity', value: 'default', set: 'True' }
- - { name: 'log_hostname', value: 'on', set: 'True' }
-
-# Treat vacuum separately. Important: the parameters that need a restart must be listed in psql_conf_parameters
-psql_autovacuum_configuration:
- - { name: 'track_counts', value: 'on', set: 'True' }
- - { name: 'autovacuum', value: 'on', set: 'True' }
- - { name: 'log_autovacuum_min_duration', value: '-1', set: 'True' }
- - { name: 'autovacuum_vacuum_threshold', value: '50', set: 'True' }
- - { name: 'autovacuum_analyze_threshold', value: '50', set: 'True' }
- - { name: 'autovacuum_vacuum_scale_factor', value: '0.2', set: 'True' }
- - { name: 'autovacuum_vacuum_cost_limit', value: '1000', set: 'True' }
-
-# SSL as a special case
-psql_enable_ssl: False
-psql_force_ssl_client_connection: False
-postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
-psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
-psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
-psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
-psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
-psql_conf_ssl_parameters:
- - { name: 'ssl', value: 'true' }
- - { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' }
- - { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}' }
- - { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' }
-
-psql_conf_disable_ssl_parameters:
- - { name: 'ssl', value: 'false' }
-
-psql_set_shared_memory: False
-psql_sysctl_file: 30-postgresql-shm.conf
-psql_sysctl_kernel_sharedmem_parameters:
- - { name: 'kernel.shmmax', value: '33554432' }
- - { name: 'kernel.shmall', value: '2097152' }
-
-postgresql_pkgs:
- - 'postgresql-{{ psql_version }}'
- - 'postgresql-contrib-{{ psql_version }}'
- - 'postgresql-client-{{ psql_version }}'
- - pgtop
-
-psql_ansible_needed_pkgs:
- - python-psycopg2
-
-psql_db_name: db_name
-psql_db_user: db_user
-psql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
-
-# Those need to be installed on the postgresql server.
-postgresql_pgpool_pkgs:
- - 'postgresql-{{ psql_version }}-pgpool2'
-
-#psql_db_data:
- # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
- #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True }
- # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db
- #- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False }
- # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory.
- #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent }
-
-
-# pgpool-II
-pgpool_pkgs:
- - pgpool2
- - iputils-arping
-
-pgpool_enabled: True
-pgpool_listen_addresses: 'localhost'
-pgpool_port: 5433
-pgpool_listen_backlog_multiplier: 2
-pgpool_pcp_user: admin
-# Define pcp_pwd in a vault file
-pgpool_pcp_listen_addresses: '*'
-pgpool_pcp_port: 9898
-#pgpool_backends:
-# - { id: 0, hostname: 'backend0', backend_port: '{{ psql_db_port }}', backend_weight: 1, backend_data_directory: '{{ psql_data_dir }}', backend_flag: 'ALLOW_TO_FAILOVER' }
-pgpool_enable_pool_hba: 'on'
-pgpool_pool_passwd: 'pool_passwd'
-pgpool_num_init_children: 32
-pgpool_max_pool: 4
-pgpool_child_life_time: 300
-pgpool_child_max_connections: 0
-pgpool_connection_life_time: 0
-pgpool_client_idle_limit: 0
-pgpool_log_destination: syslog
-pgpool_log_connections: 'on'
-pgpool_log_hostname: 'on'
-pgpool_log_statement: 'off'
-pgpool_log_per_node_statement: 'off'
-pgpool_debug_level: 0
-pgpool_replication_mode: 'on'
-pgpool_replicate_select: 'off'
-pgpool_insert_lock: 'on'
-pgpool_lobj_lock_table: ''
-pgpool_replication_stop_on_mismatch: 'on'
-pgpool_failover_if_affected_tuples_mismatch: 'off'
-pgpool_recovery_timeout: 30
-pgpool_client_idle_limit_in_recovery: -1
-pgpool_load_balance_mode: 'on'
-pgpool_ignore_leading_white_space: 'on'
-pgpool_recovery_user: postgres
-# pgpool_recovery_user_pwd: use a vault file for this one
-pgpool_recovery_stage1_script: pgpool_recovery_stage_1
-pgpool_recovery_stage2_script: pgpool_recovery_stage_2
-pgpool_remote_start_script: pgpool_remote_start
-pgpool_white_function_list: ''
-pgpool_black_function_list: 'nextval,setval'
-pgpool_allow_sql_comments: 'on'
-pgpool_fail_over_on_backend_error: 'on'
-pgpool_relcache_expire: 3600
-pgpool_memory_cache_enabled: 'off'
-pgpool_memqcache_method: memcached
-pgpool_memqcache_memcached_host: localhost
-pgpool_memqcache_memcached_port: 11211
-pgpool_memqcache_expire: 0
-pgpool_memqcache_auto_cache_invalidation: 'on'
-pgpool_serialize_accept: 'off'
-# HA and watchdog
-pgpool_use_watchdog: 'off'
-pgpool_wd_trusted_servers: 'localhost,localhost'
-pgpool_wd_port: 9000
-pgpool_wd_priority: 1
-# Warning: setting pgpool_wd_heartbeat_mode to False enables
-# the 'query mode' that is untested and not working without manual intervention
-pgpool_wd_heartbeat_mode: True
-pgpool_wd_heartbeat_port: 9694
-pgpool_wd_heartbeat_keepalive_int: 3
-pgpool_wd_heartbeat_deadtime: 30
-pgpool_wd_heartbeat_dest0: 'localhost'
-pgpool_wd_heartbeat_dest0_port: '{{ pgpool_wd_heartbeat_port }}'
-#pgpool_wd_authkey: 'set it inside a vault file'
-
-# SSL as a special case
-pgpool_enable_ssl: False
-pgpool_letsencrypt_managed: True
-pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key
-pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
-pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain'
-pgpool_ssl_ca_dir: /etc/ssl/certs
-pgpool_virtual_ip: 127.0.0.1
-pgpool_virtual_netmask: 24
-
-# WAL files archiving is mandatory for pgpool recovery
-psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}'
-psql_restart_after_wal_enabling: True
-psql_wal_archiving_log_dir: '{{ psql_data_dir }}/archive_log'
-psql_base_backup_dir: '{{ pg_backup_base_dir }}/base_backup'
-psql_wal_files_conf:
- - { name: 'wal_level', value: 'archive', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'wal_sync_method', value: 'fdatasync', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'full_page_writes', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'wal_log_hints', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'archive_mode', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'archive_command', value: "'test ! -f {{ psql_wal_archiving_log_dir }}/%f && cp %p {{ psql_wal_archiving_log_dir }}/%f'", set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'archive_timeout', value: '120', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'max_wal_senders', value: '5', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'wal_sender_timeout', value: '60s', set: '{{ psql_wal_files_archiving_enabled }}' }
- - { name: 'max_replication_slots', value: '5', set: '{{ psql_wal_files_archiving_enabled }}' }
-
-
-# postgis
-postgres_install_gis_extensions: False
-postgres_gis_version: 2.4
-postgres_gis_pkgs:
- - 'postgresql-{{ psql_version }}-postgis-{{ postgres_gis_version }}'
-
-# Local backup
-pg_backup_enabled: True
-pg_backup_bin: /usr/local/sbin/postgresql-backup
-pg_backup_pgdump_bin: /usr/bin/pg_dump
-pg_backup_retain_copies: 2
-pg_backup_build_db_list: "yes"
-# Dynamically created from psql_db_data if pg_backup_db_list is not set
-#pg_backup_db_list: '{{ psql_db_name}}'
-pg_backup_base_dir: /var/lib/pgsql
-pg_backup_destdir: '{{ pg_backup_base_dir }}/backups'
-pg_backup_logdir: /var/log/postgresql
-pg_backup_logfile: '{{ pg_backup_logdir }}/postgresql-backup.log'
-pg_backup_use_auth: "no"
-pg_backup_pass_file: /root/.pgpass
-pg_backup_use_nagios: "yes"
-
-postgresql_firewalld_zone: '{{ firewalld_default_zone }}'
diff --git a/library/roles/postgresql/files/arping_script b/library/roles/postgresql/files/arping_script
deleted file mode 100644
index ae7479f9..00000000
--- a/library/roles/postgresql/files/arping_script
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Exec /usr/bin/arping as root via sudo
-
-RETVAL=
-CMD=/usr/bin/arping
-
-sudo $CMD $@
-RETVAL=$?
-
-exit $RETVAL
-
diff --git a/library/roles/postgresql/files/ip_script b/library/roles/postgresql/files/ip_script
deleted file mode 100644
index 225bbb73..00000000
--- a/library/roles/postgresql/files/ip_script
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Exec /sbin/ip as root via sudo
-
-RETVAL=
-CMD=/sbin/ip
-
-sudo $CMD $@
-RETVAL=$?
-
-exit $RETVAL
-
diff --git a/library/roles/postgresql/files/pgpool-letsencrypt-acme.sh b/library/roles/postgresql/files/pgpool-letsencrypt-acme.sh
deleted file mode 100644
index 38ac48b9..00000000
--- a/library/roles/postgresql/files/pgpool-letsencrypt-acme.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-H_NAME=$( hostname -f )
-LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
-LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
-LE_LOG_DIR=/var/log/letsencrypt
-PGPOOL2_CERTDIR=/etc/pki/pgpool2
-PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key
-DATE=$( date )
-
-[ ! -d $PGPOOL2_CERTDIR ] && mkdir -p $PGPOOL2_CERTDIR
-[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
-echo "$DATE" >> $LE_LOG_DIR/pgpool2.log
-
-if [ -f /etc/default/letsencrypt ] ; then
- . /etc/default/letsencrypt
-else
- echo "No letsencrypt default file" >> $LE_LOG_DIR/pgpool2.log
-fi
-
-echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log
-cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}
-chmod 440 ${PGPOOL2_KEYFILE}
-chown root ${PGPOOL2_KEYFILE}
-chgrp postgres ${PGPOOL2_KEYFILE}
-
-echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
-if [ -x /bin/systemctl ] ; then
- systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
-else
- service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
-fi
-
-echo "Done." >> $LE_LOG_DIR/pgpool2.log
-
-exit 0
-
diff --git a/library/roles/postgresql/files/postgresql-backup.cron b/library/roles/postgresql/files/postgresql-backup.cron
deleted file mode 100755
index e7972984..00000000
--- a/library/roles/postgresql/files/postgresql-backup.cron
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-if [ -f /etc/default/pg_backup ] ; then
- . /etc/default/pg_backup
-else
- PG_BACKUP_ENABLED=True
- PG_SERVICE=postgresql
- USE_NAGIOS=no
- LOG_DIR=/var/log/postgresql
- LOG_FILE=$LOG_DIR/postgresql-backup.log
- PG_BCK_BIN=/usr/local/sbin/postgresql-backup
-fi
-
-# Remote backup performed by duplicity. When active, do not run via cron
-if [ -x /etc/cron.daily/duplicity_backup ] ; then
- DATE=$( date )
- echo "$DATE: duplicity backups active. Exiting" >> $LOG_FILE
- exit 0
-fi
-
-# Remote backup performed by BackupPC. If it is active, do not run via cron
-if [ -f /var/log/backuppc.log ] ; then
- TMSTMP=$( date +%s )
- . /var/log/backuppc.log
- LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
- if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
- DATE=$( date )
- echo "$DATE: BackupPC is active, doing nothing" >> $LOG_FILE
- exit 0
- fi
-fi
-
-export PATH="/sbin:/usr/sbin:/usr/local/sbin:$PATH"
-PG_SVC=$( service $PG_SERVICE status >/dev/null )
-PG_RUNNING=$?
-
-if [ $PG_BACKUP_ENABLED == 'True' ] ; then
- if [ "$PG_RUNNING" -ne "0" -a "$PG_RUNNING" -ne "3" ] ; then
- DATE=$( date )
- echo "$DATE: The postgresql service is not running" >> $LOG_FILE
- exit 1
- else
- if [ ! -d $LOG_DIR ] ; then
- mkdir -p $LOG_DIR
- fi
- DATE_START=$( date )
- echo "$DATE_START: Starting the backup procedure" >> $LOG_FILE
- $PG_BCK_BIN >> $LOG_FILE 2>&1
- DATE_END=$( date )
- echo "$DATE_END: Backup procedure finished" >> $LOG_FILE
- fi
-else
- DATE=$( date )
- echo "$DATE: Postgresql backups administratively disabled" >> $LOG_FILE
-fi
-
-if [ "${USE_NAGIOS}" == "yes" ] ; then
- N_LOGDIR=/var/log/nagios-checks
- if [ ! -d $N_LOGDIR ] ; then
- mkdir -p $N_LOGDIR
- fi
-fi
-
-exit 0
-
-
diff --git a/library/roles/postgresql/files/postgresql-backup.sh b/library/roles/postgresql/files/postgresql-backup.sh
deleted file mode 100755
index 1b7c8900..00000000
--- a/library/roles/postgresql/files/postgresql-backup.sh
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/bin/bash
-
-
-# Set up the environment
-if [ -f /etc/default/pg_backup ] ; then
- . /etc/default/pg_backup
-else
- N_DAYS_TO_SPARE=7
- USE_NAGIOS=no
- BUILD_DBLIST=yes
- PG_USE_AUTH=no
- PG_PASS_FILE=/root/.pgpass
- BACKUPDIR=/var/lib/pgsql/backups
- DB_LIST=
-fi
-
-# Year month day - hour minute second
-SAVE_TIME=$( date +%Y%m%d-%H%M%S )
-TIMESTAMP=
-RETVAL=0
-#export LANG=C
-HISTDIR=$BACKUPDIR/history
-TIMESTAMP_LOG=$BACKUPDIR/.timestamp
-# If nagios is active, save the report status for each backup
-# Nagios return values: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN
-NAGIOS_LOG=$BACKUPDIR/.nagios-status
-DUMP_RESULT=0
-LOCKFILE=${BACKUPDIR}/.dumplock
-
-create_backup_dirs() {
- if [ ! -d ${BACKUPDIR} ] ; then
- mkdir -p ${BACKUPDIR}
- fi
- if [ ! -d ${HISTDIR} ] ; then
- mkdir -p ${HISTDIR}
- fi
- if [ "${PG_USE_AUTH}" == "no" ] ; then
- chown -R postgres:postgres $BACKUPDIR
- fi
-}
-
-cleanup_old_backups() {
- # Remove the old backups
- find ${HISTDIR} -atime +${N_DAYS_TO_SPARE} -type f -exec rm -f {} \;
- # TODELETE=$( /bin/ls "${HISTDIR}/" | awk -F '.' '{print $NF}' | sort -ruV | tail -n +${N_DAYS_TO_SPARE} )
- # for i in ${TODELETE}
- # do
- # rm -f "${HISTDIR}/*.${i}"
- # done
-}
-
-create_db_list() {
- # The psql -l command prints too much stuff
- #DB_LIST=$( psql -q -t -l -U postgres | grep -v template0 | grep -v template1 | grep -v : | grep -v ^\( | grep -v ^\- | awk '{print $1}' )
- DB_LIST=$( su - postgres -c "/usr/lib/postgresql/${PG_VERSION}/bin/oid2name " | awk '{print $2}' | tail -n +4 | grep -v template0 | grep -v template1 )
-}
-
-run_backup_as_db_user() {
- for db in $DB_LIST ; do
- grep ":${db}:" "$PG_PASS_FILE" 2>/dev/null
- DB_IN_AUTFILE_RETVAL=$?
- if [ $DB_IN_AUTFILE_RETVAL -eq 0 ] ; then
- PG_HOST=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 1 )
- PG_PORT=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 2 )
- PG_USER=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 4 )
- ${PG_DUMP_BIN} -Fc -h $PG_HOST -p $PG_PORT -U $PG_USER $db > ${HISTDIR}/$db.data.$SAVE_TIME
- DUMP_RESULT=$?
- else
- DUMP_RESULT=2
- fi
- pushd ${BACKUPDIR}/ >/dev/null 2>&1
- rm -f $db.data
- ln -s ${HISTDIR}/$db.data.$SAVE_TIME ./$db.data
- popd >/dev/null 2>&1
- done
-}
-
-run_backup_as_postgres() {
- su - postgres -c "pg_dumpall -g > ${HISTDIR}/pgsql-global.data.$SAVE_TIME"
- for db in $DB_LIST ; do
- su - postgres -c "${PG_DUMP_BIN} -Fc $db > ${HISTDIR}/$db.data.$SAVE_TIME"
- DUMP_RESULT=$?
- pushd ${BACKUPDIR}/ >/dev/null 2>&1
- rm -f $db.data
- ln -s ${HISTDIR}/$db.data.$SAVE_TIME ./$db.data
- popd >/dev/null 2>&1
- done
-}
-
-clear_nagios_data() {
- if [ "$USE_NAGIOS" == "yes" ] ; then
- > $NAGIOS_LOG
- fi
-}
-
-write_nagios_data() {
- if [ "$USE_NAGIOS" == "yes" ] ; then
- if [ $DUMP_RESULT -ne 0 ] ; then
- echo "$db:FAILED" >> $NAGIOS_LOG
- RETVAL=$DUMP_RESULT
- else
- echo "$db:OK" >> $NAGIOS_LOG
- fi
- fi
-}
-
-fix_backup_permissions() {
- chmod -R u+rwX,g-rwx,o-rwx ${HISTDIR}
-}
-########
-#
-# Main
-#
-umask 0077
-
-create_backup_dirs
-if [ "$BUILD_DBLIST" == "yes" ] ; then
- create_db_list
-fi
-
-if [ ! -f $LOCKFILE ] ; then
- touch $LOCKFILE
- clear_nagios_data
- if [ "${PG_USE_AUTH}" == "yes" ] ; then
- if [ ! -f $PG_PASS_FILE -o -z $PG_PASS_FILE ] ; then
- if [ "$USE_NAGIOS" == "yes" ] ; then
- echo ".pgpass file not found or empty but authentication needed. All db backups FAILED" >> $NAGIOS_LOG
- fi
- RETVAL=2
- exit 2
- fi
- run_backup_as_db_user
- else
- run_backup_as_postgres
- fi
- write_nagios_data
- TIMESTAMP=$( date +%s )
- echo "$TIMESTAMP" > $TIMESTAMP_LOG
- rm -f $LOCKFILE
-else
- RETVAL=2
- if [ "$USE_NAGIOS" == "yes" ] ; then
- echo "old backup still running:WARNING" >> $NAGIOS_LOG
- fi
-fi
-
-fix_backup_permissions
-cleanup_old_backups
-
-exit $RETVAL
diff --git a/library/roles/postgresql/files/postgresql-letsencrypt-acme.sh b/library/roles/postgresql/files/postgresql-letsencrypt-acme.sh
deleted file mode 100644
index 1d3a2674..00000000
--- a/library/roles/postgresql/files/postgresql-letsencrypt-acme.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-H_NAME=$( hostname -f )
-LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
-LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
-LE_LOG_DIR=/var/log/letsencrypt
-POSTGRESQL_CERTDIR=/etc/pki/postgresql
-POSTGRESQL_KEYFILE=$POSTGRESQL_CERTDIR/postgresql.key
-DATE=$( date )
-
-[ ! -d $POSTGRESQL_CERTDIR ] && mkdir -p $POSTGRESQL_CERTDIR
-[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
-echo "$DATE" >> $LE_LOG_DIR/postgresql.log
-
-echo "Copy the key file" >> $LE_LOG_DIR/postgresql.log
-cp ${LE_CERTS_DIR}/privkey ${POSTGRESQL_KEYFILE}
-chmod 440 ${POSTGRESQL_KEYFILE}
-chown root ${POSTGRESQL_KEYFILE}
-chgrp postgres ${POSTGRESQL_KEYFILE}
-
-# We assume we are dealing with postgresql 10 or later
-echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log
-if [ -x /bin/systemctl ] ; then
- systemctl reload postgresql >> $LE_LOG_DIR/postgresql.log 2>&1
-fi
-
-echo "Done." >> $LE_LOG_DIR/postgresql.log
-
-exit 0
-
diff --git a/library/roles/postgresql/handlers/main.yml b/library/roles/postgresql/handlers/main.yml
deleted file mode 100644
index 54aa620a..00000000
--- a/library/roles/postgresql/handlers/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Restart postgresql
- service: name=postgresql state=restarted
- when: postgresql_enabled
-
-- name: Reload postgresql
- service: name=postgresql state=reloaded
- when: postgresql_enabled
-
-- name: Reload pgpool2
- service: name=pgpool2 state=reloaded
- when: pgpool_enabled
- ignore_errors: True
-
-- name: Restart pgpool2
- service: name=pgpool2 state=restarted
- when: pgpool_enabled
-
-- name: Restart postgresql with pgpool config
- service: name=postgresql state=restarted
- when:
- - postgresql_enabled
- - psql_restart_after_wal_enabling
diff --git a/library/roles/postgresql/tasks/configure-access.yml b/library/roles/postgresql/tasks/configure-access.yml
deleted file mode 100644
index f2871b2c..00000000
--- a/library/roles/postgresql/tasks/configure-access.yml
+++ /dev/null
@@ -1,90 +0,0 @@
----
-- name: Open the postgresql service to a specific zone.
- firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True
- when:
- - psql_listen_on_ext_int | bool
- - firewalld_enabled | bool
-
-- name: Give access to the remote postgresql client
- lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
- with_subelements:
- - '{{ psql_db_data | default([]) }}'
- - allowed_hosts
- when:
- - psql_listen_on_ext_int | bool
- - psql_db_data is defined
- - item.1 is defined
- - not psql_force_ssl_client_connection | bool
- notify: Reload postgresql
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
-
-- name: Give access to the remote postgresql client, force ssl
- lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
- with_subelements:
- - '{{ psql_db_data | default([]) }}'
- - allowed_hosts
- when:
- - psql_listen_on_ext_int | bool
- - psql_db_data is defined
- - item.1 is defined
- - psql_force_ssl_client_connection | bool
- notify: Reload postgresql
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
-
-# No conditionals, it is needed to perform base backups when the WAL archive is active
-- name: Give local access with replication privileges to the postgres user
- lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"
- notify: Reload postgresql
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
-
-- name: Set the postgresql listen port
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}"
- register: restart_postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: We want postgres listen on the public IP
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'*'"
- register: restart_postgresql
- when:
- - psql_listen_on_ext_int | bool
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: If postgresql is only accessed from localhost make it listen only on the localhost interface
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'"
- register: restart_postgresql
- when:
- - not psql_listen_on_ext_int | bool
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: Log the connections
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_connections value="on"
- register: restart_postgresql
- when: psql_db_data is defined
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: Log the disconnections
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_disconnections value="on"
- register: restart_postgresql
- when: psql_db_data is defined
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: Log the hostnames
- action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_hostname value="on"
- register: restart_postgresql
- when:
- - psql_listen_on_ext_int | bool
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
-
-- name: Set the correct permissions to the postgresql files
- file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640
- with_items:
- - pg_hba.conf
- - postgresql.conf
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
-
-- name: Restart the postgresql server after changing parameters that need a restart
- service: name=postgresql state=restarted
- when:
- - restart_postgresql is changed
- ignore_errors: True
- tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ]
diff --git a/library/roles/postgresql/tasks/main.yml b/library/roles/postgresql/tasks/main.yml
deleted file mode 100644
index 1204603d..00000000
--- a/library/roles/postgresql/tasks/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- import_tasks: postgresql_org_repo.yml
- when: pg_use_postgresql_org_repo
-- import_tasks: packages.yml
- when: psql_postgresql_install
-- import_tasks: postgis.yml
- when: postgres_install_gis_extensions
-- import_tasks: postgresql-config.yml
- when: psql_postgresql_install
-- import_tasks: postgresql-ssl-config.yml
- when: psql_postgresql_install
-- import_tasks: psql-kernel-sharedmem.yml
- when:
- - psql_postgresql_install | bool
- - psql_set_shared_memory | bool
-- import_tasks: configure-access.yml
- when:
- - psql_postgresql_install | bool
-- import_tasks: postgresql-service-status.yml
- when: psql_postgresql_install
-- import_tasks: postgres_pgpool.yml
- when: psql_pgpool_install
-- import_tasks: manage_pg_db.yml
- when:
- - psql_postgresql_install | bool
- - psql_db_data is defined | bool
-- import_tasks: postgresql-backup.yml
- when:
- - psql_postgresql_install | bool
-- import_tasks: pgpool-ii.yml
- when: psql_pgpool_service_install | bool
-- import_tasks: postgresql-letsencrypt-acmetool.yml
- when:
- - letsencrypt_acme_install is defined
-- import_tasks: pgpool-letsencrypt-acmetool.yml
- when:
- - letsencrypt_acme_install is defined
-
-
diff --git a/library/roles/postgresql/tasks/manage_pg_db.yml b/library/roles/postgresql/tasks/manage_pg_db.yml
deleted file mode 100644
index 4c24a89b..00000000
--- a/library/roles/postgresql/tasks/manage_pg_db.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-- name: Add a user for the postgresql DBs
- become: True
- become_user: postgres
- postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
- with_items: '{{ psql_db_data | default(omit) }}'
- when: item.roles is defined
- tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
-
-- name: Add the databases with the correct owner. Or remove them, if not used anymore
- become: True
- become_user: postgres
- postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
- with_items: '{{ psql_db_data | default(omit) }}'
- when: item.managedb | default(True)
- tags: [ 'postgresql', 'postgres', 'pg_db' ]
-
-- name: Manage users privileges
- become: True
- become_user: postgres
- postgresql_privs: db={{ item.name }} privs={{ item.privs }} type=database roles={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }}
- with_items: '{{ psql_db_privs | default(omit) }}'
- when: psql_db_privs is defined
- tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ]
-
-# - name: Add schemas to a database.
-# become: True
-# become_user: postgres
-# postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }}
-# with_subelements:
-# - '{{ psql_db_data | default([]) }}'
-# - schema
-# when:
-# - item.0.manageschema | default(False)
-# - item.1 is defined
-# ignore_errors: True
-# tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ]
-
-- name: Define a user with password, with no associated DBs
- become: True
- become_user: postgres
- postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }}
- with_items: '{{ psql_db_data | default(omit) }}'
- when:
- - item.pwd is defined
- - item.roles is not defined
- tags: [ 'postgresql', 'postgres', 'pg_db' ]
-
diff --git a/library/roles/postgresql/tasks/packages.yml b/library/roles/postgresql/tasks/packages.yml
deleted file mode 100644
index 604f93e0..00000000
--- a/library/roles/postgresql/tasks/packages.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- block:
- - name: Install the packages that ansible needs to manage the postgresql users and databases
- apt: pkg={{ psql_ansible_needed_pkgs }} state={{ psql_pkg_state }}
-
- - name: install the postgresql packages
- apt: pkg={{ postgresql_pkgs }} state={{ psql_pkg_state }}
- notify: Restart postgresql
-
- tags: [ 'postgresql', 'postgres' ]
-
diff --git a/library/roles/postgresql/tasks/pgpool-ii.yml b/library/roles/postgresql/tasks/pgpool-ii.yml
deleted file mode 100644
index b6e31f57..00000000
--- a/library/roles/postgresql/tasks/pgpool-ii.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-- block:
- - name: Install the pgpool package
- apt: name={{ pgpool_pkgs }} state={{ psql_pgpool_pkg_state }} cache_valid_time=1800
-
- - name: Configure pcp
- #template: src=pcp.conf.j2 dest=/etc/pgpool2/pcp.conf owner=root group=postgres mode=0640
- shell: pwd=`pg_md5 {{ pcp_pwd }}` ; echo "{{ pgpool_pcp_user }}:${pwd}" > /etc/pgpool2/pcp.conf ; chmod 640 /etc/pgpool2/pcp.conf; chown root:postgres /etc/pgpool2/pcp.conf
-
- - name: Install the pgpool configuration file
- template: src=pgpool.conf.j2 dest=/etc/pgpool2/pgpool.conf owner=root group=postgres mode=0640
- notify: Restart pgpool2
-
- - name: Give access to the remote postgresql clients
- lineinfile: name=/etc/pgpool2/pool_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
- with_subelements:
- - '{{ psql_db_data | default([]) }}'
- - allowed_hosts
- when:
- - psql_db_data is defined
- - item.1 is defined
- notify: Reload pgpool2
-
- - name: Create the pki directory to store the pgpool key
- file: dest=/etc/pki/pgpool2 state=directory owner=postgres group=postgres mode=0750
- when: pgpool_enable_ssl
-
- - name: Create a pgpool accessible ssl key file if it does not exist
- copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/pgpool2/pgpool2.key owner=postgres group=postgres mode=0400 remote_src=True
- when: pgpool_enable_ssl
-
- - name: Install the pool_passwd configuration file
- shell: cd /etc/pgpool2 ; pg_md5 -m -u {{ item.user }} {{ item.pwd }} ; chown root:postgres /etc/pgpool2/pool_passwd ; chmod 660 /etc/pgpool2/pool_passwd
- with_items: '{{ psql_db_data | default([]) }}'
-
- - name: Install the sudoers config that permits pgpool change the network configuration during a failover
- template: src=pgpool-wd-sudoers.j2 dest=/etc/sudoers.d/pgpool-wd owner=root group=root mode=0440
-
- - name: Install the ip script that manage the network configuration during a failover
- copy: src={{ item }} dest=/sbin/{{ item }} owner=root group=root mode=0755
- with_items:
- - ip_script
-
- - name: Install the arping scripts that manage the network configuration during a failover
- copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
- with_items:
- - arping_script
-
- - name: Start and enable pgpool2
- service: name=pgpool2 state=started enabled=yes
-
- when: pgpool_enabled
- tags: [ 'postgresql', 'postgres', 'pgpool', 'pcp_conf', 'pgpool_conf' ]
-
-
-- block:
- - name: Stop and disable pgpool2
- service: name=pgpool2 state=stopped enabled=no
-
- - name: Install the pgpool packages
- apt: name={{ pgpool_pkgs }} state=absent
-
- - name: Remove the pgpool failover sudoers file
- file: dest=/etc/sudoers.d/pgpool-wd state=absent
-
- - name: Remove the pgpool configuration directory
- file: dest=/etc/pgpool2 state=absent
-
- - name: Remove the scripts that manage the network configuration during a failover
- file: dest={{ item }} state=absent
- with_items:
- - /sbin/ip_script
- - /usr/local/bin/arping_script
-
- when: not pgpool_enabled
- tags: [ 'postgresql', 'postgres', 'pgpool' ]
-
-
diff --git a/library/roles/postgresql/tasks/pgpool-letsencrypt-acmetool.yml b/library/roles/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
deleted file mode 100644
index 627e6e67..00000000
--- a/library/roles/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
+++ /dev/null
@@ -1,23 +0,0 @@ ---- -- block: - - name: Create the acme hooks directory if it does not yet exist - file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root - - - name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service - copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555 - - when: - - psql_pgpool_service_install - - pgpool_letsencrypt_managed - - letsencrypt_acme_install - tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] - - -- block: - - name: Remove the letsencrypt hook for pgpool - file: dest=/usr/lib/acme/hooks/pgpool state=absent - - when: - - psql_pgpool_service_install - - not pgpool_letsencrypt_managed - tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] diff --git a/library/roles/postgresql/tasks/postgis.yml b/library/roles/postgresql/tasks/postgis.yml deleted file mode 100644 index 55f11689..00000000 --- a/library/roles/postgresql/tasks/postgis.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: install the postgresql GIS packages - apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} - notify: Restart postgresql - tags: [ 'postgresql', 'postgres', 'postgis' ] - diff --git a/library/roles/postgresql/tasks/postgres_pgpool.yml b/library/roles/postgresql/tasks/postgres_pgpool.yml deleted file mode 100644 index 21f9cba1..00000000 --- a/library/roles/postgresql/tasks/postgres_pgpool.yml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -- name: Install the packages needed by postgres when running behind a pgpool server - apt: pkg={{ postgresql_pgpool_pkgs }} state={{ psql_pkg_state }} - when: psql_pgpool_install - notify: Restart postgresql - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Add the postgres user that will manage the recovery, if not postgres - become: True - become_user: postgres - postgresql_user: user={{ pgpool_recovery_user }} password={{ pgpool_recovery_user_pwd }} role_attr_flags=REPLICATION port={{ psql_db_port }} - when: - - ('{{ pgpool_recovery_user }}' != 'postgres') - - pgpool_recovery_user_pwd is defined - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Give access to the pgpool recovery user, if it is not postgres - lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host {{ item.0.name }} {{ pgpool_recovery_user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ pgpool_recovery_user }} {{ item.1 }} md5" - with_subelements: - - '{{ psql_db_data | default([]) }}' - - allowed_hosts - when: - - psql_db_data is defined - - item.1 is defined - - pgpool_recovery_user_pwd is defined - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Add the system user that will manage the recovery, if not postgres - user: user={{ pgpool_recovery_user }} password={{ pgpool_recovery_user_pwd | password_hash('sha512') }} groups=postgres shell=/bin/bash system=yes - when: - - ('{{ pgpool_recovery_user }}' != 'postgres') - - pgpool_recovery_user_pwd is defined - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Create the ssh keys for the recovery user - user: user={{ pgpool_recovery_user }} generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa ssh_key_type=rsa - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Install the pgpool recovery and remote restart scripts. 
They assume that the postgresql hosts can talk to each other - template: src={{ item.1 }}.j2 dest={{ item.0.backend_data_directory }}/main/{{ item.1 }} owner=postgres group=postgres mode=0500 - with_nested: - - '{{ pgpool_backends | default([]) }}' - - [ '{{ pgpool_recovery_stage1_script }}', '{{ pgpool_recovery_stage2_script }}', '{{ pgpool_remote_start_script }}' ] - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Set the postgresql configuration parameters needed by pgpool - action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="{{ item.value }}" - with_items: '{{ psql_wal_files_conf }}' - when: - - item.set - - psql_wal_files_archiving_enabled - notify: Restart postgresql with pgpool config - tags: [ 'postgresql', 'postgres', 'pg_conf', 'pgpool' ] - -- name: Add the pgpool postgres extensions to the template1 dbs - become: True - become_user: postgres - postgresql_ext: name={{ item }} db=template1 port={{ psql_db_port }} - with_items: - - pgpool_regclass - - pgpool_recovery - tags: [ 'postgresql', 'postgres', 'pg_extensions' ] - -- name: Install the sudoers config that permits the postgres user to restart the service after a recovery - template: src=postgresql-sudoers.j2 dest=/etc/sudoers.d/postgres-pgpool owner=root group=root mode=0440 - tags: [ 'postgres', 'postgresql', 'sudo', 'pgpool' ] - -- name: Install a script that cleans up the wal log archives - template: src=postgresql_wal_backup_and_removal.j2 dest=/usr/local/sbin/postgresql_wal_backup_and_removal owner=root group=root mode=0755 - tags: [ 'postgresql', 'postgres', 'pgpool' ] - -- name: Install a cron job to cleanup the wal log archives - cron: name="Clean up the postgresql WAL log archives" user=postgres job="/usr/local/sbin/postgresql_wal_backup_and_removal > {{ psql_log_dir }}/wal_removal.log 2>&1" special_time=daily - tags: [ 'postgresql', 'postgres', 'pgpool' ] 
diff --git a/library/roles/postgresql/tasks/postgresql-backup.yml b/library/roles/postgresql/tasks/postgresql-backup.yml
deleted file mode 100644
index 874193e6..00000000
--- a/library/roles/postgresql/tasks/postgresql-backup.yml
+++ /dev/null
@@ -1,42 +0,0 @@ ---- -- name: Backup script for the postgresql database(s) - copy: src=postgresql-backup.sh dest=/usr/local/sbin/postgresql-backup owner=root mode=0744 - tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] - -- name: daily cron job for the postgresql database(s) backup - copy: src=postgresql-backup.cron dest=/etc/cron.daily/postgresql-backup owner=root mode=0744 - when: pgbackup_cron_step is undefined or - pgbackup_cron_step < 1 or - pgbackup_cron_step > 12 - tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] - -- name: hour step cron job for the postgresql database(s) backup - cron: - name: "hourly step postgresql dump" - minute: "10" - hour: "*/{{ pgbackup_cron_step }}" - job: "/usr/local/sbin/postgresql-backup.cron" - when: pgbackup_cron_step is defined and - pgbackup_cron_step >=1 and - pgbackup_cron_step <= 12 - tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] - -- name: postgresql backup defaults - template: src=pg_backup-default.j2 dest=/etc/default/pg_backup owner=root mode=0744 - tags: [ 'pg_backup', 'postgresql', 'postgres', 'pg_db' ] - -- name: Create the postgresql backups data directory - file: dest={{ pg_backup_destdir }} owner=postgres group=postgres mode=700 recurse=yes state=directory - tags: [ 'pg_backup', 'postgresql', 'postgres' ] - -- name: Create the postgresql WAL files backup directories - file: dest={{ item }} owner=postgres group=postgres mode=700 recurse=yes state=directory - with_items: - - '{{ psql_wal_archiving_log_dir }}' - - '{{ psql_base_backup_dir }}' - when: psql_wal_files_archiving_enabled - tags: [ 'pg_backup', 'postgresql', 'postgres' ] - -- name: authorization file for the psql command - template: src=pgpass.j2 dest={{ pg_backup_pass_file }} owner=root mode=0600 - tags: [ 'pg_backup', 'postgresql', 'postgres', 'pgpass', 'pg_db' ] 
diff --git a/library/roles/postgresql/tasks/postgresql-config.yml b/library/roles/postgresql/tasks/postgresql-config.yml
deleted file mode 100644
index a70ea5a3..00000000
--- a/library/roles/postgresql/tasks/postgresql-config.yml
+++ /dev/null
@@ -1,58 +0,0 @@ ---- -- block: - - name: Check if the new postgresql data directory exists - stat: path={{ psql_data_dir }} - register: postgresql_data_dir - - - name: Stop the postgresql service while reconfiguring the data directory - service: name=postgresql state=stopped - when: postgresql_data_dir.stat.isdir is not defined - - - name: Create the postgresql data directory if it is not in the default place - file: dest={{ psql_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory - - - name: Set the postgresql data dir if it is different from the default - become: True - become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_data_dir }}'" - - - name: Copy the postgresql data directory into the new place - shell: '[ "/var/lib/postgresql/{{ psql_version }}/main" != "{{ psql_data_dir }}" ] && cp -a /var/lib/postgresql/{{ psql_version }}/main/* {{ psql_data_dir }}' - args: - creates: '{{ psql_data_dir }}/main/base' - when: postgresql_data_dir.stat.isdir is not defined - - - name: Start the postgresql service that will use the new data directory - service: name=postgresql state=started - when: postgresql_data_dir.stat.isdir is not defined - - when: psql_use_alternate_data_dir - tags: [ 'postgresql', 'postgres', 'pg_conf' ] - -- name: Set some postgresql configuration parameters that require a db restart - become: True - become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" - with_items: '{{ psql_conf_parameters }}' - when: item.set == 'True' - notify: Restart postgresql - tags: [ 'postgresql', 'postgres', 'pg_conf' ] - -- name: Set the postgresql logging configuration parameters - become: True - become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" - with_items: '{{ psql_log_configuration }}' - when: item.set == 'True' - notify: 
Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ] - -- name: Set the postgresql autovacuum configuration parameters - become: True - become_user: postgres - action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" - with_items: '{{ psql_autovacuum_configuration }}' - when: item.set == 'True' - notify: Reload postgresql - tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ] - diff --git a/library/roles/postgresql/tasks/postgresql-letsencrypt-acmetool.yml b/library/roles/postgresql/tasks/postgresql-letsencrypt-acmetool.yml deleted file mode 100644 index 8531a461..00000000 --- a/library/roles/postgresql/tasks/postgresql-letsencrypt-acmetool.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- block: - - name: Create the acme hooks directory if it does not yet exist - file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root - - - name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service - copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555 - - when: - - postgresql_letsencrypt_managed - - letsencrypt_acme_install - tags: [ 'postgresql', 'postgres', 'letsencrypt' ] - - -- block: - - name: Remove the letsencrypt certificate hook for postgresql - file: dest=/usr/lib/acme/hooks/postgresql state=absent - - when: - - not postgresql_letsencrypt_managed - tags: [ 'postgresql', 'postgres', 'letsencrypt' ] diff --git a/library/roles/postgresql/tasks/postgresql-service-status.yml b/library/roles/postgresql/tasks/postgresql-service-status.yml deleted file mode 100644 index 09803788..00000000 --- a/library/roles/postgresql/tasks/postgresql-service-status.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -- name: Ensure that the postgresql server is started - service: name=postgresql state=started enabled=yes - when: postgresql_enabled - tags: [ 'postgresql', 'postgres' ] - -- name: Ensure that the postgresql server is stopped and disabled - service: name=postgresql state=stopped enabled=no - when: not postgresql_enabled - tags: [ 'postgresql', 'postgres' ] - diff --git a/library/roles/postgresql/tasks/postgresql-ssl-config.yml b/library/roles/postgresql/tasks/postgresql-ssl-config.yml deleted file mode 100644 index d7fbfb32..00000000 --- a/library/roles/postgresql/tasks/postgresql-ssl-config.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -- block: - - name: Setup SSL in the postgresql configuration - become: True - become_user: postgres - action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_ssl_parameters }}' - notify: Restart postgresql - - - name: Create the pki directory to store the postgresql key - file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750 - - - name: Create a postgres accessible ssl key file if it does not exist - copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True - - when: psql_enable_ssl - tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] - - -- block: - - name: Disable SSL in the postgresql configuration - become: True - become_user: postgres - action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" - with_items: '{{ psql_conf_disable_ssl_parameters }}' - notify: Restart postgresql - - when: not psql_enable_ssl - tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] 
diff --git a/library/roles/postgresql/tasks/postgresql_org_repo.yml b/library/roles/postgresql/tasks/postgresql_org_repo.yml deleted file mode 100644 index 3d44f1eb..00000000 --- a/library/roles/postgresql/tasks/postgresql_org_repo.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Get the signing key for the postgresql.org repository - apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc state=present - when: pg_use_postgresql_org_repo - tags: - - postgresql - - postgresql_repo - -- name: Setup the postgresql.org repository - apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_lsb.codename }}-pgdg main' - when: pg_use_postgresql_org_repo - tags: - - postgresql - - postgresql_repo - diff --git a/library/roles/postgresql/tasks/psql-kernel-sharedmem.yml b/library/roles/postgresql/tasks/psql-kernel-sharedmem.yml deleted file mode 100644 index 6a3ca442..00000000 --- a/library/roles/postgresql/tasks/psql-kernel-sharedmem.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Configure the kernel shared memory to please postgresql - sysctl: name={{ item.name }} value={{ item.value }} sysctl_file=/etc/sysctl.d/{{ psql_sysctl_file }} reload=yes state=present - with_items: '{{ psql_sysctl_kernel_sharedmem_parameters }}' - when: psql_set_shared_memory - tags: - - sysctl - - postgresql diff --git a/library/roles/postgresql/templates/pcp.conf.j2 b/library/roles/postgresql/templates/pcp.conf.j2 deleted file mode 100644 index 26a41d86..00000000 --- a/library/roles/postgresql/templates/pcp.conf.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ pgpool_pcp_user }}:{{ '{{ pcp_pwd }}' | pg_md5 }} diff --git a/library/roles/postgresql/templates/pg_backup-default.j2 b/library/roles/postgresql/templates/pg_backup-default.j2 deleted file mode 100644 index 61648797..00000000 --- a/library/roles/postgresql/templates/pg_backup-default.j2 +++ /dev/null 
@@ -1,26 +0,0 @@ -PG_SERVICE=postgresql -PG_BACKUP_ENABLED={{ pg_backup_enabled }} -PG_VERSION={{ psql_version }} -PG_DUMP_BIN={{ pg_backup_pgdump_bin }} -PG_BCK_BIN={{ pg_backup_bin }} -{% if pg_backup_enabled %} -USE_NAGIOS={{ pg_backup_use_nagios }} -{% else %} -USE_NAGIOS=no -{% endif %} -LOG_DIR={{ pg_backup_logdir }} -LOG_FILE={{ pg_backup_logfile}} -N_DAYS_TO_SPARE={{ pg_backup_retain_copies }} -BUILD_DBLIST={{ pg_backup_build_db_list }} -{% if pg_backup_db_list is defined %} -DB_LIST="{{ pg_backup_db_list }}" -{% else %} -{% if psql_db_data is defined %} -DB_LIST="{% for db in psql_db_data %}{% if db.managedb is defined and db.managedb %}{{ db.name }} {% endif %}{% endfor %}" -{% else %} -DB_LIST="" -{% endif %} -{% endif %} -PG_USE_AUTH={{ pg_backup_use_auth }} -PG_PASS_FILE={{ pg_backup_pass_file }} -BACKUPDIR={{ pg_backup_destdir }} diff --git a/library/roles/postgresql/templates/pgpass.j2 b/library/roles/postgresql/templates/pgpass.j2 deleted file mode 100644 index c3d7f75e..00000000 --- a/library/roles/postgresql/templates/pgpass.j2 +++ /dev/null @@ -1,10 +0,0 @@ -# Loop psql_db_data to add multiple databases -{% if psql_db_data is defined %} -{% for db in psql_db_data %} -{% if db.pwd is defined %} -{% if db.managedb is defined and db.managedb %} -{{ psql_db_host }}:{{ psql_db_port }}:{{ db.name }}:{{ db.user }}:{{ db.pwd }} -{% endif %} -{% endif %} -{% endfor %} -{% endif %} diff --git a/library/roles/postgresql/templates/pgpool-wd-sudoers.j2 b/library/roles/postgresql/templates/pgpool-wd-sudoers.j2 deleted file mode 100644 index 9ba1167f..00000000 --- a/library/roles/postgresql/templates/pgpool-wd-sudoers.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /bin/ip -{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /usr/bin/arping - diff --git a/library/roles/postgresql/templates/pgpool.conf.j2 b/library/roles/postgresql/templates/pgpool.conf.j2 deleted file mode 100644 index 3718912b..00000000 
--- a/library/roles/postgresql/templates/pgpool.conf.j2
+++ /dev/null
@@ -1,677 +0,0 @@ -# ---------------------------- -# pgPool-II configuration file -# ---------------------------- -# -# This file consists of lines of the form: -# -# name = value -# -# Whitespace may be used. Comments are introduced with "#" anywhere on a line. -# The complete list of parameter names and allowed values can be found in the -# pgPool-II documentation. -# -# This file is read on server startup and when the server receives a SIGHUP -# signal. If you edit the file on a running system, you have to SIGHUP the -# server for the changes to take effect, or use "pgpool reload". Some -# parameters, which are marked below, require a server shutdown and restart to -# take effect. -# - - -#------------------------------------------------------------------------------ -# CONNECTIONS -#------------------------------------------------------------------------------ - -# - pgpool Connection Settings - - -listen_addresses = '{{ pgpool_listen_addresses }}' - # Host name or IP address to listen on: - # '*' for all, '' for no TCP/IP connections - # (change requires restart) -port = {{ pgpool_port }} - # Port number - # (change requires restart) -socket_dir = '/var/run/postgresql' - # Unix domain socket path - # The Debian package defaults to - # /var/run/postgresql - # (change requires restart) -listen_backlog_multiplier = {{ pgpool_listen_backlog_multiplier }} - # Set the backlog parameter of listen(2) to - # num_init_children * listen_backlog_multiplier. 
- # (change requires restart) - -# - pgpool Communication Manager Connection Settings - - -pcp_listen_addresses = '{{ pgpool_pcp_listen_addresses }}' - # Host name or IP address for pcp process to listen on: - # '*' for all, '' for no TCP/IP connections - # (change requires restart) -pcp_port = {{ pgpool_pcp_port }} - # Port number for pcp - # (change requires restart) -pcp_socket_dir = '/var/run/postgresql' - # Unix domain socket path for pcp - # The Debian package defaults to - # /var/run/postgresql - # (change requires restart) - -# - Backend Connection Settings - - -{% for bk in pgpool_backends %} -backend_hostname{{ bk.id}} = '{{ bk.hostname }}' -backend_port{{ bk.id }} = {{ bk.backend_port }} -backend_weight{{ bk.id }} = {{ bk.backend_weight }} -backend_data_directory{{ bk.id }} = '{{ bk.backend_data_directory }}' -backend_flag{{ bk.id }} = '{{ bk.backend_flag }}' -{% endfor %} -# - Authentication - - -enable_pool_hba = {{ pgpool_enable_pool_hba }} - # Use pool_hba.conf for client authentication -pool_passwd = '{{ pgpool_pool_passwd }}' - # File name of pool_passwd for md5 authentication. - # "" disables pool_passwd. - # (change requires restart) -authentication_timeout = 60 - # Delay in seconds to complete client authentication - # 0 means no timeout. 
- -{% if pgpool_enable_ssl %} -# - SSL Connections - -ssl = on -ssl_key = '{{ pgpool_ssl_key }}' -ssl_cert = '{{ pgpool_ssl_cert }}' -ssl_ca_cert = '{{ pgpool_ssl_ca }}' -ssl_ca_cert_dir = '{{ pgpool_ssl_ca_dir }}' -{% endif %} - -#------------------------------------------------------------------------------ -# POOLS -#------------------------------------------------------------------------------ - -# - Pool size - - -num_init_children = {{ pgpool_num_init_children }} - # Number of pools - # (change requires restart) -max_pool = {{ pgpool_max_pool }} - # Number of connections per pool - # (change requires restart) - -# - Life time - - -child_life_time = {{ pgpool_child_life_time }} - # Pool exits after being idle for this many seconds -child_max_connections = {{ pgpool_child_max_connections }} - # Pool exits after receiving that many connections - # 0 means no exit -connection_life_time = {{ pgpool_connection_life_time }} - # Connection to backend closes after being idle for this many seconds - # 0 means no close -client_idle_limit = {{ pgpool_client_idle_limit }} - # Client is disconnected after being idle for that many seconds - # (even inside an explicit transactions!) - # 0 means no disconnection - - -#------------------------------------------------------------------------------ -# LOGS -#------------------------------------------------------------------------------ - -# - Where to log - - -log_destination = '{{ pgpool_log_destination }}' - # Where to log - # Valid values are combinations of stderr, - # and syslog. Default to stderr. - -# - What to log - - -log_line_prefix = '%t: pid %p: ' # printf-style string to output at beginning of each log line. 
- -log_connections = {{ pgpool_log_connections }} - # Log connections -log_hostname = {{ pgpool_log_hostname }} - # Hostname will be shown in ps status - # and in logs if connections are logged -log_statement = {{ pgpool_log_statement }} - # Log all statements -log_per_node_statement = {{ pgpool_log_per_node_statement }} - # Log all statements - # with node and backend informations -log_standby_delay = 'none' - # Log standby delay - # Valid values are combinations of always, - # if_over_threshold, none - -# - Syslog specific - - -syslog_facility = 'LOCAL0' - # Syslog local facility. Default to LOCAL0 -syslog_ident = 'pgpool' - # Syslog program identification string - # Default to 'pgpool' - -# - Debug - - -debug_level = {{ pgpool_debug_level }} - # Debug message verbosity level - # 0 means no message, 1 or more mean verbose - -#log_error_verbosity = default # terse, default, or verbose messages - -#client_min_messages = notice # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # log - # notice - # warning - # error - -#log_min_messages = warning # values in order of decreasing detail: - # debug5 - # debug4 - # debug3 - # debug2 - # debug1 - # info - # notice - # warning - # error - # log - # fatal - # panic - -#------------------------------------------------------------------------------ -# FILE LOCATIONS -#------------------------------------------------------------------------------ - -pid_file_name = '/var/run/postgresql/pgpool.pid' - # PID file name - # (change requires restart) -logdir = '/var/log/postgresql' - # Directory of pgPool status file - # (change requires restart) - - -#------------------------------------------------------------------------------ -# CONNECTION POOLING -#------------------------------------------------------------------------------ - -connection_cache = on - # Activate connection pools - # (change requires restart) - - # Semicolon separated list of queries - # to be issued at the end of 
a session - # The default is for 8.3 and later -reset_query_list = 'ABORT; DISCARD ALL' - # The following one is for 8.2 and before -#reset_query_list = 'ABORT; RESET ALL; SET SESSION AUTHORIZATION DEFAULT' - -serialize_accept = {{ pgpool_serialize_accept }} - - -#------------------------------------------------------------------------------ -# REPLICATION MODE -#------------------------------------------------------------------------------ - -replication_mode = {{ pgpool_replication_mode }} - # Activate replication mode - # (change requires restart) -replicate_select = {{ pgpool_replicate_select }} - # Replicate SELECT statements - # when in replication mode - # replicate_select is higher priority than - # load_balance_mode. - -insert_lock = {{ pgpool_insert_lock }} - # Automatically locks a dummy row or a table - # with INSERT statements to keep SERIAL data - # consistency - # Without SERIAL, no lock will be issued -lobj_lock_table = '{{ pgpool_lobj_lock_table }}' - # When rewriting lo_creat command in - # replication mode, specify table name to - # lock - -# - Degenerate handling - - -replication_stop_on_mismatch = {{ pgpool_replication_stop_on_mismatch }} - # On disagreement with the packet kind - # sent from backend, degenerate the node - # which is most likely "minority" - # If off, just force to exit this session - -failover_if_affected_tuples_mismatch = {{ pgpool_failover_if_affected_tuples_mismatch }} - # On disagreement with the number of affected - # tuples in UPDATE/DELETE queries, then - # degenerate the node which is most likely - # "minority". 
- # If off, just abort the transaction to - # keep the consistency - - -#------------------------------------------------------------------------------ -# LOAD BALANCING MODE -#------------------------------------------------------------------------------ - -load_balance_mode = {{ pgpool_load_balance_mode }} - # Activate load balancing mode - # (change requires restart) -ignore_leading_white_space = {{ pgpool_ignore_leading_white_space }} - # Ignore leading white spaces of each query -white_function_list = '{{ pgpool_white_function_list }}' - # Comma separated list of function names - # that don't write to database - # Regexp are accepted -black_function_list = '{{ pgpool_black_function_list }}' - # Comma separated list of function names - # that write to database - # Regexp are accepted - -database_redirect_preference_list = '' - # comma separated list of pairs of database and node id. - # example: postgres:primary,mydb[0-4]:1,mydb[5-9]:2' - # valid for streaming replicaton mode only. - -app_name_redirect_preference_list = '' - # comma separated list of pairs of app name and node id. - # example: 'psql:primary,myapp[0-4]:1,myapp[5-9]:standby' - # valid for streaming replicaton mode only. -allow_sql_comments = {{ pgpool_allow_sql_comments }} - # if on, ignore SQL comments when judging if load balance or - # query cache is possible. - # If off, SQL comments effectively prevent the judgment - # (pre 3.4 behavior). - -#------------------------------------------------------------------------------ -# MASTER/SLAVE MODE -#------------------------------------------------------------------------------ - -master_slave_mode = off - # Activate master/slave mode - # (change requires restart) -master_slave_sub_mode = 'slony' - # Master/slave sub mode - # Valid values are combinations slony or - # stream. Default is slony. 
- # (change requires restart) - -# - Streaming - - -sr_check_period = 0 - # Streaming replication check period - # Disabled (0) by default -sr_check_user = 'nobody' - # Streaming replication check user - # This is neccessary even if you disable streaming - # replication delay check by sr_check_period = 0 -sr_check_password = '' - # Password for streaming replication check user -delay_threshold = 0 - # Threshold before not dispatching query to standby node - # Unit is in bytes - # Disabled (0) by default - -# - Special commands - - -follow_master_command = '' - # Executes this command after master failover - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character - -#------------------------------------------------------------------------------ -# HEALTH CHECK -#------------------------------------------------------------------------------ - -health_check_period = 0 - # Health check period - # Disabled (0) by default -health_check_timeout = 20 - # Health check timeout - # 0 means no timeout -health_check_user = 'nobody' - # Health check user -health_check_password = '' - # Password for health check user -health_check_max_retries = 0 - # Maximum number of times to retry a failed health check before giving up. -health_check_retry_delay = 1 - # Amount of time to wait (in seconds) between retries. -connect_timeout = 10000 - # Timeout value in milliseconds before giving up to connect to backend. - # Default is 10000 ms (10 second). Flaky network user may want to increase - # the value. 0 means no timeout. - # Note that this value is not only used for health check, - # but also for ordinary conection to backend. 
- -#------------------------------------------------------------------------------ -# FAILOVER AND FAILBACK -#------------------------------------------------------------------------------ - -failover_command = '' - # Executes this command at failover - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character -failback_command = '' - # Executes this command at failback. - # Special values: - # %d = node id - # %h = host name - # %p = port number - # %D = database cluster path - # %m = new master node id - # %H = hostname of the new master node - # %M = old master node id - # %P = old primary node id - # %r = new master port number - # %R = new master database cluster path - # %% = '%' character - -fail_over_on_backend_error = {{ pgpool_fail_over_on_backend_error }} - # Initiates failover when reading/writing to the - # backend communication socket fails - # If set to off, pgpool will report an - # error and disconnect the session. - -search_primary_node_timeout = 10 - # Timeout in seconds to search for the - # primary node when a failover occurs. - # 0 means no timeout, keep searching - # for a primary node forever. 
- -#------------------------------------------------------------------------------ -# ONLINE RECOVERY -#------------------------------------------------------------------------------ - -recovery_user = '{{ pgpool_recovery_user }}' - # Online recovery user -{% if pgpool_recovery_user_pwd is defined %} -recovery_password = '{{ pgpool_recovery_user_pwd | default() }}' - # Online recovery password -{% else %} -recovery_password = '' -{% endif %} -recovery_1st_stage_command = '{{ pgpool_recovery_stage1_script }}' - # Executes a command in first stage -recovery_2nd_stage_command = '{{ pgpool_recovery_stage2_script }}' - # Executes a command in second stage -recovery_timeout = {{ pgpool_recovery_timeout }} - # Timeout in seconds to wait for the - # recovering node's postmaster to start up - # 0 means no wait -client_idle_limit_in_recovery = {{ pgpool_client_idle_limit_in_recovery }} - # Client is disconnected after being idle - # for that many seconds in the second stage - # of online recovery - # 0 means no disconnection - # -1 means immediate disconnection - - -#------------------------------------------------------------------------------ -# WATCHDOG -#------------------------------------------------------------------------------ - -# - Enabling - - -use_watchdog = {{ pgpool_use_watchdog }} - # Activates watchdog - # (change requires restart) - -# -Connection to up stream servers - - -trusted_servers = '{{ pgpool_wd_trusted_servers }}' - # trusted server list which are used - # to confirm network connection - # (hostA,hostB,hostC,...) 
- # (change requires restart) -ping_path = '/bin' - # ping command path - # (change requires restart) - -# - Watchdog communication Settings - - -wd_hostname = '{{ ansible_default_ipv4.address }}' - # Host name or IP address of this watchdog - # (change requires restart) -wd_port = 9000 - # port number for watchdog service - # (change requires restart) -wd_authkey = '{{ pgpool_wd_authkey }}' - # Authentication key for watchdog communication - # (change requires restart) - -# - Virtual IP control Setting - - -delegate_IP = '{{ pgpool_virtual_ip }}' - # delegate IP address - # If this is empty, virtual IP never bring up. - # (change requires restart) -if_cmd_path = '/sbin' - # ifconfig command path - # (change requires restart) -if_up_cmd = 'ip_script addr add {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}' - # startup delegate IP command - # (change requires restart) -if_down_cmd = 'ip_script addr del {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}' - # shutdown delegate IP command - # (change requires restart) - -arping_path = '/usr/local/bin' # arping command path - # (change requires restart) - -arping_cmd = 'arping_script -U $_IP_$ -w 1' - # arping command - # (change requires restart) - -# - Behaivor on escalation Setting - - -clear_memqcache_on_escalation = on - # Clear all the query cache on shared memory - # when standby pgpool escalate to active pgpool - # (= virtual IP holder). - # This should be off if client connects to pgpool - # not using virtual IP. - # (change requires restart) -wd_escalation_command = 'date >> {{ psql_log_dir }}/wd_pgpool_escalation.log' - # Executes this command at escalation on new active pgpool. 
- # (change requires restart)
-wd_de_escalation_command = 'date >> {{ psql_log_dir }}/wd_pgpool_de_escalation.log'
-
-# - Lifecheck Setting -
-
-# -- common --
-wd_monitoring_interfaces_list = 'any'
-
-wd_lifecheck_method = 'heartbeat'
- # Method of watchdog lifecheck ('heartbeat' or 'query')
- # (change requires restart)
-wd_interval = 10
- # lifecheck interval (sec) > 0
- # (change requires restart)
-
-wd_priority = {{ pgpool_wd_priority }}
-
-{% if pgpool_wd_heartbeat_mode %}
-# -- heartbeat mode --
-
-wd_heartbeat_port = {{ pgpool_wd_heartbeat_port }}
- # Port number for receiving heartbeat signal
- # (change requires restart)
-wd_heartbeat_keepalive = {{ pgpool_wd_heartbeat_keepalive_int }}
- # Interval time of sending heartbeat signal (sec)
- # (change requires restart)
-wd_heartbeat_deadtime = {{ pgpool_wd_heartbeat_deadtime }}
- # Deadtime interval for heartbeat signal (sec)
- # (change requires restart)
-heartbeat_destination0 = '{{ pgpool_wd_heartbeat_dest0 }}'
- # Host name or IP address of destination 0
- # for sending heartbeat signal.
- # (change requires restart)
-heartbeat_destination_port0 = {{ pgpool_wd_heartbeat_dest0_port }}
- # Port number of destination 0 for sending
- # heartbeat signal. Usually this is the
- # same as wd_heartbeat_port.
- # (change requires restart)
-heartbeat_device0 = ''
- # Name of NIC device (such like 'eth0')
- # used for sending/receiving heartbeat
- # signal to/from destination 0.
- # This works only when this is not empty
- # and pgpool has root privilege.
- # (change requires restart)
-
-{% else %}
-# -- query mode --
-
-wd_life_point = 3
- # lifecheck retry times
- # (change requires restart)
-wd_lifecheck_query = 'SELECT 1'
- # lifecheck query to pgpool from watchdog
- # (change requires restart)
-wd_lifecheck_dbname = 'template1'
- # Database name connected for lifecheck
- # (change requires restart)
-wd_lifecheck_user = 'nobody'
- # watchdog user monitoring pgpools in lifecheck
- # (change requires restart)
-wd_lifecheck_password = ''
- # Password for watchdog user in lifecheck
- # (change requires restart)
-
-
-{% endif %}
-# - Other pgpool Connection Settings -
-
-other_pgpool_hostname0 = '{{ pgpool_wd_heartbeat_dest0 }}'
- # Host name or IP address to connect to for other pgpool 0
- # (change requires restart)
-other_pgpool_port0 = {{ pgpool_port }}
- # Port number for othet pgpool 0
- # (change requires restart)
-other_wd_port0 = {{ pgpool_wd_port }}
- # Port number for othet watchdog 0
- # (change requires restart)
-
-#------------------------------------------------------------------------------
-# OTHERS
-#------------------------------------------------------------------------------
-relcache_expire = {{ pgpool_relcache_expire }}
- # Life time of relation cache in seconds.
- # 0 means no cache expiration(the default).
- # The relation cache is used for cache the
- # query result against PostgreSQL system
- # catalog to obtain various information
- # including table structures or if it's a
- # temporary table or not. The cache is
- # maintained in a pgpool child local memory
- # and being kept as long as it survives.
- # If someone modify the table by using
- # ALTER TABLE or some such, the relcache is
- # not consistent anymore.
- # For this purpose, cache_expiration
- # controls the life time of the cache.
-relcache_size = 256
- # Number of relation cache
- # entry. If you see frequently:
- # "pool_search_relcache: cache replacement happend"
- # in the pgpool log, you might want to increate this number.
-
-check_temp_table = on
- # If on, enable temporary table check in SELECT statements.
- # This initiates queries against system catalog of primary/master
- # thus increases load of master.
- # If you are absolutely sure that your system never uses temporary tables
- # and you want to save access to primary/master, you could turn this off.
- # Default is on.
-
-check_unlogged_table = on
- # If on, enable unlogged table check in SELECT statements.
- # This initiates queries against system catalog of primary/master
- # thus increases load of master.
- # If you are absolutely sure that your system never uses unlogged tables
- # and you want to save access to primary/master, you could turn this off.
- # Default is on.
-
-#------------------------------------------------------------------------------
-# IN MEMORY QUERY MEMORY CACHE
-#------------------------------------------------------------------------------
-memory_cache_enabled = {{ pgpool_memory_cache_enabled }}
- # If on, use the memory cache functionality, off by default
-memqcache_method = '{{ pgpool_memqcache_method }}'
- # Cache storage method. either 'shmem'(shared memory) or
- # 'memcached'. 'shmem' by default
- # (change requires restart)
-memqcache_memcached_host = '{{ pgpool_memqcache_memcached_host }}'
- # Memcached host name or IP address. Mandatory if
- # memqcache_method = 'memcached'.
- # Defaults to localhost.
- # (change requires restart)
-memqcache_memcached_port = {{ pgpool_memqcache_memcached_port }}
- # Memcached port number. Mondatory if memqcache_method = 'memcached'.
- # Defaults to 11211.
- # (change requires restart)
-memqcache_total_size = 67108864
- # Total memory size in bytes for storing memory cache.
- # Mandatory if memqcache_method = 'shmem'.
- # Defaults to 64MB.
- # (change requires restart)
-memqcache_max_num_cache = 1000000
- # Total number of cache entries. Mandatory
- # if memqcache_method = 'shmem'.
- # Each cache entry consumes 48 bytes on shared memory.
- # Defaults to 1,000,000(45.8MB).
- # (change requires restart)
-memqcache_expire = {{ pgpool_memqcache_expire }} # Memory cache entry life time specified in seconds.
- # 0 means infinite life time. 0 by default.
- # (change requires restart)
-memqcache_auto_cache_invalidation = {{ pgpool_memqcache_auto_cache_invalidation }}
- # If on, invalidation of query cache is triggered by corresponding
- # DDL/DML/DCL(and memqcache_expire). If off, it is only triggered
- # by memqcache_expire. on by default.
- # (change requires restart)
-memqcache_maxcache = 409600
- # Maximum SELECT result size in bytes.
- # Must be smaller than memqcache_cache_block_size. Defaults to 400KB.
- # (change requires restart)
-memqcache_cache_block_size = 1048576
- # Cache block size in bytes. Mandatory if memqcache_method = 'shmem'.
- # Defaults to 1MB.
- # (change requires restart)
-memqcache_oiddir = '/var/log/pgpool/oiddir'
- # Temporary work directory to record table oids
- # (change requires restart)
-white_memqcache_table_list = ''
- # Comma separated list of table names to memcache
- # that don't write to database
- # Regexp are accepted
-black_memqcache_table_list = ''
- # Comma separated list of table names not to memcache
- # that don't write to database
- # Regexp are accepted
diff --git a/library/roles/postgresql/templates/pgpool_recovery_stage_1.j2 b/library/roles/postgresql/templates/pgpool_recovery_stage_1.j2
deleted file mode 100644
index 8b77ffa8..00000000
--- a/library/roles/postgresql/templates/pgpool_recovery_stage_1.j2
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-# PGpool stage 1 recovery script
-# Reference: http://michael.stapelberg.de/Artikel/replicated_postgresql_with_pgpool
-#
-TS=$(date +%Y-%m-%d_%H-%M-%S)
-MASTER_HOST=$(hostname -f)
-# $1 is {{ psql_data_dir }}/main while $3 is {{ psql_data_dir }}
-MASTER_DATA=$1
-MASTER_DATA_BASE_DIR={{ psql_data_dir }}
-RECOVERY_TARGET=${2}
-RECOVERY_DATA=${3}/main
-RECOVERY_DATA_BASE_DIR={{ psql_data_dir }}
-
-logger "pgpool_recovery_1: MASTER_DATA=$MASTER_DATA"
-logger "pgpool_recovery_1: RECOVERY_DATA=$RECOVERY_DATA"
-
-archive_dir={{ psql_wal_archiving_log_dir }}
-
-# Ensure that postgres is shut down on the target node
-ssh -T $RECOVERY_TARGET sudo /etc/init.d/postgresql stop
-
-# Move the PostgreSQL data directory out of our way.
-ssh -T $RECOVERY_TARGET \
- "[ -d $RECOVERY_DATA ] && mv $RECOVERY_DATA $RECOVERY_DATA.$TS"
-
-# If the archive dir is not empty the backup fails
-ssh -T $RECOVERY_TARGET \
- "[ -d $archive_dir ] && rm $archive_dir/*"
-
-# We only use archived WAL logs during recoveries, so delete all
-# logs from the last recovery to limit the growth.
-rm $archive_dir/*
-
-# With this file present, our archive_command will actually
-# archive WAL files.
-touch $archive_dir/backup_in_progress
-
-psql -c "select pg_start_backup('pgpool-recovery')" postgres
-echo "restore_command = 'scp $MASTER_HOST:$archive_dir/%f %p'" > $RECOVERY_DATA/recovery.conf
-tar -C $MASTER_DATA_BASE_DIR -zcf pgsql.tar.gz main
-psql -c 'select pg_stop_backup()' postgres
-scp pgsql.tar.gz $RECOVERY_TARGET:$RECOVERY_DATA_BASE_DIR
-
diff --git a/library/roles/postgresql/templates/pgpool_recovery_stage_2.j2 b/library/roles/postgresql/templates/pgpool_recovery_stage_2.j2
deleted file mode 100644
index d9e037b4..00000000
--- a/library/roles/postgresql/templates/pgpool_recovery_stage_2.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-# Online recovery 2nd stage script
-#
-MASTER_DATA_BASE_DIR={{ psql_data_dir }}
-MASTER_DATA=${1}
-RECOVERY_TARGET=${2}
-RECOVERY_DATA_BASE_DIR={{ psql_data_dir }}
-RECOVERY_DATA=${3}
-port={{ psql_db_port }} # PostgreSQL port number
-
-archive_dir={{ psql_wal_archiving_log_dir }}
-
-logger "pgpool_recovery_2: MASTER_DATA=$MASTER_DATA"
-logger "pgpool_recovery_2: RECOVERY_DATA=$RECOVERY_DATA"
-logger "pgpool_recovery_2: archive_dir=$archive_dir"
-
-
-# Force to flush current value of sequences to xlog
-psql -p $port -t -c 'SELECT datname FROM pg_database WHERE NOT datistemplate AND datallowconn' template1|
-while read i
-do
- if [ "$i" != "" ];then
- psql -p $port -c "SELECT setval(oid, nextval(oid)) FROM pg_class WHERE relkind = 'S'" $i
- fi
-done
-
-# Flush all transactions to disk. Since pgpool stopped all connections,
-# there cannot be any data that does not reside on disk until the
-# to-be-recovered host is back on line.
-psql -p $port -c "SELECT pgpool_switch_xlog('$archive_dir')" template1
-
-# Copy over all archive logs at once.
-rsync -avx --delete $archive_dir/ \
- $RECOVERY_TARGET:$archive_dir/
-
-# Delete the flag file to disable WAL archiving again.
-rm $archive_dir/backup_in_progress
diff --git a/library/roles/postgresql/templates/pgpool_remote_start.j2 b/library/roles/postgresql/templates/pgpool_remote_start.j2
deleted file mode 100644
index 6c44c255..00000000
--- a/library/roles/postgresql/templates/pgpool_remote_start.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-DEST=$1
-DESTDIR=$2
-
-# Deploy a base backup
-ssh -T $DEST 'cd {{ psql_data_dir }}; tar zxf pgsql.tar.gz' 2>/dev/null 1>/dev/null < /dev/null
-# Startup PostgreSQL server
-ssh -T $DEST sudo /etc/init.d/postgresql start 2>/dev/null 1>/dev/null < /dev/null
diff --git a/library/roles/postgresql/templates/postgresql-sudoers.j2 b/library/roles/postgresql/templates/postgresql-sudoers.j2
deleted file mode 100644
index 9726c80c..00000000
--- a/library/roles/postgresql/templates/postgresql-sudoers.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-postgres ALL=(ALL) NOPASSWD: /etc/init.d/postgres*
-
-
diff --git a/library/roles/postgresql/templates/postgresql_wal_backup_and_removal.j2 b/library/roles/postgresql/templates/postgresql_wal_backup_and_removal.j2
deleted file mode 100644
index 22d64548..00000000
--- a/library/roles/postgresql/templates/postgresql_wal_backup_and_removal.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-BASE_BACKUP_DIR={{ psql_base_backup_dir }}
-WAL_ARCHIVES_LOG_DIR={{ psql_wal_archiving_log_dir }}
-WAL_LATEST_BACKUP=
-
-# The base backup dir needs to be empty
-
-rm -f $BASE_BACKUP_DIR/*
-pg_basebackup -F t -z -D $BASE_BACKUP_DIR
-
-cd $WAL_ARCHIVES_LOG_DIR
-WAL_LATEST_BACKUP=$( /bin/ls -1tr *.backup | tail -1 )
-pg_archivecleanup $WAL_ARCHIVES_LOG_DIR $WAL_LATEST_BACKUP
-
-exit $?
-
diff --git a/library/roles/redis/defaults/main.yml b/library/roles/redis/defaults/main.yml
deleted file mode 100644
index c12a7a69..00000000
--- a/library/roles/redis/defaults/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-redis_install: False
-redis_enabled: True
-# https://launchpad.net/~chris-lea/+archive/ubuntu/redis-server
-redis_ppa_repo: ppa:chris-lea/redis-server
-redis_pkg_state: present
-
-redis_server_pkg:
- - redis-server
-
-redis_conf_files:
- - redis.conf
-
-redis_tcp_port: 6379
-redis_bind_localhost: True
-redis_append_only_mode: 'no'
diff --git a/library/roles/redis/handlers/main.yml b/library/roles/redis/handlers/main.yml
deleted file mode 100644
index 6a5e2730..00000000
--- a/library/roles/redis/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: Reload Redis
- service: name=redis-server state=restarted
- when: redis_enabled
diff --git a/library/roles/redis/tasks/main.yml b/library/roles/redis/tasks/main.yml
deleted file mode 100644
index 77d5fe1f..00000000
--- a/library/roles/redis/tasks/main.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- block:
- - name: Install the Redis PPA
- apt_repository: repo='{{ redis_ppa_repo }}' update_cache=yes
-
- - name: Install the Redis packages
- apt: name={{ redis_server_pkg }} state={{ redis_pkg_state }} cache_valid_time=1800
-
- - name: Install the Redis configuration
- template: src={{ item }}.j2 dest=/etc/redis/{{ item }} owner=redis group=redis mode=0440
- with_items: '{{ redis_conf_files }}'
- notify: Reload Redis
-
- - name: Start and enable the Redis service
- service: name=redis-server state=started enabled=yes
- when: redis_enabled
-
- - name: Stop and disable the Redis service
- service: name=redis-server state=stopped enabled=no
- when: not redis_enabled
-
- when: redis_install
- tags: redis
-
-
-- block:
- - name: Stop and disable the Redis service
- service: name=redis-server state=stopped enabled=no
- ignore_errors: True
-
- - name: Remove the Redis packages
- apt: name={{ redis_server_pkg }} state=absent
-
- - name: Remove the Redis PPA
- apt_repository: repo='{{ redis_ppa_repo }}' state=absent update_cache=yes
-
- when: not redis_install
- tags: redis
diff --git a/library/roles/redis/templates/redis.conf.j2 b/library/roles/redis/templates/redis.conf.j2
deleted file mode 100644
index 9818946b..00000000
--- a/library/roles/redis/templates/redis.conf.j2
+++ /dev/null
@@ -1,703 +0,0 @@
-# Redis configuration file example
-
-# Note on units: when memory size is needed, it is possible to specify
-# it in the usual form of 1k 5GB 4M and so forth:
-#
-# 1k => 1000 bytes
-# 1kb => 1024 bytes
-# 1m => 1000000 bytes
-# 1mb => 1024*1024 bytes
-# 1g => 1000000000 bytes
-# 1gb => 1024*1024*1024 bytes
-#
-# units are case insensitive so 1GB 1Gb 1gB are all the same.
-
-# By default Redis does not run as a daemon. Use 'yes' if you need it.
-# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
-daemonize yes
-
-# When running daemonized, Redis writes a pid file in /var/run/redis.pid by
-# default. You can specify a custom pid file location here.
-pidfile /var/run/redis/redis-server.pid
-
-# Accept connections on the specified port, default is 6379.
-# If port 0 is specified Redis will not listen on a TCP socket.
-port {{ redis_tcp_port }}
-
-# By default Redis listens for connections from all the network interfaces
-# available on the server. It is possible to listen to just one or multiple
-# interfaces using the "bind" configuration directive, followed by one or
-# more IP addresses.
-#
-# Examples:
-#
-# bind 192.168.1.100 10.0.0.1
-{% if redis_bind_localhost %}
-bind 127.0.0.1
-{% else %}
-{% if redis_bind_ip_list is defined %}
-bind {% for ip in redis_bind_ip_list %}{{ ip }} {% endfor %}
-{% else %}
-bind 0.0.0.0
-{% endif %}
-{% endif %}
-
-# Specify the path for the unix socket that will be used to listen for
-# incoming connections. There is no default, so Redis will not listen
-# on a unix socket when not specified.
-#
-# unixsocket /var/run/redis/redis.sock
-# unixsocketperm 755
-
-# Close the connection after a client is idle for N seconds (0 to disable)
-timeout 0
-
-# TCP keepalive.
-#
-# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
-# of communication. This is useful for two reasons:
-#
-# 1) Detect dead peers.
-# 2) Take the connection alive from the point of view of network
-# equipment in the middle.
-#
-# On Linux, the specified value (in seconds) is the period used to send ACKs.
-# Note that to close the connection the double of the time is needed.
-# On other kernels the period depends on the kernel configuration.
-#
-# A reasonable value for this option is 60 seconds.
-tcp-keepalive 0
-
-# Specify the server verbosity level.
-# This can be one of:
-# debug (a lot of information, useful for development/testing)
-# verbose (many rarely useful info, but not a mess like the debug level)
-# notice (moderately verbose, what you want in production probably)
-# warning (only very important / critical messages are logged)
-loglevel notice
-
-# Specify the log file name. Also the emptry string can be used to force
-# Redis to log on the standard output. Note that if you use standard
-# output for logging but daemonize, logs will be sent to /dev/null
-logfile /var/log/redis/redis-server.log
-
-# To enable logging to the system logger, just set 'syslog-enabled' to yes,
-# and optionally update the other syslog parameters to suit your needs.
-# syslog-enabled no
-
-# Specify the syslog identity.
-# syslog-ident redis
-
-# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
-# syslog-facility local0
-
-# Set the number of databases. The default database is DB 0, you can select
-# a different one on a per-connection basis using SELECT where
-# dbid is a number between 0 and 'databases'-1
-databases 16
-
-################################ SNAPSHOTTING #################################
-#
-# Save the DB on disk:
-#
-# save
-#
-# Will save the DB if both the given number of seconds and the given
-# number of write operations against the DB occurred.
-#
-# In the example below the behaviour will be to save:
-# after 900 sec (15 min) if at least 1 key changed
-# after 300 sec (5 min) if at least 10 keys changed
-# after 60 sec if at least 10000 keys changed
-#
-# Note: you can disable saving at all commenting all the "save" lines.
-#
-# It is also possible to remove all the previously configured save
-# points by adding a save directive with a single empty string argument
-# like in the following example:
-#
-# save ""
-
-save 900 1
-save 300 10
-save 60 10000
-
-# By default Redis will stop accepting writes if RDB snapshots are enabled
-# (at least one save point) and the latest background save failed.
-# This will make the user aware (in an hard way) that data is not persisting
-# on disk properly, otherwise chances are that no one will notice and some
-# distater will happen.
-#
-# If the background saving process will start working again Redis will
-# automatically allow writes again.
-#
-# However if you have setup your proper monitoring of the Redis server
-# and persistence, you may want to disable this feature so that Redis will
-# continue to work as usually even if there are problems with disk,
-# permissions, and so forth.
-stop-writes-on-bgsave-error yes
-
-# Compress string objects using LZF when dump .rdb databases?
-# For default that's set to 'yes' as it's almost always a win.
-# If you want to save some CPU in the saving child set it to 'no' but
-# the dataset will likely be bigger if you have compressible values or keys.
-rdbcompression yes
-
-# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
-# This makes the format more resistant to corruption but there is a performance
-# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
-# for maximum performances.
-#
-# RDB files created with checksum disabled have a checksum of zero that will
-# tell the loading code to skip the check.
-rdbchecksum yes
-
-# The filename where to dump the DB
-dbfilename dump.rdb
-
-# The working directory.
-#
-# The DB will be written inside this directory, with the filename specified
-# above using the 'dbfilename' configuration directive.
-#
-# The Append Only File will also be created inside this directory.
-#
-# Note that you must specify a directory here, not a file name.
-dir /var/lib/redis
-
-################################# REPLICATION #################################
-
-# Master-Slave replication. Use slaveof to make a Redis instance a copy of
-# another Redis server. Note that the configuration is local to the slave
-# so for example it is possible to configure the slave to save the DB with a
-# different interval, or to listen to another port, and so on.
-#
-# slaveof
-
-# If the master is password protected (using the "requirepass" configuration
-# directive below) it is possible to tell the slave to authenticate before
-# starting the replication synchronization process, otherwise the master will
-# refuse the slave request.
-#
-# masterauth
-
-# When a slave loses its connection with the master, or when the replication
-# is still in progress, the slave can act in two different ways:
-#
-# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will
-# still reply to client requests, possibly with out of date data, or the
-# data set may just be empty if this is the first synchronization.
-#
-# 2) if slave-serve-stale-data is set to 'no' the slave will reply with
-# an error "SYNC with master in progress" to all the kind of commands
-# but to INFO and SLAVEOF.
-#
-slave-serve-stale-data yes
-
-# You can configure a slave instance to accept writes or not. Writing against
-# a slave instance may be useful to store some ephemeral data (because data
-# written on a slave will be easily deleted after resync with the master) but
-# may also cause problems if clients are writing to it because of a
-# misconfiguration.
-#
-# Since Redis 2.6 by default slaves are read-only.
-#
-# Note: read only slaves are not designed to be exposed to untrusted clients
-# on the internet. It's just a protection layer against misuse of the instance.
-# Still a read only slave exports by default all the administrative commands
-# such as CONFIG, DEBUG, and so forth. To a limited extend you can improve
-# security of read only slaves using 'rename-command' to shadow all the
-# administrative / dangerous commands.
-slave-read-only yes
-
-# Slaves send PINGs to server in a predefined interval. It's possible to change
-# this interval with the repl_ping_slave_period option. The default value is 10
-# seconds.
-#
-# repl-ping-slave-period 10
-
-# The following option sets the replication timeout for:
-#
-# 1) Bulk transfer I/O during SYNC, from the point of view of slave.
-# 2) Master timeout from the point of view of slaves (data, pings).
-# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings).
-#
-# It is important to make sure that this value is greater than the value
-# specified for repl-ping-slave-period otherwise a timeout will be detected
-# every time there is low traffic between the master and the slave.
-#
-# repl-timeout 60
-
-# Disable TCP_NODELAY on the slave socket after SYNC?
-#
-# If you select "yes" Redis will use a smaller number of TCP packets and
-# less bandwidth to send data to slaves. But this can add a delay for
-# the data to appear on the slave side, up to 40 milliseconds with
-# Linux kernels using a default configuration.
-#
-# If you select "no" the delay for data to appear on the slave side will
-# be reduced but more bandwidth will be used for replication.
-#
-# By default we optimize for low latency, but in very high traffic conditions
-# or when the master and slaves are many hops away, turning this to "yes" may
-# be a good idea.
-repl-disable-tcp-nodelay no
-
-# Set the replication backlog size.
The backlog is a buffer that accumulates
-# slave data when slaves are disconnected for some time, so that when a slave
-# wants to reconnect again, often a full resync is not needed, but a partial
-# resync is enough, just passing the portion of data the slave missed while
-# disconnected.
-#
-# The biggest the replication backlog, the longer the time the slave can be
-# disconnected and later be able to perform a partial resynchronization.
-#
-# The backlog is only allocated once there is at least a slave connected.
-#
-# repl-backlog-size 1mb
-
-# After a master has no longer connected slaves for some time, the backlog
-# will be freed. The following option configures the amount of seconds that
-# need to elapse, starting from the time the last slave disconnected, for
-# the backlog buffer to be freed.
-#
-# A value of 0 means to never release the backlog.
-#
-# repl-backlog-ttl 3600
-
-# The slave priority is an integer number published by Redis in the INFO output.
-# It is used by Redis Sentinel in order to select a slave to promote into a
-# master if the master is no longer working correctly.
-#
-# A slave with a low priority number is considered better for promotion, so
-# for instance if there are three slaves with priority 10, 100, 25 Sentinel will
-# pick the one wtih priority 10, that is the lowest.
-#
-# However a special priority of 0 marks the slave as not able to perform the
-# role of master, so a slave with priority of 0 will never be selected by
-# Redis Sentinel for promotion.
-#
-# By default the priority is 100.
-slave-priority 100
-
-# It is possible for a master to stop accepting writes if there are less than
-# N slaves connected, having a lag less or equal than M seconds.
-#
-# The N slaves need to be in "online" state.
-#
-# The lag in seconds, that must be <= the specified value, is calculated from
-# the last ping received from the slave, that is usually sent every second.
-#
-# This option does not GUARANTEES that N replicas will accept the write, but
-# will limit the window of exposure for lost writes in case not enough slaves
-# are available, to the specified number of seconds.
-#
-# For example to require at least 3 slaves with a lag <= 10 seconds use:
-#
-# min-slaves-to-write 3
-# min-slaves-max-lag 10
-#
-# Setting one or the other to 0 disables the feature.
-#
-# By default min-slaves-to-write is set to 0 (feature disabled) and
-# min-slaves-max-lag is set to 10.
-
-################################## SECURITY ###################################
-
-# Require clients to issue AUTH before processing any other
-# commands. This might be useful in environments in which you do not trust
-# others with access to the host running redis-server.
-#
-# This should stay commented out for backward compatibility and because most
-# people do not need auth (e.g. they run their own servers).
-#
-# Warning: since Redis is pretty fast an outside user can try up to
-# 150k passwords per second against a good box. This means that you should
-# use a very strong password otherwise it will be very easy to break.
-#
-# requirepass foobared
-
-# Command renaming.
-#
-# It is possible to change the name of dangerous commands in a shared
-# environment. For instance the CONFIG command may be renamed into something
-# hard to guess so that it will still be available for internal-use tools
-# but not available for general clients.
-#
-# Example:
-#
-# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
-#
-# It is also possible to completely kill a command by renaming it into
-# an empty string:
-#
-# rename-command CONFIG ""
-#
-# Please note that changing the name of commands that are logged into the
-# AOF file or transmitted to slaves may cause problems.
-
-################################### LIMITS ####################################
-
-# Set the max number of connected clients at the same time.
By default
-# this limit is set to 10000 clients, however if the Redis server is not
-# able to configure the process file limit to allow for the specified limit
-# the max number of allowed clients is set to the current file limit
-# minus 32 (as Redis reserves a few file descriptors for internal uses).
-#
-# Once the limit is reached Redis will close all the new connections sending
-# an error 'max number of clients reached'.
-#
-# maxclients 10000
-
-# Don't use more memory than the specified amount of bytes.
-# When the memory limit is reached Redis will try to remove keys
-# accordingly to the eviction policy selected (see maxmemmory-policy).
-#
-# If Redis can't remove keys according to the policy, or if the policy is
-# set to 'noeviction', Redis will start to reply with errors to commands
-# that would use more memory, like SET, LPUSH, and so on, and will continue
-# to reply to read-only commands like GET.
-#
-# This option is usually useful when using Redis as an LRU cache, or to set
-# an hard memory limit for an instance (using the 'noeviction' policy).
-#
-# WARNING: If you have slaves attached to an instance with maxmemory on,
-# the size of the output buffers needed to feed the slaves are subtracted
-# from the used memory count, so that network problems / resyncs will
-# not trigger a loop where keys are evicted, and in turn the output
-# buffer of slaves is full with DELs of keys evicted triggering the deletion
-# of more keys, and so forth until the database is completely emptied.
-#
-# In short... if you have slaves attached it is suggested that you set a lower
-# limit for maxmemory so that there is some free RAM on the system for slave
-# output buffers (but this is not needed if the policy is 'noeviction').
-#
-# maxmemory
-
-# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
-# is reached.
You can select among five behaviors:
-#
-# volatile-lru -> remove the key with an expire set using an LRU algorithm
-# allkeys-lru -> remove any key accordingly to the LRU algorithm
-# volatile-random -> remove a random key with an expire set
-# allkeys-random -> remove a random key, any key
-# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
-# noeviction -> don't expire at all, just return an error on write operations
-#
-# Note: with any of the above policies, Redis will return an error on write
-# operations, when there are not suitable keys for eviction.
-#
-# At the date of writing this commands are: set setnx setex append
-# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
-# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
-# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
-# getset mset msetnx exec sort
-#
-# The default is:
-#
-# maxmemory-policy volatile-lru
-
-# LRU and minimal TTL algorithms are not precise algorithms but approximated
-# algorithms (in order to save memory), so you can select as well the sample
-# size to check. For instance for default Redis will check three keys and
-# pick the one that was used less recently, you can change the sample size
-# using the following configuration directive.
-#
-# maxmemory-samples 3
-
-############################## APPEND ONLY MODE ###############################
-
-# By default Redis asynchronously dumps the dataset on disk. This mode is
-# good enough in many applications, but an issue with the Redis process or
-# a power outage may result into a few minutes of writes lost (depending on
-# the configured save points).
-#
-# The Append Only File is an alternative persistence mode that provides
-# much better durability.
For instance using the default data fsync policy
-# (see later in the config file) Redis can lose just one second of writes in a
-# dramatic event like a server power outage, or a single write if something
-# wrong with the Redis process itself happens, but the operating system is
-# still running correctly.
-#
-# AOF and RDB persistence can be enabled at the same time without problems.
-# If the AOF is enabled on startup Redis will load the AOF, that is the file
-# with the better durability guarantees.
-#
-# Please check http://redis.io/topics/persistence for more information.
-
-appendonly yes
-
-# The name of the append only file (default: "appendonly.aof")
-# appendfilename appendonly.aof
-
-# The fsync() call tells the Operating System to actually write data on disk
-# instead to wait for more data in the output buffer. Some OS will really flush
-# data on disk, some other OS will just try to do it ASAP.
-#
-# Redis supports three different modes:
-#
-# no: don't fsync, just let the OS flush the data when it wants. Faster.
-# always: fsync after every write to the append only log . Slow, Safest.
-# everysec: fsync only one time every second. Compromise.
-#
-# The default is "everysec", as that's usually the right compromise between
-# speed and data safety. It's up to you to understand if you can relax this to
-# "no" that will let the operating system flush the output buffer when
-# it wants, for better performances (but if you can live with the idea of
-# some data loss consider the default persistence mode that's snapshotting),
-# or on the contrary, use "always" that's very slow but a bit safer than
-# everysec.
-#
-# More details please check the following article:
-# http://antirez.com/post/redis-persistence-demystified.html
-#
-# If unsure, use "everysec".
-
-# appendfsync always
-appendfsync everysec
-# appendfsync no
-
-# When the AOF fsync policy is set to always or everysec, and a background
-# saving process (a background save or AOF log background rewriting) is
-# performing a lot of I/O against the disk, in some Linux configurations
-# Redis may block too long on the fsync() call. Note that there is no fix for
-# this currently, as even performing fsync in a different thread will block
-# our synchronous write(2) call.
-#
-# In order to mitigate this problem it's possible to use the following option
-# that will prevent fsync() from being called in the main process while a
-# BGSAVE or BGREWRITEAOF is in progress.
-#
-# This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync none". In practical terms, this means that it is
-# possible to lose up to 30 seconds of log in the worst scenario (with the
-# default Linux settings).
-#
-# If you have latency problems turn this to "yes". Otherwise leave it as
-# "no" that is the safest pick from the point of view of durability.
-no-appendfsync-on-rewrite no
-
-# Automatic rewrite of the append only file.
-# Redis is able to automatically rewrite the log file implicitly calling
-# BGREWRITEAOF when the AOF log size grows by the specified percentage.
-#
-# This is how it works: Redis remembers the size of the AOF file after the
-# latest rewrite (if no rewrite has happened since the restart, the size of
-# the AOF at startup is used).
-#
-# This base size is compared to the current size. If the current size is
-# bigger than the specified percentage, the rewrite is triggered. Also
-# you need to specify a minimal size for the AOF file to be rewritten, this
-# is useful to avoid rewriting the AOF file even if the percentage increase
-# is reached but it is still pretty small.
-#
-# Specify a percentage of zero in order to disable the automatic AOF
-# rewrite feature.
-
-auto-aof-rewrite-percentage 100
-auto-aof-rewrite-min-size 64mb
-
-################################ LUA SCRIPTING ###############################
-
-# Max execution time of a Lua script in milliseconds.
-#
-# If the maximum execution time is reached Redis will log that a script is
-# still in execution after the maximum allowed time and will start to
-# reply to queries with an error.
-#
-# When a long running script exceed the maximum execution time only the
-# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
-# used to stop a script that did not yet called write commands. The second
-# is the only way to shut down the server in the case a write commands was
-# already issue by the script but the user don't want to wait for the natural
-# termination of the script.
-#
-# Set it to 0 or a negative value for unlimited execution without warnings.
-lua-time-limit 5000
-
-################################## SLOW LOG ###################################
-
-# The Redis Slow Log is a system to log queries that exceeded a specified
-# execution time. The execution time does not include the I/O operations
-# like talking with the client, sending the reply and so forth,
-# but just the time needed to actually execute the command (this is the only
-# stage of command execution where the thread is blocked and can not serve
-# other requests in the meantime).
-#
-# You can configure the slow log with two parameters: one tells Redis
-# what is the execution time, in microseconds, to exceed in order for the
-# command to get logged, and the other parameter is the length of the
-# slow log. When a new command is logged the oldest one is removed from the
-# queue of logged commands.
-
-# The following time is expressed in microseconds, so 1000000 is equivalent
-# to one second. Note that a negative number disables the slow log, while
-# a value of zero forces the logging of every command.
-slowlog-log-slower-than 10000
-
-# There is no limit to this length.
Just be aware that it will consume memory.
-# You can reclaim memory used by the slow log with SLOWLOG RESET.
-slowlog-max-len 128
-
-############################# Event notification ##############################
-
-# Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at http://redis.io/topics/keyspace-events
-#
-# For instance if keyspace events notification is enabled, and a client
-# performs a DEL operation on key "foo" stored in the Database 0, two
-# messages will be published via Pub/Sub:
-#
-# PUBLISH __keyspace@0__:foo del
-# PUBLISH __keyevent@0__:del foo
-#
-# It is possible to select the events that Redis will notify among a set
-# of classes. Every class is identified by a single character:
-#
-# K Keyspace events, published with __keyspace@__ prefix.
-# E Keyevent events, published with __keyevent@__ prefix.
-# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
-# $ String commands
-# l List commands
-# s Set commands
-# h Hash commands
-# z Sorted set commands
-# x Expired events (events generated every time a key expires)
-# e Evicted events (events generated when a key is evicted for maxmemory)
-# A Alias for g$lshzxe, so that the "AKE" string means all the events.
-#
-# The "notify-keyspace-events" takes as argument a string that is composed
-# by zero or multiple characters. The empty string means that notifications
-# are disabled at all.
-#
-# Example: to enable list and generic events, from the point of view of the
-# event name, use:
-#
-# notify-keyspace-events Elg
-#
-# Example 2: to get the stream of the expired keys subscribing to channel
-# name __keyevent@0__:expired use:
-#
-# notify-keyspace-events Ex
-#
-# By default all notifications are disabled because most users don't need
-# this feature and the feature has some overhead. Note that if you don't
-# specify at least one of K or E, no events will be delivered.
-notify-keyspace-events ""
-
-############################### ADVANCED CONFIG ###############################
-
-# Hashes are encoded using a memory efficient data structure when they have a
-# small number of entries, and the biggest entry does not exceed a given
-# threshold. These thresholds can be configured using the following directives.
-hash-max-ziplist-entries 512
-hash-max-ziplist-value 64
-
-# Similarly to hashes, small lists are also encoded in a special way in order
-# to save a lot of space. The special representation is only used when
-# you are under the following limits:
-list-max-ziplist-entries 512
-list-max-ziplist-value 64
-
-# Sets have a special encoding in just one case: when a set is composed
-# of just strings that happens to be integers in radix 10 in the range
-# of 64 bit signed integers.
-# The following configuration setting sets the limit in the size of the
-# set in order to use this special memory saving encoding.
-set-max-intset-entries 512
-
-# Similarly to hashes and lists, sorted sets are also specially encoded in
-# order to save a lot of space. This encoding is only used when the length and
-# elements of a sorted set are below the following limits:
-zset-max-ziplist-entries 128
-zset-max-ziplist-value 64
-
-# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
-# order to help rehashing the main Redis hash table (the one mapping top-level
-# keys to values). The hash table implementation Redis uses (see dict.c)
-# performs a lazy rehashing: the more operation you run into an hash table
-# that is rehashing, the more rehashing "steps" are performed, so if the
-# server is idle the rehashing is never complete and some more memory is used
-# by the hash table.
-#
-# The default is to use this millisecond 10 times every second in order to
-# active rehashing the main dictionaries, freeing memory when possible.
-#
-# If unsure:
-# use "activerehashing no" if you have hard latency requirements and it is
-# not a good thing in your environment that Redis can reply form time to time
-# to queries with 2 milliseconds delay.
-#
-# use "activerehashing yes" if you don't have such hard requirements but
-# want to free memory asap when possible.
-activerehashing yes
-
-# The client output buffer limits can be used to force disconnection of clients
-# that are not reading data from the server fast enough for some reason (a
-# common reason is that a Pub/Sub client can't consume messages as fast as the
-# publisher can produce them).
-#
-# The limit can be set differently for the three different classes of clients:
-#
-# normal -> normal clients
-# slave -> slave clients and MONITOR clients
-# pubsub -> clients subcribed to at least one pubsub channel or pattern
-#
-# The syntax of every client-output-buffer-limit directive is the following:
-#
-# client-output-buffer-limit
-#
-# A client is immediately disconnected once the hard limit is reached, or if
-# the soft limit is reached and remains reached for the specified number of
-# seconds (continuously).
-# So for instance if the hard limit is 32 megabytes and the soft limit is
-# 16 megabytes / 10 seconds, the client will get disconnected immediately
-# if the size of the output buffers reach 32 megabytes, but will also get
-# disconnected if the client reaches 16 megabytes and continuously overcomes
-# the limit for 10 seconds.
-#
-# By default normal clients are not limited because they don't receive data
-# without asking (in a push way), but just after a request, so only
-# asynchronous clients may create a scenario where data is requested faster
-# than it can read.
-#
-# Instead there is a default limit for pubsub and slave clients, since
-# subscribers and slaves receive data in a push fashion.
-#
-# Both the hard or the soft limit can be disabled by setting them to zero.
-client-output-buffer-limit normal 0 0 0
-client-output-buffer-limit slave 256mb 64mb 60
-client-output-buffer-limit pubsub 32mb 8mb 60
-
-# Redis calls an internal function to perform many background tasks, like
-# closing connections of clients in timeot, purging expired keys that are
-# never requested, and so forth.
-#
-# Not all tasks are performed with the same frequency, but Redis checks for
-# tasks to perform accordingly to the specified "hz" value.
-#
-# By default "hz" is set to 10. Raising the value will use more CPU when
-# Redis is idle, but at the same time will make Redis more responsive when
-# there are many keys expiring at the same time, and timeouts may be
-# handled with more precision.
-#
-# The range is between 1 and 500, however a value over 100 is usually not
-# a good idea. Most users should use the default of 10 and raise this up to
-# 100 only in environments where very low latency is required.
-hz 10
-
-# When a child rewrites the AOF file, if the following option is enabled
-# the file will be fsync-ed every 32 MB of data generated. This is useful
-# in order to commit the file to the disk more incrementally and avoid
-# big latency spikes.
-aof-rewrite-incremental-fsync yes
-
-################################## INCLUDES ###################################
-
-# Include one or more other config files here. This is useful if you
-# have a standard template that goes to all Redis server but also need
-# to customize a few per-server settings. Include files can include
-# other files, so use this wisely.
-#
-# include /path/to/local.conf
-# include /path/to/other.conf