diff --git a/create_new_role_stub b/create_new_role_stub new file mode 100755 index 00000000..9f57dca0 --- /dev/null +++ b/create_new_role_stub @@ -0,0 +1,8 @@ +#!/bin/bash + +new_role=$1 + +mkdir "$new_role" +mkdir -p "${new_role}"/{defaults,tasks,files,templates,vars,meta,handlers} +touch "${new_role}"/{defaults,tasks,vars,meta,handlers}/main.yml + diff --git a/fail2ban/tasks/fail2ban.yml b/fail2ban/tasks/fail2ban.yml index 74e76d76..6b007658 100644 --- a/fail2ban/tasks/fail2ban.yml +++ b/fail2ban/tasks/fail2ban.yml @@ -1,7 +1,6 @@ --- - name: Install fail2ban on ubuntu >= 14.04 and debian >= 8 - apt: pkg={{ item }} state=present - with_items: '{{ f2b_packages }}' + apt: pkg={{ f2b_packages }} state=present tags: fail2ban - name: Ensure that fail2ban is enabled and running diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml index 9da4e534..47261772 100644 --- a/iptables/defaults/main.yml +++ b/iptables/defaults/main.yml @@ -1,4 +1,8 @@ --- +iptables_deb_pkgs: + - iptables + - iptables-persistent + # # Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables # diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml index 06ea7fa6..5441f837 100644 --- a/iptables/tasks/main.yml +++ b/iptables/tasks/main.yml @@ -1,10 +1,7 @@ --- - block: - name: Install the needed iptables packages - apt: pkg={{ item }} state=present - with_items: - - iptables - - iptables-persistent + apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800 - name: Create the /etc/iptables directory when needed file: dest=/etc/iptables state=directory owner=root group=root mode=0755 diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml index fabcfc85..d114f97b 100644 --- a/letsencrypt-acmetool-client/tasks/main.yml +++ b/letsencrypt-acmetool-client/tasks/main.yml 
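Review bot: `new_role=$1` is used without checking that an argument was given, so running the stub with no argument makes `mkdir -p "${new_role}"/{defaults,...}` expand to `/defaults`, `/tasks` and so on at the filesystem root. Guard the argument before any `mkdir`: `[ $# -eq 1 ] && [ -n "$1" ] || { echo "usage: $0 <role_name>" >&2; exit 1; }`, and add `set -eu` after the shebang. The first `mkdir "$new_role"` is redundant with the following `mkdir -p` and only adds a noisy error when the directory already exists.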
@@ -36,8 +36,7 @@ tags: letsencrypt - name: Install the letsencrypt acmetool package and some deps - apt: pkg={{ item }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600 - with_items: '{{ letsencrypt_acme_pkgs }}' + apt: pkg={{ letsencrypt_acme_pkgs }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600 when: - letsencrypt_acme_install - letsencrypt_pkg_install diff --git a/mono/defaults/main.yml b/mono/defaults/main.yml new file mode 100644 index 00000000..f6daeb83 --- /dev/null +++ b/mono/defaults/main.yml @@ -0,0 +1,24 @@ +--- +mono_repo_server: 'keyserver.ubuntu.com' +mono_deb_repo_key_id: 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF +mono_deb_repo_url: 'deb https://download.mono-project.com/repo/{{ ansible_distribution | lower }} stable-{{ ansible_distribution_release }} main' + +mono_rh_key: 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF' +mono_rh_repo_url: 'https://download.mono-project.com/repo/{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}-stable.repo' + +mono_deb_prerequisites: + - apt-transport-https + - dirmngr + - gnupg + - ca-certificates + +mono_deb_packages: + - mono-devel + - referenceassemblies-pcl + - mono-xsp4 + +mono_rh_packages: + - mono-devel + - referenceassemblies-pcl + - xsp + diff --git a/mono/tasks/main.yml b/mono/tasks/main.yml new file mode 100644 index 00000000..552e1119 --- /dev/null +++ b/mono/tasks/main.yml 
@@ -0,0 +1,42 @@
+---
+- block:
+ - name: Install the Mono dependencies on Deb based distributions
+ apt: name={{ mono_deb_prerequisites }} state=present cache_valid_time=1800
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: mono
+
+- block:
+ - name: Install the deb Mono repository key
+ apt_key:
+ keyserver: {{ mono_repo_server }}
+ id: {{ mono_deb_repo_key_id }}
+
+ - name: Install the deb Mono repository
+ apt_repository:
+ repo: '{{ mono_deb_repo_url }}'
+ state: present
+ update_cache: yes
+
+ - name: Install the Mono packages on Deb based distributions
+ apt: name={{ mono_deb_packages }} state=present cache_valid_time=1800
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: mono
+
+- block:
+ - name: Install the RH Mono repository key
+ rpm_key:
+ state: present
+ key: {{ mono_rh_key }}
+
+ - name: Install the RH Mono repository
+ get_url:
+ dest: /etc/yum.repos.d/mono-{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}-stable.repo
+ url: {{ mono_rh_repo_url }}
+
+ - name: Install the Mono packages on RH based distributions
+ yum: name={{ mono_rh_packages }} state=present
+
+ when: ansible_distribution_file_variety != "Debian"
+ tags: mono
diff --git a/nextcloud/defaults/main.yml b/nextcloud/defaults/main.yml
index 5b842532..5fc38f9c 100644
--- a/nextcloud/defaults/main.yml
+++ b/nextcloud/defaults/main.yml
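Review bot: The bare `keyserver: {{ mono_repo_server }}` and `id: {{ mono_deb_repo_key_id }}` under `apt_key`, and `key: {{ mono_rh_key }}` / `url: {{ mono_rh_repo_url }}` further down, start a value with `{{`, which YAML reads as a flow mapping before Jinja ever sees it, so the file fails to parse. Quote them as the `repo:` line already does: `keyserver: '{{ mono_repo_server }}'`. The same unquoted pair appears in the `apt_key` task of onlyoffice_portal/tasks/main.yml, whereas onlyoffice_docserver/tasks/main.yml quotes them correctly. The third block's `when: ansible_distribution_file_variety != "Debian"` runs the `rpm_key`/`yum` tasks on any non-Debian family, not only RedHat; `== "RedHat"`, as postfix-relay/tasks/smtp-common-packages.yml does, is the safer condition.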
@@ -1,13 +1,14 @@ --- -nextcloud_version: 13.0.4 +nextcloud_version: 15.0.5 nextcloud_dist_filename: 'nextcloud-{{ nextcloud_version }}.tar.bz2' nextcloud_download_url: 'https://download.nextcloud.com/server/releases/{{ nextcloud_dist_filename }}' nextcloud_use_redis: True nextcloud_use_memcache: False nextcloud_web_basedir: /var/www nextcloud_web_root: '{{ nextcloud_web_basedir }}/nextcloud' -nextcloud_data_dir: /srv/nextcloud/data -nextcloud_oc_dir: /srv/nextcloud/oc_keys +nextcloud_data_base_dir: /srv +nextcloud_data_dir: '{{ nextcloud_data_base_dir }}/nextcloud/data' +nextcloud_oc_dir: '{{ nextcloud_data_base_dir }}/nextcloud/oc_keys' nextcloud_servername: '{{ ansible_fqdn }}' nextcloud_servernames: - { webroot: '{{ nextcloud_web_root }}', id: 1, name: '{{ nextcloud_servername }}' } diff --git a/nextcloud/meta/main.yml b/nextcloud/meta/main.yml index 50957479..4be987f3 100644 --- a/nextcloud/meta/main.yml +++ b/nextcloud/meta/main.yml @@ -1,5 +1,6 @@ --- dependencies: + - { role: '../../library/roles/postgresql' } - { role: '../../library/roles/php-fpm' } - { role: '../../library/roles/nginx' } - { role: '../../library/roles/redis', when nextcloud_use_redis } diff --git a/nextcloud/tasks/nextcloud-install.yml b/nextcloud/tasks/nextcloud-install.yml index 84555a22..a9cff53f 100644 --- a/nextcloud/tasks/nextcloud-install.yml +++ b/nextcloud/tasks/nextcloud-install.yml @@ -11,7 +11,7 @@ get_url: url={{ nextcloud_download_url }} dest=/srv/{{ nextcloud_dist_filename }} - name: Unpack the nextcloud archive - unarchive: remote_src=yes src=/srv/{{ nextcloud_dist_filename }} dest={{ item.doc_root }} owner={{ item.user }} group={{ item.user }} + unarchive: remote_src=yes src=/srv/{{ nextcloud_dist_filename }} dest={{ nextcloud_web_basedir }} owner={{ item.user }} group={{ item.user }} args: creates: '{{ item.doc_root }}/index.php' with_items: '{{ phpfpm_pools }}' diff --git a/nextcloud/vars/main.yml b/nextcloud/vars/main.yml index e69794e5..3e98d2ee 100644 
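Review bot: The `unarchive` task now extracts into `{{ nextcloud_web_basedir }}`, but its `creates: '{{ item.doc_root }}/index.php'` still refers to the per-pool `doc_root`; whenever a pool's `doc_root` is not `{{ nextcloud_web_basedir }}/nextcloud` the guard never matches and the tarball is unpacked again on every run, overwriting files updated in place. Derive both from the same base, e.g. `creates: '{{ nextcloud_web_basedir }}/nextcloud/index.php'`. In nextcloud/meta/main.yml the context line `{ role: '../../library/roles/redis', when nextcloud_use_redis }` lacks the colon after `when`, so it is not seen as a condition; it predates this commit, but the hunk edits that list and could fix it.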
--- a/nextcloud/vars/main.yml +++ b/nextcloud/vars/main.yml @@ -6,7 +6,7 @@ redis_install: True http_port: 80 https_port: 443 -php_version: 7.0 +php_version: 7.2 phpfpm_base_dir: '/etc/php/{{ php_version }}/fpm' phpfpm_cli_dir: '/etc/php/{{ php_version }}/cli' @@ -16,7 +16,6 @@ php_fpm_packages: - 'php{{ php_version }}-json' - 'php{{ php_version }}-ldap' - 'php{{ php_version }}-{{ nextcloud_db }}' - - 'php{{ php_version }}-mcrypt' - 'php{{ php_version }}-xml' - 'php{{ php_version }}-mbstring' - 'php{{ php_version }}-intl' @@ -32,7 +31,7 @@ phpfpm_default_memory_limit: "512M" php_global_settings: - { option: 'always_populate_raw_post_data', value: '-1' } - - { option: 'allow_url_fopen', value: 'off' } + - { option: 'allow_url_fopen', value: 'on' } - { option: 'max_execution_time', value: '240' } - { option: 'memory_limit', value: '{{ phpfpm_default_memory_limit }}' } - { option: 'max_input_vars', value: '1400' } diff --git a/nginx/tasks/nginx.yml b/nginx/tasks/nginx.yml index 897b3764..7b1ee0ba 100644 --- a/nginx/tasks/nginx.yml +++ b/nginx/tasks/nginx.yml 
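Review bot: Flipping `allow_url_fopen` to `'on'` happens in `php_global_settings`, which the php-fpm role applies globally rather than to the Nextcloud pool alone, so every other PHP application on the host loses the stricter setting too. If Nextcloud is the only consumer that needs it, scope it to the Nextcloud pool where the php-fpm role allows per-pool values, and in any case add a one-line reason next to it, e.g. `# Required by Nextcloud (listed in its PHP requirements)`. Dropping `php{{ php_version }}-mcrypt` is consistent with `php_version: 7.2`, where the extension is no longer packaged, and deserves the same kind of note so nobody re-adds it.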
@@ -7,26 +7,20 @@ tags: [ 'nginx', 'nginx_ppa' ] - name: Install the nginx web server - apt: pkg={{ item }} state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - with_items: - - nginx-full + apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 when: - not nginx_use_ldap_pam_auth - ansible_distribution_major_version <= '14' tags: nginx - name: Install the nginx web server if we need ldap auth via pam - apt: pkg={{ item }} state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - with_items: - - nginx-extras + apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 when: - nginx_use_ldap_pam_auth - ansible_distribution_major_version <= '14' tags: nginx - name: Install the nginx web server on Ubuntu >= 16.04 - apt: pkg={{ item }} state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 - with_items: - - nginx + apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800 when: ansible_distribution_major_version >= '16' tags: nginx diff --git a/node_js/tasks/main.yml b/node_js/tasks/main.yml index 44cdce16..0dc52dbc 100644 --- a/node_js/tasks/main.yml +++ b/node_js/tasks/main.yml @@ -7,8 +7,7 @@ with_items: '{{ node_js_repo_urls }}' - name: Install the Node.js packages - apt: pkg={{ item }} state={{ node_js_pkg_state }} update_cache=True cache_valid_time=1800 - with_items: '{{ node_js_pkgs }}' + apt: pkg={{ node_js_pkgs }} state={{ node_js_pkg_state }} update_cache=True cache_valid_time=1800 tags: [ 'nodejs', 'node_js' ] 
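Review bot: The three install tasks choose a package by comparing `ansible_distribution_major_version` as a string (`<= '14'`, `>= '16'`), and that fact is a string, so the comparison is lexicographic: a single-digit major version such as Debian's `'9'` satisfies `>= '16'` and fails `<= '14'`, which sends Debian hosts to the "Ubuntu >= 16.04" task and never to the `nginx-extras` ldap/pam variant. Those lines are context rather than part of the change, but since the tasks were just rewritten this is the moment to cast: `- ansible_distribution_major_version | int >= 16`. Now that the three tasks differ only in the package name, one task with `pkg={{ nginx_pkg_name }}` and a variable set by the same conditions would remove the duplication (variable name constructed here).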
@@ -21,8 +20,7 @@ with_items: '{{ node_js_yarn_repo_urls }}' - name: Install the Node.js yarn packages - apt: pkg={{ item }} state={{ node_js_pkg_state }} update_cache=True cache_valid_time=1800 - with_items: '{{ node_js_yarn_pkgs }}' + apt: pkg={{ node_js_yarn_pkgs }} state={{ node_js_pkg_state }} update_cache=True cache_valid_time=1800 when: node_js_yarn_install tags: [ 'nodejs', 'node_js', 'yarn', 'node_js_yarn' ] @@ -33,8 +31,7 @@ with_items: '{{ node_js_yarn_repo_urls }}' - name: Install the Node.js yarn packages - apt: pkg={{ item }} state=absent update_cache=True cache_valid_time=1800 - with_items: '{{ node_js_yarn_pkgs }}' + apt: pkg={{ node_js_yarn_pkgs }} state=absent update_cache=True cache_valid_time=1800 when: not node_js_yarn_install tags: [ 'nodejs', 'node_js', 'yarn', 'node_js_yarn' ] diff --git a/onlyoffice_docserver/defaults/main.yml b/onlyoffice_docserver/defaults/main.yml new file mode 100644 index 00000000..bf75c98f --- /dev/null +++ b/onlyoffice_docserver/defaults/main.yml 
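Review bot: The third hunk's task is still named `Install the Node.js yarn packages` although it runs `state=absent` under `when: not node_js_yarn_install`; rename it `- name: Remove the Node.js yarn packages` so the play output says what happened. The same install-named removal exists in postgresql/tasks/pgpool-ii.yml (`Install the pgpool packages` with `state=absent`).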
@@ -0,0 +1,36 @@
+---
+onlyoffice_docserver_deb_repo_key: CB2DE8E5
+onlyoffice_docserver_deb_repo_key_server: 'keyserver.ubuntu.com'
+onlyoffice_docserver_deb_repo: 'deb http://download.onlyoffice.com/repo/debian squeeze main'
+onlyoffice_docserver_deb_packages: onlyoffice-communityserver
+onlyoffice_docserver_letsencrypt_managed: True
+
+onlyoffice_docserver_use_nginx_role: True
+
+onlyoffice_docserver_deb_packages_dependencies:
+ - libcurl3
+ - libxml2
+ - supervisor
+ - fonts-dejavu
+ - fonts-liberation
+ - ttf-mscorefonts-installer
+ - fonts-crosextra-carlito
+ - fonts-takao-gothic
+ - fonts-opensymbol
+ - npm
+ - nginx-extras
+
+onlyoffice_docserver_packages:
+ - onlyoffice-documentserver
+
+onlyoffice_docserver_db_host: localhost
+onlyoffice_docserver_db_user: onlyoffice
+onlyoffice_docserver_db_name: onlyoffice
+#onlyoffice_docserver_db_pwd: 'put it into a vault file'
+
+onlyoffice_docserver_redis_host: localhost
+
+onlyoffice_docserver_rabbitmq_url: 'amqp://guest:guest@localhost'
+
+onlyoffice_docserver_use_a_secret_key: 'true'
+#onlyoffice_docserver_secret_key: 'put it into a vault file'
\ No newline at end of file
diff --git a/onlyoffice_docserver/handlers/main.yml b/onlyoffice_docserver/handlers/main.yml
new file mode 100644
index 00000000..f48f37d3
--- /dev/null
+++ b/onlyoffice_docserver/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload nginx
+ service:
+ name: nginx
+ enabled: yes
+ state: reloaded
diff --git a/onlyoffice_docserver/meta/main.yml b/onlyoffice_docserver/meta/main.yml
new file mode 100644
index 00000000..0d66776a
--- /dev/null
+++ b/onlyoffice_docserver/meta/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ - { role: '../../library/roles/postgresql', when: psql_postgresql_install }
+ - { role: '../../library/roles/redis' }
+ - { role: '../../library/roles/rabbitmq' }
+ - { role: '../../library/roles/nginx', when: onlyoffice_docserver_use_nginx_role }
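Review bot: `onlyoffice_docserver_deb_repo_key: CB2DE8E5` is an 8-hex-digit short key id that `apt_key` then fetches from a public keyserver; short ids are not unique and a keyserver may return a different key carrying the same short id, so pin the full 40-character fingerprint the way mono/defaults/main.yml does with `mono_deb_repo_key_id`. The same short id is used in onlyoffice_portal/defaults/main.yml. `onlyoffice_docserver_rabbitmq_url: 'amqp://guest:guest@localhost'` bakes the broker's default credentials into a role default; keep the password in a vault variable like `onlyoffice_docserver_db_pwd` and build the URL from it. `onlyoffice_docserver_deb_packages: onlyoffice-communityserver` duplicates the portal role's value and is not referenced by the docserver tasks in this diff, which use `onlyoffice_docserver_packages`; it looks like a copy-paste leftover.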
diff --git a/onlyoffice_docserver/tasks/main.yml b/onlyoffice_docserver/tasks/main.yml
new file mode 100644
index 00000000..9b09523e
--- /dev/null
+++ b/onlyoffice_docserver/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- block:
+ - name: Install the deb OnlyOffice repository key
+ apt_key:
+ keyserver: '{{ onlyoffice_docserver_deb_repo_key_server }}'
+ id: '{{ onlyoffice_docserver_deb_repo_key }}'
+
+ - name: Install the deb OnlyOffice repository
+ apt_repository:
+ repo: '{{ onlyoffice_docserver_deb_repo }}'
+ state: present
+ update_cache: yes
+
+ - name: Install the OnlyOffice document server deb dependencies
+ apt: name={{ onlyoffice_docserver_deb_packages_dependencies }} state=present cache_valid_time=1800
+
+ - name: Create some OnlyOffice directories where we will install our config files
+ file: dest={{ item }} state=directory
+ with_items:
+ - /etc/onlyoffice/documentserver
+ - /etc/onlyoffice/documentserver/nginx
+
+ - name: Install the OnlyOffice local configuration from a template
+ template: src=local.json dest=/etc/onlyoffice/documentserver/local.json owner=root group=root mode=0444
+
+ - name: Install the OnlyOffice document server configuration that enables SSL
+ template: src=onlyoffice-documentserver-ssl.conf dest=/etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf
+ when: onlyoffice_docserver_letsencrypt_managed
+ notify: Reload nginx
+ tags: [ 'onlyoffice', 'letsencrypt', 'nginx' ]
+
+ - name: The OnlyOffice document server packages must be done manually, because it is interactive
+ debug:
+ msg: "Manually install the onlyoffice-documentserver package with 'apt-get install -y onlyoffice-documentserver'"
+
+# - name: Install the OnlyOffice document server package
+# apt: name={{ onlyoffice_docserver_packages }} state=present cache_valid_time=1800
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: onlyoffice
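Review bot: `local.json` is installed with `mode=0444`, readable by every local account, and the role's defaults suggest it carries `onlyoffice_docserver_db_pwd` and `onlyoffice_docserver_secret_key` (the template is not in this diff, so confirm). Tighten it to `mode=0440` with `group=` set to the account the document server runs as, or `0400` plus `owner=` that account if it reads the file as itself. The `file: dest={{ item }} state=directory` task sets no `mode`/`owner`, so the directories get whatever the remote umask yields; pinning `owner=root group=root mode=0755` as iptables/tasks/main.yml does keeps runs reproducible. The `debug` task that asks for a manual `apt-get install` would read better with a comment explaining which interactive prompt blocks automation, since the commented-out `apt` task below it is the obvious thing the next maintainer will try to re-enable.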
diff --git a/onlyoffice_docserver/templates/onlyoffice-documentserver-ssl.conf b/onlyoffice_docserver/templates/onlyoffice-documentserver-ssl.conf
new file mode 100644
index 00000000..0ca187f9
--- /dev/null
+++ b/onlyoffice_docserver/templates/onlyoffice-documentserver-ssl.conf
@@ -0,0 +1,43 @@
+include /etc/nginx/includes/onlyoffice-http.conf;
+
+## Normal HTTP host
+server {
+ listen 0.0.0.0:80;
+ listen [::]:80 default_server;
+ server_name _;
+ server_tokens off;
+
+ include /etc/nginx/snippets/letsencrypt-proxy.conf;
+ ## Redirects all traffic to the HTTPS host
+ root /nowhere; ## root doesn't have to be a valid path since we are redirecting
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+#HTTP host for internal services
+server {
+ listen 127.0.0.1:80;
+ listen [::1]:80;
+ server_name localhost;
+ server_tokens off;
+
+ include /etc/nginx/snippets/letsencrypt-proxy.conf;
+ include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
+ include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
+}
+
+## HTTPS host
+server {
+ listen 0.0.0.0:443 ssl http2;
+ listen [::]:443 ssl http2 default_server;
+ server_tokens off;
+ root /usr/share/nginx/html;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl on;
+ include /etc/nginx/snippets/nginx-server-ssl.conf;
+ # add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
+
+}
diff --git a/onlyoffice_docserver/vars/main.yml b/onlyoffice_docserver/vars/main.yml
new file mode 100644
index 00000000..6b1bd977
--- /dev/null
+++ b/onlyoffice_docserver/vars/main.yml
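Review bot: `ssl on;` is redundant with the `ssl` parameter already on both `listen` lines of the HTTPS host and has been deprecated since nginx 1.15.0 (later releases reject it), so the line should go. The HTTPS server has no `server_name`, so it answers for any Host on 443; set `server_name` to the intended hostname via a template variable so the vhost and the certificate agree. The loopback `#HTTP host for internal services` block deliberately serves the docservice unencrypted; a comment stating that it is loopback-only by design would stop someone "fixing" it. `# add_header X-Frame-Options SAMEORIGIN;` is commented out with no rationale; if it is off because the portal embeds the document server, a `Content-Security-Policy "frame-ancestors <portal origin>"` header gives equivalent clickjacking protection without breaking the embed (origin is a placeholder).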
@@ -0,0 +1,13 @@
+---
+http_port: 80
+https_port: 443
+redis_install: True
+
+psql_postgresql_install: True
+pg_use_postgresql_org_repo: True
+psql_version: 11
+pg_backup_retain_copies: 2
+
+psql_db_data:
+ - { name: '{{ onlyoffice_docserver_db_name }}', encoding: 'UTF8', user: '{{ onlyoffice_docserver_db_user }}', roles: 'NOCREATEDB,NOSUPERUSER', pwd: '{{ onlyoffice_docserver_db_pwd }}', managedb: True, allowed_hosts: [ '127.0.0.1' ] }
+
diff --git a/onlyoffice_portal/defaults/main.yml b/onlyoffice_portal/defaults/main.yml
new file mode 100644
index 00000000..973543c1
--- /dev/null
+++ b/onlyoffice_portal/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+onlyoffice_deb_repo_key: CB2DE8E5
+onlyoffice_deb_repo_key_server: 'keyserver.ubuntu.com'
+onlyoffice_deb_repo: 'deb http://download.onlyoffice.com/repo/debian squeeze main'
+onlyoffice_deb_packages: onlyoffice-communityserver
+onlyoffice_letsencrypt_managed: True
diff --git a/onlyoffice_portal/meta/main.yml b/onlyoffice_portal/meta/main.yml
new file mode 100644
index 00000000..6fe19602
--- /dev/null
+++ b/onlyoffice_portal/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: '../../library/roles/postgresql', when: psql_postgresql_install }
+ - { role: '../../library/roles/mono' }
diff --git a/onlyoffice_portal/tasks/main.yml b/onlyoffice_portal/tasks/main.yml
new file mode 100644
index 00000000..2fc23563
--- /dev/null
+++ b/onlyoffice_portal/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- block:
+ - name: Install the deb OnlyOffice repository key
+ apt_key:
+ keyserver: {{ onlyoffice_deb_repo_key_server }}
+ id: {{ onlyoffice_deb_repo_key }}
+
+ - name: Install the deb Mono repository
+ apt_repository:
+ repo: '{{ onlyoffice_deb_repo }}'
+ state: present
+ update_cache: yes
+
+ - name: Install the Mono packages on Deb based distributions
+ apt: name={{ onlyoffice_deb_packages }} state=present cache_valid_time=1800
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: onlyoffice
+
+- block:
+ - name: Install a letsencrypt acme hook
+ template: src=onlyoffice-letsencrypt.sh dest=/usr/lib/acme/hooks/onlyoffice owner=root group=root mode=4555
+
+ - name: Run the letsencrypt acme hook if the certificates are not in place
+ shell: /usr/lib/acme/hooks/onlyoffice
+ args:
+ creates: /var/www/onlyoffice/Data/certs/onlyoffice.key
+ register: initialize_onlyoffice_https
+
+ - name: Reconfigure the OnlyOffice service for https
+ shell: /var/www/onlyoffice/Tools/default-onlyoffice-ssl.sh
+ when: initialize_onlyoffice_https is changed
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: [ 'onlyoffic', 'letsencrypt' ]
diff --git a/onlyoffice_portal/templates/onlyoffice-letsencrypt.sh b/onlyoffice_portal/templates/onlyoffice-letsencrypt.sh
new file mode 100644
index 00000000..38e065c2
--- /dev/null
+++ b/onlyoffice_portal/templates/onlyoffice-letsencrypt.sh
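Review bot: `mode=4555` on the acme hook sets the setuid bit on a root-owned shell script; Linux ignores setuid on interpreted scripts, and the hook is presumably run by acmetool as root anyway, so the bit buys nothing and only raises questions in an audit — `mode=0555` (or `0550`) is enough. The tag list `[ 'onlyoffic', 'letsencrypt' ]` misspells `onlyoffice`, so `--tags onlyoffice` skips the whole HTTPS block. The task names `Install the deb Mono repository` and `Install the Mono packages on Deb based distributions` were carried over from the mono role but here install the OnlyOffice repository and `onlyoffice-communityserver`. Both `shell:` tasks run a fixed path with no shell features, so `command:` is the safer module for them.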
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+LE_CERTS_DIR="{{ letsencrypt_acme_certs_dir }}"
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOG_FILE=$LE_LOG_DIR/onlyoffice.log
+onlyoffice_certdir=/var/www/onlyoffice/Data/certs
+
+DATE=$( date )
+
+[ ! -d "$onlyoffice_certdir" ] && mkdir -p "$onlyoffice_certdir"
+[ ! -d "$LE_LOG_DIR" ] && mkdir "$LE_LOG_DIR"
+echo "$DATE" >> "$LE_LOG_DIR/postgresql.log"
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_FILE
+fi
+
+echo "Copy the key file" >> $LE_LOG_FILE
+cp "${LE_CERTS_DIR}/privkey" $onlyoffice_certdir/onlyoffice.key
+chmod 400 $onlyoffice_certdir/onlyoffice.key
+chown root:root $onlyoffice_certdir/onlyoffice.key
+cp "${LE_CERTS_DIR}/cert" $onlyoffice_certdir/onlyoffice.crt
+chmod 400 $onlyoffice_certdir/onlyoffice.crt
+chown root:root $onlyoffice_certdir/onlyoffice.crt
+
+echo "Restart the onlyoffice service" >> $LE_LOG_FILE
+if [ -x /bin/systemctl ] ; then
+ systemctl reload nginx >> $LE_LOG_FILE 2>&1
+else
+ service nginx reload >> $LE_LOG_FILE 2>&1
+fi
+echo "Done." >> $LE_LOG_FILE
+
+exit 0
\ No newline at end of file
diff --git a/onlyoffice_portal/vars/main.yml b/onlyoffice_portal/vars/main.yml
new file mode 100644
index 00000000..65064b5d
--- /dev/null
+++ b/onlyoffice_portal/vars/main.yml
@@ -0,0 +1,4 @@
+---
+letsencrypt_acme_install: True
+http_port: 80
+https_port: 443
diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml
index ac631f2d..fa29e7c8 100644
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
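Review bot: `echo "$DATE" >> "$LE_LOG_DIR/postgresql.log"` writes the timestamp to a postgresql log, a copy-paste leftover; it belongs in `$LE_LOG_FILE` like every other line. The private key is copied with `cp` and only afterwards `chmod 400`-ed, so it briefly exists with whatever mode the umask gives it; `install -o root -g root -m 0400 "${LE_CERTS_DIR}/privkey" "$onlyoffice_certdir/onlyoffice.key"` (and the same for `cert`) sets ownership and mode in one step and replaces each cp/chmod/chown triple. `exit 0` is unconditional and no command's status is checked, so a failed copy still reports success to the caller; `set -e` after the shebang, or testing `cp`'s result, makes a broken renewal visible. With `chown root:root` and `0400` only root can read the key, which suits nginx but not a service reading `/var/www/onlyoffice/Data/certs` as its own user — confirm which process consumes these files. The message `Restart the onlyoffice service` precedes an nginx reload; rename it to match.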
@@ -11,13 +11,11 @@ tags: [ 'php', 'php_ppa' ] - name: Install the php-fpm package - apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=3600 - with_items: '{{ php_fpm_packages }}' + apt: pkg={{ php_fpm_packages }} state=present update_cache=yes cache_valid_time=3600 tags: php - name: Install additional php packages - apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=3600 - with_items: '{{ php_additional_packages | default([]) }}' + apt: pkg={{ php_additional_packages | default([]) }} state=present update_cache=yes cache_valid_time=3600 tags: php - name: Set the timezone if we have one diff --git a/postfix-relay/defaults/main.yml b/postfix-relay/defaults/main.yml index eceb23bb..9b7d549f 100644 --- a/postfix-relay/defaults/main.yml +++ b/postfix-relay/defaults/main.yml @@ -1,6 +1,17 @@ --- postfix_enabled: True postfix_install_packages: True + +postfix_relay_rh_pkgs: + - postfix + - cyrus-sasl-lib + - cyrus-sasl-plain + - cyrus-sasl-md5 + +postfix_relay_deb_pkgs: + - postfix + - libsasl2-2 + # Set it to true when you want configure your machine to send email to a relay postfix_relay_client: False postfix_biff: "no" @@ -15,6 +26,11 @@ postfix_smtp_tls_security_level: encrypt postfix_use_sasl_auth: True postfix_smtp_sasl_auth_enable: "yes" postfix_smtp_create_relay_user: True +# Options: noanonymous, noplaintext +postfix_smtp_sasl_security_options: noanonymous +postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}' +postfix_smtp_sasl_mechanism_filter: plain, login + # Set it in the local rules #postfix_relay_host: smtp-relay.example.com postfix_relay_port: 587 diff --git a/postfix-relay/meta/main.yml b/postfix-relay/meta/main.yml index 51ba52dd..5fae87e8 100644 --- a/postfix-relay/meta/main.yml +++ b/postfix-relay/meta/main.yml 
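Review bot: `pkg={{ php_additional_packages | default([]) }}` now hands the `apt` module an empty list when the variable is unset; the old `with_items` form simply skipped the task on an empty list, whereas the module's handling of an empty `pkg` together with `update_cache=yes` is not obvious from here. Add `when: php_additional_packages | default([]) | length > 0` so the previous behaviour stays explicit. In postfix-relay/defaults/main.yml the new `# Options: noanonymous, noplaintext` comment sits above defaults that keep `plain, login` in `postfix_smtp_sasl_mechanism_filter`; a note that `noplaintext` would reject both mechanisms, and that the defaults rely on `postfix_smtp_tls_security_level: encrypt` to protect them, would stop a well-meant hardening from silently breaking relay authentication.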
@@ -1,3 +1,3 @@ --- -dependencies: - - { role: '../../library/roles/nagios', when: nagios_enabled is defined and nagios_enabled } +#dependencies: +# - { role: '../../library/roles/nagios', when: nagios_enabled is defined and nagios_enabled } diff --git a/postfix-relay/tasks/smtp-common-packages.yml b/postfix-relay/tasks/smtp-common-packages.yml index a07eb470..f5b186cf 100644 --- a/postfix-relay/tasks/smtp-common-packages.yml +++ b/postfix-relay/tasks/smtp-common-packages.yml @@ -1,11 +1,16 @@ --- - block: + - name: Install postfix and libsas to do mail relay on deb systems + apt: pkg={{ postfix_relay_deb_pkgs }} state=present update_cache=yes cache_valid_time=1800 + when: ansible_distribution_file_variety == "Debian" - - name: Install postfix and libsas to do mail relay - action: apt pkg={{ item }} state=present update_cache=yes cache_valid_time=1800 - with_items: - - postfix - - libsasl2-2 + - name: Install postfix and libsas to do mail relay on RH systems + yum: pkg={{ postfix_relay_rh_pkgs }} state=present + when: ansible_distribution_file_variety == "RedHat" + + - name: Remove the ssmtp package on RH systems + yum: pkg=ssmtp state=absent + when: ansible_distribution_file_variety == "RedHat" - name: Write the postfix main configuration file template: src=main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0444 
@@ -15,18 +20,6 @@ template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 notify: Restart postfix - - name: Install the postfix NRPE nagios check - copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555 - with_items: '{{ postfix_nagios_checks }}' - when: postfix_nagios_check - tags: [ 'postfix-relay', 'nagios', 'nrpe' ] - - - name: Install the postfix NRPE command configuration - template: src=postfix-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/postfix-nrpe.cfg owner=root group=root mode=0444 - notify: Reload NRPE server - when: postfix_nagios_check - tags: [ 'postfix-relay', 'nagios', 'nrpe' ] - - name: Ensure that postfix is started and enabled service: name=postfix state=started enabled=yes when: postfix_enabled @@ -39,12 +32,27 @@ tags: postfix-relay - block: + - name: Install the postfix NRPE nagios check + copy: src={{ item }} dest={{ nagios_plugins_dir }}/{{ item }} owner=root group=nagios mode=0555 + with_items: '{{ postfix_nagios_checks }}' - - name: Remove postfix and libsas - action: apt pkg={{ item }} state=absent - with_items: - - postfix - - libsasl2-2 + - name: Install the postfix NRPE command configuration + template: src=postfix-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/postfix-nrpe.cfg owner=root group=root mode=0444 + notify: Reload NRPE server + + when: + - postfix_install_packages + - postfix_nagios_check + tags: [ 'postfix-relay', 'nagios', 'nrpe' ] + +- block: + - name: Remove postfix and libsas on deb systems + action: apt pkg={{ postfix_relay_deb_pkgs }} state=absent + when: ansible_distribution_file_variety == "Debian" + + - name: Remove postfix and libsas to do mail relay on RH systems + yum: pkg={{ postfix_relay_rh_pkgs }} state=absent + when: ansible_distribution_file_variety == "RedHat" when: not postfix_install_packages tags: postfix-relay diff --git a/postfix-relay/templates/main.cf.j2 b/postfix-relay/templates/main.cf.j2 index d9341502..a95cfb24 100644 
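Review bot: The NRPE tasks moved into the new block still reference `nagios_plugins_dir` and `nrpe_include_dir` and notify `Reload NRPE server`, yet the same commit comments out the nagios role dependency in postfix-relay/meta/main.yml, so a host with `postfix_nagios_check: True` will now fail on undefined variables or an unknown handler unless the playbook includes the nagios role by other means. Either keep the dependency conditional on `postfix_nagios_check`, or guard the block with an additional `- nagios_plugins_dir is defined` condition and say in a comment where those variables are expected to come from. The removal task is named `Remove postfix and libsas to do mail relay on RH systems`; dropping `to do mail relay` makes it read correctly.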
--- a/postfix-relay/templates/main.cf.j2 +++ b/postfix-relay/templates/main.cf.j2 @@ -1,8 +1,3 @@ -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - smtpd_banner = $myhostname ESMTP $mail_name biff = {{ postfix_biff }} @@ -45,14 +40,18 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache myhostname = {{ ansible_fqdn }} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases -myorigin = /etc/mailname +{% if domain_name is defined %} +myorigin = {{ domain_name }} +{% else %} +myorigin = {{ ansible_fqdn }} +{% endif %} mydestination = {{ ansible_fqdn }}, localhost {% if postfix_use_relay_host %} relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }} {% endif %} {% if not postfix_relay_server %} mynetworks = 127.0.0.1 -inet_interfaces = localhost, ip6-localhost +inet_interfaces = localhost inet_protocols = ipv4 {% endif %} mailbox_size_limit = 0 
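Review bot: `myorigin` now comes from `domain_name` or falls back to `ansible_fqdn`, which silently changes the sender domain on every Debian host that previously relied on `/etc/mailname`; that behaviour change deserves a line in the role's README or defaults. `domain_name` is not declared anywhere in this diff, so document its expected source with a commented `#domain_name: example.org` entry in postfix-relay/defaults/main.yml, as is already done for `#postfix_relay_host` (value is a placeholder).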
@@ -61,15 +60,15 @@ default_destination_concurrency_limit = {{ postfix_default_destination_concurren {% if postfix_use_sasl_auth %} smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }} smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -smtp_sasl_security_options = noanonymous -smtp_sasl_tls_security_options = noanonymous -smtp_sasl_mechanism_filter = plain, login +smtp_sasl_security_options = {{ postfix_smtp_sasl_security_options }} +smtp_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }} +smtp_sasl_mechanism_filter = {{ postfix_smtp_sasl_mechanism_filter }} {% endif %} {% if postfix_relay_server %} smtpd_sasl_path = smtpd smtpd_sasl_auth_enable = yes -smtpd_sasl_security_options = noanonymous -smtpd_sasl_tls_security_options = noanonymous +smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }} +smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }} smtpd_helo_required = yes mynetworks = {{ postfix_mynetworks }} inet_interfaces = {{ postfix_interfaces }} diff --git a/postgresql/tasks/packages.yml b/postgresql/tasks/packages.yml index cc61f118..604f93e0 100644 --- a/postgresql/tasks/packages.yml +++ b/postgresql/tasks/packages.yml @@ -1,12 +1,11 @@ --- -- name: install the postgresql packages - apt: pkg={{ item }} state={{ psql_pkg_state }} - with_items: '{{ postgresql_pkgs }}' - notify: Restart postgresql - tags: [ 'postgresql', 'postgres' ] - -- name: Install the packages that ansible needs to manage the postgresql users and databases - apt: pkg={{ item }} state={{ psql_pkg_state }} - with_items: '{{ psql_ansible_needed_pkgs }}' +- block: + - name: Install the packages that ansible needs to manage the postgresql users and databases + apt: pkg={{ psql_ansible_needed_pkgs }} state={{ psql_pkg_state }} + + - name: install the postgresql packages + apt: pkg={{ postgresql_pkgs }} state={{ psql_pkg_state }} + notify: Restart postgresql + tags: [ 'postgresql', 'postgres' ] 
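Review bot: In the `postfix_relay_server` branch, `smtpd_sasl_security_options` and `smtpd_sasl_tls_security_options` are now templated from the client-side `postfix_smtp_sasl_*` variables, so the policy for what clients may authenticate with on this server is tied to the policy this host uses when authenticating to its upstream relay; an operator loosening one (say, to satisfy a relay that only offers a weaker mechanism) loosens the other without noticing. Introduce separate `postfix_smtpd_sasl_security_options` and `postfix_smtpd_sasl_tls_security_options` defaults (initially equal to the smtp ones) and use those in the two `smtpd_` lines.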
diff --git a/postgresql/tasks/pgpool-ii.yml b/postgresql/tasks/pgpool-ii.yml index 90f988db..b6e31f57 100644 --- a/postgresql/tasks/pgpool-ii.yml +++ b/postgresql/tasks/pgpool-ii.yml @@ -1,8 +1,7 @@ --- - block: - name: Install the pgpool package - apt: name={{ item }} state={{ psql_pgpool_pkg_state }} - with_items: '{{ pgpool_pkgs }}' + apt: name={{ pgpool_pkgs }} state={{ psql_pgpool_pkg_state }} cache_valid_time=1800 - name: Configure pcp #template: src=pcp.conf.j2 dest=/etc/pgpool2/pcp.conf owner=root group=postgres mode=0640 @@ -59,8 +58,7 @@ service: name=pgpool2 state=stopped enabled=no - name: Install the pgpool packages - apt: name={{ item }} state=absent - with_items: '{{ pgpool_pkgs }}' + apt: name={{ pgpool_pkgs }} state=absent - name: Remove the pgpool failover sudoers file file: dest=/etc/sudoers.d/pgpool-wd state=absent diff --git a/postgresql/tasks/postgis.yml b/postgresql/tasks/postgis.yml index 6c432f63..55f11689 100644 --- a/postgresql/tasks/postgis.yml +++ b/postgresql/tasks/postgis.yml @@ -1,7 +1,6 @@ --- - name: install the postgresql GIS packages - apt: pkg={{ item }} state={{ psql_pkg_state }} - with_items: '{{ postgres_gis_pkgs }}' + apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} notify: Restart postgresql tags: [ 'postgresql', 'postgres', 'postgis' ] diff --git a/postgresql/tasks/postgres_pgpool.yml b/postgresql/tasks/postgres_pgpool.yml index 8e79cc49..21f9cba1 100644 --- a/postgresql/tasks/postgres_pgpool.yml +++ b/postgresql/tasks/postgres_pgpool.yml @@ -1,7 +1,6 @@ --- - name: Install the packages needed by postgres when running behind a pgpool server - apt: pkg={{ item }} state={{ psql_pkg_state }} - with_items: '{{ postgresql_pgpool_pkgs }}' + apt: pkg={{ postgresql_pgpool_pkgs }} state={{ psql_pkg_state }} when: psql_pgpool_install notify: Restart postgresql tags: [ 'postgresql', 'postgres', 'pgpool' ] 
diff --git a/postgresql/tasks/postgresql-config.yml b/postgresql/tasks/postgresql-config.yml index b27fcc0e..a70ea5a3 100644 --- a/postgresql/tasks/postgresql-config.yml +++ b/postgresql/tasks/postgresql-config.yml 
@@ -1,14 +1,31 @@
 ---
-- name: Create the postgresql data directory if it is not in the default place
-  file: dest={{ psql_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
-  when: psql_use_alternate_data_dir
-  tags: [ 'postgresql', 'postgres', 'pg_conf' ]
+- block:
+  - name: Check if the new postgresql data directory exists
+    stat: path={{ psql_data_dir }}
+    register: postgresql_data_dir
+
+  - name: Stop the postgresql service while reconfiguring the data directory
+    service: name=postgresql state=stopped
+    when: postgresql_data_dir.stat.isdir is not defined
+
+  - name: Create the postgresql data directory if it is not in the default place
+    file: dest={{ psql_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory
+
+  - name: Set the postgresql data dir if it is different from the default
+    become: True
+    become_user: postgres
+    action: configfile path={{ psql_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_data_dir }}'"
+
+  - name: Copy the postgresql data directory into the new place
+    shell: '[ "/var/lib/postgresql/{{ psql_version }}/main" != "{{ psql_data_dir }}" ] && cp -a /var/lib/postgresql/{{ psql_version }}/main/* {{ psql_data_dir }}'
+    args:
+      creates: '{{ psql_data_dir }}/main/base'
+    when: postgresql_data_dir.stat.isdir is not defined
+
+  - name: Start the postgresql service that will use the new data directory
+    service: name=postgresql state=started
+    when: postgresql_data_dir.stat.isdir is not defined
 
-- name: Set the postgresql data dir if it is different from the default
-  become: True
-  become_user: postgres
-  action: configfile path={{ psql_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_data_dir }}'"
-  notify: Restart postgresql
   when: psql_use_alternate_data_dir
   tags: [ 'postgresql', 'postgres', 'pg_conf' ]
 
diff --git a/rabbitmq/defaults/main.yml b/rabbitmq/defaults/main.yml
index 9a655890..0781b84f 100644
--- a/rabbitmq/defaults/main.yml
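Review bot: The `creates` guard on the copy task does not match what the `cp` produces: `cp -a /var/lib/postgresql/{{ psql_version }}/main/* {{ psql_data_dir }}` places `base` directly under `{{ psql_data_dir }}`, so `creates: '{{ psql_data_dir }}/main/base'` is never satisfied and the copy reruns every time its `when:` holds; it should read `creates: '{{ psql_data_dir }}/base'`, and the destination should be quoted as `"{{ psql_data_dir }}"` so a path containing spaces or shell metacharacters cannot break up the command line. The `[ ... != ... ] && cp ...` form also makes the task fail with exit 1, rather than skip, whenever the two paths are equal, which can only be safe if `psql_use_alternate_data_dir` is never set for the default location — a `when:` on the task would express that intent directly. The ordering is fragile too: the `configfile` task rewrites `data_directory` before the copy has succeeded, so a failed copy leaves postgresql configured against an empty directory; running the `configfile` task after the copy keeps the old location usable on failure. Finally, dropping `notify: Restart postgresql` means that on a host where the directory already exists the stop/start tasks are skipped and a changed `data_directory` is not applied until something else restarts the service.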
+++ b/rabbitmq/defaults/main.yml
@@ -6,13 +6,15 @@
 rabbitmq_pkg_state: present
 rabbitmq_server_pkg:
   - rabbitmq-server
 
-rabbitmq_enabled_plugins: 'amqp_client,rabbitmq_amqp1_0,rabbitmq_management,rabbitmq_management_agent,rabbitmq_management_visualiser,rabbitmq_mqtt,rabbitmq_stomp,webmachine'
+rabbitmq_enabled_plugins: 'amqp_client,rabbitmq_amqp1_0,rabbitmq_management,rabbitmq_management_agent,rabbitmq_management_visualiser,rabbitmq_mqtt,rabbitmq_stomp'
 rabbitmq_disabled_plugins: ''
 
 rabbitmq_default_f: /etc/default/rabbitmq-server
 rabbitmq_fileno: 4096
 rabbitmq_admin_u: r_admin
+#rabbitmq_admin_pwd: use a vault file
+
 #
 # See http://www.rabbitmq.com/networking.html
 # 4369 (epmd), 25672 (Erlang distribution)
diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml
index b1aef7bd..cc68618b 100644
--- a/rabbitmq/tasks/main.yml
+++ b/rabbitmq/tasks/main.yml
@@ -7,8 +7,7 @@
   apt_repository: repo='{{ rabbitmq_repo }}' state=present
 
 - name: Install the rabbitMQ package
-  apt: pkg={{ item }} state={{ rabbitmq_pkg_state }} update_cache=yes
-  with_items: '{{ rabbitmq_server_pkg }}'
+  apt: pkg={{ rabbitmq_server_pkg }} state={{ rabbitmq_pkg_state }} update_cache=yes
 
 - name: Set the rabbitMQ max files
   lineinfile: name={{ rabbitmq_default_f }} regexp="^ulimit" line="ulimit -n {{ rabbitmq_fileno }}"
@@ -18,7 +17,7 @@
   rabbitmq_plugin: names={{ rabbitmq_enabled_plugins }} state=enabled
 
 - name: Disable some rabbitMQ plugins
-  rabbitmq_plugin: names={{ rabbitmq_disabled_plugins | default('') }} state=disabled
+  rabbitmq_plugin: names={{ rabbitmq_disabled_plugins | default([]) }} state=disabled
 
 - name: Create an admin user
   rabbitmq_user: user={{ rabbitmq_admin_u }} password={{ rabbitmq_admin_pwd | default('changemeASAP') }} tags=administrator vhost=/ configure_priv=.* read_priv=.* write_priv=.* state=present
diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml
index fd77cb69..1103643b 100644
--- a/redis/tasks/main.yml
+++ b/redis/tasks/main.yml
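Review bot: The admin user in the last rabbitmq/tasks hunk is still created with the hard-coded fallback `password={{ rabbitmq_admin_pwd | default('changemeASAP') }}` even though the defaults file in this same commit now says `#rabbitmq_admin_pwd: use a vault file`; an account tagged `administrator` with `configure_priv=.* read_priv=.* write_priv=.*` should not be provisioned with a known password, so make the variable required instead, `password={{ rabbitmq_admin_pwd | mandatory }}`, or put an `assert` task ahead of it. That task also lacks `no_log: true`, so the password is echoed in the task result and in verbose or callback output. Separately, `default([])` in the `names=` key=value string of the disable task is probably the wrong type for a comma-separated plugin list — the previous `default('')` matched how `names` is consumed — unless the task is switched to the YAML-dict form.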
@@ -4,8 +4,7 @@
   apt_repository: repo='{{ redis_ppa_repo }}' update_cache=yes
 
 - name: Install the Redis packages
-  apt: name={{ item }} state={{ redis_pkg_state }} cache_valid_time=1800
-  with_items: '{{ redis_server_pkg }}'
+  apt: name={{ redis_server_pkg }} state={{ redis_pkg_state }} cache_valid_time=1800
 
 - name: Install the Redis configuration
   template: src={{ item }}.j2 dest=/etc/redis/{{ item }} owner=redis group=redis mode=0440
@@ -29,8 +28,7 @@
   service: name=redis-server state=stopped enabled=no
 
 - name: Remove the Redis packages
-  apt: name={{ item }} state=absent
-  with_items: '{{ redis_server_pkg }}'
+  apt: name={{ redis_server_pkg }} state=absent
 
 - name: Remove the Redis PPA
   apt_repository: repo='{{ redis_ppa_repo }}' state=absent update_cache=yes
diff --git a/smartgears/dataminer-service/meta/main.yml b/smartgears/dataminer-service/meta/main.yml
new file mode 100644
index 00000000..393590a3
--- /dev/null
+++ b/smartgears/dataminer-service/meta/main.yml
@@ -0,0 +1,11 @@
+---
+dependencies:
+  - { role: ../../library/roles/smartgears/smartgears-service }
+  - { role: ../../library/roles/smartgears/dataminer_app }
+  - { role: ../../library/roles/conda, when: dataminer_conda_install }
+  - { role: ../../library/roles/hdf5, when: dataminer_hdf5 }
+  - { role: ../../library/roles/python3-env, when: py3_env_install }
+  - { role: ../../library/roles/pandoc }
+  - { role: ../../library/roles/octave, when: octave_install }
+  - { role: ../../library/roles/ubuntugis, when: ubuntugis_repo_install }
+  - { role: ../../library/roles/R, when: r_install }
diff --git a/smartgears/dataminer_app/meta/main.yml b/smartgears/dataminer_app/meta/main.yml
deleted file mode 100644
index 2fbb3453..00000000
--- a/smartgears/dataminer_app/meta/main.yml
+++ /dev/null
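Review bot: The `when:` conditions in the new dataminer-service/meta/main.yml (`dataminer_conda_install`, `dataminer_hdf5`, `py3_env_install`, `octave_install`, `ubuntugis_repo_install`, `r_install`) test bare variables, so any one that is not defaulted somewhere aborts the play with an undefined-variable error at dependency resolution rather than simply skipping the role. The smartgears-service/meta/main.yml touched by this same commit uses the guarded form `when: setup_nginx is defined and setup_nginx`; writing these the same way, e.g. `- { role: ../../library/roles/conda, when: dataminer_conda_install is defined and dataminer_conda_install }`, keeps the two meta files consistent and makes the optional roles genuinely optional. If every flag does have a default in the consuming role's defaults, a one-line comment above `dependencies:` saying so would save the next reader the search.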
@@ -1,6 +0,0 @@
----
-dependencies:
-  - { role: ../../library/roles/smartgears/smartgears-service }
-  - { role: ../../library/roles/conda, when: dataminer_conda_install }
-  - { role: ../../library/roles/hdf5, when: dataminer_hdf5 }
-  - { role: ../../library/roles/python3-env, when: py3_env_install }
diff --git a/smartgears/smartgears-service/meta/main.yml b/smartgears/smartgears-service/meta/main.yml
index b94071c6..1628c6f5 100644
--- a/smartgears/smartgears-service/meta/main.yml
+++ b/smartgears/smartgears-service/meta/main.yml
@@ -1,5 +1,6 @@
 ---
 dependencies:
+  - role: '../../library/roles/tomcat-multiple-instances'
   - { role: '../../library/roles/smartgears/smartgears' }
   - { role: '../../library/roles/smartgears/smartgears-nginx-frontend', when: setup_nginx is defined and setup_nginx }
   - { role: '../../library/roles/smartgears/resource_updater', when: resource_updater_install is defined }
diff --git a/smartgears/smartgears/meta/main.yml b/smartgears/smartgears/meta/main.yml
index a30f4a7d..c8f4f0ad 100644
--- a/smartgears/smartgears/meta/main.yml
+++ b/smartgears/smartgears/meta/main.yml
@@ -1,3 +1,3 @@
 ---
-dependencies:
-  - role: '../../library/roles/tomcat-multiple-instances'
+#dependencies:
+#  - role: '../../library/roles/tomcat-multiple-instances'
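Review bot: Commenting out `dependencies:` in smartgears/meta/main.yml removes the tomcat dependency for every consumer of the `smartgears` role, not only for `smartgears-service`, which is the one place this commit re-declares it; any playbook or meta file that applies `smartgears` directly would now run without tomcat-multiple-instances having been provisioned first. If that is intended, the commented-out lines should be replaced by an explicit empty list plus a pointer, e.g. `dependencies: []` preceded by `# tomcat-multiple-instances is now a dependency of smartgears-service/meta/main.yml`, so the move is documented rather than left as dead YAML. The new entry in smartgears-service/meta/main.yml also uses the block `- role:` form while the neighbouring entries use flow mappings; either style works, but one per file reads better.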