dnet-mincyt: new VM to host the portal. Fixes to the apache virtualhosts generation tasks.

library/roles/dnet_user_services_perms: New role to configure the VM permissions in a way that allows working with tomcat without being root.
infrastructure-services: First bits of nagios configuration for the infrastructure services.
Andrea Dell'Amico 2015-07-13 17:54:21 +02:00
parent d37840100e
commit d222d0cfdc
11 changed files with 87 additions and 9 deletions


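--- /dev/null
+++ b/library/roles/dnet_user_services_perms/<README-FILENAME>
@@ -0,0 +1,3 @@
+This role sets acls that permit unprivileged users to:
+- write inside a list of directories
+- restart the tomcat instances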


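--- /dev/null
+++ b/library/roles/dnet_user_services_perms/defaults/<FILENAME>
@@ -0,0 +1,6 @@
+---
+dnet_user: tomcat7
+dnet_group: dnet
+dnet_data_directories:
+- /var/lib/dnet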


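--- /dev/null
+++ b/library/roles/dnet_user_services_perms/tasks/<FILENAME>
@@ -0,0 +1,30 @@
+---
+- name: Add the all the users to the dnet group
+user: name={{ item.login }} groups={{ dnet_group }}
+with_items: users_system_users
+tags: [ 'dnet', 'users' ]
+- name: Install the sudoers config that permits the dnet users to restart tomcat
+template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440
+tags: [ 'tomcat', 'dnet', 'sudo', 'users' ]
+- name: Create the dnet data dirs
+file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750
+with_items: dnet_data_directories
+tags: [ 'tomcat', 'dnet', 'users' ]
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+with_items:
+# - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+- [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+tags: [ 'tomcat', 'dnet', 'users' ]
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+with_items:
+# - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+- [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+tags: [ 'tomcat', 'dnet', 'users' ]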
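Review bot: The group-membership task at the top of the hunk (`user: name={{ item.login }} groups={{ dnet_group }}`) omits `append=yes`, so the user module replaces each login's supplementary groups with `{{ dnet_group }}` alone and any admin in `users_system_users` silently drops out of the sudoers group the users role put them in; change it to `user: name={{ item.login }} groups={{ dnet_group }} append=yes`. Separately, the data directories are created with `mode=0750` and both `acl:` tasks only cover the two tomcat directories (the `dnet_data_directories` variants are commented out), so the "write inside a list of directories" the role README promises is not actually granted; a third `acl:` task with `with_items: dnet_data_directories` (plus its `default=yes` twin) closes that gap without nesting the list inside the literal. Because group rwx on `tomcat_webapps_dir` and `tomcat_common_classes_dir` lets any member of the group deploy code that Tomcat then runs as `{{ dnet_user }}`, that trust boundary deserves a comment above the ACL tasks, e.g. `# NOTE: write access to webapps/ and common/classes is equivalent to running code as the tomcat user; treat dnet group membership accordingly`.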


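--- /dev/null
+++ b/library/roles/dnet_user_services_perms/<TEMPLATES-DIR>/dnet-sudoers.j2
@@ -0,0 +1,3 @@
+%{{ dnet_group }} ALL=(ALL) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*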
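Review bot: The rule grants `(ALL)` as the run-as user although only root is needed to drive the init scripts; `%{{ dnet_group }} ALL=(root) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*` is the least-privilege form. It also places no restriction on arguments, so group members get every init.d action (start, stop, status, ...) rather than only the restart the role README describes — either spell out the permitted actions after each command or update the README to match the wider grant. The task that installs this file (`template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group ...` in the role's tasks hunk) carries no `validate='visudo -cf %s'`, so a templating mistake lands in /etc/sudoers.d unchecked; adding the validate argument there is the cheapest safeguard.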


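--- /dev/null
+++ b/haproxy/handlers/<FILENAME>
@@ -0,0 +1,9 @@
+---
+- name: Restart haproxy
+service: name=haproxy state=restarted
+when: haproxy_enabled
+- name: Reload haproxy
+service: name=haproxy state=reloaded
+when: haproxy_enabled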
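Review bot: Both handlers gate on a bare `when: haproxy_enabled`, which may fail the play with an undefined-variable error rather than skipping if nothing in the role's defaults declares the variable (no defaults file is part of this commit). `when: haproxy_enabled | default(false)` keeps the handlers inert in that case; if the role does define it elsewhere, a comment naming that defaults file next to the first handler is enough.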


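--- a/iptables/handlers/<FILENAME>
+++ b/iptables/handlers/<FILENAME>
@@ -1,10 +1,6 @@
 ---
 - name: Start the iptables service
 service: name=iptables-persistent state=restarted enabled=yes
-when:
-- is_precise
-- is_trusty
-- is_debian7
 notify: Restart fail2ban
 - name: Start the netfilter service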
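Review bot: With the `when:` list gone, the `Start the iptables service` handler restarts `iptables-persistent` unconditionally, so the only thing keeping it off releases that do not ship that service is the `when` on the notifying task (the iptables tasks hunk, now `when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )`). The removal itself is right — a `when` list is ANDed, and no host is precise, trusty and debian7 at once, so the old handler could never have fired — but a comment recording where the gate now lives would stop someone re-adding it here, e.g. `# Not gated here on purpose: only tasks that already test is_precise/is_trusty/is_debian7 notify this handler`. The `Start the netfilter service` handler continues outside the hunk.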


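--- a/iptables/tasks/<FILENAME>
+++ b/iptables/tasks/<FILENAME>
@@ -22,10 +22,7 @@
 with_items:
 - rules.v4
 - rules.v6
-when:
-- is_precise
-- is_trusty
-- is_debian7
+when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
 notify: Start the iptables service
 tags:
 - iptables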


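--- a/tomcat/defaults/<FILENAME>
+++ b/tomcat/defaults/<FILENAME>
@@ -31,6 +31,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 # JMX and debugging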


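--- a/users/defaults/<FILENAME>
+++ b/users/defaults/<FILENAME>
@@ -1,8 +1,14 @@
 ---
+#
+# This role adds users to a system
+# The users can access if their ssh key is provided
+# Users can have sudo privileges if the 'admin' property is 'true'
+# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
 users_sudoers_group: sudo
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
 #users_system_users:
-# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}, createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'True' }
+# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }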
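Review bot: The new header comment documents a `'user_admin_can_log_as_root'` switch, but nothing in this commit introduces a variable of that name — the users tasks hunk keys root login on a per-user `log_as_root` property, as the updated example on the last line shows — so the comment describes a control that does not exist. The same comment says sudo is granted when `'admin'` is `'true'`, while the tasks compare against the capitalised string `'True'`, so an entry written as the comment suggests gets no sudo and no error. Rewrite the last two comment lines as `# Users get sudo when their 'admin' property is the string 'True'` and `# Users can also log in directly as root when their 'log_as_root' property is the string 'True'`.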


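--- a/users/tasks/<FILENAME>
+++ b/users/tasks/<FILENAME>
@@ -33,5 +33,17 @@
 with_items: users_system_users
 when:
 - users_system_users is defined
+- item.admin == 'True'
 tags:
 - users
+- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
+authorized_key: user=root key="{{ item.ssh_key }}" state=present
+with_items: users_system_users
+when:
+- users_system_users is defined
+- item.ssh_key is defined
+- item.log_as_root == 'True'
+tags:
+- users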
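Review bot: The new root `authorized_key` task only ever adds keys (`state=present`), so once a user's `log_as_root` is set back to `'False'`, or the entry leaves `users_system_users`, their key stays in root's authorized_keys with nothing to revoke it; a companion task with `state=absent`, conditioned on `item.ssh_key is defined` and `item.log_as_root is not defined or item.log_as_root != 'True'`, is the minimum needed to make the flag reversible. The condition `item.log_as_root == 'True'` is also evaluated for every entry, so a user without that property may abort the task instead of being skipped — add `- item.log_as_root is defined` before it, mirroring the existing `item.ssh_key is defined` check. The check does not require `item.admin == 'True'` either, although the defaults comment added in the same commit presents root login as an admin-only option; either add that condition or correct the comment. The task that the first added line `- item.admin == 'True'` belongs to starts outside the hunk.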


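--- /dev/null
+++ b/varnish-cache/templates/<FILENAME>
@@ -0,0 +1,15 @@
+[Unit]
+Description=Varnish HTTP accelerator
+After=network.target
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/varnish
+LimitNOFILE={{ varnish_n_files }}
+LimitMEMLOCK={{ varnish_memlock }}
+ExecStartPre=/usr/sbin/varnishd -C -f {{ varnish_vcl_conf }}
+ExecStart=/usr/sbin/varnishd -u {{ varnish_user }} $DAEMON_OPTS
+ExecReload=/usr/share/varnish/reload-vcl
+[Install]
+WantedBy=multi-user.target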
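Review bot: `EnvironmentFile=-/etc/default/varnish` marks the file optional, so if it is missing `$DAEMON_OPTS` expands to nothing and `ExecStart` runs varnishd with only `-u {{ varnish_user }}` — no listen address, VCL or storage — which surfaces as an obscure varnishd error rather than the obvious "missing environment file" failure; unless the role always deploys `/etc/default/varnish` (not visible in this commit), dropping the leading `-` gives the clearer failure. `Type=forking` is used without a `PIDFile=`, leaving systemd to guess the main process; if `$DAEMON_OPTS` passes `-P`, pointing `PIDFile=` at the same path is the usual pairing — to be confirmed against how that variable is set. Note also that `ExecStartPre` validates `{{ varnish_vcl_conf }}` while the VCL actually loaded comes from `$DAEMON_OPTS`, so the pre-check only helps if both name the same file; a comment stating that assumption, e.g. `# ExecStartPre assumes DAEMON_OPTS points -f at varnish_vcl_conf`, would make the dependency explicit.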