dnet-mincyt: new VM to host the portal. Fixes to the apache virtualhosts generation tasks.

library/roles/dnet_user_services_perms: New roles to configure the VM permissions in a way that allows playing with tomcat without been root.
infrastructure-services: First bits of nagios configuration for the infrastructure services.

dnet_user_services_perms/README.md

@@ -0,0 +1,3 @@
+This role sets acls that permit unprivileged users to:
+- write inside a list of directories
+- restart the tomcat instances

dnet_user_services_perms/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+dnet_user: tomcat7
+dnet_group: dnet
+
+dnet_data_directories:
+  - /var/lib/dnet

dnet_user_services_perms/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Add the all the users to the dnet group
+  user: name={{ item.login }} groups={{ dnet_group }}
+  with_items: users_system_users
+  tags: [ 'dnet', 'users' ]
+
+- name: Install the sudoers config that permits the dnet users to restart tomcat
+  template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440
+  tags: [ 'tomcat', 'dnet', 'sudo', 'users' ]
+
+- name: Create the dnet data dirs
+  file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750
+  with_items: dnet_data_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  with_items:
+#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  with_items:
+#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+

dnet_user_services_perms/templates/dnet-sudoers.j2

@@ -0,0 +1,3 @@
+%{{ dnet_group }}  ALL=(ALL) NOPASSWD:   /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*
+
+

haproxy/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Restart haproxy
+  service: name=haproxy state=restarted
+  when: haproxy_enabled
+
+- name: Reload haproxy
+  service: name=haproxy state=reloaded
+  when: haproxy_enabled
+

iptables/handlers/main.yml

@@ -1,10 +1,6 @@
 ---
 - name: Start the iptables service
   service: name=iptables-persistent state=restarted enabled=yes
-  when:
-    - is_precise
-    - is_trusty
-    - is_debian7
   notify: Restart fail2ban
 
 - name: Start the netfilter service

iptables/tasks/main.yml

@@ -22,10 +22,7 @@
   with_items:
     - rules.v4
     - rules.v6
-  when:
-    - is_precise
-    - is_trusty
-    - is_debian7
+  when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
   notify: Start the iptables service
   tags:
     - iptables

tomcat/defaults/main.yml

@@ -31,6 +31,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 
 # JMX and debugging

users/defaults/main.yml

@@ -1,8 +1,14 @@
 ---
+#
+# This role adds users to a system
+# The users can access if their ssh key is provided
+# Users can have sudo privileges if the 'admin' property is 'true'
+# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
+
 users_sudoers_group: sudo
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
 #users_system_users:
-#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}, createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'True' }
+#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
 

users/tasks/main.yml

@@ -33,5 +33,17 @@
   with_items: users_system_users
   when:
     - users_system_users is defined
+    - item.admin == 'True'
   tags:
     - users
+
+- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
+  authorized_key: user=root key="{{ item.ssh_key }}" state=present
+  with_items: users_system_users
+  when:
+    - users_system_users is defined
+    - item.ssh_key is defined
+    - item.log_as_root == 'True'
+  tags:
+    - users
+

varnish-cache/templates/varnish.service.systemd.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Varnish HTTP accelerator
+After=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/varnish
+LimitNOFILE={{ varnish_n_files }}
+LimitMEMLOCK={{ varnish_memlock }}
+ExecStartPre=/usr/sbin/varnishd -C -f {{ varnish_vcl_conf }}
+ExecStart=/usr/sbin/varnishd  -u {{ varnish_user }} $DAEMON_OPTS
+ExecReload=/usr/share/varnish/reload-vcl
+
+[Install]
+WantedBy=multi-user.target