From 17cd763bf40748cced6c4e53d11f973d41c0fde3 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Fri, 29 Apr 2022 11:00:10 +0200 Subject: [PATCH] Update to 2022-04-29 11:00 --- roles/ampache/defaults/main.yml | 4 +- roles/matrix_synapse/defaults/main.yml | 2 +- roles/nginx/defaults/main.yml | 2 + roles/nginx/templates/nginx.conf.j2 | 2 + roles/penpot/vars/RedHat-8.yml | 2 + roles/repo_samba4/defaults/main.yml | 2 +- roles/squash_tm/defaults/main.yml | 36 ++++ roles/squash_tm/handlers/main.yml | 5 + roles/squash_tm/meta/main.yml | 8 + roles/squash_tm/tasks/archive_post.yml | 15 ++ roles/squash_tm/tasks/archive_pre.yml | 60 +++++++ roles/squash_tm/tasks/cleanup.yml | 11 ++ roles/squash_tm/tasks/conf.yml | 11 ++ roles/squash_tm/tasks/directories.yml | 40 +++++ roles/squash_tm/tasks/facts.yml | 39 +++++ roles/squash_tm/tasks/install.yml | 154 ++++++++++++++++++ roles/squash_tm/tasks/iptables.yml | 8 + roles/squash_tm/tasks/main.yml | 37 +++++ roles/squash_tm/tasks/services.yml | 6 + roles/squash_tm/tasks/user.yml | 9 + roles/squash_tm/tasks/write_version.yml | 5 + roles/squash_tm/templates/env.j2 | 9 + roles/squash_tm/templates/log4j2.xml.j2 | 52 ++++++ roles/squash_tm/templates/perms.sh.j2 | 6 + roles/squash_tm/templates/post-backup.j2 | 5 + roles/squash_tm/templates/pre-backup.j2 | 30 ++++ .../squash_tm/templates/squash-tm.service.j2 | 44 +++++ .../templates/squash.tm.cfg.properties.j2 | 11 ++ roles/squash_tm/vars/RedHat-8.yml | 6 + roles/unifi/defaults/main.yml | 4 +- 30 files changed, 619 insertions(+), 6 deletions(-) create mode 100644 roles/squash_tm/defaults/main.yml create mode 100644 roles/squash_tm/handlers/main.yml create mode 100644 roles/squash_tm/meta/main.yml create mode 100644 roles/squash_tm/tasks/archive_post.yml create mode 100644 roles/squash_tm/tasks/archive_pre.yml create mode 100644 roles/squash_tm/tasks/cleanup.yml create mode 100644 roles/squash_tm/tasks/conf.yml create mode 100644 roles/squash_tm/tasks/directories.yml create mode 100644 roles/squash_tm/tasks/facts.yml create mode 100644 
roles/squash_tm/tasks/install.yml create mode 100644 roles/squash_tm/tasks/iptables.yml create mode 100644 roles/squash_tm/tasks/main.yml create mode 100644 roles/squash_tm/tasks/services.yml create mode 100644 roles/squash_tm/tasks/user.yml create mode 100644 roles/squash_tm/tasks/write_version.yml create mode 100644 roles/squash_tm/templates/env.j2 create mode 100644 roles/squash_tm/templates/log4j2.xml.j2 create mode 100644 roles/squash_tm/templates/perms.sh.j2 create mode 100644 roles/squash_tm/templates/post-backup.j2 create mode 100644 roles/squash_tm/templates/pre-backup.j2 create mode 100644 roles/squash_tm/templates/squash-tm.service.j2 create mode 100644 roles/squash_tm/templates/squash.tm.cfg.properties.j2 create mode 100644 roles/squash_tm/vars/RedHat-8.yml diff --git a/roles/ampache/defaults/main.yml b/roles/ampache/defaults/main.yml index f81f93e..b4c9b47 100644 --- a/roles/ampache/defaults/main.yml +++ b/roles/ampache/defaults/main.yml @@ -3,10 +3,10 @@ ampache_id: "1" ampache_manage_upgrade: True -ampache_version: '5.3.1' +ampache_version: '5.3.2' ampache_config_version: 61 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip -ampache_zip_sha256: dda828eda42e2f16637495e77388867c79ca023537dc06e19b54ef598927eef6 +ampache_zip_sha256: 786b3a4899185196ba39004bf69af91b2ecc6cae4f5d5cf3603ab009292883e7 ampache_root_dir: /opt/ampache_{{ ampache_id }} diff --git a/roles/matrix_synapse/defaults/main.yml b/roles/matrix_synapse/defaults/main.yml index 3cc8d95..9524ea4 100644 --- a/roles/matrix_synapse/defaults/main.yml +++ b/roles/matrix_synapse/defaults/main.yml @@ -1,7 +1,7 @@ --- # Synapse version to deploy -synapse_version: 1.56.0 +synapse_version: 1.57.0 # Should ansible handle Synapse upgrades ? If false, only initial install will be done synapse_manage_upgrade: True diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 75d1502..a88d8b4 100644 
--- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -84,6 +84,8 @@ nginx_default_vhost_base: nginx_default_vhost_extra: {} nginx_default_vhost: "{{ nginx_default_vhost_base | combine(nginx_default_vhost_extra,recursive=True) }}" +# Should HSTS header be added on the default vhost +nginx_hsts: True # List of IP addresses which won't be affected by maintenance redirections nginx_maintenance_ip: [] diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 676d9ee..67f708c 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -90,7 +90,9 @@ http { add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; +{% if nginx_hsts %} add_header Strict-Transport-Security $hsts_header; +{% endif %} include /etc/nginx/ansible_conf.d/acme.inc; diff --git a/roles/penpot/vars/RedHat-8.yml b/roles/penpot/vars/RedHat-8.yml index 59d567a..cf98f70 100644 --- a/roles/penpot/vars/RedHat-8.yml +++ b/roles/penpot/vars/RedHat-8.yml @@ -14,3 +14,5 @@ penpot_packages: - liberation-fonts - fontforge - woff2-tools + - git + - bzip2 diff --git a/roles/repo_samba4/defaults/main.yml b/roles/repo_samba4/defaults/main.yml index 1f7f277..64d5d7e 100644 --- a/roles/repo_samba4/defaults/main.yml +++ b/roles/repo_samba4/defaults/main.yml @@ -1,3 +1,3 @@ --- # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/ -samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.6') }} +samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.7') }} diff --git a/roles/squash_tm/defaults/main.yml b/roles/squash_tm/defaults/main.yml new file mode 100644 index 0000000..8adafa3 --- /dev/null +++ b/roles/squash_tm/defaults/main.yml 
@@ -0,0 +1,36 @@ +--- + +# Version of Shash TM to install +squashtm_version: 3.0.4 +# Archive URL which will be downloaded during install/upgrades +squashtm_archive_url: https://nexus.squashtest.org/nexus/repository/public-releases/tm/core/squash-tm-distribution/{{ squashtm_version }}.RELEASE/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz +# Expected checksum of the archive +squashtm_archive_sha256: 9f11049505e5f9678fe7f7454127c697e0e0fe3cc9596adb6f52fef4ee06d6f2 +# Should ansible handle upgrades ? (if False, only initial install and configuration will be done) +squashtm_manage_upgrade: True + +# Directory where Squash TM will be installed +squashtm_root_dir: /opt/squash_tm +# User account under which the software will run (will be created if needed) +squashtm_user: squashtm + +# TCP port on which Squash TM will listen +squashtm_port: 8088 +# List of IP/CIDR for which this port will be reachable (with iptable_manage is True) +# Empty list means the port won't be opened +squashtm_src_ip: [] + +# Database settings +# Engine can be mysql or postgres +squashtm_db_engine: mysql +# Database server +squashtm_db_server: "{{ (squashtm_db_engine == 'postgres') | ternary(pg_server, mysql_server) | default('localhost') }}" +squashtm_db_port: "{{ (squashtm_db_engine == 'postgres') | ternary('5432', '3306') }}" +squashtm_db_user: squashtm +squashtm_db_name: squashtm +# If the password is not set, a random one will be created and stored in {{ squashtm_root_dir }}/meta/ansible_dbpass +# squashtm_db_pass: 'S3cr3t.' + +# Credentials in Squash TM database are encrypted with a passphrase. If not defined, +# a random one will be created and stored in {{ squashtm_root_dir }}/meta/ansible_secret +# squashtm_secret: p@ssw0rd diff --git a/roles/squash_tm/handlers/main.yml b/roles/squash_tm/handlers/main.yml new file mode 100644 index 0000000..69b62f7 --- /dev/null +++ b/roles/squash_tm/handlers/main.yml 
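Review bot: The comment above `squashtm_src_ip` names the wrong variable: it says the port is opened `with iptable_manage is True`, while tasks/main.yml gates iptables.yml on `iptables_manage | default(True)`, so it should read `# List of IP/CIDR for which this port will be reachable (when iptables_manage is True)`. The header comment also misspells the product name; `# Version of Squash TM to install`. Since both `squashtm_db_pass` and `squashtm_secret` are generated and persisted under `{{ squashtm_root_dir }}/meta` when left unset, saying in those comments that the generated files are the only copy of the value (so they belong in the backup set) would help an operator who later has to rebuild the host.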
@@ -0,0 +1,5 @@ +--- + +- name: restart squash-tm + service: name=squash-tm state=restarted + when: squashtm_service is not defined or not squashtm_service.changed diff --git a/roles/squash_tm/meta/main.yml b/roles/squash_tm/meta/main.yml new file mode 100644 index 0000000..dbfe049 --- /dev/null +++ b/roles/squash_tm/meta/main.yml @@ -0,0 +1,8 @@ +--- + +dependencies: + - role: mkdir + - role: mysql_server + when: squashtm_db_engine == 'mysql' and squashtm_db_server in ['localhost', '127.0.0.1'] + - role: postgresql_server + when: squashtm_db_engine == 'postgres' and squashtm_db_server in ['localhost', '127.0.0.1'] diff --git a/roles/squash_tm/tasks/archive_post.yml b/roles/squash_tm/tasks/archive_post.yml new file mode 100644 index 0000000..6e12e95 --- /dev/null +++ b/roles/squash_tm/tasks/archive_post.yml @@ -0,0 +1,15 @@ +--- + +- name: Compress previous version + command: tar cf {{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}.tar.zst --use-compress-program=zstd ./ + args: + chdir: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}" + warn: False + environment: + ZSTD_CLEVEL: 10 + ZSTD_NBTHREADS: 0 + tags: squashtm + +- name: Remove archive dir + file: path={{ squashtm_root_dir }}/archives/{{ squashtm_current_version }} state=absent + tags: squashtm diff --git a/roles/squash_tm/tasks/archive_pre.yml b/roles/squash_tm/tasks/archive_pre.yml new file mode 100644 index 0000000..0f7d76b --- /dev/null +++ b/roles/squash_tm/tasks/archive_pre.yml 
@@ -0,0 +1,60 @@ +--- + +- name: Create archive dir + file: path={{ squashtm_root_dir }}/archives/{{ squashtm_current_version }} state=directory + tags: squashtm + +- name: Stop service during upgrade + service: name={{ item }} state=stopped + loop: + - squash-tm + tags: squashtm + +- name: Archive current version + synchronize: + src: "{{ squashtm_root_dir }}/{{ item }}" + dest: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/" + delete: True + compress: False + delegate_to: "{{ inventory_hostname }}" + loop: + - app + tags: squashtm + +- when: squashtm_db_engine == 'mysql' + block: + - name: Install mysqldump + package: name=mariadb + + - name: Dump the database + mysql_db: + state: dump + name: "{{ squashtm_db_name }}" + target: "{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/{{ squashtm_db_name }}.sql" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: "{{ squashtm_db_user }}" + login_password: "{{ squashtm_db_pass }}" + quick: True + single_transaction: True + + tags: squashtm + +- when: squashtm_db_engine == 'postgres' + block: + - name: Install pg_dump + package: name=postgresql14 + + - name: Dump the database + command: > + /usr/pgsql-14/bin/pg_dump + --clean + --create + --host={{ squashtm_db_server | quote }} + --port={{ squashtm_db_port | quote }} + --username={{ squashtm_db_user | quote }} {{ squashtm_db_name | quote }} + --file="{{ squashtm_root_dir }}/archives/{{ squashtm_current_version }}/{{ squashtm_db_name }}.sql" + environment: + - PGPASSWORD: "{{ squashtm_db_pass }}" + tags: squashtm + diff --git a/roles/squash_tm/tasks/cleanup.yml b/roles/squash_tm/tasks/cleanup.yml new file mode 100644 index 0000000..1715684 --- /dev/null +++ b/roles/squash_tm/tasks/cleanup.yml 
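Review bot: The PostgreSQL dump path in 'Dump the database' is pinned to one major version, `package: name=postgresql14` and `/usr/pgsql-14/bin/pg_dump`, while the service unit orders after postgresql-11 through postgresql-14 and pre-backup.j2 hardcodes the same 14 path. A single default (for example a constructed `squashtm_pg_version`-style variable) used by this task, the backup hook and the unit would keep the three in step with whatever the postgresql_server role actually deploys. I cannot see that role from here, so whether it already exposes such a value is a guess; if it does, reusing it is preferable to a new default.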
@@ -0,0 +1,11 @@ +--- + +- name: Remove tmp and obsolete files + file: path={{ item }} state=absent + loop: + - "{{ squashtm_root_dir }}/tmp/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz" + - "{{ squashtm_root_dir }}/tmp/squash-tm" + - "{{ squashtm_root_dir }}/app/logs" + - "{{ squashtm_root_dir }}/app/conf" + - "{{ squashtm_root_dir }}/app/data" + tags: squashtm diff --git a/roles/squash_tm/tasks/conf.yml b/roles/squash_tm/tasks/conf.yml new file mode 100644 index 0000000..ca7345f --- /dev/null +++ b/roles/squash_tm/tasks/conf.yml @@ -0,0 +1,11 @@ +--- + +- name: Deploy Squash TM configuration + template: src={{ item }}.j2 dest={{ squashtm_root_dir }}/etc/{{ item }} owner=root group={{ squashtm_user }} mode=640 + loop: + - env + - squash.tm.cfg.properties + - log4j2.xml + notify: restart squash-tm + tags: squashtm + diff --git a/roles/squash_tm/tasks/directories.yml b/roles/squash_tm/tasks/directories.yml new file mode 100644 index 0000000..8800dc4 --- /dev/null +++ b/roles/squash_tm/tasks/directories.yml 
@@ -0,0 +1,40 @@ +--- + +- name: Create directories + file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} + loop: + - dir: "{{ squashtm_root_dir }}/archives" + owner: root + group: root + mode: 700 + - dir: "{{ squashtm_root_dir }}/meta" + owner: root + group: root + mode: 700 + - dir: "{{ squashtm_root_dir }}/backup" + owner: root + group: root + mode: 700 + - dir: "{{ squashtm_root_dir }}/app" + mode: 755 + - dir: "{{ squashtm_root_dir }}/logs" + owner: "{{ squashtm_user }}" + group: "{{ squashtm_user }}" + mode: 755 + - dir: "{{ squashtm_root_dir }}/etc" + owner: "{{ squashtm_user }}" + group: "{{ squashtm_user }}" + mode: 755 + - dir: "{{ squashtm_root_dir }}/tmp" + owner: root + group: "{{ squashtm_user }}" + mode: 770 + - dir: "{{ squashtm_root_dir }}/data" + owner: "{{ squashtm_user }}" + group: "{{ squashtm_user }}" + mode: 700 + - dir: "{{ squashtm_root_dir }}/data/tomcat" + owner: "{{ squashtm_user }}" + group: "{{ squashtm_user }}" + mode: 700 + tags: squashtm diff --git a/roles/squash_tm/tasks/facts.yml b/roles/squash_tm/tasks/facts.yml new file mode 100644 index 0000000..8acaa1c --- /dev/null +++ b/roles/squash_tm/tasks/facts.yml 
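Review bot: The `mode` values in the loop (`mode: 700`, `mode: 755`, `mode: 770`) are bare YAML integers; they only work because they are interpolated into the key=value string `mode={{ item.mode | default(omit) }}`, so the file module receives them as text and reads them as octal. Ansible treats an integer mode as decimal, so if a later refactor passes `item.mode` to the module without the string round-trip, 700 silently becomes the wrong permission; quoting them now (`mode: "0700"`, `mode: "0755"`, `mode: "0770"`) removes the trap at no cost. A one-line comment above the loop saying that archives, meta and backup are root-only because they hold the previous release, the generated secrets and database dumps would also explain the 700s to the next reader.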
@@ -0,0 +1,39 @@ +--- + +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: squashtm + +# Detect installed version (if any) +- block: + - import_tasks: ../includes/webapps_set_install_mode.yml + vars: + - root_dir: "{{ squashtm_root_dir }}" + - version: "{{ squashtm_version }}" + - set_fact: squashtm_install_mode={{ (install_mode == 'upgrade' and not squashtm_manage_upgrade) | ternary('none',install_mode) }} + - set_fact: squashtm_current_version={{ current_version | default('') }} + tags: squashtm + +# Create a random pass for the DB if needed +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ squashtm_root_dir }}/meta/ansible_dbpass" + - set_fact: squashtm_db_pass={{ rand_pass }} + when: squashtm_db_pass is not defined + tags: squashtm + +# Create a random pass to encrypt credentials in the database +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ squashtm_root_dir }}/meta/ansible_secret" + - set_fact: squashtm_secret={{ rand_pass }} + when: squashtm_secret is not defined + tags: squashtm + diff --git a/roles/squash_tm/tasks/install.yml b/roles/squash_tm/tasks/install.yml new file mode 100644 index 0000000..e458e75 --- /dev/null +++ b/roles/squash_tm/tasks/install.yml 
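Review bot: The `set_fact: squashtm_db_pass={{ rand_pass }}` and `set_fact: squashtm_secret={{ rand_pass }}` tasks carry no `no_log`, so a verbose run (-v or higher) prints the generated database password and credential-encryption passphrase in the task result and in any callback plugin that records it; add `no_log: True` to both tasks. The same presumably applies to whatever `../includes/get_rand_pass.yml` registers as `rand_pass`, but that include is outside this diff. The two blocks would also read better with their existing header comments extended to say the value is generated only when the variable is not supplied by inventory, which is what the `when` clauses encode.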
@@ -0,0 +1,154 @@ +--- + +- name: Install dependencies + package: name={{ squashtm_packages }} + tags: squashtm + +- name: Detect exact JRE version + block: + - command: rpm -q java-11-openjdk + args: + warn: False + changed_when: False + register: squashtm_jre11_version + - set_fact: squashtm_jre11_version={{ squashtm_jre11_version.stdout | trim }} + tags: squashtm + +- when: squashtm_install_mode != 'none' + block: + + - name: Download Squash TM + get_url: + url: "{{ squashtm_archive_url }}" + dest: "{{ squashtm_root_dir }}/tmp/" + checksum: sha256:{{ squashtm_archive_sha256 }} + + - name: Extract Squash TM archive + unarchive: + src: "{{ squashtm_root_dir }}/tmp/squash-tm-{{ squashtm_version }}.RELEASE.tar.gz" + dest: "{{ squashtm_root_dir }}/tmp/" + remote_src: True + + - name: Move Squash TM to the app dir + synchronize: + src: "{{ squashtm_root_dir }}/tmp/squash-tm/" + dest: "{{ squashtm_root_dir }}/app/" + delete: True + compress: False + delegate_to: "{{ inventory_hostname }}" + + tags: squashtm + +- name: Install the permission script + template: src=perms.sh.j2 dest={{ squashtm_root_dir }}/perms.sh mode=755 + register: squashtm_perm_script + tags: squashtm + +- name: Fix permissions + command: "{{ squashtm_root_dir }}/perms.sh" + when: squashtm_install_mode != none or squashtm_perm_script.changed + tags: squashtm + +- name: Install backup hooks + template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/squashtm owner=root group=root mode=700 + loop: + - pre + - post + tags: squashtm + +- name: Install service unit + template: src=squash-tm.service.j2 dest=/etc/systemd/system/squash-tm.service + notify: restart squash-tm + register: squashtm_unit + tags: squashtm + +- name: Reload systemd + systemd: daemon_reload=True + when: squashtm_unit.changed + tags: squashtm + +- when: squashtm_db_engine == 'postgres' + block: + - name: Create the PostgreSQL role + postgresql_user: + db: postgres + name: "{{ squashtm_db_user }}" + password: "{{ 
squashtm_db_pass }}" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: sqladmin + login_password: "{{ pg_admin_pass }}" + + - name: Create the PostgreSQL database + postgresql_db: + name: "{{ squashtm_db_name }}" + encoding: UTF-8 + template: template0 + owner: "{{ squashtm_db_user }}" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: sqladmin + login_password: "{{ pg_admin_pass }}" + + tags: squashtm + +- when: squashtm_db_engine == 'mysql' + import_tasks: ../includes/webapps_create_mysql_db.yml + vars: + - db_name: "{{ squashtm_db_name }}" + - db_user: "{{ squashtm_db_user }}" + - db_server: "{{ squashtm_db_server }}" + - db_port: "{{ squashtm_db_port }}" + - db_pass: "{{ squashtm_db_pass }}" + tags: squashtm + +- name: Import initial DB structure (postgresql) + postgresql_db: + db: "{{ squashtm_db_name }}" + state: restore + target: "{{ squashtm_root_dir }}/app/database-scripts/postgresql-full-install-version-{{ squashtm_version }}.RELEASE.sql" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: "{{ squashtm_db_user }}" + login_password: "{{ squashtm_db_pass }}" + when: squashtm_install_mode == 'install' and squashtm_db_engine == 'postgres' + tags: squashtm + +- name: Import the initial DB structure (mysql) + mysql_db: + db: "{{ squashtm_db_name }}" + state: import + target: "{{ squashtm_root_dir }}/app/database-scripts/mysql-full-install-version-{{ squashtm_version }}.RELEASE.sql" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: "{{ squashtm_db_user }}" + login_password: "{{ squashtm_db_pass }}" + when: squashtm_install_mode == 'install' and squashtm_db_engine == 'mysql' + tags: squashtm + +- name: List database upgrade scripts + shell: > + ls /opt/squash_tm/app/database-scripts/{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}-* | + grep 'upgrade-to' | + perl -pe 
's/.*upgrade\-to\-(\d+(\.\d+)+).*/$1/' | + sort --version-sort + register: squashtm_db_upgrade_scripts + changed_when: False + tags: squashtm + +- name: Upgrade the database + mysql_db: + db: "{{ squashtm_db_name }}" + state: import + target: "{{ squashtm_root_dir }}/app/database-scripts/{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}-upgrade-to-{{ item }}.sql" + login_host: "{{ squashtm_db_server }}" + login_port: "{{ squashtm_db_port }}" + login_user: "{{ squashtm_db_user }}" + login_password: "{{ squashtm_db_pass }}" + when: + - squashtm_install_mode == 'upgrade' # Only apply scripts when upgrading Squash TM + - squashtm_current_version is version(item, '<') # Apply DB scripts if they are for a more recent version than currently installed + - squashtm_version is version(item, '>=') # Do not apply scripts for more recent version than the one being installed + ignore_errors: True + loop: "{{ squashtm_db_upgrade_scripts.stdout_lines }}" + tags: squashtm diff --git a/roles/squash_tm/tasks/iptables.yml b/roles/squash_tm/tasks/iptables.yml new file mode 100644 index 0000000..e083042 --- /dev/null +++ b/roles/squash_tm/tasks/iptables.yml @@ -0,0 +1,8 @@ +--- + +- name: Handle Squash TM port + iptables_raw: + name: squashtm_port + state: "{{ (squashtm_src_ip | length > 0) | ternary('present','absent') }}" + rules: "-A INPUT -m state --state NEW -p tcp --dport {{ squashtm_port }} -s {{ squashtm_src_ip | join(',') }} -j ACCEPT" + tags: squashtm diff --git a/roles/squash_tm/tasks/main.yml b/roles/squash_tm/tasks/main.yml new file mode 100644 index 0000000..c6731bb --- /dev/null +++ b/roles/squash_tm/tasks/main.yml 
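Review bot: In 'Fix permissions', `when: squashtm_install_mode != none or squashtm_perm_script.changed` compares against Jinja's `none` literal rather than the string `'none'` that facts.yml assigns, so the condition is always true and perms.sh runs (and reports changed) on every play; it should be `when: squashtm_install_mode != 'none' or squashtm_perm_script.changed`, as main.yml already writes it. 'List database upgrade scripts' hardcodes `/opt/squash_tm/app/database-scripts/...` instead of `{{ squashtm_root_dir }}/app/database-scripts/...`, so a non-default root dir finds no upgrade scripts. 'Upgrade the database' always uses `mysql_db`, so the PostgreSQL upgrade path cannot work; it needs a `postgresql_db` (state: restore) counterpart gated on `squashtm_db_engine`, mirroring the two initial-import tasks above. `ignore_errors: True` on that task also hides a failed schema upgrade, after which services.yml starts the application on a partially migrated database; dropping it, or replacing it with a `failed_when` limited to the specific error the author expects, keeps the failure visible.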
@@ -0,0 +1,37 @@ +--- + +- include_tasks: user.yml + tags: always + +- include_tasks: directories.yml + tags: always + +- include_tasks: facts.yml + tags: always + +- include_tasks: archive_pre.yml + when: squashtm_install_mode | default('none') == 'upgrade' + tags: always + +- include_tasks: install.yml + tags: always + +- include_tasks: conf.yml + tags: always + +- include_tasks: iptables.yml + when: iptables_manage | default(True) + tags: always + +- include_tasks: services.yml + tags: always + +- include_tasks: write_version.yml + tags: always + +- include_tasks: archive_post.yml + when: squashtm_install_mode | default('none') == 'upgrade' + tags: always + +- include_tasks: cleanup.yml + tags: always diff --git a/roles/squash_tm/tasks/services.yml b/roles/squash_tm/tasks/services.yml new file mode 100644 index 0000000..34f502f --- /dev/null +++ b/roles/squash_tm/tasks/services.yml @@ -0,0 +1,6 @@ +--- + +- name: Start and enable Squash TM service + service: name=squash-tm state=started enabled=True + register: squashtm_service + tags: squashtm diff --git a/roles/squash_tm/tasks/user.yml b/roles/squash_tm/tasks/user.yml new file mode 100644 index 0000000..bc1d776 --- /dev/null +++ b/roles/squash_tm/tasks/user.yml @@ -0,0 +1,9 @@ +--- + +- name: Create user account + user: + name: "{{ squashtm_user }}" + system: True + home: "{{ squashtm_root_dir }}" + shell: /sbin/nologin + tags: squashtm diff --git a/roles/squash_tm/tasks/write_version.yml b/roles/squash_tm/tasks/write_version.yml new file mode 100644 index 0000000..9f947c0 --- /dev/null +++ b/roles/squash_tm/tasks/write_version.yml @@ -0,0 +1,5 @@ +--- + +- name: Write installed version + copy: content={{ squashtm_version }} dest={{ squashtm_root_dir }}/meta/ansible_version + tags: squashtm diff --git a/roles/squash_tm/templates/env.j2 b/roles/squash_tm/templates/env.j2 new file mode 100644 index 0000000..4bb4923 --- /dev/null +++ b/roles/squash_tm/templates/env.j2 
@@ -0,0 +1,9 @@ +JAR_NAME="squash-tm.war" +HTTP_PORT={{ squashtm_port }} +TMP_DIR={{ squashtm_root_dir }}/tmp +BUNDLES_DIR={{ squashtm_root_dir }}/app/bundles +CONF_DIR={{ squashtm_root_dir }}/etc +LOG_DIR={{ squashtm_root_dir }}/logs +TOMCAT_HOME={{ squashtm_root_dir }}/data/tomcat +PLUGINS_DIR={{ squashtm_root_dir }}/app/plugins +DB_TYPE={{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }} diff --git a/roles/squash_tm/templates/log4j2.xml.j2 b/roles/squash_tm/templates/log4j2.xml.j2 new file mode 100644 index 0000000..8f88bc8 --- /dev/null +++ b/roles/squash_tm/templates/log4j2.xml.j2 @@ -0,0 +1,52 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/roles/squash_tm/templates/perms.sh.j2 b/roles/squash_tm/templates/perms.sh.j2 new file mode 100644 index 0000000..26bc202 --- /dev/null +++ b/roles/squash_tm/templates/perms.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/bash -e + +chown -R root:root {{ squashtm_root_dir }}/app +find {{ squashtm_root_dir }}/app -type f -exec chmod 644 "{}" \; +find {{ squashtm_root_dir }}/app -type d -exec chmod 755 "{}" \; +restorecon -Rv {{ squashtm_root_dir }} diff --git a/roles/squash_tm/templates/post-backup.j2 b/roles/squash_tm/templates/post-backup.j2 new file mode 100644 index 0000000..0a3a84e --- /dev/null +++ b/roles/squash_tm/templates/post-backup.j2 @@ -0,0 +1,5 @@ +#!/bin/sh + +set -eo pipefail + +rm -f {{ squashtm_root_dir }}/backup/*.sql.zst diff --git a/roles/squash_tm/templates/pre-backup.j2 b/roles/squash_tm/templates/pre-backup.j2 new file mode 100644 index 0000000..3821e9f --- /dev/null +++ b/roles/squash_tm/templates/pre-backup.j2 
@@ -0,0 +1,30 @@ +#!/bin/sh + +set -eo pipefail + +{% if squashtm_db_engine == 'postgres' %} +{% if squashtm_db_server not in ['localhost', '127.0.0.1'] %} +PGPASSWORD={{ squashtm_db_pass | quote }} \ + /usr/pgsql-14/bin/pg_dump \ + --clean \ + --create \ + --username={{ squashtm_db_user | quote }} \ + --host={{ squashtm_db_server | quote }} \ + --port={{ squashtm_db_port }} \ + {{ squashtm_db_name }} | \ +{% else %} +su - postgres -c "/usr/pgsql-14/bin/pg_dump --clear {{ squashtm_db_name }}" | \ +{% endif %} + zstd -c > {{ squashtm_root_dir }}/backup/{{ squashtm_db_name }}.sql.zst +{% else %} +/usr/bin/mysqldump \ +{% if squashtm_db_server not in ['localhost', '127.0.0.1'] %} + --user={{ squashtm_db_user | quote }} \ + --password={{ squashtm_db_pass | quote }} \ + --host={{ squashtm_db_server | quote }} \ + --port={{ squashtm_db_port }} \ +{% endif %} + --quick --single-transaction \ + --add-drop-table {{ squashtm_db_name }} | \ + zstd -c > {{ squashtm_root_dir }}/backup/{{ squashtm_db_name }}.sql.zst +{% endif %} diff --git a/roles/squash_tm/templates/squash-tm.service.j2 b/roles/squash_tm/templates/squash-tm.service.j2 new file mode 100644 index 0000000..8c17870 --- /dev/null +++ b/roles/squash_tm/templates/squash-tm.service.j2 
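Review bot: The local PostgreSQL branch runs `pg_dump --clear`, which is not a pg_dump option (the remote branch correctly uses `--clean`), so backups on a local-postgres install fail at that line; change it to `su - postgres -c "/usr/pgsql-14/bin/pg_dump --clean {{ squashtm_db_name }}"`. The mysqldump branch passes `--password={{ squashtm_db_pass | quote }}` on the command line, where it is readable by every local user in the process listing for the duration of the dump; exporting `MYSQL_PWD` for the command, as the pg branch already does with `PGPASSWORD`, or a root-only `--defaults-extra-file`, avoids that. The script declares `#!/bin/sh` but relies on `set -eo pipefail`, which is a bash feature; it presumably works because /bin/sh is bash on the RedHat-8 hosts this role targets, and `#!/bin/bash` would state that dependency explicitly.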
@@ -0,0 +1,44 @@ +[Unit] +Description=Squash TM +After=syslog.target network.target mariadb.service postgresql.service postgresql-11.service postgresql-12.service postgresql-13.service postgresql-14.service + +[Service] +Type=simple +User={{ squashtm_user }} +Group={{ squashtm_user }} +WorkingDirectory={{ squashtm_root_dir }}/app +EnvironmentFile={{ squashtm_root_dir }}/etc/env +ExecStart=/usr/lib/jvm/{{ squashtm_jre11_version }}/bin/java \ + -Xms128m -Xmx2048m -server \ + -Duser.language=en \ + -Djava.io.tmpdir=${TMP_DIR} \ + -Dlogging.dir=${LOG_DIR} \ + -jar ${BUNDLES_DIR}/${JAR_NAME} \ + --spring.config.additional-location=${CONF_DIR}/ \ + --spring.profiles.active=${DB_TYPE} \ + --spring.config.name=application,squash.tm.cfg \ + --logging.config=${CONF_DIR}/log4j2.xml +UMask=007 +SuccessExitStatus=143 +PrivateTmp=yes +NoNewPrivileges=true +MemoryLimit=3072M +SyslogIdentifier=squash-tm +Restart=on-failure +StartLimitInterval=0 +RestartSec=30 +PrivateDevices=true +ProtectControlGroups=true +ProtectHome=true +ProtectSystem=full +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RestrictRealtime=true +RestrictNamespaces=true +ReadWritePaths=/run {{ squashtm_root_dir }}/logs {{ squashtm_root_dir }}/data {{ squashtm_root_dir }}/tmp +LockPersonality=true + +[Install] +WantedBy=multi-user.target + diff --git a/roles/squash_tm/templates/squash.tm.cfg.properties.j2 b/roles/squash_tm/templates/squash.tm.cfg.properties.j2 new file mode 100644 index 0000000..f68a53d --- /dev/null +++ b/roles/squash_tm/templates/squash.tm.cfg.properties.j2 
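Review bot: `ProtectSystem=full` and, a few lines later, `ProtectSystem=strict` both appear in [Service]; systemd keeps the last assignment, so the `full` line is dead and should be removed so a reader does not assume the looser setting applies. `MemoryLimit=3072M` is the deprecated cgroup-v1 name; `MemoryMax=3072M` is the current equivalent. `ReadWritePaths=` opens all of `/run` to the unit; if the service only needs its own runtime directory, `RuntimeDirectory=squash-tm` would grant a narrower `/run/squash-tm` instead, though I cannot tell from the unit whether anything under /run is actually written.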
@@ -0,0 +1,11 @@ +spring.datasource.url=jdbc:{{ (squashtm_db_engine == 'postgres') | ternary('postgresql', 'mysql') }}://{{ squashtm_db_server }}:{{ squashtm_db_port }}/{{ squashtm_db_name }} +spring.datasource.username={{ squashtm_db_user }} +spring.datasource.password={{ squashtm_db_pass }} + +server.servlet.session.timeout=3600 +server.port={{ squashtm_port }} +server.tomcat.basedir={{ squashtm_root_dir }}/data/tomcat + +squash.crypto.secret={{ squashtm_secret }} +squash.path.bundles-path={{ squashtm_root_dir }}/app/bundles +squash.path.plugins-path={{ squashtm_root_dir }}/plugins diff --git a/roles/squash_tm/vars/RedHat-8.yml b/roles/squash_tm/vars/RedHat-8.yml new file mode 100644 index 0000000..522ea4b --- /dev/null +++ b/roles/squash_tm/vars/RedHat-8.yml @@ -0,0 +1,6 @@ +--- + +squashtm_packages: + - java-11-openjdk + - tar + - zstd diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml index 2ef3bd2..184c5e3 100644 --- a/roles/unifi/defaults/main.yml +++ b/roles/unifi/defaults/main.yml @@ -3,11 +3,11 @@ # Where unifi will be installed unifi_root_dir: /opt/unifi # Version to deploy -unifi_version: 7.0.25 +unifi_version: 7.1.61 # URL to get the installation tarball unifi_archive_url: https://www.ubnt.com/downloads/unifi/{{ unifi_version }}/UniFi.unix.zip # Expected sha256 -unifi_archive_sha256: 1b18006832dae6830b72925bcb1d7ae1a2e7b82faaddfacd778419c2c8744133 +unifi_archive_sha256: cd42fe6d5d0237718ada796fb011e071ba45429ac9addc72c4534fef1fcdb514 # Should ansible handle upgrades (if False, only initial install will be done) unifi_manage_upgrade: True # List of ports used by UniFi controler
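Review bot: `squash.path.plugins-path={{ squashtm_root_dir }}/plugins` disagrees with env.j2, which sets `PLUGINS_DIR={{ squashtm_root_dir }}/app/plugins`, and directories.yml creates no `plugins` directory under the root, so the property points at a path that never exists on disk; `squash.path.plugins-path={{ squashtm_root_dir }}/app/plugins` matches the rest of the role. I cannot tell from here which of the two settings Squash TM actually honours, so this should be confirmed against the application before changing it. A comment noting that this file holds the database password and `squash.crypto.secret`, which is why conf.yml deploys it as root:{{ squashtm_user }} with mode 640, would help the next maintainer keep that permission intact.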