From 30c751e485b8ee03aa168f1574c0f44f833f9b24 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sun, 27 Feb 2022 18:00:05 +0100
Subject: [PATCH] Update to 2022-02-27 18:00
---
 roles/akeneo_pim/tasks/main.yml | 31 ++++++----
 roles/appsmith/tasks/cleanup.yml | 1 +
 roles/bookstack/tasks/main.yml | 30 ++++++----
 roles/diagrams/tasks/main.yml | 37 +++++++-----
 roles/glpi/tasks/main.yml | 34 +++++++----
 roles/includes/get_rand_pass.yml | 98 ++++++++++++++++++++------------
 roles/kimai/defaults/main.yml | 6 +-
 roles/kimai/tasks/main.yml | 31 ++++++----
 8 files changed, 171 insertions(+), 97 deletions(-)
diff --git a/roles/akeneo_pim/tasks/main.yml b/roles/akeneo_pim/tasks/main.yml
index a541d76..63cd6c1 100644
--- a/roles/akeneo_pim/tasks/main.yml
+++ b/roles/akeneo_pim/tasks/main.yml
@@ -1,13 +1,22 @@
 ---
-- include: user.yml
-- include: directories.yml
-- include: facts.yml
-- include: archive_pre.yml
- when: pim_install_mode == 'upgrade'
-- include: install.yml
-- include: conf.yml
-- include: write_version.yml
-- include: archive_post.yml
- when: pim_install_mode == 'upgrade'
-- include: cleanup.yml
+- include_tasks: user.yml
+ tags: always
+- include_tasks: directories.yml
+ tags: always
+- include_tasks: facts.yml
+ tags: always
+- include_tasks: archive_pre.yml
+ when: pim_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: install.yml
+ tags: always
+- include_tasks: conf.yml
+ tags: always
+- include_tasks: write_version.yml
+ tags: always
+- include_tasks: archive_post.yml
+ when: pim_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: cleanup.yml
+ tags: always
diff --git a/roles/appsmith/tasks/cleanup.yml b/roles/appsmith/tasks/cleanup.yml
index 7524f1b..b7ed4e8 100644
--- a/roles/appsmith/tasks/cleanup.yml
+++ b/roles/appsmith/tasks/cleanup.yml
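Review bot: The `tags: always` added to every `include_tasks` in this hunk tags only the include statement itself; a dynamic include does not propagate its tags to the tasks inside the included file, so a `--tags` run still skips any task in user.yml, install.yml etc. that carries no tag of its own (the appsmith cleanup hunk in this commit shows the per-task `tags: appsmith` that the included files need). Untagged tasks were skipped under `--tags` with the old static `include` as well, so this is not a regression, but a reader will assume `always` covers the included tasks, so a header comment would help: `# tags: always makes the dynamic includes run under --tags; the included tasks carry their own tags`. Since `include_tasks` evaluates `when` once at include time, it is also worth confirming that `pim_install_mode` is set by facts.yml before the archive_pre.yml include is reached; facts.yml is outside this hunk, so that is inferred here.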
@@ -4,6 +4,7 @@
 file: path={{ item }} state=absent
 loop:
 - "{{ appsmith_root_dir }}/archives/{{ appsmith_current_version }}"
+ - "{{ appsmith_root_dir }}/src/app/client/node_modules"
 - "{{ appsmith_root_dir }}/tmp/appsmith-{{ appsmith_version }}"
 - "{{ appsmith_root_dir }}/tmp/appsmith-{{ appsmith_version }}.tar.gz"
 tags: appsmith
diff --git a/roles/bookstack/tasks/main.yml b/roles/bookstack/tasks/main.yml
index 4a78539..3e0d96b 100644
--- a/roles/bookstack/tasks/main.yml
+++ b/roles/bookstack/tasks/main.yml
@@ -1,14 +1,24 @@
 ---
-- include: user.yml
-- include: directories.yml
-- include: facts.yml
-- include: archive_pre.yml
+- include_tasks: user.yml
+ tags: always
+- include_tasks: directories.yml
+ tags: always
+- include_tasks: facts.yml
+ tags: always
+- include_tasks: archive_pre.yml
 when: bookstack_install_mode == 'upgrade'
-- include: install.yml
-- include: conf.yml
-- include: services.yml
-- include: write_version.yml
-- include: archive_post.yml
+ tags: always
+- include_tasks: install.yml
+ tags: always
+- include_tasks: conf.yml
+ tags: always
+- include_tasks: services.yml
+ tags: always
+- include_tasks: write_version.yml
+ tags: always
+- include_tasks: archive_post.yml
 when: bookstack_install_mode == 'upgrade'
-- include: cleanup.yml
+ tags: always
+- include_tasks: cleanup.yml
+ tags: always
diff --git a/roles/diagrams/tasks/main.yml b/roles/diagrams/tasks/main.yml
index c74213c..787a1d2 100644
--- a/roles/diagrams/tasks/main.yml
+++ b/roles/diagrams/tasks/main.yml
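Review bot: The two `when: bookstack_install_mode == 'upgrade'` context lines around archive_pre.yml and archive_post.yml are left unguarded, while the akeneo_pim, diagrams, glpi and kimai hunks in this same commit wrap the equivalent condition in `| default('none')`; because `include_tasks` evaluates `when` at include time, an undefined `bookstack_install_mode` aborts the play with an undefined-variable error instead of being treated as a fresh install. Suggest `when: bookstack_install_mode | default('none') == 'upgrade'` on both lines so the roles behave the same. Where `bookstack_install_mode` is computed is outside this hunk, so whether it can actually be undefined at this point is inferred, not verified.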
@@ -6,18 +6,29 @@
 - tomcat
 tags: diagrams
-- include: directories.yml
-- include: facts.yml
-- include: archive_pre.yml
- when: diagrams_install_mode == 'upgrade'
-- include: install.yml
-- include: conf.yml
-- include: selinux.yml
+- include_tasks: directories.yml
+ tags: always
+- include_tasks: facts.yml
+ tags: always
+- include_tasks: archive_pre.yml
+ when: diagrams_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: install.yml
+ tags: always
+- include_tasks: conf.yml
+ tags: always
+- include_tasks: selinux.yml
 when: ansible_selinux.status == 'enabled'
-- include: iptables.yml
+ tags: always
+- include_tasks: iptables.yml
 when: iptables_manage | default(True)
-- include: services.yml
-- include: write_version.yml
-- include: archive_post.yml
- when: diagrams_install_mode == 'upgrade'
-- include: cleanup.yml
+ tags: always
+- include_tasks: services.yml
+ tags: always
+- include_tasks: write_version.yml
+ tags: always
+- include_tasks: archive_post.yml
+ when: diagrams_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: cleanup.yml
+ tags: always
diff --git a/roles/glpi/tasks/main.yml b/roles/glpi/tasks/main.yml
index 1f16396..dd2443e 100644
--- a/roles/glpi/tasks/main.yml
+++ b/roles/glpi/tasks/main.yml
@@ -1,14 +1,24 @@
 ---
-- include: user.yml
-- include: directories.yml
-- include: facts.yml
-- include: archive_pre.yml
- when: glpi_install_mode == 'upgrade'
-- include: install.yml
-- include: conf.yml
-- include: cleanup.yml
-- include: write_version.yml
-- include: archive_post.yml
- when: glpi_install_mode == 'upgrade'
-- include: filebeat.yml
+- include_tasks: user.yml
+ tags: always
+- include_tasks: directories.yml
+ tags: always
+- include_tasks: facts.yml
+ tags: always
+- include_tasks: archive_pre.yml
+ when: glpi_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: install.yml
+ tags: always
+- include_tasks: conf.yml
+ tags: always
+- include_tasks: cleanup.yml
+ tags: always
+- include_tasks: write_version.yml
+ tags: always
+- include_tasks: archive_post.yml
+ when: glpi_install_mode | default('none')== 'upgrade'
+ tags: always
+- include_tasks: filebeat.yml
+ tags: always
diff --git a/roles/includes/get_rand_pass.yml b/roles/includes/get_rand_pass.yml
index 4d0741a..7d8f858 100644
--- a/roles/includes/get_rand_pass.yml
+++ b/roles/includes/get_rand_pass.yml
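Review bot: The archive_post.yml condition is written `when: glpi_install_mode | default('none')== 'upgrade'` with no space before `==`; Jinja parses it, but it differs from the archive_pre.yml line a few lines above and from the same guard in the other roles of this commit, which defeats grepping for the condition. Suggest `when: glpi_install_mode | default('none') == 'upgrade'` so the two guards in the file are byte-identical.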
@@ -1,49 +1,73 @@
 ---
+- name: Install tools
+ package:
+ name:
+ - pwgen
+ - openssl
+ when: rand_pass_tools_installed is not defined or not rand_pass_tools_installed
+
+# Mark tool sas installed so we do not check each time, as it can be slow
+- set_fact: rand_pass_tools_installed=True
+
+# Check if a non encrypted file exists. We do it first for backward compatibility
 - name: Check if password file exists
 stat: path={{ pass_file }}
- register: pass_file_exists
- tags: always
+ register: pass_file_clear
-#- name: Check if a vault password file exists
-# stat: path={{ pass_file }}.vault
-# register: pass_file_vault_exists
-# tags: always
-#
-## Generate a pass and store it encrypted
-#- when: not pass_file_exists.stat.exists and not pass_file_vault_exists.stat.exists and encryption | default(True) and vault_encryption_key is defined
-# block:
-# - package: name=pwgen
-# - shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
-# register: rand_pass
-# # Now write this new pass
-# - copy: content={{ rand_pass.stdout | trim | vault(vault_encryption_key) }} dest={{ pass_file }}.vault mode=600
-# tags: always
+# Now check if an encrypted file exists
+- name: Check if an encrypted password file exists
+ stat: path={{ pass_file }}.aes256
+ register: pass_file_enc
-# When no pass exist, create one
-- when: not pass_file_exists.stat.exists # and (not encryption or vault_encryption_key is not defined)
+# When no clear nor encrypted file exists, generate a random pass with pwgen
+- name: Generate a random password
+ shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
+ register: rand_pass
+ when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists
+
+# New pass generation ? Encrypt it with openssl, unless encryption is disabled, or the global rand_pass_encryption_key isn't defined
+- when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
 block:
- - package: name=pwgen
- - shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
- register: rand_pass
- # Now write this new pass
- - copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
- tags: always
+ - name: Encrypt the generated password
+ shell: openssl enc -e -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
+ args:
+ stdin: "{{ rand_pass.stdout }}"
+ register: encrypted_rand_pass
+ - copy: content={{ encrypted_rand_pass.stdout | trim }} dest={{ pass_file }}.aes256 mode=600
+
+# New pass generation but with encryption disabled, or the global rand_pass_encryption_key not defined
+# in this case, store the password as plain text
+- name: Store the generated password as clear text
+ copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
+ when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and (not encryption | default(True) or rand_pass_encryption_key is not defined)
 # Read the encrypted pass
-#- when: not pass_file_exists.stat.exists and encryption | default(True) and vault_encryption_key is defined
-# block:
-# - name: Read the password
-# slurp: src={{ pass_file }}.vault
-# register: rand_pass
-# - set_fact: rand_pass={{ rand_pass.content | b64decode | trim | unvault(vault_encryption_key) }}
-# tags: always
+- when: not pass_file_clear.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
+ block:
-# Read unencrypted pass file (compat)
-- block:
- - name: Read the password
- slurp: src={{ pass_file }}
+ - name: Read the encrypted password
+ slurp: src={{ pass_file }}.aes256
 register: rand_pass
- - set_fact: rand_pass={{ rand_pass.content | b64decode | trim }}
- tags: always
+
+ - name: Decrypt the password
+ shell: openssl enc -d -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
+ args:
+ stdin: "{{ rand_pass.content | b64decode | trim }}"
+ register: rand_pass_decrypted
+ changed_when: False
+
+# Read unencrypted pass file
+- when: not encryption | default(True) or rand_pass_encryption_key is not defined or pass_file_clear.stat.exists
+ block:
+ - name: Read the clear text password
+ slurp: src={{ pass_file }}
+ register: rand_pass_clear
+
+# Now set either the decrypted, or the clear text pass in the rand_pass variable which will be used by the caller
+- set_fact:
+ rand_pass: >-
+ {%- if (rand_pass_decrypted is defined and rand_pass_decrypted.stdout is defined) -%}{{ rand_pass_decrypted.stdout }}
+ {%- elif rand_pass_clear is defined and rand_pass_clear.content is defined -%}{{ rand_pass_clear.content | b64decode | trim }}
+ {%- else -%}{%- endif -%}
diff --git a/roles/kimai/defaults/main.yml b/roles/kimai/defaults/main.yml
index 01667e8..1be8934 100644
--- a/roles/kimai/defaults/main.yml
+++ b/roles/kimai/defaults/main.yml
@@ -5,12 +5,12 @@
 # You can set it to a number or a simple string (no special chars)
 kimai_id: 1
 # Kimai version to deploy
-kimai_version: 1.17.1
+kimai_version: 1.18
 # URL of the archive
 kimai_archive_url: https://github.com/kevinpapst/kimai2/archive/refs/tags/{{ kimai_version }}.tar.gz
 # Expected sha256 of the archive
-kimai_archive_sha256: ceff0573591d2e5c70a679301caabe626d8545af5e987443c8155f633babcd0e
+kimai_archive_sha256: 55de86690b9c0907ccd0c35802bb469d3e798aadaa046e21c76dd669e930d0e3
 # Directory where kimai will be installed
 kimai_root_dir: /opt/kimai_{{ kimai_id }}
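Review bot: Both openssl calls in the "Encrypt the generated password" and "Decrypt the password" tasks pass `rand_pass_encryption_key` on the command line (`-pass pass:…`), where any local user on the managed host can read it from `ps` or `/proc/*/cmdline` while openssl runs, and none of the pwgen, encrypt, decrypt, copy or final `set_fact` tasks set `no_log: true`, so the key, the generated password and the decrypted password are all echoed in task output and kept in Ansible logs. `openssl enc` invoked without `-pbkdf2`/`-md` also uses the legacy single-pass EVP_BytesToKey derivation whose default digest changed between OpenSSL 1.0.x (md5) and 1.1+ (sha256), so a `.aes256` file written on one host can fail to decrypt on another; since this commit introduces the format, pinning the KDF now avoids a migration later (assuming no `.aes256` files have been produced yet, and noting that `-pbkdf2` needs OpenSSL 1.1.1+). The rewrite below hands the key over through the task `environment:` and `-pass env:RAND_PASS_KEY` (the environment is only readable from `/proc/<pid>/environ` by the same user or root), pins `-pbkdf2 -iter 100000 -md sha256` on both sides and adds `no_log: true`; the same `no_log: true` belongs on the pwgen task, both `copy` tasks and the closing `set_fact`. Note also that `-aes256` is AES-256-CBC without authentication, so the `mode=600` on the file is the only thing protecting the stored password from tampering.
```yaml
  - name: Encrypt the generated password
    shell: openssl enc -e -a -aes256 -pbkdf2 -iter 100000 -md sha256 -pass env:RAND_PASS_KEY
    args:
      stdin: "{{ rand_pass.stdout }}"
    environment:
      RAND_PASS_KEY: "{{ rand_pass_encryption_key }}"
    register: encrypted_rand_pass
    no_log: true
# … unchanged: copy of encrypted_rand_pass to {{ pass_file }}.aes256, clear-text fallback, slurp of the .aes256 file …
  - name: Decrypt the password
    shell: openssl enc -d -a -aes256 -pbkdf2 -iter 100000 -md sha256 -pass env:RAND_PASS_KEY
    args:
      stdin: "{{ rand_pass.content | b64decode | trim }}"
    environment:
      RAND_PASS_KEY: "{{ rand_pass_encryption_key }}"
    register: rand_pass_decrypted
    changed_when: False
    no_log: true
```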
@@ -21,7 +21,7 @@ kimai_manage_upgrade: True
 # Will be created
 kimai_php_user: php-kimai_{{ kimai_id }}
 # PHP version under which kimai will run
-kimai_php_version: 81
+kimai_php_version: 80
 # Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role
 # bookstack_php_fpm_pool: custom_kimai
diff --git a/roles/kimai/tasks/main.yml b/roles/kimai/tasks/main.yml
index c87b01b..72501bc 100644
--- a/roles/kimai/tasks/main.yml
+++ b/roles/kimai/tasks/main.yml
@@ -1,13 +1,22 @@
 ---
-- include: user.yml
-- include: directories.yml
-- include: facts.yml
-- include: archive_pre.yml
- when: kimai_install_mode == 'upgrade'
-- include: install.yml
-- include: conf.yml
-- include: write_version.yml
-- include: archive_post.yml
- when: kimai_install_mode == 'upgrade'
-- include: cleanup.yml
+- include_tasks: user.yml
+ tags: always
+- include_tasks: directories.yml
+ tags: always
+- include_tasks: facts.yml
+ tags: always
+- include_tasks: archive_pre.yml
+ when: kimai_install_mode | default('non') == 'upgrade'
+ tags: always
+- include_tasks: install.yml
+ tags: always
+- include_tasks: conf.yml
+ tags: always
+- include_tasks: write_version.yml
+ tags: always
+- include_tasks: archive_post.yml
+ when: kimai_install_mode | default('none') == 'upgrade'
+ tags: always
+- include_tasks: cleanup.yml
+ tags: always
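Review bot: The archive_pre.yml include in the kimai tasks hunk uses `default('non')` while the archive_post.yml include a few lines below uses `default('none')`; the typo is harmless today because the default is only ever compared against `'upgrade'`, but the two lines are meant to be the same guard and any future check that compares the mode against `'none'` would silently diverge between the two includes. Suggest `when: kimai_install_mode | default('non') == 'upgrade'` → `when: kimai_install_mode | default('none') == 'upgrade'` on the archive_pre.yml include so it matches archive_post.yml and the sibling roles in this commit.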