dani
/
ansible-roles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update to 2021-12-31 14:05

This commit is contained in:
Daniel Berteaud 2021-12-31 14:05:49 +01:00
parent 489c627e9d
commit 6430e931d0
46 changed files with 856 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
README.md
View File

@ -25,7 +25,7 @@ Here're the steps to make use of this. Note that this is not a complete ansible
* Clone the repo
```
git clone https://git.lapiole.org/fws/ansible-roles.git
git clone https://git.lapiole.org/dani/ansible-roles.git
cd ansible-roles
```
@ -44,7 +44,7 @@ ssh-keygen -t rsa -b 4096 -f ssh/id_rsa
useradd -m ansible
mkdir ~ansible/.ssh
cat <<_EOF > ~ansible/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@fws.fr
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQgTcFNGSnLtuvNg53rdTEjbpwTGlhQj3PJ6Ova0eIPU8uf0ZrdET9guqvI3k1ng1OHNzWk3E+6VyXYW+N/nyLiliXxR4Dyf0DRECz8PSdGd8TnmRHGfNtLg941ndI6XqrZDt9+CLghAjasuRWV1LvWIK5M+z1X/uFAPmLAUDdkx7hC9PNb5M3yBkyRiwfB8OifLvQlWaM9Nr1wZMFvyD/LqZfHuzuv1CD76sZ+7GnHK3gZ4n+LAamQOhJiBqYOoTRMFOCLSIBYnGwuVdmEtC6mlbaw8Vj6umnPpJ3lwEO6IfUnIRz1XIr32kh0qXd6MWV/aHto9uzDlAO1EKm1WI8yjSm2NzUqWc5eelHFfYOQgro1KhoVkh1D39iyQZMblxqO8nuaX5sHK4F9r0/E+hDj8tWhsiocdO+/B7nYuMiDsqUpVVvtiTvk3x5J3FhaTmmA3F0buObjok1ifd1HeE6IORzHzsWFo9TvMpF1CjjOw7FG2vlH6eIvS29/9whzLK= ansible@lapiole.org
_EOF
chown -R ansible:ansible ~ansible/.ssh/
chmod 700 ~ansible/.ssh/
@ -88,7 +88,7 @@ This will create a single group **infra** with two hosts in it.
It's pretty self-explanatory. First, roles **common** and **backup** will be deployed on every hosts in the infra group. Then, **mysql_server** and **postgresql_server** will be deployed on **db.acme.com**. And roles **nginx**, **letsencrypt** and **lemonldap_ng** will be deployed on host **proxyin.acme.com**
* Now, it's time to configure a few things. Configuration is done be assigning values to varibles, and can be done at several levels.
* group_vars/all/vars.yml : variables here will be inherited by every hosts
* group_vars/all/vars.yml : variables here will be inherited by every hosts
```
ansible_become: True
trusted_ip:
@ -108,7 +108,7 @@ zabbix_agent_servers: "{{ zabbix_ip }}"
zabbix_proxy_encryption: psk
zabbix_proxy_server: 'zabbix.example.com'
```
* group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group
* group_vars/infra/vars.yml : variables here will be inherited by hosts in the **infra** group
```
sshd_src_ip: "{{ trusted_ip }}"
postfix_relay_host: '[smtp.example.com]:587'
@ -118,12 +118,11 @@ postfix_relay_pass: "S3cretP@ssw0rd"
ssh_users:
- name: ansible
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@fws.fr
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggaRr+WX94ojMdK35qYb8XtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxX/Ml7q9Sdj1t7BrqQqIK3T9kP7SZRhWNP6tvNKBgKFgc/k01ldw== ansible@lapiole.org
- name: dani
allow_forwarding: True
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+
dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== dani@fws.fr
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc9G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QMORxvCdfdsqoeod7jK384NXq+UD24Y/tEgT/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+dX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw== dani@lapiole.org
# Default database server
mysql_server: db.acme.com
@ -136,7 +135,7 @@ letsencrypt_dns_provider: gandi
letsencrypt_dns_provider_options: '--api-protocol=rest'
letsencrypt_dns_auth_token: "G7BL9RzkZdUI"
```
* host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com**
* host_vars/proxyin.acme.com/vars.yml : variables here will be inherited only by the host **proxyin.acme.com**
```
nginx_auto_letsencrypt_cert: True
@ -146,7 +145,7 @@ nginx_default_vhost_extra:
csp: >-
default-src 'self' 'unsafe-inline' blob:;
style-src-elem 'self' 'unsafe-inline' data:;
img-src 'self' data: blob: https://stats.fws.fr;
img-src 'self' data: blob: https://stats.lapiole.org;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.acme.com blob:;
font-src 'self' data:
proxy:

2
roles/bookstack/defaults/main.yml
View File

@ -19,7 +19,7 @@ bookstack_root_dir: /opt/bookstack_{{ bookstack_id }}
# User under which the app will be executed
bookstack_php_user: php-bookstack_{{ bookstack_id }}
# Version of PHP used
bookstack_php_version: 80
bookstack_php_version: 81
# Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role
# bookstack_php_fpm_pool: custom_bookstack

4
roles/diagrams/defaults/main.yml
View File

@ -1,11 +1,11 @@
---
# Veresion of diagrams to deploy
diagrams_version: 15.9.6
diagrams_version: 16.1.0
# URL of the WAR file to deploy
diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war
# Expected sha1 of the WAR file
diagrams_war_sha1: 54db4de31408d309dfc27ec81a6def55bca15afc
diagrams_war_sha1: ceee75855e8ac9a69d3723c2aa8c414a59d9c565
# root directory of the installation
diagrams_root_dir: /opt/diagrams
# Should ansible manage upgrades, or just initial install ?

5
roles/etherpad/defaults/main.yml
View File

@ -40,8 +40,11 @@ etherpad_theme: colibris
# List of plugins to install
etherpad_plugins_base:
- adminpads
- delete_after_delay
- delete_empty_pads
etherpad_plugins_extra: []
etherpad_plugins: "{{ etherpad_plugins_base + etherpad_plugins_extra }}"
# If you add the whiteboard plugin, set the URL
# See https://www.npmjs.com/package/ep_whiteboard
# etherpad_wbo_host: wbo.example.org

21
roles/etherpad/tasks/install.yml
View File

@ -51,6 +51,27 @@
notify: restart etherpad
tags: etherpad
- name: Link plugins
file: src={{ etherpad_root_dir }}/app/src/node_modules/ep_{{ item }} dest={{ etherpad_root_dir }}/app/node_modules/ep_{{ item }} state=link
loop: "{{ etherpad_plugins }}"
notify: restart etherpad
tags: etherpad
- name: List linked plugins
shell: find {{ etherpad_root_dir }}/app/node_modules/ -type l -maxdepth 1 -mindepth 1 -exec basename "{}" \;
register: etherpad_linked_plugins
changed_when: False
tags: etherpad
- name: Unlink unmanaged plugins
file: path={{ etherpad_root_dir }}/app/node_modules/{{ item }} state=absent
loop: "{{ etherpad_linked_plugins.stdout_lines }}"
when:
- item | regex_replace('^ep_', '') not in etherpad_plugins
- item != 'ep_etherpad-lite'
notify: restart etherpad
tags: etherpad
- import_tasks: ../includes/webapps_create_mysql_db.yml
vars:
- db_name: "{{ etherpad_db_name }}"

5
roles/etherpad/templates/settings.json.j2
View File

@ -22,6 +22,11 @@
"is_admin" : true
}
},
{% if 'whiteboard' in etherpad_plugins and etherpad_wbo_host is defined %}
"ep_draw": {
"host": "{{ etherpad_wbo_host }}"
},
{% endif %}
"ep_delete_after_delay": {
"delay" : 2592000,
"loop" : true,

4
roles/gitea/defaults/main.yml
View File

@ -1,11 +1,11 @@
---
# Version to install
gitea_version: 1.15.7
gitea_version: 1.15.9
# URL to the binary
gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
# sha256 of the binary
gitea_bin_sha256: 39b2a3f447a102822216fcc695fafed64dd5745d455ce9bdb15381e80f0f38e5
gitea_bin_sha256: dbdefbeed7073951ba955cb6c40bd7d9ece7a349c1326ad80c314690ff3616f1
# Handle updates. If set to false, ansible will only install
# Gitea and then won't touch an existing installation
gitea_manage_upgrade: True

5
roles/gitea/tasks/conf.yml
View File

@ -32,3 +32,8 @@
changed_when: False
tags: gitea
- name: Regenerate authorized_keys
command: "{{ gitea_root_dir }}/bin/gitea -c {{ gitea_root_dir }}/etc/app.ini admin regenerate keys"
become_user: gitea
when: gitea_install_mode == 'upgrade'
tags: gitea

4
roles/matrix_element/defaults/main.yml
View File

@ -5,9 +5,9 @@
element_id: element
# Version to deploy, and expected sha1
element_version: 1.9.7
element_version: 1.9.8
# sha1sum of the tar.gz
element_archive_sha1: a99123bce678b0e63380790ce80cafeb4e0d89ec
element_archive_sha1: 2f3099c119253f2c5d248ca7c8af9019dbc55a03
# Where to install element
element_root_dir: /opt/matrix/element

2
roles/matrix_synapse/defaults/main.yml
View File

@ -1,7 +1,7 @@
---
# Synapse version to deploy
synapse_version: 1.49.0
synapse_version: 1.49.2
# Should ansible handle Synapse upgrades ? If false, only initial install will be done
synapse_manage_upgrade: True

4
roles/openxpki/defaults/main.yml
View File

@ -1,8 +1,8 @@
---
pki_version: '3.16.0'
pki_version: '3.16.1'
pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz
pki_archive_sha1: 9bba585de36b81f70a7a315f8a591e388c516b38
pki_archive_sha1: 87eb892bcf4d7098e0803e0f03d66f1268d4fcef
pki_config_version: '3.16'
pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz

2
roles/pgadmin4/defaults/main.yml
View File

@ -10,7 +10,7 @@ pga_src_ip: []
# Root dir where the app will be installed
pga_root_dir: /opt/pgadmin4_{{ pga_id }}
# Version to deploy
pga_version: '6.2'
pga_version: '6.3'
# URL of the wheel
pga_pip_url: https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v{{ pga_version }}/pip/pgadmin4-{{ pga_version }}-py3-none-any.whl

2
roles/pgadmin4/templates/config_local.py.j2
View File

@ -35,4 +35,4 @@ OAUTH2_CONFIG=[{
WEBSERVER_AUTO_CREATE_USER=True
WEBSERVER_REMOTE_USER='{{ pga_webserver_header }}'
{% endif %}
AUTO_DISCOVER_SERVERS = False

14
roles/rpm_build_server/README.md Normal file
View File

@ -0,0 +1,14 @@
# RPM Build Server
# Description
This role will configure an rpm build server
# Compatibility
The role is testing on the following distributions
* AlmaLinux 8
# Settings
# Installation
# Upgrades

47
roles/rpm_build_server/defaults/main.yml Normal file
View File

@ -0,0 +1,47 @@
---
rpm_root_dir: /opt/rpm-build
rpm_packager: RPM Builder <rpms@{{ ansible_domain }}>
# User account under which the buildsys will run
# will be created
rpm_user: rpmbuilder
# Unix group allowed to submit builds
rpm_build_group: rpmbuilders
# Admin email where notifications will be sent
rpm_admin_email: "{{ system_admin_email | default('root@' ~ ansible_domain) }}"
# name of the GPG key used to sign the packages
rpm_gpg_name: RPM Signing Key
rpm_gpg_email: rpms@{{ ansible_domain }}
# optional passphrase for the GPG Key
# rpm_gpg_pass: S3cr3tP@ssPhr4z
# You can configure remote mirrors to which the local repo will be synced with rsync
# rpm_mirrors:
# - dest: repo@repo.example.org:/opt/repo/rpms/
# rsync_opts:
# - '--times'
# - '--recursive'
# - '--partial'
# - '--delete-after'
# - '--exclude=archives'
# A list of rsync options which will be used to sync repo to mirrors
# This is a fallback if rsync_opts is not defined for a mirror
rpm_mirror_rsync_opts:
- '--times'
- '--recursive'
- '--partial'
- '--delete-after'
# You can use an LDAP server to lookup email address of build
# submitters. The buildsys will first get the username of the uploaded SRPM
# and then lookup into LDAP as configured here for the corresponding email address
# If an email if found, notifications will be sent to the submitter's address
rpm_ldap_servers: "{{ ad_ldap_servers is defined | ternary(ad_ldap_servers | map('regex_replace', '^(.*)', 'ldap://\\1') | list, []) }}"
rpm_ldap_start_tls: True
# rpm_ldap_bind_dn: CN=Build System,OU=Apps,DC=foo,DC=bar
# rpm_ldap_bind_pass: S3cr3t.
rpm_ldap_search_base: "{{ ad_ldap_user_search_base is defined | ternary(ad_ldap_user_search_base, ansible_domain | regex_replace('\\.', ',DC=')) }}"
# The {user} string will be replaced with the username of the submiter of the build
rpm_ldap_search_filter: (&(objectClass=user)(userPrincipalName={user})(mail=*))
rpm_ldap_email_attr: mail

357
roles/rpm_build_server/files/watcher.pl Normal file
View File

@ -0,0 +1,357 @@
#!/usr/bin/perl
use strict;
use warnings;
use Linux::Inotify2;
use YAML::Tiny;
use Getopt::Long;
use File::stat;
use File::Find;
use File::Basename;
use File::Path qw(make_path);
use File::Copy qw(move);
use AnyEvent;
use RPM2;
use Time::HiRes 'time';
use Email::MIME;
use Email::Sender::Simple qw(sendmail);
use Email::Sender::Transport::Sendmail;
use Net::LDAP;
# Init an empty conf
my $conf = {};
# Disable output buffering
$| = 1;
# Defaults for command line flags
my $opt = {
config => '../etc/config.yml',
verbose => 0,
quiet => 0
};
# Read some options from the command line
GetOptions (
'config=s' => \$opt->{config},
'quiet' => \$opt->{quiet},
'verbose' => \$opt->{verbose}
);
# Check if the config file exists, and if so, parse it
# and load it in $conf
if ( -e $opt->{config} ) {
log_verbose( "Reading config file " . $opt->{config} );
my $yaml = YAML::Tiny->read( $opt->{config} );
if ( not $yaml or not $yaml->[0] ) {
die "Config file " . $opt->{config} . " is invalid\n";
}
$conf = $yaml->[0];
} else {
# If the config file doesn't exist, just die
die "Config file " . $opt->{config} . " doesn't exist\n";
}
# If ldap is configured, we'll use it to lookup email
# addresses of submitters to send them notifications
my $ldap;
my $ldap_msg;
if (defined $conf->{ldap} and defined $conf->{ldap}->{servers}){
log_verbose("Connecting to " . join(', ', @{$conf->{ldap}->{servers}}));
$ldap = new Net::LDAP($conf->{ldap}->{servers},
timeout => 10,
);
if (not defined $ldap){
log_info("Couldn't connect to any LDAP servers (" . join(',', @{$conf->{ldap}->{servers}}) . ")");
} else {
if (defined $conf->{ldap}->{start_tls} and $conf->{ldap}->{start_tls}){
log_verbose("Upgrade LDAP connection using StartTLS");
$ldap_msg = $ldap->start_tls(
verify => 'require'
);
if ($ldap_msg->code){
log_verbose("StartTLS failed : " . $ldap_msg->error);
log_verbose("LDAP support will be disabled");
$ldap = undef;
}
}
if (defined $conf->{ldap}->{bind_dn} and defined $conf->{ldap}->{bind_pass}){
log_verbose("Binding as $conf->{ldap}->{bind_dn}");
$ldap_msg = $ldap->bind(
$conf->{ldap}->{bind_dn},
password => $conf->{ldap}->{bind_pass}
);
if ($ldap_msg->code){
log_verbose("LDAP bind failed : " . $ldap_msg->error);
log_verbose("LDAP support will be disabled");
$ldap = undef;
}
} else {
log_verbose("Using anonymous bind");
$ldap_msg = $ldap->bind;
}
}
} else {
log_verbose("No LDAP servers configured");
}
my $inotify = new Linux::Inotify2
or die "Unable to create new inotify object: $!";
log_verbose("Searching for folders in $conf->{paths}->{uploads}");
find({
wanted => sub { -d and create_watcher($inotify, $File::Find::name); }
}, $conf->{paths}->{uploads});
my $cv = AnyEvent->condvar;
my $poller = AnyEvent->io(
fh => $inotify->fileno,
poll => 'r',
cb => sub { $inotify->poll }
);
# Receive event signals (inotify signals)
$cv->recv;
# Print messages only if the verbose flag was given
sub log_verbose {
my $msg = shift;
print $msg . "\n" if ( $opt->{verbose} );
}
# Print normal messages
sub log_info {
my $msg = shift;
print $msg . "\n" if ( not $opt->{quiet} );
}
# Print error messages
sub log_error {
my $msg = shift;
print $msg . "\n";
}
# Create a watcher for a specific directory
sub create_watcher {
my ($inotify, $dir) = @_;
log_verbose("Start watching folder $dir");
$inotify->watch ($dir, IN_CLOSE_WRITE | IN_MOVED_TO, sub {
my $event = shift;
my $candidate = $event->fullname;
handle_submit($candidate);
});
}
# takes the path of an SRPM to rebuild,
# build it with mock, sign the result, update the repo
# and sync to remote mirrors if defined
sub handle_submit {
my $srpm = shift;
if (not -f $srpm){
log_verbose("$srpm isn't a file, ignoring");
return;
}
if ($srpm !~ m/src\.rpm$/i){
log_verbose("New file $srpm isn't an src.rpm file, ignoring");
return;
}
log_info("New file to process $srpm");
my $submiter = getpwuid(stat($srpm)->uid);
my $email;
log_info("File submited by $submiter");
if (defined $ldap){
$email = user2email($submiter);
if (not defined $email){
log_verbose("LDAP returned no result");
}
}
if (defined $email){
log_verbose("Notifications will be sent to $email");
} else {
log_verbose("No email address for $submiter, no notification will be sent");
}
my $src_pkg = RPM2->open_package($srpm);
if (not $src_pkg->is_source_package){
log_verbose("Couldn't parse $srpm as a valid srpm");
return;
}
my $target = basename(dirname($srpm));
if (not defined $conf->{targets}->{$target}){
log_info("$srpm submited for target $target, but it's not defined in the configuration");
}
foreach my $arch (@{$conf->{targets}->{$target}}){
my $job_id = $src_pkg->as_nvre() . '-' . time();
my $result = $conf->{paths}->{builds} . '/' . $submiter . '/' . $target . '-' . $arch . '/' . $job_id;
log_info("Rebuilding $srpm for $target/$arch in $result (job ID $job_id)");
make_path($result);
my $mock_msg;
foreach my $out (qx(mock -r $target-$arch --resultdir=$result $srpm 2>&1)){
chomp $out;
$mock_msg .= $out;
log_info("[$job_id] $out");
}
if ($? != 0) {
log_info("[$job_id] Build submited by $submiter failed");
handle_error($job_id, 'Mock build', $mock_msg);
return;
}
my $repo_dir = $conf->{paths}->{repo};
my $repo_cache_dir = $conf->{paths}->{repo_cache};
if ($src_pkg->release =~ m/\.(beta|git\.)/){
$repo_dir .= '/testing';
$repo_cache_dir .= '/testing';
}
$repo_dir .= '/' . $target;
$repo_cache_dir .= '/' . $target;
find({
wanted => sub {
return if (not -f);
return if (not $_ =~ m/\.rpm$/);
my $built_pkg = $_;
log_info("[$job_id] Signing package $built_pkg");
# Note : the optional passphrase for the gpg key is in rpmmacros
qx(rpm --addsign $built_pkg);
if ($? != 0) {
log_info("[$job_id] Signing failed");
handle_error($job_id, 'Package signature error', "Command rpm --addsign $built_pkg failed");
return;
}
# Open the package without checking the signature, as the key might not be present in the
# rpm trusted store
my $pkg = RPM2->open_package($built_pkg, RPM2->_rpmvsf_nosignatures);
my $dest = $repo_dir;
if ($pkg->is_source_package){
$dest .= '/SRPMS';
} else {
# the resulting RPM can be noarch, so use this instead of $arch
$dest .= '/' . $pkg->arch;
}
log_info("[$job_id] Moving $built_pkg to the repo $dest");
make_path($dest);
make_path($repo_cache_dir);
move $built_pkg, $dest . '/' . basename($built_pkg);
}
}, $result);
log_info("[$job_id] Updating repo metadata for $target");
qx(createrepo --checksum sha -x "*debuginfo*" --update -c $repo_cache_dir $repo_dir);
if ($? != 0) {
log_info("[$job_id] Createrepo failed");
handle_error(
$job_id,
'Createrepo error',
"Command createrepo --checksum sha -x \"*debuginfo*\" --update -c $repo_cache_dir $repo_dir"
);
return;
}
log_info("[$job_id] Building package finished");
# Now push to mirrors if defined
if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){
foreach my $mirror (@{$conf->{mirror}->{push}}){
log_info("[$job_id] syncing repo to $mirror->{dest}");
my $rsync_cmd = 'rsync ';
if (defined $mirror->{rsync_opts}){
$rsync_cmd .= join(' ', @{$mirror->{rsync_opts}});
} else {
$rsync_cmd .= join(' ', @{$conf->{mirror}->{rsync_opts}});
}
$rsync_cmd .= ' ' . $conf->{paths}->{repo} . '/ ' . $mirror->{dest} . '/';
log_verbose("[$job_id] Running command $rsync_cmd");
foreach my $out (qx($rsync_cmd 2>&1)){
chomp $out;
log_verbose("[$job_id] $out");
}
if ($? != 0) {
log_info("[$job_id] Syncing to $mirror->{dest} failed");
handle_error($job_id, 'Mirror update error', "Command $rsync_cmd failed");
return;
}
}
}
if (defined $email){
my $body = "Resulting RPM are available in $conf->{paths}->{repo}/$target";
if (defined $conf->{mirror} and defined $conf->{mirror}->{push}){
$body .= "\nand have been synced to the following mirror:\n";
foreach my $mirror (@{$conf->{mirror}->{push}}){
$body .= "$mirror->{dest}\n";
}
}
send_notification(
$email,
"Rebuilding " . $src_pkg->as_nvre() . " for $target/$arch succeded",
$body
);
}
}
}
# Handle errors. Log it, and notify the admin
sub handle_error {
my $job_id = shift;
my $step = shift;
my $err = shift;
my $dest = shift;
log_error( $err );
if ( defined $conf->{notify}->{to} ) {
send_notification(
$conf->{notify}->{to},
"Error while building $job_id",
"Building $job_id failed at step '$step'. The error was\n$err\n"
);
}
if ( defined $dest ) {
send_notification(
$dest,
"Error while building $job_id",
"Building $job_id failed at step '$step'. The error was\n$err\n"
);
}
}
# Send an email message
sub send_notification {
my $to = shift;
my $subject = shift;
my $body = shift;
my $mail = Email::MIME->create(
header_str => [
From => $conf->{notify}->{from},
To => $to,
Subject => $subject
],
attributes => {
charset => 'utf-8',
encoding => 'base64'
},
body_str => $body
);
my $transport = Email::Sender::Transport::Sendmail->new();
sendmail( $mail, { transport => $transport } );
}
# Lookup in LDAP if we can get the email address of a user
sub user2email {
my $user = shift;
if (not defined $ldap or not defined $conf->{ldap}->{search_base} or not defined $conf->{ldap}->{search_filter}){
return;
}
my $filter = $conf->{ldap}->{search_filter};
$filter =~ s/\{user\}/$user/g;
log_verbose("Searching in $conf->{ldap}->{search_base} with filter $filter");
my $results = $ldap->search(
base => $conf->{ldap}->{search_base},
filter => $filter,
attrs => [ $conf->{ldap}->{email_attr} ]
);
if ($results->code){
log_verbose("Error occured while searching in LDAP : " . $results->error);
return;
}
if ($results->count != 1){
log_verbose("Searching returned " . $results->count . "result(s), while it should have returned 1");
return;
}
return $results->entry(0)->get_value( $conf->{ldap}->{email_attr} );
}

8
roles/rpm_build_server/handlers/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: reset permissions
command: "{{ rpm_root_dir }}/bin/perms.sh"
- name: restart build-watcher
service: name=build-watcher state=restarted

58
roles/rpm_build_server/tasks/conf.yml Normal file
View File

@ -0,0 +1,58 @@
---
- name: Deploy mock config
template: src=mock/{{ item }}.j2 dest=/etc/mock/{{ item }}
loop:
- site-defaults.cfg
- el7-x86_64.cfg
- el8-x86_64.cfg
tags: rpm
- name: Deploy rpmmacros
template: src=rpmmacros.j2 dest={{ rpm_root_dir }}/.rpmmacros owner={{ rpm_user }} mode=600
tags: rpm
- name: Deploy main configuration
template: src=config.yml.j2 dest={{ rpm_root_dir }}/etc/config.yml
notify: restart build-watcher
tags: rpm
- name: Check if gpg key exists
shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep -q "{{ rpm_gpg_email }}"
failed_when: False
changed_when: False
register: rpm_gpg_key_exists
become_user: "{{ rpm_user }}"
tags: rpm
- name: Flush handlers to set permissions on directories
meta: flush_handlers
tags: rpm
- when: rpm_gpg_key_exists.rc != 0
block:
- name: Generate main key
shell: |
gpg --batch \
--passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \
--pinentry-mode loopback \
--quick-gen-key "{{ rpm_gpg_name }} <{{ rpm_gpg_email }}>" rsa3072 default never
- name: Get key ID
shell: gpg --list-options show-only-fpr-mbox --list-secret-keys | grep {{ rpm_gpg_email }} | awk '{ print $1 }'
register: rpm_gpg_key_id
changed_when: False
- name: Add sub key
shell: |
gpg --batch \
--passphrase '{{ rpm_gpg_pass is defined | ternary(rpm_gpg_pass, '') }}' \
--pinentry-mode loopback \
--quick-add-key {{ rpm_gpg_key_id.stdout }} rsa3072 default never \
- name: Export public key
shell: gpg --export -a "rpms@lapiole.org" > {{ rpm_root_dir }}/repo/RPM-GPG-KEY
become_user: "{{ rpm_user }}"
tags: rpm

18
roles/rpm_build_server/tasks/directories.yml Normal file
View File

@ -0,0 +1,18 @@
---
- name: Create directories
file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
loop:
- dir: "{{ rpm_root_dir }}"
- dir: "{{ rpm_root_dir }}/mock"
- dir: "{{ rpm_root_dir }}/cache"
- dir: "{{ rpm_root_dir }}/cache/mock"
- dir: "{{ rpm_root_dir }}/cache/repo"
- dir: "{{ rpm_root_dir }}/repo"
- dir: "{{ rpm_root_dir }}/bin"
- dir: "{{ rpm_root_dir }}/uploads/el7"
- dir: "{{ rpm_root_dir }}/uploads/el8"
- dir: "{{ rpm_root_dir }}/errors"
- dir: "{{ rpm_root_dir }}/builds"
- dir: "{{ rpm_root_dir }}/etc"
tags: rpm

9
roles/rpm_build_server/tasks/facts.yml Normal file
View File

@ -0,0 +1,9 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: rpm

22
roles/rpm_build_server/tasks/install.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Deploy permission script
template: src=perms.sh.j2 dest={{ rpm_root_dir }}/bin/perms.sh mode=755
notify: reset permissions
tags: rpm
- name: Install watcher daemon
copy: src=watcher.pl dest={{ rpm_root_dir }}/bin/watcher.pl mode=755
notify: restart build-watcher
tags: rpm
- name: Deploy systemd unit
template: src=build-watcher.service.j2 dest=/etc/systemd/system/build-watcher.service
notify: restart build-watcher
register: rpm_unit
tags: rpm
- name: Reload systemd
systemd: daemon_reload=True
when: rpm_unit.changed
tags: rpm

9
roles/rpm_build_server/tasks/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
- include: facts.yml
- include: requirements.yml
- include: user.yml
- include: directories.yml
- include: install.yml
- include: conf.yml
- include: services.yml

5
roles/rpm_build_server/tasks/requirements.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Install required packages
package: name={{ rpm_packages }}
tags: rpm

5
roles/rpm_build_server/tasks/services.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Start and enable the build watcher
service: name=build-watcher state=started enabled=True
tags: rpm

23
roles/rpm_build_server/tasks/user.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: Create build user
user:
name: "{{ rpm_user }}"
system: True
home: "{{ rpm_root_dir }}"
generate_ssh_key: True
ssh_key_file: .ssh/id_rsa
tags: rpm
- name: Create builder group
group:
name: "{{ rpm_build_group }}"
tags: rpm
- name: Add build user to the mock group
user:
name: "{{ rpm_user }}"
append: True
groups:
- mock
tags: rpm

16
roles/rpm_build_server/templates/build-watcher.service.j2 Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=RPM Build watcher service
[Service]
Type=simple
User={{ rpm_user }}
Group={{ rpm_user }}
ExecStart=/usr/bin/perl {{ rpm_root_dir }}/bin/watcher.pl --config {{ rpm_root_dir }}/etc/config.yml --verbose
WorkingDirectory={{ rpm_root_dir }}/
Restart=always
ReadWritePaths=/run {{ rpm_root_dir }}/repo {{ rpm_root_dir }}/cache {{ rpm_root_dir }}/builds
PrivateTmp=true
[Install]
WantedBy=multi-user.target

52
roles/rpm_build_server/templates/config.yml.j2 Normal file
View File

@ -0,0 +1,52 @@
---
targets:
el7:
- x86_64
el8:
- x86_64
paths:
repo: {{ rpm_root_dir }}/repo
repo_cache: {{ rpm_root_dir }}/cache/repo
builds: {{ rpm_root_dir }}/builds
uploads: {{ rpm_root_dir }}/uploads
notify:
from: buildsys@{{ ansible_domain }}
to: {{ rpm_admin_email }}
{% if rpm_mirrors is defined and rpm_mirrors | length > 0 %}
mirror:
push:
{% for mirror in rpm_mirrors %}
- dest: {{ mirror.dest }}
{% if mirror.rsync_opts is defined %}
rsync_opts:
{% for opt in mirror.rsync_opts %}
- '{{ opt }}'
{% endfor %}
{% endif %}
{% endfor %}
rsync_opts:
{% for opt in rpm_mirror_rsync_opts %}
- '{{ opt }}'
{% endfor %}
{% endif %}
ldap:
{% if rpm_ldap_servers is defined and rpm_ldap_servers | length > 0 %}
servers:
{% for server in rpm_ldap_servers %}
- {{ server }}
{% endfor %}
{% else %}
servers: []
{% endif %}
start_tls: {{ rpm_ldap_start_tls | ternary('True', 'False') }}
bind_dn: {{ rpm_ldap_bind_dn }}
bind_pass: {{ rpm_ldap_bind_pass | quote }}
search_base: {{ rpm_ldap_search_base }}
search_filter: {{ rpm_ldap_search_filter }}
email_attr: {{ rpm_ldap_email_attr }}

1
roles/rpm_build_server/templates/gpg-agent.conf.j2 Normal file
View File

@ -0,0 +1 @@
allow-loopback-pinentry

2
roles/rpm_build_server/templates/gpg.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
use-agent
pinentry-mode loopback

25
roles/rpm_build_server/templates/mock/el7-x86_64.cfg.j2 Normal file
View File

@ -0,0 +1,25 @@
include('templates/centos-7.tpl')
include('templates/epel-7.tpl')
config_opts['root'] = 'el7-x86_64'
config_opts['target_arch'] = 'x86_64'
config_opts['legal_host_arches'] = ('x86_64',)
config_opts['macros']['%rhel'] = '7'
config_opts['macros']['%dist'] = '.el7.dbd'
config_opts['dnf.conf'] += """
[rpmfusion-free-updates]
baseurl = http://download1.rpmfusion.org/free/el/updates/7/x86_64/
gpgcheck = 1
gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-7
name = RPM Fusion for EL - Free - Updates
[dbd]
name=dbd
baseurl=http://rpms.lapiole.org/el7/
enabled=1
gpgcheck=1
gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
"""

28
roles/rpm_build_server/templates/mock/el8-x86_64.cfg.j2 Normal file
View File

@ -0,0 +1,28 @@
include('templates/almalinux-8.tpl')
include('templates/epel-8.tpl')
# Disable use_bootstrap_image until new release
# See https://github.com/rpm-software-management/mock/issues/831
config_opts['use_bootstrap_image'] = False
config_opts['root'] = 'el8-x86_64'
config_opts['target_arch'] = 'x86_64'
config_opts['legal_host_arches'] = ('x86_64',)
config_opts['macros']['%rhel'] = '8'
config_opts['macros']['%dist'] = '.el8.dbd'
config_opts['dnf.conf'] += """
[rpmfusion-free-updates]
baseurl = http://download1.rpmfusion.org/free/el/updates/8/x86_64/
gpgcheck = 1
gpgkey = https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-8
name = RPM Fusion for EL - Free - Updates
[dbd]
name=dbd
baseurl=http://rpms.lapiole.org/el8/
enabled=1
gpgcheck=1
gpgkey=https://rpms.lapiole.org/RPM-GPG-KEY
"""

17
roles/rpm_build_server/templates/mock/site-defaults.cfg.j2 Normal file
View File

@ -0,0 +1,17 @@
{% if system_proxy is defined and system_proxy != '' %}
config_opts['environment']['http_proxy'] = '{{ system_proxy }}'
config_opts['environment']['https_proxy'] = '{{ system_proxy }}'
{% endif %}
config_opts['createrepo_on_rpms'] = False
config_opts['cleanup_on_failure'] = 1
config_opts['cleanup_on_success'] = 1
config_opts['use_bootstrap_image'] = True
config_opts['plugin_conf']['root_cache_opts']['compress_program'] = "zstd"
config_opts['plugin_conf']['root_cache_opts']['extension'] = ".zst"
config_opts['rpmbuild_networking'] = True
config_opts['macros']['%distribution'] = "{{ rpm_packager }}"
config_opts['macros']['%packager'] = "{{ rpm_packager }}"
config_opts['macros']['%vendor'] = "{{ rpm_packager }}"
config_opts['basedir'] = '{{ rpm_root_dir }}/mock'
config_opts['cache_topdir'] = '{{ rpm_root_dir }}/cache/mock'

9
roles/rpm_build_server/templates/perms.sh.j2 Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
set -eo pipefail
chown -R {{ rpm_user }} {{ rpm_root_dir }}
chmod 770 {{ rpm_root_dir }}
setfacl -b -k -R {{ rpm_root_dir }}
setfacl -m g:{{ rpm_build_group }}:rX {{ rpm_root_dir }}
setfacl -R -m g:{{ rpm_build_group }}:rwX,d:g:{{ rpm_build_group }}:rwX {{ rpm_root_dir }}/uploads {{ rpm_root_dir }}/builds {{ rpm_root_dir }}/repo

3
roles/rpm_build_server/templates/rpmmacros.j2 Normal file
View File

@ -0,0 +1,3 @@
%_signature gpg
%_gpg_name {{ rpm_gpg_name }}
%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase '{{ (rpm_gpg_pass is defined) | ternary(rpm_gpg_pass, '') }}' --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

18
roles/rpm_build_server/vars/RedHat-8.yml Normal file
View File

@ -0,0 +1,18 @@
---
rpm_packages:
- podman
- mock
- inotify-tools
- zstd
- rsync
- yum-utils
- rpm-sign
- perl-Linux-Inotify2
- perl-YAML-Tiny
- perl-AnyEvent
- perl-RPM2
- perl-Time-HiRes
- perl-Email-MIME
- perl-Email-Sender
- perl-LDAP

8
roles/unmaintained/wbo/defaults/main.yml
View File

@ -1,8 +0,0 @@
---
wbo_id: 1
wbo_port: 8095
wbo_src_ip: []
wbo_root_dir: /opt/wbo_{{ wbo_id }}
wbo_git_url: https://github.com/lovasoa/whitebophir.git

13
roles/wbo/defaults/main.yml Normal file
View File

@ -0,0 +1,13 @@
---
# Several WBO instances can be installed on the same server
# but should have a uniq ID and bind port
wbo_id: 1
wbo_port: 8095
# List of IP/CIDR having access to WBO port (if iptables_manage == True)
wbo_src_ip: []
# Root dir where WBO will be installed
wbo_root_dir: /opt/wbo_{{ wbo_id }}
# URL of the git repo
wbo_git_url: https://github.com/lovasoa/whitebophir.git

0
roles/unmaintained/wbo/handlers/main.yml → roles/wbo/handlers/main.yml
View File

0
roles/unmaintained/wbo/meta/main.yml → roles/wbo/meta/main.yml
View File

8
roles/wbo/tasks/directory.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Create needed directories
file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | dedfault(omit) }}
loop:
- dir: "{{ wbo_root_dir }}"
owner: wbo_{{ wbo_id }}
tags: wbo

25
roles/unmaintained/wbo/tasks/main.yml → roles/wbo/tasks/install.yml
View File

@ -7,26 +7,20 @@
- git
tags: wbo
- import_tasks: ../includes/create_system_user.yml
vars:
- user: wbo_{{ wbo_id }}
- home: "{{ wbo_root_dir }}"
- comment: "Online collaborative Whiteboard {{ wbo_id }}"
tags: wbo
- name: Clone wbo repo
git:
repo: "{{ wbo_git_url }}"
dest: "{{ wbo_root_dir }}/app"
force: True
notify: restart wbo
become_user: wbo_{{ wbo_id }}
register: wbo_git
tags: wbo
- name: Install wbo
command: npm i
args:
chdir: "{{ wbo_root_dir }}/app"
npm:
path: "{{ wbo_root_dir }}/app"
become_user: wbo_{{ wbo_id }}
when: wbo_git.changed
tags: wbo
@ -44,14 +38,3 @@
when: wbo_unit.changed
tags: wbo
- name: Handle wbo port
iptables_raw:
name: wbo_port_{{ wbo_id }}
state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
tags: wbo
- name: Start and enable wbo daemon
service: name=wbo-{{ wbo_id }} state=started enabled=True
tags: wbo

8
roles/wbo/tasks/iptables.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Handle wbo port
iptables_raw:
name: wbo_port_{{ wbo_id }}
state: "{{ (wbo_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ wbo_port }} -s {{ wbo_src_ip | join(',') }} -j ACCEPT"
tags: wbo

8
roles/wbo/tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- include: user.yml
- include: install.yml
- include: iptables.yml
when: iptables_manage | default(True)
- include: services.yml

6
roles/wbo/tasks/services.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Start and enable wbo daemon
service: name=wbo-{{ wbo_id }} state=started enabled=True
tags: wbo

8
roles/wbo/tasks/user.yml Normal file
View File

@ -0,0 +1,8 @@
---
- import_tasks: ../includes/create_system_user.yml
vars:
- user: wbo_{{ wbo_id }}
- home: "{{ wbo_root_dir }}"
- comment: "Online collaborative Whiteboard {{ wbo_id }}"
tags: wbo

0
roles/unmaintained/wbo/templates/wbo.service.j2 → roles/wbo/templates/wbo.service.j2
View File