ansible-roles/roles/wh_backend/tasks/main.yml

---

- name: Install needed tools
  yum:
    name:
      - acl
      - MySQL-python
      - mariadb
  tags: web

- set_fact: wh_app_dir=[]
  tags: web
- name: Build a list of app root
  set_fact:
    wh_app_dir: "{{ wh_app_dir }} + [ '/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}' ]"
  loop: "{{ wh_clients | subelements('apps') }}"
  tags: web

- name: Create unix accounts
  user:
    name: "wh-{{ item.name }}"
    comment: "Unix account for {{ item.name }}"
    system: True
    shell: "{{ shell | default('/sbin/nologin') }}"
    home: /opt/wh/{{ item.name }}
  loop: "{{ wh_clients }}"
  tags: web

- name: Create ssh directories
  file: path=/etc/ssh/wh/{{ item.name }}/ state=directory mode=755
  loop: "{{ wh_clients }}"
  tags: web

- name: Deploy SSH keys
  authorized_key:
    user: root
    key: "{{ item.ssh_keys | default([]) | join(\"\n\") }}"
    path: /etc/ssh/wh/{{ item.name }}/authorized_keys
    manage_dir: False
    exclusive: True
  loop: "{{ wh_clients }}"
  tags: web

- name: Set correct permissions on authorized_key files
  file: path=/etc/ssh/wh/{{ item.name }}/authorized_keys owner=root group=root mode=644
  loop: "{{ wh_clients }}"
  when: item.ssh_keys | default([]) | length > 0
  tags: web

- name: List all authorized keys directories
  shell: ls -1 /etc/ssh/wh | xargs -n1 basename
  register: wh_existing_ssh_keys
  changed_when: False
  tags: web

- name: Remove unmanaged ssh keys
  file: path=/etc/ssh/wh/{{ item }} state=absent
  with_items: "{{ wh_existing_ssh_keys.stdout_lines | default([]) }}"
  when: item not in wh_clients | map(attribute='name')
  tags: web

- name: Create applications directories
  file: path={{ item.0 }}/{{ item.1 }} state=directory
  loop: "{{ wh_app_dir | product(['web','data','tmp','logs','archives','bin','info', 'db_dumps']) | list }}"
  notify: reset permissions
  tags: web

- name: Set correct SELinux context for apps directories
  sefcontext:
    target: "{{ item }}(/.*)?"
    setype: httpd_sys_content_t
    state: present
  when: ansible_selinux.status == 'enabled'
  loop: "{{ wh_app_dir }}"
  notify: reset permissions
  tags: web

- name: Deploy PHP FPM pools
  template: src=php-fpm.conf.j2 dest={{ item.value.conf_path }}/php-fpm.d/wh.conf
  vars:
    wh_php_version: "{{ item.key }}"
  loop: "{{ httpd_php_versions | dict2items }}"
  notify: restart php-fpm
  tags: web

- name: Deploy httpd configuration
  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/31-wh.conf
  notify: reload httpd
  tags: web

- name: Deploy permissions scripts
  template: src=perms.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/perms.sh
  loop: "{{ wh_clients | subelements('apps') }}"
  notify: reset permissions
  tags: web

- name: Create databases
  mysql_db:
    name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"
    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
    login_user: sqladmin
    login_password: "{{ mysql_admin_pass }}"
    collation: "{{ (wh_default_app | combine(item.1)).database.collation  }}"
    encoding: "{{ (wh_default_app | combine(item.1)).database.encoding  }}"
    state: present
  loop: "{{ wh_clients | subelements('apps') }}"
  when:
    - (wh_default_app | combine(item.1)).database.enabled
    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
  tags: web

- name: Create applications database users
  mysql_user:
    name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"
    password: "{{ (wh_default_app | combine(item.1)).database.pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=item.0.name + item.1.name) | string))[9:27] ) }}"
    priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"
    host: "%"
    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
    login_user: sqladmin
    login_password: "{{ mysql_admin_pass }}"
    state: present
  loop: "{{ wh_clients | subelements('apps') }}"
  when:
    - (wh_default_app | combine(item.1)).database.enabled
    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
  tags: web

- name: Create clients database user
  mysql_user:
    name: "{{ item.0.name[0:15] }}"
    password: "{{ item.0.db_pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=item.0.name) | string))[9:27]) }}"
    priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"
    host: "%"
    login_host: "{{ (wh_default_app | combine(item.1)).database.server | default(mysql_server) }}"
    login_user: sqladmin
    login_password: "{{ mysql_admin_pass }}"
    append_privs: True
    state: present
  loop: "{{ wh_clients | subelements('apps')}}"
  when:
    - (wh_default_app | combine(item.1)).database.enabled
    - (wh_default_app | combine(item.1)).database.engine == 'mysql'
  tags: web

- name: Deploy databases info file
  template: src=database.txt.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/info/database.txt
  loop: "{{ wh_clients | subelements('apps') }}"
  notify: reset permissions
  tags: web

- name: Deploy per app backup scripts
  template: src=backup.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/backup.sh mode=750
  loop: "{{ wh_clients | subelements('apps') }}"
  tags: web

- name: Deploy wh_create_archives script to archive all the hosted apps
  template: src=wh_create_archives.sh.j2 dest=/usr/local/bin/wh_create_archives.sh mode=750
  tags: web

- name: Setup a daily cronjob to take automatic archives of webapps
  cron:
    name: wh_backups
    special_time: daily
    user: root
    job: 'systemd-cat /usr/local/bin/wh_create_archives.sh'
    cron_file: wh
    state: present
  tags: web

- name: Deploy global pre/post backup scripts
  template: src={{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/wh.sh mode=700
  loop: [ 'pre', 'post' ]
  tags: web

- name: Deploy logrotate snippet
  template: src=logrotate.j2 dest=/etc/logrotate.d/wh
  tags: web

- name: Remove old logrotate snippet
  file: path=/etc/logrotate.d/wh.conf state=absent
  tags: web

- name: Deploy wh-acld
  template: src=wh-acld.j2 dest=/usr/local/bin/wh-acld mode=750
  notify: restart wh-acld
  tags: web

- name: Deploy wh-acld service unit
  template: src=wh-acld.service.j2 dest=/etc/systemd/system/wh-acld.service
  register: wh_acld_unit
  tags: web

- name: Reload systemd
  systemd: daemon_reload=True
  when: wh_acld_unit.changed
  tags: web

- name: Start and enable wh-acld
  service: name=wh-acld state=started enabled=True
  tags: web
Update to 2020-04-14 5 years ago			`---`

			`- name: Install needed tools`
			`yum:`
			`name:`
			`- acl`
			`- MySQL-python`
			`- mariadb`
			`tags: web`

			`- set_fact: wh_app_dir=[]`
			`tags: web`
			`- name: Build a list of app root`
			`set_fact:`
			`wh_app_dir: "{{ wh_app_dir }} + [ '/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}' ]"`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`tags: web`

			`- name: Create unix accounts`
			`user:`
			`name: "wh-{{ item.name }}"`
			`comment: "Unix account for {{ item.name }}"`
			`system: True`
			`shell: "{{ shell \| default('/sbin/nologin') }}"`
			`home: /opt/wh/{{ item.name }}`
			`loop: "{{ wh_clients }}"`
			`tags: web`

			`- name: Create ssh directories`
			`file: path=/etc/ssh/wh/{{ item.name }}/ state=directory mode=755`
			`loop: "{{ wh_clients }}"`
			`tags: web`

			`- name: Deploy SSH keys`
			`authorized_key:`
			`user: root`
			`key: "{{ item.ssh_keys \| default([]) \| join(\"\n\") }}"`
			`path: /etc/ssh/wh/{{ item.name }}/authorized_keys`
			`manage_dir: False`
			`exclusive: True`
			`loop: "{{ wh_clients }}"`
			`tags: web`

			`- name: Set correct permissions on authorized_key files`
			`file: path=/etc/ssh/wh/{{ item.name }}/authorized_keys owner=root group=root mode=644`
			`loop: "{{ wh_clients }}"`
			`when: item.ssh_keys \| default([]) \| length > 0`
			`tags: web`

			`- name: List all authorized keys directories`
			`shell: ls -1 /etc/ssh/wh \| xargs -n1 basename`
			`register: wh_existing_ssh_keys`
			`changed_when: False`
			`tags: web`

			`- name: Remove unmanaged ssh keys`
			`file: path=/etc/ssh/wh/{{ item }} state=absent`
			`with_items: "{{ wh_existing_ssh_keys.stdout_lines \| default([]) }}"`
			`when: item not in wh_clients \| map(attribute='name')`
			`tags: web`

			`- name: Create applications directories`
			`file: path={{ item.0 }}/{{ item.1 }} state=directory`
			`loop: "{{ wh_app_dir \| product(['web','data','tmp','logs','archives','bin','info', 'db_dumps']) \| list }}"`
			`notify: reset permissions`
			`tags: web`

			`- name: Set correct SELinux context for apps directories`
			`sefcontext:`
			`target: "{{ item }}(/.*)?"`
			`setype: httpd_sys_content_t`
			`state: present`
			`when: ansible_selinux.status == 'enabled'`
			`loop: "{{ wh_app_dir }}"`
			`notify: reset permissions`
			`tags: web`

			`- name: Deploy PHP FPM pools`
			`template: src=php-fpm.conf.j2 dest={{ item.value.conf_path }}/php-fpm.d/wh.conf`
			`vars:`
			`wh_php_version: "{{ item.key }}"`
			`loop: "{{ httpd_php_versions \| dict2items }}"`
			`notify: restart php-fpm`
			`tags: web`

			`- name: Deploy httpd configuration`
			`template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/31-wh.conf`
			`notify: reload httpd`
			`tags: web`

			`- name: Deploy permissions scripts`
			`template: src=perms.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/perms.sh`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`notify: reset permissions`
			`tags: web`

			`- name: Create databases`
			`mysql_db:`
			`name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"`
			`login_host: "{{ (wh_default_app \| combine(item.1)).database.server \| default(mysql_server) }}"`
			`login_user: sqladmin`
			`login_password: "{{ mysql_admin_pass }}"`
			`collation: "{{ (wh_default_app \| combine(item.1)).database.collation }}"`
			`encoding: "{{ (wh_default_app \| combine(item.1)).database.encoding }}"`
			`state: present`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`when:`
			`- (wh_default_app \| combine(item.1)).database.enabled`
			`- (wh_default_app \| combine(item.1)).database.engine == 'mysql'`
			`tags: web`

			`- name: Create applications database users`
			`mysql_user:`
			`name: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}"`
			`password: "{{ (wh_default_app \| combine(item.1)).database.pass \| default((wh_pass_seed \| password_hash('sha256', 65534 \| random(seed=item.0.name + item.1.name) \| string))[9:27] ) }}"`
			`priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"`
			`host: "%"`
			`login_host: "{{ (wh_default_app \| combine(item.1)).database.server \| default(mysql_server) }}"`
			`login_user: sqladmin`
			`login_password: "{{ mysql_admin_pass }}"`
			`state: present`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`when:`
			`- (wh_default_app \| combine(item.1)).database.enabled`
			`- (wh_default_app \| combine(item.1)).database.engine == 'mysql'`
			`tags: web`

			`- name: Create clients database user`
			`mysql_user:`
			`name: "{{ item.0.name[0:15] }}"`
			`password: "{{ item.0.db_pass \| default((wh_pass_seed \| password_hash('sha256', 65534 \| random(seed=item.0.name) \| string))[9:27]) }}"`
			`priv: "{{ item.0.name[0:7] }}_{{ item.1.name[0:7] }}.*:ALL"`
			`host: "%"`
			`login_host: "{{ (wh_default_app \| combine(item.1)).database.server \| default(mysql_server) }}"`
			`login_user: sqladmin`
			`login_password: "{{ mysql_admin_pass }}"`
			`append_privs: True`
			`state: present`
			`loop: "{{ wh_clients \| subelements('apps')}}"`
			`when:`
			`- (wh_default_app \| combine(item.1)).database.enabled`
			`- (wh_default_app \| combine(item.1)).database.engine == 'mysql'`
			`tags: web`

			`- name: Deploy databases info file`
			`template: src=database.txt.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/info/database.txt`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`notify: reset permissions`
			`tags: web`

			`- name: Deploy per app backup scripts`
			`template: src=backup.sh.j2 dest=/opt/wh/{{ item.0.name }}/apps/{{ item.1.name }}/bin/backup.sh mode=750`
			`loop: "{{ wh_clients \| subelements('apps') }}"`
			`tags: web`

			`- name: Deploy wh_create_archives script to archive all the hosted apps`
			`template: src=wh_create_archives.sh.j2 dest=/usr/local/bin/wh_create_archives.sh mode=750`
			`tags: web`

			`- name: Setup a daily cronjob to take automatic archives of webapps`
			`cron:`
			`name: wh_backups`
			`special_time: daily`
			`user: root`
			`job: 'systemd-cat /usr/local/bin/wh_create_archives.sh'`
			`cron_file: wh`
			`state: present`
			`tags: web`

			`- name: Deploy global pre/post backup scripts`
			`template: src={{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/wh.sh mode=700`
			`loop: [ 'pre', 'post' ]`
			`tags: web`

			`- name: Deploy logrotate snippet`
			`template: src=logrotate.j2 dest=/etc/logrotate.d/wh`
			`tags: web`

			`- name: Remove old logrotate snippet`
			`file: path=/etc/logrotate.d/wh.conf state=absent`
			`tags: web`

			`- name: Deploy wh-acld`
			`template: src=wh-acld.j2 dest=/usr/local/bin/wh-acld mode=750`
			`notify: restart wh-acld`
			`tags: web`

			`- name: Deploy wh-acld service unit`
			`template: src=wh-acld.service.j2 dest=/etc/systemd/system/wh-acld.service`
			`register: wh_acld_unit`
			`tags: web`

			`- name: Reload systemd`
			`systemd: daemon_reload=True`
			`when: wh_acld_unit.changed`
			`tags: web`

			`- name: Start and enable wh-acld`
			`service: name=wh-acld state=started enabled=True`
			`tags: web`