diff --git a/roles/openxpki/defaults/main.yml b/roles/openxpki/defaults/main.yml
index 571f89b..3ac3087 100644
--- a/roles/openxpki/defaults/main.yml
+++ b/roles/openxpki/defaults/main.yml
@@ -1,12 +1,12 @@
 ---
-pki_version: 3.6.1
+pki_version: 3.8.1
 pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz
-pki_archive_sha1: 95573cbdcd75f654f5b79c1e0f5f3ca576f97b76
+pki_archive_sha1: 9ba93400aa689a5daeedca59b531928373c616b9
-pki_config_version: 3.6
+pki_config_version: 3.8
 pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz
-pki_config_archive_sha1: 22178afe883e636aebb607952c297e944cfe0023
+pki_config_archive_sha1: 9f1499aee6be42f26a2bdddee4687fa02f23f8f2
 # Should ansible handle updates or only initial install
 pki_manage_upgrade: True
@@ -79,14 +79,7 @@ pki_default_realm:
 filter: 'cn=*'
 role: 'Anonymous'
 passwd_quality: normal
- # passwd_quality can either be string none, normal or strong. Or a dict
- # for fine grain tuning, with the following keys
- # minlen: 8
- # maxlen: 64
- # groups: 2
- # dictionary: 4
- # following: 3
- # following_keyboard: 3
+ # passwd_quality can either be string none, normal or strong.
 # pki_extra_realm just lets you override some of the defaults, without
 # redefining the whole dict
diff --git a/roles/openxpki/files/openxpki-auth-ldap b/roles/openxpki/files/openxpki-auth-ldap
index 116fd28..4fa0ec3 100755
--- a/roles/openxpki/files/openxpki-auth-ldap
+++ b/roles/openxpki/files/openxpki-auth-ldap
@@ -392,7 +392,7 @@ if(defined($filter)) {
 print STDERR "$tag: info: successfully authenticated as '$userdn'\n" if($verbose);
 if(defined($print)) {
 print STDERR "$tag: debug: print was requested by user\n" if($debug);
- if($print =~ /%{[a-zA-Z0-9_]+}/) {
+ if($print =~ /%\{[a-zA-Z0-9_]+\}/) {
 print STDERR "$tag: debug: print template contains placeholders -- will retrieve user attributes\n" if($debug);
 if($rebind) {
 if($debug) {
@@ -432,10 +432,10 @@ if(defined($print)) {
 my @entries = $result->entries();
 my $userentry = @entries[0];
 print STDERR "$tag: debug: substituting s/%{dn}/$userdn/gi\n" if($debug);
- $print =~ s/%{dn}/$userdn/gi;
+ $print =~ s/%\{dn\}/$userdn/gi;
 foreach my $attr ($userentry->attributes) {
 my @values = $userentry->get_value($attr);
- if($print =~ /%{$attr}/) {
+ if($print =~ /%\{$attr\}/) {
 if($debug) {
 print STDERR "$tag: debug: substituting s/%{$attr}/$_/gi\n" foreach (@values);
 }
diff --git a/roles/openxpki/files/openxpki.te b/roles/openxpki/files/openxpki.te
new file mode 100644
index 0000000..337df8b
--- /dev/null
+++ b/roles/openxpki/files/openxpki.te
@@ -0,0 +1,10 @@
+module openxpki 1.0;
+
+require {
+ type httpd_sys_script_t;
+ type httpd_var_run_t;
+ class sock_file write;
+}
+
+#============= httpd_sys_script_t ==============
+allow httpd_sys_script_t httpd_var_run_t:sock_file write;
diff --git a/roles/openxpki/files/upgrade_to_v3.8.sql b/roles/openxpki/files/upgrade_to_v3.8.sql
new file mode 100644
index 0000000..cf04e1f
--- /dev/null
+++ b/roles/openxpki/files/upgrade_to_v3.8.sql
@@ -0,0 +1,8 @@
+CREATE TABLE IF NOT EXISTS `users` (
+ `username` varchar(255) NOT NULL,
+ `password` varchar(255) DEFAULT NULL,
+ `pki_realm` varchar(255) DEFAULT NULL,
+ `mail` varchar(255) NOT NULL,
+ `realname` varchar(255) DEFAULT NULL,
+ `role` varchar(255) DEFAULT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/roles/openxpki/meta/main.yml b/roles/openxpki/meta/main.yml
index 34ea7df..dbd1928 100644
--- a/roles/openxpki/meta/main.yml
+++ b/roles/openxpki/meta/main.yml
@@ -2,3 +2,5 @@ dependencies:
 - role: httpd_common
 - role: mkdir
+ - role: mysql_server
+ when: pki_db_server in ['localhost', '127.0.0.1']
diff --git a/roles/openxpki/tasks/cleanup.yml b/roles/openxpki/tasks/cleanup.yml
index fdd34f8..99cc3cc 100644
--- a/roles/openxpki/tasks/cleanup.yml
+++ b/roles/openxpki/tasks/cleanup.yml
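Review bot: The rebuilt pattern on the `if($print =~ /%\{$attr\}/)` line still interpolates the LDAP attribute name into the regex unquoted, so an attribute returned in OID form (dots in the name) turns every dot into a wildcard and can match a different placeholder; write it as `if($print =~ /%\{\Q$attr\E\}/)`, and the same `\Q...\E` presumably belongs in the substitution that follows the debug print below the hunk. Two lines above, `my $userentry = @entries[0];` is a one-element slice in scalar context where `$entries[0]` is meant, and nothing checks that the search returned an entry, so an empty result dies on `$userentry->attributes` instead of being logged. Both are pre-existing, but this hunk is the natural place to fix them since it already touches the placeholder handling.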
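Review bot: The rule `allow httpd_sys_script_t httpd_var_run_t:sock_file write;` grants every CGI script running as httpd_sys_script_t write access to every socket labelled httpd_var_run_t, not only the OpenXPKI client socket, and the file does not say why that breadth is acceptable. Add a header comment naming the socket it is for and where the denial came from, e.g. `# Let the OpenXPKI web UI / SCEP CGIs open the backend client socket; derived from an audit2allow denial.`, so a later reviewer can decide whether a dedicated socket label is worth the effort. Note that `sock_file write` only covers opening the path; if the daemon's domain is not already reachable from httpd_sys_script_t a `unix_stream_socket connectto` denial will follow, which is presumably handled elsewhere but worth confirming against the audit log after deployment.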
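Review bot: `users` is created without any key, so nothing in the schema prevents two rows with the same `username` (or the same username within one `pki_realm`), and which row a lookup returns is then undefined unless the application enforces uniqueness itself. Unless this deliberately mirrors the upstream contrib schema, add `PRIMARY KEY (username)`, or `UNIQUE KEY (username, pki_realm)` if the same login is allowed per realm. A comment stating what `password` holds (hash format) would also help, since a nullable `varchar(255)` gives no hint and whoever reads it must not treat a NULL password as a match.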
@@ -16,3 +16,9 @@
 - item != 'openxpki-config-' ~ pki_config_version
 - item != 'openxpki-config-' ~ pki_config_version ~ '.tar.gz'
 tags: pki
+
+- name: Remove obsolete and temp files and directories
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ pki_root_dir }}/db_dumps"
+ tags: pki
diff --git a/roles/openxpki/tasks/conf.yml b/roles/openxpki/tasks/conf.yml
index 9ebff5f..dfefcdf 100644
--- a/roles/openxpki/tasks/conf.yml
+++ b/roles/openxpki/tasks/conf.yml
@@ -11,7 +11,9 @@
 - name: Remove notification dir from the config
 file: path={{ pki_root_dir }}/etc/notification state=absent
- when: pki_notif_config.stat.isdir
+ when:
+ - pki_notif_config.stat.isdir is defined
+ - pki_notif_config.stat.isdir
 tags: pki
 - name: Copy default configuration
diff --git a/roles/openxpki/tasks/directories.yml b/roles/openxpki/tasks/directories.yml
index 67a418c..72408e7 100644
--- a/roles/openxpki/tasks/directories.yml
+++ b/roles/openxpki/tasks/directories.yml
@@ -33,7 +33,7 @@
 mode: 700
 - path: locale
 - path: web
- - path: db_dumps
+ - path: backup
 mode: 700
 - path: src
 - path: archives
diff --git a/roles/openxpki/tasks/facts.yml b/roles/openxpki/tasks/facts.yml
index c196337..d8e1b65 100644
--- a/roles/openxpki/tasks/facts.yml
+++ b/roles/openxpki/tasks/facts.yml
@@ -1,5 +1,12 @@
 ---
+- include_vars: "{{ item }}"
+ with_first_found:
+ - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+ - vars/{{ ansible_distribution }}.yml
+ - vars/{{ ansible_os_family }}.yml
+ tags: pki
+
 # Merge realm config
 - name: Build PKI realm config
 set_fact: pki_realms_conf={{ pki_realms_conf | default([]) + [ pki_realm_conf | combine(item, recursive=True) ] }}
diff --git a/roles/openxpki/tasks/install.yml b/roles/openxpki/tasks/install.yml
index 5a84a5e..b56a145 100644
--- a/roles/openxpki/tasks/install.yml
+++ b/roles/openxpki/tasks/install.yml
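Review bot: The `with_first_found` list on the new `include_vars` task only resolves when `ansible_distribution` is literally `CentOS`: this diff adds `vars/CentOS-7.yml` and `vars/CentOS-8.yml` and nothing for `RedHat`, so on RHEL, Rocky or Alma the last candidate `vars/{{ ansible_os_family }}.yml` also misses and the task aborts with "No file was found" (unless a RedHat vars file exists outside this diff). Either add `- vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml` to the list and ship `RedHat-7.yml`/`RedHat-8.yml` (the CentOS files can become symlinks), or state in a comment above the task that only CentOS is supported. Failing loudly is preferable to `skip: true`, since `pki_packages` has no default visible in this diff and the yum task would then run with an undefined variable.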
@@ -1,23 +1,7 @@
 ---
 - name: Install dependencies
- yum:
- name:
- - openssl-devel
- - openldap-devel
- - libxml2-devel
- - expat-devel
- - mariadb-devel
- - libapreq2-devel
- - gcc
- - perl-App-cpanminus
- - gettext # To build I18N files
- - pwgen # To generate random secrets
- - java-1.8.0-openjdk-headless # For keytool utility
- - systemd-devel # Needed for Log::Log4perl::Appender::Journald
- - MySQL-python # To create and manage the MySQL DB
- - mysql # To load the schema
- - patch # To apply local patches
+ yum: name={{ pki_packages }}
 tags: pki
 - name: Download OpenXPKI
@@ -68,64 +52,79 @@
 when: pki_install_mode == 'upgrade'
 tags: pki
-- name: Install perl modules needed to run the build
- cpanm:
- name: "{{ item }}"
- locallib: "{{ pki_root_dir }}"
- with_items:
- - Config::Std
- - Fatal
- tags: pki
-
-- name: Install perl module without tests
- cpanm:
- name: "{{ item }}"
- locallib: "{{ pki_root_dir }}"
- notest: True
- with_items:
- - Git::PurePerl
- - Connector # This module tries to fetch web content without checking proxy from env
- tags: pki
-
-- name: Install OpenXPKI dependencies
- cpanm:
- locallib: "{{ pki_root_dir }}"
- installdeps: True
- from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
- environment:
- PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
- PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
- tags: pki
-
-- name: Build OpenXPKI
- cpanm:
- locallib: "{{ pki_root_dir }}"
- from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
- notest: True
- when: pki_install_mode != 'none'
- environment:
- PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
- PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
- tags: pki
+- when: pki_install_mode != 'none'
+ block:
+ - name: Install perl module without tests
+ cpanm:
+ name: "{{ item }}"
+ locallib: "{{ pki_root_dir }}"
+ notest: True
+ with_items:
+ - Git::PurePerl
+ - Connector # This module tries to fetch web content without checking proxy from env
+ - Net::Server # 2 tests are failing on el8 t/SSL_test.t and t/SSLEAY_test.t
+
+ - name: Install OpenXPKI dependencies
+ cpanm:
+ locallib: "{{ pki_root_dir }}"
+ installdeps: True
+ from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+ environment:
+ PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+ PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
+
+ - name: Install additional perl modules
+ cpanm:
+ name: "{{ item }}"
+ locallib: "{{ pki_root_dir }}"
+ with_items:
+ - Devel::CheckLib # Needed to build BDB::mysql >= 4.047
+ - DBD::mysql
+ - 
Log::Log4perl::Appender::Screen # Log::Log4perl::Appender::Journald is broken on systemd > 209
+ - Data::Dump # Needed for the external ldap auth script
+ - String::Escape # Needed for the external ldap auth script
+ - TINITA/YAML-1.30.tar.gz
+
+ - name: Build OpenXPKI
+ cpanm:
+ locallib: "{{ pki_root_dir }}"
+ from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+ notest: True
+ environment:
+ PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+ PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
+
+ - name: Install OpenXPKI
+ command: make install
+ args:
+ chdir: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+ notify: restart openxpki
+
+ # This is needed so the build-pot.pl script finds msg labels in config
+ # during the make scan step in next task
+ - name: Copy default conf in server source directory
+ synchronize:
+ src: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/"
+ dest: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/config/"
+ recursive: True
+ delete: True
+ delegate_to: "{{ inventory_hostname }}"
+
+ - name: Scan, build and install translations
+ shell: make scan && make && make install LOCALE_DIR={{ pki_root_dir }}/locale
+ args:
+ chdir: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/i18n"
+
+ - name: Install the web UI
+ synchronize:
+ src: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server/{{ item }}"
+ dest: "{{ pki_root_dir }}/web/"
+ recursive: True
+ delegate_to: "{{ inventory_hostname }}"
+ with_items:
+ - cgi-bin
+ - htdocs
-- name: Install additional perl modules
- cpanm:
- name: "{{ item }}"
- locallib: "{{ pki_root_dir }}"
- with_items:
- - Devel::CheckLib # Needed to build BDB::mysql >= 4.047
- - DBD::mysql
- - Log::Log4perl::Appender::Journald
- - Data::Dump # Needed for the external ldap auth script
- - String::Escape # Needed for the external ldap auth script
- tags: pki
-
-- name: Install OpenXPKI
- command: make install
- args:
- chdir: "{{ pki_root_dir 
}}/src/openxpki-{{ pki_version }}/core/server"
- when: pki_install_mode != 'none'
- notify: restart openxpki
 tags: pki
 - name: Install OpenXPKI CGI::Session driver
@@ -135,36 +134,6 @@
 remote_src: True
 tags: pki
- # This is needed so the build-pot.pl script finds msg labels in config
- # during the make scan step in next task
-- name: Copy default conf in server source directory
- synchronize:
- src: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/"
- dest: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/config/"
- recursive: True
- delete: True
- delegate_to: "{{ inventory_hostname }}"
- when: pki_install_mode != 'none'
- tags: pki
-
-- name: Scan, build and install translations
- shell: make scan && make && make install LOCALE_DIR={{ pki_root_dir }}/locale
- args:
- chdir: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/i18n"
- when: pki_install_mode != 'none'
- tags: pki
-
-- name: Install the web UI
- synchronize:
- src: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server/{{ item }}"
- dest: "{{ pki_root_dir }}/web/"
- recursive: True
- delegate_to: "{{ inventory_hostname }}"
- with_items:
- - cgi-bin
- - htdocs
- when: pki_install_mode != 'none'
- tags: pki
 - name: Fix relative URL in the index page
 command: sed -i -e 's|/openxpki/|{{ pki_web_alias }}|g' {{ pki_root_dir }}/web/htdocs/default.html
@@ -217,7 +186,7 @@
 login_password: "{{ mysql_admin_pass }}"
 when:
 - pki_install_mode == 'install'
- - pki_db.changed
+ - db_created.changed
 tags: pki
 - name: Copy additional sql scripts
@@ -270,6 +239,7 @@
 copy: src=upgrade_to_v{{ item }}.sql dest={{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/
 loop:
 - '3.4'
+ - '3.8'
 tags: pki
 - name: Apply db upgrades
@@ -282,6 +252,7 @@
 login_password: "{{ mysql_admin_pass }}"
 loop:
 - '3.4'
+ - '3.8'
 when:
 - pki_install_mode == 'upgrade'
 - pki_current_version is version(item, '<')
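Review bot: `Net::Server` is added to the `notest: True` list because `t/SSL_test.t` and `t/SSLEAY_test.t` fail on el8, which on a PKI host means the module providing the daemon's TLS listener is installed with its SSL tests skipped and no version pinned, so a later CPAN upload with a real SSL regression installs silently. Pin it the way `TINITA/YAML-1.30.tar.gz` is pinned (author/dist tarball path of the version actually tested) and extend the comment to say which assertion fails and why it is harmless (e.g. loopback/IPv6 setup vs. a cipher problem). The `TINITA/YAML-1.30.tar.gz` pin itself has no comment saying what a newer YAML breaks, so the next maintainer will unpin it; add one. The `tags: pki` context line near the top of the hunk now belongs to the `block`, so the tag still applies to every task inside it.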
diff --git a/roles/openxpki/tasks/pki.yml b/roles/openxpki/tasks/pki.yml
index 5d75dc7..296d827 100644
--- a/roles/openxpki/tasks/pki.yml
+++ b/roles/openxpki/tasks/pki.yml
@@ -201,3 +201,11 @@
 when: item.changed
 tags: pki
+- name: Deploy permission script
+ template: src=perms.sh.j2 dest={{ pki_root_dir }}/bin/perms.sh mode=755
+ tags: pki
+
+- name: Fix permissions on key files
+ command: "{{ pki_root_dir }}/bin/perms.sh }}"
+ changed_when: False
+ tags: pki
diff --git a/roles/openxpki/tasks/selinux.yml b/roles/openxpki/tasks/selinux.yml
index 9f7c1cb..332d5b3 100644
--- a/roles/openxpki/tasks/selinux.yml
+++ b/roles/openxpki/tasks/selinux.yml
@@ -21,3 +21,17 @@
 changed_when: False
 tags: pki
+- name: Copy SElinux policy file
+ copy: src=openxpki.te dest=/etc/selinux/targeted/local/
+ register: pki_selinux_policy
+ tags: pki
+
+- name: Add local policy
+ shell: |
+ cd /etc/selinux/targeted/local/
+ checkmodule -M -m -o openxpki.mod openxpki.te
+ semodule_package -o openxpki.pp -m openxpki.mod
+ when: pki_selinux_policy.changed
+ tags: pki
+
+
diff --git a/roles/openxpki/templates/config.d/realm/profile/default.yaml.j2 b/roles/openxpki/templates/config.d/realm/profile/default.yaml.j2
index b790aef..2a5832a 100644
--- a/roles/openxpki/templates/config.d/realm/profile/default.yaml.j2
+++ b/roles/openxpki/templates/config.d/realm/profile/default.yaml.j2
@@ -6,14 +6,11 @@ key:
 enc:
 - aes256
- - _3des
- - idea
 generate: both
 rsa:
 key_length:
- - _1024
 - 2048
 - 4096
@@ -39,11 +36,10 @@ publish:
 - disk
 extensions:
- copy: copy
-
 basic_constraints:
 critical: 1
 ca: 0
+ path_length: 0
 subject_key_identifier:
 critical: 0
@@ -52,11 +48,11 @@ extensions:
 authority_key_identifier:
 critical: 0
 keyid: 1
- issuer: 1
+ issuer: 0
 issuer_alt_name:
 critical: 0
- copy: 1
+ copy: 0
 crl_distribution_points:
 critical: 0
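Review bot: `command: "{{ pki_root_dir }}/bin/perms.sh }}"` has a stray `}}` after the closing Jinja braces, so Ansible runs the script with a literal `}}` argument; it works today only because perms.sh ignores its arguments, and the first edit that reads `$1` will break it. Fix the line to `command: "{{ pki_root_dir }}/bin/perms.sh"`. `changed_when: False` also hides the case where the script really did change ownership or mode, so permission drift on the key directory never shows in the play summary; consider having the script use `chown -c`/`chmod -c` and keying `changed_when` on its output instead.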
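Review bot: The `Add local policy` shell task compiles `openxpki.te` into `openxpki.pp` but never loads it: there is no `semodule -i openxpki.pp` after `semodule_package`, so unless a task outside this hunk installs the package the allow rule is never active and the CGI socket write keeps being denied. Add `semodule -i openxpki.pp` as the last line of the script and put `set -e` at the top, because with a multi-line `shell: |` only the last command's exit status fails the task, so a `checkmodule` syntax error would otherwise be swallowed. The copy task also assumes `/etc/selinux/targeted/local/` already exists, which is not a directory I would expect on a stock install; a `file: state=directory` task before it would make the role idempotent on a fresh host.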
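Review bot: `path_length: 0` is added under `basic_constraints` while the same stanza keeps `ca: 0`, but RFC 5280 §4.2.1.9 says pathLenConstraint is meaningful only when cA is TRUE, so on this end-entity default profile the value is either dropped by OpenXPKI's profile code or encoded into a non-conforming extension that strict verifiers may reject. Unless this is a known-accepted quirk of the 3.8 profile format, remove the line here and keep path length in the CA profiles only, or add a comment saying why it is wanted on leaf certificates. The `issuer: 0` change under `authority_key_identifier` is the right direction: a keyid-only AKI avoids chain breakage when the issuing CA is re-issued with a new serial.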
@@ -71,21 +67,3 @@ extensions:
 policy_identifier:
 critical: 0
- netscape:
- comment:
- critical: 0
- text: This is a generic certificate. Generated with OpenXPKI trustcenter software.
- certificate_type:
- critical: 0
- ssl_client: 0
- smime_client: 0
- object_signing: 0
- ssl_client_ca: 0
- smime_client_ca: 0
- object_signing_ca: 0
-
- cdp:
- critical: 0
- uri: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl
- ca_uri: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl
-
diff --git a/roles/openxpki/templates/config.d/realm/profile/tls_client.yaml.j2 b/roles/openxpki/templates/config.d/realm/profile/tls_client.yaml.j2
index 3f9022f..f6aec32 100644
--- a/roles/openxpki/templates/config.d/realm/profile/tls_client.yaml.j2
+++ b/roles/openxpki/templates/config.d/realm/profile/tls_client.yaml.j2
@@ -30,7 +30,7 @@ style:
 enroll:
 subject:
- dn: CN=[% serial %],{{ item.0.subj_suffix }}
+ dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}
 # Profile extensions - set 0/1 as needed
diff --git a/roles/openxpki/templates/config.d/realm/profile/tls_server.yaml.j2 b/roles/openxpki/templates/config.d/realm/profile/tls_server.yaml.j2
index 650d9d7..f21db2b 100644
--- a/roles/openxpki/templates/config.d/realm/profile/tls_server.yaml.j2
+++ b/roles/openxpki/templates/config.d/realm/profile/tls_server.yaml.j2
@@ -77,7 +77,7 @@ extensions:
 non_repudiation: 0
 key_encipherment: 1
 data_encipherment: 0
- key_agreement: 0
+ key_agreement: 1
 key_cert_sign: 0
 crl_sign: 0
 encipher_only: 0
diff --git a/roles/openxpki/templates/config.d/realm/workflow/global/validator/password_quality.yaml.j2 b/roles/openxpki/templates/config.d/realm/workflow/global/validator/password_quality.yaml.j2
index 3c193ba..308c3f5 100644
--- a/roles/openxpki/templates/config.d/realm/workflow/global/validator/password_quality.yaml.j2
+++ b/roles/openxpki/templates/config.d/realm/workflow/global/validator/password_quality.yaml.j2
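Review bot: `dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}` now builds the client certificate subject from the requester-supplied CN instead of the unforgeable `[% serial %]`, so whether a requester can obtain `CN=someone.else` or smuggle an extra RDN through a comma depends entirely on the validator attached to the `CN` field in this style, which is outside the hunk. Add a comment on the line naming the validator that constrains `CN` (and the regex it enforces), and if there is none, add one before this profile is enabled; an unconstrained CN on a client-auth certificate is an impersonation path for anything that maps CN to an identity. If the DN parser honours RFC 4514 escaping, escaping commas in the template is a second line of defence, but not a substitute for validation.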
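Review bot: `key_agreement: 1` is set in the TLS server key_usage, but keyAgreement is only meaningful for key-agreement public keys (ECDH/DH); with the RSA-only key generation this diff leaves in default.yaml.j2 (`rsa: key_length` list) it is a dead bit, and even for ECDSA server certificates TLS needs digitalSignature, with keyAgreement only required by static ECDH suites. Unless the tls_server `key:` section (outside the hunk) enables EC keys and static ECDH is really intended, revert to `key_agreement: 0`, or add a comment stating which client or validator demands the bit.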
@@ -2,34 +2,21 @@ class: OpenXPKI::Server::Workflow::Validator::PasswordQuality
 arg:
 - $_password
 param:
+ checks:
+ - length
 {% if item.0.passwd_quality is string %}
 {% if item.0.passwd_quality == 'none' %}
- minlen: 0
- maxlen: 0
- groups: 0
- dictionary: 0
- following: 0
- following_keyboard: 0
+ minlen: 1
+ maxlen: 64
 {% elif item.0.passwd_quality == 'normal' %}
+ - entropy
+ min_entropy: 20
 minlen: 6
 maxlen: 64
- groups: 2
- dictionary: 0
- following: 0
- following_keyboard: 0
 {% elif item.0.passwd_quality == 'strong' %}
- minlen: 8
+ - entropy
+ min_entropy: 60
 minlen: 10
 maxlen: 64
- groups: 2
- dictionary: 4
- following: 3
- following_keyboard: 3
 {% endif %}
-{% else %}
- minlen: {{ item.0.passwd_quality.minlen }}
- maxlen: {{ item.0.passwd_quality.maxlen }}
- groups: {{ item.0.passwd_quality.groups }}
- dictionary: {{ item.0.passwd_quality.dictionary }}
- following: {{ item.0.passwd_quality.following }}
- following_keyboard: {{ item.0.passwd_quality.following_keyboard }}
 {% endif %}
diff --git a/roles/openxpki/templates/config.d/system/crypto.yaml.j2 b/roles/openxpki/templates/config.d/system/crypto.yaml.j2
index 67396c0..0dffc61 100644
--- a/roles/openxpki/templates/config.d/system/crypto.yaml.j2
+++ b/roles/openxpki/templates/config.d/system/crypto.yaml.j2
@@ -2,7 +2,7 @@ tokenapi:
 certsign: OpenXPKI::Crypto::Backend::API
 crlsign: OpenXPKI::Crypto::Backend::API
 datasafe: OpenXPKI::Crypto::Backend::API
- scep: OpenXPKI::Crypto::Tool::SCEP::API
+ scep: OpenXPKI::Crypto::Tool::LibSCEP::API
 token:
 default:
diff --git a/roles/openxpki/templates/config.d/system/database.yaml.j2 b/roles/openxpki/templates/config.d/system/database.yaml.j2
index 2023bfb..e8c0d75 100644
--- a/roles/openxpki/templates/config.d/system/database.yaml.j2
+++ b/roles/openxpki/templates/config.d/system/database.yaml.j2
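Review bot: The template removes the dict branch but keeps `{% if item.0.passwd_quality is string %}` with no `{% else %}`, so a realm that still sets `passwd_quality` as a dict (the form the defaults file documented until this commit) renders `checks: - length` with no `minlen`/`maxlen` at all, and the weakened validator is deployed without any error. Make the unsupported form fail at template time, e.g. `{% else %}{{ passwd_quality_must_be_a_string | mandatory('passwd_quality must be none, normal or strong') }}{% endif %}`, or add an `assert` on the realm config in facts.yml. Also `none` now still runs the `length` check with `minlen: 1`; if that is intended, say so in a comment, since the name promises no check.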
@@ -1,8 +1,8 @@
 main:
 debug: 0
 type: MySQL
- name: {{ pki_db_name }}
- host: {{ pki_db_server }}
- port: {{ pki_db_port }}
- user: {{ pki_db_user }}
- passwd: {{ pki_db_pass }}
+ name: '{{ pki_db_name }}'
+ host: '{{ pki_db_server }}'
+ port: '{{ pki_db_port }}'
+ user: '{{ pki_db_user }}'
+ passwd: '{{ pki_db_pass | regex_replace("'","''") }}'
diff --git a/roles/openxpki/templates/config.d/system/server.yaml.j2 b/roles/openxpki/templates/config.d/system/server.yaml.j2
index 408f475..42f4670 100644
--- a/roles/openxpki/templates/config.d/system/server.yaml.j2
+++ b/roles/openxpki/templates/config.d/system/server.yaml.j2
@@ -12,6 +12,7 @@ environment:
 session:
 type: Database
+ table: frontend_session
 transport:
 Simple: 1
@@ -19,13 +20,10 @@ transport:
 service:
 Default:
 enabled: 1
- timeout: 120
-
- SCEP:
- enabled: 1
+ idle_timeout: 120
 LibSCEP:
- enabled: 0
+ enabled: 1
 # settings for i18n
 i18n:
diff --git a/roles/openxpki/templates/config.d/system/watchdog.yaml.j2 b/roles/openxpki/templates/config.d/system/watchdog.yaml.j2
index 599c4c7..6687728 100644
--- a/roles/openxpki/templates/config.d/system/watchdog.yaml.j2
+++ b/roles/openxpki/templates/config.d/system/watchdog.yaml.j2
@@ -3,9 +3,10 @@ max_exception_threshhold: 10
 interval_sleep_exception: 60
 max_tries_hanging_workflows: 3
-interval_wait_initial: 30
+interval_wait_initial: 10
 interval_loop_idle: 5
 interval_loop_run: 1
+interval_sleep_overload: 15
 interval_session_purge: 300
diff --git a/roles/openxpki/templates/log.conf.j2 b/roles/openxpki/templates/log.conf.j2
index 2ef087a..bc0225b 100644
--- a/roles/openxpki/templates/log.conf.j2
+++ b/roles/openxpki/templates/log.conf.j2
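Review bot: Only `passwd` is run through `regex_replace("'","''")` to survive the new single quotes, while `name`, `host`, `port` and `user` are quoted without it, so a quote in any of those still produces invalid YAML and a non-starting daemon; apply the same filter to all five values, and either drop the quotes around `port` or confirm the DBI layer accepts it as a string now that it is no longer an integer. A one-line comment above `passwd:` explaining the `''` doubling (YAML single-quoted escaping) will stop the next reader from "simplifying" it. This file carries the DB password in clear, so the task that renders it (outside this diff) should be checked for a 0600 mode and PKI-user ownership.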
@@ -53,11 +53,11 @@ log4perl.filter.FilterIsWorkflow = Log::Log4perl::Filt
 log4perl.filter.FilterIsWorkflow.KeyToMatch = wfid
 log4perl.filter.FilterIsWorkflow.RegexToMatch = \d+
-log4perl.appender.Journal = Log::Log4perl::Appender::Journald
+log4perl.appender.Journal = Log::Log4perl::Appender::Screen
 log4perl.appender.Journal.layout = Log::Log4perl::Layout::SimpleLayout
 log4perl.appender.Journal.utf8 = 1
-log4perl.appender.CatchAll = Log::Log4perl::Appender::Journald
+log4perl.appender.CatchAll = Log::Log4perl::Appender::Screen
 log4perl.appender.CatchAll.layout = Log::Log4perl::Layout::SimpleLayout
 log4perl.appender.CatchAll.utf8 = 1
@@ -68,7 +68,7 @@ log4perl.appender.ApplicationDBI.layout.ConversionPattern = %m (%X{user})
 log4perl.appender.ApplicationDBI.table = application_log
 log4perl.appender.ApplicationDBI.microseconds = 1
-log4perl.appender.ApplicationFile = Log::Log4perl::Appender::Journald
+log4perl.appender.ApplicationFile = Log::Log4perl::Appender::Screen
 log4perl.appender.ApplicationFile.Filter = FilterIsWorkflow
 log4perl.appender.ApplicationFile.layout = Log::Log4perl::Layout::PatternLayout
 log4perl.appender.ApplicationFile.layout.ConversionPattern = %X{wfid} %m %n
@@ -78,11 +78,11 @@ log4perl.appender.AuditDBI = OpenXPKI::Server::L
 log4perl.appender.AuditDBI.layout = OpenXPKI::Server::Log::Layout::Audit
 log4perl.appender.AuditDBI.warp_message = 0
-log4perl.appender.AuditFile = Log::Log4perl::Appender::Journald
+log4perl.appender.AuditFile = Log::Log4perl::Appender::Screen
 log4perl.appender.AuditFile.layout = OpenXPKI::Server::Log::Layout::Audit
 log4perl.appender.AuditFile.layout.ConversionPattern = %c.%p %m [pid=%P|%i]%n
 log4perl.appender.AuditFile.utf8 = 1
-log4perl.appender.Deprecated = Log::Log4perl::Appender::Journald
+log4perl.appender.Deprecated = Log::Log4perl::Appender::Screen
 log4perl.appender.Deprecated.layout = Log::Log4perl::Layout::SimpleLayout
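Review bot: Switching `AuditFile` (and the other appenders) from Journald to `Log::Log4perl::Appender::Screen` moves the audit trail to the daemon's STDERR, which under the systemd unit lands in the journal only for as long as journald keeps it; nothing in this diff configures persistent journal storage, so audit events can rotate away with a volatile journal. Add a comment above `log4perl.appender.AuditFile` stating that the file-style audit log now relies on journald retention and that `AuditDBI` (still configured in the context lines) is the durable copy, or point `AuditFile` at a real `Log::Log4perl::Appender::File` in a directory owned by the PKI user. Screen writes to STDERR by default, which is what you want here; if any appender should go to STDOUT it needs an explicit `stderr = 0`.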
diff --git a/roles/openxpki/templates/openxpki.service.j2 b/roles/openxpki/templates/openxpki.service.j2
index 6bc7468..e2326ee 100644
--- a/roles/openxpki/templates/openxpki.service.j2
+++ b/roles/openxpki/templates/openxpki.service.j2
@@ -14,7 +14,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
-MemoryLimit=512M
+MemoryLimit=1024M
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=20
diff --git a/roles/openxpki/templates/perms.sh.j2 b/roles/openxpki/templates/perms.sh.j2
new file mode 100644
index 0000000..93c1c03
--- /dev/null
+++ b/roles/openxpki/templates/perms.sh.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+chown -R {{ pki_user }}:{{ pki_user }} {{ pki_root_dir }}/etc/ssl
+chmod 700 {{ pki_root_dir }}/etc/ssl
diff --git a/roles/openxpki/templates/post-backup.j2 b/roles/openxpki/templates/post-backup.j2
index c628a00..a1f814e 100644
--- a/roles/openxpki/templates/post-backup.j2
+++ b/roles/openxpki/templates/post-backup.j2
@@ -1,3 +1,3 @@
 #!/bin/sh
-rm -f {{ pki_root_dir }}/db_dumps/*
+rm -f {{ pki_root_dir }}/backup/*
diff --git a/roles/openxpki/templates/pre-backup.j2 b/roles/openxpki/templates/pre-backup.j2
index 6b5a0c7..64db633 100644
--- a/roles/openxpki/templates/pre-backup.j2
+++ b/roles/openxpki/templates/pre-backup.j2
@@ -1,7 +1,10 @@
 #!/bin/sh
-/usr/bin/mysqldump --user={{ pki_db_user }} \
- --password={{ pki_db_pass }} \
- --host={{ pki_db_server }} \
- --quick --single-transaction \
- --add-drop-table {{ pki_db_name }} | lz4 -c > {{ pki_root_dir }}/db_dumps/{{ pki_db_name }}.sql.lz4
+/usr/bin/mysqldump \
+{% if pki_db_server not in [ '127.0.0.1', 'localhost' ] %}
+ --user={{ pki_db_user }} \
+ --password={{ pki_db_pass }} \
+ --host={{ pki_db_server }} \
+{% endif %}
+ --quick --single-transaction \
+ --add-drop-table {{ pki_db_name }} | zstd -c > {{ pki_root_dir }}/backup/{{ pki_db_name }}.sql.zst
diff --git a/roles/openxpki/templates/scep/log.conf.j2 b/roles/openxpki/templates/scep/log.conf.j2
index 40ebc52..43e319e 100644
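Review bot: `chmod 700 {{ pki_root_dir }}/etc/ssl` tightens only the directory while `chown -R` recurses, so key files created under a permissive umask keep their own mode and are protected solely by the directory bit — one relaxed `chmod` on the directory, or a copy made elsewhere, exposes them; and without `set -e` a failed chown is masked by the chmod's exit status. Since the task calling this is named "Fix permissions on key files", make the script do that: add `set -euo pipefail` under the shebang, then after the chown run `find "{{ pki_root_dir }}/etc/ssl" -type d -exec chmod 700 {} +` and `find "{{ pki_root_dir }}/etc/ssl" -type f -exec chmod 600 {} +`. Quote the paths as shown in case `pki_root_dir` ever contains a space.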
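Review bot: `--password={{ pki_db_pass }}` on the `mysqldump` command line exposes the DB password to every local user through `ps` and `/proc/*/cmdline` for the duration of the dump (the old version had the same flaw, and the new `{% if %}` keeps it for the remote-DB case). Pass it via the environment or a defaults file instead, e.g. `MYSQL_PWD='{{ pki_db_pass }}' /usr/bin/mysqldump --user={{ pki_db_user }} --host={{ pki_db_server }} ...`, or `--defaults-extra-file=` pointing at a 0600 file rendered by the role. Because the pipeline ends in `zstd -c > file`, a failing mysqldump still exits 0 and leaves a truncated-but-present `.sql.zst`; add `set -o pipefail` under the shebang (switching it to bash if `/bin/sh` is dash) so the backup job notices. The local branch now relies on a root `~/.my.cnf` or socket auth for credentials — worth a comment, since that is not visible here.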
--- a/roles/openxpki/templates/scep/log.conf.j2
+++ b/roles/openxpki/templates/scep/log.conf.j2
@@ -1,5 +1,5 @@
 log4perl.category.client.scep = DEBUG, Logfile
-log4perl.appender.Logfile = Log::Log4perl::Appender::Journald
+log4perl.appender.Logfile = Log::Log4perl::Appender::Screen
 log4perl.appender.Logfile.layout = Log::Log4perl::Layout::PatternLayout
 log4perl.appender.Logfile.layout.ConversionPattern = scep
 log4perl.appender.Logfile.utf8 = 1
diff --git a/roles/openxpki/templates/webui/log.conf.j2 b/roles/openxpki/templates/webui/log.conf.j2
index e4c9a96..cdbb4e7 100644
--- a/roles/openxpki/templates/webui/log.conf.j2
+++ b/roles/openxpki/templates/webui/log.conf.j2
@@ -1,6 +1,6 @@
 log4perl.logger = INFO, Journal
-log4perl.appender.Journal = Log::Log4perl::Appender::Journald
+log4perl.appender.Journal = Log::Log4perl::Appender::Screen
 log4perl.appender.Journal.layout = Log::Log4perl::Layout::PatternLayout
 log4perl.appender.Journal.layout.ConversionPattern = OpenXPKI-WebUI %m
 log4perl.appender.Journal.utf8 = 1
diff --git a/roles/openxpki/vars/CentOS-7.yml b/roles/openxpki/vars/CentOS-7.yml
new file mode 100644
index 0000000..eb58238
--- /dev/null
+++ b/roles/openxpki/vars/CentOS-7.yml
@@ -0,0 +1,19 @@
+---
+
+pki_packages:
+ - openssl-devel
+ - openldap-devel
+ - libxml2-devel
+ - expat-devel
+ - mariadb-devel
+ - libapreq2-devel
+ - gcc
+ - perl-App-cpanminus
+ - gettext # To build I18N files
+ - pwgen # To generate random secrets
+ - java-1.8.0-openjdk-headless # For keytool utility
+ - mariadb # To load the schema
+ - patch # To apply local patches
+ - perl-autodie # Provides perl(Fatal), needed to install perl deps
+ - perl-Config-Std # needed to install perl deps
+
diff --git a/roles/openxpki/vars/CentOS-8.yml b/roles/openxpki/vars/CentOS-8.yml
new file mode 100644
index 0000000..433f73c
--- /dev/null
+++ b/roles/openxpki/vars/CentOS-8.yml
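Review bot: `log4perl.category.client.scep = DEBUG, Logfile` stays at DEBUG while the `Logfile` appender becomes `Screen`, and for a CGI running under Apache STDERR is the web server's error_log, so SCEP debug output (request details, possibly transaction identifiers and challenge data) now lands in a log read by the httpd admins rather than the journal the old Journald appender targeted. Either lower the category to INFO for production or add a comment on the first line stating that DEBUG here is intended and what the Apache error_log retention and permissions are. The same STDERR-to-error_log routing applies to the webui config in the next hunk.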
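Review bot: `pki_packages` drops `MySQL-python` (the old list in install.yml carried it with the comment "To create and manage the MySQL DB") along with `systemd-devel`; the second drop matches the Journald appender removal, but the `mysql_db`/`mysql_user`-style tasks whose `login_password` lines are visible in install.yml still need a Python MySQL driver on the target, which now only arrives if the `mysql_server` role dependency installs it — and that dependency is skipped when `pki_db_server` is remote. Add `- MySQL-python # Needed by the mysql_* modules` back here (and the python3 equivalent in CentOS-8.yml), or document that a remote-DB deployment must provide the driver itself.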
@@ -0,0 +1,20 @@
+---
+
+pki_packages:
+ - openssl-devel
+ - openldap-devel
+ - libxml2-devel
+ - expat-devel
+ - mariadb-devel
+ - libapreq2-devel
+ - gcc
+ - perl-App-cpanminus
+ - gettext # To build I18N files
+ - pwgen # To generate random secrets
+ - java-1.8.0-openjdk-headless # For keytool utility
+ - mariadb # To load the schema
+ - patch # To apply local patches
+ - perl-autodie # Provides perl(Fatal), needed to install perl deps
+ - perl-Config-Std # needed to install perl deps
+ - glibc-langpack-en
+
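Review bot: Like the CentOS-7 list, this file has no Python MySQL driver for the role's own `mysql_*` tasks (the old install.yml list had `MySQL-python` for that purpose), so on a host where the `mysql_server` dependency is skipped because the DB is remote those tasks will fail at runtime; add `- python3-PyMySQL # Needed by the mysql_* modules` here. `glibc-langpack-en` is the only entry without a comment — presumably it is there so the `make scan`/gettext step runs under a UTF-8 English locale; say so inline like the other entries do.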