fws
/
ansible-roles
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to 2021-09-14 16:00

Browse Source
master
Daniel Berteaud 3 years ago
parent 1d674c2d6b
commit 0381f183cb
22 changed files with 430 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      roles/includes/webapps_create_mysql_db.yml
  2. 100
      roles/sftpgo/defaults/main.yml
  3. 4
      roles/sftpgo/handlers/main.yml
  4. 5
      roles/sftpgo/meta/main.yml
  5. 10
      roles/sftpgo/tasks/archive_post.yml
  6. 23
      roles/sftpgo/tasks/archive_pre.yml
  7. 9
      roles/sftpgo/tasks/cleanup.yml
  8. 12
      roles/sftpgo/tasks/conf.yml
  9. 29
      roles/sftpgo/tasks/directories.yml
  10. 28
      roles/sftpgo/tasks/facts.yml
  11. 71
      roles/sftpgo/tasks/install.yml
  12. 21
      roles/sftpgo/tasks/iptables.yml
  13. 18
      roles/sftpgo/tasks/main.yml
  14. 15
      roles/sftpgo/tasks/selinux.yml
  15. 5
      roles/sftpgo/tasks/services.yml
  16. 10
      roles/sftpgo/tasks/user.yml
  17. 5
      roles/sftpgo/tasks/write_version.yml
  18. 5
      roles/sftpgo/templates/post-backup.j2
  19. 16
      roles/sftpgo/templates/pre-backup.j2
  20. 33
      roles/sftpgo/templates/sftpgo.service.j2
  21. 3
      roles/sftpgo/templates/sftpgo.yml.j2
  22. 6
      roles/sftpgo/vars/RedHat.yml

2
roles/includes/webapps_create_mysql_db.yml
Unescape View File

@ -15,6 +15,7 @@
mysql_db: mysql_db:
name: "{{ db_name }}" name: "{{ db_name }}"
login_host: "{{ db_server | default(mysql_server) }}" login_host: "{{ db_server | default(mysql_server) }}"
login_port: "{{ db_port | default(omit) }}"
login_user: sqladmin login_user: sqladmin
login_password: "{{ mysql_admin_pass }}" login_password: "{{ mysql_admin_pass }}"
state: present state: present
@ -30,6 +31,7 @@
append_privs: "{{ append_privs | default(False) }}" append_privs: "{{ append_privs | default(False) }}"
host: "{{ ( db_server == 'localhost' ) | ternary('localhost', item ) }}" host: "{{ ( db_server == 'localhost' ) | ternary('localhost', item ) }}"
login_host: "{{ db_server }}" login_host: "{{ db_server }}"
login_port: "{{ db_port | default(omit) }}"
login_user: sqladmin login_user: sqladmin
login_password: "{{ mysql_admin_pass }}" login_password: "{{ mysql_admin_pass }}"
state: present state: present

100
roles/sftpgo/defaults/main.yml
Unescape View File

@ -0,0 +1,100 @@
---
# Version to deploy
sftpgo_version: 2.1.2
# URL of the archive
sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz
# Expected sha1 of the archive
sftpgo_archive_sha1: 6b9ea26c53d62b47eec3ad18afeb90b6651df10c
# Should ansible handle upgrades ? If False, only initial install will be done
sftpgo_manage_upgrade: True
# Root dir where sftpgo will be installed
sftpgo_root_dir: /opt/sftpgo
# User account under which sftpgo will run
sftpgo_user: sftpgo
# Database settings
sftpgo_db_server: "{{ mysql_server | default('localhost') }}"
sftpgo_db_port: 3306
sftpgo_db_name: sftpgo
sftpgo_db_user: sftpgo
# If the password is not defined, a random one will be created and stored under {{ sftpgo_root_dir }}/meta/ansible_dbpass
# sftpgo_db_pass: S3cr3t.
# You can restrict access per port. This can be a list of IP (or network in CIDR notation)
# Access will be controlled by iptables
sftpgo_src_ip: []
sftpgo_sftp_src_ip: "{{ sftpgo_src_ip }}"
sftpgo_ftp_src_ip: "{{ sftpgo_src_ip }}"
sftpgo_webdav_src_ip: "{{ sftpgo_src_ip }}"
sftpgo_http_src_ip: "{{ sftpgo_src_ip }}"
# Base configuration of the service
sftpgo_base_conf:
common:
upload_mode: 1
setstat_mode: 1
temp_path: "{{ sftpgo_root_dir }}/tmp"
max_total_connections: 500
max_per_host_connections: 20
defender:
enabled: True
ban_time: 5
ban_time_increment: 50
threshold: 20
score_invalid: 10
score_valid: 1
score_limit_exceeded: 10
observation_time: 10
sftpd:
bindings:
port: 2022
max_auth_tries: 4
ftpd:
bindings:
port: 2021
passive_port_range:
start: 50000
end: 50200
force_passive_ip: ''
disable_active_mode: True
webdavd:
bindings:
port: 2080
prefix: /dav
proxy_allowed: []
data_provider:
driver: mysql
name: "{{ sftpgo_db_name }}"
host: "{{ sftpgo_db_server }}"
port: "{{ sftpgo_db_port }}"
username: "{{ sftpgo_db_user }}"
password: "{{ sftpgo_db_pass }}"
track_quota: 1
delayed_quota_update: 60
pool_size: 5
users_base_dir: "{{ sftpgo_root_dir }}/data/home/"
httpd:
bindings:
port: 8080
address: ''
proxy_allowed: []
enable_web_admin: True
enable_web_client: True
templates_path: "{{ sftpgo_root_dir }}/app/templates"
static_files_path: "{{ sftpgo_root_dir }}/app/static"
backups_path: "{{ sftpgo_root_dir }}/backup"
max_upload_file_size: 1048576000
telemetry:
bind_port: 0
# You can override and/or add custom settings here. Same format as sftpgo_base_conf
# The extra conf will be merged on top of the base conf
sftpgo_extra_conf: {}
sftpgo_conf: "{{ sftpgo_base_conf | combine(sftpgo_extra_conf, recursive=True) }}"

4
roles/sftpgo/handlers/main.yml
Unescape View File

@ -0,0 +1,4 @@
---
- name: restart sftpgo
service: name=sftpgo state=restarted

5
roles/sftpgo/meta/main.yml
Unescape View File

@ -0,0 +1,5 @@
---
dependencies:
- role: mysql_server
when: sftpgo_db_server in ['localhost','127.0.0.1']

10
roles/sftpgo/tasks/archive_post.yml
Unescape View File

@ -0,0 +1,10 @@
---
- name: Compress previous version
command: tar cf {{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }}.tar.zst --use-compress-program=zstd ./
args:
chdir: "{{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }}"
warn: False
environment:
ZSTD_CLEVEL: 10
tags: sftpgo

23
roles/sftpgo/tasks/archive_pre.yml
Unescape View File

@ -0,0 +1,23 @@
---
- name: Create the archive dir
file: path={{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }} state=directory
tags: sftpgo
- name: Backup previous version
copy: src={{ sftpgo_root_dir }}/app dest={{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }}/ remote_src=True
tags: sftpgo
- name: Archive the database
mysql_db:
state: dump
name: "{{ sftpgo_db_name }}"
target: "{{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }}/{{ sftpgo_db_name }}.sql.xz"
login_host: "{{ sftpgo_db_server }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
quick: True
single_transaction: True
environment:
XZ_OPT: -T0
tags: sftpgo

9
roles/sftpgo/tasks/cleanup.yml
Unescape View File

@ -0,0 +1,9 @@
---
- name: Remove tmp and obsolete files
file: path={{ item }} state=absent
loop:
- "{{ sftpgo_root_dir }}/archives/{{ sftpgo_current_version }}"
- "{{ sftpgo_root_dir }}/tmp/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz"
- "{{ sftpgo_root_dir }}/tmp/{{ sftpgo_version }}"
tags: sftpgo

12
roles/sftpgo/tasks/conf.yml
Unescape View File

@ -0,0 +1,12 @@
---
- name: Deploy sftpgo config
template: src=sftpgo.yml.j2 dest={{ sftpgo_root_dir }}/etc/sftpgo.yml group={{ sftpgo_user }} mode=640
notify: restart sftpgo
tags: sftpgo
- name: Init or upgrade the database
command: "{{ sftpgo_root_dir }}/app/sftpgo --config-file {{ sftpgo_root_dir }}/etc/sftpgo.yml initprovider"
become_user: "{{ sftpgo_user }}"
when: sftpgo_install_mode != 'none'
tags: sftpgo

29
roles/sftpgo/tasks/directories.yml
Unescape View File

@ -0,0 +1,29 @@
---
- name: Create directories
file: path={{ sftpgo_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
loop:
- dir: /
owner: "{{ sftpgo_user }}"
mode: 700
- dir: meta
mode: 700
- dir: archives
omde: 700
- dir: tmp
owner: "{{ sftpgo_user }}"
mode: 700
- dir: etc
owner: "{{ sftpgo_user }}"
mode: 700
- dir: bin
- dir: data
owner: "{{ sftpgo_user }}"
mode: 700
- dir: data/home
owner: "{{ sftpgo_user }}"
mode: 700
- dir: backup
owner: "{{ sftpgo_user }}"
mode: 700
tags: sftpgo

28
roles/sftpgo/tasks/facts.yml
Unescape View File

@ -0,0 +1,28 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: sftpgo
- name: Detect installed version
block:
- import_tasks: ../includes/webapps_set_install_mode.yml
vars:
- root_dir: "{{ sftpgo_root_dir }}"
- version: "{{ sftpgo_version }}"
- set_fact: sftpgo_install_mode={{ (install_mode == 'upgrade' and not sftpgo_manage_upgrade) | ternary('none',install_mode) }}
- set_fact: sftpgo_current_version={{ current_version | default('') }}
tags: sftpgo
- when: sftpgo_db_pass is not defined
name: Generate a random pass for the database
block:
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "{{ sftpgo_root_dir }}/meta/ansible_dbpass"
- set_fact: sftpgo_db_pass={{ rand_pass }}
tags: sftpgo

71
roles/sftpgo/tasks/install.yml
Unescape View File

@ -0,0 +1,71 @@
---
- name: Install dependencies
package:
name: "{{ sftpgo_packages }}"
tags: sftpgo
- name: Stop the service during upgrades
service: name=sftpgo state=stopped
when: sftpgo_install_mode == 'upgrade'
tags: sftpgo
- when: sftpgo_install_mode != 'none'
block:
- name: Download sftpgo
get_url:
url: "{{ sftpgo_archive_url }}"
dest: "{{ sftpgo_root_dir }}/tmp/"
checksum: sha1:{{ sftpgo_archive_sha1 }}
- name: Create tmp dir
file: path={{ sftpgo_root_dir }}/tmp/{{ sftpgo_version }} state=directory
- name: Extract sftpgo archive
unarchive:
src: "{{ sftpgo_root_dir }}/tmp/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz"
dest: "{{ sftpgo_root_dir }}/tmp/{{ sftpgo_version }}"
remote_src: True
- name: Install or update the app
synchronize:
src: "{{ sftpgo_root_dir }}/tmp/{{ sftpgo_version }}/{{ item }}"
dest: "{{ sftpgo_root_dir }}/app/"
compress: False
delete: True
loop:
- sftpgo
- templates
- static
delegate_to: "{{ inventory_hostname }}"
notify: restart sftpgo
tags: sftpgo
- name: Install systemd unit
template: src=sftpgo.service.j2 dest=/etc/systemd/system/sftpgo.service
register: sftpgo_unit
tags: sftpgo
- name: Reload systemd
systemd: daemon_reload=True
when: sftpgo_unit.changed
tags: sftpgo
# Create MySQL database
- import_tasks: ../includes/webapps_create_mysql_db.yml
vars:
- db_name: "{{ sftpgo_db_name }}"
- db_user: "{{ sftpgo_db_user }}"
- db_server: "{{ sftpgo_db_server }}"
- db_port: "{{ sftpgo_db_port }}"
- db_pass: "{{ sftpgo_db_pass }}"
tags: sftpgo
- name: Install backups hooks
template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/sftpgo mode=700
loop:
- pre
- post
tags: sftpgo

21
roles/sftpgo/tasks/iptables.yml
Unescape View File

@ -0,0 +1,21 @@
---
- name: Handle sftpgo ports in the firewall
iptables_raw:
name: "{{ item.name }}"
state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp {{ item.port is string | ternary('--dport ' ~ item.port, '-m multiport --dports ' ~ item.port | join(',')) }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
with_items:
- port: "{{ sftpgo_conf.sftpd.bindings.port }}"
name: sftpgo_sftp_port
src_ip: "{{ sftpgo_sftp_src_ip }}"
- port: "{{ [sftpgo_conf.ftpd.bindings.port,sftpgo_conf.ftpd.passive_port_range.start ~ ':' ~ sftpgo_conf.ftpd.passive_port_range.end] }}"
name: sftpgo_ftp_port
src_ip: "{{ sftpgo_ftp_src_ip }}"
- port: "{{ sftpgo_conf.webdavd.bindings.port }}"
name: sftpgo_webdav_port
src_ip: "{{ sftpgo_webdav_src_ip }}"
- port: "{{ sftpgo_conf.httpd.bindings.port }}"
name: sftpgo_http_port
src_ip: "{{ sftpgo_http_src_ip }}"
tags: firewall,sftpgo

18
roles/sftpgo/tasks/main.yml
Unescape View File

@ -0,0 +1,18 @@
---
- include: user.yml
- include: directories.yml
- include: facts.yml
- include: archive_pre.yml
when: sftpgo_install_mode == 'upgrade'
- include: install.yml
- include: selinux.yml
when: ansible_selinux.status == 'enabled'
- include: conf.yml
- include: iptables.yml
when: iptables_manage | default(True)
- include: services.yml
- include: write_version.yml
- include: archive_post.yml
when: sftpgo_install_mode == 'upgrade'
- include: cleanup.yml

15
roles/sftpgo/tasks/selinux.yml
Unescape View File

@ -0,0 +1,15 @@
---
- name: Set correct SELinux context
sefcontext:
target: "{{ sftpgo_root_dir }}/app/sftpgo"
setype: bin_t
state: present
register: sftpgo_selinux_context
tags: sftpgo
- name: Restore correct SELinux context
command: restorecon {{ sftpgo_root_dir }}/app/sftpgo
when: sftpgo_selinux_context.changed
tags: sftpgo

5
roles/sftpgo/tasks/services.yml
Unescape View File

@ -0,0 +1,5 @@
---
- name: Start and enable the service
service: name=sftpgo state=started enabled=True
tags: sftpgo

10
roles/sftpgo/tasks/user.yml
Unescape View File

@ -0,0 +1,10 @@
---
- name: Create sftpgo user
user:
name: "{{ sftpgo_user }}"
comment: SFTPGO User account
home: "{{ sftpgo_root_dir }}"
system: True
shell: /sbin/nologin
tags: sftpgo

5
roles/sftpgo/tasks/write_version.yml
Unescape View File

@ -0,0 +1,5 @@
---
- name: Write installed version
copy: content={{ sftpgo_version }} dest={{ sftpgo_root_dir }}/meta/ansible_version
tags: sftpgo

5
roles/sftpgo/templates/post-backup.j2
Unescape View File

@ -0,0 +1,5 @@
#!/bin/bash
set -eo pipefail
rm -f {{ sftpgo_root_dir }}/backup/*.sql.zst {{ sftpgo_root_dir }}/backup/id_*

16
roles/sftpgo/templates/pre-backup.j2
Unescape View File

@ -0,0 +1,16 @@
#!/bin/bash
set -eo pipefail
/usr/bin/mysqldump \
{% if sftpgo_db_server not in ['localhost', '127.0.0.1'] %}
--user={{ sftpgo_db_user | quote }} \
--password={{ sftpgo_db_pass | quote }} \
--host={{ sftpgo_db_server | quote }} \
--port={{ sftpgo_db_port }} \
{% endif %}
--quick --single-transaction \
--add-drop-table {{ sftpgo_db_name }} | \
zstd -c > {{ sftpgo_root_dir }}/backup/{{ sftpgo_db_name }}.sql.zst
cp -a {{ sftpgo_root_dir }}/etc/id_* {{ sftpgo_root_dir }}/backup/

33
roles/sftpgo/templates/sftpgo.service.j2
Unescape View File

@ -0,0 +1,33 @@
[Unit]
Description=SFTPGo Server
After=network.target mariadb.service mysqld.service postgresql.service
[Service]
User={{ sftpgo_user }}
Group={{ sftpgo_user }}
Type=simple
WorkingDirectory={{ sftpgo_root_dir }}/data
ExecStart={{ sftpgo_root_dir }}/app/sftpgo --config-file={{ sftpgo_root_dir }}/etc/sftpgo.yml --config-dir={{ sftpgo_root_dir }}/etc --log-file-path='' serve
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=mixed
Restart=always
StartLimitInterval=0
RestartSec=10s
PrivateTmp=true
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths={{ sftpgo_root_dir }}/etc/ {{ sftpgo_root_dir }}/data/
ProtectHome=yes
NoNewPrivileges=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
UMask=077
MemoryLimit=2048M
# Allow binding on privileged ports
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target

3
roles/sftpgo/templates/sftpgo.yml.j2
Unescape View File

@ -0,0 +1,3 @@
---
{{ sftpgo_conf | to_nice_yaml(indent=2, width=1000) }}

6
roles/sftpgo/vars/RedHat.yml
Unescape View File

@ -0,0 +1,6 @@
---
sftpgo_packages:
- tar
- zstd
- mariadb
Write Preview
Loading…
Cancel
Save