diff --git a/roles/bitwarden_rs/tasks/install.yml b/roles/bitwarden_rs/tasks/install.yml index eca3f11..0ec0731 100644 --- a/roles/bitwarden_rs/tasks/install.yml +++ b/roles/bitwarden_rs/tasks/install.yml @@ -13,12 +13,14 @@ when: - bitwarden_db_engine == 'mysql' - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default' + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8','<') tags: bitwarden - name: Install MariaDB devel package yum: name: - - MariaDB-devel + - mariadb-devel when: bitwarden_db_engine == 'mysql' tags: bitwarden diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index a324268..069bac4 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -33,6 +33,7 @@ system_utils: - nano - tree - mc + - tar # Kernel modules to load system_kmods: [] diff --git a/roles/common/vars/CentOS-8.yml b/roles/common/vars/CentOS-8.yml index 85ad251..b3bb35e 100644 --- a/roles/common/vars/CentOS-8.yml +++ b/roles/common/vars/CentOS-8.yml @@ -7,7 +7,7 @@ system_distro_utils: - lz4 - yum-utils - fuse-sshfs - - python3-policycoreutils + - policycoreutils-python-utils - python3-mysql - python3-psycopg2 - zstd diff --git a/roles/coturn/defaults/main.yml b/roles/coturn/defaults/main.yml new file mode 100644 index 0000000..eead33c --- /dev/null +++ b/roles/coturn/defaults/main.yml 
@@ -0,0 +1,38 @@ +--- + +# Set turn realm. Default to the domain name if unset +# turn_realm: turn.example.com + +# The static, shared auth secret. If not set, will use long term auth. +# See turn_lt_users +# turn_auth_secret: + +# Long term users +turn_lt_users: [] +# - name: asterisk +# pass: S3cr3t. + + +turn_listen_ip: + - 0.0.0.0 + +# If defined, restrict who can access the service +turn_src_ip: + - 0.0.0.0/0 + +turn_port: 3478 +turn_alt_port: 3479 +turn_tls_port: 5349 +turn_alt_tls_port: 5350 + +# Allow non TLS relay +turn_allow_non_tls: True + +# Turn on TLS listener. If true, certificate must be present +turn_tls: False +# turn_tls_cert: +# turn_tls_key: + +# If behind a NAT, you must set the public IP +# turn_external_ip: 12.13.14.15 + diff --git a/roles/coturn/files/dehydrated_deploy_hook b/roles/coturn/files/dehydrated_deploy_hook new file mode 100644 index 0000000..cc6c32c --- /dev/null +++ b/roles/coturn/files/dehydrated_deploy_hook @@ -0,0 +1,3 @@ +#!/bin/sh + +/bin/systemctl restart coturn diff --git a/roles/coturn/handlers/main.yml b/roles/coturn/handlers/main.yml new file mode 100644 index 0000000..8288105 --- /dev/null +++ b/roles/coturn/handlers/main.yml @@ -0,0 +1,4 @@ +--- + +- name: restart coturn + service: name=coturn state=restarted enabled=yes diff --git a/roles/coturn/meta/main.yml b/roles/coturn/meta/main.yml new file mode 100644 index 0000000..dc58dfa --- /dev/null +++ b/roles/coturn/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - role: mkdir diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml new file mode 100644 index 0000000..d6c6c79 --- /dev/null +++ b/roles/coturn/tasks/main.yml 
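Review bot: `turn_allow_non_tls: True` and `turn_tls: False` in the new defaults use capitalised YAML 1.1 booleans, which yamllint's truthy rule flags and which non-Ansible consumers may read as strings; write them `turn_allow_non_tls: true` and `turn_tls: false`. The file also opens the service to the world by default (`turn_src_ip` is `0.0.0.0/0`) while the comment above it only says what happens if the variable is defined, so I would make the default explicit: `# Source networks allowed to reach the TURN ports. Defaults to everyone; set to [] to create no firewall rule`. The `turn_auth_secret` comment should add that the value is rendered verbatim into coturn.conf, so it belongs in a vault rather than in plain group_vars.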
@@ -0,0 +1,73 @@ +--- + +- name: Install Coturn + yum: name=coturn state=present + register: turn_installed + tags: turn + +- name: Create tmpfiles + command: systemd-tmpfiles --create + when: turn_installed.changed + tags: turn + +- name: Deploy main configuration + template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640 + notify: restart coturn + tags: turn + +- name: Deploy dehydrated hook + copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755 + tags: turn + +- name: Remove turnserver rules + iptables_raw: + name: turnserver_ports + state: absent + when: iptables_manage | default(True) + tags: turn,firewall + +- name: Handle coturn ports + iptables_raw: + name: coturn_ports + state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}" + rules: | + -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT + -A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT + -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT + -A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT + -A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT + -A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT + when: iptables_manage | default(True) + tags: turn,firewall + +- name: Start and enable the service + service: name=coturn state=started enabled=True + tags: turn + +- name: Add long term users + command: turnadmin --add --user={{ item.name }} --password={{ item.pass | quote }} --realm={{ turn_realm | default(ansible_domain) }} + loop: "{{ turn_lt_users }}" + tags: turn + +- name: Remove users with unknown realm + shell: | + for 
U in $(turnadmin --list | grep -v '\[{{ turn_realm | default(ansible_domain) }}\]'); do + user=$(echo $U | cut -d'[' -f1) + realm=$(echo $U | perl -pe 's/.*\[(.*)\]/$1/') + turnadmin --delete --user=$user --realm=$realm + done + changed_when: False + tags: turn + +- name: List long term users + shell: turnadmin --list | grep -vP '^0:\s+(log file opened|SQLite connection)' | cut -d'[' -f1 + register: turn_lt_existing_users + changed_when: False + tags: turn + +- name: Remove unmanaged long term users + command: turnadmin --delete --user={{ item }} --realm={{ turn_realm | default(ansible_domain) }} + when: item not in turn_lt_users | map(attribute='name') | list + loop: "{{ turn_lt_existing_users.stdout_lines }}" + tags: turn + diff --git a/roles/coturn/templates/coturn.conf.j2 b/roles/coturn/templates/coturn.conf.j2 new file mode 100644 index 0000000..94aa3c0 --- /dev/null +++ b/roles/coturn/templates/coturn.conf.j2 @@ -0,0 +1,40 @@ +pidfile="/var/run/coturn/coturn.pid" +verbose +fingerprint +{% if turn_auth_secret is defined %} +use-auth-secret +static-auth-secret {{ turn_auth_secret }} +{% else %} +lt-cred-mech +{% endif %} +no-sslv2 +no-sslv3 +no-loopback-peers +no-multicast-peers +realm {{ turn_realm | default(ansible_domain) }} +proc-user turnserver +proc-group turnserver +syslog + +{% for ip in turn_listen_ip %} +listening-ip {{ ip }} +{% endfor %} + +{% if not turn_allow_non_tls %} +no-tcp +no-udp +{% endif %} + +listening-port {{ turn_port }} +alt-listening-port {{ turn_alt_port }} + +{% if turn_tls %} +tls-listening-port {{ turn_tls_port }} +alt-tls-listening-port {{ turn_alt_tls_port }} +cert {{ turn_tls_cert }} +pkey {{ turn_tls_key }} +{% endif %} + +{% if turn_external_ip is defined %} +external-ip {{ turn_external_ip }} +{% endif %} diff --git a/roles/freepbx/defaults/main.yml b/roles/freepbx/defaults/main.yml index f190b24..2db239c 100644 --- a/roles/freepbx/defaults/main.yml +++ b/roles/freepbx/defaults/main.yml 
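Review bot: The `Add long term users` task passes `--password={{ item.pass | quote }}` on the turnadmin command line without `no_log`, so each password is printed in the play output, stored by any logging callback and visible in the process list while turnadmin runs; add `no_log: True` to that task so the loop item echo stays out of the logs as well. The `Remove users with unknown realm` loop iterates over every whitespace-separated token of `turnadmin --list`, and the later `List long term users` task shows that output also contains `0: log file opened` style lines, so the loop presumably calls `turnadmin --delete` with tokens such as `0:` and `log`; apply the same `grep -vP '^0:\s+(log file opened|SQLite connection)'` filter before the realm `grep -v`. The `Handle coturn ports` rules hard-code the relay range `49152:65535` that the rendered coturn.conf never sets, so firewall and daemon agree only through coturn's built-in default; consider `turn_min_port`/`turn_max_port` variables used in both places.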
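Review bot: The rendered coturn.conf has no `denied-peer-ip` entries, so an authenticated client can ask the relay to send traffic to RFC1918, link-local and cloud-metadata addresses reachable from the server; `no-loopback-peers` and `no-multicast-peers` only cover loopback and multicast. The management CLI on its default local port is also left enabled, so `no-cli` belongs next to `syslog` unless someone actually uses it. `proc-user turnserver`/`proc-group turnserver` do not match the `group=coturn` given to the config file in tasks/main.yml or the `coturn` unit restarted by the hook — confirm which account the EL package creates before this goes out. The lines below go after `no-multicast-peers`.
```jinja
# … unchanged: pidfile, auth mode, no-sslv2/3, no-loopback-peers …
no-multicast-peers
# keep the relay from reaching private, link-local and this host's own networks
denied-peer-ip 10.0.0.0-10.255.255.255
denied-peer-ip 172.16.0.0-172.31.255.255
denied-peer-ip 192.168.0.0-192.168.255.255
denied-peer-ip 169.254.0.0-169.254.255.255
# no one administers coturn through the local CLI socket
no-cli
# … unchanged: realm, proc-user, listening ips/ports, tls, external-ip …
```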
@@ -1,7 +1,7 @@ --- fpbx_version: 15.0 -fpbx_archive_sha1: f9c076d5afbe787cb2a7068f02c96b4bc413f61e +fpbx_archive_sha1: 42aae0f245a5d6297f8f2154281f28436663ee33 fpbx_archive_url: https://mirror.freepbx.org/modules/packages/freepbx/freepbx-{{ fpbx_version }}-latest.tgz fpbx_root_dir: /opt/freepbx fpbx_manage_upgrade: True diff --git a/roles/freepbx/tasks/main.yml b/roles/freepbx/tasks/main.yml index 8031a6a..40d91eb 100644 --- a/roles/freepbx/tasks/main.yml +++ b/roles/freepbx/tasks/main.yml @@ -1,39 +1,15 @@ --- +- include_vars: "{{ item }}" + with_first_found: + - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_distribution }}.yml + - vars/{{ ansible_os_family }}.yml + - vars/defaults.yml + tags: fpbx + - name: Install Asterisk and its dependencies - yum: - name: - - asterisk - - asterisk-voicemail - - asterisk-pjsip - - asterisk-sip - - asterisk-mysql - - asterisk-ael - - asterisk-iax2 - - asterisk-dahdi - - asterisk-fax - - asterisk-ldap - - asterisk-misdn - - asterisk-mp3 - - asterisk-odbc - - mysql-connector-odbc - - mpg123 - - lame - - opus - - nmap - - nodejs - #- kmod-dahdi-linux - #- dahdi-tools - #- dahdi-linux - - tar - - mariadb - - MySQL-python - - acl - - gcc-c++ # needed for ucp - - icu - - libicu-devel - - patch - - vsftpd + yum: name={{ fpbx_packages }} tags: fpbx - name: Build a list of music on hold format to install 
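Review bot: The `with_first_found` list in the new `include_vars` task ends with `vars/defaults.yml`, but the commit only adds vars/CentOS-7.yml and vars/CentOS-8.yml; if defaults.yml does not exist, a host matching none of the patterns fails inside `include_vars` with a lookup error rather than a message saying the platform is unsupported, and `yum: name={{ fpbx_packages }}` would then fail on an undefined variable anyway. Either add the file or drop the entry and put a guard such as `- assert: { that: fpbx_packages is defined, fail_msg: "no fpbx_packages list for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" }` before the install task. The same `with_first_found` pattern added to roles/seafile/tasks/facts.yml has no defaults entry at all.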
@@ -75,15 +51,14 @@ - import_tasks: ../includes/disable_selinux.yml tags: fpbx -- import_tasks: ../includes/webapps_set_install_mode.yml - vars: - - root_dir: "{{ fpbx_root_dir }}" - - version: "{{ fpbx_version }}" - - manage_upgrade: False - tags: fpbx -- set_fact: fpbx_install_mode={{ (install_mode == 'install') | ternary('install','none') }} - tags: fpbx -- set_fact: fpbx_current_version={{ current_version | default('') }} +- block: + - import_tasks: ../includes/webapps_set_install_mode.yml + vars: + - root_dir: "{{ fpbx_root_dir }}" + - version: "{{ fpbx_version }}" + - manage_upgrade: False + - set_fact: fpbx_install_mode={{ (install_mode == 'install') | ternary('install','none') }} + - set_fact: fpbx_current_version={{ current_version | default('') }} tags: fpbx - name: Create directories diff --git a/roles/freepbx/templates/logrotate.conf.j2 b/roles/freepbx/templates/logrotate.conf.j2 index 586b8ed..57aa842 100644 --- a/roles/freepbx/templates/logrotate.conf.j2 +++ b/roles/freepbx/templates/logrotate.conf.j2 @@ -2,6 +2,7 @@ /var/log/asterisk/event_log /var/log/asterisk/queue_log /var/log/asterisk/full +/var/log/asterisk/security /var/log/asterisk/freepbx.log /var/log/asterisk/freepbx_security.log /var/log/asterisk/ucp_err.log diff --git a/roles/freepbx/vars/CentOS-7.yml b/roles/freepbx/vars/CentOS-7.yml new file mode 100644 index 0000000..280d0ed --- /dev/null +++ b/roles/freepbx/vars/CentOS-7.yml @@ -0,0 +1,32 @@ +--- + +fpbx_packages: + - asterisk + - asterisk-voicemail + - asterisk-pjsip + - asterisk-sip + - asterisk-mysql + - asterisk-ael + - asterisk-iax2 + - asterisk-dahdi + - asterisk-fax + - asterisk-ldap + - asterisk-misdn + - asterisk-mp3 + - asterisk-odbc + - mysql-connector-odbc + - mpg123 + - lame + - opus + - nmap + - nodejs + - tar + - mariadb + - MySQL-python + - acl + - gcc-c++ # needed for ucp + - icu + - libicu-devel + - patch + - vsftpd + 
diff --git a/roles/freepbx/vars/CentOS-8.yml b/roles/freepbx/vars/CentOS-8.yml new file mode 100644 index 0000000..2420c72 --- /dev/null +++ b/roles/freepbx/vars/CentOS-8.yml @@ -0,0 +1,31 @@ +--- + +fpbx_packages: + - asterisk + - asterisk-voicemail + - asterisk-pjsip + - asterisk-sip + - asterisk-mysql + - asterisk-ael + - asterisk-iax2 + - asterisk-dahdi + - asterisk-fax + - asterisk-ldap + - asterisk-mp3 + - asterisk-odbc + - mariadb-connector-odbc + - mpg123 +# - lame + - opus + - nmap + - nodejs + - tar + - mariadb + - python3-mysql + - acl + - gcc-c++ # needed for ucp + - icu + - libicu-devel + - patch + - vsftpd + diff --git a/roles/httpd_php/tasks/main.yml b/roles/httpd_php/tasks/main.yml index 1285014..95b6531 100644 --- a/roles/httpd_php/tasks/main.yml +++ b/roles/httpd_php/tasks/main.yml @@ -10,14 +10,25 @@ - name: Install PHP packages yum: name={{ httpd_php_packages }} - notify: - - systemd-tmpfiles - - restart php-fpm + notify: restart php-fpm + register: httpd_php_installed + tags: web + +- name: Install scl utils + yum: + name: + - scl-utils tags: web - name: Create tmpfiles.d fragment copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf notify: systemd-tmpfiles + register: httpd_php_tmpfiles + tags: web + +- name: Create tmpfiles + command: systemd-tmpfiles --create + when: httpd_php_installed.changed or httpd_php_tmpfiles.changed tags: web - name: Disable default FPM pools diff --git a/roles/jitsi/tasks/install.yml b/roles/jitsi/tasks/install.yml index 6b12c54..4497d8a 100644 --- a/roles/jitsi/tasks/install.yml +++ b/roles/jitsi/tasks/install.yml @@ -9,6 +9,7 @@ - nodejs # needed to build meet - libXScrnSaver # needed for jigasi - python3 # needed for confmapper + - make tags: jitsi # If you use an Let's Encrypt cert, it might not be there yet. In this case, create a link diff --git a/roles/nfs_server/handlers/main.yml b/roles/nfs_server/handlers/main.yml index 3c64eff..7625804 100644 --- a/roles/nfs_server/handlers/main.yml 
+++ b/roles/nfs_server/handlers/main.yml @@ -1,4 +1,4 @@ --- - name: reload nfs - service: name=nfs state=reloaded + service: name=nfs-server state=reloaded diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index ce24773..e27ace1 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml @@ -24,4 +24,5 @@ - name: Start and enable services service: name={{ item }} state=started enabled=True with_items: - - nfs + - nfs-server + tags: nfs diff --git a/roles/nginx/tasks/conf.yml b/roles/nginx/tasks/conf.yml index 8789457..cecf5f8 100644 --- a/roles/nginx/tasks/conf.yml +++ b/roles/nginx/tasks/conf.yml @@ -57,3 +57,10 @@ - name: Configure log rotation template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx tags: web + +- name: Ensure log files has correct permission + file: path=/var/log/nginx/{{ item }} owner=nginx group=nginx state=touch + loop: + - error.log + - access.log + tags: web diff --git a/roles/nginx/tasks/install_nginx.yml b/roles/nginx/tasks/install_nginx.yml index 6ecaaea..7a23d2c 100644 --- a/roles/nginx/tasks/install_nginx.yml +++ b/roles/nginx/tasks/install_nginx.yml @@ -7,9 +7,22 @@ state: absent tags: web +- name: Enable 1.16 module + shell: | + yum -y module reset nginx + yum -y module enable nginx:1.16 + args: + warn: False + changed_when: False + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8', '>=') + tags: web + - name: Install nginx yum: name: - nginx + - nginx-all-modules tags: web diff --git a/roles/nginx/tasks/service.yml b/roles/nginx/tasks/service.yml index 40d1592..a94a35b 100644 --- a/roles/nginx/tasks/service.yml +++ b/roles/nginx/tasks/service.yml @@ -20,10 +20,6 @@ Restart=on-failure StartLimitInterval=0 RestartSec=5 - PrivateDevices=yes - ProtectSystem=full - ProtectHome=yes - NoNewPrivileges=yes [Install] WantedBy=multi-user.target 
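Review bot: The override drops `PrivateDevices=yes`, `ProtectSystem=full`, `ProtectHome=yes` and `NoNewPrivileges=yes` from the nginx unit with nothing in the commit saying why, which removes the sandboxing that kept a compromised nginx process from writing under /usr, /boot and /etc, reading home directories, reaching device nodes, or regaining privileges through setuid binaries. If one directive broke nginx on EL8 (the only related change here is the `Enable 1.16 module` task in install_nginx.yml), remove just that one and leave a comment in the unit naming it, e.g. `# ProtectSystem dropped: <reason>`; otherwise keep all four. The `[Service]` section this hunk edits starts outside the hunk.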
diff --git a/roles/onlyoffice_document_server/files/onlyoffice_docserver.te b/roles/onlyoffice_document_server/files/onlyoffice_docserver.te new file mode 100644 index 0000000..0fad4f2 --- /dev/null +++ b/roles/onlyoffice_document_server/files/onlyoffice_docserver.te @@ -0,0 +1,18 @@ +module onlyoffice_docserver 1.0; + +require { + type httpd_sys_content_t; + type amqp_port_t; + type mysqld_port_t; + type init_t; + class file { execute execute_no_trans getattr map open read }; + class process execmem; + class tcp_socket name_connect; +} + +#============= init_t ============== +allow init_t amqp_port_t:tcp_socket name_connect; +allow init_t mysqld_port_t:tcp_socket name_connect; +allow init_t httpd_sys_content_t:file map; +allow init_t httpd_sys_content_t:file { execute execute_no_trans getattr open read }; +allow init_t self:process execmem; diff --git a/roles/onlyoffice_document_server/meta/main.yml b/roles/onlyoffice_document_server/meta/main.yml index 3dd9637..811ad16 100644 --- a/roles/onlyoffice_document_server/meta/main.yml +++ b/roles/onlyoffice_document_server/meta/main.yml @@ -6,3 +6,5 @@ dependencies: - role: nginx - role: redis_server - role: rabbitmq_server + - role: mysql_server + when: oo_db_server in ['localhost','127.0.0.1'] diff --git a/roles/onlyoffice_document_server/tasks/conf.yml b/roles/onlyoffice_document_server/tasks/conf.yml new file mode 100644 index 0000000..d19464a --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/conf.yml @@ -0,0 +1,13 @@ +--- + +- name: Deploy configuration + template: src={{ item }}.j2 dest=/etc/onlyoffice/documentserver/{{ item }} owner=ds group=ds mode=440 + loop: + - oods.json + notify: restart documentserver + tags: oo + +- name: Deploy nginx configuration + template: src=nginx_vhost.conf.j2 dest=/etc/nginx/ansible_conf.d/32-oods.conf + notify: reload nginx + tags: oo 
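Review bot: The module grants the new permissions to `init_t`, the domain of systemd itself and of every service that has no transition of its own, so `execmem`, `name_connect` to `mysqld_port_t`/`amqp_port_t` and execute/map on `httpd_sys_content_t` become available to every init_t process on the host, not only to the document server. This looks like unedited audit2allow output; confining the four documentserver units in a dedicated domain would keep the grants to that service, and if init_t is kept as a deliberate trade-off the file should say so, e.g. `# documentserver units run in init_t (no domain transition); these grants apply to every init_t process` above the allow rules. `execmem` in particular deserves a comment on which component needs writable-and-executable anonymous memory, since it weakens W^X for the whole domain.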
diff --git a/roles/onlyoffice_document_server/tasks/directories.yml b/roles/onlyoffice_document_server/tasks/directories.yml new file mode 100644 index 0000000..db11ce3 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/directories.yml @@ -0,0 +1,5 @@ +--- + +- name: Create meta directory + file: path=/etc/onlyoffice/meta state=directory mode=700 + tags: oo diff --git a/roles/onlyoffice_document_server/tasks/facts.yml b/roles/onlyoffice_document_server/tasks/facts.yml new file mode 100644 index 0000000..bb4dfc5 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/facts.yml @@ -0,0 +1,17 @@ +--- + +- set_fact: + oo_services: + - documentserver-converter + - documentserver-docservice + - documentserver-metrics + - documentserver-spellchecker + tags: oo + +- when: oo_db_pass is not defined + block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: /etc/onlyoffice/meta/ansible_db_pass + - set_fact: oo_db_pass={{ rand_pass }} + tags: oo diff --git a/roles/onlyoffice_document_server/tasks/install.yml b/roles/onlyoffice_document_server/tasks/install.yml new file mode 100644 index 0000000..26a4da3 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/install.yml 
@@ -0,0 +1,74 @@ +--- + +- name: Install packages + yum: + name: + - gcc-c++ # needed to rebuild modules for spellchecker + - nodejs + - onlyoffice-documentserver + tags: oo + +- name: Fix permissions on onlyoffice web resources + file: path=/var/www/onlyoffice state=directory mode=755 + tags: oo + +- import_tasks: ../includes/webapps_create_mysql_db.yml + vars: + - db_name: "{{ oo_db_name }}" + - db_user: "{{ oo_db_user }}" + - db_server: "{{ oo_db_server }}" + - db_pass: "{{ oo_db_pass }}" + tags: oo + +- name: Load MySQL schema + mysql_db: + name: "{{ oo_db_name }}" + state: import + target: /var/www/onlyoffice/documentserver/server/schema/mysql/createdb.sql + login_host: "{{ oo_db_server }}" + login_user: sqladmin + login_password: "{{ mysql_admin_pass }}" + when: db_created.changed + tags: oo + +- name: Set permissions for default conf + file: path=/etc/onlyoffice/documentserver/{{ item }} mode=644 + loop: + - default.json + - development-mac.json + - development-windows.json + - production-linux.json + - log4js/development.json + - log4js/production.json + tags: oo + +- name: Fix permissions on data dir + command: chown -R ds:ds /var/lib/onlyoffice/documentserver/ + args: + warn: False + changed_when: False + tags: oo + +- name: Deploy systemd service units + template: src={{ item }}.service.j2 dest=/etc/systemd/system/{{ item }}.service + loop: "{{ oo_services }}" + register: oo_units + notify: restart documentserver + tags: oo + +- name: Reload systemd + systemd: daemon_reload=True + when: oo_units.results | selectattr('changed','equalto',True) | list | length > 0 + tags: oo + +- name: Remove obsolete services + file: path=/etc/systemd/system/{{ item }}.service state=absent + loop: + - documentserver-gc + register: oo_obsolete_units + tags: oo + +- name: Reload systemd + systemd: daemon_reload=True + when: oo_obsolete_units.changed + tags: oo 
diff --git a/roles/onlyoffice_document_server/tasks/main.yml b/roles/onlyoffice_document_server/tasks/main.yml index 181f81a..50c03ff 100644 --- a/roles/onlyoffice_document_server/tasks/main.yml +++ b/roles/onlyoffice_document_server/tasks/main.yml 
@@ -1,129 +1,9 @@ --- -- set_fact: - oo_services: - - documentserver-converter - - documentserver-docservice - - documentserver-metrics - - documentserver-spellchecker - tags: oo - -- name: Create a system user - user: - name: ds - comment: OnlyOffice Document Server - system: True - home: /var/www/onlyoffice - shell: /sbin/nologin - tags: oo - -- name: Install packages - yum: - name: - - gcc-c++ # needed to rebuild modules for spellchecker - - nodejs - - onlyoffice-documentserver - tags: oo - -- name: Create meta directory - file: path=/etc/onlyoffice/meta state=directory mode=700 - tags: oo - -- name: Fix permissions on onlyoffice web resources - file: path=/var/www/onlyoffice state=directory mode=755 - tags: oo - -- import_tasks: ../includes/get_rand_pass.yml - vars: - - pass_file: /etc/onlyoffice/meta/ansible_db_pass - tags: oo -- set_fact: oo_db_pass={{ rand_pass }} - when: oo_db_pass is not defined - tags: oo - -- import_tasks: ../includes/webapps_create_mysql_db.yml - vars: - - db_name: "{{ oo_db_name }}" - - db_user: "{{ oo_db_user }}" - - db_server: "{{ oo_db_server }}" - - db_pass: "{{ oo_db_pass }}" - tags: oo - -- name: Load MySQL schema - mysql_db: - name: "{{ oo_db_name }}" - state: import - target: /var/www/onlyoffice/documentserver/server/schema/mysql/createdb.sql - login_host: "{{ oo_db_server }}" - login_user: sqladmin - login_password: "{{ mysql_admin_pass }}" - when: db_created.changed - tags: oo - -- name: Deploy configuration - template: src={{ item }}.j2 dest=/etc/onlyoffice/documentserver/{{ item }} owner=ds group=ds mode=440 - loop: - - oods.json - notify: restart documentserver - tags: oo - -- name: Set permissions for default conf - file: path=/etc/onlyoffice/documentserver/{{ item }} mode=644 - loop: - - default.json - - development-mac.json - - development-windows.json - - production-linux.json - - log4js/development.json - - log4js/production.json - tags: oo - -- name: Fix permissions on data dir - command: chown -R ds:ds 
/var/lib/onlyoffice/documentserver/ - args: - warn: False - changed_when: False - tags: oo - -- name: Deploy nginx configuration - template: src=nginx_vhost.conf.j2 dest=/etc/nginx/ansible_conf.d/32-oods.conf - notify: reload nginx - tags: oo - -- name: Create /etc/system/system - file: path=/etc/systemd/system state=directory - tags: oo - -- name: Deploy systemd service units - template: src={{ item }}.service.j2 dest=/etc/systemd/system/{{ item }}.service - loop: "{{ oo_services }}" - register: oo_units - notify: restart documentserver - tags: oo - -- name: Reload systemd - systemd: daemon_reload=True - when: oo_units.results | selectattr('changed','equalto',True) | list | length > 0 - tags: oo - -- name: Stop and disable supervisord - systemd: name=supervisord state=stopped enabled=False masked=True - tags: oo - -- name: Remove obsolete services - file: path=/etc/systemd/system/{{ item }}.service state=absent - loop: - - documentserver-gc - register: oo_obsolete_units - tags: oo - -- name: Reload systemd - systemd: daemon_reload=True - when: oo_obsolete_units.changed - tags: oo - -- name: Start and enable documentserver services - service: name={{ item }} state=started enabled=True - loop: "{{ oo_services }}" - tags: oo - +- include: user.yml +- include: directories.yml +- include: facts.yml +- include: install.yml +- include: selinux.yml + when: ansible_selinux.status == 'enabled' +- include: services.yml diff --git a/roles/onlyoffice_document_server/tasks/selinux.yml b/roles/onlyoffice_document_server/tasks/selinux.yml new file mode 100644 index 0000000..5ca2ca8 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/selinux.yml 
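Review bot: The rebuilt main.yml uses the legacy `include:` keyword for every task file, which Ansible deprecates in favour of `import_tasks`/`include_tasks`, and the commit moves repo_elasticsearch/tasks/main.yml in the opposite direction (`include_tasks` → `include`). The included files carry `tags: oo` on their tasks while the include lines carry none, so if these includes are evaluated dynamically a `--tags oo` run skips the includes themselves and nothing in the role executes; `- import_tasks: user.yml` (and `- import_tasks: selinux.yml` with the existing `when:`, which is applied to each imported task) is static and avoids the ambiguity. The same applies to the other include lines in this hunk.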
@@ -0,0 +1,16 @@ +--- + +- name: Copy SELinux policy + copy: src=onlyoffice_docserver.te dest=/etc/selinux/targeted/local/onlyoffice_docserver.te + register: oo_selinux_policy + tags: oo + +- name: Compile SELinux policy + shell: | + cd /etc/selinux/targeted/local/ + checkmodule -M -m -o onlyoffice_docserver.mod onlyoffice_docserver.te + semodule_package -o onlyoffice_docserver.pp -m onlyoffice_docserver.mod + semodule -i /etc/selinux/targeted/local/onlyoffice_docserver.pp + when: oo_selinux_policy.changed + tags: oo + diff --git a/roles/onlyoffice_document_server/tasks/services.yml b/roles/onlyoffice_document_server/tasks/services.yml new file mode 100644 index 0000000..cea6757 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/services.yml @@ -0,0 +1,11 @@ +--- + +- name: Stop and disable supervisord + systemd: name=supervisord state=stopped enabled=False masked=True + tags: oo + +- name: Start and enable documentserver services + service: name={{ item }} state=started enabled=True + loop: "{{ oo_services }}" + tags: oo + diff --git a/roles/onlyoffice_document_server/tasks/user.yml b/roles/onlyoffice_document_server/tasks/user.yml new file mode 100644 index 0000000..e35ec71 --- /dev/null +++ b/roles/onlyoffice_document_server/tasks/user.yml @@ -0,0 +1,10 @@ +--- + +- name: Create a system user + user: + name: ds + comment: OnlyOffice Document Server + system: True + home: /var/www/onlyoffice + shell: /sbin/nologin + tags: oo diff --git a/roles/rabbitmq_server/meta/main.yml b/roles/rabbitmq_server/meta/main.yml new file mode 100644 index 0000000..debfb84 --- /dev/null +++ b/roles/rabbitmq_server/meta/main.yml @@ -0,0 +1,7 @@ +--- + +dependencies: + - role: repo_rabbitmq + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8','>=') diff --git a/roles/redis_server/meta/main.yml b/roles/redis_server/meta/main.yml index 8b7ca04..95aebdd 100644 --- a/roles/redis_server/meta/main.yml +++ b/roles/redis_server/meta/main.yml 
@@ -1,4 +1,4 @@ --- dependencies: - - role: repo_redis + - role: remi diff --git a/roles/repo_asterisk/tasks/main.yml b/roles/repo_asterisk/tasks/main.yml index 2323dd9..2a3c117 100644 --- a/roles/repo_asterisk/tasks/main.yml +++ b/roles/repo_asterisk/tasks/main.yml @@ -20,3 +20,18 @@ gpgkey: https://ast.tucny.com/repo/RPM-GPG-KEY-dtucny tags: repo + # asterisk core sounds aren't available yet for el8, so also configure el7 repo + # on el8 for now +- name: Configure Tucny common repo for Asterisk el7 + yum_repository: + file: asterisk + name: asterisk-common-el7 + description: Asterisk Asterisk Common Requirement Packages @ tucny.com + baseurl: https://ast.tucny.com/repo/asterisk-common/el7/$basearch/ + includepkgs: + - asterisk-sounds-core* + - asterisk-moh-opsound* + gpgcheck: 1 + gpgkey: https://ast.tucny.com/repo/RPM-GPG-KEY-dtucny + state: "{{ ansible_distribution_major_version is version('8', '==') | ternary('present','absent') }}" + tags: repo diff --git a/roles/repo_base/tasks/main.yml b/roles/repo_base/tasks/main.yml index b7a0162..d374752 100644 --- a/roles/repo_base/tasks/main.yml +++ b/roles/repo_base/tasks/main.yml @@ -36,4 +36,14 @@ state: "{{ repo_postgres | ternary('present','absent') }}" includepkgs: postgresql13 postgresql13-libs tags: repo + +- name: Remove obsolete repo + file: path=/etc/yum.repos.d/{{ item }}.repo state=absent + loop: + - nux-dextop + - seadrive + - remi-safe + - redis + - fws-extra-nginx + tags: repo ... diff --git a/roles/repo_elasticsearch/tasks/main.yml b/roles/repo_elasticsearch/tasks/main.yml index c8b679f..8340a5a 100644 --- a/roles/repo_elasticsearch/tasks/main.yml +++ b/roles/repo_elasticsearch/tasks/main.yml @@ -1,3 +1,3 @@ --- -- include_tasks: install_{{ ansible_os_family }}.yml +- include: install_{{ ansible_os_family }}.yml diff --git a/roles/repo_lemonldap_ng/tasks/main.yml b/roles/repo_lemonldap_ng/tasks/main.yml index 87123f6..a64f432 100644 --- a/roles/repo_lemonldap_ng/tasks/main.yml 
+++ b/roles/repo_lemonldap_ng/tasks/main.yml @@ -8,10 +8,11 @@ baseurl: "{{ item.url }}" gpgcheck: 1 gpgkey: https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 - with_items: + loop: - repo: lemonldap-ng url: https://lemonldap-ng.org/redhat/stable/$releasever/noarch desc: Lemonldap::NG - repo: lemonldap-ng-extras url: https://lemonldap-ng.org/redhat/extras/$releasever desc: Lemonldap::NG Extras packages + tags: repo diff --git a/roles/repo_rabbitmq/tasks/main.yml b/roles/repo_rabbitmq/tasks/main.yml new file mode 100644 index 0000000..f9e5507 --- /dev/null +++ b/roles/repo_rabbitmq/tasks/main.yml 
@@ -0,0 +1,49 @@ +--- + +- name: Copy Messenging SIG GPG Key + copy: + content: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v2.0.22 (GNU/Linux) + + mQENBF3jBZQBCAC3mGl8pmWoOuUzh8rJAbaqiOXEZ8wa904VN2bTDgxydtwL16cy + ad54OaW+jyD0+api5b5pKmmu+7qLT3vfndITQaF8lE1w+1qSFFJpbxOSsqU7rVx5 + +KpqfmfBJ9/jTIQsCcIdcx8Ajachgjifj1bM48quYE5pQp4YTu+I/HhwjacO9CEt + yIcX48wph2CbvY/xPX8E+8kdrc4/gd3F9c5Nmvj5Xa22QsXpCzrJSO5Vm8NIGycU + O4NhE4ctQLa5MqydvyAyORA4IYrzsK1Ioa8MJeeKvUQ46NWR+N2AsTQPbnULAiJM + ef3giEt56YpPx3JMe7G4XfAgsnYQphhFdV5VABEBAAG0Y0NlbnRPUyBNZXNzYWdp + bmcgU0lHIChodHRwczovL3dpa2kuY2VudG9zLm9yZy9TcGVjaWFsSW50ZXJlc3RH + cm91cC9NZXNzYWdpbmcpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUC + XeMFlAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEIMBTrvhbg0SwosH + /0sOHzZb0yLtcUfpOa+CUQv3BTvlg73lgw3/W1hQkjmrCi5YC4KQ80ZWluv7lxF3 + xSMR9QVKA05pjwVS+I7D2g18SXwvQn35WaezT5G9kf6feQCY0njenM6qtI5p5c40 + AkgrCWLFLxUUdPYvy8FEj5HlrAABZz9x1Tw8HMJlE6H7tx/4F825/jAosY0rWDhV + ue2dPT8wgZFWHpKDuatDGG8P2spIOKW5BEP9hguEo2oOhjLTpTU/He3uc2srCyWd + nxH0zQQlo4TpOcQBuvUhr4BU3ODA0Fx8Wd1PJj2lgekFnZgS4QK3iVKyVkYPDULq + YIOEUgsWlki4uUyPUAJoS025AQ0EXeMFlAEIANFN5aHtItH/5c0hxBNv8S4yDnEm + NwHKzWQBPJv69zjcokjYyAImRs6EqbEKL2hWA+9AbrLOC+s1Fya3U0EJIZmVKsuj + 8GFaFBB7l26t596re8aWMWf+sbHGgBPHxi+Z/3LAkBGViI5r1WZO1h3b/v9j3QOA + A8WIVAcqGzwbBQDCV4zVZuePoNouYhMLvjai3Y3Ydd8vnZyGT02Zk4zYgBOw7cnh + 0yveyYxJ+11x53UJXFmGI/vbslqmnWawp0eqT5T/TH45KNXHglvGqPct+6FdQ9N/ + sIFjjYDXxuFNr3jCleXdP3SSi+Fvx7OrIVGmXNa0b02DWjci0wouXR0kGn0AEQEA + AYkBHwQYAQIACQUCXeMFlAIbDAAKCRCDAU674W4NEpkjB/97bQndwOuzaqwPRlwe + on2iy7jqbleOBwzkvjbIMZuxlYG9AjuqsEo/Y6cxpvePlVSEaaiN1oCAP6bOZpLa + pG3TOnJSKDMYMlgg1OsZjLS9Q8QPVxJrcBIqGSqa/Xdjap4WiPNDCpNBzsRMm74s + ZA0xRFu1GZuNbI8+TKXfR7dFMHzKuC//UV+VPbsG0JBEbCQF4YQU3t+9SwYGi3RL + KrfAh9X+OykyaUPtkshW4yS7RCA0MihfCVlxMq4ogEA/4I7/LWHyI7hTZ24lDOs1 + Yd+k4Gl4Nd58iBKL2J8KHanZFUEWqlBAAdcnxjSqsaWmCUe2ABUZ0szErNn1wR1V + ix+K + =zKEu + -----END PGP PUBLIC KEY BLOCK----- + dest: 
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging + tags: repo,rabbitmq + +- name: Configure rabbitmq repository + yum_repository: + name: rabbitmq + description: CentOS-8 - RabbitMQ 38 + baseurl: http://mirror.centos.org/centos/$releasever/messaging/$basearch/rabbitmq-38 + gpgcheck: True + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging + tags: repo,rabbitmq + diff --git a/roles/seadrive/meta/main.yml b/roles/seadrive/meta/main.yml index 5f6bf40..ed97d53 100644 --- a/roles/seadrive/meta/main.yml +++ b/roles/seadrive/meta/main.yml @@ -1,3 +1 @@ --- -dependencies: - - role: repo_seadrive diff --git a/roles/seadrive/tasks/main.yml b/roles/seadrive/tasks/main.yml index b9a687f..0baebf7 100644 --- a/roles/seadrive/tasks/main.yml +++ b/roles/seadrive/tasks/main.yml @@ -3,7 +3,7 @@ - name: Install packages yum: name: - - seadrive + - seadrive-daemon - fuse tags: seadrive diff --git a/roles/seafile/meta/main.yml b/roles/seafile/meta/main.yml index a964bea..0624619 100644 --- a/roles/seafile/meta/main.yml +++ b/roles/seafile/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - role: repo_nux_dextop + - role: repo_rpmfusion - role: memcached_server when: seafile_memcached_server is search('^(127\.0\.0\.1|localhost)') - role: clamav diff --git a/roles/seafile/tasks/facts.yml b/roles/seafile/tasks/facts.yml index 40ab1fd..934d7e7 100644 --- a/roles/seafile/tasks/facts.yml +++ b/roles/seafile/tasks/facts.yml @@ -1,5 +1,12 @@ --- +- include_vars: "{{ item }}" + with_first_found: + - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_distribution }}.yml + - vars/{{ ansible_os_family }}.yml + tags: seafile + - name: Set default install mode set_fact: seafile_install_mode='none' tags: seafile diff --git a/roles/seafile/tasks/install.yml b/roles/seafile/tasks/install.yml index 3e7af39..0aed2ce 100644 --- a/roles/seafile/tasks/install.yml +++ b/roles/seafile/tasks/install.yml 
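Review bot: `baseurl: http://mirror.centos.org/centos/$releasever/messaging/$basearch/rabbitmq-38` fetches the repository over plain HTTP; `gpgcheck: True` verifies package signatures against the embedded key, but the repodata itself is not checked, so anything on the path can serve stale metadata and hold the host on an old RabbitMQ build. Use an https baseurl if the mirror offers one, and set `repo_gpgcheck: true` if the SIG signs its repomd.xml (confirm — not every CentOS repo does); also write `gpgcheck: true` rather than the YAML 1.1 `True`. Embedding the key via `copy: content:` is fine, but a short comment above it stating where the key was obtained and its fingerprint would let the next person re-verify it.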
@@ -1,26 +1,7 @@ --- - name: Install RPM dependencies - yum: - name: - - python3 - - python3-setuptools - - python3-pip - - python3-virtualenv - - MySQL-python - - ffmpeg - - ffmpeg-devel - - libmemcached-devel - - mysql-devel - - zlib-devel - - gcc - - tar - - mariadb - - fuse - - java-1.8.0-openjdk # For seafile-pro - - poppler-utils # For seafile-pro - - unoconv # For seafile-pro - - python-setuptools # needed for ansible to create the venv + yum: name={{ seafile_packages }} tags: seafile - name: Check if py2 venv is setup @@ -165,7 +146,7 @@ tags: seafile - name: Generate a secret for seahub - shell: python2.7 {{ seafile_root_dir }}/seafile-server/seahub/tools/secret_key_generator.py > {{ seafile_root_dir }}/meta/ansible_hub_secret + shell: "{{ seafile_root_dir }}/bin/python {{ seafile_root_dir }}/seafile-server/seahub/tools/secret_key_generator.py > {{ seafile_root_dir }}/meta/ansible_hub_secret" args: creates: "{{ seafile_root_dir }}/meta/ansible_hub_secret" when: seafile_seahub_secret is not defined diff --git a/roles/seafile/templates/seafile.service.j2 b/roles/seafile/templates/seafile.service.j2 index e0d39fb..0573dd5 100644 --- a/roles/seafile/templates/seafile.service.j2 +++ b/roles/seafile/templates/seafile.service.j2 @@ -5,8 +5,10 @@ After=network.target mariadb.service [Service] Type=forking Environment=PATH={{ seafile_root_dir }}/bin:/bin:/usr/bin +Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.6/site-packages/ +Environment=PYTHON={{ seafile_root_dir }}/bin/python ExecStart={{ seafile_root_dir }}/seafile-server/seafile.sh start -ExecStop={{ seafile_root_dir }}/seafile-server-latest/seafile.sh stop +ExecStop={{ seafile_root_dir }}/seafile-server/seafile.sh stop User={{ seafile_user }} Group={{ seafile_group }} PrivateDevices=yes diff --git a/roles/seafile/vars/CentOS-7.yml b/roles/seafile/vars/CentOS-7.yml new file mode 100644 index 0000000..7e62f44 --- /dev/null +++ b/roles/seafile/vars/CentOS-7.yml 
@@ -0,0 +1,21 @@
+---
+
+seafile_packages:
+ - python3
+ - python3-setuptools
+ - python3-pip
+ - python3-virtualenv
+ - MySQL-python
+ - ffmpeg
+ - ffmpeg-devel
+ - libmemcached-devel
+ - mysql-devel
+ - zlib-devel
+ - gcc
+ - tar
+ - mariadb
+ - fuse
+ - java-1.8.0-openjdk # For seafile-pro
+ - poppler-utils # For seafile-pro
+ - unoconv # For seafile-pro
+ - python-setuptools # needed for ansible to create the venv
diff --git a/roles/seafile/vars/CentOS-8.yml b/roles/seafile/vars/CentOS-8.yml
new file mode 100644
index 0000000..6be4c04
--- /dev/null
+++ b/roles/seafile/vars/CentOS-8.yml
@@ -0,0 +1,21 @@
+---
+
+seafile_packages:
+ - python3
+ - python3-setuptools
+ - python3-pip
+ - python3-virtualenv
+ - python3-mysql
+ - ffmpeg
+ - ffmpeg-devel
+ - libmemcached-devel
+ - mysql-devel
+ - zlib-devel
+ - gcc
+ - tar
+ - mariadb
+ - fuse
+ - java-1.8.0-openjdk # For seafile-pro
+ - poppler-utils # For seafile-pro
+ - unoconv # For seafile-pro
+ - python3-setuptools # needed for ansible to create the venv
diff --git a/roles/transmission_daemon/tasks/main.yml b/roles/transmission_daemon/tasks/main.yml
index 427c739..706e427 100644
--- a/roles/transmission_daemon/tasks/main.yml
+++ b/roles/transmission_daemon/tasks/main.yml
@@ -2,9 +2,11 @@
- name: Install transmission daemon
yum: name=transmission-daemon state=present
+ tags: torrent
- name: Create user
user: name={{ transmission_user }} comment="Transmission Daemon" system=yes shell=/sbin/nologin
+ tags: torrent
- name: Create directories
file: path={{ transmission_data_dir }}/{{ item }} state=directory owner={{ transmission_user }}
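Review bot: In the new CentOS-8.yml, `python3-setuptools` is listed twice in `seafile_packages` — once as the second entry and again as the last one carrying the comment `# needed for ansible to create the venv`. yum tolerates the duplicate, but the list should name it once; drop the trailing entry and move its comment up to the first occurrence. The two vars files otherwise differ only in the MySQL binding and that last entry, so a header comment like `# Package list for CentOS 8; keep in sync with CentOS-7.yml` would help the next person who edits one and forgets the other.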
@@ -12,15 +14,18 @@
- finished
- incomplete
- watch
+ tags: torrent
- name: Deploy default config
template: src=sysconfig.j2 dest=/etc/sysconfig/transmission
notify: restart transmission
+ tags: torrent
- name: Override default systemd unit
template: src=transmission-daemon.service.j2 dest=/etc/systemd/system/transmission-daemon.service
register: transmission_unit
notify: restart transmission
+ tags: torrent
- name: Handle transmission port
iptables_raw:
@@ -30,6 +35,7 @@
-A INPUT -m state --state NEW -p tcp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT
when: iptables_manage | default(True)
+ tags: torrent,firewall
- name: Handle transmission RPC port
iptables_raw:
@@ -37,10 +43,13 @@
state={{ (transmission_rpc_src_ip | length > 0) | ternary('present','absent') }}
rules="-A INPUT -m state --state NEW -p tcp --dport {{ transmission_rpc_port }} -s {{ transmission_rpc_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
+ tags: torrent,firewall
- name: Reload systemd
command: systemctl daemon-reload
when: transmission_unit.changed
+ tags: torrent
- name: Start and enable the service
service: name=transmission-daemon state=started enabled=yes
+ tags: torrent
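Review bot: Every task in transmission_daemon/tasks/main.yml now repeats `tags: torrent` (this applies to all three hunks here and to the first hunk of the file on the previous line), which is easy to forget on the next task added. Wrapping the task list in one `block:` that carries `tags: torrent`, and keeping only `tags: firewall` on the two `iptables_raw` tasks, expresses the same tagging once — block tags are inherited by the tasks inside, so the firewall tasks still end up with both tags. If the role is only ever pulled in from a playbook, tagging it at the `roles:` or `include_role` entry achieves the same without touching the task file at all.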
