Update to 2020-11-15 20:00

master
Daniel Berteaud 4 years ago
parent 9d87bc8a46
commit 0deae1a5cb
  1. 4
      roles/bitwarden_rs/tasks/install.yml
  2. 1
      roles/common/defaults/main.yml
  3. 2
      roles/common/vars/CentOS-8.yml
  4. 38
      roles/coturn/defaults/main.yml
  5. 3
      roles/coturn/files/dehydrated_deploy_hook
  6. 4
      roles/coturn/handlers/main.yml
  7. 4
      roles/coturn/meta/main.yml
  8. 73
      roles/coturn/tasks/main.yml
  9. 40
      roles/coturn/templates/coturn.conf.j2
  10. 2
      roles/freepbx/defaults/main.yml
  11. 59
      roles/freepbx/tasks/main.yml
  12. 1
      roles/freepbx/templates/logrotate.conf.j2
  13. 32
      roles/freepbx/vars/CentOS-7.yml
  14. 31
      roles/freepbx/vars/CentOS-8.yml
  15. 17
      roles/httpd_php/tasks/main.yml
  16. 1
      roles/jitsi/tasks/install.yml
  17. 2
      roles/nfs_server/handlers/main.yml
  18. 3
      roles/nfs_server/tasks/main.yml
  19. 7
      roles/nginx/tasks/conf.yml
  20. 13
      roles/nginx/tasks/install_nginx.yml
  21. 4
      roles/nginx/tasks/service.yml
  22. 18
      roles/onlyoffice_document_server/files/onlyoffice_docserver.te
  23. 2
      roles/onlyoffice_document_server/meta/main.yml
  24. 13
      roles/onlyoffice_document_server/tasks/conf.yml
  25. 5
      roles/onlyoffice_document_server/tasks/directories.yml
  26. 17
      roles/onlyoffice_document_server/tasks/facts.yml
  27. 74
      roles/onlyoffice_document_server/tasks/install.yml
  28. 134
      roles/onlyoffice_document_server/tasks/main.yml
  29. 16
      roles/onlyoffice_document_server/tasks/selinux.yml
  30. 11
      roles/onlyoffice_document_server/tasks/services.yml
  31. 10
      roles/onlyoffice_document_server/tasks/user.yml
  32. 7
      roles/rabbitmq_server/meta/main.yml
  33. 2
      roles/redis_server/meta/main.yml
  34. 15
      roles/repo_asterisk/tasks/main.yml
  35. 10
      roles/repo_base/tasks/main.yml
  36. 2
      roles/repo_elasticsearch/tasks/main.yml
  37. 3
      roles/repo_lemonldap_ng/tasks/main.yml
  38. 49
      roles/repo_rabbitmq/tasks/main.yml
  39. 2
      roles/seadrive/meta/main.yml
  40. 2
      roles/seadrive/tasks/main.yml
  41. 2
      roles/seafile/meta/main.yml
  42. 7
      roles/seafile/tasks/facts.yml
  43. 23
      roles/seafile/tasks/install.yml
  44. 4
      roles/seafile/templates/seafile.service.j2
  45. 21
      roles/seafile/vars/CentOS-7.yml
  46. 21
      roles/seafile/vars/CentOS-8.yml
  47. 9
      roles/transmission_daemon/tasks/main.yml

@ -13,12 +13,14 @@
when: when:
- bitwarden_db_engine == 'mysql' - bitwarden_db_engine == 'mysql'
- mysql_mariadb_version is not defined or mysql_mariadb_version == 'default' - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8','<')
tags: bitwarden tags: bitwarden
- name: Install MariaDB devel package - name: Install MariaDB devel package
yum: yum:
name: name:
- MariaDB-devel - mariadb-devel
when: bitwarden_db_engine == 'mysql' when: bitwarden_db_engine == 'mysql'
tags: bitwarden tags: bitwarden
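Review bot: The devel package is renamed to lower-case `mariadb-devel` for every host, but the repo task just above it (cut off at the top of this hunk) is now restricted to EL < 8, which suggests EL7 hosts keep using the MariaDB.org repo where the package is still called `MariaDB-devel`; if so, this breaks the EL7 path while fixing EL8. The name is OS-dependent, so move it to a variable set per distribution (the pattern the commit introduces for `fpbx_packages` and `seafile_packages`), e.g. `- "{{ bitwarden_mariadb_devel_pkg }}"`, with a comment saying why the two spellings exist. The `when:` of the first task continues outside the hunk, so I can't confirm what else gates the repo.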

@ -33,6 +33,7 @@ system_utils:
- nano - nano
- tree - tree
- mc - mc
- tar
# Kernel modules to load # Kernel modules to load
system_kmods: [] system_kmods: []

@ -7,7 +7,7 @@ system_distro_utils:
- lz4 - lz4
- yum-utils - yum-utils
- fuse-sshfs - fuse-sshfs
- python3-policycoreutils - policycoreutils-python-utils
- python3-mysql - python3-mysql
- python3-psycopg2 - python3-psycopg2
- zstd - zstd

@ -0,0 +1,38 @@
---
# Set turn realm. Default to the domain name if unset
# turn_realm: turn.example.com
# The static, shared auth secret. If not set, will use long term auth.
# See turn_lt_users
# turn_auth_secret:
# Long term users
turn_lt_users: []
# - name: asterisk
# pass: S3cr3t.
turn_listen_ip:
- 0.0.0.0
# If defined, restrict who can access the service
turn_src_ip:
- 0.0.0.0/0
turn_port: 3478
turn_alt_port: 3479
turn_tls_port: 5349
turn_alt_tls_port: 5350
# Allow non TLS relay
turn_allow_non_tls: True
# Turn on TLS listener. If true, certificate must be present
turn_tls: False
# turn_tls_cert:
# turn_tls_key:
# If behind a NAT, you must set the public IP
# turn_external_ip: 12.13.14.15
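Review bot: The shipped defaults expose the relay to the whole internet (`turn_src_ip: 0.0.0.0/0`, `turn_allow_non_tls: True`, `turn_tls: False`) and the credential variables are documented without saying where secrets belong. Relay access is still gated by `lt-cred-mech`/`use-auth-secret` in the template, so this is a documentation point rather than a hole, but I would add above `turn_lt_users`: `# pass and turn_auth_secret are the only thing gating relay use: keep them in ansible-vault`. The booleans should also be `true`/`false` rather than `True`/`False`, matching yamllint's `truthy` rule and the rest of the roles' newer files.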

@ -0,0 +1,3 @@
#!/bin/sh
/bin/systemctl restart coturn

@ -0,0 +1,4 @@
---
- name: restart coturn
service: name=coturn state=restarted enabled=yes

@ -0,0 +1,4 @@
---
dependencies:
- role: mkdir

@ -0,0 +1,73 @@
---
- name: Install Coturn
yum: name=coturn state=present
register: turn_installed
tags: turn
- name: Create tmpfiles
command: systemd-tmpfiles --create
when: turn_installed.changed
tags: turn
- name: Deploy main configuration
template: src=coturn.conf.j2 dest=/etc/coturn/coturn.conf group=coturn mode=640
notify: restart coturn
tags: turn
- name: Deploy dehydrated hook
copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/20coturn.sh mode=755
tags: turn
- name: Remove turnserver rules
iptables_raw:
name: turnserver_ports
state: absent
when: iptables_manage | default(True)
tags: turn,firewall
- name: Handle coturn ports
iptables_raw:
name: coturn_ports
state: "{{ (turn_src_ip | length > 0) | ternary('present','absent') }}"
rules: |
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_port,turn_alt_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp -m multiport --dports {{ [turn_tls_port,turn_alt_tls_port] | join(',') }} -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p tcp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp --dport 49152:65535 -s {{ turn_src_ip | join(',') }} -j ACCEPT
when: iptables_manage | default(True)
tags: turn,firewall
- name: Start and enable the service
service: name=coturn state=started enabled=True
tags: turn
- name: Add long term users
command: turnadmin --add --user={{ item.name }} --password={{ item.pass | quote }} --realm={{ turn_realm | default(ansible_domain) }}
loop: "{{ turn_lt_users }}"
tags: turn
- name: Remove users with unknown realm
shell: |
for U in $(turnadmin --list | grep -v '\[{{ turn_realm | default(ansible_domain) }}\]'); do
user=$(echo $U | cut -d'[' -f1)
realm=$(echo $U | perl -pe 's/.*\[(.*)\]/$1/')
turnadmin --delete --user=$user --realm=$realm
done
changed_when: False
tags: turn
- name: List long term users
shell: turnadmin --list | grep -vP '^0:\s+(log file opened|SQLite connection)' | cut -d'[' -f1
register: turn_lt_existing_users
changed_when: False
tags: turn
- name: Remove unmanaged long term users
command: turnadmin --delete --user={{ item }} --realm={{ turn_realm | default(ansible_domain) }}
when: item not in turn_lt_users | map(attribute='name') | list
loop: "{{ turn_lt_existing_users.stdout_lines }}"
tags: turn
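Review bot: `Add long term users` passes every password on the `turnadmin` command line with no `no_log`, so the cleartext ends up in the task output, in `log_path`/callback logs and, while the command runs, in the process list visible to every local user. Add `no_log: true` to that task (with `loop_control: label: "{{ item.name }}"` if readable output is wanted) and quote the user the same way as the password: `--user={{ item.name | quote }}`. `Remove users with unknown realm` does not strip the `0: log file opened`/`SQLite connection` lines that the later `List long term users` task filters out, and `for U in $(...)` word-splits them, so it appears to run `turnadmin --delete --user=0: ...` on every play; reuse the same `grep -vP` there and start the script with `set -e` so a failing `turnadmin` does not get hidden by `changed_when: False`.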

@ -0,0 +1,40 @@
pidfile="/var/run/coturn/coturn.pid"
verbose
fingerprint
{% if turn_auth_secret is defined %}
use-auth-secret
static-auth-secret {{ turn_auth_secret }}
{% else %}
lt-cred-mech
{% endif %}
no-sslv2
no-sslv3
no-loopback-peers
no-multicast-peers
realm {{ turn_realm | default(ansible_domain) }}
proc-user turnserver
proc-group turnserver
syslog
{% for ip in turn_listen_ip %}
listening-ip {{ ip }}
{% endfor %}
{% if not turn_allow_non_tls %}
no-tcp
no-udp
{% endif %}
listening-port {{ turn_port }}
alt-listening-port {{ turn_alt_port }}
{% if turn_tls %}
tls-listening-port {{ turn_tls_port }}
alt-tls-listening-port {{ turn_alt_tls_port }}
cert {{ turn_tls_cert }}
pkey {{ turn_tls_key }}
{% endif %}
{% if turn_external_ip is defined %}
external-ip {{ turn_external_ip }}
{% endif %}
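Review bot: The template blocks loopback and multicast peers but not RFC1918/link-local ranges, so any client holding valid TURN credentials can ask the relay to reach hosts on the server's private networks — the classic way a TURN server gets used as a pivot; add `denied-peer-ip` entries for those ranges unless relaying into them is intended. `no-sslv2`/`no-sslv3` are likely no-ops on a modern OpenSSL, while TLS 1.0/1.1 stay enabled; `no-tlsv1` and `no-tlsv1_1` close that. Separately, `proc-user turnserver` does not match the `coturn` group the config task assigns or the `coturn` service name — if the EPEL package creates a `coturn` account rather than `turnserver`, the daemon will not find this user, so please verify. The lines below use the file's space-separated option style.
```jinja
no-sslv3
no-tlsv1
no-tlsv1_1
{# … unchanged: no-loopback-peers, no-multicast-peers … #}
{# private and link-local ranges: a credentialed client must not relay into them #}
denied-peer-ip 10.0.0.0-10.255.255.255
denied-peer-ip 172.16.0.0-172.31.255.255
denied-peer-ip 192.168.0.0-192.168.255.255
denied-peer-ip 169.254.0.0-169.254.255.255
{# … unchanged: realm, proc-user/proc-group, listeners, external-ip … #}
```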

@ -1,7 +1,7 @@
--- ---
fpbx_version: 15.0 fpbx_version: 15.0
fpbx_archive_sha1: f9c076d5afbe787cb2a7068f02c96b4bc413f61e fpbx_archive_sha1: 42aae0f245a5d6297f8f2154281f28436663ee33
fpbx_archive_url: https://mirror.freepbx.org/modules/packages/freepbx/freepbx-{{ fpbx_version }}-latest.tgz fpbx_archive_url: https://mirror.freepbx.org/modules/packages/freepbx/freepbx-{{ fpbx_version }}-latest.tgz
fpbx_root_dir: /opt/freepbx fpbx_root_dir: /opt/freepbx
fpbx_manage_upgrade: True fpbx_manage_upgrade: True

@ -1,39 +1,15 @@
--- ---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
- vars/defaults.yml
tags: fpbx
- name: Install Asterisk and its dependencies - name: Install Asterisk and its dependencies
yum: yum: name={{ fpbx_packages }}
name:
- asterisk
- asterisk-voicemail
- asterisk-pjsip
- asterisk-sip
- asterisk-mysql
- asterisk-ael
- asterisk-iax2
- asterisk-dahdi
- asterisk-fax
- asterisk-ldap
- asterisk-misdn
- asterisk-mp3
- asterisk-odbc
- mysql-connector-odbc
- mpg123
- lame
- opus
- nmap
- nodejs
#- kmod-dahdi-linux
#- dahdi-tools
#- dahdi-linux
- tar
- mariadb
- MySQL-python
- acl
- gcc-c++ # needed for ucp
- icu
- libicu-devel
- patch
- vsftpd
tags: fpbx tags: fpbx
- name: Build a list of music on hold format to install - name: Build a list of music on hold format to install
@ -75,15 +51,14 @@
- import_tasks: ../includes/disable_selinux.yml - import_tasks: ../includes/disable_selinux.yml
tags: fpbx tags: fpbx
- import_tasks: ../includes/webapps_set_install_mode.yml - block:
vars: - import_tasks: ../includes/webapps_set_install_mode.yml
- root_dir: "{{ fpbx_root_dir }}" vars:
- version: "{{ fpbx_version }}" - root_dir: "{{ fpbx_root_dir }}"
- manage_upgrade: False - version: "{{ fpbx_version }}"
tags: fpbx - manage_upgrade: False
- set_fact: fpbx_install_mode={{ (install_mode == 'install') | ternary('install','none') }} - set_fact: fpbx_install_mode={{ (install_mode == 'install') | ternary('install','none') }}
tags: fpbx - set_fact: fpbx_current_version={{ current_version | default('') }}
- set_fact: fpbx_current_version={{ current_version | default('') }}
tags: fpbx tags: fpbx
- name: Create directories - name: Create directories

@ -2,6 +2,7 @@
/var/log/asterisk/event_log /var/log/asterisk/event_log
/var/log/asterisk/queue_log /var/log/asterisk/queue_log
/var/log/asterisk/full /var/log/asterisk/full
/var/log/asterisk/security
/var/log/asterisk/freepbx.log /var/log/asterisk/freepbx.log
/var/log/asterisk/freepbx_security.log /var/log/asterisk/freepbx_security.log
/var/log/asterisk/ucp_err.log /var/log/asterisk/ucp_err.log

@ -0,0 +1,32 @@
---
fpbx_packages:
- asterisk
- asterisk-voicemail
- asterisk-pjsip
- asterisk-sip
- asterisk-mysql
- asterisk-ael
- asterisk-iax2
- asterisk-dahdi
- asterisk-fax
- asterisk-ldap
- asterisk-misdn
- asterisk-mp3
- asterisk-odbc
- mysql-connector-odbc
- mpg123
- lame
- opus
- nmap
- nodejs
- tar
- mariadb
- MySQL-python
- acl
- gcc-c++ # needed for ucp
- icu
- libicu-devel
- patch
- vsftpd

@ -0,0 +1,31 @@
---
fpbx_packages:
- asterisk
- asterisk-voicemail
- asterisk-pjsip
- asterisk-sip
- asterisk-mysql
- asterisk-ael
- asterisk-iax2
- asterisk-dahdi
- asterisk-fax
- asterisk-ldap
- asterisk-mp3
- asterisk-odbc
- mariadb-connector-odbc
- mpg123
# - lame
- opus
- nmap
- nodejs
- tar
- mariadb
- python3-mysql
- acl
- gcc-c++ # needed for ucp
- icu
- libicu-devel
- patch
- vsftpd
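Review bot: The new per-OS list installs `nmap`, `gcc-c++` and `vsftpd` on the PBX host next to Asterisk; the first two are build/diagnostic tools and the last is a network service, and only `gcc-c++` carries a comment saying why it is needed. If vsftpd is there for phone provisioning, say so (`# vsftpd: phone provisioning over FTP, service managed elsewhere`) and make sure the role does not leave it enabled by default; otherwise consider dropping it and `nmap` to keep the attack surface of an internet-facing SIP box small. The list is carried over from the previous inline form, so this is pre-existing, but the split into vars files is the moment to document it.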

@ -10,14 +10,25 @@
- name: Install PHP packages - name: Install PHP packages
yum: name={{ httpd_php_packages }} yum: name={{ httpd_php_packages }}
notify: notify: restart php-fpm
- systemd-tmpfiles register: httpd_php_installed
- restart php-fpm tags: web
- name: Install scl utils
yum:
name:
- scl-utils
tags: web tags: web
- name: Create tmpfiles.d fragment - name: Create tmpfiles.d fragment
copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf
notify: systemd-tmpfiles notify: systemd-tmpfiles
register: httpd_php_tmpfiles
tags: web
- name: Create tmpfiles
command: systemd-tmpfiles --create
when: httpd_php_installed.changed or httpd_php_tmpfiles.changed
tags: web tags: web
- name: Disable default FPM pools - name: Disable default FPM pools

@ -9,6 +9,7 @@
- nodejs # needed to build meet - nodejs # needed to build meet
- libXScrnSaver # needed for jigasi - libXScrnSaver # needed for jigasi
- python3 # needed for confmapper - python3 # needed for confmapper
- make
tags: jitsi tags: jitsi
# If you use an Let's Encrypt cert, it might not be there yet. In this case, create a link # If you use an Let's Encrypt cert, it might not be there yet. In this case, create a link

@ -1,4 +1,4 @@
--- ---
- name: reload nfs - name: reload nfs
service: name=nfs state=reloaded service: name=nfs-server state=reloaded

@ -24,4 +24,5 @@
- name: Start and enable services - name: Start and enable services
service: name={{ item }} state=started enabled=True service: name={{ item }} state=started enabled=True
with_items: with_items:
- nfs - nfs-server
tags: nfs

@ -57,3 +57,10 @@
- name: Configure log rotation - name: Configure log rotation
template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx
tags: web tags: web
- name: Ensure log files has correct permission
file: path=/var/log/nginx/{{ item }} owner=nginx group=nginx state=touch
loop:
- error.log
- access.log
tags: web
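Review bot: `state=touch` on `error.log`/`access.log` reports a change on every run and leaves the existing permission bits as they are, so a log file that was created world-readable stays that way while the task's name says it fixes permissions. Add `mode=0640` (access logs carry client IPs and query strings) and the preserve flags so the task is idempotent: `file: path=/var/log/nginx/{{ item }} owner=nginx group=nginx mode=0640 state=touch modification_time=preserve access_time=preserve`. Whether nginx reopens the files with the same ownership after rotation depends on the logrotate template, which is outside this hunk.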

@ -7,9 +7,22 @@
state: absent state: absent
tags: web tags: web
- name: Enable 1.16 module
shell: |
yum -y module reset nginx
yum -y module enable nginx:1.16
args:
warn: False
changed_when: False
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8', '>=')
tags: web
- name: Install nginx - name: Install nginx
yum: yum:
name: name:
- nginx - nginx
- nginx-all-modules
tags: web tags: web
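Review bot: `Enable 1.16 module` pins the AppStream stream to `nginx:1.16` and hides whatever it does (`changed_when: False`, `warn: False`), so neither a stream switch nor a failed reset shows in the play summary, and a hard-coded stream means security updates stop the day that stream is retired. Expose it as a variable (`nginx_module_stream: '1.16'`) and prefer the package module's module-spec syntax, `yum: name='@nginx:{{ nginx_module_stream }}'`, which is idempotent and reports changes (switching between streams still needs the reset, so keep that behind a `when` on the current stream). `nginx-all-modules` also installs every dynamic module, and the stock `nginx.conf` includes `/usr/share/nginx/modules/*.conf`; if the role keeps that include, all of them load into the workers — install only the modules the vhosts use.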

@ -20,10 +20,6 @@
Restart=on-failure Restart=on-failure
StartLimitInterval=0 StartLimitInterval=0
RestartSec=5 RestartSec=5
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
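Review bot: The sandboxing directives `PrivateDevices=yes`, `ProtectSystem=full`, `ProtectHome=yes` and `NoNewPrivileges=yes` appear only once in this hunk and the header shrinks the block from 10 to 6 lines, so they are dropped from the nginx unit with nothing replacing them, and the commit does not say why. If one of them broke a deployment (`ProtectHome=yes` blocks serving from `/home`, `ProtectSystem=full` makes `/usr`, `/boot` and `/etc` read-only), remove only that one and note the reason in a comment above the unit; `PrivateDevices=yes` and `NoNewPrivileges=yes` do not interfere with nginx's root master / `nginx` worker setup and should stay. The task that writes this unit starts outside the hunk.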

@ -0,0 +1,18 @@
module onlyoffice_docserver 1.0;
require {
type httpd_sys_content_t;
type amqp_port_t;
type mysqld_port_t;
type init_t;
class file { execute execute_no_trans getattr map open read };
class process execmem;
class tcp_socket name_connect;
}
#============= init_t ==============
allow init_t amqp_port_t:tcp_socket name_connect;
allow init_t mysqld_port_t:tcp_socket name_connect;
allow init_t httpd_sys_content_t:file map;
allow init_t httpd_sys_content_t:file { execute execute_no_trans getattr open read };
allow init_t self:process execmem;
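Review bot: Every rule here is granted to `init_t`, which is the domain of any service that has no policy of its own, not just of the documentserver processes, so `allow init_t self:process execmem` and the `name_connect` rules loosen SELinux for every such service on the host. A dedicated domain (a new type reached by a transition from `init_t` on the documentserver executables) would scope this to OnlyOffice; if that is more than you want here, at least say so in the file, e.g. replace the bare `#============= init_t ==============` banner with `# documentserver units have no own domain and run as init_t; these allows therefore apply to every init_t process on the host`. The `execute execute_no_trans` on `httpd_sys_content_t` also means content under the web root is executable by those processes — worth a comment on why that is needed.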

@ -6,3 +6,5 @@ dependencies:
- role: nginx - role: nginx
- role: redis_server - role: redis_server
- role: rabbitmq_server - role: rabbitmq_server
- role: mysql_server
when: oo_db_server in ['localhost','127.0.0.1']

@ -0,0 +1,13 @@
---
- name: Deploy configuration
template: src={{ item }}.j2 dest=/etc/onlyoffice/documentserver/{{ item }} owner=ds group=ds mode=440
loop:
- oods.json
notify: restart documentserver
tags: oo
- name: Deploy nginx configuration
template: src=nginx_vhost.conf.j2 dest=/etc/nginx/ansible_conf.d/32-oods.conf
notify: reload nginx
tags: oo

@ -0,0 +1,5 @@
---
- name: Create meta directory
file: path=/etc/onlyoffice/meta state=directory mode=700
tags: oo

@ -0,0 +1,17 @@
---
- set_fact:
oo_services:
- documentserver-converter
- documentserver-docservice
- documentserver-metrics
- documentserver-spellchecker
tags: oo
- when: oo_db_pass is not defined
block:
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: /etc/onlyoffice/meta/ansible_db_pass
- set_fact: oo_db_pass={{ rand_pass }}
tags: oo
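Review bot: `set_fact: oo_db_pass={{ rand_pass }}` carries the generated DB password in its task result with no `no_log`, so it is written to `log_path` and shown under `-v` every time the fact is set. Add `no_log: true` to that `set_fact` (and, if `get_rand_pass.yml` obtains the value through a registered `shell`/`slurp` task, there as well — that file is outside this hunk). A `when:` on a block that wraps `import_tasks` is fine since it is copied onto each imported task, but a one-line comment that the password is persisted in `/etc/onlyoffice/meta/ansible_db_pass` would help the next reader.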

@ -0,0 +1,74 @@
---
- name: Install packages
yum:
name:
- gcc-c++ # needed to rebuild modules for spellchecker
- nodejs
- onlyoffice-documentserver
tags: oo
- name: Fix permissions on onlyoffice web resources
file: path=/var/www/onlyoffice state=directory mode=755
tags: oo
- import_tasks: ../includes/webapps_create_mysql_db.yml
vars:
- db_name: "{{ oo_db_name }}"
- db_user: "{{ oo_db_user }}"
- db_server: "{{ oo_db_server }}"
- db_pass: "{{ oo_db_pass }}"
tags: oo
- name: Load MySQL schema
mysql_db:
name: "{{ oo_db_name }}"
state: import
target: /var/www/onlyoffice/documentserver/server/schema/mysql/createdb.sql
login_host: "{{ oo_db_server }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
when: db_created.changed
tags: oo
- name: Set permissions for default conf
file: path=/etc/onlyoffice/documentserver/{{ item }} mode=644
loop:
- default.json
- development-mac.json
- development-windows.json
- production-linux.json
- log4js/development.json
- log4js/production.json
tags: oo
- name: Fix permissions on data dir
command: chown -R ds:ds /var/lib/onlyoffice/documentserver/
args:
warn: False
changed_when: False
tags: oo
- name: Deploy systemd service units
template: src={{ item }}.service.j2 dest=/etc/systemd/system/{{ item }}.service
loop: "{{ oo_services }}"
register: oo_units
notify: restart documentserver
tags: oo
- name: Reload systemd
systemd: daemon_reload=True
when: oo_units.results | selectattr('changed','equalto',True) | list | length > 0
tags: oo
- name: Remove obsolete services
file: path=/etc/systemd/system/{{ item }}.service state=absent
loop:
- documentserver-gc
register: oo_obsolete_units
tags: oo
- name: Reload systemd
systemd: daemon_reload=True
when: oo_obsolete_units.changed
tags: oo
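Review bot: `chown -R ds:ds` through `command` runs on every play, never reports a change and bypasses Ansible's own ownership handling; `file: path=/var/lib/onlyoffice/documentserver owner=ds group=ds recurse=yes state=directory` does the same job idempotently and shows up in the summary when something was actually wrong. `Set permissions for default conf` makes `default.json` and friends `0644` while the role's own `oods.json` is deployed as `0440 ds:ds`; if any of the upstream files ship defaults such as a token secret they deserve the same treatment — I can't see their content here. `login_user: sqladmin` is hard-coded while the rest of the connection comes from `oo_db_*` and `mysql_admin_pass`; if the `mysql_server` role defines an admin-user variable, reference it so the two stay in sync.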

@ -1,129 +1,9 @@
--- ---
- set_fact: - include: user.yml
oo_services: - include: directories.yml
- documentserver-converter - include: facts.yml
- documentserver-docservice - include: install.yml
- documentserver-metrics - include: selinux.yml
- documentserver-spellchecker when: ansible_selinux.status == 'enabled'
tags: oo - include: services.yml
- name: Create a system user
user:
name: ds
comment: OnlyOffice Document Server
system: True
home: /var/www/onlyoffice
shell: /sbin/nologin
tags: oo
- name: Install packages
yum:
name:
- gcc-c++ # needed to rebuild modules for spellchecker
- nodejs
- onlyoffice-documentserver
tags: oo
- name: Create meta directory
file: path=/etc/onlyoffice/meta state=directory mode=700
tags: oo
- name: Fix permissions on onlyoffice web resources
file: path=/var/www/onlyoffice state=directory mode=755
tags: oo
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: /etc/onlyoffice/meta/ansible_db_pass
tags: oo
- set_fact: oo_db_pass={{ rand_pass }}
when: oo_db_pass is not defined
tags: oo
- import_tasks: ../includes/webapps_create_mysql_db.yml
vars:
- db_name: "{{ oo_db_name }}"
- db_user: "{{ oo_db_user }}"
- db_server: "{{ oo_db_server }}"
- db_pass: "{{ oo_db_pass }}"
tags: oo
- name: Load MySQL schema
mysql_db:
name: "{{ oo_db_name }}"
state: import
target: /var/www/onlyoffice/documentserver/server/schema/mysql/createdb.sql
login_host: "{{ oo_db_server }}"
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
when: db_created.changed
tags: oo
- name: Deploy configuration
template: src={{ item }}.j2 dest=/etc/onlyoffice/documentserver/{{ item }} owner=ds group=ds mode=440
loop:
- oods.json
notify: restart documentserver
tags: oo
- name: Set permissions for default conf
file: path=/etc/onlyoffice/documentserver/{{ item }} mode=644
loop:
- default.json
- development-mac.json
- development-windows.json
- production-linux.json
- log4js/development.json
- log4js/production.json
tags: oo
- name: Fix permissions on data dir
command: chown -R ds:ds /var/lib/onlyoffice/documentserver/
args:
warn: False
changed_when: False
tags: oo
- name: Deploy nginx configuration
template: src=nginx_vhost.conf.j2 dest=/etc/nginx/ansible_conf.d/32-oods.conf
notify: reload nginx
tags: oo
- name: Create /etc/system/system
file: path=/etc/systemd/system state=directory
tags: oo
- name: Deploy systemd service units
template: src={{ item }}.service.j2 dest=/etc/systemd/system/{{ item }}.service
loop: "{{ oo_services }}"
register: oo_units
notify: restart documentserver
tags: oo
- name: Reload systemd
systemd: daemon_reload=True
when: oo_units.results | selectattr('changed','equalto',True) | list | length > 0
tags: oo
- name: Stop and disable supervisord
systemd: name=supervisord state=stopped enabled=False masked=True
tags: oo
- name: Remove obsolete services
file: path=/etc/systemd/system/{{ item }}.service state=absent
loop:
- documentserver-gc
register: oo_obsolete_units
tags: oo
- name: Reload systemd
systemd: daemon_reload=True
when: oo_obsolete_units.changed
tags: oo
- name: Start and enable documentserver services
service: name={{ item }} state=started enabled=True
loop: "{{ oo_services }}"
tags: oo
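Review bot: The new top-level file uses `include:` (if I read the rendered sides correctly, the short list of includes is the new side), a construct deprecated since Ansible 2.4 and removed in ansible-core 2.16, so the role will stop parsing on a future upgrade. All six file names are static, so `import_tasks:` is a drop-in replacement: the `tags: oo` inside the files keep working and the condition on the selinux include is applied to each imported task, e.g. `- import_tasks: selinux.yml` followed by `  when: ansible_selinux.status == 'enabled'`. A header comment naming the order dependency (user before directories and install, facts before install) would also help, since nothing else expresses it.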

@ -0,0 +1,16 @@
---
- name: Copy SELinux policy
copy: src=onlyoffice_docserver.te dest=/etc/selinux/targeted/local/onlyoffice_docserver.te
register: oo_selinux_policy
tags: oo
- name: Compile SELinux policy
shell: |
cd /etc/selinux/targeted/local/
checkmodule -M -m -o onlyoffice_docserver.mod onlyoffice_docserver.te
semodule_package -o onlyoffice_docserver.pp -m onlyoffice_docserver.mod
semodule -i /etc/selinux/targeted/local/onlyoffice_docserver.pp
when: oo_selinux_policy.changed
tags: oo
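Review bot: The compile step is a three-command `shell` without `set -e`, so a failing `checkmodule` still lets the stale `.mod`/`.pp` from a previous run be packaged and installed, and the task reports success. Start the script with `set -e`, and note that the `when: oo_selinux_policy.changed` guard means a host where the module was removed, or rebuilt from an already-present `.te`, never gets it installed again — a second condition such as a registered `semodule -l | grep -q '^onlyoffice_docserver'` check covers that. Since the policy extends `init_t`, it is host-wide once loaded; a comment to that effect above `Copy SELinux policy` would help whoever reuses this role.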

@ -0,0 +1,11 @@
---
- name: Stop and disable supervisord
systemd: name=supervisord state=stopped enabled=False masked=True
tags: oo
- name: Start and enable documentserver services
service: name={{ item }} state=started enabled=True
loop: "{{ oo_services }}"
tags: oo

@ -0,0 +1,10 @@
---
- name: Create a system user
user:
name: ds
comment: OnlyOffice Document Server
system: True
home: /var/www/onlyoffice
shell: /sbin/nologin
tags: oo

@ -0,0 +1,7 @@
---
dependencies:
- role: repo_rabbitmq
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8','>=')

@ -1,4 +1,4 @@
--- ---
dependencies: dependencies:
- role: repo_redis - role: remi

@ -20,3 +20,18 @@
gpgkey: https://ast.tucny.com/repo/RPM-GPG-KEY-dtucny gpgkey: https://ast.tucny.com/repo/RPM-GPG-KEY-dtucny
tags: repo tags: repo
# asterisk core sounds aren't available yet for el8, so also configure el7 repo
# on el8 for now
- name: Configure Tucny common repo for Asterisk el7
yum_repository:
file: asterisk
name: asterisk-common-el7
description: Asterisk Asterisk Common Requirement Packages @ tucny.com
baseurl: https://ast.tucny.com/repo/asterisk-common/el7/$basearch/
includepkgs:
- asterisk-sounds-core*
- asterisk-moh-opsound*
gpgcheck: 1
gpgkey: https://ast.tucny.com/repo/RPM-GPG-KEY-dtucny
state: "{{ ansible_distribution_major_version is version('8', '==') | ternary('present','absent') }}"
tags: repo

@ -36,4 +36,14 @@
state: "{{ repo_postgres | ternary('present','absent') }}" state: "{{ repo_postgres | ternary('present','absent') }}"
includepkgs: postgresql13 postgresql13-libs includepkgs: postgresql13 postgresql13-libs
tags: repo tags: repo
- name: Remove obsolete repo
file: path=/etc/yum.repos.d/{{ item }}.repo state=absent
loop:
- nux-dextop
- seadrive
- remi-safe
- redis
- fws-extra-nginx
tags: repo
... ...

@ -1,3 +1,3 @@
--- ---
- include_tasks: install_{{ ansible_os_family }}.yml - include: install_{{ ansible_os_family }}.yml
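Review bot: The switch from `include_tasks` to `include` moves to a construct deprecated since Ansible 2.4 and removed in ansible-core 2.16, and because the file name depends on the `ansible_os_family` fact it cannot become a static `import_tasks` either. If the motivation was that tasks inside `install_RedHat.yml` were skipped under `--tags repo` (a dynamic include does not pass its tags down), the supported form is `- include_tasks: install_{{ ansible_os_family }}.yml` with `  apply: {tags: [repo]}` and `  tags: repo`. I am inferring the motivation; if it was something else, a comment on the include line would save the next reader the same guess.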

@ -8,10 +8,11 @@
baseurl: "{{ item.url }}" baseurl: "{{ item.url }}"
gpgcheck: 1 gpgcheck: 1
gpgkey: https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 gpgkey: https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
with_items: loop:
- repo: lemonldap-ng - repo: lemonldap-ng
url: https://lemonldap-ng.org/redhat/stable/$releasever/noarch url: https://lemonldap-ng.org/redhat/stable/$releasever/noarch
desc: Lemonldap::NG desc: Lemonldap::NG
- repo: lemonldap-ng-extras - repo: lemonldap-ng-extras
url: https://lemonldap-ng.org/redhat/extras/$releasever url: https://lemonldap-ng.org/redhat/extras/$releasever
desc: Lemonldap::NG Extras packages desc: Lemonldap::NG Extras packages
tags: repo

@ -0,0 +1,49 @@
---
- name: Copy Messenging SIG GPG Key
copy:
content: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBF3jBZQBCAC3mGl8pmWoOuUzh8rJAbaqiOXEZ8wa904VN2bTDgxydtwL16cy
ad54OaW+jyD0+api5b5pKmmu+7qLT3vfndITQaF8lE1w+1qSFFJpbxOSsqU7rVx5
+KpqfmfBJ9/jTIQsCcIdcx8Ajachgjifj1bM48quYE5pQp4YTu+I/HhwjacO9CEt
yIcX48wph2CbvY/xPX8E+8kdrc4/gd3F9c5Nmvj5Xa22QsXpCzrJSO5Vm8NIGycU
O4NhE4ctQLa5MqydvyAyORA4IYrzsK1Ioa8MJeeKvUQ46NWR+N2AsTQPbnULAiJM
ef3giEt56YpPx3JMe7G4XfAgsnYQphhFdV5VABEBAAG0Y0NlbnRPUyBNZXNzYWdp
bmcgU0lHIChodHRwczovL3dpa2kuY2VudG9zLm9yZy9TcGVjaWFsSW50ZXJlc3RH
cm91cC9NZXNzYWdpbmcpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUC
XeMFlAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEIMBTrvhbg0SwosH
/0sOHzZb0yLtcUfpOa+CUQv3BTvlg73lgw3/W1hQkjmrCi5YC4KQ80ZWluv7lxF3
xSMR9QVKA05pjwVS+I7D2g18SXwvQn35WaezT5G9kf6feQCY0njenM6qtI5p5c40
AkgrCWLFLxUUdPYvy8FEj5HlrAABZz9x1Tw8HMJlE6H7tx/4F825/jAosY0rWDhV
ue2dPT8wgZFWHpKDuatDGG8P2spIOKW5BEP9hguEo2oOhjLTpTU/He3uc2srCyWd
nxH0zQQlo4TpOcQBuvUhr4BU3ODA0Fx8Wd1PJj2lgekFnZgS4QK3iVKyVkYPDULq
YIOEUgsWlki4uUyPUAJoS025AQ0EXeMFlAEIANFN5aHtItH/5c0hxBNv8S4yDnEm
NwHKzWQBPJv69zjcokjYyAImRs6EqbEKL2hWA+9AbrLOC+s1Fya3U0EJIZmVKsuj
8GFaFBB7l26t596re8aWMWf+sbHGgBPHxi+Z/3LAkBGViI5r1WZO1h3b/v9j3QOA
A8WIVAcqGzwbBQDCV4zVZuePoNouYhMLvjai3Y3Ydd8vnZyGT02Zk4zYgBOw7cnh
0yveyYxJ+11x53UJXFmGI/vbslqmnWawp0eqT5T/TH45KNXHglvGqPct+6FdQ9N/
sIFjjYDXxuFNr3jCleXdP3SSi+Fvx7OrIVGmXNa0b02DWjci0wouXR0kGn0AEQEA
AYkBHwQYAQIACQUCXeMFlAIbDAAKCRCDAU674W4NEpkjB/97bQndwOuzaqwPRlwe
on2iy7jqbleOBwzkvjbIMZuxlYG9AjuqsEo/Y6cxpvePlVSEaaiN1oCAP6bOZpLa
pG3TOnJSKDMYMlgg1OsZjLS9Q8QPVxJrcBIqGSqa/Xdjap4WiPNDCpNBzsRMm74s
ZA0xRFu1GZuNbI8+TKXfR7dFMHzKuC//UV+VPbsG0JBEbCQF4YQU3t+9SwYGi3RL
KrfAh9X+OykyaUPtkshW4yS7RCA0MihfCVlxMq4ogEA/4I7/LWHyI7hTZ24lDOs1
Yd+k4Gl4Nd58iBKL2J8KHanZFUEWqlBAAdcnxjSqsaWmCUe2ABUZ0szErNn1wR1V
ix+K
=zKEu
-----END PGP PUBLIC KEY BLOCK-----
dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging
tags: repo,rabbitmq
- name: Configure rabbitmq repository
yum_repository:
name: rabbitmq
description: CentOS-8 - RabbitMQ 38
baseurl: http://mirror.centos.org/centos/$releasever/messaging/$basearch/rabbitmq-38
gpgcheck: True
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging
tags: repo,rabbitmq
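Review bot: `baseurl` uses plain `http://`; the RPMs themselves stay protected by `gpgcheck: True` with the embedded key, but repodata is unsigned, so an on-path attacker can serve stale metadata and hold the host back from security updates or choose which packages it sees. If mirror.centos.org serves this path over TLS (please verify), use `baseurl: https://mirror.centos.org/centos/$releasever/messaging/$basearch/rabbitmq-38`. The armored key is only as trustworthy as this commit; record its fingerprint as published by the CentOS Messaging SIG in a comment above `content: |` so a reviewer can check the embedded block against it without importing it.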

@ -1,3 +1 @@
--- ---
dependencies:
- role: repo_seadrive

@ -3,7 +3,7 @@
- name: Install packages - name: Install packages
yum: yum:
name: name:
- seadrive - seadrive-daemon
- fuse - fuse
tags: seadrive tags: seadrive

@ -1,6 +1,6 @@
--- ---
dependencies: dependencies:
- role: repo_nux_dextop - role: repo_rpmfusion
- role: memcached_server - role: memcached_server
when: seafile_memcached_server is search('^(127\.0\.0\.1|localhost)') when: seafile_memcached_server is search('^(127\.0\.0\.1|localhost)')
- role: clamav - role: clamav

@ -1,5 +1,12 @@
--- ---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: seafile
- name: Set default install mode - name: Set default install mode
set_fact: seafile_install_mode='none' set_fact: seafile_install_mode='none'
tags: seafile tags: seafile

@ -1,26 +1,7 @@
--- ---
- name: Install RPM dependencies - name: Install RPM dependencies
yum: yum: name={{ seafile_packages }}
name:
- python3
- python3-setuptools
- python3-pip
- python3-virtualenv
- MySQL-python
- ffmpeg
- ffmpeg-devel
- libmemcached-devel
- mysql-devel
- zlib-devel
- gcc
- tar
- mariadb
- fuse
- java-1.8.0-openjdk # For seafile-pro
- poppler-utils # For seafile-pro
- unoconv # For seafile-pro
- python-setuptools # needed for ansible to create the venv
tags: seafile tags: seafile
- name: Check if py2 venv is setup - name: Check if py2 venv is setup
@ -165,7 +146,7 @@
tags: seafile tags: seafile
- name: Generate a secret for seahub - name: Generate a secret for seahub
shell: python2.7 {{ seafile_root_dir }}/seafile-server/seahub/tools/secret_key_generator.py > {{ seafile_root_dir }}/meta/ansible_hub_secret shell: "{{ seafile_root_dir }}/bin/python {{ seafile_root_dir }}/seafile-server/seahub/tools/secret_key_generator.py > {{ seafile_root_dir }}/meta/ansible_hub_secret"
args: args:
creates: "{{ seafile_root_dir }}/meta/ansible_hub_secret" creates: "{{ seafile_root_dir }}/meta/ansible_hub_secret"
when: seafile_seahub_secret is not defined when: seafile_seahub_secret is not defined
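Review bot: `secret_key_generator.py > .../meta/ansible_hub_secret` creates the seahub secret file with the shell's default umask, typically `0644` when Ansible runs as root, so the secret is readable by every local account unless `meta/` itself is locked down — its creation is outside this hunk, so I can't tell. Prefix the command with `umask 077 && ` (the `creates:` guard keeps working), or add a following `file: path={{ seafile_root_dir }}/meta/ansible_hub_secret mode=0600 owner={{ seafile_user }}` task so the permission is enforced on hosts where the file already exists. The switch to the venv's `bin/python` is fine but worth a comment that the generator must run under the same interpreter seahub uses.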

@ -5,8 +5,10 @@ After=network.target mariadb.service
[Service] [Service]
Type=forking Type=forking
Environment=PATH={{ seafile_root_dir }}/bin:/bin:/usr/bin Environment=PATH={{ seafile_root_dir }}/bin:/bin:/usr/bin
Environment=PYTHONPATH={{ seafile_root_dir }}/lib64/python3.6/site-packages/
Environment=PYTHON={{ seafile_root_dir }}/bin/python
ExecStart={{ seafile_root_dir }}/seafile-server/seafile.sh start ExecStart={{ seafile_root_dir }}/seafile-server/seafile.sh start
ExecStop={{ seafile_root_dir }}/seafile-server-latest/seafile.sh stop ExecStop={{ seafile_root_dir }}/seafile-server/seafile.sh stop
User={{ seafile_user }} User={{ seafile_user }}
Group={{ seafile_group }} Group={{ seafile_group }}
PrivateDevices=yes PrivateDevices=yes

@ -0,0 +1,21 @@
---
seafile_packages:
- python3
- python3-setuptools
- python3-pip
- python3-virtualenv
- MySQL-python
- ffmpeg
- ffmpeg-devel
- libmemcached-devel
- mysql-devel
- zlib-devel
- gcc
- tar
- mariadb
- fuse
- java-1.8.0-openjdk # For seafile-pro
- poppler-utils # For seafile-pro
- unoconv # For seafile-pro
- python-setuptools # needed for ansible to create the venv

@ -0,0 +1,21 @@
---
seafile_packages:
- python3
- python3-setuptools
- python3-pip
- python3-virtualenv
- python3-mysql
- ffmpeg
- ffmpeg-devel
- libmemcached-devel
- mysql-devel
- zlib-devel
- gcc
- tar
- mariadb
- fuse
- java-1.8.0-openjdk # For seafile-pro
- poppler-utils # For seafile-pro
- unoconv # For seafile-pro
- python3-setuptools # needed for ansible to create the venv

@ -2,9 +2,11 @@
- name: Install transmission daemon - name: Install transmission daemon
yum: name=transmission-daemon state=present yum: name=transmission-daemon state=present
tags: torrent
- name: Create user - name: Create user
user: name={{ transmission_user }} comment="Transmission Daemon" system=yes shell=/sbin/nologin user: name={{ transmission_user }} comment="Transmission Daemon" system=yes shell=/sbin/nologin
tags: torrent
- name: Create directories - name: Create directories
file: path={{ transmission_data_dir }}/{{ item }} state=directory owner={{ transmission_user }} file: path={{ transmission_data_dir }}/{{ item }} state=directory owner={{ transmission_user }}
@ -12,15 +14,18 @@
- finished - finished
- incomplete - incomplete
- watch - watch
tags: torrent
- name: Deploy default config - name: Deploy default config
template: src=sysconfig.j2 dest=/etc/sysconfig/transmission template: src=sysconfig.j2 dest=/etc/sysconfig/transmission
notify: restart transmission notify: restart transmission
tags: torrent
- name: Override default systemd unit - name: Override default systemd unit
template: src=transmission-daemon.service.j2 dest=/etc/systemd/system/transmission-daemon.service template: src=transmission-daemon.service.j2 dest=/etc/systemd/system/transmission-daemon.service
register: transmission_unit register: transmission_unit
notify: restart transmission notify: restart transmission
tags: torrent
- name: Handle transmission port - name: Handle transmission port
iptables_raw: iptables_raw:
@ -30,6 +35,7 @@
-A INPUT -m state --state NEW -p tcp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT -A INPUT -m state --state NEW -p tcp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT
-A INPUT -p udp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT -A INPUT -p udp --dport {{ transmission_port }} -s {{ transmission_src_ip | join(',') }} -j ACCEPT
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: torrent,firewall
- name: Handle transmission RPC port - name: Handle transmission RPC port
iptables_raw: iptables_raw:
@ -37,10 +43,13 @@
state={{ (transmission_rpc_src_ip | length > 0) | ternary('present','absent') }} state={{ (transmission_rpc_src_ip | length > 0) | ternary('present','absent') }}
rules="-A INPUT -m state --state NEW -p tcp --dport {{ transmission_rpc_port }} -s {{ transmission_rpc_src_ip | join(',') }} -j ACCEPT" rules="-A INPUT -m state --state NEW -p tcp --dport {{ transmission_rpc_port }} -s {{ transmission_rpc_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: torrent,firewall
- name: Reload systemd - name: Reload systemd
command: systemctl daemon-reload command: systemctl daemon-reload
when: transmission_unit.changed when: transmission_unit.changed
tags: torrent
- name: Start and enable the service - name: Start and enable the service
service: name=transmission-daemon state=started enabled=yes service: name=transmission-daemon state=started enabled=yes
tags: torrent
