From 370451fbe71373cd203a8d20a51f65c171b0d5bb Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Thu, 11 Feb 2021 20:00:07 +0100 Subject: [PATCH] Update to 2021-02-11 20:00 --- roles/appsmith/defaults/main.yml | 6 +++ roles/appsmith/tasks/conf.yml | 17 ++++++++ roles/appsmith/tasks/directories.yml | 1 + roles/appsmith/tasks/facts.yml | 29 +++++++++++++ roles/appsmith/templates/env.j2 | 5 +++ roles/appsmith/templates/pre-backup.sh.j2 | 9 +++- roles/graylog/defaults/main.yml | 10 ++++- roles/graylog/tasks/archive_pre.yml | 2 +- roles/graylog/tasks/conf.yml | 53 ++++++++--------------- roles/graylog/tasks/directories.yml | 2 + roles/graylog/tasks/facts.yml | 71 ++++++++++++++++++++++++++++++- roles/graylog/tasks/install.yml | 10 +++++ roles/graylog/templates/post-backup.j2 | 2 +- roles/graylog/templates/pre-backup.j2 | 9 +++- roles/graylog/templates/server.conf.j2 | 8 +++- 15 files changed, 192 insertions(+), 42 deletions(-) diff --git a/roles/appsmith/defaults/main.yml b/roles/appsmith/defaults/main.yml index ec9e21c..e0f2e53 100644 --- a/roles/appsmith/defaults/main.yml +++ b/roles/appsmith/defaults/main.yml @@ -17,6 +17,12 @@ appsmith_user: appsmith # appsmith needs a redis server and a mongodb one appsmith_redis_url: redis://localhost:6379 +# A random one will be created and stored in the meta directory if not defined here +appsmith_mongo_user: appsmith +# appsmith_mongo_pass: S3cr3t. +# Note: if appsmith_mongo_pass is defined, it'll be used with appsmith_mongo_user to connect, even if not indicated in appsmith_mongo_url +# Else, anonymous connection is made. By default, if you do not set appsmith_mongo_pass, a random one will be created +# If you insist on using anonymous connections, you should set appsmith_mongo_pass to False appsmith_mongo_url: mongodb://localhost/appsmith?retryWrites=true # appsmith server component diff --git a/roles/appsmith/tasks/conf.yml b/roles/appsmith/tasks/conf.yml index ffe7ab5..ea6c5f0 100644 --- a/roles/appsmith/tasks/conf.yml 
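Review bot: The comment `# A random one will be created and stored in the meta directory if not defined here` sits above `appsmith_mongo_user: appsmith` but describes `appsmith_mongo_pass`, so a reader takes it as applying to the user name. Move it directly above the commented-out `# appsmith_mongo_pass: S3cr3t.` line. Because the opt-out is implemented with the Jinja comparison `!= False`, the defaults should also state that the value must be the unquoted boolean, e.g. `# appsmith_mongo_pass: false  # boolean, not the string 'False'`, since a quoted `"False"` would be used as the literal password.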
+++ b/roles/appsmith/tasks/conf.yml @@ -11,3 +11,20 @@ template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/appsmith.conf notify: reload nginx tags: appsmith + +- name: Create the mongodb user + mongodb_user: + database: "{{ appsmith_mongo_url | urlsplit('path') | regex_replace('^\\/', '') }}" + name: "{{ appsmith_mongo_user }}" + password: "{{ appsmith_mongo_pass }}" + login_database: admin + login_host: "{{ appsmith_mongo_url | urlsplit('hostname') }}" + login_port: "{{ appsmith_mongo_url | urlsplit('port') | ternary(appsmith_mongo_url | urlsplit('port'),omit) }}" + login_user: mongoadmin + login_password: "{{ mongo_admin_pass }}" + roles: + - readWrite + when: + - appsmith_mongo_pass is defined + - appsmith_mongo_pass != False + tags: appsmith diff --git a/roles/appsmith/tasks/directories.yml b/roles/appsmith/tasks/directories.yml index a838e8f..0c9ae84 100644 --- a/roles/appsmith/tasks/directories.yml +++ b/roles/appsmith/tasks/directories.yml @@ -4,6 +4,7 @@ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} loop: - dir: "{{ appsmith_root_dir }}" + mode: 755 - dir: "{{ appsmith_root_dir }}/archives" mode: 700 - dir: "{{ appsmith_root_dir }}/backup" diff --git a/roles/appsmith/tasks/facts.yml b/roles/appsmith/tasks/facts.yml index 1e6d935..45ad89d 100644 --- a/roles/appsmith/tasks/facts.yml +++ b/roles/appsmith/tasks/facts.yml 
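Review bot: The `Create the mongodb user` task lacks the `changed_when: False` that the equivalent graylog task in roles/graylog/tasks/conf.yml carries with the comment that the module reports a change on every run, so this role will show a spurious change each time; add `changed_when: False  # the module is buggy and indicates a change even if there were none` here too, or drop it in both places once the module has been confirmed idempotent. `login_user: mongoadmin` is hard-coded while the matching password is read from /root/.mongo.pw in facts.yml; a variable with that default would keep the admin identity in one place and let the two roles stay in step.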
@@ -30,3 +30,32 @@ when: appsmith_encryption_salt is not defined tags: appsmith +- set_fact: appsmith_mongo_pass={{ appsmith_mongo_url | urlsplit('password') | urldecode }} + when: + - appsmith_mongo_pass is not defined + - appsmith_mongo_url | urlsplit('password') is string + tags: mongo + +# Create a random password for mongo +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ appsmith_root_dir }}/meta/ansible_mongo_pass" + - set_fact: appsmith_mongo_pass={{ rand_pass }} + when: appsmith_mongo_pass is not defined + tags: appsmith + +# Try to read mongo admin pass +- name: Check if mongo pass file exists + stat: path=/root/.mongo.pw + register: appsmith_mongo_pw + tags: appsmith +- when: appsmith_mongo_pw.stat.exists and mongo_admin_pass is not defined + block: + - slurp: src=/root/.mongo.pw + register: appsmith_mongo_admin_pass + - set_fact: mongo_admin_pass={{ appsmith_mongo_admin_pass.content | b64decode | trim }} + tags: appsmith +- fail: msg='mongo_admin_pass must be provided' + when: not appsmith_mongo_pw.stat.exists and mongo_admin_pass is not defined + tags: appsmith diff --git a/roles/appsmith/templates/env.j2 b/roles/appsmith/templates/env.j2 index 14a40d3..2f777dc 100644 --- a/roles/appsmith/templates/env.j2 +++ b/roles/appsmith/templates/env.j2 
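Review bot: The `set_fact: appsmith_mongo_pass=...` task that parses the password out of appsmith_mongo_url is tagged `mongo` while every other task in the role is tagged `appsmith`; a run with `--tags appsmith` skips it, the following block then generates a random password, and the mongodb_user task in conf.yml resets the existing user's password to it. Change it to `tags: appsmith`. The same `tags: mongo` appears on `Parse password from the first mongo URL` in roles/graylog/tasks/facts.yml. Consider `no_log: true` on the two set_fact tasks that hold the password so the value is not echoed in verbose (-v) output.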
@@ -9,7 +9,12 @@ APPSMITH_MAIL_USERNAME={{ appsmith_email_user }} APPSMITH_MAIL_PASSWORD={{ appsmith_email_pass }} {% endif %} APPSMITH_REDIS_URL={{ appsmith_redis_url }} +{% if appsmith_mongo_user is defined and appsmith_mongo_pass is defined and appsmith_mongo_pass != False %} +{% set appsmith_mongo_url_obj = appsmith_mongo_url | urlsplit %} +APPSMITH_MONGODB_URI={{ appsmith_mongo_url_obj['scheme'] }}://{{ appsmith_mongo_user }}:{{ appsmith_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ appsmith_mongo_url_obj['hostname'] }}{% if appsmith_mongo_url_obj['port'] %}:{{ appsmith_mongo_url_obj['port'] }}{% endif %}{{ appsmith_mongo_url_obj['path'] }}?{{ appsmith_mongo_url_obj['query'] }} +{% else %} APPSMITH_MONGODB_URI={{ appsmith_mongo_url }} +{% endif %} APPSMITH_DISABLE_TELEMETRY=true APPSMITH_ENCRYPTION_PASSWORD={{ appsmith_encryption_pass }} APPSMITH_ENCRYPTION_SALT={{ appsmith_encryption_salt }} diff --git a/roles/appsmith/templates/pre-backup.sh.j2 b/roles/appsmith/templates/pre-backup.sh.j2 index e0d1e07..549411a 100644 --- a/roles/appsmith/templates/pre-backup.sh.j2 +++ b/roles/appsmith/templates/pre-backup.sh.j2 @@ -1,3 +1,10 @@ #!/bin/bash -e -mongodump --uri {{ appsmith_mongo_url }} --out {{ appsmith_root_dir }}/backup +mongodump \ +{% if appsmith_mongo_pass is defined and appsmith_mongo_pass != False %} +{% set appsmith_mongo_url_obj = appsmith_mongo_url | urlsplit %} + --uri {{ appsmith_mongo_url_obj['scheme'] }}://{{ appsmith_mongo_user }}:{{ appsmith_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ appsmith_mongo_url_obj['hostname'] }}{% if appsmith_mongo_url_obj['port'] %}:{{ appsmith_mongo_url_obj['port'] }}{% endif %}{{ appsmith_mongo_url_obj['path'] }}?{{ appsmith_mongo_url_obj['query'] }} \ +{% else %} + --uri {{ appsmith_mongo_url }} \ +{% endif %} + --out {{ appsmith_root_dir }}/backup diff --git a/roles/graylog/defaults/main.yml b/roles/graylog/defaults/main.yml index 9de87d8..32a0df2 100644 --- a/roles/graylog/defaults/main.yml 
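Review bot: When the password was parsed out of appsmith_mongo_url by facts.yml, the URI rebuilt here replaces whatever username the URL carried with `appsmith_mongo_user` (default `appsmith`), so a URL of the form `mongodb://someuser:pw@host/db` (constructed example) ends up authenticating as `appsmith` with someuser's password. Either parse `urlsplit('username')` into appsmith_mongo_user alongside the password in facts.yml, or document in defaults/main.yml that a username embedded in the URL is ignored. The rebuilt URI also always appends `?{{ appsmith_mongo_url_obj['query'] }}`, which leaves a trailing `?` when the URL has no query string; guard it with `{% if appsmith_mongo_url_obj['query'] %}?{{ appsmith_mongo_url_obj['query'] }}{% endif %}`. The same construction is repeated in roles/appsmith/templates/pre-backup.sh.j2 and roles/graylog/templates/pre-backup.j2.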
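Review bot: The rendered mongodump command line carries the MongoDB password in its arguments, where it is visible to every local user for the duration of the dump through the process table (`ps`, /proc/PID/cmdline); the same applies to roles/graylog/templates/pre-backup.j2 and to the `Archive mongo database` command in roles/graylog/tasks/archive_pre.yml whenever the URL embeds credentials. If the installed database tools support it, pass the credentials through a `--config` file (`uri:` / `password:` keys) deployed with mode 0600 next to the script, and keep the URI on the command line free of the password. The template task that deploys this script is outside the hunk; it should render the file with a restrictive mode, since the password is embedded in the file text in any case.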
+++ b/roles/graylog/defaults/main.yml @@ -42,7 +42,15 @@ graylog_es_hosts: - http://localhost:9200 graylog_es_cluster_name: elasticsearch -graylog_mongodb_uri: +graylog_mongo_user: graylog +# A random one will be created if not set. To make anonymous connections, set it to False +# If you use more than 1 mongo URL, then no password will be created, mongo user must be created manually +# and configured in the url +#graylog_mongo_pass: S3cRet. +# Note: if graylog_mongo_pass is defined, it'll be used with graylog_mongo_user to connect, even if not indicated in graylog_mongo_url +# Else, anonymous connection is made. By default, if you do not set graylog_mongo_pass, a random one will be created +# If you insist on using anonymous connections, you should set graylog_mongo_pass to False +graylog_mongo_url: - mongodb://localhost/graylog # Max size of Graylog journal, in GB diff --git a/roles/graylog/tasks/archive_pre.yml b/roles/graylog/tasks/archive_pre.yml index 5133f15..d2d74f1 100644 --- a/roles/graylog/tasks/archive_pre.yml +++ b/roles/graylog/tasks/archive_pre.yml @@ -14,5 +14,5 @@ tags: graylog - name: Archive mongo database - command: mongodump --quiet --out {{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo --uri {{ graylog_mongodb_uri[0] }} + command: mongodump --quiet --out {{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo --uri {{ graylog_mongo_url[0] }} tags: graylog diff --git a/roles/graylog/tasks/conf.yml b/roles/graylog/tasks/conf.yml index 66cbae6..5a7fbb0 100644 --- a/roles/graylog/tasks/conf.yml +++ b/roles/graylog/tasks/conf.yml 
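Review bot: Renaming `graylog_mongodb_uri` to `graylog_mongo_url` has no compatibility path, so an inventory that still sets the old name silently falls back to `mongodb://localhost/graylog`, and the role then creates a mongo user and points Graylog at a possibly wrong instance. Either keep the old name as a fallback, e.g. `graylog_mongo_url: "{{ graylog_mongodb_uri | default(['mongodb://localhost/graylog']) }}"`, or fail fast in facts.yml with an `assert` that `graylog_mongodb_uri is not defined` and a message naming the new variable. A line in the role's README or changelog about the rename would help too.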
@@ -1,33 +1,5 @@ --- -- name: Remove randomly generated admin password - file: path={{ graylog_root_dir }}/meta/admin_pass state=absent - when: graylog_admin_pass is defined - tags: graylog - -- name: Remove randomly generated password secret - file: path={{ graylog_root_dir }}/meta/pass_secret state=absent - when: graylog_pass_secret is defined - tags: graylog - -- import_tasks: ../includes/get_rand_pass.yml - vars: - - pass_file: "{{ graylog_root_dir }}/meta/pass_secret" - when: graylog_pass_secret is not defined - tags: graylog -- set_fact: graylog_pass_secret={{ rand_pass }} - when: graylog_pass_secret is not defined - tags: graylog - -- import_tasks: ../includes/get_rand_pass.yml - vars: - - pass_file: "{{ graylog_root_dir }}/meta/admin_pass" - when: graylog_admin_pass is not defined - tags: graylog -- set_fact: graylog_admin_pass={{ rand_pass }} - when: graylog_admin_pass is not defined - tags: graylog - - name: Deploy configuration template: src={{ item }}.j2 dest={{ graylog_root_dir }}/etc/{{ item }} group=graylog mode=640 loop: 
@@ -36,12 +8,23 @@ notify: restart graylog-server tags: graylog -- name: Deploy dehydrated hook - template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/graylog mode=755 - when: graylog_letsencrypt_cert is defined +- name: Create the mongodb user + mongodb_user: + database: "{{ item | urlsplit('path') | regex_replace('^\\/', '') }}" + name: "{{ graylog_mongo_user }}" + password: "{{ graylog_mongo_pass }}" + login_database: admin + login_host: "{{ item | urlsplit('hostname') }}" + login_port: "{{ item | urlsplit('port') | ternary(item | urlsplit('port'),omit) }}" + login_user: mongoadmin + login_password: "{{ mongo_admin_pass }}" + roles: + - readWrite + loop: "{{ graylog_mongo_url }}" + changed_when: False # the module is buggy and indicates a change even if there were none + when: + - graylog_mongo_url | length == 1 + - graylog_mongo_pass is defined + - graylog_mongo_pass != False tags: graylog -- name: Remove dehydrated hook - file: path=/etc/dehydrated/hooks_deploy_cert.d/graylog state=absent - when: graylog_letsencrypt_cert is not defined - tags: graylog diff --git a/roles/graylog/tasks/directories.yml b/roles/graylog/tasks/directories.yml index 8734f12..af88a51 100644 --- a/roles/graylog/tasks/directories.yml +++ b/roles/graylog/tasks/directories.yml @@ -34,4 +34,6 @@ owner: graylog group: graylog mode: 700 + - dir: backup + mode: 700 tags: graylog diff --git a/roles/graylog/tasks/facts.yml b/roles/graylog/tasks/facts.yml index 184166a..33ba5f7 100644 --- a/roles/graylog/tasks/facts.yml +++ b/roles/graylog/tasks/facts.yml @@ -1,7 +1,6 @@ --- # Detect if already installed, and if an upgrade is needed - - import_tasks: ../includes/webapps_set_install_mode.yml vars: - root_dir: "{{ graylog_root_dir }}" 
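Review bot: `loop: "{{ graylog_mongo_url }}"` makes Ansible print each item in the task result, and the URL item may embed credentials (facts.yml parses the password out of exactly this field), so a password configured in the URL is echoed in the play output and in any log that captures it, even though the module's `password`/`login_password` parameters themselves are masked. Add `loop_control:` with `label: "{{ item | urlsplit('hostname') }}"`, or set `no_log: true` on the task. `changed_when: False` also hides a genuine first-time user creation; the comment explains why, which is fine, but it is worth re-checking once the module is fixed.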
@@ -11,3 +10,73 @@ tags: graylog - set_fact: graylog_current_version={{ current_version | default('') }} tags: graylog + +# Try to read mongo admin pass +- name: Check if mongo pass file exists + stat: path=/root/.mongo.pw + register: graylog_mongo_pw + tags: graylog +- when: graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined + block: + - slurp: src=/root/.mongo.pw + register: graylog_mongo_admin_pass + - set_fact: mongo_admin_pass={{ graylog_mongo_admin_pass.content | b64decode | trim }} + tags: graylog +- fail: msg='mongo_admin_pass must be provided' + when: not graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined + tags: graylog + +- name: Remove randomly generated admin password + file: path={{ graylog_root_dir }}/meta/admin_pass state=absent + when: graylog_admin_pass is defined + tags: graylog + +- name: Remove randomly generated password secret + file: path={{ graylog_root_dir }}/meta/pass_secret state=absent + when: graylog_pass_secret is defined + tags: graylog + +- import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ graylog_root_dir }}/meta/pass_secret" + when: graylog_pass_secret is not defined + tags: graylog +- set_fact: graylog_pass_secret={{ rand_pass }} + when: graylog_pass_secret is not defined + tags: graylog + +- import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ graylog_root_dir }}/meta/admin_pass" + when: graylog_admin_pass is not defined + tags: graylog +- set_fact: graylog_admin_pass={{ rand_pass }} + when: graylog_admin_pass is not defined + tags: graylog + +# If only one mongo url is given and graylog_mongo_pass is not defined, +# parse the password from the url, or generate one +- debug: + msg: | + graylog_mongo_url is '{{ graylog_mongo_url }}' + parsed pass is "{{ graylog_mongo_url[0] | urlsplit('password') }}" + tags: graylog + +- name: Parse password from the first mongo URL + set_fact: graylog_mongo_pass={{ graylog_mongo_url[0] | urlsplit('password') | urldecode }} + 
when: + - graylog_mongo_url | length == 1 + - graylog_mongo_pass is not defined + - graylog_mongo_url[0] | urlsplit('password') is string + tags: mongo + +# Create a random password for mongo +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ graylog_root_dir }}/meta/mongo_pass" + - set_fact: graylog_mongo_pass={{ rand_pass }} + when: + - graylog_mongo_url | length == 1 + - graylog_mongo_pass is not defined + tags: graylog diff --git a/roles/graylog/tasks/install.yml b/roles/graylog/tasks/install.yml index 9c23d36..e90eb51 100644 --- a/roles/graylog/tasks/install.yml +++ b/roles/graylog/tasks/install.yml @@ -103,3 +103,13 @@ - pre - post tags: graylog + +- name: Deploy dehydrated hook + template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/graylog mode=755 + when: graylog_letsencrypt_cert is defined + tags: graylog + +- name: Remove dehydrated hook + file: path=/etc/dehydrated/hooks_deploy_cert.d/graylog state=absent + when: graylog_letsencrypt_cert is not defined + tags: graylog diff --git a/roles/graylog/templates/post-backup.j2 b/roles/graylog/templates/post-backup.j2 index 23f4460..bb5d786 100644 --- a/roles/graylog/templates/post-backup.j2 +++ b/roles/graylog/templates/post-backup.j2 @@ -1,3 +1,3 @@ #!/bin/bash -e -rm -rf {{ graylog_root_dir }}/dumps/{mongo,es}/* +rm -rf {{ graylog_root_dir }}/backup/{mongo,es}/* diff --git a/roles/graylog/templates/pre-backup.j2 b/roles/graylog/templates/pre-backup.j2 index 033bde3..dbb8c05 100644 --- a/roles/graylog/templates/pre-backup.j2 +++ b/roles/graylog/templates/pre-backup.j2 
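Review bot: The `debug` task prints graylog_mongo_url and the password parsed from it in clear text to the play output (`parsed pass is "{{ graylog_mongo_url[0] | urlsplit('password') }}"`), so a credential configured in the URL lands in the controller's stdout and in any CI or log collection that captures it. It reads like leftover troubleshooting; remove it, or at minimum add `no_log: true` and drop the password from the message. If a diagnostic is wanted, printing `graylog_mongo_url[0] | urlsplit('hostname')` gives the useful part without the secret.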
@@ -1,3 +1,10 @@ #!/bin/bash -e -mongodump --quiet --out {{ graylog_root_dir }}/dumps/mongo --uri {{ graylog_mongodb_uri[0] }} +mongodump \ +{% if graylog_mongo_url | length == 1 and graylog_mongo_pass is defined and graylog_mongo_pass != False %} +{% set graylog_mongo = graylog_mongo_url[0] | urlsplit %} + --uri {{ graylog_mongo['scheme'] }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ graylog_mongo['hostname'] }}{% if graylog_mongo['port'] %}:{{ graylog_mongo['port'] }}{% endif %}{{ graylog_mongo['path'] }}?{{ graylog_mongo['query'] }} \ +{% else %} + --uri {{ graylog_mongo_url[0] }} \ +{% endif %} + --quiet --out {{ graylog_root_dir }}/backup/mongo diff --git a/roles/graylog/templates/server.conf.j2 b/roles/graylog/templates/server.conf.j2 index c3de0e7..291493e 100644 --- a/roles/graylog/templates/server.conf.j2 +++ b/roles/graylog/templates/server.conf.j2 @@ -16,7 +16,13 @@ trusted_proxies = {% for host in graylog_http_src_ip %}{{ host }}{% if not host {% endif %} elasticsearch_hosts = {{ graylog_es_hosts | join(',') }} elasticsearch_cluster_name = {{ graylog_es_cluster_name | default('elasticsearch') }} -mongodb_uri = {{ graylog_mongodb_uri | join(',') }} +{% if graylog_mongo_pass is defined and graylog_mongo_pass != False and graylog_mongo_url | length == 1 %} +mongodb_uri = {% for url in graylog_mongo_url %}{{ url | urlsplit('scheme') }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ url | urlsplit('hostname') }}{% if url | urlsplit('port') %}:{{ url | urlsplit('port') }}{% endif %}{{ url | urlsplit('path') }}{{ url | urlsplit('query') }}{% if not loop.last %},{% endif %} +{% endfor %} +{% else %} +mongodb_uri = {{ graylog_mongo_url | join(',') }} +{% endif %} + message_journal_enabled = true transport_email_enabled = true
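Review bot: In the rebuilt `mongodb_uri` the query string is appended directly after the path (`{{ url | urlsplit('path') }}{{ url | urlsplit('query') }}`) with no `?` separator, so a URL such as `mongodb://localhost/graylog?retryWrites=true` (constructed example) renders as `.../graylogretryWrites=true`, whereas the pre-backup.j2 variant of the same construction does insert the `?`. Change it to `{{ url | urlsplit('path') }}{% if url | urlsplit('query') %}?{{ url | urlsplit('query') }}{% endif %}`. The `{% for url in graylog_mongo_url %}` loop with its `loop.last` comma is guarded by `graylog_mongo_url | length == 1`, so it only ever iterates once; using `graylog_mongo_url[0]` as pre-backup.j2 does would read more plainly.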