Update to 2021-05-19 15:00

master
Daniel Berteaud 4 years ago
parent 348642f619
commit 72a6d628e0
  1. 4
      roles/ampache/defaults/main.yml
  2. 7
      roles/letsencrypt/templates/domains.txt.j2
  3. 2
      roles/mkdir/tasks/main.yml
  4. 14
      roles/rabbitmq_server/defaults/main.yml
  5. 1
      roles/rabbitmq_server/meta/main.yml
  6. 9
      roles/rabbitmq_server/tasks/conf.yml
  7. 6
      roles/rabbitmq_server/tasks/facts.yml
  8. 8
      roles/rabbitmq_server/tasks/install.yml
  9. 3
      roles/rabbitmq_server/tasks/iptables.yml
  10. 20
      roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
  11. 3
      roles/rabbitmq_server/templates/rabbitmq.conf.j2
  12. 2
      roles/radius_server/files/rad_check_client_cert
  13. 4
      roles/squid/files/acl/software_various.domains

@ -3,10 +3,10 @@
ampache_id: "1" ampache_id: "1"
ampache_manage_upgrade: True ampache_manage_upgrade: True
ampache_version: '4.4.1' ampache_version: '4.4.2'
ampache_config_version: 49 ampache_config_version: 49
ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
ampache_zip_sha1: fa0ef4ba8fb0e37d3a90ce88d3306fe34e81cfcd ampache_zip_sha1: 1e861091f032c44dc402c97180edd88c2246e0aa
ampache_root_dir: /opt/ampache_{{ ampache_id }} ampache_root_dir: /opt/ampache_{{ ampache_id }}

@ -39,3 +39,10 @@
{% if turn_letsencrypt_cert is defined and turn_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %} {% if turn_letsencrypt_cert is defined and turn_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
{{ turn_letsencrypt_cert }} {{ turn_letsencrypt_cert }}
{% endif %} {% endif %}
{% if rabbitmq_letsencrypt_cert is defined %}
{% if rabbitmq_letsencrypt_cert is string and rabbitmq_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
{{ rabbitmq_letsencrypt_cert }}
{% elif rabbitmq_letsencrypt_cert == True and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
{{ inventory_hostname }}
{% endif %}
{% endif %}

@ -33,7 +33,7 @@
file: path=/etc/dehydrated/{{ item }}.d state=directory file: path=/etc/dehydrated/{{ item }}.d state=directory
loop: loop:
- hooks_deploy_cert - hooks_deploy_cert
tags: backup,mkdir tags: ssl,web,mkdir
- name: Create bash_completion dir - name: Create bash_completion dir
file: path=/etc/bash_completion.d state=directory file: path=/etc/bash_completion.d state=directory

@ -2,9 +2,23 @@
# Plain TCP port # Plain TCP port
rabbitmq_port: 5672 rabbitmq_port: 5672
rabbitmq_ssl_port: 5671
# Access to the plain port # Access to the plain port
rabbitmq_src_ip: [] rabbitmq_src_ip: []
# Access to the ssl port
rabbitmq_ssl_src_ip: []
# Can be either true, in which case a cert will be automatically obtained using letsencrypt
# or can be a name, in which case you have to configure letsencrypt to obtain the cert yourself
# rabbitmq_letsencrypt_cert: True
# or
# rabbitmq_letsencrypt_cert: rabbit.example.org
# You have to deploy the letsencrypt role on the host for this to work
# Or you can specify cert and key path. They must be readable by rabbitmq
#rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
#rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
# HTTP API / Web management interface # HTTP API / Web management interface
rabbitmq_web_port: 15672 rabbitmq_web_port: 15672

@ -1,6 +1,7 @@
--- ---
dependencies: dependencies:
- role: mkdir
- role: repo_rabbitmq - role: repo_rabbitmq
when: when:
- ansible_os_family == 'RedHat' - ansible_os_family == 'RedHat'

@ -6,6 +6,15 @@
notify: restart rabbitmq-server notify: restart rabbitmq-server
tags: rabbit tags: rabbit
# Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
# turnserver must be started before that
- import_tasks: ../includes/create_selfsigned_cert.yml
vars:
- cert_path: /etc/rabbitmq/ssl/cert.pem
- cert_key_path: /etc/rabbitmq/ssl/key.pem
- cert_user: rabbitmq
tags: rabbitmq
- name: Deploy configuration - name: Deploy configuration
template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }} template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }}
notify: restart rabbitmq-server notify: restart rabbitmq-server
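Review bot: The comment above the new `import_tasks` line says `turnserver must be started before that`, which was evidently carried over from the turn role; it should read `# rabbitmq-server must be started before that`, since this role restarts rabbitmq-server and the dehydrated hook later overwrites these self-signed files. The `vars:` block is written as a list of one-key mappings; Ansible accepts this form but appears to have deprecated it in recent releases in favour of a plain mapping (`cert_path: …`, `cert_key_path: …`, `cert_user: …`). The new task is tagged `rabbitmq` while the adjacent task just above it uses `rabbit`; unifying the tag avoids the self-signed cert step being skipped on a `--tags rabbit` run.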

@ -3,3 +3,9 @@
# On EL8 and newer, rabbitmq config uses the new format # On EL8 and newer, rabbitmq config uses the new format
- set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }} - set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }}
tags: rabbitmq tags: rabbitmq
- when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
block:
- set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
- set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
tags: rabbitmq
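Review bot: The `when` on the new block resets both paths to the `/etc/rabbitmq/ssl/` defaults whenever either one is undefined or `rabbitmq_letsencrypt_cert` is set, so a host that supplies only `rabbitmq_ssl_cert_path`, or supplies custom paths together with letsencrypt, has its operator-chosen value silently discarded. Fail early instead with an `assert` before the block, e.g. `that: (rabbitmq_ssl_cert_path is defined) == (rabbitmq_ssl_key_path is defined)` with a `fail_msg` saying both paths must be given together, and state in the defaults comments that `rabbitmq_letsencrypt_cert` takes precedence over custom paths. A comment on the block such as `# Use the role-managed cert unless both custom paths are provided` would make the precedence visible to the next reader.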

@ -12,3 +12,11 @@
- pre - pre
- post - post
tags: rabbitmq tags: rabbitmq
- name: Create directories
file: path=/etc/rabbitmq/ssl state=directory owner=rabbitmq group=rabbitmq mode=700
tags: rabbitmq
- name: Install dehydrated hook
template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/rabbitmq.sh mode=755
tags: rabbitmq
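Review bot: The new `Create directories` task makes `/etc/rabbitmq/ssl` owned by `rabbitmq` (`owner=rabbitmq … mode=700`), yet the dehydrated hook installed by the next task runs as root and `cp`s the private key into that directory; `cp` follows a symlink at the destination, so a compromised `rabbitmq` account could pre-place a symlink named `key.pem` and have root write the Let's Encrypt key wherever it points. Prefer a root-owned directory readable by the service group, `file: path=/etc/rabbitmq/ssl state=directory owner=root group=rabbitmq mode=750`, assuming `create_selfsigned_cert.yml` (not shown here) also writes as root. As a point of style, the `key=value` form with bare `mode=700` / `mode=755` works because Ansible treats the string as octal, but the native mapping form with a quoted leading-zero mode (`mode: "0750"`) is the documented idiom and avoids the octal/decimal trap if these tasks are later converted.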

@ -9,6 +9,9 @@
- name: rabbitmq_port - name: rabbitmq_port
port: "{{ rabbitmq_port }}" port: "{{ rabbitmq_port }}"
src_ip: "{{ rabbitmq_src_ip }}" src_ip: "{{ rabbitmq_src_ip }}"
- name: rabbitmq_ssl_port
port: "{{ rabbitmq_ssl_port }}"
src_ip: "{{ rabbitmq_ssl_src_ip }}"
- name: rabbitmq_web_port - name: rabbitmq_web_port
port: "{{ rabbitmq_web_port }}" port: "{{ rabbitmq_web_port }}"
src_ip: "{{ rabbitmq_web_src_ip }}" src_ip: "{{ rabbitmq_web_src_ip }}"

@ -0,0 +1,20 @@
#!/bin/bash -e
{% if rabbitmq_letsencrypt_cert is defined %}
{% if rabbitmq_letsencrypt_cert == True %}
{% set cert = inventory_hostname %}
{% elif rabbitmq_letsencrypt_cert is string %}
{% set cert = rabbitmq_letsencrypt_cert %}
{% endif %}
if [ $1 == "{{ cert }}" ]; then
cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/rabbitmq/ssl/cert.pem
cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
chown :rabbitmq /etc/rabbitmq/ssl/key.pem
chmod 644 /etc/rabbitmq/ssl/cert.pem
chmod 640 /etc/rabbitmq/ssl/key.pem
systemctl restart rabbitmq-server
fi
{% endif %}
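Review bot: `$1` is unquoted in the `if [ $1 == "{{ cert }}" ]` test, so a call with no argument (or one containing whitespace) makes `[` fail and, under `#!/bin/bash -e`, aborts the hook; write `if [ "$1" = "{{ cert }}" ]; then`. The copy-then-`chown`-then-`chmod` sequence leaves the private key with default-umask permissions between the `cp` and the `chmod 640`; `install -o root -g rabbitmq -m 0640 /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem` (and `-m 0644` for `fullchain.pem`) sets owner, group and mode atomically. Note also that `cert` is only assigned when the variable is `True` or a string, so any other defined value (for example `False`) leaves `{{ cert }}` unset at render time, which presumably fails the template under Ansible's strict undefined handling; an explicit `{% else %}` branch or a comment stating the accepted values would make that intentional.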

@ -1,4 +1,7 @@
listeners.tcp.default = {{ rabbitmq_port }} listeners.tcp.default = {{ rabbitmq_port }}
listeners.ssl.default = {{ rabbitmq_ssl_port }}
ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }} loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
management.tcp.port = {{ rabbitmq_web_port }} management.tcp.port = {{ rabbitmq_web_port }}
management.tcp.ip = 0.0.0.0 management.tcp.ip = 0.0.0.0
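Review bot: The new `listeners.ssl.default` block sets only `ssl_options.certfile` and `ssl_options.keyfile`, leaving protocol versions and ciphers to the Erlang/OTP defaults, which on older OTP releases still negotiate TLS 1.0/1.1; pin them next to the key/cert lines with `ssl_options.versions.1 = tlsv1.2` (adding `tlsv1.3` where the installed OTP supports it). The diffstat lists no change to the old-format template that `facts.yml` selects on EL < 8, so on those hosts the self-signed cert is generated and port 5671 opened in iptables while nothing listens on it — either port the listener to `rabbitmq.config.j2` or record the limitation in the defaults comments. The plain `listeners.tcp.default` stays enabled unconditionally alongside TLS, which is fine as a default but deserves a comment pointing at `rabbitmq_src_ip` as the only control on the cleartext port.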

@ -39,7 +39,7 @@ if ($crl){
} }
if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){ if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
my $code = getstore($crl,$crl_file); my $code = getstore($crl, '/run/radiusd/tls/crl.pem');
if ($code == 200){ if ($code == 200){
$crl_age = 0; $crl_age = 0;
$crl_file = '/run/radiusd/tls/crl.pem'; $crl_file = '/run/radiusd/tls/crl.pem';
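Review bot: `getstore` now writes straight into the live `/run/radiusd/tls/crl.pem`, so an interrupted or malformed download can leave a truncated CRL in place for up to the 900 s refresh interval on the enclosing `if` line; fetch to a temporary path and move it over the live file only after the status check, e.g. `my $tmp = '/run/radiusd/tls/crl.pem.tmp'; my $code = getstore($crl, $tmp);` and `rename($tmp, '/run/radiusd/tls/crl.pem') or die "cannot install CRL: $!";` inside the existing `if ($code == 200)` block. Whether LWP::Simple writes a body on non-2xx responses varies by version, so the rename guard is the safer assumption. The literal path now appears several times in this hunk; a single `my $crl_live = '/run/radiusd/tls/crl.pem';` constant would keep them from drifting. The enclosing `if ($crl)` block begins before this hunk.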

@ -47,10 +47,10 @@ s3.eu-central-1.amazonaws.com
forge.glpi-project.org forge.glpi-project.org
# Chrome on Linux # Chrome on Linux
dl.google.com/linux/chrome dl.google.com
# Hosts several things, including the Zabbix datasource for Grafana # Hosts several things, including the Zabbix datasource for Grafana
storage.googleapis.com .storage.googleapis.com
# Grafana repo # Grafana repo
grafanarel.s3.amazonaws.com grafanarel.s3.amazonaws.com
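Review bot: Changing `storage.googleapis.com` to `.storage.googleapis.com` widens the allow list from one host to every subdomain, and because any Google Cloud Storage bucket is reachable as `<bucket>.storage.googleapis.com`, the proxy now permits downloads from arbitrary third-party buckets rather than just the Grafana Zabbix datasource named in the comment. If the client fetches from a bucket-style hostname, list the specific bucket host(s) here instead, or move this entry to a `url_regex` ACL scoped to the bucket path. The `dl.google.com/linux/chrome` → `dl.google.com` change is presumably correct since a dstdomain-style ACL cannot match on path (the ACL type is inferred from the `.domains` filename), but it likewise opens the whole host; a comment recording that trade-off would help.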
