Update to 2020-11-30 12:00

master
Daniel Berteaud 4 years ago
parent 0352af510d
commit a256a03c79
  1. 6
      roles/funkwhale/meta/main.yml
  2. 2
      roles/funkwhale/vars/CentOS-8.yml
  3. 3
      roles/jitsi/defaults/main.yml
  4. 4
      roles/jitsi/templates/prosody.cfg.lua.j2
  5. 3
      roles/mongodb_server/tasks/main.yml
  6. 1
      roles/mongodb_server/templates/mongod.conf.j2
  7. 4
      roles/onlyoffice_document_server/tasks/install.yml
  8. 1
      roles/onlyoffice_document_server/tasks/main.yml
  9. 2
      roles/openxpki/tasks/selinux.yml
  10. 4
      roles/openxpki/templates/perms.sh.j2
  11. 1
      roles/postfix/templates/main.cf.j2
  12. 9
      roles/repo_base/tasks/main.yml
  13. 37
      roles/repo_xsendfile/tasks/main.yml
  14. 10
      roles/seadrive/files/seadrive.te
  15. 4
      roles/seadrive/tasks/main.yml
  16. 19
      roles/seadrive/tasks/selinux.yml
  17. 6
      roles/unifi/meta/main.yml
  18. 25
      roles/unifi/tasks/main.yml
  19. 3
      roles/unifi/templates/post-backup.sh.j2
  20. 4
      roles/unifi/templates/pre-backup.sh.j2
  21. 5
      roles/unifi/vars/CentOS-7.yml
  22. 6
      roles/unifi/vars/CentOS-8.yml
  23. 1
      roles/wordpress/templates/post-backup.sh.j2
  24. 7
      roles/wordpress/templates/pre-backup.sh.j2
  25. 4
      roles/zabbix_proxy/files/zabbix_proxy.te
  26. 8
      roles/zimbra/tasks/cas.yml

@ -1,7 +1,11 @@
--- ---
allow_duplicates: true allow_duplicates: true
dependencies: dependencies:
- role: repo_remi # for ffmpeg - role: repo_rpmfusion # for ffmpeg
- role: repo_xsendfile # mod_xsendfile is not available in base repo for EL8
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8','>=')
- role: httpd_common - role: httpd_common
- role: redis_server - role: redis_server
when: funkwhale_redis_url | urlsplit('hostname') == 'localhost' or funkwhale_redis_url | urlsplit('hostname') == '127.0.0.1' when: funkwhale_redis_url | urlsplit('hostname') == 'localhost' or funkwhale_redis_url | urlsplit('hostname') == '127.0.0.1'

@ -13,4 +13,4 @@ funkwhale_packages:
- python3-virtualenv - python3-virtualenv
- python3-pip - python3-pip
- ffmpeg - ffmpeg
#- mod_xsendfile - mod_xsendfile

@ -69,7 +69,8 @@ jitsi_meet_conf_base:
muc: conference.{{ jitsi_domain }} muc: conference.{{ jitsi_domain }}
bosh: '//{{ jitsi_domain }}/http-bind' bosh: '//{{ jitsi_domain }}/http-bind'
# websocket support is broken on prosody 0.11.7 when running lua 5.1 (on EL7), so disable it for now so it fallback to BOSH # websocket support is broken on prosody 0.11.7 when running lua 5.1 (on EL7), so disable it for now so it fallback to BOSH
websocket: "{{ (ansible_os_family == 'RedHat' and ansible_distribution_major_version is version ('8','<')) | ternary(False,'wss://{{ jitsi_domain }}/xmpp-websocket') }}" # websocket: wss://{{ jitsi_domain }}/xmpp-websocket
websocket: False
clientNode: http://jitsi.org/jitsimeet clientNode: http://jitsi.org/jitsimeet
focusUserJid: "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" focusUserJid: "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}"
disableAudioLevels: True disableAudioLevels: True

@ -1,7 +1,7 @@
muc_mapper_domain_base = "{{ jitsi_domain }}"; muc_mapper_domain_base = "{{ jitsi_domain }}";
admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" } admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" };
http_default_host = "{{ jitsi_domain }}" http_default_host = "{{ jitsi_domain }}";
{% if jitsi_turn_secret is defined %} {% if jitsi_turn_secret is defined %}
turncredentials_secret = "{{ jitsi_turn_secret }}"; turncredentials_secret = "{{ jitsi_turn_secret }}";

@ -62,12 +62,9 @@
copy: copy:
content: | content: |
[Service] [Service]
Type=simple
PrivateTmp=yes PrivateTmp=yes
ProtectSystem=full ProtectSystem=full
ProtectHome=yes ProtectHome=yes
NoNewPrivileges=yes
SyslogIdentifier=mongod
Restart=on-failure Restart=on-failure
StartLimitInterval=0 StartLimitInterval=0
RestartSec=30 RestartSec=30

@ -4,3 +4,4 @@ pidfilepath = /var/run/mongodb/mongod.pid
unixSocketPrefix = /var/run/mongodb unixSocketPrefix = /var/run/mongodb
dbpath = {{ mongo_db_path }} dbpath = {{ mongo_db_path }}
syslog = true syslog = true
fork = true

@ -42,6 +42,10 @@
- log4js/production.json - log4js/production.json
tags: oo tags: oo
- name: Set permission on config directory
file: path=/etc/onlyoffice state=directory mode=755
tags: oo
- name: Fix permissions on data dir - name: Fix permissions on data dir
command: chown -R ds:ds /var/lib/onlyoffice/documentserver/ command: chown -R ds:ds /var/lib/onlyoffice/documentserver/
args: args:

@ -4,6 +4,7 @@
- include: directories.yml - include: directories.yml
- include: facts.yml - include: facts.yml
- include: install.yml - include: install.yml
- include: conf.yml
- include: selinux.yml - include: selinux.yml
when: ansible_selinux.status == 'enabled' when: ansible_selinux.status == 'enabled'
- include: services.yml - include: services.yml

@ -31,7 +31,7 @@
cd /etc/selinux/targeted/local/ cd /etc/selinux/targeted/local/
checkmodule -M -m -o openxpki.mod openxpki.te checkmodule -M -m -o openxpki.mod openxpki.te
semodule_package -o openxpki.pp -m openxpki.mod semodule_package -o openxpki.pp -m openxpki.mod
semodule -i /etc/selinux/targeted/local/openxpki.pp
when: pki_selinux_policy.changed when: pki_selinux_policy.changed
tags: pki tags: pki

@ -2,3 +2,7 @@
chown -R {{ pki_user }}:{{ pki_user }} {{ pki_root_dir }}/etc/ssl chown -R {{ pki_user }}:{{ pki_user }} {{ pki_root_dir }}/etc/ssl
chmod 700 {{ pki_root_dir }}/etc/ssl chmod 700 {{ pki_root_dir }}/etc/ssl
# The root key is not used by OpenXPKI itself, protect it
chown root:root {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem
# Restrict access to the different keys
chmod 600 {{ pki_root_dir }}/etc/ssl/*/*key*.pem

@ -16,6 +16,7 @@ inet_protocols = ipv4
mydestination = {{ postfix_mydestination | default(['$myhostname', 'localhost.$mydomain', 'localhost']) | join(', ') }} mydestination = {{ postfix_mydestination | default(['$myhostname', 'localhost.$mydomain', 'localhost']) | join(', ') }}
mynetworks = {{ postfix_mynetworks | default([ '127.0.0.0/8' ]) | join (', ') }} mynetworks = {{ postfix_mynetworks | default([ '127.0.0.0/8' ]) | join (', ') }}
smtpd_recipient_restrictions = permit_mynetworks
{% if postfix_relay_host is defined %} {% if postfix_relay_host is defined %}
relayhost = {{ postfix_relay_host }} relayhost = {{ postfix_relay_host }}

@ -27,14 +27,7 @@
tags: repo tags: repo
- name: Configure latest PostgreSQL repository - name: Configure latest PostgreSQL repository
yum_repository: template: src=postgresql-client.repo.j2 dest=/etc/yum.repos.d/postgresql-client.repo
name: postgresql-client
description: PostgreSQL
baseurl: https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch
gpgcheck: True
gpgkey: https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-13
state: "{{ repo_postgres | ternary('present','absent') }}"
includepkgs: postgresql13 postgresql13-libs
tags: repo tags: repo
- name: Remove obsolete repo - name: Remove obsolete repo

@ -0,0 +1,37 @@
---
- name: Configure CentOS SIG Cloud GPG Key
copy:
content: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0
N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm
j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT
pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY
SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX
MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT
SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv
Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL
CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy
FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz
uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I
93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV
kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp
9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq
wKXK7l1c3dc=
=W6yF
-----END PGP PUBLIC KEY BLOCK-----
dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
tags: repo
- name: Configure Openstack repo for mod_xsendfile
yum_repository:
name: xsendfile
description: Cloud SIG repo for mod_xsendfile
baseurl: http://mirror.centos.org/$contentdir/$releasever/cloud/$basearch/openstack-train/
gpgcheck: True
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
includepkgs: mod_xsendfile
tags: repo

@ -0,0 +1,10 @@
module seadrive 1.0;
require {
type init_t;
type fusermount_exec_t;
class file execute;
}
#============= init_t ==============
allow init_t fusermount_exec_t:file execute;

@ -16,6 +16,7 @@
loop: loop:
- /etc/seadrive - /etc/seadrive
- /var/cache/seadrive - /var/cache/seadrive
- /opt/seadrive
tags: seadrive tags: seadrive
- name: Create cache directories - name: Create cache directories
@ -68,6 +69,9 @@
loop: "{{ seadrive_remove_instances }}" loop: "{{ seadrive_remove_instances }}"
tags: seadrive tags: seadrive
- include: selinux.yml
when: ansible_selinux.status == 'enabled'
- name: Obtain API Tokens - name: Obtain API Tokens
uri: uri:
url: "{{ item.server }}/api2/auth-token/" url: "{{ item.server }}/api2/auth-token/"

@ -0,0 +1,19 @@
---
- name: Copy SELinux policy
copy: src=seadrive.te dest=/etc/selinux/targeted/local/
register: seadrive_selinux_policy
tags: seadrive
- name: Compile SELinux policy
shell: |
cd /etc/selinux/targeted/local/
checkmodule -M -m -o seadrive.mod seadrive.te
semodule_package -o seadrive.pp -m seadrive.mod
when: seadrive_selinux_policy.changed
tags: seadrive
- name: Load SELinux policy
command: semodule -i /etc/selinux/targeted/local/seadrive.pp
when: seadrive_selinux_policy.changed
tags: seadrive

@ -2,3 +2,9 @@
dependencies: dependencies:
- role: mkdir - role: mkdir
- role: repo_mongodb # MongoDB isn't in base repo anymore on EL8
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8','>=')
vars:
- mongo_major_version: 3.4 # Unifi recommends Mong 3.4

@ -1,14 +1,18 @@
--- ---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: unifi
- name: Set default install mode to none - name: Set default install mode to none
set_fact: unifi_install_mode="none" set_fact: unifi_install_mode="none"
tags: unifi tags: unifi
- name: Install dependencies - name: Install dependencies
yum: yum: name={{ unifi_packages }}
name:
- java-1.8.0-openjdk-headless
- mongodb-server
tags: unifi tags: unifi
- name: Create a system account to run unifi - name: Create a system account to run unifi
@ -184,6 +188,19 @@
when: unifi_unit.changed when: unifi_unit.changed
tags: unifi tags: unifi
# Only supported on el8 as el7 provides mongodb-server but no mongodump
# It'd be possible to migrate existing el7 server from base mongodb to
# the one provided by upstream repo though
- name: Deploy pre and post backup hooks
template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/unifi mode=755
loop:
- pre
- post
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version is version('8','>=')
tags: unifi
- name: Start and enable the service - name: Start and enable the service
service: name=unifi state=started enabled=True service: name=unifi state=started enabled=True
tags: unifi tags: unifi

@ -0,0 +1,3 @@
#!/bin/bash
rm -rf {{ unifi_root_dir }}/backup/mongo/*

@ -0,0 +1,4 @@
#!/bin/bash -e
mkdir -p {{ unifi_root_dir }}/backup/mongo
mongodump --quiet --port 27117 --out {{ unifi_root_dir }}/backup/mongo

@ -0,0 +1,5 @@
---
unifi_packages:
- java-1.8.0-openjdk-headless
- mongodb-server

@ -0,0 +1,6 @@
---
unifi_packages:
- java-1.8.0-openjdk-headless
- mongodb-org-server
- mongodb-org

@ -1,4 +1,3 @@
#!/bin/bash #!/bin/bash
umount /home/lbkp/wordpress_{{ wp_id }}
rm -f {{ wp_root_dir }}/backup/* rm -f {{ wp_root_dir }}/backup/*

@ -1,15 +1,12 @@
#!/bin/bash -e #!/bin/bash -e
mkdir -p /home/lbkp/wordpress_{{ wp_id }}
/usr/bin/mysqldump \ /usr/bin/mysqldump \
{% if wp_db_server != 'localhost' and wp_db_server != '127.0.0.1' %} {% if not wp_db_server in ['localhost', '127.0.0.1'] %}
--user='{{ wp_db_user }}' \ --user='{{ wp_db_user }}' \
--password='{{ wp_db_pass }}' \ --password='{{ wp_db_pass }}' \
--host='{{ wp_db_server }}' \ --host='{{ wp_db_server }}' \
--port='{{ wp_db_port }}' \ --port='{{ wp_db_port }}' \
{% endif %} {% endif %}
--quick --single-transaction \ --quick --single-transaction \
--add-drop-table '{{ wp_db_name }}' | zstd -T0 > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst --add-drop-table '{{ wp_db_name }}' | zstd -c > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst
mountpoint -q /home/lbkp/wordpress_{{ wp_id }}/ || mount -o bind,ro {{ wp_root_dir }}/backup/ /home/lbkp/wordpress_{{ wp_id }}

@ -1,4 +1,4 @@
module zabbix_proxy 1.0; module zabbix_proxy 1.1;
require { require {
type zabbix_var_run_t; type zabbix_var_run_t;
@ -8,6 +8,7 @@ require {
class sock_file { create unlink }; class sock_file { create unlink };
class unix_stream_socket connectto; class unix_stream_socket connectto;
class file { getattr read }; class file { getattr read };
class capability dac_override;
} }
#============= ping_t ============== #============= ping_t ==============
@ -16,3 +17,4 @@ allow ping_t zabbix_var_lib_t:file { getattr read };
#============= zabbix_t ============== #============= zabbix_t ==============
allow zabbix_t self:unix_stream_socket connectto; allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t zabbix_var_run_t:sock_file { create unlink }; allow zabbix_t zabbix_var_run_t:sock_file { create unlink };
allow zabbix_t self:capability dac_override;

@ -22,13 +22,13 @@
- name: Install preauth pages - name: Install preauth pages
template: src=cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra template: src=cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
loop: "{{ zcs_preauthkeys.results }}" loop: "{{ zcs_preauthkeys.results }}"
notify: restart zmmailboxd notify: restart zimbra
tags: zcs tags: zcs
- name: Install admin preauth pages - name: Install admin preauth pages
template: src=cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra template: src=cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
loop: "{{ zcs_preauthkeys.results }}" loop: "{{ zcs_preauthkeys.results }}"
notify: restart zmmailboxd notify: restart zimbra
tags: zcs tags: zcs
- name: Configure CAS filters - name: Configure CAS filters
@ -123,7 +123,7 @@
marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->' marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->'
insertafter: '</error-page>' insertafter: '</error-page>'
validate: xmllint %s validate: xmllint %s
notify: restart zmmailboxd notify: restart zimbra
tags: zcs tags: zcs
- name: Configure CAS admin filters - name: Configure CAS admin filters
@ -219,7 +219,7 @@
marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->' marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK" -->'
insertafter: '</error-page>' insertafter: '</error-page>'
validate: xmllint %s validate: xmllint %s
notify: restart zmmailboxd notify: restart zimbra
tags: zcs tags: zcs
- name: Configure login and logout URL - name: Configure login and logout URL

Loading…
Cancel
Save