From c8fe1a267198ec7d8f2d9026ed30c94d87d7d3dd Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Thu, 25 Nov 2021 15:00:07 +0100 Subject: [PATCH] Update to 2021-11-25 15:00 --- roles/metabase/defaults/main.yml | 8 +++++--- roles/metabase/meta/main.yml | 4 +++- roles/metabase/tasks/archive_pre.yml | 16 ++++++++++++++++ roles/metabase/tasks/install.yml | 26 ++++++++++++++++++++++++++ roles/metabase/templates/env.j2 | 7 +++++-- roles/metabase/templates/pre-backup.j2 | 9 +++++++++ roles/openvpn/handlers/main.yml | 6 +++++- roles/openvpn/tasks/main.yml | 23 +++++++++++++++++------ roles/openvpn/templates/openvpn@.service.j2 | 24 ++++++++++++++++++++++++ roles/pgadmin4/tasks/conf.yml | 13 ++++++++++++- roles/pgadmin4/vars/RedHat-7.yml | 1 + roles/pgadmin4/vars/RedHat-8.yml | 1 + 12 files changed, 124 insertions(+), 14 deletions(-) create mode 100644 roles/openvpn/templates/openvpn@.service.j2 diff --git a/roles/metabase/defaults/main.yml b/roles/metabase/defaults/main.yml index 6e3d84c..f739a80 100644 --- a/roles/metabase/defaults/main.yml +++ b/roles/metabase/defaults/main.yml @@ -20,9 +20,11 @@ metabase_port: 3002 # List of IP or CIDR allowed to reach metabase_port metabase_src_ip: [] -# MySQL database -metabase_db_server: "{{ mysql_server | default('localhost') }}" -metabase_db_port: 3306 +# application database +# Can be either mysql or postgres +metabase_db_engine: mysql +metabase_db_server: "{{ (metabase_db_engine == 'mysql') | ternary(mysql_server, pg_server) | default('localhost') }}" +metabase_db_port: "{{ (metabase_db_engine == 'mysql') | ternary('3306', '5432') }}" metabase_db_name: metabase metabase_db_user: metabase # A random pass will be generated and stored in the meta dir if not defined diff --git a/roles/metabase/meta/main.yml b/roles/metabase/meta/main.yml index 91d91ca..0bee4ea 100644 --- a/roles/metabase/meta/main.yml +++ b/roles/metabase/meta/main.yml 
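Review bot: `metabase_db_engine` is never validated, although its value is compared against the literals `mysql` and `postgres` in meta/main.yml, archive_pre.yml, install.yml and both templates, and is passed straight through as `MB_DB_TYPE` in env.j2. Any other spelling silently skips both database-creation branches and both dump branches, and Metabase then starts with an unsupported `MB_DB_TYPE`. An early task such as `- assert: { that: "metabase_db_engine in ['mysql', 'postgres']", fail_msg: "metabase_db_engine must be mysql or postgres" }` would turn that into an explicit failure. Note also that `metabase_db_port` now renders as a string rather than the previous integer default, which is fine for the templates but deserves a one-line comment next to the ternary.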
@@ -2,4 +2,6 @@ dependencies: - role: mysql_server - when: metabase_db_server in ['localhost','127.0.0.1'] + when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'mysql' + - role: postgresql_server + when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'postgres' diff --git a/roles/metabase/tasks/archive_pre.yml b/roles/metabase/tasks/archive_pre.yml index 0b1a7c9..f77f09e 100644 --- a/roles/metabase/tasks/archive_pre.yml +++ b/roles/metabase/tasks/archive_pre.yml @@ -33,4 +33,20 @@ single_transaction: True environment: XZ_OPT: -T0 + when: metabase_db_engine == 'mysql' tags: metabase + +- name: Dump the database + shell: > + /usr/pgsql-14/bin/pg_dump + --clean + --create + --host={{ metabase_db_server }} + --port={{ metabase_db_port }} + --username={{ metabase_db_user }} {{ metabase_db_name }} | + zstd -10 -c > {{ metabase_root_dir }}/archives/{{ metabase_current_version }}/{{ metabase_db_name }}.sql.zst + environment: + - PGPASSWORD: "{{ metabase_db_pass }}" + when: metabase_db_engine == 'postgres' + tags: metabase + diff --git a/roles/metabase/tasks/install.yml b/roles/metabase/tasks/install.yml index 0fbc5b2..0564bf5 100644 --- a/roles/metabase/tasks/install.yml +++ b/roles/metabase/tasks/install.yml 
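Review bot: The new pg_dump task in archive_pre.yml pipes into `zstd` from a `shell:` task without `pipefail`, so a failing `pg_dump` (bad credentials, unreachable host) still exits 0 through `zstd` and leaves an empty or truncated `.sql.zst` archive while the task reports success; the pre-backup.j2 script guards the same pipeline with `set -eo pipefail`. Prefix the command with `set -o pipefail;` and add `args: executable: /bin/bash` so the option is available. The interpolated `metabase_db_server`, `metabase_db_user` and `metabase_db_name` are also unquoted here, whereas the mysql branch of pre-backup.j2 applies `| quote`; `--username={{ metabase_db_user | quote }} {{ metabase_db_name | quote }}` keeps the two paths consistent. The hard-coded `/usr/pgsql-14/bin/pg_dump` path ties the role to one PostgreSQL major version and would be better as a role variable.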
@@ -43,6 +43,32 @@ - db_user: "{{ metabase_db_user }}" - db_server: "{{ metabase_db_server }}" - db_pass: "{{ metabase_db_pass }}" + when: metabase_db_engine == 'mysql' + tags: metabase + +- when: metabase_db_engine == 'postgres' + block: + - name: Create postgres user + postgresql_user: + db: postgres + name: "{{ metabase_db_user }}" + password: "{{ metabase_db_pass }}" + login_host: "{{ metabase_db_server }}" + login_user: sqladmin + login_password: "{{ pg_admin_pass }}" + + - name: Create the PostgreSQL database + postgresql_db: + name: "{{ metabase_db_name }}" + encoding: UTF-8 + lc_collate: C + lc_ctype: C + template: template0 + owner: "{{ metabase_db_user }}" + login_host: "{{ metabase_db_server }}" + login_user: sqladmin + login_password: "{{ pg_admin_pass }}" + tags: metabase - name: Install pre and post backup hooks diff --git a/roles/metabase/templates/env.j2 b/roles/metabase/templates/env.j2 index 7c32e16..e0db31f 100644 --- a/roles/metabase/templates/env.j2 +++ b/roles/metabase/templates/env.j2 @@ -8,16 +8,19 @@ MB_EMAIL_SMTP_PASSWORD={{ metabase_smtp_pass }} {% endif %} MB_EMAIL_SMTP_SECURITY={{ metabase_smtp_starttls | ternary('starttls','none') }} MB_ANON_TRACKING_ENABLED=false -MB_DB_FILE={{ metabase_root_dir }}/data/metabase.db MB_DB_DBNAME={{ metabase_db_name }} MB_DB_HOST={{ metabase_db_server }} MB_DB_USER={{ metabase_db_user }} MB_DB_PASS={{ metabase_db_pass | quote }} MB_DB_PORT={{ metabase_db_port }} -MB_DB_TYPE=mysql +MB_DB_TYPE={{ metabase_db_engine }} MB_ENCRYPTION_SECRET_KEY={{ metabase_encryption_key | quote }} MB_JETTY_HOST=0.0.0.0 MB_JETTY_PORT={{ metabase_port }} MB_PLUGINS_DIR={{ metabase_root_dir }}/plugins MB_SITE_LOCALE={{ metabase_lang }} MB_SITE_URL={{ metabase_public_url }} +MB_CHECK_FOR_UPDATES=false +MB_ENABLE_EMBEDDING=true +MB_ENABLE_PUBLIC_SHARING=true +MB_ENABLE_QUERY_CACHING=false diff --git a/roles/metabase/templates/pre-backup.j2 b/roles/metabase/templates/pre-backup.j2 index e68d2da..b10a8e9 100644 
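Review bot: The postgres block in install.yml hard-codes `login_user: sqladmin` and reads `pg_admin_pass`, which the role only brings in through the `postgresql_server` dependency when `metabase_db_server` is local; for a remote server nothing visible in this patch defines it, so the block presumably fails with an undefined variable unless the playbook sets it. A short comment above the block, or an `assert` that `pg_admin_pass is defined` when the engine is postgres, would make that requirement explicit. The `postgresql_user` task also leaves password hashing to the module's `encrypted` default; pinning `encrypted: yes` documents the intent and avoids a cleartext password in `pg_authid` on module versions where the default differs.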
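Review bot: `MB_ENABLE_PUBLIC_SHARING=true` and `MB_ENABLE_EMBEDDING=true` are now enabled unconditionally for every deployment, which lets any Metabase user holding the sharing permission publish unauthenticated public links to questions and dashboards; that is a sensitive default to bake into a role. Expose both as role variables defaulting to the conservative value, e.g. `MB_ENABLE_PUBLIC_SHARING={{ metabase_public_sharing | default(False) | ternary('true','false') }}` with a matching `metabase_public_sharing: False` in defaults/main.yml (variable name constructed here). The removal of `MB_DB_FILE` is consistent with the mysql/postgres-only `MB_DB_TYPE`, but a one-line `{# … #}` comment noting that the H2 file backend is intentionally unsupported would save the next reader a search.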
--- a/roles/metabase/templates/pre-backup.j2 +++ b/roles/metabase/templates/pre-backup.j2 @@ -2,6 +2,7 @@ set -eo pipefail +{% if metabase_db_engine == 'mysql' %} /usr/bin/mysqldump \ {% if metabase_db_server not in ['localhost','127.0.0.1'] %} --user={{ metabase_db_user | quote }} \ @@ -11,5 +12,13 @@ set -eo pipefail {% endif %} --quick --single-transaction \ --add-drop-table {{ metabase_db_name | quote }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst +{% elif metabase_db_engine == 'postgres' %} +PGPASSWORD={{ metabase_db_pass | quote }} /usr/pgsql-14/bin/pg_dump \ + --clean \ + --create \ + --username={{ metabase_db_user }} \ + --host={{ metabase_db_server }} \ + {{ metabase_db_name }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst +{% endif %} cp {{ metabase_root_dir }}/etc/env {{ metabase_root_dir }}/backup/ diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml index e313c31..dbe54cb 100644 --- a/roles/openvpn/handlers/main.yml +++ b/roles/openvpn/handlers/main.yml @@ -2,5 +2,9 @@ - name: restart openvpn service: name=openvpn@{{ item.item.name }} state=restarted - with_items: "{{ ovpn_daemons_mod.results }}" + loop: "{{ ovpn_daemons_mod.results }}" when: item.changed + +- name: restart all openvpn + service: name=openvpn@{{ item.name }} state=restarted + loop: "{{ ovpn_daemons }}" diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 1b58390..e20a8b1 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -2,7 +2,7 @@ - name: Build config for OpenVPN tunnels set_fact: ovpn_daemons_conf={{ ovpn_daemons_conf | default([]) + [ovpn_daemon_defaults | combine(item)] }} - with_items: "{{ ovpn_daemons }}" + loop: "{{ ovpn_daemons }}" tags: ovpn - set_fact: ovpn_daemons={{ ovpn_daemons_conf | default([]) }} tags: ovpn 
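Review bot: The postgres branch of pre-backup.j2 omits `--port`, whereas the archive_pre.yml task passes `--port={{ metabase_db_port }}`; with a non-default `metabase_db_port` the nightly backup connects to the wrong port (or the local socket) while the archive path works. Add `--port={{ metabase_db_port }} \` next to the `--host` line. The branch also leaves `metabase_db_user`, `metabase_db_server` and `metabase_db_name` unquoted, unlike the mysql branch a few lines up which applies `| quote` to the same kind of values; keeping `| quote` on all three protects the script against values containing shell metacharacters. The enclosing script starts before this hunk.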
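Review bot: The new `restart all openvpn` handler loops over every entry of `ovpn_daemons` without checking `item.enabled`, while the "Deploy daemons configuration" and "Handle daemons status" tasks in tasks/main.yml only write configuration for enabled daemons and explicitly stop disabled ones. When the unit template changes, the handler therefore runs `state=restarted` on daemons that were just stopped, which either starts a deliberately disabled tunnel or fails because its `.conf` was never deployed. Add `when: item.enabled` to the handler, mirroring the deploy task.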
@@ -13,9 +13,20 @@ - openvpn tags: ovpn +- name: Deploy OpenVPN service template + template: src=openvpn@.service.j2 dest=/etc/systemd/system/openvpn@.service + register: ovpn_service_template + notify: restart all openvpn + tags: ovpn + +- name: Reload systemd + systemd: daemon_reload=True + when: ovpn_service_template.changed + tags: ovpn + - name: Deploy daemons configuration template: src=openvpn.conf.j2 dest=/etc/openvpn/{{ item.name }}.conf mode=640 - with_items: "{{ ovpn_daemons }}" + loop: "{{ ovpn_daemons }}" when: item.enabled register: ovpn_daemons_mod notify: restart openvpn @@ -25,7 +36,7 @@ command: openssl dhparam /etc/openvpn/{{ item.iname}}.dh 2048 args: creates: /etc/openvpn/{{ item.name }}.dh - with_items: "{{ ovpn_daemons }}" + loop: "{{ ovpn_daemons }}" when: - item.type == 'server' - item.enabled @@ -58,7 +69,7 @@ - name: Handle daemons status service: name=openvpn@{{ item.name }} state={{ (item.enabled) | ternary('started','stopped') }} enabled={{ (item.enabled) | ternary(True,False) }} - with_items: "{{ ovpn_daemons }}" + loop: "{{ ovpn_daemons }}" tags: ovpn - name: List managed daemons ID @@ -73,10 +84,10 @@ - name: Disable unmanaged services service: name=openvpn@{{ item }} state=stopped enabled=False - with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}" + loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}" tags: ovpn - name: Remove unmanaged conf file: path=/etc/openvpn/{{ item }}.conf state=absent - with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}" + loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}" tags: ovpn diff --git a/roles/openvpn/templates/openvpn@.service.j2 b/roles/openvpn/templates/openvpn@.service.j2 new file mode 100644 index 0000000..60d58fb --- /dev/null +++ b/roles/openvpn/templates/openvpn@.service.j2 
@@ -0,0 +1,24 @@ +[Unit] +Description=OpenVPN tunnel for %I +After=syslog.target network-online.target +Wants=network-online.target +Documentation=man:openvpn(8) +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + +[Service] +Type=notify +PrivateTmp=true +WorkingDirectory=/etc/openvpn/ +ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE +LimitNPROC=10 +DeviceAllow=/dev/null rw +DeviceAllow=/dev/net/tun rw +ProtectSystem=true +ProtectHome=true +KillMode=process + +[Install] +WantedBy=multi-user.target + diff --git a/roles/pgadmin4/tasks/conf.yml b/roles/pgadmin4/tasks/conf.yml index b60ba03..77ac175 100644 --- a/roles/pgadmin4/tasks/conf.yml +++ b/roles/pgadmin4/tasks/conf.yml @@ -13,12 +13,23 @@ - name: Initial setup of pgadmin4 expect: command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py" + timeout: 120 echo: true responses: 'Email address:\s?': "admin@{{ ansible_domain }}" '(Retype )?[Pp]assword:\s?': "pgadmin" become_user: pgadmin4_{{ pga_id }} - when: not pga_db.stat.exists + when: + - not pga_db.stat.exists + - pga_auth | length >= 1 + tags: pgadmin4 + +- name: Initial setup of pgAdmin4 + command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py" + become_user: pgadmin4_{{ pga_id }} + when: + - not pga_db.stat.exists + - pga_auth | length < 1 tags: pgadmin4 - name: Configure logrotate diff --git a/roles/pgadmin4/vars/RedHat-7.yml b/roles/pgadmin4/vars/RedHat-7.yml index 6b8c1ac..531afac 100644 --- a/roles/pgadmin4/vars/RedHat-7.yml +++ b/roles/pgadmin4/vars/RedHat-7.yml 
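Review bot: The unit template contains no Jinja expressions, so nothing distinguishes it from a static file; either deploy it with `copy` from `files/` or add a short `{# … #}` comment explaining which values are expected to become variables later. `After=syslog.target` names a target that current systemd releases no longer provide and can be dropped without changing ordering. The hardening lines match the usual upstream set; note that `ProtectSystem=true` only makes `/usr` and the boot directories read-only, so `/etc/openvpn` (the `WorkingDirectory`) stays writable to the daemon — `ProtectSystem=full` would close that, provided the configured tunnels do not write status files there, which is worth confirming before tightening.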
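Review bot: The two initial-setup tasks are now distinguished only by `pga_auth | length`, and both conditions raise an undefined-variable error if `pga_auth` is not set anywhere; `pga_auth | default([]) | length` (if a list is the intended type) keeps the fallback branch reachable. The unchanged `expect` responses still answer the password prompt with the literal `"pgadmin"`, so every instance created through that path starts with a known admin password; the commit does not address this, and a role variable plus `no_log: true` on the task would be the usual fix. The new `command` variant also duplicates the `python3.6/site-packages` path from the `expect` task; a shared variable for the setup command keeps the two from drifting.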
@@ -10,3 +10,4 @@ pgadmin4_packages: - python-setuptools # Needed for pip install expect - python-pip # Also needed to install expect - krb5-devel + - sqlite diff --git a/roles/pgadmin4/vars/RedHat-8.yml b/roles/pgadmin4/vars/RedHat-8.yml index 7ee913e..225478d 100644 --- a/roles/pgadmin4/vars/RedHat-8.yml +++ b/roles/pgadmin4/vars/RedHat-8.yml @@ -9,3 +9,4 @@ pgadmin4_packages: - python3-pip - python3-setuptools # Needed for pip install expect - krb5-devel + - sqlite