Update to 2021-11-25 15:00

3 years ago · c8fe1a2671
parent 29959730f5
commit c8fe1a2671
12 changed files with 124 additions and 14 deletions
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@ -20,9 +20,11 @@ metabase_port: 3002
 # List of IP or CIDR allowed to reach metabase_port
 metabase_src_ip: []
-# MySQL database
+# application database
-metabase_db_server: "{{ mysql_server | default('localhost') }}"
+# Can be either mysql or postgres
-metabase_db_port: 3306
+metabase_db_engine: mysql
 metabase_db_server: "{{ (metabase_db_engine == 'mysql') | ternary(mysql_server, pg_server) | default('localhost') }}"
 metabase_db_port: "{{ (metabase_db_engine == 'mysql') | ternary('3306', '5432') }}"
 metabase_db_name: metabase
 metabase_db_user: metabase
 # A random pass will be generated and stored in the meta dir if not defined
--- a/roles/metabase/meta/main.yml
+++ b/roles/metabase/meta/main.yml
@ -2,4 +2,6 @@
 dependencies:
  - role: mysql_server
-    when: metabase_db_server in ['localhost','127.0.0.1']
+    when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'mysql'
  - role: postgresql_server
    when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'postgres'
--- a/roles/metabase/tasks/archive_pre.yml
+++ b/roles/metabase/tasks/archive_pre.yml
@ -33,4 +33,20 @@
    single_transaction: True
  environment:
    XZ_OPT: -T0
  when: metabase_db_engine == 'mysql'
  tags: metabase
 - name: Dump the database
  shell: >
    /usr/pgsql-14/bin/pg_dump
    --clean
    --create
    --host={{ metabase_db_server }}
    --port={{ metabase_db_port }}
    --username={{ metabase_db_user }} {{ metabase_db_name }} |
    zstd -10 -c > {{ metabase_root_dir }}/archives/{{ metabase_current_version }}/{{ metabase_db_name }}.sql.zst
  environment:
    - PGPASSWORD: "{{ metabase_db_pass }}"
  when: metabase_db_engine == 'postgres'
  tags: metabase
--- a/roles/metabase/tasks/install.yml
+++ b/roles/metabase/tasks/install.yml
@ -43,6 +43,32 @@
    - db_user: "{{ metabase_db_user }}"
    - db_server: "{{ metabase_db_server }}"
    - db_pass: "{{ metabase_db_pass }}"
  when: metabase_db_engine == 'mysql'
  tags: metabase
 - when: metabase_db_engine == 'postgres'
  block:
    - name: Create postgres user
      postgresql_user:
        db: postgres
        name: "{{ metabase_db_user }}"
        password: "{{ metabase_db_pass }}"
        login_host: "{{ metabase_db_server }}"
        login_user: sqladmin
        login_password: "{{ pg_admin_pass }}"
    - name: Create the PostgreSQL database
      postgresql_db:
        name: "{{ metabase_db_name }}"
        encoding: UTF-8
        lc_collate: C
        lc_ctype: C
        template: template0
        owner: "{{ metabase_db_user }}"
        login_host: "{{ metabase_db_server }}"
        login_user: sqladmin
        login_password: "{{ pg_admin_pass }}"
  tags: metabase
 - name: Install pre and post backup hooks
--- a/roles/metabase/templates/env.j2
+++ b/roles/metabase/templates/env.j2
@ -8,16 +8,19 @@ MB_EMAIL_SMTP_PASSWORD={{ metabase_smtp_pass }}
 {% endif %}
 MB_EMAIL_SMTP_SECURITY={{ metabase_smtp_starttls | ternary('starttls','none') }}
 MB_ANON_TRACKING_ENABLED=false
 MB_DB_FILE={{ metabase_root_dir }}/data/metabase.db
 MB_DB_DBNAME={{ metabase_db_name }}
 MB_DB_HOST={{ metabase_db_server }}
 MB_DB_USER={{ metabase_db_user }}
 MB_DB_PASS={{ metabase_db_pass | quote }}
 MB_DB_PORT={{ metabase_db_port }}
-MB_DB_TYPE=mysql
+MB_DB_TYPE={{ metabase_db_engine }}
 MB_ENCRYPTION_SECRET_KEY={{ metabase_encryption_key | quote }}
 MB_JETTY_HOST=0.0.0.0
 MB_JETTY_PORT={{ metabase_port }}
 MB_PLUGINS_DIR={{ metabase_root_dir }}/plugins
 MB_SITE_LOCALE={{ metabase_lang }}
 MB_SITE_URL={{ metabase_public_url }}
 MB_CHECK_FOR_UPDATES=false
 MB_ENABLE_EMBEDDING=true
 MB_ENABLE_PUBLIC_SHARING=true
 MB_ENABLE_QUERY_CACHING=false
--- a/roles/metabase/templates/pre-backup.j2
+++ b/roles/metabase/templates/pre-backup.j2
@ -2,6 +2,7 @@
 set -eo pipefail
 {% if metabase_db_engine == 'mysql' %}
 /usr/bin/mysqldump \
 {% if metabase_db_server not in ['localhost','127.0.0.1'] %}
  --user={{ metabase_db_user | quote }} \
@ -11,5 +12,13 @@ set -eo pipefail
 {% endif %}
  --quick --single-transaction \
  --add-drop-table {{ metabase_db_name | quote }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst
 {% elif metabase_db_engine == 'postgres' %}
 PGPASSWORD={{ metabase_db_pass | quote }} /usr/pgsql-14/bin/pg_dump \
  --clean \
  --create \
  --username={{ metabase_db_user }} \
  --host={{ metabase_db_server }} \
  {{ metabase_db_name }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst
 {% endif %}
 cp {{ metabase_root_dir }}/etc/env {{ metabase_root_dir }}/backup/
--- a/roles/openvpn/handlers/main.yml
+++ b/roles/openvpn/handlers/main.yml
@ -2,5 +2,9 @@
 - name: restart openvpn
  service: name=openvpn@{{ item.item.name }} state=restarted
-  with_items: "{{ ovpn_daemons_mod.results }}"
+  loop: "{{ ovpn_daemons_mod.results }}"
  when: item.changed
 - name: restart all openvpn
  service: name=openvpn@{{ item.name }} state=restarted
  loop: "{{ ovpn_daemons }}"
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@ -2,7 +2,7 @@
 - name: Build config for OpenVPN tunnels
  set_fact: ovpn_daemons_conf={{ ovpn_daemons_conf | default([]) + [ovpn_daemon_defaults | combine(item)] }}
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  tags: ovpn
 - set_fact: ovpn_daemons={{ ovpn_daemons_conf | default([]) }}
  tags: ovpn
@ -13,9 +13,20 @@
      - openvpn
  tags: ovpn
 - name: Deploy OpenVPN service template
  template: src=openvpn@.service.j2 dest=/etc/systemd/system/openvpn@.service
  register: ovpn_service_template
  notify: restart all openvpn
  tags: ovpn
 - name: Reload systemd
  systemd: daemon_reload=True
  when: ovpn_service_template.changed
  tags: ovpn
 - name: Deploy daemons configuration
  template: src=openvpn.conf.j2 dest=/etc/openvpn/{{ item.name }}.conf mode=640
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  when: item.enabled
  register: ovpn_daemons_mod
  notify: restart openvpn
@ -25,7 +36,7 @@
  command: openssl dhparam /etc/openvpn/{{ item.iname}}.dh 2048
  args:
    creates: /etc/openvpn/{{ item.name }}.dh
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  when:
    - item.type == 'server'
    - item.enabled
@ -58,7 +69,7 @@
 - name: Handle daemons status
  service: name=openvpn@{{ item.name }} state={{ (item.enabled) | ternary('started','stopped') }} enabled={{ (item.enabled) | ternary(True,False) }}
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  tags: ovpn
 - name: List managed daemons ID
@ -73,10 +84,10 @@
 - name: Disable unmanaged services
  service: name=openvpn@{{ item }} state=stopped enabled=False
-  with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
  tags: ovpn
 - name: Remove unmanaged conf
  file: path=/etc/openvpn/{{ item }}.conf state=absent
-  with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
  tags: ovpn
--- a/roles/openvpn/templates/openvpn@.service.j2
+++ b/roles/openvpn/templates/openvpn@.service.j2
@ -0,0 +1,24 @@
 [Unit]
 Description=OpenVPN tunnel for %I
 After=syslog.target network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 ProtectSystem=true
 ProtectHome=true
 KillMode=process
 [Install]
 WantedBy=multi-user.target
--- a/roles/pgadmin4/tasks/conf.yml
+++ b/roles/pgadmin4/tasks/conf.yml
@ -13,12 +13,23 @@
 - name: Initial setup of pgadmin4
  expect:
    command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py"
    timeout: 120
    echo: true
    responses:
      'Email address:\s?': "admin@{{ ansible_domain }}"
      '(Retype )?[Pp]assword:\s?': "pgadmin"
  become_user: pgadmin4_{{ pga_id }}
-  when: not pga_db.stat.exists
+  when:
    - not pga_db.stat.exists
    - pga_auth | length >= 1
  tags: pgadmin4
 - name: Initial setup of pgAdmin4
  command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py"
  become_user: pgadmin4_{{ pga_id }}
  when:
    - not pga_db.stat.exists
    - pga_auth | length < 1
  tags: pgadmin4
 - name: Configure logrotate
--- a/roles/pgadmin4/vars/RedHat-7.yml
+++ b/roles/pgadmin4/vars/RedHat-7.yml
@ -10,3 +10,4 @@ pgadmin4_packages:
  - python-setuptools # Needed for pip install expect
  - python-pip        # Also needed to install expect
  - krb5-devel
  - sqlite
--- a/roles/pgadmin4/vars/RedHat-8.yml
+++ b/roles/pgadmin4/vars/RedHat-8.yml
@ -9,3 +9,4 @@ pgadmin4_packages:
  - python3-pip
  - python3-setuptools # Needed for pip install expect
  - krb5-devel
  - sqlite