Update to 2021-11-25 15:00

3 years ago · c8fe1a2671
parent 29959730f5
commit c8fe1a2671
12 changed files with 124 additions and 14 deletions
--- a/roles/metabase/defaults/main.yml
+++ b/roles/metabase/defaults/main.yml
@ -20,9 +20,11 @@ metabase_port: 3002
 # List of IP or CIDR allowed to reach metabase_port
 metabase_src_ip: []

-# MySQL database
-metabase_db_server: "{{ mysql_server | default('localhost') }}"
-metabase_db_port: 3306
+# application database
+# Can be either mysql or postgres
+metabase_db_engine: mysql
+metabase_db_server: "{{ (metabase_db_engine == 'mysql') | ternary(mysql_server, pg_server) | default('localhost') }}"
+metabase_db_port: "{{ (metabase_db_engine == 'mysql') | ternary('3306', '5432') }}"
 metabase_db_name: metabase
 metabase_db_user: metabase
 # A random pass will be generated and stored in the meta dir if not defined
--- a/roles/metabase/meta/main.yml
+++ b/roles/metabase/meta/main.yml
@ -2,4 +2,6 @@

 dependencies:
  - role: mysql_server
-    when: metabase_db_server in ['localhost','127.0.0.1']
+    when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'mysql'
+  - role: postgresql_server
+    when: metabase_db_server in ['localhost','127.0.0.1'] and metabase_db_engine == 'postgres'
--- a/roles/metabase/tasks/archive_pre.yml
+++ b/roles/metabase/tasks/archive_pre.yml
@ -33,4 +33,20 @@
    single_transaction: True
  environment:
    XZ_OPT: -T0
+  when: metabase_db_engine == 'mysql'
  tags: metabase
+
+- name: Dump the database
+  shell: >
+    /usr/pgsql-14/bin/pg_dump
+    --clean
+    --create
+    --host={{ metabase_db_server }}
+    --port={{ metabase_db_port }}
+    --username={{ metabase_db_user }} {{ metabase_db_name }} |
+    zstd -10 -c > {{ metabase_root_dir }}/archives/{{ metabase_current_version }}/{{ metabase_db_name }}.sql.zst
+  environment:
+    - PGPASSWORD: "{{ metabase_db_pass }}"
+  when: metabase_db_engine == 'postgres'
+  tags: metabase
+
--- a/roles/metabase/tasks/install.yml
+++ b/roles/metabase/tasks/install.yml
@ -43,6 +43,32 @@
    - db_user: "{{ metabase_db_user }}"
    - db_server: "{{ metabase_db_server }}"
    - db_pass: "{{ metabase_db_pass }}"
+  when: metabase_db_engine == 'mysql'
+  tags: metabase
+
+- when: metabase_db_engine == 'postgres'
+  block:
+    - name: Create postgres user
+      postgresql_user:
+        db: postgres
+        name: "{{ metabase_db_user }}"
+        password: "{{ metabase_db_pass }}"
+        login_host: "{{ metabase_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+
+    - name: Create the PostgreSQL database
+      postgresql_db:
+        name: "{{ metabase_db_name }}"
+        encoding: UTF-8
+        lc_collate: C
+        lc_ctype: C
+        template: template0
+        owner: "{{ metabase_db_user }}"
+        login_host: "{{ metabase_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ pg_admin_pass }}"
+
  tags: metabase

 - name: Install pre and post backup hooks
--- a/roles/metabase/templates/env.j2
+++ b/roles/metabase/templates/env.j2
@ -8,16 +8,19 @@ MB_EMAIL_SMTP_PASSWORD={{ metabase_smtp_pass }}
 {% endif %}
 MB_EMAIL_SMTP_SECURITY={{ metabase_smtp_starttls | ternary('starttls','none') }}
 MB_ANON_TRACKING_ENABLED=false
-MB_DB_FILE={{ metabase_root_dir }}/data/metabase.db
 MB_DB_DBNAME={{ metabase_db_name }}
 MB_DB_HOST={{ metabase_db_server }}
 MB_DB_USER={{ metabase_db_user }}
 MB_DB_PASS={{ metabase_db_pass | quote }}
 MB_DB_PORT={{ metabase_db_port }}
-MB_DB_TYPE=mysql
+MB_DB_TYPE={{ metabase_db_engine }}
 MB_ENCRYPTION_SECRET_KEY={{ metabase_encryption_key | quote }}
 MB_JETTY_HOST=0.0.0.0
 MB_JETTY_PORT={{ metabase_port }}
 MB_PLUGINS_DIR={{ metabase_root_dir }}/plugins
 MB_SITE_LOCALE={{ metabase_lang }}
 MB_SITE_URL={{ metabase_public_url }}
+MB_CHECK_FOR_UPDATES=false
+MB_ENABLE_EMBEDDING=true
+MB_ENABLE_PUBLIC_SHARING=true
+MB_ENABLE_QUERY_CACHING=false
--- a/roles/metabase/templates/pre-backup.j2
+++ b/roles/metabase/templates/pre-backup.j2
@ -2,6 +2,7 @@

 set -eo pipefail

+{% if metabase_db_engine == 'mysql' %}
 /usr/bin/mysqldump \
 {% if metabase_db_server not in ['localhost','127.0.0.1'] %}
  --user={{ metabase_db_user | quote }} \
@ -11,5 +12,13 @@ set -eo pipefail
 {% endif %}
  --quick --single-transaction \
  --add-drop-table {{ metabase_db_name | quote }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst
+{% elif metabase_db_engine == 'postgres' %}
+PGPASSWORD={{ metabase_db_pass | quote }} /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ metabase_db_user }} \
+  --host={{ metabase_db_server }} \
+  {{ metabase_db_name }} | zstd -c > {{ metabase_root_dir }}/backup/{{ metabase_db_name }}.sql.zst
+{% endif %}
 cp {{ metabase_root_dir }}/etc/env {{ metabase_root_dir }}/backup/

--- a/roles/openvpn/handlers/main.yml
+++ b/roles/openvpn/handlers/main.yml
@ -2,5 +2,9 @@

 - name: restart openvpn
  service: name=openvpn@{{ item.item.name }} state=restarted
-  with_items: "{{ ovpn_daemons_mod.results }}"
+  loop: "{{ ovpn_daemons_mod.results }}"
  when: item.changed
+
+- name: restart all openvpn
+  service: name=openvpn@{{ item.name }} state=restarted
+  loop: "{{ ovpn_daemons }}"
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@ -2,7 +2,7 @@

 - name: Build config for OpenVPN tunnels
  set_fact: ovpn_daemons_conf={{ ovpn_daemons_conf | default([]) + [ovpn_daemon_defaults | combine(item)] }}
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  tags: ovpn
 - set_fact: ovpn_daemons={{ ovpn_daemons_conf | default([]) }}
  tags: ovpn
@ -13,9 +13,20 @@
      - openvpn
  tags: ovpn

+- name: Deploy OpenVPN service template
+  template: src=openvpn@.service.j2 dest=/etc/systemd/system/openvpn@.service
+  register: ovpn_service_template
+  notify: restart all openvpn
+  tags: ovpn
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: ovpn_service_template.changed
+  tags: ovpn
+
 - name: Deploy daemons configuration
  template: src=openvpn.conf.j2 dest=/etc/openvpn/{{ item.name }}.conf mode=640
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  when: item.enabled
  register: ovpn_daemons_mod
  notify: restart openvpn
@ -25,7 +36,7 @@
  command: openssl dhparam /etc/openvpn/{{ item.iname}}.dh 2048
  args:
    creates: /etc/openvpn/{{ item.name }}.dh
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  when:
    - item.type == 'server'
    - item.enabled
@ -58,7 +69,7 @@

 - name: Handle daemons status
  service: name=openvpn@{{ item.name }} state={{ (item.enabled) | ternary('started','stopped') }} enabled={{ (item.enabled) | ternary(True,False) }}
-  with_items: "{{ ovpn_daemons }}"
+  loop: "{{ ovpn_daemons }}"
  tags: ovpn

 - name: List managed daemons ID
@ -73,10 +84,10 @@

 - name: Disable unmanaged services
  service: name=openvpn@{{ item }} state=stopped enabled=False
-  with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
  tags: ovpn

 - name: Remove unmanaged conf
  file: path=/etc/openvpn/{{ item }}.conf state=absent
-  with_items: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
  tags: ovpn
--- a/roles/openvpn/templates/openvpn@.service.j2
+++ b/roles/openvpn/templates/openvpn@.service.j2
@ -0,0 +1,24 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/pgadmin4/tasks/conf.yml
+++ b/roles/pgadmin4/tasks/conf.yml
@ -13,12 +13,23 @@
 - name: Initial setup of pgadmin4
  expect:
    command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py"
+    timeout: 120
    echo: true
    responses:
      'Email address:\s?': "admin@{{ ansible_domain }}"
      '(Retype )?[Pp]assword:\s?': "pgadmin"
  become_user: pgadmin4_{{ pga_id }}
-  when: not pga_db.stat.exists
+  when:
+    - not pga_db.stat.exists
+    - pga_auth | length >= 1
+  tags: pgadmin4
+
+- name: Initial setup of pgAdmin4
+  command: "{{ pga_root_dir }}/venv/bin/python {{ pga_root_dir }}/venv/lib/python3.6/site-packages/pgadmin4/setup.py"
+  become_user: pgadmin4_{{ pga_id }}
+  when:
+    - not pga_db.stat.exists
+    - pga_auth | length < 1
  tags: pgadmin4

 - name: Configure logrotate
--- a/roles/pgadmin4/vars/RedHat-7.yml
+++ b/roles/pgadmin4/vars/RedHat-7.yml
@ -10,3 +10,4 @@ pgadmin4_packages:
  - python-setuptools # Needed for pip install expect
  - python-pip        # Also needed to install expect
  - krb5-devel
+  - sqlite
--- a/roles/pgadmin4/vars/RedHat-8.yml
+++ b/roles/pgadmin4/vars/RedHat-8.yml
@ -9,3 +9,4 @@ pgadmin4_packages:
  - python3-pip
  - python3-setuptools # Needed for pip install expect
  - krb5-devel
+  - sqlite