Update to 2020-12-21 14:00

4 years ago · df24dbb071
parent 4a07e810b1
commit df24dbb071
9 changed files with 79 additions and 6 deletions
--- a/roles/itop/defaults/main.yml
+++ b/roles/itop/defaults/main.yml
@ -28,3 +28,6 @@ itop_db_user: itop_{{ itop_id }}
 #   - 192.168.7.0/24
 #   - 10.2.0.0/24

+# Cron task needs a user and a pass, so it won't be enabled until you set it
+# itop_cron_user: cron
+# itop_cron_pass: secret
--- a/roles/itop/tasks/conf.yml
+++ b/roles/itop/tasks/conf.yml
@ -7,3 +7,6 @@
    - php_fpm_pool: "{{ itop_php_fpm_pool | default('') }}"
  tags: itop

+- name: Deploy cron param file
+  template: src=cron.param.j2 dest={{ itop_root_dir }}/etc/cron.params group={{ itop_php_user }} mode=640
+  tags: itop
--- a/roles/itop/tasks/directories.yml
+++ b/roles/itop/tasks/directories.yml
@ -16,6 +16,9 @@
      mode: 700
    - dir: "{{ itop_root_dir }}/backup"
      mode: 700
+    - dir: "{{ itop_root_dir }}/etc"
+      group: "{{ itop_php_user }}"
+      mode: 750
    - dir: "{{ itop_root_dir }}/web/data"
    - dir: "{{ itop_root_dir }}/web/conf"
    - dir: "{{ itop_root_dir }}/web/env-production"
--- a/roles/itop/tasks/install.yml
+++ b/roles/itop/tasks/install.yml
@ -47,6 +47,7 @@
        - synchro
        - sources
        - documentation
+        - extensions
    
    - name: Install new version of iTop
      synchronize:
@ -55,6 +56,13 @@
        recursive: True
      delegate_to: "{{ inventory_hostname }}"

+    - name: Install extensions
+      get_url:
+        url: "{{ itop_extensions[item].url }}"
+        checksum: sha1:{{ itop_extensions[item].sha1 }}
+        dest: "{{ itop_root_dir }}/tmp"
+      loop: "{{ itop_extensions.keys() | list }}"
+
  tags: itop

 - name: Ensure env-production directories exist
@ -78,3 +86,23 @@
    - pre
    - post
  tags: itop
+
+- name: Install systemd units
+  template: src=itop.{{ item }}.j2 dest=/etc/systemd/system/itop_{{ itop_id }}.{{ item }}
+  loop:
+    - service
+    - timer
+  register: itop_units
+  tags: itop
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: itop_units.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: itop
+
+- name: Enable iTop timer
+  systemd:
+    name: itop_{{ itop_id }}.timer
+    state: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary('started','stopped') }}"
+    enabled: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary(True,False) }}"
+  tags: itop
--- a/roles/itop/templates/cron.param.j2
+++ b/roles/itop/templates/cron.param.j2
@ -0,0 +1,7 @@
+{% if itop_cron_user is defined and itop_cron_pass is defined %}
+auth_user = {{ itop_cron_user }}
+auth_pwd = {{ itop_cron_pass }}
+{% endif %}
+
+size_min = 20 # in MB
+time_limit = 40 # in minutes
--- a/roles/itop/templates/httpd.conf.j2
+++ b/roles/itop/templates/httpd.conf.j2
@ -6,9 +6,7 @@ Alias /{{ itop_alias }} {{ itop_root_dir }}/web/

 RewriteEngine On
 # Upgrading DB schema can be very long, so makes sure httpd will wait for a response long enough
-<Proxy unix:/run/php-fpm/{{ itop_php_fpm_pool  | default('itop_' + itop_id | string) }}.sock|fcgi://localhost>
-  ProxySet timeout=1800
-</Proxy>
+ProxyTimeout 1800
 <Directory {{ itop_root_dir }}/web/>
  AllowOverride All
  Options FollowSymLinks
--- a/roles/itop/templates/itop.service.j2
+++ b/roles/itop/templates/itop.service.j2
@ -0,0 +1,14 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Service]
+Type=oneshot
+ExecStart=/bin/php{{ itop_php_version }} \
+            -d session.save_path={{ itop_root_dir }}/sessions \
+            {{ itop_root_dir }}/web/webservices/cron.php \
+            --param_file={{ itop_root_dir }}/etc/cron.params \
+            --verbose=1
+User={{ itop_php_user }}
+Group={{ itop_php_user }}
+
+
--- a/roles/itop/templates/itop.timer.j2
+++ b/roles/itop/templates/itop.timer.j2
@ -0,0 +1,8 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target
--- a/roles/itop/templates/perms.sh.j2
+++ b/roles/itop/templates/perms.sh.j2
@ -1,9 +1,18 @@
 #!/bin/sh

 restorecon -R {{ itop_root_dir }}
+chown -R root:root {{ itop_root_dir }}/web/
+find {{ itop_root_dir }}/web/ -type d -exec chmod 755 "{}" \;
+find {{ itop_root_dir }}/web/ -type f -exec chmod 644 "{}" \;
 {% for dir in ['data', 'conf', 'log', 'env-production', 'env-production-build', 'extensions'] %}
+chmod 700 {{ itop_root_dir }}/web/{{ dir }}
 setfacl -k -b -R {{ itop_root_dir }}/web/{{ dir }}
-chown -R {{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }}
-setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ itop_root_dir }}/web/{{ dir }}
+chown -R {{ itop_php_user }}:{{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }}
+{% if dir == 'conf' %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chown root:{{ itop_php_user }} "{}" \; -exec chmod 640 "{}" \;
+{% else %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chmod 640 "{}" \;
+{% endif %}
 {% endfor %}
-