From df24dbb071faa28fb446a6ff4d8504ad724b4116 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Mon, 21 Dec 2020 14:00:05 +0100 Subject: [PATCH] Update to 2020-12-21 14:00 --- roles/itop/defaults/main.yml | 3 +++ roles/itop/tasks/conf.yml | 3 +++ roles/itop/tasks/directories.yml | 3 +++ roles/itop/tasks/install.yml | 28 ++++++++++++++++++++++++++++ roles/itop/templates/cron.param.j2 | 7 +++++++ roles/itop/templates/httpd.conf.j2 | 4 +--- roles/itop/templates/itop.service.j2 | 14 ++++++++++++++ roles/itop/templates/itop.timer.j2 | 8 ++++++++ roles/itop/templates/perms.sh.j2 | 15 ++++++++++++--- 9 files changed, 79 insertions(+), 6 deletions(-) create mode 100644 roles/itop/templates/cron.param.j2 create mode 100644 roles/itop/templates/itop.service.j2 create mode 100644 roles/itop/templates/itop.timer.j2 diff --git a/roles/itop/defaults/main.yml b/roles/itop/defaults/main.yml index 9b7dbcb..750897b 100644 --- a/roles/itop/defaults/main.yml +++ b/roles/itop/defaults/main.yml @@ -28,3 +28,6 @@ itop_db_user: itop_{{ itop_id }} # - 192.168.7.0/24 # - 10.2.0.0/24 +# Cron task needs a user and a pass, so it won't be enabled until you set it +# itop_cron_user: cron +# itop_cron_pass: secret diff --git a/roles/itop/tasks/conf.yml b/roles/itop/tasks/conf.yml index e9cdbb7..871afeb 100644 --- a/roles/itop/tasks/conf.yml +++ b/roles/itop/tasks/conf.yml @@ -7,3 +7,6 @@ - php_fpm_pool: "{{ itop_php_fpm_pool | default('') }}" tags: itop +- name: Deploy cron param file + template: src=cron.param.j2 dest={{ itop_root_dir }}/etc/cron.params group={{ itop_php_user }} mode=640 + tags: itop diff --git a/roles/itop/tasks/directories.yml b/roles/itop/tasks/directories.yml index 7d6e5ee..c4957c7 100644 --- a/roles/itop/tasks/directories.yml +++ b/roles/itop/tasks/directories.yml 
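Review bot: The new `Deploy cron param file` task renders `auth_pwd` into `etc/cron.params`, and a run with `--diff` will print the rendered file, password included, to the console and to any captured job log; the task should carry `diff: false` (or `no_log: true`). It also sets only `group` and `mode`, so the file owner is whichever user the play runs as, presumably root, which is worth stating explicitly. The fence below shows the task in block form with those additions and a quoted `mode`.

```yaml
- name: Deploy cron param file
  template:
    src: cron.param.j2
    dest: "{{ itop_root_dir }}/etc/cron.params"
    owner: root
    group: "{{ itop_php_user }}"
    mode: "0640"
  # the rendered file holds auth_pwd; keep it out of --diff output
  diff: false
  tags: itop
```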
@@ -16,6 +16,9 @@ mode: 700 - dir: "{{ itop_root_dir }}/backup" mode: 700 + - dir: "{{ itop_root_dir }}/etc" + group: "{{ itop_php_user }}" + mode: 750 - dir: "{{ itop_root_dir }}/web/data" - dir: "{{ itop_root_dir }}/web/conf" - dir: "{{ itop_root_dir }}/web/env-production" diff --git a/roles/itop/tasks/install.yml b/roles/itop/tasks/install.yml index 5d3485d..34fb792 100644 --- a/roles/itop/tasks/install.yml +++ b/roles/itop/tasks/install.yml @@ -47,6 +47,7 @@ - synchro - sources - documentation + - extensions - name: Install new version of iTop synchronize: @@ -55,6 +56,13 @@ recursive: True delegate_to: "{{ inventory_hostname }}" + - name: Install extensions + get_url: + url: "{{ itop_extensions[item].url }}" + checksum: sha1:{{ itop_extensions[item].sha1 }} + dest: "{{ itop_root_dir }}/tmp" + loop: "{{ itop_extensions.keys() | list }}" + tags: itop - name: Ensure env-production directories exist @@ -78,3 +86,23 @@ - pre - post tags: itop + +- name: Install systemd units + template: src=itop.{{ item }}.j2 dest=/etc/systemd/system/itop_{{ itop_id }}.{{ item }} + loop: + - service + - timer + register: itop_units + tags: itop + +- name: Reload systemd + systemd: daemon_reload=True + when: itop_units.results | selectattr('changed','equalto',True) | list | length > 0 + tags: itop + +- name: Enable iTop timer + systemd: + name: itop_{{ itop_id }}.timer + state: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary('started','stopped') }}" + enabled: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary(True,False) }}" + tags: itop diff --git a/roles/itop/templates/cron.param.j2 b/roles/itop/templates/cron.param.j2 new file mode 100644 index 0000000..b97d96c --- /dev/null +++ b/roles/itop/templates/cron.param.j2 @@ -0,0 +1,7 @@ +{% if itop_cron_user is defined and itop_cron_pass is defined %} +auth_user = {{ itop_cron_user }} +auth_pwd = {{ itop_cron_pass }} +{% endif %} + +size_min = 20 # in MB +time_limit = 40 # in minutes 
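Review bot: The `Install extensions` task pins each download with `checksum: sha1:…`, and SHA-1 no longer offers collision resistance, so this pin is weaker evidence of integrity than a SHA-256 one, which `get_url` accepts in the same field: `checksum: "sha256:{{ itop_extensions[item].sha256 }}"`. The loop also dereferences `itop_extensions` with no fallback, and this patch's `defaults/main.yml` hunk adds no default for it; if it is not defined elsewhere in the role, `loop: "{{ (itop_extensions | default({})).keys() | list }}"` keeps the task from failing. The task sits inside a block whose start is outside the hunk.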
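Review bot: The `Reload systemd` condition and the two `ternary` calls in `Enable iTop timer` are longer than they need to be. A registered loop result already aggregates `changed`, so `when: itop_units is changed` says the same thing, and `enabled:` can take the boolean expression directly: `enabled: "{{ itop_cron_user is defined and itop_cron_pass is defined }}"`. The unit template task also leaves owner and mode to the defaults; `owner=root group=root mode=644` would make the intended permissions under `/etc/systemd/system` explicit.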
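Review bot: `auth_user` and `auth_pwd` are written raw into a format that, judging by the `# in MB` and `# in minutes` lines below them, treats `#` as the start of a comment. A password containing `#` (and possibly leading or trailing whitespace) would presumably be truncated when cron.php reads the file, and the timer would then fail authentication on every run. If the parser offers no quoting, document the restriction next to the defaults, e.g. `# itop_cron_pass must not contain '#' or newlines`, or reject such values with an `assert` task before templating.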
diff --git a/roles/itop/templates/httpd.conf.j2 b/roles/itop/templates/httpd.conf.j2 index d46b27a..ba72bfe 100644 --- a/roles/itop/templates/httpd.conf.j2 +++ b/roles/itop/templates/httpd.conf.j2 @@ -6,9 +6,7 @@ Alias /{{ itop_alias }} {{ itop_root_dir }}/web/ RewriteEngine On # Upgrading DB schema can be very long, so makes sure httpd will wait for a response long enough - - ProxySet timeout=1800 - +ProxyTimeout 1800 AllowOverride All Options FollowSymLinks diff --git a/roles/itop/templates/itop.service.j2 b/roles/itop/templates/itop.service.j2 new file mode 100644 index 0000000..f8c8ed1 --- /dev/null +++ b/roles/itop/templates/itop.service.j2 @@ -0,0 +1,14 @@ +[Unit] +Description=iTop {{ itop_id }} background tasks + +[Service] +Type=oneshot +ExecStart=/bin/php{{ itop_php_version }} \ + -d session.save_path={{ itop_root_dir }}/sessions \ + {{ itop_root_dir }}/web/webservices/cron.php \ + --param_file={{ itop_root_dir }}/etc/cron.params \ + --verbose=1 +User={{ itop_php_user }} +Group={{ itop_php_user }} + + diff --git a/roles/itop/templates/itop.timer.j2 b/roles/itop/templates/itop.timer.j2 new file mode 100644 index 0000000..9f92025 --- /dev/null +++ b/roles/itop/templates/itop.timer.j2 @@ -0,0 +1,8 @@ +[Unit] +Description=iTop {{ itop_id }} background tasks + +[Timer] +OnCalendar=*:0/5 + +[Install] +WantedBy=timers.target diff --git a/roles/itop/templates/perms.sh.j2 b/roles/itop/templates/perms.sh.j2 index 2762b69..9573733 100644 --- a/roles/itop/templates/perms.sh.j2 +++ b/roles/itop/templates/perms.sh.j2 
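Review bot: `ProxyTimeout 1800` replaces a `ProxySet timeout=1800` that appears to have been scoped by an enclosing container; the two removed lines around it look like stripped opening and closing tags, which this page does not show. `ProxyTimeout` is valid only at server or virtual-host level, so the 30-minute timeout now applies to every proxied backend in that scope rather than to the iTop worker alone, and any stalled backend can hold an httpd worker for that long. If the narrower scope can be kept, prefer it; otherwise a comment such as `# applies to all proxied backends in this scope, not only iTop` should record the wider effect.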
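Review bot: The new unit runs `cron.php` as `{{ itop_php_user }}` with no sandboxing directives in `[Service]`. Because it executes application and extension PHP code on a timer, adding `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` would limit what a buggy or compromised extension can reach, once it is confirmed that cron.php only needs to write under `{{ itop_root_dir }}`. The file also ends with two blank lines that can be dropped.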
@@ -1,9 +1,18 @@ #!/bin/sh restorecon -R {{ itop_root_dir }} +chown -R root:root {{ itop_root_dir }}/web/ +find {{ itop_root_dir }}/web/ -type d -exec chmod 755 "{}" \; +find {{ itop_root_dir }}/web/ -type f -exec chmod 644 "{}" \; {% for dir in ['data', 'conf', 'log', 'env-production', 'env-production-build', 'extensions'] %} +chmod 700 {{ itop_root_dir }}/web/{{ dir }} setfacl -k -b -R {{ itop_root_dir }}/web/{{ dir }} -chown -R {{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }} -setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ itop_root_dir }}/web/{{ dir }} +chown -R {{ itop_php_user }}:{{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }} +{% if dir == 'conf' %} +find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \; +find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chown root:{{ itop_php_user }} "{}" \; -exec chmod 640 "{}" \; +{% else %} +find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \; +find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chmod 640 "{}" \; +{% endif %} {% endfor %} -
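Review bot: In the `conf` branch the files become `root:{{ itop_php_user }}` with mode 640, but the directory itself stays owned by `{{ itop_php_user }}` and writable by it, through the preceding `chown -R` and the `chmod 750`. The PHP user can therefore still delete or rename a config file and create a replacement, so the read-only protection holds only against in-place edits. If iTop does not need to create files there outside of setup, a `chown root:{{ itop_php_user }} {{ itop_root_dir }}/web/conf` after the loop would close that gap. Separately, the `chmod 700` at the top of the loop is overwritten by the later `find … -type d -exec chmod 750`, which also matches the starting directory.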