Ansible roles
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

211 lines
5.8 KiB

---
- name: Install packages
yum:
name:
- tis-waptserver
- tis-waptsetup
- postgresql11
- python-psycopg2 # Needed to manage PG with ansible
tags: wapt
- include_tasks: postgresql.yml
when: wapt_db_server == '127.0.0.1' or wapt_db_server == 'localhost'
tags: wapt
- name: Create directories
file: path={{ item.path }} state=directory mode={{ item.mode | default(omit) }} owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }}
loop:
- path: /opt/wapt/meta
mode: 700
- path: /var/www/html/ssl
mode: 750
owner: wapt
group: nginx
tags: wapt
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "/opt/wapt/meta/ansible_dbpass"
when: wapt_db_pass is not defined
tags: wapt
- set_fact: wapt_db_pass={{ rand_pass }}
when: wapt_db_pass is not defined
tags: wapt
- name: Create wapt DB user
postgresql_user:
db: postgres
name: "{{ wapt_db_user }}"
password: "{{ wapt_db_pass }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
tags: wapt
- name: Create the PostgreSQL database
postgresql_db:
name: wapt
encoding: UTF-8
template: template0
owner: "{{ wapt_db_user }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
tags: wapt
- name: Enable the hstore extension
postgresql_ext:
db: "{{ wapt_db_name }}"
login_host: "{{ wapt_db_server }}"
login_user: sqladmin
login_password: "{{ pg_admin_pass }}"
name: hstore
tags: wapt
- name: Configure SELinux
seboolean: name={{ item }} state=True persistent=True
with_items:
- httpd_can_network_connect
- httpd_setrlimit
when: ansible_selinux.status == 'enabled'
tags: wapt
- name: Set SELinux context on repo dir
sefcontext:
target: '/var/www/html/wapt(\-host)?(/.*)?'
setype: httpd_sys_content_t
when: ansible_selinux.status == 'enabled'
tags: wapt
- name: Reset SELinux contexts
command: restorecon -Rv /var/www/html
changed_when: False
tags: wapt
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "/opt/wapt/meta/ansible_secret_key"
tags: wapt
- set_fact: wapt_secret_key={{ rand_pass }}
tags: wapt
- name: Configure WAPT server
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option={{ item.option }} value={{ item.value }}
with_items:
- option: db_name
value: "{{ wapt_db_name }}"
- option: db_host
value: "{{ wapt_db_server }}"
- option: db_user
value: "{{ wapt_db_user }}"
- option: db_password
value: "{{ wapt_db_pass }}"
- option: waptwua_folder
value: /var/www/html/waptwua
- option: server_uuid
value: "{{ inventory_hostname | to_uuid }}"
- option: allow_unauthenticated_connect
value: 'False'
- option: allow_unauthenticated_registration
value: 'False'
- option: secret_key
value: "{{ wapt_secret_key }}"
- option: use_kerberos
value: 'False'
notify: restart wapt
tags: wapt
- name: Create unit snippet dir
file: path=/etc/systemd/system/waptserver.service.d state=directory
tags: wapt
- name: Tune wapt to restart indefinitely
copy:
content: |
[Service]
Restart=on-failure
StartLimitInterval=0
RestartSec=20
dest: /etc/systemd/system/waptserver.service.d/restart.conf
register: wapt_unit
tags: wapt
- name: Reload systemd
systemd: daemon_reload=True
when: wapt_unit.changed
tags: wapt
- name: Configure system proxy
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option=http_proxy value={{ system_proxy }}
when: system_proxy is defined and system_proxy != ''
notify: restart wapt
tags: wapt
- name: Check if admin password is set
command: grep -qP '^wapt_password' /opt/wapt/conf/waptserver.ini
ignore_errors: True
register: wapt_admin_pass_set
changed_when: False
tags: wapt
- name: Hash the WAPT admin password
command: python -c 'from passlib.hash import pbkdf2_sha256; print pbkdf2_sha256.hash("admin".encode("utf8"))'
register: wapt_admin_pass_hash
environment:
- PYTHONPATH: /opt/wapt/lib/python2.7/site-packages/
when: wapt_admin_pass_set.rc != 0
changed_when: False
tags: wapt
- set_fact: wapt_admin_pass_hash={{ wapt_admin_pass_hash.stdout }}
when: wapt_admin_pass_set.rc != 0
tags: wapt
- name: Set default admin password
ini_file: path=/opt/wapt/conf/waptserver.ini section=options option=wapt_password value={{ wapt_admin_pass_hash }}
when: wapt_admin_pass_set.rc != 0
notify: restart wapt
tags: wapt
- name: Set correct ownership for wapt configuration
file: path=/opt/wapt/conf/waptserver.ini owner=wapt mode=0600
tags: wapt
- name: Deploy nginx config
template: src={{ item.src }}.j2 dest={{ item.dest }}
with_items:
- src: nginx.conf
dest: /etc/nginx/nginx.conf
- src: wapt.conf
dest: /etc/nginx/conf.d/wapt.conf
notify: restart nginx
tags: wapt
- name: Start and enable nginx
service: name=nginx state=started enabled=True
tags: wapt
- name: Start and enable WAPT services
service: name={{ item }} state=started enabled=True
with_items:
- waptserver
#- wapttasks
tags: wapt
- name: Handle ports
iptables_raw:
name: wapt_ports
state: "{{ (wapt_src_ip is defined and wapt_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ wapt_ports | join(',') }} -s {{ wapt_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
tags: wapt
- name: Create DB dump directory
file: path=/opt/wapt/db_dumps state=directory mode=0700
tags: wapt
- name: Deploy pre and post backup scripts
template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/wapt.sh mode=0755
with_items:
- pre
- post
tags: wapt