overmind
/
matrix-docker-ansible-deploy
огледало од https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Креирај огранак 0
Код Дискусије 0 Издања 0 Вики Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2447 Комити
13 Гране
36 MiB
 
 
Дрво: 33ec5710d9
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '33ec5710d9'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-awx/tasks/customise_website_access_ex...

231 lines
7.4 KiB
Датотека Blame Историја 

  1. 

  2. 

  3. - name: Enable index.html creation if user doesn't wish to customise base domain

  4.   delegate_to: 127.0.0.1

  5.   lineinfile:

  6.     path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'

  7.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  8.     line: "{{ item.key }}: {{ item.value }}"

  9.     insertafter: '# Base Domain Settings'

  10.   with_dict:

  11.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'

  12.   when: customise_base_domain_website|bool == false

  13. 

  14. - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain

  15.   delegate_to: 127.0.0.1

  16.   lineinfile:

  17.     path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'

  18.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  19.     line: "{{ item.key }}: {{ item.value }}"

  20.     insertafter: '# Base Domain Settings'

  21.   with_dict:

  22.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'

  23.   when: customise_base_domain_website|bool == true

  24.     

  25. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  26.   delegate_to: 127.0.0.1

  27.   lineinfile:

  28.     path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'

  29.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  30.     line: "{{ item.key }}: {{ item.value }}"

  31.     insertafter: '# Custom Settings'

  32.   with_dict:

  33.     'customise_base_domain_website': '{{ customise_base_domain_website }}'

  34.     'sftp_auth_method': '"{{ sftp_auth_method }}"'

  35.     'sftp_password': '"{{ sftp_password }}"'

  36.     'sftp_public_key': '"{{ sftp_public_key }}"'

  37.     

  38. - name: Copy new 'matrix_vars.yml' to target machine

  39.   copy:

  40.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'

  41.     dest: '/matrix/awx/matrix_vars.yml'

  42.     mode: '0660'

  43. 

  44. - name: Reload vars in matrix_vars.yml

  45.   include_vars:

  46.     file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'

  47.   no_log: True

  48. 

  49. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  50.   delegate_to: 127.0.0.1

  51.   template:

  52.     src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'

  53.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  54. 

  55. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  56.   copy:

  57.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  58.     dest:  '/matrix/awx/configure_website_access_export.json'

  59.     mode: '0660'

  60. 

  61. - name: Collect AWX admin token the hard way!

  62.   delegate_to: 127.0.0.1

  63.   shell: |

  64.       curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'

  65.   register: tower_token

  66.   no_log: True

  67. 

  68. - name: Recreate 'Customise Base Domain Export' job template

  69.   delegate_to: 127.0.0.1

  70.   awx.awx.tower_job_template:

  71.     name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"

  72.     description: "Configure base domain website settings and access the servers export."

  73.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  74.     job_type: run

  75.     job_tags: "start,setup-nginx-proxy"

  76.     inventory: "{{ member_id }}"

  77.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  78.     playbook: setup.yml

  79.     credential: "{{ member_id }} - AWX SSH Key"

  80.     survey_enabled: true

  81.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"

  82.     become_enabled: yes

  83.     state: present

  84.     verbosity: 1

  85.     tower_host: "https://{{ tower_host }}"

  86.     tower_oauthtoken: "{{ tower_token.stdout }}"

  87.     validate_certs: yes

  88. 

  89. - name: Ensure group "sftp" exists

  90.   group:

  91.     name: sftp

  92.     state: present

  93. 

  94. - name: If user doesn't define a sftp_password, create a disabled 'sftp' account

  95.   user:

  96.     name: sftp

  97.     comment: SFTP user to set custom web files and access servers export

  98.     shell: /bin/false

  99.     home: /home/sftp

  100.     group: sftp

  101.     password: '*'

  102.     update_password: always

  103.   when: sftp_password|length == 0

  104. 

  105. - name: If user defines sftp_password, enable account and set password on 'stfp' account

  106.   user:

  107.     name: sftp

  108.     comment: SFTP user to set custom web files and access servers export

  109.     shell: /bin/false

  110.     home: /home/sftp

  111.     group: sftp

  112.     password: "{{ sftp_password | password_hash('sha512') }}"

  113.     update_password: always

  114.   when: sftp_password|length > 0

  115. 

  116. - name: adding existing user 'sftp' to group matrix

  117.   user:

  118.     name: sftp

  119.     groups: matrix

  120.     append: yes

  121. 

  122. - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)

  123.   file:

  124.     path: /chroot

  125.     state: directory

  126.     owner: root

  127.     group: root

  128.     mode: '1755'

  129. 

  130. - name: Ensure /chroot/website location exists.

  131.   file:

  132.     path: /chroot/website

  133.     state: directory

  134.     owner: matrix

  135.     group: matrix

  136.     mode: '0574'

  137. 

  138. - name: Ensure /chroot/export location exists

  139.   file:

  140.     path: /chroot/export

  141.     state: directory

  142.     owner: sftp

  143.     group: sftp

  144.     mode: '0700'

  145. 

  146. - name: Ensure /home/sftp/.ssh location exists

  147.   file:

  148.     path: /home/sftp/.ssh

  149.     state: directory

  150.     owner: sftp

  151.     group: sftp

  152.     mode: '0700'

  153. 

  154. - name: Ensure /home/sftp/authorized_keys exists

  155.   file:

  156.     path: /home/sftp/.ssh/authorized_keys

  157.     state: touch

  158.     owner: sftp

  159.     group: sftp

  160.     mode: '0644'

  161. 

  162. - name: Clear authorized_keys file

  163.   shell: echo "" > /home/sftp/.ssh/authorized_keys

  164. 

  165. - name: Insert public SSH key into authorized_keys file

  166.   lineinfile:

  167.     path: /home/sftp/.ssh/authorized_keys

  168.     line: "{{ sftp_public_key }}"

  169.     owner: sftp

  170.     group: sftp

  171.     mode: '0644'

  172.   when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")

  173.   

  174. - name: Alter SSH Subsystem State 1

  175.   lineinfile:

  176.     path: /etc/ssh/sshd_config

  177.     line: "Subsystem sftp	/usr/lib/openssh/sftp-server"

  178.     state: absent

  179. 

  180. - name: Alter SSH Subsystem State 2

  181.   lineinfile:

  182.     path: /etc/ssh/sshd_config

  183.     insertafter: "^# override default of no subsystems"

  184.     line: "Subsystem sftp internal-sftp"

  185. 

  186. - name: Add SSH Match User section for disabled auth

  187.   blockinfile:

  188.     path: /etc/ssh/sshd_config

  189.     state: absent

  190.     block: |

  191.       Match User sftp

  192.           ChrootDirectory /chroot

  193.           PermitTunnel no

  194.           X11Forwarding no

  195.           AllowTcpForwarding no

  196.           PasswordAuthentication yes

  197.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  198.   when: sftp_auth_method == "Disabled"

  199. 

  200. - name: Add SSH Match User section for password auth

  201.   blockinfile:

  202.     path: /etc/ssh/sshd_config

  203.     state: present

  204.     block: |

  205.       Match User sftp

  206.           ChrootDirectory /chroot

  207.           PermitTunnel no

  208.           X11Forwarding no

  209.           AllowTcpForwarding no

  210.           PasswordAuthentication yes

  211.   when: sftp_auth_method == "Password"

  212. 

  213. - name: Add SSH Match User section for publickey auth

  214.   blockinfile:

  215.     path: /etc/ssh/sshd_config

  216.     state: present

  217.     block: |

  218.       Match User sftp

  219.           ChrootDirectory /chroot

  220.           PermitTunnel no

  221.           X11Forwarding no

  222.           AllowTcpForwarding no

  223.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  224.   when: sftp_auth_method == "SSH Key"

  225. 

  226. - name: Restart service ssh.service

  227.   service:

  228.     name: ssh.service

  229.     state: restarted