overmind
/
matrix-docker-ansible-deploy
peilaus alkaen https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Koodi Ongelmat 0 Julkaisut 0 Wiki Toiminta
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3257 Commitit
13 Branchit
519 MiB
 
 
Puu: 71b404d9df
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '71b404d9df'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-awx/tasks/customise_website_access_ex...

267 rivejä
8.9 KiB
Raaka Blame Historia 

  1. 

  2. - name: Enable index.html creation if user doesn't wish to customise base domain

  3.   delegate_to: 127.0.0.1

  4.   lineinfile:

  5.     path: '{{ awx_cached_matrix_vars }}'

  6.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  7.     line: "{{ item.key }}: {{ item.value }}"

  8.     insertafter: '# Base Domain Settings Start'

  9.   with_dict:

  10.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'

  11.   when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool

  12. 

  13. - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain

  14.   delegate_to: 127.0.0.1

  15.   lineinfile:

  16.     path: '{{ awx_cached_matrix_vars }}'

  17.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  18.     line: "{{ item.key }}: {{ item.value }}"

  19.     insertafter: '# Base Domain Settings Start'

  20.   with_dict:

  21.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'

  22.   when: (customise_base_domain_website is defined) and customise_base_domain_website|bool

  23. 

  24. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  25.   delegate_to: 127.0.0.1

  26.   lineinfile:

  27.     path: '{{ awx_cached_matrix_vars }}'

  28.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  29.     line: "{{ item.key }}: {{ item.value }}"

  30.     insertafter: '# Custom Settings Start'

  31.   with_dict:

  32.     'sftp_auth_method': '"{{ sftp_auth_method }}"'

  33.     'sftp_password': '"{{ sftp_password }}"'

  34.     'sftp_public_key': '"{{ sftp_public_key }}"'

  35. 

  36. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  37.   delegate_to: 127.0.0.1

  38.   lineinfile:

  39.     path: '{{ awx_cached_matrix_vars }}'

  40.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  41.     line: "{{ item.key }}: {{ item.value }}"

  42.     insertafter: '# Custom Settings Start'

  43.   with_dict:

  44.     'customise_base_domain_website': '{{ customise_base_domain_website }}'

  45.   when: customise_base_domain_website is defined

  46. 

  47. - name: Reload vars in matrix_vars.yml

  48.   include_vars:

  49.     file: '{{ awx_cached_matrix_vars }}'

  50.   no_log: True

  51. 

  52. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  53.   delegate_to: 127.0.0.1

  54.   template:

  55.     src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'

  56.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  57.   when: customise_base_domain_website is defined

  58. 

  59. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  60.   copy:

  61.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  62.     dest:  '/matrix/awx/configure_website_access_export.json'

  63.     mode: '0660'

  64.   when: customise_base_domain_website is defined

  65. 

  66. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  67.   delegate_to: 127.0.0.1

  68.   template:

  69.     src: './roles/matrix-awx/surveys/access_export.json.j2'

  70.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  71.   when: customise_base_domain_website is undefined

  72. 

  73. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  74.   copy:

  75.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  76.     dest:  '/matrix/awx/access_export.json'

  77.     mode: '0660'

  78.   when: customise_base_domain_website is undefined

  79. 

  80. - name: Recreate 'Configure Website + Access Export' job template

  81.   delegate_to: 127.0.0.1

  82.   awx.awx.tower_job_template:

  83.     name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"

  84.     description: "Configure base domain website settings and access the servers export."

  85.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  86.     job_type: run

  87.     job_tags: "start,setup-nginx-proxy"

  88.     inventory: "{{ member_id }}"

  89.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  90.     playbook: setup.yml

  91.     credential: "{{ member_id }} - AWX SSH Key"

  92.     survey_enabled: true

  93.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"

  94.     become_enabled: yes

  95.     state: present

  96.     verbosity: 1

  97.     tower_host: "https://{{ awx_host }}"

  98.     tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

  99.     validate_certs: yes

  100.   when: customise_base_domain_website is defined

  101. 

  102. - name: Recreate 'Access Export' job template

  103.   delegate_to: 127.0.0.1

  104.   awx.awx.tower_job_template:

  105.     name: "{{ matrix_domain }} - 1 - Access Export"

  106.     description: "Access the services export."

  107.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  108.     job_type: run

  109.     job_tags: "start,setup-nginx-proxy"

  110.     inventory: "{{ member_id }}"

  111.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  112.     playbook: setup.yml

  113.     credential: "{{ member_id }} - AWX SSH Key"

  114.     survey_enabled: true

  115.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"

  116.     become_enabled: yes

  117.     state: present

  118.     verbosity: 1

  119.     tower_host: "https://{{ awx_host }}"

  120.     tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

  121.     validate_certs: yes

  122.   when: customise_base_domain_website is undefined

  123. 

  124. - name: If user doesn't define a sftp_password, create a disabled 'sftp' account

  125.   user:

  126.     name: sftp

  127.     comment: SFTP user to set custom web files and access servers export

  128.     shell: /bin/false

  129.     home: /home/sftp

  130.     group: matrix

  131.     password: '*'

  132.     update_password: always

  133.   when: sftp_password|length == 0

  134. 

  135. - name: If user defines sftp_password, enable account and set password on 'stfp' account

  136.   user:

  137.     name: sftp

  138.     comment: SFTP user to set custom web files and access servers export

  139.     shell: /bin/false

  140.     home: /home/sftp

  141.     group: matrix

  142.     password: "{{ sftp_password | password_hash('sha512') }}"

  143.     update_password: always

  144.   when: sftp_password|length > 0

  145. 

  146. - name: Ensure group "sftp" exists

  147.   group:

  148.     name: sftp

  149.     state: present

  150. 

  151. - name: adding existing user 'sftp' to group matrix

  152.   user:

  153.     name: sftp

  154.     groups: sftp

  155.     append: yes

  156.   when: customise_base_domain_website is defined

  157. 

  158. - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)

  159.   file:

  160.     path: /chroot

  161.     state: directory

  162.     owner: root

  163.     group: root

  164.     mode: '1755'

  165. 

  166. - name: Ensure /chroot/website location exists.

  167.   file:

  168.     path: /chroot/website

  169.     state: directory

  170.     owner: matrix

  171.     group: matrix

  172.     mode: '0770'

  173.   when: customise_base_domain_website is defined

  174. 

  175. - name: Ensure /chroot/export location exists

  176.   file:

  177.     path: /chroot/export

  178.     state: directory

  179.     owner: sftp

  180.     group: sftp

  181.     mode: '0700'

  182. 

  183. - name: Ensure /home/sftp/.ssh location exists

  184.   file:

  185.     path: /home/sftp/.ssh

  186.     state: directory

  187.     owner: sftp

  188.     group: sftp

  189.     mode: '0700'

  190. 

  191. - name: Ensure /home/sftp/authorized_keys exists

  192.   file:

  193.     path: /home/sftp/.ssh/authorized_keys

  194.     state: touch

  195.     owner: sftp

  196.     group: sftp

  197.     mode: '0644'

  198. 

  199. - name: Clear authorized_keys file

  200.   shell: echo "" > /home/sftp/.ssh/authorized_keys

  201. 

  202. - name: Insert public SSH key into authorized_keys file

  203.   lineinfile:

  204.     path: /home/sftp/.ssh/authorized_keys

  205.     line: "{{ sftp_public_key }}"

  206.     owner: sftp

  207.     group: sftp

  208.     mode: '0644'

  209.   when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")

  210.     

  211. - name: Remove any existing Subsystem lines

  212.   lineinfile:

  213.     path: /etc/ssh/sshd_config

  214.     state: absent

  215.     regexp: '^Subsystem'

  216. 

  217. - name: Set SSH Subsystem State

  218.   lineinfile:

  219.     path: /etc/ssh/sshd_config

  220.     insertafter: "^# override default of no subsystems"

  221.     line: "Subsystem sftp internal-sftp"

  222. 

  223. - name: Add SSH Match User section for disabled auth

  224.   blockinfile:

  225.     path: /etc/ssh/sshd_config

  226.     state: absent

  227.     block: |

  228.       Match User sftp

  229.           ChrootDirectory /chroot

  230.           PermitTunnel no

  231.           X11Forwarding no

  232.           AllowTcpForwarding no

  233.           PasswordAuthentication yes

  234.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  235.   when: sftp_auth_method == "Disabled"

  236. 

  237. - name: Add SSH Match User section for password auth

  238.   blockinfile:

  239.     path: /etc/ssh/sshd_config

  240.     state: present

  241.     block: |

  242.       Match User sftp

  243.           ChrootDirectory /chroot

  244.           PermitTunnel no

  245.           X11Forwarding no

  246.           AllowTcpForwarding no

  247.           PasswordAuthentication yes

  248.   when: sftp_auth_method == "Password"

  249. 

  250. - name: Add SSH Match User section for publickey auth

  251.   blockinfile:

  252.     path: /etc/ssh/sshd_config

  253.     state: present

  254.     block: |

  255.       Match User sftp

  256.           ChrootDirectory /chroot

  257.           PermitTunnel no

  258.           X11Forwarding no

  259.           AllowTcpForwarding no

  260.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  261.   when: sftp_auth_method == "SSH Key"

  262. 

  263. - name: Restart service ssh.service

  264.   service:

  265.     name: ssh.service

  266.     state: restarted