overmind
/
matrix-docker-ansible-deploy
miroir de https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Bifurcation 0
Code Tickets 0 Versions 0 Wiki Activité
Matrix Docker Ansible eploy
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
3795 Révisions
13 Branches
36 MiB
 
 
Aborescence: 7e5b88c3b7
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '7e5b88c3b7'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-awx/tasks/customise_website_access_ex...

268 lignes
9.0 KiB
Brut Annotations Historique 

  1. ---

  2. 

  3. - name: Enable index.html creation if user doesn't wish to customise base domain

  4.   delegate_to: 127.0.0.1

  5.   lineinfile:

  6.     path: '{{ awx_cached_matrix_vars }}'

  7.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  8.     line: "{{ item.key }}: {{ item.value }}"

  9.     insertafter: '# Base Domain Settings Start'

  10.   with_dict:

  11.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'

  12.   when: (awx_customise_base_domain_website is defined) and not awx_customise_base_domain_website|bool

  13. 

  14. - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain

  15.   delegate_to: 127.0.0.1

  16.   lineinfile:

  17.     path: '{{ awx_cached_matrix_vars }}'

  18.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  19.     line: "{{ item.key }}: {{ item.value }}"

  20.     insertafter: '# Base Domain Settings Start'

  21.   with_dict:

  22.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'

  23.   when: (awx_customise_base_domain_website is defined) and awx_customise_base_domain_website|bool

  24. 

  25. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  26.   delegate_to: 127.0.0.1

  27.   lineinfile:

  28.     path: '{{ awx_cached_matrix_vars }}'

  29.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  30.     line: "{{ item.key }}: {{ item.value }}"

  31.     insertafter: '# Custom Settings Start'

  32.   with_dict:

  33.     'awx_sftp_auth_method': '"{{ awx_sftp_auth_method }}"'

  34.     'awx_sftp_password': '"{{ awx_sftp_password }}"'

  35.     'awx_sftp_public_key': '"{{ awx_sftp_public_key }}"'

  36. 

  37. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  38.   delegate_to: 127.0.0.1

  39.   lineinfile:

  40.     path: '{{ awx_cached_matrix_vars }}'

  41.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  42.     line: "{{ item.key }}: {{ item.value }}"

  43.     insertafter: '# Custom Settings Start'

  44.   with_dict:

  45.     'awx_customise_base_domain_website': '{{ awx_customise_base_domain_website }}'

  46.   when: awx_customise_base_domain_website is defined

  47. 

  48. - name: Reload vars in matrix_vars.yml

  49.   include_vars:

  50.     file: '{{ awx_cached_matrix_vars }}'

  51.   no_log: true

  52. 

  53. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  54.   delegate_to: 127.0.0.1

  55.   template:

  56.     src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'

  57.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  58.   when: awx_customise_base_domain_website is defined

  59. 

  60. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  61.   copy:

  62.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  63.     dest: '/matrix/awx/configure_website_access_export.json'

  64.     mode: '0660'

  65.   when: awx_customise_base_domain_website is defined

  66. 

  67. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  68.   delegate_to: 127.0.0.1

  69.   template:

  70.     src: './roles/matrix-awx/surveys/access_export.json.j2'

  71.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  72.   when: awx_customise_base_domain_website is undefined

  73. 

  74. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  75.   copy:

  76.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  77.     dest: '/matrix/awx/access_export.json'

  78.     mode: '0660'

  79.   when: awx_customise_base_domain_website is undefined

  80. 

  81. - name: Recreate 'Configure Website + Access Export' job template

  82.   delegate_to: 127.0.0.1

  83.   awx.awx.tower_job_template:

  84.     name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"

  85.     description: "Configure base domain website settings and access the servers export."

  86.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  87.     job_type: run

  88.     job_tags: "start,setup-nginx-proxy"

  89.     inventory: "{{ member_id }}"

  90.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  91.     playbook: setup.yml

  92.     credential: "{{ member_id }} - AWX SSH Key"

  93.     survey_enabled: true

  94.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"

  95.     become_enabled: true

  96.     state: present

  97.     verbosity: 1

  98.     tower_host: "https://{{ awx_host }}"

  99.     tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

  100.     validate_certs: true

  101.   when: awx_customise_base_domain_website is defined

  102. 

  103. - name: Recreate 'Access Export' job template

  104.   delegate_to: 127.0.0.1

  105.   awx.awx.tower_job_template:

  106.     name: "{{ matrix_domain }} - 1 - Access Export"

  107.     description: "Access the services export."

  108.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  109.     job_type: run

  110.     job_tags: "start,setup-nginx-proxy"

  111.     inventory: "{{ member_id }}"

  112.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  113.     playbook: setup.yml

  114.     credential: "{{ member_id }} - AWX SSH Key"

  115.     survey_enabled: true

  116.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"

  117.     become_enabled: true

  118.     state: present

  119.     verbosity: 1

  120.     tower_host: "https://{{ awx_host }}"

  121.     tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

  122.     validate_certs: true

  123.   when: awx_customise_base_domain_website is undefined

  124. 

  125. - name: If user doesn't define a awx_sftp_password, create a disabled 'sftp' account

  126.   user:

  127.     name: sftp

  128.     comment: SFTP user to set custom web files and access servers export

  129.     shell: /bin/false

  130.     home: /home/sftp

  131.     group: matrix

  132.     password: '*'

  133.     update_password: always

  134.   when: awx_sftp_password|length == 0

  135. 

  136. - name: If user defines awx_sftp_password, enable account and set password on 'stfp' account

  137.   user:

  138.     name: sftp

  139.     comment: SFTP user to set custom web files and access servers export

  140.     shell: /bin/false

  141.     home: /home/sftp

  142.     group: matrix

  143.     password: "{{ awx_sftp_password | password_hash('sha512') }}"

  144.     update_password: always

  145.   when: awx_sftp_password|length > 0

  146. 

  147. - name: Ensure group "sftp" exists

  148.   group:

  149.     name: sftp

  150.     state: present

  151. 

  152. - name: adding existing user 'sftp' to group matrix

  153.   user:

  154.     name: sftp

  155.     groups: sftp

  156.     append: true

  157.   when: awx_customise_base_domain_website is defined

  158. 

  159. - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)

  160.   file:

  161.     path: /chroot

  162.     state: directory

  163.     owner: root

  164.     group: root

  165.     mode: '1755'

  166. 

  167. - name: Ensure /chroot/website location exists.

  168.   file:

  169.     path: /chroot/website

  170.     state: directory

  171.     owner: matrix

  172.     group: matrix

  173.     mode: '0770'

  174.   when: awx_customise_base_domain_website is defined

  175. 

  176. - name: Ensure /chroot/export location exists

  177.   file:

  178.     path: /chroot/export

  179.     state: directory

  180.     owner: sftp

  181.     group: sftp

  182.     mode: '0700'

  183. 

  184. - name: Ensure /home/sftp/.ssh location exists

  185.   file:

  186.     path: /home/sftp/.ssh

  187.     state: directory

  188.     owner: sftp

  189.     group: sftp

  190.     mode: '0700'

  191. 

  192. - name: Ensure /home/sftp/authorized_keys exists

  193.   file:

  194.     path: /home/sftp/.ssh/authorized_keys

  195.     state: touch

  196.     owner: sftp

  197.     group: sftp

  198.     mode: '0644'

  199. 

  200. - name: Clear authorized_keys file

  201.   shell: echo "" > /home/sftp/.ssh/authorized_keys

  202. 

  203. - name: Insert public SSH key into authorized_keys file

  204.   lineinfile:

  205.     path: /home/sftp/.ssh/authorized_keys

  206.     line: "{{ awx_sftp_public_key }}"

  207.     owner: sftp

  208.     group: sftp

  209.     mode: '0644'

  210.   when: (awx_sftp_public_key | length > 0) and (awx_sftp_auth_method == "SSH Key")

  211. 

  212. - name: Remove any existing Subsystem lines

  213.   lineinfile:

  214.     path: /etc/ssh/sshd_config

  215.     state: absent

  216.     regexp: '^Subsystem'

  217. 

  218. - name: Set SSH Subsystem State

  219.   lineinfile:

  220.     path: /etc/ssh/sshd_config

  221.     insertafter: "^# override default of no subsystems"

  222.     line: "Subsystem sftp internal-sftp"

  223. 

  224. - name: Add SSH Match User section for disabled auth

  225.   blockinfile:

  226.     path: /etc/ssh/sshd_config

  227.     state: absent

  228.     block: |

  229.       Match User sftp

  230.           ChrootDirectory /chroot

  231.           PermitTunnel no

  232.           X11Forwarding no

  233.           AllowTcpForwarding no

  234.           PasswordAuthentication yes

  235.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  236.   when: awx_sftp_auth_method == "Disabled"

  237. 

  238. - name: Add SSH Match User section for password auth

  239.   blockinfile:

  240.     path: /etc/ssh/sshd_config

  241.     state: present

  242.     block: |

  243.       Match User sftp

  244.           ChrootDirectory /chroot

  245.           PermitTunnel no

  246.           X11Forwarding no

  247.           AllowTcpForwarding no

  248.           PasswordAuthentication yes

  249.   when: awx_sftp_auth_method == "Password"

  250. 

  251. - name: Add SSH Match User section for publickey auth

  252.   blockinfile:

  253.     path: /etc/ssh/sshd_config

  254.     state: present

  255.     block: |

  256.       Match User sftp

  257.           ChrootDirectory /chroot

  258.           PermitTunnel no

  259.           X11Forwarding no

  260.           AllowTcpForwarding no

  261.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  262.   when: awx_sftp_auth_method == "SSH Key"

  263. 

  264. - name: Restart service ssh.service

  265.   service:

  266.     name: ssh.service

  267.     state: restarted