overmind
/
matrix-docker-ansible-deploy
镜像来自 https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
複製 0
程式碼 問題管理 0 版本發佈 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2656 Commit
11 分支
1.3 GiB
 
 
目錄樹: b2ca1f2829
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'b2ca1f2829'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-awx/tasks/customise_website_access_ex...

225 line
7.0 KiB
原始文件 Blame 文件歷史 

  1. 

  2. - name: Enable index.html creation if user doesn't wish to customise base domain

  3.   delegate_to: 127.0.0.1

  4.   lineinfile:

  5.     path: '{{ awx_cached_matrix_vars }}'

  6.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  7.     line: "{{ item.key }}: {{ item.value }}"

  8.     insertafter: '# Base Domain Settings Start'

  9.   with_dict:

  10.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'

  11.   when: customise_base_domain_website|bool == false

  12. 

  13. - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain

  14.   delegate_to: 127.0.0.1

  15.   lineinfile:

  16.     path: '{{ awx_cached_matrix_vars }}'

  17.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  18.     line: "{{ item.key }}: {{ item.value }}"

  19.     insertafter: '# Base Domain Settings Start'

  20.   with_dict:

  21.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'

  22.   when: customise_base_domain_website|bool == true

  23. 

  24. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  25.   delegate_to: 127.0.0.1

  26.   lineinfile:

  27.     path: '{{ awx_cached_matrix_vars }}'

  28.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  29.     line: "{{ item.key }}: {{ item.value }}"

  30.     insertafter: '# Custom Settings Start'

  31.   with_dict:

  32.     'customise_base_domain_website': '{{ customise_base_domain_website }}'

  33.     'sftp_auth_method': '"{{ sftp_auth_method }}"'

  34.     'sftp_password': '"{{ sftp_password }}"'

  35.     'sftp_public_key': '"{{ sftp_public_key }}"'

  36. 

  37. - name: Reload vars in matrix_vars.yml

  38.   include_vars:

  39.     file: '{{ awx_cached_matrix_vars }}'

  40.   no_log: True

  41. 

  42. # ^ Is this even needed?

  43. 

  44. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  45.   delegate_to: 127.0.0.1

  46.   template:

  47.     src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'

  48.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  49. 

  50. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  51.   copy:

  52.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  53.     dest:  '/matrix/awx/configure_website_access_export.json'

  54.     mode: '0660'

  55. 

  56. - name: Collect AWX admin token the hard way!

  57.   delegate_to: 127.0.0.1

  58.   shell: |

  59.       curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'

  60.   register: tower_token

  61.   no_log: True

  62. 

  63. - name: Recreate 'Customise Base Domain Export' job template

  64.   delegate_to: 127.0.0.1

  65.   awx.awx.tower_job_template:

  66.     name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"

  67.     description: "Configure base domain website settings and access the servers export."

  68.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  69.     job_type: run

  70.     job_tags: "start,setup-nginx-proxy"

  71.     inventory: "{{ member_id }}"

  72.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  73.     playbook: setup.yml

  74.     credential: "{{ member_id }} - AWX SSH Key"

  75.     survey_enabled: true

  76.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"

  77.     become_enabled: yes

  78.     state: present

  79.     verbosity: 1

  80.     tower_host: "https://{{ tower_host }}"

  81.     tower_oauthtoken: "{{ tower_token.stdout }}"

  82.     validate_certs: yes

  83. 

  84. - name: Ensure group "sftp" exists

  85.   group:

  86.     name: sftp

  87.     state: present

  88. 

  89. - name: If user doesn't define a sftp_password, create a disabled 'sftp' account

  90.   user:

  91.     name: sftp

  92.     comment: SFTP user to set custom web files and access servers export

  93.     shell: /bin/false

  94.     home: /home/sftp

  95.     group: sftp

  96.     password: '*'

  97.     update_password: always

  98.   when: sftp_password|length == 0

  99. 

  100. - name: If user defines sftp_password, enable account and set password on 'stfp' account

  101.   user:

  102.     name: sftp

  103.     comment: SFTP user to set custom web files and access servers export

  104.     shell: /bin/false

  105.     home: /home/sftp

  106.     group: sftp

  107.     password: "{{ sftp_password | password_hash('sha512') }}"

  108.     update_password: always

  109.   when: sftp_password|length > 0

  110. 

  111. - name: adding existing user 'sftp' to group matrix

  112.   user:

  113.     name: sftp

  114.     groups: matrix

  115.     append: yes

  116. 

  117. - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)

  118.   file:

  119.     path: /chroot

  120.     state: directory

  121.     owner: root

  122.     group: root

  123.     mode: '1755'

  124. 

  125. - name: Ensure /chroot/website location exists.

  126.   file:

  127.     path: /chroot/website

  128.     state: directory

  129.     owner: matrix

  130.     group: matrix

  131.     mode: '0574'

  132. 

  133. - name: Ensure /chroot/export location exists

  134.   file:

  135.     path: /chroot/export

  136.     state: directory

  137.     owner: sftp

  138.     group: sftp

  139.     mode: '0700'

  140. 

  141. - name: Ensure /home/sftp/.ssh location exists

  142.   file:

  143.     path: /home/sftp/.ssh

  144.     state: directory

  145.     owner: sftp

  146.     group: sftp

  147.     mode: '0700'

  148. 

  149. - name: Ensure /home/sftp/authorized_keys exists

  150.   file:

  151.     path: /home/sftp/.ssh/authorized_keys

  152.     state: touch

  153.     owner: sftp

  154.     group: sftp

  155.     mode: '0644'

  156. 

  157. - name: Clear authorized_keys file

  158.   shell: echo "" > /home/sftp/.ssh/authorized_keys

  159. 

  160. - name: Insert public SSH key into authorized_keys file

  161.   lineinfile:

  162.     path: /home/sftp/.ssh/authorized_keys

  163.     line: "{{ sftp_public_key }}"

  164.     owner: sftp

  165.     group: sftp

  166.     mode: '0644'

  167.   when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")

  168. 

  169. - name: Alter SSH Subsystem State 1

  170.   lineinfile:

  171.     path: /etc/ssh/sshd_config

  172.     line: "Subsystem sftp	/usr/lib/openssh/sftp-server"

  173.     state: absent

  174. 

  175. - name: Alter SSH Subsystem State 2

  176.   lineinfile:

  177.     path: /etc/ssh/sshd_config

  178.     insertafter: "^# override default of no subsystems"

  179.     line: "Subsystem sftp internal-sftp"

  180. 

  181. - name: Add SSH Match User section for disabled auth

  182.   blockinfile:

  183.     path: /etc/ssh/sshd_config

  184.     state: absent

  185.     block: |

  186.       Match User sftp

  187.           ChrootDirectory /chroot

  188.           PermitTunnel no

  189.           X11Forwarding no

  190.           AllowTcpForwarding no

  191.           PasswordAuthentication yes

  192.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  193.   when: sftp_auth_method == "Disabled"

  194. 

  195. - name: Add SSH Match User section for password auth

  196.   blockinfile:

  197.     path: /etc/ssh/sshd_config

  198.     state: present

  199.     block: |

  200.       Match User sftp

  201.           ChrootDirectory /chroot

  202.           PermitTunnel no

  203.           X11Forwarding no

  204.           AllowTcpForwarding no

  205.           PasswordAuthentication yes

  206.   when: sftp_auth_method == "Password"

  207. 

  208. - name: Add SSH Match User section for publickey auth

  209.   blockinfile:

  210.     path: /etc/ssh/sshd_config

  211.     state: present

  212.     block: |

  213.       Match User sftp

  214.           ChrootDirectory /chroot

  215.           PermitTunnel no

  216.           X11Forwarding no

  217.           AllowTcpForwarding no

  218.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  219.   when: sftp_auth_method == "SSH Key"

  220. 

  221. - name: Restart service ssh.service

  222.   service:

  223.     name: ssh.service

  224.     state: restarted