overmind
/
matrix-docker-ansible-deploy
şunun yansıması https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Çatalla 0
Kod Konular 0 Sürümler 0 Wiki Aktivite
Matrix Docker Ansible eploy
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
2809 İşleme
13 Dallar
525 MiB
 
 
Ağaç: ea6e344d05
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'ea6e344d05'den
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-awx/tasks/customise_website_access_ex...

274 satır
9.2 KiB
Ham Suçlama Geçmiş 

  1. 

  2. - name: Enable index.html creation if user doesn't wish to customise base domain

  3.   delegate_to: 127.0.0.1

  4.   lineinfile:

  5.     path: '{{ awx_cached_matrix_vars }}'

  6.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  7.     line: "{{ item.key }}: {{ item.value }}"

  8.     insertafter: '# Base Domain Settings Start'

  9.   with_dict:

  10.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'

  11.   when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool

  12. 

  13. - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain

  14.   delegate_to: 127.0.0.1

  15.   lineinfile:

  16.     path: '{{ awx_cached_matrix_vars }}'

  17.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  18.     line: "{{ item.key }}: {{ item.value }}"

  19.     insertafter: '# Base Domain Settings Start'

  20.   with_dict:

  21.     'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'

  22.   when: (customise_base_domain_website is defined) and customise_base_domain_website|bool

  23. 

  24. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  25.   delegate_to: 127.0.0.1

  26.   lineinfile:

  27.     path: '{{ awx_cached_matrix_vars }}'

  28.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  29.     line: "{{ item.key }}: {{ item.value }}"

  30.     insertafter: '# Custom Settings Start'

  31.   with_dict:

  32.     'sftp_auth_method': '"{{ sftp_auth_method }}"'

  33.     'sftp_password': '"{{ sftp_password }}"'

  34.     'sftp_public_key': '"{{ sftp_public_key }}"'

  35. 

  36. - name: Record custom 'Customise Website + Access Export' variables locally on AWX

  37.   delegate_to: 127.0.0.1

  38.   lineinfile:

  39.     path: '{{ awx_cached_matrix_vars }}'

  40.     regexp: "^#? *{{ item.key | regex_escape() }}:"

  41.     line: "{{ item.key }}: {{ item.value }}"

  42.     insertafter: '# Custom Settings Start'

  43.   with_dict:

  44.     'customise_base_domain_website': '{{ customise_base_domain_website }}'

  45.   when: customise_base_domain_website is defined

  46. 

  47. - name: Reload vars in matrix_vars.yml

  48.   include_vars:

  49.     file: '{{ awx_cached_matrix_vars }}'

  50.   no_log: True

  51. 

  52. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  53.   delegate_to: 127.0.0.1

  54.   template:

  55.     src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'

  56.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  57.   when: customise_base_domain_website is defined

  58. 

  59. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  60.   copy:

  61.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

  62.     dest:  '/matrix/awx/configure_website_access_export.json'

  63.     mode: '0660'

  64.   when: customise_base_domain_website is defined

  65. 

  66. - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template

  67.   delegate_to: 127.0.0.1

  68.   template:

  69.     src: './roles/matrix-awx/surveys/access_export.json.j2'

  70.     dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  71.   when: customise_base_domain_website is undefined

  72. 

  73. - name: Copy new 'Customise Website + Access Export' survey.json to target machine

  74.   copy:

  75.     src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'

  76.     dest:  '/matrix/awx/access_export.json'

  77.     mode: '0660'

  78.   when: customise_base_domain_website is undefined

  79. 

  80. - name: Collect AWX admin token the hard way!

  81.   delegate_to: 127.0.0.1

  82.   shell: |

  83.       curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'

  84.   register: tower_token

  85.   no_log: True

  86. 

  87. - name: Recreate 'Configure Website + Access Export' job template

  88.   delegate_to: 127.0.0.1

  89.   awx.awx.tower_job_template:

  90.     name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"

  91.     description: "Configure base domain website settings and access the servers export."

  92.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  93.     job_type: run

  94.     job_tags: "start,setup-nginx-proxy"

  95.     inventory: "{{ member_id }}"

  96.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  97.     playbook: setup.yml

  98.     credential: "{{ member_id }} - AWX SSH Key"

  99.     survey_enabled: true

  100.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"

  101.     become_enabled: yes

  102.     state: present

  103.     verbosity: 1

  104.     tower_host: "https://{{ tower_host }}"

  105.     tower_oauthtoken: "{{ tower_token.stdout }}"

  106.     validate_certs: yes

  107.   when: customise_base_domain_website is defined

  108. 

  109. - name: Recreate 'Access Export' job template

  110.   delegate_to: 127.0.0.1

  111.   awx.awx.tower_job_template:

  112.     name: "{{ matrix_domain }} - 1 - Access Export"

  113.     description: "Access the services export."

  114.     extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"

  115.     job_type: run

  116.     job_tags: "start,setup-nginx-proxy"

  117.     inventory: "{{ member_id }}"

  118.     project: "{{ member_id }} - Matrix Docker Ansible Deploy"

  119.     playbook: setup.yml

  120.     credential: "{{ member_id }} - AWX SSH Key"

  121.     survey_enabled: true

  122.     survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"

  123.     become_enabled: yes

  124.     state: present

  125.     verbosity: 1

  126.     tower_host: "https://{{ tower_host }}"

  127.     tower_oauthtoken: "{{ tower_token.stdout }}"

  128.     validate_certs: yes

  129.   when: customise_base_domain_website is undefined

  130. 

  131. - name: Ensure group "sftp" exists

  132.   group:

  133.     name: sftp

  134.     state: present

  135. 

  136. - name: If user doesn't define a sftp_password, create a disabled 'sftp' account

  137.   user:

  138.     name: sftp

  139.     comment: SFTP user to set custom web files and access servers export

  140.     shell: /bin/false

  141.     home: /home/sftp

  142.     group: sftp

  143.     password: '*'

  144.     update_password: always

  145.   when: sftp_password|length == 0

  146. 

  147. - name: If user defines sftp_password, enable account and set password on 'stfp' account

  148.   user:

  149.     name: sftp

  150.     comment: SFTP user to set custom web files and access servers export

  151.     shell: /bin/false

  152.     home: /home/sftp

  153.     group: sftp

  154.     password: "{{ sftp_password | password_hash('sha512') }}"

  155.     update_password: always

  156.   when: sftp_password|length > 0

  157. 

  158. - name: adding existing user 'sftp' to group matrix

  159.   user:

  160.     name: sftp

  161.     groups: matrix

  162.     append: yes

  163.   when: customise_base_domain_website is defined

  164. 

  165. - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)

  166.   file:

  167.     path: /chroot

  168.     state: directory

  169.     owner: root

  170.     group: root

  171.     mode: '1755'

  172. 

  173. - name: Ensure /chroot/website location exists.

  174.   file:

  175.     path: /chroot/website

  176.     state: directory

  177.     owner: matrix

  178.     group: matrix

  179.     mode: '0574'

  180.   when: customise_base_domain_website is defined

  181. 

  182. - name: Ensure /chroot/export location exists

  183.   file:

  184.     path: /chroot/export

  185.     state: directory

  186.     owner: sftp

  187.     group: sftp

  188.     mode: '0700'

  189. 

  190. - name: Ensure /home/sftp/.ssh location exists

  191.   file:

  192.     path: /home/sftp/.ssh

  193.     state: directory

  194.     owner: sftp

  195.     group: sftp

  196.     mode: '0700'

  197. 

  198. - name: Ensure /home/sftp/authorized_keys exists

  199.   file:

  200.     path: /home/sftp/.ssh/authorized_keys

  201.     state: touch

  202.     owner: sftp

  203.     group: sftp

  204.     mode: '0644'

  205. 

  206. - name: Clear authorized_keys file

  207.   shell: echo "" > /home/sftp/.ssh/authorized_keys

  208. 

  209. - name: Insert public SSH key into authorized_keys file

  210.   lineinfile:

  211.     path: /home/sftp/.ssh/authorized_keys

  212.     line: "{{ sftp_public_key }}"

  213.     owner: sftp

  214.     group: sftp

  215.     mode: '0644'

  216.   when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")

  217. 

  218. - name: Alter SSH Subsystem State 1

  219.   lineinfile:

  220.     path: /etc/ssh/sshd_config

  221.     line: "Subsystem sftp	/usr/lib/openssh/sftp-server"

  222.     state: absent

  223. 

  224. - name: Alter SSH Subsystem State 2

  225.   lineinfile:

  226.     path: /etc/ssh/sshd_config

  227.     insertafter: "^# override default of no subsystems"

  228.     line: "Subsystem sftp internal-sftp"

  229. 

  230. - name: Add SSH Match User section for disabled auth

  231.   blockinfile:

  232.     path: /etc/ssh/sshd_config

  233.     state: absent

  234.     block: |

  235.       Match User sftp

  236.           ChrootDirectory /chroot

  237.           PermitTunnel no

  238.           X11Forwarding no

  239.           AllowTcpForwarding no

  240.           PasswordAuthentication yes

  241.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  242.   when: sftp_auth_method == "Disabled"

  243. 

  244. - name: Add SSH Match User section for password auth

  245.   blockinfile:

  246.     path: /etc/ssh/sshd_config

  247.     state: present

  248.     block: |

  249.       Match User sftp

  250.           ChrootDirectory /chroot

  251.           PermitTunnel no

  252.           X11Forwarding no

  253.           AllowTcpForwarding no

  254.           PasswordAuthentication yes

  255.   when: sftp_auth_method == "Password"

  256. 

  257. - name: Add SSH Match User section for publickey auth

  258.   blockinfile:

  259.     path: /etc/ssh/sshd_config

  260.     state: present

  261.     block: |

  262.       Match User sftp

  263.           ChrootDirectory /chroot

  264.           PermitTunnel no

  265.           X11Forwarding no

  266.           AllowTcpForwarding no

  267.           AuthorizedKeysFile /home/sftp/.ssh/authorized_keys

  268.   when: sftp_auth_method == "SSH Key"

  269. 

  270. - name: Restart service ssh.service

  271.   service:

  272.     name: ssh.service

  273.     state: restarted