Commit c1b695e1 authored by Birin Sanchez's avatar Birin Sanchez

Add Ansible role for Keel/LDH.


Signed-off-by: Birin Sanchez's avatarBirin Sanchez <birin.sanchez@puri.sm>
parent 5bc29824
*.sublime-*
*.retry
*~
---
- name: Install dependencies
\ No newline at end of file
- name: LDH/Keel Playbook
hosts: all
become: yes
roles:
- role: ldh_middleware
vars:
ldh_site_title: My Site Title
ldh_site_byline: My byline text
ldh_site_domain: "{{ ansible_domain | default('example.com', true) }}"
ldh_site_provider: Provider
ldh_site_provider_link: "https://{{ ldh_site_domain }}"
ldh_debug_all_access: false
ldh_allowed_hosts: >-
localhost,{{ ansible_hostname }}.{{ ldh_site_domain
}},{{ ansible_hostname }},{{ ansible_default_ipv4['address'] }}
ldh_registration_open: true
ldh_base_dn: "dc=freedom,dc=test"
ldh_reg_person_base_dn: 'ou=people,dc=freedom,dc=test'
ldh_reg_group_base_dn: 'ou=groups,dc=freedom,dc=test'
ldh_auth_ldap_server_uri: 'ldap://ldap.freedom.test'
ldh_auth_ldap_start_tls: false
ldh_auth_ldap_bind_dn: "cn=admin,dc=freedom,dc=test"
ldh_auth_ldap_user_search_base_dn: "ou=people,dc=freedom,dc=test"
ldh_woo_url: 'https://example.com'
ldh_woosub1_product_list: '123,124'
# Next 4 varialbes should be in the vault in a production system
ldh_django_key: "inserthereyourdjangokey"
ldh_auth_ldap_bind_password: "verylongpassword"
woo_consumer_key: "inserthereyourwookey"
woo_consumer_secret: "inserthereyourwoosecret"
# Nginx conf
ldh_nginx_server_name: "{{ ansible_hostname }} {{ ansible_fqdn }}"
ldh_nginx_use_https: false
ldh_nginx_https_redirect: "{{ ansible_fqdn }}"
ldh_nginx_ssl_cert_src_path: "certs/{{ ansible_fqdn }}.crt"
ldh_nginx_ssl_cert_path: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
# The unencrypted key file should be in the vault in a produciton system
ldh_nginx_ssl_key_src_path: "cert_keys/{{ ansible_fqdn }}.key.plain"
ldh_nginx_ssl_key_path: "/etc/ssl/private/{{ ansible_fqdn }}.key.plain"
ldh_nginx_log_error: true
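Review bot: The example overrides the role default with `ldh_auth_ldap_start_tls: false` while pointing at a plain `ldap://` URI and supplying `ldh_auth_ldap_bind_password`, so the bind credential crosses the network unencrypted; the defaults file keeps STARTTLS on, and an example playbook is what operators copy. Drop the override or use an `ldaps://` URI in the example so `ldh_auth_ldap_start_tls: true` is what people start from. `become: yes` is the YAML 1.1 boolean spelling; `become: true` is the form yamllint's truthy rule accepts and is unambiguous across parsers.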
Role Name
=========
A role used to setup a basic LDH/Keel instance running on a node.
Requirements
------------
This role has only been tested with Ansible 2.7.1
Role Variables
--------------
* `ldh_site_tile`
The title that will appear on main LDH page.
Default value: `Title`
* `ldh_site_byline`
A line that appears below the title line on the main page.
Default value: `Example byline`
* `ldh_site_domain`
The DNS domain for the site.
Default value: `example.com`
* `ldh_site_provider`
The name of the provider of the site.
Defautl value: `Provider`
* `ldh_site_provider_link`
A link to the provider website.
Default value: `https://example.com`
* `ldh_debug`
When set to `true` it enables Django debugging.
Default value: `true`
* `ldh_debug_all_access`
When set to `true` LDH will debug all access.
Default value: `true`
* `ldh_debug_change_password`
When set to `true` LDH will debug password changes.
Default value: `false`
* `ldh_debug_skip_activation_command`
When set to `true` LDH will skip the activation command.
Default value: `true`
* `ldh_debug_skip_validate_on_authentication`
When set to `true` LDH will not validate authentication.
Default value: `false`
* `ldh_allowed_hosts`
This is the
[ALLOWED_HOSTS](https://docs.djangoproject.com/en/1.11/ref/settings/#allowed-hosts)
variable for Django
Default value: `localhost`
* `ldh_django_key`
This is Django
[SECRET_KEY](https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SECRET_KEY).
Default value: `inserthereyourdjangokey`
* `ldh_registration_open`
When set to `true` LDH will allow new users to register.
Default value: `true`
* `ldh_reg_person_base_dn`
The default LDAP object to look for or add people.
Default value: `ou=people,dc=example,dc=com`
* `ldh_reg_group_base_dn`
The default LDAP object to look for or add groups.
Default value: `ou=groups,dc=example,dc=com`
* `ldh_auth_ldap_server_uri`
The URI used to contact the LDAP server.
Default value: `ldap://ldap.example.com`
* `ldh_auth_ldap_start_tls`
Whether or not to use TLS connection to talk to the LDAP server.
Default value: `true`
* `ldh_auth_ldap_bind_dn`
The LDAP binding value to use when querying the LDAP server.
Default value: `cn=admin,dc=example,dc=com`
* `ldh_auth_ldap_bind_password`
The password used to authenticate when using `ldh_auth_ldap_bind_dn`.
Default value: `verylongpassword`
* `ldh_auth_ldap_user_search_base_dn`
The LDAP object used as base for searches.
Default value: `ou=people,dc=example,dc=com`
* `ldh_nginx_log_error`
When set to `true` NGINX will log errors.
Default value: `true`
* `ldh_nginx_use_https`
When set to `true` NGINX will HTTPS instead of HTTP.
Default value: `false`
* `ldh_nginx_https_redirect`
URL that NGINX will use if HTTPS is enabled to redirect users
trying to use HTTP. Default value: `https://example.com`
* `ldh_nginx_ssl_cert_src_path`
The location of the SSL certificated that Ansible will copy to the
node. Default value: `certs/example.com.crt`. This is the `certs`
directory relative to the playbooks directory.
* `ldh_nginx_ssl_cert_path`
Location on the node that will be used by Ansible to copy the SSL
certificate. Default value: `/etc/ssl/certs/example.com.crt`
* `ldh_nginx_ssl_key_src_path`
The location of the SSL key used to create the certificate that
Ansible will copy to the node. Default value:
`cert_keys/example.com.key.plain`. This is the `cert_keys`
directory relative to the playbooks directory.
* `ldh_nginx_ssl_key_path`
Location on the node that will be used by Ansible to copy the key
used to create the SSL certificate. Default value:
`/etc/ssl/private/example.com.key.plain`
Dependencies
------------
This role does not depend on other roles.
License
-------
AGPL-3.0-or-later
Author Information
------------------
Purism SPC <liberty@puri.sm>
Homepage: https://source.puri.sm/liberty/ldh_middleware
---
# defaults file for ldh_middleware
ldh_required_packages:
- rabbitmq-server
ldh_site_tile: Title
ldh_site_byline: Example byline
ldh_site_domain: example.com
ldh_site_provider: Provider
ldh_site_provider_link: 'https://example.com'
ldh_debug: true
ldh_debug_all_access: true
ldh_debug_change_password: false
ldh_debug_skip_activation_command: true
ldh_debug_skip_validate_on_authentication: false
ldh_allowed_hosts: localhost
ldh_registration_open: true
ldh_reg_person_base_dn: 'ou=people,dc=example,dc=com'
ldh_reg_group_base_dn: 'ou=groups,dc=example,dc=com'
ldh_auth_ldap_server_uri: 'ldap://ldap.example.com'
ldh_auth_ldap_start_tls: true
ldh_auth_ldap_bind_dn: 'cn=admin,dc=example,dc=com'
ldh_auth_ldap_user_search_base_dn: 'ou=people,dc=example,dc=com'
ldh_woo_url: 'https://example.com'
ldh_woo_wp_api: true
ldh_woo_version: 'wc/v1'
ldh_woo_query_string_auth: true
ldh_woosub1_product_list: '123,124'
ldh_ovpn_hostname: 'ssh.example.com'
ldh_ovpn_port: 22
ldh_ovpn_username: username
ldh_ovpn_filepath: '/path/to/{IDENTITY}/{IDENTITY}.ovpn'
ldh_nginx_log_error: true
ldh_nginx_use_https: false
ldh_nginx_ssl_cert_src_path: "certs/example.com.crt"
ldh_nginx_ssl_cert_path: "/etc/ssl/certs/example.com.crt"
ldh_nginx_ssl_key_src_path: "cert_keys/example.com.key.plain"
ldh_nginx_ssl_key_path: "/etc/ssl/private/example.com.key.plain"
ldh_nginx_https_redirect: "https://example.com"
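Review bot: `ldh_site_tile: Title` in the defaults does not match the name the config template reads, `{{ ldh_site_title }}`, so a run that relies on role defaults fails on an undefined variable when config.ini is rendered (the README repeats the misspelling under Role Variables). Rename the default to `ldh_site_title: Title`. `ldh_nginx_server_name` is read by the nginx template but has no default here and is not documented in the README, so it also fails when unset. The defaults also ship Django with `ldh_debug: true`, `ldh_debug_all_access: true` and `ldh_debug_skip_activation_command: true`; a role default is the production posture, so defaulting every debug flag to `false` and letting the example playbook turn them on avoids DEBUG exposing settings and tracebacks to clients on a forgotten override.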
---
# handlers file for ldh_middleware
- name: restart supervisor
service:
name: supervisor
state: restarted
- name: restart uwsgi-emperor
service:
name: uwsgi-emperor
state: restarted
- name: restart nginx
service:
name: nginx
state: restarted
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 2.4
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
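Review bot: The Galaxy metadata still carries the generator placeholders `author: your name`, `description: your description` and `license: license (GPLv2, CC-BY, etc)`, which contradict the README's `AGPL-3.0-or-later` and Purism authorship. Fill them in, e.g. `license: AGPL-3.0-or-later` and `author: Purism SPC`. `min_ansible_version: 2.4` also sits below what the README says was tested (2.7.1); either raise it or test on 2.4.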
---
# tasks file for ldh_middleware
- name: Install required packages
apt:
name: "{{ ldh_required_packages }}"
update_cache: yes
cache_valid_time: 600
- name: Install ldh_middleware from .deb
apt:
deb: /tmp/ldh-middleware_0.0.2_amd64.deb
- name: Copy sample link_profile to config location
copy:
remote_src: yes
src: /opt/purist/middleware_virtualenv/config_sample/ldh_middleware/link_profile.strict.yml
dest: /etc/opt/purist/middleware/link_profile.strict.yml
- name: Copy and set values for config.ini
template:
src: templates/ldh_middleware/config.ini.j2
dest: /etc/opt/purist/middleware/config.ini
notify: "restart uwsgi-emperor"
- name: Copy and set values for secret.ini
template:
src: templates/ldh_middleware/secret.ini.j2
dest: /etc/opt/purist/middleware/secret.ini
notify: "restart uwsgi-emperor"
- name: "virtualenv initial setup: collecstatic"
shell: |
. /opt/purist/middleware_virtualenv/bin/activate
ldh_middleware collectstatic --no-input
chown --recursive www-data:www-data /var/opt/purist/
args:
creates: /var/opt/purist/middleware/static/admin
# when: ldh_collectstatic_done.stat.exists
- name: "virtualenv initial setup: migrate"
shell: |
. /opt/purist/middleware_virtualenv/bin/activate
ldh_middleware migrate --no-input
chown --recursive www-data:www-data /var/opt/purist/
args:
creates: /var/opt/purist/middleware/db.sqlite3
# when: ldh_migrate_done.stat.exists
- name: Copy Supervisor conf file to conf location
copy:
remote_src: yes
src: /opt/purist/middleware_virtualenv/config_sample/supervisor/purist_middleware_monitor.conf
dest: /etc/supervisor/conf.d/purist_middleware_monitor.conf
notify: "restart supervisor"
- name: Copy uWSGI conf file to conf location
copy:
remote_src: yes
src: /opt/purist/middleware_virtualenv/config_sample/uwsgi_emperor_vassals/purist_middleware.ini
dest: /etc/uwsgi-emperor/vassals/purist_middleware.ini
notify: "restart uwsgi-emperor"
- name: Copy and set config values for nginx
template:
src: templates/nginx/purist_middleware.j2
dest: /etc/nginx/sites-available/purist_middleware
- name: Copy SSL cert for nginx
copy:
src: "{{ ldh_nginx_ssl_cert_src_path }}"
dest: "{{ ldh_nginx_ssl_cert_path }}"
when: ldh_nginx_use_https
- name: Copy SSL key for nginx
copy:
src: "{{ ldh_nginx_ssl_key_src_path }}"
dest: "{{ ldh_nginx_ssl_key_path }}"
when: ldh_nginx_use_https
- name: enable ldh_middleware web for nginx
file:
src: /etc/nginx/sites-available/purist_middleware
dest: /etc/nginx/sites-enabled/purist_middleware
state: link
notify: "restart nginx"
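Review bot: The `template` task for secret.ini and the `copy` tasks for the SSL cert and key set no `owner`, `group` or `mode`, so the file holding the Django secret key, the LDAP bind password and the WooCommerce secret, and the plaintext key written under /etc/ssl/private, get the remote umask's default permissions, typically world-readable. Add `owner: root`, `group: www-data`, `mode: "0640"` to the secret.ini task (www-data is the account the role already chowns to) and `owner: root`, `mode: "0600"` to the key copy. `deb: /tmp/ldh-middleware_0.0.2_amd64.deb` installs as root a package that no task in this role places there and that is never checksummed; a world-writable staging directory is a poor source for a root install, so copy the .deb from the controller (or `get_url` with `checksum:`) into a root-owned directory and install from there. The nginx site template task and the cert/key copies carry no `notify: "restart nginx"`, so after the first run configuration changes are rendered but never applied, because only the symlink task notifies and it changes once.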
# stored as /etc/opt/purist/middleware/config.ini
# note that % must be escaped as %%
[settings]
SITE_TITLE={{ ldh_site_title }}
SITE_BYLINE={{ ldh_site_byline }}
SITE_DOMAIN={{ ldh_site_domain }}
SITE_PROVIDER={{ ldh_site_provider }}
SITE_PROVIDER_LINK= {{ ldh_site_provider_link }}
DEBUG={{ ldh_debug }}
DEBUG_ALL_ACCESS={{ ldh_debug_all_access }}
DEBUG_CHANGE_PASSWORD={{ ldh_debug_change_password }}
DEBUG_SKIP_ACTIVATION_COMMAND={{ ldh_debug_skip_activation_command }}
DEBUG_SKIP_VALIDATE_ON_AUTHENTICATION = {{ ldh_debug_skip_validate_on_authentication }}
# change to false after initial setup
ALLOWED_HOSTS={{ ldh_allowed_hosts }}
STATIC_ROOT=/var/opt/purist/middleware/static
REGISTRATION_OPEN={{ ldh_registration_open }}
REG_PERSON_BASE_DN={{ ldh_reg_person_base_dn }}
REG_PERSON_OBJECT_CLASSES=inetOrgPerson,organizationalPerson,person
REG_GROUP_BASE_DN={{ ldh_reg_group_base_dn }}
REG_GROUP_OBJECT_CLASSES=groupOfNames
AUTH_LDAP_SERVER_URI={{ ldh_auth_ldap_server_uri }}
AUTH_LDAP_START_TLS={{ ldh_auth_ldap_start_tls }}
AUTH_LDAP_BIND_DN={{ ldh_auth_ldap_bind_dn }}
AUTH_LDAP_USER_SEARCH_BASE_DN={{ ldh_auth_ldap_user_search_base_dn }}
SQLITE_DB_PATH=/var/opt/purist/middleware/db.sqlite3
STATICFILES_DIRS=/var/opt/purist/brand,/var/opt/purist/downloads
WOO_URL={{ ldh_woo_url }}
WOO_WP_API={{ ldh_woo_wp_api }}
WOO_VERSION={{ ldh_woo_version }}
WOO_QUERY_STRING_AUTH = {{ ldh_woo_query_string_auth }}
WOOSUB1_PRODUCT_LIST = {{ ldh_woosub1_product_list }}
OVPN_HOSTNAME={{ ldh_ovpn_hostname }}
OVPN_PORT={{ ldh_ovpn_port }}
OVPN_USERNAME={{ ldh_ovpn_username }}
OVPN_FILEPATH={{ ldh_ovpn_filepath }}
\ No newline at end of file
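Review bot: The header states `% must be escaped as %%`, yet none of the interpolated values are escaped, so a title, byline or provider link containing `%` breaks a configparser-style reader or is silently altered by interpolation. Apply the escape in the template for every free-text value, e.g. `SITE_TITLE={{ ldh_site_title | replace('%', '%%') }}`; the same omission is in secret.ini.j2, where it matters more because Django's own `get_random_secret_key()` alphabet includes `%`, so a generated key has a real chance of containing one. The comment `# change to false after initial setup` sits above `ALLOWED_HOSTS`, which has no boolean meaning; it appears to belong to the `DEBUG*` lines above it or to `REGISTRATION_OPEN` below, and should move there. `SITE_PROVIDER_LINK= {{ ldh_site_provider_link }}` has a stray space after `=` unlike its neighbours.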
# stored as /etc/opt/purist/middleware/secret.ini
# note that % must be escaped as %%
[settings]
DJANGO_SECRET_KEY = {{ ldh_django_key }}
AUTH_LDAP_BIND_PASSWORD = {{ ldh_auth_ldap_bind_password }}
WOO_CONSUMER_KEY = {{ woo_consumer_key }}
WOO_CONSUMER_SECRET = {{ woo_consumer_secret }}
# stored as /etc/nginx/sites-available/purist_middleware
# and symlink /etc/nginx/sites-enabled/purist_middleware
# deep links are ignored
server {
server_name {{ ldh_nginx_server_name }};
listen *:80;
listen [::]:80;
{% if ldh_nginx_use_https %}
# naive redirect of HTTP to HTTPS
return 301 https://{{ ldh_nginx_https_redirect }};
{% else %}
charset utf-8;
{% if ldh_nginx_log_error %}
error_log /var/log/nginx/error.log debug;
{% endif %}
location /static/ {
alias /var/opt/purist/middleware/static/;
}
location /favicon.ico {
alias /var/opt/purist/brand/favicon.ico;
}
location / {
uwsgi_pass django;
include /etc/nginx/uwsgi_params;
}
{% endif %}
}
# the upstream component nginx needs to connect to
upstream django {
server unix:/var/opt/purist/middleware/uwsgi.sock; # for a file socket
}
{% if ldh_nginx_use_https %}
# the main server block
server {
server_name {{ ldh_nginx_server_name }};
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate {{ ldh_nginx_ssl_cert_path }};
ssl_certificate_key {{ ldh_nginx_ssl_key_path }};
charset utf-8;
{% if ldh_nginx_log_error %}
error_log /var/log/nginx/error.log debug;
{% endif %}
location /static/ {
alias /var/opt/purist/middleware/static/;
}
location /favicon.ico {
alias /var/opt/purist/brand/favicon.ico;
}
location / {
uwsgi_pass django;
include /etc/nginx/uwsgi_params;
}
}
{% endif %}
\ No newline at end of file
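Review bot: `return 301 https://{{ ldh_nginx_https_redirect }};` drops the requested path and query, so every HTTP request lands on the site root; the header comment `# deep links are ignored` records this, but `return 301 https://{{ ldh_nginx_https_redirect }}$request_uri;` preserves them at no cost. When `ldh_nginx_log_error` is set the template emits `error_log /var/log/nginx/error.log debug;`, while the README describes the flag as "log errors"; `debug` is the most verbose level and records per-request detail, so either use `error` or `warn` here or rename the variable and README entry to say debug. The HTTP and HTTPS `server` blocks repeat the `charset`, `error_log` and three `location` stanzas verbatim; a Jinja `{% macro %}` or `{% include %}` keeps the two in step. The HTTPS block sets no `ssl_protocols` or `ssl_ciphers`, leaving those to the nginx build defaults, which is worth stating explicitly or pinning.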
---
- hosts: localhost
remote_user: root
roles:
- ldh_middleware
\ No newline at end of file
---
# vars file for ldh_middleware
\ No newline at end of file