diff --git a/.gitignore b/.gitignore
index 9732852b..49db8f6f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,9 @@ setup.sh
.*.sw?
roles/has_certificate/files/*.key
*.retry
+
+# IntelliJ
+.idea
+*.ipr
+*.iml
+*.iws
\ No newline at end of file
diff --git a/accounting-playbook.yml b/accounting-playbook.yml
new file mode 100644
index 00000000..bf3ea5c2
--- /dev/null
+++ b/accounting-playbook.yml
@@ -0,0 +1,49 @@
+---
+
+
+- hosts: all
+ become: yes
+ roles:
+ - { role: commons, task: timezone, tags: timezone }
+ - { role: commons, task: repos, tags: repos }
+ - { role: commons, task: basic_utils, tags: basic_utils }
+ - { role: commons, task: users, tags: groups_users_sshKeys }
+ - { role: commons, task: sshd, tags: sshd }
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: fail2ban, tags: fail2ban_conf }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: nickhammond.logrotate, tags: logrotate }
+ #- { role: commons, task: is_monitored, tags: monitored }
+ #- { role: commons, task: backupamsmongo, tags: rsyslog_conf }
+
+- hosts: mongo
+ become: yes
+ roles:
+ - { role: mongodb, task: main, tags: mongodb }
+
+- hosts: apache
+ become: yes
+ roles:
+ - { role: commons, task: cert, tags: apache_certs }
+ - { role: apache, task: main, tags: apache_install }
+
+- hosts: accounting
+ become: yes
+ roles:
+ - { role: accounting, task: accounting, tags: accounting }
+
+- hosts: accounting_oidc_client
+ become: yes
+ roles:
+ - { role: accounting, task: oidc_client, tags: accounting-oidc-client }
+
+- hosts: haproxy
+ become: yes
+ roles:
+ - { role: haproxy, task: haproxy , tags: haproxy_install }
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
\ No newline at end of file
diff --git a/ams-cluster-playbook.yml b/ams-cluster-playbook.yml
new file mode 100644
index 00000000..dfb038a2
--- /dev/null
+++ b/ams-cluster-playbook.yml
@@ -0,0 +1,72 @@
+---
+
+
+- hosts: all
+ become: yes
+ roles:
+ - { role: commons, task: selinux, tags: disable_selinux }
+ - { role: commons, task: timezone, tags: timezone }
+ - { role: commons, task: repos, tags: repos }
+ - { role: commons, task: basic_utils, tags: basic_utils }
+ - { role: commons, task: users, tags: groups_users_sshKeys }
+ - { role: commons, task: sshd, tags: sshd }
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: fail2ban, tags: fail2ban_conf }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: nickhammond.logrotate, tags: logrotate }
+ #- { role: commons, task: is_monitored, tags: monitored }
+ #- { role: commons, task: backupamsmongo, tags: rsyslog_conf }
+
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
+
+
+- hosts: ams_cluster
+ become: yes
+ roles:
+ - { role: private_hosts, task: main, tags: local_dns }
+
+
+- hosts: mongo_private_cluster
+ become: yes
+ roles:
+ - { role: mongodb, task: main, tags: mongodb }
+
+
+- hosts: ams
+ become: yes
+ roles:
+ - { role: zookeeper, task: main, tags: zookeeper_install }
+ - { role: kafka, task: main, tags: kafka_install }
+ - { role: ams, task: deploy, tags: ams_install }
+ - { role: ams, task: deploy_metrics, tags: ams_install }
+ - { role: ams, task: init_db, tags: init_ams_db }
+
+
+- hosts: ams_push_server
+ become: yes
+ roles:
+ - { role: push-server, task: push-server-setup, tags: push_install }
+
+
+- hosts: haproxy
+ become: yes
+ roles:
+ - { role: haproxy, task: haproxy, tags: haproxy_install }
+
+
+- hosts: authn
+ become: yes
+ roles:
+ - { role: argo-api-authn, task: authn-setup }
+ - { role: argo-api-authn, task: python-env-setup }
+ - { role: argo-api-authn, task: scripts_cert }
+ - { role: argo-api-authn, task: authn-init, tags: init_checks }
+ - { role: argo-api-authn, task: ams-create-users-gocdb-script, tags: authn_ams_create_users }
+ - { role: argo-api-authn, task: ams-create-users-cloud-info-script, tags: authn_ams_create_users }
+
+
diff --git a/argo-status-pages.yml b/argo-status-pages.yml
new file mode 100644
index 00000000..0f6b6163
--- /dev/null
+++ b/argo-status-pages.yml
@@ -0,0 +1,16 @@
+---
+- hosts: argo_status_pages
+ become: true
+ serial: 1
+ roles:
+ - { role: commons, task: sshd, tags: argo_status_pages}
+ - { role: commons, task: repos, tags: argo_status_pages}
+ - { role: commons, task: timezone, tags: argo_status_pages}
+ - { role: commons, task: cert, tags: argo_status_pages}
+ - { role: apache, task: main, tags: argo_status_pages}
+ - { role: argo_status_pages, task: deploy, tags: argo_status_pages}
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
\ No newline at end of file
diff --git a/cat-playbook.yml b/cat-playbook.yml
new file mode 100644
index 00000000..5b499fc7
--- /dev/null
+++ b/cat-playbook.yml
@@ -0,0 +1,40 @@
+---
+
+
+- hosts: all
+ become: yes
+ roles:
+ - { role: commons, task: timezone, tags: timezone }
+ - { role: commons, task: repos, tags: repos }
+ - { role: commons, task: basic_utils, tags: basic_utils }
+ - { role: commons, task: users, tags: groups_users_sshKeys }
+ - { role: commons, task: sshd, tags: sshd }
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: fail2ban, tags: fail2ban_conf }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: nickhammond.logrotate, tags: logrotate }
+ #- { role: commons, task: is_monitored, tags: monitored }
+ #- { role: commons, task: backupamsmongo, tags: rsyslog_conf }
+
+- hosts: apache
+ become: yes
+ roles:
+ - { role: commons, task: cert, tags: apache_certs }
+ - { role: apache, task: main, tags: apache_install }
+
+- hosts: quarkus-api
+ become: yes
+ roles:
+ - { role: quarkus-api, task: quarkus-api, tags: quarkus-api }
+ - { role: mariadb, task: main, tags: mariadb }
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
+
+- hosts: frontend
+ become: true
+ roles:
+ - { role: frontend, task: vite-react-ts-based, tags: frontend}
\ No newline at end of file
diff --git a/install.yml b/install.yml
index 447221bd..383dee65 100644
--- a/install.yml
+++ b/install.yml
@@ -3,6 +3,7 @@
- hosts: all
become: yes
roles:
+ - { role: commons, task: selinux, tags: disable_selinux }
- { role: commons, task: timezone, tags: timezone }
- { role: commons, task: repos, tags: repos }
- { role: commons, task: basic_utils, tags: basic_utils }
@@ -38,39 +39,42 @@
- hosts: haproxy
become: yes
roles:
- - { role: haproxy, task: rsyslog }
- { role: haproxy, task: haproxy , tags: haproxy_install }
-- hosts: ams_store
- become: yes
- roles:
- - { role: private_hosts }
- - { role: mongodb }
- - { role: ams, task: init_db, tags: ams_install }
-
- hosts: ams
become: yes
roles:
- - { role: private_hosts }
- { role: zookeeper, tags: zookeeper_install }
- { role: kafka, tags: kafka_install }
- { role: ams, task: deploy, tags: ams_install }
- { role: ams, task: deploy_metrics, tags: ams_install }
+ - { role: ams, task: init_db }
+
+- hosts: mongo_devel_private_network
+ become: yes
+ roles:
+ - { role: private_hosts, tags: private_hosts }
- hosts: ams_push_server
become: yes
roles:
- { role: push-server, task: push-server-setup, tags: push_install }
-- hosts: authn
+- hosts: mongo_private_cluster
become: yes
roles:
- { role: mongodb }
- - { role: argo-api-authn, task: authn-setup }
- - { role: argo-api-authn, task: python-env-setup }
- - { role: argo-api-authn, task: ams-create-users-gocdb-script }
- - { role: argo-api-authn, task: ams-create-users-cloud-info-script }
- - { role: argo-api-authn, task: scripts_cert }
+
+- hosts: authn
+ become: yes
+ roles:
+ - { role: argo-api-authn, task: authn-setup, tags: authn_install }
+ - { role: argo-api-authn, task: python-env-setup }
+ - { role: argo-api-authn, task: scripts_cert, tags: authn-scripts-cert }
+ - { role: argo-api-authn, task: authn-init, tags: init_checks }
+ - { role: argo-api-authn, task: ams-create-users-gocdb-script, tags: authn_ams_create_users }
+ - { role: argo-api-authn, task: ams-create-users-cloud-info-script, tags: authn_ams_create_users }
+
- hosts: metrics
become: yes
@@ -100,8 +104,9 @@
- hosts: swagger
become: yes
roles:
- - { role: httpd, tags: httpd }
- - { role: swagger }
+ - { role: commons, task: cert, tags: swagger_deploy }
+ - { role: apache, tags: swagger_deploy }
+ - { role: swagger, tags: [swagger_deploy, swagger_update] }
- hosts: c_cluster
become: yes
@@ -134,4 +139,26 @@
- hosts: icinga_agent
become: yes
roles:
- - { role: icinga_agent, tags: deploy_icinga_agent }
+ - { role: icinga_agent, tags: deploy_icinga_agent }
+
+- hosts: apache
+ become: yes
+ roles:
+ - { role: commons, task: cert, tags: apache_certs }
+ - { role: apache, task: main, tags: apache_install }
+
+- hosts: eseal
+ become: yes
+ remote_user: root
+ roles:
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: apache, task: main, tags: apache_install }
+ - { role: eseal, task: main, tags: eseal }
+
+
+- hosts: gocdb
+ become: yes
+ roles:
+ - { role: backup_mysql, task: backup, tags: mysql-backup }
diff --git a/pcc-api-playbook.yml b/pcc-api-playbook.yml
new file mode 100644
index 00000000..b09ccea8
--- /dev/null
+++ b/pcc-api-playbook.yml
@@ -0,0 +1,27 @@
+---
+
+- hosts: all
+ become: yes
+ roles:
+ - { role: commons, task: timezone, tags: timezone }
+ - { role: commons, task: repos, tags: repos }
+ - { role: commons, task: basic_utils, tags: basic_utils }
+ - { role: commons, task: users, tags: groups_users_sshKeys }
+ - { role: commons, task: sshd, tags: sshd }
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: fail2ban, tags: fail2ban_conf }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: nickhammond.logrotate, tags: logrotate }
+ #- { role: commons, task: is_monitored, tags: monitored }
+ #- { role: commons, task: backupamsmongo, tags: rsyslog_conf }
+
+- hosts: pcc-api
+ become: yes
+ roles:
+ - { role: pcc-api, task: main, tags: pcc-api }
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
diff --git a/pcc-ui.yml b/pcc-ui.yml
new file mode 100644
index 00000000..e9fd3ff0
--- /dev/null
+++ b/pcc-ui.yml
@@ -0,0 +1,7 @@
+---
+- hosts: pcc_ui
+ become: true
+ roles:
+ - { role: commons, task: cert}
+ - { role: pcc-ui, task: deploy, tags: pcc-ui}
+ - { role: apache, task: main}
diff --git a/pidmr-playbook.yml b/pidmr-playbook.yml
new file mode 100644
index 00000000..4d427660
--- /dev/null
+++ b/pidmr-playbook.yml
@@ -0,0 +1,40 @@
+---
+
+
+- hosts: all
+ become: yes
+ roles:
+ - { role: commons, task: timezone, tags: timezone }
+ - { role: commons, task: repos, tags: repos }
+ - { role: commons, task: basic_utils, tags: basic_utils }
+ - { role: commons, task: users, tags: groups_users_sshKeys }
+ - { role: commons, task: sshd, tags: sshd }
+ - { role: commons, task: firewall, tags: firewall }
+ - { role: commons, task: fail2ban, tags: fail2ban_conf }
+ - { role: commons, task: cert, tags: cert }
+ - { role: commons, task: rsyslog, tags: rsyslog_conf }
+ - { role: nickhammond.logrotate, tags: logrotate }
+ #- { role: commons, task: is_monitored, tags: monitored }
+ #- { role: commons, task: backupamsmongo, tags: rsyslog_conf }
+
+- hosts: apache
+ become: yes
+ roles:
+ - { role: commons, task: cert, tags: apache_certs }
+ - { role: apache, task: main, tags: apache_install }
+
+- hosts: quarkus-api
+ become: yes
+ roles:
+ - { role: quarkus-api, task: quarkus-api, tags: quarkus-api }
+ - { role: mariadb, task: main, tags: mariadb }
+
+- hosts: icinga_agent
+ become: yes
+ roles:
+ - { role: icinga_agent, tags: deploy_icinga_agent }
+
+- hosts: frontend
+ become: true
+ roles:
+ - { role: frontend, task: vite-react-ts-based, tags: frontend}
diff --git a/requirements.txt b/requirements.txt
index dd879291..f56b9ad0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,5 @@
ansible==2.9.11
docker==3.4.1
molecule==2.16.0
+dnspython==2.2.0
+requests==2.20.1
diff --git a/roles/accounting/README.md b/roles/accounting/README.md
new file mode 100644
index 00000000..937320a3
--- /dev/null
+++ b/roles/accounting/README.md
@@ -0,0 +1,59 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+```
+- hosts: mongo
+ become: yes
+ roles:
+ - { role: mongodb, task: main, tags: mongodb }
+
+
+- hosts: accounting
+ become: yes
+ roles:
+ - { role: apache, task: main, tags: apache_install }
+ - { role: accounting, task: main, tags: accounting }
+```
+
+* Deploy :
+```bash
+ansible-playbook -i accounting.ini argo-ansible/accounting-playbook.yml --vault-password-file=../vaultARGO
+```
+
+* Update only:
+```bash
+ansible-playbook -i accounting.ini argo-ansible/accounting-playbook.yml --vault-password-file=../vaultARGO --tags="accounting:update"
+```
+
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/accounting/defaults/main.yml b/roles/accounting/defaults/main.yml
new file mode 100644
index 00000000..8c39d548
--- /dev/null
+++ b/roles/accounting/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+# defaults file for accounting
+
+
+## Privileged user for accounting
+#
+accounting_user: accounting
+accounting_group: accounting
+
+
+# Directories
+#
+accounting_root_dir: /opt/accounting
+accounting_logs_dir: /var/log/accounting
+
+
+# Parameters
+#
+#quarkus_oidc:
+# client_id: example-system
+# credentials_secret: 1234
+# auth_server_url: https://login-example.com/auth/realms/
+#
+#keycloak_server:
+# url: https://login-example.com/auth
+# realm: example
+# client_id: example-system-public
+#
+#quarkus:
+# mongodb_uri: mongodb://localhost:27017"
+
+has_oidc_client: false
+
+oidc_client_version: 2.2.0
+
+oidc_client_directory: /var/www/oidc-client
diff --git a/roles/accounting/handlers/main.yml b/roles/accounting/handlers/main.yml
new file mode 100644
index 00000000..0643b486
--- /dev/null
+++ b/roles/accounting/handlers/main.yml
@@ -0,0 +1,28 @@
+---
+# handlers file for accounting
+
+
+- name: restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
+ enabled: true
+
+
+- name: Reload the systemd daemon
+ systemd:
+ daemon_reload: yes
+
+
+- name: accounting service restart and enable
+ service:
+ name: accounting.service
+ state: restarted
+ enabled: true
+
+- name: Wait a few seconds for the service to wake up
+ become: no
+ wait_for:
+ timeout: 10
+ delegate_to: localhost
+
diff --git a/roles/accounting/meta/main.yml b/roles/accounting/meta/main.yml
new file mode 100644
index 00000000..f3b4b7f3
--- /dev/null
+++ b/roles/accounting/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: Anastasios Lisgaras
+ description: DevOps Engineer
+ company: GRNET
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.9
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
diff --git a/roles/accounting/tasks/accounting.yml b/roles/accounting/tasks/accounting.yml
new file mode 100644
index 00000000..0603aaf5
--- /dev/null
+++ b/roles/accounting/tasks/accounting.yml
@@ -0,0 +1,156 @@
+---
+# tasks file for accounting installation
+
+
+- name: Ensure group "{{ accounting_group }}" exists
+ group:
+ name: "{{ accounting_group }}"
+ state: present
+ tags:
+ - accounting
+ - accounting-user
+
+- name: Add user "{{ accounting_user }}"
+ user:
+ name: "{{ accounting_user }}"
+ groups: "{{ accounting_group }}"
+ append: yes
+ create_home: no
+ shell: /sbin/nologin
+ comment: accounting nologin user
+ tags:
+ - accounting
+ - accounting-user
+
+
+- name: Install Java 11
+ yum:
+ name: "{{ packages }}"
+ state: latest
+ vars:
+ packages:
+ - java-11-openjdk
+ - java-11-openjdk-devel
+ tags:
+ - accounting
+ - accounting-packages
+ - accounting-java
+ - accounting-maven
+
+- name: Create systemd file for Accounting
+ template:
+ src: accounting.service.j2
+ dest: /etc/systemd/system/accounting.service
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - Reload the systemd daemon
+ - accounting service restart and enable
+ - Wait a few seconds for the service to wake up
+ tags:
+ - accounting
+ - accounting-update
+ - accounting-service_file
+
+
+- name: "Create {{ accounting_root_dir }} directory if it does not exist"
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ accounting_user }}"
+ group: "{{ accounting_group }}"
+ mode: '0755'
+ loop:
+ - "{{ accounting_root_dir }}"
+ tags:
+ - accounting
+ - accounting-directories
+
+- name: "Create Accounting logs directory if it doesn't exist"
+ file:
+ path: "{{ accounting_logs_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0700'
+ tags:
+ - accounting
+ - accounting-directories
+
+
+- name: Find the artifact of the last successful build
+ uri:
+ url: https://{{ jenkins.host }}/job/{{ jenkins.job }}/job/{{ jenkins.repository }}/job/{{ jenkins.branch }}/lastSuccessfulBuild/api/json
+ user: "{{ jenkins.user }}"
+ password: "{{ jenkins.password }}"
+ method: GET
+ force_basic_auth: yes
+ status_code: 200
+ register: _jenkins_results
+ tags:
+ - accounting
+ - accounting-jenkins
+ - accounting-jar
+ - accounting-update
+
+- name: Download the latest Jenkins artifact
+ get_url:
+ url: https://{{ jenkins.host }}/job/{{ jenkins.job }}/job/{{ jenkins.repository }}/job/{{ jenkins.branch }}/lastSuccessfulBuild/artifact/{{ _jenkins_results.json.artifacts[0].relativePath }}
+ dest: "{{ accounting_root_dir }}/accounting.jar"
+ username: "{{ jenkins.user }}"
+ password: "{{ jenkins.password }}"
+ force_basic_auth: yes
+ owner: "{{ accounting_user }}"
+ group: "{{ accounting_group }}"
+ mode: '0744'
+ backup: yes
+ notify:
+ - accounting service restart and enable
+ - Wait a few seconds for the service to wake up
+ tags:
+ - accounting
+ - accounting-jar
+ - accounting-update
+
+- name: Recursively change ownership of the Accounting directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ recurse: yes
+ owner: "{{ accounting_user }}"
+ group: "{{ accounting_group }}"
+ loop:
+ - "{{ accounting_root_dir }}"
+ tags:
+ - accounting
+ - accounting-directories
+ - accounting-update
+
+
+- name: Create rsyslog filter for Accounting logs
+ template:
+ src: etc/rsyslog.d/71_accounting.conf.j2
+ dest: /etc/rsyslog.d/71_accounting.conf
+ backup: yes
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - restart rsyslog
+ tags:
+ - accounting
+ - accounting-logs
+ - accounting-rsyslog
+
+
+- meta: flush_handlers
+
+
+- name: More about Accounting project.
+ debug:
+ msg:
+ - https://github.com/ARGOeu/ARGO-accounting/tree/devel
+ tags:
+ - accounting
+ - accounting-check
diff --git a/roles/accounting/tasks/main.yml b/roles/accounting/tasks/main.yml
new file mode 100644
index 00000000..8b3ddd8c
--- /dev/null
+++ b/roles/accounting/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# tasks file for accounting
+
+- include: "{{task}}.yml"
diff --git a/roles/accounting/tasks/oidc_client.yml b/roles/accounting/tasks/oidc_client.yml
new file mode 100644
index 00000000..18f5c96c
--- /dev/null
+++ b/roles/accounting/tasks/oidc_client.yml
@@ -0,0 +1,75 @@
+---
+# tasks file for oidc client installation
+
+- name: Clear any previous installations
+ file:
+ path: "{{ oidc_client_directory }}"
+ state: absent
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Install git
+ yum:
+ name: git
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Git clone the simple-oidc-client-php repo
+ git:
+ repo: https://github.com/rciam/simple-oidc-client-php.git
+ dest: "{{ oidc_client_directory }}"
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Create oidc client php config file
+ template:
+ src: oidc_client_config.php.j2
+ dest: "{{ oidc_client_directory }}/config.php"
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Install remi repo for php
+ yum:
+ name: http://rpms.remirepo.net/enterprise/remi-release-7.rpm
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Install php 7.4
+ yum:
+ name: php
+ enablerepo: remi-php74
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Install php xml
+ yum:
+ name: php-xml
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Download php composer
+ command: php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Add php composer to system path
+ command: php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
+
+- name: Run php composer for the oidc client repo
+ command: "composer install --working-dir={{ oidc_client_directory }}"
+ environment:
+ COMPOSER_NO_INTERACTION: "1"
+ tags:
+ - accounting-oidc-client
+ when: has_oidc_client | bool
\ No newline at end of file
diff --git a/roles/accounting/templates/accounting.service.j2 b/roles/accounting/templates/accounting.service.j2
new file mode 100644
index 00000000..a7e02a26
--- /dev/null
+++ b/roles/accounting/templates/accounting.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=ARGO Accounting.
+After=network.target remote-fs.target nss-lookup.target
+Documentation=https://github.com/ARGOeu/ARGO-accounting/tree/devel
+
+[Service]
+#Type=simple
+User={{ accounting_user }}
+Group={{ accounting_group }}
+WorkingDirectory={{ accounting_root_dir }}
+ExecStart=/usr/bin/java -jar {{ accounting_root_dir }}/accounting.jar
+SyslogIdentifier=accounting
+Restart=on-failure
+RestartSec=5s
+SuccessExitStatus=143
+#KillMode=mixed
+Environment="QUARKUS_MONGODB_CONNECTION_STRING={{ quarkus.mongodb_uri }}"
+Environment="SERVER_URL=https://{{ inventory_hostname }}"
+Environment="SYSTEM_ADMIN_VOPERSONID={{ system_admin_vopersonids | join(',')}}"
+Environment="SYSTEM_ADMIN_EMAIL={{ system_admin_emails | join(',')}}"
+Environment="SYSTEM_ADMIN_NAME={{ system_admin_names | join(',')}}"
+
+Environment="QUARKUS_OIDC_AUTH_SERVER_URL={{ quarkus_oidc.auth_server_url }}"
+Environment="QUARKUS_OIDC_CREDENTIALS_SECRET={{ quarkus_oidc.credentials_secret }}"
+Environment="QUARKUS_OIDC_CLIENT_ID={{ quarkus_oidc.client_id }}"
+
+Environment="AAI_PROXY_CLIENT_URL={{ aai_proxy_client_url }}"
+
+[Install]
+WantedBy=multi-user.target
+#Alias=accounting.service
+#Alias=accountingd.service
diff --git a/roles/accounting/templates/etc/rsyslog.d/71_accounting.conf.j2 b/roles/accounting/templates/etc/rsyslog.d/71_accounting.conf.j2
new file mode 100644
index 00000000..7a395f5e
--- /dev/null
+++ b/roles/accounting/templates/etc/rsyslog.d/71_accounting.conf.j2
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+
+# accounting templates
+template(name="accounting-logs" type="string" string="/var/log/accounting/accounting.log")
+
+# Local logs
+if ($programname contains "accounting") then {
+ action(type="omfile"
+ name="accounting"
+ dynaFile="accounting-logs"
+ queue.type="LinkedList"
+ queue.filename="queue_accounting_backend"
+ queue.size="100000"
+ action.resumeRetryCount="-1"
+ queue.saveonshutdown="on"
+ )
+ & stop
+}
+
+
+# Send accounting logs.
+## https://www.rsyslog.com/doc/master/configuration/modules/imfile.html
+## https://www.rsyslog.com/doc/master/configuration/actions.html
+## https://www.rsyslog.com/doc/master/configuration/templates.html
+## https://www.rsyslog.com/doc/master/concepts/queues.html
+## https://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html
+
+
+ruleset(name="fwdaccountingtocentrallog"){
+ action(type="omfwd"
+ name="accounting"
+ template="RSYSLOG_TraditionalForwardFormat"
+ queue.type="LinkedList" # In Memory Queue
+ queue.filename="fwd_q_accounting" # File name to be used for the queue files.
+ queue.size="100000" # The maximum size of the queue in number of messages.
+ action.resumeRetryCount="-1" # Sets how often an action is retried before it is considered to have failed. Failed actions discard messages. (-1 means eternal)
+ queue.saveonshutdown="on" # This parameter specifies if data should be saved at shutdown.
+ Target="{{ central_rsyslog.hostname }}" Port="{{ central_rsyslog.port }}" Protocol="tcp"
+ StreamDriver="gtls"
+ StreamDriverMode="1" # run driver in TLS-only mode
+ StreamDriverAuthMode="x509/name"
+ StreamDriverPermittedPeers="{{ central_rsyslog.permittedPeers }}"
+ )
+}
+
+input(type="imfile"
+ File="/var/log/accounting/*log"
+ Tag="accounting:"
+ ruleset="fwdaccountingtocentrallog"
+)
+
+
diff --git a/roles/accounting/templates/oidc_client_config.php.j2 b/roles/accounting/templates/oidc_client_config.php.j2
new file mode 100644
index 00000000..7a2f6907
--- /dev/null
+++ b/roles/accounting/templates/oidc_client_config.php.j2
@@ -0,0 +1,31 @@
+ 'log in using your identity',
+ 'email' => 'read your email address',
+ 'profile' => 'read your basic profile info',
+ 'voperson_id' => 'read your unique id',
+ 'eduperson_entitlement' => 'read your entitlement'
+);
+// refreshtoken.php interface configuration
+$refreshTokenNote = "NOTE: New refresh tokens expire in 12 months.";
+$accessTokenNote = "NOTE: New access tokens expire in 1 hour.";
+$manageTokenNote = "You can manage your refresh tokens in the following link: ";
+$manageTokens = $issuer . "manage/user/services";
+$sessionName = "oidc-client";
+$sessionLifetime = 60 * 60; // must be equal to access token validation time in seconds
+$allowIntrospection = true;
+$enableActiveTokensTable = false;
diff --git a/roles/alerta/defaults/main.yml b/roles/alerta/defaults/main.yml
index 6fd0149a..57244139 100644
--- a/roles/alerta/defaults/main.yml
+++ b/roles/alerta/defaults/main.yml
@@ -2,15 +2,17 @@
ssmtp_debug: YES;
alerta_admin_list: ['admin@localhost']
alerta_plugin_list: ['reject','amqp']
+alerta_default_env: 'production'
alerta_allowed_env_list: ['production']
alerta_dashboard_dir: '/var/www/html/'
alerta_dashboard_repo: https://github.com/alerta/alerta-webui.git
-alerta_dashboard_release: 'v7.2.11'
+alerta_dashboard_release: 'v8.7.0'
alerta_amqp_release: '8b1b3b3'
alerta_mailer_release: '74834e6'
alerta_secret_key: 'HOf%A)w6de5oJXJ^F=Jb@rfz4YDRKui9'
alerta_server_dir: '/opt/alerta/'
alerta_token: ''
+alerta_default_severity: 'ok'
alerta_www_url: 'localhost'
@@ -20,8 +22,8 @@ alerta_mail_from: ''
alerta_smtp_host: ''
alerta_smtp_port: 587
alerta_mail_debug: true
-alerta_version: 7.2.2
-alerta_server_version: 7.2.11
+alerta_version: 8.5.1
+alerta_server_version: 8.7.0
# default: use pip to install argo-alert from github repo using devel branch
argo_alert_repo: 'git+https://github.com/ARGOeu/argo-alert@devel#egg=argoalert'
diff --git a/roles/alerta/files/enable-python38.sh b/roles/alerta/files/enable-python38.sh
new file mode 100644
index 00000000..ae6983bb
--- /dev/null
+++ b/roles/alerta/files/enable-python38.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+source scl_source enable rh-python38
\ No newline at end of file
diff --git a/roles/alerta/files/wsgi.py b/roles/alerta/files/wsgi.py
index 4b3bcd28..50314fa4 100644
--- a/roles/alerta/files/wsgi.py
+++ b/roles/alerta/files/wsgi.py
@@ -1 +1,2 @@
-from alerta import app
+from alerta import create_app
+app = create_app()
\ No newline at end of file
diff --git a/roles/alerta/tasks/deploy.yml b/roles/alerta/tasks/deploy.yml
index 90242958..84869e37 100644
--- a/roles/alerta/tasks/deploy.yml
+++ b/roles/alerta/tasks/deploy.yml
@@ -1,20 +1,34 @@
---
+- name: Enable scl
+ yum:
+ name: '{{ item }}'
+ loop:
+ - centos-release-scl
+ - scl-utils
+ - scl-utils-build
+
- name: Install all needed packages including python3
yum:
- name: '{{ item }}'
- state: present
+ name: '{{ item }}'
+ state: present
loop:
- - python36
- - python36-devel
- - python36-setuptools
- - python36-pip
+ - rh-python38
+ - rh-python38-python-devel
- git
- supervisor
- nginx
- ssmtp
tags: alerta
+- name: copy enable python script to profile.d
+ copy:
+ src: enable-python38.sh
+ dest: /etc/profile.d/enable-python38.sh
+
+- name: Enable python 3.8 by resetting ssh connection
+ meta: reset_connection
+
- name: install the 'Development tools' package group
yum:
name: "@Development tools"
@@ -24,7 +38,7 @@
pip:
name: virtualenv
state: present
- executable: pip3.6
+ executable: pip3.8
tags: alerta
- name: Install Alerta
@@ -33,7 +47,7 @@
name: alerta
version: '{{alerta_version}}'
virtualenv: '{{ alerta_server_dir }}'
- virtualenv_python: python3.6
+ virtualenv_python: python3.8
state: forcereinstall
- name: Install Alerta-server
@@ -42,6 +56,7 @@
name: alerta-server
version: '{{alerta_server_version}}'
virtualenv: '{{ alerta_server_dir }}'
+
state: forcereinstall
- name: Install uswgi through pip
@@ -51,16 +66,12 @@
virtualenv: '{{ alerta_server_dir }}'
state: forcereinstall
-- name: (pip) Uninstall Werkzeug 1.0.0 [Fix 'werkzeug.contrib' problem (1/2)]
- pip:
- name: werkzeug
- state: absent
- virtualenv: '{{ alerta_server_dir }}'
-
-- name: (pip) Install Werkzeug 0.16.1 [Fix 'werkzeug.contrib' problem (2/2)]
+- name: Install pymongo
+ tags: alerta
pip:
- name: werkzeug==0.16.1
+ name: pymongo
virtualenv: '{{ alerta_server_dir }}'
+ state: forcereinstall
- name: Add www-data group
tags: alerta
@@ -178,7 +189,7 @@
- name: download alerta dashboard
tags: alerta, dashboard
get_url:
- url: https://github.com/alerta/alerta-webui/releases/download/v7.2.11/alerta-webui.tar.gz
+ url: 'https://github.com/alerta/alerta-webui/releases/download/{{alerta_dashboard_release}}/alerta-webui.tar.gz'
dest: /tmp/alerta_ui.tar.gz
- name: extract alerta web ui
diff --git a/roles/alerta/templates/alertad.conf.j2 b/roles/alerta/templates/alertad.conf.j2
index ddebe69c..278a66df 100644
--- a/roles/alerta/templates/alertad.conf.j2
+++ b/roles/alerta/templates/alertad.conf.j2
@@ -3,6 +3,11 @@
DEBUG=True
ADMIN_USERS = {{alerta_admin_list}}
+DATABASE_URL='mongodb://localhost:27017/monitoring'
+
+DEFAULT_ENVIRONMENT='{{alerta_default_env}}'
+DEFAULT_NORMAL_SEVERITY='{{alerta_default_severity}}'
+
SECRET_KEY='{{alerta_secret_key}}'
SEVERITY_MAP = {
'fatal': 0,
diff --git a/roles/ams/defaults/main.yml b/roles/ams/defaults/main.yml
index 4ff87169..14e6b20c 100644
--- a/roles/ams/defaults/main.yml
+++ b/roles/ams/defaults/main.yml
@@ -9,8 +9,12 @@ ams_zookeeper_hosts: "localhost:2181"
ams_kafka_znode: ''
ams_per_resource_auth: 'true'
ams_log_level: 'INFO'
+# ams_auth_option has 3 possible values, key, header, both
+ams_auth_option: 'both'
+repo_argo_disabled: "*cloudera*"
# ams_metrics_token: 'secret_key' this should be overridden in host vars
# ams_service_token: 'secret_key' this should be overridden in host vars
+# ams_proxy_hostname: 'proxy.argo.gr' this should be overridden in host vars
# ams_data_projects:
# - name: TEST #the project name
diff --git a/roles/ams/files/etc/yum.repos.d/mongodb-org-4.0.repo b/roles/ams/files/etc/yum.repos.d/mongodb-org-4.0.repo
new file mode 100644
index 00000000..545741ad
--- /dev/null
+++ b/roles/ams/files/etc/yum.repos.d/mongodb-org-4.0.repo
@@ -0,0 +1,6 @@
+[mongodb-org-4.0]
+name=MongoDB Repository
+baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
+gpgcheck=1
+enabled=1
+gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
\ No newline at end of file
diff --git a/roles/ams/handlers/main.yml b/roles/ams/handlers/main.yml
index ffaedff5..2f5f40f3 100644
--- a/roles/ams/handlers/main.yml
+++ b/roles/ams/handlers/main.yml
@@ -3,3 +3,10 @@
- name: restart argo-messaging
service: name=argo-messaging state=restarted
+
+
+- name: restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
+
diff --git a/roles/ams/tasks/deploy.yml b/roles/ams/tasks/deploy.yml
index 7e81f346..de69d4a5 100644
--- a/roles/ams/tasks/deploy.yml
+++ b/roles/ams/tasks/deploy.yml
@@ -4,41 +4,141 @@
- name: Install argo-messaging package
yum: name=argo-messaging state=latest enablerepo={{ repo_argo_enabled }} update_cache=yes
notify: restart argo-messaging
- tags: ams_install
+ tags:
+ - ams_install
+ #- ams_update
+ - ams_package
+ - ams_config
- name: copy cert to ams folder
copy: remote_src=yes src=/etc/grid-security/hostcert.pem dest=/var/www/argo-messaging/hostcert.pem backup=yes
owner=argo-messaging group=argo-messaging mode=0644
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_certs
+ - ams_config
notify: restart argo-messaging
- name: copy key to ams folder
copy: remote_src=yes src=/etc/grid-security/hostkey.pem dest=/var/www/argo-messaging/hostkey.pem backup=yes
owner=argo-messaging group=argo-messaging mode=0644
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_certs
+ - ams_config
notify: restart argo-messaging
- name: Create CA dir if not exists
file: dest=/var/www/argo-messaging/cas state=directory
owner=argo-messaging group=argo-messaging mode=0755
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_certs
+ - ams_config
notify: restart argo-messaging
+ when: ams_push_enabled is defined and ams_push_enabled | default(false) | bool
-- name: Copy CA file
- copy: src=private_files/{{ inventory_hostname }}/DigiCertCA.crt
- dest=/var/www/argo-messaging/cas/DigiCertCA.pem
+- name: Copy CA file to validate push server
+ copy: src=private_files/{{ inventory_hostname }}/PushCA.crt
+ dest=/var/www/argo-messaging/cas/PushCA.pem
backup=yes
owner=argo-messaging group=argo-messaging mode=0644
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_certs
+ - ams_config
notify: restart argo-messaging
+ when: ams_push_enabled is defined and ams_push_enabled | default(false) | bool
- name: Configure argo-messaging api
template: src=config.json.j2
dest=/etc/argo-messaging/config.json backup=yes
owner=root group=root mode=0644
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_config
+ - ams_config_json
notify: restart argo-messaging
+
+- name: Configure argo-messaging log(rsyslog)
+ template:
+ src: etc/rsyslog.d/61_ams.conf.j2
+ dest: /etc/rsyslog.d/61_ams.conf
+ backup: true
+ owner: root
+ group: root
+ notify: restart rsyslog
+ tags:
+ - ams_install
+ - ams_config
+ - ams_rsyslog
+
+
+- name: Download Republisher ( ARGOeu/argo-messaging/devel )
+ get_url:
+ url: https://raw.githubusercontent.com/ARGOeu/argo-messaging/devel/tools/republisher.py
+ dest: /etc/argo-messaging/republisher.py
+ owner: argo-messaging
+ group: argo-messaging
+ mode: '0755'
+ backup: yes
+ tags:
+ - ams_install
+ - ams_config
+ - ams_republisher
+
+
- name: Start argo-messaging service
service: name=argo-messaging state=started enabled=true
- tags: ams_install
+ tags:
+ - ams_install
+ - ams_config
+
+
+- name: AMS check - Version (1/3)
+ uri:
+ url: "https://localhost/v1/version"
+ method: GET
+ return_content: yes
+ status_code: 200
+ validate_certs: no
+ retries: 3
+ delay: 3
+ register: ams_version_response
+ tags:
+ - ams_install
+ - ams_check
+ - ams_check:version
+
+- name: AMS check - Health status (2/3)
+ uri:
+ url: "https://localhost/v1/status"
+ method: GET
+ return_content: yes
+ status_code: 200
+ validate_certs: no
+ retries: 3
+ delay: 3
+ register: ams_status_response
+ tags:
+ - ams_install
+ - ams_check
+ - ams_check:stats
+
+- name: AMS check - All projects (3/3)
+ uri:
+ url: "https://localhost/v1/projects"
+ method: GET
+ return_content: yes
+ status_code: 200
+ validate_certs: no
+ headers:
+ x-api-key: "{{ ams_service_token }}"
+ retries: 3
+ delay: 3
+ register: ams_projects_response
+ tags:
+ - ams_install
+ - ams_check
+ - ams_check:projects
diff --git a/roles/ams/tasks/init_db.yml b/roles/ams/tasks/init_db.yml
index 368a507b..7a876775 100644
--- a/roles/ams/tasks/init_db.yml
+++ b/roles/ams/tasks/init_db.yml
@@ -1,14 +1,34 @@
---
+- name: Install mongodb 4.0 repo
+ copy: src=etc/yum.repos.d/mongodb-org-4.0.repo
+ dest=/etc/yum.repos.d/mongodb-org-4.0.repo backup=no
+ owner=root group=root mode=0644
+ when: groups[cluster_group][0] == inventory_hostname
+ tags:
+ - ams_install
+ - init_db
+
+- name: Install mongoDB shell
+ yum:
+ name: mongodb-org-shell
+ state: present
+ when: groups[cluster_group][0] == inventory_hostname
+ tags:
+ - ams_install
+ - init_db
+
- name: Move init roles script
template: dest="/tmp/db_init_roles.js" owner=root group=root mode=640 src=db_init_roles.js.j2
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
- init_roles
- name: Run init roles script
- shell: mongo < /tmp/db_init_roles.js
+ shell: mongo --host "rs0/{{ams_store_host}}" < /tmp/db_init_roles.js
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
@@ -16,13 +36,15 @@
- name: Move init projects script
template: dest="/tmp/db_init_projects.js" owner=root group=root mode=640 src=db_init_projects.js.j2
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
- init_projects
- name: Run init projects script
- shell: mongo < /tmp/db_init_projects.js
+ shell: mongo --host "rs0/{{ams_store_host}}" < /tmp/db_init_projects.js
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
@@ -30,13 +52,15 @@
- name: Move init users script
template: dest="/tmp/db_init_users.js" owner=root group=root mode=640 src=db_init_users.js.j2
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
- init_projects
- name: Run init users script
- shell: mongo < /tmp/db_init_users.js
+ shell: mongo --host "rs0/{{ams_store_host}}" < /tmp/db_init_users.js
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
@@ -44,13 +68,15 @@
- name: Move init push worker script
template: dest="/tmp/db_init_pushworker.js" owner=root group=root mode=640 src=db_init_pushworker.js.j2
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
- init_push_worker
- name: Run init push worker script
- shell: mongo < /tmp/db_init_pushworker.js
+ shell: mongo --host "rs0/{{ams_store_host}}" < /tmp/db_init_pushworker.js
+ when: groups[cluster_group][0] == inventory_hostname
tags:
- ams_install
- init_db
diff --git a/roles/ams/tasks/update.yml b/roles/ams/tasks/update.yml
index 4bc14d65..7b109222 100644
--- a/roles/ams/tasks/update.yml
+++ b/roles/ams/tasks/update.yml
@@ -1,11 +1,31 @@
---
+- name: Move init roles script
+ template:
+ dest: "/tmp/db_init_roles.js"
+ owner: root
+ group: root
+ mode: 640
+ src: db_init_roles.js.j2
+ when: groups[cluster_group][0] == inventory_hostname
+ tags: ams_update
+
+- name: Run init roles script
+ shell: mongo --host "rs0/{{ams_store_host}}" < /tmp/db_init_roles.js
+ when: groups[cluster_group][0] == inventory_hostname
+ tags: ams_update
+
- name: Update argo-messaging package
- yum: name=argo-messaging state=latest enablerepo={{ repo_argo_enabled }} update_cache=yes
+ yum:
+ name: argo-messaging
+ state: latest
+ enablerepo: "{{ repo_argo_enabled }}"
+ disablerepo: "{{ repo_argo_disabled }}"
+ update_cache: yes
notify: restart argo-messaging
tags: ams_update
- name: Reload the systemd daemon
systemd:
daemon_reload: yes
- tags: ams_update
\ No newline at end of file
+ tags: ams_update
diff --git a/roles/ams/templates/check-metrics.sh.j2 b/roles/ams/templates/check-metrics.sh.j2
index f4fbd90f..d9aa55aa 100644
--- a/roles/ams/templates/check-metrics.sh.j2
+++ b/roles/ams/templates/check-metrics.sh.j2
@@ -1 +1 @@
-curl -k -X GET 'https://{{inventory_hostname}}/v1/metrics?key={{ams_metrics_token}}' -H 'cache-control: no-cache' -H 'content-type: application/json'
+curl -k -X GET 'https://{{inventory_hostname}}/v1/metrics' -H 'x-api-key: {{ams_metrics_token}}' -H 'cache-control: no-cache' -H 'content-type: application/json'
diff --git a/roles/ams/templates/config.json.j2 b/roles/ams/templates/config.json.j2
index 0cf9d56d..cfa47ab4 100644
--- a/roles/ams/templates/config.json.j2
+++ b/roles/ams/templates/config.json.j2
@@ -1,7 +1,7 @@
{
"bind_ip":"{{ams_bind_ip}}",
"port":{{ams_port}},
- "zookeeper_hosts":[{% for host in groups[cluster_group] %}"{{hostvars[host]['private']['hostname']}}:2181"{% if not loop.last %},{% endif %}{% endfor %}],
+ "zookeeper_hosts":[{% for host in groups[zookeeper_cluster_group] %}{% if hostvars[host]['is_zoo_host'] is defined %}{% if hostvars[host]['is_zoo_host'] | bool == True %}"{{hostvars[host]['private']['hostname']}}:2181"{% if not loop.last %},{% endif %}{% endif %}{% endif %}{% endfor %} ],
"kafka_znode":"{{ams_kafka_znode}}",
"store_host":"{{ams_store_host}}",
"store_db":"{{ams_store_db}}",
@@ -9,18 +9,24 @@
"certificate_key":"/var/www/argo-messaging/hostkey.pem",
"per_resource_auth":{{ams_per_resource_auth}},
{% if ams_service_token %}
- "service_token":"{{ams_service_token}}",
+"service_token":"{{ams_service_token}}",
{% endif %}
- "log_level": "{{ams_log_level}}",
{% if ams_push_enabled %}
- "push_enabled": {{ams_push_enabled}},
+"push_enabled": {{ams_push_enabled}},
"push_server_host": "{{ams_push_server_host}}",
"push_server_port": {{ams_push_server_port}},
"push_worker_token": "{{ams_push_worker_token}}",
{% if ams_push_tls_enabled %}
"push_tls_enabled": {{ams_push_tls_enabled}},
"verify_push_server": {{ams_verify_push_server}},
- "certificate_authorities_dir": "/var/www/argo-messaging/cas"
+ "certificate_authorities_dir": "/var/www/argo-messaging/cas",
{% endif %}
{% endif %}
+ {% if ams_proxy_hostname %}
+ "proxy_hostname": "{{ams_proxy_hostname}}",
+ {% endif %}
+ {% if ams_auth_option %}
+ "auth_option": "{{ams_auth_option}}",
+ {% endif %}
+ "log_level": "{{ams_log_level}}"
}
diff --git a/roles/ams/templates/db_init_pushworker.js.j2 b/roles/ams/templates/db_init_pushworker.js.j2
index 7ac7f458..b21cbd5b 100644
--- a/roles/ams/templates/db_init_pushworker.js.j2
+++ b/roles/ams/templates/db_init_pushworker.js.j2
@@ -1,13 +1,23 @@
use {{ams_store_db}}
db.users.update(
-{"token": "{{ams_push_worker_token}}"},
-{"$set":
- {
- "uuid":"{{ams_push_worker_uuid}}",
- "name": "push_worker_0",
- "email": "argo-ops@lists.grnet.gr",
- "projects": [],
- "service_roles": ["push_worker"]}
+{
+ "token": "{{ams_push_worker_token}}"
},
-{"upsert":"true"})
+{
+ "$set":{
+ "uuid":"{{ams_push_worker_uuid}}",
+ "name": "push_worker_0",
+ "email": "argo-ops@lists.grnet.gr",
+ "modified_on": new Date(),
+ "service_roles": ["push_worker"]
+ },
+ "$setOnInsert":{
+ "created_on": new Date(),
+ "projects":[]
+ }
+ },
+{
+ "upsert":"true"
+}
+)
diff --git a/roles/ams/templates/db_init_roles.js.j2 b/roles/ams/templates/db_init_roles.js.j2
index 53b12e7f..ae6eb01a 100644
--- a/roles/ams/templates/db_init_roles.js.j2
+++ b/roles/ams/templates/db_init_roles.js.j2
@@ -1,22 +1,21 @@
use {{ams_store_db}}
db.roles.drop()
db.roles.insert([
-{"resource" : "ams:metrics", "roles": ["service_admin", "metrics_viewer"]},
-{"resource" : "ams:dailyMessageAverage", "roles": ["service_admin", "metrics_viewer"]},
+{"resource" : "ams:metrics", "roles": ["service_admin", "metrics_viewer", "project_admin"]},
+{"resource" : "ams:vaMetrics", "roles": ["service_admin", "metrics_viewer", "project_admin"]},
{"resource" : "users:byUUID", "roles" : [ "service_admin", "argo_api_authn"] },
{"resource" : "users:byToken", "roles" : [ "service_admin", "push_worker" ] },
{"resource" : "users:list", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "users:show", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "users:create", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "users:update", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "users:refreshToken", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "users:delete", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "users:show", "roles" : [ "service_admin" ] },
+{"resource" : "users:create", "roles" : [ "service_admin" ] },
+{"resource" : "users:update", "roles" : [ "service_admin" ] },
+{"resource" : "users:refreshToken", "roles" : [ "service_admin" ] },
+{"resource" : "users:delete", "roles" : [ "service_admin" ] },
{"resource" : "registrations:newUser", "roles" : [ "service_admin", "register_admin" ] },
{"resource" : "registrations:acceptNewUser", "roles" : [ "service_admin" ] },
{"resource" : "registrations:declineNewUser", "roles" : [ "service_admin" ] },
{"resource" : "registrations:show", "roles" : [ "service_admin" ] },
{"resource" : "registrations:list", "roles" : [ "service_admin" ] },
-{"resource" : "projects:showUser", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "projects:createUser", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "projects:metrics", "roles" : [ "service_admin", "project_admin"] },
{"resource" : "projects:list", "roles" : [ "service_admin"] },
@@ -24,15 +23,21 @@ db.roles.insert([
{"resource" : "projects:show", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "projects:update", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "projects:delete", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "projects:addUser", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "projects:removeUser", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "projects:showUser", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "projects:updateUser", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "projects:listUsers", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "topics:list", "roles" : ["service_admin", "project_admin", "publisher" ] },
{"resource" : "topics:publish", "roles" : [ "service_admin","project_admin", "publisher" ] },
{"resource" : "topics:metrics", "roles" : [ "service_admin", "project_admin", "publisher" ] },
-{"resource" : "topics:list", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "topics:show", "roles" : [ "service_admin", "project_admin", "publisher" ] },
{"resource" : "topics:create", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "topics:delete", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "topics:acl", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "topics:modifyAcl", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "topics:attachSchema", "roles" : [ "service_admin", "project_admin" ] },
+{"resource" : "topics:detachSchema", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "subscriptions:create", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "subscriptions:delete", "roles" : ["service_admin", "project_admin" ] },
{"resource" : "subscriptions:list", "roles" : [ "service_admin", "project_admin", "consumer" ] },
@@ -55,5 +60,6 @@ db.roles.insert([
{"resource" : "schemas:update", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "schemas:delete", "roles" : [ "service_admin", "project_admin" ] },
{"resource" : "schemas:list", "roles" : [ "service_admin", "project_admin" ] },
-{"resource" : "schemas:validateMessage", "roles" : [ "service_admin", "project_admin" ] }
+{"resource" : "schemas:validateMessage", "roles" : [ "service_admin", "project_admin" ] },
+{"resource": "ams:healthStatus", "roles":["service_admin", "admin_viewer"] }
])
diff --git a/roles/ams/templates/etc/rsyslog.d/61_ams.conf.j2 b/roles/ams/templates/etc/rsyslog.d/61_ams.conf.j2
new file mode 100644
index 00000000..7a46f2e5
--- /dev/null
+++ b/roles/ams/templates/etc/rsyslog.d/61_ams.conf.j2
@@ -0,0 +1,50 @@
+# {{ ansible_managed }}
+
+
+# AMS templates
+template(name="ams-logs" type="string" string="/var/log/argo_messaging/ams.log")
+
+if ($programname contains "argo_messaging") then {
+ action(type="omfile"
+ name="AMS"
+ dynaFile="ams-logs"
+ queue.type="LinkedList"
+ queue.filename="queue_AMS"
+ queue.size="100000"
+ action.resumeRetryCount="-1"
+ queue.saveonshutdown="on"
+ )
+ & stop
+}
+
+
+# Send ARGO-Messaging logs.
+## https://www.rsyslog.com/doc/master/configuration/modules/imfile.html
+## https://www.rsyslog.com/doc/master/configuration/actions.html
+## https://www.rsyslog.com/doc/master/configuration/templates.html
+## https://www.rsyslog.com/doc/master/concepts/queues.html
+## https://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html
+
+
+ruleset(name="fwdamstocentrallog"){
+ action(type="omfwd"
+ name="ams"
+ template="RSYSLOG_TraditionalForwardFormat"
+ queue.type="LinkedList" # In Memory Queue
+ queue.filename="fwd_q_ams" # File name to be used for the queue files.
+ queue.size="100000" # The maximum size of the queue in number of messages.
+ action.resumeRetryCount="-1" # Sets how often an action is retried before it is considered to have failed. Failed actions discard messages. (-1 means eternal)
+ queue.saveonshutdown="on" # This parameter specifies if data should be saved at shutdown.
+ Target="{{ central_rsyslog.hostname }}" Port="{{ central_rsyslog.port }}" Protocol="tcp"
+ StreamDriver="gtls"
+ StreamDriverMode="1" # run driver in TLS-only mode
+ StreamDriverAuthMode="x509/name"
+ StreamDriverPermittedPeers="{{ central_rsyslog.permittedPeers }}"
+ )
+}
+
+input(type="imfile"
+ File="/var/log/argo_messaging/ams.log"
+ Tag="ams:"
+ ruleset="fwdamstocentrallog"
+)
diff --git a/roles/apache/README.md b/roles/apache/README.md
new file mode 100644
index 00000000..e2538e1f
--- /dev/null
+++ b/roles/apache/README.md
@@ -0,0 +1,110 @@
+Apache
+=========
+
+Installs apache to remote host and sets up a secure configuration
+(Only for CentOS)
+
+Requirements
+------------
+
+Inventory group `[apache]` contains hostnames. Each host must have a directory in `private_files` including the ssl certificates and a `host_var` file. The private files should include the ssl certificate with the following format where hostname=server name
+
+- `key file`: hostname.key
+- `cert file`: hostname.pem
+- `ca chain file`: chain-hostname.key
+
+Role Variables
+--------------
+Defaults:
+- `cert_dir`: /etc/grid-security # directory to save certificates
+- `cert_path`: /etc/grid-security/hostcert.pem
+- `cert_key_path`: /etc/grid-security/hostkey.pem
+- `ca_path`: /etc/pki/tls/certs/
+- `ca_path/chain-{{inventory_hostname}}.pem`: /etc/pki/tls/certs/chain-host.pem
+- `backup_dir`: /var/apache_backup
+
+If you want to add 2 virtualhosts in the same server with different names you should change the values of
+`cert_path` and `cert_key_path` so the certificates will not be overwritten
+
+The chain ca file is at `ca_path/chain-{{inventory_hostname}}.pem` and we dont just replace the ca-bundle.crt file under `/etc/pki/tls/certs/` because ca-bundle.crt is a symlink to to the aggregate ca certificates file.
+
+Required host variables:
+
+- `httpd_rev_proxy`: # OPTIONAL if apache is reverse proxying a service
+ - `ip`: service ip
+ - `port`: service port
+- `httpd_document_root`: directory path # OPTIONAL if apache serves static files
+- `httpd_extra_conf`: extra apache directives # OPTIONAL if virtualhost uses additional custom directives
+- `httpd_global_conf`: extra global apache directives # OPTIONAL This directives are placed outside of the virtualhost tags
+
+example.com host_var
+```yaml
+httpd_document_root: /var/www/html/example/
+httpd_extra_conf: |
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-Port "443"
+
+```
+
+Example Playbook
+----------------
+
+ - hosts: apache
+ roles:
+ - { role: apache, tags: apache_install }
+
+simple execution:
+```bash
+ansible-playbook -i devel argo-ansible/install.yml -t apache_install -u root -v
+```
+
+*Clean install*
+
+By running clean install the role will *DELETE* `/etc/httpd/conf.d` and `/etc/httpd/conf` directories after the backup of the apache cofigurations. Find, the backup tarball at the default location /var/apache_backup in case you need to revert the files to the latest version.
+
+*IMPORTANT*, do not run clean install for the *single server - several NameHosts* use case. If you want to make a cleanup use clean_install variable for the first Namehost, and then run the role for the next NameHosts without the variable.
+
+- execution for clean install:
+```bash
+ansible-playbook -i devel -l apache argo-ansible/install.yml -t apache_install -u root -v --extra-vars "clean_install=True"
+```
+
+In case the following error occures use the `--ask-become-pass` to use a sudoers pass
+```
+TASK [commons : Check if chain file exists in private_files] **********************************************************************************************************
+task path: /home/user/repos/argo/ansible/argo-ansible-deploy/argo-ansible/roles/commons/tasks/cert.yml:21
+fatal: [jenkins.argo.grnet.gr]: FAILED! => changed=false
+ module_stderr: |-
+ sudo: a password is required
+ module_stdout: ''
+ msg: |-
+ MODULE FAILURE
+ See stdout/stderr for the exact error
+ rc: 1
+```
+
+Execution with `--ask-become-pass`
+```bash
+ansible-playbook --ask-become-pass -i devel -l apache argo-ansible/install.yml -t apache_install -u root -vv
+```
+
+### Apache (httpd) modules
+
+If you want to enable/disable some extra apache module, you can use the following list variables:
+
+* `httpd_extra_system_packages` : System packages that required for the extra apache modules.
+* `httpd_mods_disabled` : The name of the apache module where you want to disable.
+* `httpd_mods_enabled` : The name of the apache module where you want to enable.
+
+* See `defaults/main.yml` for usage examples.
+
+
+License
+-------
+
+Apache 2
+
+Author Information
+------------------
+
+GRNET
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
new file mode 100644
index 00000000..1cbf04e8
--- /dev/null
+++ b/roles/apache/defaults/main.yml
@@ -0,0 +1,42 @@
+---
+# defaults file for apache
+
+backup_dir: /var/apache_backup
+
+#httpd_document_root: /var/www/html/{{inventory_hostname}}
+#
+#httpd_rev_proxy:
+# ip: 127.0.0.1
+# port: 8080
+#
+#httpd_extra_conf: |
+#
+# Options Indexes FollowSymLinks
+# AllowOverride None
+# Require all granted
+#
+
+#httpd_extra_system_packages:
+# - httpd-tools
+# - httpd-devel
+# - openssl
+# - mod_ssl
+# - mod_wsgi
+# - mod_geoip
+# - mod_gnutls
+# - mod_fcgid
+# - mod_security
+
+#httpd_mods_disabled:
+# - mpm_prefork
+# - gnutls
+
+#httpd_mods_enabled:
+# - rewrite
+# - ssl
+# - headers
+# - http2
+# - env
+# - dir
+# - mime
+
diff --git a/roles/apache/files/httpd.conf b/roles/apache/files/httpd.conf
new file mode 100644
index 00000000..ea1d4cde
--- /dev/null
+++ b/roles/apache/files/httpd.conf
@@ -0,0 +1,353 @@
+#
+# This is the main Apache HTTP server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See for detailed information.
+# In particular, see
+#
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
+# with ServerRoot set to '/www' will be interpreted by the
+# server as '/www/log/access_log', where as '/log/access_log' will be
+# interpreted as '/log/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path. If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used. If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/etc/httpd"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+Include conf.modules.d/*.conf
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User apache
+Group apache
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# definition. These values also provide defaults for
+# any containers you may define later in the file.
+#
+# All of these directives may appear inside containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# blocks below.
+#
+
+ AllowOverride none
+ Require all denied
+
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/html"
+
+#
+# Relax access to content within /var/www.
+#
+
+ AllowOverride None
+ # Allow open access:
+ Require all granted
+
+
+# Further relax access to the default document root:
+
+ #
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
+ # for more information.
+ #
+ Options Indexes FollowSymLinks
+
+ #
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # Options FileInfo AuthConfig Limit
+ #
+ AllowOverride None
+
+ #
+ # Controls who can get stuff from this server.
+ #
+ Require all granted
+
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+
+ DirectoryIndex index.html
+
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+
+ Require all denied
+
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog "logs/error_log"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+
+ #
+ # The following directives define some format nicknames for use with
+ # a CustomLog directive (see below).
+ #
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+
+ #
+ # The location and format of the access logfile (Common Logfile Format).
+ # If you do not define any access logfiles within a
+ # container, they will be logged here. Contrariwise, if you *do*
+ # define per- access logfiles, transactions will be
+ # logged therein and *not* in this file.
+ #
+ #CustomLog "logs/access_log" common
+
+ #
+ # If you prefer a logfile with access, agent, and referer information
+ # (Combined Logfile Format) you can use the following directive.
+ #
+ CustomLog "logs/access_log" combined
+
+
+
+ #
+ # Redirect: Allows you to tell clients about documents that used to
+ # exist in your server's namespace, but do not anymore. The client
+ # will make a new request for the document at its new location.
+ # Example:
+ # Redirect permanent /foo http://www.example.com/bar
+
+ #
+ # Alias: Maps web paths into filesystem paths and is used to
+ # access content that does not live under the DocumentRoot.
+ # Example:
+ # Alias /webpath /full/filesystem/path
+ #
+ # If you include a trailing / on /webpath then the server will
+ # require it to be present in the URL. You will also likely
+ # need to provide a section to allow access to
+ # the filesystem path.
+
+ #
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the target directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the
+ # client. The same rules about trailing "/" apply to ScriptAlias
+ # directives as to Alias.
+ #
+ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+
+
+
+#
+# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+
+ AllowOverride None
+ Options None
+ Require all granted
+
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig /etc/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file specified in TypesConfig for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ # For type maps (negotiated resources):
+ #AddHandler type-map var
+
+ #
+ # Filters allow you to process content before it is sent to the client.
+ #
+ # To parse .shtml files for server-side includes (SSI):
+ # (You will also need to add "Includes" to the "Options" directive.)
+ #
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default. To use the
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+AddDefaultCharset UTF-8
+
+
+ #
+ # The mod_mime_magic module allows the server to use various hints from the
+ # contents of the file itself to determine its type. The MIMEMagicFile
+ # directive tells the module where the hint definitions are located.
+ #
+ MIMEMagicFile conf/magic
+
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall may be used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults if commented: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
\ No newline at end of file
diff --git a/roles/apache/files/ssl.conf b/roles/apache/files/ssl.conf
new file mode 100644
index 00000000..b6efdfad
--- /dev/null
+++ b/roles/apache/files/ssl.conf
@@ -0,0 +1,218 @@
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2 -SSLv3
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
+
+# Speed-optimized SSL Cipher configuration:
+# If speed is your main concern (on busy HTTPS servers e.g.),
+# you might want to force clients to specific, performance
+# optimized ciphers. In this case, prepend those ciphers
+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
+# (as in the example below), most connections will no longer
+# have perfect forward secrecy - if the server's key is
+# compromised, captures of past or future traffic must be
+# considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
+IncludeOptional conf.d/strong_ssl.conf
\ No newline at end of file
diff --git a/roles/apache/files/strong_ssl.conf b/roles/apache/files/strong_ssl.conf
new file mode 100644
index 00000000..9ca9bfee
--- /dev/null
+++ b/roles/apache/files/strong_ssl.conf
@@ -0,0 +1,63 @@
+#
+# ServerTokens:
+# This directive controls which info of the generic OS-type
+# and apache version will be sent as a response to the client
+# Prod value will only return the webserver type (Apache)
+ServerTokens Prod
+
+# ServerSignature:
+# This directive allows the configuration of a trailing
+# footer line under server-generated documents
+ServerSignature Off
+
+# Disabling directory listing by default
+
+ Options -Indexes
+ Order allow,deny
+ Allow from all
+
+
+# SSLStaplingCache:
+# Configures the cache used to store OCSP responses which get
+# included in the TLS handshake if SSLUseStapling is enabled
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+
+# SSLCipherSuite:
+# This is a colon-separated cipher-spec string consisting of OpenSSL
+# cipher specifications to configure the Cipher Suite the client is
+# permitted to negotiate in the SSL handshake phase
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
+
+# SSLProtocol
+# This directive can be used to control which versions of the SSL/TLS
+# protocol will be accepted in new connections. Enabling only TLSv1.2
+SSLProtocol -all +TLSv1.2
+
+# SSLHonorCipherOrder:
+# When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
+# the client's preference is used. If this directive is enabled, the
+# server's preference will be used instead.
+SSLHonorCipherOrder On
+
+# This directive allows to enable compression on the SSL level
+SSLCompression off
+
+# This directive allows to enable or disable the use of TLS session tickets
+SSLSessionTickets Off
+
+# Enable stapling of OCSP responses in the TLS handshak
+SSLUseStapling on
+
+
+# The HTTP Strict-Transport-Security response header lets a web
+# site tell browsers that it should only be accessed using HTTPS,
+# instead of using HTTP.
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+
+# The X-Frame-Options HTTP response header can be used to indicate
+# whether or not a browser should be allowed to render a page in a
+# ,