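---
# Provisioning play for an MC Hub host: Shibboleth SP and Apache front end,
# the MC Hub podman containers, Let's Encrypt HTTPS, optional Filebeat log
# shipping and the users database.
#
# Review changes versus the previous revision (each is commented in place):
#   * Shibboleth repo: gpgcheck turned on (a gpgkey was already configured).
#   * MC Hub container port published on 127.0.0.1 only, not every interface.
#   * "Install Filebeat" escalates to root like the other yum tasks.
#   * users-db: chdir follows {{ ansible_user }} instead of a hard-coded user,
#     and the registered stat is no longer called "file".
#   * linger task is idempotent (creates:), booleans are true/false,
#     modules use their fully qualified names.
- hosts: all
  vars:
    # Host port the MC Hub container is published on; Apache proxies to it.
    internal_web_app_port: "5000"
  tasks:
    # Disable SELinux because of issues with podman when mounting file
    # NOTE(review): this drops SELinux confinement for every service on the
    # host (httpd, shibd, ...), not just for podman. Relabelling the bind
    # mounts below with ':Z' would scope the workaround to the container
    # volumes — TODO confirm that works here. 'state: disabled' only fully
    # applies after a reboot.
    - name: Disable SELinux
      become: true
      ansible.posix.selinux:
        state: disabled

    # Keys are fetched over HTTPS (validate_certs defaults to true); whatever
    # keys the GitHub account currently lists become authorized for
    # {{ ansible_user }}.
    - name: Add ssh keys of {{ github_user }}
      when: github_user is defined
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        state: present
        key: "https://github.com/{{ github_user }}.keys"

    # Lingering keeps the rootless podman containers running while
    # {{ ansible_user }} is logged out. No shell features are needed, and
    # 'creates' makes the task idempotent (loginctl writes this marker file).
    - name: Enable linger process for {{ ansible_user }}
      become: true
      ansible.builtin.command:
        cmd: "loginctl enable-linger {{ ansible_user }}"
        creates: "/var/lib/systemd/linger/{{ ansible_user }}"

    - name: Install EPEL repo
      become: true
      ansible.builtin.yum:
        name: epel-release
        state: present

    - name: Install podman
      become: true
      ansible.builtin.yum:
        name: podman
        state: present
      tags:
        - common

    - name: Install Shibboleth service provider
      become: true
      block:
        - name: Add Shibboleth repository
          ansible.builtin.yum_repository:
            name: shibboleth
            description: Shibboleth (CentOS_8)
            # A signing key is configured, so require packages from this
            # third-party repository to verify against it instead of
            # installing unsigned/unverified RPMs.
            gpgcheck: true
            gpgkey: "https://download.opensuse.org/repositories/security:/shibboleth/CentOS_8/repodata/repomd.xml.key"
            mirrorlist: "https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8"
        - name: Install Shibboleth package
          ansible.builtin.yum:
            name: shibboleth.x86_64
            state: present
      tags:
        - shibboleth

    - name: Install Apache HTTPD server
      become: true
      ansible.builtin.yum:
        name:
          - httpd.x86_64
          - mod_ssl
        state: present
      tags:
        - apache

    - name: Configure Shibboleth service provider
      become: true
      block:
        # Probe the four SP key/certificate files on the controller. A
        # non-zero rc means "missing"; failures are expected and not fatal.
        - name: Check if Shibboleth keys and certificates exist locally
          ansible.builtin.command:
            cmd: "stat {{ inventory_dir }}/shibboleth-crypto/{{ item }}"
          delegate_to: localhost
          become: false
          failed_when: false
          changed_when: false
          loop:
            - sp-encrypt-cert.pem
            - sp-encrypt-key.pem
            - sp-signing-cert.pem
            - sp-signing-key.pem
          register: shib_keys_and_certificates_stats

        # Only copied when all four files exist (no probe returned rc != 0).
        # Private keys land root-only (0600); certificates are world-readable.
        - name: Copy Shibboleth keys and certificates
          ansible.builtin.copy:
            src: "{{ inventory_dir }}/shibboleth-crypto/{{ item.src }}"
            dest: /etc/shibboleth
            mode: "{{ item.mode }}"
          loop:
            - { src: sp-encrypt-cert.pem, mode: "0644" }
            - { src: sp-encrypt-key.pem, mode: "0600" }
            - { src: sp-signing-cert.pem, mode: "0644" }
            - { src: sp-signing-key.pem, mode: "0600" }
          when: (shib_keys_and_certificates_stats.results | selectattr('rc') | list | length) == 0

        - name: Copy Shibboleth attribute map
          ansible.builtin.copy:
            src: files/etc/shibboleth/attribute-map.xml
            dest: /etc/shibboleth
            mode: "0644"

        # Trust in the IdP metadata rests on TLS to this URL (validate_certs
        # defaults to true). NOTE(review): any metadata signature checking is
        # configured in shibboleth2.xml.j2, not here — confirm it is enabled.
        - name: Download Identity Provider's metadata
          ansible.builtin.get_url:
            url: "{{ saml_identity_provider_metadata_url }}"
            dest: /etc/shibboleth/partner-metadata.xml
            mode: "0644"

        - name: Create Shibboleth main configuration file
          ansible.builtin.template:
            src: files/etc/shibboleth/shibboleth2.xml.j2
            dest: /etc/shibboleth/shibboleth2.xml
            mode: "0644"

        - name: Start Shibboleth service
          ansible.builtin.systemd:
            name: shibd
            state: started
            enabled: true
      tags:
        - shibboleth

    - name: Configure Apache HTTPD server
      become: true
      block:
        - name: Remove Apache welcome.conf configuration file
          ansible.builtin.file:
            path: /etc/httpd/conf.d/welcome.conf
            state: absent

        - name: Create the main Apache configuration file
          ansible.builtin.template:
            src: files/etc/httpd/conf/httpd.conf.j2
            dest: /etc/httpd/conf/httpd.conf
            mode: "0644"

        - name: Create the Shibboleth Apache configuration file
          ansible.builtin.template:
            src: files/etc/httpd/conf.d/shib.conf.j2
            dest: /etc/httpd/conf.d/shib.conf
            mode: "0644"

        # Kept for reference: only needed while SELinux is enforcing, which
        # the first task of this play turns off.
        # - name: Set httpd_can_network_connect flag on
        #   ansible.posix.seboolean:
        #     name: httpd_can_network_connect
        #     state: true
        #     persistent: true

        - name: Start Apache service
          ansible.builtin.systemd:
            name: httpd
            state: started
            enabled: true
      tags:
        - apache

    # Everything the container needs lives under ~/mc-hub of the rootless
    # podman user: directories 0700, credential files 0600.
    - name: Prepare the bind mounts for the MC Hub container
      block:
        - name: Create the MC Hub work directory
          ansible.builtin.file:
            path: "/home/{{ ansible_user }}/mc-hub"
            state: directory
            mode: "0700"

        - name: Create the MC Hub database directory
          ansible.builtin.file:
            path: "/home/{{ ansible_user }}/mc-hub/database"
            state: directory
            mode: "0700"

        - name: Create the MC Hub credentials directory
          ansible.builtin.file:
            path: "/home/{{ ansible_user }}/mc-hub/credentials"
            state: directory
            mode: "0700"

        - name: Copy the OpenStack configuration file
          ansible.builtin.copy:
            src: "{{ inventory_dir }}/clouds.yaml"
            dest: "/home/{{ ansible_user }}/mc-hub/credentials"
            mode: "0600"

        - name: Copy the MC Hub configuration file
          ansible.builtin.copy:
            src: "{{ inventory_dir }}/configuration.json"
            dest: "/home/{{ ansible_user }}/mc-hub"
            mode: "0600"

        - name: Create the clusters directory
          ansible.builtin.file:
            path: "/home/{{ ansible_user }}/mc-hub/clusters"
            state: directory
            mode: "0700"

        - name: Copy the ACME registration key
          ansible.builtin.copy:
            src: "{{ inventory_dir }}/acme_key.pem"
            dest: "/home/{{ ansible_user }}/mc-hub/credentials"
            mode: "0600"
      tags:
        - docker

    - name: Start the MC Hub container
      containers.podman.podman_container:
        name: mc-hub
        image: "docker.io/cmdntrf/mc-hub:{{ mc_hub_version }}"
        state: started
        env:
          MAGIC_CASTLE_ACME_KEY_PEM: /home/mcu/credentials/acme_key.pem
          OS_CLIENT_CONFIG_FILE: /home/mcu/credentials/clouds.yaml
          OS_CLOUD: "{{ default_cloud }}"
        # Publish on loopback only. Apache (behind Shibboleth) is the intended
        # entry point; a wildcard bind would let clients reach the app on
        # this port directly, bypassing SSO. The clean-up container below
        # already reaches it at 127.0.0.1 on the host network.
        # NOTE(review): assumes httpd.conf.j2 proxies to 127.0.0.1 — confirm.
        published_ports:
          - "127.0.0.1:{{ internal_web_app_port }}:5000"
        volumes:
          - "/home/{{ ansible_user }}/mc-hub/configuration.json:/home/mcu/configuration.json"
          - "/home/{{ ansible_user }}/mc-hub/credentials:/home/mcu/credentials"
          - "/home/{{ ansible_user }}/mc-hub/clusters:/home/mcu/clusters"
          - "/home/{{ ansible_user }}/mc-hub/database:/home/mcu/database"
        # keep-id maps the container user onto {{ ansible_user }} so the bind
        # mounts above stay owned by that user.
        userns: keep-id
        workdir: /home/mcu
      tags:
        - docker

    # Periodic culling of expired clusters; talks to the app over the host's
    # loopback interface, hence host networking.
    - name: Start the MC Hub clean-up container
      containers.podman.podman_container:
        name: mc-hub-cleaner
        image: "docker.io/cmdntrf/mc-hub:{{ mc_hub_version }}"
        restart_policy: always
        state: started
        network_mode: host
        env:
          MCHUB_HOST: "127.0.0.1"
          MCHUB_PORT: "5000"
        volumes:
          - "/home/{{ ansible_user }}/mc-hub/configuration.json:/home/mcu/configuration.json"
        command: "python3 -m mchub.services.cull_expired_cluster"
        userns: keep-id
      tags:
        - docker

    - name: Enable HTTPS
      # Inspired by https://certbot.eff.org/lets-encrypt/centosrhel7-apache
      block:
        - name: Install Certbot
          become: true
          ansible.builtin.yum:
            name:
              - certbot
              - python3-certbot-apache
            state: present

        - name: Check whether HTTPS keys and certificates already exist
          become: true
          ansible.builtin.stat:
            path: "{{ item }}"
          loop:
            - "/etc/letsencrypt/live/{{ fqdn }}/cert.pem"
            - "/etc/letsencrypt/live/{{ fqdn }}/privkey.pem"
            - "/etc/letsencrypt/live/{{ fqdn }}/chain.pem"
            - "/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem"
          register: https_keys_and_certificates_stats

        - name: Generate HTTPS certificate
          become: true
          # Only generate HTTPS keys and certificate when they don't already
          # exist: the list of missing files is non-empty (truthy).
          when: https_keys_and_certificates_stats.results | rejectattr('stat.exists') | list
          ansible.builtin.command:
            cmd: "certbot -n --apache -d {{ fqdn }} -m {{ server_admin_email }} --agree-tos certonly"

        - name: Create the HTTPS Apache configuration file
          become: true
          ansible.builtin.template:
            src: files/etc/httpd/conf.d/httpd-le-ssl.conf.j2
            dest: /etc/httpd/conf.d/httpd-le-ssl.conf
            mode: "0644"

        - name: Reload httpd
          become: true
          ansible.builtin.service:
            name: httpd
            state: reloaded

        # Twice daily, with a random delay of up to an hour so renewals
        # from many hosts do not hit the CA at the same instant.
        - name: Setup automatic HTTPS certificate renewal
          become: true
          ansible.builtin.cron:
            name: Let's Encrypt HTTPS certificate renewal
            minute: "0"
            hour: "0,12"
            day: "*"
            month: "*"
            weekday: "*"
            user: root
            job: "python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q"
      tags:
        - apache

    - name: Configure Filebeat
      when: configure_filebeat is defined
      block:
        - name: Create downloads directory
          ansible.builtin.file:
            path: "/home/{{ ansible_user }}/Downloads"
            state: directory

        # The RPM is fetched over HTTPS but no checksum is pinned, and a local
        # RPM file is generally not signature-checked by yum/dnf unless
        # localpkg_gpgcheck is set, so the download is trusted on TLS alone.
        # TODO(security): pin it, e.g. checksum: "sha256:<FILEBEAT_RPM_SHA256>"
        # taken from Elastic's published digest for this exact release.
        # 6.0.1 is also a very old release — review against the Logstash side.
        - name: Download Filebeat
          ansible.builtin.get_url:
            url: https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.1-x86_64.rpm
            dest: "/home/{{ ansible_user }}/Downloads/filebeat.rpm"

        # yum needs root; this task previously lacked become, unlike every
        # other package installation in the play.
        - name: Install Filebeat
          become: true
          ansible.builtin.yum:
            name: "/home/{{ ansible_user }}/Downloads/filebeat.rpm"
            state: present

        - name: Configure Filebeat
          become: true
          ansible.builtin.template:
            src: files/etc/filebeat/filebeat.yml
            dest: /etc/filebeat/filebeat.yml
            mode: "0644"

        - name: Copy logstash certificate
          become: true
          ansible.builtin.copy:
            src: "{{ inventory_dir }}/logstash-servers.crt"
            dest: /etc/filebeat/logstash-servers.crt

        - name: Start Filebeat service
          become: true
          ansible.builtin.systemd:
            name: filebeat
            state: started
            enabled: true
      tags:
        - filebeat

    - name: Install sqlite3
      become: true
      ansible.builtin.yum:
        name: sqlite
        state: present

    # The users file is optional: the next two tasks run only when it exists
    # on the controller and was actually (re)copied.
    - name: Check whether user-project.yaml exists on the controller
      ansible.builtin.stat:
        path: "{{ inventory_dir }}/user-project.yaml"
      delegate_to: localhost
      register: user_project_file
      tags: users-db

    - name: Copy the MC Hub users configuration file
      when: user_project_file.stat.exists
      ansible.builtin.copy:
        src: "{{ inventory_dir }}/user-project.yaml"
        dest: "/home/{{ ansible_user }}/mc-hub/database"
        mode: "0600"
      register: userproject
      tags: users-db

    - name: Configure users database
      when: userproject.changed
      ansible.builtin.script:
        cmd: new-db-entry.py user-project.yaml
        executable: python3
        # Same directory the users file was copied into above; the earlier
        # hard-coded /home/rocky only matched when ansible_user was "rocky".
        chdir: "/home/{{ ansible_user }}/mc-hub/database"
      tags: users-db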