Merge branch 't33830-security-repository-migration' into 'master'

Security repository migration | refs #33830

See merge request mediaserver/envsetup!70

ansible/molecule/default/tests/test_mirismanager.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_manager_is_installed(host):
-    p = host.package("ubicast-skyreach")
-
-    assert p.is_installed
-
-
-def test_manager_user(host):
-    u = host.user("skyreach")
-
-    assert u.name == "skyreach"
-
-
-def test_manager_nginx(host):
-    f = host.file("/etc/nginx/sites-available/skyreach.conf")
-
-    assert f.exists
-
-
-def test_manager_service(host):
-    s = host.service("skyreach")
-
-    assert s.is_running
-    assert s.is_enabled
-
-
-def test_manager_socket(host):
-    s = host.socket("tcp://0.0.0.0:443")
-
-    assert s.is_listening
-
-
-def test_fail2ban_conf(host):
-    f = host.file("/etc/fail2ban/jail.d/skyreach.conf")
-
-    assert f.exists
-
-
-def test_fail2ban_service(host):
-    s = host.service("fail2ban")
-
-    assert s.is_running
-
-
-def test_postfix_service(host):
-    s = host.service("postfix")
-
-    assert s.is_running

ansible/molecule/default/tests/test_msmonitor.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_munin_is_installed(host):
-    p = host.package("munin-node")
-
-    assert p.is_installed
-
-
-def test_monitor_is_installed(host):
-    p = host.package("ubicast-monitor")
-
-    assert p.is_installed
-
-
-def test_monitor_runtime_is_installed(host):
-    p = host.package("ubicast-monitor-runtime")
-
-    assert p.is_installed
-
-
-def test_monitor_user(host):
-    u = host.user("msmonitor")
-
-    assert u.name == "msmonitor"
-
-
-def test_monitor_nginx(host):
-    f = host.file("/etc/nginx/sites-available/msmonitor.conf")
-
-    assert f.exists
-
-
-def test_monitor_service(host):
-    s = host.service("msmonitor")
-
-    assert s.is_running
-    assert s.is_enabled
-
-
-def test_monitor_socket(host):
-    s = host.socket("tcp://0.0.0.0:443")
-
-    assert s.is_listening
-
-
-def test_fail2ban_conf(host):
-    f = host.file("/etc/fail2ban/jail.d/monitor.conf")
-
-    assert f.exists
-
-
-def test_fail2ban_service(host):
-    s = host.service("fail2ban")
-
-    assert s.is_running

ansible/molecule/default/tests/test_netcapture.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_netcapture_is_installed(host):
-    p = host.package("python3-miris-netcapture")
-
-    assert p.is_installed
-
-
-def test_docker_is_installed(host):
-    p = host.package("docker-ce")
-
-    assert p.is_installed
-
-
-def test_netcapture_conf(host):
-    f = host.file("/etc/miris/netcapture.json")
-
-    assert f.exists
-
-
-def test_miris_api_conf(host):
-    f = host.file("/etc/miris/conf/api.json")
-
-    assert f.exists
-
-
-def test_docker_service(host):
-    s = host.service("docker")
-
-    assert s.is_running
-    assert s.is_enabled

ansible/molecule/default/tests/test_nginx.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_apache2_is_installed(host):
-    p = host.package("apache2")
-
-    assert not p.is_installed
-
-
-def test_nginx_is_installed(host):
-    p = host.package("nginx")
-
-    assert p.is_installed
-
-
-def test_nginx_removed_default(host):
-    f = host.file("/etc/nginx/sites-enabled/default.conf")
-
-    assert not f.exists
-
-
-def test_nginx_removed_old_ssl(host):
-    f = host.file("/etc/nginx/conf.d/ssl.conf")
-
-    assert not f.exists

ansible/molecule/default/tests/test_ntp.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_ntp_is_installed(host):
-    p = host.package("ntp")
-
-    assert p.is_installed
-
-
-def test_systemd_timesyncd_override(host):
-    f = host.file(
-        "/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf"
-    )
-
-    assert f.exists
-    assert f.contains("[Unit]")
-    assert f.contains("ConditionFileIsExecutable=!")
-
-
-def test_systemd_timesyncd_disabled(host):
-    s = host.service("systemd-timesyncd")
-
-    assert not s.is_running
-    assert not s.is_enabled
-
-
-def test_ntp_service(host):
-    s = host.service("ntp")
-
-    assert s.is_running
-    assert s.is_enabled

ansible/molecule/default/tests/test_postfix.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_postfix_is_installed(host):
-    p = host.package("postfix")
-
-    assert p.is_installed
-
-
-def test_postfix_main(host):
-    f = host.file("/etc/postfix/main.cf")
-
-    assert f.exists
-
-
-def test_mailname(host):
-    f = host.file("/etc/mailname")
-
-    assert f.exists
-
-
-def test_aliases(host):
-    f = host.file("/etc/aliases")
-
-    assert f.exists
-    assert f.contains("devnull:")
-    assert f.contains("root:")
-
-
-def test_postfix_virtual(host):
-    f = host.file("/etc/postfix/virtual")
-
-    assert f.exists
-    assert f.contains("postmaster@")
-    assert f.contains("bounces@")
-    assert f.contains("noreply@")
-
-
-def test_postfix_generic(host):
-    f = host.file("/etc/postfix/generic")
-
-    assert f.exists
-    assert f.contains("root@")
-
-
-def test_postfix_service(host):
-    s = host.service("postfix")
-
-    assert s.is_running
-    assert s.is_enabled
-
-
-def test_postfix_listen(host):
-    s = host.socket("tcp://127.0.0.1:25")
-
-    assert s.is_listening

ansible/molecule/default/tests/test_postgres.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_psycopg2_is_installed(host):
-    p = host.package("python3-psycopg2")
-
-    assert p.is_installed
-
-
-def test_postgres_is_installed(host):
-    p = host.package("postgresql")
-
-    assert p.is_installed
-
-
-def test_postgres_user(host):
-    u = host.user("postgres")
-
-    assert u.name == "postgres"
-
-
-def test_postgres_service(host):
-    s = host.service("postgresql@11-main")
-
-    assert s.is_running
-
-
-def test_postgres_socket(host):
-    s = host.socket("tcp://127.0.0.1:5432")
-
-    assert s.is_listening

ansible/molecule/default/tests/test_python3.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("all")
-
-
-def test_python3_is_installed(host):
-    p = host.package("python3")
-
-    assert p.is_installed
-    assert p.version.startswith("3.")

ansible/molecule/pf-ha/converge.yml

-../default/converge.yml
\ No newline at end of file

ansible/molecule/pf-ha/molecule.yml

----
-
-driver:
-  name: docker
-
-platforms:
-  - name: ms0-${CI_PIPELINE_ID:-default}
-    environment:
-      HOSTALIASES: /etc/hosts.aliases
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      - data-${CI_PIPELINE_ID:-ha}:/data:rw
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - mediaserver
-      - live
-      - celerity
-  - name: ms1-${CI_PIPELINE_ID:-default}
-    environment:
-      HOSTALIASES: /etc/hosts.aliases
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      - data-${CI_PIPELINE_ID:-ha}:/data:rw
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - mediaserver
-      - live
-  - name: ms2-${CI_PIPELINE_ID:-default}
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    environment:
-      HOSTALIASES: /etc/hosts.aliases
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      - data-${CI_PIPELINE_ID:-ha}:/data:rw
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - mediaserver
-      - live
-  - name: db0-${CI_PIPELINE_ID:-default}
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - postgres
-  - name: db1-${CI_PIPELINE_ID:-default}
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - postgres
-  - name: db2-${CI_PIPELINE_ID:-default}
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - postgres
-provisioner:
-  name: ansible
-  options:
-    D: true
-  env:
-    ANSIBLE_ROLES_PATH: ../../roles
-    ANSIBLE_LIBRARY: ../../library
-    ANSIBLE_ACTION_PLUGINS: ../../plugins/action
-    ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
-    SKYREACH_SYSTEM_KEY: ${SKYREACH_SYSTEM_KEY_HA}
-  inventory:
-    group_vars:
-      postgres:
-        repmgr_password: "testrepmgr"
-
-verifier:
-  name: testinfra
-  options:
-    verbose: true
-
-...

ansible/molecule/pf-ha/tests/commons.py

-import socket
-
-
-def get_status(host):
-    ip = host.interface('eth0').addresses[0]
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect((ip, 8543))
-    data = s.recv(1024)
-    return data.rstrip().decode('utf-8')

ansible/molecule/pf-ha/tests/test_haproxy.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("mediaserver")
-
-
-def test_psycopg2_is_installed(host):
-    p = host.package("haproxy")
-
-    assert p.is_installed
-
-
-def test_postgres_service(host):
-    s = host.service("haproxy")
-
-    assert s.is_running
-
-
-def test_haproxy_socket(host):
-    s = host.socket("tcp://0.0.0.0:54321")
-
-    assert s.is_listening

ansible/molecule/pf-ha/tests/test_mediaserver.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("mediaserver")
-
-
-def test_server_is_installed(host):
-    p = host.package("ubicast-mediaserver")
-
-    assert p.is_installed
-
-
-def test_server_user(host):
-    u = host.user("msuser")
-
-    assert u.name == "msuser"
-
-
-def test_server_nginx(host):
-    f = host.file("/etc/nginx/sites-available/mediaserver-msuser.conf")
-
-    assert f.exists
-
-
-def test_server_service(host):
-    s = host.service("mediaserver")
-
-    assert s.is_running
-    assert s.is_enabled
-
-
-def test_server_socket(host):
-    s = host.socket("tcp://0.0.0.0:443")
-
-    assert s.is_listening
-
-
-def test_fail2ban_conf(host):
-    f = host.file("/etc/fail2ban/jail.d/mediaserver.conf")
-
-    assert f.exists
-
-
-def test_fail2ban_service(host):
-    s = host.service("fail2ban")
-
-    assert s.is_running

ansible/molecule/pf-ha/tests/test_postgres.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("postgres")
-
-
-def test_psycopg2_is_installed(host):
-    p = host.package("python3-psycopg2")
-
-    assert p.is_installed
-
-
-def test_postgres_is_installed(host):
-    p = host.package("postgresql")
-
-    assert p.is_installed
-
-
-def test_postgres_user(host):
-    u = host.user("postgres")
-
-    assert u.name == "postgres"
-
-
-def test_postgres_service(host):
-    s = host.service("postgresql@11-main")
-
-    assert s.is_running
-
-
-def test_postgres_socket(host):
-    s = host.socket("tcp://127.0.0.1:5432")
-
-    assert s.is_listening

ansible/molecule/pf-std/converge.yml

-../default/converge.yml
\ No newline at end of file

ansible/molecule/pf-std/molecule.yml

----
-
-driver:
-  name: docker
-
-platforms:
-  - name: ms-${CI_PIPELINE_ID:-default}
-    environment:
-      HOSTALIASES: /etc/hosts.aliases
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - mediaserver
-      - postgres
-      - celerity
-      - live
-      - mirismanager
-      - mediaimport
-      - msmonitor
-  - name: mw-${CI_PIPELINE_ID:-default}
-    environment:
-      HOSTALIASES: /etc/hosts.aliases
-    image: registry.ubicast.net/docker/debian-systemd:buster
-    command: /lib/systemd/systemd
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /tmp
-      - /run
-    groups:
-      - mediaworker
-
-provisioner:
-  name: ansible
-  options:
-    D: true
-  env:
-    ANSIBLE_ROLES_PATH: ../../roles
-    ANSIBLE_LIBRARY: ../../library
-    ANSIBLE_ACTION_PLUGINS: ../../plugins/action
-    ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
-    SKYREACH_SYSTEM_KEY: ${SKYREACH_SYSTEM_KEY_STD}
-
-verifier:
-  name: testinfra
-  options:
-    verbose: true
-
-...

ansible/molecule/pf-std/tests/commons.py

-import socket
-
-
-def get_status(host):
-    ip = host.interface('eth0').addresses[0]
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect((ip, 8543))
-    data = s.recv(1024)
-    return data.rstrip().decode('utf-8')

ansible/molecule/pf-std/tests/test_mediaserver.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("mediaserver")
-
-
-def test_server_is_installed(host):
-    p = host.package("ubicast-mediaserver")
-
-    assert p.is_installed
-
-
-def test_server_user(host):
-    u = host.user("msuser")
-
-    assert u.name == "msuser"
-
-
-def test_server_nginx(host):
-    f = host.file("/etc/nginx/sites-available/mediaserver-msuser.conf")
-
-    assert f.exists
-
-
-def test_server_service(host):
-    s = host.service("mediaserver")
-
-    assert s.is_running
-    assert s.is_enabled
-
-
-def test_server_socket(host):
-    s = host.socket("tcp://0.0.0.0:443")
-
-    assert s.is_listening
-
-
-def test_fail2ban_conf(host):
-    f = host.file("/etc/fail2ban/jail.d/mediaserver.conf")
-
-    assert f.exists
-
-
-def test_fail2ban_service(host):
-    s = host.service("fail2ban")
-
-    assert s.is_running

ansible/molecule/pf-std/tests/test_postgres.py

-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ["MOLECULE_INVENTORY_FILE"]
-).get_hosts("postgres")
-
-
-def test_psycopg2_is_installed(host):
-    p = host.package("python3-psycopg2")
-
-    assert p.is_installed
-
-
-def test_postgres_is_installed(host):
-    p = host.package("postgresql")
-
-    assert p.is_installed
-
-
-def test_postgres_user(host):
-    u = host.user("postgres")
-
-    assert u.name == "postgres"
-
-
-def test_postgres_service(host):
-    s = host.service("postgresql@11-main")
-
-    assert s.is_running
-
-
-def test_postgres_socket(host):
-    s = host.socket("tcp://127.0.0.1:5432")
-
-    assert s.is_listening

ansible/molecule/pgsql-ha/converge.yml

-#!/usr/bin/env ansible-playbook
----
-
-- name: PYTHON
-  hosts: all
-  gather_facts: false
-  tasks:
-    - name: ensure python3 is installed
-      register: python_install
-      changed_when: "'es_pyinstall' in python_install.stdout_lines"
-      raw: command -v python3 || echo es_pyinstall && apt update && apt install -y python3-minimal python3-apt
-
-- name: Converge
-  hosts: postgres
-  pre_tasks:
-    - name: check running in a docker container
-      register: check_if_docker
-      stat:
-        path: /.dockerenv
-    - name: set docker flag variable
-      set_fact:
-        in_docker: "{{ check_if_docker.stat.exists | d(false) }}"
-  roles:
-    - base
-    - postgres-ha
-  post_tasks:
-    - name: deploy letsencrypt certificate
-      when: letsencrypt_enabled | d(false)
-      include_role:
-        name: letsencrypt
-    - name: configure network
-      when: network_apply | d(false)
-      include_role:
-        name: network
-    - name: configure proxy
-      when: proxy_apply | d(false)
-      include_role:
-        name: proxy
-
-...