Merge branch 't38273-extract-roles-reconfigurations' into 'main'

Extract roles reconfigurations | refs #38273 See merge request sys/ansible-public!62

Merge branch 't38273-extract-roles-reconfigurations' into 'main'
260eb985 · Antoine SCHILDKNECHT · b578cea5 · 192ee7a7 · 260eb985 · 260eb985
Commit 260eb985 authored 1 year ago by Antoine SCHILDKNECHT
--- a/roles/conf/tasks/main.yml
+++ b/roles/conf/tasks/main.yml
 ---
- name: proxy
-  when:
-    - proxy_http | d()
-    - proxy_https | d()
-  ansible.builtin.include_role:
-    name: proxy
- name: install requirements
+- name: packages
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
-    name: "{{ conf_req_packages }}"
+    name: "{{ fail2ban_packages }}"
+    state: present
  register: apt_status
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: generate root ssh key pair
-  register: conf_root
-  ansible.builtin.user:
-    name: root
-    generate_ssh_key: true
-    ssh_key_type: ed25519
-    ssh_key_file: .ssh/id_ed25519
 ...
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
 ---
- name: packages
+- name: INSTALL
-  ansible.builtin.apt:
+  ansible.builtin.include_tasks:
-    force_apt_get: true
+    file: "install.yml"
-    install_recommends: false
+    apply:
-    name: "{{ fail2ban_packages }}"
+      become: true
-    state: present
+      tags:
-  register: apt_status
+        - install
-  retries: 60
+  tags:
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+    - always
- name: create fail2ban path-overrides
+- name: BASE CONFIGURATION
-  notify: restart fail2ban
+  ansible.builtin.include_tasks:
-  ansible.builtin.copy:
+    file: "base.yml"
-    dest: /etc/fail2ban/paths-overrides.local
+    apply:
-    mode: "644"
+      become: true
-    force: false
+      tags:
-    content: |
+        - base
-      [DEFAULT]
+  tags:
+    - always
- name: configure sshd jail backend
+- name: CONFIGURE
-  notify: restart fail2ban
+  ansible.builtin.include_tasks:
-  ansible.builtin.lineinfile:
+    file: "configure.yml"
-    path: /etc/fail2ban/paths-overrides.local
+    apply:
-    regexp: '^sshd_backend'
+      become: true
-    insertafter: '[DEFAULT]'
+      tags:
-    line: 'sshd_backend = systemd'
+        - configure
+  tags:
- name: jail defaults
+    - always
-  notify: restart fail2ban
-  ansible.builtin.template:
-    src: jail.local.j2
-    dest: /etc/fail2ban/jail.local
-    mode: "644"
- name: service
-  ansible.builtin.systemd:
-    name: fail2ban
-    enabled: true
-    state: started
 ...
--- a/roles/fail2ban/vars/main.yml
+++ b/roles/fail2ban/vars/main.yml
 ---
+# Packages required for the group. python3-systemd is used to read systemd journal
 fail2ban_packages:
  - fail2ban
-  - python3-systemd  # used to read systemd journal
+  - python3-systemd
+# IP addresses exceptions (no monitored by fail2ban)
+fail2ban_ignoreip: "127.0.0.1/8 ::1"
+# Number of acceptable failures before banning an IP
+fail2ban_maxretry: "5"
+# Duration of bans
+fail2ban_bantime: "10m"
+# Define the default action to do when a ban occurs ("action_mwl" to send whois and logs via email or "action_" for default)
+fail2ban_action: "action_mwl"
 ...
--- a/roles/haproxy/README.md
+++ b/roles/haproxy/README.md
+# Haproxy
+## Description
+Install and configure the HAProxy reverse-proxy/loadbalancer in front of PostgreSQL
--- a/roles/haproxy/tasks/base.yml
+++ b/roles/haproxy/tasks/base.yml
+---
+- name: configure
+  notify: reload haproxy
+  ansible.builtin.template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    backup: true
+    mode: "644"
+- ansible.builtin.meta: flush_handlers # noqa name[missing]
+...
--- a/roles/haproxy/tasks/install.yml
+++ b/roles/haproxy/tasks/install.yml
+---
+- name: install packages
+  ansible.builtin.apt:
+    force_apt_get: true
+    install_recommends: false
+    name: "{{ hap_packages }}"
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+...
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
 ---
- name: install packages
+- name: INSTALL
-  ansible.builtin.apt:
+  ansible.builtin.include_tasks:
-    force_apt_get: true
+    file: "install.yml"
-    install_recommends: false
+    apply:
-    name: "{{ hap_packages }}"
+      become: true
-  register: apt_status
+      tags:
-  retries: 60
+        - install
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+  tags:
+    - always
- name: configure
+- name: BASE CONFIGURATION
-  notify: reload haproxy
+  ansible.builtin.include_tasks:
-  ansible.builtin.template:
+    file: "base.yml"
-    src: haproxy.cfg.j2
+    apply:
-    dest: /etc/haproxy/haproxy.cfg
+      become: true
-    backup: true
+      tags:
-    mode: "644"
+        - base
+  tags:
- ansible.builtin.meta: flush_handlers # noqa name[missing]
+    - always
 ...
--- a/roles/haproxy/vars/main.yml
+++ b/roles/haproxy/vars/main.yml
 ---
+# Packages required for the group
 hap_packages:
  - haproxy
  - rsyslog
  - logrotate
 ...
--- a/roles/init/README.md
+++ b/roles/init/README.md
-# Init
-## Description
-Used by the "base" metagroup to provide basic utilities and initialise a mandatory proxy if necessary
--- a/roles/init/vars/main.yml
+++ b/roles/init/vars/main.yml
---
-init_packages:
-  - apt-utils
-  - gnupg
-  - ssh-client
-  - sudo
-...
--- a/roles/letsencrypt/README.md
+++ b/roles/letsencrypt/README.md
+# Letsencrypt
+## Description
+Install and configure Let's Encrypt tools to generate and maintain Let's Encrypt SSL certificates for the webdomains
+## Role Variables
+Available variables are listed below, along with the descriptions and the default values.
+`letsencrypt_domains`: List the domain to configure with a let's encrypt certificate. If an empty list is provided, every domain found in nginx is configured. (Optional)
+```
+letsencrypt_domains: []
+```
+`letsencrypt_email`: Email of the Let's Encrypt SSL certificates administrator(s)
+```
+letsencrypt_email: "admin@example.com"
+```
+`letsencrypt_webroot`: Default Let's Encrypt web root folder for challenges publication (Optional)
+```
+letsencrypt_webroot: "/var/www/letsencrypt"
+```
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
 ---
+# List the domain to configure with a let's encrypt certificate. If an empty list is provided, every domain found in nginx is configured.
 letsencrypt_domains: []
-letsencrypt_webroot: "/var/www/letsencrypt"
+# Email of the Let's Encrypt SSL certificates administrator(s)
 letsencrypt_email: "admin@example.com"
+# Default Let's Encrypt web root folder for challenges publication
+letsencrypt_webroot: "/var/www/letsencrypt"
 ...
--- a/roles/letsencrypt/tasks/configure.yml
+++ b/roles/letsencrypt/tasks/configure.yml
+---
+- name: CONFIGURE UBICAST-TESTER
+  ansible.builtin.include_tasks: "configure/letsencrypt-configure.yml"
+  when:
+    - letsencrypt_domains is defined
+    - letsencrypt_email is defined
+    - letsencrypt_webroot is defined
+...
--- a/roles/letsencrypt/tasks/configure/letsencrypt-configure.yml
+++ b/roles/letsencrypt/tasks/configure/letsencrypt-configure.yml
+---
+- name: get all server_name values
+  when: letsencrypt_domains == []
+  changed_when: false
+  register: letsencryt_nginx_output
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: >
+      set -o pipefail;
+      nginx -T 2>&1 | grep -v localhost | grep -P '^\s+server_name\s+.*;$' | sed -r 's/\s+server_name\s+(.*);/\1/' | uniq
+- name: save result as list
+  when: letsencrypt_domains == []
+  ansible.builtin.set_fact:
+    letsencrypt_domains: "{{ letsencryt_nginx_output.stdout.split() }}"
+- name: save domains list in a file
+  register: letsencrypt_save_list
+  ansible.builtin.copy:
+    dest: /etc/letsencrypt/domains.txt
+    content: |
+      {% for domain in letsencrypt_domains %}
+      {{ domain }}
+      {% endfor %}
+    mode: "644"
+- name: create webroot directory
+  ansible.builtin.file:
+    path: "{{ letsencrypt_webroot }}"
+    state: directory
+    mode: "755"
+- name: create pre hook directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/pre
+    state: directory
+    mode: "755"
+- name: create pre hook script
+  ansible.builtin.copy:
+    dest: /etc/letsencrypt/renewal-hooks/pre/mkdir
+    mode: "0755"
+    content: |
+      #!/usr/bin/env bash
+      CERTBOT_DOCROOT=/var/www/letsencrypt
+      mkdir -p "$CERTBOT_DOCROOT"
+      chmod 755 "$CERTBOT_DOCROOT"
+- name: create deploy hook directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    mode: "755"
+- name: create deploy hook script
+  ansible.builtin.copy:
+    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx
+    mode: "0755"
+    content: |
+      #!/usr/bin/env bash
+      systemctl reload nginx
+- name: test generate certificates
+  when:
+    - letsencrypt_domains != []
+    - letsencrypt_save_list is changed
+  register: letsencrypt_dry_run
+  ignore_errors: true
+  changed_when: false
+  ansible.builtin.command:
+    cmd: >
+      certbot certonly
+        --dry-run
+        -n --agree-tos -m {{ letsencrypt_email }}
+        --webroot -w {{ letsencrypt_webroot }}
+        --expand
+        -d {{ letsencrypt_domains | join(',') }}
+- name: remove domains list file in case of failure
+  when: letsencrypt_dry_run is failed
+  ansible.builtin.file:
+    path: "{{ letsencrypt_save_list.dest }}"
+    state: absent
+- name: exit in case of failure
+  when: letsencrypt_dry_run is failed
+  ansible.builtin.fail:
+- name: generate certificates
+  notify: restart nginx
+  when:
+    - letsencrypt_domains != []
+    - letsencrypt_save_list is changed
+    - letsencrypt_dry_run is succeeded
+  ansible.builtin.command:
+    cmd: >
+      certbot certonly
+        -n --agree-tos -m {{ letsencrypt_email }}
+        --webroot -w {{ letsencrypt_webroot }}
+        --expand
+        -d {{ letsencrypt_domains | join(',') }}
+    creates: "/etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem"
+- name: update nginx certificate configuration
+  when:
+    - letsencrypt_domains != []
+    - letsencrypt_save_list is changed
+    - letsencrypt_dry_run is succeeded
+  notify: restart nginx
+  ansible.builtin.lineinfile:
+    path: /etc/nginx/conf.d/ssl_certificate.conf
+    regexp: 'ssl_certificate\s+([\w/\-\_\.]+);'
+    line: ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem;
+- name: update nginx certificate key configuration
+  when:
+    - letsencrypt_domains != []
+    - letsencrypt_save_list is changed
+    - letsencrypt_dry_run is succeeded
+  notify: restart nginx
+  ansible.builtin.lineinfile:
+    path: /etc/nginx/conf.d/ssl_certificate.conf
+    regexp: 'ssl_certificate_key\s+([\w/\-\_\.]+);'
+    line: ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem;
+...
--- a/roles/letsencrypt/tasks/install.yml
+++ b/roles/letsencrypt/tasks/install.yml
+---
+- name: install certbot
+  ansible.builtin.package:
+    force_apt_get: true
+    install_recommends: false
+    name: certbot
+...
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
 ---
- name: install certbot
+- name: INSTALL
-  ansible.builtin.package:
+  ansible.builtin.include_tasks:
-    force_apt_get: true
+    file: "install.yml"
-    install_recommends: false
+    apply:
-    name: certbot
+      become: true
+      tags:
- name: get all server_name values
+        - install
-  when: letsencrypt_domains == []
+  tags:
-  changed_when: false
+    - always
-  register: letsencryt_nginx_output
-  ansible.builtin.shell:
+- name: CONFIGURE
-    executable: /bin/bash
+  ansible.builtin.include_tasks:
-    cmd: >
+    file: "configure.yml"
-      set -o pipefail;
+    apply:
-      nginx -T 2>&1 | grep -v localhost | grep -P '^\s+server_name\s+.*;$' | sed -r 's/\s+server_name\s+(.*);/\1/' | uniq
+      become: true
+      tags:
- name: save result as list
+        - configure
-  when: letsencrypt_domains == []
+  tags:
-  ansible.builtin.set_fact:
+    - always
-    letsencrypt_domains: "{{ letsencryt_nginx_output.stdout.split() }}"
- name: save domains list in a file
-  register: letsencrypt_save_list
-  ansible.builtin.copy:
-    dest: /etc/letsencrypt/domains.txt
-    content: |
-      {% for domain in letsencrypt_domains %}
-      {{ domain }}
-      {% endfor %}
-    mode: "644"
- name: create webroot directory
-  ansible.builtin.file:
-    path: "{{ letsencrypt_webroot }}"
-    state: directory
-    mode: "755"
- name: create pre hook directory
-  ansible.builtin.file:
-    path: /etc/letsencrypt/renewal-hooks/pre
-    state: directory
-    mode: "755"
- name: create pre hook script
-  ansible.builtin.copy:
-    dest: /etc/letsencrypt/renewal-hooks/pre/mkdir
-    mode: "0755"
-    content: |
-      #!/usr/bin/env bash
-      CERTBOT_DOCROOT=/var/www/letsencrypt
-      mkdir -p "$CERTBOT_DOCROOT"
-      chmod 755 "$CERTBOT_DOCROOT"
- name: create deploy hook directory
-  ansible.builtin.file:
-    path: /etc/letsencrypt/renewal-hooks/deploy
-    state: directory
-    mode: "755"
- name: create deploy hook script
-  ansible.builtin.copy:
-    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx
-    mode: "0755"
-    content: |
-      #!/usr/bin/env bash
-      systemctl reload nginx
- name: test generate certificates
-  when:
-    - letsencrypt_domains != []
-    - letsencrypt_save_list is changed
-  register: letsencrypt_dry_run
-  ignore_errors: true
-  changed_when: false
-  ansible.builtin.command:
-    cmd: >
-      certbot certonly
-        --dry-run
-        -n --agree-tos -m {{ letsencrypt_email }}
-        --webroot -w {{ letsencrypt_webroot }}
-        --expand
-        -d {{ letsencrypt_domains | join(',') }}
- name: remove domains list file in case of failure
-  when: letsencrypt_dry_run is failed
-  ansible.builtin.file:
-    path: "{{ letsencrypt_save_list.dest }}"
-    state: absent
- name: exit in case of failure
-  when: letsencrypt_dry_run is failed
-  ansible.builtin.fail:
- name: generate certificates
-  notify: restart nginx
-  when:
-    - letsencrypt_domains != []
-    - letsencrypt_save_list is changed
-    - letsencrypt_dry_run is succeeded
-  ansible.builtin.command:
-    cmd: >
-      certbot certonly
-        -n --agree-tos -m {{ letsencrypt_email }}
-        --webroot -w {{ letsencrypt_webroot }}
-        --expand
-        -d {{ letsencrypt_domains | join(',') }}
-    creates: "/etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem"
- name: update nginx certificate configuration
-  when:
-    - letsencrypt_domains != []
-    - letsencrypt_save_list is changed
-    - letsencrypt_dry_run is succeeded
-  notify: restart nginx
-  ansible.builtin.lineinfile:
-    path: /etc/nginx/conf.d/ssl_certificate.conf
-    regexp: 'ssl_certificate\s+([\w/\-\_\.]+);'
-    line: ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem;
- name: update nginx certificate key configuration
-  when:
-    - letsencrypt_domains != []
-    - letsencrypt_save_list is changed
-    - letsencrypt_dry_run is succeeded
-  notify: restart nginx
-  ansible.builtin.lineinfile:
-    path: /etc/nginx/conf.d/ssl_certificate.conf
-    regexp: 'ssl_certificate_key\s+([\w/\-\_\.]+);'
-    line: ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem;
 ...
--- a/roles/live/defaults/main.yml
+++ b/roles/live/defaults/main.yml
 ---
-live_ha: false
+# Define if the deployment is an HA architecture (i.e. live domain is not handle by nudgis frontend server)
+live_ha: False
+# Domain name of the live cluster (only if distinct live server(s) from MediaServer and live_ha variable is set to True)
 live_domain: "live.example.com"
+# Size of the tmpfs storing the live chunks (unit g or m and only if distinct live server(s) from MediaServer)
 live_tmpfs_size: "2048m"
 ...
--- a/roles/live/tasks/base.yml
+++ b/roles/live/tasks/base.yml
+---
+# not working with a tmpfs (mode=777, user=group=root)
+# - name: Changing the rights on the TMPFS directory
+#   notify: restart nginx
+#   ansible.builtin.file:
+#     path: /var/tmp/nginx-rtmp
+#     owner: nginx
+#     group: root
+#     mode: "0700"
+- import_tasks: ../../shared/tasks/firewall_rules_files.yml  # noqa: name[missing]
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+...
--- a/roles/live/tasks/configure.yml
+++ b/roles/live/tasks/configure.yml
+---
+- name: SETUP LIVE TMPFS PARTITION
+  ansible.builtin.include_tasks: "configure/tmpfs.yml"
+  when:
+    - live_tmpfs_size is defined
+...
--- a/roles/live/tasks/configure/tmpfs.yml
+++ b/roles/live/tasks/configure/tmpfs.yml
+---
+- name: TMPFS creation to store the live chunks
+  notify: restart nginx
+  ansible.posix.mount:
+    path: /var/tmp/nginx-rtmp
+    src: tmpfs
+    fstype: tmpfs
+    opts: defaults,size={{ live_tmpfs_size }}
+    state: mounted
+...