Debian 11 support, Refs #34234

55b9a545 · Baptiste DE RENZO · 2781312d · 55b9a545 · 55b9a545 · 55b9a545
Commit 55b9a545 authored 2 years ago by Baptiste DE RENZO
--- a/playbooks/postgres-maintenance/fenced_to_standby.yml
+++ b/playbooks/postgres-maintenance/fenced_to_standby.yml
@@ -15,13 +15,13 @@
    - name: delete postgresql data directory
      ansible.builtin.file:
-        path: /var/lib/postgresql/11/main/
+        path: /var/lib/postgresql/13/main/
        state: absent
        force: true
    - name: copy data from primary
      ansible.builtin.command: >
-        repmgr -f /etc/postgresql/11/main/repmgr.conf
+        repmgr -f /etc/postgresql/13/main/repmgr.conf
          --force --verbose
          standby clone
          -h {{ hostvars[groups['postgres_primary'][0]]['ansible_default_ipv4']['address'] }}
@@ -39,7 +39,7 @@
      when: copy_from_primary is succeeded
    - name: register node as standby
-      ansible.builtin.command: "repmgr -f /etc/postgresql/11/main/repmgr.conf --force --verbose standby register"
+      ansible.builtin.command: "repmgr -f /etc/postgresql/13/main/repmgr.conf --force --verbose standby register"
      become: true
      become_user: postgres
      when: copy_from_primary is succeeded

--- a/playbooks/postgres-maintenance/standby_to_primary.yml
+++ b/playbooks/postgres-maintenance/standby_to_primary.yml
@@ -8,13 +8,13 @@
        msg: "Current status {{ rephacheck['stdout'] }} must be standby."
      when: rephacheck['stdout'] != "standby"
    - name: check if node is currently in standby
-      ansible.builtin.command: "repmgr standby switchover -f /etc/postgresql/11/main/repmgr.conf --siblings-follow --dry-run"
+      ansible.builtin.command: "repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow --dry-run"
      become: true
      become_user: postgres
      when: rephacheck['stdout'] == "standby"
      register: standby_dry_run
    - name: switch standby node to primary
-      ansible.builtin.command: "repmgr standby switchover -f /etc/postgresql/11/main/repmgr.conf --siblings-follow"
+      ansible.builtin.command: "repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow"
      become: true
      become_user: postgres
      when:

--- a/roles/celerity/tasks/main.yml
+++ b/roles/celerity/tasks/main.yml
@@ -4,7 +4,7 @@
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
-    name: celerity-server
+    name: ubicast-celerity-server
  register: apt_status
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)

--- a/roles/ferm-install/tasks/main.yml
+++ b/roles/ferm-install/tasks/main.yml
@@ -9,6 +9,13 @@
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+- name: use iptables-legacy
+  ansible.builtin.shell: |
+    update-alternatives --set iptables /usr/sbin/iptables-legacy
+    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+  register: cmd
+  changed_when: "'using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode' in cmd.stdout"
 - name: configuration
  notify: restart ferm
  ansible.builtin.template:

--- a/roles/mediaimport/handlers/main.yml
+++ b/roles/mediaimport/handlers/main.yml
@@ -4,6 +4,11 @@
  ansible.builtin.systemd:
    daemon_reload: true
+- name: restart sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted
 - name: restart pure-ftpd
  ansible.builtin.systemd:
    name: pure-ftpd

--- a/roles/mediaimport/tasks/main.yml
+++ b/roles/mediaimport/tasks/main.yml
@@ -41,6 +41,13 @@
 ## MYSECURESHELL
+- name: enable password login for ssh
+  notify: restart sshd
+  ansible.builtin.replace:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication no"
+    replace: "#PasswordAuthentication yes"
 - name: set the setuid on mysecureshell
  ansible.builtin.file:
    path: /usr/bin/mysecureshell

--- a/roles/mediaserver/defaults/main.yml
+++ b/roles/mediaserver/defaults/main.yml
@@ -6,7 +6,6 @@ server_packages:
  - memcached
  - nginx
  - postfix
-  - celerity-utils
  - ubicast-mediaserver
 server_default_email_sender: "noreply@{{ server_hostname }}"

--- a/roles/mediaserver/tasks/main.yml
+++ b/roles/mediaserver/tasks/main.yml
@@ -27,14 +27,6 @@
    key: "{{ hostvars[item]['pubkey'] }}"
  tags: always
- name: resolve domain name to localhost
-  notify: restart nginx
-  loop: "{{ server_instances }}"
-  ansible.builtin.lineinfile:
-    path: /etc/hosts
-    line: '127.0.1.1 {{ item.ms_server_name }}'
-    backup: true
 - name: Update the MS configuration with the celerity server IP
  ansible.builtin.lineinfile:
    path: /etc/mediaserver/msconf.py
@@ -60,23 +52,6 @@
    mode: '0644'
 - name: create instances
-  when: inventory_hostname == groups['mediaserver'][0]
-  loop: "{{ server_instances }}"
-  environment:
-    MS_ID: "{{ item.ms_id }}"
-    MS_SERVER_NAME: "{{ item.ms_server_name }}"
-    MS_API_KEY: "{{ item.ms_api_key }}"
-    CM_SERVER_NAME: "{{ item.cm_server_name }}"
-    MS_SUPERUSER_PWD: "{{ item.ms_superuser_pwd }}"
-    MS_ADMIN_PWD: "{{ item.ms_admin_pwd }}"
-  ansible.builtin.command:
-    cmd: msinstaller.py {{ item.name }} --no-input
-    creates: /etc/nginx/sites-available/mediaserver-{{ item.name }}.conf
- name: create instances for secondary servers
-  when:
-    - groups['mediaserver'] | length > 1
-    - inventory_hostname != groups['mediaserver'][0]
  loop: "{{ server_instances }}"
  environment:
    MS_ID: "{{ item.ms_id }}"
@@ -85,8 +60,12 @@
    CM_SERVER_NAME: "{{ item.cm_server_name }}"
    MS_SUPERUSER_PWD: "{{ item.ms_superuser_pwd }}"
    MS_ADMIN_PWD: "{{ item.ms_admin_pwd }}"
+    DB_HOST: "{{ envsetup_db_host | d('127.0.0.1') }}"
+    DB_PORT: "{{ envsetup_db_port | d('5432') }}"
+    DB_PG_ROOT_PWD: "{{ envsetup_db_pg_root_pwd | d('') }}"
+    MS_SECRET: "{{ envsetup_ms_secret | d('') }}"
  ansible.builtin.command:
-    cmd: msinstaller.py {{ item.name }} --no-input
+    cmd: mscontroller.py add -u {{ item.name }}
    creates: /etc/nginx/sites-available/mediaserver-{{ item.name }}.conf
  throttle: 1

--- a/roles/mediaworker/tasks/main.yml
+++ b/roles/mediaworker/tasks/main.yml
@@ -4,7 +4,7 @@
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
-    name: celerity-workers
+    name: ubicast-celerity-workers
  register: apt_status
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)

--- a/roles/mirismanager/tasks/main.yml
+++ b/roles/mirismanager/tasks/main.yml
@@ -15,6 +15,8 @@
    state: started
 - name: mirismanager install
+  environment:
+    CM_SERVER_NAME: "{{ manager_hostname }}"
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
@@ -23,38 +25,6 @@
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: configure domain name in nginx conf
-  notify: restart nginx
-  ansible.builtin.replace:
-    path: /etc/nginx/sites-available/skyreach.conf
-    regexp: '^(\s*server_name).*;$'
-    replace: '\1 {{ manager_hostname }};'
-    backup: true
- name: configure domain name in settings
-  notify: restart skyreach
-  ansible.builtin.lineinfile:
-    path: /home/skyreach/skyreach_data/private/settings_override.py
-    regexp: '^#? ?SITE_URL.*'
-    line: "SITE_URL = 'https://{{ manager_hostname }}'"
-    backup: true
- name: configure site title in settings
-  notify: restart skyreach
-  ansible.builtin.lineinfile:
-    path: /home/skyreach/skyreach_data/private/settings_override.py
-    regexp: '^#? ?SITE_TITLE.*'
-    line: "SITE_TITLE = '{{ manager_hostname }}'"
-    backup: true
- name: configure site name in settings
-  notify: restart skyreach
-  ansible.builtin.lineinfile:
-    path: /home/skyreach/skyreach_data/private/settings_override.py
-    regexp: '^#? ?SITE_NAME.*'
-    line: "SITE_NAME = '{{ manager_hostname }}'"
-    backup: true
 - name: configure email sender address in settings
  notify: restart skyreach
  ansible.builtin.lineinfile:
@@ -63,13 +33,6 @@
    line: "DEFAULT_FROM_EMAIL = '{{ manager_email_sender }}'"
    backup: true
- name: resolve domain name to localhost ipv4
-  notify: restart nginx
-  ansible.builtin.lineinfile:
-    path: /etc/hosts
-    line: '127.0.0.1 {{ manager_hostname }}'
-    backup: true
 - name: ensure skyreach is running
  ansible.builtin.service:
    name: skyreach

--- a/roles/munin/msmonitor/defaults/main.yml
+++ b/roles/munin/msmonitor/defaults/main.yml
 ---
 monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd | d() }}"
+monitor_admin_pwd: "{{ envsetup_monitor_admin_pwd | d() }}"
+monitor_superuser_pwd: "{{ envsetup_monitor_superuser_pwd | d() }}"
+ssh_maintenance_port: "{{ envsetup_ssh_maintenance_port | d() }}"
 monitor_hostname: "{{ envsetup_monitor_server_name | d('monitor', true) }}"
 monitor_firewall_enabled: true

--- a/roles/munin/msmonitor/tasks/main.yml
+++ b/roles/munin/msmonitor/tasks/main.yml
 ---
 - name: install ubicast msmonitor
+  environment:
+    MONITOR_SERVER_NAME: "{{ monitor_hostname }}"
+    MONITOR_SHELL_PWD: "{{ monitor_shell_pwd | password_hash('sha512', 'monitor') }}"
+    MONITOR_ADMIN_PWD: "{{ monitor_admin_pwd | password_hash('sha512', 'monitor') }}"
+    MONITOR_SUPERUSER_PWD: "{{ monitor_superuser_pwd  }}"
+    SSH_MAINTENANCE_PORT: "{{ ssh_maintenance_port }}"
  ansible.builtin.apt:
    force_apt_get: true
    install_recommends: false
    state: latest
    name:
-      - ubicast-monitor
+      - ubicast-webmonitor
-      - ubicast-monitor-runtime
+      - ubicast-webmonitor-runtime
  register: apt_status
  retries: 60
  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
- name: set msmonitor account password
-  ansible.builtin.user:
-    name: msmonitor
-    password: "{{ monitor_shell_pwd | password_hash('sha512', 'monitor') }}"
- name: configure domain name in nginx
-  notify: restart nginx
-  ansible.builtin.replace:
-    path: /etc/nginx/sites-available/msmonitor.conf
-    regexp: '^(\s*server_name).*;$'
-    replace: '\1 {{ monitor_hostname }};'
-    backup: true
- name: resolve domain name to localhost ipv4
-  notify: restart nginx
-  ansible.builtin.lineinfile:
-    path: /etc/hosts
-    line: '127.0.1.1 {{ monitor_hostname }}'
-    backup: true
 - name: ensure msmonitor is running
  ansible.builtin.service:
-    name: msmonitor
+    name: webmonitor
    enabled: true
    state: started
- name: set directory permissions
-  ansible.builtin.file:
-    path: /home/msmonitor/msmonitor
-    mode: 0755
-    state: directory
 # FIREWALL
 - name: firewall

--- a/roles/postgres-ha/defaults/main.yml
+++ b/roles/postgres-ha/defaults/main.yml
@@ -7,7 +7,7 @@ repmgr_packages:
  - python3-psycopg2
  - python3-toml
-repmgr_pg_version: "{{ pg_version | default('11') }}"
+repmgr_pg_version: "{{ pg_version | default('13') }}"
 repmgr_pg_cluster: "{{ pg_cluster | default('main') }}"
 repmgr_pg_data: /var/lib/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}

--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -4,7 +4,7 @@ pg_packages:
  - acl
  - postgresql
-pg_version: 11
+pg_version: 13
 pg_cluster: main
 pg_password: "{{ envsetup_db_pg_root_pwd | d() }}"

--- a/roles/postgres/files/logrotate-postgresql
+++ b/roles/postgres/files/logrotate-postgresql
+/var/log/postgresql/*.log {
+       weekly
+       rotate 4
+       copytruncate
+       delaycompress
+       compress
+       notifempty
+       missingok
+       su root root
+}
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -20,6 +20,15 @@
 # CONFIGURATION
+- name: update logrotate config
+  ansible.builtin.copy:
+    src: logrotate-postgresql
+    dest: "/etc/logrotate.d/postgresql-common"
+    owner: root
+    group: root
+    backup: false
+    mode: '644'
 - name: ensure conf directory exists
  ansible.builtin.file:
    path: "{{ pg_conf_dir }}/conf.d"

--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -86,12 +86,13 @@
    replace: 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
  notify: restart unattended-upgrades
- name: allow automatic updates for ubicast security
+- name: allow automatic updates for ubicast security repo
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    insertafter: '^Unattended-Upgrade::Origins-Pattern {$'
    line: '        "origin=UbiCast,label=UbiCast-Security";'
    backup: true
+  notify: restart unattended-upgrades
 - name: enable root login via ssh with key
  ansible.builtin.replace:

--- a/roles/sysconfig/tasks/ntp.yml
+++ b/roles/sysconfig/tasks/ntp.yml
 ---
- name: create systemd-timesync service config directory
-  ansible.builtin.file:
-    path: /lib/systemd/system/systemd-timesyncd.service.d
-    state: directory
-    mode: 0755
- name: ntp add condition to systemd-timesyncd service
+- name: gathering services
-  notify: systemd daemon reload
+  ansible.builtin.service_facts:
-  ansible.builtin.copy:
-    dest: /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
-    mode: '644'
-    content: |
-      [Unit]
-      # don't run timesyncd if we have another NTP daemon installed
-      ConditionFileIsExecutable=!/usr/sbin/ntpd
-      ConditionFileIsExecutable=!/usr/sbin/openntpd
-      ConditionFileIsExecutable=!/usr/sbin/chronyd
-      ConditionFileIsExecutable=!/usr/sbin/VBoxService
 - name: ntp disable systemd-timesyncd service
  notify: restart ntp
  ansible.builtin.systemd:
    name: systemd-timesyncd
    enabled: false
+    daemon_reload: true
    state: stopped
+  when: ('systemd-timesyncd.service' in ansible_facts.services)
+        and (ansible_facts.services['systemd-timesyncd.service'].status != 'not-found')
 - name: ntp install
  ansible.builtin.apt:

--- a/roles/sysconfig/tasks/repos.yml
+++ b/roles/sysconfig/tasks/repos.yml
 ---
- name: ubuntu apt repo sources list
+- name: debian 10 apt repo sources list
  when:
    - not offline_mode | d(false)
-    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '10'
  notify: update cache
  ansible.builtin.copy:
    dest: /etc/apt/sources.list
    mode: '644'
    content: |
-      deb {{ repos_prefix }}archive.ubuntu.com/ubuntu/ {{ repos_release }} main restricted universe multiverse
+      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }} main contrib non-free
-      deb {{ repos_prefix }}archive.ubuntu.com/ubuntu/ {{ repos_release }}-updates main restricted universe multiverse
+      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
-      deb {{ repos_prefix }}archive.ubuntu.com/ubuntu/ {{ repos_release }}-backports main restricted universe multiverse
+      deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}/updates main contrib non-free
-      deb {{ repos_prefix }}security.ubuntu.com/ubuntu {{ repos_release }}-security main restricted universe multiverse
- name: debian apt repo sources list
+- name: debian 11 apt repo sources list
  when:
    - not offline_mode | d(false)
    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '11'
  notify: update cache
  ansible.builtin.copy:
    dest: /etc/apt/sources.list
@@ -25,7 +26,7 @@
    content: |
      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }} main contrib non-free
      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
-      deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}/updates main contrib non-free
+      deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}-security main contrib non-free
 - name: add ubicast apt repo key
  when: not offline_mode | d(false)
@@ -36,16 +37,42 @@
  when:
    - not offline_mode | d(false)
    - repos_skyreach_token | d(false)
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '10'
  ansible.builtin.apt_repository:
    repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/
    filename: ubicast
    update_cache: true
+- name: add ubicast apt repo
+  when:
+    - not offline_mode | d(false)
+    - repos_skyreach_token | d(false)
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '11'
+  ansible.builtin.apt_repository:
+    repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/bullseye/
+    filename: ubicast
+    update_cache: true
 - name: add ubicast security apt repo
-  when: not offline_mode | d(false)
+  when:
+    - not offline_mode | d(false)
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '10'
  ansible.builtin.apt_repository:
    repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/
    filename: ubicast-secu
    update_cache: true
+- name: add ubicast security apt repo
+  when:
+    - not offline_mode | d(false)
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '11'
+  ansible.builtin.apt_repository:
+    repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/bullseye/
+    filename: ubicast-secu
+    update_cache: true
 ...
--- a/roles/tester/defaults/main.yml
+++ b/roles/tester/defaults/main.yml
@@ -3,5 +3,7 @@
 tester_packages:
  - ubicast-env
  - ubicast-tester
+  - ubicast-tester-nudgis
+  - ubicast-tester-system
 ...