From: Hamatoma Date: Mon, 19 May 2025 05:08:11 +0000 (+0200) Subject: improvements X-Git-Url: https://gitweb.hamatoma.de/?a=commitdiff_plain;h=3f7dca1175df2a04a789662fc1418d5759709fd7;p=ansknife.git improvements
---
diff --git a/playbooks.templates/i_17_configuration.yaml b/playbooks.templates/i_17_configuration.yaml
index b0be4ca..76bbe09 100644
--- a/playbooks.templates/i_17_configuration.yaml
+++ b/playbooks.templates/i_17_configuration.yaml
@@ -5,7 +5,7 @@
 - ../vars/common.yaml
 tasks:
 - name: limit the total size of journald logs
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/systemd/journald.conf
 regexp: ^#?\s*SystemMaxUse=
 line: SystemMaxUse={{ systemd_journal_system_max_use }}
@@ -13,7 +13,7 @@
 - restart systemd-journald
 - name: limit the size of each journald log file
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/systemd/journald.conf
 regexp: ^#\s*SystemMaxFileSize=
 line: SystemMaxFileSize={{ systemd_journal_system_max_file_size }}
diff --git a/playbooks.templates/lets_multi_certificate.yaml b/playbooks.templates/lets_multi_certificate.yaml
new file mode 100644
index 0000000..7cd6e32
--- /dev/null
+++ b/playbooks.templates/lets_multi_certificate.yaml
@@ -0,0 +1,19 @@
+---
+# Creates a letsencrypt certificate for a domain
+# needed facts (variables) from commandline: (e.g. -e domain=example.com
+# domain: the site domain name
+- hosts: all
+ vars_files:
+ - ../vars/common.yaml
+ - ../vars/ssl-certificate.yaml
+ tasks:
+ - name: Check pre-requisites
+ fail:
+ msg: "The variable 'domains' must be defined: use -e domain=mydomain.com,www.mydomain.com"
+ when: domains is not defined or "," not in domains
+ - name: Set facts
+ set_fact:
+ domain_list: "{{ domains.split(',') }}"
+ - name: create certificate for {{ domain_list }}
+ ansible.builtin.include_tasks: ../tasks/t_lets_multi_cert.yaml
+
diff --git a/playbooks.templates/opencloud_install.yaml b/playbooks.templates/opencloud_install.yaml
new file mode 100644
index 0000000..351ff7e
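Review bot: The header comment of lets_multi_certificate.yaml documents a `domain` variable (`-e domain=example.com`, `# domain: the site domain name`) while the play reads `domains`, and the fail message likewise says `use -e domain=...`, so the usage text points users to the wrong variable. Suggest `# needed facts (variables) from commandline: (e.g. -e domains=example.com,www.example.com)` and `# - domains: comma-separated list of domain names` at the top, and `use -e domains=mydomain.com,www.mydomain.com` in the message. The `"," not in domains` condition also rejects a single domain although `domains.split(',')` handles one element fine; if that is not intended, `when: domains is not defined or domains | length == 0` covers both cases. ssl_multi_cert.yaml in this commit has the same `domain`/`domains` mismatch in its header comment.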
--- /dev/null
+++ b/playbooks.templates/opencloud_install.yaml
@@ -0,0 +1,52 @@
+- name: Installs a opencloud server as docker container
+ # needed facts (variables) from the commandline: (e.g. ansible-playbook -e "domain=example.com")
+ # - domain: the domain name for the certificate
+ hosts: all
+ vars_files:
+ - ../vars/common.yaml
+ - ../vars/opencloud.yaml
+ - ../vars/ssl-certificate.yaml
+ tasks:
+ - name: Enable the docker repository
+ ansible.builtin.include_tasks : ../tasks/t_docker_install.yaml
+ - name: Create directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: 1000
+ group: 1000
+ with_items: ["{{ opencloud_base }}/opencloud_config", "{{ opencloud_base }}/opencloud_data"]
+ - name: Prepare git for repository ownership
+ ansible.builtin.command:
+ cmd: git config --global --add safe.directory {{ opencloud_base }}/opencloud
+ - name: Clone opencloud repository
+ ansible.builtin.git:
+ repo: https://github.com/opencloud-eu/opencloud.git
+ dest: "{{ opencloud_base }}/opencloud"
+ #version: main
+ depth: 1
+ update: no
+ - name: Configuration in .env
+ ansible.builtin.lineinfile:
+ dest: "{{ opencloud_config_file }}"
+ regexp: "{{ item.key }}"
+ line: "{{ item.value }}"
+ with_dict: "{{ opencloud_configs }}"
+ - name: Configuration for docker-compose
+ ansible.builtin.lineinfile:
+ dest: "{{ opencloud_base }}/opencloud/deployments/examples/opencloud_full/docker-compose.yml"
+ regexp: "{{ item.key }}"
+ line: "{{ item.value }}"
+ with_dict:
+ '^ +- "[0-9]+:80"': ' - "{{ opencloud_port80 }}:80"'
+ '^ +- "[0-9]+:443"': ' - "{{ opencloud_port443 }}:443"'
+ - name: Create a X509 certificate for {{ opencloud_domain }}
+ ansible.builtin.include_tasks : ../tasks/t_ssl_multi_cert.yaml
+ vars:
+ domain_names:
+ - "cloud.{{ opencloud_domain }}"
+ - "collabora.{{ opencloud_domain }}"
+ - "wopiserver.{{ opencloud_domain }}"
+ - "traefik.{{ opencloud_domain }}"
+
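Review bot: The `ansible.builtin.git` task in opencloud_install.yaml clones `opencloud-eu/opencloud` with `#version: main` commented out, so every fresh deployment checks out whatever the remote default branch points to at that moment, and the `docker-compose.yml` that the next task patches is taken from that unpinned tree. For a reproducible and reviewable supply chain pin it, e.g. `version: "<OPENCLOUD_RELEASE_TAG_OR_COMMIT>"` (placeholder), and keep `update: false` so a later run does not silently move the checkout. Smaller points in the same hunk: `mode: 0755` is an unquoted octal and should be `mode: '0755'` as t_docker_internal.yaml already writes it, `update: no` should be `update: false`, and both `ansible.builtin.include_tasks :` keys carry a space before the colon. The `git config --global --add safe.directory` command also reports changed on every run; `changed_when: false` would keep the play idempotent.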
diff --git a/playbooks.templates/ssl_multi_cert.yaml b/playbooks.templates/ssl_multi_cert.yaml
new file mode 100644
index 0000000..d8b98fa
--- /dev/null
+++ b/playbooks.templates/ssl_multi_cert.yaml
@@ -0,0 +1,17 @@
+---
+- name: Creates a X509 certificate for a domain, needed for a letsencrypt certificate
+ # needed facts (variables) from the commandline: (e.g. ansible-playbook -e "domain=example.com")
+ # - domains: a list of domain name for the certificate
+ hosts: all
+ vars_files:
+ - ../vars/common.yaml
+ - ../vars/ssl-certificate.yaml
+ tasks:
+ - name: test pre-requisites
+ fail: msg="missing fact! domains. Use -e domains=example.com,example.org"
+ when: domains is not defined or ',' not in domains
+ - name: build list of domains
+ set_fact:
+ domain_names: "{{ domains.split(',') }}"
+ - name: Creates a X509 certificate for {{domain}}
+ import_tasks : ../tasks/t_ssl_multi_cert.yaml
diff --git a/tasks.templates/t_docker_install.yaml b/tasks.templates/t_docker_install.yaml
new file mode 100644
index 0000000..466f2fc
--- /dev/null
+++ b/tasks.templates/t_docker_install.yaml
@@ -0,0 +1,14 @@
+# Installs the docker repository to enable the current version of docker
+- name: does the docker repo exists
+ ansible.builtin.stat:
+ path: /etc/apt/sources.list.d/docker.list
+ register: docker_repo_exists
+- name: do the needed things
+ ansible.builtin.include_tasks: ../tasks/t_docker_internal.yaml
+ when: not docker_repo_exists.stat.exists
+- name: reload docker
+ service:
+ name: docker
+ state: restarted
+ enabled: yes
+
diff --git a/tasks.templates/t_docker_internal.yaml b/tasks.templates/t_docker_internal.yaml
new file mode 100644
index 0000000..fb9ff29
--- /dev/null
+++ b/tasks.templates/t_docker_internal.yaml
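Review bot: The last task name in ssl_multi_cert.yaml, `Creates a X509 certificate for {{domain}}`, templates a variable this play never sets — the play defines `domain_names` from `domains`, and `domain` is only assigned inside the imported task file — so the name cannot be resolved when the task is displayed. Use `- name: Creates a X509 certificate for {{ domain_names }}` (or `{{ domains }}`). The `fail: msg="..."` line uses the key=value shorthand; the native form `fail:` with `msg: "missing fact! domains. Use -e domains=example.com,example.org"` on the next line matches the rest of the file and avoids quoting surprises. `import_tasks :` also carries a space before the colon.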
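Review bot: The `reload docker` task in t_docker_install.yaml uses `state: restarted` unconditionally, so every run of a playbook that includes this file restarts the docker daemon, and with it every running container, even when nothing changed. Use `state: started` here and move the restart to a handler notified by the repository and install tasks in t_docker_internal.yaml, or at least guard it with the `docker_repo_exists` result. `service:` and `enabled: yes` should be `ansible.builtin.service:` and `enabled: true` for consistency with the FQCN style used elsewhere in this commit. When the repo file already exists but docker-ce was never installed the include is skipped, and this service task would presumably fail on the missing unit — worth a comment or a package-present task outside the guard.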
@@ -0,0 +1,57 @@
+- name: Check if docker key exists
+ ansible.builtin.stat:
+ path: /etc/apt/keyrings/docker.gpg
+ register: docker_gpg
+
+- name: Create APT keyring directory
+ ansible.builtin.file:
+ path: /etc/apt/keyrings
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+
+# TODO: cleanup docker.asc
+- name: Download docker armored signature
+ ansible.builtin.get_url:
+ url: https://download.docker.com/linux/debian/gpg
+ dest: /tmp/docker.asc
+ when: not docker_gpg.stat.exists
+
+# TODO: Make sure gnupg/gnupg2 is installed
+- name: Dearmor docker asc
+ ansible.builtin.command: /usr/bin/gpg --dearmor -o /etc/apt/keyrings/docker.gpg /tmp/docker.asc
+ when: not docker_gpg.stat.exists
+
+- name: Add docker apt repository.
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+ state: present
+ update_cache: yes
+ filename: docker
+- name: remove wrong docker packages
+ ansible.builtin.apt:
+ name: "docker"
+ state: absent
+ update_cache: true
+ cache_valid_time: 3600
+ with_items:
+ - docker.io
+ - docker-doc
+ - docker-compose
+ - podman-docker
+ - containerd
+ - runc
+ when: not docker_repo_exists.stat.exists
+- name: Install docker
+ ansible.builtin.apt:
+ name: "docker"
+ state: present
+ update_cache: true
+ cache_valid_time: 3600
+ with_items:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose-plugin
\ No newline at end of file
diff --git a/tasks.templates/t_lets_multi_cert.yaml b/tasks.templates/t_lets_multi_cert.yaml
new file mode 100644
index 0000000..3cab11a
--- /dev/null
+++ b/tasks.templates/t_lets_multi_cert.yaml
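Review bot: Both `ansible.builtin.apt` tasks at the end of t_docker_internal.yaml set `name: "docker"` and never reference `item`, so their `with_items` lists are ignored: the loops remove and then install a package literally called `docker` six and five times, and docker-ce, docker-ce-cli and containerd.io are never installed. Drop the loops and pass the list to the module, `name: [docker.io, docker-doc, docker-compose, podman-docker, containerd, runc]` for the removal and `name: [docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin, docker-compose-plugin]` for the install, one apt transaction each. The `get_url` of the signing key relies on TLS alone; adding `checksum: "sha256:<DOCKER_GPG_SHA256>"` (placeholder, taken from the vendor key you verified out of band) pins the key that `signed-by=` will later trust, and staging it in a root-owned directory instead of `/tmp/docker.asc` avoids a world-writable intermediate file. `arch=amd64` and `linux/debian` are hard-coded in the repo line; if Ubuntu or arm64 hosts are in scope, derive them from `ansible_distribution` and `ansible_architecture` (the latter needs an x86_64→amd64 mapping).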
@@ -0,0 +1,15 @@
+---
+# Creates a letsencrypt certificate for the given domain
+# needed facts (variables):
+# - domain_list: a list of domain names to create the certificate for
+# - webmaster_email: the email address to use for the certificate
+- name: Set facts
+ set_fact:
+ domain: "{{ domain_list[0] }}"
+ domain_seq: "{{ domain_list | map('regex_replace', '^(.*)$', ' -d \\1') | join(' ') }}"
+
+- name: create a letsencrypt certificate for {{ domain_seq }}
+ shell:
+ cmd: 'certbot certonly -a webroot --webroot-path=/srv/www/letsencrypt --email {{ webmaster_email }} --agree-tos --non-interactive {{ domain_seq }}'
+ args:
+ creates: "/etc/letsencrypt/live/{{ domain }}"
\ No newline at end of file
diff --git a/tasks.templates/t_ssl_create_certificate.yaml b/tasks.templates/t_ssl_create_certificate.yaml
index 5d9550c..d53473a 100644
--- a/tasks.templates/t_ssl_create_certificate.yaml
+++ b/tasks.templates/t_ssl_create_certificate.yaml
@@ -8,6 +8,10 @@
 # - ssl_lifetime: the lifetime of the certificate in days
 # - ssl_rsa_key_size: the size of the RSA key for the certificate
 - name: create a ssh-certificate
- ansible.builtin.command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}"
+ ansible.builtin.command: 'openssl req -x509 -nodes -days {{ssl_lifetime}} \
+ -newkey rsa:{{ssl_rsa_key_size}} \
+ -keyout /etc/ssl/private/{{domain}}.key \
+ -out /etc/ssl/certs/{{domain}}.pem \
+ -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}"''
 args:
 creates: /etc/ssl/private/{{domain}}.key
diff --git a/tasks.templates/t_ssl_multi_cert.yaml b/tasks.templates/t_ssl_multi_cert.yaml
new file mode 100644
index 0000000..be2c34d
--- /dev/null
+++ b/tasks.templates/t_ssl_multi_cert.yaml
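Review bot: The certbot task in t_lets_multi_cert.yaml runs through `shell:` and interpolates `{{ webmaster_email }}` and `{{ domain_seq }}` unquoted into the command line although no shell feature is used; both values come straight from `-e` input, so a value containing shell metacharacters would be interpreted by the shell instead of being passed to certbot. Either switch to `ansible.builtin.command:` with the same `cmd:` (no shell involved) or quote each piece: `--email {{ webmaster_email | quote }}` and `domain_seq: "{{ domain_list | map('quote') | map('regex_replace', '^(.*)$', ' -d \\1') | join(' ') }}"`. `shell:` and `set_fact:` are also the only non-FQCN module names among the new task files.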
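Review bot: The new `-subj` line in t_ssl_create_certificate.yaml ends with `"''` — inside a single-quoted YAML scalar `''` is an escaped apostrophe, so the scalar opened at `'openssl req` is never closed and the file no longer parses; the line should end `...CN={{domain}}"'`. Separately, the backslash continuations are literal inside a single-quoted scalar: YAML folds the line breaks to spaces but keeps each `\`, and `ansible.builtin.command` runs no shell to interpret them, so openssl most likely receives stray backslash-derived arguments. A folded block scalar without backslashes avoids both problems — `ansible.builtin.command: >-` followed by the same continuation lines with each trailing `\` removed. The `openssl` task in t_ssl_multi_cert.yaml has the same backslash issue.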
@@ -0,0 +1,24 @@
+# Creates a X509 certificate for a domain, needed for a letsencrypt certificate.
+# needed facts (variables):
+# - domain_names: a list of domain names for the certificate
+# - ssl_country: the country code for the certificate
+# - ssl_state: the state for the certificate
+# - ssl_locality: the locality for the certificate
+# - ssl_organization: the organization for the certificate
+# - ssl_lifetime: the lifetime of the certificate in days
+# - ssl_rsa_key_size: the size of the RSA key for the certificate
+- name: Set facts
+ set_fact:
+ domain: "{{ domain_names[0] }}"
+ san_list: "{{ domain_names | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}"
+- name: debug
+ ansible.builtin.debug:
+ msg: "== san: {{ san_list }} domain: {{ domain }}\nDomains: {{ domain_names }}\n"
+- name: create a ssh-certificate
+ ansible.builtin.command: 'openssl req -x509 -nodes -days {{ssl_lifetime}} \
+ -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key \
+ -out /etc/ssl/certs/{{domain}}.pem \
+ -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}" \
+ -addext "subjectAltName={{ san_list }}"'
+ args:
+ creates: /etc/ssl/private/{{domain}}.key
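Review bot: The `creates: /etc/ssl/private/{{domain}}.key` guard in t_ssl_multi_cert.yaml keys only on the first entry of `domain_names`, so once a certificate exists for that name, adding or renaming a SAN in `san_list` never regenerates the certificate and the new name silently stays uncovered. Consider deriving the `creates` path from `san_list` (for example a hash of it), or recording the SAN list next to the key and comparing it, so a changed list triggers a new certificate. `-addext` requires OpenSSL 1.1.1 or newer; a comment such as `# -addext needs OpenSSL >= 1.1.1` would save the next reader a failed run, and the task name `create a ssh-certificate` is misleading for an X.509 TLS certificate — `create a self-signed X509 certificate with SANs` says what it does. The `debug` task prints the full SAN list on every run and could be dropped or given `verbosity: 1`.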