Commit d8b8d8c7 authored by Reimar Unger's avatar Reimar Unger

include all changes from sdm

parent 4c0b7eb0
...@@ -54,10 +54,17 @@ Variables ...@@ -54,10 +54,17 @@ Variables
* The SSL CA certificate for the service. * The SSL CA certificate for the service.
* default: "" * default: ""
* www_serverhostname: * www_ssl_selfsigned:
* description:
* This option specifies if selfsigned SSL certificates are used.
* If it is `true` the selfsigned SSL certificates are generated.
* choices: [false, true]
* default: false
* www_servername:
* description: * description:
* The default name of der www hostname. * The default name of der www hostname.
* default: "nextcloud.local" * default: "{{ inventory_hostname }}"
* www_ssl_cert_dest_path: * www_ssl_cert_dest_path:
* description: * description:
...@@ -84,6 +91,12 @@ Variables ...@@ -84,6 +91,12 @@ Variables
* The standard log-file directory * The standard log-file directory
* default: "/var/log/nginx/" * default: "/var/log/nginx/"
* www_php_enable
* description:
* If this option is `true`, the PHP FPM will be installed.
* choices: [false, true]
* default: true
Processes Processes
========= =========
...@@ -91,11 +104,13 @@ main ...@@ -91,11 +104,13 @@ main
---- ----
1. create www group 1. create www group
2. create www user 2. create www user
3. install PHP if www_php_enable is `true`
configure configure
--------- ---------
1. create and configure www directory 1. create and configure www directory
2. configure SSL if www_ssl_priv_key and www_ssl_cert are set 2. configure PHP if www_php_enable is `true`
3. configure SSL if www_ssl_priv_key and www_ssl_cert or www_ssl_selfsigned are set
License License
======= =======
...@@ -6,6 +6,8 @@ www_group: "www" ...@@ -6,6 +6,8 @@ www_group: "www"
www_ssl_priv_key: "" www_ssl_priv_key: ""
www_ssl_cert: "" www_ssl_cert: ""
www_ssl_ca_cert: "" www_ssl_ca_cert: ""
www_ssl_selfsign: false
www_servername: "{{ inventory_hostname }}"
www_mimetypes: [] www_mimetypes: []
www_list_directory: false www_list_directory: false
www_index_files: ["index.html"] www_index_files: ["index.html"]
...@@ -13,4 +15,5 @@ www_port: 80 ...@@ -13,4 +15,5 @@ www_port: 80
www_ssl_port: 443 www_ssl_port: 443
www_hsts: "no" www_hsts: "no"
www_max_upload_size: "512M" www_max_upload_size: "512M"
www_log_files: "/var/log/nginx/" www_log_files: "/var/log"
www_php_enable: true
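Review bot: The new default in this hunk is named `www_ssl_selfsign`, but the tasks this commit adds to configure gate self-signed generation on `www_ssl_selfsigned is true` (the "create selfsigned certificate" task and the SSL block's `when`), and the README hunk documents `www_ssl_selfsigned`; the test playbook likewise sets `www_ssl_selfsign: true`. Because the names differ, the variable the tasks read is never defined by this file, so neither the default nor the test playbook actually exercises the self-signed path — presumably it fails as undefined or evaluates false, depending on how the conditional is handled. Rename the default to `www_ssl_selfsigned: false` and the test playbook value to `www_ssl_selfsigned: true`. Separately, `www_log_files` is changed to `"/var/log"` in the second hunk while the README in the same commit still documents the default as `"/var/log/nginx/"`.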
...@@ -3,9 +3,7 @@ ...@@ -3,9 +3,7 @@
hosts: all hosts: all
vars: vars:
system_config_directory: "/etc" system_config_directory: "/etc"
www_ssl_priv_key: "/tmp/ssl_priv_key.pem" www_ssl_selfsign: true
www_ssl_cert: "/tmp/ssl_pub_key.pem"
tasks: tasks:
- name: "test install package.www" - name: "test install package.www"
sdm.oor.call_role: sdm.oor.call_role:
...@@ -10,7 +10,7 @@ platforms: ...@@ -10,7 +10,7 @@ platforms:
- name: debian - name: debian
registry: registry:
url: gitlab.mn.tu-dresden.de:8000 url: gitlab.mn.tu-dresden.de:8000
image: sdmgroup/containers/debian10:latest image: sdmgroup/containers/debian11:latest
command: /lib/systemd/systemd command: /lib/systemd/systemd
pre_build_image: false pre_build_image: false
---
- name: "generate path for SSL private key"
sdm.oor.set_role_fact:
www_ssl_priv_key: "{{ '/tmp/ssl_priv_key_%s.pem' | format(inventory_hostname) }}"
- name: "generate path for SSL certificate key"
sdm.oor.set_role_fact:
_www_ssl_csr: "{{ '/tmp/ssl_pub_key_%s.csr' | format(inventory_hostname) }}"
- name: "generate path for SSL certificate key"
sdm.oor.set_role_fact:
www_ssl_cert: "{{ '/tmp/ssl_pub_key_%s.pem' | format(inventory_hostname) }}"
- block:
- name: "create SSL private key"
community.crypto.openssl_privatekey:
path: "{{ www_ssl_priv_key }}"
- name: "create certificate signing request (CSR) for self-signed certificate"
community.crypto.openssl_csr:
path: "{{ _www_ssl_csr }}"
privatekey_path: "{{ www_ssl_priv_key }}"
common_name: "{{ www_servername }}"
organization_name: "SDM Framework"
- name: "create self-signed certificate from CSR"
community.crypto.x509_certificate:
path: "{{ www_ssl_cert }}"
csr_path: "{{ _www_ssl_csr }}"
privatekey_path: "{{ www_ssl_priv_key }}"
provider: selfsigned
delegate_to: localhost
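Review bot: The private key is generated with `delegate_to: localhost` into a hostname-derived path under the controller's `/tmp` (`/tmp/ssl_priv_key_%s.pem`), a shared and predictable location, and nothing in this file removes the key or CSR afterwards, so key material for every managed host accumulates on the controller. Prefer a per-run directory created with `ansible.builtin.tempfile` (`state: directory`) or a controller-private path, and set an explicit `mode: "0600"` on `community.crypto.openssl_privatekey` rather than relying on the module default. The two tasks named "generate path for SSL certificate key" share a name; the one that sets `_www_ssl_csr` should read `- name: "generate path for SSL certificate signing request (CSR)"`.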
...@@ -8,8 +8,22 @@ ...@@ -8,8 +8,22 @@
group: "{{ www_group }}" group: "{{ www_group }}"
mode: 0755 mode: 0755
- name: "configure PHP"
sdm.oor.call_role:
name: "package.lang.php.fpm"
tasks: "configure"
vars:
php_default_user: "{{ www_user }}"
php_default_group: "{{ www_group }}"
when: www_php_enable
- name: "configure SSL" - name: "configure SSL"
block: block:
- name: "create selfsigned certificate"
sdm.oor.call_tasks:
from: "_selfsignedcerts"
when: www_ssl_selfsigned is true
- name: "get stat of SSL private directory" - name: "get stat of SSL private directory"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ '%s/ssl/private' | format(system_config_directory) }}" path: "{{ '%s/ssl/private' | format(system_config_directory) }}"
...@@ -44,11 +58,12 @@ ...@@ -44,11 +58,12 @@
owner: "{{ _stat_sslcertsdir.stat.pw_name }}" owner: "{{ _stat_sslcertsdir.stat.pw_name }}"
group: "{{ _stat_sslcertsdir.stat.gr_name }}" group: "{{ _stat_sslcertsdir.stat.gr_name }}"
when: (www_ssl_ca_cert | length) > 0 when: (www_ssl_ca_cert | length) > 0
when: (www_ssl_priv_key | length) > 0 and (www_ssl_cert | length) > 0 when: ((www_ssl_priv_key | length) > 0 and (www_ssl_cert | length) > 0) or
www_ssl_selfsigned is true
notify: notify:
- "reload services" - "reload services"
- name: "execute inherited configure" - name: "execute inherited configure"
sdm.oor.call_tasks: sdm.oor.call_tasks:
from: configure from: configure
super: True super: true
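Review bot: The PHP gate is written as `when: www_php_enable` on the new "configure PHP" task but as `when: www_php_enable is true` on the "install PHP" task this commit adds to main. A value supplied as a string (for example `-e www_php_enable=true`, or `"true"` in an inventory) is truthy for the first form and false for `is true`, so install and configure can disagree on the same host. Use one form in both places; `when: www_php_enable | bool` accepts either representation. The same `is true` comparison is used for `www_ssl_selfsigned` in this section's "create selfsigned certificate" task and the SSL block's `when`, where a string `"true"` would likewise silently disable the self-signed path.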
...@@ -18,3 +18,12 @@ ...@@ -18,3 +18,12 @@
group: "{{ www_group }}" group: "{{ www_group }}"
home: "{{ www_root_directory }}" home: "{{ www_root_directory }}"
shell: "/usr/sbin/nologin" shell: "/usr/sbin/nologin"
- name: "install PHP"
sdm.oor.call_role:
name: "package.lang.php.fpm"
tasks: "main"
vars:
php_default_user: "{{ www_user }}"
php_default_group: "{{ www_group }}"
when: www_php_enable is true