diff --git a/ansible/playbooks/role-rocky-system.yml b/ansible/playbooks/role-rocky-system.yml
new file mode 100644
index 0000000..a637af9
--- /dev/null
+++ b/ansible/playbooks/role-rocky-system.yml
@@ -0,0 +1,46 @@
+---
+# No idea if this is an antipattern. Manage the system.
+#
+- name: Manage the basic aspects of the system
+ hosts: all
+ become: true
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ tasks:
+ - name: Install/Update Base System packages
+ dnf:
+ name:
+ - sudo
+ update_only: true
+ state: latest
+ register: dnf_result
+
+ - name: "List changed packages"
+ debug:
+ var: dnf_result.results
+ when: dnf_result.results | length > 0
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/role-rocky-wikijs.yml b/ansible/playbooks/role-rocky-wikijs.yml
new file mode 100644
index 0000000..78e06e5
--- /dev/null
+++ b/ansible/playbooks/role-rocky-wikijs.yml
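Review bot: The `/etc/no-ansible` opt-out is implemented with `assert`, so a host carrying the marker is reported as failed rather than skipped, which contradicts the `fail_msg` text "skipping run on this node" and leaves a red host in every run summary (and would abort the play for all hosts if `any_errors_fatal` were ever enabled). Replacing the assert with `- name: Skip this host if /etc/no-ansible exists` / `meta: end_host` / `when: no_ansible.stat.exists` ends the play for that host cleanly; the same pattern recurs in the role-rocky-wikijs.yml hunk. Separately, the `when: dnf_result.results | length > 0` guard on the debug task would raise an undefined-attribute error instead of skipping if the dnf module ever returns without a `results` key; `when: dnf_result.results | default([]) | length > 0` is the safer form.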
@@ -0,0 +1,69 @@
+---
+# WikiJS
+- name: Install and manage Wikijs
+ hosts: wiki
+ become: false
+ vars_files:
+ - vars/vaults/hostman.yml
+ - vars/vaults/wikijs.yml
+ - vars/wikijs.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Install SELinux packages
+ become: true
+ package:
+ name: python3-policycoreutils.noarch
+ state: present
+
+ roles:
+ - role: rockylinux.ipagetcert
+ become: true
+ state: present
+ tags: ['certs']
+
+ - role: rockylinux.wikijs
+ tags: ['wikijs']
+ become: true
+
+ # Define variables in vars/wikijs.yml
+ - role: nginxinc.nginx_core.nginx
+ tags: ['nginx']
+ become: true
+ - role: nginxinc.nginx_core.nginx_config
+ tags: ['nginx']
+ become: true
+
+ post_tasks:
+ - name: Open firewalld ports
+ become: true
+ ansible.posix.firewalld:
+ port: "{{ item.port }}"
+ permanent: "{{ item.permanent }}"
+ state: "{{ item.state }}"
+ immediate: yes
+ loop: "{{ firewall_rules }}"
+
+ - name: Touching run file that ansible has ran here
+ become: true
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/vars/wikijs.yml b/ansible/playbooks/vars/wikijs.yml
new file mode 100644
index 0000000..e66085a
--- /dev/null
+++ b/ansible/playbooks/vars/wikijs.yml
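Review bot: `immediate: yes` in the firewalld task is the only YAML 1.1 truthy in a hunk that otherwise writes `true`/`false`; write `immediate: true` so the file is consistent and survives a YAML 1.2 parser unchanged. The loop dereferences `item.permanent` and `item.state` directly, so any `firewall_rules` entry that omits either key fails the task at template time instead of falling back to a default; `permanent: "{{ item.permanent | default(true) }}"` and `state: "{{ item.state | default('enabled') }}"` keep the current result for the entries in vars/wikijs.yml while tolerating shorter entries. No `zone` is given, so the ports land in firewalld's default zone for the interface; if that is intended, a one-line comment such as `# no zone: rule applies to the host's default zone` saves the next reader checking.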
@@ -0,0 +1,109 @@
+---
+# wikijs vars
+firewall_rules:
+ - port: 443/tcp
+ permanent: true
+ state: enabled
+ - port: 9100/tcp
+ permanent: true
+ state: enabled
+
+tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: nginx
+ key_location: "{{ tls_key }}"
+ cert_location: "{{ tls_cert }}"
+ postcmd: "/bin/systemctl reload nginx"
+
+wikijs_dbtype: postgres
+wikijs_db:
+ host: "db.rockylinux.org"
+ port: 5432
+ user: wikijs
+ password: " {{ _wikijs_db_rw_pass }} "
+ dbname: wikijs_db
+ ssl: true
+
+
+####################
+### NGINX CONFIG ###
+####################
+
+
+# no demo config/template
+nginx_config_html_demo_template_enable: false
+
+nginx_config_selinux: true
+nginx_config_selinux_enforcing: true
+
+nginx_config_start: true
+
+nginx_config_debug_output: true
+nginx_config_debug_tasks: true
+
+# nginx_config_cleanup: true
+
+nginx_config_http_template_enable: true
+nginx_config_main_template_enable: true
+
+nginx_config_http_template:
+ default:
+ template_file: http/default.conf.j2
+ conf_file_name: default.conf
+ conf_file_location: /etc/nginx/conf.d/
+ servers:
+ redirect_https:
+ listen:
+ v6:
+ ip: '[::]' # Wrap in square brackets for IPv6 addresses
+ port: 80
+ opts: ['default_server']
+ v4:
+ ip: '' # Wrap in square brackets for IPv6 addresses
+ port: 80
+ opts: ['default_server']
+ server_name: "{{ ansible_fqdn }}"
+ error_page: /usr/share/nginx/html
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ error_log:
+ location: /var/log/nginx/error.log
+ level: warn
+ root: "{{ wikijs_dir }}"
+ https_redirect: $host
+ wikijs_server:
+ listen:
+ v6:
+ ip: '[::]' # Wrap in square brackets for IPv6 addresses
+ port: 443
+ ssl: true
+ opts: ['http2', 'default_server']
+ v4:
+ ip: '' # Wrap in square brackets for IPv6 addresses
+ port: 443
+ ssl: true
+ opts: ['http2', 'default_server']
+ ssl:
+ cert: "{{ tls_cert }}"
+ key: "{{ tls_key }}"
+ server_name: "{{ ansible_fqdn }}"
+ error_page: /usr/share/nginx/html
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ error_log:
+ location: /var/log/nginx/error.log
+ level: warn
+ root: "{{ wikijs_dir }}"
+ web_server:
+ locations:
+ default:
+ location: /
+ custom_options:
+ - "proxy_pass http://localhost:3000/;"
+ http_demo_conf: false
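Review bot: `password: " {{ _wikijs_db_rw_pass }} "` pads the vaulted database password with a leading and a trailing space, so the value handed to Wiki.js is not the secret stored in the vault unless the consuming role happens to strip it; write `password: "{{ _wikijs_db_rw_pass }}"`. `firewall_rules` opens `9100/tcp` with no source restriction alongside 443; presumably this is a metrics endpoint read only by an internal scraper, in which case a rich rule or a dedicated zone limited to that source would keep it off the public interface. `nginx_config_debug_output: true` and `nginx_config_debug_tasks: true` appear to make the nginx role print its rendered configuration and per-task detail into the run log, which is handy while bringing the host up but worth disabling once the wiki is stable so run output stays reviewable.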