add manual things

ansible/playbooks/role-rocky-system.yml

@@ -0,0 +1,46 @@
+---
+# No idea if this is an antipattern. Manage the system.
+#
+- name: Manage the basic aspects of the system
+  hosts: all
+  become: true
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Install/Update Base System packages
+      dnf:
+        name:
+          - sudo
+        update_only: true
+        state: latest
+      register: dnf_result
+
+    - name: "List changed packages"
+      debug:
+        var: dnf_result.results
+      when: dnf_result.results | length > 0
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/role-rocky-wikijs.yml

@@ -0,0 +1,69 @@
+---
+# WikiJS
+- name: Install and manage Wikijs
+  hosts: wiki
+  become: false
+  vars_files:
+    - vars/vaults/hostman.yml
+    - vars/vaults/wikijs.yml
+    - vars/wikijs.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Install SELinux packages
+      become: true
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+  roles:
+    - role: rockylinux.ipagetcert
+      become: true
+      state: present
+      tags: ['certs']
+
+    - role: rockylinux.wikijs
+      tags: ['wikijs']
+      become: true
+
+    # Define variables in vars/wikijs.yml
+    - role: nginxinc.nginx_core.nginx
+      tags: ['nginx']
+      become: true
+    - role: nginxinc.nginx_core.nginx_config
+      tags: ['nginx']
+      become: true
+
+  post_tasks:
+    - name: Open firewalld ports
+      become: true
+      ansible.posix.firewalld:
+        port: "{{ item.port }}"
+        permanent: "{{ item.permanent }}"
+        state: "{{ item.state }}"
+        immediate: yes
+      loop: "{{ firewall_rules }}"
+
+    - name: Touching run file that ansible has ran here
+      become: true
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/vars/wikijs.yml

@@ -0,0 +1,109 @@
+---
+# wikijs vars
+firewall_rules:
+  - port: 443/tcp
+    permanent: true
+    state: enabled
+  - port: 9100/tcp
+    permanent: true
+    state: enabled
+
+tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: nginx
+    key_location: "{{ tls_key }}"
+    cert_location: "{{ tls_cert }}"
+    postcmd: "/bin/systemctl reload nginx"
+
+wikijs_dbtype: postgres
+wikijs_db:
+  host: "db.rockylinux.org"
+  port: 5432
+  user: wikijs
+  password: " {{ _wikijs_db_rw_pass }} "
+  dbname: wikijs_db
+  ssl: true
+
+
+####################
+### NGINX CONFIG ###
+####################
+
+
+# no demo config/template
+nginx_config_html_demo_template_enable: false
+
+nginx_config_selinux: true
+nginx_config_selinux_enforcing: true
+
+nginx_config_start: true
+
+nginx_config_debug_output: true
+nginx_config_debug_tasks: true
+
+# nginx_config_cleanup: true
+
+nginx_config_http_template_enable: true
+nginx_config_main_template_enable: true
+
+nginx_config_http_template:
+  default:
+    template_file: http/default.conf.j2
+    conf_file_name: default.conf
+    conf_file_location: /etc/nginx/conf.d/
+    servers:
+      redirect_https:
+        listen:
+          v6:
+            ip: '[::]'  # Wrap in square brackets for IPv6 addresses
+            port: 80
+            opts: ['default_server']
+          v4:
+            ip: ''  # Wrap in square brackets for IPv6 addresses
+            port: 80
+            opts: ['default_server']
+        server_name: "{{ ansible_fqdn }}"
+        error_page: /usr/share/nginx/html
+        access_log:
+          - name: main
+            location: /var/log/nginx/access.log
+        error_log:
+          location: /var/log/nginx/error.log
+          level: warn
+        root: "{{ wikijs_dir }}"
+        https_redirect: $host
+      wikijs_server:
+        listen:
+          v6:
+            ip: '[::]'  # Wrap in square brackets for IPv6 addresses
+            port: 443
+            ssl: true
+            opts: ['http2', 'default_server']
+          v4:
+            ip: ''  # Wrap in square brackets for IPv6 addresses
+            port: 443
+            ssl: true
+            opts: ['http2', 'default_server']
+        ssl:
+          cert: "{{ tls_cert }}"
+          key: "{{ tls_key }}"
+        server_name: "{{ ansible_fqdn }}"
+        error_page: /usr/share/nginx/html
+        access_log:
+          - name: main
+            location: /var/log/nginx/access.log
+        error_log:
+          location: /var/log/nginx/error.log
+          level: warn
+        root: "{{ wikijs_dir }}"
+        web_server:
+          locations:
+            default:
+              location: /
+              custom_options:
+                - "proxy_pass http://localhost:3000/;"
+          http_demo_conf: false