mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-12-28 05:30:55 +00:00
Merge pull request #14985 from rocky-linux/develop
Merge Downward Changes
This commit is contained in:
commit
be269f8608
21 changed files with 536 additions and 66 deletions
3
.ansible-lint
Normal file
3
.ansible-lint
Normal file
|
@ -0,0 +1,3 @@
|
|||
warn_list:
|
||||
- internal-error
|
||||
- syntax-check
|
|
@ -104,3 +104,6 @@ matterbridge.rockylinux.org ansible_host=10.100.xx.xx
|
|||
|
||||
[matomo]
|
||||
matomo.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
||||
[bugtracker]
|
||||
bugs.rockylinux.org ansible_host=10.100.xx.xx
|
||||
|
|
16
ansible/playbooks/files/etc/systemd/system/noggin.service
Normal file
16
ansible/playbooks/files/etc/systemd/system/noggin.service
Normal file
|
@ -0,0 +1,16 @@
|
|||
[Unit]
|
||||
Description=noggin
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
|
||||
Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
|
||||
Environment=FLASK_DEBUG=1
|
||||
User=noggin
|
||||
WorkingDirectory=/opt/noggin/noggin
|
||||
ExecStart=/bin/bash /opt/noggin/start_noggin.sh
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,8 +1,13 @@
|
|||
---
|
||||
# Installs the mantis bug tracker
|
||||
- name: Configure MantisBT
|
||||
hosts: "{{ host }}"
|
||||
hosts: "bugtracker"
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/common.yml
|
||||
- vars/vaults/encpass.yml
|
||||
- vars/vaults/mantis.yml
|
||||
- vars/mantis.yml
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
@ -20,11 +25,31 @@
|
|||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
|
||||
tasks:
|
||||
- name: Deploy Mantis
|
||||
import_tasks: tasks/mantis.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewalld ports
|
||||
ansible.posix.firewalld:
|
||||
service: "{{ item }}"
|
||||
permanent: true
|
||||
immediate: true
|
||||
state: enabled
|
||||
with_items:
|
||||
- http
|
||||
- https
|
||||
|
||||
- name: Ensure httpd is enabled and running
|
||||
service:
|
||||
name: httpd
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
|
|
34
ansible/playbooks/init-rocky-noggin.yml
Normal file
34
ansible/playbooks/init-rocky-noggin.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# (Re)deploys the noggin theme
|
||||
- name: Deploy Noggin
|
||||
hosts: "idp"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Deploy Noggin
|
||||
import_tasks: "tasks/noggin.yml"
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
34
ansible/playbooks/init-rocky-repo-servers.yml
Normal file
34
ansible/playbooks/init-rocky-repo-servers.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# Preps a system to be a repository
|
||||
- name: Configure repository system
|
||||
hosts: "{{ host }}"
|
||||
become: true
|
||||
|
||||
handlers:
|
||||
- import_tasks: handers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are not able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Configure repository system
|
||||
import_tasks: tasks/repository.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
69
ansible/playbooks/role-rocky-wikijs.yml
Normal file
69
ansible/playbooks/role-rocky-wikijs.yml
Normal file
|
@ -0,0 +1,69 @@
|
|||
---
|
||||
# WikiJS
|
||||
- name: Install and manage Wikijs
|
||||
hosts: wiki
|
||||
become: false
|
||||
vars_files:
|
||||
- vars/vaults/hostman.yml
|
||||
- vars/vaults/wikijs.yml
|
||||
- vars/wikijs.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
become: true
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
become: true
|
||||
state: present
|
||||
tags: ['certs']
|
||||
|
||||
- role: rockylinux.wikijs
|
||||
tags: ['wikijs']
|
||||
become: true
|
||||
|
||||
# Define variables in vars/wikijs.yml
|
||||
- role: nginxinc.nginx_core.nginx
|
||||
tags: ['nginx']
|
||||
become: true
|
||||
- role: nginxinc.nginx_core.nginx_config
|
||||
tags: ['nginx']
|
||||
become: true
|
||||
|
||||
post_tasks:
|
||||
- name: Open firewalld ports
|
||||
become: true
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item.port }}"
|
||||
permanent: "{{ item.permanent }}"
|
||||
state: "{{ item.state }}"
|
||||
immediate: yes
|
||||
loop: "{{ firewall_rules }}"
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
become: true
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
|
@ -1,54 +1,4 @@
|
|||
---
|
||||
- name: Reset grub link if we are EFI
|
||||
set_fact:
|
||||
grub_config_path_link: "{{ grub_config_path_efi }}"
|
||||
when:
|
||||
- efi_installed.stat.isdir is defined
|
||||
- efi_installed.stat.isdir
|
||||
- grub_config_path_efi is defined
|
||||
tags:
|
||||
- efi
|
||||
|
||||
- name: Create grub.d directory
|
||||
file:
|
||||
name: /etc/default/grub.d
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
state: directory
|
||||
recurse: true
|
||||
tags:
|
||||
- grub
|
||||
- kernel
|
||||
- harden
|
||||
|
||||
- name: Append /etc/default/grub file
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
|
||||
state: present
|
||||
tags:
|
||||
- grub
|
||||
- kernel
|
||||
- harden
|
||||
|
||||
- name: Command line defaults
|
||||
copy:
|
||||
dest: "/etc/default/grub.d/99-rocky.cfg"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
|
||||
tags:
|
||||
- grub
|
||||
- kernel
|
||||
- harden
|
||||
|
||||
- name: Rebuild grub
|
||||
command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}"
|
||||
register: grub_command_result
|
||||
changed_when: "grub_command_result.rc == 0"
|
||||
tags:
|
||||
- grub
|
||||
- kernel
|
||||
- harden
|
||||
- name: Add kernel boot options to all kernels and default config
|
||||
command: /usr/sbin/grubby --update-kernel=ALL --args "{{ grub_boot_options }}"
|
||||
changed_when: "1 != 1"
|
||||
|
|
|
@ -32,6 +32,11 @@
|
|||
mode: '0644'
|
||||
remote_src: true
|
||||
|
||||
- name: Generate crypto salt
|
||||
shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
|
||||
changed_when: "1 != 1"
|
||||
register: cryptosalt_string
|
||||
|
||||
- name: Configure mantis
|
||||
template:
|
||||
src: "var/www/mantis/config/config_inc.php.j2"
|
||||
|
@ -40,6 +45,22 @@
|
|||
group: apache
|
||||
mode: '0640'
|
||||
|
||||
- name: Deploy plugins from Mantis GitHub
|
||||
git:
|
||||
repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
|
||||
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
|
||||
update: true
|
||||
version: master
|
||||
with_items:
|
||||
- Snippets
|
||||
|
||||
- name: Deploy custom libravatar plugin
|
||||
git:
|
||||
repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
|
||||
dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
|
||||
update: true
|
||||
version: main
|
||||
|
||||
- name: Configure httpd
|
||||
template:
|
||||
src: "etc/httpd/conf.d/mantis.conf.j2"
|
||||
|
@ -47,3 +68,25 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
- name: Database import template
|
||||
template:
|
||||
src: "tmp/mantis_import.sql.j2"
|
||||
dest: "/tmp/mantis_import.sql.j2"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
|
||||
# We will need to generate this
|
||||
# name: Import database if required
|
||||
# community.general.postgresql_db:
|
||||
# name: "{{ mantis_db_name }}"
|
||||
# target: /tmp/mantis_import.sql
|
||||
# owner: "{{ mantis_db_user }}"
|
||||
# state: restore
|
||||
# login_host: "{{ mantis_db_host }}"
|
||||
# login_user: "{{ mantis_db_user }}"
|
||||
# login_password: "{{ mantis_db_pass }}"
|
||||
|
||||
- name: Patch up some pages
|
||||
import_tasks: mantispatch.yml
|
||||
|
|
25
ansible/playbooks/tasks/mantispatch.yml
Normal file
25
ansible/playbooks/tasks/mantispatch.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Patch up various pieces of mantis to customize it. We do not rely on local
|
||||
# bug tracker accounts. We are doing regex instead of just replacing the
|
||||
# file as a whole. Should make it easier to deal with upgrades in theory.
|
||||
- name: Change signup_page.php to Account Services
|
||||
replace:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
|
||||
regexp: 'signup_page.php'
|
||||
replace: 'https://accounts.rockylinux.org'
|
||||
with_items:
|
||||
- core/print_api.php
|
||||
- lost_pwd_page.php
|
||||
- login_page.php
|
||||
|
||||
- name: Change special signup_page.php reference
|
||||
replace:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
|
||||
regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
|
||||
replace: 'https://accounts.rockylinux.org'
|
||||
|
||||
- name: Remove LDAP from checks for signup button
|
||||
lineinfile:
|
||||
path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
|
||||
state: absent
|
||||
regex: 'LDAP != config_get_global'
|
88
ansible/playbooks/tasks/noggin.yml
Normal file
88
ansible/playbooks/tasks/noggin.yml
Normal file
|
@ -0,0 +1,88 @@
|
|||
---
|
||||
- name: Ensure python is installed
|
||||
yum:
|
||||
name:
|
||||
- python3
|
||||
- python3-pip
|
||||
state: present
|
||||
|
||||
- name: Ensure noggin user exists
|
||||
user:
|
||||
name: noggin
|
||||
comment: "Noggin FAS"
|
||||
|
||||
- name: Create noggin directory
|
||||
file:
|
||||
path: /opt/noggin
|
||||
state: directory
|
||||
mode: '0700'
|
||||
owner: noggin
|
||||
group: noggin
|
||||
|
||||
- name: Deploy noggin
|
||||
git:
|
||||
repo: https://github.com/fedora-infra/noggin.git
|
||||
dest: /opt/noggin/noggin
|
||||
update: true
|
||||
version: main
|
||||
become: true
|
||||
become_user: noggin
|
||||
|
||||
- name: Noggin user must install poetry
|
||||
pip:
|
||||
name: poetry
|
||||
executable: pip3
|
||||
become: true
|
||||
become_user: noggin
|
||||
|
||||
- name: Remove any pycache
|
||||
file:
|
||||
path: "/home/noggin/.cache/pypoetry"
|
||||
state: absent
|
||||
|
||||
- name: Noggin installation
|
||||
command: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
|
||||
become: true
|
||||
become_user: noggin
|
||||
changed_when: "1 != 1"
|
||||
args:
|
||||
chdir: "/opt/noggin/noggin"
|
||||
|
||||
- name: Get the noggin poetry virtualenv
|
||||
shell:
|
||||
cmd: "poetry env list | awk '{print $1}'"
|
||||
chdir: "/opt/noggin/noggin"
|
||||
become: true
|
||||
become_user: noggin
|
||||
changed_when: "1 != 1"
|
||||
register: virtualenv_location
|
||||
|
||||
- name: Deploy start up script
|
||||
template:
|
||||
src: "opt/noggin/start_noggin.sh.j2"
|
||||
dest: "/opt/noggin/start_noggin.sh"
|
||||
mode: '0750'
|
||||
user: noggin
|
||||
group: noggin
|
||||
|
||||
- name: Deploy systemd unit
|
||||
copy:
|
||||
src: "etc/systemd/system/noggin.service"
|
||||
dest: "/etc/systemd/system/noggin.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
- name: Deploy noggin configuration
|
||||
template:
|
||||
src: "opt/noggin/noggin.cfg.j2"
|
||||
dest: "/opt/noggin/noggin.cfg"
|
||||
owner: noggin
|
||||
group: noggin
|
||||
mode: '0600'
|
||||
|
||||
# The only way to run it properly, at least on EL8, is we need this line
|
||||
- name: Add missing create_app call
|
||||
lineinfile:
|
||||
path: "/opt/noggin/noggin/noggin/app.py"
|
||||
line: "app = create_app()"
|
2
ansible/playbooks/tasks/repository.yml
Normal file
2
ansible/playbooks/tasks/repository.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
# no tasks yet
|
|
@ -136,3 +136,6 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
|
|||
{% if gitlab_trusted_proxies %}
|
||||
gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
|
||||
{% endif %}
|
||||
|
||||
gitlab_rails['gravatar_enabled'] = true
|
||||
gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"
|
||||
|
|
23
ansible/playbooks/templates/opt/noggin/noggin.cfg
Normal file
23
ansible/playbooks/templates/opt/noggin/noggin.cfg
Normal file
|
@ -0,0 +1,23 @@
|
|||
TEMPLATES_AUTO_RELOAD = False
|
||||
FREEIPA_SERVERS = []
|
||||
FREEIPA_CACERT = '/etc/ipa/ca.crt'
|
||||
FREEIPA_ADMIN_USER = 'userman'
|
||||
FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
|
||||
THEME = "rocky"
|
||||
FERNET_SECRET = b'NOTASECRET='
|
||||
SECRET_KEY = b'NOTASECRET='
|
||||
SESSION_COOKIE_HTTPONLY = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
USER_DEFAULTS = {
|
||||
"locale": "en-US",
|
||||
"timezone": "UTC",
|
||||
"status_note": "active",
|
||||
}
|
||||
REGISTRATION_OPEN = True
|
||||
ACTIVATION_TOKEN_EXPIRATION = 30
|
||||
PASSWORD_RESET_EXPIRATION = 10
|
||||
MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
|
||||
MAIL_SUPPRESS_SEND = False
|
||||
AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
|
||||
AVATAR_DEFAULT_TYPE = "retro"
|
||||
FEDORA_MESSAGING_ENABLED = False
|
14
ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2
Normal file
14
ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
|
||||
export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
|
||||
export FLASK_DEBUG=1
|
||||
export FLASK_APP=/opt/noggin/noggin/noggin/app.py
|
||||
source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
|
||||
cd /opt/noggin/noggin
|
||||
#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
|
||||
# --certfile=/etc/pki/tls/certs/noggin.crt \
|
||||
# --keyfile=/etc/pki/tls/private/noggin.key \
|
||||
gunicorn -w 3 \
|
||||
--env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
|
||||
--bind tcp://0.0.0.0:5000 \
|
||||
noggin.app:app
|
1
ansible/playbooks/templates/tmp/mantis_import.sql.j2
Normal file
1
ansible/playbooks/templates/tmp/mantis_import.sql.j2
Normal file
|
@ -0,0 +1 @@
|
|||
# Empty
|
|
@ -1,5 +1,5 @@
|
|||
<?php
|
||||
$g_hostname = 'build-a-box.labs.angelsofclockwork.net';
|
||||
$g_hostname = '{{ mantis_db_host }}';
|
||||
$g_db_type = 'pgsql';
|
||||
$g_database_name = '{{ mantis_db_name }}';
|
||||
$g_db_username = '{{ mantis_db_user }}';
|
||||
|
@ -7,13 +7,14 @@ $g_db_password = '{{ mantis_db_pass }}';
|
|||
|
||||
$g_default_timezone = 'UTC';
|
||||
|
||||
$g_crypto_master_salt = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
|
||||
$g_crypto_master_salt = '{{ cryptosalt_string.stdout }}';
|
||||
|
||||
# Added
|
||||
$g_login_method = 'LDAP';
|
||||
$g_ldap_server = '{{ rocky_ipaserver_lb }}';
|
||||
$g_ldap_port = '389';
|
||||
$g_ldap_root_dn = '{{ rocky_ldap_user_basedn }}';
|
||||
$g_ldap_organization = '(objectClass=posixAccount)';
|
||||
#$g_ldap_organization = '(objectClass=posixAccount)';
|
||||
$g_ldap_protocol_version = 3;
|
||||
$g_ldap_network_timeout = 30;
|
||||
$g_ldap_follow_referrals = ON;
|
||||
|
@ -32,9 +33,14 @@ $g_allow_file_upload = ON;
|
|||
$g_file_upload_method = DATABASE; # or DISK
|
||||
$g_dropzone_enabled = ON;
|
||||
$g_show_realname = ON;
|
||||
$g_show_avatar = ON;
|
||||
$g_allowed_files = 'log,patch,txt';
|
||||
$g_disallowed_files = 'exe,tar,tgz,tar.gz,pl,sh';
|
||||
$g_disallowed_files = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
|
||||
$g_window_title = 'Rocky Bugzilla';
|
||||
$g_allow_signup = OFF;
|
||||
$g_allow_signup = ON;
|
||||
$g_allow_anonymous_login = ON;
|
||||
$g_anonymous_account = 'anonymous';
|
||||
$g_enable_email_notification = ON;
|
||||
|
||||
# Cookie problems
|
||||
$g_allow_permanent_cookie = OFF;
|
||||
|
|
|
@ -9,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
|
|||
rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
|
||||
# This will need to be vaulted
|
||||
rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
|
||||
rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||
rocky_ldap_userman_pw: "{{ ipa_userman_password }}"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
# mantis vars
|
||||
mantis_version: 2.24.2
|
||||
mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
|
||||
mantis_version: 2.25.0
|
||||
mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
|
||||
mantis_pkg:
|
||||
- php
|
||||
- php-ldap
|
||||
|
@ -11,8 +11,21 @@ mantis_pkg:
|
|||
- php-mbstring
|
||||
- php-curl
|
||||
- openldap
|
||||
mantis_db_name: mantis
|
||||
- php-json
|
||||
mantis_db_host: db.rockylinux.org
|
||||
mantis_db_name: mantisdb
|
||||
mantis_db_user: mantis
|
||||
#mantis_db_pass: ThisIsNotThePassword!
|
||||
mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
#mantis_binder_pass: ThisIsNotThePassword!
|
||||
mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
|
||||
mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
|
||||
|
||||
# Vault
|
||||
# mantis_db_pass: ThisIsNotThePassword!
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: apache
|
||||
key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
|
||||
cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
|
||||
postcmd: "/bin/systemctl reload httpd"
|
||||
cnames:
|
||||
- "bugs.rockylinux.org"
|
||||
|
|
109
ansible/playbooks/vars/wikijs.yml
Normal file
109
ansible/playbooks/vars/wikijs.yml
Normal file
|
@ -0,0 +1,109 @@
|
|||
---
|
||||
# wikijs vars
|
||||
firewall_rules:
|
||||
- port: 443/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
- port: 9100/tcp
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: nginx
|
||||
key_location: "{{ tls_key }}"
|
||||
cert_location: "{{ tls_cert }}"
|
||||
postcmd: "/bin/systemctl reload nginx"
|
||||
|
||||
wikijs_dbtype: postgres
|
||||
wikijs_db:
|
||||
host: "db.rockylinux.org"
|
||||
port: 5432
|
||||
user: wikijs
|
||||
password: " {{ _wikijs_db_rw_pass }} "
|
||||
dbname: wikijs_db
|
||||
ssl: true
|
||||
|
||||
|
||||
####################
|
||||
### NGINX CONFIG ###
|
||||
####################
|
||||
|
||||
|
||||
# no demo config/template
|
||||
nginx_config_html_demo_template_enable: false
|
||||
|
||||
nginx_config_selinux: true
|
||||
nginx_config_selinux_enforcing: true
|
||||
|
||||
nginx_config_start: true
|
||||
|
||||
nginx_config_debug_output: true
|
||||
nginx_config_debug_tasks: true
|
||||
|
||||
# nginx_config_cleanup: true
|
||||
|
||||
nginx_config_http_template_enable: true
|
||||
nginx_config_main_template_enable: true
|
||||
|
||||
nginx_config_http_template:
|
||||
default:
|
||||
template_file: http/default.conf.j2
|
||||
conf_file_name: default.conf
|
||||
conf_file_location: /etc/nginx/conf.d/
|
||||
servers:
|
||||
redirect_https:
|
||||
listen:
|
||||
v6:
|
||||
ip: '[::]' # Wrap in square brackets for IPv6 addresses
|
||||
port: 80
|
||||
opts: ['default_server']
|
||||
v4:
|
||||
ip: '' # Wrap in square brackets for IPv6 addresses
|
||||
port: 80
|
||||
opts: ['default_server']
|
||||
server_name: "{{ ansible_fqdn }}"
|
||||
error_page: /usr/share/nginx/html
|
||||
access_log:
|
||||
- name: main
|
||||
location: /var/log/nginx/access.log
|
||||
error_log:
|
||||
location: /var/log/nginx/error.log
|
||||
level: warn
|
||||
root: "{{ wikijs_dir }}"
|
||||
https_redirect: $host
|
||||
wikijs_server:
|
||||
listen:
|
||||
v6:
|
||||
ip: '[::]' # Wrap in square brackets for IPv6 addresses
|
||||
port: 443
|
||||
ssl: true
|
||||
opts: ['http2', 'default_server']
|
||||
v4:
|
||||
ip: '' # Wrap in square brackets for IPv6 addresses
|
||||
port: 443
|
||||
ssl: true
|
||||
opts: ['http2', 'default_server']
|
||||
ssl:
|
||||
cert: "{{ tls_cert }}"
|
||||
key: "{{ tls_key }}"
|
||||
server_name: "{{ ansible_fqdn }}"
|
||||
error_page: /usr/share/nginx/html
|
||||
access_log:
|
||||
- name: main
|
||||
location: /var/log/nginx/access.log
|
||||
error_log:
|
||||
location: /var/log/nginx/error.log
|
||||
level: warn
|
||||
root: "{{ wikijs_dir }}"
|
||||
web_server:
|
||||
locations:
|
||||
default:
|
||||
location: /
|
||||
custom_options:
|
||||
- "proxy_pass http://localhost:3000/;"
|
||||
http_demo_conf: false
|
|
@ -3,7 +3,7 @@
|
|||
roles:
|
||||
- name: geerlingguy.mysql
|
||||
# monitoring
|
||||
- name: cloudalchemy.node-exporter
|
||||
- name: cloudalchemy.node_exporter
|
||||
- name: cloudalchemy.prometheus
|
||||
- name: cloudalchemy.alertmanager
|
||||
- name: cloudalchemy.grafana
|
||||
|
@ -30,6 +30,11 @@ roles:
|
|||
- name: rockylinux.matterbridge
|
||||
src: https://github.com/NeilHanlon/ansible-role-matterbridge
|
||||
version: master
|
||||
- name: rockylinux.wikijs
|
||||
src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
|
||||
scm: git
|
||||
version: develop
|
||||
- name: riemers.gitlab-runner
|
||||
|
||||
collections:
|
||||
# freeipa
|
||||
|
@ -43,6 +48,8 @@ collections:
|
|||
- name: netbox.netbox
|
||||
- name: community.aws
|
||||
- name: containers.podman
|
||||
- name: nginxinc.nginx_core
|
||||
version: 0.3.0
|
||||
# - name: rockylinux.taiga
|
||||
# source: https://github.com/rocky-linux/taiga-ansible.git
|
||||
# type: git
|
||||
|
|
Loading…
Reference in a new issue