diff --git a/install_semaphore.yaml b/install_semaphore.yaml index fbb6092..8af0396 100644 --- a/install_semaphore.yaml +++ b/install_semaphore.yaml @@ -81,8 +81,8 @@ MARIADB_DATABASE: "semaphore" MARIADB_USER: "semaphore" MARIADB_PASSWORD: "{{ sqlpwd }}" - MARIADB_ROOT_PASSWORD : "{{ sqlrootpwd }}" - MYSQL_ROOT_HOST: '%' + MARIADB_ROOT_PASSWORD: "{{ sqlrootpwd }}" + MYSQL_ROOT_HOST: "%" networks: - name: semaphoreNet comparisons: @@ -101,13 +101,13 @@ block: | listen on 0.0.0.0 listen on :: - + table aliases file:/etc/smtpd/aliases - + queue ttl 4d bounce warn-interval 1h, 6h, 2d smtp max-message-size 35M - + table authinfo db:/etc/smtpd/authinfo.db action default relay host "smtps://user@mailhost.neurotec.uni-bremen.de:465" auth tls no-verify match from any for any action default @@ -161,7 +161,6 @@ hostname = 127.0.0.1:25 mda "/usr/bin/procmail -d %T" - - name: Create volume semaphore_etc community.docker.docker_volume: name: semaphore_etc @@ -177,6 +176,14 @@ name: semaphore_tmp state: present + - name: copy key + ansible.builtin.copy: + src: "/config/neuro_ansible/semaphore-wrapper" + dest: "/root/semaphore-wrapper" + owner: root + group: root + mode: "0777" + - name: Create semaphore container community.docker.docker_container: name: semaphore @@ -184,12 +191,12 @@ state: started recreate: yes restart_policy: always - published_ports: - - "80:3000/tcp" + volumes: - "semaphore_etc:/etc/semaphore" - "semaphore_lib:/var/lib/semaphore" - "semaphore_tmp:/tmp/semaphore/" + - "/root/semaphore-wrapper:/usr/local/bin/semaphore-wrapper" env: SEMAPHORE_DB_USER: "semaphore" SEMAPHORE_DB_PASS: "{{ sqlpwd }}" @@ -198,31 +205,108 @@ SEMAPHORE_DB_DIALECT: "mysql" SEMAPHORE_DB: "semaphore" SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore/" - + SEMAPHORE_ADMIN_PASSWORD: "{{ semapwd }}" SEMAPHORE_ADMIN_NAME: "admin" SEMAPHORE_ADMIN_EMAIL: "davrot@uni-bremen.de" SEMAPHORE_ADMIN: "admin" - + SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ semakey }}" - - SEMAPHORE_LDAP_ACTIVATED: 'no' - + + SEMAPHORE_LDAP_ACTIVATED: "no" + ANSIBLE_HOST_KEY_CHECKING: "False" - email_alert: "true" - email_host: "smtpd" - email_port: "25" - email_sender: "Ansible Neuro ITP" - email_secure: "False" + SEMAPHORE_EMAIL_ALERT: "yes" + SEMAPHORE_EMAIL_HOST: "smtpd" + SEMAPHORE_EMAIL_SENDER: "computers@neuro.uni-bremen.de" - TZ: "Europe/Berlin" networks: - name: semaphoreNet - - name: bridge comparisons: networks: strict + - name: set nginx.conf + blockinfile: + path: /root/nginx/nginx.conf + state: present + create: true + owner: "root" + group: "root" + mode: "0644" + block: | + events {} + http { + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + server { + listen 443 ssl; + ssl_certificate /certs/nginx_certificate.pem; + ssl_certificate_key /certs/nginx_key.pem; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + server_tokens off; + client_max_body_size 50M; + location / { + proxy_pass http://semaphore:3000; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 3m; + proxy_send_timeout 3m; + } + } + } + + - name: copy key + ansible.builtin.copy: + src: "/config/certs/key.pem" + dest: "/root/nginx/key.pem" + owner: root + group: root + mode: "0600" + + - name: copy ca + ansible.builtin.copy: + src: "/config/certs/crt_ca.pem" + dest: "/root/nginx/ca.pem" + owner: root + group: root + mode: "0600" + + - name: Create nginx container + community.docker.docker_container: + name: nginx + image: "nginx:stable-alpine" + state: started + recreate: no + restart_policy: always + + volumes: + - "/root/nginx/key.pem:/certs/nginx_key.pem:ro" + - "/root/nginx/ca.pem:/certs/nginx_certificate.pem:ro" + - "/root/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" + + ports: + - "0.0.0.0:443:443" + - "0.0.0.0:80:80" + env: + NGINX_WORKER_PROCESSES: "4" + NGINX_WORKER_CONNECTIONS: "768" + + networks: + - name: semaphoreNet + + comparisons: + networks: strict diff --git a/machines/nc b/machines/nc new file mode 100644 index 0000000..76a60a5 --- /dev/null +++ b/machines/nc @@ -0,0 +1,20 @@ +nc46.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc47.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc48.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc49.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc50.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc51.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc52.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc53.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc54.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc55.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc56.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc57.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc58.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc59.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc60.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc61.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc62.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc63.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc64.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' +nc66.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no' diff --git a/semaphore-wrapper b/semaphore-wrapper new file mode 100755 index 0000000..af54236 --- /dev/null +++ b/semaphore-wrapper @@ -0,0 +1,176 @@ +#!/bin/sh + +set -e + +echoerr() { printf "%s\n" "$*" >&2; } + +file_env() { + local var="" + local fileVar="" + eval var="\$${1}" + eval fileVar="\$${1}_FILE" + local def="${2:-}" + if [ -n "${var:-}" ] && [ -n "${fileVar:-}" ]; then + echo >&2 "error: both ${1} and ${1}_FILE are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [ -n "${var:-}" ]; then + val="${var}" + elif [ -n "${fileVar:-}" ]; then + val="$(cat "${fileVar}")" + fi + export "${1}"="$val" + unset "${1}_FILE" +} + +SEMAPHORE_CONFIG_PATH="${SEMAPHORE_CONFIG_PATH:-/etc/semaphore}" +SEMAPHORE_TMP_PATH="${SEMAPHORE_TMP_PATH:-/tmp/semaphore}" + +# Semaphore database env config +SEMAPHORE_DB_DIALECT="${SEMAPHORE_DB_DIALECT:-mysql}" +SEMAPHORE_DB_HOST="${SEMAPHORE_DB_HOST:-0.0.0.0}" +SEMAPHORE_DB_PATH="${SEMAPHORE_DB_PATH:-/var/lib/semaphore}" +SEMAPHORE_DB_PORT="${SEMAPHORE_DB_PORT:-}" +SEMAPHORE_DB="${SEMAPHORE_DB:-semaphore}" +file_env 'SEMAPHORE_DB_USER' 'semaphore' +file_env 'SEMAPHORE_DB_PASS' 'semaphore' +# Email alert env config +SEMAPHORE_WEB_ROOT="${SEMAPHORE_WEB_ROOT:-}" +# Semaphore Admin env config +file_env 'SEMAPHORE_ADMIN' 'admin' +SEMAPHORE_ADMIN_EMAIL="${SEMAPHORE_ADMIN_EMAIL:-admin@localhost}" +SEMAPHORE_ADMIN_NAME="${SEMAPHORE_ADMIN_NAME:-Semaphore Admin}" +file_env 'SEMAPHORE_ADMIN_PASSWORD' 'semaphorepassword' +#Semaphore LDAP env config +SEMAPHORE_LDAP_ACTIVATED="${SEMAPHORE_LDAP_ACTIVATED:-no}" +SEMAPHORE_LDAP_HOST="${SEMAPHORE_LDAP_HOST:-}" +SEMAPHORE_LDAP_PORT="${SEMAPHORE_LDAP_PORT:-}" +SEMAPHORE_LDAP_NEEDTLS="${SEMAPHORE_LDAP_NEEDTLS:-no}" +SEMAPHORE_LDAP_DN_BIND="${SEMAPHORE_LDAP_DN_BIND:-}" +file_env 'SEMAPHORE_LDAP_PASSWORD' +SEMAPHORE_LDAP_DN_SEARCH="${SEMAPHORE_LDAP_DN_SEARCH:-}" +SEMAPHORE_LDAP_SEARCH_FILTER="${SEMAPHORE_LDAP_SEARCH_FILTER:-(uid=%s)}" +SEMAPHORE_LDAP_MAPPING_DN="${SEMAPHORE_LDAP_MAPPING_DN:-dn}" +SEMAPHORE_LDAP_MAPPING_USERNAME="${SEMAPHORE_LDAP_MAPPING_USERNAME:-uid}" +SEMAPHORE_LDAP_MAPPING_FULLNAME="${SEMAPHORE_LDAP_MAPPING_FULLNAME:-cn}" +SEMAPHORE_LDAP_MAPPING_EMAIL="${SEMAPHORE_LDAP_MAPPING_EMAIL:-mail}" + +file_env 'SEMAPHORE_ACCESS_KEY_ENCRYPTION' + +[ -d "${SEMAPHORE_TMP_PATH}" ] || mkdir -p "${SEMAPHORE_TMP_PATH}" || { + echo "Can't create Semaphore tmp path ${SEMAPHORE_TMP_PATH}." + exit 1 +} + +[ -d "${SEMAPHORE_CONFIG_PATH}" ] || mkdir -p "${SEMAPHORE_CONFIG_PATH}" || { + echo "Can't create Semaphore Config path ${SEMAPHORE_CONFIG_PATH}." + exit 1 +} + +[ -d "${SEMAPHORE_DB_PATH}" ] || mkdir -p "${SEMAPHORE_DB_PATH}" || { + echo "Can't create data path ${SEMAPHORE_DB_PATH}." + exit 1 +} + +# wait on db to be up + +if [ "${SEMAPHORE_DB_DIALECT}" != 'bolt' ]; then + echoerr "Attempting to connect to database ${SEMAPHORE_DB} on ${SEMAPHORE_DB_HOST}:${SEMAPHORE_DB_PORT} with user ${SEMAPHORE_DB_USER} ..." + TIMEOUT=30 + while ! $(nc -z "$SEMAPHORE_DB_HOST" "$SEMAPHORE_DB_PORT") >/dev/null 2>&1; do + TIMEOUT=$(expr $TIMEOUT - 1) + if [ $TIMEOUT -eq 0 ]; then + echoerr "Could not connect to database server. Exiting." + exit 1 + fi + echo -n "." + sleep 1 + done +fi + +if [ -n "${SEMAPHORE_DB_PORT}" ]; then + SEMAPHORE_DB_HOST="${SEMAPHORE_DB_HOST}:${SEMAPHORE_DB_PORT}" +fi + +case ${SEMAPHORE_DB_DIALECT} in + mysql) SEMAPHORE_DB_DIALECT_ID=1;; + bolt) SEMAPHORE_DB_DIALECT_ID=2;; + postgres) SEMAPHORE_DB_DIALECT_ID=3;; + *) + echoerr "Unknown database dialect: ${SEMAPHORE_DB_DIALECT}" + exit 1 + ;; +esac + +# Create a config if it does not exist in the current config path +if [ ! -f "${SEMAPHORE_CONFIG_PATH}/config.json" ]; then + echoerr "Generating ${SEMAPHORE_TMP_PATH}/config.stdin ..." + cat << EOF > "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_DB_DIALECT_ID} +EOF + + if [ "${SEMAPHORE_DB_DIALECT}" = "bolt" ]; then + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_DB_PATH}/database.boltdb +EOF + else + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_DB_HOST} +${SEMAPHORE_DB_USER} +${SEMAPHORE_DB_PASS} +${SEMAPHORE_DB} +EOF + fi + + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_TMP_PATH} +${SEMAPHORE_WEB_ROOT} +${SEMAPHORE_EMAIL_ALERT} +EOF + if [ "${SEMAPHORE_EMAIL_ALERT}" = "yes" ]; then + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_EMAIL_HOST} +25 +${SEMAPHORE_EMAIL_SENDER} +EOF + fi + + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +no +no +no +no +${SEMAPHORE_LDAP_ACTIVATED} +EOF + + if [ "${SEMAPHORE_LDAP_ACTIVATED}" = "yes" ]; then + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_LDAP_HOST}:${SEMAPHORE_LDAP_PORT} +${SEMAPHORE_LDAP_NEEDTLS} +${SEMAPHORE_LDAP_DN_BIND} +${SEMAPHORE_LDAP_PASSWORD} +${SEMAPHORE_LDAP_DN_SEARCH} +${SEMAPHORE_LDAP_SEARCH_FILTER} +${SEMAPHORE_LDAP_MAPPING_DN} +${SEMAPHORE_LDAP_MAPPING_USERNAME} +${SEMAPHORE_LDAP_MAPPING_FULLNAME} +${SEMAPHORE_LDAP_MAPPING_EMAIL} +EOF + fi; + + cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin" +${SEMAPHORE_CONFIG_PATH} +${SEMAPHORE_ADMIN} +${SEMAPHORE_ADMIN_EMAIL} +${SEMAPHORE_ADMIN_NAME} +${SEMAPHORE_ADMIN_PASSWORD} +EOF + + cat "${SEMAPHORE_TMP_PATH}/config.stdin" + $1 setup - < "${SEMAPHORE_TMP_PATH}/config.stdin" + echoerr "Run Semaphore with semaphore server --config ${SEMAPHORE_CONFIG_PATH}/config.json" +fi + +# run our command +exec "$@"