312 lines
8.6 KiB
YAML
312 lines
8.6 KiB
YAML
---
|
|
- name: install ansible semaphore
|
|
hosts: all
|
|
become: true
|
|
|
|
tasks:
|
|
- name: remove other files
|
|
include_tasks: yaml_sub/myrepo_clean.yaml
|
|
|
|
- name: update file myrepo.repo
|
|
import_tasks: yaml_sub/myrepo_data.yaml
|
|
|
|
- name: install client
|
|
ansible.builtin.dnf:
|
|
name: "http://10.10.0.3/cmk/check_mk/agents/check-mk-agent-2.2.0p24-1.noarch.rpm"
|
|
state: present
|
|
update_cache: true
|
|
skip_broken: true
|
|
nobest: false
|
|
allowerasing: true
|
|
disable_gpg_check: true
|
|
|
|
- name: ldap
|
|
include_tasks: yaml_sub/ldap.yaml
|
|
|
|
- name: sssd
|
|
include_tasks: yaml_sub/sssd.yaml
|
|
|
|
- name: remove other files
|
|
include_tasks: yaml_sub/myrepo_clean.yaml
|
|
- name: update file myrepo.repo
|
|
import_tasks: yaml_sub/myrepo_data.yaml
|
|
|
|
- name: install nfs tools
|
|
dnf:
|
|
name: nfs-utils,nfs-utils-coreos,nfsv4-client-utils,rpcbind
|
|
state: present
|
|
update_cache: true
|
|
skip_broken: true
|
|
nobest: false
|
|
allowerasing: true
|
|
|
|
- name: Make sure rpcbind service unit is started
|
|
systemd_service:
|
|
enabled: true
|
|
state: started
|
|
name: rpcbind
|
|
|
|
- name: mount_info
|
|
include_tasks: yaml_sub/mount_info.yaml
|
|
|
|
- name: remove other files
|
|
include_tasks: yaml_sub/install_docker.yaml
|
|
|
|
- name: install python3-request
|
|
dnf:
|
|
name: python3-requests+security
|
|
state: present
|
|
update_cache: true
|
|
skip_broken: true
|
|
nobest: false
|
|
allowerasing: true
|
|
|
|
- name: Create network semaphoreNet
|
|
community.docker.docker_network:
|
|
name: semaphoreNet
|
|
|
|
- name: Create volume semaphore_maria_db
|
|
community.docker.docker_volume:
|
|
name: semaphore_maria_db
|
|
state: present
|
|
|
|
- name: Create mariab container
|
|
community.docker.docker_container:
|
|
name: semaphoremariadb
|
|
image: mariadb
|
|
state: started
|
|
recreate: no
|
|
restart_policy: always
|
|
env:
|
|
MARIADB_DATABASE: "semaphore"
|
|
MARIADB_USER: "semaphore"
|
|
MARIADB_PASSWORD: "{{ sqlpwd }}"
|
|
MARIADB_ROOT_PASSWORD: "{{ sqlrootpwd }}"
|
|
MYSQL_ROOT_HOST: "%"
|
|
networks:
|
|
- name: semaphoreNet
|
|
comparisons:
|
|
networks: strict
|
|
volumes:
|
|
- "semaphore_maria_db:/var/lib/mysql"
|
|
|
|
- name: set smtpd_pre.conf
|
|
blockinfile:
|
|
path: /root/opensmtpd/smtpd_pre.conf
|
|
state: present
|
|
create: true
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
block: |
|
|
listen on 0.0.0.0
|
|
listen on ::
|
|
|
|
table aliases file:/etc/smtpd/aliases
|
|
|
|
queue ttl 4d
|
|
bounce warn-interval 1h, 6h, 2d
|
|
smtp max-message-size 35M
|
|
|
|
table authinfo db:/etc/smtpd/authinfo.db
|
|
action default relay host "smtps://user@mailhost.neurotec.uni-bremen.de:465" auth <authinfo> tls no-verify
|
|
match from any for any action default
|
|
|
|
- name: Create a volume smtpd_spool
|
|
community.docker.docker_volume:
|
|
name: smtpd_spool
|
|
state: present
|
|
|
|
- name: Create OpenSMTPd
|
|
community.docker.docker_container:
|
|
name: smtpd
|
|
image: wodby/opensmtpd
|
|
state: started
|
|
recreate: no
|
|
restart_policy: always
|
|
published_ports:
|
|
- "25:25/tcp"
|
|
env:
|
|
RELAY_HOST: "XXX"
|
|
RELAY_PROTO: "smtps"
|
|
RELAY_PORT: "XXX"
|
|
RELAY_USER: "{{ EMAIL__USERNAME }}"
|
|
RELAY_PASSWORD: "{{ EMAIL__PASSWORD }}"
|
|
|
|
volumes:
|
|
- "/root/opensmtpd/smtpd_pre.conf:/etc/gotpl/smtpd.conf.tmpl"
|
|
- "smtpd_spool:/var/spool/smtpd"
|
|
|
|
networks:
|
|
- name: semaphoreNet
|
|
- name: bridge
|
|
comparisons:
|
|
networks: strict
|
|
|
|
- name: install mailx
|
|
dnf:
|
|
name: "mailx,telnet,sendmail"
|
|
state: latest
|
|
update_cache: true
|
|
skip_broken: true
|
|
nobest: false
|
|
allowerasing: true
|
|
|
|
- name: esmtprc
|
|
blockinfile:
|
|
path: /etc/esmtprc
|
|
state: present
|
|
create: true
|
|
block: |
|
|
hostname = 127.0.0.1:25
|
|
mda "/usr/bin/procmail -d %T"
|
|
|
|
- name: Create volume semaphore_etc
|
|
community.docker.docker_volume:
|
|
name: semaphore_etc
|
|
state: present
|
|
|
|
- name: Create volume semaphore_lib
|
|
community.docker.docker_volume:
|
|
name: semaphore_lib
|
|
state: present
|
|
|
|
- name: Create volume semaphore_tmp
|
|
community.docker.docker_volume:
|
|
name: semaphore_tmp
|
|
state: present
|
|
|
|
- name: copy key
|
|
ansible.builtin.copy:
|
|
src: "/config/neuro_ansible/semaphore-wrapper"
|
|
dest: "/root/semaphore-wrapper"
|
|
owner: root
|
|
group: root
|
|
mode: "0777"
|
|
|
|
- name: Create semaphore container
|
|
community.docker.docker_container:
|
|
name: semaphore
|
|
image: semaphoreui/semaphore
|
|
state: started
|
|
recreate: yes
|
|
restart_policy: always
|
|
|
|
volumes:
|
|
- "semaphore_etc:/etc/semaphore"
|
|
- "semaphore_lib:/var/lib/semaphore"
|
|
- "semaphore_tmp:/tmp/semaphore/"
|
|
- "/root/semaphore-wrapper:/usr/local/bin/semaphore-wrapper"
|
|
env:
|
|
SEMAPHORE_DB_USER: "semaphore"
|
|
SEMAPHORE_DB_PASS: "{{ sqlpwd }}"
|
|
SEMAPHORE_DB_HOST: "semaphoremariadb"
|
|
SEMAPHORE_DB_PORT: "3306"
|
|
SEMAPHORE_DB_DIALECT: "mysql"
|
|
SEMAPHORE_DB: "semaphore"
|
|
SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore/"
|
|
|
|
SEMAPHORE_ADMIN_PASSWORD: "{{ semapwd }}"
|
|
SEMAPHORE_ADMIN_NAME: "admin"
|
|
SEMAPHORE_ADMIN_EMAIL: "davrot@uni-bremen.de"
|
|
SEMAPHORE_ADMIN: "admin"
|
|
|
|
SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ semakey }}"
|
|
|
|
SEMAPHORE_LDAP_ACTIVATED: "no"
|
|
|
|
ANSIBLE_HOST_KEY_CHECKING: "False"
|
|
|
|
SEMAPHORE_EMAIL_ALERT: "yes"
|
|
SEMAPHORE_EMAIL_HOST: "smtpd"
|
|
SEMAPHORE_EMAIL_SENDER: "computers@neuro.uni-bremen.de"
|
|
|
|
TZ: "Europe/Berlin"
|
|
|
|
networks:
|
|
- name: semaphoreNet
|
|
comparisons:
|
|
networks: strict
|
|
|
|
- name: set nginx.conf
|
|
blockinfile:
|
|
path: /root/nginx/nginx.conf
|
|
state: present
|
|
create: true
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
block: |
|
|
events {}
|
|
http {
|
|
server {
|
|
listen 80 default_server;
|
|
server_name _;
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
server {
|
|
listen 443 ssl;
|
|
ssl_certificate /certs/nginx_certificate.pem;
|
|
ssl_certificate_key /certs/nginx_key.pem;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
server_tokens off;
|
|
client_max_body_size 50M;
|
|
|
|
location / {
|
|
proxy_pass http://semaphore:3000;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_read_timeout 3m;
|
|
proxy_send_timeout 3m;
|
|
}
|
|
}
|
|
}
|
|
|
|
- name: copy key
|
|
ansible.builtin.copy:
|
|
src: "/config/certs/key.pem"
|
|
dest: "/root/nginx/key.pem"
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
|
|
- name: copy ca
|
|
ansible.builtin.copy:
|
|
src: "/config/certs/crt_ca.pem"
|
|
dest: "/root/nginx/ca.pem"
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
|
|
- name: Create nginx container
|
|
community.docker.docker_container:
|
|
name: nginx
|
|
image: "nginx:stable-alpine"
|
|
state: started
|
|
recreate: no
|
|
restart_policy: always
|
|
|
|
volumes:
|
|
- "/root/nginx/key.pem:/certs/nginx_key.pem:ro"
|
|
- "/root/nginx/ca.pem:/certs/nginx_certificate.pem:ro"
|
|
- "/root/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
|
|
|
|
ports:
|
|
- "0.0.0.0:443:443"
|
|
- "0.0.0.0:80:80"
|
|
env:
|
|
NGINX_WORKER_PROCESSES: "4"
|
|
NGINX_WORKER_CONNECTIONS: "768"
|
|
|
|
networks:
|
|
- name: semaphoreNet
|
|
|
|
comparisons:
|
|
networks: strict
|