- name: Enable index.html creation if user doesn't wish to customise base domain delegate_to: 127.0.0.1 lineinfile: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" insertafter: '# Base Domain Settings' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' when: customise_base_domain_website|bool == false - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain delegate_to: 127.0.0.1 lineinfile: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" insertafter: '# Base Domain Settings' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' when: customise_base_domain_website|bool == true - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 lineinfile: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings' with_dict: 'customise_base_domain_website': '{{ customise_base_domain_website }}' 'sftp_auth_method': '"{{ sftp_auth_method }}"' 'sftp_password': '"{{ sftp_password }}"' 'sftp_public_key': '"{{ sftp_public_key }}"' - name: Copy new 'matrix_vars.yml' to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' dest: '/matrix/awx/matrix_vars.yml' mode: '0660' - name: Reload vars in matrix_vars.yml include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' dest: '/matrix/awx/configure_website_access_export.json' mode: '0660' - name: Collect AWX admin token the hard way! delegate_to: 127.0.0.1 shell: | curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True - name: Recreate 'Customise Base Domain Export' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: name: "{{ matrix_domain }} - 1 - Configure Website + Access Export" description: "Configure base domain website settings and access the servers export." extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" job_type: run job_tags: "start,setup-nginx-proxy" inventory: "{{ member_id }}" project: "{{ member_id }} - Matrix Docker Ansible Deploy" playbook: setup.yml credential: "{{ member_id }} - AWX SSH Key" survey_enabled: true survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}" become_enabled: yes state: present verbosity: 1 tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - name: Ensure group "sftp" exists group: name: sftp state: present - name: If user doesn't define a sftp_password, create a disabled 'sftp' account user: name: sftp comment: SFTP user to set custom web files and access servers export shell: /bin/false home: /home/sftp group: sftp password: '*' update_password: always when: sftp_password|length == 0 - name: If user defines sftp_password, enable account and set password on 'stfp' account user: name: sftp comment: SFTP user to set custom web files and access servers export shell: /bin/false home: /home/sftp group: sftp password: "{{ sftp_password | password_hash('sha512') }}" update_password: always when: sftp_password|length > 0 - name: adding existing user 'sftp' to group matrix user: name: sftp groups: matrix append: yes - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) file: path: /chroot state: directory owner: root group: root mode: '1755' - name: Ensure /chroot/website location exists. file: path: /chroot/website state: directory owner: matrix group: matrix mode: '0574' - name: Ensure /chroot/export location exists file: path: /chroot/export state: directory owner: sftp group: sftp mode: '0700' - name: Ensure /home/sftp/.ssh location exists file: path: /home/sftp/.ssh state: directory owner: sftp group: sftp mode: '0700' - name: Ensure /home/sftp/authorized_keys exists file: path: /home/sftp/.ssh/authorized_keys state: touch owner: sftp group: sftp mode: '0644' - name: Clear authorized_keys file shell: echo "" > /home/sftp/.ssh/authorized_keys - name: Insert public SSH key into authorized_keys file lineinfile: path: /home/sftp/.ssh/authorized_keys line: "{{ sftp_public_key }}" owner: sftp group: sftp mode: '0644' when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") - name: Alter SSH Subsystem State 1 lineinfile: path: /etc/ssh/sshd_config line: "Subsystem sftp /usr/lib/openssh/sftp-server" state: absent - name: Alter SSH Subsystem State 2 lineinfile: path: /etc/ssh/sshd_config insertafter: "^# override default of no subsystems" line: "Subsystem sftp internal-sftp" - name: Add SSH Match User section for disabled auth blockinfile: path: /etc/ssh/sshd_config state: absent block: | Match User sftp ChrootDirectory /chroot PermitTunnel no X11Forwarding no AllowTcpForwarding no PasswordAuthentication yes AuthorizedKeysFile /home/sftp/.ssh/authorized_keys when: sftp_auth_method == "Disabled" - name: Add SSH Match User section for password auth blockinfile: path: /etc/ssh/sshd_config state: present block: | Match User sftp ChrootDirectory /chroot PermitTunnel no X11Forwarding no AllowTcpForwarding no PasswordAuthentication yes when: sftp_auth_method == "Password" - name: Add SSH Match User section for publickey auth blockinfile: path: /etc/ssh/sshd_config state: present block: | Match User sftp ChrootDirectory /chroot PermitTunnel no X11Forwarding no AllowTcpForwarding no AuthorizedKeysFile /home/sftp/.ssh/authorized_keys when: sftp_auth_method == "SSH Key" - name: Restart service ssh.service service: name: ssh.service state: restarted