225 lines
7 KiB
YAML
Executable file
225 lines
7 KiB
YAML
Executable file
|
|
- name: Enable index.html creation if user doesn't wish to customise base domain
|
|
delegate_to: 127.0.0.1
|
|
lineinfile:
|
|
path: '{{ awx_cached_matrix_vars }}'
|
|
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
|
line: "{{ item.key }}: {{ item.value }}"
|
|
insertafter: '# Base Domain Settings Start'
|
|
with_dict:
|
|
'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
|
|
when: customise_base_domain_website|bool == false
|
|
|
|
- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
|
|
delegate_to: 127.0.0.1
|
|
lineinfile:
|
|
path: '{{ awx_cached_matrix_vars }}'
|
|
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
|
line: "{{ item.key }}: {{ item.value }}"
|
|
insertafter: '# Base Domain Settings Start'
|
|
with_dict:
|
|
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
|
|
when: customise_base_domain_website|bool == true
|
|
|
|
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
|
|
delegate_to: 127.0.0.1
|
|
lineinfile:
|
|
path: '{{ awx_cached_matrix_vars }}'
|
|
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
|
line: "{{ item.key }}: {{ item.value }}"
|
|
insertafter: '# Custom Settings Start'
|
|
with_dict:
|
|
'customise_base_domain_website': '{{ customise_base_domain_website }}'
|
|
'sftp_auth_method': '"{{ sftp_auth_method }}"'
|
|
'sftp_password': '"{{ sftp_password }}"'
|
|
'sftp_public_key': '"{{ sftp_public_key }}"'
|
|
|
|
- name: Reload vars in matrix_vars.yml
|
|
include_vars:
|
|
file: '{{ awx_cached_matrix_vars }}'
|
|
no_log: True
|
|
|
|
# ^ Is this even needed?
|
|
|
|
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
|
|
delegate_to: 127.0.0.1
|
|
template:
|
|
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
|
|
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
|
|
|
|
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
|
|
copy:
|
|
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
|
|
dest: '/matrix/awx/configure_website_access_export.json'
|
|
mode: '0660'
|
|
|
|
- name: Collect AWX admin token the hard way!
|
|
delegate_to: 127.0.0.1
|
|
shell: |
|
|
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
|
register: tower_token
|
|
no_log: True
|
|
|
|
- name: Recreate 'Customise Base Domain Export' job template
|
|
delegate_to: 127.0.0.1
|
|
awx.awx.tower_job_template:
|
|
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
|
|
description: "Configure base domain website settings and access the servers export."
|
|
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
|
job_type: run
|
|
job_tags: "start,setup-nginx-proxy"
|
|
inventory: "{{ member_id }}"
|
|
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
|
playbook: setup.yml
|
|
credential: "{{ member_id }} - AWX SSH Key"
|
|
survey_enabled: true
|
|
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
|
|
become_enabled: yes
|
|
state: present
|
|
verbosity: 1
|
|
tower_host: "https://{{ tower_host }}"
|
|
tower_oauthtoken: "{{ tower_token.stdout }}"
|
|
validate_certs: yes
|
|
|
|
- name: Ensure group "sftp" exists
|
|
group:
|
|
name: sftp
|
|
state: present
|
|
|
|
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
|
|
user:
|
|
name: sftp
|
|
comment: SFTP user to set custom web files and access servers export
|
|
shell: /bin/false
|
|
home: /home/sftp
|
|
group: sftp
|
|
password: '*'
|
|
update_password: always
|
|
when: sftp_password|length == 0
|
|
|
|
- name: If user defines sftp_password, enable account and set password on 'stfp' account
|
|
user:
|
|
name: sftp
|
|
comment: SFTP user to set custom web files and access servers export
|
|
shell: /bin/false
|
|
home: /home/sftp
|
|
group: sftp
|
|
password: "{{ sftp_password | password_hash('sha512') }}"
|
|
update_password: always
|
|
when: sftp_password|length > 0
|
|
|
|
- name: adding existing user 'sftp' to group matrix
|
|
user:
|
|
name: sftp
|
|
groups: matrix
|
|
append: yes
|
|
|
|
- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
|
|
file:
|
|
path: /chroot
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: '1755'
|
|
|
|
- name: Ensure /chroot/website location exists.
|
|
file:
|
|
path: /chroot/website
|
|
state: directory
|
|
owner: matrix
|
|
group: matrix
|
|
mode: '0574'
|
|
|
|
- name: Ensure /chroot/export location exists
|
|
file:
|
|
path: /chroot/export
|
|
state: directory
|
|
owner: sftp
|
|
group: sftp
|
|
mode: '0700'
|
|
|
|
- name: Ensure /home/sftp/.ssh location exists
|
|
file:
|
|
path: /home/sftp/.ssh
|
|
state: directory
|
|
owner: sftp
|
|
group: sftp
|
|
mode: '0700'
|
|
|
|
- name: Ensure /home/sftp/authorized_keys exists
|
|
file:
|
|
path: /home/sftp/.ssh/authorized_keys
|
|
state: touch
|
|
owner: sftp
|
|
group: sftp
|
|
mode: '0644'
|
|
|
|
- name: Clear authorized_keys file
|
|
shell: echo "" > /home/sftp/.ssh/authorized_keys
|
|
|
|
- name: Insert public SSH key into authorized_keys file
|
|
lineinfile:
|
|
path: /home/sftp/.ssh/authorized_keys
|
|
line: "{{ sftp_public_key }}"
|
|
owner: sftp
|
|
group: sftp
|
|
mode: '0644'
|
|
when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
|
|
|
|
- name: Alter SSH Subsystem State 1
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
line: "Subsystem sftp /usr/lib/openssh/sftp-server"
|
|
state: absent
|
|
|
|
- name: Alter SSH Subsystem State 2
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
insertafter: "^# override default of no subsystems"
|
|
line: "Subsystem sftp internal-sftp"
|
|
|
|
- name: Add SSH Match User section for disabled auth
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
state: absent
|
|
block: |
|
|
Match User sftp
|
|
ChrootDirectory /chroot
|
|
PermitTunnel no
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
PasswordAuthentication yes
|
|
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
|
|
when: sftp_auth_method == "Disabled"
|
|
|
|
- name: Add SSH Match User section for password auth
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
state: present
|
|
block: |
|
|
Match User sftp
|
|
ChrootDirectory /chroot
|
|
PermitTunnel no
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
PasswordAuthentication yes
|
|
when: sftp_auth_method == "Password"
|
|
|
|
- name: Add SSH Match User section for publickey auth
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
state: present
|
|
block: |
|
|
Match User sftp
|
|
ChrootDirectory /chroot
|
|
PermitTunnel no
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
|
|
when: sftp_auth_method == "SSH Key"
|
|
|
|
- name: Restart service ssh.service
|
|
service:
|
|
name: ssh.service
|
|
state: restarted
|