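# Turn the single-page base-domain homepage on when the user opted out of
# customising the base-domain website. Runs on the AWX node and edits the
# cached matrix vars file: an existing (possibly commented-out) key is
# replaced in place, otherwise the line is inserted after the section marker.
- name: Enable index.html creation if user doesn't wish to customise base domain
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
  when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool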
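# Counterpart of the task above: when the user does want a custom multi-file
# site, switch the generated homepage off in the cached matrix vars file.
# Same replace-or-insert-after-marker mechanics as above.
- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
  when: (customise_base_domain_website is defined) and customise_base_domain_website|bool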
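# Persist the survey-supplied SFTP settings into the cached matrix vars file
# on the AWX node (replace an existing key, else insert after the marker).
# no_log is set because the loop items carry sftp_password in the clear and
# would otherwise be echoed per item in the play output.
# NOTE(review): values are wrapped in literal double quotes, so a value that
# itself contains `"` would produce a malformed line — confirm the survey
# restricts the allowed characters.
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Custom Settings Start'
  with_dict:
    'sftp_auth_method': '"{{ sftp_auth_method }}"'
    'sftp_password': '"{{ sftp_password }}"'
    'sftp_public_key': '"{{ sftp_public_key }}"'
  no_log: true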
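# Persist the customise_base_domain_website flag itself, only when the survey
# supplied it. The task name duplicates the previous task's; it is kept as-is
# because names are visible to callers (e.g. --start-at-task).
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Custom Settings Start'
  with_dict:
    'customise_base_domain_website': '{{ customise_base_domain_website }}'
  when: customise_base_domain_website is defined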
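# Re-read the cached vars file so the values written above are visible to the
# rest of the play. no_log keeps the loaded values (sftp_password among them)
# out of the play output.
- name: Reload vars in matrix_vars.yml
  include_vars:
    file: '{{ awx_cached_matrix_vars }}'
  no_log: true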
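# Render the 'website + export' survey spec on the AWX node, under the
# per-client project directory, for the job template created further down.
# NOTE(review): the destination path is built from member_id and
# subscription_id; this assumes neither is user-controlled — confirm.
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
  delegate_to: 127.0.0.1
  template:
    src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
  when: customise_base_domain_website is defined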
# Ship the rendered 'website + export' survey from the AWX project directory
# to the target host's /matrix/awx folder; only when the customise flag exists.
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
  copy:
    dest: "/matrix/awx/configure_website_access_export.json"
    src: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json"
    mode: "0660"
  when: customise_base_domain_website is defined
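# Render the export-only survey spec on the AWX node when the customise flag
# was not supplied. The task name still says 'Customise Website + Access
# Export' although this is the access_export template; left unchanged since
# task names are visible to callers.
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
  delegate_to: 127.0.0.1
  template:
    src: './roles/matrix-awx/surveys/access_export.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
  when: customise_base_domain_website is undefined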
# Ship the export-only survey to the target host when the customise flag is
# absent (mirror of the copy task above for the other branch).
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
  copy:
    dest: "/matrix/awx/access_export.json"
    src: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json"
    mode: "0660"
  when: customise_base_domain_website is undefined
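# Mint an AWX/Tower personal access token for user id 1 and keep it in
# tower_token.stdout for the job-template tasks below. Credentials and the
# resulting token are kept out of the play output by no_log. jq -r prints the
# token unquoted, which replaces the previous jq | sed quote-stripping.
# NOTE(review): every run POSTs a new token instead of reusing one, so tokens
# accumulate on the AWX side; `-k` (curl --insecure) disables TLS verification
# here although the tower_job_template tasks below set validate_certs. The
# uri module (url_username/url_password, validate_certs) would also keep the
# credentials out of the process list — confirm the AWX certificate is
# trusted before dropping -k.
- name: Collect AWX admin token the hard way!
  delegate_to: 127.0.0.1
  shell: |
    curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq -r '.token'
  register: tower_token
  no_log: true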
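# (Re)create the 'Configure Website + Access Export' job template in AWX,
# using the extra_vars and survey spec rendered into the client's project
# directory. Authenticates with the token collected above.
# Booleans are written as true/false rather than yes so generic YAML 1.2
# tooling reads them the same way Ansible does.
- name: Recreate 'Configure Website + Access Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
    name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
    description: "Configure base domain website settings and access the servers export."
    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
    job_type: run
    job_tags: "start,setup-nginx-proxy"
    inventory: "{{ member_id }}"
    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
    playbook: setup.yml
    credential: "{{ member_id }} - AWX SSH Key"
    survey_enabled: true
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
    become_enabled: true
    state: present
    verbosity: 1
    tower_host: "https://{{ tower_host }}"
    tower_oauthtoken: "{{ tower_token.stdout }}"
    validate_certs: true
  when: customise_base_domain_website is defined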
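# (Re)create the export-only job template when the customise flag is absent.
# Same structure as the template task above, pointing at access_export.json.
# Booleans written as true/false rather than yes for YAML 1.2 compatibility.
- name: Recreate 'Access Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
    name: "{{ matrix_domain }} - 1 - Access Export"
    description: "Access the services export."
    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
    job_type: run
    job_tags: "start,setup-nginx-proxy"
    inventory: "{{ member_id }}"
    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
    playbook: setup.yml
    credential: "{{ member_id }} - AWX SSH Key"
    survey_enabled: true
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"
    become_enabled: true
    state: present
    verbosity: 1
    tower_host: "https://{{ tower_host }}"
    tower_oauthtoken: "{{ tower_token.stdout }}"
    validate_certs: true
  when: customise_base_domain_website is undefined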
# Dedicated primary group for the sftp account; the export directory and
# authorized_keys file below are owned by it.
- name: Ensure group "sftp" exists
  group:
    state: present
    name: "sftp"
# With no password supplied, keep the sftp account present but locked: the
# password field is '*' (no valid hash) and the shell is /bin/false, so only
# the SFTP subsystem configured below can use it. update_password: always
# makes sure a previously set password is overwritten.
# NOTE(review): the condition errors out if sftp_password is undefined —
# presumably the survey/vars file always defines it; confirm.
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
  user:
    name: "sftp"
    group: "sftp"
    home: "/home/sftp"
    shell: "/bin/false"
    comment: "SFTP user to set custom web files and access servers export"
    password: "*"
    update_password: always
  when: sftp_password | length == 0
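# With a password supplied, enable the sftp account with a SHA-512 crypt hash
# of it (the task name previously read 'stfp'). The shell stays /bin/false so
# the account is usable only through the SFTP subsystem.
# NOTE(review): password_hash('sha512') with no fixed salt produces a new
# hash each run, so combined with update_password: always this task reports
# 'changed' on every run even when the password is unchanged.
- name: If user defines sftp_password, enable account and set password on 'sftp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
    group: sftp
    password: "{{ sftp_password | password_hash('sha512') }}"
    update_password: always
  when: sftp_password|length > 0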
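# Add the sftp user to the matrix group (without dropping its other groups)
# so it can write into /chroot/website, which is matrix:matrix with group rwx.
# Only needed when the user customises the base-domain website.
- name: adding existing user 'sftp' to group matrix
  user:
    name: sftp
    groups: matrix
    append: true
  when: customise_base_domain_website is defined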
# Root-owned parent for the SSH chroot. sshd refuses a ChrootDirectory that
# is not owned by root or is group/world-writable, so 1755 (sticky, no write
# for group/other) is what makes the Match blocks below usable; the writable
# content lives in the matrix-owned /chroot/website and sftp-owned
# /chroot/export subdirectories.
- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
  file:
    state: directory
    path: "/chroot"
    owner: "root"
    group: "root"
    mode: "1755"
# Web root for the custom site, owned by matrix and writable by the matrix
# group (which the sftp user is added to above). Mode 0574 gives the owner
# only r-x while the group gets rwx and others r-- — presumably deliberate
# so writes go through the group; confirm the owner bits are intended.
- name: Ensure /chroot/website location exists.
  file:
    state: directory
    path: "/chroot/website"
    owner: "matrix"
    group: "matrix"
    mode: "0574"
  when: customise_base_domain_website is defined
# Private export directory for the sftp account inside the chroot; 0700 so
# only that user (and root) can read what is placed there.
- name: Ensure /chroot/export location exists
  file:
    state: directory
    path: "/chroot/export"
    owner: "sftp"
    group: "sftp"
    mode: "0700"
# ~/.ssh for the sftp account, 0700 as sshd expects for key material.
- name: Ensure /home/sftp/.ssh location exists
  file:
    state: directory
    path: "/home/sftp/.ssh"
    owner: "sftp"
    group: "sftp"
    mode: "0700"
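# Make sure the authorized_keys file exists with sane ownership/permissions
# before it is cleared and (optionally) populated below.
- name: Ensure /home/sftp/authorized_keys exists
  file:
    path: /home/sftp/.ssh/authorized_keys
    state: touch
    owner: sftp
    group: sftp
    mode: '0644'
    # without these, touch bumps the timestamps and reports 'changed' every run
    access_time: preserve
    modification_time: preserve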
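# Empty authorized_keys so a previously installed key is revoked whenever the
# auth method changes or the key is removed from the survey; the next task
# re-adds the current key only for the "SSH Key" method. The copy module
# replaces the earlier `shell: echo "" > ...`, which could not report
# idempotently and left a blank line in the file; ownership and mode are
# asserted explicitly here.
- name: Clear authorized_keys file
  copy:
    content: ""
    dest: /home/sftp/.ssh/authorized_keys
    owner: sftp
    group: sftp
    mode: '0644'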
# Append the survey-provided public key to the sftp user's authorized_keys
# (the file is emptied just above, so at most this one key is present).
# NOTE(review): the value is written verbatim; a key string with embedded
# newlines would add several entries — the authorized_key module would
# validate the format if that is a concern.
- name: Insert public SSH key into authorized_keys file
  lineinfile:
    path: "/home/sftp/.ssh/authorized_keys"
    line: "{{ sftp_public_key }}"
    mode: "0644"
    owner: "sftp"
    group: "sftp"
  when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
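# Remove the stock external sftp-server Subsystem line so the internal-sftp
# line added next is the only sftp subsystem (ChrootDirectory is normally
# paired with internal-sftp, since the external binary would otherwise have
# to exist inside the chroot). The regexp tolerates tabs or multiple spaces
# between the fields, which the distribution default may use; an exact
# `line` match would silently leave such a line in place and sshd would then
# see two sftp subsystems. validate runs `sshd -t` on the candidate file and
# aborts the edit if sshd rejects it, avoiding a lockout on the restart at
# the end of this file.
- name: Alter SSH Subsystem State 1
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server'
    state: absent
    validate: '/usr/sbin/sshd -t -f %s'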
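# Add the internal-sftp Subsystem line after the distribution's comment.
# regexp lets an existing line with different whitespace be recognised (and
# rewritten) instead of duplicated. If insertafter does not match, lineinfile
# appends at end of file, which on a re-run could land inside the managed
# Match block below where Subsystem is not allowed; validate catches that
# before the file is replaced.
- name: Alter SSH Subsystem State 2
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Subsystem\s+sftp\s+internal-sftp'
    insertafter: "^# override default of no subsystems"
    line: "Subsystem sftp internal-sftp"
    validate: '/usr/sbin/sshd -t -f %s'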
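# "Disabled" method: remove the managed Match block entirely. All three Match
# tasks use blockinfile's default marker, so they manage the same block and
# switching method replaces (or here, removes) the previous variant. With
# state: absent the block text is not written — it is kept only for
# reference. validate aborts the edit if sshd rejects the resulting file.
- name: Add SSH Match User section for disabled auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: absent
    validate: '/usr/sbin/sshd -t -f %s'
    block: |
      Match User sftp
      ChrootDirectory /chroot
      PermitTunnel no
      X11Forwarding no
      AllowTcpForwarding no
      PasswordAuthentication yes
      AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "Disabled"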
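# "Password" method: confine the sftp user to /chroot with tunnelling,
# X11 and TCP forwarding off, and allow password authentication for this
# user only. Shares the default blockinfile marker with the other Match
# tasks so only one variant is present. validate aborts the edit if sshd
# rejects the resulting file.
- name: Add SSH Match User section for password auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
    block: |
      Match User sftp
      ChrootDirectory /chroot
      PermitTunnel no
      X11Forwarding no
      AllowTcpForwarding no
      PasswordAuthentication yes
  when: sftp_auth_method == "Password"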
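# "SSH Key" method: same chroot and forwarding restrictions, with the key
# file pinned to the authorized_keys populated earlier in this file.
# Password authentication is not enabled in this variant. validate aborts the
# edit if sshd rejects the resulting file.
- name: Add SSH Match User section for publickey auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
    block: |
      Match User sftp
      ChrootDirectory /chroot
      PermitTunnel no
      X11Forwarding no
      AllowTcpForwarding no
      AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "SSH Key"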
# Unconditional restart so the Subsystem and Match changes above take effect.
# (A handler notified by the sshd_config tasks would skip the restart when
# nothing changed.)
- name: Restart service ssh.service
  service:
    state: restarted
    name: "ssh.service"