diff --git a/.secrets.baseline b/.secrets.baseline index 012eb86d5..2db8cc8f7 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -144,7 +144,7 @@ "filename": "playbooks/acs.yml", "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd", "is_verified": false, - "line_number": 404, + "line_number": 433, "is_secret": false } ], @@ -259,5 +259,5 @@ } ] }, - "generated_at": "2024-06-28T13:00:16Z" + "generated_at": "2024-07-03T08:58:42Z" } diff --git a/playbooks/acs.yml b/playbooks/acs.yml index b81e77877..46e557f06 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -3,15 +3,15 @@ hosts: all:!external gather_facts: true tasks: - - name: Compare host OS with supported matrix - vars: - os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}" - ansible.builtin.fail: - msg: - - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS" - when: - - not (skip_os_test | default(false) | bool) - - ansible_distribution_version | float not in os_versions + - name: Compare host OS with supported matrix + vars: + os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}" + ansible.builtin.fail: + msg: + - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS" + when: + - not (skip_os_test | default(false) | bool) + - ansible_distribution_version | float not in os_versions - name: Populate facts ansible.builtin.import_playbook: facts.yml 
@@ -51,16 +51,45 @@ identity_url: "{{ alfresco_url }}/auth" - name: Database Role - hosts: database + hosts: database[0] gather_facts: false - roles: - - role: "../roles/postgres" - when: repo_db_url == "" or sync_db_url == "" + vars: + pg_role: "../roles/postgres" + create_repo_db: >- + {{ (repo_db_url == "") | ansible.builtin.bool }} + create_sync_db: >- + {{ (sync_db_url == "" and groups.syncservice | default([]) | length > 0) | ansible.builtin.bool }} + tasks: + - name: Install Postgres + ansible.builtin.include_role: + name: "{{ pg_role }}" + when: create_repo_db or create_sync_db + - name: Setup repository database + ansible.builtin.include_role: + name: "{{ pg_role }}" + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + when: create_repo_db + - name: Setup sync database + ansible.builtin.include_role: + role: "{{ pg_role }}" + tasks_from: setup_db + vars: + postgres_db_name: "{{ sync_db_name }}" + postgres_db_username: "{{ sync_db_username }}" + postgres_db_password: "{{ sync_db_password }}" + postgres_db_clients: "{{ groups.syncservice }}" + when: create_sync_db post_tasks: - name: Make sure PostgreSQL is running ansible.builtin.service: name: "{{ postgresql_service }}" state: started + when: create_repo_db or create_sync_db tags: - database diff --git a/playbooks/secrets-init.yml b/playbooks/secrets-init.yml index bcdd9b62e..199b5e418 100644 --- a/playbooks/secrets-init.yml +++ b/playbooks/secrets-init.yml @@ -21,8 +21,8 @@ ansible.builtin.shell: executable: /bin/bash cmd: | - set -o pipefail - head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT + set -o pipefail + head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT register: peek_encrypted_file_vault failed_when: "peek_encrypted_file_vault.rc not in [0, 1]" changed_when: false 
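Review bot: The `Setup sync database` task passes the role under `role:`, but `ansible.builtin.include_role` only accepts `name:`, so the playbook fails to load with an invalid-option error even on inventories where `create_sync_db` is false; the sibling `Setup repository database` task already uses `name: "{{ pg_role }}"`, and this one should read `name: "{{ pg_role }}"` too. The `postgres_db_clients` lists become per-host `pg_hba.conf` rules built from `ansible_default_ipv4.address`, so this play depends on the earlier `Populate facts` import having gathered facts for every repository and syncservice host — presumably it does, but a one-line comment above `vars:` stating that precondition would save the next reader a search.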
@@ -59,7 +59,6 @@ ansible.builtin.set_fact: password_loop: - repo_db_password - - sync_db_password - name: Check if inventory is provided ansible.builtin.set_fact: @@ -95,6 +94,11 @@ password_loop: "{{ password_loop + ['identity_admin_password'] }}" when: (((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0) or empty_inventory + - name: Append password_loop when sync_db_password is needed + ansible.builtin.set_fact: + password_loop: "{{ password_loop + ['sync_db_password'] }}" + when: ((groups.syncservice | default([])) | length > 0) or empty_inventory + - name: Populate secrets.yml with missing secrets ansible.builtin.shell: "{{ base_folder }}/scripts/generate-secret.sh -s {{ item }} -m {{ gs_mode }} >> {{ secrets_file }}" changed_when: true diff --git a/playbooks/secrets.yml b/playbooks/secrets.yml index 8b3fb735e..0a8e1203a 100644 --- a/playbooks/secrets.yml +++ b/playbooks/secrets.yml @@ -49,7 +49,6 @@ ansible.builtin.assert: that: - repo_db_password is defined and repo_db_password | length > 0 - - sync_db_password is defined and sync_db_password | length > 0 msg: "Mandatory secrets are missing from vars/secrets.yml file. If this is a test environment, you can autogenerate them setting the autogen_unsecure_secrets variable to yes. Otherwise, please take a look @@ -63,6 +62,13 @@ quiet: true when: ((groups.activemq | default([])) + (groups.external_activemq | default([]))) | length > 0 + - name: Ensure sync_db_password is set when required + ansible.builtin.assert: + that: sync_db_password is defined and sync_db_password | length > 0 + msg: "sync_db_password must have been already set at this point" + quiet: true + when: (groups.syncservice | default([])) | length > 0 + - name: Ensure ca_signing_key_passphrase is set when required ansible.builtin.assert: that: ca_signing_key_passphrase is defined and ca_signing_key_passphrase | length > 0 
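Review bot: The sync-service presence test `(groups.syncservice | default([])) | length > 0` is now written out independently in `Append password_loop when sync_db_password is needed`, in the two new secrets.yml tasks, and as `create_sync_db` in acs.yml, so a group rename or a later `external_*` variant (the identity and activemq checks already account for one) would have to be applied in four places. Computing it once into a fact with a descriptive name (a constructed example: `sync_in_inventory`) and referencing that fact from each `when:` keeps the definition of "sync service present" in one place; the `or empty_inventory` addition here would stay local to secrets-init.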
@@ -122,6 +128,7 @@ - name: Set sync_db_password secret ansible.builtin.set_fact: sync_db_password: "{{ hostvars.localhost.sync_db_password }}" + when: (groups.syncservice | default([])) | length > 0 - name: Set secrets for ActiveMQ auth hosts: activemq:repository:transformers:syncservice:search_enterprise diff --git a/roles/postgres/meta/argument_specs.yml b/roles/postgres/meta/argument_specs.yml new file mode 100644 index 000000000..c679841f6 --- /dev/null +++ b/roles/postgres/meta/argument_specs.yml @@ -0,0 +1,28 @@ +--- +argument_specs: + setup_db: + short_description: Configure PostgreSQL database + options: + postgres_db_name: + type: str + required: true + description: | + Name of the database to be created + postgres_db_username: + type: str + required: true + description: | + Username of the database user + postgres_db_password: + type: str + required: true + description: | + Password of the database user + postgres_db_clients: + type: list + elements: str + required: true + description: | + List of clients that are allowed to connect to the database + Each client must be an host inventory for which facts have been + gathered (in particular ansible_default_ipv4.address) diff --git a/roles/postgres/molecule/default/converge.yml b/roles/postgres/molecule/default/converge.yml index 87cd8277d..d416fa360 100644 --- a/roles/postgres/molecule/default/converge.yml +++ b/roles/postgres/molecule/default/converge.yml 
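Review bot: The `postgres_db_clients` description is the only place the fact-gathering precondition of `setup_db` is written down, and its wording (`an host inventory for which facts have been gathered`) is hard to parse; I would phrase it as `Inventory hostnames of the clients allowed to connect; facts (ansible_default_ipv4.address) must already have been gathered for each of them`. The other three descriptions are single sentences written as `|` literal blocks, which keeps a trailing newline in the rendered text — plain scalars or `>-` read better for one-liners. Only the `setup_db` entry point has a spec, so the variables consumed by `main` (for instance `postgres_listen_addresses` and `postgres_config`, visible in tasks/main.yml) stay unvalidated; worth a follow-up if `rolespec_validate` is being relied on.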
@@ -2,6 +2,24 @@ - name: Converge hosts: all tasks: - - name: "Include roles/postgres" + - name: Install PostgreSQL ansible.builtin.include_role: - name: "postgres" + name: postgres + - name: Configure repo database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: alfresco + postgres_db_username: alfresco + postgres_db_password: alfresco + postgres_db_clients: "{{ groups.syncservice }}" + - name: Configure sync database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: alfresco-sync + postgres_db_username: alfresco-sync + postgres_db_password: alfresco + postgres_db_clients: "{{ groups.syncservice }}" diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 699fb6bce..08a99d195 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -4,6 +4,10 @@ loop: >- {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }} +- name: Set PostgreSQL service name as fact + ansible.builtin.set_fact: + postgresql_service: "{{ postgresql_service }}" + - name: Install PostgreSQL RDBMS become: true block: @@ -29,13 +33,13 @@ notify: - Restart-postgresql block: - - name: Configure postgresql to listen on all IP interfaces + - name: Configure PostgreSQL to listen on all IP interfaces ansible.builtin.lineinfile: path: "{{ postgresql_conf_path }}/postgresql.conf" regexp: ^\s*listen_addresses\s*= line: "listen_addresses = '{{ postgres_listen_addresses }}'" - - name: Custom postgresql Configuration + - name: Custom PostgreSQL Configuration ansible.builtin.lineinfile: path: "{{ postgresql_conf_path }}/postgresql.conf" regexp: "^{{ item['line'] }}" 
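Review bot: `Configure repo database` hands `groups.syncservice` to `postgres_db_clients`, which looks copied from the sync task below it; the repository database's clients are presumably the repository hosts, and if this scenario's inventory defines no `syncservice` group the unguarded lookup is undefined and the include fails (the playbook code elsewhere writes `groups.syncservice | default([])`). The converge files for the repository and sync roles use the same unguarded `groups.repository` / `groups.syncservice` lookups. If the scenario runs on a single converge host, `postgres_db_clients: "{{ groups.all }}"` expresses the intent without depending on group names — I am inferring the inventory shape, so please check against molecule.yml.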
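Review bot: `Set PostgreSQL service name as fact` assigns `postgresql_service` to itself, which reads as a no-op unless the reader knows that `include_role` keeps role vars private (`public: false` by default) while the acs.yml `post_tasks` reference `{{ postgresql_service }}` after the include has returned; the task needs a comment saying so. Something like `# Promote the OS-specific role var to a host fact so plays that include this role (see playbooks/acs.yml post_tasks) can reference it after include_role returns.` placed above the task would do. The task-name capitalisation changes further down in this file need no comment.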
@@ -44,83 +48,5 @@ backup: true with_items: "{{ postgres_config }}" - - name: Configure postgresql client auth - ansible.builtin.template: - src: "pg_hba.conf.j2" - dest: "{{ postgresql_conf_path }}/pg_hba.conf" - owner: postgres - group: postgres - mode: 'u=rw' - -- name: Always flush after Configure PostgreSQL RDBMS block +- name: Flush handlers ansible.builtin.meta: flush_handlers - -- name: Configure PostgreSQL RDBMS - become: true - become_user: postgres - vars: - ansible_ssh_pipelining: true - block: - - name: Create necessary databases - community.postgresql.postgresql_db: - name: "{{ item }}" - loop: - - "{{ repo_db_name }}" - - "{{ sync_db_name }}" - - - name: Revoke default access to public schema - community.postgresql.postgresql_privs: - db: "{{ item }}" - privs: ALL - type: schema - objs: public - role: public - state: absent - loop: - - "{{ repo_db_name }}" - - "{{ sync_db_name }}" - tags: - - molecule-idempotence-notest - - - name: Create unprivileged users - community.postgresql.postgresql_user: - db: "{{ item.db }}" - name: "{{ item.user }}" - password: "{{ item.pwd }}" - expires: infinity - role_attr_flags: NOSUPERUSER - no_log: true - loop: - - db: "{{ repo_db_name }}" - user: "{{ repo_db_username }}" - pwd: "{{ repo_db_password }}" - - db: "{{ sync_db_name }}" - user: "{{ sync_db_username }}" - pwd: "{{ sync_db_password }}" - tags: - - molecule-idempotence-notest - - - name: Grant db privileges to users - community.postgresql.postgresql_privs: - db: "{{ item.db }}" - privs: ALL - type: schema - objs: public - role: "{{ item.user }}" - loop: - - db: "{{ repo_db_name }}" - user: "{{ repo_db_username }}" - - db: "{{ sync_db_name }}" - user: "{{ sync_db_username }}" - - - name: >- - Revoke {{ repo_db_username }} user access to - {{ sync_db_name }} database due to previous bug - community.postgresql.postgresql_user: - db: "{{ sync_db_name }}" - name: "{{ repo_db_username }}" - priv: "ALL" - state: absent - fail_on_user: false - tags: - - 
molecule-idempotence-notest diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml new file mode 100644 index 000000000..169e69d6b --- /dev/null +++ b/roles/postgres/tasks/setup_db.yml @@ -0,0 +1,63 @@ +--- +- name: Include OS specific variables + ansible.builtin.include_vars: "{{ item }}" + loop: >- + {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }} + +- name: Configure PostgreSQL client auth + become: true + notify: + - Restart-postgresql + ansible.builtin.blockinfile: + path: "{{ postgresql_conf_path }}/pg_hba.conf" + block: | + {% for host in postgres_db_clients | map('extract', hostvars, ['ansible_default_ipv4', 'address']) %} + host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5 + {% endfor %} + marker: >- + # {mark} ANSIBLE MANAGED: allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }} + owner: postgres + group: postgres + mode: "u=rw" + +- name: Configure PostgreSQL database + become: true + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: Create database + community.postgresql.postgresql_db: + name: "{{ postgres_db_name }}" + + - name: Revoke default access to public schema + community.postgresql.postgresql_privs: + db: "{{ postgres_db_name }}" + privs: ALL + type: schema + objs: public + role: public + state: absent + tags: + - molecule-idempotence-notest + + - name: Create unprivileged user + community.postgresql.postgresql_user: + db: "{{ postgres_db_name }}" + name: "{{ postgres_db_username }}" + password: "{{ postgres_db_password }}" + expires: infinity + role_attr_flags: NOSUPERUSER + no_log: true + tags: + - molecule-idempotence-notest + + - name: Grant db privileges to user + community.postgresql.postgresql_privs: + db: "{{ postgres_db_name }}" + privs: ALL + type: schema + objs: public + role: "{{ postgres_db_username }}" + tags: + - molecule-idempotence-notest 
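Review bot: With the `Configure postgresql client auth` template task removed, `pg_hba.conf` is no longer rewritten as a whole, so on hosts provisioned by an earlier release the previously templated file — its `host all all 127.0.0.1/32 md5` rule and the per-host repo/sync lines for whatever hosts were in the inventory at the time — stays in place untouched while the new `blockinfile` block is appended after it, and rules that a re-run used to drop now persist. The removed `Revoke … user access to … database due to previous bug` cleanup likewise has no counterpart in setup_db.yml, so installations still carrying that grant keep it. If in-place upgrades are supported, a one-off task that strips the legacy `ansible_managed` header and the lines that followed it, and a carried-over revoke task, would close that gap; I am inferring the upgrade path from the deleted template, so please confirm it applies.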
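Review bot: The `blockinfile` marker embeds `postgres_db_clients | join(", ")`, so the block's identity changes whenever a client host is added, removed or renamed; `blockinfile` then cannot find the earlier block and appends a fresh one, leaving the old `host … /32 md5` rules for hosts that should no longer have access in `pg_hba.conf`. Keep the marker stable and move the client list into the block body as a comment, e.g. `marker: "# {mark} ANSIBLE MANAGED: {{ postgres_db_name }}/{{ postgres_db_username }} client access"`. Separately, since this rule is being rewritten anyway, `md5` is the weakest password method PostgreSQL still offers; `scram-sha-256` (with a matching `password_encryption` on the server) is the current recommendation and is worth considering here.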
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2 deleted file mode 100644 index 738c08859..000000000 --- a/roles/postgres/templates/pg_hba.conf.j2 +++ /dev/null @@ -1,11 +0,0 @@ -{{ ansible_managed | comment }} -# PostgreSQL Client Authentication Configuration File -# =================================================== -# -# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html -local all postgres peer -host all all 127.0.0.1/32 md5 -{% for host in repo_hosts | map(attribute='local_addr') %} -host {{ repo_db_name }} {{ repo_db_username }} {{ host }}/32 md5 -{% endfor %} -host {{ sync_db_name }} {{ sync_db_username }} {{ sync_host }}/32 md5 diff --git a/roles/repository/molecule/default/converge.yml b/roles/repository/molecule/default/converge.yml index db7e703a4..8bfbef8af 100644 --- a/roles/repository/molecule/default/converge.yml +++ b/roles/repository/molecule/default/converge.yml @@ -2,10 +2,25 @@ - name: Converge hosts: all roles: - - role: postgres - role: activemq activemq_version: "{{ dependencies_version.activemq }}" - - role: repository - repository_properties: "{{ global_properties }}" - raw_properties: - - ../../configuration_files/alfresco-global.properties + tasks: + - name: Install PostgreSQL + ansible.builtin.include_role: + name: postgres + - name: Configure repository database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + - name: Install Alfresco repository + ansible.builtin.include_role: + name: repository + vars: + repository_properties: "{{ global_properties }}" + raw_properties: + - ../../configuration_files/alfresco-global.properties 
diff --git a/roles/sync/molecule/default/converge.yml b/roles/sync/molecule/default/converge.yml index d25d73891..dbc5a45a8 100644 --- a/roles/sync/molecule/default/converge.yml +++ b/roles/sync/molecule/default/converge.yml @@ -2,12 +2,38 @@ - name: Converge hosts: all roles: - - role: postgres - role: activemq - - role: repository - repository_properties: "{{ global_properties }}" - role: nginx - - role: sync + tasks: + - name: Install PostgreSQL + ansible.builtin.include_role: + name: postgres + - name: Setup repository database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + - name: Setup sync database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ sync_db_name }}" + postgres_db_username: "{{ sync_db_username }}" + postgres_db_password: "{{ sync_db_password }}" + postgres_db_clients: "{{ groups.syncservice }}" + - name: Install Alfresco repository + ansible.builtin.include_role: + name: repository + vars: + repository_properties: "{{ global_properties }}" + - name: Install Alfresco sync service + ansible.builtin.include_role: + name: sync vars: sync_environment: JAVA_OPTS: