diff --git a/.ansible-lint b/.ansible-lint index ce96d21..c3c8380 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -2,3 +2,4 @@ skip_list: - no-changed-when # Commands should not change things if nothing needs doing - no-handler # Tasks that run when changed should likely be handlers - experimental # all rules tagged as experimental + - schema[meta] diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 7e839fa..29b9022 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -12,7 +12,7 @@ jobs: - uses: actions/checkout@v2 - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@main + uses: ansible/ansible-lint-action@v6.15.0 # [optional] # Arguments to be passed to the ansible-lint diff --git a/playbook.yml b/playbook.yml index f1b74d7..931d1bd 100644 --- a/playbook.yml +++ b/playbook.yml @@ -25,4 +25,4 @@ - solr - redis - ckan - - msl-api + - msl_api diff --git a/roles/acme_certificates/meta/main.yml b/roles/acme_certificates/meta/main.yml index 0007205..6d28f6b 100644 --- a/roles/acme_certificates/meta/main.yml +++ b/roles/acme_certificates/meta/main.yml @@ -5,7 +5,7 @@ galaxy_info: author: Lazlo Westerhof description: Install Let's Encrypt certificates license: GPLv3 - min_ansible_version: 2.7 + min_ansible_version: "2.7" platforms: - name: CentOS version: 7 diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index c2711f3..0c0b2b6 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -41,7 +41,7 @@ dest: '{{ openssl_certs_dir }}/{{ openssl_crt_signed_and_chain }}' owner: root group: root - mode: 0644 + mode: "0644" when: cert_mode == "static" @@ -94,7 +94,7 @@ content: '{{ static_cert_crt }}' owner: root group: root - mode: 0644 + mode: "0644" when: cert_mode == "static" @@ -104,7 +104,7 @@ content: '{{ static_cert_chain }}' owner: root group: root - mode: 0644 + mode: "0644" when: cert_mode == "static" 
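Review bot: In `.github/workflows/ansible-lint.yml`, `ansible/ansible-lint-action@v6.15.0` is still a mutable reference: a tag can be moved upstream, so the job runs whatever the tag points to at run time. Pinning the action to a full commit SHA with the version as a trailing comment makes the dependency immutable, e.g. `uses: ansible/ansible-lint-action@<full-commit-sha>  # v6.15.0` (placeholder; take the SHA from the upstream release). The `actions/checkout@v2` context line above it is mutable in the same way and is worth pinning in the same pass. The job definition starts outside the hunk.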
@@ -137,7 +137,7 @@ - name: Ensure certificate files have correct permissions ansible.builtin.file: path: '{{ item }}' - mode: 0644 + mode: "0644" group: 'root' owner: 'root' state: file diff --git a/roles/ckan/defaults/main.yml b/roles/ckan/defaults/main.yml index f731432..970495d 100644 --- a/roles/ckan/defaults/main.yml +++ b/roles/ckan/defaults/main.yml @@ -25,6 +25,7 @@ ckan_package_file: /tmp/ckan_package.deb ckan_package_upgrade: false ckan_ini_file: /etc/ckan/default/ckan.ini ckan_storage_path: /ckandata +ckan_search_facets_limit: 10000 ckan_session_timeout: 3600 @@ -39,6 +40,7 @@ ckanext_scheming_version: release-2.1.0 # whereas the branch parameter is used for updating the code. They are separate parameters # so that we can reference a specific commit in the code base while still getting # the correct Solr schema. They would usually be the same, however. -ckan_msl_core_plugin_version: 1.3.0 -ckan_msl_core_plugin_branch: 1.3.0 +ckan_msl_core_plugin_version: 1.4.0 +ckan_msl_core_plugin_branch: 1.4.0 ckan_msl_util_plugin_branch: 1.0.0 +ckan_msl_vocabularies_endpoint: https://epos-msl.ckan.test/webservice/api/vocabularies diff --git a/roles/ckan/meta/main.yml b/roles/ckan/meta/main.yml index fe6ee0b..f932113 100644 --- a/roles/ckan/meta/main.yml +++ b/roles/ckan/meta/main.yml @@ -20,7 +20,7 @@ galaxy_info: # - CC-BY license: GPLv3 - min_ansible_version: 2.7 + min_ansible_version: "2.7" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: @@ -62,8 +62,8 @@ galaxy_info: dependencies: - - common - - solr - - redis - - postgresql - - nginx + - role: common + - role: solr + - role: redis + - role: postgresql + - role: nginx diff --git a/roles/ckan/tasks/main.yml b/roles/ckan/tasks/main.yml index 1ab7e61..0b21a94 100644 --- a/roles/ckan/tasks/main.yml +++ b/roles/ckan/tasks/main.yml 
@@ -27,7 +27,7 @@ state: directory owner: www-data group: www-data - mode: 0775 + mode: "0775" - name: Install CKAN package @@ -92,7 +92,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: "0755" owner: root with_items: - /usr/lib/ckan @@ -131,10 +131,48 @@ dest: "{{ ckan_ini_file }}" owner: www-data group: www-data - mode: 0644 + mode: "0644" when: not ansible_check_mode +# Needed for preventing warnings/error when installing MSL plugins +- name: Install wheel package + ansible.builtin.pip: + name: wheel + virtualenv: /usr/lib/ckan/default + + +- name: Install CKAN scheming plugin + ansible.builtin.pip: + name: "https://github.com/ckan/ckanext-scheming/archive/{{ ckanext_scheming_version }}.tar.gz" + virtualenv: /usr/lib/ckan/default + extra_args: "--upgrade" + notify: Restart ckan-uwsgi + + +- name: Install CKAN MSL Core plugin + ansible.builtin.pip: + name: "git+https://github.com/UtrechtUniversity/msl_ckan_core@{{ ckan_msl_core_plugin_branch }}" + virtualenv: /usr/lib/ckan/default + extra_args: "--upgrade" + notify: Restart ckan-uwsgi + + +- name: Clone CKAN MSL Core plugin for copying images + ansible.builtin.git: + repo: "https://github.com/UtrechtUniversity/msl_ckan_core" + dest: /usr/lib/ckan/msl_ckan_core + version: "{{ ckan_msl_core_plugin_branch }}" + + +# Workaround for issue where pip doesn't install static images in MSL core plugin +- name: Synchronize MSL Core plugin images + ansible.posix.synchronize: + src: /usr/lib/ckan/msl_ckan_core/ckanext/msl_ckan/public/ + dest: /usr/lib/ckan/default/lib/python3.8/site-packages/ckanext/msl_ckan/public/ + delegate_to: "{{ inventory_hostname }}" + + - name: Check Solr schema ansible.builtin.stat: path: /etc/solr/conf/schema.xml 
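Review bot: The plugin installs added after the `ckan.ini` template task in `roles/ckan/tasks/main.yml` (hunk `-131,10 +131,48`) fetch code by ref name only: `ckanext-scheming` from an archive URL keyed on `ckanext_scheming_version`, and `msl_ckan_core` from `git+https://…@{{ ckan_msl_core_plugin_branch }}` with `--upgrade`, followed by a second fetch through `ansible.builtin.git`. If those variables hold branch or tag names (the defaults visible in this commit are `release-2.1.0` and `1.4.0`), each run installs whatever the ref resolves to at that moment into the virtualenv that serves CKAN. Consider pinning `version:` and the pip ref to a full commit SHA, and appending a `#sha256=<expected-sha256>` fragment (placeholder) to the archive URL so pip verifies the download. The synchronize `dest` also hard-codes `python3.8`; a comment such as `# path depends on the virtualenv's Python minor version` would document that coupling. These tasks were moved up from lower in the file, so the pattern predates this commit.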
@@ -142,20 +180,21 @@ - name: Ensure default schema has been backed up - ansible.builtin.command: "mv /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.orig" + ansible.builtin.command: + cmd: "mv /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.orig" + creates: /etc/solr/conf/schema.xml.orig when: solrschema.stat.exists and solrschema.stat.isreg is defined and solrschema.stat.isreg - name: Use custom Solr scheme for EPOS-MSL become_user: root become: true - ansible.builtin.template: - src: solrschema.xml.j2 + ansible.posix.synchronize: + src: /usr/lib/ckan/msl_ckan_core/ckanext/msl_ckan/config/solr/schema.xml dest: /etc/solr/conf/schema.xml - owner: root - group: root - mode: 0644 notify: Restart Solr + delegate_to: "{{ inventory_hostname }}" + when: not ansible_check_mode - name: Check who.ini @@ -178,36 +217,6 @@ state: link -# Needed for preventing warnings/error when installing MSL plugins -- name: Install wheel package - ansible.builtin.pip: - name: wheel - virtualenv: /usr/lib/ckan/default - - -- name: Install CKAN scheming plugin - ansible.builtin.pip: - name: "https://github.com/ckan/ckanext-scheming/archive/{{ ckanext_scheming_version }}.tar.gz" - virtualenv: /usr/lib/ckan/default - extra_args: "--upgrade" - notify: Restart ckan-uwsgi - - -- name: Install CKAN MSL Core plugin - ansible.builtin.pip: - name: "git+https://github.com/UtrechtUniversity/msl_ckan_core@{{ ckan_msl_core_plugin_branch }}" - virtualenv: /usr/lib/ckan/default - extra_args: "--upgrade" - notify: Restart ckan-uwsgi - - -- name: Clone CKAN MSL Core plugin for copying images - ansible.builtin.git: - repo: "https://github.com/UtrechtUniversity/msl_ckan_core" - dest: /usr/lib/ckan/msl_ckan_core - version: "{{ ckan_msl_core_plugin_branch }}" - - # Workaround for issue where pip doesn't install static images in MSL core plugin - name: Synchronize MSL Core plugin images ansible.posix.synchronize: 
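Review bot: Switching `Use custom Solr scheme for EPOS-MSL` from the template module to `ansible.posix.synchronize` drops the explicit `owner: root`, `group: root` and mode on `/etc/solr/conf/schema.xml`. synchronize runs rsync in archive mode by default, so the file takes its ownership and permissions from the git checkout under `/usr/lib/ckan/msl_ckan_core`, whichever account created it. For a single file that is already on the host, `ansible.builtin.copy` with `remote_src: true` keeps the new source, restores the pinned ownership and mode, and makes `delegate_to` unnecessary. The schema content now comes straight from the cloned repository, so it is only as trustworthy as the ref in `ckan_msl_core_plugin_branch`.

```yaml
- name: Use custom Solr scheme for EPOS-MSL
  # … unchanged: become_user, become …
  ansible.builtin.copy:
    src: /usr/lib/ckan/msl_ckan_core/ckanext/msl_ckan/config/solr/schema.xml
    dest: /etc/solr/conf/schema.xml
    remote_src: true
    owner: root
    group: root
    mode: "0644"
  # … unchanged: notify, when …
```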
@@ -290,7 +299,7 @@ dest: "/etc/nginx/sites-available/ckan" owner: root group: root - mode: 0644 + mode: "0644" notify: Restart Nginx webserver diff --git a/roles/ckan/templates/ckan.ini.j2 b/roles/ckan/templates/ckan.ini.j2 index f2d5570..715db05 100644 --- a/roles/ckan/templates/ckan.ini.j2 +++ b/roles/ckan/templates/ckan.ini.j2 @@ -39,6 +39,9 @@ beaker.session.secret = {{ session_secret.stdout }} # a config file. app_instance_uuid = {{ app_instance_uuid.stdout }} +# Default number of search facets returned in a query +search.facets.limit = {{ ckan_search_facets_limit }} + # repoze.who config who.config_file = %(here)s/who.ini who.log_level = warning @@ -124,13 +127,14 @@ solr_url = http://127.0.0.1:{{ solr_port }}/solr ckan.plugins = stats text_view image_view recline_view msl_ckan scheming_datasets scheming_groups scheming_organizations msl_custom_facets msl_repeating_fields scheming.dataset_schemas = ckanext.msl_ckan:schemas/datasets/data_publication.yml ckanext.msl_ckan:schemas/datasets/labs.json -scheming.group_schemas = ckanext.msl_ckan:schemas/groups/custom_group_msl_subdomain.json -scheming.organization_schemas = ckanext.msl_ckan:schemas/organizations/custom_org_institute.json +scheming.organization_schemas = ckanext.msl_ckan:schemas/organizations/organization.json mslfacets.dataset_config = ckanext.msl_ckan:config/facets.json mslindexfields.field_config = ckanext.msl_ckan:config/msl_index_fields.json +mslvocabularies.endpoint_root = {{ ckan_msl_vocabularies_endpoint }} + # Define which views should be created by default # (plugins must be loaded in ckan.plugins) ckan.views.default_views = image_view text_view recline_view 
@@ -267,12 +271,6 @@ formatter = generic [formatter_generic] format = %(asctime)s %(levelname)-5.5s [%(name)s] %(message)s -# Settings for EPOS-MSL plugins - -# msl_ckan settings -scheming.dataset_schemas = ckanext.msl_ckan:schemas/datasets/data_publication.yml ckanext.msl_ckan:schemas/datasets/labs.json -scheming.group_schemas = ckanext.msl_ckan:schemas/groups/custom_group_msl_subdomain.json -scheming.organization_schemas = ckanext.msl_ckan:schemas/organizations/custom_org_institute.json # msl_ckan_util settings ckan.mslfacets.dataset_config = ckanext.msl_ckan_util:samples/facets.json ckan.mslindexfields.fields_config = ckanext.msl_ckan_util:samples/msl_index_fields.json diff --git a/roles/ckan/templates/solrschema.xml.j2 b/roles/ckan/templates/solrschema.xml.j2 deleted file mode 100644 index 00fcecd..0000000 --- a/roles/ckan/templates/solrschema.xml.j2 +++ /dev/null @@ -1,359 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -index_id -text - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/roles/common/tasks/apt_update.yml b/roles/common/tasks/apt_update.yml index 477ce5e..4a599d5 100644 --- a/roles/common/tasks/apt_update.yml +++ b/roles/common/tasks/apt_update.yml 
@@ -2,4 +2,8 @@ # copyright Utrecht University - name: Update apt cache - ansible.builtin.apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 + ansible.builtin.apt: + update_cache: true + force_apt_get: true + cache_valid_time: 3600 + changed_when: false diff --git a/roles/common/tasks/firewalld.yml b/roles/common/tasks/firewalld.yml index 08ddbd3..cb4d132 100644 --- a/roles/common/tasks/firewalld.yml +++ b/roles/common/tasks/firewalld.yml @@ -9,7 +9,7 @@ - name: Ensure firewall is running and enabled - ansible.builtin.service: + ansible.builtin.systemd_service: name: firewalld state: started enabled: true diff --git a/roles/msl-api/defaults/main.yml b/roles/msl_api/defaults/main.yml similarity index 94% rename from roles/msl-api/defaults/main.yml rename to roles/msl_api/defaults/main.yml index d7519a9..17f2bc9 100644 --- a/roles/msl-api/defaults/main.yml +++ b/roles/msl_api/defaults/main.yml @@ -1,7 +1,7 @@ --- # copyright Utrecht University -msl_api_version: 1.4.0 +msl_api_version: 1.5.1 msl_api_database: mslapi msl_api_database_user: msl msl_api_user: www-data diff --git a/roles/msl-api/handlers/main.yml b/roles/msl_api/handlers/main.yml similarity index 100% rename from roles/msl-api/handlers/main.yml rename to roles/msl_api/handlers/main.yml diff --git a/roles/msl-api/tasks/application.yml b/roles/msl_api/tasks/application.yml similarity index 97% rename from roles/msl-api/tasks/application.yml rename to roles/msl_api/tasks/application.yml index fd91618..d7e1754 100644 --- a/roles/msl-api/tasks/application.yml +++ b/roles/msl_api/tasks/application.yml @@ -18,7 +18,7 @@ ansible.builtin.file: path: /var/www/msl_api state: directory - mode: 0755 + mode: "0755" - name: Ensure MSL API dir is writable for Composer @@ -64,5 +64,5 @@ dest: /etc/supervisor/conf.d/laravel-worker.conf owner: root group: root - mode: 0644 + mode: "0644" notify: Reload Supervisor 
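Review bot: In `roles/common/tasks/firewalld.yml`, `ansible.builtin.systemd_service` is, as far as I know, only available from ansible-core 2.14, while the role metadata touched elsewhere in this commit still declares `min_ansible_version: "2.7"`. On an older controller the task that starts and enables firewalld would fail to resolve instead of running. Either raise the declared minimum to match or keep `ansible.builtin.service` here; a comment such as `# systemd_service requires ansible-core >= 2.14` would document the constraint. The common role's own meta file is not part of this diff, so its declared minimum is inferred from the other roles.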
diff --git a/roles/msl-api/tasks/config.yml b/roles/msl_api/tasks/config.yml similarity index 100% rename from roles/msl-api/tasks/config.yml rename to roles/msl_api/tasks/config.yml diff --git a/roles/msl-api/tasks/database.yml b/roles/msl_api/tasks/database.yml similarity index 100% rename from roles/msl-api/tasks/database.yml rename to roles/msl_api/tasks/database.yml diff --git a/roles/msl-api/tasks/main.yml b/roles/msl_api/tasks/main.yml similarity index 100% rename from roles/msl-api/tasks/main.yml rename to roles/msl_api/tasks/main.yml diff --git a/roles/msl-api/tasks/prerequisites.yml b/roles/msl_api/tasks/prerequisites.yml similarity index 97% rename from roles/msl-api/tasks/prerequisites.yml rename to roles/msl_api/tasks/prerequisites.yml index 5657e53..84be03d 100644 --- a/roles/msl-api/tasks/prerequisites.yml +++ b/roles/msl_api/tasks/prerequisites.yml @@ -29,4 +29,4 @@ checksum: '{{ composer_checksum }}' group: root owner: root - mode: 0755 + mode: "0755" diff --git a/roles/msl-api/tasks/storage.yml b/roles/msl_api/tasks/storage.yml similarity index 100% rename from roles/msl-api/tasks/storage.yml rename to roles/msl_api/tasks/storage.yml diff --git a/roles/msl-api/templates/env.j2 b/roles/msl_api/templates/env.j2 similarity index 100% rename from roles/msl-api/templates/env.j2 rename to roles/msl_api/templates/env.j2 diff --git a/roles/msl-api/templates/laravel-worker.j2 b/roles/msl_api/templates/laravel-worker.j2 similarity index 100% rename from roles/msl-api/templates/laravel-worker.j2 rename to roles/msl_api/templates/laravel-worker.j2 diff --git a/roles/postgresql/meta/main.yml b/roles/postgresql/meta/main.yml index b947b04..0163a4a 100644 --- a/roles/postgresql/meta/main.yml +++ b/roles/postgresql/meta/main.yml @@ -20,7 +20,7 @@ galaxy_info: # - CC-BY license: GPLv3 - min_ansible_version: 2.7 + min_ansible_version: "2.7" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: 
@@ -61,5 +61,5 @@ galaxy_info: # Maximum 20 tags per role. dependencies: - - common - - certificates + - role: common + - role: certificates diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml index e8e4abf..fe6adc1 100644 --- a/roles/postgresql/tasks/main.yml +++ b/roles/postgresql/tasks/main.yml @@ -56,7 +56,7 @@ - name: Ensure PostgreSQL has access to PKI files ansible.builtin.file: path: '{{ item }}' - mode: 0600 + mode: "0600" group: 'postgres' owner: 'postgres' state: file @@ -68,10 +68,10 @@ - name: Ensure PostgreSQL is configured to use SSL community.general.ini_file: path: /etc/postgresql/12/main/postgresql.conf - section: null + section: '' option: '{{ item.option }}' value: '{{ item.value }}' - mode: 0644 + mode: "0644" with_items: - option: ssl value: "on" diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml index 20c3f6d..092d5de 100644 --- a/roles/redis/tasks/main.yml +++ b/roles/redis/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.template: src: redis.conf.j2 dest: /etc/redis.conf - mode: 0644 + mode: "0644" notify: Restart Redis diff --git a/roles/solr/tasks/main.yml b/roles/solr/tasks/main.yml index 851bab2..710415e 100644 --- a/roles/solr/tasks/main.yml +++ b/roles/solr/tasks/main.yml @@ -15,7 +15,7 @@ dest: /etc/tomcat9/server.xml owner: root group: tomcat - mode: 0640 + mode: "0640" register: serverxml diff --git a/roles/zabbix_agent/tasks/main.yml b/roles/zabbix_agent/tasks/main.yml index 1e03d75..d38755c 100644 --- a/roles/zabbix_agent/tasks/main.yml +++ b/roles/zabbix_agent/tasks/main.yml @@ -6,6 +6,7 @@ url: "{{ zabbix_agent.url }}/{{ zabbix_agent.filename }}" dest: '{{ zabbix_agent.deb_dest_dir }}/{{ zabbix_agent.filename }}' checksum: '{{ zabbix_agent.checksum }}' + mode: "0644" - name: Install Zabbix repo from downloaded package @@ -22,7 +23,7 @@ dest: /etc/apt/preferences.d/99zabbix-agent owner: root group: root - mode: 0644 + mode: "0644" - name: Install Zabbix agent" 
@@ -50,7 +51,7 @@ path: /etc/zabbix/zabbix_agentd.psk owner: zabbix group: zabbix - mode: 0600 + mode: "0600" - name: Configure Zabbix agent @@ -59,5 +60,5 @@ dest: /etc/zabbix/zabbix_agentd.conf owner: zabbix group: zabbix - mode: 0600 + mode: "0600" notify: Restart Zabbix agent diff --git a/roles/zabbix_ckan/tasks/main.yml b/roles/zabbix_ckan/tasks/main.yml index 942db8a..58e5892 100644 --- a/roles/zabbix_ckan/tasks/main.yml +++ b/roles/zabbix_ckan/tasks/main.yml @@ -7,7 +7,7 @@ dest: '/etc/zabbix/zabbix_agentd.conf.d/{{ item }}' owner: zabbix group: zabbix - mode: 0500 + mode: "0500" with_items: - 'dailyErrorLog.sh' @@ -18,7 +18,7 @@ dest: '/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.userparams.conf' owner: zabbix group: zabbix - mode: 0400 + mode: "0400" - name: Ensure Zabbix sudoers file is present @@ -27,4 +27,4 @@ dest: '/etc/sudoers.d/ckan-zabbix-sudoers' owner: root group: root - mode: 0440 + mode: "0440" diff --git a/roles/zabbix_postgresql/tasks/main.yml b/roles/zabbix_postgresql/tasks/main.yml index b5d7bb5..5b018ed 100644 --- a/roles/zabbix_postgresql/tasks/main.yml +++ b/roles/zabbix_postgresql/tasks/main.yml @@ -6,6 +6,7 @@ ansible.builtin.get_url: url: 'https://github.com/zabbix/zabbix/archive/refs/tags/{{ zabbix_source_version }}.tar.gz' dest: '/tmp/zabbix-{{ zabbix_source_version }}.tar.gz' + mode: "0644" - name: Extract Zabbix source code @@ -20,7 +21,7 @@ path: '{{ item }}' owner: zabbix group: zabbix - mode: 0755 + mode: "0755" state: directory with_items: - /var/lib/zabbix @@ -43,14 +44,14 @@ dest: /etc/zabbix/zabbix_agentd.conf.d/template_db_postgresql.conf owner: zabbix group: zabbix - mode: 0640 + mode: "0640" no_log: true - name: Create Zabbix database user become_user: postgres become: true - postgresql_user: + community.postgresql.postgresql_user: db: "{{ zabbix_database_name }}" name: "{{ zabbix_psql_monitoring_user }}" password: "{{ zabbix_psql_monitoring_password }}" 
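Review bot: The task that writes `/etc/sudoers.d/ckan-zabbix-sudoers` (last hunk of `roles/zabbix_ckan/tasks/main.yml`) shows no `validate:` among the visible parameters; the task header is outside the hunk, so it may be set there. A malformed file in `/etc/sudoers.d` can break sudo for every account on the host, so if the check is missing, add `validate: 'visudo -cf %s'` next to `mode: "0440"`.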
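Review bot: The `ansible.builtin.get_url` task in `roles/zabbix_postgresql/tasks/main.yml` (hunk `-6,6 +6,7`) gains a `mode` but still has no `checksum`, unlike the agent package download in `roles/zabbix_agent/tasks/main.yml`, which sets `checksum: '{{ zabbix_agent.checksum }}'`. The tarball is fetched by tag name and written to a fixed path under `/tmp` before the extract task that follows, so nothing ties the extracted files to a known release artifact. Add `checksum: "sha256:<expected-sha256>"` (placeholder; keep the real digest next to `zabbix_source_version`) and consider a `dest` outside the world-writable `/tmp`. The extract task continues outside the hunk.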
@@ -61,7 +62,7 @@ - name: Grant Zabbix user select rights on postgres database become: true become_user: postgres - postgresql_privs: + community.postgresql.postgresql_privs: db: "{{ zabbix_psql_monitoring_db }}" role: "{{ zabbix_psql_monitoring_user }}" objs: ALL_IN_SCHEMA diff --git a/zabbix.yml b/zabbix.yml index 93fb7b8..3d025ba 100644 --- a/zabbix.yml +++ b/zabbix.yml @@ -2,7 +2,8 @@ # copyright Utrecht University # This playbook provisions EPOS-MSL instance with the Zabbix agent, PostgreSQL monitoring and Zabbix user access to the database. -- hosts: localhost +- name: Local checks + hosts: localhost gather_facts: false pre_tasks: - name: Verify Ansible version meets requirements