2024-04-06 22:50:53 +02:00
|
|
|
---
|
|
|
|
- name: Setup QGIS-Server and Lizmap
|
|
|
|
hosts: testing
|
|
|
|
handlers:
|
|
|
|
- name: Ensure nginx is restarted
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
name: nginx
|
|
|
|
state: restarted
|
2024-05-14 12:08:37 +02:00
|
|
|
|
|
|
|
- name: Ensure OpenSSH is restarted
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
name: sshd
|
|
|
|
state: restarted
|
|
|
|
|
2024-06-10 21:22:25 +02:00
|
|
|
- name: Ensure postgresql is restarted
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
name: postgresql
|
|
|
|
state: restarted
|
|
|
|
|
2024-05-14 12:08:37 +02:00
|
|
|
- name: Ensure php-fpm is restarted
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
name: "php{{ php['version'] }}-fpm"
|
|
|
|
state: restarted
|
|
|
|
|
2024-06-08 14:39:43 +02:00
|
|
|
- name: Ensure sftp-permissions is restarted and enabled
|
2024-05-31 16:52:50 +02:00
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
2024-06-08 14:39:43 +02:00
|
|
|
name: sftp-permissions
|
2024-05-31 16:52:50 +02:00
|
|
|
state: restarted
|
|
|
|
enabled: true
|
2024-06-08 14:39:43 +02:00
|
|
|
daemon_reload: true
|
2024-05-31 16:52:50 +02:00
|
|
|
|
2024-04-06 22:50:53 +02:00
|
|
|
tasks:
|
|
|
|
- name: Ensure valid apt cache and required tools are present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.apt:
|
|
|
|
cache_valid_time: 600
|
|
|
|
name:
|
|
|
|
- acl
|
|
|
|
- ufw
|
|
|
|
- git
|
|
|
|
- unzip
|
|
|
|
- gnupg
|
|
|
|
- software-properties-common
|
2024-05-14 12:08:37 +02:00
|
|
|
- postgresql
|
|
|
|
- acl # bug: https://github.com/ansible/ansible/issues/74830
|
2024-06-08 14:39:43 +02:00
|
|
|
- inotify-tools
|
2024-06-10 21:22:25 +02:00
|
|
|
- postgis
|
2024-04-06 22:50:53 +02:00
|
|
|
state: present
|
|
|
|
|
|
|
|
- name: Ensure qgis-server is valid
|
|
|
|
block:
|
|
|
|
- name: Ensure qgis repository key is in apt-keyring
|
|
|
|
become: true
|
|
|
|
ansible.builtin.get_url:
|
|
|
|
url: "{{ qgis_repo['keyring']['url'] }}"
|
|
|
|
checksum: "{{ qgis_repo['keyring']['hash'] }}"
|
|
|
|
dest: /etc/apt/keyrings/qgis-archive-keyring.gpg
|
|
|
|
backup: true
|
|
|
|
owner: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure qgis repository is in apt-sources
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: ./templates/qgis.sources.j2
|
|
|
|
dest: /etc/apt/sources.list.d/qgis.sources
|
|
|
|
backup: true
|
|
|
|
owner: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure qgis-server is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.apt:
|
|
|
|
update_cache: true
|
|
|
|
name:
|
2024-06-10 21:22:25 +02:00
|
|
|
- "{{ 'qgis-server=' + qgis_server['full_version'] }}"
|
2024-04-06 22:50:53 +02:00
|
|
|
state: present
|
|
|
|
|
|
|
|
- name: Ensure qgis-server directory is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ qgis_server['path'] }}"
|
|
|
|
state: directory
|
|
|
|
owner: www-data
|
|
|
|
group: www-data
|
2024-06-10 21:22:25 +02:00
|
|
|
mode: u=rwX,g=rwX,o=rX
|
2024-04-06 22:50:53 +02:00
|
|
|
|
|
|
|
- name: Ensure qgis-server environment file is latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: ./templates/qgis_server_env.j2
|
|
|
|
dest: "{{ qgis_server['path'] }}/qgis_server_env"
|
|
|
|
backup: true
|
|
|
|
owner: www-data
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure qgis-server systemd files are latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: "./templates/{{ item }}.j2"
|
|
|
|
dest: "/etc/systemd/system/{{ item }}"
|
|
|
|
backup: true
|
|
|
|
owner: root
|
2024-06-10 21:22:25 +02:00
|
|
|
group: root
|
2024-04-06 22:50:53 +02:00
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
loop:
|
|
|
|
- "qgis-server@.service"
|
|
|
|
- "qgis-server@.socket"
|
|
|
|
|
|
|
|
- name: Ensure qgis-server service is enabled and stopped
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
daemon_reload: true
|
|
|
|
enabled: true
|
|
|
|
state: stopped
|
|
|
|
name: "qgis-server@{{ item }}.service"
|
|
|
|
loop: "{{ range(1, qgis_server['count'] + 1, 1) | list }}"
|
|
|
|
|
|
|
|
- name: Ensure qgis-server socket is enabled and started
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
daemon_reload: true
|
|
|
|
enabled: true
|
|
|
|
state: started
|
|
|
|
name: "qgis-server@{{ item }}.socket"
|
|
|
|
loop: "{{ range(1, qgis_server['count'] + 1, 1) | list }}"
|
|
|
|
|
|
|
|
- name: Ensure nginx is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.apt:
|
|
|
|
cache_valid_time: 600
|
|
|
|
name: "nginx"
|
|
|
|
state: present
|
|
|
|
|
2024-06-10 21:22:25 +02:00
|
|
|
- name: Ensure custom ufw rules are latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: "{{ item }}"
|
|
|
|
dest: "/etc/ufw/applications.d/{{ item | basename }}"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
with_fileglob: "templates/ufw/applications.d/*"
|
|
|
|
|
|
|
|
- name: Ensure ufw rules are set
|
2024-04-06 22:50:53 +02:00
|
|
|
become: true
|
|
|
|
community.general.ufw:
|
|
|
|
rule: allow
|
|
|
|
name: "{{ item }}"
|
|
|
|
state: enabled
|
|
|
|
loop:
|
|
|
|
- "SSH"
|
|
|
|
- "Nginx HTTP"
|
|
|
|
- "Nginx HTTPS"
|
2024-06-10 21:22:25 +02:00
|
|
|
- "PostgreSQL"
|
2024-04-06 22:50:53 +02:00
|
|
|
|
2024-05-14 12:08:37 +02:00
|
|
|
- name: Ensure postgresql for lizmap is valid
|
|
|
|
block:
|
|
|
|
- name: Check if PostgreSQL database is initialized.
|
|
|
|
become: true
|
|
|
|
ansible.builtin.stat:
|
|
|
|
path: "/var/lib/postgresql/15/main/PG_VERSION"
|
|
|
|
register: pgdata_dir_version
|
|
|
|
|
|
|
|
- name: Ensure PostgreSQL database is initialized.
|
|
|
|
become: true
|
|
|
|
ansible.builtin.command: "pg_createcluster 15 main --start"
|
|
|
|
when: not pgdata_dir_version.stat.exists
|
|
|
|
changed_when: true
|
|
|
|
|
|
|
|
- name: Ensure postgresql is started and enabled
|
|
|
|
become: true
|
|
|
|
ansible.builtin.systemd:
|
|
|
|
name: postgresql
|
|
|
|
state: started
|
|
|
|
enabled: true
|
|
|
|
|
|
|
|
- name: Ensure lizmap user exists
|
|
|
|
become: true
|
|
|
|
become_user: postgres
|
|
|
|
community.postgresql.postgresql_user:
|
|
|
|
name: "{{ lizmap['postgresql_connection']['user'] }}"
|
|
|
|
encrypted: true
|
|
|
|
password: "{{ postgresql_lizmap_pass }}"
|
|
|
|
|
|
|
|
- name: Ensure lizmap database exists
|
|
|
|
become: true
|
|
|
|
become_user: postgres
|
|
|
|
community.postgresql.postgresql_db:
|
|
|
|
name: "{{ lizmap['postgresql_connection']['database'] }}"
|
|
|
|
owner: "{{ lizmap['postgresql_connection']['user'] }}"
|
|
|
|
|
2024-04-06 22:50:53 +02:00
|
|
|
- name: Ensure lizmap-web-client is valid
|
|
|
|
block:
|
|
|
|
- name: Ensure php packages required by lizmap are present
|
2024-05-14 12:08:37 +02:00
|
|
|
notify:
|
|
|
|
- "Ensure php-fpm is restarted"
|
2024-04-06 22:50:53 +02:00
|
|
|
become: true
|
|
|
|
ansible.builtin.apt:
|
|
|
|
cache_valid_time: 600
|
|
|
|
name: "{{ lizmap['dependencies'] }}"
|
|
|
|
state: present
|
|
|
|
|
|
|
|
- name: Check if lizmap-web-client is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.stat:
|
|
|
|
path: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
|
|
|
|
register: _lizmap_version_stat
|
|
|
|
|
|
|
|
- name: Check if lizmap-web-client is target version
|
|
|
|
become: true
|
|
|
|
ansible.builtin.slurp:
|
|
|
|
src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
|
|
|
|
register: _lizmap_version_file
|
|
|
|
when: _lizmap_version_stat.stat.exists
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client is target version
|
|
|
|
when:
|
|
|
|
"(not _lizmap_version_stat.stat.exists) or (_lizmap_version_file is defined and
|
|
|
|
_lizmap_version_file['content'] | b64decode != lizmap['version'] + '\n')"
|
|
|
|
block:
|
|
|
|
- name: Ensure lizmap-web-client is downloaded
|
|
|
|
become: true
|
|
|
|
ansible.builtin.get_url:
|
|
|
|
url: "{{ lizmap['url'] }}"
|
|
|
|
dest: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip"
|
|
|
|
checksum: "{{ lizmap['hash'] }}"
|
|
|
|
owner: www-data
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client is un-archived
|
|
|
|
become: true
|
|
|
|
ansible.builtin.unarchive:
|
|
|
|
remote_src: true
|
|
|
|
src: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip"
|
|
|
|
dest: "{{ lizmap['path'] }}"
|
|
|
|
owner: www-data
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
register: _lizmap_extracted
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client is symlinked to documentRoot
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/lizmap/www"
|
|
|
|
dest: "/var/www/html/lizmap"
|
|
|
|
state: link
|
|
|
|
|
2024-06-10 21:22:25 +02:00
|
|
|
- name: Ensure lizmap-web-client default users file is latest
|
2024-04-06 22:50:53 +02:00
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
2024-06-10 21:22:25 +02:00
|
|
|
src: "./templates/lizmap/defaultusers.json.j2"
|
|
|
|
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
|
2024-04-06 22:50:53 +02:00
|
|
|
backup: true
|
|
|
|
owner: www-data
|
2024-06-10 21:22:25 +02:00
|
|
|
group: www-data
|
|
|
|
mode: u=rw,g=,o=
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client conf is latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.blockinfile:
|
|
|
|
block: "{{ lookup('ansible.builtin.template', './templates/lizmap/' + item + '.j2') }}"
|
|
|
|
dest: "{{ lizmap['path'] + 'lizmap-web-client-' + lizmap['version'] + '/lizmap/var/config/' + item }}"
|
|
|
|
backup: true
|
|
|
|
owner: www-data
|
|
|
|
group: www-data
|
|
|
|
mode: u=rw,g=,o=
|
|
|
|
create: true
|
|
|
|
marker: "; {mark} ANSIBLE MANAGED BLOCK"
|
|
|
|
|
2024-04-06 22:50:53 +02:00
|
|
|
loop:
|
2024-06-10 21:22:25 +02:00
|
|
|
- profiles.ini.php
|
|
|
|
- lizmapConfig.ini.php
|
|
|
|
- localconfig.ini.php
|
2024-05-14 12:08:37 +02:00
|
|
|
|
2024-04-06 22:50:53 +02:00
|
|
|
register: _lizmap_conf
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client directory has correct rights and owner
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/{{ item }}"
|
|
|
|
owner: "www-data"
|
|
|
|
group: "www-data"
|
|
|
|
mode: ug+rX
|
|
|
|
recurse: true
|
|
|
|
loop: # taken from lizmap-web-client-3.7.6/lizmap/install/set_rights.sh
|
|
|
|
- ""
|
|
|
|
- lizmap/var/config
|
|
|
|
- lizmap/var/db
|
|
|
|
- lizmap/var/log
|
|
|
|
- lizmap/var/themes
|
|
|
|
- lizmap/var/overloads
|
|
|
|
- lizmap/var/mails
|
|
|
|
- lizmap/var/uploads
|
|
|
|
- lizmap/var/lizmap-theme-config
|
|
|
|
- temp/lizmap
|
|
|
|
- lizmap/www/cache/
|
|
|
|
- lizmap/www/document/
|
|
|
|
- lizmap/www/live/
|
|
|
|
register: _lizmap_rights
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client installer was executed
|
|
|
|
become: true
|
|
|
|
become_user: www-data # TODO: ignore warning for remote_tmp
|
|
|
|
ansible.builtin.command:
|
|
|
|
chdir: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}"
|
|
|
|
cmd: "php lizmap/install/installer.php"
|
|
|
|
when:
|
|
|
|
"(_lizmap_extracted is changed)
|
|
|
|
or (_lizmap_conf is changed)
|
|
|
|
or (_lizmap_rights is changed)"
|
|
|
|
# TODO: find actual changes
|
|
|
|
changed_when: true # TODO: find actual changes
|
|
|
|
|
|
|
|
- name: Ensure nginx sites are valid
|
|
|
|
notify:
|
|
|
|
- "Ensure nginx is restarted"
|
|
|
|
block:
|
|
|
|
- name: Ensure default nginx site is disabled
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "/etc/nginx/sites-enabled/default"
|
|
|
|
state: absent
|
|
|
|
|
|
|
|
- name: Ensure qgis-server site conf is latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: "./templates/nginx/qgis-server.conf.j2"
|
|
|
|
dest: "/etc/nginx/sites-available/qgis-server.conf"
|
|
|
|
backup: true
|
|
|
|
owner: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure qgis-server site is enabled
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
src: "/etc/nginx/sites-available/qgis-server.conf"
|
|
|
|
dest: "/etc/nginx/sites-enabled/qgis-server.conf"
|
|
|
|
state: link
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client site conf is latest
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: "./templates/nginx/lizmap.conf.j2"
|
|
|
|
dest: "/etc/nginx/sites-available/lizmap.conf"
|
|
|
|
backup: true
|
|
|
|
owner: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure lizmap-web-client site is enabled
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
src: "/etc/nginx/sites-available/lizmap.conf"
|
|
|
|
dest: "/etc/nginx/sites-enabled/lizmap.conf"
|
|
|
|
state: link
|
|
|
|
|
|
|
|
- name: Ensure qgis-server plugins are valid
|
|
|
|
tags:
|
|
|
|
- qgis-server-plugins
|
|
|
|
block:
|
|
|
|
- name: Ensure requirements for qgis-server plugins are present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.apt:
|
|
|
|
cache_valid_time: 600
|
|
|
|
name:
|
|
|
|
- python3-pip
|
|
|
|
- python3-venv
|
|
|
|
state: present
|
|
|
|
|
|
|
|
- name: Ensure qgis-server venv and qgis-plugin-manager are present
|
|
|
|
become: true
|
|
|
|
become_user: www-data
|
|
|
|
ansible.builtin.pip:
|
|
|
|
virtualenv: "{{ qgis_server['path'] }}/qgis-server-venv"
|
|
|
|
# virtualenv_site_packages: true
|
|
|
|
virtualenv_command: python3 -m venv --system-site-packages
|
|
|
|
name:
|
|
|
|
- qgis-plugin-manager
|
|
|
|
state: present
|
|
|
|
|
|
|
|
- name: Ensure qgis-server plugins directory is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ qgis_server['path'] }}/plugins"
|
|
|
|
state: directory
|
|
|
|
owner: www-data
|
|
|
|
group: www-data
|
|
|
|
mode: ug=rwX,o=r
|
|
|
|
|
|
|
|
- name: Check if qgis-plugin-manager is initialized
|
|
|
|
become: true
|
|
|
|
ansible.builtin.stat:
|
|
|
|
path: "{{ qgis_server['path'] }}/plugins/sources.list"
|
|
|
|
register: _qgis_plugin_sources
|
|
|
|
|
|
|
|
- name: Ensure qgis-plugin-manager is initialized
|
|
|
|
become: true
|
|
|
|
become_user: www-data
|
|
|
|
ansible.builtin.command:
|
|
|
|
chdir: "{{ qgis_server['path'] }}/plugins"
|
|
|
|
cmd: "{{ qgis_server['path'] }}/qgis-server-venv/bin/qgis-plugin-manager init"
|
|
|
|
when: not _qgis_plugin_sources.stat.exists
|
|
|
|
changed_when: true
|
|
|
|
|
|
|
|
- name: Check if Lizmap server plugin is present
|
|
|
|
become: true
|
|
|
|
ansible.builtin.stat:
|
|
|
|
path: "{{ qgis_server['path'] }}/plugins/lizmap_server"
|
|
|
|
register: _qgis_plugin_lizmap_server
|
|
|
|
|
|
|
|
- name: Ensure Lizmap server plugin is present
|
|
|
|
become: true
|
|
|
|
become_user: www-data
|
|
|
|
ansible.builtin.command:
|
|
|
|
chdir: "{{ qgis_server['path'] }}/plugins"
|
|
|
|
cmd: "{{ qgis_server['path'] }}/qgis-server-venv/bin/qgis-plugin-manager {{ item }}"
|
|
|
|
loop:
|
|
|
|
- update
|
|
|
|
- install "Lizmap server"
|
|
|
|
when: not _qgis_plugin_lizmap_server.stat.exists
|
|
|
|
changed_when: true
|
2024-05-14 12:08:37 +02:00
|
|
|
|
|
|
|
- name: Ensure sftp group exists
|
|
|
|
become: true
|
|
|
|
ansible.builtin.group:
|
|
|
|
name: sftp
|
|
|
|
|
|
|
|
- name: Ensure publisher user exists
|
|
|
|
become: true
|
|
|
|
ansible.builtin.user:
|
|
|
|
user: "publisher"
|
|
|
|
password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
|
|
|
|
update_password: on_create
|
2024-05-31 16:52:50 +02:00
|
|
|
umask: u=rwX,g=rwX,o=
|
|
|
|
append: true
|
2024-05-14 12:08:37 +02:00
|
|
|
groups:
|
|
|
|
- sftp
|
|
|
|
|
|
|
|
- name: Ensure webserver user can access gis repositories
|
|
|
|
become: true
|
|
|
|
ansible.builtin.user:
|
|
|
|
user: "www-data"
|
2024-05-31 16:52:50 +02:00
|
|
|
append: true
|
2024-05-14 12:08:37 +02:00
|
|
|
groups:
|
|
|
|
- sftp
|
|
|
|
|
2024-06-10 13:46:15 +02:00
|
|
|
- name: Ensure lizmap root repository has correct rights
|
2024-05-31 16:52:50 +02:00
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ sftp_root }}"
|
|
|
|
state: directory
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: u=rwX,g=rX,o=rX
|
|
|
|
recurse: true
|
|
|
|
|
2024-06-10 13:46:15 +02:00
|
|
|
- name: Ensure lizmap root repository exists
|
2024-05-14 12:08:37 +02:00
|
|
|
become: true
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ lizmap['root_repositories'] }}"
|
|
|
|
state: directory
|
|
|
|
owner: "publisher"
|
|
|
|
group: sftp
|
2024-05-31 16:52:50 +02:00
|
|
|
mode: u=rwX,g=rwXs,o=
|
|
|
|
|
2024-06-08 14:39:43 +02:00
|
|
|
- name: Ensure sftp-permissions is latest
|
2024-05-31 16:52:50 +02:00
|
|
|
notify:
|
2024-06-08 14:39:43 +02:00
|
|
|
- Ensure sftp-permissions is restarted and enabled
|
2024-05-31 16:52:50 +02:00
|
|
|
become: true
|
|
|
|
block:
|
2024-06-08 14:39:43 +02:00
|
|
|
- name: Ensure sftp-permissions dir exists
|
|
|
|
ansible.builtin.file:
|
|
|
|
dest: "{{ software_package_root }}/sftp-permissions"
|
|
|
|
state: directory
|
2024-05-31 16:52:50 +02:00
|
|
|
owner: root
|
2024-06-08 14:39:43 +02:00
|
|
|
group: root
|
|
|
|
mode: u=rwX,g=rX,o=rX
|
|
|
|
|
|
|
|
- name: Ensure sftp-permissions script is latest
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: ./templates/sftp-inotify.sh.j2
|
|
|
|
dest: "{{ software_package_root }}/sftp-permissions/sftp-inotify.sh"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: u=rwx,g=r,o=
|
2024-05-31 16:52:50 +02:00
|
|
|
backup: true
|
|
|
|
|
2024-06-08 14:39:43 +02:00
|
|
|
- name: Ensure sftp-permissions service is latest
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: ./templates/sftp-permissions.service.j2
|
|
|
|
dest: /etc/systemd/system/sftp-permissions.service
|
2024-05-31 16:52:50 +02:00
|
|
|
owner: root
|
2024-06-08 14:39:43 +02:00
|
|
|
group: root
|
|
|
|
mode: u=rw,g=r,o=r
|
2024-05-14 12:08:37 +02:00
|
|
|
|
|
|
|
- name: Ensure sshd config is latest
|
|
|
|
notify:
|
|
|
|
- "Ensure OpenSSH is restarted"
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
2024-05-31 16:52:50 +02:00
|
|
|
src: ./templates/sshd_hardened.conf.j2
|
|
|
|
dest: /etc/ssh/sshd_config.d/sshd_hardened.conf
|
2024-05-14 12:08:37 +02:00
|
|
|
backup: true
|
|
|
|
owner: root
|
|
|
|
mode: u=rw,g=r,o=r
|
|
|
|
|
|
|
|
- name: Ensure publisher's ssh-keys are latest
|
|
|
|
become: true
|
|
|
|
ansible.posix.authorized_key:
|
|
|
|
user: "publisher"
|
|
|
|
state: present
|
|
|
|
key: " {{ lookup('file', item) }} "
|
|
|
|
loop: "{{ publisher_ssh_keys }}"
|
2024-06-10 21:22:25 +02:00
|
|
|
|
|
|
|
- name: Ensure gis database is present
|
|
|
|
tags: debug
|
|
|
|
block:
|
|
|
|
- name: Ensure gis database user exists
|
|
|
|
become: true
|
|
|
|
become_user: postgres
|
|
|
|
community.postgresql.postgresql_user:
|
|
|
|
name: "{{ gis_database['user'] }}"
|
|
|
|
encrypted: true
|
|
|
|
password: "{{ postgresql_gis_pass }}"
|
|
|
|
|
|
|
|
- name: Ensure gis databases exists
|
|
|
|
become: true
|
|
|
|
become_user: postgres
|
|
|
|
community.postgresql.postgresql_db:
|
|
|
|
name: "{{ item }}"
|
|
|
|
owner: "{{ gis_database['user'] }}"
|
|
|
|
loop: "{{ gis_database['databases'] }}"
|
|
|
|
|
|
|
|
- name: Ensure postgis schema is available in databases
|
|
|
|
become: true
|
|
|
|
become_user: postgres
|
|
|
|
community.postgresql.postgresql_ext:
|
|
|
|
db: "{{ item }}"
|
|
|
|
name: postgis
|
|
|
|
loop: "{{ gis_database['databases'] }}"
|
|
|
|
|
|
|
|
- name: Ensure gis database is reachable
|
|
|
|
notify: Ensure postgresql is restarted
|
|
|
|
block:
|
|
|
|
- name: Ensure postgresql listens on addresses
|
|
|
|
become: true
|
|
|
|
ansible.builtin.template:
|
|
|
|
src: ./templates/postgresql/postgresql_remote.conf.j2
|
|
|
|
dest: /etc/postgresql/15/main/conf.d/postgresql_remote.conf
|
|
|
|
owner: postgres
|
|
|
|
group: postgres
|
|
|
|
mode: u=rw,g=r,o=
|
|
|
|
backup: false
|
|
|
|
|
|
|
|
- name: Ensure postgresql allows gis user to connect
|
|
|
|
become: true
|
|
|
|
ansible.builtin.blockinfile:
|
|
|
|
block: "{{ lookup('ansible.builtin.template', './templates/postgresql/pg_hba_remote.conf.j2') }}"
|
|
|
|
dest: /etc/postgresql/15/main/pg_hba.conf
|