GisServer/playbooks/main.yaml

561 lines
18 KiB
YAML
Raw Normal View History

2024-04-06 22:50:53 +02:00
---
- name: Setup QGIS-Server and Lizmap
hosts: testing
handlers:
- name: Ensure nginx is restarted
become: true
ansible.builtin.systemd:
name: nginx
state: restarted
- name: Ensure OpenSSH is restarted
become: true
ansible.builtin.systemd:
name: sshd
state: restarted
- name: Ensure postgresql is restarted
become: true
ansible.builtin.systemd:
name: postgresql
state: restarted
- name: Ensure php-fpm is restarted
become: true
ansible.builtin.systemd:
name: "php{{ php['version'] }}-fpm"
state: restarted
2024-06-08 14:39:43 +02:00
- name: Ensure sftp-permissions is restarted and enabled
become: true
ansible.builtin.systemd:
2024-06-08 14:39:43 +02:00
name: sftp-permissions
state: restarted
enabled: true
2024-06-08 14:39:43 +02:00
daemon_reload: true
2024-04-06 22:50:53 +02:00
tasks:
- name: Ensure valid apt cache and required tools are present
become: true
ansible.builtin.apt:
cache_valid_time: 600
name:
- acl
- ufw
- git
- unzip
- gnupg
- software-properties-common
- postgresql
- acl # bug: https://github.com/ansible/ansible/issues/74830
2024-06-08 14:39:43 +02:00
- inotify-tools
- postgis
2024-04-06 22:50:53 +02:00
state: present
- name: Ensure qgis-server is valid
block:
- name: Ensure qgis repository key is in apt-keyring
become: true
ansible.builtin.get_url:
url: "{{ qgis_repo['keyring']['url'] }}"
checksum: "{{ qgis_repo['keyring']['hash'] }}"
dest: /etc/apt/keyrings/qgis-archive-keyring.gpg
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure qgis repository is in apt-sources
become: true
ansible.builtin.template:
src: ./templates/qgis.sources.j2
dest: /etc/apt/sources.list.d/qgis.sources
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure qgis-server is present
become: true
ansible.builtin.apt:
update_cache: true
name:
- "{{ 'qgis-server=' + qgis_server['full_version'] }}"
2024-04-06 22:50:53 +02:00
state: present
- name: Ensure qgis-server directory is present
become: true
ansible.builtin.file:
dest: "{{ qgis_server['path'] }}"
state: directory
owner: www-data
group: www-data
mode: u=rwX,g=rwX,o=rX
2024-04-06 22:50:53 +02:00
- name: Ensure qgis-server environment file is latest
become: true
ansible.builtin.template:
src: ./templates/qgis_server_env.j2
dest: "{{ qgis_server['path'] }}/qgis_server_env"
backup: true
owner: www-data
mode: u=rw,g=r,o=r
- name: Ensure qgis-server systemd files are latest
become: true
ansible.builtin.template:
src: "./templates/{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
backup: true
owner: root
group: root
2024-04-06 22:50:53 +02:00
mode: u=rw,g=r,o=r
loop:
- "qgis-server@.service"
- "qgis-server@.socket"
- name: Ensure qgis-server service is enabled and stopped
become: true
ansible.builtin.systemd:
daemon_reload: true
enabled: true
state: stopped
name: "qgis-server@{{ item }}.service"
loop: "{{ range(1, qgis_server['count'] + 1, 1) | list }}"
- name: Ensure qgis-server socket is enabled and started
become: true
ansible.builtin.systemd:
daemon_reload: true
enabled: true
state: started
name: "qgis-server@{{ item }}.socket"
loop: "{{ range(1, qgis_server['count'] + 1, 1) | list }}"
- name: Ensure nginx is present
become: true
ansible.builtin.apt:
cache_valid_time: 600
name: "nginx"
state: present
- name: Ensure custom ufw rules are latest
become: true
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/ufw/applications.d/{{ item | basename }}"
owner: root
group: root
mode: u=rw,g=r,o=r
with_fileglob: "templates/ufw/applications.d/*"
- name: Ensure ufw rules are set
2024-04-06 22:50:53 +02:00
become: true
community.general.ufw:
rule: allow
name: "{{ item }}"
state: enabled
loop:
- "SSH"
- "Nginx HTTP"
- "Nginx HTTPS"
- "PostgreSQL"
2024-04-06 22:50:53 +02:00
- name: Ensure postgresql for lizmap is valid
block:
- name: Check if PostgreSQL database is initialized.
become: true
ansible.builtin.stat:
path: "/var/lib/postgresql/15/main/PG_VERSION"
register: pgdata_dir_version
- name: Ensure PostgreSQL database is initialized.
become: true
ansible.builtin.command: "pg_createcluster 15 main --start"
when: not pgdata_dir_version.stat.exists
changed_when: true
- name: Ensure postgresql is started and enabled
become: true
ansible.builtin.systemd:
name: postgresql
state: started
enabled: true
- name: Ensure lizmap user exists
become: true
become_user: postgres
community.postgresql.postgresql_user:
name: "{{ lizmap['postgresql_connection']['user'] }}"
encrypted: true
password: "{{ postgresql_lizmap_pass }}"
- name: Ensure lizmap database exists
become: true
become_user: postgres
community.postgresql.postgresql_db:
name: "{{ lizmap['postgresql_connection']['database'] }}"
owner: "{{ lizmap['postgresql_connection']['user'] }}"
2024-04-06 22:50:53 +02:00
- name: Ensure lizmap-web-client is valid
block:
- name: Ensure php packages required by lizmap are present
notify:
- "Ensure php-fpm is restarted"
2024-04-06 22:50:53 +02:00
become: true
ansible.builtin.apt:
cache_valid_time: 600
name: "{{ lizmap['dependencies'] }}"
state: present
- name: Check if lizmap-web-client is present
become: true
ansible.builtin.stat:
path: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
register: _lizmap_version_stat
- name: Check if lizmap-web-client is target version
become: true
ansible.builtin.slurp:
src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
register: _lizmap_version_file
when: _lizmap_version_stat.stat.exists
- name: Ensure lizmap-web-client is target version
when:
"(not _lizmap_version_stat.stat.exists) or (_lizmap_version_file is defined and
_lizmap_version_file['content'] | b64decode != lizmap['version'] + '\n')"
block:
- name: Ensure lizmap-web-client is downloaded
become: true
ansible.builtin.get_url:
url: "{{ lizmap['url'] }}"
dest: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip"
checksum: "{{ lizmap['hash'] }}"
owner: www-data
mode: u=rw,g=r,o=r
- name: Ensure lizmap-web-client is un-archived
become: true
ansible.builtin.unarchive:
remote_src: true
src: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip"
dest: "{{ lizmap['path'] }}"
owner: www-data
mode: u=rw,g=r,o=r
register: _lizmap_extracted
- name: Ensure lizmap-web-client is symlinked to documentRoot
become: true
ansible.builtin.file:
src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/lizmap/www"
dest: "/var/www/html/lizmap"
state: link
- name: Ensure lizmap-web-client default users file is latest
2024-04-06 22:50:53 +02:00
become: true
ansible.builtin.template:
src: "./templates/lizmap/defaultusers.json.j2"
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
2024-04-06 22:50:53 +02:00
backup: true
owner: www-data
group: www-data
mode: u=rw,g=r,o=
- name: Ensure lizmap-web-client conf is latest
become: true
ansible.builtin.blockinfile:
block: "{{ lookup('ansible.builtin.template', './templates/lizmap/' + item + '.j2') }}"
dest: "{{ lizmap['path'] + 'lizmap-web-client-' + lizmap['version'] + '/lizmap/var/config/' + item }}"
backup: true
owner: www-data
group: www-data
mode: u=rw,g=r,o=
create: true
marker: "; {mark} ANSIBLE MANAGED BLOCK"
2024-04-06 22:50:53 +02:00
loop:
- profiles.ini.php
- lizmapConfig.ini.php
- localconfig.ini.php
2024-04-06 22:50:53 +02:00
register: _lizmap_conf
- name: Ensure lizmap-web-client directory has correct rights and owner
become: true
ansible.builtin.file:
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/{{ item }}"
owner: "www-data"
group: "www-data"
mode: u+rwX,g+rX
2024-04-06 22:50:53 +02:00
recurse: true
loop: # taken from lizmap-web-client-3.7.6/lizmap/install/set_rights.sh
- ""
- lizmap/var/config
- lizmap/var/db
- lizmap/var/log
- lizmap/var/themes
- lizmap/var/overloads
- lizmap/var/mails
- lizmap/var/uploads
- lizmap/var/lizmap-theme-config
- temp/lizmap
- lizmap/www/cache/
- lizmap/www/document/
- lizmap/www/live/
register: _lizmap_rights
- name: Ensure lizmap-web-client installer was executed
become: true
become_user: www-data # TODO: ignore warning for remote_tmp
ansible.builtin.command:
chdir: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}"
cmd: "php lizmap/install/installer.php"
when:
"(_lizmap_extracted is changed)
or (_lizmap_conf is changed)
or (_lizmap_rights is changed)"
# TODO: find actual changes
changed_when: true # TODO: find actual changes
- name: Ensure nginx sites are valid
notify:
- "Ensure nginx is restarted"
block:
- name: Ensure default nginx site is disabled
become: true
ansible.builtin.file:
dest: "/etc/nginx/sites-enabled/default"
state: absent
- name: Ensure qgis-server site conf is latest
become: true
ansible.builtin.template:
src: "./templates/nginx/qgis-server.conf.j2"
dest: "/etc/nginx/sites-available/qgis-server.conf"
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure qgis-server site is enabled
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/qgis-server.conf"
dest: "/etc/nginx/sites-enabled/qgis-server.conf"
state: link
- name: Ensure lizmap-web-client site conf is latest
become: true
ansible.builtin.template:
src: "./templates/nginx/lizmap.conf.j2"
dest: "/etc/nginx/sites-available/lizmap.conf"
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure lizmap-web-client site is enabled
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/lizmap.conf"
dest: "/etc/nginx/sites-enabled/lizmap.conf"
state: link
- name: Ensure qgis-server plugins are valid
block:
- name: Ensure requirements for qgis-server plugins are present
become: true
ansible.builtin.apt:
cache_valid_time: 600
name:
- python3-pip
- python3-venv
state: present
- name: Ensure qgis-server venv and qgis-plugin-manager are present
become: true
become_user: www-data
ansible.builtin.pip:
virtualenv: "{{ qgis_server['path'] }}/qgis-server-venv"
# virtualenv_site_packages: true
virtualenv_command: python3 -m venv --system-site-packages
name:
- qgis-plugin-manager
state: present
- name: Ensure qgis-server plugins directory is present
become: true
ansible.builtin.file:
dest: "{{ qgis_server['path'] }}/plugins"
state: directory
owner: www-data
group: www-data
mode: ug=rwX,o=r
- name: Check if qgis-plugin-manager is initialized
become: true
ansible.builtin.stat:
path: "{{ qgis_server['path'] }}/plugins/sources.list"
register: _qgis_plugin_sources
- name: Ensure qgis-plugin-manager is initialized
become: true
become_user: www-data
ansible.builtin.command:
chdir: "{{ qgis_server['path'] }}/plugins"
cmd: "{{ qgis_server['path'] }}/qgis-server-venv/bin/qgis-plugin-manager init"
when: not _qgis_plugin_sources.stat.exists
changed_when: true
- name: Check if Lizmap server plugin is present
become: true
ansible.builtin.stat:
path: "{{ qgis_server['path'] }}/plugins/lizmap_server"
register: _qgis_plugin_lizmap_server
- name: Ensure Lizmap server plugin is present
become: true
become_user: www-data
ansible.builtin.command:
chdir: "{{ qgis_server['path'] }}/plugins"
cmd: "{{ qgis_server['path'] }}/qgis-server-venv/bin/qgis-plugin-manager {{ item }}"
loop:
- update
- install "Lizmap server"
when: not _qgis_plugin_lizmap_server.stat.exists
changed_when: true
- name: Ensure sftp group exists
become: true
ansible.builtin.group:
name: sftp
- name: Ensure publisher user exists
become: true
ansible.builtin.user:
user: "publisher"
password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
update_password: on_create
umask: u=rwX,g=rwX,o=
append: true
groups:
- sftp
- name: Ensure webserver user can access gis repositories
become: true
ansible.builtin.user:
user: "www-data"
append: true
groups:
- sftp
2024-06-13 23:32:41 +02:00
- name: Ensure sftp root has correct rights and exists
become: true
ansible.builtin.file:
dest: "{{ sftp_root }}"
state: directory
owner: root
group: root
mode: u=rwX,g=rX,o=rX
recurse: false
2024-06-13 23:32:41 +02:00
- name: Ensure lizmap root repository has correct rights and exists
become: true
ansible.builtin.file:
dest: "{{ lizmap['root_repositories'] }}"
state: directory
owner: "publisher"
group: sftp
mode: u=rwX,g=rwXs,o=
2024-06-08 14:39:43 +02:00
- name: Ensure sftp-permissions is latest
notify:
2024-06-08 14:39:43 +02:00
- Ensure sftp-permissions is restarted and enabled
become: true
block:
2024-06-08 14:39:43 +02:00
- name: Ensure sftp-permissions dir exists
ansible.builtin.file:
dest: "{{ software_package_root }}/sftp-permissions"
state: directory
owner: root
2024-06-08 14:39:43 +02:00
group: root
mode: u=rwX,g=rX,o=rX
- name: Ensure sftp-permissions script is latest
ansible.builtin.template:
src: ./templates/sftp-inotify.sh.j2
dest: "{{ software_package_root }}/sftp-permissions/sftp-inotify.sh"
owner: root
group: root
mode: u=rwx,g=r,o=
backup: true
2024-06-08 14:39:43 +02:00
- name: Ensure sftp-permissions service is latest
ansible.builtin.template:
src: ./templates/sftp-permissions.service.j2
dest: /etc/systemd/system/sftp-permissions.service
owner: root
2024-06-08 14:39:43 +02:00
group: root
mode: u=rw,g=r,o=r
- name: Ensure sshd config is latest
notify:
- "Ensure OpenSSH is restarted"
become: true
ansible.builtin.template:
src: ./templates/sshd_hardened.conf.j2
dest: /etc/ssh/sshd_config.d/sshd_hardened.conf
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure publisher's ssh-keys are latest
become: true
ansible.posix.authorized_key:
user: "publisher"
state: present
key: " {{ lookup('file', item) }} "
loop: "{{ publisher_ssh_keys }}"
- name: Ensure gis database is present
block:
- name: Ensure gis database user exists
become: true
become_user: postgres
community.postgresql.postgresql_user:
name: "{{ gis_database['user'] }}"
encrypted: true
password: "{{ postgresql_gis_pass }}"
- name: Ensure gis databases exists
become: true
become_user: postgres
community.postgresql.postgresql_db:
name: "{{ item }}"
owner: "{{ gis_database['user'] }}"
loop: "{{ gis_database['databases'] }}"
- name: Ensure postgis schema is available in databases
become: true
become_user: postgres
community.postgresql.postgresql_ext:
db: "{{ item }}"
name: postgis
loop: "{{ gis_database['databases'] }}"
- name: Ensure gis database is reachable
notify: Ensure postgresql is restarted
block:
- name: Ensure postgresql listens on addresses
become: true
ansible.builtin.template:
src: ./templates/postgresql/postgresql_remote.conf.j2
dest: /etc/postgresql/15/main/conf.d/postgresql_remote.conf
owner: postgres
group: postgres
mode: u=rw,g=r,o=
backup: false
- name: Ensure postgresql allows gis user to connect
become: true
ansible.builtin.blockinfile:
block: "{{ lookup('ansible.builtin.template', './templates/postgresql/pg_hba_remote.conf.j2') }}"
dest: /etc/postgresql/15/main/pg_hba.conf