Add postgresql, publisher user, ssh and sftp config

This commit is contained in:
gilex-dev 2024-05-14 12:08:37 +02:00
parent 3a7e1578f2
commit 6d67b3e15a
Signed by: gilex-dev
GPG Key ID: 9A2BEC7B5188D2E3
9 changed files with 182 additions and 10 deletions


@ -4,3 +4,9 @@ testing:
debian-gis: debian-gis:
ansible_host: debian-gis ansible_host: debian-gis
ansible_become_pass: "{{ testing['hosts']['debian-gis']['ansible_become_pass'] }}" ansible_become_pass: "{{ testing['hosts']['debian-gis']['ansible_become_pass'] }}"
os_postgresql_user_pass: "{{ testing['hosts']['debian-gis']['os_postgresql_user_pass'] }}"
os_publisher_user_pass: "{{ testing['hosts']['debian-gis']['os_publisher_user_pass'] }}"
lizmap_admin_pass: "{{ testing['hosts']['debian-gis']['lizmap_admin_pass'] }}"
postgresql_lizmap_pass: "{{ testing['hosts']['debian-gis']['postgresql_lizmap_pass'] }}"
publisher_ssh_keys: ["~/.ssh/id_publisher@debian-gis.pub"]


@ -9,6 +9,19 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: nginx name: nginx
state: restarted state: restarted
- name: Ensure OpenSSH is restarted
become: true
ansible.builtin.systemd:
name: sshd
state: restarted
- name: Ensure php-fpm is restarted
become: true
ansible.builtin.systemd:
name: "php{{ php['version'] }}-fpm"
state: restarted
tasks: tasks:
- name: Ensure valid apt cache and required tools are present - name: Ensure valid apt cache and required tools are present
become: true become: true
@ -21,6 +34,8 @@
- unzip - unzip
- gnupg - gnupg
- software-properties-common - software-properties-common
- postgresql
- acl # bug: https://github.com/ansible/ansible/issues/74830
state: present state: present
- name: Ensure qgis-server is valid - name: Ensure qgis-server is valid
@ -118,9 +133,47 @@
- "Nginx HTTP" - "Nginx HTTP"
- "Nginx HTTPS" - "Nginx HTTPS"
- name: Ensure postgresql for lizmap is valid
block:
- name: Check if PostgreSQL database is initialized.
become: true
ansible.builtin.stat:
path: "/var/lib/postgresql/15/main/PG_VERSION"
register: pgdata_dir_version
- name: Ensure PostgreSQL database is initialized.
become: true
ansible.builtin.command: "pg_createcluster 15 main --start"
when: not pgdata_dir_version.stat.exists
changed_when: true
- name: Ensure postgresql is started and enabled
become: true
ansible.builtin.systemd:
name: postgresql
state: started
enabled: true
- name: Ensure lizmap user exists
become: true
become_user: postgres
community.postgresql.postgresql_user:
name: "{{ lizmap['postgresql_connection']['user'] }}"
encrypted: true
password: "{{ postgresql_lizmap_pass }}"
- name: Ensure lizmap database exists
become: true
become_user: postgres
community.postgresql.postgresql_db:
name: "{{ lizmap['postgresql_connection']['database'] }}"
owner: "{{ lizmap['postgresql_connection']['user'] }}"
- name: Ensure lizmap-web-client is valid - name: Ensure lizmap-web-client is valid
block: block:
- name: Ensure php packages required by lizmap are present - name: Ensure php packages required by lizmap are present
notify:
- "Ensure php-fpm is restarted"
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
cache_valid_time: 600 cache_valid_time: 600
@ -174,15 +227,23 @@
- name: Ensure lizmap-web-client conf is latest - name: Ensure lizmap-web-client conf is latest
become: true become: true
ansible.builtin.template: ansible.builtin.template:
src: "./templates/lizmap/{{ item }}.j2" src: "./templates/lizmap/{{ item.src }}.j2"
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/var/config/{{ item }}" dest:
"{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/{{
item.dest if item.dest is not none else 'lizmap/var/config/' }}{{ item.src }}"
backup: true backup: true
owner: www-data owner: www-data
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
loop: loop:
- profiles.ini.php - src: profiles.ini.php
- lizmapConfig.ini.php dest:
- localconfig.ini.php - src: lizmapConfig.ini.php
dest:
- src: localconfig.ini.php
dest:
- src: defaultusers.json
dest: lizmap/modules/lizmap/install/
register: _lizmap_conf register: _lizmap_conf
- name: Ensure lizmap-web-client directory has correct rights and owner - name: Ensure lizmap-web-client directory has correct rights and owner
@ -329,3 +390,52 @@
- install "Lizmap server" - install "Lizmap server"
when: not _qgis_plugin_lizmap_server.stat.exists when: not _qgis_plugin_lizmap_server.stat.exists
changed_when: true changed_when: true
- name: Ensure sftp group exists
become: true
ansible.builtin.group:
name: sftp
- name: Ensure publisher user exists
become: true
ansible.builtin.user:
user: "publisher"
password: "{{ os_publisher_user_pass | password_hash('sha512') }}"
update_password: on_create
groups:
- sftp
- name: Ensure webserver user can access gis repositories
become: true
ansible.builtin.user:
user: "www-data"
groups:
- sftp
- name: Ensure lizmap root repositories exists
become: true
ansible.builtin.file:
dest: "{{ lizmap['root_repositories'] }}"
state: directory
owner: "publisher"
group: sftp
mode: u=rwX,g=rwX,o=r
- name: Ensure sshd config is latest
notify:
- "Ensure OpenSSH is restarted"
become: true
ansible.builtin.template:
src: ./templates/sshd_config.j2
dest: /etc/ssh/sshd_config
backup: true
owner: root
mode: u=rw,g=r,o=r
- name: Ensure publisher's ssh-keys are latest
become: true
ansible.posix.authorized_key:
user: "publisher"
state: present
key: " {{ lookup('file', item) }} "
loop: "{{ publisher_ssh_keys }}"
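Review bot: The `Ensure sshd config is latest` task writes `/etc/ssh/sshd_config` and notifies a restart without a `validate` step, so a rendering error in the template would take sshd down and lock the host out of any further Ansible run; add `validate: "/usr/sbin/sshd -t -f %s"` to that template task. The `Ensure lizmap root repositories exists` task gives the directory that the new sshd_config uses as `ChrootDirectory` owner `publisher` and `g=rwX`, which sshd rejects for a chroot (it requires a root-owned path that is not group- or world-writable), so the publisher's sftp login will fail; point the chroot at the root-owned parent (`/var/sftp` with `root:root` and `u=rwx,g=rx,o=rx`) and keep this task for the writable `qgis-projects` subdirectory. The two `ansible.builtin.user` tasks set `groups:` without `append: true`, which replaces the whole supplementary-group list — for `www-data` that silently drops any group it already belongs to — so add `append: true` to both. In the `Ensure lizmap-web-client conf is latest` loop, `defaultusers.json` now carries the admin password in clear and `profiles.ini.php` the database password, yet every item is deployed with `mode: u=rw,g=r,o=r` and `backup: true`, leaving world-readable copies of credentials; use `mode: u=rw,g=r,o=` for those items and consider `backup: false` there.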

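--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+ansible-compat==4.1.11
+ansible-core==2.16.4
+ansible-lint==24.2.1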

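--- a/requirements.yaml
+++ b/requirements.yaml
@@ -0,0 +1,3 @@
+collections:
+- name: community.postgresql
+- name: ansible.posix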
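Review bot: Both collections are listed without a `version`, so `ansible-galaxy collection install -r requirements.yaml` pulls whatever is latest on each run, while requirements.txt pins ansible-core and the linters exactly; for a reproducible, reviewable install pin each entry as well, e.g. `- name: community.postgresql` followed by `version: "<pinned version>"` (same for `ansible.posix`). The pin also records which collection release the `postgresql_user`, `postgresql_db` and `authorized_key` tasks were tested against.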


@ -0,0 +1,14 @@
[
{
"login": "admin",
"_clear_password_to_be_encrypted": "{{ lizmap_admin_pass }}",
"status": 1,
"email": "admin@localhost.localdomain",
"firstname": "",
"lastname": "",
"organization": "",
"street": "",
"postcode": "",
"city": ""
}
]
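Review bot: `_clear_password_to_be_encrypted` is filled by plain substitution inside a JSON string literal, so a `lizmap_admin_pass` containing `"` or `\` yields invalid JSON or a password that silently differs from the vault value; render it as `"_clear_password_to_be_encrypted": {{ lizmap_admin_pass | to_json }},` so Jinja produces a correctly escaped literal. The rendered file holds the admin password in clear until lizmap's installer consumes it, so the deploying task should not leave it world-readable or keep backup copies of it.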


@ -38,7 +38,7 @@ debugMode=0
cacheRootDirectory="/tmp/" cacheRootDirectory="/tmp/"
; path to find repositories ; path to find repositories
rootRepositories={{ lizmap['root_repositories'] }} rootRepositories="{{ lizmap['root_repositories'] }}"
; path to find the QGIS projects private data ; path to find the QGIS projects private data
; created by Lizmap or other tools, related to Qgis projects ; created by Lizmap or other tools, related to Qgis projects


@ -8,12 +8,22 @@ default=jauth
jacl2_profile=jauth jacl2_profile=jauth
[jdb:jauth] [jdb:jauth]
driver=sqlite3 driver=pgsql
database="var:db/jauth.db" host={{ lizmap['postgresql_connection']['host'] }}
port={{ lizmap['postgresql_connection']['port'] }}
database="{{ lizmap['postgresql_connection']['database'] }}"
user="{{ lizmap['postgresql_connection']['user'] }}"
password="{{ postgresql_lizmap_pass }}"
search_path=public
[jdb:lizlog] [jdb:lizlog]
driver=sqlite3 driver=pgsql
database="var:db/logs.db" host={{ lizmap['postgresql_connection']['host'] }}
port={{ lizmap['postgresql_connection']['port'] }}
database="{{ lizmap['postgresql_connection']['database'] }}"
user="{{ lizmap['postgresql_connection']['user'] }}"
password="{{ postgresql_lizmap_pass }}"
search_path=public
; when you have charset issues, enable force_encoding so the connection will be ; when you have charset issues, enable force_encoding so the connection will be
; made with the charset indicated in jelix config ; made with the charset indicated in jelix config
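Review bot: `host=` and `port=` are written unquoted while `database=`, `user=` and `password=` are quoted, and the old profile quoted its only value; quote all five consistently. The `[jdb:jauth]` and `[jdb:lizlog]` blocks are now byte-identical apart from their names, so a later change to one must be mirrored by hand in the other — worth a comment such as `; keep in sync with [jdb:jauth]` above the lizlog block. A database password containing `"` would still break the quoted value, since this ini dialect has no escaping; the constraint should be stated where `postgresql_lizmap_pass` is generated.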

14
templates/sshd_config.j2 Normal file

@ -0,0 +1,14 @@
# @path: /etc/ssh/sshd_config
# @permission: -rw-r--r-- 1 root root
# Disallow passwords
PasswordAuthentication no
# Restrict user to sftp server (no shell)
Match User publisher
ForceCommand internal-sftp
ChrootDirectory "{{ lizmap['root_repositories'] }}"
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
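Review bot: The template replaces the whole of `/etc/ssh/sshd_config`, so every distribution default is gone — on a Debian host that typically includes `Include /etc/ssh/sshd_config.d/*.conf`, `KbdInteractiveAuthentication no` and the `Subsystem sftp` line — and `PasswordAuthentication no` alone leaves the keyboard-interactive path at its compiled-in default. If the full replacement is intended, add `KbdInteractiveAuthentication no` next to `PasswordAuthentication no` and extend the header comment to say that drop-ins under `sshd_config.d` are deliberately not included; otherwise ship these lines as a drop-in file instead. The `Match User publisher` block is missing `PermitTTY no`, which is the usual companion of `ForceCommand internal-sftp` for an sftp-only account.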


@ -9,6 +9,11 @@ qgis_repo:
url: "https://download.qgis.org/downloads/qgis-archive-keyring.gpg" url: "https://download.qgis.org/downloads/qgis-archive-keyring.gpg"
hash: "sha512:077d28a33ef529c98d3ea3d7a18cd3dd43764372c3e70685335cb5a1edad33c64b3dc7b520ac212ea28cb5b7e44e13f1d05ea652a6889c0870323d45eca9681d" hash: "sha512:077d28a33ef529c98d3ea3d7a18cd3dd43764372c3e70685335cb5a1edad33c64b3dc7b520ac212ea28cb5b7e44e13f1d05ea652a6889c0870323d45eca9681d"
postgresql_server:
port: 5432
user: # TODO: add option to change?
password: # TODO: link to vault?
qgis_server: qgis_server:
path: "/var/www/qgis-server" path: "/var/www/qgis-server"
user: "www-data" user: "www-data"
@ -17,6 +22,12 @@ qgis_server:
count: 4 count: 4
lizmap: lizmap:
postgresql_connection:
host: "localhost"
port: "{{ postgresql_server['port'] }}"
database: "lizmap"
user: "lizmap"
password: # TODO: link to vault?
version: "{{ _lizmap_version }}" version: "{{ _lizmap_version }}"
path: "/var/www/" path: "/var/www/"
root_repositories: "/var/sftp/qgis-projects" root_repositories: "/var/sftp/qgis-projects"
@ -36,3 +47,4 @@ lizmap:
- "php{{ php['version'] }}-xml" - "php{{ php['version'] }}-xml"
- "php{{ php['version'] }}-ldap" - "php{{ php['version'] }}-ldap"
- "php{{ php['version'] }}-redis" - "php{{ php['version'] }}-redis"
- "php{{ php['version'] }}-pgsql"
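Review bot: `lizmap.postgresql_connection.password` and `postgresql_server.user`/`password` are bare keys, which YAML reads as `null`, and nothing in the visible hunks reads them — the database tasks and profiles.ini.php take `postgresql_lizmap_pass` from the inventory instead — so these are dead entries carrying TODO notes. Either remove them or make them the single source, e.g. `password: "{{ postgresql_lizmap_pass }}"`, so tasks and templates stop naming the same secret two different ways. The PostgreSQL major version is hard-coded as `15` in both the stat path and the `pg_createcluster` command of the playbook; a quoted `version: "15"` key under `postgresql_server` here would keep it in one place.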