Specify qgis-server version, add remotely accessible gis database

group_vars/all.yaml

@@ -4,10 +4,21 @@ software_package_root: "/opt"
 
 # temporary fix for https://github.com/ansible/ansible/issues/8603
 _lizmap_version: 3.7.6
+_qgis_server_version: 3.34.7 # LTS preferred
 
 php:
   version: 8.2
 
+gis_database:
+  user: gis
+  databases:
+    - gisdb
+  allow_ips:
+    v4: 
+      - "0.0.0.0/0"
+    v6: 
+      - "::0/0"
+
 qgis_repo:
   keyring:
     url: "https://download.qgis.org/downloads/qgis-archive-keyring.gpg"
@@ -19,7 +30,8 @@ postgresql_server:
   password: # TODO: link to vault?
 
 qgis_server:
-  path: "/var/www/qgis-server" # no trailing /
+  full_version: "1:{{ _qgis_server_version }}+17bookworm"
+  path: "/opt/qgis-server" # no trailing /
   user: "www-data"
   group: "www-data"
   port: 3030

playbook.yaml

@@ -14,6 +14,12 @@
         name: sshd
         state: restarted
 
+    - name: Ensure postgresql is restarted
+      become: true
+      ansible.builtin.systemd:
+        name: postgresql
+        state: restarted
+
     - name: Ensure php-fpm is restarted
       become: true
       ansible.builtin.systemd:
@@ -43,6 +49,7 @@
           - postgresql
           - acl # bug: https://github.com/ansible/ansible/issues/74830
           - inotify-tools
+          - postgis
         state: present
 
     - name: Ensure qgis-server is valid
@@ -71,7 +78,7 @@
           ansible.builtin.apt:
             update_cache: true
             name:
-              - qgis-server
+              - "{{ 'qgis-server=' + qgis_server['full_version'] }}"
             state: present
 
         - name: Ensure qgis-server directory is present
@@ -81,7 +88,7 @@
             state: directory
             owner: www-data
             group: www-data
-            mode: u=rwX,g=rwX,o=r
+            mode: u=rwX,g=rwX,o=rX
 
         - name: Ensure qgis-server environment file is latest
           become: true
@@ -99,6 +106,7 @@
             dest: "/etc/systemd/system/{{ item }}"
             backup: true
             owner: root
+            group: root
             mode: u=rw,g=r,o=r
           loop:
             - "qgis-server@.service"
@@ -129,7 +137,17 @@
         name: "nginx"
         state: present
 
-    - name: Ensure nginx and ssh ports are exposed
+    - name: Ensure custom ufw rules are latest
+      become: true
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "/etc/ufw/applications.d/{{ item | basename }}"
+        owner: root
+        group: root
+        mode: u=rw,g=r,o=r
+      with_fileglob: "templates/ufw/applications.d/*"
+
+    - name: Ensure ufw rules are set
       become: true
       community.general.ufw:
         rule: allow
@@ -139,6 +157,7 @@
         - "SSH"
         - "Nginx HTTP"
         - "Nginx HTTPS"
+        - "PostgreSQL"
 
     - name: Ensure postgresql for lizmap is valid
       block:
@@ -231,25 +250,32 @@
             dest: "/var/www/html/lizmap"
             state: link
 
-        - name: Ensure lizmap-web-client conf is latest
+        - name: Ensure lizmap-web-client default users file is latest
           become: true
           ansible.builtin.template:
-            src: "./templates/lizmap/{{ item.src }}.j2"
+            src: "./templates/lizmap/defaultusers.json.j2"
-            dest:
+            dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
-              "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/{{
-              item.dest if item.dest is not none else 'lizmap/var/config/' }}{{ item.src }}"
             backup: true
             owner: www-data
-            mode: u=rw,g=r,o=r
+            group: www-data
+            mode: u=rw,g=,o=
+
+        - name: Ensure lizmap-web-client conf is latest
+          become: true
+          ansible.builtin.blockinfile:
+            block: "{{ lookup('ansible.builtin.template', './templates/lizmap/' + item + '.j2') }}"
+            dest: "{{ lizmap['path'] + 'lizmap-web-client-' + lizmap['version'] + '/lizmap/var/config/' + item }}"
+            backup: true
+            owner: www-data
+            group: www-data
+            mode: u=rw,g=,o=
+            create: true
+            marker: "; {mark} ANSIBLE MANAGED BLOCK"
+
           loop:
-            - src: profiles.ini.php
+            - profiles.ini.php
-              dest:
+            - lizmapConfig.ini.php
-            - src: lizmapConfig.ini.php
+            - localconfig.ini.php
-              dest:
-            - src: localconfig.ini.php
-              dest:
-            - src: defaultusers.json
-              dest: lizmap/modules/lizmap/install/
 
           register: _lizmap_conf
 
@@ -489,3 +515,49 @@
         state: present
         key: " {{ lookup('file', item) }} "
       loop: "{{ publisher_ssh_keys }}"
+
+    - name: Ensure gis database is present
+      tags: debug
+      block:
+        - name: Ensure gis database user exists
+          become: true
+          become_user: postgres
+          community.postgresql.postgresql_user:
+            name: "{{ gis_database['user'] }}"
+            encrypted: true
+            password: "{{ postgresql_gis_pass }}"
+
+        - name: Ensure gis databases exists
+          become: true
+          become_user: postgres
+          community.postgresql.postgresql_db:
+            name: "{{ item }}"
+            owner: "{{ gis_database['user'] }}"
+          loop: "{{ gis_database['databases'] }}"
+
+        - name: Ensure postgis schema is available in databases
+          become: true
+          become_user: postgres
+          community.postgresql.postgresql_ext:
+            db: "{{ item }}"
+            name: postgis
+          loop: "{{ gis_database['databases'] }}"
+
+        - name: Ensure gis database is reachable
+          notify: Ensure postgresql is restarted
+          block:
+            - name: Ensure postgresql listens on addresses
+              become: true
+              ansible.builtin.template:
+                src: ./templates/postgresql/postgresql_remote.conf.j2
+                dest: /etc/postgresql/15/main/conf.d/postgresql_remote.conf
+                owner: postgres
+                group: postgres
+                mode: u=rw,g=r,o=
+                backup: false
+
+            - name: Ensure postgresql allows gis user to connect
+              become: true
+              ansible.builtin.blockinfile:
+                block: "{{ lookup('ansible.builtin.template', './templates/postgresql/pg_hba_remote.conf.j2') }}"
+                dest: /etc/postgresql/15/main/pg_hba.conf

templates/postgresql/pg_hba_remote.conf.j2

@@ -0,0 +1,7 @@
+# Allow remote access to gis databases
+{% for item in gis_database['allow_ips']['v4'] %}
+hostssl {{ gis_database['databases'] | join(',') }}          {{ gis_database['user'] }}             {{ item }}               scram-sha-256
+{% endfor %}
+{% for item in gis_database['allow_ips']['v6'] %}
+hostssl {{ gis_database['databases'] | join(',') }}          {{ gis_database['user'] }}             {{ item }}               scram-sha-256
+{% endfor %}

templates/postgresql/postgresql_remote.conf.j2

@@ -0,0 +1 @@
+listen_addresses = '*'

templates/ufw/applications.d/PostgreSQL

@@ -0,0 +1,5 @@
+# from https://github.com/ageis/ufw-application-profiles/blob/master/applications.d/PostgreSQL
+[PostgreSQL]
+title=PostgreSQL
+description=Fully featured object-relational database management system.
+ports=5432/tcp