Compare commits


No commits in common. "main" and "0.1b" have entirely different histories.
main ... 0.1b

9 changed files with 61 additions and 94 deletions

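--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +0,0 @@
-.venv/
-*.code-workspace
-*password*
-host_vars/*/
-docs/*.html
-docs/*.pdf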

@ -1,10 +0,0 @@
{
"recommendations": [
"redhat.ansible",
"asciidoctor.asciidoctor-vscode",
"streetsidesoftware.code-spell-checker",
"mhutchie.git-graph",
"esbenp.prettier-vscode",
"redhat.vscode-yaml"
]
}


@ -30,11 +30,11 @@ Requirements
```bash ```bash
# run one of the following (depending on your package manager) # run one of the following (depending on your package manager)
sudo dnf install ruby-devel sudo dnf install ruby-devel
sudo apt install ruby-dev sudo apt install ruby-devel
``` ```
- The `asciidoctor-pdf` (asciidoctor + pdf conversion), `rouge` (syntax highlighting) and `rghost` (pdf optimization) gem - The `asciidoctor-pdf` (asciidoctor + pdf conversion), `rouge` (syntax highlighting) and `rghost` (pdf optimization) gem
```bash ```bash
gem install asciidoctor-pdf rouge rghost # you might have to run with 'sudo' gem install asciidoctor-pdf rouge rghost
``` ```
Then compile the guide: Then compile the guide:
@ -42,7 +42,7 @@ Then compile the guide:
```bash ```bash
# for pdf # for pdf
asciidoctor-pdf -a optimize ./docs/User_guide.adoc asciidoctor-pdf -a optimize ./docs/User_guide.adoc
# for html WARNING: external resources are loaded when opening (fonts.googleapis.com, fonts.gstatic.com, cdnjs.cloudflare etc.) # for html WARNING: external resources are loaded when opening (google fonts etc.)
asciidoctor ./docs/User_guide.adoc asciidoctor ./docs/User_guide.adoc
``` ```


@ -38,7 +38,6 @@ cd GisServer
+ +
[,bash] [,bash]
---- ----
sudo apt install python3-venv # required on debian/ubuntu
python3 -m venv ./.venv --system-site-packages python3 -m venv ./.venv --system-site-packages
source ./.venv/bin/activate source ./.venv/bin/activate
pip3 install -r requirements.txt pip3 install -r requirements.txt
@ -56,10 +55,10 @@ ansible-galaxy install -r requirements.yaml
+ +
[,bash] [,bash]
---- ----
ssh-keygen -a 100 -t ed25519 -C "a comment" -f ~/.ssh/id_$NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST ssh-keygen -a 100 -t ed25519 -C "a comment" -f ~/.ssh/id_$NEW_ANSIBLE_USER@NEW_ANSIBLE_HOST
ssh-keygen -a 100 -t ed25519 -C "another comment" -f ~/.ssh/id_publisher@$NEW_ANSIBLE_HOST ssh-keygen -a 100 -t ed25519 -C "another comment" -f ~/.ssh/id_publisher@$NEW_ANSIBLE_HOST
ssh-copy-id -i ~/.ssh/id_$NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST $NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST ssh-copy-id -i ~/.ssh/id_$NEW_ANSIBLE_USER@NEW_ANSIBLE_HOST $NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST
ssh-add ~/.ssh/id_$NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST # optional, to remember key-phrase ssh-add ~/.ssh/id_$NEW_ANSIBLE_USER@NEW_ANSIBLE_HOST # optional, to remember key-phrase
---- ----
. Add the host to the inventory `nano inventory.yaml` (keep other entries) . Add the host to the inventory `nano inventory.yaml` (keep other entries)
@ -74,27 +73,27 @@ testing: # or production or any other sensible group name
ansible_ssh_private_key_file: # ~/.ssh/id_$NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST ansible_ssh_private_key_file: # ~/.ssh/id_$NEW_ANSIBLE_USER@$NEW_ANSIBLE_HOST
---- ----
. Create a directory for the host `mkdir host_vars/$NEW_ANSIBLE_INV_NAME` . Create a directory for the host `mkdir host_vars/$NEW_ANSIBLE_HOST`
. Copy the basic config file . Copy the basic config file
+ +
[,bash] [,bash]
---- ----
cp host_vars/variables.yaml.template host_vars/$NEW_ANSIBLE_INV_NAME/variables.yaml cp host_vars/variables.yaml.template host_vars/$NEW_ANSIBLE_HOST/variables.yaml
---- ----
. Create the vault to store passwords needed by ansible . Create the vault to store passwords needed by ansible
+ +
[,bash] [,bash]
---- ----
ansible-vault encrypt host_vars/secrets.yaml.template --output host_vars/$NEW_ANSIBLE_INV_NAME/secrets.yaml ansible-vault encrypt host_vars/secrets.yaml.template --output host_vars/$NEW_ANSIBLE_HOST/secrets.yaml`
---- ----
. Edit the vault . Edit the vault
+ +
[,bash] [,bash]
---- ----
ansible-vault edit host_vars/$NEW_ANSIBLE_INV_NAME/secrets.yaml ansible-vault edit host_vars/$NEW_ANSIBLE_HOST/secrets.yaml
# Generate a new password for every entry (preferably A-z0-9 to avoid escape mishaps) # Generate a new password for every entry (preferably A-z0-9 to avoid escape mishaps)
---- ----
@ -116,7 +115,7 @@ Host # e.g. $NEW_ANSIBLE_HOST
=== Run ansible (finally) === Run ansible (finally)
If you don't want to make any changes in `host_vars/$NEW_ANSIBLE_INV_NAME/variables.yaml` you can now run the playbook with the following command: If you don't want to make any changes in `host_vars/$NEW_ANSIBLE_HOST/variables.yaml` you can now run the playbook with the following command:
[,bash] [,bash]
---- ----
ansible-playbook playbooks/main.yaml --ask-vault-pass ansible-playbook playbooks/main.yaml --ask-vault-pass


@ -27,6 +27,7 @@ qgis_repo:
postgresql_server: postgresql_server:
port: 5432 port: 5432
user: # TODO: add option to change? user: # TODO: add option to change?
password: # TODO: link to vault?
qgis_server: qgis_server:
full_version: "1:{{ _qgis_server_version }}+17bookworm" full_version: "1:{{ _qgis_server_version }}+17bookworm"
@ -42,6 +43,7 @@ lizmap:
port: "{{ postgresql_server['port'] }}" port: "{{ postgresql_server['port'] }}"
database: "lizmap" database: "lizmap"
user: "lizmap" user: "lizmap"
password: # TODO: link to vault?
version: "{{ _lizmap_version }}" version: "{{ _lizmap_version }}"
path: "/var/www/" path: "/var/www/"
root_repositories: "{{ sftp_root }}/qgis-projects" # no trailing / root_repositories: "{{ sftp_root }}/qgis-projects" # no trailing /
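Review bot: The new side adds bare `password:` keys under `postgresql_server` and `lizmap` in `variables.yaml.template`, which is the unencrypted per-host file (the guide copies it to `host_vars/$NEW_ANSIBLE_HOST/variables.yaml`) rather than the vaulted `secrets.yaml` the guide creates; a bare key parses as null and the `# TODO: link to vault?` comment invites a plaintext value there. On this side the repository also has no `.gitignore` (the old side ignored `*password*` and `host_vars/*/`), so a filled-in `host_vars/<host>/variables.yaml` would be committed together with the secret. Keep the secret out of this file by referencing the vault entry, e.g. `password: "{{ <vault variable name> }}"`, or drop the key and read it from `secrets.yaml` where it is needed. The `postgresql_server` and `lizmap` mappings continue outside the hunks.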


@ -1,3 +1,3 @@
--- ---
# you have to generate the SSH-keys yourself # you have to generate the SSH-keys yourself
publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_host }}.pub"] # or {{ inventory_hostname }} publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_hostname }}.pub"]
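Review bot: `{{ ansible_hostname }}` on the new side is a gathered fact holding the remote machine's own hostname, so it is only available once facts have been collected and can differ from the address the guide uses when it generates the key (`ssh-keygen ... -f ~/.ssh/id_publisher@$NEW_ANSIBLE_HOST`); the path then points at a key file that does not exist or at another host's key. Use the inventory connection variable, which matches the guide's naming: `publisher_ssh_keys: ["~/.ssh/id_publisher@{{ ansible_host }}.pub"]`.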


@ -35,15 +35,6 @@
daemon_reload: true daemon_reload: true
tasks: tasks:
- name: Ensure custom motd is latest
become: true
ansible.builtin.template:
src: ./templates/motd.sh.j2
dest: /etc/profile.d/motd.sh
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Ensure valid apt cache and required tools are present - name: Ensure valid apt cache and required tools are present
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
@ -218,18 +209,20 @@
- name: Check if lizmap-web-client is present - name: Check if lizmap-web-client is present
become: true become: true
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ lizmap['path'] }}lizmap-web-client-{{ _lizmap_version }}/VERSION" path: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
register: _lizmap_version_stat register: _lizmap_version_stat
- name: Check if lizmap-web-client has version information - name: Check if lizmap-web-client is target version
become: true become: true
ansible.builtin.slurp: ansible.builtin.slurp:
src: "{{ lizmap['path'] }}lizmap-web-client-{{ _lizmap_version }}/VERSION" src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/VERSION"
when: _lizmap_version_stat.stat.exists
register: _lizmap_version_file register: _lizmap_version_file
when: _lizmap_version_stat.stat.exists
- name: Check if lizmap-web-client must be installed - name: Ensure lizmap-web-client is target version
when: "not _lizmap_version_stat.stat.exists" when:
"(not _lizmap_version_stat.stat.exists) or (_lizmap_version_file is defined and
_lizmap_version_file['content'] | b64decode != lizmap['version'] + '\n')"
block: block:
- name: Ensure lizmap-web-client is downloaded - name: Ensure lizmap-web-client is downloaded
become: true become: true
@ -247,16 +240,26 @@
src: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip" src: "/tmp/lizmap-web-client-{{ lizmap['version'] }}.zip"
dest: "{{ lizmap['path'] }}" dest: "{{ lizmap['path'] }}"
owner: www-data owner: www-data
mode: u=rwX,g=rX,o=r mode: u=rw,g=r,o=r
register: _lizmap_extracted register: _lizmap_extracted
- name: Ensure lizmap-web-client is symlinked to documentRoot - name: Ensure lizmap-web-client is symlinked to documentRoot
become: true become: true
ansible.builtin.file: ansible.builtin.file:
src: "{{ lizmap['path'] }}lizmap-web-client-{{ _lizmap_version }}/lizmap/www" src: "/var/www/lizmap-web-client-{{ _lizmap_version }}/lizmap/www"
dest: "/var/www/html/lizmap" dest: "/var/www/html/lizmap"
state: link state: link
- name: Ensure lizmap-web-client default users file is latest
become: true
ansible.builtin.template:
src: "./templates/lizmap/defaultusers.json.j2"
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
backup: true
owner: www-data
group: www-data
mode: u=rw,g=r,o=
- name: Ensure lizmap-web-client conf is latest - name: Ensure lizmap-web-client conf is latest
become: true become: true
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
@ -268,11 +271,14 @@
mode: u=rw,g=r,o= mode: u=rw,g=r,o=
create: true create: true
marker: "; {mark} ANSIBLE MANAGED BLOCK" marker: "; {mark} ANSIBLE MANAGED BLOCK"
loop: loop:
- profiles.ini.php - profiles.ini.php
- lizmapConfig.ini.php - lizmapConfig.ini.php
- localconfig.ini.php - localconfig.ini.php
register: _lizmap_conf
- name: Ensure lizmap-web-client directory has correct rights and owner - name: Ensure lizmap-web-client directory has correct rights and owner
become: true become: true
ansible.builtin.file: ansible.builtin.file:
@ -295,36 +301,21 @@
- lizmap/www/cache/ - lizmap/www/cache/
- lizmap/www/document/ - lizmap/www/document/
- lizmap/www/live/ - lizmap/www/live/
register: _lizmap_rights
- name: Ensure lizmap-web-client installer was executed # noqa: no-handler - name: Ensure lizmap-web-client installer was executed
when:
"_lizmap_extracted is changed"
# TODO: find actual changes
block:
- name: Ensure lizmap-web-client default users file is latest
become: true
ansible.builtin.template:
src: "./templates/lizmap/defaultusers.json.j2"
dest: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
backup: false
owner: www-data
group: www-data
mode: u=rw,g=r,o=
- name: Run lizmap-web-client installer
become: true become: true
become_user: www-data # TODO: ignore warning for remote_tmp become_user: www-data # TODO: ignore warning for remote_tmp
ansible.builtin.command: ansible.builtin.command:
chdir: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}" chdir: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}"
cmd: "php lizmap/install/installer.php" cmd: "php lizmap/install/installer.php"
when:
"(_lizmap_extracted is changed)
or (_lizmap_conf is changed)
or (_lizmap_rights is changed)"
# TODO: find actual changes
changed_when: true # TODO: find actual changes changed_when: true # TODO: find actual changes
- name: Ensure lizmap-web-client default users file is removed
become: true
ansible.builtin.file:
path: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
state: absent
- name: Ensure nginx sites are valid - name: Ensure nginx sites are valid
notify: notify:
- "Ensure nginx is restarted" - "Ensure nginx is restarted"
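Review bot: On the new side the file written by the `Ensure lizmap-web-client default users file is latest` task is never removed once the installer has run; the `Ensure lizmap-web-client default users file is removed` task exists only on the old side, so a file rendered from `templates/lizmap/defaultusers.json.j2` — which presumably seeds initial accounts and their credentials — stays under the install directory for the life of the host, and `backup: true` leaves timestamped copies beside it. Re-add a removal task after the installer command and set `backup: false` so no copies accumulate. Separately, the unarchive task's `mode: u=rw,g=r,o=r` is applied to extracted directories as well and strips their execute bit, so www-data cannot traverse them; `mode: u=rwX,g=rX,o=r` keeps directories traversable. The enclosing play starts outside these hunks.
```yaml
      changed_when: true # TODO: find actual changes
    - name: Ensure lizmap-web-client default users file is removed
      become: true
      ansible.builtin.file:
        path: "{{ lizmap['path'] }}lizmap-web-client-{{ lizmap['version'] }}/lizmap/modules/lizmap/install/defaultusers.json"
        state: absent
    # … unchanged: nginx site tasks …
```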


@ -1,9 +0,0 @@
RED='\033[0;31m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color
if [ "${USER}" == "{{ ansible_user }}" ]; then
echo -e "\nYou are logged in as user ${RED}${USER}${NC} used by ansible to manage this linux installation.
${YELLOW}Make sure to reflect all manual changes in the playbook found at
https://somepi.ddns.net/gites/gilex-dev/GisServer${NC}";
fi