From 5e2e602a012db8f07c9f84d12d1902b4ff5c4b69 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 23:27:10 +0100 Subject: [PATCH] Renovate: UCL-MIRSG/.github to v0.69.0 (#103) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [UCL-MIRSG/.github](https://togithub.com/UCL-MIRSG/.github) | repository | minor | `v0.47.0` -> `v0.69.0` | | [UCL-MIRSG/.github](https://togithub.com/UCL-MIRSG/.github) | action | minor | `v0.40.0` -> `v0.69.0` | | [UCL-MIRSG/.github](https://togithub.com/UCL-MIRSG/.github) | action | minor | `v0.38.0` -> `v0.69.0` | Note: The `pre-commit` manager in Renovate is not supported by the `pre-commit` maintainers or community. Please do not report any problems there, instead [create a Discussion in the Renovate repository](https://togithub.com/renovatebot/renovate/discussions/new) if you have any questions. --- ### Release Notes
UCL-MIRSG/.github (UCL-MIRSG/.github) ### [`v0.69.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.68.0...v0.69.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.68.0...v0.69.0) ### [`v0.68.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.67.0...v0.68.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.67.0...v0.68.0) ### [`v0.67.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.66.0...v0.67.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.66.0...v0.67.0) ### [`v0.66.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.65.0...v0.66.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.65.0...v0.66.0) ### [`v0.65.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.64.0...v0.65.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.64.0...v0.65.0) ### [`v0.64.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.63.0...v0.64.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.63.0...v0.64.0) ### [`v0.63.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.62.0...v0.63.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.62.0...v0.63.0) ### [`v0.62.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.61.0...v0.62.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.61.0...v0.62.0) ### [`v0.61.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.60.0...v0.61.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.60.0...v0.61.0) ### [`v0.60.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.59.0...v0.60.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.59.0...v0.60.0) ### [`v0.59.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.58.0...v0.59.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.58.0...v0.59.0) ### [`v0.58.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.57.0...v0.58.0) [Compare 
Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.57.0...v0.58.0) ### [`v0.57.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.56.0...v0.57.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.56.0...v0.57.0) ### [`v0.56.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.55.0...v0.56.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.55.0...v0.56.0) ### [`v0.55.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.54.0...v0.55.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.54.0...v0.55.0) ### [`v0.54.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.53.0...v0.54.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.53.0...v0.54.0) ### [`v0.53.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.52.0...v0.53.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.52.0...v0.53.0) ### [`v0.52.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.51.0...v0.52.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.51.0...v0.52.0) ### [`v0.51.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.50.0...v0.51.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.50.0...v0.51.0) ### [`v0.50.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.49.0...v0.50.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.49.0...v0.50.0) ### [`v0.49.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.48.0...v0.49.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.48.0...v0.49.0) ### [`v0.48.0`](https://togithub.com/UCL-MIRSG/.github/compare/v0.47.0...v0.48.0) [Compare Source](https://togithub.com/UCL-MIRSG/.github/compare/v0.47.0...v0.48.0)
--- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - "every weekday" (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/UCL-MIRSG/ansible-collection-infra). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Patrick J. Roddy --- .github/workflows/add-issue-to-project.yml | 2 +- .github/workflows/linting.yml | 2 +- .github/workflows/molecule-docker.yml | 8 +-- .github/workflows/molecule-firewalld.yml | 8 +-- .github/workflows/molecule-install-omero.yml | 11 +-- .github/workflows/molecule-install-xnat.yml | 15 ++-- .github/workflows/molecule-java.yml | 8 +-- .github/workflows/molecule-monitoring.yml | 8 +-- .github/workflows/molecule-nginx.yml | 8 +-- .github/workflows/molecule-postgresql.yml | 8 +-- .../workflows/molecule-postgresql_upgrade.yml | 8 +-- .github/workflows/molecule-provision.yml | 8 +-- .../workflows/molecule-provision_accounts.yml | 10 +-- .github/workflows/molecule-python.yml | 8 +-- .github/workflows/molecule-tomcat.yml | 8 +-- .github/workflows/molecule.yml | 6 +- .markdownlint.yaml | 4 ++ .pre-commit-config.yaml | 2 +- .typos.toml | 2 + README.md | 53 +++++++-------- galaxy.yml | 4 +- meta/runtime.yml | 4 +- molecule_configs/README.md | 6 +- playbooks/README.md | 50 +++++++------- playbooks/group_vars/all.yml | 12 ++-- playbooks/group_vars/db.yml | 14 ++-- playbooks/group_vars/omero.yml | 25 ++++--- playbooks/group_vars/xnat.yml | 50 +++++++------- playbooks/install_monitoring.yml | 9 +-- .../monitoring/inventory/group_vars/all.yml | 4 +- 
.../inventory/group_vars/centos7.yml | 4 +- .../group_vars/monitoring_client.yml | 12 ++-- .../inventory/group_vars/monitoring_host.yml | 6 +- .../group_vars/monitoring_service.yml | 18 +++-- .../monitoring/inventory/host_vars/mserv.yml | 6 +- .../molecule/resources/monitoring/prepare.yml | 2 +- .../omero/inventory/group_vars/all/common.yml | 2 +- .../omero/inventory/group_vars/all/server.yml | 15 ++-- .../inventory/host_vars/omero_server_web.yml | 2 +- playbooks/molecule/resources/omero/verify.yml | 2 +- .../molecule/resources/shared/prepare.yml | 2 +- .../xnat/inventory/group_vars/all/all.yml | 19 +++--- .../xnat/inventory/group_vars/all/common.yml | 8 ++- .../xnat/inventory/group_vars/all/server.yml | 4 +- .../xnat/inventory/group_vars/centos7.yml | 4 +- .../group_vars/container_service.yml | 5 +- .../group_vars/container_service_client.yml | 7 +- .../xnat/inventory/group_vars/xnat.yml | 2 +- .../resources/xnat/inventory/hosts.yml | 12 ++-- playbooks/molecule/resources/xnat/verify.yml | 2 +- roles/README.md | 57 +++++++++------- roles/docker/README.md | 18 +++-- roles/docker/defaults/main.yml | 33 +++++---- roles/docker/molecule/resources/converge.yml | 11 ++- .../resources/inventory/group_vars/all.yml | 6 +- .../inventory/group_vars/centos7.yml | 4 +- .../molecule/resources/inventory/hosts.yml | 8 +-- roles/docker/molecule/resources/verify.yml | 6 +- roles/docker/tasks/ca-cert.yml | 5 +- roles/docker/tasks/main.yml | 15 ++-- roles/docker/tasks/server-cert.yml | 2 +- roles/firewalld/README.md | 12 ++++ roles/firewalld/defaults/main.yml | 18 ++--- .../resources/inventory/group_vars/all.yml | 4 +- .../firewalld/molecule/resources/prepare.yml | 2 +- roles/firewalld/tasks/main.yml | 9 +-- roles/install_java/tasks/main.yml | 4 +- roles/install_python/README.md | 20 ++++-- roles/install_python/defaults/main.yml | 6 +- .../inventory/group_vars/centos7.yml | 4 +- roles/install_python/tasks/Debian.yml | 2 +- roles/install_python/tasks/RedHat.yml | 2 +- 
.../tasks/check_default_version.yml | 20 +++--- roles/monitoring_client/defaults/main.yml | 12 ++-- .../tasks/install_node_exporter.yml | 2 +- roles/monitoring_client/tasks/main.yml | 4 +- roles/monitoring_server/defaults/main.yml | 34 ++++++---- .../tasks/install_alertmanager_container.yml | 15 ++-- .../install_blackbox_exporter_container.yml | 7 +- .../tasks/install_cadvisor_container.yml | 2 +- .../tasks/install_grafana_container.yml | 10 ++- .../tasks/install_nginx_container.yml | 16 +++-- .../tasks/install_prometheus_container.yml | 11 ++- roles/monitoring_server/tasks/main.yml | 21 +++--- roles/nginx/README.md | 9 +-- .../resources/inventory/group_vars/all.yml | 2 +- .../inventory/group_vars/centos7.yml | 2 +- roles/nginx/tasks/main.yml | 25 +++++-- roles/omero_server/README.md | 42 ++++++------ roles/omero_server/defaults/main.yml | 65 ++++++++---------- roles/omero_server/handlers/main.yml | 2 +- roles/omero_server/tasks/omero-datadir.yml | 4 +- roles/omero_server/tasks/omero-install.yml | 45 +++++------- roles/omero_server/tasks/omero-ldap.yml | 2 +- roles/postgresql/README.md | 10 +-- roles/postgresql/defaults/main.yml | 37 +++++----- .../resources/inventory/group_vars/all.yml | 10 +-- .../tasks/configure_cron_backup.yml | 6 +- roles/postgresql/tasks/create_database.yml | 4 +- roles/postgresql/tasks/main.yml | 39 +++++++---- roles/postgresql_upgrade/README.md | 16 +++-- roles/postgresql_upgrade/defaults/main.yml | 3 +- .../resources/inventory/group_vars/all.yml | 20 +++--- roles/postgresql_upgrade/tasks/main.yml | 47 +++++++------ roles/provision/README.md | 18 +++-- roles/provision/defaults/main.yml | 2 +- .../resources/inventory/group_vars/all.yml | 2 +- roles/provision/tasks/CentOS.yml | 5 +- roles/provision/tasks/Rocky.yml | 11 +-- roles/provision/tasks/check_mounts.yml | 4 +- roles/provision/tasks/main.yml | 8 +-- roles/provision_accounts/README.md | 2 +- .../resources/inventory/group_vars/all.yml | 2 +- roles/ssl_certificates/README.md | 58 
+++++++++++----- roles/ssl_certificates/tasks/main.yml | 7 +- roles/tomcat/README.md | 36 ++++++---- roles/tomcat/defaults/main.yml | 10 +-- roles/tomcat/molecule/resources/prepare.yml | 4 +- roles/tomcat/molecule/resources/verify.yml | 5 +- roles/tomcat/tasks/main.yml | 28 +++++--- roles/tomcat/tasks/upgrade.yml | 26 +++---- roles/xnat/defaults/main.yml | 36 +++++----- roles/xnat/tasks/configure.yml | 68 +++++++++++-------- roles/xnat/tasks/directories.yml | 8 ++- roles/xnat/tasks/ldap.yml | 4 +- roles/xnat/tasks/main.yml | 22 +++--- roles/xnat/tasks/pipelines.yml | 27 +++++--- roles/xnat/tasks/plugins.yml | 48 +++++++------ roles/xnat/tasks/settings_files.yml | 12 ++-- roles/xnat/tasks/upgrade_xnat.yml | 8 +-- .../xnat_container_service/defaults/main.yml | 16 ++--- roles/xnat_container_service/tasks/main.yml | 20 ++++-- xnat_architecture_notes.md | 7 +- 133 files changed, 1014 insertions(+), 781 deletions(-) create mode 100644 .markdownlint.yaml create mode 100644 .typos.toml diff --git a/.github/workflows/add-issue-to-project.yml b/.github/workflows/add-issue-to-project.yml index e15e2315..1f45549c 100644 --- a/.github/workflows/add-issue-to-project.yml +++ b/.github/workflows/add-issue-to-project.yml @@ -11,7 +11,7 @@ jobs: add-issue-to-project: runs-on: ubuntu-latest steps: - - uses: UCL-MIRSG/.github/actions/add-to-project@37270c9d4ceb7872329515476c78654cdb5b6a83 # v0.38.0 + - uses: UCL-MIRSG/.github/actions/add-to-project@561536e2ee67e89d148c1c9830c9debcf3a7ff07 # v0.69.0 with: app-id: ${{ secrets.APP_ID }} app-pem: ${{ secrets.APP_PEM }} diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 1986a968..5f49b6d6 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -6,7 +6,7 @@ on: push: branches: - main - - "renovate/**" + - renovate/** pull_request: jobs: diff --git a/.github/workflows/molecule-docker.yml b/.github/workflows/molecule-docker.yml index 94cb3d6a..2ec83308 100644 
--- a/.github/workflows/molecule-docker.yml +++ b/.github/workflows/molecule-docker.yml @@ -5,10 +5,10 @@ name: Test Docker on: pull_request: paths: - - "molecule_configs/*" - - "roles/docker/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-docker.yml" + - molecule_configs/* + - roles/docker/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-docker.yml jobs: molecule-docker: diff --git a/.github/workflows/molecule-firewalld.yml b/.github/workflows/molecule-firewalld.yml index b2170ad2..f25e517c 100644 --- a/.github/workflows/molecule-firewalld.yml +++ b/.github/workflows/molecule-firewalld.yml @@ -5,10 +5,10 @@ name: Test firewalld on: pull_request: paths: - - "molecule_configs/*" - - "roles/firewalld/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-firewalld.yml" + - molecule_configs/* + - roles/firewalld/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-firewalld.yml jobs: molecule-firewalld: diff --git a/.github/workflows/molecule-install-omero.yml b/.github/workflows/molecule-install-omero.yml index a54b7c17..cd4d9243 100644 --- a/.github/workflows/molecule-install-omero.yml +++ b/.github/workflows/molecule-install-omero.yml @@ -5,12 +5,13 @@ name: Test install_omero playbook on: pull_request: paths: - - "roles/omero_server/**" - - "playbooks/install_omero.yml" - - "playbooks/molecule/**/omero/**" - - ".github/workflows/molecule-install-omero.yml" + - roles/omero_server/** + - playbooks/install_omero.yml + - playbooks/molecule/**/omero/** + - .github/workflows/molecule-install-omero.yml release: - types: [published] + types: + - published jobs: molecule: diff --git a/.github/workflows/molecule-install-xnat.yml b/.github/workflows/molecule-install-xnat.yml index 3bce3131..6ccf445b 100644 --- a/.github/workflows/molecule-install-xnat.yml +++ b/.github/workflows/molecule-install-xnat.yml 
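Review bot: The `paths:` filter in this molecule-install-omero.yml hunk lists neither `molecule_configs/*` nor `.github/workflows/molecule.yml`, while the sibling role workflows in this patch (molecule-docker, molecule-firewalld, molecule-java and the rest) list both. If this playbook test also runs through the shared molecule.yml workflow and the base configs under molecule_configs/ — which I cannot confirm from the hunk — a change to either would not trigger the OMERO tests on a pull request and could land on main untested. Adding `- molecule_configs/*` and `- .github/workflows/molecule.yml` to the list would close that gap; the molecule-install-xnat and molecule-monitoring hunks that follow have the same omission of `.github/workflows/molecule.yml`. The `release:` trigger is not path-filtered, so the gap is limited to pull-request-time coverage.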
@@ -5,14 +5,15 @@ name: Test install_xnat playbook on: pull_request: paths: - - "molecule_configs/*" - - "roles/xnat/**" - - "roles/xnat_container_service/**" - - "playbooks/install_xnat.yml" - - "playbooks/molecule/**/xnat/**" - - ".github/workflows/molecule-install-xnat.yml" + - molecule_configs/* + - roles/xnat/** + - roles/xnat_container_service/** + - playbooks/install_xnat.yml + - playbooks/molecule/**/xnat/** + - .github/workflows/molecule-install-xnat.yml release: - types: [published] + types: + - published jobs: molecule: diff --git a/.github/workflows/molecule-java.yml b/.github/workflows/molecule-java.yml index cf527165..8d76a5ee 100644 --- a/.github/workflows/molecule-java.yml +++ b/.github/workflows/molecule-java.yml @@ -5,10 +5,10 @@ name: Test install_java on: pull_request: paths: - - "molecule_configs/*" - - "roles/install_java/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-java.yml" + - molecule_configs/* + - roles/install_java/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-java.yml jobs: molecule-java: diff --git a/.github/workflows/molecule-monitoring.yml b/.github/workflows/molecule-monitoring.yml index daff84e4..ca70bc69 100644 --- a/.github/workflows/molecule-monitoring.yml +++ b/.github/workflows/molecule-monitoring.yml @@ -5,10 +5,10 @@ name: Test install_monitoring playbook on: pull_request: paths: - - "molecule_configs/*" - - "roles/monitoring_client/**" - - "roles/monitoring_server/**" - - ".github/workflows/molecule-monitoring.yml" + - molecule_configs/* + - roles/monitoring_client/** + - roles/monitoring_server/** + - .github/workflows/molecule-monitoring.yml jobs: molecule-monitoring: diff --git a/.github/workflows/molecule-nginx.yml b/.github/workflows/molecule-nginx.yml index 6600b91e..1fafce74 100644 --- a/.github/workflows/molecule-nginx.yml +++ b/.github/workflows/molecule-nginx.yml 
@@ -5,10 +5,10 @@ name: Test nginx on: pull_request: paths: - - "molecule_configs/*" - - "roles/nginx/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-nginx.yml" + - molecule_configs/* + - roles/nginx/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-nginx.yml jobs: molecule-nginx: diff --git a/.github/workflows/molecule-postgresql.yml b/.github/workflows/molecule-postgresql.yml index db00944f..7329fcab 100644 --- a/.github/workflows/molecule-postgresql.yml +++ b/.github/workflows/molecule-postgresql.yml @@ -5,10 +5,10 @@ name: Test PostgreSQL on: pull_request: paths: - - "molecule_configs/*" - - "roles/postgresql/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-postgresql.yml" + - molecule_configs/* + - roles/postgresql/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-postgresql.yml jobs: molecule-postgresql: diff --git a/.github/workflows/molecule-postgresql_upgrade.yml b/.github/workflows/molecule-postgresql_upgrade.yml index 3cc6cb1b..6ef5f12a 100644 --- a/.github/workflows/molecule-postgresql_upgrade.yml +++ b/.github/workflows/molecule-postgresql_upgrade.yml @@ -5,10 +5,10 @@ name: Test PostgreSQL Upgrade on: pull_request: paths: - - "molecule_configs/*" - - "roles/postgresql_upgrade/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-postgresql_upgrade.yml" + - molecule_configs/* + - roles/postgresql_upgrade/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-postgresql_upgrade.yml jobs: molecule-postgresql_upgrade: diff --git a/.github/workflows/molecule-provision.yml b/.github/workflows/molecule-provision.yml index e2870ca1..81930837 100644 --- a/.github/workflows/molecule-provision.yml +++ b/.github/workflows/molecule-provision.yml 
@@ -5,10 +5,10 @@ name: Test provision on: pull_request: paths: - - "molecule_configs/*" - - "roles/provision/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-provision.yml" + - molecule_configs/* + - roles/provision/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-provision.yml jobs: molecule-provision: diff --git a/.github/workflows/molecule-provision_accounts.yml b/.github/workflows/molecule-provision_accounts.yml index 804c2f5e..6361256e 100644 --- a/.github/workflows/molecule-provision_accounts.yml +++ b/.github/workflows/molecule-provision_accounts.yml @@ -5,11 +5,11 @@ name: Test provision_accounts on: pull_request: paths: - - "molecule_configs/*" - - "roles/provision_accounts/**" - - "playbooks/setup_user_accounts.yml" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-provision_accounts.yml" + - molecule_configs/* + - roles/provision_accounts/** + - playbooks/setup_user_accounts.yml + - .github/workflows/molecule.yml + - .github/workflows/molecule-provision_accounts.yml jobs: molecule-provision-accounts: diff --git a/.github/workflows/molecule-python.yml b/.github/workflows/molecule-python.yml index a1940392..f601903d 100644 --- a/.github/workflows/molecule-python.yml +++ b/.github/workflows/molecule-python.yml @@ -5,10 +5,10 @@ name: Test Python on: pull_request: paths: - - "molecule_configs/*" - - "roles/install_python/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-python.yml" + - molecule_configs/* + - roles/install_python/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-python.yml jobs: molecule-firewalld: diff --git a/.github/workflows/molecule-tomcat.yml b/.github/workflows/molecule-tomcat.yml index 4f145057..4041ea68 100644 --- a/.github/workflows/molecule-tomcat.yml +++ b/.github/workflows/molecule-tomcat.yml 
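Review bot: The job in the molecule-python.yml hunk is still named `molecule-firewalld:` (last context line of the hunk), which looks like a copy-paste leftover from molecule-firewalld.yml; every other workflow in this patch names its job after the role under test, so `molecule-python:` would be expected. This is a context line rather than one the commit touches, but it belongs in the same cleanup sweep. If branch protection lists required status checks by job name, renaming the job changes the check name, so the protection rule would need updating in the same change to avoid silently dropping the requirement. The `jobs:` mapping continues past the end of the hunk.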
@@ -5,10 +5,10 @@ name: Test tomcat on: pull_request: paths: - - "molecule_configs/*" - - "roles/tomcat/**" - - ".github/workflows/molecule.yml" - - ".github/workflows/molecule-tomcat.yml" + - molecule_configs/* + - roles/tomcat/** + - .github/workflows/molecule.yml + - .github/workflows/molecule-tomcat.yml jobs: molecule-tomcat: diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index cfaa774c..549fec7a 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -31,10 +31,12 @@ jobs: steps: - name: Run `molecule test` - uses: UCL-MIRSG/.github/actions/molecule-test@9a2274e191076c6e2062c04881c67e8df73bfb81 # v0.40.0 + uses: UCL-MIRSG/.github/actions/molecule-test@561536e2ee67e89d148c1c9830c9debcf3a7ff07 # v0.69.0 with: scenario: ${{ matrix.scenario }} # yamllint disable-line rule:line-length - base_config: ${{ format('{0}{1}_base_config.yml', inputs.base-config-path, matrix.scenario ) }} + base_config: + ${{ format('{0}{1}_base_config.yml', inputs.base-config-path, + matrix.scenario ) }} checkout_path: ansible_collections/mirsg/infrastructure tests_path: ${{ inputs.tests-path }} diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 00000000..2f06fedf --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,4 @@ +--- +MD013: + code_blocks: false + tables: false diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 680b555f..1df0cdd2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ --- repos: - repo: https://github.com/UCL-MIRSG/.github - rev: v0.47.0 + rev: v0.69.0 hooks: - id: mirsg-hooks diff --git a/.typos.toml b/.typos.toml new file mode 100644 index 00000000..79ed29eb --- /dev/null +++ b/.typos.toml @@ -0,0 +1,2 @@ +[default.extend-words] +OME = "OME" diff --git a/README.md b/README.md index da1daac6..1bffeb54 100644 --- a/README.md +++ b/README.md 
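Review bot: In the molecule.yml hunk the `# yamllint disable-line rule:line-length` comment above `base_config:` is now dead: the expression it exempted has been wrapped onto the two following lines, so the directive covers only the short `base_config:` key line. Either drop the comment, or if the wrapped lines still trip the rule, move it directly above the first `${{ format(` line. The wrapped form relies on plain-scalar folding to rejoin the expression with single spaces, which the GitHub expression parser tolerates; a `base_config: >-` block scalar would make that folding explicit to readers. The `uses:` bump keeps the full commit SHA with a `# v0.69.0` comment, which is the right shape for an auditable pin.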
@@ -15,15 +15,15 @@ collection can be used to configure infrastructure for deploying XNAT and OMERO. ## External requirements -Before using this collection and its playbooks, you must install the [necessary -Ansible collections and roles](meta/requirements.yml). +Before using this collection and its playbooks, you must install the +[necessary Ansible collections and roles](meta/requirements.yml). ## Using this collection This collection can be installed using the `ansible-galaxy` command-line tool: ansible-galaxy collection install -https://github.com/UCL-MIRSG/ansible-collection-infra.git + It can also be included in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml` using the format: 
@@ -75,15 +75,17 @@ python -m pip install molecule 'molecule-plugins[docker]' docker ### Testing the roles using Molecule -Each role has its own Molecule configuration, which can be found it the `molecule/` -folder of each role. Molecule base configurations are used to reduce to amount -of duplication in the setup for testing each role. There are two base configurations -that correspond to two [Molecule -scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios) -one for testing on CentOS 7 and another for testing on RockyLinux 9. The base configurations -are in the `ansible_collections/mirsg/infrastructure/molecule_configs` folder. +Each role has its own Molecule configuration, which can be found it the +`molecule/` folder of each role. Molecule base configurations are used to reduce +to amount of duplication in the setup for testing each role. There are two base +configurations that correspond to two +[Molecule scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios) +one for testing on CentOS 7 and another for testing on RockyLinux 9. The base +configurations are in the +`ansible_collections/mirsg/infrastructure/molecule_configs` folder. -To run the tests for a specific role, first navigate the the role directory, e.g. +To run the tests for a specific role, first navigate the the role directory, +e.g. ```shell cd ansible_collections/mirsg/infrastructure/roles/provision 
@@ -102,10 +104,8 @@ This command will: - create a CentOS 7 container - run the `molecule/prepare.yml` playbook (if it exists) to do any required setup for the role -- run the `molecule/converge.yml` playbook, which will run - the role being tested -- run `molecule/converge.yml` a second time to check the - role is +- run the `molecule/converge.yml` playbook, which will run the role being tested +- run `molecule/converge.yml` a second time to check the role is [idempotent](https://docs.ansible.com/ansible/latest/reference_appendices/glossary.html#term-Idempotency) - run `molecule/verify.yml` playbook (if it exists) to perform verification - destroy the CentOS 7 container @@ -152,8 +152,8 @@ molecule --base-config ../../molecule_configs/centos7_base_config.yml login --sc #### Destroy the container If you use the `molecule converge` command, you must remember to destroy the -container, network, and volumes yourself. You can do this using the `molecule -destroy` command: +container, network, and volumes yourself. You can do this using the +`molecule destroy` command: ```shell molecule --base-config ../../molecule_configs/centos7_base_config.yml destroy --scenario centos7 
@@ -165,19 +165,18 @@ Playbooks in the collection can also be tested using Molecule. The Molecule configuration for playbooks is in the `ansible_collections/mirsg/infrastructure/playbooks/molecule` folder. -An example of how to setup testing for a playbook can be seen by looking at -the tests for the `mirsg.install_monitoring` playbook in this collection. -This is tested on CentOS 7 and RockyLinux 9 using the +An example of how to setup testing for a playbook can be seen by looking at the +tests for the `mirsg.install_monitoring` playbook in this collection. This is +tested on CentOS 7 and RockyLinux 9 using the [centos7_monitoring](./playbooks/molecule/centos7_monitoring/) and [rocky9_monitoring](./playbooks/molecule/rocky9_monitoring/) scenarios. -An inventory -and associated group variables can be found in +An inventory and associated group variables can be found in [playbooks/molecule/resources/monitoring/inventory](./playbooks/molecule/resources/monitoring/inventory/). Testing the playbook also requires its own -[converge.yml](./playbooks/molecule/resources/monitoring/converge.yml), and optional -`prepare.yml` and `verify.yml` playbooks. -Running the tests then proceeds as with testing the roles: +[converge.yml](./playbooks/molecule/resources/monitoring/converge.yml), and +optional `prepare.yml` and `verify.yml` playbooks. Running the tests then +proceeds as with testing the roles: ```shell molecule --base-config ../molecule_configs/centos7_base_config.yml test --scenario centos7_monitoring 
@@ -203,6 +202,6 @@ This collection is licensed and distributed under the BSD 3-Clause License. ## Author Information -This collection was created by the [Medical Imaging Research Software -Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) +This collection was created by the +[Medical Imaging Research Software Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) at [UCL](https://www.ucl.ac.uk/). diff --git a/galaxy.yml b/galaxy.yml index 61df417e..3df12712 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -34,7 +34,7 @@ license_file: LICENSE # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character # requirements as 'namespace' and 'name' -tags: [] +tags: [] # yamllint disable-line rule:brackets # Collections that this collection requires to be installed for it to be usable. The key of the dict is the # collection label 'namespace.name'. The value is a version range @@ -57,7 +57,7 @@ issues: https://github.com/UCL-MIRSG/ansible-collection-infra/issues # artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This # uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry', # and '.git' are always filtered. Mutually exclusive with 'manifest' -build_ignore: [] +build_ignore: [] # yamllint disable-line rule:brackets # A dict controlling use of manifest directives used in building the collection artifact. The key 'directives' is a # list of MANIFEST.in style # L(directives,https://packaging.python.org/en/latest/guides/using-manifest-in/#manifest-in-commands). The key diff --git a/meta/runtime.yml b/meta/runtime.yml index f945807c..558a8c2f 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml 
@@ -10,13 +10,13 @@ requires_ansible: ">=2.15.0" # redirect: ns.col.new_location # deprecated_plugin_name: # deprecation: -# removal_version: "4.0.0" +# removal_version: 4.0.0 # warning_text: | # See the porting guide on how to update your playbook to # use ns.col.another_plugin instead. # removed_plugin_name: # tombstone: -# removal_version: "2.0.0" +# removal_version: 2.0.0 # warning_text: | # See the porting guide on how to update your playbook to # use ns.col.another_plugin instead. diff --git a/molecule_configs/README.md b/molecule_configs/README.md index aecd759d..a88e531a 100644 --- a/molecule_configs/README.md +++ b/molecule_configs/README.md @@ -1,12 +1,12 @@ # mirsg.infrastructure Molecule base configurations -This folder contains base configurations for running tests with [Ansible -Molecule](https://ansible.readthedocs.io/projects/molecule/). +This folder contains base configurations for running tests with +[Ansible Molecule](https://ansible.readthedocs.io/projects/molecule/). The base configuration is merged with - and can be overridden by - the scenario configuration. To use a base configuration, specify the path to one of the files in this directory. For example, to use the CentOS 7 base configuration: -``` +```sh molecule --base-config /centos7_base_config.yml ``` diff --git a/playbooks/README.md b/playbooks/README.md index 11b40c24..4d75c83a 100644 --- a/playbooks/README.md +++ b/playbooks/README.md 
@@ -1,34 +1,36 @@ # mirsg.infrastructure playbooks -This collection contains playbooks for deploying XNAT and setting up monitoring of servers. +This collection contains playbooks for deploying XNAT and setting up monitoring +of servers. ## Molecule setup This collection is tested using Ansible Molecule. Each playbook has its own Molecule configuration, which can be found in the -`ansible_collections/mirsg/infrastructure/playbooks/molecule/` folder. -Molecule base configurations are used to reduce to amount -of duplication in the setup for testing each playbook. There are two base configurations -that correspond to two [Molecule -scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios) -one for testing on CentOS 7 and another for testing on RockyLinux 9. The base configurations -are in the `ansible_collections/mirsg/infrastructure/molecule_configs` folder. +`ansible_collections/mirsg/infrastructure/playbooks/molecule/` folder. Molecule +base configurations are used to reduce to amount of duplication in the setup for +testing each playbook. There are two base configurations that correspond to two +[Molecule scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios) +one for testing on CentOS 7 and another for testing on RockyLinux 9. The base +configurations are in the +`ansible_collections/mirsg/infrastructure/molecule_configs` folder. ## Adding a new playbook To add a new playbook to this collection, you will need to: 1. add the playbook to the `playbooks/` folder -2. add a molecule configuration for the playbook to the `playbooks/molecule/` folder +2. add a molecule configuration for the playbook to the `playbooks/molecule/` + folder 3. add a workflow for the playbook to the `.github/workflows` folder ### Add a new playbook to the playbooks folder -The playbooks in an Ansible Collection are the same as any other playbook - no special -setup is required. 
If you create a playbook -`ansible_collections/mirsg/infrastructure/playbooks/my_playbook.yml`, you will be able to -run the playbook using `ansible-playbook`: +The playbooks in an Ansible Collection are the same as any other playbook - no +special setup is required. If you create a playbook +`ansible_collections/mirsg/infrastructure/playbooks/my_playbook.yml`, you will +be able to run the playbook using `ansible-playbook`: ```bash ansible-playbook mirsg.infrastructure.my_playbook @@ -44,8 +46,8 @@ or include it within another playbook: ### Add a molecule configuration Create CentOS 7 and RockyLinux 9 scenarios for your playbook in -`ansible_collections/mirsg/infrastructure/playbooks/molecule`. See -the `mirsg.infrastructure.install_monitoring` +`ansible_collections/mirsg/infrastructure/playbooks/molecule`. See the +`mirsg.infrastructure.install_monitoring` [CentOS 7](./molecule/centos7_monitoring/) and [RockyLinux 9](./molecule/rocky9_monitoring/) scenarios for an example configuration. 
@@ -56,16 +58,17 @@ Add the `converge.yml` playbook to a shared `resources` subfolder: If necessary, add inventory `group_vars` to the shared `resources` subfolder: `molecule/resources/my_playbook/inventory/group_vars`. for your playbook. -You may also need to add `prepare` or `verify` playbooks. These can be added -to the the same shared `resources` folder. +You may also need to add `prepare` or `verify` playbooks. These can be added to +the the same shared `resources` folder. -You will need to update the `molecule.yml` configuration file with the correct paths -to these playbooks. +You will need to update the `molecule.yml` configuration file with the correct +paths to these playbooks. ### Add a GitHub Workflow -You should add a GitHub workflow for your new playbook to `.github/workflows/molecule-my-playbook.yml`. -The workflow should follow this format: +You should add a GitHub workflow for your new playbook to +`.github/workflows/molecule-my-playbook.yml`. The workflow should follow this +format: ```yaml name: Test my_playbook @@ -82,5 +85,6 @@ jobs: tests-path: ansible_collections/mirsg/infrastructure/playbooks ``` -This uses the [`.github/workflows/molecule.yml` reusable workflow](.github/workflows/molecule.yml) to run -molecule on the relevant role. +This uses the +[`.github/workflows/molecule.yml` reusable workflow](.github/workflows/molecule.yml) +to run molecule on the relevant role. diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml index cb1a4ddf..60970940 100644 --- a/playbooks/group_vars/all.yml +++ b/playbooks/group_vars/all.yml 
@@ -1,8 +1,10 @@ --- ansible_cache_dir: "{{ lookup('env', 'HOME') }}/ansible_persistent_files" -database_server_certificate_cache_filename: "{{ ansible_cache_dir }}/pg_certificates/{{ db_server.host }}.pg.server.crt" -database_client_certificate_cache_filename: "{{ ansible_cache_dir }}/pg_certificates/{{ db_server.host }}.pg.client.crt" +database_server_certificate_cache_filename: + "{{ ansible_cache_dir }}/pg_certificates/{{ db_server.host }}.pg.server.crt" +database_client_certificate_cache_filename: + "{{ ansible_cache_dir }}/pg_certificates/{{ db_server.host }}.pg.client.crt" # mirsg.infrastructure.postgresql - download and install - we need to do this on both the web server and the db postgresql_install: @@ -11,6 +13,6 @@ postgresql_install: https://download.postgresql.org/pub/repos/yum/reporpms/EL-{{ ansible_facts['distribution_major_version'] }}-{{ ansible_facts['architecture'] }}/pgdg-redhat-repo-latest.noarch.rpm - yum_package: "postgresql{{ postgresql_version }}-server" - yum_contrib_package: "postgresql{{ postgresql_version }}-contrib" # required only on CentOS 7 - yum_client_package: "postgresql{{ postgresql_version }}" + yum_package: postgresql{{ postgresql_version }}-server + yum_contrib_package: postgresql{{ postgresql_version }}-contrib # required only on CentOS 7 + yum_client_package: postgresql{{ postgresql_version }} diff --git a/playbooks/group_vars/db.yml b/playbooks/group_vars/db.yml index 4931128a..374377a1 100644 --- a/playbooks/group_vars/db.yml +++ b/playbooks/group_vars/db.yml 
@@ -10,8 +10,10 @@ postgresql_connection: host: "{{ db_server.host }}" port: "{{ db_server.port }}" client_ip: "{{ web_server.ip }}" - client_certificate_filename: "/var/lib/pgsql/certs/root.crt" # required if using SSL, where to copy the client certificate to on the server - listen_addresses: "{{ db_server.listen_addresses | default('localhost, ' + db_server.host) | quote }}" + client_certificate_filename: /var/lib/pgsql/certs/root.crt # required if using SSL, where to copy the client certificate to on the server + listen_addresses: + "{{ db_server.listen_addresses | default('localhost, ' + db_server.host) | + quote }}" subnet_mask: "{{ web_server.subnet_mask | default('255.255.255.255') }}" # mirsg.infrastructure.postgresql - storage @@ -34,9 +36,11 @@ postgresql_ssl_certificate: csr_filename: "{{ postgresql.base_directory }}/certs/server.csr" csr_common_name: "{{ db_server.host }}" certificate_filename: "{{ postgresql.base_directory }}/certs/server.crt" - provider: "selfsigned" + provider: selfsigned cache_filename: "{{ database_server_certificate_cache_filename }}" # where to store the server certificate in cache firewalld_rich_rules: - - zone: "internal" - rule: "family=ipv4 source address={{ web_server.subnet | default(web_server.ip + '/32') }} port protocol=tcp port={{ db_server.port }} accept" + - zone: internal + rule: + family=ipv4 source address={{ web_server.subnet | default(web_server.ip + + '/32') }} port protocol=tcp port={{ db_server.port }} accept diff --git a/playbooks/group_vars/omero.yml b/playbooks/group_vars/omero.yml index 207211a1..8c784c45 100644 --- a/playbooks/group_vars/omero.yml +++ b/playbooks/group_vars/omero.yml 
@@ -1,6 +1,6 @@ --- postgresql_client: - server_certificate_filename: "/opt/omero/server/.postgresql/root.crt" # where to copy the server certificate to on the client + server_certificate_filename: /opt/omero/server/.postgresql/root.crt # where to copy the server certificate to on the client # mirsg.ssl_certificates postgresql_client_ssl_certificate: @@ -28,11 +28,11 @@ firewalld_work_zone_open_services: - http - https firewalld_internal_zone_ports: - - "4063" - - "4064" + - 4063 + - 4064 firewalld_work_zone_ports: - - "4063" - - "4064" + - 4063 + - 4064 # ome.common omero_common_basedir: /opt/omero @@ -52,10 +52,12 @@ omero_server_datadir: "{{ web_server.storage_dir }}" omero_server_default_config: omero.db.poolsize: "{{ db_server.poolsize }}" - omero.db.properties: "ssl={{ postgresql_use_ssl }}&\ - sslmode={{ postgresql_ssl_mode }}" + omero.db.properties: + ssl={{ postgresql_use_ssl }}&sslmode={{ postgresql_ssl_mode }} -omero_server_config_set: "{{ omero_server_default_config | ansible.builtin.combine(omero_server_additional_config | default({})) }}" +omero_server_config_set: + "{{ omero_server_default_config | + ansible.builtin.combine(omero_server_additional_config | default({})) }}" # ome.omero_web # don't install nginx using ome.omero_web role @@ -83,7 +85,9 @@ omero_web_apps_config_append: omero_web_default_config: omero.web.viewer.view: omero_iviewer.views.index -omero_web_config_set: "{{ omero_web_default_config | ansible.builtin.combine(omero_web_additional_config | default({})) }}" +omero_web_config_set: + "{{ omero_web_default_config | + ansible.builtin.combine(omero_web_additional_config | default({})) }}" # mirsg.infrastructure.nginx nginx_use_ssl: "{{ ssl.use_ssl }}" 
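Review bot: Dropping the quotes on `firewalld_internal_zone_ports` and `firewalld_work_zone_ports` changes the list items from strings (`"4063"`) to YAML integers (`4063`), and the same string-to-integer change appears in `docker_server_port: 2376` (the monitoring_service.yml and container_service.yml hunks) and `postgresql_version: 14` / `12` (the omero and xnat `common.yml` hunks). Where the value is only interpolated into a Jinja string (`postgresql{{ postgresql_version }}-server`, `data_dir: /var/lib/pgsql/{{ postgresql_version }}/data`, `xnat_container_service_port: "{{ docker_server_port }}"`) this is harmless, but whether the firewalld and docker roles accept an integer where they previously received a string is not visible in this diff and should be confirmed. The same commit keeps `install_python.version: "2"` and `sessionXmlRebuilderInterval: "5"` quoted, so quoting numeric-looking version and port values appears to be the intended convention; keeping `postgresql_version: "14"` and `docker_server_port: "2376"` quoted would be consistent with that and would also stop a future two-component value (e.g. a constructed `9.6`) from parsing as a float.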
@@ -91,7 +95,8 @@ nginx_server_cert_cache: "{{ ssl.server_cert }}" nginx_server_key_cache: "{{ ssl.server_key }}" # ome.omero_user -omero_user_create: "{{ omero_service_user + (omero_additional_users | default([])) }}" +omero_user_create: + "{{ omero_service_user + (omero_additional_users | default([])) }}" omero_user_system: "{{ omero_server_system_user }}" omero_user_admin_user: root omero_user_admin_pass: "{{ omero_server_rootpassword }}" diff --git a/playbooks/group_vars/xnat.yml b/playbooks/group_vars/xnat.yml index e6bbb906..96c146ac 100644 --- a/playbooks/group_vars/xnat.yml +++ b/playbooks/group_vars/xnat.yml 
@@ -7,31 +7,33 @@ xnat: processingUrl: "" xnat_source: - war_file_name: "xnat-web-{{ xnat_version }}.war" - plugins_downloads_dir: "/ansible/downloads/xnat_plugins" - xnat_downloads_dir: "/ansible/downloads/xnat" - pipeline_installer_file_name: "pipeline-installer-{{ xnat_pipeline_version }}.tar" - xnat_war_url: "https://api.bitbucket.org/2.0/repositories/xnatdev/xnat-web/downloads/xnat-web-{{ xnat_version }}.war" - pipelines_url: "https://api.github.com/repos/NrgXnat/xnat-pipeline-engine/tarball/{{ xnat_pipeline_version }}" - context_file_location: "/usr/share/tomcat/webapps/ROOT/META-INF/context.xml" + war_file_name: xnat-web-{{ xnat_version }}.war + plugins_downloads_dir: /ansible/downloads/xnat_plugins + xnat_downloads_dir: /ansible/downloads/xnat + pipeline_installer_file_name: + pipeline-installer-{{ xnat_pipeline_version }}.tar + xnat_war_url: + https://api.bitbucket.org/2.0/repositories/xnatdev/xnat-web/downloads/xnat-web-{{ + xnat_version }}.war + pipelines_url: + https://api.github.com/repos/NrgXnat/xnat-pipeline-engine/tarball/{{ + xnat_pipeline_version }} + context_file_location: /usr/share/tomcat/webapps/ROOT/META-INF/context.xml # mirsg.infrastructure.tomcat tomcat_version: 9.0.82 -tomcat_owner: "tomcat" -tomcat_group: "tomcat" +tomcat_owner: tomcat +tomcat_group: tomcat tomcat_webapp_name: ROOT -tomcat_root: "/usr/share/tomcat/webapps/{{ tomcat_webapp_name }}" +tomcat_root: /usr/share/tomcat/webapps/{{ tomcat_webapp_name }} tomcat_root_webapp: "{{ tomcat_root }}.war" tomcat_catalina_home: /usr/share/tomcat tomcat_catalina_opts: >- - -Dxnat.home={{ xnat_home_dir }} - -Xms{{ java_mem.Xms | default("512M") }} - -Xmx{{ java_mem.Xmx | default("1G") }} - -XX:MetaspaceSize={{ java_mem.MetaspaceSize | default("100M") }} - -XX:+UseG1GC - -server + -Dxnat.home={{ xnat_home_dir }} -Xms{{ java_mem.Xms | default("512M") }} + -Xmx{{ java_mem.Xmx | default("1G") }} -XX:MetaspaceSize={{ + java_mem.MetaspaceSize | default("100M") }} -XX:+UseG1GC -server 
tomcat_hostname: localhost tomcat_port: 8080 @@ -44,24 +46,24 @@ tomcat_items_to_restore: - "{{ tomcat_backup_directory }}/.postgresql" postgresql_client: - server_certificate_filename: "/usr/share/tomcat/.postgresql/root.crt" # where to copy the server certificate to on the client + server_certificate_filename: /usr/share/tomcat/.postgresql/root.crt # where to copy the server certificate to on the client # mirsg.infrastructure.ssl_certificates postgresql_client_ssl_certificate: owner: "{{ tomcat_owner }}" group: "{{ tomcat_owner }}" - certificate_directory: "/usr/share/tomcat/.postgresql" - privatekey_filename: "/usr/share/tomcat/.postgresql/postgresql.key" + certificate_directory: /usr/share/tomcat/.postgresql + privatekey_filename: /usr/share/tomcat/.postgresql/postgresql.key use_pk8: true - pk8_filename: "/usr/share/tomcat/.postgresql/postgresql.pk8" - csr_filename: "/usr/share/tomcat/.postgresql/postgresql.csr" + pk8_filename: /usr/share/tomcat/.postgresql/postgresql.pk8 + csr_filename: /usr/share/tomcat/.postgresql/postgresql.csr csr_common_name: "{{ web_server.host }}" - certificate_filename: "/usr/share/tomcat/.postgresql/postgresql.crt" - provider: "selfsigned" + certificate_filename: /usr/share/tomcat/.postgresql/postgresql.crt + provider: selfsigned cache_filename: "{{ database_client_certificate_cache_filename }}" # where to store the client certificate in cache java: - keystore_path: "/usr/lib/jvm/jre/lib/security/cacerts/" + keystore_path: /usr/lib/jvm/jre/lib/security/cacerts/ ldap_ca_cert_file_on_client: "{{ xnat.install_downloads }}/certs/ldap-ca.cert" diff --git a/playbooks/install_monitoring.yml b/playbooks/install_monitoring.yml index 43019bab..5f97050c 100644 --- a/playbooks/install_monitoring.yml +++ b/playbooks/install_monitoring.yml 
@@ -7,12 +7,9 @@ - name: Generate list of docker clients from `monitoring_client` group ansible.builtin.set_fact: docker_client_hostnames: > - {{ - query('inventory_hostnames', ansible_limit | default('')) | - intersect(groups['monitoring_client']) | - map('extract', hostvars, monitoring_server_hostname_extractor) | - list | default([]) - }} + {{ query('inventory_hostnames', ansible_limit | default('')) | + intersect(groups['monitoring_client']) | map('extract', hostvars, + monitoring_server_hostname_extractor) | list | default([]) }} failed_when: docker_client_hostnames | length == 0 roles: diff --git a/playbooks/molecule/resources/monitoring/inventory/group_vars/all.yml b/playbooks/molecule/resources/monitoring/inventory/group_vars/all.yml index a996484a..14189870 100644 --- a/playbooks/molecule/resources/monitoring/inventory/group_vars/all.yml +++ b/playbooks/molecule/resources/monitoring/inventory/group_vars/all.yml @@ -1,8 +1,8 @@ --- ansible_cache_dir: "{{ lookup('env', 'HOME') }}/ansible_persistent_files" -external_storage_drive: "/storage/molecule" +external_storage_drive: /storage/molecule selinux_enabled: false # mirsg.infrastructure.provision -server_locale: "en_GB.UTF-8" +server_locale: en_GB.UTF-8 diff --git a/playbooks/molecule/resources/monitoring/inventory/group_vars/centos7.yml b/playbooks/molecule/resources/monitoring/inventory/group_vars/centos7.yml index df0405d2..8687ca6e 100644 --- a/playbooks/molecule/resources/monitoring/inventory/group_vars/centos7.yml +++ b/playbooks/molecule/resources/monitoring/inventory/group_vars/centos7.yml @@ -2,8 +2,8 @@ # mirsg.infrastructure.install_python install_python: version: "2" - pip_version: "20.3.4" - pip_executable: "pip" + pip_version: 20.3.4 + pip_executable: pip system_packages: - python - python-pip 
diff --git a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_client.yml b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_client.yml index 1a38749c..c1c9e151 100644 --- a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_client.yml +++ b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_client.yml @@ -1,6 +1,7 @@ --- # mirsg.infrastructure.monitoring_client -monitoring_client_certificate_file: "{{ hostvars[inventory_hostname]['hostname'] }}.cert" +monitoring_client_certificate_file: + "{{ hostvars[inventory_hostname]['hostname'] }}.cert" monitoring_client_monitoring_server_ip: "{{ hostvars['mserv']['ansible_ip'] }}" monitoring_client_owner: root monitoring_client_group: root @@ -15,8 +16,7 @@ monitoring_client_server_ca_cert_file: /root/monitoring_certs/ca.pem firewalld_internal_zone_sources: - "{{ monitoring_client_monitoring_server_ip }}" firewalld_rich_rules: - - zone: "internal" - rule: "family=ipv4 source \ - address={{ monitoring_client_monitoring_server_ip }}/32 \ - port protocol=tcp \ - port={{ monitoring_client_node_exporter_port }} accept" + - zone: internal + rule: + family=ipv4 source address={{ monitoring_client_monitoring_server_ip }}/32 + port protocol=tcp port={{ monitoring_client_node_exporter_port }} accept diff --git a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_host.yml b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_host.yml index 927a2469..fb68e45c 100644 --- a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_host.yml +++ b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_host.yml 
@@ -1,7 +1,7 @@ --- monitoring_server_hostname: "{{ hostvars['mserv']['hostname'] }}" -monitoring_server_ssl_cert: "/etc/ssl/certs/{{ monitoring_server_hostname }}.cert" -monitoring_server_ssl_key: "/etc/ssl/certs/{{ monitoring_server_hostname }}.key" +monitoring_server_ssl_cert: /etc/ssl/certs/{{ monitoring_server_hostname }}.cert +monitoring_server_ssl_key: /etc/ssl/certs/{{ monitoring_server_hostname }}.key monitoring_server_admin_username: mirsg_service monitoring_server_admin_password: password monitoring_server_admin_email: admin@monitoring.org @@ -16,7 +16,7 @@ monitoring_server_cert_owner: root monitoring_server_cert_group: root monitoring_server_cert_dir: /root/monitoring_certs monitoring_server_client_cert_dir: /root/monitoring_certs/client_certs -monitoring_server_hostname_extractor: "hostname" +monitoring_server_hostname_extractor: hostname monitoring_server_grafana_username: grafana monitoring_server_grafana_password: grafana monitoring_server_grafana_host: "{{ monitoring_server_hostname }}" diff --git a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_service.yml b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_service.yml index 57317be5..60a87f4f 100644 --- a/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_service.yml +++ b/playbooks/molecule/resources/monitoring/inventory/group_vars/monitoring_service.yml 
@@ -1,9 +1,11 @@ --- # mirsg.infrastructure.docker -docker_client_certificate_cache_directory: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/monitoring_server_certificates" +docker_client_certificate_cache_directory: + "{{ lookup('env', 'HOME') + }}/ansible_persistent_files/monitoring_server_certificates" docker_server_hostname: "{{ hostvars['mserv']['hostname'] }}" docker_server_ip: "{{ hostvars['mserv']['ansible_ip'] }}" -docker_server_port: "2376" +docker_server_port: 2376 docker_service_name: docker docker_generate_certificates: true # generate TLS certs for clients docker_tls_verify: true @@ -11,9 +13,13 @@ docker_tls_verify: true # mirsg.infrastructure.monitoring_client monitoring_client_exporter_username: prometheus monitoring_client_exporter_password: prometheus -monitoring_client_certificate_cache_directory: "{{ docker_client_certificate_cache_directory }}" +monitoring_client_certificate_cache_directory: + "{{ docker_client_certificate_cache_directory }}" # mirsg.infrastructure.monitoring_server -monitoring_server_client_exporter_username: "{{ monitoring_client_exporter_username }}" -monitoring_server_client_exporter_password: "{{ monitoring_client_exporter_password }}" -monitoring_server_certificate_cache_directory: "{{ docker_client_certificate_cache_directory }}" +monitoring_server_client_exporter_username: + "{{ monitoring_client_exporter_username }}" +monitoring_server_client_exporter_password: + "{{ monitoring_client_exporter_password }}" +monitoring_server_certificate_cache_directory: + "{{ docker_client_certificate_cache_directory }}" diff --git a/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml b/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml index 6328fe39..3b7a6549 100644 --- a/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml +++ b/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml 
@@ -3,9 +3,9 @@ monitoring_server_ssl_certificate: owner: "{{ monitoring_server_cert_owner }}" group: "{{ monitoring_server_cert_group }}" certificate_directory: /etc/ssl/certs - privatekey_filename: "/etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.key" + privatekey_filename: /etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.key use_pk8: false - csr_filename: "/etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.csr" + csr_filename: /etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.csr csr_common_name: "{{ hostvars['mserv']['hostname'] }}" - certificate_filename: "/etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.cert" + certificate_filename: /etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.cert provider: selfsigned diff --git a/playbooks/molecule/resources/monitoring/prepare.yml b/playbooks/molecule/resources/monitoring/prepare.yml index e92de525..eb384334 100644 --- a/playbooks/molecule/resources/monitoring/prepare.yml +++ b/playbooks/molecule/resources/monitoring/prepare.yml @@ -16,5 +16,5 @@ - name: Change firewalld backend to iptables ansible.builtin.lineinfile: path: /etc/firewalld/firewalld.conf - regexp: "^FirewallBackend=" + regexp: ^FirewallBackend= line: FirewallBackend=iptables diff --git a/playbooks/molecule/resources/omero/inventory/group_vars/all/common.yml b/playbooks/molecule/resources/omero/inventory/group_vars/all/common.yml index 1c69b4f8..5dd02278 100644 --- a/playbooks/molecule/resources/omero/inventory/group_vars/all/common.yml +++ b/playbooks/molecule/resources/omero/inventory/group_vars/all/common.yml @@ -1,5 +1,5 @@ --- -postgresql_version: "14" +postgresql_version: 14 postgresql_use_ssl: false postgresql_ssl_mode: disable diff --git a/playbooks/molecule/resources/omero/inventory/group_vars/all/server.yml b/playbooks/molecule/resources/omero/inventory/group_vars/all/server.yml index 0476e558..c6b196a3 100644 --- a/playbooks/molecule/resources/omero/inventory/group_vars/all/server.yml 
+++ b/playbooks/molecule/resources/omero/inventory/group_vars/all/server.yml @@ -2,10 +2,10 @@ # OMERO.server, OMERO.web VM web_server: host: "{{ hostvars['omero_server_web']['hostname'] }}" - url: "https://{{ hostvars['omero_server_web']['hostname'] }}" + url: https://{{ hostvars['omero_server_web']['hostname'] }} ip: "{{ hostvars['omero_server_web']['ansible_ip'] }}" storage_dir: /OMERO - subnet: "192.168.56.0/24" + subnet: 192.168.56.0/24 dbhost: "{{ hostvars['omero_db']['hostname'] }}" rootpassword: "{{ vault_omero_rootpassword }}" @@ -18,7 +18,7 @@ db_server: postgresql_user: omero postgresql_password: "{{ vault_postgres_omero_password }}" storage_dir: /var/lib/pgsql - data_dir: "/var/lib/pgsql/{{ postgresql_version }}/data" + data_dir: /var/lib/pgsql/{{ postgresql_version }}/data backups_dir: /var/lib/pgsql/backups poolsize: 10 @@ -26,11 +26,14 @@ ssl_certificate: owner: root group: root certificate_directory: /etc/ssl/certs - privatekey_filename: "/etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.key" + privatekey_filename: + /etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.key use_pk8: false - csr_filename: "/etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.csr" + csr_filename: + /etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.csr csr_common_name: "{{ hostvars['omero_server_web']['hostname'] }}" - certificate_filename: "/etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.cert" + certificate_filename: + /etc/ssl/certs/{{ hostvars['omero_server_web']['hostname'] }}.cert provider: selfsigned # SSL certificate settings diff --git a/playbooks/molecule/resources/omero/inventory/host_vars/omero_server_web.yml b/playbooks/molecule/resources/omero/inventory/host_vars/omero_server_web.yml index 83caa0a4..95a31912 100644 --- a/playbooks/molecule/resources/omero/inventory/host_vars/omero_server_web.yml +++ b/playbooks/molecule/resources/omero/inventory/host_vars/omero_server_web.yml 
@@ -34,4 +34,4 @@ omero_server_upgrade: false firewalld_allow_public_access: true firewalld_public_zone_sources: - - "0.0.0.0/0" + - 0.0.0.0/0 diff --git a/playbooks/molecule/resources/omero/verify.yml b/playbooks/molecule/resources/omero/verify.yml index 1dc6190c..996f6eac 100644 --- a/playbooks/molecule/resources/omero/verify.yml +++ b/playbooks/molecule/resources/omero/verify.yml @@ -15,4 +15,4 @@ that: - response.status == 200 - "'nginx' in response.server" - - "response.content is search('OMERO.web')" + - response.content is search('OMERO.web') diff --git a/playbooks/molecule/resources/shared/prepare.yml b/playbooks/molecule/resources/shared/prepare.yml index 4fc10211..19ea19b8 100644 --- a/playbooks/molecule/resources/shared/prepare.yml +++ b/playbooks/molecule/resources/shared/prepare.yml @@ -41,5 +41,5 @@ - name: Change firewalld backend to iptables ansible.builtin.lineinfile: path: /etc/firewalld/firewalld.conf - regexp: "^FirewallBackend=" + regexp: ^FirewallBackend= line: FirewallBackend=iptables diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml index eb10090c..59c42df2 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml @@ -1,11 +1,11 @@ --- -xnat_data_dir: "/data" +xnat_data_dir: /data xnat_root_dir: "{{ xnat_data_dir }}/xnat" xnat_home_dir: "{{ xnat_root_dir }}/home" # XNAT configuration shared between all servers xnat_common_config: - admin_email: "xnatadmin@{{ hostvars['xnat_web']['hostname'] }}" + admin_email: xnatadmin@{{ hostvars['xnat_web']['hostname'] }} restrictUserListAccessToAdmins: true uiAllowNonAdminProjectCreation: false allowNonAdminsToClaimUnassignedSessions: true 
@@ -13,15 +13,18 @@ xnat_common_config: par: false primaryAdminUsername: "{{ xnat_service_admin.username }}" receivedFileUser: "{{ xnat_service_admin.username }}" - ipsThatCanSendEmailsThroughRest: "127.0.0.1" + ipsThatCanSendEmailsThroughRest: 127.0.0.1 sessionXmlRebuilderInterval: "5" # "^.*$" for all IPs - enabledProviders: ["localdb"] + enabledProviders: + - localdb enableSitewideAnonymizationScript: true - sitewideAnonymizationScript: "//\nversion \"6.1\"\nproject != \"Unassigned\" ? (0008,1030) := project\n(0010,0010) := subject\n(0010,0020) := session" + sitewideAnonymizationScript: + //\nversion \"6.1\"\nproject != \"Unassigned\" ? (0008,1030) := + project\n(0010,0010) := subject\n(0010,0020) := session xnat_service_admin: - username: "service_admin" - firstname: "first" - lastname: "name" + username: service_admin + firstname: first + lastname: name password: "{{ vault_service_admin_password }}" diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/all/common.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/all/common.yml index e1a32d87..ebe4ee60 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/all/common.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/all/common.yml @@ -3,7 +3,8 @@ package_registry: enabled: false url: "" - authentication_header: "Bearer {{ vault_package_registry_token | default(omit) }}" + authentication_header: + Bearer {{ vault_package_registry_token | default(omit) }} # Generally this should be set to true postgresql_use_ssl: true @@ -12,7 +13,7 @@ postgresql_use_ssl: true selinux_enabled: false # XNAT supports PostgreSQL 11-14 -postgresql_version: "12" +postgresql_version: 12 java_keystore: keystore_pass: "{{ vault_keystore_password }}" 
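Review bot: The new `sitewideAnonymizationScript` value is a plain (unquoted) multi-line scalar, so its `\n` and `\"` sequences are now literal backslash characters rather than the newlines and double quotes the previous double-quoted string encoded; the folded plain scalar also collapses the `:=` / `project` line break into a single space. The value is consumed via `to_json` in the xnat `common.yml` hunk (`xnat_sitewide_anonymization_script: "{{ xnat_common_config.sitewideAnonymizationScript | to_json }}"`), which will now emit `\\n` and `\\\"` instead of `\n` and `\"`, so the script XNAT receives no longer matches the one the old value produced unless the consumer decodes backslash escapes itself — for an anonymisation script that is a correctness change worth treating as a regression, not a formatting one. A `|-` literal block scalar expresses the same content without any escape sequences and survives reformatting; the rewrite below replaces the two-line plain scalar on the new side.
```yaml
  sitewideAnonymizationScript: |-
    //
    version "6.1"
    project != "Unassigned" ? (0008,1030) := project
    (0010,0010) := subject
    (0010,0020) := session
  # … unchanged: remaining xnat_common_config keys and xnat_service_admin …
```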
@@ -20,4 +21,5 @@ java_keystore: # JSON representation of the site-wide anonymisation script: this could be # defined in a string, or extracted from a template file e.g. using # lookup('template, 'foo.j2') | to_json -xnat_sitewide_anonymization_script: "{{ xnat_common_config.sitewideAnonymizationScript | to_json }}" +xnat_sitewide_anonymization_script: + "{{ xnat_common_config.sitewideAnonymizationScript | to_json }}" diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/all/server.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/all/server.yml index 43ce82c1..ef755844 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/all/server.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/all/server.yml @@ -9,8 +9,8 @@ external_storage_drive: /storage/xnat # Docker network, and to avoid CORS issues inside the network web_server: host: "{{ hostvars['xnat_web']['hostname'] }}" - url: "http://{{ hostvars['xnat_web']['hostname'] }}:8080" - subnet: "192.168.56.0/24" + url: http://{{ hostvars['xnat_web']['hostname'] }}:8080 + subnet: 192.168.56.0/24 ip: "{{ hostvars['xnat_web']['ansible_ip'] }}" storage_dir: "{{ external_storage_drive }}/data" diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/centos7.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/centos7.yml index df0405d2..8687ca6e 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/centos7.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/centos7.yml @@ -2,8 +2,8 @@ # mirsg.infrastructure.install_python install_python: version: "2" - pip_version: "20.3.4" - pip_executable: "pip" + pip_version: 20.3.4 + pip_executable: pip system_packages: - python - python-pip diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service.yml index 2cfa095d..8ed2d1eb 100644 
--- a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service.yml @@ -1,7 +1,8 @@ --- # mirsg.infrastructure.docker - only used by the container_service_host group # but the container_service_client group needs access to these variables -docker_client_certificate_cache_directory: "{{ ansible_cache_dir }}/cserv_certificates/cserv" +docker_client_certificate_cache_directory: + "{{ ansible_cache_dir }}/cserv_certificates/cserv" docker_server_hostname: "{{ hostvars['xnat_cserv']['hostname'] }}" docker_server_ip: "{{ hostvars['xnat_cserv']['ansible_ip'] }}" -docker_server_port: "2376" +docker_server_port: 2376 diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_client.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_client.yml index 7fe843f2..39c8cff2 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_client.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_client.yml @@ -1,6 +1,6 @@ --- # mirsg.xnat_container_service -xnat_container_service_name: "Container Service" +xnat_container_service_name: Container Service xnat_container_service_url: "{{ web_server.url }}/xapi/docker/server" xnat_container_service_client_hostname: "{{ hostvars['xnat_web']['hostname'] }}" xnat_container_service_validate_certs: "{{ ssl.validate_certs }}" 
@@ -8,7 +8,8 @@ xnat_container_service_validate_certs: "{{ ssl.validate_certs }}" xnat_container_service_hostname: "{{ docker_server_hostname }}" xnat_container_service_ip: "{{ docker_service_ip }}" xnat_container_service_port: "{{ docker_server_port }}" -xnat_container_service_certificate_cache_directory: "{{ docker_client_certificate_cache_directory }}" +xnat_container_service_certificate_cache_directory: + "{{ docker_client_certificate_cache_directory }}" xnat_container_service_path_translation_xnat_prefix: "{{ xnat_root_dir }}" -xnat_container_service_path_translation_docker_prefix: "/storage/xnat/data/xnat" +xnat_container_service_path_translation_docker_prefix: /storage/xnat/data/xnat diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/xnat.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/xnat.yml index aaad7dc4..7ceed0e1 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/xnat.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/xnat.yml @@ -3,7 +3,7 @@ firewalld_allow_public_access: true firewalld_public_zone_sources: - - "0.0.0.0/0" + - 0.0.0.0/0 # mirsg.xnat.xnat # Some times the default admin account hasn't finished creating even after tomcat has started diff --git a/playbooks/molecule/resources/xnat/inventory/hosts.yml b/playbooks/molecule/resources/xnat/inventory/hosts.yml index 2b6a4933..42f2088a 100644 --- a/playbooks/molecule/resources/xnat/inventory/hosts.yml +++ b/playbooks/molecule/resources/xnat/inventory/hosts.yml 
@@ -4,18 +4,18 @@ all:
 hosts:
 # Host for your database server. Variables in host_vars/xnat_db will be available to this host
 xnat_db:
- hostname: "xnat.db.local"
- ansible_ip: "192.168.56.2"
+ hostname: xnat.db.local
+ ansible_ip: 192.168.56.2
 # Host for your web server. Variables in host_vars/xnat_web will be available to this host
 xnat_web:
- hostname: "localhost" # necessary to allow redirects outside the Docker network and to avoid CORS issues inside the network
- ansible_ip: "192.168.56.3"
+ hostname: localhost # necessary to allow redirects outside the Docker network and to avoid CORS issues inside the network
+ ansible_ip: 192.168.56.3
 # Host for running the container service. Variables in host_vars/xnat_cserv will be available to this host
 xnat_cserv:
- hostname: "xnat.cserv.local"
- ansible_ip: "192.168.56.4"
+ hostname: xnat.cserv.local
+ ansible_ip: 192.168.56.4
 # Ansible groups. Groups allow configuration and variables to be shared between hosts
 # Variables in group_vars/all will be shared between all hosts
diff --git a/playbooks/molecule/resources/xnat/verify.yml b/playbooks/molecule/resources/xnat/verify.yml
index 7f1c4c79..9b0e4773 100644
--- a/playbooks/molecule/resources/xnat/verify.yml
+++ b/playbooks/molecule/resources/xnat/verify.yml
@@ -15,4 +15,4 @@
 that:
 - response.status == 200
 - response.server == "nginx"
- - "response.content is search('MIRSG XNAT')"
+ - response.content is search('MIRSG XNAT')
diff --git a/roles/README.md b/roles/README.md
index 585ecd37..66df56cf 100644
--- a/roles/README.md
+++ b/roles/README.md
@@ -7,35 +7,39 @@ XNAT or OMERO.
 This collection is tested using Ansible Molecule.
-Each role has its own Molecule configuration, which can be found it the `molecule/`
-folder of each role. Molecule base configurations are used to reduce to amount
-of duplication in the setup for testing each role. There are two base configurations
-that correspond to two [Molecule
-scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios)
-one for testing on CentOS 7 and another for testing on RockyLinux 9. The base configurations
-are in the `ansible_collections/mirsg/infrastructure/tests` folder.
+Each role has its own Molecule configuration, which can be found it the
+`molecule/` folder of each role. Molecule base configurations are used to reduce
+to amount of duplication in the setup for testing each role. There are two base
+configurations that correspond to two
+[Molecule scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios)
+one for testing on CentOS 7 and another for testing on RockyLinux 9. The base
+configurations are in the `ansible_collections/mirsg/infrastructure/tests`
+folder.
 ## Adding a new role
 To add a new role to this collection, you will need to:
 1. add the role to the `roles/` folder
-2. add a molecule configuration for the role to the `roles//molecule/` folder
+2. add a molecule configuration for the role to the `roles//molecule/`
+ folder
 3. add a workflow for the role to the `.github/workflows` folder
 ### Add a new role to the roles folder
-You can use the `ansible-galaxy init` command to create a new role in the `roles/` folder:
+You can use the `ansible-galaxy init` command to create a new role in the
+`roles/` folder:
 ```bash
 ansible-galaxy init my_role
 ```
-Note, roles within a collection cannot contain hyphens in their names - please use underscores
-instead.
+Note, roles within a collection cannot contain hyphens in their names - please
+use underscores instead.
-You can delete the `meta` and `tests` folders as these metadata is stored at the collection level
-and the molecule configuration should be stored in a `molecule/` folder:
+You can delete the `meta` and `tests` folders as these metadata is stored at the
+collection level and the molecule configuration should be stored in a
+`molecule/` folder:
 ```bash
 rm -r my_role/meta my_role/tests
@@ -51,23 +55,25 @@ Create a `molecule` folder in your role:
 mkdir my_roles/molecule
 ```
-Add the `converge.yml` playbook to the `molecule/` folder,
-and create folders for the `centos7` and `rocky9` scenarios. See
+Add the `converge.yml` playbook to the `molecule/` folder, and create folders
+for the `centos7` and `rocky9` scenarios. See
 [`mirsg.infrastructure.firewalld` for an example](./firewalld/).
-If necessary, add inventory `group_vars` under a `resources` subfolder: `my-role/molecule/resources/inventory/group_vars`.
-for your role.
+If necessary, add inventory `group_vars` under a `resources` subfolder:
+`my-role/molecule/resources/inventory/group_vars`. for your role.
-You may also need to add `prepare` or
-`verify` playbooks for your role. These can be added to the `resources` subfolder if you have multiple scenarios that will share the playbooks, or in the default scenario folder.
+You may also need to add `prepare` or `verify` playbooks for your role. These
+can be added to the `resources` subfolder if you have multiple scenarios that
+will share the playbooks, or in the default scenario folder.
 ### Add a GitHub Workflow
-We have a GitHub workflow for running molecule on each role, and doing so
-only when that role changes.
+We have a GitHub workflow for running molecule on each role, and doing so only
+when that role changes.
-You should add a GitHub workflow for your new role to `.github/workflows/molecule-my-role.yml`.
-The workflow should follow this format:
+You should add a GitHub workflow for your new role to
+`.github/workflows/molecule-my-role.yml`. The workflow should follow this
+format:
 ```yaml
 name: Test my_role
@@ -85,5 +91,6 @@ jobs:
 tests-path: ansible_collections/mirsg/infrastructure/roles/my_role
 ```
-This uses the [`.github/workflows/molecule.yml` reusable workflow](.github/workflows/molecule.yml) to run
-molecule on the relevant role.
+This uses the
+[`.github/workflows/molecule.yml` reusable workflow](.github/workflows/molecule.yml)
+to run molecule on the relevant role.
diff --git a/roles/docker/README.md b/roles/docker/README.md
index 446dc859..4c5fe9ee 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -1,6 +1,7 @@
 # mirsg.docker
-This role is for installing [docker-ce](https://docs.docker.com/engine/install/) on CentOS 7 or Rocky Linux 8.
+This role is for installing [docker-ce](https://docs.docker.com/engine/install/)
+on CentOS 7 or Rocky Linux 8.
 ## Role Variables
@@ -14,9 +15,11 @@ This role is for installing [docker-ce](https://docs.docker.com/engine/install/)
 | `docker_repo_baseurl` | URL to the directory containing the repodata. Defaults to `https://download.docker.com/linux/centos` |
 | `docker_yum_package` | The name of the Docker package. Defaults to `docker` |
-If you would like to [configure](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket)
-your Docker server such that clients can connect to it via TLS, you can also use this role to generate the necessary certificates.
-The following variables can be used to configure certificate creation and signing:
+If you would like to
+[configure](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket)
+your Docker server such that clients can connect to it via TLS, you can also use
+this role to generate the necessary certificates. The following variables can be
+used to configure certificate creation and signing:
 | Name | Description |
 | ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -38,9 +41,10 @@ The following variables can be used to configure certificate creation and signin
 | `docker_client_certificate_directory` | Directory in which to store the client certificates. Defaults to `/home/docker/.docker/client_certs` |
 | `docker_client_certificate_cache_directory` | Directory in which to client certificates will be copied to. Defaults to `~/ansible_persistent_files/docker_certificates` |
-If you have specified a list of clients in `docker_client_hostnames`, the certificate for each client will be stored locally on your Ansible
-controller in the folder `docker_client_certificate_cache_directory`. You will then need to copy these certificates to the corresponding
-client.
+If you have specified a list of clients in `docker_client_hostnames`, the
+certificate for each client will be stored locally on your Ansible controller in
+the folder `docker_client_certificate_cache_directory`. You will then need to
+copy these certificates to the corresponding client.
 ## Example Playbook
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 97133d4c..bfbc158e 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,27 +1,27 @@
 ---
 # defaults for mirsg.docker
-docker_owner: "root"
-docker_group: "root"
+docker_owner: root
+docker_group: root
 # mirsg.docker service
-docker_service_directory: "/etc/systemd/system/docker.service.d"
-docker_service_name: "docker"
+docker_service_directory: /etc/systemd/system/docker.service.d
+docker_service_name: docker
 # mirsg.docker install
-docker_rpm_gpg_key_url: "https://download.docker.com/linux/centos/gpg"
-docker_repo_baseurl: "https://download.docker.com/linux/centos/$releasever/$basearch/stable"
-docker_yum_package: "docker"
+docker_rpm_gpg_key_url: https://download.docker.com/linux/centos/gpg
+docker_repo_baseurl: https://download.docker.com/linux/centos/$releasever/$basearch/stable
+docker_yum_package: docker
 # mirsg.docker certificates
 docker_generate_certificates: false
-docker_certificate_directory: "/home/docker/.docker"
+docker_certificate_directory: /home/docker/.docker
 # mirsg.docker configuration
-docker_config_dir: "/etc/docker"
-docker_daemon_conf_file: "/etc/docker/daemon.json"
+docker_config_dir: /etc/docker
+docker_daemon_conf_file: /etc/docker/daemon.json
 docker_server_hostname: "{{ ansible_host }}"
-docker_server_ip: "0.0.0.0"
-docker_server_port: "2376"
+docker_server_ip: 0.0.0.0
+docker_server_port: 2376
 docker_tls_verify: true
 # mirsg.docker CA certificate
@@ -35,6 +35,9 @@ docker_server_csr: "{{ docker_certificate_directory }}/server.csr"
 docker_server_cert: "{{ docker_certificate_directory }}/server-cert.pem"
 # mirsg.docker client certificates
-docker_client_hostnames: [] # list of hostnames of clients that will connect to the server
-docker_client_certificate_directory: "{{ docker_certificate_directory }}/client_certs"
-docker_client_certificate_cache_directory: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/docker_certificates"
+# list of hostnames of clients that will connect to the server
+docker_client_hostnames: [] # yamllint disable-line rule:brackets
+docker_client_certificate_directory:
+ "{{ docker_certificate_directory }}/client_certs"
+docker_client_certificate_cache_directory:
+ "{{ lookup('env', 'HOME') }}/ansible_persistent_files/docker_certificates"
diff --git a/roles/docker/molecule/resources/converge.yml b/roles/docker/molecule/resources/converge.yml
index 44f8bf28..34d6c003 100644
--- a/roles/docker/molecule/resources/converge.yml
+++ b/roles/docker/molecule/resources/converge.yml
@@ -21,7 +21,8 @@
 group: root
 mode: "0700"
- - name: Copy Docker server certificate from Ansible Controller cache to client
+ - name:
+ Copy Docker server certificate from Ansible Controller cache to client
 ansible.builtin.copy:
 src: "{{ docker_client_certificate_cache_directory }}/ca.pem"
 dest: "{{ docker_client_directory }}/ca.pem"
@@ -29,9 +30,13 @@
 group: root
 mode: "0600"
- - name: Copy signed Docker client certificate from Ansible Controller cache to client
+ - name:
+ Copy signed Docker client certificate from Ansible Controller cache to
+ client
 ansible.builtin.copy:
- src: "{{ docker_client_certificate_cache_directory }}/molecule.docker-client.local.cert"
+ src:
+ "{{ docker_client_certificate_cache_directory
+ }}/molecule.docker-client.local.cert"
 dest: "{{ docker_client_directory }}/cert.pem"
 owner: root
 group: root
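Review bot: Every empty-list default now carries an inline `# yamllint disable-line rule:brackets` — here on `docker_client_hostnames`, and again on nine keys in `roles/firewalld/defaults/main.yml` and on `pip_packages` in `roles/install_python/defaults/main.yml`. Repeating the same suppression on eleven lines is a sign the rule configuration, not the files, should change: yamllint's `brackets` rule accepts `forbid: non-empty`, which keeps flow style out of real data while still allowing `[]`. Configuring that once in the project's yamllint config would let the defaults files drop every one of these directives.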
diff --git a/roles/docker/molecule/resources/inventory/group_vars/all.yml b/roles/docker/molecule/resources/inventory/group_vars/all.yml
index 630e2eb6..104b8914 100644
--- a/roles/docker/molecule/resources/inventory/group_vars/all.yml
+++ b/roles/docker/molecule/resources/inventory/group_vars/all.yml
@@ -1,9 +1,11 @@
 ---
 # mirsg.infrastructure.docker
-docker_client_certificate_cache_directory: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/docker_server_certificates"
+docker_client_certificate_cache_directory:
+ "{{ lookup('env', 'HOME')
+ }}/ansible_persistent_files/docker_server_certificates"
 docker_server_hostname: "{{ hostvars['server']['hostname'] }}"
 docker_server_ip: "{{ hostvars['server']['ansible_ip'] }}"
-docker_server_port: "2376"
+docker_server_port: 2376
 docker_service_name: docker
 docker_generate_certificates: true # generate TLS certs for clients
 docker_tls_verify: true
diff --git a/roles/docker/molecule/resources/inventory/group_vars/centos7.yml b/roles/docker/molecule/resources/inventory/group_vars/centos7.yml
index 7d004882..c8dd1783 100644
--- a/roles/docker/molecule/resources/inventory/group_vars/centos7.yml
+++ b/roles/docker/molecule/resources/inventory/group_vars/centos7.yml
@@ -2,8 +2,8 @@
 # mirsg.infrastructure.install_python
 install_python:
 version: "2"
- pip_version: "20.3.4"
- pip_executable: "pip"
+ pip_version: 20.3.4
+ pip_executable: pip
 system_packages:
 - python
 - python-pip
diff --git a/roles/docker/molecule/resources/inventory/hosts.yml b/roles/docker/molecule/resources/inventory/hosts.yml
index e8a5d3a1..f55f3d67 100644
--- a/roles/docker/molecule/resources/inventory/hosts.yml
+++ b/roles/docker/molecule/resources/inventory/hosts.yml
@@ -2,8 +2,8 @@
 all:
 hosts:
 client:
- hostname: "molecule.docker-client.local"
- ansible_ip: "192.168.56.2"
+ hostname: molecule.docker-client.local
+ ansible_ip: 192.168.56.2
 server:
- hostname: "molecule.docker-server.local"
- ansible_ip: "192.168.56.3"
+ hostname: molecule.docker-server.local
+ ansible_ip: 192.168.56.3
diff --git a/roles/docker/molecule/resources/verify.yml b/roles/docker/molecule/resources/verify.yml
index c088c801..9a5ddab9 100644
--- a/roles/docker/molecule/resources/verify.yml
+++ b/roles/docker/molecule/resources/verify.yml
@@ -3,15 +3,15 @@
 hosts: client
 vars:
 docker_client_directory: /root/docker_certs
- docker_server_ip: "192.168.56.3"
+ docker_server_ip: 192.168.56.3
 docker_server_port: 2376
 tasks:
 - name: Get info about the docker server
 community.docker.docker_host_info:
- ca_path: "{{ docker_client_directory }}/ca.pem"
+ ca_cert: "{{ docker_client_directory }}/ca.pem"
 client_cert: "{{ docker_client_directory }}/cert.pem"
 client_key: "{{ docker_client_directory }}/key.pem"
- docker_host: "tcp://{{ docker_server_ip }}:{{ docker_server_port }}"
+ docker_host: tcp://{{ docker_server_ip }}:{{ docker_server_port }}
 tls_hostname: "{{ docker_server_ip }}"
 validate_certs: true
 networks: true
diff --git a/roles/docker/tasks/ca-cert.yml b/roles/docker/tasks/ca-cert.yml
index fb13a704..858d6da9 100644
--- a/roles/docker/tasks/ca-cert.yml
+++ b/roles/docker/tasks/ca-cert.yml
@@ -19,9 +19,10 @@
 path: "{{ docker_ca_csr }}"
 privatekey_path: "{{ docker_ca_key }}"
 common_name: "{{ docker_server_hostname }}"
- subject_alt_name: "IP:{{ docker_server_ip }}"
+ subject_alt_name: IP:{{ docker_server_ip }}
 basic_constraints_critical: true
- basic_constraints: ["CA:TRUE"]
+ basic_constraints:
+ - CA:TRUE
 - name: Generate self-signed CA certificate
 community.crypto.x509_certificate:
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index c04706eb..1420a804 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
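Review bot: The `ca_path` → `ca_cert` rename on `community.docker.docker_host_info` in `roles/docker/molecule/resources/verify.yml` is a functional change buried in what is otherwise a quoting and line-wrapping sweep under a dependency-bump title, and nothing in the commit says why it was made. If the intent is to keep the verify step working on an older `community.docker` release, record that next to the option, e.g. `ca_cert: "{{ docker_client_directory }}/ca.pem" # alias of ca_path, kept for older community.docker`, or mention it in the commit message; otherwise it reads as an accidental revert. On current releases the two names appear to be aliases of each other, so behaviour should be unchanged there, but that is inferred from the collection's documentation rather than from anything in this diff.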
@@ -12,7 +12,8 @@
 ansible.builtin.yum:
 name: epel-release
 state: installed
- when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
+ when:
+ ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
 - name: Import docker rpm key
 ansible.builtin.rpm_key:
@@ -44,8 +45,8 @@
 - name: Ensure docker service directory exists
 ansible.builtin.file:
 path: "{{ docker_service_directory }}"
- owner: "root"
- group: "root"
+ owner: root
+ group: root
 state: directory
 mode: "0700"
@@ -53,8 +54,8 @@
 ansible.builtin.template:
 src: docker.conf.j2
 dest: "{{ docker_service_directory }}/docker.conf"
- owner: "root"
- group: "root"
+ owner: root
+ group: root
 mode: "0644"
 notify: Reload docker
@@ -89,7 +90,9 @@
 ansible.builtin.import_tasks: client-certs.yml
 when: docker_client_hostnames
-- name: "Ensure docker service configuration is reloaded before restarting the service"
+- name:
+ Ensure docker service configuration is reloaded before restarting the
+ service
 ansible.builtin.meta: flush_handlers
 - name: Ensure docker daemon is running
diff --git a/roles/docker/tasks/server-cert.yml b/roles/docker/tasks/server-cert.yml
index 3c4f199e..479e85dc 100644
--- a/roles/docker/tasks/server-cert.yml
+++ b/roles/docker/tasks/server-cert.yml
@@ -11,7 +11,7 @@
 path: "{{ docker_server_csr }}"
 privatekey_path: "{{ docker_server_key }}"
 common_name: "{{ docker_server_hostname }}"
- subject_alt_name: "IP:{{ docker_server_ip }}"
+ subject_alt_name: IP:{{ docker_server_ip }}
 - name: Generate server certificate
 community.crypto.x509_certificate:
diff --git a/roles/firewalld/README.md b/roles/firewalld/README.md
index 634f48c7..c8e69d23 100644
--- a/roles/firewalld/README.md
+++ b/roles/firewalld/README.md
@@ -10,38 +10,50 @@ See `defaults/main.yml` for the full list.
 - `allow_public_access`: Allow access from an IP address. Defaults to `false`.
 - `internal_zone_open_services`: A list of services to allow in the `internal` zone. Defaults to:
+
 ```yaml
 - http
 - https
 - ssh
 ```
+
 - `public_zone_open_services`: A list of services to allow in the `public` zone. Defaults to:
+
 ```yaml
 - http
 - https
 ```
+
 - `work_zone_open_services`: A list of services to allow in the `work` zone. Defaults to:
+
 ```yaml
 - http
 - https
 ```
+
 - `internal_zone_closed_services`: A list of services to not allow in the `internal` zone. Defaults to:
+
 ```yaml
 - samba-client
 ```
+
 - `public_zone_closed_services`: A list of services to not allow in the `public` zone. Defaults to:
+
 ```yaml
 - ssh
 ```
+
 - `work_zone_closed_services`: A list of services to not allow in the `work` zone. Defaults to:
+
 ```yaml
 - ssh
 ```
+
 - `internal_zone_sources`: A list of IP addresses to allow in `internal` zone. Defaults to `[]`.
 - `public_zone_sources`: A list of IP addresses to allow in `public` zone.
diff --git a/roles/firewalld/defaults/main.yml b/roles/firewalld/defaults/main.yml
index 6dc54735..2b11dbe2 100644
--- a/roles/firewalld/defaults/main.yml
+++ b/roles/firewalld/defaults/main.yml
@@ -5,8 +5,8 @@ firewalld_allow_public_access: false # IP ranges allowing HTTP/HTTPS
 firewalld_internal_zone_open_services:
 - ssh
-firewalld_public_zone_open_services: []
-firewalld_work_zone_open_services: []
+firewalld_public_zone_open_services: [] # yamllint disable-line rule:brackets
+firewalld_work_zone_open_services: [] # yamllint disable-line rule:brackets
 firewalld_internal_zone_closed_services:
 - samba-client
@@ -15,13 +15,13 @@ firewalld_public_zone_closed_services:
 firewalld_work_zone_closed_services:
 - ssh
-firewalld_internal_zone_sources: []
-firewalld_work_zone_sources: []
-firewalld_public_zone_sources: []
+firewalld_internal_zone_sources: [] # yamllint disable-line rule:brackets
+firewalld_work_zone_sources: [] # yamllint disable-line rule:brackets
+firewalld_public_zone_sources: [] # yamllint disable-line rule:brackets
-firewalld_internal_zone_ports: []
-firewalld_public_zone_ports: []
-firewalld_work_zone_ports: []
+firewalld_internal_zone_ports: [] # yamllint disable-line rule:brackets
+firewalld_public_zone_ports: [] # yamllint disable-line rule:brackets
+firewalld_work_zone_ports: [] # yamllint disable-line rule:brackets
 firewalld_close_zone_services:
 internal: "{{ firewalld_internal_zone_closed_services }}"
@@ -44,4 +44,4 @@ firewalld_zone_ports:
 work: "{{ firewalld_work_zone_ports }}"
 # rich_rules should be a list of hashes
-firewalld_rich_rules: []
+firewalld_rich_rules: [] # yamllint disable-line rule:brackets
diff --git a/roles/firewalld/molecule/resources/inventory/group_vars/all.yml b/roles/firewalld/molecule/resources/inventory/group_vars/all.yml
index b2420dce..a362398e 100644
--- a/roles/firewalld/molecule/resources/inventory/group_vars/all.yml
+++ b/roles/firewalld/molecule/resources/inventory/group_vars/all.yml
@@ -12,6 +12,6 @@ firewalld_work_zone_open_services:
 - http
 - https
 firewalld_public_zone_ports:
- - "80"
+ - 80
 firewalld_internal_zone_ports:
- - "5432"
+ - 5432
diff --git a/roles/firewalld/molecule/resources/prepare.yml b/roles/firewalld/molecule/resources/prepare.yml
index 6022cab1..0e70776f 100644
--- a/roles/firewalld/molecule/resources/prepare.yml
+++ b/roles/firewalld/molecule/resources/prepare.yml
@@ -16,5 +16,5 @@
 - name: Change firewalld backend to iptables
 ansible.builtin.lineinfile:
 path: /etc/firewalld/firewalld.conf
- regexp: "^FirewallBackend="
+ regexp: ^FirewallBackend=
 line: FirewallBackend=iptables
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
index 370d4cc4..04c9b835 100644
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
@@ -18,7 +18,8 @@
 immediate: true
 permanent: true
 state: disabled
- loop: "{{ firewalld_close_zone_services | dict2items | subelements('value') }}"
+ loop:
+ "{{ firewalld_close_zone_services | dict2items | subelements('value') }}"
 - name: Open zones to services
 become: true
@@ -53,7 +54,7 @@
 - name: Add firewall rich rules
 become: true
 ansible.posix.firewalld:
- rich_rule: "rule {{ item.rule }}"
+ rich_rule: rule {{ item.rule }}
 zone: "{{ item.zone }}"
 permanent: true
 immediate: true
@@ -72,7 +73,7 @@
 - name: Allow or drop default connections
 become: true
 ansible.builtin.command: >-
- firewall-cmd
- --set-default-zone={% if firewalld_allow_public_access %}public{% else %}drop{% endif %}
+ firewall-cmd --set-default-zone={% if firewalld_allow_public_access
+ %}public{% else %}drop{% endif %}
 when: firewall_default_zone.rc != 0
 changed_when: firewall_default_zone.rc != 0
diff --git a/roles/install_java/tasks/main.yml b/roles/install_java/tasks/main.yml
index 880873ca..2a875428 100644
--- a/roles/install_java/tasks/main.yml
+++ b/roles/install_java/tasks/main.yml
@@ -6,14 +6,14 @@
 - name: Set JAVA_HOME through shell script
 ansible.builtin.template:
- src: "java_home.sh.j2"
+ src: java_home.sh.j2
 dest: "{{ java_profile_d }}/java_home.sh"
 mode: "0644"
 when: java_home is defined and java_home != ''
 - name: Get info for java package directory
 ansible.builtin.stat:
- path: "/usr/lib/jvm/{{ java_package }}"
+ path: /usr/lib/jvm/{{ java_package }}
 register: java_package_info
 - name: Check if JRE exists
diff --git a/roles/install_python/README.md b/roles/install_python/README.md
index fd4e4c16..7fe47a3a 100644
--- a/roles/install_python/README.md
+++ b/roles/install_python/README.md
@@ -1,7 +1,8 @@
 # Ansible Role: mirsg.infrastructure.install_python
-This role installs Python, pip, and setuptools on Debian and RedHat operating systems. It will also update pip to the latest version or a
-user-specified version, and then install user-specified Python packages using pip.
+This role installs Python, pip, and setuptools on Debian and RedHat operating
+systems. It will also update pip to the latest version or a user-specified
+version, and then install user-specified Python packages using pip.
 ## Role Variables
@@ -11,9 +12,11 @@ user-specified version, and then install user-specified Python packages using pi
 `pip_version`: the version of pip to update to. This defaults to `"21.3.1"`.
-`pip_executable`: path to the pip executalbe to use for installing packages. This defaults to `"pip3"`
+`pip_executable`: path to the pip executalbe to use for installing packages.
+This defaults to `"pip3"`
-`system_packages`: list of system packages to be installed along with Python. This defaults to:
+`system_packages`: list of system packages to be installed along with Python.
+This defaults to:
 ```yaml
 - python3
@@ -21,13 +24,16 @@ user-specified version, and then install user-specified Python packages using pi
 - python3-setuptools
 ```
-The packages listed in `install_python.system_packages` will be installed by the OS package manager, NOT by pip.
+The packages listed in `install_python.system_packages` will be installed by the
+OS package manager, NOT by pip.
-`pip_packages`: list of Python packages to be installed by pip. This defaults to `[]`.
+`pip_packages`: list of Python packages to be installed by pip. This defaults to
+`[]`.
 ## Example Playbook
-This role will install Python on a managed host. To used this role, add it to the list of roles in a play:
+This role will install Python on a managed host. To used this role, add it to
+the list of roles in a play:
 ```yaml
 - name: Install Python
diff --git a/roles/install_python/defaults/main.yml b/roles/install_python/defaults/main.yml
index b249f4d8..9e9adaeb 100644
--- a/roles/install_python/defaults/main.yml
+++ b/roles/install_python/defaults/main.yml
@@ -1,10 +1,10 @@
 ---
 install_python:
 version: "3"
- pip_version: "21.3.1"
- pip_executable: "pip3"
+ pip_version: 21.3.1
+ pip_executable: pip3
 system_packages:
 - python3
 - python3-pip
 - python3-setuptools
- pip_packages: []
+ pip_packages: [] # yamllint disable-line rule:brackets
diff --git a/roles/install_python/molecule/resources/inventory/group_vars/centos7.yml b/roles/install_python/molecule/resources/inventory/group_vars/centos7.yml
index df0405d2..8687ca6e 100644
--- a/roles/install_python/molecule/resources/inventory/group_vars/centos7.yml
+++ b/roles/install_python/molecule/resources/inventory/group_vars/centos7.yml
@@ -2,8 +2,8 @@
 # mirsg.infrastructure.install_python
 install_python:
 version: "2"
- pip_version: "20.3.4"
- pip_executable: "pip"
+ pip_version: 20.3.4
+ pip_executable: pip
 system_packages:
 - python
 - python-pip
diff --git a/roles/install_python/tasks/Debian.yml b/roles/install_python/tasks/Debian.yml
index 22391b30..6ed9eeef 100644
--- a/roles/install_python/tasks/Debian.yml
+++ b/roles/install_python/tasks/Debian.yml
@@ -2,5 +2,5 @@
 # OS specific tasks for the Debian family
 - name: Update apt cache for Debian OSes
 ansible.builtin.apt:
- update_cache: "true"
+ update_cache: true
 cache_valid_time: 600
diff --git a/roles/install_python/tasks/RedHat.yml b/roles/install_python/tasks/RedHat.yml
index b9bdaa49..47594fc5 100644
--- a/roles/install_python/tasks/RedHat.yml
+++ b/roles/install_python/tasks/RedHat.yml
@@ -2,5 +2,5 @@
 # OS specific tasks for the RedHat family
 - name: Install EPEL for RedHat OSes
 ansible.builtin.yum:
- name: "epel-release"
+ name: epel-release
 state: installed
diff --git a/roles/install_python/tasks/check_default_version.yml b/roles/install_python/tasks/check_default_version.yml
index eaea1d9c..a9f2c675 100644
--- a/roles/install_python/tasks/check_default_version.yml
+++ b/roles/install_python/tasks/check_default_version.yml
@@ -3,20 +3,16 @@
 ansible.builtin.set_fact:
 default_python_version: "2"
 when: >-
- (ansible_os_family == 'RedHat') and
- (ansible_distribution_major_version | int < 8) or
- (ansible_distribution == 'Debian') and
- (ansible_distribution_major_version | int < 10) or
- (ansible_distribution == 'Ubuntu') and
- (ansible_distribution_major_version | int < 18)
+ (ansible_os_family == 'RedHat') and (ansible_distribution_major_version |
+ int < 8) or (ansible_distribution == 'Debian') and
+ (ansible_distribution_major_version | int < 10) or (ansible_distribution ==
+ 'Ubuntu') and (ansible_distribution_major_version | int < 18)
 - name: Check if Python 3 is the default version for the OS
 ansible.builtin.set_fact:
 default_python_version: "3"
 when: >-
- (ansible_os_family == 'RedHat') and
- (ansible_distribution_major_version | int >= 8) or
- (ansible_distribution == 'Debian') and
- (ansible_distribution_major_version | int >= 10) or
- (ansible_distribution == 'Ubuntu') and
- (ansible_distribution_major_version | int >= 18)
+ (ansible_os_family == 'RedHat') and (ansible_distribution_major_version |
+ int >= 8) or (ansible_distribution == 'Debian') and
+ (ansible_distribution_major_version | int >= 10) or (ansible_distribution ==
+ 'Ubuntu') and (ansible_distribution_major_version | int >= 18)
diff --git a/roles/monitoring_client/defaults/main.yml b/roles/monitoring_client/defaults/main.yml
index 7be0b8c6..f8c46070 100644
--- a/roles/monitoring_client/defaults/main.yml
+++ b/roles/monitoring_client/defaults/main.yml
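Review bot: The re-wrapped `when: >-` expressions in both `set_fact` tasks of `check_default_version.yml` now break in the middle of clauses (`| ` then `int < 8`, and `(ansible_distribution ==` then `'Ubuntu')`), which Ansible tolerates because a folded scalar joins lines with a single space, but the one-clause-per-line layout that showed the `and`/`or` structure is gone and the whole test now rests on `and` binding tighter than `or` with nothing on the page saying so. Consider keeping the original layout out of the formatter's reach with `# prettier-ignore` on the line above each `when: >-`, and wrapping each `X and Y` pair in parentheses so the precedence is explicit rather than implied.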
@@ -2,13 +2,15 @@
 monitoring_client_node_exporter_version: 1.7.0
 monitoring_client_node_exporter_binary:
- "https://github.com/prometheus/node_exporter/releases/download/v\
- {{ monitoring_client_node_exporter_version }}/node_exporter-\
- {{ monitoring_client_node_exporter_version }}.linux-amd64.tar.gz"
-monitoring_client_node_exporter_download_dir: "/tmp/node_exporter-{{ monitoring_client_node_exporter_version }}"
+ https://github.com/prometheus/node_exporter/releases/download/v{{
+ monitoring_client_node_exporter_version }}/node_exporter-{{
+ monitoring_client_node_exporter_version }}.linux-amd64.tar.gz
+monitoring_client_node_exporter_download_dir:
+ /tmp/node_exporter-{{ monitoring_client_node_exporter_version }}
 monitoring_client_node_exporter_install_dir: /usr/bin/node_exporter
 monitoring_client_node_export_service_name: node_exporter.service
-monitoring_client_node_exporter_service: "/etc/systemd/system/{{ monitoring_client_node_export_service_name }}"
+monitoring_client_node_exporter_service:
+ /etc/systemd/system/{{ monitoring_client_node_export_service_name }}
 monitoring_client_node_exporter_web_config: /usr/bin/node_exporter/web.yml
 monitoring_client_node_exporter_port: 9100
 monitoring_client_node_exporter_ssl_key: /usr/bin/node_exporter/node_exporter.key
diff --git a/roles/monitoring_client/tasks/install_node_exporter.yml b/roles/monitoring_client/tasks/install_node_exporter.yml
index ade237ec..ecfd3664 100644
--- a/roles/monitoring_client/tasks/install_node_exporter.yml
+++ b/roles/monitoring_client/tasks/install_node_exporter.yml
@@ -22,7 +22,7 @@
 remote_src: true
 owner: "{{ monitoring_client_owner }}"
 group: "{{ monitoring_client_group }}"
- extra_opts: "--strip-components=1"
+ extra_opts: --strip-components=1
 tags:
 - molecule-idempotence-notest
diff --git a/roles/monitoring_client/tasks/main.yml b/roles/monitoring_client/tasks/main.yml
index 90882641..4f98dd86 100644
--- a/roles/monitoring_client/tasks/main.yml
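Review bot: The new plain multi-line value of `monitoring_client_node_exporter_binary` is only a valid URL because each of its line breaks falls inside a Jinja `{{ … }}` pair, where the space that YAML folding inserts at the break is ignored by the template engine; a future re-wrap that lands a break anywhere else would put a space into the download path and neither YAML nor Ansible would report it. The removed form (a double-quoted scalar with `\` continuations) expressed the same value without that dependency. If the formatter's wrapping is to stay, record the constraint above the key, e.g. `# breaks must stay inside {{ }}: folding inserts a space at every line break`, or shield the value with `# prettier-ignore`. The same pattern appears in the `lookup('env', 'HOME')` values in `roles/docker/molecule/resources/inventory/group_vars/all.yml` and `roles/monitoring_server/defaults/main.yml`.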
+++ b/roles/monitoring_client/tasks/main.yml
@@ -17,7 +17,9 @@
 - name: Copy signed monitoring client certificate to client
 ansible.builtin.copy:
- src: "{{ monitoring_client_certificate_cache_directory }}/{{ monitoring_client_certificate_file }}"
+ src:
+ "{{ monitoring_client_certificate_cache_directory }}/{{
+ monitoring_client_certificate_file }}"
 dest: "{{ monitoring_client_ssl_cert_file }}"
 owner: "{{ monitoring_client_owner }}"
 group: "{{ monitoring_client_group }}"
diff --git a/roles/monitoring_server/defaults/main.yml b/roles/monitoring_server/defaults/main.yml
index 5558e47c..fbd7d68a 100644
--- a/roles/monitoring_server/defaults/main.yml
+++ b/roles/monitoring_server/defaults/main.yml
@@ -8,30 +8,37 @@ monitoring_server_cert_group: root monitoring_server_storage_root: /data/monitoring # mirsg.monitoring_server CA and server certificate -monitoring_server_certificate_cache_directory: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/monitoring_server_certificates" +monitoring_server_certificate_cache_directory: + "{{ lookup('env', 'HOME') + }}/ansible_persistent_files/monitoring_server_certificates" monitoring_server_certificate_directory: /root/monitoring_certs monitoring_server_ca_key: "{{ monitoring_server_certificate_directory }}/ca.key" monitoring_server_ca_csr: "{{ monitoring_server_certificate_directory }}/ca.csr" -monitoring_server_ca_cert: "{{ monitoring_server_certificate_directory }}/ca.pem" -monitoring_server_server_key: "{{ monitoring_server_certificate_directory }}/server-key.pem" -monitoring_server_server_csr: "{{ monitoring_server_certificate_directory }}/server.csr" -monitoring_server_server_cert: "{{ monitoring_server_certificate_directory }}/server-cert.pem" +monitoring_server_ca_cert: + "{{ monitoring_server_certificate_directory }}/ca.pem" +monitoring_server_server_key: + "{{ monitoring_server_certificate_directory }}/server-key.pem" +monitoring_server_server_csr: + "{{ monitoring_server_certificate_directory }}/server.csr" +monitoring_server_server_cert: + "{{ monitoring_server_certificate_directory }}/server-cert.pem" # mirsg.monitoring_server client related -monitoring_server_client_certificate_directory: "{{ monitoring_server_certificate_directory }}/client_certs" -monitoring_server_client_group: "monitoring_client" +monitoring_server_client_certificate_directory: + "{{ monitoring_server_certificate_directory }}/client_certs" +monitoring_server_client_group: monitoring_client monitoring_server_smtp_enabled: false monitoring_server_smtp_hostname: "" -monitoring_server_smtp_port: "25" -monitoring_server_smtp_protocol: "smtp" +monitoring_server_smtp_port: 25 +monitoring_server_smtp_protocol: smtp 
monitoring_server_smtp_auth: "" monitoring_server_smtp_username: "" monitoring_server_smtp_password: "" -monitoring_server_smtp_start_tls: "false" +monitoring_server_smtp_start_tls: false ssl_trust: "*" -monitoring_server_hostname_extractor: "ansible_host" +monitoring_server_hostname_extractor: ansible_host monitoring_server_alertmanager: container_name: alertmanager @@ -39,7 +46,7 @@ monitoring_server_alertmanager: external_data_dir: "{{ monitoring_server_storage_root }}/alertmanager" volume: /alertmanager commandline_args: - web.external-url: "https://{{ monitoring_server_hostname }}/alertmanager/" + web.external-url: https://{{ monitoring_server_hostname }}/alertmanager/ storage.path: /alertmanager/data config.file: /alertmanager/alertmanager.yml @@ -53,7 +60,8 @@ monitoring_server_grafana: external_data_dir: "{{ monitoring_server_storage_root }}/grafana" external_storage_dir: "{{ monitoring_server_storage_root }}/grafana/storage" volume: /var/lib/grafana - external_datasource: "{{ monitoring_server_storage_root }}/grafana/datasources.yml" + external_datasource: + "{{ monitoring_server_storage_root }}/grafana/datasources.yml" volume_datasource: /etc/grafana/provisioning/datasources/datasources.yml environment_variables: GF_SECURITY_ADMIN_USER: "{{ monitoring_server_grafana_username }}" diff --git a/roles/monitoring_server/tasks/install_alertmanager_container.yml b/roles/monitoring_server/tasks/install_alertmanager_container.yml index 6cd90dbe..bb0c5117 100644 --- a/roles/monitoring_server/tasks/install_alertmanager_container.yml +++ b/roles/monitoring_server/tasks/install_alertmanager_container.yml @@ -1,5 +1,7 @@ --- -- name: Ensure alertmanager data directory exists - {{ monitoring_server_alertmanager.external_data_dir }} +- name: + Ensure alertmanager data directory exists - {{ + monitoring_server_alertmanager.external_data_dir }} ansible.builtin.file: path: "{{ monitoring_server_alertmanager.external_data_dir }}" owner: "{{ monitoring_server_owner }}" 
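Review bot: `monitoring_server_smtp_port: 25` and `monitoring_server_smtp_start_tls: false` change the type of two defaults (string to int and bool) inside what is otherwise a layout-only hunk. A Jinja render of the boolean now produces `False` rather than the literal `false`, and any `== "false"` or `== "25"` comparison in the alertmanager template or tasks silently stops matching; those consumers are not visible here, so this is a request to confirm them. If the templates depend on the literal text, keep the quotes (`"25"`, `"false"`) as the hunk already does for `ssl_trust: "*"`.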
@@ -10,7 +12,8 @@ - name: Copy alertmanager config file ansible.builtin.template: src: templates/alertmanager.yml.j2 - dest: "{{ monitoring_server_alertmanager.external_data_dir }}/alertmanager.yml" + dest: + "{{ monitoring_server_alertmanager.external_data_dir }}/alertmanager.yml" owner: root mode: "0644" @@ -21,12 +24,14 @@ image: "{{ monitoring_server_alertmanager.image }}" state: started user: "{{ monitoring_server_uid }}:{{ monitoring_server_gid }}" - command: "{% for key in monitoring_server_alertmanager.commandline_args %}\ - --{{ key }}={{ monitoring_server_alertmanager.commandline_args[key] }} {% endfor %}" + command: + "{% for key in monitoring_server_alertmanager.commandline_args %} --{{ key + }}={{ monitoring_server_alertmanager.commandline_args[key] }} {% endfor %}" networks: - name: monitor-net volumes: - - "{{ monitoring_server_alertmanager.external_data_dir }}:{{ monitoring_server_alertmanager.volume }}" + - "{{ monitoring_server_alertmanager.external_data_dir }}:{{ + monitoring_server_alertmanager.volume }}" restart_policy: always notify: - Restart prometheus diff --git a/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml b/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml index aa58c090..c2813fb9 100644 --- a/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml +++ b/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml @@ -10,7 +10,9 @@ - name: Copy blackbox_exporter config file ansible.builtin.template: src: templates/blackbox-exporter.yml.j2 - dest: "{{ monitoring_server_storage_root }}/blackbox-exporter/blackbox-exporter.yml" + dest: + "{{ monitoring_server_storage_root + }}/blackbox-exporter/blackbox-exporter.yml" owner: "{{ monitoring_server_owner }}" group: "{{ monitoring_server_group }}" mode: "0644" 
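Review bot: The reflowed `command:` in the `@@ -21,12 +24,14 @@` hunk puts a literal space between `%}` and `--{{ key`, where the old `\`-continued string had none, so each rendered argument now carries a leading space; the prometheus counterpart in `install_prometheus_container.yml` keeps `%}--{{`. This is harmless if `docker_container` shlex-splits the string, which I cannot confirm from here, but the two loops should use the same form, e.g. `"{% for key in monitoring_server_alertmanager.commandline_args %}--{{ key`.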
@@ -26,5 +28,6 @@ networks: - name: monitor-net volumes: - - "{{ monitoring_server_storage_root }}/blackbox-exporter/blackbox-exporter.yml:/config/blackbox-exporter.yml" + - "{{ monitoring_server_storage_root + }}/blackbox-exporter/blackbox-exporter.yml:/config/blackbox-exporter.yml" restart_policy: always diff --git a/roles/monitoring_server/tasks/install_cadvisor_container.yml b/roles/monitoring_server/tasks/install_cadvisor_container.yml index 140a29ad..a0e674c0 100644 --- a/roles/monitoring_server/tasks/install_cadvisor_container.yml +++ b/roles/monitoring_server/tasks/install_cadvisor_container.yml @@ -9,7 +9,7 @@ networks: - name: monitor-net command: - - "-url_base_prefix=/cadvisor" + - -url_base_prefix=/cadvisor volumes: - /:/rootfs:ro - /var/run:/var/run:rw diff --git a/roles/monitoring_server/tasks/install_grafana_container.yml b/roles/monitoring_server/tasks/install_grafana_container.yml index 3e18bc85..24417d42 100644 --- a/roles/monitoring_server/tasks/install_grafana_container.yml +++ b/roles/monitoring_server/tasks/install_grafana_container.yml @@ -1,5 +1,7 @@ --- -- name: Ensure grafana's directory exists - {{ monitoring_server_grafana.external_data_dir }} +- name: + Ensure grafana's directory exists - {{ + monitoring_server_grafana.external_data_dir }} ansible.builtin.file: path: "{{ monitoring_server_grafana.external_data_dir }}" owner: "{{ monitoring_server_owner }}" 
@@ -35,8 +37,10 @@ state: started user: "{{ monitoring_server_uid }}:{{ monitoring_server_gid }}" volumes: - - "{{ monitoring_server_grafana.external_storage_dir }}:{{ monitoring_server_grafana.volume }}" - - "{{ monitoring_server_grafana.external_datasource }}:{{ monitoring_server_grafana.volume_datasource }}" + - "{{ monitoring_server_grafana.external_storage_dir }}:{{ + monitoring_server_grafana.volume }}" + - "{{ monitoring_server_grafana.external_datasource }}:{{ + monitoring_server_grafana.volume_datasource }}" networks: - name: monitor-net env: "{{ monitoring_server_grafana.environment_variables }}" diff --git a/roles/monitoring_server/tasks/install_nginx_container.yml b/roles/monitoring_server/tasks/install_nginx_container.yml index 63b03e49..4054325e 100644 --- a/roles/monitoring_server/tasks/install_nginx_container.yml +++ b/roles/monitoring_server/tasks/install_nginx_container.yml @@ -3,13 +3,17 @@ ansible.builtin.yum: name: python-passlib state: present - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version("7") + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version("7") - name: Ensure passlib is installed on rocky9 ansible.builtin.yum: name: python3-passlib state: present - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version("9") + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version("9") - name: Ensure nginx certs directory exists on host ansible.builtin.file: 
@@ -44,7 +48,9 @@ notify: - Restart nginx -- name: Generate Diffie-Hellman (DH) parameters with bits - {{ monitoring_server_nginx.diffie_helman_size_bits }} +- name: + Generate Diffie-Hellman (DH) parameters with bits - {{ + monitoring_server_nginx.diffie_helman_size_bits }} community.crypto.openssl_dhparam: path: "{{ monitoring_server_nginx.dh_params_file }}" size: "{{ monitoring_server_nginx.diffie_helman_size_bits }}" @@ -71,8 +77,8 @@ networks: - name: monitor-net ports: - - "80:80" - - "443:443" + - 80:80 + - 443:443 volumes: - /etc/nginx/.htpasswd:/etc/nginx/.htpasswd - "{{ monitoring_server_nginx.conf_file }}:/etc/nginx/nginx.conf:ro" diff --git a/roles/monitoring_server/tasks/install_prometheus_container.yml b/roles/monitoring_server/tasks/install_prometheus_container.yml index de555702..59f73a10 100644 --- a/roles/monitoring_server/tasks/install_prometheus_container.yml +++ b/roles/monitoring_server/tasks/install_prometheus_container.yml @@ -1,5 +1,7 @@ --- -- name: Ensure prometheus data directory exists - {{ monitoring_server_prometheus.external_data_dir }} +- name: + Ensure prometheus data directory exists - {{ + monitoring_server_prometheus.external_data_dir }} ansible.builtin.file: path: "{{ monitoring_server_prometheus.external_data_dir }}" owner: "{{ monitoring_server_owner }}" 
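Review bot: The port mappings `- 80:80` and `- 443:443` in the `@@ -71,8 +77,8 @@` hunk drop the quotes that protected them from YAML 1.1 implicit typing. Ansible loads YAML through PyYAML, where a `digits:digits` scalar whose right-hand field is 0–59 resolves to a base-60 integer (`22:22` loads as 1342); these two values survive only because 80 and 443 exceed 59, so the pattern breaks as soon as a lower port is added. Keep Docker port mappings quoted: `- "80:80"` and `- "443:443"`.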
@@ -45,9 +47,12 @@ image: "{{ monitoring_server_prometheus.image }}" user: "{{ monitoring_server_uid }}:{{ monitoring_server_gid }}" state: started - command: "{% for key in monitoring_server_prometheus.commandline_args %}--{{ key }}={{ monitoring_server_prometheus.commandline_args[key] }} {% endfor %}" + command: + "{% for key in monitoring_server_prometheus.commandline_args %}--{{ key + }}={{ monitoring_server_prometheus.commandline_args[key] }} {% endfor %}" networks: - name: monitor-net volumes: - - "{{ monitoring_server_prometheus.external_data_dir }}:{{ monitoring_server_prometheus.volume }}" + - "{{ monitoring_server_prometheus.external_data_dir }}:{{ + monitoring_server_prometheus.volume }}" restart_policy: always diff --git a/roles/monitoring_server/tasks/main.yml b/roles/monitoring_server/tasks/main.yml index 73d6c660..34e29255 100644 --- a/roles/monitoring_server/tasks/main.yml +++ b/roles/monitoring_server/tasks/main.yml @@ -1,14 +1,12 @@ --- -- name: Build `monitoring_server_client_hostnames` from `monitoring_client` group +- name: + Build `monitoring_server_client_hostnames` from `monitoring_client` group ansible.builtin.set_fact: # Get hosts in the `monitoring_client` monitoring_server_client_hostnames: > - {{ - query('inventory_hostnames', ansible_limit | default('')) | - intersect(groups['monitoring_client']) | - map('extract', hostvars, monitoring_server_hostname_extractor) | - list | default([]) - }} + {{ query('inventory_hostnames', ansible_limit | default('')) | + intersect(groups['monitoring_client']) | map('extract', hostvars, + monitoring_server_hostname_extractor) | list | default([]) }} failed_when: monitoring_server_client_hostnames | length == 0 - name: Find web servers in `monitoring_client` group 
@@ -16,13 +14,10 @@ # Get any hosts in the `monitoring_client` that are # also in the `web` group monitoring_server_web_clients: > - {{ - query('inventory_hostnames', ansible_limit | default('')) | - intersect(groups['monitoring_client']) | - intersect(groups['web']) | + {{ query('inventory_hostnames', ansible_limit | default('')) | + intersect(groups['monitoring_client']) | intersect(groups['web']) | map('extract', hostvars, monitoring_server_hostname_extractor) | - map('regex_replace', '^', 'https://') - }} + map('regex_replace', '^', 'https://') }} failed_when: monitoring_server_web_clients | length == 0 - name: Add monitoring_server group diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 50ef7c05..8f38247c 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -24,9 +24,9 @@ on CentOS 7 or RockyLinux 9. | `nginx_add_default_server` | Whether to add an additional server block for a default server that returns an empty response. Defaults to `true` | | `nginx_ipv6_enabled` | Whether to enable support for IPv6. Defaults to `false` | -If you would like to use SSL with NGINX, you will need to have the -certificate and key on your Ansible Controller, and may also need to set -the following variables: +If you would like to use SSL with NGINX, you will need to have the certificate +and key on your Ansible Controller, and may also need to set the following +variables: | Name | Description | | ------------------------------- | ----------------------------------------------------------------------------------------- | @@ -41,7 +41,8 @@ the following variables: ## Dependencies -You will need to install the following collections before using `mirsg.infrastructure.nginx`: +You will need to install the following collections before using +`mirsg.infrastructure.nginx`: - `ansible.posix` - `community.crypto` 
diff --git a/roles/nginx/molecule/resources/inventory/group_vars/all.yml b/roles/nginx/molecule/resources/inventory/group_vars/all.yml index ffcd1d0b..018954e3 100644 --- a/roles/nginx/molecule/resources/inventory/group_vars/all.yml +++ b/roles/nginx/molecule/resources/inventory/group_vars/all.yml @@ -2,5 +2,5 @@ nginx_server_name: molecule.instance.local nginx_proxy_port: 8000 nginx_diffie_helman_size_bits: 2048 -nginx_root: "/home/" +nginx_root: /home/ nginx_use_ssl: false diff --git a/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml b/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml index 77512db8..8be670cc 100644 --- a/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml +++ b/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml @@ -2,7 +2,7 @@ # mirsg.infrastructure.install_python install_python: version: "2" - pip_version: "20.3.4" + pip_version: 20.3.4 pip_executable: pip system_packages: - python diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 7675ad94..5edb101a 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,8 +1,11 @@ --- - name: Configure SELinux if enabled and enforced - when: ansible_selinux.status == "enabled" and ansible_selinux.mode == "enforcing" + when: + ansible_selinux.status == "enabled" and ansible_selinux.mode == "enforcing" block: - - name: Configure SELinux to allow nginx to listen on port {{ nginx_upstream_listen_port }} + - name: + Configure SELinux to allow nginx to listen on port {{ + nginx_upstream_listen_port }} community.general.seport: ports: "{{ nginx_upstream_listen_port }}" proto: tcp 
@@ -10,21 +13,27 @@ state: present when: nginx_upstream_listen_port is defined - - name: Configure SELinux to allow httpd to act as relay and keep it persistent across reboots + - name: + Configure SELinux to allow httpd to act as relay and keep it persistent + across reboots ansible.posix.seboolean: name: httpd_can_network_relay state: true persistent: true - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version("8", ">=") + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version("8", ">=") - name: Ensure epel is installed ansible.builtin.yum: - name: "epel-release" + name: epel-release state: installed - name: Ensure nginx is installed ansible.builtin.yum: - name: ["nginx", "nginx-mod-stream"] + name: + - nginx + - nginx-mod-stream state: installed - name: Ensure nginx certs directory exists @@ -52,7 +61,9 @@ notify: Reload nginx when: nginx_use_ssl -- name: Generate Diffie-Hellman (DH) parameters. Number of {{ nginx_diffie_helman_size_bits }}. +- name: + Generate Diffie-Hellman (DH) parameters. Number of {{ + nginx_diffie_helman_size_bits }}. community.crypto.openssl_dhparam: path: "{{ nginx_dh_params_file }}" size: "{{ nginx_diffie_helman_size_bits }}" diff --git a/roles/omero_server/README.md b/roles/omero_server/README.md index c2fd4e1b..5ffbc6af 100644 --- a/roles/omero_server/README.md +++ b/roles/omero_server/README.md 
@@ -6,9 +6,9 @@ role maintained by the OME team. The reasons for maintaining a separate role here are: 1. The OME role no longer supports EL `8` OS variants -2. There is a [bug in the OME - role](https://github.com/ome/ansible-role-omero-server/issues/72) which stops - a database backup working when OMERO.server is upgraded +2. There is a + [bug in the OME role](https://github.com/ome/ansible-role-omero-server/issues/72) + which stops a database backup working when OMERO.server is upgraded If running EL `9` and you set `omero_server_release` to `latest` it is recommended that you use the `ome.omero_server` role in place of this one. @@ -50,8 +50,8 @@ All variables are optional, see defaults/main.yml for the full list `omero_server_dbpassword`: Database password -`omero_server_rootpassword`: OMERO root password, defaults to `omero`. -This is only used when initialising a new database. +`omero_server_rootpassword`: OMERO root password, defaults to `omero`. This is +only used when initialising a new database. ### OMERO.server configuration 
@@ -81,19 +81,17 @@ not support insecure ciphers `omero_server_systemd_setup`: Create and start the omero-server systemd service, default True -`omero_server_systemd_limit_nofile`: Systemd limit for number of -open files (default ignore) +`omero_server_systemd_limit_nofile`: Systemd limit for number of open files +(default ignore) -`omero_server_systemd_after`: A list of strings with -additional service names to appear in systemd unit file "After" statements. -Default empty/none. +`omero_server_systemd_after`: A list of strings with additional service names to +appear in systemd unit file "After" statements. Default empty/none. -`omero_server_systemd_requires`: A list of strings with -additional service names to appear in systemd unit file "Requires" statements. -Default empty/none. +`omero_server_systemd_requires`: A list of strings with additional service names +to appear in systemd unit file "Requires" statements. Default empty/none. -`omero_server_systemd_environment`: Dictionary of additional -environment variables. Python virtualenv +`omero_server_systemd_environment`: Dictionary of additional environment +variables. Python virtualenv `omero_server_python_addons`: List of additional Python packages to be installed into virtualenv. Alternatively you can install packages into 
@@ -105,15 +103,15 @@ before upgrading, default empty (disabled) ### Configuring OMERO.server This role regenerates the OMERO configuration file using the configuration files -and helper script in `/opt/omero/server/config`. `omero_server_config_set` can be -used for simple configurations, for anything more complex consider creating one -or more configuration files under: `/opt/omero/server/config/` with the +and helper script in `/opt/omero/server/config`. `omero_server_config_set` can +be used for simple configurations, for anything more complex consider creating +one or more configuration files under: `/opt/omero/server/config/` with the extension .omero. -Manual configuration changes (`omero config ...`) will be lost following a restart -of omero-server with systemd, you can disable this by setting -`omero_server_always_reset_config: false`. Manual configuration changes will never -be copied during an upgrade. +Manual configuration changes (`omero config ...`) will be lost following a +restart of omero-server with systemd, you can disable this by setting +`omero_server_always_reset_config: false`. Manual configuration changes will +never be copied during an upgrade. See [ome/design#70](https://github.com/ome/design/issues/70) for a proposal to add support for a conf.d style directory directly into OMERO. diff --git a/roles/omero_server/defaults/main.yml b/roles/omero_server/defaults/main.yml index b6bb8054..5d0c9eca 100644 --- a/roles/omero_server/defaults/main.yml +++ b/roles/omero_server/defaults/main.yml @@ -3,7 +3,7 @@ omero_server_database_backupdir: "{{ omero_server_datadir }}/upgrade_backups" omero_server_basedir: /opt/omero/server -omero_server_release: "5.6.9" +omero_server_release: 5.6.9 # omero_server_release: present # OMERO database connection parameters 
@@ -35,10 +35,10 @@ omero_server_datadir: /OMERO omero_server_datadir_managedrepo: "{{ omero_server_datadir }}/ManagedRepository" # Permissions for OMERO data directories apart from ManagedRepository -omero_server_datadir_mode: "u=rwX,g=rX,o=rX" +omero_server_datadir_mode: u=rwX,g=rX,o=rX # Permissions for OMERO ManagedRepository -omero_server_datadir_managedrepo_mode: "u=rwX,g=srwX,o=rX" +omero_server_datadir_managedrepo_mode: u=rwX,g=srwX,o=rX # Setup systemd services omero_server_systemd_setup: true 
@@ -48,30 +48,26 @@ omero_server_systemd_limit_nofile: # Services which OMERO server needs to be running before it can start, # such as remote storage. -omero_server_systemd_after: [] +omero_server_systemd_after: [] # yamllint disable-line rule:brackets # Services which OMERO server needs to be concurrently running. -omero_server_systemd_requires: [] +omero_server_systemd_requires: [] # yamllint disable-line rule:brackets # Dictionary of additional environment variables -omero_server_systemd_environment: {} +omero_server_systemd_environment: {} # yamllint disable-line rule:braces # List of additional Python packages to be installed into virtualenv -omero_server_python_addons: [] +omero_server_python_addons: [] # yamllint disable-line rule:brackets # If true disable anonymous ciphers and use self-signed certificates omero_server_selfsigned_certificates: true -omero_server_ice_version: "3.6" +omero_server_ice_version: 3.6 omero_server_python_requirements_ice_package: RedHat: - 8: - "https://github.com/glencoesoftware/zeroc-ice-py-rhel8-x86_64/releases/download/\ - 20230929/zeroc_ice-3.6.5-cp36-cp36m-linux_x86_64.whl" - 9: - "https://github.com/glencoesoftware/zeroc-ice-py-rhel9-x86_64/releases/download/\ - 20230830/zeroc_ice-3.6.5-cp39-cp39-linux_x86_64.whl" + 8: https://github.com/glencoesoftware/zeroc-ice-py-rhel8-x86_64/releases/download/20230929/zeroc_ice-3.6.5-cp36-cp36m-linux_x86_64.whl + 9: https://github.com/glencoesoftware/zeroc-ice-py-rhel9-x86_64/releases/download/20230830/zeroc_ice-3.6.5-cp39-cp39-linux_x86_64.whl # TODO: sort this out # ? pip install omero-server-dependencies=={{omero_server_release}} 
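Review bot: `omero_server_ice_version: 3.6` in the `@@ -48,30 +48,26 @@` hunk now loads as a float; it renders unchanged in `--ice {{ omero_server_ice_version }}` only because `str(3.6)` happens to be `3.6`, whereas a value such as `3.10` would become `3.1`. This is a version identifier, so keep it quoted (`omero_server_ice_version: "3.6"`), consistent with `version: "2"` left quoted in the centos7 molecule vars earlier in this patch. The `# yamllint disable-line` markers on the four empty collections work, though the exemption for `[]`/`{}` defaults could live in `.yamllint` rather than on every line.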
@@ -86,9 +82,11 @@ _omero_dropbox_version: ">=5.6.1" omero_server_python_requirements: - omego==0.7.0 # TODO: make the use of our non-standard wheel optional - - "{{ omero_server_python_requirements_ice_package[ansible_os_family][ansible_distribution_major_version | int] | default('zeroc-ice') }}" - - "omero-py{{ _omero_py_version | default('') }}" - - "omero-dropbox{{ _omero_dropbox_version | default('') }}" + - "{{ + omero_server_python_requirements_ice_package[ansible_os_family][ansible_distribution_major_version + | int] | default('zeroc-ice') }}" + - omero-py{{ _omero_py_version | default('') }} + - omero-dropbox{{ _omero_dropbox_version | default('') }} # TODO: keep or ditch ipython? It's a big dependency and mostly useful for # clients # - ipython @@ -143,7 +141,7 @@ omero_server_symlink: OMERO.server omero_server_omego: "{{ omero_server_virtualenv_basedir + '/bin/omego' }}" # Control verbosity of omego -omero_server_omego_verbosity: "-qq" +omero_server_omego_verbosity: -qq # Additional omego arguments passed to upgrade or install omero_server_omego_additional_args: "" 
@@ -156,31 +154,24 @@ omero_server_upgrade: true # DEVELOPMENT: Operator for comparing current-version against # omero_server_release, e.g. '!='. Default is to upgrade when # current-version < omero_server_release -omero_server_checkupgrade_comparator: "<" +omero_server_checkupgrade_comparator: < # _omero_server_new_version is set in tasks/omero-install.yml # We can't just use omero_server_release because if it is "present" # it needs to be substituted with a value that omego will accept omero_server_omego_options: > - --release {{ _omero_server_new_version }} - --sym {{ omero_server_symlink }} - --ice {{ omero_server_ice_version }} - --no-start - --no-web - --ignoreconfig - --omerocli {{ omero_server_virtualenv_basedir + '/bin/omero' }} - {{ omero_server_omego_verbosity }} - {{ omero_server_omego_additional_args }} + --release {{ _omero_server_new_version }} --sym {{ omero_server_symlink }} + --ice {{ omero_server_ice_version }} --no-start --no-web --ignoreconfig + --omerocli {{ omero_server_virtualenv_basedir + '/bin/omero' }} {{ + omero_server_omego_verbosity }} {{ omero_server_omego_additional_args }} omero_server_omego_db_options: > - --dbhost {{ omero_server_dbhost | quote }} - --dbuser {{ omero_server_dbuser | quote }} - --dbname {{ omero_server_dbname | quote }} - --dbpass {{ omero_server_dbpassword | quote }} - {{ omero_server_database_manage | ternary('--managedb', '') }} + --dbhost {{ omero_server_dbhost | quote }} --dbuser {{ omero_server_dbuser | + quote }} --dbname {{ omero_server_dbname | quote }} --dbpass {{ + omero_server_dbpassword | quote }} {{ omero_server_database_manage | + ternary('--managedb', '') }} omero_server_omego_db_backup_options: > - --dbhost {{ omero_server_dbhost | quote }} - --dbuser {{ omero_server_dbuser | quote }} - --dbname {{ omero_server_dbname | quote }} - --dbpass {{ omero_server_dbpassword | quote }} + --dbhost {{ omero_server_dbhost | quote }} --dbuser {{ omero_server_dbuser | + quote }} --dbname {{ omero_server_dbname | 
quote }} --dbpass {{ + omero_server_dbpassword | quote }} diff --git a/roles/omero_server/handlers/main.yml b/roles/omero_server/handlers/main.yml index 45acc67b..72c1cd51 100644 --- a/roles/omero_server/handlers/main.yml +++ b/roles/omero_server/handlers/main.yml @@ -4,7 +4,7 @@ # This also avoids problems with ordering of handlers: # http://stackoverflow.com/a/35130254 -- name: Rewrite omero-server configuration # noqa no-changed-when +- name: Rewrite omero-server configuration # noqa: no-changed-when become: true become_user: "{{ omero_server_system_user }}" ansible.builtin.command: "{{ omero_server_config_update }}" diff --git a/roles/omero_server/tasks/omero-datadir.yml b/roles/omero_server/tasks/omero-datadir.yml index aad4b776..1384735f 100644 --- a/roles/omero_server/tasks/omero-datadir.yml +++ b/roles/omero_server/tasks/omero-datadir.yml @@ -42,8 +42,8 @@ state: link force: true when: >- - omero_server_datadir_bioformatscache != - (omero_server_datadir + "/BioFormatsCache") + omero_server_datadir_bioformatscache != (omero_server_datadir + + "/BioFormatsCache") - name: Create omero ManagedRepository become: true diff --git a/roles/omero_server/tasks/omero-install.yml b/roles/omero_server/tasks/omero-install.yml index f66e5324..0f434cff 100644 --- a/roles/omero_server/tasks/omero-install.yml +++ b/roles/omero_server/tasks/omero-install.yml @@ -36,11 +36,11 @@ - name: Check omero version could be obtained ansible.builtin.assert: msg: >- - OMERO.server found but unable to get version, - you may have a corrupt installation + OMERO.server found but unable to get version, you may have a corrupt + installation that: >- - not _omero_server_matches_virtualenv or - (omero_server_version | default('') | length > 0) + not _omero_server_matches_virtualenv or (omero_server_version | + default('') | length > 0) # TODO: If server was started by systemd but stopped directly you may end up # with a hanging process 
@@ -91,10 +91,8 @@ - name: Print upgrade error ansible.builtin.debug: msg: >- - Error comparing current version - ({{ omero_server_version | default('') }}) - and new version - ({{ _omero_server_new_version }}), upgrading + Error comparing current version ({{ omero_server_version | default('') + }}) and new version ({{ _omero_server_new_version }}), upgrading - name: Check upgrade failed ansible.builtin.set_fact: @@ -103,17 +101,16 @@ - name: Print upgrade required message ansible.builtin.debug: msg: >- - Upgrade needed: {{ omero_server_version | default('UNKNOWN') }} -> - {{ omero_server_release }} + Upgrade needed: {{ omero_server_version | default('UNKNOWN') }} -> {{ + omero_server_release }} when: _omero_server_update_needed # If the OMERO.server symlink doesn't exist don't upgrade, this is a new # installation - name: Set upgrade flag ansible.builtin.set_fact: - _omero_server_execute_upgrade: "{{ - omero_server_upgrade and - _omero_server_update_needed and + _omero_server_execute_upgrade: + "{{ omero_server_upgrade and _omero_server_update_needed and (omero_server_release != 'present') and omero_server_symlink_st.stat.exists }}" @@ -121,7 +118,7 @@ - name: Setup virtualenv3 become: true ansible.builtin.pip: - name: "pip>=21" + name: pip>=21 state: present virtualenv: "{{ omero_server_virtualenv_basedir }}" virtualenv_command: /usr/local/bin/ome-python3-virtualenv @@ -141,11 +138,9 @@ become: true become_user: "{{ omero_server_system_user }}" ansible.builtin.command: > - {{ omero_server_omego }} - install - {{ omero_server_omego_options }} - {{ omero_server_omego_db_options }} - --rootpass {{ omero_server_rootpassword | quote }} + {{ omero_server_omego }} install {{ omero_server_omego_options }} {{ + omero_server_omego_db_options }} --rootpass {{ omero_server_rootpassword | + quote }} args: chdir: "{{ omero_server_basedir }}" creates: "{{ omero_server_basedir }}/{{ omero_server_symlink }}" 
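Review bot: In the `@@ -141,11 +138,9 @@` hunk the reflowed `ansible.builtin.command` still places `--rootpass {{ omero_server_rootpassword | quote }}` and, through `omero_server_omego_db_options`, `--dbpass` on the omego command line; the rendered string is recorded in the task result and is visible to other local users in the process list while omego runs. The task body begins before the hunk, so I cannot see whether it sets `no_log: true`; if it does not, add `no_log: true` beside `args:` so verbose runs and callback plugins do not capture the passwords. The same applies to the `db dump` and `install --upgrade` commands in the `@@ -169,13 +164,11 @@` and `@@ -187,13 +180,11 @@` hunks, which pass `omero_server_omego_db_backup_options` and `omero_server_omego_db_options`.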
@@ -169,13 +164,11 @@ tags: - molecule-idempotence-notest -- name: Backup database # noqa no-changed-when +- name: Backup database # noqa: no-changed-when become: true become_user: "{{ omero_server_system_user }}" ansible.builtin.command: > - {{ omero_server_omego }} - db dump - {{ omero_server_omego_db_backup_options }} + {{ omero_server_omego }} db dump {{ omero_server_omego_db_backup_options }} --serverdir {{ omero_server_basedir }}/{{ omero_server_symlink }} args: chdir: "{{ omero_server_database_backupdir }}" @@ -187,13 +180,11 @@ - molecule-idempotence-notest # Upgrade -- name: Upgrade # noqa no-changed-when +- name: Upgrade # noqa: no-changed-when become: true become_user: "{{ omero_server_system_user }}" ansible.builtin.command: > - {{ omero_server_omego }} - install --upgrade - {{ omero_server_omego_options }} + {{ omero_server_omego }} install --upgrade {{ omero_server_omego_options }} {{ omero_server_omego_db_options }} args: chdir: "{{ omero_server_basedir }}" diff --git a/roles/omero_server/tasks/omero-ldap.yml b/roles/omero_server/tasks/omero-ldap.yml index 774b7e5c..1e66450f 100644 --- a/roles/omero_server/tasks/omero-ldap.yml +++ b/roles/omero_server/tasks/omero-ldap.yml @@ -1,5 +1,5 @@ --- -- name: "Ensure directories exist for cert files" +- name: Ensure directories exist for cert files ansible.builtin.file: path: "{{ item }}" owner: "{{ omero_server_system_user }}" diff --git a/roles/postgresql/README.md b/roles/postgresql/README.md index db6a5c99..7f73a152 100644 --- a/roles/postgresql/README.md +++ b/roles/postgresql/README.md 
@@ -42,9 +42,9 @@ Note, if `postgresql_use_ssl` is set to `true`, you will also need to define a Generation of new certificates can be disabled by setting `postgresql_generate_certs` to `false` (defaults to `true`). -See the [`mirsg.infrastructure.ssl_certificates` -README](../ssl_certificates/README.md) for a description of how to define this -variable. +See the +[`mirsg.infrastructure.ssl_certificates` README](../ssl_certificates/README.md) +for a description of how to define this variable. ### Required variables for the PostgreSQL client @@ -71,7 +71,9 @@ To use this role with a dual-server setup (a dartase `db` and a web server gather_facts: true tasks: - name: Disable default postgresl module and install rpm key on RedHat 8+ - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('7', '>') + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version('7', '>') block: - name: Disable default Postgres module # noqa command-instead-of-module ansible.builtin.command: yum module disable -y postgresql diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml index 647e803f..a00a1265 100644 --- a/roles/postgresql/defaults/main.yml +++ b/roles/postgresql/defaults/main.yml 
@@ -1,10 +1,10 @@ --- # defaults for mirsg.postgresql -postgresql_version: "12" -postgresql_service_name: "postgresql-{{ postgresql_version }}" -postgresql_package_name: "postgresql{{ postgresql_version | replace('.', '') }}" -postgresql_bin_directory: "/usr/pgsql-{{ postgresql_version }}/bin" -postgresql_data_directory: "/var/lib/pgsql/{{ postgresql_version }}/data" +postgresql_version: 12 +postgresql_service_name: postgresql-{{ postgresql_version }} +postgresql_package_name: postgresql{{ postgresql_version | replace('.', '') }} +postgresql_bin_directory: /usr/pgsql-{{ postgresql_version }}/bin +postgresql_data_directory: /var/lib/pgsql/{{ postgresql_version }}/data postgresql_generate_certs: true # mirsg.postgresql - download and install 
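Review bot: `postgresql_version: 12` now loads as an integer rather than the string `"12"` the old line carried, so the variable's type is decided by how it happens to be spelled; Jinja's `replace` filter stringifies its input, so `postgresql_package_name` still renders today, but a dotted release such as `9.6` would arrive as a float and a hypothetical `9.10` would silently become `9.1`. The same unquoting appears in the `roles/postgresql_upgrade/molecule/resources/inventory/group_vars/all.yml` hunk (`postgreql_upgrade_current_version: 12`, `postgreql_upgrade_new_version: 14`), and `roles/postgresql_upgrade/tasks/main.yml` passes the value on as a templated string, so the two spellings now coexist. I would keep version identifiers as strings, `postgresql_version: "12"`, and exempt that line from the formatter if it keeps stripping the quotes.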
@@ -19,32 +19,35 @@ postgresql_install: # mirsg.postgresql - general setup postgresql: - owner: "postgres" - group: "postgres" + owner: postgres + group: postgres bin_directory: "{{ postgresql_bin_directory }}" - base_directory: "/var/lib/pgsql" - log_directory: "/var/log/postgresql" + base_directory: /var/lib/pgsql + log_directory: /var/log/postgresql data_directory: "{{ postgresql_data_directory }}" configuration_directory: "{{ postgresql_data_directory }}" configuration_filename: "{{ postgresql_data_directory }}/postgresql.conf" hba_configuration_filename: "{{ postgresql_data_directory }}/pg_hba.conf" - data_files_regex: "/var/lib/pgsql(/.*)?" # required if SELinux is enabled, allow postgresql to modify these files - setup_command: "{{ postgresql_bin_directory }}/{{ postgresql_service_name }}-setup" + data_files_regex: /var/lib/pgsql(/.*)? # required if SELinux is enabled, allow postgresql to modify these files + setup_command: + "{{ postgresql_bin_directory }}/{{ postgresql_service_name }}-setup" # mirsg.postgresql - service postgresql_service: name: "{{ postgresql_service_name }}" - directory: "/etc/systemd/system/{{ postgresql_service_name }}.service.d" - filename: "/etc/systemd/system/{{ postgresql_service_name }}.service.d/postgresql_service.conf" + directory: /etc/systemd/system/{{ postgresql_service_name }}.service.d + filename: + /etc/systemd/system/{{ postgresql_service_name + }}.service.d/postgresql_service.conf # mirsg.postgresql - storage postgresql_storage: - storage_directory: "/storage/pgsql" - data_directory: "/storage/pgsql/{{ postgresql_version }}/data" # symlink to data_directory + storage_directory: /storage/pgsql + data_directory: /storage/pgsql/{{ postgresql_version }}/data # symlink to data_directory # mirsg.postgresql - backup postgresql_backup: - directory: "/var/lib/pgsql/backups" - script: "/var/lib/pgsql/run_db_backup.sh" # script to run cron backup job + directory: /var/lib/pgsql/backups + script: /var/lib/pgsql/run_db_backup.sh # 
script to run cron backup job postgresql_create_database: true diff --git a/roles/postgresql/molecule/resources/inventory/group_vars/all.yml b/roles/postgresql/molecule/resources/inventory/group_vars/all.yml index e213a9cc..c507e85c 100644 --- a/roles/postgresql/molecule/resources/inventory/group_vars/all.yml +++ b/roles/postgresql/molecule/resources/inventory/group_vars/all.yml @@ -1,15 +1,15 @@ --- -external_storage_drive: "/storage/molecule" +external_storage_drive: /storage/molecule selinux_enabled: false # mirsg.infrastructure.postgresql postgresql_use_ssl: false postgresql_database: - database_name: "database" - user_name: "user" - user_password: "password" + database_name: database + user_name: user + user_password: password postgresql_connection: - host: "molecule.instance.local" + host: molecule.instance.local port: 5432 client_ip: 0.0.0.0 listen_addresses: "'*'" diff --git a/roles/postgresql/tasks/configure_cron_backup.yml b/roles/postgresql/tasks/configure_cron_backup.yml index c8975fd1..94acdc39 100644 --- a/roles/postgresql/tasks/configure_cron_backup.yml +++ b/roles/postgresql/tasks/configure_cron_backup.yml @@ -9,16 +9,16 @@ - name: Generate Postgresql backup script ansible.builtin.template: - src: "run_db_backup.sh.j2" + src: run_db_backup.sh.j2 dest: "{{ postgresql_backup.script }}" owner: "{{ postgresql.owner }}" group: "{{ postgresql.group }}" mode: "0550" force: true -- name: "Ensure cron nightly backup exists for postgresql" +- name: Ensure cron nightly backup exists for postgresql ansible.builtin.cron: - name: "postgresql backup" + name: postgresql backup user: "{{ postgresql.owner }}" minute: "0" hour: "2" diff --git a/roles/postgresql/tasks/create_database.yml b/roles/postgresql/tasks/create_database.yml index bf7398c4..edc3c51b 100644 --- a/roles/postgresql/tasks/create_database.yml +++ b/roles/postgresql/tasks/create_database.yml 
@@ -1,5 +1,5 @@ --- -- name: "Create PostgreSQL user" +- name: Create PostgreSQL user become: true become_user: "{{ postgresql.owner }}" community.postgresql.postgresql_user: @@ -7,7 +7,7 @@ password: "{{ postgresql_database.user_password }}" port: "{{ postgresql_connection.port }}" -- name: "Create PostgreSQL database" +- name: Create PostgreSQL database become: true become_user: "{{ postgresql.owner }}" community.postgresql.postgresql_db: diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml index ffd34270..69f60fb3 100644 --- a/roles/postgresql/tasks/main.yml +++ b/roles/postgresql/tasks/main.yml @@ -7,7 +7,9 @@ - policycoreutils-python - python-psycopg2 state: installed - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('7') + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version('7') - name: Setup for RedHat 8+ - install sefcontext dependencies and psycopg2 ansible.builtin.yum: @@ -16,7 +18,9 @@ - policycoreutils-python-utils - python3-psycopg2 state: installed - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('7', '>') + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version('7', '>') - name: Ensure postgres RPM is installed ansible.builtin.yum: @@ -33,7 +37,9 @@ ansible.builtin.yum: name: "{{ postgresql_install.yum_contrib_package }}" state: installed - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('7') + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version('7') - name: Ensure postgresql is not running during configuration change ansible.builtin.service: 
@@ -44,8 +50,8 @@ - name: Ensure postgresql service configuration directory exists ansible.builtin.file: path: "{{ postgresql_service.directory }}" - owner: "root" - group: "root" + owner: root + group: root state: directory mode: "0755" @@ -53,8 +59,8 @@ ansible.builtin.template: src: postgresql.service.j2 dest: "{{ postgresql_service.filename }}" - owner: "root" - group: "root" + owner: root + group: root mode: "0644" register: postgresql_custom_service_config @@ -74,7 +80,8 @@ state: directory mode: "0700" -- name: Ensure postgresql base directory exists - {{ postgresql.base_directory }} +- name: + Ensure postgresql base directory exists - {{ postgresql.base_directory }} ansible.builtin.file: path: "{{ postgresql.base_directory }}" owner: "{{ postgresql.owner }}" @@ -105,9 +112,13 @@ ansible.builtin.file: path: "{{ postgresql.data_directory }}" state: absent - when: postgresql_data_directory_exists.stat.isdir is defined and postgresql_data_directory_exists.stat.isdir and postgresql_data_files.matched | int == 0 + when: + postgresql_data_directory_exists.stat.isdir is defined and + postgresql_data_directory_exists.stat.isdir and + postgresql_data_files.matched | int == 0 -- name: Ensure there is a symbolic link from postgresql data_directory to storage +- name: + Ensure there is a symbolic link from postgresql data_directory to storage ansible.builtin.file: src: "{{ postgresql_storage.data_directory }}" dest: "{{ postgresql.data_directory }}" @@ -117,7 +128,7 @@ - name: Create PostgreSQL database directory if it does not already exist ansible.builtin.command: "{{ postgresql.setup_command }} initdb" environment: - PATH: "$PATH:/sbin:/bin" + PATH: $PATH:/sbin:/bin args: creates: "{{ postgresql.data_directory }}/PG_VERSION" 
@@ -178,7 +189,9 @@ notify: Restore selinux contexts when: selinux_enabled -- name: "Ensure that any required restore of selinux contexts happens before postgres starts" +- name: + Ensure that any required restore of selinux contexts happens before postgres + starts ansible.builtin.meta: flush_handlers - name: Ensure postgresql is running @@ -188,7 +201,7 @@ enabled: true changed_when: false -- name: Reload service daemon if custom service config changed # noqa no-handler +- name: Reload service daemon if custom service config changed # noqa: no-handler ansible.builtin.service: name: "{{ postgresql_service.name }}" state: reloaded diff --git a/roles/postgresql_upgrade/README.md b/roles/postgresql_upgrade/README.md index 07254c90..8fc627ae 100644 --- a/roles/postgresql_upgrade/README.md +++ b/roles/postgresql_upgrade/README.md @@ -22,12 +22,12 @@ There are no Ansible-Galaxy dependencies for this role. ## Example Playbook -This role will perform `postgresql_upgrade` tasks on a managed host. Note that to -use this role you will need to make sure that any applications that use the +This role will perform `postgresql_upgrade` tasks on a managed host. Note that +to use this role you will need to make sure that any applications that use the associated Postgresql database are stopped before running the role. For -convenience a [playbook is provided in this -collection](../../playbooks/upgrade_postgresql.yml). To use this role, add it to -the list of roles in a play: +convenience a +[playbook is provided in this collection](../../playbooks/upgrade_postgresql.yml). +To use this role, add it to the list of roles in a play: ```yaml - name: Stop related web services 
@@ -45,8 +45,10 @@ the list of roles in a play: vars: postgreql_upgrade_current_version: 12 postgreql_upgrade_new_version: 14 - postgresql_upgrade_data_dir: "/var/lib/pgsql/{{ postgreql_upgrade_new_version }}/data" - postgresql_upgrade_scripts_dir: "/var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade" + postgresql_upgrade_data_dir: + "/var/lib/pgsql/{{ postgreql_upgrade_new_version }}/data" + postgresql_upgrade_scripts_dir: + "/var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade" roles: - mirsg.postgresql_upgrade diff --git a/roles/postgresql_upgrade/defaults/main.yml b/roles/postgresql_upgrade/defaults/main.yml index 13fca997..f9897a03 100644 --- a/roles/postgresql_upgrade/defaults/main.yml +++ b/roles/postgresql_upgrade/defaults/main.yml @@ -2,4 +2,5 @@ postgreql_upgrade_backup_script: /var/lib/pgsql/run_db_backup.sh postgresql_upgrade_postgresql_owner: postgres postgresql_upgrade_postgresql_group: postgres -postgresql_upgrade_scripts_dir: "/var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade" +postgresql_upgrade_scripts_dir: + /var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade diff --git a/roles/postgresql_upgrade/molecule/resources/inventory/group_vars/all.yml b/roles/postgresql_upgrade/molecule/resources/inventory/group_vars/all.yml index fe35112b..848fbb4c 100644 --- a/roles/postgresql_upgrade/molecule/resources/inventory/group_vars/all.yml +++ b/roles/postgresql_upgrade/molecule/resources/inventory/group_vars/all.yml 
@@ -1,21 +1,23 @@ --- -external_storage_drive: "/storage/molecule" +external_storage_drive: /storage/molecule selinux_enabled: false # mirsg.infrastructure.postgresql postgresql_use_ssl: false postgresql_database: - database_name: "database" - user_name: "user" - user_password: "password" + database_name: database + user_name: user + user_password: password postgresql_connection: - host: "molecule.instance.local" + host: molecule.instance.local port: 5432 client_ip: 0.0.0.0 listen_addresses: "'*'" subnet_mask: 255.255.255.255 -postgreql_upgrade_current_version: "12" -postgreql_upgrade_new_version: "14" -postgresql_upgrade_data_dir: "{{ external_storage_drive }}/pgsql/{{ postgreql_upgrade_new_version }}/data" -postgresql_upgrade_scripts_dir: "/var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade" +postgreql_upgrade_current_version: 12 +postgreql_upgrade_new_version: 14 +postgresql_upgrade_data_dir: + "{{ external_storage_drive }}/pgsql/{{ postgreql_upgrade_new_version }}/data" +postgresql_upgrade_scripts_dir: + /var/lib/pgsql/{{ postgreql_upgrade_current_version }}/upgrade diff --git a/roles/postgresql_upgrade/tasks/main.yml b/roles/postgresql_upgrade/tasks/main.yml index f7ec6465..b967dff8 100644 --- a/roles/postgresql_upgrade/tasks/main.yml +++ b/roles/postgresql_upgrade/tasks/main.yml 
@@ -9,10 +9,12 @@ Fail if new postgres data directory already exists ansible.builtin.fail: msg: > - Cannot upgrade because the new postgres directory - {{ postgresql_upgrade_data_dir }} already exists; this suggests an - upgrade has already been attempted - when: postgresql_upgrade_new_data_dir.stat.exists and postgresql_upgrade_new_data_dir.stat.isdir + Cannot upgrade because the new postgres directory {{ + postgresql_upgrade_data_dir }} already exists; this suggests an upgrade + has already been attempted + when: + postgresql_upgrade_new_data_dir.stat.exists and + postgresql_upgrade_new_data_dir.stat.isdir - name: Back up PostgreSQL ansible.builtin.command: "{{ postgreql_upgrade_backup_script }}" @@ -20,9 +22,11 @@ become_user: postgres changed_when: false -- name: Disable previous version of PostgreSQL - {{ postgreql_upgrade_current_version }} +- name: + Disable previous version of PostgreSQL - {{ + postgreql_upgrade_current_version }} ansible.builtin.service: - name: "postgresql-{{ postgreql_upgrade_current_version }}" + name: postgresql-{{ postgreql_upgrade_current_version }} state: stopped enabled: false @@ -30,13 +34,13 @@ ansible.builtin.include_role: name: mirsg.infrastructure.postgresql vars: - postgresql_version: "{{ postgreql_upgrade_new_version }}" # noqa var-naming[no-role-prefix] + postgresql_version: "{{ postgreql_upgrade_new_version }}" # noqa: var-naming[no-role-prefix] postgresql_create_database: false postgresql_generate_certs: false - name: Ensure new postgres is not running ansible.builtin.service: - name: "postgresql-{{ postgreql_upgrade_new_version }}" + name: postgresql-{{ postgreql_upgrade_new_version }} state: stopped - name: Remove any previous upgrade output 
@@ -45,8 +49,8 @@ state: absent - name: >- - Ensure directory for upgrade scripts exists - - {{ postgresql_upgrade_scripts_dir }} + Ensure directory for upgrade scripts exists - {{ + postgresql_upgrade_scripts_dir }} ansible.builtin.file: path: "{{ postgresql_upgrade_scripts_dir }}" owner: "{{ postgresql_upgrade_postgresql_owner }}" @@ -57,12 +61,11 @@ - name: Run PostgreSQL upgrade ansible.builtin.command: cmd: > - /usr/pgsql-{{ postgreql_upgrade_new_version }}/bin/pg_upgrade - -d /var/lib/pgsql/{{ postgreql_upgrade_current_version }}/data - -D /var/lib/pgsql/{{ postgreql_upgrade_new_version }}/data - -b /usr/pgsql-{{ postgreql_upgrade_current_version }}/bin - -B /usr/pgsql-{{ postgreql_upgrade_new_version }}/bin - -p 10094 -P 5432 + /usr/pgsql-{{ postgreql_upgrade_new_version }}/bin/pg_upgrade -d + /var/lib/pgsql/{{ postgreql_upgrade_current_version }}/data -D + /var/lib/pgsql/{{ postgreql_upgrade_new_version }}/data -b /usr/pgsql-{{ + postgreql_upgrade_current_version }}/bin -B /usr/pgsql-{{ + postgreql_upgrade_new_version }}/bin -p 10094 -P 5432 chdir: "{{ postgresql_upgrade_scripts_dir }}" become: true become_user: postgres 
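Review bot: The reflowed `cmd: >` for `pg_upgrade` now breaks lines inside `{{ … }}` delimiters (`-b /usr/pgsql-{{` / `postgreql_upgrade_current_version }}/bin`), which renders correctly because folding inserts a space Jinja tolerates, but it makes the binary paths and data-directory arguments hard to audit by eye and it will be reflowed differently each time the line width changes. Since `ansible.builtin.command` accepts an `argv:` list, expressing each path and flag as its own item keeps the formatter from ever splitting an expression and removes the dependence on shlex word-splitting of the folded string. The same split-inside-delimiters shape appears in the `tomcat_binary_url` and openssl `pkcs8` hunks later in the patch.

```yaml
- name: Run PostgreSQL upgrade
  ansible.builtin.command:
    argv:
      - /usr/pgsql-{{ postgreql_upgrade_new_version }}/bin/pg_upgrade
      - -d
      - /var/lib/pgsql/{{ postgreql_upgrade_current_version }}/data
      - -D
      - /var/lib/pgsql/{{ postgreql_upgrade_new_version }}/data
      - -b
      - /usr/pgsql-{{ postgreql_upgrade_current_version }}/bin
      - -B
      - /usr/pgsql-{{ postgreql_upgrade_new_version }}/bin
      - -p
      - "10094"
      - -P
      - "5432"
    # … unchanged: chdir, become, become_user …
```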
@@ -70,14 +73,16 @@ - name: Ensure new postgres is running - {{ postgreql_upgrade_new_version }} ansible.builtin.service: - name: "postgresql-{{ postgreql_upgrade_new_version }}" + name: postgresql-{{ postgreql_upgrade_new_version }} state: started enabled: true - name: Show suggested commands for removing old service ansible.builtin.debug: msg: - - "The PostgreSQL {{ postgreql_upgrade_current_version }} service has been disabled \ - but you may wish to remove it using the following commands on the db server:" - - "sudo yum remove postgresql{{ postgreql_upgrade_current_version }}-server" - - "sudo yum remove postgresql{{ postgreql_upgrade_current_version }}-libs" + - "The PostgreSQL {{ postgreql_upgrade_current_version }} service has been + disabled \ + but you may wish to remove it using the following commands on the db + server:" + - sudo yum remove postgresql{{ postgreql_upgrade_current_version }}-server + - sudo yum remove postgresql{{ postgreql_upgrade_current_version }}-libs diff --git a/roles/provision/README.md b/roles/provision/README.md index 8038fd31..cadb1e54 100644 --- a/roles/provision/README.md +++ b/roles/provision/README.md @@ -1,10 +1,14 @@ # Ansible Role: mirsg.provision -This role sets up for a specific distribution for CentOS (mirrorlist and locale) or Rocky8 (disable postgres), upgrades all packages and ensures epel is installed. +This role sets up for a specific distribution for CentOS (mirrorlist and locale) +or Rocky8 (disable postgres), upgrades all packages and ensures epel is +installed. ## Requirements -If you would like to run Ansible Molecule to test this role, the requirements are in [`requirements.txt`](https://github.com/UCL-MIRSG/ansible-role-install-python/blob/main/requirements.txt). +If you would like to run Ansible Molecule to test this role, the requirements +are in +[`requirements.txt`](https://github.com/UCL-MIRSG/ansible-role-install-python/blob/main/requirements.txt). ## Role Variables 
@@ -12,7 +16,8 @@ If you would like to run Ansible Molecule to test this role, the requirements ar `postgresql_rpm_gpg_key_pgdg_x86_64`: the postgresql key for ARM chips. These are not needed for CentOS 7. -`server_locale`: the sets the user's language, region, etc. This is set to "en_GB.UTF-8" +`server_locale`: the sets the user's language, region, etc. This is set to +"en_GB.UTF-8" `external_storage_drive`: path to mounted storage. By default this is undefined. @@ -22,7 +27,8 @@ There are no Ansible-Galaxy dependencies for this role. ## Example Playbook -This role will perform provision tasks on a managed host. To use this role, add it to the list of roles in a play: +This role will perform provision tasks on a managed host. To use this role, add +it to the list of roles in a play: ```yaml - name: Provision @@ -37,4 +43,6 @@ This role will perform provision tasks on a managed host. To use this role, add ## Author Information -This role was created by the [Medical Imaging Research Software Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) at [UCL](https://www.ucl.ac.uk/). +This role was created by the +[Medical Imaging Research Software Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) +at [UCL](https://www.ucl.ac.uk/). diff --git a/roles/provision/defaults/main.yml b/roles/provision/defaults/main.yml index 6a443be6..516d47da 100644 --- a/roles/provision/defaults/main.yml +++ b/roles/provision/defaults/main.yml @@ -5,4 +5,4 @@ postgresql_rpm_gpg_key_pgdg_x86_64: >- # not needed for CentOS 7 postgresql_rpm_gpg_key_pgdg_aarch64: >- https://apt.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-AARCH64-RHEL -server_locale: "en_GB.UTF-8" +server_locale: en_GB.UTF-8 
diff --git a/roles/provision/molecule/resources/inventory/group_vars/all.yml b/roles/provision/molecule/resources/inventory/group_vars/all.yml index 66c3269a..a4d42605 100644 --- a/roles/provision/molecule/resources/inventory/group_vars/all.yml +++ b/roles/provision/molecule/resources/inventory/group_vars/all.yml @@ -1,3 +1,3 @@ --- -external_storage_drive: "/storage/molecule" +external_storage_drive: /storage/molecule selinux_enabled: false diff --git a/roles/provision/tasks/CentOS.yml b/roles/provision/tasks/CentOS.yml index cc3785a4..35f1d075 100644 --- a/roles/provision/tasks/CentOS.yml +++ b/roles/provision/tasks/CentOS.yml @@ -31,7 +31,7 @@ - name: Allow install of other locales ansible.builtin.lineinfile: path: /etc/yum.conf - search_string: "override_install_langs=en_US.utf8" + search_string: override_install_langs=en_US.utf8 state: absent - name: Install locales # noqa: package-latest @@ -40,5 +40,6 @@ state: latest - name: Set locale - ansible.builtin.command: "localectl set-locale LANG={{ server_locale | quote }}" + ansible.builtin.command: + localectl set-locale LANG={{ server_locale | quote }} changed_when: false diff --git a/roles/provision/tasks/Rocky.yml b/roles/provision/tasks/Rocky.yml index dd669f7e..635f9ca1 100644 --- a/roles/provision/tasks/Rocky.yml +++ b/roles/provision/tasks/Rocky.yml @@ -2,10 +2,10 @@ - name: Ensure the ca-certificates package is installed become: true ansible.builtin.yum: - name: "ca-certificates" + name: ca-certificates state: present -- name: Disable default Postgres module # noqa command-instead-of-module +- name: Disable default Postgres module # noqa: command-instead-of-module ansible.builtin.command: yum module disable -y postgresql register: disable_postgresql_module changed_when: 
@@ -15,8 +15,8 @@ ansible.builtin.rpm_key: state: present key: >- - {{ lookup('vars', - 'postgresql_rpm_gpg_key_pgdg_' + ansible_architecture) }} + {{ lookup('vars', 'postgresql_rpm_gpg_key_pgdg_' + ansible_architecture) + }} - name: Check if locale already set ansible.builtin.shell: | @@ -35,5 +35,6 @@ state: present - name: Set locale - ansible.builtin.command: "localectl set-locale LANG={{ server_locale | quote }}" + ansible.builtin.command: + localectl set-locale LANG={{ server_locale | quote }} changed_when: false diff --git a/roles/provision/tasks/check_mounts.yml b/roles/provision/tasks/check_mounts.yml index 82fbe413..527013e8 100644 --- a/roles/provision/tasks/check_mounts.yml +++ b/roles/provision/tasks/check_mounts.yml @@ -19,7 +19,9 @@ state: started when: "'is not a mountpoint' in check_mountpoint.stdout" -- name: Check that storage has been mounted correctly if it was previously not mounted +- name: + Check that storage has been mounted correctly if it was previously not + mounted ansible.builtin.command: mountpoint {{ external_storage_drive }} when: "'is not a mountpoint' in check_mountpoint.stdout" register: check_mountpoint_again diff --git a/roles/provision/tasks/main.yml b/roles/provision/tasks/main.yml index a755f160..7d586bbb 100644 --- a/roles/provision/tasks/main.yml +++ b/roles/provision/tasks/main.yml @@ -1,13 +1,13 @@ --- -- name: "Check mounts are available" +- name: Check mounts are available tags: restart ansible.builtin.include_tasks: check_mounts.yml when: external_storage_drive is defined -- name: "Set up for specific distribution" +- name: Set up for specific distribution ansible.builtin.include_tasks: "{{ ansible_distribution }}.yml" -- name: Upgrade all packages # noqa package-latest +- name: Upgrade all packages # noqa: package-latest ansible.builtin.yum: name: "*" state: latest @@ -17,5 +17,5 @@ - name: Ensure epel is installed become: true ansible.builtin.yum: - name: "epel-release" + name: epel-release state: installed 
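Review bot: The `ansible.builtin.rpm_key` task still trusts whatever key the URL resolved by `lookup('vars', 'postgresql_rpm_gpg_key_pgdg_' + ansible_architecture)` serves, with no `fingerprint:` pin, so a substituted key at that URL would be accepted and would then validate every later package pulled from that repository; the commit only reflows the lookup. Supplying `fingerprint: "<PGDG signing-key fingerprint — fill in from the published key>"` next to `key:` makes the module verify the downloaded key before importing it. The task's `- name:` line sits above the hunk.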
diff --git a/roles/provision_accounts/README.md b/roles/provision_accounts/README.md index 3342e643..e8b7e3c4 100644 --- a/roles/provision_accounts/README.md +++ b/roles/provision_accounts/README.md @@ -16,7 +16,7 @@ containing: string with commas separating each group. For details on how to generated encrypted passwords, see: -https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module + ## Dependencies diff --git a/roles/provision_accounts/molecule/resources/inventory/group_vars/all.yml b/roles/provision_accounts/molecule/resources/inventory/group_vars/all.yml index 8030bc39..af3d56f0 100644 --- a/roles/provision_accounts/molecule/resources/inventory/group_vars/all.yml +++ b/roles/provision_accounts/molecule/resources/inventory/group_vars/all.yml @@ -5,4 +5,4 @@ os_users: # yamllint disable-line rule:line-length encrypted_password: $6$TSoIGqmpZJw24vqP$lrhHcIeuv3oi8kpBu3SVyqPeTLuXi5TJf5u7hUOY0vRb4MXWTp1Z/gsjAwC28EQrVnKOJwpw00tN8ExM6AoIC. -os_users_groups: "wheel" +os_users_groups: wheel diff --git a/roles/ssl_certificates/README.md b/roles/ssl_certificates/README.md index cc19e4cd..21a50120 100644 --- a/roles/ssl_certificates/README.md +++ b/roles/ssl_certificates/README.md 
@@ -1,12 +1,15 @@ # Ansible Role: mirsg.ssl_certificates -Generate SSL certificates using the [`community.crypto` collection](https://docs.ansible.com/ansible/latest/collections/community/crypto/index.html). +Generate SSL certificates using the +[`community.crypto` collection](https://docs.ansible.com/ansible/latest/collections/community/crypto/index.html). ## Requirements ### Using the role -If you would like to convert the private key to `pk8` format (`ssl_certificate.use_pk8: true`), you first need to ensure `openssl` is installed before using this role: +If you would like to convert the private key to `pk8` format +(`ssl_certificate.use_pk8: true`), you first need to ensure `openssl` is +installed before using this role: ```yaml - name: Install openssl @@ -18,7 +21,9 @@ If you would like to convert the private key to `pk8` format (`ssl_certificate.u ### Testing the role -If you would like to run Ansible Molecule to test this role, the requirements are in [`requirements.txt`](https://github.com/UCL-MIRSG/ansible-role-ssl-certificates/blob/main/requirements.txt). +If you would like to run Ansible Molecule to test this role, the requirements +are in +[`requirements.txt`](https://github.com/UCL-MIRSG/ansible-role-ssl-certificates/blob/main/requirements.txt). ## Role Variables 
@@ -34,19 +39,30 @@ The following values **must be included** in the `ssl_certificate` dictionary: `group`: name of the group that should own the certificate and associated files -`certificate_directory`: directory in which to write the certificate and associated files +`certificate_directory`: directory in which to write the certificate and +associated files -`privatekey_filename`: name of the file in which the generated SSL private key will be written +`privatekey_filename`: name of the file in which the generated SSL private key +will be written -`use_pk8`: boolean; if `true`, will convert the SSL private key to PKCS8 format using the [`community.crypto.openssl_privatekey_convert`](https://docs.ansible.com/ansible/devel/collections/community/crypto/openssl_privatekey_convert_module.html) module +`use_pk8`: boolean; if `true`, will convert the SSL private key to PKCS8 format +using the +[`community.crypto.openssl_privatekey_convert`](https://docs.ansible.com/ansible/devel/collections/community/crypto/openssl_privatekey_convert_module.html) +module -`pk8_filename`: name of the file in which the converted SSL private key will be written. A filename must be provided if `use_pk8` is `true`. +`pk8_filename`: name of the file in which the converted SSL private key will be +written. A filename must be provided if `use_pk8` is `true`. -`csr_filename`: name of the file into which the generated OpenSSL certificate signing request will be written +`csr_filename`: name of the file into which the generated OpenSSL certificate +signing request will be written -`csr_common_name`: the `commonName` field of the certificate signing request subject +`csr_common_name`: the `commonName` field of the certificate signing request +subject -`provider`: name of the provider to use to generate/retrieve the OpenSSL certificate. 
See the [`community.crypto.x509_certificate`](https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-provider) module documentation for options. +`provider`: name of the provider to use to generate/retrieve the OpenSSL +certificate. See the +[`community.crypto.x509_certificate`](https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-provider) +module documentation for options. ### Optional variables @@ -60,7 +76,8 @@ The following are **optional** values for the `ssl_certificate` dictionary: ## Example Playbook -Let's see how to generate self-signed SSL certificates for a PostgreSQL server and client. +Let's see how to generate self-signed SSL certificates for a PostgreSQL server +and client. First define variables for the server: @@ -78,10 +95,13 @@ ssl_certificate: csr_common_name: "db" certificate_filename: "/var/lib/pgsql/server.crt" provider: "selfsigned" - cache_filename: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/pg_certificates/db.postgresql_server.crt" + cache_filename: + "{{ lookup('env', 'HOME') + }}/ansible_persistent_files/pg_certificates/db.postgresql_server.crt" ``` -We also need to define variables for the client - here we assume the postgresql client is a tomcat server: +We also need to define variables for the client - here we assume the postgresql +client is a tomcat server: > `host_vars/web/vars` @@ -98,7 +118,9 @@ ssl_certificate: csr_common_name: "{{ web_hostname }}" certificate_filename: "/usr/share/tomcat/.postgresql/postgresql.crt" provider: "selfsigned" - cache_filename: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/pg_certificates/db.postgresql_client.crt" + cache_filename: + "{{ lookup('env', 'HOME') + }}/ansible_persistent_files/pg_certificates/db.postgresql_client.crt" ``` Then inside our playbook we can use the role: 
@@ -110,7 +132,9 @@ Then inside our playbook we can use the role: - mirsg.ssl_certificates ``` -After creating the certificates and (optionally) copying them both to a shared cache, you will need to copy to server certificate to the client and the client certificate to the server. +After creating the certificates and (optionally) copying them both to a shared +cache, you will need to copy to server certificate to the client and the client +certificate to the server. ## License @@ -118,4 +142,6 @@ After creating the certificates and (optionally) copying them both to a shared c ## Author Information -This role was created by the [Medical Imaging Research Software Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) at [UCL](https://www.ucl.ac.uk/). +This role was created by the +[Medical Imaging Research Software Group](https://www.ucl.ac.uk/advanced-research-computing/expertise/research-software-development/medical-imaging-research-software-group) +at [UCL](https://www.ucl.ac.uk/). diff --git a/roles/ssl_certificates/tasks/main.yml b/roles/ssl_certificates/tasks/main.yml index 3b424e13..636e4fe2 100644 --- a/roles/ssl_certificates/tasks/main.yml +++ b/roles/ssl_certificates/tasks/main.yml @@ -16,10 +16,11 @@ mode: "0400" register: new_privatekey_generated -- name: Convert private key to PKCS8 for use by JDBC # noqa no-changed-when +- name: Convert private key to PKCS8 for use by JDBC # noqa: no-changed-when ansible.builtin.command: - "openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \ - -in {{ ssl_certificate.privatekey_filename }} -out {{ ssl_certificate.pk8_filename }}" + openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in {{ + ssl_certificate.privatekey_filename }} -out {{ ssl_certificate.pk8_filename + }} when: new_privatekey_generated.changed and ssl_certificate.use_pk8 - name: Generate OpenSSL CSR 
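Review bot: The reflowed `openssl pkcs8 … -nocrypt` command writes an unencrypted DER copy of the private key to `ssl_certificate.pk8_filename` with whatever the process umask permits, whereas the PEM key it reads appears to have been created with `mode: "0400"` on the context line just above `register: new_privatekey_generated`; nothing in this hunk tightens the converted file, so unless a task outside the hunk does, the JDBC key may end up group- or world-readable. I would follow the conversion with a `file` task that pins the mode (and, since the README lists `ssl_certificate.group` as the owning group, the group), guarded by the same `use_pk8` condition. The `Generate OpenSSL CSR` task begins at the hunk's last line and continues outside it.

```yaml
  when: new_privatekey_generated.changed and ssl_certificate.use_pk8

- name: Ensure converted PKCS8 key is readable only by its owner
  ansible.builtin.file:
    path: "{{ ssl_certificate.pk8_filename }}"
    group: "{{ ssl_certificate.group }}"
    mode: "0400"
  when: ssl_certificate.use_pk8
```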
diff --git a/roles/tomcat/README.md b/roles/tomcat/README.md index 7395cf40..68d4e79d 100644 --- a/roles/tomcat/README.md +++ b/roles/tomcat/README.md @@ -13,21 +13,25 @@ A role for installing and configuring Apache Tomcat. `java_home`: Path to java installation. Defaults to "/usr/lib/jvm/jre". -`java_profile_d`: Directory in which to put a script for setting java home. Defaults to "/etc/profile.d". +`java_profile_d`: Directory in which to put a script for setting java home. +Defaults to "/etc/profile.d". ### Tomcat general settings -`tomcat_version`: The version of Tomcat to install. Defaults to the latest release of version 9. +`tomcat_version`: The version of Tomcat to install. Defaults to the latest +release of version 9. `tomcat_owner`: The OS user that has ownership of Tomcat. Defaults to "tomcat". -`tomcat_group`: The default OS group the `tomcat_owner` belongs in. Defaults to "tomcat". +`tomcat_group`: The default OS group the `tomcat_owner` belongs in. Defaults to +"tomcat". ### Tomcat WebApp settings `tomcat_webapp_name`: The name of the root web app. Defaults to "ROOT". -`tomcat_root`: The root web app location. Defaults to "/usr/share/tomcat/webapps/{{ +`tomcat_root`: The root web app location. Defaults to +"/usr/share/tomcat/webapps/{{ tomcat_webapp_name }}". `tomcat_root_webapp`: Path to the root web app war file. Defaults to @@ -43,9 +47,11 @@ apache-tomcat-{{ tomcat_version }}.tar.gz" ### Catalina settings -`tomcat_catalina_home`: The installation location. Defaults to "/usr/share/tomcat". +`tomcat_catalina_home`: The installation location. Defaults to +"/usr/share/tomcat". -`tomcat_catalina_opts`: Sets to `CATALINA_OPTS` environment variable. Defaults to: +`tomcat_catalina_opts`: Sets to `CATALINA_OPTS` environment variable. Defaults +to: ```yaml "-Xms4G -Xmx6G -XX:MetaspaceSize=300M -XX:+UseG1GC -server" 
@@ -59,18 +65,20 @@ apache-tomcat-{{ tomcat_version }}.tar.gz" `tomcat_server_config_file`: The web app configuration file. Defaults to "/usr/share/tomcat/conf/server.xml". -`tomcat_service_config_file`: The location of the systemd service file. Defaults to -"/etc/systemd/system/tomcat.service". +`tomcat_service_config_file`: The location of the systemd service file. Defaults +to "/etc/systemd/system/tomcat.service". ### Tomcat hostname and ports -`tomcat_hostname`: The hostname of the deployed web app. Defaults to `localhost`. +`tomcat_hostname`: The hostname of the deployed web app. Defaults to +`localhost`. `tomcat_server_port`: The server port. Defaults to `8005`. `tomcat_catalina_port`: The catalina port. Defaults to `8983`. -`tomcat_catalina_redirect_port`: Catalina port for redirects. Defaults to `8443`. +`tomcat_catalina_redirect_port`: Catalina port for redirects. Defaults to +`8443`. `tomcat_shutdown_port`: Port for triggering server shutdown. Defaults to `8005`. @@ -78,11 +86,11 @@ apache-tomcat-{{ tomcat_version }}.tar.gz" ### Tomcat back settings -`tomcat_backup_directory`: Where to backup files to before an upgrade. Defaults to -`/usr/share/tomcat_bkp`. +`tomcat_backup_directory`: Where to backup files to before an upgrade. Defaults +to `/usr/share/tomcat_bkp`. -`tomcat_items_to_restore`: A list containing the following items to be restored after -an upgrade. Defaults to: +`tomcat_items_to_restore`: A list containing the following items to be restored +after an upgrade. Defaults to: ```yaml - "{{ tomcat_backup_directory }}/webapps" diff --git a/roles/tomcat/defaults/main.yml b/roles/tomcat/defaults/main.yml index 54bc4980..e31ae382 100644 --- a/roles/tomcat/defaults/main.yml +++ b/roles/tomcat/defaults/main.yml 
@@ -13,15 +13,15 @@ tomcat_group: tomcat # mirsg.tomcat: webapp tomcat_webapp_name: ROOT -tomcat_root: "/usr/share/tomcat/webapps/{{ tomcat_webapp_name }}" +tomcat_root: /usr/share/tomcat/webapps/{{ tomcat_webapp_name }} tomcat_root_webapp: "{{ tomcat_root }}.war" -tomcat_binary_url: "https://archive.apache.org/dist/tomcat/tomcat-\ - {{ tomcat_version.split('.')[0] }}/v{{ tomcat_version }}/bin/\ - apache-tomcat-{{ tomcat_version }}.tar.gz" +tomcat_binary_url: + https://archive.apache.org/dist/tomcat/tomcat-{{ tomcat_version.split('.')[0] + }}/v{{ tomcat_version }}/bin/apache-tomcat-{{ tomcat_version }}.tar.gz # mirsg.tomcat catalina tomcat_catalina_home: /usr/share/tomcat -tomcat_catalina_opts: "-Xms4G -Xmx6G -XX:MetaspaceSize=300M -XX:+UseG1GC -server" +tomcat_catalina_opts: -Xms4G -Xmx6G -XX:MetaspaceSize=300M -XX:+UseG1GC -server # mirsg.tomcat configs tomcat_config_file: "{{ tomcat_catalina_home }}/conf/tomcat.conf" diff --git a/roles/tomcat/molecule/resources/prepare.yml b/roles/tomcat/molecule/resources/prepare.yml index 9244a3ee..6a49f524 100644 --- a/roles/tomcat/molecule/resources/prepare.yml +++ b/roles/tomcat/molecule/resources/prepare.yml @@ -9,4 +9,6 @@ state: present roles: - role: mirsg.infrastructure.install_java - java_package: "{{ 'java-11-openjdk' if 'tomcat10' in group_names else 'java-1.8.0-openjdk'}}" + java_package: + "{{ 'java-11-openjdk' if 'tomcat10' in group_names else + 'java-1.8.0-openjdk'}}" diff --git a/roles/tomcat/molecule/resources/verify.yml b/roles/tomcat/molecule/resources/verify.yml index 76f18c6b..d1cd7b90 100644 --- a/roles/tomcat/molecule/resources/verify.yml +++ b/roles/tomcat/molecule/resources/verify.yml 
@@ -16,13 +16,14 @@ set -o pipefail ./version.sh | grep -oP '(?<=Apache Tomcat/)([0-9]+\.?)+' args: - chdir: "/usr/share/tomcat/bin" + chdir: /usr/share/tomcat/bin register: tomcat_check_version changed_when: false - name: Check Tomcat version is correct ansible.builtin.assert: that: - - tomcat_check_version.stdout.split(".")[0] is version(expected_version) + - tomcat_check_version.stdout.split(".")[0] is + version(expected_version) vars: expected_version: "{{ '10' if 'tomcat10' in group_names else '9' }}" diff --git a/roles/tomcat/tasks/main.yml b/roles/tomcat/tasks/main.yml index c1d40852..4982443a 100644 --- a/roles/tomcat/tasks/main.yml +++ b/roles/tomcat/tasks/main.yml @@ -1,24 +1,32 @@ --- - name: Ensure Ansible seport dependencies are installed ansible.builtin.yum: - name: ["libselinux-python", "policycoreutils-python"] + name: + - libselinux-python + - policycoreutils-python state: installed - when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('7') + when: + ansible_facts['os_family'] == 'RedHat' and + ansible_facts['distribution_major_version'] is version('7') - name: Ensure Ansible seport dependencies are installed ansible.builtin.yum: - name: ["python3-libselinux", "policycoreutils-python-utils"] + name: + - python3-libselinux + - policycoreutils-python-utils state: installed - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version("8", ">=") + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version("8", ">=") - name: Ensure epel is installed ansible.builtin.yum: - name: "epel-release" + name: epel-release state: installed - name: Ensure Tomcat Native library is installed ansible.builtin.yum: - name: "tomcat-native" + name: tomcat-native state: installed - name: Configure SELinux to allow Tomcat to listen on port {{ tomcat_port }} 
@@ -53,13 +61,15 @@ args: chdir: "{{ tomcat_catalina_home }}/bin" register: tomcat_check_version - when: "tomcat_check.stat.exists" + when: tomcat_check.stat.exists changed_when: false failed_when: tomcat_check_version.stderr - name: Upgrade/install Tomcat if needed ansible.builtin.include_tasks: tasks/upgrade.yml - when: "not tomcat_check.stat.exists or tomcat_version not in tomcat_check_version.stdout" + when: + not tomcat_check.stat.exists or tomcat_version not in + tomcat_check_version.stdout - name: Copy tomcat service file ansible.builtin.template: @@ -111,7 +121,7 @@ block: - name: Trigger restart tomcat ansible.builtin.debug: - msg: "trigger restart tomcat" + msg: trigger restart tomcat notify: restart tomcat changed_when: false - name: Force handler to run now diff --git a/roles/tomcat/tasks/upgrade.yml b/roles/tomcat/tasks/upgrade.yml index 829d3c49..e5ebe4ab 100644 --- a/roles/tomcat/tasks/upgrade.yml +++ b/roles/tomcat/tasks/upgrade.yml @@ -3,13 +3,14 @@ ansible.builtin.service: name: tomcat state: stopped - when: "tomcat_check.stat.exists" + when: tomcat_check.stat.exists - name: Back up existing Tomcat {{ tomcat_catalina_home }} - ansible.builtin.command: "mv {{ tomcat_catalina_home }} {{ tomcat_backup_directory }}" + ansible.builtin.command: + mv {{ tomcat_catalina_home }} {{ tomcat_backup_directory }} args: creates: "{{ tomcat_backup_directory }}" - when: "tomcat_check.stat.exists" + when: tomcat_check.stat.exists - name: Remove currently installed Tomcat folder ansible.builtin.file: @@ -31,7 +32,7 @@ remote_src: true owner: "{{ tomcat_owner }}" group: "{{ tomcat_group }}" - extra_opts: "--strip-components=1" + extra_opts: --strip-components=1 creates: "{{ tomcat_catalina_home }}/bin" - name: Remove default Tomcat webapps 
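Review bot: In the upgrade.yml backup hunk, the `mv {{ tomcat_catalina_home }} {{ tomcat_backup_directory }}` task is guarded by `creates: "{{ tomcat_backup_directory }}"`, so on a later upgrade where that directory still exists from an earlier run the move is skipped, and the next task (`Remove currently installed Tomcat folder`, whose body is outside the hunk) would then appear to act on a live install that has no fresh backup. If that one-shot behaviour is intended it deserves a comment above the task; otherwise registering a `stat` of the backup directory beforehand and failing when it already exists, or putting a timestamp in the backup path, would make the condition explicit instead of silent. The `when: tomcat_check.stat.exists` lines are only unquoted here and need nothing further.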
@@ -63,11 +64,11 @@ mode: preserve remote_src: true when: - - "tomcat_check.stat.exists" - - "pipeline_installer_folder.stat.exists" + - tomcat_check.stat.exists + - pipeline_installer_folder.stat.exists notify: Restart tomcat -- name: "Restore previously installed apps and files" +- name: Restore previously installed apps and files ansible.builtin.copy: src: "{{ item }}" dest: "{{ tomcat_catalina_home }}" @@ -77,13 +78,14 @@ remote_src: true loop: "{{ tomcat_items_to_restore }}" - when: "tomcat_check.stat.exists" + when: tomcat_check.stat.exists notify: Restart tomcat - name: Show suggested commands for removing backed-up Tomcat folder ansible.builtin.debug: msg: - - "A backup of the previously installed Tomcat folder was created at {{ tomcat_backup_directory }}" - - "You may wish to remove this" - - "e.g sudo rm -rf {{ tomcat_backup_directory }}" - when: "tomcat_check.stat.exists" + - A backup of the previously installed Tomcat folder was created at {{ + tomcat_backup_directory }} + - You may wish to remove this + - e.g sudo rm -rf {{ tomcat_backup_directory }} + when: tomcat_check.stat.exists diff --git a/roles/xnat/defaults/main.yml b/roles/xnat/defaults/main.yml index ea672986..27668573 100644 --- a/roles/xnat/defaults/main.yml +++ b/roles/xnat/defaults/main.yml @@ -18,12 +18,12 @@ xnat_link_data_directory: true # Mail server settings xnat_smtp_enabled: false xnat_smtp_hostname: "" -xnat_smtp_port: "2525" -xnat_smtp_protocol: "smtp" +xnat_smtp_port: 2525 +xnat_smtp_protocol: smtp xnat_smtp_auth: "" xnat_smtp_username: "" xnat_smtp_password: "{{ vault_smtp_password | default(omit) }}" -xnat_smtp_start_tls: "false" +xnat_smtp_start_tls: false xnat_smtp_ssl_trust: "*" # LDAP configuration 
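Review bot: In the xnat defaults hunk, `xnat_smtp_port: "2525"` → `2525` and `xnat_smtp_start_tls: "false"` → `false` change the variables' types rather than just their quoting: `{{ xnat_smtp_start_tls }}` now renders as `False` instead of `false`, and the port becomes an integer. Whether that matters depends on the consumer (a properties template or a JSON `body:`), which is not visible here; either confirm it accepts these forms or keep the quoted strings with a `# keep quoted: consumer expects a string` comment so a formatter does not retype them again. Separately, the context line `xnat_smtp_ssl_trust: "*"` appears to trust any SMTP server certificate if it maps onto JavaMail's `mail.smtp.ssl.trust`; a one-line comment stating that this default disables SMTP certificate verification and should be narrowed to the real mail host would help operators.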
@@ -39,24 +39,24 @@ xnat_ldap_keystore_alias: "" # Plugins xnat_plugin_urls: - - "https://api.bitbucket.org/2.0/repositories/xnatdev/xsync/downloads/xsync-plugin-all-1.7.0.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatx/ldap-auth-plugin/downloads/ldap-auth-plugin-1.1.0.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatdev/container-service/downloads/container-service-3.4.3-fat.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-batch-launch-plugin/downloads/batch-launch-0.6.0.jar" - - "https://github.com/VUIIS/dax/raw/main/misc/xnat-plugins/dax-plugin-genProcData-1.4.2.jar" - - "https://api.bitbucket.org/2.0/repositories/icrimaginginformatics/ohif-viewer-xnat-plugin/downloads/ohif-viewer-3.6.1.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatx/ml-plugin/downloads/ml-plugin-1.0.2.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatx/datasets-plugin/downloads/datasets-plugin-1.0.3.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatdev/xnat-image-viewer-plugin/downloads/ximgview-plugin-1.0.2.jar" - - "https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-dxm-settings-plugin/downloads/dxm-settings-plugin-1.0.jar" + - https://api.bitbucket.org/2.0/repositories/xnatdev/xsync/downloads/xsync-plugin-all-1.7.0.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/ldap-auth-plugin/downloads/ldap-auth-plugin-1.1.0.jar + - https://api.bitbucket.org/2.0/repositories/xnatdev/container-service/downloads/container-service-3.4.3-fat.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-batch-launch-plugin/downloads/batch-launch-0.6.0.jar + - https://github.com/VUIIS/dax/raw/main/misc/xnat-plugins/dax-plugin-genProcData-1.4.2.jar + - https://api.bitbucket.org/2.0/repositories/icrimaginginformatics/ohif-viewer-xnat-plugin/downloads/ohif-viewer-3.6.1.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/ml-plugin/downloads/ml-plugin-1.0.2.jar + - 
https://api.bitbucket.org/2.0/repositories/xnatx/datasets-plugin/downloads/datasets-plugin-1.0.3.jar + - https://api.bitbucket.org/2.0/repositories/xnatdev/xnat-image-viewer-plugin/downloads/ximgview-plugin-1.0.2.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-dxm-settings-plugin/downloads/dxm-settings-plugin-1.0.jar -xnat_plugin_bundle_urls: [] -xnat_plugin_packages: [] -xnat_server_specific_plugin_urls: [] -xnat_server_specific_plugin_packages: [] +xnat_plugin_bundle_urls: [] # yamllint disable-line rule:brackets +xnat_plugin_packages: [] # yamllint disable-line rule:brackets +xnat_server_specific_plugin_urls: [] # yamllint disable-line rule:brackets +xnat_server_specific_plugin_packages: [] # yamllint disable-line rule:brackets # Path to server logo file -xnat_config_logo: "/images/logo.png" # use the default XNAT logo +xnat_config_logo: /images/logo.png # use the default XNAT logo # Pipeline engine xnat_pipeline_engine_enabled: true diff --git a/roles/xnat/tasks/configure.yml b/roles/xnat/tasks/configure.yml index 4eddc1e6..aaf80953 100644 --- a/roles/xnat/tasks/configure.yml +++ b/roles/xnat/tasks/configure.yml @@ -1,14 +1,18 @@ --- -- name: "Ensure any Tomcat restart handlers have been called before REST configuration" +- name: + Ensure any Tomcat restart handlers have been called before REST + configuration ansible.builtin.meta: flush_handlers -- name: "Ensure Tomcat is running" +- name: Ensure Tomcat is running ansible.builtin.service: - name: "tomcat" + name: tomcat state: started enabled: true -- name: "Waiting for Tomcat to start - this could take several minutes: {{ web_server.url }}" +- name: + "Waiting for Tomcat to start - this could take several minutes: {{ + web_server.url }}" tags: restart ansible.builtin.uri: url: "{{ web_server.url }}" 
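Review bot: In the `xnat_plugin_urls` hunk, the entry `https://github.com/VUIIS/dax/raw/main/misc/xnat-plugins/dax-plugin-genProcData-1.4.2.jar` points at the mutable `main` branch while every other entry is a versioned artifact, so the jar actually deployed can change without any change to this file. Pinning that URL to a tag or commit would make the plugin set reproducible, and since no entry carries a digest, the download task (not in this hunk) could consume a list of `url`/`checksum` pairs and pass `checksum: sha256:<digest>` to `ansible.builtin.get_url` instead of trusting the URL alone. Dropping the quotes on the URLs is safe as written, because none of them contain `: ` or ` #`.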
@@ -35,25 +39,27 @@ # To do this, first request a restricted page using the default admin credentials. # If this succeeds (200), this is the initial run and the password needs to be changed. # Subsequently, this should return 401 indicating the password has already been changed and/or the account is disabled. -- name: "Checking if the default admin credentials are the default values" +- name: Checking if the default admin credentials are the default values ansible.builtin.uri: url: "{{ web_server.url }}/xapi/siteConfig" - user: "admin" - password: "admin" + user: admin + password: admin method: GET validate_certs: "{{ ssl.validate_certs }}" status_code: 200, 401 register: admin_default_auth # If the previous call succeeded, it means the default admin password has not yet been changed so we change it now -- name: "Changing default admin password" +- name: Changing default admin password ansible.builtin.uri: url: "{{ web_server.url }}/xapi/users/admin" - user: "admin" - password: "admin" + user: admin + password: admin method: PUT body_format: json - body: '{"password":"{{ xnat_config.admin_password }}", "confirmPassword":"{{ xnat_config.admin_password }}"}' + body: + password: "{{ xnat_config.admin_password }}" + confirmPassword: "{{ xnat_config.admin_password }}" validate_certs: "{{ ssl.validate_certs }}" status_code: 200 register: create 
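Review bot: The `Changing default admin password` task now sends `{{ xnat_config.admin_password }}` in a structured `body:` mapping but still carries no `no_log: true`, so the new password appears in the module arguments on a verbose run (`-v`) and in any callback that records task args; the `user`/`password` module parameters are masked by the `uri` module, the contents of `body` are not. Adding `no_log: true` to this task, and outside this hunk to any other task whose `body:` carries a credential, closes that. The move from a hand-built JSON string to a mapping with `body_format: json` is an improvement, since a password containing `"` or `\` is now serialised correctly instead of breaking the request.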
@@ -65,10 +71,10 @@ # If an authentication error occurs (401) then the default admin is disabled, so we assume the service account must already exist # If this succeeds (200) then the service_admin is already present, but the default admin is still enabled # If user is not found (404 or 500) then the service_admin has not yet been created and the default admin is still enabled -- name: "Check existence of service admin user using default admin" +- name: Check existence of service admin user using default admin ansible.builtin.uri: url: "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username }}" - user: "admin" + user: admin password: "{{ xnat_config.admin_password }}" method: GET validate_certs: "{{ ssl.validate_certs }}" @@ -76,10 +82,10 @@ register: service_admin_check # If the above service_admin_check failed with a non-authentication error (404, 500), then we create the service account -- name: "Create service admin user" +- name: Create service admin user ansible.builtin.uri: url: "{{ web_server.url }}/xapi/users/" - user: "admin" + user: admin password: "{{ xnat_config.admin_password }}" method: POST body_format: json @@ -101,10 +107,12 @@ when: service_admin_check.status not in [200, 401] # Ensure that the created service_admin user has the correct admin role -- name: "Set service admin user roles" +- name: Set service admin user roles ansible.builtin.uri: - url: "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username }}/roles/Administrator" - user: "admin" + url: + "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username + }}/roles/Administrator" + user: admin password: "{{ xnat_config.admin_password }}" method: PUT validate_certs: "{{ ssl.validate_certs }}" 
@@ -112,10 +120,12 @@ when: service_admin_check.status != 401 # Ensure that the created service_admin user is non-expiring -- name: "Set service admin account to non-expiring" +- name: Set service admin account to non-expiring ansible.builtin.uri: - url: "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username }}/roles/non_expiring" - user: "admin" + url: + "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username + }}/roles/non_expiring" + user: admin password: "{{ xnat_config.admin_password }}" method: PUT validate_certs: "{{ ssl.validate_certs }}" @@ -123,10 +133,12 @@ when: service_admin_check.status != 401 # Give the created service_admin access to all data -- name: "Set service admin role to all data admin" +- name: Set service admin role to all data admin ansible.builtin.uri: - url: "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username }}/groups/ALL_DATA_ADMIN" - user: "admin" + url: + "{{ web_server.url }}/xapi/users/{{ xnat_service_admin.username + }}/groups/ALL_DATA_ADMIN" + user: admin password: "{{ xnat_config.admin_password }}" method: PUT validate_certs: "{{ ssl.validate_certs }}" @@ -134,7 +146,7 @@ when: service_admin_check.status != 401 # All further admin actions can then be undertaken using the new service_admin -- name: "XNAT configuration" +- name: XNAT configuration ansible.builtin.uri: url: "{{ web_server.url }}/xapi/siteConfig" user: "{{ xnat_service_admin.username }}" @@ -147,7 +159,7 @@ register: login # The default admin is disabled once it is verified that the service_admin works -- name: "Disable default admin user" +- name: Disable default admin user ansible.builtin.uri: url: "{{ web_server.url }}/xapi/users/admin" user: "{{ xnat_service_admin.username }}" @@ -161,7 +173,7 @@ status_code: 200, 201, 304 when: service_admin_check.status != 401 -- name: "Disable the guest user" +- name: Disable the guest user ansible.builtin.uri: url: "{{ web_server.url }}/xapi/users/guest" user: "{{ xnat_service_admin.username }}" 
@@ -175,7 +187,7 @@ status_code: 200, 201, 304 when: service_admin_check.status != 401 -- name: "Store automation scripts" +- name: Store automation scripts ansible.builtin.uri: url: "{{ web_server.url }}/data/automation/scripts/{{ item.id }}" user: "{{ xnat_service_admin.username }}" diff --git a/roles/xnat/tasks/directories.yml b/roles/xnat/tasks/directories.yml index d352ec41..7b1441ec 100644 --- a/roles/xnat/tasks/directories.yml +++ b/roles/xnat/tasks/directories.yml @@ -8,14 +8,16 @@ mode: "0700" when: xnat_create_data_directory and external_storage_drive is defined -- name: Ensure there is a symbolic link from XNAT data directory to storage directory +- name: + Ensure there is a symbolic link from XNAT data directory to storage + directory ansible.builtin.file: src: "{{ web_server.storage_dir }}" dest: "{{ xnat_data_dir }}" state: link when: xnat_link_data_directory and external_storage_drive is defined -- name: "Ensure XNAT subdirectories exist" +- name: Ensure XNAT subdirectories exist ansible.builtin.file: path: "{{ item }}" owner: "{{ xnat.owner }}" @@ -36,7 +38,7 @@ - "{{ xnat_plugins_dir }}" - "{{ xnat_work_dir }}" -- name: "Ensure XNAT subdirectory ownership is correct" +- name: Ensure XNAT subdirectory ownership is correct ansible.builtin.file: path: "{{ xnat_root_dir }}" state: directory diff --git a/roles/xnat/tasks/ldap.yml b/roles/xnat/tasks/ldap.yml index 679d9c05..e8b63734 100644 --- a/roles/xnat/tasks/ldap.yml +++ b/roles/xnat/tasks/ldap.yml @@ -1,5 +1,5 @@ --- -- name: "Ensure directories exist for cert files" +- name: Ensure directories exist for cert files ansible.builtin.file: path: "{{ item }}" owner: "{{ xnat.owner }}" @@ -28,7 +28,7 @@ - name: Configure LDAP for XNAT ansible.builtin.template: - src: "ldap1-provider.properties.j2" + src: ldap1-provider.properties.j2 dest: "{{ xnat_config_dir }}/auth/ldap1-provider.properties" owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" 
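Review bot: In the ldap.yml `Configure LDAP for XNAT` hunk, the template writes `{{ xnat_config_dir }}/auth/ldap1-provider.properties` with `owner` and `group` taken from `xnat`, but the `mode:` line lies outside the hunk, so it cannot be seen here whether the file is restricted. If that properties file carries an LDAP bind DN and password, it should be written with `mode: "0600"`, and a comment above the task such as `# holds LDAP bind credentials – keep mode 0600` would keep that requirement visible through future formatter-driven changes. The directories.yml hunks are quoting-only and need nothing.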
diff --git a/roles/xnat/tasks/main.yml b/roles/xnat/tasks/main.yml index 846065e1..72325753 100644 --- a/roles/xnat/tasks/main.yml +++ b/roles/xnat/tasks/main.yml @@ -3,11 +3,15 @@ ansible.builtin.pip: name: - lxml - when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '>=') + when: + ansible_facts['os_family'] == "RedHat" and + ansible_facts['distribution_major_version'] is version('8', '>=') - name: Ensure dependencies are installed ansible.builtin.yum: - name: ["postgresql", "wget"] + name: + - postgresql + - wget state: installed - name: Get postgres server certificate from cache @@ -19,25 +23,25 @@ mode: "0600" when: postgresql_use_ssl -- name: "Configure XNAT directories" +- name: Configure XNAT directories ansible.builtin.include_tasks: directories.yml -- name: "Add or upgrade XNAT code" +- name: Add or upgrade XNAT code ansible.builtin.include_tasks: upgrade_xnat.yml -- name: "Add or upgrade plugins" +- name: Add or upgrade plugins ansible.builtin.include_tasks: plugins.yml -- name: "Add or upgrade pipeline installer" +- name: Add or upgrade pipeline installer ansible.builtin.include_tasks: pipelines.yml when: xnat_pipeline_engine_enabled -- name: "Configure XNAT settings files" +- name: Configure XNAT settings files ansible.builtin.include_tasks: settings_files.yml -- name: "Configure LDAP for XNAT" +- name: Configure LDAP for XNAT ansible.builtin.include_tasks: ldap.yml when: xnat_ldap_enabled -- name: "XNAT site configuration" +- name: XNAT site configuration ansible.builtin.include_tasks: configure.yml diff --git a/roles/xnat/tasks/pipelines.yml b/roles/xnat/tasks/pipelines.yml index 1e073c05..d3f14171 100644 --- a/roles/xnat/tasks/pipelines.yml +++ b/roles/xnat/tasks/pipelines.yml 
@@ -2,13 +2,15 @@ - name: Download pipelines installer ansible.builtin.get_url: url: "{{ xnat_source.pipelines_url }}" - dest: "{{ xnat_source.xnat_downloads_dir }}/{{ xnat_source.pipeline_installer_file_name }}" + dest: + "{{ xnat_source.xnat_downloads_dir }}/{{ + xnat_source.pipeline_installer_file_name }}" timeout: 30 owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" mode: "0644" -- name: "Ensure pipeline installer folder exists" +- name: Ensure pipeline installer folder exists ansible.builtin.file: path: "{{ xnat.pipeline_install_dir }}" owner: "{{ xnat.owner }}" @@ -16,19 +18,22 @@ state: directory mode: "0755" -- name: "Extract pipeline installer files" +- name: Extract pipeline installer files ansible.builtin.unarchive: - src: "{{ xnat_source.xnat_downloads_dir }}/{{ xnat_source.pipeline_installer_file_name }}" + src: + "{{ xnat_source.xnat_downloads_dir }}/{{ + xnat_source.pipeline_installer_file_name }}" dest: "{{ xnat.pipeline_install_dir }}" owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" remote_src: true - extra_opts: [--strip-components=1] + extra_opts: + - --strip-components=1 register: pipeline_extract -- name: "Configure pipeline installer gradle.properties" +- name: Configure pipeline installer gradle.properties ansible.builtin.template: - src: "gradle.properties.j2" + src: gradle.properties.j2 dest: "{{ xnat.pipeline_install_dir }}/gradle.properties" owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" 
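Review bot: The `Download pipelines installer` task in this hunk fetches `{{ xnat_source.pipelines_url }}` with `ansible.builtin.get_url` and, as far as the visible parameters go (`url`, `dest`, `timeout`, `owner`, `group`, `mode`), sets no `checksum:`, yet the archive is later unpacked and run through `./gradlew` in the `Run pipeline builder` task further down. A `checksum: sha256:<digest-of-installer>` (or a new variable alongside `pipelines_url`, name to be chosen, holding that digest) would tie the executed code to a known artifact instead of whatever the URL serves that day. The check belongs on the download even when the file is also cached in `xnat_downloads_dir`, since that is where the untrusted bytes enter.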
@@ -41,14 +46,16 @@ path: "{{ xnat_pipeline_dir }}/config" register: pipeline_deployment -- name: "Run pipeline builder" +- name: Run pipeline builder ansible.builtin.command: ./gradlew args: chdir: "{{ xnat.pipeline_install_dir }}" - when: pipeline_extract.changed or pipeline_config.changed or not pipeline_deployment.stat.exists + when: + pipeline_extract.changed or pipeline_config.changed or not + pipeline_deployment.stat.exists changed_when: false -- name: "Ensure pipelines subdirectory ownership is correct" +- name: Ensure pipelines subdirectory ownership is correct ansible.builtin.file: path: "{{ xnat_pipeline_dir }}" state: directory diff --git a/roles/xnat/tasks/plugins.yml b/roles/xnat/tasks/plugins.yml index 2392fc6f..7d6e0484 100644 --- a/roles/xnat/tasks/plugins.yml +++ b/roles/xnat/tasks/plugins.yml @@ -1,10 +1,10 @@ --- - name: Ensure unzip is installed ansible.builtin.yum: - name: "unzip" + name: unzip state: installed -- name: "Ensure download directories exist" +- name: Ensure download directories exist ansible.builtin.file: path: "{{ item }}" state: directory 
@@ -61,30 +61,34 @@ with_items: - "{{ cached_plugins.files }}" when: - - item.path | basename not in plugins_downloaded.results | map(attribute='dest')|map('basename')|list - - item.path | basename not in package_plugins_downloaded.results | map(attribute='dest')|map('basename')|list + - item.path | basename not in plugins_downloaded.results | + map(attribute='dest')|map('basename')|list + - item.path | basename not in package_plugins_downloaded.results | + map(attribute='dest')|map('basename')|list -- name: "Get list of plugins on the local cache" +- name: Get list of plugins on the local cache ansible.builtin.find: paths: "{{ xnat_source.plugins_downloads_dir }}" patterns: "*.jar" file_type: file register: local_plugin_list -- name: "Get stats for local plugins" +- name: Get stats for local plugins ansible.builtin.stat: path: "{{ item.path }}" with_items: "{{ local_plugin_list.files }}" register: local_plugins_stats -- name: "Get list of hashes for local plugins" +- name: Get list of hashes for local plugins vars: - local_stats: [] + local_stats: [] # yamllint disable-line rule:brackets ansible.builtin.set_fact: - local_stats: "{{ local_stats + [{'name': item.stat.path | basename, 'hash': item.stat.checksum}] }}" + local_stats: + "{{ local_stats + [{'name': item.stat.path | basename, 'hash': + item.stat.checksum}] }}" with_items: "{{ local_plugins_stats.results }}" -- name: "Ensure directories exist for install files" +- name: Ensure directories exist for install files ansible.builtin.file: path: "{{ item }}" owner: "{{ xnat.owner }}" 
@@ -94,35 +98,38 @@ with_items: - "{{ xnat.install_downloads }}" -- name: "Get list of plugins on the remote server" +- name: Get list of plugins on the remote server ansible.builtin.find: paths: "{{ xnat_plugins_dir }}" patterns: "*.jar" file_type: file register: remote_plugin_list -- name: "Get stats for remote plugins" +- name: Get stats for remote plugins ansible.builtin.stat: path: "{{ item.path }}" with_items: "{{ remote_plugin_list.files }}" register: remote_plugins_stats -- name: "Get list of hashes for remote plugins" +- name: Get list of hashes for remote plugins ansible.builtin.set_fact: - remote_stats: "{{ remote_stats | default([]) + [{'name': item.stat.path | basename, 'hash': item.stat.checksum}] }}" + remote_stats: + "{{ remote_stats | default([]) + [{'name': item.stat.path | basename, + 'hash': item.stat.checksum}] }}" with_items: "{{ remote_plugins_stats.results }}" -- name: "Check if any plugins have changed" +- name: Check if any plugins have changed ansible.builtin.set_fact: - plugin_changes: "{{ remote_stats | default([]) | symmetric_difference(local_stats) }}" + plugin_changes: + "{{ remote_stats | default([]) | symmetric_difference(local_stats) }}" -- name: "Ensure tomcat is not running when plugins are being updated" +- name: Ensure tomcat is not running when plugins are being updated ansible.builtin.service: name: tomcat state: stopped when: plugin_changes | length > 0 -- name: "Copy XNAT plugins to {{ xnat_plugins_dir }}" +- name: Copy XNAT plugins to {{ xnat_plugins_dir }} ansible.builtin.copy: src: "{{ item.path }}" dest: "{{ xnat_plugins_dir }}" @@ -142,5 +149,6 @@ with_items: - "{{ remote_plugin_list.files }}" when: - - "item.path | basename not in local_plugin_list.files | map(attribute='path') | map('basename') | list" - - "plugin_changes | length > 0" + - item.path | basename not in local_plugin_list.files | + map(attribute='path') | map('basename') | list + - plugin_changes | length > 0 
diff --git a/roles/xnat/tasks/settings_files.yml b/roles/xnat/tasks/settings_files.yml index b832ec16..d5a56949 100644 --- a/roles/xnat/tasks/settings_files.yml +++ b/roles/xnat/tasks/settings_files.yml @@ -1,7 +1,7 @@ --- -- name: "Configure xnat-conf.properties" +- name: Configure xnat-conf.properties ansible.builtin.template: - src: "xnat-conf.properties.j2" + src: xnat-conf.properties.j2 dest: "{{ xnat_config_dir }}/xnat-conf.properties" owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" @@ -14,13 +14,13 @@ that: - xnat_config.site_name is match('^[A-Za-z][A-Za-z0-9_]*$') fail_msg: > - xnat_config.site_name must start with a letter and contain only - letters, numbers, and underscores + xnat_config.site_name must start with a letter and contain only letters, + numbers, and underscores success_msg: xnat_config.site_name is valid -- name: "Configure prefs-init" +- name: Configure prefs-init ansible.builtin.template: - src: "prefs-init.j2" + src: prefs-init.j2 dest: "{{ xnat_config_dir }}/prefs-init.ini" owner: "{{ xnat.owner }}" group: "{{ xnat.group }}" diff --git a/roles/xnat/tasks/upgrade_xnat.yml b/roles/xnat/tasks/upgrade_xnat.yml index ba39cde7..37c522a4 100644 --- a/roles/xnat/tasks/upgrade_xnat.yml +++ b/roles/xnat/tasks/upgrade_xnat.yml @@ -1,5 +1,5 @@ --- -- name: "Ensure download directories exist" +- name: Ensure download directories exist ansible.builtin.file: path: "{{ item }}" state: directory @@ -18,7 +18,7 @@ group: "{{ xnat.group }}" mode: "0644" -- name: "Ensure directories exist for install files" +- name: Ensure directories exist for install files ansible.builtin.file: path: "{{ item }}" owner: "{{ xnat.owner }}" 
@@ -30,7 +30,7 @@ # We do an advance check without modification using check_mode. This allows us # to stop Tomcat if required before updating the WAR file. -- name: "Check if XNAT war file has changed" +- name: Check if XNAT war file has changed ansible.builtin.copy: src: "{{ xnat_source.xnat_downloads_dir }}/{{ xnat_source.war_file_name }}" dest: "{{ tomcat_root_webapp }}" @@ -64,7 +64,7 @@ path: "{{ tomcat_root }}" when: xnat_war_file_check.changed -- name: "Deploy XNAT war file" +- name: Deploy XNAT war file ansible.builtin.copy: src: "{{ xnat_source.xnat_downloads_dir }}/{{ xnat_source.war_file_name }}" dest: "{{ tomcat_root_webapp }}" diff --git a/roles/xnat_container_service/defaults/main.yml b/roles/xnat_container_service/defaults/main.yml index 01afeabb..0dd3dfa5 100644 --- a/roles/xnat_container_service/defaults/main.yml +++ b/roles/xnat_container_service/defaults/main.yml @@ -1,9 +1,9 @@ --- -xnat_container_service_owner: "tomcat" -xnat_container_service_group: "tomcat" -xnat_container_service_certificate_directory: "/usr/share/tomcat/.docker" -xnat_container_service_key: "/usr/share/tomcat/.docker/key.pem" -xnat_container_service_csr: "/usr/share/tomcat/.docker/docker.csr" -xnat_container_service_pk8: "/usr/share/tomcat/.docker/docker.pk8" -xnat_container_service_cert: "/usr/share/tomcat/.docker/cert.pem" -xnat_container_service_server_ca_cert: "/usr/share/tomcat/.docker/ca.pem" +xnat_container_service_owner: tomcat +xnat_container_service_group: tomcat +xnat_container_service_certificate_directory: /usr/share/tomcat/.docker +xnat_container_service_key: /usr/share/tomcat/.docker/key.pem +xnat_container_service_csr: /usr/share/tomcat/.docker/docker.csr +xnat_container_service_pk8: /usr/share/tomcat/.docker/docker.pk8 +xnat_container_service_cert: /usr/share/tomcat/.docker/cert.pem +xnat_container_service_server_ca_cert: /usr/share/tomcat/.docker/ca.pem 
diff --git a/roles/xnat_container_service/tasks/main.yml b/roles/xnat_container_service/tasks/main.yml index 4126f8a9..1800049e 100644 --- a/roles/xnat_container_service/tasks/main.yml +++ b/roles/xnat_container_service/tasks/main.yml @@ -15,9 +15,13 @@ group: "{{ xnat_container_service_group }}" mode: "0600" -- name: Copy signed Docker client certificate from Ansible Controller cache to client +- name: + Copy signed Docker client certificate from Ansible Controller cache to + client ansible.builtin.copy: - src: "{{ xnat_container_service_certificate_cache_directory }}/{{ xnat_container_service_client_hostname }}.cert" + src: + "{{ xnat_container_service_certificate_cache_directory }}/{{ + xnat_container_service_client_hostname }}.cert" dest: "{{ xnat_container_service_cert }}" owner: "{{ xnat_container_service_owner }}" group: "{{ xnat_container_service_group }}" @@ -31,7 +35,7 @@ group: "{{ xnat_container_service_group }}" mode: "0600" -- name: "Configure XNAT to talk to container service" +- name: Configure XNAT to talk to container service ansible.builtin.uri: url: "{{ xnat_container_service_url }}" user: "{{ xnat_service_admin.username }}" 
@@ -40,11 +44,15 @@ body_format: json body: name: "{{ xnat_container_service_name }}" - host: "https://{{ xnat_container_service_hostname }}:{{ xnat_container_service_port }}" + host: + https://{{ xnat_container_service_hostname }}:{{ + xnat_container_service_port }} cert-path: "{{ xnat_container_service_certificate_directory }}" swarm-mode: false - path-translation-xnat-prefix: "{{ xnat_container_service_path_translation_xnat_prefix }}" - path-translation-docker-prefix: "{{ xnat_container_service_path_translation_docker_prefix }}" + path-translation-xnat-prefix: + "{{ xnat_container_service_path_translation_xnat_prefix }}" + path-translation-docker-prefix: + "{{ xnat_container_service_path_translation_docker_prefix }}" pull-images-on-xnat-init: false container-user: "" validate_certs: "{{ xnat_container_service_validate_certs }}" diff --git a/xnat_architecture_notes.md b/xnat_architecture_notes.md index 59f1319e..a029c197 100644 --- a/xnat_architecture_notes.md +++ b/xnat_architecture_notes.md @@ -5,9 +5,10 @@ XNAT is written in Java with the Velocity Template Language (VTL) framework providing front-end integration with HTML/CSS/Javascript. XNAT's interface is primarily a web server which allows direct access through a browser or -programmatic access through the [REST -API](https://wiki.xnat.org/display/XAPI/XNAT+REST+API+Directory), although other -interfaces can be provided such as the DICOM SCP node which receives DICOM data. +programmatic access through the +[REST API](https://wiki.xnat.org/display/XAPI/XNAT+REST+API+Directory), although +other interfaces can be provided such as the DICOM SCP node which receives DICOM +data. ## Pipelines
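Review bot: In the container-service `body:` of this hunk, the context line `container-user: ""` leaves the user under which the service launches containers unset, while the reflowed `host:`/`cert-path:` lines now describe a TLS Docker endpoint. If an empty value here means the Docker daemon default, containers would run as root; a comment stating what the empty string means, or exposing the value through a role variable so deployments can set a non-root UID, would make that choice deliberate rather than implicit. The multi-line plain scalar for `host:` folds to `https://...:{{ xnat_container_service_port }}` correctly, but a `>-` block scalar would keep the expression on one line.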