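---
# Bootstraps a small self-hosted stack: step-ca (internal ACME CA), Nginx Proxy
# Manager, ONLYOFFICE DocumentServer / DocSpace and authentik. Each play clones a
# compose project from git.badms.ru into /docker, patches its .env / compose
# files and starts it with docker compose v2.
#
# Expected extra vars (inventory / vault, never this file):
#   step_ca_fqdn      - FQDN of the CA, e.g. ca.example.com
#   admin_email       - admin login for NPM and authentik
#   admin_password    - admin password for NPM and authentik
#   ds_jwt_secret     - shared JWT secret between DocumentServer and DocSpace
#   step_ca_root_checksum (optional) - "sha256:<hex>" of the PEM served at
#       https://{{ step_ca_fqdn }}/roots.pem. The root cannot be TLS-verified
#       before it is trusted, so obtain this out-of-band on the CA host
#       (sha256sum of the served file) to pin the download.
#
# The plays are meant to be re-runnable: the git task tolerates local edits,
# every .env substitution is anchored to a whole line so a second run does not
# append to a value that is already set, and random secrets are only generated
# into keys that are still empty (rotating them after the databases were
# initialised with them would lock the services out).
#
# Tasks that handle passwords or hashes carry no_log: true; on failure Ansible
# then hides the module output, so re-run with no_log removed to debug them.

- name: run ca
  gather_facts: false
  hosts: ca
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/step-ca.git
        dest: /docker/step-ca
      register: git_clone_result
      # Later tasks edit .env in the checkout; a re-run must not fail on that.
      failed_when:
        - git_clone_result.failed | default(false)
        - '"Local modifications" not in (git_clone_result.msg | default(""))'

    - name: create data directory
      ansible.builtin.file:
        path: /docker/step-ca/data
        state: directory
        owner: 1000  # presumably the uid the step-ca container runs as - confirm against its image
        group: 1000

    - name: set ca fqdn
      ansible.builtin.lineinfile:
        path: /docker/step-ca/.env
        # Anchored on the key so a changed fqdn replaces the line instead of
        # appending a duplicate STEP_CA_FQDN entry.
        regexp: '^STEP_CA_FQDN='
        line: 'STEP_CA_FQDN={{ step_ca_fqdn }}'

    - name: start service
      community.docker.docker_compose_v2:
        project_src: /docker/step-ca

    # step-ca writes its config on first start; the grep below would fail on a
    # missing file, so wait for it.
    - name: wait for ca.json to be written
      ansible.builtin.wait_for:
        path: /docker/step-ca/data/config/ca.json
        state: present

    - name: check whether forceCN is already enabled
      ansible.builtin.command:
        argv:
          - grep
          - -qF
          - '"forceCN": true'
          - /docker/step-ca/data/config/ca.json
      register: force_cn_check
      # grep: 0 = found, 1 = not found, >1 = error
      failed_when: force_cn_check.rc > 1
      changed_when: false

    - name: enable forceCN on the acme provisioner
      when: force_cn_check.rc == 1
      block:
        - name: update acme provisioner
          community.docker.docker_container_exec:
            container: step-ca
            argv:
              - step
              - ca
              - provisioner
              - update
              - acme
              - '--force-cn'

        - name: restart service
          community.docker.docker_compose_v2:
            project_src: /docker/step-ca
            state: restarted

- name: run npm
  gather_facts: false
  hosts: npm
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/npm-step-ca.git
        dest: /docker/npm-step-ca
      register: git_clone_result
      failed_when:
        - git_clone_result.failed | default(false)
        - '"Local modifications" not in (git_clone_result.msg | default(""))'

    - name: set ca fqdn
      ansible.builtin.lineinfile:
        path: /docker/npm-step-ca/.env
        regexp: '^STEP_CA_FQDN='
        line: 'STEP_CA_FQDN={{ step_ca_fqdn }}'

    - name: start service
      community.docker.docker_compose_v2:
        project_src: /docker/npm-step-ca

    - name: install packages
      ansible.builtin.apt:
        update_cache: true
        name:
          - sqlite3

    - name: wait database created
      ansible.builtin.wait_for:
        path: /docker/npm-step-ca/data/npm-data/database.sqlite
        state: present

    # bcrypt ("blowfish") is what NPM stores in auth.secret; hashed on the
    # controller so the clear-text password never reaches the target.
    - name: get password hash
      ansible.builtin.set_fact:
        admin_password_hashed: "{{ admin_password | ansible.builtin.password_hash(hashtype='blowfish') }}"
      no_log: true

    # The file can exist before NPM has created its schema, so retry until the
    # UPDATE succeeds. argv skips shell word-splitting of the statement and the
    # value is SQL-escaped ('' for ') so an apostrophe cannot break out of it.
    - name: change admin email
      ansible.builtin.command:
        argv:
          - sqlite3
          - /docker/npm-step-ca/data/npm-data/database.sqlite
          - >-
            UPDATE user SET email='{{ admin_email | replace("'", "''") }}' WHERE id=1;
      register: npm_email_result
      until: npm_email_result.rc == 0
      retries: 12
      delay: 5

    - name: change admin password
      ansible.builtin.command:
        argv:
          - sqlite3
          - /docker/npm-step-ca/data/npm-data/database.sqlite
          - >-
            UPDATE auth SET secret='{{ admin_password_hashed | replace("'", "''") }}' WHERE id=1;
      no_log: true

- name: run documentserver
  gather_facts: false
  hosts: docs
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: '{{ item.repo }}'
        dest: '{{ item.dest }}'
      register: git_clone_result
      failed_when:
        - git_clone_result.failed | default(false)
        - '"Local modifications" not in (git_clone_result.msg | default(""))'
      loop:
        - repo: https://git.badms.ru/bms/documentserver.git
          dest: /docker/documentserver
        - repo: https://git.badms.ru/bms/oo-unlim.git
          dest: /docker/oo-unlim

    - name: create ca docker directory
      ansible.builtin.file:
        path: /docker/documentserver/data/step_ca
        state: directory

    # Trust bootstrap: the CA root is fetched from the CA itself, which this
    # host cannot verify yet, hence validate_certs: false. Supply
    # step_ca_root_checksum to pin the file; without it a MITM on this
    # download can plant its own root.
    - name: download ca certificate
      ansible.builtin.get_url:
        url: 'https://{{ step_ca_fqdn }}/roots.pem'
        dest: '/docker/documentserver/data/step_ca/{{ step_ca_fqdn }}.crt'
        validate_certs: false
        checksum: '{{ step_ca_root_checksum | default(omit) }}'

    # Whole-line anchors keep this idempotent; the unanchored originals would
    # prepend the value again on every run. Secret-bearing items are hidden
    # from task output through loop_control.label.
    - name: uncomment and replace
      ansible.builtin.replace:
        path: '/docker/documentserver/{{ item.file }}'
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        # \w* keeps the original's tolerance for a prefixed key name
        # (e.g. XYZ_JWT_SECRET) while only touching the one line.
        - file: .env
          regexp: '^(\w*JWT_SECRET)=.*$'
          replace: '\1={{ ds_jwt_secret }}'
        - file: .env
          regexp: 'ca\.example\.com'
          replace: '{{ step_ca_fqdn }}'
        - file: config/supervisord.conf
          regexp: 'ca\.example\.com'
          replace: '{{ step_ca_fqdn }}'
        # .env keys must start at column 0, so the comment marker is dropped
        # without leaving a leading space.
        - file: .env
          regexp: '^# STEP_CA_FQDN'
          replace: 'STEP_CA_FQDN'
        # In the compose file the marker is swapped for a space to keep YAML
        # indentation intact.
        - file: docker-compose.yml
          regexp: '# - STEP_CA_FQDN'
          replace: ' - STEP_CA_FQDN'
        - file: docker-compose.yml
          regexp: '#volumes'
          replace: 'volumes'
        - file: docker-compose.yml
          regexp: '# - ./data/step_ca'
          replace: ' - ./data/step_ca'
        - file: docker-compose.yml
          regexp: '# - ./config/supervisord.conf'
          replace: ' - ./config/supervisord.conf'
      loop_control:
        label: '{{ item.file }}: {{ item.regexp }}'

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/documentserver

- name: run docspace
  gather_facts: false
  hosts: office
  vars:
    # Parent domain of the CA host: ca.example.com -> example.com
    base_domain: '{{ step_ca_fqdn | regex_replace("^\w*\.(.*)$", "\1") }}'
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/docspace.git
        dest: /docker/docspace
      register: git_clone_result
      failed_when:
        - git_clone_result.failed | default(false)
        - '"Local modifications" not in (git_clone_result.msg | default(""))'

    - name: create directories
      ansible.builtin.file:
        path: '/docker/docspace/{{ item }}'
        state: directory
      loop:
        - data
        - data/app_data
        - data/es_data
        - data/files_data
        - data/mysql_data
        - data/people_data
        - data/proxy_log
        - data/router_log
        - data/webroot_path
        - data/step_ca

    - name: create special directories
      ansible.builtin.file:
        path: '/docker/docspace/{{ item.path }}'
        owner: '{{ item.owner }}'
        group: '{{ item.group }}'
        state: directory
      loop:
        - path: data/es_data
          owner: 1000
          group: 1000
        - path: data/mysql_data
          owner: 999
          group: 999

    # Deterministic values use ^KEY=.*$ (same result on every run). Random
    # secrets use ^KEY=$ so they are generated exactly once: regenerating
    # MYSQL_* after the database volume was initialised would break logins.
    # This assumes the repo .env ships those keys empty - TODO confirm; the
    # guard task below fails the play if any of them is still empty afterwards.
    - name: uncomment and replace
      ansible.builtin.replace:
        path: '/docker/docspace/{{ item.file }}'
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - file: .env
          regexp: '^APP_URL_PORTAL=.*$'
          replace: 'APP_URL_PORTAL=https://office.{{ base_domain }}'
        - file: .env
          regexp: '^DOCUMENT_SERVER_URL_EXTERNAL=.*$'
          replace: 'DOCUMENT_SERVER_URL_EXTERNAL=https://docs.{{ base_domain }}'
        # 32 alphanumeric chars (~190 bits); random_string draws from SystemRandom.
        - file: .env
          regexp: '^APP_CORE_MACHINEKEY=$'
          replace: 'APP_CORE_MACHINEKEY={{ lookup("community.general.random_string", length=32, special=false) }}'
        - file: .env
          regexp: '^MYSQL_ROOT_PASSWORD=$'
          replace: 'MYSQL_ROOT_PASSWORD={{ lookup("community.general.random_string", length=20, special=false) }}'
        - file: .env
          regexp: '^MYSQL_PASSWORD=$'
          replace: 'MYSQL_PASSWORD={{ lookup("community.general.random_string", length=20, special=false) }}'
        - file: .env
          regexp: '^DOCUMENT_SERVER_JWT_SECRET=.*$'
          replace: 'DOCUMENT_SERVER_JWT_SECRET={{ ds_jwt_secret }}'
        - file: .env
          regexp: '^# STEP_CA_FQDN=ca\.example\.com'
          replace: 'STEP_CA_FQDN={{ step_ca_fqdn }}'
        - file: .env
          regexp: '# NODE_EXTRA_CA_CERTS'
          replace: 'NODE_EXTRA_CA_CERTS'
        - file: docker-compose.yml
          regexp: '# STEP_CA_FQDN'
          replace: 'STEP_CA_FQDN'
        - file: docker-compose.yml
          regexp: '# NODE_EXTRA_CA_CERTS'
          replace: 'NODE_EXTRA_CA_CERTS'
        - file: docker-compose.yml
          regexp: '# - /etc/ssl'
          replace: '- /etc/ssl'
        - file: docker-compose.yml
          regexp: '# - ./data/step_ca'
          replace: '- ./data/step_ca'
      loop_control:
        label: '{{ item.file }}: {{ item.regexp }}'

    - name: verify no secret in .env is left empty
      ansible.builtin.command:
        argv:
          - grep
          - -E
          - '^(APP_CORE_MACHINEKEY|MYSQL_ROOT_PASSWORD|MYSQL_PASSWORD|DOCUMENT_SERVER_JWT_SECRET)=$'
          - /docker/docspace/.env
      register: empty_secret
      # grep rc 1 = no empty key found; 0 = found one; >1 = error
      failed_when: empty_secret.rc != 1
      changed_when: false

    # Same trust bootstrap as the docs host; this copy also becomes a
    # system-wide trusted root, so pinning via step_ca_root_checksum matters.
    - name: download ca certificate
      ansible.builtin.get_url:
        url: 'https://{{ step_ca_fqdn }}/roots.pem'
        dest: '{{ item }}'
        validate_certs: false
        checksum: '{{ step_ca_root_checksum | default(omit) }}'
      loop:
        - '/docker/docspace/data/step_ca/{{ step_ca_fqdn }}.crt'
        - '/usr/local/share/ca-certificates/{{ step_ca_fqdn }}.crt'

    - name: update ca certificates
      ansible.builtin.command:
        argv:
          - update-ca-certificates
      register: update_ca_result
      changed_when: '"1 added" in update_ca_result.stdout'

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/docspace

    # Manual post-install SQL kept from the original for reference; it is not
    # run by this play. NOTE(review): it carries a fixed user id and a static
    # pwdhash checked into the repo - do not apply it verbatim to a live portal.
    # UPDATE docspace.core_user SET email='bms@badms.ru' WHERE id='66faa6e4-f133-11ea-b126-00ffeec8b4ef';
    # UPDATE docspace.tenants_tenants SET statuschanged='2024-03-31 13:43:06',timezone='Europe/Moscow',`language`='ru',version_changed='0001-01-01 00:00:00' WHERE id=1;
    # UPDATE docspace.core_usersecurity SET pwdhash='5/pKuJ+2FDOksnA2EcFgH416mluIKBu0BcZKDU65WimvcR4u/bBMw8S/r3v1MYSeXbt/cviqRcxsXMsnLK8WVQ==' WHERE userid='66faa6e4-f133-11ea-b126-00ffeec8b4ef';
    # DELETE FROM docspace.webstudio_settings WHERE TenantID=1 AND ID='9a925891-1f92-4ed7-b277-d6f649739f06' AND UserID='00000000-0000-0000-0000-000000000000';
    # INSERT INTO docspace.webstudio_settings (TenantID, ID, UserID, `Data`) VALUES(1, '03b382bd-3c20-4f03-8ab9-5a33f016316e', '66faa6e4-f133-11ea-b126-00ffeec8b4ef', '{"EnableThirdpartySettings":true,"FastDelete":false,"StoreOriginalFiles":true,"KeepNewFileName":false,"UpdateIfExist":false,"ConvertNotify":true,"DefaultSortedBy":0,"DefaultSortedAsc":false,"HideConfirmConvertSave":false,"HideConfirmConvertOpen":false,"Forcesave":true,"StoreForcesave":false,"HideRecent":false,"HideFavorites":false,"HideTemplates":false,"DownloadZip":false,"ShareLink":false,"ShareLinkSocialMedia":false,"AutomaticallyCleanUp":{"IsAutoCleanUp":true,"Gap":4},"DefaultSharingAccessRights":null}');
    # INSERT INTO docspace.webstudio_settings (TenantID, ID, UserID, `Data`) VALUES(1, 'ee139f6c-8821-4011-8444-fd87882cd5f5', '00000000-0000-0000-0000-000000000000', '{"IsFirst":true}');

- name: run authentik
  gather_facts: false
  hosts: auth
  vars:
    # Parent domain of the CA host: ca.example.com -> example.com
    base_domain: '{{ step_ca_fqdn | regex_replace("^\w*\.(.*)$", "\1") }}'
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/authentik.git
        dest: /docker/authentik
      register: git_clone_result
      failed_when:
        - git_clone_result.failed | default(false)
        - '"Local modifications" not in (git_clone_result.msg | default(""))'

    # Only fill empty keys (see the docspace play): regenerating PG_PASS after
    # the PostgreSQL volume exists locks authentik out of its own database.
    - name: replace variables
      ansible.builtin.replace:
        path: /docker/authentik/.env
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - regexp: '^PG_PASS=$'
          replace: 'PG_PASS={{ lookup("community.general.random_string", length=20, special=false) }}'
        # authentik's own docs suggest a long key (openssl rand -base64 60);
        # 50 alphanumeric chars is in that range.
        - regexp: '^AUTHENTIK_SECRET_KEY=$'
          replace: 'AUTHENTIK_SECRET_KEY={{ lookup("community.general.random_string", length=50, special=false) }}'
      loop_control:
        label: '{{ item.regexp }}'

    - name: verify no secret in .env is left empty
      ansible.builtin.command:
        argv:
          - grep
          - -E
          - '^(PG_PASS|AUTHENTIK_SECRET_KEY)=$'
          - /docker/authentik/.env
      register: empty_secret
      failed_when: empty_secret.rc != 1
      changed_when: false

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/authentik

    - name: install packages
      ansible.builtin.apt:
        name: python3-passlib
        update_cache: true
        state: present

    # The password is passed on stdin rather than embedded in the command line:
    # it is then neither visible in the process list on the target nor able to
    # break out of the quoted Python literal the original shell task used.
    - name: generate password hash
      ansible.builtin.command:
        argv:
          - python3
          - -c
          - >-
            import sys; from passlib.hash import django_pbkdf2_sha256;
            print(django_pbkdf2_sha256.hash(sys.stdin.read()))
        stdin: '{{ admin_password }}'
        stdin_add_newline: false
      register: password_hash
      changed_when: false
      no_log: true

    # Readiness probe only; the self-signed chain is irrelevant here.
    - name: wait for page is up
      ansible.builtin.uri:
        url: 'https://auth.{{ base_domain }}'
        validate_certs: false
      register: uri_result
      until: uri_result.status == 200
      retries: 24
      delay: 10

    - name: set admin password and email
      community.docker.docker_container_exec:
        container: authentik-postgresql-1
        argv:
          - psql
          - -d
          - authentik
          - -U
          - authentik
          - -c
          - >-
            UPDATE public.authentik_core_user
            SET password='{{ password_hash.stdout | replace("'", "''") }}',
            email='{{ admin_email | replace("'", "''") }}'
            WHERE username='akadmin'
      no_log: true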