---
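- name: run ca
  # Bootstraps the step-ca compose project on the "ca" host: clones it, sets
  # the CA FQDN in .env, starts it, then turns on forceCN for the ACME
  # provisioner once the CA has written its ca.json.
  gather_facts: false
  hosts: ca
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/step-ca.git
        dest: /docker/step-ca
      register: git_clone_result
      # An existing checkout with local edits (e.g. the .env rewritten below)
      # is expected on re-runs; any other git failure still aborts the play.
      failed_when: (git_clone_result.failed | default(false)) and ("Local modifications" not in (git_clone_result.msg | default("")))

    - name: create data directory
      # Numeric ids are quoted so YAML keeps them as strings; the file module
      # accepts a numeric uid/gid either way.
      ansible.builtin.file:
        path: /docker/step-ca/data
        state: directory
        owner: '1000'
        group: '1000'

    - name: change fqdn
      ansible.builtin.lineinfile:
        name: /docker/step-ca/.env
        regexp: 'STEP_CA_FQDN=ca.example.com'
        line: 'STEP_CA_FQDN={{ step_ca_fqdn }}'

    - name: start service
      community.docker.docker_compose_v2:
        project_src: /docker/step-ca

    - name: wait for ca config
      # The container writes ca.json on first start; the probe below fails on
      # a missing file, so wait for it first (same pattern as the npm play).
      ansible.builtin.wait_for:
        path: /docker/step-ca/data/config/ca.json
        state: present

    - name: check configured
      # Probe only: lineinfile in check mode reports msg "line added" when the
      # regexp is absent from ca.json, i.e. forceCN is not enabled yet.
      ansible.builtin.lineinfile:
        name: /docker/step-ca/data/config/ca.json
        regexp: '"forceCN": true'
        line: ''
      check_mode: true
      register: ca_config
      changed_when: false

    - name: enable forcecn on the acme provisioner
      when: ca_config.msg == "line added"
      block:
        - name: check started
          # Despite its name this task mutates the CA configuration
          # (provisioner update --force-cn); the restart below applies it.
          community.docker.docker_container_exec:
            container: step-ca
            command: step ca provisioner update acme --force-cn

        - name: restart service
          community.docker.docker_compose_v2:
            project_src: /docker/step-ca
            state: restarted
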
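- name: run npm
  # Deploys the npm-step-ca compose project on the "npm" host and seeds the
  # admin account (email + password hash) directly in its SQLite database.
  gather_facts: false
  hosts: npm
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/npm-step-ca.git
        dest: /docker/npm-step-ca
      register: git_clone_result
      # Local edits in an existing checkout are expected on re-runs; any other
      # git failure still aborts the play.
      failed_when: (git_clone_result.failed | default(false)) and ("Local modifications" not in (git_clone_result.msg | default("")))

    - name: change fqdn
      ansible.builtin.lineinfile:
        name: /docker/npm-step-ca/.env
        regexp: 'STEP_CA_FQDN=ca.example.com'
        line: 'STEP_CA_FQDN={{ step_ca_fqdn }}'

    - name: start service
      community.docker.docker_compose_v2:
        project_src: /docker/npm-step-ca

    - name: install packages
      ansible.builtin.apt:
        update_cache: true
        pkg:
          - sqlite3
          # - python3-passlib

    - name: wait database created
      # The service creates the database on first start; the UPDATEs below
      # need it to exist.
      ansible.builtin.wait_for:
        path: /docker/npm-step-ca/data/npm-data/database.sqlite
        state: present

    - name: change admin email
      # Single quotes in the value are doubled so an email containing ' cannot
      # terminate the SQL string literal. The command module does not go
      # through a shell, so the quoted SQL is passed as one argument.
      ansible.builtin.command:
        cmd: >-
          sqlite3 /docker/npm-step-ca/data/npm-data/database.sqlite
          "UPDATE user SET email='{{ admin_email | replace("'", "''") }}' WHERE id=1;"

    - name: get password hash
      # bcrypt ("blowfish") with a fresh random salt, so the stored secret
      # differs on every run even for an unchanged password. no_log keeps the
      # plaintext out of the play output.
      ansible.builtin.set_fact:
        admin_password_hashed: "{{ admin_password | ansible.builtin.password_hash(hashtype=\"blowfish\") }}"
      no_log: true

    - name: change admin password
      # no_log: the command line carries the password hash.
      ansible.builtin.command:
        cmd: >-
          sqlite3 /docker/npm-step-ca/data/npm-data/database.sqlite
          "UPDATE auth SET secret='{{ admin_password_hashed | replace("'", "''") }}' WHERE id=1;"
      no_log: true
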
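- name: run documentserver
  # Deploys the documentserver compose project on the "docs" host: clones the
  # two repositories, fetches the private CA root, fills in the placeholders
  # in .env / supervisord.conf / docker-compose.yml and starts the stack.
  gather_facts: false
  hosts: docs
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: '{{ item.repo }}'
        dest: '{{ item.dest }}'
      register: git_clone_result
      # Evaluated per loop item. Local edits in an existing checkout are
      # expected on re-runs; any other git failure still aborts the play.
      failed_when: (git_clone_result.failed | default(false)) and ("Local modifications" not in (git_clone_result.msg | default("")))
      loop:
        - repo: https://git.badms.ru/bms/documentserver.git
          dest: /docker/documentserver
        - repo: https://git.badms.ru/bms/oo-unlim.git
          dest: /docker/oo-unlim

    - name: create ca docker directory
      ansible.builtin.file:
        path: /docker/documentserver/data/step_ca
        state: directory

    - name: download ca certificate
      # The private CA's root is fetched over TLS that cannot be verified yet
      # (trust-on-first-use). Set step_ca_root_checksum ("sha256:<hex>") in
      # inventory to pin the expected root; when it is unset the download is
      # accepted unverified, as before.
      ansible.builtin.get_url:
        validate_certs: false
        url: 'https://{{ step_ca_fqdn }}/roots.pem'
        dest: '/docker/documentserver/data/step_ca/{{ step_ca_fqdn }}.crt'
        checksum: "{{ step_ca_root_checksum | default(omit) }}"

    - name: set jwt secret
      # Kept out of the loop below so the task can run with no_log; the
      # <CHANGE> placeholder is replaced once, so re-runs keep the value.
      ansible.builtin.replace:
        path: /docker/documentserver/.env
        regexp: 'JWT_SECRET=<CHANGE>'
        replace: 'JWT_SECRET={{ ds_jwt_secret }}'
      no_log: true

    - name: uncomment and replace
      # Point the project at the private CA and enable the commented-out
      # step_ca / supervisord wiring. Regexps are unescaped, so "." matches
      # any character; they are specific enough for these files.
      ansible.builtin.replace:
        path: '/docker/documentserver/{{ item.file }}'
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - file: .env
          regexp: 'ca.example.com'
          replace: '{{ step_ca_fqdn }}'
        - file: config/supervisord.conf
          regexp: 'ca.example.com'
          replace: '{{ step_ca_fqdn }}'
        - file: .env
          regexp: '# STEP_CA_FQDN'
          replace: ' STEP_CA_FQDN'
        - file: docker-compose.yml
          regexp: '# - STEP_CA_FQDN'
          replace: ' - STEP_CA_FQDN'
        - file: docker-compose.yml
          regexp: '#volumes'
          replace: 'volumes'
        - file: docker-compose.yml
          regexp: '# - ./data/step_ca'
          replace: ' - ./data/step_ca'
        - file: docker-compose.yml
          regexp: '# - ./config/supervisord.conf'
          replace: ' - ./config/supervisord.conf'

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/documentserver
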
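- name: run docspace
  # Deploys the docspace compose project on the "office" host: clones it,
  # prepares the data directories, fills in the .env placeholders, installs
  # the private CA root (project dir and system trust store) and starts it.
  gather_facts: false
  hosts: office
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/docspace.git
        dest: /docker/docspace
      register: git_clone_result
      # Local edits in an existing checkout are expected on re-runs; any other
      # git failure still aborts the play.
      failed_when: (git_clone_result.failed | default(false)) and ("Local modifications" not in (git_clone_result.msg | default("")))

    - name: create directories
      ansible.builtin.file:
        path: '/docker/docspace/{{ item }}'
        state: directory
      loop:
        - data
        - data/app_data
        - data/es_data
        - data/files_data
        - data/mysql_data
        - data/people_data
        - data/proxy_log
        - data/router_log
        - data/webroot_path
        - data/step_ca

    - name: create special directories
      # Presumably the uids the respective containers run as — confirm against
      # the compose file. Ids are quoted so YAML keeps them as strings.
      ansible.builtin.file:
        path: '/docker/docspace/{{ item.path }}'
        owner: '{{ item.owner }}'
        group: '{{ item.group }}'
        state: directory
      loop:
        - path: data/es_data
          owner: '1000'
          group: '1000'
        - path: data/mysql_data
          owner: '999'
          group: '999'

    - name: set secrets
      # Secret-bearing placeholders handled separately so the whole task can
      # run with no_log. Each <CHANGE_ME> is replaced once; re-runs keep the
      # generated values, so the random lookups are not re-applied.
      ansible.builtin.replace:
        path: /docker/docspace/.env
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - regexp: 'APP_CORE_MACHINEKEY=<CHANGE_ME>'
          replace: 'APP_CORE_MACHINEKEY={{ lookup("community.general.random_string", length=12, special=false) }}'
        - regexp: 'MYSQL_ROOT_PASSWORD=<CHANGE_ME>'
          replace: 'MYSQL_ROOT_PASSWORD={{ lookup("community.general.random_string", length=20, special=false) }}'
        - regexp: 'MYSQL_PASSWORD=<CHANGE_ME>'
          replace: 'MYSQL_PASSWORD={{ lookup("community.general.random_string", length=20, special=false) }}'
        - regexp: 'DOCUMENT_SERVER_JWT_SECRET=<CHANGE_ME>'
          replace: 'DOCUMENT_SERVER_JWT_SECRET={{ ds_jwt_secret }}'
      no_log: true

    - name: uncomment and replace
      # Non-secret placeholders: portal/docs URLs derived from the CA FQDN by
      # dropping its first label, plus the commented-out CA wiring.
      # NOTE(review): the "\1" backreference passes through Jinja string
      # escaping — confirm the rendered APP_URL_PORTAL is the parent domain.
      ansible.builtin.replace:
        path: '/docker/docspace/{{ item.file }}'
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - file: .env
          regexp: 'APP_URL_PORTAL=<CHANGE_ME>'
          replace: 'APP_URL_PORTAL=https://office.{{ step_ca_fqdn | regex_replace("^\w*\.(.*)$", "\1") }}'
        - file: .env
          regexp: 'DOCUMENT_SERVER_URL_EXTERNAL=<CHANGE_ME>'
          replace: 'DOCUMENT_SERVER_URL_EXTERNAL=https://docs.{{ step_ca_fqdn | regex_replace("^\w*\.(.*)$", "\1") }}'
        - file: .env
          regexp: '# STEP_CA_FQDN=ca.example.com'
          replace: 'STEP_CA_FQDN={{ step_ca_fqdn }}'
        - file: .env
          regexp: '# NODE_EXTRA_CA_CERTS'
          replace: 'NODE_EXTRA_CA_CERTS'
        - file: docker-compose.yml
          regexp: '# STEP_CA_FQDN'
          replace: 'STEP_CA_FQDN'
        - file: docker-compose.yml
          regexp: '# NODE_EXTRA_CA_CERTS'
          replace: 'NODE_EXTRA_CA_CERTS'
        - file: docker-compose.yml
          regexp: '# - /etc/ssl'
          replace: '- /etc/ssl'
        - file: docker-compose.yml
          regexp: '# - ./data/step_ca'
          replace: '- ./data/step_ca'

    - name: download ca certificate
      # Trust-on-first-use fetch of the private CA root, also into the system
      # trust store. Set step_ca_root_checksum ("sha256:<hex>") in inventory
      # to pin the expected root; when unset the download is accepted
      # unverified, as before.
      ansible.builtin.get_url:
        validate_certs: false
        url: 'https://{{ step_ca_fqdn }}/roots.pem'
        dest: '{{ item }}'
        checksum: "{{ step_ca_root_checksum | default(omit) }}"
      loop:
        - '/docker/docspace/data/step_ca/{{ step_ca_fqdn }}.crt'
        - '/usr/local/share/ca-certificates/{{ step_ca_fqdn }}.crt'

    - name: update ca certificates
      # Reported as changed only when update-ca-certificates added the root.
      ansible.builtin.command:
        cmd: update-ca-certificates
      register: update_ca_result
      changed_when: '"1 added" in update_ca_result.stdout'

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/docspace

# NOTE(review): the commented-out SQL below embeds a password hash and tenant
# ids; keep such values out of the repository (vaulted var / secret store)
# even when commented out.
# UPDATE docspace.core_user SET email='bms@badms.ru' WHERE id='66faa6e4-f133-11ea-b126-00ffeec8b4ef';
# UPDATE docspace.tenants_tenants SET statuschanged='2024-03-31 13:43:06',timezone='Europe/Moscow',`language`='ru',version_changed='0001-01-01 00:00:00' WHERE id=1;
# UPDATE docspace.core_usersecurity SET pwdhash='5/pKuJ+2FDOksnA2EcFgH416mluIKBu0BcZKDU65WimvcR4u/bBMw8S/r3v1MYSeXbt/cviqRcxsXMsnLK8WVQ==' WHERE userid='66faa6e4-f133-11ea-b126-00ffeec8b4ef';
# DELETE FROM docspace.webstudio_settings WHERE TenantID=1 AND ID='9a925891-1f92-4ed7-b277-d6f649739f06' AND UserID='00000000-0000-0000-0000-000000000000';
# INSERT INTO docspace.webstudio_settings (TenantID, ID, UserID, `Data`) VALUES(1, '03b382bd-3c20-4f03-8ab9-5a33f016316e', '66faa6e4-f133-11ea-b126-00ffeec8b4ef', '{"EnableThirdpartySettings":true,"FastDelete":false,"StoreOriginalFiles":true,"KeepNewFileName":false,"UpdateIfExist":false,"ConvertNotify":true,"DefaultSortedBy":0,"DefaultSortedAsc":false,"HideConfirmConvertSave":false,"HideConfirmConvertOpen":false,"Forcesave":true,"StoreForcesave":false,"HideRecent":false,"HideFavorites":false,"HideTemplates":false,"DownloadZip":false,"ShareLink":false,"ShareLinkSocialMedia":false,"AutomaticallyCleanUp":{"IsAutoCleanUp":true,"Gap":4},"DefaultSharingAccessRights":null}');
# INSERT INTO docspace.webstudio_settings (TenantID, ID, UserID, `Data`) VALUES(1, 'ee139f6c-8821-4011-8444-fd87882cd5f5', '00000000-0000-0000-0000-000000000000', '{"IsFirst":true}');
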
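- name: run authentik
  # Deploys the authentik compose project on the "auth" host, generates its
  # secrets, waits for the web UI and sets the akadmin password/email
  # directly in PostgreSQL.
  gather_facts: false
  hosts: auth
  tasks:
    - name: create docker directory
      ansible.builtin.file:
        path: /docker
        state: directory

    - name: clone repository
      ansible.builtin.git:
        repo: https://git.badms.ru/bms/authentik.git
        dest: /docker/authentik
      register: git_clone_result
      # Local edits in an existing checkout are expected on re-runs; any other
      # git failure still aborts the play.
      failed_when: (git_clone_result.failed | default(false)) and ("Local modifications" not in (git_clone_result.msg | default("")))

    - name: replace veriables
      # Both values are secrets, so the task runs with no_log. Each <CHANGE>
      # placeholder is replaced once; re-runs keep the generated values.
      ansible.builtin.replace:
        path: /docker/authentik/.env
        regexp: '{{ item.regexp }}'
        replace: '{{ item.replace }}'
      loop:
        - regexp: 'PG_PASS=<CHANGE>'
          replace: 'PG_PASS={{ lookup("community.general.random_string", length=20, special=false) }}'
        - regexp: 'AUTHENTIK_SECRET_KEY=<CHANGE>'
          replace: 'AUTHENTIK_SECRET_KEY={{ lookup("community.general.random_string", length=20, special=false) }}'
      no_log: true

    - name: start service (long task)
      community.docker.docker_compose_v2:
        project_src: /docker/authentik

    - name: install packages
      ansible.builtin.apt:
        name: python3-passlib
        update_cache: true
        state: present

    - name: generate password hash
      # The password is handed over via the environment instead of being
      # interpolated into the command line: quotes in it cannot break the
      # Python/shell quoting, and it is not exposed in the process listing.
      # No shell is needed, so the command module is used. no_log keeps the
      # plaintext and the resulting hash out of the play output.
      ansible.builtin.command:
        cmd: >-
          python3 -c 'import os; from passlib.hash import django_pbkdf2_sha256;
          print(django_pbkdf2_sha256.hash(os.environ["ADMIN_PASSWORD"]))'
      environment:
        ADMIN_PASSWORD: "{{ admin_password }}"
      register: password_hash
      changed_when: false
      no_log: true

    - name: wait for page is up
      # Reachability check only (HTTP 200), nothing sensitive is exchanged;
      # certificate verification is skipped because the chain comes from the
      # private CA.
      ansible.builtin.uri:
        url: 'https://auth.{{ step_ca_fqdn | regex_replace("^\w*\.(.*)$", "\1") }}'
        validate_certs: false
      register: uri_result
      until: uri_result.status == 200
      retries: 24
      delay: 10

    - name: set admin password and email
      # Single quotes in the interpolated values are doubled so neither can
      # terminate its SQL string literal. no_log: the command line carries
      # the password hash.
      community.docker.docker_container_exec:
        container: authentik-postgresql-1
        command: >-
          psql -d authentik -U authentik -c
          "UPDATE public.authentik_core_user SET password='{{ password_hash.stdout | replace("'", "''") }}',email='{{ admin_email | replace("'", "''") }}' WHERE username='akadmin'"
      no_log: true
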