diff --git a/provision.yml b/provision.yml index f8e6b456c..35ea25afb 100644 --- a/provision.yml +++ b/provision.yml @@ -193,6 +193,11 @@ become: true roles: - { role: engineblock, tags: ["eb"] } + +- hosts: docker_mariadb + become: true + roles: + - { role: mariadbdocker, tags: ['mariadbdocker']} + - { role: mongodbdocker, tags: ['mongodbdocker']} -- import_playbook: "{{ environment_dir }}/playbook.yml" - +- import_playbook: "{{ environment_dir }}/playbook.yml" \ No newline at end of file diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml index a2de6442d..95614d006 100644 --- a/roles/manage/defaults/main.yml +++ b/roles/manage/defaults/main.yml @@ -1,8 +1,8 @@ --- manage_dir: /config/ -manage_snapshot_timestamp: '' +manage_snapshot_timestamp: "" manage_jar: manage-current.jar -manage_random_source: 'file:///dev/urandom' +manage_random_source: "file:///dev/urandom" manage_cronjobmaster: false manage_disclaimer_background_color: "{{ environment_ribbon_colour }}" manage_disclaimer_content: "{{ environment_shortname }}" @@ -31,4 +31,4 @@ manage_tabs_enabled: - provisioning - sram manage_docker_networks: - - name: loadbalancer + - name: loadbalancer \ No newline at end of file diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml index 292744a11..6818f3a0d 100644 --- a/roles/manage/tasks/main.yml +++ b/roles/manage/tasks/main.yml @@ -72,6 +72,12 @@ notify: - "restart manageserver" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + manage_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool - name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker ansible.builtin.set_fact: manage_docker_networks: 
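Review bot: The new play runs both `mariadbdocker` and `mongodbdocker` against the `docker_mariadb` group, so every host in that group now gets a MongoDB container as well, which neither the group name suggests nor the `mongodb_in_docker` variable that the consuming roles check controls. Either a dedicated group for the `mongodbdocker` role or a play-level `when: mongodb_in_docker | default(false) | bool` would keep the two databases independently deployable. The hunk also leaves the final `import_playbook` line without a trailing newline (`\ No newline at end of file`), which linters will flag; restore it.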
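Review bot: The added `set_fact` replaces `manage_docker_networks` with a literal two-element list, so the default from `roles/manage/defaults/main.yml` and any inventory override are discarded, and the following task, `Add the MariaDB docker network ...`, whose body is cut off at the end of the hunk, assigns the same fact again; if that task also writes a literal list, a host with both databases in Docker silently loses `openconext_mongodb`. Appending keeps the two tasks order-independent: `manage_docker_networks: "{{ manage_docker_networks + [{'name': 'openconext_mongodb'}] }}"`. The same replace-the-list pattern is introduced in `roles/myconext/tasks/main.yml` and `roles/oidcng/tasks/main.yml` in this commit.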
@@ -87,7 +93,7 @@ pull: true restart_policy: "always" state: started - networks: "{{ manage_docker_networks}}" + networks: "{{ manage_docker_networks }}" mounts: - source: /opt/openconext/manage/ target: /config/ diff --git a/roles/mongodbdocker/defaults/main.yml b/roles/mongodbdocker/defaults/main.yml new file mode 100644 index 000000000..c0095f38b --- /dev/null +++ b/roles/mongodbdocker/defaults/main.yml @@ -0,0 +1,2 @@ +replica_set_name: "{{ instance_name }}" +docker_mongodb_network_range: "172.21.22.0/24" diff --git a/roles/mongodbdocker/tasks/main.yml b/roles/mongodbdocker/tasks/main.yml new file mode 100644 index 000000000..fcc667d54 --- /dev/null +++ b/roles/mongodbdocker/tasks/main.yml 
@@ -0,0 +1,87 @@
+---
+- name: Install required packages
+ ansible.builtin.apt:
+ name: "python3-pymongo"
+ state: present
+
+- name: Create MongoDB volume
+ community.docker.docker_volume:
+ name: openconext_mongodb
+ state: present
+
+- name: Create MongoDB network
+ community.docker.docker_network:
+ name: openconext_mongodb
+ state: present
+ internal: false
+ ipam_config:
+ - subnet: "{{ docker_mongodb_network_range }}"
+
+- name: Create the MongoDB container
+ community.docker.docker_container:
+ name: openconext_mongodb
+ image: bitnami/mongodb:7.0
+ state: started
+ pull: true
+ restart_policy: "always"
+ ports: "127.0.0.1:27017:27017"
+ networks:
+ - name: "openconext_mongodb"
+ mounts:
+ - type: volume
+ source: openconext_mongodb
+ target: /var/lib/mysql
+ - type: bind
+ source: /home/backup/mongo/
+ target: /home/backup
+ env:
+ MONGODB_ROOT_USER: admin
+ MONGODB_ROOT_PASSWORD: "{{ mongo_admin_password }}"
+ MONGODB_REPLICA_SET_NAME: "{{ replica_set_name }}"
+ MONGODB_REPLICA_SET_MODE: primary
+ MONGODB_REPLICA_SET_KEY: "{{ mongodb_replicateset_key }}"
+ MONGODB_ADVERTISED_HOSTNAME: openconext_mongodb
+ volumes:
+ - openconext_mongodb:/bitnami/mongodb
+ hostname: openconext_mongodb
+
+- name: Create mongo database users
+ community.mongodb.mongodb_user:
+ login_database: admin
+ database: "{{ item.db_name }}"
+ login_user: admin
+ login_password: "{{ mongo_admin_password }}"
+ login_host: 127.0.0.1
+ name: "{{ item.name }}"
+ password: "{{ item.password }}"
+ roles: readWrite
+ replica_set: "{{ replica_set_name }}"
+ strict_compatibility: false
+ no_log: false
+ run_once: true
+ with_items: "{{ mongo.users }}"
+ changed_when: false
+ tags: mongo_users
+
+- name: Create the backupdir
+ ansible.builtin.file:
+ path: /home/backup/mongo
+ owner: 1001
+ group: 1001
+ mode: "0700"
+
+- name: Install the backup script
+ ansible.builtin.template:
+ src: "backup_mongo.pl.j2"
+ dest: "/usr/local/sbin/backup_mongo.pl"
+ mode: "0700"
+ owner: root
+ group: root
+
+- name: Create cron symlink for backup script
+ ansible.builtin.file:
+ src: "/usr/local/sbin/backup_mongo.pl"
+ dest: "/etc/cron.daily/mongodb_backup"
+ state: link
+ mode: "0700"
+ owner: root
diff --git a/roles/mongodbdocker/templates/backup_mongo.pl.j2 b/roles/mongodbdocker/templates/backup_mongo.pl.j2
new file mode 100644
index 000000000..c8e014742
--- /dev/null
+++ b/roles/mongodbdocker/templates/backup_mongo.pl.j2
@@ -0,0 +1,37 @@
+#!/usr/bin/perl
+# Variables
+
+$backupdir = "/home/backup";
+$username = "admin";
+$password = "{{ mongo_admin_password }}";
+
+umask 0077;
+
+# Determine current day
+$day = `/bin/date +'%a'`;
+chomp($day);
+
+# Remove old backups if exists
+if ( -e "$backupdir/mongo-dump-$day/") {
+`rm -rf $backupdir/mongo-dump-$day/`;
+}
+
+# Dump databases
+`docker exec openconext_mongodb mongodump --username $username --password $password --authenticationDatabase admin --out $backupdir/mongo-dump-$day`;
+
+# Gzip dumps
+opendir(BDIR, "$backupdir/mongo-dump-$day/");
+my @files = readdir(BDIR);
+closedir(BDIR);
+chdir("$backupdir/mongo-dump-$day/");
+foreach $dir (@files) {
+if ($dir !~ /^\.+$/) {
+if ($dir !~ /\.\./g) {
+if ( -d "$backupdir/mongo-dump-$day/$dir") {
+`tar -cvzf $backupdir/mongo-dump-$day/$dir.tar.gz $dir/`;
+`rm -rf $backupdir/mongo-dump-$day/$dir/`;
+}
+}
+}
+}
+umask 0022;
diff --git a/roles/myconext/defaults/main.yml b/roles/myconext/defaults/main.yml
index 2fa088e32..4082fa28d 100644
--- a/roles/myconext/defaults/main.yml
+++ b/roles/myconext/defaults/main.yml
@@ -1,2 +1,4 @@
---
myconext_cronjobmaster: true
+myconext_docker_networks:
+ - name: loadbalancer
diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml
index c3559244e..54c425e86 100644
--- a/roles/myconext/tasks/main.yml
+++ b/roles/myconext/tasks/main.yml
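Review bot: The `Create mongo database users` task sets `no_log: false` while passing `login_password` and each `item.password` as module arguments, so with `with_items` every user's password is printed in the play output and lands in whatever collects those logs; change it to `no_log: true` (the `tags: mongo_users` selector still lets the task run on its own). Separately, the container's `mounts` entry attaches the `openconext_mongodb` volume at `/var/lib/mysql`, which looks copied from the MariaDB role; the data directory is already covered by `volumes: - openconext_mongodb:/bitnami/mongodb`, so the second mount of the same volume should be dropped. Note also that `Create the backupdir` runs after the container task that bind-mounts `/home/backup/mongo/`; Docker's mount API, which `mounts:` maps to, rejects a bind source that does not exist, so on a fresh host the container task is likely to fail before the directory is created — moving the file task above the container task avoids this.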
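Review bot: The host-side cleanup and gzip steps never find the dump: `$backupdir = "/home/backup"` is the path inside the container (the bind-mount target), so `mongodump --out $backupdir/mongo-dump-$day` writes to host `/home/backup/mongo/mongo-dump-$day`, while `opendir`, `chdir`, `tar` and `rm -rf` on the host look under `/home/backup/mongo-dump-$day`, fail silently (no return values are checked) and leave uncompressed, never-rotated dumps. Keep a separate host path and use it for everything that runs outside `docker exec`. While there, the admin password is passed as a `--password` argument to `docker exec`, which makes it readable in the host's process list for the duration of the dump; the container already holds it in `MONGODB_ROOT_PASSWORD`, so let the shell inside the container expand it and drop the templated `$password` line.
```perl
$backupdir = "/home/backup";         # path inside the container (bind-mount target)
$hostdir   = "/home/backup/mongo";   # the same directory as seen from the host (bind-mount source)
# … unchanged: $username, umask, $day …

# Remove old backups if exists (host view of the bind mount)
if ( -e "$hostdir/mongo-dump-$day/") {
`rm -rf $hostdir/mongo-dump-$day/`;
}

# Dump databases; credentials come from the container's own environment, not the command line
`docker exec openconext_mongodb sh -c 'mongodump --username "\$MONGODB_ROOT_USER" --password "\$MONGODB_ROOT_PASSWORD" --authenticationDatabase admin --out $backupdir/mongo-dump-$day'`;

# … unchanged: gzip loop, with $backupdir replaced by $hostdir in opendir/chdir/tar/rm …
```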
@@ -64,7 +64,7 @@ notify: - "restart myconextserver" -- name: copy / create private key +- name: Copy / create private key ansible.builtin.copy: content: "{{ myconext_private_key }}" dest: "/opt/openconext/myconext/myconext_saml.key" @@ -74,7 +74,7 @@ notify: - "restart myconextserver" -- name: copy / create certificate +- name: Copy / create certificate ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/myconext/myconext_saml.crt" dest: "/opt/openconext/myconext/myconext_saml.crt" @@ -100,6 +100,13 @@ group: "root" mode: "0755" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + myconext_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: myconextserver @@ -110,8 +117,7 @@ env: USE_SYSTEM_CA_CERTS: "1" TZ: "{{ timezone }}" - networks: - - name: "loadbalancer" + networks: "{{ myconext_docker_networks }}" mounts: - source: /opt/openconext/myconext/ target: /config/ diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 66ac68c53..071760e92 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -228,7 +228,7 @@ verify: spring: data: mongodb: - uri: mongodb://{{ myconext.mongo_user }}:{{ myconext.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ myconext.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ myconext.mongo_database }}?ssl=true + uri: mongodb://{{ myconext.mongo_user }}:{{ myconext.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ myconext.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ myconext.mongo_database }}?ssl={{ mongodb_ssl | default('true') }} mail: host: {{ smtp_server }} 
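Review bot: `{{ mongodb_ssl | default('true') }}` is interpolated into the connection URI unquoted and unnormalised, so an inventory value written as a YAML boolean (`mongodb_ssl: false`) renders as `ssl=False`, which the Java driver may not accept; normalise it, e.g. `?ssl={{ mongodb_ssl | default(true) | bool | string | lower }}`. Keep in mind that with `ssl=false` the credentials embedded in this URI travel in clear text, so that value is only appropriate when the hosts in `groups['mongo_servers']` are reached over the host-local `openconext_mongodb` Docker network — and for the Docker case the inventory presumably has to make that group resolve to the container name, which this commit does not address. The same URI line is changed in `roles/oidcng/templates/application.yml.j2`.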
diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml index cc444fba4..44641c6c1 100644 --- a/roles/oidcng/defaults/main.yml +++ b/roles/oidcng/defaults/main.yml @@ -1,8 +1,8 @@ --- oidcng_dir: /opt/openconext/oidcng oidcng_config_dir: /config -oidcng_version: '' -oidcng_snapshot_timestamp: '' +oidcng_version: "" +oidcng_snapshot_timestamp: "" oidcng_cronjobmaster: true oidcng_saml_sp_entityid: https://connect.{{ base_domain }} oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/metadata @@ -19,4 +19,5 @@ oidcng_manage_provision_samlsp_metadata_url: "https://connect.{{ base_domain }}/ oidcng_manage_provision_samlsp_sp_cert: "{{ lookup('file', '{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt') | depem }}" oidcng_manage_provision_samlsp_sign: "True" oidcng_manage_provision_samlsp_trusted_proxy: "True" - +oidcng_docker_networks: + - name: loadbalancer diff --git a/roles/oidcng/tasks/main.yml b/roles/oidcng/tasks/main.yml index fdd8834e8..fa35fac7c 100644 --- a/roles/oidcng/tasks/main.yml +++ b/roles/oidcng/tasks/main.yml @@ -88,6 +88,13 @@ group: "root" mode: "0755" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + oidcng_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: oidcngserver @@ -96,8 +103,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ oidcng_docker_networks }}" mounts: - source: "{{ oidcng_dir }}" target: /config/ 
@@ -137,9 +143,6 @@ traefik.http.middlewares.oidcngmw.replacepathregex.regex: "^/.well-known/openid-configuration" traefik.http.middlewares.oidcngmw.replacepathregex.replacement: "/oidc/.well-known/openid-configuration" register: oidcngservercontainer - - - #- name: Include the role manage_provision_entities to provision oidncg to Manage # ansible.builtin.include_role: # name: manage_provision_entities diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2 index f4595497c..c4f4d58d6 100644 --- a/roles/oidcng/templates/application.yml.j2 +++ b/roles/oidcng/templates/application.yml.j2 @@ -76,7 +76,7 @@ idp: spring: data: mongodb: - uri: "mongodb://{{ oidcng.mongo_user }}:{{ oidcng.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ oidcng.mongo_port }}{% if not loop.last %},{% endif %}{%endfor %}/{{ oidcng.mongo_database }}?ssl=true" + uri: "mongodb://{{ oidcng.mongo_user }}:{{ oidcng.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ oidcng.mongo_port }}{% if not loop.last %},{% endif %}{%endfor %}/{{ oidcng.mongo_database }}?ssl={{ mongodb_ssl | default('true') }}" thymeleaf: cache: true