From d02b582f6c3284bdde3995534e9adebb789e201c Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 25 Oct 2024 16:21:41 +0200 Subject: [PATCH 1/8] Engineblock: Move to docker --- provision.yml | 5 +- roles/engineblock/defaults/main.yml | 4 +- roles/engineblock/handlers/main.yml | 6 + roles/engineblock/tasks/main.yml | 375 +++++++----------- roles/engineblock/templates/parameters.yml.j2 | 18 +- roles/engineblock/vars/docker.yml | 3 + 6 files changed, 169 insertions(+), 242 deletions(-) create mode 100644 roles/engineblock/vars/docker.yml diff --git a/provision.yml b/provision.yml index 5a21697c3..90b4bfcfb 100644 --- a/provision.yml +++ b/provision.yml @@ -98,10 +98,6 @@ tags: ['app_php', 'static'] - role: openconext-common tags: ['core', 'app_php', 'eb', 'profile'] - - role: engineblock - when: - - inventory_hostname not in groups['lifecycle'] - tags: ['core', 'app_php', 'eb'] - role: lifecycle when: - inventory_hostname in groups['lifecycle'] @@ -187,6 +183,7 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } + - { role: engineblock, tags: ["eb"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 389247a44..1ab26ffcc 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -1,4 +1,3 @@ -#--- ## Version of EngineBlock that is installable by this role engine_version: '' # Be aware that if you enable this option that NPM, Node.js and Composer are installed @@ -13,7 +12,6 @@ engine_feature_enable_sso_session_cookie: 0 engine_feature_enable_consent: 1 engine_feature_stepup_override_entityid: 0 engine_feature_idp_initiated_flow: 1 - engine_api_feature_metadata_push: 1 engine_api_feature_consent_listing: 1 engine_api_feature_consent_remove: 0 
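Review bot: The engineblock role re-added in the `@@ -187,6 +183,7 @@` hunk carries only the `eb` tag, whereas the entry removed in `@@ -98,10 +98,6 @@` was also tagged `core` and `app_php` and was skipped for hosts in `groups['lifecycle']`. A run limited to `--tags core` or `--tags app_php` will therefore no longer deploy EngineBlock, and the lifecycle exclusion is gone. If both are intended for the docker deployment, state it in the commit message; otherwise `- { role: engineblock, tags: ["core", "eb"] }` keeps the old entry point. The enclosing plays start outside both hunks.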
@@ -128,3 +126,5 @@ engineblock_selenium_install_dir: /opt # Composer composer_path: /usr/local/bin/composer + +engineblock_log_attributes: [] diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index 8a2235003..ee9e9e1e8 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -3,3 +3,9 @@ service: name: php72-php-fpm state: restarted + +- name: restart engine + community.docker.docker_container: + name: engine + state: started + restart: true diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2baa50469..c68843405 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
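Review bot: The new `restart engine` handler targets a container called `engine`, but the container this patch creates in tasks/main.yml is `name: "engineblock"`, so the notify from `Place parameters.yml` and from the language-override task will act on a container that does not exist instead of restarting the one running EngineBlock. As far as I can tell `community.docker.docker_container` with `state: started` and no `image` cannot create a missing container, so the handler is likely to fail outright rather than silently do nothing. Change it to `name: engineblock` (or make both read one variable). PATCH 4/8's handlers hunk (`@@ -1,9 +1,4 @@`) keeps the same `name: engine` and needs the same fix.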
@@ -1,300 +1,223 @@ ---- -- name: Add group {{ engine_fpm_user }} - group: - name: "{{ engine_fpm_user }}" +- name: Include docker vars + ansible.builtin.include_vars: docker.yml + +- name: Add group engine + ansible.builtin.group: + name: "engine" state: present + register: engine_guid -- name: Add user {{ engine_fpm_user }} - user: - name: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - createhome: no +- name: Add user engine + ansible.builtin.user: + name: "engine" + group: "engine" + createhome: false state: present + register: engine_uid -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/engine" +- name: Create some dirs + ansible.builtin.file: state: directory - owner: "{{ engine_fpm_user }}" + dest: "{{ item }}" + owner: root group: root - mode: 0770 - -- name: Install build tools (npm, composer) - include_tasks: build.yml - when: - - "(engine_branch is defined and engine_branch != '') or develop" - -- name: Include install-release.yml - include_tasks: install-release.yml - when: - - "(engine_branch is not defined or engine_branch == '') and not develop" - -- name: Include install-branch.yml - include_tasks: install-branch.yml - when: - - "(engine_branch is defined and engine_branch != '') and not develop" - -- name: Include develop.yml - include_tasks: develop.yml - when: - - develop | bool - -- name: Include test.yml - include_tasks: test.yml - when: - - develop | bool + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_config_dir_name }}/certs" + - "{{ current_release_config_dir_name }}/configs" + - "{{ current_release_config_dir_name }}/images" + - "{{ current_release_config_dir_name }}/languages" - name: Place parameters.yml - template: - src: "{{ item }}.j2" - dest: "{{ engine_current_release_symlink }}/app/config/{{ item }}" - mode: 0644 - with_items: - - parameters.yml - notify: - - "restart php72-fpm" + ansible.builtin.template: + src: 
parameters.yml.j2 + dest: "{{ current_release_config_dir_name }}/configs/parameters.yml" + mode: "0640" + owner: root + group: engine + notify: restart engine - name: Check presence of environment specific attributes.json - local_action: stat path="{{ inventory_dir }}/files/eb/attributes.json" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/attributes.json" register: attributes_json_present become: false + delegate_to: localhost - name: Copy environment specific attributes.json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/attributes.json" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/" + dest: "{{ current_release_config_dir_name }}/configs/" + mode: "0644" + owner: root + group: engine when: attributes_json_present.stat.exists - name: Check presence of language specific overrides - local_action: stat path="{{ inventory_dir }}/files/eb/languages/" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/languages/" register: overrides_present become: false + delegate_to: localhost - name: Copy language specific overrides - template: + ansible.builtin.template: src: "{{ item }}" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/languages" + dest: "{{ current_release_config_dir_name }}/languages/" + owner: root + group: engine + mode: "0644" when: overrides_present.stat.exists with_fileglob: - "{{ inventory_dir }}/files/eb/languages/*" notify: - - "restart php72-fpm" + - "restart engine" - name: Check if we have a custom logo - local_action: stat path="{{ inventory_dir }}/files/logo.png" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/logo.png" register: customlogo become: false + delegate_to: localhost - name: Install environment specific logo - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/logo.png" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: 
engine + mode: "0644" when: customlogo.stat.exists - name: Check if we have a custom favicon - local_action: stat path="{{ inventory_dir }}/files/favicon.ico" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/favicon.ico" register: customfavicon become: false + delegate_to: localhost - name: Install environment specific favicon - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/favicon.ico" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/" + dest: "/opt/openconext/common/" + owner: root + group: root + mode: "0644" when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-back.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-back.svg" register: eb_customfeedbackbackground become: false + delegate_to: localhost - name: Install environment specific background back image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-back.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-front.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-front.svg" register: eb_customfeedbackforeground become: false + delegate_to: localhost - name: Install environment specific background front image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-front.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup 
GW certificate - local_action: stat path="{{ inventory_dir }}/files/certs/stepup_gateway.pem" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" register: eb_stepupgwcert become: false + delegate_to: localhost - name: Install Stepup GW certificate - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" - dest: "{{ engine_stepup_gateway_sfo_public_key_file }}" + dest: "{{ current_release_config_dir_name }}/certs/" + owner: root + group: engine + mode: "0644" when: eb_stepupgwcert.stat.exists -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - engine.conf - - engine-api.conf - notify: - - "restart httpd" - -- name: clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/engine-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - engine-pool-72.conf - notify: - - "restart php72-fpm" - -- name: copy over the engineblock keys - copy: - content: "{{ engineblock_private_keys[item.key] }}" - dest: "{{ item.value.privateFile }}" - owner: "{{ engine_fpm_user }}" - group: root - mode: 0440 - with_dict: "{{ engine_keys }}" - -- name: copy engineblock certificates to correct location - copy: - src: "{{ inventory_dir }}/files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - not engine_crt_not_in_inventory - -- name: copy engineblock certificates to correct location when not located in the inventory dir - copy: - src: "files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - engine_crt_not_in_inventory | bool - -- name: Make the SYMFONY_ENV var available for scripts - become: yes - lineinfile: - dest: "/etc/environment" - state: present - line: "SYMFONY_ENV={{ engine_apache_symfony_environment }}" - 
-- name: Create EngineBlock test database - mysql_db: - name: "{{ engine_test_database_name }}" - state: present - when: - - develop | bool - -- name: Create EngineBlock test database user - mysql_user: - name: "{{ engine_test_database_user }}" - host: "{{ engine_test_database_host }}" - password: "{{ engine_test_database_password }}" - priv: "{{ engine_test_database_name }}.*:ALL" - state: present - when: - - develop | bool - -- name: Check existence of the eb database - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} | grep "Current Version" | awk '{print $4 }' - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_version - changed_when: False - run_once: True - -- name: Check doctrine migrations status - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_migration_status - changed_when: False - run_once: True - -- name: Print return information from the previous task - ansible.builtin.debug: - var: eb_database_migration_status - -- name: Create the database schema - command: "php72 app/console doctrine:schema:create -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Add migration versions to the database - command: "php72 app/console doctrine:migrations:version -n --add --all --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Run EngineBlock Doctrine migrations - command: "php72 app/console doctrine:migrations:migrate -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: 
doctrine_migrations_output - changed_when: "'No migrations to execute' not in doctrine_migrations_output.stdout" - tags: enginemigrations - when: - - engine_skip_db_migration is undefined - run_once: true - -- name: Clear the symfony cache - command: "php72 app/console cache:clear --env={{ engine_apache_symfony_environment }} --no-debug" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - not develop - changed_when: false - -- name: Make sure cache dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/cache" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: - - not develop - changed_when: False - -- name: Make sure log dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/logs" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: not develop - -# Remove all dirs, but keep the current version and from the rest the most recent one. -- name: Clean up old releases - shell: ls -td {{ openconext_releases_dir }}/OpenConext-engineblock-* | grep -v $(readlink {{ engine_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_releases - changed_when: '"removed" in clean_engine_releases.stdout' - -# Remove all tarballs, but keep the current version and from the rest the most recent one. 
-- name: Clean up old builds - shell: ls -td {{ openconext_builds_dir }}/OpenConext-engineblock-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ engine_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_builds - changed_when: '"removed" in clean_engine_builds.stdout' +- name: Copy over the engineblock keys + ansible.builtin.copy: + content: "{{ item.private_key }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.key" + owner: root + group: engine + mode: "0440" + loop: "{{ engine_key_and_certs }}" + +- name: Copy engineblock certificates to correct location + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/{{ item.crt_name }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.crt" + owner: root + group: engine + mode: "0644" + loop: "{{ engine_key_and_certs }}" + +- name: Create the container + community.docker.docker_container: + name: "engineblock" + image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" + traefik.http.routers.engine.service: "engineblock" + traefik.http.routers.engine.tls: "true" + traefik.http.routers.engineapi.rule: "Host(`engine-api.{{ base_domain }}`)" + traefik.http.routers.engineapi.service: "engineblock" + traefik.http.routers.engineapi.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ engine_uid.uid }}" + APACHE_GUID: "#{{ engine_guid.gid }}" + etc_hosts: + host.docker.internal: host-gateway + mounts: + - source: "{{ current_release_config_dir_name }}/configs/parameters.yml" + target: "/var/www/html/app/config/parameters.yml" + type: bind + - source: "{{ current_release_config_dir_name }}/configs/attributes.json" + target: "/var/www/html/app/config/attributes.json" + type: bind + - source: "{{ current_release_config_dir_name 
}}/images/background-back.svg" + target: "/var/www/html/web/images/background-back.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/background-front.svg" + target: "/var/www/html/web/images/background-front.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/logo.png" + target: "/var/www/html/web/images/logo.png" + type: bind + - source: "{{ current_release_config_dir_name }}/certs/" + target: "/var/www/html/certs/" + type: bind + - source: "/opt/openconext/common/favicon.ico" + target: "/var/www/html/web/favicon.ico" + type: bind diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 5982aa21a..19a23f77e 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -38,18 +38,17 @@ parameters: ## * How attributes are displayed in Profile and Consent ## * How attributes are Normalized and Denormalized ## * How attributes are validated - attribute_definition_file_path: {{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/attributes.json + attribute_definition_file_path: {{ engine_config_dir }}/attributes.json ## The Signing / Encryption keys used for the SAML2 authentication and metadata ## When EngineBlock signs responses (when it acts as an Idp) ## or requests (when it acts as an SP) it uses these X.509 certs. encryption_keys: -{% for key, value in engine_keys.items() %} - {{ key }}: - publicFile: {{ value.publicFile }} - privateFile: {{ value.privateFile }} +{% for engine_key in engine_key_and_certs %} + {{ engine_key.name }}: + publicFile: "{{ engine_certs_dir }}/{{ engine_key.name}}.crt" + privateFile: "{{ engine_certs_dir}}/{{ engine_key.name }}.key" {% endfor %} - ## List of signature methods explicitly forbidden by EngineBlock. forbidden_signature_methods: { } 
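Review bot: The `mounts:` list of `Create the container` bind-mounts `configs/attributes.json`, the three `images/*` files and `/opt/openconext/common/favicon.ico` unconditionally, although each of those files is only copied `when: <register>.stat.exists`; a `type: bind` mount whose source path is missing makes container creation fail (unlike the legacy `-v` form it is not auto-created), so an environment without, say, a custom logo cannot be deployed at all. Either build the optional part of the list from the stat results, as sketched below, or always ship a default file at each of those paths. PATCH 2/8's `@@ -203,6 +203,12 @@` hunk adds `overrides.en.php`/`overrides.nl.php` mounts with the same problem. Separately, the default `engine_version: ''` from defaults/main.yml yields an image reference ending in a bare `:`, so an `ansible.builtin.assert` that `engine_version` is non-empty before this task would fail early with a clear message, and `/opt/openconext/common/` is not in `Create some dirs`, so the favicon copy presumably relies on another role (unverified).
```yaml
# … unchanged: stat/copy tasks for the optional files …
- name: Collect bind mounts for optional files that are actually present
  ansible.builtin.set_fact:
    engine_optional_mounts: "{{ engine_optional_mounts | default([]) + [item.mount] }}"
  when: item.present | bool
  loop:
    - present: "{{ attributes_json_present.stat.exists }}"
      mount:
        source: "{{ current_release_config_dir_name }}/configs/attributes.json"
        target: "/var/www/html/app/config/attributes.json"
        type: bind
    - present: "{{ customlogo.stat.exists }}"
      mount:
        source: "{{ current_release_config_dir_name }}/images/logo.png"
        target: "/var/www/html/web/images/logo.png"
        type: bind
    # … one entry each for background-back.svg, background-front.svg and favicon.ico …

- name: Create the container
  community.docker.docker_container:
    # … unchanged: name, image, pull, restart_policy, networks, labels, env, etc_hosts …
    mounts: >-
      {{ [{'source': current_release_config_dir_name ~ '/configs/parameters.yml',
           'target': '/var/www/html/app/config/parameters.yml', 'type': 'bind'},
          {'source': current_release_config_dir_name ~ '/certs/',
           'target': '/var/www/html/certs/', 'type': 'bind'}]
         + (engine_optional_mounts | default([])) }}
```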
@@ -209,7 +208,7 @@ parameters: ## Swiftmailer configuration mailer_transport: 'smtp' - mailer_host: 'localhost' + mailer_host: '{{ smtp_server }}' mailer_port: '25' mailer_user: '' mailer_password: '' @@ -231,7 +230,6 @@ parameters: feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }} feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }} feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }} - ########################################################################################## ## PROFILE SETTINGS ########################################################################################## @@ -268,7 +266,7 @@ parameters: ## The single sign-on endpoint used for Stepup Gateway SFO callouts stepup.gateway.sfo.sso_location: '{{ engine_stepup_gateway_sfo_sso_location | replace("%","%%") }}' ## The public key from the Stepup Gateway IdP - stepup.gateway.sfo.key_file: {{ engine_stepup_gateway_sfo_public_key_file | replace("%","%%") }} + stepup.gateway.sfo.key_file: "{{ engine_certs_dir }}/stepup_gateway.pem" ## You can override the default entityID used by Engineblock for its callout to stepup gateway. ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above. stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid }}' @@ -308,4 +306,4 @@ parameters: # A (list) mapping is for example : where the label represents the label that is # used in the authentication log record. The attributeName will be searched in the response attributes and if present # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation. - auth.log.attributes: [] + auth.log.attributes: {{ engineblock_log_attributes }} diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/docker.yml new file mode 100644 index 000000000..d9a3a943b --- /dev/null 
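Review bot: `auth.log.attributes: {{ engineblock_log_attributes }}` in the `@@ -308,4 +306,4 @@` hunk interpolates a list with Jinja's default rendering, which is Python's repr (single-quoted strings, `True`/`None`) rather than guaranteed YAML, so once an operator sets entries containing quotes or colons the rendered parameters.yml may no longer parse. Render it explicitly: `auth.log.attributes: {{ engineblock_log_attributes | to_json }}`. In the `@@ -209,7 +208,7 @@` hunk, `mailer_host: '{{ smtp_server }}'` relies on `smtp_server` being defined outside this role; if it is not already a required inventory variable, document it in defaults/main.yml or guard it with an `ansible.builtin.assert` so the template fails with a clear message instead of an undefined-variable error.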
+++ b/roles/engineblock/vars/docker.yml @@ -0,0 +1,3 @@ +current_release_config_dir_name: /opt/openconext/engine +engine_config_dir: /var/www/html/app/config +engine_certs_dir: /var/www/html/certs From 9612abfe6e962f7323a57f0a02fa6df35dac37a2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 5 Nov 2024 09:33:56 +0100 Subject: [PATCH 2/8] Engineblock: Mount the language overrides files --- roles/engineblock/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index c68843405..f6475c9cd 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -203,6 +203,12 @@ - source: "{{ current_release_config_dir_name }}/configs/parameters.yml" target: "/var/www/html/app/config/parameters.yml" type: bind + - source: "{{ current_release_config_dir_name }}/languages/overrides.en.php" + target: "/var/www/html/languages/overrides.en.php" + type: bind + - source: "{{ current_release_config_dir_name }}/languages/overrides.nl.php" + target: "/var/www/html/languages/overrides.nl.php" + type: bind - source: "{{ current_release_config_dir_name }}/configs/attributes.json" target: "/var/www/html/app/config/attributes.json" type: bind From b301da5ccf665c2e38975166f18f46c9bfaaafac Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 13:41:31 +0100 Subject: [PATCH 3/8] EB: Mount a volume in /tmp to save the sessions --- roles/engineblock/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index f6475c9cd..594b4f85d 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
@@ -178,6 +178,11 @@ mode: "0644" loop: "{{ engine_key_and_certs }}" +- name: Create Docker volume to contain the sessions + community.docker.docker_volume: + name: engineblock_sessions + state: present + - name: Create the container community.docker.docker_container: name: "engineblock" @@ -197,6 +202,7 @@ env: APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" + TZ: "{{ timezone }}" etc_hosts: host.docker.internal: host-gateway mounts: @@ -227,3 +233,6 @@ - source: "/opt/openconext/common/favicon.ico" target: "/var/www/html/web/favicon.ico" type: bind + - source: engineblock_sessions + target: /tmp/ + type: volume From a9546eeab2877e2569e7b171fdff505b98534c33 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Wed, 20 Nov 2024 08:27:01 +0100 Subject: [PATCH 4/8] Engineblock: Clean non docker related configuration --- roles/engineblock/defaults/main.yml | 29 +-- roles/engineblock/handlers/main.yml | 5 - roles/engineblock/tasks/build.yml | 43 ---- roles/engineblock/tasks/develop.yml | 46 ---- roles/engineblock/tasks/install-branch.yml | 45 ---- roles/engineblock/tasks/install-release.yml | 31 --- roles/engineblock/tasks/main.yml | 21 +- roles/engineblock/tasks/test.yml | 36 --- .../engineblock/templates/engine-api.conf.j2 | 54 ----- .../templates/engine-pool-72.conf.j2 | 227 ------------------ roles/engineblock/templates/engine.conf.j2 | 56 ----- roles/engineblock/templates/selenium-unit.j2 | 11 - .../engineblock/vars/{docker.yml => main.yml} | 0 13 files changed, 9 insertions(+), 595 deletions(-) delete mode 100644 roles/engineblock/tasks/build.yml delete mode 100644 roles/engineblock/tasks/develop.yml delete mode 100644 roles/engineblock/tasks/install-branch.yml delete mode 100644 roles/engineblock/tasks/install-release.yml delete mode 100644 roles/engineblock/tasks/test.yml delete mode 100644 roles/engineblock/templates/engine-api.conf.j2 delete mode 100644 roles/engineblock/templates/engine-pool-72.conf.j2 delete mode 100644 roles/engineblock/templates/engine.conf.j2 delete mode 100644 roles/engineblock/templates/selenium-unit.j2 rename roles/engineblock/vars/{docker.yml => main.yml} (100%) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 1ab26ffcc..c58a30d05 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -1,7 +1,6 @@ ## Version of EngineBlock that is installable by this role -engine_version: '' +engine_version: "" # Be aware that if you enable this option that NPM, Node.js and Composer are installed -#engine_branch: "develop" # Feature toggles engine_feature_encrypted_assertions: 1 engine_feature_encrypted_assertions_require_outer_signature: 1 
@@ -42,7 +41,7 @@ engine_domain: engine.{{ base_domain }} engine_debug: false engine_theme: "skeune" -#engine_theme: openconext +# engine_theme: openconext engine_profile_baseurl: "https://profile.{{ base_domain }}" @@ -90,17 +89,6 @@ engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }} ## The minimum priority of messages that will be logged engine_logging_passthru_level: NOTICE -#engine_initial_sql: '' - -engineblock_symfony_cache_path: "/tmp/engineblock/cache" -engineblock_symfony_log_path: "{{ engine_current_release_symlink }}/var/logs" - -engine_fpm_user: engine -engine_fpm_port: 801 -engine_fpm_memory: 128M -# When using vagrant for provisioning, it's not possible to put something in the inventory dir -engine_crt_not_in_inventory: false - # The memory limit used for the metadata push engine_metadata_push_memory_limit: 256M @@ -116,15 +104,4 @@ eb_tos_url: "https://example.org" engine_site_notice_show: false -# Backwards compatibility with older secrets files -engineblock_private_keys: - default: "{{ engineblock_private_key }}" - -# Webdriver test settings -engineblock_selenium_version: 2.53.1 -engineblock_selenium_install_dir: /opt - -# Composer -composer_path: /usr/local/bin/composer - -engineblock_log_attributes: [] +engineblock_log_attributes: [] diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index ee9e9e1e8..6ab193b9f 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -1,9 +1,4 @@ --- -- name: restart php72-fpm - service: - name: php72-php-fpm - state: restarted - - name: restart engine community.docker.docker_container: name: engine diff --git a/roles/engineblock/tasks/build.yml b/roles/engineblock/tasks/build.yml deleted file mode 100644 index 566f0e6f6..000000000 --- a/roles/engineblock/tasks/build.yml +++ /dev/null 
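Review bot: The context line `engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }}"` at the top of the `@@ -90,17 +89,6 @@` hunk survives this clean-up, yet PATCH 1/8 replaced `engine_keys` with `engine_key_and_certs` in tasks/main.yml and parameters.yml.j2 and hard-coded the Stepup key path to `{{ engine_certs_dir }}/stepup_gateway.pem`, so unless the inventory still defines `engine_keys` this default refers to a variable nothing sets and fails with an undefined-variable error the moment anything evaluates it. Since this commit is the non-docker clean-up, drop that default here as well. The handlers hunk `@@ -1,9 +1,4 @@` in this patch keeps `name: engine` for the restart handler while the container is created as `engineblock`, so the handler and the task still disagree after the clean-up.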
@@ -1,43 +0,0 @@ -- name: Get Composer installer signature. - uri: - url: https://composer.github.io/installer.sig - return_content: true - register: composer_installer_signature - -- name: Download Composer installer - get_url: - url: https://getcomposer.org/installer - dest: /tmp/composer-installer.php - mode: 0755 - checksum: "sha384:{{ composer_installer_signature.content }}" - register: reg_composer_installer - -- name: Run Composer installer - command: > - php72 composer-installer.php - chdir=/tmp - when: - - reg_composer_installer.changed | bool - -- name: Move Composer into globally-accessible location. - command: > - mv -f /tmp/composer.phar {{ composer_path }} - creates={{ composer_path }} - when: - - reg_composer_installer.changed | bool - -- name: Remove Nodesource repositories for Node.js - yum: - name: "nodesource-release" - state: removed - -- name: Add Nodesource repositories for Node.js - yum: - name: "https://rpm.nodesource.com/pub_12.x/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/nodesource-release-el{{ ansible_distribution_major_version }}-1.noarch.rpm" - state: present - -- name: Ensure Node.js and npm are installed - yum: - name: "nodejs-12*" - state: present - enablerepo: nodesource diff --git a/roles/engineblock/tasks/develop.yml b/roles/engineblock/tasks/develop.yml deleted file mode 100644 index 4732b79f6..000000000 --- a/roles/engineblock/tasks/develop.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: Add "engineblock" user - user: - name: engineblock - groups: "{{ apache_user}}" - append: yes - state: present - createhome: no - -- name: Create the cache dir for Symfony - file: - path: "{{ engineblock_symfony_cache_path }}" - state: directory - recurse: yes - -- name: Create the log dir for Symfony - file: - path: "{{ engineblock_symfony_log_path }}" - state: directory - recurse: yes - -- name: Ensure setfacl support is present. - become: true - package: - name: acl - state: present - -- name: Allow vagrant user complete access to all engineblock files - become: true - acl: - entity: "{{ item[0] }}" - default: "{{ item[1] }}" - path: "{{ item[2] }}" - permissions: rwx - use_nfsv4_acls: yes - with_nested: - - [ "{{ engine_fpm_user }}", "vagrant" ] - - [ "no", "yes" ] - - [ "{{ engineblock_symfony_cache_path }}", "{{ engineblock_symfony_log_path }}", "/opt/openconext/OpenConext-engineblock/" ] - -- name: Copy app_dev.php.dist to OpenConext web folder - copy: - src: "/opt/openconext/OpenConext-engineblock/app_dev.php.dist" - dest: "/opt/openconext/OpenConext-engineblock/web/app_dev.php" - remote_src: yes - mode: 0644 diff --git a/roles/engineblock/tasks/install-branch.yml b/roles/engineblock/tasks/install-branch.yml deleted file mode 100644 index 56d819ac3..000000000 --- a/roles/engineblock/tasks/install-branch.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_release_dir }}" - register: eb_dir - -- name: Checkout engine-block branch - git: - repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ engine_branch_dir }}" - version: "{{ engine_branch }}" - force: yes - register: eb_gitclone - -- name: Make release - command: "./bin/makeRelease.sh {{ engine_branch }}" - environment: - HOME: "{{ openconext_builds_dir }}" - PATH: /usr/local/bin:{{ ansible_env.PATH }} - args: - chdir: "{{ engine_branch_dir }}" - when: - - eb_gitclone.changed or not eb_dir.stat.exists - register: make_release_out - -- debug: - var: make_release_out - verbosity: 2 - -- name: Unpack current version - unarchive: - src: "{{ openconext_builds_dir }}/Releases/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_gitclone.changed or not eb_dir.stat.exists - -- name: Activate new EngineBlock branch - file: - src: "{{ openconext_releases_dir }}/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" diff --git a/roles/engineblock/tasks/install-release.yml b/roles/engineblock/tasks/install-release.yml deleted file mode 100644 index a76789e17..000000000 --- a/roles/engineblock/tasks/install-release.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_current_release_symlink }}" - follow: no - register: eb_dir - -- name: Download current version - get_url: - url: "{{ engine_download_url }}" - dest: "{{ engine_build_path }}" - register: eb_download - -- name: Unpack current version - unarchive: - src: "{{ engine_build_path }}" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir - -- name: Activate new EngineBlock release - file: - src: "{{ engine_release_dir }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 594b4f85d..0376bd638 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -1,6 +1,3 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - - name: Add group engine ansible.builtin.group: name: "engine" @@ -52,8 +49,7 @@ mode: "0644" owner: root group: engine - when: - attributes_json_present.stat.exists + when: attributes_json_present.stat.exists - name: Check presence of language specific overrides ansible.builtin.stat: @@ -89,8 +85,7 @@ owner: root group: engine mode: "0644" - when: - customlogo.stat.exists + when: customlogo.stat.exists - name: Check if we have a custom favicon ansible.builtin.stat: @@ -106,8 +101,7 @@ owner: root group: root mode: "0644" - when: - customfavicon.stat.exists + when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page ansible.builtin.stat: 
@@ -123,8 +117,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackbackground.stat.exists + when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page ansible.builtin.stat: @@ -140,8 +133,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackforeground.stat.exists + when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup GW certificate ansible.builtin.stat: @@ -157,8 +149,7 @@ owner: root group: engine mode: "0644" - when: - eb_stepupgwcert.stat.exists + when: eb_stepupgwcert.stat.exists - name: Copy over the engineblock keys ansible.builtin.copy: diff --git a/roles/engineblock/tasks/test.yml b/roles/engineblock/tasks/test.yml deleted file mode 100644 index 43133372b..000000000 --- a/roles/engineblock/tasks/test.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Create install directory - file: - path: "{{ engineblock_selenium_install_dir }}/selenium" - state: directory - recurse: yes - -- name: Install latest Chrome - yum: - name: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm - state: present - -- name: Install Selenium standalone - get_url: - url: "http://selenium-release.storage.googleapis.com/{{ engineblock_selenium_version | regex_replace('\\.[0-9]+$', '') }}/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - dest: "{{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - mode: 0755 - -- name: Get the latest release for chromedriver - uri: - url: https://chromedriver.storage.googleapis.com/LATEST_RELEASE - return_content: yes - register: chromedriver_latest - -- name: Install chromedriver - unarchive: - src: "https://chromedriver.storage.googleapis.com/{{ chromedriver_latest.content | trim }}/chromedriver_linux64.zip" - dest: "{{ engineblock_selenium_install_dir }}/selenium" - mode: 0755 - copy: no - -- name: Install systemd unit file - template: - src: "selenium-unit.j2" - dest: /etc/systemd/system/selenium.service - mode: 0755 diff --git a/roles/engineblock/templates/engine-api.conf.j2 b/roles/engineblock/templates/engine-api.conf.j2 deleted file mode 100644 index f2e455933..000000000 --- a/roles/engineblock/templates/engine-api.conf.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -{% if apache_app_listen_address.engine_api is defined %} -Listen {{ apache_app_listen_address.engine_api }}:{{ loadbalancing.engine_api.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_api_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - -{% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} -{% endif %} - - Header always set X-Content-Type-Options "nosniff" - Header always set X-Frame-Options "DENY" - Header always set Content-Security-Policy "{{ httpd_csp.nothing }}" - - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST/HEAD - RewriteCond %{REQUEST_METHOD} !^(POST|DELETE|GET|HEAD)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EBAPI'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EBAPI'" combined - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - 
diff --git a/roles/engineblock/templates/engine-pool-72.conf.j2 b/roles/engineblock/templates/engine-pool-72.conf.j2 deleted file mode 100644 index c766f2a65..000000000 --- a/roles/engineblock/templates/engine-pool-72.conf.j2 +++ /dev/null 
@@ -1,227 +0,0 @@ -; Create a new pool named engine. -[engine] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/engine-pool-72.sock - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ engine_fpm_user }} -group = {{ engine_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 40 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 5 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 5 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 35 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/engine-error.log -php_admin_flag[log_errors] = on -php_admin_value[memory_limit] = {{ engine_fpm_memory }} -php_admin_value[post_max_size] = 25M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/engine -php_value[disable_functions] = {{ php_disabled_functions }} 
diff --git a/roles/engineblock/templates/engine.conf.j2 b/roles/engineblock/templates/engine.conf.j2 deleted file mode 100644 index 6b7b769c1..000000000 --- a/roles/engineblock/templates/engine.conf.j2 +++ /dev/null 
@@ -1,56 +0,0 @@ -{% if apache_app_listen_address.engine is defined %} -Listen {{ apache_app_listen_address.engine }}:{{ loadbalancing.engine.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - - - Header always set X-Content-Type-Options "nosniff" - - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST - RewriteCond %{REQUEST_METHOD} !^(POST|GET)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EB'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EB'" combined - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - ExpiresActive on - ExpiresByType font/* "access plus 1 year" - ExpiresByType image/* "access plus 6 months" - ExpiresByType text/css "access plus 1 year" - ExpiresByType text/js "access plus 1 year" - 
diff --git a/roles/engineblock/templates/selenium-unit.j2 b/roles/engineblock/templates/selenium-unit.j2 deleted file mode 100644 index 29f943cfa..000000000 --- a/roles/engineblock/templates/selenium-unit.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Selenium test framework -After=syslog.target network.target - -[Service] -ExecStart=/usr/bin/java -jar {{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar -Dwebdriver.chrome.driver={{ engineblock_selenium_install_dir }}/selenium/chromedriver & -Restart=on-failure -RestartSec=20s - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/main.yml similarity index 100% rename from roles/engineblock/vars/docker.yml rename to roles/engineblock/vars/main.yml From 7b690916eafa3ad57a5f618e89974d3441592745 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:11:49 +0100 Subject: [PATCH 5/8] EB: Add no log option to tasks that would show the eb keys on screen --- roles/engineblock/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 0376bd638..492329c32 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -158,6 +158,7 @@ owner: root group: engine mode: "0440" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Copy engineblock certificates to correct location @@ -167,6 +168,7 @@ owner: root group: engine mode: "0644" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Create Docker volume to contain the sessions From c1eb2189c5d4a6c3762353a7a2f5b8636c511ea4 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:12:20 +0100 Subject: [PATCH 6/8] EB: Add memory environment var --- roles/engineblock/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
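Review bot: `no_log: true` in the two tasks/main.yml hunks of PATCH 5/8 also hides the copy module's failure message, so a bad path or a missing key in an `engine_key_and_certs` item will only report that output was suppressed; the reason deserves a comment next to it, e.g. `# no_log: each loop item carries the private key, so hide it even on failure`. On the certificate task the loop item presumably still contains the key material alongside the certificate, which is why suppression is warranted there too; if the loop data were split into separate key and certificate lists, the certificate copy could log normally and stay diagnosable. Both copy tasks start outside the hunks, so where the material comes from is not visible here.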
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 492329c32..2189ad4c2 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -196,6 +196,7 @@ APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" TZ: "{{ timezone }}" + PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" etc_hosts: host.docker.internal: host-gateway mounts: From 61e4c460721ca2704d829d421cfeb3a86ed5be30 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Sun, 24 Nov 2024 20:07:29 +0100 Subject: [PATCH 7/8] Engineblock: add default php memory setting --- roles/engineblock/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index c58a30d05..07f906d37 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -105,3 +105,5 @@ eb_tos_url: "https://example.org" engine_site_notice_show: false engineblock_log_attributes: [] + +engine_php_memory: 256M From 10354e717409b00d2192cb05379e68e8964b4443 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 08:09:28 +0100 Subject: [PATCH 8/8] Engineblock is moved to a seperate group. This allows running engineblock on seperate docker hosts --- provision.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/provision.yml b/provision.yml index 90b4bfcfb..f8e6b456c 100644 --- a/provision.yml +++ b/provision.yml @@ -164,10 +164,14 @@ - { role: stepupra , tags: ['stepupra' , 'stepup'] } - { role: stepupgateway , tags: ['stepupgateway' , 'stepup'] } -- hosts: docker +- hosts: docker_apps1,docker_apps2 become: true roles: - { role: docker, tags: ['docker' ] } + +- hosts: docker_apps1 + become: true + roles: - { role: invite, tags: ['invite' ] } - { role: dashboard, tags: ["dashboard"] } - { role: teams, tags: ["teams"] } 
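Review bot: The `PHP_MEMORY_LIMIT` entry added in the `@@ -196,6 +196,7 @@` hunk references `engine_php_memory`, which only receives a default in the following patch (`engine_php_memory: 256M` in defaults/main.yml), so PATCH 6/8 on its own fails with an undefined variable; squashing the two or ordering the default first keeps every commit deployable. The deleted FPM pool template set this limit from `engine_fpm_memory` (`php_admin_value[memory_limit]`), so inventories that tune that variable silently fall back to 256M after the move; the new default could carry the old value forward, `engine_php_memory: "{{ engine_fpm_memory | default('256M') }}"`. Whether the container image actually honours `PHP_MEMORY_LIMIT` is not visible in this diff and is worth confirming.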
@@ -183,8 +187,12 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } - - { role: engineblock, tags: ["eb"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } +- hosts: docker_apps2 + become: true + roles: + - { role: engineblock, tags: ["eb"] } + - import_playbook: "{{ environment_dir }}/playbook.yml"
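Review bot: The new `docker_apps2` play in the `@@ -183,8 +187,12 @@` hunk (and the `docker_apps1,docker_apps2` pattern in the `@@ -164,10 +164,14 @@` hunk) hard-codes two inventory group names into provision.yml, so an inventory that lacks either group gets only a "no hosts matched" warning and engineblock is never deployed, with no failure to alert on. Defining `docker` as a parent group in inventory with `docker_apps1` and `docker_apps2` as children would let the docker role keep `- hosts: docker` and leave the host split to inventory, with a comment above the new play stating the intent, e.g. `# engineblock runs on its own docker hosts (docker_apps2) so it can be placed separately`. The engineblock role also no longer carries the `inventory_hostname not in groups['lifecycle']` guard that the first patch removed, which is only safe if the `docker_apps2` and `lifecycle` groups are kept disjoint.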