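---
# file: roles/snipeit/tasks/main.yml
#
# Installs Snipe-IT on an Enterprise Linux host (dnf, SELinux, firewalld):
# repositories and their signing keys, PHP from a remi module stream, MariaDB,
# nginx, the upstream checkout, composer dependencies, the .env file and the
# upgrade timer.
#
# Variables this file reads (expected from defaults/vars/inventory):
#   snipeit_config_db_database, snipeit_config_db_charset,
#   snipeit_config_db_username, snipeit_config_db_password,
#   snipeit_config_app_key, snipeit_user, snipeit_install_path,
#   snipeit_nginx_config, snipeit_nginx_config_output.
# Optional overrides (defaults applied inline with `default()`):
#   snipeit_epel_gpg_key_url, snipeit_remi_gpg_key_url,
#   snipeit_php_module_stream, snipeit_version.
#
# Handlers notified here live outside this file: Reload nginx,
# Restorecon nginx config, Restorecon snipeit storage, Restorecon snipeit
# public, Restorecon snipeit cache, Reload firewalld, Daemon Reload.

# --- Repositories -----------------------------------------------------------
# The repository signing keys are imported before the release RPMs so that the
# release packages, and everything installed from these repositories later,
# can be signature-checked. GPG checking is no longer disabled for the release
# RPMs (doing so accepts whatever the download returns).
- name: Import the EPEL GPG key
  ansible.builtin.rpm_key:
    key: "{{ snipeit_epel_gpg_key_url | default('https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-' ~ ansible_distribution_major_version) }}"
    state: present

# NOTE(review): remi rotates its signing keys; confirm this key is the one that
# signs remi-release for your EL major version, and consider pinning it with
# the module's `fingerprint` option once confirmed.
- name: Import the remi GPG key
  ansible.builtin.rpm_key:
    key: "{{ snipeit_remi_gpg_key_url | default('https://rpms.remirepo.net/RPM-GPG-KEY-remi2023') }}"
    state: present

- name: Install the EPEL release RPM
  ansible.builtin.dnf:
    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
    state: present

# Follows the EL major version like the EPEL task above instead of a fixed "9".
- name: Install the remi release RPM
  ansible.builtin.dnf:
    name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
    state: present

- name: Enable the remi PHP module stream
  ansible.builtin.command:
    argv:
      - dnf
      - module
      - enable
      - "-y"
      - "php:{{ snipeit_php_module_stream | default('remi-8.1') }}"
  register: dnf_module_enable
  # dnf prints "Nothing to do." when the stream is already enabled.
  changed_when: "'Nothing to do' not in dnf_module_enable.stdout"

# --- Packages ---------------------------------------------------------------
# `state: latest` upgrades these packages on every run. That keeps security
# fixes flowing but makes a run non-reproducible; switch to `present` if
# patching is managed elsewhere.
- name: Install nginx, MariaDB, PHP and tooling
  ansible.builtin.dnf:
    name:
      - nginx
      - mariadb-server
      - php
      - php-mysqlnd
      - php-json
      - php-openssl
      - php-pdo
      - php-mbstring
      - php-curl
      - php-ldap
      - php-fileinfo
      - php-bcmath
      - php-xml
      - php-exif
      - php-gd
      - php-sodium
      - php-zip
      - git
    state: latest

# The MySQL modules need a Python driver on the target. The signed distro
# package is used instead of a pip install from PyPI.
- name: Install the PyMySQL driver for the mysql modules
  ansible.builtin.dnf:
    name: python3-PyMySQL
    state: present

- name: Start and enable php-fpm
  ansible.builtin.service:
    name: php-fpm
    state: started
    enabled: true

- name: Start and enable mariadb
  ansible.builtin.service:
    name: mariadb
    state: started
    enabled: true

# --- Database ---------------------------------------------------------------
# Administrative access goes over the unix socket; no root password is set or
# stored by this role.
- name: Remove anonymous MariaDB users
  community.mysql.mysql_user:
    name: ""
    host_all: true
    state: absent
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

- name: Remove the default test database
  community.mysql.mysql_db:
    name: test
    state: absent
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

- name: Create the application database
  community.mysql.mysql_db:
    name: "{{ snipeit_config_db_database }}"
    state: present
    encoding: "{{ snipeit_config_db_charset }}"
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

# no_log keeps the database password out of verbose and failed-task output.
- name: Create the application database user
  community.mysql.mysql_user:
    name: "{{ snipeit_config_db_username }}"
    password: "{{ snipeit_config_db_password }}"
    priv: "{{ snipeit_config_db_database }}.*:ALL"
    state: present
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock
  no_log: true

# --- Service account and web server ----------------------------------------
- name: Create the snipeit service account
  ansible.builtin.user:
    name: "{{ snipeit_user }}"
    shell: /sbin/nologin
    comment: "nologin user"
    groups: "apache,nginx"
    state: present
    system: true

- name: Deploy the nginx site configuration
  ansible.builtin.template:
    src: "{{ snipeit_nginx_config }}"
    dest: "/etc/nginx/conf.d/{{ snipeit_nginx_config_output }}"
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx

- name: Label the nginx site configuration for SELinux
  community.general.sefcontext:
    target: "/etc/nginx/conf.d/{{ snipeit_nginx_config_output }}"
    seuser: system_u
    setype: httpd_config_t
    state: present
  notify: Restorecon nginx config

# httpd_unified lets the web server treat every httpd_*_content_t label as
# read-write, so the httpd_sys_content_t label on public/ below does not make
# that tree read-only. It is what allows uploads; keep that in mind if you
# tighten the labels later.
- name: Set the httpd_unified SELinux boolean
  community.general.seboolean:
    name: httpd_unified
    state: true
    persistent: true

# Outbound connections from php-fpm (LDAP, SMTP, webhooks, ...).
- name: Set the httpd_can_network_connect SELinux boolean
  community.general.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true

- name: Set the httpd_can_sendmail SELinux boolean
  community.general.seboolean:
    name: httpd_can_sendmail
    state: true
    persistent: true

# --- Application checkout ---------------------------------------------------
- name: Ensure the install directory exists
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}"
    state: directory
    owner: "{{ snipeit_user }}"
    group: root
    mode: "0755"

# Unpinned by default (HEAD of the upstream default branch, which moved from
# master to main with v7). Set snipeit_version to a release tag to deploy a
# reviewed, reproducible revision instead of whatever upstream currently has.
- name: Clone the upstream repository
  ansible.builtin.git:
    repo: "https://github.com/snipe/snipe-it"
    dest: "{{ snipeit_install_path }}"
    version: "{{ snipeit_version | default('HEAD') }}"
    force: true
  become_user: "{{ snipeit_user }}"
  register: snipeit_checkout

# Path follows snipeit_install_path instead of a hard-coded /opt/snipeit.
# Timestamps are preserved so the task is idempotent after the first run.
- name: Create the Laravel log file
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/storage/logs/laravel.log"
    state: touch
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "0664"
    access_time: preserve
    modification_time: preserve

- name: Set the checkout owner to the service account
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}"
    recurse: true
    owner: "{{ snipeit_user }}"

# Symbolic modes with X give directories the execute bit without marking
# every regular file executable (a numeric 775 applied recursively does).
- name: Make the storage directory writable by the web server group
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/storage"
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Label the storage directory for SELinux
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/storage(/.*)?"
    seuser: system_u
    setype: httpd_sys_rw_content_t
    state: present
  notify: Restorecon snipeit storage

# The whole public tree stays group-writable for php-fpm, as before. Narrowing
# write access to the upload directory only would be a worthwhile follow-up:
# a writable document root lets a compromised application drop files that
# nginx will serve.
- name: Make the public directory writable by the web server group
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/public"
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Label the public directory for SELinux
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/public(/.*)?"
    seuser: system_u
    setype: httpd_sys_content_t
    state: present
  notify: Restorecon snipeit public

- name: Make the bootstrap cache writable by the web server group
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/bootstrap/cache"
    state: directory
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Label the bootstrap cache for SELinux
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/bootstrap/cache(/.*)?"
    seuser: system_u
    setype: httpd_sys_rw_content_t
    state: present
  notify: Restorecon snipeit cache

# --- Composer ---------------------------------------------------------------
- name: Check whether composer.phar is already present
  ansible.builtin.stat:
    path: "{{ snipeit_install_path }}/composer.phar"
  register: composer_phar

# The installer is downloaded to disk and verified against the SHA-384 the
# Composer project publishes, instead of being piped from curl straight into
# php. get_url fetches the single-hash file at the checksum URL and compares.
- name: Download the composer installer
  ansible.builtin.get_url:
    url: https://getcomposer.org/installer
    dest: "{{ snipeit_install_path }}/composer-setup.php"
    checksum: "sha384:https://composer.github.io/installer.sig"
    owner: "{{ snipeit_user }}"
    mode: "0640"
  when: not composer_phar.stat.exists

# Runs as the service account rather than root; composer executes package
# scripts, so it should not run with more privilege than the app owner has.
- name: Install composer.phar
  ansible.builtin.command:
    argv:
      - php
      - composer-setup.php
      - "--quiet"
    chdir: "{{ snipeit_install_path }}"
    creates: "{{ snipeit_install_path }}/composer.phar"
  become_user: "{{ snipeit_user }}"

- name: Remove the composer installer
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/composer-setup.php"
    state: absent

# Dependencies are (re)installed on first install and whenever the checkout
# changed, so vendor/ follows the lock file of the deployed revision.
- name: Install PHP dependencies with composer
  ansible.builtin.command:
    argv:
      - php
      - composer.phar
      - install
      - "--no-dev"
      - "--prefer-source"
    chdir: "{{ snipeit_install_path }}"
  become_user: "{{ snipeit_user }}"
  when: not composer_phar.stat.exists or snipeit_checkout.changed

# --- Application configuration ---------------------------------------------
- name: Check whether an .env file already exists
  ansible.builtin.stat:
    path: "{{ snipeit_install_path }}/.env"
  register: snipeit_env_stat

# APP_KEY is the Laravel encryption key. On an existing install the value
# already in .env is carried over so the template below does not replace it
# with the role default; a new key would make data encrypted with the old one
# unreadable. The .env contents are secrets, hence no_log on every step.
- name: Preserve the existing APP_KEY
  when: snipeit_env_stat.stat.exists
  block:
    - name: Read the existing .env file
      ansible.builtin.slurp:
        src: "{{ snipeit_install_path }}/.env"
      register: snipeit_env_current
      no_log: true

    - name: Extract APP_KEY values from the existing .env
      ansible.builtin.set_fact:
        snipeit_existing_app_keys: "{{ snipeit_env_current['content'] | b64decode | regex_findall('^APP_KEY=(.*)$', multiline=True) }}"
      no_log: true

    # Guarded so an .env without an APP_KEY line does not abort the play.
    - name: Reuse the existing APP_KEY
      ansible.builtin.set_fact:
        snipeit_config_app_key: "{{ snipeit_existing_app_keys | first }}"
      when: snipeit_existing_app_keys | length > 0
      no_log: true

# .env holds the database password and APP_KEY: readable by the service
# account and the php-fpm group only (previously it was created with the
# default umask, typically world-readable), and kept out of task output and
# --diff output.
- name: Deploy the .env file
  ansible.builtin.template:
    src: env.j2
    dest: "{{ snipeit_install_path }}/.env"
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "0640"
  no_log: true
  notify: Reload nginx

# A fresh install, or one still carrying the placeholder key, gets a real key.
# (Same condition as before, written without the redundant `and exists`.)
- name: Generate the application key
  ansible.builtin.command:
    argv:
      - php
      - artisan
      - "key:generate"
      - "--force"
    chdir: "{{ snipeit_install_path }}"
  become_user: "{{ snipeit_user }}"
  when: not snipeit_env_stat.stat.exists or snipeit_config_app_key == 'ChangeMe'

# --- Network exposure -------------------------------------------------------
- name: Allow HTTP through firewalld
  ansible.posix.firewalld:
    port: "80/tcp"
    permanent: true
    immediate: true
    state: enabled
  notify: Reload firewalld

- name: Allow HTTPS through firewalld
  ansible.posix.firewalld:
    port: "443/tcp"
    permanent: true
    immediate: true
    state: enabled
  notify: Reload firewalld

- name: Allow nginx to listen on port 80
  community.general.seport:
    ports: "80"
    proto: tcp
    setype: http_port_t
    state: present

- name: Allow nginx to listen on port 443
  community.general.seport:
    ports: "443"
    proto: tcp
    setype: http_port_t
    state: present

- name: Start and enable nginx
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true

# --- Upgrade timer ----------------------------------------------------------
- name: Deploy the snipeit upgrade service unit
  ansible.builtin.template:
    src: snipeit-upgrade.service.j2
    dest: /etc/systemd/system/snipeit-upgrade.service
    owner: root
    group: root
    mode: "0644"
  notify: Daemon Reload

- name: Deploy the snipeit upgrade timer unit
  ansible.builtin.template:
    src: snipeit-upgrade.timer.j2
    dest: /etc/systemd/system/snipeit-upgrade.timer
    owner: root
    group: root
    mode: "0644"
  notify: Daemon Reload

# daemon_reload here (rather than waiting for the handler at the end of the
# play) so a unit deployed in this run can be enabled in this run, and
# `started` because an enabled-but-inactive timer only begins firing after
# the next reboot.
- name: Enable and start the snipeit upgrade timer
  ansible.builtin.systemd:
    name: snipeit-upgrade.timer
    daemon_reload: true
    enabled: true
    state: started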