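---
# file: roles/snipeit/tasks/main.yml
#
# Installs Snipe-IT on an EL9 host: third-party repositories, nginx/php-fpm/
# MariaDB, the application checkout, composer, the .env file, SELinux and
# firewalld settings, and a systemd timer for upgrades.

# --- Third-party repositories --------------------------------------------
# The release RPMs are fetched straight from the vendors over HTTPS. Import the
# vendors' signing keys first so dnf can verify the packages, instead of
# installing them with GPG checking disabled (which accepted anything the
# download returned). The key URLs can be overridden, e.g. with a vetted local
# copy; compare the remi key fingerprints with the ones published on
# https://rpms.remirepo.net/ before trusting them.
- name: Import EPEL GPG key
  ansible.builtin.rpm_key:
    key: "{{ snipeit_epel_gpg_key_url | default('https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-' ~ ansible_distribution_major_version) }}"
    state: present

# remi has rotated keys; import both the 2021 and 2023 keys so whichever one
# signed the current release RPM is available.
- name: Import remi GPG keys
  ansible.builtin.rpm_key:
    key: "{{ item }}"
    state: present
  loop: "{{ snipeit_remi_gpg_key_urls | default(['https://rpms.remirepo.net/RPM-GPG-KEY-remi2021', 'https://rpms.remirepo.net/RPM-GPG-KEY-remi2023']) }}"

- name: Install EPEL release RPM
  ansible.builtin.package:
    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
    state: present

- name: Install remi release RPM
  ansible.builtin.package:
    name: "https://rpms.remirepo.net/enterprise/remi-release-9.rpm"
    state: present

# No Ansible module manages dnf module streams, so this runs the dnf CLI
# directly (command, not shell: nothing here needs a shell). The stream name
# pins the PHP version the rest of the role is built for.
- name: Enable the php:remi-8.1 DNF module stream
  ansible.builtin.command:
    cmd: dnf module enable -y php:remi-8.1
  register: dnf_module_enable
  changed_when: "'Nothing to do' not in dnf_module_enable.stdout"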
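# --- Runtime packages -----------------------------------------------------
# NOTE: state=latest upgrades every package in this list on each run, so a
# routine play can pull in a new nginx/MariaDB/PHP build; switch to
# state=present if upgrades are meant to happen only through the timer below.
- name: Install nginx, MariaDB, PHP and git
  ansible.builtin.package:
    name:
      - nginx
      - mariadb-server
      - php
      - php-mysqlnd
      - php-json
      - php-openssl
      - php-pdo
      - php-mbstring
      - php-curl
      - php-ldap
      - php-fileinfo
      - php-bcmath
      - php-xml
      - php-exif
      - php-gd
      - php-sodium
      - php-zip
      - git
    state: latest

# PyMySQL is only needed by the community.mysql modules used further down.
# Take it from the distribution repository (signed, patched along with the
# OS) rather than installing an unpinned wheel from PyPI with pip.
- name: Install PyMySQL
  ansible.builtin.package:
    name: python3-PyMySQL
    state: present

- name: Start and enable php-fpm
  ansible.builtin.service:
    name: php-fpm
    state: started
    enabled: true

- name: Start and enable MariaDB
  ansible.builtin.service:
    name: mariadb
    state: started
    enabled: true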
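# --- MariaDB hardening and application database --------------------------
# Every task here connects over the local unix socket; check_implicit_admin
# lets the modules try the implicit root login first, so no database
# password has to be stored in the role.
- name: Delete anonymous MariaDB users
  community.mysql.mysql_user:
    name: ""
    host_all: true
    state: absent
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

- name: Remove the default test database
  community.mysql.mysql_db:
    name: test
    state: absent
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

- name: Create the Snipe-IT database
  community.mysql.mysql_db:
    name: "{{ snipeit_config_db_database }}"
    state: present
    encoding: "{{ snipeit_config_db_charset }}"
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock

# Grants are limited to the application database (no global privileges).
# no_log keeps the password out of play output, -v output and callback logs.
- name: Create the Snipe-IT database user
  community.mysql.mysql_user:
    name: "{{ snipeit_config_db_username }}"
    password: "{{ snipeit_config_db_password }}"
    priv: "{{ snipeit_config_db_database }}.*:ALL"
    state: present
    check_implicit_admin: true
    login_unix_socket: /var/lib/mysql/mysql.sock
  no_log: true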
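# --- Service account, nginx vhost and SELinux booleans ---------------------
# The application files are owned by a dedicated nologin system account; the
# web server and php-fpm reach them through the apache/nginx groups.
- name: Create snipeit service account
  ansible.builtin.user:
    name: "{{ snipeit_user }}"
    shell: /sbin/nologin
    comment: nologin user
    groups:
      - apache
      - nginx
    state: present
    system: true

# Explicit root ownership and 0644 so the vhost file does not inherit an
# unexpected mode from the controller's umask.
- name: Deploy nginx configuration file
  ansible.builtin.template:
    src: "{{ snipeit_nginx_config }}"
    dest: "/etc/nginx/conf.d/{{ snipeit_nginx_config_output }}"
    owner: root
    group: root
    mode: '0644'
  notify: Reload nginx

- name: Allow nginx to read config file
  community.general.sefcontext:
    target: "/etc/nginx/conf.d/{{ snipeit_nginx_config_output }}"
    seuser: system_u
    setype: httpd_config_t
    state: present
  notify: Restorecon nginx config

# NOTE(review): httpd_unified makes SELinux treat all httpd content labels
# alike, which largely cancels the read-only vs read-write split
# (httpd_sys_content_t vs httpd_sys_rw_content_t) applied to public/ and
# storage/ later in this file. Confirm it is really needed before keeping it.
- name: Set httpd_unified flag
  ansible.posix.seboolean:
    name: httpd_unified
    state: true
    persistent: true

# Lets nginx/php-fpm open outbound TCP connections to any host (LDAP, mail
# relays, external integrations). If only a remote database were needed,
# httpd_can_network_connect_db would be the narrower boolean.
- name: Set httpd_can_network_connect flag
  ansible.posix.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true

# Lets the application hand mail to the local MTA / SMTP.
- name: Set httpd_can_sendmail flag
  ansible.posix.seboolean:
    name: httpd_can_sendmail
    state: true
    persistent: true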
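# --- Application checkout ------------------------------------------------
- name: Ensure install directory exists
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}"
    state: directory
    owner: "{{ snipeit_user }}"
    group: root

# Without an explicit version the clone follows the repository's default
# branch (it moved from master to main with v7), so each run deploys whatever
# the upstream tip happens to be, and force=true throws away local changes.
# Set snipeit_version to a release tag (or commit) to deploy a known, reviewed
# revision; the default keeps the previous "track HEAD" behaviour.
- name: Clone the upstream repo
  ansible.builtin.git:
    repo: https://github.com/snipe/snipe-it
    dest: "{{ snipeit_install_path }}"
    version: "{{ snipeit_version | default('HEAD') }}"
    force: true
  become_user: "{{ snipeit_user }}"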
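# --- Ownership, permissions and SELinux labels ----------------------------
# Group apache is the group php-fpm writes as (the rest of this file relies on
# that); it needs write access to the Laravel storage and cache trees only.
# Symbolic modes with "X" set the execute bit on directories but not on
# regular files, so recursing no longer marks every PHP/asset file executable
# the way a numeric 775 did.

# Path derived from snipeit_install_path instead of a hard-coded /opt/snipeit,
# so the log is created inside the actual checkout. Preserving the timestamps
# keeps the task idempotent (plain "touch" reports changed on every run).
- name: Create log file
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/storage/logs/laravel.log"
    state: touch
    owner: "{{ snipeit_user }}"
    group: apache
    mode: '0664'
    access_time: preserve
    modification_time: preserve

- name: Set owner to non-privileged user
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}"
    state: directory
    recurse: true
    owner: "{{ snipeit_user }}"

# o=rX stays on storage/ because nginx (user nginx, not in group apache)
# presumably serves uploaded files from it through public/storage.
- name: Update storage directory to allow webserver access
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/storage"
    state: directory
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Set storage secontext definition
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/storage(/.*)?"
    seuser: system_u
    setype: httpd_sys_rw_content_t
    state: present
  notify: Restorecon snipeit storage

# public/ is the nginx document root; it is read-only for SELinux purposes.
- name: Update public directory to allow webserver access
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/public"
    state: directory
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Set public secontext definition
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/public(/.*)?"
    seuser: system_u
    setype: httpd_sys_content_t
    state: present
  notify: Restorecon snipeit public

- name: Update cache directory to allow webserver access
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/bootstrap/cache"
    state: directory
    recurse: true
    owner: "{{ snipeit_user }}"
    group: apache
    mode: "u=rwX,g=rwX,o=rX"

- name: Set cache secontext definition
  community.general.sefcontext:
    target: "{{ snipeit_install_path }}/bootstrap/cache(/.*)?"
    seuser: system_u
    setype: httpd_sys_rw_content_t
    state: present
  notify: Restorecon snipeit cache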
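# --- Composer ------------------------------------------------------------
# "curl ... | php" executed whatever getcomposer.org returned with no integrity
# check. This follows the procedure Composer documents instead: download the
# installer, compare its SHA-384 with the value published at
# composer.github.io/installer.sig, and only then run it. Everything is
# skipped once composer.phar exists, which keeps the previous "creates"
# idempotency.
- name: Check whether composer.phar is already present
  ansible.builtin.stat:
    path: "{{ snipeit_install_path }}/composer.phar"
  register: composer_phar

- name: Download the composer installer
  ansible.builtin.get_url:
    url: https://getcomposer.org/installer
    dest: "{{ snipeit_install_path }}/composer-setup.php"
    mode: '0644'
  when: not composer_phar.stat.exists

- name: Fetch the published installer checksum
  ansible.builtin.uri:
    url: https://composer.github.io/installer.sig
    return_content: true
  register: composer_installer_sig
  when: not composer_phar.stat.exists

- name: Compute the SHA-384 of the downloaded installer
  ansible.builtin.stat:
    path: "{{ snipeit_install_path }}/composer-setup.php"
    checksum_algorithm: sha384
  register: composer_installer
  when: not composer_phar.stat.exists

- name: Refuse to run an installer whose checksum does not match
  ansible.builtin.assert:
    that:
      - composer_installer.stat.checksum == (composer_installer_sig.content | trim)
    fail_msg: "composer installer SHA-384 does not match https://composer.github.io/installer.sig"
  when: not composer_phar.stat.exists

# Still runs as root, like the original; composer itself warns against that.
# Running it under become_user would need a writable COMPOSER_HOME for the
# nologin account, so that change is left for a follow-up.
- name: Run the composer installer
  ansible.builtin.command:
    cmd: php composer-setup.php
    chdir: "{{ snipeit_install_path }}"
    creates: "{{ snipeit_install_path }}/composer.phar"
  register: composer_installed

- name: Remove the composer installer
  ansible.builtin.file:
    path: "{{ snipeit_install_path }}/composer-setup.php"
    state: absent

- name: Install PHP dependencies with composer
  ansible.builtin.command:
    cmd: php composer.phar install --no-dev --prefer-source
    chdir: "{{ snipeit_install_path }}"
  when: composer_installed is changed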
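# --- Application configuration (.env) -------------------------------------
- name: Check that .env file exists
  ansible.builtin.stat:
    path: "{{ snipeit_install_path }}/.env"
  register: stat_result

# On an existing install, reuse the APP_KEY already in .env so that a re-run
# does not replace the key the application is already using. The slurped
# content is the whole .env (DB password included), so neither task may log.
- name: Preserve the APP_KEY of an existing install
  when: stat_result.stat.exists
  block:
    - name: Read the existing .env file
      ansible.builtin.slurp:
        src: "{{ snipeit_install_path }}/.env"
      register: envconfig
      no_log: true

    # The previous condition compared the regex_findall list with a string,
    # which is never equal; compare the extracted value itself, and skip
    # (rather than fail on "first") when .env has no APP_KEY line.
    - name: Carry the existing APP_KEY over
      ansible.builtin.set_fact:
        snipeit_config_app_key: "{{ existing_app_key }}"
      vars:
        existing_app_key: "{{ envconfig['content'] | b64decode | regex_findall('(?<=APP_KEY=).*') | first | default('') }}"
      when:
        - existing_app_key | length > 0
        - existing_app_key != snipeit_config_app_key
      no_log: true

# .env holds the DB password and APP_KEY: writable by the service account,
# readable by php-fpm through group apache, nothing for other users (the
# module default would have left it world-readable). diff=false keeps the
# rendered secrets out of --diff output.
- name: Deploy env file
  ansible.builtin.template:
    src: env.j2
    dest: "{{ snipeit_install_path }}/.env"
    owner: "{{ snipeit_user }}"
    group: apache
    mode: '0640'
  diff: false
  notify: Reload nginx

# Same condition as before, written without relying on and/or precedence:
# a fresh install, or an existing one still carrying the placeholder key.
- name: Generate app key for fresh install
  ansible.builtin.command:
    cmd: php artisan key:generate --force
    chdir: "{{ snipeit_install_path }}"
  when: not stat_result.stat.exists or snipeit_config_app_key == 'ChangeMe'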
# --- Network exposure ----------------------------------------------------
# Only HTTP and HTTPS are opened; MariaDB is reached over the unix socket and
# gets no firewall rule.
- name: Open firewalld ports for the web server
  ansible.posix.firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 80
    - 443
  notify: Reload firewalld

# Both ports are normally already labelled http_port_t by the targeted policy;
# declaring them keeps the role explicit on hosts with a customised policy.
- name: Allow nginx to listen on the web ports under SELinux
  community.general.seport:
    ports: "{{ item }}"
    proto: tcp
    setype: http_port_t
    state: present
  loop:
    - 80
    - 443

- name: Start and enable nginx services
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true
# --- Scheduled upgrade ---------------------------------------------------
# The unit templates are not part of this file. Whatever the service runs
# executes with the privileges declared in the template (presumably pulling
# new code into the checkout above), so review it with the same care as the
# clone task.
- name: Deploy snipeit upgrade service and timer
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
  loop:
    - snipeit-upgrade.service
    - snipeit-upgrade.timer
  notify: Daemon Reload

- name: Enable systemd timer for snipeit upgrade
  ansible.builtin.service:
    name: snipeit-upgrade.timer
    enabled: true