diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 4c43a60..f336d99 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -68,6 +68,18 @@
 notify:
 - Restart Link
+# Opensearch Dashboards runs with UID/GID 1000 inside the container
+- name: Podman CDR Link | PATCH | Install Opensearch Dashboards configuration
+ ansible.builtin.template:
+ src: home/opensearch-dashboards.yml
+ dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml"
+ mode: "0400"
+ owner: "{{ _podman_link_user_subuid_start + 999 }}"
+ group: "{{ _podman_link_user_subgid_start + 999 }}"
+ become: true
+ notify:
+ - Restart Link
+
 # Zammad runs with UID/GID 1000 inside the container
 - name: Podman CDR Link | PATCH | Install Zammad database configuration file
 ansible.builtin.template:
diff --git a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
index 92b144d..6f3b378 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
+++ b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
@@ -10,3 +10,4 @@ ELASTICSEARCH_USER=admin
 ELASTICSEARCH_PASS={{ podman_link_opensearch_password }}
 ELASTICSEARCH_SCHEMA=https
 ELASTICSEARCH_REINDEX=false
+TZ=Etc/UTC
diff --git a/roles/podman_link/templates/home/config/containers/systemd/link.container b/roles/podman_link/templates/home/config/containers/systemd/link.container
index 4cfd232..4494117 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/link.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/link.container
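Review bot: The new template task in roles/podman_link/tasks/main.yml renders `podman_link_opensearch_password` into the destination file, so a run with `--diff` would print the OpenSearch admin password to the console and to any captured logs; add `diff: false` (or `no_log: true`) to the task. The `mode: "0400"` and sub-ID ownership are appropriate for a file that holds a credential. The leading comment would be easier to verify if it stated the mapping, for example `# Container UID/GID 1000 maps to the host sub-ID range start + 999 under rootless Podman`. The arithmetic assumes `_podman_link_user_subuid_start` and `_podman_link_user_subgid_start` are integers; they are set outside this hunk, so confirm they are not strings.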
@@ -7,8 +7,8 @@ PartOf=zammad-nginx.service
 ContainerName=link
 Environment=ZAMMAD_VIRTUAL_HOST={{ podman_link_web_hostname }}
 Environment=SETUP_MODE={{ podman_link_setup_mode }}
-Environment=LEAFCUTTER_ENABLED={{ podman_link_leafcutter_enabled }}
-Environment=LEAFCUTTER_DEFAULT_DASHBOARD_URL={{ podman_link_dashboard_url }}
+Environment=LEAFCUTTER_ENABLED=false
+Environment=LEAFCUTTER_DEFAULT_DASHBOARD_URL=""
 Environment=ZAMMAD_API_TOKEN={{ podman_link_zammad_api_token }}
 Environment=LINK_URL=https://localhost:3000/link
 Environment=ZAMMAD_URL=http://zammad-nginx:8080
diff --git a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
index 0d0ac6d..6311b0c 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
@@ -5,11 +5,11 @@ PartOf=link.target
 [Container]
 ContainerName=opensearch-dashboards
-Environment=OPENSEARCH_USERNAME=admin
-Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
+#Environment=OPENSEARCH_USERNAME=admin
+#Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:5601:5601
-#Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards-config.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro,Z
 Network=zammad.network
 [Service]
diff --git a/roles/podman_link/templates/home/opensearch-dashboards.yml b/roles/podman_link/templates/home/opensearch-dashboards.yml
new file mode 100644
index 0000000..3634911
--- /dev/null
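Review bot: In link.container, `LEAFCUTTER_ENABLED` and `LEAFCUTTER_DEFAULT_DASHBOARD_URL` are now hard-coded, so `podman_link_leafcutter_enabled` and `podman_link_dashboard_url` no longer affect this unit, and an operator who sets them gets no indication that they are ignored. If those variables are still defined in the role defaults (not visible in this diff), remove or deprecate them, and add a `#` comment above the two lines stating why Leafcutter is forced off. Also confirm that the rendered unit yields an empty value rather than two literal quote characters for the dashboard URL; `Environment=LEAFCUTTER_DEFAULT_DASHBOARD_URL=` avoids the question.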
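Review bot: Commenting out the two `Environment=OPENSEARCH_*` lines in opensearch-dashboards.container does not keep the secret out of the unit file. Jinja2 still expands `{{ podman_link_opensearch_password }}` on a line that starts with `#`, so the rendered file on disk continues to carry the admin password in clear text. Delete both lines rather than commenting them, since the credentials are now supplied through the mounted `opensearch_dashboards.yml`. The file mode of the rendered unit is set outside this hunk and is worth checking for the same reason.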
+++ b/roles/podman_link/templates/home/opensearch-dashboards.yml
@@ -0,0 +1,36 @@
+---
+opensearch.hosts: [https://zammad-opensearch:9200]
+opensearch.ssl.verificationMode: none
+opensearch.requestHeadersAllowlist:
+ - "securitytenant"
+ - "Authorization"
+ - "x-forwarded-for"
+ - "x-forwarded-user"
+ - "x-forwarded-roles"
+opensearch_security.auth.type: "proxy"
+opensearch_security.proxycache.user_header: "x-forwarded-user"
+opensearch_security.proxycache.roles_header: "x-forwarded-roles"
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.enable_global: true
+opensearch_security.multitenancy.tenants.enable_private: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.cookie.secure: false
+server.basePath: "/link/dashboards"
+server.rewriteBasePath: false
+
+opensearch.username: "admin"
+opensearch.password: "{{ podman_link_opensearch_password }}"
+
+server.host: "0.0.0.0"
+
+# New config that adds to or overrides existing one:
+#
+# server.port: 5601
+# server.name: "nextgen-dashboards"
+# opensearch.hosts: ["https://aberdeen-opensearch:9200"]
+# opensearch.ssl.verificationMode: certificate
+# opensearch.ssl.certificateAuthorities:
+# ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]
+
+# opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
+# opensearch_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file
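Review bot: With `opensearch_security.auth.type: "proxy"` and `server.host: "0.0.0.0"`, Dashboards accepts the identity asserted in `x-forwarded-user` and `x-forwarded-roles` from any client that can reach port 5601, so the design depends on only the Link reverse proxy having network access to this container; state that assumption in a comment at the top of the file and enforce it at the network level. `opensearch.ssl.verificationMode: none` also leaves the connection that carries the `admin` credentials unauthenticated; the commented sample in this same file already shows the stricter form, `opensearch.ssl.verificationMode: certificate` together with `opensearch.ssl.certificateAuthorities`. The password is interpolated inside a double-quoted YAML scalar, so a value containing `"` or `\` would break or alter the file; `opensearch.password: {{ podman_link_opensearch_password | to_json }}` avoids that. A dedicated low-privilege service account would be a safer backend identity for Dashboards than `admin`.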