diff --git a/playbooks/link.yml b/playbooks/link.yml
index 95cf874..669ad9a 100644
--- a/playbooks/link.yml
+++ b/playbooks/link.yml
@@ -27,6 +27,14 @@
 group: "{{ podman_prometheus_podman_rootless_user }}"
 mode: "0444"
 become: true
+ - name: Podman CDR Link | Update legacy instance list for Prometheus
+ ansible.builtin.template:
+ src: oldlink_sd.yml
+ dest: "/home/{{ podman_prometheus_podman_rootless_user }}/file-configs/oldlink.yml"
+ owner: "{{ podman_prometheus_podman_rootless_user }}"
+ group: "{{ podman_prometheus_podman_rootless_user }}"
+ mode: "0444"
+ become: true
 - name: Legacy Link | Set up ClouDNS monitoring of legacy (Docker Compose) Link instances
 hosts:
diff --git a/playbooks/templates/oldlink_sd.yml b/playbooks/templates/oldlink_sd.yml
new file mode 100644
index 0000000..0b92fd5
--- /dev/null
+++ b/playbooks/templates/oldlink_sd.yml
@@ -0,0 +1,9 @@
+---
+{% for host in groups['legacy_link'] %}
+- targets:
+ - "{{ hostvars[host].vpc_ip | default(host) }}:9100"
+ labels:
+ job: node
+ app: legacy_link
+ instance: "{{ host }}"
+{% endfor %}
diff --git a/roles/podman_link/defaults/main.yml b/roles/podman_link/defaults/main.yml
index 2692592..a7bdbe9 100644
--- a/roles/podman_link/defaults/main.yml
+++ b/roles/podman_link/defaults/main.yml
@@ -1,6 +1,6 @@
 # podman_link_podman_rootless_user:
 podman_link_web_hostname: "{{ inventory_hostname }}"
-podman_link_stack_version: 3.3.2
+podman_link_stack_version: 3.4.2-beta.3
 podman_link_postgres_zammad_user: postgres
 podman_link_postgres_zammad_database: zammad_production
 podman_link_postgres_link_user: link
@@ -13,7 +13,6 @@ podman_link_postgres_link_database: link
 podman_link_opensearch_memory_limit: 2048
 podman_link_setup_mode: false
 podman_link_leafcutter_enabled: false
-podman_link_dashboard_url: ""
 podman_link_zammad_api_token: ""
 # podman_link_nextauth_secret:
 # podman_link_google_client_id:
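Review bot: The new template task aborts on any inventory that has no `legacy_link` group, because `oldlink_sd.yml` (the next hunk) indexes `groups['legacy_link']` directly and a missing group key is an undefined variable at render time. Either iterate over `groups['legacy_link'] | default([])` in the template so an empty target list is written, or guard the task with `when: "'legacy_link' in groups"`. The rendered file is world-readable (`mode: "0444"`) and lists every legacy host's `vpc_ip`; that matches the sibling task above it, but it is worth confirming that exposure is acceptable on the Prometheus host. The task list this hunk belongs to starts outside the hunk.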
@@ -26,5 +25,3 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
-# podman_link_opensearch_hub_ip:
-# podman_link_opensearch_spoke_ip:
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index bad08c5..98c1ddc 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -8,23 +8,6 @@
 mode: "0444"
 become: true
-- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
- ansible.posix.firewalld:
- rich_rule: >- rule family="ipv4" source address="{{ podman_link_opensearch_hub_ip }}" destination address="{{ podman_link_opensearch_spoke_ip }}" port protocol="tcp" port="{{ item }}" accept
- permanent: true
- state: enabled
- with_items:
- - 9200
- - 9300
- when:
- - podman_link_opensearch_hub_ip is defined
- - podman_link_opensearch_spoke_ip is defined
- become: true
-
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
 ansible.builtin.include_role:
 role: sr2c.core.podman_host
@@ -85,18 +68,6 @@
 notify:
 - Restart Link
-# Opensearch Dashboards runs with UID/GID 1000 inside the container
-- name: Podman CDR Link | PATCH | Install Opensearch Dashboards configuration
- ansible.builtin.template:
- src: home/opensearch-dashboards.yml
- dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml"
- mode: "0400"
- owner: "{{ _podman_link_user_subuid_start + 999 }}"
- group: "{{ _podman_link_user_subgid_start + 999 }}"
- become: true
- notify:
- - Restart Link
-
 # Zammad runs with UID/GID 1000 inside the container
 - name: Podman CDR Link | PATCH | Install Zammad database configuration file
 ansible.builtin.template:
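Review bot: Deleting the firewalld task does not reverse it on hosts that were already provisioned: the rich rule accepting tcp/9200 and tcp/9300 from the hub was written with `permanent: true`, so it stays in force until the same `ansible.posix.firewalld` task is run once more with `state: disabled`. The second hunk in this file has the same gap for `/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml`, which holds `podman_link_opensearch_password` and is left on disk; an `ansible.builtin.file` task with `state: absent` for it, and for the removed `opensearch-dashboards.container` quadlet dropped from the list in the `@@ -253` hunk, would make the upgrade converge. Both cleanup tasks can be retired once every host has been migrated.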
@@ -253,7 +224,6 @@
 with_items:
 - link.container
 - zammad-opensearch.container
- - opensearch-dashboards.container
 - bridge-worker.container
 - bridge-postgresql.container
 - bridge-whatsapp.container
diff --git a/roles/podman_link/templates/etc/motd.d/10-data-plate.txt b/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
index 8d39824..a0c604a 100644
--- a/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
+++ b/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
@@ -3,7 +3,7 @@
 Podman user: {{ podman_link_podman_rootless_user }}
 =========================================================
 # Become the podman user
- sudo -iu {{ podman_link_podman_rootless_user }}
+ sudo -iu {{ podman_link_podman_rootless_user }} bash
 # Check the Link stack status
 systemctl --user status link.target
 # Restart the Link stack
diff --git a/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env b/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
index f96835b..1b98341 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
+++ b/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
@@ -3,11 +3,10 @@ POSTGRES_PASSWORD={{ podman_link_postgres_link_password }}
 POSTGRES_DB={{ podman_link_postgres_link_database }}
 NEXTAUTH_URL=https://{{ podman_link_web_hostname }}/link/api/auth
 NEXTAUTH_SECRET={{ podman_link_nextauth_secret }}
-{% if podman_link_google_client_id is defined %}
-GOOGLE_CLIENT_ID={{ podman_link_google_client_id }}
-GOOGLE_CLIENT_SECRET={{ podman_link_google_client_secret }}
-{% endif %}
-BRIDGE_FRONTEND_URL=http://link:3000
+KEYCLOAK_ISSUER={{ podman_link_keycloak_issuer }}
+KEYCLOAK_CLIENT_ID={{ podman_link_keycloak_id }}
+KEYCLOAK_CLIENT_SECRET={{ podman_link_keycloak_secret }}
+BRIDGE_FRONTEND_URL=http://link:3000/link
 BRIDGE_SIGNAL_URL=http://signal-cli-rest-api:8081
 BRIDGE_WHATSAPP_URL=http://bridge-whatsapp:5000
 DATABASE_NAME={{ podman_link_postgres_link_database }}
diff --git a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
deleted file mode 100644
index ba01cb1..0000000
--- a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Requires=zammad-opensearch.service
-After=zammad-opensearch.service
-PartOf=link.target
-
-[Container]
-ContainerName=opensearch-dashboards
-Environment=OPENSEARCH_USERNAME=admin
-Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password | replace("%", "%%") }}
-Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
-PublishPort=127.0.0.1:5601:5601
-Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro,Z
-Network=zammad.network
-
-[Service]
-Restart=always
-Slice=link.slice
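Review bot: The three new variables `podman_link_keycloak_issuer`, `podman_link_keycloak_id` and `podman_link_keycloak_secret` are not declared in `roles/podman_link/defaults/main.yml`, where the file's convention is to list required secrets as commented placeholder keys (`# podman_link_nextauth_secret:`); an undefined one surfaces only as a failure of the template task that renders this file. Add `# podman_link_keycloak_issuer:`, `# podman_link_keycloak_id:` and `# podman_link_keycloak_secret:` beside the existing placeholders, and consider naming the id variable `podman_link_keycloak_client_id` so it matches the env var it fills. The Keycloak client secret lands in this env file in clear text, as `NEXTAUTH_SECRET` already does, so the ownership and mode set by the task that installs it (outside this hunk) is what protects it; worth checking that task still uses a restrictive mode.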
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
index af25e35..fc0bbc0 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
@@ -1,5 +1,6 @@
 [Unit]
-Requires=zammad-railsserver.service zammad-websocket.service link.service
+Requires=zammad-railsserver.service zammad-websocket.service
+Wants=link.service
 After=zammad-railsserver.service zammad-websocket.service link.service
 PartOf=link.target
diff --git a/roles/podman_link/templates/home/config/systemd/user/link.target b/roles/podman_link/templates/home/config/systemd/user/link.target
index d5d87b9..9dbd684 100644
--- a/roles/podman_link/templates/home/config/systemd/user/link.target
+++ b/roles/podman_link/templates/home/config/systemd/user/link.target
@@ -1,9 +1,9 @@
 [Unit]
 Description=Podman CDR Link Stack by SR2 Communications
-Requires=opensearch-dashboards.service
-Requires=zammad-nginx.service
-After=opensearch-dashboards.service
+Wants=zammad-nginx.service
 After=zammad-nginx.service
+Wants=nginx.service
+After=nginx.service
 [Install]
 WantedBy=default.target
diff --git a/roles/podman_link/templates/home/opensearch-dashboards.yml b/roles/podman_link/templates/home/opensearch-dashboards.yml
deleted file mode 100644
index 3634911..0000000
--- a/roles/podman_link/templates/home/opensearch-dashboards.yml
+++ /dev/null
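Review bot: Changing `Requires=zammad-nginx.service` to `Wants=` lets `link.target` reach active even when zammad-nginx fails to start, so the `systemctl --user status link.target` check advertised in the motd no longer tells an operator whether the stack is actually serving; if that relaxation is intended, the motd should also point at `systemctl --user --failed` so a broken member is still visible. `Wants=nginx.service` and `After=nginx.service` are resolved by the rootless user's manager, so they only do anything if an `nginx` unit exists in that user scope (for example a quadlet `nginx.container`); this diff does not add one, so confirm it is provided elsewhere, otherwise the dependency is silently unmet. The zammad-nginx.container hunk above applies the same Requires→Wants relaxation to `link.service`.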
@@ -1,36 +0,0 @@
----
-opensearch.hosts: [https://zammad-opensearch:9200]
-opensearch.ssl.verificationMode: none
-opensearch.requestHeadersAllowlist:
- - "securitytenant"
- - "Authorization"
- - "x-forwarded-for"
- - "x-forwarded-user"
- - "x-forwarded-roles"
-opensearch_security.auth.type: "proxy"
-opensearch_security.proxycache.user_header: "x-forwarded-user"
-opensearch_security.proxycache.roles_header: "x-forwarded-roles"
-opensearch_security.multitenancy.enabled: true
-opensearch_security.multitenancy.tenants.enable_global: true
-opensearch_security.multitenancy.tenants.enable_private: true
-opensearch_security.multitenancy.tenants.preferred: [Private, Global]
-opensearch_security.cookie.secure: false
-server.basePath: "/link/dashboards"
-server.rewriteBasePath: false
-
-opensearch.username: "admin"
-opensearch.password: "{{ podman_link_opensearch_password }}"
-
-server.host: "0.0.0.0"
-
-# New config that adds to or overrides existing one:
-#
-# server.port: 5601
-# server.name: "nextgen-dashboards"
-# opensearch.hosts: ["https://aberdeen-opensearch:9200"]
-# opensearch.ssl.verificationMode: certificate
-# opensearch.ssl.certificateAuthorities:
-# ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]
-
-# opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
-# opensearch_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file
diff --git a/roles/podman_seafile/tasks/main.yml b/roles/podman_seafile/tasks/main.yml
index 8bc7b1a..1820676 100644
--- a/roles/podman_seafile/tasks/main.yml
+++ b/roles/podman_seafile/tasks/main.yml
@@ -123,10 +123,10 @@
 - name: Podman Seafile | Set up ClouDNS monitoring
 sr2c.core.cloudns_monitor:
- name: "Seafile - {{ inventory_hostname[:22] }}"
- host: "{{ inventory_hostname }}"
- ip: "{{ inventory_hostname }}"
- http_status_code: "200"
+ name: "Seafile - {{ podman_seafile_hostname[:22] }}"
+ host: "{{ podman_seafile_hostname }}"
+ ip: "{{ podman_seafile_hostname }}"
+ http_status_code: "302" # This is going to redirect for SSO
 emails: "{{ cloudns_monitoring_emails }}"
 auth_id: "{{ cloudns_auth_id }}"
 auth_password: "{{ cloudns_auth_password }}"
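Review bot: Accepting `302` means the monitor passes as long as something issues the SSO redirect, which is typically the front proxy rather than Seafile itself, so an outage behind the proxy that still answers with the redirect would go unnoticed; if Seafile exposes an unauthenticated path that answers `200` (a health or static endpoint), pointing the check at that path keeps a genuine liveness signal. The switch from `inventory_hostname` to `podman_seafile_hostname` also makes this task depend on a variable that is always set only if the role defaults or the play define it, so it should have a default in the role or be asserted before this task. The trailing `# This is going to redirect for SSO` would read better above the key, matching the comment placement used elsewhere in these roles.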