diff --git a/playbooks/link.yml b/playbooks/link.yml
index 669ad9a..95cf874 100644
--- a/playbooks/link.yml
+++ b/playbooks/link.yml
@@ -27,14 +27,6 @@
group: "{{ podman_prometheus_podman_rootless_user }}"
mode: "0444"
become: true
- - name: Podman CDR Link | Update legacy instance list for Prometheus
- ansible.builtin.template:
- src: oldlink_sd.yml
- dest: "/home/{{ podman_prometheus_podman_rootless_user }}/file-configs/oldlink.yml"
- owner: "{{ podman_prometheus_podman_rootless_user }}"
- group: "{{ podman_prometheus_podman_rootless_user }}"
- mode: "0444"
- become: true
- name: Legacy Link | Set up ClouDNS monitoring of legacy (Docker Compose) Link instances
hosts:
diff --git a/playbooks/templates/oldlink_sd.yml b/playbooks/templates/oldlink_sd.yml
deleted file mode 100644
index 0b92fd5..0000000
--- a/playbooks/templates/oldlink_sd.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-{% for host in groups['legacy_link'] %}
-- targets:
- - "{{ hostvars[host].vpc_ip | default(host) }}:9100"
- labels:
- job: node
- app: legacy_link
- instance: "{{ host }}"
-{% endfor %}
diff --git a/roles/podman_link/defaults/main.yml b/roles/podman_link/defaults/main.yml
index a7bdbe9..2692592 100644
--- a/roles/podman_link/defaults/main.yml
+++ b/roles/podman_link/defaults/main.yml
@@ -1,6 +1,6 @@
# podman_link_podman_rootless_user:
podman_link_web_hostname: "{{ inventory_hostname }}"
-podman_link_stack_version: 3.4.2-beta.3
+podman_link_stack_version: 3.3.2
podman_link_postgres_zammad_user: postgres
podman_link_postgres_zammad_database: zammad_production
podman_link_postgres_link_user: link
@@ -13,6 +13,7 @@ podman_link_postgres_link_database: link
podman_link_opensearch_memory_limit: 2048
podman_link_setup_mode: false
podman_link_leafcutter_enabled: false
+podman_link_dashboard_url: ""
podman_link_zammad_api_token: ""
# podman_link_nextauth_secret:
# podman_link_google_client_id:
@@ -25,3 +26,5 @@ podman_link_zammad_api_token: ""
podman_link_postgres_zammad_postgresql_host: zammad-postgresql
podman_link_postgres_zammad_es_host: opensearch
podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
+# podman_link_opensearch_hub_ip:
+# podman_link_opensearch_spoke_ip:
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 98c1ddc..bad08c5 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -8,6 +8,23 @@
mode: "0444"
become: true
+- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
+ ansible.posix.firewalld:
+ rich_rule: >-
+ rule family="ipv4"
+ source address="{{ podman_link_opensearch_hub_ip }}"
+ destination address="{{ podman_link_opensearch_spoke_ip }}"
+ port protocol="tcp" port="{{ item }}" accept
+ permanent: true
+ state: enabled
+ with_items:
+ - 9200
+ - 9300
+ when:
+ - podman_link_opensearch_hub_ip is defined
+ - podman_link_opensearch_spoke_ip is defined
+ become: true
- name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
ansible.builtin.include_role:
role: sr2c.core.podman_host
@@ -68,6 +85,18 @@
notify:
- Restart Link
+# Opensearch Dashboards runs with UID/GID 1000 inside the container
+- name: Podman CDR Link | PATCH | Install Opensearch Dashboards configuration
+ ansible.builtin.template:
+ src: home/opensearch-dashboards.yml
+ dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml"
+ mode: "0400"
+ owner: "{{ _podman_link_user_subuid_start + 999 }}"
+ group: "{{ _podman_link_user_subgid_start + 999 }}"
+ become: true
+ notify:
+ - Restart Link
# Zammad runs with UID/GID 1000 inside the container
- name: Podman CDR Link | PATCH | Install Zammad database configuration file
ansible.builtin.template:
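Review bot: The firewalld task in the `@@ -8,6 +8,23 @@` hunk sets `permanent: true` without `immediate: true`, so the two rich rules land in the permanent configuration but are not applied to the running firewall until a reload or reboot, unless some other task reloads firewalld (not visible here). Adding `immediate: true` beside `permanent: true` applies the rule to both the runtime and the permanent configuration in one step. The `when` guard also means that once the hub/spoke variables are removed from the inventory a previously installed rule silently stays in place; a companion task with `state: disabled` under the inverse condition would keep the host in step with the inventory. Note that the rule opens OpenSearch's REST port 9200 and transport port 9300 to the hub address, which is only safe if TLS and authentication are enforced on those listeners; whether the OpenSearch container even publishes them on the host is not shown in this diff.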
@@ -224,6 +253,7 @@
with_items:
- link.container
- zammad-opensearch.container
+ - opensearch-dashboards.container
- bridge-worker.container
- bridge-postgresql.container
- bridge-whatsapp.container
diff --git a/roles/podman_link/templates/etc/motd.d/10-data-plate.txt b/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
index a0c604a..8d39824 100644
--- a/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
+++ b/roles/podman_link/templates/etc/motd.d/10-data-plate.txt
@@ -3,7 +3,7 @@ Podman user: {{ podman_link_podman_rootless_user }}
=========================================================
# Become the podman user
- sudo -iu {{ podman_link_podman_rootless_user }} bash
+ sudo -iu {{ podman_link_podman_rootless_user }}
# Check the Link stack status
systemctl --user status link.target
# Restart the Link stack
diff --git a/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env b/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
index 1b98341..f96835b 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
+++ b/roles/podman_link/templates/home/config/containers/systemd/common-bridge.env
@@ -3,10 +3,11 @@ POSTGRES_PASSWORD={{ podman_link_postgres_link_password }}
POSTGRES_DB={{ podman_link_postgres_link_database }}
NEXTAUTH_URL=https://{{ podman_link_web_hostname }}/link/api/auth
NEXTAUTH_SECRET={{ podman_link_nextauth_secret }}
-KEYCLOAK_ISSUER={{ podman_link_keycloak_issuer }}
-KEYCLOAK_CLIENT_ID={{ podman_link_keycloak_id }}
-KEYCLOAK_CLIENT_SECRET={{ podman_link_keycloak_secret }}
-BRIDGE_FRONTEND_URL=http://link:3000/link
+{% if podman_link_google_client_id is defined %}
+GOOGLE_CLIENT_ID={{ podman_link_google_client_id }}
+GOOGLE_CLIENT_SECRET={{ podman_link_google_client_secret }}
+{% endif %}
+BRIDGE_FRONTEND_URL=http://link:3000
BRIDGE_SIGNAL_URL=http://signal-cli-rest-api:8081
BRIDGE_WHATSAPP_URL=http://bridge-whatsapp:5000
DATABASE_NAME={{ podman_link_postgres_link_database }}
diff --git a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
new file mode 100644
index 0000000..ba01cb1
--- /dev/null
+++ b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
@@ -0,0 +1,17 @@
+[Unit]
+Requires=zammad-opensearch.service
+After=zammad-opensearch.service
+PartOf=link.target
+[Container]
+ContainerName=opensearch-dashboards
+Environment=OPENSEARCH_USERNAME=admin
+Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password | replace("%", "%%") }}
+Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
+PublishPort=127.0.0.1:5601:5601
+Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro,Z
+Network=zammad.network
+[Service]
+Restart=always
+Slice=link.slice
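Review bot: In the new `opensearch-dashboards.container` the OpenSearch admin password is handed to the container a second time through `Environment=OPENSEARCH_PASSWORD=...`, where it is readable via `podman inspect`, in `/proc/<pid>/environ` of every process in the container, and in the generated systemd unit, while the bind-mounted `opensearch-dashboards.yml` already carries `opensearch.password` and is installed with mode 0400 specifically to keep that secret private. Unless the image entrypoint needs those variables (not visible here), drop the `Environment=OPENSEARCH_USERNAME=admin` and `Environment=OPENSEARCH_PASSWORD=...` lines; if it does need them, a Podman `Secret=` directive keeps the value out of the unit file and the inspect output. Keeping `PublishPort=127.0.0.1:5601:5601` on loopback is the right choice, since the dashboards appear to rely on a fronting proxy for authentication and must not be reachable directly.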
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
index fc0bbc0..af25e35 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
@@ -1,6 +1,5 @@
[Unit]
-Requires=zammad-railsserver.service zammad-websocket.service
-Wants=link.service
+Requires=zammad-railsserver.service zammad-websocket.service link.service
After=zammad-railsserver.service zammad-websocket.service link.service
PartOf=link.target
diff --git a/roles/podman_link/templates/home/config/systemd/user/link.target b/roles/podman_link/templates/home/config/systemd/user/link.target
index 9dbd684..d5d87b9 100644
--- a/roles/podman_link/templates/home/config/systemd/user/link.target
+++ b/roles/podman_link/templates/home/config/systemd/user/link.target
@@ -1,9 +1,9 @@
[Unit]
Description=Podman CDR Link Stack by SR2 Communications
-Wants=zammad-nginx.service
+Requires=opensearch-dashboards.service
+Requires=zammad-nginx.service
+After=opensearch-dashboards.service
After=zammad-nginx.service
-Wants=nginx.service
-After=nginx.service
[Install]
WantedBy=default.target
diff --git a/roles/podman_link/templates/home/opensearch-dashboards.yml b/roles/podman_link/templates/home/opensearch-dashboards.yml
new file mode 100644
index 0000000..3634911
--- /dev/null
+++ b/roles/podman_link/templates/home/opensearch-dashboards.yml
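Review bot: In the `link.target` hunk, `Requires=opensearch-dashboards.service` together with `After=opensearch-dashboards.service` turns the dashboards UI into a hard prerequisite of the whole stack target: if that one container fails to start (bad config file, image pull failure, start-rate limit), `link.target` itself does not activate. The original unit expressed optional pieces with `Wants=`; for a monitoring front-end that the ticketing stack does not need in order to serve requests, `Wants=opensearch-dashboards.service` with the existing `After=` line keeps the stack up when the dashboards are broken. Escalating `zammad-nginx.service` to `Requires=` is defensible since it is the entry point, and dropping the `nginx.service` lines looks correct because this is a user-manager target and presumably could never pull in a system-scope unit anyway.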
@@ -0,0 +1,36 @@
+---
+opensearch.hosts: [https://zammad-opensearch:9200]
+opensearch.ssl.verificationMode: none
+opensearch.requestHeadersAllowlist:
+ - "securitytenant"
+ - "Authorization"
+ - "x-forwarded-for"
+ - "x-forwarded-user"
+ - "x-forwarded-roles"
+opensearch_security.auth.type: "proxy"
+opensearch_security.proxycache.user_header: "x-forwarded-user"
+opensearch_security.proxycache.roles_header: "x-forwarded-roles"
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.enable_global: true
+opensearch_security.multitenancy.tenants.enable_private: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.cookie.secure: false
+server.basePath: "/link/dashboards"
+server.rewriteBasePath: false
+opensearch.username: "admin"
+opensearch.password: "{{ podman_link_opensearch_password }}"
+server.host: "0.0.0.0"
+# New config that adds to or overrides existing one:
+#
+# server.port: 5601
+# server.name: "nextgen-dashboards"
+# opensearch.hosts: ["https://aberdeen-opensearch:9200"]
+# opensearch.ssl.verificationMode: certificate
+# opensearch.ssl.certificateAuthorities:
+# ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]
+# opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
+# opensearch_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file
diff --git a/roles/podman_seafile/tasks/main.yml b/roles/podman_seafile/tasks/main.yml
index 1820676..8bc7b1a 100644
--- a/roles/podman_seafile/tasks/main.yml
+++ b/roles/podman_seafile/tasks/main.yml
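Review bot: With `opensearch_security.auth.type: "proxy"` the dashboards server accepts whatever arrives in `x-forwarded-user` and `x-forwarded-roles` as the authenticated identity, so the proxy in front of port 5601 must overwrite those headers itself and never forward client-supplied copies; otherwise anyone who can reach the proxy picks their own user and roles. That proxy configuration is outside this diff, so record the assumption in the file, e.g. `# Proxy auth: the fronting reverse proxy MUST set/overwrite x-forwarded-user and x-forwarded-roles; 5601 must stay loopback-only.` above `opensearch_security.auth.type`. Two more settings weaken the transport story and deserve either a justification or a fix: `opensearch.ssl.verificationMode: none` disables certificate checking on the HTTPS link to `zammad-opensearch` even though the commented block below already shows the `certificate` mode with a CA path, and `opensearch_security.cookie.secure: false` lets the browser send the session cookie over plain HTTP, which should be `true` if the public endpoint is served over HTTPS only. Finally, the server-to-OpenSearch connection uses the `admin` account; a dedicated dashboards service user holding only the security plugin's `kibana_server` role is the least-privilege choice, so that the password in this 0400 file is not an all-powerful credential.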
@@ -123,10 +123,10 @@
- name: Podman Seafile | Set up ClouDNS monitoring
sr2c.core.cloudns_monitor:
- name: "Seafile - {{ podman_seafile_hostname[:22] }}"
- host: "{{ podman_seafile_hostname }}"
- ip: "{{ podman_seafile_hostname }}"
- http_status_code: "302" # This is going to redirect for SSO
+ name: "Seafile - {{ inventory_hostname[:22] }}"
+ host: "{{ inventory_hostname }}"
+ ip: "{{ inventory_hostname }}"
+ http_status_code: "200"
emails: "{{ cloudns_monitoring_emails }}"
auth_id: "{{ cloudns_auth_id }}"
auth_password: "{{ cloudns_auth_password }}"