- name : Enable index.html creation if user doesn't wish to customise base domain
delegate_to : 127.0 .0 .1
lineinfile :
path : '{{ awx_cached_matrix_vars }}'
regexp : "^#? *{{ item.key | regex_escape() }}:"
line : "{{ item.key }}: {{ item.value }}"
insertafter : '# Base Domain Settings Start'
with_dict :
'matrix_nginx_proxy_base_domain_homepage_enabled' : 'true'
when : customise_base_domain_website|bool == false
- name : Disable index.html creation to allow multi-file site if user does wish to customise base domain
delegate_to : 127.0 .0 .1
lineinfile :
path : '{{ awx_cached_matrix_vars }}'
regexp : "^#? *{{ item.key | regex_escape() }}:"
line : "{{ item.key }}: {{ item.value }}"
insertafter : '# Base Domain Settings Start'
with_dict :
'matrix_nginx_proxy_base_domain_homepage_enabled' : 'false'
when : customise_base_domain_website|bool == true
- name : Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to : 127.0 .0 .1
lineinfile :
path : '{{ awx_cached_matrix_vars }}'
regexp : "^#? *{{ item.key | regex_escape() }}:"
line : "{{ item.key }}: {{ item.value }}"
insertafter : '# Custom Settings Start'
with_dict :
'customise_base_domain_website' : '{{ customise_base_domain_website }}'
'sftp_auth_method' : '"{{ sftp_auth_method }}"'
'sftp_password' : '"{{ sftp_password }}"'
'sftp_public_key' : '"{{ sftp_public_key }}"'
- name : Reload vars in matrix_vars.yml
include_vars :
file : '{{ awx_cached_matrix_vars }}'
no_log : True
# ^ Is this even needed?
- name : Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to : 127.0 .0 .1
template :
src : './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
dest : '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
- name : Copy new 'Customise Website + Access Export' survey.json to target machine
copy :
src : '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
dest : '/matrix/awx/configure_website_access_export.json'
mode : '0660'
- name : Collect AWX admin token the hard way!
delegate_to : 127.0 .0 .1
shell : |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register : tower_token
no_log : True
- name : Recreate 'Customise Base Domain Export' job template
delegate_to : 127.0 .0 .1
awx.awx.tower_job_template :
name : "{{ matrix_domain }} - 1 - Configure Website + Access Export"
description : "Configure base domain website settings and access the servers export."
extra_vars : "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type : run
job_tags : "start,setup-nginx-proxy"
inventory : "{{ member_id }}"
project : "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook : setup.yml
credential : "{{ member_id }} - AWX SSH Key"
survey_enabled : true
survey_spec : "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
become_enabled : yes
state : present
verbosity : 1
tower_host : "https://{{ tower_host }}"
tower_oauthtoken : "{{ tower_token.stdout }}"
validate_certs : yes
- name : Ensure group "sftp" exists
group :
name : sftp
state : present
- name : If user doesn't define a sftp_password, create a disabled 'sftp' account
user :
name : sftp
comment : SFTP user to set custom web files and access servers export
shell : /bin/false
home : /home/sftp
group : sftp
password : '*'
update_password : always
when : sftp_password|length == 0
- name : If user defines sftp_password, enable account and set password on 'stfp' account
user :
name : sftp
comment : SFTP user to set custom web files and access servers export
shell : /bin/false
home : /home/sftp
group : sftp
password : "{{ sftp_password | password_hash('sha512') }}"
update_password : always
when : sftp_password|length > 0
- name : adding existing user 'sftp' to group matrix
user :
name : sftp
groups : matrix
append : yes
- name : Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
file :
path : /chroot
state : directory
owner : root
group : root
mode : '1755'
- name : Ensure /chroot/website location exists.
file :
path : /chroot/website
state : directory
owner : matrix
group : matrix
mode : '0574'
- name : Ensure /chroot/export location exists
file :
path : /chroot/export
state : directory
owner : sftp
group : sftp
mode : '0700'
- name : Ensure /home/sftp/.ssh location exists
file :
path : /home/sftp/.ssh
state : directory
owner : sftp
group : sftp
mode : '0700'
- name : Ensure /home/sftp/authorized_keys exists
file :
path : /home/sftp/.ssh/authorized_keys
state : touch
owner : sftp
group : sftp
mode : '0644'
- name : Clear authorized_keys file
shell : echo "" > /home/sftp/.ssh/authorized_keys
- name : Insert public SSH key into authorized_keys file
lineinfile :
path : /home/sftp/.ssh/authorized_keys
line : "{{ sftp_public_key }}"
owner : sftp
group : sftp
mode : '0644'
when : (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
- name : Alter SSH Subsystem State 1
lineinfile :
path : /etc/ssh/sshd_config
line : "Subsystem sftp /usr/lib/openssh/sftp-server"
state : absent
- name : Alter SSH Subsystem State 2
lineinfile :
path : /etc/ssh/sshd_config
insertafter : "^# override default of no subsystems"
line : "Subsystem sftp internal-sftp"
- name : Add SSH Match User section for disabled auth
blockinfile :
path : /etc/ssh/sshd_config
state : absent
block : |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when : sftp_auth_method == "Disabled"
- name : Add SSH Match User section for password auth
blockinfile :
path : /etc/ssh/sshd_config
state : present
block : |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
when : sftp_auth_method == "Password"
- name : Add SSH Match User section for publickey auth
blockinfile :
path : /etc/ssh/sshd_config
state : present
block : |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when : sftp_auth_method == "SSH Key"
- name : Restart service ssh.service
service :
name : ssh.service
state : restarted