diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
index 5093e0f92..3558071c2 100644
--- a/environments/template/group_vars/template.yml
+++ b/environments/template/group_vars/template.yml
@@ -82,130 +82,6 @@ tls_star_cert: star.{{ base_domain }}.pem tls_star_cert_key: star.{{ base_domain }}.key tls_ca: star.{{ base_domain }}_ca.pem -springboot_service_to_deploy: all -springboot_gui_services: - - name: manage - enabled: true - version: "{{ manage_gui_version }}" - - name: teams - enabled: true - version: "{{ teams_gui_version }}" - - name: pdp - enabled: true - version: "{{ pdp_gui_version }}" - - name: attribute-aggregation - enabled: true - version: "{{ attribute_aggregation_gui_version }}" - - name: dashboard - enabled: "{{ dashboard_install }}" - version: "{{ dashboard_gui_version | default('SNAPSHOT') }}" - - name: oidc-playground - enabled: true - version: "{{ oidc_playground_client_version }}" - role: oidc-playground-client - artifactid: oidc-playground-client - - name: myconext - enabled: true - version: "{{ myconext_gui_version }}" - - name: account - enabled: true - version: "{{ account_gui_version }}" - -springboot_server_services: - - name: manage - enabled: true - version: "{{ manage_server_version }}" - type: server - port: "{{ manage_springapp_tcpport }}" - config: - "{{ manage }}" - - name: oidcng - enabled: true - role: oidcng - version: "{{ oidcng_version }}" - artifactid: oidcng - port: 9195 - type: server - config: - "{{ oidcng }}" - - name: teams - enabled: true - version: "{{ teams_server_version }}" - min_heapsize: '256m' - max_heapsize: '256m' - type: server - port: 9197 - config: - "{{ teams }}" - - name: voot - enabled: true - version: "{{ voot_version }}" - min_heapsize: '128m' - max_heapsize: '128m' - role: voot - artifactid: voot-service - port: 9191 - type: server - config: - "{{ voot }}" - - name: pdp - enabled: true - version: "{{ pdp_server_version }}" - port: 9196 - type: server - config: - "{{ pdp }}" - - name: attribute-aggregation - enabled: true - min_heapsize: '256m' - max_heapsize: '256m' - version: "{{ attribute_aggregation_server_version }}" - type: server - port: 9198 - - name: dashboard - enabled: "{{ 
dashboard_install }}" - version: "{{ dashboard_server_version | default('SNAPSHOT') }}" - type: server - port: 9394 - - name: oidc-playground - enabled: true - min_heapsize: '256m' - max_heapsize: '256m' - version: "{{ oidc_playground_server_version }}" - type: server - port: 9399 - config: - "{{ oidc_playground }}" - - name: myconext - enabled: true - version: "{{ myconext_server_version }}" - type: server - port: 9189 - config: - "{{ myconext }}" - - name: mujina-sp - enabled: true - min_heapsize: '128m' - max_heapsize: '128m' - version: "{{ mujina_version }}" - role: mujina-sp - artifactid: mujina-sp - type: server - port: 9391 - config: - "{{ mujina_sp }}" - - name: mujina-idp - enabled: true - min_heapsize: '128m' - max_heapsize: '128m' - version: "{{ mujina_version }}" - role: mujina-idp - artifactid: mujina-idp - type: server - port: 9390 - config: - "{{ mujina_idp }}" - # Value for the isMemberOf attribute for users from IdPs that are marked as 'guest'. guest_qualifier: "urn:collab:org:{{ base_domain }}" @@ -232,34 +108,6 @@ profile_apache_symfony_environment: prod # Engine's assertion signing certificate: engine_profile_idp_certificate: /etc/openconext/engineblock.crt -# shibboleth -shibboleth_apps: - teams: - entityID: "https://teams.{{ base_domain }}/shibboleth" - baseurl: "" - pdp: - entityID: "https://pdp.{{ base_domain }}/shibboleth" - baseurl: "" - "attribute-aggregation": - entityID: "https://aa.{{ base_domain }}/shibboleth" - baseurl: "" - "attribute-aggregation-link": - entityID: "https://link.{{ base_domain }}/shibboleth" - baseurl: "" - "manage": - entityID: "https://manage.{{ base_domain }}/shibboleth" - baseurl: "" - "myconext": - entityID: "https://my.{{ base_domain }}/shibboleth" - baseurl: "" - "dashboard": - entityID: "https://dashboard.{{ base_domain }}/shibboleth" - baseurl: "" - -shib: - db_host: "{{ mariadb_host }}" -shibboleth_database_backend: false - teams: db_name: "teams" db_user: "teamsrw" 
@@ -574,35 +422,35 @@ haproxy_applications: ha_method: "GET" ha_url: "/health" port: "{{ loadbalancing.engine.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: profile vhost_name: profile.{{ base_domain }} ha_method: "HEAD" ha_url: "/health" port: "{{ loadbalancing.profile.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: static vhost_name: static.{{ base_domain }} ha_method: "HEAD" ha_url: "/media/alive.txt" port: "{{ loadbalancing.static.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: metadata vhost_name: metadata.{{ base_domain }} ha_method: "HEAD" ha_url: "/alive.txt" port: "{{ loadbalancing.metadata.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: engine_api vhost_name: engine-api.{{ base_domain }} ha_method: "GET" ha_url: "/health" port: "{{ loadbalancing.engine_api.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" restricted: yes - name: teams 
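Review bot: The rewritten `servers` values are spelled `"{{docker_servers}}"` without the inner spaces that every other Jinja expression in this file uses (`"{{ loadbalancing.engine.port }}"`); the old `php_servers` lines had the same spelling, but since each line is replaced anyway, `servers: "{{ docker_servers }}"` keeps the file consistent with yamllint/ansible-lint defaults. The same applies to the `-610,105` hunk of this file and to the `-483,154` hunk of environments/vm/group_vars/vm.yml. Collapsing `php_servers` and `java_servers` into one list also means every entry, including the `restricted: yes` engine_api backend at the end of this hunk, is now distinguished only by its `loadbalancing.<app>.port`, so any environment that previously kept the two stacks on different hosts now needs those ports to be unique across both sets; a short comment on `docker_servers` stating that assumption would help. The `haproxy_applications` list begins before this hunk.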
@@ -610,105 +458,105 @@ haproxy_applications: ha_method: "GET" ha_url: "/api/teams/health" port: "{{ loadbalancing.teams.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: oidc_playground vhost_name: "oidc-playground.{{ base_domain }}" ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.oidc_playground.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: voot vhost_name: voot.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.voot.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: pdp vhost_name: pdp.{{ base_domain }} ha_method: "GET" ha_url: "/pdp/api/health" port: "{{ loadbalancing.pdp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: aa vhost_name: aa.{{ base_domain }} ha_method: "GET" ha_url: "/aa/api/health" port: "{{ loadbalancing.aa.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: link vhost_name: link.{{ base_domain }} ha_method: "GET" ha_url: "/aa/api/health" port: "{{ loadbalancing.aa.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: manage vhost_name: manage.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.manage.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: mujina-sp vhost_name: mujina-sp.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.mujina_sp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: mujina-idp vhost_name: mujina-idp.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.mujina_idp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: welcome vhost_name: welcome.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.welcome.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: oidcng vhost_name: connect.{{ base_domain }} 
ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.oidcng.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: myconext vhost_name: my.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.myconext.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: account vhost_name: account.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.account.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: eduid vhost_name: eduid.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.eduid.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: dashboard vhost_name: dashboard.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.dashboard.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" haproxy_backend_tls: False @@ -728,27 +576,8 @@ haproxy_sni_ip_restricted: key_content: "{{ https_star_private_key }}" crt_name: star.{{ base_domain }}.pem -php_servers: - - { ip: "127.0.0.1", label: "php"} - -java_servers: - - { ip: "127.0.0.1", label: "java"} +docker_servers: + - { ip: "127.0.0.1", label: "docker"} iptables_enable: false dashboard_install: false - -springboot_services_state: - manage: true - teams: true - pdp: true - attribute_aggregation: true - oidc_playground: true - myconext: true - account: true - eduid: true - oidcng: true - voot: true - mujina_sp: true - mujina_idp: true - dashboard: false - diff --git a/environments/template/host_vars/template.yml b/environments/template/host_vars/template.yml index 6f6db93ac..cb6a621aa 100644 --- a/environments/template/host_vars/template.yml +++ b/environments/template/host_vars/template.yml 
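Review bot: `dashboard_install: false` is kept two lines below the new `docker_servers` entry, but the only readers of it visible in this diff, the `enabled: "{{ dashboard_install }}"` items of `springboot_gui_services` and `springboot_server_services`, are deleted in the `-82,130` hunk of this file, so unless another role consumes it this is now dead configuration and should go with the removed `springboot_services_state` block. The new flow mapping copies the uneven spacing of the lines it replaces, `{ ip: "127.0.0.1", label: "docker"}`; `- { ip: "127.0.0.1", label: "docker" }` (or block style) is what yamllint/Prettier produce, and the same applies to the `-642,26` hunk of environments/vm/group_vars/vm.yml. Since the httpd role whose `Create SSL key`/`Create SSL certificate` tasks were the only backend-certificate provisioning in this diff is deleted, `haproxy_backend_tls: False` at the end of the previous hunk appears to be the only mode the remaining configuration supports, i.e. HAProxy reaches every `docker_servers` entry in plaintext; that is unchanged for this environment, but a one-line comment on `docker_servers` saying where TLS towards the containers is (or is not) terminated would save the next reader the search.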
@@ -1,22 +1,2 @@ myconext_cronjobmaster: false -apache_app_listen_address: - welcome: 127.0.0.1 - engine: 127.0.0.1 - engine_api: 127.0.0.1 - profile: 127.0.0.1 - mujina_idp: 127.0.0.1 - mujina_sp: 127.0.0.1 - static: 127.0.0.1 - metadata: 127.0.0.1 - oidc_playground: 127.0.0.1 - teams: 127.0.0.1 - voot: 127.0.0.1 - pdp: 127.0.0.1 - oidcng: 127.0.0.1 - aa: 127.0.0.1 - manage: 127.0.0.1 - myconext: 127.0.0.1 - account: 127.0.0.1 - eduid: 127.0.0.1 - mongo_replication_role: primary diff --git a/environments/template/inventory b/environments/template/inventory index 3a070aed8..b0289ff55 100644 --- a/environments/template/inventory +++ b/environments/template/inventory @@ -1,18 +1,6 @@ [storage] %target_host% -[java_apps] -%target_host% - -[java_apps_vm] -%target_host% - -[java_apps_common] -%target_host% - -[php_apps] -%target_host% - [mongo_servers] %target_host% @@ -24,9 +12,6 @@ [%env%:children] storage -java_apps -java_apps_vm -php_apps mongo_servers selfsigned_certs sysloghost @@ -34,7 +19,6 @@ loadbalancer_ha loadbalancer elk lifecycle -oidc dbcluster dbcluster_nodes stats @@ -43,18 +27,12 @@ stats [loadbalancer_ha] [elk] [lifecycle] -[oidc] [dbcluster] [dbcluster_nodes] [stats] -[php_apps_vm] - -# Overview of "services" [base:children] loadbalancer -php_apps -java_apps storage dbcluster sysloghost @@ -66,9 +44,6 @@ selfsigned_certs loadbalancer_ha [frontend:children] -php_apps_vm -java_apps_vm -oidc lifecycle [db_mysql:children] @@ -77,16 +52,7 @@ dbcluster dbcluster_nodes [app_php:children] -php_apps -php_apps_vm lifecycle -[app_java:children] -java_apps -java_apps_vm - -[app_oidc:children] -oidc - [local] localhost ansible_connection=local diff --git a/environments/template/playbook.yml b/environments/template/playbook.yml deleted file mode 100644 index d58eb1f64..000000000 --- a/environments/template/playbook.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- hosts: php-apps - 
diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 1ed11a8a1..3c8bfd03d 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -120,35 +120,6 @@ profile_apache_symfony_environment: prod # Engine's assertion signing certificate (fixme: make variable?): engine_profile_idp_certificate: /etc/openconext/engineblock.crt -# shibboleth -shibboleth_apps: - teams: - entityID: "https://teams.{{ base_domain }}/shibboleth" - baseurl: "" - pdp: - entityID: "https://pdp.{{ base_domain }}/shibboleth" - baseurl: "" - "attribute-aggregation": - entityID: "https://aa.{{ base_domain }}/shibboleth" - baseurl: "" - "attribute-aggregation-link": - entityID: "https://link.{{ base_domain }}/shibboleth" - baseurl: "" - "manage": - entityID: "https://manage.{{ base_domain }}/shibboleth" - baseurl: "" - "myconext": - entityID: "https://my.{{ base_domain }}/shibboleth" - baseurl: "" - "dashboard": - entityID: "https://dashboard.{{ base_domain }}/shibboleth" - baseurl: "" - -shib: - db_host: "127.0.0.1" -shibboleth_database_backend: true - - ## # VM config for the teams app ## 
@@ -483,154 +454,154 @@ haproxy_applications: ha_method: "GET" ha_url: "/health" port: "{{ loadbalancing.engine.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: profile vhost_name: profile.{{ base_domain }} ha_method: "HEAD" ha_url: "/health" port: "{{ loadbalancing.profile.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: static vhost_name: static.{{ base_domain }} ha_method: "HEAD" ha_url: "/media/alive.txt" port: "{{ loadbalancing.static.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: engine_api vhost_name: engine-api.{{ base_domain }} ha_method: "GET" ha_url: "/health" port: "{{ loadbalancing.engine_api.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: metadata vhost_name: metadata.{{ base_domain }} ha_method: "HEAD" ha_url: "/alive.txt" port: "{{ loadbalancing.metadata.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: teams vhost_name: teams.{{ base_domain }} ha_method: GET ha_url: "/api/teams/health" port: "{{ loadbalancing.teams.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: oidc_playground vhost_name: "oidc-playground.{{base_domain }}" ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.oidc_playground.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: voot vhost_name: voot.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.voot.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: pdp vhost_name: pdp.{{ base_domain }} ha_method: "GET" ha_url: "/pdp/api/health" port: "{{ loadbalancing.pdp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: aa vhost_name: aa.{{ base_domain }} ha_method: "GET" ha_url: "/aa/api/health" port: "{{ loadbalancing.aa.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: link vhost_name: link.{{ base_domain 
}} ha_method: "GET" ha_url: "/aa/api/health" port: "{{ loadbalancing.aa.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: manage vhost_name: manage.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.manage.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: oidcng vhost_name: connect.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.oidcng.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: myconext vhost_name: my.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.myconext.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: account vhost_name: account.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.account.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: eduid vhost_name: eduid.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.eduid.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: mujina-sp vhost_name: mujina-sp.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.mujina_sp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: mujina-idp vhost_name: mujina-idp.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.mujina_idp.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" - name: welcome vhost_name: welcome.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.welcome.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: kibana vhost_name: kibana.{{ base_domain }} ha_method: "GET" ha_url: "/" port: "{{ loadbalancing.kibana.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: stats vhost_name: stats.{{ base_domain }} ha_method: "GET" ha_url: "/health" port: "{{ 
loadbalancing.stats.port }}" - servers: "{{php_servers}}" + servers: "{{docker_servers}}" - name: dashboard vhost_name: dashboard.{{ base_domain }} ha_method: "GET" ha_url: "/internal/health" port: "{{ loadbalancing.dashboard.port }}" - servers: "{{java_servers}}" + servers: "{{docker_servers}}" haproxy_sni_ip: ipv4: 192.168.66.98 @@ -642,26 +613,8 @@ haproxy_sni_ip: haproxy_backend_tls: False -php_servers: - - { ip: "192.168.66.99", label: "phpapps"} - -java_servers: - - { ip: "192.168.66.99", label: "javapps"} +docker_servers: + - { ip: "192.168.66.99", label: "docker"} dashboard_install: false iptables_enable: False - -springboot_services_state: - manage: true - teams: true - pdp: true - attribute_aggregation: true - oidc_playground: true - myconext: false - account: false - eduid: false - oidcng: true - voot: true - mujina_sp: true - mujina_idp: true - dashboard: false diff --git a/environments/vm/host_vars/192.168.66.79.yml b/environments/vm/host_vars/192.168.66.79.yml deleted file mode 100644 index e39d3ead0..000000000 --- a/environments/vm/host_vars/192.168.66.79.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apache_app_listen_address: - engine: 192.168.66.79 - engine_api: 192.168.66.79 - profile: 192.168.66.79 - oidc_playground: 192.168.66.79 - mujina_idp: 192.168.66.79 - mujina_sp: 192.168.66.79 - static: 192.168.66.79 - teams: 192.168.66.79 - voot: 192.168.66.79 - pdp: 192.168.66.79 - aa: 192.168.66.79 - welcome: 192.168.66.79 - oidcng: 192.168.66.79 - myconext: 192.168.66.79 - account: 192.168.66.79 - eduid: 192.168.66.79 diff --git a/environments/vm/host_vars/192.168.66.99.yml b/environments/vm/host_vars/192.168.66.99.yml index 8e5dbc297..6a02f2387 100644 --- a/environments/vm/host_vars/192.168.66.99.yml +++ b/environments/vm/host_vars/192.168.66.99.yml 
@@ -1,24 +1,2 @@ --- -apache_app_listen_address: - engine: 192.168.66.99 - engine_api: 192.168.66.99 - profile: 192.168.66.99 - oidc_playground: 192.168.66.99 - mujina_idp: 192.168.66.99 - mujina_sp: 192.168.66.99 - static: 192.168.66.99 - teams: 192.168.66.99 - voot: 192.168.66.99 - pdp: 192.168.66.99 - welcome: 192.168.66.99 - oidcng: 192.168.66.99 - aa: 192.168.66.99 - metadata: 192.168.66.99 - manage: 192.168.66.99 - kibana: 192.168.66.99 - stats: 192.168.66.99 - myconext: 192.168.66.99 - account: 192.168.66.99 - eduid: 192.168.66.99 - mongo_replication_role: primary diff --git a/environments/vm/inventory b/environments/vm/inventory index 04f146e50..2b02ad8bf 100644 --- a/environments/vm/inventory +++ b/environments/vm/inventory @@ -7,21 +7,6 @@ [storage_vm:children] storage -[java_apps] -192.168.66.99 ansible_ssh_private_key_file=./.vagrant/machines/apps_centos7/virtualbox/private_key - -[java_apps_common] -192.168.66.99 ansible_ssh_private_key_file=./.vagrant/machines/apps_centos7/virtualbox/private_key - -[java_apps_vm:children] -java_apps - -[php_apps] -192.168.66.99 ansible_ssh_private_key_file=./.vagrant/machines/apps_centos7/virtualbox/private_key - -[php_apps_vm:children] -php_apps - [mongo_servers] 192.168.66.99 ansible_ssh_private_key_file=./.vagrant/machines/apps_centos7/virtualbox/private_key @@ -37,8 +22,6 @@ php_apps [vm:children] storage -java_apps_vm -php_apps mongo_servers logstash selfsigned_certs @@ -47,7 +30,6 @@ loadbalancer_ha loadbalancer elk lifecycle -oidc dbcluster dbcluster_nodes stats @@ -56,7 +38,6 @@ stats [loadbalancer_ha] [elk] [lifecycle] -[oidc] [dbcluster] [dbcluster_nodes] [stats] @@ -65,8 +46,6 @@ stats [base:children] loadbalancer -php_apps -java_apps storage dbcluster sysloghost 
@@ -78,24 +57,9 @@ selfsigned_certs loadbalancer_ha [frontend:children] -php_apps_vm -java_apps_vm -oidc lifecycle [db_mysql:children] storage dbcluster dbcluster_nodes - -[app_php:children] -php_apps -php_apps_vm -lifecycle - -[app_java:children] -java_apps -java_apps_vm - -[app_oidc:children] -oidc diff --git a/environments/vm/playbook.yml b/environments/vm/playbook.yml deleted file mode 100644 index d58eb1f64..000000000 --- a/environments/vm/playbook.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- hosts: php-apps - diff --git a/provision.yml b/provision.yml index d4304c82c..a13670de3 100644 --- a/provision.yml +++ b/provision.yml @@ -25,20 +25,6 @@ - use_selfsigned_certs tags: ['core', 'base', 'selfsigned_certs'] -- hosts: frontend - become: true - roles: - - role: hosts - when: - - update_hosts_file - tags: ['core', 'frontend', 'hosts'] - - role: httpd - tags: ['core', 'frontend', 'httpd'] - - role: welcome - when: - - use_welcome_role - tags: ['core', 'frontend', 'welcome'] - - hosts: loadbalancer gather_facts: true become: true @@ -82,38 +68,6 @@ - role: mongo tags: ['core', 'mongo'] -- hosts: app_java - gather_facts: true - become: true - roles: - - role: java - tags: ['core', 'app_java', 'java'] - - role: shibboleth - tags: ['core', 'app_java', 'shib'] - handlers: - - import_tasks: roles/httpd/handlers/main.yml - -# run -t springboot -e springboot_service_to_deploy=manage,voot to only install -# the manage and voot app. Both GUI as servers will be installed. -- hosts: java_apps - become: true - roles: - - { role: springboot, tags: ['core', 'springboot'] } - - handlers: - - import_tasks: roles/httpd/handlers/main.yml - -- hosts: app_php - gather_facts: no - become: true - roles: - - role: profile - when: - - inventory_hostname not in groups['lifecycle'] - tags: ['core', 'app_php', 'profile'] - handlers: - - import_tasks: roles/httpd/handlers/main.yml - - hosts: elk gather_facts: true become: true 
@@ -127,8 +81,6 @@ roles: - role: influxdb tags: ['influxdb' ] - handlers: - - include_tasks: roles/httpd/handlers/main.yml - hosts: stepuppapp become: true diff --git a/roles/account-gui/defaults/main.yml b/roles/account-gui/defaults/main.yml deleted file mode 100644 index 860617ec9..000000000 --- a/roles/account-gui/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -account_gui_version: '' -account_gui_snapshot_timestamp: '' -account_install: true diff --git a/roles/account-gui/handlers/main.yml b/roles/account-gui/handlers/main.yml deleted file mode 100644 index a45857dd2..000000000 --- a/roles/account-gui/handlers/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: restart httpd - service: - name: httpd - state: restarted - -- name: reload httpd - service: - name: httpd - state: reloaded - -- name: restart iptables - service: - name: iptables - state: restarted diff --git a/roles/account-gui/meta/main.yml b/roles/account-gui/meta/main.yml deleted file mode 100644 index 73b314ff7..000000000 --- a/roles/account-gui/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- \ No newline at end of file diff --git a/roles/account-gui/tasks/main.yml b/roles/account-gui/tasks/main.yml deleted file mode 100644 index afeb84290..000000000 --- a/roles/account-gui/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: copy virtual host config - template: - src: account.conf.j2 - dest: /etc/httpd/conf.d/account.conf - notify: reload httpd diff --git a/roles/account-gui/templates/account.conf.j2 b/roles/account-gui/templates/account.conf.j2 deleted file mode 100644 index 67a874bf9..000000000 --- a/roles/account-gui/templates/account.conf.j2 +++ /dev/null 
@@ -1,92 +0,0 @@ -{% if apache_app_listen_address.account is defined %} -Listen {{ apache_app_listen_address.account }}:{{ loadbalancing.account.port }} - -{% else %} - -{% endif %} - # General setup for the virtual host, inherited from global configuration - ServerName https://login.{{ myconext_base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-account'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-account'" combined - - RewriteEngine on - - {% for links in myconext.links %} - RewriteRule "^/{{ links.name }}(/|$)" "{{ links.url }}" [R,L] - {% endfor %} - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/myconext - RewriteCond %{REQUEST_URI} !^/mobile - RewriteCond %{REQUEST_URI} !^/tiqr - RewriteCond %{REQUEST_URI} !^/config - RewriteCond %{REQUEST_URI} !^/register - RewriteCond %{REQUEST_URI} !^/doLogin - RewriteCond %{REQUEST_URI} !^/doLogout - RewriteCond %{REQUEST_URI} !^/create-from-institution-login - RewriteCond %{REQUEST_URI} !^/saml - RewriteCond %{REQUEST_URI} !^/actuator - RewriteCond %{REQUEST_URI} !^/internal - RewriteCond %{REQUEST_URI} !^/fonts - RewriteCond %{REQUEST_URI} !^/.well-known - RewriteRule (.*) /index.html [L] - - ProxyPreserveHost On - ProxyPass /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api retry=0 - ProxyPassReverse /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api - - ProxyPass /mobile http://localhost:{{ springapp_tcpport }}/mobile retry=0 - ProxyPassReverse /mobile http://localhost:{{ springapp_tcpport }}/mobile - - ProxyPass /tiqr http://localhost:{{ springapp_tcpport 
}}/tiqr retry=0 - ProxyPassReverse /tiqr http://localhost:{{ springapp_tcpport }}/tiqr - - ProxyPass /saml/guest-idp http://localhost:{{ springapp_tcpport }}/saml/guest-idp retry=0 - ProxyPassReverse /saml/guest-idp http://localhost:{{ springapp_tcpport }}/saml/guest-idp - - ProxyPass /actuator http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPass /config http://localhost:{{ springapp_tcpport }}/config retry=0 - ProxyPass /register http://localhost:{{ springapp_tcpport }}/register retry=0 - ProxyPass /doLogin http://localhost:{{ springapp_tcpport }}/doLogin retry=0 - ProxyPass /doLogout http://localhost:{{ springapp_tcpport }}/doLogout retry=0 - ProxyPass /create-from-institution-login http://localhost:{{ springapp_tcpport }}/create-from-institution-login retry=0 - - DocumentRoot "{{ _springapp_dir }}/current" - - - Require all granted - Options -Indexes - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img_for_idp }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "same-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - diff --git a/roles/account-gui/vars/main.yml b/roles/account-gui/vars/main.yml deleted file mode 100644 index 99fb575c4..000000000 --- a/roles/account-gui/vars/main.yml +++ /dev/null 
@@ -1,4 +0,0 @@
----
-springapp_tcpport: 9189
-springapp_artifact_id: account-gui
-springapp_version: "{{ account_gui_version }}"
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
deleted file mode 100644
index 1e0e77ae6..000000000
--- a/roles/httpd/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-haproxy_backend_tls: false
diff --git a/roles/httpd/files/00-base.conf b/roles/httpd/files/00-base.conf
deleted file mode 100644
index 557879401..000000000
--- a/roles/httpd/files/00-base.conf
+++ /dev/null
@@ -1,77 +0,0 @@
-#
-# This file loads most of the modules included with the Apache HTTP
-# Server itself.
-#
-
-LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule alias_module modules/mod_alias.so
-LoadModule allowmethods_module modules/mod_allowmethods.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-#LoadModule auth_digest_module modules/mod_auth_digest.so
-#LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_core_module modules/mod_authn_core.so
-#LoadModule authn_dbd_module modules/mod_authn_dbd.so
-#LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_socache_module modules/mod_authn_socache.so
-LoadModule authz_core_module modules/mod_authz_core.so
-#LoadModule authz_dbd_module modules/mod_authz_dbd.so
-#LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule autoindex_module modules/mod_autoindex.so
-#LoadModule cache_module modules/mod_cache.so
-#LoadModule cache_disk_module modules/mod_cache_disk.so
-#LoadModule data_module modules/mod_data.so
-#LoadModule dbd_module modules/mod_dbd.so
-LoadModule deflate_module modules/mod_deflate.so
-LoadModule dir_module modules/mod_dir.so
-LoadModule dumpio_module modules/mod_dumpio.so
-LoadModule echo_module modules/mod_echo.so
-LoadModule env_module modules/mod_env.so
-LoadModule expires_module modules/mod_expires.so
-#LoadModule ext_filter_module modules/mod_ext_filter.so
-#LoadModule filter_module modules/mod_filter.so
-LoadModule headers_module modules/mod_headers.so
-#LoadModule include_module modules/mod_include.so
-LoadModule info_module modules/mod_info.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule logio_module modules/mod_logio.so
-#LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule mime_module modules/mod_mime.so
-LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule remoteip_module modules/mod_remoteip.so
-LoadModule reqtimeout_module modules/mod_reqtimeout.so
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
-LoadModule socache_dbm_module modules/mod_socache_dbm.so
-LoadModule socache_memcache_module modules/mod_socache_memcache.so
-LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-#LoadModule status_module modules/mod_status.so
-#LoadModule substitute_module modules/mod_substitute.so
-#LoadModule suexec_module modules/mod_suexec.so
-LoadModule unique_id_module modules/mod_unique_id.so
-LoadModule unixd_module modules/mod_unixd.so
-#LoadModule userdir_module modules/mod_userdir.so
-LoadModule version_module modules/mod_version.so
-LoadModule vhost_alias_module modules/mod_vhost_alias.so
-
-#LoadModule buffer_module modules/mod_buffer.so
-#LoadModule watchdog_module modules/mod_watchdog.so
-#LoadModule heartbeat_module modules/mod_heartbeat.so
-#LoadModule heartmonitor_module modules/mod_heartmonitor.so
-#LoadModule usertrack_module modules/mod_usertrack.so
-#LoadModule dialup_module modules/mod_dialup.so
-#LoadModule charset_lite_module modules/mod_charset_lite.so
-#LoadModule log_debug_module modules/mod_log_debug.so
-#LoadModule ratelimit_module modules/mod_ratelimit.so
-#LoadModule reflector_module modules/mod_reflector.so
-#LoadModule request_module modules/mod_request.so
-#LoadModule sed_module modules/mod_sed.so
-#LoadModule speling_module modules/mod_speling.so
-
diff --git a/roles/httpd/files/00-dav.conf b/roles/httpd/files/00-dav.conf
deleted file mode 100644
index 8130f211a..000000000
--- a/roles/httpd/files/00-dav.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-#LoadModule dav_module modules/mod_dav.so
-#LoadModule dav_fs_module modules/mod_dav_fs.so
-#LoadModule dav_lock_module modules/mod_dav_lock.so
diff --git a/roles/httpd/files/00-lua.conf b/roles/httpd/files/00-lua.conf
deleted file mode 100644
index 26a59ead9..000000000
--- a/roles/httpd/files/00-lua.conf
+++ /dev/null
@@ -1 +0,0 @@
-#LoadModule lua_module modules/mod_lua.so
diff --git a/roles/httpd/files/00-proxy.conf b/roles/httpd/files/00-proxy.conf
deleted file mode 100644
index 2991f20fd..000000000
--- a/roles/httpd/files/00-proxy.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# This file configures all the proxy modules:
-LoadModule proxy_module modules/mod_proxy.so
-#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
-#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
-#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
-#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
-LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-LoadModule proxy_connect_module modules/mod_proxy_connect.so
-LoadModule proxy_express_module modules/mod_proxy_express.so
-LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
-LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
-#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
-#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/roles/httpd/files/ssl_backend.conf b/roles/httpd/files/ssl_backend.conf
deleted file mode 100644
index 18f7c33e6..000000000
--- a/roles/httpd/files/ssl_backend.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# SSL-settings included in vhosts when used as haproxy backend
-
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-SSLHonorCipherOrder on
-SSLCompression off
diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml
deleted file mode 100644
index a45857dd2..000000000
--- a/roles/httpd/handlers/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: restart httpd
- service:
- name: httpd
- state: restarted
-
-- name: reload httpd
- service:
- name: httpd
- state: reloaded
-
-- name: restart iptables
- service:
- name: iptables
- state: restarted
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
deleted file mode 100644
index 4bcf01f1d..000000000
--- a/roles/httpd/tasks/main.yml
+++ /dev/null
@@ -1,107 +0,0 @@
----
-- name: Install httpd and required modules
- yum:
- name:
- - httpd
- - mod_ssl
- state: present
- register: httpd_httpd_installed
- until: httpd_httpd_installed is succeeded
-
-- name: Copy default config files
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- tags: httpd
- with_items:
- - src: 01_default.conf.j2
- dest: /etc/httpd/conf.d/01_default.conf
- - src: httpd.conf_httpd24.j2
- dest: /etc/httpd/conf/httpd.conf
- notify:
- - "reload httpd"
-
-- name: Stop listening on port 443
- lineinfile:
- dest: /etc/httpd/conf.d/ssl.conf
- state: absent
- regexp: "Listen 443*"
-
-- name: Create empty welcome.conf and userdir.conf
- copy:
- content: ""
- dest: "/etc/httpd/conf.d/{{ item }}"
- with_items:
- - welcome.conf
- - userdir.conf
- - autoindex.conf
- notify:
- - "reload httpd"
-
-- name: Copy include files
- copy:
- src: "{{ item.src }}"
- dest: "/etc/httpd/{{ item.dest }}"
- with_items:
- - src: ssl_backend.conf
- dest: ssl_backend.conf
- - src: 00-base.conf
- dest: conf.modules.d/00-base.conf
- - src: 00-dav.conf
- dest: conf.modules.d/00-dav.conf
- - src: 00-lua.conf
- dest: conf.modules.d/00-lua.conf
- - src: 00-proxy.conf
- dest: conf.modules.d/00-proxy.conf
- notify:
- - "reload httpd"
-
-- name: Remove default /var/www folders
- file:
- path: "/var/www/{{ item }}"
- state: absent
- with_items:
- - cgi-bin
- - error
- - html
- - icons
-
-- name: Create SSL key
- copy:
- content: "{{ backend_tls_key }}"
- dest: "{{ tls.cert_private_path }}/backend.{{ base_domain }}.key"
- mode: 0600
- owner: root
- when:
- - haproxy_backend_tls | bool
-
-- name: Create SSL certificate
- copy:
- src: "{{ inventory_dir }}/files/certs/backend.{{ base_domain }}.pem"
- dest: "{{ tls.cert_path }}/backend.{{ base_domain}}.pem"
- when:
- - haproxy_backend_tls | bool
-
-#- name: Create SSL files
-# copy:
-# content: "{{ item.content }}"
-# dest: "{{ item.dest }}"
-# mode: "{{ item.mode | default(0644) }}"
-# owner: root
-# with_items:
-# -
content: "{{ backend_tls_key }}"
-# dest: "{{ tls.cert_private_path }}/backend.{{ base_domain }}.key"
-# mode: "0600"
-# - content: "{{ inventory_dir }}/files/certs/backend.{{ base_domain }}.pem"
-# dest: "{{ tls.cert_path }}/backend.{{ base_domain}}.pem"
-# no_log: true
-# when:
-# - haproxy_backend_tls | bool
-
-- name: enable httpd
- service:
- name: "{{ item }}"
- enabled: yes
- state: started
- with_items:
- - httpd
diff --git a/roles/httpd/templates/01_default.conf.j2 b/roles/httpd/templates/01_default.conf.j2
deleted file mode 100644
index ac5ec02de..000000000
--- a/roles/httpd/templates/01_default.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-UseCanonicalName On
-
-TraceEnable Off
-ServerTokens Prod
-
-RewriteEngine On
-RewriteCond %{HTTPS} off
-RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
-
-{% if apache_app_listen_address.all is defined %}
-# listen to the HTTPS port only
-Listen *:443
-{% else %}
-# we need an initial dummy port, or apache won't start when it's first installed
-Listen 127.0.0.1:9876
-{% endif %}
\ No newline at end of file
diff --git a/roles/httpd/templates/httpd.conf_httpd24.j2 b/roles/httpd/templates/httpd.conf_httpd24.j2
deleted file mode 100644
index 69794c0d2..000000000
--- a/roles/httpd/templates/httpd.conf_httpd24.j2
+++ /dev/null
@@ -1,348 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "/etc/httpd" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -#Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. 
-# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. -# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -Include conf.modules.d/*.conf - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin {{ admin_email }} - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. -# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. 
-# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "/var/www/" - -# -# Relax access to content within /var/www. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options -Indexes - Options FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - - # - # UserDir is disabled by default since it can confirm the presence - # of a username on the system (depending on home directory - # permissions). - # - UserDir disabled - - # - # To enable requests to /~user/ to serve the user's public_html - # directory, remove the "UserDir disabled" line above, and uncomment - # the following line instead: - # - #UserDir public_html - - - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. 
-# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "logs/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "logs/access_log" combined - - - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. 
Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - AddType font/woff2 .woff2 - AddType image/x-icon .ico - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) - # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 -AddCharset UTF-8 .css -AddCharset UTF-8 .js - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." 
-#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off - -{% if develop %} -# Disable sendfile for development as modified assets such as JavaScript and CSS will be sent incorrectly -EnableSendfile Off -{% else %} -EnableSendfile On -{% endif %} - -ServerSignature Off - -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional conf.d/*.conf diff --git a/roles/java/tasks/main.yml b/roles/java/tasks/main.yml deleted file mode 100644 index 7ed92616f..000000000 --- a/roles/java/tasks/main.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: set timezone for java apps that may be started on the commandline - template: - src: "jdk-timezone.sh.j2" - dest: "/etc/profile.d/jdk-timezone.sh" - owner: root - group: root - mode: 0644 - -- name: Install java - yum: - name: - - java-11-openjdk-headless.x86_64 - state: present - register: java_package_java_installed - until: java_package_java_installed is succeeded - tags: - - java - -- name: Uninstall once used Java versions - yum: - name: - - java-1.7.0-openjdk - - java-1.7.0-openjdk-headless - - java-1.8.0-openjdk - - java-1.8.0-openjdk-headless - - java-1.8.0-openjdk-devel.x86_64 - state: absent - tags: - - java diff --git a/roles/java/templates/jdk-timezone.sh.j2 b/roles/java/templates/jdk-timezone.sh.j2 deleted file mode 100644 index 4b521d8c6..000000000 --- a/roles/java/templates/jdk-timezone.sh.j2 +++ /dev/null @@ -1 +0,0 @@ -export TZ="{{ timezone }}" 
diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml
deleted file mode 100644
index 0073f178d..000000000
--- a/roles/php/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-php_opcode_validate_timestamps: 0
diff --git a/roles/php/files/RPM-GPG-KEY-remi b/roles/php/files/RPM-GPG-KEY-remi
deleted file mode 100644
index 328338606..000000000
--- a/roles/php/files/RPM-GPG-KEY-remi
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.7 (GNU/Linux)
-
-mQGiBEJny1wRBACRnbQgZ6qLmJSuGvi/EwrRL6aW610BbdpLQRL3dnwy5wI5t9T3
-/JEiEJ7GTvAwfiisEHifMfk2sRlWRf2EDQFttHyrrYXfY5L6UAF2IxixK5FL7PWA
-/2a7tkw1IbCbt4IGG0aZJ6/xgQejrOLi4ewniqWuXCc+tLuWBZrGpE2QfwCggZ+L
-0e6KPTHMP97T4xV81e3Ba5MD/3NwOQh0pVvZlW66Em8IJnBgM+eQh7pl4xq7nVOh
-dEMJwVU0wDRKkXqQVghOxALOSAMapj5mDppEDzGLZHZNSRcvGEs2iPwo9vmY+Qhp
-AyEBzE4blNR8pwPtAwL0W3cBKUx7ZhqmHr2FbNGYNO/hP4tO2ochCn5CxSwAfN1B
-Qs5pBACOkTZMNC7CLsSUT5P4+64t04x/STlAFczEBcJBLF1T16oItDITJmAsPxbY
-iee6JRfXmZKqmDP04fRdboWMcRjfDfCciSdIeGqP7vMcO25bDZB6x6++fOcmQpyD
-1Fag3ZUq2yojgXWqVrgFHs/HB3QE7UQkykNp1fjQGbKK+5mWTrQkUmVtaSBDb2xs
-ZXQgPFJQTVNARmFtaWxsZUNvbGxldC5jb20+iGAEExECACAFAkZ+MYoCGwMGCwkI
-BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAATm9HAPl/Vv/UAJ9EL8ioMTsz/2EPbNuQ
-MP5Xx/qPLACeK5rk2hb8VFubnEsbVxnxfxatGZ25AQ0EQmfLXRAEANwGvY+mIZzj
-C1L5Nm2LbSGZNTN3NMbPFoqlMfmym8XFDXbdqjAHutGYEZH/PxRI6GC8YW5YK4E0
-HoBAH0b0F97JQEkKquahCakj0P5mGuH6Q8gDOfi6pHimnsSAGf+D+6ZwAn8bHnAa
-o+HVmEITYi6s+Csrs+saYUcjhu9zhyBfAAMFA/9Rmfj9/URdHfD1u0RXuvFCaeOw
-CYfH2/nvkx+bAcSIcbVm+tShA66ybdZ/gNnkFQKyGD9O8unSXqiELGcP8pcHTHsv
-JzdD1k8DhdFNhux/WPRwbo/es6QcpIPa2JPjBCzfOTn9GXVdT4pn5tLG2gHayudK
-8Sj1OI2vqGLMQzhxw4hJBBgRAgAJBQJCZ8tdAhsMAAoJEABOb0cA+X9WcSAAn11i
-gC5ns/82kSprzBOU0BNwUeXZAJ0cvNmY7rvbyiJydyLsSxh/la6HKw==
-=6Rbg
------END PGP PUBLIC KEY BLOCK-----
diff --git a/roles/php/files/createrundir.conf b/roles/php/files/createrundir.conf
deleted file mode 100644
index b101e5204..000000000
--- a/roles/php/files/createrundir.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-RuntimeDirectory=php-fpm
diff --git a/roles/php/files/php72-fpm.conf b/roles/php/files/php72-fpm.conf
deleted file mode 100644
index 6e0b288ef..000000000
--- a/roles/php/files/php72-fpm.conf
+++ /dev/null
@@ -1,138 +0,0 @@
-;;;;;;;;;;;;;;;;;;;;;
-; FPM Configuration ;
-;;;;;;;;;;;;;;;;;;;;;
-
-; All relative paths in this configuration file are relative to PHP's install
-; prefix.
-
-; Include one or more files. If glob(3) exists, it is used to include a bunch of
-; files from a glob(3) pattern. This directive can be used everywhere in the
-; file.
-include=/etc/opt/remi/php72/php-fpm.d/*.conf
-
-;;;;;;;;;;;;;;;;;;
-; Global Options ;
-;;;;;;;;;;;;;;;;;;
-
-[global]
-; Pid file
-; Default Value: none
-pid = /var/opt/remi/php72/run/php-fpm/php-fpm.pid
-
-; Error log file
-; If it's set to "syslog", log is sent to syslogd instead of being written
-; in a local file.
-; Default Value: /var/opt/remi/php72/log/php-fpm.log
-;error_log = /var/opt/remi/php72/log/php-fpm/error.log
-error_log = syslog
-
-; syslog_facility is used to specify what type of program is logging the
-; message. This lets syslogd specify that messages from different facilities
-; will be handled differently.
-; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
-; Default Value: daemon
-;syslog.facility = daemon
-
-; syslog_ident is prepended to every message. If you have multiple FPM
-; instances running on the same server, you can change the default value
-; which must suit common needs.
-; Default Value: php-fpm
-;syslog.ident = php-fpm
-
-; Log level
-; Possible Values: alert, error, warning, notice, debug
-; Default Value: notice
-;log_level = notice
-
-; Log limit on number of characters in the single line (log entry). If the
-; line is over the limit, it is wrapped on multiple lines. The limit is for
-; all logged characters including message prefix and suffix if present. However
-; the new line character does not count into it as it is present only when
-; logging to a file descriptor. It means the new line character is not present
-; when logging to syslog.
-; Default Value: 1024
-;log_limit = 4096
-
-; Log buffering specifies if the log line is buffered which means that the
-; line is written in a single write operation. If the value is false, then the
-; data is written directly into the file descriptor. It is an experimental
-; option that can potentionaly improve logging performance and memory usage
-; for some heavy logging scenarios. This option is ignored if logging to syslog
-; as it has to be always buffered.
-; Default value: yes
-;log_buffering = no
-
-; If this number of child processes exit with SIGSEGV or SIGBUS within the time
-; interval set by emergency_restart_interval then FPM will restart. A value
-; of '0' means 'Off'.
-; Default Value: 0
-;emergency_restart_threshold = 0
-
-; Interval of time used by emergency_restart_interval to determine when
-; a graceful restart will be initiated. This can be useful to work around
-; accidental corruptions in an accelerator's shared memory.
-; Available Units: s(econds), m(inutes), h(ours), or d(ays)
-; Default Unit: seconds
-; Default Value: 0
-;emergency_restart_interval = 0
-
-; Time limit for child processes to wait for a reaction on signals from master.
-; Available units: s(econds), m(inutes), h(ours), or d(ays)
-; Default Unit: seconds
-; Default Value: 0
-;process_control_timeout = 0
-
-; The maximum number of processes FPM will fork. This has been designed to control
-; the global number of processes when using dynamic PM within a lot of pools.
-; Use it with caution.
-; Note: A value of 0 indicates no limit
-; Default Value: 0
-;process.max = 128
-
-; Specify the nice(2) priority to apply to the master process (only if set)
-; The value can vary from -19 (highest priority) to 20 (lowest priority)
-; Note: - It will only work if the FPM master process is launched as root
-; - The pool process will inherit the master process priority
-; unless specified otherwise
-; Default Value: no set
-;process.priority = -19
-
-; Send FPM to background.
Set to 'no' to keep FPM in foreground for debugging.
-; Default Value: yes
-daemonize = yes
-
-; Set open file descriptor rlimit for the master process.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit for the master process.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Specify the event mechanism FPM will use. The following is available:
-; - select (any POSIX os)
-; - poll (any POSIX os)
-; - epoll (linux >= 2.5.44)
-; Default Value: not set (auto detection)
-;events.mechanism = epoll
-
-; When FPM is built with systemd integration, specify the interval,
-; in seconds, between health report notification to systemd.
-; Set to 0 to disable.
-; Available Units: s(econds), m(inutes), h(ours)
-; Default Unit: seconds
-; Default value: 10
-;systemd_interval = 10
-
-;;;;;;;;;;;;;;;;;;;;
-; Pool Definitions ;
-;;;;;;;;;;;;;;;;;;;;
-
-; Multiple pools of child processes may be started with different listening
-; ports and different management options. The name of the pool will be
-; used in logs and stats. There is no limitation on the number of pools which
-; FPM can handle. Your system will tell you anyway :)
-
-; See /etc/opt/remi/php72/php-fpm.d/*.conf
-
diff --git a/roles/php/files/remi-safe.repo b/roles/php/files/remi-safe.repo
deleted file mode 100644
index 32ef0a16a..000000000
--- a/roles/php/files/remi-safe.repo
+++ /dev/null
@@ -1,13 +0,0 @@
-# This repository is safe to use with RHEL/CentOS base repository
-# it only provides additional packages for the PHP stack
-# all dependencies are in base repository or in EPEL
-
-[remi-safe]
-name=Safe Remi's RPM repository for Enterprise Linux 7 - $basearch
-#baseurl=http://rpms.remirepo.net/enterprise/7/safe/$basearch/
-#mirrorlist=https://rpms.remirepo.net/enterprise/7/safe/httpsmirror
-mirrorlist=http://cdn.remirepo.net/enterprise/7/safe/mirror
-enabled=1
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
diff --git a/roles/php/files/remi.repo b/roles/php/files/remi.repo
deleted file mode 100644
index 560edf715..000000000
--- a/roles/php/files/remi.repo
+++ /dev/null
@@ -1,71 +0,0 @@
-# Repository: http://rpms.remirepo.net/
-# Blog: http://blog.remirepo.net/
-# Forum: http://forum.remirepo.net/
-
-[remi]
-name=Remi's RPM repository for Enterprise Linux 7 - $basearch
-#baseurl=http://rpms.remirepo.net/enterprise/7/remi/$basearch/
-#mirrorlist=https://rpms.remirepo.net/enterprise/7/remi/httpsmirror
-mirrorlist=http://cdn.remirepo.net/enterprise/7/remi/mirror
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-php55]
-name=Remi's PHP 5.5 RPM repository for Enterprise Linux 7 - $basearch
-#baseurl=http://rpms.remirepo.net/enterprise/7/php55/$basearch/
-#mirrorlist=https://rpms.remirepo.net/enterprise/7/php55/httpsmirror
-mirrorlist=http://cdn.remirepo.net/enterprise/7/php55/mirror
-# NOTICE: common dependencies are in "remi-safe"
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-php56]
-name=Remi's PHP 5.6 RPM repository for Enterprise Linux 7 - $basearch
-#baseurl=http://rpms.remirepo.net/enterprise/7/php56/$basearch/
-#mirrorlist=https://rpms.remirepo.net/enterprise/7/php56/httpsmirror
-mirrorlist=http://cdn.remirepo.net/enterprise/7/php56/mirror
-# NOTICE: common dependencies are in "remi-safe"
-enabled=1
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-test]
-name=Remi's test RPM repository for Enterprise Linux 7 - $basearch
-#baseurl=http://rpms.remirepo.net/enterprise/7/test/$basearch/
-#mirrorlist=https://rpms.remirepo.net/enterprise/7/test/mirror
-mirrorlist=http://cdn.remirepo.net/enterprise/7/test/mirror
-# WARNING: If you enable this repository, you must also enable "remi"
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-debuginfo]
-name=Remi's RPM repository for Enterprise Linux 7 - $basearch - debuginfo
-baseurl=http://rpms.remirepo.net/enterprise/7/debug-remi/$basearch/
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-php55-debuginfo]
-name=Remi's PHP 5.5 RPM repository for
Enterprise Linux 7 - $basearch - debuginfo
-baseurl=http://rpms.remirepo.net/enterprise/7/debug-php55/$basearch/
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-php56-debuginfo]
-name=Remi's PHP 5.6 RPM repository for Enterprise Linux 7 - $basearch - debuginfo
-baseurl=http://rpms.remirepo.net/enterprise/7/debug-php56/$basearch/
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
-[remi-test-debuginfo]
-name=Remi's test RPM repository for Enterprise Linux 7 - $basearch - debuginfo
-baseurl=http://rpms.remirepo.net/enterprise/7/debug-test/$basearch/
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
diff --git a/roles/php/files/www.conf b/roles/php/files/www.conf
deleted file mode 100644
index 47e2c46aa..000000000
--- a/roles/php/files/www.conf
+++ /dev/null
@@ -1,434 +0,0 @@ -; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the -; pool name ('www' here) -[www] - -; Per pool prefix -; It only applies on the following directives: -; - 'access.log' -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or @php_fpm_prefix@) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -; RPM: apache user chosen to provide access to the same directories as httpd -user = apache -; RPM: Keep a group allowed to write in log dir. -group = apache - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = 127.0.0.1:9072 - -; Set listen(2) backlog. -; Default Value: 511 -;listen.backlog = 511 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. -; Default Values: user and group are set as the running user -; mode is set to 0660 -;listen.owner = nobody -;listen.group = nobody -;listen.mode = 0660 - -; When POSIX Access Control Lists are supported you can set them using -; these options, value is a comma separated list of user/group names. 
-; When set, listen.owner and listen.group are ignored -;listen.acl_users = apache -;listen.acl_groups = - -; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user -; or group is differrent than the master process user. It allows to create process -; core dump and ptrace the process for the pool user. -; Default Value: no -; process.dumpable = yes - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). 
If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. -pm.max_children = 50 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 5 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 5 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 35 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. 
-; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. 
Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. -; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. 
-; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: @EXPANDED_DATADIR@/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. 
-; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/opt/remi/php72/log/php-fpm/www-slow.log - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. 
-; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Clear environment in FPM workers -; Prevents arbitrary environment variables from reaching FPM worker processes -; by clearing the environment in workers before env vars specified in this -; pool configuration are added. -; Setting to "no" will make all environment variables available to PHP code -; via getenv(), $_ENV and $_SERVER. -; Default Value: yes -;clear_env = no - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 .php7 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. 
Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or @prefix@) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/opt/remi/php72/log/php-fpm/www-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set the following data paths to directories owned by the FPM process user. -; -; Do not change the ownership of existing system directories, if the process -; user does not have write permission, create dedicated directories for this -; purpose. -; -; See warning about choosing the location of these directories on your system -; at http://php.net/session.save-path -php_value[session.save_handler] = files -php_value[session.save_path] = /var/opt/remi/php72/lib/php/session -php_value[soap.wsdl_cache_dir] = /var/opt/remi/php72/lib/php/wsdlcache -;php_value[opcache.file_cache] = /var/opt/remi/php72/lib/php/opcache diff --git a/roles/php/handlers/main.yml b/roles/php/handlers/main.yml deleted file mode 100644 index 6c87216ff..000000000 --- a/roles/php/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: restart php72-php-fpm - systemd: - name: php72-php-fpm - daemon_reload: yes - state: restarted - enabled: yes diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml deleted file mode 100644 index 08288beb5..000000000 --- a/roles/php/tasks/main.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -# Some cleanup from the situation where REMI was installed from an rpm -- name: Remove the REMI RPM if installed - yum: - name: remi-release - state: absent - register: php_packages_remi_remove - until: php_packages_remi_remove is succeeded - -- name: Install the remi-safe yum repo files - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root - mode: 0644 - with_items: - - src: remi-safe.repo - dest: /etc/yum.repos.d/remi-safe.repo - - src: RPM-GPG-KEY-remi - dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-remi - -- name: Install php-(cli,fpm) 7.2 - yum: - name: - - php72-php-fpm - - php72-php-cli - - php72-php-pecl-apcu - - php72-php-pecl-apcu-bc - - php72-php-curl - - php72-php-mbstring - - php72-php-mysql - - php72-php-soap - - php72-php-xml - - php72-php-gd - - php72-php-opcache - state: present - register: php_packages_php_installed - until: php_packages_php_installed is succeeded - -- name: Install custom PHP configuration for 7.2 - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php.d/{{ item }}" - with_items: - - 40-apcu.ini - - 10-opcache.ini - - openconext.ini - notify: - - "restart php72-php-fpm" - -- name: Install PHP debug extensions - yum: - name: - - php72-php-pecl-xdebug - state: present - register: php_packages_php_installed - until: php_packages_php_installed is succeeded - when: - - develop | bool - -- name: Configure PHP Xdebug for 7.2 - template: - src: "xdebug-php72.ini.j2" - dest: "/etc/opt/remi/php72/php.d/15-xdebug.ini" - when: - - develop | bool - notify: - - "restart php72-php-fpm" - -- name: Put 7.2 FPM configuration - copy: - src: php72-fpm.conf - dest: "/etc/opt/remi/php72/php-fpm.conf" - notify: - - "restart php72-php-fpm" - -- name: Create an empty default www pool file - copy: - content: "" - dest: /etc/opt/remi/php72/php-fpm.d/www.conf - notify: - - "restart php72-php-fpm" - -- name: Put 72 php-fpm systemd override file to create the socket dir - copy: - src: "createrundir.conf" - dest: 
"/etc/systemd/system/php72-php-fpm.service.d/createrundir.conf" - notify: - - "restart php72-php-fpm" - -- name: Create OpenConext dir to hold sessions - file: - path: /var/lib/openconext - state: directory - mode: 0775 - owner: root - -# Set mode to a+x so components can access their subdirectories under session/ -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir }}" - state: directory - mode: 0775 - -- name: Remove all php56 packages and composer - yum: - name: - - "php-*" - - "composer" - state: absent - register: php_packages_php_remove - until: php_packages_php_remove is succeeded - - -- name: Clean up old php-fpm 5.6 config - file: - path: "{{ item }}" - state: absent - with_items: - - "/etc/php.d/15-xdebug.ini" - - "/etc/php.d/40-apcu.ini" - - "/etc/php.d/openconext.ini" - - "/etc/php-fpm.conf" diff --git a/roles/php/templates/10-opcache.ini.j2 b/roles/php/templates/10-opcache.ini.j2 deleted file mode 100644 index 5a00f048d..000000000 --- a/roles/php/templates/10-opcache.ini.j2 +++ /dev/null 
@@ -1,129 +0,0 @@
-; Enable Zend OPcache extension module
-zend_extension=opcache
-
-; Determines if Zend OPCache is enabled
-opcache.enable=1
-
-; Determines if Zend OPCache is enabled for the CLI version of PHP
-;opcache.enable_cli=0
-
-; The OPcache shared memory storage size.
-opcache.memory_consumption=128
-
-; The amount of memory for interned strings in Mbytes.
-opcache.interned_strings_buffer=8
-
-; The maximum number of keys (scripts) in the OPcache hash table.
-; Only numbers between 200 and 1000000 are allowed.
-opcache.max_accelerated_files=10000
-
-; The maximum percentage of "wasted" memory until a restart is scheduled.
-;opcache.max_wasted_percentage=5
-
-; When this directive is enabled, the OPcache appends the current working
-; directory to the script key, thus eliminating possible collisions between
-; files with the same name (basename). Disabling the directive improves
-; performance, but may break existing applications.
-;opcache.use_cwd=1
-
-; When disabled, you must reset the OPcache manually or restart the
-; webserver for changes to the filesystem to take effect.
-opcache.validate_timestamps="{{ php_opcode_validate_timestamps }}"
-
-; How often (in seconds) to check file timestamps for changes to the shared
-; memory storage allocation. ("1" means validate once per second, but only
-; once per request. "0" means always validate)
-;opcache.revalidate_freq=2
-
-; Enables or disables file search in include_path optimization
-;opcache.revalidate_path=0
-
-; If disabled, all PHPDoc comments are dropped from the code to reduce the
-; size of the optimized code.
-;opcache.save_comments=1
-
-; If enabled, a fast shutdown sequence is used for the accelerated code
-; Depending on the used Memory Manager this may cause some incompatibilities.
-;opcache.fast_shutdown=0
-
-; Allow file existence override (file_exists, etc.) performance feature.
-;opcache.enable_file_override=0
-
-; A bitmask, where each bit enables or disables the appropriate OPcache
-; passes
-;opcache.optimization_level=0xffffffff
-
-;opcache.inherited_hack=1
-;opcache.dups_fix=0
-
-; The location of the OPcache blacklist file (wildcards allowed).
-; Each OPcache blacklist file is a text file that holds the names of files
-; that should not be accelerated.
-opcache.blacklist_filename=/etc/opt/remi/php72/php.d/opcache*.blacklist
-
-; Allows exclusion of large files from being cached. By default all files
-; are cached.
-;opcache.max_file_size=0
-
-; Check the cache checksum each N requests.
-; The default value of "0" means that the checks are disabled.
-;opcache.consistency_checks=0
-
-; How long to wait (in seconds) for a scheduled restart to begin if the cache
-; is not being accessed.
-;opcache.force_restart_timeout=180
-
-; OPcache error_log file name. Empty string assumes "stderr".
-;opcache.error_log=
-
-; All OPcache errors go to the Web server log.
-; By default, only fatal errors (level 0) or errors (level 1) are logged.
-; You can also enable warnings (level 2), info messages (level 3) or
-; debug messages (level 4).
-;opcache.log_verbosity_level=1
-
-; Preferred Shared Memory back-end. Leave empty and let the system decide.
-;opcache.preferred_memory_model=
-
-; Protect the shared memory from unexpected writing during script execution.
-; Useful for internal debugging only.
-;opcache.protect_memory=0
-
-; Allows calling OPcache API functions only from PHP scripts which path is
-; started from specified string. The default "" means no restriction
-;opcache.restrict_api=
-
-; Enables and sets the second level cache directory.
-; It should improve performance when SHM memory is full, at server restart or
-; SHM reset. The default "" disables file based caching.
-; RPM note : file cache directory must be owned by process owner
-; for mod_php, see /etc/opt/remi/php72/httpd/conf.d/php.conf
-; for php-fpm, see /etc/opt/remi/php72/php-fpm.d/*conf
-;opcache.file_cache=
-
-; Enables or disables opcode caching in shared memory.
-;opcache.file_cache_only=0
-
-; Enables or disables checksum validation when script loaded from file cache.
-;opcache.file_cache_consistency_checks=1
-
-; Implies opcache.file_cache_only=1 for a certain process that failed to
-; reattach to the shared memory (for Windows only). Explicitly enabled file
-; cache is required.
-;opcache.file_cache_fallback=1
-
-; Validate cached file permissions.
-; Leads OPcache to check file readability on each access to cached file.
-; This directive should be enabled in shared hosting environment, when few
-; users (PHP-FPM pools) reuse the common OPcache shared memory.
-;opcache.validate_permission=0
-
-; Prevent name collisions in chroot'ed environment.
-; This directive prevents file name collisions in different "chroot"
-; environments. It should be enabled for sites that may serve requests in
-; different "chroot" environments.
-;opcache.validate_root=0
-
-; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
-; This should improve performance, but requires appropriate OS configuration.
-opcache.huge_code_pages=0
diff --git a/roles/php/templates/40-apcu.ini.j2 b/roles/php/templates/40-apcu.ini.j2
deleted file mode 100644
index 19a64b970..000000000
--- a/roles/php/templates/40-apcu.ini.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-extension=apcu.so
-apc.enabled=1
-apc.shm_size=256M
diff --git a/roles/php/templates/openconext.ini.j2 b/roles/php/templates/openconext.ini.j2
deleted file mode 100644
index 1a5b0bd24..000000000
--- a/roles/php/templates/openconext.ini.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-; General PHP settings for all OpenConext hosts
-
-; disable onzinnige 'X-Powered-By' HTTP header
-expose_php = Off
-
-; more secure
-session.cookie_httponly = On
-session.cookie_secure = On
-session.sid_bits_per_character = 6
-
-; You are required to use the date.timezone setting
-date.timezone = "{{ timezone }}"
diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php.ini.j2
deleted file mode 100644
index 87f0143ab..000000000
--- a/roles/php/templates/php.ini.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-display_errors={{ php_display_errors }}
-date.timezone={{ timezone }}
diff --git a/roles/php/templates/xdebug-php72.ini.j2 b/roles/php/templates/xdebug-php72.ini.j2
deleted file mode 100644
index 5fb339761..000000000
--- a/roles/php/templates/xdebug-php72.ini.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-zend_extension = /opt/remi/php72/root/usr/lib64/php/modules/xdebug.so
-
-xdebug.remote_enable = 1
-xdebug.remote_host = 192.168.66.1
-xdebug.idekey = "PHPSTORM"
diff --git a/roles/shibboleth/defaults/main.yml b/roles/shibboleth/defaults/main.yml
deleted file mode 100644
index c49f698b2..000000000
--- a/roles/shibboleth/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-shibboleth_metadata_sources:
- engine: "https://engine.{{ base_domain }}/authentication/idp/metadata"
-engine_logout_url: "https://engine.{{ base_domain }}/logout"
-shibd_sp_crt_not_in_inventory: false
-mariadb_odbc_version: 3.1.9
-shibboleth_database_backend: false
-shibboleth_db_cleanup_interval: 900
diff --git a/roles/shibboleth/files/20_shib_apache24.conf b/roles/shibboleth/files/20_shib_apache24.conf
deleted file mode 100644
index d1dd238ad..000000000
--- a/roles/shibboleth/files/20_shib_apache24.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
-
-# RPM installations on platforms with a conf.d directory will
-# result in this file being copied into that directory for you
-# and preserved across upgrades.
-
-# For non-RPM installs, you should copy the relevant contents of
-# this file to a configuration location you control.
-
-#
-# Load the Shibboleth module.
-#
-LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
-
-#
-# Used for example logo and style sheet in error templates.
-#
-
-
-
- Require all granted
-
- Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
-
-
-
diff --git a/roles/shibboleth/files/mariadb.ini b/roles/shibboleth/files/mariadb.ini
deleted file mode 100644
index 701da2a52..000000000
--- a/roles/shibboleth/files/mariadb.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[MariaDB]
-Description = ODBC for MariaDB
-Driver64 = /usr/local/lib/mariadb/lib64/libmaodbc.so
-
diff --git a/roles/shibboleth/files/shibboleth-centos7.repo b/roles/shibboleth/files/shibboleth-centos7.repo
deleted file mode 100644
index b9e813c4b..000000000
--- a/roles/shibboleth/files/shibboleth-centos7.repo
+++ /dev/null
@@ -1,8 +0,0 @@
-[shibboleth]
-name=Shibboleth (CentOS_7)
-type=rpm-md
-mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
-gpgcheck=1
-gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
- https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
-enabled=1
diff --git a/roles/shibboleth/files/shibboleth_database.sql b/roles/shibboleth/files/shibboleth_database.sql
deleted file mode 100644
index ead34f0b8..000000000
--- a/roles/shibboleth/files/shibboleth_database.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-CREATE TABLE IF NOT EXISTS `version` (
- `major` int(11) NOT NULL,
- `minor` int(11) NOT NULL,
- `id` int(11) NOT NULL AUTO_INCREMENT,
- PRIMARY KEY (`id`),
- UNIQUE KEY `major` (`major`,`minor`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8 ;
-
-CREATE TABLE IF NOT EXISTS `strings` (
- `context` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
- `id` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
- `expires` datetime NOT NULL,
- `version` smallint(6) NOT NULL,
- `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
- PRIMARY KEY (`context`,`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8 ;
-
-CREATE TABLE IF NOT EXISTS `texts` (
- `context` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
- `id` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
- `expires` datetime NOT NULL,
- `version` smallint(6) NOT NULL,
- `value` text COLLATE utf8_unicode_ci NOT NULL,
- PRIMARY KEY (`context`,`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8 ;
-
-REPLACE INTO version(major,minor) VALUES (1,0);
-
diff --git a/roles/shibboleth/handlers/main.yml b/roles/shibboleth/handlers/main.yml
deleted file mode 100644
index cf226bf74..000000000
--- a/roles/shibboleth/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: restart shibd
- service:
- name: shibd
- state: restarted
diff --git a/roles/shibboleth/tasks/main.yml b/roles/shibboleth/tasks/main.yml
deleted file mode 100644
index 9ed138fbd..000000000
--- a/roles/shibboleth/tasks/main.yml
+++ /dev/null
@@ -1,79 +0,0 @@ ---- -- name: Add Shibboleth repo - copy: - src: "{{ item }}" - dest: "/etc/yum.repos.d/{{ item }}" - with_items: - - shibboleth-centos7.repo - -- name: Install Shibboleth - yum: - name: - - shibboleth.x86_64 - state: present - -- name: Include tasks to save Shibboleth sessions to the database - include_tasks: shibboleth_database_backend.yml - when: shibboleth_database_backend | bool - -- name: Remove default conf files apache - file: - path: "/etc/httpd/conf.d/{{ item }}" - state: absent - with_items: - - shib.conf - -- name: Copy default config files - copy: - src: "{{ item }}" - dest: "/etc/httpd/conf.d/20_shib.conf" - with_items: - - 20_shib_apache24.conf - notify: - - "reload httpd" - -- name: shibboleth SP certificate - copy: - src: "{{ inventory_dir }}/files/certs/shib-sp.crt" - dest: "/etc/shibboleth/shib-sp.crt" - notify: - - "restart shibd" - when: not shibd_sp_crt_not_in_inventory - -- name: shibboleth SP certificate when it is not located in the inventory_dir - copy: - src: "files/certs/shib-sp.crt" - dest: "/etc/shibboleth/shib-sp.crt" - notify: - - "restart shibd" - when: shibd_sp_crt_not_in_inventory | bool - -- name: shibboleth SP key - copy: - content: "{{ shibboleth_sp_key }}" - dest: "/etc/shibboleth/shib-sp.key" - owner: root - group: shibd - mode: 0640 - notify: - - "restart shibd" - -- name: Shibboleth config - template: - src: "shibboleth/{{ item }}.j2" - dest: "/etc/shibboleth/{{ item }}" - with_items: - - attribute-map.xml - - localLogout.html - - shibboleth2.xml - - attribute-policy.xml - -- name: enable shibd - service: - name: "{{ item }}" - enabled: yes - with_items: - - shibd - notify: - - "restart shibd" - - "reload httpd" diff --git a/roles/shibboleth/tasks/shibboleth_database_backend.yml b/roles/shibboleth/tasks/shibboleth_database_backend.yml deleted file mode 100644 index d971b396b..000000000 --- a/roles/shibboleth/tasks/shibboleth_database_backend.yml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -- name: Install python2-PyMySQL - yum: - name: python2-PyMySQL - state: present - -- name: Create directory to contain the MariaDB ODBC driver - file: - dest: "/usr/local/lib/mariadb" - state: directory - owner: root - mode: 0755 - -- name: Install mariadb odbc driver - unarchive: - src: "https://downloads.mariadb.com/Connectors/odbc/connector-odbc-{{ mariadb_odbc_version}}/mariadb-connector-odbc-{{ mariadb_odbc_version }}-centos7-amd64.tar.gz" - dest: "/usr/local/lib/mariadb" - remote_src: yes - owner: root - group: root - mode: 0744 - -- name: Place the odbc libs in /usr/local/lib/mariadb/lib64/ where shib expects them - copy: - src: /usr/local/lib/mariadb/mariadb-connector-odbc-{{ mariadb_odbc_version }}-centos7-amd64/lib/mariadb/ - dest: /usr/local/lib/mariadb/lib64/ - remote_src: yes - changed_when: false - -- name: Install ODBC ini file - copy: - src: mariadb.ini - dest: /etc/mariadb.ini - owner: root - group: root - mode: 0744 - -- name: Check presence of MariaDB driver in /etc/odbcinst.ini - shell: "odbcinst -q -d | grep MariaDB || true" - register: odbcinst_mariadb - changed_when: false - -- name: Install MariaDB driver to /etc/odbcinst.ini - command: odbcinst -i -d -f /etc/mariadb.ini - when: odbcinst_mariadb.stdout == "" - -- name: Copy the Shibboleth database table definitions - copy: - src: shibboleth_database.sql - dest: /tmp/shibboleth_database.sql - owner: root - mode: 0744 - -- name: Create tables for shibboleth - mysql_db: - name: shibboleth - login_user: shibrw - login_password: "{{ mysql_passwords.shibboleth }}" - login_host: "{{ shib.db_host }}" - state: import - target: /tmp/shibboleth_database.sql - config_file: "" - changed_when: false - run_once: true - diff --git a/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 b/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 deleted file mode 100644 index cea7916cd..000000000 --- a/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 +++ /dev/null 
@@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/roles/shibboleth/templates/shibboleth/attribute-policy.xml.j2 b/roles/shibboleth/templates/shibboleth/attribute-policy.xml.j2 deleted file mode 100644 index f6c97a46c..000000000 --- a/roles/shibboleth/templates/shibboleth/attribute-policy.xml.j2 +++ /dev/null @@ -1,77 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/roles/shibboleth/templates/shibboleth/localLogout.html.j2 b/roles/shibboleth/templates/shibboleth/localLogout.html.j2 deleted file mode 100644 index 0bc858850..000000000 --- a/roles/shibboleth/templates/shibboleth/localLogout.html.j2 +++ /dev/null @@ -1,46 +0,0 @@ - - - - - {{ instance_name }} - Local logout - - - - - -
- -
- -
- -
-
- -

Local Logout

- -
-
-

- Status of Local Logout:
- -

-

- You must close your browser to complete the logout process. -

- -
-
-
-
-

This service is provided by {{ instance_name }}.

-
-
-
-
-
- - - - diff --git a/roles/shibboleth/templates/shibboleth/shibboleth2.xml.j2 b/roles/shibboleth/templates/shibboleth/shibboleth2.xml.j2 deleted file mode 100644 index 8746e6af3..000000000 --- a/roles/shibboleth/templates/shibboleth/shibboleth2.xml.j2 +++ /dev/null @@ -1,151 +0,0 @@ - - - {% if shibboleth_database_backend %} - - - - - - - - DRIVER=MariaDB;SERVER={{ shib.db_host }};USER=shibrw;PASSWORD={{ mysql_passwords.shibboleth }};DATABASE=shibboleth - - - - - - {% endif %} - - - - - - - - - - - - - - - SAML2 - - - SAML2 Local - - - - - - - - - - - - - - - - - - -{% for key, value in shibboleth_metadata_sources.items() %} - - -{% endfor %} - - - - - - - - - - - - - - - -{% for key, value in shibboleth_apps.items() %} - - -{% if value.customIdP is defined %} - SAML2 - - - -{% else %} - -{% endif %} - -{% endfor %} - - - - - - - - - - diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml deleted file mode 100644 index a3219e7c1..000000000 --- a/roles/springboot/defaults/main.yml +++ /dev/null 
@@ -1,82 +0,0 @@ ---- - -springboot_services_state: - manage: true - myconext: true - account: true - oidcng: true - mujina_sp: true - -springboot_core_services: - - manage - - mujina-sp - - mujina-idp - -springboot_service_to_deploy: all -springboot_gui_services: - - name: manage - alias: manage-gui - enabled: "{{ springboot_services_state.manage }}" - version: "{{ manage_gui_version }}" - - name: myconext - alias: myconext-gui - enabled: "{{ springboot_services_state.myconext }}" - version: "{{ myconext_gui_version }}" - - name: account - alias: account-gui - group: myconext - enabled: "{{ springboot_services_state.account }}" - version: "{{ account_gui_version }}" - -springboot_server_services: - - name: manage - enabled: "{{ springboot_services_state.manage }}" - version: "{{ manage_server_version }}" - type: server - port: "{{ manage_springapp_tcpport }}" - min_heapsize: "{{ manage_min_heapsize | default('512m') }}" - max_heapsize: "{{ manage_max_heapsize | default('512m') }}" - config: - "{{ manage }}" - - name: oidcng - enabled: "{{ springboot_services_state.oidcng }}" - role: oidcng - version: "{{ oidcng_version }}" - artifactid: oidcng - port: 9195 - type: server - min_heapsize: "{{ oidcng_min_heapsize | default('512m') }}" - max_heapsize: "{{ oidcng_max_heapsize | default('512m')}}" - config: - "{{ oidcng }}" - - name: myconext - alias: myconext - enabled: "{{ springboot_services_state.myconext }}" - version: "{{ myconext_server_version }}" - type: server - port: 9189 - min_heapsize: "{{ myconext_min_heapsize | default('512m') }}" - max_heapsize: "{{ myconext_max_heapsize | default('512m') }}" - config: - "{{ myconext }}" - - name: mujina-sp - alias: mujina - enabled: "{{ springboot_services_state.mujina_sp }}" - version: "{{ mujina_version }}" - role: mujina-sp - artifactid: mujina-sp - type: server - port: 9391 - min_heapsize: "{{ mujina_sp_min_heapsize | default('128m') }}" - max_heapsize: "{{ mujina_sp_max_heapsize | default('128m') }}" - config: - 
"{{ mujina_sp }}" - -springboot_min_heapsize: "512m" -springboot_max_heapsize: "512m" -springboot_random_source: "file:///dev/urandom" -springboot_opts: -springboot_artifact_group_dir: org/openconext -springboot_artifact_type: jar -springboot_tcpport: 9999 -springboot_java_binary: "/usr/lib/jvm/jre-11-openjdk/bin/java" diff --git a/roles/springboot/handlers/main.yml b/roles/springboot/handlers/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/springboot/handlers/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/springboot/meta/main.yml b/roles/springboot/meta/main.yml deleted file mode 100644 index cf454b7b4..000000000 --- a/roles/springboot/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: java - - role: httpd - - role: maven_artifact_requirements diff --git a/roles/springboot/tasks/gui.yml b/roles/springboot/tasks/gui.yml deleted file mode 100644 index fcf5c43df..000000000 --- a/roles/springboot/tasks/gui.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | create html folder" - file: - path: "{{ _springapp_dir }}" - owner: root - group: root - mode: 02755 - state: directory - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | download html archive" - maven_artifact: - group_id: org.openconext - artifact_id: "{{ _springapp_artifact_id }}" - extension: zip - version: "{{ _springapp_version }}" - repository_url: "{{ maven_snapshot_repo if 'SNAPSHOT' in _springapp_version else maven_repo }}" - dest: "{{ _springapp_dir }}" - register: maven_result - until: maven_result is succeeded - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | extract html archive" - unarchive: - src: "{{ maven_result.dest }}" - dest: "{{ _springapp_dir }}" - copy: no - owner: root - group: apache - when: - - maven_result.changed - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Check if we have a custom favicon" - local_action: stat path="{{ inventory_dir }}/files/favicon.ico" - register: customfavicon - become: false - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Install environment specific favicon" - copy: - src: "{{ inventory_dir }}/files/favicon.ico" - dest: "{{ _springapp_dir }}/{{ _springapp_artifact_id }}-{{ _springapp_version }}/" - when: - - customfavicon.stat.exists - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | create symlink to downloaded version" - file: - src: "{{ _springapp_dir }}/{{ _springapp_artifact_id}}-{{ _springapp_version }}" - dest: "{{ _springapp_dir }}/current" - state: link - force: yes - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Remove old zipfiles" - shell: 'ls -t *.zip | tail -n +3| xargs --no-run-if-empty rm -v' - args: - chdir: "{{ _springapp_dir }}" - register: clean_zips - changed_when: '"removed" in clean_zips' - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Remove old www directories" - shell: 'find . ! 
-name $(basename $(readlink current)) -name "{{ _springapp_artifact_id }}-*" -type d -printf "%T@ %p\n" | sort -rn | awk ''{print $2}'' | tail -n +2 | xargs --no-run-if-empty rm -vr' - args: - chdir: "{{ _springapp_dir }}" - register: clean_wwwdirs - changed_when: '"removed" in clean_wwwdirs' - -# These are pre-2020 deploys which put gui under /var/www -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Remove ancient www directories" - file: - state: absent - path: "/var/www/{{ _springapp_service_name }}" diff --git a/roles/springboot/tasks/main.yml b/roles/springboot/tasks/main.yml deleted file mode 100644 index b03f951e5..000000000 --- a/roles/springboot/tasks/main.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- - -- name: "Generate complete servers_to_install list" - set_fact: - _services_to_install: "{{ _services_to_install | default([]) }} + [ '{{ item.name }}' ]" - with_items: "{{ springboot_server_services }}" - when: - - springboot_service_to_deploy | lower == "all" - -- name: "Generate complete servers_to_install list" - set_fact: - _services_to_install: "{{ springboot_core_services }}" - with_items: "{{ springboot_server_services }}" - when: - - springboot_service_to_deploy | lower == "all" - tags: [ 'never', 'core' ] - -- name: "Create servers_to_install list" - set_fact: - _services_to_install: "{{ _services_to_install | default([]) }} + [ '{{ item }}' ]" - with_items: "{{ springboot_service_to_deploy.split(',') }}" - when: - - springboot_service_to_deploy | lower != "all" - -- name: "Install Springboot GUI services" - include_tasks: "springboot.yml" - with_items: "{{ springboot_gui_services }}" - no_log: true - loop_control: - loop_var: springboot - when: - - springboot.name in _services_to_install or (springboot.alias is defined and springboot.alias in _services_to_install) - or (springboot.group is defined and springboot.group in _services_to_install) - - springboot.enabled - -- name: "Install Springboot Server services" - include_tasks: "springboot.yml" - with_items: "{{ springboot_server_services }}" - loop_control: - loop_var: springboot - when: - - springboot.name in _services_to_install or (springboot.alias is defined and springboot.alias in _services_to_install) - or (springboot.group is defined and springboot.group in _services_to_install) - - springboot.enabled diff --git a/roles/springboot/tasks/maven.yml b/roles/springboot/tasks/maven.yml deleted file mode 100644 index 0c1e0145b..000000000 --- a/roles/springboot/tasks/maven.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | download maven-artifact" - maven_artifact: - group_id: "{{ _springapp_artifact_group_dir }}" - artifact_id: "{{ _springapp_artifact_id }}" - extension: "{{ _springapp_artifact_type }}" - version: "{{ _springapp_version }}" - repository_url: "{{ maven_snapshot_repo if 'SNAPSHOT' in _springapp_version else maven_repo }}" - dest: "{{ _springapp_dir }}/{{ _springapp_artifact_id }}-{{ _springapp_version }}.{{ _springapp_artifact_type }}" - register: maven_result - until: maven_result is succeeded - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | set ownership of application artifact" - file: - path: "{{ maven_result.dest }}" - owner: "{{ _springapp_user }}" - group: "{{ _springapp_user }}" - mode: 0600 - when: - - maven_result.changed - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | stop app" - service: - name: "{{ _springapp_service_name }}" - state: stopped - when: - - maven_result.changed - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | wait for the app to be fully stopped" - wait_for: - port: "{{ _springapp_tcpport }}" - state: stopped - delay: 5 - when: - - maven_result.changed - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | change symlink to current version" - file: - src: "{{ maven_result.dest }}" - dest: "{{ _springapp_dir }}/{{ _springapp_jar }}" - state: link - owner: "{{ _springapp_user }}" - group: "{{ _springapp_user }}" - register: maven_symlink - ignore_errors: "{{ ansible_check_mode }}" diff --git a/roles/springboot/tasks/service.yml b/roles/springboot/tasks/service.yml deleted file mode 100644 index b8c5a106c..000000000 --- a/roles/springboot/tasks/service.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | start the {{ _springapp_service_name }} service" - service: - name: "{{ _springapp_service_name }}" - state: started - enabled: yes - daemon_reload: yes - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | wait for {{ _springapp_service_name }} to start" - wait_for: - connect_timeout: 30 - timeout: 120 - port: "{{ _springapp_tcpport }}" - state: started - register: task_springapp_service_name - until: task_springapp_service_name is succeeded - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | cleanup old jars" - shell: 'find . ! -name $(basename $(readlink "{{ _springapp_dir }}/{{ _springapp_jar }}")) -name "*.jar" -type f -printf "%T@ %p\n" | sort -rn | awk ''{print $2}'' | tail -n +2 | xargs --no-run-if-empty rm -v' - args: - chdir: "{{ _springapp_dir }}" - register: clean_jars - changed_when: '"removed" in clean_jars' - -- name: "Restart 'service'" - systemd: - name: "{{ _springapp_service_name }}" - state: restarted - enabled: yes - daemon_reload: yes - when: - - maven_result.changed or maven_symlink.changed - ignore_errors: "{{ ansible_check_mode }}" diff --git a/roles/springboot/tasks/springboot.yml b/roles/springboot/tasks/springboot.yml deleted file mode 100644 index 37ad5755b..000000000 --- a/roles/springboot/tasks/springboot.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- - -- name: "{{ springboot.name }} | Set facts (1)" - set_fact: - _springapp_service_name: "{{ springboot.name }}" - _springapp_type: "{{ springboot.type if springboot.type is defined else 'gui' }}" - -- name: "{{ springboot.name }}-{{ _springapp_type }} | Set facts (2)" - set_fact: - _springapp_min_heapsize: "{{ springboot.min_heapsize if springboot.min_heapsize is defined else springboot_min_heapsize }}" - _springapp_max_heapsize: "{{ springboot.max_heapsize if springboot.max_heapsize is defined else springboot_max_heapsize }}" - _springapp_random_source: "{{ springboot.random_source if springboot.random_source is defined else springboot_random_source }}" - _springapp_jar: "{{ springboot.jar if springboot.jar is defined else _springapp_service_name + '.jar' }}" - _springapp_opts: "{{ springboot.opts if springboot.opts is defined else springboot_opts }}" - _springapp_user: "{{ springboot.user if springboot.user is defined else _springapp_service_name }}" - _springapp_dir: "{{ springboot.dir if springboot.dir is defined else '/opt/' + _springapp_service_name }}" - _springapp_role: "{{ springboot.role if springboot.role is defined else _springapp_service_name + '-' + _springapp_type }}" - _springapp_artifact_id: "{{ springboot.artifactid if springboot.artifactid is defined else _springapp_service_name + '-' + _springapp_type }}" - _springapp_artifact_group_dir: "{{ springboot.artifactgroup if springboot.artifactgroup is defined else springboot_artifact_group_dir }}" - _springapp_artifact_type: "{{ springboot.artifacttype if springboot.artifacttype is defined else springboot_artifact_type }}" - _springapp_version: "{{ springboot.version }}" - _springapp_tcpport: "{{ springboot.port if springboot.port is defined else springboot_tcpport }}" - _springapp_java_binary: "{{ springboot.java_binary if springboot.java_binary is defined else springboot_java_binary }}" - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Include user related 
tasks" - include_tasks: user.yml - when: - - _springapp_type == "server" - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Include GUI related tasks" - include_tasks: gui.yml - when: - - _springapp_type == "gui" - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Include maven related tasks" - include_tasks: maven.yml - when: - - _springapp_type == "server" - -# Need to make sure that manage is running before manage can do a call to manage -- name: "Restart 'manage'" - systemd: - name: manage - state: restarted - daemon_reload: yes - when: - - maven_result.changed - - _springapp_type == "server" - - _springapp_service_name == "manage" - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Include role" - include_role: - name: "{{ _springapp_role }}" - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Include service related tasks" - include_tasks: service.yml - when: - - _springapp_type == "server" diff --git a/roles/springboot/tasks/user.yml b/roles/springboot/tasks/user.yml deleted file mode 100644 index e66202b95..000000000 --- a/roles/springboot/tasks/user.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | create user" - user: - name: "{{ _springapp_user }}" - system: yes - home: "{{ _springapp_dir }}" - shell: /sbin/nologin - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Create logging directory" - file: - path: "/var/log/{{ _springapp_service_name }}" - state: directory - owner: "{{ _springapp_user }}" - group: "{{ _springapp_user }}" - mode: 0755 - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | Copy systemd service file" - template: - src: "spring-boot.service.j2" - dest: "/etc/systemd/system/{{ _springapp_service_name }}.service" - register: springboot_service_state - -- name: "{{ _springapp_service_name }}-{{ _springapp_type }} | enable service" - service: - name: "{{ _springapp_service_name }}" - enabled: yes - daemon_reload: true - when: - - springboot_service_state.changed diff --git a/roles/springboot/templates/spring-boot.service.j2 b/roles/springboot/templates/spring-boot.service.j2 deleted file mode 100644 index b96246b22..000000000 --- a/roles/springboot/templates/spring-boot.service.j2 +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description={{ _springapp_service_name }} - -[Service] -WorkingDirectory={{ _springapp_dir }} -ExecStart={{ _springapp_java_binary }} -Xms{{ _springapp_min_heapsize }} -Xmx{{ _springapp_max_heapsize }} -Djava.security.egd={{ _springapp_random_source }} -jar {{ _springapp_jar }} {{ _springapp_opts }} -User={{ _springapp_user }} -PrivateTmp=yes -SuccessExitStatus=143 - -[Install] -WantedBy=multi-user.target