Add audit-storage and systemd-service roles

Alfresco · Nov 26, 2024 · 35c026e · 35c026e
1 parent 8883dfb
commit 35c026e
Show file tree

Hide file tree

Showing 23 changed files with 527 additions and 0 deletions.
diff --git a/.github/workflows/community.yml b/.github/workflows/community.yml
@@ -44,6 +44,7 @@ jobs:
           - name: search
           - name: tomcat
           - name: transformers
+          - name: systemd_service
     env:
       PY_COLORS: 1
       PYTHONUNBUFFERED: 1

diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml
@@ -64,6 +64,7 @@ jobs:
           - name: sfs
           - name: sync
           - name: trouter
+          - name: audit_storage
     steps:
       - name: Share var with further reusable workflows
         id: jobvars

diff --git a/roles/audit_storage/README.md b/roles/audit_storage/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/audit_storage/defaults/main.yml b/roles/audit_storage/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+# defaults file for audit_storage
+audit_storage_version: "1.0.0"
+audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
+audit_storage_zip_sha1_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip.sha1
+
+audit_storage_artifact_name: alfresco-audit-storage-app
+
+audit_storage_username: alfresco
+audit_storage_group_name: alfresco
+
+audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
+audit_storage_broker_username: admin
+audit_storage_broker_password: admin
+audit_storage_opensearch_url: http://localhost:9200
+audit_storage_opensearch_username: ''
+audit_storage_opensearch_password: ''
+
+audit_storage_default_environment:
+  SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
+  SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
+  SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
+  AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
+audit_storage_environment: {}
+
+audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java
+
+audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
+audit_storage_config_dir: "/etc/alfresco/audit-storage"
diff --git a/roles/audit_storage/handlers/main.yml b/roles/audit_storage/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for audit_storage
diff --git a/roles/audit_storage/meta/main.yml b/roles/audit_storage/meta/main.yml
@@ -0,0 +1,33 @@
+galaxy_info:
+  author: Alfresco Ops Readiness
+  description: This role installs and configures the audit storage for Alfresco
+  company: Hyland Software
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: Apache-2.0
+
+  min_ansible_version: "2.12"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - focal
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies:
+  - role: java
diff --git a/roles/audit_storage/molecule/default/converge.yml b/roles/audit_storage/molecule/default/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: activemq
+    - role: elasticsearch
+    - role: audit_storage
diff --git a/roles/audit_storage/molecule/default/host_vars/instance.yml b/roles/audit_storage/molecule/default/host_vars/instance.yml
@@ -0,0 +1 @@
+ansible_user: ansible
diff --git a/roles/audit_storage/molecule/default/molecule.yml b/roles/audit_storage/molecule/default/molecule.yml
@@ -0,0 +1,32 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: $MOLECULE_ROLE_IMAGE
+    dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2
+    command: "/lib/systemd/systemd"
+    privileged: true
+    tmpfs:
+      - /run
+      - /run/lock
+      - /tmp
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    groups:
+      - audit_storage
+      - activemq
+      - elasticsearch
+provisioner:
+  name: ansible
+  ansible_args:
+    - -e
+    - "@../../../../tests/molecule/secrets.yml"
+  inventory:
+    links:
+      group_vars: ../../../../group_vars
+      host_vars: host_vars
+verifier:
+  name: ansible
diff --git a/roles/audit_storage/molecule/default/verify.yml b/roles/audit_storage/molecule/default/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+  hosts: instance
+  gather_facts: false
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check that service is up and running
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services['alfresco-audit-storage.service'] is defined
+          - ansible_facts.services['alfresco-audit-storage.service'].state == 'running'
+        quiet: true
diff --git a/roles/audit_storage/tasks/main.yml b/roles/audit_storage/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+# tasks file for audit_storage
+- name: Download audit storage distribution {{ audit_storage_version }}
+  ansible.builtin.get_url:
+    url: "{{ audit_storage_zip_url }}"
+    dest: "{{ download_location }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.zip"
+    checksum: sha1:{{ lookup('url', audit_storage_zip_sha1_url, username=nexus_user, password=nexus_password) }} # pragma: allowlist secret
+    mode: "0644"
+    url_username: "{{ nexus_user }}"
+    url_password: "{{ nexus_password }}"
+
+- name: Install Audit Storage
+  become: true
+  block:
+    - name: Create directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ audit_storage_username }}"
+        group: "{{ audit_storage_group_name }}"
+        mode: "0755"
+      loop:
+        - "{{ audit_storage_binaries_dir }}"
+        - "{{ audit_storage_config_dir }}"
+
+    - name: Extract distribution zip in binaries
+      ansible.builtin.unarchive:
+        src: "{{ download_location }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.zip"
+        dest: "{{ audit_storage_binaries_dir }}"
+        remote_src: true
+        creates: "{{ audit_storage_binaries_dir }}/README.md"
+        owner: "{{ audit_storage_username }}"
+        group: "{{ audit_storage_group_name }}"
+
+    - name: Install service
+      ansible.builtin.include_role:
+        name: systemd_service
+      vars:
+        systemd_service_unit_name: "alfresco-audit-storage"
+        systemd_service_unit_description: "Alfresco Audit Storage"
+        systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
+        systemd_service_user: "{{ audit_storage_username }}"
+        systemd_service_environment: >-
+          {{ audit_storage_default_environment |
+          combine(audit_storage_environment) }}
diff --git a/roles/audit_storage/vars/main.yml b/roles/audit_storage/vars/main.yml
@@ -0,0 +1,3 @@
+---
+# vars file for audit_storage
+audit_storage_artifact_path: "{{ audit_storage_binaries_dir }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.jar"
diff --git a/roles/systemd_service/README.md b/roles/systemd_service/README.md
@@ -0,0 +1,118 @@
+# systemd_service
+
+Install and configure systemd services
+
+## Table of content
+
+* [systemd\_service](#systemd_service)
+  * [Table of content](#table-of-content)
+  * [Requirements](#requirements)
+  * [Default Variables](#default-variables)
+    * [systemd\_service\_additional\_options](#systemd_service_additional_options)
+    * [systemd\_service\_enabled](#systemd_service_enabled)
+    * [systemd\_service\_environment](#systemd_service_environment)
+    * [systemd\_service\_exec\_start](#systemd_service_exec_start)
+    * [systemd\_service\_exec\_stop](#systemd_service_exec_stop)
+    * [systemd\_service\_state](#systemd_service_state)
+    * [systemd\_service\_type](#systemd_service_type)
+    * [systemd\_service\_unit\_after](#systemd_service_unit_after)
+    * [systemd\_service\_unit\_description](#systemd_service_unit_description)
+    * [systemd\_service\_unit\_name](#systemd_service_unit_name)
+    * [systemd\_service\_user](#systemd_service_user)
+    * [systemd\_service\_working\_directory](#systemd_service_working_directory)
+  * [Dependencies](#dependencies)
+  * [License](#license)
+  * [Author](#author)
+
+---
+
+## Requirements
+
+* Minimum Ansible version: `2.1`
+
+## Default Variables
+
+### systemd_service_additional_options
+
+```YAML
+systemd_service_additional_options: {}
+```
+
+### systemd_service_enabled
+
+```YAML
+systemd_service_enabled: true
+```
+
+### systemd_service_environment
+
+```YAML
+systemd_service_environment: {}
+```
+
+### systemd_service_exec_start
+
+```YAML
+systemd_service_exec_start: ''
+```
+
+### systemd_service_exec_stop
+
+```YAML
+systemd_service_exec_stop: kill -15 $MAINPID
+```
+
+### systemd_service_state
+
+```YAML
+systemd_service_state: started
+```
+
+### systemd_service_type
+
+```YAML
+systemd_service_type: simple
+```
+
+### systemd_service_unit_after
+
+```YAML
+systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target
+  nss-lookup.target
+```
+
+### systemd_service_unit_description
+
+```YAML
+systemd_service_unit_description: ''
+```
+
+### systemd_service_unit_name
+
+```YAML
+systemd_service_unit_name: ''
+```
+
+### systemd_service_user
+
+```YAML
+systemd_service_user: ''
+```
+
+### systemd_service_working_directory
+
+```YAML
+systemd_service_working_directory: /tmp
+```
+
+## Dependencies
+
+None.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Alfresco Ops Readiness
diff --git a/roles/systemd_service/defaults/main.yml b/roles/systemd_service/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# defaults file for systemd-service
+systemd_service_unit_name: ''
+systemd_service_unit_description: ''
+systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
+
+systemd_service_type: simple
+systemd_service_user: ''
+systemd_service_environment: {}
+systemd_service_exec_start: ''
+systemd_service_exec_stop: kill -15 $MAINPID
+systemd_service_working_directory: /tmp
+systemd_service_additional_options: {}
+systemd_service_state: started
+systemd_service_enabled: true
diff --git a/roles/systemd_service/handlers/main.yml b/roles/systemd_service/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for systemd-service
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart {{ systemd_service_unit_name }}
+  ansible.builtin.systemd:
+    name: "{{ systemd_service_unit_name }}"
+    state: restarted
+  when: systemd_service_state == 'started'