Refactor of the wazuh-dashboard ansible role

CHANGELOG.md

@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Refactor of the wazuh-dashboard ansible role ([#1565](https://github.com/wazuh/wazuh-ansible/pull/1565))
 - Refactor of the wazuh-indexer ansible role ([#1551](https://github.com/wazuh/wazuh-ansible/pull/1551))
 - Remove default Wazuh agent configuration file and related tasks ([#1546](https://github.com/wazuh/wazuh-ansible/pull/1546))
 - Refactor of the wazuh-agent ansible role ([#1517](https://github.com/wazuh/wazuh-ansible/pull/1517))

roles/wazuh-dashboard/defaults/main.yml

@@ -1,31 +1,8 @@
 ---
 
-# Dashboard configuration
-indexer_http_port: 9200
-indexer_api_protocol: https
-dashboard_conf_path: /etc/wazuh-dashboard/
-dashboard_node_name: node-1
-dashboard_server_host: "0.0.0.0"
-dashboard_server_port: "443"
-dashboard_server_name: "dashboard"
-wazuh_version: 5.0.0
+dashboard_node_name: "dashboard"
 indexer_cluster_nodes:
-  - 127.0.0.1
+  - "{{ hostvars[inventory_hostname].private_ip }}"
 
-# The Wazuh dashboard package repository
-dashboard_version: "5.0.0"
-
-# API credentials
-wazuh_api_credentials:
-  - id: "default"
-    url: "https://127.0.0.1"
-    port: 55000
-    username: "wazuh-wui"
-    password: "wazuh-wui"
-
-# Dashboard Security
-dashboard_security: true
-indexer_admin_password: changeme
-dashboard_user: kibanaserver
-dashboard_password: changeme
-local_certs_path: "{{ playbook_dir }}/indexer/certificates"
+wazuh_dashboard_package_download_path: "/tmp/wazuh-dashboard"
+wazuh_dashboard_package_name: "wazuh-dashboard-package"

roles/wazuh-dashboard/tasks/dependencies.yml

@@ -0,0 +1,74 @@
+---
+
+- name: Check if local_configs_path directory exists
+  block:
+    - name: Retrieve local_configs_path directory information
+      stat:
+        path: "{{ local_configs_path }}"
+      register: local_configs_path_stat
+
+    - fail:
+        msg: "The directory {{ local_configs_path }} (local_configs_path) does not exist."
+      when: not local_configs_path_stat.stat.exists
+  run_once: true
+  delegate_to: localhost
+  become: no
+
+- name: Ensure wazuh-dashboard package download directory exists
+  file:
+    path: "{{ wazuh_dashboard_package_download_path }}"
+    state: directory
+    mode: '0755'
+
+- name: RHEL, CentOS, and Amazon Linux 2 | Configure system settings and install dependencies
+  block:
+    - name: RedHat/CentOS/Fedora | Install Dashboard dependencies
+      yum:
+        name: "{{ packages }}"
+      vars:
+        packages:
+        - libcap
+
+    - name: RedHat/CentOS/Fedora (x86_64) | Download wazuh-dashboard package
+      get_url:
+        url: "{{ wazuh_dashboard_url_amd64_rpm }}"
+        dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm"
+      when:
+        - ansible_architecture == "x86_64"
+
+    - name: RedHat/CentOS/Fedora (aarch64) | Download wazuh-dashboard package
+      get_url:
+        url: "{{ wazuh_dashboard_url_arm64_rpm }}"
+        dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm"
+      when:
+        - ansible_architecture == "aarch64"
+
+  when:
+    - ansible_os_family == 'RedHat'
+
+- name: Debian-based systems | Install Wazuh dashboard dependencies and download package
+  block:
+    - name: Debian-based | Install Dashboard dependencies
+      apt:
+        name:
+          - 'debhelper'
+          - 'tar'
+          - 'curl'
+          - 'libcap2-bin'
+        state: present
+
+    - name: Debian-based (AMD64) | Download wazuh-dashboard package
+      get_url:
+        url: "{{ wazuh_dashboard_url_amd64_deb }}"
+        dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb"
+      when:
+        - ansible_architecture == "x86_64"
+
+    - name: Debian-based (ARM64) | Download wazuh-dashboard package
+      get_url:
+        url: "{{ wazuh_dashboard_url_arm64_deb }}"
+        dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb"
+      when:
+        - ansible_architecture == "aarch64"
+  when:
+    - ansible_os_family == 'Debian'

roles/wazuh-dashboard/tasks/main.yml

@@ -1,99 +1,74 @@
 ---
-- include_vars: ../../vars/repo_vars.yml
 
-- include_vars: ../../vars/repo.yml
-  when: packages_repository == 'production'
+- include_vars: ../../vars/main.yml
 
-- include_vars: ../../vars/repo_pre-release.yml
-  when: packages_repository == 'pre-release'
+- include_vars: ../../vars/{{ urls_file }}
 
-- include_vars: ../../vars/repo_staging.yml
-  when: packages_repository == 'staging'
-
-- import_tasks: RedHat.yml
-  when: ansible_os_family == 'RedHat'
-
-- import_tasks: Debian.yml
-  when: ansible_os_family == 'Debian'
-
-- name: Remove Dashboard configuration file
-  file:
-    # noqa 503
-    path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
-    state: absent
-  tags: install
-
-- import_tasks: security_actions.yml
-
-- name: Copy Configuration File
-  template:
-    src: "templates/opensearch_dashboards.yml.j2"
-    dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
-    group: wazuh-dashboard
-    owner: wazuh-dashboard
-    mode: 0640
-    force: yes
-  notify: restart wazuh-dashboard
-  tags:
-    - install
-    - configure
-
-- name: Ensuring Wazuh dashboard directory owner
-  file:
-    # noqa 208
-    path: "/usr/share/wazuh-dashboard"
-    state: directory
-    owner: wazuh-dashboard
-    group: wazuh-dashboard
-    recurse: yes
-
-- name: Wait for Wazuh-Indexer port
-  wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }}
-
-- name: Select correct API protocol
-  set_fact:
-    indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}"
-
-- name: Attempting to delete legacy Wazuh index if exists
-  uri:
-    url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh"
-    method: DELETE
-    user: "admin"
-    password: "{{ indexer_admin_password }}"
-    validate_certs: no
-    status_code: 200, 404
+- import_tasks: dependencies.yml
+  become: yes
 
-- name: Create Wazuh Plugin config directory
-  file:
-    path: /usr/share/wazuh-dashboard/data/wazuh/config/
-    state: directory
-    recurse: yes
-    owner: wazuh-dashboard
-    group: wazuh-dashboard
-    mode: 0751
-  changed_when: False
+- name: Linux CentOS/RedHat | Install wazuh-dashboard using yum
+  yum:
+    name: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm"
+    state: present
+    disable_gpg_check: yes
+  become: yes
+  when:
+    - ansible_os_family|lower == "redhat"
 
-- name: Configure Wazuh Dashboard Plugin
-  template:
-    src: wazuh.yml.j2
-    dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+- name: Linux Debian | Install wazuh-dashboard using dpkg
+  shell: |
+    dpkg -i {{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb
+  become: yes
+  when:
+    - ansible_os_family|lower == 'debian'
+
+- name: Dashboard | Configure Wazuh dashboard
+  block:
+      - name: Dashboard | Remove current opensearch.hosts configuration
+        replace:
+          path: /etc/wazuh-dashboard/opensearch_dashboards.yml
+          regexp: 'opensearch\.hosts: .*$'
+          replace: 'opensearch.hosts:'
+
+      - name: Dashboard | Add opensearch.hosts configuration
+        blockinfile:
+          path: /etc/wazuh-dashboard/opensearch_dashboards.yml
+          insertafter: 'opensearch.hosts:'
+          block: |
+            {% for node in indexer_cluster_nodes %}
+              - https://{{ node }}:9200
+            {% endfor %}
+
+- name: Copy the certificates from local to the Wazuh dashboard instance
+  copy:
+    src: "{{ local_configs_path }}/wazuh-certificates/{{ item }}"
+    dest: /etc/wazuh-dashboard/certs/
     owner: wazuh-dashboard
     group: wazuh-dashboard
-    mode: 0751
-  changed_when: False
-
-- name: Configure opensearch.password in opensearch_dashboards.keystore
-  shell: >-
-    echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
-  args:
-    executable: /bin/bash
+    mode: 0400
+  with_items:
+    - "root-ca.pem"
+    - "{{ dashboard_node_name }}-key.pem"
+    - "{{ dashboard_node_name }}.pem"
+
+- name: Rename certificates to match default names
+  command: mv /etc/wazuh-dashboard/certs/{{ item.src }} /etc/wazuh-dashboard/certs/{{ item.dest }}
+  with_items:
+    - { src: "{{ dashboard_node_name }}.pem", dest: "dashboard.pem" }
+    - { src: "{{ dashboard_node_name }}-key.pem", dest: "dashboard-key.pem" }
   become: yes
+  when: dashboard_node_name != "dashboard"
 
 - name: Ensure Wazuh dashboard started and enabled
   service:
     name: wazuh-dashboard
     enabled: true
     state: started
 
-- import_tasks: RMRedHat.yml
-  when: ansible_os_family == 'RedHat'
+- name: Remove installation leftovers
+  file:
+    path: "{{ wazuh_dashboard_package_download_path }}"
+    state: absent
+    force: yes
+  become: yes