5095ffad73
* Apply @akrzos fix for firewall variabilization, make firewall register values a static string so port values are truly variablized. * Remove one small, unneeded section doing an unecessary lookup for firewall method since we run this earlier on. Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
194 lines
6.7 KiB
YAML
194 lines
6.7 KiB
YAML
---
|
|
#
|
|
# Install/run nginx for browbeat
|
|
#
|
|
|
|
- name: Install nginx, httpd-tools, httplib2, libsemanage-python
|
|
yum: name={{ item }} state=present
|
|
become: true
|
|
with_items:
|
|
- nginx
|
|
- httpd-tools
|
|
- python-httplib2
|
|
- libsemanage-python
|
|
|
|
# SELinux boolean for nginx
|
|
- name: Apply SELinux boolean httpd_can_network_connect
|
|
seboolean: name=httpd_can_network_connect state=yes persistent=yes
|
|
|
|
# create /etc/nginx/conf.d/ directory
|
|
- name: Create nginx directory structure
|
|
file: path=/etc/nginx/conf.d/
|
|
state=directory
|
|
mode=0755
|
|
|
|
# deploy kibana.conf with FQDN
|
|
- name: Setup nginx reverse proxy for kibana
|
|
template:
|
|
src=kibana.conf.j2
|
|
dest=/etc/nginx/conf.d/kibana.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
register: nginx_needs_restart
|
|
|
|
# deploy basic nginx.conf 8080 vhost
|
|
- name: Setup nginx TCP/{{elk_server_ssl_cert_port}} for SSL certificate retrieval
|
|
template:
|
|
src=nginx.conf.j2
|
|
dest=/etc/nginx/nginx.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
|
|
# start nginx service
|
|
- name: Start nginx service
|
|
command: systemctl restart nginx.service
|
|
ignore_errors: true
|
|
when: nginx_needs_restart != 0
|
|
|
|
- name: Check if nginx is in use
|
|
shell: systemctl is-enabled nginx.service | egrep -qv 'masked|disabled'
|
|
register: nginx_in_use
|
|
ignore_errors: yes
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Determine if nginx is enabled
|
|
- skip_ansible_lint
|
|
|
|
- name: Set nginx to start on boot
|
|
command: systemctl enable nginx.service
|
|
ignore_errors: true
|
|
when: nginx_in_use.rc != 0
|
|
|
|
# we need TCP/80 and TCP/8080 open
|
|
# determine firewall status and take action
|
|
# 1) use firewall-cmd if firewalld is utilized
|
|
# 2) insert iptables rule if iptables is used
|
|
|
|
# Firewalld
|
|
- name: Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is active
|
|
- skip_ansible_lint
|
|
|
|
- name: Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | grep -vq inactive
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is active
|
|
- skip_ansible_lint
|
|
|
|
- name: Determine if TCP/{{nginx_kibana_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_nginx_kibana_port_exists
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall rule already exists
|
|
- skip_ansible_lint
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_nginx_kibana_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
|
|
shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_nginx_kibana_port_exists
|
|
failed_when: iptables_nginx_kibana_port_exists == 127
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall rule already exists
|
|
- skip_ansible_lint
|
|
|
|
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_nginx_kibana_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
|
|
shell: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
tags:
|
|
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
|
# No systemctl module available in current stable release (Ansible 2.1)
|
|
- skip_ansible_lint
|
|
|
|
# Firewalld
|
|
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_elk_server_ssl_port_exists
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall rule already exists
|
|
- skip_ansible_lint
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_elk_server_ssl_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
|
shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_elk_server_ssl_port_exists
|
|
failed_when: iptables_elk_server_ssl_port_exists == 127
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall rule already exists
|
|
- skip_ansible_lint
|
|
|
|
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_elk_server_ssl_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
|
shell: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
tags:
|
|
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
|
# No systemctl module available in current stable release (Ansible 2.1)
|
|
- skip_ansible_lint
|