From 37d035491b0c2fe9f7b7af4b40343ce260da99cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 14 Jan 2025 09:49:12 +0100 Subject: [PATCH 01/38] Refs #8142: Samba Server Deploy - Refactor variables to set hosts file --- roles/services/tasks/adsamba.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 7852165..1addaf2 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -55,7 +55,7 @@ path: /etc/hosts marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" block: | - {{ ip_serverad1 }} {{ name_ip_serverad1}}.{{ domain }}.{{ resolv_domain }} {{ realm }} + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} - name: Force remove smb.conf file file: From 010b01c5b7a98fbff8e522de2f60c5b5640034f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 15 Jan 2025 15:54:54 +0100 Subject: [PATCH 02/38] refs #8142: Add dynamic DNS NS and A records for Samba server deployment --- roles/services/tasks/adsamba.yml | 49 ++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 1addaf2..4a3bd80 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
@@ -97,9 +97,52 @@ enabled: yes when: domain_join.changed - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. - # Bloque de inizialización del dominio ## Hecho + # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. + # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. + # Bloque de inizialización del dominio ## Hecho. # Revisar la condicion de domain_join ## Hecho. # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. + +- name: Perform a DNS query to get the IP of google.es + command: "dig @{{ main_dns_server }} google.es +short" + register: dns_exists + +- name: Show the result of the DNS query + debug: + var: dns_exists.stdout + +- when: dns_exists + block: + + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, 'rndc.key', folder_parent_id=passbolt_folder).password }}" + + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present \ No newline at end of file From e9c6253812b5893a2e1e2fd4d2b31d2a64849df6 Mon Sep 17 00:00:00 2001 
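Review bot: `when: dns_exists` never skips the block, because a registered `command` result is a non-empty dict and is therefore always truthy, so the Passbolt lookup and both `nsupdate` calls run whether or not the `dig` against `main_dns_server` actually answered. If this is meant as a reachability guard, test the result: `when: dns_exists.rc == 0 and dns_exists.stdout | length > 0`, and give the `dig` task `changed_when: false` since it is read-only. Note also that `value: '{{ ip_serverad }}'` has no fallback, while the /etc/hosts task earlier in this file defaults to `ansible_default_ipv4.address`; a host without `ip_serverad` set passes the hosts step and then fails here on an undefined variable.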
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 15 Jan 2025 15:56:22 +0100 Subject: [PATCH 03/38] refs #8142: Reorder yml --- roles/services/tasks/adsamba.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 4a3bd80..4d1769c 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -97,12 +97,6 @@ enabled: yes when: domain_join.changed - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. - # Bloque de inizialización del dominio ## Hecho. - # Revisar la condicion de domain_join ## Hecho. - # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. - - name: Perform a DNS query to get the IP of google.es command: "dig @{{ main_dns_server }} google.es +short" register: dns_exists @@ -132,7 +126,6 @@ value: '{{ ip_serverad }}' state: present - - name: Add NS record to DNS nsupdate: key_name: '{{ key_name }}' @@ -145,4 +138,9 @@ record: '{{ realm }}.' value: '{{ name_ad }}.{{ realm }}.' state: present - \ No newline at end of file + + # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. + # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. + # Bloque de inizialización del dominio ## Hecho. + # Revisar la condicion de domain_join ## Hecho. + # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. \ No newline at end of file From 40c1e21e93685ca1abbe11bafdb68264433103d3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:50:41 +0100 Subject: [PATCH 04/38] =?UTF-8?q?refs=20#8142:=20Package=20installation=20?= =?UTF-8?q?moved=20to=20the=20beginning.=C3=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/services/tasks/adsamba.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 4d1769c..b702422 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -18,6 +18,12 @@ - name: Gather installed packages package_facts: +- name: Install adSamba packages + package: + name: "{{ dcsamba_base_packages }}" + # default_release: bookworm-backports # If we want to go 4.21 + state: latest + - name: Check if metadata.tdb exists and is not empty stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb @@ -44,12 +50,7 @@ - when: "not domain_exists" block: - - name: Install adSamba packages - package: - name: "{{ dcsamba_base_packages }}" - # default_release: bookworm-backports # If we want to go 4.21 - state: latest - + - name: Add adsamba host to hosts file blockinfile: path: /etc/hosts @@ -109,9 +110,13 @@ block: - name: Extracting variables - no_log: true + #no_log: true set_fact: - passwords: "{{ lookup(passbolt, 'rndc.key', folder_parent_id=passbolt_folder).password }}" + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: + debug: + msg: "Las variables son {{ key_name }} -- {{ passwords }} -- {{ key_algorithm }} -- {{ main_dns_server }} -- {{ resolv_domain }} -- {{ name_ad }}.{{ realm }}. -- {{ ip_serverad }}" - name: Add A record to DNS nsupdate: 
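Review bot: The third hunk comments out `no_log: true` and adds a debug task that prints `{{ passwords }}` — the TSIG key secret fetched from Passbolt — to the play output, so every run of this revision writes the DNS update key into console and CI logs. A later commit in this series restores `no_log` and drops the debug, but the key has to be treated as exposed and rotated on the DNS server. If the lookup needs debugging, print the non-secret fields only, e.g. `msg: "{{ key_name }} {{ key_algorithm }} {{ main_dns_server }} {{ name_ad }}.{{ realm }}."`, keep `no_log: true` on the `set_fact`, and give the task a name instead of the empty `- name:`.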
@@ -139,8 +144,3 @@ value: '{{ name_ad }}.{{ realm }}.' state: present - # Hay que crear un registro tipo A con el FQDN es decir el GLUE RECORD en tu DNS. Hecho. - # Luego hay que crear la delegación # update add activedirectory.verdnatura.es. 86400 NS dc1-ad.activedirectory.verdnatura.es. Hecho. - # Bloque de inizialización del dominio ## Hecho. - # Revisar la condicion de domain_join ## Hecho. - # Cuidado con la copia de KRB5, revisar si lo hace ya el samba-tool. ## Hecho. \ No newline at end of file From 375cb1c1ccfece8e1cd5fb4cacba20552d9d1676 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:53:07 +0100 Subject: [PATCH 05/38] refs #8142: Refactor hosts file moved to the beginning. --- roles/services/tasks/adsamba.yml | 34 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index b702422..9b659bb 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -14,6 +14,16 @@ # apt install ldb-tools # # samba-tool domain provision --use-rfc2307 --interactive +# +# If we want to go 4.21 +# - name: Add Debian backports repository +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present + +# - name: Update apt cache +# apt: +# update_cache: yes - name: Gather installed packages package_facts: @@ -24,6 +34,13 @@ # default_release: bookworm-backports # If we want to go 4.21 state: latest +- name: Add adsamba host to hosts file + blockinfile: + path: /etc/hosts + marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" + block: | + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} + - name: Check if metadata.tdb exists and is not empty stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb 
@@ -38,26 +55,9 @@ (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) }} -# If we want to go 4.21 -#- name: Add Debian backports repository -# apt_repository: -# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" -# state: present - -#- name: Update apt cache -# apt: -# update_cache: yes - - when: "not domain_exists" block: - - name: Add adsamba host to hosts file - blockinfile: - path: /etc/hosts - marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" - block: | - {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} - - name: Force remove smb.conf file file: path: /etc/samba/smb.conf From 40ea739925bfb61983105efb8f3e6d2b3506c08d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:54:37 +0100 Subject: [PATCH 06/38] refs #8142: Disable Samba client services and mask them goes out block slice --- roles/services/tasks/adsamba.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 9b659bb..3325e0b 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -63,15 +63,7 @@ path: /etc/samba/smb.conf state: absent force: yes - - - name: Disable Samba client services and mask them - systemd: - name: "{{ item }}" - state: stopped - enabled: no - masked: yes - loop: "{{ samba_client_services }}" - + - name: Join domain command: cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 
@@ -97,6 +89,14 @@ state: started enabled: yes when: domain_join.changed + +- name: Disable Samba client services and mask them + systemd: + name: "{{ item }}" + state: stopped + enabled: no + masked: yes + loop: "{{ samba_client_services }}" - name: Perform a DNS query to get the IP of google.es command: "dig @{{ main_dns_server }} google.es +short" From 541a71c83ae5e7c905c66f014d7fa3381585624c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:57:48 +0100 Subject: [PATCH 07/38] refs #8142: - Remove DNS query used to check if main_dns_server failed --- roles/services/tasks/adsamba.yml | 71 +++++++++++++------------------- 1 file changed, 28 insertions(+), 43 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 3325e0b..f2025df 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
@@ -98,49 +98,34 @@ masked: yes loop: "{{ samba_client_services }}" -- name: Perform a DNS query to get the IP of google.es - command: "dig @{{ main_dns_server }} google.es +short" - register: dns_exists +- name: Extracting variables + #no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" -- name: Show the result of the DNS query - debug: - var: dns_exists.stdout +- name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present -- when: dns_exists - block: - - - name: Extracting variables - #no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: - debug: - msg: "Las variables son {{ key_name }} -- {{ passwords }} -- {{ key_algorithm }} -- {{ main_dns_server }} -- {{ resolv_domain }} -- {{ name_ad }}.{{ realm }}. -- {{ ip_serverad }}" - - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' 
- state: present +- name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present From 56ed72d0a11db2ef1d9985cd11f9ad1294ae7f3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 11:59:17 +0100 Subject: [PATCH 08/38] refs #8142: - Extracting variables - no_log: yes --- roles/services/tasks/adsamba.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index f2025df..0449343 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -99,7 +99,7 @@ loop: "{{ samba_client_services }}" - name: Extracting variables - #no_log: true + no_log: true set_fact: passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" From 0283612eb40d5391676fd678c40a28b4623b191f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 14:49:22 +0100 Subject: [PATCH 09/38] refs #8142: Remove recollecting package facts and add DNS records within the block. --- roles/services/tasks/adsamba.yml | 66 +++++++++++++++----------------- 1 file changed, 31 insertions(+), 35 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 0449343..a48dbe2 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -25,9 +25,6 @@ # apt: # update_cache: yes -- name: Gather installed packages - package_facts: - - name: Install adSamba packages package: name: "{{ dcsamba_base_packages }}" 
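Review bot: Removing the `Gather installed packages` / `package_facts:` task leaves the `Register domain existence` step (outside this hunk, unchanged by this commit) still reading `ansible_facts.packages`, which only `package_facts` populates; unless another role gathers it earlier, that `set_fact` now fails with an undefined-attribute error on every run. Either keep the `package_facts` task or drop the package test from `domain_exists` in the same commit (the series does the latter one commit later, so this revision is broken on its own).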
@@ -90,6 +87,37 @@ enabled: yes when: domain_join.changed + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present + - name: Disable Samba client services and mask them systemd: name: "{{ item }}" @@ -97,35 +125,3 @@ enabled: no masked: yes loop: "{{ samba_client_services }}" - -- name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - -- name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - -- name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - From e460ddba6b40f5dc64b34ed872c513ef6a4d06b8 Mon Sep 17 00:00:00 2001 
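Review bot: The glue record name `{{ name_ad }}.{{ realm }}.` comes from a separate variable, while the DC's own entry in /etc/hosts (top of this file) is built from `ansible_facts['hostname']`, which is also the name the provision step runs under; if `name_ad` ever differs from the real hostname the A/NS delegation points at a name this DC does not answer for. Build both from the same source, e.g. `record: '{{ ansible_facts['hostname'] }}.{{ realm }}.'`. The two `nsupdate` tasks also receive `key_secret` as a plain module argument, which is printed with the task result at `-vvv`, so add `no_log: true` to each of them and not only to the `set_fact`.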
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 16 Jan 2025 16:11:25 +0100 Subject: [PATCH 10/38] refs #8142: Split tasks using the new main_ad variable --- roles/services/tasks/adsamba.yml | 101 +++++++++++++++---------------- 1 file changed, 50 insertions(+), 51 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index a48dbe2..34b6b92 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -38,21 +38,12 @@ block: | {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} -- name: Check if metadata.tdb exists and is not empty +- name: Check if metadata.tdb exists stat: path: /var/lib/samba/private/sam.ldb.d/metadata.tdb register: metadata_tdb -- name: Register domain existence - set_fact: - domain_exists: >- - {{ - ('samba-ad-provision' in ansible_facts.packages or - 'samba-ad-dc' in ansible_facts.packages) and - (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0) - }} - -- when: "not domain_exists" +- when: metadata_tdb.stat.exists is false block: - name: Force remove smb.conf file 
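Review bot: Replacing `domain_exists` with `metadata_tdb.stat.exists is false` drops the `stat.size > 0` half of the old test, so a zero-byte `metadata.tdb` left behind by an interrupted `samba-tool domain provision` now counts as "already provisioned" and the whole provisioning block is skipped without any error. Keep the size check: `when: not (metadata_tdb.stat.exists and metadata_tdb.stat.size > 0)`. The `is false` test is safe here because `stat` returns a real boolean, but the same construct on `main_ad` in the next hunk is not.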
@@ -61,14 +52,55 @@ state: absent force: yes - - name: Join domain - command: - cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 - register: domain_join + - when: main_ad is true + block: + - name: Provision domain + command: + cmd: samba-tool domain provision --realm="{{ realm }}" --domain="{{ domain }}" --dns-backend=SAMBA_INTERNAL --server-role=dc --use-rfc2307 + register: domain_join + + - name: Show the domain join output with Administrator password + debug: + msg: "{{ domain_join.stderr_lines[-6:] }}" + + - name: Extracting variables + no_log: true + set_fact: + passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - name: Show the domain join output with Administrator password - debug: - msg: "{{ domain_join.stderr_lines[-6:] }}" + - name: Add A record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: "{{ main_dns_server }}" + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'A' + record: '{{ name_ad }}.{{ realm }}.' + value: '{{ ip_serverad }}' + state: present + + - name: Add NS record to DNS + nsupdate: + key_name: '{{ key_name }}' + key_secret: '{{ passwords }}' + key_algorithm: '{{ key_algorithm }}' + server: '{{ main_dns_server }}' + zone: '{{ resolv_domain }}' + ttl: '{{ ttl }}' + type: 'NS' + record: '{{ realm }}.' + value: '{{ name_ad }}.{{ realm }}.' + state: present + + - when: main_ad is false + block: + - name: Join domain + debug: + msg: + - "metadata_tdb: {{ metadata_tdb }}" + - "main_ad: {{ main_ad }}" - name: Copy Kerberos configuration copy: 
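Review bot: The `Show the domain join output with Administrator password` task, now placed inside the `main_ad is true` block, deliberately echoes the last six stderr lines of `samba-tool domain provision` — where the generated Administrator password appears — into the play output and any log that captures it. Since the same block already fetches secrets from Passbolt, the password should flow the other way: pass `--adminpass "{{ ad_admin_password }}"` from a lookup, set `no_log: true` on the provision task and delete the debug. Separately, `when: main_ad is true` / `is false` only match a real boolean; a `main_ad: "true"` or `yes` coming from inventory or `-e` is a string and silently selects neither branch, so use `when: main_ad | bool` and `when: not (main_ad | bool)`. The enclosing block continues past the end of the hunk.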
@@ -78,45 +110,12 @@ owner: root group: root mode: '0644' - when: domain_join.changed - name: Enable and start Samba AD DC service systemd: name: samba-ad-dc state: started enabled: yes - when: domain_join.changed - - - name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - name: Disable Samba client services and mask them systemd: From bf86ac2f1664a675d976b6229daccd9ecc77c9a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 17 Jan 2025 10:35:43 +0100 Subject: [PATCH 11/38] refs #8142: - Comments to get second ad server with samba-tool --- roles/services/tasks/adsamba.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 34b6b92..9652416 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -101,6 +101,7 @@ msg: - "metadata_tdb: {{ metadata_tdb }}" - "main_ad: {{ main_ad }}" + # Hay que recoger la password de passbolt, meterla en un fichero y leerla con --password-file para por último borrarla - name: Copy Kerberos configuration copy: From 67231faaf5b2e7ef5c08955f5a2eba5c24fc6160 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 08:45:47 +0100 Subject: [PATCH 12/38] refs #8142: - Second domain --- roles/services/tasks/adsamba.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 9652416..30aff38 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -67,6 +67,10 @@ no_log: true set_fact: passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" + + - name: + debug: + msg: "{{ key_name }} {{ passwords }} {{ key_algorithm }} {{ main_dns_server }} {{ resolv_domain }} {{ ttl }} {{ name_ad }}.{{ realm }}. {{ ip_serverad }}" - name: Add A record to DNS nsupdate: @@ -97,11 +101,9 @@ - when: main_ad is false block: - name: Join domain - debug: - msg: - - "metadata_tdb: {{ metadata_tdb }}" - - "main_ad: {{ main_ad }}" - # Hay que recoger la password de passbolt, meterla en un fichero y leerla con --password-file para por último borrarla + shell: samba-tool domain join "activedirectory.lab.verdnatura.es" DC -U"ACTIVEDIRECTORY\administrator" + environment: + PASSWD: aWZ::bpl))6&r)iHd,7-8NH&-M - name: Copy Kerberos configuration copy: From 4e7cc34e15e620da14b4d6046b079b66307e8c54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 14:04:46 +0100 Subject: [PATCH 13/38] refs #8142: - Second domain final tasks --- roles/services/tasks/adsamba.yml | 86 ++++++++++++++++---------------- 1 file changed, 44 insertions(+), 42 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 30aff38..187e6dc 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
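Review bot: The new debug task prints `{{ passwords }}`, the TSIG key secret that the preceding `set_fact` hides with `no_log: true`, into the play output, which makes the `no_log` on the lookup pointless one task later. Drop `{{ passwords }}` from the message or remove the task; the next commit removes it again, but the key has been written to the log of every run of this revision and should be rotated.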
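Review bot: The `Join domain` task hard-codes the AD Administrator password in clear text (`PASSWD: aWZ::...`) together with the lab realm, so the credential is permanently in git history regardless of the follow-up commit that swaps in a Passbolt lookup; rotate that account and treat this revision as a leak. Use `command:` rather than `shell:` (nothing here needs a shell), source the value from the vault, and mark the task `no_log: true`, e.g. `environment: { PASSWD: "{{ lookup(passbolt, ad_admin_password_name, folder_parent_id=passbolt_folder).password }}" }`. The realm literal `activedirectory.lab.verdnatura.es` should likewise be `{{ realm }}` so the task works outside the lab domain.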
@@ -17,13 +17,13 @@ # # If we want to go 4.21 # - name: Add Debian backports repository -# apt_repository: -# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" -# state: present - +# apt_repository: +# repo: "deb http://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main" +# state: present +# # - name: Update apt cache -# apt: -# update_cache: yes +# apt: +# update_cache: yes - name: Install adSamba packages package: @@ -36,7 +36,7 @@ path: /etc/hosts marker: "# {mark} ANSIBLE-MANAGED SAMBA DC ENTRY" block: | - {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ resolv_domain }} {{ realm }} + {{ ip_serverad | default(ansible_default_ipv4.address) }} {{ ansible_facts['hostname'] }}.{{ domain }}.{{ host_domain }} {{ realm }} - name: Check if metadata.tdb exists stat: 
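Review bot: The /etc/hosts FQDN now uses `{{ domain }}.{{ host_domain }}`, but `realm`, written on the same line, is still defined in `defaults/main.yaml` as `{{domain}}.{{resolv_domain}}` at this point in the series, so within this commit the host entry and the realm alias can name two different domains, and the zone handed to `nsupdate` later in the file is `host_domain` as well. The defaults change lands one commit later; it belongs in this one so that each revision is self-consistent, or better, derive the hosts line from `{{ realm }}` directly.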
@@ -63,47 +63,18 @@ debug: msg: "{{ domain_join.stderr_lines[-6:] }}" + - when: main_ad is false + block: + - name: Extracting variables no_log: true set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - - name: - debug: - msg: "{{ key_name }} {{ passwords }} {{ key_algorithm }} {{ main_dns_server }} {{ resolv_domain }} {{ ttl }} {{ name_ad }}.{{ realm }}. {{ ip_serverad }}" + passwad_admin_password: "{{ lookup(passbolt, ad_admin_password_name, folder_parent_id=passbolt_folder).password }}" - - name: Add A record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: "{{ main_dns_server }}" - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'A' - record: '{{ name_ad }}.{{ realm }}.' - value: '{{ ip_serverad }}' - state: present - - - name: Add NS record to DNS - nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' - key_algorithm: '{{ key_algorithm }}' - server: '{{ main_dns_server }}' - zone: '{{ resolv_domain }}' - ttl: '{{ ttl }}' - type: 'NS' - record: '{{ realm }}.' - value: '{{ name_ad }}.{{ realm }}.' - state: present - - - when: main_ad is false - block: - name: Join domain - shell: samba-tool domain join "activedirectory.lab.verdnatura.es" DC -U"ACTIVEDIRECTORY\administrator" + shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator" environment: - PASSWD: aWZ::bpl))6&r)iHd,7-8NH&-M + PASSWD: "{{ passwad_admin_password }}" - name: Copy Kerberos configuration copy: 
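Review bot: The join task runs `samba-tool domain join` through `shell:` with the Administrator password in the `PASSWD` environment variable, but only the `set_fact` that fetches it carries `no_log: true`; give the join task `no_log: true` as well so its stdout/stderr and any verbose dump of its invocation cannot leak the credential, and use `command:` since no shell features are used. The fact name `passwad_admin_password` looks like a typo for `ad_admin_password`; fix it before other tasks start depending on it. The enclosing block continues outside the hunk.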
@@ -127,3 +98,34 @@
 enabled: no
 masked: yes
 loop: "{{ samba_client_services }}"
+
+- name: Extracting variables
+ no_log: true
+ set_fact:
+ passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}"
+
+- name: Add A record to DNS
+ nsupdate:
+ key_name: '{{ key_name }}'
+ key_secret: '{{ passwords }}'
+ key_algorithm: '{{ key_algorithm }}'
+ server: "{{ main_dns_server }}"
+ zone: '{{ host_domain }}'
+ ttl: '{{ ttl }}'
+ type: 'A'
+ record: '{{ inventory_hostname_short }}.{{ realm }}.'
+ value: '{{ ip_serverad }}'
+ state: present
+
+- name: Add NS record to DNS
+ nsupdate:
+ key_name: '{{ key_name }}'
+ key_secret: '{{ passwords }}'
+ key_algorithm: '{{ key_algorithm }}'
+ server: '{{ main_dns_server }}'
+ zone: '{{ host_domain }}'
+ ttl: '{{ ttl }}'
+ type: 'NS'
+ record: '{{ realm }}.'
+ value: '{{ inventory_hostname_short }}.{{ realm }}.'
+ state: present
From 25c7f62cc34b2fefdabd432c8e4f7db63e01487e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 20 Jan 2025 14:39:38 +0100 Subject: [PATCH 14/38] refs #8142: - Second domain - change variable resolv_domain to host_domain --- roles/services/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml
index efbbcdd..05c6778 100644
--- a/roles/services/defaults/main.yaml
+++ b/roles/services/defaults/main.yaml
@@ -1,4 +1,4 @@
-realm: "{{domain}}.{{resolv_domain}}"
+realm: "{{domain}}.{{host_domain}}"
 samba_client_services:
 - smbd
 - nmbd
From ef9c1d54e1ea3b605c5c9484caa68c7f3a777fb2 Mon Sep 17 00:00:00 2001
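Review bot: Moving the A/NS registration to the top level means it now runs on every play run and on every DC, which is acceptable for idempotent `nsupdate ... state: present`, but `value: '{{ ip_serverad }}'` still has no fallback while the /etc/hosts task at the top of this file defaults to `ansible_default_ipv4.address`; a host relying on that default passes the hosts step and fails here. Use the same expression in both places. Both `nsupdate` tasks also receive `key_secret` as a plain module argument, which is printed with the task result at `-vvv`, so add `no_log: true` to each of them and not only to the lookup.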
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 10:33:40 +0100 Subject: [PATCH 15/38] refs #8414 - modify maribackup config files and templates --- roles/services/defaults/main.yaml | 3 +- .../files/mariabackup/bacula-after.sh | 51 +++++++++++++++++ .../services/files/mariabackuptest/apply.sql | 6 ++ roles/services/tasks/mariadb.yml | 56 ++++++++++++++++++- roles/services/templates/apply.cnf | 5 ++ roles/services/templates/apply.config-test.sh | 20 +++++++ .../{files/mariabackup => templates}/my.cnf | 4 +- 7 files changed, 141 insertions(+), 4 deletions(-) create mode 100755 roles/services/files/mariabackup/bacula-after.sh create mode 100644 roles/services/files/mariabackuptest/apply.sql create mode 100644 roles/services/templates/apply.cnf create mode 100755 roles/services/templates/apply.config-test.sh rename roles/services/{files/mariabackup => templates}/my.cnf (51%) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index efbbcdd..fbf2d02 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml 
@@ -32,13 +32,14 @@ required_directories: - { path: /mnt/mysqlbin/binlog, owner: mysql, group: mysql, mode: 'u=rwx,g=,o=' } - { path: /root/scripts, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } - { path: /root/mariabackup, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } + - { path: /mnt/mysqldata/mysql, owner: mysql, group: mysql, mode: 'u=rwx,g=rx,o=rx' } required_files_and_mariabackup_files_and_root_scripts: - { src: "mariadb_override.conf", dest: "/etc/systemd/system/mariadb.service.d/override.conf", mode: "u=rw,g=r,o=r" } - { src: "mysql-flush.sh", dest: "/etc/qemu/fsfreeze-hook.d/mysql-flush.sh", mode: "u=rwx,g=rx,o=rx" } + - { src: "files/mariabackup/bacula-after.sh", dest: "/root/mariabackup/bacula-after.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/bacula-before.sh", dest: "/root/mariabackup/bacula-before.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/config.sh", dest: "/root/mariabackup/config.sh", mode: "u=rwx,g=rx,o=x" } - { src: "files/mariabackup/inc-backup.sh", dest: "/root/mariabackup/inc-backup.sh", mode: "u=rwx,g=rx,o=rx" } - - { src: "files/mariabackup/my.cnf", dest: "/root/mariabackup/my.cnf", mode: "u=rw,g=,o=" } - { src: "files/mariabackup/restore-backup.sh", dest: "/root/mariabackup/restore-backup.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/scripts/check-memory.sh", dest: "/root/scripts/check-memory.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/scripts/export-privs.sh", dest: "/root/scripts/export-privs.sh", mode: "u=rwx,g=rx,o=rx" } diff --git a/roles/services/files/mariabackup/bacula-after.sh b/roles/services/files/mariabackup/bacula-after.sh new file mode 100755 index 0000000..53e37bb --- /dev/null +++ b/roles/services/files/mariabackup/bacula-after.sh 
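Review bot: The new `/mnt/mysqldata/mysql` entry is created with `u=rwx,g=rx,o=rx`, which makes the MariaDB data directory traversable by every local account, whereas the `/mnt/mysqlbin/binlog` entry two lines above it uses `u=rwx,g=,o=`. Unless something outside this role must read it, match the binlog directory: `- { path: /mnt/mysqldata/mysql, owner: mysql, group: mysql, mode: 'u=rwx,g=,o=' }`. `bacula-after.sh`, which restores and promotes a database, likewise does not need `o=rx`.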
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+myDir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+. "$myDir/config.sh"
+. "$myDir/apply.config.sh"
+
+todayDir=$(date +%Y-%m-%d)
+pattern="$baculaDir/mnt/local-backup/${todayDir}_??-??_full.gz"
+files=($pattern)
+backupFile="${files[0]}"
+
+"$myDir/restore-backup.sh" "$backupFile"
+rm -r "$baculaDir"
+
+if [[ "${#dbClusterSiblings[@]}" -gt "0" ]]; then
+ for node in "${dbClusterSiblings[@]}"; do
+ ssh root@$node service mysql stop
+ ssh root@$node "if pgrep mariadbd; then pkill -9 mariadbd; fi"
+ done
+
+ galera_new_cluster
+else
+ service mariadb start
+fi
+
+echo "Applying custom script."
+mysql -e "UPDATE util.config SET environment = '$dbEnvironment', lastDump = NOW()"
+mysql < "$myDir/apply.sql"
+
+echo "Upgrading tables."
+mysql_upgrade
+
+echo "Applying repository changes."
+curl --silent --request POST --location --user "$jenkinsAuth" "$jenkinsUrl/build?delay=0sec"
+
+echo "Waiting for Jenkins job to end."
+jobResult=null
+while [ "$jobResult" = "null" ]; do
+ sleep 10
+ jobResult=$(curl --silent --location --user "$jenkinsAuth" "$jenkinsUrl/lastBuild/api/json" | jq --raw-output ".result")
+done
+echo "Job result: $jobResult"
+
+echo "Promoting to master."
+"/root/scripts/promote-master.sh"
+
+for node in "${dbClusterSiblings[@]}"; do
+ ssh root@$node service mysql start
+done
+
diff --git a/roles/services/files/mariabackuptest/apply.sql b/roles/services/files/mariabackuptest/apply.sql
new file mode 100644
index 0000000..b1b26d3
--- /dev/null
+++ b/roles/services/files/mariabackuptest/apply.sql
@@ -0,0 +1,6 @@
+UPDATE vn2008.tblContadores
+ SET dbproduccion = FALSE;
+
+DELETE FROM util.binlogQueue;
+
+UPDATE `account`.`user` SET `active` = TRUE WHERE `name` = 'mindshore';
diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml
index 8866ad9..e51815e 100644
--- a/roles/services/tasks/mariadb.yml
+++ b/roles/services/tasks/mariadb.yml
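Review bot: `files=($pattern)` keeps the unexpanded glob when no `*_full.gz` exists for today, so `backupFile` becomes the literal pattern and `restore-backup.sh` is invoked with a path that does not exist; `set -e` aborts afterwards, but only after that script has done whatever it does with a bad argument, so enable `nullglob` and check the file before calling it. The two `curl --user "$jenkinsAuth"` calls place the Jenkins credential on the command line, where any local user can read it from `ps` or `/proc/*/cmdline`; pass it through a curl config on stdin (`-K -`) instead, escaping `"` and `\` if the password may contain them. The poll loop also has no upper bound, so a job stuck in the Jenkins queue blocks the promotion forever, and `root@$node` should be quoted as `"root@$node"`.

```bash
shopt -s nullglob
files=($pattern)
backupFile="${files[0]:-}"
if [[ -z "$backupFile" || ! -f "$backupFile" ]]; then
    echo "No full backup found for $todayDir under $baculaDir" >&2
    exit 1
fi
# … unchanged: restore, cluster stop/start, apply.sql, mysql_upgrade …

echo "Applying repository changes."
printf 'user = "%s"\n' "$jenkinsAuth" \
    | curl --silent --request POST --location -K - "$jenkinsUrl/build?delay=0sec"

echo "Waiting for Jenkins job to end."
jobResult=null
while [ "$jobResult" = "null" ]; do
    sleep 10
    jobResult=$(printf 'user = "%s"\n' "$jenkinsAuth" \
        | curl --silent --location -K - "$jenkinsUrl/lastBuild/api/json" \
        | jq --raw-output ".result")
done
# … unchanged: job result, promote-master, sibling start …
```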
@@ -124,6 +124,60 @@ - "files/mariaconfigfiles/z90-vn.cnf" - "files/mariaconfigfiles/z92-testing.cnf" notify: restart-mariadb + + # - name: Extracting passwords + # no_log: true + # set_fact: + # jenkins_token: "{{ lookup(passbolt, jenkins_user_name, folder_parent_id=passbolt_folder).password }}" + + # - name: Debug variable + # debug: + # msg: "{{ jenkins_token }}" + + - name: Set MariaBackup custom configuration Test + template: + src: "apply.config-test.sh" + dest: /root/mariabackup/apply.config.sh + owner: root + group: root + mode: u=rw,g=r,o=r + + - name: Extracting dbusername + set_fact: + dbusername: "{{ lookup(passbolt, dbuser, folder_parent_id=passbolt_folder).username }}" + + - name: Extracting dbpassword + no_log: true + set_fact: + dbpass: "{{ lookup(passbolt, dbuser, folder_parent_id=passbolt_folder).password }}" + + - name: Extracting MariaBackup UserName + set_fact: + mariabackupusernametpl: "{{ lookup(passbolt, mariabackupusername, folder_parent_id=passbolt_folder).username }}" + + - name: Extracting MariaBackup Password + no_log: true + set_fact: + mariabackuppasstpl: "{{ lookup(passbolt, mariabackupusername, folder_parent_id=passbolt_folder).password }}" + + - name: Set MariaBackup custom template configuration Test + template: + src: "{{ item }}" + dest: /root/mariabackup/ + owner: root + group: root + mode: u=rw,g=,o= + with_items: + - "apply.cnf" + - "my.cnf" + + - name: Set MariaDB local configuration file + copy: + src: files/mariabackuptest/apply.sql + dest: /root/mariabackup/ + owner: root + group: root + mode: u=rw,g=r,o=r - name: Reminder to check mount points debug: @@ -132,7 +186,7 @@ - /mnt/mysqltmp Make sure they are correctly configured and accessible. -- name: Set MariaDB local configuration file +- name: template: src: templates/z99-local.cnf dest: /etc/mysql/mariadb.conf.d/ diff --git a/roles/services/templates/apply.cnf b/roles/services/templates/apply.cnf new file mode 100644 index 0000000..0e4ce4f --- /dev/null 
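Review bot: `apply.config-test.sh` is rendered to `/root/mariabackup/apply.config.sh` with `mode: u=rw,g=r,o=r`, yet the template added in this same commit embeds the Jenkins password in its `jenkinsAuth=` line, so the token ends up world-readable while the neighbouring `apply.cnf`/`my.cnf` task correctly uses `u=rw,g=,o=`. Change this task to `mode: u=rw,g=,o=`; the file is only sourced by `bacula-after.sh`, so it needs no execute bit either. With `no_log: true` already on the two password `set_fact`s, this file mode is the one remaining place the secret is exposed in this hunk.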
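Review bot: The task name is blanked out (`- name:` with no value), so the `z99-local.cnf` template appears in play output only as `TASK [template]`, which makes run logs hard to audit and breaks `--start-at-task`. Give it a descriptive name, e.g. `- name: Set MariaDB local configuration template (all environments)`.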
+++ b/roles/services/templates/apply.cnf @@ -0,0 +1,5 @@ +[client] +host = localhost +user = {{ dbusername }} +password = {{ dbpass }} +socket = /var/run/mysqld/mysqld.sock diff --git a/roles/services/templates/apply.config-test.sh b/roles/services/templates/apply.config-test.sh new file mode 100755 index 0000000..0eab0a8 --- /dev/null +++ b/roles/services/templates/apply.config-test.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# Bacula directory for restore +baculaDir=/mnt/mysqldata/bacula-restore + +# Database branch name +dbBranch=test + +# Database environment +dbEnvironment=test + +# MariaDB cluster sibling node hostnames +dbClusterSiblings=() + +# Jenkins authentication string +jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password }} + +# Jenkins job URL +jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-test + diff --git a/roles/services/files/mariabackup/my.cnf b/roles/services/templates/my.cnf similarity index 51% rename from roles/services/files/mariabackup/my.cnf rename to roles/services/templates/my.cnf index 14edb89..12effdb 100644 --- a/roles/services/files/mariabackup/my.cnf +++ b/roles/services/templates/my.cnf @@ -1,7 +1,7 @@ [mariabackup] host = localhost -user = {{ user_mariabackup }} -password = {{ password_user_mariabackup }} +user = {{ mariabackupusernametpl }} +password = {{ mariabackuppasstpl }} use-memory = 1G parallel = 2 stream = mbstream From edee3ac215624614653aef20d6e7d302efc94e62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 11:31:45 +0100 Subject: [PATCH 16/38] refs #8343 - Bacula_change_ca_cert_variable --- roles/debian-base/tasks/bacula.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian-base/tasks/bacula.yml b/roles/debian-base/tasks/bacula.yml index 3958dbd..8ae1525 100644 --- a/roles/debian-base/tasks/bacula.yml +++ b/roles/debian-base/tasks/bacula.yml 
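Review bot: `jenkinsAuth=jenkins:{{ lookup(...).password }}` expands the secret unquoted into a shell assignment, so a password containing whitespace, `;`, `$`, a quote or `#` either breaks the line or is reinterpreted when `bacula-after.sh` sources this file. Render it shell-safe with Ansible's quote filter: `jenkinsAuth={{ ('jenkins:' ~ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password) | quote }}`. Because the rendered file holds a live token, the task that writes it (in mariadb.yml, not in this hunk) must also keep it unreadable to group and others.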
@@ -34,7 +34,7 @@ register: bacula_config - name: Configure master cert copy: - content: "{{ master_cert_content }}" + content: "{{ ca_bacula }}" dest: /etc/bacula/master-cert.pem owner: root group: root From e84cfe3853b6a200f26b4a6e3ad60b3a22cc1337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 12:42:29 +0100 Subject: [PATCH 17/38] refs 8414-change_ca_verdnatura --- roles/services/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index fbf2d02..cd6c649 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -23,7 +23,7 @@ mariadb_requeriments: - curl - apt-transport-https certificates: - - { content: '{{ ca_mysql }}', dest: '/etc/mysql/ca.pem', mode: 'u=rw,g=r,o=r' } + - { content: '{{ ca_verdnatura_deprecated }}', dest: '/etc/mysql/ca.pem', mode: 'u=rw,g=r,o=r' } - { content: '{{ cert_mysql }}', dest: '/etc/mysql/cert.pem', mode: 'u=rw,g=r,o=r' } required_directories: - { path: /mnt/local-backup, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } From 89c18a0e6dfaf1539fd9d62c3a427c2e3cde5b97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 13:09:58 +0100 Subject: [PATCH 18/38] refs 8414-move_key_cert --- roles/services/defaults/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index cd6c649..2c20952 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml 
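Review bot: The CA written to `/etc/mysql/ca.pem` is now sourced from a variable explicitly named `ca_verdnatura_deprecated`; that file is presumably the `ssl-ca` trust anchor MariaDB verifies clients and replicas against, so pinning a deprecated CA needs a comment next to the entry saying why it is still required and when it goes away, e.g. `# deprecated CA kept until clients are reissued from the new CA (refs #8414)`. Without it, the next maintainer cannot tell whether this is a stopgap or intentional, and the "deprecated" name will invite a premature swap.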
@@ -25,6 +25,7 @@ mariadb_requeriments: certificates: - { content: '{{ ca_verdnatura_deprecated }}', dest: '/etc/mysql/ca.pem', mode: 'u=rw,g=r,o=r' } - { content: '{{ cert_mysql }}', dest: '/etc/mysql/cert.pem', mode: 'u=rw,g=r,o=r' } + - { content: '{{ cert_mysql_key }}', dest: '/etc/mysql/key.pem', mode: 'u=rw,g=,o=' } required_directories: - { path: /mnt/local-backup, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } - { path: /mnt/mysqlbin, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } From 4d70766a41f97ab532d33f221b9a22febb73227e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 14:49:49 +0100 Subject: [PATCH 19/38] refs #8414 - Refactor extract playbook variables and secrets everywhere in TV Screen --- roles/services/tasks/mariadb.yml | 65 +++++-------------- roles/services/templates/apply.cnf | 5 -- roles/services/templates/my.cnf | 4 +- .../apply.config.sh} | 0 4 files changed, 17 insertions(+), 57 deletions(-) delete mode 100644 roles/services/templates/apply.cnf rename roles/services/templates/{apply.config-test.sh => test-db/apply.config.sh} (100%) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index e51815e..486d1c3 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -62,13 +62,13 @@ command: mount -a when: fstab.changed -- name: Set MariaDB Cron to /etc/cron.d - template: - src: templates/cron_mariadb - dest: /etc/cron.d/vn - owner: root - group: root - mode: u=rw,g=r,o=r +# - name: Set MariaDB Cron to /etc/cron.d +# template: +# src: templates/cron_mariadb +# dest: /etc/cron.d/vn +# owner: root +# group: root +# mode: u=rw,g=r,o=r - name: Insert MySQL certificates copy: 
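Review bot: The private key is added to the `certificates` list with no owner, and the entries carry only `content`/`dest`/`mode`; the task that previously wrote `/etc/mysql/key.pem` (removed in the following patch of this series) set `owner: mysql`, while the owner used by the shared copy loop is not visible here. If that loop writes as root, `u=rw,g=,o=` makes the key unreadable to mysqld and TLS start-up fails; if it writes as mysql, the CA and server cert also become mysql-owned, which is harmless but worth stating. Add `owner`/`group` to each entry and have the loop use `owner: "{{ item.owner }}"`, or at least confirm the loop's owner before merging.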
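Review bot: Commenting out the `/etc/cron.d/vn` template stops managing the file but does not remove it, so hosts provisioned earlier keep running whatever that cron file schedules while fresh hosts get nothing — two fleets with different behaviour and no record of why. If the jobs are being retired, replace the commented block with a `file:` task using `path: /etc/cron.d/vn` and `state: absent`; if this is temporary, add a comment with the ticket and the condition for re-enabling it.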
@@ -80,14 +80,6 @@ loop: "{{ certificates }}" notify: restart-mariadb -- name: Configure MySQL master cert - copy: - content: "{{ lookup(passbolt, 'private_mysql', folder_parent_id=passbolt_folder).description }}" - dest: /etc/mysql/key.pem - owner: mysql - group: mysql - mode: u=rw,g=,o= - - when: production is true block: - name: Set MariaDB custom configuration Production @@ -125,41 +117,14 @@ - "files/mariaconfigfiles/z92-testing.cnf" notify: restart-mariadb - # - name: Extracting passwords - # no_log: true - # set_fact: - # jenkins_token: "{{ lookup(passbolt, jenkins_user_name, folder_parent_id=passbolt_folder).password }}" - - # - name: Debug variable - # debug: - # msg: "{{ jenkins_token }}" - - - name: Set MariaBackup custom configuration Test - template: - src: "apply.config-test.sh" - dest: /root/mariabackup/apply.config.sh - owner: root - group: root - mode: u=rw,g=r,o=r + # - name: Set MariaBackup custom configuration Test + # template: + # src: "apply.config-test.sh" + # dest: /root/mariabackup/apply.config.sh + # owner: root + # group: root + # mode: u=rw,g=r,o=r - - name: Extracting dbusername - set_fact: - dbusername: "{{ lookup(passbolt, dbuser, folder_parent_id=passbolt_folder).username }}" - - - name: Extracting dbpassword - no_log: true - set_fact: - dbpass: "{{ lookup(passbolt, dbuser, folder_parent_id=passbolt_folder).password }}" - - - name: Extracting MariaBackup UserName - set_fact: - mariabackupusernametpl: "{{ lookup(passbolt, mariabackupusername, folder_parent_id=passbolt_folder).username }}" - - - name: Extracting MariaBackup Password - no_log: true - set_fact: - mariabackuppasstpl: "{{ lookup(passbolt, mariabackupusername, folder_parent_id=passbolt_folder).password }}" - - name: Set MariaBackup custom template configuration Test template: src: "{{ item }}" @@ -168,7 +133,7 @@ group: root mode: u=rw,g=,o= with_items: - - "apply.cnf" + - "test-db/apply.config.sh" - "my.cnf" - name: Set MariaDB local configuration file 
diff --git a/roles/services/templates/apply.cnf b/roles/services/templates/apply.cnf deleted file mode 100644 index 0e4ce4f..0000000 --- a/roles/services/templates/apply.cnf +++ /dev/null @@ -1,5 +0,0 @@ -[client] -host = localhost -user = {{ dbusername }} -password = {{ dbpass }} -socket = /var/run/mysqld/mysqld.sock diff --git a/roles/services/templates/my.cnf b/roles/services/templates/my.cnf index 12effdb..b1b4ac9 100644 --- a/roles/services/templates/my.cnf +++ b/roles/services/templates/my.cnf @@ -1,7 +1,7 @@ [mariabackup] host = localhost -user = {{ mariabackupusernametpl }} -password = {{ mariabackuppasstpl }} +user = mariabackup +password = {{ lookup(passbolt, 'mariabackup', folder_parent_id=passbolt_folder).password }} use-memory = 1G parallel = 2 stream = mbstream diff --git a/roles/services/templates/apply.config-test.sh b/roles/services/templates/test-db/apply.config.sh similarity index 100% rename from roles/services/templates/apply.config-test.sh rename to roles/services/templates/test-db/apply.config.sh From 654b263523dc398562ef742778bcebd8b5935cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 24 Jan 2025 15:47:01 +0100 Subject: [PATCH 20/38] refs #8142 Simplify the way to extract passwords and variables and secrets --- roles/services/tasks/adsamba.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 187e6dc..75e95d3 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml 
@@ -66,15 +66,10 @@ - when: main_ad is false block: - - name: Extracting variables - no_log: true - set_fact: - passwad_admin_password: "{{ lookup(passbolt, ad_admin_password_name, folder_parent_id=passbolt_folder).password }}" - - name: Join domain shell: samba-tool domain join "{{ realm }}" DC -U"{{ domain | upper }}\administrator" environment: - PASSWD: "{{ passwad_admin_password }}" + PASSWD: "{{ lookup(passbolt, 'ad_admin_password', folder_parent_id=passbolt_folder).password }}" - name: Copy Kerberos configuration copy: From b0911c4b5e6e7420770502d01a81b8544ea436af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 27 Jan 2025 09:03:52 +0100 Subject: [PATCH 21/38] refs 8414-change ca_verdnatura_deprecated variable --- roles/services/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index 2c20952..8784d55 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -23,7 +23,7 @@ mariadb_requeriments: - curl - apt-transport-https certificates: - - { content: '{{ ca_verdnatura_deprecated }}', dest: '/etc/mysql/ca.pem', mode: 'u=rw,g=r,o=r' } + - { content: '{{ ca_company_deprecated }}', dest: '/etc/mysql/ca.pem', mode: 'u=rw,g=r,o=r' } - { content: '{{ cert_mysql }}', dest: '/etc/mysql/cert.pem', mode: 'u=rw,g=r,o=r' } - { content: '{{ cert_mysql_key }}', dest: '/etc/mysql/key.pem', mode: 'u=rw,g=,o=' } required_directories: From 610d17b51da42c1c74cd74c5d483cfb6f8f80789 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 27 Jan 2025 11:46:15 +0100 Subject: [PATCH 22/38] refs 8414-Refactor --- roles/services/tasks/mariadb.yml | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 486d1c3..3513f54 100644 --- a/roles/services/tasks/mariadb.yml 
+++ b/roles/services/tasks/mariadb.yml @@ -117,26 +117,15 @@ - "files/mariaconfigfiles/z92-testing.cnf" notify: restart-mariadb - # - name: Set MariaBackup custom configuration Test - # template: - # src: "apply.config-test.sh" - # dest: /root/mariabackup/apply.config.sh - # owner: root - # group: root - # mode: u=rw,g=r,o=r - - name: Set MariaBackup custom template configuration Test template: - src: "{{ item }}" + src: test-db/apply.config.sh dest: /root/mariabackup/ owner: root group: root mode: u=rw,g=,o= - with_items: - - "test-db/apply.config.sh" - - "my.cnf" - - name: Set MariaDB local configuration file + - name: Set MariaDB local configuration file for test-db copy: src: files/mariabackuptest/apply.sql dest: /root/mariabackup/ @@ -153,8 +142,16 @@ - name: template: - src: templates/z99-local.cnf + src: z99-local.cnf dest: /etc/mysql/mariadb.conf.d/ owner: root group: root - mode: u=rw,g=r,o=r \ No newline at end of file + mode: u=rw,g=r,o=r + +- name: Set MariaBackup custom template configuration Test + template: + src: "my.cnf" + dest: /root/mariabackup/ + owner: root + group: root + mode: u=rw,g=,o= From cb7b75392c4761d67b150ffae9d8f811ce7df166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 27 Jan 2025 13:47:27 +0100 Subject: [PATCH 23/38] refs #8414 - Minor changes in description and paths --- roles/services/tasks/mariadb.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 3513f54..d4861bb 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -90,8 +90,8 @@ group: root mode: u=rw,g=r,o=r with_items: - - "files/mariaconfigfiles/z90-vn.cnf" - - "files/mariaconfigfiles/z95-production" + - "mariaconfigfiles/z90-vn.cnf" + - "mariaconfigfiles/z95-production.cnf" notify: restart-mariadb - name: Reminder to check mount points 
@@ -133,7 +133,7 @@ group: root mode: u=rw,g=r,o=r - - name: Reminder to check mount points + - name: Reminder to check mount points environment test debug: msg: | Remember to check the following mount points: From 7ec9b463eee1e9c024dcecd799929c0e5f446706 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Mon, 27 Jan 2025 14:22:46 +0100 Subject: [PATCH 24/38] refs #8414 - Minor changes in description Name --- roles/services/tasks/mariadb.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index d4861bb..1e6b3ea 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -140,7 +140,7 @@ - /mnt/mysqltmp Make sure they are correctly configured and accessible. -- name: +- name: Set Custom Configuration local template template: src: z99-local.cnf dest: /etc/mysql/mariadb.conf.d/ From 315280665ac6b183c9a4712075e2099b9b9a5ef6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 28 Jan 2025 11:17:39 +0100 Subject: [PATCH 25/38] =?UTF-8?q?refs=20#8414=20-=20Add=20No=20Log=20=3D?= =?UTF-8?q?=20true=20to=20don=C2=B4t=20see=20private=20certificates=20in?= =?UTF-8?q?=20stdout?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/services/tasks/mariadb.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 1e6b3ea..7c2c430 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -71,6 +71,7 @@ # mode: u=rw,g=r,o=r - name: Insert MySQL certificates + no_log: true copy: content: "{{ item.content }}" dest: "{{ item.dest }}" From e95b64e96f27758f197f3cba0ad436f79c66f007 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 28 Jan 2025 12:15:42 +0100 Subject: [PATCH 26/38] refs #8414 - Better define in Name sections to know environment --- roles/services/tasks/mariadb.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 7c2c430..41d6aef 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -106,7 +106,7 @@ - when: testdb is true block: - - name: Set MariaDB custom configuration Test + - name: Set MariaDB custom configuration Test-DB copy: src: "{{ item }}" dest: /etc/mysql/mariadb.conf.d/ @@ -118,7 +118,7 @@ - "files/mariaconfigfiles/z92-testing.cnf" notify: restart-mariadb - - name: Set MariaBackup custom template configuration Test + - name: Set MariaBackup custom template configuration Test-DB template: src: test-db/apply.config.sh dest: /root/mariabackup/ @@ -126,7 +126,7 @@ group: root mode: u=rw,g=,o= - - name: Set MariaDB local configuration file for test-db + - name: Set MariaDB local configuration file for Test-DB copy: src: files/mariabackuptest/apply.sql dest: /root/mariabackup/ @@ -134,14 +134,14 @@ group: root mode: u=rw,g=r,o=r - - name: Reminder to check mount points environment test + - name: Reminder to check mount points environment Test-DB debug: msg: | Remember to check the following mount points: - /mnt/mysqltmp Make sure they are correctly configured and accessible. -- name: Set Custom Configuration local template +- name: Set Custom Configuration local template all Environment template: src: z99-local.cnf dest: /etc/mysql/mariadb.conf.d/ @@ -149,7 +149,7 @@ group: root mode: u=rw,g=r,o=r -- name: Set MariaBackup custom template configuration Test +- name: Set MariaBackup custom template configuration all Environment template: src: "my.cnf" dest: /root/mariabackup/ From 813c404b197b9a338008954a660957da8d87ebda Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 28 Jan 2025 14:23:00 +0100 Subject: [PATCH 27/38] refs #8414 - Add dev environment --- .../{mariabackuptest => mariabackuptest_dev}/apply.sql | 0 .../{mariabackup => mariabackuptest_dev}/bacula-after.sh | 0 .../{z92-testing.cnf => z92-testing_dev.cnf} | 0 roles/services/tasks/mariadb.yml | 9 +++++---- .../templates/{test-db => test-db_dev}/apply.config.sh | 6 +++--- 5 files changed, 8 insertions(+), 7 deletions(-) rename roles/services/files/{mariabackuptest => mariabackuptest_dev}/apply.sql (100%) rename roles/services/files/{mariabackup => mariabackuptest_dev}/bacula-after.sh (100%) rename roles/services/files/mariaconfigfiles/{z92-testing.cnf => z92-testing_dev.cnf} (100%) rename roles/services/templates/{test-db => test-db_dev}/apply.config.sh (82%) diff --git a/roles/services/files/mariabackuptest/apply.sql b/roles/services/files/mariabackuptest_dev/apply.sql similarity index 100% rename from roles/services/files/mariabackuptest/apply.sql rename to roles/services/files/mariabackuptest_dev/apply.sql diff --git a/roles/services/files/mariabackup/bacula-after.sh b/roles/services/files/mariabackuptest_dev/bacula-after.sh similarity index 100% rename from roles/services/files/mariabackup/bacula-after.sh rename to roles/services/files/mariabackuptest_dev/bacula-after.sh diff --git a/roles/services/files/mariaconfigfiles/z92-testing.cnf b/roles/services/files/mariaconfigfiles/z92-testing_dev.cnf similarity index 100% rename from roles/services/files/mariaconfigfiles/z92-testing.cnf rename to roles/services/files/mariaconfigfiles/z92-testing_dev.cnf diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 41d6aef..225140c 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml 
@@ -104,7 +104,8 @@ - /mnt/local-backup Make sure they are correctly configured and accessible. -- when: testdb is true +- when: testdb is true or dev is true + block: - name: Set MariaDB custom configuration Test-DB copy: @@ -115,12 +116,12 @@ mode: u=rw,g=r,o=r with_items: - "files/mariaconfigfiles/z90-vn.cnf" - - "files/mariaconfigfiles/z92-testing.cnf" + - "files/mariaconfigfiles/z92-testing_dev.cnf" notify: restart-mariadb - name: Set MariaBackup custom template configuration Test-DB template: - src: test-db/apply.config.sh + src: test-db_dev/apply.config.sh dest: /root/mariabackup/ owner: root group: root @@ -128,7 +129,7 @@ - name: Set MariaDB local configuration file for Test-DB copy: - src: files/mariabackuptest/apply.sql + src: files/mariabackuptest_dev/apply.sql dest: /root/mariabackup/ owner: root group: root diff --git a/roles/services/templates/test-db/apply.config.sh b/roles/services/templates/test-db_dev/apply.config.sh similarity index 82% rename from roles/services/templates/test-db/apply.config.sh rename to roles/services/templates/test-db_dev/apply.config.sh index 0eab0a8..f8cb310 100755 --- a/roles/services/templates/test-db/apply.config.sh +++ b/roles/services/templates/test-db_dev/apply.config.sh @@ -4,10 +4,10 @@ baculaDir=/mnt/mysqldata/bacula-restore # Database branch name -dbBranch=test +dbBranch={{ environment }} # Database environment -dbEnvironment=test +dbEnvironment={{ environment }} # MariaDB cluster sibling node hostnames dbClusterSiblings=() @@ -16,5 +16,5 @@ dbClusterSiblings=() jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password }} # Jenkins job URL -jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-test +jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ environment }} From 994447329c108cc0b0b21e29dc77e7171a863842 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Tue, 28 Jan 2025 15:52:29 +0100 Subject: [PATCH 28/38] refs #8414 - Refactor paths --- roles/services/defaults/main.yaml | 4 +++- roles/services/tasks/mariadb.yml | 12 ++++++------ roles/services/templates/test-db_dev/apply.config.sh | 6 +++--- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index 8784d55..0eaff75 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -34,10 +34,12 @@ required_directories: - { path: /root/scripts, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } - { path: /root/mariabackup, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } - { path: /mnt/mysqldata/mysql, owner: mysql, group: mysql, mode: 'u=rwx,g=rx,o=rx' } + - { path: /etc/systemd/system/mariadb.service.d, owner: root, group: root, mode: 'u=rwx,g=rx,o=rx' } + required_files_and_mariabackup_files_and_root_scripts: - { src: "mariadb_override.conf", dest: "/etc/systemd/system/mariadb.service.d/override.conf", mode: "u=rw,g=r,o=r" } - { src: "mysql-flush.sh", dest: "/etc/qemu/fsfreeze-hook.d/mysql-flush.sh", mode: "u=rwx,g=rx,o=rx" } - - { src: "files/mariabackup/bacula-after.sh", dest: "/root/mariabackup/bacula-after.sh", mode: "u=rwx,g=rx,o=rx" } + - { src: "files/mariabackuptest_dev/bacula-after.sh", dest: "/root/mariabackup/bacula-after.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/bacula-before.sh", dest: "/root/mariabackup/bacula-before.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/config.sh", dest: "/root/mariabackup/config.sh", mode: "u=rwx,g=rx,o=x" } - { src: "files/mariabackup/inc-backup.sh", dest: "/root/mariabackup/inc-backup.sh", mode: "u=rwx,g=rx,o=rx" } diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 225140c..b831a5c 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml 
@@ -71,7 +71,7 @@ # mode: u=rw,g=r,o=r - name: Insert MySQL certificates - no_log: true + #no_log: true copy: content: "{{ item.content }}" dest: "{{ item.dest }}" @@ -104,10 +104,10 @@ - /mnt/local-backup Make sure they are correctly configured and accessible. -- when: testdb is true or dev is true +- when: production is false block: - - name: Set MariaDB custom configuration Test-DB + - name: Set MariaDB custom configuration Test-DB-DEV copy: src: "{{ item }}" dest: /etc/mysql/mariadb.conf.d/ @@ -119,7 +119,7 @@ - "files/mariaconfigfiles/z92-testing_dev.cnf" notify: restart-mariadb - - name: Set MariaBackup custom template configuration Test-DB + - name: Set MariaBackup custom template configuration Test-DB-DEV template: src: test-db_dev/apply.config.sh dest: /root/mariabackup/ @@ -127,7 +127,7 @@ group: root mode: u=rw,g=,o= - - name: Set MariaDB local configuration file for Test-DB + - name: Set MariaDB local configuration file for Test-DB-DEV copy: src: files/mariabackuptest_dev/apply.sql dest: /root/mariabackup/ @@ -135,7 +135,7 @@ group: root mode: u=rw,g=r,o=r - - name: Reminder to check mount points environment Test-DB + - name: Reminder to check mount points environment Test-DB-DEV debug: msg: | Remember to check the following mount points: diff --git a/roles/services/templates/test-db_dev/apply.config.sh b/roles/services/templates/test-db_dev/apply.config.sh index f8cb310..8ac2677 100755 --- a/roles/services/templates/test-db_dev/apply.config.sh +++ b/roles/services/templates/test-db_dev/apply.config.sh @@ -4,10 +4,10 @@ baculaDir=/mnt/mysqldata/bacula-restore # Database branch name -dbBranch={{ environment }} +dbBranch={{ entorno }} # Database environment -dbEnvironment={{ environment }} +dbEnvironment={{ entorno }} # MariaDB cluster sibling node hostnames dbClusterSiblings=() 
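Review bot: Commenting out `no_log: true` on the certificate copy loop means `cert_mysql_key` — the server's private key — is printed in the task's item output whenever the play runs with `-v` or `--diff`, and lands in any CI/AWX job log retained for this revision. Even though the next commit restores the flag, any run of this revision should be treated as having logged the key, and the key rotated if such logs exist. If the goal was to see which file changed, `loop_control: label: "{{ item.dest }}"` limits what the item line prints, but `-vvv` invocation output and `--diff` still reveal the content, so it is not a substitute for `no_log`.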
@@ -16,5 +16,5 @@ dbClusterSiblings=() jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password }} # Jenkins job URL -jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ environment }} +jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ entorno }} From d1ec1bc57be7844b10d6b6c10a70d075c1c621a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 09:51:30 +0100 Subject: [PATCH 29/38] =?UTF-8?q?refs=20#8414=20-=20Rsync=20to=20dont?= =?UTF-8?q?=C2=B4t=20fail=20at=20the=20end?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/services/tasks/mariadb.yml | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index b831a5c..a10f5ea 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -71,7 +71,7 @@ # mode: u=rw,g=r,o=r - name: Insert MySQL certificates - #no_log: true + no_log: true copy: content: "{{ item.content }}" dest: "{{ item.dest }}" @@ -104,7 +104,7 @@ - /mnt/local-backup Make sure they are correctly configured and accessible. -- when: production is false +- when: production is false or production is not defined block: - name: Set MariaDB custom configuration Test-DB-DEV @@ -157,3 +157,26 @@ owner: root group: root mode: u=rw,g=,o= + +- name: Check if /var/lib/mysql/ exists + stat: + path: /var/lib/mysql/ + register: mysql_dir + + +- when: mysql_dir.stat.exists + block: + + - name: Sync MySQL data directory + synchronize: + src: /var/lib/mysql/ + dest: /mnt/mysqldata/mysql/ + archive: true + compress: true + recursive: true + delegate_to: "{{ inventory_hostname }}" + + - name: Remove old MySQL data after sync + file: + path: /var/lib/mysql/ + state: absent From fe27a4b2e6a3f1c8af21ce0a0c566e674aec41ec Mon Sep 17 00:00:00 2001 
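Review bot: `production is false or production is not defined` evaluates the `is false` test on a possibly undefined variable before the `is not defined` guard, so it relies on Ansible's undefined object tolerating that test rather than raising, and the ordering reads backwards to anyone editing the condition later. The same intent is expressed safely in one step as `when: not (production | default(false) | bool)`, which also handles the string values `"no"`/`"false"` that extra-vars commonly produce.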
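Review bot: The data directory is rsync'ed from `/var/lib/mysql/` and then deleted without any task in the block stopping MariaDB first; the only service handling visible in this role is `notify: restart-mariadb`, which fires at the end of the play, so if mysqld is running the copy can capture InnoDB files mid-write and the `state: absent` then removes the directory the live server still has open. `mysql_dir.stat.exists` is also true for a leftover regular file or symlink, and `archive` without `delete` merges into whatever a previous failed run left in `/mnt/mysqldata/mysql/` rather than replacing it. Suggest stopping the service inside the block, gating on `isdir`, and moving the old directory aside instead of deleting it until the server has started from the new path:

```yaml
- when: mysql_dir.stat.exists and mysql_dir.stat.isdir
  block:
    - name: Stop MariaDB before relocating the data directory
      service:
        name: mariadb
        state: stopped

    # … unchanged: synchronize /var/lib/mysql/ -> /mnt/mysqldata/mysql/ …

    - name: Keep the old data directory until the new datadir is verified
      command:
        cmd: mv /var/lib/mysql /var/lib/mysql.migrated
        creates: /var/lib/mysql.migrated
```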
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 10:24:14 +0100 Subject: [PATCH 30/38] refs #8414 - adjust bacula-after.sh only in non production --- roles/services/defaults/main.yaml | 3 +-- roles/services/tasks/mariadb.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index 0eaff75..9e977f2 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -38,8 +38,7 @@ required_directories: required_files_and_mariabackup_files_and_root_scripts: - { src: "mariadb_override.conf", dest: "/etc/systemd/system/mariadb.service.d/override.conf", mode: "u=rw,g=r,o=r" } - - { src: "mysql-flush.sh", dest: "/etc/qemu/fsfreeze-hook.d/mysql-flush.sh", mode: "u=rwx,g=rx,o=rx" } - - { src: "files/mariabackuptest_dev/bacula-after.sh", dest: "/root/mariabackup/bacula-after.sh", mode: "u=rwx,g=rx,o=rx" } + - { src: "mysql-flush.sh", dest: "/etc/qemu/fsfreeze-hook.d/mysql-flush.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/bacula-before.sh", dest: "/root/mariabackup/bacula-before.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/mariabackup/config.sh", dest: "/root/mariabackup/config.sh", mode: "u=rwx,g=rx,o=x" } - { src: "files/mariabackup/inc-backup.sh", dest: "/root/mariabackup/inc-backup.sh", mode: "u=rwx,g=rx,o=rx" } diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index a10f5ea..80c5f3f 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -129,7 +129,7 @@ - name: Set MariaDB local configuration file for Test-DB-DEV copy: - src: files/mariabackuptest_dev/apply.sql + src: files/mariabackuptest_dev/* dest: /root/mariabackup/ owner: root group: root From 73a32dd8e6b399b3a0012c35080575955124373f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 11:14:10 +0100 Subject: [PATCH 31/38] refs #8414 - minnor changes --- roles/services/handlers/main.yml | 2 +- roles/services/tasks/mariadb.yml | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/services/handlers/main.yml b/roles/services/handlers/main.yml index 77780d8..aa291cc 100644 --- a/roles/services/handlers/main.yml +++ b/roles/services/handlers/main.yml @@ -2,7 +2,7 @@ systemd: name: chrony state: restarted -- name: reload systemd +- name: reload-systemd command: cmd: systemctl daemon-reload - name: restart-mariadb diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 80c5f3f..35b97c6 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -48,7 +48,7 @@ group: root mode: "{{ item.mode }}" loop: "{{ required_files_and_mariabackup_files_and_root_scripts }}" - notify: reload systemd + notify: reload-systemd - name: Add tmpfs in /etc/fstab blockinfile: @@ -129,11 +129,14 @@ - name: Set MariaDB local configuration file for Test-DB-DEV copy: - src: files/mariabackuptest_dev/* + src: "{{ item }}" dest: /root/mariabackup/ owner: root group: root mode: u=rw,g=r,o=r + with_items: + - "mariabackuptest_dev/apply.sql" + - "mariabackuptest_dev/bacula-after.sh" - name: Reminder to check mount points environment Test-DB-DEV debug: From f2b6f9a40464db059b462dca6ff9d488d4e3b9d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 12:34:35 +0100 Subject: [PATCH 32/38] refs #8434 - Approach change: Register the copied file and reboot if it does not exist --- roles/pve/handlers/main.yml | 5 +---- roles/pve/tasks/vhost.yml | 8 +++++++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/roles/pve/handlers/main.yml b/roles/pve/handlers/main.yml index c096c8e..1cbeed2 100644 --- a/roles/pve/handlers/main.yml +++ b/roles/pve/handlers/main.yml 
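Review bot: `bacula-after.sh` is now installed through the same `copy` task as `apply.sql`, so it receives `mode: u=rw,g=r,o=r` and loses the execute bit it had in `required_files_and_mariabackup_files_and_root_scripts` (`u=rwx,g=rx,o=rx`); whatever invokes `/root/mariabackup/bacula-after.sh` directly will now fail with "Permission denied". Either give the script its own task with `mode: u=rwx,g=rx,o=rx`, or loop over dicts and use `mode: "{{ item.mode }}"`. The SQL file needs no execute bit, so one shared mode cannot fit both files.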
@@ -2,7 +2,4 @@ service: name: nagios-nrpe-server state: restarted -- name: restart-sysctl - service: - name: systemd-sysctl - state: restarted + diff --git a/roles/pve/tasks/vhost.yml b/roles/pve/tasks/vhost.yml index 81bc001..77c25b5 100644 --- a/roles/pve/tasks/vhost.yml +++ b/roles/pve/tasks/vhost.yml @@ -5,4 +5,10 @@ mode: u=rw,g=r,o=r owner: root group: root - notify: restart-sysctl + register: copy_result + +- name: Reboot the system if file was copied + reboot: + reboot_timeout: 600 + become: true + when: copy_result.changed \ No newline at end of file From 892f3c61e2178e420a0945f85450e47e7332740d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 14:13:57 +0100 Subject: [PATCH 33/38] refs #8142 - Refactor the method for retrieving the RNDC key --- roles/services/tasks/adsamba.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/roles/services/tasks/adsamba.yml b/roles/services/tasks/adsamba.yml index 75e95d3..0fae7b3 100644 --- a/roles/services/tasks/adsamba.yml +++ b/roles/services/tasks/adsamba.yml @@ -94,15 +94,10 @@ masked: yes loop: "{{ samba_client_services }}" -- name: Extracting variables - no_log: true - set_fact: - passwords: "{{ lookup(passbolt, key_name, folder_parent_id=passbolt_folder).password }}" - - name: Add A record to DNS nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" key_algorithm: '{{ key_algorithm }}' server: "{{ main_dns_server }}" zone: '{{ host_domain }}' @@ -114,8 +109,8 @@ - name: Add NS record to DNS nsupdate: - key_name: '{{ key_name }}' - key_secret: '{{ passwords }}' + key_name: 'rndc-key' + key_secret: "{{ lookup(passbolt, 'rndc-key', folder_parent_id=passbolt_folder).password }}" key_algorithm: '{{ key_algorithm }}' server: '{{ main_dns_server }}' zone: '{{ host_domain }}' 
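Review bot: The reboot added in the @@ -5,4 +5,10 hunk of vhost.yml fires on `copy_result.changed`, which is true whenever the file content differs, not only when the file "does not exist" as the commit message says; every later edit to that file will reboot the PVE host and take all its guests down with it. The `restart-sysctl` handler removed in the same commit (or `sysctl --system`) applies sysctl changes without a reboot, so keep a handler for the steady state and reserve the reboot for first deployment or put it behind an explicit opt-in, e.g. `when: copy_result.changed and (pve_allow_reboot | default(false))`. `become: true` on the task is redundant if the play already escalates and harmless otherwise. The copy task this registers starts before the hunk.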
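Review bot: The two `nsupdate` tasks in the @@ -94,15 +94,10 and @@ -114,8 +109,8 hunks of adsamba.yml now take the RNDC secret straight from the Passbolt lookup, but the `no_log: true` that covered the removed `set_fact` task was not carried over; with `-v` or on a module failure Ansible prints the task arguments, so `key_secret` would land in console output and any log shipping. Add `no_log: true` to both `nsupdate` tasks. The lookup is now also evaluated twice (one Passbolt round-trip per task), and `key_name` is hard-coded to `'rndc-key'` while `key_algorithm` still comes from a variable; a single `no_log` `set_fact` as before, or a variable for the name alongside the algorithm, keeps the key definition in one place.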
From 335dbfa3a47fe7672709324137e8621866d34739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 15:51:49 +0100 Subject: [PATCH 34/38] refs #8142 - Minor changes - Check differences in files --- roles/services/defaults/main.yaml | 3 +-- roles/services/files/scripts/sync-conf.sh | 21 ------------------- roles/services/tasks/mariadb.yml | 2 +- .../templates/test-db_dev/apply.config.sh | 6 +++--- 4 files changed, 5 insertions(+), 27 deletions(-) delete mode 100755 roles/services/files/scripts/sync-conf.sh diff --git a/roles/services/defaults/main.yaml b/roles/services/defaults/main.yaml index 9e977f2..77fbac6 100644 --- a/roles/services/defaults/main.yaml +++ b/roles/services/defaults/main.yaml @@ -49,8 +49,7 @@ required_files_and_mariabackup_files_and_root_scripts: - { src: "files/scripts/promote-master.sh", dest: "/root/scripts/promote-master.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/scripts/promote-slave.sh", dest: "/root/scripts/promote-slave.sh", mode: "u=rwx,g=rx,o=rx" } - { src: "files/scripts/README.md", dest: "/root/scripts/README.md", mode: "u=rw,g=r,o=r" } - - { src: "files/scripts/scheduler-log.sh", dest: "/root/scripts/scheduler-log.sh", mode: "u=rwx,g=rx,o=rx" } - - { src: "files/scripts/sync-conf.sh", dest: "/root/scripts/sync-conf.sh", mode: "u=rwx,g=rx,o=rx" } + - { src: "files/scripts/scheduler-log.sh", dest: "/root/scripts/scheduler-log.sh", mode: "u=rwx,g=rx,o=rx" } downloads: - { url: "https://r.mariadb.com/downloads/mariadb_repo_setup", dest: "/tmp/mariadb_repo_setup", mode: "u=rwx,g=rx,o=rx" } - { url: "https://repo.percona.com/apt/percona-release_latest.generic_all.deb", dest: "/tmp/percona-release_latest.generic_all.deb", mode: "u=rw,g=r,o=r" } diff --git a/roles/services/files/scripts/sync-conf.sh b/roles/services/files/scripts/sync-conf.sh deleted file mode 100755 index 3597234..0000000 --- a/roles/services/files/scripts/sync-conf.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -partner=root@db2.static.verdnatura.es -confDir=/etc/mysql/mariadb.conf.d -files=( - z90-vn.cnf - z95-production.cnf -) - -#echo "Reloading service." -#service mariadb reload - -if [ $? -eq "0" ]; then - echo "Synchronizing partner configuration." - for file in "${files[@]}"; do - scp "$confDir/$file" $partner:$confDir - done - - #echo "Reloading partner service." - #ssh $partner service mariadb reload -fi diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 35b97c6..5049a1d 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -55,7 +55,7 @@ path: /etc/fstab marker: "# {mark} ANSIBLE-MANAGED TMPFS ENTRY" block: | - tmpfs /mnt/mysqltmp tmpfs rw,size=6144M 0 0 + tmpfs /mnt/mysqltmp tmpfs rw,size={{ mysqltmpsize }} 0 0 register: fstab - name: Mount all filesystems from /etc/fstab diff --git a/roles/services/templates/test-db_dev/apply.config.sh b/roles/services/templates/test-db_dev/apply.config.sh index 8ac2677..6894c3f 100755 --- a/roles/services/templates/test-db_dev/apply.config.sh +++ b/roles/services/templates/test-db_dev/apply.config.sh @@ -4,10 +4,10 @@ baculaDir=/mnt/mysqldata/bacula-restore # Database branch name -dbBranch={{ entorno }} +dbBranch={{ dbBranch }} # Database environment -dbEnvironment={{ entorno }} +dbEnvironment={{ dbEnvironment }} # MariaDB cluster sibling node hostnames dbClusterSiblings=() @@ -16,5 +16,5 @@ dbClusterSiblings=() jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password }} # Jenkins job URL -jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ entorno }} +jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ dbBranch }} From 0d5a6d96ca380293a86fc61a94fa6421c1cefced Mon Sep 17 00:00:00 2001 
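Review bot: The tmpfs line in the @@ -55,7 +55,7 hunk of mariadb.yml mounts `/mnt/mysqltmp` with only `rw,size=…`, so the database scratch area is mounted setuid- and device-capable; a MariaDB tmpdir needs neither, and `tmpfs /mnt/mysqltmp tmpfs rw,nosuid,nodev,size={{ mysqltmpsize }} 0 0` removes them at no cost (`noexec` as well if nothing on the host relies on executing from it). `mysqltmpsize` replaces the previous hard-coded `6144M` but no default for it appears in this series, so hosts that do not set it will fail the task with an undefined variable; `{{ mysqltmpsize | default('6144M') }}` would preserve the old behaviour. The `blockinfile` task starts before the hunk.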
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Wed, 29 Jan 2025 15:57:20 +0100 Subject: [PATCH 35/38] refs #8142 - Uncomment cron --- roles/services/tasks/mariadb.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 5049a1d..398d6b1 100644 --- a/roles/services/tasks/mariadb.yml +++ b/roles/services/tasks/mariadb.yml @@ -62,13 +62,13 @@ command: mount -a when: fstab.changed -# - name: Set MariaDB Cron to /etc/cron.d -# template: -# src: templates/cron_mariadb -# dest: /etc/cron.d/vn -# owner: root -# group: root -# mode: u=rw,g=r,o=r +- name: Set MariaDB Cron to /etc/cron.d + template: + src: templates/cron_mariadb + dest: /etc/cron.d/vn + owner: root + group: root + mode: u=rw,g=r,o=r - name: Insert MySQL certificates no_log: true From ba526a86115cb395f164c14d0e2832b67dd234c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 30 Jan 2025 15:06:45 +0100 Subject: [PATCH 36/38] refs #8025 - Add jq to base_packages array --- roles/debian-base/defaults/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 24714fd..2d8ef29 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -32,6 +32,7 @@ base_packages: - cloud-guest-utils - rsync - parted + - jq locales_present: - en_US.UTF-8 - es_ES.UTF-8 From 3ad5a9528ebc3393c4491b4615fc0485e2f51d9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3?= Date: Fri, 31 Jan 2025 10:30:14 +0000 Subject: [PATCH 37/38] Actualizar roles/debian-base/defaults/main.yaml refs #8025 - Reomve jq to base_packages array and add yq --- roles/debian-base/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 2d8ef29..6b4f9bf 100644 
--- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -32,7 +32,7 @@ base_packages: - cloud-guest-utils - rsync - parted - - jq + - yq locales_present: - en_US.UTF-8 - es_ES.UTF-8 From 5da2adfce23569a709623f3f49f915e427363a89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 31 Jan 2025 15:47:37 +0100 Subject: [PATCH 38/38] refs #8414 - Add new db section --- roles/services/files/mariabackupdev/apply.sql | 23 ++++++++ .../bacula-after.sh | 0 .../apply.sql | 0 .../files/mariabackuptest/bacula-after.sh | 51 +++++++++++++++++ roles/services/tasks/mariadb.yml | 57 ++++++++++++++++--- .../templates/test-db_dev/apply.config.sh | 4 +- 6 files changed, 125 insertions(+), 10 deletions(-) create mode 100644 roles/services/files/mariabackupdev/apply.sql rename roles/services/files/{mariabackuptest_dev => mariabackupdev}/bacula-after.sh (100%) rename roles/services/files/{mariabackuptest_dev => mariabackuptest}/apply.sql (100%) create mode 100755 roles/services/files/mariabackuptest/bacula-after.sh diff --git a/roles/services/files/mariabackupdev/apply.sql b/roles/services/files/mariabackupdev/apply.sql new file mode 100644 index 0000000..b6aab80 --- /dev/null +++ b/roles/services/files/mariabackupdev/apply.sql @@ -0,0 +1,23 @@ +UPDATE vn2008.tblContadores + SET dbproduccion = FALSE; + +DELETE FROM util.binlogQueue; + +GRANT + SELECT, + INSERT, + UPDATE, + DELETE, + CREATE, + DROP, + INDEX, + ALTER, + CREATE TEMPORARY TABLES, + CREATE VIEW, + EVENT, + TRIGGER, + SHOW VIEW, + CREATE ROUTINE, + ALTER ROUTINE, + EXECUTE + ON *.* TO developerBoss; diff --git a/roles/services/files/mariabackuptest_dev/bacula-after.sh b/roles/services/files/mariabackupdev/bacula-after.sh similarity index 100% rename from roles/services/files/mariabackuptest_dev/bacula-after.sh rename to roles/services/files/mariabackupdev/bacula-after.sh 
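Review bot: The GRANT closing the new `mariabackupdev/apply.sql` gives `developerBoss` DROP, ALTER, CREATE ROUTINE, EVENT and TRIGGER on `*.*`, i.e. on every schema including `mysql` and `util`, on a host that has just been loaded from a production backup. If the role only needs the application schemas, granting per schema (`ON vn2008.*` and whichever others apply) keeps the server's own privilege tables and the restored production data out of reach of a global DROP. It is also worth confirming the account exists before this runs: on MariaDB a GRANT to an unknown user creates it without a password unless `sql_mode` includes `NO_AUTO_CREATE_USER`, which this script does not check.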
diff --git a/roles/services/files/mariabackuptest_dev/apply.sql b/roles/services/files/mariabackuptest/apply.sql similarity index 100% rename from roles/services/files/mariabackuptest_dev/apply.sql rename to roles/services/files/mariabackuptest/apply.sql diff --git a/roles/services/files/mariabackuptest/bacula-after.sh b/roles/services/files/mariabackuptest/bacula-after.sh new file mode 100755 index 0000000..53e37bb --- /dev/null +++ b/roles/services/files/mariabackuptest/bacula-after.sh @@ -0,0 +1,51 @@ +#!/bin/bash +set -e + +myDir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +. "$myDir/config.sh" +. "$myDir/apply.config.sh" + +todayDir=$(date +%Y-%m-%d) +pattern="$baculaDir/mnt/local-backup/${todayDir}_??-??_full.gz" +files=($pattern) +backupFile="${files[0]}" + +"$myDir/restore-backup.sh" "$backupFile" +rm -r "$baculaDir" + +if [[ "${#dbClusterSiblings[@]}" -gt "0" ]]; then + for node in "${dbClusterSiblings[@]}"; do + ssh root@$node service mysql stop + ssh root@$node "if pgrep mariadbd; then pkill -9 mariadbd; fi" + done + + galera_new_cluster +else + service mariadb start +fi + +echo "Applying custom script." +mysql -e "UPDATE util.config SET environment = '$dbEnvironment', lastDump = NOW()" +mysql < "$myDir/apply.sql" + +echo "Upgrading tables." +mysql_upgrade + +echo "Applying repository changes." +curl --silent --request POST --location --user "$jenkinsAuth" "$jenkinsUrl/build?delay=0sec" + +echo "Waiting for Jenkins job to end." +jobResult=null +while [ "$jobResult" = "null" ]; do + sleep 10 + jobResult=$(curl --silent --location --user "$jenkinsAuth" "$jenkinsUrl/lastBuild/api/json" | jq --raw-output ".result") +done +echo "Job result: $jobResult" + +echo "Promoting to master." +"/root/scripts/promote-master.sh" + +for node in "${dbClusterSiblings[@]}"; do + ssh root@$node service mysql start +done + diff --git a/roles/services/tasks/mariadb.yml b/roles/services/tasks/mariadb.yml index 398d6b1..0ee6e98 100644 --- a/roles/services/tasks/mariadb.yml 
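Review bot: The new `mariabackuptest/bacula-after.sh` polls `lastBuild/api/json` until `.result` is non-null and then runs `promote-master.sh` whatever that result was, so a `FAILURE` or `ABORTED` Jenkins run still promotes the freshly restored node; the result should be compared with `SUCCESS` before promotion. Polling `lastBuild` right after the POST is also racy: the previous completed build is still `lastBuild` until the new one starts, so the loop can exit on the stale result immediately — capture the queue item from the POST's `Location` header or at least check that the build number advanced. The script depends on `jq`, which patch 37 in this series replaces with `yq` in `base_packages`; unless `yq` pulls `jq` in as a dependency, this line fails at runtime. Minor: `files=($pattern)` without `nullglob` passes the literal pattern to `restore-backup.sh` when no backup matches, and `$node` in the `ssh` calls is unquoted.
```shell
# … unchanged: restore, cluster stop/start, apply.sql, mysql_upgrade, build trigger …
echo "Waiting for Jenkins job to end."
jobResult=null
while [ "$jobResult" = "null" ]; do
    sleep 10
    jobResult=$(curl --silent --fail --location --user "$jenkinsAuth" "$jenkinsUrl/lastBuild/api/json" | jq --raw-output ".result")
done
echo "Job result: $jobResult"

if [ "$jobResult" != "SUCCESS" ]; then
    echo "Jenkins job finished with '$jobResult', not promoting to master." >&2
    exit 1
fi
# … unchanged: promote-master and sibling restart …
```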
+++ b/roles/services/tasks/mariadb.yml @@ -81,7 +81,7 @@ loop: "{{ certificates }}" notify: restart-mariadb -- when: production is true +- when: db.branch == 'production' block: - name: Set MariaDB custom configuration Production copy: @@ -104,10 +104,10 @@ - /mnt/local-backup Make sure they are correctly configured and accessible. -- when: production is false or production is not defined +- when: db.branch == 'test' block: - - name: Set MariaDB custom configuration Test-DB-DEV + - name: Set MariaDB custom configuration TestDB copy: src: "{{ item }}" dest: /etc/mysql/mariadb.conf.d/ @@ -119,7 +119,7 @@ - "files/mariaconfigfiles/z92-testing_dev.cnf" notify: restart-mariadb - - name: Set MariaBackup custom template configuration Test-DB-DEV + - name: Set MariaBackup custom template configuration TestDB template: src: test-db_dev/apply.config.sh dest: /root/mariabackup/ @@ -127,7 +127,7 @@ group: root mode: u=rw,g=,o= - - name: Set MariaDB local configuration file for Test-DB-DEV + - name: Set MariaDB local configuration file for TestDB copy: src: "{{ item }}" dest: /root/mariabackup/ 
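Review bot: The `when: db.branch == 'test'` in the @@ -104,10 +104,10 hunk replaces a condition that also matched `production is not defined`; now a host whose `db.branch` is unset fails the play (fine, it fails closed), but a host whose value is misspelled or anything other than the handled branches silently matches no block and runs MariaDB on the stock configuration with no backup scripts. Add an `assert` ahead of the branch blocks so the role refuses unknown values rather than skipping every block. The set of accepted values below includes `dev`, which a later patch in this series adds; adjust if that block is not present.
```yaml
- name: Validate db.branch selection
  assert:
    that: db.branch in ['production', 'test', 'dev']
    fail_msg: "db.branch must be production, test or dev (got '{{ db.branch | default('undefined') }}')"
# … unchanged: production / test branch blocks …
```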
@@ -135,10 +135,51 @@ group: root mode: u=rw,g=r,o=r with_items: - - "mariabackuptest_dev/apply.sql" - - "mariabackuptest_dev/bacula-after.sh" + - "mariabackuptest/apply.sql" + - "mariabackuptest/bacula-after.sh" - - name: Reminder to check mount points environment Test-DB-DEV + - name: Reminder to check mount points environment TestDB + debug: + msg: | + Remember to check the following mount points: + - /mnt/mysqltmp + Make sure they are correctly configured and accessible. + +- when: db.branch == 'dev' + + block: + - name: Set MariaDB custom configuration DevDB + copy: + src: "{{ item }}" + dest: /etc/mysql/mariadb.conf.d/ + owner: root + group: root + mode: u=rw,g=r,o=r + with_items: + - "files/mariaconfigfiles/z90-vn.cnf" + - "files/mariaconfigfiles/z92-testing_dev.cnf" + notify: restart-mariadb + + - name: Set MariaBackup custom template configuration DevDB + template: + src: test-db_dev/apply.config.sh + dest: /root/mariabackup/ + owner: root + group: root + mode: u=rw,g=,o= + + - name: Set MariaDB local configuration file for DevDB + copy: + src: "{{ item }}" + dest: /root/mariabackup/ + owner: root + group: root + mode: u=rw,g=r,o=r + with_items: + - "mariabackupdev/apply.sql" + - "mariabackupdev/bacula-after.sh" + + - name: Reminder to check mount points environment DevDB debug: msg: | Remember to check the following mount points: diff --git a/roles/services/templates/test-db_dev/apply.config.sh b/roles/services/templates/test-db_dev/apply.config.sh index 6894c3f..8d15118 100755 --- a/roles/services/templates/test-db_dev/apply.config.sh +++ b/roles/services/templates/test-db_dev/apply.config.sh @@ -4,7 +4,7 @@ baculaDir=/mnt/mysqldata/bacula-restore # Database branch name -dbBranch={{ dbBranch }} +dbBranch={{ db.branch }} # Database environment dbEnvironment={{ dbEnvironment }} 
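Review bot: The new `db.branch == 'dev'` block in the @@ -135,10 +135,51 hunk is a copy of the test block with only the `mariabackupdev/` paths changed: same `mariaconfigfiles`, same `test-db_dev/apply.config.sh` template, same modes and reminder. Collapsing the two into one block keyed on the branch removes the duplication and keeps them from drifting: `- when: db.branch in ['test', 'dev']` with `- "mariabackup{{ db.branch }}/apply.sql"` and `- "mariabackup{{ db.branch }}/bacula-after.sh"` in the copy loop. As in the test block, `bacula-after.sh` is deployed with `mode: u=rw,g=r,o=r`, i.e. without the execute bit, which matters if Bacula invokes it directly.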
@@ -16,5 +16,5 @@ dbClusterSiblings=() jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password }} # Jenkins job URL -jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ dbBranch }} +jenkinsUrl=https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ db.branch }}
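Review bot: In this hunk of `apply.config.sh` the Jenkins credentials are rendered into a sourced shell file as `jenkinsAuth=jenkins:{{ lookup(...).password }}` with no quoting, so a Passbolt password containing a space, `$`, `;`, `#` or a quote either breaks the `.` in `bacula-after.sh` or is expanded by bash; the new `jenkinsUrl` line has the same exposure through `db.branch`. Pass the secret through Ansible's shell-quoting filter and quote the URL: `jenkinsAuth=jenkins:{{ lookup(passbolt, 'jenkinsAuth', folder_parent_id=passbolt_folder).password | quote }}` and `jenkinsUrl="https://jenkins.verdnatura.es/job/Scheduler/job/db-apply-changes-{{ db.branch }}"`. The file is deployed with `mode: u=rw,g=,o=` in the task hunk above, which is appropriate for a file carrying credentials; `--user "$jenkinsAuth"` in the consuming script still exposes them to `ps`, which `--netrc-file` would avoid.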