From 52f0ec0993c67c2d90132163c4e0d8c4a04a7234 Mon Sep 17 00:00:00 2001 From: Norman Ziegner Date: Fri, 15 Mar 2024 15:15:26 +0100 Subject: [PATCH] Merge zammad role into collection Signed-off-by: Norman Ziegner --- .github/labeler.yml | 6 + .github/workflows/zammad.yml | 78 ++++++++++ .yamllint.yml | 2 +- LICENSES/MIT.txt | 10 ++ README.md | 7 +- galaxy.yml | 2 + molecule/zammad/converge.yml | 30 ++++ molecule/zammad/molecule.yml | 30 ++++ molecule/zammad/prepare.yml | 41 +++++ molecule/zammad/requirements.yml | 17 +++ molecule/zammad/verify.yml | 16 ++ requirements.yml | 9 ++ roles/zammad/CHANGELOG.md | 142 +++++++++++++++++ roles/zammad/README.md | 144 ++++++++++++++++++ roles/zammad/defaults/main.yml | 19 +++ roles/zammad/handlers/main.yml | 21 +++ roles/zammad/meta/main.yml | 26 ++++ roles/zammad/tasks/install.yml | 67 ++++++++ roles/zammad/tasks/main.yml | 17 +++ roles/zammad/tasks/nginx-config.yml | 17 +++ roles/zammad/tasks/ssl.yml | 48 ++++++ roles/zammad/templates/nginx-zammad.conf.j2 | 95 ++++++++++++ .../templates/nginx-zammad.conf.j2.license | 4 + 23 files changed, 845 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/zammad.yml create mode 100644 LICENSES/MIT.txt create mode 100644 molecule/zammad/converge.yml create mode 100644 molecule/zammad/molecule.yml create mode 100644 molecule/zammad/prepare.yml create mode 100644 molecule/zammad/requirements.yml create mode 100644 molecule/zammad/verify.yml create mode 100644 requirements.yml create mode 100644 roles/zammad/CHANGELOG.md create mode 100644 roles/zammad/README.md create mode 100644 roles/zammad/defaults/main.yml create mode 100644 roles/zammad/handlers/main.yml create mode 100644 roles/zammad/meta/main.yml create mode 100644 roles/zammad/tasks/install.yml create mode 100644 roles/zammad/tasks/main.yml create mode 100644 roles/zammad/tasks/nginx-config.yml create mode 100644 roles/zammad/tasks/ssl.yml create mode 100644 roles/zammad/templates/nginx-zammad.conf.j2 create mode 100644 roles/zammad/templates/nginx-zammad.conf.j2.license diff --git a/.github/labeler.yml b/.github/labeler.yml index 4630e07..5c7cfcd 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -10,3 +10,9 @@ unattended_upgrades: - "roles/unattended_upgrades/**" - "molecule/unattended_upgrades/**" - ".github/workflows/unattended_upgrades.yml" +zammad: + - changed-files: + - any-glob-to-any-file: + - "roles/zammad/**" + - "molecule/zammad/**" + - ".github/workflows/zammad.yml" diff --git a/.github/workflows/zammad.yml b/.github/workflows/zammad.yml new file mode 100644 index 0000000..514b34b --- /dev/null +++ b/.github/workflows/zammad.yml @@ -0,0 +1,78 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: Apache-2.0 + +--- +name: "hifis.zammad" +on: + pull_request: + paths: + - '.github/workflows/zammad.yml' + - 'roles/zammad/**' + - 'molecule/zammad/**' + - 'Pipfile' + - 'Pipfile.lock' + push: + branches: + - "main" + tags: + - "v*.*.*" + paths: + - '.github/workflows/zammad.yml' + - 'roles/zammad/**' + - 'molecule/zammad/**' + - 'Pipfile' + - 'Pipfile.lock' + schedule: + - cron: '0 0 * * *' + +jobs: + + test: + name: "Run Molecule tests." + runs-on: "ubuntu-22.04" + env: + PY_COLORS: 1 + ANSIBLE_FORCE_COLOR: 1 + strategy: + fail-fast: false + matrix: + image: + - "ghcr.io/hifis-net/ubuntu-systemd:22.04" + - "ghcr.io/hifis-net/ubuntu-systemd:20.04" + + steps: + - name: "Check out the codebase." + uses: "actions/checkout@v4" + with: + path: "ansible_collections/hifis/software_services" + + - name: "Prepare the job environment." + uses: "./ansible_collections/hifis/software_services/.github/workflows/prepare-action" + + # https://github.com/ansible/molecule/issues/3806 + - name: "Help molecule to find the dependencies" + run: | + mkdir -p /home/runner/.ansible + ln -s /home/runner/work/ansible-role-unattended-upgrades/ansible-role-unattended-upgrades/ansible_collections/hifis/software_services/roles \ + /home/runner/.ansible/roles + + - name: "Install modern podman" + run: | + sudo mkdir -p /etc/apt/keyrings + curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \ + | gpg --dearmor \ + | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ + https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \ + | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null + sudo apt-get update -qq + sudo apt-get -qq -y install podman + + - name: "Run Molecule tests." + run: "XDG_RUNTIME_DIR=/run/user/$UID pipenv run molecule test -s zammad" + env: + MOLECULE_IMAGE: "${{ matrix.image }}" + working-directory: "ansible_collections/hifis/software_services" diff --git a/.yamllint.yml b/.yamllint.yml index 391bd3b..99352e4 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -24,7 +24,7 @@ rules: max-spaces-after: -1 level: "error" comments: "disable" - comments-indentation: "enable" + comments-indentation: "disable" document-start: "disable" empty-lines: max: 3 diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt new file mode 100644 index 0000000..81c7942 --- /dev/null +++ b/LICENSES/MIT.txt @@ -0,0 +1,10 @@ +MIT License + +Copyright (c) 2020 Helmholtz Centre for Environmental Research (UFZ) +Copyright (c) 2020 Helmholtz-Zentrum Dresden-Rossendorf (HZDR) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index 4833377..0557203 100644 --- a/README.md +++ b/README.md @@ -9,17 +9,19 @@ SPDX-License-Identifier: Apache-2.0 [![Latest release](https://img.shields.io/github/v/release/hifis-net/ansible-role-unattended-upgrades)](https://github.com/hifis-net/ansible-role-unattended-upgrades/releases) [![hifis.unattended_upgrades](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/unattended_upgrades.yml/badge.svg)](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/unattended_upgrades.yml) +[![hifis.zammad](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/zammad.yml/badge.svg)](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/zammad.yml) ## Description This collection provides production-ready Ansible roles used for providing services used in research and by research software engineers, but not exclusively. The following use cases are supported: -* DevOps platform + +* DevOps platform: * GitLab (coming soon!) * GitLab-Runner (coming soon!) * Redis (coming soon!) * Help desk: - * Zammad (coming soon!) + * [**Zammad**](roles/zammad) * High Availability (HA) / Load Balancing: * HAProxy (coming soon!) * Keepalived (coming soon!) @@ -33,6 +35,7 @@ software engineers, but not exclusively. The following use cases are supported: * Ansible >= 2.14 ## Installation + Install the collection via ansible-galaxy: ```shell diff --git a/galaxy.yml b/galaxy.yml index afc9ba0..4136241 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -11,7 +11,9 @@ authors: - 'HIFIS Software Services ' description: 'This collection provides production-ready Ansible roles used for providing services used in research and by research software engineers, but not exclusively.' license: + - 'Apache-2.0' - 'GPL-2.0-or-later' + - 'MIT' tags: - 'hifis' - 'ubuntu' diff --git a/molecule/zammad/converge.yml b/molecule/zammad/converge.yml new file mode 100644 index 0000000..3ba5c6d --- /dev/null +++ b/molecule/zammad/converge.yml @@ -0,0 +1,30 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +- name: "Converge" + hosts: "all" + tasks: + + - name: "Get private key content" + ansible.builtin.command: "cat /etc/ssl/private/ssl-cert-snakeoil.key" + changed_when: false + check_mode: false + register: "private_key" + + - name: "Get SSL certificate content" + ansible.builtin.command: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem" + changed_when: false + check_mode: false + register: "certificate" + + - name: "Pass SSL key pair to zammad role" + ansible.builtin.set_fact: + zammad_ssl_key: "{{ private_key.stdout }}" + zammad_ssl_cert: "{{ certificate.stdout }}" + + - name: "Include ansible-role-zammad" + ansible.builtin.include_role: + name: "hifis.software_services.zammad" diff --git a/molecule/zammad/molecule.yml b/molecule/zammad/molecule.yml new file mode 100644 index 0000000..db72888 --- /dev/null +++ b/molecule/zammad/molecule.yml @@ -0,0 +1,30 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +dependency: + name: "galaxy" + options: + requirements-file: "molecule/zammad/requirements.yml" +driver: + name: "podman" +platforms: + - name: "instance" + image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:22.04}" + pre_build_image: true + privileged: true + override_command: false + systemd: true + tty: true + published_ports: + - "0.0.0.0:8080:80" + - "0.0.0.0:8443:443" +provisioner: + name: "ansible" + playbooks: + prepare: "prepare.yml" + converge: "converge.yml" +verifier: + name: "ansible" diff --git a/molecule/zammad/prepare.yml b/molecule/zammad/prepare.yml new file mode 100644 index 0000000..f37c65b --- /dev/null +++ b/molecule/zammad/prepare.yml @@ -0,0 +1,41 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +- name: "Prepare" + hosts: "all" + vars: + # Apply suggested Elasticsearch configuration + elasticsearch_version: "8.x" + elasticsearch_package: "elasticsearch=8.8.1" + elasticsearch_heap_size_min: "256m" + elasticsearch_heap_size_max: "256m" + elasticsearch_extra_options: | + xpack.security.enabled: false + xpack.security.http.ssl.enabled: false + xpack.security.transport.ssl.enabled: false + http.max_content_length: 400mb + indices.query.bool.max_clause_count: 2000 + + tasks: + + - name: "Install required packages" + ansible.builtin.apt: + name: + - "sudo" + - "gpg" + - "ca-certificates" + - "python3-cryptography" + - "ssl-cert" + state: "present" + update_cache: true + + - name: "Include geerlingguy.elasticsearch" + ansible.builtin.include_role: + name: "geerlingguy.elasticsearch" + + - name: "Include geerlingguy.postgresql" + ansible.builtin.include_role: + name: "geerlingguy.postgresql" diff --git a/molecule/zammad/requirements.yml b/molecule/zammad/requirements.yml new file mode 100644 index 0000000..e16d57b --- /dev/null +++ b/molecule/zammad/requirements.yml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- + +collections: + - name: "community.crypto" + version: "2.14.1" # Required due to https://github.com/ansible-collections/community.crypto/issues/627 + +roles: + - src: "geerlingguy.elasticsearch" + version: "5.1.2" + + - src: "geerlingguy.postgresql" + version: "3.5.0" diff --git a/molecule/zammad/verify.yml b/molecule/zammad/verify.yml new file mode 100644 index 0000000..d56f950 --- /dev/null +++ b/molecule/zammad/verify.yml @@ -0,0 +1,16 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +- name: "Verify" + hosts: "all" + tasks: + - name: "Check that Zammad web interface is available" + ansible.builtin.uri: + url: "https://localhost" + validate_certs: false + return_content: true + register: "zammad_web" + failed_when: "'Zammad Helpdesk' not in zammad_web.content" diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..1764797 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,9 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: Apache-2.0 + +--- + +collections: + - name: "community.crypto" diff --git a/roles/zammad/CHANGELOG.md b/roles/zammad/CHANGELOG.md new file mode 100644 index 0000000..7e9e9e9 --- /dev/null +++ b/roles/zammad/CHANGELOG.md @@ -0,0 +1,142 @@ + + +# Changelog + +## [v2.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.1.0) (2024-03-14) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/v2.0.0...v2.1.0) + +**Closed issues:** + +- Release version 2.0.0 [\#43](https://github.com/hifis-net/ansible-role-zammad/issues/43) + +**Merged pull requests:** + +- chore\(deps-dev\): bump ansible-lint from 24.2.0 to 24.2.1 [\#82](https://github.com/hifis-net/ansible-role-zammad/pull/82) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Prepare release 2.1.0 [\#81](https://github.com/hifis-net/ansible-role-zammad/pull/81) ([Normo](https://github.com/Normo)) +- Bump ansible from 9.2.0 to 9.3.0 [\#80](https://github.com/hifis-net/ansible-role-zammad/pull/80) ([dependabot[bot]](https://github.com/apps/dependabot)) +- ci: install a recent podman version [\#79](https://github.com/hifis-net/ansible-role-zammad/pull/79) ([Normo](https://github.com/Normo)) +- Bump molecule-plugins from 23.5.0 to 23.5.3 [\#78](https://github.com/hifis-net/ansible-role-zammad/pull/78) ([dependabot[bot]](https://github.com/apps/dependabot)) +- fix: update nginx ssl ciphers to get TLSv1.2 working again [\#77](https://github.com/hifis-net/ansible-role-zammad/pull/77) ([Normo](https://github.com/Normo)) +- Bump yamllint from 1.33.0 to 1.35.1 [\#76](https://github.com/hifis-net/ansible-role-zammad/pull/76) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule from 5.1.0 to 24.2.0 [\#75](https://github.com/hifis-net/ansible-role-zammad/pull/75) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible-lint from 6.17.2 to 24.2.0 [\#73](https://github.com/hifis-net/ansible-role-zammad/pull/73) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible from 8.1.0 to 9.2.0 [\#72](https://github.com/hifis-net/ansible-role-zammad/pull/72) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump yamllint from 1.32.0 to 1.33.0 [\#66](https://github.com/hifis-net/ansible-role-zammad/pull/66) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump actions/checkout from 3 to 4 [\#56](https://github.com/hifis-net/ansible-role-zammad/pull/56) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule-plugins from 23.4.1 to 23.5.0 [\#51](https://github.com/hifis-net/ansible-role-zammad/pull/51) ([dependabot[bot]](https://github.com/apps/dependabot)) +- docs: add galaxy badges to README [\#49](https://github.com/hifis-net/ansible-role-zammad/pull/49) ([tobiashuste](https://github.com/tobiashuste)) + +## [v2.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.0.0) (2023-07-04) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.4.0...v2.0.0) + +**Implemented enhancements:** + +- feat: ensure compatibility with Zammad \>= 6.0 [\#37](https://github.com/hifis-net/ansible-role-zammad/pull/37) ([tobiashuste](https://github.com/tobiashuste)) +- feat: add support for Ubuntu 22.04 [\#34](https://github.com/hifis-net/ansible-role-zammad/pull/34) ([tobiashuste](https://github.com/tobiashuste)) + +**Closed issues:** + +- Add CHANGELOG [\#30](https://github.com/hifis-net/ansible-role-zammad/issues/30) +- Add CITATION.cff [\#39](https://github.com/hifis-net/ansible-role-zammad/issues/39) +- Establish compatibility with Zammad \>= 6.0 [\#36](https://github.com/hifis-net/ansible-role-zammad/issues/36) +- Update README [\#35](https://github.com/hifis-net/ansible-role-zammad/issues/35) +- Unify the GitHub Actions workflow with other projects [\#31](https://github.com/hifis-net/ansible-role-zammad/issues/31) +- Rename default branch to main [\#29](https://github.com/hifis-net/ansible-role-zammad/issues/29) +- Add support for Ubuntu 22.04 [\#27](https://github.com/hifis-net/ansible-role-zammad/issues/27) + +**Merged pull requests:** + +- Bump geerlingguy.postgresql from 2.2.1 to 3.0.0 [\#26](https://github.com/hifis-net/ansible-role-zammad/pull/26) ([Normo](https://github.com/Normo)) +- Set Zammad 3.6.0 as default version [\#25](https://github.com/hifis-net/ansible-role-zammad/pull/25) ([Normo](https://github.com/Normo)) +- Bump elastic.elasticsearch from 7.9.3 to 7.10.0 [\#24](https://github.com/hifis-net/ansible-role-zammad/pull/24) ([Normo](https://github.com/Normo)) +- chore: prepare relase of version 2.0.0 [\#46](https://github.com/hifis-net/ansible-role-zammad/pull/46) ([tobiashuste](https://github.com/tobiashuste)) +- fix: properly check if the ssl variables are set [\#41](https://github.com/hifis-net/ansible-role-zammad/pull/41) ([tobiashuste](https://github.com/tobiashuste)) +- chore: add CITATION.cff [\#40](https://github.com/hifis-net/ansible-role-zammad/pull/40) ([Normo](https://github.com/Normo)) +- docs: update README information [\#38](https://github.com/hifis-net/ansible-role-zammad/pull/38) ([tobiashuste](https://github.com/tobiashuste)) +- style: fix ansible-lint violations [\#33](https://github.com/hifis-net/ansible-role-zammad/pull/33) ([tobiashuste](https://github.com/tobiashuste)) +- ci: fix and align GitHub Actions workflow [\#32](https://github.com/hifis-net/ansible-role-zammad/pull/32) ([tobiashuste](https://github.com/tobiashuste)) +- ci: configure Dependabot version updates [\#28](https://github.com/hifis-net/ansible-role-zammad/pull/28) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.4.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.4.0) (2020-11-09) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.3.0...1.4.0) + +**Implemented enhancements:** + +- Add Ansible Galaxy release job [\#23](https://github.com/hifis-net/ansible-role-zammad/pull/23) ([Normo](https://github.com/Normo)) + +**Closed issues:** + +- Automate role import into Ansible Galaxy [\#19](https://github.com/hifis-net/ansible-role-zammad/issues/19) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.2 to 7.9.3 [\#22](https://github.com/hifis-net/ansible-role-zammad/pull/22) ([Normo](https://github.com/Normo)) +- Update molecule action [\#21](https://github.com/hifis-net/ansible-role-zammad/pull/21) ([Normo](https://github.com/Normo)) +- Explicitly set file permissions for repository files [\#20](https://github.com/hifis-net/ansible-role-zammad/pull/20) ([Normo](https://github.com/Normo)) + +## [1.3.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.3.0) (2020-10-06) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.2.0...1.3.0) + +**Implemented enhancements:** + +- Allow to disable Nginx version information [\#15](https://github.com/hifis-net/ansible-role-zammad/issues/15) +- Allow to specify SSL certificates via path only [\#13](https://github.com/hifis-net/ansible-role-zammad/issues/13) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.0 to 7.9.2 [\#18](https://github.com/hifis-net/ansible-role-zammad/pull/18) ([tobiashuste](https://github.com/tobiashuste)) +- Install Zammad 3.5.0 by default [\#17](https://github.com/hifis-net/ansible-role-zammad/pull/17) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to configure nginx server\_tokens directive [\#16](https://github.com/hifis-net/ansible-role-zammad/pull/16) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to use SSL keypair given by path only [\#14](https://github.com/hifis-net/ansible-role-zammad/pull/14) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.2.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.2.0) (2020-08-27) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.1.0...1.2.0) + +**Implemented enhancements:** + +- Add Ubuntu 20.04 focal support [\#8](https://github.com/hifis-net/ansible-role-zammad/issues/8) +- Allow to optionally configure additional server directives in Nginx config [\#5](https://github.com/hifis-net/ansible-role-zammad/issues/5) +- Allow to optionally configure additional Nginx server directives [\#7](https://github.com/hifis-net/ansible-role-zammad/pull/7) ([tobiashuste](https://github.com/tobiashuste)) + +**Merged pull requests:** + +- molecule verify: Check wether Zammad web interface is available [\#12](https://github.com/hifis-net/ansible-role-zammad/pull/12) ([Normo](https://github.com/Normo)) +- Add Ubuntu 20.4 support [\#11](https://github.com/hifis-net/ansible-role-zammad/pull/11) ([Normo](https://github.com/Normo)) +- Update molecule action [\#10](https://github.com/hifis-net/ansible-role-zammad/pull/10) ([Normo](https://github.com/Normo)) +- Update requirements.yml [\#9](https://github.com/hifis-net/ansible-role-zammad/pull/9) ([Normo](https://github.com/Normo)) +- Install Zammad 3.4.0 by default [\#6](https://github.com/hifis-net/ansible-role-zammad/pull/6) ([Normo](https://github.com/Normo)) + +## [1.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.1.0) (2020-07-16) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.0.0...1.1.0) + +**Implemented enhancements:** + +- Allow to install packages from the development channel [\#3](https://github.com/hifis-net/ansible-role-zammad/issues/3) + +**Merged pull requests:** + +- Make Zammad release channel configurable [\#4](https://github.com/hifis-net/ansible-role-zammad/pull/4) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.0.0) (2020-05-12) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/157bef1dfe6bc566f10f927ab929b3910d3ea986...1.0.0) + +**Merged pull requests:** + +- Specify zammad version on installation [\#2](https://github.com/hifis-net/ansible-role-zammad/pull/2) ([Normo](https://github.com/Normo)) +- Create GitHub actions workflow [\#1](https://github.com/hifis-net/ansible-role-zammad/pull/1) ([Normo](https://github.com/Normo)) + + + +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/roles/zammad/README.md b/roles/zammad/README.md new file mode 100644 index 0000000..b1acb90 --- /dev/null +++ b/roles/zammad/README.md @@ -0,0 +1,144 @@ + + +# Ansible role: Zammad + +[![CI Status](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/zammad.yml/badge.svg)](https://github.com/hifis-net/ansible-role-zammad/actions/workflows/zammad.yml) +[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/hifis-net/ansible-role-zammad/blob/main/LICENSE.md) + +An Ansible Role that installs and configures the web-based open source user +support/ticketing solution [Zammad](https://zammad.org/). + +**Note:** This role does not install elasticsearch and postgresql server. +See [Dependencies](#dependencies). + +## Requirements + +The below requirements are needed on the target host: + +- [cryptography](https://pypi.org/project/cryptography/) >= 1.6.0 + +## Role Variables + +```yaml +zammad_version: "6.2.0" +``` + +Zammad version to be installed. + +```yaml +zammad_release_channel: "stable" +``` + +Choose another release channel for the Zammad packages. +Please refer to for a complete list. + +```yaml +zammad_domain_name: "{{ ansible_fqdn }}" +``` + +Zammad's fully qualified domain name. + +```yaml +zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf" +``` + +File path to Zammad's Nginx config. + +```yaml +zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem" +``` + +File path to the SSL/TLS certificate which is used for HTTPS. + +```yaml +zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem" +``` + +File path to the SSL/TLS private key which is used for HTTPS. + +```yaml +zammad_ssl_cert: +``` + +Content of SSL/TLS certificate (**required**). + +```yaml +zammad_ssl_key: +``` + +Content of SSL/TLS private key (**required**). +**Please note:** In the special case, that you previously put an SSL keypair +on the host, e.g. via Let's Encrypt, you must not configure the variables +`zammad_ssl_cert` and `zammad_ssl_key`. +Nevertheless, in each case the role will +validate, if the SSL key pair is given under the paths `zammad_ssl_key_path` and +`zammad_ssl_cert_path` are valid. + +```yaml +zammad_nginx_server_tokens: "off" +``` + +Enable or disable emitting nginx version information in error pages or in the +_Server_ response header field. Please read the nginx +[docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) +for further information. + +```yaml +zammad_nginx_additional_server_configs: + - | + server { + listen 80; + server_name zammad.example.com zammad-old.example.com; + return 301 https://zammad.example.com$request_uri; + } + - | + server { + listen 443 ssl; + + # ... SSL configuration + + server_name zammad-old.example.com; + return 301 https://zammad.example.com$request_uri; + } +``` + +Configure additional server directives in the Nginx configuration. +This allows to implement more use case specific adjustments, e.g. +configuring multiple domains or the redirection of outdated domains to the +most recent one. + +```yaml +elasticsearch_url: "http://localhost:9200" +``` + +Elasticsearch server address. + +## Dependencies + +Zammad requires Elasticsearch and PostgreSQL database server. +This role has been successfully tested together with the following roles: + +- Elasticsearch - [geerlingguy.elasticsearch](https://github.com/geerlingguy/ansible-role-elasticsearch) +- PostgreSQL - [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) + +## Example Playbook + +```yaml + - hosts: servers + roles: + - role: hifis.zammad + become: yes +``` + +## License + +MIT + +## Author Information + +This role was created in 2020 by [HIFIS Software Services](https://hifis.net/). diff --git a/roles/zammad/defaults/main.yml b/roles/zammad/defaults/main.yml new file mode 100644 index 0000000..d2253b8 --- /dev/null +++ b/roles/zammad/defaults/main.yml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +zammad_version: "6.2.0" +zammad_release_channel: "stable" +zammad_domain_name: "{{ ansible_fqdn }}" + +zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf" +zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem" +zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem" + +zammad_nginx_additional_server_configs: [] +zammad_nginx_server_tokens: "off" + +elasticsearch_url: "http://localhost:9200" +... diff --git a/roles/zammad/handlers/main.yml b/roles/zammad/handlers/main.yml new file mode 100644 index 0000000..0b36310 --- /dev/null +++ b/roles/zammad/handlers/main.yml @@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- +- name: "Reload nginx" + ansible.builtin.service: + name: "nginx" + state: "reloaded" + +- name: "Set Elasticsearch server address" + ansible.builtin.command: >- + zammad run rails r "Setting.set('es_url', '{{ elasticsearch_url | quote }}')" + changed_when: true + +- name: "Build search index" + ansible.builtin.command: "zammad run rake zammad:searchindex:rebuild" + changed_when: true + +... diff --git a/roles/zammad/meta/main.yml b/roles/zammad/meta/main.yml new file mode 100644 index 0000000..c67ef3c --- /dev/null +++ b/roles/zammad/meta/main.yml @@ -0,0 +1,26 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + + +galaxy_info: + role_name: "zammad" + namespace: "hifis" + description: "Install Zammad helpdesk on Linux." + author: "HIFIS Software Services" + company: "Helmholtz Association of German Research Centres" + license: "MIT" + issue_tracker_url: "https://github.com/hifis-net/ansible-role-unattended-upgrades/issues" + min_ansible_version: "2.14" + + platforms: + - name: "Ubuntu" + versions: + - "focal" + - "jammy" + + galaxy_tags: + - "zammad" + +dependencies: [] diff --git a/roles/zammad/tasks/install.yml b/roles/zammad/tasks/install.yml new file mode 100644 index 0000000..302a965 --- /dev/null +++ b/roles/zammad/tasks/install.yml @@ -0,0 +1,67 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- + +- name: "Configure Zammad repository for Centos-like" + when: "ansible_distribution | lower == 'centos'" + block: + + - name: "Install | Install EPEL repo" + ansible.builtin.yum: + name: "epel-release" + state: "present" + + - name: "Install | Add Zammad yum repository" + ansible.builtin.yum_repository: + name: "zammad" + state: "present" + description: "Repository for zammad/zammad ({{ zammad_release_channel }}) packages." + baseurl: "https://dl.packager.io/srv/rpm/zammad/zammad/{{ zammad_release_channel }}/el/7/$basearch" + enabled: true + gpgcheck: false + repo_gpgcheck: true + gpgkey: "https://dl.packager.io/srv/zammad/zammad/key" + mode: "0644" + +- name: "Configure Zammad repository for Ubuntu" + when: "ansible_distribution | lower == 'ubuntu'" + block: + + - name: "Install | Add Zammad apt key" + ansible.builtin.apt_key: + url: "https://dl.packager.io/srv/zammad/zammad/key" + state: "present" + + - name: "Install | Add Zammad DEB repository" + ansible.builtin.apt_repository: + repo: "deb https://dl.packager.io/srv/deb/zammad/zammad/{{ zammad_release_channel }}/ubuntu {{ ansible_distribution_version }} main" + state: "present" + filename: "zammad" + update_cache: true + mode: "0644" + +- name: "Install | Install Zammad package" + ansible.builtin.package: + name: "zammad={{ zammad_version }}*" + state: "present" + force: true + notify: + - "Set Elasticsearch server address" + - "Build search index" + +- name: "Install | Start and enable services" + ansible.builtin.service: + name: "{{ item }}" + state: "started" + enabled: true + loop: + - "zammad" + - "zammad-web" + - "zammad-worker" + - "zammad-websocket" + notify: "Build search index" + +... diff --git a/roles/zammad/tasks/main.yml b/roles/zammad/tasks/main.yml new file mode 100644 index 0000000..e054851 --- /dev/null +++ b/roles/zammad/tasks/main.yml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- + +- name: "Install zammad" + ansible.builtin.import_tasks: "install.yml" + +- name: "Set up SSL/TLS" + ansible.builtin.import_tasks: "ssl.yml" + +- name: "Configure nginx" + ansible.builtin.import_tasks: "nginx-config.yml" + +... diff --git a/roles/zammad/tasks/nginx-config.yml b/roles/zammad/tasks/nginx-config.yml new file mode 100644 index 0000000..8005f0c --- /dev/null +++ b/roles/zammad/tasks/nginx-config.yml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- + +- name: "Nginx | Create config" + ansible.builtin.template: + src: "nginx-zammad.conf.j2" + dest: "{{ zammad_nginx_config_path }}" + mode: "0644" + owner: "root" + group: "root" + notify: "Reload nginx" + +... diff --git a/roles/zammad/tasks/ssl.yml b/roles/zammad/tasks/ssl.yml new file mode 100644 index 0000000..6e9913d --- /dev/null +++ b/roles/zammad/tasks/ssl.yml @@ -0,0 +1,48 @@ +# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) +# +# SPDX-License-Identifier: MIT + +--- + +- name: "SSL | Insert private key" + ansible.builtin.blockinfile: + path: "{{ zammad_ssl_key_path }}" + create: true + block: | + {{ zammad_ssl_key }} + mode: "0640" + owner: "root" + group: "root" + when: "zammad_ssl_key | default('') | length > 0" + +- name: "SSL | Insert certificate" + ansible.builtin.blockinfile: + path: "{{ zammad_ssl_cert_path }}" + create: true + block: | + {{ zammad_ssl_cert }} + mode: "0644" + owner: "root" + group: "root" + when: "zammad_ssl_cert | default('') | length > 0" + +- name: "SSL | Check if certificate is still valid, ignoring failures" + community.crypto.x509_certificate_info: + path: "{{ zammad_ssl_cert_path }}" + register: "certificate" + ignore_errors: "{{ ansible_check_mode }}" + +- name: "SSL | Ensure certificate and private key match" + community.crypto.openssl_privatekey_info: + path: "{{ zammad_ssl_key_path }}" + register: "private_key" + ignore_errors: "{{ ansible_check_mode }}" + +- name: "SSL | Validate that certificate is still valid" + ansible.builtin.assert: + that: + - "not certificate.expired" + - "certificate.public_key == private_key.public_key" + +... diff --git a/roles/zammad/templates/nginx-zammad.conf.j2 b/roles/zammad/templates/nginx-zammad.conf.j2 new file mode 100644 index 0000000..4d7aab2 --- /dev/null +++ b/roles/zammad/templates/nginx-zammad.conf.j2 @@ -0,0 +1,95 @@ +# {{ ansible_managed }} +# +# this is the nginx config for zammad +# + +upstream zammad-railsserver { + server 127.0.0.1:3000; +} + +upstream zammad-websocket { + server 127.0.0.1:6042; +} + +server { + listen 80; + server_name {{ zammad_domain_name }}; + server_tokens {{ zammad_nginx_server_tokens }}; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name {{ zammad_domain_name }}; + + server_tokens {{ zammad_nginx_server_tokens }}; + + ssl_certificate {{ zammad_ssl_cert_path }}; + ssl_certificate_key {{ zammad_ssl_key_path }}; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + location = /robots.txt { + access_log off; log_not_found off; + } + + location = /favicon.ico { + access_log off; log_not_found off; + } + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + + {% if zammad_version is version('6.0', 'ge') +%} + location /cable { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-railsserver; + } + {% endif %} + + location / { + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } +} + +{% for server_config in zammad_nginx_additional_server_configs %} +{{ server_config }} +{% endfor %} diff --git a/roles/zammad/templates/nginx-zammad.conf.j2.license b/roles/zammad/templates/nginx-zammad.conf.j2.license new file mode 100644 index 0000000..dafcfba --- /dev/null +++ b/roles/zammad/templates/nginx-zammad.conf.j2.license @@ -0,0 +1,4 @@ +SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ) +SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR) + +SPDX-License-Identifier: MIT