From 8c0ddb8ea21b9ef989ec9c1b8bf2e98fafc75c3e Mon Sep 17 00:00:00 2001 From: Norman Ziegner Date: Fri, 15 Mar 2024 15:15:26 +0100 Subject: [PATCH] Merge zammad role into collection Signed-off-by: Norman Ziegner --- .github/workflows/zammad.yml | 60 +++++++++ molecule/zammad/INSTALL.md | 17 +++ molecule/zammad/converge.yml | 25 ++++ molecule/zammad/molecule.yml | 25 ++++ molecule/zammad/prepare.yml | 36 +++++ molecule/zammad/requirements.yml | 13 ++ molecule/zammad/verify.yml | 11 ++ roles/zammad/CHANGELOG.md | 135 +++++++++++++++++++ roles/zammad/LICENSE | 21 +++ roles/zammad/README.md | 139 ++++++++++++++++++++ roles/zammad/VERSION | 1 + roles/zammad/defaults/main.yml | 14 ++ roles/zammad/handlers/main.yml | 15 +++ roles/zammad/meta/main.yml | 20 +++ roles/zammad/tasks/install.yml | 62 +++++++++ roles/zammad/tasks/main.yml | 12 ++ roles/zammad/tasks/nginx-config.yml | 12 ++ roles/zammad/tasks/ssl.yml | 43 ++++++ roles/zammad/templates/nginx-zammad.conf.j2 | 95 +++++++++++++ 19 files changed, 756 insertions(+) create mode 100644 .github/workflows/zammad.yml create mode 100644 molecule/zammad/INSTALL.md create mode 100644 molecule/zammad/converge.yml create mode 100644 molecule/zammad/molecule.yml create mode 100644 molecule/zammad/prepare.yml create mode 100644 molecule/zammad/requirements.yml create mode 100644 molecule/zammad/verify.yml create mode 100644 roles/zammad/CHANGELOG.md create mode 100644 roles/zammad/LICENSE create mode 100644 roles/zammad/README.md create mode 100644 roles/zammad/VERSION create mode 100644 roles/zammad/defaults/main.yml create mode 100644 roles/zammad/handlers/main.yml create mode 100644 roles/zammad/meta/main.yml create mode 100644 roles/zammad/tasks/install.yml create mode 100644 roles/zammad/tasks/main.yml create mode 100644 roles/zammad/tasks/nginx-config.yml create mode 100644 roles/zammad/tasks/ssl.yml create mode 100644 roles/zammad/templates/nginx-zammad.conf.j2 
diff --git a/.github/workflows/zammad.yml b/.github/workflows/zammad.yml
new file mode 100644
index 0000000..af90531
--- /dev/null
+++ b/.github/workflows/zammad.yml
@@ -0,0 +1,60 @@
+---
+name: "hifis.unattended_upgrades"
+on:
+ pull_request:
+ push:
+ branches:
+ - "main"
+ tags:
+ - "v*.*.*"
+ paths:
+ - '.github/workflows/zammad.yml'
+ - 'roles/zammad/**'
+ - 'molecule/zammad/**'
+ - 'Pipfile'
+ - 'Pipfile.lock'
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+
+ test:
+ name: "Run Molecule tests."
+ runs-on: "ubuntu-22.04"
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
+ - "ghcr.io/hifis-net/ubuntu-systemd:20.04"
+
+ steps:
+ - name: "Check out the codebase."
+ uses: "actions/checkout@v4"
+ with:
+ path: "ansible_collections/hifis/software_services"
+
+ - name: "Prepare the job environment."
+ uses: "./ansible_collections/hifis/software_services/.github/workflows/prepare-action"
+
+ - name: "Install modern podman"
+ run: |
+ sudo mkdir -p /etc/apt/keyrings
+ curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
+ | gpg --dearmor \
+ | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
+ https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
+ | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
+ sudo apt-get update -qq
+ sudo apt-get -qq -y install podman
+
+ - name: "Run Molecule tests."
+ run: "pipenv run molecule test -s zammad"
+ env:
+ MOLECULE_IMAGE: "${{ matrix.image }}"
+ working-directory: "ansible_collections/hifis/software_services"
diff --git a/molecule/zammad/INSTALL.md b/molecule/zammad/INSTALL.md
new file mode 100644
index 0000000..1c03304
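Review bot: The "Install modern podman" step adds the `devel:kubic:libcontainers:unstable` repository and trusts whatever `Release.key` the download host serves at run time, so the `signed-by` keyring gives no assurance beyond the TLS connection the key was fetched over; comparing the key's fingerprint with a value committed to the repository before writing the keyring would close that gap. The workflow also declares no `permissions:` block, so the job token keeps the repository's default scope; a top-level `permissions:` with `contents: read` is enough for a checkout-and-test job. `uses: "actions/checkout@v4"` follows a mutable tag rather than a commit SHA, and the workflow `name` still reads `"hifis.unattended_upgrades"`, which looks like a copy-paste leftover for a Zammad workflow.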
--- /dev/null
+++ b/molecule/zammad/INSTALL.md
@@ -0,0 +1,17 @@
+# Docker driver installation guide
+
+# Requirements
+
+* Docker Engine
+
+# Install
+
+Please refer to the [Virtual environment](https://virtualenv.pypa.io/en/latest/)
+documentation for installation best practices. If not using a virtual
+environment, please consider passing the widely recommended
+[`--user` flag](https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site)
+when invoking `pip`.
+
+```bash
+$ pip install 'molecule[docker]'
+```
diff --git a/molecule/zammad/converge.yml b/molecule/zammad/converge.yml
new file mode 100644
index 0000000..fd30694
--- /dev/null
+++ b/molecule/zammad/converge.yml
@@ -0,0 +1,25 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+
+ - name: Get private key content
+ ansible.builtin.command: cat /etc/ssl/private/ssl-cert-snakeoil.key
+ changed_when: false
+ check_mode: false
+ register: private_key
+
+ - name: Get SSL certificate content
+ ansible.builtin.command: cat /etc/ssl/certs/ssl-cert-snakeoil.pem
+ changed_when: false
+ check_mode: false
+ register: certificate
+
+ - name: Pass SSL key pair to zammad role
+ ansible.builtin.set_fact:
+ zammad_ssl_key: "{{ private_key.stdout }}"
+ zammad_ssl_cert: "{{ certificate.stdout }}"
+
+ - name: "Include ansible-role-zammad"
+ ansible.builtin.include_role:
+ name: "hifis.software_services.zammad"
diff --git a/molecule/zammad/molecule.yml b/molecule/zammad/molecule.yml
new file mode 100644
index 0000000..7c49aeb
--- /dev/null
+++ b/molecule/zammad/molecule.yml
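Review bot: In converge.yml the "Get private key content" task registers the key text and the following `set_fact` copies it into `zammad_ssl_key`, both without `no_log: true`, so the PEM body shows up in verbose output and in any callback that records task results. Here it is only the snakeoil test key, but the same gap exists in the role itself: "SSL | Insert private key" in roles/zammad/tasks/ssl.yml writes `zammad_ssl_key` through `blockinfile` without `no_log`, where a run with `--diff` would print a real key. Adding `no_log: true` to these tasks keeps key material out of logs.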
@@ -0,0 +1,25 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: molecule/default/requirements.yml
+driver:
+ name: podman
+platforms:
+ - name: instance
+ image: ${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:20.04}
+ pre_build_image: true
+ privileged: true
+ override_command: false
+ systemd: true
+ tty: true
+ published_ports:
+ - 0.0.0.0:8080:80
+ - 0.0.0.0:8443:443
+provisioner:
+ name: ansible
+ playbooks:
+ prepare: prepare.yml
+ converge: converge.yml
+verifier:
+ name: ansible
diff --git a/molecule/zammad/prepare.yml b/molecule/zammad/prepare.yml
new file mode 100644
index 0000000..1e4c43f
--- /dev/null
+++ b/molecule/zammad/prepare.yml
@@ -0,0 +1,36 @@
+---
+- name: Prepare
+ hosts: all
+ vars:
+ # Apply suggested Elasticsearch configuration
+ elasticsearch_version: 8.x
+ elasticsearch_package: elasticsearch=8.8.1
+ elasticsearch_heap_size_min: 256m
+ elasticsearch_heap_size_max: 256m
+ elasticsearch_extra_options: |
+ xpack.security.enabled: false
+ xpack.security.http.ssl.enabled: false
+ xpack.security.transport.ssl.enabled: false
+ http.max_content_length: 400mb
+ indices.query.bool.max_clause_count: 2000
+
+ tasks:
+
+ - name: Install required packages
+ ansible.builtin.apt:
+ name:
+ - sudo
+ - gpg
+ - ca-certificates
+ - python3-cryptography
+ - ssl-cert
+ state: present
+ update_cache: yes
+
+ - name: "Include geerlingguy.elasticsearch"
+ ansible.builtin.include_role:
+ name: "geerlingguy.elasticsearch"
+
+ - name: "Include geerlingguy.postgresql"
+ ansible.builtin.include_role:
+ name: "geerlingguy.postgresql"
diff --git a/molecule/zammad/requirements.yml b/molecule/zammad/requirements.yml
new file mode 100644
index 0000000..245dbd2
--- /dev/null
+++ b/molecule/zammad/requirements.yml
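Review bot: In molecule.yml, `published_ports` binds `0.0.0.0:8080:80` and `0.0.0.0:8443:443`, which exposes the privileged test container and its snakeoil-certificate Zammad instance on every interface of the machine running Molecule; `127.0.0.1:8080:80` and `127.0.0.1:8443:443` keep it local. verify.yml appears to query `https://localhost` from inside the instance, so the published ports may not be needed at all. Separately, `requirements-file: molecule/default/requirements.yml` points at the default scenario although this commit adds molecule/zammad/requirements.yml; if that is not intentional, the `community.crypto` pin and the geerlingguy role versions from the new file are not what this scenario installs.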
@@ -0,0 +1,13 @@
+---
+
+
+collections:
+ - name: "community.crypto"
+ version: "2.14.1" # Required due to https://github.com/ansible-collections/community.crypto/issues/627
+
+roles:
+ - src: geerlingguy.elasticsearch
+ version: 5.1.1
+
+ - src: geerlingguy.postgresql
+ version: 3.5.0
diff --git a/molecule/zammad/verify.yml b/molecule/zammad/verify.yml
new file mode 100644
index 0000000..b923f5d
--- /dev/null
+++ b/molecule/zammad/verify.yml
@@ -0,0 +1,11 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Check that Zammad web interface is available
+ ansible.builtin.uri:
+ url: https://localhost
+ validate_certs: no
+ return_content: yes
+ register: this
+ failed_when: "'Zammad Helpdesk' not in this.content"
diff --git a/roles/zammad/CHANGELOG.md b/roles/zammad/CHANGELOG.md
new file mode 100644
index 0000000..83b8d9f
--- /dev/null
+++ b/roles/zammad/CHANGELOG.md
@@ -0,0 +1,135 @@ +# Changelog + +## [v2.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.1.0) (2024-03-14) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/v2.0.0...v2.1.0) + +**Closed issues:** + +- Release version 2.0.0 [\#43](https://github.com/hifis-net/ansible-role-zammad/issues/43) + +**Merged pull requests:** + +- chore\(deps-dev\): bump ansible-lint from 24.2.0 to 24.2.1 [\#82](https://github.com/hifis-net/ansible-role-zammad/pull/82) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Prepare release 2.1.0 [\#81](https://github.com/hifis-net/ansible-role-zammad/pull/81) ([Normo](https://github.com/Normo)) +- Bump ansible from 9.2.0 to 9.3.0 [\#80](https://github.com/hifis-net/ansible-role-zammad/pull/80) ([dependabot[bot]](https://github.com/apps/dependabot)) +- ci: install a recent podman version [\#79](https://github.com/hifis-net/ansible-role-zammad/pull/79) ([Normo](https://github.com/Normo)) +- Bump molecule-plugins from 23.5.0 to 23.5.3 [\#78](https://github.com/hifis-net/ansible-role-zammad/pull/78) ([dependabot[bot]](https://github.com/apps/dependabot)) +- fix: update nginx ssl ciphers to get TLSv1.2 working again [\#77](https://github.com/hifis-net/ansible-role-zammad/pull/77) ([Normo](https://github.com/Normo)) +- Bump yamllint from 1.33.0 to 1.35.1 [\#76](https://github.com/hifis-net/ansible-role-zammad/pull/76) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule from 5.1.0 to 24.2.0 [\#75](https://github.com/hifis-net/ansible-role-zammad/pull/75) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible-lint from 6.17.2 to 24.2.0 [\#73](https://github.com/hifis-net/ansible-role-zammad/pull/73) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible from 8.1.0 to 9.2.0 [\#72](https://github.com/hifis-net/ansible-role-zammad/pull/72) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump yamllint from 1.32.0 to 1.33.0 
[\#66](https://github.com/hifis-net/ansible-role-zammad/pull/66) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump actions/checkout from 3 to 4 [\#56](https://github.com/hifis-net/ansible-role-zammad/pull/56) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule-plugins from 23.4.1 to 23.5.0 [\#51](https://github.com/hifis-net/ansible-role-zammad/pull/51) ([dependabot[bot]](https://github.com/apps/dependabot)) +- docs: add galaxy badges to README [\#49](https://github.com/hifis-net/ansible-role-zammad/pull/49) ([tobiashuste](https://github.com/tobiashuste)) + +## [v2.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.0.0) (2023-07-04) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.4.0...v2.0.0) + +**Implemented enhancements:** + +- feat: ensure compatibility with Zammad \>= 6.0 [\#37](https://github.com/hifis-net/ansible-role-zammad/pull/37) ([tobiashuste](https://github.com/tobiashuste)) +- feat: add support for Ubuntu 22.04 [\#34](https://github.com/hifis-net/ansible-role-zammad/pull/34) ([tobiashuste](https://github.com/tobiashuste)) + +**Closed issues:** + +- Add CHANGELOG [\#30](https://github.com/hifis-net/ansible-role-zammad/issues/30) +- Add CITATION.cff [\#39](https://github.com/hifis-net/ansible-role-zammad/issues/39) +- Establish compatibility with Zammad \>= 6.0 [\#36](https://github.com/hifis-net/ansible-role-zammad/issues/36) +- Update README [\#35](https://github.com/hifis-net/ansible-role-zammad/issues/35) +- Unify the GitHub Actions workflow with other projects [\#31](https://github.com/hifis-net/ansible-role-zammad/issues/31) +- Rename default branch to main [\#29](https://github.com/hifis-net/ansible-role-zammad/issues/29) +- Add support for Ubuntu 22.04 [\#27](https://github.com/hifis-net/ansible-role-zammad/issues/27) + +**Merged pull requests:** + +- Bump geerlingguy.postgresql from 2.2.1 to 3.0.0 [\#26](https://github.com/hifis-net/ansible-role-zammad/pull/26) 
([Normo](https://github.com/Normo)) +- Set Zammad 3.6.0 as default version [\#25](https://github.com/hifis-net/ansible-role-zammad/pull/25) ([Normo](https://github.com/Normo)) +- Bump elastic.elasticsearch from 7.9.3 to 7.10.0 [\#24](https://github.com/hifis-net/ansible-role-zammad/pull/24) ([Normo](https://github.com/Normo)) +- chore: prepare relase of version 2.0.0 [\#46](https://github.com/hifis-net/ansible-role-zammad/pull/46) ([tobiashuste](https://github.com/tobiashuste)) +- fix: properly check if the ssl variables are set [\#41](https://github.com/hifis-net/ansible-role-zammad/pull/41) ([tobiashuste](https://github.com/tobiashuste)) +- chore: add CITATION.cff [\#40](https://github.com/hifis-net/ansible-role-zammad/pull/40) ([Normo](https://github.com/Normo)) +- docs: update README information [\#38](https://github.com/hifis-net/ansible-role-zammad/pull/38) ([tobiashuste](https://github.com/tobiashuste)) +- style: fix ansible-lint violations [\#33](https://github.com/hifis-net/ansible-role-zammad/pull/33) ([tobiashuste](https://github.com/tobiashuste)) +- ci: fix and align GitHub Actions workflow [\#32](https://github.com/hifis-net/ansible-role-zammad/pull/32) ([tobiashuste](https://github.com/tobiashuste)) +- ci: configure Dependabot version updates [\#28](https://github.com/hifis-net/ansible-role-zammad/pull/28) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.4.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.4.0) (2020-11-09) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.3.0...1.4.0) + +**Implemented enhancements:** + +- Add Ansible Galaxy release job [\#23](https://github.com/hifis-net/ansible-role-zammad/pull/23) ([Normo](https://github.com/Normo)) + +**Closed issues:** + +- Automate role import into Ansible Galaxy [\#19](https://github.com/hifis-net/ansible-role-zammad/issues/19) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.2 to 7.9.3 
[\#22](https://github.com/hifis-net/ansible-role-zammad/pull/22) ([Normo](https://github.com/Normo)) +- Update molecule action [\#21](https://github.com/hifis-net/ansible-role-zammad/pull/21) ([Normo](https://github.com/Normo)) +- Explicitly set file permissions for repository files [\#20](https://github.com/hifis-net/ansible-role-zammad/pull/20) ([Normo](https://github.com/Normo)) + +## [1.3.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.3.0) (2020-10-06) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.2.0...1.3.0) + +**Implemented enhancements:** + +- Allow to disable Nginx version information [\#15](https://github.com/hifis-net/ansible-role-zammad/issues/15) +- Allow to specify SSL certificates via path only [\#13](https://github.com/hifis-net/ansible-role-zammad/issues/13) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.0 to 7.9.2 [\#18](https://github.com/hifis-net/ansible-role-zammad/pull/18) ([tobiashuste](https://github.com/tobiashuste)) +- Install Zammad 3.5.0 by default [\#17](https://github.com/hifis-net/ansible-role-zammad/pull/17) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to configure nginx server\_tokens directive [\#16](https://github.com/hifis-net/ansible-role-zammad/pull/16) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to use SSL keypair given by path only [\#14](https://github.com/hifis-net/ansible-role-zammad/pull/14) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.2.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.2.0) (2020-08-27) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.1.0...1.2.0) + +**Implemented enhancements:** + +- Add Ubuntu 20.04 focal support [\#8](https://github.com/hifis-net/ansible-role-zammad/issues/8) +- Allow to optionally configure additional server directives in Nginx config [\#5](https://github.com/hifis-net/ansible-role-zammad/issues/5) +- Allow to optionally configure additional 
Nginx server directives [\#7](https://github.com/hifis-net/ansible-role-zammad/pull/7) ([tobiashuste](https://github.com/tobiashuste)) + +**Merged pull requests:** + +- molecule verify: Check wether Zammad web interface is available [\#12](https://github.com/hifis-net/ansible-role-zammad/pull/12) ([Normo](https://github.com/Normo)) +- Add Ubuntu 20.4 support [\#11](https://github.com/hifis-net/ansible-role-zammad/pull/11) ([Normo](https://github.com/Normo)) +- Update molecule action [\#10](https://github.com/hifis-net/ansible-role-zammad/pull/10) ([Normo](https://github.com/Normo)) +- Update requirements.yml [\#9](https://github.com/hifis-net/ansible-role-zammad/pull/9) ([Normo](https://github.com/Normo)) +- Install Zammad 3.4.0 by default [\#6](https://github.com/hifis-net/ansible-role-zammad/pull/6) ([Normo](https://github.com/Normo)) + +## [1.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.1.0) (2020-07-16) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.0.0...1.1.0) + +**Implemented enhancements:** + +- Allow to install packages from the development channel [\#3](https://github.com/hifis-net/ansible-role-zammad/issues/3) + +**Merged pull requests:** + +- Make Zammad release channel configurable [\#4](https://github.com/hifis-net/ansible-role-zammad/pull/4) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.0.0) (2020-05-12) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/157bef1dfe6bc566f10f927ab929b3910d3ea986...1.0.0) + +**Merged pull requests:** + +- Specify zammad version on installation [\#2](https://github.com/hifis-net/ansible-role-zammad/pull/2) ([Normo](https://github.com/Normo)) +- Create GitHub actions workflow [\#1](https://github.com/hifis-net/ansible-role-zammad/pull/1) ([Normo](https://github.com/Normo)) + + + +\* *This Changelog was automatically generated by 
[github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/roles/zammad/LICENSE b/roles/zammad/LICENSE new file mode 100644 index 0000000..251a712 --- /dev/null +++ b/roles/zammad/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2020 Helmholtz Centre for Environmental Research – UFZ + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/roles/zammad/README.md b/roles/zammad/README.md new file mode 100644 index 0000000..d0ed3bb --- /dev/null +++ b/roles/zammad/README.md 
@@ -0,0 +1,139 @@ +# Ansible role: Zammad + +[![CI](https://github.com/hifis-net/ansible-role-zammad/actions/workflows/ci.yml/badge.svg)](https://github.com/hifis-net/ansible-role-zammad/actions/workflows/ci.yml) +[![Ansible Galaxy Role](https://img.shields.io/ansible/role/d/hifis/zammad)](https://galaxy.ansible.com/hifis/zammad) +[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/hifis-net/ansible-role-zammad/blob/main/LICENSE.md) +[![GitLab Release (latest by SemVer)](https://img.shields.io/github/v/release/hifis-net/ansible-role-zammad?color=blue&sort=semver)](https://github.com/hifis-net/ansible-role-zammad/releases) + +An Ansible Role that installs and configures the web-based open source user +support/ticketing solution [Zammad](https://zammad.org/). + +**Note:** This role does not install elasticsearch and postgresql server. +See [Dependencies](#dependencies). + +## Requirements + +The below requirements are needed on the target host: + +- [cryptography](https://pypi.org/project/cryptography/) >= 1.6.0 + +## Role Variables + +```yaml +zammad_version: "6.2.0" +``` + +Zammad version to be installed. + +```yaml +zammad_release_channel: "stable" +``` + +Choose another release channel for the Zammad packages. +Please refer to for a complete list. + +```yaml +zammad_domain_name: "{{ ansible_fqdn }}" +``` + +Zammad's fully qualified domain name. + +```yaml +zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf" +``` + +File path to Zammad's Nginx config. + +```yaml +zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem" +``` + +File path to the SSL/TLS certificate which is used for HTTPS. + +```yaml +zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem" +``` + +File path to the SSL/TLS private key which is used for HTTPS. + +```yaml +zammad_ssl_cert: +``` + +Content of SSL/TLS certificate (**required**). + +```yaml +zammad_ssl_key: +``` + +Content of SSL/TLS private key (**required**). 
+**Please note:** In the special case, that you previously put an SSL keypair +on the host, e.g. via Let's Encrypt, you must not configure the variables +`zammad_ssl_cert` and `zammad_ssl_key`. +Nevertheless, in each case the role will +validate, if the SSL key pair is given under the paths `zammad_ssl_key_path` and +`zammad_ssl_cert_path` are valid. + +```yaml +zammad_nginx_server_tokens: "off" +``` + +Enable or disable emitting nginx version information in error pages or in the +_Server_ response header field. Please read the nginx +[docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) +for further information. + +```yaml +zammad_nginx_additional_server_configs: + - | + server { + listen 80; + server_name zammad.example.com zammad-old.example.com; + return 301 https://zammad.example.com$request_uri; + } + - | + server { + listen 443 ssl; + + # ... SSL configuration + + server_name zammad-old.example.com; + return 301 https://zammad.example.com$request_uri; + } +``` + +Configure additional server directives in the Nginx configuration. +This allows to implement more use case specific adjustments, e.g. +configuring multiple domains or the redirection of outdated domains to the +most recent one. + +```yaml +elasticsearch_url: "http://localhost:9200" +``` + +Elasticsearch server address. + +## Dependencies + +Zammad requires Elasticsearch and PostgreSQL database server. +This role has been successfully tested together with the following roles: + +- Elasticsearch - [geerlingguy.elasticsearch](https://github.com/geerlingguy/ansible-role-elasticsearch) +- PostgreSQL - [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) + +## Example Playbook + +```yaml + - hosts: servers + roles: + - role: hifis.zammad + become: yes +``` + +## License + +MIT + +## Author Information + +This role was created in 2020 by [HIFIS Software Services](https://hifis.net/). 
diff --git a/roles/zammad/VERSION b/roles/zammad/VERSION
new file mode 100644
index 0000000..7ec1d6d
--- /dev/null
+++ b/roles/zammad/VERSION
@@ -0,0 +1 @@
+2.1.0
diff --git a/roles/zammad/defaults/main.yml b/roles/zammad/defaults/main.yml
new file mode 100644
index 0000000..fb66658
--- /dev/null
+++ b/roles/zammad/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+zammad_version: "6.2.0"
+zammad_release_channel: "stable"
+zammad_domain_name: "{{ ansible_fqdn }}"
+
+zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf"
+zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem"
+zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem"
+
+zammad_nginx_additional_server_configs: []
+zammad_nginx_server_tokens: "off"
+
+elasticsearch_url: "http://localhost:9200"
+...
diff --git a/roles/zammad/handlers/main.yml b/roles/zammad/handlers/main.yml
new file mode 100644
index 0000000..4c54af5
--- /dev/null
+++ b/roles/zammad/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Reload nginx
+ ansible.builtin.service:
+ name: nginx
+ state: reloaded
+
+- name: Set Elasticsearch server address
+ ansible.builtin.command: zammad run rails r "Setting.set('es_url', '{{ elasticsearch_url | quote }}')"
+ changed_when: true
+
+- name: Build search index
+ ansible.builtin.command: zammad run rake zammad:searchindex:rebuild
+ changed_when: true
+
+...
diff --git a/roles/zammad/meta/main.yml b/roles/zammad/meta/main.yml
new file mode 100644
index 0000000..8e009b3
--- /dev/null
+++ b/roles/zammad/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ role_name: zammad
+ namespace: hifis
+ description: Install Zammad helpdesk on Linux.
+ author: HIFIS Software Services
+ company: Helmholtz Association of German Research Centres
+ license: MIT
+ issue_tracker_url: https://github.com/Helmholtz-UFZ/ansible-role-zammad/issues
+ min_ansible_version: "2.14"
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+ - jammy
+
+ galaxy_tags:
+ - zammad
+
+dependencies: []
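Review bot: In handlers/main.yml, "Set Elasticsearch server address" applies the `quote` filter, which is shell quoting, to a value that is spliced into a Ruby string literal and run through `ansible.builtin.command`, where no shell is involved. For a value made only of shell-safe characters the filter is a no-op; for anything else it wraps the value in single quotes, which end the surrounding `'…'` in the Ruby source, so the handler either fails to parse or evaluates code other than the intended `Setting.set` call. The variable is operator-supplied, so this is mainly a robustness and hardening issue. Validating it first, for example with an `ansible.builtin.assert` on `elasticsearch_url is match('^https?://[A-Za-z0-9.:/_-]+$')`, and then dropping `| quote` puts the check at the right layer.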
diff --git a/roles/zammad/tasks/install.yml b/roles/zammad/tasks/install.yml
new file mode 100644
index 0000000..4c036f8
--- /dev/null
+++ b/roles/zammad/tasks/install.yml
@@ -0,0 +1,62 @@
+---
+
+- name: "Configure Zammad repository for Centos-like"
+ when: ansible_distribution | lower == 'centos'
+ block:
+
+ - name: Install | Install EPEL repo
+ ansible.builtin.yum:
+ name: epel-release
+ state: present
+
+ - name: Install | Add Zammad yum repository
+ ansible.builtin.yum_repository:
+ name: zammad
+ state: present
+ description: Repository for zammad/zammad ({{ zammad_release_channel }}) packages.
+ baseurl: https://dl.packager.io/srv/rpm/zammad/zammad/{{ zammad_release_channel }}/el/7/$basearch
+ enabled: yes
+ gpgcheck: no
+ repo_gpgcheck: yes
+ gpgkey: https://dl.packager.io/srv/zammad/zammad/key
+ mode: 0644
+
+- name: "Configure Zammad repository for Ubuntu"
+ when: ansible_distribution | lower == 'ubuntu'
+ block:
+
+ - name: Install | Add Zammad apt key
+ ansible.builtin.apt_key:
+ url: https://dl.packager.io/srv/zammad/zammad/key
+ state: present
+
+ - name: Install | Add Zammad DEB repository
+ ansible.builtin.apt_repository:
+ repo: deb https://dl.packager.io/srv/deb/zammad/zammad/{{ zammad_release_channel }}/ubuntu {{ ansible_distribution_version }} main
+ state: present
+ filename: zammad
+ update_cache: yes
+ mode: 0644
+
+- name: Install | Install Zammad package
+ ansible.builtin.package:
+ name: zammad={{ zammad_version }}*
+ state: present
+ force: yes
+ notify:
+ - Set Elasticsearch server address
+ - Build search index
+
+- name: Install | Start and enable services
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ loop:
+ - zammad
+ - zammad-web
+ - zammad-worker
+ - zammad-websocket
+ notify: Build search index
+
+...
diff --git a/roles/zammad/tasks/main.yml b/roles/zammad/tasks/main.yml
new file mode 100644
index 0000000..0fe446c
--- /dev/null
+++ b/roles/zammad/tasks/main.yml
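Review bot: "Install | Install Zammad package" passes `force: yes`, which on apt hosts is handed to the apt module, where it corresponds to `--force-yes` and is documented as implying unauthenticated installs as well as downgrades, so the repository key added two tasks earlier no longer protects the install. If the aim is only to allow moving to an older `zammad_version`, `allow_downgrade: true` on `ansible.builtin.apt` does that without dropping signature checks. The yum repository has a related gap: `gpgcheck: no` with `repo_gpgcheck: yes` verifies repository metadata but not the RPMs themselves, and if upstream does not sign its RPMs a comment saying so would explain the setting. `ansible.builtin.apt_key` also places the packager.io key in the global trusted keyring, where it is accepted for every configured source; a keyring file referenced with `signed-by=` in the `repo:` line would scope it to this repository.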
@@ -0,0 +1,12 @@
+---
+
+- name: Install zammad
+ ansible.builtin.import_tasks: install.yml
+
+- name: Set up SSL/TLS
+ ansible.builtin.import_tasks: ssl.yml
+
+- name: Configure nginx
+ ansible.builtin.import_tasks: nginx-config.yml
+
+...
diff --git a/roles/zammad/tasks/nginx-config.yml b/roles/zammad/tasks/nginx-config.yml
new file mode 100644
index 0000000..777000c
--- /dev/null
+++ b/roles/zammad/tasks/nginx-config.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Nginx | Create config
+ ansible.builtin.template:
+ src: nginx-zammad.conf.j2
+ dest: "{{ zammad_nginx_config_path }}"
+ mode: 0644
+ owner: root
+ group: root
+ notify: Reload nginx
+
+...
diff --git a/roles/zammad/tasks/ssl.yml b/roles/zammad/tasks/ssl.yml
new file mode 100644
index 0000000..cb267a2
--- /dev/null
+++ b/roles/zammad/tasks/ssl.yml
@@ -0,0 +1,43 @@
+---
+
+- name: SSL | Insert private key
+ ansible.builtin.blockinfile:
+ path: "{{ zammad_ssl_key_path }}"
+ create: true
+ block: |
+ {{ zammad_ssl_key }}
+ mode: 0640
+ owner: root
+ group: root
+ when: zammad_ssl_key | default('') | length > 0
+
+- name: SSL | Insert certificate
+ ansible.builtin.blockinfile:
+ path: "{{ zammad_ssl_cert_path }}"
+ create: true
+ block: |
+ {{ zammad_ssl_cert }}
+ mode: 0644
+ owner: root
+ group: root
+ when: zammad_ssl_cert | default('') | length > 0
+
+- name: SSL | Check if certificate is still valid, ignoring failures
+ community.crypto.x509_certificate_info:
+ path: "{{ zammad_ssl_cert_path }}"
+ register: certificate
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: SSL | Ensure certificate and private key match
+ community.crypto.openssl_privatekey_info:
+ path: "{{ zammad_ssl_key_path }}"
+ register: private_key
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: SSL | Validate that certificate is still valid
+ ansible.builtin.assert:
+ that:
+ - not certificate.expired
+ - certificate.public_key == private_key.public_key
+
+...
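Review bot: In ssl.yml the two info tasks set `ignore_errors: "{{ ansible_check_mode }}"`, but the closing `assert` has no guard, so in check mode on a host where the files were not actually written `certificate.expired` and `private_key.public_key` are presumably undefined and the play still fails there; `when: not ansible_check_mode` on the assert would match the intent. The task names also mislead: "Check if certificate is still valid" and "Ensure certificate and private key match" only read information, while the expiry and key-match checks both happen in the final assert. For the private key, `mode: 0640` with `owner: root` and `group: root` could be the quoted string `"0600"`. `ansible.builtin.copy` with `content:` would avoid the BEGIN/END marker lines that `blockinfile` writes into the PEM files.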
diff --git a/roles/zammad/templates/nginx-zammad.conf.j2 b/roles/zammad/templates/nginx-zammad.conf.j2
new file mode 100644
index 0000000..4d7aab2
--- /dev/null
+++ b/roles/zammad/templates/nginx-zammad.conf.j2
@@ -0,0 +1,95 @@ +# {{ ansible_managed }} +# +# this is the nginx config for zammad +# + +upstream zammad-railsserver { + server 127.0.0.1:3000; +} + +upstream zammad-websocket { + server 127.0.0.1:6042; +} + +server { + listen 80; + server_name {{ zammad_domain_name }}; + server_tokens {{ zammad_nginx_server_tokens }}; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name {{ zammad_domain_name }}; + + server_tokens {{ zammad_nginx_server_tokens }}; + + ssl_certificate {{ zammad_ssl_cert_path }}; + ssl_certificate_key {{ zammad_ssl_key_path }}; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + location = /robots.txt { + access_log off; log_not_found off; + } + + location = /favicon.ico { + access_log off; log_not_found off; + } + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + + {% if zammad_version is version('6.0', 'ge') +%} + location /cable { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_set_header 
CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-railsserver; + } + {% endif %} + + location / { + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } +} + +{% for server_config in zammad_nginx_additional_server_configs %} +{{ server_config }} +{% endfor %}
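Review bot: `location /` and `location /cable` forward `Host $http_host`, the raw client-supplied header, and the template defines no catch-all server for port 443, so unless another site on the host declares `default_server`, requests carrying an arbitrary Host header are handled by this block and reach Rails with that value. Whether Zammad uses the request host when building links is not visible here, but forwarding a fixed value such as `proxy_set_header Host {{ zammad_domain_name }};`, or adding a separate default server that rejects unknown names, removes the dependency on client input. `X-Forwarded-For $proxy_add_x_forwarded_for` likewise appends to whatever the client sent, so the backend should trust only the last hop, or the header can be set to `$remote_addr` when nginx is the outermost proxy. `zammad_nginx_additional_server_configs` is rendered verbatim at the end of the file, which deserves a comment in the template stating that its entries must come from trusted inventory only.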