From 978aae108239c4b276ced99ef6f17d645ecff3ee Mon Sep 17 00:00:00 2001
From: Norman Ziegner
Date: Fri, 15 Mar 2024 15:15:26 +0100
Subject: [PATCH] Merge zammad role into collection
Signed-off-by: Norman Ziegner
---
 .github/labeler.yml | 6 +
 .github/workflows/zammad.yml | 73 +++++++++++
 .yamllint.yml | 2 +-
 molecule/zammad/converge.yml | 25 ++++
 molecule/zammad/molecule.yml | 25 ++++
 molecule/zammad/prepare.yml | 36 +++++
 molecule/zammad/requirements.yml | 13 ++
 molecule/zammad/verify.yml | 11 ++
 requirements.yml | 4 +
 roles/zammad/CHANGELOG.md | 135 +++++++++++++++++++
 roles/zammad/LICENSE | 21 +++
 roles/zammad/README.md | 137 ++++++++++++++++++++
 roles/zammad/defaults/main.yml | 14 ++
 roles/zammad/handlers/main.yml | 16 +++
 roles/zammad/meta/main.yml | 20 +++
 roles/zammad/tasks/install.yml | 62 +++++++++
 roles/zammad/tasks/main.yml | 12 ++
 roles/zammad/tasks/nginx-config.yml | 12 ++
 roles/zammad/tasks/ssl.yml | 43 ++++++
 roles/zammad/templates/nginx-zammad.conf.j2 | 95 ++++++++++++++
 20 files changed, 761 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/zammad.yml
 create mode 100644 molecule/zammad/converge.yml
 create mode 100644 molecule/zammad/molecule.yml
 create mode 100644 molecule/zammad/prepare.yml
 create mode 100644 molecule/zammad/requirements.yml
 create mode 100644 molecule/zammad/verify.yml
 create mode 100644 requirements.yml
 create mode 100644 roles/zammad/CHANGELOG.md
 create mode 100644 roles/zammad/LICENSE
 create mode 100644 roles/zammad/README.md
 create mode 100644 roles/zammad/defaults/main.yml
 create mode 100644 roles/zammad/handlers/main.yml
 create mode 100644 roles/zammad/meta/main.yml
 create mode 100644 roles/zammad/tasks/install.yml
 create mode 100644 roles/zammad/tasks/main.yml
 create mode 100644 roles/zammad/tasks/nginx-config.yml
 create mode 100644 roles/zammad/tasks/ssl.yml
 create mode 100644 roles/zammad/templates/nginx-zammad.conf.j2
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 14c9dd9..bdeb987 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -5,3 +5,9 @@ unattended_upgrades:
 - "roles/unattended_upgrades/**"
 - "molecule/unattended_upgrades/**"
 - ".github/workflows/unattended_upgrades.yml"
+zammad:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "roles/zammad/**"
+ - "molecule/zammad/**"
+ - ".github/workflows/zammad.yml"
diff --git a/.github/workflows/zammad.yml b/.github/workflows/zammad.yml
new file mode 100644
index 0000000..d3977d7
--- /dev/null
+++ b/.github/workflows/zammad.yml
@@ -0,0 +1,73 @@
+---
+name: "hifis.zammad"
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/zammad.yml'
+ - 'roles/zammad/**'
+ - 'molecule/zammad/**'
+ - 'Pipfile'
+ - 'Pipfile.lock'
+ push:
+ branches:
+ - "main"
+ tags:
+ - "v*.*.*"
+ paths:
+ - '.github/workflows/zammad.yml'
+ - 'roles/zammad/**'
+ - 'molecule/zammad/**'
+ - 'Pipfile'
+ - 'Pipfile.lock'
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+
+ test:
+ name: "Run Molecule tests."
+ runs-on: "ubuntu-22.04"
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
+ - "ghcr.io/hifis-net/ubuntu-systemd:20.04"
+
+ steps:
+ - name: "Check out the codebase."
+ uses: "actions/checkout@v4"
+ with:
+ path: "ansible_collections/hifis/software_services"
+
+ - name: "Prepare the job environment."
+ uses: "./ansible_collections/hifis/software_services/.github/workflows/prepare-action"
+
+ # https://github.com/ansible/molecule/issues/3806
+ - name: "Help molecule to find the dependencies"
+ run: |
+ mkdir -p /home/runner/.ansible
+ ln -s /home/runner/work/ansible-role-unattended-upgrades/ansible-role-unattended-upgrades/ansible_collections/hifis/software_services/roles \
+ /home/runner/.ansible/roles
+
+ - name: "Install modern podman"
+ run: |
+ sudo mkdir -p /etc/apt/keyrings
+ curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
+ | gpg --dearmor \
+ | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
+ https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
+ | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
+ sudo apt-get update -qq
+ sudo apt-get -qq -y install podman
+
+ - name: "Run Molecule tests."
+ run: "XDG_RUNTIME_DIR=/run/user/$UID pipenv run molecule test -s zammad"
+ env:
+ MOLECULE_IMAGE: "${{ matrix.image }}"
+ working-directory: "ansible_collections/hifis/software_services"
diff --git a/.yamllint.yml b/.yamllint.yml
index 1e2eb72..09f2050 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -19,7 +19,7 @@ rules:
 max-spaces-after: -1
 level: "error"
 comments: "disable"
- comments-indentation: "enable"
+ comments-indentation: "disable"
 document-start: "disable"
 empty-lines:
 max: 3
diff --git a/molecule/zammad/converge.yml b/molecule/zammad/converge.yml
new file mode 100644
index 0000000..3cf7090
--- /dev/null
+++ b/molecule/zammad/converge.yml
@@ -0,0 +1,25 @@
+---
+- name: "Converge"
+ hosts: "all"
+ tasks:
+
+ - name: "Get private key content"
+ ansible.builtin.command: "cat /etc/ssl/private/ssl-cert-snakeoil.key"
+ changed_when: false
+ check_mode: false
+ register: "private_key"
+
+ - name: "Get SSL certificate content"
+ ansible.builtin.command: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem"
+ changed_when: false
+ check_mode: false
+ register: "certificate"
+
+ - name: "Pass SSL key pair to zammad role"
+ ansible.builtin.set_fact:
+ zammad_ssl_key: "{{ private_key.stdout }}"
+ zammad_ssl_cert: "{{ certificate.stdout }}"
+
+ - name: "Include ansible-role-zammad"
+ ansible.builtin.include_role:
+ name: "hifis.software_services.zammad"
diff --git a/molecule/zammad/molecule.yml b/molecule/zammad/molecule.yml
new file mode 100644
index 0000000..917efd9
--- /dev/null
+++ b/molecule/zammad/molecule.yml
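Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN takes whatever default the repository or organisation sets, while the same job runs third-party Galaxy roles, a privileged podman container and packages from the `devel:kubic:libcontainers:unstable` apt repository. A top-level `permissions:` with `contents: read` would limit the token to what the checkout step needs. Separately, the `ln -s` step hard-codes `/home/runner/work/ansible-role-unattended-upgrades/ansible-role-unattended-upgrades/`, which only resolves while the repository keeps that name; `"${GITHUB_WORKSPACE}/ansible_collections/hifis/software_services/roles"` would follow the checkout instead.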
@@ -0,0 +1,25 @@
+---
+dependency:
+ name: "galaxy"
+ options:
+ requirements-file: "molecule/zammad/requirements.yml"
+driver:
+ name: "podman"
+platforms:
+ - name: "instance"
+ image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:22.04}"
+ pre_build_image: true
+ privileged: true
+ override_command: false
+ systemd: true
+ tty: true
+ published_ports:
+ - "0.0.0.0:8080:80"
+ - "0.0.0.0:8443:443"
+provisioner:
+ name: "ansible"
+ playbooks:
+ prepare: "prepare.yml"
+ converge: "converge.yml"
+verifier:
+ name: "ansible"
diff --git a/molecule/zammad/prepare.yml b/molecule/zammad/prepare.yml
new file mode 100644
index 0000000..b5635c6
--- /dev/null
+++ b/molecule/zammad/prepare.yml
@@ -0,0 +1,36 @@
+---
+- name: "Prepare"
+ hosts: "all"
+ vars:
+ # Apply suggested Elasticsearch configuration
+ elasticsearch_version: "8.x"
+ elasticsearch_package: "elasticsearch=8.8.1"
+ elasticsearch_heap_size_min: "256m"
+ elasticsearch_heap_size_max: "256m"
+ elasticsearch_extra_options: |
+ xpack.security.enabled: false
+ xpack.security.http.ssl.enabled: false
+ xpack.security.transport.ssl.enabled: false
+ http.max_content_length: 400mb
+ indices.query.bool.max_clause_count: 2000
+
+ tasks:
+
+ - name: "Install required packages"
+ ansible.builtin.apt:
+ name:
+ - "sudo"
+ - "gpg"
+ - "ca-certificates"
+ - "python3-cryptography"
+ - "ssl-cert"
+ state: "present"
+ update_cache: true
+
+ - name: "Include geerlingguy.elasticsearch"
+ ansible.builtin.include_role:
+ name: "geerlingguy.elasticsearch"
+
+ - name: "Include geerlingguy.postgresql"
+ ansible.builtin.include_role:
+ name: "geerlingguy.postgresql"
diff --git a/molecule/zammad/requirements.yml b/molecule/zammad/requirements.yml
new file mode 100644
index 0000000..ef5e60e
--- /dev/null
+++ b/molecule/zammad/requirements.yml
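Review bot: `published_ports` in molecule.yml binds the test instance to `0.0.0.0:8080` and `0.0.0.0:8443`, so anyone running this scenario on a workstation exposes a `privileged: true` container with a snakeoil certificate on every interface of the host. verify.yml in the same commit queries `https://localhost` on the instance itself, so the published ports do not appear to be needed for the test. If they are kept for manual inspection, `- "127.0.0.1:8080:80"` and `- "127.0.0.1:8443:443"` restrict them to loopback.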
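Review bot: The comment `# Apply suggested Elasticsearch configuration` in prepare.yml sits directly above `elasticsearch_extra_options`, which sets `xpack.security.enabled: false` and turns off both TLS options, and nothing marks those settings as test-only. Since a molecule scenario is often read as a usage example, I would reword the comment to `# Test-only Elasticsearch settings: X-Pack security and TLS are disabled for the throwaway molecule container; do not copy into a production inventory`.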
@@ -0,0 +1,13 @@
+---
+
+
+collections:
+ - name: "community.crypto"
+ version: "2.14.1" # Required due to https://github.com/ansible-collections/community.crypto/issues/627
+
+roles:
+ - src: "geerlingguy.elasticsearch"
+ version: "5.1.2"
+
+ - src: "geerlingguy.postgresql"
+ version: "3.5.0"
diff --git a/molecule/zammad/verify.yml b/molecule/zammad/verify.yml
new file mode 100644
index 0000000..ad96e22
--- /dev/null
+++ b/molecule/zammad/verify.yml
@@ -0,0 +1,11 @@
+---
+- name: "Verify"
+ hosts: "all"
+ tasks:
+ - name: "Check that Zammad web interface is available"
+ ansible.builtin.uri:
+ url: "https://localhost"
+ validate_certs: false
+ return_content: true
+ register: "zammad_web"
+ failed_when: "'Zammad Helpdesk' not in zammad_web.content"
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..a031a2a
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,4 @@
+---
+
+collections:
+ - name: "community.crypto"
diff --git a/roles/zammad/CHANGELOG.md b/roles/zammad/CHANGELOG.md
new file mode 100644
index 0000000..83b8d9f
--- /dev/null
+++ b/roles/zammad/CHANGELOG.md
@@ -0,0 +1,135 @@ +# Changelog + +## [v2.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.1.0) (2024-03-14) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/v2.0.0...v2.1.0) + +**Closed issues:** + +- Release version 2.0.0 [\#43](https://github.com/hifis-net/ansible-role-zammad/issues/43) + +**Merged pull requests:** + +- chore\(deps-dev\): bump ansible-lint from 24.2.0 to 24.2.1 [\#82](https://github.com/hifis-net/ansible-role-zammad/pull/82) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Prepare release 2.1.0 [\#81](https://github.com/hifis-net/ansible-role-zammad/pull/81) ([Normo](https://github.com/Normo)) +- Bump ansible from 9.2.0 to 9.3.0 [\#80](https://github.com/hifis-net/ansible-role-zammad/pull/80) ([dependabot[bot]](https://github.com/apps/dependabot)) +- ci: install a recent podman version [\#79](https://github.com/hifis-net/ansible-role-zammad/pull/79) ([Normo](https://github.com/Normo)) +- Bump molecule-plugins from 23.5.0 to 23.5.3 [\#78](https://github.com/hifis-net/ansible-role-zammad/pull/78) ([dependabot[bot]](https://github.com/apps/dependabot)) +- fix: update nginx ssl ciphers to get TLSv1.2 working again [\#77](https://github.com/hifis-net/ansible-role-zammad/pull/77) ([Normo](https://github.com/Normo)) +- Bump yamllint from 1.33.0 to 1.35.1 [\#76](https://github.com/hifis-net/ansible-role-zammad/pull/76) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule from 5.1.0 to 24.2.0 [\#75](https://github.com/hifis-net/ansible-role-zammad/pull/75) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible-lint from 6.17.2 to 24.2.0 [\#73](https://github.com/hifis-net/ansible-role-zammad/pull/73) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump ansible from 8.1.0 to 9.2.0 [\#72](https://github.com/hifis-net/ansible-role-zammad/pull/72) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump yamllint from 1.32.0 to 1.33.0 
[\#66](https://github.com/hifis-net/ansible-role-zammad/pull/66) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump actions/checkout from 3 to 4 [\#56](https://github.com/hifis-net/ansible-role-zammad/pull/56) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump molecule-plugins from 23.4.1 to 23.5.0 [\#51](https://github.com/hifis-net/ansible-role-zammad/pull/51) ([dependabot[bot]](https://github.com/apps/dependabot)) +- docs: add galaxy badges to README [\#49](https://github.com/hifis-net/ansible-role-zammad/pull/49) ([tobiashuste](https://github.com/tobiashuste)) + +## [v2.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/v2.0.0) (2023-07-04) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.4.0...v2.0.0) + +**Implemented enhancements:** + +- feat: ensure compatibility with Zammad \>= 6.0 [\#37](https://github.com/hifis-net/ansible-role-zammad/pull/37) ([tobiashuste](https://github.com/tobiashuste)) +- feat: add support for Ubuntu 22.04 [\#34](https://github.com/hifis-net/ansible-role-zammad/pull/34) ([tobiashuste](https://github.com/tobiashuste)) + +**Closed issues:** + +- Add CHANGELOG [\#30](https://github.com/hifis-net/ansible-role-zammad/issues/30) +- Add CITATION.cff [\#39](https://github.com/hifis-net/ansible-role-zammad/issues/39) +- Establish compatibility with Zammad \>= 6.0 [\#36](https://github.com/hifis-net/ansible-role-zammad/issues/36) +- Update README [\#35](https://github.com/hifis-net/ansible-role-zammad/issues/35) +- Unify the GitHub Actions workflow with other projects [\#31](https://github.com/hifis-net/ansible-role-zammad/issues/31) +- Rename default branch to main [\#29](https://github.com/hifis-net/ansible-role-zammad/issues/29) +- Add support for Ubuntu 22.04 [\#27](https://github.com/hifis-net/ansible-role-zammad/issues/27) + +**Merged pull requests:** + +- Bump geerlingguy.postgresql from 2.2.1 to 3.0.0 [\#26](https://github.com/hifis-net/ansible-role-zammad/pull/26) 
([Normo](https://github.com/Normo)) +- Set Zammad 3.6.0 as default version [\#25](https://github.com/hifis-net/ansible-role-zammad/pull/25) ([Normo](https://github.com/Normo)) +- Bump elastic.elasticsearch from 7.9.3 to 7.10.0 [\#24](https://github.com/hifis-net/ansible-role-zammad/pull/24) ([Normo](https://github.com/Normo)) +- chore: prepare relase of version 2.0.0 [\#46](https://github.com/hifis-net/ansible-role-zammad/pull/46) ([tobiashuste](https://github.com/tobiashuste)) +- fix: properly check if the ssl variables are set [\#41](https://github.com/hifis-net/ansible-role-zammad/pull/41) ([tobiashuste](https://github.com/tobiashuste)) +- chore: add CITATION.cff [\#40](https://github.com/hifis-net/ansible-role-zammad/pull/40) ([Normo](https://github.com/Normo)) +- docs: update README information [\#38](https://github.com/hifis-net/ansible-role-zammad/pull/38) ([tobiashuste](https://github.com/tobiashuste)) +- style: fix ansible-lint violations [\#33](https://github.com/hifis-net/ansible-role-zammad/pull/33) ([tobiashuste](https://github.com/tobiashuste)) +- ci: fix and align GitHub Actions workflow [\#32](https://github.com/hifis-net/ansible-role-zammad/pull/32) ([tobiashuste](https://github.com/tobiashuste)) +- ci: configure Dependabot version updates [\#28](https://github.com/hifis-net/ansible-role-zammad/pull/28) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.4.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.4.0) (2020-11-09) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.3.0...1.4.0) + +**Implemented enhancements:** + +- Add Ansible Galaxy release job [\#23](https://github.com/hifis-net/ansible-role-zammad/pull/23) ([Normo](https://github.com/Normo)) + +**Closed issues:** + +- Automate role import into Ansible Galaxy [\#19](https://github.com/hifis-net/ansible-role-zammad/issues/19) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.2 to 7.9.3 
[\#22](https://github.com/hifis-net/ansible-role-zammad/pull/22) ([Normo](https://github.com/Normo)) +- Update molecule action [\#21](https://github.com/hifis-net/ansible-role-zammad/pull/21) ([Normo](https://github.com/Normo)) +- Explicitly set file permissions for repository files [\#20](https://github.com/hifis-net/ansible-role-zammad/pull/20) ([Normo](https://github.com/Normo)) + +## [1.3.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.3.0) (2020-10-06) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.2.0...1.3.0) + +**Implemented enhancements:** + +- Allow to disable Nginx version information [\#15](https://github.com/hifis-net/ansible-role-zammad/issues/15) +- Allow to specify SSL certificates via path only [\#13](https://github.com/hifis-net/ansible-role-zammad/issues/13) + +**Merged pull requests:** + +- Bump elastic.elasticsearch from 7.9.0 to 7.9.2 [\#18](https://github.com/hifis-net/ansible-role-zammad/pull/18) ([tobiashuste](https://github.com/tobiashuste)) +- Install Zammad 3.5.0 by default [\#17](https://github.com/hifis-net/ansible-role-zammad/pull/17) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to configure nginx server\_tokens directive [\#16](https://github.com/hifis-net/ansible-role-zammad/pull/16) ([tobiashuste](https://github.com/tobiashuste)) +- Allow to use SSL keypair given by path only [\#14](https://github.com/hifis-net/ansible-role-zammad/pull/14) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.2.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.2.0) (2020-08-27) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.1.0...1.2.0) + +**Implemented enhancements:** + +- Add Ubuntu 20.04 focal support [\#8](https://github.com/hifis-net/ansible-role-zammad/issues/8) +- Allow to optionally configure additional server directives in Nginx config [\#5](https://github.com/hifis-net/ansible-role-zammad/issues/5) +- Allow to optionally configure additional 
Nginx server directives [\#7](https://github.com/hifis-net/ansible-role-zammad/pull/7) ([tobiashuste](https://github.com/tobiashuste)) + +**Merged pull requests:** + +- molecule verify: Check wether Zammad web interface is available [\#12](https://github.com/hifis-net/ansible-role-zammad/pull/12) ([Normo](https://github.com/Normo)) +- Add Ubuntu 20.4 support [\#11](https://github.com/hifis-net/ansible-role-zammad/pull/11) ([Normo](https://github.com/Normo)) +- Update molecule action [\#10](https://github.com/hifis-net/ansible-role-zammad/pull/10) ([Normo](https://github.com/Normo)) +- Update requirements.yml [\#9](https://github.com/hifis-net/ansible-role-zammad/pull/9) ([Normo](https://github.com/Normo)) +- Install Zammad 3.4.0 by default [\#6](https://github.com/hifis-net/ansible-role-zammad/pull/6) ([Normo](https://github.com/Normo)) + +## [1.1.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.1.0) (2020-07-16) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/1.0.0...1.1.0) + +**Implemented enhancements:** + +- Allow to install packages from the development channel [\#3](https://github.com/hifis-net/ansible-role-zammad/issues/3) + +**Merged pull requests:** + +- Make Zammad release channel configurable [\#4](https://github.com/hifis-net/ansible-role-zammad/pull/4) ([tobiashuste](https://github.com/tobiashuste)) + +## [1.0.0](https://github.com/hifis-net/ansible-role-zammad/tree/1.0.0) (2020-05-12) + +[Full Changelog](https://github.com/hifis-net/ansible-role-zammad/compare/157bef1dfe6bc566f10f927ab929b3910d3ea986...1.0.0) + +**Merged pull requests:** + +- Specify zammad version on installation [\#2](https://github.com/hifis-net/ansible-role-zammad/pull/2) ([Normo](https://github.com/Normo)) +- Create GitHub actions workflow [\#1](https://github.com/hifis-net/ansible-role-zammad/pull/1) ([Normo](https://github.com/Normo)) + + + +\* *This Changelog was automatically generated by 
[github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
diff --git a/roles/zammad/LICENSE b/roles/zammad/LICENSE
new file mode 100644
index 0000000..251a712
--- /dev/null
+++ b/roles/zammad/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Helmholtz Centre for Environmental Research – UFZ
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/roles/zammad/README.md b/roles/zammad/README.md
new file mode 100644
index 0000000..6dbc8e1
--- /dev/null
+++ b/roles/zammad/README.md
@@ -0,0 +1,137 @@
+# Ansible role: Zammad
+
+[![CI Status](https://github.com/hifis-net/ansible-role-unattended-upgrades/actions/workflows/zammad.yml/badge.svg)](https://github.com/hifis-net/ansible-role-zammad/actions/workflows/zammad.yml)
+[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/hifis-net/ansible-role-zammad/blob/main/LICENSE.md)
+
+An Ansible Role that installs and configures the web-based open source user
+support/ticketing solution [Zammad](https://zammad.org/).
+
+**Note:** This role does not install elasticsearch and postgresql server.
+See [Dependencies](#dependencies).
+
+## Requirements
+
+The below requirements are needed on the target host:
+
+- [cryptography](https://pypi.org/project/cryptography/) >= 1.6.0
+
+## Role Variables
+
+```yaml
+zammad_version: "6.2.0"
+```
+
+Zammad version to be installed.
+
+```yaml
+zammad_release_channel: "stable"
+```
+
+Choose another release channel for the Zammad packages.
+Please refer to for a complete list.
+
+```yaml
+zammad_domain_name: "{{ ansible_fqdn }}"
+```
+
+Zammad's fully qualified domain name.
+
+```yaml
+zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf"
+```
+
+File path to Zammad's Nginx config.
+
+```yaml
+zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem"
+```
+
+File path to the SSL/TLS certificate which is used for HTTPS.
+
+```yaml
+zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem"
+```
+
+File path to the SSL/TLS private key which is used for HTTPS.
+
+```yaml
+zammad_ssl_cert:
+```
+
+Content of SSL/TLS certificate (**required**).
+
+```yaml
+zammad_ssl_key:
+```
+
+Content of SSL/TLS private key (**required**).
+**Please note:** In the special case, that you previously put an SSL keypair
+on the host, e.g. via Let's Encrypt, you must not configure the variables
+`zammad_ssl_cert` and `zammad_ssl_key`.
+Nevertheless, in each case the role will
+validate, if the SSL key pair is given under the paths `zammad_ssl_key_path` and
+`zammad_ssl_cert_path` are valid.
+
+```yaml
+zammad_nginx_server_tokens: "off"
+```
+
+Enable or disable emitting nginx version information in error pages or in the
+_Server_ response header field. Please read the nginx
+[docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
+for further information.
+
+```yaml
+zammad_nginx_additional_server_configs:
+ - |
+ server {
+ listen 80;
+ server_name zammad.example.com zammad-old.example.com;
+ return 301 https://zammad.example.com$request_uri;
+ }
+ - |
+ server {
+ listen 443 ssl;
+
+ # ... SSL configuration
+
+ server_name zammad-old.example.com;
+ return 301 https://zammad.example.com$request_uri;
+ }
+```
+
+Configure additional server directives in the Nginx configuration.
+This allows to implement more use case specific adjustments, e.g.
+configuring multiple domains or the redirection of outdated domains to the
+most recent one.
+
+```yaml
+elasticsearch_url: "http://localhost:9200"
+```
+
+Elasticsearch server address.
+
+## Dependencies
+
+Zammad requires Elasticsearch and PostgreSQL database server.
+This role has been successfully tested together with the following roles:
+
+- Elasticsearch - [geerlingguy.elasticsearch](https://github.com/geerlingguy/ansible-role-elasticsearch)
+- PostgreSQL - [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql)
+
+## Example Playbook
+
+```yaml
+ - hosts: servers
+ roles:
+ - role: hifis.zammad
+ become: yes
+```
+
+## License
+
+MIT
+
+## Author Information
+
+This role was created in 2020 by [HIFIS Software Services](https://hifis.net/).
diff --git a/roles/zammad/defaults/main.yml b/roles/zammad/defaults/main.yml
new file mode 100644
index 0000000..fb66658
--- /dev/null
+++ b/roles/zammad/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+zammad_version: "6.2.0"
+zammad_release_channel: "stable"
+zammad_domain_name: "{{ ansible_fqdn }}"
+
+zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf"
+zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem"
+zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem"
+
+zammad_nginx_additional_server_configs: []
+zammad_nginx_server_tokens: "off"
+
+elasticsearch_url: "http://localhost:9200"
+...
diff --git a/roles/zammad/handlers/main.yml b/roles/zammad/handlers/main.yml
new file mode 100644
index 0000000..4841f34
--- /dev/null
+++ b/roles/zammad/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: "Reload nginx"
+ ansible.builtin.service:
+ name: "nginx"
+ state: "reloaded"
+
+- name: "Set Elasticsearch server address"
+ ansible.builtin.command: >-
+ zammad run rails r "Setting.set('es_url', '{{ elasticsearch_url | quote }}')"
+ changed_when: true
+
+- name: "Build search index"
+ ansible.builtin.command: "zammad run rake zammad:searchindex:rebuild"
+ changed_when: true
+
+...
diff --git a/roles/zammad/meta/main.yml b/roles/zammad/meta/main.yml
new file mode 100644
index 0000000..30f6d57
--- /dev/null
+++ b/roles/zammad/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ role_name: "zammad"
+ namespace: "hifis"
+ description: "Install Zammad helpdesk on Linux."
+ author: "HIFIS Software Services"
+ company: "Helmholtz Association of German Research Centres"
+ license: "MIT"
+ issue_tracker_url: "https://github.com/hifis-net/ansible-role-unattended-upgrades/issues"
+ min_ansible_version: "2.14"
+
+ platforms:
+ - name: "Ubuntu"
+ versions:
+ - "focal"
+ - "jammy"
+
+ galaxy_tags:
+ - "zammad"
+
+dependencies: []
diff --git a/roles/zammad/tasks/install.yml b/roles/zammad/tasks/install.yml
new file mode 100644
index 0000000..8d4a978
--- /dev/null
+++ b/roles/zammad/tasks/install.yml
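Review bot: In the handler "Set Elasticsearch server address", `{{ elasticsearch_url | quote }}` applies shell quoting to a value that is interpolated into a Ruby single-quoted string literal passed to `rails r`, which is the wrong escaping for that context. For a plain URL such as the default the filter changes nothing, but a value with characters the filter treats as unsafe gets wrapped in a second pair of single quotes and breaks the literal, and a value containing `'` ends the literal early. I would drop `| quote` and validate the variable before use, for example with an `ansible.builtin.assert` on `elasticsearch_url is match('^https?://[A-Za-z0-9.:/_-]+$')`, so the handler only ever sees a well-formed URL.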
@@ -0,0 +1,62 @@
+---
+
+- name: "Configure Zammad repository for Centos-like"
+ when: "ansible_distribution | lower == 'centos'"
+ block:
+
+ - name: "Install | Install EPEL repo"
+ ansible.builtin.yum:
+ name: "epel-release"
+ state: "present"
+
+ - name: "Install | Add Zammad yum repository"
+ ansible.builtin.yum_repository:
+ name: "zammad"
+ state: "present"
+ description: "Repository for zammad/zammad ({{ zammad_release_channel }}) packages."
+ baseurl: "https://dl.packager.io/srv/rpm/zammad/zammad/{{ zammad_release_channel }}/el/7/$basearch"
+ enabled: true
+ gpgcheck: false
+ repo_gpgcheck: true
+ gpgkey: "https://dl.packager.io/srv/zammad/zammad/key"
+ mode: "0644"
+
+- name: "Configure Zammad repository for Ubuntu"
+ when: "ansible_distribution | lower == 'ubuntu'"
+ block:
+
+ - name: "Install | Add Zammad apt key"
+ ansible.builtin.apt_key:
+ url: "https://dl.packager.io/srv/zammad/zammad/key"
+ state: "present"
+
+ - name: "Install | Add Zammad DEB repository"
+ ansible.builtin.apt_repository:
+ repo: "deb https://dl.packager.io/srv/deb/zammad/zammad/{{ zammad_release_channel }}/ubuntu {{ ansible_distribution_version }} main"
+ state: "present"
+ filename: "zammad"
+ update_cache: true
+ mode: "0644"
+
+- name: "Install | Install Zammad package"
+ ansible.builtin.package:
+ name: "zammad={{ zammad_version }}*"
+ state: "present"
+ force: true
+ notify:
+ - "Set Elasticsearch server address"
+ - "Build search index"
+
+- name: "Install | Start and enable services"
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: "started"
+ enabled: true
+ loop:
+ - "zammad"
+ - "zammad-web"
+ - "zammad-worker"
+ - "zammad-websocket"
+ notify: "Build search index"
+
+...
diff --git a/roles/zammad/tasks/main.yml b/roles/zammad/tasks/main.yml
new file mode 100644
index 0000000..b3c0b08
--- /dev/null
+++ b/roles/zammad/tasks/main.yml
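Review bot: `force: true` on "Install | Install Zammad package" is handed through to the apt module on Ubuntu, where it corresponds to `--force-yes` and implies `allow_unauthenticated`, so the Zammad package is installed without signature verification even though the repository key was added two tasks earlier. If the intent was to permit pinned-version downgrades, switching that task to `ansible.builtin.apt` with `allow_downgrade: true` keeps verification on. `ansible.builtin.apt_key` also places the key in the global trusted keyring, where it is trusted for every configured source; storing it under `/etc/apt/keyrings/` and adding `signed-by=` to the `repo:` line scopes it to this repository. On the CentOS branch, `gpgcheck: false` leaves only the repository metadata verified, and `zammad={{ zammad_version }}*` is apt version syntax, so that branch looks untested.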
@@ -0,0 +1,12 @@
+---
+
+- name: "Install zammad"
+ ansible.builtin.import_tasks: "install.yml"
+
+- name: "Set up SSL/TLS"
+ ansible.builtin.import_tasks: "ssl.yml"
+
+- name: "Configure nginx"
+ ansible.builtin.import_tasks: "nginx-config.yml"
+
+...
diff --git a/roles/zammad/tasks/nginx-config.yml b/roles/zammad/tasks/nginx-config.yml
new file mode 100644
index 0000000..54d33a8
--- /dev/null
+++ b/roles/zammad/tasks/nginx-config.yml
@@ -0,0 +1,12 @@
+---
+
+- name: "Nginx | Create config"
+ ansible.builtin.template:
+ src: "nginx-zammad.conf.j2"
+ dest: "{{ zammad_nginx_config_path }}"
+ mode: "0644"
+ owner: "root"
+ group: "root"
+ notify: "Reload nginx"
+
+...
diff --git a/roles/zammad/tasks/ssl.yml b/roles/zammad/tasks/ssl.yml
new file mode 100644
index 0000000..a7bc379
--- /dev/null
+++ b/roles/zammad/tasks/ssl.yml
@@ -0,0 +1,43 @@
+---
+
+- name: "SSL | Insert private key"
+ ansible.builtin.blockinfile:
+ path: "{{ zammad_ssl_key_path }}"
+ create: true
+ block: |
+ {{ zammad_ssl_key }}
+ mode: "0640"
+ owner: "root"
+ group: "root"
+ when: "zammad_ssl_key | default('') | length > 0"
+
+- name: "SSL | Insert certificate"
+ ansible.builtin.blockinfile:
+ path: "{{ zammad_ssl_cert_path }}"
+ create: true
+ block: |
+ {{ zammad_ssl_cert }}
+ mode: "0644"
+ owner: "root"
+ group: "root"
+ when: "zammad_ssl_cert | default('') | length > 0"
+
+- name: "SSL | Check if certificate is still valid, ignoring failures"
+ community.crypto.x509_certificate_info:
+ path: "{{ zammad_ssl_cert_path }}"
+ register: "certificate"
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: "SSL | Ensure certificate and private key match"
+ community.crypto.openssl_privatekey_info:
+ path: "{{ zammad_ssl_key_path }}"
+ register: "private_key"
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: "SSL | Validate that certificate is still valid"
+ ansible.builtin.assert:
+ that:
+ - "not certificate.expired"
+ - "certificate.public_key == private_key.public_key"
+
+...
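Review bot: "SSL | Insert private key" in ssl.yml writes `zammad_ssl_key` without `no_log: true`, so the key material can show up in task output when the play runs with `--diff` or raised verbosity; adding `no_log: true` to that task avoids it. The file is created with `mode: "0640"` under `group: "root"`; `mode: "0600"` would be the tighter choice, assuming nginx reads the key as root. `blockinfile` also surrounds the PEM with marker comment lines, whereas `ansible.builtin.copy` with `content:` would write the key verbatim. In check mode both info tasks ignore errors, after which the final assert reads `certificate.expired` from a failed result, so the assert probably needs `when: "not ansible_check_mode"`.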
diff --git a/roles/zammad/templates/nginx-zammad.conf.j2 b/roles/zammad/templates/nginx-zammad.conf.j2
new file mode 100644
index 0000000..4d7aab2
--- /dev/null
+++ b/roles/zammad/templates/nginx-zammad.conf.j2
@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+#
+# this is the nginx config for zammad
+#
+
+upstream zammad-railsserver {
+ server 127.0.0.1:3000;
+}
+
+upstream zammad-websocket {
+ server 127.0.0.1:6042;
+}
+
+server {
+ listen 80;
+ server_name {{ zammad_domain_name }};
+ server_tokens {{ zammad_nginx_server_tokens }};
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name {{ zammad_domain_name }};
+
+ server_tokens {{ zammad_nginx_server_tokens }};
+
+ ssl_certificate {{ zammad_ssl_cert_path }};
+ ssl_certificate_key {{ zammad_ssl_key_path }};
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ location = /robots.txt {
+ access_log off; log_not_found off;
+ }
+
+ location = /favicon.ico {
+ access_log off; log_not_found off;
+ }
+
+ root /opt/zammad/public;
+
+ access_log /var/log/nginx/zammad.access.log;
+ error_log /var/log/nginx/zammad.error.log;
+
+ client_max_body_size 50M;
+
+ location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+ expires max;
+ }
+
+ location /ws {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 86400;
+ proxy_pass http://zammad-websocket;
+ }
+
+ {% if zammad_version is version('6.0', 'ge') +%}
+ location /cable {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 86400;
+ proxy_pass http://zammad-railsserver;
+ }
+ {% endif %}
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300;
+ proxy_pass http://zammad-railsserver;
+
+ gzip on;
+ gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+ gzip_proxied any;
+ }
+}
+
+{% for server_config in zammad_nginx_additional_server_configs %}
+{{ server_config }}
+{% endfor %}
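Review bot: `ssl_ciphers` in the 443 server block lists three `DHE-RSA-*` suites, but the block sets no `ssl_dhparam`, and current nginx releases do not offer DHE suites without one, so those entries are most likely dead configuration that suggests more coverage than the server provides. Either drop the three `DHE-RSA-*` entries or add a role variable for a DH parameter file and emit an `ssl_dhparam` directive when it is set. The `Strict-Transport-Security` header is also sent unconditionally with `includeSubDomains`, which commits every host below `zammad_domain_name` to HTTPS for a year; a comment such as `# HSTS applies to all subdomains of the Zammad host for one year` above the `add_header` line would make that visible to operators.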