Yoda portal role: add support for Ubuntu/focal

UtrechtUniversity · Jan 31, 2024 · 8528fe3 · 8528fe3
1 parent 1373fbf
commit 8528fe3
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 12 deletions.
diff --git a/roles/yoda_portal/defaults/main.yml b/roles/yoda_portal/defaults/main.yml
@@ -30,8 +30,6 @@ irods_icat_fqdn: icat.yoda.test            # iRODS iCAT fully qualified domain n
 irods_icat_port: 1247
 
 # OpenSSL configuration.
-openssl_private_dir: '/etc/pki/tls/private'
-openssl_certs_dir: '/etc/pki/tls/certs'
 openssl_key_signed: localhost.key
 openssl_crt_signed_and_chain: localhost_and_chain.crt
 

diff --git a/roles/yoda_portal/meta/main.yml b/roles/yoda_portal/meta/main.yml
@@ -9,9 +9,12 @@ galaxy_info:
   platforms:
     - name: EL
       version: 7
-
+    - name: Ubuntu
+      version: focal
 
 dependencies:
   - role: apache
   - role: apache_wsgi
+  - role: certificates
   - role: remove_php
+    when: ansible_os_family == 'RedHat'
diff --git a/roles/yoda_portal/tasks/main.yml b/roles/yoda_portal/tasks/main.yml
@@ -1,6 +1,10 @@
 ---
 # copyright Utrecht University
 
+- name: Include OS-specific variables
+  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
+
+
 - name: Ensure yodadeployment user exists
   ansible.builtin.user:
     name: "{{ yoda_deployment_user }}"
@@ -44,7 +48,7 @@
 - name: Ensure Yoda portal virtualenv exists
   become_user: "{{ yoda_deployment_user }}"
   become: true
-  ansible.builtin.command: virtualenv --python /opt/rh/rh-python38/root/bin/python3 /var/www/yoda/venv
+  ansible.builtin.command: "virtualenv --python {{ yoda_portal_python3_path }} /var/www/yoda/venv"
   args:
     creates: /var/www/yoda/venv
 
@@ -66,7 +70,7 @@
     virtualenv: '/var/www/yoda/venv'
     virtualenv_python: python3.8
   environment:
-    C_INCLUDE_PATH: /opt/rh/rh-python38/root/usr/include/python3.8
+    C_INCLUDE_PATH: "{{ yoda_portal_python3_include_path }}"
   notify: Restart Apache webserver
 
 
@@ -79,6 +83,7 @@
     exit
   args:
     creates: /etc/httpd/conf.modules.d/02-wsgi.conf
+  when: ansible_os_family == 'RedHat'
 
 
 - name: Generate Flask secret key
@@ -101,38 +106,47 @@
 
 
 - name: Copy Yoda Portal config for Flask
-  become_user: "{{ yoda_deployment_user }}"
-  become: true
   ansible.builtin.template:
     src: "flask.cfg.j2"
     dest: "/var/www/yoda/flask.cfg"
     mode: '0644'
+    owner: "{{ yoda_deployment_user }}"
+    group: "{{ yoda_deployment_user }}"
   when: not ansible_check_mode
   notify: Restart Apache webserver
 
 
 - name: Copy Yoda Portal virtual host config for Apache
   ansible.builtin.template:
     src: "yoda-portal-vhost.conf.j2"
-    dest: "/etc/httpd/conf.d/yoda-portal-vhost.conf"
+    dest: "{{ yoda_portal_site_config_dir }}/{{ yoda_portal_site_config_file }}"
     mode: '0644'
   notify: Restart Apache webserver
 
 
+- name: Ensure Apache modules used by Yoda are enabled (Ubuntu)
+  ansible.builtin.file:
+    src: "{{ yoda_portal_site_config_dir }}//{{ yoda_portal_site_config_file }}"
+    dest: "{{ yoda_portal_site_enabled_config_dir }}//{{ yoda_portal_site_config_file }}"
+    state: link
+  notify: Restart Apache webserver
+  when: ansible_os_family == 'Debian'
+
+
 - name: Set SELinux context for shared libraries
   community.general.sefcontext:
     target: '/var/www/yoda/venv/.*\.so(\..*)?'
     setype: httpd_sys_script_exec_t
     state: present
   register: filescontext
-  when: ansible_selinux.status == "enabled"
+  when: ansible_os_family == 'RedHat' and ansible_selinux.status == "enabled"
 
 
 # Only running when context changed works unreliably, so just
 # run always when SELinux is enabled.
 - name: Ensure selinux context is enforced on shared libraries
   ansible.builtin.command: 'restorecon -r /var/www/yoda/venv'
-  when: ansible_selinux.status == "enabled"
+  when: ansible_os_family == 'RedHat' and ansible_selinux.status == "enabled"
   changed_when: false
 
 
@@ -141,4 +155,4 @@
     name: httpd_can_network_connect
     state: true
     persistent: true
-  when: ansible_selinux.status == "enabled" and enable_open_search
+  when: ansible_os_family == 'RedHat' and ansible_selinux.status == "enabled" and enable_open_search
diff --git a/roles/yoda_portal/templates/yoda-portal-vhost.conf.j2 b/roles/yoda_portal/templates/yoda-portal-vhost.conf.j2
@@ -62,7 +62,7 @@
     SetEnvIf Request_URI "\.woff$" dontlog
     SetEnvIf Request_URI "\.woff2$" dontlog
     SetEnvIf Request_Method "^OPTIONS$" dontlog
-    CustomLog /var/log/httpd/portal_access.log common env=!dontlog
+    CustomLog {{ yoda_portal_apache_log_dir }}/portal_access.log common env=!dontlog
 
     # HSTS (mod_headers is required) (31536000 seconds = 1 year)
     Header always set Strict-Transport-Security "max-age=31536000"

diff --git a/roles/yoda_portal/vars/Debian.yml b/roles/yoda_portal/vars/Debian.yml
@@ -0,0 +1,12 @@
+---
+# copyright Utrecht University
+
+openssl_private_dir: '/etc/ssl/private/'
+openssl_certs_dir: '/etc/ssl/certs'
+
+yoda_portal_python3_path: /usr/bin/python3
+yoda_portal_python3_include_path: /usr/include/python3.8
+yoda_portal_site_config_dir: /etc/apache2/sites-available
+yoda_portal_site_enabled_config_dir: /etc/apache2/sites-enabled
+yoda_portal_site_config_file: 001-yoda-portal-vhost.conf
+yoda_portal_apache_log_dir: /var/log/apache2
diff --git a/roles/yoda_portal/vars/RedHat.yml b/roles/yoda_portal/vars/RedHat.yml
@@ -0,0 +1,11 @@
+---
+# copyright Utrecht University
+
+openssl_private_dir: '/etc/pki/tls/private'
+openssl_certs_dir: '/etc/pki/tls/certs'
+
+yoda_portal_python3_path: /opt/rh/rh-python38/root/bin/python3
+yoda_portal_python3_include_path: /opt/rh/rh-python38/root/usr/include/python3.8
+yoda_portal_site_config_dir: /etc/apache2/sites-available
+yoda_portal_site_config_file: yoda-portal-vhost.conf
+yoda_portal_apache_log_dir: /var/log/httpd