diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index b495355..4377087 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -130,6 +130,8 @@ nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
 nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
 nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
+
 pretix_domain: pretix.rc3.binary-kitchen.de
 pretix_dbname: pretix
 pretix_dbuser: pretix
diff --git a/roles/omm/defaults/main.yml b/roles/omm/defaults/main.yml
new file mode 100644
index 0000000..3240b0e
--- /dev/null
+++ b/roles/omm/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+omm_http_port: 8000
+omm_https_port: 8443
diff --git a/roles/omm/handlers/main.yml b/roles/omm/handlers/main.yml
new file mode 100644
index 0000000..69d31b6
--- /dev/null
+++ b/roles/omm/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Reload systemd
+ systemd: daemon_reload=yes
+
+- name: Restart sip-dect-ics
+ service: name=sip-dect-ics state=restarted
+
+- name: Restart sip-dect-omm
+ service: name=sip-dect-omm state=restarted
diff --git a/roles/omm/meta/main.yml b/roles/omm/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/omm/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/omm/tasks/main.yml b/roles/omm/tasks/main.yml
new file mode 100644
index 0000000..c196400
--- /dev/null
+++ b/roles/omm/tasks/main.yml
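Review bot: The three handlers use the `key=value` shorthand (`systemd: daemon_reload=yes`, `service: name=sip-dect-ics state=restarted`), which ansible-lint flags and which passes the boolean `yes` as a string for the module to coerce; the same shorthand is used for `template:`, `service:`, `include_role:` and `file:` throughout roles/omm/tasks/main.yml. Native block YAML, e.g. `systemd:` / `  daemon_reload: true`, keeps module arguments parseable by tooling and lets booleans be real booleans. Behaviour is unchanged either way; this is a style point.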
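Review bot: `nginx_ssl: True` in the nginx dependency of roles/omm/meta/main.yml is a Python-style boolean; Ansible's YAML 1.1 loader accepts it, but the YAML 1.2 core schema and yamllint's `truthy` rule only recognise lowercase, so write `- { role: nginx, nginx_ssl: true }`. Block style (`- role: nginx` / `  nginx_ssl: true`) would avoid the flow mapping entirely and diff more cleanly when further role variables are added.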
@@ -0,0 +1,80 @@
+---
+
+- name: Install dependencies
+ apt:
+ name:
+ - alien
+ - sysvinit-utils
+ - telnet
+
+- name: Add i386 architecture
+ command: dpkg --add-architecture i386
+ args:
+ creates: /var/lib/dpkg/arch
+ when: ansible_architecture != 'i386'
+ register: add_i386
+
+- name: Install 32bit dependencies
+ apt:
+ name:
+ - libstdc++6:i386
+ - zlib1g:i386
+ update_cache: "{{ add_i386.changed }}"
+
+# TODO check if still needed since we don't use the start-script anymore
+- name: Create compatibility symlinks
+ file:
+ src: /usr/bin/pidof
+ dest: /sbin/pidof
+ state: link
+
+# TODO manual steps
+# alien --target=amd64 /tmp/SIP-DECT-OMM-8.1_SP4_GE30-0.i686.rpm
+# dpkg -i sip-dect-omm_8.1SP4GE30-1_amd64.deb
+# alien --target=amd64 /tmp/SIP-DECT-HANDSET-8.1_SP4_GE30-0.i686.rpm
+# dpkg -i sip-dect-handset_8.1SP4GE30-1_amd64.deb
+# rm /etc/init.d/sip-dect-omm
+# rm /etc/sysconfig/SIP-DECT
+
+- name: Install systemd units
+ template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+ with_items:
+ - sip-dect-ics
+ - sip-dect-omm
+ notify:
+ - Reload systemd
+ - Restart sip-dect-ics
+ - Restart sip-dect-omm
+
+- name: Enable services
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - sip-dect-ics
+ - sip-dect-omm
+
+- name: Ensure certificates are available
+ command:
+ cmd: >
+ openssl req -x509 -nodes -newkey rsa:2048
+ -keyout /etc/nginx/ssl/{{ omm_domain }}.key -out /etc/nginx/ssl/{{ omm_domain }}.crt
+ -days 730 -subj "/CN={{ omm_domain }}"
+ creates: /etc/nginx/ssl/{{ omm_domain }}.crt
+ notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+ include_role: name=acme-dnskey-generate
+ vars:
+ acme_dnskey_san_domains:
+ - "{{ omm_domain }}"
+
+- name: Configure certificate manager for omm
+ template: src=certs.j2 dest=/etc/acertmgr/{{ omm_domain }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhost
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/omm
+ notify: Restart nginx
+
+- name: Enable vhost
+ file: src=/etc/nginx/sites-available/omm dest=/etc/nginx/sites-enabled/omm state=link
+ notify: Restart nginx
diff --git a/roles/omm/templates/certs.j2 b/roles/omm/templates/certs.j2
new file mode 100644
index 0000000..7cf1b39
--- /dev/null
+++ b/roles/omm/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ omm_domain }}:
+- mode: dns.nsupdate
+ nsupdate_server: {{ acme_dnskey_server }}
+ nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ omm_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ omm_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/omm/templates/sip-dect-ics.service.j2 b/roles/omm/templates/sip-dect-ics.service.j2
new file mode 100644
index 0000000..1ebd0df
--- /dev/null
+++ b/roles/omm/templates/sip-dect-ics.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Mitel SIP-DECT ICS (Integrated Conference Server)
+After=syslog.target
+After=network.target
+Requires=sip-dect-omm.service
+
+[Service]
+RestartSec=2s
+Type=forking
+WorkingDirectory=/opt/SIP-DECT/
+ExecStart=/opt/SIP-DECT/bin/ics -d
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/omm/templates/sip-dect-omm.service.j2 b/roles/omm/templates/sip-dect-omm.service.j2
new file mode 100644
index 0000000..1a1f405
--- /dev/null
+++ b/roles/omm/templates/sip-dect-omm.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Mitel SIP-DECT OMM (Open Mobility Manager)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=forking
+WorkingDirectory=/opt/SIP-DECT/
+ExecStart=/opt/SIP-DECT/bin/SIP-DECT -f /opt/SIP-DECT/tmp/omm_conf.txt -http {{ omm_http_port }} -https {{ omm_https_port }} -d
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/omm/templates/vhost.j2 b/roles/omm/templates/vhost.j2
new file mode 100644
index 0000000..ea0ed8f
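Review bot: The bootstrap key written by `openssl req ... -keyout /etc/nginx/ssl/{{ omm_domain }}.key` in the "Ensure certificates are available" task gets whatever ownership and mode the installed openssl build and the current umask produce, whereas the acertmgr-managed key in certs.j2 is pinned to root and `400`; make the bootstrap state explicit with a follow-up task such as `- name: Restrict bootstrap key permissions` / `  file: path=/etc/nginx/ssl/{{ omm_domain }}.key owner=root group=root mode=0400`. Because the `creates:` guard skips the command on later runs, that `file:` task would also be the only thing correcting a wrong mode on an existing key. Separately, the steps under `# TODO manual steps` convert and install vendor RPMs from /tmp via alien with no integrity check; when they are automated, fetch the packages with `get_url` and a `checksum:` so a tampered download is rejected rather than installed.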
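Review bot: `Requires=sip-dect-omm.service` in sip-dect-ics.service.j2 ties the two units' activation together but does not order them, so `ics` can be launched while the OMM daemon is still forking; systemd expects the pair `Requires=` plus `After=` for this. Add `After=sip-dect-omm.service` next to the `Requires=` line. `After=syslog.target` is obsolete on current systemd and can be dropped from both unit templates.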
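Review bot: sip-dect-omm.service.j2 sets no `User=`/`Group=`, so the vendor daemon (and the ICS one in sip-dect-ics.service.j2) runs as root with no sandboxing; if the binary only needs to write under /opt/SIP-DECT/ and bind the unprivileged ports from defaults/main.yml (8000/8443), run it under a dedicated service account and add `NoNewPrivileges=true` and `ProtectSystem=strict` with `ReadWritePaths=/opt/SIP-DECT/`. Also, nginx only fronts the HTTPS port, while `-http {{ omm_http_port }}` starts a plain-HTTP listener as well; whether it binds loopback only is not visible here, and if it does not, the management UI is reachable directly on that port, bypassing the redirect-to-HTTPS vhost, so confirm the bind address or restrict the port with the host firewall. `Type=forking` without `PIDFile=` leaves systemd to guess the main process; add one if the daemon writes a pid file.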
--- /dev/null
+++ b/roles/omm/templates/vhost.j2
@@ -0,0 +1,30 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ omm_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ omm_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ omm_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ omm_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ omm_domain }}.crt;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://localhost:{{ omm_https_port }};
+ }
+}
diff --git a/site.yml b/site.yml
index cdc9d18..964ac31 100644
--- a/site.yml
+++ b/site.yml
@@ -42,6 +42,11 @@ roles:
 - netbox
+- name: Setup SIP-DECT OMM
+ hosts: knoedel.binary.kitchen
+ roles:
+ - omm
+
 - name: Setup drone runner
 hosts: bob.binary.kitchen
 roles:
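Review bot: The HTTPS `location /` in vhost.j2 exposes the OMM management UI to every client that can reach `{{ omm_domain }}`, forwarding only `X-Real-IP`; a management interface on a public name should be restricted in that location, for example with `allow`/`deny` rules for the member networks or client-certificate authentication. `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto https;` are worth adding too, if the upstream builds redirect URLs from those headers. The upstream is `https://localhost:{{ omm_https_port }}` and nginx does not verify upstream certificates unless `proxy_ssl_verify` is enabled; on loopback that is acceptable but deserves a one-line comment in the template. Whether `ssl_protocols` and an HSTS header are set globally by the nginx role (`nginx_ssl: True` in meta/main.yml) is not visible here; if not, add them to the 443 server block.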