Improve ansible-st2 security (generated credential files are named `<service>-<host>-<user>`, using `-` rather than `/` as the separator so they stay flat files under my_creds_dir) https://github.com/StackStorm/ansible-st2/issues/75
---
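# StackStorm auth
st2_auth_enable: true
# Persist the generated admin credentials on the target under
# /root/.st2/config. That file then holds st2_auth_password in clear text,
# so it must stay root-only (NOTE(review): confirm the mode the role uses).
st2_save_credentials: true
st2_auth_username: st2admin
# Generated on the controller by the `password` lookup and kept under
# my_creds_dir (defined elsewhere), so later runs reuse the same secret.
# The file name joins its parts with '-' rather than '/' so it stays a flat
# file under my_creds_dir. Parts are concatenated with '~' instead of
# nesting '{{ }}' inside the lookup argument, which only worked because the
# lookup re-templated its terms.
st2_auth_password: "{{ lookup('password', my_creds_dir ~ '/st2-' ~ inventory_hostname ~ '-' ~ st2_auth_username ~ ' length=42') }}"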
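# MongoDB
st2mongo_db: st2
st2mongo_username: st2mongo
# Application account password; ends up in the st2 config rendered from
# group_st2_config and in /root/.st2/config.
st2mongo_password: "{{ lookup('password', my_creds_dir ~ '/st2mongo-' ~ inventory_hostname ~ '-' ~ st2mongo_username ~ ' length=42') }}"
st2mongo_host: 127.0.0.1
st2mongo_port: 27017
st2mongo_admin_db: admin
st2mongo_admin_username: admin
# The userAdminAnyDatabase account gets its own secret rather than reusing
# st2mongo_password: anyone who can read the st2 application config must not
# also hold the credential that can create and re-role Mongo users.
# "Add mongo admin" uses update_password: on_create, so a host already
# deployed with a shared password is not rotated automatically — rotate it
# by hand or keep the old value here for that host.
st2mongo_admin_password: "{{ lookup('password', my_creds_dir ~ '/st2mongo-admin-' ~ inventory_hostname ~ '-' ~ st2mongo_admin_username ~ ' length=42') }}"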
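# RabbitMQ
# Leave st2rmq_vhost undefined or empty to use the broker's default vhost
# '/'. A named vhost such as 'st2' must exist on the broker and is appended
# to the transport URLs below as a '/st2' path segment.
st2rmq_vhost: st2
st2rmq_username: st2rmq
# Keyed by st2rmq_username — there is no st2rmq_db_username variable in
# this file, and an undefined name here aborts the run.
st2rmq_password: "{{ lookup('password', my_creds_dir ~ '/st2rmq-' ~ inventory_hostname ~ '-' ~ st2rmq_username ~ ' length=42') }}"
st2rmq_host: 127.0.0.1
st2rmq_port: 5672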
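# Postgres
st2mistral_db: mistral
st2mistral_db_username: st2mistral
# Concatenated with '~' rather than nesting '{{ }}' in the lookup argument.
st2mistral_db_password: "{{ lookup('password', my_creds_dir ~ '/st2mistral-' ~ inventory_hostname ~ '-' ~ st2mistral_db_username ~ ' length=42') }}"
# host is hardcoded to localhost by the role; these only matter once the
# database.connection override in st2mistral_config below is enabled
#st2mistral_db_host: localhost
#st2mistral_db_port: 5432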
# Redis (TODO: not wired up yet — see the commented-out coordination block
# in group_st2_config below)
#st2redis_password: "{{ lookup('password', my_creds_dir ~ '/st2redis-' ~ inventory_hostname ~ ' length=42') }}"
#st2redis_host:
#st2redis_port: 6379
# TODO: st2web_ssl_certificate{,_key} take the certificate/key *contents* as
# strings, not file paths, so the private key has to live in Ansible Vault
# rather than in plain group_vars.
# st2web copies these to /etc/ssl/st2/st2.{crt,key} instead of modifying/templating /etc/nginx/conf.d/st2.conf
#st2web_ssl_certificate: "{{ my_ssl_crt }}"
#st2web_ssl_certificate_key: "{{ my_ssl_key }}"
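st2mistral_config:
  # TODO: modify stackstorm.mistral to specify host and port and still take
  # advantage of the mistral restart handler. The role's default
  # database.connection uses st2mistral_db{,_username,_password} and
  # hardcodes localhost.
  #database:
  #  connection: "postgresql://{{ st2mistral_db_username }}:{{ st2mistral_db_password }}@{{ st2mistral_db_host }}:{{ st2mistral_db_port }}/{{ st2mistral_db|default('mistral') }}"
  DEFAULT:
    # The vhost is a URL path segment, so a named vhost needs a '/'
    # separator after the port ("...:5672/st2", not "...:5672st2"). No path
    # is emitted for an unset, empty or '/' vhost, which selects the
    # broker's default. The password is embedded in the URL: the lookup's
    # default character set is presumably safe in the userinfo part, but
    # urlencode the value if you widen `chars=`.
    transport_url: "rabbit://{{ st2rmq_username }}:{{ st2rmq_password }}@{{ st2rmq_host }}:{{ st2rmq_port }}{% if st2rmq_vhost | default('') not in ['', '/'] %}/{{ st2rmq_vhost }}{% endif %}"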
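# group dict gets merged with host dict. Override host dict in hostvars.
# From playbook:
#   roles:
#     - name: ST2 | Install and configure StackStorm (st2)
#       role: StackStorm.stackstorm/roles/st2
#       vars:
#         st2_config: "{{ group_st2_config|combine(host_st2_config, recursive=True) }}"
host_st2_config: {}
group_st2_config:
  database:  # Mongo
    db_name: "{{ st2mongo_db }}"
    username: "{{ st2mongo_username }}"
    password: "{{ st2mongo_password }}"
    host: "{{ st2mongo_host }}"
    port: "{{ st2mongo_port }}"
  messaging:  # RabbitMQ
    # Same vhost handling as st2mistral_config.DEFAULT.transport_url: a
    # named vhost is a path segment and needs the '/' after the port; no
    # path is emitted for an unset, empty or '/' vhost (broker default).
    url: "amqp://{{ st2rmq_username }}:{{ st2rmq_password }}@{{ st2rmq_host }}:{{ st2rmq_port }}{% if st2rmq_vhost | default('') not in ['', '/'] %}/{{ st2rmq_vhost }}{% endif %}"
  #coordination:  # Redis
  #  # NOTE(review): redis URLs usually carry the password as ':password@'
  #  # (empty user) and need a port after the host — confirm the form the
  #  # coordination backend expects before enabling this.
  #  url: 'redis://:{{ st2redis_password }}@{{ st2redis_host }}:{{ st2redis_port }}'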
---
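- name: Ensure pymongo is installed
  # The mongodb_user tasks below run on the managed host and need the
  # pymongo driver there; become for a system-wide pip install.
  pip:
    name: pymongo
  become: true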
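- name: See if authorization is enabled in mongod.conf
  # Probe only: check_mode makes lineinfile report what it *would* do.
  #   changed -> the exact line is absent, i.e. authorization is disabled
  #   ok      -> the line is present, i.e. authorization is already enabled
  # This is a byte-for-byte line match, so `line` must be identical
  # (indentation included) to the one written by "Enable authentication in
  # mongod.conf"; an 'authorization: disabled' line counts as disabled.
  check_mode: true
  lineinfile:
    path: /etc/mongod.conf
    insertafter: '^security:'
    line: '  authorization: enabled'
  register: mongo_authorization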
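- name: Add mongo admin
  # Runs before mongod is restarted with authorization on. If the probe
  # above reported changed (auth still off) connect without credentials;
  # otherwise authenticate as the existing admin against its own database
  # so re-runs work once auth is enforced. The `changed` filter is kept for
  # the Ansible release this was written against (newer ones use
  # `is changed`).
  mongodb_user:
    state: present
    # Do not rotate an existing admin password from here: the login
    # parameters below would no longer match the stored one on the next run.
    update_password: on_create
    name: "{{ st2mongo_admin_username }}"
    password: "{{ st2mongo_admin_password }}"
    database: "{{ st2mongo_admin_db }}"
    # User management only — this built-in role grants no data access.
    roles: userAdminAnyDatabase
    login_host: "{{ st2mongo_host }}"
    login_port: "{{ st2mongo_port }}"
    login_user: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_username) }}"
    login_password: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_password) }}"
    # Authenticate against the admin's own database, as the ST2 user task does.
    login_database: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_db) }}"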
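- name: Enable security section in mongod.conf
  # '^#?security:' matches both the stock commented-out line and an
  # already-present 'security:' key, so the key is uncommented in place and
  # never appended a second time at the end of the file (mongod.conf is
  # YAML; a duplicate top-level key is silently last-wins at best).
  lineinfile:
    path: /etc/mongod.conf
    regexp: '^#?security:'
    line: 'security:'
  notify: Restart mongod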
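- name: Enable authentication in mongod.conf
  # insertafter is anchored so a commented '#security:' line is never used
  # as the insertion point, and any existing 'authorization:' key (e.g.
  # 'disabled') is replaced instead of duplicated. The line is indented
  # under 'security:' and must be byte-identical to the probe line in
  # "See if authorization is enabled in mongod.conf".
  lineinfile:
    path: /etc/mongod.conf
    regexp: '^\s*authorization:'
    insertafter: '^security:'
    line: '  authorization: enabled'
  notify: Restart mongod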
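- name: Add the ST2 user to mongo
  # Same login logic as "Add mongo admin": user, password and database are
  # all omitted while authorization is still off (the Restart mongod handler
  # has not run yet) and all supplied once it is on. They must be omitted
  # together — NOTE(review): the module rejects a login_user that comes
  # without a login_password.
  mongodb_user:
    state: present
    update_password: always
    name: "{{ st2mongo_username }}"
    password: "{{ st2mongo_password }}"
    database: "{{ st2mongo_db }}"
    # Least privilege: st2 only needs read/write on its own database.
    roles: readWrite
    login_host: "{{ st2mongo_host }}"
    login_port: "{{ st2mongo_port }}"
    login_user: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_username) }}"
    login_password: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_password) }}"
    login_database: "{{ mongo_authorization|changed | ternary(omit, st2mongo_admin_db) }}"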
---
# Enables the HTTP management API/UI. Nothing in this file restricts where
# it listens — NOTE(review): confirm it is bound to loopback or firewalled,
# as it accepts broker credentials over HTTP.
- name: Add the rabbitmq management plugin
  rabbitmq_plugin:
    state: enabled
    name: rabbitmq_management
# The stock 'guest' account is only kept when it is the account st2 itself
# uses; otherwise drop it so no well-known credential is left on the broker.
- name: Remove the guest user from rabbitmq
  rabbitmq_user:
    state: absent
    user: guest
  when: st2rmq_username | default('guest') != 'guest'
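# A named vhost must exist before permissions can be granted on it; the
# default vhost '/' always does. default('/', true) also treats an empty
# string as unset, matching the transport URLs in the vars file.
- name: Add the stackstorm vhost to rabbitmq
  rabbitmq_vhost:
    name: "{{ st2rmq_vhost }}"
    state: present
  when: st2rmq_vhost | default('/', true) != '/'

- name: Add the stackstorm user to rabbitmq
  rabbitmq_user:
    user: "{{ st2rmq_username }}"
    password: "{{ st2rmq_password }}"
    vhost: "{{ st2rmq_vhost | default('/', true) }}"
    # Permissions are regular expressions over resource names; '.*' means
    # everything in this vhost. Quoted because a bare '*' is a YAML alias
    # indicator and fails to parse.
    configure_priv: '.*'
    read_priv: '.*'
    write_priv: '.*'
    state: present
  when:
    - st2rmq_username is defined
    - st2rmq_password is defined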