---
# --------------------------------------------------
# Whitelists section
# --------------------------------------------------
# Render the whitelist compose file under /home/docker/, readable by root only
# (0400). Runs only when internet access is restricted and a whitelist is
# defined; a change notifies the "restart whitelist containers" handler.
- name: "Copy docker compose for whitelists"
  tags:
    - "docker_whitelists"
  when: >-
    restrict_internet_access
    and whitelisted_urls is defined
  ansible.builtin.template:
    src: "whitelists.yaml.j2"
    dest: "/home/docker/whitelists.yaml"
    owner: "root"
    group: "root"
    mode: "0400"
  notify:
    - "restart whitelist containers"
# Reset the four work lists at the start of the run. Later tasks append
# instance keys to them; the pull / rebuild / remove-key / restart tasks
# further down iterate over the de-duplicated lists.
- name: "Set empty lists to trigger actions on instances"
  tags:
    - "docker_proxy"
    - "metabase"
    - "odoo_config_compose_restart"
  ansible.builtin.set_fact:
    instances_to_pull: []
    instances_to_rebuild: []
    instances_to_remove_key: []
    instances_to_restart: []
# One root-owned directory per instance under /home/docker/.
# `odoo_instance` and `test_instance_is_selected` are not defined in this
# file; presumably role vars derived from the loop `item` -- confirm.
- name: "Create Odoo docker directories on server in /home/docker/"
  when: test_instance_is_selected
  ansible.builtin.file:
    path: "/home/docker/{{ odoo_instance.key }}"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
# Build directory for instances that need a locally built image. The
# directory itself is 0755; the secret files copied into it below carry their
# own restrictive modes (0400 / 0600).
- name: "Create Odoo docker build directories on server in /home/docker/<instance>/odoo/"
  when: >-
    test_instance_need_build
    and test_instance_is_selected
  ansible.builtin.file:
    path: "/home/docker/{{ odoo_instance.key }}/odoo/"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
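# Write the GitLab private key into each instance's image build directory,
# readable by root only (0400). A change notifies "remove intermediate images".
# `no_log: true` keeps the key out of task output; without it, running the
# play in --diff mode can print the file content.
# NOTE(review): `default('')` writes an empty key file when
# git_modules_privkey is undefined instead of failing -- confirm intended.
# NOTE(review): the key stays in the build directory until the
# "Remove instances private keys" task runs; that task is gated by
# allow_remove_key and is not reached if an earlier task fails.
- name: Copy private GitLab ssh keys file
  when: >-
    test_instance_need_build
    and test_instance_is_selected
  ansible.builtin.copy:
    content: "{{ git_modules_privkey | default('') }}"
    dest: "/home/docker/{{ odoo_instance.key }}/odoo/id_ed25519.sources"
    owner: "root"
    group: "root"
    mode: "0400"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  no_log: true
  register: result
  notify:
    - "remove intermediate images"
  # Handlers previously notified here, kept for reference:
  # notify:
  # - "rebuild odoo image"
  # - "remove ssh private keys"

# Queue every instance whose key file changed for an image rebuild and for
# key removal afterwards. `test_result_item_has_changed` is defined outside
# this file; presumably it reads `item.changed` -- confirm.
- name: "Add instance to rebuild and remove key lists if files was changed"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_rebuild: "{{ instances_to_rebuild + [item.item.key] }}"
    instances_to_remove_key: "{{ instances_to_remove_key + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"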
# Static ssh client configuration used by the image build to reach the
# GitLab server; holds no secret, hence world-readable (0444).
- name: Copy ssh config for connecting to LF Gitlab
  when: >-
    test_instance_need_build
    and test_instance_is_selected
  ansible.builtin.copy:
    src: "ssh_config"
    dest: "/home/docker/{{ odoo_instance.key }}/odoo/ssh_config"
    owner: "root"
    group: "root"
    mode: "0444"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  register: result
  # Handler previously notified here, kept for reference:
  # notify:
  # - "rebuild odoo image"

# A changed ssh_config queues the instance for an image rebuild.
- name: "Add instance to rebuild list if files was changed"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_rebuild: "{{ instances_to_rebuild + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"
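# Write the optional second private key (git_private_keys) into the build
# directory as id_rsa, readable by root only (0400). Skipped when the
# variable is undefined.
# `no_log: true` keeps the key out of task output; without it, running the
# play in --diff mode can print the file content.
# NOTE(review): none of the tasks shown here deletes id_rsa after the build:
# "Remove instances private keys" targets id_ed25519.sources only, and the
# follow-up task below does not add the instance to instances_to_remove_key.
# The key therefore stays on disk in the build directory -- confirm intended.
- name: Copy private Git ssh keys file
  when: >-
    git_private_keys is defined
    and test_instance_need_build
    and test_instance_is_selected
  ansible.builtin.copy:
    content: "{{ git_private_keys }}"
    dest: "/home/docker/{{ odoo_instance.key }}/odoo/id_rsa"
    owner: "root"
    group: "root"
    mode: "0400"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  no_log: true
  register: result
  # Handler previously notified here, kept for reference:
  # notify:
  # - "rebuild odoo image"

# A changed id_rsa queues the instance for an image rebuild only.
- name: "Add instance to rebuild list if files was changed"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_rebuild: "{{ instances_to_rebuild + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"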
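# Render odoo.conf for every instance that needs a build. The rendered file
# carries the database password and the hashed master password, so it is
# written 0600 root:root and `diff: false` keeps its content out of --diff
# output.
# NOTE(review): the salt given to pbkdf2_passwd is an integer below 65534
# drawn from a generator seeded with inventory_hostname. That keeps the hash
# stable between runs, but the salt is small, predictable, and identical for
# every instance on a host. pbkdf2_passwd is not defined in this file.
- name: "Copy odoo.conf file"
  tags:
    - "odoo_config"
    - "odoo_config_odoo"
  when: >-
    test_instance_need_build
    and test_instance_is_selected
  vars:
    template_admin_passwd: "{{ odoo_source_instance.value.master_pass | pbkdf2_passwd(65534 | random(seed=inventory_hostname) | string) }}"
    # Role-level modules first, then the optional per-instance additions.
    template_server_wide_modules: "{{ odoo_instance_setup.server_wide_modules | join(',') }}{% if odoo_instance.value.odoo_server_wide_modules is defined %},{{ odoo_instance.value.odoo_server_wide_modules | join(',') }}{% endif %}"
    # Anchored filter: only the source instance db and this instance's db match.
    template_dbfilter: "^({{ odoo_source_instance.value.db }}|{{ odoo_instance.value.db }})$"
    template_db_name: "{{ odoo_source_instance.value.db }}"
    template_db_password: "{{ odoo_source_instance.value.db_pass }}"
    template_db_user: "{{ odoo_source_instance.value.db_user }}"
    template_db_maxconn: "{{ odoo_instance.value.odoo_db_maxconn }}"
    template_limit_time_cpu: "{{ odoo_instance.value.odoo_limit_time_cpu }}"
    template_limit_time_real: "{{ odoo_instance.value.odoo_limit_time_real }}"
    template_force_workers: "{{ odoo_instance.value.force_odoo_workers }}"
    template_modules_auto_install_disabled: "{{ (odoo_instance_setup.modules_auto_install_disabled | default(['mail_bot'])) | join(',') }}{% if odoo_instance.value.modules_auto_install_disabled is defined %},{{ odoo_instance.value.modules_auto_install_disabled | join(',') }}{% endif %}"
    template_modules_auto_install_enabled: "{{ (odoo_instance_setup.modules_auto_install_enabled | default(['web'])) | join(',') }}{% if odoo_instance.value.modules_auto_install_enabled is defined %},{{ odoo_instance.value.modules_auto_install_enabled | join(',') }}{% endif %}"
    template_extra_conf: "{{ odoo_instance.value.odoo_extra_conf }}"
  ansible.builtin.template:
    src: "odoo.conf.j2"
    dest: "/home/docker/{{ odoo_instance.key }}/odoo/odoo.conf"
    owner: "root"
    group: "root"
    mode: "0600"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  diff: false
  register: result
  # Handler previously notified here, kept for reference:
  # notify:
  # - "rebuild odoo image"

# Despite the task name, a changed odoo.conf is queued on the *rebuild* list
# (instances_to_rebuild), not on instances_to_restart.
- name: "Add instance to restart list if files was changed"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_rebuild: "{{ instances_to_rebuild + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"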
# Render the per-instance Dockerfile into the build directory (0644).
# The template receives the whole instance item and the role setup dict.
- name: Copy Dockerfile to retrieve private repos and extra OCA ones
  tags:
    - "odoo_config"
    - "odoo_config_dockerfile"
  when: >-
    test_instance_need_build
    and test_instance_is_selected
  vars:
    template_odoo_instance: "{{ odoo_instance }}"
    template_odoo_instance_setup: "{{ odoo_instance_setup }}"
  ansible.builtin.template:
    src: "Dockerfile.j2"
    dest: "/home/docker/{{ odoo_instance.key }}/odoo/Dockerfile"
    owner: "root"
    group: "root"
    mode: "0644"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  register: result
  # Handlers previously notified here, kept for reference:
  # notify:
  # - "pull odoo image"
  # - "rebuild odoo image"

# A changed Dockerfile queues the instance for a base-image pull and a rebuild.
- name: "Add instance to pull and rebuild lists if files was changed"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_pull: "{{ instances_to_pull + [item.item.key] }}"
    instances_to_rebuild: "{{ instances_to_rebuild + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"
# Render docker-compose.yml for every selected instance, readable by root
# only (0400).
# NOTE(review): the template receives the full instance and source-instance
# dicts, whose values include db_pass / master_pass elsewhere in this file.
# If the rendered compose file embeds credentials, consider `diff: false` on
# this task so --diff runs do not print them.
- name: Copy docker compose service
  tags:
    - "odoo_config"
    - "odoo_config_compose"
    - "odoo_config_compose_restart"
    - "docker_proxy"
    - "metabase"
  when: >-
    test_instance_is_selected
  vars:
    template_odoo_instance: "{{ odoo_instance }}"
    template_odoo_instance_setup: "{{ odoo_instance_setup }}"
    template_odoo_instance_domains: "{{ odoo_instance_domains }}"
    template_odoo_source_instance: "{{ odoo_source_instance }}"
    template_database_name: "{{ odoo_instance.value.db }}"
    template_instance_is_prod: "{{ test_instance_is_prod }}"
    template_instance_need_build: "{{ test_instance_need_build }}"
    template_allow_index: "{{ odoo_instance.value.allow_index | default(false) }}"
  ansible.builtin.template:
    src: "docker-compose.yaml.j2"
    dest: "/home/docker/{{ odoo_instance.key }}/docker-compose.yml"
    owner: "root"
    group: "root"
    mode: "0400"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  register: result
  # Handler previously notified here, kept for reference:
  # notify:
  # - "restart odoo image"

# A changed compose file queues the instance for a container restart.
- name: "Add instance to restart list if files was changed"
  tags:
    - "docker_proxy"
    - "metabase"
    - "odoo_config_compose_restart"
  when: test_result_item_has_changed
  ansible.builtin.set_fact:
    instances_to_restart: "{{ instances_to_restart + [item.item.key] }}"
  loop: "{{ result.results | flatten(levels=1) }}"
  loop_control:
    label: "{{ item.item.key }}"
# Flush handlers.
# Force a fresh pull of the base image for every queued instance, run
# asynchronously (up to 600 s, polled every 10 s).
# The tag suffix is "_ml" for multilingual instances, else "_py3.6" when
# odoo_python36 is set, else empty.
# NOTE(review): the image is referenced by a mutable tag and re-pulled with
# force_source, so the build base is whatever the registry serves at run
# time; pinning by digest would make the build input verifiable.
# NOTE(review): the loop iterates over plain instance keys while the vars and
# label read `odoo_instance.key` / `.value`; how `odoo_instance` resolves for
# a string item is defined outside this file -- confirm.
- name: "Pull Odoo image"
  when: >-
    allow_pull is truthy(convert_bool=True)
    and (instances_to_pull | length > 0)
  vars:
    odoo_favor: "{{ '_ml' if (odoo_instance.value.odoo_multilingual | default(false)) else '_py3.6' if (odoo_instance.value.odoo_python36 | default(false)) else '' }}"
  community.docker.docker_image:
    name: "lefilament/odoo:{{ odoo_instance_version }}{{ odoo_favor }}"
    source: "pull"
    force_source: true
  loop: "{{ instances_to_pull | unique | sort }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  async: 600
  poll: 10
# Run `docker compose build` in each queued instance directory, asynchronously
# (up to 1800 s, polled every 10 s). The build directory still contains the
# private key files copied above while this runs.
- name: "Rebuild instance images"
  when: >-
    allow_rebuild is truthy(convert_bool=True)
    and instances_to_rebuild | length > 0
  ansible.builtin.command:
    cmd: "docker compose build"
    chdir: "/home/docker/{{ odoo_instance.key }}/"
  loop: "{{ instances_to_rebuild | unique | sort }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
  async: 1800
  poll: 10
# Delete the GitLab key from the build directory once the image is built.
# Only id_ed25519.sources is removed, and only for instances on
# instances_to_remove_key; the id_rsa file written by
# "Copy private Git ssh keys file" is left in place.
# NOTE(review): skipped entirely when allow_remove_key is falsy, and never
# reached if the rebuild task above fails, so the key can outlive the build.
- name: "Remove instances private keys"
  when: >-
    allow_remove_key is truthy(convert_bool=True)
    and instances_to_remove_key | length > 0
  ansible.builtin.file:
    path: "/home/docker/{{ odoo_instance.key }}/odoo/id_ed25519.sources"
    state: "absent"
  loop: "{{ instances_to_remove_key | unique | sort }}"
# Opt-in only: the "never" tag means this runs solely when "check_image" is
# requested. Includes instance_images.yml for selected instances that do not
# build their own image.
- name: "Get image from another instance"
  tags:
    - "never"
    - "check_image"
  when: >-
    not test_instance_need_build
    and test_instance_is_selected
  ansible.builtin.include_tasks: "instance_images.yml"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
# Run any handlers notified so far before the containers are restarted.
- name: "Flush handlers"
  tags:
    - "docker_proxy"
    - "metabase"
    - "odoo_config_compose_restart"
  ansible.builtin.meta: "flush_handlers"
# First half of the restart: bring the compose project down (orphans
# included) for every instance queued on instances_to_restart.
- name: "Restart instances: remove instance containers"
  tags:
    - "docker_proxy"
    - "metabase"
    - "odoo_config_compose_restart"
  when: >-
    allow_restart is truthy(convert_bool=True)
    and instances_to_restart | length > 0
  community.docker.docker_compose_v2:
    project_src: "/home/docker/{{ odoo_instance.key }}/"
    state: "absent"
    remove_orphans: true
  loop: "{{ instances_to_restart | unique | sort }}"
# Second half of the restart: bring the compose project back up, always
# recreating the containers so the new configuration is picked up.
- name: "Restart instances: start instance containers"
  tags:
    - "docker_proxy"
    - "metabase"
    - "odoo_config_compose_restart"
  when: >-
    allow_restart is truthy(convert_bool=True)
    and instances_to_restart | length > 0
  community.docker.docker_compose_v2:
    project_src: "/home/docker/{{ odoo_instance.key }}/"
    state: "present"
    recreate: "always"
    remove_orphans: true
  loop: "{{ instances_to_restart | unique | sort }}"
# --------------------------------------------------
# non-prod restore section
# --------------------------------------------------
# Render the SQL script executed before a restore. Applies to selected
# non-prod instances on maintenance-contract hosts whose backup comes from
# another instance or another host.
- name: "Copy sql script to be run before restoring db from backup_instance"
  tags:
    - "odoo_backup"
  when: >-
    (odoo_instance.value.backup_instance | default(odoo_instance.key) != odoo_instance.key
    or odoo_instance.value.backup_host | default(inventory_hostname) != inventory_hostname)
    and (inventory_hostname in groups.maintenance_contract)
    and test_instance_is_prod is false
    and test_instance_is_selected
  vars:
    template_database_name: "{{ odoo_instance.value.db }}"
  ansible.builtin.template:
    src: "pre_restore-odootest.sql.j2"
    dest: "/home/docker/backups/pre_restore-{{ odoo_instance.key }}.sql"
    owner: "root"
    group: "root"
    mode: "0444"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
# Render the SQL script executed after a restore; same selection condition
# as the pre-restore script. The file is world-readable (0444).
- name: "Copy sql script to be run after restoring db from backup_instance"
  tags:
    - "odoo_backup"
  when: >-
    (odoo_instance.value.backup_instance | default(odoo_instance.key) != odoo_instance.key
    or odoo_instance.value.backup_host | default(inventory_hostname) != inventory_hostname)
    and (inventory_hostname in groups.maintenance_contract)
    and test_instance_is_prod is false
    and test_instance_is_selected
  ansible.builtin.template:
    src: "post_restore-odootest.sql.j2"
    dest: "/home/docker/backups/post_restore-{{ odoo_instance.key }}.sql"
    owner: "root"
    group: "root"
    mode: "0444"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
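# Render one restore compose file per (backup account, instance) pair.
# The template is handed the account's Swift credentials, so the file is
# written 0400 root:root and `diff: false` keeps the rendered content out of
# --diff output.
- name: "Copy compose file to restore db from backup_instance"
  tags:
    - "odoo_backup"
  when: >-
    (odoo_instance.value.backup_instance | default(odoo_instance.key) != odoo_instance.key
    or odoo_instance.value.backup_host | default(inventory_hostname) != inventory_hostname)
    and (inventory_hostname in groups.maintenance_contract)
    and test_instance_is_prod is false
    and test_instance_is_selected
  vars:
    # Allow role vars to work with `item` variable: the loop yields
    # (account, instance) pairs, so `item` is re-pointed at the instance.
    item: "{{ item_account_instance.1 }}"
    template_backup_account: "{{ item_account_instance.0 }}"
    template_backup_credentials: "{{ swift_odoo_credentials[template_backup_account.key] }}"
    template_odoo_instance: "{{ odoo_instance }}"
    template_database_name: "{{ template_odoo_instance.value.db }}"
    # Source instance: prod_instance when set, otherwise the instance itself.
    template_odoo_source_instance: "{{ {'key': template_odoo_instance.value.prod_instance | default(template_odoo_instance.key ), 'value': odoo_instances[template_odoo_instance.value.prod_instance | default(template_odoo_instance.key )]} }}"
  ansible.builtin.template:
    src: "restore-odootest.yaml.j2"
    dest: "/home/docker/backups/restore-{{ template_odoo_instance.key }}{{ template_backup_account.key }}.yaml"
    owner: "root"
    group: "root"
    mode: "0400"
  loop: "{{ swift_odoo_accounts | dict2items | product(odoo_instances | dict2items) }}"
  loop_control:
    label: "account {{ template_backup_account.key }} on {{ template_odoo_instance.key }}"
    loop_var: item_account_instance
  diff: false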
# --------------------------------------------------
# prod backup section
# --------------------------------------------------
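# Render one backup compose file per (backup account, prod instance) pair on
# the host that owns the instance's backups.
# The template is handed the account's Swift credentials, so the file is
# written 0400 root:root and `diff: false` keeps the rendered content out of
# --diff output.
- name: "Copy docker compose for backup"
  tags:
    - "odoo_backup"
  when: >-
    (odoo_instance.value.backup_host | default(inventory_hostname) == inventory_hostname)
    and (inventory_hostname in groups.maintenance_contract)
    and test_instance_is_prod
    and test_instance_is_selected
  vars:
    # Allow role vars to work with `item` variable: the loop yields
    # (account, instance) pairs, so `item` is re-pointed at the instance.
    item: "{{ item_account_instance.1 }}"
    template_backup_account: "{{ item_account_instance.0 }}"
    template_backup_credentials: "{{ swift_odoo_credentials[template_backup_account.key] }}"
    template_odoo_instance: "{{ odoo_instance }}"
    template_odoo_instance_setup: "{{ odoo_instance_setup }}"
  ansible.builtin.template:
    src: "backup.yaml.j2"
    dest: "/home/docker/backups/backup-{{ template_odoo_instance.key }}{{ template_backup_account.key }}.yaml"
    owner: "root"
    group: "root"
    mode: "0400"
  loop: "{{ swift_odoo_accounts | dict2items | product(odoo_instances | dict2items) }}"
  loop_control:
    label: "account {{ template_backup_account.key }} on {{ template_odoo_instance.key }}"
    loop_var: item_account_instance
  diff: false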
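# Install one daily cron entry per (backup account, prod instance) pair.
# The start time is backup_time_start plus a per-account offset that spreads
# the accounts across backup_time_slot_duration.
# Fix: `minute` used the '%H' format, exactly like `hour`, so the minute
# field received the hour value. It now formats the same timestamp with '%M'.
# NOTE(review): the offset divides by (swift_odoo_accounts | length - 1),
# which is zero when a single account is configured, and it subtracts
# template_backup_account.key from a length, so account keys are presumably
# numeric -- confirm both against the inventory.
- name: "Add cron job to backup instances every day"
  tags:
    - "odoo_backup"
  when: >-
    (odoo_instance.value.backup_host | default(inventory_hostname) == inventory_hostname)
    and (inventory_hostname in groups.maintenance_contract)
    and test_instance_is_prod
    and test_instance_is_selected
  vars:
    # Allow role vars to work with `item` variable: the loop yields
    # (account, instance) pairs, so `item` is re-pointed at the instance.
    item: "{{ item_account_instance.1 }}"
    template_backup_account: "{{ item_account_instance.0 }}"
    template_odoo_instance: "{{ odoo_instance }}"
  ansible.builtin.cron:
    name: "backup {{ template_odoo_instance.key }}{{ template_backup_account.key }}"
    minute: "{{ '%M' | strftime((('1970-01-01 ' + backup_time_start) | to_datetime).timestamp() + (swift_odoo_accounts | length - template_backup_account.key) * ((backup_time_slot_duration | community.general.to_seconds - swift_odoo_accounts | length * backup_time_max_duration | community.general.to_seconds) / (swift_odoo_accounts | length - 1) + backup_time_max_duration | community.general.to_seconds) | int) }}"
    hour: "{{ '%H' | strftime((('1970-01-01 ' + backup_time_start) | to_datetime).timestamp() + (swift_odoo_accounts | length - template_backup_account.key) * ((backup_time_slot_duration | community.general.to_seconds - swift_odoo_accounts | length * backup_time_max_duration | community.general.to_seconds) / (swift_odoo_accounts | length - 1) + backup_time_max_duration | community.general.to_seconds) | int) }}"
    job: "/usr/bin/docker compose -f /home/docker/backups/backup-{{ template_odoo_instance.key }}{{ template_backup_account.key }}.yaml run --rm backup_odoo"
  loop: "{{ swift_odoo_accounts | dict2items | product(odoo_instances | dict2items) }}"
  loop_control:
    label: "account {{ template_backup_account.key }} on {{ template_odoo_instance.key }}"
    loop_var: item_account_instance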
# --------------------------------------------------
# Postgres Readonly user
# --------------------------------------------------
# Add pg_hba.conf rules to the prod database volume for instances with
# odoo_remote_db_access enabled. The path accounts for Docker user-namespace
# remapping (a "SUBUID.SUBGID" directory under /var/lib/docker).
# Rules written: the Odoo db user may reach the instance db and `postgres`
# from 172.16.0.0/12 and 192.168.0.0/16; the read-only user may reach the
# instance db from any address (`all`).
# NOTE(review): the read-only rule relies on network controls outside this
# file (published ports, firewall) to limit who can reach the port.
# NOTE(review): every rule uses md5 password authentication; PostgreSQL also
# offers scram-sha-256, which needs matching stored password hashes.
# NOTE(review): pg_hba.conf changes take effect only after the server reloads
# its configuration; no reload or restart is triggered here.
- name: "Allow readonly user connection to prod db"
  tags:
    - "db_remote_ro_user"
  when: >-
    test_instance_is_prod
    and test_instance_is_selected
    and odoo_instance.value.odoo_remote_db_access | default(false)
  vars:
    pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
  ansible.builtin.blockinfile:
    path: "{{ pg_hba_path }}"
    block: |
      host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
      host {{ odoo_instance.value.db }} {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
      host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 172.16.0.0/12 md5
      host postgres {{ odoo_instances[odoo_instance.value.prod_instance | default(odoo_instance.key)].db_user }} 192.168.0.0/16 md5
      host {{ odoo_instance.value.db }} {{ odoo_instance.value.odoo_db_rouser }} all md5
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
# Comment out the catch-all "host all all all md5" rule so that only the
# explicit rules added by the previous task remain.
# NOTE(review): the regexp matches that exact line only. If the file carries
# the catch-all rule with another auth method or different spacing, nothing
# matches: lineinfile then appends the commented line and the permissive rule
# stays active -- verify against the pg_hba.conf actually present.
# NOTE(review): the old rule keeps applying until the database reloads its
# configuration; this file does not restart or reload the db container.
- name: "Disable access all rights to prod db"
  tags:
    - "db_remote_ro_user"
  when: >-
    test_instance_is_prod
    and test_instance_is_selected
    and odoo_instance.value.odoo_remote_db_access | default(false)
  vars:
    pg_hba_path: "/var/lib/docker{{ '/' + (dockremap_subuid | string) + '.' + (dockremap_subgid | string) if docker_userns_remap else '' }}/volumes/{{ odoo_instance.key }}_db/_data/pg_hba.conf"
  ansible.builtin.lineinfile:
    path: "{{ pg_hba_path }}"
    regexp: "^host all all all md5"
    line: "#host all all all md5"
  loop: "{{ odoo_instances | dict2items }}"
  loop_control:
    label: "{{ odoo_instance.key }}"
# TODO: add restart db container
# --------------------------------------------------
# Remote imports section
# --------------------------------------------------
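# Optional nightly pull of files from a remote server, run as root.
- name: Remote Imports
  tags: "remote_imports"
  block:
    # Installs the key as root's default ssh identity, replacing any existing
    # /root/.ssh/id_rsa. `no_log: true` keeps the key out of task output;
    # without it, running the play in --diff mode can print the content.
    - name: Push private keys for any external tool connection
      when: private_keys is defined
      ansible.builtin.copy:
        content: "{{ private_keys }}"
        dest: "/root/.ssh/id_rsa"
        owner: "root"
        group: "root"
        mode: "0400"
      no_log: true

    # Script is readable and executable by root only (0700).
    - name: PROD Copy script file for collecting remote files
      when: private_pull is defined
      ansible.builtin.template:
        src: "pull_remote_files.sh.j2"
        dest: "/root/pull_remote_files.sh"
        owner: "root"
        group: "root"
        mode: "0700"

    # Runs the script from the crontab this task manages, daily at 23:30.
    - name: PROD add cron job to pull files from remote server
      when: private_pull is defined
      ansible.builtin.cron:
        name: "pull remote server files"
        minute: "30"
        hour: "23"
        job: "/root/pull_remote_files.sh"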