[enh] rework whitelists and add metabase

6924bc93 · remi-filament · 5645ea50 · 6924bc93 · 6924bc93 · 6924bc93
--- a/README.md
+++ b/README.md
@@ -102,9 +102,8 @@ odoo_prod:
       branch: 12.0-mig-account_bank_statement_import_ofx
       modules:
         - account_bank_statement_import_ofx
-    # Other URLs that should be allowed connecting to (only sub.domain without https:// in front)
    extra_urls:
-      - "sso.le-filament.com"
+     - "{{ SERVER_sso_url }}"

 odoo_nonprod_instances:
      - name: odoo_test
@@ -126,46 +125,68 @@ odoo_nonprod_instances:
        custom_modules_oca: "{{ odoo_prod.custom_modules_oca | default([]) }}"
        other_repos: "{{ odoo_prod.other_repos | default([]) }}"
        other_modules: "{{ odoo_prod.other_modules | default([]) }}"
-        # Other URLs that should be allowed connecting to (only sub.domain without https:// in front)
        extra_urls:
-          - "sso.le-filament.com"
+         - "{{ SERVER_sso_url }}"

-# OPTIONAL - Odoo multilingual - Will install Odoo with all languages (English and French only if set to no)
-odoo_multilingual: no

+# Default configuration to use namespaces (uncomment and set to yes to use namespace instead)
+#docker_no_namespace: no

-## OPTIONAL - Mail server configuration - for Odoo
+# OPTIONAL - Odoo multilingual - Will install Odoo with all languages (English and French only if set to no - by default) - uncomment and set to yes if needed
+#odoo_multilingual: no
+
+## OPTIONAL - Mail server configuration - for Odoo - uncomment to add mail server
 # Mail domain
-mailname: "{{ SERVER_mail_domain }}"
+#mailname: "{{ SERVER_mail_domain }}"
 # Mail server
-mailserver: "{{ SERVER_mail_srv_url }}"
+#mailserver: "{{ SERVER_mail_srv_url }}"
 # SMTP port
-smtpport: 465
+#smtpport: 465
 # SMTP user
-smtpuser: "{{ SERVER_mail_odoo_user }}"
+#smtpuser: "{{ SERVER_mail_odoo_user }}"
 # SMTP password
-smtppass: "{{ SERVER_mail_odoo_pass }}"
+#smtppass: "{{ SERVER_mail_odoo_pass }}"

-## OPTIONAL - Bank configuration - for Odoo automatic retrieval of statements
+## OPTIONAL - Bank configuration - for Odoo automatic retrieval of statements - uncomment to add bank accounts
 # Should auto retrieval be activated ?
-banking: yes
+#banking: yes
 # Bank name
-bank: "{{ SERVER_bank }}"
+#bank: "{{ SERVER_bank }}"
 # Bank website
-bank_website: "{{ SERVER_bank_website }}"
+#bank_website: "{{ SERVER_bank_website }}"
 # Bank user
-bank_login: "{{ SERVER_bank_login }}"
+#bank_login: "{{ SERVER_bank_login }}"
 # Bank password
-bank_pass: "{{ SERVER_bank_pass }}"
+#bank_pass: "{{ SERVER_bank_pass }}"
 # Bank user id
-bank_userid: "{{ SERVER_bank_userid }}"
+#bank_userid: "{{ SERVER_bank_userid }}"
 # Bank account
-bank_account: "{{ SERVER_bank_account }}"
+#bank_account: "{{ SERVER_bank_account }}"
 # Bank account 2
-bank_account2: "{{ SERVER_bank_account2 }}"
-
-# OPTIONAL - GIT private keys - for retrieving private repos (outside Le Filament ones)
-git_private_keys: "{{ SERVER_git_private_keys }}"
+#bank_account2: "{{ SERVER_bank_account2 }}"
+
+# OPTIONAL - GIT private keys - for retrieving private repos (outside Le Filament ones) - uncomment and provide keys as needed
+#git_private_keys: "{{ SERVER_git_private_keys }}"
+
+# OPTIONAL - Whitelisted URLs allowed to be reached from Odoo SERVER
+#whitelisted_urls:
+# - accounts.google.com
+# - cdnjs.cloudflare.com
+# - www.google.com
+# - www.googleapis.com
+# - www.gravatar.com
+# - nominatim.openstreetmap.org
+# - data.opendatasoft.com
+# - github.com
+# - bitbucket.org
+# - sources.le-filament.com
+# - fonts.googleapis.com
+# - fonts.gstatic.com
+
+# OPTIONAL Deploy Metabase
+#metabase: yes
+#metabase_db_ro_user: "{{ sapo12_odoo_db_ro_user }}"
+#metabase_db_ro_pass: "{{ sapo12_odoo_db_ro_pass }}"


 ## Backup Swift Storage configuration

--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,7 +11,8 @@
    group: root
    mode: '0400'
  notify: start odoo docker whitelists
-  tags: odoo_whitelists
+  when: inventory_hostname in groups['docker_secure'] and whitelisted_urls is defined
+  tags: odoo_whitelists, odoo_prod

 #--------------------------------------------------
 # Test Docker section

--- a/templates/prod.yaml.j2
+++ b/templates/prod.yaml.j2
@@ -24,7 +24,12 @@ services:
        networks:
            default:
            inverseproxy_shared:
+{% if whitelisted_urls is defined %}
            whitelists_proxy:
+{% endif %}
+{% if odoo_prod.extra_urls is defined %}
+            extrawhitelists_proxy:
+{% endif %}
 {% if mailname is defined %}
            email_proxy:
 {% endif %}
@@ -121,10 +126,10 @@ services:
        labels:
            co.elastic.logs/enabled: "false"
        networks:
-            whitelists_proxy:
+            extrawhitelists_proxy:
                aliases:
                    - "{{ url }}"
-            whitelists_public:
+            extrawhitelists_public:
        environment:
            PORT: "443"
            TARGET: "{{ url }}"
@@ -132,6 +137,34 @@ services:
        restart: unless-stopped
 {% endfor %}
 {% endif %}
+{% if metabase is defined and metabase %}
+
+    metabase:
+        image: metabase/metabase
+        container_name: odoo_metabase
+        environment:
+            MB_DB_TYPE: "postgres"
+            MB_DB_DBNAME: "{{ odoo_prod.db }}"
+            MB_DB_PORT: 5432
+            MB_DB_USER: "{{ metabase_db_ro_user }}"
+            MB_DB_PASS: "{{ metabase_db_ro_pass }}"
+            MB_DB_HOST: "db"
+        networks:
+            default:
+            inverseproxy_smtp:
+        labels:
+            co.elastic.logs/enabled: "false"
+            traefik.docker.network: "inverseproxy_smtp"
+            traefik.enable: "true"
+            traefik.http.middlewares.metabase-stripprefix.stripprefix.prefixes: "/metabase"
+            traefik.http.routers.metabase.middlewares: "metabase-stripprefix"
+            traefik.http.routers.metabase.rule: "Host(`{{ odoo_prod.url }}`) && PathPrefix(`/metabase/`)"
+            traefik.http.routers.metabase.service: "metabase"
+            traefik.http.services.metabase.loadbalancer.server.port: "3000"
+        restart: unless-stopped
+        volumes:
+            - metabase:/metabase-data:z
+{% endif %}

 networks:
    default:
@@ -140,11 +173,22 @@ networks:
            encrypted: 1
    inverseproxy_shared:
        external: true
+{% if metabase is defined and metabase %}
+    inverseproxy_smtp:
+        external: true
+{% endif %}
+{% if whitelisted_urls is defined %}
    whitelists_proxy:
        external: true
+{% endif %}
 {% if odoo_prod.extra_urls is defined %}
-    whitelists_public:
-        external: true
+    extrawhitelists_proxy:
+        driver_opts:
+            encrypted: 1
+        internal: true
+    extrawhitelists_public:
+        driver_opts:
+            encrypted: 1
 {% endif %}
 {% if mailname is defined %}
    email_proxy:
@@ -162,3 +206,6 @@ volumes:
 {% if mailname is defined %}
    smtp:
 {% endif %}
+{% if metabase is defined and metabase %}
+    metabase:
+{% endif %}
--- a/templates/test.yaml.j2
+++ b/templates/test.yaml.j2
@@ -19,7 +19,12 @@ services:
        networks:
            default:
            inverseproxy_shared:
+{% if whitelisted_urls is defined %}
            whitelists_proxy:
+{% endif %}
+{% if item.extra_urls is defined %}
+            extrawhitelists_proxy:
+{% endif %}
        restart: unless-stopped
        labels:
            co.elastic.logs/multiline.pattern: '^[0-9]{2}'
@@ -42,6 +47,7 @@ services:
            - odoo
            - --smtp-port=1025
            - --database={{ item.db }}
+            - --init=web_environment_ribbon
 {% if ansible_processor_vcpus > 2 %}
            - --workers=2
            - --max-cron-threads=1
@@ -83,10 +89,10 @@ services:
        labels:
            co.elastic.logs/enabled: "false"
        networks:
-            whitelists_proxy:
+            extrawhitelists_proxy:
                aliases:
                    - "{{ url }}"
-            whitelists_public:
+            extrawhitelists_public:
        environment:
            PORT: "443"
            TARGET: "{{ url }}"
@@ -104,11 +110,18 @@ networks:
        external: true
    inverseproxy_smtp:
        external: true
+{% if whitelisted_urls is defined %}
    whitelists_proxy:
        external: true
-{% if sso_url is defined %}
-    whitelists_public:
-        external: true
+{% endif %}
+{% if item.extra_urls is defined %}
+    extrawhitelists_proxy:
+        driver_opts:
+            encrypted: 1
+        internal: true
+    extrawhitelists_public:
+        driver_opts:
+            encrypted: 1
 {% endif %}

 volumes:

--- a/templates/whitelists.yaml.j2
+++ b/templates/whitelists.yaml.j2
 version: "2.1"
 services:
-    accounts_google_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "accounts.google.com"
-            public:
-        environment:
-            TARGET: "accounts.google.com"
-            PRE_RESOLVE: 1
-
-    cdnjs_cloudflare_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "cdnjs.cloudflare.com"
-            public:
-        environment:
-            TARGET: "cdnjs.cloudflare.com"
-            PRE_RESOLVE: 1
-
-    www_google_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "www.google.com"
-            public:
-        environment:
-            TARGET: "www.google.com"
-            PRE_RESOLVE: 1
-
-    www_googleapis_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "www.googleapis.com"
-            public:
-        environment:
-            TARGET: "www.googleapis.com"
-            PRE_RESOLVE: 1
-
-    www_gravatar_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "www.gravatar.com"
-            public:
-        environment:
-            TARGET: "www.gravatar.com"
-            PRE_RESOLVE: 1
-
-    openstreetmap:
-        image: tecnativa/whitelist
-        networks:
-            proxy:
-                aliases:
-                    - "nominatim.openstreetmap.org"
-            public:
-        environment:
-            TARGET: "nominatim.openstreetmap.org"
-            PRE_RESOLVE: 1
-        labels:
-            co.elastic.logs/enabled: "false"
-        restart: unless-stopped
-
-    sirene:
-        image: tecnativa/whitelist
-        networks:
-            proxy:
-                aliases:
-                    - "data.opendatasoft.com"
-            public:
-        environment:
-            TARGET: "data.opendatasoft.com"
-            PRE_RESOLVE: 1
-        labels:
-            co.elastic.logs/enabled: "false"
-        restart: unless-stopped
-
-    github:
-        image: tecnativa/whitelist
-        networks:
-            proxy:
-                aliases:
-                    - "github.com"
-            public:
-        environment:
-            TARGET: "github.com"
-            PRE_RESOLVE: 1
-        labels:
-            co.elastic.logs/enabled: "false"
-        restart: unless-stopped
-
-    bitbucket:
-        image: tecnativa/whitelist
-        networks:
-            proxy:
-                aliases:
-                    - "bitbucket.org"
-            public:
-        environment:
-            TARGET: "bitbucket.org"
-            PRE_RESOLVE: 1
-        labels:
-            co.elastic.logs/enabled: "false"
-        restart: unless-stopped
+{% for url in whitelisted_urls %}

-    gitlab:
+    {{ url }}:
        image: tecnativa/whitelist
-        networks:
-            proxy:
-                aliases:
-                    - "sources.le-filament.com"
-            public:
        environment:
-            PORT: "443 22"
-            TARGET: "sources.le-filament.com"
+            TARGET: "{{ url }}"
            PRE_RESOLVE: 1
-        labels:
-            co.elastic.logs/enabled: "false"
-        restart: unless-stopped
-
-    fonts_googleapis_com:
-        image: tecnativa/whitelist
-        restart: unless-stopped
        labels:
            co.elastic.logs/enabled: "false"
        networks:
            proxy:
                aliases:
-                    - "fonts.googleapis.com"
+                    - "{{ url }}"
            public:
-        environment:
-            TARGET: "fonts.googleapis.com"
-            PRE_RESOLVE: 1
-
-    fonts_gstatic_com:
-        image: tecnativa/whitelist
        restart: unless-stopped
-        labels:
-            co.elastic.logs/enabled: "false"
-        networks:
-            proxy:
-                aliases:
-                    - "fonts.gstatic.com"
-            public:
-        environment:
-            TARGET: "fonts.gstatic.com"
-            PRE_RESOLVE: 1
+{% endfor %}

 networks:
    proxy: