move from svn to this git repo

roles/awx/templates/d.o

@@ -0,0 +1,61 @@
+---
+version: '2.1'
+services:
+        # Primary AWX Development Container
+  awx_1:
+    hostname: awx1920_1
+    networks:
+      ansible-net:
+        aliases:
+          - awx1920_1
+      traefik-net:
+        aliases:
+          - awx1920_1
+    restart: unless-stopped
+    environment:
+      http_proxy:
+      https_proxy:
+      no_proxy:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.awx1920_1.service=awx1920_1"
+      - "traefik.http.routers.awx1920_1.entrypoints=http"
+      - "traefik.http.routers.awx1920_1.rule=Host(`awx1920.seboto.my-wan.de`) || Host(`awx19.seboto.my-wan.de`)"
+      - "traefik.http.middlewares.awx1920_1-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.awx1920_1.middlewares=awx1920_1-https-redirect"
+      - "traefik.http.routers.awx1920_1-secure.entrypoints=https"
+      - "traefik.http.routers.awx1920_1-secure.rule=Host(`awx1920.seboto.my-wan.de`) || Host(`awx19.seboto.my-wan.de`)"
+      - "traefik.http.routers.awx1920_1-secure.tls=true"
+      - "traefik.http.routers.awx1920_1-secure.tls.domains[0].main=awx1920.seboto.my-wan.de"
+      - "traefik.http.routers.awx1920_1-secure.tls.domains[0].sans=awx19.seboto.my-wan.de"
+      - "traefik.http.routers.awx1920_1-secure.tls.certresolver=http"
+      - "traefik.http.routers.awx1920_1-secure.service=awx1920_1"
+      - "traefik.http.services.awx1920_1.loadbalancer.server.port=8013"
+      - "traefik.docker.network=traefik_proxy"
+#    volumes:
+#      - "/home/awx/certs/ldap.conf:/etc/openldap/ldap.conf:ro"
+#      - "/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro"
+#      - "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro"
+#      - "/etc/pki/tls/private/ansible01.warburg.com.pem:/etc/nginx/nginx.key:ro"
+#      - "/etc/pki/tls/certs/ansible01.warburg.com.crt:/etc/nginx/nginx.crt:ro"
+  redis_1:
+    networks:
+      ansible-net:
+        aliases:
+          - redis_1
+    restart: unless-stopped
+  postgres:
+    networks:
+      ansible-net:
+        aliases:
+          - postgres
+    restart: unless-stopped
+    volumes:
+      - "/opt/awxcompose19.2.0/initdb.d:/docker-entrypoint-initdb.d:ro"
+
+networks:
+  ansible-net:
+  traefik-net:
+    external: true
+    name: traefik_proxy
+...

roles/awx/templates/database.py.j2

@@ -0,0 +1,11 @@
+DATABASES = {
+    'default': {
+        'ATOMIC_REQUESTS': True,
+        'ENGINE': 'awx.main.db.profiled_pg',
+        'NAME': "{{ pg_database }}",
+        'USER': "{{ pg_username }}",
+        'PASSWORD': "{{ pg_password }}",
+        'HOST': "{{ pg_hostname | default('postgres') }}",
+        'PORT': "{{ pg_port }}",
+    }
+}

roles/awx/templates/docker-compose.override.yml.j2

@@ -0,0 +1,96 @@
+---
+version: '2.1'
+services:
+{% for i in range(cluster_node_count|default(1)|int) %}
+  {% set container_postfix = loop.index %}
+  {% set awx_sdb_port_start = 7899 + (loop.index0*1000) | int %}
+  {% set awx_sdb_port_end = 7999 + (loop.index0*1000) | int %}
+  # Primary AWX Development Container
+  awx_{{ container_postfix }}:
+    hostname: {{ awx_prefix }}_{{ container_postfix }}
+    networks:
+      ansible-net:
+        aliases:
+          - {{ awx_prefix }}_{{ container_postfix }}
+      traefik-net:
+        aliases:
+          - {{ awx_prefix }}_{{ container_postfix }}
+    restart: unless-stopped
+    environment:
+      http_proxy:
+      https_proxy:
+      no_proxy:
+{% if cluster_node_count == 1 %}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}.service={{ awx_prefix }}_{{ container_postfix }}"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}.entrypoints=http"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}.rule=Host(`{{ awx_prefix }}.seboto.my-wan.de`) || Host(`ansible-{{ awx_prefix }}.seboto.my-wan.de`)"
+      - "traefik.http.middlewares.{{ awx_prefix }}_{{ container_postfix }}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}.middlewares={{ awx_prefix }}_{{ container_postfix }}-https-redirect"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.entrypoints=https"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.rule=Host(`{{ awx_prefix }}.seboto.my-wan.de`) || Host(`ansible-{{ awx_prefix }}.seboto.my-wan.de`)"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.tls=true"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.tls.domains[0].main={{ awx_prefix }}.seboto.my-wan.de"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.tls.domains[0].sans=ansible-{{ awx_prefix }}.seboto.my-wan.de"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.tls.certresolver=http"
+      - "traefik.http.routers.{{ awx_prefix }}_{{ container_postfix }}-secure.service={{ awx_prefix }}_{{ container_postfix }}"
+      - "traefik.http.services.{{ awx_prefix }}_{{ container_postfix }}.loadbalancer.server.port={{ traefik_http_port }}"
+      - "traefik.docker.network=traefik_proxy"
+{% endif %}
+#    volumes:
+#      - "/home/awx/certs/ldap.conf:/etc/openldap/ldap.conf:ro"
+#      - "/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro"
+#      - "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro"
+#      - "/etc/pki/tls/private/ansible01.warburg.com.pem:/etc/nginx/nginx.key:ro"
+#      - "/etc/pki/tls/certs/ansible01.warburg.com.crt:/etc/nginx/nginx.crt:ro"
+  redis_{{ container_postfix }}:
+    restart: unless-stopped
+    networks:
+      ansible-net:
+        aliases:
+          - redis_{{ container_postfix }}
+    restart: unless-stopped
+{% endfor %}
+{% if cluster_node_count|default(1)|int > 1 %}
+  haproxy:
+    hostname: haproxy
+    networks:
+      ansible-net:
+        aliases:
+          - haproxy
+      traefik-net:
+        aliases:
+          - haproxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.haproxy.service=haproxy"
+      - "traefik.http.routers.haproxy.entrypoints=http"
+      - "traefik.http.routers.haproxy.rule=Host(`{{ awx_prefix }}.seboto.my-wan.de`) || Host(`ansible-{{ awx_prefix }}.seboto.my-wan.de`)"
+      - "traefik.http.middlewares.haproxy-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.haproxy.middlewares=haproxy-https-redirect"
+      - "traefik.http.routers.haproxy-secure.entrypoints=https"
+      - "traefik.http.routers.haproxy-secure.rule=Host(`{{ awx_prefix }}.seboto.my-wan.de`) || Host(`ansible-{{ awx_prefix }}.seboto.my-wan.de`)"
+      - "traefik.http.routers.haproxy-secure.tls=true"
+      - "traefik.http.routers.haproxy-secure.tls.domains[0].main={{ awx_prefix }}.seboto.my-wan.de"
+      - "traefik.http.routers.haproxy-secure.tls.domains[0].sans=ansible-{{ awx_prefix }}.seboto.my-wan.de"
+      - "traefik.http.routers.haproxy-secure.tls.certresolver=http"
+      - "traefik.http.routers.haproxy-secure.service=haproxy"
+      - "traefik.http.services.haproxy.loadbalancer.server.port={{ traefik_http_port }}"
+      - "traefik.docker.network=traefik_proxy"
+{% endif %}
+  postgres:
+    networks:
+      ansible-net:
+        aliases:
+          - postgres
+    restart: unless-stopped
+    volumes:
+      - "{{ awx_composedir }}/initdb.d:/docker-entrypoint-initdb.d:ro"
+
+networks:
+  ansible-net:
+  traefik-net:
+    external: true
+    name: traefik_proxy
+...

roles/awx/templates/docker-compose.yml.j2

@@ -0,0 +1,102 @@
+---
+version: '2.1'
+services:
+{% for i in range(cluster_node_count|default(1)|int) %}
+  {% set container_postfix = loop.index %}
+  {% set awx_sdb_port_start = sdb_port_base|int + (loop.index0*1000) | int %}
+  {% set awx_sdb_port_end = sdb_port_base|int +100 + (loop.index0*1000) | int %}
+  # Primary AWX Development Container
+  awx_{{ container_postfix }}:
+    user: "{{ user_id }}"
+    image: "{{ awx_image }}:{{ awx_image_tag }}"
+    container_name: {{ awx_prefix }}_awx_{{ container_postfix }}
+    hostname: awx_{{ container_postfix }}
+    command: launch_awx.sh
+    environment:
+      OS: "{{ os_info.stdout }}"
+      SDB_HOST: 0.0.0.0
+      SDB_PORT: {{ awx_sdb_port_start }}
+      AWX_GROUP_QUEUES: tower
+      RECEPTORCTL_SOCKET: /var/run/receptor/receptor.sock
+{% if loop.index == 1 %}
+      RUN_MIGRATIONS: 1
+{% endif %}
+    links:
+      - postgres
+      - redis_{{ container_postfix }}
+    working_dir: "/awx_devel"
+    volumes:
+      - "{{ awx_basedir }}/{{ awx_version }}:/awx_devel"
+      - "{{ awx_composedir }}/supervisor.conf:/etc/supervisord.conf"
+      - "{{ awx_composedir }}//database.py:/etc/tower/conf.d/database.py"
+      - "{{ awx_composedir }}//websocket_secret.py:/etc/tower/conf.d/websocket_secret.py"
+      - "{{ awx_composedir }}//local_settings.py:/etc/tower/conf.d/local_settings.py"
+      - "{{ awx_composedir }}//SECRET_KEY:/etc/tower/SECRET_KEY"
+      - "{{ awx_composedir }}/receptor.conf:/etc/receptor/receptor.conf"
+      - "/sys/fs/cgroup:/sys/fs/cgroup"
+      - "~/.kube/config:/var/lib/awx/.kube/config"
+      - "redis_socket_{{ container_postfix }}:/var/run/redis/:rw"
+      - "receptor_{{ container_postfix }}:/var/run/receptor/"
+    privileged: true
+    tty: true
+    ports:
+      - "{{ awx_sdb_port_start }}-{{ awx_sdb_port_end }}:{{ awx_sdb_port_start }}-{{ awx_sdb_port_end }}"  # sdb-listen
+{% if cluster_node_count|default(1)|int == 1 %}
+      #- "6899:6899"
+      #- "8080:8080"  # unused but mapped for debugging
+      #- "8888:8888"  # jupyter notebook
+      - "{{ http_port }}:8013"  # http
+      - "{{ https_port }}:8043"  # https
+{% endif %}
+  redis_{{ container_postfix }}:
+    image: redis:latest
+    container_name: {{ awx_prefix }}_redis_{{ container_postfix }}
+    volumes:
+      - "{{ awx_composedir }}/redis/redis.conf:/usr/local/etc/redis/redis.conf"
+      - "redis_socket_{{ container_postfix }}:/var/run/redis/:rw"
+    entrypoint: ["redis-server"]
+    command: ["/usr/local/etc/redis/redis.conf"]
+{% endfor %}
+{% if cluster_node_count|default(1)|int > 1 %}
+  haproxy:
+    user: "{{ user_id }}"
+    image: haproxy
+    container_name: {{ awx_prefix }}_haproxy_1
+    volumes:
+      - "{{ awx_composedir }}/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
+    ports:
+      - "{{ http_port }}:8013"
+      - "{{ https_port }}:8043"
+      - "1936:1936"
+    depends_on:
+  {% for i in range(cluster_node_count|default(1)|int) -%}
+  {% set container_postfix = loop.index %}
+    - "awx_{{ container_postfix }}"
+  {% endfor %}
+{% endif %}
+  # A useful container that simply passes through log messages to the console
+  # helpful for testing awx/tower logging
+  # logstash:
+  #   build:
+  #     context: ./docker-compose
+  #     dockerfile: Dockerfile-logstash
+  postgres:
+    image: postgres:12
+    container_name: {{ awx_prefix }}_postgres_1
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: trust
+      POSTGRES_USER: {{ pg_username }}
+      POSTGRES_DB: {{ pg_database }}
+      POSTGRES_PASSWORD: {{ pg_password }}
+    volumes:
+      - "awx_db:/var/lib/postgresql/data"
+volumes:
+  awx_db:
+    name: {{ awx_prefix }}_awx_db
+{% for i in range(cluster_node_count|default(1)|int) -%}
+  {% set container_postfix = loop.index %}
+  receptor_{{ container_postfix }}:
+    name: {{ awx_prefix }}_receptor_{{ container_postfix }}
+  redis_socket_{{ container_postfix }}:
+    name: {{ awx_prefix }}_redis_socket_{{ container_postfix }}
+{% endfor -%}

roles/awx/templates/environment.sh.j2

@@ -0,0 +1,10 @@
+DATABASE_USER={{ pg_username|quote }}
+DATABASE_NAME={{ pg_database|quote }}
+DATABASE_HOST={{ pg_hostname|default('postgres')|quote }}
+DATABASE_PORT={{ pg_port|default('5432')|quote }}
+DATABASE_PASSWORD={{ pg_password|default('awxpass')|quote }}
+{% if pg_admin_password is defined %}
+DATABASE_ADMIN_PASSWORD={{ pg_admin_password|quote }}
+{% endif %}
+AWX_ADMIN_USER={{ admin_user|quote }}
+AWX_ADMIN_PASSWORD={{ admin_password|quote }}

roles/awx/templates/haproxy.cfg.j2

@@ -0,0 +1,49 @@
+global
+    stats socket /tmp/admin.sock
+    stats timeout 30s
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+
+frontend localnodes
+    bind *:8013
+    mode http
+    default_backend nodes
+
+frontend localnodes_ssl
+    bind *:8043
+    mode tcp
+    default_backend nodes_ssl
+
+backend nodes
+    mode http
+    balance roundrobin
+    option forwardfor
+    option http-pretend-keepalive
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto https if { ssl_fc }
+    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
+{% for i in range(cluster_node_count|default(1)|int) %}
+    {% set container_postfix = loop.index %}
+    server {{ awx_prefix }}_awx_{{ container_postfix }} {{ awx_prefix }}_awx_{{ container_postfix }}:8013 check
+{% endfor %}
+
+backend nodes_ssl
+    mode tcp
+    balance roundrobin
+{% for i in range(cluster_node_count|default(1)|int) %}
+    {% set container_postfix = loop.index %}
+    server {{ awx_prefix }}_awx_{{ container_postfix }} {{ awx_prefix }}_awx_{{ container_postfix }}:8043 check
+{% endfor %}
+
+listen stats
+    bind *:1936
+    stats enable
+    stats uri /
+

roles/awx/templates/nginx.conf.j2

@@ -0,0 +1,122 @@
+#user awx;
+
+worker_processes  1;
+
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    server_tokens off;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /dev/stdout main;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    sendfile        on;
+    #tcp_nopush     on;
+    #gzip  on;
+
+    upstream uwsgi {
+        server 127.0.0.1:8050;
+        }
+
+    upstream daphne {
+        server 127.0.0.1:8051;
+    }
+
+    {% if ssl_certificate is defined %}
+    server {
+        listen 8052 default_server;
+        server_name _;
+
+        # Redirect all HTTP links to the matching HTTPS page
+        return 301 https://$host$request_uri;
+    }
+    {%endif %}
+
+    server {
+        {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %}
+        listen 8053 ssl;
+
+        ssl_certificate /etc/nginx/awxweb.pem;
+        ssl_certificate_key /etc/nginx/awxweb_key.pem;
+        {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %}
+        listen 8053 ssl;
+
+        ssl_certificate /etc/nginx/awxweb.pem;
+        ssl_certificate_key /etc/nginx/awxweb.pem;
+        {% else %}
+        listen 8052 default_server;
+        {% endif %}
+
+        # If you have a domain name, this is where to add it
+        server_name _;
+        keepalive_timeout 65;
+
+        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+        add_header Strict-Transport-Security max-age=15768000;
+
+        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+        add_header X-Frame-Options "DENY";
+
+        location /nginx_status {
+          stub_status on;
+          access_log off;
+          allow 127.0.0.1;
+          deny all;
+        }
+
+        location /static/ {
+            alias /var/lib/awx/public/static/;
+        }
+
+        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
+
+        location /websocket {
+            # Pass request to the upstream alias
+            proxy_pass http://daphne;
+            # Require http version 1.1 to allow for upgrade requests
+            proxy_http_version 1.1;
+            # We want proxy_buffering off for proxying to websockets.
+            proxy_buffering off;
+            # http://en.wikipedia.org/wiki/X-Forwarded-For
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            # enable this if you use HTTPS:
+            proxy_set_header X-Forwarded-Proto https;
+            # pass the Host: header from the client for the sake of redirects
+            proxy_set_header Host $http_host;
+            # We've set the Host header, so we don't need Nginx to muddle
+            # about with redirects
+            proxy_redirect off;
+            # Depending on the request value, set the Upgrade and
+            # connection headers
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+
+        location / {
+            # Add trailing / if missing
+            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
+            uwsgi_read_timeout 120s;
+            uwsgi_pass uwsgi;
+            include /etc/nginx/uwsgi_params;
+            {%- if extra_nginx_include is defined %}
+            include {{ extra_nginx_include }};
+            {%- endif %}
+            proxy_set_header X-Forwarded-Port 443;
+            uwsgi_param HTTP_X_FORWARDED_PORT 443;
+        }
+    }
+}

roles/awx/templates/pg_dump.sh.j2

@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+
+PG_SERVICE=postgres
+PG_USER={{ pg_username }}
+PG_DATABASE={{ pg_database }}
+PG_DUMPDIR={{ pg_database_dumpdir | default('/var/lib/pgdocker/backup_'+awx_version) }}
+PG_TIMESTAMP=`date '+%Y-%m-%d_%H.%M.%S'`
+PG_DUMPFILE=${PG_DUMPDIR}/pg_dump_${PG_DATABASE}_${PG_TIMESTAMP}.sql.gz
+PG_NB_DAYS=3
+#
+# /usr/local/bin in den Suchpfad aufnehmen
+#
+PATH=/usr/local/bin:${PATH}
+export PATH
+
+PROG_DIR=`dirname $0`
+COMPOSE_DIR={{ awx_composedir }}
+COMPOSE_FILES="${COMPOSE_DIR}/{{ awx_compose_name }} ${COMPOSE_DIR}/{{ awx_compose_override_name }}"
+
+#
+# Loesche Dump Dateien aelter als 3 Tage
+#
+echo "Lösche alle Dumps, die älter sind als drei Tage ..."
+${PROG_DIR}/HouseKeeping.sh -d ${PG_DUMPDIR} -t ${PG_NB_DAYS} -p '*' -v
+
+[ -d ${PG_DUMPDIR} ] || mkdir ${PG_DUMPDIR}
+
+echo "Stelle sicher, dass der PostgreSQL Container gestartet ist ..."
+COMPOSE_OPTIONS="--project-directory ${COMPOSE_DIR} "
+for COMPOSE_FILE in ${COMPOSE_FILES}
+do
+	COMPOSE_OPTIONS="${COMPOSE_OPTIONS} -f ${COMPOSE_FILE}"
+done
+
+docker-compose ${COMPOSE_OPTIONS} up -d ${PG_SERVICE}
+
+echo "Erstelle Dump der Datenbanken ..."
+docker-compose ${COMPOSE_OPTIONS} exec -T ${PG_SERVICE} pg_dump -U ${PG_USER} ${PG_DATABASE} | gzip >${PG_DUMPFILE}
+
+echo "Größe des Datenbank Dumps: `du -sh ${PG_DUMPFILE}`"

roles/awx/templates/secrets.yml.j2

@@ -0,0 +1 @@
+{{ item.item }}: '{{ lookup('vars', item.item, default='') or lookup('password', '/dev/null chars=ascii_letters') }}'

roles/awx/templates/websocket_secret.py.j2

@@ -0,0 +1 @@
+BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret | b64encode }}"