-
Notifications
You must be signed in to change notification settings - Fork 16
/
main.yaml
255 lines (204 loc) · 10.1 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# By default, tasks in this role that could result in configuration or
# credentials being printed by Ansible are set up to hide the output to prevent
# sensitive information from being exposed.
# Setting ara_api_secure_logging to false will make Ansible print the raw,
# unfiltered result of these tasks.
# Note that it does not have any impact on tasks that are recorded by ARA.
# It is only for the output when running this specific role.
ara_api_secure_logging: true
# Root directory where every file for the ARA installation are located
ara_api_root_dir: "{{ ansible_user_dir }}/.ara"
# Directory where logs are written to
ara_api_log_dir: "{{ ara_api_root_dir }}/logs"
# Whether or not ara should be installed in a virtual environment.
# This defaults to true to prevent conflicting with system or distribution
# python packages.
ara_api_venv: true
# When using a virtualenv, path to where it will be installed
ara_api_venv_path: "{{ ara_api_root_dir }}/virtualenv"
# How ARA will be installed
# - source [default]: installs from a local or remote git repository
# - distribution: installs from distribution packages, if available
# - pypi : installs from pypi
ara_api_install_method: source
# When installing from source, the URL or filesystem path where the git source
# repository can be cloned from.
ara_api_source: "https://github.com/ansible-community/ara"
# When installing from source, location where the source repository will be checked out to.
ara_api_source_checkout: "{{ ara_api_root_dir }}/git/ara"
# Version of ARA to install
# When installing from source, this can be a git ref (tag, branch, commit, etc)
# When installing from PyPi, it would be a version number that has been released.
# When using "latest" as the source version, HEAD will be used
# When using "latest" as the pypi version, the latest release will be used
ara_api_version: master
# The frontend/web server for serving the ARA API
# It is recommended to specify a web server when deploying a production environment.
# - null [default]: No frontend server will be set up.
# - nginx: Nginx will be configured in front of the WSGI application server.
# - apache [planned]
ara_api_frontend_server: null
# Path to a custom vhost configuration jinja template
# The vhost configuration templates provided by the role are simple by design
# and are not sufficient to cover every use cases.
# Use this variable if you need to have your own custom nginx or apache configuration.
ara_api_frontend_vhost: null
# Enable https on port 443 in addition to http on port 80
# Enabling SSL requires specifying the path to your key and certificate via
# ara_api_frontend_ssl_key and ara_api_frontend_ssl_cert
ara_api_frontend_ssl: false
# Path to an existing SSL private key provisioned outside of this role
# ex: /etc/letsencrypt/live/ara.example.org/privkey.pem
ara_api_frontend_ssl_key: null
# Path to an existing SSL certificate provisioned outside of this role
# ex: /etc/letsencrypt/live/ara.example.org/fullchain.pem
ara_api_frontend_ssl_cert: null
# Path to an existing SSL CA certificate provisioned outside of this role
# used for client-side verification (i.e, ssl_verify_client in nginx)
ara_api_frontend_ssl_ca_cert: null
# The WSGI server for running ARA's API server
# - null [default]: No persistent WSGI application server will be set up. Only the offline API client will work.
# - gunicorn: gunicorn will be installed and set up to run the API as a systemd service.
# - mod_wsgi [planned]
ara_api_wsgi_server: null
# Address and port on which the wsgi server will bind
# Changing this value means you might need to adjust "ara_api_allowed_hosts" and
# "ara_api_cors_origin_whitelist".
ara_api_wsgi_bind: "127.0.0.1:8000"
# Amount of worker processes for the wsgi server
# Recommended default formula by gunicorn: https://docs.gunicorn.org/en/stable/design.html#how-many-workers
ara_api_wsgi_workers: "{{ ansible_facts['processor_count'] * ansible_facts['processor_cores'] * ansible_facts['processor_threads_per_core'] * 2 + 1 }}"
# When using a frontend server, the domain or address it will be listening on
ara_api_fqdn: "{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['default_ipv6']['address']) }}"
####################################
# ara API configuration settings
# For more information, see documentation: https://ara.readthedocs.io
####################################
# ARA_BASE_DIR - Default directory for storing data and configuration
ara_api_base_dir: "{{ ara_api_root_dir }}/server"
# ARA_SETTINGS - Path to an ARA API configuration file
ara_api_settings: "{{ ara_api_base_dir }}/settings.yaml"
# ARA_ENV - Environment to load configuration for
ara_api_env: default
# ARA_EXTERNAL_AUTH - External authentication settings
# Read more about setting up authentication in the documentation:
# https://ara.readthedocs.io/en/latest/api-security.html
ara_api_external_auth: false
# Path to a .htpasswd file that will be managed by the role if ara_api_external_auth is true.
ara_api_external_auth_file: /etc/nginx/.htpasswd
# A list of usernames and passwords to encrypt into a .htpasswd file like so:
# ara_nginx_external_auth_users:
# - username: ara
# password: hunter2
# - username: admin
# password: *******
#
# The role does NOT supply a default: it must be provided if ara_api_external_auth is enabled.
# They can be provided in clear text but it is recommended to use ansible-vault so ara doesn't record them.
# https://docs.ansible.com/ansible/latest/user_guide/vault.html
ara_api_external_auth_users: []
# ARA_READ_LOGIN_REQUIRED - Whether authentication is required for reading data
ara_api_read_login_required: false
# ARA_WRITE_LOGIN_REQUIRED - Whether authentication is required for writing data
ara_api_write_login_required: false
# ARA_PAGE_SIZE - Amount of results returned per page by the API
ara_api_page_size: 100
# ARA_LOG_LEVEL - Log level of the different components
ara_api_log_level: INFO
# ARA_LOGGING - Python logging configuration
ara_api_logging:
disable_existing_loggers: false
formatters:
normal:
format: '%(asctime)s %(levelname)s %(name)s: %(message)s'
handlers:
console:
class: logging.handlers.TimedRotatingFileHandler
formatter: normal
level: "{{ ara_api_log_level }}"
filename: "{{ ara_api_log_dir }}/server.log"
when: 'midnight'
interval: 1
backupCount: 30
loggers:
ara:
handlers:
- console
level: "{{ ara_api_log_level }}"
propagate: 0
version: 1
# ARA_CORS_ORIGIN_ALLOW_ALL - django-cors-headers’s CORS_ORIGIN_WHITELIST_ALLOW_ALL setting
ara_api_cors_origin_allow_all: false
# ARA_CORS_ORIGIN_WHITELIST - django-cors-headers’s CORS_ORIGIN_WHITELIST setting
ara_api_cors_origin_whitelist:
- "http://127.0.0.1:8000"
- "http://localhost:3000"
# ARA_CORS_ORIGIN_REGEX_WHITELIST - django-cors-headers’s CORS_ORIGIN_REGEX_WHITELIST setting
ara_api_cors_origin_regex_whitelist: []
# ARA_SERVER_ALLOWED_HOSTS - Django’s ALLOWED_HOSTS setting
ara_api_allowed_hosts:
- "127.0.0.1"
- "localhost"
- "::1"
- "{{ ara_api_fqdn }}"
# ARA_DEBUG - Django's DEBUG setting
# It is not recommended to run with debug enabled in production.
ara_api_debug: false
# ARA_SECRET_KEY - Django's SECRET_KEY setting
# Note: If no key is provided, a random one will be generated once and persisted
ara_api_secret_key: null
# ARA_DISTRIBUTED_SQLITE - Whether to enable distributed sqlite backend
ara_api_distributed_sqlite: false
# ARA_DISTRIBUTED_SQLITE_PREFIX - Prefix to delegate to the distributed sqlite backend
ara_api_distributed_sqlite_prefix: ara-report
# ARA_DISTRIBUTED_SQLITE_ROOT - Root under which sqlite databases are expected
ara_api_distributed_sqlite_root: /var/www/logs
# ARA_DATABASE_ENGINE - Django’s ENGINE database setting
ara_api_database_engine: "{{ ara_api_distributed_sqlite | ternary('ara.server.db.backends.distributed_sqlite', 'django.db.backends.sqlite3') }}"
# ARA_DATABASE_NAME - Django’s NAME database setting
ara_api_database_name: "{{ ara_api_base_dir }}/ansible.sqlite"
# ARA_DATABASE_USER - Django’s USER database setting
ara_api_database_user: null
# ARA_DATABASE_PASSWORD - Django’s PASSWORD database setting
ara_api_database_password: null
# ARA_DATABASE_HOST - Django’s HOST database setting
ara_api_database_host: null
# ARA_DATABASE_PORT - Django’s PORT database setting
ara_api_database_port: null
# ARA_DATABASE_CONN_MAX_AGE - Django's CONN_MAX_AGE database setting
ara_api_database_conn_max_age: 0
# ARA_DATABASE_OPTIONS - Django's OPTIONS database setting
ara_api_database_options: {}
# ARA_TIME_ZONE - Time zone used when storing and returning results
# Note: the default provided by ARA is dynamic and is set to the local system
# timezone but Ansible doesn't provide, for example, an ansible_timezone fact
# that we could use here. With that in mind, UTC is the best default for now.
ara_api_time_zone: UTC
# ARA cleanup settings
# The following settings configure daily maintenance cronjobs
ara_api_configure_cron: false
# When configuring cronjobs, only provide the arguments for the ara CLI utility
ara_api_cleanup_crons:
- name: ara_api expire running playbooks
arguments: 'expire --server http://localhost:8000 --client http --confirm --hours 24'
special_time: 'daily' # you can also use other time arguments from the cron module
- name: ara_api prune old reports
arguments: 'playbook prune --server http://localhost:8000 --client http --confirm --days 30'
special_time: 'daily'