├── .config ├── ansible-lint-ignore.txt └── ansible-lint.yml ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── dependabot.yml └── workflows │ ├── ansible_lint.yml │ ├── dependency-review.yml │ └── main.yml ├── .pre-commit-config.yaml ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── defaults └── main.yml ├── files ├── .gitkeep ├── CoreConfig.xml ├── DP.pref ├── makeCert.sh ├── makeDP.sh └── takserver-public-gpg.key ├── handlers └── main.yml ├── meta └── main.yml ├── requirements.txt ├── tasks ├── configure-firewall.yml ├── enable-start-takserver.yml ├── install-epel.yml ├── install-postgresql.yml ├── install-takserver.yml ├── main.yml ├── setup-takserver-certs.yml ├── setup-takserver-config.yml ├── setup-takserver-db.yml ├── setup-takserver-users.yml ├── update-dnf.yml └── update-ulimit.yml ├── templates └── .gitkeep ├── tests ├── inventory └── test.yml └── vars └── main.yml /.config/ansible-lint-ignore.txt: -------------------------------------------------------------------------------- 1 | .github/workflows/ansible_lint.yml yaml[truthy] 2 | .github/workflows/dependency-review.yml yaml[line-length] 3 | .github/workflows/dependency-review.yml yaml[truthy] 4 | .github/workflows/main.yml yaml[truthy] -------------------------------------------------------------------------------- /.config/ansible-lint.yml: -------------------------------------------------------------------------------- 1 | warn_list: # or 'skip_list' to silence them completely 2 | - no-changed-when # Commands should not change things if nothing needs do 3 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[BUG]" 5 | labels: bug 6 | assignees: konykon, oyale 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behaviour. Tell us about: 15 | - Python version 16 | - Use of virtual environments 17 | - Any other information of interest. 18 | 19 | **Logs** 20 | ```bash 21 | Properly redacted if needed, please paste here the output of the execution. 22 | ``` 23 | **Environment (please complete the following information):** 24 | - OS: [e.g. Arch] 25 | - Shell [e.g. bash, zshi] 26 | 27 | **Additional context** 28 | Add any other context about the problem here. 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: "[FEATURE]" 5 | labels: enhancement 6 | assignees: konykon, oyale 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "pip" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "weekly" 12 | - package-ecosystem: "github-actions" 13 | directory: "/.github/workflows" 14 | schedule: 15 | interval: "daily" 16 | -------------------------------------------------------------------------------- /.github/workflows/ansible_lint.yml: -------------------------------------------------------------------------------- 1 | name: Ansible Lint 2 | on: [push, pull_request] 3 | 4 | jobs: 5 | build: 6 | runs-on: ubuntu-latest 7 | 8 | steps: 9 | - uses: actions/checkout@v4 10 | 11 | - name: Run ansible-lint 12 | uses: ansible-community/ansible-lint-action@main 13 | -------------------------------------------------------------------------------- /.github/workflows/dependency-review.yml: -------------------------------------------------------------------------------- 1 | # Dependency Review Action 2 | # 3 | # This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. 4 | # 5 | # Source repository: https://github.com/actions/dependency-review-action 6 | # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement 7 | name: 'Dependency Review' 8 | on: [pull_request] 9 | 10 | permissions: 11 | contents: read 12 | 13 | jobs: 14 | dependency-review: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: 'Checkout Repository' 18 | uses: actions/checkout@v4 19 | - name: 'Dependency Review' 20 | uses: actions/dependency-review-action@v3 21 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: auto-merge 2 | 3 | on: 4 | pull_request: 5 | 6 | jobs: 7 | auto-merge: 8 | runs-on: ubuntu-latest 9 | permissions: write-all 10 | steps: 11 | - uses: actions/checkout@v4 12 | - uses: ahmadnassri/action-dependabot-auto-merge@v2 13 | with: 14 | target: minor 15 | github-token: ${{ secrets.MERGE_TOKEN }} 16 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | repos: 3 | - repo: https://github.com/ansible-community/ansible-lint 4 | rev: v5.4.0 5 | hooks: 6 | - id: ansible-lint 7 | 8 | - repo: https://github.com/pre-commit/pre-commit-hooks 9 | rev: v3.2.0 10 | hooks: 11 | - id: trailing-whitespace 12 | exclude: /README\.rst$|\.pot?$ 13 | 14 | - repo: https://github.com/adrienverge/yamllint 15 | rev: v1.26.3 16 | hooks: 17 | - id: yamllint 18 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct for Our Cooperative Open Source Project 2 | 3 | ## Purpose 4 | 5 | Our open-source software project is committed to fostering a cooperative, solidary, welcoming, and collaborative environment for everyone, irrespective of their background. This Code of Conduct applies to everyone who engages with our project on any level, providing guidance to all participants to maintain a safe, positive, and mutually supportive community. 6 | 7 | ## Values 8 | 9 | 1. **Cooperation:** We believe in the power of working together. We encourage team efforts, collaborations, and the pooling of resources and knowledge. We understand that our collective intelligence surpasses individual capacities. 10 | 11 | 2. **Solidarity:** We stand together and support each other. We believe that the success of one is the success of all, and we're committed to helping each other in times of need. 12 | 13 | ## Expected Behavior 14 | 15 | 1. **Respect:** Treat all community members with kindness and respect. Remember that everyone is contributing their time and expertise to improve the project. 16 | 2. **Patience:** Demonstrate patience and understanding towards others, especially when discussing complex or controversial issues. 17 | 3. **Constructive Criticism:** Provide feedback that is constructive and helpful. This includes being open to receiving such feedback. 18 | 4. **Openness:** All trascendental technical debates should take place in the project's repository issues, ensuring everyone has the chance to contribute to the discussion. 19 | 5. **Inclusivity:** Promote an inclusive and supportive environment. Every contribution is important and should be recognized. 20 | 6. **Transparency:** *If it is not in the repository, it has not happened*, or, in other words, the single source of truth is the repository and its issues. Document everything, including, e.g, writting down discussions that have been held elsewhere. 21 | 22 | ## Unacceptable Behavior 23 | 24 | 1. **Personal Attacks:** Any form of personal attacks, trolling, or insulting/derogatory comments are not tolerated. 25 | 2. **Harassment:** This includes, but is not limited to, harassment based on race, gender, sexual orientation, disability, age, or religion. 26 | 3. **Disruptive Behavior:** Any disruptive behavior that derails technical discussions or demeans others' contributions is unacceptable. 27 | 4. **Public or Private Harassment:** Harassment in any form, either online or offline, is not allowed. 28 | 5. **Other Unethical or Unprofessional Conduct:** Any other conduct which could reasonably be considered inappropriate in a professional setting. 29 | 30 | ## Reporting and Enforcement 31 | 32 | Violations of this Code of Conduct will result in actions aimed at facilitating conflict resolution and repairing any harm caused. These measures will be adapted according to the evolution of the situation and the process. Actions could range from mediation between involved parties to temporary or permanent restrictions from contributing. If you witness or experience any violations, please report them by sending an email to cures@coopdevs.org. 33 | 34 | Our project maintainers will review and investigate all reports, and then take action that is deemed necessary and appropriate based on the progress and nature of the process. We are committed to ensuring that all our community members feel safe and respected, and we appreciate your help in maintaining this environment. 35 | 36 | --- 37 | 38 | This Code of Conduct is a living document, and we are committed to it for the project's health and community. We will continuously review and update it as our community grows and learns. 39 | 40 | We believe in the quality and potential of everyone who contributes to our project. Adhering to this Code of Conduct helps ensure that our community is welcoming, inclusive, cooperative, solidary, and respectful to all. We expect everyone to help make this a place where everyone feels safe and welcomed. 41 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Development setup 2 | 3 | ### Configure python environment 4 | 5 | In order to assure that the files contained here are linted the same way, we are using [`pyenv`](https://github.com/pyenv/pyenv). 6 | 7 | Follow [Installing and using pyenv](https://github.com/coopdevs/handbook/wiki/Installing-and-using-pyenv), or, in short: 8 | 9 | ```sh 10 | pyenv install 3.8.12 11 | pyenv virtualenv 3.8.12 role-name 12 | ``` 13 | 14 | ### Configure ansible environment 15 | 16 | You will need Ansible on your machine to run the playbooks, follow the steps below to install it. 17 | 18 | ```sh 19 | pyenv exec pip install -r requirements.txt 20 | ansible-galaxy install -r requirements.yml -f 21 | ``` 22 | 23 | ### Install pre-commit hooks 24 | 25 | We use [pre-commit framework](https://pre-commit.com/) to assure quality code. 26 | 27 | ```sh 28 | pre-commit install 29 | ``` 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright (c) 2020-2024 IQT Labs LLC, All Rights Reserved. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | ansible-playbook tasks/main.yml -i ../inventory.yaml --vault-password-file=../vault.txt -e '@../secret' --vault-password-file ../vault.txt -l mytakserver 3 | 4 | certbot: 5 | ansible-playbook tasks/certbot.yml -i ../inventory.yaml --vault-password-file=../vault.txt -e '@../secret' --vault-password-file ../vault.txt -l mytakserver 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Using this template 2 | 3 | This template is a starting point for creating a new repository for Ansible roles. You must complete the following steps: 4 | 5 | - [ ] Click on button `Use this template` to create a new repository. 6 | - [ ] Clone it to your computer and follow [CONTRIBUTING.md](CONTRIBUTING.md) instructions to setup the developing enviroment. 7 | - [ ] Update the `README.md` file to describe the role. 8 | - [ ] Update the `meta/main.yml` with proper metadata about the role. 9 | - [ ] Update the `defaults/main.yml` file to set the default values for the role. 10 | - [ ] Update the `tasks/main.yml` file to implement the role. 11 | - [ ] Update the `vars/main.yml` file to set the variables for the role. 12 | - [ ] Add template files to the `templates` directory 13 | - [ ] Add needed files to the `files` directory 14 | - [ ] If needed, define handlers in the `handlers/main.yml` file 15 | - [ ] Delete all unused files 16 | 17 | ## Contents 18 | 19 | This template contains the following items: 20 | 21 | - An Ansible role skeleton generated by `ansible-galaxy init`. 22 | - Pre-filled `CONTRIBUTING.md` with instructions to set-up the development environment. 23 | - Pre-commit configuration to check the code before commiting. 24 | - `requirements.txt` file to include test dependencies. 25 | - Github actions to check the role with `ansible-lint` and `yamllint`. 26 | - Dependabot configuration to keep the dependencies up-to-date. 27 | - A [LICENSE](LICENSE) file. 28 | 29 | --- 30 | 31 | TAK Server 32 | ========= 33 | 34 | An Ansible role for deploying & configuring a [TAK Server](https://www.tak.gov/) 35 | 36 | Requirements 37 | ------------ 38 | 39 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 40 | 41 | Role Variables 42 | -------------- 43 | 44 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 45 | 46 | Dependencies 47 | ------------ 48 | 49 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 50 | 51 | Example Playbook 52 | ---------------- 53 | 54 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 55 | 56 | ```bash 57 | ansible-playbook tests/test.yml -i tests/inventory --extra-vars '{"var":"value"}' 58 | ``` 59 | 60 | License 61 | ------- 62 | 63 | Apache License, Version 2.0 64 | 65 | Author Information 66 | ------------------ 67 | 68 | SNSTAC 69 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Description: Default variables for the TAK Server role 2 | 3 | takserver_rpm: | 4 | You must specify the TAK Server RPM in the 5 | takserver_rpm variable. 6 | 7 | takserver_epel_repo_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" 8 | takserver_epel_repo_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}" 9 | takserver_epel_repofile_path: "/etc/yum.repos.d/epel.repo" 10 | takserver_epel_repo_disable: false 11 | 12 | takserver_cert_name: "takserver" 13 | takserver_ca_name: "takserver-ca" 14 | takserver_intermediateca_name: "takserver-intermediate-ca" 15 | takserver_ca_state: "California" 16 | takserver_ca_city: "San Francisco" 17 | takserver_ca_org: "TAK Server" 18 | takserver_ca_ou: "TAK Server" 19 | takserver_ca_country: "US" 20 | takserver_ca_email: "info@snstac.com" 21 | takserver_ca_capass: "atakatak" 22 | 23 | takserver_cert_pass: "atakatak" 24 | takserver_cert_keysize: 2048 25 | takserver_cert_days: 3650 26 | 27 | takserver_db_name: "cot" 28 | takserver_db_user: "martiuser" 29 | takserver_db_pass: "atakatak" 30 | takserver_db_host: "localhost" 31 | takserver_db_port: 5432 32 | takserver_db_sslmode: "disable" 33 | takserver_db_sslcert: "" 34 | takserver_db_sslkey: "" 35 | takserver_db_sslrootcert: "" 36 | takserver_db_sslcrl: "" 37 | 38 | takserver_users: ["takadmin", "enroll"] 39 | takserver_user_pass: "-default-X-2025-" 40 | takserver_admins: ["takadmin"] 41 | -------------------------------------------------------------------------------- /files/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snstac/ansible-takserver/4055bb69652c20f8af5542f73590bff9f358b21f/files/.gitkeep -------------------------------------------------------------------------------- /files/CoreConfig.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 58 | 59 | 60 | 61 | 62 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 131 | 132 | 133 | 134 | 135 | 136 | 143 | 144 | 145 | 146 | 147 | 148 | 152 | 153 | 154 | 155 | 156 | 157 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 197 | 198 | 199 | 200 | 201 | -------------------------------------------------------------------------------- /files/DP.pref: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 1 5 | Example TAK Server 6 | true 7 | tak.example.net:8089:ssl 8 | cert/truststore.p12 9 | atakatak 10 | true 11 | false 12 | cert/client.p12 13 | atakatak 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /files/makeCert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SNSTAC modified version of TAK Server 5.2's makeCert.sh script. 3 | # 4 | # EDIT cert-metadata.sh before running this script! 5 | # Optionally, you may also edit config.cfg, although unless you know what 6 | # you are doing, you probably shouldn't. 7 | 8 | source cert-metadata.sh 9 | 10 | mkdir -p "$DIR" 11 | cd "$DIR" || exit 12 | 13 | usage() { 14 | echo "Usage: ./makeCert.sh [server|client|ca|dbclient] " 15 | echo " If you do not provide a common name on the command line, you will be prompted for one" 16 | exit 1 17 | } 18 | 19 | if [ ! -e ca.pem ]; then 20 | echo "ca.pem does not exist! Please make a CA before trying to make server certficiates" 21 | exit 1 22 | fi 23 | 24 | if [ "$1" ]; then 25 | if [ "$1" == "server" ]; then 26 | EXT=server 27 | elif [ "$1" == "client" ]; then 28 | EXT=client 29 | elif [ "$1" == "ca" ]; then 30 | EXT=v3_ca 31 | elif [ "$1" == "dbclient" ]; then 32 | EXT=client 33 | else 34 | usage 35 | fi 36 | else 37 | usage 38 | fi 39 | 40 | 41 | if [ "$2" ]; then 42 | SNAME=$2 43 | else 44 | if [ "$1" == "dbclient" ]; then 45 | echo "Use default name martiuser for database client certificate" 46 | SNAME=martiuser 47 | else 48 | echo "Please give the common name for your certificate (no spaces). It should be unique. If you don't enter anything, or try something under 5 characters, I will make one for you" 49 | read -r SNAME 50 | canamelen=${#SNAME} 51 | if [[ "$canamelen" -lt 5 ]]; then 52 | SNAME=$(date +%N) 53 | fi 54 | fi 55 | fi 56 | 57 | if [ "$1" == "server" ]; then 58 | if [[ $SNAME =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then 59 | ALTNAMEFIELD="IP.1" 60 | else 61 | ALTNAMEFIELD="DNS.1" 62 | fi 63 | 64 | cp ../config.cfg config-"$SNAME".cfg 65 | echo " 66 | subjectAltName = @alt_names 67 | 68 | [alt_names] 69 | $ALTNAMEFIELD = $SNAME 70 | " >> config-"$SNAME".cfg 71 | CONFIG=config-$SNAME.cfg 72 | else 73 | CONFIG=../config.cfg 74 | fi 75 | 76 | CRYPTO_SETTINGS="" 77 | FIPS_SETTINGS="" 78 | 79 | openssl list -providers 2>&1 | grep "\(invalid command\|unknown option\)" >/dev/null 80 | if [ $? -ne 0 ] ; then 81 | echo "Using legacy provider" 82 | CRYPTO_SETTINGS="-legacy" 83 | fi 84 | 85 | fips=false 86 | for var in "$@" 87 | do 88 | echo "$var" 89 | if [ "$var" == "-fips" ] || [ "$var" == "--fips" ];then 90 | fips=true 91 | FIPS_SETTINGS='-macalg SHA256 -aes256 -descert -keypbe AES-256-CBC -certpbe AES-256-CBC' 92 | fi 93 | done 94 | 95 | SUBJ=$SUBJBASE"CN=$SNAME" 96 | echo "Making a $1 cert for " "$SUBJ" 97 | if [[ "$1" == "ca" ]]; then 98 | # Have to use the password {CAPASS} instead of {PASS} since the original CA can be replaced by this new CA at the end 99 | openssl req -new -newkey rsa:2048 -sha256 -keyout "${SNAME}".key -passout pass:"${CAPASS}" -out "${SNAME}".csr -subj "$SUBJ" 100 | else 101 | openssl req -new -newkey rsa:2048 -sha256 -keyout "${SNAME}".key -passout pass:"${PASS}" -out "${SNAME}".csr -subj "$SUBJ" 102 | fi 103 | openssl x509 -sha256 -req -days 730 -in "${SNAME}".csr -CA ca.pem -CAkey ca-do-not-share.key -out "${SNAME}".pem -set_serial 0x"$(openssl rand -hex 8)" -passin pass:"${CAPASS}" -extensions $EXT -extfile "$CONFIG" 104 | 105 | if [[ "$1" == "ca" ]]; then 106 | openssl x509 -in "${SNAME}".pem -addtrust clientAuth -addtrust serverAuth -setalias "${SNAME}" -out "${SNAME}"-trusted.pem 107 | fi 108 | 109 | # Convert the database client private key to PKCS#8 format to use in TAK Server configuration file 110 | if [[ "$1" == "dbclient" ]]; then 111 | openssl pkcs8 -topk8 -outform DER -in "${SNAME}".key -passin pass:"$PASS" -out "${SNAME}".key.pk8 -nocrypt 112 | fi 113 | 114 | # now add the chain 115 | cat ca.pem >> "${SNAME}".pem 116 | cat ca-trusted.pem >> "${SNAME}"-trusted.pem 117 | 118 | # now make pkcs12 and jks keystore files 119 | if [[ "$1" == "server" || "$1" == "client" || "$1" == "dbclient" ]]; then 120 | openssl pkcs12 ${CRYPTO_SETTINGS} ${FIPS_SETTINGS} -export -in "${SNAME}".pem -inkey "${SNAME}".key -out "${SNAME}".p12 -name "${SNAME}" -CAfile ca.pem -passin pass:"${PASS}" -passout pass:"${PASS}" 121 | keytool -importkeystore -deststorepass "${PASS}" -destkeypass "${PASS}" -destkeystore "${SNAME}".jks -srckeystore "${SNAME}".p12 -srcstoretype PKCS12 -srcstorepass "${PASS}" -alias "${SNAME}" 122 | else # a CA 123 | if [ "$fips" = true ];then 124 | openssl pkcs12 ${CRYPTO_SETTINGS} -export -in "${SNAME}"-trusted.pem -out truststore-"${SNAME}"-legacy.p12 -nokeys -passout pass:"${CAPASS}" 125 | fi 126 | openssl pkcs12 ${CRYPTO_SETTINGS} "${FIPS_SETTINGS}" -export -in "${SNAME}"-trusted.pem -out truststore-"${SNAME}".p12 -nokeys -passout pass:"${CAPASS}" 127 | keytool -import -trustcacerts -file "${SNAME}".pem -keystore truststore-"${SNAME}".jks -storepass "${CAPASS}" -noprompt 128 | 129 | # include a CA signing keystore; NOT FOR DISTRIBUTION TO CLIENTS 130 | openssl pkcs12 "${CRYPTO_SETTINGS}" "${FIPS_SETTINGS}" -export -in "${SNAME}".pem -inkey "${SNAME}".key -out "${SNAME}"-signing.p12 -name "${SNAME}" -passin pass:"${CAPASS}" -passout pass:"${CAPASS}" 131 | keytool -importkeystore -deststorepass "${CAPASS}" -destkeypass "${CAPASS}" -destkeystore "${SNAME}"-signing.jks -srckeystore "${SNAME}"-signing.p12 -srcstoretype PKCS12 -srcstorepass "${CAPASS}" -alias "${SNAME}" 132 | 133 | ## create empty crl 134 | openssl ca -config ../config.cfg -gencrl -keyfile "${SNAME}".key -key "${CAPASS}" -cert "${SNAME}".pem -out "${SNAME}".crl 135 | 136 | # echo "Do you want me to move files around so that future server and client certificates are signed by this new CA? [y/n]" 137 | # read MVREQ 138 | # if [[ "$MVREQ" == "y" || "$MVREQ" == "Y" ]]; then 139 | cp "$SNAME".pem ca.pem 140 | cp "$SNAME".key ca-do-not-share.key 141 | cp "$SNAME"-trusted.pem ca-trusted.pem 142 | # else 143 | # echo "Ok, not overwriting existing keys. To manually change the CA later, execute these commands from the 'files' directory:" 144 | # echo " cp $SNAME.pem ca.pem" 145 | # echo " cp $SNAME.key ca-do-not-share.key" 146 | # echo " cp $SNAME-trusted.pem ca-trusted.pem" 147 | # fi 148 | 149 | fi 150 | 151 | chmod og-rwx "${SNAME}".key 152 | 153 | -------------------------------------------------------------------------------- /files/makeDP.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | DP_NAME=dp-takserver.zip 4 | 5 | rm -f ${ZIP_NAME} 6 | zip -r ${ZIP_NAME} *.pref cert *.xml 7 | -------------------------------------------------------------------------------- /files/takserver-public-gpg.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQGNBGAwFLcBDADAeSns0R5l4dJpsHy7N0ZXjA8vm6MBrmRR6Fym+UNY0+wUwNwJ 4 | Y41fRwstBQ2ZhzNYQDI1bwjUoVbDi4w2Db+BjutglpVmTt7sEHnhP+U/SfSXT1LW 5 | 3zx8qGJa0UCx+ktxokCM78qtiB0K5NBDw8QJfMep1r0GNE/t/wpnWmOBOw2BHdVE 6 | 8NJyyW37HB+Zi8ASswYMK31JebvBTU078a7sf97QQtxMa2afwuEX2iwhQhz3nEeZ 7 | O11hSa6Yrbq1wQzI6JTAPhQKcbcocjJyzv/nsJzhXMRMoFnruZHsXn5PtGlWy+EC 8 | 6MZbygyY64fH0xB3ruzyCyKj5EidcA5OrxBd1albeRfq3Uu1XLLlZoeTTkePpUlb 9 | K/GsBYwLRb7uYleCNn5FQfyB84vsQibLcxDpWIwUu5jmbvTFTvmETXZaZw7wUdiI 10 | gRNRL+dbByPHbtdtEXPKUrDOEaKER7gZmD+GmgXUTwL3pen2H81hvmFtU3FMqWNo 11 | P8Nmy1Clmk+tKKkAEQEAAbQ3VEFLIFByb2R1Y3QgQ2VudGVyIFRBSyBTZXJ2ZXIg 12 | UmVsZWFzZSA8c3VwcG9ydEB0YWsuZ292PokBzgQTAQgAOBYhBHHAM0Xzk9vQ4Drr 13 | K/BiN5NoUfW1BQJgMBS3AhsvBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPBi 14 | N5NoUfW1cO0L/R9cYeDa8vdhFGKU9vgBmi8h8zRkZMXyRK4Avt5tMyfftbZfkE+R 15 | lWMxf4U6bO1TSZw9BhWxtWKxVMB+B7YeZ7ua2n5y0cdofcIh13MvA0JIkW4yUqFH 16 | hnoGyQNpyiio8pmlzElmw4bngrX0tq/l4F5x9y/bvJ2lrIjv9SjTWClj03RDcbUY 17 | qBStbKBuxQIF5FCaSyp4WKd00Qx1rmE3Pea/SArcqXzKGCoovL8/zd1y5xvWHah7 18 | I/X+AqRWcvnaEnKqBJ1J9sWot79fV1lHQsx5GLjPcg5AkDaVvi2zCvs+Ppa442uF 19 | A2Q3oGxGypMs4RnGb7isre928okIdqQCsosHT6601AdtuvGTcG6zzMbhf0DajnFV 20 | zmrLeAWTJXBOdQoR27wjRSeMihGpZpytP/athCkcLRMXc74xuxWFYWZ76QmekxyV 21 | Z4mle/EyVr3yg1+XU2q7QyG0BpYCrdkBKutO4hJihZreDq8udLtzCrkyKJTCxe0g 22 | xA09pVPS+bAzGA== 23 | =Heiq 24 | -----END PGP PUBLIC KEY BLOCK----- 25 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for ansible-role-takserver 3 | 4 | - name: Restart takserver. 5 | ansible.builtin.systemd: 6 | name: takserver 7 | state: restarted 8 | 9 | - name: Reload all system config settings. 10 | become: true 11 | ansible.posix.sysctl: 12 | name: net.ipv4.ip_forward 13 | reload: true 14 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | role_name: ansible_role 4 | namespace: coopdevs 5 | author: Coopdevs 6 | description: An Ansible role to <> 7 | license: GPL-3.0-only 8 | min_ansible_version: "2.1" 9 | 10 | platforms: 11 | - name: Ubuntu 12 | versions: 13 | - all 14 | 15 | galaxy_tags: [] 16 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ansible==9.1.0 2 | ansible-lint==6.22.1 3 | yamllint==1.33.0 4 | pre-commit==3.6.0 5 | -------------------------------------------------------------------------------- /tasks/configure-firewall.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | 3 | - name: Permanently enable 8089, also enable it immediately if possible. 4 | ansible.posix.firewalld: 5 | port: 8089/tcp 6 | state: enabled 7 | permanent: true 8 | immediate: true 9 | offline: true 10 | tags: takserver 11 | when: ansible_os_family == "RedHat" 12 | 13 | - name: Permanently enable 8446, also enable it immediately if possible. 14 | ansible.posix.firewalld: 15 | port: 8446/tcp 16 | state: enabled 17 | permanent: true 18 | immediate: true 19 | offline: true 20 | tags: takserver 21 | when: ansible_os_family == "RedHat" 22 | -------------------------------------------------------------------------------- /tasks/enable-start-takserver.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Force systemd to re-read configs. 4 | become: true 5 | ansible.builtin.systemd: 6 | daemon_reload: true 7 | 8 | - name: Start TAK Server service. 9 | ansible.builtin.systemd: 10 | name: takserver 11 | enabled: true 12 | state: started 13 | -------------------------------------------------------------------------------- /tasks/install-epel.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Check if EPEL repo is already configured. 4 | ansible.builtin.stat: 5 | path: "{{ takserver_epel_repofile_path }}" 6 | register: epel_repofile_result 7 | 8 | - name: Import EPEL GPG key. 9 | ansible.builtin.rpm_key: 10 | key: "{{ takserver_epel_repo_gpg_key_url }}" 11 | state: present 12 | register: result 13 | until: result is succeeded 14 | retries: 5 15 | delay: 10 16 | when: not epel_repofile_result.stat.exists 17 | ignore_errors: "{{ ansible_check_mode }}" 18 | 19 | - name: Install EPEL repo. 20 | ansible.builtin.dnf: 21 | name: "{{ takserver_epel_repo_url }}" 22 | state: present 23 | register: result 24 | until: result is succeeded 25 | retries: 5 26 | delay: 10 27 | when: not epel_repofile_result.stat.exists 28 | 29 | - name: Disable Main EPEL repo. 30 | community.general.ini_file: 31 | path: "/etc/yum.repos.d/epel.repo" 32 | section: epel 33 | option: enabled 34 | value: "{{ takserver_epel_repo_disable | ternary(0, 1) }}" 35 | no_extra_spaces: true 36 | mode: "0644" 37 | -------------------------------------------------------------------------------- /tasks/install-postgresql.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Install PostgreSQL repo RPM (RHEL 8). 4 | ansible.builtin.dnf: 5 | name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm 6 | state: present 7 | disable_gpg_check: true 8 | when: ansible_distribution_major_version == "8" and ansible_distribution == "RedHat" 9 | register: pgsql_repo_rpm_installed 10 | 11 | - name: Install PostgreSQL repo RPM (RHEL 9). 12 | ansible.builtin.dnf: 13 | name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm 14 | state: present 15 | disable_gpg_check: true 16 | when: ansible_distribution_major_version == "9" 17 | register: pgsql_repo_rpm_installed 18 | 19 | - name: Disable default PostgreSQL DNF module. 20 | community.general.ini_file: 21 | path: /etc/dnf/modules.d/postgresql.module 22 | section: postgresql 23 | option: state 24 | value: disabled 25 | no_extra_spaces: true 26 | mode: "0644" 27 | owner: root 28 | group: root 29 | register: postgresql_dnf_module_disabled 30 | 31 | - name: Update DNF cache. 32 | tags: always 33 | ansible.builtin.dnf: 34 | update_cache: true 35 | 36 | - name: Install DNF Plugins. 37 | ansible.builtin.dnf: 38 | name: 39 | - dnf-plugins-core 40 | - epel-release 41 | state: present 42 | when: ansible_distribution == "Rocky" 43 | 44 | # "crb", fka "powertools": https://developers.redhat.com/blog/2018/11/15/introducing-codeready-linux-builder 45 | - name: Enable crb repository 46 | ansible.builtin.command: dnf config-manager --set-enabled crb 47 | when: ansible_distribution == "Rocky" 48 | changed_when: false 49 | 50 | - name: Update DNF cache. 51 | tags: always 52 | ansible.builtin.dnf: 53 | update_cache: true 54 | -------------------------------------------------------------------------------- /tasks/install-takserver.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Install Java 17 OpenJDK. 4 | ansible.builtin.dnf: 5 | name: java-17-openjdk-devel 6 | state: present 7 | 8 | - name: Copy TAK Server RPM to remote host. 9 | ansible.builtin.copy: 10 | src: "{{ takserver_rpm }}" 11 | dest: "/usr/src/{{ takserver_rpm }}" 12 | mode: "0644" 13 | owner: root 14 | group: root 15 | 16 | - name: Copy TAK Server GPG key to remote host. 17 | ansible.builtin.copy: 18 | src: "{{ takserver_gpg_key }}" 19 | dest: "/usr/src/{{ takserver_gpg_key }}" 20 | mode: "0644" 21 | owner: root 22 | group: root 23 | 24 | - name: Import TAK Server GPG key. 25 | ansible.builtin.rpm_key: 26 | state: present 27 | key: "/usr/src/{{ takserver_gpg_key }}" 28 | 29 | - name: Install TAK Server from RPM. 30 | ansible.builtin.dnf: 31 | name: "/usr/src/{{ takserver_rpm }}" 32 | state: present 33 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | # 3 | # This file is the main entry point for the TAK Server role. 4 | # It includes all the other tasks that are needed to install and configure the TAK Server. 5 | # 6 | 7 | - name: Install TAK Server. 8 | tags: takserver 9 | ansible.builtin.include_tasks: "{{ item }}" 10 | loop: 11 | - update-ulimit.yml 12 | - update-dnf.yml 13 | - install-epel.yml 14 | - update-dnf.yml 15 | - install-postgresql.yml 16 | - install-takserver.yml 17 | - setup-takserver-config.yml 18 | - setup-takserver-db.yml 19 | - enable-start-takserver.yml 20 | - setup-takserver-certs.yml 21 | - setup-takserver-users.yml 22 | - configure-firewall.yml 23 | when: ansible_os_family == "RedHat" 24 | # TODO: Add support for Debian based systems. 25 | 26 | -------------------------------------------------------------------------------- /tasks/setup-takserver-certs.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | - name: Replace values in the TAK Server cert metadata. 3 | ansible.builtin.replace: 4 | path: /opt/tak/certs/cert-metadata.sh 5 | regexp: '^({{ item.key }}=).*' 6 | replace: '\1"{{ item.value }}"' 7 | loop: 8 | - { key: 'STATE', value: '{{ takserver_ca_state | default("default_takserver_ca_state") }}' } 9 | - { key: 'CITY', value: '{{ takserver_ca_city | default("default_takserver_ca_city") }}' } 10 | - { key: 'ORGANIZATION', value: '{{ takserver_ca_org | default("default_takserver_ca_org") }}' } 11 | - { key: 'ORGANIZATIONAL_UNIT', value: '{{ takserver_ca_ou | default("default_takserver_ca_ou") }}' } 12 | - { key: 'CAPASS', value: '{{ takserver_ca_capass | default("default_takserver_ca_capass") }}' } 13 | - { key: 'PASS', value: '{{ takserver_cert_pass | default("default_takserver_cert_pass") }}' } 14 | 15 | - name: Generate TAK Server CA. 16 | ansible.builtin.command: /opt/tak/certs/makeRootCa.sh --ca-name {{ takserver_ca_name | default('default_takserver_ca_name') }} 17 | args: 18 | chdir: /opt/tak/certs 19 | creates: /opt/tak/certs/files/ca.pem 20 | 21 | - name: Copy makeCert-sns.sh to /opt/tak/certs. 22 | ansible.builtin.copy: 23 | src: "makeCert.sh" 24 | dest: /opt/tak/certs/makeCert-sns.sh 25 | mode: '0755' 26 | 27 | - name: Generate TAK Server Intermediate CA. 28 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh ca {{ takserver_intermediateca_name | default('default_takserver_intermediateca_name') }} 29 | args: 30 | chdir: /opt/tak/certs 31 | creates: /opt/tak/certs/files/{{ takserver_intermediateca_name | default('default_takserver_intermediateca_name') }}.pem 32 | 33 | - name: Generate TAK Server TLS certificate. 34 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh server {{ takserver_cert_name | default('default_takserver_cert_name') }} 35 | args: 36 | chdir: /opt/tak/certs 37 | creates: /opt/tak/certs/files/{{ takserver_cert_name | default('default_takserver_cert_name') }}.jks 38 | -------------------------------------------------------------------------------- /tasks/setup-takserver-config.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Install lxml Python module. 4 | ansible.builtin.dnf: 5 | name: python3-lxml 6 | state: present 7 | 8 | - name: Check if CoreConfig.xml exists. 9 | ansible.builtin.stat: 10 | path: /opt/tak/CoreConfig.xml 11 | register: coreconfig_stat 12 | 13 | - name: Copy TAK Server CoreConfig.xml to /opt/tak if it does not exist. 14 | ansible.builtin.copy: 15 | src: "CoreConfig.xml" 16 | dest: /opt/tak/CoreConfig.xml 17 | mode: '0644' 18 | owner: tak 19 | group: tak 20 | when: not coreconfig_stat.stat.exists 21 | 22 | - name: Update TAK Server CoreConfig.xml with database pass. 23 | community.general.xml: 24 | path: /opt/tak/CoreConfig.xml 25 | xpath: /a:Configuration/a:repository/a:connection 26 | value: "{{ takserver_db_pass }}" 27 | attribute: password 28 | namespaces: 29 | a: http://bbn.com/marti/xml/config 30 | b: http://www.w3.org/2001/XMLSchema-instance 31 | c: file:///opt/tak/CoreConfig.xsd 32 | notify: Restart takserver. 33 | 34 | - name: Update TAK Server CoreConfig.xml with database user. 35 | community.general.xml: 36 | path: /opt/tak/CoreConfig.xml 37 | xpath: /a:Configuration/a:repository/a:connection 38 | value: "{{ takserver_db_user }}" 39 | attribute: username 40 | namespaces: 41 | a: http://bbn.com/marti/xml/config 42 | b: http://www.w3.org/2001/XMLSchema-instance 43 | c: file:///opt/tak/CoreConfig.xsd 44 | notify: Restart takserver. 45 | 46 | - name: Update TAK Server CoreConfig.xml with TLS keystoreFile. 47 | community.general.xml: 48 | path: /opt/tak/CoreConfig.xml 49 | xpath: /a:Configuration/a:security/a:tls 50 | value: /opt/tak/certs/files/{{ takserver_cert_name | default('default_takserver_cert_name') }}.jks 51 | attribute: keystoreFile 52 | namespaces: 53 | a: http://bbn.com/marti/xml/config 54 | b: http://www.w3.org/2001/XMLSchema-instance 55 | c: file:///opt/tak/CoreConfig.xsd 56 | notify: Restart takserver. 57 | 58 | - name: Update TAK Server CoreConfig.xml with TLS keystorePass. 59 | community.general.xml: 60 | path: /opt/tak/CoreConfig.xml 61 | xpath: /a:Configuration/a:security/a:tls 62 | value: '{{ takserver_cert_pass | default("default_takserver_cert_pass") }}' 63 | attribute: keystorePass 64 | namespaces: 65 | a: http://bbn.com/marti/xml/config 66 | b: http://www.w3.org/2001/XMLSchema-instance 67 | c: file:///opt/tak/CoreConfig.xsd 68 | 69 | - name: Update TAK Server CoreConfig.xml with TLS truststorePass. 70 | community.general.xml: 71 | path: /opt/tak/CoreConfig.xml 72 | xpath: /a:Configuration/a:security/a:tls 73 | value: '{{ takserver_ca_capass | default("default_takserver_ca_capass") }}' 74 | attribute: truststorePass 75 | namespaces: 76 | a: http://bbn.com/marti/xml/config 77 | b: http://www.w3.org/2001/XMLSchema-instance 78 | c: file:///opt/tak/CoreConfig.xsd 79 | 80 | - name: Flush handlers. 81 | meta: flush_handlers 82 | -------------------------------------------------------------------------------- /tasks/setup-takserver-db.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Install psycopg2 Python module. 4 | ansible.builtin.dnf: 5 | name: python3-psycopg2 6 | state: present 7 | 8 | - name: Setup TAK PostgreSQL Database. 9 | ansible.builtin.command: /opt/tak/db-utils/takserver-setup-db.sh 10 | args: 11 | creates: /var/lib/pgsql/10/data/PG_VERSION 12 | 13 | - name: Set PostgreSQL password for TAK Server. 14 | become: true 15 | community.postgresql.postgresql_user: 16 | name: "{{ takserver_db_user }}" 17 | password: "{{ takserver_db_pass }}" 18 | become_user: postgres 19 | -------------------------------------------------------------------------------- /tasks/setup-takserver-users.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Create TAK Server user TLS certificates. 4 | with_items: "{{ takserver_users }}" 5 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh client {{ item }} 6 | args: 7 | chdir: /opt/tak/certs 8 | creates: /opt/tak/certs/files/{{ item }}.pem 9 | 10 | - name: Create TAK Server user account. 11 | with_items: "{{ takserver_users }}" 12 | ansible.builtin.command: java -jar /opt/tak/utils/UserManager.jar usermod -p {{ takserver_user_pass }} {{ item }} 13 | args: 14 | chdir: /opt/tak/certs 15 | 16 | - name: Create TAK Server user-cert association. 17 | with_items: "{{ takserver_users }}" 18 | ansible.builtin.command: java -jar /opt/tak/utils/UserManager.jar certmod /opt/tak/certs/files/{{ item }}.pem 19 | args: 20 | chdir: /opt/tak/certs 21 | 22 | - name: Create TAK Server admins. 23 | with_items: "{{ takserver_admins }}" 24 | ansible.builtin.shell: | 25 | java -jar /opt/tak/utils/UserManager.jar usermod -A {{ item }} 26 | args: 27 | chdir: /opt/tak/certs 28 | 29 | - name: Create /usr/src/dp directory. 30 | ansible.builtin.file: 31 | path: /usr/src/dp 32 | state: directory 33 | mode: "0755" 34 | 35 | - name: Copy DP.pref to /usr/src/dp. 36 | ansible.builtin.copy: 37 | src: "DP.pref" 38 | dest: /usr/src/dp/dp.pref 39 | mode: "0644" 40 | 41 | - name: Create Data Packages for users. 42 | with_items: "{{ takserver_users }}" 43 | ansible.builtin.shell: | 44 | rm -f /usr/src/dp/DP-{{ item }}.zip 45 | mkdir -p /usr/src/dp/{{ item }} 46 | cp /opt/tak/certs/files/truststore-takserver-intermediate-ca.p12 /usr/src/dp/{{ item }}/truststore.p12 47 | cp /opt/tak/certs/files/{{ item }}.p12 /usr/src/dp/{{ item }}/user.p12 48 | cp /usr/src/dp/DP.pref /usr/src/dp/{{ item }}/dp.pref 49 | cd /usr/src/dp/{{ item }} 50 | zip -r ../dp-{{ item }}.zip *.pref *.p12 51 | args: 52 | chdir: /usr/src/dp 53 | -------------------------------------------------------------------------------- /tasks/update-dnf.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Update DNF cache 4 | ansible.builtin.dnf: 5 | update_cache: true 6 | -------------------------------------------------------------------------------- /tasks/update-ulimit.yml: -------------------------------------------------------------------------------- 1 | # code: language=ansible 2 | --- 3 | - name: Increase PAM nofile limit to 32768. 4 | become: true 5 | community.general.pam_limits: 6 | domain: '*' 7 | limit_type: soft 8 | limit_item: nofile 9 | value: '32768' 10 | register: pam_limits_updated 11 | notify: Reload all system config settings. 12 | -------------------------------------------------------------------------------- /templates/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snstac/ansible-takserver/4055bb69652c20f8af5542f73590bff9f358b21f/templates/.gitkeep -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | 3 | -------------------------------------------------------------------------------- /tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | takserver_rpm: SET_takserver_rpm_PLS 3 | takserver_gpg_key: takserver-public-gpg.key 4 | pgsql_repo_rpm: pgdg-redhat-repo-latest.noarch.rpm 5 | --------------------------------------------------------------------------------