├── .config
├── ansible-lint-ignore.txt
└── ansible-lint.yml
├── .github
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ └── feature_request.md
├── dependabot.yml
└── workflows
│ ├── ansible_lint.yml
│ ├── dependency-review.yml
│ └── main.yml
├── .pre-commit-config.yaml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README.md
├── defaults
└── main.yml
├── files
├── .gitkeep
├── CoreConfig.xml
├── DP.pref
├── makeCert.sh
├── makeDP.sh
└── takserver-public-gpg.key
├── handlers
└── main.yml
├── meta
└── main.yml
├── requirements.txt
├── tasks
├── configure-firewall.yml
├── enable-start-takserver.yml
├── install-epel.yml
├── install-postgresql.yml
├── install-takserver.yml
├── main.yml
├── setup-takserver-certs.yml
├── setup-takserver-config.yml
├── setup-takserver-db.yml
├── setup-takserver-users.yml
├── update-dnf.yml
└── update-ulimit.yml
├── templates
└── .gitkeep
├── tests
├── inventory
└── test.yml
└── vars
└── main.yml
/.config/ansible-lint-ignore.txt:
--------------------------------------------------------------------------------
1 | .github/workflows/ansible_lint.yml yaml[truthy]
2 | .github/workflows/dependency-review.yml yaml[line-length]
3 | .github/workflows/dependency-review.yml yaml[truthy]
4 | .github/workflows/main.yml yaml[truthy]
--------------------------------------------------------------------------------
/.config/ansible-lint.yml:
--------------------------------------------------------------------------------
1 | warn_list: # or 'skip_list' to silence them completely
2 | - no-changed-when # Commands should not change things if nothing needs do
3 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: "[BUG]"
5 | labels: bug
6 | assignees: konykon, oyale
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behaviour. Tell us about:
15 | - Python version
16 | - Use of virtual environments
17 | - Any other information of interest.
18 |
19 | **Logs**
20 | ```bash
21 | Properly redacted if needed, please paste here the output of the execution.
22 | ```
23 | **Environment (please complete the following information):**
24 | - OS: [e.g. Arch]
25 | - Shell [e.g. bash, zshi]
26 |
27 | **Additional context**
28 | Add any other context about the problem here.
29 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: "[FEATURE]"
5 | labels: enhancement
6 | assignees: konykon, oyale
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | # To get started with Dependabot version updates, you'll need to specify which
2 | # package ecosystems to update and where the package manifests are located.
3 | # Please see the documentation for all configuration options:
4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
5 |
6 | version: 2
7 | updates:
8 | - package-ecosystem: "pip" # See documentation for possible values
9 | directory: "/" # Location of package manifests
10 | schedule:
11 | interval: "weekly"
12 | - package-ecosystem: "github-actions"
13 | directory: "/.github/workflows"
14 | schedule:
15 | interval: "daily"
16 |
--------------------------------------------------------------------------------
/.github/workflows/ansible_lint.yml:
--------------------------------------------------------------------------------
1 | name: Ansible Lint
2 | on: [push, pull_request]
3 |
4 | jobs:
5 | build:
6 | runs-on: ubuntu-latest
7 |
8 | steps:
9 | - uses: actions/checkout@v4
10 |
11 | - name: Run ansible-lint
12 | uses: ansible-community/ansible-lint-action@main
13 |
--------------------------------------------------------------------------------
/.github/workflows/dependency-review.yml:
--------------------------------------------------------------------------------
1 | # Dependency Review Action
2 | #
3 | # This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
4 | #
5 | # Source repository: https://github.com/actions/dependency-review-action
6 | # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
7 | name: 'Dependency Review'
8 | on: [pull_request]
9 |
10 | permissions:
11 | contents: read
12 |
13 | jobs:
14 | dependency-review:
15 | runs-on: ubuntu-latest
16 | steps:
17 | - name: 'Checkout Repository'
18 | uses: actions/checkout@v4
19 | - name: 'Dependency Review'
20 | uses: actions/dependency-review-action@v3
21 |
--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
1 | name: auto-merge
2 |
3 | on:
4 | pull_request:
5 |
6 | jobs:
7 | auto-merge:
8 | runs-on: ubuntu-latest
9 | permissions: write-all
10 | steps:
11 | - uses: actions/checkout@v4
12 | - uses: ahmadnassri/action-dependabot-auto-merge@v2
13 | with:
14 | target: minor
15 | github-token: ${{ secrets.MERGE_TOKEN }}
16 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | repos:
3 | - repo: https://github.com/ansible-community/ansible-lint
4 | rev: v5.4.0
5 | hooks:
6 | - id: ansible-lint
7 |
8 | - repo: https://github.com/pre-commit/pre-commit-hooks
9 | rev: v3.2.0
10 | hooks:
11 | - id: trailing-whitespace
12 | exclude: /README\.rst$|\.pot?$
13 |
14 | - repo: https://github.com/adrienverge/yamllint
15 | rev: v1.26.3
16 | hooks:
17 | - id: yamllint
18 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Code of Conduct for Our Cooperative Open Source Project
2 |
3 | ## Purpose
4 |
5 | Our open-source software project is committed to fostering a cooperative, solidary, welcoming, and collaborative environment for everyone, irrespective of their background. This Code of Conduct applies to everyone who engages with our project on any level, providing guidance to all participants to maintain a safe, positive, and mutually supportive community.
6 |
7 | ## Values
8 |
9 | 1. **Cooperation:** We believe in the power of working together. We encourage team efforts, collaborations, and the pooling of resources and knowledge. We understand that our collective intelligence surpasses individual capacities.
10 |
11 | 2. **Solidarity:** We stand together and support each other. We believe that the success of one is the success of all, and we're committed to helping each other in times of need.
12 |
13 | ## Expected Behavior
14 |
15 | 1. **Respect:** Treat all community members with kindness and respect. Remember that everyone is contributing their time and expertise to improve the project.
16 | 2. **Patience:** Demonstrate patience and understanding towards others, especially when discussing complex or controversial issues.
17 | 3. **Constructive Criticism:** Provide feedback that is constructive and helpful. This includes being open to receiving such feedback.
18 | 4. **Openness:** All trascendental technical debates should take place in the project's repository issues, ensuring everyone has the chance to contribute to the discussion.
19 | 5. **Inclusivity:** Promote an inclusive and supportive environment. Every contribution is important and should be recognized.
20 | 6. **Transparency:** *If it is not in the repository, it has not happened*, or, in other words, the single source of truth is the repository and its issues. Document everything, including, e.g, writting down discussions that have been held elsewhere.
21 |
22 | ## Unacceptable Behavior
23 |
24 | 1. **Personal Attacks:** Any form of personal attacks, trolling, or insulting/derogatory comments are not tolerated.
25 | 2. **Harassment:** This includes, but is not limited to, harassment based on race, gender, sexual orientation, disability, age, or religion.
26 | 3. **Disruptive Behavior:** Any disruptive behavior that derails technical discussions or demeans others' contributions is unacceptable.
27 | 4. **Public or Private Harassment:** Harassment in any form, either online or offline, is not allowed.
28 | 5. **Other Unethical or Unprofessional Conduct:** Any other conduct which could reasonably be considered inappropriate in a professional setting.
29 |
30 | ## Reporting and Enforcement
31 |
32 | Violations of this Code of Conduct will result in actions aimed at facilitating conflict resolution and repairing any harm caused. These measures will be adapted according to the evolution of the situation and the process. Actions could range from mediation between involved parties to temporary or permanent restrictions from contributing. If you witness or experience any violations, please report them by sending an email to cures@coopdevs.org.
33 |
34 | Our project maintainers will review and investigate all reports, and then take action that is deemed necessary and appropriate based on the progress and nature of the process. We are committed to ensuring that all our community members feel safe and respected, and we appreciate your help in maintaining this environment.
35 |
36 | ---
37 |
38 | This Code of Conduct is a living document, and we are committed to it for the project's health and community. We will continuously review and update it as our community grows and learns.
39 |
40 | We believe in the quality and potential of everyone who contributes to our project. Adhering to this Code of Conduct helps ensure that our community is welcoming, inclusive, cooperative, solidary, and respectful to all. We expect everyone to help make this a place where everyone feels safe and welcomed.
41 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Development setup
2 |
3 | ### Configure python environment
4 |
5 | In order to assure that the files contained here are linted the same way, we are using [`pyenv`](https://github.com/pyenv/pyenv).
6 |
7 | Follow [Installing and using pyenv](https://github.com/coopdevs/handbook/wiki/Installing-and-using-pyenv), or, in short:
8 |
9 | ```sh
10 | pyenv install 3.8.12
11 | pyenv virtualenv 3.8.12 role-name
12 | ```
13 |
14 | ### Configure ansible environment
15 |
16 | You will need Ansible on your machine to run the playbooks, follow the steps below to install it.
17 |
18 | ```sh
19 | pyenv exec pip install -r requirements.txt
20 | ansible-galaxy install -r requirements.yml -f
21 | ```
22 |
23 | ### Install pre-commit hooks
24 |
25 | We use [pre-commit framework](https://pre-commit.com/) to assure quality code.
26 |
27 | ```sh
28 | pre-commit install
29 | ```
30 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright (c) 2020-2024 IQT Labs LLC, All Rights Reserved.
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | ansible-playbook tasks/main.yml -i ../inventory.yaml --vault-password-file=../vault.txt -e '@../secret' --vault-password-file ../vault.txt -l mytakserver
3 |
4 | certbot:
5 | ansible-playbook tasks/certbot.yml -i ../inventory.yaml --vault-password-file=../vault.txt -e '@../secret' --vault-password-file ../vault.txt -l mytakserver
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Using this template
2 |
3 | This template is a starting point for creating a new repository for Ansible roles. You must complete the following steps:
4 |
5 | - [ ] Click on button `Use this template` to create a new repository.
6 | - [ ] Clone it to your computer and follow [CONTRIBUTING.md](CONTRIBUTING.md) instructions to setup the developing enviroment.
7 | - [ ] Update the `README.md` file to describe the role.
8 | - [ ] Update the `meta/main.yml` with proper metadata about the role.
9 | - [ ] Update the `defaults/main.yml` file to set the default values for the role.
10 | - [ ] Update the `tasks/main.yml` file to implement the role.
11 | - [ ] Update the `vars/main.yml` file to set the variables for the role.
12 | - [ ] Add template files to the `templates` directory
13 | - [ ] Add needed files to the `files` directory
14 | - [ ] If needed, define handlers in the `handlers/main.yml` file
15 | - [ ] Delete all unused files
16 |
17 | ## Contents
18 |
19 | This template contains the following items:
20 |
21 | - An Ansible role skeleton generated by `ansible-galaxy init`.
22 | - Pre-filled `CONTRIBUTING.md` with instructions to set-up the development environment.
23 | - Pre-commit configuration to check the code before commiting.
24 | - `requirements.txt` file to include test dependencies.
25 | - Github actions to check the role with `ansible-lint` and `yamllint`.
26 | - Dependabot configuration to keep the dependencies up-to-date.
27 | - A [LICENSE](LICENSE) file.
28 |
29 | ---
30 |
31 | TAK Server
32 | =========
33 |
34 | An Ansible role for deploying & configuring a [TAK Server](https://www.tak.gov/)
35 |
36 | Requirements
37 | ------------
38 |
39 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
40 |
41 | Role Variables
42 | --------------
43 |
44 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
45 |
46 | Dependencies
47 | ------------
48 |
49 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
50 |
51 | Example Playbook
52 | ----------------
53 |
54 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
55 |
56 | ```bash
57 | ansible-playbook tests/test.yml -i tests/inventory --extra-vars '{"var":"value"}'
58 | ```
59 |
60 | License
61 | -------
62 |
63 | Apache License, Version 2.0
64 |
65 | Author Information
66 | ------------------
67 |
68 | SNSTAC
69 |
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # Description: Default variables for the TAK Server role
2 |
3 | takserver_rpm: |
4 | You must specify the TAK Server RPM in the
5 | takserver_rpm variable.
6 |
7 | takserver_epel_repo_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
8 | takserver_epel_repo_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
9 | takserver_epel_repofile_path: "/etc/yum.repos.d/epel.repo"
10 | takserver_epel_repo_disable: false
11 |
12 | takserver_cert_name: "takserver"
13 | takserver_ca_name: "takserver-ca"
14 | takserver_intermediateca_name: "takserver-intermediate-ca"
15 | takserver_ca_state: "California"
16 | takserver_ca_city: "San Francisco"
17 | takserver_ca_org: "TAK Server"
18 | takserver_ca_ou: "TAK Server"
19 | takserver_ca_country: "US"
20 | takserver_ca_email: "info@snstac.com"
21 | takserver_ca_capass: "atakatak"
22 |
23 | takserver_cert_pass: "atakatak"
24 | takserver_cert_keysize: 2048
25 | takserver_cert_days: 3650
26 |
27 | takserver_db_name: "cot"
28 | takserver_db_user: "martiuser"
29 | takserver_db_pass: "atakatak"
30 | takserver_db_host: "localhost"
31 | takserver_db_port: 5432
32 | takserver_db_sslmode: "disable"
33 | takserver_db_sslcert: ""
34 | takserver_db_sslkey: ""
35 | takserver_db_sslrootcert: ""
36 | takserver_db_sslcrl: ""
37 |
38 | takserver_users: ["takadmin", "enroll"]
39 | takserver_user_pass: "-default-X-2025-"
40 | takserver_admins: ["takadmin"]
41 |
--------------------------------------------------------------------------------
/files/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snstac/ansible-takserver/4055bb69652c20f8af5542f73590bff9f358b21f/files/.gitkeep
--------------------------------------------------------------------------------
/files/CoreConfig.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
58 |
59 |
60 |
61 |
62 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
131 |
132 |
133 |
134 |
135 |
136 |
143 |
144 |
145 |
146 |
147 |
148 |
152 |
153 |
154 |
155 |
156 |
157 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
197 |
198 |
199 |
200 |
201 |
--------------------------------------------------------------------------------
/files/DP.pref:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 1
5 | Example TAK Server
6 | true
7 | tak.example.net:8089:ssl
8 | cert/truststore.p12
9 | atakatak
10 | true
11 | false
12 | cert/client.p12
13 | atakatak
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/files/makeCert.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # SNSTAC modified version of TAK Server 5.2's makeCert.sh script.
3 | #
4 | # EDIT cert-metadata.sh before running this script!
5 | # Optionally, you may also edit config.cfg, although unless you know what
6 | # you are doing, you probably shouldn't.
7 |
8 | source cert-metadata.sh
9 |
10 | mkdir -p "$DIR"
11 | cd "$DIR" || exit
12 |
13 | usage() {
14 | echo "Usage: ./makeCert.sh [server|client|ca|dbclient] "
15 | echo " If you do not provide a common name on the command line, you will be prompted for one"
16 | exit 1
17 | }
18 |
19 | if [ ! -e ca.pem ]; then
20 | echo "ca.pem does not exist! Please make a CA before trying to make server certficiates"
21 | exit 1
22 | fi
23 |
24 | if [ "$1" ]; then
25 | if [ "$1" == "server" ]; then
26 | EXT=server
27 | elif [ "$1" == "client" ]; then
28 | EXT=client
29 | elif [ "$1" == "ca" ]; then
30 | EXT=v3_ca
31 | elif [ "$1" == "dbclient" ]; then
32 | EXT=client
33 | else
34 | usage
35 | fi
36 | else
37 | usage
38 | fi
39 |
40 |
41 | if [ "$2" ]; then
42 | SNAME=$2
43 | else
44 | if [ "$1" == "dbclient" ]; then
45 | echo "Use default name martiuser for database client certificate"
46 | SNAME=martiuser
47 | else
48 | echo "Please give the common name for your certificate (no spaces). It should be unique. If you don't enter anything, or try something under 5 characters, I will make one for you"
49 | read -r SNAME
50 | canamelen=${#SNAME}
51 | if [[ "$canamelen" -lt 5 ]]; then
52 | SNAME=$(date +%N)
53 | fi
54 | fi
55 | fi
56 |
57 | if [ "$1" == "server" ]; then
58 | if [[ $SNAME =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
59 | ALTNAMEFIELD="IP.1"
60 | else
61 | ALTNAMEFIELD="DNS.1"
62 | fi
63 |
64 | cp ../config.cfg config-"$SNAME".cfg
65 | echo "
66 | subjectAltName = @alt_names
67 |
68 | [alt_names]
69 | $ALTNAMEFIELD = $SNAME
70 | " >> config-"$SNAME".cfg
71 | CONFIG=config-$SNAME.cfg
72 | else
73 | CONFIG=../config.cfg
74 | fi
75 |
76 | CRYPTO_SETTINGS=""
77 | FIPS_SETTINGS=""
78 |
79 | openssl list -providers 2>&1 | grep "\(invalid command\|unknown option\)" >/dev/null
80 | if [ $? -ne 0 ] ; then
81 | echo "Using legacy provider"
82 | CRYPTO_SETTINGS="-legacy"
83 | fi
84 |
85 | fips=false
86 | for var in "$@"
87 | do
88 | echo "$var"
89 | if [ "$var" == "-fips" ] || [ "$var" == "--fips" ];then
90 | fips=true
91 | FIPS_SETTINGS='-macalg SHA256 -aes256 -descert -keypbe AES-256-CBC -certpbe AES-256-CBC'
92 | fi
93 | done
94 |
95 | SUBJ=$SUBJBASE"CN=$SNAME"
96 | echo "Making a $1 cert for " "$SUBJ"
97 | if [[ "$1" == "ca" ]]; then
98 | # Have to use the password {CAPASS} instead of {PASS} since the original CA can be replaced by this new CA at the end
99 | openssl req -new -newkey rsa:2048 -sha256 -keyout "${SNAME}".key -passout pass:"${CAPASS}" -out "${SNAME}".csr -subj "$SUBJ"
100 | else
101 | openssl req -new -newkey rsa:2048 -sha256 -keyout "${SNAME}".key -passout pass:"${PASS}" -out "${SNAME}".csr -subj "$SUBJ"
102 | fi
103 | openssl x509 -sha256 -req -days 730 -in "${SNAME}".csr -CA ca.pem -CAkey ca-do-not-share.key -out "${SNAME}".pem -set_serial 0x"$(openssl rand -hex 8)" -passin pass:"${CAPASS}" -extensions $EXT -extfile "$CONFIG"
104 |
105 | if [[ "$1" == "ca" ]]; then
106 | openssl x509 -in "${SNAME}".pem -addtrust clientAuth -addtrust serverAuth -setalias "${SNAME}" -out "${SNAME}"-trusted.pem
107 | fi
108 |
109 | # Convert the database client private key to PKCS#8 format to use in TAK Server configuration file
110 | if [[ "$1" == "dbclient" ]]; then
111 | openssl pkcs8 -topk8 -outform DER -in "${SNAME}".key -passin pass:"$PASS" -out "${SNAME}".key.pk8 -nocrypt
112 | fi
113 |
114 | # now add the chain
115 | cat ca.pem >> "${SNAME}".pem
116 | cat ca-trusted.pem >> "${SNAME}"-trusted.pem
117 |
118 | # now make pkcs12 and jks keystore files
119 | if [[ "$1" == "server" || "$1" == "client" || "$1" == "dbclient" ]]; then
120 | openssl pkcs12 ${CRYPTO_SETTINGS} ${FIPS_SETTINGS} -export -in "${SNAME}".pem -inkey "${SNAME}".key -out "${SNAME}".p12 -name "${SNAME}" -CAfile ca.pem -passin pass:"${PASS}" -passout pass:"${PASS}"
121 | keytool -importkeystore -deststorepass "${PASS}" -destkeypass "${PASS}" -destkeystore "${SNAME}".jks -srckeystore "${SNAME}".p12 -srcstoretype PKCS12 -srcstorepass "${PASS}" -alias "${SNAME}"
122 | else # a CA
123 | if [ "$fips" = true ];then
124 | openssl pkcs12 ${CRYPTO_SETTINGS} -export -in "${SNAME}"-trusted.pem -out truststore-"${SNAME}"-legacy.p12 -nokeys -passout pass:"${CAPASS}"
125 | fi
126 | openssl pkcs12 ${CRYPTO_SETTINGS} "${FIPS_SETTINGS}" -export -in "${SNAME}"-trusted.pem -out truststore-"${SNAME}".p12 -nokeys -passout pass:"${CAPASS}"
127 | keytool -import -trustcacerts -file "${SNAME}".pem -keystore truststore-"${SNAME}".jks -storepass "${CAPASS}" -noprompt
128 |
129 | # include a CA signing keystore; NOT FOR DISTRIBUTION TO CLIENTS
130 | openssl pkcs12 "${CRYPTO_SETTINGS}" "${FIPS_SETTINGS}" -export -in "${SNAME}".pem -inkey "${SNAME}".key -out "${SNAME}"-signing.p12 -name "${SNAME}" -passin pass:"${CAPASS}" -passout pass:"${CAPASS}"
131 | keytool -importkeystore -deststorepass "${CAPASS}" -destkeypass "${CAPASS}" -destkeystore "${SNAME}"-signing.jks -srckeystore "${SNAME}"-signing.p12 -srcstoretype PKCS12 -srcstorepass "${CAPASS}" -alias "${SNAME}"
132 |
133 | ## create empty crl
134 | openssl ca -config ../config.cfg -gencrl -keyfile "${SNAME}".key -key "${CAPASS}" -cert "${SNAME}".pem -out "${SNAME}".crl
135 |
136 | # echo "Do you want me to move files around so that future server and client certificates are signed by this new CA? [y/n]"
137 | # read MVREQ
138 | # if [[ "$MVREQ" == "y" || "$MVREQ" == "Y" ]]; then
139 | cp "$SNAME".pem ca.pem
140 | cp "$SNAME".key ca-do-not-share.key
141 | cp "$SNAME"-trusted.pem ca-trusted.pem
142 | # else
143 | # echo "Ok, not overwriting existing keys. To manually change the CA later, execute these commands from the 'files' directory:"
144 | # echo " cp $SNAME.pem ca.pem"
145 | # echo " cp $SNAME.key ca-do-not-share.key"
146 | # echo " cp $SNAME-trusted.pem ca-trusted.pem"
147 | # fi
148 |
149 | fi
150 |
151 | chmod og-rwx "${SNAME}".key
152 |
153 |
--------------------------------------------------------------------------------
/files/makeDP.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | DP_NAME=dp-takserver.zip
4 |
5 | rm -f ${ZIP_NAME}
6 | zip -r ${ZIP_NAME} *.pref cert *.xml
7 |
--------------------------------------------------------------------------------
/files/takserver-public-gpg.key:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
2 |
3 | mQGNBGAwFLcBDADAeSns0R5l4dJpsHy7N0ZXjA8vm6MBrmRR6Fym+UNY0+wUwNwJ
4 | Y41fRwstBQ2ZhzNYQDI1bwjUoVbDi4w2Db+BjutglpVmTt7sEHnhP+U/SfSXT1LW
5 | 3zx8qGJa0UCx+ktxokCM78qtiB0K5NBDw8QJfMep1r0GNE/t/wpnWmOBOw2BHdVE
6 | 8NJyyW37HB+Zi8ASswYMK31JebvBTU078a7sf97QQtxMa2afwuEX2iwhQhz3nEeZ
7 | O11hSa6Yrbq1wQzI6JTAPhQKcbcocjJyzv/nsJzhXMRMoFnruZHsXn5PtGlWy+EC
8 | 6MZbygyY64fH0xB3ruzyCyKj5EidcA5OrxBd1albeRfq3Uu1XLLlZoeTTkePpUlb
9 | K/GsBYwLRb7uYleCNn5FQfyB84vsQibLcxDpWIwUu5jmbvTFTvmETXZaZw7wUdiI
10 | gRNRL+dbByPHbtdtEXPKUrDOEaKER7gZmD+GmgXUTwL3pen2H81hvmFtU3FMqWNo
11 | P8Nmy1Clmk+tKKkAEQEAAbQ3VEFLIFByb2R1Y3QgQ2VudGVyIFRBSyBTZXJ2ZXIg
12 | UmVsZWFzZSA8c3VwcG9ydEB0YWsuZ292PokBzgQTAQgAOBYhBHHAM0Xzk9vQ4Drr
13 | K/BiN5NoUfW1BQJgMBS3AhsvBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPBi
14 | N5NoUfW1cO0L/R9cYeDa8vdhFGKU9vgBmi8h8zRkZMXyRK4Avt5tMyfftbZfkE+R
15 | lWMxf4U6bO1TSZw9BhWxtWKxVMB+B7YeZ7ua2n5y0cdofcIh13MvA0JIkW4yUqFH
16 | hnoGyQNpyiio8pmlzElmw4bngrX0tq/l4F5x9y/bvJ2lrIjv9SjTWClj03RDcbUY
17 | qBStbKBuxQIF5FCaSyp4WKd00Qx1rmE3Pea/SArcqXzKGCoovL8/zd1y5xvWHah7
18 | I/X+AqRWcvnaEnKqBJ1J9sWot79fV1lHQsx5GLjPcg5AkDaVvi2zCvs+Ppa442uF
19 | A2Q3oGxGypMs4RnGb7isre928okIdqQCsosHT6601AdtuvGTcG6zzMbhf0DajnFV
20 | zmrLeAWTJXBOdQoR27wjRSeMihGpZpytP/athCkcLRMXc74xuxWFYWZ76QmekxyV
21 | Z4mle/EyVr3yg1+XU2q7QyG0BpYCrdkBKutO4hJihZreDq8udLtzCrkyKJTCxe0g
22 | xA09pVPS+bAzGA==
23 | =Heiq
24 | -----END PGP PUBLIC KEY BLOCK-----
25 |
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ansible-role-takserver
3 |
4 | - name: Restart takserver.
5 | ansible.builtin.systemd:
6 | name: takserver
7 | state: restarted
8 |
9 | - name: Reload all system config settings.
10 | become: true
11 | ansible.posix.sysctl:
12 | name: net.ipv4.ip_forward
13 | reload: true
14 |
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | galaxy_info:
3 | role_name: ansible_role
4 | namespace: coopdevs
5 | author: Coopdevs
6 | description: An Ansible role to <>
7 | license: GPL-3.0-only
8 | min_ansible_version: "2.1"
9 |
10 | platforms:
11 | - name: Ubuntu
12 | versions:
13 | - all
14 |
15 | galaxy_tags: []
16 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | ansible==9.1.0
2 | ansible-lint==6.22.1
3 | yamllint==1.33.0
4 | pre-commit==3.6.0
5 |
--------------------------------------------------------------------------------
/tasks/configure-firewall.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 |
3 | - name: Permanently enable 8089, also enable it immediately if possible.
4 | ansible.posix.firewalld:
5 | port: 8089/tcp
6 | state: enabled
7 | permanent: true
8 | immediate: true
9 | offline: true
10 | tags: takserver
11 | when: ansible_os_family == "RedHat"
12 |
13 | - name: Permanently enable 8446, also enable it immediately if possible.
14 | ansible.posix.firewalld:
15 | port: 8446/tcp
16 | state: enabled
17 | permanent: true
18 | immediate: true
19 | offline: true
20 | tags: takserver
21 | when: ansible_os_family == "RedHat"
22 |
--------------------------------------------------------------------------------
/tasks/enable-start-takserver.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Force systemd to re-read configs.
4 | become: true
5 | ansible.builtin.systemd:
6 | daemon_reload: true
7 |
8 | - name: Start TAK Server service.
9 | ansible.builtin.systemd:
10 | name: takserver
11 | enabled: true
12 | state: started
13 |
--------------------------------------------------------------------------------
/tasks/install-epel.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Check if EPEL repo is already configured.
4 | ansible.builtin.stat:
5 | path: "{{ takserver_epel_repofile_path }}"
6 | register: epel_repofile_result
7 |
8 | - name: Import EPEL GPG key.
9 | ansible.builtin.rpm_key:
10 | key: "{{ takserver_epel_repo_gpg_key_url }}"
11 | state: present
12 | register: result
13 | until: result is succeeded
14 | retries: 5
15 | delay: 10
16 | when: not epel_repofile_result.stat.exists
17 | ignore_errors: "{{ ansible_check_mode }}"
18 |
19 | - name: Install EPEL repo.
20 | ansible.builtin.dnf:
21 | name: "{{ takserver_epel_repo_url }}"
22 | state: present
23 | register: result
24 | until: result is succeeded
25 | retries: 5
26 | delay: 10
27 | when: not epel_repofile_result.stat.exists
28 |
29 | - name: Disable Main EPEL repo.
30 | community.general.ini_file:
31 | path: "/etc/yum.repos.d/epel.repo"
32 | section: epel
33 | option: enabled
34 | value: "{{ takserver_epel_repo_disable | ternary(0, 1) }}"
35 | no_extra_spaces: true
36 | mode: "0644"
37 |
--------------------------------------------------------------------------------
/tasks/install-postgresql.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Install PostgreSQL repo RPM (RHEL 8).
4 | ansible.builtin.dnf:
5 | name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
6 | state: present
7 | disable_gpg_check: true
8 | when: ansible_distribution_major_version == "8" and ansible_distribution == "RedHat"
9 | register: pgsql_repo_rpm_installed
10 |
11 | - name: Install PostgreSQL repo RPM (RHEL 9).
12 | ansible.builtin.dnf:
13 | name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
14 | state: present
15 | disable_gpg_check: true
16 | when: ansible_distribution_major_version == "9"
17 | register: pgsql_repo_rpm_installed
18 |
19 | - name: Disable default PostgreSQL DNF module.
20 | community.general.ini_file:
21 | path: /etc/dnf/modules.d/postgresql.module
22 | section: postgresql
23 | option: state
24 | value: disabled
25 | no_extra_spaces: true
26 | mode: "0644"
27 | owner: root
28 | group: root
29 | register: postgresql_dnf_module_disabled
30 |
31 | - name: Update DNF cache.
32 | tags: always
33 | ansible.builtin.dnf:
34 | update_cache: true
35 |
36 | - name: Install DNF Plugins.
37 | ansible.builtin.dnf:
38 | name:
39 | - dnf-plugins-core
40 | - epel-release
41 | state: present
42 | when: ansible_distribution == "Rocky"
43 |
44 | # "crb", fka "powertools": https://developers.redhat.com/blog/2018/11/15/introducing-codeready-linux-builder
45 | - name: Enable crb repository
46 | ansible.builtin.command: dnf config-manager --set-enabled crb
47 | when: ansible_distribution == "Rocky"
48 | changed_when: false
49 |
50 | - name: Update DNF cache.
51 | tags: always
52 | ansible.builtin.dnf:
53 | update_cache: true
54 |
--------------------------------------------------------------------------------
/tasks/install-takserver.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Install Java 17 OpenJDK.
4 | ansible.builtin.dnf:
5 | name: java-17-openjdk-devel
6 | state: present
7 |
8 | - name: Copy TAK Server RPM to remote host.
9 | ansible.builtin.copy:
10 | src: "{{ takserver_rpm }}"
11 | dest: "/usr/src/{{ takserver_rpm }}"
12 | mode: "0644"
13 | owner: root
14 | group: root
15 |
16 | - name: Copy TAK Server GPG key to remote host.
17 | ansible.builtin.copy:
18 | src: "{{ takserver_gpg_key }}"
19 | dest: "/usr/src/{{ takserver_gpg_key }}"
20 | mode: "0644"
21 | owner: root
22 | group: root
23 |
24 | - name: Import TAK Server GPG key.
25 | ansible.builtin.rpm_key:
26 | state: present
27 | key: "/usr/src/{{ takserver_gpg_key }}"
28 |
29 | - name: Install TAK Server from RPM.
30 | ansible.builtin.dnf:
31 | name: "/usr/src/{{ takserver_rpm }}"
32 | state: present
33 |
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | #
3 | # This file is the main entry point for the TAK Server role.
4 | # It includes all the other tasks that are needed to install and configure the TAK Server.
5 | #
6 |
7 | - name: Install TAK Server.
8 | tags: takserver
9 | ansible.builtin.include_tasks: "{{ item }}"
10 | loop:
11 | - update-ulimit.yml
12 | - update-dnf.yml
13 | - install-epel.yml
14 | - update-dnf.yml
15 | - install-postgresql.yml
16 | - install-takserver.yml
17 | - setup-takserver-config.yml
18 | - setup-takserver-db.yml
19 | - enable-start-takserver.yml
20 | - setup-takserver-certs.yml
21 | - setup-takserver-users.yml
22 | - configure-firewall.yml
23 | when: ansible_os_family == "RedHat"
24 | # TODO: Add support for Debian based systems.
25 |
26 |
--------------------------------------------------------------------------------
/tasks/setup-takserver-certs.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | - name: Replace values in the TAK Server cert metadata.
3 | ansible.builtin.replace:
4 | path: /opt/tak/certs/cert-metadata.sh
5 | regexp: '^({{ item.key }}=).*'
6 | replace: '\1"{{ item.value }}"'
7 | loop:
8 | - { key: 'STATE', value: '{{ takserver_ca_state | default("default_takserver_ca_state") }}' }
9 | - { key: 'CITY', value: '{{ takserver_ca_city | default("default_takserver_ca_city") }}' }
10 | - { key: 'ORGANIZATION', value: '{{ takserver_ca_org | default("default_takserver_ca_org") }}' }
11 | - { key: 'ORGANIZATIONAL_UNIT', value: '{{ takserver_ca_ou | default("default_takserver_ca_ou") }}' }
12 | - { key: 'CAPASS', value: '{{ takserver_ca_capass | default("default_takserver_ca_capass") }}' }
13 | - { key: 'PASS', value: '{{ takserver_cert_pass | default("default_takserver_cert_pass") }}' }
14 |
15 | - name: Generate TAK Server CA.
16 | ansible.builtin.command: /opt/tak/certs/makeRootCa.sh --ca-name {{ takserver_ca_name | default('default_takserver_ca_name') }}
17 | args:
18 | chdir: /opt/tak/certs
19 | creates: /opt/tak/certs/files/ca.pem
20 |
21 | - name: Copy makeCert-sns.sh to /opt/tak/certs.
22 | ansible.builtin.copy:
23 | src: "makeCert.sh"
24 | dest: /opt/tak/certs/makeCert-sns.sh
25 | mode: '0755'
26 |
27 | - name: Generate TAK Server Intermediate CA.
28 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh ca {{ takserver_intermediateca_name | default('default_takserver_intermediateca_name') }}
29 | args:
30 | chdir: /opt/tak/certs
31 | creates: /opt/tak/certs/files/{{ takserver_intermediateca_name | default('default_takserver_intermediateca_name') }}.pem
32 |
33 | - name: Generate TAK Server TLS certificate.
34 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh server {{ takserver_cert_name | default('default_takserver_cert_name') }}
35 | args:
36 | chdir: /opt/tak/certs
37 | creates: /opt/tak/certs/files/{{ takserver_cert_name | default('default_takserver_cert_name') }}.jks
38 |
--------------------------------------------------------------------------------
/tasks/setup-takserver-config.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Install lxml Python module.
4 | ansible.builtin.dnf:
5 | name: python3-lxml
6 | state: present
7 |
8 | - name: Check if CoreConfig.xml exists.
9 | ansible.builtin.stat:
10 | path: /opt/tak/CoreConfig.xml
11 | register: coreconfig_stat
12 |
13 | - name: Copy TAK Server CoreConfig.xml to /opt/tak if it does not exist.
14 | ansible.builtin.copy:
15 | src: "CoreConfig.xml"
16 | dest: /opt/tak/CoreConfig.xml
17 | mode: '0644'
18 | owner: tak
19 | group: tak
20 | when: not coreconfig_stat.stat.exists
21 |
22 | - name: Update TAK Server CoreConfig.xml with database pass.
23 | community.general.xml:
24 | path: /opt/tak/CoreConfig.xml
25 | xpath: /a:Configuration/a:repository/a:connection
26 | value: "{{ takserver_db_pass }}"
27 | attribute: password
28 | namespaces:
29 | a: http://bbn.com/marti/xml/config
30 | b: http://www.w3.org/2001/XMLSchema-instance
31 | c: file:///opt/tak/CoreConfig.xsd
32 | notify: Restart takserver.
33 |
34 | - name: Update TAK Server CoreConfig.xml with database user.
35 | community.general.xml:
36 | path: /opt/tak/CoreConfig.xml
37 | xpath: /a:Configuration/a:repository/a:connection
38 | value: "{{ takserver_db_user }}"
39 | attribute: username
40 | namespaces:
41 | a: http://bbn.com/marti/xml/config
42 | b: http://www.w3.org/2001/XMLSchema-instance
43 | c: file:///opt/tak/CoreConfig.xsd
44 | notify: Restart takserver.
45 |
46 | - name: Update TAK Server CoreConfig.xml with TLS keystoreFile.
47 | community.general.xml:
48 | path: /opt/tak/CoreConfig.xml
49 | xpath: /a:Configuration/a:security/a:tls
50 | value: /opt/tak/certs/files/{{ takserver_cert_name | default('default_takserver_cert_name') }}.jks
51 | attribute: keystoreFile
52 | namespaces:
53 | a: http://bbn.com/marti/xml/config
54 | b: http://www.w3.org/2001/XMLSchema-instance
55 | c: file:///opt/tak/CoreConfig.xsd
56 | notify: Restart takserver.
57 |
58 | - name: Update TAK Server CoreConfig.xml with TLS keystorePass.
59 | community.general.xml:
60 | path: /opt/tak/CoreConfig.xml
61 | xpath: /a:Configuration/a:security/a:tls
62 | value: '{{ takserver_cert_pass | default("default_takserver_cert_pass") }}'
63 | attribute: keystorePass
64 | namespaces:
65 | a: http://bbn.com/marti/xml/config
66 | b: http://www.w3.org/2001/XMLSchema-instance
67 | c: file:///opt/tak/CoreConfig.xsd
68 |
69 | - name: Update TAK Server CoreConfig.xml with TLS truststorePass.
70 | community.general.xml:
71 | path: /opt/tak/CoreConfig.xml
72 | xpath: /a:Configuration/a:security/a:tls
73 | value: '{{ takserver_ca_capass | default("default_takserver_ca_capass") }}'
74 | attribute: truststorePass
75 | namespaces:
76 | a: http://bbn.com/marti/xml/config
77 | b: http://www.w3.org/2001/XMLSchema-instance
78 | c: file:///opt/tak/CoreConfig.xsd
79 |
80 | - name: Flush handlers.
81 | meta: flush_handlers
82 |
--------------------------------------------------------------------------------
/tasks/setup-takserver-db.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Install psycopg2 Python module.
4 | ansible.builtin.dnf:
5 | name: python3-psycopg2
6 | state: present
7 |
8 | - name: Setup TAK PostgreSQL Database.
9 | ansible.builtin.command: /opt/tak/db-utils/takserver-setup-db.sh
10 | args:
11 | creates: /var/lib/pgsql/10/data/PG_VERSION
12 |
13 | - name: Set PostgreSQL password for TAK Server.
14 | become: true
15 | community.postgresql.postgresql_user:
16 | name: "{{ takserver_db_user }}"
17 | password: "{{ takserver_db_pass }}"
18 | become_user: postgres
19 |
--------------------------------------------------------------------------------
/tasks/setup-takserver-users.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Create TAK Server user TLS certificates.
4 | with_items: "{{ takserver_users }}"
5 | ansible.builtin.command: /opt/tak/certs/makeCert-sns.sh client {{ item }}
6 | args:
7 | chdir: /opt/tak/certs
8 | creates: /opt/tak/certs/files/{{ item }}.pem
9 |
10 | - name: Create TAK Server user account.
11 | with_items: "{{ takserver_users }}"
12 | ansible.builtin.command: java -jar /opt/tak/utils/UserManager.jar usermod -p {{ takserver_user_pass }} {{ item }}
13 | args:
14 | chdir: /opt/tak/certs
15 |
16 | - name: Create TAK Server user-cert association.
17 | with_items: "{{ takserver_users }}"
18 | ansible.builtin.command: java -jar /opt/tak/utils/UserManager.jar certmod /opt/tak/certs/files/{{ item }}.pem
19 | args:
20 | chdir: /opt/tak/certs
21 |
22 | - name: Create TAK Server admins.
23 | with_items: "{{ takserver_admins }}"
24 | ansible.builtin.shell: |
25 | java -jar /opt/tak/utils/UserManager.jar usermod -A {{ item }}
26 | args:
27 | chdir: /opt/tak/certs
28 |
29 | - name: Create /usr/src/dp directory.
30 | ansible.builtin.file:
31 | path: /usr/src/dp
32 | state: directory
33 | mode: "0755"
34 |
35 | - name: Copy DP.pref to /usr/src/dp.
36 | ansible.builtin.copy:
37 | src: "DP.pref"
38 | dest: /usr/src/dp/dp.pref
39 | mode: "0644"
40 |
41 | - name: Create Data Packages for users.
42 | with_items: "{{ takserver_users }}"
43 | ansible.builtin.shell: |
44 | rm -f /usr/src/dp/DP-{{ item }}.zip
45 | mkdir -p /usr/src/dp/{{ item }}
46 | cp /opt/tak/certs/files/truststore-takserver-intermediate-ca.p12 /usr/src/dp/{{ item }}/truststore.p12
47 | cp /opt/tak/certs/files/{{ item }}.p12 /usr/src/dp/{{ item }}/user.p12
48 | cp /usr/src/dp/DP.pref /usr/src/dp/{{ item }}/dp.pref
49 | cd /usr/src/dp/{{ item }}
50 | zip -r ../dp-{{ item }}.zip *.pref *.p12
51 | args:
52 | chdir: /usr/src/dp
53 |
--------------------------------------------------------------------------------
/tasks/update-dnf.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Update DNF cache
4 | ansible.builtin.dnf:
5 | update_cache: true
6 |
--------------------------------------------------------------------------------
/tasks/update-ulimit.yml:
--------------------------------------------------------------------------------
1 | # code: language=ansible
2 | ---
3 | - name: Increase PAM nofile limit to 32768.
4 | become: true
5 | community.general.pam_limits:
6 | domain: '*'
7 | limit_type: soft
8 | limit_item: nofile
9 | value: '32768'
10 | register: pam_limits_updated
11 | notify: Reload all system config settings.
12 |
--------------------------------------------------------------------------------
/templates/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snstac/ansible-takserver/4055bb69652c20f8af5542f73590bff9f358b21f/templates/.gitkeep
--------------------------------------------------------------------------------
/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | takserver_rpm: SET_takserver_rpm_PLS
3 | takserver_gpg_key: takserver-public-gpg.key
4 | pgsql_repo_rpm: pgdg-redhat-repo-latest.noarch.rpm
5 |
--------------------------------------------------------------------------------