linux_faq:ansible_with_semaphore_ui [2019/02/11 09:13] – external edit 127.0.0.1 | linux_faq:ansible_with_semaphore_ui [2019/11/18 07:23] (current) – admin | ||
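--- a/linux_faq:ansible_with_semaphore_ui
+++ b/linux_faq:ansible_with_semaphore_ui
+Для своего времени **Semaphore** был неплох. \\
+Однако,
+По сути **Semaphore** - бледное подобие **Ansible Tower**. \\
+\\
+====== Установка Semaphore на Ubuntu/
+[[https://
+sudo apt-get update && sudo apt-get -y upgrade
+sudo apt-get install -y software-properties-common
+sudo apt-add-repository -y universe
+sudo add-apt-repository -y ppa:
+sudo apt-get install -y git ansible mysql-server nginx
+wget https://
+sudo dpkg -i ./
+Создаем базу данных:
+<
+
+mysql> CREATE DATABASE semaphore;
+Query OK, 1 row affected (0.04 sec)
+
+mysql> CREATE USER '
+Query OK, 0 rows affected (0.06 sec)
+
+mysql> GRANT ALL PRIVILEGES ON semaphore.* TO '
+Query OK, 0 rows affected (0.01 sec)
+
+mysql> FLUSH PRIVILEGES;
+Query OK, 0 rows affected (0.03 sec)
+
+mysql> exit
+</
+Создаем файл конфигурации:
+sudo semaphore -setup
+При первичной настройке не стоит включать **LDAP**-аутентификацию,
+Включить **LDAP** можно и в дальнейшем,
+
+====== Semaphore AD Authentication ======
+
+Для аутентификации пользователей из AD нужно включить LDAP. Эта часть конфига должна выглядеть так:
+<
+"
+"
+"
+"
+"
+"
+"
+"
+"
+"
+},
+"
+"
+</
+С начала я пытался сконфигурировать параметр **"
+time="
+в таком случае,
+Также, вместо **uid** нужно использовать **sAMAccountName**. В противном случае можно увидеть такую ошибку:
+time="
+====== Запуск semaphore в виде сервиса ======
+Копируем конфиг **semaphore** в **/
+cp ./
+И конфигурируем сервис:
+**/
+<
+[Unit]
+Description=Ansible Semaphore
+After=syslog.service
+Before=nginx.service
+Requires=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/
+ExecStart=/
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
+</
+\\
+**/
+<
+#Ansible Semaphore Defaults
+
+SEMAPHORE_CONFIG=/
+SEMAPHORE_LOGS=/
+</
+
+Включаем и запускаем сервис:
+systemctl enable semaphore.service
+service semaphore start
+
+====== SSL посредством nginx ======
+** /
+<
+user www-data;
+worker_processes auto;
+pid /
+include /
+
+events {
+worker_connections 1024;
+use epoll;
+multi_accept on;
+}
+
+http {
+tcp_nodelay on;
+keepalive_timeout 600;
+types_hash_max_size 2048;
+
+access_log /
+error_log /
+
+gzip on;
+
+include /
+include /
+}
+</
+\\
+\\
+**/
+<
+server {
+listen 80;
+root /var/www/;
+
+#Enable access to acme files
+location ~ /
+allow all;
+access_log off;
+log_not_found off;
+}
+
+
+}
+
+upstream semaphore {
+server 127.0.0.1:
+}
+
+server {
+listen 443 ssl http2;
+server_name
+
+# add Strict-Transport-Security to prevent man in the middle attacks
+add_header Strict-Transport-Security "
+
+# SSL
+ssl_certificate /
+ssl_certificate_key /
+
+# Recommendations from https://
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers '
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:
+
+# disable any limits to avoid HTTP 413 for large image uploads
+client_max_body_size 0;
+
+# required to avoid HTTP 411: see Issue #1486 (https://
+chunked_transfer_encoding on;
+
+location / {
+proxy_pass http://
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_buffering off;
+proxy_request_buffering off;
+}
+
+location /api/ws {
+proxy_pass http://
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "
+proxy_set_header Origin "";
+}
+}
+</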
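Review bot: The 443 server block in the nginx listing still offers TLS 1.1 through `ssl_protocols TLSv1.1 TLSv1.2;`. TLS 1.1 is deprecated (RFC 8996), so the line should read `ssl_protocols TLSv1.2 TLSv1.3;` where the nginx/OpenSSL build supports TLS 1.3, and `ssl_protocols TLSv1.2;` otherwise. In the same block, `location /api/ws` sets `proxy_set_header Origin "";`, which blanks the Origin header before the WebSocket upgrade reaches Semaphore. The backend then cannot apply an origin check to those connections, so the page should either forward the header unchanged or say why it is cleared. `client_max_body_size 0;` removes the request-size limit, and its comment about image uploads looks carried over from another setup, so a finite value with a comment that matches this service would be safer.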