add role for »Apache Tomcat«

agebhar1 · Dec 14, 2023 · 22d258a · 22d258a
1 parent 328ba11
commit 22d258a
Show file tree

Hide file tree

Showing 8 changed files with 153 additions and 4 deletions.
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -1,7 +1,4 @@
 ---
-java_version: zulu21.30.15-ca-jre21.0.1
-java_checksum: sha256:1c7458a7ff567ca9f0afa063f5ced03331e13eadea3a08b6e44e3410cf7a6eae
-
 nginx_version: 1.24.0
 nginx_checksum: sha256:77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d
 
@@ -13,3 +10,10 @@ modsecurity_nginx_checksum: sha256:ae811c7208ac029cb7a99d6f63e03d397179760751718
 
 owasp_modsecurity_crs_version: 3.3.5
 owasp_modsecurity_crs_checksum: sha256:6e311e9b5c07741392a6983075101915988127d385fa786e36d83018ea0a401b
+
+tomcat_version: 10.1.17
+tomcat_checksum: sha512:ff9670f9cd49a604e47edfbcfb5855fe59342048c3278ea8736276b51327adf2d076973f3ad1b8aa7870ef26c28cf7111527be810b445c9927f2a457795f5cb6
+tomcat_java_version: zulu21.30.15-ca-jre21.0.1
+tomcat_java_checksum: sha256:1c7458a7ff567ca9f0afa063f5ced03331e13eadea3a08b6e44e3410cf7a6eae
+# tomcat_java_version: zulu17.46.19-ca-jre17.0.9
+# tomcat_java_checksum: sha256:dc61907942e16c2a4a7895b57264d1ec71be6d1ce02289fd78e6707d78ead5e5
diff --git a/roles/tomcat/defaults/main.yml b/roles/tomcat/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+tomcat_version: null
+tomcat_checksum: null
+tomcat_java_version: null
+tomcat_java_checksum: null
+
+tomcat_user: "{{ ansible_user }}"
+tomcat_user_home: "{{ ansible_user_dir }}"
+tomcat_src_directory: "{{ tomcat_user_home }}/src"
diff --git a/roles/tomcat/handlers/main.yml b/roles/tomcat/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Reload Apache Tomcat user service
+  listen: tomcat changed
+  ansible.builtin.systemd:
+    name: tomcat
+    daemon_reload: true
+    enabled: true
+    scope: user
+    state: restarted
diff --git a/roles/tomcat/meta/main.yml b/roles/tomcat/meta/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: java
+    vars:
+      java_version: "{{ tomcat_java_version }}"
+      java_checksum: "{{ tomcat_java_checksum }}"
diff --git a/roles/tomcat/tasks/main.yml b/roles/tomcat/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: Ensure required directories are present.
+  ansible.builtin.file:
+    dest: "{{ item.dest }}"
+    state: directory
+    mode: "0700"
+  loop:
+    - { dest: "{{ tomcat_src_directory }}/download" }
+    - { dest: "{{ tomcat_user_home }}/.config/systemd/user" }
+    - { dest: "{{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}" }
+
+- name: Ensure binary archive is present.
+  ansible.builtin.get_url:
+    url: https://dlcdn.apache.org/tomcat/tomcat-{{ tomcat_version_major }}/v{{ tomcat_version }}/bin/apache-tomcat-{{ tomcat_version }}.tar.gz
+    dest: "{{ tomcat_src_directory }}/download/apache-tomcat-{{ tomcat_version }}.tar.gz"
+    checksum: "{{ tomcat_checksum }}"
+    mode: "0600"
+
+- name: Ensure binary archive is extracted.
+  ansible.builtin.unarchive:
+    src: "{{ tomcat_src_directory }}/download/apache-tomcat-{{ tomcat_version }}.tar.gz"
+    dest: "{{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}"
+    creates: "{{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/RELEASE-NOTES"
+    remote_src: true
+    extra_opts:
+      - --strip-components=1
+      - --exclude=bin/*.bat
+      - --exclude=conf/server.xml
+      - --exclude=conf/tomcat-users.*
+      - --exclude=webapps/*
+    mode: u=rwX,g=,o=
+
+- name: Ensure Tomcat server configuration is present.
+  ansible.builtin.template:
+    src: server.xml.j2
+    dest: "{{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/conf/server.xml"
+    mode: "0600"
+  notify: tomcat changed
+
+- name: Ensure systemd user service file.
+  ansible.builtin.template:
+    src: tomcat.service.j2
+    dest: "{{ tomcat_user_home }}/.config/systemd/user/tomcat.service"
+    mode: "0600"
+  notify: tomcat changed
+
+- name: Check if user is lingering.
+  ansible.builtin.stat:
+    path: /var/lib/systemd/linger/{{ tomcat_user }}
+  register: tomcat_user_lingering
+
+- name: Enable user lingering.
+  ansible.builtin.command: loginctl enable-linger {{ tomcat_user }}
+  when: not tomcat_user_lingering.stat.exists
+  changed_when: true
+  become: true
diff --git a/roles/tomcat/templates/server.xml.j2 b/roles/tomcat/templates/server.xml.j2
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<Server port="-1" shutdown="SHUTDOWN">
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <GlobalNamingResources>
+  </GlobalNamingResources>
+
+  <Service name="Catalina">
+    <Connector port="8081" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               maxParameterCount="1000"
+               />
+
+    <Engine name="Catalina" defaultHost="localhost">
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
diff --git a/roles/tomcat/templates/tomcat.service.j2 b/roles/tomcat/templates/tomcat.service.j2
@@ -0,0 +1,19 @@
+[Unit]
+Description=Apache Tomcat {{ tomcat_version }}
+After=syslog.target network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+UMask=0077
+PIDFile={{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/tomcat.pid
+Environment="CATALINA_PID={{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/tomcat.pid"
+Environment="CATALINA_HOME={{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}"
+Environment="CATALINA_OPTS=-server -XX:+HeapDumpOnOutOfMemoryError -Djava.awt.headless=true -Dfile.encoding=UTF-8"
+Environment="JRE_HOME={{ java_user_home }}/usr/lib/jvm/{{ tomcat_java_version }}"
+ExecStart={{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/bin/startup.sh
+ExecStop={{ tomcat_user_home }}/opt/tomcat/{{ tomcat_version }}/bin/shutdown.sh 30 -force
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/webservers.yml b/webservers.yml
@@ -3,7 +3,7 @@
   hosts: webservers
 
   roles:
-    - role: java
+    - role: tomcat
     - role: nginx
     - role: logrotate
     - role: iptables