diff --git a/.etckeeper b/.etckeeper
index f3f38ca..b9e085b 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -4292,6 +4292,7 @@ maybe chmod 0755 'rc.d/init.d/bestcrypt'
 maybe chmod 0755 'rc.d/init.d/falco'
 maybe chmod 0644 'rc.d/init.d/functions'
 maybe chmod 0755 'rc.d/init.d/network'
+maybe chmod 0755 'rc.d/init.d/rundeckd'
 maybe chmod 0755 'rc.d/init.d/vpn-gazduire'
 maybe chmod 0755 'rc.d/rc.local'
 maybe chmod 0755 'rc.d/rc0.d'
@@ -4424,6 +4425,57 @@ maybe chmod 0644 'rspamd/worker-proxy.inc'
 maybe chmod 0644 'rsyslog.conf'
 maybe chmod 0755 'rsyslog.d'
 maybe chmod 0644 'rsyslog.d/ignore-systemd-session-slice.conf'
+maybe chown 'rundeck' 'rundeck'
+maybe chgrp 'rundeck' 'rundeck'
+maybe chmod 0755 'rundeck'
+maybe chown 'rundeck' 'rundeck/admin.aclpolicy'
+maybe chgrp 'rundeck' 'rundeck/admin.aclpolicy'
+maybe chmod 0640 'rundeck/admin.aclpolicy'
+maybe chown 'rundeck' 'rundeck/apitoken.aclpolicy'
+maybe chgrp 'rundeck' 'rundeck/apitoken.aclpolicy'
+maybe chmod 0640 'rundeck/apitoken.aclpolicy'
+maybe chown 'rundeck' 'rundeck/framework.properties'
+maybe chgrp 'rundeck' 'rundeck/framework.properties'
+maybe chmod 0640 'rundeck/framework.properties'
+maybe chown 'rundeck' 'rundeck/jaas-loginmodule.conf'
+maybe chgrp 'rundeck' 'rundeck/jaas-loginmodule.conf'
+maybe chmod 0640 'rundeck/jaas-loginmodule.conf'
+maybe chown 'rundeck' 'rundeck/log4j2.properties'
+maybe chgrp 'rundeck' 'rundeck/log4j2.properties'
+maybe chmod 0640 'rundeck/log4j2.properties'
+maybe chown 'rundeck' 'rundeck/profile'
+maybe chgrp 'rundeck' 'rundeck/profile'
+maybe chmod 0640 'rundeck/profile'
+maybe chown 'rundeck' 'rundeck/project.properties'
+maybe chgrp 'rundeck' 'rundeck/project.properties'
+maybe chmod 0640 'rundeck/project.properties'
+maybe chown 'rundeck' 'rundeck/realm.properties'
+maybe chgrp 'rundeck' 'rundeck/realm.properties'
+maybe chmod 0640 'rundeck/realm.properties'
+maybe chown 'rundeck' 'rundeck/rundeck-config.properties'
+maybe chgrp 'rundeck' 'rundeck/rundeck-config.properties'
+maybe chmod 0640 'rundeck/rundeck-config.properties'
+maybe chown 'rundeck' 'rundeck/ssl'
+maybe chgrp 'rundeck' 'rundeck/ssl'
+maybe chmod 0755 'rundeck/ssl'
+maybe chown 'rundeck' 'rundeck/ssl/ssl.properties'
+maybe chgrp 'rundeck' 'rundeck/ssl/ssl.properties'
+maybe chmod 0640 'rundeck/ssl/ssl.properties'
+maybe chown 'rundeck' 'rundeck/system-job_reader.aclpolicy_template'
+maybe chgrp 'rundeck' 
'rundeck/system-job_reader.aclpolicy_template'
+maybe chmod 0640 'rundeck/system-job_reader.aclpolicy_template'
+maybe chown 'rundeck' 'rundeck/system-job_runner.aclpolicy_template'
+maybe chgrp 'rundeck' 'rundeck/system-job_runner.aclpolicy_template'
+maybe chmod 0640 'rundeck/system-job_runner.aclpolicy_template'
+maybe chown 'rundeck' 'rundeck/system-job_viewer.aclpolicy_template'
+maybe chgrp 'rundeck' 'rundeck/system-job_viewer.aclpolicy_template'
+maybe chmod 0640 'rundeck/system-job_viewer.aclpolicy_template'
+maybe chown 'rundeck' 'rundeck/system-job_writer.aclpolicy_template'
+maybe chgrp 'rundeck' 'rundeck/system-job_writer.aclpolicy_template'
+maybe chmod 0640 'rundeck/system-job_writer.aclpolicy_template'
+maybe chown 'rundeck' 'rundeck/system-project_admin.aclpolicy_template'
+maybe chgrp 'rundeck' 'rundeck/system-project_admin.aclpolicy_template'
+maybe chmod 0640 'rundeck/system-project_admin.aclpolicy_template'
 maybe chmod 0755 'rwtab.d'
 maybe chmod 0644 'rwtab.d/logrotate'
 maybe chmod 0644 'rwtab.d/named'
diff --git a/group b/group
index be7f834..d96c4b8 100644
--- a/group
+++ b/group
@@ -99,3 +99,4 @@ PxAzpq9B:x:1014:
 _AodQqBu:x:1015:
 cfb:x:1016:
 mailcow:x:1017:
+rundeck:x:1018:
diff --git a/group- b/group-
index ba74aac..be7f834 100644
--- a/group-
+++ b/group-
@@ -98,3 +98,4 @@ ZTmpNnll:x:1013:
 PxAzpq9B:x:1014:
 _AodQqBu:x:1015:
 cfb:x:1016:
+mailcow:x:1017:
diff --git a/gshadow b/gshadow
index bb3bd6c..f670238 100644
--- a/gshadow
+++ b/gshadow
@@ -99,3 +99,4 @@ PxAzpq9B:!::
 _AodQqBu:!::
 cfb:!::
 mailcow:!::
+rundeck:!::
diff --git a/gshadow- b/gshadow-
index 61dec87..bb3bd6c 100644
--- a/gshadow-
+++ b/gshadow-
@@ -98,3 +98,4 @@ ZTmpNnll:!::
 PxAzpq9B:!::
 _AodQqBu:!::
 cfb:!::
+mailcow:!::
diff --git a/passwd b/passwd
index d219c39..62f9126 100644
--- a/passwd
+++ b/passwd
@@ -70,3 +70,4 @@ PxAzpq9B:x:1013:1014:PxAzpq9B:/mnt/volume-fra1-01/backup2021:/sbin/nologin
 _AodQqBu:x:1014:1015:_AodQqBu:/mnt/volume-fra1-01/backup2021:/sbin/nologin
 cfb:x:1015:1016::/home/cfb:/bin/bash
 mailcow:x:1016:1017::/home/mailcow:/bin/bash
+rundeck:x:1017:1018::/var/lib/rundeck:/bin/bash
diff --git a/passwd- b/passwd-
index 42d3d91..d219c39 100644
--- a/passwd-
+++ b/passwd-
@@ -69,3 +69,4 @@ ZTmpNnll:x:1012:1013:ZTmpNnll:/mnt/volume-fra1-01/backup2021:/sbin/nologin
 PxAzpq9B:x:1013:1014:PxAzpq9B:/mnt/volume-fra1-01/backup2021:/sbin/nologin
 _AodQqBu:x:1014:1015:_AodQqBu:/mnt/volume-fra1-01/backup2021:/sbin/nologin
 cfb:x:1015:1016::/home/cfb:/bin/bash
+mailcow:x:1016:1017::/home/mailcow:/bin/bash
diff --git a/rc.d/init.d/rundeckd b/rc.d/init.d/rundeckd
new file mode 100755
index 0000000..40b217c
--- /dev/null
+++ b/rc.d/init.d/rundeckd
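Review bot: The new `rundeck` entry gets `/bin/bash` as its login shell, while the other service accounts visible in this hunk use `/sbin/nologin`. The init script added in this commit starts the daemon with `runuser -s /bin/bash -l rundeck -c ...`, which names the shell explicitly, so the account should not need an interactive shell in passwd; `rundeck:x:1017:1018::/var/lib/rundeck:/sbin/nologin` limits what the account can be used for if its key material under /var/lib/rundeck/.ssh is ever exposed. The matching shadow entry is locked (`!!`), which is correct for a service account.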
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# rundeckd Startup script for the rundeck
+#
+# chkconfig: 2345 90 10
+# description: rundeckd, providing rundeckd
+# pidfile: /var/run/rundeckd.pid
+
+# Source function library
+
+prog="rundeckd"
+RETVAL=0
+PID_FILE=/var/run/${prog}.pid
+servicelog=/var/log/rundeck/service.log
+
+. /etc/rc.d/init.d/functions
+
+. /etc/rundeck/profile
+
+start() {
+ status -p $PID_FILE $prog >/dev/null
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ echo Already started.
+ return $RETVAL
+ fi
+ echo -n $"Starting $prog: "
+ if ! touch $servicelog; then
+ echo No access to $servicelog. This usually means you need to be root
+ echo_failure
+ echo
+ return 1
+ fi
+ nohup runuser -s /bin/bash -l rundeck -c "$rundeckd" >>$servicelog 2>&1 &
+ RETVAL=$?
+ PID=$!
+ echo $PID > $PID_FILE
+ if [ $RETVAL -eq 0 ]; then
+ touch /var/lock/subsys/$prog
+ echo_success
+ else
+ echo_failure
+ fi
+ echo
+ return $RETVAL
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc -p $PID_FILE "$rundeckd"
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
+ return $RETVAL
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/$prog ]; then
+ stop
+ start
+ fi
+ ;;
+ status)
+ status -p $PID_FILE $prog
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+ RETVAL=1
+esac
+
+exit $RETVAL
diff --git a/rc.d/rc0.d/K10rundeckd b/rc.d/rc0.d/K10rundeckd
new file mode 120000
index 0000000..8c1c599
--- /dev/null
+++ b/rc.d/rc0.d/K10rundeckd
@@ -0,0 +1 @@
+../init.d/rundeckd
\ No newline at end of file
diff --git a/rc.d/rc1.d/K10rundeckd b/rc.d/rc1.d/K10rundeckd
new file mode 120000
index 0000000..8c1c599
--- /dev/null
+++ b/rc.d/rc1.d/K10rundeckd
@@ -0,0 +1 @@
+../init.d/rundeckd
\ No newline at end of file
diff --git a/rc.d/rc2.d/S90rundeckd b/rc.d/rc2.d/S90rundeckd
new file mode 120000
index 0000000..8c1c599
--- /dev/null
+++ b/rc.d/rc2.d/S90rundeckd
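Review bot: `. /etc/rundeck/profile` is sourced by this root-run script, but the `.etckeeper` hunk in the same commit records `rundeck/profile` as owned by the `rundeck` user (`maybe chown 'rundeck' 'rundeck/profile'`, mode 0640), so the unprivileged service account can edit a file that root executes on every start; the file should be root-owned and writable only by root, and the same holds for the `/etc/sysconfig/rundeckd` and `/etc/default/rundeckd` overrides that profile sources. Separately, `RETVAL=$?` right after the backgrounded `nohup runuser ... &` is always 0, so `echo_success` and the lock file never reflect whether the JVM came up; a minimal liveness check before the `if` is `sleep 1; kill -0 "$PID" 2>/dev/null; RETVAL=$?`. `PID=$!` is presumably the pid of `runuser` rather than the java process, so confirm that `killproc -p $PID_FILE` in stop() actually terminates the JVM. Unquoted `$PID_FILE`/`$servicelog` are constants here and harmless, but `$prog` in the `/var/lock/subsys/$prog` paths would be safer quoted for consistency with `"$rundeckd"`.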
@@ -0,0 +1 @@ +../init.d/rundeckd \ No newline at end of file diff --git a/rc.d/rc3.d/S90rundeckd b/rc.d/rc3.d/S90rundeckd new file mode 120000 index 0000000..8c1c599 --- /dev/null +++ b/rc.d/rc3.d/S90rundeckd @@ -0,0 +1 @@ +../init.d/rundeckd \ No newline at end of file diff --git a/rc.d/rc4.d/S90rundeckd b/rc.d/rc4.d/S90rundeckd new file mode 120000 index 0000000..8c1c599 --- /dev/null +++ b/rc.d/rc4.d/S90rundeckd @@ -0,0 +1 @@ +../init.d/rundeckd \ No newline at end of file diff --git a/rc.d/rc5.d/S90rundeckd b/rc.d/rc5.d/S90rundeckd new file mode 120000 index 0000000..8c1c599 --- /dev/null +++ b/rc.d/rc5.d/S90rundeckd @@ -0,0 +1 @@ +../init.d/rundeckd \ No newline at end of file diff --git a/rc.d/rc6.d/K10rundeckd b/rc.d/rc6.d/K10rundeckd new file mode 120000 index 0000000..8c1c599 --- /dev/null +++ b/rc.d/rc6.d/K10rundeckd @@ -0,0 +1 @@ +../init.d/rundeckd \ No newline at end of file diff --git a/rundeck/admin.aclpolicy b/rundeck/admin.aclpolicy new file mode 100644 index 0000000..79c6043 --- /dev/null +++ b/rundeck/admin.aclpolicy @@ -0,0 +1,31 @@ +description: Admin, all access. +context: + project: '.*' # all projects +for: + resource: + - allow: '*' # allow read/create all kinds + adhoc: + - allow: '*' # allow read/running/killing adhoc jobs + job: + - allow: '*' # allow read/write/delete/run/kill of all jobs + node: + - allow: '*' # allow read/run for all nodes +by: + group: admin + +--- + +description: Admin, all access. +context: + application: 'rundeck' +for: + resource: + - allow: '*' # allow create of projects + project: + - allow: '*' # allow view/admin of all projects + project_acl: + - allow: '*' # allow admin of all project-level ACL policies + storage: + - allow: '*' # allow read/create/update/delete for all /keys/* storage content +by: + group: admin diff --git a/rundeck/apitoken.aclpolicy b/rundeck/apitoken.aclpolicy new file mode 100644 index 0000000..c2958e6 --- /dev/null +++ b/rundeck/apitoken.aclpolicy 
@@ -0,0 +1,43 @@ +description: API project level access control +context: + project: '.*' # all projects +for: + resource: + - equals: + kind: job + allow: [create,delete] # allow create and delete jobs + - equals: + kind: node + allow: [read,create,update,refresh] # allow refresh node sources + - equals: + kind: event + allow: [read,create] # allow read/create events + adhoc: + - allow: [read,run,kill] # allow running/killing adhoc jobs and read output + job: + - allow: [create,read,update,delete,run,kill] # allow create/read/write/delete/run/kill of all jobs + node: + - allow: [read,run] # allow read/run for all nodes +by: + group: api_token_group + +--- + +description: API Application level access control +context: + application: 'rundeck' +for: + resource: + - equals: + kind: system + allow: [read] # allow read of system info + project: + - match: + name: '.*' + allow: [read] # allow view of all projects + storage: + - match: + path: '(keys|keys/.*)' + allow: '*' # allow all access to manage stored keys +by: + group: api_token_group diff --git a/rundeck/framework.properties b/rundeck/framework.properties new file mode 100644 index 0000000..cb7810e --- /dev/null +++ b/rundeck/framework.properties 
@@ -0,0 +1,41 @@ +# framework.properties - +# + +# ---------------------------------------------------------------- +# Rundeck server connection information +# ---------------------------------------------------------------- + +framework.server.name = localhost +framework.server.hostname = localhost +framework.server.port = 4440 +framework.server.url = http://localhost:4440 + +# ---------------------------------------------------------------- +# Installation locations +# ---------------------------------------------------------------- + +rdeck.base=/var/lib/rundeck + +framework.projects.dir=/var/lib/rundeck/projects +framework.etc.dir=/etc/rundeck +framework.var.dir=/var/lib/rundeck/var +framework.tmp.dir=/var/lib/rundeck/var/tmp +framework.logs.dir=/var/lib/rundeck/logs +framework.libext.dir=/var/lib/rundeck/libext + +# ---------------------------------------------------------------- +# SSH defaults for node executor and file copier +# ---------------------------------------------------------------- + +framework.ssh.keypath = /var/lib/rundeck/.ssh/id_rsa +framework.ssh.user = rundeck + +# ssh connection timeout after a specified number of milliseconds. +# "0" value means wait forever. +framework.ssh.timeout = 0 + + +# ---------------------------------------------------------------- +# Auto generated server UUID: c86b0213-35d0-45a8-8522-725247f43595 +# ---------------------------------------------------------------- +rundeck.server.uuid = c86b0213-35d0-45a8-8522-725247f43595 diff --git a/rundeck/jaas-loginmodule.conf b/rundeck/jaas-loginmodule.conf new file mode 100644 index 0000000..b253bf5 --- /dev/null +++ b/rundeck/jaas-loginmodule.conf @@ -0,0 +1,5 @@ +RDpropertyfilelogin { +org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required +debug="true" +file="/etc/rundeck/realm.properties"; +}; diff --git a/rundeck/log4j2.properties b/rundeck/log4j2.properties new file mode 100644 index 0000000..8df9349 --- /dev/null +++ b/rundeck/log4j2.properties 
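Review bot: `debug="true"` on `org.eclipse.jetty.jaas.spi.PropertyFileLoginModule` turns on JAAS debug output for every login attempt, and the log4j2 hunk later in this commit sets `com.dtolabs.rundeck.jetty.jaas`, `org.rundeck.jaas` and the `GrailsUsernamePasswordAuthenticationFilter` logger to `debug` as well, all routed to STDOUT, which the init script redirects into /var/log/rundeck/service.log. Authentication debug logging is a troubleshooting setting, not a steady-state one; set `debug="false"` here and `level = info` on those three loggers once the login setup is verified, and confirm service.log (created by `touch` as root in the init script, permissions not visible here) is not world-readable. In framework.properties, `framework.server.url = http://localhost:4440` is plain HTTP, which is acceptable only while the service stays on loopback or behind a TLS proxy.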
@@ -0,0 +1,258 @@ + +name = Rundeck Logging Configuration + +property.baseDir = /var/log/rundeck +property.classLength = 2 +property.noConsoleNoAnsi = true +property.prefix = [%style{%d{ISO8601}}{dim, noConsoleNoAnsi=${noConsoleNoAnsi}}] %highlight{%-5p}{noConsoleNoAnsi=${noConsoleNoAnsi}} %style{%c{${classLength}}}{cyan,noConsoleNoAnsi=${noConsoleNoAnsi}} + +appender.console.type = Console +appender.console.name = STDOUT +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = ${prefix} - %m%n + +appender.rundeck.type = RollingFile +appender.rundeck.name = rundeck +appender.rundeck.fileName = ${baseDir}/rundeck.log +appender.rundeck.append = true +appender.rundeck.bufferedIO = true +appender.rundeck.filePattern = ${baseDir}/rundeck.log.%d{yyyy-MM-dd}.gz +appender.rundeck.layout.type = PatternLayout +appender.rundeck.layout.pattern = ${prefix} [%t] - %m%n +appender.rundeck.policies.type = Policies +appender.rundeck.policies.time.type = TimeBasedTriggeringPolicy +appender.rundeck.policies.time.interval = 1 + +appender.audit.type = RollingFile +appender.audit.name = audit +appender.audit.fileName = ${baseDir}/rundeck.audit.log +appender.audit.append = true +appender.audit.bufferedIO = true +appender.audit.filePattern = ${baseDir}/rundeck.audit.log.%d{yyyy-MM-dd}.gz +appender.audit.layout.type = PatternLayout +appender.audit.layout.pattern = ${prefix} - %m%n +appender.audit.policies.type = Policies +appender.audit.policies.time.type = TimeBasedTriggeringPolicy +appender.audit.policies.time.interval = 1 + +appender.options.type = RollingFile +appender.options.name = options +appender.options.fileName = ${baseDir}/rundeck.options.log +appender.options.append = true +appender.options.bufferedIO = true +appender.options.filePattern = ${baseDir}/rundeck.options.log.%d{yyyy-MM-dd}.gz +appender.options.layout.type = PatternLayout +appender.options.layout.pattern = ${prefix} %X{httpStatusCode} %X{contentLength}B %X{durationTime}ms 
%X{lastModifiedDateTime} [%X{jobName}] %X{url} %X{contentSHA1}%n +appender.options.policies.type = Policies +appender.options.policies.time.type = TimeBasedTriggeringPolicy +appender.options.policies.time.interval = 1 + +appender.storage.type = RollingFile +appender.storage.name = storage +appender.storage.fileName = ${baseDir}/rundeck.storage.log +appender.storage.append = true +appender.storage.bufferedIO = true +appender.storage.filePattern = ${baseDir}/rundeck.storage.log.%d{yyyy-MM-dd}.gz +appender.storage.layout.type = PatternLayout +appender.storage.layout.pattern = ${prefix} %X{action} %X{type} %X{path} %X{status} %X{metadata}%n +appender.storage.policies.type = Policies +appender.storage.policies.time.type = TimeBasedTriggeringPolicy +appender.storage.policies.time.interval = 1 + +appender.jobchanges.type = RollingFile +appender.jobchanges.name = jobchanges +appender.jobchanges.fileName = ${baseDir}/rundeck.jobs.log +appender.jobchanges.append = true +appender.jobchanges.bufferedIO = true +appender.jobchanges.filePattern = ${baseDir}/rundeck.jobs.log.%d{yyyy-MM-dd}.gz +appender.jobchanges.layout.type = PatternLayout +appender.jobchanges.layout.pattern = ${prefix} %X{user} %X{change} [%X{id}] %X{project} "%X{groupPath}/%X{jobName}" (%X{method})%X{extraInfo}%n +appender.jobchanges.policies.type = Policies +appender.jobchanges.policies.time.type = TimeBasedTriggeringPolicy +appender.jobchanges.policies.time.interval = 1 + +appender.execevents.type = RollingFile +appender.execevents.name = execevents +appender.execevents.fileName = ${baseDir}/rundeck.executions.log +appender.execevents.append = true +appender.execevents.bufferedIO = true +appender.execevents.filePattern = ${baseDir}/rundeck.executions.log.%d{yyyy-MM-dd}.gz +appender.execevents.layout.type = PatternLayout +appender.execevents.layout.pattern = ${prefix} %X{eventUser} %X{event} [%X{id}:%X{state}] %X{project} %X{user}/%X{abortedby} \"%X{groupPath}/%X{jobName} %X{argString}\"[%X{uuid}] %n 
+appender.execevents.policies.type = Policies +appender.execevents.policies.time.type = TimeBasedTriggeringPolicy +appender.execevents.policies.time.interval = 1 + +appender.apirequests.type = RollingFile +appender.apirequests.name = apirequests +appender.apirequests.fileName = ${baseDir}/rundeck.api.log +appender.apirequests.append = true +appender.apirequests.bufferedIO = true +appender.apirequests.filePattern = ${baseDir}/rundeck.api.log.%d{yyyy-MM-dd}.gz +appender.apirequests.layout.type = PatternLayout +appender.apirequests.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} (%X{userAgent})%n +appender.apirequests.policies.type = Policies +appender.apirequests.policies.time.type = TimeBasedTriggeringPolicy +appender.apirequests.policies.time.interval = 1 + +appender.access.type = RollingFile +appender.access.name = access +appender.access.fileName = ${baseDir}/rundeck.access.log +appender.access.append = true +appender.access.bufferedIO = true +appender.access.filePattern = ${baseDir}/rundeck.access.log.%d{yyyy-MM-dd}.gz +appender.access.layout.type = PatternLayout +appender.access.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} [%X{contentType}] (%X{userAgent})%n +appender.access.policies.type = Policies +appender.access.policies.time.type = TimeBasedTriggeringPolicy +appender.access.policies.time.interval = 1 + +appender.project.type = RollingFile +appender.project.name = project +appender.project.fileName = ${baseDir}/rundeck.project.log +appender.project.append = true +appender.project.bufferedIO = true +appender.project.filePattern = ${baseDir}/rundeck.project.log.%d{yyyy-MM-dd}.gz +appender.project.layout.type = PatternLayout +appender.project.layout.pattern = ${prefix} - %m%n +appender.project.policies.type = Policies +appender.project.policies.time.type = TimeBasedTriggeringPolicy 
+appender.project.policies.time.interval = 1 + +appender.cleanup.type = RollingFile +appender.cleanup.name = cleanup +appender.cleanup.fileName = ${baseDir}/rundeck.cleanup.log +appender.cleanup.append = true +appender.cleanup.bufferedIO = true +appender.cleanup.filePattern = ${baseDir}/rundeck.cleanup.log.%d{yyyy-MM-dd}.gz +appender.cleanup.layout.type = PatternLayout +appender.cleanup.layout.pattern = ${prefix} - %m%n +appender.cleanup.policies.type = Policies +appender.cleanup.policies.time.type = TimeBasedTriggeringPolicy +appender.cleanup.policies.time.interval = 1 + +appender.webhooks.type = RollingFile +appender.webhooks.name = webhooks +appender.webhooks.fileName = ${baseDir}/rundeck.webhooks.log +appender.webhooks.append = true +appender.webhooks.bufferedIO = true +appender.webhooks.filePattern = ${baseDir}/rundeck.webhooks.log.%d{yyyy-MM-dd}.gz +appender.webhooks.layout.type = PatternLayout +appender.webhooks.layout.pattern = ${prefix} - %m%n +appender.webhooks.policies.type = Policies +appender.webhooks.policies.time.type = TimeBasedTriggeringPolicy +appender.webhooks.policies.time.interval = 1 + +rootLogger.level = warn +rootLogger.appenderRef.stdout.ref = STDOUT +rootLogger.appenderRef.rundeck.ref = rundeck + +logger.interceptors.name = rundeck.interceptors +logger.interceptors.level = info +logger.interceptors.additivity = false +logger.interceptors.appenderRef.stdout.ref = STDOUT + +logger.rundeckapp.name = rundeckapp +logger.rundeckapp.level = info +logger.rundeckapp.additivity = false +logger.rundeckapp.appenderRef.stdout.ref = STDOUT + +logger.bootstrap.name = rundeckapp.BootStrap +logger.bootstrap.level = info +logger.bootstrap.additivity = false +logger.bootstrap.appenderRef.stdout.ref = STDOUT + +logger.grails.name = grails +logger.grails.level = warn +logger.grails.additivity = false +logger.grails.appenderRef.stdout.ref = STDOUT + +logger.grails_env.name = grails.util.Environment +logger.grails_env.level = error +logger.grails_env.additivity 
= false +logger.grails_env.appenderRef.stdout.ref = STDOUT + +logger.prjmanager.name = grails.app.services.rundeck.services.ProjectManagerService +logger.prjmanager.level = info +logger.prjmanager.additivity = false +logger.prjmanager.appenderRef.stdout.ref = STDOUT + +logger.authorization.name = com.dtolabs.rundeck.core.authorization +logger.authorization.level = info +logger.authorization.additivity = false +logger.authorization.appenderRef.stdout.ref = audit + +logger.options.name = com.dtolabs.rundeck.remoteservice.http.options +logger.options.level = info +logger.options.additivity = false +logger.options.appenderRef.stdout.ref = options + +logger.jobchanges.name = com.dtolabs.rundeck.data.jobs.changes +logger.jobchanges.level = info +logger.jobchanges.additivity = false +logger.jobchanges.appenderRef.stdout.ref = jobchanges + +logger.execevents.name = org.rundeck.execution.status +logger.execevents.level = info +logger.execevents.additivity = false +logger.execevents.appenderRef.stdout.ref = execevents + +logger.apirequests.name = org.rundeck.api.requests +logger.apirequests.level = info +logger.apirequests.additivity = false +logger.apirequests.appenderRef.stdout.ref = apirequests + +logger.access.name = org.rundeck.web.requests +logger.access.level = info +logger.access.additivity = false +logger.access.appenderRef.access.ref = access + +logger.project.name = org.rundeck.project.events +logger.project.level = info +logger.project.additivity = false +logger.project.appenderRef.stdout.ref = project + +logger.storage.name = org.rundeck.storage.events +logger.storage.level = info +logger.storage.additivity = false +logger.storage.appenderRef.storage.ref = storage + +logger.webhook_events.name = org.rundeck.webhook.events +logger.webhook_events.level = info +logger.webhook_events.additivity = false +logger.webhook_events.appenderRef.webhooks.ref = webhooks + +logger.webhook_plugins.name = org.rundeck.plugin.webhook +logger.webhook_plugins.level = debug 
+logger.webhook_plugins.additivity = false +logger.webhook_plugins.appenderRef.webhooks.ref = webhooks + +logger.cleanup.name = rundeck.quartzjobs.ExecutionsCleanUp +logger.cleanup.level = debug +logger.cleanup.additivity = false +logger.cleanup.appenderRef.cleanup.ref = cleanup + +logger.jetty.name = org.mortbay.log +logger.jetty.level = warn +logger.jetty.additivity = false +logger.jetty.appenderRef.stdout.ref = STDOUT + +logger.hibernate.name = org.hibernate.orm.deprecation +logger.hibernate.level = error +logger.hibernate.additivity = false +logger.hibernate.appenderRef.stdout.ref = STDOUT + +logger.rundeck_jaas.name = com.dtolabs.rundeck.jetty.jaas +logger.rundeck_jaas.level = debug +logger.rundeck_jaas.additivity = false +logger.rundeck_jaas.appenderRef.stdout.ref = STDOUT + +logger.spring_security.name = grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter +logger.spring_security.level = debug +logger.spring_security.additivity = false +logger.spring_security.appenderRef.stdout.ref = STDOUT + +logger.jaas.name = org.rundeck.jaas +logger.jaas.level = debug +logger.jaas.additivity = false +logger.jaas.appenderRef.stdout.ref = STDOUT \ No newline at end of file diff --git a/rundeck/profile b/rundeck/profile new file mode 100644 index 0000000..83ce68d --- /dev/null +++ b/rundeck/profile 
@@ -0,0 +1,100 @@ +######### +# Rundeck Profile sourced from /etc/rc.d/init.d/rundeckd +######### +# +# NOTE: DO NOT MODIFY THIS FILE +# It will be replaced when the package is upgraded and your changes will not be saved. +# +# ################## +# +# To override variables in this file, you can instead create a file at: +# +# # Centos/Redhat default: +# +# /etc/sysconfig/rundeckd +# +# Or +# +# # Ubuntu/Debian default: +# +# /etc/default/rundeckd +# +# which contains exports for any of the variables listed below. E.g.: +# +# RUNDECK_TEMPDIR=/path/to/tmpdir +# +# That file will be sourced before this one, allowing your exports to take precedence. +# +############### + +prog="rundeckd" +[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog +[ -e /etc/default/$prog ] && . /etc/default/$prog + +RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}" +RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}" +RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}" +RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}" +RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}" +RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}" +RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}" +RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}" +RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}" +RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}" +RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}" +RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}" +RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}" +RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}" +JAAS_LOGIN="${JAAS_LOGIN:-true}" +JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}" +LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}" +RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440} +RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443} + + +# If no JAVA_CMD, try to find it in $JAVA_HOME +if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ 
-x "$JAVA_HOME/bin/java" ] ; then + JAVA_CMD=$JAVA_HOME/bin/java + PATH=$PATH:$JAVA_HOME/bin + export JAVA_HOME +elif [ -z "$JAVA_CMD" ] ; then + JAVA_CMD=java +fi + +for war in $(find $RDECK_INSTALL/bootstrap -name '*.war') ; do + EXECUTABLE_WAR=$war +done + +RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \ + -Djava.security.auth.login.config=$JAAS_CONF \ + -Dloginmodule.name=$LOGIN_MODULE \ + -Drdeck.config=$RDECK_CONFIG \ + -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \ + -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \ + -Drundeck.server.serverDir=$RDECK_INSTALL \ + -Drdeck.projects=$RDECK_PROJECTS \ + -Dlog4j.configurationFile=$RDECK_SERVER_CONFIG/log4j2.properties \ + -Dlogging.config=file:$RDECK_SERVER_CONFIG/log4j2.properties \ + -Drdeck.runlogs=$RUNDECK_LOGDIR \ + -Drundeck.server.logDir=$RUNDECK_LOGDIR \ + -Drundeck.config.location=$RDECK_CONFIG_FILE \ + -Djava.io.tmpdir=$RUNDECK_TEMPDIR \ + -Drundeck.server.workDir=$RUNDECK_WORKDIR \ + -Dserver.http.port=$RDECK_HTTP_PORT \ + -Drdeck.base=$RDECK_BASE" +# +# Set min/max heap size +# +RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS" +# +# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details. +# +if [ -n "$RUNDECK_WITH_SSL" ] ; then + RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT}" +fi + +unset JRE_HOME + +umask 002 + +rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -jar $EXECUTABLE_WAR --skipinstall" diff --git a/rundeck/project.properties b/rundeck/project.properties new file mode 100644 index 0000000..66a6cce --- /dev/null +++ b/rundeck/project.properties 
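Review bot: `RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"` reads the wrong variable: `RUNDECK_TEMPDIR` is defaulted to `/tmp/rundeck` on the preceding line, so the work dir is always `/tmp/rundeck` and any `RUNDECK_WORKDIR` export in /etc/sysconfig/rundeckd is ignored; the intended line is `RUNDECK_WORKDIR="${RUNDECK_WORKDIR:-$RDECK_BASE/work}"`. With `umask 002` and `-Djava.io.tmpdir=$RUNDECK_TEMPDIR` pointing at a fixed, predictable path under world-writable /tmp, everything the JVM writes there is group-writable and the directory can be pre-created by another local user; since the header says this packaged file must not be edited, the practical fix is `export RUNDECK_TEMPDIR=/var/lib/rundeck/var/tmp` (matching `framework.tmp.dir` in framework.properties) in /etc/sysconfig/rundeckd. `for war in $(find $RDECK_INSTALL/bootstrap -name '*.war')` also silently picks the last match if more than one WAR is present, and the unquoted `$RDECK_JVM` expansion inside `rundeckd=` means none of these paths may contain spaces.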
@@ -0,0 +1,27 @@ +# project.properties +# +# $Id: project.properties.template 2126 2010-08-17 21:06:08Z ahonor $ +# + +# +# The base directory for this project's instances +# +project.dir = /var/lib/rundeck/projects/${project.name} +# +# The base directory of project specific configuration files +# +project.etc.dir = /var/lib/rundeck/projects/${project.name}/etc + +# +# The resources registration file +# +project.resources.file = /var/lib/rundeck/projects/${project.name}/etc/resources.xml + +# +# The project description +# +project.description = +# +# The organization +# +project.organization = diff --git a/rundeck/realm.properties b/rundeck/realm.properties new file mode 100644 index 0000000..5e0abd4 --- /dev/null +++ b/rundeck/realm.properties @@ -0,0 +1,33 @@ +# +# This file defines users passwords and roles for a HashUserRealm +# +# The format is +# : [, ...] +# +# Passwords may be clear text, obfuscated or checksummed. The class +# org.mortbay.util.Password should be used to generate obfuscated +# passwords or password checksums +# +# If DIGEST Authentication is used, the password must be in a recoverable +# format, either plain text or OBF:. +# +#jetty: MD5:164c88b302622e17050af52c89945d44,user +#admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin +#other: OBF:1xmk1w261u9r1w1c1xmq +#plain: plain +#user: password +# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password +#digest: MD5:6e120743ad67abfbc385bc2bb754e297 + +# +# This sets the default user accounts for the Rundeck app +# +admin:admin,user,admin,architect,deploy,build + +# +# example users matching the example aclpolicy template roles +# +#job-runner:admin,user,job_runner +#job-writer:admin,user,job_writer +#job-reader:admin,user,job_reader +#job-viewer:admin,user,job_viewer diff --git a/rundeck/rundeck-config.properties b/rundeck/rundeck-config.properties new file mode 100644 index 0000000..0a1db34 --- /dev/null 
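Review bot: `admin:admin,user,admin,architect,deploy,build` is the packaged default, the `admin` account with the clear-text password `admin` and every role, and the jaas-loginmodule hunk in this commit wires this file in as the live login source. The header comment already lists the `MD5:`, `CRYPT:` and `OBF:` forms; change the password before the service is reachable and store it in one of those forms rather than in the clear. The file is recorded in .etckeeper as rundeck-owned 0640, which is a sensible mode, but the repository holding this commit now contains the credential too.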
+++ b/rundeck/rundeck-config.properties @@ -0,0 +1,33 @@ +#loglevel.default is the default log level for jobs: ERROR,WARN,INFO,VERBOSE,DEBUG +loglevel.default=INFO +rdeck.base=/var/lib/rundeck + +#rss.enabled if set to true enables RSS feeds that are public (non-authenticated) +rss.enabled=false +# change hostname here +grails.serverURL=http://localhost:4440 +dataSource.dbCreate = update +dataSource.url = jdbc:h2:file:/var/lib/rundeck/data/rundeckdb;MVCC=true + +# Encryption for key storage +rundeck.storage.provider.1.type=db +rundeck.storage.provider.1.path=keys + +rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.path=keys +rundeck.storage.converter.1.config.encryptorType=custom +rundeck.storage.converter.1.config.password=eea687e3ff09b3c0 +rundeck.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC +rundeck.storage.converter.1.config.provider=BC + +# Encryption for project config storage +rundeck.projectsStorageType=db + +rundeck.config.storage.converter.1.type=jasypt-encryption +rundeck.config.storage.converter.1.path=projects +rundeck.config.storage.converter.1.config.password=eea687e3ff09b3c0 +rundeck.config.storage.converter.1.config.encryptorType=custom +rundeck.config.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC +rundeck.config.storage.converter.1.config.provider=BC + +rundeck.feature.repository.enabled=true diff --git a/rundeck/ssl/ssl.properties b/rundeck/ssl/ssl.properties new file mode 100644 index 0000000..1c199b7 --- /dev/null +++ b/rundeck/ssl/ssl.properties @@ -0,0 +1,5 @@ +keystore=/etc/rundeck/ssl/keystore +keystore.password=adminadmin +key.password=adminadmin +truststore=/etc/rundeck/ssl/truststore +truststore.password=adminadmin diff --git a/rundeck/system-job_reader.aclpolicy_template b/rundeck/system-job_reader.aclpolicy_template new file mode 100644 index 0000000..32400ef --- /dev/null +++ b/rundeck/system-job_reader.aclpolicy_template 
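Review bot: `rundeck.storage.converter.1.config.password` and `rundeck.config.storage.converter.1.config.password` hold the key-storage and project-config encryption password in clear text, and this commit checks that value into the etckeeper repository alongside the H2 database path `jdbc:h2:file:/var/lib/rundeck/data/rundeckdb`. Treat it as a secret: restrict who can read the repository, and if the value has already been shared rotate it (re-encrypting stored keys) rather than only editing the file. `grails.serverURL=http://localhost:4440` together with `RUNDECK_WITH_SSL` being unset in the profile hunk means the UI and API are served over plain HTTP, which is fine only if the port stays bound to loopback or sits behind a TLS proxy that this commit does not show.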
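Review bot: `keystore.password=adminadmin`, `key.password=adminadmin` and `truststore.password=adminadmin` are the packaged placeholder passwords. The profile hunk only passes `-Drundeck.ssl.config=.../ssl/ssl.properties` when `RUNDECK_WITH_SSL` is set, so this file appears unused at the moment, but it will be consumed as-is the instant SSL is enabled; replace the three values before setting `RUNDECK_WITH_SSL`, and note that they are now in the etckeeper history as well.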
@@ -0,0 +1,27 @@ +description: Allow groups to list projects +context: + application: 'rundeck' +for: + project: + - allow: read + match: + name: '.*' +by: + group: job_reader + +--- + +description: Global read access to job_reader role +context: + project: '.*' +for: + job: + - allow: [read] + match: + name: '.*' + resource: + - allow: read + equals: + kind: event +by: + group: job_reader diff --git a/rundeck/system-job_runner.aclpolicy_template b/rundeck/system-job_runner.aclpolicy_template new file mode 100644 index 0000000..0aafef2 --- /dev/null +++ b/rundeck/system-job_runner.aclpolicy_template @@ -0,0 +1,35 @@ +description: Allow groups to list projects +context: + application: 'rundeck' +for: + project: + - allow: read + match: + name: '.*' +by: + group: job_runner + +--- + +description: Global run permissions to job_runner role +context: + project: '.*' +for: + resource: + - equals: + kind: 'node' + allow: [read,refresh] + job: + - allow: [read, run] + match: + name: '.*' + node: + - allow: [read, run, refresh] + match: + nodename: '.*' + resource: + - allow: read + equals: + kind: event +by: + group: job_runner \ No newline at end of file diff --git a/rundeck/system-job_viewer.aclpolicy_template b/rundeck/system-job_viewer.aclpolicy_template new file mode 100644 index 0000000..73ff70b --- /dev/null +++ b/rundeck/system-job_viewer.aclpolicy_template @@ -0,0 +1,27 @@ +description: Allow groups to list projects +context: + application: 'rundeck' +for: + project: + - allow: read + match: + name: '.*' +by: + group: job_viewer + +--- + +description: Global read access to job_reader role +context: + project: '.*' +for: + job: + - allow: [view] + match: + name: '.*' + resource: + - allow: read + equals: + kind: event +by: + group: job_viewer diff --git a/rundeck/system-job_writer.aclpolicy_template b/rundeck/system-job_writer.aclpolicy_template new file mode 100644 index 0000000..819e65a --- /dev/null +++ b/rundeck/system-job_writer.aclpolicy_template 
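Review bot: In the job_viewer template the second policy's `description: Global read access to job_reader role` is carried over from the job_reader template, while `by: group: job_viewer` and the job action is `view`; `description: Global view access to job_viewer role` would keep the ACL listing accurate. These `.aclpolicy_template` files are presumably not loaded as live policies (only `.aclpolicy` files are), so this is a documentation fix rather than an authorization change.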
@@ -0,0 +1,37 @@
+description: Allow groups to list projects
+context:
+ application: 'rundeck'
+for:
+ project:
+ - allow: read
+ match:
+ name: '.*'
+by:
+ group: job_writer
+
+---
+
+description: Global write permissions to job_writer role
+context:
+ project: '.*'
+for:
+ resource:
+ - equals:
+ kind: 'node'
+ allow: [read,refresh]
+ - equals:
+ kind: job
+ allow: [create, delete]
+ - equals:
+ kind: event
+ allow: [read]
+ job:
+ - allow: [create,read,update,delete,run,kill]
+ match:
+ name: '.*'
+ node:
+ - allow: [read, run, refresh]
+ match:
+ nodename: '.*'
+by:
+ group: job_writer
\ No newline at end of file
diff --git a/rundeck/system-project_admin.aclpolicy_template b/rundeck/system-project_admin.aclpolicy_template
new file mode 100644
index 0000000..b16bf50
--- /dev/null
+++ b/rundeck/system-project_admin.aclpolicy_template
@@ -0,0 +1,51 @@
+description: Allow groups to list projects
+context:
+ application: 'rundeck'
+for:
+ project:
+ - allow: read
+ match:
+ name: '.*'
+by:
+ group: project_admin
+
+---
+description: Global project admin permissions to project_admin role
+context:
+ project: '.*'
+for:
+ resource:
+ - equals:
+ kind: job
+ allow: '*'
+ - equals:
+ kind: node
+ allow: '*'
+ - equals:
+ kind: event
+ allow: '*'
+ adhoc:
+ - allow: '*'
+ job:
+ - allow: '*'
+ node:
+ - allow: '*'
+ project:
+ - allow: '*'
+by:
+ group: project_admin
+---
+description: project_admin application scope permissions
+context:
+ application: 'rundeck'
+for:
+ resource:
+ - equals:
+ kind: project
+ allow: '*'
+ project:
+ - match:
+ name: '.*'
+ allow: '*'
+by:
+ group: project_admin
\ No newline at end of file
diff --git a/shadow b/shadow
index d0c8e62..e504307 100644
--- a/shadow
+++ b/shadow
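Review bot: In system-project_admin.aclpolicy_template the project-scoped policy grants `allow: '*'` on `project:`, `job:`, `node:`, `adhoc:` and every `resource:` kind for `context: project: '.*'`, and the application-scoped policy grants `'*'` on `resource: kind: project` and on every project `name: '.*'`, so `project_admin` amounts to instance-wide project administration (create, reconfigure, delete any project) rather than administration of particular projects. If the intent is a delegated admin for specific teams, narrow `context: project:` and the application-scope `match: name:` to an explicit pattern per team instead of `'.*'`, and prefer spelled-out action lists over `'*'` so actions introduced by later Rundeck versions are not granted implicitly. The `.aclpolicy_template` suffix presumably keeps this file inert until it is copied to an `.aclpolicy` name; a header comment stating that, and which values are meant to be edited on copy, would help the next operator. The file also lacks a trailing newline.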
@@ -70,3 +70,4 @@ PxAzpq9B:$1$F6ZjZcoN$gX11Ys/26Yo/jxJVh0dcZ1:18658:0:99999:7:30::
 _AodQqBu:$1$SrfZx/5I$Xw.KOzTE2gE7eBTcbP7sB.:18658:0:99999:7:30::
 cfb:$6$qp3Fo53PpelMFPxu$kpw4lw/ODVjqSnohBn7MeduZuorwzWLD5QQGiZ5ARhGylK.56a7FswSh/OaN/LcXYR3I92ZUshb9vgsOoksSr0:18731:0:99999:7:30::
 mailcow:$6$7vT203MTlIc8ROf0$VxXn56jKN5.UAPyXsgvv4r2XQDaL5yjo8Tk1We6rPS1eB7fRxbmIRMt8n4irsVtV4zhCwECzlZN8Q6kKezmwp0:18768:0:99999:7:30::
+rundeck:!!:18772:0:99999:7:30::
diff --git a/shadow- b/shadow-
index 47bc112..d0c8e62 100644
--- a/shadow-
+++ b/shadow-
@@ -69,3 +69,4 @@ ZTmpNnll:$1$pEQFJ/iz$JUnmcIcUyUssWzOnDL0Fv0:18658:0:99999:7:30::
 PxAzpq9B:$1$F6ZjZcoN$gX11Ys/26Yo/jxJVh0dcZ1:18658:0:99999:7:30::
 _AodQqBu:$1$SrfZx/5I$Xw.KOzTE2gE7eBTcbP7sB.:18658:0:99999:7:30::
 cfb:$6$qp3Fo53PpelMFPxu$kpw4lw/ODVjqSnohBn7MeduZuorwzWLD5QQGiZ5ARhGylK.56a7FswSh/OaN/LcXYR3I92ZUshb9vgsOoksSr0:18731:0:99999:7:30::
+mailcow:$6$7vT203MTlIc8ROf0$VxXn56jKN5.UAPyXsgvv4r2XQDaL5yjo8Tk1We6rPS1eB7fRxbmIRMt8n4irsVtV4zhCwECzlZN8Q6kKezmwp0:18768:0:99999:7:30::
diff --git a/subgid b/subgid
index f705733..e3c16d4 100644
--- a/subgid
+++ b/subgid
@@ -14,3 +14,4 @@ PxAzpq9B:886432:65536
 _AodQqBu:951968:65536
 cfb:1017504:65536
 mailcow:1083040:65536
+rundeck:1148576:65536
diff --git a/subgid- b/subgid-
index 7113630..f705733 100644
--- a/subgid-
+++ b/subgid-
@@ -13,3 +13,4 @@ ZTmpNnll:820896:65536
 PxAzpq9B:886432:65536
 _AodQqBu:951968:65536
 cfb:1017504:65536
+mailcow:1083040:65536
diff --git a/subuid b/subuid
index f705733..e3c16d4 100644
--- a/subuid
+++ b/subuid
@@ -14,3 +14,4 @@ PxAzpq9B:886432:65536
 _AodQqBu:951968:65536
 cfb:1017504:65536
 mailcow:1083040:65536
+rundeck:1148576:65536
diff --git a/subuid- b/subuid-
index 7113630..f705733 100644
--- a/subuid-
+++ b/subuid-
@@ -13,3 +13,4 @@ ZTmpNnll:820896:65536
 PxAzpq9B:886432:65536
 _AodQqBu:951968:65536
 cfb:1017504:65536
+mailcow:1083040:65536
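Review bot: The new `rundeck:!!:18772:0:99999:7:30::` entry is a locked service account, which is the right shape, but this hunk lands in a tracked copy of `shadow` (and its backup `shadow-` in the next hunk) whose context lines carry live password hashes, several of them md5-crypt (`$1$`), so every etckeeper commit replicates credential material into the repository and into any remote it is pushed to. Add `shadow` and `shadow-` (and their group-file equivalents) to this repository's ignore list and purge them from history, or else guarantee the repository is never stored or pushed anywhere with weaker access control than `/etc/shadow` itself. Independently of this commit, the `$1$` entries should be migrated to the `$6$` scheme the newer accounts already use, for example by forcing a password change at next login.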
