Vendor Galaxy Roles and Collections

ansible_collections/debops/debops/roles/java/COPYRIGHT

@@ -0,0 +1,20 @@
+debops.java - Manage Java environment using Ansible
+
+Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.

ansible_collections/debops/debops/roles/java/defaults/main.yml

@@ -0,0 +1,154 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# .. Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _java__ref_defaults:
+
+# debops.java default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Java APT packages [[[
+# ---------------------
+
+# .. envvar:: java__install_jdk [[[
+#
+# By default the role installs only the Java Runtime Environment (JRE)
+# packages. Other Ansible roles can request installation of the compatible Java
+# Development Kit (JDK) by enabling this variable.
+java__install_jdk: False
+
+                                                                   # ]]]
+# .. envvar:: java__base_packages [[[
+#
+# List of default APT packages which should be installed for Java Runtime
+# Environment.
+java__base_packages: [ 'default-jre-headless', 'ca-certificates-java' ]
+
+                                                                   # ]]]
+# .. envvar:: java__jdk_packages [[[
+#
+# List of default APT packages which should be installed for Java Development
+# Kit.
+java__jdk_packages: '{{ (["default-jdk"]
+                         if (ansible_distribution_release in ["trusty"])
+                         else ["default-jdk-headless"])
+                        if java__install_jdk | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: java__packages [[[
+#
+# List of APT packages which should be installed on all hosts in Ansible
+# inventory.
+java__packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__group_packages [[[
+#
+# List of APT packages which should be installed on a group of hosts in Ansible
+# inventory.
+java__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__host_packages [[[
+#
+# List of APT packages which should be installed on specific hosts in Ansible
+# inventory.
+java__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__dependent_packages [[[
+#
+# List of APT packages requested by other Ansible roles.
+java__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Java versions [[[
+# -----------------
+
+# .. envvar:: java__version [[[
+#
+# The version of Java detected by the Ansible local facts.
+java__version: '{{ ansible_local.java.version | d("0.0.0") }}'
+
+                                                                   # ]]]
+# .. envvar:: java__major_version [[[
+#
+# The Java major version number detected by the Ansible local facts.
+java__major_version: '{{ ansible_local.java.major_version | d("0") }}'
+
+                                                                   # ]]]
+# .. envvar:: java__alternatives [[[
+#
+# You can use this variable to select which version of Java is used system-wide
+# by default. To find out what versions are available, use the
+# :command:`update-java-alternatives -l` command on the remote host.
+java__alternatives: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Java Security Policy configuration [[[
+# --------------------------------------
+
+# Java Security Policy defines what paths and resources can be accessed by the
+# Java-based applications. In DebOps we want to grant access to the PKI
+# directories managed by the :ref:`debops.pki` role to support encrypted
+# communication.
+
+# .. envvar:: java__security_policy_path [[[
+#
+# Path to the system-wide security policy used by all Java applications.
+java__security_policy_path: '{{ "/etc/java-" + java__major_version + "-openjdk/security/java.policy" }}'
+
+                                                                   # ]]]
+# .. envvar:: java__default_security_policy [[[
+#
+# This variable contains the contents of the
+# :file:`/etc/java-*-openjdk/security/java.policy` configuration file.
+java__default_security_policy: |
+  // default permissions granted to all domains
+  grant {
+      // allows anyone to listen on dynamic ports
+      permission java.net.SocketPermission "localhost:0", "listen";
+
+      // "standard" properties that can be read by anyone
+      permission java.util.PropertyPermission "java.version", "read";
+      permission java.util.PropertyPermission "java.vendor", "read";
+      permission java.util.PropertyPermission "java.vendor.url", "read";
+      permission java.util.PropertyPermission "java.class.version", "read";
+      permission java.util.PropertyPermission "os.name", "read";
+      permission java.util.PropertyPermission "os.version", "read";
+      permission java.util.PropertyPermission "os.arch", "read";
+      permission java.util.PropertyPermission "file.separator", "read";
+      permission java.util.PropertyPermission "path.separator", "read";
+      permission java.util.PropertyPermission "line.separator", "read";
+      permission java.util.PropertyPermission
+                     "java.specification.version", "read";
+      permission java.util.PropertyPermission "java.specification.vendor", "read";
+      permission java.util.PropertyPermission "java.specification.name", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.version", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.vendor", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.name", "read";
+      permission java.util.PropertyPermission "java.vm.version", "read";
+      permission java.util.PropertyPermission "java.vm.vendor", "read";
+      permission java.util.PropertyPermission "java.vm.name", "read";
+
+      // Permit access to DebOps PKI infrastructure and system-wide certificate store
+      permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/-", "read";
+      permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/-", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/", "read";
+  };
+# ]]]
+# ]]]

ansible_collections/debops/debops/roles/java/meta/main.yml

@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis'
+  description: 'Manage Java OpenJRE/OpenJDK environment'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - java
+    - development
+    - jre
+    - jdk
+    - openjdk
+    - openjre

ansible_collections/debops/debops/roles/java/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install Java packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (java__base_packages
+                              + java__jdk_packages
+                              + java__packages
+                              + java__group_packages
+                              + java__host_packages
+                              + java__dependent_packages)) }}'
+    state: 'present'
+  register: java__register_packages
+  until: java__register_packages is succeeded
+
+- name: Update Java alternatives
+  ansible.builtin.command: 'update-java-alternatives -s {{ java__alternatives }}'
+  register: java__register_update_alternatives
+  changed_when: java__register_update_alternatives.changed | bool
+  when: java__alternatives | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Java local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/java.fact.j2'
+    dest: '/etc/ansible/facts.d/java.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert default Java security policy configuration file
+  debops.debops.dpkg_divert:
+    path: '{{ java__security_policy_path }}'
+    state: 'present'
+
+- name: Generate default Java security policy configuration
+  ansible.builtin.template:
+    src: 'etc/java-x-openjdk/security/java.policy.j2'
+    dest: '{{ java__security_policy_path }}'
+    mode: '0644'

ansible_collections/debops/debops/roles/java/templates/etc/ansible/facts.d/java.fact.j2

@@ -0,0 +1,31 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+
+output = {"installed": True}
+
+try:
+    java_version_output = subprocess.check_output(
+        ['java', '-version'],
+        stderr=subprocess.STDOUT).decode('utf-8').split('\n')
+
+except subprocess.CalledProcessError:
+    pass
+
+if java_version_output:
+    for line in java_version_output:
+        if 'version' in line:
+            output['version'] = line.split()[2].strip('"').split('_')[0]
+            output['major_version'] = output['version'].split('.')[0]
+
+print(dumps(output, sort_keys=True, indent=4))

ansible_collections/debops/debops/roles/java/templates/etc/java-x-openjdk/security/java.policy.j2

@@ -0,0 +1,20 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+//     permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+{{ java__default_security_policy }}