Added roles for redis (application, instance)

group_vars/all/vars.yml

@@ -97,6 +97,9 @@ global_nfs_directory: "{{ global_webservers_directory }}/nfs"
 
 global_pamd: "/etc/pam.d"
 
+global_redis_configuration_directory: "/etc/redis"
+global_redis_service_name: "redis-server.service"
+
 global_resolv_conf: "/etc/resolv.conf"
 
 global_ssh_configuration_directory: "/etc/ssh/"

roles/redis/application/meta/main.yml

@@ -0,0 +1,3 @@
+---
+
+allow_duplicates: no

roles/redis/application/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - redis-server
+
+- name: Disable default instance
+  systemd:
+    name: "{{ global_redis_service_name }}"
+    state: stopped
+    enabled: no
+    masked: yes
+
+- name: Remove configuration for default instance
+  file:
+    state: absent
+    path: "{{ global_redis_configuration_directory }}/redis.conf"

roles/redis/instance/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+
+# domain # To derive service_name and service_description
+
+service_name: "redis_{{ domain }}.service"
+service_file: "{{ global_systemd_configuration_directory }}/{{ service_name }}"
+service_description: "Redis advanced key-value store for {{ domain }}"
+
+# system_user # User for redis execution
+# user_directory # To derive redis_directory
+redis_directory: "{{ user_directory }}/redis" # Directory for all redis data
+
+configuration_file: "{{ redis_directory }}/conf"
+
+data_directory: "{{ redis_directory }}/data"
+run_directory: "{{ redis_directory }}/run"
+
+redis_socket_path: "{{ run_directory }}/socket"
+#pid_file: "{{ run_directory }}/pid"
+
+redis_max_memory: "128mb"
+redis_max_memory_policy: "noeviction"

roles/redis/instance/meta/main.yml

@@ -0,0 +1,7 @@
+---
+
+allow_duplicates: yes
+
+dependencies:
+  - role: misc/handlers
+  - role: redis/application

roles/redis/instance/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Create required directories
+  file:
+    state: directory
+    path: "{{ item }}"
+    owner: "{{ system_user }}"
+    group: "{{ system_user }}"
+    mode: u=rwx,g=rx,o=
+  loop:
+    - "{{ redis_directory }}"
+    - "{{ data_directory }}"
+    - "{{ run_directory }}"
+
+- name: Configure instance
+  template:
+    src: redis.conf
+    dest: "{{ configuration_file }}"
+    owner: root
+    group: "{{ system_user }}"
+    mode: u=rw,g=r,o=
+  register: configuration_file_task
+
+- name: Configure service for instance
+  template:
+    src: redis.service
+    dest: "{{ service_file }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=
+  notify:
+    - reload systemd
+  register: service_file_task
+
+- meta: flush_handlers
+
+# TODO transfer to handler when handler reloading is possible
+- name: Restart service if changes were applied
+  systemd:
+    name: "{{ service_name }}"
+    state: restarted
+  when: configuration_file_task.changed or service_file_task.changed
+
+- name: Enable and start instance service
+  systemd:
+    name: "{{ service_name }}"
+    state: started
+    enabled: yes
+

roles/redis/instance/templates/redis.service

@@ -0,0 +1,41 @@
+[Unit]
+Description={{ service_description }}
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+#Type=forking
+Type=notify
+ExecStart=/usr/bin/redis-server {{ configuration_file | quote }}
+ExecStop=/bin/kill -s TERM $MAINPID
+#PIDFile=/run/redis/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User={{ system_user }}
+Group={{ system_user }}
+#RuntimeDirectory=redis
+#RuntimeDirectoryMode=2755
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=-{{ data_directory }}
+ReadWriteDirectories=-{{ run_directory }}
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX
+
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target