Adding Karaage 3.1.17

buildKaraage3.x.yml

+---
+- 
+  hosts: karaage-server
+  remote_user: ec2-user
+  roles:
+    - karaage3.1.17
+  sudo: true

headNode.yaml

@@ -25,6 +25,7 @@ resources:
     flavor: m1.small
     image: { get_param: image_id }
     key_name: { get_param: key_name }
+    security_groups: [OpenVPN, NSF, default]
     metadata:
      ansible_host_group: headNode
      ansible_ssh_user: ec2-user

roles/karaage3.1.17/tasks/apache.yml

+---
+-
+ name: "Install Apache2"
+ apt: name=apache2 state=present
+-
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
+-
+ name: "Templating default site"
+ template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
+-
+ name: "Templating ssl configuration"
+ template: src=ssl.conf.j2 dest=/etc/apache2/mods-available/ssl.conf owner=www-data group=www-data
+-
+ name: "Enable ssl module"
+ apache2_module: state=present name=ssl
+
+-
+ name: "Enable default-ssl site"
+ shell: a2ensite default-ssl
+
+-
+ name: "Restarting Apache2"
+ service: name=apache2 state=restarted

roles/karaage3.1.17/tasks/karaage.yml

+---
+-
+ name: "Installing prerequisites"
+ apt: name={{ item }} update_cache=yes
+ with_items:
+  - libxml2-dev
+  - libxslt1-dev
+  - python-lxml
+  - libcrack2-dev
+  - csstidy
+  - ldap-utils
+  - python-cracklib
+  - git
+-
+ name: "Getting Karaage from Github"
+ git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7"
+-
+ name: "Installing Karaage Dependencies"
+ pip: name={{ item }} extra_args="--upgrade"
+ with_items:
+  - six
+  - MySQL-python
+  - mincss
+  - slimit
+  - ply
+-
+ name: "Restrict Django version to 1.7.8"
+ replace: dest=/root/karaage3.1.7/setup.py regexp="Django >= 1.7" replace="Django == 1.7.8"
+-
+ name: "Installing Karaage from source"
+ shell: python setup.py install 
+ args:
+  chdir: /root/karaage3.1.7
+  creates: /root/karaage3.1.7/build/bdist.linux-x86_64
+-
+ name: "Templating Karaage settings"
+ template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group=www-data mode=0640
+-
+ name: "Creating karaage3 in /var/log"
+ file: path=/var/log/karaage3 state=directory owner=www-data group=www-data mode=0755 
+-
+ name: "Creating karaage3 in /var/lib"
+ file: path=/var/lib/karaage3 state=directory owner=root group=www-data mode=0775
+-
+ name: "Change permissions for /var/www"
+ file: path=/var/www state=directory owner=root group=www-data mode=0775
+-
+ name: "enabling Karaage configuration"
+ shell: a2enconf karaage3-wsgi
+-
+ name: "Installing other packages"
+ apt: name={{ item }} update_cache=yes
+ with_items:
+  - python-kgusage
+  - karaage-cluster-tools
+-
+ name: "Set Secret Key"
+ lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present
+-
+ name: " Create DB tables"
+ shell: kg-manage migrate 
+-
+ name: "Reloading apache"
+ service: name=apache2 state=reloaded
+-
+ name: "Restarting Celery"
+ service: name=karaage3-celery state=restarted
+-
+ name: Templating ldap.conf
+ template: src=client-ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
+ when: ansible_fqdn != "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+-
+ name: Add missing ldap entries
+ shell: kg-manage migrate_ldap
+-
+ name: "Reloading apache"
+ service: name=apache2 state=reloaded

roles/karaage3.1.17/tasks/main.yml

+---
+ - include: prerequisites.yml
+ - include: apache.yml
+ - include: mysql.yml
+ - include: karaage.yml

roles/karaage3.1.17/tasks/mysql.yml

+---
+- 
+ name: "Installing MySQL"
+ apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
+ with_items:
+  - python
+  - python-dev
+  - libmysqlclient-dev
+  - python-pip
+  - libapache2-mod-wsgi
+  - python-mysql.connector
+  - mysql-server
+  - python-mysqldb
+- 
+ name: "Starting MySQL"
+ service: name=mysql state=started enabled=true
+#-
+# name: "Templating .my.cnf"
+# template: src=".my.cnf.j2" dest=/root/.my.cnf owner=root group=root mode=0600
+-
+ name: "Templating karaage.cnf"
+ template: src="karaage.cnf.j2" dest=/etc/mysql/conf.d/karaage.cnf owner=root group=root
+-
+ name: "Adding root"
+ sudo: true
+ mysql_user: name=root host="{{ item }}" password="{{ mysql_root_password }}" login_user=root login_password="{{ mysql_root_password }}" check_implicit_admin=yes priv="*.*:ALL,GRANT"
+ with_items:
+  - "{{ ansible_hostname }}"
+  - 127.0.0.1
+  - ::1
+  - localhost
+-
+ name: "Adding Karaage Database"
+ mysql_db: name=karaage state=present login_user=root login_password={{ mysql_root_password }} 
+-
+ name: "Giving priviliges to karaage user"
+ mysql_user: name=karaage password={{ karaage_sql_password }} login_user=root login_password={{ mysql_root_password }} priv=karaage.*:ALL state=present
+
+#-
+# name: "Templating mysql settings"
+# template: src="sqlsettings.sql.j2" dest=/root/sqlsettings.sql owner=root group=root mode=0600
+#-
+# name: "Setting root and karaage accounts"
+# shell: mysql < /root/sqlsettings.sql
+- 
+ name: "Starting MySQL"
+ service: name=mysql state=restarted

roles/karaage3.1.17/tasks/prerequisites.yml

+---
+-
+  name: "Installing prereq packages"
+  apt: name={{ item }} update_cache=yes
+  with_items:
+   - debian-keyring
+- 
+  apt_key: "url=http://code.vpac.org/debian/vpac-debian-key.gpg state=present"
+  name: "Installing the VPAC Debian Archive signing key"
+- 
+  apt_repository: "repo='deb     http://code.vpac.org/debian  jessie main' state=present"
+  name: "Adding VPAC repository in the source list"
+- 
+  apt_repository: "repo='deb-src http://code.vpac.org/debian  jessie main' state=present"
+  name: "Adding VPAC source repository"
+- 
+  apt: update_cache=yes
+  name: "Upgrading apt..."

roles/karaage3.1.17/templates/.my.cnf.j2

+[client]
+user            = root
+password        = {{ mysql_root_password }}
+

roles/karaage3.1.17/templates/client-ldap.conf.j2

+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %} ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	{{ x509_cacert_file }}
+TLS_REQCERT allow

roles/karaage3.1.17/templates/default-ssl.j2

+<IfModule mod_ssl.c>
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    /etc/ssl/certs/server.crt
+	SSLCertificateKeyFile /etc/ssl/private/server.key
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	SSLCACertificatePath /etc/ssl/certs/
+	SSLCACertificateFile /etc/ssl/certs/ca.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+</IfModule>

roles/karaage3.1.17/templates/default.j2

+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+		ServerName {{ ansible_nodename }}
+		Redirect permanent / https://{{ ansible_nodename }}/
+
+        DocumentRoot /var/www
+        <Directory />
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+        <Directory /var/www/>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride None
+                Order allow,deny
+                allow from all
+        </Directory>
+		<Directory /etc/karaage3>
+                Options FollowSymLinks
+                AllowOverride None
+        </Directory>
+
+        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+        <Directory "/usr/lib/cgi-bin">
+                AllowOverride None
+                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+                Order allow,deny
+                Allow from all
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

roles/karaage3.1.17/templates/karaage.cnf.j2

+[mysqld]
+character_set_server=utf8
+default-storage-engine = innodb
+sql_mode = STRICT_ALL_TABLES
+
+[client]
+default-character-set = utf8

roles/karaage3.1.17/templates/settings.py.j2

+# -*- coding: utf-8 -*-
+
+# Globally defined Karaage settings
+# These settings will be used for karaage-admin and karaage-registration.
+
+# Some of these values have sensible defaults. Settings that don't have a
+# sensible default must be configured manually.
+
+# Other Django settings are also possible, this list is not a comprehensive
+# list of all settings.
+
+# Copyright 2010-2011, 2014-2015 VPAC
+# Copyright 2010-2011 The University of Melbourne
+#
+# Django settings
+#
+
+# A boolean that turns on/off debug mode.
+#
+# Never deploy a site into production with DEBUG turned on.
+#
+# Did you catch that? NEVER deploy a site into production with DEBUG turned on.
+#
+# One of the main features of debug mode is the display of detailed error
+# pages. If your app raises an exception when DEBUG is True, Django will
+# display a detailed traceback, including a lot of metadata about your
+# environment, such as all the currently defined Django settings (from
+# settings.py).
+#
+# default: DEBUG = False
+#
+# DEBUG = True
+
+# Implemented by Shahaan due to the django-pipeline bug
+PIPELINE_ENABLED = False
+STATICFILES_STORAGE = 'pipeline.storage.PipelineStorage'
+
+# FQDN host, used in default settings for :setting:`ALLOWED_HOSTS`,
+# :setting:`REGISTRATION_BASE_URL`, and :setting:`ADMIN_BASE_URL`.
+#
+# default: HTTP_HOST = FQDN hostname
+#
+HTTP_HOST = "{% for host in groups['karaage-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+
+# A list of strings representing the host/domain names that this Django site
+# can serve. This is a security measure to prevent an attacker from poisoning
+# caches and password reset emails with links to malicious hosts by submitting
+# requests with a fake HTTP Host header, which is possible even under many
+# seemingly-safe web server configurations.
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: ALLOWED_HOSTS = ["%(HOST)s"]
+#
+# ALLOWED_HOSTS = ["www.example.org"]
+
+# Whether to use a secure cookie for the session cookie. If this is set to
+# True, the cookie will be marked as “secure,” which means browsers may ensure
+# that the cookie is only sent under an HTTPS connection.
+#
+# default: SESSION_COOKIE_SECURE = True
+#
+# SESSION_COOKIE_SECURE = False
+
+# A tuple that lists people who get code error notifications. When DEBUG=False
+# and a view raises an exception, Django will email these people with the full
+# exception information. Each member of the tuple should be a tuple of (Full
+# name, email address).
+ADMINS = (
+    # ('Your Name', 'your_email@domain.com'),
+)
+
+# A tuple in the same format as ADMINS that specifies who should get broken
+# link notifications when BrokenLinkEmailsMiddleware is enabled.
+MANAGERS = ADMINS
+
+# A dictionary containing the settings for all databases to be used with
+# Django. It is a nested dictionary whose contents maps database aliases to a
+# dictionary containing the options for an individual database.
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'karaage',
+        'USER': 'karaage',
+        'PASSWORD': 'imkaraage',
+        'HOST': 'localhost',
+        'PORT': '',
+        'ATOMIC_REQUESTS': True,
+    }
+}
+
+LDAP = {
+     'default': {
+          'ENGINE': 'tldap.backend.fake_transactions',
+          'URI': 'ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}/',
+          'USER': '{{ ldapManager }}',
+          'PASSWORD': '{{ ldapManagerPassword }}',
+          'REQUIRE_TLS': True,
+          'START_TLS': True,
+          'TLS_CA': '{{ x509_cacert_file }}',
+     }
+}
+
+MACHINE_CATEGORY_DATASTORES = {
+     'ldap': [
+          {
+                'DESCRIPTION': 'LDAP datastore',
+                'ENGINE': 'karaage.datastores.ldap.MachineCategoryDataStore',
+                'LDAP': 'default',
+                'ACCOUNT': 'karaage.datastores.ldap_schemas.openldap_account',
+                'GROUP': 'karaage.datastores.ldap_schemas.openldap_account_group',
+                'PRIMARY_GROUP': "institute",
+                'DEFAULT_PRIMARY_GROUP': "ldap",
+                'HOME_DIRECTORY': "/home/%(uid)s",
+                'LOCKED_SHELL': "/usr/local/sbin/locked",
+                'NUMBER_SCHEME': 'default',
+                'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=monash,dc=edu,dc=au',
+                'LDAP_GROUP_BASE': 'ou=Groups,dc=monash,dc=edu,dc=au',
+          },
+    ],
+     'dummy': [
+     ],
+}
+
+GLOBAL_DATASTORES = [
+      {
+            'DESCRIPTION': 'LDAP datastore',
+            'ENGINE': 'karaage.datastores.ldap.GlobalDataStore',
+            'LDAP': 'default',
+            'PERSON': 'karaage.datastores.ldap_schemas.openldap_person',
+            'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group',
+            'NUMBER_SCHEME': 'global',
+            'LDAP_PERSON_BASE': 'ou=People,dc=monash,dc=edu,dc=au',
+            'LDAP_GROUP_BASE': 'ou=People_Groups,dc=monash,dc=edu,dc=au',
+      },
+]
+# The email address that error messages come from, such as those sent to ADMINS
+# and MANAGERS.
+SERVER_EMAIL = 'karaage@example.org'
+
+# The host to use for sending email.
+EMAIL_HOST = 'localhost'
+
+# Subject-line prefix for email messages sent with django.core.mail.mail_admins
+# or django.core.mail.mail_managers. You’ll probably want to include the
+# trailing space.
+EMAIL_SUBJECT_PREFIX = '[Karaage] - '
+
+# Local time zone for this installation. Choices can be found here:
+# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
+# although not all choices may be available on all operating systems.
+# If running in a Windows environment this must be set to the same as your
+# system time zone.
+TIME_ZONE = 'Australia/Melbourne'
+
+# Language code for this installation. All choices can be found here:
+# http://www.i18nguy.com/unicode/language-identifiers.html
+LANGUAGE_CODE = 'en-au'
+
+# A secret key for a particular Django installation. This is used to provide
+# cryptographic signing, and should be set to a unique, unpredictable value.
+SECRET_KEY = ''
+
+# A data structure containing configuration information. The contents of this
+# data structure will be passed as the argument to the configuration method
+# described in LOGGING_CONFIG.
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'formatters': {
+        'verbose': {
+            'format': '%(levelname)s %(asctime)s '
+            '%(module)s %(process)d %(thread)d %(message)s'
+        },
+        'simple': {
+            'format': '%(levelname)s %(message)s'
+        },
+    },
+    'handlers': {
+        'mail_admins': {
+            'level': 'ERROR',
+            'class': 'django.utils.log.AdminEmailHandler'
+        },
+        'django_file': {
+            'level': 'WARNING',
+            'class': 'karaage.common.logging.FileHandler',
+            'filename': '/var/log/karaage3/django.log',
+            'formatter': 'verbose',
+            'owner': ['www-data', 'www-data'],
+        },
+        'karaage_file': {
+            'level': 'WARNING',
+            'class': 'karaage.common.logging.FileHandler',
+            'filename': '/var/log/karaage3/karaage.log',
+            'formatter': 'verbose',
+            'owner': ['www-data', 'www-data'],
+        },
+        # 'ldap_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/ldap.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+        # 'mam_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/mam.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+        # 'slurm_file': {
+        #     'level': 'DEBUG',
+        #     'class': 'karaage.common.logging.FileHandler',
+        #     'filename': '/var/log/karaage3/slurm.log',
+        #     'formatter': 'verbose',
+        #     'owner': ['www-data', 'www-data'],
+        # },
+    },
+    'loggers': {
+        '': {
+            'handlers': ['mail_admins'],
+            'level': 'ERROR',
+            'propagate': True,
+        },
+        'django': {
+            'handlers': ['django_file'],
+            'level': 'DEBUG',
+            'propagate': True,
+        },
+        'karaage': {
+            'handlers': ['karaage_file'],
+            'level': 'DEBUG',
+            'propagate': True,
+        },
+        # 'karaage.datastores.ldap': {
+        #     'handlers': ['ldap_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+        # 'karaage.datastores.mam': {
+        #     'handlers': ['mam_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+        # 'karaage.datastores.slurm': {
+        #     'handlers': ['slurm_file'],
+        #     'level': 'DEBUG',
+        #     'propagate': True,
+        # },
+    },
+}
+
+
+#
+# Karaage settings
+#
+
+# Users are advised to contact this address if having problems.
+# This is also used as the from address in outgoing emails.
+ACCOUNTS_EMAIL = 'accounts@example.com'
+
+# This organisation name, used in outgoing emails.
+ACCOUNTS_ORG_NAME = 'Example'
+
+# Registration base URL - Used in email templates
+# Uncomment to override default
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: REGISTRATION_BASE_URL = 'https://%(HOST)s/users'
+#
+# REGISTRATION_BASE_URL = 'https://accounts.example.org/users'
+
+# Admin base URL - Used in email templates
+# Uncomment to override default
+#
+# %(HOST) will be substituted with the HTTP_HOST setting.
+#
+# default: ADMIN_BASE_URL = 'https://%(HOST)s/kgadmin'
+#
+# ADMIN_BASE_URL = 'https://accounts.example.org/kgadmin'
+
+# Is Shibboleth supported?
+#
+# default: SHIB_SUPPORTED = False
+#
+# SHIB_SUPPORTED = True
+
+# Path to AUP policy. Note that setting this will not disable the Karaage
+# default page, it might be better to replace the AUP with a file in
+# the templates directory ``karaage/common/aup-detail.html`` if required.
+#
+# default: Django template ``karaage/common/aup-detail.html``
+#
+# AUP_URL = "https://site.example.org/users/aup/"
+
+# Do we allow anonymous users to request accounts?
+#
+# default:  ALLOW_REGISTRATIONS = False
+#
+# ALLOW_REGISTRATIONS = True
+
+# Do we allow any logged in user to access all usage information?
+#
+# default: USAGE_IS_PUBLIC = True
+#
+# USAGE_IS_PUBLIC = False
+
+# Settings to restrict the valid list of email addresses we allow in
+# applications.  EMAIL_MATCH_TYPE can be "include" or "exclude".  If "include"
+# then the email address must match one of the RE entries in EMAIL_MATCH_LIST.
+# If "exclude" then then email address must not match of the the RE entries in
+# EMAIL_MATCH_LIST.
+#
+# default: allow any email address
+#
+# EMAIL_MATCH_TYPE="include"
+# EMAIL_MATCH_LIST=["@vpac.org$", "@v3.org.au$", "^tux@.*au$"]
+
+# List of Karaage plugins
+#
+# default: PLUGINS = []
+#
+PLUGINS = [
+     'karaage.plugins.kgapplications.plugin',
+     'karaage.plugins.kgsoftware.plugin',
+     'karaage.plugins.kgsoftware.applications.plugin',
+     'karaage.plugins.kgusage.plugin',
+ ]

roles/karaage3.1.17/templates/sqlsettings.sql.j2

+CREATE DATABASE IF NOT EXISTS karaage;
+DROP USER 'karaage'@'localhost';
+CREATE USER 'karaage'@'localhost' IDENTIFIED BY '{{ karaage_sql_password }}';
+GRANT ALL PRIVILEGES ON karaage.* TO 'karaage'@'localhost';

roles/karaage3.1.17/templates/ssl.conf.j2

+<IfModule mod_ssl.c>
+#
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+#
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/urandom 512
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/urandom 512
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#
+#   Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl    .crl
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+#   (The mechanism dbm has known memory leaks and should not be used).
+#SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
+SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+Mutex default
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate. See the
+#   ciphers(1) man page from the openssl package for list of all available
+#   options.
+#   Enable only secure ciphers:
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on
+
+# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
+SSLProtocol all -SSLv2 -SSLv3
+
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
+# Whether to forbid non-SNI clients to access name based virtual hosts.
+# Default: Off
+#SSLStrictSNIVHostCheck On
+
+</IfModule>

roles/karaage3.1.17/vars/main.yml

+---
+countryName: "AU"
+reginalName: "Victoria"
+cityName: "Melbourne"
+organizationName: "Monash University"
+emailAddress: "shahaan@gmail.com"
+organizationUnit: "defaultUnit"
+ldapDomain: "dc=monash,dc=edu,dc=au"
+ldapManager: "cn=Manager,dc=monash,dc=edu,dc=au"
+ldapBindDN: "cn=ldapuser,ou=users,dc=monash,dc=edu,dc=au"
+ldapUserBase: "ou=users,dc=monash,dc=edu,dc=au"
+ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
+ldapBase: "dc=monash,dc=edu,dc=au"
+ldapURI: "ldaps://{{ ansible_hostname }}"
+smtp_smarthost: "{{ ansible_hostname }}"