From bb63a8333a5664f696dfce135c8d18eba1a54783 Mon Sep 17 00:00:00 2001 From: Steve Smith Date: Wed, 22 May 2019 14:11:13 +1000 Subject: [PATCH 1/5] DCD-352: Start of Confluence config role. --- aws_confluence_dc_node.yml | 18 +++++ roles/confluence_config/.yamllint | 12 ++++ roles/confluence_config/defaults/atl.sh | 56 +++++++++++++++ roles/confluence_config/defaults/main.yml | 34 +++++++++ .../molecule/default/Dockerfile.j2 | 14 ++++ .../molecule/default/molecule.yml | 32 +++++++++ .../molecule/default/playbook.yml | 18 +++++ .../molecule/default/tests/test_default.py | 58 +++++++++++++++ roles/confluence_config/tasks/main.yml | 63 ++++++++++++++++ .../templates/seraph-config.xml.j2 | 71 +++++++++++++++++++ .../confluence_config/templates/server.xml.j2 | 67 +++++++++++++++++ 11 files changed, 443 insertions(+) create mode 100644 aws_confluence_dc_node.yml create mode 100644 roles/confluence_config/.yamllint create mode 100644 roles/confluence_config/defaults/atl.sh create mode 100644 roles/confluence_config/defaults/main.yml create mode 100644 roles/confluence_config/molecule/default/Dockerfile.j2 create mode 100644 roles/confluence_config/molecule/default/molecule.yml create mode 100644 roles/confluence_config/molecule/default/playbook.yml create mode 100644 roles/confluence_config/molecule/default/tests/test_default.py create mode 100644 roles/confluence_config/tasks/main.yml create mode 100644 roles/confluence_config/templates/seraph-config.xml.j2 create mode 100644 roles/confluence_config/templates/server.xml.j2 diff --git a/aws_confluence_dc_node.yml b/aws_confluence_dc_node.yml new file mode 100644 index 0000000..74b239b --- /dev/null +++ b/aws_confluence_dc_node.yml 
@@ -0,0 +1,18 @@
+---
+- hosts: aws_node_local
+ become: true
+
+ vars:
+ # See group_vars/aws_node_local.yml, which pull vars from the environment.
+ atl_product_family: "confluence"
+ atl_product_user: "confluence"
+ atl_product_edition: "confluence"
+
+ roles:
+ - role: linux_common
+ - role: aws_common
+ - role: aws_efs_config
+ - role: product_common
+ - role: product_install
+ - role: database_init
+ - role: confluence_config
diff --git a/roles/confluence_config/.yamllint b/roles/confluence_config/.yamllint
new file mode 100644
index 0000000..a87f8ff
--- /dev/null
+++ b/roles/confluence_config/.yamllint
@@ -0,0 +1,12 @@
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ line-length: disable
+ truthy: disable
+ trailing-spaces: false
diff --git a/roles/confluence_config/defaults/atl.sh b/roles/confluence_config/defaults/atl.sh
new file mode 100644
index 0000000..aeb571d
--- /dev/null
+++ b/roles/confluence_config/defaults/atl.sh
@@ -0,0 +1,56 @@
+ATL_APP_DATA_MOUNT_ENABLED=false
+ATL_AUTOLOGIN_COOKIE_AGE=
+ATL_AWS_STACK_NAME=Confluence
+ATL_CATALINA_OPTS=" "
+ATL_CONFLUENCE_DATA_CENTER=true
+ATL_CONFLUENCE_INSTALLER_DOWNLOAD_URL=
+ATL_CONFLUENCE_VERSION=6.13.2
+ATL_DB_ACQUIREINCREMENT=1
+ATL_DB_HOST=confluence.cvuoodawotyo.ap-southeast-2.rds.amazonaws.com
+ATL_DB_IDLETESTPERIOD=100
+ATL_DB_MAXSTATEMENTS=0
+ATL_DB_NAME=confluence
+ATL_DB_PASSWORD=base1name
+ATL_DB_POOLMAXSIZE=60
+ATL_DB_POOLMINSIZE=20
+ATL_DB_PORT=5432
+ATL_DB_PREFERREDTESTQUERY="select version();"
+ATL_DB_TIMEOUT=30
+ATL_DB_VALIDATE=false
+ATL_ENABLED_PRODUCTS=Confluence
+ATL_ENABLED_SHARED_HOMES=
+ATL_ENVIRONMENT=prod
+ATL_HAZELCAST_NETWORK_AWS_HOST_HEADER=ec2.amazonaws.com
+ATL_HAZELCAST_NETWORK_AWS_IAM_REGION=ap-southeast-2
+ATL_HAZELCAST_NETWORK_AWS_IAM_ROLE=Confluence-ConfluenceClusterNodeRole-ZFINZTEGMH6G
+ATL_HAZELCAST_NETWORK_AWS_TAG_KEY=Cluster
+ATL_HAZELCAST_NETWORK_AWS_TAG_VALUE=Confluence
+ATL_HOSTEDZONE=
+ATL_JDBC_DRIVER=org.postgresql.Driver
+ATL_JDBC_PASSWORD=base1name
+ATL_JDBC_URL=jdbc:postgresql://confluence.cvuoodawotyo.ap-southeast-2.rds.amazonaws.com:5432/confluence
+ATL_JDBC_USER=atlconfluence
+ATL_JVM_HEAP=2048m
+ATL_LOCALANSIBLE_REPO=
+ATL_LOCALANSIBLE_SSHKEYNAME=
+ATL_NGINX_ENABLED=false
+ATL_POSTGRES_ENABLED=false
+ATL_PROXY_NAME=ssmith-conf-old.deplops.com
+ATL_RELEASE_S3_BUCKET=atlassian-software
+ATL_RELEASE_S3_PATH=releases/confluence
+ATL_SSL_PROXY=true
+ATL_SSL_SELF_CERT_ENABLED=false
+ATL_STARTCOLLECTD=false
+ATL_SYNCHRONY_SERVICE_URL=https://ssmith-conf-old.deplops.com/synchrony/v1
+ATL_TOMCAT_ACCEPTCOUNT=10
+ATL_TOMCAT_CONNECTIONTIMEOUT=20000
+ATL_TOMCAT_CONTEXTPATH=
+ATL_TOMCAT_DEFAULTCONNECTORPORT=8080
+ATL_TOMCAT_ENABLELOOKUPS=false
+ATL_TOMCAT_MAXTHREADS=48
+ATL_TOMCAT_MINSPARETHREADS=10
+ATL_TOMCAT_PROTOCOL=HTTP/1.1
+ATL_TOMCAT_PROXYPORT=443
+ATL_TOMCAT_REDIRECTPORT=8443
+ATL_TOMCAT_SCHEME=https
+ATL_TOMCAT_SECURE=true
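Review bot: `roles/confluence_config/defaults/atl.sh` reads as a dump of a running node's environment rather than role defaults: it holds `ATL_DB_PASSWORD` and `ATL_JDBC_PASSWORD` in clear text beside an RDS endpoint, an IAM role name and `ATL_ENVIRONMENT=prod`. PATCH 3/5 deletes the file, but a follow-up delete leaves every value readable in the repository history, so the file should be dropped from this commit itself (squash 1/5 and 3/5) before the series lands. If these values were ever live, the database credential should be treated as exposed and rotated regardless of the squash. A secret-scanning pre-commit hook on the repository would stop the next accidental import.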
diff --git a/roles/confluence_config/defaults/main.yml b/roles/confluence_config/defaults/main.yml
new file mode 100644
index 0000000..7c812f1
--- /dev/null
+++ b/roles/confluence_config/defaults/main.yml
@@ -0,0 +1,34 @@
+---
+
+atl_jvm_heap: "2048m"
+
+atl_catalina_opts: ""
+atl_catalina_opts_extra: >-
+ -Datlassian.event.thread_pool_configuration.queue_size=4096
+ -Datlassian.plugins.enable.wait=300
+ -Dconfluence.upgrade.recovery.file.enabled=false
+ -Dfile.encoding=UTF-8
+ -Djava.net.preferIPv4Stack=true
+ -Dshare.group.email.mapping=atlassian-all:atlassian-all@atlassian.com,atlassian-staff:atlassian-staff@atlassian.com
+ -XX:+PrintAdaptiveSizePolicy
+ -XX:+PrintGCDetails
+ -XX:+PrintTenuringDistribution
+ -Dsynchrony.proxy.enabled=false
+ -Dsynchrony.service.url=${ATL_SYNCHRONY_SERVICE_URL}
+ -Dconfluence.cluster.node.name=${_ATL_PRIVATE_IPV4}
+ -Dconfluence.cluster.hazelcast.max.no.heartbeat.seconds=60
+
+atl_tomcat_port: "8080"
+atl_tomcat_mgmt_port: "8005"
+atl_tomcat_acceptcount: "10"
+atl_tomcat_connectiontimeout: "20000"
+atl_tomcat_contextpath: ""
+atl_tomcat_maxthreads: "200"
+atl_tomcat_minsparethreads: "10"
+atl_tomcat_protocol: "HTTP/1.1"
+atl_tomcat_redirectport: ""
+atl_tomcat_scheme: "http"
+atl_tomcat_secure: "false"
+
+atl_autologin_cookie_age: "{{ lookup('env', 'ATL_AUTOLOGIN_COOKIE_AGE') }}"
+atl_synchrony_service_url: "{{ lookup('env', 'ATL_SYNCHRONY_SERVICE_URL') }}"
diff --git a/roles/confluence_config/molecule/default/Dockerfile.j2 b/roles/confluence_config/molecule/default/Dockerfile.j2
new file mode 100644
index 0000000..e6aa95d
--- /dev/null
+++ b/roles/confluence_config/molecule/default/Dockerfile.j2
@@ -0,0 +1,14 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/roles/confluence_config/molecule/default/molecule.yml b/roles/confluence_config/molecule/default/molecule.yml new file mode 100644 index 0000000..33c377c --- /dev/null +++ b/roles/confluence_config/molecule/default/molecule.yml @@ -0,0 +1,32 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: amazon_linux2 + image: amazonlinux:2 + groups: + - aws_node_local + - name: ubuntu_lts + image: ubuntu:bionic + groups: + - aws_node_local +provisioner: + name: ansible + options: + skip-tags: runtime_pkg + lint: + name: ansible-lint + options: + x: ["701"] + inventory: + links: + group_vars: ../../../../group_vars/ +verifier: + name: testinfra + lint: + name: flake8 + enabled: false diff --git a/roles/confluence_config/molecule/default/playbook.yml b/roles/confluence_config/molecule/default/playbook.yml new file mode 100644 index 0000000..68f6c4b --- /dev/null +++ b/roles/confluence_config/molecule/default/playbook.yml 
@@ -0,0 +1,18 @@ +--- +- name: Converge + hosts: all + vars: + atl_product_family: "confluence" + atl_product_edition: "confluence" + atl_product_user: "confluence" + atl_product_version: "latest" + atl_jdbc_user: 'confluence' + atl_jvm_heap: 'PLACEHOLDER' + atl_cluster_node_id: 'FAKEID' + atl_autologin_cookie_age: "COOKIEAGE" + + roles: + - role: linux_common + - role: product_common + - role: product_install + - role: confluence_config diff --git a/roles/confluence_config/molecule/default/tests/test_default.py b/roles/confluence_config/molecule/default/tests/test_default.py new file mode 100644 index 0000000..9a939d0 --- /dev/null +++ b/roles/confluence_config/molecule/default/tests/test_default.py @@ -0,0 +1,58 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + +def test_seraph_file(host): + f = host.file('/opt/atlassian/confluence/current/confluence/WEB-INF/classes/seraph-config.xml') + assert f.exists + assert f.contains('COOKIEAGE') + +def test_setenv_file(host): + f = host.file('/opt/atlassian/confluence/current/bin/setenv.sh') + assert f.exists + assert f.contains('-XmsPLACEHOLDER') + assert f.contains('-XmxPLACEHOLDER') + +def test_server_file(host): + f = host.file('/opt/atlassian/confluence/current/conf/server.xml') + assert f.exists + assert f.contains('Connector port="8080"') + assert f.contains('Server port="8005"') + assert f.contains('org.postgresql.Driver") +# assert f.contains("atljira") +# assert f.contains("20") + + +# def test_cluster_file(host): +# f = host.file('/var/atlassian/application-data/jira/cluster.properties') +# assert f.exists +# assert f.contains('jira.node.id = FAKEID') +# assert f.contains('jira.shared.home = /media/atl/jira/shared') diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml new file mode 100644 index 0000000..c680c37 --- /dev/null 
+++ b/roles/confluence_config/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+
+- name: Configure login properties
+ template:
+ src: seraph-config.xml.j2
+ dest: "{{ atl_product_installation_versioned }}/confluence/WEB-INF/classes/seraph-config.xml"
+
+- name: Override JVM memory settings.
+ replace:
+ path: "{{ atl_product_installation_versioned }}/bin/setenv.sh"
+ regexp: "-{{ item }}\\d+m "
+ replace: "-{{ item }}{{ atl_jvm_heap }} "
+ with_items:
+ - 'Xmx'
+ - 'Xms'
+
+- name: Create server config
+ template:
+ src: server.xml.j2
+ dest: "{{ atl_product_installation_versioned }}/conf/server.xml"
+
+
+
+- name: Create application directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: 0750
+ owner: "{{ atl_product_user }}"
+ group: "{{ atl_product_user }}"
+ with_items:
+ - "{{ atl_product_home }}"
+ - "{{ atl_product_home_shared }}"
+ - "{{ atl_product_shared_plugins }}"
+ changed_when: false # For Molecule idempotence check
+
+
+- name: Limit permissions on the installation directory
+ file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ with_items:
+ - "{{ atl_installer_temp }}"
+ - "{{ atl_product_installation_versioned }}"
+ - "{{ atl_product_version_cache_dir }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Grant access to the product working directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: "u=rwX,g=rX,o-rwx"
+ owner: "{{ atl_product_user }}"
+ group: "{{ atl_product_user }}"
+ recurse: true
+ with_items:
+ - "{{ atl_product_installation_versioned }}/logs"
+ - "{{ atl_product_installation_versioned }}/temp"
+ - "{{ atl_product_installation_versioned }}/work"
+ changed_when: false # For Molecule idempotence check
diff --git a/roles/confluence_config/templates/seraph-config.xml.j2 b/roles/confluence_config/templates/seraph-config.xml.j2
new file mode 100644
index 0000000..8c91e87
--- /dev/null
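Review bot: The "Limit permissions on the installation directory" task in roles/confluence_config/tasks/main.yml loops over three directories but its `path` is fixed to `{{ atl_product_installation_versioned }}`, so `atl_installer_temp` and `atl_product_version_cache_dir` never receive root ownership or the `u=rwX,g=rX,o=rX` mode. The same recursive pass over the install tree also runs three times. The line should read `path: "{{ item }}"`, as the two neighbouring `file` tasks already do. Because the task carries `changed_when: false`, the Molecule idempotence check will not surface the difference, so a testinfra assertion on the ownership of the two skipped directories would be worth adding alongside the fix.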
+++ b/roles/confluence_config/templates/seraph-config.xml.j2 @@ -0,0 +1,71 @@ + + + + login.url + /login.action?os_destination=${originalurl}&permissionViolation=true + + + link.login.url + /login.action + + + cookie.encoding + cNf + + + login.cookie.key + seraph.confluence + + + {% if atl_autologin_cookie_age is defined and atl_autologin_cookie_age|length %} + + autologin.cookie.age + {{ atl_autologin_cookie_age }} + + {% endif %} + + + + authentication.type + os_authType + + + + + invalidate.session.on.login + true + + + + invalidate.session.exclude.list + + + + + + + + + + + + + + + + + + + + + + config.file + seraph-paths.xml + + + + + + + diff --git a/roles/confluence_config/templates/server.xml.j2 b/roles/confluence_config/templates/server.xml.j2 new file mode 100644 index 0000000..664bc83 --- /dev/null +++ b/roles/confluence_config/templates/server.xml.j2 @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 1d68e80cf4f59227f5d2a439c793db1aee428418 Mon Sep 17 00:00:00 2001 From: Steve Smith Date: Mon, 27 May 2019 11:41:31 +1000 Subject: [PATCH 2/5] DCD-352: Port server.xml changes from Jira fixes. --- roles/confluence_config/templates/server.xml.j2 | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/confluence_config/templates/server.xml.j2 b/roles/confluence_config/templates/server.xml.j2 index 664bc83..9e55982 100644 --- a/roles/confluence_config/templates/server.xml.j2 +++ b/roles/confluence_config/templates/server.xml.j2 @@ -36,6 +36,20 @@ useBodyEncodingForURI="true" disableUploadTimeout="true" /> + {% if atl_tomcat_redirectport is defined and atl_tomcat_redirectport != '' %} + + {% endif %} + Date: Mon, 27 May 2019 11:51:04 +1000 Subject: [PATCH 3/5] DCD-352: Remove accidentally imported file. --- roles/confluence_config/defaults/atl.sh | 56 ------------------------- 1 file changed, 56 deletions(-) delete mode 100644 roles/confluence_config/defaults/atl.sh 
diff --git a/roles/confluence_config/defaults/atl.sh b/roles/confluence_config/defaults/atl.sh
deleted file mode 100644
index aeb571d..0000000
--- a/roles/confluence_config/defaults/atl.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-ATL_APP_DATA_MOUNT_ENABLED=false
-ATL_AUTOLOGIN_COOKIE_AGE=
-ATL_AWS_STACK_NAME=Confluence
-ATL_CATALINA_OPTS=" "
-ATL_CONFLUENCE_DATA_CENTER=true
-ATL_CONFLUENCE_INSTALLER_DOWNLOAD_URL=
-ATL_CONFLUENCE_VERSION=6.13.2
-ATL_DB_ACQUIREINCREMENT=1
-ATL_DB_HOST=confluence.cvuoodawotyo.ap-southeast-2.rds.amazonaws.com
-ATL_DB_IDLETESTPERIOD=100
-ATL_DB_MAXSTATEMENTS=0
-ATL_DB_NAME=confluence
-ATL_DB_PASSWORD=base1name
-ATL_DB_POOLMAXSIZE=60
-ATL_DB_POOLMINSIZE=20
-ATL_DB_PORT=5432
-ATL_DB_PREFERREDTESTQUERY="select version();"
-ATL_DB_TIMEOUT=30
-ATL_DB_VALIDATE=false
-ATL_ENABLED_PRODUCTS=Confluence
-ATL_ENABLED_SHARED_HOMES=
-ATL_ENVIRONMENT=prod
-ATL_HAZELCAST_NETWORK_AWS_HOST_HEADER=ec2.amazonaws.com
-ATL_HAZELCAST_NETWORK_AWS_IAM_REGION=ap-southeast-2
-ATL_HAZELCAST_NETWORK_AWS_IAM_ROLE=Confluence-ConfluenceClusterNodeRole-ZFINZTEGMH6G
-ATL_HAZELCAST_NETWORK_AWS_TAG_KEY=Cluster
-ATL_HAZELCAST_NETWORK_AWS_TAG_VALUE=Confluence
-ATL_HOSTEDZONE=
-ATL_JDBC_DRIVER=org.postgresql.Driver
-ATL_JDBC_PASSWORD=base1name
-ATL_JDBC_URL=jdbc:postgresql://confluence.cvuoodawotyo.ap-southeast-2.rds.amazonaws.com:5432/confluence
-ATL_JDBC_USER=atlconfluence
-ATL_JVM_HEAP=2048m
-ATL_LOCALANSIBLE_REPO=
-ATL_LOCALANSIBLE_SSHKEYNAME=
-ATL_NGINX_ENABLED=false
-ATL_POSTGRES_ENABLED=false
-ATL_PROXY_NAME=ssmith-conf-old.deplops.com
-ATL_RELEASE_S3_BUCKET=atlassian-software
-ATL_RELEASE_S3_PATH=releases/confluence
-ATL_SSL_PROXY=true
-ATL_SSL_SELF_CERT_ENABLED=false
-ATL_STARTCOLLECTD=false
-ATL_SYNCHRONY_SERVICE_URL=https://ssmith-conf-old.deplops.com/synchrony/v1
-ATL_TOMCAT_ACCEPTCOUNT=10
-ATL_TOMCAT_CONNECTIONTIMEOUT=20000
-ATL_TOMCAT_CONTEXTPATH=
-ATL_TOMCAT_DEFAULTCONNECTORPORT=8080
-ATL_TOMCAT_ENABLELOOKUPS=false
-ATL_TOMCAT_MAXTHREADS=48
-ATL_TOMCAT_MINSPARETHREADS=10
-ATL_TOMCAT_PROTOCOL=HTTP/1.1
-ATL_TOMCAT_PROXYPORT=443
-ATL_TOMCAT_REDIRECTPORT=8443
-ATL_TOMCAT_SCHEME=https
-ATL_TOMCAT_SECURE=true
From 697051c9be4423af53491c3faeb146667bbebb25 Mon Sep 17 00:00:00 2001 From: Steve Smith Date: Mon, 27 May 2019 12:39:50 +1000 Subject: [PATCH 4/5] DCD-352: Make the name of the shared home dir configurable by product. --- group_vars/aws_node_local.yml | 6 +++++- .../molecule/default/tests/test_default.py | 11 +++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/group_vars/aws_node_local.yml b/group_vars/aws_node_local.yml index a69c57c..26930eb 100644 --- a/group_vars/aws_node_local.yml +++ b/group_vars/aws_node_local.yml @@ -17,7 +17,11 @@ atl_shared_mountpoint: "/media/atl" # FIXME: Some of these should be overridden from the environment? atl_home_base: "/var/atlassian/application-data" atl_product_home: "{{ atl_home_base }}/{{ atl_product_family }}" -atl_product_home_shared: "{{ atl_shared_mountpoint }}/{{ atl_product_family }}/shared" +atl_product_shared_home_map: + confluence: "shared-home" + jira: "shared" + stash: "FIXME" +atl_product_home_shared: "{{ atl_shared_mountpoint }}/{{ atl_product_family }}/{{ atl_product_shared_home_map[atl_product_family] }}" atl_product_shared_plugins: "{{ atl_product_home_shared }}/plugins/installed-plugins" atl_installation_base: "/opt/atlassian" diff --git a/roles/confluence_config/molecule/default/tests/test_default.py b/roles/confluence_config/molecule/default/tests/test_default.py index 9a939d0..f6dfb2f 100644 --- a/roles/confluence_config/molecule/default/tests/test_default.py +++ b/roles/confluence_config/molecule/default/tests/test_default.py @@ -1,4 +1,5 @@ import os +import pytest import testinfra.utils.ansible_runner 
@@ -42,6 +43,16 @@ def test_install_permissions(host): assert host.file('/opt/atlassian/confluence/current/work/').user == 'confluence' assert host.file('/opt/atlassian/confluence/current/temp/').user == 'confluence' +@pytest.mark.parametrize('directory', [ + '/var/atlassian/application-data/confluence/', + '/media/atl/confluence/shared-home/' +]) +def test_home_directories(host, directory): + d = host.file(directory) + assert d.exists + assert d.user == 'confluence' + + # def test_dbconfig_file(host): # f = host.file('/var/atlassian/application-data/jira/dbconfig.xml') # assert f.exists From 8bcae6751d067b7cb4983a3221220d198bb10bb2 Mon Sep 17 00:00:00 2001 From: Steve Smith Date: Mon, 27 May 2019 14:11:06 +1000 Subject: [PATCH 5/5] DCD-352: Add the confluence config file and more environment settings. --- group_vars/aws_node_local.yml | 3 +- roles/confluence_config/defaults/main.yml | 23 ++++++-- .../molecule/default/playbook.yml | 2 + .../molecule/default/tests/test_default.py | 22 +++----- roles/confluence_config/tasks/main.yml | 55 ++++++++++++------- .../templates/confluence.cfg.xml.j2 | 42 ++++++++++++++ 6 files changed, 105 insertions(+), 42 deletions(-) create mode 100644 roles/confluence_config/templates/confluence.cfg.xml.j2 diff --git a/group_vars/aws_node_local.yml b/group_vars/aws_node_local.yml index 26930eb..dfbfa74 100644 --- a/group_vars/aws_node_local.yml +++ b/group_vars/aws_node_local.yml @@ -20,7 +20,7 @@ atl_product_home: "{{ atl_home_base }}/{{ atl_product_family }}" atl_product_shared_home_map: confluence: "shared-home" jira: "shared" - stash: "FIXME" + stash: "shared" atl_product_home_shared: "{{ atl_shared_mountpoint }}/{{ atl_product_family }}/{{ atl_product_shared_home_map[atl_product_family] }}" atl_product_shared_plugins: "{{ atl_product_home_shared }}/plugins/installed-plugins" 
@@ -37,6 +37,7 @@ atl_installer_temp: "{{ atl_installation_base }}/tmp" atl_product_version: "{{ lookup('env', 'ATL_PRODUCT_VERSION') | lower }}" atl_efs_id: "{{ lookup('env', 'ATL_EFS_ID') }}" +atl_aws_stack_name: "{{ lookup('env', 'ATL_AWS_STACK_NAME') }}" atl_db_host: "{{ lookup('env', 'ATL_DB_HOST') }}" atl_db_port: "{{ lookup('env', 'ATL_DB_PORT') or '5432' }}" diff --git a/roles/confluence_config/defaults/main.yml b/roles/confluence_config/defaults/main.yml index 7c812f1..db918a0 100644 --- a/roles/confluence_config/defaults/main.yml +++ b/roles/confluence_config/defaults/main.yml @@ -2,6 +2,22 @@ atl_jvm_heap: "2048m" +atl_db_timeout: "{{ lookup('env', 'ATL_DB_TIMEOUT') or '30' }}" +atl_db_idletestperiod: "{{ lookup('env', 'ATL_DB_IDLETESTPERIOD') or '100' }}" +atl_db_maxstatements: "{{ lookup('env', 'ATL_DB_MAXSTATEMENTS') or '0' }}" +atl_db_validate: "{{ lookup('env', 'ATL_ATL_DB_VALIDATE') or 'false' }}" +atl_db_acquireincrement: "{{ lookup('env', 'ATL_DB_ACQUIREINCREMENT') or '1' }}" + +atl_hazelcast_network_aws_tag_key: "Cluster" +atl_hazelcast_network_aws_host_header: "ec2.amazonaws.com" +atl_hazelcast_network_aws_iam_region: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_IAM_REGION') }}" +atl_hazelcast_network_aws_iam_role: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_IAM_ROLE') }}" +atl_hazelcast_network_aws_tag_value: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_TAG_VALUE') }}" + +atl_autologin_cookie_age: "{{ lookup('env', 'ATL_AUTOLOGIN_COOKIE_AGE') }}" +atl_synchrony_service_url: "{{ lookup('env', 'ATL_SYNCHRONY_SERVICE_URL') }}" + + atl_catalina_opts: "" atl_catalina_opts_extra: >- -Datlassian.event.thread_pool_configuration.queue_size=4096 
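Review bot: In roles/confluence_config/defaults/main.yml, `atl_db_validate` reads `lookup('env', 'ATL_ATL_DB_VALIDATE')` with the `ATL_` prefix doubled, while every sibling lookup in the same hunk uses a single prefix (`ATL_DB_TIMEOUT`, `ATL_DB_IDLETESTPERIOD`, `ATL_DB_MAXSTATEMENTS`, `ATL_DB_ACQUIREINCREMENT`). As written, a value exported as `ATL_DB_VALIDATE` is never seen and the setting always falls back to `'false'`. The line should be `atl_db_validate: "{{ lookup('env', 'ATL_DB_VALIDATE') or 'false' }}"`. The three Hazelcast lookups for IAM region, IAM role and tag value have no fallback at all, so an unset variable renders an empty value into the cluster configuration; an early `assert` on those in the role would fail the play instead of producing a node that cannot discover its peers.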
@@ -14,8 +30,8 @@ atl_catalina_opts_extra: >- -XX:+PrintGCDetails -XX:+PrintTenuringDistribution -Dsynchrony.proxy.enabled=false - -Dsynchrony.service.url=${ATL_SYNCHRONY_SERVICE_URL} - -Dconfluence.cluster.node.name=${_ATL_PRIVATE_IPV4} + -Dsynchrony.service.url={{ atl_synchrony_service_url }} + -Dconfluence.cluster.node.name={{ ansible_ec2_local_ipv4 | default(ansible_default_ipv4.address) }} -Dconfluence.cluster.hazelcast.max.no.heartbeat.seconds=60 atl_tomcat_port: "8080" @@ -29,6 +45,3 @@ atl_tomcat_protocol: "HTTP/1.1" atl_tomcat_redirectport: "" atl_tomcat_scheme: "http" atl_tomcat_secure: "false" - -atl_autologin_cookie_age: "{{ lookup('env', 'ATL_AUTOLOGIN_COOKIE_AGE') }}" -atl_synchrony_service_url: "{{ lookup('env', 'ATL_SYNCHRONY_SERVICE_URL') }}" diff --git a/roles/confluence_config/molecule/default/playbook.yml b/roles/confluence_config/molecule/default/playbook.yml index 68f6c4b..1be669d 100644 --- a/roles/confluence_config/molecule/default/playbook.yml +++ b/roles/confluence_config/molecule/default/playbook.yml @@ -10,6 +10,8 @@ atl_jvm_heap: 'PLACEHOLDER' atl_cluster_node_id: 'FAKEID' atl_autologin_cookie_age: "COOKIEAGE" + ansible_ec2_local_ipv4: "1.1.1.1" + ansible_default_ipv4: "2.2.2.2" roles: - role: linux_common diff --git a/roles/confluence_config/molecule/default/tests/test_default.py b/roles/confluence_config/molecule/default/tests/test_default.py index f6dfb2f..90e9293 100644 --- a/roles/confluence_config/molecule/default/tests/test_default.py +++ b/roles/confluence_config/molecule/default/tests/test_default.py @@ -16,6 +16,7 @@ def test_setenv_file(host): assert f.exists assert f.contains('-XmsPLACEHOLDER') assert f.contains('-XmxPLACEHOLDER') + assert f.contains('-Dconfluence.cluster.node.name=1.1.1.1') def test_server_file(host): f = host.file('/opt/atlassian/confluence/current/conf/server.xml') 
@@ -52,18 +53,9 @@ def test_home_directories(host, directory): assert d.exists assert d.user == 'confluence' - -# def test_dbconfig_file(host): -# f = host.file('/var/atlassian/application-data/jira/dbconfig.xml') -# assert f.exists -# assert f.user == 'jira' -# assert f.contains("org.postgresql.Driver") -# assert f.contains("atljira") -# assert f.contains("20") - - -# def test_cluster_file(host): -# f = host.file('/var/atlassian/application-data/jira/cluster.properties') -# assert f.exists -# assert f.contains('jira.node.id = FAKEID') -# assert f.contains('jira.shared.home = /media/atl/jira/shared') +def test_confluence_config_file(host): + f = host.file('/var/atlassian/application-data/confluence/confluence.cfg.xml') + assert f.exists + assert f.user == 'confluence' + assert f.contains('/media/atl/confluence/shared-home') + assert f.contains('org.postgresql.Driver') diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml index c680c37..2be0221 100644 --- a/roles/confluence_config/tasks/main.yml +++ b/roles/confluence_config/tasks/main.yml @@ -1,26 +1,5 @@ --- -- name: Configure login properties - template: - src: seraph-config.xml.j2 - dest: "{{ atl_product_installation_versioned }}/confluence/WEB-INF/classes/seraph-config.xml" - -- name: Override JVM memory settings. - replace: - path: "{{ atl_product_installation_versioned }}/bin/setenv.sh" - regexp: "-{{ item }}\\d+m " - replace: "-{{ item }}{{ atl_jvm_heap }} " - with_items: - - 'Xmx' - - 'Xms' - -- name: Create server config - template: - src: server.xml.j2 - dest: "{{ atl_product_installation_versioned }}/conf/server.xml" - - - - name: Create application directories file: path: "{{ item }}" 
@@ -35,6 +14,40 @@ changed_when: false # For Molecule idempotence check +- name: Create Tomcat server config + template: + src: server.xml.j2 + dest: "{{ atl_product_installation_versioned }}/conf/server.xml" + +- name: Override JVM memory settings. + replace: + path: "{{ atl_product_installation_versioned }}/bin/setenv.sh" + regexp: "-{{ item }}\\d+m " + replace: "-{{ item }}{{ atl_jvm_heap }} " + with_items: + - 'Xmx' + - 'Xms' + +- name: Set the Tomcat environment + lineinfile: + path: "{{ atl_product_installation_versioned }}/bin/setenv.sh" + insertafter: "EOF" + line: 'export CATALINA_OPTS="${CATALINA_OPTS} {{ atl_catalina_opts }} {{ atl_catalina_opts_extra }}"' + + +- name: Configure login properties + template: + src: seraph-config.xml.j2 + dest: "{{ atl_product_installation_versioned }}/confluence/WEB-INF/classes/seraph-config.xml" + +- name: Create Confluence configuration + template: + src: confluence.cfg.xml.j2 + dest: "{{ atl_product_home }}/confluence.cfg.xml" + owner: "{{ atl_product_user }}" + group: "{{ atl_product_user }}" + + - name: Limit permissions on the installation directory file: path: "{{ atl_product_installation_versioned }}" diff --git a/roles/confluence_config/templates/confluence.cfg.xml.j2 b/roles/confluence_config/templates/confluence.cfg.xml.j2 new file mode 100644 index 0000000..4b5368c --- /dev/null +++ b/roles/confluence_config/templates/confluence.cfg.xml.j2 
@@ -0,0 +1,42 @@ + + + + + setupstart + custom + 0 + + + postgresql + database-type-standard + com.atlassian.confluence.impl.hibernate.dialect.PostgreSQLDialect + ${localHome}/temp + ${confluenceHome}/attachments + + {{ atl_db_driver }} + {{ atl_jdbc_url }} + {{ atl_jdbc_user }} + {{ atl_jdbc_password }} + {{ atl_db_poolminsize }} + {{ atl_db_poolmaxsize }} + {{ atl_db_timeout }} + {{ atl_db_idletestperiod }} + {{ atl_db_maxstatements }} + {{ atl_db_validate }} + {{ atl_db_acquireincrement }} + select version(); + + {{ atl_product_home_shared }} + true + {{ atl_product_home_shared }} + {{ atl_hazelcast_network_aws_iam_role }} + {{ atl_hazelcast_network_aws_iam_region }} + {{ atl_hazelcast_network_aws_host_header }} + {{ atl_hazelcast_network_aws_tag_key }} + {{ atl_hazelcast_network_aws_tag_value }} + aws + {{ atl_aws_stack_name }} + 1 + + +
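Review bot: The database and cluster values in confluence.cfg.xml.j2 (`{{ atl_jdbc_url }}`, `{{ atl_jdbc_user }}`, `{{ atl_jdbc_password }}` and the Hazelcast settings) are substituted into the XML without escaping. Ansible templates do not auto-escape, so a password or JDBC URL containing `&`, `<` or `>` yields a malformed file or alters its structure, and these values come straight from the environment. Piping each through Jinja2's `escape` filter, for example `{{ atl_jdbc_password | escape }}`, avoids that. The element markup of this template is not visible in this view of the patch, so which property each value lands in is inferred from the variable names.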