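---
# Provision and deploy c3lf-sys3 on every host in the `c3lf-nodes` group.
#
# Variables this play expects from inventory / group_vars (all referenced below):
#   web_domain, main_email, legacy_api_user, legacy_api_password, db_password,
#   git_repo, git_branch, django_password.
#
# Changes against the previous revision:
#   * `register: git_repo` shadowed the `git_repo` inventory variable that the
#     same task reads; the registered result is now `git_checkout`.
#   * key=value module args, yes/no/off booleans, unquoted octal modes and
#     `== true/false` comparisons rewritten in canonical YAML / Jinja form.
#   * credential-bearing files (.env, htpasswd) get explicit restrictive modes.
- name: 'deploy c3lf-sys3'
  hosts: 'c3lf-nodes'

  handlers:
    - name: restart nginx
      service:
        name: nginx
        state: restarted

    - name: restart postfix
      service:
        name: postfix
        state: restarted

    - name: restart rspamd
      service:
        name: rspamd
        state: restarted

    - name: restart mariadb
      service:
        name: mariadb
        state: restarted

    - name: restart c3lf-sys3
      service:
        name: c3lf-sys3
        state: restarted

  tasks:
    # ---------------------------------------------------------------- base OS
    - name: Update apt-get repo and cache
      apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600

    - name: Upgrade all apt packages
      apt:
        upgrade: dist
        force_apt_get: true

    - name: Ansible apt-get to install base tools
      apt:
        name:
          - htop
          - tcpdump
          - jq
          - curl
          - libsensors5
          - prometheus-node-exporter
          - openssh-server
        state: present
        force_apt_get: true

    - name: Remove useless packages from the cache
      apt:
        autoclean: true

    - name: Remove dependencies that are no longer required
      apt:
        autoremove: true

    # Debian drops this marker file when an installed package (typically the
    # kernel) needs a reboot to take effect.
    - name: Check if a reboot is needed for debian
      stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_required_file

    - name: Reboot the Debian or Ubuntu server
      reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists

    - name: Ansible apt-get to install sys3 requirements
      apt:
        name:
          - ufw
          - fail2ban
          - nginx
          - redis
          - python3
          - python3-pip
          - python3-venv
          - python3-passlib
          - certbot
          - python3-certbot-nginx
          - mariadb-server
          - python3-dev
          - python3-mysqldb
          - default-libmysqlclient-dev
          - build-essential
          - postfix
          - rspamd
          - git
          - pkg-config
          - npm
        state: present

    # ------------------------------------------------------ nginx + firewall
    - name: remove default nginx site (sites-enabled)
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: remove default nginx site (sites-available)
      file:
        path: /etc/nginx/sites-available/default
        state: absent

    # The SSH allow rule is the task that turns UFW on (`state: enabled`), so it
    # must come before any other rule — otherwise the control connection is
    # cut off by the default deny policy.
    - name: UFW allow SSH
      ufw:
        rule: allow
        port: '22'
        proto: tcp
        state: enabled

    - name: UFW logging off
      ufw:
        logging: 'off'  # quoted: a bare `off` is a YAML 1.1 boolean

    - name: Configure nginx
      template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/sites-available/c3lf-sys3.conf
      notify:
        - restart nginx

    - name: UFW allow http
      ufw:
        rule: allow
        port: '80'
        proto: tcp
        state: enabled

    - name: UFW allow https
      ufw:
        rule: allow
        port: '443'
        proto: tcp
        state: enabled

    # ------------------------------------------------------------- certbot
    - name: Check if initial certbot certificate is needed
      stat:
        path: /etc/letsencrypt/live/{{ web_domain }}/fullchain.pem
      register: certbot_cert_exists

    - name: Check nginx ssl config
      stat:
        path: /etc/letsencrypt/options-ssl-nginx.conf
      register: nginx_ssl_config_exists

    # First-run bootstrap only: certbot's standalone authenticator needs :80,
    # so nginx is stopped and the site link removed while the cert is issued.
    - name: Obtain initial certificate
      block:
        - name: stop nginx
          service:
            name: nginx
            state: stopped

        - name: disable c3lf-sys3 site
          file:
            path: /etc/nginx/sites-enabled/c3lf-sys3.conf
            state: absent

        - name: add certbot domain
          command: "certbot certonly --standalone -d {{web_domain}} --non-interactive --agree-tos --email {{main_email}}"

        - name: install letsencrypt ssl config
          command: "certbot install --nginx --non-interactive"

        - name: enable c3lf-sys3 site
          file:
            src: /etc/nginx/sites-available/c3lf-sys3.conf
            dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
            state: link

        - name: start nginx
          service:
            name: nginx
            state: started
      when: not certbot_cert_exists.stat.exists or not nginx_ssl_config_exists.stat.exists

    # NOTE(review): --no-self-upgrade is a certbot-auto era flag; confirm the
    # packaged certbot on the target release still accepts it.
    - name: Enable certbot auto renew
      cron:
        name: "certbot-auto renew"
        minute: "0"
        hour: "12"
        job: "certbot renew --quiet --no-self-upgrade --nginx --cert-name {{web_domain}}"
        state: present

    # Credential file for the legacy API: readable by root and the nginx
    # workers (www-data on Debian), not by other local users.
    - name: Configure basic auth
      htpasswd:
        path: /etc/nginx/conf.d/lf-prod.htpasswd
        name: "{{ legacy_api_user }}"
        password: "{{ legacy_api_password }}"
        state: present
        owner: root
        group: www-data
        mode: '0640'
      notify:
        - restart nginx

    - name: Enable nginx site
      file:
        src: /etc/nginx/sites-available/c3lf-sys3.conf
        dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
        state: link
      notify:
        - restart nginx

    - name: Initially start nginx
      service:
        name: nginx
        state: started
        enabled: true

    # ------------------------------------------------------------ database
    - name: create database
      mysql_db:
        name: c3lf_sys3
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock

    - name: create database user
      mysql_user:
        name: c3lf_sys3
        password: "{{ db_password }}"
        priv: "c3lf_sys3.*:ALL"
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock

    # --------------------------------------------------------- application
    - name: create web root
      file:
        path: /var/www
        state: directory
        owner: www-data
        group: www-data
        mode: '0755'

    - name: create application directory
      file:
        path: /var/www/c3lf-sys3
        state: directory
        owner: www-data
        group: www-data
        mode: '0755'

    # Everything under /var/www/c3lf-sys3 is owned and operated by www-data;
    # `su -s /bin/bash` is needed because www-data's login shell is nologin.
    - name: install python app
      become: true
      become_user: www-data
      become_method: su
      become_flags: '-s /bin/bash'
      block:
        # Registered as `git_checkout`, not `git_repo`: the latter is the
        # inventory variable holding the clone URL used right here.
        - name: create repo dir
          git:
            repo: "{{ git_repo }}"
            dest: /var/www/c3lf-sys3/repo
            version: "{{ git_branch }}"
            force: true
            recursive: true
            single_branch: true
          register: git_checkout
          notify:
            - restart c3lf-sys3

        - name: check if venv exists
          stat:
            path: /var/www/c3lf-sys3/venv/bin/python3
          register: venv_exists

        - name: create venv
          command: "python3 -m venv /var/www/c3lf-sys3/venv"
          when: not venv_exists.stat.exists

        - name: install requirements
          pip:
            requirements: /var/www/c3lf-sys3/repo/core/requirements.prod.txt
            virtualenv: /var/www/c3lf-sys3/venv
            state: present
          when: git_checkout.changed
          notify:
            - restart c3lf-sys3

        # The rendered .env is the app's settings/credential file; keep it
        # private to www-data. NOTE(review): this assumes the c3lf-sys3
        # service also runs as www-data — confirm in c3lf-sys3.service.j2.
        - name: configure django
          template:
            src: templates/django.env.j2
            dest: /var/www/c3lf-sys3/repo/core/.env
            mode: '0600'

        - name: migrate database
          shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py migrate"
          when: git_checkout.changed

        # `|| true` is deliberate: createsuperuser fails once the user exists.
        # no_log keeps the password passed via the environment out of logs.
        - name: create superuser
          shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py createsuperuser --noinput || true"
          when: git_checkout.changed
          environment:
            DJANGO_SUPERUSER_USERNAME: admin
            DJANGO_SUPERUSER_PASSWORD: "{{ django_password }}"
            DJANGO_SUPERUSER_EMAIL: "{{ main_email }}"
          no_log: true

        - name: collect static files
          shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py collectstatic --noinput"
          when: git_checkout.changed

        - name: js config
          template:
            src: templates/config.js.j2
            dest: /var/www/c3lf-sys3/repo/web/src/config.js

        - name: install build dependencies
          command:
            cmd: "npm install"
            chdir: /var/www/c3lf-sys3/repo/web
          when: git_checkout.changed

        - name: build frontend
          command:
            cmd: "npm run build"
            chdir: /var/www/c3lf-sys3/repo/web
          when: git_checkout.changed

    # ------------------------------------------------------------- service
    - name: add c3lf-sys3 service
      template:
        src: templates/c3lf-sys3.service.j2
        dest: /etc/systemd/system/c3lf-sys3.service
      notify:
        - restart c3lf-sys3

    - name: reload systemd
      systemd:
        daemon_reload: true

    - name: start c3lf-sys3 service
      service:
        name: c3lf-sys3
        state: started
        enabled: true

    # ---------------------------------------------------------------- mail
    - name: add postfix to www-data group
      user:
        name: postfix
        groups: www-data
        append: true
      notify:
        - restart postfix

    - name: add custom transport config
      lineinfile:
        path: /etc/postfix/master.cf
        line: "c3lf-sys3 unix - n n - - lmtp"
        state: present
        create: true
      notify:
        - restart postfix

    - name: configure postfix
      template:
        src: templates/postfix.cf.j2
        dest: /etc/postfix/main.cf
      notify:
        - restart postfix

    - name: configure rspamd dkim
      template:
        src: templates/rspamd-dkim.cf.j2
        dest: /etc/rspamd/local.d/dkim_signing.conf
      notify:
        - restart rspamd

    - name: configure rspamd
      copy:
        content: |
          write_servers = "localhost";
          read_servers = "localhost";
        dest: /etc/rspamd/local.d/redis.conf
      notify:
        - restart rspamd

    - name: UFW allow smtp
      ufw:
        rule: allow
        port: '25'
        proto: tcp
        state: enabled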