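---
# Provisions the c3lf-sys3 stack on every host in the c3lf-nodes group: base
# packages, nginx with a Let's Encrypt certificate, MariaDB, the Django/npm
# application, postfix and rspamd.
# NOTE(review): no play-level `become` is set; the apt/ufw/service tasks need
# root, so this is presumably run as root or with `-b` — confirm how it is
# invoked.
- name: 'deploy c3lf-sys3'
  hosts: 'c3lf-nodes'

  # Handlers run at the end of the play, and only when a task with a matching
  # `notify` reported a change.
  handlers:
    - name: restart nginx
      service:
        name: nginx
        state: restarted

    - name: restart postfix
      service:
        name: postfix
        state: restarted

    - name: restart rspamd
      service:
        name: rspamd
        state: restarted

    # Not notified by any task in this play; kept for tasks that may be added.
    - name: restart mariadb
      service:
        name: mariadb
        state: restarted

    # Restarts the unit rendered from templates/c3lf-sys3.service.j2.
    - name: restart c3lf-sys3
      service:
        name: c3lf-sys3
        state: restarted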

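  tasks:
    # Refresh the package index only when the cached copy is older than an
    # hour, so repeated runs stay cheap. Module arguments use native YAML
    # rather than `key=value` strings so they are linted and quoted like the
    # rest of the play.
    - name: Update apt-get repo and cache
      apt:
        update_cache: true
        cache_valid_time: 3600
        force_apt_get: true

    # Applies every pending upgrade on each run; the reboot task below handles
    # the case where one of them needs a restart.
    - name: Upgrade all apt packages
      apt:
        upgrade: dist
        force_apt_get: true

    - name: Ansible apt-get to install base tools
      apt:
        name:
          - htop
          - tcpdump
          - jq
          - curl
          - libsensors5
          - prometheus-node-exporter
          - openssh-server
        state: present
        force_apt_get: true

    - name: Remove useless packages from the cache
      apt:
        autoclean: true

    - name: Remove dependencies that are no longer required
      apt:
        autoremove: true

    # The reboot task keys off this flag file; no checksum is needed, only
    # its existence.
    - name: Check if a reboot is needed for debian
      stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_required_file

    - name: Reboot the Debian or Ubuntu server
      reboot:
        msg: "Reboot initiated by Ansible due to kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists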

    # Runtime and build dependencies for the sys3 stack; the groups below
    # follow the order in which the rest of the play uses them.
    - name: Ansible apt-get to install sys3 requirements
      apt:
        state: present
        name:
          # firewall and login protection
          - ufw
          - fail2ban
          # web server and cache
          - nginx
          - redis
          # python runtime; python3-passlib is needed on the target by the
          # htpasswd task further down
          - python3
          - python3-pip
          - python3-venv
          - python3-passlib
          # TLS issuance
          - certbot
          - python3-certbot-nginx
          # database server and the client libs the app builds against
          - mariadb-server
          - python3-dev
          - python3-mysqldb
          - default-libmysqlclient-dev
          - build-essential
          # mail
          - postfix
          - rspamd
          # source checkout and frontend build
          - git
          - pkg-config
          - npm

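    # Drop the packaged default vhost from both directories so only the
    # c3lf-sys3 site rendered below answers on this host. One task with a loop
    # replaces two tasks that shared the same name.
    - name: remove default nginx site
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/nginx/sites-enabled/default
        - /etc/nginx/sites-available/default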

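    # Allow SSH in the same task that enables ufw (whose default incoming
    # policy is deny), so enabling the firewall cannot cut off the Ansible
    # connection. `port` is a string option, hence the quotes.
    - name: UFW allow SSH
      ufw:
        rule: allow
        port: '22'
        proto: tcp
        state: enabled

    # `logging` is a string option; an unquoted `off` is read as a YAML
    # boolean, so it is quoted here.
    # NOTE(review): with logging off there is no record of blocked
    # connections for incident review — `'low'` keeps that trail at modest
    # syslog volume.
    - name: UFW logging off
      ufw:
        logging: 'off'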

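    # Render the site config into sites-available; it is linked into
    # sites-enabled further down, after the certificate exists.
    - name: Configure nginx
      template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/sites-available/c3lf-sys3.conf
      notify:
        - restart nginx

    # Open HTTP/HTTPS before the certbot block below: standalone mode answers
    # the ACME challenge on port 80. Both rules are identical apart from the
    # port, so a loop replaces the two separate tasks.
    - name: UFW allow http and https
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
        state: enabled
      loop:
        - '80'
        - '443'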

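    # The issuance block below runs on first deploy (no certificate yet) or
    # when certbot's nginx snippet is missing; both files are created by it.
    - name: Check if initial certbot certificate is needed
      stat:
        path: "/etc/letsencrypt/live/{{ web_domain }}/fullchain.pem"
      register: certbot_cert_exists

    - name: Check nginx ssl config
      stat:
        path: /etc/letsencrypt/options-ssl-nginx.conf
      register: nginx_ssl_config_exists

    # Initial issuance. nginx is stopped so `certbot --standalone` can bind
    # port 80, and the site is unlinked first — presumably because the
    # rendered config references certificate files that do not exist yet
    # (confirm against nginx.conf.j2). The certbot commands use `argv` so that
    # web_domain and main_email are each passed as exactly one argument and
    # cannot be split into additional certbot options.
    - block:
        - name: stop nginx
          service:
            name: nginx
            state: stopped
        - name: disable c3lf-sys3 site
          file:
            path: /etc/nginx/sites-enabled/c3lf-sys3.conf
            state: absent
        - name: add certbot domain
          command:
            argv:
              - certbot
              - certonly
              - '--standalone'
              - '-d'
              - "{{ web_domain }}"
              - '--non-interactive'
              - '--agree-tos'
              - '--email'
              - "{{ main_email }}"
        - name: install letsencrypt ssl config
          command:
            argv:
              - certbot
              - install
              - '--nginx'
              - '--non-interactive'
        - name: enable c3lf-sys3 site
          file:
            src: /etc/nginx/sites-available/c3lf-sys3.conf
            dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
            state: link
        - name: start nginx
          service:
            name: nginx
            state: started
      when: not certbot_cert_exists.stat.exists or not nginx_ssl_config_exists.stat.exists

    # Daily renewal check at 12:00; certbot only renews when the certificate
    # is close to expiry.
    - name: Enable certbot auto renew
      cron:
        name: "certbot-auto renew"
        minute: "0"
        hour: "12"
        job: "certbot renew --quiet --no-self-upgrade --nginx --cert-name {{ web_domain }}"
        state: present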

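    # Basic-auth credential for the legacy API (presumably referenced from
    # nginx.conf.j2). Ownership and mode are set explicitly: without them the
    # hash file takes the process umask, which usually leaves it
    # world-readable. root:www-data with 0640 lets the nginx workers read it
    # and nobody else.
    - name: Configure basic auth
      htpasswd:
        path: /etc/nginx/conf.d/lf-prod.htpasswd
        name: "{{ legacy_api_user }}"
        password: "{{ legacy_api_password }}"
        state: present
        owner: root
        group: www-data
        mode: '0640'
      notify:
        - restart nginx

    - name: Enable nginx site
      file:
        src: /etc/nginx/sites-available/c3lf-sys3.conf
        dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
        state: link
      notify:
        - restart nginx

    # Starts nginx if the certbot block did not, and enables it at boot.
    - name: Initially start nginx
      service:
        name: nginx
        state: started
        enabled: true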

    # Application schema. Both tasks authenticate over the local unix socket
    # rather than with a password.
    - name: create database
      mysql_db:
        login_unix_socket: /var/run/mysqld/mysqld.sock
        state: present
        name: c3lf_sys3

    # Application account, granted on its own schema only; `host` is left at
    # the module default.
    - name: create database user
      mysql_user:
        login_unix_socket: /var/run/mysqld/mysqld.sock
        state: present
        name: c3lf_sys3
        password: "{{ db_password }}"
        priv: "c3lf_sys3.*:ALL"

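    # Web root and the application directory, owned by www-data — the user the
    # install block below runs as. `mode` is quoted: an unquoted 0755 is an
    # octal integer to a YAML 1.1 parser but decimal 755 to a 1.2 parser.
    # The loop keeps the parent first so the child directory can be created.
    - name: configure webdir
      file:
        path: "{{ item }}"
        state: directory
        owner: www-data
        group: www-data
        mode: '0755'
      loop:
        - /var/www
        - /var/www/c3lf-sys3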

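    # Everything touching the checkout runs as www-data so the files are owned
    # by the service user rather than root. `su` with an explicit shell is
    # used, presumably because www-data has no login shell.
    - name: install python app
      become: true
      become_user: www-data
      become_method: su
      become_flags: '-s /bin/bash'
      block:
        # `force` discards local edits to tracked files on every run. The
        # result is registered as `git_checkout`, not `git_repo`: registering
        # under the latter would shadow the `git_repo` URL variable for the
        # rest of the run (registered variables persist across plays for a
        # host).
        - name: create repo dir
          git:
            repo: "{{ git_repo }}"
            dest: /var/www/c3lf-sys3/repo
            version: "{{ git_branch }}"
            force: true
            recursive: true
            single_branch: true
          register: git_checkout
          notify:
            - restart c3lf-sys3

        # `creates` skips the command once the venv exists, replacing the
        # separate stat/when pair.
        - name: create venv
          command:
            cmd: "python3 -m venv /var/www/c3lf-sys3/venv"
            creates: /var/www/c3lf-sys3/venv/bin/python3

        # Gated on the checkout having changed, like the build steps below.
        # NOTE(review): if a run fails after the checkout but before this
        # point, the next run sees an unchanged checkout and skips these steps.
        - name: install requirements
          pip:
            requirements: /var/www/c3lf-sys3/repo/core/requirements.prod.txt
            virtualenv: /var/www/c3lf-sys3/venv
            state: present
          when: git_checkout.changed
          notify:
            - restart c3lf-sys3

        # NOTE(review): the rendered .env presumably carries db_password and
        # similar secrets and currently inherits www-data's umask; set an
        # explicit `mode` once the service's runtime user is confirmed.
        - name: configure django
          template:
            src: templates/django.env.j2
            dest: /var/www/c3lf-sys3/repo/core/.env

        # No shell features are used, so `command` is enough.
        - name: migrate database
          command: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py migrate"
          when: git_checkout.changed

        # `|| true` keeps the play going when the superuser already exists; it
        # also hides any other failure, so verify the admin login after a first
        # deploy. `no_log` keeps the password-bearing environment out of
        # verbose output and logs.
        - name: create superuser
          shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py createsuperuser --noinput || true"
          when: git_checkout.changed
          no_log: true
          environment:
            DJANGO_SUPERUSER_USERNAME: admin
            DJANGO_SUPERUSER_PASSWORD: "{{ django_password }}"
            DJANGO_SUPERUSER_EMAIL: "{{ main_email }}"

        - name: collect static files
          command: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py collectstatic --noinput"
          when: git_checkout.changed

        - name: js config
          template:
            src: templates/config.js.j2
            dest: /var/www/c3lf-sys3/repo/web/src/config.js

        # NOTE(review): `npm install` resolves from package.json; if the repo
        # commits a lockfile, `npm ci` yields a reproducible dependency tree.
        - name: install build dependencies
          command:
            cmd: "npm install"
            chdir: /var/www/c3lf-sys3/repo/web
          when: git_checkout.changed

        - name: build frontend
          command:
            cmd: "npm run build"
            chdir: /var/www/c3lf-sys3/repo/web
          when: git_checkout.changed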

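    # Unit file for the application; a changed unit restarts the service via
    # the handler at the end of the play.
    - name: add c3lf-sys3 service
      template:
        src: templates/c3lf-sys3.service.j2
        dest: /etc/systemd/system/c3lf-sys3.service
      notify:
        - restart c3lf-sys3

    # `daemon_reload` runs before the start so a new or changed unit is
    # picked up; this folds the separate unconditional reload task into the
    # service task.
    - name: start c3lf-sys3 service
      systemd:
        name: c3lf-sys3
        daemon_reload: true
        state: started
        enabled: true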

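    # Group membership lets postfix reach www-data-owned paths when delivering
    # over the LMTP transport added below — NOTE(review): confirm the exact
    # path against postfix.cf.j2.
    - name: add postfix to www-data group
      user:
        name: postfix
        groups: www-data
        append: true
      notify:
        - restart postfix

    # `regexp` matches an existing c3lf-sys3 transport line, so an edited
    # definition replaces it instead of adding a duplicate. `create` is off:
    # master.cf ships with the postfix package installed above, and a
    # master.cf consisting of only this line would leave postfix unusable, so
    # a missing file should fail the play instead.
    - name: add custom transport config
      lineinfile:
        path: /etc/postfix/master.cf
        regexp: '^c3lf-sys3\s'
        line: "c3lf-sys3 unix - n n - - lmtp"
        state: present
        create: false
      notify:
        - restart postfix

    - name: configure postfix
      template:
        src: templates/postfix.cf.j2
        dest: /etc/postfix/main.cf
      notify:
        - restart postfix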

    # DKIM signing settings come from the template; selector and key paths
    # live in templates/rspamd-dkim.cf.j2.
    - name: configure rspamd dkim
      template:
        dest: /etc/rspamd/local.d/dkim_signing.conf
        src: templates/rspamd-dkim.cf.j2
      notify:
        - restart rspamd

    # Point rspamd at the redis instance installed above, via its local.d
    # override directory.
    - name: configure rspamd
      copy:
        dest: /etc/rspamd/local.d/redis.conf
        content: |
          write_servers = "localhost";
          read_servers = "localhost";
      notify:
        - restart rspamd

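    # Inbound SMTP for postfix. `port` is a string option, hence the quotes;
    # everything not explicitly allowed stays closed by ufw's default deny.
    - name: UFW allow smtp
      ufw:
        rule: allow
        port: '25'
        proto: tcp
        state: enabled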