347 lines
No EOL
8.9 KiB
YAML
347 lines
No EOL
8.9 KiB
YAML
- name: 'deploy c3lf-sys3'
|
|
hosts: 'c3lf-nodes'
|
|
handlers:
|
|
- name: restart nginx
|
|
service:
|
|
name: nginx
|
|
state: restarted
|
|
|
|
- name: restart postfix
|
|
service:
|
|
name: postfix
|
|
state: restarted
|
|
|
|
- name: restart mariadb
|
|
service:
|
|
name: mariadb
|
|
state: restarted
|
|
|
|
- name: restart c3lf-sys3
|
|
service:
|
|
name: c3lf-sys3
|
|
state: restarted
|
|
|
|
tasks:
|
|
- name: Update apt-get repo and cache
|
|
apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
|
|
|
|
- name: Upgrade all apt packages
|
|
apt: upgrade=dist force_apt_get=yes
|
|
|
|
- name: Ansible apt-get to install base tools
|
|
apt:
|
|
name:
|
|
- htop
|
|
- tcpdump
|
|
- jq
|
|
- curl
|
|
- libsensors5
|
|
- prometheus-node-exporter
|
|
- openssh-server
|
|
state: present
|
|
force_apt_get: yes
|
|
|
|
- name: Remove useless packages from the cache
|
|
apt:
|
|
autoclean: yes
|
|
|
|
- name: Remove dependencies that are no longer required
|
|
apt:
|
|
autoremove: yes
|
|
|
|
- name: Check if a reboot is needed for debian
|
|
register: reboot_required_file
|
|
stat: path=/var/run/reboot-required get_md5=no
|
|
|
|
- name: Reboot the Debian or Ubuntu server
|
|
reboot:
|
|
msg: "Reboot initiated by Ansible due to kernel updates"
|
|
connect_timeout: 5
|
|
reboot_timeout: 300
|
|
pre_reboot_delay: 0
|
|
post_reboot_delay: 30
|
|
test_command: uptime
|
|
when: reboot_required_file.stat.exists
|
|
|
|
- name: Ansible apt-get to install sys3 requirements
|
|
apt:
|
|
name:
|
|
- ufw
|
|
- fail2ban
|
|
- nginx
|
|
- redis
|
|
- python3
|
|
- python3-pip
|
|
- python3-venv
|
|
- python3-passlib
|
|
- certbot
|
|
- python3-certbot-nginx
|
|
- mariadb-server
|
|
- python3-dev
|
|
- python3-mysqldb
|
|
- default-libmysqlclient-dev
|
|
- build-essential
|
|
- postfix
|
|
- git
|
|
- pkg-config
|
|
- npm
|
|
state: present
|
|
|
|
- name: remove default nginx site
|
|
file:
|
|
path: /etc/nginx/sites-enabled/default
|
|
state: absent
|
|
|
|
- name: remove default nginx site
|
|
file:
|
|
path: /etc/nginx/sites-available/default
|
|
state: absent
|
|
|
|
- name: UFW allow SSH
|
|
ufw:
|
|
rule: allow
|
|
port: 22
|
|
proto: tcp
|
|
state: enabled
|
|
|
|
- name: UFW logging off
|
|
ufw:
|
|
logging: off
|
|
|
|
- name: Configure nginx
|
|
template:
|
|
src: templates/nginx.conf.j2
|
|
dest: /etc/nginx/sites-available/c3lf-sys3.conf
|
|
notify:
|
|
- restart nginx
|
|
|
|
- name: UFW allow http
|
|
ufw:
|
|
rule: allow
|
|
port: 80
|
|
proto: tcp
|
|
state: enabled
|
|
|
|
- name: UFW allow https
|
|
ufw:
|
|
rule: allow
|
|
port: 443
|
|
proto: tcp
|
|
state: enabled
|
|
|
|
- name: Check if initial certbot certificate is needed
|
|
stat:
|
|
path: /etc/letsencrypt/live/{{web_domain}}/fullchain.pem
|
|
register: certbot_cert_exists
|
|
|
|
- name: Check nginx ssl config
|
|
stat:
|
|
path: /etc/letsencrypt/options-ssl-nginx.conf
|
|
register: nginx_ssl_config_exists
|
|
|
|
- block:
|
|
- name: stop nginx
|
|
service:
|
|
name: nginx
|
|
state: stopped
|
|
- name: disable c3lf-sys3 site
|
|
file:
|
|
path: /etc/nginx/sites-enabled/c3lf-sys3.conf
|
|
state: absent
|
|
- name: add certbot domain
|
|
command: "certbot certonly --standalone -d {{web_domain}} --non-interactive --agree-tos --email {{main_email}}"
|
|
- name: install letsencrypt ssl config
|
|
command: "certbot install --nginx --non-interactive"
|
|
- name: enable c3lf-sys3 site
|
|
file:
|
|
src: /etc/nginx/sites-available/c3lf-sys3.conf
|
|
dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
|
|
state: link
|
|
- name: start nginx
|
|
service:
|
|
name: nginx
|
|
state: started
|
|
when: certbot_cert_exists.stat.exists == false or nginx_ssl_config_exists.stat.exists == false
|
|
|
|
- name: Enable certbot auto renew
|
|
cron:
|
|
name: "certbot-auto renew"
|
|
minute: "0"
|
|
hour: "12"
|
|
job: "certbot renew --quiet --no-self-upgrade --nginx --cert-name {{web_domain}}"
|
|
state: present
|
|
|
|
- name: Configure basic auth
|
|
htpasswd:
|
|
path: /etc/nginx/conf.d/lf-prod.htpasswd
|
|
name: "{{ legacy_api_user }}"
|
|
password: "{{ legacy_api_password }}"
|
|
state: present
|
|
notify:
|
|
- restart nginx
|
|
|
|
- name: Enable nginx site
|
|
file:
|
|
src: /etc/nginx/sites-available/c3lf-sys3.conf
|
|
dest: /etc/nginx/sites-enabled/c3lf-sys3.conf
|
|
state: link
|
|
notify:
|
|
- restart nginx
|
|
|
|
- name: Initially start nginx
|
|
service:
|
|
name: nginx
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: create database
|
|
mysql_db:
|
|
name: c3lf_sys3
|
|
state: present
|
|
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
|
|
- name: create database user
|
|
mysql_user:
|
|
name: c3lf_sys3
|
|
password: "{{ db_password }}"
|
|
priv: "c3lf_sys3.*:ALL"
|
|
state: present
|
|
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
|
|
- name: configure webdir
|
|
file:
|
|
path: /var/www
|
|
state: directory
|
|
owner: www-data
|
|
group: www-data
|
|
mode: 0755
|
|
|
|
- name: configure webdir
|
|
file:
|
|
path: /var/www/c3lf-sys3
|
|
state: directory
|
|
owner: www-data
|
|
group: www-data
|
|
mode: 0755
|
|
|
|
- name: install python app
|
|
become: true
|
|
become_user: www-data
|
|
become_method: su
|
|
become_flags: '-s /bin/bash'
|
|
block:
|
|
- name: create repo dir
|
|
git:
|
|
repo: "{{ git_repo }}"
|
|
dest: /var/www/c3lf-sys3/repo
|
|
version: "{{ git_branch }}"
|
|
force: yes
|
|
recursive: yes
|
|
single_branch: yes
|
|
register: git_repo
|
|
notify:
|
|
- restart c3lf-sys3
|
|
|
|
- name: check if venv exists
|
|
stat:
|
|
path: /var/www/c3lf-sys3/venv/bin/python3
|
|
register: venv_exists
|
|
|
|
- name: create venv
|
|
command: "python3 -m venv /var/www/c3lf-sys3/venv"
|
|
when: venv_exists.stat.exists == false
|
|
|
|
- name: install requirements
|
|
pip:
|
|
requirements: /var/www/c3lf-sys3/repo/core/requirements.prod.txt
|
|
virtualenv: /var/www/c3lf-sys3/venv
|
|
state: present
|
|
when: git_repo.changed == true
|
|
notify:
|
|
- restart c3lf-sys3
|
|
|
|
- name: configure django
|
|
template:
|
|
src: templates/django.env.j2
|
|
dest: /var/www/c3lf-sys3/repo/core/.env
|
|
|
|
- name: migrate database
|
|
shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py migrate"
|
|
when: git_repo.changed == true
|
|
|
|
- name: create superuser
|
|
shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py createsuperuser --noinput || true"
|
|
when: git_repo.changed == true
|
|
environment:
|
|
DJANGO_SUPERUSER_USERNAME: admin
|
|
DJANGO_SUPERUSER_PASSWORD: "{{ django_password }}"
|
|
DJANGO_SUPERUSER_EMAIL: "{{ main_email }}"
|
|
|
|
- name: collect static files
|
|
shell: "/var/www/c3lf-sys3/venv/bin/python /var/www/c3lf-sys3/repo/core/manage.py collectstatic --noinput"
|
|
when: git_repo.changed == true
|
|
|
|
- name: js config
|
|
template:
|
|
src: templates/config.js.j2
|
|
dest: /var/www/c3lf-sys3/repo/web/src/config.js
|
|
|
|
- name: install build dependencies
|
|
command:
|
|
cmd: "npm install"
|
|
chdir: /var/www/c3lf-sys3/repo/web
|
|
when: git_repo.changed == true
|
|
|
|
- name: build frontend
|
|
command:
|
|
cmd: "npm run build"
|
|
chdir: /var/www/c3lf-sys3/repo/web
|
|
when: git_repo.changed == true
|
|
|
|
- name: add c3lf-sys3 service
|
|
template:
|
|
src: templates/c3lf-sys3.service.j2
|
|
dest: /etc/systemd/system/c3lf-sys3.service
|
|
notify:
|
|
- restart c3lf-sys3
|
|
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon_reload: yes
|
|
|
|
- name: start c3lf-sys3 service
|
|
service:
|
|
name: c3lf-sys3
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: add postfix to www-data group
|
|
user:
|
|
name: postfix
|
|
groups: www-data
|
|
append: yes
|
|
notify:
|
|
- restart postfix
|
|
|
|
- name: add custom transport config
|
|
lineinfile:
|
|
path: /etc/postfix/master.cf
|
|
line: "c3lf-sys3 unix - n n - - lmtp"
|
|
state: present
|
|
create: yes
|
|
notify:
|
|
- restart postfix
|
|
|
|
- name: configure postfix
|
|
template:
|
|
src: templates/postfix.cf.j2
|
|
dest: /etc/postfix/main.cf
|
|
notify:
|
|
- restart postfix
|
|
|
|
- name: UFW allow smtp
|
|
ufw:
|
|
rule: allow
|
|
port: 25
|
|
proto: tcp
|
|
state: enabled |