diff options
| author | Trygve Laugstøl <trygvis@inamo.no> | 2018-02-25 07:15:53 +0100 |
|---|---|---|
| committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-02-25 07:15:53 +0100 |
| commit | 37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a (patch) | |
| tree | 9e5bd01097ccadf6de2ba59dc264df51cd335665 | |
| parent | 443efffc41984ac604ffa733dd936fecd83006dd (diff) | |
| download | infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.gz infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.bz2 infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.xz infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.zip | |
wip
| -rw-r--r-- | .gitmodules | 3 | ||||
| -rw-r--r-- | ansible/.gitignore | 5 | ||||
| -rw-r--r-- | ansible/ansible.cfg | 3 | ||||
| -rw-r--r-- | ansible/connection_plugins/lxc_ssh.py | 8 | ||||
| -rw-r--r-- | ansible/connection_plugins/lxc_ssh.pyc | bin | 34768 -> 34788 bytes | |||
| -rw-r--r-- | ansible/inventory | 11 | ||||
| -rw-r--r-- | ansible/knot.yml | 2 | ||||
| m--------- | ansible/misc/ansible-vault-tools | 0 | ||||
| -rw-r--r-- | ansible/mw.yml | 2 | ||||
| -rw-r--r-- | ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf | 56 | ||||
| -rw-r--r-- | ansible/roles/mw-backend/handlers/main.yml | 6 | ||||
| -rw-r--r-- | ansible/roles/mw-backend/tasks/main.yml | 67 | ||||
| -rw-r--r-- | ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf | 7 | ||||
| -rw-r--r-- | ansible/roles/mw-frontend/handlers/main.yml | 5 | ||||
| -rw-r--r-- | ansible/roles/mw-frontend/tasks/main.yml | 23 | ||||
| -rw-r--r-- | ansible/secrets.yml | 8 |
16 files changed, 184 insertions, 22 deletions
diff --git a/.gitmodules b/.gitmodules index 795eb73..4e2cc60 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "knot/ssp/self-service-password"] path = knot/ssp/self-service-password url = https://github.com/ltb-project/self-service-password +[submodule "ansible/misc/ansible-vault-tools"] + path = ansible/misc/ansible-vault-tools + url = https://github.com/building5/ansible-vault-tools diff --git a/ansible/.gitignore b/ansible/.gitignore index a8b42eb..6fa6a9f 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -1 +1,6 @@ +*.not_encrypted *.retry +*.swp + +vault-password +vault-password.asc diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index c5caa3d..0da44ae 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,4 +1,5 @@ [defaults] become_method = sudo -inventory = ./hosts +inventory = ./inventory connection_plugins = ./connection_plugins +vault_password_file = vault-password diff --git a/ansible/connection_plugins/lxc_ssh.py b/ansible/connection_plugins/lxc_ssh.py index 9f93305..2bb5352 100644 --- a/ansible/connection_plugins/lxc_ssh.py +++ b/ansible/connection_plugins/lxc_ssh.py @@ -1167,11 +1167,11 @@ class Connection(ConnectionBase): cmd = ('cat > %s; echo -n done' % pipes.quote(out_path)) h = self.container_name if (self.lxc_version == 2): - lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): - lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) if in_data: @@ -1204,11 +1204,11 @@ class Connection(ConnectionBase): cmd = ('cat < %s' % pipes.quote(in_path)) h = self.container_name if (self.lxc_version == 2): - lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): - lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) diff --git a/ansible/connection_plugins/lxc_ssh.pyc b/ansible/connection_plugins/lxc_ssh.pyc Binary files differindex 01895c8..9696804 100644 --- a/ansible/connection_plugins/lxc_ssh.pyc +++ b/ansible/connection_plugins/lxc_ssh.pyc diff --git a/ansible/inventory b/ansible/inventory index 3aff9e0..ef29986 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -2,7 +2,14 @@ all: hosts: knot: ansible_host: knot.trygvis.io - mw: - ansible_host: mw.trygvis.io +# mw: +# ansible_host: mw.trygvis.io + children: + via_knot: + hosts: + mw: + ansible_host: knot.trygvis.io + ansible_connection: lxc_ssh + ansible_ssh_extra_args: mw # vim: set filetype=yaml: diff --git a/ansible/knot.yml b/ansible/knot.yml index 141542b..fa70876 100644 --- a/ansible/knot.yml +++ b/ansible/knot.yml @@ -1,5 +1,7 @@ --- - hosts: - knot + vars_files: + - secrets.yml roles: - mw-frontend diff --git a/ansible/misc/ansible-vault-tools b/ansible/misc/ansible-vault-tools new file mode 160000 +Subproject 1a7c7817dd3052b077fb6809e303e46d7b711df diff --git a/ansible/mw.yml b/ansible/mw.yml index d7e711a..c799529 100644 --- a/ansible/mw.yml +++ b/ansible/mw.yml @@ -1,6 +1,8 @@ --- - hosts: - mw + vars_files: + - secrets.yml roles: - mw-backend diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf new file mode 100644 index 0000000..3823cf1 --- /dev/null +++ b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf @@ -0,0 +1,56 @@ +# Based on /etc/apache2/conf-available/mediawiki.conf + +<VirtualHost *:80> + ServerName mw.trygvis.io + + ServerAdmin webmaster@trygvis.io + DocumentRoot /var/lib/mediawiki + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +<Directory /var/lib/mediawiki/> + Options +FollowSymLinks + AllowOverride All + <IfVersion >= 2.3> + Require all granted + </IfVersion> + <IfVersion < 2.3> + order allow,deny + allow from all + </IfVersion> +</Directory> + +# some directories must be protected +<Directory /var/lib/mediawiki/config> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +<Directory /var/lib/mediawiki/images> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +<Directory /var/lib/mediawiki/upload> + Options -FollowSymLinks + AllowOverride None + <IfModule mod_php7.c> + php_admin_flag engine off + </IfModule> + <IfModule mod_php5.c> + php_admin_flag engine off + </IfModule> +</Directory> +</VirtualHost> +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml index 0298ff9..3588f2b 100644 --- a/ansible/roles/mw-backend/handlers/main.yml +++ b/ansible/roles/mw-backend/handlers/main.yml @@ -1,5 +1,9 @@ --- - name: update apt cache - become: yes apt: update_cache: yes + +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml index 799f0e5..a60f08d 100644 --- a/ansible/roles/mw-backend/tasks/main.yml +++ b/ansible/roles/mw-backend/tasks/main.yml @@ -1,21 +1,66 @@ --- - name: apt setup - tags: packages - become: yes + tags: + - mw-backend + - packages block: - copy: dest: /etc/apt/apt.conf.d/99force-ipv4 content: 'Acquire::ForceIPv4 "true";' notify: update apt cache + - name: configure debian repositories + notify: update apt cache + copy: + dest: /etc/apt/sources.list + content: | + deb http://httpredir.debian.org/debian/ stretch main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free - meta: flush_handlers -# - name: packages -# tags: packages -# become: yes -# apt: -# name: "{{ item }}" -# install_recommends: no -# with_items: -# - ping -# - apache2 + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - etckeeper + + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - iputils-ping + - vim-nox + - host + - less + +- name: Mediawiki + tags: + - mw-backend + - mediawiki + block: + - name: packages + notify: reload apache + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - php-pgsql + - php-intl + - php-gd + - php-apcu + - mediawiki + - name: apache config + notify: reload apache + copy: + src: etc/apache2/sites-enabled/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf index 533c559..210cf2f 100644 --- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf +++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf @@ -20,11 +20,12 @@ allow from all </Directory> + ProxyTimeout 600 ProxyPreserveHost On - ProxyPass / http://mw.trygvis.io/ + ProxyPass / http://10.0.3.2/ - SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io-0001/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io-0001/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule> diff --git a/ansible/roles/mw-frontend/handlers/main.yml b/ansible/roles/mw-frontend/handlers/main.yml new file mode 100644 index 0000000..1b2172f --- /dev/null +++ b/ansible/roles/mw-frontend/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml index 40906ea..ee54719 100644 --- a/ansible/roles/mw-frontend/tasks/main.yml +++ b/ansible/roles/mw-frontend/tasks/main.yml @@ -1,8 +1,31 @@ --- - name: Apache config become: yes + tags: + - mw-frontend block: - name: apache config copy: src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - python-psycopg2 + - name: postgresql db + become: yes + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: CREATE ROLE mediawiki + postgresql_user: + name: "mediawiki" + password: "{{ mediawiki_secrets.mediawiki_password }}" + encrypted: yes + - name: CREATE DATABASE mediawiki + postgresql_db: + name: "mediawiki" + encoding: "utf-8" diff --git a/ansible/secrets.yml b/ansible/secrets.yml new file mode 100644 index 0000000..e9350b8 --- /dev/null +++ b/ansible/secrets.yml @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +38343733333238303264656336313538633066346564646536383735313339383531386237663365 +6631623430383634363135616262653430326234616531390a343463303836383038353239376461 +63393233666438306634613366306363383934343934333537363932303235356234643035343065 +3863313664383437660a383761613566396536363339626532636332343539353639643336366662 +37666561376566613936353061343234376535633264353962383232616666666438396435363438 +66376461306532323333336638653339663361616437353538633538626561316535363636623939 +323934376164626335386463363836356661 |