authorTrygve Laugstøl <trygvis@inamo.no>2018-02-25 07:15:53 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2018-02-25 07:15:53 +0100
commit37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a (patch)
tree9e5bd01097ccadf6de2ba59dc264df51cd335665
parent443efffc41984ac604ffa733dd936fecd83006dd (diff)
downloadinfra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.gz
infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.bz2
infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.tar.xz
infra-37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a.zip
wip
-rw-r--r--.gitmodules3
-rw-r--r--ansible/.gitignore5
-rw-r--r--ansible/ansible.cfg3
-rw-r--r--ansible/connection_plugins/lxc_ssh.py8
-rw-r--r--ansible/connection_plugins/lxc_ssh.pycbin34768 -> 34788 bytes
-rw-r--r--ansible/inventory11
-rw-r--r--ansible/knot.yml2
m---------ansible/misc/ansible-vault-tools0
-rw-r--r--ansible/mw.yml2
-rw-r--r--ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf56
-rw-r--r--ansible/roles/mw-backend/handlers/main.yml6
-rw-r--r--ansible/roles/mw-backend/tasks/main.yml67
-rw-r--r--ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf7
-rw-r--r--ansible/roles/mw-frontend/handlers/main.yml5
-rw-r--r--ansible/roles/mw-frontend/tasks/main.yml23
-rw-r--r--ansible/secrets.yml8
16 files changed, 184 insertions, 22 deletions
diff --git a/.gitmodules b/.gitmodules
index 795eb73..4e2cc60 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
[submodule "knot/ssp/self-service-password"]
path = knot/ssp/self-service-password
url = https://github.com/ltb-project/self-service-password
+[submodule "ansible/misc/ansible-vault-tools"]
+ path = ansible/misc/ansible-vault-tools
+ url = https://github.com/building5/ansible-vault-tools
diff --git a/ansible/.gitignore b/ansible/.gitignore
index a8b42eb..6fa6a9f 100644
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -1 +1,6 @@
+*.not_encrypted
*.retry
+*.swp
+
+vault-password
+vault-password.asc
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index c5caa3d..0da44ae 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,4 +1,5 @@
[defaults]
become_method = sudo
-inventory = ./hosts
+inventory = ./inventory
connection_plugins = ./connection_plugins
+vault_password_file = vault-password
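Review bot: `vault_password_file = vault-password` points Ansible at a plaintext password file that lives in the working tree, guarded only by the `.gitignore` entries added in the previous hunk; an accidental `git add -f` or a checkout on a shared machine exposes the key to every vaulted file in the repo. Ansible runs `vault_password_file` as a script when the target is executable, so a small wrapper that decrypts `vault-password.asc` on demand (the ansible-vault-tools submodule added in this commit appears to provide exactly that, though its contents are not visible here) would mean the plaintext never has to exist on disk. A one-line comment in `ansible.cfg` recording where the password is expected to come from and who holds it would also help the next operator, e.g. `; vault-password is gitignored; decrypt vault-password.asc with your own GPG key to create it`.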
diff --git a/ansible/connection_plugins/lxc_ssh.py b/ansible/connection_plugins/lxc_ssh.py
index 9f93305..2bb5352 100644
--- a/ansible/connection_plugins/lxc_ssh.py
+++ b/ansible/connection_plugins/lxc_ssh.py
@@ -1167,11 +1167,11 @@ class Connection(ConnectionBase):
cmd = ('cat > %s; echo -n done' % pipes.quote(out_path))
h = self.container_name
if (self.lxc_version == 2):
- lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \
+ lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
elif (self.lxc_version == 1):
- lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
+ lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
if in_data:
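Review bot: The `sudo` prepended on the `lxc exec` and `lxc-attach` lines has no `-n`, so if the remote sudo policy ever asks for a password the `cat > … ; echo -n done` pipeline will block indefinitely instead of failing fast; `lxc_cmd = 'sudo -n lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \` (and the same for the three sibling lines, including the second hunk at -1204) turns that into an immediate, visible error. The same two-branch command construction is now duplicated verbatim across both hunks; a small helper that takes the shell command and returns the wrapped `lxc_cmd` would keep the `sudo` decision in one place. Both enclosing methods start and end outside the hunks. Separately, the compiled `lxc_ssh.pyc` is committed alongside the source in this same change; it is generated output that will drift from the `.py` and should be ignored rather than tracked.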
@@ -1204,11 +1204,11 @@ class Connection(ConnectionBase):
cmd = ('cat < %s' % pipes.quote(in_path))
h = self.container_name
if (self.lxc_version == 2):
- lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \
+ lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
elif (self.lxc_version == 1):
- lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
+ lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
diff --git a/ansible/connection_plugins/lxc_ssh.pyc b/ansible/connection_plugins/lxc_ssh.pyc
index 01895c8..9696804 100644
--- a/ansible/connection_plugins/lxc_ssh.pyc
+++ b/ansible/connection_plugins/lxc_ssh.pyc
Binary files differ
diff --git a/ansible/inventory b/ansible/inventory
index 3aff9e0..ef29986 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -2,7 +2,14 @@ all:
hosts:
knot:
ansible_host: knot.trygvis.io
- mw:
- ansible_host: mw.trygvis.io
+# mw:
+# ansible_host: mw.trygvis.io
+ children:
+ via_knot:
+ hosts:
+ mw:
+ ansible_host: knot.trygvis.io
+ ansible_connection: lxc_ssh
+ ansible_ssh_extra_args: mw
# vim: set filetype=yaml:
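Review bot: The old `mw:` host entry is left behind as commented-out YAML (`# mw:` / `#   ansible_host: mw.trygvis.io`) immediately above the new `children:` tree; git history already preserves it, and a second, dormant definition of the same host name invites someone to uncomment it later and silently bypass the `lxc_ssh` path. Delete the two commented lines. The `via_knot` group also appears to reuse `ansible_ssh_extra_args` to carry the container name (`mw`) into the connection plugin; if that is the case, a comment on that line saying so, e.g. `# lxc_ssh: container name is passed via ansible_ssh_extra_args`, would stop a reader from treating it as an ordinary ssh option.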
diff --git a/ansible/knot.yml b/ansible/knot.yml
index 141542b..fa70876 100644
--- a/ansible/knot.yml
+++ b/ansible/knot.yml
@@ -1,5 +1,7 @@
---
- hosts:
- knot
+ vars_files:
+ - secrets.yml
roles:
- mw-frontend
diff --git a/ansible/misc/ansible-vault-tools b/ansible/misc/ansible-vault-tools
new file mode 160000
+Subproject 1a7c7817dd3052b077fb6809e303e46d7b711df
diff --git a/ansible/mw.yml b/ansible/mw.yml
index d7e711a..c799529 100644
--- a/ansible/mw.yml
+++ b/ansible/mw.yml
@@ -1,6 +1,8 @@
---
- hosts:
- mw
+ vars_files:
+ - secrets.yml
roles:
- mw-backend
diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf
new file mode 100644
index 0000000..3823cf1
--- /dev/null
+++ b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf
@@ -0,0 +1,56 @@
+# Based on /etc/apache2/conf-available/mediawiki.conf
+
+<VirtualHost *:80>
+ ServerName mw.trygvis.io
+
+ ServerAdmin webmaster@trygvis.io
+ DocumentRoot /var/lib/mediawiki
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+<Directory /var/lib/mediawiki/>
+ Options +FollowSymLinks
+ AllowOverride All
+ <IfVersion >= 2.3>
+ Require all granted
+ </IfVersion>
+ <IfVersion < 2.3>
+ order allow,deny
+ allow from all
+ </IfVersion>
+</Directory>
+
+# some directories must be protected
+<Directory /var/lib/mediawiki/config>
+ Options -FollowSymLinks
+ AllowOverride None
+ <IfModule mod_php7.c>
+ php_admin_flag engine off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_admin_flag engine off
+ </IfModule>
+</Directory>
+<Directory /var/lib/mediawiki/images>
+ Options -FollowSymLinks
+ AllowOverride None
+ <IfModule mod_php7.c>
+ php_admin_flag engine off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_admin_flag engine off
+ </IfModule>
+</Directory>
+<Directory /var/lib/mediawiki/upload>
+ Options -FollowSymLinks
+ AllowOverride None
+ <IfModule mod_php7.c>
+ php_admin_flag engine off
+ </IfModule>
+ <IfModule mod_php5.c>
+ php_admin_flag engine off
+ </IfModule>
+</Directory>
+</VirtualHost>
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
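Review bot: This vhost is the plain-HTTP backend behind the TLS-terminating proxy on knot, but `CustomLog ${APACHE_LOG_DIR}/access.log combined` records `%h` as the proxy's address, so the backend access log loses the real client IP that you would need for abuse triage or forensics; with mod_remoteip enabled, `RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy <proxy-address>` (the knot side of the container bridge) restores it, assuming mod_proxy on the frontend is left with its default `ProxyAddHeaders On`. The `<IfVersion < 2.3>` and `mod_php5.c` branches look dead given that the backend's sources.list in this commit pins stretch, which ships Apache 2.4 and PHP 7; dropping them would halve the file. A one-line header noting that this file is served only from the proxy (and that `AllowOverride All` on the document root is inherited from the packaged mediawiki.conf) would make the trust assumptions explicit.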
diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml
index 0298ff9..3588f2b 100644
--- a/ansible/roles/mw-backend/handlers/main.yml
+++ b/ansible/roles/mw-backend/handlers/main.yml
@@ -1,5 +1,9 @@
---
- name: update apt cache
- become: yes
apt:
update_cache: yes
+
+- name: reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml
index 799f0e5..a60f08d 100644
--- a/ansible/roles/mw-backend/tasks/main.yml
+++ b/ansible/roles/mw-backend/tasks/main.yml
@@ -1,21 +1,66 @@
---
- name: apt setup
- tags: packages
- become: yes
+ tags:
+ - mw-backend
+ - packages
block:
- copy:
dest: /etc/apt/apt.conf.d/99force-ipv4
content: 'Acquire::ForceIPv4 "true";'
notify: update apt cache
+ - name: configure debian repositories
+ notify: update apt cache
+ copy:
+ dest: /etc/apt/sources.list
+ content: |
+ deb http://httpredir.debian.org/debian/ stretch main contrib non-free
+ deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free
+
+ deb http://security.debian.org/debian-security stretch/updates main contrib non-free
+ deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
+
+ deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
+ deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
- meta: flush_handlers
-# - name: packages
-# tags: packages
-# become: yes
-# apt:
-# name: "{{ item }}"
-# install_recommends: no
-# with_items:
-# - ping
-# - apache2
+ - name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - git
+ - etckeeper
+
+ - name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - iputils-ping
+ - vim-nox
+ - host
+ - less
+
+- name: Mediawiki
+ tags:
+ - mw-backend
+ - mediawiki
+ block:
+ - name: packages
+ notify: reload apache
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - git
+ - php-pgsql
+ - php-intl
+ - php-gd
+ - php-apcu
+ - mediawiki
+ - name: apache config
+ notify: reload apache
+ copy:
+ src: etc/apache2/sites-enabled/000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
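Review bot: `become: yes` is removed from the `apt setup` block here and from the `update apt cache` handler in the previous hunk, so root privilege for the whole backend role now comes implicitly from the `sudo` hardcoded into the `lxc_ssh` connection plugin rather than from the tasks themselves; if `mw` is ever reached over plain ssh again (the old inventory entry is still present, commented out), these `apt` and `copy` tasks will run unprivileged and fail, and a reader of this file has no way to see that escalation is expected. Keeping `become: yes` on the blocks is harmless under the plugin and keeps the role self-describing. Two sibling tasks in the same block are both named `packages` (the git/etckeeper one and the iputils-ping/vim-nox one), which makes play output and `--start-at-task` ambiguous; give them distinct names or merge them into one `with_items` list. The `name: "{{ item }}"` loop pattern also installs packages one at a time; `apt` accepts a list directly (`name: [git, etckeeper]`), which is both faster and a single transaction.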
diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf
index 533c559..210cf2f 100644
--- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf
+++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf
@@ -20,11 +20,12 @@
allow from all
</Directory>
+ ProxyTimeout 600
ProxyPreserveHost On
- ProxyPass / http://mw.trygvis.io/
+ ProxyPass / http://10.0.3.2/
- SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem
+ SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io-0001/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
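Review bot: `ProxyPass / http://10.0.3.2/` hardcodes the container's bridge address in a static file copied verbatim by the role, while the inventory in this same commit is the place that knows how `mw` is reached; templating this line from an inventory variable would stop the two from drifting silently. Nothing here sets `RequestHeader set X-Forwarded-Proto "https"` (mod_headers), and mod_proxy does not add that header by default, so the MediaWiki backend may not learn that the original request was TLS and could emit `http://` links or redirects; worth confirming against the backend's `$wgServer` setting. The certificate path moving to `mw.trygvis.io-0001` suggests a second Let's Encrypt lineage was created rather than the original renewed; if so, a comment on the `SSLCertificateFile` line recording why would save the next person from "fixing" it back.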
diff --git a/ansible/roles/mw-frontend/handlers/main.yml b/ansible/roles/mw-frontend/handlers/main.yml
new file mode 100644
index 0000000..1b2172f
--- /dev/null
+++ b/ansible/roles/mw-frontend/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml
index 40906ea..ee54719 100644
--- a/ansible/roles/mw-frontend/tasks/main.yml
+++ b/ansible/roles/mw-frontend/tasks/main.yml
@@ -1,8 +1,31 @@
---
- name: Apache config
become: yes
+ tags:
+ - mw-frontend
block:
- name: apache config
copy:
src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf
dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf
+ - name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - python-psycopg2
+ - name: postgresql db
+ become: yes
+ become_user: postgres
+ vars:
+ ansible_ssh_pipelining: true
+ block:
+ - name: CREATE ROLE mediawiki
+ postgresql_user:
+ name: "mediawiki"
+ password: "{{ mediawiki_secrets.mediawiki_password }}"
+ encrypted: yes
+ - name: CREATE DATABASE mediawiki
+ postgresql_db:
+ name: "mediawiki"
+ encoding: "utf-8"
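Review bot: The `apache config` copy task in this role (context lines at the top of the hunk) has no `notify`, so the `reload apache` handler added for mw-frontend in the previous file section is never triggered and a changed `mw.trygvis.io-ssl.conf` will not take effect until something else reloads Apache; add `notify: reload apache` to that task. `postgresql_db` creates `mediawiki` without `owner: "mediawiki"`, so the database is owned by `postgres` and the freshly created role has no right to create tables in it; set `owner: "mediawiki"` on the `CREATE DATABASE` task, which also keeps the application's privileges confined to its own database. `encoding: "utf-8"` is accepted by the server, but the module compares the requested string against the server's reported name (`UTF8`) on later runs and may then refuse with an encoding-change error; `encoding: "UTF8"` avoids that, though it is worth confirming on the Ansible version in use.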
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
new file mode 100644
index 0000000..e9350b8
--- /dev/null
+++ b/ansible/secrets.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343733333238303264656336313538633066346564646536383735313339383531386237663365
+6631623430383634363135616262653430326234616531390a343463303836383038353239376461
+63393233666438306634613366306363383934343934333537363932303235356234643035343065
+3863313664383437660a383761613566396536363339626532636332343539353639643336366662
+37666561376566613936353061343234376535633264353962383232616666666438396435363438
+66376461306532323333336638653339663361616437353538633538626561316535363636623939
+323934376164626335386463363836356661