author | Trygve Laugstøl <trygvis@inamo.no> | 2018-08-30 10:15:35 +0200 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-08-30 10:15:35 +0200 |
commit | 8b2f8441ccb110427078e47c76a8098f2677a54d (patch) | |
tree | f944472d68f850f6e15228bc065333407a5028ad /ansible/roles/rosin | |
parent | a5705d3f44cb86b216277c6311f313963d4f9c49 (diff) | |
o Adding rosin and numquam.
o Adding unattended-upgrades.
Diffstat (limited to 'ansible/roles/rosin')
-rw-r--r-- | ansible/roles/rosin/handlers/main.yml | 11 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/main.yml | 15 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/nginx.yml | 31 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/rosin-db.yml | 36 | ||||
-rw-r--r-- | ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 | 52 | ||||
-rw-r--r-- | ansible/roles/rosin/vars/main.yml | 3 |
6 files changed, 148 insertions, 0 deletions
diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml
new file mode 100644
index 0000000..5248ca9
--- /dev/null
+++ b/ansible/roles/rosin/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+ become: yes
+ service:
+ name: nginx
+ state: reloaded
+
+- name: apt update
+ become: yes
+ apt:
+ update_cache: yes
diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml
new file mode 100644
index 0000000..7a9805b
--- /dev/null
+++ b/ansible/roles/rosin/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: rosin account
+ user:
+ name: rosin
+ shell: "/bin/bash"
+ createhome: no
+ home: /home/rosin
+ system: yes
+- name: nginx
+ tags: nginx
+ import_tasks: nginx.yml
+- name: rosin-db
+ tags: rosin-db
+ import_tasks: rosin-db.yml
+
diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml
new file mode 100644
index 0000000..8ef9145
--- /dev/null
+++ b/ansible/roles/rosin/tasks/nginx.yml
@@ -0,0 +1,31 @@
+---
+- name: Packages for nginx
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+
+- name: no default nginx site
+ notify: reload nginx
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: nginx config
+ notify: reload nginx
+ template:
+ dest: "/etc/nginx/sites-enabled/rosin.trygvis.io"
+ src: etc/nginx/sites-enabled/rosin.j2
+
+- name: docroot dir
+ file:
+ path: "/var/www/rosin"
+ state: directory
+
+#- name: docroot dir
+# copy:
+# dest: "/var/www/rosin/index.html"
+# src: "docroot/index.html"
diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml
new file mode 100644
index 0000000..be2eac1
--- /dev/null
+++ b/ansible/roles/rosin/tasks/rosin-db.yml
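Review bot: The `rosin account` task in tasks/main.yml creates a `system: yes` service account with `shell: "/bin/bash"`, which leaves the account usable for interactive login should a password or authorized key ever be added to it; nothing in this role shows the account needing a shell. Unless the application is launched through a login shell for this user, `shell: /usr/sbin/nologin` is the least-privilege choice. The combination `createhome: no` with `home: /home/rosin` also leaves $HOME pointing at a directory that is never created, which deserves a comment such as `# home is intentionally not created; the app does not use $HOME` if that is deliberate.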
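Review bot: The `docroot dir` task in tasks/nginx.yml creates `/var/www/rosin`, but the template it deploys in the same commit (`rosin.j2`) contains no `root` directive, so `try_files $uri @proxy` will probe nginx's compiled-in default document root rather than this directory. Either add `root /var/www/rosin;` to the server block or drop this task together with the commented-out `copy` task below it. Separately, `certbot` and `python3-certbot-nginx` are installed here while the TLS listener in the template is commented out, so until someone runs certbot by hand the site is served over plain HTTP; a comment on the package task, e.g. `# certbot is installed but TLS in rosin.j2 is still disabled; run certbot manually`, would make that state explicit.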
@@ -0,0 +1,36 @@
+---
+- name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - python-psycopg2
+ - python3-psycopg2
+- become: yes
+ become_user: postgres
+ vars:
+ ansible_ssh_pipelining: true
+ block:
+ - name: create-user rosin-prod
+ tags: update-password
+ postgresql_user:
+ name: rosin-prod
+ password: "{{ rosin_secret.db_password_rosin_prod }}"
+ encrypted: yes
+ - name: createdb rosin-prod
+ postgresql_db:
+ name: "rosin-prod"
+ encoding: "utf-8"
+ owner: "rosin-prod"
+ - name: enable uuid extension
+ postgresql_ext:
+ name: uuid-ossp
+ db: rosin-prod
+ - name: grant permissions
+ postgresql_privs:
+ database: rosin-prod
+ state: present
+ privs: USAGE
+ type: schema
+ objs: public
+ roles: rosin-prod
diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
new file mode 100644
index 0000000..a67899c
--- /dev/null
+++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
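Review bot: The `create-user rosin-prod` task passes `password: "{{ rosin_secret.db_password_rosin_prod }}"` as a plain module argument, and Ansible echoes module arguments in verbose runs and to callback plugins and log files, so the cleartext secret can land in CI or terminal output; add `no_log: true` to that task (the `update-password` tag suggests it will be re-run on purpose). `encrypted: yes` only controls how PostgreSQL stores the hash, not how the value travels through Ansible. The `grant permissions` task grants `USAGE` on schema `public` to a role that already owns the database, which looks redundant; that is inferred from the visible tasks and may be intentional groundwork for later revoking the default grant to PUBLIC, in which case a one-line comment saying so would help.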
@@ -0,0 +1,52 @@
+# Managed by Ansible
+
+server {
+ server_name numquam.trygvis.io;
+
+# listen 443 default_server ssl;
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+# ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
+# ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
+# ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;
+
+ listen 80 default_server;
+
+ location / {
+ # Pløens gate 4
+ allow 77.40.158.96/27;
+ allow 2001:840:4b0b::/48;
+
+ # Cloudflare
+ allow 2400:cb00::/32;
+ allow 2405:8100::/32;
+ allow 2405:b500::/32;
+ allow 2606:4700::/32;
+ allow 2803:f800::/32;
+ allow 2c0f:f248::/32;
+ allow 2a06:98c0::/29;
+ allow 103.21.244.0/22;
+ allow 103.22.200.0/22;
+ allow 103.31.4.0/22;
+ allow 104.16.0.0/12;
+ allow 108.162.192.0/18;
+ allow 131.0.72.0/22;
+ allow 141.101.64.0/18;
+ allow 162.158.0.0/15;
+ allow 172.64.0.0/13;
+ allow 173.245.48.0/20;
+ allow 188.114.96.0/20;
+ allow 190.93.240.0/20;
+ allow 197.234.240.0/22;
+ allow 198.41.128.0/17;
+
+ deny all;
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:{{ rosin.http_port }};
+ }
+}
diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml
new file mode 100644
index 0000000..be784dc
--- /dev/null
+++ b/ansible/roles/rosin/vars/main.yml
@@ -0,0 +1,3 @@
+rosin:
+ http_port: 7410
+wat: awesome |
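Review bot: The allow list in `location /` admits every Cloudflare egress range, and because this block is `default_server` with only `server_name numquam.trygvis.io`, any Cloudflare zone that someone points at this origin IP reaches the proxied app with whatever `Host` it sends — the filter proves a request came through Cloudflare, not through this site's Cloudflare zone. With `listen 443` still commented out there is no TLS on which to enable Cloudflare's Authenticated Origin Pulls (client certificate) to bind traffic to your zone; until TLS is on, at least rejecting unexpected names with `if ($host != numquam.trygvis.io) { return 444; }` narrows the exposure. The hard-coded ranges will also drift over time, so a comment naming the source URL and the date they were copied would help the next maintainer. Note too that `$proxy_add_x_forwarded_for` appends to a client-supplied X-Forwarded-For, so the backend should take the client address from the last, Cloudflare-appended entry (or from `CF-Connecting-IP`) rather than the first.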
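Review bot: `wat: awesome` in vars/main.yml is a stray variable with no consumer anywhere in the role and reads as a leftover from testing; it should be removed. Role `vars/` also take precedence over inventory and play variables, so `rosin.http_port` cannot be overridden per host; if that is wanted, `defaults/main.yml` is the usual home for it.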