authorTrygve Laugstøl <trygvis@inamo.no>2018-08-30 10:15:35 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2018-08-30 10:15:35 +0200
commit8b2f8441ccb110427078e47c76a8098f2677a54d (patch)
treef944472d68f850f6e15228bc065333407a5028ad /ansible/roles/rosin
parenta5705d3f44cb86b216277c6311f313963d4f9c49 (diff)
downloadinfra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.gz
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.bz2
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.xz
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.zip
o Adding rosin and numquam.
o Adding unattended-upgrades.
Diffstat (limited to 'ansible/roles/rosin')
-rw-r--r--ansible/roles/rosin/handlers/main.yml11
-rw-r--r--ansible/roles/rosin/tasks/main.yml15
-rw-r--r--ansible/roles/rosin/tasks/nginx.yml31
-rw-r--r--ansible/roles/rosin/tasks/rosin-db.yml36
-rw-r--r--ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j252
-rw-r--r--ansible/roles/rosin/vars/main.yml3
6 files changed, 148 insertions, 0 deletions
diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml
new file mode 100644
index 0000000..5248ca9
--- /dev/null
+++ b/ansible/roles/rosin/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+ become: yes
+ service:
+ name: nginx
+ state: reloaded
+
+- name: apt update
+ become: yes
+ apt:
+ update_cache: yes
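Review bot: The `apt update` handler added here is never notified by any task in this commit (nginx.yml and rosin-db.yml only notify `reload nginx`, and the apt tasks do not set `update_cache`), so either a task should `notify: apt update` or the handler is dead code. Both handlers also use the YAML 1.1 truthy form `become: yes` / `update_cache: yes`; writing `become: true` and `update_cache: true` keeps them unambiguous under yamllint and 1.2 parsers. The same `yes`/`no` spelling appears in tasks/main.yml, tasks/nginx.yml and tasks/rosin-db.yml.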
diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml
new file mode 100644
index 0000000..7a9805b
--- /dev/null
+++ b/ansible/roles/rosin/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: rosin account
+ user:
+ name: rosin
+ shell: "/bin/bash"
+ createhome: no
+ home: /home/rosin
+ system: yes
+- name: nginx
+ tags: nginx
+ import_tasks: nginx.yml
+- name: rosin-db
+ tags: rosin-db
+ import_tasks: rosin-db.yml
+
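Review bot: The `rosin account` task creates a `system: yes` service user with `shell: "/bin/bash"` and `home: /home/rosin` while `createhome: no`, so the account gets an interactive shell but its home directory is never created by this role. If the account only exists to own the service and its database role, `shell: /usr/sbin/nologin` narrows what a compromised service credential can do; if interactive or SSH use as `rosin` is intended, say so in a comment and let `createhome` match. The task also lacks `become: yes`, which the handlers in this commit set explicitly, so it presumably relies on the play running privileged — worth making explicit for consistency.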
diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml
new file mode 100644
index 0000000..8ef9145
--- /dev/null
+++ b/ansible/roles/rosin/tasks/nginx.yml
@@ -0,0 +1,31 @@
+---
+- name: Packages for nginx
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+
+- name: no default nginx site
+ notify: reload nginx
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: nginx config
+ notify: reload nginx
+ template:
+ dest: "/etc/nginx/sites-enabled/rosin.trygvis.io"
+ src: etc/nginx/sites-enabled/rosin.j2
+
+- name: docroot dir
+ file:
+ path: "/var/www/rosin"
+ state: directory
+
+#- name: docroot dir
+# copy:
+# dest: "/var/www/rosin/index.html"
+# src: "docroot/index.html"
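Review bot: The `Packages for nginx` task loops `apt` with `with_items`, which installs the three packages in separate transactions and runs without `update_cache`, so on a fresh host it may fail against a stale index; passing the list directly as `name:` gives one transaction, and `update_cache: yes` (or notifying the `apt update` handler this commit defines) avoids the stale-index failure. The `nginx config` task templates straight into `/etc/nginx/sites-enabled/`; this works, but the Debian convention is `sites-available` plus a symlink, and a comment noting the deliberate shortcut would help the next maintainer. The commented-out `docroot dir` task at the end duplicates the name of the live task above it — either drop it or rename it before it is re-enabled.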
diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml
new file mode 100644
index 0000000..be2eac1
--- /dev/null
+++ b/ansible/roles/rosin/tasks/rosin-db.yml
@@ -0,0 +1,36 @@
+---
+- name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - python-psycopg2
+ - python3-psycopg2
+- become: yes
+ become_user: postgres
+ vars:
+ ansible_ssh_pipelining: true
+ block:
+ - name: create-user rosin-prod
+ tags: update-password
+ postgresql_user:
+ name: rosin-prod
+ password: "{{ rosin_secret.db_password_rosin_prod }}"
+ encrypted: yes
+ - name: createdb rosin-prod
+ postgresql_db:
+ name: "rosin-prod"
+ encoding: "utf-8"
+ owner: "rosin-prod"
+ - name: enable uuid extension
+ postgresql_ext:
+ name: uuid-ossp
+ db: rosin-prod
+ - name: grant permissions
+ postgresql_privs:
+ database: rosin-prod
+ state: present
+ privs: USAGE
+ type: schema
+ objs: public
+ roles: rosin-prod
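Review bot: The `create-user rosin-prod` task passes `rosin_secret.db_password_rosin_prod` as a module argument with no task-level `no_log`, so the task's args and result are candidates for exposure in verbose runs and callback/log output; even if the module masks its own `password` parameter, adding `no_log: true` to that task is the defensive default for any task that touches a secret. The `grant permissions` task grants only `USAGE` on schema `public` to `rosin-prod`, yet `createdb rosin-prod` already makes that role the database owner, so the intent of the extra grant is unclear — a one-line comment stating why it is needed (or removing it) would help. `encrypted: yes` and `become: yes` are fine but would read better as `true`.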
diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
new file mode 100644
index 0000000..a67899c
--- /dev/null
+++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
@@ -0,0 +1,52 @@
+# Managed by Ansible
+
+server {
+ server_name numquam.trygvis.io;
+
+# listen 443 default_server ssl;
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+# ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
+# ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
+# ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;
+
+ listen 80 default_server;
+
+ location / {
+ # Pløens gate 4
+ allow 77.40.158.96/27;
+ allow 2001:840:4b0b::/48;
+
+ # Cloudflare
+ allow 2400:cb00::/32;
+ allow 2405:8100::/32;
+ allow 2405:b500::/32;
+ allow 2606:4700::/32;
+ allow 2803:f800::/32;
+ allow 2c0f:f248::/32;
+ allow 2a06:98c0::/29;
+ allow 103.21.244.0/22;
+ allow 103.22.200.0/22;
+ allow 103.31.4.0/22;
+ allow 104.16.0.0/12;
+ allow 108.162.192.0/18;
+ allow 131.0.72.0/22;
+ allow 141.101.64.0/18;
+ allow 162.158.0.0/15;
+ allow 172.64.0.0/13;
+ allow 173.245.48.0/20;
+ allow 188.114.96.0/20;
+ allow 190.93.240.0/20;
+ allow 197.234.240.0/22;
+ allow 198.41.128.0/17;
+
+ deny all;
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:{{ rosin.http_port }};
+ }
+}
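Review bot: The allowlist in `location /` admits Cloudflare edge ranges, but `@proxy` forwards `$proxy_add_x_forwarded_for`, so requests arriving through Cloudflare reach the backend with an edge address as the client and the backend cannot log or rate-limit the real origin; with the TLS block commented out and only `listen 80 default_server`, the edge-to-origin leg is also cleartext even though nginx.yml installs certbot. If Cloudflare is the intended front, add `real_ip_header CF-Connecting-IP;` plus one `set_real_ip_from <range>;` per Cloudflare range (e.g. `set_real_ip_from 103.21.244.0/22;`) so `$remote_addr` reflects the client, and keep the range list in a role variable so the `allow` and `set_real_ip_from` lists cannot drift apart as Cloudflare's published ranges change. Since the allowlist is the only gate on this vhost, a comment above the `allow` block stating where the list comes from and when it was last refreshed would make it maintainable.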
diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml
new file mode 100644
index 0000000..be784dc
--- /dev/null
+++ b/ansible/roles/rosin/vars/main.yml
@@ -0,0 +1,3 @@
+rosin:
+ http_port: 7410
+wat: awesome
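Review bot: `wat: awesome` looks like a leftover test value, and because it lives in the role's `vars/main.yml` it takes high precedence over inventory and play vars for every host the role touches; unless something consumes it, it should be removed. The file also lacks the `---` document start that the other YAML files in this commit use, and `http_port: 7410` would benefit from a one-line comment naming the service that listens there, since the template proxies to `127.0.0.1:{{ rosin.http_port }}`.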