o Adding rosin and numquam.

o Adding unattended-upgrades.
author: Trygve Laugstøl <trygvis@inamo.no> 2018-08-30 10:15:35 +0200
committer: Trygve Laugstøl <trygvis@inamo.no> 2018-08-30 10:15:35 +0200
commit: 8b2f8441ccb110427078e47c76a8098f2677a54d (patch)
tree: f944472d68f850f6e15228bc065333407a5028ad /ansible/roles/rosin
parent: a5705d3f44cb86b216277c6311f313963d4f9c49 (diff)
download: infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.gz
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.bz2
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.xz
infra-8b2f8441ccb110427078e47c76a8098f2677a54d.zip
6 files changed, 148 insertions, 0 deletions
diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml
new file mode 100644
index 0000000..5248ca9
--- /dev/null
+++ b/ansible/roles/rosin/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+  become: yes
+  service:
+    name: nginx
+    state: reloaded
+
+- name: apt update
+  become: yes
+  apt:
+    update_cache: yes
diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml
new file mode 100644
index 0000000..7a9805b
--- /dev/null
+++ b/ansible/roles/rosin/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: rosin account
+  user:
+    name: rosin
+    shell: "/bin/bash"
+    createhome: no
+    home: /home/rosin
+    system: yes
+- name: nginx
+  tags: nginx
+  import_tasks: nginx.yml
+- name: rosin-db
+  tags: rosin-db
+  import_tasks: rosin-db.yml
+    
diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml
new file mode 100644
index 0000000..8ef9145
--- /dev/null
+++ b/ansible/roles/rosin/tasks/nginx.yml
@@ -0,0 +1,31 @@
+---
+- name: Packages for nginx
+  apt:
+    name: "{{ item }}"
+    install_recommends: no
+  with_items:
+    - nginx
+    - certbot
+    - python3-certbot-nginx
+
+- name: no default nginx site
+  notify: reload nginx
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: nginx config
+  notify: reload nginx
+  template:
+    dest: "/etc/nginx/sites-enabled/rosin.trygvis.io"
+    src: etc/nginx/sites-enabled/rosin.j2
+
+- name: docroot dir
+  file:
+    path: "/var/www/rosin"
+    state: directory
+
+#- name: docroot dir
+#  copy:
+#    dest: "/var/www/rosin/index.html"
+#    src: "docroot/index.html"
diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml
new file mode 100644
index 0000000..be2eac1
--- /dev/null
+++ b/ansible/roles/rosin/tasks/rosin-db.yml
@@ -0,0 +1,36 @@
+---
+- name: packages
+  apt:
+    name: "{{ item }}"
+    install_recommends: no
+  with_items:
+    - python-psycopg2
+    - python3-psycopg2
+- become: yes
+  become_user: postgres
+  vars:
+    ansible_ssh_pipelining: true
+  block:
+    - name: create-user rosin-prod
+      tags: update-password
+      postgresql_user:
+        name: rosin-prod
+        password: "{{ rosin_secret.db_password_rosin_prod }}"
+        encrypted: yes
+    - name: createdb rosin-prod
+      postgresql_db:
+        name: "rosin-prod"
+        encoding: "utf-8"
+        owner: "rosin-prod"
+    - name: enable uuid extension
+      postgresql_ext:
+        name: uuid-ossp
+        db: rosin-prod
+    - name: grant permissions
+      postgresql_privs:
+        database: rosin-prod
+        state: present
+        privs: USAGE
+        type: schema
+        objs: public
+        roles: rosin-prod
diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
new file mode 100644
index 0000000..a67899c
--- /dev/null
+++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
@@ -0,0 +1,52 @@
+# Managed by Ansible
+
+server {
+    server_name numquam.trygvis.io;
+
+#    listen 443 default_server ssl;
+#    include /etc/letsencrypt/options-ssl-nginx.conf;
+#    ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
+#    ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
+#    ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;
+
+    listen 80 default_server;
+
+    location / {
+        # Pløens gate 4
+        allow 77.40.158.96/27;
+        allow 2001:840:4b0b::/48;
+
+        # Cloudflare
+        allow 2400:cb00::/32;
+        allow 2405:8100::/32;
+        allow 2405:b500::/32;
+        allow 2606:4700::/32;
+        allow 2803:f800::/32;
+        allow 2c0f:f248::/32;
+        allow 2a06:98c0::/29;
+        allow 103.21.244.0/22;
+        allow 103.22.200.0/22;
+        allow 103.31.4.0/22;
+        allow 104.16.0.0/12;
+        allow 108.162.192.0/18;
+        allow 131.0.72.0/22;
+        allow 141.101.64.0/18;
+        allow 162.158.0.0/15;
+        allow 172.64.0.0/13;
+        allow 173.245.48.0/20;
+        allow 188.114.96.0/20;
+        allow 190.93.240.0/20;
+        allow 197.234.240.0/22;
+        allow 198.41.128.0/17;
+
+        deny all;
+        try_files $uri @proxy;
+    }
+
+    location @proxy {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://127.0.0.1:{{ rosin.http_port }};
+    }
+}
diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml
new file mode 100644
index 0000000..be784dc
--- /dev/null
+++ b/ansible/roles/rosin/vars/main.yml
@@ -0,0 +1,3 @@
+rosin:
+  http_port: 7410
+wat: awesome
author	Trygve Laugstøl <trygvis@inamo.no>	2018-08-30 10:15:35 +0200
committer	Trygve Laugstøl <trygvis@inamo.no>	2018-08-30 10:15:35 +0200
commit	8b2f8441ccb110427078e47c76a8098f2677a54d (patch)
tree	f944472d68f850f6e15228bc065333407a5028ad /ansible/roles/rosin
parent	a5705d3f44cb86b216277c6311f313963d4f9c49 (diff)
download	infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.gz infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.bz2 infra-8b2f8441ccb110427078e47c76a8098f2677a54d.tar.xz infra-8b2f8441ccb110427078e47c76a8098f2677a54d.zip