-rw-r--r--ansible/group_vars/all/unattended-upgrades.yml2
-rw-r--r--ansible/host_vars/numquam/rosin_secret.yml9
-rw-r--r--ansible/numquam.yml26
-rw-r--r--ansible/roles/rosin/handlers/main.yml11
-rw-r--r--ansible/roles/rosin/tasks/main.yml15
-rw-r--r--ansible/roles/rosin/tasks/nginx.yml31
-rw-r--r--ansible/roles/rosin/tasks/rosin-db.yml36
-rw-r--r--ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j252
-rw-r--r--ansible/roles/rosin/vars/main.yml3
-rw-r--r--ansible/roles/timezone/tasks/main.yml1
-rw-r--r--ansible/roles/unattended-upgrades/README.md109
-rw-r--r--ansible/roles/unattended-upgrades/tasks/main.yml39
12 files changed, 331 insertions, 3 deletions
diff --git a/ansible/group_vars/all/unattended-upgrades.yml b/ansible/group_vars/all/unattended-upgrades.yml
new file mode 100644
index 0000000..b3ca37a
--- /dev/null
+++ b/ansible/group_vars/all/unattended-upgrades.yml
@@ -0,0 +1,2 @@
+unattended_upgrades:
+ mail: root@inamo.no
diff --git a/ansible/host_vars/numquam/rosin_secret.yml b/ansible/host_vars/numquam/rosin_secret.yml
new file mode 100644
index 0000000..fe2cc41
--- /dev/null
+++ b/ansible/host_vars/numquam/rosin_secret.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33393536373264646466653564653130343331366262646331333331343030346131363636386137
+3335323235633466366262656263383863396631353930370a653630376237633336656162356261
+61306633643233343133343135366233663237313365386163383039323830316430336463313739
+3466303364343931300a386232326561396534396464326339303061663236346532366639643037
+37376461306333313466656337636238303734386133353835633533393862373337323232393832
+37636531333136356636623461626231643130353634373764633736383835663939386536346137
+31363565616636323864333536616262363134613432643736616265306166306366656231356330
+36386162363036333035
diff --git a/ansible/numquam.yml b/ansible/numquam.yml
index 36ec607..c75987f 100644
--- a/ansible/numquam.yml
+++ b/ansible/numquam.yml
@@ -1,8 +1,28 @@
---
- hosts:
- numquam
- vars_files:
- - secrets.yml
roles:
- - superusers
- timezone
+ - superusers
+ tasks:
+ - name: timezone
+ import_role: name=timezone
+ tags: timezone
+ - name: superusers
+ import_role: name=superusers
+ tags: superusers
+ - name: unattended-upgrades
+ import_role: name=unattended-upgrades
+ tags: unattended-upgrades
+ - name: postgresql-server
+ import_role: name=postgresql-server
+ tags: postgresql-server
+ become: yes
+ - name: java8
+ import_role: name=java8
+ tags: java8
+ become: yes
+ - name: rosin
+ import_role: name=rosin
+ tags: rosin
+ become: yes
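Review bot: `timezone` and `superusers` now run twice per play: both remain in the `roles:` list (the context line `- timezone` and the re-added `- superusers`) and are imported again under `tasks:` via `import_role`. If the task-level imports were added so the roles can be tagged, drop them from `roles:`; otherwise drop the imports, e.g. keep only `tasks:` and remove the two `roles:` entries. The `import_role: name=timezone` key=value shorthand and `become: yes` should also be written in block YAML with real booleans (`import_role:` / `  name: timezone`, `become: true`), which is the convention the rest of the roles in this diff mostly follow.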
diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml
new file mode 100644
index 0000000..5248ca9
--- /dev/null
+++ b/ansible/roles/rosin/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+ become: yes
+ service:
+ name: nginx
+ state: reloaded
+
+- name: apt update
+ become: yes
+ apt:
+ update_cache: yes
diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml
new file mode 100644
index 0000000..7a9805b
--- /dev/null
+++ b/ansible/roles/rosin/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: rosin account
+ user:
+ name: rosin
+ shell: "/bin/bash"
+ createhome: no
+ home: /home/rosin
+ system: yes
+- name: nginx
+ tags: nginx
+ import_tasks: nginx.yml
+- name: rosin-db
+ tags: rosin-db
+ import_tasks: rosin-db.yml
+
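Review bot: The `rosin account` task combines `createhome: no` with `home: /home/rosin`, so the account is pointed at a directory that nothing in this role creates, and a `system: yes` service account is given `/bin/bash` as its login shell. Unless rosin needs interactive logins (not visible here), a non-login shell is the safer default: `shell: /usr/sbin/nologin`; if the home directory is genuinely required by the service, add a `file: { path: /home/rosin, state: directory, owner: rosin, mode: "0750" }` task or set `createhome: yes`. As in the playbook, `createhome: no` / `system: yes` should be `false` / `true`.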
diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml
new file mode 100644
index 0000000..8ef9145
--- /dev/null
+++ b/ansible/roles/rosin/tasks/nginx.yml
@@ -0,0 +1,31 @@
+---
+- name: Packages for nginx
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - nginx
+ - certbot
+ - python3-certbot-nginx
+
+- name: no default nginx site
+ notify: reload nginx
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: nginx config
+ notify: reload nginx
+ template:
+ dest: "/etc/nginx/sites-enabled/rosin.trygvis.io"
+ src: etc/nginx/sites-enabled/rosin.j2
+
+- name: docroot dir
+ file:
+ path: "/var/www/rosin"
+ state: directory
+
+#- name: docroot dir
+# copy:
+# dest: "/var/www/rosin/index.html"
+# src: "docroot/index.html"
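Review bot: The `docroot dir` task creates `/var/www/rosin` without `owner`, `group` or `mode`, so its permissions depend on the remote umask at the time the play runs; pin them explicitly, e.g. `owner: root`, `group: root`, `mode: "0755"`, since this directory is served by nginx. The `apt` tasks loop a single package per iteration with `with_items`; the module accepts a list directly (`name: [nginx, certbot, python3-certbot-nginx]`), which is the current idiom and installs them in one transaction. Note also that `certbot` and `python3-certbot-nginx` are installed here but nothing in this diff runs certbot, and the site template's TLS block is commented out — presumably a manual step, which is worth a comment on the package task so the dependency is not dropped later.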
diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml
new file mode 100644
index 0000000..be2eac1
--- /dev/null
+++ b/ansible/roles/rosin/tasks/rosin-db.yml
@@ -0,0 +1,36 @@
+---
+- name: packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - python-psycopg2
+ - python3-psycopg2
+- become: yes
+ become_user: postgres
+ vars:
+ ansible_ssh_pipelining: true
+ block:
+ - name: create-user rosin-prod
+ tags: update-password
+ postgresql_user:
+ name: rosin-prod
+ password: "{{ rosin_secret.db_password_rosin_prod }}"
+ encrypted: yes
+ - name: createdb rosin-prod
+ postgresql_db:
+ name: "rosin-prod"
+ encoding: "utf-8"
+ owner: "rosin-prod"
+ - name: enable uuid extension
+ postgresql_ext:
+ name: uuid-ossp
+ db: rosin-prod
+ - name: grant permissions
+ postgresql_privs:
+ database: rosin-prod
+ state: present
+ privs: USAGE
+ type: schema
+ objs: public
+ roles: rosin-prod
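Review bot: The `create-user rosin-prod` task passes `rosin_secret.db_password_rosin_prod` as a module argument without `no_log: true`, so a task failure or a verbose run prints the module arguments — including the vaulted password — to stdout and any configured log; add `no_log: true` to that task. The `packages` task installs both `python-psycopg2` (Python 2) and `python3-psycopg2`, while only the interpreter Ansible actually uses on the host needs the driver; pick the one matching `ansible_python_interpreter` to avoid carrying an unmaintained Python 2 stack. As with the other tasks, `become: yes` / `encrypted: yes` should be `true`.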
diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
new file mode 100644
index 0000000..a67899c
--- /dev/null
+++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
@@ -0,0 +1,52 @@
+# Managed by Ansible
+
+server {
+ server_name numquam.trygvis.io;
+
+# listen 443 default_server ssl;
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+# ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
+# ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
+# ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;
+
+ listen 80 default_server;
+
+ location / {
+ # Pløens gate 4
+ allow 77.40.158.96/27;
+ allow 2001:840:4b0b::/48;
+
+ # Cloudflare
+ allow 2400:cb00::/32;
+ allow 2405:8100::/32;
+ allow 2405:b500::/32;
+ allow 2606:4700::/32;
+ allow 2803:f800::/32;
+ allow 2c0f:f248::/32;
+ allow 2a06:98c0::/29;
+ allow 103.21.244.0/22;
+ allow 103.22.200.0/22;
+ allow 103.31.4.0/22;
+ allow 104.16.0.0/12;
+ allow 108.162.192.0/18;
+ allow 131.0.72.0/22;
+ allow 141.101.64.0/18;
+ allow 162.158.0.0/15;
+ allow 172.64.0.0/13;
+ allow 173.245.48.0/20;
+ allow 188.114.96.0/20;
+ allow 190.93.240.0/20;
+ allow 197.234.240.0/22;
+ allow 198.41.128.0/17;
+
+ deny all;
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:{{ rosin.http_port }};
+ }
+}
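Review bot: The allowlist in `location /` admits every published Cloudflare edge range, but any Cloudflare customer can point their own zone at this origin, so a Cloudflare source address alone does not prove the request came through the intended zone; in practice the list only keeps out direct non-Cloudflare clients. If Cloudflare is meant to front this host, enforce Authenticated Origin Pulls (`ssl_verify_client on` with Cloudflare's origin-pull CA) rather than relying on source IP, and restore the real client address (`set_real_ip_from` for the same ranges plus `real_ip_header CF-Connecting-IP`) so the office ranges on the first two `allow` lines can match proxied requests. The server only listens on port 80 with the TLS block commented out, so traffic to the origin is plaintext and `X-Forwarded-Proto $scheme` will always report `http` to the backend; a comment such as `# TODO: enable TLS after initial certbot run` would at least record that this is a temporary state.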
diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml
new file mode 100644
index 0000000..be784dc
--- /dev/null
+++ b/ansible/roles/rosin/vars/main.yml
@@ -0,0 +1,3 @@
+rosin:
+ http_port: 7410
+wat: awesome
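Review bot: `wat: awesome` looks like a leftover test value; variables in a role's `vars/main.yml` have high precedence and will be defined on every host the role runs on. Remove it, or if it is intentional, give it a name and a comment explaining what consumes it. The file should also start with `---` like the other YAML files in this change.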
diff --git a/ansible/roles/timezone/tasks/main.yml b/ansible/roles/timezone/tasks/main.yml
index 1279897..3b81702 100644
--- a/ansible/roles/timezone/tasks/main.yml
+++ b/ansible/roles/timezone/tasks/main.yml
@@ -5,4 +5,5 @@
src: /usr/share/zoneinfo/Europe/Oslo
dest: /etc/localtime
state: link
+ force: yes
notify: reconfigure tzdata
diff --git a/ansible/roles/unattended-upgrades/README.md b/ansible/roles/unattended-upgrades/README.md
new file mode 100644
index 0000000..eee9ff7
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/README.md
@@ -0,0 +1,109 @@
+# Original /etc/apt/apt.conf.d/50unattended-upgrades
+
+ // Unattended-Upgrade::Origins-Pattern controls which packages are
+ // upgraded.
+ //
+ // Lines below have the format format is "keyword=value,...". A
+ // package will be upgraded only if the values in its metadata match
+ // all the supplied keywords in a line. (In other words, omitted
+ // keywords are wild cards.) The keywords originate from the Release
+ // file, but several aliases are accepted. The accepted keywords are:
+ // a,archive,suite (eg, "stable")
+ // c,component (eg, "main", "contrib", "non-free")
+ // l,label (eg, "Debian", "Debian-Security")
+ // o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+ // n,codename (eg, "jessie", "jessie-updates")
+ // site (eg, "http.debian.net")
+ // The available values on the system are printed by the command
+ // "apt-cache policy", and can be debugged by running
+ // "unattended-upgrades -d" and looking at the log file.
+ //
+ // Within lines unattended-upgrades allows 2 macros whose values are
+ // derived from /etc/debian_version:
+ // ${distro_id} Installed origin.
+ // ${distro_codename} Installed codename (eg, "jessie")
+ Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ // "o=Debian,n=jessie";
+ // "o=Debian,n=jessie-updates";
+ // "o=Debian,n=jessie-proposed-updates";
+ // "o=Debian,n=jessie,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+ // "o=Debian,a=stable";
+ // "o=Debian,a=stable-updates";
+ // "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ };
+
+ // List of packages to not update (regexp are supported)
+ Unattended-Upgrade::Package-Blacklist {
+ // "vim";
+ // "libc6";
+ // "libc6-dev";
+ // "libc6-i686";
+ };
+
+ // This option allows you to control if on a unclean dpkg exit
+ // unattended-upgrades will automatically run
+ // dpkg --force-confold --configure -a
+ // The default is true, to ensure updates keep getting installed
+ //Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+ // Split the upgrade into the smallest possible chunks so that
+ // they can be interrupted with SIGUSR1. This makes the upgrade
+ // a bit slower but it has the benefit that shutdown while a upgrade
+ // is running is possible (with a small delay)
+ //Unattended-Upgrade::MinimalSteps "true";
+
+ // Install all unattended-upgrades when the machine is shuting down
+ // instead of doing it in the background while the machine is running
+ // This will (obviously) make shutdown slower
+ //Unattended-Upgrade::InstallOnShutdown "true";
+
+ // Send email to this address for problems or packages upgrades
+ // If empty or unset then no email is sent, make sure that you
+ // have a working mail setup on your system. A package that provides
+ // 'mailx' must be installed. E.g. "user@example.com"
+ //Unattended-Upgrade::Mail "root";
+
+ // Set this value to "true" to get emails only on errors. Default
+ // is to always send a mail if Unattended-Upgrade::Mail is set
+ //Unattended-Upgrade::MailOnlyOnError "true";
+
+ // Do automatic removal of new unused dependencies after the upgrade
+ // (equivalent to apt-get autoremove)
+ //Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+ // Automatically reboot *WITHOUT CONFIRMATION* if
+ // the file /var/run/reboot-required is found after the upgrade
+ //Unattended-Upgrade::Automatic-Reboot "false";
+
+ // Automatically reboot even if there are users currently logged in.
+ //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+ // If automatic reboot is enabled and needed, reboot at the specific
+ // time instead of immediately
+ // Default: "now"
+ //Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+ // Use apt bandwidth limit feature, this example limits the download
+ // speed to 70kb/sec
+ //Acquire::http::Dl-Limit "70";
+
+ // Enable logging to syslog. Default is False
+ // Unattended-Upgrade::SyslogEnable "false";
+
+ // Specify syslog facility. Default is daemon
+ // Unattended-Upgrade::SyslogFacility "daemon";
+
+# Original /etc/apt/apt.conf.d/20auto-upgrades
+
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+
diff --git a/ansible/roles/unattended-upgrades/tasks/main.yml b/ansible/roles/unattended-upgrades/tasks/main.yml
new file mode 100644
index 0000000..0bc02a1
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Packages for unattended upgrades
+ become: true
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - unattended-upgrades
+ - apt-listchanges
+
+- name: Configure /etc/apt/apt.conf.d/50unattended-upgrades
+ become: true
+ copy:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ content: |
+ Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian";
+ "origin=Debian,codename=${distro_codename}-updates,label=Debian";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=apt.postgresql.org,codename=${distro_codename}-pgdg,label=PostgreSQL for Debian/Ubuntu repository";
+ }
+ Unattended-Upgrade::MinimalSteps "False";
+ Unattended-Upgrade::Mail "{{ unattended_upgrades.mail }}";
+ Unattended-Upgrade::MailOnlyOnError "false";
+
+- name: Configure /etc/apt/apt.conf.d/20auto-upgrades
+ become: true
+ copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+
+- name: Configure /etc/apt/listchanges.conf
+ become: true
+ lineinfile:
+ dest: /etc/apt/listchanges.conf
+ line: "email_address={{ unattended_upgrades.mail }}"
+ regexp: "^email_address="
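Review bot: The generated `50unattended-upgrades` sets `Unattended-Upgrade::Mail` but the role installs no MTA and nothing that provides `mailx`, so on a host without a working mail setup the upgrade reports — and any failures — go nowhere silently; either add the mail stack to the package task or document the prerequisite in a comment above the task, e.g. `# Requires a working local MTA; unattended-upgrades only sends mail via mailx`. No `Unattended-Upgrade::Automatic-Reboot` setting is written, so kernel and libc security updates remain inactive until someone reboots manually; that is defensible, but since the Origins-Pattern now pulls the full `${distro_codename}` and `-updates` archives (not only `Debian-Security`), the host will install all package updates unattended while still depending on a human for the reboot, which deserves a comment stating the intent. As in the other roles, the `apt` task should pass the package list to `name:` rather than looping with `with_items`.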