diff options
-rw-r--r-- | ansible/group_vars/all/unattended-upgrades.yml | 2 | ||||
-rw-r--r-- | ansible/host_vars/numquam/rosin_secret.yml | 9 | ||||
-rw-r--r-- | ansible/numquam.yml | 26 | ||||
-rw-r--r-- | ansible/roles/rosin/handlers/main.yml | 11 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/main.yml | 15 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/nginx.yml | 31 | ||||
-rw-r--r-- | ansible/roles/rosin/tasks/rosin-db.yml | 36 | ||||
-rw-r--r-- | ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 | 52 | ||||
-rw-r--r-- | ansible/roles/rosin/vars/main.yml | 3 | ||||
-rw-r--r-- | ansible/roles/timezone/tasks/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/unattended-upgrades/README.md | 109 | ||||
-rw-r--r-- | ansible/roles/unattended-upgrades/tasks/main.yml | 39 |
12 files changed, 331 insertions, 3 deletions
diff --git a/ansible/group_vars/all/unattended-upgrades.yml b/ansible/group_vars/all/unattended-upgrades.yml new file mode 100644 index 0000000..b3ca37a --- /dev/null +++ b/ansible/group_vars/all/unattended-upgrades.yml @@ -0,0 +1,2 @@ +unattended_upgrades: + mail: root@inamo.no diff --git a/ansible/host_vars/numquam/rosin_secret.yml b/ansible/host_vars/numquam/rosin_secret.yml new file mode 100644 index 0000000..fe2cc41 --- /dev/null +++ b/ansible/host_vars/numquam/rosin_secret.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +33393536373264646466653564653130343331366262646331333331343030346131363636386137 +3335323235633466366262656263383863396631353930370a653630376237633336656162356261 +61306633643233343133343135366233663237313365386163383039323830316430336463313739 +3466303364343931300a386232326561396534396464326339303061663236346532366639643037 +37376461306333313466656337636238303734386133353835633533393862373337323232393832 +37636531333136356636623461626231643130353634373764633736383835663939386536346137 +31363565616636323864333536616262363134613432643736616265306166306366656231356330 +36386162363036333035 diff --git a/ansible/numquam.yml b/ansible/numquam.yml index 36ec607..c75987f 100644 --- a/ansible/numquam.yml +++ b/ansible/numquam.yml @@ -1,8 +1,28 @@ --- - hosts: - numquam - vars_files: - - secrets.yml roles: - - superusers - timezone + - superusers + tasks: + - name: timezone + import_role: name=timezone + tags: timezone + - name: superusers + import_role: name=superusers + tags: superusers + - name: unattended-upgrades + import_role: name=unattended-upgrades + tags: unattended-upgrades + - name: postgresql-server + import_role: name=postgresql-server + tags: postgresql-server + become: yes + - name: java8 + import_role: name=java8 + tags: java8 + become: yes + - name: rosin + import_role: name=rosin + tags: rosin + become: yes diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml new file mode 100644 index 0000000..5248ca9 --- /dev/null +++ b/ansible/roles/rosin/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- name: reload nginx + become: yes + service: + name: nginx + state: reloaded + +- name: apt update + become: yes + apt: + update_cache: yes diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml new file mode 100644 index 0000000..7a9805b --- /dev/null +++ b/ansible/roles/rosin/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: rosin account + user: + name: rosin + shell: "/bin/bash" + createhome: no + home: /home/rosin + system: yes +- name: nginx + tags: nginx + import_tasks: nginx.yml +- name: rosin-db + tags: rosin-db + import_tasks: rosin-db.yml + diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml new file mode 100644 index 0000000..8ef9145 --- /dev/null +++ b/ansible/roles/rosin/tasks/nginx.yml @@ -0,0 +1,31 @@ +--- +- name: Packages for nginx + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - nginx + - certbot + - python3-certbot-nginx + +- name: no default nginx site + notify: reload nginx + file: + path: /etc/nginx/sites-enabled/default + state: absent + +- name: nginx config + notify: reload nginx + template: + dest: "/etc/nginx/sites-enabled/rosin.trygvis.io" + src: etc/nginx/sites-enabled/rosin.j2 + +- name: docroot dir + file: + path: "/var/www/rosin" + state: directory + +#- name: docroot dir +# copy: +# dest: "/var/www/rosin/index.html" +# src: "docroot/index.html" diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml new file mode 100644 index 0000000..be2eac1 --- /dev/null +++ b/ansible/roles/rosin/tasks/rosin-db.yml @@ -0,0 +1,36 @@ +--- +- name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - python-psycopg2 + - python3-psycopg2 +- become: yes + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: create-user rosin-prod + tags: update-password + postgresql_user: + name: rosin-prod + password: "{{ rosin_secret.db_password_rosin_prod }}" + encrypted: yes + - name: createdb rosin-prod + postgresql_db: + name: "rosin-prod" + encoding: "utf-8" + owner: "rosin-prod" + - name: enable uuid extension + postgresql_ext: + name: uuid-ossp + db: rosin-prod + - name: grant permissions + postgresql_privs: + database: rosin-prod + state: present + privs: USAGE + type: schema + objs: public + roles: rosin-prod diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 new file mode 100644 index 0000000..a67899c --- /dev/null +++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 @@ -0,0 +1,52 @@ +# Managed by Ansible + +server { + server_name numquam.trygvis.io; + +# listen 443 default_server ssl; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot +# ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; + + listen 80 default_server; + + location / { + # Pløens gate 4 + allow 77.40.158.96/27; + allow 2001:840:4b0b::/48; + + # Cloudflare + allow 2400:cb00::/32; + allow 2405:8100::/32; + allow 2405:b500::/32; + allow 2606:4700::/32; + allow 2803:f800::/32; + allow 2c0f:f248::/32; + allow 2a06:98c0::/29; + allow 103.21.244.0/22; + allow 103.22.200.0/22; + allow 103.31.4.0/22; + allow 104.16.0.0/12; + allow 108.162.192.0/18; + allow 131.0.72.0/22; + allow 141.101.64.0/18; + allow 162.158.0.0/15; + allow 172.64.0.0/13; + allow 173.245.48.0/20; + allow 188.114.96.0/20; + allow 190.93.240.0/20; + allow 197.234.240.0/22; + allow 198.41.128.0/17; + + deny all; + try_files $uri @proxy; + } + + location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://127.0.0.1:{{ rosin.http_port }}; + } +} diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml new file mode 100644 index 0000000..be784dc --- /dev/null +++ b/ansible/roles/rosin/vars/main.yml @@ -0,0 +1,3 @@ +rosin: + http_port: 7410 +wat: awesome diff --git a/ansible/roles/timezone/tasks/main.yml b/ansible/roles/timezone/tasks/main.yml index 1279897..3b81702 100644 --- a/ansible/roles/timezone/tasks/main.yml +++ b/ansible/roles/timezone/tasks/main.yml @@ -5,4 +5,5 @@ src: /usr/share/zoneinfo/Europe/Oslo dest: /etc/localtime state: link + force: yes notify: reconfigure tzdata diff --git a/ansible/roles/unattended-upgrades/README.md b/ansible/roles/unattended-upgrades/README.md new file mode 100644 index 0000000..eee9ff7 --- /dev/null +++ b/ansible/roles/unattended-upgrades/README.md @@ -0,0 +1,109 @@ +# Original /etc/apt/apt.conf.d/50unattended-upgrades + + // Unattended-Upgrade::Origins-Pattern controls which packages are + // upgraded. + // + // Lines below have the format format is "keyword=value,...". A + // package will be upgraded only if the values in its metadata match + // all the supplied keywords in a line. (In other words, omitted + // keywords are wild cards.) The keywords originate from the Release + // file, but several aliases are accepted. The accepted keywords are: + // a,archive,suite (eg, "stable") + // c,component (eg, "main", "contrib", "non-free") + // l,label (eg, "Debian", "Debian-Security") + // o,origin (eg, "Debian", "Unofficial Multimedia Packages") + // n,codename (eg, "jessie", "jessie-updates") + // site (eg, "http.debian.net") + // The available values on the system are printed by the command + // "apt-cache policy", and can be debugged by running + // "unattended-upgrades -d" and looking at the log file. + // + // Within lines unattended-upgrades allows 2 macros whose values are + // derived from /etc/debian_version: + // ${distro_id} Installed origin. + // ${distro_codename} Installed codename (eg, "jessie") + Unattended-Upgrade::Origins-Pattern { + // Codename based matching: + // This will follow the migration of a release through different + // archives (e.g. from testing to stable and later oldstable). + // "o=Debian,n=jessie"; + // "o=Debian,n=jessie-updates"; + // "o=Debian,n=jessie-proposed-updates"; + // "o=Debian,n=jessie,l=Debian-Security"; + + // Archive or Suite based matching: + // Note that this will silently match a different release after + // migration to the specified archive (e.g. testing becomes the + // new stable). + // "o=Debian,a=stable"; + // "o=Debian,a=stable-updates"; + // "o=Debian,a=proposed-updates"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; + }; + + // List of packages to not update (regexp are supported) + Unattended-Upgrade::Package-Blacklist { + // "vim"; + // "libc6"; + // "libc6-dev"; + // "libc6-i686"; + }; + + // This option allows you to control if on a unclean dpkg exit + // unattended-upgrades will automatically run + // dpkg --force-confold --configure -a + // The default is true, to ensure updates keep getting installed + //Unattended-Upgrade::AutoFixInterruptedDpkg "false"; + + // Split the upgrade into the smallest possible chunks so that + // they can be interrupted with SIGUSR1. This makes the upgrade + // a bit slower but it has the benefit that shutdown while a upgrade + // is running is possible (with a small delay) + //Unattended-Upgrade::MinimalSteps "true"; + + // Install all unattended-upgrades when the machine is shuting down + // instead of doing it in the background while the machine is running + // This will (obviously) make shutdown slower + //Unattended-Upgrade::InstallOnShutdown "true"; + + // Send email to this address for problems or packages upgrades + // If empty or unset then no email is sent, make sure that you + // have a working mail setup on your system. A package that provides + // 'mailx' must be installed. E.g. "user@example.com" + //Unattended-Upgrade::Mail "root"; + + // Set this value to "true" to get emails only on errors. Default + // is to always send a mail if Unattended-Upgrade::Mail is set + //Unattended-Upgrade::MailOnlyOnError "true"; + + // Do automatic removal of new unused dependencies after the upgrade + // (equivalent to apt-get autoremove) + //Unattended-Upgrade::Remove-Unused-Dependencies "false"; + + // Automatically reboot *WITHOUT CONFIRMATION* if + // the file /var/run/reboot-required is found after the upgrade + //Unattended-Upgrade::Automatic-Reboot "false"; + + // Automatically reboot even if there are users currently logged in. + //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; + + // If automatic reboot is enabled and needed, reboot at the specific + // time instead of immediately + // Default: "now" + //Unattended-Upgrade::Automatic-Reboot-Time "02:00"; + + // Use apt bandwidth limit feature, this example limits the download + // speed to 70kb/sec + //Acquire::http::Dl-Limit "70"; + + // Enable logging to syslog. Default is False + // Unattended-Upgrade::SyslogEnable "false"; + + // Specify syslog facility. Default is daemon + // Unattended-Upgrade::SyslogFacility "daemon"; + +# Original /etc/apt/apt.conf.d/20auto-upgrades + + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + diff --git a/ansible/roles/unattended-upgrades/tasks/main.yml b/ansible/roles/unattended-upgrades/tasks/main.yml new file mode 100644 index 0000000..0bc02a1 --- /dev/null +++ b/ansible/roles/unattended-upgrades/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: Packages for unattended upgrades + become: true + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - unattended-upgrades + - apt-listchanges + +- name: Configure /etc/apt/apt.conf.d/50unattended-upgrades + become: true + copy: + dest: /etc/apt/apt.conf.d/50unattended-upgrades + content: | + Unattended-Upgrade::Origins-Pattern { + "origin=Debian,codename=${distro_codename},label=Debian"; + "origin=Debian,codename=${distro_codename}-updates,label=Debian"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; + "origin=apt.postgresql.org,codename=${distro_codename}-pgdg,label=PostgreSQL for Debian/Ubuntu repository"; + } + Unattended-Upgrade::MinimalSteps "False"; + Unattended-Upgrade::Mail "{{ unattended_upgrades.mail }}"; + Unattended-Upgrade::MailOnlyOnError "false"; + +- name: Configure /etc/apt/apt.conf.d/20auto-upgrades + become: true + copy: + dest: /etc/apt/apt.conf.d/20auto-upgrades + content: | + APT::Periodic::Update-Package-Lists "1"; + APT::Periodic::Unattended-Upgrade "1"; + +- name: Configure /etc/apt/listchanges.conf + become: true + lineinfile: + dest: /etc/apt/listchanges.conf + line: "email_address={{ unattended_upgrades.mail }}" + regexp: "^email_address=" |