From 37d104f7d74fd7b5fd6b65caf6f4d0dcf0cd614a Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Sun, 25 Feb 2018 07:15:53 +0100 Subject: wip --- .gitmodules | 3 + ansible/.gitignore | 5 ++ ansible/ansible.cfg | 3 +- ansible/connection_plugins/lxc_ssh.py | 8 +-- ansible/connection_plugins/lxc_ssh.pyc | Bin 34768 -> 34788 bytes ansible/inventory | 11 +++- ansible/knot.yml | 2 + ansible/misc/ansible-vault-tools | 1 + ansible/mw.yml | 2 + .../etc/apache2/sites-enabled/000-default.conf | 56 +++++++++++++++++ ansible/roles/mw-backend/handlers/main.yml | 6 +- ansible/roles/mw-backend/tasks/main.yml | 67 +++++++++++++++++---- .../apache2/sites-available/mw.trygvis.io-ssl.conf | 7 ++- ansible/roles/mw-frontend/handlers/main.yml | 5 ++ ansible/roles/mw-frontend/tasks/main.yml | 23 +++++++ ansible/secrets.yml | 8 +++ 16 files changed, 185 insertions(+), 22 deletions(-) create mode 160000 ansible/misc/ansible-vault-tools create mode 100644 ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf create mode 100644 ansible/roles/mw-frontend/handlers/main.yml create mode 100644 ansible/secrets.yml diff --git a/.gitmodules b/.gitmodules index 795eb73..4e2cc60 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "knot/ssp/self-service-password"] path = knot/ssp/self-service-password url = https://github.com/ltb-project/self-service-password +[submodule "ansible/misc/ansible-vault-tools"] + path = ansible/misc/ansible-vault-tools + url = https://github.com/building5/ansible-vault-tools diff --git a/ansible/.gitignore b/ansible/.gitignore index a8b42eb..6fa6a9f 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -1 +1,6 @@ +*.not_encrypted *.retry +*.swp + +vault-password +vault-password.asc diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index c5caa3d..0da44ae 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,4 +1,5 @@ [defaults] become_method = sudo -inventory = ./hosts +inventory = ./inventory connection_plugins = ./connection_plugins +vault_password_file = vault-password diff --git a/ansible/connection_plugins/lxc_ssh.py b/ansible/connection_plugins/lxc_ssh.py index 9f93305..2bb5352 100644 --- a/ansible/connection_plugins/lxc_ssh.py +++ b/ansible/connection_plugins/lxc_ssh.py @@ -1167,11 +1167,11 @@ class Connection(ConnectionBase): cmd = ('cat > %s; echo -n done' % pipes.quote(out_path)) h = self.container_name if (self.lxc_version == 2): - lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): - lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) if in_data: @@ -1204,11 +1204,11 @@ class Connection(ConnectionBase): cmd = ('cat < %s' % pipes.quote(in_path)) h = self.container_name if (self.lxc_version == 2): - lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): - lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) diff --git a/ansible/connection_plugins/lxc_ssh.pyc b/ansible/connection_plugins/lxc_ssh.pyc index 01895c8..9696804 100644 Binary files a/ansible/connection_plugins/lxc_ssh.pyc and b/ansible/connection_plugins/lxc_ssh.pyc differ diff --git a/ansible/inventory b/ansible/inventory index 3aff9e0..ef29986 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -2,7 +2,14 @@ all: hosts: knot: ansible_host: knot.trygvis.io - mw: - ansible_host: mw.trygvis.io +# mw: +# ansible_host: mw.trygvis.io + children: + via_knot: + hosts: + mw: + ansible_host: knot.trygvis.io + ansible_connection: lxc_ssh + ansible_ssh_extra_args: mw # vim: set filetype=yaml: diff --git a/ansible/knot.yml b/ansible/knot.yml index 141542b..fa70876 100644 --- a/ansible/knot.yml +++ b/ansible/knot.yml @@ -1,5 +1,7 @@ --- - hosts: - knot + vars_files: + - secrets.yml roles: - mw-frontend diff --git a/ansible/misc/ansible-vault-tools b/ansible/misc/ansible-vault-tools new file mode 160000 index 0000000..1a7c781 --- /dev/null +++ b/ansible/misc/ansible-vault-tools @@ -0,0 +1 @@ +Subproject commit 1a7c7817dd3052b077fb6809e303e46d7b711df1 diff --git a/ansible/mw.yml b/ansible/mw.yml index d7e711a..c799529 100644 --- a/ansible/mw.yml +++ b/ansible/mw.yml @@ -1,6 +1,8 @@ --- - hosts: - mw + vars_files: + - secrets.yml roles: - mw-backend diff --git a/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf new file mode 100644 index 0000000..3823cf1 --- /dev/null +++ b/ansible/roles/mw-backend/files/etc/apache2/sites-enabled/000-default.conf @@ -0,0 +1,56 @@ +# Based on /etc/apache2/conf-available/mediawiki.conf + + + ServerName mw.trygvis.io + + ServerAdmin webmaster@trygvis.io + DocumentRoot /var/lib/mediawiki + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + Options +FollowSymLinks + AllowOverride All + = 2.3> + Require all granted + + + order allow,deny + allow from all + + + +# some directories must be protected + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + + Options -FollowSymLinks + AllowOverride None + + php_admin_flag engine off + + + php_admin_flag engine off + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml index 0298ff9..3588f2b 100644 --- a/ansible/roles/mw-backend/handlers/main.yml +++ b/ansible/roles/mw-backend/handlers/main.yml @@ -1,5 +1,9 @@ --- - name: update apt cache - become: yes apt: update_cache: yes + +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml index 799f0e5..a60f08d 100644 --- a/ansible/roles/mw-backend/tasks/main.yml +++ b/ansible/roles/mw-backend/tasks/main.yml @@ -1,21 +1,66 @@ --- - name: apt setup - tags: packages - become: yes + tags: + - mw-backend + - packages block: - copy: dest: /etc/apt/apt.conf.d/99force-ipv4 content: 'Acquire::ForceIPv4 "true";' notify: update apt cache + - name: configure debian repositories + notify: update apt cache + copy: + dest: /etc/apt/sources.list + content: | + deb http://httpredir.debian.org/debian/ stretch main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free - meta: flush_handlers -# - name: packages -# tags: packages -# become: yes -# apt: -# name: "{{ item }}" -# install_recommends: no -# with_items: -# - ping -# - apache2 + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - etckeeper + + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - iputils-ping + - vim-nox + - host + - less + +- name: Mediawiki + tags: + - mw-backend + - mediawiki + block: + - name: packages + notify: reload apache + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - git + - php-pgsql + - php-intl + - php-gd + - php-apcu + - mediawiki + - name: apache config + notify: reload apache + copy: + src: etc/apache2/sites-enabled/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf index 533c559..210cf2f 100644 --- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf +++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf @@ -20,11 +20,12 @@ allow from all + ProxyTimeout 600 ProxyPreserveHost On - ProxyPass / http://mw.trygvis.io/ + ProxyPass / http://10.0.3.2/ - SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io-0001/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io-0001/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf diff --git a/ansible/roles/mw-frontend/handlers/main.yml b/ansible/roles/mw-frontend/handlers/main.yml new file mode 100644 index 0000000..1b2172f --- /dev/null +++ b/ansible/roles/mw-frontend/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml index 40906ea..ee54719 100644 --- a/ansible/roles/mw-frontend/tasks/main.yml +++ b/ansible/roles/mw-frontend/tasks/main.yml @@ -1,8 +1,31 @@ --- - name: Apache config become: yes + tags: + - mw-frontend block: - name: apache config copy: src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf + - name: packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - python-psycopg2 + - name: postgresql db + become: yes + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: CREATE ROLE mediawiki + postgresql_user: + name: "mediawiki" + password: "{{ mediawiki_secrets.mediawiki_password }}" + encrypted: yes + - name: CREATE DATABASE mediawiki + postgresql_db: + name: "mediawiki" + encoding: "utf-8" diff --git a/ansible/secrets.yml b/ansible/secrets.yml new file mode 100644 index 0000000..e9350b8 --- /dev/null +++ b/ansible/secrets.yml @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +38343733333238303264656336313538633066346564646536383735313339383531386237663365 +6631623430383634363135616262653430326234616531390a343463303836383038353239376461 +63393233666438306634613366306363383934343934333537363932303235356234643035343065 +3863313664383437660a383761613566396536363339626532636332343539353639643336366662 +37666561376566613936353061343234376535633264353962383232616666666438396435363438 +66376461306532323333336638653339663361616437353538633538626561316535363636623939 +323934376164626335386463363836356661 -- cgit v1.2.3