Ansible playbook to deploy pycon galleries.
This commit is contained in:
parent
9f394ec22a
commit
adb93ecc5c
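--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,8 @@
+# Created by https://www.gitignore.io/api/ansible
+# Edit at https://www.gitignore.io/?templates=ansible
+
+### Ansible ###
+*.retry
+
+# End of https://www.gitignore.io/api/ansible
+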
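--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,2 @@
+[defaults]
+inventory = inventory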
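--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,6 @@
+---
+
+ansible_python_interpreter: "/usr/bin/python3"
+ansible_user: root
+authorized_keys:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKA7DgTQ0G7+kdsX0lIUOAAOllwGSCu8s8TxPvr/61Y8q+pIO5mrZycI0xYcKP5NZaABqlFyXUUNfLj7RLqteBxqq2QZP4NOJ1MutYRIkzJ9YW0f565jHaOqSguz0MY+1sCHtuEPiUUZoNexkKN7SIx60SfoaMEvGjAj46txA7VFbJUuKcJtA1Yvmn0C0KoXUUQ/G+JqvjQ7QuKLQYdTZ8S9OEvNaqNfwNSwvy1/LCnuajFw0O+H5bz7AcS5Iuj+9k8wgHPK1a1rQEdteOcn2XBCvta/VOVlFLv6/9K3iU3EJ1pyaZ88UkuJef8aWnH/AJGaF2gLqUbBuL+UeXyD41 julien+yubikey@palard.fr"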
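Review bot: `ansible_user: root` makes every play in this repository run over a direct root SSH login, and the `authorized_keys` list below it is consumed only to add keys to root's account (the `authorized_key` task in the common role hunk). Keeping root reachable over SSH is a legitimate choice for a single-purpose host, but the vars file should say so, e.g. `# Plays connect as root; sshd must keep PermitRootLogin prohibit-password`, so nobody later hardens sshd and breaks the deploy. If direct root login is not intended, a dedicated deploy user with `become: true` would confine root to sudo.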
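--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,4 @@
+---
+
+- hosts: gallery
+roles: [common, gallery]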
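--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,60 @@
+---
+
+- name: Remove /etc/apt/sources.list (May contain cdroms…)
+file:
+path: /etc/apt/sources.list
+state: absent
+
+- name: Add stretch repositories
+apt_repository:
+repo: "{{ item }}"
+state: present
+with_items:
+- "deb http://ftp.fr.debian.org/debian/ stretch main non-free contrib"
+- "deb http://security.debian.org/ stretch/updates main contrib non-free"
+- "deb http://ftp.fr.debian.org/debian stretch-backports main"
+- "deb http://ftp.fr.debian.org/debian stretch-updates main"
+
+- name: Update via apt
+apt: update_cache=yes
+
+- name: apt-get some packages
+apt:
+state: present
+name:
+- aptitude
+- ntp
+- rsync
+- fail2ban
+- emacs25-nox
+- vim-nox
+- htop
+- ncdu
+- tcpdump
+- python3
+- python3-pip
+- python3-dev
+- python3-venv
+- python3-setuptools
+- python3-wheel
+
+- name: Set some authorized keys
+authorized_key: user=root key="{{item}}"
+with_items: "{{ authorized_keys }}"
+
+- name: Drop mlocate or locate
+apt:
+name: ["mlocate", "locate"]
+state: absent
+
+- name: Drop all Python packages installed globall (Please use venvs)
+file:
+path: "/usr/local/lib/python{{ item }}"
+state: absent
+with_items:
+- 2.7
+- 3.3
+- 3.4
+- 3.5
+- 3.6
+- 3.7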
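Review bot: The `authorized_key: user=root key="{{item}}"` task only ever adds keys, so removing an entry from `authorized_keys` never revokes it on the hosts and key rotation or offboarding silently does nothing. Making the managed set authoritative means dropping the loop in favour of `key: "{{ authorized_keys | join('\n') }}"` with `exclusive: true`, because `exclusive` is not loop-aware and inside `with_items` would leave only the last key standing. Separately, the `with_items` values `2.7` … `3.7` under "Drop all Python packages installed globall" are unquoted floats that happen to render correctly today but would turn a future `3.10` into `3.1`, so quote them (`- "3.7"`); the task name also carries a typo ("globall"). The `apt: update_cache=yes` and `authorized_key: user=root ...` key=value forms would read more consistently as block YAML like the rest of this file.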
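--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-6
@@ -0,0 +1,4 @@
+---
+
+- include: common.yml
+tags: common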
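Review bot: `- include: common.yml` uses the bare `include` statement, which Ansible deprecated in 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); as far as I recall, the `tags: common` on the following line reaches the included tasks only with the static form. `- import_tasks: common.yml` keeps the current behaviour on current Ansible releases. The same applies to `- include: letsencrypt.yml` in the letsencrypt role's main.yml hunk further down.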
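--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-7
@@ -0,0 +1,7 @@
+---
+
+gallery_user: gallery
+gallery_https: false
+gallery_domain: paullaroid.pycon.fr
+gallery_repo: https://github.com/AFPy/pycon-fr-gallery.git
+gallery_home: /srv/gallery/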
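Review bot: `gallery_https: false` makes the default deployment a plain-HTTP vhost with no redirect, and because the letsencrypt role dependency in meta/main.yml is gated on this same flag, an inventory that forgets to override it ships paullaroid.pycon.fr without TLS and without any error. A one-line comment stating the intent, e.g. `# Override to true in inventory for the public host; false also skips the letsencrypt role`, would make the footgun visible. Also `gallery_home: /srv/gallery/` carries a trailing slash while every consumer appends `/repo` or `/venv`, yielding `/srv/gallery//repo`; dropping the slash keeps the paths canonical.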
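--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-8
@@ -0,0 +1,4 @@
+---
+
+- name: reload nginx
+service: name=nginx state=reloaded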
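--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-9
@@ -0,0 +1,6 @@
+---
+
+dependencies:
+- role: letsencrypt
+when: gallery_https
+domains: "{{ gallery_domain }}"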
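Review bot: `domains: "{{ gallery_domain }}"` hands the letsencrypt role a single string, but that role iterates it with `with_items: '{{ domains }}'` in three tasks; `with_items` happens to wrap a scalar into a one-element list, so this works by accident and would break under `loop:`. Passing a list, `domains: ["{{ gallery_domain }}"]`, makes the contract explicit and matches the role's iteration.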
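--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-10
@@ -0,0 +1,51 @@
+---
+
+- name: Install nginx
+apt:
+name: [nginx, git, python3, python3-venv]
+state: present
+
+- name: Gallery user
+user:
+name: "{{ gallery_user }}"
+shell: /bin/false
+system: yes
+home: "{{ gallery_home }}"
+
+- name: Clone gallery repo
+git:
+repo: "{{ gallery_repo }}"
+dest: "{{ gallery_home }}/repo"
+register: clone_repo
+
+- name: pip install sigal
+pip:
+name: sigal
+virtualenv_command: /usr/bin/python3 -m venv
+virtualenv: "{{ gallery_home }}/venv"
+
+- name: Ensure sigal can write in its output dir
+file:
+path: "{{ gallery_home }}/repo/_build/"
+state: directory
+owner: "{{ gallery_user }}"
+mode: 0755
+
+- name: Build gallery
+when: clone_repo.changed
+command: "{{ gallery_home }}/venv/bin/sigal build"
+args:
+chdir: "{{ gallery_home }}/repo"
+become: true
+become_method: su
+become_user: "{{ gallery_user }}"
+become_flags: "-s /bin/sh"
+
+- name: Configure nginx
+template:
+src: nginx-vhost
+dest: "/etc/nginx/conf.d/{{ gallery_domain }}.conf"
+owner: root
+group: root
+mode: 0644
+notify: reload nginx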
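Review bot: Neither the `git:` clone (`repo: "{{ gallery_repo }}"` with no `version:`) nor `pip: name: sigal` pins what gets deployed, so every run fetches whatever the default branch and PyPI currently serve, and `when: clone_repo.changed` then rebuilds the site on any upstream push. Pinning `version: "<tag or commit>"` on the git task and `name: "sigal==<version>"` on the pip task makes the deployment reproducible and turns an unexpected upstream change into a deliberate upgrade step rather than an automatic one. `system: yes` on the user task is a YAML 1.1 truthy value; write `system: true` to match the `become: true` below. `mode: 0755` and `mode: 0644` depend on the leading-zero octal literal; `mode: "0755"` is the form that survives reformatting tools.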
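--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-11
@@ -0,0 +1,33 @@
+{% if gallery_https %}
+server {
+listen 80;
+server_name {{ gallery_domain }};
+
+location / {
+return 301 https://{{ gallery_domain }}$request_uri;
+}
+}
+
+server
+{
+listen 443 ssl;
+server_name {{ gallery_domain }};
+
+include snippets/letsencrypt-{{ gallery_domain }}.conf;
+
+location / {
+root {{ gallery_home }}/repo/_build/;
+try_files $uri $uri/ =404;
+}
+}
+{% else %}
+server {
+listen 80;
+server_name {{ gallery_domain }};
+
+location / {
+root {{ gallery_home }}/repo/_build/;
+try_files $uri $uri/ =404;
+}
+}
+{% endif %}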
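--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-12
@@ -0,0 +1,56 @@
+---
+
+- name: Install certbot
+apt:
+state: present
+default_release: stretch-backports
+name:
+- certbot
+- python-certbot-nginx
+
+- name: Create ssl dhparam
+command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+args:
+creates: /etc/ssl/certs/dhparam.pem
+
+- name: check if certificate exist
+stat:
+path: '/etc/letsencrypt/live/{{ item }}'
+with_items: '{{ domains }}'
+register: st
+
+- name: check if nginx is running
+stat:
+path: /var/run/nginx.pid
+register: ng
+
+- name: create a new certificate
+shell: 'certbot certonly --cert-name {{ item.item }} -n --agree-tos -d {{ item.item }} -m admin@meltygroup.com {{ ng.stat.exists | ternary("--nginx", "--standalone") }} --rsa-key-size 4096'
+with_items: '{{ st.results }}'
+when: not item.stat.exists
+loop_control:
+label: "{{ item.item }}"
+
+- name: Create letsencrypt snippets
+template:
+src: letsencrypt.conf.j2
+dest: '/etc/nginx/snippets/letsencrypt-{{ item.item }}.conf'
+with_items: '{{ st.results }}'
+loop_control:
+label: "{{ item.item }}"
+
+- name: Choose installer-nginx for the cron to work properly
+lineinfile:
+path: "/etc/letsencrypt/renewal/{{ item }}.conf"
+state: present
+regexp: '^installer ='
+line: 'installer = nginx'
+with_items: '{{ domains }}'
+
+- name: Choose installer-nginx for the cron to work properly
+lineinfile:
+path: "/etc/letsencrypt/renewal/{{ item }}.conf"
+state: present
+regexp: '^authenticator ='
+line: 'authenticator = nginx'
+with_items: '{{ domains }}'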
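Review bot: The `create a new certificate` task uses `shell:` although the command needs no shell feature — the `ternary` filter is resolved by Jinja before anything runs — so `command:` is the right module and keeps the templated domain name out of shell word-splitting. The contact address `-m admin@meltygroup.com` is hard-coded and appears to belong to a different organisation than this repository's, which is where Let's Encrypt expiry warnings would go; make it a role variable, e.g. `-m {{ letsencrypt_email }}` with the value in defaults. The two `lineinfile` tasks share the name `Choose installer-nginx for the cron to work properly` although the second one sets `authenticator = nginx`; renaming it (e.g. `Choose authenticator-nginx so renewals validate through nginx`) keeps run output readable. Forcing `authenticator = nginx` after a `--standalone` issuance also changes how renewals validate, which looks intended here since nginx is up once the gallery role finishes, but a comment on that task would save the next reader the inference.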
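--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-13
@@ -0,0 +1,4 @@
+---
+
+- include: letsencrypt.yml
+tags: letsencrypt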
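--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-14
@@ -0,0 +1,19 @@
+#https://wiki.openssl.org/index.php/Manual:Ciphers(1)
+
+# 2016-11 (afpy inspired) https://blog.imirhil.fr/2015/09/02/cryptcheck-verifiez-implementations-tls.html
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH";
+ssl_protocols TLSv1.1 TLSv1.2;
+
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:ssl_session_cache:10m;
+ssl_certificate /etc/letsencrypt/live/{{ item.item }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ item.item }}/privkey.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Uncomment to enable HSTS:
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+# Uncomment to enable CSPs:
+# add_header Content-Security-Policy upgrade-insecure-requests;
+# add_header Content-Security-Policy block-all-mixed-content;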