Prefer include_role to avoid variables leaking from a role to another.
This commit is contained in:
parent
664c763fc0
commit
f6ec7baa3f
|
@ -1,7 +1,8 @@
|
|||
# Servers
|
||||
|
||||
Dependencies:
|
||||
- tschifftner.exim4_sendonly from ansible galaxy
|
||||
- tschifftner.exim4_sendonly
|
||||
- julienpalard.nginx_letsencrypt
|
||||
- https://github.com/laxathom/ansible-role-passbolt
|
||||
|
||||
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
[gallery]
|
||||
163.172.45.2
|
||||
51.159.55.117
|
||||
|
||||
[pycons]
|
||||
163.172.45.2
|
||||
51.159.55.117
|
||||
|
||||
[rsnapshoters]
|
||||
10.0.0.2 # Yes it's on my lan, I'm just testing.
|
||||
|
||||
[rsnapshotted]
|
||||
163.172.45.2
|
||||
51.159.55.117
|
||||
|
|
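Review bot: `10.0.0.2` under `[rsnapshoters]` is a private LAN address committed to the shared inventory with an aside saying it is only for testing; a plain `ansible-playbook` run will still configure it to pull from every host in `rsnapshotted` (the playbook derives `rsnapshotted_hosts` from `groups.rsnapshotted`), so a throwaway machine ends up holding copies of the production backups, including the Passbolt directories listed in the playbook. Keep the test host in a separate, uncommitted inventory file or exclude it with `--limit`, and replace the aside with a comment that states the requirement, e.g. `# rsnapshot pull host: holds full copies of the backed-up hosts, harden it accordingly`.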
90
playbook.yml
90
playbook.yml
|
@ -1,53 +1,65 @@
|
|||
---
|
||||
|
||||
|
||||
- hosts: all
|
||||
roles: [common]
|
||||
tasks:
|
||||
- name: Common role
|
||||
include_role: name=common
|
||||
tags: common
|
||||
|
||||
- hosts: gallery
|
||||
roles: [gallery]
|
||||
vars:
|
||||
gallery_https: true
|
||||
tasks:
|
||||
- name: Setup sigal of paullaroid.pycon.fr
|
||||
include_role: name=gallery
|
||||
vars:
|
||||
gallery_https: true
|
||||
gallery_user: gallery
|
||||
gallery_domain: paullaroid.pycon.fr
|
||||
gallery_repo: https://github.com/AFPy/pycon-fr-gallery.git
|
||||
gallery_home: /srv/gallery/
|
||||
|
||||
- hosts: pycons
|
||||
roles: [pelican]
|
||||
vars:
|
||||
pelican_user: pycon2010
|
||||
pelican_https: true
|
||||
pelican_domain: 2010.pycon.fr
|
||||
pelican_repo: https://github.com/AFPy/pyconfr_2010
|
||||
pelican_path_in_repo: 2010/
|
||||
pelican_home: "/srv/{{ pelican_user }}/"
|
||||
tasks:
|
||||
- name: Setup PyCon Fr 2010
|
||||
include_role: name=pelican
|
||||
vars:
|
||||
pelican_user: pycon2010
|
||||
pelican_https: true
|
||||
pelican_domain: 2010.pycon.fr
|
||||
pelican_repo: https://github.com/AFPy/pyconfr_2010
|
||||
pelican_path_in_repo: 2010/
|
||||
pelican_home: "/srv/{{ pelican_user }}/"
|
||||
|
||||
- hosts: pycons
|
||||
roles: [pelican]
|
||||
vars:
|
||||
pelican_user: pycon2011
|
||||
pelican_https: true
|
||||
pelican_domain: 2011.pycon.fr
|
||||
pelican_repo: https://github.com/AFPy/pyconfr_2010
|
||||
pelican_path_in_repo: 2011/
|
||||
pelican_home: "/srv/{{ pelican_user }}/"
|
||||
- name: Setup PyConFr 2011
|
||||
include_role: name=pelican
|
||||
vars:
|
||||
pelican_user: pycon2011
|
||||
pelican_https: true
|
||||
pelican_domain: 2011.pycon.fr
|
||||
pelican_repo: https://github.com/AFPy/pyconfr_2010
|
||||
pelican_path_in_repo: 2011/
|
||||
pelican_home: "/srv/{{ pelican_user }}/"
|
||||
|
||||
- hosts: pycons
|
||||
roles: [static]
|
||||
vars:
|
||||
static_user: pycon2012
|
||||
static_https: true
|
||||
static_domain: 2012.pycon.fr
|
||||
static_repo: https://github.com/AFPy/pyconfr_2012
|
||||
- name: Setup PyConFr 2012
|
||||
include_role: name=static
|
||||
vars:
|
||||
static_user: pycon2012
|
||||
static_https: true
|
||||
static_domain: 2012.pycon.fr
|
||||
static_repo: https://github.com/AFPy/pyconfr_2012
|
||||
|
||||
- hosts: rsnapshoters
|
||||
roles: [rsnapshoter]
|
||||
vars:
|
||||
rsnapshotted_hosts: "{{ groups.rsnapshotted }}"
|
||||
rsnapshot_backups:
|
||||
- remote: passbolt.afpy.org:/srv/backups/
|
||||
path: passbolt.afpy.org/
|
||||
- remote: passbolt.afpy.org:/srv/passbolt/www/webroot/img/public/
|
||||
path: passbolt.afpy.org/
|
||||
- remote: passbolt.afpy.org:/srv/passbolt/www/config/
|
||||
path: passbolt.afpy.org/
|
||||
tasks:
|
||||
- name: Setup rsnapshot cron
|
||||
include_role: name=rsnapshoter
|
||||
vars:
|
||||
rsnapshotted_hosts: "{{ groups.rsnapshotted }}"
|
||||
rsnapshot_backups:
|
||||
- remote: passbolt.afpy.org:/srv/backups/
|
||||
path: passbolt.afpy.org/
|
||||
- remote: passbolt.afpy.org:/srv/passbolt/www/webroot/img/public/
|
||||
path: passbolt.afpy.org/
|
||||
- remote: passbolt.afpy.org:/srv/passbolt/www/config/
|
||||
path: passbolt.afpy.org/
|
||||
|
||||
- hosts: rsnapshotted
|
||||
tasks:
|
||||
|
|
|
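Review bot: The rsnapshot play now pulls `passbolt.afpy.org:/srv/passbolt/www/config/` onto every host in `rsnapshoters`, and nothing in the play restricts or encrypts that copy; the Passbolt config tree presumably holds database credentials and server key material, so each backup host becomes as sensitive as the password manager itself. A comment on that entry would make this explicit for whoever adds a host to the group, e.g. `# Passbolt config: contains secrets, treat the backup host like passbolt itself`. On style, the shorthand `include_role: name=rsnapshoter` mixes key=value strings with the block YAML used for `vars:`; `include_role:` followed by `  name: rsnapshoter` matches the rest of the file and lints clean. The final play (`hosts: rsnapshotted`) continues outside the hunk.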
@ -1,61 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Remove /etc/apt/sources.list (May contain cdroms…)
|
||||
file:
|
||||
path: /etc/apt/sources.list
|
||||
state: absent
|
||||
|
||||
- name: Add stretch repositories
|
||||
apt_repository:
|
||||
repo: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- "deb http://ftp.fr.debian.org/debian/ stretch main non-free contrib"
|
||||
- "deb http://security.debian.org/ stretch/updates main contrib non-free"
|
||||
- "deb http://ftp.fr.debian.org/debian stretch-backports main"
|
||||
- "deb http://ftp.fr.debian.org/debian stretch-updates main"
|
||||
|
||||
- name: Update via apt
|
||||
apt: update_cache=yes
|
||||
|
||||
- name: apt-get some packages
|
||||
apt:
|
||||
state: present
|
||||
name:
|
||||
- aptitude
|
||||
- ntp
|
||||
- rsync
|
||||
- fail2ban
|
||||
- emacs25-nox
|
||||
- vim-nox
|
||||
- htop
|
||||
- ncdu
|
||||
- tcpdump
|
||||
- python3
|
||||
- python3-pip
|
||||
- python3-dev
|
||||
- python3-venv
|
||||
- python3-setuptools
|
||||
- python3-wheel
|
||||
- sudo
|
||||
|
||||
- name: Set some authorized keys
|
||||
authorized_key: user=root key="{{item}}"
|
||||
with_items: "{{ authorized_keys }}"
|
||||
|
||||
- name: Drop mlocate or locate
|
||||
apt:
|
||||
name: ["mlocate", "locate"]
|
||||
state: absent
|
||||
|
||||
- name: Drop all Python packages installed globally (Please use venvs)
|
||||
file:
|
||||
path: "/usr/local/lib/python{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- 2.7
|
||||
- 3.3
|
||||
- 3.4
|
||||
- 3.5
|
||||
- 3.6
|
||||
- 3.7
|
|
@ -1,4 +1,50 @@
|
|||
---
|
||||
|
||||
- include: common.yml
|
||||
- block:
|
||||
- name: Remove /etc/apt/sources.list (May contain cdroms…)
|
||||
file:
|
||||
path: /etc/apt/sources.list
|
||||
state: absent
|
||||
|
||||
- name: Setup apt source list for buster
|
||||
copy:
|
||||
dest: /etc/apt/sources.list.d/debian.list
|
||||
content: |
|
||||
deb https://deb.debian.org/debian buster main non-free contrib
|
||||
deb http://security.debian.org/debian-security buster/updates main contrib non-free
|
||||
deb https://deb.debian.org/debian buster-updates main
|
||||
|
||||
- name: Update via apt
|
||||
apt: update_cache=yes
|
||||
|
||||
- name: Install some usefull packages
|
||||
apt:
|
||||
state: present
|
||||
name:
|
||||
- aptitude
|
||||
- ntp
|
||||
- rsync
|
||||
- fail2ban
|
||||
- emacs25-nox
|
||||
- vim-nox
|
||||
- htop
|
||||
- ncdu
|
||||
- tcpdump
|
||||
- python3
|
||||
- python3-pip
|
||||
- python3-dev
|
||||
- python3-venv
|
||||
- python3-setuptools
|
||||
- python3-wheel
|
||||
- sudo
|
||||
|
||||
- name: Set some authorized keys
|
||||
authorized_key: user=root key="{{item}}"
|
||||
with_items: "{{ authorized_keys }}"
|
||||
|
||||
- name: Ensure mlocate and locate are not installed
|
||||
apt:
|
||||
name: ["mlocate", "locate"]
|
||||
state: absent
|
||||
|
||||
tags: common
|
||||
|
|
|
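Review bot: The new `debian.list` fetches `deb.debian.org` over HTTPS but `security.debian.org/debian-security` over plain HTTP; apt's signature check keeps the integrity guarantee, yet the security feed is the one an on-path observer most wants to watch or delay, and the mix looks accidental — `deb https://security.debian.org/debian-security buster/updates main contrib non-free` if the mirror serves TLS. The `authorized_key` task in the same block adds `authorized_keys` to root one by one without `exclusive`, so a key dropped from the variable is never revoked on the hosts; if the variable is the full intended set, pass them in one call as `key: "{{ authorized_keys | join('\n') }}"` with `exclusive: true` (exclusive is not safe inside a `with_items` loop, each iteration would wipe the others). `apt: update_cache=yes` is the one remaining key=value string in a block written in block YAML; `apt:` / `  update_cache: true` matches the surrounding tasks.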
@ -1,6 +1,6 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- role: letsencrypt
|
||||
- role: julienpalard.nginx_letsencrypt
|
||||
when: gallery_https
|
||||
domains: "{{ gallery_domain }}"
|
||||
certificates: "{{ [[ gallery_domain]] }}"
|
||||
|
|
|
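Review bot: The dependency now pulls `julienpalard.nginx_letsencrypt` from Ansible Galaxy, but nothing visible pins a version — the README lists the roles by name only — so every fresh install of this infra runs whatever the latest upload of that role is, as root, on hosts that hold the TLS private keys. Add a `requirements.yml` with `version:` pinned to a tag (and the matching `ansible-galaxy install -r requirements.yml` step in the README), and note it here, e.g. `# version pinned in requirements.yml; bump deliberately`. The `certificates: "{{ [[ gallery_domain]] }}"` list-of-lists shape is presumably what the role expects for grouping SANs onto one certificate; a one-line comment saying so would spare the next reader a trip to the role's README.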
@ -8,7 +8,6 @@
|
|||
- name: Gallery user
|
||||
user:
|
||||
name: "{{ gallery_user }}"
|
||||
shell: /bin/false
|
||||
system: yes
|
||||
home: "{{ gallery_home }}"
|
||||
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
# Letsencrypt role
|
||||
|
||||
This role uses the standalone mode of certbot if no webserver is
|
||||
running (typically during the first installation), else uses the nginx
|
||||
module.
|
||||
|
||||
Note that existing certificates are renewed (using the nginx module)
|
||||
as a cron task/systemd timer.
|
||||
|
||||
It creates snippets in `/etc/nginx/snippets/letsencrypt-{{ fqdn }}.conf`.
|
|
@ -1,56 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install certbot
|
||||
apt:
|
||||
state: present
|
||||
default_release: stretch-backports
|
||||
name:
|
||||
- certbot
|
||||
- python-certbot-nginx
|
||||
|
||||
- name: Create ssl dhparam
|
||||
command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
|
||||
args:
|
||||
creates: /etc/ssl/certs/dhparam.pem
|
||||
|
||||
- name: check if certificate exist
|
||||
stat:
|
||||
path: '/etc/letsencrypt/live/{{ item }}'
|
||||
with_items: '{{ domains }}'
|
||||
register: st
|
||||
|
||||
- name: check if nginx is running
|
||||
stat:
|
||||
path: /var/run/nginx.pid
|
||||
register: ng
|
||||
|
||||
- name: create a new certificate
|
||||
shell: 'certbot certonly --cert-name {{ item.item }} -n --agree-tos -d {{ item.item }} -m admin@meltygroup.com {{ ng.stat.exists | ternary("--nginx", "--standalone") }} --rsa-key-size 4096'
|
||||
with_items: '{{ st.results }}'
|
||||
when: not item.stat.exists
|
||||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
|
||||
- name: Create letsencrypt snippets
|
||||
template:
|
||||
src: letsencrypt.conf.j2
|
||||
dest: '/etc/nginx/snippets/letsencrypt-{{ item.item }}.conf'
|
||||
with_items: '{{ st.results }}'
|
||||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
|
||||
- name: Choose installer-nginx for the cron to work properly
|
||||
lineinfile:
|
||||
path: "/etc/letsencrypt/renewal/{{ item }}.conf"
|
||||
state: present
|
||||
regexp: '^installer ='
|
||||
line: 'installer = nginx'
|
||||
with_items: '{{ domains }}'
|
||||
|
||||
- name: Choose installer-nginx for the cron to work properly
|
||||
lineinfile:
|
||||
path: "/etc/letsencrypt/renewal/{{ item }}.conf"
|
||||
state: present
|
||||
regexp: '^authenticator ='
|
||||
line: 'authenticator = nginx'
|
||||
with_items: '{{ domains }}'
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
- include: letsencrypt.yml
|
||||
tags: letsencrypt
|
|
@ -1,19 +0,0 @@
|
|||
#https://wiki.openssl.org/index.php/Manual:Ciphers(1)
|
||||
|
||||
# 2016-11 (afpy inspired) https://blog.imirhil.fr/2015/09/02/cryptcheck-verifiez-implementations-tls.html
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH";
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:ssl_session_cache:10m;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ item.item }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ item.item }}/privkey.pem;
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
|
||||
# Uncomment to enable HSTS:
|
||||
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||
|
||||
# Uncomment to enable CSPs:
|
||||
# add_header Content-Security-Policy upgrade-insecure-requests;
|
||||
# add_header Content-Security-Policy block-all-mixed-content;
|
|
@ -1,4 +1,6 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- { role: letsencrypt, domains: ["{{ pelican_domain }}"] }
|
||||
- role: julienpalard.nginx_letsencrypt
|
||||
certificates: "{{ [[ pelican_domain ]] }}"
|
||||
when: pelican_https
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- { role: letsencrypt, domains: ["{{ static_domain }}"], when: static_https }
|
||||
- role: julienpalard.nginx_letsencrypt
|
||||
certificates: "{{ [[ static_domain ]] }}"
|
||||
when: static_https
|
||||
|
|