Prefer include_role to avoid variables leaking from one role to another.

This commit is contained in:
Julien Palard 2019-12-16 22:03:57 +01:00
parent 664c763fc0
commit f6ec7baa3f
13 changed files with 111 additions and 199 deletions


@ -1,7 +1,8 @@
# Servers
Dependencies:
- tschifftner.exim4_sendonly from ansible galaxy
- tschifftner.exim4_sendonly
- julienpalard.nginx_letsencrypt
- https://github.com/laxathom/ansible-role-passbolt


@ -1,11 +1,11 @@
[gallery]
163.172.45.2
51.159.55.117
[pycons]
163.172.45.2
51.159.55.117
[rsnapshoters]
10.0.0.2 # Yes it's on my lan, I'm just testing.
[rsnapshotted]
163.172.45.2
51.159.55.117


@ -1,53 +1,65 @@
---
- hosts: all
roles: [common]
tasks:
- name: Common role
include_role: name=common
tags: common
- hosts: gallery
roles: [gallery]
vars:
gallery_https: true
tasks:
- name: Setup sigal of paullaroid.pycon.fr
include_role: name=gallery
vars:
gallery_https: true
gallery_user: gallery
gallery_domain: paullaroid.pycon.fr
gallery_repo: https://github.com/AFPy/pycon-fr-gallery.git
gallery_home: /srv/gallery/
- hosts: pycons
roles: [pelican]
vars:
pelican_user: pycon2010
pelican_https: true
pelican_domain: 2010.pycon.fr
pelican_repo: https://github.com/AFPy/pyconfr_2010
pelican_path_in_repo: 2010/
pelican_home: "/srv/{{ pelican_user }}/"
tasks:
- name: Setup PyCon Fr 2010
include_role: name=pelican
vars:
pelican_user: pycon2010
pelican_https: true
pelican_domain: 2010.pycon.fr
pelican_repo: https://github.com/AFPy/pyconfr_2010
pelican_path_in_repo: 2010/
pelican_home: "/srv/{{ pelican_user }}/"
- hosts: pycons
roles: [pelican]
vars:
pelican_user: pycon2011
pelican_https: true
pelican_domain: 2011.pycon.fr
pelican_repo: https://github.com/AFPy/pyconfr_2010
pelican_path_in_repo: 2011/
pelican_home: "/srv/{{ pelican_user }}/"
- name: Setup PyConFr 2011
include_role: name=pelican
vars:
pelican_user: pycon2011
pelican_https: true
pelican_domain: 2011.pycon.fr
pelican_repo: https://github.com/AFPy/pyconfr_2010
pelican_path_in_repo: 2011/
pelican_home: "/srv/{{ pelican_user }}/"
- hosts: pycons
roles: [static]
vars:
static_user: pycon2012
static_https: true
static_domain: 2012.pycon.fr
static_repo: https://github.com/AFPy/pyconfr_2012
- name: Setup PyConFr 2012
include_role: name=static
vars:
static_user: pycon2012
static_https: true
static_domain: 2012.pycon.fr
static_repo: https://github.com/AFPy/pyconfr_2012
- hosts: rsnapshoters
roles: [rsnapshoter]
vars:
rsnapshotted_hosts: "{{ groups.rsnapshotted }}"
rsnapshot_backups:
- remote: passbolt.afpy.org:/srv/backups/
path: passbolt.afpy.org/
- remote: passbolt.afpy.org:/srv/passbolt/www/webroot/img/public/
path: passbolt.afpy.org/
- remote: passbolt.afpy.org:/srv/passbolt/www/config/
path: passbolt.afpy.org/
tasks:
- name: Setup rsnapshot cron
include_role: name=rsnapshoter
vars:
rsnapshotted_hosts: "{{ groups.rsnapshotted }}"
rsnapshot_backups:
- remote: passbolt.afpy.org:/srv/backups/
path: passbolt.afpy.org/
- remote: passbolt.afpy.org:/srv/passbolt/www/webroot/img/public/
path: passbolt.afpy.org/
- remote: passbolt.afpy.org:/srv/passbolt/www/config/
path: passbolt.afpy.org/
- hosts: rsnapshotted
tasks:
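Review bot: The new `include_role` tasks are written in key=value shorthand (`include_role: name=common` under the first play, then `name=gallery`, `name=pelican`, `name=static`, `name=rsnapshoter`) while everything around them is block YAML; `include_role:` with `name: common` on the next line is the form ansible-lint expects and keeps the play uniform. The three `rsnapshot_backups` entries passed to the rsnapshoter include all use `path: passbolt.afpy.org/` for three different remotes; if the role treats `path` as the destination directory the syncs land in one place, so either a comment saying that is intended or distinct paths would help — the role's contract is not visible on this page. Only the common include carries `tags: common`; if the other includes are meant to be selectable with `--tags`, they need tags as well, and with `include_role` a tag on the task applies to the include itself unless `apply` is used to push it into the role's tasks.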


@ -1,61 +0,0 @@
---
- name: Remove /etc/apt/sources.list (May contain cdroms…)
file:
path: /etc/apt/sources.list
state: absent
- name: Add stretch repositories
apt_repository:
repo: "{{ item }}"
state: present
with_items:
- "deb http://ftp.fr.debian.org/debian/ stretch main non-free contrib"
- "deb http://security.debian.org/ stretch/updates main contrib non-free"
- "deb http://ftp.fr.debian.org/debian stretch-backports main"
- "deb http://ftp.fr.debian.org/debian stretch-updates main"
- name: Update via apt
apt: update_cache=yes
- name: apt-get some packages
apt:
state: present
name:
- aptitude
- ntp
- rsync
- fail2ban
- emacs25-nox
- vim-nox
- htop
- ncdu
- tcpdump
- python3
- python3-pip
- python3-dev
- python3-venv
- python3-setuptools
- python3-wheel
- sudo
- name: Set some authorized keys
authorized_key: user=root key="{{item}}"
with_items: "{{ authorized_keys }}"
- name: Drop mlocate or locate
apt:
name: ["mlocate", "locate"]
state: absent
- name: Drop all Python packages installed globally (Please use venvs)
file:
path: "/usr/local/lib/python{{ item }}"
state: absent
with_items:
- 2.7
- 3.3
- 3.4
- 3.5
- 3.6
- 3.7


@ -1,4 +1,50 @@
---
- include: common.yml
- block:
- name: Remove /etc/apt/sources.list (May contain cdroms…)
file:
path: /etc/apt/sources.list
state: absent
- name: Setup apt source list for buster
copy:
dest: /etc/apt/sources.list.d/debian.list
content: |
deb https://deb.debian.org/debian buster main non-free contrib
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb https://deb.debian.org/debian buster-updates main
- name: Update via apt
apt: update_cache=yes
- name: Install some usefull packages
apt:
state: present
name:
- aptitude
- ntp
- rsync
- fail2ban
- emacs25-nox
- vim-nox
- htop
- ncdu
- tcpdump
- python3
- python3-pip
- python3-dev
- python3-venv
- python3-setuptools
- python3-wheel
- sudo
- name: Set some authorized keys
authorized_key: user=root key="{{item}}"
with_items: "{{ authorized_keys }}"
- name: Ensure mlocate and locate are not installed
apt:
name: ["mlocate", "locate"]
state: absent
tags: common
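Review bot: `Set some authorized keys` in the new block only ever adds keys: `authorized_key` defaults to `state: present` and `exclusive` is unset, so an entry dropped from `authorized_keys` stays in root's authorized_keys on every host until someone removes it by hand. If `authorized_keys` is meant to be the complete set of root keys, collapse the loop into a single call with `exclusive: true` as below (the option is applied per iteration under `with_items`, so it must not be combined with the loop). While there, `apt: update_cache=yes` and the `authorized_key: user=root key="{{item}}"` line are key=value shorthand in an otherwise block-YAML file and would read better as block mappings with `true` rather than `yes`. The security sources line uses plain http where the two deb.debian.org lines use https; apt's signature check covers integrity, so that is a consistency point rather than a defect.
```yaml
    - name: Set some authorized keys
      authorized_key:
        user: root
        # one call with all keys joined by newlines, so exclusive sees the whole set
        key: '{{ authorized_keys | join("\n") }}'
        exclusive: true
    # … unchanged: remaining tasks of the block …
```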


@ -1,6 +1,6 @@
---
dependencies:
- role: letsencrypt
- role: julienpalard.nginx_letsencrypt
when: gallery_https
domains: "{{ gallery_domain }}"
certificates: "{{ [[ gallery_domain]] }}"
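Review bot: `certificates: "{{ [[ gallery_domain]] }}"` is missing the space before `]]` that the equivalent pelican and static meta files in this commit use (`[[ pelican_domain ]]`, `[[ static_domain ]]`); harmless to Jinja, but worth aligning across the three. The double bracket reads like a typo to anyone who does not know the galaxy role, so a one-line comment on each of the three dependencies would help, e.g. `# one inner list per certificate: the names that certificate covers` — assuming that is how julienpalard.nginx_letsencrypt reads `certificates`, which I could not confirm from this page. Here `when:` sits between `role:` and `certificates:` while pelican and static put it last; key order is not significant, but keeping the three files parallel makes them easier to diff.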


@ -8,7 +8,6 @@
- name: Gallery user
user:
name: "{{ gallery_user }}"
shell: /bin/false
system: yes
home: "{{ gallery_home }}"


@ -1,10 +0,0 @@
# Letsencrypt role
This role uses the standalone mode of certbot if no webserver is
running (typically during the first installation), else uses the nginx
module.
Note that existing certificates are renewed (using the nginx module)
as a cron task/systemd timer.
It creates snippets in `/etc/nginx/snippets/letsencrypt-{{ fqdn }}.conf`.


@ -1,56 +0,0 @@
---
- name: Install certbot
apt:
state: present
default_release: stretch-backports
name:
- certbot
- python-certbot-nginx
- name: Create ssl dhparam
command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
args:
creates: /etc/ssl/certs/dhparam.pem
- name: check if certificate exist
stat:
path: '/etc/letsencrypt/live/{{ item }}'
with_items: '{{ domains }}'
register: st
- name: check if nginx is running
stat:
path: /var/run/nginx.pid
register: ng
- name: create a new certificate
shell: 'certbot certonly --cert-name {{ item.item }} -n --agree-tos -d {{ item.item }} -m admin@meltygroup.com {{ ng.stat.exists | ternary("--nginx", "--standalone") }} --rsa-key-size 4096'
with_items: '{{ st.results }}'
when: not item.stat.exists
loop_control:
label: "{{ item.item }}"
- name: Create letsencrypt snippets
template:
src: letsencrypt.conf.j2
dest: '/etc/nginx/snippets/letsencrypt-{{ item.item }}.conf'
with_items: '{{ st.results }}'
loop_control:
label: "{{ item.item }}"
- name: Choose installer-nginx for the cron to work properly
lineinfile:
path: "/etc/letsencrypt/renewal/{{ item }}.conf"
state: present
regexp: '^installer ='
line: 'installer = nginx'
with_items: '{{ domains }}'
- name: Choose installer-nginx for the cron to work properly
lineinfile:
path: "/etc/letsencrypt/renewal/{{ item }}.conf"
state: present
regexp: '^authenticator ='
line: 'authenticator = nginx'
with_items: '{{ domains }}'


@ -1,4 +0,0 @@
---
- include: letsencrypt.yml
tags: letsencrypt


@ -1,19 +0,0 @@
#https://wiki.openssl.org/index.php/Manual:Ciphers(1)
# 2016-11 (afpy inspired) https://blog.imirhil.fr/2015/09/02/cryptcheck-verifiez-implementations-tls.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:ssl_session_cache:10m;
ssl_certificate /etc/letsencrypt/live/{{ item.item }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.item }}/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Uncomment to enable HSTS:
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
# Uncomment to enable CSPs:
# add_header Content-Security-Policy upgrade-insecure-requests;
# add_header Content-Security-Policy block-all-mixed-content;


@ -1,4 +1,6 @@
---
dependencies:
- { role: letsencrypt, domains: ["{{ pelican_domain }}"] }
- role: julienpalard.nginx_letsencrypt
certificates: "{{ [[ pelican_domain ]] }}"
when: pelican_https


@ -1,4 +1,6 @@
---
dependencies:
- { role: letsencrypt, domains: ["{{ static_domain }}"], when: static_https }
- role: julienpalard.nginx_letsencrypt
certificates: "{{ [[ static_domain ]] }}"
when: static_https