CU-cunmht[complete] Merge pull request #2 from bdebyl/CU-cunmht

CU-cunmht Updated README

README.md

@@ -31,4 +31,5 @@ updates in newest versions, etc._)
 | `deploy`    | Deploys everything, or only tasks specified in `TAGS=` environment variable          |
 | `check`     | Runs `deploy` in a "dry-run", showing diff-style outputs on tasks indicating changes |
 | `vault`     | Opens the Ansible vault file for editing                                             |
+| `lint-ci`   | Meant for use with `bdebyl/yamllint` (_see `.drone.yml`_)                            |
 

ansible/deploy_home.yml

@@ -4,5 +4,6 @@
   - vars/vault.yml
   roles:
   - role: common
+  - role: ssl
   - role: http
   - role: drone

ansible/roles/http/files/nginx/nginx.conf

@@ -29,10 +29,10 @@ http {
   gzip on;
   gzip_disable "mise6";
 
-  client_body_buffer_size     1k;
-  client_header_buffer_size   1k;
-  client_max_body_size        2k;
-  large_client_header_buffers 2 1k;
+  # client_body_buffer_size     1k;
+  # client_header_buffer_size   1k;
+  # client_max_body_size        2k;
+  # large_client_header_buffers 2 1k;
 
   add_header X-Frame-Options SAMEORIGIN;
   add_header X-Content-Type-Options nosniff;

ansible/roles/http/meta/main.yml

@@ -1,3 +1,3 @@
 ---
 dependencies:
-  - role: common
+  - role: ssl

ansible/roles/http/tasks/https.yml

@@ -0,0 +1,22 @@
+---
+- name: template nginx https sites-available
+  become: true
+  template:
+    src: "templates/nginx/sites/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+    mode: 0644
+  with_items:
+    - "{{ ci_server_name }}.https.conf"
+  tags: https
+
+- name: enable desired nginx https sites
+  become: true
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  with_items:
+    - "{{ ci_server_name }}.https.conf"
+  notify: restart_nginx
+  when: stat_result.stat.exists
+  tags: https

ansible/roles/http/tasks/main.yml

@@ -2,5 +2,4 @@
 - import_tasks: deps.yml
 - import_tasks: modsec.yml
 - import_tasks: http.yml
-- import_tasks: ssl.yml
-- import_tasks: cron.yml
+- import_tasks: https.yml

ansible/roles/http/tasks/ssl.yml

@@ -1,60 +0,0 @@
----
-- name: flush existing nginx https enabled sites
-  become: true
-  file:
-    path: "/etc/nginx/sites-enabled/{{ item }}"
-    state: absent
-  with_items:
-    - "{{ ci_server_name }}.https.conf"
-  notify: restart_nginx
-  tags: ssl
-
-- meta: flush_handlers
-  tags: ssl
-
-- name: generate openssl dhparam for nginx
-  become: true
-  command: |
-    openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
-  args:
-    creates: /etc/ssl/certs/dhparam.pem
-  tags: ssl
-
-- name: create ssl certificate for ci server
-  become: true
-  command: |
-    certbot certonly --webroot --webroot-path=/srv/http \
-    -m {{ ci_server_email }} --agree-tos \
-    -d {{ ci_server_name }}
-  args:
-    creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
-  tags: ssl
-
-- name: check if certbot certificate was created
-  become: true
-  stat:
-    path: "/etc/letsencrypt/live/{{ ci_server_name }}"
-  register: stat_result
-  tags: ssl
-
-- name: template nginx https sites-available
-  become: true
-  template:
-    src: "templates/nginx/sites/{{ item }}.j2"
-    dest: "/etc/nginx/sites-available/{{ item }}"
-    mode: 0644
-  with_items:
-    - "{{ ci_server_name }}.https.conf"
-  tags: ssl
-
-- name: enable desired nginx https sites
-  become: true
-  file:
-    src: "/etc/nginx/sites-available/{{ item }}"
-    dest: "/etc/nginx/sites-enabled/{{ item }}"
-    state: link
-  with_items:
-    - "{{ ci_server_name }}.https.conf"
-  notify: restart_nginx
-  when: stat_result.stat.exists
-  tags: ssl

ansible/roles/ssl/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: common

ansible/roles/ssl/tasks/certbot.yml

@@ -0,0 +1,25 @@
+---
+- name: generate openssl dhparam for nginx
+  become: true
+  command: |
+    openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
+  args:
+    creates: /etc/ssl/certs/dhparam.pem
+  tags: ssl
+
+- name: create ssl certificate for ci server
+  become: true
+  command: |
+    certbot certonly --webroot --webroot-path=/srv/http \
+    -m {{ ci_server_email }} --agree-tos \
+    -d {{ ci_server_name }}
+  args:
+    creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
+  tags: ssl
+
+- name: check if certbot certificate was created
+  become: true
+  stat:
+    path: "/etc/letsencrypt/live/{{ ci_server_name }}"
+  register: stat_result
+  tags: ssl

ansible/roles/ssl/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- import_tasks: certbot.yml
+- import_tasks: cron.yml