From c560d6cc9b171a3357440b65973184a84e6886a7 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Fri, 25 Sep 2020 23:52:06 -0400
Subject: [PATCH 1/5] CU-cunmht Updated README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ea1798f..62806cb 100644
--- a/README.md
+++ b/README.md
@@ -31,4 +31,5 @@ updates in newest versions, etc._)
 | `deploy` | Deploys everything, or only tasks specified in `TAGS=` environment variable |
 | `check` | Runs `deploy` in a "dry-run", showing diff-style outputs on tasks indicating changes |
 | `vault` | Opens the Ansible vault file for editing |
+| `lint-ci` | Meant for use with `bdebyl/yamllint` (_see `.drone.yml`_) |
From 1cbfb80544762f20ed68a79a7c87516b43b8f5fa Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Fri, 25 Sep 2020 23:55:02 -0400
Subject: [PATCH 2/5] CU-cunmht Updated limiting sizes in nginx.conf
---
 ansible/roles/http/files/nginx/nginx.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf
index 8fc5fbd..6752ac7 100644
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ b/ansible/roles/http/files/nginx/nginx.conf
@@ -29,10 +29,10 @@ http {
 gzip on;
 gzip_disable "mise6";
- client_body_buffer_size 1k;
- client_header_buffer_size 1k;
- client_max_body_size 2k;
- large_client_header_buffers 2 1k;
+ # client_body_buffer_size 1k;
+ # client_header_buffer_size 1k;
+ # client_max_body_size 2k;
+ # large_client_header_buffers 2 1k;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
From bb9ec41f70017d92c3bd69ec92b0b748bcd09703 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Fri, 25 Sep 2020 23:57:30 -0400
Subject: [PATCH 3/5] CU-cunmht Updated .drone.yml
---
 .drone.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index b0f6ba4..ab3ead5 100644
--- a/.drone.yml
+++ b/.drone.yml
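Review bot: Commenting out the four `client_*` directives in the nginx.conf hunk removes the request-size limits entirely instead of correcting them, so nginx falls back to its built-in defaults (1m for `client_max_body_size`) and the four commented lines are dead configuration. The old values (`1k`/`2k`) were too small to let a realistic request through, which is presumably what prompted the change, but the fix should be explicit, workable limits rather than deletion, for example `client_max_body_size 10m;` and `large_client_header_buffers 4 8k;` (sample values; size them to what the CI endpoint actually receives), so the bound stays deliberate and visible in the file. Separately, the context line `gzip_disable "mise6";` looks like a typo for the conventional `"msie6"` user-agent pattern; as written it is unlikely to match anything, which is harmless but not what the directive intends.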
@@ -11,8 +11,3 @@ steps:
 image: bdebyl/yamllint
 command:
 - make lint-ci
-
-trigger:
- event:
- - pull_request
- - push
From 137ddaca9712e18b4ccecaf298c7b337539bd348 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Tue, 29 Sep 2020 21:40:01 -0400
Subject: [PATCH 4/5] CU-cunmht split ssl from http role to separate role
---
 ansible/deploy_home.yml | 1 +
 ansible/roles/http/meta/main.yml | 2 +-
 ansible/roles/http/tasks/https.yml | 23 +++++++++
 ansible/roles/http/tasks/main.yml | 3 +-
 ansible/roles/http/tasks/ssl.yml | 60 ----------------------
 ansible/roles/ssl/meta/main.yml | 3 ++
 ansible/roles/ssl/tasks/certbot.yml | 25 +++++++++
 ansible/roles/{http => ssl}/tasks/cron.yml | 0
 ansible/roles/ssl/tasks/main.yml | 3 ++
 9 files changed, 57 insertions(+), 63 deletions(-)
 create mode 100644 ansible/roles/http/tasks/https.yml
 delete mode 100644 ansible/roles/http/tasks/ssl.yml
 create mode 100644 ansible/roles/ssl/meta/main.yml
 create mode 100644 ansible/roles/ssl/tasks/certbot.yml
 rename ansible/roles/{http => ssl}/tasks/cron.yml (100%)
 create mode 100644 ansible/roles/ssl/tasks/main.yml
diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml
index 40758a2..b2a9f26 100644
--- a/ansible/deploy_home.yml
+++ b/ansible/deploy_home.yml
@@ -4,5 +4,6 @@
 - vars/vault.yml
 roles:
 - role: common
+ - role: ssl
 - role: http
 - role: drone
diff --git a/ansible/roles/http/meta/main.yml b/ansible/roles/http/meta/main.yml
index fdda41b..bfe9e18 100644
--- a/ansible/roles/http/meta/main.yml
+++ b/ansible/roles/http/meta/main.yml
@@ -1,3 +1,3 @@
 ---
 dependencies:
- - role: common
+ - role: ssl
diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml
new file mode 100644
index 0000000..d332778
--- /dev/null
+++ b/ansible/roles/http/tasks/https.yml
@@ -0,0 +1,23 @@
+---
+
+- name: template nginx https sites-available
+ become: true
+ template:
+ src: "templates/nginx/sites/{{ item }}.j2"
+ dest: "/etc/nginx/sites-available/{{ item }}"
+ mode: 0644
+ with_items:
+ - "{{ ci_server_name }}.https.conf"
+ tags: https
+
+- name: enable desired nginx https sites
+ become: true
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ state: link
+ with_items:
+ - "{{ ci_server_name }}.https.conf"
+ notify: restart_nginx
+ when: stat_result.stat.exists
+ tags: https
diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml
index 8f657d3..68ecafb 100644
--- a/ansible/roles/http/tasks/main.yml
+++ b/ansible/roles/http/tasks/main.yml
@@ -2,5 +2,4 @@
 - import_tasks: deps.yml
 - import_tasks: modsec.yml
 - import_tasks: http.yml
-- import_tasks: ssl.yml
-- import_tasks: cron.yml
+- import_tasks: https.yml
diff --git a/ansible/roles/http/tasks/ssl.yml b/ansible/roles/http/tasks/ssl.yml
deleted file mode 100644
index e5eda28..0000000
--- a/ansible/roles/http/tasks/ssl.yml
+++ /dev/null
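Review bot: `when: stat_result.stat.exists` on the "enable desired nginx https sites" task in the new https.yml now reads a variable that is registered in a different role (the `stat` task in `ssl/tasks/certbot.yml`, tagged `ssl`) while every task in this file is tagged `https`; a run limited to `TAGS=https`, which the README documents as a supported way to deploy, skips the registering task and this condition then fails on an undefined variable rather than skipping cleanly. Either guard it, `when: stat_result is defined and stat_result.stat.exists`, or re-run the `stat` in this role so the dependency is local, and in any case add a comment above the task naming where `stat_result` comes from. Also, `mode: 0644` is an unquoted octal scalar that YAML parses as an integer; Ansible copes with it, but ansible-lint flags it and the quoted form `mode: "0644"` keeps the intent unambiguous.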
@@ -1,60 +0,0 @@
----
-- name: flush existing nginx https enabled sites
- become: true
- file:
- path: "/etc/nginx/sites-enabled/{{ item }}"
- state: absent
- with_items:
- - "{{ ci_server_name }}.https.conf"
- notify: restart_nginx
- tags: ssl
-
-- meta: flush_handlers
- tags: ssl
-
-- name: generate openssl dhparam for nginx
- become: true
- command: |
- openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
- args:
- creates: /etc/ssl/certs/dhparam.pem
- tags: ssl
-
-- name: create ssl certificate for ci server
- become: true
- command: |
- certbot certonly --webroot --webroot-path=/srv/http \
- -m {{ ci_server_email }} --agree-tos \
- -d {{ ci_server_name }}
- args:
- creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
- tags: ssl
-
-- name: check if certbot certificate was created
- become: true
- stat:
- path: "/etc/letsencrypt/live/{{ ci_server_name }}"
- register: stat_result
- tags: ssl
-
-- name: template nginx https sites-available
- become: true
- template:
- src: "templates/nginx/sites/{{ item }}.j2"
- dest: "/etc/nginx/sites-available/{{ item }}"
- mode: 0644
- with_items:
- - "{{ ci_server_name }}.https.conf"
- tags: ssl
-
-- name: enable desired nginx https sites
- become: true
- file:
- src: "/etc/nginx/sites-available/{{ item }}"
- dest: "/etc/nginx/sites-enabled/{{ item }}"
- state: link
- with_items:
- - "{{ ci_server_name }}.https.conf"
- notify: restart_nginx
- when: stat_result.stat.exists
- tags: ssl
diff --git a/ansible/roles/ssl/meta/main.yml b/ansible/roles/ssl/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/ansible/roles/ssl/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
new file mode 100644
index 0000000..fa67f71
--- /dev/null
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -0,0 +1,25 @@
+---
+- name: generate openssl dhparam for nginx
+ become: true
+ command: |
+ openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
+ args:
+ creates: /etc/ssl/certs/dhparam.pem
+ tags: ssl
+
+- name: create ssl certificate for ci server
+ become: true
+ command: |
+ certbot certonly --webroot --webroot-path=/srv/http \
+ -m {{ ci_server_email }} --agree-tos \
+ -d {{ ci_server_name }}
+ args:
+ creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
+ tags: ssl
+
+- name: check if certbot certificate was created
+ become: true
+ stat:
+ path: "/etc/letsencrypt/live/{{ ci_server_name }}"
+ register: stat_result
+ tags: ssl
diff --git a/ansible/roles/http/tasks/cron.yml b/ansible/roles/ssl/tasks/cron.yml
similarity index 100%
rename from ansible/roles/http/tasks/cron.yml
rename to ansible/roles/ssl/tasks/cron.yml
diff --git a/ansible/roles/ssl/tasks/main.yml b/ansible/roles/ssl/tasks/main.yml
new file mode 100644
index 0000000..a27991f
--- /dev/null
+++ b/ansible/roles/ssl/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- import_tasks: certbot.yml
+- import_tasks: cron.yml
From 1e1433275ef76cce88add4a3d480a34222a787c2 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Tue, 29 Sep 2020 21:45:01 -0400
Subject: [PATCH 5/5] CU-cunmht fixed empty line in https.yml
---
 ansible/roles/http/tasks/https.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml
index d332778..f5d8637 100644
--- a/ansible/roles/http/tasks/https.yml
+++ b/ansible/roles/http/tasks/https.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: template nginx https sites-available
 become: true
 template:
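Review bot: The "flush existing nginx https enabled sites" task and the `meta: flush_handlers` that ran before certbot in the deleted `http/tasks/ssl.yml` were not carried into the new `ssl/tasks/certbot.yml`, so the ordering that previously removed the https `sites-enabled` link and restarted nginx before `certbot certonly --webroot` is gone. If those tasks existed so that nginx stays up to serve the webroot challenge on a host where the https vhost is enabled but `/etc/letsencrypt/live/{{ ci_server_name }}` is absent, the first run on such a host now behaves differently; either restore the two tasks at the top of this file or add a comment stating why they are no longer needed. The `register: stat_result` on the last task is a contract with another role (`http/tasks/https.yml` keys its `when:` on it), which a comment such as `# consumed by the http role (tasks/https.yml); keep this name stable` would make visible to the next maintainer.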