CU-cunmht[complete] Merge pull request #2 from bdebyl/CU-cunmht

CU-cunmht Updated README
This commit is contained in:
bdebyl
2020-09-29 21:47:24 -04:00
committed by GitHub
11 changed files with 61 additions and 67 deletions


@@ -31,4 +31,5 @@ updates in newest versions, etc._)
| `deploy` | Deploys everything, or only tasks specified in `TAGS=` environment variable | | `deploy` | Deploys everything, or only tasks specified in `TAGS=` environment variable |
| `check` | Runs `deploy` in a "dry-run", showing diff-style outputs on tasks indicating changes | | `check` | Runs `deploy` in a "dry-run", showing diff-style outputs on tasks indicating changes |
| `vault` | Opens the Ansible vault file for editing | | `vault` | Opens the Ansible vault file for editing |
| `lint-ci` | Meant for use with `bdebyl/yamllint` (_see `.drone.yml`_) |


@@ -4,5 +4,6 @@
- vars/vault.yml - vars/vault.yml
roles: roles:
- role: common - role: common
- role: ssl
- role: http - role: http
- role: drone - role: drone


@@ -29,10 +29,10 @@ http {
gzip on; gzip on;
gzip_disable "mise6"; gzip_disable "mise6";
client_body_buffer_size 1k; # client_body_buffer_size 1k;
client_header_buffer_size 1k; # client_header_buffer_size 1k;
client_max_body_size 2k; # client_max_body_size 2k;
large_client_header_buffers 2 1k; # large_client_header_buffers 2 1k;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
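Review bot: Commenting out `client_body_buffer_size`, `client_header_buffer_size`, `client_max_body_size` and `large_client_header_buffers` drops the request-size hardening entirely and falls back to nginx defaults (1m bodies, 4x8k header buffers), with no comment recording why. Presumably the 2k body cap was too small for Drone/GitHub webhook payloads; if so, raise the ceiling to what the traffic actually needs instead of removing it, e.g. `client_max_body_size 1m;  # webhook payloads exceed the old 2k cap`, and keep the header limits in place since they are independent of body size. Unrelated to this change but on the same lines: `gzip_disable "mise6";` looks like a typo for `gzip_disable "msie6";`, so the MSIE6 exclusion presumably never matches. The `http {` block continues outside this hunk.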


@@ -1,3 +1,3 @@
--- ---
dependencies: dependencies:
- role: common - role: ssl


@@ -0,0 +1,22 @@
---
- name: template nginx https sites-available
become: true
template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
with_items:
- "{{ ci_server_name }}.https.conf"
tags: https
- name: enable desired nginx https sites
become: true
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
with_items:
- "{{ ci_server_name }}.https.conf"
notify: restart_nginx
when: stat_result.stat.exists
tags: https
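Review bot: `when: stat_result.stat.exists` on the `enable desired nginx https sites` task reads a variable this file never registers; it is set by the ssl role's `check if certbot certificate was created` task, which is tagged `ssl`, so a tag-filtered run such as `TAGS=https` (the README documents tag-filtered deploys) skips that task and this one fails with an undefined-variable error rather than a clear message. The cross-role coupling is also invisible to anyone reading only this file. Register the fact locally under the `https` tag, and test the certificate file itself rather than the `live/` directory, which is the more robust signal that issuance actually completed.
```yaml
- name: check if certbot certificate is present
  become: true
  stat:
    path: "/etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem"
  register: https_cert
  tags: https
# … unchanged: template nginx https sites-available …
- name: enable desired nginx https sites
  # … unchanged: become, file, with_items, notify …
  when: https_cert.stat.exists
  tags: https
```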


@@ -2,5 +2,4 @@
- import_tasks: deps.yml - import_tasks: deps.yml
- import_tasks: modsec.yml - import_tasks: modsec.yml
- import_tasks: http.yml - import_tasks: http.yml
- import_tasks: ssl.yml - import_tasks: https.yml
- import_tasks: cron.yml


@@ -1,60 +0,0 @@
---
- name: flush existing nginx https enabled sites
become: true
file:
path: "/etc/nginx/sites-enabled/{{ item }}"
state: absent
with_items:
- "{{ ci_server_name }}.https.conf"
notify: restart_nginx
tags: ssl
- meta: flush_handlers
tags: ssl
- name: generate openssl dhparam for nginx
become: true
command: |
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
args:
creates: /etc/ssl/certs/dhparam.pem
tags: ssl
- name: create ssl certificate for ci server
become: true
command: |
certbot certonly --webroot --webroot-path=/srv/http \
-m {{ ci_server_email }} --agree-tos \
-d {{ ci_server_name }}
args:
creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
tags: ssl
- name: check if certbot certificate was created
become: true
stat:
path: "/etc/letsencrypt/live/{{ ci_server_name }}"
register: stat_result
tags: ssl
- name: template nginx https sites-available
become: true
template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
with_items:
- "{{ ci_server_name }}.https.conf"
tags: ssl
- name: enable desired nginx https sites
become: true
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
with_items:
- "{{ ci_server_name }}.https.conf"
notify: restart_nginx
when: stat_result.stat.exists
tags: ssl


@@ -0,0 +1,3 @@
---
dependencies:
- role: common


@@ -0,0 +1,25 @@
---
- name: generate openssl dhparam for nginx
become: true
command: |
openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
args:
creates: /etc/ssl/certs/dhparam.pem
tags: ssl
- name: create ssl certificate for ci server
become: true
command: |
certbot certonly --webroot --webroot-path=/srv/http \
-m {{ ci_server_email }} --agree-tos \
-d {{ ci_server_name }}
args:
creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
tags: ssl
- name: check if certbot certificate was created
become: true
stat:
path: "/etc/letsencrypt/live/{{ ci_server_name }}"
register: stat_result
tags: ssl
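Review bot: The `certbot certonly` invocation in `create ssl certificate for ci server` has no `--non-interactive` flag, so any prompt certbot decides to raise (the EFF mailing-list opt-in when `-m` is supplied, or a re-issuance question) has no TTY to answer it and the play hangs or errors instead of failing fast; add `--non-interactive --no-eff-email` to the command. Because the http role's meta now lists ssl as a dependency, this task runs before the http role's own `deps.yml`/`http.yml`, and the `--webroot` challenge needs something already serving `/srv/http` on port 80 — on a fresh host the first run presumably fails here unless nginx is provisioned elsewhere, so that ordering is worth confirming or guarding with a pre-flight check. The `creates:` guard also means this task covers initial issuance only; renewal is presumably handled by the `cron.yml` imported alongside it, which is not shown here. Finally, `stat` on the `live/<name>` directory is a weaker test than `live/<name>/fullchain.pem`, since the directory can exist without a usable certificate.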


@@ -0,0 +1,3 @@
---
- import_tasks: certbot.yml
- import_tasks: cron.yml