initial commit
commit
1676912bf4
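--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "roles/ki-ansible"]
+path = roles/ki-ansible
+url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git
+[submodule "roles/ki"]
+path = roles/ki
+url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git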
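Review bot: The first stanza, `[submodule "roles/ki-ansible"]`, has no matching gitlink in this commit — only `roles/ki` is added as a `Subproject commit` below — and it points at the same URL as `roles/ki`, so it looks like a leftover from a rename and should be dropped before someone runs `git submodule update --init` and gets a second checkout of the same role. Both entries use the SSH remote `gitea@git.wtf-eg.de:…`, so every clone, including any CI runner, needs a deploy key with access to that repository; if the role is meant to be public, an https URL is easier to consume. Pinning the submodule to a commit is the right supply-chain choice; a short README note on how the pin is reviewed and bumped would complete it.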
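--- /dev/null
+++ b/README.md
@@ -0,0 +1,12 @@
+# Kompetenzinventar Ansible Playbook
+
+## Ausführen
+
+```
+./apply.sh [tag]
+```
+
+## Vault Passwort
+
+Das Vault Passwort wird vom Skript [`vaultpw.sh`](./vaultpw.sh) zurückgegeben.
+Es steht GPG verschlüsselt in [`vaultpw.gpg`](./vaultpw.gpg).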
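--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+vault_password_file=vaultpw.sh
+ansible_python_interpreter=/usr/bin/python3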
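Review bot: `ansible_python_interpreter=/usr/bin/python3` is the name of an inventory/host variable, not an ansible.cfg option, and Ansible silently ignores unknown keys under `[defaults]`, so this line has no effect; the config-file equivalent is `interpreter_python=/usr/bin/python3` (Ansible 2.8+), or set `ansible_python_interpreter` as a host var in inventory.yml. Note also that ansible.cfg is only discovered in the current working directory (or via `ANSIBLE_CONFIG`), so running the playbook from anywhere but the repo root drops `vault_password_file` and the `!vault` values in playbook.yml then fail to decrypt with a rather opaque error; a comment such as `; only picked up when ansible runs from this directory (see apply.sh)` would save the next person that debugging session.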
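--- /dev/null
+++ b/apply.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if [ -n "$1" ]; then
+TAGS="--tags=$1"
+else
+TAGS=""
+fi
+
+ansible-playbook $TAGS -i inventory.yml playbook.yml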
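Review bot: `$TAGS` is expanded unquoted on the last line, so a tag argument containing whitespace is word-split before it reaches ansible-playbook; `${1:+"--tags=$1"}` passes it as a single argument and makes the if/else unnecessary. The script also depends on the caller's working directory: ansible.cfg (and with it `vault_password_file`) is only found in the current directory, and `inventory.yml`/`playbook.yml` are relative paths too, so `cd "$(dirname "$0")"` first lets `./apply.sh` be run from anywhere, and `set -euo pipefail` stops it from carrying on after an error. With those changes the script reduces to:
```bash
#!/usr/bin/env bash
set -euo pipefail
# Run from the repository root: ansible.cfg (vault_password_file) and the
# inventory/playbook paths below are all resolved relative to it.
cd "$(dirname "$0")"
exec ansible-playbook ${1:+"--tags=$1"} -i inventory.yml playbook.yml
```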
6
inventory.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
all:
|
||||
children:
|
||||
kidev:
|
||||
hosts:
|
||||
kidev.wtf-eg.net
|
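Review bot: As rendered, the entry under `hosts:` is the bare scalar `kidev.wtf-eg.net` with no trailing colon, which makes `hosts` a string instead of a mapping; the yaml inventory plugin rejects that (older releases, I believe, iterate the string character by character and create one-letter hosts), so it should read `kidev.wtf-eg.net:` with any host vars nested beneath it. That is also the natural home for `ansible_python_interpreter: /usr/bin/python3`, which ansible.cfg currently tries to set under `[defaults]` where it is not a recognised option. If the colon was only lost in rendering, disregard the first point.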
37
playbook.yml
Normal file
@ -0,0 +1,37 @@
|
||||
- hosts: kidev
|
||||
become: true
|
||||
vars:
|
||||
ki_host: kidev.wtf-eg.net
|
||||
ki_frontend_uri: https://kidev.wtf-eg.net/
|
||||
ki_backend_uri: https://kidev.wtf-eg.net/api
|
||||
ki_db_root_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63333133613433396139313230306262373336303735373138373637386130636665386465633431
|
||||
6139623164376239323937633436346638663134633832360a616233336164356138613439306335
|
||||
31633239366530376364306239363039656234353236383036303239653864626262386130386666
|
||||
3264353533363462660a613234313238383235613363363464613434386231376133363963613732
|
||||
31616165343938646533653434356335356266393230363139636535313639333134
|
||||
ki_db_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
64323263383232363637343733313738303936653538313531623935363062383137326335393463
|
||||
3738333039313837363138663563333664343538666262610a613036646430633138386666623037
|
||||
62666634353962323463333962626530333133376366663832316536326537326532336366663233
|
||||
6538656334343665350a393833653133663639396166643930656663373737373034343065353636
|
||||
36343532343163353562316639623861353466326139396331626461663438313532
|
||||
wtf_docker_registry_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33393462623866336638386164303132643339326237663530343866356262666534353262626132
|
||||
6139323937343135383937613663323939306434353865360a353830303366316365303034386135
|
||||
65653230363733633661616465386331656532666639346130323865316665353664383962373062
|
||||
3235373464316535620a646433363330333431346164323536373162343632363031303339666439
|
||||
37653436383830343430333863363565643934326430353766636236323130333339353234353466
|
||||
3430666235363838383837366631326162636631376436333165
|
||||
roles:
|
||||
- role: common
|
||||
tags: [common]
|
||||
- role: docker
|
||||
tags: [docker]
|
||||
- role: nginx
|
||||
tags: [nginx]
|
||||
- role: ki
|
||||
tags: [ki]
|
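Review bot: The `nginx` role runs before `ki`, yet its template `ki.conf.j2` expands `ki_backend_port` and `ki_frontend_port`, neither of which is defined in this play's `vars:`; presumably they come from the `ki` role's defaults (the submodule is not visible here), which Ansible does expose to every role in the play, but the coupling is invisible from this file and a reader cannot tell what nginx will proxy to. Either set both ports explicitly in `vars:` next to `ki_host`, or add a comment such as `# ki_backend_port / ki_frontend_port come from roles/ki defaults and are consumed by roles/nginx`. `ki_frontend_uri: https://kidev.wtf-eg.net/` and `ki_backend_uri` repeat the host name literally; `"https://{{ ki_host }}/"` and `"https://{{ ki_host }}/api"` keep them from drifting when `ki_host` changes.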
9
roles/common/tasks/main.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
- name: be sure common packages are installed
|
||||
apt:
|
||||
name:
|
||||
- gpg
|
||||
- gpg-agent
|
||||
- kitty-terminfo
|
||||
- vim
|
||||
update_cache: yes
|
38
roles/docker/tasks/main.yml
Normal file
@ -0,0 +1,38 @@
|
||||
- name: be sure the old docker packages are not installed
|
||||
apt:
|
||||
name:
|
||||
- docker
|
||||
- docker-engine
|
||||
- docker.io
|
||||
- containerd
|
||||
- runc
|
||||
state: absent
|
||||
|
||||
- name: be sure the docker apt signing key is installed
|
||||
apt_key:
|
||||
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
|
||||
url: https://download.docker.com/linux/debian/gpg
|
||||
state: present
|
||||
|
||||
- name: be sure the docker apt repo is configured
|
||||
apt_repository:
|
||||
repo: deb https://download.docker.com/linux/debian buster stable
|
||||
state: present
|
||||
|
||||
- name: be sure the packages required by docker are installed
|
||||
apt:
|
||||
name:
|
||||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- docker-compose
|
||||
- containerd.io
|
||||
- python3-docker
|
||||
- python3-pip
|
||||
- python3-setuptools
|
||||
update_cache: yes
|
||||
|
||||
- name: be sure to be logged into the ki registry
|
||||
docker_login:
|
||||
registry: registry.wtf-eg.net
|
||||
username: drone
|
||||
password: "{{ wtf_docker_registry_password }}"
|
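Review bot: The `apt_key` task imports Docker's signing key into the host's global apt keyring, where it is trusted for every configured repository including Debian's own; adding `keyring:` and a matching `[signed-by=…]` option on the `apt_repository` line confines a compromised or mis-issued Docker key to the Docker repository (the `id:` fingerprint pin is good and should stay). Separately, `docker_login` logs the server in as `drone`, which from the name is the CI account; that password is stored base64-encoded in `/root/.docker/config.json`, so a dedicated pull-only registry account would keep a server compromise from turning into push access to `registry.wtf-eg.net` — I cannot see the registry's account model, so treat this as a question. The release name `buster` could be `{{ ansible_distribution_release }}` so the role follows the host it runs on.
```yaml
- name: be sure the docker apt signing key is installed
  apt_key:
    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
    url: https://download.docker.com/linux/debian/gpg
    keyring: /usr/share/keyrings/docker-archive-keyring.gpg
    state: present

- name: be sure the docker apt repo is configured
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
    state: present
# … unchanged: package installation and docker_login …
```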
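--- /dev/null
+++ b/roles/ki
@@ -0,0 +1 @@
+Subproject commit dd2e11392bce2edff0dd4f067491a629be0c81ee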
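--- /dev/null
+++ b/roles/nginx/files/nginx.conf
@@ -0,0 +1,75 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+worker_rlimit_nofile 8192;
+
+events {
+worker_connections 4096;
+use epoll;
+# multi_accept on;
+}
+
+http {
+resolver 9.9.9.9;
+
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+
+server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# SSL Settings
+##
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+
+##
+# Logging Settings
+##
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+include /etc/nginx/streams-enabled/*;
+}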
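Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and will be flagged on any scan of kidev.wtf-eg.net; `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline and nginx 1.14 on buster with OpenSSL 1.1.1 should negotiate 1.3. `# server_tokens off;` is left commented out, so error pages and the `Server` header advertise the exact nginx version for no benefit — uncomment it. `resolver 9.9.9.9;` sends plain-UDP DNS to an external resolver and is only consulted when a `proxy_pass` target is a variable, which the shipped `ki.conf.j2` does not use, so it can be dropped or pointed at the host's local resolver.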
6
roles/nginx/handlers/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
listen: "nginx config changed"
|
26
roles/nginx/tasks/main.yml
Normal file
@ -0,0 +1,26 @@
|
||||
- name: be sure nginx is installed
|
||||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: be sure the nginx config file is present
|
||||
copy:
|
||||
src: ../files/nginx.conf
|
||||
dest: /etc/nginx/nginx.conf
|
||||
|
||||
- name: be sure nginx site config files are present
|
||||
template:
|
||||
src: sites/{{ item }}.conf.j2
|
||||
dest: /etc/nginx/sites-enabled/{{ item }}.conf
|
||||
with_items:
|
||||
- ki
|
||||
notify:
|
||||
- "nginx config changed"
|
||||
|
||||
- name: be sure nginx sites are not present
|
||||
file:
|
||||
state: absent
|
||||
path: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
with_items:
|
||||
- default
|
||||
notify:
|
||||
- "nginx config changed"
|
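Review bot: The `copy` task that installs `/etc/nginx/nginx.conf` has no `notify:`, unlike the two site tasks below it, so a change to `nginx.conf` (for example to `ssl_protocols`) is written to disk but nginx keeps running the old configuration until something else fires the handler. Add `notify: - "nginx config changed"` to that task, and consider `validate: nginx -t -c %s` on it so a broken main config is rejected before it replaces the live file. The `src: ../files/nginx.conf` path can simply be `nginx.conf`, since `copy` searches the role's `files/` directory by default.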
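--- /dev/null
+++ b/roles/nginx/templates/sites/ki.conf.j2
@@ -0,0 +1,44 @@
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ ki_host }};
+
+if ($host = {{ ki_host }}) {
+return 301 https://$host$request_uri;
+}
+
+return 404;
+}
+
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name {{ ki_host }};
+
+location /api {
+proxy_pass http://localhost:{{ ki_backend_port }};
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+location / {
+proxy_pass http://localhost:{{ ki_frontend_port }};
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+
+http2_max_field_size 512k;
+http2_max_header_size 512k;
+
+ssl on;
+ssl_certificate /etc/letsencrypt/live/kidev.wtf-eg.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/kidev.wtf-eg.net/privkey.pem;
+}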
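Review bot: The last two directives hard-code `kidev.wtf-eg.net` in the certificate paths while every other host reference in this template goes through `{{ ki_host }}`, so changing `ki_host` in the playbook would silently keep serving the old certificate; use `/etc/letsencrypt/live/{{ ki_host }}/fullchain.pem` and `/etc/letsencrypt/live/{{ ki_host }}/privkey.pem`. Neither `location` block sets `proxy_set_header X-Forwarded-Proto $scheme;`, so the services on `localhost:{{ ki_backend_port }}` and `{{ ki_frontend_port }}` see plain HTTP and cannot mark cookies secure or build correct absolute URLs — whether they need that depends on the app, which lives in the submodule. `ssl on;` is deprecated in favour of the `ssl` parameter already present on the `listen` lines (nginx 1.15+ warns about it), and the two `http2_max_*` directives have no effect because `http2` is not enabled on `listen 443`. Nothing sends HSTS either; `add_header Strict-Transport-Security "max-age=63072000" always;` in the 443 server is the usual follow-up once the redirect is known to work.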
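--- /dev/null
+++ b/vaultpw.gpg
@@ -0,0 +1,14 @@
+-----BEGIN PGP MESSAGE-----
+
+hQGMAy+P5RnCwC3PAQwAo3sUvlFppTDhrDAnde5fNZtBbn0SUmCd+jTaX0mw9sYf
+fstGNHJfNLj1E4hCSVA+cWJi+lXxTH8uJMMTodnyHXv5amhZ3/BerC1RMtR9Lob4
+G9adKcEXAcNh4v+1jOwNAia5xvNiz+q88i4nu4mobMleWcmjPV0+I1hWvs+8jJSb
+UdeSWbK/fkdNI8lrbCP78YB3wB4ZEKre2WOR2kVt/L+/9lSk3mwnWaVW2bv74JNi
+pgMyp56lXyQNK3DKAj2Uqh3Byok7bc7BHDW2qQ4ShimjqdBfGcq0XKH8Ay92Kw1K
+nsUQMJjWn0ulrP+HVkpEqxgS6+SWXzw9VIIztMdOLnGvSMClyryXONKM3Pio0M3S
+oS8jNMGsMxCclN1lbICeLmr2pwvITLYqlBt9R7BRNeI65Aa512y/Zl7leSRnc6DH
+w4gicunPWW8YWgGX4oujdJGfczHDnt7GZcS4XvRSwD0Ny9EUSRNnUyRs2hiAGjic
+IfmichKEmnuQT2+q9OAE0kwBZ0mdNMQJWCXAW3Ksw2hCFsubnpkaP/Dx24y5Iu8T
+fiAKyhlATrMv47gbpgTLGD02/QJQBt+XfW1WYnHsTB/1Sba+G+XVrS2RWTNO
+=zDfG
+-----END PGP MESSAGE-----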
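--- /dev/null
+++ b/vaultpw.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+gpg --batch --use-agent --decrypt ./vaultpw.gpg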
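Review bot: `./vaultpw.gpg` is resolved against the caller's working directory rather than the script's location, so if Ansible is ever invoked from elsewhere with `ANSIBLE_CONFIG` pointing at this directory, decryption fails with an unhelpful gpg "no such file" error; `gpg --batch --quiet --decrypt "$(dirname "$0")/vaultpw.gpg"` removes that dependency. `--use-agent` is accepted but ignored by GnuPG 2.1 and later, which always go through the agent, so it can be dropped. Since this script plus `vaultpw.gpg` are the entire access control for the `!vault` credentials in playbook.yml, the README should record which GPG key(s) the message is encrypted to, and that removing a recipient means choosing a new vault password, re-encrypting `vaultpw.gpg` and re-keying every `!vault` value — the old ciphertext and the old recipient's ability to read it remain in git history.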