initial commit

This commit is contained in:
weeman 2021-09-13 18:11:04 +02:00
commit 1676912bf4
Signed by: weeman
GPG Key ID: 34F0524D4DA694A1
15 changed files with 288 additions and 0 deletions

6
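--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "roles/ki-ansible"]
+path = roles/ki-ansible
+url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git
+[submodule "roles/ki"]
+path = roles/ki
+url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git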
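Review bot: Both submodule entries point at the same repository, `gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git`, but playbook.yml only lists `role: ki` and only `roles/ki` has a subproject commit in this commit, so `roles/ki-ansible` looks like a leftover that would clone the same role a second time. Unless something outside this commit consumes it, drop the first `[submodule "roles/ki-ansible"]` stanza. The SSH URL also means every operator cloning this playbook needs a Gitea SSH key; a line in the README saying so would save the next person a failed `git submodule update`.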

12
README.md Normal file

@ -0,0 +1,12 @@
# Kompetenzinventar Ansible Playbook
## Ausführen
```
./apply.sh [tag]
```
## Vault Passwort
Das Vault Passwort wird vom Skript [`vaultpw.sh`](./vaultpw.sh) zurückgegeben.
Es steht GPG verschlüsselt in [`vaultpw.gpg`](./vaultpw.gpg).

3
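--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+vault_password_file=vaultpw.sh
+ansible_python_interpreter=/usr/bin/python3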
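Review bot: `ansible_python_interpreter` is not an ansible.cfg setting; under `[defaults]` it is silently ignored, so the target's interpreter is still auto-discovered and this line does nothing. Set it where it is actually read: either the cfg key `interpreter_python = /usr/bin/python3`, or an inventory variable `ansible_python_interpreter: /usr/bin/python3` under `all: vars:` in inventory.yml. `vault_password_file=vaultpw.sh` is a relative path, and that script in turn opens `./vaultpw.gpg`, so the vault only decrypts when ansible is started from the repository root; that matches apply.sh, but a comment `# relative to the repo root - run via ./apply.sh` would make the constraint visible.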

9
apply.sh Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env bash
if [ -n "$1" ]; then
TAGS="--tags=$1"
else
TAGS=""
fi
ansible-playbook $TAGS -i inventory.yml playbook.yml
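Review bot: `$TAGS` and `$1` are expanded unquoted on the `ansible-playbook` line, so a tag argument containing whitespace or glob characters is word-split, and without `set -e` a failing playbook run still exits the script with status 0 when used in a pipeline. The script also only works from the repository root, because `inventory.yml`, `playbook.yml`, `ansible.cfg` and through it `vaultpw.sh`/`vaultpw.gpg` are all relative paths. Changing into the script's own directory and passing the tag via an array keeps the same `./apply.sh [tag]` interface while fixing both.
```shell
#!/usr/bin/env bash
set -eo pipefail
# ansible.cfg, inventory.yml, playbook.yml and the vault password script are
# all resolved relative to the repository root, so run from there regardless
# of the caller's working directory.
cd "$(dirname "$0")"
tags=()
if [ -n "$1" ]; then
    tags=("--tags=$1")
fi
ansible-playbook "${tags[@]}" -i inventory.yml playbook.yml
```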

6
inventory.yml Normal file

@ -0,0 +1,6 @@
---
all:
children:
kidev:
hosts:
kidev.wtf-eg.net
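Review bot: As rendered, the host entry under `hosts:` has no trailing colon, so `hosts` is the scalar string `kidev.wtf-eg.net` rather than a mapping; the yaml inventory plugin warns that the key is not a mapping and skips it, and `hosts: kidev` in playbook.yml then matches nothing. If the raw file really reads that way, write `kidev.wtf-eg.net:` (a mapping with a null value). Indentation is lost in this rendering, so this may be a display artefact; please check the raw file before merging.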

37
playbook.yml Normal file

@ -0,0 +1,37 @@
- hosts: kidev
become: true
vars:
ki_host: kidev.wtf-eg.net
ki_frontend_uri: https://kidev.wtf-eg.net/
ki_backend_uri: https://kidev.wtf-eg.net/api
ki_db_root_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63333133613433396139313230306262373336303735373138373637386130636665386465633431
6139623164376239323937633436346638663134633832360a616233336164356138613439306335
31633239366530376364306239363039656234353236383036303239653864626262386130386666
3264353533363462660a613234313238383235613363363464613434386231376133363963613732
31616165343938646533653434356335356266393230363139636535313639333134
ki_db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
64323263383232363637343733313738303936653538313531623935363062383137326335393463
3738333039313837363138663563333664343538666262610a613036646430633138386666623037
62666634353962323463333962626530333133376366663832316536326537326532336366663233
6538656334343665350a393833653133663639396166643930656663373737373034343065353636
36343532343163353562316639623861353466326139396331626461663438313532
wtf_docker_registry_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33393462623866336638386164303132643339326237663530343866356262666534353262626132
6139323937343135383937613663323939306434353865360a353830303366316365303034386135
65653230363733633661616465386331656532666639346130323865316665353664383962373062
3235373464316535620a646433363330333431346164323536373162343632363031303339666439
37653436383830343430333863363565643934326430353766636236323130333339353234353466
3430666235363838383837366631326162636631376436333165
roles:
- role: common
tags: [common]
- role: docker
tags: [docker]
- role: nginx
tags: [nginx]
- role: ki
tags: [ki]
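Review bot: `ki_frontend_uri` and `ki_backend_uri` repeat the hostname that `ki_host` already holds, so a host rename has to be done in three places here (and a fourth in the nginx certificate path); derive them instead with `ki_frontend_uri: "https://{{ ki_host }}/"` and `ki_backend_uri: "https://{{ ki_host }}/api"`. The three secrets are vault-encrypted inline, which is the right shape for a repo that carries its own vault password file. `ki_backend_port` and `ki_frontend_port`, which the nginx site template reads, are not defined in this play and presumably come from the `ki` role's defaults; a one-line comment naming where they live would help the next reader.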


@ -0,0 +1,9 @@
---
- name: be sure common packages are installed
apt:
name:
- gpg
- gpg-agent
- kitty-terminfo
- vim
update_cache: yes
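Review bot: `update_cache: yes` with no `cache_valid_time` refreshes the apt index on every run of the play, which is slow and reports a change each time on older apt module versions; add `cache_valid_time: 3600` so the refresh only happens when the index is stale. `state` is omitted, so present is the default; stating `state: present` keeps the task consistent with the docker role's `state: absent` task. The file path is not visible in this rendering, so the role this belongs to is inferred from the task name.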


@ -0,0 +1,38 @@
- name: be sure the old docker packages are not installed
apt:
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
state: absent
- name: be sure the docker apt signing key is installed
apt_key:
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
url: https://download.docker.com/linux/debian/gpg
state: present
- name: be sure the docker apt repo is configured
apt_repository:
repo: deb https://download.docker.com/linux/debian buster stable
state: present
- name: be sure the packages required by docker are installed
apt:
name:
- docker-ce
- docker-ce-cli
- docker-compose
- containerd.io
- python3-docker
- python3-pip
- python3-setuptools
update_cache: yes
- name: be sure to be logged into the ki registry
docker_login:
registry: registry.wtf-eg.net
username: drone
password: "{{ wtf_docker_registry_password }}"
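Review bot: `docker_login` under `become: true` stores the registry credential in `/root/.docker/config.json` on the target, by default base64-encoded rather than encrypted, so the vault protects `wtf_docker_registry_password` in the repository but not on the host. The username `drone` suggests the CI account's credential is being reused for image pulls; if the registry supports it, give the host a pull-only robot account or token so a host compromise cannot push images. The apt repo line hardcodes `buster` where `{{ ansible_distribution_release }}` would follow the target, and `docker-ce` is installed unpinned, so every run may silently upgrade Docker; either pin a version or leave a comment that rolling upgrades are intended.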

1
roles/ki Submodule

@ -0,0 +1 @@
Subproject commit dd2e11392bce2edff0dd4f067491a629be0c81ee


@ -0,0 +1,75 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
use epoll;
# multi_accept on;
}
http {
resolver 9.9.9.9;
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
stream {
include /etc/nginx/streams-enabled/*;
}
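Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and flagged by every scanner; since the site is HTTPS-only (port 80 redirects), set `ssl_protocols TLSv1.2 TLSv1.3;` and pair it with an explicit `ssl_ciphers` list. `server_tokens off;` is left commented out, so error pages and the Server header disclose the nginx version. `resolver 9.9.9.9;` sends DNS queries in clear to an external resolver, and nothing in this commit uses a variable `proxy_pass` or OCSP stapling that would need it; if it is kept, prefer the host's local resolver.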


@ -0,0 +1,6 @@
---
- name: reload nginx
service:
name: nginx
state: reloaded
listen: "nginx config changed"


@ -0,0 +1,26 @@
- name: be sure nginx is installed
apt:
name: nginx
- name: be sure the nginx config file is present
copy:
src: ../files/nginx.conf
dest: /etc/nginx/nginx.conf
- name: be sure nginx site config files are present
template:
src: sites/{{ item }}.conf.j2
dest: /etc/nginx/sites-enabled/{{ item }}.conf
with_items:
- ki
notify:
- "nginx config changed"
- name: be sure nginx sites are not present
file:
state: absent
path: "/etc/nginx/sites-enabled/{{ item }}"
with_items:
- default
notify:
- "nginx config changed"
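Review bot: The `copy` task that installs `/etc/nginx/nginx.conf` has no `notify`, so a change to the global config (TLS protocol list, buffers, logging) is written to disk but nginx is never reloaded until something else triggers the handler; add `notify: - "nginx config changed"` to it, as the site-template task already does. That copy task should also carry `validate: nginx -t -c %s` so a broken global config never reaches the reload handler; the site template cannot be validated standalone via `%s`, so run `nginx -t` before the reload instead. `apt: name: nginx` omits `state`; present is the default, but making it explicit keeps the role consistent with the docker role's tasks.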


@ -0,0 +1,44 @@
server {
listen 80;
listen [::]:80;
server_name {{ ki_host }};
if ($host = {{ ki_host }}) {
return 301 https://$host$request_uri;
}
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ ki_host }};
location /api {
proxy_pass http://localhost:{{ ki_backend_port }};
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
proxy_pass http://localhost:{{ ki_frontend_port }};
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
http2_max_field_size 512k;
http2_max_header_size 512k;
ssl on;
ssl_certificate /etc/letsencrypt/live/kidev.wtf-eg.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kidev.wtf-eg.net/privkey.pem;
}
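Review bot: The certificate paths hardcode `kidev.wtf-eg.net` while `server_name` is templated from `ki_host`, so reusing this template for another host would serve the wrong certificate; use `ssl_certificate /etc/letsencrypt/live/{{ ki_host }}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/{{ ki_host }}/privkey.pem;`. Neither `location` block forwards the scheme, so the backend on localhost only sees plain HTTP and cannot tell the request was TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` to both blocks if the application's redirects or cookie flags depend on it. `ssl on;` is redundant with `listen 443 ssl` and removed in current nginx, and the two `http2_*` directives have no effect because http2 is not enabled on the listen lines.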

14
vaultpw.gpg Normal file

@ -0,0 +1,14 @@
-----BEGIN PGP MESSAGE-----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=zDfG
-----END PGP MESSAGE-----

2
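--- /dev/null
+++ b/vaultpw.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+gpg --batch --use-agent --decrypt ./vaultpw.gpg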
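Review bot: `./vaultpw.gpg` is resolved against the current working directory rather than the script's location, so the vault password is only found when ansible is started from the repository root; use `gpg --batch --quiet --decrypt "$(dirname "$0")/vaultpw.gpg"` to tie the path to the script itself. `--use-agent` is a no-op with GnuPG 2, and `--quiet` keeps gpg's informational stderr out of the ansible output. Ansible takes the whole stdout of this script as the password, so the file must decrypt to the bare password with at most a trailing newline; a comment stating that contract would help whoever re-encrypts it for a new operator key.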