From 2b1968c325d468ef8035f9a4471bb641b709da8c Mon Sep 17 00:00:00 2001
From: Michael Weimann
Date: Mon, 13 Sep 2021 18:11:04 +0200
Subject: [PATCH] initial commit

---
 .gitmodules | 6 +++
 README.md | 12 +++++
 ansible.cfg | 3 ++
 apply.sh | 9 ++++
 inventory.yml | 6 +++
 playbook.yml | 37 +++++++++++++
 roles/common/tasks/main.yml | 9 ++++
 roles/docker/tasks/main.yml | 38 +++++++++++++
 roles/ki | 1 +
 roles/nginx/files/nginx.conf | 75 ++++++++++++++++++++++++++
 roles/nginx/handlers/main.yml | 6 +++
 roles/nginx/tasks/main.yml | 26 +++++++++
 roles/nginx/templates/sites/ki.conf.j2 | 44 +++++++++++++++
 vaultpw.gpg | 14 +++++
 vaultpw.sh | 2 +
 15 files changed, 288 insertions(+)
 create mode 100644 .gitmodules
 create mode 100644 README.md
 create mode 100644 ansible.cfg
 create mode 100755 apply.sh
 create mode 100644 inventory.yml
 create mode 100644 playbook.yml
 create mode 100644 roles/common/tasks/main.yml
 create mode 100644 roles/docker/tasks/main.yml
 create mode 160000 roles/ki
 create mode 100644 roles/nginx/files/nginx.conf
 create mode 100644 roles/nginx/handlers/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/templates/sites/ki.conf.j2
 create mode 100644 vaultpw.gpg
 create mode 100755 vaultpw.sh

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..8246df2
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "roles/ki-ansible"]
+ path = roles/ki-ansible
+ url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git
+[submodule "roles/ki"]
+ path = roles/ki
+ url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d50e2af
--- /dev/null
+++ b/README.md
@@ -0,0 +1,12 @@
+# Kompetenzinventar Ansible Playbook
+
+## Ausführen
+
+```
+./apply.sh [tag]
+```
+
+## Vault Passwort
+
+Das Vault Passwort wird vom Skript [`vaultpw.sh`](./vaultpw.sh) zurückgegeben.
+Es steht GPG verschlüsselt in [`vaultpw.gpg`](./vaultpw.gpg).
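Review bot: The `[submodule "roles/ki-ansible"]` stanza has no matching gitlink in this commit — the diffstat only creates `roles/ki` (mode 160000) — so `.gitmodules` declares a path that does not exist and `git submodule` will report it as stale; both stanzas also point at the same repository. Drop the first stanza and keep only `[submodule "roles/ki"]`. The SSH form `gitea@git.wtf-eg.de:...` means every consumer of this playbook needs an SSH key accepted by that Gitea account; if the role repository is readable anonymously, an `https://` URL removes that coupling.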
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..7046c53
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+vault_password_file=vaultpw.sh
+ansible_python_interpreter=/usr/bin/python3
diff --git a/apply.sh b/apply.sh
new file mode 100755
index 0000000..6311e76
--- /dev/null
+++ b/apply.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if [ -n "$1" ]; then
+ TAGS="--tags=$1"
+else
+ TAGS=""
+fi
+
+ansible-playbook $TAGS -i inventory.yml playbook.yml
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..22f669f
--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,6 @@
+---
+all:
+ children:
+ kidev:
+ hosts:
+ kidev.wtf-eg.net
diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..c87ae57
--- /dev/null
+++ b/playbook.yml
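Review bot: `ansible_python_interpreter` is an inventory/host variable, not an `ansible.cfg` option, so the third line of `[defaults]` is ignored and interpreter discovery on the target is unchanged. The config-file equivalent is `interpreter_python=/usr/bin/python3` under `[defaults]`; alternatively set `ansible_python_interpreter: /usr/bin/python3` on the host in `inventory.yml`. `vault_password_file=vaultpw.sh` is a relative path and appears to be resolved against the working directory of the `ansible-playbook` run, so the setup only works when invoked from the repository root, which is what `apply.sh` assumes.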
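Review bot: `$TAGS` is expanded unquoted on the last line, so a tag argument containing whitespace or glob characters is word-split or globbed before it reaches `ansible-playbook`, and the script also depends on the caller's working directory for `inventory.yml`, `playbook.yml`, `ansible.cfg` and `vaultpw.sh`. Building the optional flag as an array and entering the script's directory first fixes both: `cd "$(dirname "$0")" || exit 1`, `TAGS=(); [ -n "${1:-}" ] && TAGS=("--tags=$1")`, `ansible-playbook "${TAGS[@]}" -i inventory.yml playbook.yml`. `set -e` at the top would also stop the run if the `cd` fails instead of running the playbook from the wrong place.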
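Review bot: `hosts:` in a YAML inventory must be a mapping, but `kidev.wtf-eg.net` is written as a bare scalar, so `hosts` parses as a string and the YAML inventory plugin should reject the `kidev` group, leaving the play with no target; the fix is the trailing colon, `kidev.wtf-eg.net:`. Indentation is not recoverable from this rendering, so the nesting of `children`/`kidev`/`hosts` is worth checking in the file itself as well.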
@@ -0,0 +1,37 @@
+- hosts: kidev
+ become: true
+ vars:
+ ki_host: kidev.wtf-eg.net
+ ki_frontend_uri: https://kidev.wtf-eg.net/
+ ki_backend_uri: https://kidev.wtf-eg.net/api
+ ki_db_root_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63333133613433396139313230306262373336303735373138373637386130636665386465633431
+ 6139623164376239323937633436346638663134633832360a616233336164356138613439306335
+ 31633239366530376364306239363039656234353236383036303239653864626262386130386666
+ 3264353533363462660a613234313238383235613363363464613434386231376133363963613732
+ 31616165343938646533653434356335356266393230363139636535313639333134
+ ki_db_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64323263383232363637343733313738303936653538313531623935363062383137326335393463
+ 3738333039313837363138663563333664343538666262610a613036646430633138386666623037
+ 62666634353962323463333962626530333133376366663832316536326537326532336366663233
+ 6538656334343665350a393833653133663639396166643930656663373737373034343065353636
+ 36343532343163353562316639623861353466326139396331626461663438313532
+ wtf_docker_registry_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33393462623866336638386164303132643339326237663530343866356262666534353262626132
+ 6139323937343135383937613663323939306434353865360a353830303366316365303034386135
+ 65653230363733633661616465386331656532666639346130323865316665353664383962373062
+ 3235373464316535620a646433363330333431346164323536373162343632363031303339666439
+ 37653436383830343430333863363565643934326430353766636236323130333339353234353466
+ 3430666235363838383837366631326162636631376436333165
+ roles:
+ - role: common
+ tags: [common]
+ - role: docker
+ tags: [docker]
+ - role: nginx
+ tags: [nginx]
+ - role: ki
+ tags: [ki]
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..a586940
--- /dev/null
+++ b/roles/common/tasks/main.yml
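Review bot: The nginx site template added in this commit renders `{{ ki_backend_port }}` and `{{ ki_frontend_port }}`, but the play's `vars` only define `ki_host`, `ki_frontend_uri` and `ki_backend_uri`; if the `ki` submodule role does not supply those two as defaults, the `nginx` role fails templating with an undefined-variable error. Declaring them next to `ki_host` (`ki_backend_port: <port>` / `ki_frontend_port: <port>`, placeholders) keeps the contract between the `nginx` and `ki` roles visible in one place. `kidev.wtf-eg.net` is also repeated literally in both `*_uri` values; `https://{{ ki_host }}/` and `https://{{ ki_host }}/api` stop the host name drifting from `ki_host`.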
@@ -0,0 +1,9 @@
+---
+- name: be sure common packages are installed
+ apt:
+ name:
+ - gpg
+ - gpg-agent
+ - kitty-terminfo
+ - vim
+ update_cache: yes
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..1646858
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: be sure the old docker packages are not installed
+ apt:
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ - containerd
+ - runc
+ state: absent
+
+- name: be sure the docker apt signing key is installed
+ apt_key:
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ url: https://download.docker.com/linux/debian/gpg
+ state: present
+
+- name: be sure the docker apt repo is configured
+ apt_repository:
+ repo: deb https://download.docker.com/linux/debian buster stable
+ state: present
+
+- name: be sure the packages required by docker are installed
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - docker-compose
+ - containerd.io
+ - python3-docker
+ - python3-pip
+ - python3-setuptools
+ update_cache: yes
+
+- name: be sure to be logged into the ki registry
+ docker_login:
+ registry: registry.wtf-eg.net
+ username: drone
+ password: "{{ wtf_docker_registry_password }}"
diff --git a/roles/ki b/roles/ki
new file mode 160000
index 0000000..dd2e113
--- /dev/null
+++ b/roles/ki
@@ -0,0 +1 @@
+Subproject commit dd2e11392bce2edff0dd4f067491a629be0c81ee
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..fc022fa
--- /dev/null
+++ b/roles/nginx/files/nginx.conf
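Review bot: The `docker_login` task at the end of the docker role handles the vaulted `wtf_docker_registry_password` but carries no `no_log: true`; even if the module masks its own `password` argument, a failed login or a verbose run can still print the full task result, so add `no_log: true` to that task. The apt repository line hard-codes `buster` while the rest of the role is release-agnostic; `repo: deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable` keeps it tied to the target's actual release (facts are gathered by default in this play). Pinning the signing key by fingerprint in `apt_key` alongside the `https` URL is the right pattern and worth keeping.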
@@ -0,0 +1,75 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+worker_rlimit_nofile 8192;
+
+events {
+ worker_connections 4096;
+ use epoll;
+ # multi_accept on;
+}
+
+http {
+ resolver 9.9.9.9;
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+ include /etc/nginx/streams-enabled/*;
+}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..42a19ae
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
+ listen: "nginx config changed"
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..09e9ce5
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
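Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the SSL Settings section still enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and flagged by current TLS scanners; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (the buster nginx/OpenSSL 1.1.1 combination the docker role targets should accept `TLSv1.3`). `# server_tokens off;` is left commented out, so the nginx version is disclosed in the `Server` header and on error pages; uncomment it. Neither this file nor the site template sets `ssl_ciphers` or session settings, so the distribution defaults apply; an explicit modern cipher list belongs here next to `ssl_protocols` so every site inherits it.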
@@ -0,0 +1,26 @@
+- name: be sure nginx is installed
+ apt:
+ name: nginx
+
+- name: be sure the nginx config file is present
+ copy:
+ src: ../files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: be sure nginx site config files are present
+ template:
+ src: sites/{{ item }}.conf.j2
+ dest: /etc/nginx/sites-enabled/{{ item }}.conf
+ with_items:
+ - ki
+ notify:
+ - "nginx config changed"
+
+- name: be sure nginx sites are not present
+ file:
+ state: absent
+ path: "/etc/nginx/sites-enabled/{{ item }}"
+ with_items:
+ - default
+ notify:
+ - "nginx config changed"
diff --git a/roles/nginx/templates/sites/ki.conf.j2 b/roles/nginx/templates/sites/ki.conf.j2
new file mode 100644
index 0000000..8e290c8
--- /dev/null
+++ b/roles/nginx/templates/sites/ki.conf.j2
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ ki_host }};
+
+ if ($host = {{ ki_host }}) {
+ return 301 https://$host$request_uri;
+ }
+
+ return 404;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ ki_host }};
+
+ location /api/ {
+ proxy_pass http://localhost:{{ ki_backend_port }}/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ proxy_pass http://localhost:{{ ki_frontend_port }};
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ http2_max_field_size 512k;
+ http2_max_header_size 512k;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/kidev.wtf-eg.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/kidev.wtf-eg.net/privkey.pem;
+}
diff --git a/vaultpw.gpg b/vaultpw.gpg
new file mode 100644
index 0000000..9e94552
--- /dev/null
+++ b/vaultpw.gpg
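Review bot: The `copy` task that installs `/etc/nginx/nginx.conf` has no `notify`, so a changed main config is written to disk but nginx is never reloaded, unlike the site template and removal tasks below it which both notify `"nginx config changed"`; add the same `notify:` list to the copy task. That task is also the right place for `validate: nginx -t -c %s`, so a broken main config is rejected before it replaces the live one and the handler cannot reload nginx into a failing state. Inside a role, `src: nginx.conf` already resolves to `roles/nginx/files/`, so the `../files/` prefix is unnecessary.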
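Review bot: `ssl on;` near the end of the TLS server block is deprecated and redundant with `listen 443 ssl;` above it, and on an nginx build where the directive has been removed the site fails to load; delete the line. The certificate paths hard-code `kidev.wtf-eg.net` while `server_name` is templated from `ki_host`, so changing `ki_host` silently serves the wrong certificate; use `ssl_certificate /etc/letsencrypt/live/{{ ki_host }}/fullchain.pem;` and the matching `privkey.pem` line. `http2_max_field_size`/`http2_max_header_size` only affect HTTP/2 connections and neither `listen` directive enables `http2`, so they are inert as written. Both `location` blocks forward `Host`, `X-Real-IP` and `X-Forwarded-For` but not the scheme, which a backend behind TLS termination usually needs to build `https://` URLs; `proxy_set_header X-Forwarded-Proto $scheme;` in each block covers that.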
@@ -0,0 +1,14 @@
+-----BEGIN PGP MESSAGE-----
+
+hQGMAy+P5RnCwC3PAQwAo3sUvlFppTDhrDAnde5fNZtBbn0SUmCd+jTaX0mw9sYf
+fstGNHJfNLj1E4hCSVA+cWJi+lXxTH8uJMMTodnyHXv5amhZ3/BerC1RMtR9Lob4
+G9adKcEXAcNh4v+1jOwNAia5xvNiz+q88i4nu4mobMleWcmjPV0+I1hWvs+8jJSb
+UdeSWbK/fkdNI8lrbCP78YB3wB4ZEKre2WOR2kVt/L+/9lSk3mwnWaVW2bv74JNi
+pgMyp56lXyQNK3DKAj2Uqh3Byok7bc7BHDW2qQ4ShimjqdBfGcq0XKH8Ay92Kw1K
+nsUQMJjWn0ulrP+HVkpEqxgS6+SWXzw9VIIztMdOLnGvSMClyryXONKM3Pio0M3S
+oS8jNMGsMxCclN1lbICeLmr2pwvITLYqlBt9R7BRNeI65Aa512y/Zl7leSRnc6DH
+w4gicunPWW8YWgGX4oujdJGfczHDnt7GZcS4XvRSwD0Ny9EUSRNnUyRs2hiAGjic
+IfmichKEmnuQT2+q9OAE0kwBZ0mdNMQJWCXAW3Ksw2hCFsubnpkaP/Dx24y5Iu8T
+fiAKyhlATrMv47gbpgTLGD02/QJQBt+XfW1WYnHsTB/1Sba+G+XVrS2RWTNO
+=zDfG
+-----END PGP MESSAGE-----
diff --git a/vaultpw.sh b/vaultpw.sh
new file mode 100755
index 0000000..236fd3c
--- /dev/null
+++ b/vaultpw.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+gpg --batch --use-agent --decrypt ./vaultpw.gpg
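Review bot: `./vaultpw.gpg` is resolved against the working directory of whoever runs `ansible-playbook`, not against the script's own location, so the vault password lookup only works from the repository root; `gpg --batch --quiet --decrypt "$(dirname "$0")/vaultpw.gpg"` removes that assumption. `--use-agent` has been a no-op since GnuPG 2.1, and `--quiet` keeps gpg's informational stderr output out of the Ansible run. The README says only that the password is GPG-encrypted; it does not say which key(s) `vaultpw.gpg` is encrypted to, which is what a new operator needs to know before `apply.sh` can work for them — that belongs in the README's "Vault Passwort" section.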