initial commit

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "roles/ki-ansible"]
+	path = roles/ki-ansible
+	url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git
+[submodule "roles/ki"]
+	path = roles/ki
+	url = gitea@git.wtf-eg.de:kompetenzinventar/ki-ansible.git

README.md

@@ -0,0 +1,12 @@
+# Kompetenzinventar Ansible Playbook
+
+## Ausführen
+
+```
+./apply.sh [tag]
+```
+
+## Vault Passwort
+
+Das Vault Passwort wird vom Skript [`vaultpw.sh`](./vaultpw.sh) zurückgegeben.
+Es steht GPG verschlüsselt in [`vaultpw.gpg`](./vaultpw.gpg).

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+vault_password_file=vaultpw.sh
+ansible_python_interpreter=/usr/bin/python3

apply.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if [ -n "$1" ]; then
+  TAGS="--tags=$1"
+else
+  TAGS=""
+fi
+
+ansible-playbook $TAGS -i inventory.yml playbook.yml

inventory.yml

@@ -0,0 +1,6 @@
+---
+all:
+  children:
+    kidev:
+      hosts:
+        kidev.wtf-eg.net

playbook.yml

@@ -0,0 +1,37 @@
+- hosts: kidev
+  become: true
+  vars:
+    ki_host: kidev.wtf-eg.net
+    ki_frontend_uri: https://kidev.wtf-eg.net/
+    ki_backend_uri: https://kidev.wtf-eg.net/api
+    ki_db_root_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          63333133613433396139313230306262373336303735373138373637386130636665386465633431
+          6139623164376239323937633436346638663134633832360a616233336164356138613439306335
+          31633239366530376364306239363039656234353236383036303239653864626262386130386666
+          3264353533363462660a613234313238383235613363363464613434386231376133363963613732
+          31616165343938646533653434356335356266393230363139636535313639333134
+    ki_db_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          64323263383232363637343733313738303936653538313531623935363062383137326335393463
+          3738333039313837363138663563333664343538666262610a613036646430633138386666623037
+          62666634353962323463333962626530333133376366663832316536326537326532336366663233
+          6538656334343665350a393833653133663639396166643930656663373737373034343065353636
+          36343532343163353562316639623861353466326139396331626461663438313532
+    wtf_docker_registry_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33393462623866336638386164303132643339326237663530343866356262666534353262626132
+          6139323937343135383937613663323939306434353865360a353830303366316365303034386135
+          65653230363733633661616465386331656532666639346130323865316665353664383962373062
+          3235373464316535620a646433363330333431346164323536373162343632363031303339666439
+          37653436383830343430333863363565643934326430353766636236323130333339353234353466
+          3430666235363838383837366631326162636631376436333165
+  roles:
+    - role: common
+      tags: [common]
+    - role: docker
+      tags: [docker]
+    - role: nginx
+      tags: [nginx]
+    - role: ki
+      tags: [ki]

roles/common/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: be sure common packages are installed
+  apt:
+    name:
+      - gpg
+      - gpg-agent
+      - kitty-terminfo
+      - vim
+    update_cache: yes

roles/docker/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: be sure the old docker packages are not installed
+  apt:
+    name:
+      - docker
+      - docker-engine
+      - docker.io
+      - containerd
+      - runc
+    state: absent
+
+- name: be sure the docker apt signing key is installed
+  apt_key:
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    url: https://download.docker.com/linux/debian/gpg
+    state: present
+
+- name: be sure the docker apt repo is configured
+  apt_repository:
+    repo: deb https://download.docker.com/linux/debian buster stable
+    state: present
+
+- name: be sure the packages required by docker are installed
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - docker-compose
+      - containerd.io
+      - python3-docker
+      - python3-pip
+      - python3-setuptools
+    update_cache: yes
+
+- name: be sure to be logged into the ki registry
+  docker_login:
+    registry: registry.wtf-eg.net
+    username: drone
+    password: "{{ wtf_docker_registry_password }}"

roles/ki

@@ -0,0 +1 @@
+Subproject commit dd2e11392bce2edff0dd4f067491a629be0c81ee

roles/nginx/files/nginx.conf

@@ -0,0 +1,75 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+worker_rlimit_nofile 8192;
+
+events {
+	worker_connections 4096;
+	use epoll;
+	# multi_accept on;
+}
+
+http {
+    resolver 9.9.9.9;
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    proxy_buffer_size 128k;
+    proxy_buffers 4 256k;
+    proxy_busy_buffers_size 256k;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+	include /etc/nginx/streams-enabled/*;
+}

roles/nginx/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+  listen: "nginx config changed"

roles/nginx/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: be sure nginx is installed
+  apt:
+    name: nginx
+
+- name: be sure the nginx config file is present
+  copy:
+    src: ../files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+- name: be sure nginx site config files are present
+  template:
+    src: sites/{{ item }}.conf.j2
+    dest: /etc/nginx/sites-enabled/{{ item }}.conf
+  with_items:
+    - ki
+  notify:
+    - "nginx config changed"
+
+- name: be sure nginx sites are not present
+  file:
+    state: absent
+    path: "/etc/nginx/sites-enabled/{{ item }}"
+  with_items:
+    - default
+  notify:
+    - "nginx config changed"

roles/nginx/templates/sites/ki.conf.j2

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ ki_host }};
+
+    if ($host = {{ ki_host }}) {
+        return 301 https://$host$request_uri;
+    }
+
+    return 404;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name {{ ki_host }};
+
+    location /api/ {
+        proxy_pass http://localhost:{{ ki_backend_port }}/;
+        proxy_set_header Host            $http_host;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location / {
+        proxy_pass http://localhost:{{ ki_frontend_port }};
+        proxy_set_header Host            $http_host;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    proxy_buffer_size 128k;
+    proxy_buffers 4 256k;
+    proxy_busy_buffers_size 256k;
+
+    http2_max_field_size 512k;
+    http2_max_header_size 512k;
+
+    ssl on;
+    ssl_certificate     /etc/letsencrypt/live/kidev.wtf-eg.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/kidev.wtf-eg.net/privkey.pem;
+}

vaultpw.gpg

@@ -0,0 +1,14 @@
+-----BEGIN PGP MESSAGE-----
+
+hQGMAy+P5RnCwC3PAQwAo3sUvlFppTDhrDAnde5fNZtBbn0SUmCd+jTaX0mw9sYf
+fstGNHJfNLj1E4hCSVA+cWJi+lXxTH8uJMMTodnyHXv5amhZ3/BerC1RMtR9Lob4
+G9adKcEXAcNh4v+1jOwNAia5xvNiz+q88i4nu4mobMleWcmjPV0+I1hWvs+8jJSb
+UdeSWbK/fkdNI8lrbCP78YB3wB4ZEKre2WOR2kVt/L+/9lSk3mwnWaVW2bv74JNi
+pgMyp56lXyQNK3DKAj2Uqh3Byok7bc7BHDW2qQ4ShimjqdBfGcq0XKH8Ay92Kw1K
+nsUQMJjWn0ulrP+HVkpEqxgS6+SWXzw9VIIztMdOLnGvSMClyryXONKM3Pio0M3S
+oS8jNMGsMxCclN1lbICeLmr2pwvITLYqlBt9R7BRNeI65Aa512y/Zl7leSRnc6DH
+w4gicunPWW8YWgGX4oujdJGfczHDnt7GZcS4XvRSwD0Ny9EUSRNnUyRs2hiAGjic
+IfmichKEmnuQT2+q9OAE0kwBZ0mdNMQJWCXAW3Ksw2hCFsubnpkaP/Dx24y5Iu8T
+fiAKyhlATrMv47gbpgTLGD02/QJQBt+XfW1WYnHsTB/1Sba+G+XVrS2RWTNO
+=zDfG
+-----END PGP MESSAGE-----

vaultpw.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+gpg --batch --use-agent --decrypt ./vaultpw.gpg