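---
# Provisions one Ubuntu (bionic) host end to end: certbot, nginx, mongodb,
# Node.js, an unprivileged application user, one nginx server block per site
# and a Let's Encrypt certificate for each of them.
#
# Inventory must supply `user`, `ssh_key_urls` and the five site dicts
# (`website`, `app`, `service`, `idp`, `webhooks`); each dict carries `name`
# and, when the site is to be served, `domain` (plus `alternative_domain`).
# A site dict without `domain` is skipped by every per-site task below.
- name: provision
  hosts: all
  # NOTE(review): the play logs in as root directly. Where the hosts allow it,
  # an unprivileged remote_user with `become: true` lets root SSH login be
  # disabled in sshd without changing anything else here.
  remote_user: root
  # No fact is read in this play, so fact gathering is skipped for speed.
  gather_facts: false
  vars:
    # Single source of truth for the per-site loops; every task that touches
    # nginx blocks or certificates iterates over this list.
    nginx_sites:
      - "{{ website }}"
      - "{{ app }}"
      - "{{ service }}"
      - "{{ idp }}"
      - "{{ webhooks }}"

  tasks:
    # NOTE(review): confirm this PPA still resolves for the target release;
    # upstream has since moved certbot to other distribution channels.
    - name: add certbot ppa
      apt_repository:
        repo: 'ppa:certbot/certbot'
        state: present

    - name: install certbot packages
      apt:
        name:
          - letsencrypt
          - python-certbot-nginx
        state: present
        update_cache: true

    # install services
    - name: install services packages
      apt:
        name:
          - nginx
          - mongodb
        state: present
        update_cache: true

    # https://github.com/nodesource/distributions#manual-installation
    # TODO: contribute to https://github.com/nodesource/ansible-nodejs-role
    # NOTE(review): the key is trusted as served by the URL; pinning it with
    # `id: <NODESOURCE_KEY_FINGERPRINT>` (placeholder) makes a swapped key at
    # that URL fail the task instead of being installed.
    - name: Add the NodeSource package signing key
      apt_key:
        url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
        state: present

    # NOTE(review): node_8.x is past upstream end-of-life and receives no
    # security fixes; bump the channel once the apps support a current release.
    - name: Add the desired NodeSource repository
      apt_repository:
        repo: "{{ item }}"
        state: present
      loop:
        - deb https://deb.nodesource.com/node_8.x bionic main
        - deb-src https://deb.nodesource.com/node_8.x bionic main

    - name: Update package lists and install Node.js
      apt:
        name: nodejs
        state: present
        update_cache: true

    # setup unprivileged user
    - name: create user
      user:
        name: "{{ user }}"
        shell: /bin/bash
        generate_ssh_key: true

    # `key` accepts URLs: each entry of ssh_key_urls is fetched at run time and
    # installed verbatim, so the list must contain only https URLs controlled
    # by the intended key holders.
    - name: add ssh keys
      authorized_key:
        user: "{{ user }}"
        key: "{{ item }}"
      loop: "{{ ssh_key_urls }}"

    # `creates` makes the task idempotent: loginctl records linger state as a
    # file named after the user under /var/lib/systemd/linger, so re-runs
    # report ok instead of changed.
    - name: enable running services while not logged in
      command: "loginctl enable-linger {{ user }}"
      args:
        creates: "/var/lib/systemd/linger/{{ user }}"

    - name: customize .bashrc
      blockinfile:
        path: "/home/{{ user }}/.bashrc"
        block: |
          export PATH=/home/{{ user }}/bin:$PATH
          export XDG_RUNTIME_DIR=/run/user/$UID

    - name: create logs directory
      file:
        path: "/home/{{ user }}/logs"
        state: directory
        owner: "{{ user }}"
        group: "{{ user }}"

    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # or https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
    # NOTE(review): nothing in this play reloads nginx after the main config or
    # the site blocks change; a `reload nginx` handler notified by the nginx
    # tasks would apply them at the end of the play.
    - name: copy nginx config
      copy:
        src: nginx.conf
        dest: /etc/nginx/nginx.conf
        # Explicit mode so the result does not depend on the controller umask.
        mode: "0644"

    - name: copy nginx blocks
      template:
        src: "nginx/{{ item.name }}.conf.j2"
        dest: "/etc/nginx/sites-available/{{ item.name }}.conf"
        mode: "0644"
      when: item.domain is defined
      loop: "{{ nginx_sites }}"

    - name: enable nginx blocks
      file:
        src: "/etc/nginx/sites-available/{{ item.name }}.conf"
        dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
        state: link
      when: item.domain is defined
      loop: "{{ nginx_sites }}"

    # certificates with let's encrypt
    # NOTE(review): every site that defines `domain` must also define
    # `alternative_domain`, otherwise the var below is undefined when the role
    # reads it — confirm against the role or give it a default here.
    - name: generate certificates
      include_role:
        name: certbot-standalone
      vars:
        domain: "{{ item.domain }}"
        alternative_domain: "{{ item.alternative_domain }}"
      when: item.domain is defined
      loop: "{{ nginx_sites }}"

    # The block is inserted before the last line matching `^}`, assumed to be
    # the closing brace of the site's server block.
    - name: add cert paths to nginx blocks
      blockinfile:
        path: "/etc/nginx/sites-available/{{ item.name }}.conf"
        marker: "# {mark} ANSIBLE MANAGED TLS BLOCK"
        insertbefore: "^}"
        block: |
          ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
      when: item.domain is defined
      loop: "{{ nginx_sites }}"

    - name: add root to app nginx block
      blockinfile:
        path: "/etc/nginx/sites-available/{{ app.name }}.conf"
        marker: "# {mark} ANSIBLE MANAGED root BLOCK"
        insertbefore: "^}"
        block: |
          root /home/{{ user }}/{{ app.name }}/dist;
          index index.html;
      when: app.domain is defined

    - name: add root to website nginx block
      blockinfile:
        path: "/etc/nginx/sites-available/{{ website.name }}.conf"
        marker: "# {mark} ANSIBLE MANAGED root BLOCK"
        insertbefore: "^}"
        block: |
          root /home/{{ user }}/{{ website.name }};
          index index.html;
      when: website.domain is defined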