author | Lars Wirzenius <liw@liw.fi> | 2018-08-07 18:47:37 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-08-07 18:47:37 +0300 |
commit | 61c12b7938bd8fd8c17155b646b08fd1caf3cd6c (patch) | |
tree | c233df31c843f2e178fbd8114d6e1af434d6ba76 /roles/ickweb | |
parent | c0f9a32ae8f092b7ba552798ea1ae2f2fdd9666a (diff) | |
download | ick2-ansible-61c12b7938bd8fd8c17155b646b08fd1caf3cd6c.tar.gz |
Change: use haproxy role from debian-ansible, add ickweb, etc
Diffstat (limited to 'roles/ickweb')
-rw-r--r-- | roles/ickweb/files/haproxy.cfg | 47 | ||||
-rw-r--r-- | roles/ickweb/tasks/main.yml | 72 | ||||
-rw-r--r-- | roles/ickweb/templates/ickweb.service | 13 | ||||
-rw-r--r-- | roles/ickweb/templates/start_ickweb | 6 |
4 files changed, 138 insertions, 0 deletions
diff --git a/roles/ickweb/files/haproxy.cfg b/roles/ickweb/files/haproxy.cfg
new file mode 100644
index 0000000..6191bcc
--- /dev/null
+++ b/roles/ickweb/files/haproxy.cfg
@@ -0,0 +1,47 @@
+# haproxy.cfg
+# HAProxy configuration for Qvisqve.
+
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl methods method GET HEAD POST PUT DELETE
+ use_backend ickweb if methods
+
+backend ickweb
+ server ickweb_1 127.0.0.1:8080
diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml
new file mode 100644
index 0000000..163e436
--- /dev/null
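Review bot: The `bind *:80` listener in `frontend http-in` routes cleartext requests to the same `use_backend ickweb` as the TLS listener, so nothing forces clients onto HTTPS and the `rspadd Strict-Transport-Security` header only takes effect for browsers that already arrived over TLS; adding `redirect scheme https code 301 if !{ ssl_fc }` after the bind lines closes the cleartext path. The header comment `# HAProxy configuration for Qvisqve.` appears to be copied from another role and should name ickweb. Requests whose method is outside the `acl methods` list match no backend and there is no `default_backend`, so HAProxy answers them with 503; a one-line comment saying that is deliberate would save the next reader a check.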
+++ b/roles/ickweb/tasks/main.yml
@@ -0,0 +1,72 @@
+- name: "install packages"
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - git
+ - haproxy
+ - python3-bottle
+ - python3-requests
+
+- name: "create ickweb user"
+ user:
+ name: _ickweb
+ comment: Ickweb user
+ system: yes
+
+- name: "create ickweb group"
+ group:
+ name: _ickweb
+ system: yes
+
+- name: "install ickweb code"
+ shell: |
+ rm -rf /var/lib/ickweb
+ git clone git://git.liw.fi/ickweb /var/lib/ickweb
+ chown -R root:root /var/lib/ickweb
+ chmod -R ugo=rX /var/lib/ickweb
+
+- name: "create /etc/ickweb"
+ file:
+ state: directory
+ path: /etc/ickweb
+ owner: _ickweb
+ group: _ickweb
+ mode: 0755
+
+- name: "install ickweb config"
+ copy:
+ content: "{{ ickweb_secret }}"
+ dest: /etc/ickweb/secret
+ owner: _ickweb
+ group: _ickweb
+ mode: 0700
+
+- name: "install ickweb script"
+ template:
+ src: start_ickweb
+ dest: /usr/local/bin
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "install ickweb systemd unit"
+ template:
+ src: ickweb.service
+ dest: /lib/systemd/system/ickweb.service
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "reload systemd"
+ systemd:
+ name: haproxy
+ state: reloaded
+
+- name: "enable and restart services"
+ systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: restarted
+ with_items:
+ - haproxy
+ - ickweb
diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service
new file mode 100644
index 0000000..208ac09
--- /dev/null
+++ b/roles/ickweb/templates/ickweb.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Ick web app
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=_ickweb
+Group=_ickweb
+ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb
new file mode 100644
index 0000000..a6e93f7
--- /dev/null
+++ b/roles/ickweb/templates/start_ickweb
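Review bot: The task named `"reload systemd"` does not reload systemd at all — its body is `systemd: name: haproxy state: reloaded` — so the freshly templated `/lib/systemd/system/ickweb.service` is never registered with `daemon_reload: yes` before the next task enables and restarts `ickweb`; either rename the task or change its body to `systemd: daemon_reload: yes`. `mode: 0700` on the `/etc/ickweb/secret` file and `mode: 0755` on the unit file set execute bits that neither file needs; `0600` and `0644` are the conventional values. The `install ickweb code` task wipes and re-clones the application over the unauthenticated `git://` transport on every play and the result is run as a system service, so there is no integrity check on what gets deployed; pinning a commit or verifying a signed tag, and skipping the `rm -rf` when the checkout already matches, would make this both safer and idempotent. Nothing in this hunk installs `files/haproxy.cfg`; presumably the debian-ansible haproxy role mentioned in the commit message consumes it, but that dependency is not visible here.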
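Review bot: `Requires=network.target` and `After=network.target` in `[Unit]` do not wait for the network to be configured, and since `start_ickweb` hands the app a controller URL it plausibly connects at startup; `Wants=network-online.target` plus `After=network-online.target` is the documented ordering for that case — confirm what `run` does before changing it. The `[Service]` section drops to `_ickweb` but applies no sandboxing; `NoNewPrivileges=yes` and `PrivateTmp=yes` are cheap additions, and `ProtectSystem=` is worth considering once it is known whether the app writes anywhere under /var/lib/ickweb. No `Restart=` is set, so a crash leaves the service down until the next play.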
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+cd /var/lib/ickweb
+./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod
|
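Review bot: The last line interpolates `controller_url` and `ickweb_port` into a shell command inside double quotes, so a value containing `"` or `$` would alter the command rather than be passed through; Ansible's `quote` filter, `./run {{ controller_url | quote }} /etc/ickweb/secret {{ ickweb_port | quote }} prod`, yields a correctly quoted word whatever the value. Prefixing the call with `exec` would also make `run` the main PID under `Type=simple`, so systemd's stop signal reaches the app rather than the wrapper shell.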