author | Lars Wirzenius <liw@liw.fi> | 2018-08-07 18:47:37 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-08-07 18:47:37 +0300 |
commit | 61c12b7938bd8fd8c17155b646b08fd1caf3cd6c (patch) | |
tree | c233df31c843f2e178fbd8114d6e1af434d6ba76 /roles | |
parent | c0f9a32ae8f092b7ba552798ea1ae2f2fdd9666a (diff) | |
download | ick2-ansible-61c12b7938bd8fd8c17155b646b08fd1caf3cd6c.tar.gz |
Change: use haproxy role from debian-ansible, add ickweb, etc
Diffstat (limited to 'roles')
-rw-r--r-- | roles/apt_repository/templates/apache-http.conf | 2 | ||||
-rw-r--r-- | roles/haproxy/tasks/main.yml | 37 | ||||
-rw-r--r-- | roles/ickweb/files/haproxy.cfg (renamed from roles/haproxy/templates/haproxy.cfg.j2) | 48 | ||||
-rw-r--r-- | roles/ickweb/tasks/main.yml | 72 | ||||
-rw-r--r-- | roles/ickweb/templates/ickweb.service | 13 | ||||
-rw-r--r-- | roles/ickweb/templates/start_ickweb | 6 | ||||
-rw-r--r-- | roles/letsencrypt/defaults/main.yml | 10 | ||||
-rw-r--r-- | roles/letsencrypt/tasks/main.yml | 79 | ||||
-rw-r--r-- | roles/letsencrypt/templates/deploy_certs_haproxy | 8 |
9 files changed, 100 insertions, 175 deletions
diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf
index b7aa353..46a54ed 100644
--- a/roles/apt_repository/templates/apache-http.conf
+++ b/roles/apt_repository/templates/apache-http.conf
@@ -1,5 +1,5 @@
 Listen 8080
-<VirtualHost _default_:8080>
+<VirtualHost _default_:{{ apache_port }}>
 ServerAdmin {{ apt_admin_email }}
 DocumentRoot /srv/http
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
deleted file mode 100644
index 2161b3b..0000000
--- a/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: create config dir
- file:
- state: directory
- path: "{{ item }}"
- owner: root
- group: root
- mode: 0755
- with_items:
- - /etc/haproxy
-
-- name: install haproxy config
- template:
- src: haproxy.cfg.j2
- dest: /etc/haproxy/haproxy.cfg
- owner: root
- group: root
- mode: 0644
-
-- name: install TLS certificate
- copy:
- content: "{{ tls_certificate }}"
- dest: /etc/ssl/ick.pem
- owner: root
- group: root
- mode: 0600
-
-- name: enable and start haproxy
- service:
- name: "{{ item }}"
- state: restarted
- enabled: yes
- with_items:
- - haproxy
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/ickweb/files/haproxy.cfg
index 0a6ec70..6191bcc 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/ickweb/files/haproxy.cfg
@@ -1,3 +1,6 @@
+# haproxy.cfg
+# HAProxy configuration for Qvisqve.
+
 global
 log 127.0.0.1 local4
 chroot /var/lib/haproxy
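Review bot: `Listen 8080` on the context line just above the changed `<VirtualHost>` is still hard-coded, so as soon as an inventory sets `apache_port` to anything other than 8080 the virtual host is declared on a port Apache is not listening on and the repository silently stops answering. Since the file is already a template, make both lines use the same variable: `Listen {{ apache_port }}`. The `<VirtualHost>` block continues past the end of the hunk.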
@@ -13,6 +16,7 @@ global
 ssl-default-bind-options no-tls-tickets
 ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
 defaults
 log global
 mode http
@@ -32,48 +36,12 @@ defaults
 frontend http-in
 bind *:80
- bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
 rspadd Strict-Transport-Security:\ max-age=15768000
- acl ickweb path_beg /web
- acl blobs path_beg /blobs
- acl token path_beg /token
- acl login path_beg /login
- acl auth path_beg /auth
- acl clients path_beg /clients
- acl users path_beg /users
- acl applications path_beg /applications
- acl notify path_beg /notify
- acl debian path_beg /debian
- acl any method GET HEAD POST PUT DELETE
-
- use_backend apache if debian
- use_backend ickweb if ickweb
- use_backend notification_service if notify
- use_backend artifact_store if blobs
- use_backend qvisqve if token
- use_backend qvisqve if login
- use_backend qvisqve if auth
- use_backend qvisqve if clients
- use_backend qvisqve if users
- use_backend qvisqve if applications
- use_backend controller if any
-
-backend apache
- server apache_1 127.0.0.1:8080
+ acl methods method GET HEAD POST PUT DELETE
+ use_backend ickweb if methods
 backend ickweb
- server ickweb_1 127.0.0.1:{{ ickweb_port }}
-
-backend controller
- server controller_1 127.0.0.1:{{ controller_port }}
-
-backend artifact_store
- server artifact_store_1 127.0.0.1:{{ artifact_store_port }}
-
-backend qvisqve
- server qvisqve_1 127.0.0.1:{{ qvisqve_port }}
-
-backend notification_service
- server notify_1 127.0.0.1:{{ notify_port }}
+ server ickweb_1 127.0.0.1:8080
diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml
new file mode 100644
index 0000000..163e436
--- /dev/null
+++ b/roles/ickweb/tasks/main.yml
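Review bot: The new `bind *:443 ... crt /etc/ssl/haproxy.pem` line names a certificate file that nothing left in this diff writes — the deleted haproxy role installed `/etc/ssl/ick.pem` and the deleted letsencrypt role wrote `/etc/haproxy/haproxy.pem` — so HAProxy will fail its config check on start unless the debian-ansible haproxy role mentioned in the commit message provisions that path. A comment on the bind line would record the dependency: `# /etc/ssl/haproxy.pem (fullchain + private key, root-only) is provisioned by the debian-ansible haproxy role, not by this repo`. With routing reduced to `use_backend ickweb if methods` and no `default_backend`, a request using any other method (OPTIONS, PATCH, ...) is answered 503 by HAProxy instead of reaching the app; presumably intended, but now that the per-path ACLs are gone a one-line comment saying so would help. Note also that the file moved from `templates/` to `files/`, so `127.0.0.1:8080` can no longer be driven by `ickweb_port` the way the removed line was.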
@@ -0,0 +1,72 @@
+- name: "install packages"
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - git
+ - haproxy
+ - python3-bottle
+ - python3-requests
+
+- name: "create ickweb user"
+ user:
+ name: _ickweb
+ comment: Ickweb user
+ system: yes
+
+- name: "create ickweb group"
+ group:
+ name: _ickweb
+ system: yes
+
+- name: "install ickweb code"
+ shell: |
+ rm -rf /var/lib/ickweb
+ git clone git://git.liw.fi/ickweb /var/lib/ickweb
+ chown -R root:root /var/lib/ickweb
+ chmod -R ugo=rX /var/lib/ickweb
+
+- name: "create /etc/ickweb"
+ file:
+ state: directory
+ path: /etc/ickweb
+ owner: _ickweb
+ group: _ickweb
+ mode: 0755
+
+- name: "install ickweb config"
+ copy:
+ content: "{{ ickweb_secret }}"
+ dest: /etc/ickweb/secret
+ owner: _ickweb
+ group: _ickweb
+ mode: 0700
+
+- name: "install ickweb script"
+ template:
+ src: start_ickweb
+ dest: /usr/local/bin
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "install ickweb systemd unit"
+ template:
+ src: ickweb.service
+ dest: /lib/systemd/system/ickweb.service
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "reload systemd"
+ systemd:
+ name: haproxy
+ state: reloaded
+
+- name: "enable and restart services"
+ systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: restarted
+ with_items:
+ - haproxy
+ - ickweb
diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service
new file mode 100644
index 0000000..208ac09
--- /dev/null
+++ b/roles/ickweb/templates/ickweb.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Ick web app
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=_ickweb
+Group=_ickweb
+ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb
new file mode 100644
index 0000000..a6e93f7
--- /dev/null
+++ b/roles/ickweb/templates/start_ickweb
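Review bot: The `install ickweb code` task fetches the application over `git://git.liw.fi/ickweb` — a transport with no authentication, no encryption and no pinned revision — and the next tasks run whatever arrived as the web service, so anyone able to interpose on that connection or to push to the remote picks the code this host executes; the `shell` task also wipes and re-clones on every run and always reports `changed`. Prefer the `git` module over an authenticated transport with a pinned `version` (sketched below, assuming the server offers https or ssh) and keep the chown/chmod step as a `file` task. Three smaller points in the same hunk: the secret is written with `mode: 0700` though it is a regular file (`"0600"` is enough, and modes should be quoted strings), the unit file is installed `mode: 0755` where `"0644"` is the convention, and the task named `reload systemd` actually reloads haproxy — the freshly installed unit wants `daemon_reload: yes` on the `systemd` call before `ickweb` is restarted. The hunk also never installs `roles/ickweb/files/haproxy.cfg` anywhere, so either the external haproxy role consumes it or it is dead; a comment at the top of the file should say which.
```yaml
- name: "install ickweb code"
  git:
    repo: "https://git.liw.fi/ickweb"   # git:// is unauthenticated; use https or ssh
    dest: /var/lib/ickweb
    version: "{{ ickweb_version }}"   # tag or commit id reviewed before deployment
# … unchanged: chown -R root:root / chmod -R ugo=rX of /var/lib/ickweb (as a file task) …
```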
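Review bot: The `[Service]` section drops to `_ickweb` but applies none of systemd's sandboxing, so a compromise of the Python app still sees a writable filesystem and can pick up capabilities through setuid binaries. Adding `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` under `[Service]` costs nothing for a service that, as far as this diff shows, only needs to read `/var/lib/ickweb` and `/etc/ickweb/secret`; whether the app writes elsewhere is not visible here, so check before tightening to `strict`. `Requires=network.target` is also unusual — `network.target` is a passive ordering point, so `After=network.target` alone (or `Wants=network-online.target` if the app connects out at start) is the conventional form. A `Restart=on-failure` line would keep the site up across app crashes.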
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+cd /var/lib/ickweb
+./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
deleted file mode 100644
index ce1a2d3..0000000
--- a/roles/letsencrypt/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-# Enable letsencrypt?
-letsencrypt: yes
-
-# Specify a properly configured and functional domain name
-letsencrypt_domain: FIXME
-
-# Specify a working email address
-letsencrypt_email: FIXME
-
-letsencrypt_server_haproxy_crt: /etc/haproxy/haproxy.pem
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index b7d0df0..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
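Review bot: `./run … "{{ ickweb_port }}" prod` starts the app on a templated port, but the haproxy.cfg that fronts it (now a plain file under `files/`) has its backend hard-coded to `127.0.0.1:8080`, so any inventory that sets `ickweb_port` to another value gets a proxy pointing at nothing. Either hard-code `8080` here as well, or keep haproxy.cfg a template so both read the same variable. Note also that the apt_repository role's Apache listens on 8080 too, so the two roles cannot share a host as written — presumably they do not, but a comment on this line saying so would stop the next reader from guessing.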
@@ -1,79 +0,0 @@
-- name: check required variables
- fail:
- msg: "value of {{ item }} should no be FIXME!"
- with_items:
- - letsencrypt_domain
- - letsencrypt_email
- - letsencrypt_server
- when: item == "FIXME"
-
-- name: install deploy_certs_haproxy
- template:
- src: deploy_certs_haproxy
- dest: /usr/local/sbin/deploy_certs_haproxy
- owner: root
- group: root
- mode: 0755
- when: letsencrypt
-
-- name: install certbot
- apt:
- name: certbot
- default_release: stretch-backports
- when: letsencrypt
-
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: install ssl-cert
- apt:
- name: ssl-cert
- when: not letsencrypt
-
-- name: stop haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: stopped
-
-- name: install snakeoil certificate for haproxy
- shell: |
- cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
- /etc/ssl/private/ssl-cert-snakeoil.key \
- > /etc/haproxy/haproxy.pem
- when: not letsencrypt
-
-- name: fetch new certificate
- command: >
- certbot certonly
- --standalone
- --noninteractive
- --domain "{{ letsencrypt_domain }}"
- --email "{{ letsencrypt_email }}"
- --agree-tos
- when: letsencrypt
-
-- name: install new cert for haproxy
- command: /usr/local/sbin/deploy_certs_haproxy
- when: letsencrypt
-
-- name: start haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: started
-
-- name: add cron job
- cron:
- name: letsencrypt
- hour: 23
- minute: 42
- user: root
- job: >
- certbot renew
- --standalone
- --quiet
- --pre-hook "systemctl stop haproxy"
- --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy"
- when: letsencrypt
diff --git a/roles/letsencrypt/templates/deploy_certs_haproxy b/roles/letsencrypt/templates/deploy_certs_haproxy
deleted file mode 100644
index 6c93a80..0000000
--- a/roles/letsencrypt/templates/deploy_certs_haproxy
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-cat "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem" \ "/etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem" \ > "{{ letsencrypt_server_haproxy_crt }}"
-chmod 600 "{{ letsencrypt_server_haproxy_crt }}" |