Diffstat (limited to 'roles/ickweb')
-rw-r--r--roles/ickweb/files/haproxy.cfg47
-rw-r--r--roles/ickweb/tasks/main.yml72
-rw-r--r--roles/ickweb/templates/ickweb.service13
-rw-r--r--roles/ickweb/templates/start_ickweb6
4 files changed, 138 insertions, 0 deletions
diff --git a/roles/ickweb/files/haproxy.cfg b/roles/ickweb/files/haproxy.cfg
new file mode 100644
index 0000000..6191bcc
--- /dev/null
+++ b/roles/ickweb/files/haproxy.cfg
@@ -0,0 +1,47 @@
+# haproxy.cfg
+# HAProxy configuration for Qvisqve.
+
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl methods method GET HEAD POST PUT DELETE
+ use_backend ickweb if methods
+
+backend ickweb
+ server ickweb_1 127.0.0.1:8080
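Review bot: The `http-in` frontend binds both *:80 and *:443 but never redirects plaintext requests, so anything arriving on port 80 is forwarded to the ickweb backend in the clear, and the HSTS header added by `rspadd` is only honoured by browsers on an HTTPS response anyway. Adding `redirect scheme https code 301 if !{ ssl_fc }` before the `use_backend` line makes the TLS bind the only path to the backend. With no `default_backend`, a request using a method outside the `methods` ACL presumably gets a 503 from HAProxy; if that is the intent a comment saying so would help the next reader. The bind options only exclude SSLv3 and TLS 1.0, so TLS 1.1 is still accepted; `no-tlsv11` (or a `ssl-min-ver` setting on a version that supports it) would tighten that, and the SHA1/CBC and DHE-DSS suites in the cipher string could be dropped for the same reason.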
diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml
new file mode 100644
index 0000000..163e436
--- /dev/null
+++ b/roles/ickweb/tasks/main.yml
@@ -0,0 +1,72 @@
+- name: "install packages"
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - git
+ - haproxy
+ - python3-bottle
+ - python3-requests
+
+- name: "create ickweb user"
+ user:
+ name: _ickweb
+ comment: Ickweb user
+ system: yes
+
+- name: "create ickweb group"
+ group:
+ name: _ickweb
+ system: yes
+
+- name: "install ickweb code"
+ shell: |
+ rm -rf /var/lib/ickweb
+ git clone git://git.liw.fi/ickweb /var/lib/ickweb
+ chown -R root:root /var/lib/ickweb
+ chmod -R ugo=rX /var/lib/ickweb
+
+- name: "create /etc/ickweb"
+ file:
+ state: directory
+ path: /etc/ickweb
+ owner: _ickweb
+ group: _ickweb
+ mode: 0755
+
+- name: "install ickweb config"
+ copy:
+ content: "{{ ickweb_secret }}"
+ dest: /etc/ickweb/secret
+ owner: _ickweb
+ group: _ickweb
+ mode: 0700
+
+- name: "install ickweb script"
+ template:
+ src: start_ickweb
+ dest: /usr/local/bin
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "install ickweb systemd unit"
+ template:
+ src: ickweb.service
+ dest: /lib/systemd/system/ickweb.service
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "reload systemd"
+ systemd:
+ name: haproxy
+ state: reloaded
+
+- name: "enable and restart services"
+ systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: restarted
+ with_items:
+ - haproxy
+ - ickweb
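Review bot: `files/haproxy.cfg` is added by this commit but no task in main.yml copies it to `/etc/haproxy/haproxy.cfg`, so the "enable and restart services" task restarts haproxy on whatever config the package shipped and the 443 bind, HSTS header and ickweb backend never take effect; the same applies to `/etc/ssl/haproxy.pem`, which the config references but nothing here provisions. The "install ickweb code" task fetches over `git://`, which gives neither transport confidentiality nor any integrity guarantee, and pins no tag or commit, while the `rm -rf` + clone runs on every play; the `git` module with an https (or ssh) `repo` and a `version` is the usual replacement, assuming the server offers such an endpoint. The task writing `{{ ickweb_secret }}` should carry `no_log: true`, otherwise the secret shows up in diff/verbose output, and `mode: 0700` on a regular file would more naturally be `mode: "0600"` (octal modes quoted, as Ansible recommends). The task named "reload systemd" actually reloads haproxy; a `daemon_reload: true` after installing the new unit is what the name suggests, and the unit file itself is installed with `mode: 0755` where `"0644"` is expected.
```yaml
- name: "install ickweb code"
  git:
    repo: "https://git.liw.fi/ickweb"   # assumes an https endpoint exists; verify
    dest: /var/lib/ickweb
    version: "{{ ickweb_version }}"     # CONSTRUCTED placeholder: pin a tag or commit
  # … unchanged: root ownership / ugo=rX permissions can stay as a file task …

- name: "install haproxy config"
  copy:
    src: haproxy.cfg
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: root
    mode: "0644"
  notify: reload haproxy   # CONSTRUCTED placeholder: handler name, if the role uses handlers

- name: "install ickweb config"
  copy:
    content: "{{ ickweb_secret }}"
    dest: /etc/ickweb/secret
    owner: _ickweb
    group: _ickweb
    mode: "0600"
  no_log: true
```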
diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service
new file mode 100644
index 0000000..208ac09
--- /dev/null
+++ b/roles/ickweb/templates/ickweb.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Ick web app
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=_ickweb
+Group=_ickweb
+ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret
+
+[Install]
+WantedBy=multi-user.target
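Review bot: The `[Service]` section runs a network-facing app as `_ickweb` but sets no `Restart=` policy and no sandboxing, so a crash leaves the service down and a compromise of the process has the full filesystem and /tmp at its disposal. `Restart=on-failure` plus `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true` are the low-risk baseline; `ProtectSystem=strict` with an explicit `ReadWritePaths=` is stronger if ickweb only writes to known directories, which this diff does not show. `Requires=network.target` is presumably meant as ordering only; `After=network.target` alone (or `Wants=`) is the conventional form, since `Requires=` makes the unit fail if the target is stopped.
```ini
[Service]
# … unchanged: Type, User, Group, ExecStart …
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```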
diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb
new file mode 100644
index 0000000..a6e93f7
--- /dev/null
+++ b/roles/ickweb/templates/start_ickweb
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+cd /var/lib/ickweb
+./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod
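Review bot: The unit's `ExecStart` passes `/etc/ickweb/secret` as the first argument, but the last line ignores `$1` and hard-codes the same path, so the two will silently drift if either is changed; `exec ./run "{{ controller_url }}" "${1:-/etc/ickweb/secret}" "{{ ickweb_port }}" prod` honours the argument under `set -u` and the `exec` lets systemd supervise `run` directly rather than a `sh` parent. The templated values are shell-double-quoted, so word splitting is avoided, but a `"` or `$` in `controller_url` would still break or expand; since the values come from inventory this is acceptable, and a comment `# controller_url / ickweb_port are substituted by Ansible at deploy time` would tell a reader why the file is a template.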