diff --git a/webserver/.gitignore b/webserver/.gitignore
new file mode 100644
index 0000000..5a4571c
--- /dev/null
+++ b/webserver/.gitignore
@@ -0,0 +1,2 @@
+hosts.ini
+*.pub
diff --git a/webserver/README.md b/webserver/README.md
new file mode 100644
index 0000000..c7aee98
--- /dev/null
+++ b/webserver/README.md
@@ -0,0 +1,18 @@
+# Install Webserver
+
+## How to
+
+Copy then change values of hosts example file
+
+```bash
+$ cp hosts.example.ini hosts.ini
+```
+
+Then run the playbook:
+
+```bash
+DBPASSWORD="$(date +%s | sha256sum | base64 | head -c 32 ; echo)"
+
+ansible-playbook -i hosts.ini playbook.yml \
+ -e db_root_password=$DBPASSWORD
+```
diff --git a/webserver/hosts.example.ini b/webserver/hosts.example.ini
new file mode 100644
index 0000000..8b6c631
--- /dev/null
+++ b/webserver/hosts.example.ini
@@ -0,0 +1,5 @@
+[webservers]
+example.com
+
+[webservers:vars]
+ansible_python_interpreter=/usr/bin/python3
diff --git a/webserver/playbook.yml b/webserver/playbook.yml
new file mode 100644
index 0000000..7b8b1ed
--- /dev/null
+++ b/webserver/playbook.yml
@@ -0,0 +1,19 @@
+---
+
+- hosts: webservers
+ become: true
+
+ pre_tasks:
+ - name: install commons
+ apt:
+ name:
+ - python3-pip
+ update_cache: yes
+
+ roles:
+ - {role: nginx, tags: nginx}
+ - {role: wwwuser, tags: wwwuser}
+ - {role: certbot, tags: certbot}
+ - {role: php, tags: php}
+ - {role: mariadb, tags: mariadb}
+ - {role: firewall, tags: firewall}
diff --git a/webserver/roles/certbot/tasks/main.yml b/webserver/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..4107a8a
--- /dev/null
+++ b/webserver/roles/certbot/tasks/main.yml
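Review bot: `update_cache: yes` in the `install commons` pre_task is a YAML 1.1 truthy value; write `update_cache: true` so the file reads the same under 1.1 and 1.2 parsers and passes yamllint's truthy check (the same `yes`/`no` spellings recur in the certbot, mariadb, nginx and php task files). The roles list puts flow mappings inside a block sequence; block form (`- role: nginx` / `  tags: nginx`) diffs more cleanly. The ordering of the list appears to matter — the firewall role's `Nginx Full` rule relies on the ufw application profile that the nginx package installs — so a comment making that constraint explicit would protect it from a casual reorder: `# firewall last: its ufw 'Nginx Full' rule needs the profile shipped by nginx`.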
@@ -0,0 +1,17 @@
+- name: install letsencrypt
+ apt:
+ name:
+ - letsencrypt
+ - python3-certbot-nginx
+ state: present
+ update_cache: yes
+
+- name: create letsencrypt's challenge directory
+ file:
+ name: /var/www/letsencrypt
+ state: directory
+
+- name: generate letsencrypt's dhparams
+ shell: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
+ args:
+ creates: /etc/letsencrypt/ssl-dhparams.pem
diff --git a/webserver/roles/firewall/tasks/main.yml b/webserver/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..963c3dd
--- /dev/null
+++ b/webserver/roles/firewall/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: allow ssh
+ ufw:
+ rule: allow
+ name: OpenSSH
+
+- name: allow http/https
+ ufw:
+ rule: allow
+ name: Nginx Full
+
+- name: enable and deny by default
+ ufw:
+ state: enabled
+ default: deny
diff --git a/webserver/roles/mariadb/tasks/main.yml b/webserver/roles/mariadb/tasks/main.yml
new file mode 100644
index 0000000..513619e
--- /dev/null
+++ b/webserver/roles/mariadb/tasks/main.yml
@@ -0,0 +1,30 @@
+- name: install
+ apt:
+ name:
+ - mariadb-server
+ - libmysqlclient-dev
+ state: present
+ update_cache: yes
+
+- name: install python client
+ pip:
+ name: mysqlclient
+ state: present
+
+- name: ensure service is start
+ service:
+ name: mysql
+ state: started
+ enabled: yes
+
+- name: change root password
+ mysql_user:
+ name: root
+ password: '{{ db_root_password }}'
+ host: 'localhost'
+
+- name: write root credentials
+ template:
+ src: my.cnf.j2
+ dest: /root/.my.cnf
+ mode: '0600'
diff --git a/webserver/roles/mariadb/templates/my.cnf.j2 b/webserver/roles/mariadb/templates/my.cnf.j2
new file mode 100644
index 0000000..56edaaa
--- /dev/null
+++ b/webserver/roles/mariadb/templates/my.cnf.j2
@@ -0,0 +1,3 @@
+[client]
+user=root
+password={{ db_root_password }}
diff --git a/webserver/roles/nginx/handlers/main.yml b/webserver/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..5463835
--- /dev/null
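Review bot: The `generate letsencrypt's dhparams` task uses `shell` for a command that needs no shell features; `command: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048` with the same `creates:` guard avoids the shell round-trip and the lint warning. The `letsencrypt` apt package is, on recent Ubuntu releases, a transitional package that pulls in `certbot`; installing `certbot` by its own name is the documented form. Nothing in this role serves `/var/www/letsencrypt` through nginx or requests a certificate, so a header comment saying that the role only prepares the host (packages, challenge directory, DH parameters) and that issuance is a separate step would save the next reader a search.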
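Review bot: The `enable and deny by default` task leaves ufw logging at whatever the host already had; adding `logging: 'on'` to that task records blocked connections in syslog, which is what an investigation later needs. `default: deny` applies to the incoming direction only unless `direction` is set, which looks intended here but deserves a comment: `# default deny covers incoming traffic; outgoing stays allowed`. Both allow rules reference the `OpenSSH` and `Nginx Full` application profiles, so the role silently depends on those packages being installed first; the playbook runs it last, and a one-line comment at the top of the file naming that dependency would keep it that way.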
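Review bot: The `change root password` task hands `db_root_password` to `mysql_user` without `no_log: true`, so the value appears in verbose output and in any callback or log plugin; add `no_log: true` to that task and to `write root credentials`, whose template renders the same value. The task name `ensure service is start` should read `ensure service is started`, and `enabled: yes` / `update_cache: yes` should be `true` / `true`. On Debian-family MariaDB the root account typically authenticates over the unix socket rather than with a password, so the first run of `mysql_user` — before `/root/.my.cnf` exists — may need `login_unix_socket` pointed at the server socket; worth confirming on a fresh host.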
+++ b/webserver/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/webserver/roles/nginx/tasks/main.yml b/webserver/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..fd8b835
--- /dev/null
+++ b/webserver/roles/nginx/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: install nginx
+ apt:
+ name:
+ - nginx
+ state: present
+ update_cache: yes
+
+- name: define www user as default user
+ replace:
+ path: "/etc/nginx/nginx.conf"
+ regexp: '{{ item.from }}'
+ replace: "{{ item.to }}"
+ with_items:
+ - {from: '^user (.+);$', to: 'user {{ www_user }};'}
+ notify: restart nginx
\ No newline at end of file
diff --git a/webserver/roles/php/defaults/main.yml b/webserver/roles/php/defaults/main.yml
new file mode 100644
index 0000000..47c5530
--- /dev/null
+++ b/webserver/roles/php/defaults/main.yml
@@ -0,0 +1,17 @@
+php_version: 8.1
+
+php_packages:
+ - php{{ php_version }}-common
+ - php{{ php_version }}-zip
+ - php{{ php_version }}-pdo
+ - php{{ php_version }}-mbstring
+ - php{{ php_version }}-tokenizer
+ - php{{ php_version }}-xml
+ - php{{ php_version }}-opcache
+ - php{{ php_version }}-mysql
+ - php{{ php_version }}-imap
+ - php{{ php_version }}-curl
+ - php{{ php_version }}-memcached
+ - php{{ php_version }}-intl
+ - php{{ php_version }}-gd
+ - php{{ php_version }}-bcmath
diff --git a/webserver/roles/php/handlers/main.yml b/webserver/roles/php/handlers/main.yml
new file mode 100644
index 0000000..31c1647
--- /dev/null
+++ b/webserver/roles/php/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart php-fpm
+ service:
+ name: php{{ php_version }}-fpm
+ state: restarted
diff --git a/webserver/roles/php/tasks/main.yml b/webserver/roles/php/tasks/main.yml
new file mode 100644
index 0000000..94bcbd8
--- /dev/null
+++ b/webserver/roles/php/tasks/main.yml
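Review bot: The `define www user as default user` task makes nginx worker processes run as `www_user`, the same account that the wwwuser role gives a login shell, an SSH key and ownership of the app directory; that removes the usual separation between the web server identity and the deploy identity, so a comment above the task stating the trade-off (a compromised worker can write anything the deploy user owns) is needed. The loop carries a single item, so `with_items` can go and the patterns can be inlined: `regexp: '^user (.+);$'` / `replace: 'user {{ www_user }};'`. `update_cache: yes` should be `true`. The file ends without a trailing newline (`\ No newline at end of file`); add one.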
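Review bot: `php_version: 8.1` is parsed as a float, so a later `8.10` would collapse to `8.1` and every `php{{ php_version }}-…` package name in this file would be wrong; quote it as `php_version: '8.1'`. A one-line comment above `php_packages` noting that each entry is templated from `php_version` and must exist in the `ondrej/php` PPA that the tasks add would help whoever bumps the version.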
@@ -0,0 +1,35 @@
+- name: add repository
+ apt_repository:
+ repo: ppa:ondrej/php
+ state: present
+ update_cache: yes
+
+- name: install package
+ apt:
+ name: "php{{ php_version }}-fpm"
+ state: present
+ update_cache: yes
+ install_recommends: no
+
+- name: install extensions
+ apt:
+ name: "{{ php_packages | list }}"
+ state: present
+ install_recommends: no
+
+- name: change default version
+ alternatives:
+ name: php
+ path: /usr/bin/php{{ php_version }}
+
+- name: define www user as php-fpm's default user
+ replace:
+ path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
+ regexp: '{{ item.from }}'
+ replace: "{{ item.to }}"
+ with_items:
+ - {from: '^user = (.+)$', to: 'user = {{ www_user }}'}
+ - {from: '^group = (.+)$', to: 'group = {{ www_user }}'}
+ - {from: '^listen.owner = (.+)$', to: 'listen.owner = {{ www_user }}'}
+ - {from: '^listen.group = (.+)$', to: 'listen.group = {{ www_user }}'}
+ notify: restart php-fpm
diff --git a/webserver/roles/wwwuser/defaults/main.yml b/webserver/roles/wwwuser/defaults/main.yml
new file mode 100644
index 0000000..474fa28
--- /dev/null
+++ b/webserver/roles/wwwuser/defaults/main.yml
@@ -0,0 +1,3 @@
+www_user: pilot
+www_group: pilot
+www_home: "/home/{{ www_user }}"
diff --git a/webserver/roles/wwwuser/tasks/main.yml b/webserver/roles/wwwuser/tasks/main.yml
new file mode 100644
index 0000000..0b76294
--- /dev/null
+++ b/webserver/roles/wwwuser/tasks/main.yml
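Review bot: The `add repository` task trusts the third-party `ppa:ondrej/php` archive for every package on the host, and `apt_repository` imports its signing key implicitly; a comment above the task recording why the distribution's PHP packages are not used and who maintains the PPA documents that trust decision for the next reviewer. `install_recommends: no` and `update_cache: yes` are YAML 1.1 truthy values; write `false` and `true`. In `install extensions`, `"{{ php_packages | list }}"` applies a no-op filter to a value that is already a list; `name: "{{ php_packages }}"` is equivalent. The four-item `with_items` on the last task would read as `loop:` in current Ansible.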
@@ -0,0 +1,37 @@
+- name: create wwwuser group
+ group:
+ name: "{{ www_group }}"
+ state: present
+ system: true
+
+- name: create wwwuser user
+ user:
+ name: "{{ www_user }}"
+ group: "{{ www_group }}"
+ comment: "Web user"
+ shell: /bin/bash
+ home: "{{ www_home }}"
+ system: true
+ state: present
+
+- name: set ssh authorized keys
+ authorized_key:
+ user: "{{ www_user }}"
+ key: "{{ item }}"
+ with_items:
+ - "{{ lookup('file', 'id.pub') }}"
+
+- name: create app's directory
+ file:
+ path: "{{ www_home }}/apps"
+ state: directory
+ owner: "{{ www_user }}"
+ group: "{{ www_group }}"
+
+- name: add permission to wwwuser to reload php-fpm
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload$'
+ line: '{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload'
+ validate: 'visudo -cf %s'
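Review bot: The `add permission to wwwuser to reload php-fpm` task edits `/etc/sudoers` in place with a `regexp` that embeds `php_version`, so bumping the version appends a new rule while the rule for the old version stays behind; managing a dedicated file under `/etc/sudoers.d/` with `template` or `copy` plus the same `validate: 'visudo -cf %s'` replaces the whole rule each run and leaves the main sudoers untouched. The `set ssh authorized keys` task loops over a single lookup; `key: "{{ lookup('file', 'id.pub') }}"` needs no `with_items`, and `exclusive: true` would make the managed key the only one accepted for the account — confirm that is the intent before adding it. `system: true` on an account that also receives `/bin/bash` and an SSH key is unusual; a comment stating whether the system-range UID is deliberate would help.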