feat: Webserver installation by Ansible

This commit is contained in:
William 2023-01-27 18:43:20 +01:00
parent 27df2eb01c
commit 9ee2c6d83f
15 changed files with 223 additions and 0 deletions

webserver/.gitignore vendored Normal file

@ -0,0 +1,2 @@
hosts.ini
*.pub

webserver/README.md Normal file

@ -0,0 +1,18 @@
# Install Webserver
## How to
Copy then change values of hosts example file
```bash
$ cp hosts.example.ini hosts.ini
```
Then run the playbook:
```bash
DBPASSWORD="$(date +%s | sha256sum | base64 | head -c 32 ; echo)"
ansible-playbook -i hosts.ini playbook.yml \
-e db_root_password=$DBPASSWORD
```


@ -0,0 +1,5 @@
[webservers]
example.com
[webservers:vars]
ansible_python_interpreter=/usr/bin/python3

webserver/playbook.yml Normal file

@ -0,0 +1,19 @@
---
- hosts: webservers
become: true
pre_tasks:
- name: install commons
apt:
name:
- python3-pip
update_cache: yes
roles:
- {role: nginx, tags: nginx}
- {role: wwwuser, tags: wwwuser}
- {role: certbot, tags: certbot}
- {role: php, tags: php}
- {role: mariadb, tags: mariadb}
- {role: firewall, tags: firewall}
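Review bot: `update_cache: yes` on the `install commons` pre_task is a YAML 1.1 truthy spelling; write `update_cache: true` so generic YAML tooling, yamllint and ansible-lint all agree on the type. The same `yes`/`no` spellings appear in the certbot, mariadb, nginx and php task files (`update_cache`, `enabled`, `install_recommends`) and would take the same fix. The role entries are flow mappings; block style (`- role: nginx` followed by `tags: nginx`) is valid too and diffs more cleanly, though this is purely a matter of style.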


@ -0,0 +1,17 @@
- name: install letsencrypt
apt:
name:
- letsencrypt
- python3-certbot-nginx
state: present
update_cache: yes
- name: create letsencrypt's challenge directory
file:
name: /var/www/letsencrypt
state: directory
- name: generate letsencrypt's dhparams
shell: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
args:
creates: /etc/letsencrypt/ssl-dhparams.pem
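Review bot: The `generate letsencrypt's dhparams` task uses `shell` although the command needs no shell features; `command: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048` with the same `creates` guard removes the shell interpretation step. Nothing visible in this section requests a certificate or points nginx at `/var/www/letsencrypt`, so unless that is done elsewhere the challenge directory and dhparams are prepared but TLS is never actually enabled; a comment such as `# certificate issuance is expected to be run manually after the playbook` would make that intent explicit. The file header is not shown for this section, so I am assuming it is the certbot role's task file.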


@ -0,0 +1,14 @@
- name: allow ssh
ufw:
rule: allow
name: OpenSSH
- name: allow http/https
ufw:
rule: allow
name: Nginx Full
- name: enable and deny by default
ufw:
state: enabled
default: deny
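Review bot: The `enable and deny by default` task sets `default: deny` without a `direction`; adding `direction: incoming` states the intended policy explicitly instead of relying on the module default. The two allow rules reference the `OpenSSH` and `Nginx Full` application profiles, which only exist once openssh-server and nginx are installed; that holds in a full run because the firewall role is listed last in playbook.yml, but running this role alone with `--tags firewall` on a fresh host would likely fail on the unknown profile, so a comment like `# requires the nginx role: uses the 'Nginx Full' ufw app profile` is worth adding. Since SSH is the only management path that is opened, `rule: limit` on the OpenSSH rule would rate-limit repeated connection attempts without changing reachability.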


@ -0,0 +1,30 @@
- name: install
apt:
name:
- mariadb-server
- libmysqlclient-dev
state: present
update_cache: yes
- name: install python client
pip:
name: mysqlclient
state: present
- name: ensure service is start
service:
name: mysql
state: started
enabled: yes
- name: change root password
mysql_user:
name: root
password: '{{ db_root_password }}'
host: 'localhost'
- name: write root credentials
template:
src: my.cnf.j2
dest: /root/.my.cnf
mode: '0600'
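Review bot: The `change root password` and `write root credentials` tasks handle `db_root_password` but neither sets `no_log: true`, so the password can surface in verbose output and in the task result recorded by callbacks; add `no_log: true` to both. The credentials file is written only after the password has been changed, so a failure between the two tasks leaves a host whose root password is set but not recorded in `/root/.my.cnf`; writing the file first, or passing `login_unix_socket` to `mysql_user`, makes the play safer to re-run. The variable is expected on the command line per the README, where the suggested value is derived from `date +%s` and is therefore predictable from the run time; a note pointing at a real generator (e.g. `openssl rand -base64 24`) or a vault-stored variable belongs in the README. The task name `ensure service is start` should read `ensure service is started`.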


@ -0,0 +1,3 @@
[client]
user=root
password={{ db_root_password }}
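Review bot: The `password=` line is unquoted, so a password containing `#` or leading/trailing whitespace is read incorrectly by the MySQL client option parser; write it as `password="{{ db_root_password }}"` (option files accept double-quoted values). The generator shown in the README happens to yield base64 characters only, but the template should not depend on that.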


@ -0,0 +1,4 @@
- name: restart nginx
service:
name: nginx
state: restarted


@ -0,0 +1,15 @@
- name: install nginx
apt:
name:
- nginx
state: present
update_cache: yes
- name: define www user as default user
replace:
path: "/etc/nginx/nginx.conf"
regexp: '{{ item.from }}'
replace: "{{ item.to }}"
with_items:
- {from: '^user (.+);$', to: 'user {{ www_user }};'}
notify: restart nginx
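Review bot: The `define www user as default user` task rewrites the `user` directive to `{{ www_user }}` while the nginx role runs before the wwwuser role in playbook.yml, so that account does not exist yet at that point; a full run works only because the `restart nginx` handler fires at the end of the play, and running with `--tags nginx` alone would likely leave nginx unable to start with an unknown user. Worth a comment on the task: `# relies on the wwwuser role creating {{ www_user }} before handlers run`. Also consider whether the nginx worker processes should run as the same account that owns the application tree and holds a sudo rule (see the wwwuser tasks); keeping nginx on its packaged user and granting it read access is the more conventional least-privilege split. The single-item `with_items` loop could be a plain `regexp`/`replace` pair.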


@ -0,0 +1,17 @@
php_version: 8.1
php_packages:
- php{{ php_version }}-common
- php{{ php_version }}-zip
- php{{ php_version }}-pdo
- php{{ php_version }}-mbstring
- php{{ php_version }}-tokenizer
- php{{ php_version }}-xml
- php{{ php_version }}-opcache
- php{{ php_version }}-mysql
- php{{ php_version }}-imap
- php{{ php_version }}-curl
- php{{ php_version }}-memcached
- php{{ php_version }}-intl
- php{{ php_version }}-gd
- php{{ php_version }}-bcmath
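Review bot: `php_version: 8.1` is parsed as a YAML float, so a value such as `8.10` would silently become `8.1` and every package name and path built from it would be wrong; quote it as `php_version: "8.1"` so it is always a string. The list entries that interpolate it are fine as plain scalars because the template expression does not start the value.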


@ -0,0 +1,4 @@
- name: restart php-fpm
service:
name: php{{ php_version }}-fpm
state: restarted


@ -0,0 +1,35 @@
- name: add repository
apt_repository:
repo: ppa:ondrej/php
state: present
update_cache: yes
- name: install package
apt:
name: "php{{ php_version }}-fpm"
state: present
update_cache: yes
install_recommends: no
- name: install extensions
apt:
name: "{{ php_packages | list }}"
state: present
install_recommends: no
- name: change default version
alternatives:
name: php
path: /usr/bin/php{{ php_version }}
- name: define www user as php-fpm's default user
replace:
path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
regexp: '{{ item.from }}'
replace: "{{ item.to }}"
with_items:
- {from: '^user = (.+)$', to: 'user = {{ www_user }}'}
- {from: '^group = (.+)$', to: 'group = {{ www_user }}'}
- {from: '^listen.owner = (.+)$', to: 'listen.owner = {{ www_user }}'}
- {from: '^listen.group = (.+)$', to: 'listen.group = {{ www_user }}'}
notify: restart php-fpm
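Review bot: In the `define www user as php-fpm's default user` task, the patterns `^listen.owner = (.+)$` and `^listen.group = (.+)$` use an unescaped `.`, which matches any character; `^listen\.owner = (.+)$` and `^listen\.group = (.+)$` are what is meant. The `add repository` task pulls from the third-party `ppa:ondrej/php` archive without pinning; that is a common choice, but it extends the trust boundary to that PPA, and a comment stating why the distribution packages are not used would help the next maintainer. In `install extensions`, `name: "{{ php_packages | list }}"` applies a redundant `| list` filter to a value that is already a list.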


@ -0,0 +1,3 @@
www_user: pilot
www_group: pilot
www_home: "/home/{{ www_user }}"


@ -0,0 +1,37 @@
- name: create wwwuser group
group:
name: "{{ www_group }}"
state: present
system: true
- name: create wwwuser user
user:
name: "{{ www_user }}"
group: "{{ www_group }}"
comment: "Web user"
shell: /bin/bash
home: "{{ www_home }}"
system: true
state: present
- name: set ssh authorized keys
authorized_key:
user: "{{ www_user }}"
key: "{{ item }}"
with_items:
- "{{ lookup('file', 'id.pub') }}"
- name: create app's directory
file:
path: "{{ www_home }}/apps"
state: directory
owner: "{{ www_user }}"
group: "{{ www_group }}"
- name: add permission to wwwuser to reload php-fpm
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload$'
line: '{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload'
validate: 'visudo -cf %s'
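Review bot: The `add permission to wwwuser to reload php-fpm` task edits `/etc/sudoers` in place with `lineinfile`; `validate: 'visudo -cf %s'` guards against syntax errors, but a drop-in under `/etc/sudoers.d/` with mode `0440` is easier to audit and remove and leaves the distribution-managed file untouched. The `regexp` also contains an unescaped `.` from `php{{ php_version }}` that matches any character; harmless here, and the drop-in needs no regex at all. The section header reports 37 lines and fewer are visible, so I am assuming this is the last task of the file. The account is created with `system: true` yet gets a login shell and an SSH key, which is a deliberate choice worth a one-line comment on the `create wwwuser user` task.
```yaml
- name: add permission to wwwuser to reload php-fpm
  copy:
    dest: "/etc/sudoers.d/{{ www_user }}"
    content: "{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload\n"
    owner: root
    group: root
    mode: '0440'
    validate: 'visudo -cf %s'
```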