From 33273003fac3cd5dbf3bb091de4891972e8b2b8b Mon Sep 17 00:00:00 2001 From: Brandon Shipley Date: Wed, 10 Apr 2024 01:10:58 -0700 Subject: [PATCH] bring in playbooks + requirements file + update .gitignore --- .gitignore | 5 +- deploy/cakephp/deploy.yml | 5 ++ deploy/cakephp/hooks/after_code_update.yml | 42 ++++++++++ deploy/cakephp/hooks/after_symlink_shared.yml | 59 +++++++++++++ .../cakephp/templates/config/app_local.php.j2 | 82 +++++++++++++++++++ deploy/gitea/gitea.yml | 47 +++++++++++ deploy/gitea/templates/docker-compose.yml.j2 | 46 +++++++++++ deploy/gitea/templates/nginx.conf.j2 | 35 ++++++++ deploy/gitea/templates/ssh-shell.j2 | 6 ++ deploy/octoprint.yml | 7 ++ deploy/rocketchat.yml | 14 ++++ provision/initialize_server.yml | 61 ++++++++++++++ provision/linode/check_server_linode.yml | 7 ++ provision/linode/create_server_linode.yml | 45 ++++++++++ provision/linode/destroy_server_linode.yml | 10 +++ requirements.yml | 24 ++++++ software/apache.yml | 13 +++ software/certbot.yml | 3 + software/docker.yml | 13 +++ software/haproxy.yml | 4 + software/mysql.yml | 4 + software/php.yml | 9 ++ software/redis.yml | 3 + tools/read_log.yml | 8 ++ 24 files changed, 551 insertions(+), 1 deletion(-) create mode 100644 deploy/cakephp/deploy.yml create mode 100644 deploy/cakephp/hooks/after_code_update.yml create mode 100644 deploy/cakephp/hooks/after_symlink_shared.yml create mode 100644 deploy/cakephp/templates/config/app_local.php.j2 create mode 100644 deploy/gitea/gitea.yml create mode 100644 deploy/gitea/templates/docker-compose.yml.j2 create mode 100755 deploy/gitea/templates/nginx.conf.j2 create mode 100644 deploy/gitea/templates/ssh-shell.j2 create mode 100644 deploy/octoprint.yml create mode 100644 deploy/rocketchat.yml create mode 100644 provision/initialize_server.yml create mode 100644 provision/linode/check_server_linode.yml create mode 100644 provision/linode/create_server_linode.yml create mode 100644 provision/linode/destroy_server_linode.yml create mode 100644 requirements.yml create mode 100644 software/apache.yml create mode 100644 software/certbot.yml create mode 100644 software/docker.yml create mode 100644 software/haproxy.yml create mode 100644 software/mysql.yml create mode 100644 software/php.yml create mode 100644 software/redis.yml create mode 100644 tools/read_log.yml diff --git a/.gitignore b/.gitignore index 5c199eb..bc073b1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ # ---> Ansible *.retry - +backups +roles/* +./roles +.idea \ No newline at end of file diff --git a/deploy/cakephp/deploy.yml b/deploy/cakephp/deploy.yml new file mode 100644 index 0000000..caefad1 --- /dev/null +++ b/deploy/cakephp/deploy.yml @@ -0,0 +1,5 @@ +--- +- name: Deploy cakephp app + hosts: deploy + roles: + - { role: ansistrano.deploy } diff --git a/deploy/cakephp/hooks/after_code_update.yml b/deploy/cakephp/hooks/after_code_update.yml new file mode 100644 index 0000000..18688b4 --- /dev/null +++ b/deploy/cakephp/hooks/after_code_update.yml @@ -0,0 +1,42 @@ +--- +- name: Make way for shared paths / resources shared across releases + file: + state=absent + path={{ansistrano_release_path.stdout}}/{{item}} + with_items: ansistrano_shared_paths + +- name: Add app_local.php config file + template: + dest: "{{ ansistrano_release_path.stdout }}/config/app_local.php" + src: config/app_local.php.j2 + +- name: Set the permissions on {{ ansistrano_release_path.stdout }} + become: yes + file: + path: "{{ ansistrano_release_path.stdout }}" + state: directory +# mode: 0750 + owner: "{{ create_user }}" + group: www-data + recurse: yes + +- name: composer install dependencies + become: no + community.general.composer: + command: install + working_dir: "{{ ansistrano_release_path.stdout }}" + prefer_dist: yes + no_dev: false + +- name: run cakephp script - {{ item.name }} + command: bin/cake {{ item.script }} + args: + chdir: "{{ ansistrano_release_path.stdout }}" + loop: "{{ cakephp_deploy_scripts }}" + +#When writing your custom tasks files you may need some variables that Ansistrano makes available to you: +# +#{{ ansistrano_release_path.stdout }}: Path to current deployment release (probably the one you are going to use the most) +#{{ ansistrano_releases_path }}: Path to releases folder +#{{ ansistrano_shared_path }}: Path to shared folder (where common releases assets can be stored) +#{{ ansistrano_release_version }}: Relative directory name for the release (by default equals to the current timestamp in UTC timezone) diff --git a/deploy/cakephp/hooks/after_symlink_shared.yml b/deploy/cakephp/hooks/after_symlink_shared.yml new file mode 100644 index 0000000..9dcc358 --- /dev/null +++ b/deploy/cakephp/hooks/after_symlink_shared.yml @@ -0,0 +1,59 @@ +--- +- name: Set the permissions on {{ ansistrano_shared_path }} + become: yes + file: + path: "{{ ansistrano_shared_path }}" + state: directory +# mode: 0750 + owner: "{{ create_user }}" + group: www-data + recurse: yes + +- name: Set the permissions on {{ ansistrano_release_path.stdout }} + become: yes + file: + path: "{{ ansistrano_release_path.stdout }}" + state: directory +# mode: 0750 + owner: "{{ create_user }}" + group: www-data + recurse: yes + +- name: composer install dependencies + become: no + community.general.composer: + command: install + working_dir: "{{ ansistrano_release_path.stdout }}" + prefer_dist: yes + no_dev: false + +- name: Set permissions on tmp and logs + ansible.posix.acl: + path: "{{ ansistrano_shared_path }}/{{item}}" + entity: www-data + etype: group + permissions: rwx + default: yes + state: present + with_items: + - tmp + - logs + +- name: Set permissions on tmp and logs in {{ ansistrano_release_path.stdout }} + ansible.posix.acl: + path: "{{ ansistrano_release_path.stdout }}/{{item}}" + entity: www-data + etype: group + permissions: rwx + default: yes + state: present + with_items: + - tmp + - logs + +#When writing your custom tasks files you may need some variables that Ansistrano makes available to you: +# +#{{ ansistrano_release_path.stdout }}: Path to current deployment release (probably the one you are going to use the most) +#{{ ansistrano_releases_path }}: Path to releases folder +#{{ ansistrano_shared_path }}: Path to shared folder (where common releases assets can be stored) +#{{ ansistrano_release_version }}: Relative directory name for the release (by default equals to the current timestamp in UTC timezone) diff --git a/deploy/cakephp/templates/config/app_local.php.j2 b/deploy/cakephp/templates/config/app_local.php.j2 new file mode 100644 index 0000000..157fe4e --- /dev/null +++ b/deploy/cakephp/templates/config/app_local.php.j2 @@ -0,0 +1,82 @@ + '{{ domain_name }}', + 'DebugKit.safeTld' => ['is'], + /* + * Debug Level: + * + * Production Mode: + * false: No error messages, errors, or warnings shown. + * + * Development Mode: + * true: Errors and warnings shown. + */ + 'debug' => filter_var(env('DEBUG', true), FILTER_VALIDATE_BOOLEAN), + + /* + * Security and encryption configuration + * + * - salt - A random string used in security hashing methods. + * The salt value is also used as the encryption key. + * You should treat it as extremely sensitive data. + */ + 'Security' => [ + 'salt' => env('SECURITY_SALT', '__SALT__'), + ], + + /* + * Connection information used by the ORM to connect + * to your application's datastores. + * + * See app.php for more configuration options. + */ + 'Datasources' => [ + 'default' => [ + 'host' => 'localhost', + /* + * CakePHP will use the default DB port based on the driver selected + * MySQL on MAMP uses port 8889, MAMP users will want to uncomment + * the following line and set the port accordingly + */ + //'port' => 'non_standard_port_number', + + 'username' => '{{ cakephp_db_user }}', + 'password' => '{{ cakephp_db_password }}', + 'database' => '{{ cakephp_db_database }}', + /* + * If not using the default 'public' schema with the PostgreSQL driver + * set it here. + */ + //'schema' => 'myapp', + + /* + * You can use a DSN string to set the entire configuration + */ + 'url' => env('DATABASE_URL', null), + ], + ], + + /* + * Email configuration. + * + * Host and credential configuration in case you are using SmtpTransport + * + * See app.php for more configuration options. + */ + 'EmailTransport' => [ + 'default' => [ + 'host' => 'localhost', + 'port' => 25, + 'username' => null, + 'password' => null, + 'client' => null, + 'url' => env('EMAIL_TRANSPORT_DEFAULT_URL', null), + ], + ], +]; diff --git a/deploy/gitea/gitea.yml b/deploy/gitea/gitea.yml new file mode 100644 index 0000000..ee488c5 --- /dev/null +++ b/deploy/gitea/gitea.yml @@ -0,0 +1,47 @@ +- name: "Install gitea" + hosts: gitea + tasks: + # User + Key Setup + - name: Create a new regular user with sudo privileges + user: + name: git + state: present + groups: docker + append: true + create_home: true + shell: /home/git/ssh-shell + + - name: Creates directory structure for gitea data + file: + path: /home/{{ create_user }}/gitea + state: directory + owner: "{{ create_user }}" + group: "{{ create_user }}" + mode: 0775 + + - name: Creates backup directory outside of docker volumes to move dumps more easily off of server + file: + path: /home/{{ create_user }}/backups + state: directory + owner: "{{ create_user }}" + group: "{{ create_user }}" + mode: 0775 + + - name: copy ssh-shell file for git user to server (from template) + template: + src: templates/ssh-shell.j2 + owner: git + group: git + mode: 0750 + dest: /home/git/ssh-shell + + - name: copy docker compose to server (from template) + template: + src: templates/docker-compose.yml.j2 + dest: /home/{{ create_user }}/gitea/docker-compose.yml + + - name: docker compose up + docker_compose: + project_src: /home/{{ create_user }}/gitea/ + state: present + register: __gitea diff --git a/deploy/gitea/templates/docker-compose.yml.j2 b/deploy/gitea/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..e041c79 --- /dev/null +++ b/deploy/gitea/templates/docker-compose.yml.j2 @@ -0,0 +1,46 @@ +version: "3" + +networks: + gitea: + external: false + +volumes: + gitea: + driver: local + +services: + server: + image: gitea/gitea:1.21.7 + container_name: gitea + environment: + - GITEA__database__DB_TYPE=mysql + - GITEA__database__DB_HOST=db:3306 + - GITEA__database__DB_NAME=gitea + - GITEA__database__DB_USER=gitea + - GITEA__database__DB_PASSWD=gitea + - GITEA__service__DISABLE_REGISTRATION=true + + restart: always + networks: + - gitea + volumes: + - gitea:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "3000:3000" + - "2222:22" + depends_on: + - db + db: + image: mysql:8 + restart: always + environment: + - MYSQL_ROOT_PASSWORD=gitea + - MYSQL_USER=gitea + - MYSQL_PASSWORD=gitea + - MYSQL_DATABASE=gitea + networks: + - gitea + volumes: + - ./mysql:/var/lib/mysql diff --git a/deploy/gitea/templates/nginx.conf.j2 b/deploy/gitea/templates/nginx.conf.j2 new file mode 100755 index 0000000..4785719 --- /dev/null +++ b/deploy/gitea/templates/nginx.conf.j2 @@ -0,0 +1,35 @@ +# Upstreams +upstream backend { + server 127.0.0.1:3000; +} + +# HTTPS Server +server { + listen 443; + server_name {{ domain_name }}; + + # You can increase the limit if your need to. + client_max_body_size 200M; + + error_log /var/log/nginx/gitea.access.log; + + ssl on; + ssl_certificate /etc/nginx/gitea.crt; + ssl_certificate_key /etc/nginx/gitea.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE + + location / { + proxy_pass http://backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Nginx-Proxy true; + + proxy_redirect off; + } +} diff --git a/deploy/gitea/templates/ssh-shell.j2 b/deploy/gitea/templates/ssh-shell.j2 new file mode 100644 index 0000000..4a0b4c0 --- /dev/null +++ b/deploy/gitea/templates/ssh-shell.j2 @@ -0,0 +1,6 @@ +#!/bin/sh +shift +ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@" +EOF +sudo chmod +x /home/git/ssh-shell +sudo usermod -s /home/git/ssh-shell git diff --git a/deploy/octoprint.yml b/deploy/octoprint.yml new file mode 100644 index 0000000..2c366e5 --- /dev/null +++ b/deploy/octoprint.yml @@ -0,0 +1,7 @@ +- hosts: octoprint + become: yes + vars: + pip_install_packages: + - name: OctoPrint + roles: + - geerlingguy.pip diff --git a/deploy/rocketchat.yml b/deploy/rocketchat.yml new file mode 100644 index 0000000..dc97d9a --- /dev/null +++ b/deploy/rocketchat.yml @@ -0,0 +1,14 @@ +- hosts: rocketchat +# vars_files: +# - vars/main.yml + + become: true + vars: + pip_install_packages: + - name: "docker==6.1.3" + - name: docker-compose + roles: + - { role: geerlingguy.pip } + - { role: geerlingguy.docker } + - { role: ansible-role-rocketchat } + diff --git a/provision/initialize_server.yml b/provision/initialize_server.yml new file mode 100644 index 0000000..9becb9a --- /dev/null +++ b/provision/initialize_server.yml @@ -0,0 +1,61 @@ +- name: Initialize System + hosts: all + user: root + tasks: + - name: Install Prerequisites + apt: name=aptitude update_cache=yes state=latest force_apt_get=yes + + # Sudo Group Setup + - name: Make sure we have a 'wheel' group + group: + name: wheel + state: present + + - name: Allow 'wheel' group to have passwordless sudo + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%wheel' + line: '%wheel ALL=(ALL) NOPASSWD: ALL' + validate: '/usr/sbin/visudo -cf %s' + + # User + Key Setup + - name: Create a new regular user with sudo privileges + user: + name: "{{ create_user }}" + state: present + groups: wheel + append: true + create_home: true + shell: /bin/bash + + - name: Set authorized key for remote user + authorized_key: + user: "{{ create_user }}" + state: present + key: "{{ copy_local_key }}" + + - name: Set authorized key for remote user + authorized_key: + user: root + state: present + key: "{{ copy_local_key }}" + + # Install Packages + - name: Update apt + apt: update_cache=yes + + - name: Install required system packages + apt: name={{ sys_packages }} state=latest + + # UFW Setup + - name: UFW - Allow SSH connections + ufw: + rule: allow + name: OpenSSH + + - name: UFW - Deny all other incoming traffic by default + ufw: + state: enabled + policy: deny + direction: incoming diff --git a/provision/linode/check_server_linode.yml b/provision/linode/check_server_linode.yml new file mode 100644 index 0000000..10dbebe --- /dev/null +++ b/provision/linode/check_server_linode.yml @@ -0,0 +1,7 @@ +- name: Check Linode Instance + hosts: linode + tasks: + - name: Check a Linode instance + linode.cloud.instance_info: + api_token: "{{ api_token }}" + label: "{{ server_name }}" diff --git a/provision/linode/create_server_linode.yml b/provision/linode/create_server_linode.yml new file mode 100644 index 0000000..b1af1e9 --- /dev/null +++ b/provision/linode/create_server_linode.yml @@ -0,0 +1,45 @@ +- name: Create Linode Instance + hosts: localhost + gather_facts: false + tasks: + - name: Create a Linode virtual private cloud (VPC) + linode.cloud.vpc: + api_token: "{{ api_token }}" + label: "{{ vpc_name }}" + region: "{{ region }}" + state: present + #tags: "{{ server_tags }}" + register: _vpc_creation + + - name: Create a VPC Subnet + linode.cloud.vpc_subnet: + api_token: "{{ api_token }}" + vpc_id: "{{ _vpc_creation.vpc.id }}" + label: "{{ subnet_name }}" + ipv4: "{{ subnet_ipv4 }}" + state: present + register: _subnet_creation + + - name: Create a Linode instance + linode.cloud.instance: + api_token: "{{ api_token }}" + label: "{{ server_name }}" + type: "{{ instance_type }}" + region: "{{ region }}" + image: linode/ubuntu22.04 + root_pass: "{{ password }}" + authorized_keys: + - "{{ copy_local_key }}" + interfaces: + - purpose: public + - purpose: vpc + subnet_id: "{{ _subnet_creation.subnet.id }}" + + state: present + #tags: "{{ server_tags }}" + register: _linode_creation + + - set_fact: + server_status: "{{ _linode_creation.instance.status }}" + cloud_instance_ip: "{{ _linode_creation.instance.ipv4[0] }}" + diff --git a/provision/linode/destroy_server_linode.yml b/provision/linode/destroy_server_linode.yml new file mode 100644 index 0000000..607798a --- /dev/null +++ b/provision/linode/destroy_server_linode.yml @@ -0,0 +1,10 @@ +- name: Destroy an existing Linode Instance + hosts: localhost + gather_facts: false + tasks: + - name: Destroy a Linode instance + linode.cloud.instance: + api_token: "{{ api_token }}" + label: "{{ server_name }}" + state: absent + #tags: "{{ server_tags }}" diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..6e35f89 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,24 @@ +- src: https://github.com/Brandon1811/ansible-role-rocketchat.git + version: prod +- src: https://github.com/geerlingguy/ansible-role-docker.git +- src: https://github.com/geerlingguy/ansible-role-pip.git +- src: https://github.com/salessandri/ansible-monero +- src: https://github.com/geerlingguy/ansible-role-php + name: geerlingguy.php + version: master + +- name: geerlingguy.pip +- name: geerlingguy.composer +- name: geerlingguy.docker +- name: geerlingguy.php-versions +- name: geerlingguy.apache +- name: geerlingguy.redis +- name: geerlingguy.mysql +- name: geerlingguy.certbot +- name: geerlingguy.php-mysql +- name: robertdebock.bootstrap +- name: robertdebock.users +- name: ansistrano.deploy +- name: ansistrano.rollback +#- name: +# - src: /home/bsounder/code/ansible-role-azure.git diff --git a/software/apache.yml b/software/apache.yml new file mode 100644 index 0000000..6d3a144 --- /dev/null +++ b/software/apache.yml @@ -0,0 +1,13 @@ +- hosts: apache + become: yes +# vars_files: +# - vars/main.yml +# UFW Setup + tasks: + - name: UFW - Allow Apache connections + ufw: + rule: allow + name: 'Apache Full' + roles: + - { role: geerlingguy.apache } + diff --git a/software/certbot.yml b/software/certbot.yml new file mode 100644 index 0000000..98b49c6 --- /dev/null +++ b/software/certbot.yml @@ -0,0 +1,3 @@ +- hosts: certbot + roles: + - geerlingguy.certbot diff --git a/software/docker.yml b/software/docker.yml new file mode 100644 index 0000000..790a2a0 --- /dev/null +++ b/software/docker.yml @@ -0,0 +1,13 @@ +- hosts: docker +# vars_files: +# - vars/main.yml + + become: true + vars: + pip_install_packages: + - name: "docker==6.1.3" + - name: docker-compose + roles: + - { role: geerlingguy.pip } + - { role: geerlingguy.docker } + diff --git a/software/haproxy.yml b/software/haproxy.yml new file mode 100644 index 0000000..3f99e00 --- /dev/null +++ b/software/haproxy.yml @@ -0,0 +1,4 @@ +- hosts: haproxy + become: yes + roles: + - role: geerlingguy.haproxy diff --git a/software/mysql.yml b/software/mysql.yml new file mode 100644 index 0000000..35edce8 --- /dev/null +++ b/software/mysql.yml @@ -0,0 +1,4 @@ +- hosts: mysql + become: yes + roles: + - role: geerlingguy.mysql diff --git a/software/php.yml b/software/php.yml new file mode 100644 index 0000000..7087fc5 --- /dev/null +++ b/software/php.yml @@ -0,0 +1,9 @@ +- hosts: php + become: yes + roles: + - role: geerlingguy.php-versions + - role: geerlingguy.php + - role: geerlingguy.composer + become: false + tags: + - composer diff --git a/software/redis.yml b/software/redis.yml new file mode 100644 index 0000000..da44b6e --- /dev/null +++ b/software/redis.yml @@ -0,0 +1,3 @@ +- hosts: redis + roles: + - role: geerlingguy.redis diff --git a/tools/read_log.yml b/tools/read_log.yml new file mode 100644 index 0000000..8ffed12 --- /dev/null +++ b/tools/read_log.yml @@ -0,0 +1,8 @@ +- hosts: all + become: yes + gather_facts: false + tasks: + - name: Read specified log file + ansible.builtin.slurp: + src: "{{ log_name }}" + register: log_contents