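---
# file: webservers.yml
#
# Provisions three host groups:
#   all   - package updates and a default-deny UFW baseline
#   mysql - MySQL backend for the kuvia application
#   web   - nginx + php-fpm frontends running the kuvia Laravel app
#   pweb  - additional nginx vhost/certificate for an extra hostname
#
# Required variables (inventory / group_vars; keep secrets in ansible-vault):
#   kuvia_db_password  - password of the 'kuvia' MySQL user. This used to be a
#                        plain-text literal in this file; never commit it again.
#   domain             - public hostname served by the 'web' hosts
#   http_domain        - public hostname served by the 'pweb' hosts

- hosts: all
  vars:
    # Only this one range is whitelisted on every host; it is NOT "all RFC1918
    # space" as the old task name claimed.
    trusted_src_cidr: '10.114.0.0/20'
  tasks:
    - name: Update all packages to their latest version
      apt:
        name: "*"
        state: latest
        update_cache: true

    - name: Rate-limit inbound SSH (brute-force mitigation)
      community.general.ufw:
        rule: limit
        port: ssh
        proto: tcp

    - name: Allow unrestricted access from the trusted internal network
      community.general.ufw:
        rule: allow
        src: "{{ trusted_src_cidr }}"

    - name: Enable UFW with a default-deny inbound policy
      community.general.ufw:
        state: enabled
        policy: deny

- hosts: mysql
  tasks:
    - name: Install mysql-server
      apt:
        name: mysql-server
        state: present

    - name: Install python3-pip
      apt:
        name: python3-pip
        state: present

    - name: Install PyMySQL python package (required by the community.mysql modules)
      pip:
        name: PyMySQL

    - name: Create database user 'kuvia' with all privileges on the 'kuvia' database
      community.mysql.mysql_user:
        name: kuvia
        # Secret is injected from a variable (ansible-vault), never a literal.
        password: "{{ kuvia_db_password }}"
        # '%' lets this account log in from any source host. Because mysqld is
        # bound to 0.0.0.0 below, reachability is bounded only by the UFW rule
        # for trusted_src_cidr in the 'all' play. Narrow this to the web
        # hosts' subnet pattern if the topology allows.
        host: "%"
        priv: 'kuvia.*:ALL'
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock
      # Keep the password out of task output, logs and callback plugins.
      no_log: true

    - name: Create database 'kuvia'
      community.mysql.mysql_db:
        name: kuvia
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock

    - name: Bind mysqld to all interfaces so the web hosts can reach it
      ansible.builtin.replace:
        path: /etc/mysql/mysql.conf.d/mysqld.cnf
        regexp: '^bind-address\s*=.*$'
        replace: 'bind-address = 0.0.0.0'

    - name: Restart mysql to pick up the new bind-address
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: true
        name: mysql

- hosts: web
  vars:
    # Distro PHP release; used for the php.ini path and the php-fpm unit name.
    php_version: "7.4"
    app_dir: /var/www/kuvia
    # Official composer installer and the SHA-384 the Composer project
    # publishes for it.
    composer_installer_url: https://getcomposer.org/installer
    composer_installer_sig_url: https://composer.github.io/installer.sig
  tasks:
    - name: Install nginx, git, php-fpm and the PHP extensions kuvia needs
      apt:
        name:
          - nginx
          - git
          - php-fpm
          - php-cli
          - php-simplexml
          - php-mbstring
          - php-gd
          - php-mysql
          - unzip
          - php-zip
        state: present

    - name: Check whether /bin/composer already exists
      stat:
        path: /bin/composer
      register: stat_result

    - name: Download the composer installer
      get_url:
        url: "{{ composer_installer_url }}"
        dest: /tmp/composer-setup.php
        mode: '0440'
        # The installer is executed as root in the next task, so verify it
        # against the published SHA-384 rather than trusting whatever the
        # download returned. The lookup fetches the signature on the
        # controller.
        checksum: "sha384:{{ lookup('ansible.builtin.url', composer_installer_sig_url) | trim }}"
      when: not stat_result.stat.exists

    - name: Install composer into /bin
      # No shell features are used, so 'command' avoids a shell interpreter.
      ansible.builtin.command: php /tmp/composer-setup.php --install-dir=/bin --filename=composer
      args:
        creates: /bin/composer
      when: not stat_result.stat.exists

    - name: Check out the kuvia application
      git:
        repo: 'https://git.keks.cloud/kekskurse/kuvia.git'
        dest: "{{ app_dir }}"
        # NOTE(review): no 'version' is pinned, so each run deploys the tip of
        # the repository's default branch; pin a tag or commit for
        # reproducible, reviewable deploys.
        update: true

    - name: Make the storage directory writable by the php-fpm user
      ansible.builtin.file:
        path: "{{ app_dir }}/storage"
        owner: www-data
        group: www-data
        recurse: true
        state: directory

    - name: Install PHP dependencies declared in composer.json
      community.general.composer:
        command: install
        working_dir: "{{ app_dir }}"
      environment:
        # composer refuses to run as root without this.
        COMPOSER_ALLOW_SUPERUSER: "1"

    - name: Render the application .env (holds the database credentials)
      ansible.builtin.template:
        src: env.j2
        dest: "{{ app_dir }}/.env"
        owner: root
        group: www-data
        # Not world-readable: only root and the php-fpm user (group) may read
        # the secrets in this file. The old 0644 exposed them to every local
        # account.
        mode: '0640'

    - name: Run database migrations as the application user
      ansible.builtin.command: php artisan migrate --force
      args:
        chdir: "{{ app_dir }}"
      become: true
      become_user: www-data
      tags:
        - debug

    - name: Allow inbound HTTP
      community.general.ufw:
        rule: allow
        port: '80'
        proto: tcp

    - name: Allow inbound HTTPS
      community.general.ufw:
        rule: allow
        port: '443'
        proto: tcp

    - name: Check whether a Let's Encrypt certificate already exists
      stat:
        path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
      register: ssl_result

    - name: Render the kuvia nginx vhost (plain HTTP until a certificate exists)
      ansible.builtin.template:
        src: nginx.j2
        dest: /etc/nginx/sites-available/kuvia
        owner: root
        group: root
        mode: '0644'
      vars:
        ssl: "{{ ssl_result.stat.exists }}"

    - name: Enable the kuvia vhost
      ansible.builtin.file:
        src: /etc/nginx/sites-available/kuvia
        dest: /etc/nginx/sites-enabled/kuvia
        state: link

    - name: Restart nginx
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: false
        name: nginx

    - name: Run the Laravel scheduler every minute
      ansible.builtin.cron:
        name: laravelcron
        user: www-data
        job: "php {{ app_dir }}/artisan schedule:run"

    - name: Raise upload_max_filesize for php-fpm
      ansible.builtin.replace:
        path: "/etc/php/{{ php_version }}/fpm/php.ini"
        regexp: '^upload_max_filesize\s*=.*$'
        replace: 'upload_max_filesize = 100M'

    - name: Raise post_max_size for php-fpm
      ansible.builtin.replace:
        path: "/etc/php/{{ php_version }}/fpm/php.ini"
        regexp: '^post_max_size\s*=.*$'
        replace: 'post_max_size = 100M'

    - name: Restart php-fpm to apply the php.ini changes
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: false
        name: "php{{ php_version }}-fpm"

    - name: Install certbot and its nginx plugin
      apt:
        name:
          - certbot
          - python3-certbot-nginx
        state: present

    - name: Obtain a Let's Encrypt certificate (first run only)
      ansible.builtin.command: "certbot --nginx -d {{ domain }} -n --agree-tos -m hello@kekskurse.de"
      when: not ssl_result.stat.exists

    - name: Re-check the certificate so the final vhost is rendered with TLS
      # Without this the template below would reuse the pre-certbot result
      # and silently render a plain-HTTP vhost on the first run.
      stat:
        path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
      register: ssl_result

    - name: Render the kuvia_main nginx vhost
      # NOTE(review): this vhost is not linked into sites-enabled in this play
      # (the pweb play does link it); confirm whether that is intended.
      ansible.builtin.template:
        src: nginx.j2
        dest: /etc/nginx/sites-available/kuvia_main
        owner: root
        group: root
        mode: '0644'
      vars:
        ssl: "{{ ssl_result.stat.exists }}"

    - name: Restart nginx
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: false
        name: nginx

- hosts: pweb
  tasks:
    - name: Show the hostname this play configures
      ansible.builtin.debug:
        msg: "Domain: {{ http_domain }}"

    - name: Check whether a Let's Encrypt certificate already exists
      stat:
        path: "/etc/letsencrypt/live/{{ http_domain }}/privkey.pem"
      register: ssl_result

    - name: Render the kuvia_main nginx vhost (plain HTTP until a certificate exists)
      ansible.builtin.template:
        src: nginx.j2
        dest: /etc/nginx/sites-available/kuvia_main
        owner: root
        group: root
        mode: '0644'
      vars:
        ssl: "{{ ssl_result.stat.exists }}"
        domain: "{{ http_domain }}"

    - name: Enable the kuvia_main vhost
      ansible.builtin.file:
        src: /etc/nginx/sites-available/kuvia_main
        dest: /etc/nginx/sites-enabled/kuvia_main
        state: link

    - name: Restart nginx so certbot can find the server block
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: false
        name: nginx

    - name: Obtain a Let's Encrypt certificate (first run only)
      ansible.builtin.command: "certbot --nginx -d {{ http_domain }} -n --agree-tos -m hello@kekskurse.de"
      when: not ssl_result.stat.exists

    - name: Re-check the certificate so the final vhost is rendered with TLS
      stat:
        path: "/etc/letsencrypt/live/{{ http_domain }}/privkey.pem"
      register: ssl_result

    - name: Render the kuvia_main nginx vhost with TLS enabled
      ansible.builtin.template:
        src: nginx.j2
        dest: /etc/nginx/sites-available/kuvia_main
        owner: root
        group: root
        mode: '0644'
      vars:
        ssl: "{{ ssl_result.stat.exists }}"
        domain: "{{ http_domain }}"

    - name: Restart nginx
      ansible.builtin.systemd:
        state: restarted
        daemon_reload: false
        name: nginx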