285 lines
7.9 KiB
YAML
285 lines
7.9 KiB
YAML
---
|
|
# file: webservers.yml
|
|
- hosts: all
|
|
tasks:
|
|
- name: Update all packages to their latest version
|
|
apt:
|
|
name: "*"
|
|
state: latest
|
|
update_cache: yes
|
|
- community.general.ufw:
|
|
rule: limit
|
|
port: ssh
|
|
proto: tcp
|
|
- name: Allow all access from RFC1918 networks to this host
|
|
community.general.ufw:
|
|
rule: allow
|
|
src: '10.114.0.0/20'
|
|
- name: Allow everything and enable UFW
|
|
community.general.ufw:
|
|
state: enabled
|
|
policy: deny
|
|
- hosts: mysql
|
|
tasks:
|
|
- name: Install mysql-server
|
|
apt:
|
|
name: mysql-server
|
|
state: present
|
|
- name: Install python3-pip
|
|
apt:
|
|
name: python3-pip
|
|
state: present
|
|
- name: Install PyMySQL python package
|
|
pip:
|
|
name: PyMySQL
|
|
- name: Create database user with name 'kuvia' and password 'kuvia!2020@geheim' with all database privileges
|
|
community.mysql.mysql_user:
|
|
name: kuvia
|
|
password: kuvia!2020@geheim
|
|
host: "%"
|
|
priv: 'kuvia.*:ALL'
|
|
state: present
|
|
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
- name: Create a new database with name 'kuvia'
|
|
community.mysql.mysql_db:
|
|
name: kuvia
|
|
state: present
|
|
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
- name: Set Bindung for mysql
|
|
ansible.builtin.replace:
|
|
path: /etc/mysql/mysql.conf.d/mysqld.cnf
|
|
regexp: '^bind-address\s*=.*$'
|
|
replace: 'bind-address = 0.0.0.0'
|
|
- name: Restart mysql
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: yes
|
|
name: mysql
|
|
- hosts: web
|
|
tasks:
|
|
- name: Install nginx
|
|
apt:
|
|
name: nginx
|
|
state: present
|
|
- name: Install git
|
|
apt:
|
|
name: git
|
|
state: present
|
|
- name: Install php-fpm
|
|
apt:
|
|
name: php-fpm
|
|
state: present
|
|
- name: Install php-cli
|
|
apt:
|
|
name: php-cli
|
|
state: present
|
|
- name: Install php-simplexml
|
|
apt:
|
|
name: php-simplexml
|
|
state: present
|
|
- name: Install php-mbstring
|
|
apt:
|
|
name: php-mbstring
|
|
state: present
|
|
- name: Install php-gd
|
|
apt:
|
|
name: php-gd
|
|
state: present
|
|
- name: Install php-mysql
|
|
apt:
|
|
name: php-mysql
|
|
state: present
|
|
- name: Install unzip
|
|
apt:
|
|
name: unzip
|
|
state: present
|
|
- name: Install php-zip
|
|
apt:
|
|
name: php-zip
|
|
state: present
|
|
- name: Install imagemagick
|
|
apt:
|
|
name: imagemagick
|
|
state: present
|
|
- name: Install php-imagick
|
|
apt:
|
|
name: php-imagick
|
|
state: present
|
|
- name: Check that the /bin/composer exists
|
|
stat:
|
|
path: /bin/composer
|
|
register: stat_result
|
|
- name: Download foo.conf
|
|
get_url:
|
|
url: https://getcomposer.org/installer
|
|
dest: /tmp/composer-setup.php
|
|
mode: '0440'
|
|
when: not stat_result.stat.exists
|
|
- name: Execute the command in remote shell; stdout goes to the specified file on the remote
|
|
ansible.builtin.shell: php /tmp/composer-setup.php --install-dir=/bin --filename=composer
|
|
when: not stat_result.stat.exists
|
|
- name: Git checkout
|
|
git:
|
|
repo: 'https://git.keks.cloud/kekskurse/kuvia.git'
|
|
dest: /var/www/kuvia
|
|
update: yes
|
|
- name: Change file ownership, group and permissions
|
|
ansible.builtin.file:
|
|
path: /var/www/kuvia/storage
|
|
owner: www-data
|
|
group: www-data
|
|
recurse: yes
|
|
state: directory
|
|
- name: Download and installs all libs and dependencies outlined in the /var/www/kuvia
|
|
community.general.composer:
|
|
command: install
|
|
working_dir: /var/www/kuvia
|
|
environment:
|
|
- COMPOSER_ALLOW_SUPERUSER: 1
|
|
- name: Template a file to /etc/file.conf
|
|
ansible.builtin.template:
|
|
src: env.j2
|
|
dest: /var/www/kuvia/.env
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
- name: Artisan migration
|
|
ansible.builtin.shell: php artisan migrate --force
|
|
args:
|
|
chdir: /var/www/kuvia
|
|
become: yes
|
|
become_user: www-data
|
|
tags:
|
|
- debug
|
|
- name: Allow all access to tcp port 80
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '80'
|
|
proto: tcp
|
|
- name: Allow all access to tcp port 443
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '443'
|
|
proto: tcp
|
|
- name: Check if certificat exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{domain}}/privkey.pem"
|
|
register: ssl_result
|
|
- name: Template a file to /etc/file.conf
|
|
ansible.builtin.template:
|
|
src: nginx.j2
|
|
dest: /etc/nginx/sites-available/kuvia
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
vars:
|
|
- ssl: "{{ ssl_result.stat.exists }}"
|
|
- name: Create a symbolic link
|
|
ansible.builtin.file:
|
|
src: /etc/nginx/sites-available/kuvia
|
|
dest: /etc/nginx/sites-enabled/kuvia
|
|
state: link
|
|
- name: Restart nginx
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: no
|
|
name: nginx
|
|
|
|
- name: Creates a cron file under /etc/cron.d
|
|
ansible.builtin.cron:
|
|
name: laravelcron
|
|
user: www-data
|
|
job: "php /var/www/kuvia/artisan schedule:run"
|
|
|
|
- name: Set upload_max_filesize for php
|
|
ansible.builtin.replace:
|
|
path: /etc/php/7.4/fpm/php.ini
|
|
regexp: '^upload_max_filesize\s*=.*$'
|
|
replace: 'upload_max_filesize = 100M'
|
|
- name: Set upload_max_filesize for php
|
|
ansible.builtin.replace:
|
|
path: /etc/php/7.4/fpm/php.ini
|
|
regexp: '^post_max_size\s*=.*$'
|
|
replace: 'post_max_size = 100M'
|
|
- name: Restart php
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: no
|
|
name: php7.4-fpm
|
|
- name: Install certbot
|
|
apt:
|
|
name: certbot
|
|
state: present
|
|
- name: Install python3-certbot-nginx
|
|
apt:
|
|
name: python3-certbot-nginx
|
|
state: present
|
|
- name: Cert bot
|
|
ansible.builtin.shell: "certbot --nginx -d {{domain}} -n --agree-tos -m hello@kekskurse.de"
|
|
when: not ssl_result.stat.exists
|
|
- name: Template a file to /etc/file.conf
|
|
ansible.builtin.template:
|
|
src: nginx.j2
|
|
dest: /etc/nginx/sites-available/kuvia_main
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
vars:
|
|
- ssl: "{{ ssl_result.stat.exists }}"
|
|
- name: Restart nginx
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: no
|
|
name: nginx
|
|
- hosts: pweb
|
|
tasks:
|
|
- name: Domain
|
|
ansible.builtin.debug:
|
|
msg: "Domain: {{http_domain}}"
|
|
- name: Check if certificat exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{http_domain}}/privkey.pem"
|
|
register: ssl_result
|
|
- name: Template a file to /etc/file.conf
|
|
ansible.builtin.template:
|
|
src: nginx.j2
|
|
dest: /etc/nginx/sites-available/kuvia_main
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
vars:
|
|
- ssl: "{{ ssl_result.stat.exists }}"
|
|
- domain: "{{ http_domain }}"
|
|
- name: Create a symbolic link
|
|
ansible.builtin.file:
|
|
src: /etc/nginx/sites-available/kuvia_main
|
|
dest: /etc/nginx/sites-enabled/kuvia_main
|
|
state: link
|
|
- name: Restart nginx
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: no
|
|
name: nginx
|
|
- name: Cert bot
|
|
ansible.builtin.shell: "certbot --nginx -d {{http_domain}} -n --agree-tos -m hello@kekskurse.de"
|
|
when: not ssl_result.stat.exists
|
|
- name: Check if certificat exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{http_domain}}/privkey.pem"
|
|
register: ssl_result
|
|
- name: Template a file to /etc/file.conf
|
|
ansible.builtin.template:
|
|
src: nginx.j2
|
|
dest: /etc/nginx/sites-available/kuvia_main
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
vars:
|
|
- ssl: "{{ ssl_result.stat.exists }}"
|
|
- domain: "{{ http_domain }}"
|
|
- name: Restart nginx
|
|
ansible.builtin.systemd:
|
|
state: restarted
|
|
daemon_reload: no
|
|
name: nginx
|