-rw-r--r--nginx_nossl.conf45
-rw-r--r--playbook.yml93
-rw-r--r--tmpfiles-gerboweb.conf2
3 files changed, 115 insertions, 25 deletions
diff --git a/nginx_nossl.conf b/nginx_nossl.conf
new file mode 100644
index 0000000..0ecd1cb
--- /dev/null
+++ b/nginx_nossl.conf
@@ -0,0 +1,45 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name gerbolyze.jaseg.net;
+ return 301 https://$host$request_uri;
+ }
+}
+
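Review bot: The redirect at the end of the server block builds its target from the client-supplied Host header (`return 301 https://$host$request_uri;`), and because this is the `default_server` on port 80 it answers for any Host value, so a request carrying an arbitrary Host is bounced to that arbitrary https origin rather than to this site. Since `server_name gerbolyze.jaseg.net` is fixed on the line above, redirecting to the canonical name removes the dependency on untrusted input: `return 301 https://$server_name$request_uri;`. If the intent is that certbot's nginx plugin serves the HTTP-01 challenge through this server block before the SSL config is installed, a one-line comment above `server {` saying so would explain why this first-stage file exists separately from nginx.conf.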
diff --git a/playbook.yml b/playbook.yml
index 9753df6..a0ff505 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,6 +1,33 @@
- name: Gerbolyze container setup playbook
- hosts: all
+ hosts: wendelstein
tasks:
+ - name: Set hostname
+ hostname:
+ name: wendelstein.jaseg.net
+
+ - name: Install common admin tools
+ dnf:
+ name: htop,tmux,fish,mosh,neovim
+ state: latest
+
+ - name: Install host requisites
+ dnf:
+ name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python
+ state: latest
+
+ - name: Disable password-based root login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin without-password'
+ register: disable_root_pw_ssh
+
+ - name: Restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ when: disable_root_pw_ssh is changed
+
- name: Create container image file
command: truncate -s 4G /var/cache/gerbolyze_container.img
args:
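Review bot: The sshd edit at lines 84-89 rewrites `/etc/ssh/sshd_config` and the next task restarts sshd whenever it changed, but nothing checks that the resulting file parses, so a typo in the line leaves sshd unable to restart on a host that is only reachable over SSH; lineinfile supports `validate: /usr/sbin/sshd -t -f %s` for exactly this case. `without-password` is the legacy spelling of this value, which OpenSSH has called `prohibit-password` since 7.0, so `line: 'PermitRootLogin prohibit-password'` avoids relying on the alias; note also that `regexp: '^PermitRootLogin'` does not match a commented `#PermitRootLogin` line, so on a stock config the new line is appended at the end of the file, which is fine but worth a comment on the task. The register/when pair for the restart would conventionally be a handler with `notify`, which also defers the restart to the end of the play instead of restarting sshd in the middle of provisioning.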
@@ -14,11 +41,6 @@
checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
when: create_container is changed
- - name: Install host requisites
- dnf:
- name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx
- state: latest
-
- name: Create container image filesystem
filesystem:
dev: /var/cache/gerbolyze_container.img
@@ -88,9 +110,9 @@
group: no
owner: no
- - name: Copy nginx config
+ - name: Copy first stage nginx config
copy:
- src: nginx.conf
+ src: nginx_nossl.conf
dest: /etc/nginx/nginx.conf
- name: Create uwsgi worker user and group
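Review bot: The copy at lines 115-119 installs nginx_nossl.conf over `/etc/nginx/nginx.conf` without a `validate` step, so a broken config only surfaces when nginx is next (re)started rather than at copy time; `validate: nginx -t -c %s` catches it immediately, and the same applies to the "Copy final nginx config" task in the last hunk. Unlike the tmpfiles.d copy elsewhere in this commit, neither nginx copy sets `owner`, `group` or `mode`, so the resulting permissions depend on the existing file or the remote umask; `owner: root`, `group: root`, `mode: '0644'` would make the three copy tasks consistent. The hunk header counts more lines than are shown, so blank context lines appear to have been dropped in rendering.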
@@ -136,22 +158,33 @@
state: permissive
policy: targeted
- - name: Create letsencrypt certificate
- command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
- args:
- creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
-
- - name: Enable certbot renewal timer
- systemd:
- name: certbot-renew.timer
- enabled: yes
-
- name: Enable uwsgi systemd socket
systemd:
daemon-reload: yes
name: uwsgi-app@gerboweb.socket
enabled: yes
+ - name: Copy gerboweb cache dir tmpfiles.d config
+ copy:
+ src: tmpfiles-gerboweb.conf
+ dest: /etc/tmpfiles.d/gerboweb.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: tmpfiles_config
+
+ - name: Kick systemd tmpfiles service to create cache dir
+ command: systemd-tmpfiles --create
+ when: tmpfiles_config is changed
+
+ - name: Create job queue db
+ file:
+ path: /var/cache/gerboweb/job_queue.sqlite3
+ owner: root
+ group: uwsgi
+ mode: 0660
+ state: touch
+
- name: Enable and launch job processor
systemd:
name: gerboweb-job-processor.service
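Review bot: The "Create job queue db" task at lines 152-158 uses `state: touch`, which updates the file's timestamps on every run and therefore reports changed each time, making this step non-idempotent; adding `modification_time: preserve` and `access_time: preserve` keeps the create-if-missing behaviour while leaving an existing database alone. The modes `0644` and `0660` at lines 145 and 157 depend on the YAML 1.1 leading-zero octal rule that Ansible's PyYAML loader applies; quoting them (`mode: '0660'`) states the intent explicitly and survives a parser in 1.2 mode. Since the database is created root:uwsgi 0660 inside a directory that tmpfiles.d owns, a short comment on the task noting that it must run after the `systemd-tmpfiles --create` step above would make the ordering dependency visible, because that step only runs when the tmpfiles config changed.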
@@ -164,11 +197,23 @@
enabled: yes
state: restarted
- - name: Copy gerboweb cache dir tmpfiles.d config
+ - name: Create letsencrypt certificate
+ command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+ args:
+ creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
+
+ - name: Copy final nginx config
copy:
- src: tmpfiles-gerboweb.conf
- dest: /etc/tmpfiles.d/gerboweb.conf
- owner: root
- group: root
- mode: 0644
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+ - name: Restart nginx to load new cert
+ systemd:
+ name: nginx.service
+ state: restarted
+
+ - name: Enable certbot renewal timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
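Review bot: "Restart nginx to load new cert" at lines 182-185 uses `state: restarted` with no condition, so every playbook run drops nginx's connections even when neither the certificate nor the config changed; registering the preceding copy (`register: final_nginx_conf`) and the certbot task, then guarding with `when: final_nginx_conf is changed or letsencrypt_cert is changed`, limits the restart to actual changes, and `state: reloaded` is enough for a config or certificate change. The renewal timer at lines 187-190 is only enabled, not started (`state: started` is absent), so on a host where `certbot-renew.timer` is not already running the renewal only begins after the next reboot. The `creates:` guard on the certbot task correctly prevents re-issuance, but nothing here reloads nginx after a renewal, which is worth a comment stating how the renewed certificate is expected to reach the running server.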
diff --git a/tmpfiles-gerboweb.conf b/tmpfiles-gerboweb.conf
index 33264cf..1f11122 100644
--- a/tmpfiles-gerboweb.conf
+++ b/tmpfiles-gerboweb.conf
@@ -1 +1 @@
-d /var/cache/gerboweb 760 uwsgi-gerboweb uwsgi 2d
+d /var/cache/gerboweb 770 uwsgi-gerboweb uwsgi 2d
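Review bot: The age field `2d` on this line is unchanged while the playbook in this same commit now creates `/var/cache/gerboweb/job_queue.sqlite3` inside the directory, so `systemd-tmpfiles --clean` (run periodically by systemd's clean timer) will delete the job queue database once none of its timestamps has been touched for two days; unless the job processor is guaranteed to keep it fresh, the database should either live outside the aged directory or be excluded with an `x` entry, e.g. `x /var/cache/gerboweb/job_queue.sqlite3`. The mode change from 760 to 770 lets every member of the `uwsgi` group traverse and write the cache directory rather than only its `uwsgi-gerboweb` owner, which matches the root:uwsgi 0660 database file; a one-line comment above the entry naming which units run in that group would document why group write is required.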