Made refactoring for notes app (and other)

ansible/roles/blocks/owner/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+owner_name: ''
+owner_group: '{{ owner_name }}'
+owner_ssh_keys: []
+owner_envs: {}

ansible/roles/blocks/owner/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: 'Check app requirements for {{ owner_name }}.'
+  fail:
+    msg: You must set owner name.
+  when: not owner_name
+
+- name: 'Create group "{{ owner_group }}".'
+  group:
+    name: '{{ owner_group }}'
+    state: present
+
+- name: 'Create user "{{ owner_name }}".'
+  user:
+    name: '{{ owner_name }}'
+    group: '{{ owner_group }}'
+    shell: /bin/bash
+
+- name: 'Set up user ssh keys for {{ owner_name }}.'
+  authorized_key:
+    user: '{{ owner_name }}'
+    key: '{{ item }}'
+    state: present
+  with_items: '{{ owner_ssh_keys }}'
+
+- name: 'Set up environment variables for {{ owner_name }}.'
+  lineinfile:
+    dest: '/home/{{ owner_name }}/.bashrc'
+    regexp: '^export {{ item.key }}='
+    line: 'export {{ item.key }}="{{ item.value }}"'
+  with_dict: '{{ owner_envs }}'

ansible/roles/blocks/php-app/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+php_app_name: ''
+php_app_user: ''
+php_app_group: ''
+php_app_directory: ''
+php_app_web_root: ''
+php_app_nginx_config: ''
+php_app_php_version: ''
+php_app_fpm_pool_name: '{{ php_app_name }}'
+php_app_fpm_listen: '127.0.0.1:9001'
+php_app_envs: {}

ansible/roles/blocks/php-app/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: 'Check app requirements for {{ php_app_name }}.'
+  fail:
+    msg: You must set app name.
+  when: not php_app_name
+
+- name: 'Create web directory for {{ php_app_name }}.'
+  file:
+    state: directory
+    path: '{{ php_app_directory }}'
+    owner: '{{ php_app_user }}'
+    group: '{{ php_app_group }}'
+    recurse: yes
+  notify: restart nginx
+
+- name: 'Create nginx config for {{ php_app_name }}.'
+  template:
+    src: '{{ php_app_nginx_config }}'
+    dest: '/etc/nginx/sites-enabled/{{ php_app_name }}.conf'
+  notify: restart nginx
+
+- name: 'Creates php-fpm pool config for {{ php_app_name }}.'
+  template:
+    src: fpm-pool.conf.j2
+    dest: '/etc/php/{{ php_app_php_version }}/fpm/pool.d/{{ php_app_name }}.conf'
+  notify: restart php-fpm

ansible/roles/blocks/php-app/templates/fpm-pool.conf.j2

@@ -0,0 +1,28 @@
+[{{ php_app_fpm_pool_name }}]
+
+listen = {{ php_app_fpm_listen }}
+listen.allowed_clients = 127.0.0.1
+listen.backlog = -1
+
+user = {{ php_app_user }}
+group = {{ php_app_group }}
+
+; request_slowlog_timeout = 5s
+; slowlog = /var/log/php-fpm/slowlog-blog.log
+
+pm = dynamic
+pm.max_children = 4
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 200
+pm.status_path = /status
+
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+{% for name, value in php_app_envs.iteritems() %}
+env[{{ name }}]={{ value }}
+{% endfor %}

ansible/roles/blocks/ssl-certificate/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+# Required, allowed: self-signed, letsencrypt
+cert_type: 'self-signed'
+
+# Required, name for ssl-certificate configuration
+cert_name: ''
+
+# Required: domain owner email
+cert_email: ''
+
+# Required: domains for lets encrypt certificate creation
+cert_domains: []
+
+# Paths to store generated keys
+cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
+cert_key: '{{ cert_directory }}/ssl.key'
+cert_request: '{{ cert_directory }}/ssl.csr'
+cert_certificate: '{{ cert_directory }}/ssl.crt'
+cert_dhparam: '{{ cert_directory }}/dhparam.pem'
+cert_dhparam_n: 2048
+
+# lets encrypt well-known challenge folder
+cert_le_webroot_path: /var/www/letsencrypt

ansible/roles/blocks/ssl-certificate/tasks/letsencrypt.yml

@@ -0,0 +1,32 @@
+---
+- name: Check required parameters.
+  fail:
+    msg: You must set up domain and email.
+  when: not cert_domains or not cert_email
+
+- name: Create letsencrypt web root directory.
+  file:
+    name: '{{ cert_le_webroot_path }}'
+    state: directory
+
+- name: Copy notes acme server config.
+  template:
+    src: vhost.conf.j2
+    dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
+
+- name: Restart nginx.
+  service:
+    name: nginx
+    state: restarted
+
+- name: Configure Lest Encrypt certificate.
+  include_role:
+    name: thefinn93.ansible-letsencrypt
+    private: yes
+  vars:
+    letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
+    letsencrypt_email: '{{ cert_email }}'
+    letsencrypt_cert_domains: '{{ cert_domains }}'
+    letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
+    ssl_certificate: '{{ cert_certificate }}'
+    ssl_certificate_key: '{{ cert_key }}'

ansible/roles/blocks/ssl-certificate/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure certificate storage exists.
+  file:
+    path: '{{ cert_directory }}'
+    state: directory
+
+- include: self-signed.yml
+  when: cert_type == 'self-signed'
+
+- include: letsencrypt.yml
+  when: cert_type == 'letsencrypt'
+
+- name: Generate dhparams.
+  shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
+  args:
+    creates: '{{ cert_dhparam }}'
+
+- name: Set facts about generated files.
+  set_fact:
+    '{{ cert_name }}_ssl_key': '{{ cert_key }}'
+    '{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
+    '{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'

ansible/roles/blocks/ssl-certificate/tasks/self-signed.yml

@@ -0,0 +1,33 @@
+---
+- name: Check certificate params.
+  fail:
+    msg: You must setup certificate file params.
+  when: not cert_certificate or not cert_key
+
+- name: Generate self signed ssl key.
+  shell: |
+    openssl genrsa \
+      -aes256 \
+      -passout pass:client11 \
+      -out {{ cert_directory }}/ssl.pass.key \
+      1024
+
+    openssl rsa \
+      -passin pass:client11 \
+      -in {{ cert_directory }}/ssl.pass.key \
+      -out {{ cert_key }}
+
+    openssl req \
+      -new \
+      -key {{ cert_key }} \
+      -out {{ cert_request }} \
+      -subj "/CN=localhost"
+
+    openssl x509 \
+      -req \
+      -days 365 \
+      -in {{ cert_request }} \
+      -signkey {{ cert_key }} \
+      -out {{ cert_certificate }}
+  args:
+    creates: '{{ cert_certificate }}'

ansible/roles/blocks/ssl-certificate/templates/vhost.conf.j2

@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name {{ cert_domains|join(' ') }};
+
+    location /.well-known {
+        root {{ cert_le_webroot_path }};
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+}

ansible/roles/blocks/static-site/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+static_site_name: ''
+static_site_dir: '/var/www/{{ static_site_name }}'
+static_site_web_root: '{{ static_site_dir }}/current'
+static_site_template: site.conf.j2

ansible/roles/blocks/static-site/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: "Create nginx config for {{ static_site_name }} from {{ static_site_template }}."
+  template:
+    src: '{{ static_site_template }}'
+    dest: "/etc/nginx/sites-enabled/{{ static_site_name }}.conf"
+  notify: restart nginx
+
+- name: "Create root folder for {{ static_site_name }}."
+  file:
+    path: "{{ static_site_dir }}"
+    state: directory
+    owner: "{{ deploy_user }}"
+    group: www-data
+    recurse: yes
+  notify: restart nginx

ansible/roles/blocks/static-site/templates/site.conf.j2

@@ -0,0 +1,15 @@
+server {
+    server_name www.{{ static_site_domain }};
+    return 301 $scheme://{{ static_site_domain }}$request_uri;
+}
+
+server {
+    listen 80;
+    server_name {{ static_site_domain }};
+
+    location / {
+        root {{ static_site_web_root }};
+        index index.html;
+        try_files $uri $uri/ =404;
+    }
+}