diff --git a/ansible/roles/homepage/meta/main.yml b/ansible/roles/homepage/meta/main.yml
deleted file mode 100644
index 47d0af9..0000000
--- a/ansible/roles/homepage/meta/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-dependencies:
- - role: blocks/ssl-certificate
- cert_type: letsencrypt
- cert_name: '{{ homepage_name }}'
- cert_email: anwinged@ya.ru
- cert_domains:
- - '{{ homepage_domain }}'
- - 'www.{{ homepage_domain }}'
- tags:
- - webserver
-
- - role: blocks/static-site
- static_site_name: '{{ homepage_name }}'
- static_site_domain: '{{ homepage_domain }}'
- static_site_dir: '{{ homepage_dir }}'
- static_site_template: homepage.conf.j2
- tags:
- - webserver
diff --git a/ansible/roles/homepage/templates/homepage.conf.j2 b/ansible/roles/homepage/templates/homepage.conf.j2
deleted file mode 100755
index 81cb714..0000000
--- a/ansible/roles/homepage/templates/homepage.conf.j2
+++ /dev/null
@@ -1,39 +0,0 @@
-server {
- server_name www.{{ homepage_domain }};
- return 301 $scheme://{{ homepage_domain }}$request_uri;
-}
-
-server {
- listen 443 ssl http2;
- server_name {{ homepage_domain }};
-
- ssl on;
- ssl_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
- ssl_certificate_key {{ vars[homepage_name + "_ssl_key"] }};
- ssl_trusted_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
-
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
- ssl_dhparam {{ vars[homepage_name + "_ssl_dhparam"] }};
- ssl_prefer_server_ciphers on;
-
- root {{ homepage_dir }}/current;
- index index.html;
-
- error_page 404 =404 @notfound;
-
- location / {
- try_files $uri $uri/ =404;
- }
-
- location @notfound {
- try_files 404.html /404/index.html =404;
- internal;
- }
-}
diff --git a/ansible/roles/homepage/vars/main.yml b/ansible/roles/homepage/vars/main.yml
deleted file mode 100644
index ecb46ba..0000000
--- a/ansible/roles/homepage/vars/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-homepage_name: homepage
-homepage_domain: vakhrushev.me
-homepage_dir: /var/www/homepage
diff --git a/ansible/roles/nginx-proxy/defaults/main.yml b/ansible/roles/nginx-proxy/defaults/main.yml
deleted file mode 100644
index 5386655..0000000
--- a/ansible/roles/nginx-proxy/defaults/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-nginx_proxy_name: ''
-nginx_proxy_template: ''
-nginx_proxy_params: {}
-
-nginx_ssl_type: ~
-nginx_ssl_name: '{{ nginx_proxy_name }}'
-nginx_ssl_email: ''
-nginx_ssl_domains: []
diff --git a/ansible/roles/nginx-proxy/tasks/main.yml b/ansible/roles/nginx-proxy/tasks/main.yml
deleted file mode 100644
index 0ad8890..0000000
--- a/ansible/roles/nginx-proxy/tasks/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-- name: "Configure ssl certificate for {{ nginx_proxy_name }}"
- include_role:
- name: ssl-certificate
- vars:
- cert_type: '{{ nginx_ssl_type }}'
- cert_name: '{{ nginx_ssl_name }}'
- cert_email: '{{ nginx_ssl_email }}'
- cert_domains: '{{ nginx_ssl_domains }}'
- when: nginx_ssl_type is not none
- tags:
- - webserver
-
-- name: "Create nginx config for {{ nginx_proxy_name }} from {{ nginx_proxy_template }}."
- template:
- src: '{{ nginx_proxy_template }}'
- dest: "/etc/nginx/sites-enabled/{{ nginx_proxy_name }}.conf"
- notify: restart nginx
- tags:
- - webserver
diff --git a/ansible/roles/notes/meta/main.yml b/ansible/roles/notes/meta/main.yml
deleted file mode 100644
index 49a2732..0000000
--- a/ansible/roles/notes/meta/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-dependencies:
- - role: geerlingguy.mysql
- mysql_databases:
- - name: '{{ notes_dbname }}'
- - name: '{{ notes_search_dbname }}'
- mysql_users:
- - name: '{{ notes_dbuser }}'
- host: 127.0.0.1
- password: '{{ notes_dbpassword }}'
- priv: '{{ notes_dbname }}.*:ALL'
- - name: '{{ notes_search_dbuser }}'
- host: 127.0.0.1
- password: '{{ notes_search_dbpassword }}'
- priv: '{{ notes_search_dbname }}.*:ALL'
-
- - role: blocks/owner
- owner_name: '{{ notes_owner }}'
- owner_group: '{{ notes_owner }}'
- owner_ssh_keys: ['{{ lookup("file", "av_id_rsa.pub") }}']
- owner_envs: '{{ notes_env }}'
-
- - role: blocks/ssl-certificate
- cert_type: letsencrypt
- cert_name: '{{ notes_name }}'
- cert_email: anwinged@ya.ru
- cert_domains:
- - '{{ notes_domain }}'
-
- - role: blocks/php-app
- php_app_name: '{{ notes_name }}'
- php_app_user: '{{ notes_owner }}'
- php_app_group: '{{ notes_owner }}'
- php_app_directory: '{{ notes_dir }}'
- php_app_web_root: '{{ notes_web_root }}'
- php_app_nginx_config: nginx.conf.j2
- php_app_php_version: '7.1'
- php_app_fpm_listen: '{{ notes_php_connection }}'
- php_app_envs: '{{ notes_env }}'
diff --git a/ansible/roles/notes/tasks/main.yml b/ansible/roles/notes/tasks/main.yml
deleted file mode 100644
index cd21505..0000000
--- a/ansible/roles/notes/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-
diff --git a/ansible/roles/notes/templates/nginx.conf.j2 b/ansible/roles/notes/templates/nginx.conf.j2
deleted file mode 100644
index 523a13a..0000000
--- a/ansible/roles/notes/templates/nginx.conf.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-server {
- server_name {{ notes_domain }};
-
- listen 443 ssl http2;
-
- ssl on;
- ssl_certificate {{ vars[notes_name + "_ssl_certificate"] }};
- ssl_certificate_key {{ vars[notes_name + "_ssl_key"] }};
- ssl_trusted_certificate {{ vars[notes_name + "_ssl_certificate"] }};
-
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
- ssl_dhparam {{ vars[notes_name + "_ssl_dhparam"] }};
- ssl_prefer_server_ciphers on;
-
- root {{ notes_web_root }};
-
- location / {
- # try to serve file directly, fallback to app.php
- try_files $uri /app.php$is_args$args;
- }
-
- location ~ ^/app\.php(/|$) {
- fastcgi_pass {{ notes_php_connection }};
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
- include fastcgi_params;
-
- # When you are using symlinks to link the document root to the
- # current version of your application, you should pass the real
- # application path instead of the path to the symlink to PHP
- # FPM.
- # Otherwise, PHP's OPcache may not properly detect changes to
- # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
- # for more information).
- fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
- fastcgi_param DOCUMENT_ROOT $realpath_root;
-
- # Prevents URIs that include the front controller. This will 404:
- # http://domain.tld/app.php/some-path
- # Remove the internal directive to allow URIs like this
- internal;
- }
-
- # return 404 for all other php files not matching the front controller
- # this prevents access to other php files you don't want to be accessible.
- location ~ \.php$ {
- return 404;
- }
-
- error_log /var/log/nginx/{{ notes_name }}_error.log;
- access_log /var/log/nginx/{{ notes_name }}_access.log;
-}
diff --git a/ansible/roles/notes/vars/main.yml b/ansible/roles/notes/vars/main.yml
deleted file mode 100644
index e381b35..0000000
--- a/ansible/roles/notes/vars/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-notes_name: notes
-notes_owner: notes_owner
-notes_dir: /var/www/notes
-notes_web_root: '{{ notes_dir }}/current/web'
-notes_domain: 'notes.vakhrushev.me'
-notes_cert_type: 'letsencrypt'
-notes_dbname: notes_db
-notes_dbuser: notes_db
-notes_dbpassword: Sf6tp6LKeCyrjVZ2YGKYUd
-notes_search_dbname: notes_search_db
-notes_search_dbuser: notes_search_db
-notes_search_dbpassword: 9k7cwKyWFGSSnEDn
-notes_php_connection: '127.0.0.1:9010'
-
-notes_env:
- NOTES_DEPLOY_DIR: '{{ notes_dir }}'
- NOTES_WORK_DIR: '{{ notes_dir }}/current'
- NOTES_APP_PASSWORD: fiat282lux647
- NOTES_SECRET_TOKEN: qJqFNP5B9RP2EfqgpTPyZe
- NOTES_DATABASE_HOST: 127.0.0.1
- NOTES_DATABASE_PORT: 3306
- NOTES_DATABASE_NAME: '{{ notes_dbname }}'
- NOTES_DATABASE_USER: '{{ notes_dbuser }}'
- NOTES_DATABASE_PASSWORD: '{{ notes_dbpassword }}'
- NOTES_DATABASE_SEARCH_HOST: 127.0.0.1
- NOTES_DATABASE_SEARCH_PORT: 3306
- NOTES_DATABASE_SEARCH_NAME: '{{ notes_search_dbname }}'
- NOTES_DATABASE_SEARCH_USER: '{{ notes_search_dbuser }}'
- NOTES_DATABASE_SEARCH_PASSWORD: '{{ notes_search_dbpassword }}'
- NOTES_MAILER_HOST: smtp.timeweb.ru
- NOTES_MAILER_PORT: 25
- NOTES_MAILER_USER: noreply@anwinged.ru
- NOTES_MAILER_PASSWORD: C5DkD5gs
- NOTES_DROPBOX_TOKEN: jHFhAiEB1nAAAAAAAAAGjWXDoNrVLDWHo4aFZFoNtb-qV7Q5qsNjlMdKU-Y95lMw
- SYMFONY_ENV: prod
- APP_ENV: prod
diff --git a/ansible/roles/s2photo/meta/main.yml b/ansible/roles/s2photo/meta/main.yml
deleted file mode 100644
index 581329f..0000000
--- a/ansible/roles/s2photo/meta/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-dependencies:
- - role: blocks/static-site
- static_site_name: s2photo
- static_site_domain: s2photo.ru
diff --git a/ansible/roles/ssl-certificate/defaults/main.yml b/ansible/roles/ssl-certificate/defaults/main.yml
deleted file mode 100644
index bacef48..0000000
--- a/ansible/roles/ssl-certificate/defaults/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-# Required, allowed: self-signed, letsencrypt
-cert_type: 'self-signed'
-
-# Required, name for ssl-certificate configuration
-cert_name: ''
-
-# Required: domain owner email
-cert_email: ''
-
-# Required: domains for lets encrypt certificate creation
-cert_domains: []
-
-# Paths to store generated keys
-cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
-cert_key: '{{ cert_directory }}/ssl.key'
-cert_request: '{{ cert_directory }}/ssl.csr'
-cert_certificate: '{{ cert_directory }}/ssl.crt'
-cert_dhparam: '{{ cert_directory }}/dhparam.pem'
-cert_dhparam_n: 2048
-
-# lets encrypt well-known challenge folder
-cert_le_webroot_path: /var/www/letsencrypt
diff --git a/ansible/roles/ssl-certificate/tasks/letsencrypt.yml b/ansible/roles/ssl-certificate/tasks/letsencrypt.yml
deleted file mode 100644
index 594c9f5..0000000
--- a/ansible/roles/ssl-certificate/tasks/letsencrypt.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- name: Check required parameters.
- fail:
- msg: You must set up domain and email.
- when: not cert_domains or not cert_email
-
-- name: Create letsencrypt web root directory.
- file:
- name: '{{ cert_le_webroot_path }}'
- state: directory
-
-- name: Copy notes acme server config.
- template:
- src: vhost.conf.j2
- dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
-
-- name: Restart nginx.
- service:
- name: nginx
- state: restarted
-
-- name: Configure Lest Encrypt certificate.
- include_role:
- name: thefinn93.ansible-letsencrypt
- private: yes
- vars:
- letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
- letsencrypt_email: '{{ cert_email }}'
- letsencrypt_cert_domains: '{{ cert_domains }}'
- letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
- ssl_certificate: '{{ cert_certificate }}'
- ssl_certificate_key: '{{ cert_key }}'
diff --git a/ansible/roles/ssl-certificate/tasks/main.yml b/ansible/roles/ssl-certificate/tasks/main.yml
deleted file mode 100644
index f8b3874..0000000
--- a/ansible/roles/ssl-certificate/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: Ensure certificate storage exists.
- file:
- path: '{{ cert_directory }}'
- state: directory
-
-- include: self-signed.yml
- when: cert_type == 'self-signed'
-
-- include: letsencrypt.yml
- when: cert_type == 'letsencrypt'
-
-- name: Generate dhparams.
- shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
- args:
- creates: '{{ cert_dhparam }}'
-
-- name: Set facts about generated files.
- set_fact:
- '{{ cert_name }}_ssl_key': '{{ cert_key }}'
- '{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
- '{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'
diff --git a/ansible/roles/ssl-certificate/tasks/self-signed.yml b/ansible/roles/ssl-certificate/tasks/self-signed.yml
deleted file mode 100644
index 60fb73a..0000000
--- a/ansible/roles/ssl-certificate/tasks/self-signed.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- name: Check certificate params.
- fail:
- msg: You must setup certificate file params.
- when: not cert_certificate or not cert_key
-
-- name: Generate self signed ssl key.
- shell: |
- openssl genrsa \
- -aes256 \
- -passout pass:client11 \
- -out {{ cert_directory }}/ssl.pass.key \
- 1024
-
- openssl rsa \
- -passin pass:client11 \
- -in {{ cert_directory }}/ssl.pass.key \
- -out {{ cert_key }}
-
- openssl req \
- -new \
- -key {{ cert_key }} \
- -out {{ cert_request }} \
- -subj "/CN=localhost"
-
- openssl x509 \
- -req \
- -days 365 \
- -in {{ cert_request }} \
- -signkey {{ cert_key }} \
- -out {{ cert_certificate }}
- args:
- creates: '{{ cert_certificate }}'
diff --git a/ansible/roles/ssl-certificate/templates/vhost.conf.j2 b/ansible/roles/ssl-certificate/templates/vhost.conf.j2
deleted file mode 100644
index 4b8637c..0000000
--- a/ansible/roles/ssl-certificate/templates/vhost.conf.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- listen 80;
- server_name {{ cert_domains|join(' ') }};
-
- location /.well-known {
- root {{ cert_le_webroot_path }};
- try_files $uri $uri/ =404;
- }
-
- location / {
- rewrite ^ https://$host$request_uri? permanent;
- }
-}