av/pet-project-server
1
0
Fork 0
Code Pull Requests Activity

Удалены старые роли

Browse Source
This commit is contained in:
Anton Vakhrushev 2019-06-14 16:59:48 +03:00
parent f5d705d40b
commit d6bf719453
15 changed files with 0 additions and 355 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
ansible/roles/homepage/meta/main.yml
View File

@ -1,19 +0,0 @@
---
dependencies:
- role: blocks/ssl-certificate
cert_type: letsencrypt
cert_name: '{{ homepage_name }}'
cert_email: anwinged@ya.ru
cert_domains:
- '{{ homepage_domain }}'
- 'www.{{ homepage_domain }}'
tags:
- webserver
- role: blocks/static-site
static_site_name: '{{ homepage_name }}'
static_site_domain: '{{ homepage_domain }}'
static_site_dir: '{{ homepage_dir }}'
static_site_template: homepage.conf.j2
tags:
- webserver

39
ansible/roles/homepage/templates/homepage.conf.j2
View File

@ -1,39 +0,0 @@
server {
server_name www.{{ homepage_domain }};
return 301 $scheme://{{ homepage_domain }}$request_uri;
}
server {
listen 443 ssl http2;
server_name {{ homepage_domain }};
ssl on;
ssl_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
ssl_certificate_key {{ vars[homepage_name + "_ssl_key"] }};
ssl_trusted_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam {{ vars[homepage_name + "_ssl_dhparam"] }};
ssl_prefer_server_ciphers on;
root {{ homepage_dir }}/current;
index index.html;
error_page 404 =404 @notfound;
location / {
try_files $uri $uri/ =404;
}
location @notfound {
try_files 404.html /404/index.html =404;
internal;
}
}

4
ansible/roles/homepage/vars/main.yml
View File

@ -1,4 +0,0 @@
---
homepage_name: homepage
homepage_domain: vakhrushev.me
homepage_dir: /var/www/homepage

9
ansible/roles/nginx-proxy/defaults/main.yml
View File

@ -1,9 +0,0 @@
---
nginx_proxy_name: ''
nginx_proxy_template: ''
nginx_proxy_params: {}
nginx_ssl_type: ~
nginx_ssl_name: '{{ nginx_proxy_name }}'
nginx_ssl_email: ''
nginx_ssl_domains: []

20
ansible/roles/nginx-proxy/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: "Configure ssl certificate for {{ nginx_proxy_name }}"
include_role:
name: ssl-certificate
vars:
cert_type: '{{ nginx_ssl_type }}'
cert_name: '{{ nginx_ssl_name }}'
cert_email: '{{ nginx_ssl_email }}'
cert_domains: '{{ nginx_ssl_domains }}'
when: nginx_ssl_type is not none
tags:
- webserver
- name: "Create nginx config for {{ nginx_proxy_name }} from {{ nginx_proxy_template }}."
template:
src: '{{ nginx_proxy_template }}'
dest: "/etc/nginx/sites-enabled/{{ nginx_proxy_name }}.conf"
notify: restart nginx
tags:
- webserver

39
ansible/roles/notes/meta/main.yml
View File

@ -1,39 +0,0 @@
---
dependencies:
- role: geerlingguy.mysql
mysql_databases:
- name: '{{ notes_dbname }}'
- name: '{{ notes_search_dbname }}'
mysql_users:
- name: '{{ notes_dbuser }}'
host: 127.0.0.1
password: '{{ notes_dbpassword }}'
priv: '{{ notes_dbname }}.*:ALL'
- name: '{{ notes_search_dbuser }}'
host: 127.0.0.1
password: '{{ notes_search_dbpassword }}'
priv: '{{ notes_search_dbname }}.*:ALL'
- role: blocks/owner
owner_name: '{{ notes_owner }}'
owner_group: '{{ notes_owner }}'
owner_ssh_keys: ['{{ lookup("file", "av_id_rsa.pub") }}']
owner_envs: '{{ notes_env }}'
- role: blocks/ssl-certificate
cert_type: letsencrypt
cert_name: '{{ notes_name }}'
cert_email: anwinged@ya.ru
cert_domains:
- '{{ notes_domain }}'
- role: blocks/php-app
php_app_name: '{{ notes_name }}'
php_app_user: '{{ notes_owner }}'
php_app_group: '{{ notes_owner }}'
php_app_directory: '{{ notes_dir }}'
php_app_web_root: '{{ notes_web_root }}'
php_app_nginx_config: nginx.conf.j2
php_app_php_version: '7.1'
php_app_fpm_listen: '{{ notes_php_connection }}'
php_app_envs: '{{ notes_env }}'

2
ansible/roles/notes/tasks/main.yml
View File

@ -1,2 +0,0 @@
---

58
ansible/roles/notes/templates/nginx.conf.j2
View File

@ -1,58 +0,0 @@
server {
server_name {{ notes_domain }};
listen 443 ssl http2;
ssl on;
ssl_certificate {{ vars[notes_name + "_ssl_certificate"] }};
ssl_certificate_key {{ vars[notes_name + "_ssl_key"] }};
ssl_trusted_certificate {{ vars[notes_name + "_ssl_certificate"] }};
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam {{ vars[notes_name + "_ssl_dhparam"] }};
ssl_prefer_server_ciphers on;
root {{ notes_web_root }};
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass {{ notes_php_connection }};
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/app.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
error_log /var/log/nginx/{{ notes_name }}_error.log;
access_log /var/log/nginx/{{ notes_name }}_access.log;
}

37
ansible/roles/notes/vars/main.yml
View File

@ -1,37 +0,0 @@
---
notes_name: notes
notes_owner: notes_owner
notes_dir: /var/www/notes
notes_web_root: '{{ notes_dir }}/current/web'
notes_domain: 'notes.vakhrushev.me'
notes_cert_type: 'letsencrypt'
notes_dbname: notes_db
notes_dbuser: notes_db
notes_dbpassword: Sf6tp6LKeCyrjVZ2YGKYUd
notes_search_dbname: notes_search_db
notes_search_dbuser: notes_search_db
notes_search_dbpassword: 9k7cwKyWFGSSnEDn
notes_php_connection: '127.0.0.1:9010'
notes_env:
NOTES_DEPLOY_DIR: '{{ notes_dir }}'
NOTES_WORK_DIR: '{{ notes_dir }}/current'
NOTES_APP_PASSWORD: fiat282lux647
NOTES_SECRET_TOKEN: qJqFNP5B9RP2EfqgpTPyZe
NOTES_DATABASE_HOST: 127.0.0.1
NOTES_DATABASE_PORT: 3306
NOTES_DATABASE_NAME: '{{ notes_dbname }}'
NOTES_DATABASE_USER: '{{ notes_dbuser }}'
NOTES_DATABASE_PASSWORD: '{{ notes_dbpassword }}'
NOTES_DATABASE_SEARCH_HOST: 127.0.0.1
NOTES_DATABASE_SEARCH_PORT: 3306
NOTES_DATABASE_SEARCH_NAME: '{{ notes_search_dbname }}'
NOTES_DATABASE_SEARCH_USER: '{{ notes_search_dbuser }}'
NOTES_DATABASE_SEARCH_PASSWORD: '{{ notes_search_dbpassword }}'
NOTES_MAILER_HOST: smtp.timeweb.ru
NOTES_MAILER_PORT: 25
NOTES_MAILER_USER: noreply@anwinged.ru
NOTES_MAILER_PASSWORD: C5DkD5gs
NOTES_DROPBOX_TOKEN: jHFhAiEB1nAAAAAAAAAGjWXDoNrVLDWHo4aFZFoNtb-qV7Q5qsNjlMdKU-Y95lMw
SYMFONY_ENV: prod
APP_ENV: prod

5
ansible/roles/s2photo/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- role: blocks/static-site
static_site_name: s2photo
static_site_domain: s2photo.ru

23
ansible/roles/ssl-certificate/defaults/main.yml
View File

@ -1,23 +0,0 @@
---
# Required, allowed: self-signed, letsencrypt
cert_type: 'self-signed'
# Required, name for ssl-certificate configuration
cert_name: ''
# Required: domain owner email
cert_email: ''
# Required: domains for lets encrypt certificate creation
cert_domains: []
# Paths to store generated keys
cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
cert_key: '{{ cert_directory }}/ssl.key'
cert_request: '{{ cert_directory }}/ssl.csr'
cert_certificate: '{{ cert_directory }}/ssl.crt'
cert_dhparam: '{{ cert_directory }}/dhparam.pem'
cert_dhparam_n: 2048
# lets encrypt well-known challenge folder
cert_le_webroot_path: /var/www/letsencrypt

32
ansible/roles/ssl-certificate/tasks/letsencrypt.yml
View File

@ -1,32 +0,0 @@
---
- name: Check required parameters.
fail:
msg: You must set up domain and email.
when: not cert_domains or not cert_email
- name: Create letsencrypt web root directory.
file:
name: '{{ cert_le_webroot_path }}'
state: directory
- name: Copy notes acme server config.
template:
src: vhost.conf.j2
dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
- name: Restart nginx.
service:
name: nginx
state: restarted
- name: Configure Lest Encrypt certificate.
include_role:
name: thefinn93.ansible-letsencrypt
private: yes
vars:
letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
letsencrypt_email: '{{ cert_email }}'
letsencrypt_cert_domains: '{{ cert_domains }}'
letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
ssl_certificate: '{{ cert_certificate }}'
ssl_certificate_key: '{{ cert_key }}'

22
ansible/roles/ssl-certificate/tasks/main.yml
View File

@ -1,22 +0,0 @@
---
- name: Ensure certificate storage exists.
file:
path: '{{ cert_directory }}'
state: directory
- include: self-signed.yml
when: cert_type == 'self-signed'
- include: letsencrypt.yml
when: cert_type == 'letsencrypt'
- name: Generate dhparams.
shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
args:
creates: '{{ cert_dhparam }}'
- name: Set facts about generated files.
set_fact:
'{{ cert_name }}_ssl_key': '{{ cert_key }}'
'{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
'{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'

33
ansible/roles/ssl-certificate/tasks/self-signed.yml
View File

@ -1,33 +0,0 @@
---
- name: Check certificate params.
fail:
msg: You must setup certificate file params.
when: not cert_certificate or not cert_key
- name: Generate self signed ssl key.
shell: |
openssl genrsa \
-aes256 \
-passout pass:client11 \
-out {{ cert_directory }}/ssl.pass.key \
1024
openssl rsa \
-passin pass:client11 \
-in {{ cert_directory }}/ssl.pass.key \
-out {{ cert_key }}
openssl req \
-new \
-key {{ cert_key }} \
-out {{ cert_request }} \
-subj "/CN=localhost"
openssl x509 \
-req \
-days 365 \
-in {{ cert_request }} \
-signkey {{ cert_key }} \
-out {{ cert_certificate }}
args:
creates: '{{ cert_certificate }}'

13
ansible/roles/ssl-certificate/templates/vhost.conf.j2
View File

@ -1,13 +0,0 @@
server {
listen 80;
server_name {{ cert_domains|join(' ') }};
location /.well-known {
root {{ cert_le_webroot_path }};
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}