Удалены старые роли
This commit is contained in:
parent
f5d705d40b
commit
d6bf719453
@ -1,19 +0,0 @@
|
||||
---
|
||||
dependencies:
|
||||
- role: blocks/ssl-certificate
|
||||
cert_type: letsencrypt
|
||||
cert_name: '{{ homepage_name }}'
|
||||
cert_email: anwinged@ya.ru
|
||||
cert_domains:
|
||||
- '{{ homepage_domain }}'
|
||||
- 'www.{{ homepage_domain }}'
|
||||
tags:
|
||||
- webserver
|
||||
|
||||
- role: blocks/static-site
|
||||
static_site_name: '{{ homepage_name }}'
|
||||
static_site_domain: '{{ homepage_domain }}'
|
||||
static_site_dir: '{{ homepage_dir }}'
|
||||
static_site_template: homepage.conf.j2
|
||||
tags:
|
||||
- webserver
|
||||
@ -1,39 +0,0 @@
|
||||
server {
|
||||
server_name www.{{ homepage_domain }};
|
||||
return 301 $scheme://{{ homepage_domain }}$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name {{ homepage_domain }};
|
||||
|
||||
ssl on;
|
||||
ssl_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
|
||||
ssl_certificate_key {{ vars[homepage_name + "_ssl_key"] }};
|
||||
ssl_trusted_certificate {{ vars[homepage_name + "_ssl_certificate"] }};
|
||||
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
|
||||
ssl_dhparam {{ vars[homepage_name + "_ssl_dhparam"] }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
root {{ homepage_dir }}/current;
|
||||
index index.html;
|
||||
|
||||
error_page 404 =404 @notfound;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location @notfound {
|
||||
try_files 404.html /404/index.html =404;
|
||||
internal;
|
||||
}
|
||||
}
|
||||
@ -1,4 +0,0 @@
|
||||
---
|
||||
homepage_name: homepage
|
||||
homepage_domain: vakhrushev.me
|
||||
homepage_dir: /var/www/homepage
|
||||
@ -1,9 +0,0 @@
|
||||
---
|
||||
nginx_proxy_name: ''
|
||||
nginx_proxy_template: ''
|
||||
nginx_proxy_params: {}
|
||||
|
||||
nginx_ssl_type: ~
|
||||
nginx_ssl_name: '{{ nginx_proxy_name }}'
|
||||
nginx_ssl_email: ''
|
||||
nginx_ssl_domains: []
|
||||
@ -1,20 +0,0 @@
|
||||
---
|
||||
- name: "Configure ssl certificate for {{ nginx_proxy_name }}"
|
||||
include_role:
|
||||
name: ssl-certificate
|
||||
vars:
|
||||
cert_type: '{{ nginx_ssl_type }}'
|
||||
cert_name: '{{ nginx_ssl_name }}'
|
||||
cert_email: '{{ nginx_ssl_email }}'
|
||||
cert_domains: '{{ nginx_ssl_domains }}'
|
||||
when: nginx_ssl_type is not none
|
||||
tags:
|
||||
- webserver
|
||||
|
||||
- name: "Create nginx config for {{ nginx_proxy_name }} from {{ nginx_proxy_template }}."
|
||||
template:
|
||||
src: '{{ nginx_proxy_template }}'
|
||||
dest: "/etc/nginx/sites-enabled/{{ nginx_proxy_name }}.conf"
|
||||
notify: restart nginx
|
||||
tags:
|
||||
- webserver
|
||||
@ -1,39 +0,0 @@
|
||||
---
|
||||
dependencies:
|
||||
- role: geerlingguy.mysql
|
||||
mysql_databases:
|
||||
- name: '{{ notes_dbname }}'
|
||||
- name: '{{ notes_search_dbname }}'
|
||||
mysql_users:
|
||||
- name: '{{ notes_dbuser }}'
|
||||
host: 127.0.0.1
|
||||
password: '{{ notes_dbpassword }}'
|
||||
priv: '{{ notes_dbname }}.*:ALL'
|
||||
- name: '{{ notes_search_dbuser }}'
|
||||
host: 127.0.0.1
|
||||
password: '{{ notes_search_dbpassword }}'
|
||||
priv: '{{ notes_search_dbname }}.*:ALL'
|
||||
|
||||
- role: blocks/owner
|
||||
owner_name: '{{ notes_owner }}'
|
||||
owner_group: '{{ notes_owner }}'
|
||||
owner_ssh_keys: ['{{ lookup("file", "av_id_rsa.pub") }}']
|
||||
owner_envs: '{{ notes_env }}'
|
||||
|
||||
- role: blocks/ssl-certificate
|
||||
cert_type: letsencrypt
|
||||
cert_name: '{{ notes_name }}'
|
||||
cert_email: anwinged@ya.ru
|
||||
cert_domains:
|
||||
- '{{ notes_domain }}'
|
||||
|
||||
- role: blocks/php-app
|
||||
php_app_name: '{{ notes_name }}'
|
||||
php_app_user: '{{ notes_owner }}'
|
||||
php_app_group: '{{ notes_owner }}'
|
||||
php_app_directory: '{{ notes_dir }}'
|
||||
php_app_web_root: '{{ notes_web_root }}'
|
||||
php_app_nginx_config: nginx.conf.j2
|
||||
php_app_php_version: '7.1'
|
||||
php_app_fpm_listen: '{{ notes_php_connection }}'
|
||||
php_app_envs: '{{ notes_env }}'
|
||||
@ -1,2 +0,0 @@
|
||||
---
|
||||
|
||||
@ -1,58 +0,0 @@
|
||||
server {
|
||||
server_name {{ notes_domain }};
|
||||
|
||||
listen 443 ssl http2;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate {{ vars[notes_name + "_ssl_certificate"] }};
|
||||
ssl_certificate_key {{ vars[notes_name + "_ssl_key"] }};
|
||||
ssl_trusted_certificate {{ vars[notes_name + "_ssl_certificate"] }};
|
||||
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
|
||||
ssl_dhparam {{ vars[notes_name + "_ssl_dhparam"] }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
root {{ notes_web_root }};
|
||||
|
||||
location / {
|
||||
# try to serve file directly, fallback to app.php
|
||||
try_files $uri /app.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ ^/app\.php(/|$) {
|
||||
fastcgi_pass {{ notes_php_connection }};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
include fastcgi_params;
|
||||
|
||||
# When you are using symlinks to link the document root to the
|
||||
# current version of your application, you should pass the real
|
||||
# application path instead of the path to the symlink to PHP
|
||||
# FPM.
|
||||
# Otherwise, PHP's OPcache may not properly detect changes to
|
||||
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
|
||||
# for more information).
|
||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
||||
|
||||
# Prevents URIs that include the front controller. This will 404:
|
||||
# http://domain.tld/app.php/some-path
|
||||
# Remove the internal directive to allow URIs like this
|
||||
internal;
|
||||
}
|
||||
|
||||
# return 404 for all other php files not matching the front controller
|
||||
# this prevents access to other php files you don't want to be accessible.
|
||||
location ~ \.php$ {
|
||||
return 404;
|
||||
}
|
||||
|
||||
error_log /var/log/nginx/{{ notes_name }}_error.log;
|
||||
access_log /var/log/nginx/{{ notes_name }}_access.log;
|
||||
}
|
||||
@ -1,37 +0,0 @@
|
||||
---
|
||||
notes_name: notes
|
||||
notes_owner: notes_owner
|
||||
notes_dir: /var/www/notes
|
||||
notes_web_root: '{{ notes_dir }}/current/web'
|
||||
notes_domain: 'notes.vakhrushev.me'
|
||||
notes_cert_type: 'letsencrypt'
|
||||
notes_dbname: notes_db
|
||||
notes_dbuser: notes_db
|
||||
notes_dbpassword: Sf6tp6LKeCyrjVZ2YGKYUd
|
||||
notes_search_dbname: notes_search_db
|
||||
notes_search_dbuser: notes_search_db
|
||||
notes_search_dbpassword: 9k7cwKyWFGSSnEDn
|
||||
notes_php_connection: '127.0.0.1:9010'
|
||||
|
||||
notes_env:
|
||||
NOTES_DEPLOY_DIR: '{{ notes_dir }}'
|
||||
NOTES_WORK_DIR: '{{ notes_dir }}/current'
|
||||
NOTES_APP_PASSWORD: fiat282lux647
|
||||
NOTES_SECRET_TOKEN: qJqFNP5B9RP2EfqgpTPyZe
|
||||
NOTES_DATABASE_HOST: 127.0.0.1
|
||||
NOTES_DATABASE_PORT: 3306
|
||||
NOTES_DATABASE_NAME: '{{ notes_dbname }}'
|
||||
NOTES_DATABASE_USER: '{{ notes_dbuser }}'
|
||||
NOTES_DATABASE_PASSWORD: '{{ notes_dbpassword }}'
|
||||
NOTES_DATABASE_SEARCH_HOST: 127.0.0.1
|
||||
NOTES_DATABASE_SEARCH_PORT: 3306
|
||||
NOTES_DATABASE_SEARCH_NAME: '{{ notes_search_dbname }}'
|
||||
NOTES_DATABASE_SEARCH_USER: '{{ notes_search_dbuser }}'
|
||||
NOTES_DATABASE_SEARCH_PASSWORD: '{{ notes_search_dbpassword }}'
|
||||
NOTES_MAILER_HOST: smtp.timeweb.ru
|
||||
NOTES_MAILER_PORT: 25
|
||||
NOTES_MAILER_USER: noreply@anwinged.ru
|
||||
NOTES_MAILER_PASSWORD: C5DkD5gs
|
||||
NOTES_DROPBOX_TOKEN: jHFhAiEB1nAAAAAAAAAGjWXDoNrVLDWHo4aFZFoNtb-qV7Q5qsNjlMdKU-Y95lMw
|
||||
SYMFONY_ENV: prod
|
||||
APP_ENV: prod
|
||||
@ -1,5 +0,0 @@
|
||||
---
|
||||
dependencies:
|
||||
- role: blocks/static-site
|
||||
static_site_name: s2photo
|
||||
static_site_domain: s2photo.ru
|
||||
@ -1,23 +0,0 @@
|
||||
---
|
||||
# Required, allowed: self-signed, letsencrypt
|
||||
cert_type: 'self-signed'
|
||||
|
||||
# Required, name for ssl-certificate configuration
|
||||
cert_name: ''
|
||||
|
||||
# Required: domain owner email
|
||||
cert_email: ''
|
||||
|
||||
# Required: domains for lets encrypt certificate creation
|
||||
cert_domains: []
|
||||
|
||||
# Paths to store generated keys
|
||||
cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
|
||||
cert_key: '{{ cert_directory }}/ssl.key'
|
||||
cert_request: '{{ cert_directory }}/ssl.csr'
|
||||
cert_certificate: '{{ cert_directory }}/ssl.crt'
|
||||
cert_dhparam: '{{ cert_directory }}/dhparam.pem'
|
||||
cert_dhparam_n: 2048
|
||||
|
||||
# lets encrypt well-known challenge folder
|
||||
cert_le_webroot_path: /var/www/letsencrypt
|
||||
@ -1,32 +0,0 @@
|
||||
---
|
||||
- name: Check required parameters.
|
||||
fail:
|
||||
msg: You must set up domain and email.
|
||||
when: not cert_domains or not cert_email
|
||||
|
||||
- name: Create letsencrypt web root directory.
|
||||
file:
|
||||
name: '{{ cert_le_webroot_path }}'
|
||||
state: directory
|
||||
|
||||
- name: Copy notes acme server config.
|
||||
template:
|
||||
src: vhost.conf.j2
|
||||
dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
|
||||
|
||||
- name: Restart nginx.
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
|
||||
- name: Configure Lest Encrypt certificate.
|
||||
include_role:
|
||||
name: thefinn93.ansible-letsencrypt
|
||||
private: yes
|
||||
vars:
|
||||
letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
|
||||
letsencrypt_email: '{{ cert_email }}'
|
||||
letsencrypt_cert_domains: '{{ cert_domains }}'
|
||||
letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
|
||||
ssl_certificate: '{{ cert_certificate }}'
|
||||
ssl_certificate_key: '{{ cert_key }}'
|
||||
@ -1,22 +0,0 @@
|
||||
---
|
||||
- name: Ensure certificate storage exists.
|
||||
file:
|
||||
path: '{{ cert_directory }}'
|
||||
state: directory
|
||||
|
||||
- include: self-signed.yml
|
||||
when: cert_type == 'self-signed'
|
||||
|
||||
- include: letsencrypt.yml
|
||||
when: cert_type == 'letsencrypt'
|
||||
|
||||
- name: Generate dhparams.
|
||||
shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
|
||||
args:
|
||||
creates: '{{ cert_dhparam }}'
|
||||
|
||||
- name: Set facts about generated files.
|
||||
set_fact:
|
||||
'{{ cert_name }}_ssl_key': '{{ cert_key }}'
|
||||
'{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
|
||||
'{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'
|
||||
@ -1,33 +0,0 @@
|
||||
---
|
||||
- name: Check certificate params.
|
||||
fail:
|
||||
msg: You must setup certificate file params.
|
||||
when: not cert_certificate or not cert_key
|
||||
|
||||
- name: Generate self signed ssl key.
|
||||
shell: |
|
||||
openssl genrsa \
|
||||
-aes256 \
|
||||
-passout pass:client11 \
|
||||
-out {{ cert_directory }}/ssl.pass.key \
|
||||
1024
|
||||
|
||||
openssl rsa \
|
||||
-passin pass:client11 \
|
||||
-in {{ cert_directory }}/ssl.pass.key \
|
||||
-out {{ cert_key }}
|
||||
|
||||
openssl req \
|
||||
-new \
|
||||
-key {{ cert_key }} \
|
||||
-out {{ cert_request }} \
|
||||
-subj "/CN=localhost"
|
||||
|
||||
openssl x509 \
|
||||
-req \
|
||||
-days 365 \
|
||||
-in {{ cert_request }} \
|
||||
-signkey {{ cert_key }} \
|
||||
-out {{ cert_certificate }}
|
||||
args:
|
||||
creates: '{{ cert_certificate }}'
|
||||
@ -1,13 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name {{ cert_domains|join(' ') }};
|
||||
|
||||
location /.well-known {
|
||||
root {{ cert_le_webroot_path }};
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^ https://$host$request_uri? permanent;
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user