-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathansible-playbook.yaml
156 lines (150 loc) · 5.03 KB
/
ansible-playbook.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
---
- hosts: all
remote_user: root
tasks:
- name: ensure deps installed
apt:
name: "{{ packages }}"
vars:
packages:
- python3-gunicorn
- python3-flask
- python3-pil
- gifsicle
- nginx
- zsh
- unattended-upgrades
- git
- rsync
- certbot
- python3-certbot-nginx
# - name: enable systemd persistent journal
# file: path=/var/log/journal state=directory
# TODO set up some firewall rules, steal from nolan
- name: ensure user exists
user:
name: intensify
password: '!'
shell: /usr/bin/zsh
- name: ensure bin directory
file:
path: /home/intensify/bin
state: directory
mode: 0555
- name: ensure rrsync
copy:
dest: /home/intensify/bin/rrsync
mode: 0555
content: |
#!/bin/sh
/usr/bin/perl /usr/share/doc/rsync/scripts/rrsync "$@"
- name: ensure ssh key
authorized_key:
user: intensify
key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGcJ8aHNnqdnIlJb4zdTe3HB4Z8utxirrkZrl3BdCFY intensify@thebunk
state: present
exclusive: True
manage_dir: True
key_options: restrict,command="/home/intensify/bin/rrsync -ro /home/intensify/intensify.pictures"
- name: ensure clone
git:
dest: /home/intensify/intensify.pictures
repo: https://github.com/cdanis/intensify.pictures.git
update: no # just ensure it exists
- name: create tmpfiles.d snippet
copy:
dest: /etc/tmpfiles.d/intensify.conf
mode: 0644
content: 'd /run/intensify 0755 intensify intensify -'
- name: update tmpfiles # todo: make this a handler
command: systemd-tmpfiles --create /etc/tmpfiles.d/intensify.conf
- name: create socket systemd unit
copy:
dest: /etc/systemd/system/intensify.socket
content: |
[Unit]
description=gunicorn socket
[Socket]
ListenStream=/run/intensify/socket
[Install]
WantedBy=intensify.service
- name: create systemd service
copy:
dest: /etc/systemd/system/intensify.service
content: |
[Unit]
Description=gunicorn daemon for intensify.pictures
Requires=intensify.socket
After=network.target
[Service]
PIDFile=/run/intensify/pid
User=intensify
Group=intensify
WorkingDirectory=/home/intensify/intensify.pictures
ExecStart=/usr/bin/gunicorn3 --pid /run/intensify/pid --bind unix:/run/intensify/socket -w 8 app:app
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
- name: enable socket
systemd:
name: intensify.socket
daemon_reload: yes
enabled: yes
state: started
- name: nginx SSL params snippet
copy:
dest: /etc/nginx/snippets/ssl.conf
content: |
ssl_dhparam /etc/nginx/dhparams4096.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- name: nginx intensify site snippet
copy:
dest: /etc/nginx/sites-available/intensify
content: |
upstream intensify_app_server {
server unix:/run/intensify/socket fail_timeout=0;
}
server {
listen 80;
listen [::]:80;
server_name intensify.pictures www.intensify.pictures;
return 301 https://intensify.pictures$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name intensify.pictures www.intensify.pictures;
ssl_certificate /etc/letsencrypt/live/intensify.pictures/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/intensify.pictures/privkey.pem; # managed by Certbot
include snippets/ssl.conf;
access_log /var/log/nginx/intensify.access.log;
error_log /var/log/nginx/intensify.error.log;
client_max_body_size 17M;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://intensify_app_server;
}
}
- name: enable nginx site
file:
state: link
path: /etc/nginx/sites-enabled/intensify
src: ../sites-available/intensify
- name: reload nginx systemd service # todo: handler.
systemd:
name: nginx.service
state: reloaded