bastion.yml
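---
# Bastion host play.
#
# Creates root's SSH directory first, then applies the baseline roles
# (common, sshd) and the service roles: Datadog monitoring, MySQL, the
# ARA web/DB stack behind uwsgi + Apache, tailon for live cron logs,
# filebeat log shipping and finally fail2ban.
#
# Most roles that template values out of `secrets` are guarded with
# `when: secrets is defined`; mysql, dd-mysql, ara-db and ara-web are
# not (see the notes on those roles).
- name: Configure bastion
  hosts: bastion
  become: true
  pre_tasks:
    # Root-only SSH directory, created before any role runs.
    - file:
        path: /root/.ssh
        state: directory
        owner: root
        mode: "0700"  # quoted so the YAML parser cannot reinterpret the octal mode
  roles:
    - role: common
      common_hostname: "{{ bonnyci_hostname | default('') }}"
    - role: sshd
      tags:
        - sshd
    - role: dd-agent
      tags:
        - monitoring
      when: secrets is defined
    - role: letsencrypt-apache
      tags:
        - letsencrypt
      when: letsencrypt_csr_cn | default(False)
    # Bare role name: applied with no parameters.
    - bastion
    - role: datadog-builder
      datadog_builder_secrets:
        api_key: "{{ secrets.datadog.api_key }}"
        app_key: "{{ secrets.datadog.ansible_app_key }}"
      when: secrets is defined
    - role: logrotate
      logrotate_configs:
        - name: datadog-builder
          path: /var/log/datadog-builder/*log
          options:
            - compress
            - missingok
            - rotate 30
            - daily
            - notifempty
      when: secrets is defined
    # NOTE(review): reads secrets.db_password but, unlike the guarded roles
    # above, has no `when: secrets is defined`; presumably it fails to
    # template when secrets is absent — confirm that is intended.
    - role: mysql
      mysql_root_password: "{{ secrets.db_password }}"
      tags:
        - mysql
    # NOTE(review): unguarded use of secrets, as with mysql.
    - role: dd-mysql
      dd_mysql_password: "{{ secrets.datadog.mysql_password }}"
      tags:
        - monitoring
    # NOTE(review): unguarded use of secrets, as with mysql.
    - role: ara-db
      ara_db_username: "{{ secrets.ara.username }}"
      ara_db_password: "{{ secrets.ara.password }}"
    # NOTE(review): unguarded use of secrets, as with mysql.
    - role: ara-web
      ara_db_username: "{{ secrets.ara.username }}"
      ara_db_password: "{{ secrets.ara.password }}"
      ara_db_host: localhost
      ara_webroot: /var/www/ara
      ara_file_owner: www-data
      ara_file_group: www-data
    - role: uwsgi
      uwsgi_apt_plugins:
        - uwsgi-plugin-python
      uwsgi_vassals:
        # ARA app served by uwsgi as www-data on a loopback socket; the
        # apache vhost below proxies /ara/ to it.
        - name: ara
          state: present
          config:
            uid: www-data
            gid: www-data
            wsgi-file: "{{ ara_venv_path }}/bin/ara-wsgi"
            virtualenv: "{{ ara_venv_path }}"
            chdir: /var/www/ara
            plugin: python
            socket: localhost:3311
            lazy-apps: true
    - role: ansible-runner
      ansible_runner_minute: "*/15"
      ara_enabled: "{{ bonnyci_ara_enabled | default(False) | bool }}"
      ara_db_username: "{{ secrets.ara.username }}"
      ara_db_password: "{{ secrets.ara.password }}"
      ara_db_host: "localhost"
      when: secrets is defined
    # tailon is bound to loopback only; it is reached through the
    # /cron-logs/live/ ProxyPass in the apache vhost below.
    - role: tailon
      tailon_ip: 127.0.0.1
      tailon_port: 8080
      tailon_relative_root: /cron-logs/live/
      tailon_files:
        - "/var/www/html/cron-logs/**/*_current.log"
    - role: apache
      apache_apt_install:
        - libapache2-mod-proxy-uwsgi
      apache_mods_enabled:
        - proxy.conf
        - proxy.load
        - proxy_http.load
        - proxy_uwsgi.load
      apache_vhosts:
        - name: bastion
          document_root: /var/www/html/
          # NOTE(review): +FollowSymLinks lets Apache serve anything a
          # symlink under the document root points at — confirm only root
          # can write below /var/www/html/.
          document_root_options: +FollowSymLinks
          # TLS only when bonnyci_bastion_ssl is set; otherwise the vhost
          # (including the cron logs and ARA) is served over plain HTTP.
          ssl: "{{ bonnyci_bastion_ssl | default(False) }}"
          certificate_file: "{{ letsencrypt_cert_path | default('') }}"
          certificate_key_file: "{{ letsencrypt_key_path | default('') }}"
          certificate_chain_file: "{{ letsencrypt_chain_path | default('') }}"
          vhost_extra: |
            AddType text/plain .log
            Redirect permanent /cron-logs/live /cron-logs/live/
            ProxyPass "/cron-logs/live/" http://localhost:8080/cron-logs/live/
            Redirect permanent /ara /ara/
            <Location "/ara/">
            ProxyPass uwsgi://localhost:3311/
            SetEnv ANSIBLE_CONFIG /var/www/ara/ansible.cfg
            </Location>
        # Separate tailon/ara vhosts are removed; both are reached via the
        # bastion vhost proxies above.
        - name: tailon
          delete: true
        - name: ara
          delete: true
    - role: dd-apache
      tags:
        - monitoring
    - role: filebeat
      filebeat_prospectors:
        - name: apache
          prospectors:
            - input_type: log
              document_type: apache
              paths:
                # TODO(review): confirm this matches the apache log
                # directory on the target distribution.
                - /var/log/apache/*.log
    - role: fail2ban  # This should be last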