From 2202790c08800acb14fb1bea0b27463b58207c00 Mon Sep 17 00:00:00 2001
From: Matt Rasband
Date: Wed, 19 Jul 2017 23:46:36 -0600
Subject: [PATCH] extract nginx role in line with #39
---
 .gitignore | 2 +
 README.md | 25 +++--
 ansible.cfg | 3 +-
 requirements.yml | 3 +
 roles/nginx/defaults/main.yml | 3 -
 roles/nginx/handlers/main.yml | 20 ----
 roles/nginx/tasks/http.yml | 15 ---
 roles/nginx/tasks/main.yml | 19 ----
 roles/nginx/tasks/ssl.yml | 35 -------
 .../nginx/sites-available/site-available.j2 | 98 -------------------
 sirbot.yml | 11 ++-
 website.yml | 12 ++-
 12 files changed, 40 insertions(+), 206 deletions(-)
 create mode 100644 requirements.yml
 delete mode 100644 roles/nginx/defaults/main.yml
 delete mode 100644 roles/nginx/handlers/main.yml
 delete mode 100644 roles/nginx/tasks/http.yml
 delete mode 100644 roles/nginx/tasks/main.yml
 delete mode 100644 roles/nginx/tasks/ssl.yml
 delete mode 100644 roles/nginx/templates/etc/nginx/sites-available/site-available.j2
diff --git a/.gitignore b/.gitignore
index ee979cf..fcf72af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@
 .pass
 .env
 env
+
+roles/nginx/
diff --git a/README.md b/README.md
index b566c93..88f0f8e 100644
--- a/README.md
+++ b/README.md
@@ -7,17 +7,24 @@ Interested in becoming a member? Get your invite here: http://pythondevelopers.h ## Get Started -Ensure you have a `.pass` file in the root of your project, populated with the ansible password. +1. Ensure you have a `.pass` file in the root of the repository, populated with the ansible password for the any variables your playbook depends on +2. Download/install ansible-galaxy provided roles before you run any playbooks + +```bash +$ ansible-galaxy install -r requirements.yml +``` ### Configure/Deploy PySlackers website - $ ansible-playbook website.yml +```bash +$ ansible-playbook website.yml +``` ### Configure/Deploy SirBot -TODO! - - $ ansible-playbook sirbot.yml +```bash +$ ansible-playbook sirbot.yml +``` ### Run the deployment for the specific app you want to deploy @@ -28,13 +35,17 @@ TODO! Run the deployment. - $ ansible-playbook -i deploy.yml --tags +```bash +$ ansible-playbook -i deploy.yml --tags +``` ## Testing Tests are run via Travis CI's `.travis.yml`. Unit tests can be manually via docker with: - $ docker run -t -i -v ${PWD}:/data geerlingguy/docker-ubuntu1604-ansible /data/run_tests.sh +```bash +$ docker run -t -i -v ${PWD}:/data geerlingguy/docker-ubuntu1604-ansible /data/run_tests.sh +``` Ensure that you have placed the Ansible vault password into `.pass` beforehand. diff --git a/ansible.cfg b/ansible.cfg index a005e8c..af469f1 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,6 +1,7 @@ [defaults] ansible_managed = This file is managed by Ansible, manual edits will be lost inventory = environments/inventory +pipelining = True retry_files_enabled = False +roles_path = ./roles/ vault_password_file = .pass -pipelining = True diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..ceca24e --- /dev/null +++ b/requirements.yml @@ -0,0 +1,3 @@ +- src: https://github.com/pyslackers/ansible-role-nginx.git + version: master + name: nginx 
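Review bot: `version: master` in the new requirements.yml pins the nginx role to a moving branch, so each `ansible-galaxy install -r requirements.yml` can put different role code onto the deploy hosts with no change in this repository, and whoever can push to that branch decides what the playbooks run as root. Pin to an immutable ref, `version: "<release tag or commit sha>"` (placeholder), and bump it deliberately. Note also that `ansible-galaxy install` does not overwrite an already-present `roles/nginx/` unless `--force` is passed, so with that directory git-ignored (per the .gitignore hunk) a stale local copy can silently shadow the version listed here; the README install step should say so. A leading `---` would match the other YAML files in the repository, e.g. the removed `roles/nginx/defaults/main.yml`.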
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml deleted file mode 100644 index 6ca357b..0000000 --- a/roles/nginx/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -ssl: false -static_dir: false diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml deleted file mode 100644 index 8d5ba66..0000000 --- a/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: restart nginx - service: - name: nginx - state: restarted - -- name: stop nginx - service: - name: nginx - state: stopped - -- name: start nginx - service: - name: nginx - state: started - -- name: reload nginx - service: - name: nginx.service - state: reloaded - when: "enabled_sites.changed" diff --git a/roles/nginx/tasks/http.yml b/roles/nginx/tasks/http.yml deleted file mode 100644 index 9609d51..0000000 --- a/roles/nginx/tasks/http.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: "make {{ domains | join(',') }} available" - template: - src: etc/nginx/sites-available/site-available.j2 - dest: "/etc/nginx/sites-available/{{ domains | first }}" - -- name: "enable {{ domains | join(',') }}" - file: - src: "/etc/nginx/sites-available/{{ domains | first }}" - dest: "/etc/nginx/sites-enabled/{{ domains | first }}" - state: link - register: enabled_sites - notify: - - reload nginx - diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index 2fb7a6a..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: install nginx - apt: - name: nginx - state: latest - notify: - - start nginx - -- name: enable nginx in ufw - ufw: - rule: allow - name: 'Nginx Full' - notify: - - enable ufw - -- include: ssl.yml - when: ssl - -- include: http.yml diff --git a/roles/nginx/tasks/ssl.yml b/roles/nginx/tasks/ssl.yml deleted file mode 100644 index 3f979b4..0000000 --- a/roles/nginx/tasks/ssl.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# Note: Debian9 has certbot in the official PPAs -- name: add certbot ppa - apt_repository: - repo: ppa:certbot/certbot - when: ansible_distribution == 'Ubuntu' - -- name: install certbot - apt: - name: certbot - state: latest - -- name: "check if ssl certs for {{ domains | join(',') }} are already generated" - stat: - path: "/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem" - register: fullchain - -- name: stop nginx - service: - name: nginx - state: stopped - when: not fullchain.stat.exists - -- name: "generate ssl certificates for {{ domains | join(',') }}" - command: "certbot certonly --standalone --email {{ email }} - --agree-tos -n -d {{ domains | join(',') }}{% if ssl_staging %} --staging{% endif %}" - when: not fullchain.stat.exists - -- name: create a cron job to autorenew all ssl certificates - cron: - name: auto renew the ssl certificates - minute: 1 - hour: 23 - weekday: 0 - job: '/usr/bin/certbot renew --quiet --pre-hook "systemctl stop nginx.service" --post-hook "systemctl start nginx.service"' diff --git a/roles/nginx/templates/etc/nginx/sites-available/site-available.j2 b/roles/nginx/templates/etc/nginx/sites-available/site-available.j2 deleted file mode 100644 index 89fa292..0000000 --- a/roles/nginx/templates/etc/nginx/sites-available/site-available.j2 +++ /dev/null 
@@ -1,98 +0,0 @@ -# {{ ansible_managed }} - -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - listen 80; - listen [::]:80; - - server_name {{ domains | join(' ') }}; - - root /var/www/{{ domains | first }}; - index index.html; - - - location / { -{% if ssl %} - return 301 https://$host$request_uri; -{% else %} - proxy_pass http://127.0.0.1:{{ site_port }}; - - # Enable websocket support with connection upgrades - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - # Forward headers of the original request - proxy_pass_request_headers on; - - # And include some standard reverse proxy headers... - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; -{% endif %} - } - -{% if static_dir %} - location /static { - alias {{ static_dir }}; - } -{% endif %} -} - -{% if ssl %} -server { - access_log /var/log/nginx/{{ domains | first }}_access.log; - error_log /var/log/nginx/{{ domains | first }}_error.log; - charset utf-8; - - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name {{ domains | join(' ') }}; - - # ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; - ssl_ecdh_curve secp384r1; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - resolver 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 5s; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - - location / { - proxy_pass http://127.0.0.1:{{ site_port }}; - - # Enable websocket support with connection 
upgrades - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - # Forward headers of the original request - proxy_pass_request_headers on; - - # And include some standard reverse proxy headers... - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -{% if static_dir %} - location /static { - alias {{ static_dir }}; - } -{% endif %} -} -{% endif %} diff --git a/sirbot.yml b/sirbot.yml index 5273419..297af4d 100644 --- a/sirbot.yml +++ b/sirbot.yml @@ -5,10 +5,7 @@ repo: https://github.com/pyslackers/sirbot-pythondev.git version: prod username: "{{ sirbot_user }}" - domains: - - "{{ sirbot_domain }}" service_name: sirbot - site_port: "{{ sirbot_port }}" exec_start: "/home/{{ username }}/.pyvenv/bin/sirbot -c {{ sirbot_config }}" work_dir: "/home/{{ username }}/" post_install: "/home/{{ username }}/.pyvenv/bin/sirbot -c {{ sirbot_config }} --update" @@ -19,7 +16,13 @@ - "SIRBOT_GITHUB_SECRET={{ SIRBOT_GITHUB_SECRET }}" roles: - user - - nginx + - role: nginx + sites: + sirbot: + domains: + - "{{ sirbot_domain }}" + port: "{{ sirbot_port }}" + ssl: true - sirbot - role: system_service when: systemd_enabled == true diff --git a/website.yml b/website.yml index cfaeac8..4dd35c1 100644 --- a/website.yml +++ b/website.yml @@ -2,9 +2,6 @@ - name: deploy pyslackers website hosts: website vars: - domains: - - "{{ website_domain }}" - - "www.{{ website_domain }}" repo: https://github.com/pyslackers/website-old.git service_name: pyslackers-website site_port: "{{ website_port }}" @@ -19,7 +16,14 @@ - "SECRET_KEY={{ SECRET_KEY }}" roles: - user - - nginx + - role: nginx + sites: + website: + domains: + - www.pyslackers.com + - pyslackers.com + port: "{{ website_port }}" + ssl: true - pythonapp - role: system_service when: systemd_enabled
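Review bot: The new `role: nginx` entry in sirbot.yml sets `ssl: true` for the sirbot site, but nothing in the play provides the certificate-issuance inputs the removed in-repo role read (`email` and `ssl_staging` in the deleted `roles/nginx/tasks/ssl.yml`); whether the external role expects the same variables or ships usable defaults cannot be verified from this diff, so confirm its defaults before relying on a first run to obtain a certificate. The earlier hunk in this file also drops `site_port` from `vars` while website.yml keeps it; if the `sirbot` or `system_service` roles still reference `site_port`, this play now fails with an undefined variable. Both the `vars` and `roles` lists of this play start outside the hunks.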
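Review bot: In website.yml the site's `domains` are now the hard-coded production names `www.pyslackers.com` and `pyslackers.com`, whereas the removed lines derived them from `website_domain` and sirbot.yml in this same commit still uses `"{{ sirbot_domain }}"`; combined with `ssl: true`, any non-production inventory would now attempt certificate issuance for the production hostnames (failing, or consuming the CA's rate limits if the role issues certificates the way the removed one did) and the environment split no longer applies to the nginx vhost. Restore the variable form, `- "www.{{ website_domain }}"` and `- "{{ website_domain }}"`, so the inventory keeps control; the quotes matter because a scalar starting with `{{` is otherwise read as a flow mapping. The enclosing play begins outside the hunk.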