diff --git a/roles/php_website/tasks/main.yml b/roles/php_website/tasks/main.yml
index 1b797f3ea5a4a2d3ab482c0f2bd204608a0bfdff..f1d255983d64240a005e38f6150514a4554df279 100644
--- a/roles/php_website/tasks/main.yml
+++ b/roles/php_website/tasks/main.yml
@@ -1,37 +1,69 @@
---
- name: Create PHP website group
- group: name="{{ user }}" gid="{{ uid | default(omit) }}" state=present
+ group:
+ name: "{{ user }}"
+ gid: "{{ uid | default(omit) }}"
+ state: present
- name: Create PHP website admin user
- user: name="{{ admin }}" uid="{{ admin_uid | default(omit) }}" group="{{ user }}"
- shell=/bin/bash createhome=yes home="{{ home }}" state=present
+ user:
+ name: "{{ admin }}"
+ uid: "{{ admin_uid | default(omit) }}"
+ group: "{{ user }}"
+ shell: /bin/bash
+ createhome: yes
+ home: "{{ home }}"
+ state: present
- name: Set-up directory for storing user profile configuration files
- file: path="{{ home }}/.profile.d" state=directory
- owner="{{ admin }}" group="{{ user }}" mode=0750
+ file:
+ path: "{{ home }}/.profile.d"
+ state: directory
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 0750
- name: Create PHP website user
- user: name="{{ user }}" uid="{{ uid | default(omit) }}" group="{{ user }}" comment="umask=0007"
- system=yes createhome=no state=present home="{{ home }}"
+ user:
+ name: "{{ user }}"
+ uid: "{{ uid | default(omit) }}"
+ group: "{{ user }}"
+ comment: "umask=0007"
+ system: yes
+ createhome: no
+ state: present
+ home: "{{ home }}"
- name: Add nginx user to website group
- user: name="www-data" groups="{{ user }}" append="yes"
+ user:
+ name: "www-data"
+ groups: "{{ user }}"
+ append: "yes"
notify:
- Restart nginx
# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
- template: src="forward.j2" dest="{{ home }}/.forward"
- owner="root" group="{{ user }}" mode=0640
+ template:
+ src: "forward.j2"
+ dest: "{{ home }}/.forward"
+ owner: root
+ group: "{{ user }}"
+ mode: 0640
- name: Install extra packages for website
- apt: name="{{ item }}" state=installed
+ apt:
+ name: "{{ item }}"
+ state: installed
with_items: "{{ packages }}"
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
- file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config" state=link
+ file:
+ src: "/usr/bin/mariadb_config"
+ dest: "/usr/bin/mysql_config"
+ state: link
when: "'libmariadb-client-lgpl-dev-compat' in packages"
- name: Deploy PHP FPM configuration file for website
@@ -49,9 +81,9 @@
copy:
dest: "/etc/ssl/private/{{ fqdn }}_https.key"
content: "{{ https_tls_key }}"
- mode: 0640
owner: root
group: root
+ mode: 0640
notify:
- Restart nginx
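Review bot: The converted `mode:` values in this hunk (`mode: 0750` for `.profile.d`, `mode: 0640` for `.forward`) are unquoted octal literals; PyYAML reads `0750` as the integer 488, which Ansible accepts as an integer mode, but the string form `mode: "0750"` is the one Ansible documents as unambiguous, and several removed lines in this commit already had it (`mode="0640"`, `mode="02750"` in wsgi_website/tasks), so the conversion dropped it. The same applies to every `mode:` in this commit, including the `02750` values in the wsgi_website hunks and both requirements.yml hunks. In the same hunk `append: "yes"` is a quoted string while `createhome: yes` and `system: yes` are bare booleans (the wsgi_website copy of this task uses `append: yes`); `append: true` would make the three consistent. Lastly `apt: state: installed` is a deprecated alias of `state: present`, which wsgi_website/tasks already uses in this commit; the web_server/tasks hunks carry the same alias.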
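Review bot: This task writes `https_tls_key` to `/etc/ssl/private/{{ fqdn }}_https.key` through `content:`, and nothing in it suppresses logging, so the key material can appear in verbose or `--diff` output of the play; since the hunk already touches the task, adding `no_log: true` next to `notify:` would close that gap. The wsgi_website copy of the task in the `@@ -85,39 +143,57 @@` hunk has the same gap. The certificate task that follows handles public material and does not need it.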
@@ -59,25 +91,36 @@
copy:
dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
content: "{{ https_tls_certificate }}"
- mode: 0644
owner: root
group: root
+ mode: 0644
notify:
- Restart nginx
- name: Deploy configuration file for checking certificate validity via cron
- copy: content="/etc/ssl/certs/{{ fqdn }}_https.pem" dest="/etc/check_certificate/{{ fqdn }}_https.conf"
- owner=root group=root mode=0644
+ copy:
+ content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
+ dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
+ owner: root
+ group: root
+ mode: 0644
- name: Deploy nginx configuration file for website
- template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
- owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
+ template:
+ src: "nginx_site.j2"
+ dest: "/etc/nginx/sites-available/{{ fqdn }}"
+ owner: root
+ group: root
+ mode: 0640
+ validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
notify:
- Restart nginx
- name: Enable website
- file: src="/etc/nginx/sites-available/{{ fqdn }}" dest="/etc/nginx/sites-enabled/{{ fqdn }}"
- state=link
+ file:
+ src: "/etc/nginx/sites-available/{{ fqdn }}"
+ dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
+ state: link
notify:
- Restart nginx
diff --git a/roles/web_server/handlers/main.yml b/roles/web_server/handlers/main.yml
index 0dcf4940c96701fb1eab95273fefff73c6ac5047..48b3a2051eaaf069c2e4020e2e7fd1637c5c6fbd 100644
--- a/roles/web_server/handlers/main.yml
+++ b/roles/web_server/handlers/main.yml
@@ -1,7 +1,11 @@
---
- name: Restart nginx
- service: name=nginx state=restarted
+ service:
+ name: nginx
+ state: restarted
- name: Restart php5-fpm
- service: name=php5-fpm state=restarted
\ No newline at end of file
+ service:
+ name: php5-fpm
+ state: restarted
diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml
index 8d4edc70cd6c00f29bac2238c969383c64813d2c..0808803a6492b55a940ab21b10c7dc07943e3c68 100644
--- a/roles/web_server/tasks/main.yml
+++ b/roles/web_server/tasks/main.yml
@@ -1,10 +1,15 @@
---
- name: Install nginx
- apt: name=nginx state=installed
+ apt:
+ name: nginx
+ state: installed
- name: Allow nginx user to traverse the directory with TLS private keys
- user: name=www-data append=yes groups=ssl-cert
+ user:
+ name: www-data
+ append: yes
+ groups: ssl-cert
notify:
- Restart nginx
@@ -29,103 +34,172 @@
- Restart nginx
- name: Deploy configuration file for checking certificate validity via cron
- copy: content="/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" dest="/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
- owner=root group=root mode=0644
+ copy:
+ content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
+ dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
+ owner: root
+ group: root
+ mode: 0644
- name: Remove TLS protocol configuration from the main configuration file
- lineinfile: dest="/etc/nginx/nginx.conf" backrefs=yes regexp="^\s*ssl_protocols" state=absent
+ lineinfile:
+ dest: "/etc/nginx/nginx.conf"
+ backrefs: yes
+ regexp: "^\\s*ssl_protocols"
+ state: absent
notify:
- Restart nginx
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
- template: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf.j2"
- owner="root" group="root" mode=0644
+ template:
+ dest: "/etc/nginx/conf.d/tls.conf"
+ src: "tls.conf.j2"
+ owner: "root"
+ group: "root"
+ mode: 0644
notify:
- Restart nginx
- name: Deploy script for verification of nginx vhost configurations
- copy: src="nginx_verify_site.sh" dest="/usr/local/bin/nginx_verify_site.sh"
- owner=root group=root mode=0755
+ copy:
+ src: "nginx_verify_site.sh"
+ dest: "/usr/local/bin/nginx_verify_site.sh"
+ owner: root
+ group: root
+ mode: 0755
- name: Deploy default vhost configuration
- template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"
- owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n default %s"
+ template:
+ src: "nginx-default.j2"
+ dest: "/etc/nginx/sites-available/default"
+ owner: root
+ group: root
+ mode: 0640
+ validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
notify:
- Restart nginx
- name: Enable default website
- file: src="/etc/nginx/sites-available/default" dest="/etc/nginx/sites-enabled/default"
- state=link
+ file:
+ src: "/etc/nginx/sites-available/default"
+ dest: "/etc/nginx/sites-enabled/default"
+ state: link
notify:
- Restart nginx
- name: Deploy firewall configuration for web server
- copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=0640
+ copy:
+ src: "ferm_http.conf"
+ dest: "/etc/ferm/conf.d/30-web.conf"
+ owner: root
+ group: root
+ mode: 0640
notify:
- Restart ferm
- name: Remove the default Debian html files
- file: path="{{ item }}" state=absent
+ file:
+ path: "{{ item }}"
+ state: absent
with_items:
- /var/www/html/index.nginx-debian.html
- /var/www/html/
- name: Create directory for storing the default website page
- file: path="/var/www/default/" state=directory
- owner=root group=www-data mode=0750
+ file:
+ path: "/var/www/default/"
+ state: directory
+ owner: root
+ group: www-data
+ mode: 0750
- name: Deploy the default index.html
- template: src="index.html.j2" dest=/var/www/default/index.html
- owner=root group=www-data mode=0640
+ template:
+ src: "index.html.j2"
+ dest: /var/www/default/index.html
+ owner: root
+ group: www-data
+ mode: 0640
- name: Enable nginx service
- service: name=nginx enabled=yes state=started
+ service:
+ name: nginx
+ enabled: yes
+ state: started
- name: Install base packages for Python web applications
- apt: name="{{ item }}" state=installed
+ apt:
+ name: "{{ item }}"
+ state: installed
with_items:
- virtualenv
- virtualenvwrapper
- name: Create directories for storing per-site socket files
- file: path="{{ item }}" state="directory"
- owner="root" group="www-data" mode="0750"
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: www-data
+ mode: 0750
with_items:
- "/run/wsgi/"
- "/run/php5-fpm/"
- name: Create directories for storing per-site socket files on boot
- copy: content="d /run/{{ item }}/ 0750 root www-data - -" dest="/etc/tmpfiles.d/{{ item }}.conf"
- owner="root" group="root" mode=0644
+ copy:
+ content: "d /run/{{ item }}/ 0750 root www-data - -"
+ dest: "/etc/tmpfiles.d/{{ item }}.conf"
+ owner: root
+ group: root
+ mode: 0644
with_items:
- wsgi
- php5-fpm
- name: Install base packages for PHP web applications
- apt: name="{{ item }}" state=installed
+ apt:
+ name: "{{ item }}"
+ state: installed
with_items:
- php5-fpm
- name: Create directory for storing PHP FPM service configuration overrides
- file: path="/etc/systemd/system/php5-fpm.service.d/" state=directory
- owner=root group=root mode=0755
+ file:
+ path: "/etc/systemd/system/php5-fpm.service.d/"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
- name: Configure php5-fpm service to run with umask 0007
- copy: src="php5_fpm_umask.conf" dest="/etc/systemd/system/php5-fpm.service.d/umask.conf"
- owner=root group=root mode=0644
+ copy:
+ src: "php5_fpm_umask.conf"
+ dest: "/etc/systemd/system/php5-fpm.service.d/umask.conf"
+ owner: root
+ group: root
+ mode: 0644
notify:
- Restart php5-fpm
- name: Enable service used for running PHP web applications
- service: name="php5-fpm" enabled=yes state=started
+ service:
+ name: "php5-fpm"
+ enabled: yes
+ state: started
- name: Read timezone on server
- slurp: src=/etc/timezone
+ slurp:
+ src: "/etc/timezone"
register: server_timezone
- name: Configure timezone for PHP
- template: src="php_timezone.ini.j2" dest="{{ item }}/30-timezone.ini"
- owner=root group=root mode=0644
+ template:
+ src: "php_timezone.ini.j2"
+ dest: "{{ item }}/30-timezone.ini"
+ owner: root
+ group: root
+ mode: 0644
with_items:
- /etc/php5/cli/conf.d/
- /etc/php5/fpm/conf.d/
diff --git a/roles/wsgi_website/handlers/main.yml b/roles/wsgi_website/handlers/main.yml
index f77fdad85965854c7cdf5ad642e98f995df5ca7a..e0ae79be23ae5d6d26bc5ef0b0f885d962b7234a 100644
--- a/roles/wsgi_website/handlers/main.yml
+++ b/roles/wsgi_website/handlers/main.yml
@@ -1,4 +1,6 @@
---
- name: "Restart website {{ fqdn }}"
- service: name="{{ fqdn }}" state=restarted
+ service:
+ name: "{{ fqdn }}"
+ state: restarted
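Review bot: In the "Remove TLS protocol configuration" task the new `regexp: "^\\s*ssl_protocols"` has to double the backslash because of the double quotes; the single-quoted form `regexp: '^\s*ssl_protocols'` keeps the pattern readable as it was on the removed line and avoids the next edit forgetting the escape. In the same task `backrefs: yes` is documented as meaningful only with `state: present`, so with `state: absent` it appears to be a no-op and could be dropped, or its purpose noted in a comment. Two consistency nits in this hunk: the tls.conf task has `owner: "root"` / `group: "root"` quoted while every other task in the hunk uses bare `root`, and `dest: /var/www/default/index.html` is the only unquoted `dest:` among quoted ones. The hunk opens on a `- Restart nginx` line whose task starts outside it.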
diff --git a/roles/wsgi_website/tasks/main.yml b/roles/wsgi_website/tasks/main.yml
index 2c475a2d9d345d1653a0a0a53d7861e08e397049..0bbea9ad15eb05557c3db6cbfe8fa07d326a5b19 100644
--- a/roles/wsgi_website/tasks/main.yml
+++ b/roles/wsgi_website/tasks/main.yml
@@ -1,57 +1,103 @@
---
- name: Create WSGI website group
- group: name="{{ user }}" gid="{{ uid | default(omit) }}" state=present
+ group:
+ name: "{{ user }}"
+ gid: "{{ uid | default(omit) }}"
+ state: present
- name: Create WSGI website admin user
- user: name="{{ admin }}" uid="{{ admin_uid | default(omit) }}" group="{{ user }}"
- shell=/bin/bash createhome=yes home="{{ home }}" state=present
+ user:
+ name: "{{ admin }}"
+ uid: "{{ admin_uid | default(omit) }}"
+ group: "{{ user }}"
+ shell: /bin/bash
+ createhome: yes
+ home: "{{ home }}"
+ state: present
- name: Set-up directory for storing user profile configuration files
- file: path="{{ home }}/.profile.d" state=directory
- owner="{{ admin }}" group="{{ user }}" mode=0750
+ file:
+ path: "{{ home }}/.profile.d"
+ state: directory
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 0750
- name: Deploy profile configuration file for auto-activating the virtual environment
- copy: src="profile_virtualenv.sh" dest="{{ home }}/.profile.d/virtualenv.sh"
- owner="root" group="{{ user }}" mode="0640"
+ copy:
+ src: "profile_virtualenv.sh"
+ dest: "{{ home }}/.profile.d/virtualenv.sh"
+ owner: root
+ group: "{{ user }}"
+ mode: 0640
- name: Deploy profile configuration file for setting environment variables
- template: src="environment.sh.j2" dest="{{ home }}/.profile.d/environment.sh"
- owner="root" group="{{ user }}" mode=0640
+ template:
+ src: "environment.sh.j2"
+ dest: "{{ home }}/.profile.d/environment.sh"
+ owner: root
+ group: "{{ user }}"
+ mode: 0640
- name: Create WSGI website user
- user: name="{{ user }}" uid="{{ uid | default(omit) }}" group="{{ user }}" comment="umask=0007"
- system=yes createhome=no state=present home="{{ home }}"
+ user:
+ name: "{{ user }}"
+ uid: "{{ uid | default(omit) }}"
+ group: "{{ user }}"
+ comment: "umask=0007"
+ system: yes
+ createhome: no
+ state: present
+ home: "{{ home }}"
- name: Add nginx user to website group
- user: name="www-data" groups="{{ user }}" append="yes"
+ user:
+ name: www-data
+ groups: "{{ user }}"
+ append: yes
notify:
- Restart nginx
# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
- template: src="forward.j2" dest="{{ home }}/.forward"
- owner="root" group="{{ user }}" mode=0640
+ template:
+ src: "forward.j2"
+ dest: "{{ home }}/.forward"
+ owner: root
+ group: "{{ user }}"
+ mode: 0640
- name: Install extra packages for website
- apt: name="{{ item }}" state=present
+ apt:
+ name: "{{ item }}"
+ state: present
with_items: "{{ packages }}"
notify:
- "Restart website {{ fqdn }}"
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
- file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config" state=link
+ file:
+ src: "/usr/bin/mariadb_config"
+ dest: "/usr/bin/mysql_config"
+ state: link
when: "'libmariadb-client-lgpl-dev-compat' in packages"
- name: Create directory for storing the Python virtual environment
- file: path="{{ home }}/virtualenv" state=directory
- owner="{{ admin }}" group="{{ user }}" mode="02750"
+ file:
+ path: "{{ home }}/virtualenv"
+ state: directory
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 02750
- name: Create Python virtual environment
+ command: '/usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv"'
+ args:
+ creates: "{{ home }}/virtualenv/bin/activate"
become: yes
become_user: "{{ admin }}"
- command: /usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv" creates="{{ home }}/virtualenv/bin/activate"
tags:
# [ANSIBLE0012] Commands should not change things if nothing needs doing
# This task will not fire if the virtual environment has already bene
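Review bot: The "Create Python virtual environment" task now declares idempotency explicitly through `args: creates: "{{ home }}/virtualenv/bin/activate"`, which is exactly what the ANSIBLE0012 check looks for, so the `skip_ansible_lint` tag kept in the `tags:` block (which continues past the end of this hunk) may no longer be needed; worth re-running the linter and removing the tag and its two explanatory comment lines if it passes. If the tag has to stay, the comment should say why the linter still fails despite `creates`, otherwise the next reader will assume it is stale. The old `mode="02750"` string on the virtualenv directory has become the unquoted `mode: 02750`; the string form is the safer one for a value with a setgid bit.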
@@ -59,17 +105,29 @@
- skip_ansible_lint
- name: Configure project directory for the Python virtual environment
- template: src="venv_project.j2" dest="{{ home }}/virtualenv/.project"
- owner="{{ admin }}" group="{{ user }}" mode="0640"
+ template:
+ src: "venv_project.j2"
+ dest: "{{ home }}/virtualenv/.project"
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 0640
- name: Deploy virtualenv wrapper
- template: src="venv_exec.j2" dest="{{ home }}/virtualenv/bin/exec"
- owner="{{ admin }}" group="{{ user }}" mode="0750"
+ template:
+ src: "venv_exec.j2"
+ dest: "{{ home }}/virtualenv/bin/exec"
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 0750
- name: Install WSGI server
become: yes
become_user: "{{ admin }}"
- pip: name="{{ item.package }}" version="{{ item.version }}" state=present virtualenv="{{ home }}/virtualenv"
+ pip:
+ name: "{{ item.package }}"
+ version: "{{ item.version }}"
+ state: present
+ virtualenv: "{{ home }}/virtualenv"
with_items:
- package: gunicorn
version: "{{ gunicorn_version }}"
@@ -85,39 +143,57 @@
- name: Install additional packages in Python virtual environment
become: yes
become_user: "{{ admin }}"
- pip: name="{{ item }}" state=present virtualenv="{{ home }}/virtualenv"
+ pip:
+ name: "{{ item }}"
+ state: present
+ virtualenv: "{{ home }}/virtualenv"
with_items: "{{ virtualenv_packages }}"
notify:
- "Restart website {{ fqdn }}"
- name: Deploy systemd socket configuration for website
- template: src="systemd_wsgi_website.socket.j2" dest="/etc/systemd/system/{{ fqdn }}.socket"
- owner=root group=root mode=0644
+ template:
+ src: "systemd_wsgi_website.socket.j2"
+ dest: "/etc/systemd/system/{{ fqdn }}.socket"
+ owner: root
+ group: root
+ mode: 0644
notify:
- Reload systemd
- "Restart website {{ fqdn }}"
- name: Deploy systemd service configuration for website
- template: src="systemd_wsgi_website.service.j2" dest="/etc/systemd/system/{{ fqdn }}.service"
- owner=root group=root mode=0644
+ template:
+ src: "systemd_wsgi_website.service.j2"
+ dest: "/etc/systemd/system/{{ fqdn }}.service"
+ owner: root
+ group: root
+ mode: 0644
notify:
- Reload systemd
- "Restart website {{ fqdn }}"
- name: Enable the website service
- service: name="{{ fqdn }}" enabled=yes state=started
+ service:
+ name: "{{ fqdn }}"
+ enabled: yes
+ state: started
- name: Create directory where static files can be served from
- file: path="{{ home }}/htdocs/" state=directory
- owner="{{ admin }}" group="{{ user }}" mode="02750"
+ file:
+ path: "{{ home }}/htdocs/"
+ state: directory
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 02750
- name: Deploy nginx TLS private key for website
copy:
dest: "/etc/ssl/private/{{ fqdn }}_https.key"
content: "{{ https_tls_key }}"
- mode: 0640
owner: root
group: root
+ mode: 0640
notify:
- Restart nginx
@@ -125,25 +201,36 @@
copy:
dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
content: "{{ https_tls_certificate }}"
- mode: 0644
owner: root
group: root
+ mode: 0644
notify:
- Restart nginx
- name: Deploy configuration file for checking certificate validity via cron
- copy: content="/etc/ssl/certs/{{ fqdn }}_https.pem" dest="/etc/check_certificate/{{ fqdn }}_https.conf"
- owner=root group=root mode=0644
+ copy:
+ content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
+ dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
+ owner: root
+ group: root
+ mode: 0644
- name: Deploy nginx configuration file for website
- template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
- owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
+ template:
+ src: "nginx_site.j2"
+ dest: "/etc/nginx/sites-available/{{ fqdn }}"
+ owner: root
+ group: root
+ mode: 0640
+ validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
notify:
- Restart nginx
- name: Enable nginx website
- file: src="/etc/nginx/sites-available/{{ fqdn }}" dest="/etc/nginx/sites-enabled/{{ fqdn }}"
- state=link
+ file:
+ src: "/etc/nginx/sites-available/{{ fqdn }}"
+ dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
+ state: link
notify:
- Restart nginx
diff --git a/roles/wsgi_website/tasks/requirements.yml b/roles/wsgi_website/tasks/requirements.yml
index 3dd59531db4ca11b7ad6d2686b81cd64475a82b9..c81d7ccaec7e5a5aee1df320d6518f69313b03a7 100644
--- a/roles/wsgi_website/tasks/requirements.yml
+++ b/roles/wsgi_website/tasks/requirements.yml
@@ -1,12 +1,20 @@
---
- name: Set-up directory for storing requirements file for upgrade checks
- file: path="/etc/pip_check_requirements_upgrades/{{ fqdn }}" state=directory
- owner="root" group="pipreqcheck" mode=0750
+ file:
+ path: "/etc/pip_check_requirements_upgrades/{{ fqdn }}"
+ state: directory
+ owner: root
+ group: pipreqcheck
+ mode: 0750
- name: Deploy WSGI requirements files for upgrade checks
- template: src="{{ item }}.j2" dest="/etc/pip_check_requirements_upgrades/{{ fqdn }}/{{ item }}"
- owner="root" group="pipreqcheck" mode="0640"
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/pip_check_requirements_upgrades/{{ fqdn }}/{{ item }}"
+ owner: root
+ group: pipreqcheck
+ mode: 0640
with_items:
- wsgi_requirements.in
- wsgi_requirements.txt
@@ -14,12 +22,19 @@
- name: Deploy Gunicorn requirements file for installation purposes
become: yes
become_user: "{{ admin }}"
- template: src="wsgi_requirements.txt.j2" dest="{{ home }}/.wsgi_requirements.txt"
- owner="{{ admin }}" group="{{ user }}" mode="0640"
+ template:
+ src: "wsgi_requirements.txt.j2"
+ dest: "{{ home }}/.wsgi_requirements.txt"
+ owner: "{{ admin }}"
+ group: "{{ user }}"
+ mode: 0640
- name: Install Gunicorn via requirements file
become: yes
become_user: "{{ admin }}"
- pip: requirements="{{ home }}/.wsgi_requirements.txt" state=present virtualenv="{{ home }}/virtualenv"
+ pip:
+ requirements: "{{ home }}/.wsgi_requirements.txt"
+ state: present
+ virtualenv: "{{ home }}/virtualenv"
notify:
- "Restart website {{ fqdn }}"