Changeset - 0f24d5b272f5
Branko Majic (branko) - 7 years ago 2017-08-09 09:24:47
branko@majic.rs
MAR-114: Updated task syntax for web server/application roles:

- Updated web_server, php_website, and wsgi_website roles.
- Added and removed quoting where it makes sense.
- Switched to using expanded syntax (instead of one-liners).
- Updated ordering of arguments in task definitions.
6 files changed with 329 insertions and 104 deletions:
roles/php_website/tasks/main.yml
 
---
 

	
 
- name: Create PHP website group
 
  group: name="{{ user }}" gid="{{ uid | default(omit) }}" state=present
 
  group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create PHP website admin user
 
  user: name="{{ admin }}" uid="{{ admin_uid | default(omit) }}" group="{{ user }}"
 
        shell=/bin/bash createhome=yes home="{{ home }}" state=present
 
  user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    shell: /bin/bash
 
    createhome: yes
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  file: path="{{ home }}/.profile.d" state=directory
 
        owner="{{ admin }}" group="{{ user }}" mode=0750
 
  file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 0750
 

	
 
- name: Create PHP website user
 
  user: name="{{ user }}" uid="{{ uid | default(omit) }}" group="{{ user }}" comment="umask=0007"
 
        system=yes createhome=no state=present home="{{ home }}"
 
  user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: yes
 
    createhome: no
 
    state: present
 
    home: "{{ home }}"
 

	
 
- name: Add nginx user to website group
 
  user: name="www-data" groups="{{ user }}" append="yes"
 
  user:
 
    name: "www-data"
 
    groups: "{{ user }}"
 
    append: "yes"
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  template: src="forward.j2" dest="{{ home }}/.forward"
 
            owner="root" group="{{ user }}" mode=0640
 
  template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Install extra packages for website
 
  apt: name="{{ item }}" state=installed
 
  apt:
 
    name: "{{ item }}"
 
    state: installed
 
  with_items: "{{ packages }}"
 

	
 
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
 
  file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config" state=link
 
  file:
 
    src: "/usr/bin/mariadb_config"
 
    dest: "/usr/bin/mysql_config"
 
    state: link
 
  when: "'libmariadb-client-lgpl-dev-compat' in packages"
 

	
 
- name: Deploy PHP FPM configuration file for website
 
@@ -49,9 +81,9 @@
 
  copy:
 
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
 
    content: "{{ https_tls_key }}"
 
    mode: 0640
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart nginx
 

	
 
@@ -59,25 +91,36 @@
 
  copy:
 
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    content: "{{ https_tls_certificate }}"
 
    mode: 0644
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  copy: content="/etc/ssl/certs/{{ fqdn }}_https.pem" dest="/etc/check_certificate/{{ fqdn }}_https.conf"
 
        owner=root group=root mode=0644
 
  copy:
 
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Deploy nginx configuration file for website
 
  template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
 
            owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  template:
 
    src: "nginx_site.j2"
 
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
 
    owner: root
 
    group: root
 
    mode: 0640
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable website
 
  file: src="/etc/nginx/sites-available/{{ fqdn }}" dest="/etc/nginx/sites-enabled/{{ fqdn }}"
 
        state=link
 
  file:
 
    src: "/etc/nginx/sites-available/{{ fqdn }}"
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
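Review bot: The task that writes `/etc/ssl/private/{{ fqdn }}_https.key` (hunk `-49,9 +81,9`) passes the private key through `content: "{{ https_tls_key }}"` and sets no `no_log`, so the key material can presumably end up in Ansible output when the play is run with `--diff` or is captured by a logging callback. Adding `no_log: true` at task level, next to `notify:`, would keep it out of logs. The task's `name:` line is outside the hunk, so anything set above `copy:` cannot be checked from here. The "Deploy nginx TLS private key for website" task in roles/wsgi_website/tasks/main.yml has the same shape and would take the same line.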
 

	
roles/web_server/handlers/main.yml
 
---
 

	
 
- name: Restart nginx
 
  service: name=nginx state=restarted
 
  service:
 
    name: nginx
 
    state: restarted
 

	
 
- name: Restart php5-fpm
 
  service: name=php5-fpm state=restarted
 
\ No newline at end of file
 
  service:
 
    name: php5-fpm
 
    state: restarted
roles/web_server/tasks/main.yml
 
---
 

	
 
- name: Install nginx
 
  apt: name=nginx state=installed
 
  apt:
 
    name: nginx
 
    state: installed
 

	
 
- name: Allow nginx user to traverse the directory with TLS private keys
 
  user: name=www-data append=yes groups=ssl-cert
 
  user:
 
    name: www-data
 
    append: yes
 
    groups: ssl-cert
 
  notify:
 
    - Restart nginx
 

	
 
@@ -29,103 +34,172 @@
 
    - Restart nginx
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  copy: content="/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" dest="/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
 
        owner=root group=root mode=0644
 
  copy:
 
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
 
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Remove TLS protocol configuration from the main configuration file
 
  lineinfile: dest="/etc/nginx/nginx.conf" backrefs=yes regexp="^\s*ssl_protocols" state=absent
 
  lineinfile:
 
    dest: "/etc/nginx/nginx.conf"
 
    backrefs: yes
 
    regexp: "^\\s*ssl_protocols"
 
    state: absent
 
  notify:
 
    - Restart nginx
 

	
 
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
 
  template: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf.j2"
 
            owner="root" group="root" mode=0644
 
  template:
 
    dest: "/etc/nginx/conf.d/tls.conf"
 
    src: "tls.conf.j2"
 
    owner: "root"
 
    group: "root"
 
    mode: 0644
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy script for verification of nginx vhost configurations
 
  copy: src="nginx_verify_site.sh" dest="/usr/local/bin/nginx_verify_site.sh"
 
        owner=root group=root mode=0755
 
  copy:
 
    src: "nginx_verify_site.sh"
 
    dest: "/usr/local/bin/nginx_verify_site.sh"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Deploy default vhost configuration
 
  template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"
 
             owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n default %s"
 
  template:
 
    src: "nginx-default.j2"
 
    dest: "/etc/nginx/sites-available/default"
 
    owner: root
 
    group: root
 
    mode: 0640
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable default website
 
  file: src="/etc/nginx/sites-available/default" dest="/etc/nginx/sites-enabled/default"
 
        state=link
 
  file:
 
    src: "/etc/nginx/sites-available/default"
 
    dest: "/etc/nginx/sites-enabled/default"
 
    state: link
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy firewall configuration for web server
 
  copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=0640
 
  copy:
 
    src: "ferm_http.conf"
 
    dest: "/etc/ferm/conf.d/30-web.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Remove the default Debian html files
 
  file: path="{{ item }}" state=absent
 
  file:
 
    path: "{{ item }}"
 
    state: absent
 
  with_items:
 
    - /var/www/html/index.nginx-debian.html
 
    - /var/www/html/
 

	
 
- name: Create directory for storing the default website page
 
  file: path="/var/www/default/" state=directory
 
        owner=root group=www-data mode=0750
 
  file:
 
    path: "/var/www/default/"
 
    state: directory
 
    owner: root
 
    group: www-data
 
    mode: 0750
 

	
 
- name: Deploy the default index.html
 
  template: src="index.html.j2" dest=/var/www/default/index.html
 
            owner=root group=www-data mode=0640
 
  template:
 
    src: "index.html.j2"
 
    dest: /var/www/default/index.html
 
    owner: root
 
    group: www-data
 
    mode: 0640
 

	
 
- name: Enable nginx service
 
  service: name=nginx enabled=yes state=started
 
  service:
 
    name: nginx
 
    enabled: yes
 
    state: started
 

	
 
- name: Install base packages for Python web applications
 
  apt: name="{{ item }}" state=installed
 
  apt:
 
    name: "{{ item }}"
 
    state: installed
 
  with_items:
 
    - virtualenv
 
    - virtualenvwrapper
 

	
 
- name: Create directories for storing per-site socket files
 
  file: path="{{ item }}" state="directory"
 
        owner="root" group="www-data" mode="0750"
 
  file:
 
    path: "{{ item }}"
 
    state: directory
 
    owner: root
 
    group: www-data
 
    mode: 0750
 
  with_items:
 
    - "/run/wsgi/"
 
    - "/run/php5-fpm/"
 

	
 
- name: Create directories for storing per-site socket files on boot
 
  copy: content="d /run/{{ item }}/ 0750 root www-data - -" dest="/etc/tmpfiles.d/{{ item }}.conf"
 
        owner="root" group="root" mode=0644
 
  copy:
 
    content: "d /run/{{ item }}/ 0750 root www-data - -"
 
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  with_items:
 
    - wsgi
 
    - php5-fpm
 

	
 
- name: Install base packages for PHP web applications
 
  apt: name="{{ item }}" state=installed
 
  apt:
 
    name: "{{ item }}"
 
    state: installed
 
  with_items:
 
    - php5-fpm
 

	
 
- name: Create directory for storing PHP FPM service configuration overrides
 
  file: path="/etc/systemd/system/php5-fpm.service.d/" state=directory
 
        owner=root group=root mode=0755
 
  file:
 
    path: "/etc/systemd/system/php5-fpm.service.d/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Configure php5-fpm service to run with umask 0007
 
  copy: src="php5_fpm_umask.conf" dest="/etc/systemd/system/php5-fpm.service.d/umask.conf"
 
        owner=root group=root mode=0644
 
  copy:
 
    src: "php5_fpm_umask.conf"
 
    dest: "/etc/systemd/system/php5-fpm.service.d/umask.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart php5-fpm
 

	
 
- name: Enable service used for running PHP web applications
 
  service: name="php5-fpm" enabled=yes state=started
 
  service:
 
    name: "php5-fpm"
 
    enabled: yes
 
    state: started
 

	
 
- name: Read timezone on server
 
  slurp: src=/etc/timezone
 
  slurp:
 
    src: "/etc/timezone"
 
  register: server_timezone
 

	
 
- name: Configure timezone for PHP
 
  template: src="php_timezone.ini.j2" dest="{{ item }}/30-timezone.ini"
 
            owner=root group=root mode=0644
 
  template:
 
    src: "php_timezone.ini.j2"
 
    dest: "{{ item }}/30-timezone.ini"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  with_items:
 
    - /etc/php5/cli/conf.d/
 
    - /etc/php5/fpm/conf.d/
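Review bot: The expanded syntax writes every `mode` as a bare YAML scalar (`mode: 0750`, `mode: 0644`, ...), and for the per-site socket directories the quotes that were present in `mode="0750"` are dropped. A bare leading-zero literal reaches the module as an integer and comes out right only because a YAML 1.1 loader reads it as octal; an edit that loses the zero, or a loader following YAML 1.2 rules, would silently apply different permissions. Quoting keeps the value a string that the module parses itself, e.g. `mode: "0750"`. The same applies to the modes in roles/php_website/tasks/main.yml and roles/wsgi_website/tasks/main.yml, including the setgid `mode: 02750` and the `0640` on the TLS private key.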
roles/wsgi_website/handlers/main.yml
 
---
 

	
 
- name: "Restart website {{ fqdn }}"
 
  service: name="{{ fqdn }}" state=restarted
 
  service:
 
    name: "{{ fqdn }}"
 
    state: restarted
roles/wsgi_website/tasks/main.yml
 
---
 

	
 
- name: Create WSGI website group
 
  group: name="{{ user }}" gid="{{ uid | default(omit) }}" state=present
 
  group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create WSGI website admin user
 
  user: name="{{ admin }}" uid="{{ admin_uid | default(omit) }}" group="{{ user }}"
 
        shell=/bin/bash createhome=yes home="{{ home }}" state=present
 
  user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    shell: /bin/bash
 
    createhome: yes
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  file: path="{{ home }}/.profile.d" state=directory
 
        owner="{{ admin }}" group="{{ user }}" mode=0750
 
  file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 0750
 

	
 
- name: Deploy profile configuration file for auto-activating the virtual environment
 
  copy: src="profile_virtualenv.sh" dest="{{ home }}/.profile.d/virtualenv.sh"
 
        owner="root" group="{{ user }}" mode="0640"
 
  copy:
 
    src: "profile_virtualenv.sh"
 
    dest: "{{ home }}/.profile.d/virtualenv.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Deploy profile configuration file for setting environment variables
 
  template: src="environment.sh.j2" dest="{{ home }}/.profile.d/environment.sh"
 
            owner="root" group="{{ user }}" mode=0640
 
  template:
 
    src: "environment.sh.j2"
 
    dest: "{{ home }}/.profile.d/environment.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Create WSGI website user
 
  user: name="{{ user }}" uid="{{ uid | default(omit) }}" group="{{ user }}" comment="umask=0007"
 
        system=yes createhome=no state=present home="{{ home }}"
 
  user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: yes
 
    createhome: no
 
    state: present
 
    home: "{{ home }}"
 

	
 
- name: Add nginx user to website group
 
  user: name="www-data" groups="{{ user }}" append="yes"
 
  user:
 
    name: www-data
 
    groups: "{{ user }}"
 
    append: yes
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  template: src="forward.j2" dest="{{ home }}/.forward"
 
            owner="root" group="{{ user }}" mode=0640
 
  template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Install extra packages for website
 
  apt: name="{{ item }}" state=present
 
  apt:
 
    name: "{{ item }}"
 
    state: present
 
  with_items: "{{ packages }}"
 
  notify:
 
    - "Restart website {{ fqdn }}"
 

	
 
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
 
  file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config" state=link
 
  file:
 
    src: "/usr/bin/mariadb_config"
 
    dest: "/usr/bin/mysql_config"
 
    state: link
 
  when: "'libmariadb-client-lgpl-dev-compat' in packages"
 

	
 
- name: Create directory for storing the Python virtual environment
 
  file: path="{{ home }}/virtualenv" state=directory
 
        owner="{{ admin }}" group="{{ user }}" mode="02750"
 
  file:
 
    path: "{{ home }}/virtualenv"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 02750
 

	
 
- name: Create Python virtual environment
 
  command: '/usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv"'
 
  args:
 
    creates: "{{ home }}/virtualenv/bin/activate"
 
  become: yes
 
  become_user: "{{ admin }}"
 
  command: /usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv" creates="{{ home }}/virtualenv/bin/activate"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task will not fire if the virtual environment has already bene
 
@@ -59,17 +105,29 @@
 
    - skip_ansible_lint
 

	
 
- name: Configure project directory for the Python virtual environment
 
  template: src="venv_project.j2" dest="{{ home }}/virtualenv/.project"
 
            owner="{{ admin }}" group="{{ user }}" mode="0640"
 
  template:
 
    src: "venv_project.j2"
 
    dest: "{{ home }}/virtualenv/.project"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Deploy virtualenv wrapper
 
  template: src="venv_exec.j2" dest="{{ home }}/virtualenv/bin/exec"
 
            owner="{{ admin }}" group="{{ user }}" mode="0750"
 
  template:
 
    src: "venv_exec.j2"
 
    dest: "{{ home }}/virtualenv/bin/exec"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 0750
 

	
 
- name: Install WSGI server
 
  become: yes
 
  become_user: "{{ admin }}"
 
  pip: name="{{ item.package }}" version="{{ item.version }}" state=present virtualenv="{{ home }}/virtualenv"
 
  pip:
 
    name: "{{ item.package }}"
 
    version: "{{ item.version }}"
 
    state: present
 
    virtualenv: "{{ home }}/virtualenv"
 
  with_items:
 
    - package: gunicorn
 
      version: "{{ gunicorn_version }}"
 
@@ -85,39 +143,57 @@
 
- name: Install additional packages in Python virtual environment
 
  become: yes
 
  become_user: "{{ admin }}"
 
  pip: name="{{ item }}" state=present virtualenv="{{ home }}/virtualenv"
 
  pip:
 
    name: "{{ item }}"
 
    state: present
 
    virtualenv: "{{ home }}/virtualenv"
 
  with_items: "{{ virtualenv_packages }}"
 
  notify:
 
    - "Restart website {{ fqdn }}"
 

	
 
- name: Deploy systemd socket configuration for website
 
  template: src="systemd_wsgi_website.socket.j2" dest="/etc/systemd/system/{{ fqdn }}.socket"
 
            owner=root group=root mode=0644
 
  template:
 
    src: "systemd_wsgi_website.socket.j2"
 
    dest: "/etc/systemd/system/{{ fqdn }}.socket"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Reload systemd
 
    - "Restart website {{ fqdn }}"
 

	
 
- name: Deploy systemd service configuration for website
 
  template: src="systemd_wsgi_website.service.j2" dest="/etc/systemd/system/{{ fqdn }}.service"
 
            owner=root group=root mode=0644
 
  template:
 
    src: "systemd_wsgi_website.service.j2"
 
    dest: "/etc/systemd/system/{{ fqdn }}.service"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Reload systemd
 
    - "Restart website {{ fqdn }}"
 

	
 
- name: Enable the website service
 
  service: name="{{ fqdn }}" enabled=yes state=started
 
  service:
 
    name: "{{ fqdn }}"
 
    enabled: yes
 
    state: started
 

	
 
- name: Create directory where static files can be served from
 
  file: path="{{ home }}/htdocs/" state=directory
 
        owner="{{ admin }}" group="{{ user }}" mode="02750"
 
  file:
 
    path: "{{ home }}/htdocs/"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 02750
 

	
 
- name: Deploy nginx TLS private key for website
 
  copy:
 
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
 
    content: "{{ https_tls_key }}"
 
    mode: 0640
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart nginx
 

	
 
@@ -125,25 +201,36 @@
 
  copy:
 
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    content: "{{ https_tls_certificate }}"
 
    mode: 0644
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  copy: content="/etc/ssl/certs/{{ fqdn }}_https.pem" dest="/etc/check_certificate/{{ fqdn }}_https.conf"
 
        owner=root group=root mode=0644
 
  copy:
 
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Deploy nginx configuration file for website
 
  template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
 
            owner=root group=root mode=0640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  template:
 
    src: "nginx_site.j2"
 
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
 
    owner: root
 
    group: root
 
    mode: 0640
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable nginx website
 
  file: src="/etc/nginx/sites-available/{{ fqdn }}" dest="/etc/nginx/sites-enabled/{{ fqdn }}"
 
        state=link
 
  file:
 
    src: "/etc/nginx/sites-available/{{ fqdn }}"
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
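Review bot: "Install additional packages in Python virtual environment" (hunk `-85,39 +143,57`) installs each entry of `virtualenv_packages` with `state: present` and no `version`, while the "Install WSGI server" task earlier in the file passes `version: "{{ item.version }}"`. Unless the list entries already carry `==` specifiers (not visible here), the version that lands in the virtualenv depends on what the package index serves on the first run and is not reconciled afterwards. I would state the expectation above the task, `# Entries in virtualenv_packages must be pinned (name==version).`, or move these packages into the requirements file handled in tasks/requirements.yml.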
 

	
roles/wsgi_website/tasks/requirements.yml
 
---
 

	
 
- name: Set-up directory for storing requirements file for upgrade checks
 
  file: path="/etc/pip_check_requirements_upgrades/{{ fqdn }}" state=directory
 
        owner="root" group="pipreqcheck" mode=0750
 
  file:
 
    path: "/etc/pip_check_requirements_upgrades/{{ fqdn }}"
 
    state: directory
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0750
 

	
 
- name: Deploy WSGI requirements files for upgrade checks
 
  template: src="{{ item }}.j2" dest="/etc/pip_check_requirements_upgrades/{{ fqdn }}/{{ item }}"
 
            owner="root" group="pipreqcheck" mode="0640"
 
  template:
 
    src: "{{ item }}.j2"
 
    dest: "/etc/pip_check_requirements_upgrades/{{ fqdn }}/{{ item }}"
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0640
 
  with_items:
 
    - wsgi_requirements.in
 
    - wsgi_requirements.txt
 
@@ -14,12 +22,19 @@
 
- name: Deploy Gunicorn requirements file for installation purposes
 
  become: yes
 
  become_user: "{{ admin }}"
 
  template: src="wsgi_requirements.txt.j2" dest="{{ home }}/.wsgi_requirements.txt"
 
            owner="{{ admin }}" group="{{ user }}" mode="0640"
 
  template:
 
    src: "wsgi_requirements.txt.j2"
 
    dest: "{{ home }}/.wsgi_requirements.txt"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: 0640
 

	
 
- name: Install Gunicorn via requirements file
 
  become: yes
 
  become_user: "{{ admin }}"
 
  pip: requirements="{{ home }}/.wsgi_requirements.txt" state=present virtualenv="{{ home }}/virtualenv"
 
  pip:
 
    requirements: "{{ home }}/.wsgi_requirements.txt"
 
    state: present
 
    virtualenv: "{{ home }}/virtualenv"
 
  notify:
 
    - "Restart website {{ fqdn }}"