root: "root john.doe@example.com"

  smtp_relay_host: mail.example.com

  smtp_relay_host_port: 27

  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem

Web Server

----------

   ::

      ---

      - hosts: communications

        remote_user: ansible

        roles:

          - common

2. Create playbook for the web server:

   :file:`~/mysite/playbooks/web.yml`

   ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

3. Create playbook for the backup server:

   :file:`~/mysite/playbooks/backup.yml`

   ::

      ---

      - hosts: backup

        remote_user: ansible

        roles:

          - common

4. Create the global site playbook:

   :file:`~/mysite/playbooks/site.yml`

   ::

      ---

      - hosts: communications

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - ldap_server

2. Update the playbook for web server to include the LDAP client role

   ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

3. Time to configure the roles. For start, let us configure the LDAP

   server role. Keep in mind that there is a lot of default variables

    ::

      ---

      - hosts: communications

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - ldap_server

          - mail_server

   ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - mail_forwarder

   :file:`~/mysite/playbooks/backup.yml`

   ::

      ---

      - hosts: backup

        remote_user: ansible

        roles:

          - common

          - mail_forwarder

2. The next thing is to set-up the configuration for the new role. We can define

   this globally for all servers

   ::

      ---

      - hosts: communications

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - ldap_server

          - mail_server

          - xmpp_server

    ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - mail_forwarder

          - web_server

    ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - mail_forwarder

          - web_server

          - database_server

      - name: Download the application archive

        ansible.builtin.get_url:

          url: "https://download.nextcloud.com/server/releases/nextcloud-29.0.4.tar.bz2"

          dest: "/var/www/nextcloud.example.com/nextcloud-29.0.4.tar.gz"

          checksum: "sha256:19c469e264b31ee80400f8396460854546569e88db4c15fc0854e192f96027eb"

        become_user: admin-nextcloud_example_com

      - name: Unpack the application archive

        ansible.builtin.unarchive:

          src: "/var/www/nextcloud.example.com/nextcloud-29.0.4.tar.gz"

          dest: "/var/www/nextcloud.example.com/"

          creates: "/var/www/nextcloud.example.com/nextcloud"

        become_user: admin-nextcloud_example_com

      # Majic Ansible Roles currently only support utf8 encoding.

      - name: Disable opportunistic use of utf8mb4 on fresh installs

        ansible.builtin.lineinfile:

          dest: "/var/www/nextcloud.example.com/nextcloud/lib/private/Setup/MySQL.php"

          group: "web-nextcloud_example_com"

      - name: Create an empty log file if it does not exist

        ansible.builtin.copy:

          content: ""

          dest: "/var/www/nextcloud.example.com/data/nextcloud.log"

      - name: Set-up log file permissions

        ansible.builtin.file:

          path: "/var/www/nextcloud.example.com/data/nextcloud.log"

          owner: "admin-nextcloud_example_com"

          group: "web-nextcloud_example_com"

      # Installation

      # ============

      - name: Get application installation status

        ansible.builtin.command: "/var/www/nextcloud.example.com/nextcloud/occ status"

        become_user: "admin-nextcloud_example_com"

        register: nextcloud_status

      - name: Check if application is installed

        ansible.builtin.set_fact:

          nextcloud_installed: "{{ 'Nextcloud is not installed' not in nextcloud_status.stderr }}"

      - name: Deploy installation script

          group: "web-nextcloud_example_com"

          mode: "0700"

        when: "not nextcloud_installed"

      - name: Install application

        ansible.builtin.command: "/var/www/nextcloud.example.com/install_nextcloud.py"

        become_user: "admin-nextcloud_example_com"

        when: "not nextcloud_installed"

      - name: Remove installation script

        ansible.builtin.file:

          path: "/var/www/nextcloud.example.com/install_nextcloud.py"

          state: absent

      - name: Fix data file permissions for application user/group

        ansible.builtin.file:

          path: "/var/www/nextcloud.example.com/data"

          mode: g+w

      - name: Deploy local configuration overrides

        ansible.builtin.copy:

          src: "local.config.php"

          dest: "/var/www/nextcloud.example.com/nextcloud/config/local.config.php"

          owner: "admin-nextcloud_example_com"

   ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - mail_forwarder

          - web_server

          - database_server

      - name: Start Django project for the Wiki website

        ansible.builtin.command: "/var/www/wiki.example.com/virtualenv/bin/exec django-admin startproject wiki_example_com /var/www/wiki.example.com/code"

        args:

          chdir: "/var/www/wiki.example.com"

          creates: "/var/www/wiki.example.com/code/wiki_example_com"

        become_user: admin-wiki_example_com

      - name: Deploy settings for wiki website

        ansible.builtin.copy:

          src: "{{ item }}"

          dest: "/var/www/wiki.example.com/code/wiki_example_com/{{ item }}"

      - name: Deploy project database and deploy static files

        community.general.django_manage:

          command: "{{ item }}"

          app_path: "/var/www/wiki.example.com/code/"

          virtualenv: "/var/www/wiki.example.com/virtualenv/"

        become_user: admin-wiki_example_com

        with_items:

          - migrate

          - collectstatic

      - name: Deploy the superuser creation script

          mode: "0750"

      - name: Create initial superuser

        ansible.builtin.command: "/var/www/wiki.example.com/virtualenv/bin/exec ./create_superuser.py"

        args:

          chdir: "/var/www/wiki.example.com/code/"

        become_user: admin-wiki_example_com

        register: wiki_superuser

        changed_when: "wiki_superuser.stdout ==  'Created superuser.'"

   :file:`~/mysite/roles/wiki/handlers/main.yml`

   ::

   ::

      ---

      - hosts: web

        remote_user: ansible

        roles:

          - common

          - ldap_client

          - mail_forwarder

          - web_server

          - database_server

   ::

      ---

      - hosts: backup

        remote_user: ansible

        roles:

          - common

          - mail_forwarder

          - backup_server

2. There is just one mandatory parameter for the role - OpenSSH server keys to

      invalid. Therefore the example below explicitly disables

      stripping newline from the end of the file.

   :file:`~/mysite/group_vars/all.yml`

   ::

      backup_encryption_key: "{{ lookup('pipe', 'gpg --homedir ~/mysite/gnupg/ --armour --export-secret-keys ' + ansible_fqdn ) }}"

      backup_server: bak.example.com

      backup_server_host_ssh_public_keys:

        - "{{ lookup('file', inventory_dir + '/ssh/bak_rsa_key.pub') }}"

        - "{{ lookup('file', inventory_dir + '/ssh/bak_ed25519_key.pub') }}"

        - "{{ lookup('file', inventory_dir + '/ssh/bak_ecdsa_key.pub') }}"