Many extensions and improvements
authorHamatoma <author@hamatoma.de>
Thu, 17 Apr 2025 04:56:52 +0000 (06:56 +0200)
committerHamatoma <author@hamatoma.de>
Thu, 17 Apr 2025 04:56:52 +0000 (06:56 +0200)
55 files changed:
.vscode/settings.json [new file with mode: 0644]
README.md
SetRights [new symlink]
inventory [new file with mode: 0644]
playbooks.templates/i_10_basic.yaml [new file with mode: 0644]
playbooks.templates/i_15_server_packages.yaml [new file with mode: 0644]
playbooks.templates/i_17_configuration.yaml [new file with mode: 0644]
playbooks.templates/i_20_nginx.yaml [new file with mode: 0644]
playbooks.templates/i_30_mariadb.yaml [new file with mode: 0644]
playbooks.templates/i_40_php8.2.yaml [new file with mode: 0644]
playbooks.templates/i_50_git_server.yaml [new file with mode: 0644]
playbooks.templates/i_60_postfix.yaml [new file with mode: 0644]
playbooks.templates/i_70_webapps.yaml [new file with mode: 0644]
playbooks.templates/i_99_test.yaml [new file with mode: 0644]
playbooks.templates/lets_create.yaml [new file with mode: 0644]
playbooks.templates/mysql_create_admin.yaml [new file with mode: 0644]
playbooks.templates/mysql_create_db_and_user.yaml [new file with mode: 0644]
playbooks.templates/nginx_create_site.yaml [new file with mode: 0644]
playbooks.templates/ssl_create_certificate.yaml [new file with mode: 0644]
playbooks.templates/webapp_backup.yaml [new file with mode: 0644]
playbooks.templates/webapp_create.yaml [new file with mode: 0644]
playbooks.templates/webapp_export.yaml [new file with mode: 0644]
playbooks.templates/webapp_import.yaml [new file with mode: 0644]
playbooks/create_project.yaml [new file with mode: 0644]
scripts.templates/AddPassword [new file with mode: 0755]
scripts.templates/CreatePlaybook [new file with mode: 0755]
scripts.templates/CreateTask [new file with mode: 0755]
scripts.templates/SetRights [new file with mode: 0755]
tasks.templates/t_copy_wildcard.yaml [new file with mode: 0644]
tasks.templates/t_lets_create.yaml [new file with mode: 0644]
tasks.templates/t_link_wildcard.yaml [new file with mode: 0644]
tasks.templates/t_mysql_create_admin.yaml [new file with mode: 0644]
tasks.templates/t_mysql_create_db_and_user.yaml [new file with mode: 0644]
tasks.templates/t_nginx_create_site.yaml [new file with mode: 0644]
tasks.templates/t_ssl_create_certificate.yaml [new file with mode: 0644]
tasks.templates/t_webapp_backup.yaml [new file with mode: 0644]
tasks.templates/t_webapp_create.yaml [new file with mode: 0644]
tasks.templates/t_webapp_export.yaml [new file with mode: 0644]
tasks.templates/t_webapp_import.yaml [new file with mode: 0644]
templates/nginx/hi1.txt [new file with mode: 0644]
templates/nginx/hi2.txt [new file with mode: 0644]
templates/nginx/http.conf [new file with mode: 0644]
templates/nginx/index.html [new file with mode: 0644]
templates/nginx/index.php [new file with mode: 0644]
templates/nginx/letsencrypt.conf [new file with mode: 0644]
templates/nginx/site.php [new file with mode: 0644]
templates/nginx/test.site [new file with mode: 0644]
templates/postfix/virtual [new file with mode: 0644]
templates/var/common.yaml [new file with mode: 0644]
templates/var/db.yaml [new file with mode: 0644]
templates/var/php.yaml [new file with mode: 0644]
templates/var/postfix.yaml [new file with mode: 0644]
templates/var/ssl-certificate.yaml [new file with mode: 0644]
templates/var/vault_db.yaml [new file with mode: 0644]
templates/var/webapps.yaml [new file with mode: 0644]

diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644 (file)
index 0000000..3a9326b
--- /dev/null
@@ -0,0 +1,3 @@
+{
+    "ansible.python.interpreterPath": "/usr/bin/python3"
+}
\ No newline at end of file
index da54cbe52f8c43a81bff592dee05276e3e15168c..5a0fa641ac8657850bfd0acafaf4c7495be913d9 100644 (file)
--- a/README.md
+++ b/README.md
@@ -1,3 +1,37 @@
-# Project 
-## Description
-Common files of all ansible projects.
+Project ansknife
+
+# Description
+A collection of predefined tasks, playbooks, scripts and other.
+
+With that project you can create a server definition project in a short time.
+
+# The Project Name
+ansknife is the short form of Ansible swiss knive
+
+# Preconditions
+- we support usage of NGINX, MARIADB, PHP, LetsEncrypt
+
+# Glossar
+- webapp: A web application: a webserver application with PHP source in a directory tree, MariaDB database and Nginx configuration
+
+# Creation of a New Server Definition Project
+The server name may be "colibri", we take the name also for the new project.
+- go to the base directory, e.g. /home/workspace/ansible/
+- clone the ansknife project: /home/workspace/ansible/ansknife will be created
+- start a playbook to create the project colibri: /home/workspace/ansible/colibri will be created
+```
+BASE=/home/workspace/ansible
+GIT_REP=ssh://myserver.com/git/repo
+PROJ=colibri
+cd $BASE
+git clone $GIT_REP/ansknife.git
+cd ansknife
+ansible-playbook playbook/create_project -e project=$PROJ
+cd ../$PROJ
+./SetRights
+```
+- edit all files in $BASE/colibri/var: configure your project by choosing valid/meaningful variable values
+- edit $BASE/colibri/README.md, $BASE/colibri/CHANGELOG.md, inventory 
+
+
+
diff --git a/SetRights b/SetRights
new file mode 120000 (symlink)
index 0000000..c319c58
--- /dev/null
+++ b/SetRights
@@ -0,0 +1 @@
+scripts.templates/SetRights
\ No newline at end of file
diff --git a/inventory b/inventory
new file mode 100644 (file)
index 0000000..583ace8
--- /dev/null
+++ b/inventory
@@ -0,0 +1,7 @@
+[hosts]
+localhost
+[hosts:vars]
+ansible_python_interpreter=/usr/bin/python3
+ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+ansible_user=ansadm
+ansible_become=yes
\ No newline at end of file
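Review bot: `ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` disables SSH host-key verification for every host in the group, so a connection to the wrong or an intercepted host is accepted silently, and with `ansible_become=yes` those sessions run privileged tasks. The only host listed here is `localhost`, so the options buy nothing; drop them and keep the server keys in a checked-in file passed as `-o UserKnownHostsFile=./known_hosts` instead. The same line is written into the generated inventory by playbooks/create_project.yaml, where it applies to the real server, so it should be removed there as well.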
diff --git a/playbooks.templates/i_10_basic.yaml b/playbooks.templates/i_10_basic.yaml
new file mode 100644 (file)
index 0000000..d806556
--- /dev/null
@@ -0,0 +1,63 @@
+---
+
+- hosts: all
+  vars:
+    hostname: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+')}}"
+  tasks:
+    - name: Prepare /media/trg directory
+      file: path=/media/trg state=directory
+    - name: Prepare /media/tmp directory
+      file: path=/media/trg state=directory
+    - name: Prepare /media/fs.cave directory
+      file: path=/media/fs.cave state=directory
+    - name: Prepare /media/fs.sys directory
+      file: path=/media/fs.sys state=directory
+    - name: Prepare /usr/local/bin directory
+      file: path=/usr/local/bin state=directory
+    - name: Prepare /usr/local/bin/local directory
+      file: path=/usr/local/bin/local state=directory
+    - name: Prepare /usr/share/pyrshell directory
+      file: path=/usr/share/pyrshell state=directory
+    - name: Symbolic link to local directory
+      file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link
+    - name: Unpack a tar into /usr/local/bin/local
+      unarchive: src=../resources/needed.tgz dest=/usr/local/bin
+    - name: Symbolic link to /p
+      file: src=/usr/local/bin/std.profile dest=/p state=link
+    - name: Unpack a tar into /usr/share/pyrshell
+      unarchive: src=../resources/rsh.tgz dest=/usr/share/pyrshell
+    - name: Create user bupsrv
+      user: name=bupsrv state=present uid=201
+    - name: Create user bupsupply
+      user: name=bupsupply state=present uid=202
+    - name: Create ssh directory for bupsupply
+      file: path=/home/bupsupply/.ssh state=directory group=bupsupply owner=bupsupply mode=0700
+    - name: Create authorized_keys for bupsupply
+      file: path=/home/bupsupply/.ssh/authorized_keys state=touch group=bupsupply owner=bupsupply mode=0600
+    - name: Create user bupwiki
+      user: name=bupwiki state=present uid=203
+    - name: Create user buptmp
+      user: name=buptmp state=present uid=204
+    - name: Create ssh directory for buptmp
+      file: path=/home/buptmp/.ssh state=directory group=buptmp owner=buptmp mode=0700
+    - name: Create authorized_keys for buptmp
+      file: path=/home/buptmp/.ssh/authorized_keys state=touch group=buptmp owner=buptmp mode=0600
+    - name: Create user extdata
+      user: name=extdata state=present uid=211
+    - name: Create user extcloud
+      user: name=extcloud state=present uid=212
+    - name: Create user extbup
+      user: name=extbup state=present uid=213
+    - name: Create configuration directory
+      file: path=/etc/config state=directory mode=0700
+    - name: Create webapp.d
+      file: path=/etc/config/webapps.d state=directory mode=0700
+    - name: install standard packages
+      apt:
+        name: "{{ item }}"
+        state: present
+        update_cache: true
+        cache_valid_time: 3600
+      with_items: [htop, rsync, sudo, curl, iotop, jnettop, ssl-cert, ca-certificates, zram-tools, nfs-kernel-server, tmux]
+
+        
\ No newline at end of file
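Review bot: The task `Prepare /media/tmp directory` creates `/media/trg` a second time instead of `/media/tmp`; the `path=` was copied from the task above, so `/media/tmp` is never created — it should be `file: path=/media/tmp state=directory`. The task `Unpack a tar into /usr/local/bin/local` extracts to `dest=/usr/local/bin`, one level above what its name announces, so either the name or the destination is wrong. `/etc/config` and `/etc/config/webapps.d` get `mode=0700` but no `owner`/`group`, so ownership is left to the account the play runs as; `owner=root group=root` makes the intent explicit since these directories are meant to hold per-webapp configuration.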
diff --git a/playbooks.templates/i_15_server_packages.yaml b/playbooks.templates/i_15_server_packages.yaml
new file mode 100644 (file)
index 0000000..dfed68a
--- /dev/null
@@ -0,0 +1,15 @@
+---
+
+- hosts: all
+  vars:
+    hostname: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+')}}"
+  tasks:
+    - name: install server packages
+      apt:
+        name: "{{ item }}"
+        state: present
+        update_cache: true
+        cache_valid_time: 3600
+      with_items: [certbot, git, unzip, 7zip, unrar-free]
+
+        
\ No newline at end of file
diff --git a/playbooks.templates/i_17_configuration.yaml b/playbooks.templates/i_17_configuration.yaml
new file mode 100644 (file)
index 0000000..f5c75d9
--- /dev/null
@@ -0,0 +1,28 @@
+---
+# change some values in some configuration files
+# needed facts (variables) from commandline:
+#
+- hosts: all
+  vars_files:
+    - ../var/common.yaml
+  tasks:
+    - name: limit the total size of journald logs
+      lineinfile:
+        dest: /etc/systemd/journald.conf
+        regexp: ^#?\s*SystemMaxUse=
+        line: SystemMaxUse={{ systemd_journal_system_max_use }}
+      notify:
+        - restart systemd-journald
+
+    - name: limit the size of each journald log file
+      lineinfile:
+        dest: /etc/systemd/journald.conf
+        regexp: ^#\s*SystemMaxFileSize=
+        line: SystemMaxFileSize={{ systemd_journal_system_max_file_size }}
+      notify:
+        - restart systemd-journald
+  handlers:
+    - name: restart systemd-journald
+      ansible.builtin.systemd:
+        name: systemd-journald
+        state: restarted
\ No newline at end of file
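Review bot: The second `lineinfile` uses `regexp: ^#\s*SystemMaxFileSize=`, without the `?` the first task has, so an already active `SystemMaxFileSize=` line is not matched and a second directive is appended at the end of journald.conf instead of the existing one being replaced. Make it `regexp: ^#?\s*SystemMaxFileSize=` to mirror the `SystemMaxUse` task. The header says `needed facts (variables) from commandline:` and then lists nothing; either name `systemd_journal_system_max_use` and `systemd_journal_system_max_file_size` as coming from `../var/common.yaml` or drop that line.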
diff --git a/playbooks.templates/i_20_nginx.yaml b/playbooks.templates/i_20_nginx.yaml
new file mode 100644 (file)
index 0000000..188c31e
--- /dev/null
@@ -0,0 +1,61 @@
+---
+- name: Install and configure with letsencrypt
+  hosts: all
+  become: yes
+
+  vars:
+    user: www-data
+    hostname: "{{ inventory_hostname }}"
+    log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}"
+  vars_files:
+    - ../var/ssl-certificate.yaml
+  tasks:
+    - name: Install nginx
+      apt:
+        name: nginx
+        state: latest
+        update_cache: yes
+    - name: Prepare letsencrypt home directory
+      file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory
+    - name: Add test file1
+      copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/
+    - name: Add test file2
+      copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt
+    - name: Prepare letsencrypt
+      copy:
+        src: ../templates/nginx/letsencrypt.conf
+        dest: /etc/nginx/snippets
+    - name: add HTTP-variables
+      copy:
+        src: ../templates/nginx/http.conf
+        dest: /etc/nginx/snippets
+    - name: create a www directory
+      file: path=/home/www state=directory owner=root group=www-data
+      
+    - name: create the /srv/www link
+      file: src=/home/www dest=/srv/www state=link
+    - name: Ensure nginx is running
+      systemd:
+        name: nginx
+        state: started
+        enabled: yes
+    - name: create a test virtual hosts
+      template: 
+        src: ../templates/nginx/test.site
+        dest: /etc/nginx/sites-available/{{hostname}}
+    - name: activate by link in sites-enabled
+      file:
+        src: /etc/nginx/sites-available/{{hostname}}
+        dest: /etc/nginx/sites-enabled/{{hostname}}
+        state: link
+    - name: create a ssh-certificate
+      command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{hostname}}"
+      args:
+        creates: /etc/ssl/private/{{hostname}}.key
+    - name: create a document root
+      file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data
+    - name: create a test index.html
+      template: src=../templates/nginx/index.html dest=/srv/www/{{hostname}}/index.html
+    - name: create a test index.php
+      copy: src=../templates/nginx/index.php dest=/srv/www/{{hostname}}/index.php
+
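Review bot: The task `create a ssh-certificate` generates a self-signed TLS key and certificate with `openssl req`, and nothing sets the mode of `/etc/ssl/private/{{hostname}}.key`; openssl writes the file according to the process umask, so the key is probably readable more widely than intended. Add a follow-up task `file: path=/etc/ssl/private/{{hostname}}.key mode=0600 owner=root group=root` and rename the task to `create a self-signed TLS certificate`. `state: latest` on the nginx package upgrades it on every run, which means a restart of a production web server; `present` is the usual choice for an install playbook. The two `Add test file` tasks leave `hi1.txt`/`hi2.txt` publicly served under `.well-known`; a comment saying they exist only to verify the ACME path, or removing them once it is verified, would help.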
diff --git a/playbooks.templates/i_30_mariadb.yaml b/playbooks.templates/i_30_mariadb.yaml
new file mode 100644 (file)
index 0000000..cc81299
--- /dev/null
@@ -0,0 +1,14 @@
+- hosts: all
+  tasks:
+    - name: Install mariadb
+      ansible.builtin.apt:
+        name:
+          - mariadb-server
+          - python3-mysqldb
+        state: latest
+        update_cache: yes
+    - name: Ensure mariadb is running
+      ansible.builtin.systemd:
+        name: mysqld
+        state: started
+        enabled: yes
\ No newline at end of file
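Review bot: `state: latest` for `mariadb-server` means every run may upgrade and restart the database, which is rarely intended for an install playbook; `state: present` pins the behaviour to "installed". The service is addressed as `mysqld` while the package is MariaDB; on Debian the unit is `mariadb.service` and `mysqld` only resolves as an alias once the unit is enabled, so `name: mariadb` is the safer choice.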
diff --git a/playbooks.templates/i_40_php8.2.yaml b/playbooks.templates/i_40_php8.2.yaml
new file mode 100644 (file)
index 0000000..0d95ebd
--- /dev/null
@@ -0,0 +1,50 @@
+- hosts: all
+  vars:
+    - PHP_VERS: "8.2"
+  vars_files:
+    - ../var/php.yaml
+  pre_tasks:
+    - name:
+      apt:
+        name: gpg
+        state: present
+        update_cache: true
+    - name: add packages.sury.org (Debian case)
+      block:
+        - name: add gpg repo key
+          apt_key:
+            url:  'https://packages.sury.org/php/apt.gpg'
+            state: present
+
+        - name: add apt repo
+          apt_repository:
+            repo:  'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
+            state: present
+            filename: php
+      when: ansible_distribution == 'Debian'
+  tasks:
+    - name: Install PHP {{PHP_VERS}} and common modules
+      ansible.builtin.apt:
+        name: "{{ item }}"
+        state: present
+        update_cache: true
+        cache_valid_time: 3600
+      with_items: "{{ php_packages + php_additional_packages }}"
+    - name: Define PHP variables in php.ini
+      ansible.builtin.ini_file:
+        dest: /etc/php/{{PHP_VERS}}/fpm/php.ini 
+        section: "{{ item.section }}"
+        option: "{{ item.option }}"
+        value: "{{ item.value }}"
+      with_items:
+        "{{ php_ini_settings }}"
+    - name: Ensure PHP-FPM is running
+      ansible.builtin.systemd:
+        name: php{{PHP_VERS}}-fpm
+        state: started
+        enabled: yes
+    - name: Ensure Redis is running
+      ansible.builtin.systemd:
+        name: redis-server
+        state: started
+        enabled: yes
\ No newline at end of file
diff --git a/playbooks.templates/i_50_git_server.yaml b/playbooks.templates/i_50_git_server.yaml
new file mode 100644 (file)
index 0000000..3de68ef
--- /dev/null
@@ -0,0 +1,38 @@
+---
+
+- hosts: all
+  vars:
+    git_user: git
+  tasks:
+    - name: install packages
+      apt:
+        name: git
+        state: present
+    - name: create git user
+      user:
+        name: "{{ git_user }}"
+        state: present
+        shell: /usr/bin/git-shell
+        home: /home/git
+    - name: Prepare SSH directory for git
+      file: 
+        path: /home/git/.ssh 
+        state: directory 
+        group: "{{git_user}}"
+        owner: "{{git_user}}"
+        mode: "0700"
+    - name: Prepare authorized_keys
+      file: 
+        path: /home/git/.ssh/authorized_keys
+        state: touch
+        group: "{{git_user}}"
+        owner: "{{git_user}}"
+        mode: "0600"
+    - name: Prepare repository directory
+      file: 
+        path: /home/git/repo 
+        state: directory
+        group: "{{git_user}}"
+        owner: "{{git_user}}"
+
+        
\ No newline at end of file
diff --git a/playbooks.templates/i_60_postfix.yaml b/playbooks.templates/i_60_postfix.yaml
new file mode 100644 (file)
index 0000000..32f997d
--- /dev/null
@@ -0,0 +1,90 @@
+---
+# Installs the postfix mail server
+# Needed facts (variables):
+# -
+# Needed role installation:
+# ansible-galaxy role install sys_fs.postfix
+- hosts: all
+  vars:
+    postfix_domain: "{{ inventory_hostname }}"
+  vars_files:
+    - ../var/common.yaml
+  tasks:
+    - name: install the packages
+      ansible.builtin.package:
+        name: "{{ item }}"
+        state: present
+      with_items:
+        - postfix
+        - mailutils
+    - name: build the main.cf
+      copy:
+        src: "../resources/postfix/{{ item }}"
+        dest: "/etc/postfix/{{ item }}"
+        mode: 0640
+        owner: root
+        group: root
+      with_items:
+        - main.cf
+        - master.cf
+      notify:
+        - restart postfix
+    - name: create alias
+      template:
+        src: "../resources/postfix/aliases"
+        dest: "/etc/aliases"
+        mode: 0640
+        owner: root
+        group: root
+      notify:
+        - restart postfix
+    - name: create virtual alias
+      template:
+        src: "../resources/postfix/virtual"
+        dest: "/etc/postfix/virtual"
+        mode: 0640
+        owner: root
+        group: root
+      notify:
+        - restart postfix
+    - name: create the mailname file
+      copy:
+        content: |
+          {{ postfix_domain }}
+        dest: "/etc/mailname"
+        mode: 0644
+        owner: root
+        group: root
+      notify:
+        - restart postfix
+    - name: create a script to activate the virtual alias
+      copy:
+        content: |
+          #! /bin/bash
+          postmap virtual
+        dest: "/etc/postfix/Activate"
+        mode: 0700
+        owner: root
+        group: root
+      notify:
+        - postalias
+    - name: Ensure postfix is running
+      ansible.builtin.systemd:
+        name: postfix
+        state: started
+        enabled: yes
+  handlers: 
+    - name: restart postfix
+      ansible.builtin.service:
+        name: postfix
+        state: reloaded
+    - name: postalias
+      shell: postalias /etc/aliases
+    - name: postmap
+      shell: postalias /etc/postfix/virtual
+
+     
+
+
+
+
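Review bot: The `postmap` handler runs `postalias /etc/postfix/virtual`, which builds an alias database rather than the hash map `postmap` produces, and no task notifies `postmap` anyway — `create virtual alias` only notifies `restart postfix` — so `virtual.db` is never regenerated by the play and the copied `/etc/postfix/Activate` script has to be run by hand. Change the handler to `shell: postmap /etc/postfix/virtual`, add `- postmap` to the notify list of `create virtual alias`, and let `create alias` notify `postalias` so `/etc/aliases.db` is rebuilt too. Handlers run in the order they are defined, so with `restart postfix` listed first the reload happens before the maps are rebuilt; move the two map handlers above it. The header names `sys_fs.postfix` as a required Galaxy role, but no role is used in the play; drop those two comment lines or add the role.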
diff --git a/playbooks.templates/i_70_webapps.yaml b/playbooks.templates/i_70_webapps.yaml
new file mode 100644 (file)
index 0000000..6b345ae
--- /dev/null
@@ -0,0 +1,18 @@
+- hosts: all
+  vars_files:
+    - ../var/common.yaml
+    - ../var/ssl-certificate.yaml
+    - ../var/vault_webapps.yaml
+  tasks:
+    - name: Prepare state.infeos.net
+      ansible.builtin.set_fact:
+        webapp_name: "state.infeos.net"
+        domain: "{{ webapp_name }}"
+        shortname: state_infeos
+        db_name: swstateinfeos
+        db_user: swstateinfeos
+        db_password: "{{ vault_state_infeos_net_db_password }}"
+        php_version: "8.3"
+    - debug:
+    - name: create web application for {{ webapp_name }}
+      include_tasks: ../tasks/t_webapp_create.yaml
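Review bot: The `- debug:` task has no arguments and only prints the module's default message on every run; remove it or give it a `msg`. The play hard-codes one site (`state.infeos.net`, its database and `vault_state_infeos_net_db_password`) although it sits in `playbooks.templates` and is linked into every new project, so it is an example rather than a template; a leading comment saying so, ideally with a loop over the `webapps_list` that webapp_import.yaml's header mentions, would fit the rest of the directory better. It also loads `../var/vault_webapps.yaml`, which this commit's `templates/var` does not provide, so a freshly created project fails at `vars_files` until that vault is added; worth a line in the header.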
diff --git a/playbooks.templates/i_99_test.yaml b/playbooks.templates/i_99_test.yaml
new file mode 100644 (file)
index 0000000..ec4552f
--- /dev/null
@@ -0,0 +1,24 @@
+---
+- name: Install and configure with letsencrypt
+  hosts: all
+  become: yes
+
+  vars:
+    user: www-data
+    hostname: "{{ inventory_hostname }}"
+    log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}"
+    webapp_name: myapp5.example.com
+  vars_files:
+    - ../var/webapps.yaml
+  tasks:
+    - name: Test Dateiänderung
+      copy:
+        content: |
+          Line 1
+          Line 2
+          Line 3 added
+        dest: /tmp/wk.yaml
+    - set_fact:
+        target_file: "/home/tmp/xxx.yyy"
+    - debug: 
+        msg: "{{ '/tmp/' + (target_file | basename) }}"
\ No newline at end of file
diff --git a/playbooks.templates/lets_create.yaml b/playbooks.templates/lets_create.yaml
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/playbooks.templates/mysql_create_admin.yaml b/playbooks.templates/mysql_create_admin.yaml
new file mode 100644 (file)
index 0000000..057c9da
--- /dev/null
@@ -0,0 +1,10 @@
+---
+# Creates the MySQL administrator
+# needed facts (variables): None
+- hosts: all
+  vars_files:
+    - ../var/vault_db.yaml
+    - ../var/db.yaml
+  tasks:
+    - name: Create the database adminstrator {{dba_name}}
+      import_tasks : ../tasks/t_mysql_create_admin.yaml
diff --git a/playbooks.templates/mysql_create_db_and_user.yaml b/playbooks.templates/mysql_create_db_and_user.yaml
new file mode 100644 (file)
index 0000000..f4dbd56
--- /dev/null
@@ -0,0 +1,13 @@
+---
+# Creates a MySQL database and user
+# needed facts (variables) from commandline (e.g. -e db_name=webapp):
+# db_name: name of the database
+# db_user: name of the database user
+# db_password: password of the database user
+- hosts: all
+  vars_files:
+    - ../var/vault_db.yaml
+    - ../var/db.yaml
+  tasks:
+    - name: Create the database adminstrator {{dba_name}}
+      import_tasks : ../tasks/t_mysql_db_and_user.yaml
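Review bot: `import_tasks : ../tasks/t_mysql_db_and_user.yaml` points to a file that does not exist; the task file this commit adds is `tasks.templates/t_mysql_create_db_and_user.yaml`, linked as `tasks/t_mysql_create_db_and_user.yaml`, so the play fails at parse time. The task name `Create the database adminstrator {{dba_name}}` was copied from mysql_create_admin.yaml and should read `Create the database {{ db_name }} and user {{ db_user }}`. The header documents `db_name`, `db_user` and `db_password` as required but, unlike the other playbooks in this commit, there is no `fail` pre-requisite task; add one with `when: db_name is not defined or db_user is not defined or db_password is not defined`.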
diff --git a/playbooks.templates/nginx_create_site.yaml b/playbooks.templates/nginx_create_site.yaml
new file mode 100644 (file)
index 0000000..c293640
--- /dev/null
@@ -0,0 +1,22 @@
+---
+# Creates the NGINX configuration file for a PHP site
+# needed facts (variables) from commandline (e.g. -e domain=example.com -e force=true):
+# domain: the site domain name
+# optional facts:
+# document_root: the document root of the site without path, e.g. example.com. Default: domain
+# shortname: the short name of the site. Used for log file names
+# php_version: the PHP version to use. Default: 8.3
+# force: if true, the site will be created even if it already exists. Default: false
+- hosts: all
+  vars_files:
+    - ../var/common.yaml
+    - ../var/ssl-certificate.yaml
+  tasks:
+    - name: Check pre-requisites
+      fail: msg="The variable 'domain' must be defined and not empty."
+      when: domain is not defined or domain == ""
+    - name: create certificate for {{ domain }}
+      import_tasks: ../tasks/t_ssl_create_certificate.yaml
+    - name: Create the NGINX configuration for  {{domain}}
+      import_tasks: ../tasks/t_nginx_create_site.yaml
+
diff --git a/playbooks.templates/ssl_create_certificate.yaml b/playbooks.templates/ssl_create_certificate.yaml
new file mode 100644 (file)
index 0000000..d6017ab
--- /dev/null
@@ -0,0 +1,14 @@
+---
+# Creates a X509 certificate for a domain, needed for a letsencrypt certificate.
+# needed facts (variables) from the commandline: (e.g. ansible-playbook -e "domain=example.com")
+# - domain: the domain name for the certificate
+- hosts: all
+  vars_files:
+    - ../var/common.yaml
+    - ../var/ssl-certificate.yaml
+  tasks:
+  - name: test pre-requisites
+    fail: msg="missing fact! domain. Use -e domain=..."
+    when: domain is not defined
+  - name: Creates a X509 certificate for {{domain}}
+    import_tasks : ../tasks/t_ssl_create_certificate.yaml
diff --git a/playbooks.templates/webapp_backup.yaml b/playbooks.templates/webapp_backup.yaml
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/playbooks.templates/webapp_create.yaml b/playbooks.templates/webapp_create.yaml
new file mode 100644 (file)
index 0000000..b37352c
--- /dev/null
@@ -0,0 +1,19 @@
+---
+# Creates a database, a database user of a web application.
+# Stores the data in configuration files (remote and local)
+# needed facts (variables) from the command line: (e.g. -e webapp_name=webapp):
+# - webapp_name: name of the web application
+# - db_name: name of the database
+# - db_user: name of the databasded user
+# - db_password: password of the database user
+- hosts: all
+  vars_files:
+    - ../var/common.yaml
+    - ../var/vault_db.yaml
+    - ../var/db.yaml
+  tasks:
+    - name: test pre-requisites
+      fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..."
+      when: webapp_name is not defined or db_name is not defined or db_user is not defined or db_password is not defined
+    - name: create the web application
+      import_tasks : ../tasks/t_webapp_create.yaml
diff --git a/playbooks.templates/webapp_export.yaml b/playbooks.templates/webapp_export.yaml
new file mode 100644 (file)
index 0000000..05a8155
--- /dev/null
@@ -0,0 +1,19 @@
+---
+# Dumps a database of a web application.
+# needed facts (variables) from the command line:
+# - webapp_name: name of the web application
+# - target_file: name of the file where the database will be exported to. May be *.sql or *.sql.gz
+- hosts: all
+  vars:
+    fetch: false
+  vars_files:
+    - ../var/common.yaml
+    - ../var/vault_db.yaml
+    - ../var/db.yaml
+    - ../var/webapps.yaml
+  tasks:
+    - name: test pre-requisites
+      fail: msg="missing facts! webapp_name, target_file. Use -e webapp_name=..."
+      when: webapp_name is not defined or target_file is not defined
+    - name: create the web application
+      import_tasks : ../tasks/t_webapp_export.yaml
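Review bot: The task name `create the web application` was copied from webapp_create.yaml; the task imports `t_webapp_export.yaml`, so `export the database of {{ webapp_name }}` describes what it does. `fetch: false` is set in `vars` but not mentioned in the header that lists the play's inputs; add a header line stating what `fetch` controls and that it defaults to false.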
diff --git a/playbooks.templates/webapp_import.yaml b/playbooks.templates/webapp_import.yaml
new file mode 100644 (file)
index 0000000..fbfbdb6
--- /dev/null
@@ -0,0 +1,21 @@
+---
+# Loads a database dump into the database of a web application.
+# needed facts (variables) from the command line: (e.g. -e webapp_name=webapp)
+# - webapp_name: name of the web application
+# - target_file: name of the file where the database will be exported to. May be *.sql or *.sql.gz
+# - webapps_list: the list defined in ../var/webapps.yaml
+- hosts: all
+  vars:
+    backup: true
+    backup_file: "/tmp/{{ webapp_name }}.{{ now(fmt='%s') }}.sql.gz"
+  vars_files:
+    - ../var/common.yaml
+    - ../var/vault_db.yaml
+    - ../var/db.yaml
+    - ../var/webapps.yaml
+  tasks:
+    - name: test pre-requisites
+      fail: msg="missing facts! webapp_name, source_file. Use -e webapp_name=..."
+      when: webapp_name is not defined or source_file is not defined
+    - name: create the web application
+      import_tasks : ../tasks/t_webapp_import.yaml
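Review bot: The header lists `target_file` as an input, but the pre-requisite check `when: webapp_name is not defined or source_file is not defined` requires `source_file`; the comment should read `- source_file: the dump to load. May be *.sql or *.sql.gz`. The default `backup_file: "/tmp/{{ webapp_name }}.{{ now(fmt='%s') }}.sql.gz"` writes a full database dump, which typically holds credentials and user data, into the shared `/tmp` under a predictable name; a root-only location such as `/var/backups/{{ webapp_name }}/` keeps it out of reach of other local accounts. The task name `create the web application` is copied from webapp_create.yaml; `import the database of {{ webapp_name }}` describes the task.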
diff --git a/playbooks/create_project.yaml b/playbooks/create_project.yaml
new file mode 100644 (file)
index 0000000..3ac29f8
--- /dev/null
@@ -0,0 +1,92 @@
+---
+- hosts: localhost
+  become: yes
+  tasks:
+    - name: Check if project variable is defined
+      fail: 
+        msg: "The 'project' variable is not defined. -e project=your_project_name"
+      when: project is not defined
+    - name: Prepare base directory for {{ project }}
+      file: path=../../{{ project }} state=directory
+    - name: create sub directories for {{ project }}
+      file: path=../../{{ project }}/{{ item }} state=directory
+      with_items: [playbooks, tasks, var, scripts, templates, resources, roles]
+    - name: create the links into the resources directory
+      file:
+        src: "../../ansknife/resources/{{ item }}"
+        dest: "../resources/{{ item }}"
+        state: link
+      with_items: [needed.tgz, rsh.tgz]
+    - name: create the nginx link into the templates directory
+      file:
+        src: "../../ansknife/templates/nginx"
+        dest: "../templates/nginx"
+        state: link
+    - name: create the postfix link into the templates directory
+      file:
+        src: "../../ansknife/templates/postfix"
+        dest: "../templates/postfix"
+        state: link
+    - name: Prepare task facts
+      set_fact:
+        src_dir: '../templates/var'
+        dest_dir: "../../{{ project }}/var"
+        pattern: "*.yaml"
+    - name: Copy var.templates
+      import_tasks: ../tasks.templates/t_copy_wildcard.yaml
+    - name: Prepare facts for links in playbooks
+      set_fact:
+        src_dir: '../playbooks.templates'
+        src_relative: '../../ansknife/playbooks.templates'
+        dest_dir: "../../{{ project }}/playbooks"
+        pattern: "*.yaml"
+    - name: Create links in playbooks
+      import_tasks: ../tasks.templates/t_link_wildcard.yaml
+    - name: Prepare facts for links in tasks
+      set_fact:
+        src_dir: '../tasks.templates'
+        src_relative: '../../ansknife/tasks.templates'
+        dest_dir: "../../{{ project }}/tasks"
+        pattern: "*.yaml"
+    - name: Create links in tasks
+      import_tasks: ../tasks.templates/t_link_wildcard.yaml
+    - name: Prepare facts for links in scripts
+      set_fact:
+        src_dir: "../scripts.templates"
+        src_relative: '../../ansknife/scripts.templates'
+        dest_dir: "../../{{ project }}/scripts"
+        pattern: "*"
+    - name: Create links in scripts
+      import_tasks: ../tasks.templates/t_link_wildcard.yaml
+    - name: create a README file
+      copy:
+        dest: ../../{{ project }}/README.md
+        content: |
+          Project {{ project }}
+          This is the README file for the {{ project }} project.
+          # Description
+          This project defines the software of the server
+    - name: create a CHANGELOG file
+      copy:
+        dest: ../../{{ project }}/CHANGELOG.md
+        content: |
+          # V0.1.0
+          - Initial version
+    - name: create a the inventory (host definition)
+      copy:
+        dest: ../../{{ project }}/inventory
+        content: |
+          [hosts]
+          {{ project }}.example.com
+          [hosts:vars]
+          ansible_python_interpreter=/usr/bin/python3
+          ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+          ansible_user=ansadm
+          ansible_become=yes
+    - name: create a the ansible configuration file
+      copy:
+        dest: ../../{{ project }}/ansible.cfg
+        content: |
+          [defaults]
+          inventory = ./inventory
+
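Review bot: `become: yes` on the `localhost` play makes every generated file and link under `../../{{ project }}` root-owned, which is what forces the separate `./SetRights` step in the README; since the play only writes into the developer's workspace, dropping `become` removes both the privilege escalation and the need for the chown. `project` is only checked for being defined, yet it is spliced into paths such as `../../{{ project }}/var`; tighten the check to `when: project is not defined or project is not match('^[A-Za-z0-9_.-]+$')` so a stray slash or space cannot create directories outside the workspace.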
diff --git a/scripts.templates/AddPassword b/scripts.templates/AddPassword
new file mode 100755 (executable)
index 0000000..801b1a0
--- /dev/null
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+NAME=$1
+VALUE=$2
+PW_SAFE=resources/vaults.yaml
+function usage() {
+    echo "Usage: $0 NAME VALUE"
+    echo "Add a password to the keyring"
+    echo "  NAME: The name of the password"
+    echo "  VALUE: The value of the password"
+    echo "Example: $0 dba_password mysecret"
+    echo "+++ $*"
+}
+if [ -z "$VALUE" ]; then
+    Usage "missing VALUE"
+else
+  if [ ! -f "$PW_SAFE" ]; then
+    echo "= creating a password safe: $PW_SAFE"
+    ansible-vault create $PW_SAFE
+  fi
+  ansible-vault encrypt_string >$PW_SAFE "$VALUE" --name "$NAME" 
+fi
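Review bot: `Usage "missing VALUE"` calls a function that does not exist — the definition is `usage` with a lowercase u — so the error path ends in `Usage: command not found`. `ansible-vault encrypt_string >$PW_SAFE ...` truncates the vault file with `>`, so every call replaces the safe that `ansible-vault create` just made; `encrypt_string` also emits a YAML snippet rather than a vault file, so the intended operation looks like appending (`>>`) to a plain YAML file or editing the vault with `ansible-vault edit`. Taking the secret as the second command-line argument exposes it in `ps` output and the shell history; reading it from stdin avoids that, e.g. `ansible-vault encrypt_string --stdin-name "$NAME" >>"$PW_SAFE"` with the value typed or piped in. Quote `"$PW_SAFE"` in both ansible-vault calls.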
diff --git a/scripts.templates/CreatePlaybook b/scripts.templates/CreatePlaybook
new file mode 100755 (executable)
index 0000000..c5db41d
--- /dev/null
@@ -0,0 +1,14 @@
+#! /bin/bash
+NAME=$1
+DIR_KNIFE=../ansknife/playbooks.templates
+if [ -z "$NAME" ]; then
+  echo "Usage: CreatePlaybook NAME"
+  echo "Example: CreateTask db_create"
+  echo "+++ missing NAME"
+else
+  touch $DIR_KNIFE/$NAME.yaml
+  cd playbooks
+  ln -s ../$DIR_KNIFE/$NAME.yaml .
+  cd ..
+  ls -ld $DIR_KNIFE/$NAME.yaml
+fi
diff --git a/scripts.templates/CreateTask b/scripts.templates/CreateTask
new file mode 100755 (executable)
index 0000000..e1ac429
--- /dev/null
@@ -0,0 +1,14 @@
+#! /bin/bash
+NAME=$1
+DIR_KNIFE=../ansknife/tasks.templates
+if [ -z "$NAME" ]; then
+  echo "Usage: CreateTask NAME"
+  echo "Example: CreateTask db_create"
+  echo "+++ missing NAME"
+else
+  touch $DIR_KNIFE/$NAME.yaml
+  cd tasks
+  ln -s ../$DIR_KNIFE/$NAME.yaml .
+  cd ..
+  ls -ld $DIR_KNIFE/$NAME.yaml
+fi
diff --git a/scripts.templates/SetRights b/scripts.templates/SetRights
new file mode 100755 (executable)
index 0000000..b532e93
--- /dev/null
@@ -0,0 +1,4 @@
+#! /bin/bash
+chown -R ansadm:ansadm *
+chmod -R g+rw *
+
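Review bot: `chmod -R g+rw *` makes every file in the project group-writable, including files this commit treats as secrets (`resources/vaults.yaml` written by AddPassword, `var/webapps.yaml` carrying db passwords); on a host where group `ansadm` has more than one member that is considerably wider than the `0600` the remote `.conf` files get in t_webapp_create.yaml. The `*` glob also skips dot-entries such as the `resources/.vault` password file described in templates/var/db.yaml, so exactly the most sensitive file keeps whatever ownership and mode it had. Using `.` instead of `*` and `X` for directories, e.g. `chown -R ansadm:ansadm . && chmod -R g+rwX,o-rwx .`, would cover dot-files and keep others out; whether group write is needed at all depends on how the project is shared, which the diff does not show.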
diff --git a/tasks.templates/t_copy_wildcard.yaml b/tasks.templates/t_copy_wildcard.yaml
new file mode 100644 (file)
index 0000000..0fd64c7
--- /dev/null
@@ -0,0 +1,13 @@
+---
+# Copys files specified by a wildcard pattern from the source directory to the destination directory.
+# needed facts (variables):
+#   - src_dir: source directory
+#   - dest_dir: destination directory
+#   - pattern: wildcard pattern
+- name: Copy files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}}
+  copy:
+    src: "{{ item }}"
+    dest: "{{ dest_dir }}"
+  with_fileglob:
+      - "{{ src_dir }}/{{ pattern }}"
+
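Review bot: `dest: "{{ dest_dir }}"` has no trailing slash, so if the destination directory does not exist yet on the target the copy module writes each matched file to a regular file named `dest_dir` and the last glob match wins. Appending a slash, `dest: "{{ dest_dir }}/"`, tells the module that the destination is a directory and it is created when missing. The header comment has a typo (`Copys` → `Copies`) and could state that `with_fileglob` expands on the controller, so `src_dir` must be a controller-side path.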
diff --git a/tasks.templates/t_lets_create.yaml b/tasks.templates/t_lets_create.yaml
new file mode 100644 (file)
index 0000000..9aedf1a
--- /dev/null
@@ -0,0 +1,13 @@
+---
+# Creates a letsencrypt certificate for the given domain
+# needed facts (variables):
+#   - domain: the domain to create the certificate for
+#   - webmaster_email: the email address to use for the certificate
+- name: Check pre-requisites
+  fail: msg="The variable 'domain' must be defined and not empty."
+  when: domain is not defined or domain == ""
+- name: create a letsencrypt certificate for {{ domain }}
+  shell:
+    cmd: "certbot certonly -a webroot --webroot-path=/srv/www/letsencrypt -d {{ domain }} --email {{ webmaster_email }} --agree-tos --non-interactive"
+    args:
+      creates: "/etc/letsencrypt/live/{{ domain }}"
\ No newline at end of file
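Review bot: `args:` is nested inside the `shell:` mapping, so it is passed to the module as a parameter named `args`, which the shell module rejects as unsupported; `creates:` belongs directly beside `cmd:` under `shell:` (or `args:` must move to task level). Since the command uses no shell features, `command:` with the same `cmd:`/`creates:` keys would avoid word-splitting or metacharacter surprises from `{{ domain }}` and `{{ webmaster_email }}`, consistent with t_ssl_create_certificate.yaml in this commit. The pre-requisite check covers `domain` only although `webmaster_email` is equally required by the header comment.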
diff --git a/tasks.templates/t_link_wildcard.yaml b/tasks.templates/t_link_wildcard.yaml
new file mode 100644 (file)
index 0000000..d9e455a
--- /dev/null
@@ -0,0 +1,16 @@
+---
+# Copys files specified by a wildcard pattern from the source directory to the destination directory.
+# needed facts (variables):
+#   - src_dir: source directory
+#   - src_relative: source directory relative link target
+#   - dest_dir: destination directory
+#   - pattern: wildcard pattern
+- name: Link files matching {{ pattern }} from {{ src_dir }} to {{dest_dir}}
+  #command: ln -s {{ src_relative }}/{{ item | basename}} {{ dest_dir }}/{{ item | basename }}
+  file:
+    src: "{{ src_relative }}/{{ item | basename }}"
+    dest: "{{ dest_dir }}/{{ item | basename }}"
+    state: link
+  with_fileglob:
+    - "{{ src_dir }}/{{ pattern }}"
+
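Review bot: The header comment is copied from t_copy_wildcard.yaml and says `Copys files … to the destination directory` although this task creates symlinks; it should read `Links files matching a wildcard pattern from src_dir into dest_dir, pointing at src_relative`. The commented-out `command: ln -s …` line can go now that the `file` module is used. It would also help to note that `with_fileglob` expands on the controller, so `src_dir` is a controller path while `src_relative` and `dest_dir` refer to the managed host.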
diff --git a/tasks.templates/t_mysql_create_admin.yaml b/tasks.templates/t_mysql_create_admin.yaml
new file mode 100644 (file)
index 0000000..83d9cda
--- /dev/null
@@ -0,0 +1,10 @@
+# needed facts (variables):
+# dba_name: name of the database user with all privileges
+# dba_password: password of the database user with all privileges
+
+- name: Create the database adminstrator {{dba_name}}
+  community.mysql.mysql_user:
+    name: "{{ dba_name }}"
+    password: "{{ dba_password }}"
+    priv: "*.*:ALL,GRANT"
+    state: present
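Review bot: The task gives no `login_user`/`login_password`/`login_unix_socket`, so it presumably relies on the play running as root with socket authentication; the header should state that assumption, since t_mysql_create_db_and_user.yaml in the same commit passes explicit `login_*` values. The created account gets the module's default host `localhost`, which is worth documenting next to `dba_name` because remote administration will not work with it. The task name has a typo: `adminstrator` → `administrator`.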
diff --git a/tasks.templates/t_mysql_create_db_and_user.yaml b/tasks.templates/t_mysql_create_db_and_user.yaml
new file mode 100644 (file)
index 0000000..4129e01
--- /dev/null
@@ -0,0 +1,21 @@
+# needed facts:
+# db_name: name of the database
+# db_user: name of the database user
+# db_password: password of the database user
+# webapp_name: name of the web application
+# dba_name: name of the database user with all privileges
+# dba_password: password of the database user with all privileges
+- name: Create the database {{db_name}}
+  community.mysql.mysql_db:
+    name: "{{ db_name }}"
+    login_user: "{{ dba_name }}"
+    login_password: "{{ dba_password }}"
+    state: present
+- name: Create the database user {{db_user}}
+  community.mysql.mysql_user:
+    name: "{{ db_user }}"
+    password: "{{ db_password }}"
+    login_user: "{{ dba_name }}"
+    login_password: "{{ dba_password }}"
+    priv: "{{ db_name }}.*:ALL,GRANT"
+    state: present
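Review bot: `priv: "{{ db_name }}.*:ALL,GRANT"` hands the application user the GRANT OPTION, which lets a compromised web application create further accounts on its database; an application user normally needs `"{{ db_name }}.*:ALL"` only. `webapp_name` is listed under needed facts but is not used by either task. The login is done with `dba_name`/`dba_password` here while the sibling t_mysql_create_admin.yaml uses none, so the header should say which connection method is expected.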
diff --git a/tasks.templates/t_nginx_create_site.yaml b/tasks.templates/t_nginx_create_site.yaml
new file mode 100644 (file)
index 0000000..47efe7d
--- /dev/null
@@ -0,0 +1,43 @@
+---
+# Creates the nginx site configuration file (sites-available)
+# needed facts (variables):
+# domain: the site domain name
+# document_root: the document root of the site without path, e.g. example.com. Default: domain
+# shortname: the short name of the site. Used for log file names
+# force: if true, the site will be created even if it already exists. Default: false
+- name: Set default values for document_root
+  ansible.builtin.set_fact:
+    document_root: "{{ domain }}"
+  when: document_root is not defined
+- name: Set default values for shortname
+  ansible.builtin.set_fact:
+    shortname: "{{ domain }}"
+  when: name is not defined
+- name: Set default values for php_version
+  ansible.builtin.set_fact:
+    php_version: "8.3"
+  when: php_version is not defined
+- name: Set default values for force
+  ansible.builtin.set_fact:
+    force: 
+  when: force is not defined
+- name: check if configuration already exists
+  ansible.builtin.stat:
+    path: /etc/nginx/sites-available/{{ domain }}
+  register: site_config
+- name: abort if configuration already exists
+  ansible.builtin.fail:
+    msg: "The nginx site configuration file /etc/nginx/sites-available/{{ domain }} already exists. Please remove it first."
+  when: not force and site_config.stat.exists
+- name: Create nginx site configuration of {{ domain }}
+  ansible.builtin.template:
+    src: ../templates/nginx/site.php
+    dest: /etc/nginx/sites-available/{{ domain }}
+    owner: root
+    group: root
+    mode: '0644'
+- name: Create symlink to sites-enabled
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/{{ domain }}
+    dest: /etc/nginx/sites-enabled/{{ domain }}
+    state: link
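Review bot: The default for `shortname` is guarded by `when: name is not defined`, so it is applied whenever the unrelated variable `name` is undefined, which silently overwrites a caller-supplied `shortname`; it should be `when: shortname is not defined`. The `force` default is left empty (`force:` with no value), so it becomes null rather than the documented `false`, and `when: not force and site_config.stat.exists` treats a string passed via `-e force=false` as truthy; `force: false` plus `when: not (force | bool) and site_config.stat.exists` fixes both. `php_version` is defaulted here and used by templates/nginx/site.php but is missing from the header's list of variables.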
diff --git a/tasks.templates/t_ssl_create_certificate.yaml b/tasks.templates/t_ssl_create_certificate.yaml
new file mode 100644 (file)
index 0000000..da6eaa0
--- /dev/null
@@ -0,0 +1,13 @@
+# Creates a X509 certificate for a domain, needed for a letsencrypt certificate.
+# needed facts (variables):
+# - domain: the domain name for the certificate
+# - ssl_country: the country code for the certificate
+# - ssl_state: the state for the certificate
+# - ssl_locality: the locality for the certificate
+# - ssl_organization: the organization for the certificate
+# - ssl_lifetime: the lifetime of the certificate in days
+# - ssl_rsa_key_size: the size of the RSA key for the certificate
+- name: create a ssh-certificate
+  command: openssl req -x509 -nodes -days {{ssl_lifetime}} -newkey rsa:{{ssl_rsa_key_size}} -keyout /etc/ssl/private/{{domain}}.key -out /etc/ssl/certs/{{domain}}.pem -subj "/C={{ssl_country}}/ST={{ssl_state}}/L={{ssl_locality}}/O={{ssl_organization}}/CN={{domain}}"
+  args:
+    creates: /etc/ssl/private/{{domain}}.key
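Review bot: The task name `create a ssh-certificate` is misleading: `openssl req -x509` produces a self-signed X.509 TLS certificate and key, nothing related to SSH, so `create a self-signed X.509 certificate for {{ domain }}` would describe it. The header says the certificate is "needed for a letsencrypt certificate", which presumably means it serves as a bootstrap certificate until certbot has run; stating that explicitly would save the next reader guessing. `-nodes` is deprecated since OpenSSL 3.0 in favour of `-noenc`; both still work, so this is only worth a comment.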
diff --git a/tasks.templates/t_webapp_backup.yaml b/tasks.templates/t_webapp_backup.yaml
new file mode 100644 (file)
index 0000000..2760339
--- /dev/null
@@ -0,0 +1,25 @@
+# Create a backup of a web application:
+# - Dumps a database of a web application
+# - Syncronizes the directory with the web application with an local directory
+# needed facts:
+# webapp_name: name of the web application
+# webapp_backup_directory: a local directory which will be syncronized with the web application
+# webapps_list: the list defined in ../var/webapps.yaml
+# fetch: true: the file will be fetched to the local machine
+- set_fact:
+    db_name: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_name') | first }}"
+    db_user: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_user') | first }}"
+    db_password: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_password') | first }}"
+    document_root: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='directory') | first }}"
+    target_file: "{{ document_root }}/db/{{ webapp_name }}.sql.gz"
+- name: Dump the database {{ db_name }} into {{ document_root }}
+  import_tasks: t_webapp_export.yaml
+- name: Synchronize the web application {{ webapp_name }} with {{ webapp_backup_directory }}
+  ansible.posix.synchronize:
+    mode: push
+    src: "{{ document_root }}"
+    dest: "{{ webapp_backup_directory }}/{{ webapp_name }}"
+    rsync_opts:
+      - "--delete"
+      - "--exclude=.git"
+  
\ No newline at end of file
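Review bot: `target_file` is placed at `{{ document_root }}/db/{{ webapp_name }}.sql.gz`, i.e. inside the directory the nginx template in this commit serves as `root` with `location / { allow all; }`, so the full database dump becomes downloadable at a predictable URL. The dump should go to a directory outside the document root (or the nginx template needs a `location /db/ { deny all; }`), and the `--exclude=.git` rsync option shows the intent to keep non-content out of the backup anyway. `fetch` is listed as a needed fact and is evaluated by the imported t_webapp_export.yaml, so the play fails if a caller omits it; a default would be friendlier. The `document_root` fact is looked up from the `directory` attribute of `webapps_list`, which is worth mentioning in the header.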
diff --git a/tasks.templates/t_webapp_create.yaml b/tasks.templates/t_webapp_create.yaml
new file mode 100644 (file)
index 0000000..a76a6b4
--- /dev/null
@@ -0,0 +1,40 @@
+# Create a web application: database, db user, db password, configuration file (remote and local)
+# needed facts:
+# db_name: name of the database
+# db_user: name of the database user
+# db_password: password of the database user
+# webapp_name: name of the web application
+# dba_name: name of the database user with all privileges
+# dba_password: password of the database user with all privileges
+# remote_webapps_directory: the access data will be stored there, e.g. /etc/ansknife/webapp.d
+# local_webapps_directory: the access data will be stored there, e.g. ../webapp.d
+- name: 'check if the webapp is already defined'
+  stat:
+    path: "{{remote_webapps_directory}}/{{ webapp_name }}.yaml" 
+  register: webapp
+- name: 'stop if the webapp already defined'
+  fail: msg="webapp {{ webapp_name }} is already defined"
+  when: webapp.stat.exists
+- name: 'stop on missing facts'
+  fail: msg="missing facts! webapp_name, db_name, db_user, db_password. Use -e webapp_name=..., -e db_name=..., -e db_user=..., -e db_password=..."
+  when: webapp_name is not defined or db_name is not defined or db_user is not defined or db_password is not defined
+- name: Create the database {{db_name}} and db user {{db_user}}
+  import_tasks: ../tasks/t_mysql_create_db_and_user.yaml
+- name: Store data in remote configuration file
+  copy:
+    content: |
+      db_name={{ db_name }}
+      db_user={{ db_user }}
+      db_password={{ db_password }}
+      directory=/srv/www/{{ webapp_name }}
+      exclude_dirs=
+    dest: "{{remote_webapps_directory}}/{{ webapp_name }}.conf"
+    mode: 0600
+    owner: root
+    group: root
+- name: append it to the webapps list
+  ansible.builtin.lineinfile:
+    path: ../var/webapps.yaml
+    line: "  - webapp_name: '{{ webapp_name }}'\n    db_name: '{{ db_name }}'\n    db_user: '{{ db_user }}'\n    db_password: '{{ db_password }}'\n    directory: '/srv/www/{{ webapp_name }}'"
+    create: yes
+  delegate_to: localhost
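Review bot: The duplicate check stats `{{ webapp_name }}.yaml` but the configuration is written to `{{ webapp_name }}.conf`, so the "already defined" guard never fires and a rerun recreates the entry and appends a second block to `../var/webapps.yaml`; both paths should use the same suffix. The `stop on missing facts` task runs after the stat task that already references `webapp_name`, so an undefined name fails with a templating error instead of the intended message; moving the check to the top fixes the ordering. The remote file is protected with mode 0600, while the local `webapps.yaml` receives the same `db_password` in clear text with whatever umask applies; quoting the mode as `'0600'` is also the form the Ansible documentation recommends.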
diff --git a/tasks.templates/t_webapp_export.yaml b/tasks.templates/t_webapp_export.yaml
new file mode 100644 (file)
index 0000000..0f18699
--- /dev/null
@@ -0,0 +1,31 @@
+# Dumps a database of a web application into a file
+# needed facts:
+# webapp_name: name of the web application
+# target_file: the file where the database will be exported to. May be *.sql or *.sql.gz
+# webapps_list: the list defined in ../var/webapps.yaml
+# fetch: true: the file will be fetched to the local machine
+- set_fact:
+    db_name: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_name') | first }}"
+    db_user: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_user') | first }}"
+    db_password: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_password') | first }}"
+    compressed: "{{ target_file is regex('\\.sql\\.') }}"
+    remote_file: "{{ target_file }}"
+- set_fact:
+    remote_file: "{{ '/tmp/' + (target_file | basename) }}"
+  when: fetch | bool
+- name: Dump the database {{db_name}} to {{ target_file }}
+  community.mysql.mysql_db:
+    state: dump
+    name: "{{ db_name }}"
+    login_user: "{{ db_user }}"
+    login_password: "{{ db_password }}"
+    target: "{{ remote_file }}"
+    single_transaction: true
+    pipefail: "{{ compressed }}"
+- name: Fetch the database dump {{ target_file }} to local machine
+  fetch:
+    src: "{{ remote_file }}"
+    dest: "{{ target_file }}"
+    flat: true
+  when: fetch | bool
+
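Review bot: When `fetch` is true the dump is written to `/tmp/<basename>`, a predictable world-readable location on the managed host, and it is never removed after the fetch, so a full database export lingers where any local user can read it. Creating the file with `ansible.builtin.tempfile` (or a root-only directory) and adding a final `file: state=absent` task when `fetch | bool` would close that. The `compressed` regex `\.sql\.` works here but the copy in t_webapp_import.yaml uses a different pattern; keeping them identical avoids the two tasks disagreeing on what counts as compressed.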
diff --git a/tasks.templates/t_webapp_import.yaml b/tasks.templates/t_webapp_import.yaml
new file mode 100644 (file)
index 0000000..d3affff
--- /dev/null
@@ -0,0 +1,30 @@
+# Imports a database dump into the database of a web application
+# needed facts:
+# webapp_name: name of the web application
+# source_file: the database dump file. May be *.sql or *.sql.gz
+# backup: if true, the database will be dumped before importing
+# backup_file: the name of the backup file
+# webapps_list: the list defined in ../var/webapps.yaml
+- set_fact:
+    db_name: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_name') | first }}"
+    db_user: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_user') | first }}"
+    db_password: "{{ webapps_list | selectattr('webapp_name', 'equalto', webapp_name) | map(attribute='db_password') | first }}"
+    compressed: "{{ source_file is regex('\\.sql\\.$') }}"
+- name: Backup the current database {{db_name}} to {{ backup_file }}
+  community.mysql.mysql_db:
+    state: dump
+    name: "{{ db_name }}"
+    login_user: "{{ db_user }}"
+    login_password: "{{ db_password }}"
+    target: "{{ backup_file }}"
+    single_transaction: true
+    pipefail: "{{ compressed }}"
+  when: backup | bool
+- name: Import {{ source_file }} into {{db_name}}
+  community.mysql.mysql_db:
+    state: import
+    name: "{{ db_name }}"
+    login_user: "{{ db_user }}"
+    login_password: "{{ db_password }}"
+    target: "{{ source_file }}"
+
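Review bot: `compressed: "{{ source_file is regex('\\.sql\\.$') }}"` requires the file name to end with `.sql.`, so it is false for every real name including `dump.sql.gz`, and `pipefail` is then never enabled for compressed backups; the export task uses `'\\.sql\\.'` without the anchor and the same pattern should be used here. `backup | bool` and `backup_file` must both be provided by the caller; a `default(false)` on `backup` would make the import usable without a backup. The import task itself has no `when`, so if the backup dump fails the import is still attempted only because Ansible stops on the failed task, which is worth a one-line comment.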
diff --git a/templates/nginx/hi1.txt b/templates/nginx/hi1.txt
new file mode 100644 (file)
index 0000000..877acc4
--- /dev/null
@@ -0,0 +1 @@
+Hi 1!
diff --git a/templates/nginx/hi2.txt b/templates/nginx/hi2.txt
new file mode 100644 (file)
index 0000000..e42aa2a
--- /dev/null
@@ -0,0 +1 @@
+Hi 2!
diff --git a/templates/nginx/http.conf b/templates/nginx/http.conf
new file mode 100644 (file)
index 0000000..0eed601
--- /dev/null
@@ -0,0 +1,9 @@
+client_max_body_size 512M;
+## Detect when HTTPS is used
+map $scheme $fastcgi_https {
+    default off;
+    https on;
+}
+fastcgi_read_timeout 3600s;
+fastcgi_request_buffering off;
+error_log /var/log/nginx/error.log;
diff --git a/templates/nginx/index.html b/templates/nginx/index.html
new file mode 100644 (file)
index 0000000..0e0cbca
--- /dev/null
@@ -0,0 +1,5 @@
+<html>
+<body>
+<h1>Welcome to {{hostname}}!</h1>
+</body
+</html>
\ No newline at end of file
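Review bot: `</body` on the fourth line is missing its closing `>`, so the template produces malformed HTML; it should be `</body>`. A `<!DOCTYPE html>` line and a `<title>` would make the placeholder page valid as well.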
diff --git a/templates/nginx/index.php b/templates/nginx/index.php
new file mode 100644 (file)
index 0000000..bfd863b
--- /dev/null
@@ -0,0 +1,2 @@
+<?php
+phpinfo();
\ No newline at end of file
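Review bot: This template installs a page that runs `phpinfo()`, which discloses the PHP version, loaded extensions, file paths and environment variables to any visitor once the site is enabled. That is useful for a one-off check but should not be the default index of a freshly created site; a comment such as `// diagnostic page only — remove after verifying the PHP-FPM setup` would at least make the intent explicit, and the nginx template's `index index.html;` currently does not serve it by default, which is worth keeping.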
diff --git a/templates/nginx/letsencrypt.conf b/templates/nginx/letsencrypt.conf
new file mode 100644 (file)
index 0000000..67149c9
--- /dev/null
@@ -0,0 +1,11 @@
+location ^~ /.well-known/acme-challenge/ {
+    default_type "text/plain";
+    root /home/www/letsencrypt;
+}
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+
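Review bot: The ACME location serves `root /home/www/letsencrypt;` while t_lets_create.yaml in this commit runs certbot with `--webroot-path=/srv/www/letsencrypt`, so challenge files are written to a directory nginx never serves and every certificate request will fail the HTTP-01 validation. One of the two paths has to change; `/srv/www` is the tree used everywhere else in the templates. The comment block explaining the `= /.well-known/acme-challenge/` location is good and could be kept.
</gre_insert>

<gr_insert after="1359" cat="add_content" lang="nginx" orig="+}">
Review bot: The HTTP server block redirects with `return 301 https://hero$request_uri;`, a hard-coded host name, so every site generated from this template sends visitors to `hero` instead of the site itself; it should be `return 301 https://{{ domain }}$request_uri;` as test.site does with `{{hostname}}`. The `server_name {{ domain}}` line and the inconsistent indentation of the first server block are cosmetic but make the two blocks look different. `fastcgi_param HTTPS on;` is correct in the 443 block; the commented-out letsencrypt `ssl_certificate` lines suggest the intended switch-over after certbot runs, which a short comment could state.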
diff --git a/templates/nginx/site.php b/templates/nginx/site.php
new file mode 100644 (file)
index 0000000..a78ba9e
--- /dev/null
@@ -0,0 +1,56 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ domain }};
+    include snippets/letsencrypt.conf;
+    root /srv/www/{{ document_root }};
+    location / {
+      return 301 https://hero$request_uri;  # enforce https
+    }
+  }
+  
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ domain}};
+  access_log /var/log/nginx/a_{{ shortname }}.log;
+  error_log /var/log/nginx/e_{{ shortname }}.log;
+  
+  #ssl_certificate     /etc/letsencrypt/live/latest/fullchain.pem;
+  #ssl_certificate_key /etc/letsencrypt/live/latest/privkey.pem;
+  ssl_certificate /etc/ssl/certs/{{ domain }}.pem;
+  ssl_certificate_key /etc/ssl/private/{{ domain }}.key;
+  
+  # Path to the root of your installation
+  root /srv/www/{{ document_root }};
+  autoindex off;
+  client_max_body_size 1m; # set max upload size
+  fastcgi_buffers 64 4K;
+  
+  index index.html;
+  
+  location = /robots.txt {
+     allow all;
+     log_not_found off;
+     access_log off;
+  }
+  location / {
+    allow all;
+  }
+  # Optional: set long EXPIRES header on static assets
+  location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+    expires 30d;
+    # Optional: Don't log access to assets
+    access_log off;
+  }
+  location ~ ^(.+?\.php)(/.*)?$ {
+    try_files $1 = 404;
+  
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$1;
+    fastcgi_param PATH_INFO $2;
+    fastcgi_param HTTPS on;
+    fastcgi_pass unix:/run/php/php{{ php_version }}-fpm.sock;
+  }
+} 
diff --git a/templates/nginx/test.site b/templates/nginx/test.site
new file mode 100644 (file)
index 0000000..7e8c6e5
--- /dev/null
@@ -0,0 +1,57 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{hostname}} hamatoma.de;
+    include snippets/letsencrypt.conf;
+    server_name {{hostname}};
+    root /srv/www/{{hostname}};
+    location / {
+      return 301 https://{{hostname}}$request_uri;  # enforce https
+    }
+  }
+  
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{hostname}};
+  access_log /var/log/nginx/a_{{log_name}}.log;
+  error_log /var/log/nginx/e_{{log_name}}.log;
+  
+  #ssl_certificate     /etc/letsencrypt/live/latest/fullchain.pem;
+  #ssl_certificate_key /etc/letsencrypt/live/latest/privkey.pem;
+  ssl_certificate /etc/ssl/certs/{{hostname}}.pem;
+  ssl_certificate_key /etc/ssl/private/{{hostname}}.key;
+  
+  # Path to the root of your installation
+  root /home/www/{{hostname}};
+  autoindex off;
+  client_max_body_size 1m; # set max upload size
+  fastcgi_buffers 64 4K;
+  
+  index index.html;
+  
+  location = /robots.txt {
+     allow all;
+     log_not_found off;
+     access_log off;
+  }
+  location / {
+    allow all;
+  }
+  # Optional: set long EXPIRES header on static assets
+  location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+    expires 30d;
+    # Optional: Don't log access to assets
+    access_log off;
+  }
+  location ~ ^(.+?\.php)(/.*)?$ {
+    try_files $1 = 404;
+  
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$1;
+    fastcgi_param PATH_INFO $2;
+    fastcgi_param HTTPS on;
+    fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+  }
+} 
+  
\ No newline at end of file
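Review bot: `server_name` is declared twice in the HTTP block (once as `{{hostname}} hamatoma.de`, once as `{{hostname}}`), and the HTTPS block uses `root /home/www/{{hostname}};` while the HTTP block and site.php use `/srv/www`; if this file is a test fixture that is harmless, but the name `test.site` does not say so and it sits next to the real template. A one-line header comment stating its purpose, or removing the second `server_name` and aligning the root, would avoid it being copied by mistake. The PHP-FPM socket is pinned to `php8.3` here whereas site.php templates `{{ php_version }}`.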
diff --git a/templates/postfix/virtual b/templates/postfix/virtual
new file mode 100644 (file)
index 0000000..771d803
--- /dev/null
@@ -0,0 +1,6 @@
+root {{ postfix_receipient_email }}
+webmaster {{ postfix_receipient_email }}
+#ada ada@miller.com
+#all@example.com jonny@miller.com ada@miller.com
+#@example.com info@miller.com
+
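Review bot: The template references `postfix_receipient_email` but the variable defined in templates/var/postfix.yaml is `postfix_recipient_email`, so rendering this file fails with an undefined variable; the spelling should be `{{ postfix_recipient_email }}` on both lines. The commented-out example aliases are useful; a short heading comment saying the file is rendered into the postfix virtual map and needs `postmap` afterwards would complete it.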
diff --git a/templates/var/common.yaml b/templates/var/common.yaml
new file mode 100644 (file)
index 0000000..99858d1
--- /dev/null
@@ -0,0 +1,7 @@
+configuration_directory: /etc/ansknife
+remote_webapps_directory: "{{ configuration_directory }}/webapps.d"
+local_webapps_directory: "../webapps"
+webmaster_email: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}@hamatoma.de"
+systemd_journal_system_max_use: 200M
+systemd_journal_system_max_file_size: 50M
+
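Review bot: `webmaster_email` takes the first match of the unanchored `[0-9a-zA-Z_]+` against `inventory_hostname`, so a host named `web-01.example.org` yields `web@hamatoma.de`, and the domain part is hard-coded for one organisation in what is the common template. Making the domain a variable (e.g. `mail_domain`) and documenting the truncation, or using `regex_search('^[^.]+')`, would make the default predictable. `local_webapps_directory: "../webapps"` differs from the `../webapp.d` example in t_webapp_create.yaml's header.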
diff --git a/templates/var/db.yaml b/templates/var/db.yaml
new file mode 100644 (file)
index 0000000..e713d30
--- /dev/null
@@ -0,0 +1,8 @@
+---
+# Creation of the central password file:
+# echo "top_secret_password" > resources/.vaults
+# Creation of the encrypted vault file:
+# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'vault_dba_password' --stdin-name 'vault_dba_password' | tee var/vault_db.yaml
+# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault
+dba_name: dba
+dba_password: "{{ vault_dba_password }}"
\ No newline at end of file
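Review bot: The comments name the vault password file as `resources/.vaults` on one line and `resources/.vault` on the next two, while scripts.templates/AddPassword writes secrets to `resources/vaults.yaml`; a reader following these instructions ends up with files that do not match. Pick one name and use it in all three places. The `echo "top_secret_password" > resources/.vaults` example also leaves the password in shell history and creates the file with the default umask; `(umask 077; read -rs pw; printf '%s' "$pw" > resources/.vault)` or an explicit `chmod 600` afterwards is the safer recipe to document.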
diff --git a/templates/var/php.yaml b/templates/var/php.yaml
new file mode 100644 (file)
index 0000000..5bc552c
--- /dev/null
@@ -0,0 +1,44 @@
+---
+# php.yaml:
+# Defines variables for the PHP role.
+# This file is used to set up the PHP environment and configuration.
+# needed variables: PHP_VERS
+
+php_packages:
+  - php{{PHP_VERS}}-common
+  - php{{PHP_VERS}}-curl
+  - php{{PHP_VERS}}-fpm
+  - php{{PHP_VERS}}-gd
+  - php{{PHP_VERS}}-igbinary
+  - php{{PHP_VERS}}-imagick
+  - php{{PHP_VERS}}-imap
+  - php{{PHP_VERS}}-intl
+  - php{{PHP_VERS}}-mbstring
+  - php{{PHP_VERS}}-memcached
+  - php{{PHP_VERS}}-msgpack
+  - php{{PHP_VERS}}-mysql
+  - php{{PHP_VERS}}-opcache
+  - php{{PHP_VERS}}-phpdbg
+  - php{{PHP_VERS}}-readline
+  - php{{PHP_VERS}}-redis
+  - php{{PHP_VERS}}-xdebug
+  - php{{PHP_VERS}}-xml
+  - php{{PHP_VERS}}-zip
+php_additional_packages:
+  - redis-server
+  - imagemagick
+
+php_ini_settings:
+  - { section: "DEFAULT", option: "memory_limit", value: "512M" }
+  - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
+  - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
+  - { section: "DEFAULT", option: "post_max_size", value: "512M" }
+  - { section: "DEFAULT", option: "max_execution_time", value: 600 }
+  - { section: "DEFAULT", option: "max_input_time", value: 600 }
+  - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
+  - { section: "Session", option: "session.save_handler", value: "redis" }
+  - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
+  - { section: "opcache", option: "opcache.enable", value: 1 }
+  - { section: "opcache", option: "opcache.memory_consumption", value: 512 }
+  - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 }
+
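Review bot: `php{{PHP_VERS}}-xdebug` and `php{{PHP_VERS}}-phpdbg` are part of the default package list for what the other templates treat as production web servers; xdebug in particular slows PHP noticeably and, if its remote-connect mode is ever enabled, exposes a debugger. Moving the two into a separate `php_debug_packages` list that the playbook installs only on request would keep the default lean. The variable is named `PHP_VERS` here while t_nginx_create_site.yaml and site.php use `php_version`; one name for both avoids a mismatch between installed and configured versions.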
diff --git a/templates/var/postfix.yaml b/templates/var/postfix.yaml
new file mode 100644 (file)
index 0000000..a06f19c
--- /dev/null
@@ -0,0 +1,29 @@
+# postfix.yaml:
+# Defines variables for the postfix configuration.
+# Needed facts (variables):
+# - postfix_domain: The full qualified name of the postfix server.
+postfix_configuration:
+  - alias_database: "hash:/etc/aliases"
+  - alias_maps: "hash:/etc/aliases"
+  - append_dot_mydomain: no
+  - biff: no
+  - compatibility_level: 2
+  - inet_interfaces: all
+  - inet_protocols: all
+  - mailbox_size_limit: 0
+  - mydestination: $myhostname, {{ postfix_domain }}, ,localhost
+  - myhostname: "{{ postfix_domain }}"
+  - mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+  - myorigin: /etc/mailname
+  - readme_directory: no
+  - recipient_delimiter: +
+  - relayhost: ""
+  - smtpd_banner: $myhostname ESMTP $mail_name (Debian/GNU)
+  - smtpd_relay_restrictions: permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+  - smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+  - smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+  - smtpd_tls_security_level: may
+  - smtp_tls_CApath: /etc/ssl/certs
+  - smtp_tls_security_level: may
+  - smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+postfix_recipient_email: jonny@example.com
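Review bot: `mydestination: $myhostname, {{ postfix_domain }}, ,localhost` contains an empty element between two commas, which should be removed. `smtpd_tls_cert_file`/`smtpd_tls_key_file` point at the Debian snakeoil certificate even though the same commit generates `/etc/ssl/certs/{{domain}}.pem` and a key; presumably the real certificate is meant to be used once it exists, and a comment saying so (or templating `{{ postfix_domain }}` into the paths) would prevent the self-signed default from staying in place. `inet_interfaces: all` together with `smtpd_relay_restrictions … defer_unauth_destination` is not an open relay, but since the server listens publicly a note that inbound TLS is only `may` helps the reader judge the exposure.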
diff --git a/templates/var/ssl-certificate.yaml b/templates/var/ssl-certificate.yaml
new file mode 100644 (file)
index 0000000..cdef775
--- /dev/null
@@ -0,0 +1,9 @@
+---
+# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
+ssl_country: DE
+ssl_state: Bavaria
+ssl_locality: Kempten
+ssl_organization: 'Gemeinwohl-Gesellschaft e.V.'
+ssl_lifetime: 365
+ssl_rsa_key_size: 2048
+
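Review bot: The comment shows `/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}` but the values below are Bavaria, Kempten and a different organisation, and the consuming task uses `{{domain}}` rather than `{{hostname}}` as CN; updating the comment to the actual subject string (or dropping it) avoids misleading the next editor. A note that `ssl_lifetime` is in days and `ssl_rsa_key_size` in bits would match the header style of the task files.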
diff --git a/templates/var/vault_db.yaml b/templates/var/vault_db.yaml
new file mode 100644 (file)
index 0000000..5241a79
--- /dev/null
@@ -0,0 +1 @@
+vault_dba_password: TopSecret
\ No newline at end of file
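Review bot: `vault_dba_password: TopSecret` stores the value in clear text in a file whose name and the instructions in templates/var/db.yaml say it should hold `ansible-vault encrypt_string` output; as a template that is copied into every new project it invites the placeholder, or a real password typed over it, being committed unencrypted. A clearly marked placeholder plus a comment such as `# placeholder — replace this file with the output of: ansible-vault encrypt_string --vault-password-file resources/.vault --name vault_dba_password` would make the expectation explicit; whether generated copies are ignored by git cannot be seen from this diff.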
diff --git a/templates/var/webapps.yaml b/templates/var/webapps.yaml
new file mode 100644 (file)
index 0000000..4825c48
--- /dev/null
@@ -0,0 +1,6 @@
+webapps_list:
+  - dummy
+    db_name: dbdummy5
+    db_user: dummy5
+    db_password: NeverKnown5
+    directory: /srv/www/myapp5.example.com
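Review bot: The first list item is the bare scalar `- dummy` followed by indented `key: value` lines, which YAML does not accept (a mapping cannot continue a plain scalar), so loading this file fails; it should be `- webapp_name: dummy` so that the entry matches the shape t_webapp_create.yaml appends with `lineinfile` and the `selectattr('webapp_name', 'equalto', …)` lookups in the export/import tasks. Like the generated entries, the template keeps `db_password` in clear text next to the other attributes; a comment pointing to the vault mechanism documented in templates/var/db.yaml would tell users how to avoid that.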