--- /dev/null
+# Change log of
--- /dev/null
+# Project
+## Description
+Ansible-Definition des Servers der Gemeinwohlgesellschaft namens 'nest'.
--- /dev/null
+[defaults]
+inventory = ./inventory
+
--- /dev/null
+# Protokoll des Ansible Projekt mit Zielserver "nest"
+
+## Standardbenutzer
+Wir verwenden sowohl im Kontrollsystem als auch auf dem Zielsystem den User ansadm mit Id 260.
+
+Einrichten von ansadm auf dem Kontrollsystem:
+```
+adduser --firstuid=260 --firstgid=260 ansadm
+sudo -u ansadm ssh-keygen
+sudo -u ansadm ssh-keyscan -t rsa nest >>~/.ssh/known_hosts
+```
+## Der Nest Server (VM)
+- Als Standardbenutzer verwenden wir einen beliebigen Benutzer.
+- Wir brauchen eine VM (zum Test), die folgende Festplattenkonfiguration hat:
+```
+/dev/sda1 2048 206847 204800 100M EFI System
+/dev/sda2 206848 1258596351 124999680 59,6G Linux filesystem
+```
+sda2 ist ein Btrfs-Dateisystem.
+
+Als Software brauchen wir nur:<br>
+[x] SSH-Server<br>
+[x] Standard-Systemwerkzeuge<br>
+'''Wichtig''': keinen Desktop!
+- Basiseinrichtung:
+```
+apt install ansible sudo wget rsync
+adduser --firstuid=260 --firstgid=260 ansadm
+```
+- Einrichten von /etc/sudoers:
+```
+ansadm ALL=NOPASSWD: ALL
+```
+## Das Inventory
+```
+cd ansible
+mkdir nest
+cat <<EOS >ansible.cfg
+[defaults]
+inventory = ./inventory
+EOS
+cat <<EOS >./inventory
+[hosts]
+nest
+[hosts:vars]
+ansible_python_interpreter=/usr/bin/python3
+# nur für Testsysteme
+#ansible_ssh_common_args='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+ansible_user=ansadm
+ansible_become=yes
+EOS
+# Test, ob sudo auf dem Ziel funktioniert:
+ansible all -a "head -1 /etc/shadow"
+```
+## PHP mittels ansible-galaxy einrichten
+```
+ansible-galaxy role install <namespace>.<module>
+```
+# Kommandozeilentipps:
+```
+# Verzeichnis anlegen:
+ansible all -m file -a "dest=/media/trg state=directory"
+# Paket installieren:
+ansible all -m package -a "name=htop"
+# Datei hochladen:
+ansible all -m copy -a "src=myfile dest=/tmp/myfile"
+```
--- /dev/null
+[hosts]
+nest
+[hosts:vars]
+ansible_python_interpreter=/usr/bin/python3
+ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+ansible_user=ansadm
+ansible_become=yes
\ No newline at end of file
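Review bot: The `ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` line under `[hosts:vars]` disables SSH host-key verification for every run of this inventory, whereas the project's own protocol document keeps the same setting commented out and marks it "nur für Testsysteme". Combined with `ansible_become=yes`, a host answering as `nest` that is not the real server would receive the control node's privileged sessions without any warning. Comment the line out as in the document, or move it into a separate inventory used only for throw-away test VMs: `#ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`. The `ssh-keyscan` step from the setup notes already provides the known_hosts entry that normal checking relies on.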
--- /dev/null
+---
+
+- hosts: all
+ vars:
+ hostname: "nest"
+ tasks:
+ - name: Prepare /media/trg directory
+ file: path=/media/trg state=directory
+ - name: Prepare /media/tmp directory
+ file: path=/media/trg state=directory
+ - name: Prepare /media/fs.cave directory
+ file: path=/media/fs.cave state=directory
+ - name: Prepare /media/fs.sys directory
+ file: path=/media/fs.sys state=directory
+ - name: Prepare /usr/local/bin directory
+ file: path=/usr/local/bin state=directory
+ - name: Prepare /usr/local/bin/local directory
+ file: path=/usr/local/bin/local state=directory
+ - name: Prepare /usr/share/pyrshell directory
+ file: path=/usr/share/pyrshell state=directory
+ - name: Symbolic link to local directory
+ file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link
+ - name: Unpack a tar into /usr/local/bin/local
+ unarchive: src=../resources/needed.tgz dest=/usr/local/bin
+ - name: Symbolic link to /p
+ file: src=/usr/local/bin/std.profile dest=/p state=link
+ - name: Unpack a tar into /usr/share/pyrshell
+ unarchive: src=../resources/rsh.tgz dest=/usr/share/pyrshell
+ - name: Create user bupsrv
+ user: name=bupsrv state=present uid=201
+ - name: Create user bupsupply
+ user: name=bupsupply state=present uid=202
+ - name: Create user bupwiki
+ user: name=bupwiki state=present uid=203
+ - name: Create user buptmp
+ user: name=buptmp state=present uid=204
+ - name: Create user extdata
+ user: name=extdata state=present uid=211
+ - name: Create user extcloud
+ user: name=extcloud state=present uid=212
+ - name: Create user extbup
+ user: name=extbup state=present uid=213
+
\ No newline at end of file
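Review bot: The task `Prepare /media/tmp directory` uses `file: path=/media/trg state=directory`, the same path as the task directly above it, so /media/tmp is never created; it should read `file: path=/media/tmp state=directory`. The task `Unpack a tar into /usr/local/bin/local` extracts into `dest=/usr/local/bin`; that only matches its name if the archive itself carries a top-level `local/` entry, which cannot be seen here, so please confirm. The directory tasks set no `owner`/`group`/`mode`, so the created directories take whatever umask the become user has; stating them explicitly makes the result reproducible across hosts.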
--- /dev/null
+---
+- name: Install and configure with letsencrypt
+ hosts: all
+ become: yes
+
+ vars:
+ user: www-data
+
+ tasks:
+ - name: Install nginx
+ apt:
+ name: nginx
+ state: latest
+ update_cache: yes
+ - name: Prepare letsencrypt home directory
+ file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory
+ - name: Add test file1
+ copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/
+ - name: Add test file2
+ copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt
+ - name: Prepare letsencrypt
+ copy:
+ src: ../templates/nginx/letsencrypt.conf
+ dest: /etc/nginx/snippets
+ - name: add HTTP-variables
+ copy:
+ src: ../templates/nginx/http.conf
+ dest: /etc/nginx/snippets
+ - name: create a www directory
+ file: path=/home/www state=directory owner=root group=www-data
+
+ - name: create the /srv/www link
+ file: src=/home/www dest=/srv/www state=link
+ - name: Ensure nginx is running
+ systemd:
+ name: nginx
+ state: started
+ enabled: yes
+
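Review bot: The two `copy` tasks that place `letsencrypt.conf` and `http.conf` into /etc/nginx/snippets have no `notify`, and the final systemd task only ensures `started`, so on a host where nginx is already running a changed snippet is never loaded. Adding a `Reload nginx` handler and notifying it from both copy tasks fixes that; whether the snippets are actually included by a server block is decided outside this diff. `state: latest` on the apt task also upgrades nginx on every run, which makes the play non-idempotent; `state: present` is the usual choice, and the `vars: user: www-data` entry is not referenced anywhere in the play.
```yaml
    - name: Prepare letsencrypt
      copy:
        src: ../templates/nginx/letsencrypt.conf
        dest: /etc/nginx/snippets
      notify: Reload nginx
    - name: add HTTP-variables
      copy:
        src: ../templates/nginx/http.conf
        dest: /etc/nginx/snippets
      notify: Reload nginx
    # … unchanged: www directory, /srv/www link, Ensure nginx is running …
  handlers:
    - name: Reload nginx
      systemd:
        name: nginx
        state: reloaded
```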
--- /dev/null
+- hosts: all
+ vars:
+ - PHP_VERS: "8.3"
+
+ tasks:
+ - name: Install mariadb
+ ansible.builtin.apt:
+ name:
+ - mariadb-server
+ state: latest
+ update_cache: yes
+ - name: Ensure mariadb is running
+ ansible.builtin.systemd:
+ name: mysqld
+ state: started
+ enabled: yes
\ No newline at end of file
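Review bot: `vars:` is written as a list (`- PHP_VERS: "8.3"`) instead of a mapping; recent ansible-core releases accept the list form only with a deprecation warning, and the variable is not used in this play at all, so either drop `vars:` or write it as `vars:` followed by `  PHP_VERS: "8.3"`. The same list-form `vars:` appears at the top of the PHP playbook. The systemd task targets `name: mysqld`; on Debian the unit shipped by mariadb-server is `mariadb.service` and `mysqld` only resolves through an alias symlink, so `name: mariadb` is the robust choice. `state: latest` upgrades the server package on every run; `state: present` keeps the play idempotent.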
--- /dev/null
+- hosts: all
+ vars:
+ - PHP_VERS: "8.3"
+
+ pre_tasks:
+ - name: add packages.sury.org (Debian case)
+ block:
+ - name: add gpg repo key
+ apt_key:
+ url: 'https://packages.sury.org/php/apt.gpg'
+ state: present
+
+ - name: add apt repo
+ apt_repository:
+ repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
+ state: present
+ filename: php
+ when: ansible_distribution == 'Debian'
+ tasks:
+ - name: Install PHP 8.3 and common modules
+ ansible.builtin.apt:
+ name:
+ - php{{PHP_VERS}}
+ - php{{PHP_VERS}}-cli
+ - php{{PHP_VERS}}-common
+ - php{{PHP_VERS}}-curl
+ - php{{PHP_VERS}}-fpm
+ - php{{PHP_VERS}}-gd
+ - php{{PHP_VERS}}-igbinary
+ - php{{PHP_VERS}}-imagick
+ - php{{PHP_VERS}}-imap
+ - php{{PHP_VERS}}-intl
+ - php{{PHP_VERS}}-mbstring
+ - php{{PHP_VERS}}-memcached
+ - php{{PHP_VERS}}-msgpack
+ - php{{PHP_VERS}}-mysql
+ - php{{PHP_VERS}}-opcache
+ - php{{PHP_VERS}}-phpdbg
+ - php{{PHP_VERS}}-readline
+ - php{{PHP_VERS}}-redis
+ - php{{PHP_VERS}}-xdebug
+ - php{{PHP_VERS}}-xml
+ - php{{PHP_VERS}}-zip
+ - redis-server
+ - imagemagick
+ state: present
+ update_cache: yes
+ - name: Define PHP variables in php.ini
+ ansible.builtin.ini_file:
+ dest: /etc/php/{{PHP_VERS}}/fpm/php.ini
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { section: "DEFAULT", option: "memory_limit", value: 512M }
+ - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
+ - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
+ - { section: "DEFAULT", option: "post_max_size", value: "512M" }
+ - { section: "DEFAULT", option: "max_execution_time", value: 600 }
+ - { section: "DEFAULT", option: "max_input_time", value: 600 }
+ - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
+ - { section: "Session", option: "session.save_handler", value: "redis" }
+ - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
+ - { section: "opcache", option: "opcache.enable", value: 1 }
+ - { section: "opcache", option: "opcache.memory_consumption", value: 1024 }
+ - { section: "opcache", option: "opcache.interned_strings_buffer", value: 512 }
+ - name: Ensure PHP-FPM is running
+ ansible.builtin.systemd:
+ name: php{{PHP_VERS}}-fpm
+ state: started
+ enabled: yes
+ - name: Ensure Redis is running
+ ansible.builtin.systemd:
+ name: redis-server
+ state: started
+ enabled: yes
\ No newline at end of file
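Review bot: The `add gpg repo key` task uses `apt_key`, which stores the sury.org key in the global apt trust store so it can sign any repository on the host, and apt-key itself is deprecated on Debian. Downloading the key into /etc/apt/keyrings with `get_url` and referencing it via `[signed-by=…]` in the `apt_repository` line scopes trust to that one repository; if the downloaded file turns out to be ASCII-armored rather than a binary keyring it needs dearmoring first, which cannot be told from this hunk. The keyring path below is a chosen name, adjust as you like. Separately, `php{{PHP_VERS}}-xdebug` and `php{{PHP_VERS}}-phpdbg` are debugging tools; if this play targets the server rather than a developer box, leaving them out reduces overhead and exposed surface.
```yaml
  pre_tasks:
    - name: add packages.sury.org (Debian case)
      block:
        - name: ensure apt keyring directory exists
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            mode: '0755'
        - name: add gpg repo key
          ansible.builtin.get_url:
            url: 'https://packages.sury.org/php/apt.gpg'
            dest: /etc/apt/keyrings/sury-php.gpg
            mode: '0644'
        - name: add apt repo
          ansible.builtin.apt_repository:
            repo: 'deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
            state: present
            filename: php
      when: ansible_distribution == 'Debian'
  # … unchanged: tasks (package install, php.ini settings, services) …
```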
--- /dev/null
+../../common/resources/needed.tgz
\ No newline at end of file
--- /dev/null
+../../common/resources/rsh.tgz
\ No newline at end of file
--- /dev/null
+client_max_body_size 512M;
+## Detect when HTTPS is used
+map $scheme $fastcgi_https {
+ default off;
+ https on;
+}
+fastcgi_read_timeout 3600s;
+fastcgi_request_buffering off;
+error_log /var/log/nginx/error.log;
--- /dev/null
+location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /home/www/letsencrypt;
+}
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+}
+