From a674689dcb197cdb4485b2660218bf0de2f98784 Mon Sep 17 00:00:00 2001 From: Hamatoma Date: Thu, 6 Mar 2025 15:27:03 +0100 Subject: [PATCH 1/1] Initial commit --- .gitignore | 1 + CHANGELOG.md | 1 + README.md | 3 ++ ansible.cfg | 3 ++ docu/creation.md | 67 ++++++++++++++++++++++++++++ inventory | 7 +++ playbooks/i_1_basic.yaml | 43 ++++++++++++++++++ playbooks/i_2_nginx.yaml | 39 ++++++++++++++++ playbooks/i_3_mariadb.yaml | 16 +++++++ playbooks/i_4_php8.3.yaml | 76 ++++++++++++++++++++++++++++++++ resources/needed.tgz | 1 + resources/rsh.tgz | 1 + templates/nginx/hi1.txt | 1 + templates/nginx/hi2.txt | 1 + templates/nginx/http.conf | 9 ++++ templates/nginx/letsencrypt.conf | 11 +++++ 16 files changed, 280 insertions(+) create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 docu/creation.md create mode 100644 inventory create mode 100644 playbooks/i_1_basic.yaml create mode 100644 playbooks/i_2_nginx.yaml create mode 100644 playbooks/i_3_mariadb.yaml create mode 100644 playbooks/i_4_php8.3.yaml create mode 120000 resources/needed.tgz create mode 120000 resources/rsh.tgz create mode 100644 templates/nginx/hi1.txt create mode 100644 templates/nginx/hi2.txt create mode 100644 templates/nginx/http.conf create mode 100644 templates/nginx/letsencrypt.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..722d5e7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..51ee0d2 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1 @@ +# Change log of diff --git a/README.md b/README.md new file mode 100644 index 0000000..16d7e66 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# Project +## Description +Ansible-Definition des Servers der Gemeinwohlgesellschaft namens 'nest'. diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..930e818 --- /dev/null +++ b/ansible.cfg 
@@ -0,0 +1,3 @@ +[defaults] +inventory = ./inventory + diff --git a/docu/creation.md b/docu/creation.md new file mode 100644 index 0000000..7b4cefd --- /dev/null +++ b/docu/creation.md @@ -0,0 +1,67 @@ +# Protokoll des Ansible Projekt mit Zielserver "nest" + +## Standardbenutzer +Wir verwenden sowohl im Kontrollsystem als auch auf dem Zielsystem den User ansadm mit Id 260. + +Einrichten von ansadm auf dem Kontrollsystem: +``` +adduser --firstuid=260 --firstgid=260 ansadm +sudo -u ansadm ssh-keygen +sudo -u ansadm ssh-keyscan -t rsa nest >>~/.ssh/known_hosts +``` +## Der Nest Server (VM) +- Als Standardbenutzer verwenden wir einen beliebigen Benutzer. +- Wir brauchen eine VM (zum Test), die folgende Festplattenkonfiguration hat: +``` +/dev/sda1 2048 206847 204800 100M EFI System +/dev/sda2 206848 1258596351 124999680 59,6G Linux filesystem +``` +sda2 ist ein Btrfs-Dateisystem. + +Als Software brauchen wir nur:
+[x] SSH-Server
+[x] Standard-Systemwerkzeuge
+'''Wichtig''': keinen Desktop! +- Basiseinrichtung: +``` +apt install ansible sudo wget rsync +adduser --firstuid=260 --firstgid=260 ansadm +``` +- Einrichten von /etc/sudoers: +``` +ansadm ALL=NOPASSWD: ALL +``` +## Das Inventory +``` +cd ansible +mkdir nest +cat <ansible.cfg +[defaults] +inventory = ./inventory +EOS +cat <./inventory +[hosts] +nest +[hosts:vars] +ansible_python_interpreter=/usr/bin/python3 +# nur für Testsysteme +#ansible_ssh_common_args='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' +ansible_user=ansadm +ansible_become=yes +EOS +# Test, ob sudo auf dem Ziel funktioniert: +ansible all -a "head -1 /etc/shadow" +``` +## PHP mittels ansible-galaxy einrichten +``` +ansible-galaxy role install . +``` +# Kommandozeilentipps: +``` +# Verzeichnis anlegen: +ansible all -m file -a "dest=/media/trg state=directory" +# Paket installieren: +ansible all -m package -a "name=htop" +# Datei hochladen: +ansible all -m copy -a "src=myfile dest=/tmp/myfile" +``` diff --git a/inventory b/inventory new file mode 100644 index 0000000..ddaa9ed --- /dev/null +++ b/inventory @@ -0,0 +1,7 @@ +[hosts] +nest +[hosts:vars] +ansible_python_interpreter=/usr/bin/python3 +ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null +ansible_user=ansadm +ansible_become=yes \ No newline at end of file diff --git a/playbooks/i_1_basic.yaml b/playbooks/i_1_basic.yaml new file mode 100644 index 0000000..a5f64df --- /dev/null +++ b/playbooks/i_1_basic.yaml 
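Review bot: `ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` turns off SSH host-key verification for every run against `nest`, and with `ansible_become=yes` each run executes privileged tasks on whatever host answers at that name. `docu/creation.md` in this same commit marks the option as test-only and leaves it commented out, but the committed inventory enables it. Drop the line (the documented `ssh-keyscan` step already seeds `known_hosts`) or comment it as the documentation does: `#ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`. The file also ends without a trailing newline.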
@@ -0,0 +1,43 @@ +--- + +- hosts: all + vars: + hostname: "nest" + tasks: + - name: Prepare /media/trg directory + file: path=/media/trg state=directory + - name: Prepare /media/tmp directory + file: path=/media/trg state=directory + - name: Prepare /media/fs.cave directory + file: path=/media/fs.cave state=directory + - name: Prepare /media/fs.sys directory + file: path=/media/fs.sys state=directory + - name: Prepare /usr/local/bin directory + file: path=/usr/local/bin state=directory + - name: Prepare /usr/local/bin/local directory + file: path=/usr/local/bin/local state=directory + - name: Prepare /usr/share/pyrshell directory + file: path=/usr/share/pyrshell state=directory + - name: Symbolic link to local directory + file: src=/usr/local/bin/local dest=/usr/local/bin/{{hostname}} state=link + - name: Unpack a tar into /usr/local/bin/local + unarchive: src=../resources/needed.tgz dest=/usr/local/bin + - name: Symbolic link to /p + file: src=/usr/local/bin/std.profile dest=/p state=link + - name: Unpack a tar into /usr/share/pyrshell + unarchive: src=../resources/rsh.tgz dest=/usr/share/pyrshell + - name: Create user bupsrv + user: name=bupsrv state=present uid=201 + - name: Create user bupsupply + user: name=bupsupply state=present uid=202 + - name: Create user bupwiki + user: name=bupwiki state=present uid=203 + - name: Create user buptmp + user: name=buptmp state=present uid=204 + - name: Create user extdata + user: name=extdata state=present uid=211 + - name: Create user extcloud + user: name=extcloud state=present uid=212 + - name: Create user extbup + user: name=extbup state=present uid=213 + \ No newline at end of file diff --git a/playbooks/i_2_nginx.yaml b/playbooks/i_2_nginx.yaml new file mode 100644 index 0000000..1e1067c --- /dev/null +++ b/playbooks/i_2_nginx.yaml 
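Review bot: The task named `Prepare /media/tmp directory` creates `/media/trg` a second time (`file: path=/media/trg state=directory`), so `/media/tmp` is never created; change it to `file: path=/media/tmp state=directory`. The two `unarchive` tasks extract `../resources/needed.tgz` and `../resources/rsh.tgz` as root into `/usr/local/bin` and `/usr/share/pyrshell`, but this commit adds those paths only as symlinks (mode 120000) to `../../common/resources/…` outside the repository, so the archive contents cannot be reviewed here; consider recording the expected archive checksum beside the playbook and checking it (e.g. with `ansible.builtin.stat` and `checksum_algorithm`) before extraction. The name `Unpack a tar into /usr/local/bin/local` also disagrees with its `dest=/usr/local/bin`; presumably either the name or the destination is wrong.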
@@ -0,0 +1,39 @@ +--- +- name: Install and configure with letsencrypt + hosts: all + become: yes + + vars: + user: www-data + + tasks: + - name: Install nginx + apt: + name: nginx + state: latest + update_cache: yes + - name: Prepare letsencrypt home directory + file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory + - name: Add test file1 + copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/ + - name: Add test file2 + copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt + - name: Prepare letsencrypt + copy: + src: ../templates/nginx/letsencrypt.conf + dest: /etc/nginx/snippets + - name: add HTTP-variables + copy: + src: ../templates/nginx/http.conf + dest: /etc/nginx/snippets + - name: create a www directory + file: path=/home/www state=directory owner=root group=www-data + + - name: create the /srv/www link + file: src=/home/www dest=/srv/www state=link + - name: Ensure nginx is running + systemd: + name: nginx + state: started + enabled: yes + diff --git a/playbooks/i_3_mariadb.yaml b/playbooks/i_3_mariadb.yaml new file mode 100644 index 0000000..a5852e1 --- /dev/null +++ b/playbooks/i_3_mariadb.yaml @@ -0,0 +1,16 @@ +- hosts: all + vars: + - PHP_VERS: "8.3" + + tasks: + - name: Install mariadb + ansible.builtin.apt: + name: + - mariadb-server + state: latest + update_cache: yes + - name: Ensure mariadb is running + ansible.builtin.systemd: + name: mysqld + state: started + enabled: yes \ No newline at end of file diff --git a/playbooks/i_4_php8.3.yaml b/playbooks/i_4_php8.3.yaml new file mode 100644 index 0000000..d418d7a --- /dev/null +++ b/playbooks/i_4_php8.3.yaml 
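Review bot: `http.conf` and `letsencrypt.conf` are copied into `/etc/nginx/snippets`, but no task adds an `include snippets/letsencrypt.conf;` (or `include snippets/http.conf;`) to a server or http block, and the two snippet `copy` tasks carry no `notify`, so a changed snippet never triggers a reload; add a `reload nginx` handler and `notify: reload nginx` on both `copy` tasks. The `Add test file1` task places `hi1.txt` under `/home/www/letsencrypt/.well-known/` rather than `.well-known/acme-challenge/`, which is the only prefix letsencrypt.conf serves from that root, so it presumably cannot be fetched as a test. `vars: user: www-data` is never referenced in the play. `apt: state: latest` with `update_cache: yes` upgrades nginx on every run; `state: present` is the idempotent form.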
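Review bot: `vars` is written as a list (`- PHP_VERS: "8.3"`) and `PHP_VERS` is not used anywhere in this playbook, so the block looks like a leftover from `i_4_php8.3.yaml`; drop it, or write `vars:` as a mapping (`PHP_VERS: "8.3"`), since recent ansible-core releases warn about list-form `vars`, as far as I recall. The service is addressed as `mysqld` while the Debian package ships `mariadb.service`; `mysqld` resolves only through an alias the package creates, so `name: mariadb` is the more robust choice. `state: latest` together with `update_cache: yes` upgrades the database server on every run instead of converging on an installed version; `state: present` (as used for PHP in `i_4_php8.3.yaml`) is the idempotent form.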
@@ -0,0 +1,76 @@ +- hosts: all + vars: + - PHP_VERS: "8.3" + + pre_tasks: + - name: add packages.sury.org (Debian case) + block: + - name: add gpg repo key + apt_key: + url: 'https://packages.sury.org/php/apt.gpg' + state: present + + - name: add apt repo + apt_repository: + repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main' + state: present + filename: php + when: ansible_distribution == 'Debian' + tasks: + - name: Install PHP 8.3 and common modules + ansible.builtin.apt: + name: + - php{{PHP_VERS}} + - php{{PHP_VERS}}-cli + - php{{PHP_VERS}}-common + - php{{PHP_VERS}}-curl + - php{{PHP_VERS}}-fpm + - php{{PHP_VERS}}-gd + - php{{PHP_VERS}}-igbinary + - php{{PHP_VERS}}-imagick + - php{{PHP_VERS}}-imap + - php{{PHP_VERS}}-intl + - php{{PHP_VERS}}-mbstring + - php{{PHP_VERS}}-memcached + - php{{PHP_VERS}}-msgpack + - php{{PHP_VERS}}-mysql + - php{{PHP_VERS}}-opcache + - php{{PHP_VERS}}-phpdbg + - php{{PHP_VERS}}-readline + - php{{PHP_VERS}}-redis + - php{{PHP_VERS}}-xdebug + - php{{PHP_VERS}}-xml + - php{{PHP_VERS}}-zip + - redis-server + - imagemagick + state: present + update_cache: yes + - name: Define PHP variables in php.ini + ansible.builtin.ini_file: + dest: /etc/php/{{PHP_VERS}}/fpm/php.ini + section: "{{ item.section }}" + option: "{{ item.option }}" + value: "{{ item.value }}" + with_items: + - { section: "DEFAULT", option: "memory_limit", value: 512M } + - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" } + - { section: "DEFAULT", option: "max_file_uploads", value: 100 } + - { section: "DEFAULT", option: "post_max_size", value: "512M" } + - { section: "DEFAULT", option: "max_execution_time", value: 600 } + - { section: "DEFAULT", option: "max_input_time", value: 600 } + - { section: "DEFAULT", option: "default_socket_timeout", value: 600 } + - { section: "Session", option: "session.save_handler", value: "redis" } + - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" } + 
- { section: "opcache", option: "opcache.enable", value: 1 } + - { section: "opcache", option: "opcache.memory_consumption", value: 1024 } + - { section: "opcache", option: "opcache.interned_strings_buffer", value: 512 } + - name: Ensure PHP-FPM is running + ansible.builtin.systemd: + name: php{{PHP_VERS}}-fpm + state: started + enabled: yes + - name: Ensure Redis is running + ansible.builtin.systemd: + name: redis-server + state: started + enabled: yes \ No newline at end of file diff --git a/resources/needed.tgz b/resources/needed.tgz new file mode 120000 index 0000000..0da7040 --- /dev/null +++ b/resources/needed.tgz @@ -0,0 +1 @@ +../../common/resources/needed.tgz \ No newline at end of file diff --git a/resources/rsh.tgz b/resources/rsh.tgz new file mode 120000 index 0000000..fda2b9c --- /dev/null +++ b/resources/rsh.tgz @@ -0,0 +1 @@ +../../common/resources/rsh.tgz \ No newline at end of file diff --git a/templates/nginx/hi1.txt b/templates/nginx/hi1.txt new file mode 100644 index 0000000..877acc4 --- /dev/null +++ b/templates/nginx/hi1.txt @@ -0,0 +1 @@ +Hi 1! diff --git a/templates/nginx/hi2.txt b/templates/nginx/hi2.txt new file mode 100644 index 0000000..e42aa2a --- /dev/null +++ b/templates/nginx/hi2.txt @@ -0,0 +1 @@ +Hi 2! diff --git a/templates/nginx/http.conf b/templates/nginx/http.conf new file mode 100644 index 0000000..0eed601 --- /dev/null +++ b/templates/nginx/http.conf @@ -0,0 +1,9 @@ +client_max_body_size 512M; +## Detect when HTTPS is used +map $scheme $fastcgi_https { + default off; + https on; +} +fastcgi_read_timeout 3600s; +fastcgi_request_buffering off; +error_log /var/log/nginx/error.log; diff --git a/templates/nginx/letsencrypt.conf b/templates/nginx/letsencrypt.conf new file mode 100644 index 0000000..67149c9 --- /dev/null +++ b/templates/nginx/letsencrypt.conf 
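Review bot: `apt_key` imports whatever `https://packages.sury.org/php/apt.gpg` serves at run time with no `id` fingerprint to compare against, and the key lands in the global trusted keyring, so it could sign packages for any repository on the host; `apt_key` is also built on the deprecated `apt-key` tool. Prefer downloading the key into `/etc/apt/keyrings` with a pinned `checksum` and scoping it to this repository via `signed-by` in the `repo` line, as sketched below. The package list additionally installs `php8.3-xdebug` and `php8.3-phpdbg`, which are development/debugging tools; xdebug in particular should not be loaded on an internet-facing server unless it is actually needed. The `vars` block is a list rather than a mapping (`- PHP_VERS: "8.3"`), which newer ansible-core versions warn about; `PHP_VERS: "8.3"` is the intended form.
```yaml
  pre_tasks:
    - name: add packages.sury.org (Debian case)
      block:
        - name: ensure the keyring directory exists
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            mode: '0755'

        - name: add the sury signing key to a dedicated keyring
          ansible.builtin.get_url:
            url: 'https://packages.sury.org/php/apt.gpg'
            dest: /etc/apt/keyrings/php-sury.gpg
            # placeholder: replace with the digest of the key verified out of band
            checksum: 'sha256:<EXPECTED_KEY_SHA256>'
            mode: '0644'

        - name: add apt repo
          ansible.builtin.apt_repository:
            repo: 'deb [signed-by=/etc/apt/keyrings/php-sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
            state: present
            filename: php
      when: ansible_distribution == 'Debian'
  # … unchanged: tasks (package install, php.ini settings, service state) …
```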
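Review bot: The snippet mixes a `map` block with `client_max_body_size`, `fastcgi_read_timeout`, `fastcgi_request_buffering` and `error_log`; `map` is valid only in the `http` context, so this file can be included at `http` level (from `nginx.conf` or `conf.d`) but not from a `server` block, and nothing in the commit includes it anywhere. A one-line header would prevent misuse: `# Include from the http{} context only: the map directive is not allowed inside server{}.` The `error_log /var/log/nginx/error.log;` line repeats the path the Debian package already configures by default, as far as I can tell, so it is presumably redundant.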
@@ -0,0 +1,11 @@
+location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /home/www/letsencrypt;
+}
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+}
+
-- 
2.39.5