From 2e6ca1613d86156085063ba9fbe1108de823533d Mon Sep 17 00:00:00 2001 
From: Saurabh Date: Tue, 29 Aug 2017 12:21:06 +0530 Subject: [PATCH] roles to setup production environment --- .../roles/nginx/tasks/setup-Debian.yml | 6 -- playbooks/install.py | 3 + playbooks/production/files/nginx.conf | 76 +++++++++++++++++++ .../includes/setup_bench_production.yml | 2 +- .../production/includes/setup_prod_env.yml | 63 --------------- playbooks/production/install.yml | 41 ++++++++-- .../bash_screen_wall/files/screen_wall.sh | 8 ++ .../roles/bash_screen_wall/tasks/main.yml | 3 + .../roles/dns_caching/handlers/main.yml | 3 + .../roles/dns_caching/tasks/main.yml | 20 +++++ .../roles/fail2ban/defaults/main.yml | 2 + .../roles/fail2ban/handlers/main.yml | 3 + .../production/roles/fail2ban/tasks/main.yml | 23 ++++++ .../templates/nginx-proxy-filter.conf.j2 | 10 +++ .../templates/nginx-proxy-jail.conf.j2 | 8 ++ .../frappe_selinux/files}/frappe_selinux.te | 2 +- .../roles/frappe_selinux/tasks/main.yml | 29 +++++++ .../production/roles/locale/defaults/main.yml | 2 + .../production/roles/locale/tasks/main.yml | 19 +++++ .../roles/logwatch/defaults/main.yml | 3 + .../production/roles/logwatch/tasks/main.yml | 6 ++ .../roles/logwatch/templates/logwatch.conf.j2 | 2 + .../roles/nginx/.travis.yml | 0 .../roles/nginx/README.md | 0 .../roles/nginx/defaults/main.yml | 0 .../roles/nginx/handlers/main.yml | 0 .../roles/nginx/meta/main.yml | 0 .../roles/nginx/tasks/main.yml | 4 + .../roles/nginx/tasks/setup-Debian.yml | 18 +++++ .../roles/nginx/tasks/setup-RedHat.yml | 0 .../roles/nginx/tasks/vhosts.yml | 0 .../roles/nginx/templates/nginx.conf.j2 | 0 .../roles/nginx/templates/nginx.repo.j2 | 0 .../roles/nginx/templates/vhosts.j2 | 0 .../roles/nginx/tests/inventory | 0 .../roles/nginx/tests/test.yml | 0 .../roles/nginx/vars/Debian.yml | 0 .../roles/nginx/vars/RedHat.yml | 0 .../production/roles/ntpd/tasks/main.yml | 9 +++ .../production/roles/swap/defaults/main.yml | 1 + .../production/roles/swap/tasks/main.yml | 18 +++++ .../production/templates/default_nginx.j2 | 
42 ---------- 42 files changed, 306 insertions(+), 120 deletions(-) delete mode 100644 playbooks/develop/roles/nginx/tasks/setup-Debian.yml create mode 100644 playbooks/production/files/nginx.conf create mode 100644 playbooks/production/roles/bash_screen_wall/files/screen_wall.sh create mode 100644 playbooks/production/roles/bash_screen_wall/tasks/main.yml create mode 100644 playbooks/production/roles/dns_caching/handlers/main.yml create mode 100644 playbooks/production/roles/dns_caching/tasks/main.yml create mode 100644 playbooks/production/roles/fail2ban/defaults/main.yml create mode 100644 playbooks/production/roles/fail2ban/handlers/main.yml create mode 100644 playbooks/production/roles/fail2ban/tasks/main.yml create mode 100644 playbooks/production/roles/fail2ban/templates/nginx-proxy-filter.conf.j2 create mode 100644 playbooks/production/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 rename playbooks/production/{templates => roles/frappe_selinux/files}/frappe_selinux.te (95%) create mode 100644 playbooks/production/roles/frappe_selinux/tasks/main.yml create mode 100644 playbooks/production/roles/locale/defaults/main.yml create mode 100644 playbooks/production/roles/locale/tasks/main.yml create mode 100644 playbooks/production/roles/logwatch/defaults/main.yml create mode 100644 playbooks/production/roles/logwatch/tasks/main.yml create mode 100644 playbooks/production/roles/logwatch/templates/logwatch.conf.j2 rename playbooks/{develop => production}/roles/nginx/.travis.yml (100%) rename playbooks/{develop => production}/roles/nginx/README.md (100%) rename playbooks/{develop => production}/roles/nginx/defaults/main.yml (100%) rename playbooks/{develop => production}/roles/nginx/handlers/main.yml (100%) rename playbooks/{develop => production}/roles/nginx/meta/main.yml (100%) rename playbooks/{develop => production}/roles/nginx/tasks/main.yml (84%) create mode 100644 playbooks/production/roles/nginx/tasks/setup-Debian.yml rename playbooks/{develop => 
production}/roles/nginx/tasks/setup-RedHat.yml (100%) rename playbooks/{develop => production}/roles/nginx/tasks/vhosts.yml (100%) rename playbooks/{develop => production}/roles/nginx/templates/nginx.conf.j2 (100%) rename playbooks/{develop => production}/roles/nginx/templates/nginx.repo.j2 (100%) rename playbooks/{develop => production}/roles/nginx/templates/vhosts.j2 (100%) rename playbooks/{develop => production}/roles/nginx/tests/inventory (100%) rename playbooks/{develop => production}/roles/nginx/tests/test.yml (100%) rename playbooks/{develop => production}/roles/nginx/vars/Debian.yml (100%) rename playbooks/{develop => production}/roles/nginx/vars/RedHat.yml (100%) create mode 100644 playbooks/production/roles/ntpd/tasks/main.yml create mode 100644 playbooks/production/roles/swap/defaults/main.yml create mode 100644 playbooks/production/roles/swap/tasks/main.yml delete mode 100644 playbooks/production/templates/default_nginx.j2 diff --git a/playbooks/develop/roles/nginx/tasks/setup-Debian.yml b/playbooks/develop/roles/nginx/tasks/setup-Debian.yml deleted file mode 100644 index ced11b65..00000000 --- a/playbooks/develop/roles/nginx/tasks/setup-Debian.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Ensure nginx is installed. - apt: - pkg: nginx - state: installed - default_release: "{{ nginx_default_release }}" diff --git a/playbooks/install.py b/playbooks/install.py index 24c2d29e..3986c70a 100755 --- a/playbooks/install.py +++ b/playbooks/install.py @@ -343,6 +343,9 @@ def parse_commandline_args(): parser.add_argument('--site', dest='site', action='store', default='site1.local', help='Specifiy name for your first ERPNext site') + + parser.add_argument('--without-site', dest='without_site', action='store_true', + default=False) parser.add_argument('--verbose', dest='verbosity', action='store_true', default=False, help='Run the script in verbose mode') 
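Review bot: The new `--without-site` argument has no `help=` text, so unlike `--site` and `--verbose` around it it appears undocumented in `--help` output; add one describing what is skipped, e.g. `help='Do not create a site after installing bench'` (wording to be confirmed against where `without_site` is consumed). With `action='store_true'` the value already defaults to False, so `default=False` is redundant. parse_commandline_args continues outside the hunk.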
diff --git a/playbooks/production/files/nginx.conf b/playbooks/production/files/nginx.conf
new file mode 100644
index 00000000..d69a3e12
--- /dev/null
+++ b/playbooks/production/files/nginx.conf
@@ -0,0 +1,76 @@
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections {{ nginx_worker_connections or 2048 }};
+ multi_accept on;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+
+ # keepalive_timeout 10;
+ # keepalive_requests 10;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_http_version 1.1;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/font-woff
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/x-component
+ ;
+
+ server_names_hash_max_size 4096;
+
+ open_file_cache max=65000 inactive=1m;
+ open_file_cache_valid 5s;
+ open_file_cache_min_uses 1;
+ open_file_cache_errors on;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
+ ssl_prefer_server_ciphers on;
+
+ client_max_body_size 50m;
+ large_client_header_buffers 4 32k;
+
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;
+
+ include /etc/nginx/conf.d/*.conf;
+}
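Review bot: `ssl_protocols SSLv3 TLSv1;` enables SSLv3, which is broken (POODLE), and omits TLS 1.2, while `ssl_ciphers` lists `RC4` and excludes every AEAD suite via `!AESGCM`, so modern clients either refuse the handshake or are negotiated down to weak ciphers. Change to `ssl_protocols TLSv1.2;` (add TLSv1.1 only if legacy clients are known to need it) and drop `RC4` and `!AESGCM` from the list, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. Separately, `worker_connections {{ nginx_worker_connections or 2048 }};` is Jinja inside a file under `files/`; it is only rendered if the nginx role delivers it with `template`, and `install.yml` in this commit passes the path as `nginx_conf_file` — if the role copies it verbatim, nginx fails to parse the config (verify against the role's task). `user nginx;` is also hard-coded, whereas the deleted `default_nginx.j2` selected `www-data` on Debian/Ubuntu.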
diff --git a/playbooks/production/includes/setup_bench_production.yml b/playbooks/production/includes/setup_bench_production.yml index 2acbb71f..0814ad1d 100644 --- a/playbooks/production/includes/setup_bench_production.yml +++ b/playbooks/production/includes/setup_bench_production.yml @@ -1,7 +1,7 @@ --- - hosts: localhost vars: - bench_path: "/home/{{ ansible_user_id }}/frappe-bench" + bench_path: "/home/{{ ansible_user_id }}/{{ bench_name }}" tasks: diff --git a/playbooks/production/includes/setup_prod_env.yml b/playbooks/production/includes/setup_prod_env.yml index ffa00c20..9a003618 100755 --- a/playbooks/production/includes/setup_prod_env.yml +++ b/playbooks/production/includes/setup_prod_env.yml 
@@ -3,60 +3,6 @@ tasks: - - name: Add nginx apt repository key for Debian < 8 - apt_key: - url: http://nginx.org/keys/nginx_signing.key - state: present - become: yes - become_user: root - when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt') - - - name: Add nginx apt repository for Debian < 8 - apt_repository: - repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx' - state: present - become: yes - become_user: root - when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt') - - ##################################### - # Ubuntu Production Environment Setup - - name: Install production pre-requisites - become: yes - become_user: root - apt: pkg={{ item }} state=present - with_items: - - nginx - - screen - - vim - - htop - - git - - postfix - - supervisor - when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' - - ##################################### - # CentOS Production Environment Setup - - name: Install production pre-requisites - become: yes - become_user: root - yum: pkg={{ item }} state=present - with_items: - - nginx - - screen - - vim - - htop - - git - - postfix - - MySQL-python - when: ansible_distribution == 'CentOS' - - - name: Install supervisor using yum for Centos 7 - yum: pkg=supervisor state=present - become: yes - become_user: root - when: ansible_distribution == 'CentOS' and ansible_lsb.major_release == '7' - #################################################### # Replace default nginx config with nginx template - name: Rename default nginx.conf to nginx.conf.old 
@@ -146,12 +92,3 @@ become_user: root when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' - - name: insert/update inputrc for history - blockinfile: - dest: "/home/{{ ansible_user_id }}/.inputrc" - create: yes - block: | - ## arrow up - "\e[A":history-search-backward - ## arrow down - "\e[B":history-search-forward \ No newline at end of file diff --git a/playbooks/production/install.yml b/playbooks/production/install.yml index 0a2fd77d..07f8dd7d 100644 --- a/playbooks/production/install.yml +++ b/playbooks/production/install.yml @@ -1,15 +1,42 @@ --- - - hosts: localhost - # Install the common pre-requisites for the setting up bench - include: ../develop/install.yml - # Install the production environment - - include: includes/setup_prod_env.yml + #install production pre-requisites + - name: Apply basic roles + hosts: localhost + become: yes + become_user: root + vars: + - nginx_conf_file: ../files/nginx.conf + roles: + - locale + - swap + - logwatch + - bash_screen_wall + - frappe_selinux + - dns_caching + - ntpd + - nginx + - fail2ban + tasks: + - name: Set hostname + hostname: name='{{ hostname }}' + when: hostname is defined + + - name: Start NTPD + service: name=ntpd state=started + + - name: insert/update inputrc for history + blockinfile: + dest: "/home/{{ ansible_user_id }}/.inputrc" + create: yes + block: | + ## arrow up + "\e[A":history-search-backward + ## arrow down + "\e[B":history-search-forward # Setup Bench for production environment - include: includes/setup_bench_production.yml when: not run_travis - - # Setup SELinux Policy, Optional can be done later - # - include: includes/setup_selinux_policy.yml diff --git a/playbooks/production/roles/bash_screen_wall/files/screen_wall.sh b/playbooks/production/roles/bash_screen_wall/files/screen_wall.sh new file mode 100644 index 00000000..dec411e2 --- /dev/null +++ b/playbooks/production/roles/bash_screen_wall/files/screen_wall.sh 
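Review bot: The play now runs with `become: yes` / `become_user: root`, and the `insert/update inputrc for history` task writes to `/home/{{ ansible_user_id }}/.inputrc`; if facts are gathered under that become, `ansible_user_id` presumably resolves to `root`, so the block lands in `/home/root/.inputrc` (a directory `create: yes` will not create) instead of the bench user's home — confirm, and if so move the task into the unprivileged bench play (`setup_bench_production.yml` uses the same `/home/{{ ansible_user_id }}` path). The `Start NTPD` task duplicates the ntpd role's `service: name=ntpd enabled=yes state=started` and can be dropped.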
@@ -0,0 +1,8 @@
+if [ $TERM != 'screen' ]
+then
+ PS1='HEY! USE SCREEN '$PS1
+fi
+
+sw() {
+ screen -x $1 || screen -S $1
+}
diff --git a/playbooks/production/roles/bash_screen_wall/tasks/main.yml b/playbooks/production/roles/bash_screen_wall/tasks/main.yml
new file mode 100644
index 00000000..338b6fbc
--- /dev/null
+++ b/playbooks/production/roles/bash_screen_wall/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Setup bash screen wall
+ copy: src=screen_wall.sh dest=/etc/profile.d/screen_wall.sh
\ No newline at end of file
diff --git a/playbooks/production/roles/dns_caching/handlers/main.yml b/playbooks/production/roles/dns_caching/handlers/main.yml
new file mode 100644
index 00000000..5f7cb344
--- /dev/null
+++ b/playbooks/production/roles/dns_caching/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart network manager
+ service: name=NetworkManager state=restarted
diff --git a/playbooks/production/roles/dns_caching/tasks/main.yml b/playbooks/production/roles/dns_caching/tasks/main.yml
new file mode 100644
index 00000000..334e6e26
--- /dev/null
+++ b/playbooks/production/roles/dns_caching/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: check NetworkManager.conf exists
+ stat:
+ path: /etc/NetworkManager/NetworkManager.conf
+ register: result
+
+- name: unmask NetworkManager service
+ command: systemctl unmask NetworkManager
+ when: result.stat.exists
+
+- name: add dnsmasq to network config
+ lineinfile: >
+ dest=/etc/NetworkManager/NetworkManager.conf
+ regexp="dns="
+ line="dns=dnsmasq"
+ state=present
+ when: result.stat.exists
+ notify:
+ - restart network manager
+
diff --git a/playbooks/production/roles/fail2ban/defaults/main.yml b/playbooks/production/roles/fail2ban/defaults/main.yml
new file mode 100644
index 00000000..3feadba7
--- /dev/null
+++ b/playbooks/production/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+fail2ban_nginx_access_log: /var/log/nginx/access.log
\ No newline at end of file
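Review bot: `if [ $TERM != 'screen' ]` leaves `$TERM` unquoted, so whenever TERM is unset or empty the test degenerates to `[ != 'screen' ]` and every login shell that sources `/etc/profile.d/screen_wall.sh` prints a syntax error; `sw()` has the same issue with `$1`. Quote both: `if [ "$TERM" != 'screen' ]` and `screen -x "$1" || screen -S "$1"`. The file is installed system-wide by the `Setup bash screen wall` task on this line, so the breakage would reach every interactive user.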
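Review bot: `command: systemctl unmask NetworkManager` is reported as changed on every run because `command` cannot tell whether anything happened; add `changed_when: false` so the role stays idempotent. The `lineinfile` `regexp="dns="` is unanchored and also matches a commented `#dns=...` line or any key ending in `dns=`; `regexp="^dns="` limits it to the active setting (and note the section the line ends up in is not checked).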
diff --git a/playbooks/production/roles/fail2ban/handlers/main.yml b/playbooks/production/roles/fail2ban/handlers/main.yml
new file mode 100644
index 00000000..d675d4d5
--- /dev/null
+++ b/playbooks/production/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart fail2ban
+ service: name=fail2ban state=restarted
\ No newline at end of file
diff --git a/playbooks/production/roles/fail2ban/tasks/main.yml b/playbooks/production/roles/fail2ban/tasks/main.yml
new file mode 100644
index 00000000..415ffbe3
--- /dev/null
+++ b/playbooks/production/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install fail2ban
+ yum: name=fail2ban state=present
+
+- name: Enable fail2ban
+ service: name=fail2ban enabled=yes
+
+- name: Create jail.d
+ file: path=/etc/fail2ban/jail.d state=directory
+
+- name: Setup filters
+ template: src="{{item}}-filter.conf.j2" dest="/etc/fail2ban/filter.d/{{item}}.conf"
+ with_items:
+ - nginx-proxy
+ notify:
+ - restart fail2ban
+
+- name: setup jails
+ template: src="{{item}}-jail.conf.j2" dest="/etc/fail2ban/jail.d/{{item}}.conf"
+ with_items:
+ - nginx-proxy
+ notify:
+ - restart fail2ban
diff --git a/playbooks/production/roles/fail2ban/templates/nginx-proxy-filter.conf.j2 b/playbooks/production/roles/fail2ban/templates/nginx-proxy-filter.conf.j2
new file mode 100644
index 00000000..27f74cd5
--- /dev/null
+++ b/playbooks/production/roles/fail2ban/templates/nginx-proxy-filter.conf.j2
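Review bot: `yum: name=fail2ban state=present` is unconditional, yet the play applying this role (`install.yml` in this commit) targets localhost on any distribution, and the nginx and frappe_selinux roles on this page branch on `ansible_os_family` / `ansible_distribution`; on a Debian/Ubuntu host this task fails before any jail is configured, so the host ends up without the protection the role is meant to add. The same unconditional `yum` appears in the logwatch and ntpd roles further down. Either gate it with `when: ansible_os_family == 'RedHat'` and add an `apt` counterpart, or use the distribution-neutral `package` module, `package: name=fail2ban state=present`.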
@@ -0,0 +1,10 @@ +# Block IPs trying to use server as proxy. +[Definition] +failregex = .*\" 400 + .*"[A-Z]* /(cms|muieblackcat|db|cpcommerce|cgi-bin|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*" 4[\d][\d] + .*".*supports_implicit_sdk_logging.*" 4[\d][\d] + .*".*activities?advertiser_tracking_enabled.*" 4[\d][\d] + .*".*/picture?type=normal.*" 4[\d][\d] + .*".*/announce.php?info_hash=.*" 4[\d][\d] + +ignoreregex = \ No newline at end of file diff --git a/playbooks/production/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 b/playbooks/production/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 new file mode 100644 index 00000000..23a1dfc7 --- /dev/null +++ b/playbooks/production/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 @@ -0,0 +1,8 @@ +## block hosts trying to abuse our server as a forward proxy +[nginx-proxy] +enabled = true +filter = nginx-proxy +logpath = {{ fail2ban_nginx_access_log }} +action = iptables-multiport[name=NoNginxProxy, port="http,https"] +maxretry = 2 +bantime = 86400 \ No newline at end of file diff --git a/playbooks/production/templates/frappe_selinux.te b/playbooks/production/roles/frappe_selinux/files/frappe_selinux.te similarity index 95% rename from playbooks/production/templates/frappe_selinux.te rename to playbooks/production/roles/frappe_selinux/files/frappe_selinux.te index 0551ebad..b8cd1f0f 100644 --- a/playbooks/production/templates/frappe_selinux.te +++ b/playbooks/production/roles/frappe_selinux/files/frappe_selinux.te @@ -29,4 +29,4 @@ allow httpd_t user_home_t:file open; allow httpd_t user_home_t:file read; #!!!! This avc is allowed in the current policy -allow httpd_t user_home_t:lnk_file read; +allow httpd_t user_home_t:lnk_file read; \ No newline at end of file 
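Review bot: None of the `failregex` lines contains the `<HOST>` tag, so fail2ban has no capture group to take the offending address from and rejects the filter when it loads, which leaves the `nginx-proxy` jail defined on this same line inert. With the `log_format main` defined in `files/nginx.conf` in this commit (`$remote_addr - $remote_user ...`), each pattern should begin with `^<HOST> -`, e.g. `failregex = ^<HOST> -.*\" 400`. Two patterns also use `?` unescaped: in `/picture?type=normal` and `/announce.php?info_hash=` the `?` makes the preceding character optional instead of matching a literal `?`, so those lines never match the query strings they target; write `\?`.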
diff --git a/playbooks/production/roles/frappe_selinux/tasks/main.yml b/playbooks/production/roles/frappe_selinux/tasks/main.yml
new file mode 100644
index 00000000..79c19d5b
--- /dev/null
+++ b/playbooks/production/roles/frappe_selinux/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Install deps
+ yum: name="{{item}}" state=present
+ with_items:
+ - policycoreutils-python
+ - selinux-policy-devel
+ when: ansible_distribution == 'CentOS'
+
+- name: Install SELinux for Ubuntu
+ apt: name={{ item }} state=present
+ with_items:
+ - selinux
+ - selinux-policy-dev
+ when: ansible_distribution == 'Ubuntu'
+
+- name: Check enabled SELinux modules
+ shell: semanage module -l
+ register: enabled_modules
+
+- name: Copy frappe_selinux policy
+ copy: src=frappe_selinux.te dest=/root/frappe_selinux.te
+ register: dest_frappe_selinux_te
+
+- name: Compile frappe_selinux policy
+ shell: "make -f /usr/share/selinux/devel/Makefile frappe_selinux.pp && semodule -i frappe_selinux.pp"
+ args:
+ chdir: /root/
+ when: "enabled_modules.stdout.find('frappe_selinux') == -1 or dest_frappe_selinux_te.changed"
+
diff --git a/playbooks/production/roles/locale/defaults/main.yml b/playbooks/production/roles/locale/defaults/main.yml
new file mode 100644
index 00000000..3b713b45
--- /dev/null
+++ b/playbooks/production/roles/locale/defaults/main.yml
@@ -0,0 +1,2 @@
+locale_keymap: us
+locale_lang: en_US.utf8
\ No newline at end of file
diff --git a/playbooks/production/roles/locale/tasks/main.yml b/playbooks/production/roles/locale/tasks/main.yml
new file mode 100644
index 00000000..4e402ca2
--- /dev/null
+++ b/playbooks/production/roles/locale/tasks/main.yml
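Review bot: `shell: semanage module -l` is only a probe whose output feeds the `when:` of the compile task, yet it is reported as changed on every run; add `changed_when: false` so the role is idempotent and a plain run does not look like it altered the SELinux policy. The Ubuntu branch installs `selinux` and `selinux-policy-dev` but nothing that obviously provides `semanage`, so on Ubuntu the probe presumably fails unless the tool is already present — confirm and add the package that carries it (the policycoreutils python utilities on Debian-family systems).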
@@ -0,0 +1,19 @@
+---
+- name: Check current locale
+ shell: localectl
+ register: locale_test
+
+- name: Set Locale
+ command: "localectl set-locale LANG={{ locale_lang }}"
+ when: locale_test.stdout.find('LANG={{ locale_lang }}') == -1
+
+- name: Set keymap
+ command: "localectl set-keymap {{ locale_keymap }}"
+ when: "locale_test.stdout.find('Keymap: {{locale_keymap}}') == -1"
+
+- name: Set Locale as en_US
+ lineinfile: dest=/etc/environment backup=yes line="{{ item }}"
+ with_items:
+ - "LC_ALL=en_US.UTF-8"
+ - "LC_CTYPE=en_US.UTF-8"
+ - "LANG=en_US.UTF-8"
\ No newline at end of file
diff --git a/playbooks/production/roles/logwatch/defaults/main.yml b/playbooks/production/roles/logwatch/defaults/main.yml
new file mode 100644
index 00000000..7c82c654
--- /dev/null
+++ b/playbooks/production/roles/logwatch/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+logwatch_emails: "{{ admin_emails }}"
+logwatch_detail: High
diff --git a/playbooks/production/roles/logwatch/tasks/main.yml b/playbooks/production/roles/logwatch/tasks/main.yml
new file mode 100644
index 00000000..6d129c69
--- /dev/null
+++ b/playbooks/production/roles/logwatch/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Install logwatch
+ yum: name=logwatch state=present
+
+- name: Copy logwatch config
+ template: src=logwatch.conf.j2 dest=/etc/logwatch/conf/logwatch.conf backup=yes
\ No newline at end of file
diff --git a/playbooks/production/roles/logwatch/templates/logwatch.conf.j2 b/playbooks/production/roles/logwatch/templates/logwatch.conf.j2
new file mode 100644
index 00000000..a5c45cf8
--- /dev/null
+++ b/playbooks/production/roles/logwatch/templates/logwatch.conf.j2
@@ -0,0 +1,2 @@
+MailTo = {{ logwatch_emails }}
+Detail = {{ logwatch_detail }}
\ No newline at end of file
diff --git a/playbooks/develop/roles/nginx/.travis.yml b/playbooks/production/roles/nginx/.travis.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/.travis.yml
rename to playbooks/production/roles/nginx/.travis.yml
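Review bot: `Set Locale as en_US` writes `en_US.UTF-8` into `/etc/environment` as literal strings and ignores `locale_lang`, which the `Set Locale` task above passes to `localectl` (default `en_US.utf8`), so overriding the variable leaves the two settings disagreeing; use `"LC_ALL={{ locale_lang }}"` and the two siblings, or derive both from one value. `shell: localectl` is a read-only probe and should carry `changed_when: false`. The logwatch defaults on this same line reference `admin_emails`, which nothing on this page defines, so the role presumably fails with an undefined variable unless it is supplied from inventory or extra-vars — a documented default or an `assert` on it would make that explicit.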
diff --git a/playbooks/develop/roles/nginx/README.md b/playbooks/production/roles/nginx/README.md similarity index 100% rename from playbooks/develop/roles/nginx/README.md rename to playbooks/production/roles/nginx/README.md diff --git a/playbooks/develop/roles/nginx/defaults/main.yml b/playbooks/production/roles/nginx/defaults/main.yml similarity index 100% rename from playbooks/develop/roles/nginx/defaults/main.yml rename to playbooks/production/roles/nginx/defaults/main.yml diff --git a/playbooks/develop/roles/nginx/handlers/main.yml b/playbooks/production/roles/nginx/handlers/main.yml similarity index 100% rename from playbooks/develop/roles/nginx/handlers/main.yml rename to playbooks/production/roles/nginx/handlers/main.yml diff --git a/playbooks/develop/roles/nginx/meta/main.yml b/playbooks/production/roles/nginx/meta/main.yml similarity index 100% rename from playbooks/develop/roles/nginx/meta/main.yml rename to playbooks/production/roles/nginx/meta/main.yml diff --git a/playbooks/develop/roles/nginx/tasks/main.yml b/playbooks/production/roles/nginx/tasks/main.yml similarity index 84% rename from playbooks/develop/roles/nginx/tasks/main.yml rename to playbooks/production/roles/nginx/tasks/main.yml index 790e8f24..ce7b4f27 100644 --- a/playbooks/develop/roles/nginx/tasks/main.yml +++ b/playbooks/production/roles/nginx/tasks/main.yml @@ -15,6 +15,10 @@ - include: setup-Debian.yml when: ansible_os_family == 'Debian' +# Replace default nginx config with nginx template +- name: Rename default nginx.conf to nginx.conf.old + command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old + # Nginx setup. - name: Copy nginx configuration in place. template: diff --git a/playbooks/production/roles/nginx/tasks/setup-Debian.yml b/playbooks/production/roles/nginx/tasks/setup-Debian.yml new file mode 100644 index 00000000..2f50fb37 --- /dev/null +++ b/playbooks/production/roles/nginx/tasks/setup-Debian.yml 
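Review bot: `command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old` runs on every play, and because the `Copy nginx configuration in place.` task right after it re-creates `nginx.conf`, the second run moves the templated file over `nginx.conf.old` and the packaged original is lost; guard it with `args:` / `creates: /etc/nginx/nginx.conf.old` so the backup is taken once and the task is idempotent. The task has no `become` of its own and so relies on the play-level become set in `install.yml`. The role's task list continues outside the hunk.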
@@ -0,0 +1,18 @@
+---
+- name: Add nginx apt repository key for Debian < 8
+ apt_key:
+ url: http://nginx.org/keys/nginx_signing.key
+ state: present
+ when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+
+- name: Add nginx apt repository for Debian < 8
+ apt_repository:
+ repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx'
+ state: present
+ when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+
+- name: Ensure nginx is installed.
+ apt:
+ pkg: nginx
+ state: installed
+ default_release: "{{ nginx_default_release }}"
diff --git a/playbooks/develop/roles/nginx/tasks/setup-RedHat.yml b/playbooks/production/roles/nginx/tasks/setup-RedHat.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/tasks/setup-RedHat.yml
rename to playbooks/production/roles/nginx/tasks/setup-RedHat.yml
diff --git a/playbooks/develop/roles/nginx/tasks/vhosts.yml b/playbooks/production/roles/nginx/tasks/vhosts.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/tasks/vhosts.yml
rename to playbooks/production/roles/nginx/tasks/vhosts.yml
diff --git a/playbooks/develop/roles/nginx/templates/nginx.conf.j2 b/playbooks/production/roles/nginx/templates/nginx.conf.j2
similarity index 100%
rename from playbooks/develop/roles/nginx/templates/nginx.conf.j2
rename to playbooks/production/roles/nginx/templates/nginx.conf.j2
diff --git a/playbooks/develop/roles/nginx/templates/nginx.repo.j2 b/playbooks/production/roles/nginx/templates/nginx.repo.j2
similarity index 100%
rename from playbooks/develop/roles/nginx/templates/nginx.repo.j2
rename to playbooks/production/roles/nginx/templates/nginx.repo.j2
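Review bot: `url: http://nginx.org/keys/nginx_signing.key` fetches the repository signing key over plain HTTP, so anyone on the network path can substitute a key of their own, after which every package from the repository added by the next task is trusted and installed as root; use `https://` and pin the key with `apt_key`'s `id:` parameter (`id: <nginx signing key fingerprint>` — placeholder, take the value from the vendor's published fingerprint). The `apt_repository` URL is HTTP as well, which is acceptable only once the key is pinned. `state: installed` on the `apt` task is a legacy alias for `present`.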
diff --git a/playbooks/develop/roles/nginx/templates/vhosts.j2 b/playbooks/production/roles/nginx/templates/vhosts.j2
similarity index 100%
rename from playbooks/develop/roles/nginx/templates/vhosts.j2
rename to playbooks/production/roles/nginx/templates/vhosts.j2
diff --git a/playbooks/develop/roles/nginx/tests/inventory b/playbooks/production/roles/nginx/tests/inventory
similarity index 100%
rename from playbooks/develop/roles/nginx/tests/inventory
rename to playbooks/production/roles/nginx/tests/inventory
diff --git a/playbooks/develop/roles/nginx/tests/test.yml b/playbooks/production/roles/nginx/tests/test.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/tests/test.yml
rename to playbooks/production/roles/nginx/tests/test.yml
diff --git a/playbooks/develop/roles/nginx/vars/Debian.yml b/playbooks/production/roles/nginx/vars/Debian.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/vars/Debian.yml
rename to playbooks/production/roles/nginx/vars/Debian.yml
diff --git a/playbooks/develop/roles/nginx/vars/RedHat.yml b/playbooks/production/roles/nginx/vars/RedHat.yml
similarity index 100%
rename from playbooks/develop/roles/nginx/vars/RedHat.yml
rename to playbooks/production/roles/nginx/vars/RedHat.yml
diff --git a/playbooks/production/roles/ntpd/tasks/main.yml b/playbooks/production/roles/ntpd/tasks/main.yml
new file mode 100644
index 00000000..19881f82
--- /dev/null
+++ b/playbooks/production/roles/ntpd/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install ntpd
+ yum: name="{{item}}" state=installed
+ with_items:
+ - ntp
+ - ntpdate
+
+- name: enable ntpd
+ service: name=ntpd enabled=yes state=started
\ No newline at end of file
diff --git a/playbooks/production/roles/swap/defaults/main.yml b/playbooks/production/roles/swap/defaults/main.yml
new file mode 100644
index 00000000..3eac0ae0
--- /dev/null
+++ b/playbooks/production/roles/swap/defaults/main.yml
@@ -0,0 +1 @@
+swap_size_mb: 1024
\ No newline at end of file
diff --git a/playbooks/production/roles/swap/tasks/main.yml b/playbooks/production/roles/swap/tasks/main.yml
new file mode 100644
index 00000000..1d61d2f4
--- /dev/null
+++ b/playbooks/production/roles/swap/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Create swap space
+ command: dd if=/dev/zero of=/extraswap bs=1M count={{swap_size_mb}}
+ when: ansible_swaptotal_mb < 1
+
+- name: Make swap
+ command: mkswap /extraswap
+ when: ansible_swaptotal_mb < 1
+
+- name: Add to fstab
+ action: lineinfile dest=/etc/fstab regexp="extraswap" line="/extraswap none swap sw 0 0" state=present
+ when: ansible_swaptotal_mb < 1
+
+- name: Turn swap on
+ command: swapon -a
+ when: ansible_swaptotal_mb < 1
+
+- name: Set swapiness
+ shell: echo 1 | tee /proc/sys/vm/swappiness
\ No newline at end of file
diff --git a/playbooks/production/templates/default_nginx.j2 b/playbooks/production/templates/default_nginx.j2
deleted file mode 100644
index 4170888d..00000000
--- a/playbooks/production/templates/default_nginx.j2
+++ /dev/null
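Review bot: `/extraswap` is created by `dd` with whatever the default umask yields (typically 0644) and its mode is never tightened, so the file that will hold swapped-out process memory stays readable by every local user; `mkswap` itself warns about this. Add a `file` task setting `mode=0600` between `Create swap space` and `Make swap`. `Set swapiness` (sic) writes `/proc/sys/vm/swappiness` through `shell`, which is lost on reboot and reported as changed on every run; the `sysctl` module persists the value and is idempotent.
```yaml
- name: Create swap space
  command: dd if=/dev/zero of=/extraswap bs=1M count={{swap_size_mb}}
  when: ansible_swaptotal_mb < 1

- name: Restrict swap file permissions
  file: path=/extraswap owner=root group=root mode=0600
  when: ansible_swaptotal_mb < 1

# … unchanged: Make swap, Add to fstab, Turn swap on …

- name: Set swappiness
  sysctl: name=vm.swappiness value=1 state=present
```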
@@ -1,42 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %} - {% set nginx_user = 'www-data'%} -{% elif ansible_distribution == 'CentOS' %} - {% set nginx_user = 'nginx '%} -{% else %} - {% set nginx_user = 'nobody' %} -{% endif %} - -user {{ nginx_user }}; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -events { - worker_connections {{ max_worker_connections }}; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; -}