roles to setup production environment

playbooks/develop/roles/nginx/tasks/setup-Debian.yml

@@ -1,6 +0,0 @@
----
-- name: Ensure nginx is installed.
-  apt:
-    pkg: nginx
-    state: installed
-    default_release: "{{ nginx_default_release }}"

playbooks/install.py

@@ -343,6 +343,9 @@ def parse_commandline_args():
 
 	parser.add_argument('--site', dest='site', action='store', default='site1.local',
 		help='Specifiy name for your first ERPNext site')
+	
+	parser.add_argument('--without-site', dest='without_site', action='store_true',
+		default=False)
 
 	parser.add_argument('--verbose', dest='verbosity', action='store_true', default=False,
 		help='Run the script in verbose mode')

playbooks/production/files/nginx.conf

@@ -0,0 +1,76 @@
+user  nginx;
+worker_processes  auto;
+worker_rlimit_nofile 65535;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections {{ nginx_worker_connections or 2048 }};
+    multi_accept on;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+
+    # keepalive_timeout  10;
+    # keepalive_requests 10;
+
+	gzip on;
+	gzip_disable "msie6";
+	gzip_http_version 1.1;
+	gzip_comp_level 5;
+	gzip_min_length 256;
+	gzip_proxied any;
+	gzip_vary on;
+    gzip_types
+		application/atom+xml
+		application/javascript
+		application/json
+		application/rss+xml
+		application/vnd.ms-fontobject
+		application/x-font-ttf
+		application/font-woff
+		application/x-web-app-manifest+json
+		application/xhtml+xml
+		application/xml
+		font/opentype
+		image/svg+xml
+		image/x-icon
+		text/css
+		text/plain
+		text/x-component
+		;
+
+    server_names_hash_max_size 4096;
+
+    open_file_cache max=65000 inactive=1m;
+    open_file_cache_valid 5s;
+    open_file_cache_min_uses 1;
+    open_file_cache_errors on;
+
+    ssl_protocols  SSLv3 TLSv1;
+    ssl_ciphers     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
+    ssl_prefer_server_ciphers   on;
+
+	client_max_body_size 50m;
+	large_client_header_buffers 4 32k;
+
+    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;
+
+    include /etc/nginx/conf.d/*.conf;
+}

playbooks/production/includes/setup_bench_production.yml

@@ -1,7 +1,7 @@
 ---
   - hosts: localhost
     vars:
-      bench_path: "/home/{{ ansible_user_id }}/frappe-bench"
+      bench_path: "/home/{{ ansible_user_id }}/{{ bench_name }}"
 
     tasks:
 

playbooks/production/includes/setup_prod_env.yml

@@ -3,60 +3,6 @@
 
   tasks:
 
-  - name: Add nginx apt repository key for Debian < 8
-    apt_key:
-      url: http://nginx.org/keys/nginx_signing.key
-      state: present
-    become: yes
-    become_user: root
-    when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
-
-  - name: Add nginx apt repository for Debian < 8
-    apt_repository:
-      repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx'
-      state: present
-    become: yes
-    become_user: root
-    when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
-
-  #####################################
-  # Ubuntu Production Environment Setup
-  - name: Install production pre-requisites
-    become: yes
-    become_user: root
-    apt: pkg={{ item }} state=present
-    with_items:
-      - nginx
-      - screen
-      - vim
-      - htop
-      - git
-      - postfix
-      - supervisor
-    when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
-
-  #####################################
-  # CentOS Production Environment Setup
-  - name: Install production pre-requisites
-    become: yes
-    become_user: root
-    yum: pkg={{ item }} state=present
-    with_items:
-      - nginx
-      - screen
-      - vim
-      - htop
-      - git
-      - postfix
-      - MySQL-python
-    when: ansible_distribution == 'CentOS'
-
-  - name: Install supervisor using yum for Centos 7
-    yum: pkg=supervisor state=present
-    become: yes
-    become_user: root
-    when: ansible_distribution == 'CentOS' and ansible_lsb.major_release == '7'
-
   ####################################################
   # Replace default nginx config with nginx template
   - name: Rename default nginx.conf to nginx.conf.old
@@ -146,12 +92,3 @@
     become_user: root
     when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
 
-  - name: insert/update inputrc for history
-    blockinfile:
-      dest: "/home/{{ ansible_user_id }}/.inputrc"
-      create: yes
-      block: |
-        ## arrow up
-        "\e[A":history-search-backward
-        ## arrow down
-        "\e[B":history-search-forward

playbooks/production/install.yml

@@ -1,15 +1,42 @@
 ---
-  - hosts: localhost
-
   # Install the common pre-requisites for the setting up bench
   - include: ../develop/install.yml
 
-  # Install the production environment
+  #install production pre-requisites
-  - include: includes/setup_prod_env.yml
+  - name: Apply basic roles
+    hosts: localhost
+    become: yes
+    become_user: root
+    vars:
+      - nginx_conf_file: ../files/nginx.conf
+    roles:
+      - locale
+      - swap
+      - logwatch
+      - bash_screen_wall
+      - frappe_selinux
+      - dns_caching
+      - ntpd
+      - nginx
+      - fail2ban
+    tasks:
+      - name: Set hostname
+        hostname: name='{{ hostname }}'
+        when: hostname is defined
+
+      - name: Start NTPD
+        service: name=ntpd state=started
+
+      - name: insert/update inputrc for history
+        blockinfile:
+          dest: "/home/{{ ansible_user_id }}/.inputrc"
+          create: yes
+          block: |
+            ## arrow up
+            "\e[A":history-search-backward
+            ## arrow down
+            "\e[B":history-search-forward
 
   # Setup Bench for production environment
   - include: includes/setup_bench_production.yml
     when: not run_travis
-
-  # Setup SELinux Policy, Optional can be done later
-  # - include: includes/setup_selinux_policy.yml

playbooks/production/roles/bash_screen_wall/files/screen_wall.sh

@@ -0,0 +1,8 @@
+if [ $TERM != 'screen' ]
+then
+        PS1='HEY! USE SCREEN '$PS1
+fi
+
+sw() {
+        screen -x $1 || screen -S $1
+}

playbooks/production/roles/bash_screen_wall/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Setup bash screen wall
+  copy: src=screen_wall.sh dest=/etc/profile.d/screen_wall.sh

playbooks/production/roles/dns_caching/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart network manager
+  service: name=NetworkManager state=restarted

playbooks/production/roles/dns_caching/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: check NetworkManager.conf exists
+  stat:
+    path: /etc/NetworkManager/NetworkManager.conf
+  register: result
+
+- name: unmask NetworkManager service
+  command: systemctl unmask NetworkManager
+  when: result.stat.exists
+
+- name: add dnsmasq to network config
+  lineinfile: >
+    dest=/etc/NetworkManager/NetworkManager.conf
+    regexp="dns="
+    line="dns=dnsmasq"
+    state=present
+  when: result.stat.exists
+  notify:
+  - restart network manager
+

playbooks/production/roles/fail2ban/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+fail2ban_nginx_access_log: /var/log/nginx/access.log

playbooks/production/roles/fail2ban/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart fail2ban
+  service: name=fail2ban state=restarted

playbooks/production/roles/fail2ban/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Install fail2ban
+  yum: name=fail2ban state=present
+
+- name: Enable fail2ban
+  service: name=fail2ban enabled=yes
+
+- name: Create jail.d
+  file: path=/etc/fail2ban/jail.d state=directory
+
+- name: Setup filters
+  template: src="{{item}}-filter.conf.j2" dest="/etc/fail2ban/filter.d/{{item}}.conf"
+  with_items:
+    - nginx-proxy
+  notify:
+  - restart fail2ban
+
+- name: setup jails
+  template: src="{{item}}-jail.conf.j2" dest="/etc/fail2ban/jail.d/{{item}}.conf"
+  with_items:
+    - nginx-proxy
+  notify:
+  - restart fail2ban

playbooks/production/roles/fail2ban/templates/nginx-proxy-filter.conf.j2

@@ -0,0 +1,10 @@
+# Block IPs trying to use server as proxy.
+[Definition]
+failregex = <HOST>.*\" 400
+	<HOST>.*"[A-Z]* /(cms|muieblackcat|db|cpcommerce|cgi-bin|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*" 4[\d][\d]
+	<HOST>.*".*supports_implicit_sdk_logging.*" 4[\d][\d]
+	<HOST>.*".*activities?advertiser_tracking_enabled.*" 4[\d][\d]
+	<HOST>.*".*/picture?type=normal.*" 4[\d][\d]
+	<HOST>.*".*/announce.php?info_hash=.*" 4[\d][\d]
+
+ignoreregex =

playbooks/production/roles/fail2ban/templates/nginx-proxy-jail.conf.j2

@@ -0,0 +1,8 @@
+## block hosts trying to abuse our server as a forward proxy
+[nginx-proxy]
+enabled = true
+filter = nginx-proxy
+logpath = {{ fail2ban_nginx_access_log }}
+action = iptables-multiport[name=NoNginxProxy, port="http,https"]
+maxretry = 2
+bantime  = 86400

playbooks/production/roles/frappe_selinux/files/frappe_selinux.te

@@ -29,4 +29,4 @@ allow httpd_t user_home_t:file open;
 allow httpd_t user_home_t:file read;
 
 #!!!! This avc is allowed in the current policy
-allow httpd_t user_home_t:lnk_file read;
+allow httpd_t user_home_t:lnk_file read;

playbooks/production/roles/frappe_selinux/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: Install deps
+  yum: name="{{item}}" state=present
+  with_items:
+    - policycoreutils-python
+    - selinux-policy-devel
+  when: ansible_distribution == 'CentOS'
+
+- name: Install SELinux for Ubuntu
+  apt: name={{ item }} state=present
+  with_items:
+   - selinux
+   - selinux-policy-dev
+  when: ansible_distribution == 'Ubuntu'
+
+- name: Check enabled SELinux modules
+  shell: semanage module -l
+  register: enabled_modules
+
+- name: Copy frappe_selinux policy
+  copy: src=frappe_selinux.te dest=/root/frappe_selinux.te
+  register: dest_frappe_selinux_te
+
+- name: Compile frappe_selinux policy
+  shell: "make -f /usr/share/selinux/devel/Makefile frappe_selinux.pp && semodule -i frappe_selinux.pp"
+  args:
+    chdir: /root/
+  when: "enabled_modules.stdout.find('frappe_selinux') == -1 or dest_frappe_selinux_te.changed" 
+

playbooks/production/roles/locale/defaults/main.yml

@@ -0,0 +1,2 @@
+locale_keymap: us
+locale_lang: en_US.utf8

playbooks/production/roles/locale/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Check current locale
+  shell: localectl
+  register: locale_test
+
+- name: Set Locale
+  command: "localectl set-locale LANG={{ locale_lang }}"
+  when: locale_test.stdout.find('LANG={{ locale_lang }}') == -1
+
+- name: Set keymap
+  command: "localectl set-keymap {{ locale_keymap }}"
+  when: "locale_test.stdout.find('Keymap: {{locale_keymap}}') == -1"
+
+- name: Set Locale as en_US
+  lineinfile: dest=/etc/environment backup=yes line="{{ item }}"
+  with_items:
+    - "LC_ALL=en_US.UTF-8"
+    - "LC_CTYPE=en_US.UTF-8"
+    - "LANG=en_US.UTF-8"

playbooks/production/roles/logwatch/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+logwatch_emails: "{{ admin_emails }}"
+logwatch_detail: High

playbooks/production/roles/logwatch/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Install logwatch
+  yum: name=logwatch state=present
+
+- name: Copy logwatch config
+  template: src=logwatch.conf.j2 dest=/etc/logwatch/conf/logwatch.conf backup=yes

playbooks/production/roles/logwatch/templates/logwatch.conf.j2

@@ -0,0 +1,2 @@
+MailTo = {{ logwatch_emails }}
+Detail = {{ logwatch_detail }}

playbooks/production/roles/nginx/tasks/main.yml

@@ -15,6 +15,10 @@
 - include: setup-Debian.yml
   when: ansible_os_family == 'Debian'
 
+# Replace default nginx config with nginx template
+- name: Rename default nginx.conf to nginx.conf.old
+  command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old
+
 # Nginx setup.
 - name: Copy nginx configuration in place.
   template:

playbooks/production/roles/nginx/tasks/setup-Debian.yml

@@ -0,0 +1,18 @@
+---
+- name: Add nginx apt repository key for Debian < 8
+  apt_key:
+    url: http://nginx.org/keys/nginx_signing.key
+    state: present
+  when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+
+- name: Add nginx apt repository for Debian < 8
+  apt_repository:
+    repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx'
+    state: present
+  when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+    
+- name: Ensure nginx is installed.
+  apt:
+    pkg: nginx
+    state: installed
+    default_release: "{{ nginx_default_release }}"

playbooks/production/roles/ntpd/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Install ntpd
+  yum: name="{{item}}" state=installed
+  with_items:
+    - ntp
+    - ntpdate
+
+- name: enable ntpd
+  service: name=ntpd enabled=yes state=started

playbooks/production/roles/swap/defaults/main.yml

@@ -0,0 +1 @@
+swap_size_mb: 1024

playbooks/production/roles/swap/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Create swap space
+  command: dd if=/dev/zero of=/extraswap bs=1M count={{swap_size_mb}}
+  when: ansible_swaptotal_mb < 1
+
+- name: Make swap
+  command: mkswap /extraswap
+  when: ansible_swaptotal_mb < 1
+
+- name: Add to fstab
+  action: lineinfile dest=/etc/fstab regexp="extraswap" line="/extraswap none swap sw 0 0" state=present
+  when: ansible_swaptotal_mb < 1
+
+- name: Turn swap on
+  command: swapon -a
+  when: ansible_swaptotal_mb < 1
+
+- name: Set swapiness
+  shell: echo 1 | tee /proc/sys/vm/swappiness

playbooks/production/templates/default_nginx.j2

@@ -1,42 +0,0 @@
-# For more information on configuration, see:
-#   * Official English Documentation: http://nginx.org/en/docs/
-#   * Official Russian Documentation: http://nginx.org/ru/docs/
-
-{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
-	{% set nginx_user = 'www-data'%}
-{% elif ansible_distribution == 'CentOS' %}
-	{% set nginx_user = 'nginx '%}
-{% else %}
-	{% set nginx_user = 'nobody' %}
-{% endif %}
-
-user {{ nginx_user }};
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-events {
-    worker_connections {{ max_worker_connections }};
-}
-
-http {
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile            on;
-    tcp_nopush          on;
-    tcp_nodelay         on;
-    keepalive_timeout   65;
-    types_hash_max_size 2048;
-
-    include             /etc/nginx/mime.types;
-    default_type        application/octet-stream;
-
-    # Load modular configuration files from the /etc/nginx/conf.d directory.
-    # See http://nginx.org/en/docs/ngx_core_module.html#include
-    # for more information.
-    include /etc/nginx/conf.d/*.conf;
-}