
Roles to set up the production environment

Saurabh 2017-08-29 12:21:06 +05:30
parent e360b0702a
commit 2e6ca1613d
42 changed files with 306 additions and 120 deletions


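--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Ensure nginx is installed.
-apt:
-pkg: nginx
-state: installed
-default_release: "{{ nginx_default_release }}"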


@ -343,6 +343,9 @@ def parse_commandline_args():
parser.add_argument('--site', dest='site', action='store', default='site1.local',
help='Specifiy name for your first ERPNext site')
parser.add_argument('--without-site', dest='without_site', action='store_true',
default=False)
parser.add_argument('--verbose', dest='verbosity', action='store_true', default=False,
help='Run the script in verbose mode')


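--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,76 @@
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+events {
+worker_connections {{ nginx_worker_connections or 2048 }};
+multi_accept on;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+access_log /var/log/nginx/access.log main;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+server_tokens off;
+# keepalive_timeout 10;
+# keepalive_requests 10;
+gzip on;
+gzip_disable "msie6";
+gzip_http_version 1.1;
+gzip_comp_level 5;
+gzip_min_length 256;
+gzip_proxied any;
+gzip_vary on;
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/rss+xml
+application/vnd.ms-fontobject
+application/x-font-ttf
+application/font-woff
+application/x-web-app-manifest+json
+application/xhtml+xml
+application/xml
+font/opentype
+image/svg+xml
+image/x-icon
+text/css
+text/plain
+text/x-component
+;
+server_names_hash_max_size 4096;
+open_file_cache max=65000 inactive=1m;
+open_file_cache_valid 5s;
+open_file_cache_min_uses 1;
+open_file_cache_errors on;
+ssl_protocols SSLv3 TLSv1;
+ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
+ssl_prefer_server_ciphers on;
+client_max_body_size 50m;
+large_client_header_buffers 4 32k;
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;
+include /etc/nginx/conf.d/*.conf;
+}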
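Review bot: `ssl_protocols SSLv3 TLSv1;` together with the `RC4` entry in `ssl_ciphers` (both in the http block) sets server-wide TLS defaults that are broken (POODLE against SSLv3, RC4 keystream biases) and that current browsers refuse to negotiate, and since this file is the base for every vhost the settings inherit everywhere. Change them to `ssl_protocols TLSv1.2;` and remove `RC4` from the cipher string, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. `user nginx;` also replaces the removed template's per-distro user selection; on Debian/Ubuntu hosts that install nginx from distro packages the service account is normally `www-data`, so this value presumably still needs templating — confirm against the Debian branch of the nginx role.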


@ -1,7 +1,7 @@
---
- hosts: localhost
vars:
bench_path: "/home/{{ ansible_user_id }}/frappe-bench"
bench_path: "/home/{{ ansible_user_id }}/{{ bench_name }}"
tasks:


@ -3,60 +3,6 @@
tasks:
- name: Add nginx apt repository key for Debian < 8
apt_key:
url: http://nginx.org/keys/nginx_signing.key
state: present
become: yes
become_user: root
when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
- name: Add nginx apt repository for Debian < 8
apt_repository:
repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx'
state: present
become: yes
become_user: root
when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
#####################################
# Ubuntu Production Environment Setup
- name: Install production pre-requisites
become: yes
become_user: root
apt: pkg={{ item }} state=present
with_items:
- nginx
- screen
- vim
- htop
- git
- postfix
- supervisor
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
#####################################
# CentOS Production Environment Setup
- name: Install production pre-requisites
become: yes
become_user: root
yum: pkg={{ item }} state=present
with_items:
- nginx
- screen
- vim
- htop
- git
- postfix
- MySQL-python
when: ansible_distribution == 'CentOS'
- name: Install supervisor using yum for Centos 7
yum: pkg=supervisor state=present
become: yes
become_user: root
when: ansible_distribution == 'CentOS' and ansible_lsb.major_release == '7'
####################################################
# Replace default nginx config with nginx template
- name: Rename default nginx.conf to nginx.conf.old
@ -146,12 +92,3 @@
become_user: root
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
- name: insert/update inputrc for history
blockinfile:
dest: "/home/{{ ansible_user_id }}/.inputrc"
create: yes
block: |
## arrow up
"\e[A":history-search-backward
## arrow down
"\e[B":history-search-forward


@ -1,15 +1,42 @@
---
- hosts: localhost
# Install the common pre-requisites for the setting up bench
- include: ../develop/install.yml
# Install the production environment
- include: includes/setup_prod_env.yml
#install production pre-requisites
- name: Apply basic roles
hosts: localhost
become: yes
become_user: root
vars:
- nginx_conf_file: ../files/nginx.conf
roles:
- locale
- swap
- logwatch
- bash_screen_wall
- frappe_selinux
- dns_caching
- ntpd
- nginx
- fail2ban
tasks:
- name: Set hostname
hostname: name='{{ hostname }}'
when: hostname is defined
- name: Start NTPD
service: name=ntpd state=started
- name: insert/update inputrc for history
blockinfile:
dest: "/home/{{ ansible_user_id }}/.inputrc"
create: yes
block: |
## arrow up
"\e[A":history-search-backward
## arrow down
"\e[B":history-search-forward
# Setup Bench for production environment
- include: includes/setup_bench_production.yml
when: not run_travis
# Setup SELinux Policy, Optional can be done later
# - include: includes/setup_selinux_policy.yml
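Review bot: The `roles:` list of the `Apply basic roles` play pulls in fail2ban, logwatch and ntpd, whose task files in this commit install packages with `yum` only, so the play fails on the Debian/Ubuntu hosts that this commit still provisions elsewhere (the nginx role's setup-Debian.yml); either gate those roles with `when: ansible_os_family == 'RedHat'` in this list or give each role an apt branch. `when: not run_travis` on the `setup_bench_production.yml` include also errors on an undefined variable unless every caller passes it; `when: run_travis is not defined or not run_travis` avoids that. The `Start NTPD` task repeats what the ntpd role already does with `service: name=ntpd enabled=yes state=started`, so one of the two can go.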


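--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,8 @@
+if [ $TERM != 'screen' ]
+then
+PS1='HEY! USE SCREEN '$PS1
+fi
+sw() {
+screen -x $1 || screen -S $1
+}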
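Review bot: `if [ $TERM != 'screen' ]` on the first line produces a test error whenever `TERM` is unset or empty, and because the file is installed under /etc/profile.d it is sourced by every login shell on the host, so the error shows up for every such login. Quote the expansion, `if [ "$TERM" != 'screen' ]`, and likewise `screen -x "$1" || screen -S "$1"` in `sw` so that an argument containing spaces is passed as one word.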


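--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,3 @@
+---
+- name: Setup bash screen wall
+copy: src=screen_wall.sh dest=/etc/profile.d/screen_wall.sh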


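--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,3 @@
+---
+- name: restart network manager
+service: name=NetworkManager state=restarted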


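--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,20 @@
+---
+- name: check NetworkManager.conf exists
+stat:
+path: /etc/NetworkManager/NetworkManager.conf
+register: result
+- name: unmask NetworkManager service
+command: systemctl unmask NetworkManager
+when: result.stat.exists
+- name: add dnsmasq to network config
+lineinfile: >
+dest=/etc/NetworkManager/NetworkManager.conf
+regexp="dns="
+line="dns=dnsmasq"
+state=present
+when: result.stat.exists
+notify:
+- restart network manager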
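Review bot: `regexp="dns="` in the `add dnsmasq to network config` task matches any line containing that substring, not only a `dns=` key, and when nothing matches lineinfile appends at end of file, which can land outside the `[main]` section where NetworkManager reads `dns=`. Anchoring the pattern and naming the insertion point, `regexp="^dns="` and `insertafter="^\[main\]"`, keeps the edit inside the right section. Whether the shipped NetworkManager.conf always ends with `[main]` I cannot tell from here, so the appended-at-EOF case is an inference.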


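--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,2 @@
+---
+fail2ban_nginx_access_log: /var/log/nginx/access.log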


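--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,3 @@
+---
+- name: restart fail2ban
+service: name=fail2ban state=restarted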


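--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,23 @@
+---
+- name: Install fail2ban
+yum: name=fail2ban state=present
+- name: Enable fail2ban
+service: name=fail2ban enabled=yes
+- name: Create jail.d
+file: path=/etc/fail2ban/jail.d state=directory
+- name: Setup filters
+template: src="{{item}}-filter.conf.j2" dest="/etc/fail2ban/filter.d/{{item}}.conf"
+with_items:
+- nginx-proxy
+notify:
+- restart fail2ban
+- name: setup jails
+template: src="{{item}}-jail.conf.j2" dest="/etc/fail2ban/jail.d/{{item}}.conf"
+with_items:
+- nginx-proxy
+notify:
+- restart fail2ban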


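--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,10 @@
+# Block IPs trying to use server as proxy.
+[Definition]
+failregex = <HOST>.*\" 400
+<HOST>.*"[A-Z]* /(cms|muieblackcat|db|cpcommerce|cgi-bin|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*" 4[\d][\d]
+<HOST>.*".*supports_implicit_sdk_logging.*" 4[\d][\d]
+<HOST>.*".*activities?advertiser_tracking_enabled.*" 4[\d][\d]
+<HOST>.*".*/picture?type=normal.*" 4[\d][\d]
+<HOST>.*".*/announce.php?info_hash=.*" 4[\d][\d]
+ignoreregex =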
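Review bot: The second `failregex` line is not bounded after the path prefix, so `/db` also matches `/dbfoo` and `/admin` matches `/administration`, and any 4xx on such a path counts as proxy abuse; with `maxretry = 2` and `bantime = 86400` in the matching jail, a legitimate user who gets two 404s under one of those prefixes is locked out for a day. Whether the application served here exposes paths starting with those words I cannot tell from this page, but bounding the alternation, e.g. `/(cms|…|phpmyadmin2)(/|\?|\s)`, limits the false-positive surface. The first line, `<HOST>.*\" 400`, also matches every 400 from any client, which is worth a higher `maxretry` or its own jail.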


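--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,8 @@
+## block hosts trying to abuse our server as a forward proxy
+[nginx-proxy]
+enabled = true
+filter = nginx-proxy
+logpath = {{ fail2ban_nginx_access_log }}
+action = iptables-multiport[name=NoNginxProxy, port="http,https"]
+maxretry = 2
+bantime = 86400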


@ -29,4 +29,4 @@ allow httpd_t user_home_t:file open;
allow httpd_t user_home_t:file read;
#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:lnk_file read;
allow httpd_t user_home_t:lnk_file read;


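--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,29 @@
+---
+- name: Install deps
+yum: name="{{item}}" state=present
+with_items:
+- policycoreutils-python
+- selinux-policy-devel
+when: ansible_distribution == 'CentOS'
+- name: Install SELinux for Ubuntu
+apt: name={{ item }} state=present
+with_items:
+- selinux
+- selinux-policy-dev
+when: ansible_distribution == 'Ubuntu'
+- name: Check enabled SELinux modules
+shell: semanage module -l
+register: enabled_modules
+- name: Copy frappe_selinux policy
+copy: src=frappe_selinux.te dest=/root/frappe_selinux.te
+register: dest_frappe_selinux_te
+- name: Compile frappe_selinux policy
+shell: "make -f /usr/share/selinux/devel/Makefile frappe_selinux.pp && semodule -i frappe_selinux.pp"
+args:
+chdir: /root/
+when: "enabled_modules.stdout.find('frappe_selinux') == -1 or dest_frappe_selinux_te.changed"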
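Review bot: `shell: semanage module -l` (`Check enabled SELinux modules`) runs unconditionally, so on a host where SELinux is disabled, or on Ubuntu where the two apt packages installed above do not obviously provide `semanage`, the command fails and aborts the whole production play. Gate the check, copy and compile tasks with `when: ansible_selinux is defined and ansible_selinux.status == 'enabled'`, and give the check `changed_when: false` since it only reads state. The Makefile path `/usr/share/selinux/devel/Makefile` in the compile step is the CentOS location; whether it exists on Ubuntu I cannot confirm from here.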


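--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,2 @@
+locale_keymap: us
+locale_lang: en_US.utf8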


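--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,19 @@
+---
+- name: Check current locale
+shell: localectl
+register: locale_test
+- name: Set Locale
+command: "localectl set-locale LANG={{ locale_lang }}"
+when: locale_test.stdout.find('LANG={{ locale_lang }}') == -1
+- name: Set keymap
+command: "localectl set-keymap {{ locale_keymap }}"
+when: "locale_test.stdout.find('Keymap: {{locale_keymap}}') == -1"
+- name: Set Locale as en_US
+lineinfile: dest=/etc/environment backup=yes line="{{ item }}"
+with_items:
+- "LC_ALL=en_US.UTF-8"
+- "LC_CTYPE=en_US.UTF-8"
+- "LANG=en_US.UTF-8"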
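Review bot: `Set Locale as en_US` writes `LC_ALL=en_US.UTF-8`, `LC_CTYPE=en_US.UTF-8` and `LANG=en_US.UTF-8` into /etc/environment regardless of `locale_lang`, so a host given a different `locale_lang` ends up with localectl and the login environment disagreeing, and `LC_ALL` then overrides every other locale variable. Drop `LC_ALL` and template the remaining lines from the role variable, `- "LANG={{ locale_lang }}"`. The `Check current locale` task only reads state and should carry `changed_when: false`; its `when:` consumers embed `{{ }}` inside a conditional, which later Ansible versions warn about, and `locale_test.stdout.find('LANG=' ~ locale_lang) == -1` says the same without nested templating.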


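--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,3 @@
+---
+logwatch_emails: "{{ admin_emails }}"
+logwatch_detail: High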


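--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,6 @@
+---
+- name: Install logwatch
+yum: name=logwatch state=present
+- name: Copy logwatch config
+template: src=logwatch.conf.j2 dest=/etc/logwatch/conf/logwatch.conf backup=yes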


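--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,2 @@
+MailTo = {{ logwatch_emails }}
+Detail = {{ logwatch_detail }}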


@ -15,6 +15,10 @@
- include: setup-Debian.yml
when: ansible_os_family == 'Debian'
# Replace default nginx config with nginx template
- name: Rename default nginx.conf to nginx.conf.old
command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old
# Nginx setup.
- name: Copy nginx configuration in place.
template:
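Review bot: `command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old` runs on every play, so the second run moves the templated config over `nginx.conf.old` and destroys the backup of the packaged default, and on a host where nginx.conf is absent the task fails outright. Make it idempotent with `command: mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old creates=/etc/nginx/nginx.conf.old`, or drop it and add `backup: yes` to the following template task, which keeps a timestamped copy on each change. The `Copy nginx configuration in place.` task continues outside the hunk.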


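--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,18 @@
+---
+- name: Add nginx apt repository key for Debian < 8
+apt_key:
+url: http://nginx.org/keys/nginx_signing.key
+state: present
+when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+- name: Add nginx apt repository for Debian < 8
+apt_repository:
+repo: 'deb [arch=amd64,i386] http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx'
+state: present
+when: ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', 'lt')
+- name: Ensure nginx is installed.
+apt:
+pkg: nginx
+state: installed
+default_release: "{{ nginx_default_release }}"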
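Review bot: `url: http://nginx.org/keys/nginx_signing.key` fetches the repository signing key over plain HTTP, so whoever sits on the path during provisioning can hand the host a key of their choosing, and that key then validates every package apt later takes from the nginx.org repository added in the next task. Fetch it over TLS, `url: https://nginx.org/keys/nginx_signing.key`, and pin the expected key with the module's `id:` parameter (the published fingerprint is not on this page, so it has to be looked up). `state: installed` on the `Ensure nginx is installed.` task is a deprecated alias for `present`.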


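--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,9 @@
+---
+- name: Install ntpd
+yum: name="{{item}}" state=installed
+with_items:
+- ntp
+- ntpdate
+- name: enable ntpd
+service: name=ntpd enabled=yes state=started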


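--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1 @@
+swap_size_mb: 1024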


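--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,18 @@
+- name: Create swap space
+command: dd if=/dev/zero of=/extraswap bs=1M count={{swap_size_mb}}
+when: ansible_swaptotal_mb < 1
+- name: Make swap
+command: mkswap /extraswap
+when: ansible_swaptotal_mb < 1
+- name: Add to fstab
+action: lineinfile dest=/etc/fstab regexp="extraswap" line="/extraswap none swap sw 0 0" state=present
+when: ansible_swaptotal_mb < 1
+- name: Turn swap on
+command: swapon -a
+when: ansible_swaptotal_mb < 1
+- name: Set swapiness
+shell: echo 1 | tee /proc/sys/vm/swappiness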
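Review bot: `/extraswap` is created by `dd` with whatever the root umask yields, typically 0644, so every local account can read a file that will hold paged-out process memory, including whatever secrets the application had in RAM. Add a task between `Create swap space` and `Make swap`: `- name: Restrict swap file permissions` / `file: path=/extraswap owner=root group=root mode=0600` / `when: ansible_swaptotal_mb < 1`. `shell: echo 1 | tee /proc/sys/vm/swappiness` reports changed on every run and does not survive a reboot; `sysctl: name=vm.swappiness value=1 state=present` does both, and the `Create swap space` command should carry `creates=/extraswap` so a partial earlier run does not overwrite an existing file. The file also lacks the `---` document start the sibling task files use.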


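--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,42 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
-{% set nginx_user = 'www-data'%}
-{% elif ansible_distribution == 'CentOS' %}
-{% set nginx_user = 'nginx '%}
-{% else %}
-{% set nginx_user = 'nobody' %}
-{% endif %}
-user {{ nginx_user }};
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-events {
-worker_connections {{ max_worker_connections }};
-}
-http {
-log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-'$status $body_bytes_sent "$http_referer" '
-'"$http_user_agent" "$http_x_forwarded_for"';
-access_log /var/log/nginx/access.log main;
-sendfile on;
-tcp_nopush on;
-tcp_nodelay on;
-keepalive_timeout 65;
-types_hash_max_size 2048;
-include /etc/nginx/mime.types;
-default_type application/octet-stream;
-# Load modular configuration files from the /etc/nginx/conf.d directory.
-# See http://nginx.org/en/docs/ngx_core_module.html#include
-# for more information.
-include /etc/nginx/conf.d/*.conf;
-}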