premier jet

.gitignore

@@ -0,0 +1 @@
+.DS_Store

.vagrant/machines/default/virtualbox/action_provision

@@ -0,0 +1 @@
+1.5:357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6

.vagrant/machines/default/virtualbox/action_set_name

@@ -0,0 +1 @@
+1568057510

.vagrant/machines/default/virtualbox/box_meta

@@ -0,0 +1 @@
+{"name":"debian/stretch64","version":"9.9.1","provider":"virtualbox","directory":"boxes/debian-VAGRANTSLASH-stretch64/9.9.1/virtualbox"}

.vagrant/machines/default/virtualbox/creator_uid

@@ -0,0 +1 @@
+501

.vagrant/machines/default/virtualbox/id

@@ -0,0 +1 @@
+357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6

.vagrant/machines/default/virtualbox/index_uuid

@@ -0,0 +1 @@
+2fa22703365741989ff40e554bc2e1cc

.vagrant/machines/default/virtualbox/private_key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA4IGno3JUyHaA/HqSNSefF8rE2LXOzGrIN6Yy69o+bYdXM1NJ
+ePN1hWKiokVTPYWt/rjyonN8yLs1jOQi/MlxnMnoXn6WCtGGke2x0t+FH8qLw5yn
+W++aTmrnp3LqK5U9jof57zbikYpU5895jp/ftRWmUXkeqMy+BKheLKfsdlVQIKDV
+P33AeP7MDi8M649dT+cuZFNiiXdCV9wCA7HmUCgoc6EKukyc6E9Oon0YKm2VRLEO
+o808HbamO/u7HYLGiR+Rm/WMhqBasUCJo+8wYFqCZqcGHDqZtnSityVyPZqk/8S9
+HRXyWUBdNsrwNvgDMH0mvqCKxRKvD0AV/hXkgwIDAQABAoIBAQC3sl7wpgQpYo14
+CPLI+3p5hTg7+ccUC+t3XU4dHZ4nEK6RGHztsodedK6OCBtsI42S9tHRip13wXa3
+qZPXMxz7JVo0t28duwNZNBxkZvAOazShAfUOjKa9s0uI/8YLkzmi/i/LRCVu4LlI
+U8MqqDXrfaNw1qH3jE+OkBU+hMg+qVbNVzbEOfIMFOamGAP/I+IYFIHPQQl3dPfL
+cjT0CmIjGn0jmPe+KyKG7G9evOMrV/QS45+C3gugJOVQXvarr/+l4qHs9kR8wZsb
+u4QUSt/TBDZZgSipuywwUJum7uEjnWv1Fsjsl9Zd/86CBgmcQdta0zX/dssxxa8D
+auw88oIBAoGBAP2ayRS0/mW1nj5CaJQpNgY++s3gqXH0BOmXMuO5P7hO31RDvpTf
+gpkNYxlORe6cTx1U9oCwlOacjT9sMmiisYlYYBzMfcXDUysutzdZm3IzFxnBGFT9
+mjeG2jwPs3840B/no/eELY7dZbFr9zD9irG8cLEVD7JzO37vfqkspe/hAoGBAOKg
+gppVLaHY/6+yMW/nFxJDfvyMW6SeKXEnuxrS3tgfn/tENjL8HetTf9P2eOtqeJqj
+pumUXPeZcwJrF568ebm+gVGtBJU2sC307XYdfrBmTXwirR7UvsGIy+DyU8cCgabh
+zl0DCg9H9c3P/+Egs0maBKogDWA95nYCh5Do+DDjAoGBAJTNm6rwwEyBkoZJhP9a
+Zv6nOZZPel0Ip1FAjHWeHstQTC4vScYkl4aimkEg8ludj7ZQQgskkVn3BdHu9Gz8
++VrzZgG/4xSFFWnDEXICu/j4DVfpOxOzcieekrKnK9U8SrJNwqHbBrhLI/5EsVgn
+jJfZT+43w2wbvQ8wC4vMTNlBAoGBAJsBP/MBWYG+oztvvMKWI8CZK8zez3urthqw
+GxiArGzUTJ8Wi5+Zs3kWlnLKvO//1denIW3XzTKI4RIBX5lxviweMeNEXMMWMbBt
+OtGz4MgUYOEL8q8IwiQrRY9pD4Ypn7Yd8gDKKGJFTMllf9VigV5RGumlnKB8FhoX
+JtQllEQTAoGAdZ9QrPok+3uVhwh9noxu7antbr0WqIwMPOxFNqipTjFjYTOy3Lcr
+1WZJkAJAHH0pgCkGmTl7OPWfVO8Hru3kOYY1yDIbYCiA9/z4InjDBhAF8DEe9SlX
+aPQFWnV4Rf2nTdw0rUKGEPFkLEzXRKCY7QfEJCtZVUrAyLLn9Zhunbw=
+-----END RSA PRIVATE KEY-----

.vagrant/machines/default/virtualbox/synced_folders

@@ -0,0 +1 @@
+{"rsync":{"/vagrant":{"type":"rsync","guestpath":"/vagrant","hostpath":"/Users/jlecour/code/evolix/chexpire-ansible","disabled":false,"__vagrantfile":true,"owner":"vagrant","group":"vagrant"}}}

.vagrant/machines/default/virtualbox/vagrant_cwd

@@ -0,0 +1 @@
+/Users/jlecour/code/evolix/chexpire-ansible

.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

@@ -0,0 +1,3 @@
+# Generated by Vagrant
+
+default ansible_host=127.0.0.1 ansible_port=2222 ansible_user='vagrant' ansible_ssh_private_key_file='/Users/jlecour/code/evolix/chexpire-ansible/.vagrant/machines/default/virtualbox/private_key'

.vagrant/rgloader/loader.rb

@@ -0,0 +1,9 @@
+# This file loads the proper rgloader/loader.rb file that comes packaged
+# with Vagrant so that encoded files can properly run with Vagrant.
+
+if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
+  require File.expand_path(
+    "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
+else
+  raise "Encoded files can't be read outside of the Vagrant installer."
+end

Vagrantfile

@@ -0,0 +1,84 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.require_version ">= 1.7.0"
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box =  "debian/stretch64"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  config.vm.provider "virtualbox" do |vb|
+    # Display the VirtualBox GUI when booting the machine
+    # vb.gui = true
+
+    # Customize the amount of memory on the VM:
+    vb.memory = 1024
+    vb.cpus = 1
+  end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+  # config.vm.provision "shell", inline: <<-SHELL
+  #   apt-get update
+  #   apt-get install -y apache2
+  # SHELL
+  config.vm.provision :ansible do |ansible|
+    ansible.playbook = "vagrant.yml"
+    ansible.raw_arguments = [
+      "-b",
+      # "--ask-vault-pass",
+      # "--diff",
+      # "--step",
+      # "--syntax",
+      # "-vvv",
+    ]
+  end
+end

config.yml

@@ -0,0 +1,31 @@
+---
+
+- hosts: all
+  gather_facts: yes
+  become: yes
+
+  vars_files:
+    - vars/main.yml
+
+  roles:
+    # - { role: rbenv, username: "{{ ansible_user }}", rbenv_ruby_version: "2.6.4" }
+    # - { role: nodejs, nodejs_install_yarn: yes }
+    # - apache-vhost
+    - chexpire-admin-init
+
+  post_tasks:
+    - include_role:
+        name: etc-git
+        tasks_from: commit.yml
+      vars:
+        commit_message: "Ansible post-run config.yml"
+
+
+
+- hosts: all
+
+  vars_files:
+    - vars/main.yml
+
+  roles:
+    - { role: chexpire-user-init, username: "{{ ansible_user }}" }

evolinux.yml

@@ -0,0 +1,20 @@
+---
+
+- hosts: all
+  gather_facts: yes
+  become: yes
+
+  vars_files:
+    - vars/main.yml
+
+  roles:
+    # - evolinux-base
+    - apache
+    - mysql
+
+  post_tasks:
+    - include_role:
+        name: etc-git
+        tasks_from: commit.yml
+      vars:
+        commit_message: "Ansible post-run evolinux.yml"

roles/apache-vhost/files/chexpire.conf

@@ -0,0 +1,70 @@
+<VirtualHost *:80 *:443>
+
+    # FQDN principal
+    # ServerName chexpire.evolix.org
+    #ServerAlias chexpire.evolix.org
+
+    # Repertoire principal
+    DocumentRoot /home/vagrant/www/current/public
+
+    # Include /etc/apache2/ssl/chexpire.conf
+
+    # Propriete du repertoire
+    <Directory /home/vagrant/www/current/public/>
+        #Options +Indexes +SymLinksIfOwnerMatch
+        Options +SymLinksIfOwnerMatch
+        AllowOverride AuthConfig Limit FileInfo
+        Require all granted
+    </Directory>
+
+    <IfModule mod_proxy_http.c>
+        <Location /assets>
+            ProxyPass !
+        </Location>
+        <Location /system>
+            ProxyPass !
+        </Location>
+        <Location /packs>
+            ProxyPass !
+        </Location>
+        <Location /.well-known>
+            ProxyPass !
+        </Location>
+
+        ProxyPreserveHost On
+        ProxyPass / http://127.0.0.1:3000/
+        ProxyPassReverse / http://127.0.0.1:3000/
+
+        RequestHeader set X-Forwarded-Proto https
+
+        <Proxy *>
+            Allow from all
+        </Proxy>
+    </IfModule>
+
+    # user - group (thanks to sesse@debian.org)
+    AssignUserID vagrant vagrant
+
+    # LOG
+    CustomLog /var/log/apache2/access.log vhost_combined
+    CustomLog /home/vagrant/log/access.log combined
+    ErrorLog  /home/vagrant/log/error.log
+
+    # AWSTATS
+    # SetEnv AWSTATS_FORCE_CONFIG chexpire
+
+    # REWRITE
+    # UseCanonicalName On
+    # RewriteEngine On
+    #
+    # RewriteCond %{HTTPS} !=on
+    # RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent]
+    #
+    # RewriteCond %{HTTP_HOST} !^chexpire.evolix.org$
+    # RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
+
+    # no PHP
+    php_admin_flag engine off
+    AddType text/html .html
+
+</VirtualHost>

roles/apache-vhost/tasks/main.yml

@@ -0,0 +1 @@
+---

roles/app-user/files/public_keys/jlecour.pub

@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBE2anD/8R9siNL/ZIc7XLvlo5XC4A3lmBr6GfaxgR1rB85myy4vxrfbAnq66eEWDmUd1jG28MEj4kEd8fmPCEQmzvLKSpSemJfMw9bkHxBEl6nDrXB+86OJJ9FxkEWbE7xldPquouwb9QDYlWE7Y0SntE6ZhutQ24H/B5sHNqeRu5MJn9nhg9B4G19Ej6u4qW1PjjBeJW/wQdAkx6X9yqoOPG3ERXjfua7cKCZrGdvbV/98/dc1VVwxh94yrrHCnr7YVC1p1Hwzxv1JQznhuC8vZZrheSFA3W+FdJOOleMwjajYLBybLDwIPC7DxF3rpUsbHtPYgET7q6s341Oysz jlecour@x1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIylGTDZ7YbYGEkWPMYWZN4I8S4qDG/fYxX1HkRPhphT jlecour@x1

roles/app-user/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: reload ssh
+  service:
+    name: ssh
+    state: reloaded
+
+- name: newaliases
+  command: newaliases

roles/app-user/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include: user.yml
+
+- include: ssh.yml

roles/app-user/tasks/ssh.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Modify AllowUsers' sshd directive for {{ username }}
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!{{ username }}).)*)$'
+    replace: '\1 {{ username }}'
+  notify:
+    - reload ssh
+  tags:
+    - app_user
+
+- name: Modify Match User's sshd directive for {{ username }}
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match User ((?!{{ username }}).)*)$'
+    replace: '\1,{{ username }}'
+  notify:
+    - reload ssh
+  tags:
+    - app_user
+
+- name: Add public keys to {{ username }}
+  authorized_key:
+    user: '{{ username }}'
+    key: '{{ item }}'
+  with_file:
+    - public_keys/jlecour.pub
+  tags:
+    - app_user

roles/app-user/tasks/user.yml

@@ -0,0 +1,64 @@
+---
+- name: Test if uid exists
+  command: 'getent passwd {{ uid }}'
+  register: uidisbusy
+  ignore_errors: True
+  changed_when: False
+  check_mode: no
+  tags:
+  - app_user
+
+- name: Add Unix account with uid {{ uid }} for {{ username }}
+  user:
+    uid: '{{ uid }}'
+    name: '{{ username }}'
+    shell: /bin/bash
+    update_password: on_create
+    state: present
+  when: uidisbusy|failed
+  tags:
+  - app_user
+
+- name: Add Unix account with random uid for {{ username }}
+  user:
+    name: '{{ username }}'
+    shell: /bin/bash
+    update_password: on_create
+    state: present
+  when: uidisbusy|success
+  tags:
+  - app_user
+
+- name: the www-data user must be in the {{ username }} group
+  user:
+    name: www-data
+    groups: '{{ username }}'
+    append: yes
+  tags:
+  - app_user
+
+- name: add {{ username }} in the adm group (for logs)
+  user:
+    name: '{{ username }}'
+    groups: adm
+    append: yes
+  tags:
+  - app_user
+
+# Home directory must be accessible to the group (for www-data)
+- name: Fix perms on homedirectory for {{ username }}
+  file:
+    name: '/home/{{ username }}'
+    mode: "750"
+    state: directory
+  tags:
+  - app_user
+
+# - name: Add evomaintenance trap for {{ username }}
+#   lineinfile:
+#     dest: '/home/{{ username }}/.profile'
+#     insertafter: EOF
+#     line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+#     state: absent
+#   tags:
+#   - app_user

roles/chexpire-admin-init/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: packages are installed
+  apt:
+    name: "{{ item }}"
+  with_items:
+    - libsodium-dev
+    - default-libmysqlclient-dev

roles/chexpire-user-init/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+chexpire_app_directory: "www"
+chexpire_config__mailer_default_from: "from@example.org"
+chexpire_config__host: "chexpire.local"

roles/chexpire-user-init/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+
+
+# - name: Repository is checked-out
+#   git:
+#     repo: 'https://github.com/Evolix/chexpire.git'
+#     dest: "{{ chexpire_app_directory }}"
+#
+# - name: Bundle dependencies are installed
+#   bundler:
+#     executable: ~/.rbenv/shims/bundle
+#     chdir: "{{ chexpire_app_directory }}"
+#     state: present
+#     deployment_mode: yes
+#
+# - name: Yarn dependencies are installed
+#   command: "yarn install --check-files"
+#   args:
+#     chdir: "{{ chexpire_app_directory }}"
+
+- name: Chexpire config file is present
+  template:
+    dest: "{{ chexpire_app_directory}}/config/chexpire.yml"
+    src: chexpire.yml.j2
+    force: no
+
+- name: Database config file is copied
+  command: "cp {{ chexpire_app_directory }}/config/database.example.yml {{ chexpire_app_directory }}/config/database.yml"
+  args:
+    creates: "{{ chexpire_app_directory }}/config/database.yml"
+
+- name: Secret key base is generated
+  command: ~/.rbenv/shims/bundle exec rails secret
+  register: secret_key_base
+  args:
+    chdir: "{{ chexpire_app_directory }}"
+    creates: "{{ chexpire_app_directory }}/config/secrets.yml"
+
+- name: Secret key is in the secrets file
+  template:
+    dest: "{{ chexpire_app_directory }}/config/secrets.yml"
+    src: secrets.yml.j2
+    force: no

roles/chexpire-user-init/templates/chexpire.yml.j2

@@ -0,0 +1,3 @@
+production:
+  mailer_default_from: "{{ chexpire_config__mailer_default_from }}"
+  host: "{{ chexpire_config__host }}"

roles/chexpire-user-init/templates/secrets.yml.j2

@@ -0,0 +1,2 @@
+production:
+  secret_key_base: "{{ secret_key_base.stdout }}"

vagrant-ansible-playbook

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+export PYTHONUNBUFFERED=1
+export ANSIBLE_FORCE_COLOR=true
+export ANSIBLE_HOST_KEY_CHECKING=false
+export ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s'
+export ANSIBLE_DEPRECATION_WARNINGS=false
+
+ansible-playbook --private-key=.vagrant/machines/default/virtualbox/private_key -u vagrant -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory $@

vagrant.yml

@@ -0,0 +1,3 @@
+---
+
+- hosts: all

vars/main.yml

@@ -0,0 +1,11 @@
+---
+
+evolinux_hostname: "vagrant-ansible"
+evolinux_domain: "evolix.local"
+evolinux_ssh_allow_current_user: True
+evolinux_evomaintenance_include: False
+minifirewall_additional_trusted_ips: ["192.168.0.0/16", "10.0.0.0/8"]
+evolinux_fail2ban_include: False
+mysql_custom_datadir: '/home/mysql'
+mysql_custom_tmpdir: '/home/tmpmysql'
+mysql_custom_logdir: '/home/mysql-logs'