Browse Source

premier jet

master
Jérémy Lecour 2 years ago
commit
a59531dc4f
  1. 1
      .gitignore
  2. 1
      .vagrant/machines/default/virtualbox/action_provision
  3. 1
      .vagrant/machines/default/virtualbox/action_set_name
  4. 1
      .vagrant/machines/default/virtualbox/box_meta
  5. 1
      .vagrant/machines/default/virtualbox/creator_uid
  6. 1
      .vagrant/machines/default/virtualbox/id
  7. 1
      .vagrant/machines/default/virtualbox/index_uuid
  8. 27
      .vagrant/machines/default/virtualbox/private_key
  9. 1
      .vagrant/machines/default/virtualbox/synced_folders
  10. 1
      .vagrant/machines/default/virtualbox/vagrant_cwd
  11. 3
      .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
  12. 9
      .vagrant/rgloader/loader.rb
  13. 84
      Vagrantfile
  14. 31
      config.yml
  15. 20
      evolinux.yml
  16. 70
      roles/apache-vhost/files/chexpire.conf
  17. 1
      roles/apache-vhost/tasks/main.yml
  18. 2
      roles/app-user/files/public_keys/jlecour.pub
  19. 8
      roles/app-user/handlers/main.yml
  20. 4
      roles/app-user/tasks/main.yml
  21. 30
      roles/app-user/tasks/ssh.yml
  22. 64
      roles/app-user/tasks/user.yml
  23. 8
      roles/chexpire-admin-init/tasks/main.yml
  24. 5
      roles/chexpire-user-init/defaults/main.yml
  25. 43
      roles/chexpire-user-init/tasks/main.yml
  26. 3
      roles/chexpire-user-init/templates/chexpire.yml.j2
  27. 2
      roles/chexpire-user-init/templates/secrets.yml.j2
  28. 9
      vagrant-ansible-playbook
  29. 3
      vagrant.yml
  30. 11
      vars/main.yml

1
.gitignore

@ -0,0 +1 @@
.DS_Store

1
.vagrant/machines/default/virtualbox/action_provision

@ -0,0 +1 @@
1.5:357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6

1
.vagrant/machines/default/virtualbox/action_set_name

@ -0,0 +1 @@
1568057510

1
.vagrant/machines/default/virtualbox/box_meta

@ -0,0 +1 @@
{"name":"debian/stretch64","version":"9.9.1","provider":"virtualbox","directory":"boxes/debian-VAGRANTSLASH-stretch64/9.9.1/virtualbox"}

1
.vagrant/machines/default/virtualbox/creator_uid

@ -0,0 +1 @@
501

1
.vagrant/machines/default/virtualbox/id

@ -0,0 +1 @@
357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6

1
.vagrant/machines/default/virtualbox/index_uuid

@ -0,0 +1 @@
2fa22703365741989ff40e554bc2e1cc

27
.vagrant/machines/default/virtualbox/private_key

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA4IGno3JUyHaA/HqSNSefF8rE2LXOzGrIN6Yy69o+bYdXM1NJ
ePN1hWKiokVTPYWt/rjyonN8yLs1jOQi/MlxnMnoXn6WCtGGke2x0t+FH8qLw5yn
W++aTmrnp3LqK5U9jof57zbikYpU5895jp/ftRWmUXkeqMy+BKheLKfsdlVQIKDV
P33AeP7MDi8M649dT+cuZFNiiXdCV9wCA7HmUCgoc6EKukyc6E9Oon0YKm2VRLEO
o808HbamO/u7HYLGiR+Rm/WMhqBasUCJo+8wYFqCZqcGHDqZtnSityVyPZqk/8S9
HRXyWUBdNsrwNvgDMH0mvqCKxRKvD0AV/hXkgwIDAQABAoIBAQC3sl7wpgQpYo14
CPLI+3p5hTg7+ccUC+t3XU4dHZ4nEK6RGHztsodedK6OCBtsI42S9tHRip13wXa3
qZPXMxz7JVo0t28duwNZNBxkZvAOazShAfUOjKa9s0uI/8YLkzmi/i/LRCVu4LlI
U8MqqDXrfaNw1qH3jE+OkBU+hMg+qVbNVzbEOfIMFOamGAP/I+IYFIHPQQl3dPfL
cjT0CmIjGn0jmPe+KyKG7G9evOMrV/QS45+C3gugJOVQXvarr/+l4qHs9kR8wZsb
u4QUSt/TBDZZgSipuywwUJum7uEjnWv1Fsjsl9Zd/86CBgmcQdta0zX/dssxxa8D
auw88oIBAoGBAP2ayRS0/mW1nj5CaJQpNgY++s3gqXH0BOmXMuO5P7hO31RDvpTf
gpkNYxlORe6cTx1U9oCwlOacjT9sMmiisYlYYBzMfcXDUysutzdZm3IzFxnBGFT9
mjeG2jwPs3840B/no/eELY7dZbFr9zD9irG8cLEVD7JzO37vfqkspe/hAoGBAOKg
gppVLaHY/6+yMW/nFxJDfvyMW6SeKXEnuxrS3tgfn/tENjL8HetTf9P2eOtqeJqj
pumUXPeZcwJrF568ebm+gVGtBJU2sC307XYdfrBmTXwirR7UvsGIy+DyU8cCgabh
zl0DCg9H9c3P/+Egs0maBKogDWA95nYCh5Do+DDjAoGBAJTNm6rwwEyBkoZJhP9a
Zv6nOZZPel0Ip1FAjHWeHstQTC4vScYkl4aimkEg8ludj7ZQQgskkVn3BdHu9Gz8
+VrzZgG/4xSFFWnDEXICu/j4DVfpOxOzcieekrKnK9U8SrJNwqHbBrhLI/5EsVgn
jJfZT+43w2wbvQ8wC4vMTNlBAoGBAJsBP/MBWYG+oztvvMKWI8CZK8zez3urthqw
GxiArGzUTJ8Wi5+Zs3kWlnLKvO//1denIW3XzTKI4RIBX5lxviweMeNEXMMWMbBt
OtGz4MgUYOEL8q8IwiQrRY9pD4Ypn7Yd8gDKKGJFTMllf9VigV5RGumlnKB8FhoX
JtQllEQTAoGAdZ9QrPok+3uVhwh9noxu7antbr0WqIwMPOxFNqipTjFjYTOy3Lcr
1WZJkAJAHH0pgCkGmTl7OPWfVO8Hru3kOYY1yDIbYCiA9/z4InjDBhAF8DEe9SlX
aPQFWnV4Rf2nTdw0rUKGEPFkLEzXRKCY7QfEJCtZVUrAyLLn9Zhunbw=
-----END RSA PRIVATE KEY-----

1
.vagrant/machines/default/virtualbox/synced_folders

@ -0,0 +1 @@
{"rsync":{"/vagrant":{"type":"rsync","guestpath":"/vagrant","hostpath":"/Users/jlecour/code/evolix/chexpire-ansible","disabled":false,"__vagrantfile":true,"owner":"vagrant","group":"vagrant"}}}

1
.vagrant/machines/default/virtualbox/vagrant_cwd

@ -0,0 +1 @@
/Users/jlecour/code/evolix/chexpire-ansible

3
.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

@ -0,0 +1,3 @@
# Generated by Vagrant
default ansible_host=127.0.0.1 ansible_port=2222 ansible_user='vagrant' ansible_ssh_private_key_file='/Users/jlecour/code/evolix/chexpire-ansible/.vagrant/machines/default/virtualbox/private_key'

9
.vagrant/rgloader/loader.rb

@ -0,0 +1,9 @@
# This file loads the proper rgloader/loader.rb file that comes packaged
# with Vagrant so that encoded files can properly run with Vagrant.
if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
require File.expand_path(
"rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
else
raise "Encoded files can't be read outside of the Vagrant installer."
end

84
Vagrantfile

@ -0,0 +1,84 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.require_version ">= 1.7.0"
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "debian/stretch64"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host: 8080
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
config.vm.provider "virtualbox" do |vb|
# Display the VirtualBox GUI when booting the machine
# vb.gui = true
# Customize the amount of memory on the VM:
vb.memory = 1024
vb.cpus = 1
end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
# documentation for more information about their specific syntax and use.
# config.vm.provision "shell", inline: <<-SHELL
# apt-get update
# apt-get install -y apache2
# SHELL
config.vm.provision :ansible do |ansible|
ansible.playbook = "vagrant.yml"
ansible.raw_arguments = [
"-b",
# "--ask-vault-pass",
# "--diff",
# "--step",
# "--syntax",
# "-vvv",
]
end
end

31
config.yml

@ -0,0 +1,31 @@
---
- hosts: all
gather_facts: yes
become: yes
vars_files:
- vars/main.yml
roles:
# - { role: rbenv, username: "{{ ansible_user }}", rbenv_ruby_version: "2.6.4" }
# - { role: nodejs, nodejs_install_yarn: yes }
# - apache-vhost
- chexpire-admin-init
post_tasks:
- include_role:
name: etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible post-run config.yml"
- hosts: all
vars_files:
- vars/main.yml
roles:
- { role: chexpire-user-init, username: "{{ ansible_user }}" }

20
evolinux.yml

@ -0,0 +1,20 @@
---
- hosts: all
gather_facts: yes
become: yes
vars_files:
- vars/main.yml
roles:
# - evolinux-base
- apache
- mysql
post_tasks:
- include_role:
name: etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible post-run evolinux.yml"

70
roles/apache-vhost/files/chexpire.conf

@ -0,0 +1,70 @@
<VirtualHost *:80 *:443>
# FQDN principal
# ServerName chexpire.evolix.org
#ServerAlias chexpire.evolix.org
# Repertoire principal
DocumentRoot /home/vagrant/www/current/public
# Include /etc/apache2/ssl/chexpire.conf
# Propriete du repertoire
<Directory /home/vagrant/www/current/public/>
#Options +Indexes +SymLinksIfOwnerMatch
Options +SymLinksIfOwnerMatch
AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>
<IfModule mod_proxy_http.c>
<Location /assets>
ProxyPass !
</Location>
<Location /system>
ProxyPass !
</Location>
<Location /packs>
ProxyPass !
</Location>
<Location /.well-known>
ProxyPass !
</Location>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
RequestHeader set X-Forwarded-Proto https
<Proxy *>
Allow from all
</Proxy>
</IfModule>
# user - group (thanks to sesse@debian.org)
AssignUserID vagrant vagrant
# LOG
CustomLog /var/log/apache2/access.log vhost_combined
CustomLog /home/vagrant/log/access.log combined
ErrorLog /home/vagrant/log/error.log
# AWSTATS
# SetEnv AWSTATS_FORCE_CONFIG chexpire
# REWRITE
# UseCanonicalName On
# RewriteEngine On
#
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent]
#
# RewriteCond %{HTTP_HOST} !^chexpire.evolix.org$
# RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
# no PHP
php_admin_flag engine off
AddType text/html .html
</VirtualHost>

1
roles/apache-vhost/tasks/main.yml

@ -0,0 +1 @@
---

2
roles/app-user/files/public_keys/jlecour.pub

@ -0,0 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBE2anD/8R9siNL/ZIc7XLvlo5XC4A3lmBr6GfaxgR1rB85myy4vxrfbAnq66eEWDmUd1jG28MEj4kEd8fmPCEQmzvLKSpSemJfMw9bkHxBEl6nDrXB+86OJJ9FxkEWbE7xldPquouwb9QDYlWE7Y0SntE6ZhutQ24H/B5sHNqeRu5MJn9nhg9B4G19Ej6u4qW1PjjBeJW/wQdAkx6X9yqoOPG3ERXjfua7cKCZrGdvbV/98/dc1VVwxh94yrrHCnr7YVC1p1Hwzxv1JQznhuC8vZZrheSFA3W+FdJOOleMwjajYLBybLDwIPC7DxF3rpUsbHtPYgET7q6s341Oysz jlecour@x1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIylGTDZ7YbYGEkWPMYWZN4I8S4qDG/fYxX1HkRPhphT jlecour@x1

8
roles/app-user/handlers/main.yml

@ -0,0 +1,8 @@
---
- name: reload ssh
service:
name: ssh
state: reloaded
- name: newaliases
command: newaliases

4
roles/app-user/tasks/main.yml

@ -0,0 +1,4 @@
---
- include: user.yml
- include: ssh.yml

30
roles/app-user/tasks/ssh.yml

@ -0,0 +1,30 @@
---
- name: Modify AllowUsers' sshd directive for {{ username }}
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!{{ username }}).)*)$'
replace: '\1 {{ username }}'
notify:
- reload ssh
tags:
- app_user
- name: Modify Match User's sshd directive for {{ username }}
replace:
dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ username }}).)*)$'
replace: '\1,{{ username }}'
notify:
- reload ssh
tags:
- app_user
- name: Add public keys to {{ username }}
authorized_key:
user: '{{ username }}'
key: '{{ item }}'
with_file:
- public_keys/jlecour.pub
tags:
- app_user

64
roles/app-user/tasks/user.yml

@ -0,0 +1,64 @@
---
- name: Test if uid exists
command: 'getent passwd {{ uid }}'
register: uidisbusy
ignore_errors: True
changed_when: False
check_mode: no
tags:
- app_user
- name: Add Unix account with uid {{ uid }} for {{ username }}
user:
uid: '{{ uid }}'
name: '{{ username }}'
shell: /bin/bash
update_password: on_create
state: present
when: uidisbusy|failed
tags:
- app_user
- name: Add Unix account with random uid for {{ username }}
user:
name: '{{ username }}'
shell: /bin/bash
update_password: on_create
state: present
when: uidisbusy|success
tags:
- app_user
- name: the www-data user must be in the {{ username }} group
user:
name: www-data
groups: '{{ username }}'
append: yes
tags:
- app_user
- name: add {{ username }} in the adm group (for logs)
user:
name: '{{ username }}'
groups: adm
append: yes
tags:
- app_user
# Home directory must be accessible to the group (for www-data)
- name: Fix perms on homedirectory for {{ username }}
file:
name: '/home/{{ username }}'
mode: "750"
state: directory
tags:
- app_user
# - name: Add evomaintenance trap for {{ username }}
# lineinfile:
# dest: '/home/{{ username }}/.profile'
# insertafter: EOF
# line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
# state: absent
# tags:
# - app_user

8
roles/chexpire-admin-init/tasks/main.yml

@ -0,0 +1,8 @@
---
- name: packages are installed
apt:
name: "{{ item }}"
with_items:
- libsodium-dev
- default-libmysqlclient-dev

5
roles/chexpire-user-init/defaults/main.yml

@ -0,0 +1,5 @@
---
chexpire_app_directory: "www"
chexpire_config__mailer_default_from: "from@example.org"
chexpire_config__host: "chexpire.local"

43
roles/chexpire-user-init/tasks/main.yml

@ -0,0 +1,43 @@
---
# - name: Repository is checked-out
# git:
# repo: 'https://github.com/Evolix/chexpire.git'
# dest: "{{ chexpire_app_directory }}"
#
# - name: Bundle dependencies are installed
# bundler:
# executable: ~/.rbenv/shims/bundle
# chdir: "{{ chexpire_app_directory }}"
# state: present
# deployment_mode: yes
#
# - name: Yarn dependencies are installed
# command: "yarn install --check-files"
# args:
# chdir: "{{ chexpire_app_directory }}"
- name: Chexpire config file is present
template:
dest: "{{ chexpire_app_directory}}/config/chexpire.yml"
src: chexpire.yml.j2
force: no
- name: Database config file is copied
command: "cp {{ chexpire_app_directory }}/config/database.example.yml {{ chexpire_app_directory }}/config/database.yml"
args:
creates: "{{ chexpire_app_directory }}/config/database.yml"
- name: Secret key base is generated
command: ~/.rbenv/shims/bundle exec rails secret
register: secret_key_base
args:
chdir: "{{ chexpire_app_directory }}"
creates: "{{ chexpire_app_directory }}/config/secrets.yml"
- name: Secret key is in the secrets file
template:
dest: "{{ chexpire_app_directory }}/config/secrets.yml"
src: secrets.yml.j2
force: no

3
roles/chexpire-user-init/templates/chexpire.yml.j2

@ -0,0 +1,3 @@
production:
mailer_default_from: "{{ chexpire_config__mailer_default_from }}"
host: "{{ chexpire_config__host }}"

2
roles/chexpire-user-init/templates/secrets.yml.j2

@ -0,0 +1,2 @@
production:
secret_key_base: "{{ secret_key_base.stdout }}"

9
vagrant-ansible-playbook

@ -0,0 +1,9 @@
#!/bin/sh
export PYTHONUNBUFFERED=1
export ANSIBLE_FORCE_COLOR=true
export ANSIBLE_HOST_KEY_CHECKING=false
export ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s'
export ANSIBLE_DEPRECATION_WARNINGS=false
ansible-playbook --private-key=.vagrant/machines/default/virtualbox/private_key -u vagrant -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory $@

3
vagrant.yml

@ -0,0 +1,3 @@
---
- hosts: all

11
vars/main.yml

@ -0,0 +1,11 @@
---
evolinux_hostname: "vagrant-ansible"
evolinux_domain: "evolix.local"
evolinux_ssh_allow_current_user: True
evolinux_evomaintenance_include: False
minifirewall_additional_trusted_ips: ["192.168.0.0/16", "10.0.0.0/8"]
evolinux_fail2ban_include: False
mysql_custom_datadir: '/home/mysql'
mysql_custom_tmpdir: '/home/tmpmysql'
mysql_custom_logdir: '/home/mysql-logs'
Loading…
Cancel
Save