commit a59531dc4f1a6a855543929ae934ac269a407cbe
Author: Jérémy Lecour
Date: Mon Sep 9 23:24:54 2019 +0200
premier jet
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e43b0f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/.vagrant/machines/default/virtualbox/action_provision b/.vagrant/machines/default/virtualbox/action_provision
new file mode 100644
index 0000000..22ed29d
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/action_provision
@@ -0,0 +1 @@
+1.5:357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/action_set_name b/.vagrant/machines/default/virtualbox/action_set_name
new file mode 100644
index 0000000..4bc4d69
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/action_set_name
@@ -0,0 +1 @@
+1568057510
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/box_meta b/.vagrant/machines/default/virtualbox/box_meta
new file mode 100644
index 0000000..f521d06
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/box_meta
@@ -0,0 +1 @@
+{"name":"debian/stretch64","version":"9.9.1","provider":"virtualbox","directory":"boxes/debian-VAGRANTSLASH-stretch64/9.9.1/virtualbox"}
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/creator_uid b/.vagrant/machines/default/virtualbox/creator_uid
new file mode 100644
index 0000000..ec52cb8
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/creator_uid
@@ -0,0 +1 @@
+501
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/id b/.vagrant/machines/default/virtualbox/id
new file mode 100644
index 0000000..f8c882f
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/id
@@ -0,0 +1 @@
+357ab7d8-b5fd-4aef-9f10-5f4b8a92eeb6
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/index_uuid b/.vagrant/machines/default/virtualbox/index_uuid
new file mode 100644
index 0000000..59c43bb
--- /dev/null
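Review bot: `.gitignore` is added with only `.DS_Store`, so this same commit checks in the whole `.vagrant/` state directory, including the VM's SSH private key (`.vagrant/machines/default/virtualbox/private_key`, the hunk on the third line of this listing) and the `synced_folders`, `vagrant_cwd` and generated inventory files, which embed the author's absolute home path. Nothing under `.vagrant/` needs to be versioned; add `.vagrant/` to `.gitignore` and drop the directory from the index with `git rm -r --cached .vagrant`. A key that has been committed should be treated as disclosed even though it only authenticates to a local VirtualBox guest; destroying and recreating the box gives it a fresh one.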
+++ b/.vagrant/machines/default/virtualbox/index_uuid
@@ -0,0 +1 @@
+2fa22703365741989ff40e554bc2e1cc
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/private_key b/.vagrant/machines/default/virtualbox/private_key
new file mode 100644
index 0000000..7764418
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/private_key
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA4IGno3JUyHaA/HqSNSefF8rE2LXOzGrIN6Yy69o+bYdXM1NJ +ePN1hWKiokVTPYWt/rjyonN8yLs1jOQi/MlxnMnoXn6WCtGGke2x0t+FH8qLw5yn +W++aTmrnp3LqK5U9jof57zbikYpU5895jp/ftRWmUXkeqMy+BKheLKfsdlVQIKDV +P33AeP7MDi8M649dT+cuZFNiiXdCV9wCA7HmUCgoc6EKukyc6E9Oon0YKm2VRLEO +o808HbamO/u7HYLGiR+Rm/WMhqBasUCJo+8wYFqCZqcGHDqZtnSityVyPZqk/8S9 +HRXyWUBdNsrwNvgDMH0mvqCKxRKvD0AV/hXkgwIDAQABAoIBAQC3sl7wpgQpYo14 +CPLI+3p5hTg7+ccUC+t3XU4dHZ4nEK6RGHztsodedK6OCBtsI42S9tHRip13wXa3 +qZPXMxz7JVo0t28duwNZNBxkZvAOazShAfUOjKa9s0uI/8YLkzmi/i/LRCVu4LlI +U8MqqDXrfaNw1qH3jE+OkBU+hMg+qVbNVzbEOfIMFOamGAP/I+IYFIHPQQl3dPfL +cjT0CmIjGn0jmPe+KyKG7G9evOMrV/QS45+C3gugJOVQXvarr/+l4qHs9kR8wZsb +u4QUSt/TBDZZgSipuywwUJum7uEjnWv1Fsjsl9Zd/86CBgmcQdta0zX/dssxxa8D +auw88oIBAoGBAP2ayRS0/mW1nj5CaJQpNgY++s3gqXH0BOmXMuO5P7hO31RDvpTf +gpkNYxlORe6cTx1U9oCwlOacjT9sMmiisYlYYBzMfcXDUysutzdZm3IzFxnBGFT9 +mjeG2jwPs3840B/no/eELY7dZbFr9zD9irG8cLEVD7JzO37vfqkspe/hAoGBAOKg +gppVLaHY/6+yMW/nFxJDfvyMW6SeKXEnuxrS3tgfn/tENjL8HetTf9P2eOtqeJqj +pumUXPeZcwJrF568ebm+gVGtBJU2sC307XYdfrBmTXwirR7UvsGIy+DyU8cCgabh +zl0DCg9H9c3P/+Egs0maBKogDWA95nYCh5Do+DDjAoGBAJTNm6rwwEyBkoZJhP9a +Zv6nOZZPel0Ip1FAjHWeHstQTC4vScYkl4aimkEg8ludj7ZQQgskkVn3BdHu9Gz8 ++VrzZgG/4xSFFWnDEXICu/j4DVfpOxOzcieekrKnK9U8SrJNwqHbBrhLI/5EsVgn +jJfZT+43w2wbvQ8wC4vMTNlBAoGBAJsBP/MBWYG+oztvvMKWI8CZK8zez3urthqw +GxiArGzUTJ8Wi5+Zs3kWlnLKvO//1denIW3XzTKI4RIBX5lxviweMeNEXMMWMbBt +OtGz4MgUYOEL8q8IwiQrRY9pD4Ypn7Yd8gDKKGJFTMllf9VigV5RGumlnKB8FhoX +JtQllEQTAoGAdZ9QrPok+3uVhwh9noxu7antbr0WqIwMPOxFNqipTjFjYTOy3Lcr +1WZJkAJAHH0pgCkGmTl7OPWfVO8Hru3kOYY1yDIbYCiA9/z4InjDBhAF8DEe9SlX +aPQFWnV4Rf2nTdw0rUKGEPFkLEzXRKCY7QfEJCtZVUrAyLLn9Zhunbw= +-----END RSA PRIVATE KEY----- diff --git a/.vagrant/machines/default/virtualbox/synced_folders b/.vagrant/machines/default/virtualbox/synced_folders new file mode 100644 index 0000000..aae2c19 --- /dev/null +++ b/.vagrant/machines/default/virtualbox/synced_folders 
@@ -0,0 +1 @@
+{"rsync":{"/vagrant":{"type":"rsync","guestpath":"/vagrant","hostpath":"/Users/jlecour/code/evolix/chexpire-ansible","disabled":false,"__vagrantfile":true,"owner":"vagrant","group":"vagrant"}}}
\ No newline at end of file
diff --git a/.vagrant/machines/default/virtualbox/vagrant_cwd b/.vagrant/machines/default/virtualbox/vagrant_cwd
new file mode 100644
index 0000000..169accc
--- /dev/null
+++ b/.vagrant/machines/default/virtualbox/vagrant_cwd
@@ -0,0 +1 @@
+/Users/jlecour/code/evolix/chexpire-ansible
\ No newline at end of file
diff --git a/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory b/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
new file mode 100644
index 0000000..671066c
--- /dev/null
+++ b/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
@@ -0,0 +1,3 @@
+# Generated by Vagrant
+
+default ansible_host=127.0.0.1 ansible_port=2222 ansible_user='vagrant' ansible_ssh_private_key_file='/Users/jlecour/code/evolix/chexpire-ansible/.vagrant/machines/default/virtualbox/private_key'
diff --git a/.vagrant/rgloader/loader.rb b/.vagrant/rgloader/loader.rb
new file mode 100644
index 0000000..c3c05b0
--- /dev/null
+++ b/.vagrant/rgloader/loader.rb
@@ -0,0 +1,9 @@
+# This file loads the proper rgloader/loader.rb file that comes packaged
+# with Vagrant so that encoded files can properly run with Vagrant.
+
+if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
+ require File.expand_path(
+ "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
+else
+ raise "Encoded files can't be read outside of the Vagrant installer."
+end
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..25ce717
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,84 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.require_version ">= 1.7.0" + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + config.vm.box = "debian/stretch64" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # NOTE: This will enable public access to the opened port + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine and only allow access + # via 127.0.0.1 to disable public access + # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. 
The first argument is
+ # the path on the host to the actual folder. The second argument is
+ # the path on the guest to mount the folder. And the optional third
+ # argument is a set of non-required options.
+ # config.vm.synced_folder "../data", "/vagrant_data"
+
+ # Provider-specific configuration so you can fine-tune various
+ # backing providers for Vagrant. These expose provider-specific options.
+ # Example for VirtualBox:
+ #
+ config.vm.provider "virtualbox" do |vb|
+ # Display the VirtualBox GUI when booting the machine
+ # vb.gui = true
+
+ # Customize the amount of memory on the VM:
+ vb.memory = 1024
+ vb.cpus = 1
+ end
+ #
+ # View the documentation for the provider you are using for more
+ # information on available options.
+
+ # Enable provisioning with a shell script. Additional provisioners such as
+ # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+ # documentation for more information about their specific syntax and use.
+ # config.vm.provision "shell", inline: <<-SHELL
+ # apt-get update
+ # apt-get install -y apache2
+ # SHELL
+ config.vm.provision :ansible do |ansible|
+ ansible.playbook = "vagrant.yml"
+ ansible.raw_arguments = [
+ "-b",
+ # "--ask-vault-pass",
+ # "--diff",
+ # "--step",
+ # "--syntax",
+ # "-vvv",
+ ]
+ end
+end
diff --git a/config.yml b/config.yml
new file mode 100644
index 0000000..db13927
--- /dev/null
+++ b/config.yml
@@ -0,0 +1,31 @@
+---
+
+- hosts: all
+ gather_facts: yes
+ become: yes
+
+ vars_files:
+ - vars/main.yml
+
+ roles:
+ # - { role: rbenv, username: "{{ ansible_user }}", rbenv_ruby_version: "2.6.4" }
+ # - { role: nodejs, nodejs_install_yarn: yes }
+ # - apache-vhost
+ - chexpire-admin-init
+
+ post_tasks:
+ - include_role:
+ name: etc-git
+ tasks_from: commit.yml
+ vars:
+ commit_message: "Ansible post-run config.yml"
+
+
+
+- hosts: all
+
+ vars_files:
+ - vars/main.yml
+
+ roles:
+ - { role: chexpire-user-init, username: "{{ ansible_user }}" }
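Review bot: The second play passes `username: "{{ ansible_user }}"` to `chexpire-user-init`, but nothing in that role as added in this commit (its defaults, tasks or templates) reads `username`; the role that does consume it, `app-user`, is not referenced from any playbook here. Either include `app-user` in the first play, which has the `become: yes` it needs to edit `/etc/ssh/sshd_config` and create the account, or drop the unused parameter. The second play also runs `chexpire-user-init`, which hard-codes `~/.rbenv/shims/bundle`, while the `rbenv` role that would provide it is commented out; if rbenv is expected to be installed by hand for now, a comment on the commented-out role line saying so would save the next reader a failed run.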
diff --git a/evolinux.yml b/evolinux.yml new file mode 100644 index 0000000..373f42b --- /dev/null +++ b/evolinux.yml @@ -0,0 +1,20 @@ +--- + +- hosts: all + gather_facts: yes + become: yes + + vars_files: + - vars/main.yml + + roles: + # - evolinux-base + - apache + - mysql + + post_tasks: + - include_role: + name: etc-git + tasks_from: commit.yml + vars: + commit_message: "Ansible post-run evolinux.yml" diff --git a/roles/apache-vhost/files/chexpire.conf b/roles/apache-vhost/files/chexpire.conf new file mode 100644 index 0000000..bbebaaf --- /dev/null +++ b/roles/apache-vhost/files/chexpire.conf @@ -0,0 +1,70 @@ + + + # FQDN principal + # ServerName chexpire.evolix.org + #ServerAlias chexpire.evolix.org + + # Repertoire principal + DocumentRoot /home/vagrant/www/current/public + + # Include /etc/apache2/ssl/chexpire.conf + + # Propriete du repertoire + + #Options +Indexes +SymLinksIfOwnerMatch + Options +SymLinksIfOwnerMatch + AllowOverride AuthConfig Limit FileInfo + Require all granted + + + + + ProxyPass ! + + + ProxyPass ! + + + ProxyPass ! + + + ProxyPass ! + + + ProxyPreserveHost On + ProxyPass / http://127.0.0.1:3000/ + ProxyPassReverse / http://127.0.0.1:3000/ + + RequestHeader set X-Forwarded-Proto https + + + Allow from all + + + + # user - group (thanks to sesse@debian.org) + AssignUserID vagrant vagrant + + # LOG + CustomLog /var/log/apache2/access.log vhost_combined + CustomLog /home/vagrant/log/access.log combined + ErrorLog /home/vagrant/log/error.log + + # AWSTATS + # SetEnv AWSTATS_FORCE_CONFIG chexpire + + # REWRITE + # UseCanonicalName On + # RewriteEngine On + # + # RewriteCond %{HTTPS} !=on + # RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent] + # + # RewriteCond %{HTTP_HOST} !^chexpire.evolix.org$ + # RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] + + # no PHP + php_admin_flag engine off + AddType text/html .html + + 
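Review bot: `RequestHeader set X-Forwarded-Proto https` is set unconditionally in this vhost while the `Include /etc/apache2/ssl/chexpire.conf` line and the HTTPS rewrite rules are commented out, so if this vhost answers on port 80 the Rails app behind `ProxyPass / http://127.0.0.1:3000/` will treat plain-HTTP requests as secure (cookies flagged `Secure`, `force_ssl` redirects skipped). The container directives (`<VirtualHost>`, `<Directory>`, `<Location>`) are not visible in this rendering, so I cannot confirm which port the vhost binds; either keep the header only in the TLS vhost or guard it, e.g. `RequestHeader set X-Forwarded-Proto https env=HTTPS`. The block also mixes the Apache 2.2 `Allow from all` with the 2.4 `Require all granted`; on 2.4 the former only works through `mod_access_compat`, so keep just the `Require` form. Note that `config.yml` has the `apache-vhost` role commented out and `roles/apache-vhost/tasks/main.yml` contains only `---`, so as of this commit nothing deploys this file.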
diff --git a/roles/apache-vhost/tasks/main.yml b/roles/apache-vhost/tasks/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/apache-vhost/tasks/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/app-user/files/public_keys/jlecour.pub b/roles/app-user/files/public_keys/jlecour.pub
new file mode 100644
index 0000000..63af52f
--- /dev/null
+++ b/roles/app-user/files/public_keys/jlecour.pub
@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBE2anD/8R9siNL/ZIc7XLvlo5XC4A3lmBr6GfaxgR1rB85myy4vxrfbAnq66eEWDmUd1jG28MEj4kEd8fmPCEQmzvLKSpSemJfMw9bkHxBEl6nDrXB+86OJJ9FxkEWbE7xldPquouwb9QDYlWE7Y0SntE6ZhutQ24H/B5sHNqeRu5MJn9nhg9B4G19Ej6u4qW1PjjBeJW/wQdAkx6X9yqoOPG3ERXjfua7cKCZrGdvbV/98/dc1VVwxh94yrrHCnr7YVC1p1Hwzxv1JQznhuC8vZZrheSFA3W+FdJOOleMwjajYLBybLDwIPC7DxF3rpUsbHtPYgET7q6s341Oysz jlecour@x1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIylGTDZ7YbYGEkWPMYWZN4I8S4qDG/fYxX1HkRPhphT jlecour@x1
diff --git a/roles/app-user/handlers/main.yml b/roles/app-user/handlers/main.yml
new file mode 100644
index 0000000..77a81ca
--- /dev/null
+++ b/roles/app-user/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: reload ssh
+ service:
+ name: ssh
+ state: reloaded
+
+- name: newaliases
+ command: newaliases
diff --git a/roles/app-user/tasks/main.yml b/roles/app-user/tasks/main.yml
new file mode 100644
index 0000000..7c420cb
--- /dev/null
+++ b/roles/app-user/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: user.yml
+
+- include: ssh.yml
diff --git a/roles/app-user/tasks/ssh.yml b/roles/app-user/tasks/ssh.yml
new file mode 100644
index 0000000..3beb1aa
--- /dev/null
+++ b/roles/app-user/tasks/ssh.yml
@@ -0,0 +1,30 @@
+---
+
+- name: Modify AllowUsers' sshd directive for {{ username }}
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!{{ username }}).)*)$'
+ replace: '\1 {{ username }}'
+ notify:
+ - reload ssh
+ tags:
+ - app_user
+
+- name: Modify Match User's sshd directive for {{ username }}
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(Match User ((?!{{ username }}).)*)$'
+ replace: '\1,{{ username }}'
+ notify:
+ - reload ssh
+ tags:
+ - app_user
+
+- name: Add public keys to {{ username }}
+ authorized_key:
+ user: '{{ username }}'
+ key: '{{ item }}'
+ with_file:
+ - public_keys/jlecour.pub
+ tags:
+ - app_user
diff --git a/roles/app-user/tasks/user.yml b/roles/app-user/tasks/user.yml
new file mode 100644
index 0000000..e42e832
--- /dev/null
+++ b/roles/app-user/tasks/user.yml
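Review bot: In both `replace` tasks the `username` value is interpolated into `regexp` unescaped and the negative lookahead `((?!{{ username }}).)*` matches on substring, so a user named `www` is reported as already present whenever `AllowUsers` lists `www-data` and is never added, and a name containing `.` or `+` silently changes the pattern. Escape the value and require a whole space-delimited token, e.g. `regexp: '^(AllowUsers ((?!(?<!\S){{ username | regex_escape }}(?!\S)).)*)$'`, with the comma-delimited equivalent for the `Match User` task. `replace` is also a no-op when the file has no `AllowUsers` line at all, so on a stock `sshd_config` the task reports ok and the user stays locked out; a `lineinfile` fallback or a follow-up check would make that visible. The third task hard-codes `public_keys/jlecour.pub` for every `username`, granting one person's key to each account this role creates; make the key files a role variable (e.g. `app_user_public_keys`) and iterate over it instead.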
@@ -0,0 +1,64 @@
+---
+- name: Test if uid exists
+ command: 'getent passwd {{ uid }}'
+ register: uidisbusy
+ ignore_errors: True
+ changed_when: False
+ check_mode: no
+ tags:
+ - app_user
+
+- name: Add Unix account with uid {{ uid }} for {{ username }}
+ user:
+ uid: '{{ uid }}'
+ name: '{{ username }}'
+ shell: /bin/bash
+ update_password: on_create
+ state: present
+ when: uidisbusy|failed
+ tags:
+ - app_user
+
+- name: Add Unix account with random uid for {{ username }}
+ user:
+ name: '{{ username }}'
+ shell: /bin/bash
+ update_password: on_create
+ state: present
+ when: uidisbusy|success
+ tags:
+ - app_user
+
+- name: the www-data user must be in the {{ username }} group
+ user:
+ name: www-data
+ groups: '{{ username }}'
+ append: yes
+ tags:
+ - app_user
+
+- name: add {{ username }} in the adm group (for logs)
+ user:
+ name: '{{ username }}'
+ groups: adm
+ append: yes
+ tags:
+ - app_user
+
+# Home directory must be accessible to the group (for www-data)
+- name: Fix perms on homedirectory for {{ username }}
+ file:
+ name: '/home/{{ username }}'
+ mode: "750"
+ state: directory
+ tags:
+ - app_user
+
+# - name: Add evomaintenance trap for {{ username }}
+# lineinfile:
+# dest: '/home/{{ username }}/.profile'
+# insertafter: EOF
+# line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+# state: absent
+# tags:
+# - app_user
diff --git a/roles/chexpire-admin-init/tasks/main.yml b/roles/chexpire-admin-init/tasks/main.yml
new file mode 100644
index 0000000..85d1e12
--- /dev/null
+++ b/roles/chexpire-admin-init/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: packages are installed
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - libsodium-dev
+ - default-libmysqlclient-dev
diff --git a/roles/chexpire-user-init/defaults/main.yml b/roles/chexpire-user-init/defaults/main.yml
new file mode 100644
index 0000000..30f07eb
--- /dev/null
+++ b/roles/chexpire-user-init/defaults/main.yml
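Review bot: `when: uidisbusy|failed` and `when: uidisbusy|success` use the `failed`/`success` filters, which Ansible deprecated in 2.5 and removed in 2.9, so this role stops parsing on a current Ansible; the test form `when: uidisbusy is failed` and `when: uidisbusy is succeeded` is the drop-in replacement. The probe itself would be cleaner with the `getent` module (`getent: database=passwd key={{ uid }} fail_key=no`, then test `getent_passwd` for the key) instead of `command` plus `ignore_errors`, which also keeps the expected "uid free" case out of the red ignored-error output. In the `chexpire-admin-init` hunk further along this line, `apt` is looped with `with_items`; passing the list directly to `name:` installs both packages in one apt transaction and is the form the module documents.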
@@ -0,0 +1,5 @@
+---
+
+chexpire_app_directory: "www"
+chexpire_config__mailer_default_from: "from@example.org"
+chexpire_config__host: "chexpire.local"
diff --git a/roles/chexpire-user-init/tasks/main.yml b/roles/chexpire-user-init/tasks/main.yml
new file mode 100644
index 0000000..ebef4db
--- /dev/null
+++ b/roles/chexpire-user-init/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+
+
+# - name: Repository is checked-out
+# git:
+# repo: 'https://github.com/Evolix/chexpire.git'
+# dest: "{{ chexpire_app_directory }}"
+#
+# - name: Bundle dependencies are installed
+# bundler:
+# executable: ~/.rbenv/shims/bundle
+# chdir: "{{ chexpire_app_directory }}"
+# state: present
+# deployment_mode: yes
+#
+# - name: Yarn dependencies are installed
+# command: "yarn install --check-files"
+# args:
+# chdir: "{{ chexpire_app_directory }}"
+
+- name: Chexpire config file is present
+ template:
+ dest: "{{ chexpire_app_directory}}/config/chexpire.yml"
+ src: chexpire.yml.j2
+ force: no
+
+- name: Database config file is copied
+ command: "cp {{ chexpire_app_directory }}/config/database.example.yml {{ chexpire_app_directory }}/config/database.yml"
+ args:
+ creates: "{{ chexpire_app_directory }}/config/database.yml"
+
+- name: Secret key base is generated
+ command: ~/.rbenv/shims/bundle exec rails secret
+ register: secret_key_base
+ args:
+ chdir: "{{ chexpire_app_directory }}"
+ creates: "{{ chexpire_app_directory }}/config/secrets.yml"
+
+- name: Secret key is in the secrets file
+ template:
+ dest: "{{ chexpire_app_directory }}/config/secrets.yml"
+ src: secrets.yml.j2
+ force: no
diff --git a/roles/chexpire-user-init/templates/chexpire.yml.j2 b/roles/chexpire-user-init/templates/chexpire.yml.j2
new file mode 100644
index 0000000..0eaebd2
--- /dev/null
+++ b/roles/chexpire-user-init/templates/chexpire.yml.j2
@@ -0,0 +1,3 @@
+production:
+ mailer_default_from: "{{ chexpire_config__mailer_default_from }}"
+ host: "{{ chexpire_config__host }}"
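Review bot: The `Secret key base is generated` task is skipped on every run after the first because of `creates: .../config/secrets.yml`, and a skipped task registers a result with no `stdout`; as far as I can tell the template action renders `secrets.yml.j2` (which reads `{{ secret_key_base.stdout }}`) before `force: no` is considered, so the second run of this role fails on an undefined attribute rather than being a no-op. The registered result also carries the generated secret in clear, and it is echoed by `-v` or any verbose callback unless the task sets `no_log: true`. Guarding both tasks on one `stat` of the secrets file keeps them idempotent, keeps the secret out of logs, and lets the template set a restrictive mode on the file it writes.
```yaml
# … unchanged: config and database.yml tasks …

- name: Secrets file status is known
  stat:
    path: "{{ chexpire_app_directory }}/config/secrets.yml"
  register: chexpire_secrets_file

- name: Secret key base is generated
  command: ~/.rbenv/shims/bundle exec rails secret
  register: secret_key_base
  args:
    chdir: "{{ chexpire_app_directory }}"
  when: not chexpire_secrets_file.stat.exists
  no_log: true

- name: Secret key is in the secrets file
  template:
    dest: "{{ chexpire_app_directory }}/config/secrets.yml"
    src: secrets.yml.j2
    mode: "0600"
  when: not chexpire_secrets_file.stat.exists
  no_log: true
```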
diff --git a/roles/chexpire-user-init/templates/secrets.yml.j2 b/roles/chexpire-user-init/templates/secrets.yml.j2
new file mode 100644
index 0000000..54d383e
--- /dev/null
+++ b/roles/chexpire-user-init/templates/secrets.yml.j2
@@ -0,0 +1,2 @@
+production:
+ secret_key_base: "{{ secret_key_base.stdout }}"
diff --git a/vagrant-ansible-playbook b/vagrant-ansible-playbook
new file mode 100755
index 0000000..da0fa82
--- /dev/null
+++ b/vagrant-ansible-playbook
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+export PYTHONUNBUFFERED=1
+export ANSIBLE_FORCE_COLOR=true
+export ANSIBLE_HOST_KEY_CHECKING=false
+export ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s'
+export ANSIBLE_DEPRECATION_WARNINGS=false
+
+ansible-playbook --private-key=.vagrant/machines/default/virtualbox/private_key -u vagrant -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory $@
diff --git a/vagrant.yml b/vagrant.yml
new file mode 100644
index 0000000..4faf546
--- /dev/null
+++ b/vagrant.yml
@@ -0,0 +1,3 @@
+---
+
+- hosts: all
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..df6dfb6
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,11 @@
+---
+
+evolinux_hostname: "vagrant-ansible"
+evolinux_domain: "evolix.local"
+evolinux_ssh_allow_current_user: True
+evolinux_evomaintenance_include: False
+minifirewall_additional_trusted_ips: ["192.168.0.0/16", "10.0.0.0/8"]
+evolinux_fail2ban_include: False
+mysql_custom_datadir: '/home/mysql'
+mysql_custom_tmpdir: '/home/tmpmysql'
+mysql_custom_logdir: '/home/mysql-logs'
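Review bot: `$@` on the last line of `vagrant-ansible-playbook` is unquoted, so any argument containing whitespace (an `-e "a=1 b=2"` extra-vars string, a path with a space) is re-split before it reaches `ansible-playbook`; write `"$@"`. The `.vagrant/...` key and inventory paths are relative, so the wrapper only works when run from the repository root; a `cd "$(dirname "$0")" || exit 1` before the call removes that dependency. `ANSIBLE_HOST_KEY_CHECKING=false` together with `UserKnownHostsFile=/dev/null` disables host authentication entirely, which is acceptable for a throwaway local box but makes this wrapper unsafe to reuse against any other inventory; a header comment stating it is Vagrant-only would make that intent explicit. `-u vagrant` and `--private-key` duplicate the `ansible_user` and `ansible_ssh_private_key_file` values the generated inventory already carries, so they can be dropped.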
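Review bot: `minifirewall_additional_trusted_ips: ["192.168.0.0/16", "10.0.0.0/8"]` trusts every host in two full RFC 1918 ranges; that is harmless for a NAT'd VirtualBox guest, but this file is loaded unconditionally by both `config.yml` and `evolinux.yml`, so pointing either playbook at a non-Vagrant inventory would firewall-trust the whole private network. A comment on that line marking the values as Vagrant-only, or moving them into a Vagrant-specific vars file, keeps them from being copied into a real deployment.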