forked from acolab/acolock
-
Notifications
You must be signed in to change notification settings - Fork 0
/
site.yml
147 lines (126 loc) · 3.29 KB
/
site.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
---
# Inspired by:
# - http://docs.gunicorn.org/en/stable/deploy.html
- hosts: pi
remote_user: pi
become: yes
roles:
- { name: dnsmasq, tags: ["dnsmasq"] }
- { name: sshd_config, tags: ["sshd_config"] }
- { name: ssh_port_forward, tags: ["ssh_port_forward"] }
tasks:
- name: Set timezone
copy:
content: "Europe/Paris\n"
dest: /etc/timezone
tags:
- back
- timezone
- name: Install service config
template:
src: acolock_back.service
dest: /etc/systemd/system/acolock_back.service
notify:
- reload systemd
tags:
- back
- name: Install socket config
template:
src: acolock_back.socket
dest: /etc/systemd/system/acolock_back.socket
notify:
- reload systemd
tags:
- back
- meta: flush_handlers
tags:
- back
- name: Ensure the latest rsync is installed
apt:
name: rsync
state: latest
- name: Ensure the latest python3-venv is installed
apt:
name: python3-venv
state: latest
- name: Ensure python3-dev is installed
apt:
name: python3-dev
- name: Ensure build-essential is installed
apt:
name: build-essential
- name: Ensure sqlite3 is installed
apt:
name: sqlite3
- name: Ensure the latest nginx is installed
apt:
name: nginx
state: latest
- name: Ensure nginx service is running and enabled
service:
name: nginx
state: started
enabled: yes
- name: Ensure gunicorn is installed
apt:
name: gunicorn3
state: latest
- name: Ensure default nginx site is disabled
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify:
restart nginx
- name: Install acolock nginx config
template:
src: nginx_config.j2
dest: /etc/nginx/conf.d/acolock.conf
notify:
- restart nginx
- name: Create /run/acolock
file:
path: /run/acolock
state: directory
- name: Ensure service is enabled
service:
name: acolock_back.service
enabled: yes
- name: Ensure socket is enabled
service:
name: acolock_back.socket
enabled: yes
- name: generate dhparams
shell: openssl dhparam -out /etc/nginx/dhparam.pem 2048
args:
creates: /etc/nginx/dhparam.pem
- name: install certificate
shell: bash -c "source /root/.acme.sh/acme.sh.env; /root/.acme.sh/acme.sh --install-cert -d {{ acolock_hostname }} --key-file /etc/nginx/{{ acolock_hostname }}.key --fullchain-file /etc/nginx/{{ acolock_hostname }}.cer --reloadcmd \"systemctl reload nginx\""
tags: certificate
- name: Ensure Hardware Watchdog is enabled at boot
lineinfile:
path: /boot/config.txt
line: dtparam=watchdog=on
register: hw_watchdog
- name: Reboot the machine
reboot:
reboot_timeout: 3600
when: hw_watchdog.changed
- name: Ensure Watchdog package is installed
apt:
name: watchdog
- name: Write watchdog config
template:
src: watchdog.conf
dest: /etc/watchdog.conf
- name: Ensure Watchdog is enabled and started
service:
name: watchdog
state: started
enabled: yes
handlers:
- name: restart nginx
service:
name: nginx
state: restarted
- name: reload systemd
command: systemctl daemon-reload