add psycopg2 to reqs.txt

Author: mattmakai

deploy/group_vars/all

@@ -0,0 +1,8 @@
+deploy_user: deployer
+deploy_group: deployers
+ssh_dir: "/home/matt/serverconfig/"
+ssh_key_name: "serverconfig"
+
+db_name: "chapter6"
+db_user: "{{ deploy_user }}"
+db_password: pleaseuseagoodpassword

deploy/hosts

@@ -0,0 +1,13 @@
+[init_config]
+142.93.123.128 ansible_python_interpreter=/usr/bin/python3
+142.93.119.59 ansible_python_interpreter=/usr/bin/python3
+
+[common]
+142.93.123.128 ansible_python_interpreter=/usr/bin/python3
+142.93.119.59 ansible_python_interpreter=/usr/bin/python3
+
+[webserver]
+142.93.123.128 ansible_python_interpreter=/usr/bin/python3
+
+[database]
+142.93.119.59 ansible_python_interpreter=/usr/bin/python3

deploy/init_config.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook -vvvv ./init_config.yml --private-key=/home/matt/do_deploy -u root -i ./hosts

deploy/roles/common/tasks/main.yml

@@ -0,0 +1,2 @@
+# handles server protection and configuration regardless of server type
+- include: security.yml

deploy/roles/common/tasks/security.yml

@@ -0,0 +1,19 @@
+# install security configuration
+- name: ensure python packages are installed
+  apt:
+    name: "{{ item }}"
+    update_cache: yes
+  become: yes
+  with_items:
+    - "python3-pip"
+    - "python3-dev"
+    - "fail2ban"
+
+
+- name: enable SSH within the firewall
+  ufw: rule=allow port=22
+  become: yes
+
+- name: enable firewall itself
+  ufw: state=enabled
+  become: yes

deploy/roles/database/tasks/main.yml

@@ -0,0 +1,3 @@
+# handles server protection and configuration for database servers
+- include: security.yml
+- include: postgresql.yml

deploy/roles/database/tasks/postgresql.yml

@@ -0,0 +1,25 @@
+# install and configure PostgreSQL database
+- name: ensure postgresql database packages are installed
+  apt: name={{ item }}
+  with_items:
+    - postgresql
+    - libpq-dev
+    - python3-psycopg2
+    - postgresql-client
+    - postgresql-client-common
+  become: yes
+
+
+- name: create database instance
+  postgresql_db: name={{ db_name }}
+  become: yes
+  become_user: postgres
+
+
+- name: configure separate PostgreSQL user
+  postgresql_user: db={{ db_name }} name={{ db_user }}
+                   password={{ db_password }} priv=ALL
+                   role_attr_flags=NOSUPERUSER
+  become: yes
+  become_user: postgres
+

deploy/roles/database/tasks/security.yml

@@ -0,0 +1,5 @@
+# install security configuration
+- name: enable PostgreSQL access
+  ufw: rule=allow port=5432
+  become: yes
+

deploy/roles/init_config/tasks/main.yml

@@ -0,0 +1,52 @@
+# establish non-root user with sudo privileges
+- name: create a non-root group
+  group:
+    name: "{{ deploy_group }}"
+    state: present
+
+
+- name: create non-root user
+  user:
+    name: "{{ deploy_user }}"
+    group: "{{ deploy_group }}"
+    shell: "/bin/bash"
+    state: present
+
+
+- name: add authorized_key to non-root user
+  authorized_key:
+    user: "{{ deploy_user }}"
+    state: present
+    key: "{{ lookup('file', ssh_dir + ssh_key_name + '.pub') }}"
+
+
+- name: add non-root group to sudo privileges
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: "^{{ deploy_group }}"
+    line: "%{{ deploy_group }} ALL=(ALL) NOPASSWD: ALL"
+    validate: visudo -cf %s
+
+
+- name: disable root SSH logins
+  replace:
+    destfile: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin yes"
+    replace: "PermitRootLogin no"
+    backup: no
+
+
+- name: disable SSH logins by password
+  replace:
+    destfile: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication yes"
+    replace: "PasswordAuthentication no"
+    backup: no
+
+
+- name: restart SSH service
+  service:
+    name: ssh
+    state: restarted
+

deploy/roles/webserver/handlers/main.yml

@@ -0,0 +1,4 @@
+
+- name: restart nginx
+  service: name=nginx state=restarted
+  become: true