
♻️ Reworked base role into more parametrized and secure role
sergei-maertens committed Jul 17, 2019
1 parent 0d306de commit 227dd37
Showing 35 changed files with 119 additions and 90 deletions.
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -11,7 +11,6 @@ src/regex/conf/uwsgi.ini
/media/
/private_media/
/src/static/css
/src/static/bower_components
node_modules

# testing
3 changes: 1 addition & 2 deletions .travis.yml
Expand Up @@ -19,9 +19,8 @@ install:
before_script:
- mkdir log
- export DJANGO_SETTINGS_MODULE=regex.conf.settings.test
- npm install bower grunt-cli -g
- npm install grunt-cli -g
- npm install
- bower install
- src/manage.py collectstatic --noinput --link
- grunt sass:dist

7 changes: 5 additions & 2 deletions deployment/backupserver.yml
Expand Up @@ -6,12 +6,15 @@

vars:
firewall_open_ports:
- "{{ ssh_port | default('ssh') }}"
- '25565'
postgresql_enabled: false
nginx_enabled: false
redis_enabled: false
nodejs_enabled: false
django_enabled: false

application_user: minecraft

roles:
- base2
- base
- app_user
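Review bot: The vars block at the top of this hunk spells its switches `postgresql_enabled: false`, while the same switches in deployment/provision.yml and deployment/sentry.yml on this page use `yes`/`no`; Ansible reads both as booleans, but yamllint's truthy rule rejects `yes`/`no` and YAML 1.2 parsers read them as strings, so writing `true`/`false` in all three playbooks would keep them consistent. `firewall_open_ports` here still lists `"{{ ssh_port | default('ssh') }}"` although a firewall hunk on this page adds a dedicated "Always allow SSH" ufw rule and the base defaults hunk drops that entry; keeping it is harmless but redundant, and removing it leaves the SSH allow rule defined in one place. The enclosing play starts before this hunk.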
10 changes: 10 additions & 0 deletions deployment/provision.yml
Expand Up @@ -3,8 +3,18 @@
- name: Provision the server with all required packages and user accounts
hosts: "{{ target|default('staging') }}"
remote_user: root
vars:
bigstore: no
postgresql_enabled: yes
apache_enabled: no
nginx_enabled: yes
redis_enabled: yes
memcached_enabled: no
nodejs_enabled: yes
django_enabled: yes
roles:
- base
- app_user
- postgres
- ssl
- nginx
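Review bot: `bigstore: no` in the new vars block does not match the variable the role reads: the base defaults hunk on this page defines `bigstorage: no` and deployment/roles/base/tasks/main.yml guards the include with `when: bigstorage`, so this override is a no-op and a later `bigstore: yes` would silently not enable big storage. The line should read `bigstorage: false`. `apache_enabled: no` does not appear among the switches the base role shows on this page; if nothing consumes it, it is a dead variable and worth a comment or removal. The play continues past the end of the hunk.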
4 changes: 4 additions & 0 deletions deployment/roles/app_user/defaults/main.yml
@@ -0,0 +1,4 @@
---

users_url_pubkeys:
- https://github.com/sergei-maertens.keys
26 changes: 26 additions & 0 deletions deployment/roles/app_user/tasks/main.yml
@@ -0,0 +1,26 @@
---

- name: Create the application user group
group:
name: "{{ application_user }}"
state: present

- name: Create the application user
user:
name: "{{ application_user }}"
group: "{{ application_user }}"
shell: /bin/bash
generate_ssh_key: yes

- name: Set application user password
user:
name: "{{ application_user }}"
password: "{{ crypted_password }}"
when: crypted_password is defined

- name: Install public keys to authorized_keys.
authorized_key:
user: "{{ application_user }}"
key: "{{ item }}"
state: present
with_items: "{{ users_url_pubkeys }}"
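Review bot: The `authorized_key` task closing the hunk installs every key from `users_url_pubkeys` with `state: present` but without `exclusive`, so a key removed from the list, or from the GitHub account behind the default `https://github.com/sergei-maertens.keys` URL, stays authorized on the host until it is deleted by hand. Consider `exclusive: yes` with the keys joined into a single `key` value (with a loop, `exclusive` keeps only the last item), or pin the public key material in defaults instead of fetching a live URL at provision time. `generate_ssh_key: yes` on the "Create the application user" task creates a key pair without a passphrase in the user's home on every host; a comment stating what that key is for (`# ssh key used for … — TODO document consumer`) would tell the next maintainer whether it is still needed.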
Expand Up @@ -6,7 +6,6 @@ admin_email: root@localhost
firewall_open_ports:
- http
- https
- "{{ ssh_port | default('ssh') }}"

# big storage (Tansip)
bigstorage: no
Expand Down Expand Up @@ -35,3 +34,25 @@ memcached_enabled: no
# NodeJS
nodejs_enabled: false
nodejs_version: 10

# Django
django_enabled: false
django_packages:
- python3-dev
- python3-setuptools
- python3-pip
- python-virtualenv
# lxml depend on these
- libxml2
- libxml2-dev
- libxslt1.1
- libxslt1-dev
# Pillow
- swig
- libjpeg-dev
# weasyprint
- libcairo2
- libpango1.0-0
- libgdk-pixbuf2.0-0
- libffi-dev
- shared-mime-info
File renamed without changes.
2 changes: 0 additions & 2 deletions deployment/roles/base/files/nodesource.list

This file was deleted.

File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
6 changes: 6 additions & 0 deletions deployment/roles/base/tasks/django.yml
@@ -0,0 +1,6 @@
---

- name: Install Django system packages
package:
name: "{{ django_packages }}"
when: django_enabled
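Review bot: The `when: django_enabled` on the task duplicates the guard that deployment/roles/base/tasks/main.yml in this commit already puts on `include_tasks: django.yml`, so the condition is evaluated twice and the two copies can drift; keep it on the include only, or on the task only, and apply the same choice to nodejs.yml (its body is not on this page). A one-line comment above the task naming where the list comes from, `# django_packages is defined in defaults/main.yml`, would help a reader who opens this file on its own.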
File renamed without changes.
Expand Up @@ -17,6 +17,15 @@
notify:
- restart ufw

- name: Always allow SSH
ufw:
proto: tcp
direction: in
rule: allow
port: "{{ ssh_port | default('ssh') }}"
notify:
- restart ufw

- name: Open ports
ufw:
proto: tcp
File renamed without changes.
32 changes: 29 additions & 3 deletions deployment/roles/base/tasks/main.yml
@@ -1,5 +1,31 @@
---
# Set up the base system
# Set up the base system: security settings, basic system packages...

- include: packages.yml
- include: users.yml
- include_tasks: build-tools.yml

- include_tasks: auto-updates.yml

- include_tasks: sshd.yml

- include_tasks: firewall.yml

- include_tasks: fail2ban.yml

- include_tasks: bigstorage.yml
when: bigstorage

- include_tasks: logwatch.yml

- include_tasks: databases.yml

- include_tasks: webservers.yml

- include_tasks: caches.yml

- include_tasks: vcs.yml

- include_tasks: nodejs.yml
when: nodejs_enabled

- include_tasks: django.yml
when: django_enabled
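Review bot: The include list mixes two guarding patterns: `bigstorage.yml`, `nodejs.yml` and `django.yml` are gated on the include line, while `databases.yml`, `webservers.yml` and `caches.yml` are included unconditionally even though the defaults on this page define `postgresql_enabled`, `nginx_enabled`, `redis_enabled` and `memcached_enabled` for them; presumably those files gate internally, but one convention file-wide would make the switches easier to audit. Extending the header comment to state the order dependency, `# Order matters: sshd.yml runs before firewall.yml so the SSH allow rule uses the final ssh_port`, would document why the list is sequenced this way, assuming that is the intent.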
File renamed without changes.
27 changes: 0 additions & 27 deletions deployment/roles/base/tasks/packages.yml

This file was deleted.

File renamed without changes.
20 changes: 0 additions & 20 deletions deployment/roles/base/tasks/users.yml

This file was deleted.

File renamed without changes.
File renamed without changes.
3 changes: 0 additions & 3 deletions deployment/roles/base/vars/main.yml

This file was deleted.

29 changes: 0 additions & 29 deletions deployment/roles/base2/tasks/main.yml

This file was deleted.

7 changes: 7 additions & 0 deletions deployment/sentry.yml
Expand Up @@ -9,6 +9,11 @@
- vars/ssl.yml

vars:
application_user: sentry
postgresql_enabled: no
nginx_enabled: yes
redis_enabled: no

# nginx role overrides
prefix: sentry
nginx_vhost_template: proxy.conf.j2
Expand All @@ -19,6 +24,8 @@
nginx_hostname: sentry.regex-it.nl

roles:
- base
- app_user
- geerlingguy.docker
- sentry
- ssl
