we build config files remotely. next test the mailing through msmtp and deploy!

2020-03-31 18:32:13 +02:00 · 2020-03-31 18:32:13 +02:00 · 62061a03fc
commit 62061a03fc
parent 47c4e39b73
17 changed files with 124 additions and 44 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@ -1,6 +0,0 @@
-Three parts: 
-
-* make a docker-compose wordpress:apache instance with fixed IP, configured to query host's MySQL
-* Configure host's MySQL's access rights to allow connections from fixed IP
-* Make new nginx server (answering to site's URL) to do TLS and pass connections to container with fixed IP
-
--- a/ansible/ansible-playbook.yml.bkp
+++ b/ansible/ansible-playbook.yml.bkp
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -0,0 +1,15 @@
+[defaults]
+# To forward my SSH key to remote hosts, and be able to pull from gitlab
+transport = ssh
+
+ask_vault_pass = True
+
+[ssh_connection]
+
+# ForwardAgent to forward my SSH key to remote hosts, and be able to pull from gitlab
+# ControlMaster to avoid a bug when cloning: https://github.com/ansible/ansible/issues/13876
+# ControlPersist for SSH multiplexing "-o ControlPersist=60s" <- Causes user not being added to docker group T_T
+ssh_args = -o ForwardAgent=yes -o ControlMaster=auto
+
+# For speed
+pipelining=True
--- a/ansible/build.yml
+++ b/ansible/build.yml
@ -0,0 +1,5 @@
+---
+- hosts: all
+  gather_facts: no
+  roles:
+    - build
--- a/ansible/command
+++ b/ansible/command
@ -0,0 +1 @@
+ansible-playbook --ask-vault-pass build.yml -i inventory
--- a/ansible/group_vars/all/vars.yml
+++ b/ansible/group_vars/all/vars.yml
@ -0,0 +1,19 @@
+---
+
+www_path: /vault/www
+sites_path: /vault/sites
+
+sites:
+  - slug: rdb # Shorthand name to use as directory/file name
+    # The complete site URL
+    url: www.rennesdesbois.fr
+    # What kind of service is that?
+    type: wordpress
+    # Subnet addresses
+    subnet_cidr_address: 172.27.0.0/24
+    subnet_gateway_ip: 172.27.0.1
+    subnet_site_ip: 172.27.0.2
+    
+    mysql_database: rdb
+    mysql_username: rdb
+    mysql_password: "{{ vault_rdb_mysql_password }}"
--- a/ansible/group_vars/all/vault.yml
+++ b/ansible/group_vars/all/vault.yml
@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+64613132623931393566346236303131623137326233643334626630346233333933363135666132
+6331386332666238623539613361633836613837343530610a623632666231366436666136303764
+66333939643963323830326161646332633632336164366635613634366138663932393866356464
+3066396637656636380a626635366239363866653335333661346432313566356635303338313963
+34613666396637346536616365323636376466626637313134346266353230376166303031353461
+65633731623463393736663136303931666637303130353531353930663437353835346532373833
+63346539653439383138303732656637323562336265616338323133343863356235346265616130
+63333639666263363361
--- a/ansible/inventory
+++ b/ansible/inventory
@ -0,0 +1 @@
+serenity ansible_user=adrien ansible_host=92.243.8.85
--- a/ansible/roles/build/files/Dockerfile
+++ b/ansible/roles/build/files/Dockerfile
--- a/ansible/roles/build/tasks/main.yml
+++ b/ansible/roles/build/tasks/main.yml
@ -0,0 +1,17 @@
+---
+
+- name: Build Wordpress sites
+  include_tasks: wordpress.yml  
+  loop: "{{ sites }}"
+  when: item.type == "wordpress"
+
+
+
+
+# build an image
+  # do the msmtp bullshit
+# docker compose
+# nginx
+# let's encrypt
+
+# in another role: deploy the stuff
--- a/ansible/roles/build/tasks/wordpress.yml
+++ b/ansible/roles/build/tasks/wordpress.yml
@ -0,0 +1,15 @@
+- name: "Create folder {{ sites_path }}/{{ item.slug }}"
+  file: 
+    path: "{{ sites_path }}/{{ item.slug }}"
+    state: directory
+    mode: '750'
+
+- name: Render sexy Dockerfile
+  template: 
+    src: Dockerfile.j2
+    dest: "{{ sites_path }}/{{ item.slug }}/Dockerfile"
+
+- name: Render marvelous docker-compose.yml
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ sites_path }}/{{ item.slug }}/docker-compose.yml"
--- a/ansible/roles/build/templates/Dockerfile.j2
+++ b/ansible/roles/build/templates/Dockerfile.j2
@ -0,0 +1,14 @@
+FROM wordpress:apache
+
+RUN apt-get update; \
+	apt-get install -y --no-install-recommends msmtp; \
+	rm -rf /var/lib/apt/lists/*
+
+RUN echo "sendmail_path = /usr/sbin/msmtp -t " > /usr/local/etc/php/conf.d/sendmail.ini
+
+RUN cat << EOF > /etc/msmtprc
+account default
+host {{ item.subnet_gateway_ip }}
+port 25
+EOF
+
--- a/ansible/roles/build/templates/docker-compose.yml.j2
+++ b/ansible/roles/build/templates/docker-compose.yml.j2
@ -0,0 +1,26 @@
+version: '3'
+
+# Generated by ansible for site {{ item.url }} 
+# At {{ item.subnet_site_ip }} on {{ item.subnet_cidr_address }}
+
+services:
+  wp:
+    build: .
+    restart: always
+    environment:
+      WORDPRESS_DB_HOST: "{{ item.subnet_gateway_ip }}"
+      WORDPRESS_DB_USER: "{{ item.mysql_username }}"
+      WORDPRESS_DB_PASSWORD: "{{ item.mysql_password }}"
+      WORDPRESS_DB_NAME: "{{ item.mysql_database }}"
+    volumes: 
+      - "{{ www_path }}/{{ item.slug }}_wp-content:/var/www/html/wp-content"
+    networks:
+      net:
+        ipv4_address: "{{ item.subnet_site_ip }}"
+
+networks:
+  net:
+    ipam:
+      driver: default
+      config:
+        - subnet: "{{ item.subnet_cidr_address }}"
--- a/ansible/roles/build/templates/msmtprc.j2
+++ b/ansible/roles/build/templates/msmtprc.j2
--- a/ansible/roles/build/templates/nginx-site.conf.j2
+++ b/ansible/roles/build/templates/nginx-site.conf.j2
@ -4,7 +4,7 @@
 server {
  listen 80;
  listen [::]:80;
-  server_name {{ site_url }} www.{{ site_url }};
+  server_name {{ site_url }};

  rewrite ^ https://{{ site_url }}$request_uri permanent;
 }
@ -12,7 +12,7 @@ server {
 server {
  listen 443 ssl;
  listen [::]:443 ssl;
-  server_name {{ site_url }} www.{{ site_url }};
+  server_name {{ site_url }};

  access_log  /var/log/nginx/{{ site_name }}-access.log;
  error_log   /var/log/nginx/error.log;
@ -23,16 +23,7 @@ server {
  include snippets/ssl-params.conf;
  ssl_certificate /etc/letsencrypt/live/{{ site_url }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ site_url }}/privkey.pem;
-
-  if ($host = www.{{ site_url }}) {
-    rewrite ^ https://{{ site_url }}$request_uri permanent;
-  }
-
-  # Run by host
-  # root /var/www/{{ site_name }};
-  # include snippets/wordpress.conf;
  
-  # Run in Docker
  include snippets/header-params_server.conf;
  location / {
    include snippets/header-params_location.conf;
--- a/ansible/templates/docker-compose.yml.j2
+++ b/ansible/templates/docker-compose.yml.j2
@ -1,26 +0,0 @@
-version: '3'
-
-
-# Generated by ansible for site {{ site_url }} 
-# At {{ subnet_site_ip }} on {{ subnet_cidr_address }}
-
-services:
-  wp:
-    image: {{ docker_image }}
-    restart: always
-    environment:
-      WORDPRESS_DB_HOST: "{{ subnet_gateway_ip }}"
-      WORDPRESS_DB_USER: "{{ mysql_username }}"
-      WORDPRESS_DB_PASSWORD: "{{ mysql_password }}"
-      WORDPRESS_DB_NAME: "{{ mysql_database }}"
-    volumes: {{ docker_volumes | to_yaml }}
-    networks:
-      net:
-        ipv4_address: "{{ subnet_site_ip }}"
-
-networks:
-  net:
-    ipam:
-      driver: default
-      config:
-        - subnet: "{{ subnet_cidr_address }}"
--- a/wordpress/php/TODO
+++ b/wordpress/php/TODO
@ -1 +0,0 @@
-Add this to an Ansible role executing the templates to add the propoer IP, notably to msmtprc
				`@ -0,0 +1 @@`
				`ansible-playbook --ask-vault-pass build.yml -i inventory`
				`@ -0,0 +1 @@`
				`serenity ansible_user=adrien ansible_host=92.243.8.85`
				`@ -1 +0,0 @@`
				`Add this to an Ansible role executing the templates to add the propoer IP, notably to msmtprc`