improved wordpress creation, added host config for docker and logrotate

This commit is contained in:
Adrien Luxey 2020-05-03 14:52:54 +02:00
parent dc35e4de30
commit 812ae572d8
23 changed files with 224 additions and 304 deletions


@ -4,7 +4,7 @@ transport = ssh
[ssh_connection] [ssh_connection]
# ForwardAgent to forward my SSH key to remote hosts, and be able to pull from gitlab # ForwardAgent to forward my SSH key to remote hosts, and be able to pull from remote git
# ControlMaster to avoid a bug when cloning: https://github.com/ansible/ansible/issues/13876 # ControlMaster to avoid a bug when cloning: https://github.com/ansible/ansible/issues/13876
# ControlPersist for SSH multiplexing "-o ControlPersist=60s" <- Causes user not being added to docker group T_T # ControlPersist for SSH multiplexing "-o ControlPersist=60s" <- Causes user not being added to docker group T_T
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto ssh_args = -o ForwardAgent=yes -o ControlMaster=auto


@ -1,5 +1,8 @@
--- ---
mysql_root_password: "{{ vault_mysql_root_password }}"
adrien_serenity_password: "{{ vault_adrien_serenity_password }}"
www_path: /vault/www www_path: /vault/www
sites_path: /vault/sites sites_path: /vault/sites
@ -8,91 +11,95 @@ wordpress:
checksum: sha1:d5f1e6d7cadd72c11d086a2e1ede0a72f23d993e checksum: sha1:d5f1e6d7cadd72c11d086a2e1ede0a72f23d993e
sites: sites:
- slug: test # Shorthand name to use as directory/file name # - slug: test # Shorthand name to use as directory/file name
# # The site URL (without www)
# url: test.luxeylab.net
# # Ask nginx to redirect url to www
# # Else, we redirect www to url
# redirect_to_www: no
# # What kind of site is that?
# type: wordpress
# # Subnet addresses
# subnet_cidr_address: 172.27.6.0/24
# subnet_gateway_ip: 172.27.6.1
# subnet_nginx_ip: 172.27.6.2
# subnet_site_ip: 172.27.6.3
# # MySQL
# mysql_database: wp_test
# mysql_username: wp_test
# mysql_password: "{{ vault_wp_test_mysql_password }}"
- slug: rdb # Shorthand name to use as directory/file name
# The site URL (without www) # The site URL (without www)
url: test.luxeylab.net url: rennesdesbois.fr
# Ask nginx to redirect url to www
# Else, we redirect www to url
redirect_to_www: yes
# What kind of site is that?
type: wordpress
# Subnet addresses
subnet_cidr_address: 172.27.1.0/24
subnet_gateway_ip: 172.27.1.1
subnet_nginx_ip: 172.27.1.2
subnet_site_ip: 172.27.1.3
# MySQL
mysql_database: rdb
mysql_username: rdb
mysql_password: "{{ vault_rdb_mysql_password }}"
- slug: arvuhez # Shorthand name to use as directory/file name
# The site URL (without www)
url: arvuhez.org
# Ask nginx to redirect url to www # Ask nginx to redirect url to www
# Else, we redirect www to url # Else, we redirect www to url
redirect_to_www: no redirect_to_www: no
# What kind of site is that? # What kind of site is that?
type: wordpress type: wordpress
# Subnet addresses # Subnet addresses
subnet_cidr_address: 172.27.6.0/24 subnet_cidr_address: 172.27.2.0/24
subnet_gateway_ip: 172.27.6.1 subnet_gateway_ip: 172.27.2.1
subnet_nginx_ip: 172.27.6.2 subnet_nginx_ip: 172.27.2.2
subnet_site_ip: 172.27.6.3 subnet_site_ip: 172.27.2.3
# MySQL
mysql_database: arvuhez
mysql_username: arvuhez
mysql_password: "{{ vault_arvuhez_mysql_password }}"
mysql_database: wp_test - slug: zinzoscope # Shorthand name to use as directory/file name
mysql_username: wp_test # The site URL (without www)
mysql_password: "{{ vault_wp_test_mysql_password }}" url: zinz.luxeylab.net
# Ask nginx to redirect url to www
# Else, we redirect www to url
redirect_to_www: no
# What kind of site is that?
type: wordpress
# Subnet addresses
subnet_cidr_address: 172.27.3.0/24
subnet_gateway_ip: 172.27.3.1
subnet_nginx_ip: 172.27.3.2
subnet_site_ip: 172.27.3.3
# MySQL
mysql_database: zinzoscope
mysql_username: zinzoscope
mysql_password: "{{ vault_zinzoscope_mysql_password }}"
# - slug: rdb # Shorthand name to use as directory/file name - slug: lexperimental # Shorthand name to use as directory/file name
# # The site URL (without www) # The site URL (without www)
# url: rennesdesbois.fr url: lexperimental.fr
# # Ask nginx to redirect url to www # Ask nginx to redirect url to www
# # Else, we redirect www to url # Else, we redirect www to url
# redirect_to_www: yes redirect_to_www: no
# # What kind of site is that? # What kind of site is that?
# type: wordpress type: wordpress
# # Subnet addresses # Subnet addresses
# subnet_cidr_address: 172.27.1.0/24 subnet_cidr_address: 172.27.4.0/24
# subnet_gateway_ip: 172.27.1.1 subnet_gateway_ip: 172.27.4.1
# subnet_site_ip: 172.27.1.2 subnet_nginx_ip: 172.27.4.2
subnet_site_ip: 172.27.4.3
# mysql_database: rdb # MySQL
# mysql_username: rdb mysql_database: lexperimental
# mysql_password: "{{ vault_rdb_mysql_password }}" mysql_username: lexperimental
mysql_password: "{{ vault_lexperimental_mysql_password }}"
# - slug: arvuhez # Shorthand name to use as directory/file name
# # The site URL (without www)
# url: arvuhez.org
# # Ask nginx to redirect url to www
# # Else, we redirect www to url
# redirect_to_www: no
# # What kind of site is that?
# type: wordpress
# # Subnet addresses
# subnet_cidr_address: 172.27.2.0/24
# subnet_gateway_ip: 172.27.2.1
# subnet_site_ip: 172.27.2.2
# mysql_database: arvuhez
# mysql_username: arvuhez
# mysql_password: "{{ vault_arvuhez_mysql_password }}"
# - slug: zinzoscope # Shorthand name to use as directory/file name
# # The site URL (without www)
# url: zinz.luxeylab.net
# # Ask nginx to redirect url to www
# # Else, we redirect www to url
# redirect_to_www: no
# # What kind of site is that?
# type: wordpress
# # Subnet addresses
# subnet_cidr_address: 172.27.3.0/24
# subnet_gateway_ip: 172.27.3.1
# subnet_site_ip: 172.27.3.2
# mysql_database: zinzoscope
# mysql_username: zinzoscope
# mysql_password: "{{ vault_zinzoscope_mysql_password }}"
# - slug: lexperimental # Shorthand name to use as directory/file name
# # The site URL (without www)
# url: lexperimental.fr
# # Ask nginx to redirect url to www
# # Else, we redirect www to url
# redirect_to_www: no
# # What kind of site is that?
# type: wordpress
# # Subnet addresses
# subnet_cidr_address: 172.27.4.0/24
# subnet_gateway_ip: 172.27.4.1
# subnet_site_ip: 172.27.4.2
# mysql_database: lexperimental
# mysql_username: lexperimental
# mysql_password: "{{ vault_lexperimental_mysql_password }}"
# - slug: mts # Shorthand name to use as directory/file name # - slug: mts # Shorthand name to use as directory/file name
# # The site URL (without www) # # The site URL (without www)
@ -106,13 +113,9 @@ sites:
# subnet_cidr_address: 172.27.5.0/24 # subnet_cidr_address: 172.27.5.0/24
# subnet_gateway_ip: 172.27.5.1 # subnet_gateway_ip: 172.27.5.1
# subnet_site_ip: 172.27.5.2 # subnet_site_ip: 172.27.5.2
# # This will allow setting up MySQL # # This will allow setting up MySQL
# # Configuration on Drupal's side must be done by hand: # # Configuration on Drupal's side must be done by hand:
# # Edit your <drupal_install>/sites/default/settings.php # # Edit your <drupal_install>/sites/default/settings.php
# mysql_database: mts8 # mysql_database: mts8
# mysql_username: mts # mysql_username: mts
# mysql_password: "{{ vault_mts_mysql_password }}" # mysql_password: "{{ vault_mts_mysql_password }}"
mysql_root_password: "{{ vault_mysql_root_password }}"
adrien_serenity_password: "{{ vault_adrien_serenity_password }}"
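Review bot: The vault-backed `mysql_password` values this hunk activates for rdb, arvuhez and lexperimental (`vault_rdb_mysql_password` and the two siblings) should be fresh credentials rather than the values the deleted docker-compose files in this same commit carried in plaintext; removing those files does not remove the passwords from repository history, so the corresponding MySQL users (granted `priv: "{{ item.mysql_database }}.*:all"` further down the role) should be rotated. The `redirect_to_www: yes` / `redirect_to_www: no` values are YAML 1.1 truthy words that Ansible accepts, but `true` / `false` is unambiguous for any other tool that reads this file. The `sites:` list this hunk edits starts before the hunk and the commented-out `mts` entry continues past it.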

deployer/host.yml Normal file

@ -0,0 +1,5 @@
---
- hosts: serenity
gather_facts: no
roles:
- host


@ -1,4 +1,6 @@
#####################
# Create wp-content #
#####################
- name: Is it a new install? - name: Is it a new install?
stat: stat:
@ -83,23 +85,10 @@
when: filetree_item.state == 'file' when: filetree_item.state == 'file'
tags: [docker, nginx] tags: [docker, nginx]
- name: Copy host config to /etc/nginx/sites-available
copy:
remote_src: yes
src: "{{ sites_path }}/{{ item.slug }}/nginx.host"
dest: "/etc/nginx/sites-available/{{ item.url }}"
become: yes
tags: nginx
#######################
# MySQL configuration #
#######################
# - name: Create Let's Encrypt certificate
# This seems hard, see:
# https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module
# https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04
# Maybe using shell directly? e.g.
# certbot certonly --webroot -w /var/www/letsencrypt -d <url>
# MySQL equivalent: # MySQL equivalent:
# create user <user>@<ip> identified by <pass>; # create user <user>@<ip> identified by <pass>;
@ -118,3 +107,15 @@
priv: "{{ item.mysql_database }}.*:all" priv: "{{ item.mysql_database }}.*:all"
state: present state: present
tags: mysql tags: mysql
###################
# SSL certificate #
###################
# - name: Create Let's Encrypt certificate
# This seems hard, see:
# https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module
# https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04
# Maybe using shell directly? e.g.
# certbot certonly --webroot -w /var/www/letsencrypt -d <url>


@ -15,8 +15,8 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
set_real_ip_from {{ item.subnet_gateway_ip }};
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$http_x_real_ip - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';
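Review bot: With `set_real_ip_from {{ item.subnet_gateway_ip }};` now in place, switching the log format to `$http_x_real_ip` logs the raw request header instead of the address the realip module has validated: the module rewrites `$remote_addr` from the `X-Real-IP` header (the default `real_ip_header`) only for connections arriving from the trusted gateway, whereas `$http_x_real_ip` is whatever any client that reaches this container sent. Keeping `log_format main '$remote_addr - $remote_user [$time_local] "$request" '` records the client address while still trusting only the gateway. If the host nginx forwards the client address under a different header name (the `header-params_*` snippets are not visible here), a matching `real_ip_header` directive is needed next to `set_real_ip_from`. The enclosing `http {` block starts and ends outside this hunk.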


@ -0,0 +1,8 @@
---
- name: Restart nginx
service:
name: nginx
state: restarted
become: yes
tags: nginx
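Review bot: The handler restarts nginx whenever a vhost file is copied or symlinked, which drops in-flight connections for every site on the host; a configuration change only needs a reload, so `state: reloaded`. The "Verify nginx configuration" task (`nginx -t`) in the nginx task file runs before handlers are flushed, so an invalid vhost still fails the play before the reload happens — keep that ordering when the handler is renamed.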


@ -6,22 +6,25 @@
restarted: yes restarted: yes
tags: docker tags: docker
- name: Copy host config to /etc/nginx/sites-available
copy:
remote_src: yes
src: "{{ sites_path }}/{{ item.slug }}/nginx.host"
dest: "/etc/nginx/sites-available/{{ item.url }}"
become: yes
notify: Restart nginx
tags: nginx
- name: "Symlink nginx configuration to sites-enabled" - name: "Symlink nginx configuration to sites-enabled"
file: file:
src: "/etc/nginx/sites-available/{{ item.url }}" src: "/etc/nginx/sites-available/{{ item.url }}"
dest: "/etc/nginx/sites-enabled/{{ item.url }}" dest: "/etc/nginx/sites-enabled/{{ item.url }}"
state: link state: link
become: yes become: yes
notify: Restart nginx
tags: nginx tags: nginx
- name: Verify nginx configuration - name: Verify nginx configuration
command: "nginx -t" command: "nginx -t"
become: yes become: yes
tags: nginx tags: nginx
- name: Restart nginx service
service:
name: nginx
state: restarted
become: yes
tags: nginx


@ -0,0 +1,8 @@
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "5",
"compress": "true"
}
}
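Review bot: The `json-file` `log-opts` set here only apply to containers created after the daemon picks the file up; the already-running per-site containers keep their previous (unbounded) logging configuration until they are recreated, so the log-growth problem this commit targets persists for them until the compose stacks are brought up again. Restarting dockerd through the `Restart Docker` handler added in this commit also stops every running container unless live restore is enabled; adding `"live-restore": true` lets the daemon restart without taking the sites down. `"compress": "true"` as a string is correct, since log-opts values are strings.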


@ -0,0 +1,20 @@
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# Set a max size of 200MB for any log file before they get rotated
size 100M
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may be configured here
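Review bot: `size 100M` overrides the `weekly` schedule declared above it — logrotate's `size` directive rotates on size alone and ignores the time-based directive — so any log that stays under 100M is never rotated by this configuration; `maxsize 100M` is the directive that combines with `weekly` (rotate weekly, or sooner once the file exceeds the size). The comment on the preceding line also says 200MB while the value is 100M; make the two agree.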


@ -0,0 +1,7 @@
# no packages own btmp -- we'll rotate it here
/var/log/btmp {
missingok
monthly
create 0660 root utmp
rotate 1
}


@ -0,0 +1,18 @@
/var/log/nginx/*.log {
weekly
missingok
rotate 12
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi \
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}


@ -0,0 +1,8 @@
# no packages own wtmp -- we'll rotate it here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
minsize 1M
rotate 1
}


@ -0,0 +1,8 @@
---
- name: Restart Docker
service:
name: docker
state: restarted
become: yes
tags: docker


@ -0,0 +1,7 @@
- name: Copy Docker daemon.json
copy:
src: docker/daemon.json
dest: /etc/docker/daemon.json
become: yes
tags: docker
notify: Restart Docker


@ -0,0 +1,12 @@
- name: "Copy logrotate.conf"
copy:
src: "logrotate.conf"
dest: "/etc/"
become: yes
tags: logrotate
- name: "Copy logrotate.d"
copy:
src: "logrotate.d/"
dest: "/etc/logrotate.d/"
tags: logrotate
become: yes
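Review bot: Both copy tasks overwrite package-owned files (`/etc/logrotate.conf`, and any same-named entries under `/etc/logrotate.d/`) without keeping the originals; adding `backup: yes` to each `copy` preserves the distribution version for comparison after a package upgrade. Neither task sets `mode`, so the result depends on the remote umask — `mode: "0644"` makes the intended permissions explicit. The key order also differs between the two tasks (`become` before `tags` in the first, after it in the second); pick one order for the file.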


@ -0,0 +1,9 @@
---
- name: Configure logrotate
include_tasks: logrotate.yml
tags: logrotate
- name: Configure Docker
include_tasks: docker.yml
tags: docker
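Review bot: `tags` on an `include_tasks` entry apply to the include itself only; the included tasks run under `--tags logrotate` or `--tags docker` only because each task in logrotate.yml and docker.yml carries its own tag, and a task added there without one will be silently skipped in tag-filtered runs. Since both file names are static, `import_tasks: logrotate.yml` propagates the tag to every imported task and removes that trap.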


@ -1,13 +0,0 @@
## MySQL madness!
Wordpress's IP is configured to 172.26.0.2
Do the MySQL!
```mysql
select host, user, password from mysql.user order by user;
create user 'arvuhez'@'172.26.0.2' identified by 'kjhs';
grant all on arvuhez.* to 'arvuhez'@'172.26.0.2';
show grants for 'arvuhez'@'172.26.0.2';
```


@ -1,24 +0,0 @@
version: '3'
services:
wp:
image: wordpress:apache
# build: wp/
restart: always
environment:
WORDPRESS_DB_HOST: 172.26.0.1
WORDPRESS_DB_USER: arvuhez
WORDPRESS_DB_PASSWORD: "xMnCfZzBs8F3y5pEUY8HWAJFu4DGdBFGJqAcbgJN"
WORDPRESS_DB_NAME: arvuhez
volumes:
- "/vault/www/arvuhez_wp-content/:/var/www/html/wp-content"
networks:
arvuheznet:
ipv4_address: 172.26.0.2
networks:
arvuheznet:
ipam:
driver: default
config:
- subnet: 172.26.0.0/16


@ -1,27 +0,0 @@
version: '3'
# Generated by ansible for site lexperimental.fr
# At 172.100.0.2 on 172.100.0.0/24
services:
wp:
image: wordpress:apache
restart: always
environment:
WORDPRESS_DB_HOST: "172.100.0.1"
WORDPRESS_DB_USER: "lexperimental"
WORDPRESS_DB_PASSWORD: "c2nGCmaRfJfF3Ltw5hoVVXF63Gm2VsVGUTdr4eQT"
WORDPRESS_DB_NAME: "lexperimental"
volumes: ['/var/www/lexperimental/wp-content/:/var/www/html/wp-content']
networks:
net:
ipv4_address: "172.100.0.2"
networks:
net:
ipam:
driver: default
config:
- subnet: "172.100.0.0/24"


@ -1,44 +0,0 @@
# Generated by ansible for site lexperimental.fr
# At 172.100.0.2 on 172.100.0.0/24
server {
listen 80;
listen [::]:80;
server_name lexperimental.fr www.lexperimental.fr;
rewrite ^ https://lexperimental.fr$request_uri permanent;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name lexperimental.fr www.lexperimental.fr;
access_log /var/log/nginx/lexperimental-access.log;
error_log /var/log/nginx/error.log;
# Let's Encrypt
include snippets/letsencrypt.conf;
include snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/lexperimental.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lexperimental.fr/privkey.pem;
if ($host = www.lexperimental.fr) {
rewrite ^ https://lexperimental.fr$request_uri permanent;
}
# Run by host
# root /var/www/lexperimental;
# include snippets/wordpress.conf;
# Run in Docker
include snippets/header-params_server.conf;
location / {
include snippets/header-params_location.conf;
proxy_pass http://172.100.0.2:80;
}
}


@ -1,52 +0,0 @@
version: '3.7'
services:
drupal:
image: drupal:8-apache
# No need to expose a port when you know the container's IP
# ports:
# - 8080:80
volumes:
# this takes advantage of the feature in Docker that a new anonymous
# volume (which is what we're creating here) will be initialized with the
# existing content of the image at the same location
- /var/www/html/modules
- /var/www/html/profiles
# - /var/www/html/sites
# We want a host volume for the themes directory to easily work on theming
- ./themes:/var/www/html/themes
- ./sites:/var/www/html/sites
# Drupal 8 needs Drupal 7 folder to migrate
- "/var/www/mts7:/var/www/mts7"
restart: always
# Fix the container's IP
networks:
drupalnet:
ipv4_address: 172.28.0.2
db:
image: mariadb:10
volumes:
- "mariadb_data:/var/lib/mysql"
restart: always
networks:
drupalnet:
ipv4_address: 172.28.0.3
environment:
MYSQL_ROOT_PASSWORD: 'qdlkjqsdlkj78YKJHDKJ332'
MYSQL_DATABASE: 'drupal'
MYSQL_USER: 'drupal'
MYSQL_PASSWORD: 'drupaltestsite'
volumes:
mariadb_data:
driver: local
networks:
drupalnet:
ipam:
driver: default
config:
- subnet: 172.28.0.0/16


@ -1,13 +0,0 @@
## MySQL madness!
Wordpress's IP is configured to 172.26.0.2
Do the MySQL!
```mysql
select host, user, password from mysql.user order by user;
create user 'rdb'@'172.26.0.2' identified by 'kjhs';
grant all on rdb.* to 'rdb'@'172.26.0.2';
show grants for 'rdb'@'172.26.0.2';
```


@ -1,24 +0,0 @@
version: '3'
services:
wp:
image: wordpress:apache
# build: wp/
restart: always
environment:
WORDPRESS_DB_HOST: 172.27.0.1
WORDPRESS_DB_USER: rdb
WORDPRESS_DB_PASSWORD: "brEuC8KGQEPh4L9rYiwFaDxDB7FVdWLMB3TbgAcz"
WORDPRESS_DB_NAME: rdb
volumes:
- "/vault/www/rdb_wp-content/:/var/www/html/wp-content"
networks:
rdbnet:
ipv4_address: 172.27.0.2
networks:
rdbnet:
ipam:
driver: default
config:
- subnet: 172.27.0.0/24