deployed rennesdesbois.fr

ansible/README.md

@@ -0,0 +1,43 @@
+## Required packages on remote
+
+Python (installed with `pip` for user `adrien`):
+
+* docker 
+* docker-compose 
+* pymysql 
+
+TODO: Ansible task to install that before the rest
+
+## Configure mailing
+
+When I send mails from the container with `php`, with current `msmtp` config, it fails if the recipient isn't `@luxeylab.net`. 
+
+Host `mail.log`:
+	
+	# mail('adrien@yopmai.com'...) in container 
+	Apr  2 09:07:56 Serenity postfix/smtpd[22617]: connect from unknown[172.27.1.2]
+	Apr  2 09:07:56 Serenity postfix/smtpd[22617]: NOQUEUE: reject: RCPT from unknown[172.27.1.2]: 454 4.7.1 <adrien@yopmail.com>: Relay access denied; from=<php@www.rennesdesbois.fr> to=<adrien@yopmail.com> proto=ESMTP helo=<localhost>
+	Apr  2 09:07:56 Serenity postfix/smtpd[22617]: lost connection after DATA from unknown[172.27.1.2]
+	Apr  2 09:07:56 Serenity postfix/smtpd[22617]: disconnect from unknown[172.27.1.2] ehlo=1 mail=1 rcpt=0/1 data=0/1 commands=2/4
+
+	# mail('adrien@yopmai.com'...) on host 
+	Apr  2 09:10:33 Serenity postfix/cleanup[27364]: 5DB1D3CCDA: message-id=<20200402071033.5DB1D3CCDA@luxeylab.net>
+	Apr  2 09:10:33 Serenity postfix/qmgr[2066]: 5DB1D3CCDA: from=<adrien@luxeylab.net>, size=286, nrcpt=1 (queue active)
+	Apr  2 09:10:33 Serenity postfix/smtp[27366]: 5DB1D3CCDA: to=<adrien@yopmail.com>, relay=smtp.yopmail.com[87.98.164.155]:25, delay=0.68, delays=0.35/0/0.23/0.09, dsn=2.0.0, status=sent (250 mail saved)
+	Apr  2 09:10:33 Serenity postfix/qmgr[2066]: 5DB1D3CCDA: removed
+
+	# mail('adrien@luxeylab.net'...) in container 
+	Apr  2 08:08:12 Serenity postfix/smtpd[2647]: connect from unknown[172.27.1.2]
+	Apr  2 08:08:12 Serenity postfix/smtpd[2647]: 6BA723CCD8: client=unknown[172.27.1.2]
+	Apr  2 08:08:12 Serenity postfix/cleanup[5829]: 6BA723CCD8: message-id=<>
+	Apr  2 08:08:12 Serenity postfix/smtpd[2647]: disconnect from unknown[172.27.1.2] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
+	Apr  2 08:08:12 Serenity postfix/qmgr[2066]: 6BA723CCD8: from=<php@www.rennesdesbois.fr>, size=290, nrcpt=1 (queue active)
+	Apr  2 08:08:13 Serenity postfix/smtp[5831]: 6BA723CCD8: to=<adrien.luxey@gmail.com>, orig_to=<adrien@luxeylab.net>, relay=gmail-smtp-in.l.google.com[74.125.133.26]:25, delay=0.79, delays=0.23/0.03/0.11/0.42, dsn=2.0.0, status=sent (250 2.0.0 OK  1585807693 130si4035771wma.123 - gsmtp)
+	Apr  2 08:08:13 Serenity postfix/qmgr[2066]: 6BA723CCD8: removed
+
+Good docs on the topic:
+
+* [Explains postfix on Host+ssmtp in Docker in detail, poorly written](https://medium.com/@thilinaviraj950/configure-and-use-host-base-postfix-to-send-emails-from-a-container-18cd279fc460)
+* [Another one](https://www.michelebologna.net/2019/send-an-email-from-a-docker-container/)
+
+I needed to add Docker's network (`172.0.0.0/8`) to `mynetworks` in `/etc/postfix/main.cf`. Also `inet_interfaces` would have had to be changed if Arthur didn't put it to `all`. Now works. 

ansible/deploy.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  gather_facts: no
+  roles:
+    - deploy

ansible/group_vars/all/vars.yml

@@ -5,9 +5,12 @@ sites_path: /vault/sites
 
 sites:
   - slug: rdb # Shorthand name to use as directory/file name
-    # The complete site URL
-    url: www.rennesdesbois.fr
-    # What kind of service is that?
+    # The site URL (without www)
+    url: rennesdesbois.fr
+    # Ask nginx to redirect url to www
+    # Else, we redirect www to url
+    redirect_to_www: yes
+    # What kind of site is that?
     type: wordpress
     # Subnet addresses
     subnet_cidr_address: 172.27.1.0/24
@@ -16,4 +19,7 @@ sites:
     
     mysql_database: rdb
     mysql_username: rdb
-    mysql_password: "{{ vault_rdb_mysql_password }}"
+    mysql_password: "{{ vault_rdb_mysql_password }}"
+
+mysql_root_password: "{{ vault_mysql_root_password }}"
+adrien_serenity_password: "{{ vault_adrien_serenity_password }}"

ansible/group_vars/all/vault.yml

@@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-31616336646162653732636532313464313632303932376532636465323836663938356630663236
-3761366235343066333133623030623532636566306433650a313433303236623333663837326231
-66613662623261373136386439353839633564356663316564613238353861396265386266353461
-3637666538346465370a313465643665333264646639353638623139383235336437373162613965
-61393237613832613661353266636664616661373362626265656136393539663938303463386563
-32616331643533646631613331383930363831383763636638326264346366363837353133626531
-32316539393837333035643833383239386166393061626630623939653232316161653538313938
-64316437343738306537306434663365653135353566363133396532306563306531656534653761
-34303963303231353061653933656335396339343138663335366435663461353931393531616239
-31313564346234353765343631653530343632616539383433303634333338323633633638326132
-643561303631356266313864623937313062
+35323866396364383230333062393263343363613332643931643435636637363133656234303263
+3430343534643762306134316334306438326135653362370a353636346437346438613538333938
+30356339326435373262313031393939373234306464356364373032646433313831326131393438
+3261663633626364660a316138303261373637373865646434393566323236336235323635653331
+39633639383239343563396561373338653561653533666338343232363439626137393733633062
+39353434613431396531646237393464356432326366366531373338306537616164633062623465
+30313661353930353966366166333339646431663537363730656363613735323031653865353933
+38386662363463623038326330386166663066343866616334396461623034343531623939656462
+38633231633061616161653837363239336233396438313064396238653539313031386364636566
+32613331643532303638333638306330616461393266363466333666633637326564383266363761
+61363931373839303863343062356462613932363836376539346463356230343964376233363566
+66666339623439353637316533323762363361303430613765393665343032653564623632613737
+36393839336662343530373330353930633033336335666432373532356662373134616337346462
+6238326631333231336134616166323363663062656232626562

ansible/roles/build/tasks/wordpress.yml

@@ -25,7 +25,21 @@
 # https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module
 # https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04
 # Maybe using shell directly? e.g.
-# $ certbot certonly --webroot -w /var/www/letsencrypt -d {{ item.url }}
+# certbot certonly --webroot -w /var/www/letsencrypt -d <url>
 
-  
-- name: Add user to database
+# MySQL equivalent:
+# create user <user>@<ip> identified by <pass>;
+# grant all on <db>.* to <user>@<ip>;
+- name: "Add database user {{ item.mysql_username }}@{{ item.subnet_site_ip }} and grant all privileges on {{ item.mysql_database }}"
+  mysql_user:
+    # Credentials to log in MySQL
+    login_host: localhost
+    login_user: root
+    login_password: "{{ mysql_root_password }}"
+    # Credentials of the new db user
+    host: "{{ item.subnet_site_ip }}"
+    name: "{{ item.mysql_username }}"
+    password: "{{ item.mysql_password }}"
+    # Grants
+    priv: "{{ item.mysql_database }}:all"
+    state: present

ansible/roles/build/templates/docker-compose.yml.j2

@@ -12,8 +12,8 @@ services:
       WORDPRESS_DB_USER: "{{ item.mysql_username }}"
       WORDPRESS_DB_PASSWORD: "{{ item.mysql_password }}"
       WORDPRESS_DB_NAME: "{{ item.mysql_database }}"
-#    volumes: 
-#      - "{{ www_path }}/{{ item.slug }}_wp-content:/var/www/html/wp-content"
+    volumes: 
+      - "{{ www_path }}/{{ item.slug }}_wp-content:/var/www/html/wp-content"
     networks:
       net:
         ipv4_address: "{{ item.subnet_site_ip }}"

ansible/roles/build/templates/nginx-wordpress.j2

@@ -4,24 +4,40 @@
 server {
   listen 80;
   listen [::]:80;
-  server_name {{ item.url }};
+  server_name {{ item.url }} www.{{ item.url }};
 
   # Let's Encrypt
   include snippets/letsencrypt.conf;
 
   location / {
-    return 301 https://$server_name$request_uri;
+    {% if item.redirect_to_www %}
+      return 301 https://www.{{ item.url }}$request_uri;
+    {% else %}
+      return 301 https://{{ item.url }}$request_uri;
+    {% endif %}
   }
 }
 
 server {
   listen 443 ssl;
   listen [::]:443 ssl;
-  server_name {{ item.url }};
+  server_name {{ item.url }} www.{{ item.url }};
 
   access_log  /var/log/nginx/{{ item.slug }}-access.log;
   error_log   /var/log/nginx/error.log;
 
+  {% if item.redirect_to_www %}
+    # Redirect non-www to www
+    if ($host = {{ item.url }}) {
+      rewrite ^ https://www.{{ item.url }}$request_uri permanent;
+    }
+  {% else %}
+    # Redirect www to non-www
+    if ($host = www.{{ item.url }}) {
+      rewrite ^ https://{{ item.url }}$request_uri permanent;
+    }
+  {% endif %}
+
   # Let's Encrypt
   include snippets/letsencrypt.conf;
 

ansible/roles/deploy/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Deploy Wordpress sites
+  include_tasks: wordpress.yml  
+  loop: "{{ sites }}"
+  when: item.type == "wordpress"

ansible/roles/deploy/tasks/wordpress.yml

@@ -0,0 +1,23 @@
+- name: "Launch the site's containers"
+  docker_compose:
+    project_src: "{{ sites_path }}/{{ item.slug }}"
+    state: present 
+    build: yes
+    restarted: yes
+
+- name: "Symlink nginx configuration to sites-enabled"
+  file:
+    src: "/etc/nginx/sites-available/{{ item.url }}"
+    dest: "/etc/nginx/sites-enabled/{{ item.url }}"
+    state: link
+  become: yes
+
+- name: Verify nginx configuration
+  command: "nginx -t"
+  become: yes
+
+- name: Restart nginx service 
+  service:
+    name: nginx 
+    state: restarted
+  become: yes

ansible/sites.yml

@@ -0,0 +1,3 @@
+---
+- import_playbook: build.yml
+- import_playbook: deploy.yml