Commit 89035e3e authored by Christian Elberfeld's avatar Christian Elberfeld

Merge branch 'master' of ssh://gitlab.warpzone.ms:444/infrastruktur/ansible-warpzone

# Conflicts:
#	group_vars/all
#	host_vars/webserver-test
#	webserver-test/main.yml
#	webserver/nginx/tasks/main.yml
#	webserver/nginx/templates/letsencrypt.sh
#	webserver/nginx/templates/nginx-site
parents 52370b28 14e86643
with 219 additions and 71 deletions
...@@ -12,6 +12,10 @@ ...@@ -12,6 +12,10 @@
vars: vars:
packages: packages:
- apt-transport-https - apt-transport-https
- ca-certificates
- curl
- gnupg2
- software-properties-common
- name: add debian repo keys (id) - name: add debian repo keys (id)
apt_key: apt_key:
# Gruppen-Spezifishe Variablen
# Globale Variablen für alle produktiven Server
# Ports des LDAP Servers
ldap_port_default: 389
ldap_port_secure: 636
# IP Adresse des LDAP Servers
# Extern läuft auf dem webserver
ldap_ip_ext: 10.0.20.2
# int ist noch ungenutzt / später replikation in der Zone
ldap_ip_int: 10.0.20.2
# Basis-Informationen der LDAP Konfiguration
ldap_org: Warpzone TEST
ldap_domain: warpzone.ms
ldap_base_dn: dc=warpzone,dc=ms
ldap_admin_bind_dn: cn=admin,dc=warpzone,dc=ms
ldap_readonly_bind_dn: cn=readonly,dc=warpzone,dc=ms
# Zentrale InfluxDb für Systemmonitoring
influxdb_sysmon:
url: "http://192.168.0.201:18086"
db: "influx"
user: "influx"
password: "influx"
# Zentrale InfluxDb für Snmp Daten
influxdb_snmp:
url: "http://192.168.0.201:28086"
db: "influx"
user: "influx"
password: "influx"
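Review bot: `ldap_org: Warpzone TEST` in the production group_vars (the header says these are the globals for all productive servers) looks like the test value carried over, and the ldap docker-compose in this commit now feeds it into the container as `LDAP_ORGANISATION="{{ ldap_org }}"` where the literal `Warpzone` stood before; unless a production host_vars overrides it, a freshly initialised production directory gets the test organisation name. The two InfluxDB blocks also commit `user: "influx"` / `password: "influx"` in clear text to the repository, while the same commit introduces `../functions/get_secret.yml` to read the LDAP and WordPress passwords from the host — the monitoring credentials could use that mechanism too. If these are deliberately the image defaults for a throwaway sink, a comment such as `# image defaults, no real credential — see get_secret.yml for how production secrets are loaded` keeps the next reader from treating them as the real ones.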
# Gruppen-Spezifishe Variablen
\ No newline at end of file
# Globale Variablen für alle Server
# Ports des LDAP Servers
ldap_port_default: 2389
ldap_port_secure: 2636
# IP Adresse des LDAP Servers
# Extern läuft auf dem webserver
ldap_ip_ext: 127.0.0.1
# int ist noch ungenutzt / später replikation in der Zone
ldap_ip_int: 127.0.0.1
# Basis-Informationen der LDAP Konfiguration
ldap_org: Warpzone TEST
ldap_domain: warpzone-test.ms
ldap_base_dn: dc=warpzone-test,dc=ms
ldap_admin_bind_dn: cn=admin,dc=warpzone-test,dc=ms
ldap_readonly_bind_dn: cn=readonly,dc=warpzone-test,dc=ms
# SMTP Settings
smtp_host: smtp.warpzone.ms
smtp_port: 25
noreply_email_user: noreply@warpzone.ms
...@@ -5,9 +5,10 @@ ...@@ -5,9 +5,10 @@
roles: roles:
- { role: ../common/docker, tags: docker } - { role: ../common/docker, tags: docker }
- { role: ../common/nginx, tags: nginx } - { role: ../common/nginx, tags: nginx }
- { role: ../webserver/docker_jabber, tags: jabber }
- { role: ../webserver/docker_ldap, tags: ldap } - { role: ../webserver/docker_ldap, tags: ldap }
- { role: ../webserver/docker_warpinfra, tags: warpinfra }
- { role: ../webserver/docker_wordpress, tags: wordpress } - { role: ../webserver/docker_wordpress, tags: wordpress }
- { role: docker_mail, tags: mail }
# - { role: docker_mail, tags: mail }
# - { role: ../webserver/docker_jabber, tags: jabber }
# - { role: ../webserver/docker_warpinfra, tags: warpinfra }
...@@ -41,3 +41,18 @@ ...@@ -41,3 +41,18 @@
docker_service: docker_service:
project_src: /srv/jabber/ project_src: /srv/jabber/
state: present state: present
# Letsencrypt
- name: LetsEncrypt Renewal Hook erstellen
file:
path: "/etc/letsencrypt/renewal-hooks/deploy"
state: directory
recurse: yes
- name: LetsEncrypt Renewal Hook erstellen
template:
src: certbot-hook.sh
dest: /etc/letsencrypt/renewal-hooks/deploy/jabber.sh
mode: o+x
register: letsencryptsh
notify: restart nginx
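Review bot: `mode: o+x` on the `certbot-hook.sh` template adds the execute bit for "other" only; on a freshly created file the symbolic mode is applied relative to the umask-derived default (typically `0644`), so the deploy hook ends up as `0645` and owner/group never get `x` — root still runs it because one execute bit is set, but that is accidental, and `mode: "0755"` states the intent. Both tasks carry the name `LetsEncrypt Renewal Hook erstellen`, which makes play output ambiguous; naming the first one `LetsEncrypt Renewal Hook Verzeichnis erstellen` would help. `register: letsencryptsh` is not referenced anywhere in the hunk, and `recurse: yes` is better written `recurse: true`. The handler notified is `restart nginx` although the hook belongs to the jabber role; if a prosody reload is what is intended, the notify should point at that handler.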
#!/bin/bash
# Certbot Renewal Hook to reload jabber when a certificate is renewed
# TODO: command per docker exec im container ausführen
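Review bot: The hook body is only the TODO comment, so after a renewal nothing signals the prosody container and it keeps serving the old certificate until someone restarts it; until the `docker exec` command is written, a comment stating that consequence, e.g. `# NOTE: no reload yet — prosody must be restarted manually after renewal`, would make the gap visible to whoever reads the deploy directory. The script also has no `set -euo pipefail`, which the sibling nginx hook in this commit lacks as well; with it, a failed reload is reported by certbot instead of being silently ignored.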
...@@ -15,9 +15,10 @@ services: ...@@ -15,9 +15,10 @@ services:
- /srv/jabber/logs:/var/log/prosody - /srv/jabber/logs:/var/log/prosody
- /srv/jabber/data:/var/lib/prosody - /srv/jabber/data:/var/lib/prosody
# mount the certificates created by lets encrypt # mount the certificates created by lets encrypt
- /etc/ssl/key.pem:/etc/prosody/certs/jabber.warpzone.ms.key - /etc/letsencrypt/live/jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/jabber.warpzone.ms.key
- /etc/ssl/fullchain.pem:/etc/prosody/certs/jabber.warpzone.ms.crt - /etc/letsencrypt/live/jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/jabber.warpzone.ms.crt
- /etc/ssl/key.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.key - /etc/letsencrypt/live/muc.jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.key
- /etc/ssl/fullchain.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.crt - /etc/letsencrypt/live/muc.jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.crt
- /etc/ssl/key.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.key - /etc/letsencrypt/live/proxy.jabber.warpzone.ms/privkey.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.key
- /etc/ssl/fullchain.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.crt - /etc/letsencrypt/live/proxy.jabber.warpzone.ms/fullchain.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.crt
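Review bot: On a default certbot layout `/etc/letsencrypt/live/<name>/privkey.pem` and `fullchain.pem` are symlinks into `/etc/letsencrypt/archive/<name>/`, so bind-mounting the individual files gives the container dangling links (the target path does not exist inside it); and even where they resolve, Docker binds the inode present at start time, so a renewal that rotates the symlink is not seen until the container is recreated. Mounting the two directories read-only, `/etc/letsencrypt/live:/etc/letsencrypt/live:ro` and `/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro`, and adjusting the prosody certificate paths accordingly avoids both problems, and the renewal hook added in this commit then only needs to reload prosody. If the live files on these hosts are plain copies rather than symlinks, only the second point applies.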
--- ---
# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen
# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets
# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden
# Die Daten, die von Slurp gelesen werden sind Base64 codiert
# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden
- name: get secrets from server 1 - include_tasks: ../functions/get_secret.yml
slurp: src={{ item }}
with_items: with_items:
- /srv/ldap/secret/ldap_admin_pass - { path: /srv/ldap/ldap_admin_pass, length: 24 }
- /srv/ldap/secret/ldap_readonly_pass - { path: /srv/ldap/ldap_config_pass, length: 24 }
register: ldap_secrets - { path: /srv/ldap/ldap_readonly_pass, length: 24 }
- name: get secrets from server 2
set_fact:
ldap_admin_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
ldap_readonly_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
- name: create folder struct for ldap - name: create folder struct for ldap
file: file:
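Review bot: The secret files move from `/srv/ldap/secret/<name>` (the old `slurp` list) to `/srv/ldap/<name>` in the `get_secret.yml` include, and `ldap_config_pass` is new; if `get_secret.yml` generates a value of `length` when the file is absent (inferred from the parameter — the include itself is not in this diff), a host that still keeps its passwords under `/srv/ldap/secret/` would receive fresh `ldap_admin_pass` / `ldap_readonly_pass` values that no longer match the directory already in `/srv/ldap/database`. A one-off migration task, or at least a comment such as `# Secrets live in /srv/ldap/<name>; existing servers must move them out of /srv/ldap/secret/`, would make the rename safe. The comment block above describes the slurp/base64 mechanism that this hunk removes; if it survives on the new side it should be rewritten around `get_secret.yml`.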
...@@ -6,28 +6,34 @@ services: ...@@ -6,28 +6,34 @@ services:
openldap: openldap:
image: osixia/openldap:1.1.10 image: osixia/openldap:1.1.10
restart: always restart: always
hostname: "{{ ldap_ip_ext }}"
ports: ports:
- "{{ ldap_ip_ext }}:389:389" - "{{ ldap_ip_ext }}:{{ ldap_port_default }}:389"
- "{{ ldap_ip_ext }}:636:636" - "{{ ldap_ip_ext }}:{{ ldap_port_secure }}:636"
volumes: volumes:
- /srv/ldap/database:/var/lib/ldap - /srv/ldap/database:/var/lib/ldap
- /srv/ldap/config:/etc/ldap/slapd.d - /srv/ldap/config:/etc/ldap/slapd.d
environment: environment:
- LDAP_ORGANISATION=Warpzone - LDAP_ORGANISATION="{{ ldap_org }}"
- LDAP_DOMAIN=warpzone.ms - LDAP_DOMAIN="{{ ldap_domain }}"
- LDAP_ADMIN_PASSWORD="{{ ldap_admin_pass }}" - LDAP_ADMIN_PASSWORD="{{ ldap_admin_pass }}"
- LDAP_CONFIG_PASSWORD="{{ ldap_config_pass }}"
- LDAP_READONLY_USER=true - LDAP_READONLY_USER=true
- LDAP_READONLY_USER_USERNAME=readonly - LDAP_READONLY_USER_USERNAME=readonly
- LDAP_READONLY_USER_PASSWORD="{{ ldap_readonly_pass }}" - LDAP_READONLY_USER_PASSWORD="{{ ldap_readonly_pass }}"
- LDAP_REPLICATION=true
- LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}']"
phpldapadmin: # - LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}','ldap://{{ ldap_ip_int }}:{{ ldap_port_default }}']"
image: osixia/phpldapadmin:0.7.1
restart: always phpldapadmin:
depends_on: image: osixia/phpldapadmin:0.7.1
- openldap restart: always
ports: depends_on:
- 127.0.0.1:42004:80 - openldap
environment: ports:
- PHPLDAPADMIN_LDAP_HOSTS=openldap - 127.0.0.1:42004:80
- PHPLDAPADMIN_HTTPS=false environment:
- PHPLDAPADMIN_TRUST_PROXY_SSL=true - PHPLDAPADMIN_LDAP_HOSTS=openldap
- PHPLDAPADMIN_HTTPS=false
- PHPLDAPADMIN_TRUST_PROXY_SSL=true
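Review bot: `LDAP_REPLICATION=true` is enabled while `LDAP_REPLICATION_HOSTS` lists only `ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}` — the container's own published port — and the two-host variant with `ldap_ip_int` stays commented out; `group_vars/all` in this commit sets `ldap_ip_int` to the same address and marks it unused. A single self-referencing entry yields no replication, only an extra consumer connection to itself, so keeping `LDAP_REPLICATION=false` until a second host exists, with `# enable once ldap_ip_int points to a real replica`, would be clearer. `hostname: "{{ ldap_ip_ext }}"` sets the container hostname to an IP address, which is unusual enough to deserve a comment on why it is needed. It is also worth verifying that the double quotes in the new `LDAP_ORGANISATION="{{ ldap_org }}"` and `LDAP_DOMAIN="{{ ldap_domain }}"` are stripped somewhere — in the list form of compose `environment` the value is passed literally, quotes included, unless the image removes them.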
...@@ -27,23 +27,23 @@ MYSQL_NAME = warpinfra ...@@ -27,23 +27,23 @@ MYSQL_NAME = warpinfra
[ldap] [ldap]
LDAP_HOST = {{ ldap_ip_ext }} LDAP_HOST = {{ ldap_ip_ext }}
LDAP_BIND_DN = cn=admin,dc=warpzone,dc=ms LDAP_BIND_DN = {{ ldap_admin_bind_dn }}
LDAP_PASSWORD = {{ ldap_admin_pass }} LDAP_PASSWORD = {{ ldap_admin_pass }}
LDAP_USER_SEARCH_PATH = ou=users,dc=warpzone,dc=ms LDAP_USER_SEARCH_PATH = ou=users,{{ ldap_base_dn }}
LDAP_GROUP_SEARCH_PATH = dc=warpzone,dc=ms LDAP_GROUP_SEARCH_PATH = {{ ldap_base_dn }}
LDAP_USER_SEARCH_FILTER = (uid=%(user)s) LDAP_USER_SEARCH_FILTER = (uid=%(user)s)
LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,dc=warpzone,dc=ms LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,{{ ldap_base_dn }}
LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,{{ ldap_base_dn }}
LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,{{ ldap_base_dn }}
[email] [email]
SMTP_HOST = smtp.warpzone.ms SMTP_HOST = {{ smtp_host }}
SMTP_PORT = 25 SMTP_PORT = {{ smtp_port }}
SMTP_USERNAME = noreply@warpzone.ms SMTP_USERNAME = {{ noreply_email_user }}
SMTP_PASSWORD = {{ noreply_email_pass }} SMTP_PASSWORD = {{ noreply_email_pass }}
SMTP_EMAIL_FROM = infra@warpzone.ms SMTP_EMAIL_FROM = {{ noreply_email_user }}
SMTP_USE_TLS = True SMTP_USE_TLS = True
SUBJECT_PREFIX = '' SUBJECT_PREFIX = ''
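Review bot: `LDAP_BIND_DN = {{ ldap_admin_bind_dn }}` makes warpinfra bind with the directory admin account, while `group_vars/all` in this commit also defines `ldap_readonly_bind_dn` (with `ldap_readonly_pass` provisioned by the same `get_secret.yml` include); if the application only authenticates users and reads groups, the read-only bind is the least-privilege choice and limits what a compromised web app can do to the directory. If warpinfra does write to LDAP, a comment next to the line such as `# admin bind required: warpinfra creates/modifies user entries` documents why the broader credential is needed. Separately, `SMTP_EMAIL_FROM` changes from the literal `infra@warpzone.ms` to `{{ noreply_email_user }}`; that may be intended, but no variable preserves the previous sender.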
--- ---
- name: get secrets from server 1
slurp: src={{ item }}
with_items:
- /srv/wordpress/mysql_root_pass
- /srv/wordpress/mysql_user_pass
register: wordpress_secrets
- name: get secrets from server 2
set_fact:
mysql_root_pass: "{{ wordpress_secrets.results | selectattr('item', 'equalto', '/srv/wordpress/mysql_root_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
mysql_user_pass: "{{ wordpress_secrets.results | selectattr('item', 'equalto', '/srv/wordpress/mysql_user_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/wordpress/mysql_root_pass, length: 24 }
- { path: /srv/wordpress/mysql_user_pass, length: 12 }
- name: create folder struct for wordpress - name: create folder struct for wordpress
file: file:
path: "{{ item }}" path: "{{ item }}"
...@@ -24,12 +18,16 @@ ...@@ -24,12 +18,16 @@
- "/srv/wordpress/db/" - "/srv/wordpress/db/"
- name: create config files - name: create config files
template: src={{ item }} dest=/srv/wordpress/config/{{ item }} template:
src: "{{ item }}"
dest: "/srv/wordpress/config/{{ item }}"
with_items: with_items:
- uploads.ini - uploads.ini
- name: create config file - name: create config file
template: src={{ item }} dest=/srv/wordpress/{{ item }} template:
src: "{{ item }}"
dest: "/srv/wordpress/{{ item }}"
with_items: with_items:
- docker-compose.yml - docker-compose.yml
#!/bin/bash
# Certbot Renewal Hook to reload nginx when a certificate is renewed
systemctl reload nginx
server {
listen 80 default_server;
listen [::]:80 default_server;
{% if nginx_https == True %}
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
{% if 'test' in inventory_hostname %}
ssl_certificate /etc/letsencrypt/live/www.test.warpzone.ms/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.test.warpzone.ms/privkey.pem;
{% else %}
ssl_certificate /etc/letsencrypt/live/www.warpzone.ms/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.warpzone.ms/privkey.pem;
{% endif %}
{% endif %}
server_name _;
root /dev/null;
{% if 'test' in inventory_hostname %}
location / {
rewrite ^(.*) https://www.test.warpzone.ms$1 permanent;
}
{% else %}
location / {
rewrite ^(.*) https://www.warpzone.ms$1 permanent;
}
{% endif %}
}
server {
listen 9145;
location /status {
# Turn on nginx stats
stub_status on;
# I do not need logs for stats
access_log off;
# Security: Only allow access from
allow 127.0.0.1;
# Send rest of the world to /dev/null #
deny all;
}
}
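Review bot: `{% if nginx_https == True %}` only holds when `nginx_https` is a real boolean; a value coming from an INI inventory or `-e nginx_https=true` is the string `"true"`, which compares unequal to `True` and silently renders the HTTP-only server, so `{% if nginx_https | bool %}` is the robust form. The `stub_status` server on `listen 9145;` binds every interface and relies on `allow 127.0.0.1; deny all;`, whereas `listen 127.0.0.1:9145;` keeps the port off the external interfaces altogether — the telegraf input added in this commit already polls `http://127.0.0.1:9145/status`, so nothing else needs the wider bind. For the redirect, `return 301 https://www.warpzone.ms$request_uri;` is the idiomatic replacement for `rewrite ^(.*) https://www.warpzone.ms$1 permanent;` and avoids the regex capture. No `ssl_protocols` / `ssl_ciphers` appear in this default server; if they are set globally in nginx.conf a one-line comment saying so would help, otherwise the block inherits nginx's built-in defaults.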
# Read Nginx's basic status information (ngx_http_stub_status_module)
[[inputs.nginx]]
## An array of Nginx stub_status URI to gather stats.
urls = ["http://127.0.0.1:9145/status"]
## HTTP response timeout (default: 5s)
response_timeout = "5s"