diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint index 4d1c4c0ddecb2f5ce34f4a9f057368e340d334f9..1a64c61af50d215f99ef8a60f5cbdd1691a6303a 100644 --- a/host_vars/warpsrvint +++ b/host_vars/warpsrvint @@ -9,11 +9,18 @@ debian_sources: - "deb http://debian.uni-duisburg-essen.de/debian/ jessie main non-free contrib" - "deb http://security.debian.org/ jessie/updates main contrib non-free" - "deb http://debian.uni-duisburg-essen.de/debian/ jessie-updates main contrib non-free" + - "deb https://apt.dockerproject.org/repo debian-jessie main" + - "deb http://http.debian.net/debian wheezy-backports main" debian_keys: +webserver_domains: + - "infra" + - "infra-test" + administratorenteam: - "void" + - "dray" - "sandhome" - "sandmobil" # - "ennox" (ssh key fehlt noch) diff --git a/hosts b/hosts index f8dbda9012b5dd3d35d21c8052e596ddefff2c9f..2daa4fc751358e252f2c29b576d617fc4458563b 100644 --- a/hosts +++ b/hosts @@ -4,11 +4,8 @@ # Interner Server Warpzone # Umgebaute Watchguard im Serverschrank -# Die KVM Verwaltung erfolgt aktuell noch manuell -warpsrvint ansible_ssh_host=192.168.0.103 - -# Server für Interne Dienste -# warpsrvint ansible_ssh_host=192.168.0.103 +# https://wiki.warpzone.ms/intern:warpzone_internal_it_infrastructure#host_fuer_interne_dienste_watchguard_xtm_505 +warpsrvint ansible_ssh_host=192.168.0.201 # Öffentlicher Server Warpzone # Webserver im Rechnzentrum bei myLoc diff --git a/site.yml b/site.yml index 148ba4e9320aa6e27f7cd8d143d9080060593ca1..dc39bc0f60d5cb9df53a0b501e5179ca78bb79b9 100644 --- a/site.yml +++ b/site.yml @@ -4,6 +4,7 @@ - include: all/main.yml - include: vorstandspi/main.yml - include: warphab/main.yml +- include: warpsrvint/main.yml - include: webserver/main.yml diff --git a/warpsrvint/docker/tasks/main.yml b/warpsrvint/docker/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..2d93189f719848d73399a075ffca75864e2ec303 --- /dev/null +++ b/warpsrvint/docker/tasks/main.yml 
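Review bot: The new `- "deb http://http.debian.net/debian wheezy-backports main"` entry mixes the previous release's backports into a host whose other sources are all jessie; wheezy-backports packages are built against wheezy, and the backports suite that matches the rest of this list is `jessie-backports`. If one specific package is wanted from there, the usual shape is an apt preference pinning just that package so the suite does not become a general upgrade source. The Docker repository is added to `debian_sources` here but its signing key is installed by the new docker role rather than through the `debian_keys:` list (which stays a bare key, i.e. `null`), so a one-line comment such as `# Docker-Repo-Key wird in der Rolle docker installiert` would keep the two in sync for the next reader.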
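Review bot: The rewritten inventory line `warpsrvint ansible_ssh_host=192.168.0.201` keeps `ansible_ssh_host`, which Ansible 2.0 deprecated in favour of `ansible_host`; the `docker_container` module used by the new roles in this commit needs 2.1 or later anyway, so the current name is available and `warpsrvint ansible_host=192.168.0.201` avoids the deprecation warning. The old commented duplicate entry is dropped, which is good; the wiki link in the remaining comment is the only record of why the address changed, so a short in-place note like `# neue Adresse seit Umzug auf die XTM 505, siehe Wiki` would survive a dead link.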
@@ -0,0 +1,23 @@ +--- + +- name: add docker repo key + apt_key: + keyserver: "hkp://p80.pool.sks-keyservers.net:80" + id: 58118E89F3A912897C070ADBF76221572C52609D + +- name: install deb packages + apt: + pkg: "{{ item }}" + update_cache: yes + state: installed + with_items: + - docker-engine + - python + - python-pip + +- name: install pip packages + pip: + name: docker-py + version: 1.7.2 + state: present + diff --git a/warpsrvint/docker_ldap/tasks/main.yml b/warpsrvint/docker_ldap/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..66388402d6fffffcf768a0641e695eea3b4a5b7d --- /dev/null +++ b/warpsrvint/docker_ldap/tasks/main.yml 
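Review bot: The `add docker repo key` task fetches the signing key over plain HKP from a third-party pool (`keyserver: "hkp://p80.pool.sks-keyservers.net:80"`); the full fingerprint in `id` lets `apt_key` verify what it received, but the lookup itself is unauthenticated and depends on that pool being reachable. `apt_key` also accepts `url:`, so the key can be fetched over HTTPS from the vendor's repository instead, e.g. `url: "<DOCKER-REPO-GPG-URL>"` together with the same `id`. `state: installed` and `update_cache: yes` in the `install deb packages` task are legacy spellings accepted as aliases; `state: present` and `update_cache: true` are the documented forms. The host_vars change puts the Docker repo into `debian_sources`, so any role that runs `apt` with `update_cache` before this key lands would fail on the unsigned repo; a comment on the first task, `# muss vor jedem apt-Update laufen, sobald das Docker-Repo in debian_sources steht`, makes that ordering dependency explicit.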
@@ -0,0 +1,67 @@ +--- +# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen +# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets +# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden +# Die Daten, die von Slurp gelesen werden sind Base64 codiert +# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden + +- name: get secrets from server 1 + slurp: src={{ item }} + with_items: + - /srv/ldap/secret/ldap_admin_pass + - /srv/ldap/secret/ldap_readonly_pass + register: ldap_secrets + +- name: get secrets from server 2 + set_fact: + ldap_admin_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + ldap_readonly_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + +- name: create folder struct for ldap + file: + path: "/srv/ldap" + state: "directory" + +- name: create folder struct for ldap + file: + path: "/srv/ldap/database" + state: "directory" + +- name: create folder struct for ldap + file: + path: "/srv/ldap/config" + state: "directory" + +- name: start ldap docker + docker_container: + name: ldap-service + image: osixia/openldap:1.1.6 + hostname: ldap-service + state: started + restart_policy: always + volumes: + - /srv/ldap/database:/var/lib/ldap + - /srv/ldap/config:/etc/ldap/slapd.d + env: + LDAP_ORGANISATION: Warpzone + LDAP_DOMAIN: warpzone.ms + LDAP_ADMIN_PASSWORD: "{{ ldap_admin_pass }}" + LDAP_READONLY_USER: true + LDAP_READONLY_USER_USERNAME: readonly + LDAP_READONLY_USER_PASSWORD: "{{ ldap_readonly_pass }}" + +- name: start phpldapadmin docker + docker_container: + name: phpldapadmin-app + image: osixia/phpldapadmin:0.6.11 + state: started + 
restart_policy: always + env: + PHPLDAPADMIN_LDAP_HOSTS: ldap-host + PHPLDAPADMIN_HTTPS: false + PHPLDAPADMIN_TRUST_PROXY_SSL: true + links: + - ldap-service:ldap-host + ports: + - 127.0.0.1:42004:80 + diff --git a/warpsrvint/docker_warpinfra/tasks/main.yml b/warpsrvint/docker_warpinfra/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..91ff7c7ca4c5d02af54d6a221e452f15e2b7abe3 --- /dev/null +++ b/warpsrvint/docker_warpinfra/tasks/main.yml 
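Review bot: Neither `get secrets from server 1` nor `get secrets from server 2` sets `no_log: true`, so the base64 file contents in `ldap_secrets` and the decoded `ldap_admin_pass`/`ldap_readonly_pass` are written to verbose play output and to any callback or logging plugin that records task results; the same applies to the corresponding two tasks in the docker_warpinfra and docker_warpinfratest hunks. The header comment says the values are cached in `gitlab_secrets`, but the registered variable here is `ldap_secrets`; `# Auslesen der Dateien vom Server, zwischengespeichert wird in der Variable ldap_secrets` keeps the comment truthful (the two other task files carry the same stale name). In the `env:` maps, `LDAP_READONLY_USER: true`, `PHPLDAPADMIN_HTTPS: false` and `PHPLDAPADMIN_TRUST_PROXY_SSL: true` are YAML booleans rather than strings, and how `docker_container` renders those into the container environment varies by Ansible version, so the quoted forms `"true"`/`"false"` are the safe spelling. `PHPLDAPADMIN_TRUST_PROXY_SSL` with HTTPS disabled assumes a TLS-terminating proxy in front of `127.0.0.1:42004`, while the nginx-site template in this commit has its TLS listeners commented out, so if this role were enabled the admin login would currently travel in clear end to end.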
@@ -0,0 +1,104 @@ +--- +# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen +# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets +# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden +# Die Daten, die von Slurp gelesen werden sind Base64 codiert +# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden + +- name: get secrets from server 1 + slurp: src={{ item }} + with_items: + - /srv/ldap/secret/ldap_admin_pass + - /srv/ldap/secret/ldap_readonly_pass + - /srv/warpinfra/secret/web_secret_key + - /srv/warpinfra/secret/mysql_root_pw + - /srv/warpinfra/secret/mysql_user_pw + register: warpinfra_secrets + +- name: get secrets from server 2 + set_fact: + ldap_admin_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + ldap_readonly_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + web_secret_key: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/web_secret_key') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + mysql_root_pw: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/mysql_root_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + mysql_user_pw: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/mysql_user_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + +- name: create folder struct for warpinfra + file: + path: "/tmp/warpinfra_docker/" + state: "directory" + +- name: create folder struct for warpinfra + file: + path: 
"/srv/warpinfra/etc" + state: "directory" + +- name: create folder struct for warpinfra + file: + path: "/srv/warpinfra/data" + state: "directory" + +- name: create folder struct for warpinfra + file: + path: "/srv/warpinfra/log" + state: "directory" + +- name: Konfig-Datei erstellen + template: + src: "config.ini" + dest: "/srv/warpinfra/etc/config.ini" + +- name: clone repo + git: + repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git" + version: "1.1" + dest: "/tmp/warpinfra_docker" + force: "yes" + register: gitclone + +- name: clone repo status + debug: + msg: "{{gitclone}}" + +# commit id in den Namen des Image einbeziehen +# als tag scheint von docker_image nicht korrekt gesetzt zu werden + +- name: build the image + docker_image: + name: "warpinfra-app-{{ gitclone.after }}" + path: /tmp/warpinfra_docker/www/ + state: present + + +- name: start warpinfra-db docker + docker_container: + name: warpinfra-db + image: mariadb:10.1 + state: started + interactive: yes + restart_policy: always + volumes: + - /srv/warpinfratest/db/:/var/lib/mysql + env: + MYSQL_DATABASE=warpinfra + MYSQL_USER=warpinfra + MYSQL_PASSWORD={{ mysql_user_pw }} + MYSQL_ROOT_PASSWORD={{ mysql_root_pw }} + + +- name: start warpinfra docker + docker_container: + name: warpinfra-app + image: "warpinfra-app-{{ gitclone.after }}" + state: started + interactive: yes + restart_policy: always + volumes: + - /tmp/warpinfra:/opt/socket + - /srv/warpinfra/etc:/etc/warpinfra + - /srv/warpinfra/data:/opt/database + - /srv/warpinfra/log:/opt/log + links: + - warpinfra-test-db:mysql +# - ldap-service:ldap + diff --git a/warpsrvint/docker_warpinfra/templates/config.ini b/warpsrvint/docker_warpinfra/templates/config.ini new file mode 100644 index 0000000000000000000000000000000000000000..3da2346ca5d0fa8f8790598f47feb96bbd48688b --- /dev/null +++ b/warpsrvint/docker_warpinfra/templates/config.ini 
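Review bot: In `start warpinfra-db docker` the `env:` value is written as indented lines without colons (`MYSQL_DATABASE=warpinfra` …), which YAML folds into a single plain scalar rather than the mapping `docker_container` expects (compare the `KEY: value` form used in the docker_ldap hunk), so the database comes up without the intended credentials or the task fails; the docker_warpinfratest hunk has the same `env:` block. The production DB also mounts `/srv/warpinfratest/db/` and the app links `warpinfra-test-db:mysql`, i.e. this role wires the production app to the test database and test data directory even though it starts `warpinfra-db` itself. Separately, the `Konfig-Datei erstellen` template task writes a `config.ini` containing `web_secret_key` and `ldap_admin_pass` without a `mode:`, so the file takes the default umask (commonly world-readable); `mode: "0640"` with an appropriate owner/group limits that, here and in the docker_warpinfratest hunk. The rewritten pieces of the two container tasks are below.
```yaml
- name: start warpinfra-db docker
  docker_container:
    # … unchanged: name, image, state, interactive, restart_policy …
    volumes:
      # constructed by analogy with /srv/warpinfra/etc — confirm the intended data dir
      - /srv/warpinfra/db/:/var/lib/mysql
    env:
      MYSQL_DATABASE: warpinfra
      MYSQL_USER: warpinfra
      MYSQL_PASSWORD: "{{ mysql_user_pw }}"
      MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}"

- name: start warpinfra docker
  docker_container:
    # … unchanged: name, image, state, interactive, restart_policy, volumes …
    links:
      - warpinfra-db:mysql
```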
@@ -0,0 +1,41 @@ + +[common] +# Possible Apps: warpmain, warpauth, warpfood, warpapi, warppay +APPS = warpmain, warpauth, warppay + +[debug] +DEBUG = False + +[security] +SECRET_KEY = '{{ web_secret_key }}' +PW_RESET_TOKEN_LIFETIME = 5 +ALLOWED_HOSTS = infra.warpzone + +[mattermost] +API_KEY = '' + +[ldap] +LDAP_HOST = 10.0.20.2 +LDAP_BIND_DN = cn=admin,dc=warpzone,dc=ms +LDAP_PASSWORD = {{ ldap_admin_pass }} + +LDAP_USER_SEARCH_PATH = ou=users,dc=warpzone,dc=ms +LDAP_GROUP_SEARCH_PATH = dc=warpzone,dc=ms +LDAP_USER_SEARCH_FILTER = (uid=%(user)s) + +LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,dc=warpzone,dc=ms +LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms +LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms + +[email] +SMTP_ENABLED = False +SMTP_HOST = smtp.warpzone.ms +SMTP_PORT = 25 +SMTP_USERNAME = '' +SMTP_PASSWORD = '' +SMTP_EMAIL_FROM = '' +SMTP_USE_TLS = True +SUBJECT_PREFIX = '' + +[misc] +LOG_PATH = /opt/log/ diff --git a/warpsrvint/docker_warpinfratest/tasks/main.yml b/warpsrvint/docker_warpinfratest/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..65431bf5f6972c0380ea918a7f1aa35ae79aafeb --- /dev/null +++ b/warpsrvint/docker_warpinfratest/tasks/main.yml 
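Review bot: `ALLOWED_HOSTS = infra.warpzone` does not match the name nginx will present, which the nginx-site template renders as `{{ item }}.warpzone.ms`, i.e. `infra.warpzone.ms`; if this is Django's ALLOWED_HOSTS (the nginx include comments refer to a Django project), requests arriving through the proxy would be rejected, so `ALLOWED_HOSTS = infra.warpzone.ms` looks intended. `LDAP_PASSWORD = {{ ldap_admin_pass }}` is rendered unquoted while `SECRET_KEY` is quoted; `%(user)s` interpolation syntax appears a few lines further down, so a password containing `%` could break parsing, and quoting it like `SECRET_KEY` or documenting the constraint avoids a surprise at rotation time. The application binds as `cn=admin,dc=warpzone,dc=ms` although a read-only LDAP account is provisioned and its password is slurped in the tasks file; if the app only performs lookups the read-only bind is the least-privilege choice, and if warpauth genuinely needs write access a comment such as `# Admin-Bind nötig, weil warpauth LDAP-Benutzer verwaltet` records why.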
@@ -0,0 +1,103 @@ +--- +# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen +# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets +# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden +# Die Daten, die von Slurp gelesen werden sind Base64 codiert +# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden + +- name: get secrets from server 1 + slurp: src={{ item }} + with_items: + - /srv/ldap/secret/ldap_admin_pass + - /srv/ldap/secret/ldap_readonly_pass + - /srv/warpinfratest/secret/web_secret_key + - /srv/warpinfratest/secret/mysql_root_pw + - /srv/warpinfratest/secret/mysql_user_pw + register: warpinfratest_secrets + +- name: get secrets from server 2 + set_fact: + ldap_admin_pass: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + ldap_readonly_pass: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + web_secret_key: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/web_secret_key') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + mysql_root_pw: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/mysql_root_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + mysql_user_pw: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/mysql_user_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + +- name: create folder struct for warpinfratest + file: + path: "/tmp/warpinfratest_docker/" + state: "directory" + +- name: 
create folder struct for warpinfratest + file: + path: "/srv/warpinfratest/etc" + state: "directory" + +- name: create folder struct for warpinfratest + file: + path: "/srv/warpinfratest/data" + state: "directory" + +- name: create folder struct for warpinfratest + file: + path: "/srv/warpinfratest/log" + state: "directory" + +- name: Konfig-Datei erstellen + template: + src: "config.ini" + dest: "/srv/warpinfratest/etc/config.ini" + +- name: clone repo + git: + repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git" + dest: "/tmp/warpinfratest_docker" + force: "yes" + register: gitclone + +- name: clone repo status + debug: + msg: "{{gitclone}}" + +# commit id in den Namen des Image einbeziehen +# als tag scheint von docker_image nicht korrekt gesetzt zu werden + +- name: build the image + docker_image: + name: "warpinfra-test-{{ gitclone.after }}" + path: /tmp/warpinfratest_docker/www/ + state: present + + +- name: start warpinfratest-db docker + docker_container: + name: warpinfra-test-db + image: mariadb:10.1 + state: started + interactive: yes + restart_policy: always + volumes: + - /srv/warpinfratest/db/:/var/lib/mysql + env: + MYSQL_DATABASE=warpinfra + MYSQL_USER=warpinfra + MYSQL_PASSWORD={{ mysql_user_pw }} + MYSQL_ROOT_PASSWORD={{ mysql_root_pw }} + + +- name: start warpinfratest-app docker + docker_container: + name: warpinfra-test + image: "warpinfra-test-{{ gitclone.after }}" + state: started + interactive: yes + restart_policy: always + volumes: + - /tmp/warpinfratest:/opt/socket + - /srv/warpinfratest/etc:/etc/warpinfra + - /srv/warpinfratest/data:/opt/database + - /srv/warpinfratest/log:/opt/log + links: + - warpinfra-test-db:mysql +# - ldap-service:ldap + diff --git a/warpsrvint/docker_warpinfratest/templates/config.ini b/warpsrvint/docker_warpinfratest/templates/config.ini new file mode 100644 index 0000000000000000000000000000000000000000..3a9f596d8d09af3aea6a3e33094bdd23b1eddc0d --- /dev/null 
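Review bot: The `clone repo` task here has no `version:`, unlike the production copy in the docker_warpinfra hunk which pins `"1.1"`, so the test image is built from whatever the remote's default branch points at when the play runs and `gitclone.after` changes with every push. If tracking the branch tip is intended for the test instance, record it in place, `# absichtlich ungepinnt: Test-Instanz folgt dem aktuellen Branch-Stand`; otherwise pin a branch or tag with `version:`. The `clone repo status` debug task dumps the full git result on every run; a `when: gitclone.changed` keeps that to runs that actually fetched something.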
+++ b/warpsrvint/docker_warpinfratest/templates/config.ini @@ -0,0 +1,41 @@ + +[common] +# Possible Apps: warpmain, warpauth, warpfood, warpapi, warppay +APPS = warpmain, warpauth, warppay + +[debug] +DEBUG = True + +[security] +SECRET_KEY = '{{ web_secret_key }}' +PW_RESET_TOKEN_LIFETIME = 5 +ALLOWED_HOSTS = infra-test.warpzone + +[mattermost] +API_KEY = '' + +[ldap] +LDAP_HOST = 10.0.20.2 +LDAP_BIND_DN = cn=admin,dc=warpzone,dc=ms +LDAP_PASSWORD = {{ ldap_admin_pass }} + +LDAP_USER_SEARCH_PATH = ou=users,dc=warpzone,dc=ms +LDAP_GROUP_SEARCH_PATH = dc=warpzone,dc=ms +LDAP_USER_SEARCH_FILTER = (uid=%(user)s) + +LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,dc=warpzone,dc=ms +LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms +LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms + +[email] +SMTP_ENABLED = False +SMTP_HOST = smtp.warpzone.ms +SMTP_PORT = 25 +SMTP_USERNAME = '' +SMTP_PASSWORD = '' +SMTP_EMAIL_FROM = '' +SMTP_USE_TLS = True +SUBJECT_PREFIX = '[TEST] ' + +[misc] +LOG_PATH = /opt/log/ diff --git a/warpsrvint/main.yml b/warpsrvint/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..ef5e2475190d8f4be123ab4c85ad4080f8500534 --- /dev/null +++ b/warpsrvint/main.yml @@ -0,0 +1,11 @@ +--- + +- hosts: warpsrvint + remote_user: root + roles: + - { role: nginx, tags: nginx } + - { role: docker, tags: docker } +# - { role: docker_ldap, tags: ldap } + - { role: docker_warpinfra, tags: warpinfra } + - { role: docker_warpinfratest, tags: warpinfratest } + diff --git a/warpsrvint/nginx/handlers/main.yml b/warpsrvint/nginx/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..92971d2cdf145a0108a354b0c6c9e9aef0dd0464 --- /dev/null +++ b/warpsrvint/nginx/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart nginx + service: name=nginx state=restarted 
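Review bot: `DEBUG = True` in a config that the nginx role exposes as `infra-test.warpzone.ms` on port 80 means, if this is Django's DEBUG, that unhandled errors render full tracebacks, local variables and settings to any client that reaches the host. A test instance stays debuggable with `DEBUG = False` plus the `LOG_PATH` already configured in `[misc]`, or by restricting the vhost to internal source addresses in the nginx include. The `ALLOWED_HOSTS = infra-test.warpzone` value has the same suffix mismatch as the production config against the served name `infra-test.warpzone.ms`, and `LDAP_PASSWORD` is again rendered unquoted while `SECRET_KEY` is quoted.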
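Review bot: `remote_user: root` runs every role in this play over a direct root SSH login, which requires root login to be permitted on the host and leaves no per-operator trail in its auth log; a named deploy user with `become: true` is the usual shape, and the `administratorenteam` list in host_vars suggests personal accounts already exist on this host. The commented `docker_ldap` role line is a fine toggle, but the warpinfra config templates hard-code `LDAP_HOST = 10.0.20.2`, so a note next to it such as `# LDAP läuft derzeit nicht hier, sondern auf 10.0.20.2` saves the next reader a search.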
diff --git a/warpsrvint/nginx/includes/infra b/warpsrvint/nginx/includes/infra new file mode 100644 index 0000000000000000000000000000000000000000..040c45651ffacee703c6ff85f9ffa17df6fa5944 --- /dev/null +++ b/warpsrvint/nginx/includes/infra @@ -0,0 +1,12 @@ + + + location /static { + alias /tmp/warpinfra/static; # your Django project's static files - amend as required + } + + location / { + uwsgi_pass unix:///tmp/warpinfra/warpinfra.sock; + include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed + } + + diff --git a/warpsrvint/nginx/includes/infra-test b/warpsrvint/nginx/includes/infra-test new file mode 100644 index 0000000000000000000000000000000000000000..b2d07df0812aa7b90390e3dd972892f1be67e714 --- /dev/null +++ b/warpsrvint/nginx/includes/infra-test @@ -0,0 +1,9 @@ + + location /static { + alias /tmp/warpinfratest/static; # your Django project's static files - amend as required + } + + location / { + uwsgi_pass unix:///tmp/warpinfratest/warpinfra.sock; + include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed + } diff --git a/warpsrvint/nginx/tasks/main.yml b/warpsrvint/nginx/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..fc240e1d9edcfdf9725de148503c93985ba44da8 --- /dev/null +++ b/warpsrvint/nginx/tasks/main.yml @@ -0,0 +1,26 @@ +# Pakete installieren +- name: nginx installieren + apt: + pkg: "{{ item }}" + update_cache: yes + state: installed + with_items: + - nginx + - git + +- name: nginx default Konfig entfernen + file: + path: /etc/nginx/sites-enabled/default + state: absent + + + +# nginx konfigurieren + +- name: Konfig-Datei default erstellen + template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone + with_items: webserver_domains + notify: restart nginx + + + diff --git a/warpsrvint/nginx/templates/nginx-site b/warpsrvint/nginx/templates/nginx-site new file mode 100644 index 0000000000000000000000000000000000000000..1764241a77628007f0fff1b6d7b84f42aef55bfe 
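Review bot: Both `alias /tmp/warpinfra/static;` and `uwsgi_pass unix:///tmp/warpinfra/warpinfra.sock;` place the static root and the uwsgi socket under `/tmp`, a world-writable directory: whichever local process creates `/tmp/warpinfra` first owns it, and nothing in this commit creates that directory with a defined owner (the app container merely bind-mounts it as `/opt/socket`). A service-owned directory, e.g. under `/srv/warpinfra/` next to the existing `etc`/`data`/`log` directories or under `/run`, removes that dependency; the infra-test include has the same layout. The trailing `# your Django project's static files - amend as required` and `# the uwsgi_params file you installed` comments are tutorial leftovers and should be dropped or replaced with what applies here.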
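Review bot: `dest=/etc/nginx/sites-enabled/{{ item }}.wapzone` spells the suffix `wapzone`; nginx does not care about the file name, but it breaks the `warpzone` naming a later maintainer will search for, so `{{ item }}.warpzone` is presumably what was meant. `with_items: webserver_domains` passes a bare variable name; recent Ansible releases warn about or reject that form, and `with_items: "{{ webserver_domains }}"` is the supported spelling. The file also lacks the leading `---` the other task files in this commit start with, and `state: installed` / `update_cache: yes` are the legacy aliases of `present` / `true`.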
--- /dev/null +++ b/warpsrvint/nginx/templates/nginx-site @@ -0,0 +1,37 @@ + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + + listen 80; + listen [::]:80; + + +# listen 443 ssl spdy; +# listen [::]:443 ssl spdy; + +# ssl_certificate /etc/ssl/fullchain.pem; +# ssl_certificate_key /etc/ssl/key.pem; +# ssl_session_cache shared:SSL:5m; +# ssl_session_timeout 5m; +# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; +# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +# ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS"; +# ssl_prefer_server_ciphers on; + + + server_name {{ item }}.warpzone.ms; + root /dev/null; + index index.html; + + location /.well-known/ { + root /var/www/html/; + } + + {% include "includes/" + item ignore missing %} + +} + diff --git a/webserver/docker_warpinfra/tasks/main.yml b/webserver/docker_warpinfra/tasks/main.yml index 8d8f4d1e3be3b54188df9085e9fa8961913abc9f..908887cc84dd09d92332dd675ddd2a9f90fb4583 100644 --- a/webserver/docker_warpinfra/tasks/main.yml +++ b/webserver/docker_warpinfra/tasks/main.yml @@ -51,7 +51,7 @@ - name: clone repo git: repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git" - version: "1.1" +# version: "1.1" dest: "/tmp/warpinfra_docker" force: "yes" register: gitclone
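Review bot: `{% include "includes/" + item ignore missing %}` is resolved against the template search path, and the include files in this commit live in `warpsrvint/nginx/includes/`, a sibling of `templates/`, not inside it; with `ignore missing` a wrong lookup does not fail the play but silently yields a `server` block with no `location /`, so the uwsgi proxying would simply be absent. Dropping `ignore missing` (or keeping it only for domains that intentionally have no include) turns that into a visible error. The server listens only on port 80 because the entire TLS block is commented out, so the Django login and, if re-enabled, the phpldapadmin traffic travel in clear; the `/.well-known/` location suggests ACME issuance is planned, which a comment like `# TLS noch nicht aktiv: Zertifikat via /.well-known/ (ACME) folgt` would record. When that block is revived, the commented `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and the `ssl_ciphers` string should be tightened to TLSv1.2 and newer with a modern cipher list.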
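Review bot: Commenting out `version: "1.1"` makes the production webserver deployment build from the remote's default branch at whatever commit it is at when the play runs, so successive runs of this role can ship different code and a single push to that branch reaches production without the pin ever being reviewed. If the intent is to move to a newer release, pin the new tag or commit in `version:`; if tracking the branch is deliberate, say so next to the commented line, `# bewusst ungepinnt, folgt dem Branch-Stand – vor dem nächsten Release wieder pinnen`.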