Commit b50043cb authored by void's avatar void

deployment warpinfra interne instanz, erster entwurf

parent b4ed73da
Showing
with 488 additions and 6 deletions
...@@ -9,11 +9,18 @@ debian_sources: ...@@ -9,11 +9,18 @@ debian_sources:
- "deb http://debian.uni-duisburg-essen.de/debian/ jessie main non-free contrib" - "deb http://debian.uni-duisburg-essen.de/debian/ jessie main non-free contrib"
- "deb http://security.debian.org/ jessie/updates main contrib non-free" - "deb http://security.debian.org/ jessie/updates main contrib non-free"
- "deb http://debian.uni-duisburg-essen.de/debian/ jessie-updates main contrib non-free" - "deb http://debian.uni-duisburg-essen.de/debian/ jessie-updates main contrib non-free"
- "deb https://apt.dockerproject.org/repo debian-jessie main"
- "deb http://http.debian.net/debian wheezy-backports main"
debian_keys: debian_keys:
webserver_domains:
- "infra"
- "infra-test"
administratorenteam: administratorenteam:
- "void" - "void"
- "dray"
- "sandhome" - "sandhome"
- "sandmobil" - "sandmobil"
# - "ennox" (ssh key fehlt noch) # - "ennox" (ssh key fehlt noch)
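Review bot: The added `deb http://http.debian.net/debian wheezy-backports main` line puts a wheezy (oldstable) backports suite on a host whose other sources are all jessie, so apt can prefer wheezy-era builds over jessie ones; if one package needs a backport, `jessie-backports` is the matching suite, and a comment naming that package would make the line reviewable. The `apt.dockerproject.org` source is added to `debian_sources` here while its signing key is only imported by the new docker role; if the `all` role (not part of this diff) refreshes the apt cache from `debian_sources` before that role runs, the first run hits an unsigned-repository error until the key exists, so the key import should precede the source or the source should move into the docker role.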
...@@ -4,11 +4,8 @@ ...@@ -4,11 +4,8 @@
# Interner Server Warpzone # Interner Server Warpzone
# Umgebaute Watchguard im Serverschrank # Umgebaute Watchguard im Serverschrank
# Die KVM Verwaltung erfolgt aktuell noch manuell # https://wiki.warpzone.ms/intern:warpzone_internal_it_infrastructure#host_fuer_interne_dienste_watchguard_xtm_505
warpsrvint ansible_ssh_host=192.168.0.103 warpsrvint ansible_ssh_host=192.168.0.201
# Server für Interne Dienste
# warpsrvint ansible_ssh_host=192.168.0.103
# Öffentlicher Server Warpzone # Öffentlicher Server Warpzone
# Webserver im Rechnzentrum bei myLoc # Webserver im Rechnzentrum bei myLoc
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
- include: all/main.yml - include: all/main.yml
- include: vorstandspi/main.yml - include: vorstandspi/main.yml
- include: warphab/main.yml - include: warphab/main.yml
- include: warpsrvint/main.yml
- include: webserver/main.yml - include: webserver/main.yml
---
- name: add docker repo key
apt_key:
keyserver: "hkp://p80.pool.sks-keyservers.net:80"
id: 58118E89F3A912897C070ADBF76221572C52609D
- name: install deb packages
apt:
pkg: "{{ item }}"
update_cache: yes
state: installed
with_items:
- docker-engine
- python
- python-pip
- name: install pip packages
pip:
name: docker-py
version: 1.7.2
state: present
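Review bot: `state: installed` is the deprecated alias of `present` on the apt module and `update_cache: yes` is a YAML 1.1 truthy; `state: present` and `update_cache: true` are the canonical forms and avoid deprecation warnings on newer Ansible. The repository key is fetched through an unauthenticated `hkp://` keyserver, which is tolerable only because `id` carries the full 40-character fingerprint apt_key imports by; a comment such as `# transport is unauthenticated; the full fingerprint in id decides which key is accepted` records that reasoning for the next reader. Passing the list directly to `pkg:` instead of looping with `with_items` resolves the three packages in one apt transaction.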
---
# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen
# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets
# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden
# Die Daten, die von Slurp gelesen werden sind Base64 codiert
# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden
- name: get secrets from server 1
slurp: src={{ item }}
with_items:
- /srv/ldap/secret/ldap_admin_pass
- /srv/ldap/secret/ldap_readonly_pass
register: ldap_secrets
- name: get secrets from server 2
set_fact:
ldap_admin_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
ldap_readonly_pass: "{{ ldap_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
- name: create folder struct for ldap
file:
path: "/srv/ldap"
state: "directory"
- name: create folder struct for ldap
file:
path: "/srv/ldap/database"
state: "directory"
- name: create folder struct for ldap
file:
path: "/srv/ldap/config"
state: "directory"
- name: start ldap docker
docker_container:
name: ldap-service
image: osixia/openldap:1.1.6
hostname: ldap-service
state: started
restart_policy: always
volumes:
- /srv/ldap/database:/var/lib/ldap
- /srv/ldap/config:/etc/ldap/slapd.d
env:
LDAP_ORGANISATION: Warpzone
LDAP_DOMAIN: warpzone.ms
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_pass }}"
LDAP_READONLY_USER: true
LDAP_READONLY_USER_USERNAME: readonly
LDAP_READONLY_USER_PASSWORD: "{{ ldap_readonly_pass }}"
- name: start phpldapadmin docker
docker_container:
name: phpldapadmin-app
image: osixia/phpldapadmin:0.6.11
state: started
restart_policy: always
env:
PHPLDAPADMIN_LDAP_HOSTS: ldap-host
PHPLDAPADMIN_HTTPS: false
PHPLDAPADMIN_TRUST_PROXY_SSL: true
links:
- ldap-service:ldap-host
ports:
- 127.0.0.1:42004:80
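Review bot: The `set_fact` task (and the slurp task feeding it) decodes the LDAP admin and read-only passwords into facts without `no_log: true`, so they appear in verbose playbook output and in any result logging; add `no_log: true` to both tasks here and to the matching secret tasks in the warpinfra and warpinfratest roles. `LDAP_READONLY_USER: true`, `PHPLDAPADMIN_HTTPS: false` and `PHPLDAPADMIN_TRUST_PROXY_SSL: true` are YAML booleans inside `env:`; docker_container expects string values there (newer versions reject non-strings), so quote them as `"true"` / `"false"`. The header comment still refers to `gitlab_secrets` while the task registers `ldap_secrets`; updating the comment keeps a reader from looking for the wrong variable. Nothing in the role creates `/srv/ldap/secret` or checks its permissions, so it silently depends on those files being provisioned by hand; a comment above the slurp task stating that prerequisite and the expected root-only mode (`0600`) would make the dependency visible. The three `create folder struct for ldap` tasks share one name; a single task looping over the three paths reads better and gives distinct output per path.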
---
# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen
# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets
# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden
# Die Daten, die von Slurp gelesen werden sind Base64 codiert
# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden
- name: get secrets from server 1
slurp: src={{ item }}
with_items:
- /srv/ldap/secret/ldap_admin_pass
- /srv/ldap/secret/ldap_readonly_pass
- /srv/warpinfra/secret/web_secret_key
- /srv/warpinfra/secret/mysql_root_pw
- /srv/warpinfra/secret/mysql_user_pw
register: warpinfra_secrets
- name: get secrets from server 2
set_fact:
ldap_admin_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
ldap_readonly_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
web_secret_key: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/web_secret_key') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
mysql_root_pw: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/mysql_root_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
mysql_user_pw: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/warpinfra/secret/mysql_user_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
- name: create folder struct for warpinfra
file:
path: "/tmp/warpinfra_docker/"
state: "directory"
- name: create folder struct for warpinfra
file:
path: "/srv/warpinfra/etc"
state: "directory"
- name: create folder struct for warpinfra
file:
path: "/srv/warpinfra/data"
state: "directory"
- name: create folder struct for warpinfra
file:
path: "/srv/warpinfra/log"
state: "directory"
- name: Konfig-Datei erstellen
template:
src: "config.ini"
dest: "/srv/warpinfra/etc/config.ini"
- name: clone repo
git:
repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git"
version: "1.1"
dest: "/tmp/warpinfra_docker"
force: "yes"
register: gitclone
- name: clone repo status
debug:
msg: "{{gitclone}}"
# commit id in den Namen des Image einbeziehen
# als tag scheint von docker_image nicht korrekt gesetzt zu werden
- name: build the image
docker_image:
name: "warpinfra-app-{{ gitclone.after }}"
path: /tmp/warpinfra_docker/www/
state: present
- name: start warpinfra-db docker
docker_container:
name: warpinfra-db
image: mariadb:10.1
state: started
interactive: yes
restart_policy: always
volumes:
- /srv/warpinfratest/db/:/var/lib/mysql
env:
MYSQL_DATABASE=warpinfra
MYSQL_USER=warpinfra
MYSQL_PASSWORD={{ mysql_user_pw }}
MYSQL_ROOT_PASSWORD={{ mysql_root_pw }}
- name: start warpinfra docker
docker_container:
name: warpinfra-app
image: "warpinfra-app-{{ gitclone.after }}"
state: started
interactive: yes
restart_policy: always
volumes:
- /tmp/warpinfra:/opt/socket
- /srv/warpinfra/etc:/etc/warpinfra
- /srv/warpinfra/data:/opt/database
- /srv/warpinfra/log:/opt/log
links:
- warpinfra-test-db:mysql
# - ldap-service:ldap
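Review bot: The `env:` block of the `warpinfra-db` container is not a mapping: the four indented `MYSQL_…=…` lines form one multi-line plain scalar to the YAML parser, so docker_container receives a single string rather than four variables, and however that string is coerced the database is not configured as intended; the `warpinfra-test-db` task in the warpinfratest role has the same layout. Write the entries as `KEY: value` pairs, quoting the templated secrets (below). Two values in this role look copied from the test role: the db volume `/srv/warpinfratest/db/` and the app's link `warpinfra-test-db:mysql` would make the production app share storage with, and talk to, the test database, whereas `/srv/warpinfra/db/` and `warpinfra-db:mysql` appear to be intended. The `Konfig-Datei erstellen` template task writes `web_secret_key` and `ldap_admin_pass` into config.ini with no `mode`, so the file gets the default umask; `mode: "0600"` (or `"0640"` with the group the container runs as) keeps other local users from reading it. `interactive: yes` and `force: "yes"` are a YAML 1.1 truthy and a quoted string where a plain boolean is meant; prefer `true`.
```yaml
- name: start warpinfra-db docker
  docker_container:
    # … unchanged: name, image, state, restart_policy, volumes …
    env:
      MYSQL_DATABASE: warpinfra
      MYSQL_USER: warpinfra
      MYSQL_PASSWORD: "{{ mysql_user_pw }}"
      MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}"
```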
[common]
# Possible Apps: warpmain, warpauth, warpfood, warpapi, warppay
APPS = warpmain, warpauth, warppay
[debug]
DEBUG = False
[security]
SECRET_KEY = '{{ web_secret_key }}'
PW_RESET_TOKEN_LIFETIME = 5
ALLOWED_HOSTS = infra.warpzone
[mattermost]
API_KEY = ''
[ldap]
LDAP_HOST = 10.0.20.2
LDAP_BIND_DN = cn=admin,dc=warpzone,dc=ms
LDAP_PASSWORD = {{ ldap_admin_pass }}
LDAP_USER_SEARCH_PATH = ou=users,dc=warpzone,dc=ms
LDAP_GROUP_SEARCH_PATH = dc=warpzone,dc=ms
LDAP_USER_SEARCH_FILTER = (uid=%(user)s)
LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,dc=warpzone,dc=ms
LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms
LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms
[email]
SMTP_ENABLED = False
SMTP_HOST = smtp.warpzone.ms
SMTP_PORT = 25
SMTP_USERNAME = ''
SMTP_PASSWORD = ''
SMTP_EMAIL_FROM = ''
SMTP_USE_TLS = True
SUBJECT_PREFIX = ''
[misc]
LOG_PATH = /opt/log/
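Review bot: `ALLOWED_HOSTS = infra.warpzone` does not match the name nginx serves this instance under, which the nginx-site template builds as `{{ item }}.warpzone.ms` from the `webserver_domains` entry `infra`; if this value feeds Django's `ALLOWED_HOSTS`, every request arriving through nginx is rejected with a 400 until it reads `infra.warpzone.ms` (the test template's `infra-test.warpzone` has the same mismatch). `SECRET_KEY` is written in single quotes while `LDAP_PASSWORD` is bare; with Python's configparser the quotes become part of the value, so unless the application strips them the two secrets are treated differently — use one form for both. The file relies on `%(user)s` interpolation syntax in `LDAP_USER_SEARCH_FILTER`, so a secret containing a literal `%` would break parsing under default interpolation; either escape it in the template (`{{ web_secret_key | replace('%', '%%') }}`) or document next to the slurp task that secrets must not contain `%`. The test template additionally sets `DEBUG = True`; if that is Django's DEBUG, error pages expose settings and request data to anyone who can reach infra-test, so it should stay off unless reachability is limited to trusted networks.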
---
# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen
# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets
# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden
# Die Daten, die von Slurp gelesen werden sind Base64 codiert
# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden
- name: get secrets from server 1
slurp: src={{ item }}
with_items:
- /srv/ldap/secret/ldap_admin_pass
- /srv/ldap/secret/ldap_readonly_pass
- /srv/warpinfratest/secret/web_secret_key
- /srv/warpinfratest/secret/mysql_root_pw
- /srv/warpinfratest/secret/mysql_user_pw
register: warpinfratest_secrets
- name: get secrets from server 2
set_fact:
ldap_admin_pass: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
ldap_readonly_pass: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
web_secret_key: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/web_secret_key') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
mysql_root_pw: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/mysql_root_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
mysql_user_pw: "{{ warpinfratest_secrets.results | selectattr('item', 'equalto', '/srv/warpinfratest/secret/mysql_user_pw') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}"
- name: create folder struct for warpinfratest
file:
path: "/tmp/warpinfratest_docker/"
state: "directory"
- name: create folder struct for warpinfratest
file:
path: "/srv/warpinfratest/etc"
state: "directory"
- name: create folder struct for warpinfratest
file:
path: "/srv/warpinfratest/data"
state: "directory"
- name: create folder struct for warpinfratest
file:
path: "/srv/warpinfratest/log"
state: "directory"
- name: Konfig-Datei erstellen
template:
src: "config.ini"
dest: "/srv/warpinfratest/etc/config.ini"
- name: clone repo
git:
repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git"
dest: "/tmp/warpinfratest_docker"
force: "yes"
register: gitclone
- name: clone repo status
debug:
msg: "{{gitclone}}"
# commit id in den Namen des Image einbeziehen
# als tag scheint von docker_image nicht korrekt gesetzt zu werden
- name: build the image
docker_image:
name: "warpinfra-test-{{ gitclone.after }}"
path: /tmp/warpinfratest_docker/www/
state: present
- name: start warpinfratest-db docker
docker_container:
name: warpinfra-test-db
image: mariadb:10.1
state: started
interactive: yes
restart_policy: always
volumes:
- /srv/warpinfratest/db/:/var/lib/mysql
env:
MYSQL_DATABASE=warpinfra
MYSQL_USER=warpinfra
MYSQL_PASSWORD={{ mysql_user_pw }}
MYSQL_ROOT_PASSWORD={{ mysql_root_pw }}
- name: start warpinfratest-app docker
docker_container:
name: warpinfra-test
image: "warpinfra-test-{{ gitclone.after }}"
state: started
interactive: yes
restart_policy: always
volumes:
- /tmp/warpinfratest:/opt/socket
- /srv/warpinfratest/etc:/etc/warpinfra
- /srv/warpinfratest/data:/opt/database
- /srv/warpinfratest/log:/opt/log
links:
- warpinfra-test-db:mysql
# - ldap-service:ldap
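Review bot: The `clone repo` task carries no `version`, so every run of this role rebuilds and redeploys whatever is at the default-branch head of warpinfra.git; for a test instance that may be wanted, but the intent should be stated in a comment above the task, e.g. `# no version pin on purpose: the test instance tracks the branch head`. Each run also leaves the previous `warpinfra-test-<commit>` image behind, since nothing removes images for commits no longer deployed; a `docker_image` task with `state: absent` for `warpinfra-test-{{ gitclone.before }}` when `gitclone.changed`, or periodic pruning, keeps the host's disk from filling. The `debug` task that prints the whole `gitclone` result is noise once the role works; gating it on verbosity (`when: ansible_verbosity > 1`) keeps normal runs readable.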
[common]
# Possible Apps: warpmain, warpauth, warpfood, warpapi, warppay
APPS = warpmain, warpauth, warppay
[debug]
DEBUG = True
[security]
SECRET_KEY = '{{ web_secret_key }}'
PW_RESET_TOKEN_LIFETIME = 5
ALLOWED_HOSTS = infra-test.warpzone
[mattermost]
API_KEY = ''
[ldap]
LDAP_HOST = 10.0.20.2
LDAP_BIND_DN = cn=admin,dc=warpzone,dc=ms
LDAP_PASSWORD = {{ ldap_admin_pass }}
LDAP_USER_SEARCH_PATH = ou=users,dc=warpzone,dc=ms
LDAP_GROUP_SEARCH_PATH = dc=warpzone,dc=ms
LDAP_USER_SEARCH_FILTER = (uid=%(user)s)
LDAP_GROUP_IS_ACTIVE = cn=active,ou=groups,dc=warpzone,dc=ms
LDAP_GROUP_IS_STAFF = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms
LDAP_GROUP_SUPERUSER = cn=warpauth-admin,ou=infrastructure,dc=warpzone,dc=ms
[email]
SMTP_ENABLED = False
SMTP_HOST = smtp.warpzone.ms
SMTP_PORT = 25
SMTP_USERNAME = ''
SMTP_PASSWORD = ''
SMTP_EMAIL_FROM = ''
SMTP_USE_TLS = True
SUBJECT_PREFIX = '[TEST] '
[misc]
LOG_PATH = /opt/log/
---
- hosts: warpsrvint
remote_user: root
roles:
- { role: nginx, tags: nginx }
- { role: docker, tags: docker }
# - { role: docker_ldap, tags: ldap }
- { role: docker_warpinfra, tags: warpinfra }
- { role: docker_warpinfratest, tags: warpinfratest }
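Review bot: `remote_user: root` logs in as root over SSH for every role on this host; a dedicated unprivileged deploy user with `become: true` on the tasks that need it limits what a leaked key can do and gives a per-user audit trail, in line with the individual keys listed under `administratorenteam`. The `docker_ldap` role is commented out while both config.ini templates point `LDAP_HOST` at `10.0.20.2` and the app containers keep a commented `ldap-service:ldap` link; a comment stating that LDAP is intentionally served from another host for now would explain the half-wired state.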
---
- name: restart nginx
service: name=nginx state=restarted
location /static {
alias /tmp/warpinfra/static; # your Django project's static files - amend as required
}
location / {
uwsgi_pass unix:///tmp/warpinfra/warpinfra.sock;
include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
}
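Review bot: `alias /tmp/warpinfra/static` serves static files from a world-writable, cleaner-managed directory, and the app socket lives there too (`/tmp/warpinfra/warpinfra.sock`, mounted via the role's `/tmp/warpinfra:/opt/socket` volume); unless `/tmp/warpinfra` is created ahead of time with restrictive ownership, a local user can create it first and control what `/static` serves, and tmp cleanup can remove the socket directory. Moving both under `/srv/warpinfra/` (e.g. `/srv/warpinfra/static` and `/srv/warpinfra/run`) with root-owned, non-world-writable directories created by the role addresses both; the infra-test include has the same layout under `/tmp/warpinfratest`. The `uwsgi_pass unix:///…` spelling with three slashes works, but `unix:/tmp/…` is the documented form.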
location /static {
alias /tmp/warpinfratest/static; # your Django project's static files - amend as required
}
location / {
uwsgi_pass unix:///tmp/warpinfratest/warpinfra.sock;
include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
}
# Pakete installieren
- name: nginx installieren
apt:
pkg: "{{ item }}"
update_cache: yes
state: installed
with_items:
- nginx
- git
- name: nginx default Konfig entfernen
file:
path: /etc/nginx/sites-enabled/default
state: absent
# nginx konfigurieren
- name: Konfig-Datei default erstellen
template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone
with_items: webserver_domains
notify: restart nginx
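Review bot: `with_items: webserver_domains` passes a bare variable name, a form deprecated since Ansible 2.0 and rejected by later releases; write `with_items: "{{ webserver_domains }}"`. The destination `sites-enabled/{{ item }}.wapzone` misspells warpzone; nginx loads every file in sites-enabled so it still works, but the name will confuse anyone grepping the host. `state: installed` is the deprecated alias for `present`, and `update_cache: yes` should be `true`, as in the docker role.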
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
# listen 443 ssl spdy;
# listen [::]:443 ssl spdy;
# ssl_certificate /etc/ssl/fullchain.pem;
# ssl_certificate_key /etc/ssl/key.pem;
# ssl_session_cache shared:SSL:5m;
# ssl_session_timeout 5m;
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
# ssl_prefer_server_ciphers on;
server_name {{ item }}.warpzone.ms;
root /dev/null;
index index.html;
location /.well-known/ {
root /var/www/html/;
}
{% include "includes/" + item ignore missing %}
}
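Review bot: The server block listens on plain HTTP only, so the infra app's logins and password-reset tokens cross the network in the clear; for an internal instance that may be an accepted trade-off, but it should be recorded in a comment above `listen 80;`, especially since the `.well-known/` location suggests ACME was planned. When the commented TLS block is revived, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `spdy` are out of date: `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the nginx build supports it) and `http2` instead of `spdy` are the current baseline, and the HSTS header should be enabled only once every site behind the name is served over TLS. `root /dev/null;` with `index index.html;` is harmless but puzzling; a comment saying that nothing outside the includes is meant to be served would help.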
...@@ -51,7 +51,7 @@ ...@@ -51,7 +51,7 @@
- name: clone repo - name: clone repo
git: git:
repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git" repo: "https://gitlab.warpzone.ms/infrastruktur/warpinfra.git"
version: "1.1" # version: "1.1"
dest: "/tmp/warpinfra_docker" dest: "/tmp/warpinfra_docker"
force: "yes" force: "yes"
register: gitclone register: gitclone
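Review bot: Commenting out `version: "1.1"` makes this deployment track the default-branch head of warpinfra.git, so every playbook run can pull and build commits nobody has reviewed for this host; if pinning to a tag is abandoned, a comment stating why and which branch is expected should replace the commented line, e.g. `# deliberately unpinned: tracks the default branch until the next release tag`. The task is the only change in this hunk; the enclosing role file (its name is not shown on this page) is otherwise unchanged.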