diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml new file mode 100755 index 0000000..9c4b506 --- /dev/null +++ b/ansible/group_vars/all.yml @@ -0,0 +1,9 @@ +--- +api_domain: api2.gempir.com +email: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65373739353434323038366266343639376262633166356330336339396664326264343334633864 + 6164633261343062623666613536343265663038343330360a313637663739343464396133366565 + 35666538386231343533333231646131383734663834663039636235313237636366343535376366 + 3438353430666537630a323338663565366439353163646435633738653563393330613064363163 + 66356363623063373532626262343361663933623132653162633034396131623038 \ No newline at end of file diff --git a/ansible/hosts b/ansible/hosts new file mode 100755 index 0000000..3ebe9b6 --- /dev/null +++ b/ansible/hosts @@ -0,0 +1,2 @@ +[main] +apollo.gempir.com \ No newline at end of file diff --git a/ansible/playbook.retry b/ansible/playbook.retry new file mode 100755 index 0000000..3112ecd --- /dev/null +++ b/ansible/playbook.retry @@ -0,0 +1 @@ +eros.logs.tv diff --git a/ansible/playbook.yml b/ansible/playbook.yml new file mode 100755 index 0000000..137c83b --- /dev/null +++ b/ansible/playbook.yml @@ -0,0 +1,18 @@ +--- +- name: Provision hosts for logstv + hosts: all + remote_user: root + + roles: + - {role: 'common', tags: ['common']} + - {role: 'geerlingguy.docker', tags: ['docker']} + - {role: 'traefik', tags: ['traefik']} + - {role: 'portainer', tags: ['portainer']} + - {role: 'bot', tags: ['bot']} + + handlers: + - name: restart ufw + service: name=ufw state=restarted + + - name: Reload systemd daemon + command: systemctl daemon-reload \ No newline at end of file diff --git a/ansible/roles/bot/tasks/main.yml b/ansible/roles/bot/tasks/main.yml new file mode 100755 index 0000000..2f2e532 --- /dev/null +++ b/ansible/roles/bot/tasks/main.yml 
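Review bot: The file is committed with `new file mode 100755`, which makes a YAML variables file executable for no reason; commit it as `100644` (`chmod -x ansible/group_vars/all.yml`), and the same applies to the other Ansible files added in this commit. Keeping `email` as an inline `!vault` value is fine, but nothing tells the next maintainer how to edit it; a comment such as `# ansible-vault encrypted; edit with: ansible-vault edit group_vars/all.yml` above `email:` would help.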
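Review bot: `playbook.retry` is a run artifact Ansible writes after a failed play, not source, and it should not be committed; it also names `eros.logs.tv`, a host that does not appear in the `ansible/hosts` inventory added in this same commit, so it is stale as well. Delete the file and add `*.retry` to `.gitignore`, or disable retry files with `retry_files_enabled = False` in `ansible.cfg`.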
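Review bot: `remote_user: root` makes every role run over a direct root SSH login, which requires `PermitRootLogin yes` on the hosts and loses the per-user audit trail; prefer a named unprivileged user with play-level escalation (`remote_user: deploy` plus `become: true`), which also makes the lone `become: true` in the common role consistent with the rest. The `Reload systemd daemon` handler shells out via `command: systemctl daemon-reload`; the `systemd` module does this idempotently (`systemd: daemon_reload: true`). `geerlingguy.docker` is pulled from Galaxy and no `requirements.yml` pinning a version is visible in this diff, so the role that installs Docker is unpinned supply-chain input — pin it (`version:` in `requirements.yml`) if that is not already done elsewhere.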
@@ -0,0 +1,16 @@ +--- +- name: create directory + file: + path: /var/twitch_logs + state: directory + owner: root + group: docker + mode: 0740 + +- name: create channels file + template: + src: templates/channels.j2 + dest: /var/logstv_channels + owner: root + group: docker + mode: 0640 \ No newline at end of file diff --git a/ansible/roles/bot/templates/channels.j2 b/ansible/roles/bot/templates/channels.j2 new file mode 100755 index 0000000..3f8f538 --- /dev/null +++ b/ansible/roles/bot/templates/channels.j2 @@ -0,0 +1,5 @@ +gempir +pajlada +forsen +nymn +nani \ No newline at end of file diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml new file mode 100755 index 0000000..4fc6775 --- /dev/null +++ b/ansible/roles/common/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: update and upgrade apt packages + become: true + apt: + upgrade: yes + update_cache: yes + cache_valid_time: 86400 #One day + +- name: install apt-transport-https + apt: name=apt-transport-https state=present + +- name: install htop + apt: name=htop state=present + +- name: install ufw firewall + include: ufw.yml diff --git a/ansible/roles/common/tasks/ufw.yml b/ansible/roles/common/tasks/ufw.yml new file mode 100755 index 0000000..b4a2b21 --- /dev/null +++ b/ansible/roles/common/tasks/ufw.yml 
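Review bot: `mode: 0740` on the `/var/twitch_logs` directory gives group `docker` read but no execute permission; without the directory execute bit group members can list names but cannot open, stat or create anything inside it, so the group grant is ineffective — `mode: "0750"` (or `"0770"` if containers write there) is presumably what was intended. Quoting the mode also avoids relying on YAML's octal parsing of the bare `0740`. Note that membership in the `docker` group is root-equivalent on the host, so restricting these files to that group protects them only from other local users; a comment saying so (`# docker group == root-equivalent; this only hides logs from other users`) would help the next reader.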
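Review bot: `include: ufw.yml` uses the bare `include` form, deprecated since Ansible 2.4 and removed in recent ansible-core; use `import_tasks: ufw.yml` (static) or `include_tasks`. Only the first task carries `become: true` while the others rely on the play's root login, and the file mixes block-style module args with `key=value` strings (`apt: name=htop state=present`); pick block style and `true`/`false` (`upgrade: true`, not `yes`) throughout. `upgrade: yes` with `update_cache` performs a full package upgrade on every run once the cache is a day old but never reboots for kernel updates — if that is deliberate, say so with `# full upgrade on each run; reboots are not handled here`.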
@@ -0,0 +1,28 @@ +--- +- name: Install ufw + apt: package=ufw state=present + +- name: Configure ufw defaults + ufw: direction={{ item.direction }} policy={{ item.policy }} + with_items: + - { direction: 'incoming', policy: 'deny' } + - { direction: 'outgoing', policy: 'allow' } + notify: + - restart ufw + +- name: Configure ufw rules + ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }} + with_items: + - { rule: 'limit', port: '{{ ssh_port | default("22") }}', proto: 'tcp' } + - { rule: 'allow', port: '80', proto: 'tcp' } + - { rule: 'allow', port: '443', proto: 'tcp' } + notify: + - restart ufw + +- name: Enable ufw logging + ufw: logging=on + notify: + - restart ufw + +- name: Enable ufw + ufw: state=enabled \ No newline at end of file diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..dcdebb4 --- /dev/null +++ b/ansible/roles/nginx/tasks/main.yml 
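Review bot: The default-deny incoming policy does not cover ports published by Docker containers: Docker inserts its own DNAT and `DOCKER` forward rules ahead of ufw's, and forwarded traffic to a container never traverses the INPUT chain, so any container the later portainer/traefik roles start with a port published on `0.0.0.0` (their configs are not in this diff) is reachable from the internet regardless of this file. Either bind published ports to loopback (`-p 127.0.0.1:9000:9000`) and front them with Traefik, or add explicit rules to the `DOCKER-USER` chain; a comment at the top of this file should state which approach is taken so readers do not assume ufw protects containers. The `limit` rule on `{{ ssh_port | default("22") }}` is good, but if `ssh_port` is ever changed the new port must be opened before sshd is reconfigured or the run locks itself out — worth a `# keep in sync with sshd_config Port` note. Ordering is safe for a first run, since `state=enabled` comes last and the SSH rule is already applied by then.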
@@ -0,0 +1,52 @@ +--- + - name: Upgrade system + apt: upgrade=dist update_cache=yes + + - name: Install nginx + apt: name=nginx state=latest + + - name: install letsencrypt + apt: name=letsencrypt state=latest + + - name: create letsencrypt directory + file: name=/var/www/letsencrypt state=directory + + - name: Remove default nginx config + file: name=/etc/nginx/sites-enabled/default state=absent + + - name: Install system nginx config + template: + src: templates/nginx.conf.j2 + dest: /etc/nginx/nginx.conf + + - name: Install nginx site for api + template: + src: templates/api.j2 + dest: /etc/nginx/sites-enabled/api + + - name: Reload nginx to activate letsencrypt site + service: name=nginx state=restarted + + - name: Create letsencrypt certificate + shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ api_domain }} --agree-tos -d {{ api_domain }} + args: + creates: /etc/letsencrypt/live/{{ api_domain }} + + - name: Generate dhparams + shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048 + args: + creates: /etc/nginx/dhparams.pem + + - name: Install nginx site for api + template: + src: templates/api.le.j2 + dest: /etc/nginx/sites-enabled/api_le + + - name: Reload nginx to activate specified site + service: name=nginx state=restarted + + - name: Add letsencrypt cronjob for cert renewal + cron: + name: letsencrypt_renewal + special_time: weekly + job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ email }} --agree-tos -d {{ api_domain }} && service nginx reload diff --git a/ansible/roles/nginx/templates/api.j2 b/ansible/roles/nginx/templates/api.j2 new file mode 100644 index 0000000..234b064 --- /dev/null +++ b/ansible/roles/nginx/templates/api.j2 
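Review bot: The `Create letsencrypt certificate` task passes `-m {{ api_domain }}` where the ACME registration email belongs, while the renewal cron below passes `-m {{ email }}`; the first run therefore registers the account with the domain name as its contact and the two commands disagree — change it to `-m {{ email }}`. The cron job's `letsencrypt --renew certonly …` is not the documented way to renew and likely does not parse; the `renew` subcommand (`letsencrypt renew -n --webroot -w /var/www/letsencrypt && service nginx reload`) renews every certificate under `/etc/letsencrypt/live` only when it is near expiry. Two tasks share the name `Install nginx site for api`, and this role is not listed in `playbook.yml` (which uses `traefik`), so it is presumably unused — if so, say so in a header comment or drop it rather than ship a second, divergent TLS stack.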
@@ -0,0 +1,15 @@ +server_tokens off; + +server { + listen 80 default_server; + server_name {{ api_domain }}; + + location /.well-known/acme-challenge { + root /var/www/letsencrypt; + try_files $uri $uri/ =404; + } + + location / { + rewrite ^ https://$host$request_uri? permanent; + } +} \ No newline at end of file diff --git a/ansible/roles/nginx/templates/api.le.j2 b/ansible/roles/nginx/templates/api.le.j2 new file mode 100644 index 0000000..86d2446 --- /dev/null +++ b/ansible/roles/nginx/templates/api.le.j2 @@ -0,0 +1,21 @@ +server { + listen 443 ssl default deferred; + server_name {{ api_domain }}; + + ssl on; + ssl_certificate /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ api_domain }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_dhparam /etc/nginx/dhparams.pem; + + location / { + proxy_pass http://127.0.0.1:8010; + } +} \ No newline at end of file diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 new file mode 100644 index 0000000..6784a69 --- /dev/null +++ b/ansible/roles/nginx/templates/nginx.conf.j2 
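Review bot: The HTTP-to-HTTPS redirect uses `$host`, which is taken from the client's Host header, and because this server block is `default_server` it answers for any Host; a request with a forged Host header is therefore redirected to an attacker-chosen hostname (an open redirect that can also poison caches or proxies in front of it). Use the configured name instead: `return 301 https://{{ api_domain }}$request_uri;`. `server_tokens off;` at the top of a sites-enabled file applies to the whole `http` context it is included into, so it belongs in `nginx.conf.j2` next to the other http-level settings rather than hidden in one site file.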
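Review bot: The cipher list keeps 3DES (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the non-forward-secret static-RSA suites (`AES256-SHA` through `AES128-GCM-SHA256`); the trailing `!DES` excludes single DES only, not 3DES, so 3DES remains negotiable (SWEET32). Replace the list with ECDHE AEAD suites and an explicit exclusion, e.g. `ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:!aNULL:!eNULL:!3DES:!MD5:!RC4";`. `ssl on;` is deprecated and redundant with `listen 443 ssl`, and the block sends no `Strict-Transport-Security` header, so the redirect in `api.j2` is the only thing steering clients to TLS — add `add_header Strict-Transport-Security "max-age=31536000" always;`. The `proxy_pass` to `127.0.0.1:8010` sets no `X-Forwarded-For`/`X-Forwarded-Proto` headers, so the backend cannot tell the client address or that the request arrived over TLS.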
@@ -0,0 +1,35 @@ +user www-data; +worker_processes 4; +pid /run/nginx.pid; + +events { + worker_connections 2000; +} + +http { + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + proxy_connect_timeout 600; + proxy_send_timeout 600; + proxy_read_timeout 600; + send_timeout 600; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + gzip on; + gzip_disable "msie6"; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} \ No newline at end of file
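Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated (RFC 8996) and rejected by current baselines; set `ssl_protocols TLSv1.2;` and add `TLSv1.3` if the nginx/OpenSSL on the host supports it. Consider `ssl_session_tickets off;` alongside the session cache: nginx only regenerates its ticket key on restart, so a long-running worker hands out tickets protected by a single long-lived key, weakening forward secrecy across sessions. `worker_processes 4;` hard-codes a core count the inventory cannot guarantee; `worker_processes auto;` is the usual choice.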