From 2757932b80f9596784f9ac472db9b7e3868b060a Mon Sep 17 00:00:00 2001 
From: Krystof Beuermann Date: Sun, 20 Oct 2019 16:08:35 +0200 Subject: [PATCH] add ansible --- .../hispanico.nginx-revproxy/.travis.yml | 46 ++ .../hispanico.nginx-revproxy/LICENSE | 674 ++++++++++++++++++ .../hispanico.nginx-revproxy/README.md | 90 +++ .../defaults/main.yml | 14 + .../handlers/main.yml | 15 + .../meta/.galaxy_install_info | 2 + .../hispanico.nginx-revproxy/meta/main.yml | 23 + .../tasks/letsencrypt.yml | 97 +++ .../hispanico.nginx-revproxy/tasks/main.yml | 171 +++++ .../templates/reverseproxy.conf.j2 | 56 ++ .../templates/reverseproxy_ssl.conf.j2 | 103 +++ .../reverseproxy_ssl_letsencrypt.conf.j2 | 71 ++ .../hispanico.nginx-revproxy/tests/inventory | 1 + .../hispanico.nginx-revproxy/tests/test.yml | 6 + .../hispanico.nginx-revproxy/vars/main.yml | 2 + .ansible/.vault_pass.txt | 6 + .ansible/ansible.cfg | 5 + .ansible/apps/build/Dockerfile | 67 ++ .ansible/apps/build/build.yml | 36 + .ansible/apps/build/inventory | 8 + .ansible/apps/build/inventory-ci | 8 + .ansible/apps/build/update-docker-image.yml | 15 + .../prepare_server/initial_server_setup.yml | 79 ++ .ansible/apps/prepare_server/inventory | 8 + .ansible/apps/prepare_server/nginx_setup.yml | 13 + .ansible/apps/production/deploy.yml | 28 + .../production/host_vars/wetter.krystof.eu | 36 + .ansible/apps/production/inventory | 7 + .ansible/apps/production/inventory-ci | 8 + .ansible/roles/build_app/0.0.1/tasks/main.yml | 56 ++ .../0.0.1/templates/prod.secret.exs.j2 | 19 + .../roles/deploy_app/0.0.1/handlers/main.yml | 3 + .../roles/deploy_app/0.0.1/tasks/main.yml | 42 ++ .../roles/docker_setup/0.0.1/tasks/main.yml | 14 + .circleci/config.yml | 42 ++ README.md | 26 +- config/prod.exs | 77 +- mix.exs | 1 - rel/config.exs | 57 -- rel/plugins/.gitignore | 3 - rel/vm.args | 30 - 41 files changed, 1925 insertions(+), 140 deletions(-) create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/.travis.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/LICENSE create 
mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/README.md create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/defaults/main.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/handlers/main.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/.galaxy_install_info create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/main.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/main.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy.conf.j2 create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl.conf.j2 create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl_letsencrypt.conf.j2 create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/inventory create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/test.yml create mode 100644 .ansible/.downloaded_roles/hispanico.nginx-revproxy/vars/main.yml create mode 100644 .ansible/.vault_pass.txt create mode 100644 .ansible/ansible.cfg create mode 100644 .ansible/apps/build/Dockerfile create mode 100644 .ansible/apps/build/build.yml create mode 100644 .ansible/apps/build/inventory create mode 100644 .ansible/apps/build/inventory-ci create mode 100644 .ansible/apps/build/update-docker-image.yml create mode 100644 .ansible/apps/prepare_server/initial_server_setup.yml create mode 100644 .ansible/apps/prepare_server/inventory create mode 100644 .ansible/apps/prepare_server/nginx_setup.yml create mode 100644 .ansible/apps/production/deploy.yml create mode 100644 .ansible/apps/production/host_vars/wetter.krystof.eu create mode 100644 .ansible/apps/production/inventory create mode 100644 .ansible/apps/production/inventory-ci create mode 100644 
.ansible/roles/build_app/0.0.1/tasks/main.yml create mode 100644 .ansible/roles/build_app/0.0.1/templates/prod.secret.exs.j2 create mode 100644 .ansible/roles/deploy_app/0.0.1/handlers/main.yml create mode 100644 .ansible/roles/deploy_app/0.0.1/tasks/main.yml create mode 100644 .ansible/roles/docker_setup/0.0.1/tasks/main.yml create mode 100644 .circleci/config.yml delete mode 100644 rel/config.exs delete mode 100644 rel/plugins/.gitignore delete mode 100644 rel/vm.args
diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/.travis.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/.travis.yml
new file mode 100644
index 0000000..cb2c270
--- /dev/null
+++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/.travis.yml
@@ -0,0 +1,46 @@
+---
+language: python
+python: "2.7"
+
+sudo: required
+dist: xenial
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+ # Run the role/playbook with ansible-playbook
+ - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
+
+ # Run the role/playbook again, checking to make sure it's idempotent
+ - >
+ ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
+ | grep -q 'changed=0.*failed=0'
+ && (echo 'Idempotence test: pass' && exit 0)
+ || (echo 'Idempotence test: fail' && exit 1)
+
+ # Check for role is done
+ - sudo service nginx status
+ - sudo netstat -ntulp |grep nginx
+ - sudo ls /etc/nginx/sites-enabled/
+ - for i in $(sudo ls /etc/nginx/sites-enabled/); do echo $i;echo "------------------------------"; sudo cat /etc/nginx/sites-enabled/$i; echo "------------------------------";echo ""; done
+
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/LICENSE b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/LICENSE
new file mode 100644
index 0000000..92c8504
--- /dev/null
+++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/LICENSE
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + ansible-nginx-revproxy + Copyright (C) 2017 Hispanico + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + ansible-nginx-revproxy Copyright (C) 2017 Hispanico + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. 
diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/README.md b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/README.md new file mode 100644 index 0000000..a8c68f8 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/README.md 
@@ -0,0 +1,90 @@ +ansible-nginx-revproxy +========= + +[![Build Status](https://img.shields.io/travis/hispanico/ansible-nginx-revproxy.svg?style=flat-square)](https://travis-ci.org/hispanico/ansible-nginx-revproxy) +[![Galaxy](https://img.shields.io/badge/galaxy-hispanico.nginx--revproxy-blue.svg?style=flat-square)](https://galaxy.ansible.com/hispanico/nginx-revproxy/) + +Install and configures Nginx as reverse proxy for multiple website. + +Requirements +------------ + +This role requires Ansible 2.4 or higher. + +Role Variables +-------------- + +Default values: + +```yaml +nginx_revproxy_sites: # List of sites to reverse proxy + default: # Set defualt site to return 444 (Connection Closed Without Response) + ssl: false # Set to True if you want to redirect http to https + letsencrypt: false + + example.com: # Domain name + domains: # List of server_name aliases + - example.com + - www.example.com + upstreams: # List of Upstreams + - { backend_address: 192.168.0.100, backend_port: 80 } + - { backend_address: 192.168.0.101, backend_port: 8080 } + auth: # Define this block for a single HTTP user/password, or leave undefined for unauthenticated vhosts + login: myusername + password: mysecretpassword + listen: 9000 # Specify which port you want to listen to with clear HTTP, or leave undefined for 80 + ssl: false # Set to True if you want to redirect http to https + letsencrypt: false # Set to True if you are using hispanico.letsencrypt-nginx-revproxy role + + example.org: # Domain name + domains: # List of server_name aliases + - example.org + - www.example.org + upstreams: # List of Upstreams + - { backend_address: 192.168.0.200, backend_port: 80 } + - { backend_address: 192.168.0.201, backend_port: 8080 } + listen: 9000 # Specify which port you want to listen to with clear HTTP, or leave undefined for 80 + listen_ssl: 9001 # Specify which port you want to listen to with HTTPS, or leave undefined for 443 + ssl: true # Set to True if you want to redirect http to 
https + letsencrypt: false # Set to True if you want use letsencrypt + letsencrypt_email: "" # Set email for letencrypt cert +``` + +Dependencies +------------ + +None. + +Example Playbook +---------------- + +```yaml + - hosts: all + roles: + - ansible-nginx-revproxy + vars: + nginx_revproxy_sites: + default: + ssl: false + letsencrypt: false + + example.com: + domains: + - example.com + - www.example.com + upstreams: + - { backend_address: 192.168.0.100, backend_port: 80 } + - { backend_address: 192.168.0.101, backend_port: 80 } + ssl: true + letsencrypt: false +``` + +License +------- + +Licensed under the GPLv3 License. See the LICENSE file for details. + +Author Information +------------------ + +Hispanico diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/defaults/main.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/defaults/main.yml new file mode 100644 index 0000000..17eb814 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/defaults/main.yml @@ -0,0 +1,14 @@ +--- + +nginx_revproxy_sites: # List of sites to reverse proxy + example.com: # Domain name + domains: # List of server_name aliases + - example.com + - www.example.com + upstreams: # List of Upstreams + - { backend_address: 192.168.0.100, backend_port: 80 } + - { backend_address: 192.168.0.101, backend_port: 8080 } + ssl: true # Set to True if you want to redirect http to https + hsts_max_age: 63072000 # Set HSTS header with max-age defined + letsencrypt: false # Set to True if you want use letsencrypt + letsencrypt_email: "" # Set email for letencrypt cert diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/handlers/main.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/handlers/main.yml new file mode 100644 index 0000000..65d59df --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/handlers/main.yml 
@@ -0,0 +1,15 @@ +--- +- name: Start Nginx + service: + name: nginx + state: started + +- name: Reload Nginx + service: + name: nginx + state: reloaded + +- name: Restart Nginx + service: + name: nginx + state: restarted diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/.galaxy_install_info b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/.galaxy_install_info new file mode 100644 index 0000000..ff2c637 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Sat Oct 19 07:58:59 2019 +version: v1.1.4 diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/main.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/main.yml new file mode 100644 index 0000000..dedd1ba --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/meta/main.yml @@ -0,0 +1,23 @@ +galaxy_info: + author: Hispanico + description: Manage Nginx as Reverse Proxy + license: GPLv3 + + min_ansible_version: 2.4 + + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + + galaxy_tags: + - development + - web + - nginx + - reverse + - proxy + - load + - balancer + +dependencies: [] diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml new file mode 100644 index 0000000..b627991 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml 
@@ -0,0 +1,97 @@ +--- +- name: Install certbot + get_url: + url: https://dl.eff.org/certbot-auto + dest: /usr/bin/certbot-auto + mode: "a+x" + tags: + - lesencrypt + - nginxrevproxy + +- name: Get Active Sites + command: ls -1 /etc/nginx/sites-enabled/ + changed_when: "active.stdout_lines != nginx_revproxy_sites.keys()|sort()" + check_mode: no + register: active + tags: + - lesencrypt + - nginxrevproxy + +- name: Enable sites for ACME protocol + block: + - name: Add Https Site Config + template: + src: reverseproxy_ssl.conf.j2 + dest: /etc/nginx/sites-available/{{ item.key }}.conf + owner: root + group: root + with_dict: "{{ nginx_revproxy_sites }}" + register: siteconfig + when: + - item.value.letsencrypt | default(False) + - item.key not in active.stdout_lines + + - name: Enable Site Config + file: + src: /etc/nginx/sites-available/{{ item.key }}.conf + dest: /etc/nginx/sites-enabled/{{ item.key }} + state: link + with_dict: "{{ nginx_revproxy_sites }}" + register: site_enabled + when: + - siteconfig is success + - not ansible_check_mode + - item.value.letsencrypt | default(False) + - item.key not in active.stdout_lines + + - name: Reload Nginx + service: + name: nginx + state: reloaded + when: + - site_enabled is success + when: + - active.changed + - nginxinstalled is success + tags: + - lesencrypt + - nginxrevproxy + +- name: Generate certs (first time) + command: | + certbot-auto certonly + --webroot -w /var/www/{{ item.key }} + -d {{ item.value.domains | join(' -d ') }} + --email {{ item.value.letsencrypt_email }} + --non-interactive --cert-name {{ item.key }} + --agree-tos creates=/etc/letsencrypt/live/{{ item.key }}/fullchain.pem + with_dict: "{{ nginx_revproxy_sites }}" + when: item.value.letsencrypt | default(False) + tags: + - lesencrypt + - nginxrevproxy + +- name: Update Site Config + template: + src: reverseproxy_ssl_letsencrypt.conf.j2 + dest: /etc/nginx/sites-available/{{ item.key }}.conf + owner: root + group: root + with_dict: "{{ 
nginx_revproxy_sites }}" + notify: Reload Nginx + when: + - item.value.letsencrypt | default(False) + tags: + - lesencrypt + - nginxrevproxy + +- name: Insert cert-bot renew in crontab + cron: + name: "cert-bot renew" + job: 'certbot-auto renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-update.log 2>&1' + hour: "3" + minute: "30" + weekday: "1" + tags: + - lesencrypt + - nginxrevproxy diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/main.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/main.yml new file mode 100644 index 0000000..5dc436e --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tasks/main.yml 
@@ -0,0 +1,171 @@ +--- + +- name: Install Nginx + apt: + name: nginx + state: present + register: + nginxinstalled + tags: + - nginxrevproxy + - packages + +- name: Install ssl-cert + apt: + name: ssl-cert + state: present + tags: + - nginxrevproxy + - packages + +- name: Install python-passlib for Python 3 hosts + apt: + name: + - "python3-passlib" + state: present + tags: + - nginxrevproxy + - packages + when: + - ansible_python['version']['major'] == 3 + +- name: Install python-passlib for Python 2 hosts + apt: + name: + - "python-passlib" + state: present + tags: + - nginxrevproxy + - packages + when: + - ansible_python['version']['major'] == 2 + +- name: Add authentication + htpasswd: + path: "/etc/nginx/{{ item.key }}_htpasswd" + name: "{{ item.value.auth.login }}" + password: "{{ item.value.auth.password }}" + with_dict: "{{ nginx_revproxy_sites }}" + when: + - nginxinstalled is success + - item.value.auth is defined + tags: + - nginxrevproxy + +- name: Add Site Config + template: + src: reverseproxy.conf.j2 + dest: /etc/nginx/sites-available/{{ item.key }}.conf + owner: root + group: root + with_dict: "{{ nginx_revproxy_sites }}" + register: + siteconfig + when: + - nginxinstalled is success + - not item.value.ssl | default(True) + - not item.value.letsencrypt | default(True) + tags: + - nginxrevproxy + +- name: Add Https Site Config + template: + src: reverseproxy_ssl.conf.j2 + dest: /etc/nginx/sites-available/{{ item.key }}.conf + owner: root + group: root + with_dict: "{{ nginx_revproxy_sites }}" + register: + siteconfig + when: + - nginxinstalled is success + - item.value.ssl | default(False) + - not item.value.letsencrypt | default(True) + tags: + - nginxrevproxy + +- name: Get Active Sites + command: ls -1 /etc/nginx/sites-enabled/ + changed_when: "active.stdout_lines != nginx_revproxy_sites.keys()|sort()" + check_mode: no + register: active + tags: + - nginxrevproxy + +- name: De-activate Sites + file: + path: /etc/nginx/sites-enabled/{{ item }} + 
state: absent + with_items: "{{ active.stdout_lines }}" + notify: Reload Nginx + when: + - item not in nginx_revproxy_sites + tags: + - nginxrevproxy + +- name: Enable Site Config + file: + src: /etc/nginx/sites-available/{{ item.key }}.conf + dest: /etc/nginx/sites-enabled/{{ item.key }} + state: link + with_dict: "{{ nginx_revproxy_sites }}" + notify: Reload Nginx + when: + - siteconfig is success + - not item.value.letsencrypt | default(True) + - not ansible_check_mode + tags: + - nginxrevproxy + +- name: Create WebRoot sites + file: + dest: /var/www/{{ item.key }}/.well-known + mode: 0775 + state: directory + owner: www-data + group: www-data + with_dict: "{{ nginx_revproxy_sites }}" + notify: Reload Nginx + when: + - nginxinstalled is success + tags: + - nginxrevproxy + +- name: WebRoot Permissions Sites + file: + dest: /var/www/{{ item.key }} + mode: 0775 + state: directory + owner: www-data + group: www-data + recurse: yes + with_dict: "{{ nginx_revproxy_sites }}" + notify: Reload Nginx + when: + - nginxinstalled is success + tags: + - nginxrevproxy + +- name: Get WebRoot Sites + command: ls -1 /var/www/ + changed_when: "webroot.stdout_lines != nginx_revproxy_sites.keys()|sort()" + check_mode: no + register: webroot + tags: + - nginxrevproxy + +- name: Remove WebRoot Sites + file: + path: /var/www/{{ item }}/ + state: absent + with_items: "{{ webroot.stdout_lines }}" + notify: Reload Nginx + when: + - item not in nginx_revproxy_sites + tags: + - nginxrevproxy + +- include_tasks: letsencrypt.yml + tags: + - lesencrypt + - nginxrevproxy diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy.conf.j2 b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy.conf.j2 new file mode 100644 index 0000000..ec144d2 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy.conf.j2 
@@ -0,0 +1,56 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +{% if item.key == "default" %} +server { + listen {{ item.value.listen | default(80) }} http2 default_server; + listen [::]:{{ item.value.listen | default(80) }} http2 default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +{% else %} +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }} http2; + listen [::]:{{ item.value.listen | default(80) }} http2; + server_name {{ item.value.domains | join(' ') }}; + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } + + location /.well-known { + alias /var/www/{{ item.key }}/.well-known; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} +{% endif %} 
diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl.conf.j2 b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl.conf.j2 new file mode 100644 index 0000000..85f2c7f --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl.conf.j2 
@@ -0,0 +1,103 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +{% if item.key == "default" %} +server { + listen {{ item.value.listen | default(80) }} http2 default_server; + listen [::]:{{ item.value.listen | default(80) }} http2 default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2 default_server; + listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2 default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; +} +{% else %} +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }} http2; + listen [::]:{{ item.value.listen | default(80) }} http2; + server_name {{ item.value.domains | join(' ') }}; + location / { + return 301 https://$server_name$request_uri; + } + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2; + listen 
[::]:{{ item.value.listen_ssl | default(443) }} ssl http2; + server_name {{ item.value.domains | join(' ') }}; + +{% if item.value.hsts_max_age is defined %} + add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always; +{% endif %} + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } +} +{% endif %} diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl_letsencrypt.conf.j2 b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl_letsencrypt.conf.j2 new file mode 100644 index 0000000..5b20067 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/templates/reverseproxy_ssl_letsencrypt.conf.j2 
@@ -0,0 +1,71 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }} http2; + listen [::]:{{ item.value.listen | default(80) }} http2; + server_name {{ item.value.domains | join(' ') }}; + location / { + return 301 https://$server_name$request_uri; + } + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2; + listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2; + server_name {{ item.value.domains | join(' ') }}; + +{% if item.value.hsts_max_age is defined %} + add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always; +{% endif %} + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') 
}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } +} diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/inventory b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/inventory new file mode 100644 index 0000000..d18580b --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/inventory @@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/test.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/test.yml new file mode 100644 index 0000000..3f38da7 --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/tests/test.yml @@ -0,0 +1,6 @@ +--- +- hosts: localhost + remote_user: root + + roles: + - ansible-nginx-revproxy diff --git a/.ansible/.downloaded_roles/hispanico.nginx-revproxy/vars/main.yml b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/vars/main.yml new file mode 100644 index 0000000..8b9699d --- /dev/null +++ b/.ansible/.downloaded_roles/hispanico.nginx-revproxy/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roles/ansible-nginx-revproxy diff --git a/.ansible/.vault_pass.txt b/.ansible/.vault_pass.txt new file mode 100644 index 0000000..7054ec3 --- /dev/null +++ b/.ansible/.vault_pass.txt 
@@ -0,0 +1,6 @@ +EsSoWJLxcWsB81wo0HPRkXXoQCzfyhPloZjucsxE2SERVfa2jAdNNg8eI6DCEul2 +T87qW3n+25eY0QL6ivY+WxjLLSqRo1IO4HB6xfvSTHLm0z63Eti4OPVMTBZ6+dyr +v99Y7xHwerTGyNe79veoauaKqR1YI+sS2f1LATXATcR3wFKkT5y/oHw9j6JBAPZQ +C6nuAK7XBU6AVi6LpNiZLu17qceHMlR+n1qxNcH7I0R5mww1dYFwbny4qJb1IOzB +woAF/EhYn9qFkAkd0yCxfHk9Jhc+560WnRPpEQOWBwKXAvGOlCbb96hsArPwJx0C +5K59uZNKKhjyN0aqcdqaTatdYyz5qgv3y+gdSPdlFHmShtkIJdus5g== diff --git a/.ansible/ansible.cfg b/.ansible/ansible.cfg new file mode 100644 index 0000000..8c79240 --- /dev/null +++ b/.ansible/ansible.cfg @@ -0,0 +1,5 @@ +[defaults] +vault_password_file = ./.vault_pass.txt +roles_path = ./.downloaded_roles:./roles +pipelining = False +callback_whitelist = profile_tasks diff --git a/.ansible/apps/build/Dockerfile b/.ansible/apps/build/Dockerfile new file mode 100644 index 0000000..7d7bae9 --- /dev/null +++ b/.ansible/apps/build/Dockerfile 
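Review bot: The vault password itself is committed in `.ansible/.vault_pass.txt`, next to the playbooks that use it, so anyone with read access to this repository (and every CI runner that clones it) can decrypt whatever this vault protects. Treat the password as compromised: re-key the vault with a fresh password (`ansible-vault rekey`), remove the file from the tree and from history, and add `.ansible/.vault_pass.txt` to `.gitignore`. Supply the password at run time instead, for example through `ANSIBLE_VAULT_PASSWORD_FILE` pointing outside the checkout, or a `--vault-id` script that reads it from the CI secret store.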
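Review bot: `roles_path = ./.downloaded_roles:./roles` makes the playbooks depend on a Galaxy role that was downloaded once and committed wholesale (its `.galaxy_install_info` records v1.1.4), with no `requirements.yml` recording that pin. Declaring it as `- src: hispanico.nginx-revproxy` / `version: v1.1.4` in a requirements file, installing with `ansible-galaxy install -r requirements.yml -p .downloaded_roles` and ignoring that directory keeps the dependency upgradable and reviewable. That matters here because the vendored copy ships `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` in all three nginx templates and fetches `certbot-auto` into `/usr/bin` via `get_url` without a `checksum:`; overriding those from a role you own, or bumping the role version, is easier than editing a committed download that the next install would overwrite.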
@@ -0,0 +1,67 @@ +FROM ubuntu:18.04 + +WORKDIR /app + +RUN apt-get update && apt-get install -y curl locales + +# Set locale +RUN locale-gen de_DE.UTF-8 +ENV LANG=de_DE.UTF-8 +ENV LANGUAGE=de_DE:en +ENV LC_ALL=de_DE.UTF-8 +ENV HOME=/root +ENV PATH="$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH" + +# Install dependencies +RUN apt-get update && \ + apt-get install -y aptitude ca-certificates python python-dev python-pip \ + python-virtualenv \ + gpg \ + git \ + nodejs \ + automake autoconf libreadline-dev libncurses-dev libssl-dev libyaml-dev libxslt-dev libffi-dev libtool unixodbc-dev unzip && \ + rm -rf /var/lib/apt/lists/* + + +# install yarn +RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - + +RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list + +RUN apt update + +RUN apt install --no-install-recommends yarn + + +# Install asdf +RUN git clone https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch v0.7.2 + +# Install node js +RUN asdf plugin-add nodejs https://github.com/asdf-vm/asdf-nodejs.git && \ + $HOME/.asdf/plugins/nodejs/bin/import-release-team-keyring && \ + asdf install nodejs 11.8.0 && \ + asdf global nodejs 11.8.0 && \ + rm -rf /tmp/* + +# Install erlang +RUN asdf plugin-add erlang https://github.com/asdf-vm/asdf-erlang.git && \ + asdf install erlang 22.1.3 && \ + asdf global erlang 22.1.3 && \ + rm -rf /tmp/* + +# Install elixir +RUN asdf plugin-add elixir https://github.com/asdf-vm/asdf-elixir.git && \ + asdf install elixir 1.9.2 && \ + asdf global elixir 1.9.2 && \ + rm -rf /tmp/* + +# Install hex and rebar +RUN mix local.hex --force +RUN mix local.rebar --force + +# Set up ansible +RUN apt-get update && \ + apt-get install -y software-properties-common && \ + apt-add-repository ppa:ansible/ansible && \ + apt-get update && \ + apt-get install -y ansible \ No newline at end of file 
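Review bot: This image becomes the trusted build environment for the production release (CI pulls `blackboxms/ubuntu-nodejs-elixir:1.9.2` and rsyncs the result to the server), yet nothing in it is pinned beyond a name: `FROM ubuntu:18.04`, the three `asdf plugin-add` clones and the erlang/elixir source builds all resolve to whatever upstream serves at build time, and only the nodejs step verifies signatures via `import-release-team-keyring`. Pin the base image by digest (`FROM ubuntu:18.04@sha256:<digest>`) and pin the asdf plugin repositories to a commit instead of their default branch. Separately, `RUN apt install --no-install-recommends yarn` has no `-y`, so a non-interactive `docker build` aborts if apt decides to prompt, and the later `apt update` / `apt-get install ... ansible` layers leave `/var/lib/apt/lists` in the image; use `apt-get install -y --no-install-recommends yarn` and clean the lists in the same layer, as the earlier dependency layer already does.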
diff --git a/.ansible/apps/build/build.yml b/.ansible/apps/build/build.yml new file mode 100644 index 0000000..78aaff3 --- /dev/null +++ b/.ansible/apps/build/build.yml @@ -0,0 +1,36 @@ +--- +- hosts: all + gather_facts: no + vars: + local_build_dir: "/tmp/wetter_build" + git_repo: "git@github.com:krystofbe/wetter.git" + production_vars_file: "../production/host_vars/wetter.krystof.eu" + + pre_tasks: + - command: date +"0.1.0-%Y.%-m.%-d.%-H.%-M" + delegate_to: localhost + register: build_version_cmd + + - set_fact: + build_version: "{{ build_version_cmd.stdout }}" + + - name: Cd Checkout the master branch from git repo + delegate_to: localhost + git: + repo: "{{ git_repo }}" + dest: "{{ local_build_dir }}" + version: master + force: yes + when: ansible_connection == "docker" + + roles: + - role: docker_setup/0.0.1 + vars: + container_name: "{{ ansible_host }}" + image_name: blackboxms/ubuntu-nodejs-elixir:1.9.2 + when: ansible_connection == "docker" + + - role: build_app/0.0.1 + vars: + mix_env: prod + app_name: wetter diff --git a/.ansible/apps/build/inventory b/.ansible/apps/build/inventory new file mode 100644 index 0000000..5b0059c --- /dev/null +++ b/.ansible/apps/build/inventory @@ -0,0 +1,8 @@ +--- +all: + hosts: + build_server + vars: + ansible_connection: docker + ansible_host: wetter_build_server + build_dir: "/app/build" diff --git a/.ansible/apps/build/inventory-ci b/.ansible/apps/build/inventory-ci new file mode 100644 index 0000000..7089a82 --- /dev/null +++ b/.ansible/apps/build/inventory-ci @@ -0,0 +1,8 @@ +--- +all: + hosts: + build_server + vars: + ansible_connection: local + ansible_host: 127.0.0.1 + build_dir: ~/repo diff --git a/.ansible/apps/build/update-docker-image.yml b/.ansible/apps/build/update-docker-image.yml new file mode 100644 index 0000000..efafa3b --- /dev/null +++ b/.ansible/apps/build/update-docker-image.yml 
@@ -0,0 +1,15 @@ +- hosts: 127.0.0.1 + connection: local + gather_facts: no + + tasks: + - name: Build and upload docker image + docker_image: + debug: yes + path: ./ + name: blackboxms/ubuntu-nodejs-elixir + repository: blackboxms/ubuntu-nodejs-elixir + tag: 1.9.2 + pull: yes + push: yes + force: yes diff --git a/.ansible/apps/prepare_server/initial_server_setup.yml b/.ansible/apps/prepare_server/initial_server_setup.yml new file mode 100644 index 0000000..9181efe --- /dev/null +++ b/.ansible/apps/prepare_server/initial_server_setup.yml 
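Review bot: The image is pushed with `force: yes` to the fixed tag `1.9.2`, and `.circleci/config.yml` and `build.yml` consume it by that same mutable tag, so every run of this playbook silently replaces the environment that builds the production release and there is no record of which image built a given release. Push an immutable tag alongside it, for example `tag: "{{ lookup('pipe', 'git rev-parse --short HEAD') }}"`, and have CI reference the image by digest (`image: blackboxms/ubuntu-nodejs-elixir@sha256:...`). `debug: yes` looks like a leftover from troubleshooting and can probably be removed.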
@@ -0,0 +1,79 @@ +########################################################################################################### +# DO Community Playbooks +# Playbook: Initial Server Setup +# Based on: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04 +# Dedicated Guide: https://www.digitalocean.com/community/tutorials/automating-initial-server-setup-with-ansible +################################################################################################################### + +--- +- hosts: wetter.krystof.eu + gather_facts: false + vars: + create_user: deploy + copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" + required_packages: ["curl", "vim", "git", "ufw", "libtinfo5", "policykit-1"] + + tasks: + - name: Make sure we have a 'wheel' group + group: + name: wheel + state: present + + - name: Allow 'wheel' group to have passwordless sudo + lineinfile: + path: /etc/sudoers + state: present + regexp: "^%wheel" + line: "%wheel ALL=(ALL) NOPASSWD: ALL" + validate: "/usr/sbin/visudo -cf %s" + + - name: Create a new regular user with sudo privileges + user: + name: "{{ create_user }}" + state: present + groups: wheel + append: true + create_home: true + shell: /bin/bash + + - name: Set authorized key for remote user + authorized_key: + user: "{{ create_user }}" + state: present + key: "{{ copy_local_key }}" + + - name: Disable password authentication for root + lineinfile: + path: /etc/ssh/sshd_config + state: present + regexp: "^#?PermitRootLogin" + line: "PermitRootLogin prohibit-password" + + - name: Update apt + apt: update_cache=yes + + - name: Install required system packages + apt: name={{ required_packages }} state=latest + + - name: UFW - Allow SSH connections + ufw: + rule: allow + name: OpenSSH + + - name: Allow all access to tcp port 80 + ufw: + rule: allow + port: 80 + proto: tcp + + - name: Allow all access to tcp port 443 + ufw: + rule: allow + port: 443 + proto: tcp + + - name: UFW - 
Deny all other incoming traffic by default + ufw: + state: enabled + policy: deny + direction: incoming diff --git a/.ansible/apps/prepare_server/inventory b/.ansible/apps/prepare_server/inventory new file mode 100644 index 0000000..89bd1b9 --- /dev/null +++ b/.ansible/apps/prepare_server/inventory @@ -0,0 +1,8 @@ +--- +all: + hosts: + wetter.krystof.eu + vars: + ansible_user: krystof + ansible_become: yes + port: 5000 \ No newline at end of file diff --git a/.ansible/apps/prepare_server/nginx_setup.yml b/.ansible/apps/prepare_server/nginx_setup.yml new file mode 100644 index 0000000..766d634 --- /dev/null +++ b/.ansible/apps/prepare_server/nginx_setup.yml @@ -0,0 +1,13 @@ +- hosts: all + roles: + - hispanico.nginx-revproxy + vars: + nginx_revproxy_sites: + wetter.krystof.eu: + domains: + - wetter.krystof.eu + upstreams: + - { backend_address: localhost, backend_port: "{{ port }}" } + ssl: true + letsencrypt: true + letsencrypt_email: "kry@gmx.eu" diff --git a/.ansible/apps/production/deploy.yml b/.ansible/apps/production/deploy.yml new file mode 100644 index 0000000..7de750e --- /dev/null +++ b/.ansible/apps/production/deploy.yml 
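Review bot: The `deploy` user is added to `wheel`, and `wheel` is granted `%wheel ALL=(ALL) NOPASSWD: ALL`, while the only privileged operation the deploy role performs is `sudo /bin/systemctl restart wetter` in the `deploy_app` handler; since the CI inventory connects as `deploy`, a leaked CI SSH key is unrestricted root on the production host. Scope the grant to that one command, e.g. `line: "%wheel ALL=(ALL) NOPASSWD: /bin/systemctl restart wetter"`, preferably as a dedicated `/etc/sudoers.d/deploy` file rather than editing `/etc/sudoers`. The task named "Disable password authentication for root" only sets `PermitRootLogin prohibit-password` and nothing restarts `sshd`, so it is not live until the next restart and password authentication in general is left as-is; add a `PasswordAuthentication no` line and a `notify: restart sshd` handler (the `deploy` user is created without a password and authenticates via the `authorized_key` task, so this cannot lock it out).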
@@ -0,0 +1,28 @@ +--- +- hosts: all + gather_facts: no + + vars: + mix_env: prod + local_release_dir: "{{ local_build_dir }}/_build/{{ mix_env }}/rel/wetter" + build_version: "{{ lookup('file', local_build_dir + '/_build/{{ mix_env }}/rel/wetter/BUILD_VERSION') }}" + commit_hash: "{{ lookup('file', local_build_dir + '/_build/{{ mix_env }}/rel/wetter/COMMIT_HASH') }}" + + pre_tasks: + - name: Get git version + delegate_to: localhost + become: false + shell: "git rev-parse master {{ local_build_dir }}" + register: git_version_result + + - name: Check for newest build + delegate_to: localhost + fail: + msg: "Latest GIT commit of {{ git_version_result.stdout_lines[0] }} does not match build version of {{ commit_hash }}. Please build a new release." + when: commit_hash != git_version_result.stdout_lines[0] + + roles: + - role: deploy_app/0.0.1 + vars: + app_name: wetter + username: "{{ ansible_user }}" diff --git a/.ansible/apps/production/host_vars/wetter.krystof.eu b/.ansible/apps/production/host_vars/wetter.krystof.eu new file mode 100644 index 0000000..ebb8e30 --- /dev/null +++ b/.ansible/apps/production/host_vars/wetter.krystof.eu 
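Review bot: The freshness check in `pre_tasks` does not look at the tree it claims to: `shell: "git rev-parse master {{ local_build_dir }}"` runs in the playbook's current directory, resolves that repository's local `master` ref rather than the revision that was actually checked out and built, and passes `{{ local_build_dir }}` as a second argument that git either echoes back (if the path exists) or rejects. Use `command: git rev-parse HEAD` with `args: {chdir: "{{ local_build_dir }}"}` so the comparison with `COMMIT_HASH`, which `build_app` writes from `git rev-parse HEAD` in the build dir, compares like with like. `command` also avoids shell interpretation of the interpolated variable, which `shell` does not.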
@@ -0,0 +1,36 @@ +--- +port: "5000" +sentry_dsn: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643661346431326639666462343831643263633564653833363763656163646533346334623335 + 6664306163326339663738313563343336303232663733320a653462393239653564353630313135 + 66663638616434313830653263396566303833333032356664366364303064373532383237653236 + 6462316362643731330a616361306531323065613533343534333437393235353564636462336262 + 38326438393331376239386539626636363032613639353963633965353633646638353438656663 + 30393464383638346137353533626261356537346235333065313766393636643361336361393333 + 64353838376330346161313261626238623162626431323163646238343131363965323263366437 + 61663930306331366562623236313130306534653164633630343464333236393363346133383234 + 3337 +secret_key_base: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 32336231386366393734353330633937343934646633323631663939626532633462633866646464 + 3335613563623933373035636639313261633338306236350a346231386339626466346264633235 + 64366162636239373836626164303236646136653965616165366362373937376163346135343736 + 3066343864333132330a363735666264353034353933363338306137316663656464383162623463 + 37646638373961366131613266666664346238633630633235323835633263303166323237663066 + 30303735316465363962646632646236666363343361636436636464616263666561656632366531 + 38383837383661336430316464343434303339316534656338616335363763356165396162643834 + 63653461336232643432 +sendgrid_api_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61383963623931633866373861383833326363396666306438343030386435343664646163656431 + 6531303661303337396163346136353138363237363637610a323739353962623534306661303862 + 31393734623339366433343263383938306136356236336338303661353730633936653862356235 + 6662333663353639660a666533373065356238393534326538336433646363653361393035376438 + 64326335613039636630643339666134643466326435363864353564363365393366663139643235 + 62633861633164333339626131316338636261663461323938396264323131613937636466623631 + 
61323137383235366332303765386437323237366635643132336637383161343761383666646530 + 64306164363330373137 +releases_dir: "/u/apps/wetter/releases" +current_dir: "/u/apps/wetter/current" +releases_to_keep: 10 diff --git a/.ansible/apps/production/inventory b/.ansible/apps/production/inventory new file mode 100644 index 0000000..3fd189b --- /dev/null +++ b/.ansible/apps/production/inventory @@ -0,0 +1,7 @@ +--- +all: + hosts: + wetter.krystof.eu + vars: + local_build_dir: /tmp/wetter_build + ansible_user: deploy \ No newline at end of file diff --git a/.ansible/apps/production/inventory-ci b/.ansible/apps/production/inventory-ci new file mode 100644 index 0000000..b240592 --- /dev/null +++ b/.ansible/apps/production/inventory-ci @@ -0,0 +1,8 @@ +--- +all: + hosts: + wetter.krystof.eu + vars: + local_build_dir: ~/repo + ansible_ssh_extra_args: "-o StrictHostKeyChecking=no" + ansible_user: deploy \ No newline at end of file diff --git a/.ansible/roles/build_app/0.0.1/tasks/main.yml b/.ansible/roles/build_app/0.0.1/tasks/main.yml new file mode 100644 index 0000000..6bef390 --- /dev/null +++ b/.ansible/roles/build_app/0.0.1/tasks/main.yml 
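Review bot: `ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"` in `inventory-ci` turns off SSH host-key verification for the production deploy, so an attacker able to interpose between CircleCI and `wetter.krystof.eu` (DNS, routing) could accept the connection, collect the deploy user's authentication attempt and receive the release without any error being raised. Pin the host key instead: commit the host's public key line and install it with the `known_hosts` module in a `pre_tasks` step (or write it to `~/.ssh/known_hosts` in the CircleCI job before invoking the playbook), then drop this option.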
@@ -0,0 +1,56 @@ +--- +- name: Load production vars + include_vars: "{{ production_vars_file }}" + +- name: Create secrets + template: + src: prod.secret.exs.j2 + dest: "{{ build_dir }}/config/prod.secret.exs" + mode: 0644 + +- name: Fetch mix dependencies + command: bash -lc "mix deps.get" chdir="{{ build_dir }}" + environment: + MIX_ENV: "{{ mix_env }}" + +- name: Fetch yarn dependencies + command: bash -lc "cd {{ build_dir }}/assets && yarn install" + environment: + MIX_ENV: "{{ mix_env }}" + +- name: Build assets + command: bash -lc "cd {{ build_dir }}/assets && yarn deploy" + environment: + MIX_ENV: "{{ mix_env }}" + +- name: Digest assets + command: bash -lc "mix phx.digest" chdir="{{ build_dir }}" + environment: + MIX_ENV: "{{ mix_env }}" + +- name: Remove previous build + file: + name: "{{ build_dir }}/_build/{{ mix_env }}/rel/{{ app_name }}" + state: absent + +- name: "Releasing {{ build_version }}" + command: bash -lc "mix release" chdir="{{ build_dir }}" + environment: + MIX_ENV: "{{ mix_env }}" + BUILD_VERSION: "{{ build_version }}" + +- name: Adding BUILD_VERSION file with "{{ build_version }}" + copy: + content: "{{ build_version }}" + dest: "{{ build_dir }}/_build/{{ mix_env }}/rel/{{ app_name }}/BUILD_VERSION" + +- name: Get GIT version + command: git rev-parse HEAD + args: + chdir: "{{ build_dir }}" + register: git_result + +- name: Adding COMMIT_HASH file with "{{ git_result.stdout }}" + copy: + content: "{{ git_result.stdout }}" + dest: "{{ build_dir }}/_build/{{ mix_env }}/rel/{{ app_name }}/COMMIT_HASH" diff --git a/.ansible/roles/build_app/0.0.1/templates/prod.secret.exs.j2 b/.ansible/roles/build_app/0.0.1/templates/prod.secret.exs.j2 new file mode 100644 index 0000000..5f37cd8 --- /dev/null +++ b/.ansible/roles/build_app/0.0.1/templates/prod.secret.exs.j2 
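Review bot: `Create secrets` renders `secret_key_base`, `sentry_dsn` and `sendgrid_api_key` into `{{ build_dir }}/config/prod.secret.exs` with `mode: 0644`, and neither it nor the `Load production vars` `include_vars` task is marked `no_log`; `include_vars` reports the loaded variables in its result (`ansible_facts`), which the verbose runs CI uses (`ansible-playbook ... -vvv` in `.circleci/config.yml`) print into the build log, so the decrypted secrets are likely to be readable there. Add `no_log: true` to both tasks and tighten the file to `mode: "0600"` (quoted, so YAML 1.1 octal handling is not relied on). Note also that these values are compile-time Mix config and so presumably end up in the assembled release under `_build/`, which the CI job caches and later rsyncs to the server.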
@@ -0,0 +1,19 @@ +use Mix.Config + +# In this file, we keep production configuration that +# you'll likely want to automate and keep away from +# your version control system. +# +# You should document the content of this +# file or create a script for recreating it, since it's +# kept out of version control and might be hard to recover +# or recreate for your teammates (or yourself later on). +config :wetter, WetterWeb.Endpoint, + http: [:inet6, port: String.to_integer("{{ port }}")], + secret_key_base: "{{ secret_key_base }}" + +config :sentry, + dsn: "{{ sentry_dsn }}" + +config :wetter, Wetter.Mailer, + api_key: "{{ sendgrid_api_key }}" diff --git a/.ansible/roles/deploy_app/0.0.1/handlers/main.yml b/.ansible/roles/deploy_app/0.0.1/handlers/main.yml new file mode 100644 index 0000000..3109ae8 --- /dev/null +++ b/.ansible/roles/deploy_app/0.0.1/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: "restart app" + raw: "sudo /bin/systemctl restart {{ app_name }}" diff --git a/.ansible/roles/deploy_app/0.0.1/tasks/main.yml b/.ansible/roles/deploy_app/0.0.1/tasks/main.yml new file mode 100644 index 0000000..dd7dee8 --- /dev/null +++ b/.ansible/roles/deploy_app/0.0.1/tasks/main.yml 
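Review bot: The template drops each secret straight into an Elixir double-quoted string (`secret_key_base: "{{ secret_key_base }}"`), so a value containing `"`, `\` or `#{` would either break the config or be evaluated as Elixir code when the release is built; there is no escaping filter, and Jinja's `to_json` would still leave `#{` interpolation live. Since the project already targets Elixir 1.9 (`mix release`), the cleaner fix is runtime configuration: keep the secret material out of `prod.secret.exs` and read it in `config/releases.exs` with `System.fetch_env!("SECRET_KEY_BASE")` (likewise for the Sentry DSN and SendGrid key), supplied through the systemd unit's environment on the server, which also keeps the values out of the build tree, the CI cache and the rsynced release. If the file must stay, at least fail the build when a secret contains `"` or `#{`.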
@@ -0,0 +1,42 @@ +--- +- name: Check for existing current directory + stat: + path: "{{ current_dir }}" + register: current_dir_stat + +- name: Check for existing release directory + stat: + path: "{{ releases_dir }}/{{ build_version }}" + register: release_dir_stat + +- name: Copy previous release (make faster release deploys) + command: "cp -r -L {{ current_dir }}/ {{ releases_dir }}/{{ build_version }}" + when: current_dir_stat.stat.exists and not release_dir_stat.stat.exists + +- name: "Upload new {{ build_version }} release" + synchronize: + src: "{{ local_release_dir }}/" + dest: "{{ releases_dir }}/{{ build_version }}" + recursive: yes + delete: yes + +# Here you should symlink shared directory in case you have uploaded files, etc. + +- name: Update current symlink + file: + dest: "{{ current_dir }}" + src: "{{ releases_dir }}/{{ build_version }}" + state: link + force: yes + notify: + - "restart app" + +- name: List all releases + shell: "ls -t {{ releases_dir }} | tail -n +{{ releases_to_keep + 1 }}" + register: ls_output + +- name: Remove old releases + file: + name: "{{ releases_dir }}/{{ item }}" + state: absent + with_items: "{{ ls_output.stdout_lines }}" diff --git a/.ansible/roles/docker_setup/0.0.1/tasks/main.yml b/.ansible/roles/docker_setup/0.0.1/tasks/main.yml new file mode 100644 index 0000000..635ac4c --- /dev/null +++ b/.ansible/roles/docker_setup/0.0.1/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Start docker container + delegate_to: localhost + docker_container: + name: "{{ container_name }}" + image: "{{ image_name }}" + volumes: + - "{{ local_build_dir }}:{{ build_dir }}" + env: + SSH_AUTH_SOCK: /ssh-agent + auto_remove: yes + detach: yes + interactive: yes + tty: yes diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000..587dad2 --- /dev/null +++ b/.circleci/config.yml 
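Review bot: The build container is given `SSH_AUTH_SOCK: /ssh-agent` in its environment but the only volume mounted is `{{ local_build_dir }}:{{ build_dir }}`, so inside the container that path points at nothing and any step needing SSH would fail rather than use the host's agent (the `git` checkout in `build.yml` is delegated to localhost, so the variable may simply be unused). Either drop it or mount the socket explicitly, `- "{{ lookup('env', 'SSH_AUTH_SOCK') }}:/ssh-agent"`, bearing in mind that forwarding the agent into a container running third-party build tooling gives that tooling signing access to every key in the agent for the duration of the build.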
@@ -0,0 +1,42 @@ +# Elixir CircleCI 2.0 configuration file +# +# Check https://circleci.com/docs/2.0/language-elixir/ for more details +version: 2 +jobs: + build: + docker: + - image: blackboxms/ubuntu-nodejs-elixir:1.9.2 + + environment: + MIX_ENV: test + + working_directory: ~/repo + steps: + - checkout + + - restore_cache: + keys: + - deps-build + + # Test + - run: mix deps.get + - run: mix test + + # Build + - run: cd ~/repo && git reset --hard && git clean -dfx + - run: echo "$VAULT_PASS" | base64 -d > ~/repo/.ansible/.vault_pass.txt + - run: cd .ansible && ansible-playbook -i apps/build/inventory-ci apps/build/build.yml -vvv + + - save_cache: + key: deps-build + paths: + - ~/repo/_build + - ~/repo/deps + # Install rsync for deploy + - run: apt-get install rsync -y + - deploy: + name: "Deploy master to production" + command: | + if [ "${CIRCLE_BRANCH}" == "master" ]; then + cd .ansible && ansible-playbook -i apps/production/inventory-ci apps/production/deploy.yml -vvv; + fi diff --git a/README.md b/README.md index 64da610..9546e2f 100644 --- a/README.md +++ b/README.md 
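Review bot: Both `ansible-playbook` invocations run with `-vvv`, which makes Ansible print full task results — including what the `include_vars` task in `build_app` returns after loading the vault-decrypted `secret_key_base`, `sendgrid_api_key` and `sentry_dsn` — into the CircleCI log, readable by anyone with access to the project's build output. Drop the `-vvv` (or keep `-v` and put `no_log: true` on the secret-handling tasks). The `restore_cache`/`save_cache` pair uses the constant key `deps-build`, so the cache is written once and never refreshed, and it includes `~/repo/_build`, i.e. the assembled release with the secrets compiled in; key it on the dependency lock file, e.g. `deps-build-{{ checksum "mix.lock" }}`, and leave `_build/prod` out of it. Finally, the vault password written by `echo "$VAULT_PASS" | base64 -d > ~/repo/.ansible/.vault_pass.txt` is also committed in this same patch, which defeats keeping it as a CI secret.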
@@ -2,19 +2,27 @@ To start your Phoenix server: - * Install dependencies with `mix deps.get` - * Create and migrate your database with `mix ecto.create && mix ecto.migrate` - * Install Node.js dependencies with `cd assets && npm install` - * Start Phoenix endpoint with `mix phx.server` +- Install dependencies with `mix deps.get` +- Create and migrate your database with `mix ecto.create && mix ecto.migrate` +- Install Node.js dependencies with `cd assets && npm install` +- Start Phoenix endpoint with `mix phx.server` Now you can visit [`localhost:4000`](http://localhost:4000) from your browser. Ready to run in production? Please [check our deployment guides](http://www.phoenixframework.org/docs/deployment). +## Build + +`ansible-playbook -i apps/build/inventory apps/build/build.yml -vvv` + +## Deploy + +`ansible-playbook -i apps/production/inventory apps/production/deploy.yml -vvv` + ## Learn more - * Official website: http://www.phoenixframework.org/ - * Guides: http://phoenixframework.org/docs/overview - * Docs: https://hexdocs.pm/phoenix - * Mailing list: http://groups.google.com/group/phoenix-talk - * Source: https://github.com/phoenixframework/phoenix +- Official website: http://www.phoenixframework.org/ +- Guides: http://phoenixframework.org/docs/overview +- Docs: https://hexdocs.pm/phoenix +- Mailing list: http://groups.google.com/group/phoenix-talk +- Source: https://github.com/phoenixframework/phoenix diff --git a/config/prod.exs b/config/prod.exs index 159e464..0e8810b 100644 --- a/config/prod.exs +++ b/config/prod.exs 
@@ -1,36 +1,23 @@ use Mix.Config -# For production, we often load configuration from external -# sources, such as your system environment. For this reason, -# you won't find the :http configuration below, but set inside -# WetterWeb.Endpoint.init/2 when load_from_system_env is -# true. Any dynamic configuration should be done there. +# For production, don't forget to configure the url host +# to something meaningful, Phoenix uses this information +# when generating URLs. # -# Don't forget to configure the url host to something meaningful, -# Phoenix uses this information when generating URLs. -# -# Finally, we also include the path to a cache manifest +# Note we also include the path to a cache manifest # containing the digested version of static files. This -# manifest is generated by the mix phx.digest task -# which you typically run after static files are built. +# manifest is generated by the `mix phx.digest` task, +# which you should run after static files are built and +# before starting your production server. config :wetter, WetterWeb.Endpoint, - load_from_system_env: true, - url: [host: {:system, "HOST"}, port: {:system, "PORT"}], - server: true, - root: ".", - cache_static_manifest: "priv/static/cache_manifest.json", - force_ssl: [rewrite_on: [:x_forwarded_proto]], - root: ".", - server: true, - url: [ - scheme: "https", - host: "ms-wetter.herokuapp.com", - port: 443 - ] + url: [host: "wetter.krystof.eu", port: 443], + cache_static_manifest: "priv/static/cache_manifest.json" # Do not print debug messages in production config :logger, level: :info +config :phoenix, :serve_endpoints, true + # ## SSL Support # # To get SSL working, you will need to add the `https` key 
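Review bot: The rewritten endpoint config drops two settings the Heroku version had that still matter behind the nginx proxy: `scheme: "https"` in `url:` and `force_ssl: [rewrite_on: [:x_forwarded_proto]]`. With only `url: [host: "wetter.krystof.eu", port: 443]` and an `http:` listener, Phoenix has no https listener to infer a scheme from, so absolute URLs it generates (for example in mail sent through `Wetter.Mailer`) are likely to come out as `http://wetter.krystof.eu:443/...`, and without `force_ssl` the application neither redirects plain-HTTP requests nor emits HSTS, leaving that entirely to whatever the downloaded nginx role renders. Restore `url: [scheme: "https", host: "wetter.krystof.eu", port: 443]` and `force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true]`; the proxy template in this patch sets `X-Forwarded-Proto $scheme`, so the rewrite is safe behind it.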
@@ -39,32 +26,42 @@ config :logger, level: :info # config :wetter, WetterWeb.Endpoint, # ... # url: [host: "example.com", port: 443], -# https: [:inet6, -# port: 443, -# keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"), -# certfile: System.get_env("SOME_APP_SSL_CERT_PATH")] +# https: [ +# :inet6, +# port: 443, +# cipher_suite: :strong, +# keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"), +# certfile: System.get_env("SOME_APP_SSL_CERT_PATH") +# ] +# +# The `cipher_suite` is set to `:strong` to support only the +# latest and more secure SSL ciphers. This means old browsers +# and clients may not be supported. You can set it to +# `:compatible` for wider support. # -# Where those two env variables return an absolute path to -# the key and cert in disk or a relative path inside priv, -# for example "priv/ssl/server.key". +# `:keyfile` and `:certfile` expect an absolute path to the key +# and cert in disk or a relative path inside priv, for example +# "priv/ssl/server.key". For all supported SSL configuration +# options, see https://hexdocs.pm/plug/Plug.SSL.html#configure/1 # -# We also recommend setting `force_ssl`, ensuring no data is -# ever sent via http, always redirecting to https: +# We also recommend setting `force_ssl` in your endpoint, ensuring +# no data is ever sent via http, always redirecting to https: # # config :wetter, WetterWeb.Endpoint, # force_ssl: [hsts: true] # # Check `Plug.SSL` for all available options in `force_ssl`. -# ## Using releases +# ## Using releases (Elixir v1.9+) # # If you are doing OTP releases, you need to instruct Phoenix -# to start the server for all endpoints: -# -# config :phoenix, :serve_endpoints, true -# -# Alternatively, you can configure exactly which server to -# start per endpoint: +# to start each relevant endpoint: # # config :wetter, WetterWeb.Endpoint, server: true # +# Then you can assemble a release by calling `mix release`. +# See `mix help release` for more information. 
+ +# Finally import the config/prod.secret.exs which loads secrets +# and configuration from environment variables. +import_config "prod.secret.exs" diff --git a/mix.exs b/mix.exs index eacc49e..bb9425a 100644 --- a/mix.exs +++ b/mix.exs @@ -45,7 +45,6 @@ defmodule Wetter.Mixfile do {:solar, "~> 0.1.0"}, {:poison, "~> 3.1"}, {:sentry, "~> 7.0"}, - {:distillery, "~> 2.0"}, {:jason, "~> 1.0"} ] end diff --git a/rel/config.exs b/rel/config.exs deleted file mode 100644 index 1ba7a36..0000000 --- a/rel/config.exs +++ /dev/null 
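Review bot: `import_config "prod.secret.exs"` makes every `MIX_ENV=prod` compile depend on the file `build_app` renders from vaulted values, and nothing in this patch adds `config/prod.secret.exs` to `.gitignore` — the CI job's `git clean -dfx` runs before the file is written, so it survives in the checkout after the build. Confirm it is ignored so a locally rendered copy with live secrets cannot be committed; alternatively move the secret reads to `config/releases.exs`, which Elixir 1.9 `mix release` evaluates at boot, so the build tree never has to contain them.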
@@ -1,57 +0,0 @@ -# Import all plugins from `rel/plugins` -# They can then be used by adding `plugin MyPlugin` to -# either an environment, or release definition, where -# `MyPlugin` is the name of the plugin module. -~w(rel plugins *.exs) -|> Path.join() -|> Path.wildcard() -|> Enum.map(&Code.eval_file(&1)) - -use Distillery.Releases.Config, - # This sets the default release built by `mix release` - default_release: :default, - # This sets the default environment used by `mix release` - default_environment: Mix.env() - -# For a full list of config options for both releases -# and environments, visit https://hexdocs.pm/distillery/config/distillery.html - -# You may define one or more environments in this file, -# an environment's settings will override those of a release -# when building in that environment, this combination of release -# and environment configuration is called a profile - -environment :dev do - # If you are running Phoenix, you should make sure that - # server: true is set and the code reloader is disabled, - # even in dev mode. - # It is recommended that you build with MIX_ENV=prod and pass - # the --env flag to Distillery explicitly if you want to use - # dev mode. - set(dev_mode: true) - set(include_erts: false) - set(cookie: :"VT*t4D.(1`g)X~R6/]mbGjng%7XE%jo7[qE//O;dDQzaXp;@T,mTp9K6dX//`3yZ") -end - -environment :prod do - set(include_erts: true) - set(include_src: false) - set(cookie: :"kg&0g3y]Dq:*ldgrrq_@)=yc)K") -end - -# You may define one or more releases in this file. -# If you have not set a default release, or selected one -# when running `mix release`, the first release in the file -# will be used by default - -release :wetter do - set(version: current_version(:wetter)) - - set( - applications: [ - :runtime_tools - ] - ) - - set(commands: []) -end diff --git a/rel/plugins/.gitignore b/rel/plugins/.gitignore deleted file mode 100644 index 4fa3b5c..0000000 --- a/rel/plugins/.gitignore +++ /dev/null 
@@ -1,3 +0,0 @@ -*.* -!*.exs -!.gitignore \ No newline at end of file diff --git a/rel/vm.args b/rel/vm.args deleted file mode 100644 index 93f34bb..0000000 --- a/rel/vm.args +++ /dev/null @@ -1,30 +0,0 @@ -## This file provide the arguments provided to the VM at startup -## You can find a full list of flags and their behaviours at -## http://erlang.org/doc/man/erl.html - -## Name of the node --name <%= release_name %>@127.0.0.1 - -## Cookie for distributed erlang --setcookie <%= release.profile.cookie %> - -## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive -## (Disabled by default..use with caution!) -##-heart - -## Enable kernel poll and a few async threads -##+K true -##+A 5 -## For OTP21+, the +A flag is not used anymore, -## +SDio replace it to use dirty schedulers -##+SDio 5 - -## Increase number of concurrent ports/sockets -##-env ERL_MAX_PORTS 4096 - -## Tweak GC to run more often -##-env ERL_FULLSWEEP_AFTER 10 - -# Enable SMP automatically based on availability -# On OTP21+, this is not needed anymore. --smp auto