diff --git a/CTbase.yml b/CTbase.yml index 6dfc4f6..827214e 100644 --- a/CTbase.yml +++ b/CTbase.yml @@ -6,6 +6,7 @@ # déclaration de la variables globales vars: - email: contact@iloth.net - cthostname: web1 - domain: web1.iloth.net + email: your_email@your_domain.com + cthostname: machine_hostname + domain: domain_name + create_user: false diff --git a/CTweb.yml b/CTweb.yml index 52ff5b7..bb757f2 100644 --- a/CTweb.yml +++ b/CTweb.yml @@ -11,7 +11,8 @@ http_port: 80 domain: web1.iloth.net cthostname: web1 - + create_user: false + # ici, on demande directement à l'exécution de renseigner une variable vars_prompt: - name: "mysqlRootPassword" diff --git a/bim!chat.yml b/bim!chat.yml index 97f5e27..a57ef81 100644 --- a/bim!chat.yml +++ b/bim!chat.yml @@ -5,9 +5,10 @@ - common - postgresql - nginx + - ssl-cert - mattermost - - # déclaration de la variables globales + + # Déclaration des variables globales vars: email: contact@iloth.net domain: chat.bim.land diff --git a/bimorganise.yml b/bimorganise.yml new file mode 100644 index 0000000..3ace5d3 --- /dev/null +++ b/bimorganise.yml @@ -0,0 +1,15 @@ +--- +- hosts: bim + roles: + - common + - nginx + - postgresql + + + # Déclaration des variables globales + vars: + email: contact@bim.land + domain: organise.bim.land + cthostname: organise + create_user: false + installCertbot: true diff --git a/bimsocial.yml b/bimsocial.yml new file mode 100644 index 0000000..859c7c0 --- /dev/null +++ b/bimsocial.yml @@ -0,0 +1,18 @@ +--- +- hosts: bim + roles: + #- common + #- rbenv + #- nginx + #- postgresql + - mastodon + + # Déclaration des variables globales + vars: + email: contact@bim.land + domain: social.bim.land + cthostname: social + create_user: true + username: mastodon + installCertbot: true + ruby_version: 2.6.6 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index cea5b6d..0a3d52f 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
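Review bot: bimsocial.yml comments out the common, rbenv, nginx and postgresql roles so the play applies only mastodon, yet `create_user: true` and `username: mastodon` only take effect through the user task in roles/common, and the mastodon tasks expect rbenv in the user's home, a reachable postgresql and an existing /etc/nginx/sites-available. On a fresh host this play stops at the first shell step; if the commenting is a deliberate shortcut for an already-provisioned box, record that with a comment such as `# common/rbenv/nginx/postgresql already applied; re-enable for a fresh host`, otherwise re-enable the four roles. The same file sets `ruby_version: 2.6.6`, overriding the 2.7.0 default in roles/rbenv/defaults; a one-line comment naming why Mastodon pins that version would save the next reader a lookup.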
@@ -1,4 +1,18 @@ --- + +- name: Disable ssh password authentication + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "^.*PasswordAuthentication yes" + line: "PasswordAuthentication no" + backrefs: yes + +- name: Reload sshd service + service: + name: sshd + state: reloaded + + - name: Update & upgrade system apt: update_cache: yes @@ -35,12 +49,22 @@ line: "{{ ansible_default_ipv4.address }} {{ cthostname }} {{ domain }}" regexp: "^{{ ansible_default_ipv4.address }}" +# On créé un utilisateur si il le faut. +- name: create user {{ username }} + user: + name: "{{ username }}" + system: yes + createhome: yes + when: create_user + +# Régles de parefeu. - name: Allow SSH connexions ufw: rule: limit port: ssh proto: tcp + - name: Set logging off ufw: logging: 'off' diff --git a/roles/mastodon/README.md b/roles/mastodon/README.md new file mode 100644 index 0000000..7ee44b0 --- /dev/null +++ b/roles/mastodon/README.md @@ -0,0 +1,3 @@ +# Mastodon pour social.bim.land. + +Rbenv est installé dans le home de l'utilisateur mastodon diff --git a/roles/mastodon/defaults/main.yml b/roles/mastodon/defaults/main.yml new file mode 100644 index 0000000..c8950d0 --- /dev/null +++ b/roles/mastodon/defaults/main.yml @@ -0,0 +1,30 @@ +--- + +requiredPackages: + - imagemagick + - ffmpeg + - libpq-dev + - libxml2-dev + - libxslt1-dev + - file + - git-core + - g++ + - libprotobuf-dev + - protobuf-compiler + - pkg-config + - gcc + - autoconf + - bison + - build-essential + - libssl-dev + - libyaml-dev + - libreadline-dev + - zlib1g-dev + - libncurses5-dev + - libffi-dev + - libgdbm-dev + - libidn11-dev + - libicu-dev + - libjemalloc-dev + - redis-tools + - redis-server diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml new file mode 100644 index 0000000..c913cf1 --- /dev/null +++ b/roles/mastodon/tasks/main.yml 
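Review bot: The new "Disable ssh password authentication" task in roles/common/tasks/main.yml rewrites sshd_config and the following task reloads sshd unconditionally, while nothing in this hunk ensures the Ansible login user already has a key in authorized_keys; if it does not, the reload locks the controller out of the host. Guard the edit with `validate: "/usr/sbin/sshd -t -f %s"` on the lineinfile task so a broken config never reaches the daemon, and make the reload a handler triggered via `notify: reload sshd` rather than a task that runs on every play. With `backrefs: yes` the regexp only rewrites an existing `PasswordAuthentication yes` line (commented or not) and silently does nothing when the directive is absent, so a second lineinfile without backrefs that asserts `PasswordAuthentication no` is present would make the hardening reliable.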
@@ -0,0 +1,106 @@
+---
+
+- name: Add Yarn apt key
+ apt_key:
+ url: https://dl.yarnpkg.com/debian/pubkey.gpg
+ state: present
+
+- name: Add Yarn Repository
+ apt_repository:
+ repo: deb https://dl.yarnpkg.com/debian/ stable main
+ state: present
+
+- name: Install Yarn
+ apt:
+ name: yarn
+ state: present
+
+- name: Add Nodejs apt key
+ apt_key:
+ url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
+ state: present
+
+- name: Add Nodes 12 repository
+ apt_repository:
+ repo: deb https://deb.nodesource.com/node_12.x buster main
+ state: present
+
+- name: Install NodeJs
+ apt:
+ name: nodejs
+ state: present
+
+- name: Install required by mastodon
+ apt:
+ name: "{{ requiredPackages }}"
+ state: present
+
+- name: Install Mastodon from git
+ become: yes
+ become_user: "{{ username }}"
+ shell: |
+ cd
+ export PATH="$HOME/.rbenv/bin:$PATH"
+ eval "$(rbenv init -)"
+ git clone https://github.com/tootsuite/mastodon.git live
+ cd live
+ git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)
+ gem install bundler --no-document
+ bundle config set deployment 'true'
+ bundle config set without 'development test'
+ bundle install
+ yarn install --pure-lockfile --non-interactive
+ args:
+ executable: /bin/bash
+
+- name: ensure postgresql is running
+ service:
+ name: postgresql
+ state: restarted
+
+- name: Create postgresql Database
+ become: yes
+ become_user: postgres
+ shell: psql -c "CREATE USER mastodon CREATEDB;"
+
+- name: Copy nginx configuration
+ copy:
+ src: /home/{{ username }}/live/dist/nginx.conf
+ dest: /etc/nginx/sites-available/mastodon.conf
+ owner: root
+ group: root
+ remote_src: yes
+
+- name: Set server name in nginx configuration
+ replace:
+ path: /etc/nginx/sites-available/mastodon.conf
+ regexp: "^.*server_name example.com;"
+ replace: " server_name {{ domain }};"
+
+
+- name: Set root directory in nginx configuration
+ replace:
+ dest: /etc/nginx/sites-available/mastodon.conf
+ regexp: "^.*root /home/mastodon/live/public;"
+ replace: "root /home/{{ username}}/live/public;" + + +- name: Create a symbolic link + file: + src: /etc/nginx/sites-available/mastodon.conf + dest: /etc/nginx/sites-enabled/mastodon.conf + owner: root + group: root + state: link + +- name: Copy systemd services + shell: | + cp /home/"{{ username }}"/live/dist/mastodon-web.service /etc/systemd/system/ + cp /home/"{{ username }}"/live/dist/mastodon-sidekiq.service /etc/systemd/system/ + cp /home/"{{ username }}"/live/dist/mastodon-streaming.service /etc/systemd/system/ + +- name: Enable systemd service + shell: | + systemctl enable mastodon-web + systemctl enable mastodon-sidekiq + systemctl enable mastodon-streaming diff --git a/roles/mattermost/tasks/main.yml b/roles/mattermost/tasks/main.yml index 0d93514..d50ed3a 100644 --- a/roles/mattermost/tasks/main.yml +++ b/roles/mattermost/tasks/main.yml @@ -26,12 +26,6 @@ line: '"DataSource": "postgres://{{ db_user }}:{{ db_pass }}@127.0.0.1:5432/{{ db_name }}?sslmode=disable&connect_timeout=10",' backrefs: yes -- name: Create mattermost user - user: - name: "{{ mattermost_user }}" - system: yes - createhome: yes - - name: Change mattermost directory permissions file: path: /opt/mattermost @@ -75,7 +69,7 @@ - name: ensure user does not have unnecessary privilege become: yes - become_user: "{{ mattermost_user }}" + become_user: "{{ username }}" postgresql_user: name: "{{ db_user }}" role_attr_flags: NOSUPERUSER,NOCREATEDB diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 7f197df..9ca0d09 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -5,8 +5,10 @@ - name: install Certbot Nginx plugin apt: - name: python3-certbot-nginx - when: installCertbot == True + name: + - certbot + - python3-certbot-nginx + when: installCertbot == true - name: Allow http and https connexions ufw: diff --git a/roles/postgresql/handlers/main.yml b/roles/postgresql/handlers/main.yml index ddb5001..0d7e5b8 100644 
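Review bot: The "Install Mastodon from git" shell block in roles/mastodon/tasks/main.yml is not idempotent: a second run fails at `git clone ... live` because the directory already exists, and the same holds for `psql -c "CREATE USER mastodon CREATEDB;"` and the `cp`/`systemctl enable` shell tasks at the end of the hunk. Add `creates: /home/{{ username }}/live` under `args:` of the clone task, replace the psql call with the `postgresql_user` module the mattermost role already uses, and enable the units with the `systemd` module so a daemon-reload happens after the unit files are copied. Two smaller points: the task named "ensure postgresql is running" uses `state: restarted`, which bounces the database on every run (`state: started` matches the name), and the DB role name `mastodon` is hard-coded while the home and nginx root paths are templated from `{{ username }}`, so a different username silently diverges from the DB role. Checking out whatever `git tag -l | sort -V | tail -n 1` returns at run time also makes deployments non-reproducible; a pinned version variable next to `ruby_version` would let the play be re-run deterministically.
```yaml
- name: Install Mastodon from git
  # … unchanged: become, become_user, shell block …
  args:
    executable: /bin/bash
    creates: /home/{{ username }}/live

- name: Create postgresql role for mastodon
  become: yes
  become_user: postgres
  postgresql_user:
    name: mastodon
    role_attr_flags: CREATEDB

# … unchanged: nginx configuration, symlink, copy of unit files …

- name: Enable systemd services
  systemd:
    name: "{{ item }}"
    enabled: yes
    daemon_reload: yes
  loop:
    - mastodon-web
    - mastodon-sidekiq
    - mastodon-streaming
```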
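Review bot: Removing the "Create mattermost user" task from roles/mattermost/tasks/main.yml (the hunk at -26) moves user creation to the `create_user`-guarded task in roles/common, so every play applying this role must now set `create_user: true` and `username`; bim!chat.yml's vars are cut off in this diff and the visible part sets neither, so that play may now reach `become_user: "{{ username }}"` in the second mattermost hunk with an undefined variable. Please confirm bim!chat.yml defines both, or add a default for `username` in roles/mattermost/defaults. `mattermost_user` may still be referenced by the ownership tasks that follow line 29 outside the hunk; a grep before merging avoids a half-renamed variable.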
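Review bot: `when: installCertbot == true` in roles/nginx/tasks/main.yml works for a real boolean but not for the string "true" that arrives from `-e installCertbot=true` on the command line; `when: installCertbot | bool` handles both. The new ssl-cert role installs `python3-certbot` under the old `== True` spelling, so certbot is now installed by two roles with two conventions; decide which role owns certbot and drop the other task.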
--- a/roles/postgresql/handlers/main.yml +++ b/roles/postgresql/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: restart apache +- name: restart postgresql service: name: postgresql state: restarted diff --git a/roles/rbenv/README.md b/roles/rbenv/README.md new file mode 100644 index 0000000..e69de29 diff --git a/roles/rbenv/defaults/main.yml b/roles/rbenv/defaults/main.yml new file mode 100644 index 0000000..44dbecb --- /dev/null +++ b/roles/rbenv/defaults/main.yml @@ -0,0 +1,19 @@ +--- + +requiredPackages: + - git + - curl + - libssl-dev + - libreadline-dev + - zlib1g-dev + - autoconf + - bison + - build-essential + - libyaml-dev + - libreadline-dev + - libncurses5-dev + - libffi-dev + - libgdbm-dev + - libjemalloc-dev + +ruby_version: 2.7.0 diff --git a/roles/rbenv/emacs-27.1.core b/roles/rbenv/emacs-27.1.core new file mode 100644 index 0000000..87fe256 Binary files /dev/null and b/roles/rbenv/emacs-27.1.core differ diff --git a/roles/rbenv/files/rbenv_installer.sh b/roles/rbenv/files/rbenv_installer.sh new file mode 100644 index 0000000..f426db6 --- /dev/null +++ b/roles/rbenv/files/rbenv_installer.sh 
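Review bot: `libreadline-dev` appears twice in `requiredPackages` of roles/rbenv/defaults/main.yml; apt tolerates the duplicate but it reads as a copy-paste slip, so drop the second entry. The same commit adds the binary `roles/rbenv/emacs-27.1.core`, which by its name is an editor core dump: it carries no role content, bloats the repository, and a core file holds whatever was in process memory at crash time (open buffers, possibly credentials), so remove it and add `*.core` to .gitignore. `roles/rbenv/README.md` is added empty; either describe the role (it expects `username` and `create_user` from the play) or leave the file out.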
@@ -0,0 +1,121 @@
+#!/bin/bash
+set -e
+
+homebrew=
+type -p brew >/dev/null && homebrew=1
+
+try_bash_extension() {
+ if [ -x src/configure ]; then
+ src/configure && make -C src || {
+ echo "Optional bash extension failed to build, but things will still work normally."
+ }
+ fi
+}
+
+if ! type -p git >/dev/null; then
+ git() {
+ echo "Error: git is required to proceed. Please install git and try again." >&2
+ exit 1
+ }
+fi
+
+http() {
+ local url="$1"
+ if type -p curl >/dev/null; then
+ curl -fsSL "$url"
+ elif type -p wget >/dev/null; then
+ wget -q "$url" -O-
+ else
+ echo "Error: couldn't download file. No \`curl' or \`wget' found." >&2
+ return 1
+ fi
+}
+
+rbenv="$(command -v rbenv ~/.rbenv/bin/rbenv | head -1)"
+
+if [ -n "$rbenv" ]; then
+ echo "rbenv already seems installed in \`$rbenv'."
+ cd "${rbenv%/*}"
+
+ if [ -x ./brew ]; then
+ echo "Trying to update with Homebrew..."
+ brew update >/dev/null
+ if [ "$(./rbenv --version)" < "1.0.0" ] && brew list rbenv | grep -q rbenv/HEAD; then
+ brew uninstall rbenv
+ brew install rbenv --without-ruby-build
+ else
+ brew upgrade rbenv
+ fi
+ elif git remote -v 2>/dev/null | grep -q rbenv; then
+ echo "Trying to update with git..."
+ git pull --tags origin master
+ cd ..
+ try_bash_extension
+ fi
+else
+ if [ -n "$homebrew" ]; then
+ echo "Installing rbenv with Homebrew..."
+ brew update
+ brew install rbenv --without-ruby-build
+ rbenv="$(brew --prefix)/bin/rbenv"
+ else
+ echo "Installing rbenv with git..."
+ mkdir -p ~/.rbenv
+ cd ~/.rbenv
+ git init
+ git remote add -f -t master origin https://github.com/rbenv/rbenv.git
+ git checkout -b master origin/master
+ try_bash_extension
+ rbenv=~/.rbenv/bin/rbenv
+
+ if [ ! 
-e versions ] && [ -w /opt/rubies ]; then
+ ln -s /opt/rubies versions
+ fi
+ fi
+fi
+
+rbenv_root="$("$rbenv" root)"
+ruby_build="$(command -v "$rbenv_root"/plugins/*/bin/rbenv-install rbenv-install | head -1)"
+
+echo
+if [ -n "$ruby_build" ]; then
+ echo "\`rbenv install' command already available in \`$ruby_build'."
+ cd "${ruby_build%/*}"
+
+ if [ -x ./brew ]; then
+ echo "Trying to update with Homebrew..."
+ brew update >/dev/null
+ brew upgrade ruby-build
+ elif git remote -v 2>/dev/null | grep -q ruby-build; then
+ echo "Trying to update with git..."
+ git pull origin master
+ fi
+else
+ if [ -n "$homebrew" ]; then
+ echo "Installing ruby-build with Homebrew..."
+ brew update
+ brew install ruby-build
+ else
+ echo "Installing ruby-build with git..."
+ mkdir -p "${rbenv_root}/plugins"
+ git clone https://github.com/rbenv/ruby-build.git "${rbenv_root}/plugins/ruby-build"
+ fi
+fi
+
+# Enable caching of rbenv-install downloads
+mkdir -p "${rbenv_root}/cache"
+
+echo
+echo "Running doctor script to verify installation..."
+http https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-doctor | "$BASH"
+
+echo
+echo "All done!"
+echo "Note that this installer doesn't yet configure your shell startup files:"
+i=0
+if [ -x ~/.rbenv/bin ]; then
+ echo "$((++i)). You'll want to ensure that \`~/.rbenv/bin' is added to PATH."
+fi
+echo "$((++i)). Run \`rbenv init' to see instructions how to configure rbenv for your shell."
+echo "$((++i)). Launch a new terminal window to verify that the configuration is correct."
+echo
diff --git a/roles/rbenv/tasks/main.yml b/roles/rbenv/tasks/main.yml
new file mode 100644
index 0000000..fe1dcbd
--- /dev/null
+++ b/roles/rbenv/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Install Package Required by rbenv
+ apt:
+ name: "{{ requiredPackages }}"
+ state: present
+
+- name: Copy rbenv installer
+ become: yes
+ become_user: "{{ username }}"
+ copy:
+ src: rbenv_installer.sh
+ dest: rbenv_installer.sh
+ owner: "{{ username }}"
+ group: "{{ username }}"
+ mode: 0755
+ when: create_user
+
+- name: Install rbenv
+ become: yes
+ become_user: "{{ username }}"
+ shell: |
+ git clone https://github.com/rbenv/rbenv.git ~/.rbenv
+ cd ~/.rbenv && src/configure && make -C src
+ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
+ echo 'eval "$(rbenv init -)"' >> ~/.bashrc
+ git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
+ when: create_user
+
+- name: Install ruby "{{ ruby_version }}"
+ become: yes
+ become_user: "{{ username }}"
+ shell: |
+ cd ~
+ export PATH="$HOME/.rbenv/bin:$PATH"
+ eval "$(rbenv init -)"
+ RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install "{{ ruby_version }}"
+ rbenv global "{{ ruby_version }}"
+ args:
+ executable: /bin/bash
+ when: create_user
diff --git a/roles/ssl-cert/defaults/main.yml b/roles/ssl-cert/defaults/main.yml
new file mode 100644
index 0000000..21225bf
--- /dev/null
+++ b/roles/ssl-cert/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+installcertbot: false
diff --git a/roles/ssl-cert/tasks/main.yml b/roles/ssl-cert/tasks/main.yml
new file mode 100644
index 0000000..07c1e16
--- /dev/null
+++ b/roles/ssl-cert/tasks/main.yml
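Review bot: The "Install rbenv" shell task in roles/rbenv/tasks/main.yml runs `git clone` into `~/.rbenv` and appends two lines to `~/.bashrc` with no guard, so a second run of the play fails on the clone (directory exists) and would otherwise duplicate the bashrc lines; add `args: creates: /home/{{ username }}/.rbenv` to the task and guard the ruby-build clone the same way. The "Copy rbenv installer" task copies rbenv_installer.sh to a relative `dest`, which resolves against the remote session's working directory rather than necessarily `{{ username }}`'s home, and no task in this diff ever executes the script; since the script, when run, fetches rbenv-doctor from GitHub and pipes it straight into bash, either delete the copy task or run the installer deliberately with that step reviewed. Quote the file mode as `mode: '0755'`: the bare `0755` is parsed as an integer by YAML before Ansible sees it, and the intended octal value is then a matter of interpretation.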
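Review bot: The default in roles/ssl-cert/defaults/main.yml is spelled `installcertbot`, but every task in roles/ssl-cert/tasks/main.yml tests `installCertbot` and the plays set `installCertbot`; Ansible variable names are case-sensitive, so this default never applies and a play that omits the variable fails on an undefined variable at the first `when`. Rename it to `installCertbot: false`.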
@@ -0,0 +1,25 @@
+---
+- name: Install openssl
+ apt:
+ name: openssl
+ state: present
+
+- name: install Certbot Nginx plugin
+ apt:
+ name: python3-certbot
+ when: installCertbot == True
+
+- name: Create Directory for Domain self-signed
+ file:
+ path: /etc/ssl/{{ domain }}
+ state: directory
+ mode: '0755'
+ when: installCertbot == False
+
+- name: Create self-signed certificate, if configured.
+ shell: "openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 365 -newkey rsa:4096 -sha256 -keyout /etc/server/{{ domain }}/server.key -out /etc/server/{{ domain }}/server.crt"
+ when: installCertbot == False
+
+- name: Create self-signed certificate, if configured.
+ shell: "certbot -certonly -d {{ domain }} --nginx -m contact@bim.land --agree-tos"
+ when: installCertbot == True
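Review bot: The self-signed branch of roles/ssl-cert/tasks/main.yml creates `/etc/ssl/{{ domain }}` but writes the key and certificate to `/etc/server/{{ domain }}/`, a directory no task creates, so openssl fails on a fresh host; the two paths must agree. The certbot task passes `-certonly` (single dash) instead of the `certonly` subcommand, hard-codes `contact@bim.land` where the plays already provide `{{ email }}`, and reuses the task name "Create self-signed certificate, if configured." for a step that is not self-signed, which makes play output misleading. Neither shell task is idempotent and the generated server.key is left with default permissions; the rewrite below adds `creates:` guards, a `0600` mode on the key, and `installCertbot | bool` conditions to match the nginx role.
```yaml
- name: Create Directory for Domain self-signed
  file:
    path: /etc/ssl/{{ domain }}
    state: directory
    mode: '0755'
  when: not installCertbot | bool

- name: Create self-signed certificate, if configured.
  shell: "openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 365 -newkey rsa:4096 -sha256 -keyout /etc/ssl/{{ domain }}/server.key -out /etc/ssl/{{ domain }}/server.crt"
  args:
    creates: /etc/ssl/{{ domain }}/server.crt
  when: not installCertbot | bool

- name: Restrict self-signed private key permissions
  file:
    path: /etc/ssl/{{ domain }}/server.key
    mode: '0600'
  when: not installCertbot | bool

- name: Obtain certificate with certbot, if configured.
  shell: "certbot certonly --nginx -d {{ domain }} -m {{ email }} --agree-tos --non-interactive"
  args:
    creates: /etc/letsencrypt/live/{{ domain }}/fullchain.pem
  when: installCertbot | bool
```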