From 5a211c975a2f58af015e316430ede3bc1a9cc5da Mon Sep 17 00:00:00 2001 
From: Darks Date: Thu, 10 Sep 2020 21:56:13 +0200 Subject: [PATCH] Refactoring - moved inventory - add some variables - splitted files and templates - added role grafana - add a play 'all' --- README.md | 29 +- all.yml | 13 + .../host_vars/aperture-labs.yml | 16 + inventory.yml => inventory/main.yml | 1 + monitoring.yml | 12 + roles/grafana/tasks/main.yml | 17 + roles/grafana/templates/grafana.ini | 517 ++++++++++++++++++ roles/iptables/tasks/main.yml | 4 +- roles/nginx/tasks/main.yml | 10 +- .../sites-available/000-default.conf | 0 .../sites-available/bible.conf | 0 .../sites-available/creativecalc.conf | 0 .../sites-available/gitea.conf | 6 +- .../sites-available/grafana.conf | 6 +- .../sites-available/mumbleweb.conf | 8 +- .../sites-available/p7.conf | 0 .../sites-available/pc-dev.conf | 0 .../sites-available/pc.conf | 0 roles/nginx/vars/main.yml | 9 - roles/ssh/tasks/main.yml | 2 +- roles/uwsgi/tasks/main.yml | 11 +- roles/uwsgi/vars/main.yml | 2 - 22 files changed, 612 insertions(+), 51 deletions(-) create mode 100644 all.yml rename roles/ssh/vars/main.yml => inventory/host_vars/aperture-labs.yml (56%) rename inventory.yml => inventory/main.yml (89%) create mode 100644 monitoring.yml create mode 100644 roles/grafana/tasks/main.yml create mode 100644 roles/grafana/templates/grafana.ini rename roles/nginx/{files => templates}/sites-available/000-default.conf (100%) rename roles/nginx/{files => templates}/sites-available/bible.conf (100%) rename roles/nginx/{files => templates}/sites-available/creativecalc.conf (100%) rename roles/nginx/{files => templates}/sites-available/gitea.conf (93%) rename roles/nginx/{files => templates}/sites-available/grafana.conf (91%) rename roles/nginx/{files => templates}/sites-available/mumbleweb.conf (76%) rename roles/nginx/{files => templates}/sites-available/p7.conf (100%) rename roles/nginx/{files => templates}/sites-available/pc-dev.conf (100%) rename roles/nginx/{files => templates}/sites-available/pc.conf (100%) delete mode 
100644 roles/nginx/vars/main.yml delete mode 100644 roles/uwsgi/vars/main.yml diff --git a/README.md b/README.md index 3d668ab..ab68c33 100644 --- a/README.md +++ b/README.md @@ -16,28 +16,23 @@ Usually, it looks like this: ``` # Dummy try with --check -ansible-playbook -i inventory.yml role.yml -v --diff --check --ask-become-pass +ansible-playbook -i inventory/main.yml role.yml -vv --diff --check --ask-become-pass # Real try -ansible-playbook -i inventory.yml role.yml -v --ask-become-pass +ansible-playbook -i inventory/main.yml role.yml -v --ask-become-pass ``` -The file `inventory.yml` already contains an host: the main VPS, `aperture-labs`. +The file `inventory/main.yml` already contains an host: the main VPS, `aperture-labs`. See [Configuration](#Configuration) to add the host to your SSH config. -## Existing roles +## Variables -### Nginx +Variables are defined in `inventory/host_vars/aperture-labs.yml`. +They can be overriden, see [the documentation](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable). -**Update the nginx configuration, reload the service** +They may be mandatory for execution of roles. -| Variable name | Mandatory | Comment | -|------------------|-----------|----------------------------------------------| -| sites_enabled | yes | List of sites to enable from sites-available | - -### Uwsgi - -**Update the uwsgi configuration, restart the service** - -| Variable name | Mandatory | Comment | -|------------------|-----------|----------------------------------------------| -| environments | yes | List of environments to restart | +| Variable name | Comment | +|------------------|----------------------------------------------| +| sites_enabled | List of sites to enable from sites-available | +| proxy_ports | List of ports to use with proxy_pass | +| allowed_users | List of users allowed to login through SSH | 
diff --git a/all.yml b/all.yml new file mode 100644 index 0000000..13ef194 --- /dev/null +++ b/all.yml @@ -0,0 +1,13 @@ +--- +- name: Run all roles + hosts: all + become: yes + become_user: root + become_method: sudo + + roles: + - grafana + - iptables + - nginx + - ssh + - uwsgi diff --git a/roles/ssh/vars/main.yml b/inventory/host_vars/aperture-labs.yml similarity index 56% rename from roles/ssh/vars/main.yml rename to inventory/host_vars/aperture-labs.yml index 72430be..5d64603 100644 --- a/roles/ssh/vars/main.yml +++ b/inventory/host_vars/aperture-labs.yml @@ -1,3 +1,19 @@ +--- +sites_enabled: + - "000-default" + - "bible" + - "creativecalc" + - "gitea" + - "grafana" + - "mumbleweb" + - "p7" + - "pc-dev" + +proxy_ports: + grafana: 3000 + gitea: 3001 + mumbleweb: 64737 + allowed_users: - "breizh" - "cake" diff --git a/inventory.yml b/inventory/main.yml similarity index 89% rename from inventory.yml rename to inventory/main.yml index 66b946f..0510e99 100644 --- a/inventory.yml +++ b/inventory/main.yml @@ -1 +1,2 @@ +[vps] aperture-labs # Add an entry in your ~/.ssh/config diff --git a/monitoring.yml b/monitoring.yml new file mode 100644 index 0000000..877ac0b --- /dev/null +++ b/monitoring.yml @@ -0,0 +1,12 @@ +--- +- name: Update monitoring configuration + hosts: all + become: yes + become_user: root + become_method: sudo + + roles: + - grafana + - telegraf + - influxdb + - goaccess diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml new file mode 100644 index 0000000..18ce420 --- /dev/null +++ b/roles/grafana/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: "Install Grafana" + pacman: + name: "grafana" + state: present + +- name: "Copy ini file" + template: + src: 'grafana.ini' + dest: '/etc/' + owner: 'grafana' + mode: 0644 + +- name: "Restarting grafana" + service: + name: "grafana" + state: restarted diff --git a/roles/grafana/templates/grafana.ini b/roles/grafana/templates/grafana.ini new file mode 100644 index 0000000..a40f336 
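Review bot: `become: yes` in all.yml (and the same line in monitoring.yml in this commit) uses a YAML 1.1 truthy spelling that ansible-lint flags; the canonical form is `become: true`. `become_user: root` and `become_method: sudo` are Ansible's defaults and can be dropped, leaving just `become: true`. The inventory hunk introduces a `[vps]` group, yet both new plays target `hosts: all`; targeting `hosts: vps` keeps a future second host from receiving the VPS's nginx/grafana/uwsgi roles by accident.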
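Review bot: monitoring.yml lists the roles telegraf, influxdb and goaccess, but only roles/grafana is created in this commit and none of the others appear in the diffstat; unless they already exist in the repository, the play fails at role resolution before any task runs. Either add those roles in the same change or keep the play to the roles that exist, i.e. `roles:` followed by `- grafana` only, until the others land.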
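Review bot: The "Copy ini file" task in roles/grafana/tasks/main.yml writes grafana.ini with `mode: 0644`, i.e. world-readable, although this is the file where secret_key, admin_password and the database/SMTP passwords live once they are filled in. `owner: 'grafana'` plus `group: 'grafana'` and `mode: '0640'` keeps it readable by the service only (assuming the package creates a matching group); quoting the mode also avoids the YAML octal ambiguity. The final task restarts Grafana unconditionally on every run; `notify: Restart grafana` on the template task with a matching handler restarts only when the rendered file changes. The task name says copy but the module is `template`, so `name: "Render grafana.ini"` describes it better.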
--- /dev/null +++ b/roles/grafana/templates/grafana.ini 
@@ -0,0 +1,517 @@ +##################### Grafana Configuration Example ##################### +# +# Everything has defaults so you only need to uncomment things you want to +# change + +# possible values : production, development +;app_mode = production + +# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty +;instance_name = ${HOSTNAME} + +#################################### Paths #################################### +[paths] +# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used) +;data = /var/lib/grafana + +# Temporary files in `data` directory older than given duration will be removed +;temp_data_lifetime = 24h + +# Directory where grafana can store logs +;logs = /var/log/grafana + +# Directory where grafana will automatically scan and look for plugins +;plugins = /var/lib/grafana/plugins + +# folder that contains provisioning config files that grafana will apply on startup and while running. +;provisioning = conf/provisioning + +#################################### Server #################################### +[server] +# Protocol (http, https, socket) +;protocol = http + +# The ip address to bind to, empty will bind to all interfaces +http_addr = 127.0.0.1 + +# The http port to use +http_port = {{ proxy_ports.grafana | mandatory }} + +# The public facing domain name used to access grafana from a browser +domain = grafana.planet-casio.com + +# Redirect to correct domain if host header does not match domain +# Prevents DNS rebinding attacks +;enforce_domain = false + +# The full public facing url you use in browser, used for redirects and emails +# If you use reverse proxy and sub path specify full url (with sub path) +root_url = https://grafana.planet-casio.com + +# Log web requests +;router_logging = false + +# the path relative working path +;static_root_path = public + +# enable gzip +;enable_gzip = false + +# https certs & key file +;cert_file = +;cert_key = + +# Unix 
socket path +;socket = + +#################################### Database #################################### +[database] +# You can configure the database connection by specifying type, host, name, user and password +# as separate properties or as on string using the url properties. + +# Either "mysql", "postgres" or "sqlite3", it's your choice +;type = sqlite3 +;host = 127.0.0.1:3306 +;name = grafana +;user = root +# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" +;password = + +# Use either URL or the previous fields to configure the database +# Example: mysql://user:secret@host:port/database +;url = + +# For "postgres" only, either "disable", "require" or "verify-full" +;ssl_mode = disable + +# For "sqlite3" only, path relative to data_path setting +;path = grafana.db + +# Max idle conn setting default is 2 +;max_idle_conn = 2 + +# Max conn setting default is 0 (mean not set) +;max_open_conn = + +# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours) +;conn_max_lifetime = 14400 + +# Set to true to log the sql calls and execution times. +log_queries = + +# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared) +;cache_mode = private + +#################################### Session #################################### +[session] +# Either "memory", "file", "redis", "mysql", "postgres", default is "file" +;provider = file + +# Provider config options +# memory: not have any config yet +# file: session dir path, is relative to grafana data_path +# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana` +# mysql: go-sql-driver/mysql dsn config string, e.g. 
`user:password@tcp(127.0.0.1:3306)/database_name` +# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable +;provider_config = sessions + +# Session cookie name +;cookie_name = grafana_sess + +# If you use session in https only, default is false +cookie_secure = true + +# Session life time, default is 86400 +;session_life_time = 86400 + +#################################### Data proxy ########################### +[dataproxy] + +# This enables data proxy logging, default is false +;logging = false + +# How long the data proxy should wait before timing out default is 30 (seconds) +;timeout = 30 + +#################################### Analytics #################################### +[analytics] +# Server reporting, sends usage counters to stats.grafana.org every 24 hours. +# No ip addresses are being tracked, only simple counters to track +# running instances, dashboard and error counts. It is very helpful to us. +# Change this option to false to disable reporting. +;reporting_enabled = true + +# Set to false to disable all checks to https://grafana.net +# for new vesions (grafana itself and plugins), check is used +# in some UI views to notify that grafana or plugin update exists +# This option does not cause any auto updates, nor send any information +# only a GET request to http://grafana.com to get latest versions +;check_for_updates = true + +# Google Analytics universal tracking code, only enabled if you specify an id here +;google_analytics_ua_id = + +# Google Tag Manager ID, only enabled if you specify an id here +;google_tag_manager_id = + +#################################### Security #################################### +[security] +# default admin user, created on startup +; admin_user = admin + +# default admin password, can be changed before first start of grafana, or in profile settings +;admin_password = admin + +# used for signing +;secret_key = SW2YcwTIb9zpOOhoPsMm + +# disable gravatar profile images +;disable_gravatar = false 
+ +# data source proxy whitelist (ip_or_domain:port separated by spaces) +;data_source_proxy_whitelist = + +# disable protection against brute force login attempts +;disable_brute_force_login_protection = false + +# set to true if you host Grafana behind HTTPS. default is false. +cookie_secure = true + +# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none" +;cookie_samesite = lax + +#################################### Snapshots ########################### +[snapshots] +# snapshot sharing options +;external_enabled = true +;external_snapshot_url = https://snapshots-origin.raintank.io +;external_snapshot_name = Publish to snapshot.raintank.io + +# remove expired snapshot +;snapshot_remove_expired = true + +#################################### Dashboards History ################## +[dashboards] +# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1 +;versions_to_keep = 20 + +#################################### Users ############################### +[users] +# disable user signup / registration +;allow_sign_up = true + +# Allow non admin users to create organizations +;allow_org_create = true + +# Set to true to automatically assign new users to the default organization (id 1) +;auto_assign_org = true + +# Default role new users will be automatically assigned (if disabled above is set to true) +;auto_assign_org_role = Viewer + +# Background text for the user field on the login page +;login_hint = email or username + +# Default UI theme ("dark" or "light") +;default_theme = dark + +# External user management, these options affect the organization users view +;external_manage_link_url = +;external_manage_link_name = +;external_manage_info = + +# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard. 
+;viewers_can_edit = false + +[auth] +# Login cookie name +;login_cookie_name = grafana_session + +# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days, +;login_maximum_inactive_lifetime_days = 7 + +# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days. +;login_maximum_lifetime_days = 30 + +# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes. +;token_rotation_interval_minutes = 10 + +# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false +;disable_login_form = false + +# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false +;disable_signout_menu = false + +# URL to redirect the user to after sign out +;signout_redirect_url = + +# Set to true to attempt login with OAuth automatically, skipping the login screen. +# This setting is ignored if multiple OAuth providers are configured. +;oauth_auto_login = false + +#################################### Anonymous Auth ###################### +[auth.anonymous] +# enable anonymous access +;enabled = false + +# specify organization name that should be used for unauthenticated users +;org_name = Main Org. 
+ +# specify role for unauthenticated users +;org_role = Viewer + +#################################### Github Auth ########################## +[auth.github] +;enabled = false +;allow_sign_up = true +;client_id = some_id +;client_secret = some_secret +;scopes = user:email,read:org +;auth_url = https://github.com/login/oauth/authorize +;token_url = https://github.com/login/oauth/access_token +;api_url = https://api.github.com/user +;team_ids = +;allowed_organizations = + +#################################### Google Auth ########################## +[auth.google] +;enabled = false +;allow_sign_up = true +;client_id = some_client_id +;client_secret = some_client_secret +;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email +;auth_url = https://accounts.google.com/o/oauth2/auth +;token_url = https://accounts.google.com/o/oauth2/token +;api_url = https://www.googleapis.com/oauth2/v1/userinfo +;allowed_domains = + +#################################### Generic OAuth ########################## +[auth.generic_oauth] +;enabled = false +;name = OAuth +;allow_sign_up = true +;client_id = some_id +;client_secret = some_secret +;scopes = user:email,read:org +;auth_url = https://foo.bar/login/oauth/authorize +;token_url = https://foo.bar/login/oauth/access_token +;api_url = https://foo.bar/user +;team_ids = +;allowed_organizations = +;tls_skip_verify_insecure = false +;tls_client_cert = +;tls_client_key = +;tls_client_ca = + +; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header +; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload +;send_client_credentials_via_post = false + +#################################### Grafana.com Auth #################### +[auth.grafana_com] +;enabled = false +;allow_sign_up = true +;client_id = some_id +;client_secret = some_secret +;scopes = user:email 
+;allowed_organizations = + +#################################### Auth Proxy ########################## +[auth.proxy] +;enabled = false +;header_name = X-WEBAUTH-USER +;header_property = username +;auto_sign_up = true +;ldap_sync_ttl = 60 +;whitelist = 192.168.1.1, 192.168.2.1 +;headers = Email:X-User-Email, Name:X-User-Name + +#################################### Basic Auth ########################## +[auth.basic] +;enabled = true + +#################################### Auth LDAP ########################## +[auth.ldap] +;enabled = false +;config_file = /etc/grafana/ldap.toml +;allow_sign_up = true + +#################################### SMTP / Emailing ########################## +[smtp] +enabled = true +host = localhost:25 +;user = +# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;""" +;password = +;cert_file = +;key_file = +;skip_verify = false +from_address = grafana@planet-casio.com +from_name = "Grafana" +# EHLO identity in SMTP dialog (defaults to instance_name) +; ehlo_identity = + +[emails] +;welcome_email_on_sign_up = false + +#################################### Logging ########################## +[log] +# Either "console", "file", "syslog". Default is console and file +# Use space to separate multiple modes, e.g. "console file" +;mode = console file + +# Either "debug", "info", "warn", "error", "critical", default is "info" +;level = info + +# optional settings to set different levels for specific loggers. 
Ex filters = sqlstore:debug +;filters = + +# For "console" mode only +[log.console] +;level = + +# log line format, valid options are text, console and json +;format = console + +# For "file" mode only +[log.file] +;level = + +# log line format, valid options are text, console and json +;format = text + +# This enables automated log rotate(switch of following options), default is true +;log_rotate = true + +# Max line number of single file, default is 1000000 +;max_lines = 1000000 + +# Max size shift of single file, default is 28 means 1 << 28, 256MB +;max_size_shift = 28 + +# Segment log daily, default is true +;daily_rotate = true + +# Expired days of log file(delete after max days), default is 7 +;max_days = 7 + +[log.syslog] +;level = + +# log line format, valid options are text, console and json +;format = text + +# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used. +;network = +;address = + +# Syslog facility. user, daemon and local0 through local7 are valid. +;facility = + +# Syslog tag. By default, the process' argv[0] is used. +;tag = + +#################################### Alerting ############################ +[alerting] +# Disable alerting engine & UI features +;enabled = true +# Makes it possible to turn off alert rule execution but alerting UI is visible +;execute_alerts = true + +# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state) +;error_or_timeout = alerting + +# Default setting for how Grafana handles nodata or null values in alerting. 
(alerting, no_data, keep_state, ok) +;nodata_or_nullvalues = no_data + +# Alert notifications can include images, but rendering many images at the same time can overload the server +# This limit will protect the server from render overloading and make sure notifications are sent out quickly +;concurrent_render_limit = 5 + +#################################### Explore ############################# +[explore] +# Enable the Explore section +;enabled = true + +#################################### Internal Grafana Metrics ########################## +# Metrics available at HTTP API Url /metrics +[metrics] +# Disable / Enable internal metrics +;enabled = true + +# Publish interval +;interval_seconds = 10 + +# Send internal metrics to Graphite +[metrics.graphite] +# Enable by setting the address setting (ex localhost:2003) +;address = +;prefix = prod.grafana.%(instance_name)s. + +#################################### Distributed tracing ############ +[tracing.jaeger] +# Enable by setting the address sending traces to jaeger (ex localhost:6831) +;address = localhost:6831 +# Tag that will always be included in when creating new spans. 
ex (tag1:value1,tag2:value2) +;always_included_tag = tag1:value1 +# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote +;sampler_type = const +# jaeger samplerconfig param +# for "const" sampler, 0 or 1 for always false/true respectively +# for "probabilistic" sampler, a probability between 0 and 1 +# for "rateLimiting" sampler, the number of spans per second +# for "remote" sampler, param is the same as for "probabilistic" +# and indicates the initial sampling rate before the actual one +# is received from the mothership +;sampler_param = 1 + +#################################### Grafana.com integration ########################## +# Url used to import dashboards directly from Grafana.com +[grafana_com] +;url = https://grafana.com + +#################################### External image storage ########################## +[external_image_storage] +# Used for uploading images to public servers so they can be included in slack/email messages. +# you can choose between (s3, webdav, gcs, azure_blob, local) +;provider = + +[external_image_storage.s3] +;bucket = +;region = +;path = +;access_key = +;secret_key = + +[external_image_storage.webdav] +;url = +;public_url = +;username = +;password = + +[external_image_storage.gcs] +;key_file = +;bucket = +;path = + +[external_image_storage.azure_blob] +;account_name = +;account_key = +;container_name = + +[external_image_storage.local] +# does not require any configuration + +[rendering] +# Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer +;server_url = +;callback_url = + +[enterprise] +# Path to a valid Grafana Enterprise license.jwt file +;license_path = + +[panels] +;enable_alpha = false +# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities. +;disable_sanitize_html = false 
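Review bot: The rendered grafana.ini leaves `;secret_key = SW2YcwTIb9zpOOhoPsMm` commented out, so the instance signs with the publicly documented default key (Grafana also uses it to encrypt stored data-source secrets); since the file is already a Jinja template, set it from a vaulted variable, e.g. `secret_key = {{ grafana_secret_key | mandatory }}` (constructed variable name), and treat `admin_password` the same way. `domain` and `root_url` are set but `;enforce_domain = false` is kept, so the DNS-rebinding protection the comment describes stays off; `enforce_domain = true` should be safe here because grafana.conf passes `Host $host` through to Grafana. `[users] allow_sign_up` stays at its default of true on a public hostname; set `allow_sign_up = false` unless self-registration is intended. `log_queries =` under [database] is uncommented with an empty value where the upstream example keeps it commented; either drop the line or give it an explicit value.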
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 34a61dc..45fe9a0 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -5,14 +5,14 @@ state: present - name: "Copy rules" - template: + file: src: '{{ item }}' dest: '/etc/iptables/' owner: 'root' mode: 0644 with_fileglob: '*.rules' -- name: "Restarting iptables" +- name: "Reloading iptables" service: name: "iptables" state: reloaded diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index c54fb79..7a65eac 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -14,7 +14,7 @@ - "sites-enabled" - name: "Copy common files" - copy: + file: src: '{{ item }}' dest: '/etc/nginx/' owner: 'root' @@ -22,7 +22,7 @@ with_fileglob: '*.conf' - name: "Copy conf.d" - copy: + file: src: '{{ item }}' dest: '/etc/nginx/sites-available/' owner: 'root' @@ -30,12 +30,12 @@ with_fileglob: 'conf.d/*.conf' - name: "Copy sites-available" - copy: + template: src: '{{ item }}' dest: '/etc/nginx/sites-available/' owner: 'root' mode: 0644 - with_fileglob: 'sites-available/*.conf' + with_fileglob: '../templates/sites-available/*.conf' - name: "Enable sites" file: @@ -44,7 +44,7 @@ state: link loop: "{{ sites_enabled }}" -- name: "Restarting nginx" +- name: "Reloading nginx" service: name: "nginx" state: reloaded diff --git a/roles/nginx/files/sites-available/000-default.conf b/roles/nginx/templates/sites-available/000-default.conf similarity index 100% rename from roles/nginx/files/sites-available/000-default.conf rename to roles/nginx/templates/sites-available/000-default.conf diff --git a/roles/nginx/files/sites-available/bible.conf b/roles/nginx/templates/sites-available/bible.conf similarity index 100% rename from roles/nginx/files/sites-available/bible.conf rename to roles/nginx/templates/sites-available/bible.conf 
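Review bot: Switching "Copy rules" from `template:` to `file:` breaks the task: the file module never transfers content, its `src` is only honoured with `state: link`/`state: hard`, and with no `state` given it only adjusts attributes of an existing path, so it will most likely fail on `dest: '/etc/iptables/'` being a directory and the rules never reach the host. Use `copy:` here; the rule files are not templated and `with_fileglob: '*.rules'` already resolves against the role's files/ directory. The "Copy common files" and "Copy conf.d" hunks in roles/nginx/tasks/main.yml make the same `copy:` → `file:` change and need the same fix. The "Reloading iptables" rename is fine, but the task still runs unconditionally; notifying a handler from the copy task would reload only on change.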
diff --git a/roles/nginx/files/sites-available/creativecalc.conf b/roles/nginx/templates/sites-available/creativecalc.conf similarity index 100% rename from roles/nginx/files/sites-available/creativecalc.conf rename to roles/nginx/templates/sites-available/creativecalc.conf diff --git a/roles/nginx/files/sites-available/gitea.conf b/roles/nginx/templates/sites-available/gitea.conf similarity index 93% rename from roles/nginx/files/sites-available/gitea.conf rename to roles/nginx/templates/sites-available/gitea.conf index a98d7da..a89916e 100644 --- a/roles/nginx/files/sites-available/gitea.conf +++ b/roles/nginx/templates/sites-available/gitea.conf @@ -3,7 +3,7 @@ server { listen *:80; server_name gitea.planet-casio.com git.planet-casio.com; - + include common.conf; access_log /var/log/nginx/gitea_access.log; @@ -19,7 +19,7 @@ server { listen *:443 ssl http2; server_name gitea.planet-casio.com git.planet-casio.com; - + include common.conf; include ssl.conf; @@ -36,6 +36,6 @@ server { location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_pass http://127.0.0.1:3001; + proxy_pass http://127.0.0.1:{{ proxy_ports.gitea | mandatory }}; } } diff --git a/roles/nginx/files/sites-available/grafana.conf b/roles/nginx/templates/sites-available/grafana.conf similarity index 91% rename from roles/nginx/files/sites-available/grafana.conf rename to roles/nginx/templates/sites-available/grafana.conf index 641fa12..aac0730 100644 --- a/roles/nginx/files/sites-available/grafana.conf +++ b/roles/nginx/templates/sites-available/grafana.conf @@ -3,7 +3,7 @@ server { listen *:80; server_name grafana.planet-casio.com; - + include common.conf; access_log /var/log/nginx/grafana_access.log; @@ -19,7 +19,7 @@ server { listen *:443 ssl http2; server_name grafana.planet-casio.com; - + include common.conf; include ssl.conf; 
@@ -32,6 +32,6 @@ server { location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_pass http://127.0.0.1:3000; + proxy_pass http://127.0.0.1:{{ proxy_ports.grafana | mandatory }}; } } diff --git a/roles/nginx/files/sites-available/mumbleweb.conf b/roles/nginx/templates/sites-available/mumbleweb.conf similarity index 76% rename from roles/nginx/files/sites-available/mumbleweb.conf rename to roles/nginx/templates/sites-available/mumbleweb.conf index 66b60c0..5164ddb 100644 --- a/roles/nginx/files/sites-available/mumbleweb.conf +++ b/roles/nginx/templates/sites-available/mumbleweb.conf @@ -3,7 +3,7 @@ server { listen *:80; server_name mumble.planet-casio.com; - + include common.conf; access_log /var/log/nginx/mumbleweb_access.log; @@ -23,8 +23,8 @@ server { include common.conf; include ssl.conf; - ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem; - ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem; + ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem; + ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem; access_log /var/log/nginx/mumbleweb_access.log; error_log /var/log/nginx/mumbleweb_error.log; @@ -37,7 +37,7 @@ server { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - proxy_pass http://localhost:64737; + proxy_pass http://localhost:{{ proxy_ports.mumbleweb | mandatory }}; } } diff --git a/roles/nginx/files/sites-available/p7.conf b/roles/nginx/templates/sites-available/p7.conf similarity index 100% rename from roles/nginx/files/sites-available/p7.conf rename to roles/nginx/templates/sites-available/p7.conf diff --git a/roles/nginx/files/sites-available/pc-dev.conf b/roles/nginx/templates/sites-available/pc-dev.conf similarity index 100% rename from roles/nginx/files/sites-available/pc-dev.conf rename to roles/nginx/templates/sites-available/pc-dev.conf 
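Review bot: The templated mumbleweb proxy_pass keeps `http://localhost:{{ proxy_ports.mumbleweb | mandatory }}` while the gitea and grafana templates in this commit use `127.0.0.1`; nginx resolves `localhost` at load time and, where /etc/hosts maps it to both ::1 and 127.0.0.1, balances across both addresses, which gives intermittent failures for a backend bound to IPv4 only. Since the line is being rewritten anyway, `proxy_pass http://127.0.0.1:{{ proxy_ports.mumbleweb | mandatory }};` makes the three templates consistent.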
diff --git a/roles/nginx/files/sites-available/pc.conf b/roles/nginx/templates/sites-available/pc.conf similarity index 100% rename from roles/nginx/files/sites-available/pc.conf rename to roles/nginx/templates/sites-available/pc.conf diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml deleted file mode 100644 index da02ab1..0000000 --- a/roles/nginx/vars/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -sites_enabled: - - "000-default" - - "bible" - - "creativecalc" - - "gitea" - - "grafana" - - "mumbleweb" - - "p7" - - "pc-dev" diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml index 5a407e4..010c479 100644 --- a/roles/ssh/tasks/main.yml +++ b/roles/ssh/tasks/main.yml @@ -11,7 +11,7 @@ owner: 'root' mode: 0644 -- name: "Restarting sshd" +- name: "Reloading sshd" service: name: "sshd" state: reloaded diff --git a/roles/uwsgi/tasks/main.yml b/roles/uwsgi/tasks/main.yml index b0de8d4..68bf0d2 100644 --- a/roles/uwsgi/tasks/main.yml +++ b/roles/uwsgi/tasks/main.yml @@ -6,22 +6,23 @@ - name: "Copy ini files" copy: - src: '{{ item }}' + src: '{{ item }}.ini' dest: '/etc/uwsgi/' owner: 'root' mode: 0644 - with_fileglob: '*.ini' + loop: "{{ sites_enabled }}" + when: item in ["pc", "pc-dev"] - name: "Copy systemd service" copy: - src: '{{ item }}' + src: 'uwsgi@.service' dest: '/etc/systemd/system/' owner: 'root' mode: 0644 - with_fileglob: '*.service' - name: "Restarting uwsgi" service: name: "uwsgi@{{ item }}" state: restarted - loop: "{{ environments }}" + loop: "{{ sites_enabled }}" + when: item in ["pc", "pc-dev"] diff --git a/roles/uwsgi/vars/main.yml b/roles/uwsgi/vars/main.yml deleted file mode 100644 index 04b4100..0000000 --- a/roles/uwsgi/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -environments: - - "pc-dev"
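Review bot: The selection `when: item in ["pc", "pc-dev"]` is hard-coded twice in roles/uwsgi/tasks/main.yml and silently skips every other entry of `sites_enabled`; it replaces the deleted `environments` variable with a role-internal constant, which works against the commit's own goal of moving configuration into host_vars. Loop over the intersection once, `loop: "{{ sites_enabled | intersect(['pc', 'pc-dev']) }}"`, or better restore a host variable such as `uwsgi_environments` (constructed name) and loop over it in both tasks. The "Restarting uwsgi" task still restarts the services on every run; notifying a handler from the "Copy ini files" task restarts only when an ini file actually changes.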