From 364d9428d81ac1e698ee9184ec5141adf592c9e1 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 13 Nov 2020 17:32:43 +0100
Subject: [PATCH] web_plk: new role (on technetium.binary-kitchen.net)

---
 group_vars/all/vars.yml | 5 ++
 group_vars/all/vault.yml | 115 ++++++++++++------------
 host_vars/technetium.binary-kitchen.net | 4 +
 hosts | 1 +
 roles/web_plk/handlers/main.yml | 7 ++
 roles/web_plk/meta/main.yml | 5 ++
 roles/web_plk/tasks/main.yml | 48 ++++++++++
 roles/web_plk/templates/certs.j2 | 15 ++++
 roles/web_plk/templates/vhost.j2 | 36 ++++++++
 site.yml | 5 ++
 10 files changed, 184 insertions(+), 57 deletions(-)
 create mode 100644 host_vars/technetium.binary-kitchen.net
 create mode 100644 roles/web_plk/handlers/main.yml
 create mode 100644 roles/web_plk/meta/main.yml
 create mode 100644 roles/web_plk/tasks/main.yml
 create mode 100644 roles/web_plk/templates/certs.j2
 create mode 100644 roles/web_plk/templates/vhost.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index cb138af..376a8a0 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -109,6 +109,11 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
+plk_domain: plk-regensburg.de
+plk_dbuser: plkdbuser
+plk_dbname: plkdb
+plk_dbpass: "{{ vault_plk_dbpass }}"
+
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
 
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 4c77fbd..941848f 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,58 +1,59 @@
 $ANSIBLE_VAULT;1.1;AES256
-37373233323433356238633036363036633430346330326366336364396337303233633536623061
-3063666236656134323536656433663266356366333935380a373232663535633864633934373065
-66346432396336613130333166623436353365326138663562623866643035653636353734633661
-3864353063363764320a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a656563303332303134323135353239
+34633863333930316564633632313939643664373163373833636139366537646530383736343130
+6239373931306234620a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
diff --git a/host_vars/technetium.binary-kitchen.net b/host_vars/technetium.binary-kitchen.net
new file mode 100644
index 0000000..8424acf
--- /dev/null
+++ b/host_vars/technetium.binary-kitchen.net
@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa 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 bedah@binary-kitchen.de"
diff --git a/hosts b/hosts
index 05510e6..a1a57d2 100644
--- a/hosts
+++ b/hosts
@@ -23,3 +23,4 @@ krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
diff --git a/roles/web_plk/handlers/main.yml b/roles/web_plk/handlers/main.yml
new file mode 100644
index 0000000..ff936dd
--- /dev/null
+++ b/roles/web_plk/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Run acertmgr
+ command: /usr/bin/acertmgr
diff --git a/roles/web_plk/meta/main.yml b/roles/web_plk/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/web_plk/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/web_plk/tasks/main.yml b/roles/web_plk/tasks/main.yml
new file mode 100644
index 0000000..32a3e3c
--- /dev/null
+++ b/roles/web_plk/tasks/main.yml
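Review bot: Both handlers in `roles/web_plk/handlers/main.yml` use the `key=value` shorthand (`service: name=nginx state=restarted`) instead of block YAML module arguments, which ansible-lint flags and which makes adding options such as `no_log` or `enabled` awkward later; the same shorthand runs through every task in `roles/web_plk/tasks/main.yml`. Written out, the first handler would be `service:` / `  name: nginx` / `  state: restarted`. In `roles/web_plk/meta/main.yml`, `nginx_ssl: True` is a YAML 1.1 truthy spelling; `true` is the canonical form and what yamllint's `truthy` rule expects. For vhost and certificate changes, `state: reloaded` would apply the new configuration without dropping open connections, assuming the `nginx` role does not rely on a full restart.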
@@ -0,0 +1,48 @@
+---
+
+- name: Install dependencies
+ apt:
+ name:
+ - exif
+ - imagemagick
+ - imagemagick-common
+ - libsodium23
+ - mariadb-server
+ - php-common
+ - php-curl
+ - php-fpm
+ - php-imagick
+ - php-json
+ - php-mbstring
+ - php-mysql
+ - php-seclib
+ - php-xml
+ - php-zip
+
+- name: Create vhost directory
+ file: path=/var/www/plk state=directory owner=www-data group=www-data
+
+- name: Configure MySQL database
+ mysql_db: name={{ plk_dbname }}
+
+- name: Configure MySQL user
+ mysql_user: name={{ plk_dbuser }} password={{ plk_dbpass }} priv={{ plk_dbname }}.*:ALL state=present
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ plk_domain }}.key -out /etc/nginx/ssl/{{ plk_domain }}.crt -days 730 -subj "/CN={{ plk_domain }}" creates=/etc/nginx/ssl/{{ plk_domain }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager
+ template: src=certs.j2 dest=/etc/acertmgr/{{ plk_domain }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhosts
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/plk
+ notify: Restart nginx
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/plk dest=/etc/nginx/sites-enabled/plk state=link
+ notify: Restart nginx
+
+- name: Start php7.3-fpm
+ service: name=php7.3-fpm state=started enabled=yes
diff --git a/roles/web_plk/templates/certs.j2 b/roles/web_plk/templates/certs.j2
new file mode 100644
index 0000000..ecccbf5
--- /dev/null
+++ b/roles/web_plk/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ plk_domain }}:
+- path: /etc/nginx/ssl/{{ plk_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ plk_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/web_plk/templates/vhost.j2 b/roles/web_plk/templates/vhost.j2
new file mode 100644
index 0000000..3534642
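Review bot: `Configure MySQL database` and `Configure MySQL user` need a MySQL client library for Python on the target (`python3-pymysql` or `python3-mysqldb`), and the `Install dependencies` list above installs neither, so unless `mariadb-server` or another role pulls one in, the first run is likely to fail in these two tasks; adding `python3-pymysql` to that apt list is the usual fix. `Configure MySQL user` also passes the vaulted `plk_dbpass` as a task argument without `no_log: true`; the module is expected to mask its own `password` parameter in results, but a task-level `no_log: true` additionally keeps the value out of verbose argument dumps and failure output. The PHP version is spelled out in two places that must agree, `php7.3-fpm` in `Start php7.3-fpm` here and `php7.3-fpm.sock` in `templates/vhost.j2`, so a single `plk_php_version` variable next to `plk_domain` in `group_vars` would keep them from drifting. The self-signed bootstrap key in `Ensure certificates are available` gets whatever mode `openssl` writes; a follow-up `file` task with `mode: "0400"` would make it match the `perm: '400'` that `templates/certs.j2` asks of acertmgr.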
--- /dev/null
+++ b/roles/web_plk/templates/vhost.j2
@@ -0,0 +1,36 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ plk_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ plk_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ plk_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ plk_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ plk_domain }}.crt;
+
+ root /var/www/plk;
+
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_intercept_errors on;
+ }
+}
diff --git a/site.yml b/site.yml
index 0198818..de2fbe0 100644
--- a/site.yml
+++ b/site.yml
@@ -104,3 +104,8 @@
 hosts: molybdenum.binary-kitchen.net
 roles:
 - grafana
+
+- name: Setup PLK server
+ hosts: technetium.binary-kitchen.net
+ roles:
+ - web_plk
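Review bot: The `location ~ \.php(?:$|/)` block in the second `server` hands every matching request to php-fpm without first checking that the script exists on disk; combined with `fastcgi_split_path_info` and a `PATH_INFO` parameter, a request for a non-script path that merely ends in `.php` is still forwarded, and whether PHP then resolves it to a neighbouring file depends on the pool's `cgi.fix_pathinfo` setting rather than on this vhost. Adding `try_files $fastcgi_script_name =404;` as the first line of that location makes nginx reject scripts that are not present regardless of the PHP setting. The 443 server also serves everything under `/var/www/plk` including dot-directories, so a `location ~ /\.(?!well-known) { deny all; }` block would keep `.git`-style paths from being served. No `ssl_protocols`, `ssl_ciphers` or HSTS header appear here; presumably the `nginx` role invoked with `nginx_ssl` sets them globally — worth confirming.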