strichliste: deploy on tschunk

Signed-off-by: Thomas Schmid <tom@lfence.de>
This commit is contained in:
Thomas 2023-01-16 21:41:01 +01:00
parent 3b1b600c8e
commit 4993782513
7 changed files with 170 additions and 0 deletions


@ -163,6 +163,11 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}" slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen slapd_san: ldap.binary.kitchen
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
vaultwarden_domain: vault.binary-kitchen.de vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden vaultwarden_dbuser: vaultwarden


@ -0,0 +1,5 @@
---
strichliste_checksum: sha256:4615e4faef8c9839c2ce4bb068bb52fc0dfa036329b5dc500e4b6d57160f235d
strichliste_version: 1.8.2
strichliste_url: https://github.com/strichliste/strichliste/releases/download/v{{ strichliste_version }}/strichliste-v{{ strichliste_version }}.tar.gz
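Review bot: `strichliste_version: 1.8.2` is a plain scalar that parses as a string only because it has two dots; a future bump to `1.9` or `1.10` would become a float (`1.10` → `1.1`), silently changing the URL and tarball name built from it on the next line, so quote it: `strichliste_version: "1.8.2"`. The pinned `sha256:` checksum is the right companion to the version pin, since the `get_url` task that consumes it will fail a download whose digest does not match rather than install an unverified archive; keep the two in step when bumping.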


@ -0,0 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted
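Review bot: `service: name=nginx state=restarted` uses the legacy key=value argument string, while other tasks in this commit (`unarchive`, `lineinfile`) use block-style module arguments; the block form `service:` / `name: nginx` / `state: restarted` is what ansible-lint expects and keeps the role consistent. A one-line comment above `Run acertmgr` naming what it does (renew the certificates configured in `/etc/acertmgr/` and run each entry's `action`) would help a reader who does not know the tool.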


@ -2,3 +2,4 @@
dependencies: dependencies:
- { role: acertmgr } - { role: acertmgr }
- { role: nginx, nginx_ssl: True }
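Review bot: `nginx_ssl: True` uses a capitalized boolean inside the flow mapping; YAML 1.1 loaders accept it, but `true` is the canonical form and the only one yamllint's `truthy` rule passes, so write `- { role: nginx, nginx_ssl: true }`. Keeping the flow style matches the existing `- { role: acertmgr }` entry above it.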


@ -2,3 +2,80 @@
- name: Request nsupdate key for certificate - name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate include_role: name=acme-dnskey-generate
- name: Enable sury php apt-key
apt_key: url="https://packages.sury.org/php/apt.gpg"
- name: Enable sury php repository
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
- name: Install packages
apt:
name:
- php8.1
- php8.1-common
- php8.1-curl
- php8.1-mysql
- php8.1-mbstring
- php8.1-cli
- php8.1-opcache
- php8.1-xml
- php8.1-fpm
- php8.1-readline
- mariadb-server
- python3-mysqldb
- python3-psycopg2
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for strichliste
template: src=certs.j2 dest=/etc/acertmgr/{{ strichliste_domain }}.conf
notify: Run acertmgr
- name: Create vhost directory
file: path=/var/www/strichliste state=directory owner=www-data group=www-data
- name: Install Mariadb
apt:
name:
- mariadb-server
- python3-mysqldb
- name: Configure Mariadb database
community.mysql.mysql_db: name={{ strichliste_dbname }}
become: true
- name: Configure Mariadb user
community.mysql.mysql_user: name={{ strichliste_dbuser }} password={{ strichliste_dbpass }} priv='{{ strichliste_dbname }}.*:ALL' state=present
become: true
- name: Download strichliste
get_url: url={{ strichliste_url }} dest=/tmp/ checksum={{ strichliste_checksum }} mode=0755
- name: Unpack strichliste
unarchive:
remote_src: true
src: /tmp/strichliste-v{{ strichliste_version }}.tar.gz
dest: /var/www/strichliste
owner: www-data
group: www-data
notify: Restart nginx
- name: Configure strichliste database
lineinfile:
path: /var/www/strichliste/.env
regexp: '^DATABASE_URL='
line: DATABASE_URL="mysql://strichliste:{{ strichliste_dbpass }}@localhost/strichliste"
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/strichliste
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
notify: Restart nginx
- name: Start php8.1-fpm
service: name=php8.1-fpm state=started enabled=yes
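Review bot: The `Configure Mariadb user` and `Configure strichliste database` tasks both carry `{{ strichliste_dbpass }}` in their module arguments and have no `no_log`, so the vault value can appear in verbose task output and in callback or `log_path` logs; add `no_log: true` to both tasks. The `.env` line also hard-codes the user `strichliste` and database `strichliste` instead of `{{ strichliste_dbuser }}` and `{{ strichliste_dbname }}`, so changing those vars updates the MariaDB grant but not the application, and it splices the password into a URL unescaped, so a vault value containing `@`, `/` or `:` breaks the DSN; suggest `line: DATABASE_URL="mysql://{{ strichliste_dbuser }}:{{ strichliste_dbpass | urlencode }}@localhost/{{ strichliste_dbname }}"`, after confirming the filter escapes every reserved character the vault value may contain. `mariadb-server` and `python3-mysqldb` are listed both in `Install packages` and again in `Install Mariadb`, and `python3-psycopg2` is a PostgreSQL client with no consumer in this role, so the second task and that package look like leftovers. The `apt_key` task fetches the sury signing key by URL with no `id:`, so nothing pins which key is trusted for that third-party repository; add `id: <EXPECTED-KEY-FINGERPRINT placeholder>` (and note that `apt-key` is deprecated on current Debian in favour of a keyring file referenced via `signed-by` in the repository line).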


@ -0,0 +1,18 @@
---
{{ strichliste_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ strichliste_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ strichliste_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
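Review bot: `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are unquoted templated scalars in a file that is rendered first and parsed as YAML afterwards, so an empty expansion becomes `null` and a value starting with a YAML indicator breaks the parse rather than producing a string; quote them: `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`. The `{{ strichliste_domain }}` key and the two `path:` values are hostnames and absolute paths and are fine as plain scalars; `perm: '400'` is correctly quoted so the mode is not read as an integer.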


@ -0,0 +1,57 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ strichliste_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ strichliste_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ strichliste_domain }}.crt;
root /var/www/strichliste/public;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
}
server {
listen [::]:80;
listen 80;
server_name {{ strichliste_domain }};
if ($host = {{ strichliste_domain }}) {
return 301 https://$host$request_uri;
}
return 404;
}
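Review bot: The 443 server block sets only `ssl_certificate` and `ssl_certificate_key`; if the `nginx_ssl` flag passed to the nginx role does not set `ssl_protocols`/`ssl_ciphers` at `http` level (not visible here), this vhost runs on the compiled-in defaults, which on older nginx builds still include TLS 1.0/1.1 — worth confirming, or adding `ssl_protocols TLSv1.2 TLSv1.3;` here. The comment above `fastcgi_param modHeadersAvailable true;` says it avoids sending the security headers twice, but no `add_header` directive (HSTS, `X-Content-Type-Options`, …) appears in this file, so unless the nginx role adds them globally the headers may end up sent by nobody; either add them in this block or drop the parameter so the application keeps emitting its own. `fastcgi_pass unix:/run/php/php-fpm.sock;` relies on the versionless socket name, while the tasks install `php8.1-fpm`, whose own socket is `/run/php/php8.1-fpm.sock`; the unversioned path presumably exists via the `php-fpm` alternative, but pointing at the versioned socket removes that dependency. `fastcgi_intercept_errors on;` has no effect without a matching `error_page` directive, of which this file has none, so either add the pages it is meant to serve or remove the line.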