
workadventure: new role for workadventure

Markus 2021-07-22 16:51:57 +02:00
parent 41a94d7142
commit 3be8cce6d8
9 changed files with 171 additions and 3 deletions


@ -150,3 +150,5 @@ root_keys:
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+" slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}" slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen slapd_san: ldap.binary.kitchen
workadventure_domain: wa.binary-kitchen.de


@ -0,0 +1,2 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"


@ -0,0 +1,13 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart nginx
service: name=nginx state=restarted
- name: Restart workadventure
service: name=workadventure state=restarted
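Review bot: The handlers pass module arguments as `key=value` strings (`systemd: daemon_reload=yes`, `service: name=nginx state=restarted`) and spell the boolean as `yes`; the same pattern appears as `nginx_ssl: True` in the meta dependencies hunk and `enabled=yes` in the tasks hunk. Native block YAML with lowercase `true`/`false` is the form ansible-lint expects and avoids YAML 1.1 truthy ambiguity, e.g. `systemd:` followed by `  daemon_reload: true`. The `template:`, `file:` and `service:` lines in the tasks hunk would take the same treatment.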


@ -0,0 +1,6 @@
---
dependencies:
- { role: acertmgr }
- { role: docker }
- { role: nginx, nginx_ssl: True }


@ -0,0 +1,29 @@
---
# TODO
# source code is not yet checked out from git
- name: Install systemd unit
template: src=workadventure.service.j2 dest=/lib/systemd/system/workadventure.service
notify:
- Reload systemd
- Restart workadventure
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ workadventure_domain }}.key -out /etc/nginx/ssl/{{ workadventure_domain }}.crt -days 730 -subj "/CN={{ workadventure_domain }}" creates=/etc/nginx/ssl/{{ workadventure_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for workadventure
template: src=certs.j2 dest=/etc/acertmgr/{{ workadventure_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/workadventure
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/workadventure dest=/etc/nginx/sites-enabled/workadventure state=link
notify: Restart nginx
- name: Enable workadventure
service: name=workadventure enabled=yes
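Review bot: The bootstrap key written by `Ensure certificates are available` (`openssl req ... -keyout /etc/nginx/ssl/{{ workadventure_domain }}.key`) is left with whatever permissions the installed openssl applies; acertmgr later installs its replacement with `perm: '400'`, but nothing pins the placeholder, and the `creates=` guard means this task never runs again to correct it. A follow-up task `file: path=/etc/nginx/ssl/{{ workadventure_domain }}.key owner=root group=root mode=0600` would make the mode explicit regardless of openssl version. Separately, `Enable workadventure` enables a unit that runs as `User=workadventure` from `/opt/workadventure/source/` (unit hunk), and neither the account nor the directory is created by these tasks — the TODO at the top mentions only the git checkout, so it should list these too, or the role should add `user:` and `file: state=directory` tasks, unless another role is known to provide them.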


@ -0,0 +1,15 @@
---
{{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }}:
- path: /etc/nginx/ssl/{{ workadventure_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ workadventure_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -0,0 +1,76 @@
server {
listen 80;
listen [::]:80;
server_name {{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
root /opt/workadventure/source/landing/dist;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name play.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
root /opt/workadventure/source/front/dist;
try_files $uri uri/ /index.html?$args;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pusher.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
proxy_pass http://localhost:8002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name uploader.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
proxy_pass http://localhost:8005;
}
}
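Review bot: `try_files $uri uri/ /index.html?$args;` in the `play.` server block is missing the `$` on the second element, so nginx tests for a literal path named `uri/` under the front `dist` root instead of a directory matching the request; it should read `try_files $uri $uri/ /index.html?$args;`. The `uploader.` block proxies to port 8005 with no `client_max_body_size`, so uploads above nginx's default 1m limit are rejected with 413 unless the nginx role raises it globally; it also forwards no `Host` header, which the `pusher.` block does set. None of the four TLS blocks set `ssl_protocols` or a cipher policy, which is acceptable only if the nginx role's main config supplies them.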


@ -0,0 +1,27 @@
[Unit]
Description=WorkAdventure service using docker compose
Requires=docker.service
After=docker.service
[Service]
Type=simple
User=workadventure
Group=workadventure
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/workadventure/source/
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
# Compose up
ExecStart=/usr/bin/docker-compose -f docker-compose.bk.yaml up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
[Install]
WantedBy=multi-user.target
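Review bot: `ExecStartPre` and `ExecStop` both run `docker-compose ... down -v`, and combined with `Restart=always` every crash or restart of the unit deletes the compose project's volumes; if any service in `docker-compose.bk.yaml` keeps state in a named volume, that state is lost on each restart, so `-v` belongs in a manual teardown rather than the unit unless the stack is known to be stateless. A comment above `ExecStartPre` should record that assumption, e.g. `# -v is intentional: this compose stack keeps no persistent volumes`. Also, `User=workadventure` can only talk to the Docker daemon if that account is in the docker group, which is root-equivalent on the host; the role's tasks do not create the account, so where it is created and that it carries this group membership should be documented alongside the unit.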


@ -124,6 +124,4 @@
- name: Setup WorkAdventure host - name: Setup WorkAdventure host
hosts: barium.binary-kitchen.net hosts: barium.binary-kitchen.net
roles: roles:
- acertmgr - workadventure
- nginx
- docker