Commit 46b2d790 authored by Gallenkamp, Fabian's avatar Gallenkamp, Fabian
parents 3ae9bd34 146ec995
......@@ -32,6 +32,26 @@
- absent
- directory
# add and enable default_server entry; on http: 302->https, on https throw 403 per default
- name: setup nginx vhosts
template:
src: templates/nginx_default_site.conf.j2
dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
owner: root
group: root
mode: "0644"
- name: create symlinks for nginx vhosts confs
file:
state: link
src: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
dest: "{{ nginx_sites_enabled }}/default.{{ otree_domain }}"
owner: root
group: root
mode: "0644"
notify: restart nginx
# add new vhost configs and enable them
- name: setup nginx vhosts
template:
......@@ -62,22 +82,6 @@
group: root
mode: "0644"
notify: restart nginx
# TLS certificates
# Unfourtunately not scriptable due to security considerations
#- name: copy over certificate key files
# copy:
# src: "{{ item.src }}"
# dest: "{{ item.dest }}"
# group: root
# mode: "{{ item.mode }}"
# no_log: yes
# with_items:
# - src: "ssl/certs/localhost.crt"
# dest: "/etc/ssl/certs/localhost.crt"
# mode: "0644"
# - src: "ssl/private/localhost.key"
# dest: "/etc/ssl/private/localhost.key"
# mode: "0600"
handlers:
- name: restart nginx
......
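Review bot: The default-site `setup nginx vhosts` template task in the first hunk (the one with `dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}"`) has no `notify: restart nginx`, so a later edit to `nginx_default_site.conf.j2` is rendered but never applied, because the symlink task that does notify reports no change once the link exists; add `notify: restart nginx` to that task too. The same task name `setup nginx vhosts` is reused by the task right after it, which makes play output and `--start-at-task` ambiguous; `setup nginx default vhost` would distinguish them. `mode: "0644"` on the `state: link` task is in practice applied to the link target rather than the symlink (the file module follows links by default), so it adds nothing there and can be dropped. The second hunk only deletes commented-out tasks.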
......@@ -115,20 +115,3 @@
become_user: "{{ item.key }}"
with_dict: "{{ otree_users }}"
when: item.value.override
- name: create supervisor-config for otree instances from template
template:
src: templates/supervisor_otree.conf.j2
dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
owner: root
group: root
mode: "0644"
with_dict: "{{ otree_users }}"
when: item.value.override
- name: make sure services are created and (re)-started
supervisorctl:
name: "{{ item.key }}"
state: restarted
with_dict: "{{ otree_users }}"
# TODO: set up otree (create venv, install pip packages, adapt .bashrc, run resetdb
FIXME: TODO
---
- name: setup otree
become: true
hosts: all
tasks:
# create current supervisor configs and start it
- name: create supervisor-config for otree instances from template
template:
src: templates/supervisor_otree.conf.j2
dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
owner: root
group: root
mode: "0640"
with_dict: "{{ otree_users }}"
when: item.value.override
- name: make sure services are created and (re)-started
supervisorctl:
name: "{{ item.key }}"
state: restarted
with_dict: "{{ otree_users }}"
when: item.value.override
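Review bot: `state: restarted` in the `make sure services are created and (re)-started` task restarts every instance in `otree_users` with `override` set on every run of the play, so the play is never idempotent and each run causes downtime even when neither the config nor the code changed. The usual shape is `state: present` here, which makes supervisor re-read and add missing programs, plus `notify:` on the preceding template task with a handler that runs `supervisorctl` with `state: restarted` only for the instances whose config actually changed. The `mode: "0640"` tightening on the rendered supervisor config and the added `when: item.value.override` on the restart task are both fine.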
......@@ -22,6 +22,15 @@
- postgresql
- postgresql-contrib
tasks:
# install all apt packages
- name: update package information
apt: update_cache=yes
- name: install required packages
apt:
name: "{{ prereq_packages }}"
state: latest
# create/delete users as specified in group_vars/otree_users.yml
- name: Create group for otreeusers
group:
......@@ -45,11 +54,10 @@
set_fact:
removed_users: "{{existing_users.stdout_lines | difference(otree_users) }}"
- name: Delete removed user accounts
user:
- name: stop supervisor services
supervisorctl:
name: "{{ item }}"
state: absent
remove: yes
state: stopped
with_items: "{{ removed_users }}"
- name: remove supervisor services
......@@ -57,23 +65,22 @@
name: "{{ item }}"
state: absent
with_items: "{{ removed_users }}"
# FIXME: remove supervisor configs for deleted users
# add python repos, FIXME should be avoided by using recent unbuntu version
#- name: add ppa repository with python versions
# apt_repository: "ppa:deadsnakes/ppa"
# state: present
# install all apt packages
- name: update package information
apt: update_cache=yes
- name: remove supervisor config files
file:
state: absent
path: "/etc/supervisor/conf.d/{{ item }}.conf"
with_items: "{{ removed_users }}"
- name: install required packages
apt:
name: "{{ prereq_packages }}"
state: latest
- name: Delete removed user accounts
user:
name: "{{ item }}"
state: absent
remove: yes
with_items: "{{ removed_users }}"
- import_playbook: "configure_nginx.yml"
- import_playbook: "configure_postgresql.yml"
- import_playbook: "configure_otree.yml"
- import_playbook: "configure_supervisor.yml"
- import_playbook: "configure_ufw.yml"
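Review bot: `state: latest` on the `install required packages` task (added in the first hunk, removed from its old place in the third) upgrades everything in `prereq_packages` to whatever the mirror currently serves on every run, so the play is not idempotent and installed versions can change without anyone reviewing the upgrade; `state: present` installs what is missing and leaves upgrades to a deliberate step. The `apt: update_cache=yes` key=value shorthand above it should be block YAML with a cache window so the index is not refreshed on every run: `apt:` / `  update_cache: true` / `  cache_valid_time: 3600`. In the moved `Delete removed user accounts` task of the third hunk, `remove: yes` is a YAML 1.1 truthy and should be `remove: true`. The new ordering — stop and remove the supervisor programs and their config files before deleting the accounts — is the right one.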
......@@ -29,7 +29,7 @@ http {
##
# SSL Settings
# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d={{ otree_domain }}
# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d=otree.{{ otree_domain }}
##
ssl_dhparam /etc/nginx/dhparam.pem;
# assumes command executed: openssl dhparam -out /etc/nginx/dhparam.pem 4096
......
# Default server configuration for http
# Redirect http to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# Default server configuration for https
# Throw 403 if no specific domain is matched
# FIXME: Custom 403
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
ssl_certificate {{ ssl_certificate_path }};
ssl_certificate_key {{ ssl_certificate_key_path }};
location / {
return 403;
}
}
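Review bot: The https catch-all's `location / { return 403; }` answers every unmatched host with nginx's built-in 403 page after a full TLS handshake with the production certificate; the more common hardening choice for a default_server is `return 444;`, which closes the connection without a response and makes the `FIXME: Custom 403` moot, while if a page is actually wanted the block still needs `error_page 403` and a `root` to serve it from. The http catch-all redirects with `$host`, which is whatever the client put in the request line or Host header, so a request by IP address is sent to `https://<that address>/...` rather than to a name the certificate covers; that is the normal pattern for per-subdomain vhosts and only worth a comment above the `return 301`. The comment-only change in the nginx.conf hunk needs nothing.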
......@@ -3,32 +3,19 @@ map $http_upgrade $connection_upgrade {
'' close;
}
{% if item.key == otree_master %}
# Default server configuration for http
# Redirect http to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
listen 443 ssl;
listen [::]:443 ssl;
return 301 https://$host$request_uri;
}
{% endif %}
server {
listen 443 ssl{% if item.key == otree_master %} default_server{% endif %};
listen [::]:443 ssl{% if item.key == otree_master %} default_server{% endif %};
server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %};
server_name {{ item.key }}.{{ otree_domain }};
ssl_certificate {{ ssl_certificate_path }};
ssl_certificate_key {{ ssl_certificate_key_path }};
location / {
access_log off;
proxy_pass http://localhost:{{ item.value.port }};
proxy_pass http://127.0.0.1:{{ item.value.port }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
......
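Review bot: The block inside `{% if item.key == otree_master %}` now listens on `443 ssl` but keeps `return 301 https://$host$request_uri;`, so any request it does handle is sent back to the same https URL — a redirect loop if it ever matches — and with no `server_name` and no `ssl_certificate`/`ssl_certificate_key` of its own it is unclear which host it is meant to catch now that the default_server role has moved to the default site. If the intent is to send the bare `{{ otree_domain }}` to the master instance, the block needs `server_name {{ otree_domain }};`, the two certificate directives, and `return 301 https://{{ item.key }}.{{ otree_domain }}$request_uri;`; if it is a leftover of the old http redirect, it should be removed. `proxy_pass http://127.0.0.1:...` in place of `localhost` is a good change, since it avoids the ::1 mismatch when an instance binds only IPv4. The `map` block and the rest of the `location` are outside the hunk.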