Add Ansible config

This commit is contained in:
Ben Sturmfels 2023-09-14 18:21:00 +10:00
parent 053504d099
commit 3c79fa50b5
Signed by: bsturmfels
GPG key ID: 023C05E2C9C068F0
4 changed files with 230 additions and 0 deletions

View file

@ -0,0 +1,4 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

222
deploy/ansible/install.yml Normal file
View file

@ -0,0 +1,222 @@
---
# Run this with:
# ansible-playbook -i deploy/ansible/inventory.ini --become --ask-become-pass deploy/ansible/install.yml
# Other useful commands:
# ansible all -i [HOST], -u user -m ping
# ansible all -i [HOST], -u user -a /bin/date
# scp -3 -v [OLDHOST]:backup/backup.gz [HOST]:tmp/
# /etc/apache2 uses OS defaults aside from "site-available", "sites-enabled" and
# "conservancy.conf".
#
# Current site does not use "django.contrib.staticfiles", so no need to run
# `collectstatic`.
#
# SQLite database lives at /var/lib/www/database.
#
# Disabled Rackspace CDN videos.
#
# No mail as yet.
#
# No etckeeper as yet.
#
# a2enmod ssl rewrite
- name: Configure web server
hosts: web
# remote_user:
# become_user:
# become_method:
tasks:
- name: Install unattended upgrades
apt:
name: unattended-upgrades
- name: Configure unattended upgrades
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
- name: Install Apache
apt:
name: apache2,libapache2-mod-wsgi-py3
- name: Install Certbot
apt:
name: certbot, python3-certbot-apache
- name: Install Python dependencies
apt:
name: python3-django,python3-bs4,python3-html5lib,python3-django-countries
- name: Install Python essentials
apt:
name: python3-venv,python3-pip,python3-wheel
- name: Install Python build dependencies
apt:
name: build-essential,python3-dev,libffi-dev
- name: Security settings
apt:
name: fail2ban
- name: Disable SSH password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication '
line: 'PasswordAuthentication no'
notify:
- restart sshd
- name: Install utilities
apt:
name: tmux,curl,git,magic-wormhole,htop,rsync
- name: Create the project directory
file:
path: /var/www/website
state: directory
owner: www-data
group: www-data
mode: '0755'
- name: Create the database directory
file:
path: /var/lib/www/database
state: directory
owner: www-data
group: www-data
mode: '0755'
- name: Git checkout
ansible.builtin.git:
repo: 'https://k.sfconservancy.org/website'
dest: /var/www/website
version: master
- name: Create static dir
file:
path: /var/www/website/conservancy/static
state: directory
owner: www-data
group: www-data
mode: '0755'
- name: Install iptables # May need kernel reload/reboot
apt:
name: iptables,iptables-netflow-dkms
- name: Flush existing firewall rules
iptables:
flush: true
- name: Firewall rule - allow all loopback traffic
iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Firewall rule - allow established connections
iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Firewall rule - allow port ping traffic
iptables:
chain: INPUT
jump: ACCEPT
protocol: icmp
- name: Firewall rule - allow port 22/SSH traffic
iptables:
chain: INPUT
destination_port: '22'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 80/HTTP traffic
iptables:
chain: INPUT
destination_port: '80'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 443/HTTPS traffic
iptables:
chain: INPUT
destination_port: '443'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - drop any traffic without rule
iptables:
chain: INPUT
jump: DROP
- name: Flush existing firewall rules
iptables:
ip_version: ipv6
flush: true
- name: Firewall rule - allow all loopback traffic v6
iptables:
ip_version: ipv6
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Firewall rule - allow established connections v6
iptables:
ip_version: ipv6
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Firewall rule - allow port ping traffic v6
iptables:
ip_version: ipv6
chain: INPUT
jump: ACCEPT
protocol: icmp
- name: Firewall rule - allow port 22/SSH traffic v6
iptables:
ip_version: ipv6
chain: INPUT
destination_port: '22'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 80/HTTP traffic v6
iptables:
ip_version: ipv6
chain: INPUT
destination_port: '80'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - allow port 443/HTTPS traffic v6
iptables:
ip_version: ipv6
chain: INPUT
destination_port: '443'
jump: ACCEPT
protocol: tcp
- name: Firewall rule - drop any traffic without rule v6
iptables:
ip_version: ipv6
chain: INPUT
jump: DROP
handlers:
- name: restart sshd
service:
name: ssh
state: reloaded

View file

@ -0,0 +1,2 @@
[web]
debian@hickory.sfconservancy.org ansible_connection=ssh

View file

@ -15,3 +15,5 @@ Updates will fail unless `/var/www/website` has a git upstream, so set that with
git remote add upstream https://k.sfconservancy.org/website
git branch --set-upstream-to=upstream/master master
Note that the update script does not run `migrate`.