authorAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
committerAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
commitc6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 (patch)
treed1c21cf0d9a2529154b33438bd91821268be5eb4 /playbook.yaml
🎉 Initial commit of infraHEADmain
Diffstat (limited to 'playbook.yaml')
-rw-r--r--playbook.yaml199
1 files changed, 199 insertions, 0 deletions
diff --git a/playbook.yaml b/playbook.yaml
new file mode 100644
index 0000000..decbf6b
--- /dev/null
+++ b/playbook.yaml
@@ -0,0 +1,199 @@
+- name: Setup the main server
+ hosts: datagubbe.dev
+ become: true
+
+ vars:
+ jailbase: "/usr/local/jails"
+ jailset: "poolen/jails"
+ jails:
+ gubbhub:
+ name: gubbhub
+ ip: "2a01:4f9:2b:f05::2/64"
+ tags: gubbhub
+ additional_data_sets:
+ - gitdata
+ certificates:
+ - git.datagubbe.dev
+ haproxy_conf: |
+ frontend git-ssh from tcp
+ mode tcp
+ bind :2224
+ default_backend gubbhub
+
+ backend gubbhub from tcp
+ server srv 2a01:4f9:2b:f05::2:22
+
+ backend git.datagubbe.dev from http
+ server srv 2a01:4f9:2b:f05::2:80
+
+ hallosbacken:
+ name: hallosbacken
+ ip: "2a01:4f9:2b:f05::3/64"
+ tags: hallosbacken
+ additional_data_sets:
+ - wp_data
+
+ datagubbe:
+ name: datagubbe
+ ip: "2a01:4f9:2b:f05::4/64"
+ tags: datagubbe
+ certificates:
+ - datagubbe.dev
+ haproxy_conf: |
+ backend datagubbe from http
+ server srv 2a01:4f9:2b:f05::4:80
+
+ roles:
+ - pf
+ - jailhost
+
+ - role: jail
+ jail: "{{ jails.gubbhub }}"
+ tags: "{{ jails.gubbhub.tags }}"
+
+ - role: jail
+ jail: "{{ jails.hallosbacken }}"
+
+ - role: jail
+ jail: "{{ jails.datagubbe }}"
+
+ tasks:
+ - name: configure periodic to be less chatty
+ ansible.builtin.copy:
+ content: |
+ # i do not need to know this
+ daily_show_success=”NO”
+ weekly_show_success="NO"
+ monthly_show_success="NO"
+
+ # enable our certbot renew script
+ daily_renewcerts_enable="YES"
+ dest: /etc/periodic.conf
+
+ - name: install jq
+ community.general.pkgng:
+ name: "jq"
+ state: latest
+
+ - name: install haproxy
+ community.general.pkgng:
+ name: "haproxy"
+ state: latest
+
+ - name: create haproxy user
+ ansible.builtin.user:
+ name: haproxy
+ system: true
+
+ - name: config for haproxy
+ ansible.builtin.template:
+ src: haproxy.conf.j2
+ dest: /usr/local/etc/haproxy.conf
+ notify: reload haproxy
+
+ - name: enable haproxy service
+ community.general.sysrc:
+ name: haproxy_enable
+ value: "YES"
+ notify: start haproxy
+
+ - name: install certbot and nginx
+ community.general.pkgng:
+ name:
+ - security/py-certbot
+ - nginx
+ state: latest
+
+ - name: nginx config for certbot
+ ansible.builtin.template:
+ src: templates/nginx-certbot.conf.j2
+ dest: /usr/local/etc/nginx/nginx.conf
+ vars:
+ root: /var/www/html
+
+ - name: enable nginx
+ community.general.sysrc:
+ name: nginx_enable
+ value: "YES"
+
+ - name: start nginx
+ ansible.builtin.service:
+ name: nginx
+ state: reloaded
+
+ - name: create cert hook for haproxy
+ ansible.builtin.copy:
+ content: |
+ #! /usr/bin/env sh
+ mkdir -p /usr/local/etc/haproxy/certs
+ dir="$RENEWED_LINEAGE"
+ domain=`basename "$RENEWED_LINEAGE"`
+ cat $dir/fullchain.pem $dir/privkey.pem > /usr/local/etc/haproxy/certs/$domain.pem
+ chown -R haproxy:haproxy /usr/local/etc/haproxy
+ dest: /usr/local/etc/letsencrypt/renewal-hooks/deploy/create-haproxy-cert
+ mode: 755
+
+ - name: set needed certs
+ ansible.builtin.set_fact:
+ certificates: "{{ jails | dict2items | selectattr('value.certificates', 'defined') | map(attribute='value.certificates') | list | flatten }}"
+
+ - name: "obtain cert for {{ item }}"
+ shell:
+ cmd: |
+ certbot \
+ --non-interactive \
+ --email albert@acervin.com \
+ --agree-tos \
+ certonly \
+ --webroot \
+ --webroot-path /var/www/html \
+ -d '{{ item }}'
+
+ RENEWED_LINEAGE=/usr/local/etc/letsencrypt/live/{{item}} /usr/local/etc/letsencrypt/renewal-hooks/deploy/create-haproxy-cert
+ creates: /usr/local/etc/letsencrypt/live/{{ item }}
+ loop: "{{ certificates }}"
+
+ - name: create daily job for updating certs
+ ansible.builtin.copy:
+ src: ./10-renewcerts
+ dest: /usr/local/etc/periodic/daily/10-renewcerts
+ mode: 'a=rx,u=rwx'
+
+ - name: config for haproxy (with certs)
+ ansible.builtin.template:
+ src: haproxy.conf.j2
+ dest: /usr/local/etc/haproxy.conf
+ notify: reload haproxy
+
+ - name: Setup datagubbe
+ import_tasks: jails/datagubbe/tasks.yaml
+ vars:
+ jail: "{{ jails.datagubbe }}"
+ certs:
+ - /usr/local/etc/certs/datagubbe.dev.pem
+ tags: datagubbe-setup
+
+ - name: Setup the gubbhub
+ import_tasks: jails/gubbhub/tasks.yaml
+ vars:
+ jail: "{{ jails.gubbhub }}"
+ tags: gubbhub-setup
+
+ - name: Make sure packages are up to date
+ community.general.pkgng:
+ name: "*"
+ state: latest
+
+ handlers:
+ - name: reload haproxy
+ ansible.builtin.shell: /usr/local/etc/rc.d/haproxy configtest && /usr/local/etc/rc.d/haproxy reload
+
+ - name: start haproxy
+ ansible.builtin.service:
+ name: haproxy
+ state: started
+
+ - name: restart sshd in jail
+ jexec:
+ jail:
+
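Review bot: The deploy hook written by the `create cert hook for haproxy` task concatenates `fullchain.pem` and `privkey.pem` into `/usr/local/etc/haproxy/certs/$domain.pem` under whatever umask certbot runs the hook with, so with a typical 022 umask the private key is created group- and world-readable and nothing in the script tightens it afterwards; add `umask 077` directly after the `#! /usr/bin/env sh` line (or `chmod 600 "/usr/local/etc/haproxy/certs/$domain.pem"` before the chown) and quote `"$dir"` in the cat line. The same task sets `mode: 755` as a bare integer, which Ansible treats as decimal 755 (octal 1363) rather than 0755 — write `mode: "0755"`, consistent with the quoted string mode used on the `10-renewcerts` task. In the periodic.conf content, `daily_show_success=”NO”` uses Unicode curly quotes instead of ASCII `"`, so the sh-sourced file gets the literal quote characters as the value; change it to `daily_show_success="NO"` to match the two lines below it. The final `restart sshd in jail` handler ends in a bare `jail:` (parsed as null) with no command, so it reads as an unfinished stub that will fail if ever notified — either complete it or remove it until the jexec module is actually used.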