Changeset - bc4c5deec4bf
Ben Sturmfels (bsturmfels) - 7 months ago 2023-09-15 11:49:19
ben@sturm.com.au
Extend Ansible config
4 files changed with 138 insertions and 33 deletions:
deploy/ansible/20auto-upgrades
 
deleted file
deploy/install.yml
 
file renamed from deploy/ansible/install.yml to deploy/install.yml
 
---
 
# Run this with:
 
#  ansible-playbook -i deploy/ansible/inventory.ini --become --ask-become-pass deploy/ansible/install.yml
 

	
 
# Other useful commands:
 
# ansible all -i [HOST], -u user -m ping
 
# ansible all -i [HOST], -u user -a /bin/date
 
# scp -3 -v [OLDHOST]:backup/backup.gz [HOST]:tmp/
 
# Ansible playbook for basic web server configuration.
 
#
 
# Run with:
 
# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/install.yml -i deploy/inventory.ini --verbose
 

	
 
# Notes:
 
#
 
# /etc/apache2 uses OS defaults aside from "site-available", "sites-enabled" and
 
# "conservancy.conf".
 
#
...
 
@@ -16,37 +14,84 @@
 
# SQLite database lives at /var/lib/www/database.
 
#
 
# Disabled Rackspace CDN videos.
 
#
 
# No mail as yet.
 
#
 
# No etckeeper as yet.
 
#
 
# a2enmod ssl rewrite
 

	
 
 - name: Configure web server
 
   hosts: web
 
   # remote_user:
 
   # become_user:
 
   # become_method:
 

	
 
   become: true
 
   vars:
 
     ansible_ssh_pipelining: true
 
   tasks:
 
     - name: Install unattended upgrades
 
       apt:
 
         name: unattended-upgrades
 

	
 
     - name: Configure unattended upgrades
 
     - name: Configure unattended upgrades overrides
 
       # See defaults in 50unattended-upgrades.
 
       copy:
 
         src: 20auto-upgrades
 
         dest: /etc/apt/apt.conf.d/20auto-upgrades
 
         content: |
 
           APT::Periodic::Update-Package-Lists "1";
 
           APT::Periodic::Unattended-Upgrade "1";
 
           Unattended-Upgrade::Automatic-Reboot "true";
 
           Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 
           Unattended-Upgrade::Mail "root";
 

	
 
     - name: Add extensive history logging
 
       blockinfile:
 
         path: /etc/bash.bashrc
 
         block: |
 
           # Write to history file immediately (rather than only when shell is
 
           # closed). For setting history length see HISTSIZE and HISTFILESIZE in
 
           # bash(1).
 
           shopt -s histappend
 
           PROMPT_COMMAND='history -a'
 
           HISTSIZE=1000000
 
           HISTFILESIZE=1000000
 
         insertafter: EOF
 

	
 
     - name: Install Apache
 
       apt:
 
         name: apache2,libapache2-mod-wsgi-py3
 

	
 
     - apache2_module:
 
         state: present
 
         name: ssl
 

	
 
     - apache2_module:
 
         state: present
 
         name: rewrite
 

	
 
     - name: Install Postfix
 
       apt:
 
         # libsasl2-modules fixes "SASL authentication failure: No worthy mechs found"
 
         name: postfix,libsasl2-modules,mailutils
 
         pkg:
 
           - postfix
 
           # libsasl2-modules fixes "SASL authentication failure: No worthy mechs found"
 
           - libsasl2-modules
 
           - mailutils
 

	
 
     # # Commented because you only want this on first run ever.
 
     # - name: Add file for SMTP credentials
 
     #   copy:
 
     #     dest: /etc/postfix/sasl_passwd
 
     #     content: |-
 
     #       # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
 
     #       [mail.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD
 
           
 
     - name: Configure Postfix for relaying
 
       copy:
 
         src: postfix/main.cf
 
         dest: /etc/postfix/main.cf
 
       notify:
 
         - restart postfix
 

	
 
     - name: Alias mail to root
 
       copy:
 
         dest: /etc/aliases
 
         content: |-
 
           postmaster: root
 
           root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
 
       notify:
 
         - restart postfix
 

	
 
     - name: Install Certbot
 
       apt:
...
 
@@ -71,8 +116,8 @@
 
     - name: Disable SSH password authentication
 
       lineinfile:
 
         path: /etc/ssh/sshd_config
 
         regexp: '^#?PasswordAuthentication '
 
         line: 'PasswordAuthentication no'
 
         regexp: 'PasswordAuthentication '
 
       notify:
 
         - restart sshd
 

	
...
 
@@ -88,6 +133,13 @@
 
         group: www-data
 
         mode: '0755'
 

	
 
     - name: Git checkout
 
       ansible.builtin.git:
 
         repo: 'https://k.sfconservancy.org/website'
 
         dest: /var/www/website
 
         version: master
 
         remote: upstream
 

	
 
     - name: Create the database directory
 
       file:
 
         path: /var/lib/www/database
...
 
@@ -96,12 +148,6 @@
 
         group: www-data
 
         mode: '0755'
 

	
 
     - name: Git checkout
 
       ansible.builtin.git:
 
         repo: 'https://k.sfconservancy.org/website'
 
         dest: /var/www/website
 
         version: master
 

	
 
     - name: Create static dir
 
       file:
 
         path: /var/www/website/conservancy/static
...
 
@@ -110,6 +156,12 @@
 
         group: www-data
 
         mode: '0755'
 

	
 
     - name: Install `netfilter-persistent` && `iptables-persistent` packages
 
       apt:
 
         pkg:
 
           - iptables-persistent
 
           - netfilter-persistent
 

	
 
     - name: Install iptables  # May need kernel reload/reboot
 
       apt:
 
         name: iptables,iptables-netflow-dkms
...
 
@@ -225,3 +277,8 @@
 
       service:
 
         name: ssh
 
         state: reloaded
 

	
 
     - name: restart postfix
 
       service:
 
         name: postfix
 
         state: reloaded
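Review bot: The `Disable SSH password authentication` task (hunk @@ -71,8 +116,8 @@) edits /etc/ssh/sshd_config with no `validate:`, so a malformed result is only discovered when the `restart sshd` handler reloads the daemon; add `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile arguments so a bad edit is rejected before it is written. Two `regexp:` keys are printed in that hunk and the page does not show which one survives; if the unanchored `'PasswordAuthentication '` is the new value, it also matches an indented or commented occurrence elsewhere in the file, so keeping the `^#?PasswordAuthentication ` anchor is the safer choice. On Debian releases whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there (cloud-init writes one on many images) can set `PasswordAuthentication yes` first and wins because sshd keeps the first value it obtains, so this edit alone may leave password logins enabled; verify the effective setting after the play with `sshd -T | grep -i passwordauthentication`. The enclosing task list starts and ends outside the hunk.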
deploy/inventory.ini
 
file renamed from deploy/ansible/inventory.ini to deploy/inventory.ini
deploy/postfix/main.cf
 
new file 100644
 
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
 

	
 

	
 
# Debian specific:  Specifying a file name will cause the first
 
# line of that file to be used as the name.  The Debian default
 
# is /etc/mailname.
 
#myorigin = /etc/mailname
 

	
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 
biff = no
 

	
 
# appending .domain is the MUA's job.
 
append_dot_mydomain = no
 

	
 
# Uncomment the next line to generate "delayed mail" warnings
 
#delay_warning_time = 4h
 

	
 
readme_directory = no
 

	
 
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
 
# fresh installs.
 
compatibility_level = 3.6
 

	
 

	
 

	
 
# TLS parameters
 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
smtpd_tls_security_level=may
 

	
 
smtp_tls_CApath=/etc/ssl/certs
 
smtp_tls_security_level=secure
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 

	
 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 
myhostname = hickory.sfconservancy.org
 
alias_maps = hash:/etc/aliases
 
alias_database = hash:/etc/aliases
 
myorigin = /etc/mailname
 
mydestination = $myhostname, hickory, localhost
 
relayhost = [mail.sfconservancy.org]:587
 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 
mailbox_size_limit = 0
 
recipient_delimiter = +
 
inet_interfaces = loopback-only
 
inet_protocols = all
 

	
 
# Relay authentication
 
smtp_sasl_auth_enable = yes
 
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 
smtp_sasl_security_options = noanonymous
...
 
\ No newline at end of file
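Review bot: `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` makes relaying depend on a credential file that nothing in this changeset creates or protects: the playbook task that would write it is commented out, and Postfix will not read it until `postmap hash:/etc/postfix/sasl_passwd` has built the `.db`. State the contract above the `# Relay authentication` stanza, e.g. `# Requires /etc/postfix/sasl_passwd and sasl_passwd.db (root:root, 0600); run postmap after edits. Not managed by Ansible.`, and consider an Ansible `file` task that enforces owner root and `mode: '0600'` on both files so the relay password is never readable by other local users. `smtp_tls_security_level=secure` together with `smtp_sasl_security_options = noanonymous` is the right pairing here, since the credentials are then only sent over a certificate-verified TLS session to the bracketed relayhost. Separately, `myhostname = hickory.sfconservancy.org` is hard-coded in a file the play copies to every host in the `web` group; if that group ever grows, a `template` task using `{{ inventory_hostname }}` would keep `myhostname` and `mydestination` correct per host.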