This repository has been archived by the owner on Sep 7, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
deploy.yml
228 lines (199 loc) · 6.71 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
---
- hosts: all
gather_facts: False
tasks:
- name: install python 2
raw: test -e /usr/bin/python || (apt -y update && apt install -y python)
register: test
changed_when: test.stdout
- name: remove require tty
lineinfile: regexp="^\s+\w+\s+requiretty" dest=/etc/sudoers state=absent
- name: Prepare nodes
hosts: all
handlers:
- name: restart ufw
service: name=ufw state=restarted
pre_tasks:
- name: update apt cache if needed
apt: update_cache=yes cache_valid_time=3600
- name: add git ppa
apt_repository:
repo: ppa:git-core/ppa
state: present
- name: install common packages
apt: pkg={{ item }} state=latest
with_items:
- git
- htop
- unzip
- python-pip
- acl
- build-essential
- python-pkg-resources
- name: install python libs
pip:
name: "{{ item }}"
with_items:
- passlib
- name: Add gortc user
user:
name: gortc
shell: /bin/bash
tasks:
- name: incude custom variables
include_vars:
file: "{{ var_file }}"
when: var_file is defined
- name: Prepare certificates
hosts: all
pre_tasks:
- name: certificates direcotry
file:
path: "{{ cert_dir }}"
state: directory
mode: 0755
- name: create self-signed certificate
command: >
openssl req -x509 -nodes -subj '/CN={{ fqdn }}' -days 365
-newkey rsa:4096 -sha256 -keyout {{ cert_dir }}/{{ fqdn }}.key -out {{ cert_dir }}/{{ fqdn }}.crt
args:
creates: "{{ cert_dir }}/{{ fqdn }}.crt"
# Playbook for GoRTC web server.
# Ubuntu 16.04 is expected.
- hosts: all
roles:
- gortc.go
- gortc.nginx
vars:
go_version_target: go version go1.12.7 linux/amd64
go_tarball_checksum: sha256:66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9
go_tarball: go1.12.7.linux-amd64.tar.gz
cf_api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
38393836326365613430616232623633636437623935666463623064323032396232326364613661
3966303439323363316231316237373631613331323533340a663432323931323432353633663437
62636139356137636137393832376163313538613062313436393962373531323166313432373830
6332313337636362340a313135343335306533363562636336653864643464623937653337376231
39313132313933393264313032306138363330333763623332366135636533333764393463303463
3261383932363230333933633565653762663163613332393530
cf_api_email: !vault |
$ANSIBLE_VAULT;1.1;AES256
38336130363633336432613737623534363937356465623735663236636466303166353032373565
3864393636383836343666313861653934363433653462370a303538663239623165616332346134
31323934333730383362366235663837616638626636333463633635646133633731373538636530
3538363363393932660a663938356233383331326165633939373438363264646634616134343630
6264
gh_hook_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
32323530363436616133306166383362633162316231663139343632613561613263616139613963
3530386362326630386632646435366437653739396635650a626132383262386262383631656232
61656238303733303836616662323737613833636131653239323961316166666261613965313538
3033323833623637640a636566623761613932343062633435393938656163646430363733333361
63363731313432393863633463356533303638346135306532636532623437343364333332373837
6433383466666535653265303334396562613930383130313930
nginx_vhosts:
- listen: "[::]:443 ipv6only=off ssl http2"
server_name: "{{ fqdn }}"
state: "present"
file: "web.conf"
template: "{{ nginx_vhost_template }}"
acme: true
extra_parameters: |
gzip on;
gzip_types text/plain text/html image/svg+xml application/font-woff text/css application/xml;
location / {
proxy_pass http://localhost:3000;
http2_push_preload on;
}
ssl_certificate {{ cert_dir }}/{{ fqdn }}.crt;
ssl_certificate_key {{ cert_dir }}/{{ fqdn }}.key;
ssl_protocols TLSv1.1 TLSv1.2;
- listen: "80"
acme: true
server_name: "{{ fqdn }}"
extra_parameters: |
location / {
return 301 https://{{ fqdn }}$request_uri;
}
filename: "pcl.80.conf"
tasks:
- name: download tokei
unarchive:
src: https://github.com/Aaronepower/tokei/releases/download/v7.0.3/tokei-v7.0.3-x86_64-unknown-linux-gnu.tar.gz
dest: /usr/local/bin
remote_src: yes
creates: /usr/local/bin/tokei
- name: install web
become: true
become_user: gortc
notify: restart web
git:
repo: https://github.com/gortc/web.git
dest: /home/gortc/web
force: yes
- name: build
notify: restart web
become: true
become_user: gortc
shell: /usr/local/go/bin/go build -v -o gortc-web
args:
chdir: /home/gortc/web
register: build
changed_when: "build.stderr"
- name: install systemd service file
template: src=web.service.j2 dest=/etc/systemd/system/web.service
notify: restart web
- name: ensure that service is enabled and started
systemd:
name: web
state: started
enabled: yes
daemon_reload: yes
handlers:
- name: restart web
service: name=web state=restarted
# Enable LetsEncrypt.
- name: LetsEncrypt certificates
hosts: lego
tasks:
- name: acme direcotry
file:
path: "{{ nginx_acme_dir }}"
state: directory
mode: 0755
- name: download lego
unarchive:
src: https://github.com/xenolf/lego/releases/download/{{ lego_version }}/lego_linux_amd64.tar.xz
dest: /usr/local/bin
remote_src: yes
creates: /usr/local/bin/lego_linux_amd64
- name: install lego services
template:
src: "{{ item }}"
dest: /etc/systemd/system/
with_items:
- lego.service
- lego.timer
- name: retrieve letsencrypt certificates
command: /usr/local/bin/lego_linux_amd64 -a -s {{ lego_server }} -d={{ fqdn }} -m={{ lego_email }} --webroot={{ nginx_acme_dir }} --path={{ lego_dir }} run
args:
creates: "{{ cert_dir }}/{{ fqdn }}.json"
notify: reload nginx
- name: check lego certificate
stat:
path: "{{ cert_dir }}/{{ fqdn }}.json"
register: lego_cert
- assert:
that:
- lego_cert.stat.exists
- name: ensure that lego timer is enabled and started
systemd:
name: "{{ item }}"
enabled: yes
state: started
daemon_reload: yes
with_items:
- lego.timer
handlers:
- name: reload nginx
service: name=nginx state=reloaded