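---
# Playbook for setting up a new webserver
#
# Provisions, on every inventory host: nginx with a Let's Encrypt certificate,
# a webhook-driven deploy user (via the local `hooks` role), a clone of the
# application repo shared with the ci-cd group, Docker, and the data mount.
#
# Security notes (review):
# - The become password is taken from `ansible_pass`; supply it from Ansible
#   Vault or an extra-var at run time, never commit it beside this playbook.
# - Every account in `docker_users` gains root-equivalent access on the host
#   (docker group membership); keep that list to the people who need it.
- hosts: all
  become: true
  vars:
    # Privilege-escalation password is injected from outside this file.
    ansible_become_pass: '{{ ansible_pass }}'
    ansible_user: ansible
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: present

    - name: Copy nginx site config
      copy:
        src: files/bidchowder.conf
        # Explicit file path: this is the symlink target used by
        # "Update default enabled site" below.
        dest: /etc/nginx/sites-available/bidchowder.conf
        owner: root
        group: root
        mode: '0644'
      notify:
        - restart nginx

    - name: Create well-known directory
      file:
        path: /var/www/letsencrypt
        state: directory
        mode: '0755'

    - name: Install and configure certbot
      include_role:
        name: geerlingguy.certbot
      vars:
        certbot_auto_renew_user: root
        # Renewals use the webroot challenge, so nginx must serve
        # /.well-known/acme-challenge from /var/www/letsencrypt
        # (presumably done in files/bidchowder.conf — confirm).
        certbot_auto_renew_options: >-
          --quiet --no-self-upgrade --webroot -w /var/www/letsencrypt/
          --deploy-hook "systemctl reload nginx"
        certbot_create_if_missing: true
        # First issuance is standalone: certbot binds :80 itself, so nginx is
        # stopped for the duration (see certbot_create_standalone_stop_services).
        certbot_create_method: standalone
        # Quoted: an unquoted value starting with "[" parses as a flow sequence.
        certbot_admin_email: '[email protected]'
        certbot_create_standalone_stop_services: nginx
        certbot_certs:
          - domains:
              - www.bidchowder.com

    - name: Nginx cert directory
      file:
        path: /etc/nginx/certs
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Generate dh params
      # 2048-bit DH parameters for nginx's ssl_dhparam; `creates` keeps the
      # task idempotent so the (slow) generation runs only once per host.
      command: openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
      args:
        creates: /etc/nginx/certs/dhparams.pem

    - name: Update default enabled site
      file:
        state: link
        src: /etc/nginx/sites-available/bidchowder.conf
        dest: /etc/nginx/sites-enabled/default
      notify:
        - restart nginx

    - name: Add CI/CD group
      group:
        name: ci-cd

    # hook role sets a new_user variable (name, group, ssh_key_file are read below)
    - name: Install webhook handler
      include_role:
        name: hooks
      vars:
        hook_command_path: "{{ deploy_install_location }}"
        hook_user_groups:
          - ci-cd

    - name: Add script called by hooks
      copy:
        src: files/update-and-start-deploy.sh
        dest: "{{ deploy_install_location }}"
        owner: "{{ new_user.name }}"
        group: "{{ new_user.group }}"
        # Executable by the hook user and its group only; with no explicit
        # mode the copy would fall back to the umask and nothing guarantees
        # the execute bit.
        mode: '0750'

    - name: Add settings file used by deploy script
      template:
        src: templates/site-settings.sh.j2
        # deploy_install_dir is expected to carry a trailing slash — confirm.
        dest: "{{ deploy_install_dir }}site-settings.sh"
        owner: "{{ new_user.name }}"
        group: "{{ new_user.group }}"
        # Settings may hold credentials: readable by owner and group only.
        mode: '0660'

    - name: Create service for startup
      template:
        src: templates/start-bidsoup.service.j2
        dest: /etc/systemd/system/start-bidsoup.service
        mode: '0644'
      vars:
        run_user: "{{ new_user.name }}"

    - name: Enable start-bidsoup service
      systemd:
        name: start-bidsoup
        enabled: true
        # Make systemd pick up the freshly templated unit before enabling it.
        daemon_reload: true

    - name: Clone repo
      git:
        repo: '[email protected]:mardotio/bidsoup.git'
        dest: /var/code/bidsoup
        key_file: "{{ new_user.ssh_key_file }}"
        # force discards any local modifications in /var/code/bidsoup on every run.
        force: true
        umask: '002'
      # NOTE(review): accept_hostkey is left at its default (false), so the
      # GitHub host key must already be in known_hosts on the host. Pin it
      # with the known_hosts module rather than enabling accept_hostkey (TOFU).
      notify: setup repo permissions

    - name: Install Docker
      include_role:
        name: geerlingguy.docker
      vars:
        # Membership in the docker group is root-equivalent on the host.
        docker_users:
          - jayson
          - mardotio
          - "{{ new_user.name }}"

    - name: Create data mount directory
      file:
        path: /var/lib/bidsoup/data/prod
        state: directory
        group: docker
        # NOTE(review): 0774 leaves the production data directory readable by
        # every local account; tighten to '0770' unless an unprivileged
        # container user depends on the world-read bit.
        mode: '0774'

  handlers:
    - name: restart nginx
      systemd:
        name: nginx
        state: restarted

    # The three handlers below all listen on "setup repo permissions" and run,
    # in this order, after a fresh clone so the hook user and the ci-cd group
    # can write to the shared repository.
    - name: Set repo sharable
      # `command` rather than `shell`: no shell features are needed and the
      # argument string is static.
      command: git config --add core.sharedRepository group
      args:
        chdir: /var/code/bidsoup
      listen: setup repo permissions

    - name: Update repo permissions
      file:
        path: /var/code/bidsoup
        recurse: true
        # NOTE(review): hard-coded account; presumably the same user the hooks
        # role exposes as new_user.name — confirm and template it if so.
        owner: hooker
        group: ci-cd
      listen: setup repo permissions

    - name: Set .git directory to sticky group
      file:
        path: /var/code/bidsoup/.git
        # setgid on .git so objects created by any ci-cd member inherit the group.
        mode: 'g+s'
      listen: setup repo permissions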