diff --git a/roles/nextcloud_instance/readme.md b/roles/nextcloud_instance/readme.md
index c93e4d8c5de40596f1c29db8a0354b7fe6a6b62c..1902b8e0e6ecd6965fde17aaf91797e57d943fac 100644
--- a/roles/nextcloud_instance/readme.md
+++ b/roles/nextcloud_instance/readme.md
@@ -1,32 +1,39 @@ # Nextcloud -## Create a volume +## Files created -Requires hetzner cloud api : -Ref : https://docs.ansible.com/ansible/latest/collections/hetzner/hcloud/index.html#plugins-in-hetzner-hcloud - -sudo pip install cloud -ansible-galaxy collection install hetzner.hcloud - -./play.py vps11.paquerette.eu nc_tel install -e "hcloud_token=rUJSKemnDGElZiHF" --apply-tags=volumes +## Files modified -## Créer un volume +## Create new instance : Custom steps -Il est requis d'avoir l'API de hetzner (cloud) +### Create a volume -`sudo pip install cloud` +#### Why using volume ? +We choose to use volume for Nextcloud data storage. This has the following benefits :  -`ansible-galaxy collection install hetzner.hcloud` + - We use small VPS, this allow us to have nextcloud with big storage + - Changing space for client is only increasing storage volume + - Removing client is easier by removing volume + +#### How-To -`./play.py vps11.paquerette.eu nc_tel install -e "hcloud_token=rUJSKemnDGElZiHF" --apply-tags=volume` +Requires hetzner cloud api : +Ref : https://docs.ansible.com/ansible/latest/collections/hetzner/hcloud/index.html#plugins-in-hetzner-hcloud -## Créer une instance +sudo pip install cloud +ansible-galaxy collection install hetzner.hcloud +./play.py vps11.paquerette.eu nc_tel install -e "hcloud_token=MY_TOKEN" --apply-tags=volumes -## Mettre à jour une instance +## Update instance 1. Prévenir les clients concernés par un message sur un canal de leur choix 2. Vérifier les sauvegardes 3. Modifier les variables `app_version` et `app_old_version` pour les faire correspondre `app_old_version` à la version actuelle de `app_version` puis mettre dernière version voulu sur `app_version`. 4. 
Lancer la commande de mise à jour (en remplaçant les éléments) -`./play.py SERVEUR NOMINSTANCE upgrade` \ No newline at end of file +`./play.py SERVEUR NOMINSTANCE upgrade` + +## TODO improve role + + - [ ] improve documentation + - [ ] Create strong admin password \ No newline at end of file diff --git a/roles/postgres_server/readme.md b/roles/postgres_server/readme.md new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/rustform/README.md b/roles/rustform/README.md new file mode 100644 index 0000000000000000000000000000000000000000..9b817812f74043759533c8ecc4644651df825971 --- /dev/null +++ b/roles/rustform/README.md 
@@ -0,0 +1,67 @@ +# RustForm + +Install [RustForm](https://git.paquerette.eu/paquerette/developpements/rust-form) in the server. + +## Files created + +This role create the following files :  + + - **/etc/nginx/site-available/{{ app_instance_id }}.conf** + - **{{ binary_location }}** + - **/etc/systemd/system/{{ app_instance_id }}.service** + - **{{ app_instance_root}} + +## Files modified + +## Role dependency + +- _letsencrypt_certificate + +## Role Variables + +### Default + + - app_program: RustForm + - app_instance_root: "{{ www_root }}/{{ app_instance_id }}" + - app_instance_www_root: "{{ app_instance_root }}" + - app_port: 3200 + - binary_src: ./rust_form + - binary_location: /usr/local/bin/rust_form + - app_service: "{{ app_instance_id }}" + - rev_proxy: nginx + +### host_vars + +```yaml + app_instance_id + app_domain + mosparo : + privatekey: MY_PRIVATE_KEY + publickey: MY_PUBLIC_KEY + url: URL + clients: + - id: CLIENT_ID + email: "EMAIL@DOMAIN.TLD + subject: "SUBJECT PROMPT" + domain: "WEBSITE_DOMAIN" + mosparo: true/fals + mail: + from: MAIL@FROM.TLD + user: USER + pwd: "MY_STRONG_PASSWORD" + security: starttls + port: 587 + url: mail.server.tld + +## Role dependencies + + - _letsencrypt_certificate + +## Custom informations + + - You must compile and download binary before using role. + +## TODO + +- [ ] remove duplicate value like app_domain +- [ ] set more default values like mail port and security diff --git a/roles/rustform/defaults/main.yml b/roles/rustform/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..ce9c1dddd835241ed50b13ccc56cb6312ceb561a --- /dev/null +++ b/roles/rustform/defaults/main.yml 
@@ -0,0 +1,13 @@ +--- +app_program: RustForm +app_instance_root: "{{ www_root }}/{{ app_instance_id }}" +app_instance_www_root: "{{ app_instance_root }}" +app_port: 3200 +binary_src: ./rust_form +binary_location: /usr/local/bin/rust_form +app_service: "{{ app_instance_id }}" +rev_proxy: nginx + +clients: + - {id: site_paquerette, email: paq@example.com, subject: Test, domain: paq.domain, mosparo: true} + - {id: site_test, email: test@example.com, subject: Test, domain: test.domain, mosparo: false} diff --git a/roles/rustform/handlers/main.yml b/roles/rustform/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..404fdcbeea439f6a3988377f8f5bfcdb2e6a5af1 --- /dev/null +++ b/roles/rustform/handlers/main.yml @@ -0,0 +1,10 @@ +--- +# handlers file for rustform +- name: reload {{ rev_proxy }} + service: name={{ rev_proxy }} state=reloaded + +- name: restart {{ app_service }} service + service: + name: "{{ app_service }}" + state: restarted + \ No newline at end of file diff --git a/roles/rustform/tasks/install.yml b/roles/rustform/tasks/install.yml new file mode 100644 index 0000000000000000000000000000000000000000..78ffed099daa73443b93755ccd138a453beb3199 --- /dev/null +++ b/roles/rustform/tasks/install.yml 
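Review bot: `clients` in defaults/main.yml ships two concrete entries (`site_paquerette` / `paq@example.com` and `site_test` / `test@example.com`) instead of an empty list, so any host that does not override the variable gets a mail-form route for those addresses and domains rendered into config.toml and exposed behind nginx. Role defaults should not carry live-looking routing data; set `clients: []` here and keep the examples in the README, which already documents the per-host shape under host_vars. If the application refuses an empty `[clients]` table, document `clients` as a mandatory host variable rather than defaulting it.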
@@ -0,0 +1,48 @@
+---
+
+- name: create directory
+  file:
+    path: "{{ app_instance_root }}"
+    state: directory
+
+- name: Create LetsEncrypt certificate
+  import_role:
+    name: _letsencrypt_certificate
+
+- name: Copy from binary from the Tower
+  copy:
+    src: "{{ binary_src }}"
+    dest: "{{ binary_location }}"
+    remote_src: false
+    mode: '0755'
+
+- name: Template configuration
+  template:
+    src: config.j2
+    dest: "{{ app_instance_root }}/config.toml"
+
+- name: systemd configuration
+  template:
+    src: service.j2
+    dest: "/etc/systemd/system/{{ app_instance_id }}.service"
+
+- name: "start service {{ app_service }}"
+  systemd:
+    name: "{{ app_service }}"
+    state: started
+    enabled: yes
+    daemon_reload: yes
+
+- name: nginx configuration
+  template:
+    src: nginx.j2
+    dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf"
+
+- name: "enable site for {{ app_domain }}"
+  file:
+    state: link
+    path: "/etc/{{ rev_proxy }}/sites-enabled/{{ app_instance_id }}.conf"
+    src: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf"
+    notify: reload {{ rev_proxy }}
+
+
diff --git a/roles/rustform/tasks/main.yml b/roles/rustform/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e773e015adb1e85c074360765eda5209ced1ae49
--- /dev/null
+++ b/roles/rustform/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- import_tasks: install.yml
+  when: app_run in ['install', 'reinstall']
+
+- import_tasks: upgrade.yml
+  when: app_run == 'upgrade'
+
+- import_tasks: uninstall.yml
+  when: app_run == 'uninstall'
\ No newline at end of file
diff --git a/roles/rustform/tasks/uninstall.yml b/roles/rustform/tasks/uninstall.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/roles/rustform/tasks/upgrade.yml b/roles/rustform/tasks/upgrade.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
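Review bot: In the `enable site for {{ app_domain }}` task, `notify: reload {{ rev_proxy }}` is indented at the level of `src:`/`path:`, i.e. inside the `file:` arguments rather than at task level, so as rendered here the module should reject it as an unsupported parameter and the task fails before the handler is ever queued; dedent it to `  notify: reload {{ rev_proxy }}` beside `file:`. The `Template configuration` task writes config.toml — which carries `mail.pwd` and the mosparo private key — without a `mode`, so the file takes the remote default permissions, typically world-readable; add `mode: '0600'` plus an `owner`/`group` matching the account the service runs as. Neither the config nor the systemd template task notifies `restart {{ app_service }} service`, so a later run that rotates the SMTP password or edits a client leaves the running process on the old configuration until it is restarted by hand; add `notify: restart {{ app_service }} service` to both template tasks (the handler is defined in handlers/main.yml in this commit).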
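Review bot: `import_tasks: upgrade.yml` and `import_tasks: uninstall.yml` point at files this commit adds empty (both carry the empty-blob index `e69de29b…`), so `app_run == 'upgrade'` and `app_run == 'uninstall'` currently do nothing and the README's "Update instance" procedure has no backing for this role. Because `import_tasks` is resolved at parse time regardless of `when`, an empty task file may also be rejected on some Ansible versions rather than treated as an empty list, which would break every mode of the role, not just those two — worth confirming on the target version. Either drop the two imports until the files have content, or give each file a single explicit task such as `- fail: msg="rustform upgrade is not implemented yet"` so the unimplemented mode is reported instead of silently succeeding.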
diff --git a/roles/rustform/templates/config.j2 b/roles/rustform/templates/config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e8e2908ba5100487624c1f39b323fbf9070dbe72
--- /dev/null
+++ b/roles/rustform/templates/config.j2
@@ -0,0 +1,36 @@
+port = {{ app_port }}
+
+[smtp]
+<<<<<<< HEAD
+mail_from = "{{ mail.from}}"
+user = "{{ mail.user }}"
+password = "{{ mail.pwd }}"
+security = "{{ mail.security }}"
+port = {{ mail.port }}
+url = "{{ mail.url }}"
+mail_from = "{{ mail.from }}"
+user = "{{ mail.user }}"
+password = "{{ mail.pwd }}"
+security = "{{ mail.security }}"
+url = "{{ mail.url }}"
+>>>>>>> b4e5402 (don't use empty var)
+
+
+{% if mosparo %}
+[mosparo]
+privatekey = "{{ mosparo.privatekey }}"
+publickey = "{{ mosparo.publickey }}"
+url = "{{ mosparo.url }}"
+{% endif %}
+
+[clients]
+
+{% for client in clients %}
+[clients.{{ client.id }}]
+    mail = "{{ client.email }}"
+    subject = "{{ client.subject }}"
+    domain = "{{ client.domain }}"
+    mosparo = {{ client.mosparo }}
+{% endfor %}
+
+
diff --git a/roles/rustform/templates/nginx.j2 b/roles/rustform/templates/nginx.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c419f9d8f9569f88e698ea207e0f46ef404ab325
--- /dev/null
+++ b/roles/rustform/templates/nginx.j2
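Review bot: The `[smtp]` table still contains an unresolved merge (`<<<<<<< HEAD` … `>>>>>>> b4e5402 (don't use empty var)`, with the `=======` separator already gone), so the rendered config.toml carries two literal conflict-marker lines and every smtp key twice (`mail_from`, `user`, `password`, `security`, `url`), which is invalid TOML and will stop the service from starting. Keep a single block; the second copy omits `port`, which matches the "don't use empty var" message, but the README documents `mail.port: 587`, so confirm which version was intended before picking one. `mosparo = {{ client.mosparo }}` renders the Ansible boolean as `True`/`False`, which TOML does not accept, so use `mosparo = {{ client.mosparo | lower }}` (or `| to_json`). `{% if mosparo %}` also fails with an undefined-variable error on hosts that have no `mosparo` block, since neither defaults nor vars define one and Ansible errors on undefined variables by default; `{% if mosparo is defined and mosparo %}` keeps the section optional as the README implies.
```jinja
[smtp]
mail_from = "{{ mail.from }}"
user = "{{ mail.user }}"
password = "{{ mail.pwd }}"
security = "{{ mail.security }}"
port = {{ mail.port }}
url = "{{ mail.url }}"

{% if mosparo is defined and mosparo %}
{# … unchanged: [mosparo] table … #}
{% endif %}

{# … unchanged: [clients] header and client loop … #}
    mosparo = {{ client.mosparo | lower }}
```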
@@ -0,0 +1,71 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ app_domain }};
+    # enforce https
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ app_domain }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;
+
+    # Add headers to serve security related headers
+    # Before enabling Strict-Transport-Security headers please read into this
+    # topic first.
+    # add_header Strict-Transport-Security "max-age=15768000;
+    # includeSubDomains; preload;";
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag
+    add_header X-Download-Options noopen;
+    add_header Strict-Transport-Security "max-age=15768000";
+
+
+    access_log /mnt/vdb/log/nginx/{{ app_instance_id }}/access.log;
+    error_log /mnt/vdb/log/nginx/{{ app_instance_id }}/error.log;
+
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+    location ~ /\. 
{
+        deny all;
+    }
+
+    # When site is in maintenance a maintenance.html file si present in root
+    # All the site is in 503
+    if (-f $document_root/maintenance.html) {
+        return 503;
+    }
+
+    # error 503 redirect to mainteance.html
+    error_page 503 @maintenance;
+    location @maintenance {
+        rewrite ^(.*)$ /maintenance.html break;
+    }
+
+    location / {
+        proxy_pass http://localhost:{{ app_port }}/ ;
+    }
+}
diff --git a/roles/rustform/templates/service.j2 b/roles/rustform/templates/service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..277bb32969fdb421157d2345a1602e6977c41741
--- /dev/null
+++ b/roles/rustform/templates/service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=service d'envoi de mail à partir d'un formulaire
+ConditionFileIsExecutable={{ binary_location }}
+
+[Service]
+ExecStart={{ binary_location }}
+WorkingDirectory={{ app_instance_root }}
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/rustform/vars/main.yml b/roles/rustform/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7c66ce3cd1a26f229e5f28bc7c492acc4418430a
--- /dev/null
+++ b/roles/rustform/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for rustform
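Review bot: `location /` hands requests to the backend with a bare `proxy_pass` and no `proxy_set_header` lines, so RustForm sees every submission as coming from 127.0.0.1 with `Host: localhost`; if the application logs, rate-limits or validates by client address or host name, it is blind behind this proxy and nginx's access log becomes the only record of who submitted a form. Forward `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` as below. The `access_log`/`error_log` directives point at `/mnt/vdb/log/nginx/{{ app_instance_id }}/`, a directory nothing in this commit creates (install.yml only creates `app_instance_root`), so unless another role provisions it the `reload nginx` handler will fail on a fresh host — worth confirming. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore; harmless, but a `Content-Security-Policy` header would give the form page protection that actually applies.
```nginx
    # … unchanged: redirect server, TLS, security headers, maintenance handling …
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:{{ app_port }}/ ;
    }
```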
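Review bot: The `[Service]` section sets no `User=`/`Group=`, so the form handler — a network-facing process that reads the SMTP credentials and mosparo private key from config.toml — runs as root, and any flaw in request or template handling is a root-level flaw. Run it under a dedicated unprivileged account (created in tasks/install.yml, outside this hunk, with `app_instance_root` and config.toml owned by it) and add the standard sandboxing directives; the name below reuses `app_service` as the account name, but a separate variable would do as well. `Restart=on-failure` is also absent, so a crash leaves the site answering 502 from nginx until someone notices. `ProtectSystem=full` keeps `/usr/local/bin` and `/etc` read-only while leaving `app_instance_root` writable; tighten to `strict` with `ReadWritePaths=` only if the binary is known not to write elsewhere.
```ini
[Service]
User={{ app_service }}
Group={{ app_service }}
ExecStart={{ binary_location }}
WorkingDirectory={{ app_instance_root }}
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```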