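---
# Provisions the main server: pf, a jail host, three jails, haproxy as the
# TCP/HTTP front for the jails, and certbot (with nginx serving the ACME
# webroot) for the certificates haproxy terminates.
- name: Setup the main server
  hosts: datagubbe.dev
  become: true
  vars:
    jailbase: "/usr/local/jails"
    jailset: "poolen/jails"
    # Registration contact passed to certbot for every certificate below.
    certbot_email: "albert@acervin.com"
    # Per-jail settings consumed by the `jail` role and haproxy.conf.j2.
    # `certificates` lists the names certbot must obtain; `haproxy_conf` is
    # pasted into the haproxy config. IPv6 literals in server lines are
    # bracketed so the trailing :port cannot be confused with the address.
    jails:
      gubbhub:
        name: gubbhub
        ip: "2a01:4f9:2b:f05::2/64"
        tags: gubbhub
        additional_data_sets:
          - gitdata
        certificates:
          - git.datagubbe.dev
        haproxy_conf: |
          frontend git-ssh from tcp
            mode tcp
            bind :2224
            default_backend gubbhub
          backend gubbhub from tcp
            server srv [2a01:4f9:2b:f05::2]:22
          backend git.datagubbe.dev from http
            server srv [2a01:4f9:2b:f05::2]:80
      hallosbacken:
        name: hallosbacken
        ip: "2a01:4f9:2b:f05::3/64"
        tags: hallosbacken
        additional_data_sets:
          - wp_data
      datagubbe:
        name: datagubbe
        ip: "2a01:4f9:2b:f05::4/64"
        tags: datagubbe
        certificates:
          - datagubbe.dev
        haproxy_conf: |
          backend datagubbe from http
            server srv [2a01:4f9:2b:f05::4]:80
  roles:
    - pf
    - jailhost
    - role: jail
      jail: "{{ jails.gubbhub }}"
      tags: "{{ jails.gubbhub.tags }}"
    - role: jail
      jail: "{{ jails.hallosbacken }}"
    - role: jail
      jail: "{{ jails.datagubbe }}"
  tasks:
    - name: configure periodic to be less chatty
      ansible.builtin.copy:
        # periodic.conf is sourced by sh; the values must use plain ASCII
        # double quotes or the *_show_success settings are not recognised.
        content: |
          # i do not need to know this
          daily_show_success="NO"
          weekly_show_success="NO"
          monthly_show_success="NO"
          # enable our certbot renew script
          daily_renewcerts_enable="YES"
        dest: /etc/periodic.conf
        mode: "0644"

    - name: install jq
      community.general.pkgng:
        name: "jq"
        state: latest

    - name: install haproxy
      community.general.pkgng:
        name: "haproxy"
        state: latest

    - name: create haproxy user
      ansible.builtin.user:
        name: haproxy
        system: true

    # Rendered once now (no certificates yet) so haproxy can start, and again
    # below once the certificates exist.
    - name: config for haproxy
      ansible.builtin.template:
        src: haproxy.conf.j2
        dest: /usr/local/etc/haproxy.conf
      notify: reload haproxy

    - name: enable haproxy service
      community.general.sysrc:
        name: haproxy_enable
        value: "YES"
      notify: start haproxy

    - name: install certbot and nginx
      community.general.pkgng:
        name:
          - security/py-certbot
          - nginx
        state: latest

    - name: nginx config for certbot
      ansible.builtin.template:
        src: templates/nginx-certbot.conf.j2
        dest: /usr/local/etc/nginx/nginx.conf
      vars:
        root: /var/www/html
      notify: reload nginx

    - name: enable nginx
      community.general.sysrc:
        name: nginx_enable
        value: "YES"

    # `started`, not `reloaded`: on a fresh host nginx is not running yet and
    # `service nginx reload` fails. Config changes reach nginx through the
    # `reload nginx` handler instead.
    - name: start nginx
      ansible.builtin.service:
        name: nginx
        state: started

    - name: create cert hook for haproxy
      ansible.builtin.copy:
        # certbot deploy hook: bundle fullchain + private key into the single
        # PEM haproxy expects. RENEWED_LINEAGE is exported by certbot (and set
        # explicitly by the playbook on first issuance). The bundle holds the
        # private key, so it is written 0600 under a 0700 directory with a
        # restrictive umask, then moved into place atomically.
        content: |
          #! /usr/bin/env sh
          set -eu
          umask 077
          certdir=/usr/local/etc/haproxy/certs
          mkdir -p "$certdir"
          chmod 0700 "$certdir"
          domain=$(basename "$RENEWED_LINEAGE")
          tmp="$certdir/$domain.pem.tmp"
          cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "$tmp"
          chmod 0600 "$tmp"
          mv -f "$tmp" "$certdir/$domain.pem"
          chown -R haproxy:haproxy /usr/local/etc/haproxy
        dest: /usr/local/etc/letsencrypt/renewal-hooks/deploy/create-haproxy-cert
        # Quoted: an unquoted 755 is decimal 755, not octal 0755.
        mode: "0755"

    # Every `certificates` entry across all jails, flattened into one list.
    - name: set needed certs
      ansible.builtin.set_fact:
        certificates: >-
          {{ jails | dict2items
             | selectattr('value.certificates', 'defined')
             | map(attribute='value.certificates')
             | list | flatten }}

    # `set -e` stops the script if certbot fails, so the deploy hook is not
    # run against a lineage that does not exist. `creates` skips names that
    # already have a lineage.
    - name: "obtain cert for {{ item }}"
      ansible.builtin.shell:
        cmd: |
          set -eu
          certbot \
            --non-interactive \
            --email {{ certbot_email | quote }} \
            --agree-tos \
            certonly \
            --webroot \
            --webroot-path /var/www/html \
            -d {{ item | quote }}
          RENEWED_LINEAGE=/usr/local/etc/letsencrypt/live/{{ item | quote }} \
            /usr/local/etc/letsencrypt/renewal-hooks/deploy/create-haproxy-cert
        creates: "/usr/local/etc/letsencrypt/live/{{ item }}"
      loop: "{{ certificates }}"

    - name: create daily job for updating certs
      ansible.builtin.copy:
        src: ./10-renewcerts
        dest: /usr/local/etc/periodic/daily/10-renewcerts
        mode: "a=rx,u=rwx"

    - name: config for haproxy (with certs)
      ansible.builtin.template:
        src: haproxy.conf.j2
        dest: /usr/local/etc/haproxy.conf
      notify: reload haproxy

    - name: Setup datagubbe
      ansible.builtin.import_tasks: jails/datagubbe/tasks.yaml
      vars:
        jail: "{{ jails.datagubbe }}"
        certs:
          - /usr/local/etc/certs/datagubbe.dev.pem
      tags: datagubbe-setup

    - name: Setup the gubbhub
      ansible.builtin.import_tasks: jails/gubbhub/tasks.yaml
      vars:
        jail: "{{ jails.gubbhub }}"
      tags: gubbhub-setup

    - name: Make sure packages are up to date
      community.general.pkgng:
        name: "*"
        state: latest

  handlers:
    # Handlers run in the order they are defined here. `start haproxy` is
    # listed first so that on a fresh host haproxy is running before
    # `reload haproxy` (notified by the config tasks on the same run) asks it
    # to reload.
    - name: start haproxy
      ansible.builtin.service:
        name: haproxy
        state: started

    - name: reload haproxy
      ansible.builtin.shell: >-
        /usr/local/etc/rc.d/haproxy configtest &&
        /usr/local/etc/rc.d/haproxy reload

    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded

    - name: restart sshd in jail
      jexec:
        jail: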