Verified Commit fb6b4643 authored by Tomáš Sapák's avatar Tomáš Sapák
Browse files

rename master

parent b8a37998
[stable]
stable.ics.muni.cz
[barn]
barn.ics.muni.cz
[slaves]
147.251.21.252
......
---
- name: Install nginx
apt: name=nginx state=latest
- name: install letsencrypt
apt: name=letsencrypt state=latest
- name: create letsencrypt directory
file: name=/var/www/letsencrypt state=directory
- name: Remove default nginx config
file: name=/etc/nginx/sites-enabled/default state=absent
- name: Install system nginx config
template:
src: templates/nginx.conf.j2
dest: /etc/nginx/nginx.conf
- name: Install nginx site for letsencrypt requests
template:
src: templates/nginx-http.j2
dest: /etc/nginx/sites-enabled/http
- name: Reload nginx to activate letsencrypt site
service: name=nginx state=restarted
- name: Create letsencrypt certificate
shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }}
args:
creates: /etc/letsencrypt/live/{{ domain_name }}
- name: Generate dhparams
shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
args:
creates: /etc/nginx/dhparams.pem
- name: Install nginx site for specified site
template:
src: templates/nginx-le.j2
dest: /etc/nginx/sites-enabled/le
- name: Reload nginx to activate specified site
service: name=nginx state=restarted
- name: Add letsencrypt cronjob for cert renewal
cron:
name: letsencrypt_renewal
special_time: weekly
job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
server_tokens off;
server {
listen 80 default_server;
server_name {{ domain_name }};
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
upstream rancher {
server localhost:8080;
}
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
listen 443 ssl;
server_name {{ domain_name }};
root /var/www/html;
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://rancher;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 900s;
}
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
......@@ -10,7 +10,7 @@
- name: Create a rancher container
docker_container:
name: rancher
image: rancher/server:preview
image: rancher/rancher:v2.0.0
restart_policy: unless-stopped
ports:
- "8080:80"
......
- hosts: stable
- hosts: barn
gather_facts: False
remote_user: "{{ REMOTE_USER }}"
become: "{{ BECOME }}"
......@@ -6,17 +6,18 @@
- name: Install python for Ansible
raw: test -e /usr/bin/python || (test -e /usr/bin/apt && apt -y update && apt install -y python-minimal; test -e /usr/bin/yum && yum install -y python2 python-simplejson )
changed_when: False
- setup: # aka gather_facts
- setup:
- name: Setup linux
hosts: stable
hosts: barn
remote_user: "{{ REMOTE_USER }}"
become: "{{ BECOME }}"
roles:
- ssh-key
- vim
- base-system
# - docker
- docker
- { role: vmware-tools, when: ansible_virtualization_type == "VMware" }
- rancher
- { role: nginx-le, vars: { letsencrypt_email: 'sapakt@ics.muni.cz', domain_name: 'barn.ics.muni.cz' } }
- upgrade-reboot
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment