deploy an engelsystem named AES
This commit is contained in:
parent
b536e5c2fb
commit
d5285a3fd2
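--- a/inventories/z9/host_vars/engelsystem.yaml
+++ b/inventories/z9/host_vars/engelsystem.yaml
@@ -0,0 +1,14 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/compose.yaml') }}"
+docker_compose__configuration_files: []
+
+cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
+cert__domains:
+- "aes.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: true
+nginx__configurations:
+- name: aes.ccchh.net
+content: "{{ lookup('ansible.builtin.file', 'configs/engelsystem/nginx/aes.ccchh.net.conf') }}"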
@ -34,3 +34,6 @@ all:
|
|||
mailserver-endpoint:
|
||||
ansible_host: mailserver-endpoint.ccchh.net
|
||||
ansible_user: chaos
|
||||
engelsystem:
|
||||
ansible_host: engelsystem.z9.ccchh.net
|
||||
ansible_user: chaos
|
||||
|
|
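--- a/playbooks/deploy_engelsystem.yaml
+++ b/playbooks/deploy_engelsystem.yaml
@@ -0,0 +1,20 @@
+---
+- name: Configure engelsystem.z9 with engelsystem
+hosts: engelsystem
+roles:
+- nginx
+- cert
+- docker
+- docker_compose
+pre_tasks:
+- name: Install git
+ansible.builtin.apt:
+name: git
+state: present
+- name: Clone engelsystem repo
+ansible.builtin.git:
+repo: https://github.com/engelsystem/engelsystem.git
+dest: "{{ ansible_user_dir }}/engelsystem"
+version: main
+force: true
+update: false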
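Review bot: The clone task checks out `version: main` of the upstream repository, and the compose file in this commit builds the `es_server` image from that checkout, so what gets deployed is whatever the floating branch contains at first run rather than a reviewed release. Pinning to a release tag or commit, e.g. `version: "<engelsystem release tag or commit sha>"` with a comment naming the release it corresponds to, makes the deployment reproducible and turns an upgrade into an explicit, reviewable change. With `update: false` a re-run never moves an existing checkout, so hosts deployed at different times would silently diverge on `main`; with a pinned version that flag can stay as it is. `force: true` discards local modifications in the checkout on the host, which is reasonable for a pure build context but worth a one-line comment so nobody edits the tree in place and loses the changes.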
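--- a/playbooks/files/configs/engelsystem/compose.yaml
+++ b/playbooks/files/configs/engelsystem/compose.yaml
@@ -0,0 +1,49 @@
+---
+version: "3.6"
+services:
+es_server:
+image: es_server
+build:
+context: /home/chaos/engelsystem
+dockerfile: /home/chaos/engelsystem/docker/Dockerfile
+environment:
+MYSQL_HOST: es_database
+MYSQL_USER: engelsystem
+MYSQL_PASSWORD: engelsystem
+MYSQL_DATABASE: engelsystem
+APP_NAME: CCCamp2023 Alternative Engelsystem
+APP_URL: https://aes.ccchh.net
+MAIL_DRIVER: smtp
+MAIL_FROM_ADDRESS: aes@send-only-mail.ccchh.net
+MAIL_HOST: send-only-mailserver.ccchh.net
+MAIL_PORT: 465
+MAIL_ENCRYPTION: tls
+# MAIL_USERNAME and MAIL_PASSWORD are loaded from env file
+env_file:
+- engelsystem_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
+ports:
+- "5080:80"
+networks:
+- database
+- internet
+depends_on:
+- es_database
+es_database:
+image: mariadb:10.2
+environment:
+MYSQL_DATABASE: engelsystem
+MYSQL_USER: engelsystem
+MYSQL_PASSWORD: engelsystem
+MYSQL_RANDOM_ROOT_PASSWORD: 1
+MYSQL_INITDB_SKIP_TZINFO: "yes"
+volumes:
+- db:/var/lib/mysql
+networks:
+- database
+volumes:
+db: {}
+
+networks:
+database:
+internal: true
+internet: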
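Review bot: The `ports: - "5080:80"` entry on `es_server` publishes the application's plain-HTTP port on every host interface, so the app is reachable directly on :5080 and bypasses the nginx vhost (TLS, HSTS and the Forwarded/X-Forwarded-* handling); since the nginx config in this commit only proxies to `127.0.0.1:5080`, bind it to loopback: `- "127.0.0.1:5080:80"`. On a default Docker install published ports are also wired into Docker's own iptables chain ahead of host rules, so do not assume a host firewall covers this. Separately, `MYSQL_PASSWORD: engelsystem` is hard-coded in both services while the mail credentials are already sourced from `engelsystem_secrets.env`; the database sits on the `internal: true` network, but the password still lands in version control, so drop it from both `environment:` blocks, put it in the env file and add the same `env_file:` entry to `es_database`. `mariadb:10.2` is an old release series; confirm it still receives security updates before building on it.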
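--- a/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
+++ b/playbooks/files/configs/engelsystem/nginx/aes.ccchh.net.conf
@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+# Listen on a custom port for the proxy protocol.
+listen 8443 ssl http2 proxy_protocol;
+# Make use of the ngx_http_realip_module to set the $remote_addr and
+# $remote_port to the client address and client port, when using proxy
+# protocol.
+# First set our proxy protocol proxy as trusted.
+set_real_ip_from 10.31.206.14;
+# Then tell the realip_module to get the addreses from the proxy protocol
+# header.
+real_ip_header proxy_protocol;
+
+server_name aes.ccchh.net;
+
+ssl_certificate /etc/ansible_certs/certs/aes.ccchh.net/fullchain.pem;
+ssl_certificate_key /etc/ansible_certs/certs/aes.ccchh.net/privkey.pem;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /etc/ansible_certs/certs/aes.ccchh.net/chain.pem;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port 443;
+# This is https in any case.
+proxy_set_header X-Forwarded-Proto https;
+# Hide the X-Forwarded header.
+proxy_hide_header X-Forwarded;
+# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+# is transparent).
+# Also provide "_hidden" for by, since it's not relevant.
+proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+location / {
+proxy_pass http://127.0.0.1:5080/;
+}
+}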
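Review bot: `set_real_ip_from 10.31.206.14;` trusts the same address that the stream map in this commit routes the vhost to (`aes.ccchh.net 10.31.206.14:8443;`), which reads like this host's own address rather than the address the proxy-protocol proxy connects from; if that is the case the realip module never accepts the PROXY header, `$remote_addr` stays the proxy's IP, and X-Real-IP, X-Forwarded-For and Forwarded all carry the proxy instead of the client, so please confirm the stream proxy's source address and list that one (and only that one, since anything listed there can spoof client IPs). Also, the comment above `ssl_trusted_certificate` says the OCSP response chain is verified, but `ssl_stapling on;` and `ssl_stapling_verify on;` from the referenced Mozilla profile are absent, so no stapling or verification takes place; either add both directives or reword the comment to `# chain used for OCSP stapling verification once ssl_stapling is enabled`. The `add_header Strict-Transport-Security` line reaches responses from `location /` only because that block sets no `add_header` of its own, which is worth a short comment so the header is not silently lost when one is added there later.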
@ -18,6 +18,7 @@ stream {
|
|||
map $ssl_preread_server_name $address {
|
||||
wiki.ccchh.net 10.31.206.13:8443;
|
||||
id.ccchh.net 10.31.206.12:8443;
|
||||
aes.ccchh.net 10.31.206.14:8443;
|
||||
default 127.0.0.1:8443;
|
||||
}
|
||||
|
||||
|
|