
Deploy ansible configuration to created instances

master
lavenderguitar 3 years ago
parent
commit
1802a80cbd
  1. 5
      ansible/ansible.cfg
  2. 3
      ansible/galaxy_roles/caddy-ansible/.ansible-lint
  3. 49
      ansible/galaxy_roles/caddy-ansible/.github/workflows/ci.yml
  4. 4
      ansible/galaxy_roles/caddy-ansible/.gitignore
  5. 6
      ansible/galaxy_roles/caddy-ansible/.yamllint
  6. 21
      ansible/galaxy_roles/caddy-ansible/LICENSE
  7. 213
      ansible/galaxy_roles/caddy-ansible/README.md
  8. 49
      ansible/galaxy_roles/caddy-ansible/Vagrantfile
  9. 2
      ansible/galaxy_roles/caddy-ansible/ansible.cfg
  10. 31
      ansible/galaxy_roles/caddy-ansible/defaults/main.yml
  11. 12
      ansible/galaxy_roles/caddy-ansible/handlers/main.yml
  12. 28
      ansible/galaxy_roles/caddy-ansible/meta/main.yml
  13. 16
      ansible/galaxy_roles/caddy-ansible/molecule/default/converge.yml
  14. 28
      ansible/galaxy_roles/caddy-ansible/molecule/default/molecule.yml
  15. 38
      ansible/galaxy_roles/caddy-ansible/molecule/default/tests/test_default.py
  16. 21
      ansible/galaxy_roles/caddy-ansible/tasks/github-extract.yml
  17. 22
      ansible/galaxy_roles/caddy-ansible/tasks/github-url.yml
  18. 143
      ansible/galaxy_roles/caddy-ansible/tasks/main.yml
  19. 18
      ansible/galaxy_roles/caddy-ansible/tasks/packages-apt.yml
  20. 1
      ansible/galaxy_roles/caddy-ansible/tasks/packages-dnf.yml
  21. 1
      ansible/galaxy_roles/caddy-ansible/tasks/packages-pacman.yml
  22. 1
      ansible/galaxy_roles/caddy-ansible/tasks/packages-yum.yml
  23. 17
      ansible/galaxy_roles/caddy-ansible/tasks/preflight.yml
  24. 2
      ansible/galaxy_roles/caddy-ansible/templates/Caddyfile.j2
  25. 73
      ansible/galaxy_roles/caddy-ansible/templates/caddy.service
  26. 1
      ansible/galaxy_roles/caddy-ansible/tests/inventory
  27. 8
      ansible/galaxy_roles/caddy-ansible/tests/playbook.yml
  28. 27
      ansible/galaxy_roles/caddy-ansible/vars/main.yml
  29. 20
      ansible/galaxy_roles/jekyll-site/README.md
  30. 12
      ansible/galaxy_roles/jekyll-site/defaults/main.yml
  31. 13
      ansible/galaxy_roles/jekyll-site/meta/main.yml
  32. 12
      ansible/galaxy_roles/jekyll-site/tasks/dependencies.yml
  33. 41
      ansible/galaxy_roles/jekyll-site/tasks/deploy_user.yml
  34. 48
      ansible/galaxy_roles/jekyll-site/tasks/install_ruby.yml
  35. 22
      ansible/galaxy_roles/jekyll-site/tasks/main.yml
  36. 2
      ansible/galaxy_roles/linode-preflight/README.md
  37. 17
      ansible/galaxy_roles/linode-preflight/defaults/main.yml
  38. 6
      ansible/galaxy_roles/linode-preflight/handlers/main.yml
  39. 9
      ansible/galaxy_roles/linode-preflight/meta/main.yml
  40. 40
      ansible/galaxy_roles/linode-preflight/tasks/add_user.yml
  41. 9
      ansible/galaxy_roles/linode-preflight/tasks/ansible_dependencies.yml
  42. 49
      ansible/galaxy_roles/linode-preflight/tasks/firewall.yml
  43. 5
      ansible/galaxy_roles/linode-preflight/tasks/main.yml
  44. 12
      ansible/galaxy_roles/linode-preflight/tasks/oh-my-bash.yml
  45. 27
      ansible/galaxy_roles/linode-preflight/tasks/preflight.yml
  46. 4
      ansible/galaxy_roles/linode-preflight/templates/etc/apt/apt.conf.d/10periodic.j2
  47. 123
      ansible/galaxy_roles/linode-preflight/templates/etc/ssh/sshd_config.j2
  48. 10
      ansible/inventories/common/group_vars/all/main.yml
  49. 1
      ansible/inventories/production/group_vars/all/common-main.yml
  50. 14
      ansible/inventories/production/group_vars/all/main.yml
  51. 7
      ansible/inventories/production/hosts
  52. 9
      ansible/requirements.yml
  53. 6
      ansible/roles/web-server/handlers/main.yml
  54. 21
      ansible/roles/web-server/tasks/main.yml
  55. 26
      ansible/roles/web-server/templates/etc/caddy/Caddyfile.j2
  56. 18
      ansible/site.yml

5
ansible/ansible.cfg

@ -0,0 +1,5 @@
[defaults]
remote_user=admin
become=True
roles_path=galaxy_roles/
vault_password_file=./.vault_pass
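Review bot: `vault_password_file=./.vault_pass` points at a plaintext secret inside the ansible/ tree, and nothing in this commit's file list excludes it from version control — the only .gitignore added is the vendored caddy role's. Add an `ansible/.gitignore` entry for `.vault_pass`, or point the option outside the checkout (`vault_password_file=~/.vault_pass`), or use a password script that reads the secret from a store. `become=True` as a global default also makes every task of every role escalate, which is why tasks below that omit `become` still work; setting `become` per play or task keeps the privilege boundary visible in the playbook.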

3
ansible/galaxy_roles/caddy-ansible/.ansible-lint

@ -0,0 +1,3 @@
---
skip_list:
- 'role-name' # Role name caddy-ansible does not match `^[a-z][a-z0-9_]+$` pattern

49
ansible/galaxy_roles/caddy-ansible/.github/workflows/ci.yml

@ -0,0 +1,49 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "30 7 * * 3"
defaults:
run:
working-directory: 'caddy_ansible.caddy_ansible'
jobs:
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- fedora29
- ubuntu2004
- ubuntu1804
- debian10
- debian9
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'caddy_ansible.caddy_ansible'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible ansible-lint yamllint molecule[docker] pytest testinfra
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}

4
ansible/galaxy_roles/caddy-ansible/.gitignore

@ -0,0 +1,4 @@
.vagrant
*.retry
.molecule
__pycache__/

6
ansible/galaxy_roles/caddy-ansible/.yamllint

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

21
ansible/galaxy_roles/caddy-ansible/LICENSE

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2015 Lorenz Bischof
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

213
ansible/galaxy_roles/caddy-ansible/README.md

@ -0,0 +1,213 @@
[![Build Status](https://travis-ci.org/caddy-ansible/caddy-ansible.svg?branch=master)](https://travis-ci.org/caddy-ansible/caddy-ansible)
[![Galaxy Role](https://img.shields.io/badge/ansible--galaxy-caddy-blue.svg)](https://galaxy.ansible.com/caddy_ansible/caddy_ansible/)
# Caddy Ansible Role
<!-- toc -->
- [Dependencies](#dependencies)
- [Role Variables](#role-variables)
* [The Caddyfile](#the-caddyfile)
* [The OS to download caddy for](#the-os-to-download-caddy-for)
* [Auto update Caddy?](#auto-update-caddy)
* [Additional Available Packages](#additional-available-packages)
* [Use `setcap`?](#use-setcap)
* [Use systemd capabilities controls](#use-systemd-capabilities-controls)
* [Add additional environment variables](#add-additional-environment-variables)
* [Use additional CLI arguments](#use-additional-cli-arguments)
* [Use a GitHub OAuth token to request the list of caddy releases](#use-a-github-oauth-token-to-request-the-list-of-caddy-releases)
- [Example Playbooks](#example-playbooks)
- [Debugging](#debugging)
- [Contributing](#contributing)
<!-- tocstop -->
This role installs and configures the caddy web server. The user can specify any http configuration parameters they wish to apply their site. Any number of sites can be added with configurations of your choice.
## Dependencies
None
## Role Variables
### The Caddyfile
See [Caddyfile docs](https://caddyserver.com/docs/caddyfile). Notice the `|` used to include a multi-line string. You may set `caddy_conf_filename` to `config.json` to use json format.
default:
```yaml
caddy_conf_filename: Caddyfile
caddy_config: |
http://localhost:2020
respond "Hello, world!"
```
If you wish to use a template for the config you can do this:
```yaml
caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
```
### The OS to download caddy for
default:
```yaml
caddy_os: linux
```
### Auto update Caddy?
default:
```yaml
caddy_update: true
```
### Additional Available Packages
Changing this variable will reinstall Caddy with the new packages if `caddy_update` is enabled. Check https://caddyserver.com/download for available packages.
default:
```yaml
caddy_packages: []
```
### Use `setcap`?
This allows Caddy to open a low port (under 1024 - e.g. 80, 443).
default:
```yaml
caddy_setcap: true
```
### Use systemd capabilities controls
default:
```yaml
caddy_systemd_capabilities_enabled: false
caddy_systemd_capabilities: "CAP_NET_BIND_SERVICE"
```
NOTE: This feature requires systemd v229 or newer and might be needed in addition to `caddy_setcap: yes`.
Supported:
* Debian 9 (stretch)
* Fedora 25
* Ubuntu 16.04 (xenial)
RHEL/CentOS has no release that supports systemd capability controls at this time.
### Add additional environment variables
Add environment variables to the systemd script.
default:
```yaml
caddy_environment_variables: {}
```
Example usage:
```yaml
caddy_environment_variables:
FOO: bar
SECONDVAR: spam
```
### Use additional CLI arguments
default:
```yaml
caddy_additional_args: ""
```
Example for LetsEncrypt staging:
```yaml
caddy_additional_args: "-ca https://acme-staging.api.letsencrypt.org/directory"
```
### Use a GitHub OAuth token to request the list of caddy releases
This role uses the GitHub releases list to check when a new version is available. [GitHub has some fairly agressive rate-limiting](https://developer.github.com/v3/#rate-limiting) which can cause failures. You can set your GitHub token to increase the limits for yourself when running the role (e.g. if deploying many servers behind a NAT or running this role repeatedly as part of a CI process).
default:
```yaml
caddy_github_token: ""
```
## Example Playbooks
```yaml
---
- hosts: all
become: yes
roles:
- role: caddy_ansible.caddy_ansible
caddy_config: |
files.example.com
encode gzip
file_server browse {
root /home/caddy/
}
```
Example with DigitalOcean DNS for TLS:
```yaml
---
- hosts: all
roles:
- role: caddy_ansible.caddy_ansible
caddy_environment_variables:
DO_AUTH_TOKEN: "your-token-here"
caddy_systemd_capabilities_enabled: true
caddy_systemd_network_dependency: false
caddy_packages: ["github.com/caddy-dns/lego-deprecated"]
caddy_config: |
nextcloud.example.com {
log
reverse_proxy http://localhost:8080 {
header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote.host}
header_up X-Forwarded-For {http.request.remote.host}
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
}
tls webmaster@example.com {
dns lego_deprecated digitalocean
}
}
```
## Debugging
If the service fails to start you can figure out why by looking at the output of Caddy.
```bash
systemctl status caddy -l
```
If something doesn't seem right, open an issue!
## Contributing
Pull requests are welcome. Please test your changes beforehand with vagrant:
```bash
vagrant up
vagrant provision # (since it already provisioned there should be no changes here)
vagrant destroy
```

49
ansible/galaxy_roles/caddy-ansible/Vagrantfile

@ -0,0 +1,49 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
config.vm.define "buster" do |buster|
buster.vm.box = "debian/buster64"
end
config.vm.define "bionic" do |bionic|
bionic.vm.box = "bento/ubuntu-18.04"
end
config.vm.define "focal" do |focal|
focal.vm.box = "bento/ubuntu-20.04"
end
config.vm.define "centos7" do |centos7|
centos7.vm.box = "bento/centos-7.6"
end
config.vm.define "fedora32" do |fedora32|
fedora32.vm.box = "bento/fedora-32"
end
config.vm.provision "ansible" do |ansible|
ansible.playbook = 'tests/playbook.yml'
ansible.verbose = true
end
$script = <<SCRIPT
# curl localhost and get the http response code
while ! curl -Is localhost:2020 -o /dev/null; do
sleep 1 && echo -n .
done
echo
http_code=$(curl --silent --head --output /dev/null -w '%{http_code}' localhost:2020)
case $http_code in
200|404) echo "$http_code | Server running" ;;
000) echo "$http_code | Server not accessible!" >&2 ; exit 1 ;;
*) echo "$http_code | Unknown http response code!" >&2 ; exit 1 ;;
esac
SCRIPT
# Fix 'stdin: is not a tty' error
config.ssh.pty = true
config.vm.provision :shell, inline: $script
config.vm.synced_folder ".", "/vagrant", disabled: true
end

2
ansible/galaxy_roles/caddy-ansible/ansible.cfg

@ -0,0 +1,2 @@
[defaults]
roles_path=../

31
ansible/galaxy_roles/caddy-ansible/defaults/main.yml

@ -0,0 +1,31 @@
---
# defaults file for caddy-ansible
caddy_user: caddy
caddy_home: /home/caddy
caddy_packages: []
caddy_update: true
caddy_bin_dir: /usr/local/bin
caddy_conf_dir: /etc/caddy
caddy_conf_filename: Caddyfile
caddy_github_token: ""
caddy_log_dir: /var/log/caddy
caddy_log_file: stdout
caddy_certs_dir: /etc/ssl/caddy
# additional cli args to pass to caddy
caddy_additional_args: ""
caddy_systemd_network_dependency: true
caddy_systemd_capabilities_enabled: true
caddy_systemd_capabilities: "CAP_NET_BIND_SERVICE"
caddy_systemd_restart: "on-failure" # always, on-success, on-failure, on-abnormal, on-abort, on-watchdog
caddy_systemd_restart_startlimitinterval: "86400"
caddy_systemd_restart_startlimitburst: "5"
caddy_systemd_private_tmp: "true"
caddy_systemd_private_devices: "true"
# Disable this because the git module writes to ~/.ssh
caddy_systemd_protect_home: "false"
caddy_systemd_protect_system: "full"
caddy_systemd_nproc_limit: 0
caddy_setcap: true
caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
caddy_environment_variables: {}
caddy_os: linux

12
ansible/galaxy_roles/caddy-ansible/handlers/main.yml

@ -0,0 +1,12 @@
---
- name: Restart caddy
systemd:
daemon_reload: true
name: caddy
state: restarted
- name: Reload caddy
systemd:
name: caddy
state: reloaded

28
ansible/galaxy_roles/caddy-ansible/meta/main.yml

@ -0,0 +1,28 @@
---
galaxy_info:
author: caddy_ansible
role_name: caddy_ansible
description: Installs and configures a Caddy webserver
license: MIT
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- 7
- 8
- name: Ubuntu
versions:
- bionic
- focal
- name: Debian
versions:
- stretch
- buster
- bullseye
- name: Fedora
versions:
- 29
galaxy_tags:
- system
- web
dependencies: []

16
ansible/galaxy_roles/caddy-ansible/molecule/default/converge.yml

@ -0,0 +1,16 @@
---
- name: Converge
hosts: all
roles:
- role: caddy_ansible.caddy_ansible
tasks:
- name: Ensure ss is installed (for testinfra)
yum:
name: iproute
state: present
when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux', 'Fedora']
- name: Ensure ss is installed (for testinfra)
package:
name: iproute2
state: present
when: ansible_distribution not in ['CentOS', 'Red Hat Enterprise Linux', 'Fedora']

28
ansible/galaxy_roles/caddy-ansible/molecule/default/molecule.yml

@ -0,0 +1,28 @@
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}
env:
ANSIBLE_ROLES_PATH: "../../.cache/roles"
scenario:
name: default
verifier:
name: testinfra
enabled: true

38
ansible/galaxy_roles/caddy-ansible/molecule/default/tests/test_default.py

@ -0,0 +1,38 @@
import os
from testinfra.utils.ansible_runner import AnsibleRunner
inventory = os.environ['MOLECULE_INVENTORY_FILE']
testinfra_hosts = AnsibleRunner(inventory).get_hosts('all')
def test_files(host):
dirs = [
"/etc/caddy",
"/var/log/caddy"
]
for dir in dirs:
d = host.file(dir)
assert d.exists
assert d.is_directory
def test_packages(host):
pkgs = []
for p in pkgs:
assert host.package(p).is_installed
def test_service(host):
s = host.service("caddy")
assert s.is_enabled
assert s.is_running
def test_socket(host):
sockets = [
"tcp://127.0.0.1:2020"
]
for socket in sockets:
s = host.socket(socket)
assert s.is_listening

21
ansible/galaxy_roles/caddy-ansible/tasks/github-extract.yml

@ -0,0 +1,21 @@
---
- name: Extract Caddy
unarchive:
src: "{{ caddy_home }}/caddy.tar.gz"
dest: "{{ caddy_home }}"
copy: false
mode: 0644
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"
when: caddy_binary_cache.changed
tags: skip_ansible_lint
- name: Extract Caddy
unarchive:
src: "{{ caddy_home }}/caddy.tar.gz"
dest: "{{ caddy_home }}"
creates: "{{ caddy_home }}/caddy"
copy: false
mode: 0644
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"

22
ansible/galaxy_roles/caddy-ansible/tasks/github-url.yml

@ -0,0 +1,22 @@
---
- name: Get latest Caddy release details
uri:
url: https://api.github.com/repos/caddyserver/caddy/releases/latest
return_content: true
headers: '{{ caddy_github_headers }}'
register: latest_caddy_release
- name: Set Caddy tag
set_fact:
caddy_tag: "{{ (latest_caddy_release.content | from_json).get('tag_name') }}"
- name: Set Caddy version
set_fact:
caddy_version: "{{ caddy_tag | regex_replace('^v', '') }}"
- name: Set Caddy urls
set_fact:
caddy_url: "https://github.com/caddyserver/caddy/releases/download/\
{{ caddy_tag }}/caddy_{{ caddy_version }}_{{ caddy_os }}_{{ go_arch }}.tar.gz"
caddy_checksum_url: "sha512:https://github.com/caddyserver/caddy/releases/download/\
{{ caddy_tag }}/caddy_{{ caddy_version }}_checksums.txt"

143
ansible/galaxy_roles/caddy-ansible/tasks/main.yml

@ -0,0 +1,143 @@
---
- include: preflight.yml
- include: packages-{{ ansible_pkg_mgr }}.yml
- name: Create Caddy user
user:
name: "{{ caddy_user }}"
group: "{{ group }}"
system: true
createhome: true
home: "{{ caddy_home }}"
shell: /bin/bash
register: caddy_user_details
become: yes
- name: Build headers to use when making requests to github
set_fact:
caddy_github_headers: "{{ caddy_github_headers | combine({'Authorization': 'token ' + caddy_github_token}) }}"
when: caddy_github_token | length > 0
- name: Get all Caddy releases
get_url:
url: https://api.github.com/repos/caddyserver/caddy/git/refs/tags
dest: "{{ caddy_home }}/releases.txt"
force: true
headers: '{{ caddy_github_headers }}'
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"
retries: 3
delay: 2
when: caddy_update
register: caddy_releases_cache
become: yes
- name: Set Caddy features
copy:
content: "{{ ','.join(caddy_packages) }}"
dest: "{{ caddy_home }}/features.txt"
mode: 0640
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"
when: caddy_update
register: caddy_features_cache
become: yes
- include: github-url.yml
when: caddy_use_github
- name: Download Caddy
get_url:
url: "{{ caddy_url }}"
checksum: "{{ caddy_checksum_url | default(omit) }}"
dest: "{{ caddy_home }}/{{ 'caddy.tar.gz' if caddy_use_github else 'caddy' }}"
force: true
timeout: 300
mode: 0644
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"
retries: 3
delay: 2
when: caddy_releases_cache.changed or caddy_features_cache.changed
register: caddy_binary_cache
tags: skip_ansible_lint
become: yes
- name: Download Caddy
get_url:
url: "{{ caddy_url }}"
checksum: "{{ caddy_checksum_url | default(omit) }}"
dest: "{{ caddy_home }}/{{ 'caddy.tar.gz' if caddy_use_github else 'caddy' }}"
timeout: 300
mode: 0644
owner: "{{ caddy_user }}"
group: "{{ caddy_user_details.group }}"
retries: 3
delay: 2
register: caddy_download
tags: skip_ansible_lint
become: yes
- include: github-extract.yml
when: caddy_use_github
- name: Copy Caddy Binary
copy:
src: "{{ caddy_home }}/caddy"
dest: "{{ caddy_bin }}"
mode: 0755
remote_src: true
notify:
- Restart caddy
- name: Create directories
file:
path: "{{ item }}"
state: directory
owner: "{{ caddy_user }}"
mode: 0770
with_items:
- "{{ caddy_conf_dir }}"
- "{{ caddy_certs_dir }}"
- name: Create log directory
file:
path: "{{ caddy_log_dir }}"
state: directory
owner: "{{ caddy_user }}"
mode: 0775
- name: Create caddy config
copy:
content: "{{ caddy_config }}"
dest: "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}"
owner: "{{ caddy_user }}"
mode: 0640
notify:
- Reload caddy
- name: Template systemd service
template:
src: caddy.service
dest: /etc/systemd/system/caddy.service
owner: root
group: root
mode: 0644
notify:
- Restart caddy
- name: Set capability on the binary file to be able to bind to TCP port <1024
capabilities:
path: "{{ caddy_bin }}"
capability: cap_net_bind_service+eip
state: present
when: caddy_setcap
- name: Ensue caddy service is up-to-date before starting it
meta: flush_handlers
- name: Start Caddy service
systemd:
name: caddy
state: started
enabled: true
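Review bot: The 'Create Caddy user' task sets `group: "{{ group }}"` and templates/caddy.service sets `Group={{ group }}`, but `group` is not a variable of this role — it is linode-preflight's admin group (`group: "ops"` in its defaults/main.yml), which add_user.yml grants `%{{ group }} ALL=(ALL) NOPASSWD: ALL` in /etc/sudoers. If both roles run against the same host, the web server's primary group is therefore the passwordless-sudo group, and a compromise of Caddy becomes root without further effort. The rest of this role already uses `caddy_user_details.group` for ownership, so dropping `group:` from the user task (giving `caddy` its own group) and writing `Group={{ caddy_user_details.group }}` in the unit file restores that isolation. The unprefixed `user`/`group` variable names in linode-preflight are what let the roles couple accidentally; prefixing them (`preflight__group`) would prevent a repeat.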

18
ansible/galaxy_roles/caddy-ansible/tasks/packages-apt.yml

@ -0,0 +1,18 @@
---
- name: Update cache
apt:
update_cache: true
cache_valid_time: 43200 # 12 hours
# This is required because it provides the /bin/kill binary used in the service file
- name: Install procps
apt:
name: procps
state: present
- name: Install libcap
apt:
name: libcap2-bin
state: present
when: caddy_setcap

1
ansible/galaxy_roles/caddy-ansible/tasks/packages-dnf.yml

@ -0,0 +1 @@
---

1
ansible/galaxy_roles/caddy-ansible/tasks/packages-pacman.yml

@ -0,0 +1 @@
---

1
ansible/galaxy_roles/caddy-ansible/tasks/packages-yum.yml

@ -0,0 +1 @@
---

17
ansible/galaxy_roles/caddy-ansible/tasks/preflight.yml

@ -0,0 +1,17 @@
---
- name: Assert usage of systemd as an init system
assert:
that: ansible_service_mgr == 'systemd'
msg: "This module only works with systemd"
- name: Get systemd version
command: systemctl --version
changed_when: false
check_mode: false
register: __systemd_version
tags:
- skip_ansible_lint
- name: Set systemd version fact
set_fact:
caddy_systemd_version: "{{ __systemd_version.stdout_lines[0].split(' ')[1] }}"

2
ansible/galaxy_roles/caddy-ansible/templates/Caddyfile.j2

@ -0,0 +1,2 @@
http://localhost:2020
respond "Hello, world!"

73
ansible/galaxy_roles/caddy-ansible/templates/caddy.service

@ -0,0 +1,73 @@
{{ ansible_managed | comment(decoration="; ") }}
; source: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service
; version: 6be0386
; changes: Set variables via Ansible
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
{% if caddy_systemd_network_dependency == true %}
Wants=network-online.target systemd-networkd-wait-online.service
{% endif %}
{% if caddy_systemd_version | int >= 230 %}
StartLimitIntervalSec={{ caddy_systemd_restart_startlimitinterval }}
StartLimitBurst={{ caddy_systemd_restart_startlimitburst }}
{% endif %}
[Service]
Restart={{ caddy_systemd_restart }}
{% if caddy_systemd_version | int < 230 %}
StartLimitInterval={{ caddy_systemd_restart_startlimitinterval }}
StartLimitBurst={{ caddy_systemd_restart_startlimitburst }}
{% endif %}
; User and group the process will run as.
User={{ caddy_user }}
Group={{ group }}
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH={{ caddy_certs_dir }}
ExecStart="{{ caddy_bin_dir }}/caddy" run --environ --config "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}" {{ caddy_additional_args }}
ExecReload="{{ caddy_bin_dir }}/caddy" reload --config "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}"
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
{% if caddy_systemd_nproc_limit > 0 %}
; Limit the number of caddy threads.
LimitNPROC={{ caddy_systemd_nproc_limit }}
{% endif %}
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp={{ caddy_systemd_private_tmp }}
; Use a minimal /dev
PrivateDevices={{ caddy_systemd_private_devices }}
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome={{ caddy_systemd_protect_home }}
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem={{ caddy_systemd_protect_system }}
; … except {{ caddy_certs_dir }}, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories={{ caddy_certs_dir }} {{ caddy_log_dir }}
{% if caddy_systemd_capabilities_enabled %}
; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet={{ caddy_systemd_capabilities }}
AmbientCapabilities={{ caddy_systemd_capabilities }}
NoNewPrivileges=true
{% endif %}
{% if caddy_environment_variables|length %}
; Additional environment variables:
{% for key, value in caddy_environment_variables.items() %}
Environment={{ key }}={{ value }}
{% endfor %}
{% endif %}
[Install]
WantedBy=multi-user.target

1
ansible/galaxy_roles/caddy-ansible/tests/inventory

@ -0,0 +1 @@
localhost

8
ansible/galaxy_roles/caddy-ansible/tests/playbook.yml

@ -0,0 +1,8 @@
---
- hosts: all
become: true
tasks:
- name: Install curl
package: name=curl state=present
roles:
- caddy_ansible.caddy_ansible

27
ansible/galaxy_roles/caddy-ansible/vars/main.yml

@ -0,0 +1,27 @@
---
# vars file for caddy-ansible
caddy_github_headers: {}
go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'armv7'
armv6l: 'armv6'
go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
caddy_bin: "{{ caddy_bin_dir }}/caddy"
caddy_arch_param_map:
armv7l: 'arch=arm&arm=7'
armv6l: 'arch=arm&arm=6'
caddy_arch_param: "{{ caddy_arch_param_map[ansible_architecture] | default('arch=' + go_arch) }}"
caddy_url: "https://caddyserver.com/api/download?os={{ caddy_os }}&{{ caddy_arch_param }}\
{% for pkg in caddy_packages %}\
&p={{ pkg | urlencode() }}\
{% endfor %}"
caddy_use_github: "{{ caddy_packages == [] }}"

20
ansible/galaxy_roles/jekyll-site/README.md

@ -0,0 +1,20 @@
Jekyll Site Configuration
==============
This role automates the configuration for Jekyll static sites on Ubuntu20 instances. Ruby is installed to support the use of Jekyll. Bundler is installed to support the use of Capistrano for deploys.
Use `deploy_dirs` to set the directory for deploys.
Role Variables
--------
site_name: "example-site" # Name of the static-site (no spaces).
deploy_dirs: # List of deploy directories to create.
- "/srv/{{ site_name }}/"
deploy_user: "jekyll" # User for deploys.
deploy_group: "jekyll" # Group of deploy user.
ruby_version: "2.7" # The version of Ruby to install. (v2.3 -> 2.7)
bundler_version: "2.1.4" # The Bundler version.
ssh_keys: [] # SSH Key for deploy user access.

12
ansible/galaxy_roles/jekyll-site/defaults/main.yml

@ -0,0 +1,12 @@
---
# site_name: "example-site"
# deploy_dirs:
# - "/srv/{{ site_name }}/"
# # - "/srv/{{ site_name }}-staging/"
# deploy_user: "jekyll"
# deploy_group: "jekyll"
# ruby_version: "2.7"
# bundler_version: "2.1.4"
# ssh_keys: []
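Review bot: Every default is commented out, so `deploy_user`, `deploy_group`, `ruby_version`, `bundler_version`, `deploy_dirs` and `ssh_keys` are undefined unless the caller sets them, while README.md presents these values as the role's defaults. Either uncomment the ones that are safe as defaults (`ruby_version: "2.7"`, `bundler_version: "2.1.4"`, `ssh_keys: []`) or add an `assert` at the top of tasks/main.yml that the required variables are defined, so a missing value fails with a clear message rather than mid-run.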

13
ansible/galaxy_roles/jekyll-site/meta/main.yml

@ -0,0 +1,13 @@
galaxy_info:
author: James Lavender
description: Installation of Ruby and Jekyll for Static Site generation.
license: MIT
min_ansible_version: 2.1
platforms:
- name: Ubuntu
version:
- 18.04
- 20.04
galaxy_tags:
- jekyll
- static_sites
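Review bot: Under `platforms` the key is `version:` but Galaxy reads `versions:` (compare caddy-ansible/meta/main.yml), so the Ubuntu release list is ignored. The values `18.04` and `20.04` are unquoted and parse as floats, which happens to round-trip here but would not for a release such as `18.10`; write `versions:` with `- "18.04"` and `- "20.04"`, or use codenames (`bionic`, `focal`) as the caddy role does. `min_ansible_version: 2.1` has the same float issue and predates the `include_tasks` used in tasks/main.yml (2.4); quote it and raise it. The file also lacks the `---` document start the other YAML files use.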

12
ansible/galaxy_roles/jekyll-site/tasks/dependencies.yml

@ -0,0 +1,12 @@
---
- name: jekyll_site | Dependencies | Install additional packages
apt:
name: "{{ item }}"
state: present
update_cache: yes
loop:
- build-essential
- zlib1g-dev
- git
- nmap
become: yes
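Review bot: `nmap` is in the dependency list for a static-site host; nothing in this role uses it, and it is a network-scanning tool that host audits flag, so drop it unless it is needed for a documented reason. `update_cache: yes` inside the `loop` refreshes the apt cache on every iteration; pass the list directly (`name: [build-essential, zlib1g-dev, git]`) so the install is one transaction, and use `true` rather than `yes` for the booleans.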

41
ansible/galaxy_roles/jekyll-site/tasks/deploy_user.yml

@ -0,0 +1,41 @@
---
- name: jekyll_site | Deploy User | Ensure deploy group exists
group:
name: "{{ deploy_group }}"
state: present
become: yes
- name: jekyll_site | Deploy User | Allow deploy group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%{{ deploy_group }}'
line: '%{{ deploy_group }} ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
become: yes
- name: jekyll_site | Deploy User | Ensure deploy user exists.
user:
name: "{{ deploy_user }}"
group: "{{ deploy_group }}"
state: present
create_home: yes
shell: /bin/bash
become: yes
- name: jekyll_site | Deploy User | Ensure admin user ssh directory exists
file:
path: "/home/{{ deploy_user }}/.ssh/"
state: directory
owner: "{{ deploy_user }}"
group: "{{ deploy_group }}"
mode: 0700
become: yes
- name: jekyll_site | Deploy User | Add SSH keys to admin user
authorized_key:
user: "{{ deploy_user }}"
state: present
key: "{{ item.key }}"
with_items: "{{ ssh__keys }}"
become: yes
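Review bot: The 'Add SSH keys' task loops over `{{ ssh__keys }}`, but this role documents and defaults `ssh_keys` (single underscore, see README.md and defaults/main.yml); `ssh__keys` is linode-preflight's variable, so the role fails with an undefined variable on its own and, when run alongside linode-preflight, the deploy user silently receives the ops admin keys. Change it to `with_items: "{{ ssh_keys }}"`. The task names 'Ensure admin user ssh directory exists' and 'Add SSH keys to admin user' are copied from add_user.yml and should say deploy user. The sudoers line gives the whole deploy group unrestricted passwordless root; if a Capistrano deploy only needs to write `deploy_dirs` and restart a service, a narrower command list in that line is the safer contract.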

48
ansible/galaxy_roles/jekyll-site/tasks/install_ruby.yml

@ -0,0 +1,48 @@
---
- name: jekyll_site | Install Ruby | Add brightbox PPA
apt_repository:
repo: 'ppa:brightbox/ruby-ng'
become: yes
- name: jekyll_site | Install Ruby | Install Ruby
apt:
name: "ruby{{ ruby_version }}"
state: present
update_cache: yes
become: yes
- name: jekyll_site | Install Ruby | Install Ruby Development headers
apt:
name: "ruby{{ ruby_version }}-dev"
state: present
update_cache: yes
become: yes
- name: jekyll_site | Install Ruby | Install bundler
gem:
name: bundler
version: "{{ bundler_version }}"
state: present
include_dependencies: True
# user_install: False
become: yes
- name: jekyll_site | Install Ruby | Install bundle
gem:
name: bundle
state: present
include_dependencies: True
user_install: False
become: yes
- name: jekyll_site | Install Ruby | Update ruby alternatives
alternatives:
name: ruby
path: "/usr/bin/ruby{{ ruby_version }}"
become: yes
- name: jekyll_site | Install Ruby | Update Gem alternatives
alternatives:
name: gem
path: "/usr/bin/gem{{ ruby_version }}"
become: yes
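Review bot: The 'Install bundle' task installs a gem literally named `bundle`, which is not Bundler — Bundler is already installed, pinned, two tasks above — so this fetches an unrelated, unpinned package from rubygems.org as root; unless the name is deliberate, remove the task. `apt_repository` adds `ppa:brightbox/ruby-ng` without `update_cache`, which works only because the following apt tasks refresh the cache; the PPA's availability for the releases listed in meta/main.yml should also be verified, as it is not maintained for every Ubuntu release. `include_dependencies: True` / `user_install: False` are YAML 1.1 spellings; use `true`/`false` as the rest of the file does.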

22
ansible/galaxy_roles/jekyll-site/tasks/main.yml

@ -0,0 +1,22 @@
---
- include_tasks: dependencies.yml
- include_tasks: deploy_user.yml
- include_tasks: install_ruby.yml
- name: Install jekyll
gem:
name: jekyll
state: present
include_dependencies: True
user_install: False
become: yes
- name: Setup deploy directories
file:
state: directory
path: "{{ item }}"
owner: "{{ deploy_user }}"
group: "{{ deploy_group }}"
mode: 0755
with_items: "{{ deploy_dirs }}"
become: yes
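Review bot: `gem: name: jekyll` installs whatever version rubygems.org serves at run time, system-wide (`user_install: False`, root via `become`), so two runs of the same playbook can yield different Jekyll versions; pin it the way bundler is pinned in install_ruby.yml, e.g. `version: "{{ jekyll_version }}"` with a new documented default. `mode: 0755` relies on the leading zero being read as octal; `mode: "0755"` is the form ansible-lint asks for. The loop over `deploy_dirs` is fine, but defaults/main.yml leaves that variable undefined, so this task fails unless the caller sets it.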

2
ansible/galaxy_roles/linode-preflight/README.md

@ -0,0 +1,2 @@
# Linode-Preflight
A set of Ansible tasks for preflighting a Linode instance.

17
ansible/galaxy_roles/linode-preflight/defaults/main.yml

@ -0,0 +1,17 @@
---
# Preflight
preflight__timezone: UTC
# Firewall
firewall__ssh_rule: limit
# User
user: "ops"
group: "ops"
# SSH Config
ssh__port: 8822
ssh__password_authentication: "no"
ssh__address_family: "inet"
ssh__keys: []

6
ansible/galaxy_roles/linode-preflight/handlers/main.yml

@ -0,0 +1,6 @@
---
- name: restart sshd
service:
name: sshd
state: restarted
become: yes

9
ansible/galaxy_roles/linode-preflight/meta/main.yml

@ -0,0 +1,9 @@
galaxy_info:
author: James Lavender
description: A set of preflight tasks for any Linode Instance.
license: GPLv3
min_ansible_version: 1.2
galaxy-tags:
- linode-preflight
dependencies: []
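Review bot: `galaxy-tags:` is misspelled — Galaxy reads `galaxy_tags` (as jekyll-site/meta/main.yml and caddy-ansible/meta/main.yml use), so the tag is silently ignored; check Galaxy's tag character rules for the hyphen in `linode-preflight` as well. `min_ansible_version: 1.2` is an unquoted float and far older than anything that supports the modules used here (`include_tasks` needs 2.4); quote it and raise it, e.g. `min_ansible_version: "2.9"`. The file also lacks the `---` document start the sibling files use.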

40
ansible/galaxy_roles/linode-preflight/tasks/add_user.yml

@ -0,0 +1,40 @@
---
- name: linode_preflight | add_user | Add admin group
group:
name: "{{ group }}"
state: present
- name: linode_preflight | add_user | Allow admin group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%{{ group }}'
line: '%{{ group }} ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
become: yes
- name: linode_preflight | add_user | Add admin user
user:
name: "{{ user }}"
group: "{{ group }}"
state: present
create_home: yes
shell: /bin/bash
become: yes
- name: linode_preflight | add_user | Ensure admin user ssh directory exists
file:
path: "/home/{{ user }}/.ssh/"
state: directory
owner: "{{ user }}"
group: "{{ group }}"
mode: 0700
become: yes
- name: linode_preflight | add_user | Add SSH keys to admin user
authorized_key:
user: "{{ user }}"
state: present
key: "{{ item.key }}"
with_items: "{{ ssh__keys }}"
become: yes
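Review bot: The 'Add admin group' task is the only one in the file without `become: yes`; it succeeds today only because ansible/ansible.cfg sets `become=True` globally, so add `become: yes` for consistency with the other tasks. `%{{ group }} ALL=(ALL) NOPASSWD: ALL` gives every member of the group unrestricted passwordless root; with password authentication disabled in sshd that is a common trade-off, but it should be stated in the README because the same `group` variable is also picked up by the vendored caddy role's user task. `mode: 0700` works thanks to the leading zero, but `mode: "0700"` avoids the YAML octal trap.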

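--- a/ansible/galaxy_roles/linode-preflight/tasks/ansible_dependencies.yml
+++ b/ansible/galaxy_roles/linode-preflight/tasks/ansible_dependencies.yml
@@ -0,0 +1,9 @@
+---
+- name: linode-preflight | ansible dependencies | Install Python
+raw: test -e /usr/bin/python || (sudo apt-get -y update && sudo apt-get install -y python2-minimal)
+register: common__pyout
+become: yes
+changed_when:
+- False
+- common__pyout.stdout != ""
+- common__pyout.stderr != "\r\n"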
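Review bot: `changed_when` is given as a list, and a list of conditions is AND-ed, so the literal `False` first element makes the task never report changed — the two `common__pyout` checks below it are dead. Either drop the `False` entry and keep the stdout/stderr checks, or write `changed_when: false` alone and remove the `register`. The command also installs `python2-minimal`, which is no longer packaged on current Debian/Ubuntu releases and is not a supported target interpreter for recent ansible-core; `python3-minimal` (with `ansible_python_interpreter` set accordingly) is what a fresh image needs, if anything. The `sudo` inside the command is redundant with `become: yes`.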

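--- a/ansible/galaxy_roles/linode-preflight/tasks/firewall.yml
+++ b/ansible/galaxy_roles/linode-preflight/tasks/firewall.yml
@@ -0,0 +1,49 @@
+---
+- name: linode_preflight | firewall | install ufw
+apt:
+pkg: ufw
+state: present
+become: yes
+- name: linode_preflight | firewall | Open ssh port
+ufw:
+state: enabled
+rule: "{{ firewall__ssh_rule }}"
+port: "{{ item }}"
+proto: tcp
+loop:
+- 22
+- 8822
+become: yes
+- name: linode_preflight | firewall | deny all incoming connections
+ufw:
+state: enabled
+policy: deny
+direction: incoming
+become: yes
+- name: linode_preflight | firewall | allow all outgoing connections
+ufw:
+state: enabled
+policy: allow
+direction: outgoing
+become: yes
+- name: linode_preflight | firewall | allow all connections from localhost
+ufw:
+state: enabled
+from: "127.0.0.1"
+rule: allow
+proto: any
+become: yes
+- name: linode_preflight | firewall | Copy SSH config
+template:
+src: "etc/ssh/sshd_config.j2"
+dest: "/etc/ssh/sshd_config"
+mode: 0644
+validate: '/usr/sbin/sshd -t -f %s'
+become: yes
+notify: restart sshd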
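Review bot: The "Open ssh port" loop hard-codes `22` and `8822` instead of using `ssh__port`, so the port the sshd_config template listens on and the port the firewall opens can drift apart and lock the host out; `loop: ["22", "{{ ssh__port }}"]` ties the two together. The rule is created as `{{ firewall__ssh_rule }}` (`limit` by default), which matters for the clean-up task in `site.yml` that later tries to delete it as `rule: allow` — see the note there. The sshd_config task is not firewall work and would be easier to find in `preflight.yml` or its own `sshd.yml`; it is correctly validated with `sshd -t` before the handler restarts sshd, which is the right pattern.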

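--- a/ansible/galaxy_roles/linode-preflight/tasks/main.yml
+++ b/ansible/galaxy_roles/linode-preflight/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include_tasks: ansible_dependencies.yml
+- include_tasks: preflight.yml
+- include_tasks: add_user.yml
+- include_tasks: firewall.yml # Always run last. Then swap Ansible user.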

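--- a/ansible/galaxy_roles/linode-preflight/tasks/oh-my-bash.yml
+++ b/ansible/galaxy_roles/linode-preflight/tasks/oh-my-bash.yml
@@ -0,0 +1,12 @@
+---
+- name: linode_preflight | ohmybash | Install dependency
+apt:
+pkg: curl
+state: present
+become: yes
+- name: linode_preflight | ohmybash | Install OhMyBash
+shell:
+cmd: bash -c "$(curl -fsSL https://raw.githubusercontent.com/ohmybash/oh-my-bash/master/tools/install.sh)"
+become: yes
+become_user: "{{ user }}"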
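Review bot: The install task pipes an unpinned script fetched from the `master` branch over `curl` straight into `bash` as `{{ user }}`, so what gets executed changes with every upstream push and cannot be reviewed or reproduced from this repository. Fetch the installer with `get_url` pinned to a specific commit and with a `checksum:` recorded in the role, then run the downloaded file, and add a `creates:` guard (the directory the installer creates under the user's home) so the task is idempotent. Note this file is not included by `tasks/main.yml`, so it currently never runs.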

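--- a/ansible/galaxy_roles/linode-preflight/tasks/preflight.yml
+++ b/ansible/galaxy_roles/linode-preflight/tasks/preflight.yml
@@ -0,0 +1,27 @@
+---
+- name: linode_preflight | preflight | install ntp
+apt:
+name: ntp
+state: present
+become: yes
+- name: linode_preflight | preflight | ensure ntp is running on boot
+service:
+name: ntp
+state: started
+enabled: yes
+become: yes
+- name: linode_preflight | preflight | Set Timezone
+timezone:
+name: "{{ preflight__timezone }}"
+become: yes
+- name: linode_preflight | preflight | copy 10periodic unattended upgrades
+template:
+src: "etc/apt/apt.conf.d/10periodic.j2"
+dest: "/etc/apt/apt.conf.d/10periodic"
+owner: root
+group: root
+mode: 0644
+become: yes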
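Review bot: The `10periodic` template turns on `Unattended-Upgrade "1"`, but nothing in this role installs the `unattended-upgrades` package that acts on that setting, so on an image without it the task changes nothing; add an `apt` task for it next to the `ntp` install, or state in the README that the image is expected to ship it. The `ntp` package is transitional on recent Ubuntu releases, where `systemd-timesyncd` is already present, so the time-sync choice may be worth a variable. `enabled: yes`/`become: yes` → `true` and `mode: 0644` → `"0644"` for YAML 1.2 parsers.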

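--- a/ansible/galaxy_roles/linode-preflight/templates/etc/apt/apt.conf.d/10periodic.j2
+++ b/ansible/galaxy_roles/linode-preflight/templates/etc/apt/apt.conf.d/10periodic.j2
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";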

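--- a/ansible/galaxy_roles/linode-preflight/templates/etc/ssh/sshd_config.j2
+++ b/ansible/galaxy_roles/linode-preflight/templates/etc/ssh/sshd_config.j2
@@ -0,0 +1,123 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+Include /etc/ssh/sshd_config.d/*.conf
+Port {{ ssh__port }}
+AddressFamily {{ ssh__address_family }}
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+# Ciphers and keying
+#RekeyLimit default none
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+# Authentication:
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+#PubkeyAuthentication yes
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ ssh__password_authentication }}
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+# no default banner path
+#Banner none
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server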
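Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first active directive, and sshd keeps the first value it reads for each keyword, so any drop-in in that directory silently wins over the templated `Port`, `PermitRootLogin` and `PasswordAuthentication` below it; Ubuntu cloud images may carry a cloud-init drop-in that sets `PasswordAuthentication yes`. Either move the `Include` line below the values this role enforces, or have the role manage (remove) the drop-ins it cares about, and add a template comment saying which. `X11Forwarding yes` is enabled on what is otherwise a headless web server — `X11Forwarding no` is the safer default unless a use case exists. `PermitRootLogin no` is right, but the inventory still connects as root on port 22; see the note on `inventories/production/hosts`.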

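--- a/ansible/inventories/common/group_vars/all/main.yml
+++ b/ansible/inventories/common/group_vars/all/main.yml
@@ -0,0 +1,10 @@
+---
+ruby_version: '2.7'
+bundler_version: '2.1.4'
+ssh__keys:
+- key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLNjy5+2zBjT4cHUNzWeoCoQYi8y+7AHQJr+2cAfw+S+q7JWlx00L3XAp3mINARcJyRxVb4TypiTV3vX55cwAz2eYmzyYBQfDCorNq+26iNs9pF/SwEq1nHhM0MtVu7w9v2kizVFMP/aYN3kcUaTM0hGNQ5OqNy/1by91zei/wsieXjxj18OiThWD77oSoxZrejxrPTZRcxL4aPgeEbJqsXtvBvPBjhLF7s4EvmPfzb0N/hYaQOwXDhLOU576yN/6TgnGkSazsVIkZRO67qVAlZAJs4VOlm7x1t/9cwLhwjDUqj9x+nIVh/Cr62jvn8aQVS9SO69rbkzf8lhSaVbgQ/Yi/lqbOQJ8gc0RKhcJwz2TltaY9piaVOSgiIW7sqWfcnwWohs2C+YS0F6qN8Nor897dWONbwRCvp52b6u0mqf3DEUIlWoDopVbkVgSg08uOoswJ/mum/6Xn+SN+zsL2y+32UlbE3gQRL/WUh7hzN+XVupBwijgQXgcfN2t5UgspiAIpup0Po+I/enbNdiZ/rAlhr8wX0NetTYr2rrHNzzV74HjnXjjUo72zaeMk9rPseL4FgnL8F7BBnuctW5tApjmA3AB5VBD7GbTQLRXg1kYBxujiQTSAQulpm7ezKz3PgUsUOg5IYAQYa1Bye2bit4ayNKWMM2iXGLfSkTYluw==
+# Defaults
+user: "ops"
+group: "oper"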
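Review bot: `group: "oper"` here differs from the role default `group: "ops"` while `user` keeps the default `"ops"`, so the admin user's primary group, the `%oper` sudoers rule and the Caddyfile's group all follow the inventory value; if that split is intentional a comment saying so would help, otherwise align the two. The public key is fine in group_vars, but a single very long line is hard to review or rotate — `key: "{{ lookup('file', 'keys/<name>.pub') }}"` from a keys directory, or one entry per key with an owner comment, makes rotation a one-line diff. The `# Defaults` keys are unprefixed and clash with generic names (see the note on the role's defaults/main.yml).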

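--- a/ansible/inventories/production/group_vars/all/common-main.yml
+++ b/ansible/inventories/production/group_vars/all/common-main.yml
@@ -0,0 +1 @@
+../../../common/group_vars/all/main.yml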

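--- a/ansible/inventories/production/group_vars/all/main.yml
+++ b/ansible/inventories/production/group_vars/all/main.yml
@@ -0,0 +1,14 @@
+---
+# Website/Blog settings
+domain: "example.com"
+staging_domain: "staging.example.com"
+site_name: "example"
+# Defaults
+deploy_dirs:
+- "/srv/{{ site_name }}"
+- "/srv/{{ site_name }}-staging"
+deploy_user: "jekyll"
+deploy_group: "jekyll"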

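--- a/ansible/inventories/production/hosts
+++ b/ansible/inventories/production/hosts
@@ -0,0 +1,7 @@
+[all:vars]
+ansible_port=22
+ansible_user=root
+[jekyll_site]
+#45.79.216.88
+#45.79.216.70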
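Review bot: `ansible_port=22` / `ansible_user=root` only describe the host before the first run: the preflight role moves sshd to `ssh__port`, sets `PermitRootLogin no`, and `site.yml` closes port 22, so this inventory stops working after one successful play and nothing in the commit records the post-preflight values (`ansible_port=8822`, `ansible_user=ops`). A separate bootstrap inventory (or connection vars keyed off a bootstrap flag) would make the hand-over that the `tasks/main.yml` comment alludes to explicit and repeatable. With both host lines commented out the `[jekyll_site]` group is empty, so a comment on what should be listed there would help the next person.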

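--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -0,0 +1,9 @@
+---
+- src: git+ssh://gitea@git.jameslavender.com:8822/jameslavender/linode-preflight.git
+name: linode-preflight
+- src: git+ssh://git@github.com/caddy-ansible/caddy-ansible.git
+name: caddy-ansible
+- src: git+ssh://gitea@git.jameslavender.com:8822/jameslavender/jekyll_site-ansible.git
+name: jekyll-site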
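Review bot: None of the three git sources carry a `version:` (tag or commit), so `ansible-galaxy install -r requirements.yml` pulls whatever the default branch holds at install time, and a later push to any of those repositories changes what this playbook runs on the hosts without any change here. Pin each entry, `version: <tag-or-commit>`, and bump deliberately. `caddy-ansible` is also vendored under `ansible/galaxy_roles/` in this same commit, so there are two copies that can diverge; keep one source of truth.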

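--- a/ansible/roles/web-server/handlers/main.yml
+++ b/ansible/roles/web-server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload_caddy
+service:
+name: caddy
+state: reloaded
+become: yes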

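--- a/ansible/roles/web-server/tasks/main.yml
+++ b/ansible/roles/web-server/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: web_server | Write Caddyfile and restart Caddy
+template:
+src: "etc/caddy/Caddyfile.j2"
+dest: "/etc/caddy/Caddyfile"
+owner: caddy
+group: "{{ group }}"
+mode: 0644
+become: yes
+notify:
+- reload_caddy
+- name: web_server | Allow Internet traffic
+ufw:
+rule: allow
+port: "{{ item }}"
+proto: tcp
+become: yes
+loop:
+- '80'
+- '443'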
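Review bot: The Caddyfile is written with `owner: caddy` and `group: "{{ group }}"`, which makes this role depend on the `group` variable that `linode-preflight` defines and gives the admin group ownership of a file only the caddy service needs to read; `group: caddy` (or `root`, with `mode: "0644"`) removes the cross-role coupling. The task name says "restart Caddy" but the handler it notifies is `reload_caddy` (a reload) — rename one so the name matches the effect. The `ufw` loop quotes its ports (`'80'`, `'443'`) while `firewall.yml` uses bare integers; pick one style, and quoted strings are the safer choice for the module's `port` parameter.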

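--- a/ansible/roles/web-server/templates/etc/caddy/Caddyfile.j2
+++ b/ansible/roles/web-server/templates/etc/caddy/Caddyfile.j2
@@ -0,0 +1,26 @@
+{{ domain }} {
+root * /srv/{{ site_name }}/current/_site
+file_server
+log {
+output file /var/log/caddy/{{ domain }}.access.log {
+roll_size 3MiB
+roll_keep 5
+roll_keep_for 48h
+}
+format console
+}
+}
+{{ staging_domain }} {
+root * /srv/{{ site_name }}-staging/current/_site
+file_server
+log {
+output file /var/log/caddy/{{ domain }}.access.log {
+roll_size 3MiB
+roll_keep 5
+roll_keep_for 48h
+}
+format console
+}
+}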
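Review bot: The staging vhost's `output file` directive logs to `/var/log/caddy/{{ domain }}.access.log`, the same file as the production vhost, so both sites write into one log with two independent rollers and the staging traffic is indistinguishable from production in the record; that line should be `output file /var/log/caddy/{{ staging_domain }}.access.log {`. `roll_keep 5` of `3MiB` with `roll_keep_for 48h` is a short retention window for an access log that may be the only trace of an incident — document the choice or make it a variable. The two site blocks are otherwise identical, so a Caddy snippet (`(site) { ... }` pulled in with `import site`) would remove the duplication that let this slip through.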

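--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -0,0 +1,18 @@
+---
+- hosts: all
+gather_facts: true
+roles:
+- linode-preflight
+- caddy-ansible
+- jekyll-site
+- web-server
+tasks:
+- name: clean-up | Close now unneeded firewall ports.
+ufw:
+rule: allow
+port: "{{ item }}"
+proto: tcp
+delete: yes
+become: yes
+loop:
+- '22'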
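Review bot: The clean-up task tries to remove the port-22 rule with `rule: allow`, but `linode-preflight/tasks/firewall.yml` created it with `rule: "{{ firewall__ssh_rule }}"`, which defaults to `limit`; the `ufw` module only deletes a rule that matches exactly, so port 22 most likely stays open after the play. Use `rule: "{{ firewall__ssh_rule }}"` here as well (or drop the variable on both sides). The play also runs all four roles and this clean-up in one go while still connected as root on port 22; it works for the first run only because the `restart sshd` handler fires at the end of the play and the existing connection survives the port change, which deserves a comment next to `gather_facts: true` so nobody splits this into two plays without re-checking the sequence.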