initial ansible implementation
authorFelix Ableitner <me@nutomic.com>
Sat, 17 Aug 2019 16:30:12 +0000 (18:30 +0200)
committerFelix Ableitner <me@nutomic.com>
Tue, 20 Aug 2019 17:36:49 +0000 (19:36 +0200)
.gitignore [new file with mode: 0644]
ansible/ansible.cfg [new file with mode: 0644]
ansible/inventory.example [new file with mode: 0644]
ansible/lemmy.yml [new file with mode: 0644]
ansible/nginx.conf [new file with mode: 0644]

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..6d0e0ba
--- /dev/null
@@ -0,0 +1 @@
+ansible/inventory
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644 (file)
index 0000000..960a7c4
--- /dev/null
@@ -0,0 +1,5 @@
+[defaults]
+inventory=inventory
+
+[ssh_connection]
+pipelining = True
diff --git a/ansible/inventory.example b/ansible/inventory.example
new file mode 100644 (file)
index 0000000..52b45d3
--- /dev/null
@@ -0,0 +1,6 @@
+[lemmy]
+# define the username and hostname that you use for ssh connection, and specify the domain
+myuser@example.com  domain=example.com  letsencrypt_contact_email=your@email.com
+
+[all:vars]
+ansible_connection=ssh
diff --git a/ansible/lemmy.yml b/ansible/lemmy.yml
new file mode 100644 (file)
index 0000000..8830f20
--- /dev/null
@@ -0,0 +1,54 @@
+---
+- hosts: all
+
+  # Install python if required
+  # https://www.josharcher.uk/code/ansible-python-connection-failure-ubuntu-server-1604/
+  gather_facts: False
+  pre_tasks:
+    - name: install python for Ansible
+      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal python-setuptools)
+      args:
+        executable: /bin/bash
+      register: output
+      changed_when: output.stdout != ""
+    - setup: # gather facts
+
+  tasks:
+  - name: install dependencies
+    apt:
+      pkg: ['nginx', 'docker-compose', 'docker.io', 'certbot']
+
+  - name: create lemmy folder
+    file: path={{item.path}} state=directory
+    with_items:
+      - { path: '/lemmy/' }
+
+  - name:  add all template files
+    template: src={{item.src}} dest={{item.dest}}
+    with_items:
+      - { src: '../docker/prod/docker-compose.yml', dest: '/lemmy/docker-compose.yml' }
+      - { src: 'nginx.conf', dest: '/lemmy/nginx.conf' }
+
+  - name: request letsencrypt certificates
+    command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
+    args:
+      creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
+
+  - name: enable and start docker service
+    systemd:
+      name: docker
+      enabled: yes
+      state: started
+
+  - name: start docker-compose
+    docker_compose:
+      project_src: /peertube/
+      state: present
+      pull: yes
+
+  - name: renew certbot certificates
+    cron:
+      special_time=daily
+      name=certbot-renew
+      user=root
+      job="certbot certonly --webroot --webroot-path=/peertube/volumes/certbot/ -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
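Review bot: The `docker_compose` task's `project_src: /peertube/` and the cron job's `/peertube/volumes/certbot/` and `/peertube/docker-compose.yml` paths name a directory this playbook never creates; the earlier tasks put the folder and the compose file under `/lemmy/`, so the compose start and the renewal hook would both fail on a fresh host. Change them to `project_src: /lemmy/` and the matching `/lemmy/...` paths in the job string. The initial issuance uses `certbot certonly --standalone`, which needs port 80 free, but the apt task installs nginx, which on Debian-family hosts usually starts listening on 80 at install time — worth confirming the first run actually succeeds. The cron arguments are a multi-line plain scalar of `key=value` pairs; the native block form (`special_time: daily`, `name: certbot-renew`, `user: root`, `job: "..."`) is the Ansible convention and avoids the nested quoting in the job string, and `enabled: yes` / `pull: yes` should be `true` per yamllint's truthy rule.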
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
new file mode 100644 (file)
index 0000000..e0aaec9
--- /dev/null
@@ -0,0 +1,33 @@
+server {
+    listen 80;
+    server_name {{ domain }};
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name {{ domain }};
+
+    ssl_certificate /certs/live/{{ domain }}/fullchain.pem;
+    ssl_certificate_key /certs/live/{{ domain }}/privkey.pem;
+
+    # TODO: add security params
+
+    location / {
+        rewrite (\/(user|u|inbox|post|community|c|login|search|sponsors|communities|modlog|home)+) /static/index.html break;
+        proxy_pass http://0.0.0.0:8536;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
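Review bot: The HTTPS server block ships with the `# TODO: add security params` placeholder and no TLS hardening, so the listener accepts whatever protocol and cipher defaults the nginx build has and sends no HSTS; at minimum add `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 assumes a recent nginx/OpenSSL in the image — verify) and `add_header Strict-Transport-Security "max-age=63072000" always;` after the certificate lines. `proxy_pass http://0.0.0.0:8536;` should be `proxy_pass http://127.0.0.1:8536;` — 0.0.0.0 is a bind address, not a destination, and happens to work only on some platforms. The `rewrite` regex is unanchored, so any URI containing one of the listed segments anywhere (not just as the first path element) is rewritten to `/static/index.html`; anchoring it as `rewrite ^(/(user|u|inbox|…)+) /static/index.html break;` matches the apparent intent. The ACME root here is `/var/www/certbot` while the renewal cron in `ansible/lemmy.yml` writes challenges to `/peertube/volumes/certbot/`; presumably a volume mount in the compose file bridges these, but that file is not in this commit, so confirm the two paths line up or renewals will silently fail.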