From 1900b6658dd7a452040d037846e928a855a0dace Mon Sep 17 00:00:00 2001 From: Michele Carraglia Date: Tue, 29 Oct 2024 16:18:05 +0100 Subject: [PATCH] Initial commit --- .gitignore | 3 + LICENSE | 305 +++++++++++++++++ README.md | 3 + ansible.cfg | 506 ++++++++++++++++++++++++++++ group_vars/all/README.md | 12 + group_vars/all/all.yml | 87 +++++ inventory/hosts.production | 2 + requirements.yml | 23 ++ roles/wordpress_local/meta/main.yml | 5 + run.sh | 85 +++++ site.yml | 7 + 11 files changed, 1038 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 group_vars/all/README.md create mode 100644 group_vars/all/all.yml create mode 100644 inventory/hosts.production create mode 100644 requirements.yml create mode 100644 roles/wordpress_local/meta/main.yml create mode 100755 run.sh create mode 100644 site.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..423b8aa --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +# ---> Ansible +*.retry +.vscode diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c108cad --- /dev/null +++ b/LICENSE @@ -0,0 +1,305 @@ +European Union Public Licence v. 1.2 + +EUPL © the European Union 2007, 2016 + +This European Union Public Licence (the 'EUPL') applies to the Work (as defined +below) which is provided under the terms of this Licence. Any use of the Work, +other than as authorised under this Licence is prohibited (to the extent such +use is covered by a right of the copyright holder of the Work). + +The Work is provided under the terms of this Licence when the Licensor (as +defined below) has placed the following notice immediately following the copyright +notice for the Work: + + + + Licensed under the EUPL + + + +or has expressed by any other means his willingness to license under the EUPL. + + 1. Definitions + + In this Licence, the following terms have the following meaning: + + — 'The Licence': this Licence. + +— 'The Original Work': the work or software distributed or communicated by +the Licensor under this Licence, available as Source Code and also as Executable +Code as the case may be. + +— 'Derivative Works': the works or software that could be created by the Licensee, +based upon the Original Work or modifications thereof. This Licence does not +define the extent of modification or dependence on the Original Work required +in order to classify a work as a Derivative Work; this extent is determined +by copyright law applicable in the country mentioned in Article 15. + + — 'The Work': the Original Work or its Derivative Works. + +— 'The Source Code': the human-readable form of the Work which is the most +convenient for people to study and modify. + +— 'The Executable Code': any code which has generally been compiled and which +is meant to be interpreted by a computer as a program. + +— 'The Licensor': the natural or legal person that distributes or communicates +the Work under the Licence. + +— 'Contributor(s)': any natural or legal person who modifies the Work under +the Licence, or otherwise contributes to the creation of a Derivative Work. + +— 'The Licensee' or 'You': any natural or legal person who makes any usage +of the Work under the terms of the Licence. + +— 'Distribution' or 'Communication': any act of selling, giving, lending, +renting, distributing, communicating, transmitting, or otherwise making available, +online or offline, copies of the Work or providing access to its essential +functionalities at the disposal of any other natural or legal person. + + 2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable +licence to do the following, for the duration of copyright vested in the Original +Work: + + — use the Work in any circumstance and for all usage, + + — reproduce the Work, + + — modify the Work, and make Derivative Works based upon the Work, + +— communicate to the public, including the right to make available or display +the Work or copies thereof to the public and perform publicly, as the case +may be, the Work, + + — distribute the Work or copies thereof, + + — lend and rent the Work or copies thereof, + + — sublicense rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether +now known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non-exclusive usage rights +to any patents held by the Licensor, to the extent necessary to make use of +the rights granted on the Work under this Licence. + + 3. Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as Executable +Code. If the Work is provided as Executable Code, the Licensor provides in +addition a machine-readable copy of the Source Code of the Work along with +each copy of the Work that the Licensor distributes or indicates, in a notice +following the copyright notice attached to the Work, a repository where the +Source Code is easily and freely accessible for as long as the Licensor continues +to distribute or communicate the Work. + + 4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits +from any exception or limitation to the exclusive rights of the rights owners +in the Work, of the exhaustion of those rights or of other applicable limitations +thereto. + + 5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: The Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the disclaimer +of warranties. The Licensee must include a copy of such notices and a copy +of the Licence with every copy of the Work he/she distributes or communicates. +The Licensee must cause any Derivative Work to carry prominent notices stating +that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes or communicates copies of the +Original Works or Derivative Works, this Distribution or Communication will +be done under the terms of this Licence or of a later version of this Licence +unless the Original Work is expressly distributed only under this version +of the Licence — for example by communicating 'EUPL v. 1.2 only'. The Licensee +(becoming Licensor) cannot offer or impose any additional terms or conditions +on the Work or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes or Communicates Derivative +Works or copies thereof based upon both the Work and another work licensed +under a Compatible Licence, this Distribution or Communication can be done +under the terms of this Compatible Licence. For the sake of this clause, 'Compatible +Licence' refers to the licences listed in the appendix attached to this Licence. +Should the Licensee's obligations under the Compatible Licence conflict with +his/her obligations under this Licence, the obligations of the Compatible +Licence shall prevail. + +Provision of Source Code: When distributing or communicating copies of the +Work, the Licensee will provide a machine-readable copy of the Source Code +or indicate a repository where this Source will be easily and freely available +for as long as the Licensee continues to distribute or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade +names, trademarks, service marks, or names of the Licensor, except as required +for reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + + 6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has +the power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent Contributors +grant You a licence to their contributions to the Work, under the terms of +this Licence. + + 7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +Contributors. It is not a finished work and may therefore contain defects +or 'bugs' inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an 'as is' +basis and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other +than copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + + 8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the +use of the Work, including without limitation, damages for loss of goodwill, +work stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such damage. +However, the Licensor will be liable under statutory product liability laws +as far such laws apply to the Work. + + 9. Additional agreements + +While distributing the Work, You may choose to conclude an additional agreement, +defining obligations or services consistent with this Licence. However, if +accepting obligations, You may act only on your own behalf and on your sole +responsibility, not on behalf of the original Licensor or any other Contributor, +and only if You agree to indemnify, defend, and hold each Contributor harmless +for any liability incurred by, or claims asserted against such Contributor +by the fact You have accepted any warranty or additional liability. + + 10. Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon 'I agree' +placed under the bottom of a window displaying the text of this Licence or +by affirming consent in any other similar way, in accordance with the rules +of applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and conditions +by exercising any rights granted to You by Article 2 of this Licence, such +as the use of the Work, the creation by You of a Derivative Work or the Distribution +or Communication by You of the Work or copies thereof. + + 11. Information to the public + +In case of any Distribution or Communication of the Work by means of electronic +communication by You (for example, by offering to download the Work from a +remote location) the distribution channel or media (for example, a website) +must at least provide to the public the information requested by the applicable +law regarding the Licensor, the Licence and the way it may be accessible, +concluded, stored and reproduced by the Licensee. + + 12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically +upon any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has received +the Work from the Licensee under the Licence, provided such persons remain +in full compliance with the Licence. + + 13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as +a whole. Such provision will be construed or reformed so as necessary to make +it valid and enforceable. + +The European Commission may publish other linguistic versions or new versions +of this Licence or updated versions of the Appendix, so far this is required +and reasonable, without reducing the scope of the rights granted by the Licence. +New versions of the Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version +of their choice. + + 14. Jurisdiction + + Without prejudice to specific agreement between parties, + +— any litigation resulting from the interpretation of this License, arising +between the European Union institutions, bodies, offices or agencies, as a +Licensor, and any Licensee, will be subject to the jurisdiction of the Court +of Justice of the European Union, as laid down in article 272 of the Treaty +on the Functioning of the European Union, + +— any litigation arising between other parties and resulting from the interpretation +of this License, will be subject to the exclusive jurisdiction of the competent +court where the Licensor resides or conducts its primary business. + + 15. Applicable Law + + Without prejudice to specific agreement between parties, + +— this Licence shall be governed by the law of the European Union Member State +where the Licensor has his seat, resides or has his registered office, + +— this licence shall be governed by Belgian law if the Licensor has no seat, +residence or registered office inside a European Union Member State. + +Appendix + +'Compatible Licences' according to Article 5 EUPL are: + + — GNU General Public License (GPL) v. 2, v. 3 + + — GNU Affero General Public License (AGPL) v. 3 + + — Open Software License (OSL) v. 2.1, v. 3.0 + + — Eclipse Public License (EPL) v. 1.0 + + — CeCILL v. 2.0, v. 2.1 + + — Mozilla Public Licence (MPL) v. 2 + + — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 + +— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for +works other than software + + — European Union Public Licence (EUPL) v. 1.1, v. 1.2 + +— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity +(LiLiQ-R+). + +The European Commission may update this Appendix to later versions of the +above licences without producing a new version of the EUPL, as long as they +provide the rights granted in Article 2 of this Licence and protect the covered +Source Code from exclusive appropriation. + +All other changes or additions to this Appendix require the production of +a new EUPL version. diff --git a/README.md b/README.md new file mode 100644 index 0000000..13f663f --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# wp-template + +Template for Wordpress instance that hosts a website diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..545ac5a --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,506 @@ +# config file for ansible -- https://ansible.com/ +# =============================================== + +# nearly all parameters can be overridden in ansible-playbook +# or with command line flags. ansible will read ANSIBLE_CONFIG, +# ansible.cfg in the current working directory, .ansible.cfg in +# the home directory or /etc/ansible/ansible.cfg, whichever it +# finds first + +[defaults] + +# some basic default values... + +#inventory = /etc/ansible/hosts +library = ./modules +#module_utils = /usr/share/my_module_utils/ +#remote_tmp = ~/.ansible/tmp +#local_tmp = ~/.ansible/tmp +#plugin_filters_cfg = /etc/ansible/plugin_filters.yml +#forks = 5 +#poll_interval = 15 +#sudo_user = root +#ask_sudo_pass = True +#ask_pass = True +#transport = smart +#remote_port = 22 +#module_lang = C +#module_set_locale = False + +# plays will gather facts by default, which contain information about +# the remote system. +# +# smart - gather by default, but don't regather if already gathered +# implicit - gather by default, turn off with gather_facts: False +# explicit - do not gather by default, must say gather_facts: True +gathering = smart + +# This only affects the gathering done by a play's gather_facts directive, +# by default gathering retrieves all facts subsets +# all - gather all subsets +# network - gather min and network facts +# hardware - gather hardware facts (longest facts to retrieve) +# virtual - gather min and virtual facts +# facter - import facts from facter +# ohai - import facts from ohai +# You can combine them using comma (ex: network,virtual) +# You can negate them using ! (ex: !hardware,!facter,!ohai) +# A minimal set of facts is always gathered. +#gather_subset = all + +# some hardware related facts are collected +# with a maximum timeout of 10 seconds. This +# option lets you increase or decrease that +# timeout to something more suitable for the +# environment. +# gather_timeout = 10 + +# Ansible facts are available inside the ansible_facts.* dictionary +# namespace. This setting maintains the behaviour which was the default prior +# to 2.5, duplicating these variables into the main namespace, each with a +# prefix of 'ansible_'. +# This variable is set to True by default for backwards compatibility. It +# will be changed to a default of 'False' in a future release. +# ansible_facts. +# inject_facts_as_vars = True + +# additional paths to search for roles in, colon separated +#roles_path = /etc/ansible/roles + +# uncomment this to disable SSH key host checking +host_key_checking = False + +# change the default callback, you can only have one 'stdout' type enabled at a time. +#stdout_callback = skippy + + +## Ansible ships with some plugins that require whitelisting, +## this is done to avoid running all of a type by default. +## These setting lists those that you want enabled for your system. +## Custom plugins should not need this unless plugin author specifies it. + +# enable callback plugins, they can output to stdout but cannot be 'stdout' type. +callback_whitelist = timer,profile_roles,profile_tasks,mail + +# Determine whether includes in tasks and handlers are "static" by +# default. As of 2.0, includes are dynamic by default. Setting these +# values to True will make includes behave more like they did in the +# 1.x versions. +#task_includes_static = False +#handler_includes_static = False + +# Controls if a missing handler for a notification event is an error or a warning +#error_on_missing_handler = True + +# change this for alternative sudo implementations +#sudo_exe = sudo + +# What flags to pass to sudo +# WARNING: leaving out the defaults might create unexpected behaviours +#sudo_flags = -H -S -n + +# SSH timeout +#timeout = 10 + +# default user to use for playbooks if user is not specified +# (/usr/bin/ansible will use current user as default) +#remote_user = root +remote_user = ansible + +# logging is off by default unless this path is defined +# if so defined, consider logrotate +#log_path = /var/log/ansible.log + +# default module name for /usr/bin/ansible +#module_name = command + +# use this shell for commands executed under sudo +# you may need to change this to bin/bash in rare instances +# if sudo is constrained +#executable = /bin/sh + +# if inventory variables overlap, does the higher precedence one win +# or are hash values merged together? The default is 'replace' but +# this can also be set to 'merge'. +#hash_behaviour = replace + +# by default, variables from roles will be visible in the global variable +# scope. To prevent this, the following option can be enabled, and only +# tasks and handlers within the role will see the variables there +#private_role_vars = yes + +# list any Jinja2 extensions to enable here: +#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n + +# if set, always use this private key file for authentication, same as +# if passing --private-key to ansible or ansible-playbook +#private_key_file = /path/to/file + +# If set, configures the path to the Vault password file as an alternative to +# specifying --vault-password-file on the command line. +#vault_password_file = /path/to/vault_password_file + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. +# replacing {file}, {host} and {uid} and strftime codes with proper values. +ansible_managed = Ansible managed: {file} on {host} +# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence +# in some situations so the default is a static string: +#ansible_managed = Ansible managed + +# by default, ansible-playbook will display "Skipping [host]" if it determines a task +# should not be run on a host. Set this to "False" if you don't want to see these "Skipping" +# messages. NOTE: the task header will still be shown regardless of whether or not the +# task is skipped. +#display_skipped_hosts = True + +# by default, if a task in a playbook does not include a name: field then +# ansible-playbook will construct a header that includes the task's action but +# not the task's args. This is a security feature because ansible cannot know +# if the *module* considers an argument to be no_log at the time that the +# header is printed. If your environment doesn't have a problem securing +# stdout from ansible-playbook (or you have manually specified no_log in your +# playbook on all of the tasks where you have secret information) then you can +# safely set this to True to get more informative messages. +#display_args_to_stdout = False + +# by default (as of 1.3), Ansible will raise errors when attempting to dereference +# Jinja2 variables that are not set in templates or action lines. Uncomment this line +# to revert the behavior to pre-1.3. +#error_on_undefined_vars = False + +# by default (as of 1.6), Ansible may display warnings based on the configuration of the +# system running ansible itself. This may include warnings about 3rd party packages or +# other conditions that should be resolved if possible. +# to disable these warnings, set the following value to False: +#system_warnings = True + +# by default (as of 1.4), Ansible may display deprecation warnings for language +# features that should no longer be used and will be removed in future versions. +# to disable these warnings, set the following value to False: +#deprecation_warnings = True + +# (as of 1.8), Ansible can optionally warn when usage of the shell and +# command module appear to be simplified by using a default Ansible module +# instead. These warnings can be silenced by adjusting the following +# setting or adding warn=yes or warn=no to the end of the command line +# parameter string. This will for example suggest using the git module +# instead of shelling out to the git command. +command_warnings = True +ssh_args = -o ControlMaster=auto -o ControlPersist=600s +control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r + + +# set plugin path directories here, separate with colons +action_plugins = /usr/share/ansible/plugins/action +#cache_plugins = /usr/share/ansible/plugins/cache +callback_plugins = /usr/share/ansible/plugins/callback +connection_plugins = /usr/share/ansible/plugins/connection +lookup_plugins = /usr/share/ansible/plugins/lookup +#inventory_plugins = /usr/share/ansible/plugins/inventory +vars_plugins = /usr/share/ansible/plugins/vars +filter_plugins = /usr/share/ansible/plugins/filter +test_plugins = /usr/share/ansible/plugins/test +#terminal_plugins = /usr/share/ansible/plugins/terminal +#strategy_plugins = /usr/share/ansible/plugins/strategy + + +# by default, ansible will use the 'linear' strategy but you may want to try +# another one +#strategy = free + +# by default callbacks are not loaded for /bin/ansible, enable this if you +# want, for example, a notification or logging callback to also apply to +# /bin/ansible runs +bin_ansible_callbacks = True + + +# don't like cows? that's unfortunate. +# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 +#nocows = 1 + +# set which cowsay stencil you'd like to use by default. When set to 'random', +# a random stencil will be selected for each task. The selection will be filtered +# against the `cow_whitelist` option below. +#cow_selection = default +#cow_selection = random + +# when using the 'random' option for cowsay, stencils will be restricted to this list. +# it should be formatted as a comma-separated list with no spaces between names. +# NOTE: line continuations here are for formatting purposes only, as the INI parser +# in python does not support them. +#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\ +# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\ +# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www + +# don't like colors either? +# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 +#nocolor = 1 + +# if set to a persistent type (not 'memory', for example 'redis') fact values +# from previous runs in Ansible will be stored. This may be useful when +# wanting to use, for example, IP information from one group of servers +# without having to talk to them in the same playbook run to get their +# current IP information. +fact_caching = memory + +#This option tells Ansible where to cache facts. The value is plugin dependent. +#For the jsonfile plugin, it should be a path to a local directory. +#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0 + +fact_caching_connection=$HOME/.ansible/facts + + + +# retry files +# When a playbook fails by default a .retry file will be created in ~/ +# You can disable this feature by setting retry_files_enabled to False +# and you can change the location of the files by setting retry_files_save_path + +retry_files_enabled = False +retry_files_save_path = ~/.ansible_retry + +# squash actions +# Ansible can optimise actions that call modules with list parameters +# when looping. Instead of calling the module once per with_ item, the +# module is called once with all items at once. Currently this only works +# under limited circumstances, and only with parameters named 'name'. +#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper + +# prevents logging of task data, off by default +#no_log = False + +# prevents logging of tasks, but only on the targets, data is still logged on the master/controller +no_target_syslog = False + +# controls whether Ansible will raise an error or warning if a task has no +# choice but to create world readable temporary files to execute a module on +# the remote machine. This option is False by default for security. Users may +# turn this on to have behaviour more like Ansible prior to 2.1.x. See +# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user +# for more secure ways to fix this than enabling this option. +#allow_world_readable_tmpfiles = False + +# controls the compression level of variables sent to +# worker processes. At the default of 0, no compression +# is used. This value must be an integer from 0 to 9. +#var_compression_level = 9 + +# controls what compression method is used for new-style ansible modules when +# they are sent to the remote system. The compression types depend on having +# support compiled into both the controller's python and the client's python. +# The names should match with the python Zipfile compression types: +# * ZIP_STORED (no compression. available everywhere) +# * ZIP_DEFLATED (uses zlib, the default) +# These values may be set per host via the ansible_module_compression inventory +# variable +#module_compression = 'ZIP_DEFLATED' + +# This controls the cutoff point (in bytes) on --diff for files +# set to 0 for unlimited (RAM may suffer!). +#max_diff_size = 1048576 + +# This controls how ansible handles multiple --tags and --skip-tags arguments +# on the CLI. If this is True then multiple arguments are merged together. If +# it is False, then the last specified argument is used and the others are ignored. +# This option will be removed in 2.8. +#merge_multiple_cli_flags = True + +# Controls showing custom stats at the end, off by default +show_custom_stats = True + +# Controls which files to ignore when using a directory as inventory with +# possibly multiple sources (both static and dynamic) +inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo + +# This family of modules use an alternative execution path optimized for network appliances +# only update this setting if you know how this works, otherwise it can break module execution +#network_group_modules=eos, nxos, ios, iosxr, junos, vyos + +# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as +# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain +# jinja2 templating language which will be run through the templating engine. +# ENABLING THIS COULD BE A SECURITY RISK +#allow_unsafe_lookups = False + +# set default errors for all plays +#any_errors_fatal = False + +[inventory] +# enable inventory plugins, default: 'host_list', 'script', 'yaml', 'ini', 'auto' +#enable_plugins = host_list, virtualbox, yaml, constructed + +# ignore these extensions when parsing a directory as inventory source +#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry + +# ignore files matching these patterns when parsing a directory as inventory source +#ignore_patterns= + +# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise. +#unparsed_is_failed=False + +[privilege_escalation] +become=True +become_method=sudo +become_user=root +become_ask_pass=False + +[paramiko_connection] + +# uncomment this line to cause the paramiko connection plugin to not record new host +# keys encountered. Increases performance on new host additions. Setting works independently of the +# host key checking setting above. +record_host_keys=False + +# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this +# line to disable this behaviour. +#pty=False + +# paramiko will default to looking for SSH keys initially when trying to +# authenticate to remote devices. This is a problem for some network devices +# that close the connection after a key failure. Uncomment this line to +# disable the Paramiko look for keys function +#look_for_keys = False + +# When using persistent connections with Paramiko, the connection runs in a +# background process. If the host doesn't already have a valid SSH key, by +# default Ansible will prompt to add the host key. This will cause connections +# running in background processes to fail. Uncomment this line to have +# Paramiko automatically add host keys. +#host_key_auto_add = True + +[ssh_connection] + +# ssh arguments to use +# Leaving off ControlPersist will result in poor performance, so use +# paramiko on older platforms rather than removing it, -C controls compression use +ssh_args = -C -o ControlMaster=auto -o ControlPersist=120s + +# The base directory for the ControlPath sockets. +# This is the "%(directory)s" in the control_path option +# +# Example: +# control_path_dir = /tmp/.ansible/cp +#control_path_dir = ~/.ansible/cp + +# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, +# port and username (empty string in the config). The hash mitigates a common problem users +# found with long hostames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format. +# In those cases, a "too long for Unix domain socket" ssh error would occur. +# +# Example: +#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r +#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r +#control_path = + +# Enabling pipelining reduces the number of SSH operations required to +# execute a module on the remote server. This can result in a significant +# performance improvement when enabled, however when using "sudo:" you must +# first disable 'requiretty' in /etc/sudoers +# +# By default, this option is disabled to preserve compatibility with +# sudoers configurations that have requiretty (the default on many distros). +# +pipelining = True + +# Control the mechanism for transferring files (old) +# * smart = try sftp and then try scp [default] +# * True = use scp only +# * False = use sftp only +#scp_if_ssh = smart + +# Control the mechanism for transferring files (new) +# If set, this will override the scp_if_ssh option +# * sftp = use sftp to transfer files +# * scp = use scp to transfer files +# * piped = use 'dd' over SSH to transfer files +# * smart = try sftp, scp, and piped, in that order [default] +transfer_method = smart + +# if False, sftp will not use batch mode to transfer files. This may cause some +# types of file transfer failures impossible to catch however, and should +# only be disabled if your sftp version has problems with batch mode +#sftp_batch_mode = False + +# The -tt argument is passed to ssh when pipelining is not enabled because sudo +# requires a tty by default. +#use_tty = True + +# Number of times to retry an SSH connection to a host, in case of UNREACHABLE. +# For each retry attempt, there is an exponential backoff, +# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max). +retries = 3 + +[persistent_connection] + +# Configures the persistent connection timeout value in seconds. This value is +# how long the persistent connection will remain idle before it is destroyed. +# If the connection doesn't receive a request before the timeout value +# expires, the connection is shutdown. The default value is 30 seconds. +connect_timeout = 120 + +# Configures the persistent connection retry timeout. This value configures the +# the retry timeout that ansible-connection will wait to connect +# to the local domain socket. This value must be larger than the +# ssh timeout (timeout) and less than persistent connection idle timeout (connect_timeout). +# The default value is 15 seconds. +#connect_retry_timeout = 15 + +# The command timeout value defines the amount of time to wait for a command +# or RPC call before timing out. The value for the command timeout must +# be less than the value of the persistent connection idle timeout (connect_timeout) +# The default value is 10 second. +#command_timeout = 10 + +[accelerate] +#accelerate_port = 5099 +#accelerate_timeout = 30 +#accelerate_connect_timeout = 5.0 + +# The daemon timeout is measured in minutes. This time is measured +# from the last activity to the accelerate daemon. +#accelerate_daemon_timeout = 30 + +# If set to yes, accelerate_multi_key will allow multiple +# private keys to be uploaded to it, though each user must +# have access to the system via SSH to add a new key. The default +# is "no". +#accelerate_multi_key = yes + +[selinux] +# file systems that require special treatment when dealing with security context +# the default behaviour that copies the existing context or uses the user default +# needs to be changed to use the file system dependent context. +#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p + +# Set this to yes to allow libvirt_lxc connections to work without SELinux. +#libvirt_lxc_noseclabel = yes + +[colors] +#highlight = white +#verbose = blue +#warn = bright purple +#error = red +#debug = dark gray +#deprecate = purple +#skip = cyan +#unreachable = red +#ok = green +#changed = yellow +#diff_add = green +#diff_remove = red +#diff_lines = cyan + + +[diff] +# Always print diff when running ( same as always running with -D/--diff ) +# always = no + +# Set how many context lines to show in diff +# context = 3 + +[ara] +api_client = http +api_timeout = 30 +api_server = http://127.0.0.1:8000 + diff --git a/group_vars/all/README.md b/group_vars/all/README.md new file mode 100644 index 0000000..eda6d22 --- /dev/null +++ b/group_vars/all/README.md @@ -0,0 +1,12 @@ +# required variables in vault file ( vault_all.yml or *vault* ) + +postfix_smtp_relay_pwd: (if postfix required) + +wordpress_db_pwd: + +wordpress_admin_pwd: + +mysql_root_password: + +phpmyadmin_blowfish_secret: (if phpmyadmin required) + diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml new file mode 100644 index 0000000..4ca6a59 --- /dev/null +++ b/group_vars/all/all.yml @@ -0,0 +1,87 @@ +--- +# Search 'template' or 'TEMPLATE' to substitute specific variables + +time_zone: 'Europe/Rome' +domain_name: 'isti.cnr.it' +iptables_default_policy: REJECT +nagios_enabled: False +postfix_relay_host: smtp-srv.isti.cnr.it +postfix_relay_client: False +postfix_use_letsencrypt: True +# SMTP server (require specific smtp user to be created) +# postfix_smtp_relay_user: smtp-template +# +letsencrypt_acme_install: True +letsencrypt_email: s2i2s@isti.cnr.it +letsencrypt_acme_email: s2i2s@isti.cnr.it +letsencrypt_acme_cron_day_of_month: '1-15' +letsencrypt_acme_sh_explicitly_install_certs: True +letsencrypt_ocsp_must_staple: True +letsencrypt_acme_sh_use_ecc: False +http_port: 80 +https_port: 443 + +# Bug with the PHP repository. The php8.3-cli package is always installed and breaks the mysql setup +additional_packages: + - php8.3-mysql + +# Some name aliases are too long for the default +nginx_server_names_hash_bucket_size: 128 + +resolv_conf_ip: + - '146.48.80.4' + - '146.48.80.3' + +wordpress_servername: 'www.template.it' +wordpress_aliases: 'template.{{ domain_name }}' +wordpress_admin_email: 'template@isti.cnr.it' +wordpress_title: 'Template site' +wordpress_upload_max_filesize: 200M + +phpmyadmin_install: True +phpmyadmin_shared_installation: True +phpmyadmin_behind_nginx: True +phpmyadmin_behind_apache: False +phpmyadmin_phpfpm_app_context: '/' +phpmyadmin_phpfpm_virthost: '{{ ansible_fqdn }}' +phpmyadmin_default_lang: 'it' +phpmyadmin_target_servers: + - { id: '1', description: 'TEMPLATE WP', host: 'localhost', port: 3306, socket: '', ssl: 'false', auth_type: 'cookie', user: '', password: '', only_db: "'wp_db'", allowroot: 'false' } + +phpfpm_listen_on_socket: True +# Remove the phpmyadmin_phpfpm_pool from the list if phpMyAdmin is not required +phpfpm_pools: + - '{{ wordpress_phpfpm_pool }}' + - '{{ phpmyadmin_phpfpm_pool }}' + +letsencrypt_acme_sh_domains: + - { domain: '{{ ansible_fqdn }}', standalone: True } + - { domain: '{{ wordpress_servername }}', standalone: True } + - { domain: 'template.isti.cnr.it', standalone: True } + +users_system_users: + - { login: 'andrea.dellamico', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ andrea_dellamico }}', shell: '/bin/bash', admin: True, limited_sudoers_user: False } + - { login: 'tommaso.piccioli', name: "Tommaso Piccioli", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ tommaso_piccioli }}', shell: '/bin/bash', admin: True, limited_sudoers_user: False } + - { login: 'franca.debole', name: "Franca Debole", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ franca_debole }}', shell: '/bin/bash', admin: True, limited_sudoers_user: False } + +sshd_enable_sftp_subsystem: True +sshd_enable_sftp_jail: True +sshd_sftp_chroot_match_group: '{{ wordpress_system_user }}' +sshd_sftp_chroot_directory: '/var/www/html' + +users_additional_groups: + - { group: '{{ sshd_sftp_chroot_match_group }}' } +users_system_users_adjunct: + - { login: 'template.user', group: '{{ sshd_sftp_chroot_match_group }}', name: "Template User", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ template_user_ssh_key }}', shell: '/usr/sbin/nologin', admin: False, log_as_root: False } + +additional_data_directories: + - { name: '{{ wordpress_doc_root }}', file: False, create: False, perms: '0755', owner: '{{ wordpress_system_user }}', group: '{{ common_users_group }}', aclperms: 'rwX' } + + +andrea_dellamico: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente +tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom +luca_trupiano: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+KPRBXAPaWowOs8GQh/x357VIXO2mXZWQ3x/rJ+6OvU30ks95Fz2FgC2QpvMsuGOjlbJteyzbEBRNr/R0ix1DAuAYR14VrLZffIw+Sx7Hi4UC90WgreQJixfbqT/FE2bw0aCW0qYJSWulTopf3WXxjiB1GcU7IcMzFO6sF0NddmK0bI7QOHltdznxu/5pgmulY1KkwwdvXHOSNnUoQSU0VH/5agiP3dTvL4M1xRNDgfbbK3e2a5/bNLO0SDHGAhx0ajjf/A+Vuu492X6wvQfsZuyL0Yo+co/ofmY+llR4zM+/vAMsskk8AdVXdM85JNwGDFgpQFgBQgzCmDlUXRCL luca@tacitus +franca_debole: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5al6w7Lsm2hVP5Ak3y1YVuqB02vrCvlNQSjF3+y4U/KwSsLDk0EtK6cZQuplehVK+XkdiIxECTokyvwulfHSMa25p8l4bjUA44TTdeWlHjcFgt2SFXbSeAY/XeoukKlafccKqVF0ySrKIIQj94oWIB15qIZMSg8HVIU6XtpHjlF2w8K+YrzmDnU3hs+f1bHp9gi5Q2JKVqm3ZIiUIvb1bYGNq7rdMf0xjAn1ZGuvmEIRSwqR8YMtyIHnrPsMh+sdnV3PosyUQRt/b74Df/ufvJ2t9QBlOprrCQxWibcjYktDOBP4AT5he3giXjz51FJqx7hEj2ISVSiwln5G/cPor franca@Mac.local +# add here user ssh_key +# template_user_ssh_key: ssh-rsa ... + diff --git a/inventory/hosts.production b/inventory/hosts.production new file mode 100644 index 0000000..792bc13 --- /dev/null +++ b/inventory/hosts.production @@ -0,0 +1,2 @@ +[all] +nomesito.isti.cnr.it diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..543f5cb --- /dev/null +++ b/requirements.yml @@ -0,0 +1,23 @@ +--- +- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git + version: master + name: basic-system-setup + state: latest +- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-user_services_perms.git + version: master + name: user_services_perms + state: latest +- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git + version: master + name: zabbix-agent + state: latest +- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-wordpress.git + version: master + name: wordpress + state: latest +- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-phpmyadmin.git + version: master + name: phpMyAdmin + state: latest + when: phpmyadmin_install | bool + diff --git a/roles/wordpress_local/meta/main.yml b/roles/wordpress_local/meta/main.yml new file mode 100644 index 0000000..6e6b45f --- /dev/null +++ b/roles/wordpress_local/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - role: wordpress + - role: phpMyAdmin + when: phpmyadmin_install | bool diff --git a/run.sh b/run.sh new file mode 100755 index 0000000..93fb51e --- /dev/null +++ b/run.sh @@ -0,0 +1,85 @@ +#!/bin/bash +# +# The "directory/directory.yml" is the old way that we used to simplify jobs execution. +# The "directory/site.yml" is the syntax used by roles (from ansible version 1.2) +# +# Otherwise we can directly execute a single play (file) +# + +PAR=50 +TIMEOUT=15 +PLAY=site.yml +HOSTS_DIR=. +ANSIBLE_HOSTS= + +export TMPDIR=/var/tmp/${USER} +if [ ! -d ${TMPDIR} ] ; then + mkdir -p ${TMPDIR} +fi + +if [ -f ../ansible.cfg ] ; then + export ANSIBLE_CONFIG="../ansible.cfg" +fi +if [ -f ./ansible.cfg ] ; then + export ANSIBLE_CONFIG="./ansible.cfg" +fi + +# No cows! +export ANSIBLE_NOCOWS=1 + +export ANSIBLE_ERROR_ON_UNDEFINED_VARS=True +export ANSIBLE_HOST_KEY_CHECKING=False +export ANSIBLE_LIBRARY="/usr/share/ansible:./modules:../modules:$ANSIBLE_LIBRARY" + +# Update the galaxy requirements +if [ -f requirements.yml ] ; then + ansible-galaxy install --ignore-errors -f -r requirements.yml +fi + +PLAY_OPTS="-T $TIMEOUT -f $PAR" + +if [ -f "$1" ] ; then + PLAY=$1 +elif [ ! -f $PLAY ] ; then + echo "No play file available." + exit 1 +fi + +if [ -f "${PLAY}" ] ; then + MAIN="${PLAY}" + shift +elif [ -f "${PLAY}.yml" ]; then + MAIN="${PLAY}.yml" + shift +fi + +if [ -f ${HOSTS_DIR}/hosts ] ; then + ANSIBLE_HOSTS=${HOSTS_DIR}/hosts +fi +if [ -f ${HOSTS_DIR}/inventory/hosts ] ; then + ANSIBLE_HOSTS=${HOSTS_DIR}/inventory/hosts +fi +if [ ! -z "$ANSIBLE_HOSTS" ] ; then + PLAY_OPTS="-i $ANSIBLE_HOSTS" +fi + +#echo "Find vault encrypted files if any" +if [ -d ./group_vars ] ; then + VAULT_GROUP_FILES=$( find ./group_vars -name \*vault\* ) +fi +if [ -d ./host_vars ] ; then + VAULT_HOST_FILES=$( find ./host_vars -name \*vault\* ) +fi + + +if [ ! -z "$VAULT_GROUP_FILES" -o ! -z "$VAULT_HOST_FILES" ] ; then + # Vault needs a password. You can run playbooks that don't have encrypted files just passing a blank one. + # To encrypt a password for a user: python -c "from passlib.hash import sha512_crypt; print sha512_crypt.encrypt('')" + echo "There are password protected encrypted files, we will ask for password before proceeding" + PLAY_OPTS="$PLAY_OPTS --ask-vault-pass" +fi + +# Main +ansible-playbook $PLAY_OPTS $MAIN $@ + +rm -f /tmp/passwordfile diff --git a/site.yml b/site.yml new file mode 100644 index 0000000..c680898 --- /dev/null +++ b/site.yml @@ -0,0 +1,7 @@ +--- +- hosts: all + roles: + - ../library/bootstrap-roles/deb-ubuntu-common + - wordpress_local + - user_services_perms +