Ongoing refactoring and dev involving certbot nginx and vaultwarden

ansible/inventories/group_vars/automotive/automotive.yaml

@@ -1,31 +1,30 @@
 ---
-# Docker 
-wordpress_docker_tag: 7.0.0-php8.2-apache
-mysql_docker_tag: 9.7.0
-nginx_docker_tag: 1.31.1
-
+#Common Docker 
+docker_network_name: wp_net
 docker_base_volume_path: /usr/data/wp
 
 
 # MYSQL Docker 
-db_name: automotive_db
-db_user: automotive_db_u
+mysql_docker_tag: 9.7.0
+docker_mysql_hostname: web_db
+
+db_name: automotive_test_db
+db_user: automotive_test_db_u
 db_password:  "{{ automotive_mysql_user_password }}"
 db_root_password: "{{ automotive_mysql_root_password }}"
 
 
 #NGINX Docker 
+nginx_docker_tag: 1.31.1
 nginx_server_name: automotive.sse.cloud.isti.cnr.it
 ssl: true
 
+#WORDPRESS Docker
+wordpress_docker_tag: 7.0.0-php8.2-apache
+docker_wordpress_hostname: automotive_test
 
-# WORDPRESS
-wordpress_debug : true
-wordpress_debug_log: true
-
-
-#******* CERTBOT for letsencrypt
-certbot_create_method: standalone
+#CERTBOT for letsencrypt
+certbot_create_method: webroot
 certbot_create_if_missing: true
 certbot_admin_email: fabio.sinibaldi@isti.cnr.it
 
@@ -36,5 +35,5 @@ certbot_certs:
     - "{{ nginx_server_name }}"
 
 #Certbot verbose level
-certbot_create_extra_args: "-vvv"
+certbot_create_extra_args: "-vvv --force-renewal"
 certbot_testmode: false

ansible/inventories/sse-lab.yaml

@@ -0,0 +1,5 @@
+---
+sse:
+  children:
+    testing:
+      tester.sse.cloud.isti.cnr.it:

ansible/playbooks/docker_deploy_image.yaml

@@ -1,29 +0,0 @@
----
-- name: Create and run container
-  hosts: all
-  become : true
-  vars:
-    image_name: ubuntu
-    image_tag: latest
-    image_hostname: ubuntu
-    image_network:
-      - wp_net
-    image_volumes:
-      - "/usr/data/wp/wordpress/:/var/www"
-
-
-  tasks:
-  - name: Pull Image
-    docker_image:
-      name: "{{ image_name }}:{{ image_tag }}"
-      source: pull
-
-  - name: Create container with pulled image
-    docker_container:
-      name: "{{ image_name }}"
-      image: "{{ image_name }}"
-      networks:
-        - name: "{{ image_network }}"
-      hostname: "{{ image_hostname }}"
-      volumes: "{{image_volumes}}"
-      restart: true

ansible/playbooks/misc_tests.yaml

@@ -1,9 +0,0 @@
----
-- name: Misc tests
-  hosts: web
-
-  tasks:
-    - name: Using dict2items
-      ansible.builtin.debug:
-        msg: "{{ item.name }}"
-      loop: "{{ certbot_certs }}"

ansible/playbooks/roles/certbot/defaults/main.yaml

@@ -1 +1,19 @@
-certbot_with_dockered_nginx : True
+certbot_with_dockered_nginx : True
+
+#CERTBOT for letsencrypt
+certbot_create_method: webroot
+certbot_create_if_missing: true
+certbot_admin_email: fabio.sinibaldi@isti.cnr.it
+
+certbot_webroot: "{{ docker_base_volume_path }}/www"
+
+certbot_certs:
+  - name: "{{ ansible_hostname }}"
+    domains: 
+      - "{{ inventory_hostname }}"
+    webroot: "{{ docker_base_volume_path }}/{{ ansible_hostname }}"
+
+#Certbot verbose level
+certbot_create_extra_args: "-vvv --force-renewal"
+certbot_testmode: false
+

ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml

@@ -1,9 +1,18 @@
 ---
-# Stop NGINX
-- name: Stop NGINX 
+# Need to stop using port 80 for certbot webroot validation
+# Needed also if not first run 
+
+- name: Gathering NGINX container state
+  docker_container_info:
+    name: nginx
+  register: nginx_info
+
+- name: Stop NGINX if present
   docker_container:
     name: nginx
     state: stopped
+  when: 
+    - nginx_info.exists
 
 # Manage certbot
 
@@ -11,24 +20,23 @@
   include_role:
     name: geerlingguy.certbot
 
+# - name: Copy fullchain files to nginx volume
+#   ansible.builtin.copy:
+#     src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+#     #TODO nginx configuration is not multi domain
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+#     remote_src: true
+#     mode: '0644'
+#   loop: "{{ certbot_certs }}"
 
-- name: Copy fullchain files to nginx volume
-  ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-    #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-    remote_src: true
-    mode: '0644'
-  loop: "{{ certbot_certs }}"
-
-- name: Copy privkey files to nginx volume
-  ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
-    #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
-    remote_src: true
-    mode: '0644'
-  loop: "{{ certbot_certs }}"
+# - name: Copy privkey files to nginx volume
+#   ansible.builtin.copy:
+#     src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+#     #TODO nginx configuration is not multi domain
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+#     remote_src: true
+#     mode: '0644'
+#   loop: "{{ certbot_certs }}"
 
 
 - name: Setting up Docker NGINX renewal hooks 
@@ -40,7 +48,7 @@
     - pre
     - post
 
-- name: Removing systemctl hooks
+- name: Removing systemctl hooks (defined by geerlingguy)
   ansible.builtin.file:
     path: "{{ item }}"
     state: absent
@@ -48,7 +56,11 @@
     - "/etc/letsencrypt/renewal-hooks/pre/stop_services"
     - "/etc/letsencrypt/renewal-hooks/post/start_services"
 
-# Start NGINX
+
+# Installs dockered NGINX if needed and start it 
+
+- name: Installing NGINX
+  include_task: install_nginx.yaml
+
 - name: Start NGINX
-  docker_container:
-    name: nginx
+  include_task: start_nginx.yaml

ansible/playbooks/roles/certbot/tasks/install_nginx.yaml

@@ -7,12 +7,10 @@
 
 - name: Copy nginx.conf to server
   template:
-    src: templates/nginx.j2
+    src: "templates/nginx.conf.j2"
     dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf"
 
-
-- include_tasks: nginx_http.yml
-  when: ssl is false
-
-- include_tasks: nginx_https.yml
-  when: ssl is true
+- name: Pull Nginx image
+  docker_image:
+    name: "nginx:{{ nginx_docker_tag }}"
+    source: pull

ansible/playbooks/roles/certbot/tasks/start_nginx.yaml

@@ -7,11 +7,11 @@
       - "80:80"
       - "443:443"
     networks:
-      - name: "{{ docker_network_name }}"
+      - name: "{{ docker_nginx_network_name }}"
     hostname: "{{ docker_nginx_hostname }}"
     volumes:
-      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
+      - "{{ docker_base_volume_path }}/vaultwarden:/var/www/html"
       - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
       - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
-      - "{{ docker_base_volume_path }}/nginx/ssl:/etc/nginx/ssl/:ro"
-    restart: true
+      - "/etc/letsencrypt/live:/etc/nginx/ssl/:ro"
+    restart: true

ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-{% for item in certbot_certs %}
-cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
-cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
-{% endfor %}
+# {% for item in certbot_certs %}
+# cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
+# cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
+# {% endfor %}
 
 docker start nginx
 

ansible/playbooks/roles/certbot/templates/nginx.conf.j2

@@ -0,0 +1,34 @@
+{% for item in certbot_certs %}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ item.name }};
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ item.name }};
+
+    root   /var/www/html;
+    index  index.php;
+
+
+    ssl_certificate /etc/nginx/ssl/{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ item.name }}/privatekey.pem;
+
+    client_max_body_size 40M;
+
+
+    location / {
+        proxy_pass http://{{ docker_wordpress_hostname }}:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ansible/playbooks/roles/docker-certbot/tasks/main.yaml

@@ -8,11 +8,8 @@
   docker_container:
     name: certbot
     image: certbot/certbot
-    command: "certonly --standalone --non-interactive -v --dry-run -d {{ nginx_server_name}} --agree-tos -m {{ certbot_domain_mail }}"
     networks:
       - name: "{{ docker_network_name }}"
-    ports: 
-      - "81:80"
     hostname: certbot
     volumes:
       - "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt"

ansible/playbooks/roles/vaultwarden/defaults/main.yaml

@@ -0,0 +1,5 @@
+vaultwarden_docker_tag
+docker_vaultwarden_network_name
+docker_vaultwarden_hostname
+docker_base_volume_path
+

ansible/playbooks/roles/vaultwarden/tasks/install_certbot.yaml

@@ -0,0 +1,4 @@
+---
+- name: Instal and configure certbot
+  include_role:
+    name: geerlingguy.certbot

ansible/playbooks/roles/vaultwarden/tasks/main.yaml

@@ -0,0 +1,17 @@
+---
+- name: Pull Vaultwarden server image
+  docker_image:
+    name: "vaultwarden/server:{{ vaultwarden_docker_tag }}"
+    source: pull
+
+- name: Create container with Vaultwarden image
+  docker_container:
+    name: vaultwarden
+    image: vaultwarden
+    networks:
+      - name: "{{ docker_vaultwarden_network_name }}"
+    hostname: "{{ docker_vaultwarden_hostname }}"
+    ports:
+      - "80:"
+    volumes:
+      - "{{ docker_base_volume_path }}/vaultwarden:/data/"

ansible/playbooks/roles/wordpress-docker/defaults/main.yaml

@@ -1,27 +0,0 @@
----
-wordpress_docker_tag: latest
-nginx_docker_tag: latest
-mysql_docker_tag: latest
-
-docker_network_name: wordpress_network
-docker_wordpress_hostname: wordpress_host
-docker_nginx_hostname: nginx_host
-docker_mysql_hostname: mysql_host
-
-docker_base_volume_path: /home/wordpress_docker
-
-
-nginx_server_name: default_server
-ssl: false
-
-db_name: wordpress_database
-db_user: wordpress_user
-db_password: wordpress_password
-db_root_password: wordpress_rootpassword
-
-wordpress_debug : false
-wordpress_debug_log: false
-
-
-
-

ansible/playbooks/roles/wordpress-docker/tasks/main.yml

@@ -1,57 +0,0 @@
----
-- name: Pull docker images
-  docker_image:
-    name: "{{ item.name }}"
-    tag: "{{ item.tag }}"
-    source: pull
-  loop:
-    - name : wordpress
-      tag: "{{ wordpress_docker_tag }}"
-    - name: mysql
-      tag : "{{ mysql_docker_tag }}"
-    - name: nginx
-      tag : "{{ nginx_docker_tag }}"
-    
-
-- name: Create docker network
-  docker_network:
-    name: "{{ docker_network_name }}"
-    state: present
-
-
-- name: Create container with mysql image
-  docker_container:
-    name: mysql
-    image: mysql
-    networks:
-      - name: "{{ docker_network_name }}"
-    hostname: "{{ docker_mysql_hostname }}"
-    env:
-      MYSQL_DATABASE: "{{ db_name }}"
-      MYSQL_USER: "{{ db_user }}"
-      MYSQL_PASSWORD: "{{ db_password }}"
-      MYSQL_ROOT_PASSWORD: "{{ db_root_password }}"
-    volumes:
-      - "{{ docker_base_volume_path }}/temp_db_data:/var/tmp"
-
-
-- name: Create container with Wordpress image
-  docker_container:
-    name: wordpress
-    image: wordpress
-    networks:
-      - name: "{{ docker_network_name }}"
-    hostname: "{{ docker_wordpress_hostname }}"
-    env:
-      WORDPRESS_DB_HOST: "{{ docker_mysql_hostname }}"
-      WORDPRESS_DB_NAME: "{{ db_name }}"
-      WORDPRESS_DB_USER: "{{ db_user }}"
-      WORDPRESS_DB_PASSWORD: "{{ db_password }}"
-      WORDPRESS_DEBUG: " {{ wordpress_debug }} "
-      WORDPRESS_DEBUG_LOG: " {{ wordpress_debug_log }} "
-    volumes:
-      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
-    restart: true
-
-- include_tasks: nginx.yaml
-  when: ssl is true

ansible/playbooks/roles/wordpress-docker/tasks/nginx_http.yml

@@ -1,15 +0,0 @@
----
-- name: Start Nginx Container (HTTP)
-  docker_container:
-    name: nginx
-    image: nginx
-    ports:
-      - "80:80"
-    networks:
-      - name: "{{ docker_network_name }}"
-    hostname: "{{ docker_nginx_hostname }}"
-    volumes:
-      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
-      - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
-      - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
-    restart: true

ansible/playbooks/templates/nginx.j2

@@ -15,22 +15,13 @@ server {
     root   /var/www/html;
     index  index.php;
 
-    # Needed to upload backups 
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
 
     client_max_body_size 40M;
 
 
-    # Try to support website restore plugin 
-
-    proxy_read_timeout 600s;
-    keepalive_timeout 600s;
-
-
-
-     ssl_certificate /etc/nginx/ssl/fullchain.pem;
-    ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
-
-
     location / {
         proxy_pass http://{{ docker_wordpress_hostname }}:80;
         proxy_set_header Host $host;
@@ -38,5 +29,4 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }
-
 }

ansible/playbooks/vaultwarden.yaml

@@ -0,0 +1,14 @@
+---
+- name: Install and configure Vaultwarden
+  hosts: web
+  become : True
+
+  roles:
+    - geerlingguy.docker
+    - vaultwarden
+
+  tasks:
+    - name: Install certbot and nginx
+      include_task: nginx_http.yaml
+      when:
+        - vaultwarden_with_nginx_https.yaml

ansible/playbooks/wordpress.yaml

@@ -2,9 +2,12 @@
 - name: Install and configure Wordpress
   hosts: web
   become : True
-  
+  collections:
+    - chrissayon.wordpress_docker
 
   roles:
     - geerlingguy.docker
-    - wordpress-docker
+    - chrissayon.wordpress_docker.network
+    - chrissayon.wordpress_docker.mysql
+    - chrissayon.wordpress_docker.wordpress
     - certbot