diff --git a/ansible/inventories/automotive.yaml b/ansible/inventories/automotive.yaml index d9f0b93..9d0b4e5 100644 --- a/ansible/inventories/automotive.yaml +++ b/ansible/inventories/automotive.yaml @@ -4,5 +4,4 @@ automotive: web: hosts: automotive.sse.cloud.isti.cnr.it: - ansible_host: 146.48.29.251 #automotive2.sse.cloud.isti.cnr.it: \ No newline at end of file diff --git a/ansible/inventories/group_vars/automotive/automotive.yaml b/ansible/inventories/group_vars/automotive/automotive.yaml index 329f01c..bcd90cd 100644 --- a/ansible/inventories/group_vars/automotive/automotive.yaml +++ b/ansible/inventories/group_vars/automotive/automotive.yaml @@ -1,30 +1,31 @@ --- -#Common Docker -docker_network_name: wp_net +# Docker +wordpress_docker_tag: 7.0.0-php8.2-apache +mysql_docker_tag: 9.7.0 +nginx_docker_tag: 1.31.1 + docker_base_volume_path: /usr/data/wp # MYSQL Docker -mysql_docker_tag: 9.7.0 -docker_mysql_hostname: web_db - -db_name: automotive_test_db -db_user: automotive_test_db_u +db_name: automotive_db +db_user: automotive_db_u db_password: "{{ automotive_mysql_user_password }}" db_root_password: "{{ automotive_mysql_root_password }}" #NGINX Docker -nginx_docker_tag: 1.31.1 nginx_server_name: automotive.sse.cloud.isti.cnr.it ssl: true -#WORDPRESS Docker -wordpress_docker_tag: 7.0.0-php8.2-apache -docker_wordpress_hostname: automotive_test -#CERTBOT for letsencrypt -certbot_create_method: webroot +# WORDPRESS +wordpress_debug : true +wordpress_debug_log: true + + +#******* CERTBOT for letsencrypt +certbot_create_method: standalone certbot_create_if_missing: true certbot_admin_email: fabio.sinibaldi@isti.cnr.it @@ -35,5 +36,5 @@ certbot_certs: - "{{ nginx_server_name }}" #Certbot verbose level -certbot_create_extra_args: "-v" +certbot_create_extra_args: "-vvv" certbot_testmode: false \ No newline at end of file diff --git a/ansible/playbooks/docker_deploy_image.yaml b/ansible/playbooks/docker_deploy_image.yaml new file mode 100644 index 0000000..c8366b8 
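Review bot: `wordpress_debug : true` and `wordpress_debug_log: true` switch WP_DEBUG on for an inventory whose `nginx_server_name` is the public FQDN `automotive.sse.cloud.isti.cnr.it`; with WP_DEBUG enabled, PHP notices and warnings (file paths, sometimes query text) are rendered into responses unless display is disabled separately, and WordPress's default `debug.log` is, as far as I recall, written under `wp-content`, which this deployment serves from the nginx docroot. Keep both at the role default `false` for this host, or if the output is needed temporarily, also set `WP_DEBUG_DISPLAY` to false via `WORDPRESS_CONFIG_EXTRA` and revert before the next deploy. Removing `docker_network_name: wp_net` here means the group falls back to the role default (`wordpress_network`), while `docker_deploy_image.yaml` in this same commit still hardcodes `wp_net`; confirm that is intended. Style: drop the space before the colon, `wordpress_debug: true`, to match the other keys.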
--- /dev/null +++ b/ansible/playbooks/docker_deploy_image.yaml @@ -0,0 +1,29 @@ +--- +- name: Create and run container + hosts: all + become : true + vars: + image_name: ubuntu + image_tag: latest + image_hostname: ubuntu + image_network: + - wp_net + image_volumes: + - "/usr/data/wp/wordpress/:/var/www" + + + tasks: + - name: Pull Image + docker_image: + name: "{{ image_name }}:{{ image_tag }}" + source: pull + + - name: Create container with pulled image + docker_container: + name: "{{ image_name }}" + image: "{{ image_name }}" + networks: + - name: "{{ image_network }}" + hostname: "{{ image_hostname }}" + volumes: "{{image_volumes}}" + restart: true \ No newline at end of file diff --git a/ansible/playbooks/misc_tests.yaml b/ansible/playbooks/misc_tests.yaml new file mode 100644 index 0000000..69c578c --- /dev/null +++ b/ansible/playbooks/misc_tests.yaml @@ -0,0 +1,9 @@ +--- +- name: Misc tests + hosts: web + + tasks: + - name: Using dict2items + ansible.builtin.debug: + msg: "{{ item.name }}" + loop: "{{ certbot_certs }}" \ No newline at end of file diff --git a/ansible/playbooks/roles/certbot/defaults/main.yaml b/ansible/playbooks/roles/certbot/defaults/main.yaml new file mode 100644 index 0000000..fdfde23 --- /dev/null +++ b/ansible/playbooks/roles/certbot/defaults/main.yaml @@ -0,0 +1 @@ +certbot_with_dockered_nginx : True \ No newline at end of file diff --git a/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml new file mode 100644 index 0000000..338feaa --- /dev/null +++ b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml 
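Review bot: `image: "{{ image_name }}"` in the create task drops the tag, so whatever `image_tag` is set to, the container is started from `ubuntu:latest` (pulled again if the tagged pull did not bring it), which defeats the tagged pull just above; use `image: "{{ image_name }}:{{ image_tag }}"`. `networks: - name: "{{ image_network }}"` passes the whole `image_network` list as a single network name; either make `image_network` a scalar (`image_network: wp_net`) or build the list of `{name: ...}` entries from it. This is also a utility playbook that bind-mounts the live WordPress docroot read-write into an arbitrary image on `hosts: all` with `become: true`; scope it to `web` and consider `/usr/data/wp/wordpress/:/var/www:ro` unless the tool it runs genuinely needs to write there.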
@@ -0,0 +1,54 @@ +--- +# Stop NGINX +- name: Stop NGINX + docker_container: + name: nginx + state: stopped + +# Manage certbot + +- name: Instal and configure certbot + include_role: + name: geerlingguy.certbot + + +- name: Copy fullchain files to nginx volume + ansible.builtin.copy: + src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem" + #TODO nginx configuration is not multi domain + dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem" + remote_src: true + mode: '0644' + loop: "{{ certbot_certs }}" + +- name: Copy privkey files to nginx volume + ansible.builtin.copy: + src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem" + #TODO nginx configuration is not multi domain + dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem" + remote_src: true + mode: '0644' + loop: "{{ certbot_certs }}" + + +- name: Setting up Docker NGINX renewal hooks + template: + src: "docker_nginx_{{ item }}.j2" + dest: "/etc/letsencrypt/renewal-hooks/{{ item }}/docker_nginx_{{ item }}.sh" + mode: '0744' + loop: + - pre + - post + +- name: Removing systemctl hooks + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "/etc/letsencrypt/renewal-hooks/pre/stop_services" + - "/etc/letsencrypt/renewal-hooks/post/start_services" + +# Start NGINX +- name: Start NGINX + docker_container: + name: nginx diff --git a/ansible/playbooks/roles/certbot/tasks/main.yaml b/ansible/playbooks/roles/certbot/tasks/main.yaml new file mode 100644 index 0000000..882be34 --- /dev/null +++ b/ansible/playbooks/roles/certbot/tasks/main.yaml @@ -0,0 +1,3 @@ +--- +- include_tasks: certbot_with_dockered_nginx.yaml + when: certbot_with_dockered_nginx \ No newline at end of file diff --git a/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 new file mode 100644 index 0000000..1721fab --- /dev/null +++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 
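Review bot: `mode: '0644'` on the `Copy privkey files to nginx volume` task makes the TLS private key world-readable at `{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem`, whereas certbot deliberately keeps `/etc/letsencrypt/live/<name>/privkey.pem` root-only; any local user, or any container that gets this path mounted, can then impersonate the site. Use `mode: '0600'` and `owner: root` for the key copy — as far as I know the nginx master process that loads the key runs as root in the official image, so it still reads it — and keep `0644` only for fullchain.pem. Both loops also write every `certbot_certs` entry to the same two destination files, so only the last certificate in the list survives, as the `#TODO` admits; an `ansible.builtin.assert` that `certbot_certs | length == 1` would make that failure loud instead of silent.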
@@ -0,0 +1,10 @@ +#!/bin/sh + +{% for item in certbot_certs %} +cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem +cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem +{% endfor %} + +docker start nginx + +docker ps diff --git a/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 b/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 new file mode 100644 index 0000000..7a6498a --- /dev/null +++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 @@ -0,0 +1,5 @@ +#!/bin/sh +docker stop nginx + +docker ps + diff --git a/ansible/playbooks/roles/docker-certbot/tasks/main.yaml b/ansible/playbooks/roles/docker-certbot/tasks/main.yaml index 9cfcef1..da6fe2a 100644 --- a/ansible/playbooks/roles/docker-certbot/tasks/main.yaml +++ b/ansible/playbooks/roles/docker-certbot/tasks/main.yaml @@ -8,8 +8,11 @@ docker_container: name: certbot image: certbot/certbot + command: "certonly --standalone --non-interactive -v --dry-run -d {{ nginx_server_name}} --agree-tos -m {{ certbot_domain_mail }}" networks: - name: "{{ docker_network_name }}" + ports: + - "81:80" hostname: certbot volumes: - "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt" diff --git a/ansible/playbooks/roles/wordpress-docker/defaults/main.yaml b/ansible/playbooks/roles/wordpress-docker/defaults/main.yaml new file mode 100644 index 0000000..bed1ce6 --- /dev/null +++ b/ansible/playbooks/roles/wordpress-docker/defaults/main.yaml 
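Review bot: the post hook writes the renewed key to `{{ docker_base_volume_path }}/nginx/ssl/private.pem`, but the Ansible copy task and the nginx template in this same commit use `privatekey.pem` (`ssl_certificate_key /etc/nginx/ssl/privatekey.pem`), so after the first automatic renewal nginx is started with the new fullchain.pem and the old key and TLS handshakes fail until the playbook is re-run; rename the destination to `privatekey.pem`. The script has no `set -eu`, so a failed `cp` still falls through to `docker start nginx`; add `set -eu` after the shebang. `cp` onto a missing destination takes the umask rather than the source mode, so prefer `install -m 0600` for the key copy so the hook does not leave a world-readable key behind.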
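Review bot: the added `command:` keeps `--dry-run`, which only exercises the staging endpoint and writes no certificate, so this task as committed can never produce a usable cert for `nginx_server_name`; and `ports: "81:80"` publishes the standalone HTTP-01 responder on host port 81 while the CA fetches the challenge from port 80 of the host, so validation fails unless something else on the host forwards 80 to 81 (nothing in this commit does). Either publish `"80:80"` and stop nginx around the run, as the new `certbot` role does, or switch to `--webroot -w` on the shared WordPress volume and leave nginx up. Drop `--dry-run` once the flow is verified, and add the missing space in `{{ nginx_server_name}}`. The enclosing `docker_container` task starts before this hunk.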
@@ -0,0 +1,27 @@ +--- +wordpress_docker_tag: latest +nginx_docker_tag: latest +mysql_docker_tag: latest + +docker_network_name: wordpress_network +docker_wordpress_hostname: wordpress_host +docker_nginx_hostname: nginx_host +docker_mysql_hostname: mysql_host + +docker_base_volume_path: /home/wordpress_docker + + +nginx_server_name: default_server +ssl: false + +db_name: wordpress_database +db_user: wordpress_user +db_password: wordpress_password +db_root_password: wordpress_rootpassword + +wordpress_debug : false +wordpress_debug_log: false + + + + diff --git a/ansible/playbooks/roles/wordpress-docker/tasks/main.yml b/ansible/playbooks/roles/wordpress-docker/tasks/main.yml new file mode 100644 index 0000000..6249824 --- /dev/null +++ b/ansible/playbooks/roles/wordpress-docker/tasks/main.yml 
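Review bot: `db_password: wordpress_password` and `db_root_password: wordpress_rootpassword` are role defaults, so any inventory that does not override them (the `automotive` group does, via vaulted variables) silently deploys MySQL with root and application credentials that are committed to this repository. Remove the two defaults and fail fast instead, e.g. an `ansible.builtin.assert` at the top of `tasks/main.yml` that both are defined and non-empty, or on Ansible 2.12+ `db_password: "{{ undef(hint='set db_password in group_vars') }}"`. The three `*_docker_tag: latest` defaults also mean an un-overridden deploy floats to whatever the registry serves that day; pin a version (or a digest) here as the inventory already does. Style: `wordpress_debug : false` has a space before the colon.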
@@ -0,0 +1,57 @@ +--- +- name: Pull docker images + docker_image: + name: "{{ item.name }}" + tag: "{{ item.tag }}" + source: pull + loop: + - name : wordpress + tag: "{{ wordpress_docker_tag }}" + - name: mysql + tag : "{{ mysql_docker_tag }}" + - name: nginx + tag : "{{ nginx_docker_tag }}" + + +- name: Create docker network + docker_network: + name: "{{ docker_network_name }}" + state: present + + +- name: Create container with mysql image + docker_container: + name: mysql + image: mysql + networks: + - name: "{{ docker_network_name }}" + hostname: "{{ docker_mysql_hostname }}" + env: + MYSQL_DATABASE: "{{ db_name }}" + MYSQL_USER: "{{ db_user }}" + MYSQL_PASSWORD: "{{ db_password }}" + MYSQL_ROOT_PASSWORD: "{{ db_root_password }}" + volumes: + - "{{ docker_base_volume_path }}/temp_db_data:/var/tmp" + + +- name: Create container with Wordpress image + docker_container: + name: wordpress + image: wordpress + networks: + - name: "{{ docker_network_name }}" + hostname: "{{ docker_wordpress_hostname }}" + env: + WORDPRESS_DB_HOST: "{{ docker_mysql_hostname }}" + WORDPRESS_DB_NAME: "{{ db_name }}" + WORDPRESS_DB_USER: "{{ db_user }}" + WORDPRESS_DB_PASSWORD: "{{ db_password }}" + WORDPRESS_DEBUG: " {{ wordpress_debug }} " + WORDPRESS_DEBUG_LOG: " {{ wordpress_debug_log }} " + volumes: + - "{{ docker_base_volume_path }}/wordpress:/var/www/html" + restart: true + +- include_tasks: nginx.yaml + when: ssl is true diff --git a/ansible/playbooks/roles/wordpress-docker/tasks/nginx.yaml b/ansible/playbooks/roles/wordpress-docker/tasks/nginx.yaml new file mode 100644 index 0000000..4780a08 --- /dev/null +++ b/ansible/playbooks/roles/wordpress-docker/tasks/nginx.yaml 
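Review bot: the pull task honours `wordpress_docker_tag`, `mysql_docker_tag` and `nginx_docker_tag`, but the two container tasks run `image: mysql` and `image: wordpress`, which Docker resolves to `:latest`; the inventory's `mysql_docker_tag: 9.7.0` is therefore pulled and ignored and the running versions float with the registry. Use `image: "mysql:{{ mysql_docker_tag }}"` and `image: "wordpress:{{ wordpress_docker_tag }}"`. The MySQL volume `temp_db_data:/var/tmp` does not cover the server's data directory, so database contents live in the container's writable layer and are lost whenever the container is recreated; presumably `/var/lib/mysql` was meant. `WORDPRESS_DEBUG: " {{ wordpress_debug }} "` pads the value with spaces so it is never empty — as far as I know the official image enables WP_DEBUG on any non-empty value, which would make `wordpress_debug: false` ineffective; pass `"{{ wordpress_debug | ternary('1', '') }}"` instead, and likewise for `WORDPRESS_DEBUG_LOG`.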
@@ -0,0 +1,18 @@ +--- +- name: Create conf folder to put nginx folder + ansible.builtin.file: + path: "{{ docker_base_volume_path }}/nginx/conf" + state: directory + mode: "0755" + +- name: Copy nginx.conf to server + template: + src: templates/nginx.j2 + dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf" + + +- include_tasks: nginx_http.yml + when: ssl is false + +- include_tasks: nginx_https.yml + when: ssl is true diff --git a/ansible/playbooks/roles/wordpress-docker/tasks/nginx_http.yml b/ansible/playbooks/roles/wordpress-docker/tasks/nginx_http.yml new file mode 100644 index 0000000..d55acab --- /dev/null +++ b/ansible/playbooks/roles/wordpress-docker/tasks/nginx_http.yml @@ -0,0 +1,15 @@ +--- +- name: Start Nginx Container (HTTP) + docker_container: + name: nginx + image: nginx + ports: + - "80:80" + networks: + - name: "{{ docker_network_name }}" + hostname: "{{ docker_nginx_hostname }}" + volumes: + - "{{ docker_base_volume_path }}/wordpress:/var/www/html" + - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d" + - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx" + restart: true diff --git a/ansible/playbooks/roles/wordpress-docker/tasks/nginx_https.yml b/ansible/playbooks/roles/wordpress-docker/tasks/nginx_https.yml new file mode 100644 index 0000000..72f2a7d --- /dev/null +++ b/ansible/playbooks/roles/wordpress-docker/tasks/nginx_https.yml @@ -0,0 +1,17 @@ +--- +- name: Start Nginx Container (HTTPS) + docker_container: + name: nginx + image: nginx + ports: + - "80:80" + - "443:443" + networks: + - name: "{{ docker_network_name }}" + hostname: "{{ docker_nginx_hostname }}" + volumes: + - "{{ docker_base_volume_path }}/wordpress:/var/www/html" + - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d" + - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx" + - "{{ docker_base_volume_path }}/nginx/ssl:/etc/nginx/ssl/:ro" + restart: true 
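Review bot: `include_tasks: nginx_http.yml` guarded by `when: ssl is false` is unreachable, because `tasks/main.yml` in this commit includes `nginx.yaml` only `when: ssl is true`; with `ssl: false` no nginx container is created at all, and the template task always renders `templates/nginx.j2` (the TLS server block) even though `nginx.j2_http` exists for the plain-HTTP case. Move the `ssl` test off the include in `main.yml` so `nginx.yaml` always runs, and pick the template here, e.g. `src: "{{ ssl | ternary('templates/nginx.j2', 'templates/nginx.j2_http') }}"`. The rendered config is also written without a `mode:`, so it inherits the remote umask; `mode: '0644'` makes that explicit.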
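Review bot: `image: nginx` ignores `nginx_docker_tag` (pulled one task earlier), so the reverse proxy runs `:latest` rather than the pinned `1.31.1`; use `image: "nginx:{{ nginx_docker_tag }}"`. The WordPress docroot is bind-mounted read-write into nginx although, as far as the visible template shows, nginx only proxies requests to the `wordpress` container and writes nothing there; mount it `:ro` (`"{{ docker_base_volume_path }}/wordpress:/var/www/html:ro"`) so a compromised proxy cannot alter PHP files, matching what the `ssl` mount already does.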
diff --git a/ansible/playbooks/templates/nginx.j2 b/ansible/playbooks/roles/wordpress-docker/templates/nginx.j2 similarity index 73% rename from ansible/playbooks/templates/nginx.j2 rename to ansible/playbooks/roles/wordpress-docker/templates/nginx.j2 index fce58f5..e067326 100644 --- a/ansible/playbooks/templates/nginx.j2 +++ b/ansible/playbooks/roles/wordpress-docker/templates/nginx.j2 @@ -15,9 +15,21 @@ server { root /var/www/html; index index.php; - ssl_certificate /etc/nginx/ssl/fullchain.pem; + # Needed to upload backups + + client_max_body_size 40M; + + + # Try to support website restore plugin + + proxy_read_timeout 600s; + keepalive_timeout 600s; + + + + ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privatekey.pem; - {# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #} + location / { proxy_pass http://{{ docker_wordpress_hostname }}:80; @@ -26,4 +38,5 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } + } \ No newline at end of file diff --git a/ansible/playbooks/templates/nginx.j2_http b/ansible/playbooks/roles/wordpress-docker/templates/nginx.j2_http similarity index 92% rename from ansible/playbooks/templates/nginx.j2_http rename to ansible/playbooks/roles/wordpress-docker/templates/nginx.j2_http index a5d6645..5e15a28 100644 --- a/ansible/playbooks/templates/nginx.j2_http +++ b/ansible/playbooks/roles/wordpress-docker/templates/nginx.j2_http @@ -3,6 +3,9 @@ server { listen [::]:80; server_name {{ nginx_server_name }}; + client_max_body_size 40M; + + root /var/www/html; index index.php; diff --git a/ansible/playbooks/wordpress.yaml b/ansible/playbooks/wordpress.yaml index bddf1b4..a4604f8 100644 --- a/ansible/playbooks/wordpress.yaml +++ b/ansible/playbooks/wordpress.yaml 
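Review bot: `keepalive_timeout 600s` holds every idle client connection open for ten minutes on an internet-facing listener, which lets a handful of slow or idle clients pin worker connection slots far longer than the default 75s allows; the restore-plugin case the comment describes is about waiting on the upstream, which `proxy_read_timeout 600s` already covers (add `proxy_send_timeout 600s` if uploads stall too). Drop the `keepalive_timeout` override, or cap it near the default and rely on the proxy timeouts. The `server {` block begins before this hunk, so I cannot see whether `ssl_protocols`/`ssl_ciphers` are set; if they are not, at least `ssl_protocols TLSv1.2 TLSv1.3;` belongs next to the `ssl_certificate` lines.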
@@ -2,61 +2,9 @@ - name: Install and configure Wordpress hosts: web become : True - collections: - - chrissayon.wordpress_docker + roles: - geerlingguy.docker - - chrissayon.wordpress_docker.network - - chrissayon.wordpress_docker.mysql - - chrissayon.wordpress_docker.wordpress - - - tasks: - # Need to stop using port 80 for certbot webroot validation - - name: Gathering NGINX container state - docker_container_info: - name: nginx - register: nginx_info - - - name: Stop NGINX if present - docker_container: - name: nginx - state: stopped - when: - - nginx_info.exists - - # Manage certbot - - - name: Install / configure certbot - include_role: - name: geerlingguy.certbot - - # Copy certificates - # configured volume for ssl is - # "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro" - - - name: Copy fullchain files to nginx volume - ansible.builtin.copy: - src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem" - #TODO nginx configuration is not multi domain - dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem" - remote_src: true - mode: '0644' - loop: "{{ certbot_certs }}" - - - name: Copy privkey files to nginx volume - ansible.builtin.copy: - src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem" - #TODO nginx configuration is not multi domain - dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem" - remote_src: true - mode: '0644' - loop: "{{ certbot_certs }}" - - - # Restart NGINX - - - name: (Re)start NGINX - include_role: - name: chrissayon.wordpress_docker.nginx + - wordpress-docker + - certbot \ No newline at end of file
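Review bot: `- certbot` now runs unconditionally after `wordpress-docker`, but that role creates the nginx container only when `ssl` is true, so with `ssl: false` the certbot role's first task (`docker_container: name: nginx state: stopped`, with no `image:`) acts on a container that does not exist and, as far as I can tell, errors because the module cannot create the container it is asked to assert present — the removed `docker_container_info` / `when: nginx_info.exists` guard covered exactly that. Gate the role on the same flag, `- role: certbot` followed by `when: ssl | bool`, or restore the existence check inside the role. Style: `become : True` → `become: true`.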