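#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
#
# Provisions web1.desu.ltd: S3 backup set, Let's Encrypt certificate, PHP-FPM,
# Apache (HTTP->HTTPS redirects, TLS vhosts, Gitea reverse proxy), checked-out
# site repositories, Nextcloud and Gitea.
#
# Every credential is referenced as a `secret_*` variable and must be supplied
# from outside this file (vault / extra vars); none is stored here.
# Booleans are written as true/false (yamllint `truthy`); under Ansible's
# YAML 1.1 loader this is identical to the yes/no spelling.
---
- hosts: web1.desu.ltd
  roles:
    # Extra paths included in the S3 backup: Gitea state, the Nextcloud
    # web root, 9iron uploads and the shared data directory under /srv.
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /var/lib/gitea
          - /var/www/nc.desu.ltd
          - /var/www/www.9iron.club/files
          - /srv/desu.ltd
      become: true
      tags: [backup]

    # One certificate covering every name served below, issued with the
    # standalone authenticator; apache2 is stopped while the challenge runs
    # so the authenticator can bind port 80.
    - role: certbot
      vars:
        certbot_admin_email: rehashedsalt@cock.li
        certbot_create_if_missing: true
        certbot_create_method: standalone
        certbot_create_standalone_stop_services:
          - apache2
        certbot_certs:
          - domains:
              - desu.ltd
              - git.desu.ltd
              - nc.desu.ltd
              - web1.desu.ltd
              - 9iron.club
              - www.9iron.club
              - otwstudios.org
              # NOTE(review): www.otwstudios.org gets a TLS vhost further
              # down but is not in this SAN list, so browsers would see a
              # name mismatch — confirm it is covered or add it here.
      become: true
      tags: [web, certbot]

    # PHP runs as PHP-FPM; Apache hands .php requests to it over FastCGI
    # (see proxy_fcgi / SetHandler below), which is why the Apache role
    # disables the in-process php7.4 module.
    - role: php
      vars:
        php_enable_php_fpm: true
        php_memory_limit: 512M
        php_packages_extra:
          - libapache2-mod-php
          - php-zip  # For Nextcloud
          - php-intl
          - php-imagick
          - php-redis
          - php-bcmath
          - php-gmp
          - php-pgsql  # For general DB stuff
        # Nextcloud recommended opcache settings
        php_opcache_max_accelerated_files: 10000
        php_opcache_memory_consumption: 128
        php_opcache_revalidate_freq: 2
      become: true
      tags: [web, php]

    - role: apache
      vars:
        apache_remove_default_vhost: true
        apache_packages_state: latest
        # mpm_worker + proxy_fcgi replace the prefork/mod_php pair.
        apache_mods_enabled:
          - headers.load
          - http2.load
          - mpm_worker.load
          - proxy.load
          - proxy_fcgi.load
          - proxy_http.load
          - rewrite.load
          - ssl.load
        apache_mods_disabled:
          - mpm_prefork.load
          - php7.4.load
        # Applied to every vhost. NOTE(review): an unscoped SetHandler would
        # route every request (static files included) to PHP-FPM; it is
        # presumably wrapped in a <FilesMatch "\.php$"> block in the real file
        # that did not survive extraction — confirm against the rendered
        # Apache config.
        apache_global_vhost_settings: |
          DirectoryIndex index.php index.html
          Protocols h2 http/1.1
          SetHandler "proxy:fcgi://127.0.0.1:9000"
        # Plain-HTTP vhosts only redirect to their HTTPS counterpart.
        apache_vhosts:
          # desu.ltd
          - servername: nc.desu.ltd
            extra_parameters: |
              Redirect permanent / https://nc.desu.ltd/
          - servername: desu.ltd
            extra_parameters: |
              Redirect permanent / https://desu.ltd/
          - servername: git.desu.ltd
            extra_parameters: |
              Redirect permanent / https://git.desu.ltd/
          # 9iron.club
          - servername: 9iron.club
            extra_parameters: |
              Redirect permanent / https://www.9iron.club/
          - servername: www.9iron.club
            extra_parameters: |
              Redirect permanent / https://www.9iron.club/
        # All TLS vhosts share the single desu.ltd certificate issued above.
        # NOTE(review): only nc.desu.ltd sends Strict-Transport-Security;
        # the other TLS hosts redirect to HTTPS but do not pin it. Consider
        # the same header on each of them.
        apache_vhosts_ssl:
          # desu.ltd
          - servername: nc.desu.ltd
            extra_parameters: |
              Header always set Strict-Transport-Security "max-age=31536000"
            documentroot: /var/www/nc.desu.ltd
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          - servername: desu.ltd
            documentroot: /var/www/desu.ltd
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          # Reverse proxy to Gitea on loopback; ProxyRequests Off keeps this
          # a reverse proxy only, ProxyPreserveHost forwards the original
          # Host header so Gitea builds correct URLs, and nocanon passes the
          # request path through without Apache's URL normalisation.
          - servername: git.desu.ltd
            extra_parameters: |
              ProxyPreserveHost On
              ProxyRequests Off
              ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          # 9iron.club
          - servername: 9iron.club
            extra_parameters: |
              Redirect permanent / https://www.9iron.club/
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          - servername: www.9iron.club
            documentroot: /var/www/www.9iron.club
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          # otwstudios.org
          - servername: otwstudios.org
            extra_parameters: |
              Redirect permanent / https://www.otwstudios.org/
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
          - servername: www.otwstudios.org
            documentroot: /var/www/www.otwstudios.org
            certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
      become: true
      tags: [web, apache]

    # Site content and Gitea customisations are checked out from the local
    # Gitea instance into the document roots defined above.
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/desultd
            dest: /var/www/desu.ltd
          - repo: https://git.desu.ltd/salt/9iron
            dest: /var/www/www.9iron.club
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /usr/local/bin/custom
      become: true
      tags: [web, git]

    - role: nextcloud
      vars:
        nextcloud_installation_dir: /var/www/nc.desu.ltd
        nextcloud_data_dir: /srv/desu.ltd/nc
        # NOTE(review): "admin" is the predictable default account name;
        # the password comes from the vault, but a non-default name would
        # reduce exposure to credential guessing.
        nextcloud_admin_user: admin
        nextcloud_admin_pass: "{{ secret_nextcloud_admin_pass }}"
        nextcloud_version: 19
        nextcloud_urls:
          - http://nc.desu.ltd:80
          - https://nc.desu.ltd:443
        nextcloud_config:
          system:
            # trusted_domains is derived from the hostnames in
            # nextcloud_urls so the two lists cannot drift apart.
            trusted_domains: "{{ nextcloud_urls | map('urlsplit', 'hostname') | list }}"
        # PostgreSQL on the internal network; credentials from the vault.
        nextcloud_database:
          backend: pgsql
          name: nextcloud-desultd
          user: nextcloud-desultd
          pass: "{{ secret_nextcloud_db_pass }}"
          host: "192.168.164.156"
          port: 5432
      become: true
      tags: [web, nextcloud]

    - role: gitea
      vars:
        # Look and feel
        gitea_app_name: "Git Desu"
        # Core config
        gitea_db_type: postgres
        # Quoted: host:port strings must never be reinterpreted by the
        # YAML loader.
        gitea_db_host: "192.168.164.156:5432"
        gitea_db_name: gitea-desultd
        gitea_db_user: gitea-desultd
        gitea_db_password: "{{ secret_gitea_db_pass }}"
        gitea_http_domain: git.desu.ltd
        gitea_oauth2_enabled: false
        gitea_repository_root: /srv/desu.ltd/git
        # Sign-in is not required to view; presumably this maps to Gitea's
        # REQUIRE_SIGNIN_VIEW — confirm if the instance should be private.
        gitea_require_signin: false
        gitea_root_url: https://git.desu.ltd
        gitea_shell: "/bin/bash"
        gitea_ssh_domain: git.desu.ltd
        # Built-in SSH server is off and the SSH port is 22, so git-over-SSH
        # is served by the system sshd for the `git` user.
        gitea_ssh_port: 22
        gitea_start_ssh: false
        gitea_user: git
      become: true
      tags: [web, gitea]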