
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
- hosts: web1.desu.ltd
  # Defaults inherited by every docker_container task in this play,
  # including the ones pulled in via include_tasks below.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  # Ansible always executes `roles:` before `tasks:` regardless of key
  # order, so these run ahead of the docker/ingress tasks below.
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
          - /var/www/nc.desu.ltd
          - /var/www/srv.9iron.club
          - /srv/desu.ltd
        backup_s3backup_exclude_list_extra:
          - /var/lib/gitea/log
          - /data/gitea/data/gitea/log
      tags: [backup]
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
      tags: [web, git]
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    # TLS terminates here; every vhost reuses the desu.ltd certificate
    # (presumably it carries the 9iron.club names as SANs — confirm) and
    # proxies plain HTTP to a container on the `web` network. Backends
    # only receive Host and X-Real-IP; apps that build absolute URLs need
    # their own base-URL setting — TODO confirm per app.
    # NOTE(review): only the nc.desu.ltd vhost sends an HSTS header, and
    # its nested `location ^~ /.well-known` matches every remaining path,
    # so the `try_files` after it looks unreachable — confirm intended.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Owner/group-only access; the nginx process must run as a user
        # that can still read it — verify against the container image.
        mode: "0750"
        content: |
          server {
              listen 443 ssl default_server;
              server_name desu.ltd;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://desultd:80;
              }
          }
          server {
              listen 443 ssl;
              server_name www.9iron.club;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              return 301 $scheme://9iron.club$request_uri;
          }
          server {
              listen 443 ssl;
              server_name 9iron.club;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://9iron:80;
              }
          }
          server {
              listen 443 ssl;
              server_name git.desu.ltd;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://gitea:3000;
              }
          }
          server {
              listen 443 ssl;
              server_name nc.desu.ltd;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              add_header Strict-Transport-Security "max-age=31536000";
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://nextcloud:80;
              }
              location ^~ /.well-known {
                  location = /.well-known/carddav { return 301 /remote.php/dav/; }
                  location = /.well-known/caldav { return 301 /remote.php/dav/; }
                  location ^~ /.well-known { return 301 /index.php$uri; }
                  try_files $uri $uri/ =404;
              }
          }
          server {
              listen 443 ssl;
              server_name srv.9iron.club;
              ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://srv:80;
              }
          }
      tags: [docker, ingress]
    # Tagged `always` so the include itself is never skipped; the included
    # tasks keep their own tags.
    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - gulagbot.yml
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]
    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - 9iron.yml
        - desultd.yml
        - gitea.yml
        - nextcloud.yml
        - srv.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]
- hosts: web2.desu.ltd
  # Defaults inherited by every docker_container task in this play,
  # including the ones pulled in via include_tasks below.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  # Ansible always executes `roles:` before `tasks:` regardless of key
  # order, so the backup role runs ahead of the docker/ingress tasks.
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    # TLS terminates here with the cowfee.moe certificate; both vhosts
    # proxy plain HTTP to a container on the `web` network and pass only
    # Host and X-Real-IP upstream. Neither vhost sets HSTS (unlike the
    # nc.desu.ltd vhost on web1) — TODO confirm that is intended.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Owner/group-only access; the nginx process must run as a user
        # that can still read it — verify against the container image.
        mode: "0750"
        content: |
          server {
              listen 443 ssl default_server;
              server_name cowfee.moe;
              ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://pleroma:4000;
              }
          }
          server {
              listen 443 ssl;
              server_name tube.cowfee.moe;
              ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://peertube:9000;
              }
          }
      tags: [docker, ingress]
    # Tagged `always` so the include itself is never skipped; the included
    # tasks keep their own tags.
    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]
    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - peertube.yml
        - pleroma.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]
- hosts: web3.desu.ltd
  # Defaults inherited by every docker_container task in this play,
  # including the ones pulled in via include_tasks below.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  # Ansible always executes `roles:` before `tasks:` regardless of key
  # order, so the backup role runs ahead of the docker/ingress tasks.
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    # TLS terminates here; all three vhosts reuse the netbox.desu.ltd
    # certificate (presumably it carries the nagios and movie names as
    # SANs — confirm) and proxy plain HTTP to a container on the `web`
    # network, passing only Host and X-Real-IP upstream. No vhost sets
    # HSTS (unlike nc.desu.ltd on web1) — TODO confirm that is intended.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Owner/group-only access; the nginx process must run as a user
        # that can still read it — verify against the container image.
        mode: "0750"
        content: |
          server {
              listen 443 ssl default_server;
              server_name netbox.desu.ltd;
              ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://netbox:8080;
              }
          }
          server {
              listen 443 ssl;
              server_name nagios.desu.ltd;
              ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://nagios:80;
              }
          }
          server {
              listen 443 ssl;
              server_name movie.desu.ltd;
              ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
              ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
              ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
              location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass http://movienight:8089;
              }
          }
      tags: [docker, ingress]
    # Tagged `always` so the include itself is never skipped; the included
    # tasks keep their own tags.
    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]
    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - movienight.yml
        - netbox.yml
        - nagios.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]