Roles: initially add role ffmwu-build and playbook for build-servers

2016-10-28 16:37:37 +02:00 · 2016-10-28 16:37:37 +02:00 · 9dd7b203db
parent 1ddf265f31
commit 9dd7b203db
13 changed files with 271 additions and 0 deletions
--- a/ffmwu-build.yml
+++ b/ffmwu-build.yml
@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- hosts: build-servers
+  remote_user: admin
+  strategy: linear
+
+  roles: 
+  - ffmwu-build
--- a/roles/ffmwu-build/files/rsync.service
+++ b/roles/ffmwu-build/files/rsync.service
@ -0,0 +1,9 @@
+[Unit]
+Description=fast remote file copy program daemon
+ConditionPathExists=/etc/rsyncd.conf
+
+[Service]
+ExecStart=/usr/bin/rsync --daemon -6 --no-detach
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/ffmwu-build/files/rsyncd.conf
+++ b/roles/ffmwu-build/files/rsyncd.conf
@ -0,0 +1,17 @@
+use chroot = true
+
+max connections = 10
+timeout = 300
+
+transfer logging = false
+log file = /var/log/rsyncd.log
+
+[firmware]
+comment = gluon firmware builds
+path = /var/www/html/firmware
+read only = yes
+list = yes
+uid = nobody
+gid = nogroup
+strict modes = yes
+ignore nonreadable = yes
--- a/roles/ffmwu-build/handlers/main.yml
+++ b/roles/ffmwu-build/handlers/main.yml
@ -0,0 +1,8 @@
+---
+- name: check apache syntax
+  shell: apachectl -t
+  become: true
+
+- name: restart systemd unit apache2
+  systemd: name=apache2 state=restarted
+  become: true
--- a/roles/ffmwu-build/meta/main.yml
+++ b/roles/ffmwu-build/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+- ffmwu-server
--- a/roles/ffmwu-build/tasks/ecdsautils.yml
+++ b/roles/ffmwu-build/tasks/ecdsautils.yml
@ -0,0 +1,28 @@
+---
+- name: checkout ecdsautils repo
+  git: repo=https://github.com/tcatm/ecdsautils.git
+       dest=/home/admin/clones/ecdsautils
+       version=v0.3.2
+
+- name: create build directory
+  file: path=/home/admin/clones/ecdsautils/build state=directory
+
+- name: build ecdsautils
+  shell: "{{ item }}"
+  args:
+    chdir: /home/admin/clones/ecdsautils/build
+  with_items:
+    - cmake ..
+    - make
+
+- name: install ecdsautils to /usr/local/bin
+  copy:
+    src: "{{ item }}"
+    dest: /usr/local/bin/
+    mode: 0755
+    remote_src: True
+  with_items:
+    - /home/admin/clones/ecdsautils/build/src/ecdsakeygen
+    - /home/admin/clones/ecdsautils/build/src/ecdsaverify
+    - /home/admin/clones/ecdsautils/build/src/ecdsasign
+  become: true
--- a/roles/ffmwu-build/tasks/main.yml
+++ b/roles/ffmwu-build/tasks/main.yml
@ -0,0 +1,6 @@
+---
+- include: tasks/packages.yml
+- include: tasks/ecdsautils.yml
+- include: tasks/repos.yml
+- include: tasks/rsync.yml
+- include: tasks/web.yml
--- a/roles/ffmwu-build/tasks/packages.yml
+++ b/roles/ffmwu-build/tasks/packages.yml
@ -0,0 +1,31 @@
+---
+- name: add apt repository of neoraider
+  apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
+  become: true
+
+- name: add apt-key of neoraider
+  apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
+  become: true
+
+- name: install needed packages for build-server
+  apt: 
+    state: present
+    name: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 21600
+  with_items:
+    - apache2
+    - apache2-utils
+    - build-essential
+    - cmake
+    - gawk
+    - git
+    - haveged
+    - libncurses5-dev
+    - libssl-dev
+    - libuecc-dev
+    - pkg-config
+    - subversion
+    - unzip
+    - zlib1g-dev
+  become: true
--- a/roles/ffmwu-build/tasks/repos.yml
+++ b/roles/ffmwu-build/tasks/repos.yml
@ -0,0 +1,4 @@
+---
+- name: checkout sites-ffmwu repo
+  git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
+       dest=/home/admin/clones/sites-ffmwu
--- a/roles/ffmwu-build/tasks/rsync.yml
+++ b/roles/ffmwu-build/tasks/rsync.yml
@ -0,0 +1,15 @@
+---
+- name: install rsnycd configuration file
+  copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
+  become: true
+
+- name: install rsnyc systemd unit
+  copy: src=rsync.service dest=/etc/systemd/system/ mode=644
+  become: true
+
+- name: ensure rsync is started on boot as a daemon
+  systemd:
+    name: rsync
+    state: started
+    enabled: True
+  become: true
--- a/roles/ffmwu-build/tasks/web.yml
+++ b/roles/ffmwu-build/tasks/web.yml
@ -0,0 +1,90 @@
+---
+- name: ensure webroot owns by user/group admin
+  file: dest=/var/www/html owner=admin group=admin recurse=yes
+  become: true
+
+- name: enable apache module ssl
+  apache2_module: state=present name=ssl
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: disable default apache sites and unwanted default configs
+  shell: a2dissite "{{ item }}"
+  with_items:
+    - 000-default
+    - default-ssl
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- shell: a2disconf "{{ item }}"
+  with_items:
+    - other-vhosts-access-log.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: configure apache ssl module settings
+  lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
+              regexp="^([\s\t]+)?SSLCipherSuite"
+              line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+              state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
+              regexp="^([\s\t]+)?SSLProtocol"
+              line="SSLProtocol all -SSLv2 -SSLv3"
+              state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: configure apache security settings
+  lineinfile: dest=/etc/apache2/conf-available/security.conf
+              regexp="^ServerTokens"
+              line="ServerTokens Prod"
+              state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/conf-available/security.conf
+              regexp="^ServerSignature"
+              line="ServerSignature EMail"
+              state=present
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: write ffmwu apache sites
+  template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
+
+- name: enable ffmwu apache sites
+  shell: a2ensite "{{ item }}"
+  with_items:
+    - ffmwu-default-http
+    - ffmwu-default-https
+  become: true
+  notify:
+    - check apache syntax
+    - restart systemd unit apache2
--- a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
+++ b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
@ -0,0 +1,16 @@
+<VirtualHost *:80>
+	ServerName {{ inventory_hostname }}
+	ServerAdmin webmaster@freifunk-mwu.de
+
+	DocumentRoot /var/www/html/firmware
+
+	<Directory /var/www/html/firmware>
+			Options +Indexes +FollowSymlinks
+			IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+			AllowOverride None
+			Order allow,deny
+			allow from all
+	</Directory>
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
+++ b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
@ -0,0 +1,36 @@
+<IfModule mod_ssl.c>
+	<VirtualHost *:443>
+		ServerAdmin webmaster@freifunk-mwu.de
+		ServerName {{ inventory_hostname }}
+
+		DocumentRoot /var/www/html/firmware
+
+		<Directory /var/www/html/firmware>
+				Options +Indexes +FollowSymlinks
+				IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+				AllowOverride None
+				Order allow,deny
+				allow from all
+		</Directory>
+
+		SSLEngine on
+		SSLCertificateFile	/etc/webcerts/{{ inventory_hostname }}/cert.pem
+		SSLCertificateKeyFile /etc/webcerts/{{ inventory_hostname }}/privkey.pem
+		SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem
+
+		<FilesMatch "\.(cgi|shtml|phtml|php)$">
+				SSLOptions +StdEnvVars
+		</FilesMatch>
+		<Directory /usr/lib/cgi-bin>
+				SSLOptions +StdEnvVars
+		</Directory>
+
+		BrowserMatch "MSIE [2-6]" \
+				nokeepalive ssl-unclean-shutdown \
+				downgrade-1.0 force-response-1.0
+		# MSIE 7 and newer should be able to use keepalive
+		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+	</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet