marklit · November 8, 2014 08:27 · Nov 8, 2014
diff --git a/playbook.yml b/playbook.yml
@@ -0,0 +1,202 @@
+---
+
+- name: SSH tightening
+  hosts: all
+  sudo: True
+  tasks:
+    - name: Disable root's ssh account
+      action: >
+        lineinfile
+        dest=/etc/ssh/sshd_config
+        regexp="^PermitRootLogin"
+        line="PermitRootLogin no"
+        state=present
+      notify: Restart ssh
+    - name: Disable password authentication
+      action: >
+        lineinfile
+        dest=/etc/ssh/sshd_config
+        regexp="^PasswordAuthentication"
+        line="PasswordAuthentication no"
+        state=present
+      notify: Restart ssh
+
+  handlers:
+  - name: Restart ssh
+    action: service name=ssh state=restarted
+
+- name: Update APT package cache
+  hosts: all
+  gather_facts: False
+  sudo: True
+  tasks:
+    - name: Update APT package cache
+      action: apt update_cache=yes
+
+- name: Set timezone to UTC
+  hosts: all
+  gather_facts: False
+  sudo: True
+  tasks:
+    - name: Set timezone variables
+      copy: >
+        content='Etc/UTC'
+        dest=/etc/timezone
+        owner=root
+        group=root
+        mode=0644
+        backup=yes
+      notify:
+        - Update timezone
+  handlers:
+    - name: Update timezone
+      command: >
+        dpkg-reconfigure 
+        --frontend noninteractive
+        tzdata
+
+- name: Syncronise clocks
+  hosts: all
+  sudo: True
+  tasks:
+    - name: install ntp
+      apt: name=ntp
+
+    - name: copy ntp config
+      copy: src=files/ntp.conf dest=/etc/ntp.conf
+
+    - name: restart ntp 
+      service: name=ntp state=restarted
+
+- name: Setup unattended upgrades
+  hosts: all
+  gather_facts: False
+  sudo: True
+  tasks:
+    - name: Install unattended upgrades package
+      apt: name=unattended-upgrades
+      notify:
+        - dpkg reconfigure
+
+  handlers:
+    - name: dpkg reconfigure
+      command: >
+        dpkg-reconfigure 
+        --frontend noninteractive 
+        -plow unattended-upgrades
+
+- name: Setup App Server(s)
+  hosts: app_servers
+  sudo: True
+  vars:
+    home_folder: /home/mark
+    venv: faulty
+  tasks:
+    - ufw: state=enabled logging=on
+    - ufw: direction=incoming policy=deny
+    - ufw: rule=limit port=ssh proto=tcp
+    - ufw: rule=allow port=22 proto=tcp
+    - ufw: >
+        rule=allow
+        port=80
+        proto=tcp
+        from_ip={{ hostvars['lb']['ansible_default_ipv4']['address'] }}
+
+    - name: Install python virtualenv
+      apt: name=python-virtualenv
+
+    - name: Install python dev
+      apt: name=python-dev
+
+    - name: Install git
+      apt: name=git
+
+    - name: Checkout Django code
+      git: >
+        repo=https://bitbucket.org/marklit/faulty.git
+        dest={{ home_folder }}/faulty
+        update=no
+    - file: >
+        path={{ home_folder }}/faulty
+        owner=mark
+        group=mark
+        mode=755
+        state=directory
+        recurse=yes
+
+    - name: Install Python requirements
+      pip: >
+        requirements={{ home_folder }}/faulty/requirements.txt
+        virtualenv={{ home_folder }}/.virtualenvs/{{ venv }}
+
+    - template: >
+        src=files/venv_activate.sh
+        dest={{ home_folder }}/.virtualenvs/{{ venv }}/exec
+        mode=755
+
+    - command: >
+        {{ home_folder }}/.virtualenvs/{{ venv }}/exec
+        python manage.py syncdb --noinput
+      args:
+        chdir: '{{ home_folder }}/faulty'
+
+    - command: >
+        {{ home_folder }}/.virtualenvs/{{ venv }}/exec
+        python manage.py migrate
+      args:
+        chdir: '{{ home_folder }}/faulty'
+
+    - name: Install supervisor
+      apt: name=supervisor
+
+    - template: >
+        src=files/supervisord.conf
+        dest=/etc/supervisor/conf.d/django_app.conf
+
+    - command: /usr/bin/supervisorctl reload
+    - supervisorctl: name=web_app state=restarted
+    - supervisorctl: name=celeryd state=restarted
+
+    - name: Install nginx
+      apt: name=nginx
+
+    - name: copy nginx config file
+      template: >
+        src=files/nginx-app.conf
+        dest=/etc/nginx/sites-available/default
+
+    - name: enable configuration
+      file: >
+        dest=/etc/nginx/sites-enabled/default
+        src=/etc/nginx/sites-available/default
+        state=link
+
+    - service: name=nginx state=restarted
+
+- name: Setup Load balancer(s)
+  hosts: load_balancers
+  sudo: True
+  tasks:
+    - ufw: state=enabled logging=on
+    - ufw: direction=incoming policy=deny
+    - ufw: rule=limit port=ssh proto=tcp
+    - ufw: rule=allow port=22 proto=tcp
+    - ufw: rule=allow port=80 proto=tcp
+    - ufw: rule=allow port=443 proto=tcp
+
+    - apt: name=nginx
+
+    - name: copy nginx config file
+      template: >
+        src=files/nginx-load-balancer.conf
+        dest=/etc/nginx/sites-available/default
+    - copy: src=files/nginx.key dest=/etc/nginx/ssl/
+    - copy: src=files/nginx.crt dest=/etc/nginx/ssl/
+
+    - name: enable configuration
+      file: >
+        dest=/etc/nginx/sites-enabled/default
+        src=/etc/nginx/sites-available/default
+        state=link
+
+    - service: name=nginx state=restarted