diff --git a/ansible.cfg b/ansible.cfg
deleted file mode 100644
index 4009fad..0000000
--- a/ansible.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-[defaults]
-roles_path = ./roles
-remote_user = ansible
-inventory = ./inventory.yml
diff --git a/handlers.yml b/handlers.yml
deleted file mode 100644
index 1907c98..0000000
--- a/handlers.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: restart sentry
- systemd:
- name: sentry
- state: restarted
- enabled: true
diff --git a/inventory.yml b/inventory.yml
deleted file mode 100644
index 07c3fdb..0000000
--- a/inventory.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-sentry:
- hosts:
- 192.168.178.73:
diff --git a/playbook.yml b/playbook.yml
index 666a101..3ab181f 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,36 +1,9 @@
-- hosts: sentry
- become: true
- become_method: sudo
- pre_tasks:
- - include_role:
- name: common
- tasks_from: 'setup.yml'
- - include_role:
- name: common
- tasks_from: 'network.yml'
- - include_role:
- name: common
- tasks_from: 'host.yml'
- - include_role:
- name: common
- tasks_from: 'sudoers.yml'
- loop:
- - { src: '../../templates/sudoers.j2', dest: '/etc/sudoers.d/30-ansible-extra' }
- roles:
- - common
+# Note: this playbook requires the `docker` and `docker-compose` pip packages
+# in order for the `docker_compose` module to work
+- hosts: localhost
 tasks:
- - include_role:
- name: common
- tasks_from: 'ssl.yml'
- - include_role:
- name: common
- tasks_from: 'nginx.yml'
- - import_tasks: 'tasks/docker.yml'
 - import_tasks: 'tasks/main.yml'
- handlers:
- - import_tasks: 'handlers.yml'
 vars_files:
 - 'vars/main.yml'
- - 'vars/network.yml'
 - 'vars/postgres.yml'
 - 'vars/email.yml'
diff --git a/requirements.yml b/requirements.yml
deleted file mode 100644
index ba54c45..0000000
--- a/requirements.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- src: git+https://git.fudiggity.nl/ansible/common.git
- name: common
- version: master
- scm: git
diff --git a/tasks/docker.yml b/tasks/docker.yml
deleted file mode 100644
index 25e600c..0000000
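Review bot: The new header comment records the pip prerequisites but not the privilege model this play now relies on: it targets `localhost` with no play-level `become`, and tasks/main.yml adds `become: true` only on the directory tasks, so the invoking account needs sudo for those and, as far as the visible hunks show, direct access to the Docker daemon for the `docker_compose` step. A line such as `# Runs on localhost as the invoking user: directory tasks escalate with become, the docker_compose step needs access to the Docker daemon` would make that explicit. The same commit removes the ssl, nginx and nftables roles and `vars/network.yml` without a counterpart in this play, so nothing here terminates TLS or limits inbound traffic any longer while `app_url` in vars/main.yml still advertises https; a further comment stating that a reverse proxy and host firewall are expected outside this playbook keeps that visible to the next operator.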
--- a/tasks/docker.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-- name: add docker gpg key
- apt_key:
- id: '0EBFCD88'
- url: 'https://download.docker.com/linux/debian/gpg'
- validate_certs: true
- state: present
-
-- name: add docker repo
- apt_repository:
- repo: 'deb https://download.docker.com/linux/debian buster stable'
- validate_certs: true
- state: present
-
-- name: install docker
- apt:
- name:
- - docker-ce
- - docker-ce-cli
- - containerd.io
- state: present
-
-- name: check docker-compose existence
- stat:
- path: '/usr/local/bin/docker-compose'
- register: docker_compose_stat
-
-- name: download docker-compose
- get_url:
- url: 'https://github.com/docker/compose/releases/download/1.26.0/docker-compose-Linux-x86_64'
- dest: '/usr/local/bin/docker-compose'
- mode: '0755'
- when: docker_compose_stat.stat.isfile is not defined
-
-- name: add sentry user
- user:
- name: sentry
- create_home: true
- shell: '/bin/bash'
- groups:
- - sudo
- - docker
- append: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 097e2ad..db4166a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,51 +1,14 @@
-- name: copy sentry systemd service
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: '{{ app_user }}'
- group: '{{ app_user }}'
- mode: '0644'
- loop:
- - { src: 'templates/sentry.systemd.j2', dest: '/etc/systemd/system/sentry.service' }
- notify: restart sentry
-
-- name: copy firewall templates
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: root
- mode: '0600'
- loop:
- - { src: 'templates/nftables.j2', dest: '/etc/nftables.conf' }
-
-- name: restart nftables
- systemd:
- name: nftables
- state: restarted
- enabled: true
-
-- name: ensure sentry is stopped
- systemd:
- name: sentry
- state: stopped
-
-# restart docker after nftables changes so that it applies docker related rules
-- name: restart docker
- systemd:
- name: docker
- state: restarted
- enabled: true
-
 - name: create sites directory
+ become: true
 file:
- path: '/srv/sites'
+ path: '/srv/docker'
 state: directory
 owner: root
 group: root
 mode: 0755
 - name: create sentry dir
+ become: true
 file:
 path: '{{ app_dir }}'
 state: directory
@@ -54,8 +17,6 @@
 mode: 0755
 - name: clone project
- become_user: '{{ app_user }}'
- become: true
 git:
- repo: '{{ app_repository }}'
- dest: '{{ app_dir }}'
@@ -73,6 +34,7 @@
 - { src: 'templates/sentry.conf.j2', dest: '{{ app_dir }}/sentry/sentry.conf.py' }
 - { src: 'templates/sentry.config.j2', dest: '{{ app_dir }}/sentry/config.yml' }
+# TODO: tag other sentry images aswell
 # can be ran multiple times to upgrade sentry
 - name: run sentry installer
 command: './install.sh'
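Review bot: The task name `- name: create sites directory` no longer matches its path, which this hunk changes to `/srv/docker`; rename it to `- name: create docker directory` so the play output describes what it does. The context line `mode: 0755` on both directory tasks is a plain scalar that only yields octal under the YAML 1.1 rule, whereas the tasks this commit removes quoted theirs (`'0644'`, `'0600'`); writing `mode: '0755'` removes the dependence on the parser and keeps the file's own style. Both directory tasks now run as root via the added `become: true`, so the owner/group values of the `create sentry dir` task, which sit just outside this hunk, decide whether the unprivileged clone that follows can write into `{{ app_dir }}`.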
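Review bot: `clone project` loses both `become: true` and `become_user: '{{ app_user }}'`, so the checkout into `{{ app_dir }}` now runs as whoever invokes the playbook, while `{{ app_dir }}` itself is created with `become: true` in the task before it; whether that account can write there depends on owner/group lines that are outside this hunk, and the git task body appears to continue past `dest`. If the checkout is meant to belong to `app_user`, keep `become: true` and `become_user: '{{ app_user }}'` on this task; if the playbook is meant to be invoked as `app_user`, a comment above the task saying so (`# runs as the invoking user, which must own app_dir`) stops a root-owned directory and an unprivileged clone from drifting apart.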
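Review bot: `+# TODO: tag other sentry images aswell` is too terse to act on and has a typo; the only pin visible in this diff is `SENTRY_IMAGE: 'getsentry/sentry:{{ app_branch }}'` in the next hunk, so the comment should say what is presumably still floating, e.g. `# TODO: pin the other images the compose file pulls the same way SENTRY_IMAGE pins sentry, so an upgrade run does not pull unpinned tags` (which images those are is not visible here). The context comment below it would also read better as `# can be run multiple times to upgrade sentry`.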
@@ -80,27 +42,15 @@
 chdir: '{{ app_dir }}'
 environment:
 SENTRY_IMAGE: 'getsentry/sentry:{{ app_branch }}'
- ignore_errors: true
+ SENTRY_BIND: '{{ bind_address }}'
+ register: installer_output
-- name: copy nginx sentry config
- template:
- src: 'templates/nginx.j2'
- dest: '/etc/nginx/sites-available/{{ app_name }}'
- owner: root
- group: root
- mode: '0644'
+- name: log installer output
+ debug:
+ var: installer_output.stdout_lines
-- name: link nginx config
- file:
- src: '/etc/nginx/sites-available/{{ app_name }}'
- dest: '/etc/nginx/sites-enabled/{{ app_name }}'
- owner: root
- group: root
- mode: '0777'
- state: link
-
-- name: ensure nginx is restarted
- systemd:
- name: nginx
- state: restarted
- enabled: true
+- name: start sentry
+ docker_compose:
+ project_src: '{{ app_dir }}'
+ build: false
+ restarted: true
diff --git a/templates/nftables.j2 b/templates/nftables.j2
deleted file mode 100644
index 6f597c8..0000000
--- a/templates/nftables.j2
+++ /dev/null
@@ -1,33 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-#
-# vim:set ts=2 sw=2 et:
-# use uppercase table names for compatibility with docker
-
-flush ruleset
-
-table inet filter {
- chain INPUT {
- type filter hook input priority 0; policy drop;
-
- # accept any localhost traffic
- iif lo accept
-
- # accept traffic originated from us
- ct state { established, related } accept
-
- tcp dport { 22, 80, 443 } accept
- }
-
- chain FORWARD {
- type filter hook forward priority 0; policy drop;
- ct state { established, related } accept;
-
- mark 1 accept
- }
-}
-
-table ip filter {
- chain DOCKER-USER {
- mark set 1
- }
-}
diff --git a/templates/nginx.j2 b/templates/nginx.j2
deleted file mode 100644
index 3167b94..0000000
--- a/templates/nginx.j2
+++ /dev/null
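Review bot: `SENTRY_BIND: '{{ bind_address }}'` is now the only thing that decides where Sentry is reachable, because the same commit deletes the nginx server that proxied to `localhost:9000` and the nftables INPUT policy that admitted only 22, 80 and 443, and `bind_address` defaults to the bare port `'9000'` in vars/main.yml; whether a bare port publishes on every interface depends on the compose file in the cloned repo, which is not in this diff. Document that at the environment block, e.g. `# SENTRY_BIND is the host-side bind of the web container; this play applies no proxy or firewall, so use an IP:PORT such as 127.0.0.1:9000 when a proxy sits in front`, and consider making the loopback form the default in vars/main.yml. The `run sentry installer` task header is before this hunk; with `ignore_errors: true` gone, `log installer output` only runs after a successful install, which is the right behaviour but worth a one-line comment so the ignore is not re-added to see output on failure.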
@@ -1,26 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-#
-server {
- listen 80;
- server_name {{ app_name }}.fudiggity.nl;
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name {{ app_name }}.fudiggity.nl;
-
- ssl_certificate /etc/ssl/{{ app_name }}/{{ app_name }}.crt;
- ssl_certificate_key /etc/ssl/{{ app_name }}/local.pem;
-
- access_log /var/log/nginx/{{ app_name }}.log;
- error_log /var/log/nginx/{{ app_name }}.log;
-
- location / {
- include proxy_params;
-
- proxy_redirect off;
-
- proxy_pass http://localhost:9000;
- }
-}
diff --git a/templates/sentry.systemd.j2 b/templates/sentry.systemd.j2
deleted file mode 100644
index 973df02..0000000
--- a/templates/sentry.systemd.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-#
-[Unit]
-Description=Sentry
-Requires=docker.service
-After=docker.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-User={{ app_user }}
-ExecStart=/usr/local/bin/docker-compose up --detach
-ExecStop=/usr/local/bin/docker-compose down
-WorkingDirectory={{ app_dir }}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
deleted file mode 100644
index 1b45772..0000000
--- a/templates/sudoers.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-#
-ansible ALL = (sentry:sentry) NOPASSWD: ALL
diff --git a/vars/main.yml b/vars/main.yml
index f931d66..f2d40e4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,11 +1,13 @@
-default_user: 'sonny'
+# Can either use a port number or an IP:PORT combo, see SENTRY_BIND
+bind_address: '9000'
 app_name: 'sentry'
-app_dir: '/srv/sites/sentry'
+app_dir: '/srv/docker/sentry'
 app_url: 'https://sentry.fudiggity.nl'
 app_repository: 'https://github.com/getsentry/onpremise.git'
 app_branch: '21.7.0'
-app_user: 'sentry'
+
+app_user: 'sonny'
 app_key: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 33666233326139613365306263323464666538303862666561313839646435643866663064356263
diff --git a/vars/network.yml b/vars/network.yml
deleted file mode 100644
index e41809d..0000000
--- a/vars/network.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-hostname: 'sentry.fudiggity.nl'
-host_interface: 'en*'
-host_ip: '192.168.178.73'
-host_subnet: '24'
-host_gateway: '192.168.178.1'
-host_dns: '192.168.178.1'
diff --git a/vars/postgres.yml b/vars/postgres.yml
index 594366b..88b07d3 100644
--- a/vars/postgres.yml
+++ b/vars/postgres.yml
@@ -1,12 +1,5 @@
-postgres_host: '192.168.178.165'
-postgres_port: '5432'
-postgres_db: 'sentry'
-postgres_user: 'sentry'
-postgres_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 62306238313361643131646665646161336162626464393839353238363861376462663936666239
- 3166653966303132393563653832653635623131393536640a653037306539666261346232633930
- 34656431386531303234316137396436653635393061393934393839663032386638633264326133
- 6564366362326462640a323835633561363433393435376434306535636339646662343234356530
- 61656162663462616538313835343665333661303963653635346666323933663761376335373832
- 3761303331613539623761626535336330353836373838363963
+postgres_host: 'postgres'
+postgres_port: ''
+postgres_db: 'postgres'
+postgres_user: 'postgres'
+postgres_password: ''
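Review bot: `app_user: 'sonny'` hard-codes a personal login where the previous value was the dedicated `sentry` service account, and the deleted `default_user: 'sonny'` shows the same name was already treated as a local default; with the `add sentry user` task removed in this commit there is no managed account left, so a comment should state what the variable now has to be, e.g. `# existing local account that owns the checkout and can reach the Docker daemon`. `app_url: 'https://sentry.fudiggity.nl'` is kept although nothing in this commit terminates TLS any more, so a comment next to it saying that the https endpoint is provided by an external proxy, together with a loopback `bind_address` such as `'127.0.0.1:9000'` (the form the new comment above it already allows), would keep the two values consistent.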
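Review bot: `postgres_password: ''` replaces the vaulted secret with an empty string and `postgres_port: ''` leaves the port empty, while `postgres_host: 'postgres'` now reads like a compose-internal service name; these values are consumed by `templates/sentry.conf.j2`, which is outside this diff, so whether the bundled database ends up accepting an empty password cannot be verified here. Add a comment stating the intent, e.g. `# credentials for the postgres service on the compose network; an empty password relies on that network not being reachable from outside the host`, and if the service still requires a password keep a vaulted value rather than `''`. The old vault blob stays in git history, so if the 192.168.178.165 instance remains in use elsewhere, rotating that credential is cheap insurance.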