WIP: add ansible docker config

group_vars/studentenportal

@@ -0,0 +1 @@
+lets_encrypt_email: [email protected]

group_vars/ubuntu

@@ -0,0 +1,3 @@
+apt_cache_time: 3600
+ansible_python_interpreter: /usr/bin/python3
+ansible_user: root

inventory/production

@@ -1,21 +1,5 @@
-###############################################################################
-# Servers (with connection parameters)
-###############################################################################
-# Hostname                 Parameters
-vshsr01.nine.ch            ansible_ssh_user=root
-
-
-###############################################################################
-# Server class
-###############################################################################
-
-[ubuntu]
+[studentenportal]
 vshsr01.nine.ch
 
-###############################################################################
-# Infrastructure location
-###############################################################################
-
-# Nine, Zürich
-[nine]
-vshsr01.nine.ch
+[ubuntu:children]
+studentenportal

provision

@@ -4,6 +4,6 @@
 export ANSIBLE_FORCE_COLOR=true
 
 # Execute playbook
-exec ansible-playbook ./provision.yaml $@
+exec ansible-playbook ./provision.yml $@
 
 # --vault-id @prompt --vault-password-file ./secrets.yaml $@

provision.yml

@@ -0,0 +1,12 @@
+---
+- hosts: all
+  roles:
+    - role: base
+      tags: [base]
+
+- hosts: studentenportal
+  roles:
+    - role: nickjj.docker
+      tags: [docker]
+    - role: studentenportal
+      tags: [studentenportal]

roles/base/defaults/main.yml

@@ -0,0 +1,2 @@
+package_update: False
+reboot: False

roles/base/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart sshd
+  service: name=sshd state=restarted

roles/base/tasks/fail2ban.yml

@@ -0,0 +1,14 @@
+---
+- name: ensure packages are installed
+  apt:
+    name: "{{ packages }}"
+    state: present
+    cache_valid_time: "{{ apt_cache_time | int }}"
+  vars:
+    packages:
+      - fail2ban
+
+- name: ensure fail2ban is running
+  service:
+    name: fail2ban
+    state: started

roles/base/tasks/firewall.yml

@@ -0,0 +1,11 @@
+---
+- name: ensure ssh is allowed
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: ensure ufw is enabled
+  ufw:
+    state: enabled
+    direction: incoming
+    policy: deny

roles/base/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- import_tasks: firewall.yml
+- import_tasks: packages.yml
+- import_tasks: sshd.yml
+- import_tasks: fail2ban.yml
+- import_tasks: unattended-upgrades.yml
+- import_tasks: reboot.yml

roles/base/tasks/packages.yml

@@ -0,0 +1,17 @@
+---
+- name: ensure latest package versions are installed
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+  when: package_update
+
+- name: remove dependencies that are no longer required
+  apt:
+    autoremove: yes
+  when: package_update
+
+- name: remove useless packages from the cache
+  apt:
+    autoclean: yes
+  when: package_update

roles/base/tasks/reboot.yml

@@ -0,0 +1,11 @@
+---
+- name: reboot server
+  command: /sbin/shutdown -r +1 "Ansible-triggered Reboot"
+  async: 0
+  poll: 0
+  when: reboot
+
+- name: wait for the server to finish rebooting
+  wait_for_connection:
+    delay: "80"
+  when: reboot

roles/base/tasks/sshd.yml

@@ -0,0 +1,39 @@
+---
+- name: define preffered key exchange algorithms
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^KexAlgorithms"
+    line: KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
+  notify: restart sshd
+
+- name: define preffered ciphers
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^Ciphers"
+    line: Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
+  notify: restart sshd
+
+- name: define preffered message authentication codes
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^MACs"
+    line: MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
+  notify: restart sshd
+
+#- name: only allow root to login through ssh
+#  lineinfile:
+#    path: /etc/ssh/sshd_config
+#    regexp: "^AllowUsers"
+#    line: AllowUsers root
+#  notify: restart sshd
+
+- name: ensure ssh is allowed
+  ufw:
+    rule: allow
+    name: OpenSSH
+
+- name: ensure ssh gets limited
+  ufw:
+    rule: limit
+    port: ssh
+    proto: tcp

roles/base/tasks/unattended-upgrades.yml

@@ -1,21 +1,24 @@
 ---
-- name: Install unattended-upgrade packages
+- name: ensure that unattended-upgrade packages are installed
   apt:
-      name: "{{ item }}"
-      state:  present
-      update-cache: yes
-      cache_valid_time: 3600
-  loop:
-    - unattended-upgrades
-    - update-notifier-common
+    name: "{{ packages }}"
+    state: present
+    cache_valid_time: "{{ apt_cache_time | int }}"
+  vars:
+    packages:
+      - unattended-upgrades
+      - update-notifier-common
 
-- name: Create APT {{ item.src }} configuration
+- name: ensure apt config {{ item.src }} exists
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: 0644
   loop:
-    - {src: "auto-upgrades", dest: "/etc/apt/apt.conf.d/20auto-upgrades"}
-    - {src: "unattended-upgrades", dest: "/etc/apt/apt.conf.d/50unattended-upgrades"}
+    - { src: "auto-upgrades", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
+    - {
+        src: "unattended-upgrades",
+        dest: "/etc/apt/apt.conf.d/50unattended-upgrades",
+      }

roles/studentenportal/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- import_tasks: traefik.yml
+- import_tasks: postgres.yml
+- import_tasks: studentenportal.yml

roles/studentenportal/tasks/postgres.yml

@@ -0,0 +1,24 @@
+---
+- name: ensure studentenportal network exists
+  docker_network:
+    name: studentenportal
+  vars:
+    ansible_python_interpreter: "/usr/bin/env python-docker"
+
+- name: ensure the postgres container runs
+  docker_container:
+    name: postgres
+    image: postgres:9.3-alpine
+    pull: true
+    state: started
+    network_mode: bridge
+    volumes:
+      - /var/studentenportal/db:/var/lib/postgresql/data
+    env:
+      POSTGRES_USER: "{{ postgres_user }}"
+      POSTGRES_PASSWORD: "{{ postgres_password }}"
+      POSTGRES_DB: "{{ postgres_database }}"
+    networks:
+      - name: studentenportal
+  vars:
+    ansible_python_interpreter: "/usr/bin/env python-docker"