filhocodes · February 14, 2021 13:30
diff --git a/.gitignore b/.gitignore
 inventory.local.yml
diff --git a/inventory.yml b/inventory.yml
 all:
  children:
    production:
      hosts:
        __APPLICATION__DOMAIN__:
          ansible_host: __APPLICATION__IP__
          # ansible_ssh_private_key_file: ~/.ssh/id_rsa
diff --git a/Makefile b/Makefile
 ifeq ($(wildcard ./inventory.local.yml),)
 	INVENTORY_FILE = inventory.yml
 else
 	INVENTORY_FILE = inventory.local.yml
 endif

 local-inventory:
 	cp -vf ./inventory.yml ./inventory.local.yml

 check-inventory:
 	echo $(INVENTORY_FILE)

 ## == INFRA ============================================================================================================
 prepare: playbook--prepare.yml
  ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--prepare.yml
 	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--prepare.yml

 software: playbook--software.yml
  ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--software.yml
 	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--software.yml

 after: playbook--after.yml
  ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--software.yml
 	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--after.yml

 ## =====================================================================================================================
diff --git a/playbook--after.yml b/playbook--after.yml
 - hosts: production
  remote_user: app
  become: yes
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.pip
    - role: geerlingguy.supervisor
    - role: manala.cron
diff --git a/playbook--prepare.yml b/playbook--prepare.yml
 - hosts: production
  remote_user: root
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - setup
    - oefenweb.fail2ban
diff --git a/playbook--software.yml b/playbook--software.yml
 - hosts: production
  remote_user: app
  become: yes
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.git
    # - role: geerlingguy.postgresql
    - role: geerlingguy.redis
    - role: geerlingguy.php-versions
    - role: geerlingguy.php
    - role: geerlingguy.php-pgsql
    - role: geerlingguy.php-redis
    - role: geerlingguy.composer
    - role: geerlingguy.nodejs
    - role: ocha.yarn

 - hosts: production
  remote_user: app
  become: yes
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  tasks:
    - name: Check NGINX Presence
      stat:
        path: /etc/nginx/nginx.conf
      register: nginx_conf_stat_result
    - name: Stop nginx
      when: nginx_conf_stat_result.stat.exists == True
      service:
        name: nginx
        state: stopped

 - hosts: production
  remote_user: app
  become: yes
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.certbot
    - role: geerlingguy.nginx
diff --git a/roles.setup.defaults.main.yml b/roles.setup.defaults.main.yml
 ### ssh.yml
 security_ssh_config_path: /etc/ssh/sshd_config
 security_sshd_name: ssh

 security_ssh_port: 22
 security_ssh_password_authentication: "no"
 security_ssh_permit_root_login: "no"
 security_ssh_usedns: "no"
 security_ssh_permit_empty_password: "no"
 security_ssh_challenge_response_auth: "no"
 security_ssh_gss_api_authentication: "no"
 security_ssh_x11_forwarding: "no"

 security_sudoers_passwordless: []
 security_sudoers_passworded: []
diff --git a/roles.setup.handlers.main.yml b/roles.setup.handlers.main.yml
 - name: restart ssh
  service: "name={{ security_sshd_name }} state=restarted"
diff --git a/roles.setup.tasks.main.yml b/roles.setup.tasks.main.yml
 - name: Set timezone
  timezone:
    name: America/Sao_Paulo

 - name: apt update
  apt:
    update_cache: yes
    force: yes

 - name: Setup groups
  group:
    name: "{{ item }}"
    state: present
  loop:
    - app
    - www-data

 - name: Setup user app
  user:
    name: app
    state: present
    append: yes
    groups:
      - app
      - admin
      - www-data
    shell: /bin/bash
    home: /home/app
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa

 - name: Copy authorized keys from root
  copy:
    remote_src: yes
    src: /root/.ssh/authorized_keys
    dest: /home/app/.ssh/authorized_keys
    owner: app
    group: app
    mode: '0644'

 # Retrieved from geerlingguy.security
 - include_tasks: ssh.yml

 - name: Install unzip package
  apt:
    name: unzip
    state: present
    update_cache: yes
diff --git a/roles.setup.tasks.ssh.yml b/roles.setup.tasks.ssh.yml
 ---
 - name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "{{ security_ssh_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
    - regexp: "^Port"
      line: "Port {{ security_ssh_port }}"
    - regexp: "^UseDNS"
      line: "UseDNS {{ security_ssh_usedns }}"
    - regexp: "^PermitEmptyPasswords"
      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
    - regexp: "^ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
    - regexp: "^GSSAPIAuthentication"
      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
    - regexp: "^X11Forwarding"
      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
  notify: restart ssh

 - name: Add configured user accounts to passwordless sudoers.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}'
    line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
    state: present
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passwordless }}"
  when: security_sudoers_passwordless | length > 0

 - name: Add configured user accounts to passworded sudoers.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}'
    line: '{{ item }} ALL=(ALL) ALL'
    state: present
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passworded }}"
  when: security_sudoers_passworded | length > 0
diff --git a/roles.sh b/roles.sh
 ansible-galaxy -p roles oefenweb.fail2ban

 ansible-galaxy -p roles geerlingguy.git
 # ansible-galaxy -p roles geerlingguy.postgresql
 ansible-galaxy -p roles geerlingguy.redis
 ansible-galaxy -p roles geerlingguy.php-versions
 ansible-galaxy -p roles geerlingguy.php
 ansible-galaxy -p roles geerlingguy.php-pgsql
 ansible-galaxy -p roles geerlingguy.php-redis
 ansible-galaxy -p roles geerlingguy.composer
 ansible-galaxy -p roles geerlingguy.nodejs
 ansible-galaxy -p roles ocha.yarn
 ansible-galaxy -p roles geerlingguy.certbot
 ansible-galaxy -p roles geerlingguy.nginx


 ansible-galaxy -p roles geerlingguy.pip
 ansible-galaxy -p roles geerlingguy.supervisor
 ansible-galaxy -p roles manala.cron
diff --git a/vars.production.yml b/vars.production.yml
 ### voxconexao.setup
 security_sudoers_passwordless:
  - app

 ### oefenweb.fail2ban
 fail2ban_loglevel: 2
 fail2ban_bantime: 3600
 fail2ban_services:
  - name: sshd
    port: 22
    maxretry: 5
    bantime: -1

 ### geerlingguy.redis
 redis_appendonly: "yes"
 redis_databases: 5

 ### geerlingguy.postgresql
 # postgresql_locales:
 #   - 'en_US.UTF-8'
 #   - 'pt_BR.UTF-8'
 # postgresql_users:
 #   - name: __DB_USER__
 #     password: "{{ postgresql_database_password }}"
 # postgresql_databases:
 #   - name: __DB_NAME__
 #     owner: __DB_USER__
 # postgresql_hba_entries:
 #   - { type: local, database: all, user: postgres, auth_method: peer }
 #   - { type: local, database: all, user: __DB_USER__, auth_method: peer }
 #   - { type: local, database: all, user: all, auth_method: peer }
 #   - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
 #   - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }

 ### geerlingguy.php-versions
 ### geerlingguy.php
 ### geerlingguy.php-pgsql
 php_version: '7.4'
 php_default_version_debian: "7.4"
 php_install_recommends: false
 php_packages_extra:
  - php7.4-bcmath
  - php7.4-intl
  - php7.4-pspell
  - php7.4-soap
  - php7.4-zip
 php_enable_webserver: false
 php_enable_php_fpm: true
 php_date_timezone: "America/Sao_Paulo"
 php_upload_max_filesize: "20M"
 php_post_max_size: "64M"
 php_allow_url_fopen: "On"
 php_expose_php: "Off"
 php_pgsql_package: php7.4-pgsql

 ### geerlingguy.certbot
 certbot_auto_renew: false
 certbot_admin_email: __ADMIN__EMAIL__
 certbot_create_if_missing: true
 certbot_create_standalone_stop_services: []
 certbot_certs:
  - domains:
      - __APPLICATION__DOMAIN__

 ### geerlingguy.nginx
 nginx_remove_default_vhost: true
 nginx_vhosts:
  - listen: 80
    root: /var/www/html
    server_name: __APPLICATION__DOMAIN__
    return: 301 https://__APPLICATION__DOMAIN__$request_uri
    filename: __APPLICATION__DOMAIN__.80.conf
  - listen: 443 ssl http2
    server_name: __APPLICATION__DOMAIN__
    root: /home/app/__APPLICATION__DOMAIN__/current/public
    index: index.php index.html index.htm
    access_log: /var/log/nginx/__APPLICATION__DOMAIN__-access.log
    error_log: /var/log/nginx/__APPLICATION__DOMAIN__-error.log
    filename: __APPLICATION__DOMAIN__.443.conf
    extra_parameters: |
      location / {
          try_files $uri $uri/ /index.php?$query_string;
      }
      location ~ \.php$ {
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          include fastcgi_params;
      }
      location ~ /\.ht {
          deny all;
      }
      ssl_certificate     /etc/letsencrypt/live/__APPLICATION__DOMAIN__/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/__APPLICATION__DOMAIN__/privkey.pem;
      ssl_protocols       TLSv1.1 TLSv1.2;
      ssl_ciphers         HIGH:!aNULL:!MD5;

 ### geerlingguy.supervisor
 supervisor_started: false
 supervisor_programs:
  - name: 'app-worker'
    # command: php /home/app/__APPLICATION__DOMAIN__/current/artisan queue:work --sleep=3
    command: php /home/app/__APPLICATION__DOMAIN__/current/artisan horizon
    state: present
    configuration: |
      process_name=%(program_name)s_%(process_num)02d
      autostart=true
      autorestart=true
      user=app
      numprocs=1
      redirect_stderr=true
      stdout_logfile=/home/app/__APPLICATION__DOMAIN__/shared/storage/logs/queue-worker.log
      stopwaitsecs=3600
 # supervisor_password: "{{ supervisor_ctl_password }}"
 supervisor_password: __SUPERVISOR__PASS__

 ### manala.cron
 manala_cron_files:
  - file: app
    user: app
    jobs:
      - name: scheduler
        job: "cd /home/app/__APPLICATION__DOMAIN__/current/ && php artisan schedule:run >> /dev/null 2>&1"
  - file: root
    user: root
    jobs:
      - name: cerbot
        job: "systemctl stop nginx.service && certbot renew --quiet --no-self-upgrade && systemctl start nginx.service"
        minute: 30
        hour: 3
	all:
	children:
	production:
	hosts:
	__APPLICATION__DOMAIN__:
	ansible_host: __APPLICATION__IP__
	# ansible_ssh_private_key_file: ~/.ssh/id_rsa
	ifeq ($(wildcard ./inventory.local.yml),)
	INVENTORY_FILE = inventory.yml
	else
	INVENTORY_FILE = inventory.local.yml
	endif

	local-inventory:
	cp -vf ./inventory.yml ./inventory.local.yml

	check-inventory:
	echo $(INVENTORY_FILE)

	## == INFRA ============================================================================================================
	prepare: playbook--prepare.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--prepare.yml
	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--prepare.yml

	software: playbook--software.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--software.yml
	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--software.yml

	after: playbook--after.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--software.yml
	# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--after.yml

	## =====================================================================================================================
	- hosts: production
	remote_user: app
	become: yes
	vars_files:
	# - vars/production-secrets.yml
	- vars/production.yml
	roles:
	- role: geerlingguy.pip
	- role: geerlingguy.supervisor
	- role: manala.cron
	- hosts: production
	remote_user: root
	vars_files:
	# - vars/production-secrets.yml
	- vars/production.yml
	roles:
	- setup
	- oefenweb.fail2ban
	### ssh.yml
	security_ssh_config_path: /etc/ssh/sshd_config
	security_sshd_name: ssh

	security_ssh_port: 22
	security_ssh_password_authentication: "no"
	security_ssh_permit_root_login: "no"
	security_ssh_usedns: "no"
	security_ssh_permit_empty_password: "no"
	security_ssh_challenge_response_auth: "no"
	security_ssh_gss_api_authentication: "no"
	security_ssh_x11_forwarding: "no"

	security_sudoers_passwordless: []
	security_sudoers_passworded: []
	- name: restart ssh
	service: "name={{ security_sshd_name }} state=restarted"
	- name: Set timezone
	timezone:
	name: America/Sao_Paulo

	- name: apt update
	apt:
	update_cache: yes
	force: yes

	- name: Setup groups
	group:
	name: "{{ item }}"
	state: present
	loop:
	- app
	- www-data

	- name: Setup user app
	user:
	name: app
	state: present
	append: yes
	groups:
	- app
	- admin
	- www-data
	shell: /bin/bash
	home: /home/app
	generate_ssh_key: yes
	ssh_key_bits: 2048
	ssh_key_file: .ssh/id_rsa

	- name: Copy authorized keys from root
	copy:
	remote_src: yes
	src: /root/.ssh/authorized_keys
	dest: /home/app/.ssh/authorized_keys
	owner: app
	group: app
	mode: '0644'

	# Retrieved from geerlingguy.security
	- include_tasks: ssh.yml

	- name: Install unzip package
	apt:
	name: unzip
	state: present
	update_cache: yes
	---
	- name: Update SSH configuration to be more secure.
	lineinfile:
	dest: "{{ security_ssh_config_path }}"
	regexp: "{{ item.regexp }}"
	line: "{{ item.line }}"
	state: present
	with_items:
	- regexp: "^PasswordAuthentication"
	line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
	- regexp: "^PermitRootLogin"
	line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
	- regexp: "^Port"
	line: "Port {{ security_ssh_port }}"
	- regexp: "^UseDNS"
	line: "UseDNS {{ security_ssh_usedns }}"
	- regexp: "^PermitEmptyPasswords"
	line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
	- regexp: "^ChallengeResponseAuthentication"
	line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
	- regexp: "^GSSAPIAuthentication"
	line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
	- regexp: "^X11Forwarding"
	line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
	notify: restart ssh

	- name: Add configured user accounts to passwordless sudoers.
	lineinfile:
	dest: /etc/sudoers
	regexp: '^{{ item }}'
	line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
	state: present
	validate: 'visudo -cf %s'
	with_items: "{{ security_sudoers_passwordless }}"
	when: security_sudoers_passwordless \| length > 0

	- name: Add configured user accounts to passworded sudoers.
	lineinfile:
	dest: /etc/sudoers
	regexp: '^{{ item }}'
	line: '{{ item }} ALL=(ALL) ALL'
	state: present
	validate: 'visudo -cf %s'
	with_items: "{{ security_sudoers_passworded }}"
	when: security_sudoers_passworded \| length > 0
	ansible-galaxy -p roles oefenweb.fail2ban

	ansible-galaxy -p roles geerlingguy.git
	# ansible-galaxy -p roles geerlingguy.postgresql
	ansible-galaxy -p roles geerlingguy.redis
	ansible-galaxy -p roles geerlingguy.php-versions
	ansible-galaxy -p roles geerlingguy.php
	ansible-galaxy -p roles geerlingguy.php-pgsql
	ansible-galaxy -p roles geerlingguy.php-redis
	ansible-galaxy -p roles geerlingguy.composer
	ansible-galaxy -p roles geerlingguy.nodejs
	ansible-galaxy -p roles ocha.yarn
	ansible-galaxy -p roles geerlingguy.certbot
	ansible-galaxy -p roles geerlingguy.nginx


	ansible-galaxy -p roles geerlingguy.pip
	ansible-galaxy -p roles geerlingguy.supervisor
	ansible-galaxy -p roles manala.cron
	### voxconexao.setup
	security_sudoers_passwordless:
	- app

	### oefenweb.fail2ban
	fail2ban_loglevel: 2
	fail2ban_bantime: 3600
	fail2ban_services:
	- name: sshd
	port: 22
	maxretry: 5
	bantime: -1

	### geerlingguy.redis
	redis_appendonly: "yes"
	redis_databases: 5

	### geerlingguy.postgresql
	# postgresql_locales:
	# - 'en_US.UTF-8'
	# - 'pt_BR.UTF-8'
	# postgresql_users:
	# - name: __DB_USER__
	# password: "{{ postgresql_database_password }}"
	# postgresql_databases:
	# - name: __DB_NAME__
	# owner: __DB_USER__
	# postgresql_hba_entries:
	# - { type: local, database: all, user: postgres, auth_method: peer }
	# - { type: local, database: all, user: __DB_USER__, auth_method: peer }
	# - { type: local, database: all, user: all, auth_method: peer }
	# - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
	# - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }

	### geerlingguy.php-versions
	### geerlingguy.php
	### geerlingguy.php-pgsql
	php_version: '7.4'
	php_default_version_debian: "7.4"
	php_install_recommends: false
	php_packages_extra:
	- php7.4-bcmath
	- php7.4-intl
	- php7.4-pspell
	- php7.4-soap
	- php7.4-zip
	php_enable_webserver: false
	php_enable_php_fpm: true
	php_date_timezone: "America/Sao_Paulo"
	php_upload_max_filesize: "20M"
	php_post_max_size: "64M"
	php_allow_url_fopen: "On"
	php_expose_php: "Off"
	php_pgsql_package: php7.4-pgsql

	### geerlingguy.certbot
	certbot_auto_renew: false
	certbot_admin_email: __ADMIN__EMAIL__
	certbot_create_if_missing: true
	certbot_create_standalone_stop_services: []
	certbot_certs:
	- domains:
	- __APPLICATION__DOMAIN__

	### geerlingguy.nginx
	nginx_remove_default_vhost: true
	nginx_vhosts:
	- listen: 80
	root: /var/www/html
	server_name: __APPLICATION__DOMAIN__
	return: 301 https://__APPLICATION__DOMAIN__$request_uri
	filename: __APPLICATION__DOMAIN__.80.conf
	- listen: 443 ssl http2
	server_name: __APPLICATION__DOMAIN__
	root: /home/app/__APPLICATION__DOMAIN__/current/public
	index: index.php index.html index.htm
	access_log: /var/log/nginx/__APPLICATION__DOMAIN__-access.log
	error_log: /var/log/nginx/__APPLICATION__DOMAIN__-error.log
	filename: __APPLICATION__DOMAIN__.443.conf
	extra_parameters: \|
	location / {
	try_files $uri $uri/ /index.php?$query_string;
	}
	location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass 127.0.0.1:9000;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	}
	location ~ /\.ht {
	deny all;
	}
	ssl_certificate /etc/letsencrypt/live/__APPLICATION__DOMAIN__/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/__APPLICATION__DOMAIN__/privkey.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!MD5;

	### geerlingguy.supervisor
	supervisor_started: false
	supervisor_programs:
	- name: 'app-worker'
	# command: php /home/app/__APPLICATION__DOMAIN__/current/artisan queue:work --sleep=3
	command: php /home/app/__APPLICATION__DOMAIN__/current/artisan horizon
	state: present
	configuration: \|
	process_name=%(program_name)s_%(process_num)02d
	autostart=true
	autorestart=true
	user=app
	numprocs=1
	redirect_stderr=true
	stdout_logfile=/home/app/__APPLICATION__DOMAIN__/shared/storage/logs/queue-worker.log
	stopwaitsecs=3600
	# supervisor_password: "{{ supervisor_ctl_password }}"
	supervisor_password: __SUPERVISOR__PASS__

	### manala.cron
	manala_cron_files:
	- file: app
	user: app
	jobs:
	- name: scheduler
	job: "cd /home/app/__APPLICATION__DOMAIN__/current/ && php artisan schedule:run >> /dev/null 2>&1"
	- file: root
	user: root
	jobs:
	- name: cerbot
	job: "systemctl stop nginx.service && certbot renew --quiet --no-self-upgrade && systemctl start nginx.service"
	minute: 30
	hour: 3