From fecc1d77d4eebc10dd766b7fd89505ee74bd99d7 Mon Sep 17 00:00:00 2001 
From: Joerg Lehmann
Date: Fri, 9 Apr 2021 19:57:32 +0200
Subject: [PATCH] Initial commit
---
.gitignore | 1 +
README.md | 101 ++++++++++
ansible/mini-beieli-server.yml | 13 ++
ansible/production | 12 ++
ansible/roles/aide/files/aide-update | 4 +
ansible/roles/aide/files/aide.conf.local | 1 +
ansible/roles/aide/handlers/main.yml | 3 +
ansible/roles/aide/tasks/main.yml | 42 +++++
ansible/roles/common/files/jail.local | 2 +
ansible/roles/common/handlers/main.yml | 30 +++
ansible/roles/common/tasks/main.yml | 172 ++++++++++++++++++
ansible/roles/common/templates/hosts.j2 | 16 ++
ansible/roles/influxsw/handlers/main.yml | 5 +
ansible/roles/influxsw/tasks/main.yml | 33 ++++
.../roles/influxsw/templates/telegraf.conf.j2 | 31 ++++
.../mini-beieli-lorahandler/handlers/main.yml | 3 +
.../mini-beieli-lorahandler/tasks/main.yml | 15 ++
.../roles/mini-beieli-web/handlers/main.yml | 3 +
ansible/roles/mini-beieli-web/tasks/main.yml | 7 +
ansible/roles/nginx/handlers/main.yml | 5 +
ansible/roles/nginx/tasks/main.yml | 27 +++
ansible/roles/nginx/templates/nginx.conf.j2 | 74 ++++++++
ansible/roles/nginx/templates/vhost.j2 | 18 ++
ansible/roles/nginx/templates/vserver.conf.j2 | 9 +
ansible/roles/redis/tasks/main.yml | 10 +
25 files changed, 637 insertions(+)
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 ansible/mini-beieli-server.yml
create mode 100644 ansible/production
create mode 100644 ansible/roles/aide/files/aide-update
create mode 100644 ansible/roles/aide/files/aide.conf.local
create mode 100644 ansible/roles/aide/handlers/main.yml
create mode 100644 ansible/roles/aide/tasks/main.yml
create mode 100644 ansible/roles/common/files/jail.local
create mode 100644 ansible/roles/common/handlers/main.yml
create mode 100644 ansible/roles/common/tasks/main.yml
create mode 100644 ansible/roles/common/templates/hosts.j2
create mode 100644 ansible/roles/influxsw/handlers/main.yml
create mode 100644 ansible/roles/influxsw/tasks/main.yml
create mode 100644 ansible/roles/influxsw/templates/telegraf.conf.j2
create mode 100644 ansible/roles/mini-beieli-lorahandler/handlers/main.yml
create mode 100644 ansible/roles/mini-beieli-lorahandler/tasks/main.yml
create mode 100644 ansible/roles/mini-beieli-web/handlers/main.yml
create mode 100644 ansible/roles/mini-beieli-web/tasks/main.yml
create mode 100644 ansible/roles/nginx/handlers/main.yml
create mode 100644 ansible/roles/nginx/tasks/main.yml
create mode 100644 ansible/roles/nginx/templates/nginx.conf.j2
create mode 100644 ansible/roles/nginx/templates/vhost.j2
create mode 100644 ansible/roles/nginx/templates/vserver.conf.j2
create mode 100644 ansible/roles/redis/tasks/main.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..61962e6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+hcloud/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..95267cb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,101 @@
+# mini-beieli-server - Bienenstock Ueberwachung
+
+Code zum Erstellen des Servers
+
+Spezifikaktion:
+- CentOS 8
+- Hetzner Cloud Server
+- nginx Webserver/Proxy
+- mini-beieli-web (Webapplikation/Golang)
+- lorahandler (Webapplikation/Golang)
+- Redis
+- InfluxDB
+
+## Erstellen des Servers
+
+Mit dem Binary hcloud von:
+https://github.com/hetznercloud/cli
+
+Temporaer einen API Key erstellen (nachher wieder loeschen)
+
+$ hcloud context create mini-beieli-server
+$ hcloud image list # zeigt moegliche Images
+$ hcloud server-type list # zeigt moegliche Typen
+
+$ hcloud server create --name mb1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch
+$ hcloud server set-rdns mb1 --hostname mb1.nbit.ch
+$ IPV6="$(hcloud server ip mb1 -6)"
+$ hcloud server set-rdns mb1 --ip $IPV6 --hostname mb1.nbit.ch
+
+DNS Eintraege erstellen:
+$ hcloud server ip mb1
+$ hcloud server ip mb1 -6
+
+Root-Passwort setzen (das machen wir von Hand)
+
+## Ansible Playbook laufen lassen
+
+$ cd ansible
+$ ansible-playbook -i production mini-beieli-server.yml --limit mb1.mini-beieli.ch # or mb2.mini-beieli.ch
+
+Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)!
+
+
+
+Root-Passwort setzen (das machen wir von Hand)
+
+`
+# yum update
+`
+
+### Let's Encrypt Zertifikat einrichten
+
+`
+# curl https://get.acme.sh | sh -s email=info@nbit.ch
+# systemctl stop nginx
+# acme.sh --issue -d mini-beieli.ch -d www.mini-beieli.ch -w /home/appuser/wo-bisch-web --standalone
+# restorecon -irv /etc/letsencrypt
+
+
+[Sa Feb 27 17:27:34 CET 2021] Your cert is in /root/.acme.sh/mini-beieli.ch/mini-beieli.ch.cer
+[Sa Feb 27 17:27:34 CET 2021] Your cert key is in /root/.acme.sh/mini-beieli.ch/mini-beieli.ch.key
+[Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in /root/.acme.sh/mini-beieli.ch/ca.cer
+[Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there: /root/.acme.sh/mini-beieli.ch/fullchain.cer
+
+Install Certificate:
+# acme.sh --install-cert -d mini-beieli.ch --key-file /etc/letsencrypt/mini-beieli.ch/mini-beieli.ch.key --fullchain-file /etc/letsencrypt/mini-beieli.ch/fullchain.cer --reloadcmd "service nginx force-reload"
+`
+
+### Influxdb Users
+
+mb1:
+
+admin: admin7355
+Org: minibeieliorg
+Bucket: minibeielibucket
+RW-Token:
+RO-Token:
+
+mb2:
+
+admin: admin7355
+Org: minibeieliorg
+Bucket: minibeielibucket
+RW-Token:
+RO-Token:
+
+## Redis Dump
+
+Backup/Restore Tool fuer Redis von https://github.com/yannh/redis-dump-go
+
+`
+# cd /var/tmp && wget https://github.com/yannh/redis-dump-go/releases/download/v0.4.1/redis-dump-go-linux-amd64.tar.gz
+# tar xzvf redis-dump-go-linux-amd64.tar.gz
+# cp redis-dump-go /usr/local/bin
+
+Zum Backup:
+$ redis-dump-go -output commands >redis-backup-$(date +%Y%m%W).out
+
+Zum Restore:
+$ redis-cli --pipe < redis-backup.out
+`
diff --git a/ansible/mini-beieli-server.yml b/ansible/mini-beieli-server.yml
new file mode 100644
index 0000000..acb4669
--- /dev/null
+++ b/ansible/mini-beieli-server.yml
@@ -0,0 +1,13 @@
+---
+# file: mini-beieli-server.yml
+- hosts: mini_beieli_servers
+ vars:
+ ansible_ssh_pipelining: yes
+ roles:
+ - common
+ - aide
+ - nginx
+ - redis
+ - influxsw
+ - lorahandler
+ - mini-beieli-web
diff --git a/ansible/production b/ansible/production
new file mode 100644
index 0000000..fabd5e1
--- /dev/null
+++ b/ansible/production
@@ -0,0 +1,12 @@
+[all:vars]
+ansible_user=root
+my_domain=mini-beieli.ch
+zabbix_server_ip=195.201.222.24
+mailserver=mail.nbit.ch
+mail_forward_address=joerg.lehmann@nbit.ch
+document_root=/home/beieli/mini-beieli-web
+
+[mini_beieli_servers]
+mb1.mini-beieli.ch letsEncryptDomain=dev.mini-beieli.ch influx_token=XXX
+mb2.mini-beieli.ch letsEncryptDomain=mini-beieli.ch influx_token=YYY
+
diff --git a/ansible/roles/aide/files/aide-update b/ansible/roles/aide/files/aide-update
new file mode 100644
index 0000000..ddb8c66
--- /dev/null
+++ b/ansible/roles/aide/files/aide-update
@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/aide -c /etc/aide.conf --init
+/bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
diff --git a/ansible/roles/aide/files/aide.conf.local b/ansible/roles/aide/files/aide.conf.local
new file mode 100644
index 0000000..1aa3856
--- /dev/null
+++ b/ansible/roles/aide/files/aide.conf.local
@@ -0,0 +1 @@
+!/root/.ansible/tmp
diff --git a/ansible/roles/aide/handlers/main.yml b/ansible/roles/aide/handlers/main.yml
new file mode 100644
index 0000000..7825d8e
--- /dev/null
+++ b/ansible/roles/aide/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: update aide database
+ action: command /usr/local/bin/aide-update
diff --git a/ansible/roles/aide/tasks/main.yml b/ansible/roles/aide/tasks/main.yml
new file mode 100644
index 0000000..6a5c3cc
--- /dev/null
+++ b/ansible/roles/aide/tasks/main.yml
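Review bot: The role list in ansible/mini-beieli-server.yml names `lorahandler`, but the role directory this commit creates is `ansible/roles/mini-beieli-lorahandler`, so the play will presumably stop at role resolution unless another roles path supplies a role of that name. Change the entry to `- mini-beieli-lorahandler`. A one-line comment above `roles:` noting that the order matters (common creates the `beieli` user and directories the later roles label) would also help the next reader.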
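Review bot: `influx_token=` is defined per host directly in ansible/production, so the real InfluxDB tokens end up in plain text in the repository as soon as the `XXX`/`YYY` placeholders are filled in. Move the variable into an Ansible Vault-encrypted `host_vars` file and keep only the host names and non-secret settings in the inventory. The README added in this same commit also records an `admin:` value for InfluxDB that looks like a password; if it is one, it should be rotated and taken out of the file. `ansible_user=root` makes every run a direct root SSH login, where a dedicated account with `become: yes` would leave a per-operator trail.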
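Review bot: The `/bin/cp` in ansible/roles/aide/files/aide-update runs even when `aide --init` fails, so a failed or partial initialisation can replace the reference database with a stale or truncated `aide.db.new.gz`. Chain the two commands with `&&`, or add `set -e` directly after the shebang. Since this script re-baselines whatever is on disk at that moment, a header comment such as `# Re-initialises the AIDE baseline; run only after pending changes have been reviewed` would make the trust assumption explicit.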
@@ -0,0 +1,42 @@
+---
+- name: Install aide
+ yum:
+ name: aide
+
+- name: Remove all the current ignore list in aide.conf
+ lineinfile:
+ dest: /etc/aide.conf
+ backup: yes
+ regexp: "^#!|!/"
+ state: absent
+
+- name: change up aide.conf to standards set in aide_ignore_list var
+ lineinfile:
+ dest: /etc/aide.conf
+ line: "@@include /etc/aide.conf.local"
+ insertafter: EOF
+ state: present
+
+- name: copy aide.conf.local
+ copy:
+ src: aide.conf.local
+ dest: /etc/aide.conf.local
+ mode: '0600'
+
+- name: copy aide-update script
+ copy:
+ src: aide-update
+ dest: /usr/local/bin/aide-update
+ mode: '0755'
+
+- name: Add crontab to check aide nightly
+ cron:
+ cron_file: aide_check
+ user: root
+ name: "Check Aide DB nightly"
+ hour: "23"
+ minute: "45"
+ job: "/usr/sbin/aide --check"
+
+ notify:
+ - update aide database
diff --git a/ansible/roles/common/files/jail.local b/ansible/roles/common/files/jail.local
new file mode 100644
index 0000000..9eb356c
--- /dev/null
+++ b/ansible/roles/common/files/jail.local
@@ -0,0 +1,2 @@
+[sshd]
+enabled = true
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
new file mode 100644
index 0000000..ca31030
--- /dev/null
+++ b/ansible/roles/common/handlers/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Restart ssh
+ service:
+ name=sshd
+ state=restarted
+
+- name: Restart zabbix-agent
+ service:
+ name=zabbix-agent
+ state=restarted
+
+- name: Restart postfix
+ service:
+ name=postfix
+ state=restarted
+
+- name: Restart fail2ban
+ service:
+ name=fail2ban
+ state=restarted
+
+- name: reload firewalld
+ systemd:
+ name=firewalld
+ state=reloaded
+
+- name: Restore selinux context
+ command: restorecon -irv /home/beieli/mini-beieli-web
+
+
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
new file mode 100644
index 0000000..7073460
--- /dev/null
+++ b/ansible/roles/common/tasks/main.yml
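Review bot: The pattern `regexp: "^#!|!/"` in the "Remove all the current ignore list" task of ansible/roles/aide/tasks/main.yml is anchored only in its first alternative, so it deletes every line of /etc/aide.conf that contains `!/` anywhere, not just exclusion rules. `regexp: '^#?!/'` limits the match to lines that begin with an exclusion, commented or not. The `notify: update aide database` appears to belong to the cron task only (indentation is lost in this view); if so, later edits to aide.conf.local never trigger a re-initialisation, and it is worth confirming which tasks were meant to notify. The task name "change up aide.conf to standards set in aide_ignore_list var" refers to a variable that does not exist in this commit and should describe the `@@include` line it actually adds.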
@@ -0,0 +1,172 @@
+---
+- name: install basic packages
+ yum:
+ name: "{{ packages }}"
+ vars:
+ packages:
+ - langpacks-en
+ - langpacks-de
+ - glibc-all-langpacks
+ - podman
+ - sysstat
+ - mailx
+ - bind-utils
+ - epel-release
+ - setroubleshoot-server
+ - socat
+ - unzip
+ - wget
+ - git
+ - bzip2
+
+- name: Enable SELinux
+ selinux:
+ policy: targeted
+ state: enforcing
+
+- name: disable kdump
+ systemd:
+ name: kdump
+ enabled: no
+
+- name: Add Group beieli
+ group:
+ name: beieli
+ gid: 1000
+ state: present
+
+- name: Add User beieli
+ user:
+ name: beieli
+ shell: /bin/bash
+ uid: 1000
+ group: beieli
+
+- name: Change permission of /home/beieli
+ file:
+ path: /home/beieli
+ state: directory
+ owner: beieli
+ group: beieli
+ mode: '0755'
+
+- name: Create /home/beieli/mini-beieli-web
+ file:
+ path: /home/beieli/mini-beieli-web
+ state: directory
+ owner: beieli
+ group: beieli
+ mode: '0755'
+
+- name: Allow apache to read files in /home/beieli/mini-beieli-web
+ sefcontext:
+ target: '/home/beieli/mini-beieli-web(/.*)?'
+ setype: httpd_sys_content_t
+ state: present
+ notify:
+ - Restore selinux context
+
+- name: allow root SSH with key only
+ lineinfile: dest=/etc/ssh/sshd_config
+ regexp="^PermitRootLogin"
+ line="PermitRootLogin without-password"
+ state=present
+ notify: Restart ssh
+
+- name: create /etc/hosts from template
+ template:
+ src: hosts.j2
+ dest: /etc/hosts
+ owner: root
+ group: root
+ backup: yes
+ mode: '0644'
+
+- name: install zabbix agent
+ yum:
+ name: zabbix40-agent
+
+- name: enable zabbix agent
+ systemd:
+ name: zabbix-agent
+ enabled: yes
+
+- name: zabbix config
+ lineinfile: dest=/etc/zabbix/zabbix_agentd.conf
+ regexp="^Server="
+ line="Server={{ zabbix_server_ip }}"
+ state=present
+ notify: Restart zabbix-agent
+
+- name: install postfix
+ yum:
+ name: postfix
+
+- name: enable postfix
+ systemd:
+ name: postfix
+ enabled: yes
+
+- name: postfix config
+ lineinfile: dest=/etc/postfix/main.cf
+ regexp="^relayhost"
+ line="relayhost = [{{ mailserver }}]:25"
+ state=present
+ notify: Restart postfix
+
+- name: postfix config
+ lineinfile: dest=/etc/postfix/main.cf
+ regexp="^myhostname"
+ line="myhostname = {{ ansible_hostname }}.{{ my_domain }}"
+ state=present
+ notify: Restart postfix
+
+- name: create .forward file
+ copy:
+ dest: "/root/.forward"
+ content: "{{ mail_forward_address }}\n"
+
+- name: install fail2ban
+ yum:
+ name: fail2ban
+
+- name: enable fail2ban
+ systemd:
+ name: fail2ban
+ enabled: yes
+
+- name: copy fail2ban config
+ copy:
+ src: jail.local
+ dest: /etc/fail2ban/jail.local
+ mode: '0644'
+ notify: Restart fail2ban
+
+- name: setup firewalld rules - services
+ firewalld:
+ service: "{{ item }}"
+ permanent: yes
+ state: enabled
+ loop:
+ - ssh
+ - http
+ - https
+ notify: reload firewalld
+
+- name: setup firewalld rules - remove services
+ firewalld:
+ service: "{{ item }}"
+ permanent: yes
+ state: disabled
+ loop:
+ - cockpit
+ notify: reload firewalld
+
+- name: setup firewalld rules - ports
+ firewalld:
+ port: "{{ item }}"
+ permanent: yes
+ state: enabled
+ loop:
+ - 10050/tcp
+ notify: reload firewalld
diff --git a/ansible/roles/common/templates/hosts.j2 b/ansible/roles/common/templates/hosts.j2
new file mode 100644
index 0000000..a2480d4
--- /dev/null
+++ b/ansible/roles/common/templates/hosts.j2
@@ -0,0 +1,16 @@
+# Your system has configured 'manage_etc_hosts' as True.
+# As a result, if you wish for changes to this file to persist
+# then you will need to either
+# a.) make changes to the master file in /etc/cloud/templates/hosts.redhat.tmpl
+# b.) change or remove the value of 'manage_etc_hosts' in
+# /etc/cloud/cloud.cfg or cloud-config from user-data
+#
+# The following lines are desirable for IPv4 capable hosts
+{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
+127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost4.localdomain4 localhost4
+
+# The following lines are desirable for IPv6 capable hosts
+{{ ansible_default_ipv6.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
+::1 localhost.localdomain localhost
+::1 localhost6.localdomain6 localhost6
diff --git a/ansible/roles/influxsw/handlers/main.yml b/ansible/roles/influxsw/handlers/main.yml
new file mode 100644
index 0000000..a6a8bf5
--- /dev/null
+++ b/ansible/roles/influxsw/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart telegraf
+ service:
+ name=telegraf
+ state=restarted
diff --git a/ansible/roles/influxsw/tasks/main.yml b/ansible/roles/influxsw/tasks/main.yml
new file mode 100644
index 0000000..f5faa07
--- /dev/null
+++ b/ansible/roles/influxsw/tasks/main.yml
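Review bot: The "setup firewalld rules - ports" task in ansible/roles/common/tasks/main.yml opens `10050/tcp` to every source address, although the only intended client is the Zabbix server already known as `zabbix_server_ip`. Replacing `port:` with `rich_rule: 'rule family="ipv4" source address="{{ zabbix_server_ip }}" port port="10050" protocol="tcp" accept'` keeps the agent unreachable from the rest of the internet, as defence in depth next to the `Server=` line. In the sshd task, `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password`, and a `validate` of `sshd -t -f %s` on that `lineinfile` would stop a broken sshd_config from being installed before the restart handler fires. The two tasks both named "postfix config" would be easier to follow in run output as "postfix relayhost" and "postfix myhostname".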
@@ -0,0 +1,33 @@
+---
+- name: Add repository
+ yum_repository:
+ name: influxrepo
+ description: InfluxDB Repository - RHEL
+ baseurl: https://repos.influxdata.com/rhel/8/x86_64/stable/
+ gpgkey: https://repos.influxdata.com/influxdb.key
+ gpgcheck: yes
+
+- name: Install influx packages
+ yum:
+ name: "{{ item }}"
+ loop:
+ - telegraf
+ - influxdb2
+
+- name: enable telegraf
+ systemd:
+ name: telegraf
+ enabled: yes
+
+- name: enable influxdb
+ systemd:
+ name: influxdb
+ enabled: yes
+ state: started
+
+- name: create telegraf config from template
+ template:
+ src: telegraf.conf.j2
+ dest: /etc/telegraf/telegraf.conf
+ mode: '0644'
+ notify: Restart telegraf
diff --git a/ansible/roles/influxsw/templates/telegraf.conf.j2 b/ansible/roles/influxsw/templates/telegraf.conf.j2
new file mode 100644
index 0000000..3e3315b
--- /dev/null
+++ b/ansible/roles/influxsw/templates/telegraf.conf.j2
@@ -0,0 +1,31 @@
+[global_tags]
+
+# Configuration for telegraf agent
+[agent]
+ interval = "10s"
+ round_interval = true
+ metric_batch_size = 1000
+ metric_buffer_limit = 100000
+ collection_jitter = "0s"
+ flush_interval = "10s"
+ flush_jitter = "0s"
+ precision = ""
+ debug = false
+ quiet = false
+ logfile = ""
+ hostname = ""
+ omit_hostname = false
+
+[[inputs.tail]]
+ files = ["/home/beieli/mini-beieli-lorahandler/mini-beieli-lorahandler.log"]
+ from_beginning = false
+ pipe = false
+ tagexclude = ["path","host"]
+ data_format = "influx"
+
+# Configuration for sending metrics to InfluxDB 2.0
+[[outputs.influxdb_v2]]
+ urls = ["http://127.0.0.1:8086"]
+ token = "{{ influx_token }}"
+ organization = "minibeieliorg"
+ bucket = "minibeielibucket"
diff --git a/ansible/roles/mini-beieli-lorahandler/handlers/main.yml b/ansible/roles/mini-beieli-lorahandler/handlers/main.yml
new file mode 100644
index 0000000..f4085ad
--- /dev/null
+++ b/ansible/roles/mini-beieli-lorahandler/handlers/main.yml
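Review bot: The "create telegraf config from template" task in ansible/roles/influxsw/tasks/main.yml installs /etc/telegraf/telegraf.conf with `mode: '0644'`, while the template added in this commit (telegraf.conf.j2) writes `token = "{{ influx_token }}"` into that file, so every local account can read the InfluxDB token. Use `owner: root`, `group: telegraf` and `mode: '0640'` (assuming the package's service account is `telegraf`), and add `no_log: true` so a `--diff` run does not print the rendered token. The role also leaves InfluxDB on its default listen address; since Telegraf only talks to `127.0.0.1:8086`, setting InfluxDB's `http-bind-address` to loopback would keep the API private without relying on firewalld alone.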
@@ -0,0 +1,3 @@
+---
+- name: Restore selinux context
+ command: restorecon -irv /home/beieli
diff --git a/ansible/roles/mini-beieli-lorahandler/tasks/main.yml b/ansible/roles/mini-beieli-lorahandler/tasks/main.yml
new file mode 100644
index 0000000..44145a7
--- /dev/null
+++ b/ansible/roles/mini-beieli-lorahandler/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Allow apache to read files in /home/beieli/mini-beieli-web
+ sefcontext:
+ target: '/home/beieli/mini-beieli-web(/.*)?'
+ setype: httpd_sys_content_t
+ state: present
+ notify:
+ - Restore selinux context
+
+- name: set SELinux permissions on binary
+ sefcontext:
+ target: "/home/beieli/mini-beieli-lorahandler/mini-beieli-lorahandler"
+ setype: bin_t
+ notify:
+ - Restore selinux context
diff --git a/ansible/roles/mini-beieli-web/handlers/main.yml b/ansible/roles/mini-beieli-web/handlers/main.yml
new file mode 100644
index 0000000..f4085ad
--- /dev/null
+++ b/ansible/roles/mini-beieli-web/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Restore selinux context
+ command: restorecon -irv /home/beieli
diff --git a/ansible/roles/mini-beieli-web/tasks/main.yml b/ansible/roles/mini-beieli-web/tasks/main.yml
new file mode 100644
index 0000000..9987a0d
--- /dev/null
+++ b/ansible/roles/mini-beieli-web/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: set SELinux permissions on binary
+ sefcontext:
+ target: "/home/beieli/mini-beieli-web/mini-beieli-web"
+ setype: bin_t
+ notify:
+ - Restore selinux context
diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..063aae3
--- /dev/null
+++ b/ansible/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart nginx
+ service:
+ name=nginx
+ state=restarted
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..498679d
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
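Review bot: The first task in ansible/roles/mini-beieli-lorahandler/tasks/main.yml repeats the `sefcontext` rule for `/home/beieli/mini-beieli-web(/.*)?` that the common role already defines, and it can be dropped from this role. This role, mini-beieli-web and common each define a handler named `Restore selinux context` with different `restorecon` paths; handler names share one namespace within a play, so which command actually runs depends on load order. Give them distinct names, for example `Restore selinux context for /home/beieli`, and update the `notify:` entries to match.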
@@ -0,0 +1,27 @@
+---
+- name: Install nginx
+ yum:
+ name: nginx
+
+- name: enable nginx
+ systemd:
+ name: nginx
+ enabled: yes
+ state: started
+
+- name: create /etc/nginx/nginx.conf from template
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart nginx
+
+- name: Allow apache to read files in /etc/letsencrypt/{{ letsEncryptDomain }}
+ sefcontext:
+ target: '/etc/letsencrypt/{{ letsEncryptDomain }}(/.*)?'
+ setype: httpd_sys_content_t
+ state: present
+ notify:
+ - Restore selinux context
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..3a664fe
--- /dev/null
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
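Review bot: The `sefcontext` task for `/etc/letsencrypt/{{ letsEncryptDomain }}` in ansible/roles/nginx/tasks/main.yml notifies `Restore selinux context`, but the nginx role defines only `Restart nginx`, and the same-named handlers in the other roles run `restorecon` on paths under /home/beieli, so this play never applies the new rule to the certificate directory. Add a handler to this role under its own name, e.g. `command: restorecon -irv /etc/letsencrypt`. The "enable nginx" task also starts the service before the template is written and before the certificate files referenced by it exist, so the first run on a fresh host probably ends in a failed restart; a comment stating that the acme.sh steps from the README must be done first would save a debugging session. `httpd_sys_content_t` is the web-content type; for a directory holding a private key, `cert_t` is likely the better fit and is worth checking against the local policy.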
@@ -0,0 +1,74 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # GZip Settings
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 10240;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript;
+ gzip_disable "MSIE [1-6]\.";
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 301 https://{{ letsEncryptDomain }}$request_uri;
+
+ }
+
+
+ server {
+ server_name mini-beieli.ch;
+ root {{ document_root }}/static;
+
+ error_page 502 /502.html;
+
+ location /lorahandler {
+ proxy_pass http://127.0.0.1:8080;
+ }
+
+ location /static {
+ autoindex off;
+ root {{ document_root }}/;
+ expires 30d;
+ }
+
+ location / { try_files $uri @mini-beieli; }
+ location @mini-beieli {
+ proxy_pass http://127.0.0.1:4000;
+ }
+
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/{{ letsEncryptDomain }}/fullchain.cer;
+ ssl_certificate_key /etc/letsencrypt/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key;
+ }
+
+}
diff --git a/ansible/roles/nginx/templates/vhost.j2 b/ansible/roles/nginx/templates/vhost.j2
new file mode 100644
index 0000000..249949c
--- /dev/null
+++ b/ansible/roles/nginx/templates/vhost.j2
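Review bot: The TLS server block in ansible/roles/nginx/templates/nginx.conf.j2 sets only the certificate paths, so protocol versions and ciphers fall back to whatever the packaged nginx and the system crypto policy default to, and the version banner stays enabled. Adding `ssl_protocols TLSv1.2 TLSv1.3;` and `server_tokens off;` makes the intended baseline explicit, and `add_header Strict-Transport-Security "max-age=31536000" always;` fits once HTTPS is confirmed for every name served. `server_name mini-beieli.ch;` is hard-coded while the redirect and the certificate paths use `{{ letsEncryptDomain }}`, which the inventory sets to `dev.mini-beieli.ch` on mb1; using the variable here keeps the three in step. Neither `proxy_pass` location forwards the client address, so if the Go services log or rate-limit by IP they will only see 127.0.0.1 unless `proxy_set_header X-Forwarded-For $remote_addr;` is added.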
@@ -0,0 +1,18 @@
+server {
+ server_name www.{{ my_domain }};
+ root /opt/nginx/www.linuxtechwhiz.info;
+
+ location / {
+ index index.html index.htm index.php;
+ }
+
+ access_log /var/log/nginx/www.linuxtechwhiz.info.access.log;
+ error_log /var/log/nginx/www.linuxtechwhiz.info.error.log;
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+}
diff --git a/ansible/roles/nginx/templates/vserver.conf.j2 b/ansible/roles/nginx/templates/vserver.conf.j2
new file mode 100644
index 0000000..e66e55d
--- /dev/null
+++ b/ansible/roles/nginx/templates/vserver.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen 80;
+ listen [::]:80;
+ root {{ document_root }};
+ server_name {{ ansible_hostname }}.{{ my_domain }};
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/ansible/roles/redis/tasks/main.yml b/ansible/roles/redis/tasks/main.yml
new file mode 100644
index 0000000..490c902
--- /dev/null
+++ b/ansible/roles/redis/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install redis
+ yum:
+ name: redis
+
+- name: enable redis
+ systemd:
+ name: redis
+ enabled: yes
+ state: started
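Review bot: No task in ansible/roles/nginx/tasks/main.yml renders vhost.j2 or vserver.conf.j2, and vhost.j2 still carries `www.linuxtechwhiz.info` paths and a PHP FastCGI block from what looks like a copied example. Unused templates are easy to wire in later without review: vserver.conf.j2 would serve `{{ document_root }}` (the application directory, which per the mini-beieli-web role also holds the binary) over plain HTTP on port 80, and the `location ~ \.php$` block hands any `.php` URI to FastCGI without a `try_files $uri =404;` guard. Drop both files from this commit, or correct them and add a header comment saying which task deploys them.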
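Review bot: The redis role in ansible/roles/redis/tasks/main.yml installs and starts the service with the package's default configuration, so nothing in the repository states whether it listens only on loopback or requires authentication. Add a task that pins `bind 127.0.0.1` and `protected-mode yes` in the Redis configuration and sets `requirepass` from a vaulted variable, so the datastore does not depend on firewalld alone. The common role installs podman, and any local process or container with host networking could otherwise reach an unauthenticated instance.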