network/roles/firewall_master/tasks/web.yml

---
- name: Install packages
  package:
    name: git,inotify-tools,nginx,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools

- name: Clone web files
  become: yes
  become_user: friwall
  become_method: su
  become_flags: "-s /bin/sh"
  git:
    repo: "{{ friwall_repo }}"
    dest: /srv/friwall/app
    force: yes
  notify: reload uwsgi

- name: Install requirements
  become: yes
  become_user: friwall
  become_method: su
  become_flags: '-s /bin/sh'
  pip:
    requirements: /srv/friwall/app/requirements.txt
    extra_args: --user

- name: Configure base settings
  template:
    dest: "/srv/friwall/{{ item }}"
    src: "{{ item }}.j2"
    owner: friwall
    group: friwall
    mode: 0600
    force: no
  loop:
    - nodes.json
    - settings.json
  notify: restart uwsgi

- name: Configure list of networks
  template:
    dest: "/srv/friwall/networks.json"
    src: "networks.json.j2"
    owner: friwall
    group: friwall
    mode: 0600

- name: Configure uwsgi
  copy:
    dest: /etc/uwsgi/
    src: uwsgi.ini
  notify: restart uwsgi

- name: Configure uwsgi instance
  copy:
    dest: /etc/uwsgi/conf.d/
    src: friwall.ini
    owner: friwall
    group: friwall

- name: Enable uwsgi
  service:
    name: uwsgi
    enabled: yes
    state: started

- name: Configure nginx instance
  template:
    dest: /etc/nginx/http.d/friwall.conf
    src: nginx.conf.j2
  notify: reload nginx

- name: Run nginx in default VRF
  lineinfile:
    path: /etc/conf.d/nginx
    line: "vrf=\"default\""
  notify: restart nginx

- name: Enable nginx
  service:
    name: nginx
    enabled: yes
    state: started

- name: Install config pusher initscript
  copy:
    dest: /etc/init.d/pusher
    src: pusher.initd
    mode: 0755
  notify: restart pusher

- name: Enable config pusher service
  service:
    name: pusher
    enabled: true
    state: started

- name: Regenerate config daily
  cron:
    name: "regenerate config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"
    user: friwall
    hour: "3"
    minute: "33"

- name: Try (re-)pushing config periodically
  cron:
    name: "push config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask push"
    user: friwall
    minute: "*/15"
Initial commit, squashed 2023-12-18 10:22:14 +00:00			`---`
			`- name: Install packages`
			`package:`
			`name: git,inotify-tools,nginx,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools`

			`- name: Clone web files`
			`become: yes`
			`become_user: friwall`
			`become_method: su`
			`become_flags: "-s /bin/sh"`
			`git:`
			`repo: "{{ friwall_repo }}"`
			`dest: /srv/friwall/app`
			`force: yes`
			`notify: reload uwsgi`

			`- name: Install requirements`
			`become: yes`
			`become_user: friwall`
			`become_method: su`
			`become_flags: '-s /bin/sh'`
			`pip:`
			`requirements: /srv/friwall/app/requirements.txt`
			`extra_args: --user`

			`- name: Configure base settings`
			`template:`
			`dest: "/srv/friwall/{{ item }}"`
			`src: "{{ item }}.j2"`
			`owner: friwall`
			`group: friwall`
			`mode: 0600`
			`force: no`
			`loop:`
			`- nodes.json`
			`- settings.json`
			`notify: restart uwsgi`

			`- name: Configure list of networks`
			`template:`
			`dest: "/srv/friwall/networks.json"`
			`src: "networks.json.j2"`
			`owner: friwall`
			`group: friwall`
			`mode: 0600`

			`- name: Configure uwsgi`
			`copy:`
			`dest: /etc/uwsgi/`
			`src: uwsgi.ini`
			`notify: restart uwsgi`

			`- name: Configure uwsgi instance`
			`copy:`
			`dest: /etc/uwsgi/conf.d/`
			`src: friwall.ini`
			`owner: friwall`
			`group: friwall`

			`- name: Enable uwsgi`
			`service:`
			`name: uwsgi`
			`enabled: yes`
			`state: started`

			`- name: Configure nginx instance`
			`template:`
			`dest: /etc/nginx/http.d/friwall.conf`
			`src: nginx.conf.j2`
			`notify: reload nginx`

			`- name: Run nginx in default VRF`
			`lineinfile:`
			`path: /etc/conf.d/nginx`
			`line: "vrf=\"default\""`
			`notify: restart nginx`

			`- name: Enable nginx`
			`service:`
			`name: nginx`
			`enabled: yes`
			`state: started`

			`- name: Install config pusher initscript`
			`copy:`
			`dest: /etc/init.d/pusher`
			`src: pusher.initd`
			`mode: 0755`
			`notify: restart pusher`

			`- name: Enable config pusher service`
			`service:`
			`name: pusher`
			`enabled: true`
			`state: started`

			`- name: Regenerate config daily`
			`cron:`
			`name: "regenerate config"`
			`job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"`
			`user: friwall`
			`hour: "3"`
			`minute: "33"`

			`- name: Try (re-)pushing config periodically`
			`cron:`
			`name: "push config"`
			`job: "cd ~/app ; FLASK_APP=web python3 -m flask push"`
			`user: friwall`
			`minute: "*/15"`