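---
# Provision the friwall web host. The layout (apk package names, /etc/conf.d,
# /etc/init.d, uwsgi conf.d vassals) looks Alpine/OpenRC — adjust if not.
# The app runs as the unprivileged `friwall` user under uwsgi behind nginx;
# two cron jobs (also as friwall) regenerate and push the generated config.

- name: Install packages
  package:
    name:
      - git
      - inotify-tools
      - nginx
      - py3-pip
      - procps-ng
      - rsync
      - uwsgi
      - uwsgi-python3
      - wireguard-tools

- name: Clone web files
  # The repo URL is fetched from pass(1), i.e. it is treated as a secret and
  # may embed credentials. If it does, add `no_log: true` to this task so a
  # failed clone cannot echo the URL into the play output or CI log.
  become: true
  become_user: friwall
  become_method: su
  become_flags: '-s /bin/sh'  # presumably friwall has a nologin shell — confirm
  git:
    repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}'
    dest: /srv/friwall/app
    # Set friwall_repo_version (tag or commit) to pin what gets deployed
    # instead of tracking whatever the remote HEAD is at run time.
    # "HEAD" is the module default, so the unpinned behaviour is unchanged.
    version: '{{ friwall_repo_version | default("HEAD") }}'
    force: true  # discard local modifications in the checkout
  notify: reload uwsgi

- name: Install requirements
  # Installs whatever the checkout's requirements.txt lists, into friwall's
  # user site-packages (--user). Nothing here pins or hash-checks those
  # dependencies — that has to be done in the requirements file itself.
  become: true
  become_user: friwall
  become_method: su
  become_flags: '-s /bin/sh'
  pip:
    requirements: /srv/friwall/app/requirements.txt
    extra_args: '--user --break-system-packages'

- name: Configure base settings
  # force: false — only seeded when the file is absent; presumably these two
  # files are modified at runtime and must not be overwritten on re-runs.
  template:
    dest: '/srv/friwall/{{ item }}'
    src: '{{ item }}.j2'
    owner: friwall
    group: friwall
    mode: '0600'
    force: false
  loop:
    - nodes.json
    - settings.json
  notify: restart uwsgi

- name: Configure list of networks
  # Always re-rendered (unlike the files above); no handler is notified.
  template:
    dest: /srv/friwall/networks.json
    src: networks.json.j2
    owner: friwall
    group: friwall
    mode: '0600'

- name: Configure uwsgi
  copy:
    dest: /etc/uwsgi/
    src: uwsgi.ini
  notify: restart uwsgi

- name: Configure uwsgi instance
  # Vassal config owned by friwall — presumably for emperor tyrant mode,
  # where the vassal runs as the owner of its config file. Note this also
  # lets the app user rewrite its own uwsgi config; confirm that is intended.
  # No handler here: presumably the emperor reloads the vassal on mtime
  # change — confirm.
  copy:
    dest: /etc/uwsgi/conf.d/
    src: friwall.ini
    owner: friwall
    group: friwall

- name: Enable uwsgi
  service:
    name: uwsgi
    enabled: true
    state: started

- name: Configure nginx instance
  template:
    dest: /etc/nginx/http.d/friwall.conf
    src: nginx.conf.j2
  notify: reload nginx

- name: Run nginx in default VRF
  # regexp makes this idempotent against a pre-existing vrf=... line:
  # without it, a different existing value would be left in place and a
  # second line appended.
  lineinfile:
    path: /etc/conf.d/nginx
    regexp: '^vrf='
    line: 'vrf="default"'
  notify: restart nginx

- name: Enable nginx
  service:
    name: nginx
    enabled: true
    state: started

- name: Install config pusher initscript
  copy:
    dest: /etc/init.d/pusher
    src: pusher.initd
    mode: '0755'
  notify: restart pusher

- name: Enable config pusher service
  service:
    name: pusher
    enabled: true
    state: started

# Both cron jobs run as friwall from the checkout; `&&` (rather than `;`)
# stops flask from running in $HOME if the checkout directory is missing.
- name: Regenerate config daily
  cron:
    name: regenerate config
    user: friwall
    hour: '3'
    minute: '33'
    job: cd ~/app && FLASK_APP=web python3 -m flask generate

- name: Try (re-)pushing config periodically
  cron:
    name: push config
    user: friwall
    minute: '*/15'
    job: cd ~/app && FLASK_APP=web python3 -m flask push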