Import friwall role from network ansible scripts

To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:01:47 +02:00 · 2024-07-04 15:01:47 +02:00 · 973522c373
commit 973522c373
parent bacfc66f7c
14 changed files with 249 additions and 1 deletions
--- a/roles/friwall/tasks/main.yml
+++ b/roles/friwall/tasks/main.yml
@ -0,0 +1,113 @@
+- name: Create friwall group
+  group:
+    name: friwall
+    system: yes
+
+- name: Create friwall user
+  user:
+    name: friwall
+    system: yes
+    home: /srv/friwall
+    shell: /sbin/nologin
+    generate_ssh_key: yes
+    ssh_key_comment: "{{ inventory_hostname }}"
+    ssh_key_type: ed25519
+
+- name: Install packages
+  package:
+    name: git,inotify-tools,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools
+
+- name: Clone web files
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: "-s /bin/sh"
+  git:
+    repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}'
+    dest: /srv/friwall/app
+    force: yes
+  notify: reload uwsgi
+
+- name: Install requirements
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: '-s /bin/sh'
+  pip:
+    requirements: /srv/friwall/app/requirements.txt
+    extra_args: --user --break-system-packages --no-warn-script-location
+  register: result
+
+- name: Configure base settings
+  template:
+    dest: "/srv/friwall/{{ item }}"
+    src: "{{ item }}.j2"
+    owner: friwall
+    group: friwall
+    mode: 0600
+    force: no
+  loop:
+    - nodes.json
+    - settings.json
+  notify: restart uwsgi
+
+- name: Configure list of networks
+  template:
+    dest: "/srv/friwall/networks.json"
+    src: "networks.json.j2"
+    owner: friwall
+    group: friwall
+    mode: 0600
+
+- name: Configure uwsgi
+  copy:
+    dest: /etc/uwsgi/
+    src: uwsgi.ini
+  notify: restart uwsgi
+
+- name: Configure uwsgi instance
+  copy:
+    dest: /etc/uwsgi/conf.d/
+    src: friwall.ini
+    owner: friwall
+    group: friwall
+
+- name: Enable uwsgi
+  service:
+    name: uwsgi
+    enabled: yes
+    state: started
+
+- name: Configure nginx instance
+  template:
+    dest: /etc/nginx/http.d/friwall.conf
+    src: nginx.conf.j2
+  notify: reload nginx
+
+- name: Install config pusher initscript
+  copy:
+    dest: /etc/init.d/pusher
+    src: pusher.initd
+    mode: 0755
+  notify: restart pusher
+
+- name: Enable config pusher service
+  service:
+    name: pusher
+    enabled: true
+    state: started
+
+- name: Regenerate config daily
+  cron:
+    name: "regenerate config"
+    job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"
+    user: friwall
+    hour: "3"
+    minute: "33"
+
+- name: Try (re-)pushing config periodically
+  cron:
+    name: "push config"
+    job: "cd ~/app ; FLASK_APP=web python3 -m flask push"
+    user: friwall
+    minute: "*/15"