servers/roles/friwall/tasks/main.yml


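---
# Dedicated system group that owns the friwall service files below.
- name: Create friwall group
  group:
    name: friwall
    # `true` rather than `yes`: canonical YAML 1.2 boolean, consistent with
    # the `enabled: true` used later in this file.
    system: true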
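# Non-interactive service account. Its shell is /sbin/nologin, so every task
# below that runs as this user via `su` has to pass an explicit shell.
- name: Create friwall user
  user:
    name: friwall
    system: true
    home: /srv/friwall
    shell: /sbin/nologin
    # Generate an ed25519 keypair in the account's default key location; the
    # key comment records which managed host it belongs to.
    generate_ssh_key: true
    ssh_key_comment: "{{ inventory_hostname }}"
    ssh_key_type: ed25519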
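# Runtime dependencies: git/rsync/inotify for the pusher, uwsgi + python3
# for the web app, wireguard-tools for the generated configs.
- name: Install packages
  package:
    # A list instead of one comma-joined string: same packages, but each
    # entry is greppable and diffable on its own line.
    name:
      - git
      - inotify-tools
      - py3-pip
      - procps-ng
      - rsync
      - uwsgi
      - uwsgi-python3
      - wireguard-tools
    state: present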
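# Check out the application as the service user. `force: true` discards any
# local modifications under dest on every run.
# NOTE(review): if password.friwall_repo embeds credentials in the URL, git
# persists them in clear text in /srv/friwall/app/.git/config. An SSH URL
# backed by the key generated for the user above avoids that - confirm the
# intended auth method.
- name: Clone web files
  become: true
  become_user: friwall
  become_method: su
  # friwall's login shell is /sbin/nologin, so su must be given a usable one.
  become_flags: "-s /bin/sh"
  git:
    repo: '{{ password.friwall_repo }}'
    dest: /srv/friwall/app
    force: true
  notify: reload uwsgi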
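# Install the app's Python dependencies into the service user's ~/.local.
# NOTE(review): --break-system-packages disables pip's PEP 668
# "externally managed environment" guard, and requirements.txt is taken
# from the checkout as-is, so whatever pinning/hashing it carries is the
# only supply-chain control here; add --require-hashes only if that file
# is hash-pinned.
- name: Install requirements
  become: true
  become_user: friwall
  become_method: su
  # friwall's login shell is /sbin/nologin, so su must be given a usable one.
  become_flags: '-s /bin/sh'
  pip:
    requirements: /srv/friwall/app/requirements.txt
    extra_args: --user --break-system-packages --no-warn-script-location
  notify: restart uwsgi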
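# Seed the per-host JSON config files. `force: false` leaves an existing
# file untouched, so state edited on the host survives re-runs.
- name: Configure base settings
  template:
    dest: "/srv/friwall/{{ item }}"
    src: "{{ item }}.j2"
    owner: friwall
    group: friwall
    # Quoted: a bare 0600 is an octal literal under YAML 1.1 but a decimal
    # 600 under 1.2; Ansible reads the string as octal either way.
    mode: "0600"
    force: false
  loop:
    - nodes.json
    - settings.json
  notify: restart uwsgi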
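# Managed on every run (no force: false here), readable only by the
# service user.
- name: Configure list of networks
  template:
    dest: "/srv/friwall/networks.json"
    src: "networks.json.j2"
    owner: friwall
    group: friwall
    # Quoted so the mode is not re-typed by the YAML parser (see above).
    mode: "0600"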
# Global uwsgi configuration. dest ends in "/", so the file is placed as
# /etc/uwsgi/uwsgi.ini.
- name: Configure uwsgi
  copy:
    src: uwsgi.ini
    dest: /etc/uwsgi/
  notify: restart uwsgi
# Per-app uwsgi instance definition, dropped into the conf.d directory and
# owned by the service user. No mode is pinned, so a newly created file
# gets the default umask permissions.
- name: Configure uwsgi instance
  copy:
    src: friwall.ini
    dest: /etc/uwsgi/conf.d/
    owner: friwall
    group: friwall
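# Start uwsgi now and on boot. `true` instead of `yes` keeps the boolean
# style consistent with the pusher service task below.
- name: Enable uwsgi
  service:
    name: uwsgi
    enabled: true
    state: started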
# nginx vhost for the app; a config change only needs a reload.
- name: Configure nginx instance
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/http.d/friwall.conf
  notify: reload nginx
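# OpenRC init script for the config pusher.
- name: Install config pusher initscript
  copy:
    src: pusher.initd
    dest: /etc/init.d/pusher
    # Quoted: a bare 0755 is parsed differently by YAML 1.1 and 1.2
    # loaders; Ansible reads the string as an octal mode.
    mode: "0755"
  notify: restart pusher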
# Start the pusher now and enable it at boot.
- name: Enable config pusher service
  service:
    name: pusher
    state: started
    enabled: true
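# Nightly regeneration, run as friwall (home /srv/friwall, so ~/app is the
# checkout cloned above). `&&` instead of `;` so flask is not started in
# the wrong directory when the checkout is missing.
- name: Regenerate config daily
  cron:
    name: "regenerate config"
    job: "cd ~/app && FLASK_APP=web python3 -m flask generate"
    user: friwall
    hour: "3"
    minute: "33"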
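# Retry the push every 15 minutes as friwall. `&&` instead of `;` so flask
# is not started in the wrong directory when the checkout is missing.
- name: Try (re-)pushing config periodically
  cron:
    name: "push config"
    job: "cd ~/app && FLASK_APP=web python3 -m flask push"
    user: friwall
    minute: "*/15"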