Initial Main commit
This commit is contained in:
commit
dfbd35725a
10
.gitignore
vendored
Normal file
10
.gitignore
vendored
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
.idea/
|
||||||
|
*.iml
|
||||||
|
terraform/.secrets
|
||||||
|
terraform_ghost/.secrets
|
||||||
|
terraform/.tunnel
|
||||||
|
**/*.tfplan
|
||||||
|
**/*.tfstate*
|
||||||
|
**/.terraform.lock.hcl
|
||||||
|
**/.terraform/
|
||||||
|
**/*.pem
|
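Review bot: Ignoring `**/.terraform.lock.hcl` discards the provider dependency lock, so the `~>2.0`/`~>4.0` constraints in terraform/main.tf can resolve to a different provider build on every `terraform init` and the recorded provider hashes are never checked across machines; the lock file is meant to be committed, so drop that line. The rest of the list looks right: `**/*.tfstate*` and `**/*.pem` keep the local state (which holds the ACME account key and the certificate private key in plaintext) and the PEM files Terraform writes into roles/flarum/files out of the repository. Ignoring the state does nothing for it on disk, though, so it still needs restrictive filesystem permissions on the operator machine.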
10
group_vars/all/vault.yml
Normal file
10
group_vars/all/vault.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
66313862303134613964336532616465383364643134316563653537323236353132616161623730
|
||||||
|
3763626335633066393138346662363334393735663231640a656137633834326237663162363339
|
||||||
|
30343661373936646337653133623263346665383538643164653534646232613862346234373438
|
||||||
|
3863653739373862350a383937623630303236376333373562656437663566623361653863623764
|
||||||
|
62373931356462303138363634346663313665303162333533636265623166386637653434633636
|
||||||
|
30646337373865323330363839346437643164376231613033643331633031643865356266383766
|
||||||
|
64326536303762653839633431653831303637353235383033336337303437333264396138613835
|
||||||
|
38633464373665666562616439646436373637373339393334346366336435366636663035653862
|
||||||
|
3831
|
17
roles/flarum/files/composer_installer.sh
Normal file
17
roles/flarum/files/composer_installer.sh
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
|
||||||
|
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||||
|
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
|
||||||
|
|
||||||
|
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
|
||||||
|
then
|
||||||
|
>&2 echo 'ERROR: Invalid installer checksum'
|
||||||
|
rm composer-setup.php
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
php composer-setup.php --quiet --install-dir /usr/bin
|
||||||
|
RESULT=$?
|
||||||
|
rm composer-setup.php
|
||||||
|
exit $RESULT
|
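Review bot: The failure branch at `>&2 echo 'ERROR: Invalid installer checksum'` is the only check and cannot tell a tampered installer from a failed fetch of the signature: if the first `copy()` fails, EXPECTED_CHECKSUM is empty and the script reports a bad checksum, and a failed installer download makes `hash_file()` warn rather than produce a usable hash. Fail early on the fetch instead, `[ -n "$EXPECTED_CHECKSUM" ] || { >&2 echo 'ERROR: could not fetch installer signature'; exit 1; }`, and add `set -u` after the shebang. The comparison verifies the installer against a hash served from the same project's infrastructure over TLS, so it guards against corruption and CDN tampering but not against a compromised publisher; a one-line comment stating that this is the trust boundary would help the next reader. `composer-setup.php` is written to and removed from whatever the working directory happens to be when Ansible's `script` module runs this; a `cd "$(mktemp -d)"` at the top (or `chdir:` on the task) would make that explicit.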
92
roles/flarum/files/nginx.conf
Normal file
92
roles/flarum/files/nginx.conf
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
server {
|
||||||
|
listen 8544 ssl http2;
|
||||||
|
listen [::]:8544 ssl http2;
|
||||||
|
server_name flarum.bubblesthebunny.com;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||||
|
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# Uncomment these lines once you acquire a certificate:
|
||||||
|
ssl_certificate /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/nginx/flarum.bubblesthebunny.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/flarum/flarum/public
|
||||||
|
# Pass requests that don't refer directly to files in the filesystem to index.php
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$query_string;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Uncomment the following lines if you are not using a `public` directory
|
||||||
|
# to prevent sensitive resources from being exposed.
|
||||||
|
# <!-- BEGIN EXPOSED RESOURCES PROTECTION -->
|
||||||
|
# location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
|
||||||
|
# deny all;
|
||||||
|
# return 404;
|
||||||
|
# }
|
||||||
|
# <!-- END EXPOSED RESOURCES PROTECTION -->
|
||||||
|
|
||||||
|
# The following directives are based on best practices from H5BP Nginx Server Configs
|
||||||
|
# https://github.com/h5bp/server-configs-nginx
|
||||||
|
|
||||||
|
# Expire rules for static content
|
||||||
|
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
||||||
|
add_header Cache-Control "max-age=0";
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(?:rss|atom)$ {
|
||||||
|
add_header Cache-Control "max-age=3600";
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
|
||||||
|
add_header Cache-Control "max-age=2592000";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(?:css|js)$ {
|
||||||
|
add_header Cache-Control "max-age=31536000";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
|
||||||
|
add_header Cache-Control "max-age=2592000";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Gzip compression
|
||||||
|
gzip on;
|
||||||
|
gzip_comp_level 5;
|
||||||
|
gzip_min_length 256;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_types
|
||||||
|
application/atom+xml
|
||||||
|
application/javascript
|
||||||
|
application/json
|
||||||
|
application/ld+json
|
||||||
|
application/manifest+json
|
||||||
|
application/rss+xml
|
||||||
|
application/vnd.geo+json
|
||||||
|
application/vnd.ms-fontobject
|
||||||
|
application/x-font-ttf
|
||||||
|
application/x-web-app-manifest+json
|
||||||
|
application/xhtml+xml
|
||||||
|
application/xml
|
||||||
|
font/opentype
|
||||||
|
image/bmp
|
||||||
|
image/svg+xml
|
||||||
|
image/x-icon
|
||||||
|
text/cache-manifest
|
||||||
|
text/css
|
||||||
|
text/javascript
|
||||||
|
text/plain
|
||||||
|
text/vcard
|
||||||
|
text/vnd.rim.location.xloc
|
||||||
|
text/vtt
|
||||||
|
text/x-component
|
||||||
|
text/x-cross-domain-policy;
|
||||||
|
}
|
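Review bot: `root /home/flarum/flarum/public` is missing its terminating semicolon, so nginx rejects the whole file at `nginx -t`/reload and the vhost never comes up; it should read `root /home/flarum/flarum/public;`. Beyond that, there is no `location ~ \.php$` block handing requests to PHP-FPM anywhere in this file, so the `try_files $uri $uri/ /index.php?$query_string;` fallback would make nginx serve index.php as a static file (disclosing PHP source) rather than execute it, unless a PHP handler is included from elsewhere in the nginx configuration, which this commit does not show. Since the only intended client is the local cloudflared tunnel (`service: https://localhost:8544` in the role), bind to loopback with `listen 127.0.0.1:8544 ssl http2;` and `listen [::1]:8544 ssl http2;` so the origin is not reachable from the surrounding network. The comment `# Uncomment these lines once you acquire a certificate:` is stale because the two directives below it are already active, and the DHE-* suites in `ssl_ciphers` are silently unusable without an `ssl_dhparam` file, so either add one or trim them from the list.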
15
roles/flarum/tasks/add_to_cloudflare_tunnel.yml
Normal file
15
roles/flarum/tasks/add_to_cloudflare_tunnel.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
- name: Add Cloudflare Tunnel route
|
||||||
|
become: yes
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/cloudflared/config.yaml
|
||||||
|
regexp: "- hostname: flarum\.bubblesthebunny\.com[\W]*service: https:\/\/localhost:8544"
|
||||||
|
line: |-
|
||||||
|
- hostname: flarum.bubblesthebunny.com
|
||||||
|
service: https://localhost:8544
|
||||||
|
insertbefore: "- service: http_status:404"
|
||||||
|
- name: Restart Cloudflared
|
||||||
|
become: yes
|
||||||
|
systemd:
|
||||||
|
name: cloudflared
|
||||||
|
state: restarted
|
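Review bot: The `regexp:` on `lineinfile` is a double-quoted YAML scalar containing `\.`, `\W` and `\/`, which are not valid YAML escapes, so the play fails to parse before the task runs; single-quote the pattern, e.g. `regexp: '^- hostname: flarum\.bubblesthebunny\.com'`. Even with that fixed, `lineinfile` matches one physical line at a time, so a pattern spanning the `hostname:` and `service:` lines never matches and the two-line `line:` is re-inserted on every run, accumulating duplicate ingress entries; `blockinfile` with a marker is the fitting module for a multi-line block. `Restart Cloudflared` also runs unconditionally, bouncing the tunnel on every play even when nothing changed, so it should be a handler triggered with `notify:`. Two things to confirm against the real /etc/cloudflared/config.yaml: the inserted lines start at column 0, which only parses if the existing `ingress:` entries are not indented, and cloudflared connects to `https://localhost:8544` while the certificate in the role is issued for flarum.bubblesthebunny.com, so it presumably needs `originRequest.originServerName` (or `noTLSVerify`) to validate the origin.
```yaml
- name: Add Cloudflare Tunnel route
  become: yes
  blockinfile:
    path: /etc/cloudflared/config.yaml
    marker: "# {mark} ANSIBLE MANAGED BLOCK flarum"
    insertbefore: '- service: http_status:404'
    block: |
      - hostname: flarum.bubblesthebunny.com
        service: https://localhost:8544
  notify: Restart Cloudflared
# … unchanged: the restart task becomes the "Restart Cloudflared" handler …
```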
48
roles/flarum/tasks/main.yml
Normal file
48
roles/flarum/tasks/main.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
- name: Add flarum group
|
||||||
|
become: yes
|
||||||
|
group:
|
||||||
|
name: flarum
|
||||||
|
state: present
|
||||||
|
- name: Add flarum user
|
||||||
|
become: yes
|
||||||
|
user:
|
||||||
|
create_home: yes
|
||||||
|
name: flarum
|
||||||
|
comment: For running flarum
|
||||||
|
shell: /bin/false
|
||||||
|
password: '!'
|
||||||
|
home: /home/flarum
|
||||||
|
- name: Create Flarum install dir
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /home/flarum/flarum
|
||||||
|
state: directory
|
||||||
|
owner: flarum
|
||||||
|
group: flarum
|
||||||
|
- name: Install PHP
|
||||||
|
become: yes
|
||||||
|
zypper:
|
||||||
|
name: php81
|
||||||
|
state: latest
|
||||||
|
- name: Install Composer
|
||||||
|
become: yes
|
||||||
|
script:
|
||||||
|
command: composer_installer.sh
|
||||||
|
creates: /usr/bin/composer
|
||||||
|
- name: Create Flarum project
|
||||||
|
become: yes
|
||||||
|
become_user: flarum
|
||||||
|
community.general.composer:
|
||||||
|
command: create-project
|
||||||
|
arguments: flarum/flarum .
|
||||||
|
working-dir: /home/flarum/flarum
|
||||||
|
- name: Setup Nginx
|
||||||
|
import_tasks: setup_nginx.yml
|
||||||
|
- name: Add to CloudflareD tunnel
|
||||||
|
import_tasks: add_to_cloudflare_tunnel.yml
|
||||||
|
- name: Reload Nginx
|
||||||
|
become: yes
|
||||||
|
systemd:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
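Review bot: `Reload Nginx` (and the cloudflared restart imported just before it) run unconditionally at the end of every play, so services are bounced even when no file changed; replace the final task with `notify: Reload nginx` on the tasks in setup_nginx.yml that copy the vhost and certificate, and define the reload in `roles/flarum/handlers/main.yml`. Ordering matters as well: the tunnel is restarted to point at `https://localhost:8544` before nginx has reloaded the new vhost, so there is a window in which cloudflared proxies to an origin that is not yet serving it; reload nginx before the tunnel change. Nothing in this task list installs or enables php-fpm (only `php81` is installed) and the vhost in files/nginx.conf has no fastcgi location either, so as far as this commit shows the site cannot execute PHP; confirm whether that is provided outside the role. `community.general.composer` with `create-project flarum/flarum .` pulls the dependency tree at whatever versions resolve at run time; if reproducibility matters, pass a version as the third `create-project` argument or ship a composer.lock.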
33
roles/flarum/tasks/setup_nginx.yml
Normal file
33
roles/flarum/tasks/setup_nginx.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
- name: Create cert dir
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/flarum.bubblesthebunny.com
|
||||||
|
state: directory
|
||||||
|
- name: Copy chain
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: fullchain.pem
|
||||||
|
dest: /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem
|
||||||
|
owner: nginx
|
||||||
|
group: nginx
|
||||||
|
mode: 0640
|
||||||
|
- name: Copy key
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: privkey.pem
|
||||||
|
dest: /etc/nginx/flarum.bubblesthebunny.com/privkey.pem
|
||||||
|
owner: nginx
|
||||||
|
group: nginx
|
||||||
|
mode: 0640
|
||||||
|
- name: Copy nginx.conf
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: nginx.conf
|
||||||
|
dest: /etc/nginx/sites-available/flarum
|
||||||
|
- name: Link to sites-enabled
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/sites-available/flarum
|
||||||
|
path: /etc/nginx/sites-enabled/flarum
|
||||||
|
state: link
|
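Review bot: The private key is copied as `owner: nginx`, `group: nginx`, `mode: 0640`, which lets the unprivileged worker account both read and replace the key; nginx loads certificates in the master process, which normally runs as root, so `owner: root`, `group: root`, `mode: '0600'` is the tighter setting (and root ownership fits fullchain.pem too). Quote the modes as `'0640'`/`'0600'`, since Ansible documents bare leading-zero integers as ambiguous for file modes. `Create cert dir` sets no owner or mode, so the directory inherits the default umask; give it `owner: root` and `mode: '0755'` explicitly. The vhost is installed under `/etc/nginx/sites-available` and symlinked into `sites-enabled`, but this role installs packages with `zypper`, and openSUSE's packaged nginx.conf includes `/etc/nginx/vhosts.d/*.conf` rather than a sites-enabled directory, so unless the main nginx.conf on the target has been changed to include sites-enabled the symlink is never read; verify the include path before relying on it.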
3
run.sh
Executable file
3
run.sh
Executable file
@ -0,0 +1,3 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
ansible-playbook -i hosts.yml site.yml --vault-password-file ~/.vault_pass.txt
|
5
site.yml
Normal file
5
site.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- name: Setup Flarum
|
||||||
|
hosts: server1
|
||||||
|
roles:
|
||||||
|
- role: flarum
|
5
terraform/hose.sh
Executable file
5
terraform/hose.sh
Executable file
@ -0,0 +1,5 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
terraform plan -destroy -out destroy.tfplan
|
||||||
|
|
||||||
|
terraform apply destroy.tfplan
|
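Review bot: `terraform apply destroy.tfplan` runs even when the preceding `terraform plan -destroy` fails, so a stale destroy.tfplan left over from an earlier run can be applied against a state it no longer matches; mirror terraform/run.sh with `terraform plan -destroy -out destroy.tfplan || exit`, and delete the plan file afterwards with `rm -f destroy.tfplan`, since plan files embed sensitive values from state. This script also destroys `acme_certificate.certificate`, which with the vancluever/acme provider presumably revokes the certificate at Let's Encrypt on destroy by default; if the intent is only to tear down the DNS record, confirm that behaviour before running it.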
61
terraform/main.tf
Normal file
61
terraform/main.tf
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
terraform {
|
||||||
|
required_providers {
|
||||||
|
acme = {
|
||||||
|
source = "vancluever/acme"
|
||||||
|
version = "~>2.0"
|
||||||
|
}
|
||||||
|
cloudflare = {
|
||||||
|
source = "cloudflare/cloudflare"
|
||||||
|
version = "~>4.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "acme" {
|
||||||
|
server_url = "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "cloudflare" {
|
||||||
|
api_token = var.cloudflare_token
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "tls_private_key" "private_key" {
|
||||||
|
algorithm = "RSA"
|
||||||
|
rsa_bits = 4096
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "acme_registration" "reg" {
|
||||||
|
account_key_pem = tls_private_key.private_key.private_key_pem
|
||||||
|
email_address = "admin@bubblesthebunny.com"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "acme_certificate" "certificate" {
|
||||||
|
account_key_pem = acme_registration.reg.account_key_pem
|
||||||
|
common_name = "bubblesthebunny.com"
|
||||||
|
subject_alternative_names = ["flarum.bubblesthebunny.com"]
|
||||||
|
|
||||||
|
dns_challenge {
|
||||||
|
provider = "cloudflare"
|
||||||
|
config = {
|
||||||
|
CF_DNS_API_TOKEN = var.cloudflare_token
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "cloudflare_record" "flarum" {
|
||||||
|
name = "flarum"
|
||||||
|
type = "CNAME"
|
||||||
|
zone_id = var.zone_id
|
||||||
|
value = var.cname_record
|
||||||
|
proxied = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "local_file" "public_cert" {
|
||||||
|
filename = "../roles/flarum/files/fullchain.pem"
|
||||||
|
content = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "local_sensitive_file" "private_key" {
|
||||||
|
filename = "../roles/flarum/files/privkey.pem"
|
||||||
|
content = acme_certificate.certificate.private_key_pem
|
||||||
|
}
|
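Review bot: `acme_certificate.certificate` is issued with `common_name = "bubblesthebunny.com"` plus the flarum SAN, but its only consumer is the flarum host, so that host ends up holding a private key valid for the apex domain as well; issue for `common_name = "flarum.bubblesthebunny.com"` and drop `subject_alternative_names` to keep a host compromise limited to the one name it serves. `var.cloudflare_token` is passed to both the provider and the `dns_challenge` config; the token is needed in both places, but the variable should be declared `sensitive = true` so it is redacted from plan output. No backend is configured, so the ACME account key from `tls_private_key.private_key` and the certificate key end up in the local terraform.tfstate in plaintext; that is acceptable for a single-operator setup only if the state file's permissions are as restrictive as the key file written by `local_sensitive_file`. `local_file.public_cert` and `local_sensitive_file.private_key` use the `local` and `tls` providers without listing them in `required_providers`; add them with version constraints so `init` pins those too.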
13
terraform/run.sh
Executable file
13
terraform/run.sh
Executable file
@ -0,0 +1,13 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
export TF_IN_AUTOMATION=true
|
||||||
|
|
||||||
|
terraform init -upgrade || exit
|
||||||
|
|
||||||
|
terraform fmt -recursive || exit
|
||||||
|
|
||||||
|
terraform validate || exit
|
||||||
|
|
||||||
|
terraform plan -out flarum_plan.tfplan || exit
|
||||||
|
|
||||||
|
terraform apply flarum_plan.tfplan || exit
|
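Review bot: `terraform init -upgrade` re-resolves every provider to the newest release allowed by the `~>2.0`/`~>4.0` constraints on each run, and because .gitignore excludes `.terraform.lock.hcl` the provider hashes are never pinned, so the provider binaries can change underneath an unattended apply; use plain `terraform init`, commit the lock file, and run `-upgrade` deliberately. The `|| exit` chain is fine for POSIX sh, where `exit` without an argument propagates the failing command's status, but `terraform fmt -recursive` rewrites source files as a side effect of a run tagged `TF_IN_AUTOMATION`; `terraform fmt -check -recursive` is the non-mutating form for automation. `flarum_plan.tfplan` is left on disk after the apply and contains sensitive values from state; add `rm -f flarum_plan.tfplan` after the apply line.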
19
terraform/variables.tf
Normal file
19
terraform/variables.tf
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
variable "cloudflare_token" {
|
||||||
|
type = string
|
||||||
|
description = "Cloudflare DNS:Edit token"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "zone_id" {
|
||||||
|
type = string
|
||||||
|
description = "The Cloudflare Zone ID"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "account_id" {
|
||||||
|
type = string
|
||||||
|
description = "The Cloudflare Account ID"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cname_record" {
|
||||||
|
type = string
|
||||||
|
description = "The CNAME record used by the Cloudflared tunnel"
|
||||||
|
}
|
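Review bot: `cloudflare_token` is a credential but is not declared `sensitive = true`, so its value can appear in `terraform plan` output and diagnostics; add `sensitive = true` inside the block. The description `"Cloudflare DNS:Edit token"` is the right scope for the `cloudflare_record` and DNS-01 challenge in main.tf and worth keeping as the only permission the token carries. `account_id` is declared but not referenced anywhere in the visible main.tf; either wire it to the resource that needs it or remove the dead variable.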