Initial Main commit
commit
dfbd35725a
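--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+.idea/
+*.iml
+terraform/.secrets
+terraform_ghost/.secrets
+terraform/.tunnel
+**/*.tfplan
+**/*.tfstate*
+**/.terraform.lock.hcl
+**/.terraform/
+**/*.pem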
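--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+66313862303134613964336532616465383364643134316563653537323236353132616161623730
+3763626335633066393138346662363334393735663231640a656137633834326237663162363339
+30343661373936646337653133623263346665383538643164653534646232613862346234373438
+3863653739373862350a383937623630303236376333373562656437663566623361653863623764
+62373931356462303138363634346663313665303162333533636265623166386637653434633636
+30646337373865323330363839346437643164376231613033643331633031643865356266383766
+64326536303762653839633431653831303637353235383033336337303437333264396138613835
+38633464373665666562616439646436373637373339393334346366336435366636663035653862
+3831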
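--- /dev/null
+++ b/roles/flarum/files/composer_installer.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+>&2 echo 'ERROR: Invalid installer checksum'
+rm composer-setup.php
+exit 1
+fi
+
+php composer-setup.php --quiet --install-dir /usr/bin
+RESULT=$?
+rm composer-setup.php
+exit $RESULT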
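Review bot: The installer is run with `--install-dir /usr/bin` but no `--filename`, and the Composer installer's default output name is `composer.phar`; `roles/flarum/tasks/main.yml` guards this script with `creates: /usr/bin/composer`, a path that will then never exist, so the download and install repeat on every play. Adding `--filename composer` to the install line (or pointing `creates` at `/usr/bin/composer.phar`) lines the two up; whether the installer accepts the space-separated `--install-dir /usr/bin` rather than `--install-dir=/usr/bin` I can't confirm from here. If the `installer.sig` fetch fails, `EXPECTED_CHECKSUM` is empty and the guard depends entirely on the second download producing a non-matching value, since `php -r 'copy(...)'` exits 0 even when `copy()` returns false; an explicit `[ -n "$EXPECTED_CHECKSUM" ] || { >&2 echo 'ERROR: could not fetch installer signature'; exit 1; }` before the comparison makes a failed signature fetch abort on its own.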
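--- /dev/null
+++ b/roles/flarum/files/nginx.conf
@@ -0,0 +1,92 @@
+server {
+listen 8544 ssl http2;
+listen [::]:8544 ssl http2;
+server_name flarum.bubblesthebunny.com;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# Uncomment these lines once you acquire a certificate:
+ssl_certificate /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem;
+ssl_certificate_key /etc/nginx/flarum.bubblesthebunny.com/privkey.pem;
+
+root /home/flarum/flarum/public
+# Pass requests that don't refer directly to files in the filesystem to index.php
+location / {
+try_files $uri $uri/ /index.php?$query_string;
+}
+
+# Uncomment the following lines if you are not using a `public` directory
+# to prevent sensitive resources from being exposed.
+# <!-- BEGIN EXPOSED RESOURCES PROTECTION -->
+# location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
+# deny all;
+# return 404;
+# }
+# <!-- END EXPOSED RESOURCES PROTECTION -->
+
+# The following directives are based on best practices from H5BP Nginx Server Configs
+# https://github.com/h5bp/server-configs-nginx
+
+# Expire rules for static content
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+add_header Cache-Control "max-age=0";
+}
+
+location ~* \.(?:rss|atom)$ {
+add_header Cache-Control "max-age=3600";
+}
+
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
+add_header Cache-Control "max-age=2592000";
+access_log off;
+}
+
+location ~* \.(?:css|js)$ {
+add_header Cache-Control "max-age=31536000";
+access_log off;
+}
+
+location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
+add_header Cache-Control "max-age=2592000";
+access_log off;
+}
+
+# Gzip compression
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 256;
+gzip_proxied any;
+gzip_vary on;
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/ld+json
+application/manifest+json
+application/rss+xml
+application/vnd.geo+json
+application/vnd.ms-fontobject
+application/x-font-ttf
+application/x-web-app-manifest+json
+application/xhtml+xml
+application/xml
+font/opentype
+image/bmp
+image/svg+xml
+image/x-icon
+text/cache-manifest
+text/css
+text/javascript
+text/plain
+text/vcard
+text/vnd.rim.location.xloc
+text/vtt
+text/x-component
+text/x-cross-domain-policy;
+}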
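Review bot: `root /home/flarum/flarum/public` has no terminating `;`, so nginx rejects the vhost and the `Reload Nginx` task in main.yml fails; it should read `root /home/flarum/flarum/public;`. The server block also defines no `location ~ \.php$` with a `fastcgi_pass` and no `index index.php;`, so unless a PHP handler is defined elsewhere in the main nginx.conf, the `try_files ... /index.php?$query_string` fallback hands `index.php` back as a plain file instead of executing it — the PHP-FPM handler from Flarum's reference config needs to be added (the socket path depends on the openSUSE php81-fpm package and isn't visible here). The comment `# Uncomment these lines once you acquire a certificate:` is stale, since the two `ssl_certificate*` lines under it are already active. Because the only intended client is cloudflared on the same host (`service: https://localhost:8544` in add_to_cloudflare_tunnel.yml), `listen 127.0.0.1:8544 ssl http2;` and `listen [::1]:8544 ssl http2;` keep the origin off external interfaces.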
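--- /dev/null
+++ b/roles/flarum/tasks/add_to_cloudflare_tunnel.yml
@@ -0,0 +1,15 @@
+---
+- name: Add Cloudflare Tunnel route
+become: yes
+lineinfile:
+path: /etc/cloudflared/config.yaml
+regexp: "- hostname: flarum\.bubblesthebunny\.com[\W]*service: https:\/\/localhost:8544"
+line: |-
+- hostname: flarum.bubblesthebunny.com
+service: https://localhost:8544
+insertbefore: "- service: http_status:404"
+- name: Restart Cloudflared
+become: yes
+systemd:
+name: cloudflared
+state: restarted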
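Review bot: The `regexp` value is a YAML double-quoted scalar, and `\.`, `\W` and `\/` are not valid escapes in that context, so the playbook fails to parse before the task runs; single-quote it instead: `regexp: '- hostname: flarum\.bubblesthebunny\.com[\W]*service: https://localhost:8544'`. Even then `lineinfile` matches `regexp` against one line at a time while the inserted `line` spans two lines, so the pattern never matches an existing entry and both lines are re-inserted before `- service: http_status:404` on every run; `blockinfile` with a marker, or templating the whole `config.yaml`, is the idempotent form. Indentation of the inserted entry inside the `ingress` list is lost in this rendering but is what cloudflared parses, so it is worth checking on the target. cloudflared verifies the origin certificate by default as far as I know, and the certificate in nginx.conf is for `flarum.bubblesthebunny.com` rather than `localhost`, so an `originRequest` with `originServerName: flarum.bubblesthebunny.com` will presumably be needed on this route — confirm against the target's config.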
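--- /dev/null
+++ b/roles/flarum/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- name: Add flarum group
+become: yes
+group:
+name: flarum
+state: present
+- name: Add flarum user
+become: yes
+user:
+create_home: yes
+name: flarum
+comment: For running flarum
+shell: /bin/false
+password: '!'
+home: /home/flarum
+- name: Create Flarum install dir
+become: yes
+file:
+path: /home/flarum/flarum
+state: directory
+owner: flarum
+group: flarum
+- name: Install PHP
+become: yes
+zypper:
+name: php81
+state: latest
+- name: Install Composer
+become: yes
+script:
+command: composer_installer.sh
+creates: /usr/bin/composer
+- name: Create Flarum project
+become: yes
+become_user: flarum
+community.general.composer:
+command: create-project
+arguments: flarum/flarum .
+working-dir: /home/flarum/flarum
+- name: Setup Nginx
+import_tasks: setup_nginx.yml
+- name: Add to CloudflareD tunnel
+import_tasks: add_to_cloudflare_tunnel.yml
+- name: Reload Nginx
+become: yes
+systemd:
+name: nginx
+state: reloaded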
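Review bot: Nothing in this task list installs nginx or php-fpm (the only package task is `zypper: name: php81`), yet `Setup Nginx` copies a vhost under `/etc/nginx` and the final task reloads the `nginx` unit; on a fresh host that reload fails, so a package task for nginx, php81-fpm and the PHP extensions Flarum's `composer create-project` requires belongs before `Setup Nginx`. `Create Flarum project` runs `create-project` unconditionally and will presumably fail on the second play once `/home/flarum/flarum` is no longer empty; a `stat` of `/home/flarum/flarum/composer.json` and a `when: not <registered var>.stat.exists` on the task makes it repeatable. `state: latest` on the PHP package upgrades it on every play, which makes runs non-reproducible; `state: present` is the usual choice inside a role. `Reload Nginx` runs whether or not anything changed; making it a handler notified by the copy tasks in setup_nginx.yml avoids reloads on no-op runs.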
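--- /dev/null
+++ b/roles/flarum/tasks/setup_nginx.yml
@@ -0,0 +1,33 @@
+---
+- name: Create cert dir
+become: yes
+file:
+path: /etc/nginx/flarum.bubblesthebunny.com
+state: directory
+- name: Copy chain
+become: yes
+copy:
+src: fullchain.pem
+dest: /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem
+owner: nginx
+group: nginx
+mode: 0640
+- name: Copy key
+become: yes
+copy:
+src: privkey.pem
+dest: /etc/nginx/flarum.bubblesthebunny.com/privkey.pem
+owner: nginx
+group: nginx
+mode: 0640
+- name: Copy nginx.conf
+become: yes
+copy:
+src: nginx.conf
+dest: /etc/nginx/sites-available/flarum
+- name: Link to sites-enabled
+become: yes
+file:
+src: /etc/nginx/sites-available/flarum
+path: /etc/nginx/sites-enabled/flarum
+state: link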
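Review bot: `Copy key` installs `privkey.pem` as `owner: nginx`, `group: nginx`, `mode: 0640`, which lets the unprivileged worker user read the private key; the nginx master process loads the key as root at startup, so `owner: root`, `group: root`, `mode: 0600` on that task is the tighter setting, and `Create cert dir` should carry an explicit `owner: root` and `mode: 0755` rather than inheriting the umask. The role installs packages with `zypper` but uses a Debian-style `sites-available`/`sites-enabled` layout; as far as I recall openSUSE's packaged nginx.conf includes `conf.d/*.conf` and `vhosts.d/*.conf`, so unless the main config was edited to include `sites-enabled/*` the vhost is never loaded — `dest: /etc/nginx/vhosts.d/flarum.conf` would also make the `Link to sites-enabled` task unnecessary. A `command: nginx -t` task after `Copy nginx.conf` surfaces a broken vhost (the reload in main.yml currently is the first thing that would notice).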
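--- /dev/null
+++ b/run.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+ansible-playbook -i hosts.yml site.yml --vault-password-file ~/.vault_pass.txt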
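Review bot: The playbook is invoked with `-i hosts.yml`, but no `hosts.yml` is part of this commit and `.gitignore` does not exclude it either, so a fresh clone cannot run this script as written; if the inventory is deliberately kept out of the repository, add it to `.gitignore` and say so, otherwise commit it next to `site.yml` (which targets `server1`). The `~/.vault_pass.txt` convention deserves a line above the command, e.g. `# expects ~/.vault_pass.txt (mode 0600) holding the Ansible Vault password`, so the next operator knows what to provision.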
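--- /dev/null
+++ b/site.yml
@@ -0,0 +1,5 @@
+---
+- name: Setup Flarum
+hosts: server1
+roles:
+- role: flarum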
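--- /dev/null
+++ b/terraform/hose.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+terraform plan -destroy -out destroy.tfplan
+
+terraform apply destroy.tfplan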
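Review bot: `terraform apply destroy.tfplan` runs even when the preceding `terraform plan -destroy -out destroy.tfplan` fails, in which case a stale `destroy.tfplan` left over from an earlier run would be applied; chain them as `terraform plan -destroy -out destroy.tfplan || exit`, matching the style of terraform/run.sh. A header comment such as `# Destroys every resource in this workspace (ACME account, certificate, DNS record)` states the intent for whoever finds the script later.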
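--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,61 @@
+terraform {
+required_providers {
+acme = {
+source = "vancluever/acme"
+version = "~>2.0"
+}
+cloudflare = {
+source = "cloudflare/cloudflare"
+version = "~>4.0"
+}
+}
+}
+
+provider "acme" {
+server_url = "https://acme-v02.api.letsencrypt.org/directory"
+}
+
+provider "cloudflare" {
+api_token = var.cloudflare_token
+}
+
+resource "tls_private_key" "private_key" {
+algorithm = "RSA"
+rsa_bits = 4096
+}
+
+resource "acme_registration" "reg" {
+account_key_pem = tls_private_key.private_key.private_key_pem
+email_address = "admin@bubblesthebunny.com"
+}
+
+resource "acme_certificate" "certificate" {
+account_key_pem = acme_registration.reg.account_key_pem
+common_name = "bubblesthebunny.com"
+subject_alternative_names = ["flarum.bubblesthebunny.com"]
+
+dns_challenge {
+provider = "cloudflare"
+config = {
+CF_DNS_API_TOKEN = var.cloudflare_token
+}
+}
+}
+
+resource "cloudflare_record" "flarum" {
+name = "flarum"
+type = "CNAME"
+zone_id = var.zone_id
+value = var.cname_record
+proxied = true
+}
+
+resource "local_file" "public_cert" {
+filename = "../roles/flarum/files/fullchain.pem"
+content = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
+}
+
+resource "local_sensitive_file" "private_key" {
+filename = "../roles/flarum/files/privkey.pem"
+content = acme_certificate.certificate.private_key_pem
+}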
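Review bot: `tls_private_key`, `local_file` and `local_sensitive_file` come from the `hashicorp/tls` and `hashicorp/local` providers, which are used here but not listed in `required_providers`; Terraform resolves them implicitly, but declaring `tls = { source = "hashicorp/tls" }` and `local = { source = "hashicorp/local" }` with a version constraint makes the dependency explicit (the exact constraint should be whatever the workspace currently resolves). Because `.gitignore` in this commit excludes `**/.terraform.lock.hcl`, nothing pins provider builds to a checksum across machines; Terraform's guidance is to commit the lock file, which matters for a third-party provider like `vancluever/acme`. `acme_registration` and `acme_certificate` put the account key and the certificate's private key into state, and with `**/*.tfstate*` git-ignored that state lives unencrypted on whichever machine ran `apply`; a remote backend with encryption at rest is the usual answer, and until then a `# NOTE: state holds the ACME account key and the certificate private key` comment at the top of the file keeps that visible. `common_name = "bubblesthebunny.com"` issues for the apex as well although only `flarum.bubblesthebunny.com` is served here; if the apex is unintended, making the SAN the common name narrows the certificate.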
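--- /dev/null
+++ b/terraform/run.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+export TF_IN_AUTOMATION=true
+
+terraform init -upgrade || exit
+
+terraform fmt -recursive || exit
+
+terraform validate || exit
+
+terraform plan -out flarum_plan.tfplan || exit
+
+terraform apply flarum_plan.tfplan || exit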
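Review bot: `terraform init -upgrade` on every run re-resolves providers to the newest versions allowed by the `~>` constraints in main.tf, so two runs of this script can use different provider builds without any change in the repository; drop `-upgrade` from the routine path (`terraform init || exit`) and run it deliberately when bumping versions, with `.terraform.lock.hcl` committed so the resolution is recorded. `terraform fmt -recursive` rewrites source files during an automated run, which is surprising under `TF_IN_AUTOMATION`; `terraform fmt -check -recursive || exit` fails the run instead of editing the checkout. The bare `|| exit` carries the failing command's status in POSIX sh, so the error propagation itself is fine.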
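--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,19 @@
+variable "cloudflare_token" {
+type = string
+description = "Cloudflare DNS:Edit token"
+}
+
+variable "zone_id" {
+type = string
+description = "The Cloudflare Zone ID"
+}
+
+variable "account_id" {
+type = string
+description = "The Cloudflare Account ID"
+}
+
+variable "cname_record" {
+type = string
+description = "The CNAME record used by the Cloudflared tunnel"
+}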
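Review bot: `cloudflare_token` is a credential but is not marked `sensitive = true`, so its value may be printed in `terraform plan` output and in the terraform/run.sh automation logs wherever it is interpolated (it feeds both the provider block and the `CF_DNS_API_TOKEN` map in main.tf); add `sensitive = true` to that variable block. `account_id` is declared but not referenced anywhere in main.tf, so either drop it or extend its description with why it is kept. The other descriptions are clear as written.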