From d59a2ace4a1b72b29ae91ffcd4f283bcc096dbc9 Mon Sep 17 00:00:00 2001
From: Hoan To
Date: Fri, 22 Sep 2023 10:08:10 +0000
Subject: [PATCH] DEV-1161 added cockpit vm to demostage
---
 group_vars/stage_demompmx/firewall.yml | 29 ++++++++++-
 hcloud_firewall.yml | 9 ++++
 host_vars/demompmx-cockpit-01/plain.yml | 6 +++
 roles/nginx/defaults/main.yml | 4 ++
 roles/nginx/files/nginx.conf | 15 ++++++
 roles/nginx/tasks/main.yml | 67 +++++++++++++++++++++++++
 roles/nginx/vars/main.yml | 37 ++++++++++++++
 smardigo.yml | 3 ++
 stage-demompmx | 4 ++
 users/paul.zinke/ssh.pub | 1 +
 10 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 host_vars/demompmx-cockpit-01/plain.yml
 create mode 100644 roles/nginx/defaults/main.yml
 create mode 100644 roles/nginx/files/nginx.conf
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/vars/main.yml
 create mode 100644 users/paul.zinke/ssh.pub
diff --git a/group_vars/stage_demompmx/firewall.yml b/group_vars/stage_demompmx/firewall.yml
index 8c99601..2b0111f 100644
--- a/group_vars/stage_demompmx/firewall.yml
+++ b/group_vars/stage_demompmx/firewall.yml
@@ -140,4 +140,31 @@ hcloud_firewall_objects_keycloak:
 -
 type: label_selector
 label_selector:
- selector: 'stage={{ stage }},service=keycloak'
\ No newline at end of file
+ selector: 'stage={{ stage }},service=keycloak'
+
+hcloud_firewall_objects_cockpit:
+ -
+ name: "{{ stage }}-access-to-cockpit"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips:
+ - '0.0.0.0/0'
+ destination_ips: []
+ description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for cockpit-instance(s))"
+ -
+ direction: in
+ protocol: tcp
+ port: '80'
+ source_ips:
+ - '0.0.0.0/0'
+ destination_ips: []
+ description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for cockpit-instance(s))"
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'stage={{ stage }},service=cockpit'
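Review bot: The description on the port-80 rule reads `incoming HTTPS traffic`, copied from the port-443 rule above it, while the rule itself opens plain HTTP, so the audit trail in the Hetzner console will misreport what the rule allows. Change it to `description: "Whitelisting ALL(also from UNTRUST) incoming HTTP traffic for cockpit-instance(s)"`, which also drops the stray closing parenthesis present in both descriptions. If port 80 exists only for the ACME HTTP-01 challenge and an HTTP-to-HTTPS redirect — which the traefik letsencrypt labels elsewhere in the commit suggest but do not show — saying so in the description makes the 0.0.0.0/0 source reviewable later.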
diff --git a/hcloud_firewall.yml b/hcloud_firewall.yml
index 2c2bff7..d442e5b 100644
--- a/hcloud_firewall.yml
+++ b/hcloud_firewall.yml
@@ -131,5 +131,14 @@
 loop: "{{ hcloud_firewall_objects_management }}"
 loop_control:
 loop_var: firewall_object
+
+ - name: "Setup hcloud firewalls for cockpit..."
+ include_role:
+ name: hetzner-ansible-hcloud
+ tasks_from: configure-firewall2
+ loop: "{{ hcloud_firewall_objects_cockpit }}"
+ loop_control:
+ loop_var: firewall_object
+ when: stage == 'demompmx'
 # end of BLOCK
 when: hcloud_firewall_app_specific_stuff | default(True)
diff --git a/host_vars/demompmx-cockpit-01/plain.yml b/host_vars/demompmx-cockpit-01/plain.yml
new file mode 100644
index 0000000..fdaea8e
--- /dev/null
+++ b/host_vars/demompmx-cockpit-01/plain.yml
@@ -0,0 +1,6 @@
+---
+hetzner_server_type: cpx21
+hetzner_server_labels: "stage={{ stage }} service=cockpit"
+
+custom_stage_platform_users:
+ - 'paul.zinke'
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..6c8d686
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+
+nginx_image: "nginx"
\ No newline at end of file
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..83126be
--- /dev/null
+++ b/roles/nginx/files/nginx.conf
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ try_files $uri $uri/ /index.html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+}
\ No newline at end of file
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..70d1c52
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
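Review bot: The new task gates on `when: stage == 'demompmx'`, but `loop: "{{ hcloud_firewall_objects_cockpit }}"` is expanded before the per-item conditional is evaluated, and the variable is only defined in group_vars/stage_demompmx in this commit, so on every other stage the task will presumably fail on the undefined loop variable rather than be skipped. Hard-coding the stage name also means any stage that later defines the variable has to edit this playbook as well. Using `loop: "{{ hcloud_firewall_objects_cockpit | default([]) }}"` together with `when: hcloud_firewall_objects_cockpit is defined` keeps the task stage-agnostic and lets group_vars alone decide where cockpit firewalls exist. The enclosing block starts above the hunk; only its `# end of BLOCK` marker and closing `when:` are visible.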
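Review bot: `nginx_image: "nginx"` is the only image knob the role exposes, while the tag is hard-coded to `alpine` in roles/nginx/vars/main.yml (`image_version: alpine`) and the start task pulls on every run (`pull: yes`), so each deployment takes whatever upstream currently publishes under that floating tag with no way to pin or roll back per stage. Add a default such as `nginx_image_version: "<pinned-nginx-version>"` here and reference it from vars/main.yml as `image_version: "{{ nginx_image_version }}"`, pinning to a specific release (or a digest, if the deploy role supports it). The file also has two blank lines after `---` and no trailing newline.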
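Review bot: The server block leaves nginx's default `Server` header with the version string in place and sets no response-header hardening, even though the traefik labels and the 0.0.0.0/0 firewall rules in this commit indicate it serves an internet-facing front end. Add `server_tokens off;` at the top of the server block, and consider `add_header X-Content-Type-Options nosniff always;` plus a Content-Security-Policy suited to the cockpit application. `try_files $uri $uri/ /index.html;` turns every unknown path into a 200 with index.html, which is expected for a single-page app but worth a comment so nobody later reads the missing 404s as a misconfiguration; the file also lacks a trailing newline.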
@@ -0,0 +1,67 @@
+- name: "Setup DNS configuration for {{ inventory_hostname }}"
+ include_role:
+ name: hetzner-ansible-dns
+ vars:
+ record_data: "{{ stage_server_ip }}"
+ record_name: "{{ inventory_hostname }}"
+
+
+- name: Create a directory dist if it does not exist
+ ansible.builtin.file:
+ path: "{{ service_base_path }}/{{ inventory_hostname }}/dist"
+ state: directory
+ mode: '0777'
+
+- name: Create a directory conf if it does not exist
+ ansible.builtin.file:
+ path: "{{ service_base_path }}/{{ inventory_hostname }}/conf"
+ state: directory
+ mode: '0755'
+
+- name: "Providing nginx.conf"
+ become: yes
+ copy:
+ src: '{{ item }}'
+ dest: '{{ service_base_path }}/{{ inventory_hostname }}/conf'
+ mode: '0755'
+ with_items:
+ - nginx.conf
+
+
+- name: "Check if {{ inventory_hostname }}/docker-compose.yml exists"
+ stat:
+ path: '{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml'
+ register: check_docker_compose_file
+ tags:
+ - update_deployment
+
+- name: "Stop {{ inventory_hostname }}"
+ community.docker.docker_compose:
+ project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+ state: absent
+ when: check_docker_compose_file.stat.exists
+ tags:
+ - update_deployment
+
+- name: "Deploy docker templates for {{ inventory_hostname }}"
+ include_role:
+ name: hetzner-ansible-sma-deploy
+ tasks_from: templates
+ vars:
+ current_config: "_docker"
+ current_base_path: "{{ service_base_path }}"
+ current_destination: "{{ inventory_hostname }}"
+ current_owner: "{{ docker_owner }}"
+ current_group: "{{ docker_group }}"
+ current_docker: "{{ nginx_docker }}"
+ tags:
+ - update_deployment
+
+
+- name: "Start {{ inventory_hostname }}"
+ community.docker.docker_compose:
+ project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+ state: present
+ pull: yes
+ tags:
+ - update_deployment
\ No newline at end of file
diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml
new file mode 100644
index 0000000..88751f7
--- /dev/null
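Review bot: The dist directory is created with `mode: '0777'`, which makes the web root world-writable on the host: any local account can replace what nginx serves, and vars/main.yml bind-mounts that directory into the container at /usr/share/nginx/html without `:ro`. nginx only needs read access, so use `mode: '0755'` with `owner: "{{ docker_owner }}"` and `group: "{{ docker_group }}"` (the same variables the templates task already passes), and if a deployment pipeline writes the build output there, give that account ownership instead of opening the mode. The copied nginx.conf likewise needs no execute bit (`mode: '0644'` rather than `'0755'`), and `become: yes` / `pull: yes` should be `true` to satisfy yamllint's truthy rule.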
+++ b/roles/nginx/vars/main.yml
@@ -0,0 +1,37 @@
+---
+
+nginx_id: "{{ inventory_hostname }}-nginx"
+
+nginx_labels: [
+ '"traefik.enable=true"',
+ '"traefik.http.routers.{{ nginx_id }}.service={{ nginx_id }}"',
+ '"traefik.http.routers.{{ nginx_id }}.rule=Host(`{{ stage_server_domain }}`)"',
+ '"traefik.http.routers.{{ nginx_id }}.entrypoints=websecure"',
+ '"traefik.http.routers.{{ nginx_id }}.tls=true"',
+ '"traefik.http.routers.{{ nginx_id }}.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ nginx_id }}.loadbalancer.server.port={{ http_port }}"',
+]
+
+nginx_docker: {
+ networks: [
+ {
+ name: front-tier,
+ external: true,
+ },
+ ],
+ services: [
+ {
+ name: "{{ nginx_id }}",
+ image_name: "{{ nginx_image }}",
+ image_version: alpine,
+ labels: "{{ nginx_labels }}",
+ volumes: [
+ "{{ service_base_path }}/{{ inventory_hostname }}/dist:/usr/share/nginx/html",
+ "{{ service_base_path }}/{{ inventory_hostname }}/conf/nginx.conf:/etc/nginx/conf.d/default.conf"
+ ],
+ networks: [
+ '"front-tier"',
+ ],
+ }
+ ],
+}
diff --git a/smardigo.yml b/smardigo.yml
index ab9774a..d558a8e 100644
--- a/smardigo.yml
+++ b/smardigo.yml
@@ -75,3 +75,6 @@
 - role: mpmx
 when: "'mpmx' in group_names"
+
+ - role: nginx
+ when: "'nginx' in group_names"
diff --git a/stage-demompmx b/stage-demompmx
index 3d4696b..61138b1 100644
--- a/stage-demompmx
+++ b/stage-demompmx
@@ -29,6 +29,9 @@ demompmx-management-01
 [maria]
 demompmx-maria-01
+[nginx]
+demompmx-cockpit-01
+
 [pgadmin4]
 demompmx-pgadmin4-01
@@ -85,6 +88,7 @@ kibana
 logstash
 management
 maria
+nginx
 pgadmin4
 postfix
 postgres
diff --git a/users/paul.zinke/ssh.pub b/users/paul.zinke/ssh.pub
new file mode 100644
index 0000000..f3599af
--- /dev/null
+++ b/users/paul.zinke/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClbMV7J5W6F9rAo5h7m04Og8TclBsshZfIOgBPu7V9p nso\paul.zinke@NSO-NB01576
\ No newline at end of file
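Review bot: `{{ http_port }}` in the traefik loadbalancer label is not defined in the role's defaults or vars added by this commit; if it is not set globally the label renders with an empty port and traefik cannot route to the container, so either add `http_port: 80` to roles/nginx/defaults/main.yml (the nginx.conf in this commit listens on 80) or add a comment naming where it comes from. The `nginx_docker` structure is written as nested flow collections (`{ ... [ ... ] }`) over some twenty lines, which hides the trailing-comma and quoting rules flow style imposes; block style would read and diff more clearly. Both volume mounts could carry `:ro`, e.g. `".../dist:/usr/share/nginx/html:ro"`, since the container only reads the html and the config — assuming the deploy role passes volume strings through unchanged.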