Cyber/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
infrastructure/roles/archwiki/tasks/main.yml
Jelle van der Waa 8391c7d514
Remove "failed" fail2ban rules 
This was an attempt to block too many requests from bots but it leads to
an increase of cpu usage and blocking wiki administrators.
2020-05-22 13:42:10 +02:00

125 lines
4.8 KiB
YAML
Raw Blame History

---
- name: run maintenance mode
include_role:
name: maintenance
vars:
service_name: "wiki"
service_domain: "{{ archwiki_domain }}"
service_alternate_domains: []
service_nginx_conf: "{{ archwiki_nginx_conf }}"
when: maintenance is defined
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ archwiki_domain }}' creates='/etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem'
when: 'archwiki_domain is defined'
- name: install packages
pacman: name=git,php-intl state=present
- name: make archwiki user
user: name="{{ archwiki_user }}" shell=/bin/false home="{{ archwiki_dir }}" createhome=no
register: user_created
- name: fix home permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
- name: set up nginx
template: src=nginx.d.conf.j2 dest="{{ archwiki_nginx_conf }}" owner=root group=root mode=644
notify:
- reload nginx
when: maintenance is not defined
tags: ['nginx']
- name: configure robots.txt
copy: src=robots.txt dest="{{ archwiki_dir }}/robots.txt" owner=root group=root mode=0644
- name: make nginx log dir
file: path=/var/log/nginx/{{ archwiki_domain }} state=directory owner=root group=root mode=0755
- name: make debug log dir
file: path=/var/log/archwiki state=directory owner={{archwiki_user}} group=root mode=0700
- name: clone archwiki repo
git: repo={{ archwiki_repository }} dest="{{ archwiki_dir }}/public" version={{ archwiki_version }}
become: true
become_user: "{{ archwiki_user }}"
notify:
- run wiki updatescript
- name: fix home permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}"
- name: fix cache permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/cache"
- name: fix sessions permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/sessions"
- name: fix uploads permissions
file: state=directory owner="{{ archwiki_user }}" group="{{ archwiki_user }}" path="{{ archwiki_dir }}/uploads"
- name: configure archwiki
template: src=LocalSettings.php.j2 dest="{{ archwiki_dir }}/public/LocalSettings.php" owner="{{ archwiki_user }}" group="{{ archwiki_user }}" mode=0640
register: config
no_log: true
- name: create archwiki db
mysql_db: name="{{ archwiki_db }}" login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
register: db_created
- name: create archwiki db user
mysql_user: name={{ archwiki_db_user }} password={{ vault_archwiki_db_password }}
login_host="{{ archwiki_db_host }}" login_password="{{ vault_mariadb_users.root }}"
priv="{{ archwiki_db }}.*:ALL"
no_log: true
- name: configure php-fpm
template:
src=php-fpm.conf.j2 dest="/etc/php/php-fpm.d/{{ archwiki_user }}.conf"
owner=root group=root mode=0644
notify:
- restart php-fpm@{{ archwiki_user }}
- name: install archwiki memcached service
template: src="archwiki-memcached.service.j2" dest="/etc/systemd/system/archwiki-memcached.service" owner=root group=root mode=0644
- name: start and enable systemd socket
service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true
- name: install systemd services/timers
template: src="{{item}}.j2" dest="/etc/systemd/system/{{item}}" owner=root group=root mode=0644
notify:
- daemon reload
loop:
- archwiki-runjobs.service
- archwiki-runjobs-wait.service
- archwiki-runjobs.timer
- archwiki-prune-cache.service
- archwiki-prune-cache.timer
- archwiki-question-updater.service
- archwiki-memcached.service
- name: start and enable archwiki runjobs timer
service: name="archwiki-runjobs.timer" enabled=yes state=started
- name: start and enable archwiki prune cache timer
service: name="archwiki-prune-cache.timer" enabled=yes state=started
- name: start and enable archwiki runjobs wait service
service: name="archwiki-runjobs-wait.service" enabled=yes state=started
- name: create question answer file
service: name=archwiki-question-updater.service state=started
- name: start and enable archwiki memcached
service: name=archwiki-memcached.service enabled=yes state=started
- name: ensure question answer file exists and set permissions
file: state=file path="{{archwiki_question_answer_file}}" owner=root group=root mode=0644
- name: create pacman.d hooks dir
file: state=directory owner=root group=root path=/etc/pacman.d/hooks
- name: install archwiki question updater hook
template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644
Reference in a new issue View git blame Copy permalink