Ansible Setup
inventory.local.yml
---
# Local inventory. `make local-inventory` seeds this file from inventory.yml; the
# __APPLICATION__* placeholders must be replaced before a playbook is run against it.
all:
  children:
    production:
      hosts:
        __APPLICATION__DOMAIN__:
          ansible_host: __APPLICATION__IP__
          # Uncomment to use a specific private key for this host.
          # ansible_ssh_private_key_file: ~/.ssh/id_rsa
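# Prefer the developer-local inventory when one exists, otherwise the committed one.
ifeq ($(wildcard ./inventory.local.yml),)
INVENTORY_FILE = inventory.yml
else
INVENTORY_FILE = inventory.local.yml
endif

# None of these targets produce a file of the same name, so never let a stray file skip them.
.PHONY: local-inventory check-inventory prepare software after

# Seed the local inventory from the committed one (overwrites an existing local copy).
local-inventory:
	cp -vf ./inventory.yml ./inventory.local.yml

check-inventory:
	echo $(INVENTORY_FILE)

## == INFRA ============================================================================================================
# Each target runs the playbook it is named after; the playbook is a prerequisite so a
# missing file fails before ansible-playbook starts. The commented variants add --ask-vault-pass
# for when vars/production-secrets.yml is enabled.
prepare: playbook--prepare.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--prepare.yml
# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--prepare.yml

software: playbook--software.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--software.yml
# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--software.yml

# Fixed: this recipe ran playbook--software.yml, so `make after` never executed playbook--after.yml.
after: playbook--after.yml
	ansible-playbook -i $(INVENTORY_FILE) --limit production playbook--after.yml
# ansible-playbook -i $(INVENTORY_FILE) --limit production --ask-vault-pass playbook--after.yml
## =====================================================================================================================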
# Runs as the `app` user with privilege escalation: pip, supervisor and cron roles.
- hosts: production
  remote_user: app
  become: true
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.pip
    - role: geerlingguy.supervisor
    - role: manala.cron
# Runs directly as root (no become): the local `setup` role, which appears to create
# the `app` account the other plays log in as, plus fail2ban.
- hosts: production
  remote_user: root
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - setup
    - oefenweb.fail2ban
# Application runtime stack: git, redis, PHP (with pgsql/redis extensions), composer, node, yarn.
# PostgreSQL stays commented out together with its vars and its galaxy install line.
- hosts: production
  remote_user: app
  become: true
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.git
    # - role: geerlingguy.postgresql
    - role: geerlingguy.redis
    - role: geerlingguy.php-versions
    - role: geerlingguy.php
    - role: geerlingguy.php-pgsql
    - role: geerlingguy.php-redis
    - role: geerlingguy.composer
    - role: geerlingguy.nodejs
    - role: ocha.yarn
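# Stops nginx if it is installed, presumably so the certbot standalone issuance in the
# following play can bind port 80 (the vars leave certbot_create_standalone_stop_services empty).
- hosts: production
  remote_user: app
  become: true
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  tasks:
    # Probe first so the stop task is skipped on a host where nginx is not installed yet.
    - name: Check NGINX Presence
      stat:
        path: /etc/nginx/nginx.conf
      register: nginx_conf_stat_result

    - name: Stop nginx
      # `stat.exists` is already a boolean; `== True` was redundant (ansible-lint literal-compare).
      when: nginx_conf_stat_result.stat.exists
      service:
        name: nginx
        state: stopped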
# Certificate issuance, then the web server (which references the issued cert in its vhost).
- hosts: production
  remote_user: app
  become: true
  vars_files:
    # - vars/production-secrets.yml
    - vars/production.yml
  roles:
    - role: geerlingguy.certbot
    - role: geerlingguy.nginx
### ssh.yml
# Inputs for the ssh.yml tasks (adapted from geerlingguy.security).
# The yes/no values are deliberately quoted strings: they are written verbatim into
# sshd_config, whose keyword syntax is yes/no, not YAML booleans.
security_ssh_config_path: /etc/ssh/sshd_config
security_sshd_name: ssh
security_ssh_port: 22
security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "no"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
# Empty by default; vars/production.yml adds `app` to the passwordless list.
security_sudoers_passwordless: []
security_sudoers_passworded: []
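# Handler notified by the sshd_config tasks in ssh.yml. Written as block YAML instead of a
# `key=value` argument string (Ansible's recommended module-argument form).
- name: restart ssh
  service:
    name: "{{ security_sshd_name }}"
    state: restarted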
# System timezone; the PHP php_date_timezone var uses the same zone.
- name: Set timezone
  timezone:
    name: America/Sao_Paulo
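# Refresh the package index before the installs below.
# `force: yes` was removed: in the apt module it maps to `apt-get --force-yes` and implies
# allow_unauthenticated (package signature checks off). A cache refresh does not need it.
- name: apt update
  apt:
    update_cache: true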
# Groups the `app` account is added to below. `admin` is not created here.
- name: Setup groups
  group:
    name: "{{ item }}"
    state: present
  loop:
    - app
    - www-data
# Deploy account. `append: true` keeps whatever groups the account already has.
- name: Setup user app
  user:
    name: app
    state: present
    append: true
    groups:
      - app
      # NOTE(review): `admin` is not created by the groups task above; on an image without
      # that group this task fails — confirm against the target distribution.
      - admin
      - www-data
    shell: /bin/bash
    home: /home/app
    # Generates a 2048-bit key (module default type is rsa) at ~/.ssh/id_rsa on first run;
    # the authorized_keys copy below relies on ~/.ssh existing afterwards.
    generate_ssh_key: true
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
# Let the operator keys already authorized for root also log in as `app`.
# remote_src copies on the target host rather than from the controller.
- name: Copy authorized keys from root
  copy:
    remote_src: true
    src: /root/.ssh/authorized_keys
    dest: /home/app/.ssh/authorized_keys
    owner: app
    group: app
    # Quoted so the leading zero is not read as octal; 0644 satisfies sshd StrictModes
    # (not group/world writable), though 0600 is the more conventional choice.
    mode: '0644'
# Retrieved from geerlingguy.security: sshd_config hardening and sudoers entries.
- include_tasks: ssh.yml
# unzip is needed by composer for zip-distributed packages.
- name: Install unzip package
  apt:
    name: unzip
    state: present
    update_cache: true
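---
# Hardens sshd_config keyword by keyword; each `line` is templated from the security_ssh_* vars.
# lineinfile appends a keyword that is absent (or present only as a `#` comment) at the end of
# the file. NOTE(review): if the target's sshd_config ends with a `Match` block, an appended
# line lands inside that block — confirm on the target image.
- name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "{{ security_ssh_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Reject a config sshd cannot parse before it is written, instead of finding out when
    # the `restart ssh` handler leaves the host without a working sshd.
    validate: 'sshd -T -f %s'
  with_items:
    - regexp: "^PasswordAuthentication"
      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
    - regexp: "^Port"
      line: "Port {{ security_ssh_port }}"
    - regexp: "^UseDNS"
      line: "UseDNS {{ security_ssh_usedns }}"
    - regexp: "^PermitEmptyPasswords"
      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
    - regexp: "^ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
    - regexp: "^GSSAPIAuthentication"
      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
    - regexp: "^X11Forwarding"
      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
  notify: restart ssh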
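# Grants passwordless sudo to each listed account. The regexp anchors on the name followed by
# whitespace so that e.g. `app` cannot match and overwrite an unrelated `appuser` line.
- name: Add configured user accounts to passwordless sudoers.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}\s'
    line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'
    state: present
    # visudo -c checks the candidate file before it replaces /etc/sudoers; a broken
    # sudoers would otherwise lock everyone out of sudo.
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passwordless }}"
  when: security_sudoers_passwordless | length > 0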
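# Same as the passwordless task, but the accounts must still type their password for sudo.
# The regexp anchors on the name followed by whitespace so a name is never a prefix match.
- name: Add configured user accounts to passworded sudoers.
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}\s'
    line: '{{ item }} ALL=(ALL) ALL'
    state: present
    # Syntax-check the candidate file before it replaces /etc/sudoers.
    validate: 'visudo -cf %s'
  with_items: "{{ security_sudoers_passworded }}"
  when: security_sudoers_passworded | length > 0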
# Install every Galaxy role the playbooks reference into ./roles, in the original order.
# geerlingguy.postgresql stays out while PostgreSQL is commented out in the playbook.
for role in \
  oefenweb.fail2ban \
  geerlingguy.git \
  geerlingguy.redis \
  geerlingguy.php-versions \
  geerlingguy.php \
  geerlingguy.php-pgsql \
  geerlingguy.php-redis \
  geerlingguy.composer \
  geerlingguy.nodejs \
  ocha.yarn \
  geerlingguy.certbot \
  geerlingguy.nginx \
  geerlingguy.pip \
  geerlingguy.supervisor \
  manala.cron
do
  ansible-galaxy -p roles "$role"
done
# ansible-galaxy -p roles geerlingguy.postgresql
### voxconexao.setup
# Accounts that receive `ALL=(ALL) NOPASSWD: ALL` in /etc/sudoers via the setup role's ssh.yml.
security_sudoers_passwordless:
  - app
### oefenweb.fail2ban
fail2ban_loglevel: 2
# Default ban length in seconds for jails that do not set their own.
fail2ban_bantime: 3600
fail2ban_services:
  - name: sshd
    # Keep in step with security_ssh_port.
    port: 22
    maxretry: 5
    # Negative bantime means a permanent ban; this overrides the 3600s default for sshd only.
    bantime: -1
### geerlingguy.redis
# Quoted on purpose: the value is written into redis.conf, which expects the literal yes/no.
redis_appendonly: "yes"
redis_databases: 5
### geerlingguy.postgresql
# postgresql_locales:
# - 'en_US.UTF-8'
# - 'pt_BR.UTF-8'
# postgresql_users:
# - name: __DB_USER__
# password: "{{ postgresql_database_password }}"
# postgresql_databases:
# - name: __DB_NAME__
# owner: __DB_USER__
# postgresql_hba_entries:
# - { type: local, database: all, user: postgres, auth_method: peer }
# - { type: local, database: all, user: __DB_USER__, auth_method: peer }
# - { type: local, database: all, user: all, auth_method: peer }
# - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
# - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
### geerlingguy.php-versions
### geerlingguy.php
### geerlingguy.php-pgsql
# Versions are quoted so YAML does not read 7.4 as a float.
php_version: "7.4"
php_default_version_debian: "7.4"
php_install_recommends: false
php_packages_extra:
  - php7.4-bcmath
  - php7.4-intl
  - php7.4-pspell
  - php7.4-soap
  - php7.4-zip
# nginx talks to PHP-FPM; no Apache/mod_php.
php_enable_webserver: false
php_enable_php_fpm: true
php_date_timezone: "America/Sao_Paulo"
php_upload_max_filesize: "20M"
php_post_max_size: "64M"
# On/Off are php.ini literals, hence strings. expose_php Off keeps the X-Powered-By version header out of responses.
php_allow_url_fopen: "On"
php_expose_php: "Off"
php_pgsql_package: php7.4-pgsql
### geerlingguy.certbot
# Renewal is not scheduled by the role; the manala.cron `root` file below runs `certbot renew`.
certbot_auto_renew: false
certbot_admin_email: __ADMIN__EMAIL__
certbot_create_if_missing: true
# Empty because the playbook already stops nginx before this role runs.
certbot_create_standalone_stop_services: []
certbot_certs:
  - domains:
      - __APPLICATION__DOMAIN__
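### geerlingguy.nginx
nginx_remove_default_vhost: true
nginx_vhosts:
  # Port 80 only redirects to HTTPS.
  - listen: 80
    root: /var/www/html
    server_name: __APPLICATION__DOMAIN__
    return: 301 https://__APPLICATION__DOMAIN__$request_uri
    filename: __APPLICATION__DOMAIN__.80.conf
  # Port 443 serves the app's public dir and hands .php requests to PHP-FPM on 127.0.0.1:9000.
  - listen: 443 ssl http2
    server_name: __APPLICATION__DOMAIN__
    root: /home/app/__APPLICATION__DOMAIN__/current/public
    index: index.php index.html index.htm
    access_log: /var/log/nginx/__APPLICATION__DOMAIN__-access.log
    error_log: /var/log/nginx/__APPLICATION__DOMAIN__-error.log
    filename: __APPLICATION__DOMAIN__.443.conf
    extra_parameters: |
      location / {
        try_files $uri $uri/ /index.php?$query_string;
      }
      location ~ \.php$ {
        # Only hand existing .php files to FPM. Without this, a request such as
        # /uploads/file.jpg/x.php can make PHP (with cgi.fix_pathinfo=1) execute file.jpg.
        # Trade-off: path-info URLs like /index.php/foo now return 404.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
      }
      location ~ /\.ht {
        deny all;
      }
      ssl_certificate /etc/letsencrypt/live/__APPLICATION__DOMAIN__/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/__APPLICATION__DOMAIN__/privkey.pem;
      # TLS 1.1 was dropped (deprecated by RFC 8996). TLSv1.3 requires nginx >= 1.13 built
      # against OpenSSL >= 1.1.1; on older builds keep only TLSv1.2.
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;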
### geerlingguy.supervisor
supervisor_started: false
supervisor_programs:
  - name: 'app-worker'
    # Plain queue worker alternative, kept for reference:
    # command: php /home/app/__APPLICATION__DOMAIN__/current/artisan queue:work --sleep=3
    command: php /home/app/__APPLICATION__DOMAIN__/current/artisan horizon
    state: present
    configuration: |
      process_name=%(program_name)s_%(process_num)02d
      autostart=true
      autorestart=true
      user=app
      numprocs=1
      redirect_stderr=true
      stdout_logfile=/home/app/__APPLICATION__DOMAIN__/shared/storage/logs/queue-worker.log
      stopwaitsecs=3600
# Prefer the commented form once vars/production-secrets.yml (vault) is enabled: a literal
# value here ends up in version control.
# supervisor_password: "{{ supervisor_ctl_password }}"
supervisor_password: __SUPERVISOR__PASS__
### manala.cron
manala_cron_files:
  # Laravel scheduler, every minute (no minute/hour given), as the deploy user.
  - file: app
    user: app
    jobs:
      - name: scheduler
        job: "cd /home/app/__APPLICATION__DOMAIN__/current/ && php artisan schedule:run >> /dev/null 2>&1"
  # Certificate renewal at 03:30 as root. nginx is stopped for the duration so the standalone
  # authenticator can bind port 80, which means a short nightly downtime window.
  - file: root
    user: root
    jobs:
      - name: cerbot
        job: "systemctl stop nginx.service && certbot renew --quiet --no-self-upgrade && systemctl start nginx.service"
        minute: 30
        hour: 3