@fukata
Last active August 29, 2015 14:22
ansible playbook for fukata.org
#
# fukata.org
# ansible v1.8.2
#
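- hosts: all
  # Every task in this play runs with root privileges.
  sudo: true
  vars:
    # Number of 1 MiB blocks written to the swap file (dd bs=1M count=...).
    swap_count: 1024
    # Quoted so YAML keeps the versions as strings; an unquoted 2.3 is loaded
    # as a float and a value such as 2.10 would silently become 2.1.
    nginx_version: '1.9.1'
    ngx_cache_purge_version: '2.3'
    # Placeholders: set these to the S3 bucket and backup tag to restore from.
    backup_bucket: BACKUP_BUCKET
    backup_version: BACKUP_VERSION
  tasks:
    # NOTE(review): these files presumably define aws_access_key,
    # aws_secret_key, wp_db_password and user_password, which the tasks below
    # reference. Keep them out of version control or encrypt them with
    # ansible-vault - confirm how they are stored.
    - include_vars: vars/aws.yml
    - include_vars: vars/db.yml
    - include_vars: vars/mackerel.yml
    - include_vars: vars/user.yml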
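# see: https://help.cybozu.com/ja/general/admin/timezone.html
    - name: ensure Etc/GMT timezone
      copy:
        content: Etc/GMT
        dest: /etc/timezone
        backup: true
      register: timezone
    # Only re-run tzdata configuration when /etc/timezone actually changed.
    - name: ensure timezone is updated
      command: dpkg-reconfigure --frontend noninteractive tzdata
      when: timezone.changed
    - apt:
        upgrade: dist
        update_cache: true
    - group:
        name: ubuntu
        state: present
    # user_password must be a crypt(3) hash, never the clear-text password.
    # Prefer a SHA-512 hash ("$6$" prefix) over MD5-crypt ("$1$"), e.g.
    #   python -c 'import crypt; print crypt.crypt("This is my Password", "$6$SomeSalt$")'
    # Use a random salt, and note that a password typed on a command line ends
    # up in shell history. The value is passed as a YAML mapping so characters
    # in the hash cannot be mis-parsed as key=value arguments.
    - user:
        name: ubuntu
        append: true
        groups: ubuntu
        password: "{{ user_password }}"
        shell: /bin/bash
    # Installs the controller's public key so the ubuntu user can log in by key.
    - authorized_key:
        user: ubuntu
        key: "{{ lookup('file', '~/.ssh/digital_ocean_id_rsa.pub') }}"
    # state=latest upgrades these packages on every run; versions are not pinned.
    - name: Install some basic packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - build-essential
        - sysv-rc-conf
        - git
        - gettext
        - libpcre3
        - libpcre3-dev
        - libxml2-dev
        - libxslt-dev
        - libgd-dev
        - libgeoip-dev
        - python-boto  # for s3 module
        - python-mysqldb  # for mysql_db module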
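##################################################################
# swap
##################################################################
    # The swap file is only created when the host reports no swap at all.
    - name: Create swap space
      command: dd if=/dev/zero of=/extraswap bs=1M count={{ swap_count }}
      when: ansible_swaptotal_mb < 1
      tags: swap
    # Swap can hold pages of any process (keys, passwords), so the file must
    # not be readable by other users; dd creates it with the default umask.
    - name: Restrict the swap file to root
      file:
        dest: /extraswap
        owner: root
        group: root
        mode: '0600'
      when: ansible_swaptotal_mb < 1
      tags: swap
    - name: Make swap
      command: mkswap /extraswap
      when: ansible_swaptotal_mb < 1
      tags: swap
    # regexp keeps the entry unique if the play is run again.
    - name: Add to fstab
      lineinfile:
        dest: /etc/fstab
        regexp: extraswap
        line: /extraswap none swap sw 0 0
        state: present
      tags: swap
    - name: Turn swap on
      command: swapon -a
      tags: swap
    # Writing to /proc changes the running kernel only; the value is not
    # persisted across reboots.
    - name: Set swapiness
      shell: echo 0 | sudo tee /proc/sys/vm/swappiness
      tags: swap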
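##################################################################
# ufw
##################################################################
    # The allow rules are added before the firewall is switched on so the SSH
    # session running this play is never cut off.
    - name: Allow OpenSSH
      ufw:
        rule: allow
        name: OpenSSH
      tags: ufw
    # NOTE(review): both an allow and a limit rule target SSH; check on the
    # host which one takes effect - if the plain allow matches first, the
    # rate limit does nothing.
    - name: Rate-limit SSH connections
      ufw:
        rule: limit
        port: ssh
        proto: tcp
      tags: ufw
    - name: Allow HTTP
      ufw:
        rule: allow
        port: '80'
      tags: ufw
    # Default-deny for incoming traffic. With policy=allow the rules above
    # were redundant and every other listening port on the host (for example
    # MySQL or memcached, if bound to a public address) was reachable.
    - name: Enable ufw with a default-deny policy
      ufw:
        state: enabled
        policy: deny
      tags: ufw
    # 'on' is quoted: unquoted it is loaded as a YAML boolean, not the string
    # the module expects.
    - name: Turn on firewall logging
      ufw:
        logging: 'on'
      tags: ufw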
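##################################################################
# ssh
##################################################################
    # validate runs sshd in test mode against the rendered file before it is
    # moved into place, so a broken template cannot replace a working
    # sshd_config and lock out remote access on the restart below.
    - template:
        src: templates/ssh/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0644'
        validate: '/usr/sbin/sshd -t -f %s'
      tags: ssh
    # Restarted on every run, whether or not the template changed.
    - service:
        name: ssh
        state: restarted
      tags: ssh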
##################################################################
# mysql
##################################################################
    # NOTE(review): nothing in this section sets a MySQL root password or
    # removes default accounts - confirm that is handled elsewhere.
    - name: Install mysql packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - mysql-server
        - mysql-client
      tags: mysql
    - name: Be sure mysql is running and enabled
      service:
        name: mysql
        state: running
        enabled: true
      tags: mysql
    # dest is a directory, so the file keeps the template's name (my.cnf).
    - template:
        src: templates/mysql/my.cnf
        dest: /etc/mysql/
      tags: mysql
    # Unconditional restart so the new my.cnf is picked up.
    - command: service mysql restart
      tags: mysql
##################################################################
# php
##################################################################
    # NOTE(review): php5-dbg and php5-dev are debugging/build packages;
    # confirm they are needed on this host.
    - name: Install php packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - php5
        - php5-cli
        - php5-cgi
        - php5-curl
        - php5-dbg
        - php5-gd
        - php5-dev
        - php5-json
        - php5-mcrypt
        - php5-memcache
        - php5-memcached
        - php5-mysql
        - php5-readline
        - php5-xmlrpc
      tags: php
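##################################################################
# nginx
##################################################################
    - file:
        dest: /usr/local/src/nginx
        state: directory
        recurse: true
      tags: nginx
    # NOTE(review): this tarball is fetched over plain HTTP with no integrity
    # check and is then compiled and installed as root. Pin a digest you have
    # verified yourself via get_url's sha256sum option
    # (sha256sum=<VERIFIED_SHA256_PLACEHOLDER>), or mirror the file somewhere
    # you control.
    - name: Download nginx module nginx_ngx_cache_purge
      get_url:
        url: http://labs.frickle.com/files/ngx_cache_purge-{{ ngx_cache_purge_version }}.tar.gz
        dest: /usr/local/src/nginx
        mode: '0644'
      tags: nginx
    - unarchive:
        src: /usr/local/src/nginx/ngx_cache_purge-{{ ngx_cache_purge_version }}.tar.gz
        dest: /usr/local/src/nginx
        copy: false
      tags: nginx
    # Fetched over HTTPS so the source cannot be altered in transit. TLS does
    # not replace an integrity check: also pin sha256sum to a digest checked
    # against the project's published signature
    # (sha256sum=<VERIFIED_SHA256_PLACEHOLDER>).
    - name: Download nginx
      get_url:
        url: https://nginx.org/download/nginx-{{ nginx_version }}.tar.gz
        dest: /usr/local/src/nginx
        mode: '0644'
      tags: nginx
    - unarchive:
        src: /usr/local/src/nginx/nginx-{{ nginx_version }}.tar.gz
        dest: /usr/local/src/nginx
        copy: false
      tags: nginx
    # Folded block scalar: the lines are joined with single spaces, so no
    # backslash continuations are needed. Keep every option at the same
    # indentation or the folding changes.
    # NOTE(review): --with-debug, the DAV, stub_status and mail modules all
    # add attack surface; confirm each is actually used by the site configs.
    - name: Configure nginx
      command: >-
        ./configure
        --prefix=/etc/nginx
        --conf-path=/etc/nginx/nginx.conf
        --error-log-path=/var/log/nginx/error.log
        --http-client-body-temp-path=/var/lib/nginx/body
        --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
        --http-log-path=/var/log/nginx/access.log
        --http-proxy-temp-path=/var/lib/nginx/proxy
        --http-scgi-temp-path=/var/lib/nginx/scgi
        --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
        --lock-path=/var/lock/nginx.lock
        --pid-path=/var/run/nginx.pid
        --with-debug
        --with-http_addition_module
        --with-http_dav_module
        --with-http_geoip_module
        --with-http_gzip_static_module
        --with-http_image_filter_module
        --with-http_realip_module
        --with-http_stub_status_module
        --with-http_ssl_module
        --with-http_sub_module
        --with-http_xslt_module
        --with-ipv6
        --with-sha1=/usr/include/openssl
        --with-md5=/usr/include/openssl
        --with-mail --with-mail_ssl_module
        --add-module=/usr/local/src/nginx/ngx_cache_purge-{{ ngx_cache_purge_version }}
      args:
        chdir: /usr/local/src/nginx/nginx-{{ nginx_version }}
      tags: nginx
    - name: Make nginx
      command: make
      args:
        chdir: /usr/local/src/nginx/nginx-{{ nginx_version }}
      tags: nginx
    - name: Install nginx
      command: make install
      args:
        chdir: /usr/local/src/nginx/nginx-{{ nginx_version }}
      tags: nginx
    # Per-site log directories and the sites-available/sites-enabled layout.
    - file:
        dest: "{{ item }}"
        state: directory
        recurse: true
      with_items:
        - /var/log/nginx/fukata.org
        - /var/log/nginx/camera.fukata.org
        - /var/log/nginx/tabearuki.fukata.org
        - /var/log/nginx/travel.fukata.org
        - /etc/nginx/sites-available
        - /etc/nginx/sites-enabled
      tags: nginx
    # Cache and temp directories are handed to www-data.
    - file:
        dest: "{{ item }}"
        state: directory
        recurse: true
        owner: www-data
        group: www-data
      with_items:
        - /var/cache/nginx
        - /var/lib/nginx
      tags: nginx
    - template:
        src: templates/nginx/nginx.conf
        dest: /etc/nginx/nginx.conf
      tags: nginx
    - template:
        src: templates/nginx/fastcgi_params
        dest: /etc/nginx/fastcgi_params
      tags: nginx
    # sites
    - template:
        src: templates/nginx/sites-available/fukata.org
        dest: /etc/nginx/sites-available/fukata.org
      tags: nginx
    # Enable the site by symlinking it into sites-enabled.
    - file:
        src: /etc/nginx/sites-available/fukata.org
        dest: /etc/nginx/sites-enabled/fukata.org
        state: link
      tags: nginx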
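##################################################################
# www
##################################################################
    - file:
        dest: /usr/local/src/www
        state: directory
        recurse: true
      tags: www
    - file:
        dest: /var/www
        state: directory
        recurse: true
      tags: www
    # fukata.org
    # no_log keeps the AWS credentials out of Ansible's output and the
    # module-invocation log on the target host.
    # overwrite=false: an archive that is already present is not fetched again.
    - s3:
        mode: get
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        overwrite: false
        bucket: "{{ backup_bucket }}"
        object: /services/fukata.org/www/fukata.org.{{ backup_version }}.tar.gz
        dest: /usr/local/src/www/fukata.org.{{ backup_version }}.tar.gz
      no_log: true
      tags: www
    # NOTE(review): the archive is unpacked as-is into the web root; nothing
    # here checks its contents or integrity - confirm the bucket is trusted.
    - unarchive:
        src: /usr/local/src/www/fukata.org.{{ backup_version }}.tar.gz
        dest: /var/www
        copy: false
        owner: www-data
        group: www-data
      tags: www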
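##################################################################
# db
##################################################################
    - file:
        dest: /usr/local/src/db
        state: directory
        recurse: true
      tags: db
    # wp
    # no_log keeps the AWS credentials out of Ansible's output and the
    # module-invocation log on the target host.
    - s3:
        mode: get
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        overwrite: false
        bucket: "{{ backup_bucket }}"
        object: /services/fukata.org/db/wp.{{ backup_version }}.sql.gz
        dest: /usr/local/src/db/wp.{{ backup_version }}.sql.gz
      no_log: true
      tags: db
    # Arguments are a YAML mapping so a password containing spaces, quotes or
    # '=' is not mis-parsed; no_log keeps it out of the logs.
    # NOTE(review): no login_user/login_password is given to the mysql_*
    # tasks, so they presumably connect as a passwordless MySQL root - confirm
    # and set a root password.
    - mysql_user:
        name: "{{ wp_db_user }}"
        password: "{{ wp_db_password }}"
        priv: "{{ wp_db_name }}.*:ALL"
        state: present
      no_log: true
      tags: db
    - mysql_db:
        name: "{{ wp_db_name }}"
        state: present
        collation: utf8_general_ci
        encoding: utf8
      register: wp_db_created
      tags: db
    # The dump is imported only when the database was created by this run, so
    # an existing database is never overwritten.
    - mysql_db:
        state: import
        name: "{{ wp_db_name }}"
        target: /usr/local/src/db/wp.{{ backup_version }}.sql.gz
      when: wp_db_created.changed
      tags: db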
##################################################################
# supervisor
##################################################################
    - name: Install supervisor packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - supervisor
      tags: supervisor
    - name: Be sure supervisor is running and enabled
      service:
        name: supervisor
        state: running
        enabled: true
      tags: supervisor
    - template:
        src: templates/supervisor/supervisord.conf
        dest: /etc/supervisor/supervisord.conf
      tags: supervisor
    # programs
    # One supervisor program definition each for nginx and php-fastcgi.
    - template:
        src: templates/supervisor/conf.d/nginx.conf
        dest: /etc/supervisor/conf.d/nginx.conf
      tags: supervisor
    - template:
        src: templates/supervisor/conf.d/php-fastcgi.conf
        dest: /etc/supervisor/conf.d/php-fastcgi.conf
      tags: supervisor
    # Unconditional restart so the new program definitions are loaded.
    - command: service supervisor restart
      tags: supervisor
##################################################################
# memcached
##################################################################
    # NOTE(review): memcached is left on the package's default configuration;
    # confirm it listens on a loopback address only.
    - name: Install memcached packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - memcached
      tags: memcached
    - name: Be sure memcached is running and enabled
      service:
        name: memcached
        state: running
        enabled: true
      tags: memcached
##################################################################
# mackerel
##################################################################
    # NOTE(review): the next two tasks download a shell script and execute it
    # with the play's root privileges; nothing pins its contents. Review the
    # script and consider pinning a verified digest with get_url's sha256sum
    # option.
    - get_url:
        url: https://mackerel.io/assets/files/scripts/setup-apt.sh
        dest: /usr/local/src/
        mode: '0755'
      tags: mackerel
    - command: /usr/local/src/setup-apt.sh
      tags: mackerel
    - name: Install mackerel packages
      apt:
        pkg: "{{ item }}"
        state: latest
      with_items:
        - mackerel-agent
        - mackerel-agent-plugins
      tags: mackerel
    # dest is a directory, so the file keeps the template's name.
    - template:
        src: templates/mackerel-agent/mackerel-agent.conf
        dest: /etc/mackerel-agent/
      tags: mackerel
    # Unconditional restart so the agent picks up the new configuration.
    - command: service mackerel-agent restart
      tags: mackerel