Skip to content

Instantly share code, notes, and snippets.

@srugano
Forked from marklit/playbook.yml
Created January 13, 2019 15:19
Show Gist options
  • Save srugano/57a130f8d6c9802c30402bc4130d2902 to your computer and use it in GitHub Desktop.
Save srugano/57a130f8d6c9802c30402bc4130d2902 to your computer and use it in GitHub Desktop.
Setup a load-balanced, two-node Django cluster
---
- name: SSH tightening
hosts: all
sudo: True
tasks:
- name: Disable root's ssh account
action: >
lineinfile
dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin no"
state=present
notify: Restart ssh
- name: Disable password authentication
action: >
lineinfile
dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
notify: Restart ssh
handlers:
- name: Restart ssh
action: service name=ssh state=restarted
- name: Update APT package cache
hosts: all
gather_facts: False
sudo: True
tasks:
- name: Update APT package cache
action: apt update_cache=yes
- name: Set timezone to UTC
hosts: all
gather_facts: False
sudo: True
tasks:
- name: Set timezone variables
copy: >
content='Etc/UTC'
dest=/etc/timezone
owner=root
group=root
mode=0644
backup=yes
notify:
- Update timezone
handlers:
- name: Update timezone
command: >
dpkg-reconfigure
--frontend noninteractive
tzdata
- name: Syncronise clocks
hosts: all
sudo: True
tasks:
- name: install ntp
apt: name=ntp
- name: copy ntp config
copy: src=files/ntp.conf dest=/etc/ntp.conf
- name: restart ntp
service: name=ntp state=restarted
- name: Setup unattended upgrades
hosts: all
gather_facts: False
sudo: True
tasks:
- name: Install unattended upgrades package
apt: name=unattended-upgrades
notify:
- dpkg reconfigure
handlers:
- name: dpkg reconfigure
command: >
dpkg-reconfigure
--frontend noninteractive
-plow unattended-upgrades
- name: Setup App Server(s)
hosts: app_servers
sudo: True
vars:
home_folder: /home/mark
venv: faulty
tasks:
- ufw: state=enabled logging=on
- ufw: direction=incoming policy=deny
- ufw: rule=limit port=ssh proto=tcp
- ufw: rule=allow port=22 proto=tcp
- ufw: >
rule=allow
port=80
proto=tcp
from_ip={{ hostvars['lb']['ansible_default_ipv4']['address'] }}
- name: Install python virtualenv
apt: name=python-virtualenv
- name: Install python dev
apt: name=python-dev
- name: Install git
apt: name=git
- name: Checkout Django code
git: >
repo=https://bitbucket.org/marklit/faulty.git
dest={{ home_folder }}/faulty
update=no
- file: >
path={{ home_folder }}/faulty
owner=mark
group=mark
mode=755
state=directory
recurse=yes
- name: Install Python requirements
pip: >
requirements={{ home_folder }}/faulty/requirements.txt
virtualenv={{ home_folder }}/.virtualenvs/{{ venv }}
- template: >
src=files/venv_activate.sh
dest={{ home_folder }}/.virtualenvs/{{ venv }}/exec
mode=755
- command: >
{{ home_folder }}/.virtualenvs/{{ venv }}/exec
python manage.py syncdb --noinput
args:
chdir: '{{ home_folder }}/faulty'
- command: >
{{ home_folder }}/.virtualenvs/{{ venv }}/exec
python manage.py migrate
args:
chdir: '{{ home_folder }}/faulty'
- name: Install supervisor
apt: name=supervisor
- template: >
src=files/supervisord.conf
dest=/etc/supervisor/conf.d/django_app.conf
- command: /usr/bin/supervisorctl reload
- supervisorctl: name=web_app state=restarted
- supervisorctl: name=celeryd state=restarted
- name: Install nginx
apt: name=nginx
- name: copy nginx config file
template: >
src=files/nginx-app.conf
dest=/etc/nginx/sites-available/default
- name: enable configuration
file: >
dest=/etc/nginx/sites-enabled/default
src=/etc/nginx/sites-available/default
state=link
- service: name=nginx state=restarted
- name: Setup Load balancer(s)
hosts: load_balancers
sudo: True
tasks:
- ufw: state=enabled logging=on
- ufw: direction=incoming policy=deny
- ufw: rule=limit port=ssh proto=tcp
- ufw: rule=allow port=22 proto=tcp
- ufw: rule=allow port=80 proto=tcp
- ufw: rule=allow port=443 proto=tcp
- apt: name=nginx
- name: copy nginx config file
template: >
src=files/nginx-load-balancer.conf
dest=/etc/nginx/sites-available/default
- copy: src=files/nginx.key dest=/etc/nginx/ssl/
- copy: src=files/nginx.crt dest=/etc/nginx/ssl/
- name: enable configuration
file: >
dest=/etc/nginx/sites-enabled/default
src=/etc/nginx/sites-available/default
state=link
- service: name=nginx state=restarted
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment