-
-
Save srugano/57a130f8d6c9802c30402bc4130d2902 to your computer and use it in GitHub Desktop.
Setup a load-balanced, two-node Django cluster
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: SSH tightening | |
| hosts: all | |
| sudo: True | |
| tasks: | |
| - name: Disable root's ssh account | |
| action: > | |
| lineinfile | |
| dest=/etc/ssh/sshd_config | |
| regexp="^PermitRootLogin" | |
| line="PermitRootLogin no" | |
| state=present | |
| notify: Restart ssh | |
| - name: Disable password authentication | |
| action: > | |
| lineinfile | |
| dest=/etc/ssh/sshd_config | |
| regexp="^PasswordAuthentication" | |
| line="PasswordAuthentication no" | |
| state=present | |
| notify: Restart ssh | |
| handlers: | |
| - name: Restart ssh | |
| action: service name=ssh state=restarted | |
| - name: Update APT package cache | |
| hosts: all | |
| gather_facts: False | |
| sudo: True | |
| tasks: | |
| - name: Update APT package cache | |
| action: apt update_cache=yes | |
| - name: Set timezone to UTC | |
| hosts: all | |
| gather_facts: False | |
| sudo: True | |
| tasks: | |
| - name: Set timezone variables | |
| copy: > | |
| content='Etc/UTC' | |
| dest=/etc/timezone | |
| owner=root | |
| group=root | |
| mode=0644 | |
| backup=yes | |
| notify: | |
| - Update timezone | |
| handlers: | |
| - name: Update timezone | |
| command: > | |
| dpkg-reconfigure | |
| --frontend noninteractive | |
| tzdata | |
| - name: Syncronise clocks | |
| hosts: all | |
| sudo: True | |
| tasks: | |
| - name: install ntp | |
| apt: name=ntp | |
| - name: copy ntp config | |
| copy: src=files/ntp.conf dest=/etc/ntp.conf | |
| - name: restart ntp | |
| service: name=ntp state=restarted | |
| - name: Setup unattended upgrades | |
| hosts: all | |
| gather_facts: False | |
| sudo: True | |
| tasks: | |
| - name: Install unattended upgrades package | |
| apt: name=unattended-upgrades | |
| notify: | |
| - dpkg reconfigure | |
| handlers: | |
| - name: dpkg reconfigure | |
| command: > | |
| dpkg-reconfigure | |
| --frontend noninteractive | |
| -plow unattended-upgrades | |
| - name: Setup App Server(s) | |
| hosts: app_servers | |
| sudo: True | |
| vars: | |
| home_folder: /home/mark | |
| venv: faulty | |
| tasks: | |
| - ufw: state=enabled logging=on | |
| - ufw: direction=incoming policy=deny | |
| - ufw: rule=limit port=ssh proto=tcp | |
| - ufw: rule=allow port=22 proto=tcp | |
| - ufw: > | |
| rule=allow | |
| port=80 | |
| proto=tcp | |
| from_ip={{ hostvars['lb']['ansible_default_ipv4']['address'] }} | |
| - name: Install python virtualenv | |
| apt: name=python-virtualenv | |
| - name: Install python dev | |
| apt: name=python-dev | |
| - name: Install git | |
| apt: name=git | |
| - name: Checkout Django code | |
| git: > | |
| repo=https://bitbucket.org/marklit/faulty.git | |
| dest={{ home_folder }}/faulty | |
| update=no | |
| - file: > | |
| path={{ home_folder }}/faulty | |
| owner=mark | |
| group=mark | |
| mode=755 | |
| state=directory | |
| recurse=yes | |
| - name: Install Python requirements | |
| pip: > | |
| requirements={{ home_folder }}/faulty/requirements.txt | |
| virtualenv={{ home_folder }}/.virtualenvs/{{ venv }} | |
| - template: > | |
| src=files/venv_activate.sh | |
| dest={{ home_folder }}/.virtualenvs/{{ venv }}/exec | |
| mode=755 | |
| - command: > | |
| {{ home_folder }}/.virtualenvs/{{ venv }}/exec | |
| python manage.py syncdb --noinput | |
| args: | |
| chdir: '{{ home_folder }}/faulty' | |
| - command: > | |
| {{ home_folder }}/.virtualenvs/{{ venv }}/exec | |
| python manage.py migrate | |
| args: | |
| chdir: '{{ home_folder }}/faulty' | |
| - name: Install supervisor | |
| apt: name=supervisor | |
| - template: > | |
| src=files/supervisord.conf | |
| dest=/etc/supervisor/conf.d/django_app.conf | |
| - command: /usr/bin/supervisorctl reload | |
| - supervisorctl: name=web_app state=restarted | |
| - supervisorctl: name=celeryd state=restarted | |
| - name: Install nginx | |
| apt: name=nginx | |
| - name: copy nginx config file | |
| template: > | |
| src=files/nginx-app.conf | |
| dest=/etc/nginx/sites-available/default | |
| - name: enable configuration | |
| file: > | |
| dest=/etc/nginx/sites-enabled/default | |
| src=/etc/nginx/sites-available/default | |
| state=link | |
| - service: name=nginx state=restarted | |
| - name: Setup Load balancer(s) | |
| hosts: load_balancers | |
| sudo: True | |
| tasks: | |
| - ufw: state=enabled logging=on | |
| - ufw: direction=incoming policy=deny | |
| - ufw: rule=limit port=ssh proto=tcp | |
| - ufw: rule=allow port=22 proto=tcp | |
| - ufw: rule=allow port=80 proto=tcp | |
| - ufw: rule=allow port=443 proto=tcp | |
| - apt: name=nginx | |
| - name: copy nginx config file | |
| template: > | |
| src=files/nginx-load-balancer.conf | |
| dest=/etc/nginx/sites-available/default | |
| - copy: src=files/nginx.key dest=/etc/nginx/ssl/ | |
| - copy: src=files/nginx.crt dest=/etc/nginx/ssl/ | |
| - name: enable configuration | |
| file: > | |
| dest=/etc/nginx/sites-enabled/default | |
| src=/etc/nginx/sites-available/default | |
| state=link | |
| - service: name=nginx state=restarted |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment