roles: run ansible-lint --write
parent
7a9a24ef5d
commit
06416a3b64
@ -18,7 +18,7 @@
|
||||
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: download_caddy_signing_key
|
||||
when: not caddy_signing_key_stat.stat.exists
|
||||
tags:
|
||||
@ -27,7 +27,7 @@
|
||||
|
||||
- name: Add Caddy stable repo
|
||||
ansible.builtin.apt_repository:
|
||||
repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main'
|
||||
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
|
||||
filename: caddy-stable
|
||||
state: present
|
||||
register: add_caddy_apt_repository
|
||||
@ -38,9 +38,7 @@
|
||||
- name: Update apt cache
|
||||
ansible.builtin.apt: # noqa no-handler
|
||||
update_cache: true
|
||||
when:
|
||||
(download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
|
||||
add_caddy_apt_repository is changed
|
||||
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
|
||||
tags:
|
||||
- packages
|
||||
- caddy
|
||||
@ -59,7 +57,7 @@
|
||||
ansible.builtin.template:
|
||||
src: etc/caddy/Caddyfile.j2
|
||||
dest: /etc/caddy/Caddyfile
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
@ -70,7 +68,7 @@
|
||||
ansible.builtin.file:
|
||||
path: /etc/caddy/conf.d
|
||||
state: directory
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
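Review bot: The `mode: "0755"` written for the templated `/etc/caddy/Caddyfile` in the fourth hunk makes a configuration file executable; the quoting is the right fix, but the value is wider than a config file needs. Since the line is being rewritten anyway, `mode: "0644"` would match the other templated config files in this commit and keep the file to read-only for non-root users. The `"0755"` in the following hunk belongs to the `/etc/caddy/conf.d` directory and is correct there. The task that owns the Caddyfile line starts outside the hunk.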
|
||||
|
||||
|
@ -1,10 +1,9 @@
|
||||
---
|
||||
|
||||
- name: Configure vhosts
|
||||
ansible.builtin.template:
|
||||
src: etc/caddy/conf.d/vhost.j2
|
||||
dest: /etc/caddy/conf.d/{{ item.domain_name }}
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Remove MariaDB key from apt-key
|
||||
ansible.builtin.apt_key:
|
||||
id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
|
||||
id: "013577200103762554506315430003013705453362230723150730"
|
||||
state: absent
|
||||
tags:
|
||||
- packages
|
||||
@ -21,7 +21,7 @@
|
||||
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: download_mariadb_signing_key
|
||||
when: not mariadb_signing_key_stat.stat.exists
|
||||
tags:
|
||||
@ -30,7 +30,8 @@
|
||||
|
||||
- name: Add MariaDB 10.6 repo
|
||||
ansible.builtin.apt_repository:
|
||||
repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
|
||||
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release
|
||||
}} main
|
||||
filename: mariadb
|
||||
state: present
|
||||
register: add_mariadb_apt_repository
|
||||
@ -41,16 +42,14 @@
|
||||
- name: Update apt cache
|
||||
ansible.builtin.apt: # noqa no-handler
|
||||
update_cache: true
|
||||
when:
|
||||
(download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
|
||||
add_mariadb_apt_repository is changed
|
||||
when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
|
||||
tags:
|
||||
- packages
|
||||
- mariadb
|
||||
|
||||
- name: Install mariadb-server
|
||||
ansible.builtin.apt:
|
||||
name: ['mariadb-server', 'python3-pymysql']
|
||||
name: [mariadb-server, python3-pymysql]
|
||||
state: present
|
||||
cache_valid_time: 3600
|
||||
tags: mariadb, packages
|
||||
@ -61,7 +60,7 @@
|
||||
dest: /etc/mysql/my.cnf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
notify:
|
||||
- restart mariadb
|
||||
tags: mariadb
|
||||
@ -83,7 +82,7 @@
|
||||
src: .my.cnf.j2
|
||||
dest: /root/.my.cnf
|
||||
owner: root
|
||||
mode: 0600
|
||||
mode: "0600"
|
||||
tags: mariadb
|
||||
|
||||
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
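Review bot: The `apt_key` `id` in the first hunk was rewritten from the hex fingerprint `0x177F4010FE56CA3336300305F1656F24C74CD1D8` to `"013577200103762554506315430003013705453362230723150730"`, which is the same number re-emitted in octal (an unquoted `0x…` is an integer to a YAML 1.1 loader, so the value was probably already reaching the module as a decimal number rather than a hex ID before this commit). `apt_key` identifies keys by their hex ID, so `state: absent` does not target the MariaDB key and the legacy apt-key entry stays trusted; quoting the fingerprint as a string, `id: "0x177F4010FE56CA3336300305F1656F24C74CD1D8"` (or the same without the `0x` prefix), fixes it. The first hunk of the nginx section has the identical rewrite of `0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` and needs the same change. Separately, the `repo:` value in the third hunk is now line-wrapped in the middle of `{{ ansible_distribution_release }}`; YAML folds it back to one line, but a `>-` block scalar or the original quotes would avoid splitting a Jinja expression, and the same wrap appears in the letsencrypt `when:`, the nginx vhosts `command:` and the WordPress `git:` lines.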
|
||||
|
@ -14,11 +14,11 @@ nginx_ssl_session_cache: shared:SSL:10m
|
||||
# 1400 bytes to fit in one MTU (default is 16k!)
|
||||
nginx_ssl_buffer_size: 1400
|
||||
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
|
||||
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
|
||||
nginx_ssl_protocols: TLSv1.2 TLSv1.3
|
||||
|
||||
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
||||
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
|
||||
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
|
||||
|
||||
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
|
||||
# in seconds, see: https://hstspreload.org/
|
||||
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
# Use acme.sh instead of certbot because they only support installation via
|
||||
# snap now.
|
||||
- block:
|
||||
@ -25,7 +24,7 @@
|
||||
ansible.builtin.get_url:
|
||||
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
|
||||
dest: "{{ letsencrypt_acme_script_temp }}"
|
||||
mode: 0700
|
||||
mode: "0700"
|
||||
register: acme_download
|
||||
when: not acme_home.stat.exists
|
||||
|
||||
@ -64,7 +63,7 @@
|
||||
ansible.builtin.template:
|
||||
src: renew-letsencrypt.service.j2
|
||||
dest: /etc/systemd/system/renew-letsencrypt.service
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
@ -72,7 +71,7 @@
|
||||
ansible.builtin.copy:
|
||||
src: renew-letsencrypt.timer
|
||||
dest: /etc/systemd/system/renew-letsencrypt.timer
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
@ -84,8 +83,8 @@
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
|
||||
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
|
||||
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
|
||||
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
|
||||
is version('11', '>='))
|
||||
tags: letsencrypt
|
||||
|
||||
# vim: set ts=2 sw=2:
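Review bot: The `get_url` task in the second hunk downloads `acme.sh` from the `master` branch of the upstream repository with no `checksum:`, so the tightened `mode: "0700"` is applied to a script whose content can change between runs without any verification of what was fetched. Pinning the URL to a tagged release and adding `checksum: "sha256:<PLACEHOLDER: digest of the pinned release>"` would make the download reproducible and fail closed if the served file differs from the expected one. The enclosing `- block:` opens in the first hunk and its task list continues outside the hunks shown.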
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Remove nginx apt signing key from apt-key
|
||||
ansible.builtin.apt_key:
|
||||
id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
|
||||
id: "053473772654754373614404074646527257655730117366337542"
|
||||
state: absent
|
||||
tags:
|
||||
- packages
|
||||
@ -21,7 +21,7 @@
|
||||
dest: /usr/share/keyrings/nginx_signing.key
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: download_nginx_signing_key
|
||||
when: not nginx_signing_key_stat.stat.exists
|
||||
tags:
|
||||
@ -34,7 +34,7 @@
|
||||
dest: /etc/apt/sources.list.d/nginx_org_sources.list
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: add_nginx_apt_repository
|
||||
tags:
|
||||
- nginx
|
||||
@ -43,9 +43,7 @@
|
||||
- name: Update apt cache
|
||||
ansible.builtin.apt: # noqa no-handler
|
||||
update_cache: true
|
||||
when:
|
||||
(download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or
|
||||
add_nginx_apt_repository is changed
|
||||
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
|
||||
|
||||
- name: Install nginx
|
||||
ansible.builtin.apt:
|
||||
@ -60,7 +58,7 @@
|
||||
ansible.builtin.template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
@ -70,8 +68,8 @@
|
||||
- name: Copy extra nginx configs
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/nginx/{{ item }}"
|
||||
mode: 0644
|
||||
dest: /etc/nginx/{{ item }}
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
loop:
|
||||
@ -93,7 +91,7 @@
|
||||
state: directory
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
tags: nginx
|
||||
|
||||
- name: Configure nginx virtual hosts
|
||||
@ -110,7 +108,7 @@
|
||||
ansible.builtin.template:
|
||||
src: blank-vhost.conf.j2
|
||||
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
@ -121,7 +119,7 @@
|
||||
ansible.builtin.copy:
|
||||
src: munin.conf
|
||||
dest: /etc/nginx/conf.d/munin.conf
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Configure https vhosts
|
||||
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
|
||||
@ -8,7 +7,8 @@
|
||||
- reload nginx
|
||||
|
||||
- name: Generate self-signed TLS cert
|
||||
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
|
||||
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
|
||||
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Install WordPress
|
||||
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
|
||||
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
|
||||
}} depth=1 force=true
|
||||
when:
|
||||
- item.has_wordpress is defined
|
||||
- item.has_wordpress
|
||||
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Set php-fpm packages
|
||||
ansible.builtin.set_fact:
|
||||
@ -24,7 +23,7 @@
|
||||
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
|
||||
notify: reload php8.2-fpm
|
||||
@ -42,7 +41,7 @@
|
||||
dest: /etc/php/8.2/fpm/php.ini
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
notify: reload php8.2-fpm
|
||||
|
||||
tags: php-fpm
|
||||
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Set php-fpm packages
|
||||
ansible.builtin.set_fact:
|
||||
|
@ -11,13 +11,13 @@
|
||||
- name: Check if any vhost needs WordPress
|
||||
ansible.builtin.set_fact:
|
||||
install_php: true
|
||||
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
|
||||
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
|
||||
|
||||
# Legacy, was only for Piwik, but leaving for now.
|
||||
- name: Check if any vhost needs PHP
|
||||
ansible.builtin.set_fact:
|
||||
install_php: true
|
||||
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
|
||||
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
|
||||
|
||||
# If install_php has not been set, then we assume no vhosts need PHP. This is
|
||||
# a bit hacky, but it's the closest we come to an if/then/else.
|
||||
@ -31,7 +31,7 @@
|
||||
when:
|
||||
- ansible_distribution == 'Ubuntu'
|
||||
- ansible_distribution_version is version('20.04', '==')
|
||||
- install_php == true
|
||||
- install_php
|
||||
tags: php-fpm
|
||||
|
||||
- name: Configure php-fpm on Debian 11
|
||||
@ -39,7 +39,7 @@
|
||||
when:
|
||||
- ansible_distribution == 'Debian'
|
||||
- ansible_distribution_major_version is version('11', '==')
|
||||
- install_php == true
|
||||
- install_php
|
||||
tags: php-fpm
|
||||
|
||||
- name: Configure php-fpm on Debian 12
|
||||
@ -47,7 +47,7 @@
|
||||
when:
|
||||
- ansible_distribution == 'Debian'
|
||||
- ansible_distribution_major_version is version('12', '==')
|
||||
- install_php == true
|
||||
- install_php
|
||||
tags: php-fpm
|
||||
|
||||
# vim: set ts=2 sw=2:
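Review bot: The three `when:` rewrites from `- install_php == true` to `- install_php` are equivalent for the boolean `true` that the `set_fact` tasks earlier in this file assign, but a bare variable is truthy for any non-empty value, so an override supplied as a string (for example via extra-vars) would now enable the php-fpm tasks where the old comparison did not. If that override path exists, `- install_php | bool` keeps the original strictness while satisfying the lint rule. The tasks these conditions belong to start outside the hunks shown.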
|
||||
|