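---
# Let's Encrypt example that installs the myapp tutorial git repository on an Amazon EC2 server.
#
# Requirements:
#
#   ansible-galaxy install -r requirements-letsencrypt.yml
#
# No secrets live in this file: they are loaded from secrets.yml (see pre_tasks)
# and from the scaffold-generated production-secrets.ini referenced below.
- hosts: kjvrvg_production
  # - hosts: kjvrvg_development
  gather_facts: true

  # Play variables. Written as a mapping rather than a list of single-key
  # mappings: the list form of `vars` is deprecated in Ansible and the mapping
  # form is the canonical one. Values are unchanged.
  vars:
    package_name: kjvrvg
    site_id: kjvrvg
    company_name: faithfulaudio

    # Feature switches, written as YAML booleans (`true`/`false`) instead of the
    # YAML 1.1 `on`/`off` spellings. Ansible's loader reads both the same way,
    # but `on`/`off` trip yamllint's `truthy` rule and differ across parsers.
    # Do we create Let's Encrypt HTTPS certificate for the site
    # NOTE(review): the key is spelled `letsenrypt` (missing "c"). Kept as-is
    # because the consuming roles may look up exactly this name — confirm
    # against websauna.ansible/default.yml before renaming it.
    letsenrypt: true
    # Websocket is only needed to connect to IPython Notebook running on the server
    websocket: false
    # Install Postfix for email out
    smtp: true
    # Is HTTPS traffic terminated by Nginx
    ssl: true
    # Do we install Celery worker and beat to run background tasks
    celery: true
    # Is the site proxied by Cloudflare security service
    cloudflare: false
    # Do we need to support New Relic monitoring
    new_relic: false
    # Do we enable Linux firewall
    firewall: true
    # Do we set up Duplicity backup tasks
    backup: false

    # git_repository: git@github.com:websauna/myapp.git
    git_repository: git@github.com:FaithfulAudio/kjvrvg-server.git
    # git_repository: git@bitbucket.org:sidha/ccxact.git
    git_branch: all-scripture
    site_mode: production
    # ini_secrets_file: ../myapp/myapp/conf/production-secrets.ini
    ini_secrets_file: production-secrets.ini  # This file is generated by scaffold

    # Configured outbound domain for Postfix
    server_email_domain: japheth.ca
    # System outgoing email address (cron others)
    server_email: no-reply@japheth.ca
    # Receive messages from Cron and system scripts to this address
    notify_email: maz@japheth.ca

    # Let's Encrypt parameters
    server_name: japheth.ca  # Your server fully qualified domain name
    letsencrypt_webroot_path: /var/www/html
    letsencrypt_email: maz@japheth.ca
    letsencrypt_cert_domains:
      - "{{ server_name }}"
    # TODO: This command is verbose and sends out cron email even if certificates have not changed
    # NOTE(review): the hook does a full `restart`, which drops in-flight
    # connections on every renewal; `reload` re-reads the certificate without
    # that cost — confirm the nginx init script on the target supports it
    # before changing.
    letsencrypt_renewal_command_args: '--renew-hook "service nginx restart"'  # Ubuntu 14.04 nginx restart
    nginx_ssl_certificate_path: "/etc/letsencrypt/live/{{ server_name }}/cert.pem"
    nginx_ssl_certificate_path_key: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"
    nginx_ssl_certificate_chain_path: "/etc/letsencrypt/live/{{ server_name }}/chain.pem"
    nginx_ssl_certificate_fullchain_path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"

  pre_tasks:
    # Point to websauna.ansible/default.yml
    # Tags as an explicit list rather than a comma-separated string, so the
    # value is unambiguous to any YAML consumer; same tags as before.
    - include_vars: default.yml
      tags: [site, smtp, psql, uwsgi, nginx]
    # Point to your secrets file
    # NOTE(review): the tag `sql` here does not match the `psql` tag used for
    # default.yml and the ANXS.postgresql role, so a `--tags psql` run would
    # skip loading secrets.yml; confirm which tag is intended.
    - include_vars: secrets.yml
      tags: [site, smtp, sql]

  roles:
    - { role: websauna.preflight, tags: ['site'] }
    - websauna.users
    - { role: websauna.ssh, tags: ['site'] }  # Needed to setup SSH auth socket for github/bitbucket
    - websauna.shell
    - websauna.harden
    - websauna.smtp
    # `become: true` instead of `become: yes` — same value, canonical boolean.
    - { role: ANXS.postgresql, become: true, become_user: root, tags: ['psql'] }
    - { role: Stouts.nginx, become: true, become_user: root, tags: ['site'] }  # websauna.site may override Nginx config
    - { role: Stouts.redis, become: true, become_user: root, tags: ['redis'] }
    - { role: Stouts.python, become: true, become_user: root }
    - { role: ansible-letsencrypt, tags: ['letsencrypt'] }
    - { role: websauna.site, tags: ['site'] }  # Core site update logic
    - { role: websauna.postflight, tags: ['site'] }  # Finalize: send out email, update motd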