Fix some bugs running deploy-setup from scratch

As an exercise, I've wiped the box clean, and I'm reinstalling from the scripts! :3

I added the SSH hardening rules to the playbook instead of doing them by hand this time.

I made a mistake with creating `/srv/impress-2020`, right, you need to *say* what it should be created *as* for the creation step to work!

I also guess my recent pm2 changes made it not actually be willing to start the app anymore, because `/srv/impress-2020/current` doesn't exist or have `node_modules` yet. I'm doing a cute thing where I create a placeholder app during setup, so there's always something to run, without introducing the complexities of a real deploy to the setup process.

And right, of course, we need to install nginx before running certbot! But we need to add certbot config *after* running certbot!

And then just some misc cleanups for consistency and correctness!
Emi Matchu 2021-11-03 23:04:25 -07:00
parent 1e3e8391b4
commit 9310a250d6
2 changed files with 63 additions and 10 deletions


@ -4,11 +4,33 @@
vars: vars:
email_address: "emi@matchu.dev" # TODO: Extract this to personal config? email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
tasks: tasks:
- name: Create the app folder - name: Disable root SSH login
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PermitRootLogin
line: PermitRootLogin no
- name: Disable password-based SSH authentication
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PasswordAuthentication
line: PasswordAuthentication no
- name: Install fail2ban firewall with default settings
become: yes
apt:
update_cache: yes
name: fail2ban
- name: Create the app versions folder
become: yes become: yes
file: file:
path: /srv/impress-2020 path: /srv/impress-2020/versions
owner: "{{ ansible_user_id }}" owner: "{{ ansible_user_id }}"
group: "{{ ansible_user_id }}"
state: directory
- name: Add Nodesource apt key - name: Add Nodesource apt key
become: yes become: yes
@ -26,7 +48,6 @@
apt: apt:
update_cache: yes update_cache: yes
name: nodejs name: nodejs
state: present
- name: Install Yarn - name: Install Yarn
become: yes become: yes
@ -34,6 +55,38 @@
name: yarn name: yarn
global: yes global: yes
- name: Check for a current app version
stat:
path: /srv/impress-2020/current
register: current_app_version
- name: Check whether we already have a placeholder app
stat:
path: /srv/impress-2020/versions/initial-placeholder
register: existing_placeholder_app
when: not current_app_version.stat.exists
- name: Create a placeholder app, to run until we deploy a real version
command:
chdir: /srv/impress-2020/versions
cmd: yarn create next-app initial-placeholder
when: |
not current_app_version.stat.exists and
not existing_placeholder_app.stat.exists
- name: Build the placeholder app
command:
chdir: /srv/impress-2020/versions/initial-placeholder
cmd: yarn build
when: not current_app_version.stat.exists
- name: Set the placeholder app as the current version
file:
src: /srv/impress-2020/versions/initial-placeholder
dest: /srv/impress-2020/current
state: link
when: not current_app_version.stat.exists
- name: Install pm2 - name: Install pm2
become: yes become: yes
npm: npm:
@ -89,6 +142,12 @@
- name: Save pm2 startup script - name: Save pm2 startup script
command: pm2 save command: pm2 save
- name: Install nginx
become: yes
apt:
update_cache: yes
name: nginx
- name: Install core snap - name: Install core snap
become: yes become: yes
community.general.snap: community.general.snap:
@ -104,12 +163,6 @@
become: yes become: yes
command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net" command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"
- name: Install nginx
become: yes
apt:
update_cache: yes
name: nginx
- name: Add impress-2020 config file to nginx - name: Add impress-2020 config file to nginx
become: yes become: yes
copy: copy:
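Review bot: The two `lineinfile` tasks at the top of the first hunk rewrite `/etc/ssh/sshd_config`, but nothing visible in this section validates the file or reloads sshd, so on a from-scratch run `PermitRootLogin no` and `PasswordAuthentication no` stay inactive until the daemon happens to restart, and a malformed file would only surface then. I would add `validate: /usr/sbin/sshd -t -f %s` to both tasks and have them `notify` a handler that reloads the SSH service; the handler would live outside the lines shown here. sshd keeps the first value it reads for each keyword, so if this image's `sshd_config` includes a drop-in directory that already sets `PasswordAuthentication`, that value would win over the edited line. Checking the effective settings with `sshd -T` after setup would confirm that the hardening actually applies.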


@ -66,7 +66,7 @@
"vercel-build": "yum install libuuid-devel libmount-devel && cp /lib64/{libuuid,libmount,libblkid}.so.1 node_modules/canvas/build/Release/", "vercel-build": "yum install libuuid-devel libmount-devel && cp /lib64/{libuuid,libmount,libblkid}.so.1 node_modules/canvas/build/Release/",
"test": "jest test --env=jsdom", "test": "jest test --env=jsdom",
"lint": "next lint --dir src --dir pages", "lint": "next lint --dir src --dir pages",
"deploy-setup": "echo $'Setup requires you to become the root user. You\\'ll need to enter the password for your account on the remote web server below, and you must be part of the `sudoers` user group.' && ansible-playbook -K -i deploy/inventory.cfg deploy/playbooks/setup.yml", "deploy-setup": "echo $'Setup requires you to become the root user. You\\'ll need to enter the password for your account on the remote web server below, and you must be part of the `sudo` user group.' && ansible-playbook -K -i deploy/inventory.cfg deploy/playbooks/setup.yml",
"deploy": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml", "deploy": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml",
"deploy-skip-build": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml --extra-vars='{\"skip_build\": true}'", "deploy-skip-build": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml --extra-vars='{\"skip_build\": true}'",
"cypress": "cypress open", "cypress": "cypress open",