OpenNeo/impress-2020
OpenNeo/impress-2020
1
0
Fork 0
Code Pull requests Activity
impress-2020/deploy/playbooks/setup.yml
Matchu 9310a250d6 Fix some bugs running deploy-setup from scratch 
As an exercise, I've wiped the box clean, and I'm reinstalling from the scripts! :3

I added the SSH hardening rules to the playbook instead of doing them by hand this time.

I made a mistake with creating `/srv/impress-2020`, right, you need to *say* what it should be created *as* for the creation step to work!

I also guess my recent pm2 changes made it not actually be willing to start the app anymore, because `/srv/impress-2020/current` doesn't exist or have `node_modules` yet. I'm doing a cute thing where I create a placeholder app during setup, so there's always something to run, without introducing the complexities of a real deploy to the setup process.

And right, of course, we need to install nginx before running certbot! But we need to add certbot config *after* running certbot!

And then just some misc cleanups for consistency and correctness!
2021-11-03 23:11:50 -07:00

213 lines
6.5 KiB
YAML
Raw Blame History

---
- name: Set up the environment for the impress-2020 app
hosts: webserver
vars:
email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
tasks:
- name: Disable root SSH login
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PermitRootLogin
line: PermitRootLogin no
- name: Disable password-based SSH authentication
become: yes
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PasswordAuthentication
line: PasswordAuthentication no
- name: Install fail2ban firewall with default settings
become: yes
apt:
update_cache: yes
name: fail2ban
- name: Create the app versions folder
become: yes
file:
path: /srv/impress-2020/versions
owner: "{{ ansible_user_id }}"
group: "{{ ansible_user_id }}"
state: directory
- name: Add Nodesource apt key
become: yes
apt_key:
id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
- name: Add Node v16 apt repository
become: yes
apt_repository:
repo: deb https://deb.nodesource.com/node_16.x focal main
- name: Install Node v16
become: yes
apt:
update_cache: yes
name: nodejs
- name: Install Yarn
become: yes
npm:
name: yarn
global: yes
- name: Check for a current app version
stat:
path: /srv/impress-2020/current
register: current_app_version
- name: Check whether we already have a placeholder app
stat:
path: /srv/impress-2020/versions/initial-placeholder
register: existing_placeholder_app
when: not current_app_version.stat.exists
- name: Create a placeholder app, to run until we deploy a real version
command:
chdir: /srv/impress-2020/versions
cmd: yarn create next-app initial-placeholder
when: |
not current_app_version.stat.exists and
not existing_placeholder_app.stat.exists
- name: Build the placeholder app
command:
chdir: /srv/impress-2020/versions/initial-placeholder
cmd: yarn build
when: not current_app_version.stat.exists
- name: Set the placeholder app as the current version
file:
src: /srv/impress-2020/versions/initial-placeholder
dest: /srv/impress-2020/current
state: link
when: not current_app_version.stat.exists
- name: Install pm2
become: yes
npm:
name: pm2
global: yes
- name: Create pm2 startup script
# The current user is going to become the pm2 owner of the app server
# process. They'll be able to manage it without `sudo`, including during
# normal deploys, and run `pm2 monit` from their shell to see status.
become: yes
command: "pm2 startup systemd {{ ansible_user_id }} --hp /home/{{ ansible_user_id }}"
- name: Create pm2 ecosystem file
copy:
content: |
module.exports = {
apps: [
{
name: "impress-2020",
cwd: "/srv/impress-2020/current",
// Instead of `yarn start`, we specify the `next` binary
// directly, because it helps pm2 monitor our app correctly.
// https://github.com/vercel/next.js/discussions/10675#discussioncomment-34615
script: "./node_modules/.bin/next",
args: "start --port=3000",
instances: "max",
exec_mode: "cluster",
}
]
}
dest: "~/ecosystem.config.js"
# Create a temporary backup file, so we can use it to delete the old
# version of the services. (This is important if e.g. a service is
# removed or renamed, in which case deleting from the *new* config file
# wouldn't include it.)
backup: yes
register: pm2_ecosystem_file
- name: Delete old pm2 services if config file changed
command: "pm2 delete {{ pm2_ecosystem_file.backup_file | quote }}"
when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined
- name: Delete old pm2 config file if it changed
file:
path: "{{ pm2_ecosystem_file.backup_file }}"
state: absent
when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined
- name: Start pm2 services
command: "pm2 start ~/ecosystem.config.js"
- name: Save pm2 startup script
command: pm2 save
- name: Install nginx
become: yes
apt:
update_cache: yes
name: nginx
- name: Install core snap
become: yes
community.general.snap:
name: core
- name: Install certbot as a snap
become: yes
community.general.snap:
name: certbot
classic: yes
- name: Set up certbot
become: yes
command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"
- name: Add impress-2020 config file to nginx
become: yes
copy:
content: |
server {
server_name impress-2020-box.openneo.net;
listen 80;
if ($host = impress-2020-box.openneo.net) {
return 301 https://$host$request_uri;
}
}
server {
server_name impress-2020-box.openneo.net;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/impress-2020-box.openneo.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/impress-2020-box.openneo.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127
# TODO: Serve static files directly, instead of through the proxy
location / {
proxy_pass http://127.0.0.1:3000;
}
}
dest: /etc/nginx/sites-enabled/impress-2020
notify:
- Restart nginx
- name: Install dependencies for the npm module node-canvas
become: yes
apt:
update_cache: yes
name:
- build-essential
- libcairo2-dev
- libpango1.0-dev
- libjpeg-dev
- libgif-dev
- librsvg2-dev
handlers:
- name: Restart nginx
become: yes
systemd:
name: nginx
state: restarted
View git blame Copy permalink