diff --git a/deploy/files/.gitignore b/deploy/files/.gitignore
index c4cdf543..1cf821b0 100644
--- a/deploy/files/.gitignore
+++ b/deploy/files/.gitignore
@@ -1 +1,2 @@
-/production.env
\ No newline at end of file
+/production.env
+/setup_secrets.yml
diff --git a/deploy/setup.yml b/deploy/setup.yml
index 31bbe18a..4487153a 100644
--- a/deploy/setup.yml
+++ b/deploy/setup.yml
@@ -6,6 +6,10 @@
 vars:
 email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
 impress_hostname: impress.openneo.net
+ vars_files:
+ # mysql_root_password, mysql_user_password, mysql_user_password_2020,
+ # dev_ips
+ - files/setup_secrets.yml
 tasks:
 - name: Create SSH folder for logged-in user
 become: no
@@ -62,6 +66,22 @@
 rule: allow
 port: "443"
+ - name: Configure ufw firewall to allow MySQL connections from impress-2020
+ community.general.ufw:
+ rule: allow
+ port: "3306"
+ from_ip: "{{ item }}"
+ loop:
+ - "45.56.112.222"
+ - "2600:3c02::f03c:92ff:fe9a:4615"
+
+ - name: Configure ufw firewall to allow MySQL connections from known devs
+ community.general.ufw:
+ rule: allow
+ port: "3306"
+ from_ip: "{{ item }}"
+ loop: "{{ dev_ips }}"
+
 - name: Enable ufw firewall with all other ports closed by default
 community.general.ufw:
 state: enabled
@@ -258,7 +278,7 @@
 - name: Create service file for impress
 copy:
 src: files/impress.service
- dest: /etc/systemd/system/impress.service
+ dest: /etc/systemd/system/impress.service
 notify:
 - Reload systemctl
 - Restart impress
@@ -290,7 +310,7 @@
 src: files/sites-available/impress.conf
 dest: /etc/nginx/sites-available/impress.conf
 notify:
- - Restart nginx
+ - Reload nginx
 - name: Enable impress config file in nginx
 file:
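Review bot: The new `vars_files` entry loads `files/setup_secrets.yml`, which the first hunk adds to `.gitignore`, so a fresh checkout aborts at play start with a missing-file error and the two-line comment above the entry is the only description of what the file must contain. Consider committing a `files/setup_secrets.example.yml` with placeholder values for the four variables, or at least extending the comment with each variable's shape, e.g. `# dev_ips: list of IP address strings, one ufw allow rule each` — the later `loop: "{{ dev_ips }}"` task does nothing for an empty list and Ansible rejects a non-list value for `loop`. The `vars` mapping this attaches to starts outside the hunk.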
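Review bot: The two impress-2020 addresses in the first new ufw task are hard-coded in the playbook while the equivalent dev list lives in `setup_secrets.yml`, and the same addresses are needed again wherever the MySQL account for that client is restricted by host, so they are better declared once next to `impress_hostname` (e.g. `impress_2020_ips:` under `vars`) and consumed with `loop: "{{ impress_2020_ips }}"`. Both 3306 tasks would also benefit from the module's `comment` parameter (`comment: MySQL from impress-2020` / `comment: MySQL from dev`) so that `ufw status` shows why each rule exists when the allow-list is audited later. Since the MariaDB tasks later in this change make the server listen on all interfaces, these two rules become the only control keeping 3306 off the public internet, which is worth stating in a comment above them; the `tasks` list continues outside the hunk.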
@@ -298,12 +318,84 @@
 dest: /etc/nginx/sites-enabled/impress.conf
 state: link
 notify:
- - Restart nginx
+ - Reload nginx
+
+ - name: Install MariaDB
+ apt:
+ name: mariadb-server
+
+ - name: Install a Python MySQL client, for Ansible to use when configuring
+ apt:
+ name: python3-mysqldb
+
+ - name: Update MariaDB root password
+ community.mysql.mysql_user:
+ name: root
+ host_all: true
+ password: "{{mysql_root_password}}"
+
+ - name: Create root's .my.cnf file
+ copy:
+ content: |
+ [client]
+ user=root
+ password='{{ mysql_root_password }}'
+ dest: /root/.my.cnf
+ mode: 0400
+
+ - name: Remove test database
+ community.mysql.mysql_db:
+ name: test
+ state: absent
+ login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+ - name: Remove anonymous users
+ community.mysql.mysql_user:
+ name: ""
+ state: absent
+ host_all: true
+
+ - name: Remove remote root access
+ community.mysql.mysql_query:
+ query:
+ - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+
+ - name: Expose MariaDB to the internet (but ufw will block most clients)
+ copy:
+ dest: /etc/mysql/mariadb.conf.d/80-bind-address.cnf
+ content: |
+ [mysqld]
+ skip-networking=0
+ skip-bind-address
+ notify: Restart MariaDB
+
+ - name: Create MySQL databases
+ community.mysql.mysql_db:
+ name:
+ - openneo_impress
+ - openneo_id
+
+ - name: Create MySQL user openneo_impress
+ community.mysql.mysql_user:
+ name: openneo_impress
+ password: "{{ mysql_user_password }}"
+ priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
+
+ - name: Create MySQL user impress2020
+ community.mysql.mysql_user:
+ name: impress2020
+ password: "{{ mysql_user_password_2020 }}"
+ priv: "openneo_impress.*:ALL,openneo_id.*:ALL"
 handlers:
- - name: Restart nginx
+ - name: Reload nginx
 systemd:
 name: nginx
+ state: reloaded
+
+ - name: Restart MariaDB
+ systemd:
+ name: mariadb
 state: restarted
 - name: Reload systemctl
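Review bot: The `impress2020` account at the end of the hunk is created without a `host:`, and `community.mysql.mysql_user` defaults that to `localhost`, so unless the account already exists with another host the remote client that the earlier ufw rules admit on 3306 cannot authenticate; the fix that also keeps least privilege is to bind the account to exactly the allow-listed addresses by adding `host: "{{ item }}"` to the module args and `loop: ["45.56.112.222", "2600:3c02::f03c:92ff:fe9a:4615"]` to the task, ideally sharing that list with the ufw task. The `DELETE FROM mysql.user …` in `Remove remote root access` should be checked against the target release: on MariaDB 10.4 and later `mysql.user` is a view over `mysql.global_priv` and a DELETE against it is expected to fail, and even where it succeeds nothing flushes privileges afterwards, so `community.mysql.mysql_user` with `state: absent` and an explicit `host`, or a `DROP USER IF EXISTS` followed by `FLUSH PRIVILEGES`, is the idempotent form. Two smaller points: `mode: 0400` on `/root/.my.cnf` should be quoted as `mode: "0400"` so the octal value does not depend on the YAML 1.1 integer parse, and `login_unix_socket: "{{ login_unix_socket | default(omit) }}"` appears only on the `Remove test database` task and references a variable the `vars_files` comment does not list, so it belongs either on every mysql task or on none. The `handlers` list this hunk ends in continues outside the hunk.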