From ccd75528ed0ee7fd9d9fa45d9c5822fb8b6ddbfe Mon Sep 17 00:00:00 2001 
From: Oli Date: Sat, 21 Oct 2023 13:13:20 +0000 Subject: [PATCH] sync roles with changes from OWS --- group_vars/hcloud.yml | 1 - host_vars/localhost.yml | 1 - roles/lego/tasks/main.yml | 29 ++++---- roles/mariadb/tasks/mariadb.yml | 12 +++- roles/mariadb/tasks/mysqld_exporter.yml | 14 +++- roles/nextcloud/tasks/configure.yml | 32 ++++----- roles/nextcloud/tasks/dependencies.yml | 2 +- roles/nextcloud/tasks/nextcloud.yml | 19 ++++-- .../templates/nextcloud.config.json.j2 | 7 +- .../templates/nextcloud_exporter.service.j2 | 2 +- .../rclone_mount_nextcloud.service.j2 | 8 +-- roles/nextcloud/vars/main.yml | 2 +- roles/nginx/tasks/main.yml | 25 ++++++- roles/nginx/vars/main.yml | 2 + roles/nginx_exporter/handlers/main.yml | 7 ++ roles/nginx_exporter/meta/main.yml | 3 + roles/nginx_exporter/tasks/main.yml | 66 +++++++++++++++++++ .../templates/nginx_exporter.service.j2 | 17 +++++ .../templates/sub_status.conf.j2 | 12 ++++ roles/nginx_exporter/vars/main.yml | 6 ++ roles/node_exporter/tasks/main.yml | 19 ++++-- roles/php/tasks/main.yml | 4 +- roles/php_fpm_exporter/handlers/main.yml | 7 ++ roles/php_fpm_exporter/meta/main.yml | 3 + roles/php_fpm_exporter/tasks/main.yml | 66 +++++++++++++++++++ .../templates/php-fpm_exporter.service.j2 | 16 +++++ roles/php_fpm_exporter/vars/main.yml | 5 ++ roles/postgresql/tasks/postgres_exporter.yml | 29 +++++--- roles/postgresql/tasks/postgresql.yml | 15 ++++- roles/rclone/tasks/main.yml | 19 ++++-- roles/rclone/vars/main.yml | 2 +- roles/redis/defaults/main.yml | 5 +- roles/redis/tasks/main.yml | 13 ++-- roles/redis/vars/main.yml | 6 +- roles/systemd_exporter/tasks/main.yml | 19 ++++-- roles/webserver/meta/main.yml | 4 +- roles/webserver/tasks/main.yml | 1 + roles/webserver/tasks/nginx.yml | 2 +- roles/webserver/tasks/volume.yml | 3 +- .../webserver/templates/conf.d/cloud.conf.j2 | 11 +++- .../templates/conf.d/twirling.conf.j2 | 14 +++- roles/webserver/templates/header.conf.j2 | 13 ++-- site.yml | 43 ++++++++++-- 43 files changed, 479 
insertions(+), 107 deletions(-) create mode 100644 roles/nginx_exporter/handlers/main.yml create mode 100644 roles/nginx_exporter/meta/main.yml create mode 100644 roles/nginx_exporter/tasks/main.yml create mode 100644 roles/nginx_exporter/templates/nginx_exporter.service.j2 create mode 100644 roles/nginx_exporter/templates/sub_status.conf.j2 create mode 100644 roles/nginx_exporter/vars/main.yml create mode 100644 roles/php_fpm_exporter/handlers/main.yml create mode 100644 roles/php_fpm_exporter/meta/main.yml create mode 100644 roles/php_fpm_exporter/tasks/main.yml create mode 100644 roles/php_fpm_exporter/templates/php-fpm_exporter.service.j2 create mode 100644 roles/php_fpm_exporter/vars/main.yml diff --git a/group_vars/hcloud.yml b/group_vars/hcloud.yml index 252c14d..b3bd0bd 100644 --- a/group_vars/hcloud.yml +++ b/group_vars/hcloud.yml @@ -1,6 +1,5 @@ --- # Hetzner Cloud Node Variables -deb_architecture: "amd64" # Main User from Terraform cloud-init main_user: oli # SSH Private Key diff --git a/host_vars/localhost.yml b/host_vars/localhost.yml index 47c93e4..6b8d404 100644 --- a/host_vars/localhost.yml +++ b/host_vars/localhost.yml @@ -1,3 +1,2 @@ --- -deb_architecture: "amd64" main_user: oli diff --git a/roles/lego/tasks/main.yml b/roles/lego/tasks/main.yml index 3c3fd16..51fd2ba 100644 --- a/roles/lego/tasks/main.yml +++ b/roles/lego/tasks/main.yml @@ -1,4 +1,5 @@ --- + - name: Get latest lego version github_release: user: go-acme 
@@ -9,12 +10,23 @@ run_once: true register: lego_version -- name: Download lego {{ lego_version.tag }} from GitHub +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download lego from GitHub ({{ lego_version.tag }})" get_url: url: "https://github.com/go-acme/lego/releases/download/\ {{ lego_version.tag }}/lego_{{ lego_version.tag }}\ - _linux_{{ deb_architecture }}.tar.gz" + _linux_{{ architecture_alias }}.tar.gz" dest: "/var/tmp/lego.tar.gz" + mode: "0644" register: lego_download_archive until: lego_download_archive is succeeded retries: 3 @@ -24,8 +36,7 @@ unarchive: remote_src: true src: "/var/tmp/lego.tar.gz" - dest: "/var/tmp" - mode: "0755" + dest: "{{ lego_install_dir }}" extra_opts: - --one-top-level include: @@ -37,21 +48,17 @@ mode: "0755" state: directory -- name: Check lego registration - stat: - path: "{{ lego_config_dir }}/accounts" - register: account_dir - - name: Register lego and create cert command: | {{ lego_install_dir }}/lego --accept-tos {% for dns in certificate_domains %} --domains="{{ dns }}" {% endfor %} - {{ lego_cli_params|join(' ') }} + {{ lego_cli_params | join(' ') }} run + args: + creates: "/etc/lego/accounts" environment: '{ "{{ lego_provider|upper }}_API_KEY": "{{ vault_ionos_token_dns }}" }' - when: not account_dir.stat.exists - name: Copy lego systemd service template: diff --git a/roles/mariadb/tasks/mariadb.yml b/roles/mariadb/tasks/mariadb.yml index 44bacad..8397356 100644 --- a/roles/mariadb/tasks/mariadb.yml +++ b/roles/mariadb/tasks/mariadb.yml 
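Review bot: The two `Set architecture alias` tasks leave `architecture_alias` undefined on any host whose `ansible_architecture` is neither x86_64 nor aarch64, so the `Download lego from GitHub` task that follows fails with an undefined-variable error inside the URL rather than with a message naming the unsupported architecture. A single mapping does the same job and fails at the lookup itself with the offending value in the error: `architecture_alias: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}"`, kept in one shared vars or `include_tasks` file rather than inline. The same pair, each line carrying a `noqa: var-naming[no-role-prefix]`, is repeated in the mariadb, mysqld_exporter, nextcloud configure, nginx, nginx_exporter, node_exporter, php_fpm_exporter, postgres_exporter, postgresql, rclone and systemd_exporter hunks.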
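Review bot: `creates: "/etc/lego/accounts"` hardcodes the path that the removed stat task derived from `lego_config_dir`; if that variable points anywhere else, the guard never matches and the registration (with `--accept-tos` and the API key in the environment) runs on every play. Use `creates: "{{ lego_config_dir }}/accounts"` so the idempotency check stays tied to the same variable the rest of the role uses. The `environment:` line is unchanged context, but it is the reason an unguarded rerun matters: every run re-sends the provider token.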
@@ -1,4 +1,14 @@ --- +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + - name: Add MariaDB GPG apt key apt_key: url: https://mariadb.org/mariadb_release_signing_key.asc @@ -7,7 +17,7 @@ - name: Add MariaDB Repository apt_repository: - repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \ + repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \ https://mirrors.n-ix.net/mariadb/repo/{{ mariadb_server_version }}/ubuntu {{ ansible_distribution_release }} main/debug" state: present update_cache: true diff --git a/roles/mariadb/tasks/mysqld_exporter.yml b/roles/mariadb/tasks/mysqld_exporter.yml index aa8bf56..8838f0c 100644 --- a/roles/mariadb/tasks/mysqld_exporter.yml +++ b/roles/mariadb/tasks/mysqld_exporter.yml @@ -14,11 +14,21 @@ mysqld_exporter_version: "{{ mysqld_exporter_version | replace ('v', '', 1) | trim }}" run_once: true +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + - name: Download mysqld_exporter {{ mysqld_exporter_version.tag }} from GitHub get_url: url: "https://github.com/prometheus/mysqld_exporter/releases/download/\ v{{ mysqld_exporter_version.tag }}/mysqld_exporter-{{ mysqld_exporter_version.tag }}\ - .linux-{{ deb_architecture }}.tar.gz" + .linux-{{ architecture_alias }}.tar.gz" dest: "/var/tmp/mysqld_exporter.tar.gz" register: mysqld_exporter_download_archive until: mysqld_exporter_download_archive is succeeded 
@@ -35,7 +45,7 @@ extra_opts: --strip-components=1 include: - - "mysqld_exporter-{{ mysqld_exporter_version.tag }}.linux-{{ deb_architecture }}/mysqld_exporter" + - "mysqld_exporter-{{ mysqld_exporter_version.tag }}.linux-{{ architecture_alias }}/mysqld_exporter" notify: Restart mysqld_exporter - name: Copy the mysqld_exporter systemd service file diff --git a/roles/nextcloud/tasks/configure.yml b/roles/nextcloud/tasks/configure.yml index 5d5ae4b..a667e8f 100644 --- a/roles/nextcloud/tasks/configure.yml +++ b/roles/nextcloud/tasks/configure.yml @@ -46,11 +46,21 @@ nextcloud_exporter_version: "{{ nextcloud_exporter_version | replace('v', '', 1) | trim }}" run_once: true +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + - name: "Download nextcloud_exporter from GitHub (v{{ nextcloud_exporter_version.tag }})" get_url: url: "https://github.com/xperimental/nextcloud-exporter/releases/download/\ - v{{ nextcloud_exporter_version.tag }}/nextcloud-exporter-{{ nextcloud_exporter_version.tag }}\ - -{{ deb_architecture }}.bz2" + v{{ nextcloud_exporter_version.tag }}/nextcloud-exporter_{{ nextcloud_exporter_version.tag }}\ + _{{ architecture_alias }}.bz2" dest: "/var/tmp/nextcloud-exporter.bz2" mode: "0644" register: nextcloud_exporter_download_archive @@ -60,7 +70,7 @@ - name: Decompress nextcloud_exporter command: - cmd: "bzip2 -dk nextcloud-exporter.bz2" + cmd: "bzip2 -dkf nextcloud-exporter.bz2" args: chdir: /var/tmp/ register: nextcloud_exporter_decompress_archive 
@@ -91,21 +101,11 @@ nextcloud_notify_push_version: "{{ nextcloud_notify_push_version | replace('v', '', 1) | trim }}" run_once: true -- name: Set deb_architecture alias and filename - set_fact: - notify_push_filename: "x86_64-unknown-linux-musl" # noqa: var-naming[no-role-prefix] - when: deb_architecture == "amd64" - -- name: Set deb_architecture alias and filename - set_fact: - notify_push_filename: "armv7-unknown-linux-musleabihf" # noqa: var-naming[no-role-prefix] - when: deb_architecture == "arm64" - - name: "Download nextcloud_notify_push from GitHub (v{{ nextcloud_notify_push_version.tag }})" get_url: url: "https://github.com/nextcloud/notify_push/releases/download/v{{ nextcloud_notify_push_version.tag }}\ - /notify_push-{{ notify_push_filename }}" - dest: "/var/tmp/notify_push" + /notify_push-{{ ansible_architecture }}-unknown-linux-musl" + dest: "/var/tmp/nextcloud_notify_push" mode: "0700" register: nextcloud_notify_push_download_file until: nextcloud_notify_push_download_file is succeeded @@ -115,7 +115,7 @@ - name: Copy nextcloud_notify_push copy: remote_src: true - src: "/var/tmp/notify_push" + src: "/var/tmp/nextcloud_notify_push" dest: "{{ nextcloud_notify_push_install_dir }}/nextcloud_notify_push" owner: "{{ webserver_user }}" group: "{{ webserver_group }}" diff --git a/roles/nextcloud/tasks/dependencies.yml b/roles/nextcloud/tasks/dependencies.yml index 2e4ade1..4c4d1f3 100644 --- a/roles/nextcloud/tasks/dependencies.yml +++ b/roles/nextcloud/tasks/dependencies.yml @@ -9,7 +9,7 @@ - name: Install required python packages pip: - name: gtar # needed for latest nextcloud tar.bz archive + name: gtar # needed for latest nextcloud tar.bz2 archiv state: latest - name: Enable APCu diff --git a/roles/nextcloud/tasks/nextcloud.yml b/roles/nextcloud/tasks/nextcloud.yml index 6793685..68fd133 100644 --- a/roles/nextcloud/tasks/nextcloud.yml +++ b/roles/nextcloud/tasks/nextcloud.yml 
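Review bot: The notify_push asset name is now built as `{{ ansible_architecture }}-unknown-linux-musl`, which yields `aarch64-unknown-linux-musl` on arm64 hosts, whereas the removed mapping fetched `armv7-unknown-linux-musleabihf` for the same hosts; one of the two is wrong for this inventory, so confirm against the release's published asset list before relying on it and keep an explicit per-architecture mapping if the aarch64 asset is not there. On x86_64 both forms agree, so the regression would only show on the arm hosts.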
@@ -1,5 +1,5 @@ --- -# flush handlers to Restart code-server before install extensions +# flush handlers to restart code-server before install extensions - name: Flush handlers befor continue meta: flush_handlers @@ -9,6 +9,7 @@ register: nextcloud_dir_stat - name: Install Nextcloud + when: not nextcloud_dir_stat.stat.exists block: - name: Create nextcloud directory file: @@ -23,6 +24,7 @@ get_url: url: "https://download.nextcloud.com/server/releases/latest.tar.bz2" dest: "/var/tmp/nextcloud.tar.gz" + mode: "0644" register: nextcloud_download_archive until: nextcloud_download_archive is succeeded retries: 3 @@ -79,17 +81,20 @@ become_user: "{{ webserver_user }}" command: cmd: php occ config:import /tmp/nextcloud.config.json + args: chdir: "{{ nextcloud_dir }}" - - when: not nextcloud_dir_stat.stat.exists + register: nextcloud_occ_config_import_output + changed_when: nextcloud_occ_config_import_output.rc != 0 - name: Update Nextcloud + when: nextcloud_updater block: - name: Run nextcloud's updater.phar in non-interactive way become: true become_user: "{{ webserver_user }}" command: cmd: 'php updater/updater.phar --no-interaction' + args: chdir: "{{ nextcloud_dir }}" register: nextcloud_update_result changed_when: "'Start update' in nextcloud_update_result.stdout" @@ -97,17 +102,19 @@ - name: Update result debug: msg: "{{ nextcloud_update_result.stdout_lines }}" - when: nextcloud_update_result.changed + when: nextcloud_update_result.changed # noqa: no-handler - name: DB tuning after update become: true become_user: "{{ webserver_user }}" command: cmd: php occ {{ item }} + args: chdir: "{{ nextcloud_dir }}" loop: - db:add-missing-indices - db:convert-filecache-bigint - integrity:check-core - when: nextcloud_update_result.changed - when: nextcloud_updater + register: nextcloud_occ_update_tuning_output + changed_when: nextcloud_occ_update_tuning_output.rc != 0 + when: nextcloud_update_result.changed # noqa: no-handler 
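Review bot: `changed_when: nextcloud_occ_config_import_output.rc != 0` reports the import as changed only when the command failed, and a non-zero rc already fails the task, so the task can never report changed on a successful run; if the intent is to silence the always-changed status of `command`, write `changed_when: false`, and if the import's effect should be visible, key it on the command's stdout instead. The same expression is used on the `DB tuning after update` task in the last hunk (`nextcloud_occ_update_tuning_output.rc != 0`). The Install block this task belongs to starts in the second hunk, outside this one.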
diff --git a/roles/nextcloud/templates/nextcloud.config.json.j2 b/roles/nextcloud/templates/nextcloud.config.json.j2 index 477bf0a..354f768 100644 --- a/roles/nextcloud/templates/nextcloud.config.json.j2 +++ b/roles/nextcloud/templates/nextcloud.config.json.j2 @@ -13,6 +13,7 @@ "dbtableprefix": "oc_", "dbuser": "{{ nextcloud_db_user }}", "dbpassword": "{{ vault_nextcloud_db_pass }}", + "installed": true, "skeletondirectory": "", "default_language": "de", "default_phone_region": "DE", @@ -46,9 +47,9 @@ "tempdirectory": {{ nextcloud_temp_dir | to_json }}, "cache_path": {{ nextcloud_cache_dir | to_json }}, "localstorage.allowsymlinks": true, - "enable_previews": "true", - "preview_max_x": "2048", - "preview_max_y": "2048", + "enable_previews": true, + "preview_max_x": 2048, + "preview_max_y": 2048, "preview_max_scale_factor": 1 } } diff --git a/roles/nextcloud/templates/nextcloud_exporter.service.j2 b/roles/nextcloud/templates/nextcloud_exporter.service.j2 index 5b64f41..4866f69 100644 --- a/roles/nextcloud/templates/nextcloud_exporter.service.j2 +++ b/roles/nextcloud/templates/nextcloud_exporter.service.j2 @@ -5,7 +5,7 @@ Description=Nextcloud Exporter After=network-online.target [Service] -Environment=NEXTCLOUD_AUTH_TOKEN={{ vault_nextcloud_exporter_token }} +Environment=NEXTCLOUD_AUTH_TOKEN={{ vault_nextcloud_exporter_token }} NEXTCLOUD_TIMEOUT=30s User={{ nextcloud_exporter_system_user }} Group={{ nextcloud_exporter_system_group }} Type=simple diff --git a/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2 b/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2 index d8415ec..5577a97 100644 --- a/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2 +++ b/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2 
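Review bot: `Environment=NEXTCLOUD_AUTH_TOKEN={{ vault_nextcloud_exporter_token }} …` embeds the vaulted exporter token in a unit under /etc/systemd/system, and the value is visible through `systemctl show` to local users independently of the file's mode (the template task's mode is not in this hunk). Moving the two variables into a root-owned 0600 file referenced with `EnvironmentFile=<path to exporter env file>` keeps the token out of the unit and out of `systemctl show`; `NEXTCLOUD_TIMEOUT=30s` can stay in the unit. The same consideration applies to any other exporter unit in this tree that carries a credential.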
@@ -20,16 +20,16 @@ ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_ --file-perms 0660 \ --dir-cache-time 8760h \ --poll-interval 12h \ - --buffer-size 64M \ + --buffer-size 32M \ --drive-chunk-size 256M \ - --drive-pacer-min-sleep 10ms \ - --drive-pacer-burst 1000 \ + --drive-pacer-min-sleep 20ms \ + --drive-pacer-burst 200 \ --vfs-cache-max-age 720h \ --vfs-cache-mode full \ --vfs-cache-min-free-space 10G \ --vfs-read-chunk-size 128M \ --vfs-read-chunk-size-limit off \ - --vfs-write-back 20s \ + --vfs-write-back 5s \ --cache-dir={{ rclone_cache_dir }} \ --log-file={{ rclone_log_dir }}/mount_nextcloud.log \ --log-level=INFO \ diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml index 49eeb7a..0f5ec93 100644 --- a/roles/nextcloud/vars/main.yml +++ b/roles/nextcloud/vars/main.yml @@ -24,7 +24,7 @@ trusted_proxies: - "{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}" nextcloud_trashbin_retention_obligation: "auto, 90" nextcloud_versions_retention_obligation: "auto, 30" -nextcloud_max_upload_size: "10G" +nextcloud_max_upload_size: "25G" # database nextcloud_db_host: "{{ pgsql_server_ip }}" nextcloud_db_port: "{{ pgsql_server_port }}" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 0afc16f..b21142d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,4 +1,15 @@ --- + +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + - name: Add Nginx GPG apt Key apt_key: url: https://nginx.org/keys/nginx_signing.key 
@@ -7,7 +18,7 @@ - name: Add Nginx Mainline Repository apt_repository: - repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" state: present update_cache: true @@ -41,4 +52,16 @@ get_url: url: https://github.com/internetstandards/dhe_groups/raw/main/ffdhe4096.pem dest: "{{ nginx_ssl_dhparam }}" + mode: "0644" + register: nginx_ffdhe4096_download_file + until: nginx_ffdhe4096_download_file is succeeded + retries: 3 + delay: 5 + notify: Reload nginx + +- name: Set nginx user to www-data + replace: + path: /etc/nginx/nginx.conf + regexp: "user nginx;" + replace: "user www-data;" notify: Reload nginx diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml index d61236c..655e3db 100644 --- a/roles/nginx/vars/main.yml +++ b/roles/nginx/vars/main.yml @@ -1,5 +1,7 @@ --- +nginx_user: "www-data" +nginx_group: "www-data" nginx_ssl_ciphers: "ALL:!AES128:!CAMELLIA128:!CAMELLIA:!ARIA128:!RSA:!SEED:!aNULL:!eNULL:!EXPORT:\ !DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-AES256:!ECDHE-RSA-AES256-SHA384:\ !DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:@STRENGTH" diff --git a/roles/nginx_exporter/handlers/main.yml b/roles/nginx_exporter/handlers/main.yml new file mode 100644 index 0000000..892315b --- /dev/null +++ b/roles/nginx_exporter/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: Restart nginx_exporter + systemd: + daemon_reload: true + enabled: true + name: nginx_exporter.service + state: restarted diff --git a/roles/nginx_exporter/meta/main.yml b/roles/nginx_exporter/meta/main.yml new file mode 100644 index 0000000..8b662c9 --- /dev/null +++ b/roles/nginx_exporter/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: nginx 
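Review bot: The `Set nginx user to www-data` task edits the packaged nginx.conf with an unanchored `replace`, while the same commit introduces `nginx_user`/`nginx_group` in roles/nginx/vars/main.yml without using them; prefer `regexp: '^user\s+nginx;'` and `replace: "user {{ nginx_user }};"` so the vars stay the single source of truth, and a one-line comment that a package upgrade rewriting nginx.conf re-triggers this task. The ffdhe4096.pem download gained retries and a mode but still has no `checksum:`; the RFC 7919 group is a fixed file, so `checksum: "sha256:<expected digest>"` on this get_url turns an altered download into a task failure instead of a silently different DH group. The same applies to the binary downloads in the exporter, lego and rclone hunks, where a project that publishes a checksum file can be referenced with `checksum: "sha256:<url of sha256sums file>"`.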
diff --git a/roles/nginx_exporter/tasks/main.yml b/roles/nginx_exporter/tasks/main.yml new file mode 100644 index 0000000..8da32a4 --- /dev/null +++ b/roles/nginx_exporter/tasks/main.yml 
@@ -0,0 +1,66 @@ +--- + +- name: Get latest nginx_exporter version + github_release: + user: nginxinc + repo: nginx-prometheus-exporter + action: latest_release + token: "{{ vault_github_token }}" + delegate_to: localhost + run_once: true + register: nginx_exporter_version +- name: "{{ nginx_exporter_version }}" + set_fact: + nginx_exporter_version: "{{ nginx_exporter_version | replace('v', '', 1) | trim }}" + run_once: true + +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download nginx_exporter from GitHub (v{{ nginx_exporter_version.tag }})" + get_url: + url: "https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/\ + v{{ nginx_exporter_version.tag }}/nginx-prometheus-exporter_{{ nginx_exporter_version.tag }}\ + _linux_{{ architecture_alias }}.tar.gz" + dest: "/var/tmp/nginx-prometheus-exporter.tar.gz" + mode: "0644" + register: nginx_exporter_download_archive + until: nginx_exporter_download_archive is succeeded + retries: 3 + delay: 5 + +- name: Unpack nginx_exporter + unarchive: + remote_src: true + src: "/var/tmp/nginx-prometheus-exporter.tar.gz" + dest: "{{ nginx_exporter_install_dir }}" + extra_opts: + - --one-top-level + owner: "{{ nginx_exporter_system_user }}" + group: "{{ nginx_exporter_system_group }}" + include: + - nginx-prometheus-exporter + notify: Restart nginx_exporter + +- name: Copy sub_status.conf to nginx conf.d + template: + src: sub_status.conf.j2 + dest: /etc/nginx/conf.d/sub_status.conf + mode: "0644" + notify: Reload nginx + +- name: Copy nginx_exporter systemd service + template: + src: nginx_exporter.service.j2 + dest: /etc/systemd/system/nginx_exporter.service + owner: root + group: root + mode: "0644" + notify: Restart nginx_exporter 
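Review bot: The unarchive step extracts with `--one-top-level` straight into `{{ nginx_exporter_install_dir }}`; with no argument GNU tar names that level after the archive basename, so the binary would presumably land at `/usr/local/bin/nginx-prometheus-exporter/nginx-prometheus-exporter` rather than at the path the unit's ExecStart runs — verify on a fresh host, and if so drop `--one-top-level`, since `include:` already limits extraction to the binary. The lego and php_fpm_exporter unarchive hunks use the same option. `owner:` is set to `node-exporter` (via the vars hunk), but this role's meta depends only on nginx, so the task fails on a host where the node_exporter role has not run first. The ExecStart passes no `-web.listen-address`, so the exporter listens on its default port on all interfaces; bind it to the scrape address if the host has a public interface.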
diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 new file mode 100644 index 0000000..735abf6 --- /dev/null +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -0,0 +1,17 @@ +## Managed by Ansible ## + +[Unit] +Description=Prometheus Nginx Exporter +Requires=nginx.service +After=nginx.service + +[Service] +Type=simple +User={{ nginx_exporter_system_user }} +Group={{ nginx_exporter_system_group }} +ExecStart={{ nginx_exporter_install_dir }}/nginx-prometheus-exporter -nginx.scrape-uri=unix:{{ nginx_stub_status_socket }}:/stub_status +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/nginx_exporter/templates/sub_status.conf.j2 b/roles/nginx_exporter/templates/sub_status.conf.j2 new file mode 100644 index 0000000..f858db6 --- /dev/null +++ b/roles/nginx_exporter/templates/sub_status.conf.j2 @@ -0,0 +1,12 @@ +## Managed by Ansible ## + +# stub_status module provides access to basic status information +server { + listen unix:{{ nginx_stub_status_socket }}; + server_name _; + access_log off; + + location /stub_status { + stub_status; + } +} \ No newline at end of file diff --git a/roles/nginx_exporter/vars/main.yml b/roles/nginx_exporter/vars/main.yml new file mode 100644 index 0000000..9c18845 --- /dev/null +++ b/roles/nginx_exporter/vars/main.yml @@ -0,0 +1,6 @@ +--- +# Variables +nginx_exporter_install_dir: "/usr/local/bin" +nginx_exporter_system_group: "node-exporter" +nginx_exporter_system_user: "{{ nginx_exporter_system_group }}" +nginx_stub_status_socket: "/var/run/nginx_status.sock" diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 2407ea4..1a1d8f0 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml 
@@ -28,15 +28,26 @@ register: node_exporter_version - name: "{{ node_exporter_version }}" set_fact: - node_exporter_version: "{{ node_exporter_version | replace ('v', '', 1) | trim }}" + node_exporter_version: "{{ node_exporter_version | replace('v', '', 1) | trim }}" run_once: true -- name: Download node_exporter {{ node_exporter_version.tag }} from GitHub +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download node_exporter from GitHub (v{{ node_exporter_version.tag }})" get_url: url: "https://github.com/prometheus/node_exporter/releases/download/\ v{{ node_exporter_version.tag }}/node_exporter-{{ node_exporter_version.tag }}\ - .linux-{{ deb_architecture }}.tar.gz" + .linux-{{ architecture_alias }}.tar.gz" dest: "/var/tmp/node_exporter.tar.gz" + mode: "0644" register: node_exporter_download_archive until: node_exporter_download_archive is succeeded retries: 3 @@ -52,7 +63,7 @@ extra_opts: - --strip-components=1 include: - - "node_exporter-{{ node_exporter_version.tag }}.linux-{{ deb_architecture }}/node_exporter" + - "node_exporter-{{ node_exporter_version.tag }}.linux-{{ architecture_alias }}/node_exporter" notify: Restart node_exporter - name: Copy node_exporter systemd service diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 10c2e93..0d20352 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,11 +1,11 @@ --- - name: Add Sury PHP Repository - shell: add-apt-repository -y ppa:ondrej/php + command: add-apt-repository -y ppa:ondrej/php args: creates: "/etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list" when: php_version is defined # add repo when version is specified, otherwise use default repo -- name: "Uninstall old PHP version" +- name: Uninstall old PHP version apt: name: "php{{ php_old_version }}*" state: absent diff --git a/roles/php_fpm_exporter/handlers/main.yml b/roles/php_fpm_exporter/handlers/main.yml new file mode 100644 index 0000000..3521f01 --- /dev/null +++ b/roles/php_fpm_exporter/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: Restart php_fpm_exporter + systemd: + daemon_reload: true + enabled: true + name: php-fpm_exporter.service + state: restarted diff --git a/roles/php_fpm_exporter/meta/main.yml b/roles/php_fpm_exporter/meta/main.yml new file mode 100644 index 0000000..68a1a3b --- /dev/null +++ b/roles/php_fpm_exporter/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: php diff --git a/roles/php_fpm_exporter/tasks/main.yml b/roles/php_fpm_exporter/tasks/main.yml new file mode 100644 index 0000000..e939810 --- /dev/null +++ b/roles/php_fpm_exporter/tasks/main.yml 
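Review bot: `creates:` still names `ondrej-ubuntu-php-jammy.list`, so on any release other than jammy the guard never matches and `add-apt-repository` runs on every play; `creates: "/etc/apt/sources.list.d/ondrej-ubuntu-php-{{ ansible_distribution_release }}.list"` keeps the idempotency check tied to the host. The list-file name is inferred from the existing jammy value, so confirm it on one non-jammy host.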
@@ -0,0 +1,66 @@ +--- +- name: Enable real-time FPM status monitoring + lineinfile: + path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf + regexp: '^;pm.status_path\s' + line: 'pm.status_path = /status' + notify: Restart php-fpm + +- name: Get latest php_fpm_exporter version + github_release: + user: hipages + repo: php-fpm_exporter + action: latest_release + token: "{{ vault_github_token }}" + delegate_to: localhost + run_once: true + register: php_fpm_exporter_version +- name: "{{ php_fpm_exporter_version }}" + set_fact: + php_fpm_exporter_version: "{{ php_fpm_exporter_version | replace('v', '', 1) | trim }}" + run_once: true + +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download php_fpm_exporter from GitHub (v{{ php_fpm_exporter_version.tag }})" + get_url: + url: "https://github.com/hipages/php-fpm_exporter/releases/download/\ + v{{ php_fpm_exporter_version.tag }}/php-fpm_exporter_{{ php_fpm_exporter_version.tag }}\ + _linux_{{ architecture_alias }}.tar.gz" + dest: "/var/tmp/php-fpm_exporter.tar.gz" + mode: "0644" + register: php_fpm_exporter_download_archive + until: php_fpm_exporter_download_archive is succeeded + retries: 3 + delay: 5 + +- name: Unpack php_fpm_exporter + unarchive: + remote_src: true + src: "/var/tmp/php-fpm_exporter.tar.gz" + dest: "{{ php_fpm_exporter_install_dir }}" + owner: "{{ php_fpm_exporter_system_user }}" + group: "{{ php_fpm_exporter_system_group }}" + mode: "0755" + extra_opts: + - --one-top-level + include: + - php-fpm_exporter + notify: Restart php_fpm_exporter + +- name: Copy php_fpm_exporter systemd service + template: + src: php-fpm_exporter.service.j2 + dest: /etc/systemd/system/php-fpm_exporter.service + owner: root + group: root + mode: "0644" + notify: 
Restart php_fpm_exporter diff --git a/roles/php_fpm_exporter/templates/php-fpm_exporter.service.j2 b/roles/php_fpm_exporter/templates/php-fpm_exporter.service.j2 new file mode 100644 index 0000000..07f5300 --- /dev/null +++ b/roles/php_fpm_exporter/templates/php-fpm_exporter.service.j2 @@ -0,0 +1,16 @@ +## Managed by Ansible ## + +[Unit] +Description=Prometheus PHP-FPM Exporter +After=network-online.target + +[Service] +Type=simple +User={{ php_fpm_exporter_system_user }} +Group={{ php_fpm_exporter_system_group }} +ExecStart={{ php_fpm_exporter_install_dir }}/php-fpm_exporter server --phpfpm.fix-process-count --phpfpm.scrape-uri unix:{{ php_socket }};/status +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/php_fpm_exporter/vars/main.yml b/roles/php_fpm_exporter/vars/main.yml new file mode 100644 index 0000000..f1fac3a --- /dev/null +++ b/roles/php_fpm_exporter/vars/main.yml @@ -0,0 +1,5 @@ +--- +# Variables +php_fpm_exporter_install_dir: "/usr/local/bin" +php_fpm_exporter_system_group: "www-data" +php_fpm_exporter_system_user: "{{ php_fpm_exporter_system_group }}" diff --git a/roles/postgresql/tasks/postgres_exporter.yml b/roles/postgresql/tasks/postgres_exporter.yml index 0978c7d..63fae46 100644 --- a/roles/postgresql/tasks/postgres_exporter.yml +++ b/roles/postgresql/tasks/postgres_exporter.yml 
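Review bot: The exporter runs as `www-data` (`php_fpm_exporter_system_user` in the vars hunk), which gives a metrics process the same identity as the PHP workers and write access to everything the site user owns; a dedicated system user placed in the `www-data` group is enough to reach the FPM socket if its `listen.group` is www-data with 0660 (not visible here), and keeps the exporter's own files — the unarchive sets `owner:` to this user — out of the web user's hands. As in the nginx_exporter hunk, `--one-top-level` on the unarchive likely leaves the binary in a `php-fpm_exporter/` subdirectory of the install dir rather than at the ExecStart path; verify and drop the option if so. The ExecStart sets no `--web.listen-address`, so the exporter listens on its default port on all interfaces.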
@@ -8,20 +8,31 @@ token: "{{ vault_github_token }}" delegate_to: localhost run_once: true - register: postgres_exporter_version -- name: "{{ postgres_exporter_version }}" + register: postgresql_exporter_version +- name: "{{ postgresql_exporter_version }}" set_fact: - postgres_exporter_version: "{{ postgres_exporter_version | replace ('v', '', 1) | trim }}" + postgresql_exporter_version: "{{ postgresql_exporter_version | replace('v', '', 1) | trim }}" run_once: true -- name: Download postgres_exporter {{ postgres_exporter_version.tag }} from GitHub +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download postgres_exporter from GitHub (v{{ postgresql_exporter_version.tag }})" get_url: url: "https://github.com/prometheus-community/postgres_exporter/releases/download/\ - v{{ postgres_exporter_version.tag }}/postgres_exporter-{{ postgres_exporter_version.tag }}\ - .linux-{{ deb_architecture }}.tar.gz" + v{{ postgresql_exporter_version.tag }}/postgres_exporter-{{ postgresql_exporter_version.tag }}\ + .linux-{{ architecture_alias }}.tar.gz" dest: "/var/tmp/postgres_exporter.tar.gz" - register: postgres_exporter_download_archive - until: postgres_exporter_download_archive is succeeded + mode: "0644" + register: postgresql_exporter_download_archive + until: postgresql_exporter_download_archive is succeeded retries: 3 delay: 5 @@ -35,7 +46,7 @@ extra_opts: --strip-components=1 include: - - "postgres_exporter-{{ postgres_exporter_version.tag }}.linux-{{ deb_architecture }}/postgres_exporter" + - "postgres_exporter-{{ postgresql_exporter_version.tag }}.linux-{{ architecture_alias }}/postgres_exporter" notify: Restart postgres_exporter - name: Copy the postgres_exporter systemd service file 
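Review bot: The registered variable is renamed to `postgresql_exporter_version` while the task names, the archive path and the `Restart postgres_exporter` handler keep the `postgres_exporter` prefix; whichever is the role's convention, the mix makes the rename easy to miss. Any remaining reference to `postgres_exporter_version` outside these two hunks (the service template, if it embeds the version) is now undefined — grep for it before merging.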
diff --git a/roles/postgresql/tasks/postgresql.yml b/roles/postgresql/tasks/postgresql.yml index e544473..4e292f2 100644 --- a/roles/postgresql/tasks/postgresql.yml +++ b/roles/postgresql/tasks/postgresql.yml @@ -1,4 +1,15 @@ --- + +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + - name: Add PostgreSQL GPG apt key apt_key: url: https://www.postgresql.org/media/keys/ACCC4CF8.asc @@ -7,7 +18,7 @@ - name: Add PostgreSQL Repository apt_repository: - repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/apt.postgresql.org.gpg] \ + repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/apt.postgresql.org.gpg] \ http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main" state: present update_cache: true @@ -46,5 +57,5 @@ rules_behavior: combine contype: host # custom rules - rules: "{{ pgsql_client_auth }}" + rules: "{{ pgsql_client_auth }}" # noqa: args notify: Reload postgresql diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index d3a0a29..178d5cc 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml 
@@ -11,14 +11,25 @@ rclone_version - name: "{{ rclone_version.content }}" set_fact: - rclone_version: "{{ rclone_version.content | replace ('rclone v', '', 1) | trim }}" + rclone_version: "{{ rclone_version.content | replace('rclone v', '', 1) | trim }}" run_once: true -- name: Download rclone {{ rclone_version }} +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download rclone from rclone.org (v{{ rclone_version }})" get_url: url: "https://downloads.rclone.org/v{{ rclone_version }}/\ - rclone-v{{ rclone_version }}-linux-{{ deb_architecture }}.deb" + rclone-v{{ rclone_version }}-linux-{{ architecture_alias }}.deb" dest: "/var/tmp/rclone.deb" + mode: "0644" register: rclone_download_deb until: rclone_download_deb is succeeded retries: 3 @@ -60,7 +71,7 @@ home: / register: rclone_created_user -- name: adding existing user {{ main_user }} to group rclone +- name: Add user to rclone group user: name: "{{ main_user }}" groups: "{{ rclone_system_group }}" diff --git a/roles/rclone/vars/main.yml b/roles/rclone/vars/main.yml index edef7fb..b4f8138 100644 --- a/roles/rclone/vars/main.yml +++ b/roles/rclone/vars/main.yml @@ -6,7 +6,7 @@ rclone_config_dir: "/root/.config/rclone" rclone_config_file: "{{ rclone_config_dir }}/rclone.conf" rclone_cache_dir: "/var/cache/rclone" rclone_log_dir: "/var/log/rclone" -rclone_user_agent_gd: 'GoogleDriveFS/64.0.4.0 (Windows;OSVer=10.0.22621;)' +rclone_user_agent_gd: 'GoogleDriveFS/81.0.5.0 (Windows;OSVer=10.0.22631;)' vault_td_dtsv_id: !vault | $ANSIBLE_VAULT;1.2;AES256;dtsv-dev diff --git a/roles/redis/defaults/main.yml b/roles/redis/defaults/main.yml index 43fef26..26297c6 100644 --- a/roles/redis/defaults/main.yml +++ b/roles/redis/defaults/main.yml 
@@ -1,4 +1,5 @@ --- -# If port 0 is specified Redis will not listen on a TCP socket. -redis_port: 0 +redis_port: 0 # If port 0 is specified Redis will not listen on a TCP socket. +redis_unixsocket: "/var/run/redis/redis.sock" +redis_unixsocketperm: 770 diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml index 4e5667c..ec98a1d 100644 --- a/roles/redis/tasks/main.yml +++ b/roles/redis/tasks/main.yml @@ -4,11 +4,10 @@ name: redis state: present -- name: Copy redis config - template: - src: redis.conf.j2 - dest: /etc/redis/redis.conf - owner: redis - group: redis - mode: "0640" +- name: Configure redis + lineinfile: + path: /etc/redis/redis.conf + regexp: '^#?{{ item.option }} .*' + line: '{{ item.option }} {{ item.value }}' + loop: "{{ redis_options }}" notify: Restart redis diff --git a/roles/redis/vars/main.yml b/roles/redis/vars/main.yml index 3ea0165..3ce1031 100644 --- a/roles/redis/vars/main.yml +++ b/roles/redis/vars/main.yml @@ -1,4 +1,6 @@ --- -redis_unixsocket: "/var/run/redis/redis.sock" -redis_unixsocketperm: 770 +redis_options: + - {option: port, value: "{{ redis_port }}"} + - {option: unixsocket, value: "{{ redis_unixsocket }}"} + - {option: unixsocketperm, value: "{{ redis_unixsocketperm }}"} diff --git a/roles/systemd_exporter/tasks/main.yml b/roles/systemd_exporter/tasks/main.yml index b073ccd..bc20dda 100644 --- a/roles/systemd_exporter/tasks/main.yml +++ b/roles/systemd_exporter/tasks/main.yml 
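Review bot: The `lineinfile` regexp `'^#?{{ item.option }} .*'` only matches a directive that is live or commented with no space after `#`; stock `redis.conf` files typically write the examples as `# unixsocket /run/redis.sock`, so those lines are left untouched and the managed value is appended at the end of the file — it works because a later directive overrides an earlier one, but it leaves a stale `port`/`unixsocket` line above that a later hand edit could reactivate. Widening it to `regexp: '^#?\s*{{ item.option }}\s'` makes the replacement land on the existing line. The deleted template task also enforced `owner: redis`, `group: redis`, `mode: "0640"`; `lineinfile` accepts the same file attributes, so if that restriction was deliberate add them to the new task rather than relying on whatever the package shipped. In `defaults/main.yml`, quote `redis_unixsocketperm: "770"` so the mode is carried as a string rather than an integer that YAML tooling may reformat.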
@@ -11,15 +11,26 @@ register: systemd_exporter_version - name: "{{ systemd_exporter_version }}" set_fact: - systemd_exporter_version: "{{ systemd_exporter_version | replace ('v', '', 1) | trim }}" + systemd_exporter_version: "{{ systemd_exporter_version | replace('v', '', 1) | trim }}" run_once: true -- name: Download systemd_exporter {{ systemd_exporter_version.tag }} from GitHub +- name: Set architecture alias + set_fact: + architecture_alias: "amd64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "x86_64" + +- name: Set architecture alias + set_fact: + architecture_alias: "arm64" # noqa: var-naming[no-role-prefix] + when: ansible_architecture == "aarch64" + +- name: "Download systemd_exporter from GitHub (v{{ systemd_exporter_version.tag }})" get_url: url: "https://github.com/povilasv/systemd_exporter/releases/download/\ v{{ systemd_exporter_version.tag }}/systemd_exporter-{{ systemd_exporter_version.tag }}\ - .linux-{{ deb_architecture }}.tar.gz" + .linux-{{ architecture_alias }}.tar.gz" dest: "/var/tmp/systemd_exporter.tar.gz" + mode: "0644" register: systemd_exporter_download_archive until: systemd_exporter_download_archive is succeeded retries: 3 @@ -35,7 +46,7 @@ extra_opts: - --strip-components=1 include: - - "systemd_exporter-{{ systemd_exporter_version.tag }}.linux-{{ deb_architecture }}/systemd_exporter" + - "systemd_exporter-{{ systemd_exporter_version.tag }}.linux-{{ architecture_alias }}/systemd_exporter" notify: Restart systemd_exporter - name: Copy the systemd_exporter systemd service file diff --git a/roles/webserver/meta/main.yml b/roles/webserver/meta/main.yml index 9a05f4a..0961c32 100644 --- a/roles/webserver/meta/main.yml +++ b/roles/webserver/meta/main.yml @@ -2,7 +2,7 @@ dependencies: - role: rclone - role: nginx -# - role: nginx_exporter + - role: nginx_exporter - role: php -# - role: php_fpm_exporter + - role: php_fpm_exporter - role: redis 
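Review bot: The `get_url` download of `systemd_exporter-{{ systemd_exporter_version.tag }}.linux-{{ architecture_alias }}.tar.gz` from GitHub has no `checksum:`, and the binary it contains is unpacked and started as a system service, so a tampered release asset is accepted as-is; if the release publishes a sums file, point `checksum: "sha256:<url>"` at it, otherwise pin a known digest per version next to the role's vars. The `Set architecture alias` pair is duplicated here from the postgresql and rclone roles with no branch for other architectures; a shared mapping with an `assert` on `ansible_architecture` would fail clearly and keep all three in sync. One thing to confirm: the context line just above reassigns `systemd_exporter_version` to a plain string via `set_fact`, yet the new task name and URL still read `systemd_exporter_version.tag` — if that resolves, it is only because of how the registered value is shaped earlier in the file, which is outside this hunk.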
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml index 1b0dfdc..4bf0207 100644 --- a/roles/webserver/tasks/main.yml +++ b/roles/webserver/tasks/main.yml @@ -1,4 +1,5 @@ --- + - name: Mount Volume import_tasks: volume.yml diff --git a/roles/webserver/tasks/nginx.yml b/roles/webserver/tasks/nginx.yml index 8b47c7b..d20d627 100644 --- a/roles/webserver/tasks/nginx.yml +++ b/roles/webserver/tasks/nginx.yml @@ -29,7 +29,7 @@ state: directory mode: "0755" -- name: Copy SSL certificates for {{ webserver_domain }} +- name: "Copy SSL certificates for {{ webserver_domain }}" copy: remote_src: true # make sure that ssl certs are available diff --git a/roles/webserver/tasks/volume.yml b/roles/webserver/tasks/volume.yml index ba8fade..88b3dc1 100644 --- a/roles/webserver/tasks/volume.yml +++ b/roles/webserver/tasks/volume.yml @@ -9,8 +9,9 @@ - name: Creates mount directory file: - path: "{{ hcloud_webserver_volume_path }}" state: directory + path: "{{ hcloud_webserver_volume_path }}" + mode: "0755" force: false - name: Mount hcloud volume diff --git a/roles/webserver/templates/conf.d/cloud.conf.j2 b/roles/webserver/templates/conf.d/cloud.conf.j2 index 9261d19..97d353e 100644 --- a/roles/webserver/templates/conf.d/cloud.conf.j2 +++ b/roles/webserver/templates/conf.d/cloud.conf.j2 @@ -22,7 +22,10 @@ server { server { listen 443 ssl; listen [::]:443 ssl; - http2 on; + # Enable QUIC and HTTP/3. + listen 443 quic; + listen [::]:443 quic; + server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }}; include global/cert.conf; @@ -35,7 +38,7 @@ server { # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. - add_header Strict-Transport-Security "max-age=63072000" always; + add_header Strict-Transport-Security "max-age=15768000; preload" always; # set max upload size and increase upload timeout: client_max_body_size {{ nextcloud_max_upload_size }}; 
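Review bot: In `cloud.conf.j2`, `add_header Strict-Transport-Security "max-age=15768000; preload" always;` adds the `preload` token while shortening max-age to six months, directly under the comment warning that preload puts the domain on a hard-coded browser list that takes months to leave; the preload list also requires `max-age` of at least 31536000 and `includeSubDomains`, so as written the token is only a signal of intent that can still be picked up by scanners. Either keep `max-age=63072000` without `preload`, or commit deliberately to `"max-age=63072000; includeSubDomains; preload"` once every subdomain of `{{ nextcloud_domain_name }}` is served over HTTPS. Separately, this hunk deletes `http2 on;` and replaces it with the QUIC listeners only, so unless HTTP/2 is enabled in `nginx.conf` or an included file (not visible here) this vhost drops back to HTTP/1.1 over TLS while the twirling vhost keeps `http2 on;` — presumably unintended, and worth restoring alongside an explicit `http3 on;`.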
@@ -68,6 +71,10 @@ server { add_header X-Robots-Tag "noindex, nofollow" always; add_header X-XSS-Protection "1; mode=block" always; + # Add Alt-Svc header to negotiate HTTP/3. + add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always; + add_header x-quic 'h3' always; + # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; diff --git a/roles/webserver/templates/conf.d/twirling.conf.j2 b/roles/webserver/templates/conf.d/twirling.conf.j2 index 12c4d44..0939da5 100644 --- a/roles/webserver/templates/conf.d/twirling.conf.j2 +++ b/roles/webserver/templates/conf.d/twirling.conf.j2 @@ -9,9 +9,17 @@ server { } server { - # Enable HTTP/2 - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + # Enable QUIC and HTTP/3. + listen 443 quic reuseport default_server; + listen [::]:443 quic reuseport default_server; + http3 on; + http3_hq on; + quic_retry on; + quic_gso on; + server_name {{ webserver_domain }} www.{{ webserver_domain }}; include global/cert.conf; include global/header.conf; diff --git a/roles/webserver/templates/header.conf.j2 b/roles/webserver/templates/header.conf.j2 index 0750e5d..a7940dc 100644 --- a/roles/webserver/templates/header.conf.j2 +++ b/roles/webserver/templates/header.conf.j2 
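Review bot: The new `Alt-Svc` header in `cloud.conf.j2` advertises `h3-29`, the draft token that browsers dropped after RFC 9114; `h3=":443"; ma=86400` is sufficient now, and `h2=":443"` is advertised even though the first hunk of this file removed `http2 on;` for this server. Also note that nginx only inherits server-level `add_header` directives into a `location` that sets none of its own, so if any `location` block in this vhost (outside the hunk) adds a header, these `Alt-Svc`/`x-quic` lines and the security headers above them are silently absent from those responses. The `x-quic 'h3'` header carries no sensitive information, but it is an informational header with no client behaviour attached and could simply be dropped.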
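Review bot: `http3_hq on;` in `twirling.conf.j2` turns on the HTTP/0.9-over-QUIC (`hq-interop`) negotiation that nginx ships for QUIC interoperability testing, which has no place on a production `default_server`: HTTP/0.9 has no request or response headers, so none of the protections in `global/header.conf` apply to a client that negotiates it. Drop the line — the default is off. `quic_retry on;` is the right call, since it forces address validation before connection state is allocated and limits amplification; `quic_gso on;` is purely a throughput option. Remember that the QUIC listeners need UDP/443 opened wherever this host's firewall rules live (not visible in this diff), and that this is the vhost carrying `reuseport` for the shared QUIC socket that the cloud vhost's plain `listen 443 quic;` lines depend on.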
@@ -44,14 +44,17 @@ add_header X-XSS-Protection "1; mode=block" always; # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # directives for css and js(if you have inline css or js, you will need to keep it too). # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful -#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src to 'none'; frame-ancestors 'self' https://*.twirling.de https://twirling.de"; +#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' font-src 'self'; frame-src ; object-src 'none'"; +add_header Content-Security-Policy "frame-ancestors 'self' https://*.{{ webserver_domain }} https://{{ webserver_domain }}"; #add_header Referrer-Policy no-referrer; add_header Referrer-Policy "no-referrer" always; -add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.twirling.de; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'"; -add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.twirling.de');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()"; +add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.{{ webserver_domain }}; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'"; +add_header Permissions-Policy 
"geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.{{ webserver_domain }}');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()"; + +add_header X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive" always; # Add Alt-Svc header to negotiate HTTP/3. -#add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available -#add_header QUIC-Status $quic; # Sent when QUIC was used \ No newline at end of file +add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always; +add_header x-quic 'h3' always; diff --git a/site.yml b/site.yml index ed73e98..80ba761 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,7 @@ --- -## Main Playbook for the staging DTSV Infrastructure - -# waiting for terraform provisioning +## Main DTSV Infrastructure Playbook +# Waiting for terraform provisioning - name: Wait for provisioning hosts: label_env_prod gather_facts: false @@ -21,8 +20,7 @@ retries: 50 delay: 5 -# install terraformed servers - +# Install terraformed servers - name: Install common packages hosts: label_env_prod roles: 
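Review bot: The `add_header Permissions-Policy` value in `header.conf.j2` is not in the structured-header syntax browsers parse: directives must be comma-separated (`geolocation=(self), midi=(), …`) and origins in an allowlist are double-quoted strings, whereas this line uses `;` separators and single quotes around `https://*.{{ webserver_domain }}` — a parse error usually means the whole header is ignored, so the policy it appears to set is most likely not in force. Because the value needs double quotes inside, wrap the nginx argument in single quotes: `add_header Permissions-Policy 'geolocation=(self), midi=(), sync-xhr=(self "https://*.{{ webserver_domain }}"), microphone=(self), camera=(self), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()' always;`, and drop `notifications`, `push`, `speaker` and `vibrate`, which as far as I know are not recognised Permissions-Policy features. The newly active `Content-Security-Policy "frame-ancestors …"` is a genuine improvement, but the rewritten commented-out full policy beside it is missing the `;` between `style-src 'self' 'unsafe-inline'` and `font-src 'self'` and has an empty `frame-src ;`, so it will not work as a drop-in when someone uncomments it. `X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive" always` is included by the public twirling vhost as well, which de-indexes the whole site — please confirm that is intended. Finally, `h3-29` in the Alt-Svc line is the obsolete draft token; `h3` alone is enough.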
@@ -30,5 +28,36 @@ - node_exporter become: true -- import_playbook: db.yml -- import_playbook: web.yml +- name: DB playbook + import_playbook: db.yml +- name: WEB playbook + import_playbook: web.yml + +- name: Maintenance + hosts: label_env_prod + become: true + tasks: + - name: Start apt upgrade + block: + - name: Perform upgrade + apt: + name: "*" + state: latest + update_cache: true + cache_valid_time: 3600 + + - name: Check if a reboot is required + stat: + path: /var/run/reboot-required + register: reboot_required_file # noqa: var-naming[no-role-prefix] + + - name: Reboot the server (if required) + reboot: + when: reboot_required_file.stat.exists + + - name: Wait for instance to become reachable/usable + wait_for_connection: # host_key_checking must be disabled + + - name: Remove dependencies that are no longer required. + apt: + autoremove: true
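Review bot: In the new `Maintenance` play, `wait_for_connection:` after `reboot:` is redundant — the `reboot` module already waits for the host to return and checks it with its own test command — and the inline comment `# host_key_checking must be disabled` recommends switching off the one control that catches a host whose SSH identity changed; a reboot does not regenerate host keys, so a key mismatch afterwards is exactly what should stop the play (a rebuilt or hijacked instance). Drop the task and the comment and keep `host_key_checking` on, with known_hosts seeded from the provisioning step. `apt: name: "*" state: latest` plus the conditional reboot now runs on every `site.yml` invocation against `label_env_prod`, so a routine config change can pull a full upgrade and reboot of all production hosts at once; gating the play with `tags: [maintenance, never]` and/or `serial: 1` keeps that deliberate and rolling.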