From ef6683e0502be12d10dfabcf3f61438abbaf9235 Mon Sep 17 00:00:00 2001 
From: Gerald Pape Date: Mon, 18 Dec 2023 15:17:31 +0100 Subject: [PATCH] Remove ansible --- .github/dependabot.yml | 12 -- LICENSE | 2 +- README.md | 10 +- deployment/README.md | 16 +-- infrastructure/.gitignore | 2 - infrastructure/README.md | 41 ------ infrastructure/ansible.cfg | 11 -- infrastructure/auto_updates/files/10periodic | 4 - infrastructure/auto_updates/tasks/main.yml | 11 -- infrastructure/common/tasks/main.yml | 17 --- infrastructure/docker/tasks/main.yml | 33 ----- infrastructure/group_vars/all.yml | 5 - .../host_vars/45.132.245.60/vars.yml | 27 ---- .../host_vars/45.132.245.60/vault.yml | 39 ------ infrastructure/https_proxy/files/Dockerfile | 2 - .../https_proxy/files/docker-compose.yml | 48 ------- infrastructure/https_proxy/files/traefik.toml | 18 --- infrastructure/https_proxy/tasks/main.yml | 31 ----- infrastructure/main-server.yml | 12 -- infrastructure/netdata/handlers/main.yml | 3 - infrastructure/netdata/tasks/main.yml | 27 ---- .../netdata/templates/netdata.conf.j2 | 29 ----- infrastructure/production | 2 - infrastructure/ssh/files/public_keys/bastian | 1 - infrastructure/ssh/files/public_keys/gerald | 1 - infrastructure/ssh/files/public_keys/github | 1 - infrastructure/ssh/files/sshd_config | 123 ------------------ infrastructure/ssh/handlers/main.yml | 3 - infrastructure/ssh/tasks/main.yml | 38 ------ infrastructure/ufw/handlers/main.yml | 4 - infrastructure/ufw/tasks/main.yml | 12 -- infrastructure/webapp/files/env-production.j2 | 14 -- infrastructure/webapp/files/env-staging.j2 | 14 -- infrastructure/webapp/tasks/main.yml | 29 ----- 34 files changed, 7 insertions(+), 635 deletions(-) delete mode 100644 infrastructure/.gitignore delete mode 100644 infrastructure/README.md delete mode 100644 infrastructure/ansible.cfg delete mode 100644 infrastructure/auto_updates/files/10periodic delete mode 100644 infrastructure/auto_updates/tasks/main.yml delete mode 100644 infrastructure/common/tasks/main.yml delete mode 100644 
infrastructure/docker/tasks/main.yml delete mode 100644 infrastructure/group_vars/all.yml delete mode 100644 infrastructure/host_vars/45.132.245.60/vars.yml delete mode 100644 infrastructure/host_vars/45.132.245.60/vault.yml delete mode 100644 infrastructure/https_proxy/files/Dockerfile delete mode 100644 infrastructure/https_proxy/files/docker-compose.yml delete mode 100644 infrastructure/https_proxy/files/traefik.toml delete mode 100644 infrastructure/https_proxy/tasks/main.yml delete mode 100644 infrastructure/main-server.yml delete mode 100644 infrastructure/netdata/handlers/main.yml delete mode 100644 infrastructure/netdata/tasks/main.yml delete mode 100644 infrastructure/netdata/templates/netdata.conf.j2 delete mode 100644 infrastructure/production delete mode 100644 infrastructure/ssh/files/public_keys/bastian delete mode 100644 infrastructure/ssh/files/public_keys/gerald delete mode 100644 infrastructure/ssh/files/public_keys/github delete mode 100644 infrastructure/ssh/files/sshd_config delete mode 100644 infrastructure/ssh/handlers/main.yml delete mode 100644 infrastructure/ssh/tasks/main.yml delete mode 100644 infrastructure/ufw/handlers/main.yml delete mode 100644 infrastructure/ufw/tasks/main.yml delete mode 100644 infrastructure/webapp/files/env-production.j2 delete mode 100644 infrastructure/webapp/files/env-staging.j2 delete mode 100644 infrastructure/webapp/tasks/main.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4f64c3a1..def463f0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -30,18 +30,6 @@ updates: - "component/backend" registries: - dockerhub - # infrastructure - - package-ecosystem: "docker" - directory: "/infrastructure/https_proxy/files/" - schedule: - interval: "monthly" - reviewers: - - "bCyberBasti" - labels: - - "dependencies" - - "deployment" - registries: - - dockerhub registries: dockerhub: diff --git a/LICENSE b/LICENSE index 6a09f705..35184858 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@ MIT License -Copyright (c) 2020 Code for Münster +Copyright (c) 2020 - 2023 Code for Münster Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index ef50d829..70b01f90 100644 --- a/README.md +++ b/README.md 
@@ -2,17 +2,17 @@ ## Deployment -We use GitHub Actions and docker-compose to deploy the master branch to a staging environment at +We use GitHub Actions to build and push the application container images to Docker Hub ([frontend](https://hub.docker.com/r/codeformuenster/muenster-jetzt-frontend), [backend](https://hub.docker.com/r/codeformuenster/muenster-jetzt-api)). The rest of the deployment is handeled on a kubernetes cluster ([Kustomization files](./deployment/)). + +Deployments live at https://staging.muenster-update.de ([Staging API](https://api.staging.muenster-update.de/)) and https://muenster-update.de ([Production API](https://api.muenster-update.de/)). ### Staging deployment -Each run of workflow [workflow 'Build and deploy'] on branch `master` builds and pushes container images [`docker.io/codeformuenster/muenster-jetzt-frontend:master`](https://hub.docker.com/r/codeformuenster/muenster-jetzt-frontend) and [`docker.io/codeformuenster/muenster-jetzt-api:master`](https://hub.docker.com/r/codeformuenster/muenster-jetzt-api). Then it deploys them in on our staging server environment. +Staging follows the `master` branch. ### Production deployment -The production deployment is deployed through CI triggered by pushes to the `production` branch. Check [`.github/workflows/build-and-deploy.yaml`](https://github.com/codeformuenster/muenster-jetzt/blob/master/.github/workflows/build-and-deploy.yaml). - -Easiest way to do so is to create a pull request from [master into production](https://github.com/codeformuenster/muenster-jetzt/compare/production...master) branches. +The production should run the lastest git tag. ## Dev Setup with VS Code diff --git a/deployment/README.md b/deployment/README.md index b21833ca..319f2a8d 100644 --- a/deployment/README.md +++ b/deployment/README.md 
@@ -2,20 +2,6 @@ ## Kustomize / Kubernetes -This method requires an external Postgres server. +This method requires an external Postgres server and kubernetes cluster. The kustomization in `dev` is an example for a deployment. Check out the `backend-secret.example.yaml` for required secrets for the backend. - -## Plain docker / docker-compose - -This document attempts to describe the deployment of Münster Update to a linux server. - -### Requirements - -- a linux server (we're using ubuntu 20.04 lts) with ssh access -- ansible on your local computer -- a fork of this repository (a local clone also works) - -### Installation - -The installation is described in the README file of the [infrastructure](../infrastructure/README.md) directory. diff --git a/infrastructure/.gitignore b/infrastructure/.gitignore deleted file mode 100644 index ca090dbd..00000000 --- a/infrastructure/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -debug.yml -vault-id diff --git a/infrastructure/README.md b/infrastructure/README.md deleted file mode 100644 index 9a9a681f..00000000 --- a/infrastructure/README.md +++ /dev/null 
@@ -1,41 +0,0 @@
-# Infrastructure
-
-The ansible scripts to setup the (production) server.
-
-## Quick Usage
-```
-ansible-playbook -i production main-server.yml --vault-password-file ~/.vault-pass-ms-jetzt
-# or only specific roles
-ansible-playbook -i production main-server.yml --vault-password-file ~/.vault-pass-ms-jetzt --tags "common_role, ufw_role"
-```
-
-## Preparation
-
-Make sure you can access your server through ssh. Add your host to the ansible
-inventory or create your own inventory file. Copy the `host_vars/45.132.245.60` directory
-to a new directory in `host_vars` named like your host in the inventory. Modify the values
-to your liking.
-
-Create a new `vault.yaml` in your `host_vars` directory and generate new secrets
-for all variables starting with `vault_`.
-
-The ansible playbook will change sshd settings and install the ssh public keys
-specified in the `grant_ssh_access_for` array. The array elements correspond to files
-in `ssh/files/public_keys` which should contain a ssh public key.
-
-## Installation
-
-Execute ansible as described in [Quick Usage](#quick-usage).
-
-## Deployment of the application
-
-We're using Github Actions to deploy to our server by sshing into our server and executing some commands.
-You can check the `deploy` job in [.github/workflows/build-and-deploy.yaml](../.github/workflows/build-and-deploy.yaml) to see the actual commands executed.
-
-## Create an admin user
-
-Optionally, you can create an admin user for management of events.
-
-- ssh into your server
-- `cd` into `/root/muenster-jetzt/`
-- `docker-compose exec api ./manage.py createsuperuser`
diff --git a/infrastructure/ansible.cfg b/infrastructure/ansible.cfg
deleted file mode 100644
index 6f729b0a..00000000
--- a/infrastructure/ansible.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-[defaults]
-retry_files_enabled = False
-collections_paths = ./
-roles_path = ./
-inventory = ./production
-
-[ssh_connection]
-scp_if_ssh = True
-pipelining = True
-control_path = /tmp/ansible-ssh-%%h-%%p-%%r
-
diff --git a/infrastructure/auto_updates/files/10periodic b/infrastructure/auto_updates/files/10periodic
deleted file mode 100644
index 75870203..00000000
--- a/infrastructure/auto_updates/files/10periodic
+++ /dev/null
@@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
\ No newline at end of file
diff --git a/infrastructure/auto_updates/tasks/main.yml b/infrastructure/auto_updates/tasks/main.yml
deleted file mode 100644
index 8d3879fa..00000000
--- a/infrastructure/auto_updates/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: install apt packages
- apt:
- name: ['unattended-upgrades', 'apticron']
- state: present
-
-- name: copy unattended-upgrades config
- copy:
- src: files/10periodic
- dest: /etc/apt/apt.conf.d/10periodic
-
\ No newline at end of file
diff --git a/infrastructure/common/tasks/main.yml b/infrastructure/common/tasks/main.yml
deleted file mode 100644
index 7de3211c..00000000
--- a/infrastructure/common/tasks/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: set timezone to {{ tz }}
- timezone:
- name: "{{ tz }}"
-
-- name: Change locale to EN
- command: update-locale LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8
-
-- name: Set hostname on server
- hostname:
- name: "{{ hostname }}"
- when: hostname is defined
-
-- apt:
- name: htop
- state: present
- update_cache: yes
diff --git a/infrastructure/docker/tasks/main.yml b/infrastructure/docker/tasks/main.yml
deleted file mode 100644
index fdaf648b..00000000
--- a/infrastructure/docker/tasks/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: Add Docker key
- apt_key:
- id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
- url: https://download.docker.com/linux/ubuntu/gpg
- state: present
-
-- name: Add Docker apt repo
- apt_repository:
- repo: "{{ docker_apt_repository }}"
- update_cache: true
-
-- name: install docker and dependencies
- apt:
- pkg:
- - docker-ce
- - docker-ce-cli
- - containerd.io
- - python3-pip
- state: present
-
-- name: python docker / docker-compse module
- pip:
- name:
- - docker-compose
-
-- name: check loki plugin installed
- shell: docker plugin ls | grep -q loki
- ignore_errors: true
- register: loki_check
-
-- name: install loki docker log plugin
- command: docker plugin install grafana/loki-docker-driver:latest --alias loki --grant-all-permissions
- when: loki_check.rc == 1
diff --git a/infrastructure/group_vars/all.yml b/infrastructure/group_vars/all.yml
deleted file mode 100644
index 8f2edad2..00000000
--- a/infrastructure/group_vars/all.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-docker_apt_repository: >
- deb [arch=amd64]
- https://download.docker.com/linux/{{ ansible_distribution | lower }}
- {{ ansible_distribution_release }} stable
\ No newline at end of file
diff --git a/infrastructure/host_vars/45.132.245.60/vars.yml b/infrastructure/host_vars/45.132.245.60/vars.yml
deleted file mode 100644
index 80f043b9..00000000
--- a/infrastructure/host_vars/45.132.245.60/vars.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-ansible_python_interpreter: /usr/bin/python3
-tz: "Europe/Berlin"
-grant_ssh_access_for:
- - bastian
- - github
- - gerald
-
-is_webserver: true
-
-application_domain: "muenster-update.de"
-
-db_user_staging: "{{vault_db_user_staging}}"
-db_password_staging: "{{vault_db_password_staging}}"
-db_name_staging: "{{vault_db_name_staging}}"
-db_user_production: "{{vault_db_user_production}}"
-db_password_production: "{{vault_db_password_production}}"
-db_name_production: "{{vault_db_name_production}}"
-
-api_secret_key_staging: "{{vault_api_secret_key_staging}}"
-api_secret_key_production: "{{vault_api_secret_key_production}}"
-
-api_token_muensterland: "{{vault_api_token_muensterland}}"
-api_user_datenportal: "{{vault_api_user_datenportal}}"
-api_password_datenportal: "{{vault_api_password_datenportal}}"
-
-loki_url: "{{vault_loki_url}}"
diff --git a/infrastructure/host_vars/45.132.245.60/vault.yml b/infrastructure/host_vars/45.132.245.60/vault.yml
deleted file mode 100644
index c3f83e26..00000000
--- a/infrastructure/host_vars/45.132.245.60/vault.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -30366430353562316533376638343637313463323338646630636430303466636330306362643338 -6166373730356366356664323833356433323036613439320a653265316261313464666533366262 -33326665396464643238336362653731663833663965623830323233383130353135333137643334 -3833316336346238370a343161653335393361363539393032653366636230306161383365613461 -37366539623366306362356538643861663066646634336535663830366639623532363462336562 -33313531383963656463346231386335626564353462623338383539666330366231663232643962 -39313037663631636530653566326635333235316566326433643434393536366166396436343265 -66306530643066616663313338333138636166353431343438393538633965376462323530656633 -30376132326136343935636435626130313138303365313630613534323633643964653133303035 -36663630363964623735643039323466393531336364333932326562323937393531653836656238 -64613764626638383537363464343836653636363765396638303231333962666631333466306637 -31313264656136313034366361666663656434653330393064336230316139623861343165633563 -38636464353933386339393162393766316364383636313135323037353830646330353938313335 -62386135626462316239303365343839323432326435383839633232633434323765626432373531 -64326334616539363736303134316566613933363665346561313934323162633234303232663264 -65316635376339636661333962333039383437376165346231346237366638643265613337383266 -38643630626634666330333235633233613163323139646532393035653366376435313061663531 -39343432653930316366663734373136616631346163326536306539353539393464336565303062 -37666638623763333830633038393062616636336437313038353233303666623830323463353664 -34376236653264333365616339326237333933666666326238363736393739363931623836383031 -34336634326230343534656632633864613161396566383561633130333636383535363130613938 -36343037313136366466373737313831313766643063383661653664313765636365316632336465 -30363034393862353362636561343730626632343465633062643437646661623264666436643565 
-31363731303232303562633831643433616239633133393264613834326461383335643166376563 -37386236636461643535643130316236356663306530643961313331356161653336373964653739 -37353034623435343832306332353063383837656439653232613663656262396430333938663833 -32343731663065633365653234366233346237613139666266623437623263373233656133313162 -31636466373061383538616663613336346432626166313731306666656636383137376135623166 -62396361613137333330313836316433626637303537343961356435653532616131363563356562 -66386138346339303533383336613430333465373836306333646665656165386139346230333262 -34303832646532656135353732356236643831626137333738633739643332336132646533643230 -61363036316666396339363030336464383939623462623630666233326134393137346335323561 -35326362656633373139633664366332323862303961313938396137333464366433333663633936 -35343562663138303162393766323733366532323663613865643166653161303064353732333662 -61623838633233336537656534663365353762623462363439356331373839316637393931633831 -61313866343936353435303636366339373561303161623261663939336661316563343962663038 -66353035323261666531663333323638366534653436616566653233646163396534393966626430 -3935366535613166633464393164336439343831333863653837 diff --git a/infrastructure/https_proxy/files/Dockerfile b/infrastructure/https_proxy/files/Dockerfile deleted file mode 100644 index 16a171c0..00000000 --- a/infrastructure/https_proxy/files/Dockerfile +++ /dev/null @@ -1,2 +0,0 @@ -# this is only a docker file to allow dependabot version checking -FROM traefik:v2.8.5 diff --git a/infrastructure/https_proxy/files/docker-compose.yml b/infrastructure/https_proxy/files/docker-compose.yml deleted file mode 100644 index aae48321..00000000 --- a/infrastructure/https_proxy/files/docker-compose.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-version: "3.6"
-networks:
- default:
- driver: bridge
- traefik:
- internal: true
- docker-socket-proxy:
- internal: true
-
-services:
- socket-proxy:
- image: tecnativa/docker-socket-proxy
- restart: unless-stopped
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- environment:
- CONTAINERS: 1
- NETWORKS: 1
- networks:
- - docker-socket-proxy
- traefik:
- build: "."
- restart: unless-stopped
- ports:
- - 80:80
- - 443:443
- volumes:
- - "./traefik.toml:/etc/traefik/traefik.toml"
- - "./letsencrypt:/letsencrypt"
- depends_on:
- - socket-proxy
- networks:
- - docker-socket-proxy
- - default
- - traefik
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.https-redirect.entrypoints=web"
- - "traefik.docker.network=https-proxy_traefik"
- - "traefik.http.routers.https-redirect.rule=HostRegexp(`{any:.*}`)"
- - "traefik.http.routers.https-redirect.middlewares=https-redirect"
- - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
- - "traefik.http.routers.msj-redirect.rule=Host(`www.muenster.jetzt`) || Host(`muenster.jetzt`) || Host(`app.muenster.jetzt`)"
- - "traefik.http.routers.msj-redirect.tls.certresolver=letsencrypt"
- - "traefik.http.routers.msj-redirect.middlewares=msj-main-redirect"
- - "traefik.http.middlewares.msj-main-redirect.redirectRegex.regex=.*"
- - "traefik.http.middlewares.msj-main-redirect.redirectRegex.replacement=https://muenster-update.de"
- - "traefik.http.middlewares.msj-main-redirect.redirectRegex.permanent=true"
diff --git a/infrastructure/https_proxy/files/traefik.toml b/infrastructure/https_proxy/files/traefik.toml
deleted file mode 100644
index 34fe77f7..00000000
--- a/infrastructure/https_proxy/files/traefik.toml
+++ /dev/null
@@ -1,18 +0,0 @@
-[providers.docker]
- endpoint = "tcp://socket-proxy:2375"
- exposedByDefault = false
-
-[entryPoints]
- [entryPoints.web]
- address = ":80"
-
- [entryPoints.web-secure]
- address = ":443"
-
-[certificatesResolvers.letsencrypt.acme]
- email = "basti@bcyber.de"
- storage = "/letsencrypt/acme.json"
- httpchallenge = true
- [certificatesResolvers.letsencrypt.acme.httpChallenge]
- # used during the challenge
- entryPoint = "web"
\ No newline at end of file
diff --git a/infrastructure/https_proxy/tasks/main.yml b/infrastructure/https_proxy/tasks/main.yml
deleted file mode 100644
index be7d2061..00000000
--- a/infrastructure/https_proxy/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: create directory
- file:
- path: /root/https-proxy
- state: directory
-
-- name: Copy traefik.toml
- copy:
- src: files/traefik.toml
- dest: /root/https-proxy/traefik.toml
- owner: root
- group: root
-
-- name: Copy docker-compose.yml
- copy:
- src: files/docker-compose.yml
- dest: /root/https-proxy/docker-compose.yml
- owner: root
- group: root
-
-- name: Copy Dockerfile
- copy:
- src: files/Dockerfile
- dest: /root/https-proxy/Dockerfile
- owner: root
- group: root
-
-- name: start proxy
- command: docker-compose up -d
- args:
- chdir: /root/https-proxy/
\ No newline at end of file
diff --git a/infrastructure/main-server.yml b/infrastructure/main-server.yml
deleted file mode 100644
index 3d94dbf9..00000000
--- a/infrastructure/main-server.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
- - hosts: main
- roles:
- - { role: common, tags: common_role }
- - { role: auto_updates, tags: auto_updates_role }
- - { role: ufw, tags: ufw_role }
- - { role: ssh, tags: ssh_role }
- - { role: docker, tags: docker_role }
- - { role: https_proxy, tags: https_proxy_role }
- - { role: webapp, tags: webapp_role }
- - { role: netdata, tags: netdata_role }
-
diff --git a/infrastructure/netdata/handlers/main.yml b/infrastructure/netdata/handlers/main.yml
deleted file mode 100644
index 11c6c8b9..00000000
--- a/infrastructure/netdata/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart netdata
- service: name=netdata state=restarted
\ No newline at end of file
diff --git a/infrastructure/netdata/tasks/main.yml b/infrastructure/netdata/tasks/main.yml
deleted file mode 100644
index 6d5de9a4..00000000
--- a/infrastructure/netdata/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: Add Apt Key
- apt_key:
- url: https://packagecloud.io/netdata/netdata/gpgkey
- state: present
-
-- name: add apt repo
- apt_repository:
- repo: deb https://packagecloud.io/netdata/netdata/ubuntu/ {{ansible_distribution_release}} main
- state: present
-
-- name: install netdata
- apt:
- name: netdata
-
-- name: copy config
- template:
- src: netdata.conf.j2
- dest: "/etc/netdata/netdata.conf"
- notify: restart netdata
-
-- name: Make sure service is running
- systemd:
- daemon_reload: yes
- state: started
- enabled: yes
- name: netdata
\ No newline at end of file
diff --git a/infrastructure/netdata/templates/netdata.conf.j2 b/infrastructure/netdata/templates/netdata.conf.j2
deleted file mode 100644
index 369b2505..00000000
--- a/infrastructure/netdata/templates/netdata.conf.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-# netdata configuration
-#
-# You can download the latest version of this file, using:
-#
-# wget -O /etc/netdata/netdata.conf http://localhost:19999/netdata.conf
-# or
-# curl -o /etc/netdata/netdata.conf http://localhost:19999/netdata.conf
-#
-# You can uncomment and change any of the options below.
-# The value shown in the commented settings, is the default value.
-#
-
-[global]
- run as user = netdata
-
- # the default database size - 1 hour
- history = 3600
-
- # some defaults to run netdata with least priority
- process scheduling policy = idle
- OOM score = 1000
- hostname = {{application_domain}}
-
-[web]
- web files owner = root
- web files group = netdata
-
- # by default do not expose the netdata port
- bind to = localhost
\ No newline at end of file
diff --git a/infrastructure/production b/infrastructure/production
deleted file mode 100644
index abe8a914..00000000
--- a/infrastructure/production
+++ /dev/null
@@ -1,2 +0,0 @@
-[main]
-45.132.245.60 ansible_user=root
\ No newline at end of file
diff --git a/infrastructure/ssh/files/public_keys/bastian b/infrastructure/ssh/files/public_keys/bastian
deleted file mode 100644
index 2efbe55e..00000000
--- a/infrastructure/ssh/files/public_keys/bastian
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 bastian
\ No newline at end of file
diff --git a/infrastructure/ssh/files/public_keys/gerald b/infrastructure/ssh/files/public_keys/gerald
deleted file mode 100644
index 7e8e5ccc..00000000
--- a/infrastructure/ssh/files/public_keys/gerald
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxzJe7EMCjqtmnbGC0knbWCXTJh/1zYEgbZh4jIPs9t gerald
diff --git a/infrastructure/ssh/files/public_keys/github b/infrastructure/ssh/files/public_keys/github
deleted file mode 100644
index 41dc5145..00000000
--- a/infrastructure/ssh/files/public_keys/github
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDS81fpvd0rOEskHjqkt8asxNISKZR0gg6Haix5o9FnEixhKDl9PfIpvyuMCTmTYAw2q0ySvjCrYdH8fDwiPMMvXOPB3qvHzgimDEBqq2X9X0LMDmtTa3815w4V7yhUnusmhjPLbbFIkuvEJH7VzIQJFew2VLiGdJPAfx7KK/VULmj+dI+V6TmG/19NHQPUU8Pv1PPgUQWvvUKSo8gGrYO4BYFnPUtd8a3oVinF1ttwajOtmIURKyY5M3dC7nmafND4hMXqysXjAYGSTqjjXRdycDkrgLyvX/OGUZ0RV8r7ZPtYszrHiYyqWooKlS5qoWxVWPh4bGmaDbkXnPmpyRlYlf6hO0aleJHJqiIfRrB62bvW5iSEiD+IVCCKKKP190+eldPNamnsyGurKiHQqody+II5EOXbITEzrsMDf94lGsUQUmfvmkvGnwPdcvmPbVyllyV2WrdxokL/glae2Jl5SM6HVHxV1bEcZllw16QqNwumHLXv+S145LcVv+Hvgg4NOxy5WkLYApQGllv9Tz9SnYPNLosj0qcrBf9ANfDt341Jx4lV2+fxl56561K3IO2dNYllq4iTBtuxsPlxe+Seo3NCLyf2bBUM8/+1WC65wL4PmLD5kbHGnrEGsf9Fefi0gQEHmKTwj8zT3VYegkYsCrEybMk+UmKGGMnrLN/EXQ== muenster-jetzt-github
\ No newline at end of file
diff --git a/infrastructure/ssh/files/sshd_config b/infrastructure/ssh/files/sshd_config
deleted file mode 100644
index 8ebbf23a..00000000
--- a/infrastructure/ssh/files/sshd_config
+++ /dev/null
@@ -1,123 +0,0 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin without-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
\ No newline at end of file
diff --git a/infrastructure/ssh/handlers/main.yml b/infrastructure/ssh/handlers/main.yml
deleted file mode 100644
index 9543900c..00000000
--- a/infrastructure/ssh/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart sshd
- service: name=sshd state=reloaded
\ No newline at end of file
diff --git a/infrastructure/ssh/tasks/main.yml b/infrastructure/ssh/tasks/main.yml
deleted file mode 100644
index 8dfd38d5..00000000
--- a/infrastructure/ssh/tasks/main.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: Copy sshd config
- copy:
- src: files/sshd_config
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: 0644
- notify: restart sshd
-
-- ufw:
- rule: limit
- port: "22"
- proto: tcp
-
-- name: Set up authorized_keys exclusively with many keys
- set_fact: pubkey_list="{{ lookup('file', 'files/public_keys/' + item) }}"
- register: pubkeys
- with_items: "{{ grant_ssh_access_for }}"
-
-- set_fact: pubkey_string="{{ pubkeys.results | map(attribute='ansible_facts.pubkey_list') | join('\n') }}"
-- authorized_key: user=root key="{{ pubkey_string }}" exclusive=yes
-
-- name: Install root private key
- copy:
- content: "{{ root_prkey }}"
- dest: /root/.ssh/id_rsa
- owner: root
- mode: 0600
- when: root_prkey is defined
-
-- name: Install root public key
- copy:
- content: "{{ root_pubkey }}"
- dest: /root/.ssh/id_rsa.pub
- owner: root
- mode: 0622
- when: root_pubkey is defined
\ No newline at end of file
diff --git a/infrastructure/ufw/handlers/main.yml b/infrastructure/ufw/handlers/main.yml
deleted file mode 100644
index e5edad62..00000000
--- a/infrastructure/ufw/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: restart ufw
- service: name=ufw state=restarted
- listen: "restart ufw"
\ No newline at end of file
diff --git a/infrastructure/ufw/tasks/main.yml b/infrastructure/ufw/tasks/main.yml
deleted file mode 100644
index e3803521..00000000
--- a/infrastructure/ufw/tasks/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: enable ufw
- ufw:
- state: enabled
- policy: deny
-
-- name: open web ports
- ufw:
- rule: allow
- port: "80,443"
- proto: tcp
- when: is_webserver|bool == True
\ No newline at end of file
diff --git a/infrastructure/webapp/files/env-production.j2 b/infrastructure/webapp/files/env-production.j2
deleted file mode 100644
index a55163a5..00000000
--- a/infrastructure/webapp/files/env-production.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-COMPOSE_PROJECT_NAME=muenster-jetzt-production
-DOMAIN={{application_domain}}
-TAG_NAME=production
-DB_HOST=db
-DB_PORT=5432
-DB_USER={{db_user_production}}
-DB_PASSWORD={{db_password_production}}
-DB_NAME={{db_name_production}}
-MUENSTERLAND_API_TOKEN={{api_token_muensterland}}
-DATENPORTAL_USER={{api_user_datenportal}}
-DATENPORTAL_PASSWORD={{api_password_datenportal}}
-LOKI_URL={{loki_url}}
-DJANGO_SECRET_KEY={{api_secret_key_production}}
-DJANGO_HOSTS=api.{{application_domain}}
diff --git a/infrastructure/webapp/files/env-staging.j2 b/infrastructure/webapp/files/env-staging.j2
deleted file mode 100644
index aca34e1e..00000000
--- a/infrastructure/webapp/files/env-staging.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-COMPOSE_PROJECT_NAME=muenster-jetzt-staging
-DOMAIN=staging.{{application_domain}}
-TAG_NAME=master
-DB_HOST=db
-DB_PORT=5432
-DB_USER={{db_user_staging}}
-DB_PASSWORD={{db_password_staging}}
-DB_NAME={{db_name_staging}}
-MUENSTERLAND_API_TOKEN={{api_token_muensterland}}
-DATENPORTAL_USER={{api_user_datenportal}}
-DATENPORTAL_PASSWORD={{api_password_datenportal}}
-LOKI_URL={{loki_url}}
-DJANGO_SECRET_KEY={{api_secret_key_staging}}
-DJANGO_HOSTS=api.staging.{{application_domain}}
diff --git a/infrastructure/webapp/tasks/main.yml b/infrastructure/webapp/tasks/main.yml
deleted file mode 100644
index 8aaeebf4..00000000
--- a/infrastructure/webapp/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: create uploads dir
- file:
- path: /root/muenster-jetzt/uploads/
- state: directory
-
-- name: create staging dir
- file:
- path: /root/muenster-jetzt/staging
- state: directory
-
-- name: Copy staging .env
- template:
- src: files/env-staging.j2
- dest: /root/muenster-jetzt/staging/.env
- owner: root
- group: root
-
-- name: create production dir
- file:
- path: /root/muenster-jetzt/production
- state: directory
-
-- name: Copy production .env
- template:
- src: files/env-production.j2
- dest: /root/muenster-jetzt/production/.env
- owner: root
- group: root
\ No newline at end of file