Devops stuff.

devops/ansible/roles/mjb-profile-buildserver/files/ansible/deploy-website.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Deploy Website
+  remote_user: root
+  hosts: all
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i/home/minion/.ssh/id_rsa_ansible
+    site: "{{ lookup('file', lookup('env', 'MARKDOWNSITE_CONFIG') ) | from_yaml }}"
+  roles:
+    - deploy-website

devops/ansible/roles/mjb-profile-buildserver/files/ansible/purge-website.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Deploy Website
+  remote_user: root
+  hosts: all
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i/home/minion/.ssh/id_rsa_ansible
+  roles:
+    - purge-website

devops/ansible/roles/mjb-profile-buildserver/files/ansible/roles/deploy-website/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: Install /etc/nginx/sites-enabled/{{ site.domain }}
+  template:
+    src: "{{ role_path }}/templates/sites-available-config.j2"
+    dest: "/etc/nginx/sites-enabled/{{ site.domain }}"
+    owner: root
+    group: root
+    mode: '0644'
+  ignore_errors: yes # Custom config with chattr +i, don't fail on error.
+
+- name: Remove any prexisting /var/www/{{ site.domain }}.
+  file:
+    path: "/var/www/{{ site.domain }}"
+    state: absent
+
+- name: Ensure /var/www/{{ site.domain }} is populated.
+  copy:
+    src: "{{ site.www_dir }}"
+    dest: "/var/www/{{ site.domain }}"
+    mode: '0644'
+    directory_mode: '0755'
+    owner: 'www-data'
+    group: 'www-data'
+
+- name: Reload nginx to begin serving the website.
+  systemd:
+    name: nginx
+    state: reloaded
+

devops/ansible/roles/mjb-profile-buildserver/files/ansible/roles/deploy-website/templates/lighttpd-conf-domain.j2

@@ -0,0 +1,22 @@
+$HTTP["host"] =~ "^{% raw %}{{ site.domain }}{% endraw %}$" {
+    $SERVER["socket"] == ":443" {
+        # SSL Settings
+        ssl.engine  = "enable"
+        ssl.pemfile = "/etc/letsencrypt/live/{{ domain.hosted }}/cert.pem"
+        ssl.ca-file = "/etc/letsencrypt/live/{{ domain.hosted }}/fullchain.pem"
+        ssl.privkey = "/etc/letsencrypt/live/{{ domain.hosted }}/privkey.pem"
+
+        # Docroot & Logs.
+        server.document-root = "/var/www/{% raw %}{{ site.domain }}{% endraw %}/html"
+        server.errorlog      = "/var/log/lighttpd/{% raw %}{{ site.domain }}{% endraw %}.error.log"
+        accesslog.filename   = "/var/log/lighttpd/{% raw %}{{ site.domain }}{% endraw %}.access.log"
+
+        # Pass to Markdown::CGI if there is no static file to serve.
+        magnet.attract-physical-path-to = ( "/etc/lighttpd/rewrite.lua" )
+    }
+
+    # Redirect http -> https
+    $SERVER["socket"] == ":80" {
+        url.redirect = ( "^/(.*)" => "https://{% raw %}{{ site.domain }}{% endraw %}/$1" )
+    }
+}

devops/ansible/roles/mjb-profile-buildserver/files/ansible/roles/deploy-website/templates/markdownsite-config.yml.j2

@@ -0,0 +1,3 @@
+---
+domain: {{ site.domain }}
+

devops/ansible/roles/mjb-profile-buildserver/files/ansible/roles/deploy-website/templates/sites-available-config.j2

@@ -0,0 +1,36 @@
+server {
+    server_name {{ site.domain }};
+    root /var/www/{{ site.domain }}/html;
+    index index.html;
+
+    error_log  /var/log/nginx/{{ site.domain }}symkat.com.error.log warn;
+    access_log /var/log/nginx/{{ site.domain }}symkat.com.access.log combined;
+
+    listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/{{ site.domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ site.domain }}/privkey.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:10m;
+    ssl_session_timeout 1440m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    ssl_dhparam /etc/nginx/ssl-dhparams.pem;
+
+}
+
+server {
+    if ($host = {{ site.domain }}) {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 80;
+    server_name {{ site.domain }}
+    return 404;
+}
+
+

devops/ansible/roles/mjb-profile-buildserver/files/ansible/roles/purge-website/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: "Remove /etc/lighttpd/conf.d/{{ domain }}."
+  file:
+    path: "/etc/lighttpd/conf.d/{{ domain }}"
+    state: absent
+
+- name: "Remove any prexisting /var/www/{{ domain }}."
+  file:
+    path: "/var/www/{{ domain }}"
+    state: absent
+
+- name: "Reload lighttpd to stop serving {{ domain }}."
+  systemd:
+    name: lighttpd
+    state: reloaded

devops/ansible/roles/mjb-profile-buildserver/files/mjb.worker.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=MJB Worker Service
+After=postgresql.target
+
+[Service]
+User=manager
+Group=manager
+
+Environment="PERL5LIB=/home/manager/perl5/lib/perl5"
+Environment="PERL_MB_OPT=--install_base \"/home/manager/perl5\""
+Environment="PERL_MM_OPT=INSTALL_BASE=/home/manager/perl5"
+Environment="PERL_LOCAL_LIB_ROOT=/home/manager/perl5"
+Environment="PATH=/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+
+ExecStart=/home/manager/mjb/Web/script/mjb minion worker
+WorkingDirectory=/home/manager/mjb/Web
+SyslogIdentifier=mjb.worker
+Restart=on-failure
+Type=simple
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+

devops/ansible/roles/mjb-profile-buildserver/tasks/ansible.yml

@@ -0,0 +1,71 @@
+- name: Install packages
+  apt:
+    name: [ 'gnupg2', 'curl' ]
+
+- name: Add the ansible key.
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 93C4A3FD7BB9C367
+
+- name: Install ansible.list for apt.
+  copy:
+    dest: /etc/apt/sources.list.d/ansible.list
+    content: "deb http://ppa.launchpad.net/ansible/ansible/ubuntu focal main"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Reload apt with new source
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Install packages
+  apt:
+    name: [
+      'ansible',
+      'ansible-core',
+      'podman',
+    ]
+    state: present
+
+- name: Install ansible roles for deployment
+  copy:
+    src: "{{ role_path }}/files/ansible/"
+    dest: "/etc/ansible"
+    mode: '0644'
+    directory_mode: '0755'
+    owner: 'root'
+    group: 'root'
+
+- name: "Delete /etc/ansible/hosts."
+  file:
+    path: /etc/ansible/hosts
+    state: absent
+
+- name: "Create /etc/ansible/hosts."
+  copy:
+    dest: /etc/ansible/hosts
+    content: "[webservers]"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: "Add hosts to /etc/ansible/hosts"
+  lineinfile:
+    path: /etc/ansible/hosts
+    line: "{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items: "{{ deploy_addresses }}"
+
+- name: "Install SSH Key for manager to use ansible"
+  copy:
+    dest: /home/manager/.ssh/id_rsa
+    src: "{{ inventory_dir }}/files/ssh/id_rsa"
+    owner: manager
+    group: manager
+    mode: 0600
+

devops/ansible/roles/mjb-profile-buildserver/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Update all packages to their latest version
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Support running MJB::Web
+  include_role:
+    name: mjb-role-webapp
+
+- name: Support using ansible locally
+  include_tasks: 
+    file: ansible.yml
+
+- name: Install mjb.worker.service file.
+  copy:
+    dest: /etc/systemd/system/mjb.worker.service
+    src: "{{ role_path }}/files/mjb.worker.service"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Start & enable mjb.worker
+  service:
+    name: mjb.worker
+    state: started
+    enabled: true

devops/ansible/roles/mjb-profile-certbot/files/mjb.certbot.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=MJB Certbot Service
+After=postgresql.target
+
+[Service]
+User=manager
+Group=manager
+
+Environment="PERL5LIB=/home/manager/perl5/lib/perl5"
+Environment="PERL_MB_OPT=--install_base \"/home/manager/perl5\""
+Environment="PERL_MM_OPT=INSTALL_BASE=/home/manager/perl5"
+Environment="PERL_LOCAL_LIB_ROOT=/home/manager/perl5"
+Environment="PATH=/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+
+ExecStart=/home/manager/mjb/Web/script/mjb minion worker -q certbot
+WorkingDirectory=/home/manager/mjb/Web
+SyslogIdentifier=mjb.worker
+Restart=on-failure
+Type=simple
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+

devops/ansible/roles/mjb-profile-certbot/tasks/main.yml

@@ -0,0 +1,75 @@
+- name: Update all packages to their latest version
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Install packages for webserver support
+  apt:
+    name: [
+      'certbot',
+      'rsync',
+    ]
+    state: present
+
+- name: Support running MJB::Web
+  include_role:
+    name: mjb-role-webapp
+
+- name: Allow manager to have sudo access for certbot
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^manager'
+    line: 'manager ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+
+- name: Install mjb.certbot.service file.
+  copy:
+    dest: /etc/systemd/system/mjb.certbot.service
+    src: "{{ role_path }}/files/mjb.certbot.service"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Start & enable mjb.certbot
+  service:
+    name: mjb.certbot
+    state: started
+    enabled: true
+
+- name: "Ensure /usr/bin/letsencrypt-cert-push"
+  copy:
+    dest: /usr/bin/letsencrypt-cert-push
+    content: "#!/bin/bash"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: "Populatge rsync entires for letsencrypt-cert-push"
+  lineinfile:
+    path: /usr/bin/letsencrypt-cert-push
+    line: "rsync -rLptgoD -e \"ssh -o StrictHostKeyChecking=no\" /etc/letsencrypt/live root@{{ item }}:/etc/letsencrypt"
+  with_items: "{{ deploy_addresses }}"
+
+- name: Create keypair for syncing
+  openssh_keypair:
+    path: "/root/.ssh/id_rsa"
+    type: rsa
+    size: 4096
+    owner: root
+    group: root
+    state: present
+    force: no
+
+- name: Get private key from host
+  fetch:
+    src: /root/.ssh/id_rsa
+    dest: "{{ inventory_dir }}/files/ssh/id_rsa"
+    flat: true
+
+- name: Get public key from host
+  fetch:
+    src: /root/.ssh/id_rsa.pub
+    dest: "{{ inventory_dir }}/files/ssh/id_rsa.pub"
+    flat: true

devops/ansible/roles/mjb-profile-panel/files/mjb-web.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=MJB Web Service
+After=postgresql.target
+
+[Service]
+User=manager
+Group=manager
+
+Environment="PERL5LIB=/home/manager/perl5/lib/perl5"
+Environment="PERL_MB_OPT=--install_base \"/home/manager/perl5\""
+Environment="PERL_MM_OPT=INSTALL_BASE=/home/manager/perl5"
+Environment="PERL_LOCAL_LIB_ROOT=/home/manager/perl5"
+Environment="PATH=/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+
+ExecStart=/home/manager/perl5/bin/hypnotoad -f script/mjb
+WorkingDirectory=/home/manager/mjb/Web
+SyslogIdentifier=mjb-web
+Restart=on-failure
+Type=simple
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+

devops/ansible/roles/mjb-profile-panel/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: Restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: Restart postgres
+  service:
+    name: postgres
+    state: restarted

devops/ansible/roles/mjb-profile-panel/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- name: Update all packages to their latest version
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Support running MJB::Web
+  include_role:
+    name: mjb-role-webapp
+
+- name: Install mjb-web.service file.
+  copy:
+    dest: /etc/systemd/system/mjb-web.service
+    src: "{{ role_path }}/files/mjb-web.service"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: "Install SSH Key for Gitea Store IO"
+  copy:
+    dest: /home/manager/.ssh/id_rsa
+    src: "{{ inventory_dir }}/files/ssh/id_rsa"
+    owner: manager
+    group: manager
+    mode: 0600
+
+- name: Start & enable mjb-web
+  service:
+    name: mjb-web
+    state: started
+    enabled: true
+
+- name: Support an nginx web server for MJB::Web
+  include_tasks: 
+    file: webserver.yml
+
+# Need to import the database TODO: Make the store server do this instead.

devops/ansible/roles/mjb-profile-panel/tasks/webserver.yml

@@ -0,0 +1,32 @@
+- name: Install packages for webserver support
+  apt:
+    name: [
+      'nginx',
+      'certbot',
+      'python3-certbot-nginx',
+    ]
+    state: present
+
+- name: Start & enable nginx
+  service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: "Install /etc/nginx/sites-enabled/{{ domain_name }}"
+  template:
+    src: "{{ role_path }}/templates/nginx-domain.j2"
+    dest: "/etc/nginx/sites-enabled/{{ domain_name }}"
+    force: no
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restart nginx
+
+- name: Setup SSL Certificates
+  shell: certbot run --nginx -d {{ domain_name }} {{ '-d www.' + domain_name if redirect_www }} --agree-tos --register-unsafely-without-email
+  args:
+    creates: /etc/letsencrypt/live/{{ domain_name }}/cert.pem
+  notify:
+    - Restart nginx

devops/ansible/roles/mjb-profile-panel/templates/nginx-domain.j2

@@ -0,0 +1,24 @@
+upstream myapp {
+    server 127.0.0.1:8080;
+}
+
+server {
+    server_name {{ domain_name }};
+
+    location / {
+        proxy_pass http://myapp;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+}
+
+server {
+    server_name www.{{ domain_name }};
+    return 301 $scheme://{{ domain_name }}$request_uri;
+}
+

devops/ansible/roles/mjb-profile-store/files/gitea.service

@@ -0,0 +1,90 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service dependencies
+###
+#
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
+
+[Install]
+WantedBy=multi-user.target

devops/ansible/roles/mjb-profile-store/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: Restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: Restart postgresql
+  service:
+    name: postgresql
+    state: restarted

devops/ansible/roles/mjb-profile-store/tasks/database.yml

@@ -0,0 +1,60 @@
+- name: Install packages to support postgres
+  apt:
+    name: [
+      'libssl-dev',
+      'libpq-dev',
+      'libz-dev',
+      'libexpat1-dev',
+      'postgresql-client',
+      'postgresql-contrib',
+      'postgresql',
+      'python3-psycopg2',
+    ]
+    state: present
+
+- name: Start & enable postgres
+  service:
+    name: postgresql
+    state: started
+    enabled: true
+
+- name: Create database users
+  postgresql_user:
+    name: "{{ item.value.user }}"
+    password: "{{ item.value.pass }}"
+    state: present
+  become_user: postgres
+  become: true
+  with_dict: "{{ databases }}"
+
+- name: Create databases
+  postgresql_db:
+    name: "{{ item.value.name }}"
+    owner: "{{ item.value.user }}"
+    state: present
+  become_user: postgres
+  become: true
+  with_dict: "{{ databases }}"
+
+- name: Add auth lines to pgsql hba config
+  postgresql_pg_hba:
+    dest: /etc/postgresql/13/main/pg_hba.conf
+    contype: host
+    source: "{{ item }}/32" 
+    method: md5
+    create: true
+  with_items: "{{ database.allow_addresses }}"
+  notify: Restart postgresql
+
+- name: "Bind PSQL to localhost and {{ database.bind }}"
+  lineinfile:
+    path: /etc/postgresql/13/main/postgresql.conf
+    regexp: '^listen_addresses '
+    insertafter: '^#listen_addresses'
+    line: "listen_addresses = 'localhost,{{ database.bind_address }}'"
+  notify: Restart postgresql
+
+- name: "Restart PSQL if notified."
+  meta: flush_handlers
+
+

devops/ansible/roles/mjb-profile-store/tasks/gitea.yml

@@ -0,0 +1,98 @@
+- name: Create gitea user
+  user:
+    name: git
+    shell: /bin/bash
+    password_lock: yes
+    comment: Git Version Control
+
+- name: Create /var/lib/gitea
+  file:
+    state: directory
+    path: /var/lib/gitea
+    owner: git
+    group: git
+    mode: 0750
+
+- name: Create /var/lib/gitea/custom
+  file:
+    state: directory
+    path: /var/lib/gitea/custom
+    owner: git
+    group: git
+    mode: 0750
+
+- name: Create /var/lib/gitea/data
+  file:
+    state: directory
+    path: /var/lib/gitea/data
+    owner: git
+    group: git
+    mode: 0750
+
+- name: Create /var/lib/gitea/log
+  file:
+    state: directory
+    path: /var/lib/gitea
+    owner: git
+    group: git
+    mode: 0750
+
+- name: Create /etc/gitea
+  file:
+    state: directory
+    path: /etc/gitea
+    owner: root
+    group: git
+    mode: 0770
+
+- name: Install /usr/local/bin/gitea
+  copy:
+    dest: /usr/local/bin/gitea
+    src: "{{ role_path }}/files/gitea-1.17.1-linux-amd64"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Install /etc/systemd/system/gitea.service
+  copy:
+    dest: /etc/systemd/system/gitea.service
+    src: "{{ role_path }}/files/gitea.service"
+    owner: root
+    group: root
+    mode: 0744
+
+#- name: Generate internal token secret for gitea
+#  shell: /usr/local/bin/gitea generate secret INTERNAL_TOKEN
+#  register: internal_token
+#
+#- name: Generate jwt token secret for gitea
+#  shell: /usr/local/bin/gitea generate secret JWT_SECRET
+#  register: jwt_token
+
+- name: "Install /etc/gitea/app.ini"
+  template:
+    src: "{{ role_path }}/templates/app.ini.j2"
+    dest: "/etc/gitea/app.ini"
+    force: no
+    owner: root
+    group: git
+    mode: 0640
+
+- name: Enable Gitea
+  service:
+    name: gitea
+    state: started
+    enabled: true
+
+- name: Create admin user for gitea
+  shell: gitea -c /etc/gitea/app.ini admin user create --admin --username {{ gitea.user }} --password {{ gitea.pass }} --email {{ gitea.email }} > /home/git/.first
+  environment:
+    GITEA_WORK_DIR: /var/lib/gitea/
+  args:
+    creates: /home/git/.first
+  become: true
+  become_user: git
+
+
+
+

devops/ansible/roles/mjb-profile-store/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Update all packages to their latest version
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Install packages
+  apt:
+    name: [
+      'git',
+    ]
+    state: present
+
+- name: Setup the databases
+  include_tasks: database.yml
+
+- name: Support running MJB::Web
+  include_role:
+    name: mjb-role-webapp
+
+- name: Populate the MJB Database
+  shell: /home/manager/mjb/Web/script/mjb dbc < /home/manager/mjb/DB/etc/schema.sql > /home/manager/mjb/DB/etc/schema.log 2>&1
+  args:
+    creates: /home/manager/mjb/DB/etc/schema.log
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+
+- name: Setup the webserver
+  include_tasks: webserver.yml
+
+- name: Setup the gitea service
+  include_tasks: gitea.yml
+

devops/ansible/roles/mjb-profile-store/tasks/webserver.yml

@@ -0,0 +1,32 @@
+- name: Install packages for webserver support
+  apt:
+    name: [
+      'nginx',
+      'certbot',
+      'python3-certbot-nginx',
+    ]
+    state: present
+
+- name: Start & enable nginx
+  service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: "Install /etc/nginx/sites-enabled/{{ domain_name }}"
+  template:
+    src: "{{ role_path }}/templates/nginx-domain.j2"
+    dest: "/etc/nginx/sites-enabled/{{ domain_name }}"
+    force: no
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restart nginx
+
+- name: Setup SSL Certificates
+  shell: certbot run --nginx -d {{ domain_name }} --agree-tos --register-unsafely-without-email
+  args:
+    creates: /etc/letsencrypt/live/{{ domain_name }}/cert.pem
+  notify:
+    - Restart nginx

devops/ansible/roles/mjb-profile-store/templates/app.ini.j2

@@ -0,0 +1,82 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = postgres
+HOST     = 127.0.0.1:5432
+NAME     = {{ databases.gitea.name }}
+USER     = {{ databases.gitea.user }}
+PASSWD   = {{ databases.gitea.pass }}
+SCHEMA   =
+SSL_MODE = disable
+CHARSET  = utf8
+PATH     = /var/lib/gitea/data/gitea.db
+LOG_SQL  = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+ENABLE_PUSH_CREATE_USER = true
+ENABLE_PUSH_CREATE_ORG = true
+
+
+[server]
+SSH_DOMAIN       = {{ domain_name }}
+DOMAIN           = {{ domain_name }}
+HTTP_PORT        = 3000
+ROOT_URL         = https://{{ domain_name }}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET   = {{ gitea.jwt_token }}
+OFFLINE_MODE     = true
+
+[lfs]
+PATH = /var/lib/gitea/data/lfs
+
+[mailer]
+ENABLED = true
+HOST    = {{ smtp.host }}
+FROM    = {{ smtp.from }}
+USER    = {{ smtp.user }}
+PASSWD  = {{ smtp.pass }}
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = {{ domain_name }}
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = console
+LEVEL     = info
+ROOT_PATH = /var/lib/gitea/log
+ROUTER    = console
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK       = true
+INTERNAL_TOKEN     = {{ gitea.internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2

devops/ansible/roles/mjb-profile-store/templates/nginx-domain.j2

@@ -0,0 +1,12 @@
+server {
+    listen 80;
+    server_name {{ domain_name }};
+
+    location / {
+        proxy_pass http://localhost:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

devops/ansible/roles/mjb-profile-webserver/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart nginx
+  service:
+    name: nginx
+    state: restarted

devops/ansible/roles/mjb-profile-webserver/tasks/main.yml

@@ -0,0 +1,44 @@
+- name: Update all packages to their latest version
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: Install packages for webserver support
+  apt:
+    name: [
+      'nginx',
+      'rsync', # for letsencrypt-cert-push
+    ]
+    state: present
+
+- name: "Install /etc/nginx/sites-available/default"
+  template:
+    src: "{{ role_path }}/templates/default.j2"
+    dest: "/etc/nginx/sites-available/default"
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart nginx
+
+- name: Generate /etc/nginx/ssl-dhparams.pem
+  shell: openssl dhparam -out /etc/nginx/ssl-dhparams.pem 4096
+  args:
+    creates: /etc/nginx/ssl-dhparams.pem
+
+- name: Start & enable nginx
+  service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: Get public key contents
+  set_fact:
+    public_key: "{{ lookup('file', inventory_dir + '/files/ssh/id_rsa.pub' ) }}"
+
+- name: "Install ssh public key for builder/certbot"
+  lineinfile:
+    path:   "/root/.ssh/authorized_keys"
+    line:   "{{ public_key }}"
+    search_string: "{{ public_key }}"
+    state: present

devops/ansible/roles/mjb-profile-webserver/templates/default.j2

@@ -0,0 +1,20 @@
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	# certbot passthrough
+	location /.well-known/acme-challenge {
+    		proxy_pass http://{{ certbot_domain }};
+	}
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}

devops/ansible/roles/mjb-role-webapp/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Setup environment for manager user
+  include_tasks:
+    file: manager_user.yml
+
+- name: Setup the web application
+  include_tasks: 
+    file: webapp.yml

devops/ansible/roles/mjb-role-webapp/tasks/manager_user.yml

@@ -0,0 +1,77 @@
+- name: Install packages
+  apt:
+    name: [
+      'git',
+      'build-essential',
+      'libssl-dev',
+      'libz-dev',
+      'cpanminus',
+      'vim',
+      'curl',
+      'ack',
+      'tree',
+      'perl-doc',
+    ]
+    state: present
+
+- name: Create manager user
+  user:
+    name: manager
+    shell: /bin/bash
+    comment: Manager User Account
+
+- name: Create ~manager/.ssh
+  file:
+    state: directory
+    path: /home/manager/.ssh
+    owner: manager
+    group: manager
+    mode: 0700
+
+- name: Create ~manager/.ssh/authorized_keys from ~root
+  copy:
+    dest: /home/manager/.ssh/authorized_keys
+    src: /root/.ssh/authorized_keys
+    remote_src: true
+    owner: manager
+    group: manager
+    mode: 0600
+
+- name: Create ~manager/.ssh/config
+  copy:
+    dest: /home/manager/.ssh/config
+    content: "host *.{{ service_domain }}\n   StrictHostKeyChecking no\n"
+    owner: manager
+    group: manager
+    mode: 0600
+
+- name: Create ~manager/.gitconfig
+  copy:
+    dest: /home/manager/.gitconfig
+    content: "[user]\n\temail = manager@{{ service_domain }}\n\tname = Manager Bot\n"
+    owner: manager
+    group: manager
+    mode: 0600
+
+- name: Ensure that local::lib is used when logging in
+  lineinfile:
+    path: /home/manager/.bashrc
+    regexp: '^eval \$\(perl'
+    line: eval $(perl -Mlocal::lib)
+
+- name: Install Dist::Zilla
+  shell: cpanm Dist::Zilla
+  args:
+    creates: /home/manager/perl5/lib/perl5/Dist/Zilla.pm
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+  register: result
+  until: result is success
+  retries: 5
+

devops/ansible/roles/mjb-role-webapp/tasks/webapp.yml

@@ -0,0 +1,96 @@
+- name: Install packages to support postgres
+  apt:
+    name: [
+      'libpq-dev',
+      'postgresql-client',
+      'postgresql-contrib',
+    ]
+    state: present
+
+- name: Install /etc/mjb.yml
+  template:
+    src: "{{ role_path }}/templates/mjb.yml.j2"
+    dest: /etc/mjb.yml
+    owner: root
+    group: root
+    mode: 0644
+
+- name: "Git clone from {{ repo }}"
+  git:
+    repo: "{{ repo }}"
+    dest: /home/manager/mjb
+    accept_hostkey: true
+  become: true
+  become_user: manager
+
+- name: Build MJB::Backend::Jekyll
+  shell: dzil build > build.log 2>&1
+  args:
+    chdir: /home/manager/mjb/libs/MJB-Backend-Jekyll
+    creates: /home/manager/mjb/libs/MJB-Backend-Jekyll/build.log
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+
+- name: Install MJB::Backend::Jekyll
+  shell: cpanm MJB-Backend-Jekyll-*.tar.gz
+  args:
+    chdir: /home/manager/mjb/libs/MJB-Backend-Jekyll
+    creates: /home/manager/perl5/lib/perl5/MJB/Backend/Jekyll.pm
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+
+- name: Build MJB::DB
+  shell: dzil build > build.log 2>&1
+  args:
+    chdir: /home/manager/mjb/DB
+    creates: /home/manager/mjb/DB/build.log
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+
+- name: Install MJB::DB
+  shell: cpanm MJB-DB-*.tar.gz
+  args:
+    chdir: /home/manager/mjb/DB
+    creates: /home/manager/perl5/lib/perl5/MJB/DB.pm
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+  become: true
+  become_user: manager
+
+- name: Install MJB::Web Dependencies
+  shell: cpanm --installdeps . > build.log 2>&1
+  args:
+    chdir: /home/manager/mjb/Web
+    creates: /home/manager/mjb/Web/build.log
+  environment:
+    PATH:                '/home/manager/perl5/bin:/usr/local/bin:/usr/bin:/bin'
+    PERL5LIB:            '/home/manager/perl5/lib/perl5'
+    PERL_MB_OPT:         '--install_base "/home/manager/perl5"'
+    PERL_MM_OPT:         'INSTALL_BASE=/home/manager/perl5'
+    PERL_LOCAL_LIB_ROOT: '/home/manager/perl5'
+
+  become: true
+  become_user: manager
+

devops/ansible/roles/mjb-role-webapp/templates/mjb.yml.j2

@@ -0,0 +1,14 @@
+---
+customer_domain: {{ customer_domain_name }}
+
+jekyll_init_repo: {{ mjb_web.jekyll_init_repo }}
+store_repo_base: {{ mjb_web.store_repo_base }}
+
+database:
+  mjb:    postgresql://{{ databases.mjb.user }}:{{ databases.mjb.pass }}@{{ databases.mjb.host }}/{{ databases.mjb.name }}
+  minion: postgresql://{{ databases.minion.user }}:{{ databases.minion.pass }}@{{ databases.minion.host }}/{{ databases.minion.name }}
+
+secrets:
+{% for secret in secrets %}
+  - {{ secret }}
+{% endfor %}

devops/ansible/site.yml

@@ -0,0 +1,39 @@
+- name: Configure Store Server
+  remote_user: root
+  hosts: store
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+  roles:
+    - mjb-profile-store
+
+- name: Configure Certbot Server
+  remote_user: root
+  hosts: certbot
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+  roles:
+    - mjb-profile-certbot
+
+- name: Configure Build Servers
+  remote_user: root
+  hosts: buildservers
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+  roles:
+    - mjb-profile-buildserver
+
+- name: Configure The Panel Server
+  remote_user: root
+  hosts: panel
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+  roles:
+    - mjb-profile-panel
+
+- name: Configure Web Servers
+  remote_user: root
+  hosts: webservers
+  vars:
+    ansible_ssh_common_args: -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+  roles:
+    - mjb-profile-webserver