From 7b11bb43f6d30247232b07af6896f055fd78f82d Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Fri, 9 Oct 2020 16:27:44 +0100
Subject: [PATCH] Split web and DB onto different servers
---
 tools/ansible/deploy.yml | 2 +-
 tools/ansible/digitalocean.yml | 30 +++++++------
 tools/ansible/hosts.yml | 20 ++++++---
 tools/ansible/provision.yml | 52 +++++++++++++++++++++--
 tools/ansible/requirements.yml | 10 +++--
 tools/ansible/vars/deploy_vars.yml | 5 ++-
 tools/ansible/vars/digitalocean_vars.yml | 1 +
 tools/ansible/vars/digitalocean_vault.yml | 18 ++++----
 tools/ansible/vars/provision_vars.yml | 9 +---
 tools/ansible/vars/provision_vault.yml | 14 +++---
 10 files changed, 110 insertions(+), 51 deletions(-)
diff --git a/tools/ansible/deploy.yml b/tools/ansible/deploy.yml
index 87bdd72..ae16fd9 100644
--- a/tools/ansible/deploy.yml
+++ b/tools/ansible/deploy.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: all
+- hosts: web
 vars_files:
 - vars/vars.yml
diff --git a/tools/ansible/digitalocean.yml b/tools/ansible/digitalocean.yml
index 40448e0..97d1e36 100644
--- a/tools/ansible/digitalocean.yml
+++ b/tools/ansible/digitalocean.yml
@@ -6,16 +6,22 @@
 - ./vars/digitalocean_vault.yml
 - ./vars/digitalocean_vars.yml
- tasks:
- - name: Create a Droplet
- digital_ocean_droplet:
- state: present
- name: oliverdavies-uk
- oauth_token: '{{ digitalocean_api_key }}'
- size: 1gb
- region: lon1
- image: ubuntu-16-04-x64
- wait_timeout: 500
- register: droplet
+ vars:
+ droplets:
+ - { name: "oliverdavies-uk-web2", group: "oliverdavies-uk" }
+ - { name: "oliverdavies-uk-db", group: "oliverdavies-uk" }
- - debug: var=droplet
+ tasks:
+ - name: Provision DigitalOcean droplets
+ digital_ocean_droplet:
+ state: "{{ item.state | default('present') }}"
+ name: "{{ item.name }}"
+ oauth_token: "{{ digitalocean_api_key }}"
+ size: "{{ item.size | default('1gb') }}"
+ region: "{{ item.region | default('lon1') }}"
+ image: "{{ item.image | default('ubuntu-20-04-x64') }}"
+ unique_name: yes
+ ssh_keys:
+ - 28701873
+ register: created_droplets
+ with_items: "{{ droplets }}"
diff --git a/tools/ansible/hosts.yml b/tools/ansible/hosts.yml
index 28b87b7..1a20768 100644
--- a/tools/ansible/hosts.yml
+++ b/tools/ansible/hosts.yml
@@ -1,6 +1,16 @@
 all:
- hosts:
- 178.62.51.101:
- vars:
- ansible_ssh_port: 2849
- ansible_ssh_user: root
+ children:
+ db:
+ hosts:
+ 144.126.204.35:
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+ ansible_ssh_port: 2849
+ ansible_ssh_user: root
+ web:
+ hosts:
+ 64.227.46.2:
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+ ansible_ssh_port: 2849
+ ansible_ssh_user: root
diff --git a/tools/ansible/provision.yml b/tools/ansible/provision.yml
index 81f1778..6f22bd0 100644
--- a/tools/ansible/provision.yml
+++ b/tools/ansible/provision.yml
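Review bot: `unique_name: yes` in the new digital_ocean_droplet task is a YAML 1.1 truthy literal; write `unique_name: true` so yamllint and non-Ansible parsers agree on the type. provision.yml's firewall rule and `mysql_bind_address` depend on the droplets having private 10.131.x addresses, but this task sets no `private_networking` option, so confirm that the account default attaches a private interface or set it explicitly here. With the `debug: var=droplet` task removed, the registered `created_droplets` result is not surfaced anywhere, so a droplet that was silently matched by `unique_name` rather than created is only visible in verbose output. The SSH key ID `28701873` is an opaque literal; a short comment naming which key it is would help the next reader.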
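Review bot: Both new hosts connect as `ansible_ssh_user: root`, and the unchanged `security_ssh_permit_root_login: 'yes'` in vars/provision_vars.yml (visible as context in that file's first hunk) keeps root SSH enabled after geerlingguy.security runs, so the split does not reduce what a leaked SSH key can reach. Consider provisioning a dedicated user with sudo, running the plays with `become: true`, and then setting permit_root_login to `'no'`. Independently, `ansible_python_interpreter`, `ansible_ssh_port` and `ansible_ssh_user` are repeated verbatim under each host; one `all: vars:` block (or group_vars/all.yml) avoids the two copies drifting apart. A comment mapping each public IP to its droplet name from digitalocean.yml would also make it clear which machine is which.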
@@ -1,21 +1,67 @@
 ---
-- hosts: all
+- hosts: db
+ become: true
 vars_files:
 - vars/vars.yml
+ - vars/provision_vault.yml
 - vars/provision_vars.yml
+ vars:
+ firewall_additional_rules:
+ - "iptables -A INPUT -p tcp --dport 3306 -s 10.131.0.2 -j ACCEPT"
+ firewall_allowed_tcp_ports: [2849]
+ mysql_bind_address: '10.131.0.3'
+ mysql_users:
+ - name: "{{ app_mysql_user }}"
+ password: "{{ app_mysql_password }}"
+ host: '10.131.0.2'
+ priv: "oliverdavies_uk.*:ALL"
+ mysql_databases:
+ - name: oliverdavies_uk
+
+ pre_tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+ roles:
 - name: geerlingguy.firewall
 - name: geerlingguy.security
- - name: geerlingguy.certbot
 - name: geerlingguy.mysql
+
+- hosts: web
+
+ vars_files:
+ - vars/vars.yml
+ - vars/provision_vault.yml
+ - vars/provision_vars.yml
+
+ vars:
+ composer_version_branch: '--1'
+ firewall_allowed_tcp_ports: [80, 443, 2849]
+ mysql_packages:
+ - mariadb-client
+ mysql_users: []
+
+ roles:
+ - name: geerlingguy.firewall
+ - name: geerlingguy.security
+ - name: geerlingguy.certbot
 - name: geerlingguy.nginx
+ - name: geerlingguy.mysql
 - name: geerlingguy.php-versions
 - name: geerlingguy.php
+ - name: geerlingguy.php-mysql
 - name: geerlingguy.composer
 - name: geerlingguy.nodejs
- tags: [nodejs]
+
+ pre_tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
 tasks:
 - name: Install packages
diff --git a/tools/ansible/requirements.yml b/tools/ansible/requirements.yml
index c044f90..f9afc29 100644
--- a/tools/ansible/requirements.yml
+++ b/tools/ansible/requirements.yml
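Review bot: The web play's `mysql_packages: [mariadb-client]` under `vars:` will not take effect, because `vars/provision_vars.yml` is loaded through `vars_files:` (which outranks play `vars:` in Ansible's precedence order) and, per the second provision_vars.yml hunk, still defines `mysql_packages` with `mariadb-server`; geerlingguy.mysql will therefore install a full MariaDB server on the web host, the opposite of what this split intends and an extra listening service there. Move `mysql_packages` (and `mysql_users`, if provision_vars.yml still defines it) out of the shared vars file into the db play's `vars:` or into group_vars/db.yml and group_vars/web.yml, as was already done for `firewall_allowed_tcp_ports` and `mysql_databases`. The db play sets `become: true` but the web play does not; add it to the web play for consistency so that play keeps working once root SSH is turned off. The private addresses `10.131.0.3` and `10.131.0.2` are literals here and `10.131.0.3` appears again in vars/deploy_vars.yml; a single variable per host (for example `db_private_ip`, a placeholder name) would keep the firewall rule, bind address, grant host and Drupal settings in step when a droplet is recreated. The web play's `tasks:` list continues past the end of the hunk.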
@@ -6,20 +6,22 @@
 - name: geerlingguy.certbot
 version: 3.0.3
 - name: geerlingguy.composer
- version: 1.7.3
+ version: 1.9.0
 - name: geerlingguy.firewall
- version: 2.4.3
+ version: 2.5.0
 - name: geerlingguy.mysql
- version: 2.9.4
+ version: 3.3.0
 - name: geerlingguy.nginx
 version: 2.7.0
 - name: geerlingguy.nodejs
 version: 5.1.1
 - name: geerlingguy.php
 version: 3.7.0
+- name: geerlingguy.php-mysql
+ version: 2.1.0
 - name: geerlingguy.php-versions
 version: 4.0.2
 - name: geerlingguy.security
- version: 1.9.0
+ version: 2.0.1
 - name: opdavies.drupal_settings_files
 version: 0.1.0
diff --git a/tools/ansible/vars/deploy_vars.yml b/tools/ansible/vars/deploy_vars.yml
index e31ac9d..3b7341a 100644
--- a/tools/ansible/vars/deploy_vars.yml
+++ b/tools/ansible/vars/deploy_vars.yml
@@ -10,7 +10,7 @@ ansistrano_shared_paths:
 # Hooks
 ansistrano_after_update_code_tasks_file: '{{ playbook_dir }}/deploy/after-update-code.yml'
-ansistrano_before_symlink_tasks_file: '{{ playbook_dir }}/deploy/before-symlink.yml'
+# ansistrano_before_symlink_tasks_file: '{{ playbook_dir }}/deploy/before-symlink.yml'
 app_hash_salt: '{{ vault_app_hash_salt }}'
@@ -41,11 +41,12 @@ drupal_settings:
 default:
 default:
 driver: mysql
- host: localhost
+ host: '10.131.0.3'
 database: oliverdavies_uk
 username: '{{ app_mysql_user }}'
 password: '{{ app_mysql_password }}'
 trusted_hosts:
+ - '^new-www\.oliverdavies\.uk$'
 - '^www\.oliverdavies\.uk$'
 extra_parameters: |
 $settings['deployment_identifier'] = '{{ ansistrano_release_version }}';
diff --git a/tools/ansible/vars/digitalocean_vars.yml b/tools/ansible/vars/digitalocean_vars.yml
index bcbda9a..b04e5f3 100644
--- a/tools/ansible/vars/digitalocean_vars.yml
+++ b/tools/ansible/vars/digitalocean_vars.yml
@@ -1,2 +1,3 @@
 ---
 digitalocean_api_key: '{{ vault_digitalocean_api_key }}'
+
\ No newline at end of file
diff --git a/tools/ansible/vars/digitalocean_vault.yml b/tools/ansible/vars/digitalocean_vault.yml
index 368b1b5..c5f4e08 100644
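Review bot: Commenting out `ansistrano_before_symlink_tasks_file` in the first deploy_vars.yml hunk leaves dead configuration with no explanation, and the commit message (splitting web and DB) does not say why the before-symlink hook is now skipped. Either delete the line, or keep it with a one-line reason such as `# Disabled: <reason> — re-enable once <condition>` (placeholders) so the next deploy change does not silently restore or drop it by guesswork.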
--- a/tools/ansible/vars/digitalocean_vault.yml
+++ b/tools/ansible/vars/digitalocean_vault.yml
@@ -1,10 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
-38626265316535333565366130303464633230616533393961636362643132343838323934666162
-6436353232363239643235393539653431336638646163350a653864623362306366663638333637
-36666339333530623764313261393665383561303735373565323461353766366635383835623466
-6535373364306131350a613165666565613033383064393436613265633665393266613863323766
-30383238333833376265373530663532363063623535663066313836306332383836353165643134
-62653737386231306361353365643962356663343631353634383436353631323131363333663439
-30393965666230663565613039333733626231353530336666306663336430346538636365386264
-61636563386434376363653738393838303735356235306437643132613732653633363538383535
-3866
+36643735336232646262626537363631353061356565346664643261663565633364323932653232
+6639396262393839643437626338343930316439623633330a616566646533343063333166383136
+39353532316166623361626133326135383833643030663634376464663838353064663538343162
+3536373232623235620a303465306339653663306564383335643166323934393264633532616437
+33313231343432643030366565313135653163363434323632613361623339643137343361643135
+65666364346566356136383830366334326133633766313130653639626362366138663032653962
+39386364613838646133656230356564663564633537376435336438346434633161646436623137
+30666239343832663764303830616264643538346665353963383734373265663233303934666363
+6461
diff --git a/tools/ansible/vars/provision_vars.yml b/tools/ansible/vars/provision_vars.yml
index 941bad1..1a32ceb 100644
--- a/tools/ansible/vars/provision_vars.yml
+++ b/tools/ansible/vars/provision_vars.yml
@@ -2,11 +2,6 @@
 security_ssh_permit_root_login: 'yes'
 security_ssh_port: 2849
-firewall_allowed_tcp_ports:
- - 80
- - 443
- - 2849
- php_default_version_debian: '{{ php_version }}'
 php_enable_php_fpm: true
 php_version: 7.4
@@ -27,10 +22,8 @@
 app_mysql_password: '{{ vault_app_mysql_password }}'
 mysql_packages:
 - mariadb-client
 - mariadb-server
- - python-mysqldb
+ - python3-mysqldb
-mysql_databases:
- - name: oliverdavies_uk
 nginx_remove_default_vhost: true
 nginx_server_tokens: 'off'
diff --git a/tools/ansible/vars/provision_vault.yml b/tools/ansible/vars/provision_vault.yml
index 04a10fe..ceb80f6 100644
--- a/tools/ansible/vars/provision_vault.yml
+++ b/tools/ansible/vars/provision_vault.yml
@@ -1,8 +1,8 @@
 $ANSIBLE_VAULT;1.1;AES256
-37323435316139613034653439366634303930666535356238643362336536373834323330333436
-3134306366616438356639643133616635643534333533380a633062313561316636333039636563
-38363362626333383232336362386361373131376537356239323063343966393833396537356634
-3733326435336263390a303461623761386330653836646231613231613438626330363030393435
-62323038326163343464363465373937336363363534623963643235623963626161666165656336
-32613564383833626639353430383833646438323633326665646437366364393163373564613437
-333564613838633963663231666133623332
+36356435393662666564623838386330353664316261396361313737643836373861333939353532
+3739663861643162313633383662333531346537633364300a306633383236343331623638316233
+37666263356433666263343337363633316664376230323335316165303462316236613264323333
+6137353437376362310a316537666564363665336166366236333039356533316236383732636436
+39333766306663346461633463336337663033366461383533376230386665643934653766326135
+31623831306137653331326664623432346661633833323435613562376164376632316261333239
+643633396466643464663439353935666466