From ff4b027814e8bbcd584497064e7db8fce3104763 Mon Sep 17 00:00:00 2001 
From: Oliver Davies Date: Sun, 14 Mar 2021 18:16:46 +0000 Subject: [PATCH] Re-add Ansible and DigitalOcean --- .platform.app.yaml | 126 ------------- .platform/routes.yaml | 10 -- .platform/services.yaml | 6 - tools/ansible/ansible.cfg | 10 ++ tools/ansible/deploy.yml | 12 ++ tools/ansible/deploy/after-update-code.yml | 38 ++++ tools/ansible/deploy/before-symlink.yml | 6 + tools/ansible/hosts.yml | 9 + tools/ansible/includes/build-theme-assets.yml | 19 ++ tools/ansible/main.yml | 3 + tools/ansible/provision.yml | 40 +++++ tools/ansible/requirements.yml | 27 +++ .../roles/drupal-permissions/tasks/main.yml | 29 +++ tools/ansible/vars/deploy_vars.yml | 69 +++++++ tools/ansible/vars/deploy_vault.yml | 19 ++ tools/ansible/vars/digitalocean_vars.yml | 3 + tools/ansible/vars/digitalocean_vault.yml | 10 ++ tools/ansible/vars/provision_vars.yml | 157 ++++++++++++++++ tools/ansible/vars/provision_vault.yml | 17 ++ tools/ansible/vars/vars.yml | 4 + web/sites/default/settings.platformsh.php | 170 ------------------ 21 files changed, 472 insertions(+), 312 deletions(-) delete mode 100644 .platform.app.yaml delete mode 100644 .platform/routes.yaml delete mode 100644 .platform/services.yaml create mode 100644 tools/ansible/ansible.cfg create mode 100644 tools/ansible/deploy.yml create mode 100644 tools/ansible/deploy/after-update-code.yml create mode 100644 tools/ansible/deploy/before-symlink.yml create mode 100644 tools/ansible/hosts.yml create mode 100644 tools/ansible/includes/build-theme-assets.yml create mode 100644 tools/ansible/main.yml create mode 100644 tools/ansible/provision.yml create mode 100644 tools/ansible/requirements.yml create mode 100644 tools/ansible/roles/drupal-permissions/tasks/main.yml create mode 100644 tools/ansible/vars/deploy_vars.yml create mode 100644 tools/ansible/vars/deploy_vault.yml create mode 100644 tools/ansible/vars/digitalocean_vars.yml create mode 100644 tools/ansible/vars/digitalocean_vault.yml create mode 100644 
tools/ansible/vars/provision_vars.yml create mode 100644 tools/ansible/vars/provision_vault.yml create mode 100644 tools/ansible/vars/vars.yml delete mode 100644 web/sites/default/settings.platformsh.php diff --git a/.platform.app.yaml b/.platform.app.yaml deleted file mode 100644 index c2ec3fc..0000000 --- a/.platform.app.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -name: 'app' -type: 'php:7.4' - -variables: - env: - NODE_VERSION: v14.13.1 - NVM_VERSION: v0.36.0 - -dependencies: - nodejs: - npm: 6.14.10 - php: - composer/composer: '^2' - -runtime: - extensions: - - redis - -relationships: - database: 'db:mysql' - redis: 'cache:redis' - -disk: 2048 - -mounts: - '/web/images': - source: local - source_path: 'files/images' - '/web/sites/default/files': - source: local - source_path: 'files' - '/tmp': - source: local - source_path: 'tmp' - '/private': - source: local - source_path: 'private' - '/.drush': - source: local - source_path: 'drush' - '/drush-backups': - source: local - source_path: 'drush-backups' - -build: - flavor: none - -hooks: - build: | - set -e - export PATH=/app/bin:$PATH - - curl -sS https://platform.sh/cli/installer | php - # source ~/.environment - - composer --no-ansi --no-interaction install --no-progress --prefer-dist --optimize-autoloader --no-dev - - # platform sql 'SELECT body_value FROM block_content__body UNION SELECT body_value FROM node__body' > /tmp/body-field-values.txt - - cd web/themes/custom/opdavies - - unset NPM_CONFIG_PREFIX - export NVM_DIR="$PLATFORM_APP_DIR/.nvm" - curl -f -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_VERSION/install.sh | bash - [ -s "$NVM_DIR/nvm.sh" ] && \. 
"$NVM_DIR/nvm.sh" - - npm clean-install - npm run production - rm -fr node_modules - - unset NPM_CONFIG_PREFIX - deploy: | - set -e - export PATH=/app/bin:$PATH - drush -y cache-rebuild - drush -y updatedb - drush -y config-import - -web: - locations: - '/': - root: 'web' - expires: 5m - passthru: '/index.php' - allow: false - rules: - '\.(jpe?g|png|gif|svgz?|css|js|map|ico|bmp|eot|woff2?|otf|ttf)$': - allow: true - '^/robots\.txt$': - allow: true - '^/sitemap\.xml$': - allow: true - '^/sites/sites\.php$': - scripts: false - '^/sites/[^/]+/settings.*?\.php$': - scripts: false - - '/sites/default/files': - allow: true - expires: 5m - passthru: '/index.php' - root: 'web/sites/default/files' - scripts: false - rules: - '^/sites/default/files/(css|js)': - expires: 2w - -crons: - drupal: - spec: '*/19 * * * *' - cmd: 'cd web && bin/drush core-cron' - - snapshot: - spec: '0 5 * * *' - cmd: | - if [ "$PLATFORM_BRANCH" = production ]; then - platform snapshot:create --yes --no-wait - fi - - renewcert: - # Force a redeploy at 5am (UTC) on the 1st and 15th of every month. - spec: '0 5 1,15 * *' - cmd: | - if [ "$PLATFORM_BRANCH" = production ]; then - platform redeploy --yes --no-wait - fi diff --git a/.platform/routes.yaml b/.platform/routes.yaml deleted file mode 100644 index cb9aaeb..0000000 --- a/.platform/routes.yaml +++ /dev/null @@ -1,10 +0,0 @@ -"https://www.{default}/": - type: upstream - upstream: "app:http" - cache: - enabled: true - cookies: ['/^SS?ESS/', '/^Drupal.visitor/'] - -"https://{default}/": - type: redirect - to: "https://www.{default}/" diff --git a/.platform/services.yaml b/.platform/services.yaml deleted file mode 100644 index 6ffaa3b..0000000 --- a/.platform/services.yaml +++ /dev/null @@ -1,6 +0,0 @@ -db: - type: mariadb:10.4 - disk: 2048 - -cache: - type: redis:6.0 diff --git a/tools/ansible/ansible.cfg b/tools/ansible/ansible.cfg new file mode 100644 index 0000000..ed8d947 --- /dev/null +++ b/tools/ansible/ansible.cfg 
@@ -0,0 +1,10 @@
+[defaults]
+bin_ansible_callbacks = True
+inventory = hosts.yml
+nocows = True
+roles_path = .roles
+stdout_callback = yaml
+verbosity = 1
+
+[ssh_connection]
+pipelining = True
diff --git a/tools/ansible/deploy.yml b/tools/ansible/deploy.yml
new file mode 100644
index 0000000..ae16fd9
--- /dev/null
+++ b/tools/ansible/deploy.yml
@@ -0,0 +1,12 @@
+---
+- hosts: web
+
+ vars_files:
+ - vars/vars.yml
+ - vars/provision_vault.yml
+ - vars/provision_vars.yml
+ - vars/deploy_vault.yml
+ - vars/deploy_vars.yml
+
+ roles:
+ - name: ansistrano.deploy
diff --git a/tools/ansible/deploy/after-update-code.yml b/tools/ansible/deploy/after-update-code.yml
new file mode 100644
index 0000000..4245e63
--- /dev/null
+++ b/tools/ansible/deploy/after-update-code.yml
@@ -0,0 +1,38 @@
+---
+- name: Install Composer dependencies
+ composer:
+ command: install
+ optimize_autoloader: true
+ working_dir: '{{ ansistrano_release_path.stdout }}'
+
+- name: Generate settings.php file
+ include_role:
+ name: opdavies.drupal_settings_files
+
+- name: Fix file permissions
+ include_role:
+ name: drupal-permissions
+
+- name: Clear Drush cache
+ command: >
+ {{ release_drush_path }}
+ cache-clear drush
+ chdir={{ release_web_path }}
+ changed_when: false
+
+- name: Run database updates
+ command: >
+ {{ release_drush_path }}
+ updatedb -y
+ chdir={{ release_web_path }}
+ register: update_database_result
+ changed_when: "'No pending updates' not in update_database_result.stderr"
+
+- name: Import configuration
+ command: >
+ {{ release_drush_path }} config-import -y
+ chdir={{ release_web_path }}
+ register: config_import_result
+ changed_when: "'There are no changes to import' not in config_import_result.stderr"
+
+- include: ../includes/build-theme-assets.yml
diff --git a/tools/ansible/deploy/before-symlink.yml b/tools/ansible/deploy/before-symlink.yml
new file mode 100644
index 0000000..48fbdc3
--- /dev/null
+++ b/tools/ansible/deploy/before-symlink.yml
@@ -0,0 +1,6 @@
+---
+- name: Rebuild Drupal cache
+ command: >
+ {{ release_drush_path }} cache-rebuild
+ chdir={{ release_web_path }}
+ changed_when: false
diff --git a/tools/ansible/hosts.yml b/tools/ansible/hosts.yml
new file mode 100644
index 0000000..66892eb
--- /dev/null
+++ b/tools/ansible/hosts.yml
@@ -0,0 +1,9 @@
+all:
+ children:
+ web:
+ hosts:
+ 138.68.145.217:
+ vars:
+ ansible_port: 2849
+ ansible_python_interpreter: /usr/bin/python3
+ ansible_user: root
diff --git a/tools/ansible/includes/build-theme-assets.yml b/tools/ansible/includes/build-theme-assets.yml
new file mode 100644
index 0000000..206179e
--- /dev/null
+++ b/tools/ansible/includes/build-theme-assets.yml
@@ -0,0 +1,19 @@
+---
+- name: Install theme dependencies
+ command: >
+ npm ci
+ chdir={{ release_theme_path }}
+ creates={{ release_theme_path }}/node_modules
+
+- name: Generate front-end assets
+ command: >
+ npm run production
+ chdir={{ release_theme_path }}
+ creates={{ release_theme_path }}/dist
+
+- name: Remove files that are no longer needed
+ file:
+ path: "{{ release_theme_path }}/{{ item }}"
+ state: absent
+ with_items:
+ - node_modules
diff --git a/tools/ansible/main.yml b/tools/ansible/main.yml
new file mode 100644
index 0000000..139c08f
--- /dev/null
+++ b/tools/ansible/main.yml
@@ -0,0 +1,3 @@
+---
+- import_playbook: provision.yml
+- import_playbook: deploy.yml
diff --git a/tools/ansible/provision.yml b/tools/ansible/provision.yml
new file mode 100644
index 0000000..7a00087
--- /dev/null
+++ b/tools/ansible/provision.yml
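Review bot: `ansible_user: root` in tools/ansible/hosts.yml means every provision and deploy run is a direct root SSH session, and tools/ansible/vars/provision_vars.yml keeps that possible with `security_ssh_permit_root_login: 'yes'`. A dedicated deploy account with `become: true` on the plays, followed by `security_ssh_permit_root_login: 'no'`, would limit what a leaked deploy key can do. The inventory also commits the origin address and SSH port to the repository. deploy_vars.yml configures the site as sitting behind Cloudflare, so consider keeping the host entry in an untracked or vaulted inventory.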
@@ -0,0 +1,40 @@
+---
+- hosts: web
+
+ vars_files:
+ - vars/vars.yml
+ - vars/provision_vault.yml
+ - vars/provision_vars.yml
+
+ roles:
+ - name: geerlingguy.firewall
+ - name: geerlingguy.security
+ - name: geerlingguy.certbot
+ - name: geerlingguy.nginx
+ - name: geerlingguy.php-versions
+ - name: geerlingguy.php
+ - name: geerlingguy.php-mysql
+ - name: geerlingguy.composer
+ - name: geerlingguy.nodejs
+
+ pre_tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+
+ tasks:
+ - name: Install packages
+ package:
+ name: [curl, zip]
+ state: present
+
+ - name: Add cron jobs
+ cron:
+ name: Drupal cron - oliverdavies.uk
+ minute: '*/5'
+ job: >
+ {{ project_root_path }}/{{ ansistrano_current_dir }}/bin/drush core-cron
+ --root={{ project_root_path }}/{{ ansistrano_current_dir }}/{{ project_web_dir }}
+ --uri https://www.oliverdavies.uk
+ --quiet
diff --git a/tools/ansible/requirements.yml b/tools/ansible/requirements.yml
new file mode 100644
index 0000000..593c7d4
--- /dev/null
+++ b/tools/ansible/requirements.yml
@@ -0,0 +1,27 @@
+---
+- name: ansistrano.deploy
+ version: 3.4.0
+- name: ansistrano.rollback
+ version: 3.0.0
+- name: geerlingguy.certbot
+ version: 3.0.3
+- name: geerlingguy.composer
+ version: 1.9.0
+- name: geerlingguy.firewall
+ version: 2.5.0
+- name: geerlingguy.mysql
+ version: 3.3.0
+- name: geerlingguy.nginx
+ version: 2.7.0
+- name: geerlingguy.nodejs
+ version: 5.1.1
+- name: geerlingguy.php
+ version: 3.7.0
+- name: geerlingguy.php-mysql
+ version: 2.1.0
+- name: geerlingguy.php-versions
+ version: 4.0.2
+- name: geerlingguy.security
+ version: 2.0.1
+- name: opdavies.drupal_settings_files
+ version: 0.2.0
diff --git a/tools/ansible/roles/drupal-permissions/tasks/main.yml b/tools/ansible/roles/drupal-permissions/tasks/main.yml
new file mode 100644
index 0000000..021a8f5
--- /dev/null
+++ b/tools/ansible/roles/drupal-permissions/tasks/main.yml
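Review bot: The `Add cron jobs` task in tools/ansible/provision.yml sets no `user:`, so the entry goes into the crontab of the connecting account, which hosts.yml sets to root. Drupal cron would then run site and contributed-module PHP as root every five minutes. Adding `user: www-data` to the `cron:` arguments would keep that code unprivileged. This assumes www-data can read the release and write the files directory, which the drupal-permissions role's `group: www-data` settings suggest.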
@@ -0,0 +1,29 @@
+---
+- name: Set the permissions for each Drupal root directory.
+ file:
+ group: www-data
+ mode: ug=rX,o=
+ owner: "{{ drupal_permissions.user }}"
+ path: "{{ item.root }}"
+ recurse: true
+ state: directory
+ with_items: "{{ drupal_permissions.sites }}"
+
+- name: Set permissions for the defined settings files.
+ file:
+ mode: a-X
+ path: "{{ item.0.root }}/{{ item.1 }}"
+ state: file
+ with_subelements:
+ - "{{ drupal_permissions.sites }}"
+ - settings_files
+
+- name: Set permissions for the defined files directories.
+ file:
+ mode: ug=rwX,o=
+ path: "{{ item.0.root }}/{{ item.1 }}"
+ recurse: true
+ state: directory
+ with_subelements:
+ - "{{ drupal_permissions.sites }}"
+ - files_directories
diff --git a/tools/ansible/vars/deploy_vars.yml b/tools/ansible/vars/deploy_vars.yml
new file mode 100644
index 0000000..6321b76
--- /dev/null
+++ b/tools/ansible/vars/deploy_vars.yml
@@ -0,0 +1,69 @@
+---
+ansistrano_allow_anonymous_stats: false
+ansistrano_deploy_via: git
+ansistrano_deploy_to: '{{ project_root_path }}'
+ansistrano_git_repo: git@github.com:opdavies/oliverdavies-uk.git
+ansistrano_git_branch: production
+ansistrano_keep_releases: 5
+ansistrano_shared_paths:
+ - '{{ project_web_dir }}/sites/default/files'
+
+# Hooks
+ansistrano_after_update_code_tasks_file: '{{ playbook_dir }}/deploy/after-update-code.yml'
+# ansistrano_before_symlink_tasks_file: '{{ playbook_dir }}/deploy/before-symlink.yml'
+
+app_hash_salt: '{{ vault_app_hash_salt }}'
+
+integromat_webhook_url: '{{ vault_integromat_webhook_url }}'
+post_tweet_webhook_url: '{{ vault_post_tweet_webhook_url }}'
+
+release_drush_path: '{{ ansistrano_release_path.stdout }}/bin/drush'
+release_web_path: '{{ ansistrano_release_path.stdout }}/{{ project_web_dir }}'
+release_theme_path: '{{ release_web_path }}/themes/custom/opdavies'
+
+drupal_permissions:
+ sites:
+ - root: "{{ release_web_path }}"
+ files_directories:
+ - sites/default/files
+ settings_files:
+ - sites/default/settings.php
+ - sites/default/settings.local.php
+ user: root
+
+drupal_settings:
+ - drupal_root: '{{ release_web_path }}'
+ sites:
+ - name: default
+ filename: settings.local.php
+ settings:
+ hash_salt: '{{ app_hash_salt }}'
+ databases:
+ default:
+ default:
+ database: '{{ app_mysql_database }}'
+ driver: mysql
+ host: '{{ app_mysql_host }}'
+ password: '{{ app_mysql_password }}'
+ port: '{{ app_mysql_port }}'
+ username: '{{ app_mysql_user }}'
+ trusted_hosts:
+ - '^www\.oliverdavies\.uk$'
+ extra_parameters: |
+ $settings['deployment_identifier'] = '{{ ansistrano_release_version }}';
+
+ $settings['config_exclude_modules'] = [
+ 'devel',
+ 'stage_file_proxy',
+ ];
+
+ $config['config_split.config_split.live']['status'] = TRUE;
+
+ // Configure Cloudflare.
+ $settings['reverse_proxy'] = TRUE;
+ $settings['reverse_proxy_addresses'] = [$_SERVER['REMOTE_ADDR']];
+ $settings['reverse_proxy_header'] = 'CF-Connecting-IP';
+ $settings['omit_vary_cookie'] = TRUE;
+
+ $config['opdavies_blog.settings']['integromat_webhook_url'] = '{{ integromat_webhook_url }}';
+ $config['opdavies_blog.settings']['post_tweet_webhook_url'] = '{{ post_tweet_webhook_url }}';
diff --git a/tools/ansible/vars/deploy_vault.yml b/tools/ansible/vars/deploy_vault.yml
new file mode 100644
index 0000000..272a2ff
--- /dev/null
+++ b/tools/ansible/vars/deploy_vault.yml
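Review bot: `$settings['reverse_proxy_addresses'] = [$_SERVER['REMOTE_ADDR']];` in the `extra_parameters` block of tools/ansible/vars/deploy_vars.yml treats whichever peer opened the connection as a trusted proxy, so the client address Drupal records is whatever the request's `CF-Connecting-IP` header claims. provision_vars.yml opens 80 and 443 without a source restriction, so a request that reaches the origin without passing through Cloudflare can supply that header itself. That weakens flood control, IP bans and log attribution. Replace the `$_SERVER['REMOTE_ADDR']` entry with Cloudflare's published address ranges, held in a variable so they can be refreshed, or restrict 80/443 to those ranges at the firewall.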
@@ -0,0 +1,19 @@ +$ANSIBLE_VAULT;1.1;AES256 +30653362663533616334373532653633363838333932666137633662313431303763646433366238 +3464333531326134626361396661306130373461633536630a653637366565366462313335623561 +63653563653533306436663335623961343539366566633730306638323833373261363063363538 +3163326166353836300a373466646366663333353165323035613533636138383162663562343231 +38353362316136316434373362633839323135666536326662643666303838393635626333373339 +63313035633161626534323862346230386461363766666263323964666261636238333631393862 +30383638613964313165623732383866333064366136663131396166363737653961646166663664 +32346461396537663639303665646639636265646164373066633638396661323463343165633064 +66653734356463656462346364336262643761323935646331363864623865316631623239616136 +33616262663134323434316533303234643336616434393638393436396439346266353035343931 +61336366396237653235653834396237366664303737373766323230336162303763623761633836 +63326264643737333064363163353762326636646462363466343334353266303936616163326238 +65313235643866323730386363656233333132633837613235643237623130383334646439303839 +33383633653334643865623231333836383262303933303032653538636465663938623562336661 +63643435373161666331663861646431613236646564316238623736353762303533653835383230 +65306231303330376432306664623938386563646434633039313237643239316136656262346562 +63313462316338656137613634343034393534646162363464373830623335353564376338623636 +6630623238373438363732333834646432633435366165363066 diff --git a/tools/ansible/vars/digitalocean_vars.yml b/tools/ansible/vars/digitalocean_vars.yml new file mode 100644 index 0000000..b04e5f3 --- /dev/null +++ b/tools/ansible/vars/digitalocean_vars.yml @@ -0,0 +1,3 @@ +--- +digitalocean_api_key: '{{ vault_digitalocean_api_key }}' + \ No newline at end of file diff --git a/tools/ansible/vars/digitalocean_vault.yml b/tools/ansible/vars/digitalocean_vault.yml new file mode 100644 index 0000000..c5f4e08 --- /dev/null 
+++ b/tools/ansible/vars/digitalocean_vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +36643735336232646262626537363631353061356565346664643261663565633364323932653232 +6639396262393839643437626338343930316439623633330a616566646533343063333166383136 +39353532316166623361626133326135383833643030663634376464663838353064663538343162 +3536373232623235620a303465306339653663306564383335643166323934393264633532616437 +33313231343432643030366565313135653163363434323632613361623339643137343361643135 +65666364346566356136383830366334326133633766313130653639626362366138663032653962 +39386364613838646133656230356564663564633537376435336438346434633161646436623137 +30666239343832663764303830616264643538346665353963383734373265663233303934666363 +6461 diff --git a/tools/ansible/vars/provision_vars.yml b/tools/ansible/vars/provision_vars.yml new file mode 100644 index 0000000..1e05706 --- /dev/null +++ b/tools/ansible/vars/provision_vars.yml 
@@ -0,0 +1,157 @@ +--- +security_ssh_permit_root_login: 'yes' +security_ssh_port: 2849 + +php_default_version_debian: '{{ php_version }}' +php_enable_php_fpm: true +php_version: 7.4 +php_webserver_daemon: nginx +php_packages: + - 'php{{ php_version }}-cli' + - 'php{{ php_version }}-common' + - 'php{{ php_version }}-fpm' + - 'php{{ php_version }}-gd' + - 'php{{ php_version }}-mbstring' + - 'php{{ php_version }}-mysql' + - 'php{{ php_version }}-pdo' + - 'php{{ php_version }}-xml' + +app_mysql_database: '{{ vault_app_mysql_database }}' +app_mysql_host: '{{ vault_app_mysql_host }}' +app_mysql_password: '{{ vault_app_mysql_password }}' +app_mysql_port: '{{ vault_app_mysql_port }}' +app_mysql_user: '{{ vault_app_mysql_user }}' + +mysql_packages: + - mysql-client + - python3-mysqldb +mysql_users: [] + +nginx_remove_default_vhost: true +nginx_server_tokens: 'off' +nginx_vhosts: + - listen: 80 default_server + server_name: oliverdavies.uk www.oliverdavies.uk + return: 301 https://www.oliverdavies.uk$request_uri + filename: www.oliverdavies.uk.80.conf + + - listen: 443 ssl + server_name: oliverdavies.uk + return: 301 https://www.oliverdavies.uk$request_uri + filename: oliverdavies.uk.443.conf + extra_parameters: | + ssl_certificate /etc/letsencrypt/live/oliverdavies.uk/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oliverdavies.uk/privkey.pem; + + - listen: 443 ssl default_server + server_name: www.oliverdavies.uk + root: '{{ project_root_path }}/{{ ansistrano_current_dir }}/{{ project_web_dir }}' + index: index.php index.html + extra_parameters: | + ssl_certificate /etc/letsencrypt/live/oliverdavies.uk/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oliverdavies.uk/privkey.pem; + + location ~ ^/images/(.*) { + return 301 /sites/default/files/images/$1; + } + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Very rarely should these ever be 
accessed outside of your lan + location ~* \.(txt|log)$ { + allow 192.168.0.0/16; + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ ^/sites/.*/private/ { + return 403; + } + + # Block access to scripts in site files directory + location ~ ^/sites/[^/]+/files/.*\.php$ { + deny all; + } + + # Allow "Well-Known URIs" as per RFC 5785 + location ~* ^/.well-known/ { + allow all; + } + + # Block access to "hidden" files and directories whose names begin with a + # period. This includes directories used by version control systems such + # as Subversion or Git to store control files. + location ~ (^|/)\. { + return 403; + } + + location / { + try_files $uri /index.php?$query_string; # For Drupal >= 7 + } + + location @rewrite { + rewrite ^/(.*)$ /index.php?q=$1; + } + + # Don't allow direct access to PHP files in the vendor directory. + location ~ /vendor/.*\.php$ { + deny all; + return 404; + } + + location ~ '\.php$|^/update.php' { + try_files $uri =404; + fastcgi_split_path_info ^(.+?\.php)(|/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $query_string; + fastcgi_intercept_errors on; + fastcgi_pass localhost:9000; + } + + # Fighting with Styles? This little gem is amazing. + # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6 + location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7 + try_files $uri @rewrite; + } + + # Handle private files through Drupal. 
+ location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 + try_files $uri /index.php?$query_string; + } + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + try_files $uri @rewrite; + expires max; + log_not_found off; + } + + # Enforce clean URLs + if ($request_uri ~* "^(.*/)index\.php(.*)") { + return 307 $1$2; + } + +certbot_create_if_missing: true +certbot_create_method: standalone +certbot_admin_email: oliver+certbot@oliverdavies.uk +certbot_certs: + - domains: + - oliverdavies.uk + - www.oliverdavies.uk + +composer_version_branch: '--1' + +firewall_allowed_tcp_ports: [80, 443, 22, 2849] diff --git a/tools/ansible/vars/provision_vault.yml b/tools/ansible/vars/provision_vault.yml new file mode 100644 index 0000000..cc7c92b --- /dev/null +++ b/tools/ansible/vars/provision_vault.yml @@ -0,0 +1,17 @@ +$ANSIBLE_VAULT;1.1;AES256 +38643961326665613966373635633766616361643263616137396238663431656462636166393631 +3635306262613533623337353730633434363364316361370a346333363738346430306539323133 +66396266643832323630666334343664303438613566373266353236333233323166643435663561 +6566623833343630350a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diff --git a/tools/ansible/vars/vars.yml b/tools/ansible/vars/vars.yml new file mode 100644 index 0000000..99ac466 --- /dev/null +++ b/tools/ansible/vars/vars.yml @@ -0,0 +1,4 @@ +--- +ansistrano_current_dir: current +project_root_path: /srv/oliverdavies-uk +project_web_dir: web diff --git a/web/sites/default/settings.platformsh.php b/web/sites/default/settings.platformsh.php deleted file mode 100644 index adf5ec9..0000000 --- a/web/sites/default/settings.platformsh.php +++ /dev/null 
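Review bot: `firewall_allowed_tcp_ports: [80, 443, 22, 2849]` in tools/ansible/vars/provision_vars.yml still opens port 22 even though `security_ssh_port: 2849` moves sshd off it. Once nothing listens on 22 the list can shrink to `firewall_allowed_tcp_ports: [80, 443, 2849]`. Separately, both `443 ssl` vhosts set only the certificate paths in `extra_parameters`, so protocol selection is left to defaults unless the nginx role's main config already pins it. An explicit `ssl_protocols TLSv1.2 TLSv1.3;` would make the intent visible here.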
@@ -1,170 +0,0 @@ -hasRelationship('database')) { - $creds = $platformsh->credentials('database'); - $databases['default']['default'] = [ - 'driver' => $creds['scheme'], - 'database' => $creds['path'], - 'username' => $creds['username'], - 'password' => $creds['password'], - 'host' => $creds['host'], - 'port' => $creds['port'], - 'pdo' => [PDO::MYSQL_ATTR_COMPRESS => !empty($creds['query']['compression'])] - ]; -} - -// Enable verbose error messages on development branches, but not on the production branch. -// You may add more debug-centric settings here if desired to have them automatically enable -// on development but not production. -if (isset($platformsh->branch)) { - // Production type environment. - if ($platformsh->branch == 'master' || $platformsh->onDedicated()) { - $config['system.logging']['error_level'] = 'hide'; - } // Development type environment. - else { - $config['system.logging']['error_level'] = 'verbose'; - } -} - -// Enable Redis caching. -if ($platformsh->hasRelationship('redis') && !InstallerKernel::installationAttempted() && extension_loaded('redis') && class_exists('Drupal\redis\ClientFactory')) { - $redis = $platformsh->credentials('redis'); - - // Set Redis as the default backend for any cache bin not otherwise specified. - $settings['cache']['default'] = 'cache.backend.redis'; - $settings['redis.connection']['host'] = $redis['host']; - $settings['redis.connection']['port'] = $redis['port']; - - // Apply changes to the container configuration to better leverage Redis. - // This includes using Redis for the lock and flood control systems, as well - // as the cache tag checksum. Alternatively, copy the contents of that file - // to your project-specific services.yml file, modify as appropriate, and - // remove this line. - $settings['container_yamls'][] = 'modules/contrib/redis/example.services.yml'; - - // Allow the services to work before the Redis module itself is enabled. 
- $settings['container_yamls'][] = 'modules/contrib/redis/redis.services.yml'; - - // Manually add the classloader path, this is required for the container cache bin definition below - // and allows to use it without the redis module being enabled. - $class_loader->addPsr4('Drupal\\redis\\', 'modules/contrib/redis/src'); - - // Use redis for container cache. - // The container cache is used to load the container definition itself, and - // thus any configuration stored in the container itself is not available - // yet. These lines force the container cache to use Redis rather than the - // default SQL cache. - $settings['bootstrap_container_definition'] = [ - 'parameters' => [], - 'services' => [ - 'redis.factory' => [ - 'class' => 'Drupal\redis\ClientFactory', - ], - 'cache.backend.redis' => [ - 'class' => 'Drupal\redis\Cache\CacheBackendFactory', - 'arguments' => ['@redis.factory', '@cache_tags_provider.container', '@serialization.phpserialize'], - ], - 'cache.container' => [ - 'class' => '\Drupal\redis\Cache\PhpRedis', - 'factory' => ['@cache.backend.redis', 'get'], - 'arguments' => ['container'], - ], - 'cache_tags_provider.container' => [ - 'class' => 'Drupal\redis\Cache\RedisCacheTagsChecksum', - 'arguments' => ['@redis.factory'], - ], - 'serialization.phpserialize' => [ - 'class' => 'Drupal\Component\Serialization\PhpSerialize', - ], - ], - ]; -} - -if ($platformsh->inRuntime()) { - // Configure private and temporary file paths. - if (!isset($settings['file_private_path'])) { - $settings['file_private_path'] = $platformsh->appDir . '/private'; - } - if (!isset($settings['file_temp_path'])) { - $settings['file_temp_path'] = $platformsh->appDir . '/tmp'; - } - - // Configure the default PhpStorage and Twig template cache directories. 
- if (!isset($settings['php_storage']['default'])) { - $settings['php_storage']['default']['directory'] = $settings['file_private_path']; - } - if (!isset($settings['php_storage']['twig'])) { - $settings['php_storage']['twig']['directory'] = $settings['file_private_path']; - } - - // Set the project-specific entropy value, used for generating one-time - // keys and such. - $settings['hash_salt'] = $settings['hash_salt'] ?? $platformsh->projectEntropy; - - // Set the deployment identifier, which is used by some Drupal cache systems. - $settings['deployment_identifier'] = $settings['deployment_identifier'] ?? $platformsh->treeId; -} - -// The 'trusted_hosts_pattern' setting allows an admin to restrict the Host header values -// that are considered trusted. If an attacker sends a request with a custom-crafted Host -// header then it can be an injection vector, depending on how the Host header is used. -// However, Platform.sh already replaces the Host header with the route that was used to reach -// Platform.sh, so it is guaranteed to be safe. The following line explicitly allows all -// Host headers, as the only possible Host header is already guaranteed safe. -$settings['trusted_host_patterns'] = ['.*']; - -// Import variables prefixed with 'd8settings:' into $settings -// and 'd8config:' into $config. -foreach ($platformsh->variables() as $name => $value) { - $parts = explode(':', $name); - list($prefix, $key) = array_pad($parts, 3, null); - switch ($prefix) { - // Variables that begin with `d8settings` or `drupal` get mapped - // to the $settings array verbatim, even if the value is an array. - // For example, a variable named d8settings:example-setting' with - // value 'foo' becomes $settings['example-setting'] = 'foo'; - case 'd8settings': - case 'drupal': - $settings[$key] = $value; - break; - // Variables that begin with `d8config` get mapped to the $config - // array. 
Deeply nested variable names, with colon delimiters, - // get mapped to deeply nested array elements. Array values - // get added to the end just like a scalar. Variables without - // both a config object name and property are skipped. - // Example: Variable `d8config:conf_file:prop` with value `foo` becomes - // $config['conf_file']['prop'] = 'foo'; - // Example: Variable `d8config:conf_file:prop:subprop` with value `foo` becomes - // $config['conf_file']['prop']['subprop'] = 'foo'; - // Example: Variable `d8config:conf_file:prop:subprop` with value ['foo' => 'bar'] becomes - // $config['conf_file']['prop']['subprop']['foo'] = 'bar'; - // Example: Variable `d8config:prop` is ignored. - case 'd8config': - if (count($parts) > 2) { - $temp = &$config[$key]; - foreach (array_slice($parts, 2) as $n) { - $prev = &$temp; - $temp = &$temp[$n]; - } - $prev[$n] = $value; - } - break; - } -} - -if (!empty($_ENV['PLATFORM_BRANCH'])) { - switch ($_ENV['PLATFORM_BRANCH']) { - case 'production': - $config['config_split.config_split.live']['status'] = TRUE; - break; - } -}