Add Ansible playbook for deployments

2020-02-07 07:43:17 +00:00 · 2020-02-07 07:43:17 +00:00 · f2e458ca13
commit f2e458ca13
parent 4299ca3ae7
14 changed files with 293 additions and 12 deletions
--- a/tools/ansible/vars/deploy_vars.yml
+++ b/tools/ansible/vars/deploy_vars.yml
@ -0,0 +1,36 @@
+---
+ansistrano_allow_anonymous_stats: false
+ansistrano_deploy_via: git
+ansistrano_deploy_to: '{{ project_root_path }}'
+ansistrano_git_identity_key_path: '{{ playbook_dir }}/id_deploy'
+ansistrano_git_repo: git@github.com:opdavies/oliverdavies-uk.git
+ansistrano_git_branch: master
+ansistrano_keep_releases: 5
+ansistrano_shared_paths:
+  - '{{ project_web_dir }}/sites/default/files'
+
+# Hooks
+ansistrano_after_symlink_shared_tasks_file: '{{ playbook_dir }}/deploy/after-symlink-shared.yml'
+ansistrano_after_update_code_tasks_file: '{{ playbook_dir }}/deploy/after-update-code.yml'
+
+app_hash_salt: '{{ vault_app_hash_salt }}'
+
+drupal_settings:
+  - drupal_root: '{{ ansistrano_release_path.stdout }}/{{ project_web_dir }}'
+    sites:
+      - name: default
+        settings:
+          base_url: http://d8.oliverdavies.uk
+          hash_salt: '{{ app_hash_salt }}'
+          databases:
+            default:
+              default:
+                driver: mysql
+                host: localhost
+                database: oliverdavies_uk
+                username: '{{ app_mysql_user }}'
+                password: '{{ app_mysql_password }}'
+          config_directories:
+            sync: ../config/sync
+          trusted_hosts:
+            - '^d8\.oliverdavies\.uk$'
--- a/tools/ansible/vars/deploy_vault.yml
+++ b/tools/ansible/vars/deploy_vault.yml
@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+39323539326634383533336262633230666630366666363935643462306538366338666436663235
+6231616134366432633965376535303635396134333661640a393961633431383165653439343436
+39303333346162386436393133303633636565323730643732396431623464623631396138343434
+3166346130643937340a343433393831396638643434653933343033353430326633376333396462
+66363461363435373462643037353661346435383336336137613837633933393931613833313037
+33393064383939666335323733346164643036366232656362326461373031303365386266663133
+343633356331333831633730396562616634
--- a/tools/ansible/vars/provision_vars.yml
+++ b/tools/ansible/vars/provision_vars.yml
@ -34,27 +34,91 @@ nginx_vhosts:
    root: '{{ project_root_path }}/{{ ansistrano_current_dir }}/{{ project_web_dir }}'
    index: index.php
    extra_parameters: |
+      location = /favicon.ico {
+          log_not_found off;
+          access_log off;
+      }
+
+      location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+      }
+
+      # Very rarely should these ever be accessed outside of your lan
+      location ~* \.(txt|log)$ {
+          allow 192.168.0.0/16;
+          deny all;
+      }
+
+      location ~ \..*/.*\.php$ {
+          return 403;
+      }
+
+      location ~ ^/sites/.*/private/ {
+          return 403;
+      }
+
+      # Block access to scripts in site files directory
+      location ~ ^/sites/[^/]+/files/.*\.php$ {
+          deny all;
+      }
+
+      # Allow "Well-Known URIs" as per RFC 5785
+      location ~* ^/.well-known/ {
+          allow all;
+      }
+
+      # Block access to "hidden" files and directories whose names begin with a
+      # period. This includes directories used by version control systems such
+      # as Subversion or Git to store control files.
+      location ~ (^|/)\. {
+          return 403;
+      }
+
      location / {
-        try_files $uri /index.php?$query_string;
+          try_files $uri /index.php?$query_string; # For Drupal >= 7
      }

      location @rewrite {
-        rewrite ^/(.*)$ /index.php?q=$1;
+          rewrite ^/(.*)$ /index.php?q=$1;
      }

      # Don't allow direct access to PHP files in the vendor directory.
      location ~ /vendor/.*\.php$ {
-        deny all;
-        return 404;
+          deny all;
+          return 404;
      }

      location ~ '\.php$|^/update.php' {
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-        fastcgi_param QUERY_STRING $query_string;
-        fastcgi_intercept_errors on;
-        fastcgi_pass localhost:9000;
+          try_files $uri =404;
+          fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+          include fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+          fastcgi_param QUERY_STRING $query_string;
+          fastcgi_intercept_errors on;
+          fastcgi_pass localhost:9000;
+      }
+
+      # Fighting with Styles? This little gem is amazing.
+      # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
+      location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
+          try_files $uri @rewrite;
+      }
+
+      # Handle private files through Drupal.
+      location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
+          try_files $uri /index.php?$query_string;
+      }
+
+      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+          try_files $uri @rewrite;
+          expires max;
+          log_not_found off;
+      }
+
+      # Enforce clean URLs
+      if ($request_uri ~* "^(.*/)index\.php(.*)") {
+          return 307 $1$2;
      }