---
#==============================================================================
# Base installation
#==============================================================================
#------------------------------
# db-*
#------------------------------
- hosts: "db-*"
  # Every host whose name matches db-* gets a PostgreSQL server plus psycopg2,
  # the driver Ansible's postgresql_* modules rely on.
  # No sudo/remote_user is set on this play, so apt, pip and service run as
  # the connecting user -- presumably root; confirm against the inventory.
  tasks:
    - name: Install system packages
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - postgresql
        - libpq-dev
        - python-pip
        - python-dev

    # NOTE(review): psycopg2 is installed system-wide with no version given,
    # so each fresh host gets whatever release the package index serves at
    # that moment. Pinning a version would make installs reproducible.
    - name: Install python packages
      pip:
        name: "{{ item }}"
      with_items:
        - psycopg2

    # Unnamed task: make sure the PostgreSQL service is running.
    - service:
        name: postgresql
        state: started
#------------------------------
# db-secret
#------------------------------
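- hosts: db-secret
  # Creates the "secret" database, its owning role and that role's grants.
  # Tasks run as the postgres OS user via sudo -- presumably so the modules
  # can reach the local server without a password; confirm pg_hba.conf.
  sudo: true
  sudo_user: postgres
  tasks:
    - name: Create the secret database
      postgresql_db:
        name: secret

    # The role password used to be the literal string "secret", identical to
    # the role and database name and readable by anyone with the repository.
    # It is now taken from db_secret_password, which should be supplied from
    # an encrypted vars file or another secret store. The fallback reproduces
    # the old value so existing inventories keep working; remove it once the
    # variable is defined everywhere.
    # NOTE(review): the password can show up in verbose task output; consider
    # no_log on this task if the Ansible version in use supports it.
    - name: Create the secret role
      postgresql_user:
        name: secret
        db: secret
        password: "{{ db_secret_password | default('secret') }}"

    # NOTE(review): grants ALL privileges on ALL_IN_SCHEMA. Object type and
    # schema are not set here, so the module defaults decide them. If the
    # consumer only needs to read or write rows, a narrower privs list would
    # limit what a leaked credential can do.
    - name: Grant the secret role its privileges
      postgresql_privs:
        db: secret
        roles: secret
        privs: ALL
        objs: ALL_IN_SCHEMA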
#------------------------------
# db-app
#------------------------------
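- hosts: db-app
  # Creates the "app" database, its owning role and that role's grants.
  # Tasks run as the postgres OS user via sudo -- presumably so the modules
  # can reach the local server without a password; confirm pg_hba.conf.
  sudo: true
  sudo_user: postgres
  tasks:
    - name: Create the app database
      postgresql_db:
        name: app

    # The role password used to be the literal string "app", identical to the
    # role and database name and readable by anyone with the repository. It
    # is now taken from db_app_password, which should be supplied from an
    # encrypted vars file or another secret store. The fallback reproduces
    # the old value so existing inventories keep working; remove it once the
    # variable is defined everywhere.
    # NOTE(review): the password can show up in verbose task output; consider
    # no_log on this task if the Ansible version in use supports it.
    - name: Create the app role
      postgresql_user:
        name: app
        db: app
        password: "{{ db_app_password | default('app') }}"

    # NOTE(review): grants ALL privileges on ALL_IN_SCHEMA. Object type and
    # schema are not set here, so the module defaults decide them. A narrower
    # privs list would limit what a leaked credential can do.
    - name: Grant the app role its privileges
      postgresql_privs:
        db: app
        roles: app
        privs: ALL
        objs: ALL_IN_SCHEMA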
#------------------------------
# rabbit
#------------------------------
- hosts: rabbit
  tasks:
    # Install the broker from the distribution package. No state is given,
    # so the apt module default applies, as in the original one-line form.
    - apt:
        name: rabbitmq-server

    # NOTE(review): this play only installs and starts RabbitMQ. Accounts,
    # listeners and TLS are not configured here, so the package defaults
    # apply -- confirm they are acceptable for the network this host sits on.
    - service:
        name: rabbitmq-server
        state: started
#------------------------------
# worker
#------------------------------
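- hosts: worker
  # Prepares a worker host: the "worker" account, build and browser packages,
  # a virtual X display (Xvfb) and an x11vnc server attached to it.
  # No sudo/remote_user is set on this play, so tasks run as the connecting
  # user -- presumably root; confirm against the inventory.
  tasks:
    # Account the application-code play later logs in as (remote_user).
    - name: worker user
      user:
        name: worker
        comment: Bank Access Worker
        append: true
        home: /home/worker

    # XXX I don't like manually keeping this up to date from the Dockerfile
    # in the bank-access repo.  Perhaps I'll convert the Dockerfile to an
    # ansible role.
    - name: Install system packages
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - python-dev
        - python-virtualenv
        - build-essential
        - git
        - libsqlite3-dev
        - curl
        - libz-dev
        - libxml2-dev
        - libxslt1-dev
        - x11vnc
        - xvfb
        - firefox
        - xfonts-100dpi
        - xfonts-75dpi
        - xfonts-scalable
        - xfonts-cyrillic

    # Xvfb
    - name: Init xvfb
      copy:
        dest: /etc/init.d/xvfb
        src: util/xvfb.init.d
        mode: u+x
    - name: Start xvfb
      service:
        name: xvfb
        state: started

    # x11vnc
    # Fix: the original created /home/root/.vnc/passwd itself as a directory.
    # The "creates" guard on the next task then always found that path, so
    # the password was never stored. Create the parent directory instead and
    # keep it private to root.
    # Hosts provisioned with the old playbook still have a directory at
    # .vnc/passwd; remove it by hand or the guard will keep skipping.
    # NOTE(review): /home/root is kept from the original (root's home is
    # usually /root) -- presumably util/x11vnc.init.d points here; confirm.
    - name: Create x11vnc password directory
      file:
        path: /home/root/.vnc
        owner: root
        group: root
        mode: "0700"
        state: directory

    # The VNC password used to be the literal "foo" in the repository. It is
    # now read from x11vnc_password, which should come from an encrypted vars
    # file; the fallback keeps the old value so existing runs do not break.
    # NOTE(review): the password is passed on the command line and is
    # visible in the process list while the command runs.
    - name: Configure x11vnc
      command: x11vnc -storepasswd {{ x11vnc_password | default('foo') }} /home/root/.vnc/passwd
      args:
        creates: /home/root/.vnc/passwd

    # NOTE(review): the init script is not part of this file; check which
    # interface it listens on and that it actually uses the stored password.
    - name: Init x11vnc
      copy:
        dest: /etc/init.d/x11vnc
        src: util/x11vnc.init.d
        mode: u+x
    - name: Start x11vnc
      service:
        name: x11vnc
        state: started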
#==============================================================================
# Security
#==============================================================================
# - hosts: all
# tasks:
# - name: Firewall | install ufw
# apt: name=ufw state=present
# tags: security
# - ufw: state=enabled policy=allow
# tags: security
#==============================================================================
# Application code
#==============================================================================
- hosts: worker
  # Deploys the application as the unprivileged worker account.
  remote_user: worker
  tasks:
    # NOTE(review): version=master follows a moving branch, so every run
    # deploys whatever is at its tip, and the next task installs whatever
    # that checkout's requirements.txt lists. Pinning a tag or commit would
    # make what runs on the worker reviewable and repeatable.
    - name: Get bank-access repo
      git:
        repo: https://github.com/simplefin/bank-access.git
        dest: /home/worker/bank-access
        version: master

    # Installs into a virtualenv under the worker's home directory, not
    # into the system Python.
    - name: Upgrade python dependencies
      pip:
        virtualenv: /home/worker/venv
        requirements: /home/worker/bank-access/requirements.txt