diff --git a/ansible/Jenkinsfile b/ansible/Jenkinsfile index 6c57f2e..26140ef 100644 --- a/ansible/Jenkinsfile +++ b/ansible/Jenkinsfile @@ -5,6 +5,10 @@ pipeline { VAULT_PASSWORD = credentials('vault_password') } + environment { + ANSIBLE_HOST_KEY_CHECKING = 'false' + } + parameters { choice(name: 'SITE_OPTION', choices: ['SiteA', 'SiteB', 'SiteA&B'], description: 'Select which site to deploy') string(name: 'ADDITIONAL_CONTENT', defaultValue: 'Новое сообщение', description: 'Additional content to be included in the site') @@ -38,19 +42,17 @@ pipeline { def sanitized_content = params.ADDITIONAL_CONTENT.replaceAll("'", "\\'").replaceAll('"', '\\"') def siteOption = params.SITE_OPTION - def hostsFile = env.HOSTS_FILE - def targetGroups = '' if (siteOption == 'SiteA') { - targetGroups = 'SiteA' + targetGroups = 'SiteA,proxy' } else if (siteOption == 'SiteB') { - targetGroups = 'SiteB' + targetGroups = 'SiteB,proxy' } else if (siteOption == 'SiteA&B') { targetGroups = 'SiteA,SiteB,proxy' } ansiblePlaybook( - playbook: 'ansible/playbook.yml', + playbook: 'ansible/playbooks/playbook.yml', inventory: "ansible/inventory.yml", extraVars: [ additional_content: sanitized_content, diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 0000000..a76aa31 --- /dev/null +++ b/ansible/ansible.cfg @@ -0,0 +1,4 @@ +[defaults] +inventory = inventory.yml +roles_path = ./roles +host_key_checking = False \ No newline at end of file diff --git a/ansible/playbook.yml b/ansible/playbook.yml deleted file mode 100644 index 4e129e9..0000000 --- a/ansible/playbook.yml +++ /dev/null @@ -1,240 +0,0 @@ -- hosts: SiteA - become: true - - tasks: - - name: Install Nginx - zypper: - name: nginx - state: present - force: yes - update_cache: yes - - - name: Create site directories - file: - path: /var/www/SiteA - state: directory - mode: '0755' - - - name: Deploy site content - copy: - content: | - - - - SiteA - - -
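Review bot: The new `environment { ANSIBLE_HOST_KEY_CHECKING = 'false' }` block is inserted right after the closing brace of what looks like an existing `environment` block (the one holding `VAULT_PASSWORD`), and declarative pipelines reject a second `environment` directive at the same scope, so the variable should go inside the existing block as `ANSIBLE_HOST_KEY_CHECKING = 'false'` beside `VAULT_PASSWORD`. Turning host key checking off also removes the controller's only check that it is talking to the intended target when it opens an SSH session; the safer fix is to commit a `known_hosts` file for the inventory hosts and leave checking on. The enclosing `pipeline {}` block starts outside the hunk.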
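Review bot: The `if`/`else if` chain now adds `proxy` to `targetGroups` for the single-site options, but the new `ansible/playbooks/playbook.yml` runs the role against `hosts: all`, so the selection only has an effect if `targetGroups` is still passed to `ansiblePlaybook` as a `limit`; the argument list continues past the end of the hunk, so this cannot be confirmed here. If it is not passed, `SITE_OPTION` has become a no-op and the chain should either be removed or wired in as `limit: targetGroups`. A short comment above the chain stating that `proxy` is now always included because every site needs the load balancer would also make the intent explicit.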
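Review bot: `roles_path = ./roles` and `inventory = inventory.yml` are relative to the working directory, and this file is only read when Ansible is started from `ansible/` (or `ANSIBLE_CONFIG` points at it); the Jenkinsfile invokes `ansible/playbooks/playbook.yml` from the repository root, where neither this file nor a `roles/` directory beside the playbook exists, so `site_setup` will most likely not be resolved. Either set `ANSIBLE_CONFIG = 'ansible/ansible.cfg'` in the pipeline environment or give `roles_path` a location that does not depend on the cwd. `host_key_checking = False` duplicates the Jenkins environment setting and carries the same exposure; pinning the hosts via a committed known_hosts file (`[ssh_connection] ssh_args = -o UserKnownHostsFile=...`) is the safer replacement. The file also ends without a trailing newline.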

SiteA

-

{{ additional_content | string }}

- - - dest: /var/www/SiteA/index.html - - - name: Configure Nginx for SiteA - copy: - content: | - server { - listen 80; - server_name SiteA; - - location / { - root /var/www/SiteA; - index index.html; - } - } - dest: /etc/nginx/conf.d/SiteA.conf - - - name: Restart Nginx - service: - name: nginx - state: restarted - - - name: Start and enable firewalld - service: - name: firewalld - state: started - enabled: true - - - name: Open port 80 for HTTP - ansible.builtin.firewalld: - port: 80/tcp - permanent: true - state: enabled - immediate: yes - - - name: Open port 443 for HTTPS - ansible.builtin.firewalld: - port: 443/tcp - permanent: true - state: enabled - immediate: yes - - - name: Reload firewalld to apply changes - ansible.builtin.service: - name: firewalld - state: reloaded - -- hosts: SiteB - become: true - - tasks: - - name: Install Nginx - zypper: - name: nginx - state: present - force: yes - update_cache: yes - - - name: Create site directories - file: - path: /var/www/SiteB - state: directory - mode: '0755' - - - name: Deploy site content - copy: - content: | - - - - SiteB - - -

SiteB

-

{{ additional_content | string }}

- - - dest: /var/www/SiteB/index.html - - - name: Configure Nginx for SiteB - copy: - content: | - server { - listen 80; - server_name SiteB; - - location / { - root /var/www/SiteB; - index index.html; - } - } - dest: /etc/nginx/conf.d/SiteB.conf - - - name: Restart Nginx - service: - name: nginx - state: restarted - - - name: Start and enable firewalld - service: - name: firewalld - state: started - enabled: true - - - name: Open port 80 for HTTP - ansible.builtin.firewalld: - port: 80/tcp - permanent: true - state: enabled - immediate: yes - - - name: Open port 443 for HTTPS - ansible.builtin.firewalld: - port: 443/tcp - permanent: true - state: enabled - immediate: yes - - - name: Reload firewalld to apply changes - ansible.builtin.service: - name: firewalld - state: reloaded - -- hosts: proxy - become: true - - tasks: - - name: Install Nginx - zypper: - name: nginx - state: present - force: yes - update_cache: yes - - - name: Ensure SSL directory exists - file: - path: /etc/nginx/ssl - state: directory - mode: '0700' - - - name: Generate private key - openssl_privatekey: - path: /etc/nginx/ssl/vlad4.key - size: 2048 - type: RSA - mode: '0600' - owner: root - group: root - - - name: Generate self-signed SSL certificate - openssl_certificate: - path: /etc/nginx/ssl/vlad4.crt - privatekey_path: /etc/nginx/ssl/vlad4.key - owner: root - group: root - mode: '0600' - provider: selfsigned - - - name: Configure Nginx as HTTPS proxy - copy: - content: | - upstream backend_servers { - server 192.168.0.61:80; - server 192.168.0.62:80; - } - - server { - listen 80; - server_name vlad4; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl; - server_name vlad4; - - ssl_certificate /etc/nginx/ssl/vlad4.crt; - ssl_certificate_key /etc/nginx/ssl/vlad4.key; - - location / { - proxy_pass http://backend_servers; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - 
proxy_set_header X-Forwarded-Proto $scheme;
- }
- }
- dest: /etc/nginx/conf.d/proxy.conf
-
- - name: Restart Nginx
- service:
- name: nginx
- state: restarted
-
- - name: Start and enable firewalld
- service:
- name: firewalld
- state: started
- enabled: true
-
- - name: Open port 443 for HTTPS
- ansible.builtin.firewalld:
- port: 443/tcp
- permanent: true
- state: enabled
- immediate: yes
-
- - name: Reload firewalld to apply changes
- ansible.builtin.service:
- name: firewalld
- state: reloaded
diff --git a/ansible/playbooks/playbook.yml b/ansible/playbooks/playbook.yml
new file mode 100644
index 0000000..bd96fe0
--- /dev/null
+++ b/ansible/playbooks/playbook.yml
@@ -0,0 +1,5 @@
+---
+- hosts: all
+ become: true
+ roles:
+ - role: site_setup
diff --git a/ansible/roles/site_setup/tasks/configure.yml b/ansible/roles/site_setup/tasks/configure.yml
new file mode 100644
index 0000000..c26c5ea
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/configure.yml
@@ -0,0 +1,25 @@
+---
+- name: Create site directories
+ file:
+ path: "/var/www/html/{{ site_name }}"
+ state: directory
+ mode: '0755'
+ tags: configure
+
+- name: Deploy site content
+ template:
+ src: site_index.html.j2
+ dest: "/var/www/html/{{ site_name }}/index.html"
+ tags: configure
+
+- name: Configure Nginx for {{ site_name }}
+ template:
+ src: nginx_site.conf.j2
+ dest: "/etc/nginx/conf.d/{{ site_name }}.conf"
+ tags: configure
+
+- name: Restart Nginx
+ service:
+ name: nginx
+ state: restarted
+ tags: configure
diff --git a/ansible/roles/site_setup/tasks/firewall.yml b/ansible/roles/site_setup/tasks/firewall.yml
new file mode 100644
index 0000000..ffc5548
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/firewall.yml
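Review bot: `hosts: all` applies every task file of `site_setup` — the load-balancer config from `proxy.yml` as well as the per-site vhost from `configure.yml` — to every host, whereas the deleted playbook ran the proxy tasks only on the `proxy` group and the site tasks only on `SiteA`/`SiteB`. As written, the backends receive a `proxy.conf` that points back at the backend IPs and the proxy gets a site docroot and a second port-80 server block alongside its redirect. Either split this into plays per group (`- hosts: SiteA:SiteB` with the site tasks, `- hosts: proxy` with the proxy tasks) or gate the imports in `tasks/main.yml` with `when: "'proxy' in group_names"` and its negation.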
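Review bot: `Restart Nginx` at the end of this file runs unconditionally, so every run restarts the service even when neither template changed, and `proxy.yml` then restarts it a second time; give the two `template` tasks `notify: Restart Nginx` and move the restart into `handlers/main.yml` so it fires once and only on change. `site_name` in the `path`/`dest` values comes from `vars/main.yml`, where it is fixed to `example_site`, so SiteA and SiteB would deploy the same vhost and docroot unless it is overridden with extra-vars. A one-line comment at the top of the file stating where `site_name` is expected to come from would save the next reader that lookup.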
@@ -0,0 +1,29 @@
+---
+- name: Start and enable firewalld
+ service:
+ name: firewalld
+ state: started
+ enabled: true
+ tags: firewall
+
+- name: Open port 80 for HTTP
+ ansible.builtin.firewalld:
+ port: 80/tcp
+ permanent: true
+ state: enabled
+ immediate: yes
+ tags: firewall
+
+- name: Open port 443 for HTTPS
+ ansible.builtin.firewalld:
+ port: 443/tcp
+ permanent: true
+ state: enabled
+ immediate: yes
+ tags: firewall
+
+- name: Reload firewalld to apply changes
+ ansible.builtin.service:
+ name: firewalld
+ state: reloaded
+ tags: firewall
diff --git a/ansible/roles/site_setup/tasks/generate_ssl.yml b/ansible/roles/site_setup/tasks/generate_ssl.yml
new file mode 100644
index 0000000..aa0548b
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/generate_ssl.yml
@@ -0,0 +1,24 @@
+---
+- name: Ensure SSL directory exists
+ file:
+ path: /etc/nginx/ssl
+ state: directory
+ mode: '0755'
+ tags: ssl
+
+- name: Generate self-signed SSL certificate
+ openssl_certificate:
+ path: /etc/nginx/ssl/{{ proxy_name }}.crt
+ privatekey_path: /etc/nginx/ssl/{{ proxy_name }}.key
+ common_name: "{{ proxy_name }}"
+ state: present
+ selfsigned: yes
+ owner: root
+ group: root
+ mode: '0644'
+ subject:
+ - organizationName: "Example Company"
+ - organizationalUnitName: "IT"
+ - localityName: "City"
+ - countryName: "US"
+ tags: ssl
diff --git a/ansible/roles/site_setup/tasks/install.yml b/ansible/roles/site_setup/tasks/install.yml
new file mode 100644
index 0000000..416ed21
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/install.yml
@@ -0,0 +1,8 @@
+---
+- name: Install Nginx
+ zypper:
+ name: nginx
+ state: present
+ force: yes
+ update_cache: yes
+ tags: install
diff --git a/ansible/roles/site_setup/tasks/main.yml b/ansible/roles/site_setup/tasks/main.yml
new file mode 100644
index 0000000..8920323
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/main.yml
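Review bot: `immediate: yes` on both firewalld tasks already applies the rule to the running configuration, so the trailing `Reload firewalld to apply changes` task is redundant and can be dropped. The booleans should also be written as `immediate: true` to match `permanent: true` and `enabled: true` in the same file (yamllint's truthy rule flags `yes`). Because the role now runs on the backends too, port 80 is opened to everyone on hosts that only the proxy needs to reach; a `rich_rule` restricting the source to the proxy address, or a `when: "'proxy' in group_names"` guard on the 443 task, would keep the exposure to what the deleted playbook had.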
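Review bot: This file is never executed — `tasks/main.yml` imports `install.yml`, `configure.yml`, `proxy.yml` and `firewall.yml` but not `generate_ssl.yml` — yet `nginx_proxy.conf.j2` points `ssl_certificate`/`ssl_certificate_key` at the files it would create, so nginx on the proxy will fail its config check after the restart in `proxy.yml`. The task itself references `privatekey_path: /etc/nginx/ssl/{{ proxy_name }}.key` without any task generating that key (the deleted playbook had an `openssl_privatekey` step), and `common_name`, `selfsigned: yes` and `subject` are not parameters of `openssl_certificate`; the self-signed path is `provider: selfsigned`, as the deleted playbook used, with subject fields supplied through an `openssl_csr` task or omitted. Add `- import_tasks: generate_ssl.yml` ahead of `proxy.yml` in `main.yml`, restore the private-key task with the key kept at `mode: '0600'`, and replace the certificate task as below.

```yaml
# … unchanged: Ensure SSL directory exists …

- name: Generate private key
  openssl_privatekey:
    path: /etc/nginx/ssl/{{ proxy_name }}.key
    size: 2048
    type: RSA
    owner: root
    group: root
    mode: '0600'
  tags: ssl

- name: Generate self-signed SSL certificate
  openssl_certificate:
    path: /etc/nginx/ssl/{{ proxy_name }}.crt
    privatekey_path: /etc/nginx/ssl/{{ proxy_name }}.key
    provider: selfsigned
    owner: root
    group: root
    mode: '0644'
  tags: ssl
```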
@@ -0,0 +1,12 @@
+---
+- import_tasks: install.yml
+ tags: install
+
+- import_tasks: configure.yml
+ tags: configure
+
+- import_tasks: proxy.yml
+ tags: proxy
+
+- import_tasks: firewall.yml
+ tags: firewall
diff --git a/ansible/roles/site_setup/tasks/proxy.yml b/ansible/roles/site_setup/tasks/proxy.yml
new file mode 100644
index 0000000..a9d390e
--- /dev/null
+++ b/ansible/roles/site_setup/tasks/proxy.yml
@@ -0,0 +1,26 @@
+---
+- name: Configure Nginx load balancer with SSL
+ template:
+ src: nginx_proxy_ssl.conf.j2
+ dest: "/etc/nginx/conf.d/proxy.conf"
+ tags: proxy
+
+- name: Ensure SSL directory exists
+ file:
+ path: /etc/nginx/ssl
+ state: directory
+ mode: '0755'
+ tags: proxy
+
+- name: Copy Diffie-Hellman parameters
+ copy:
+ src: dhparam.pem
+ dest: /etc/nginx/ssl/dhparam.pem
+ mode: '0600'
+ tags: proxy
+
+- name: Restart Nginx after configuration
+ service:
+ name: nginx
+ state: restarted
+ tags: proxy
diff --git a/ansible/roles/site_setup/templates/nginx_proxy.conf.j2 b/ansible/roles/site_setup/templates/nginx_proxy.conf.j2
new file mode 100644
index 0000000..472be35
--- /dev/null
+++ b/ansible/roles/site_setup/templates/nginx_proxy.conf.j2
@@ -0,0 +1,31 @@
+upstream backend_servers {
+ server {{ backend_ip_1 }}:80;
+ server {{ backend_ip_2 }}:80;
+}
+
+server {
+ listen 80;
+ server_name {{ proxy_name }};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name {{ proxy_name }};
+
+ ssl_certificate /etc/nginx/ssl/{{ proxy_name }}.crt;
+ ssl_certificate_key /etc/nginx/ssl/{{ proxy_name }}.key;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
+
+ location / {
+ proxy_pass http://backend_servers;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
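Review bot: The `tags:` set on each `import_tasks` line is inherited by every task in the imported file, so the identical `tags:` entries repeated on each task inside `install.yml`, `configure.yml`, `proxy.yml` and `firewall.yml` are redundant and can be removed to keep the role in one place. Since the playbook targets `hosts: all`, this is also the natural spot to restrict the proxy-only file, e.g. `- import_tasks: proxy.yml` followed by `when: "'proxy' in group_names"`, rather than relying on inventory limits set in Jenkins.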
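Review bot: `src: nginx_proxy_ssl.conf.j2` does not match the template this commit adds, `templates/nginx_proxy.conf.j2`, so the first task fails with a missing-template error on every host it runs on; change it to `src: nginx_proxy.conf.j2` or rename the template file. `src: dhparam.pem` likewise expects `files/dhparam.pem` inside the role, which this diff does not add — if it is produced elsewhere, a comment above the task naming its origin and parameter size would help the next reader verify it. The `Ensure SSL directory exists` task duplicates the one in `generate_ssl.yml`; keeping a single copy in whichever file runs first avoids the two drifting apart on `mode`.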
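Review bot: The 443 server block sets no `Strict-Transport-Security` header and no `ssl_session_cache`/`ssl_session_timeout`, so a client that reaches the port-80 redirect is not told to stay on HTTPS and every connection negotiates a full handshake; `add_header Strict-Transport-Security "max-age=31536000" always;` is the usual minimum once the certificate is one browsers trust (the self-signed one generated here is not). With `ssl_protocols TLSv1.2 TLSv1.3`, the `ssl_ciphers` list only governs TLS 1.2 and the two-suite restriction plus `ssl_prefer_server_ciphers on` diverges from the common intermediate profile, which turns preference off — a comment explaining why this list was chosen would help. The `upstream` block hard-codes `backend_ip_1`/`backend_ip_2`; a `backend_servers` list rendered with `{% for ip in backend_servers %}server {{ ip }}:80;{% endfor %}` would let the inventory add a backend without touching the template.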
diff --git a/ansible/roles/site_setup/templates/nginx_site.conf.j2 b/ansible/roles/site_setup/templates/nginx_site.conf.j2
new file mode 100644
index 0000000..e18b1e4
--- /dev/null
+++ b/ansible/roles/site_setup/templates/nginx_site.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen 80;
+ server_name {{ site_name }};
+
+ location / {
+ root /var/www/html/{{ site_name }};
+ index index.html;
+ }
+}
diff --git a/ansible/roles/site_setup/templates/site_index.html.j2 b/ansible/roles/site_setup/templates/site_index.html.j2
new file mode 100644
index 0000000..d66b1f0
--- /dev/null
+++ b/ansible/roles/site_setup/templates/site_index.html.j2
@@ -0,0 +1,10 @@
+ + + +{{ site_name }} + + +

{{ site_name }}

+

{{ additional_content }}

+ +
diff --git a/ansible/roles/site_setup/vars/main.yml b/ansible/roles/site_setup/vars/main.yml
new file mode 100644
index 0000000..ebc4ca7
--- /dev/null
+++ b/ansible/roles/site_setup/vars/main.yml
@@ -0,0 +1,6 @@
+---
+site_name: "example_site"
+proxy_name: "proxy_server"
+backend_ip_1: "192.168.0.61"
+backend_ip_2: "192.168.0.62"
+additional_content: "Welcome to {{ site_name }}"
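Review bot: `{{ additional_content }}` is interpolated into the page body without escaping, and the value comes straight from the Jenkins `ADDITIONAL_CONTENT` string parameter (the Jenkinsfile only backslash-escapes quote characters, which does nothing for `<` or `&`), so anyone who can start the job can place arbitrary markup in the deployed page; render it as `{{ additional_content | e }}` unless raw HTML is deliberately allowed, in which case a comment stating that should sit above the line. The deleted playbook used `| string` here, which converts but does not escape either. Most of the template's tags did not survive the page rendering, so the surrounding markup cannot be checked from this view.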
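Review bot: Variables in a role's `vars/main.yml` take precedence over inventory `host_vars`/`group_vars`, so `site_name: "example_site"`, `proxy_name` and the two backend IPs cannot be set per host from the inventory — every host deploys `example_site`, which `configure.yml` uses for both docroot and vhost, and the proxy's `server_name` is fixed to `proxy_server`. Move these to `defaults/main.yml` so the inventory (for example `group_vars/SiteA.yml` with `site_name: SiteA`) can override them, keeping `vars/` for values that are genuinely constant. `additional_content` is overridden by the extra-vars the Jenkinsfile passes, which outrank everything, so it works as a default today but belongs in `defaults/` for the same reason.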