Merge pull request #1 from solutionDrive/initial-work

Files and directories from private repository

.gitignore

@@ -0,0 +1 @@
+.idea/

.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -1,2 +1,70 @@
-# ansible-role-deployment
-Role to prepare servers for deployment
+Role Name
+=========
+
+Role to prepare Servers for Deployment. Place ssh-key-Pairs for Authentication with Git-Repositorys
+
+Requirements
+------------
+
+none
+
+Role Variables
+--------------
+
+
+Dependencies
+------------
+
+none
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Files
+-----
+the following files are encrypted with our base password:
++ auth.json
++ id_rsa
++ id_rsa.pub
+
+This will only work in Projects which are using this insecure base-Password. To be able to use this
+role in Projects with greater security-needs (with different vaultpass), this files can be placed in the files-directory
+of the Ansible-Project and can be re-encrypted with the new Password. It is important that 
+1. the files are named differently
+2. the default-Variables of this role containing the standard-Filenames are overwritten with the new Filenames.
+
+
+SSH Host Keys
+-------------
+The public keys for the following SSH hosts are stored here:
+* github.com
+* bitbucket.org
+* packagist.org
+
+This is important to avoid scanning for ssh keys on each ansible run.
+
+They can be obtained/generated by:
+
+    ssh-keyscan -t rsa {bitbucket.org,github.com,packagist.org}
+
+Please make sure that they are up-to-date and correct(!).
+You can find the fingerprints here:
+* https://help.github.com/articles/github-s-ssh-key-fingerprints/
+* https://confluence.atlassian.com/bitbucket/troubleshoot-ssh-issues-271943403.html
+
+
+Author Information
+------------------
+
+Matthias Alt <[email protected]>

defaults/main.yml

@@ -0,0 +1,30 @@
+---
+# general settings
+deployment_src_path: files/
+
+# Settings for deployment-keys
+deployment_key_name_private: id_rsa
+deployment_key_name_public: id_rsa.pub
+deployment_key_destination_path: /var/www/.ssh/
+deployment_key_destination_path_root: /root/.ssh/
+deployment_global_ssh_known_hosts_file: /etc/ssh/ssh_known_hosts
+
+deployment_key_to_root_user: true
+deployment_key_remove_key_from_root: true
+
+deployment_local_environment: true
+
+deployment_install_composer_auth: true
+
+deployment_ssh_user: solution
+deployment_key_destination_path_ssh_user: "/home/{{ deployment_ssh_user }}/.ssh/"
+deployment_auth_destination_path_ssh_user: "/home/{{ deployment_ssh_user }}/.composer/"
+deployment_ssh_user_group: www-data
+
+deployment_enable_git: yes
+
+deployment_name_of_toran_auth_file: 'auth.json'
+
+deployment_bitbucket_public_host_key: "bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="
+deployment_github_public_host_key: "github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
+deployment_packagist_public_host_key: "packagist.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Sr1qq0PlqtH1MKLHX4KhF0wEaM3EccFb08o9w4H/sN+KfEzV+Brdcb5k2pBYiwL025F4iQYVdFA9Cmh7rjYSahW7Z2OHjnx7xu2mVqymVCrqzkrjzDT0BGlYBRoUNrbXOZ3RJ5UUeZP3oRcHfBjKp5zI4heNSTMeeOPvQVT89aAq019blEFfi0e4necgEDOPWfwGmbMaY5CzaL5Pec2N47yE1wTGCbBXGhARLGqFyee+B8hNQGLvmFNMKIHIdKzEVnHN1XQ2ffTcsJUMOUBkJpdfk9GWSosbA7fM8MQNZzsEIXQcMauWTeHwnxG9Sni4v6oHAMNejh7Ip4OgSRyB"

files/bash_profile.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+alias ls="ls -h --color"
+alias ll="ls -l"

handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: remove key from root
+  file:
+    path: "{{ deployment_key_destination_path_root }}"
+    state: absent
+  become: yes
+  when: deployment_key_to_root_user and deployment_key_remove_key_from_root

meta/main.yml

@@ -0,0 +1,19 @@
+galaxy_info:
+  author: solutionDrive GmbH
+  description: Role to prepare servers for deployment
+  company: solutionDrive GmbH
+  license: MIT
+
+  min_ansible_version: 1.2
+
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+
+  galaxy_tags:
+    - server
+    - deployment
+    - ssh
+
+dependencies: []

tasks/authentication.yml

@@ -0,0 +1,86 @@
+---
+- name: Copy Private Deployment-Key
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_private }}"
+    dest: "{{ deployment_key_destination_path_ssh_user }}{{ deployment_key_name_private }}"
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+    mode: u=r,g=,o=
+  become: yes
+
+- name: Copy Public Deployment-Key
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_public }}"
+    dest: "{{ deployment_key_destination_path_ssh_user }}{{ deployment_key_name_public }}"
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+    mode: u=rw,g=rw,o=r
+  become: yes
+
+- name: "create {{ deployment_auth_destination_path_ssh_user }} if it does not exist"
+  file:
+    state: directory
+    path: "{{ deployment_auth_destination_path_ssh_user }}"
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+  become: yes
+
+- name: "Store Toran-Authentication for composer installation for User {{ deployment_ssh_user }}"
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_name_of_toran_auth_file }}"
+    dest: "{{ deployment_auth_destination_path_ssh_user }}/auth.json"
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+    mode: 0600
+  become: yes
+  when: deployment_install_composer_auth
+
+- name: Copy Private Deployment-Key to root user if configured
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_private }}"
+    dest: "{{ deployment_key_destination_path_root }}{{ deployment_key_name_private }}"
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+  become: yes
+  when: deployment_key_to_root_user
+  notify: remove key from root
+
+- name: Copy Public Deployment-Key to root user if configured
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_public }}"
+    dest: "{{ deployment_key_destination_path_root }}{{ deployment_key_name_public }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  become: yes
+  when: deployment_key_to_root_user
+  notify: remove key from root
+
+- name: Store Toran-Authentication for composer installation for User root
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_name_of_toran_auth_file }}"
+    dest: /root/.composer/auth.json
+    owner: root
+    group: root
+    mode: 0600
+  become: yes
+  when: deployment_install_composer_auth
+
+- name: Copy Private Deployment-Key to www-data user
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_private }}"
+    dest: "{{ deployment_key_destination_path }}{{ deployment_key_name_private }}"
+    owner: www-data
+    group: www-data
+    mode: u=r,g=,o=
+  become: yes
+
+- name: Copy Public Deployment-Key to www-data user
+  copy:
+    src: "{{ deployment_src_path }}{{ deployment_key_name_public }}"
+    dest: "{{ deployment_key_destination_path }}{{ deployment_key_name_public }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  become: yes

tasks/filesystem.yml

@@ -0,0 +1,25 @@
+---
+- name: Create .ssh-Directory for www-data
+  file:
+    path: /var/www/.ssh
+    state: directory
+    owner: www-data
+    group: www-data
+  become: yes
+
+- name: Create .ssh-Directory for root if configured
+  file:
+    path: /root/.ssh
+    state: directory
+    owner: root
+    group: root
+  become: yes
+  when: deployment_key_to_root_user
+
+- name: "Create bin-directory for user {{ deployment_ssh_user }}"
+  file:
+    path: "/home/{{ deployment_ssh_user }}/bin"
+    state: directory
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+  become: yes

tasks/git.yml

@@ -0,0 +1,8 @@
+- name: "Add global git configuration (for convenience/comfort)"
+  template: >
+   src='gitconfig'
+   dest='/etc/gitconfig'
+   force=no
+  become: yes
+
+

tasks/known_hosts.yml

@@ -0,0 +1,24 @@
+---
+- name: Ensure global known_hosts files exist
+  file:
+    path: "{{ deployment_global_ssh_known_hosts_file }}"
+    state: touch
+    mode: 0644
+
+- name: Add bitbucket.org to global known_hosts
+  lineinfile:
+    path: "{{ deployment_global_ssh_known_hosts_file }}"
+    line: "{{ deployment_bitbucket_public_host_key }}"
+    state: present
+
+- name: Add packagist.org to global known_hosts
+  lineinfile:
+    path: "{{ deployment_global_ssh_known_hosts_file }}"
+    line: "{{ deployment_packagist_public_host_key }}"
+    state: present
+
+- name: Add github.com to global known_hosts
+  lineinfile:
+    path: "{{ deployment_global_ssh_known_hosts_file }}"
+    line: "{{ deployment_github_public_host_key }}"
+    state: present

tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- include: git.yml
+  when: deployment_enable_git
+- include: users.yml
+- include: filesystem.yml
+- include: authentication.yml
+- include: known_hosts.yml

tasks/users.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure 'wheel'-group is present
+  group:
+    name: wheel
+    state: present
+  become: yes
+
+- name: Ensure 'wheel'-group has passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    validate: visudo -cf %s
+  become: yes
+
+- name: "Create User {{ deployment_ssh_user }}"
+  user:
+    name: "{{ deployment_ssh_user }}"
+    group: "{{ deployment_ssh_user_group }}"
+    groups: www-data,wheel
+    #shell: "{{ deployment_ssh_user_shell }}"
+  become: yes
+
+- name: "Create .ssh-Directory for {{ deployment_ssh_user }}"
+  file:
+    path:  "{{ deployment_key_destination_path_ssh_user }}"
+    state: directory
+    owner: "{{ deployment_ssh_user }}"
+    group: www-data
+  become: yes

templates/gitconfig

@@ -0,0 +1,21 @@
+[color]
+        ui = true
+        branch = auto
+        status = auto
+        diff = auto
+[color "diff"]
+        meta = yellow
+        frag = cyan
+        old = red
+        new = green
+[color "branch"]
+        current = yellow reverse
+        local = yellow
+        remote = green
+[color "status"]
+        added = yellow
+        changed = green
+        untracked = cyan
+[core]
+        filemode = false
+

tests/inventory

@@ -0,0 +1 @@
+localhost

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - solutiondrive.deployment

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for solutiondrive.deployment