
readme.md with projects index

sys-systemd-and-upstart
Vladimir Smagin 1 year ago
parent
commit
2e25b00064
34 changed files with 10 additions and 408 deletions
  1. 0
    2
      keys-ansible/.gitignore
  2. 0
    4
      keys-ansible/ansible.cfg
  3. 0
    4
      keys-ansible/group_vars/hetzner-nodes.yml
  4. 0
    6
      keys-ansible/group_vars/hetzner.yml
  5. 0
    3
      keys-ansible/host_vars/monitor.yml
  6. 0
    15
      keys-ansible/inventory.ini
  7. 0
    41
      keys-ansible/readme.md
  8. 0
    1
      keys-ansible/roles/master_key/meta/main.yml
  9. 0
    7
      keys-ansible/roles/master_key/tasks/main.yml
  10. 0
    1
      keys-ansible/roles/preinstall/meta/main.yml
  11. 0
    18
      keys-ansible/roles/preinstall/tasks/main.yml
  12. 0
    1
      keys-ansible/roles/ssh_access/meta/main.yml
  13. 0
    21
      keys-ansible/roles/ssh_access/tasks/main.yml
  14. 0
    27
      keys-ansible/secrets/superkey.key
  15. 0
    1
      keys-ansible/secrets/superkey.pub
  16. 0
    3
      keys-ansible/ssh-keys.sh
  17. 0
    7
      keys-ansible/ssh-keys.yml
  18. 0
    3
      nginx+php-fpm7.1/ansible.cfg
  19. 0
    3
      nginx+php-fpm7.1/deploy.sh
  20. 0
    11
      nginx+php-fpm7.1/deploy.yml
  21. 0
    16
      nginx+php-fpm7.1/roles/nginx/tasks/main.yml
  22. 0
    65
      nginx+php-fpm7.1/roles/php/tasks/main.yml
  23. 0
    12
      nginx+php-fpm7.1/roles/preinstall/tasks/main.yml
  24. 10
    0
      readme.md
  25. 0
    17
      systemd-and-upstart/inventory.ini
  26. 0
    10
      systemd-and-upstart/roles/preinstall/tasks/main.yml
  27. 0
    13
      systemd-and-upstart/roles/set_service/files/app.py
  28. 0
    12
      systemd-and-upstart/roles/set_service/files/child_process.py
  29. 0
    30
      systemd-and-upstart/roles/set_service/tasks/main.yml
  30. 0
    15
      systemd-and-upstart/roles/set_service/templates/systemd-service.template.j2
  31. 0
    25
      systemd-and-upstart/roles/set_service/templates/upstart-service.template.j2
  32. 0
    4
      systemd-and-upstart/roles/set_service/vars/main.yml
  33. 0
    4
      systemd-and-upstart/roles/test/tasks/main.yml
  34. 0
    6
      systemd-and-upstart/services.yml

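--- a/keys-ansible/.gitignore
+++ b/keys-ansible/.gitignore
@@ -1,2 +0,0 @@
-*.log
-*.retry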

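--- a/keys-ansible/ansible.cfg
+++ b/keys-ansible/ansible.cfg
@@ -1,4 +0,0 @@
-[defaults]
-log_path=ansible.log
-nocows = 1
-hash_behaviour = merge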

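--- a/keys-ansible/group_vars/hetzner-nodes.yml
+++ b/keys-ansible/group_vars/hetzner-nodes.yml
@@ -1,4 +0,0 @@
-access_list:
-git: { keypath: "../keys/project-git.pub", username: "root" }
-dev1: { keypath: "../keys/developer1.pub", username: "root" }
-dev2: { keypath: "../keys/developer2.pub", username: "root" }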

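--- a/keys-ansible/group_vars/hetzner.yml
+++ b/keys-ansible/group_vars/hetzner.yml
@@ -1,6 +0,0 @@
-access_list:
-admin: { keypath: "../keys/admin.pub", username: "root" }
-techguy: { keypath: "../keys/techguy.pub", username: "root" }
-interserver: { keypath: "../keys/interserver.pub", username: "root" }
-secret_list:
-interserver: { keypath: "../keys/interserver.pem", username: "root" }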

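--- a/keys-ansible/host_vars/monitor.yml
+++ b/keys-ansible/host_vars/monitor.yml
@@ -1,3 +0,0 @@
-access_list:
-admin: { keypath: "../keys/admin.pub", username: "root" }
-techguy: { keypath: "../keys/techguy.pub", username: "root" }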

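--- a/keys-ansible/inventory.ini
+++ b/keys-ansible/inventory.ini
@@ -1,15 +0,0 @@
-[monitoring]
-monitor ansible_host=44.165.225.144 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-
-[hetzner:children]
-hetzner-balancers
-hetzner-nodes
-
-[hetzner-nodes]
-hetzner-node0 ansible_host=145.251.216.112 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-node1 ansible_host=154.64.4.185 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-node2 ansible_host=168.251.172.244 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-
-[hetzner-balancers]
-hetzner-balancer0 ansible_host=145.251.216.154 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
-hetzner-balancer1 ansible_host=78.46.246.78 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"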

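--- a/keys-ansible/readme.md
+++ b/keys-ansible/readme.md
@@ -1,41 +0,0 @@
-# Ansible centralized keys management
-
-Dicts in parent group merges with dicts in child groups.
-
-Warning! Playbook will delete all public keys in root's ```.ssh/authorized_keys``` file and setup own **super** key, only after this public keys in group_vars and host_vars will be added into assigned users ```.ssh/authorized_keys``` files.
-
-**Security issue!** You need to generate your own super key! Run ```ssh-keygen -f superkey``` and replace keys in ```secret/``` directory.
-
-Infrastructure:
-
-```
---[ hetzner ]--\
-|- hetzner-balancers
-\- hetzner-nodes
-```
-
-All servers will be available to the administrator and assistant, servers must have own internal key for files copying. Configuring parent ```hetzner```group:
-
-```
-access_list:
-admin: { keypath: "../keys/admin.pub", username: "root" }
-techguy: { keypath: "../keys/techguy.pub", username: "root" }
-interserver: { keypath: "../keys/interserver.pub", username: "root" }
-
-secret_list:
-interserver: { keypath: "../keys/interserver.pem", username: "root" }
-```
-
-You want to make additional access to all nodes for developer guy. Configuring child ```hetzner-nodes``` group:
-
-```
-access_list:
-developer: { keypath: "../keys/developer.pub", username: "dev" }
-```
-
-No need to make additional config for ```hetzner-balancers``` because access list will be inherited, only admins accessible.
-
----
-Copyright by Vladimir Smagin, 2018
-http://blindage.org
-21h@blindage.org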

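--- a/keys-ansible/roles/master_key/meta/main.yml
+++ b/keys-ansible/roles/master_key/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true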

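--- a/keys-ansible/roles/master_key/tasks/main.yml
+++ b/keys-ansible/roles/master_key/tasks/main.yml
@@ -1,7 +0,0 @@
----
-- name: Set primary ansible key and remove others
-authorized_key:
-user: root
-state: present
-exclusive: True
-key: "{{ lookup('file', 'secrets/superkey.pub') }}"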

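--- a/keys-ansible/roles/preinstall/meta/main.yml
+++ b/keys-ansible/roles/preinstall/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true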

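--- a/keys-ansible/roles/preinstall/tasks/main.yml
+++ b/keys-ansible/roles/preinstall/tasks/main.yml
@@ -1,18 +0,0 @@
----
-- name: Minimum packages for Debian-like
-apt: name="{{ item }}" state=present update_cache=yes
-become: yes
-with_items:
-- mc
-- htop
-when: (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') and preinstall is defined
-
-- name: Minimum packages for RedHat-like
-become: yes
-yum: name="{{ item }}" state=present update_cache=yes
-with_items:
-- mc
-- htop
-when: (ansible_distribution == 'Red Hat' or ansible_distribution == 'Centos') and preinstall is defined
-
-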

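--- a/keys-ansible/roles/ssh_access/meta/main.yml
+++ b/keys-ansible/roles/ssh_access/meta/main.yml
@@ -1 +0,0 @@
-allow_duplicates: true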

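--- a/keys-ansible/roles/ssh_access/tasks/main.yml
+++ b/keys-ansible/roles/ssh_access/tasks/main.yml
@@ -1,21 +0,0 @@
----
-#- debug:
-# msg: "{{ access_list }}"
-- name: Set public keys
-become: true
-become_user: "{{ item.value.username }}"
-authorized_key: user="{{ item.value.username }}" key="{{ lookup('file', item.value.keypath) }}" state=present
-with_dict: "{{ access_list }}"
-when: access_list != None and access_list is defined
-
-#- debug:
-# msg: "{{ secret_list }}"
-
-- name: Upload secret keys
-become: true
-become_user: "{{ item.value.username }}"
-copy: src="{{ item.value.keypath }}" dest="~/.ssh/{{ item.value.keypath | basename }}" mode=0600
-with_dict: "{{ secret_list }}"
-when: secret_list != None and secret_list is defined
-
-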
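--- a/keys-ansible/secrets/superkey.key
+++ b/keys-ansible/secrets/superkey.key
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwNv29GRDfroj6Ue5iPsj/E5nX7QWRPzfHIj8pMms3+YY/rt6
-em077AXFGQITr874Y5tnjS7joO1LnOU71D/Yy80ty4kqL56U20OBGLrFxv/swJgf
-QweSv9nFkj+sEONqu/kM7Ailu4sOkcAzH/aA8tLVpAyC5xf+wYhtX3twUkbSPgpG
-N6hV/TaNMt27moWwOMui0Hm6EYriPYBD7c7wHwgLwkksq+SLLHDqJqiWrBSRnwCv
-KBAIpMyqwhjLICk7LyuAZdXF+LdJXssXLnnpwl1HspkRt/QhbznRqyLqdD6pfVRv
-yRalZxK7xv8akYlCzzWgCHGbw98KexUBLcw8oQIDAQABAoIBAFcjS7pyjth0bANc
-B+Vva3v1RNnF+YXkJz6yWkxuXvCu+z4lIRqtvjRPCxXYjWKTBkGjFq+ArxKoBND3
-9gdZba/vnbBn4iqv4RwMrQiqYvAd9C+0y/MyOcj7MTx6Dll3F2OlDISdB5zsIIIU
-MEVR0ENmpWbAzGhzvARfiuNoV4CkfCMk8+1l5m0eLuFih74IW3Ka62tUx6DUIl9/
-KTsgFqsGY7if6RomEWJssoDWYhfVpy2PyIR9Rvs3sTSKXKlHAZIewTbiwsjsknjw
-8x6eJpi6KogZ2jsgmjOzAUkyAjFm5+Su7l0H58nJk6V0b4eskXGZD4nzzmUSmjEw
-L1MmW90CgYEA59RpCp3t0MGX5IPkKezaCXC6uvP1cUPKIcz9MrYDDzX4mWUIiKza
-hyPPllmV75sUk11/bMcwOlYiRlpwCRq6Wh5BV3D34/YSNF7gOyUkNrEWt04UAlSD
-pwEP8RMv+GXhPGfWJrhuF3zTYoWy8347LKuKgkLxDgWYwvYaJTXMVDsCgYEA1Pds
-Poup+X8eOOtF80w8T7joTEI4TM0h7LdJnK8Don99jG4dQdgXB/r8qsCSkjHG6nkn
-6qsJXEULybxuc4qD444LwNWAVVxHE6e69plW5jtzO5ZXEEMFOpBawAZDIOtiePUr
-ZrXp4X48o429XWBenZPJZmtCFCnd8943AEkLcNMCgYEAocEMNZMx3qllMNVxumr/
-Svzz3QPhKlFRVLoxpFNo2REgTu82wB5TL12mNtJ1EkSTW6suAJkOpnV43ru1VjTm
-94AKuVciL1V/KDlWnQ3yMZLoNaftwB516W2NUPjBTMDRIhOVUVj3v72hxCljTg+y
-fB2IvBC3HsB68PVEEthxpAcCgYA+3N39xFojBGvWX1RhkcJHwgwH3pAh03dNGXlI
-H70R7VIQ7rwCIJgDygllGbzqHHlb4vFuapgzvUnSfaWYw21U8Sv0+tCL4dY1LhCZ
-FAA7q5bDIwiGC1JyzAONpQuRnwmNLMln4xCreAjMOl2IP5cOKn6LleOGcilK/+/6
-TJVs8wKBgQDSOzTch2lQViWQhSFO2nnQ5Os7nLhQGhWLQP+L6JJiTIeAv0oITyQC
-IVOzsysepQYnm/bSHDXRHpzYR/Cq2FJIIPKvBIHuh60zqhpfpG97+fCibRFfWcoe
-DFR+2w5mcReEHjwAT5dVBfYVlLb75Zmu7P0/C4KG6DGtRNxEGSjUSw==
------END RSA PRIVATE KEY-----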

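--- a/keys-ansible/secrets/superkey.pub
+++ b/keys-ansible/secrets/superkey.pub
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA2/b0ZEN+uiPpR7mI+yP8TmdftBZE/N8ciPykyazf5hj+u3p6bTvsBcUZAhOvzvhjm2eNLuOg7Uuc5TvUP9jLzS3LiSovnpTbQ4EYusXG/+zAmB9DB5K/2cWSP6wQ42q7+QzsCKW7iw6RwDMf9oDy0tWkDILnF/7BiG1fe3BSRtI+CkY3qFX9No0y3buahbA4y6LQeboRiuI9gEPtzvAfCAvCSSyr5IsscOomqJasFJGfAK8oEAikzKrCGMsgKTsvK4Bl1cX4t0leyxcueenCXUeymRG39CFvOdGrIup0Pql9VG/JFqVnErvG/xqRiULPNaAIcZvD3wp7FQEtzDyh demo key. do not use it!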

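--- a/keys-ansible/ssh-keys.sh
+++ b/keys-ansible/ssh-keys.sh
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-ansible-playbook ssh-keys.yml -i inventory.ini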

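--- a/keys-ansible/ssh-keys.yml
+++ b/keys-ansible/ssh-keys.yml
@@ -1,7 +0,0 @@
----
-- hosts: all
-gather_facts: True
-roles:
-- master_key
-- preinstall
-- ssh_access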

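--- a/nginx+php-fpm7.1/ansible.cfg
+++ b/nginx+php-fpm7.1/ansible.cfg
@@ -1,3 +0,0 @@
-[defaults]
-log_path=ansible.log
-nocows = 1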

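--- a/nginx+php-fpm7.1/deploy.sh
+++ b/nginx+php-fpm7.1/deploy.sh
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-ansible-playbook deploy.yml -i '10.0.2.46,' -T 30 -k -u root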

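--- a/nginx+php-fpm7.1/deploy.yml
+++ b/nginx+php-fpm7.1/deploy.yml
@@ -1,11 +0,0 @@
----
-- hosts: all
-gather_facts: True
-vars:
-ansible_python_interpreter: /usr/bin/python3
-#validate_certs: False
-
-roles:
-- preinstall
-- php
-- nginx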

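--- a/nginx+php-fpm7.1/roles/nginx/tasks/main.yml
+++ b/nginx+php-fpm7.1/roles/nginx/tasks/main.yml
@@ -1,16 +0,0 @@
----
-- name: Add an apt signing key for nginx and repository
-apt_key:
-url: http://nginx.org/keys/nginx_signing.key
-state: present
-
-- apt_repository:
-repo: deb http://nginx.org/packages/ubuntu/ {{ ansible_lsb.codename }} nginx
-state: present
-filename: nginx
-
-- name: Install nginx
-apt: name=nginx state=present
-
-- name: Restart nginx
-service: name=nginx state=restarted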

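--- a/nginx+php-fpm7.1/roles/php/tasks/main.yml
+++ b/nginx+php-fpm7.1/roles/php/tasks/main.yml
@@ -1,65 +0,0 @@
----
-- apt_repository:
-validate_certs: False
-repo: ppa:ondrej/php
-state: present
-
-- name: Install php-fpm and deps
-apt: name={{ item }} state=present update_cache=yes
-with_items:
-- php7.1
-- php7.1-fpm
-- php7.1-mbstring
-- php7.1-xml
-- php7.1-curl
-- php7.1-pgsql
-- php7.1-mysql
-- php7.1-gd
-- php7.1-zip
-- php7.1-opcache
-- php7.1-memcached
-
-- ini_file:
-path: /etc/php/7.1/fpm/pool.d/www.conf
-section: www
-option: user
-value: www-data
-backup: no
-
-- ini_file:
-path: /etc/php/7.1/fpm/pool.d/www.conf
-section: www
-option: group
-value: www-data
-backup: no
-
-- ini_file:
-path: /etc/php/7.1/fpm/php.ini
-section: PHP
-option: short_open_tag
-value: "On"
-backup: no
-
-- ini_file:
-path: /etc/php/7.1/fpm/php.ini
-section: PHP
-option: max_execution_time
-value: 300
-backup: no
-
-- ini_file:
-path: /etc/php/7.1/fpm/php.ini
-section: PHP
-option: max_input_time
-value: 300
-backup: no
-
-- ini_file:
-path: /etc/php/7.1/fpm/php.ini
-section: PHP
-option: memory_limit
-value: 512M
-backup: no
-
-- name: Restart php-fpm
-service: name=php7.1-fpm state=restarted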

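--- a/nginx+php-fpm7.1/roles/preinstall/tasks/main.yml
+++ b/nginx+php-fpm7.1/roles/preinstall/tasks/main.yml
@@ -1,12 +0,0 @@
----
-- name: Ensure packages are installed
-apt: name={{ item }} state=present update_cache=yes
-with_items:
-- python
-- mc
-- htop
-- iotop
-- wget
-- curl
-- set_fact:
-ansible_python_interpreter: /usr/bin/python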

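--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,10 @@
+# My useful ansible playbooks
+
+System management:
+
+- [Centralized SSH keys management](https://git.blindage.org/21h/ansible-library/src/branch/keys-ansible)
+- [Create systemd and upstart scripts](https://git.blindage.org/21h/ansible-library/src/branch/systemd-and-upstart)
+
+Web deployment:
+
+- [PHP 7.1 FPM + Nginx](https://git.blindage.org/21h/ansible-library/src/branch/nginx+php-fpm7.1)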

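--- a/systemd-and-upstart/inventory.ini
+++ b/systemd-and-upstart/inventory.ini
@@ -1,17 +0,0 @@
-[upstart:children]
-upstart-desktops
-upstart-servers
-
-[upstart-desktops]
-desk1204 ansible_host=10.9.0.50 ansible_user=vlad ansible_password=123 ansible_sudo_password=123
-desk1404 ansible_host=10.9.0.51 ansible_user=vlad ansible_password=123 ansible_sudo_password=123
-
-[upstart-servers]
-serv1204 ansible_host=10.9.0.48 ansible_user=vlad ansible_password=123 ansible_sudo_password=123
-serv1404 ansible_host=10.9.0.49 ansible_user=vlad ansible_password=123 ansible_sudo_password=123
-
-[systemd:children]
-systemd-desktops
-
-[systemd-desktops]
-desk1804 ansible_host=10.9.0.155 ansible_user=vlad ansible_password=123 ansible_sudo_password=123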

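--- a/systemd-and-upstart/roles/preinstall/tasks/main.yml
+++ b/systemd-and-upstart/roles/preinstall/tasks/main.yml
@@ -1,10 +0,0 @@
----
-- name: Minimum packages for Debian-like
-apt: name="{{ item }}" state=present update_cache=yes
-become: yes
-become_method: sudo
-with_items:
-- python
-- mc
-- htop
-when: preinstall is defined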

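--- a/systemd-and-upstart/roles/set_service/files/app.py
+++ b/systemd-and-upstart/roles/set_service/files/app.py
@@ -1,13 +0,0 @@
-import time
-import multiprocessing
-import child_process
-
-
-print("Hello world")
-
-processes = [None] * 4
-for i in range(4):
-processes[i] = multiprocessing.Process(target=child_process.run, args=(i,))
-processes[i].start()
-for i in range(4):
-processes[i].join()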

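--- a/systemd-and-upstart/roles/set_service/files/child_process.py
+++ b/systemd-and-upstart/roles/set_service/files/child_process.py
@@ -1,12 +0,0 @@
-import time
-import multiprocessing
-
-def test(info):
-while 1:
-print 'TEST', info[0], info[1]
-
-def run(proc_id):
-pool = multiprocessing.Pool(processes=4)
-pool.map(test, [(proc_id, i) for i in range(4)])
-pool.close()
-pool.join()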

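--- a/systemd-and-upstart/roles/set_service/tasks/main.yml
+++ b/systemd-and-upstart/roles/set_service/tasks/main.yml
@@ -1,30 +0,0 @@
----
-- name: Install app.py
-copy:
-src: files/app.py
-dest: /opt/app.py
-owner: root
-group: root
-mode: 0644
-
-- name: Install child_process.py
-copy:
-src: files/child_process.py
-dest: /opt/child_process.py
-owner: root
-group: root
-mode: 0644
-
-- name: Create service file for upstart Ubuntu versions
-template: src=upstart-service.template.j2 dest=/etc/init/{{service_name}}.conf backup=no mode=0644
-when: ansible_distribution == 'Ubuntu' and (ansible_distribution_version == "14.04" or ansible_distribution_version == "12.04")
-
-- name: Create service file for systemd Ubuntu versions
-template: src=systemd-service.template.j2 dest=/etc/systemd/system/{{service_name}}.service backup=no mode=0644
-when: ansible_distribution == 'Ubuntu' and (ansible_distribution_version == "16.04" or ansible_distribution_version == "18.04")
-
-- name: Enable service {{ service_name }}
-service: name={{ service_name }} enabled=yes
-
-- name: Start service {{ service_name }}
-service: name={{ service_name }} state=restarted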

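--- a/systemd-and-upstart/roles/set_service/templates/systemd-service.template.j2
+++ b/systemd-and-upstart/roles/set_service/templates/systemd-service.template.j2
@@ -1,15 +0,0 @@
-[Unit]
-Description={{service_description}}
-Requires=network.target
-After=syslog.target network.target
-TimeoutStopSpec=60
-[Service]
-Type=simple
-ExecStart={{interpretator}} {{installation_path}}/app.py
-ExecReload=/bin/kill -HUP $MAINPID
-WorkingDirectory={{installation_path}}
-User=vlad
-Restart=always
-RestartSec=30
-[Install]
-WantedBy=multi-user.target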

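--- a/systemd-and-upstart/roles/set_service/templates/upstart-service.template.j2
+++ b/systemd-and-upstart/roles/set_service/templates/upstart-service.template.j2
@@ -1,25 +0,0 @@
-description "{{ service_description }}"
-
-start on runlevel [2345]
-stop on runlevel [!2345]
-
-expect fork
-kill timeout 60 # when upstart issued a stop, send SIGTERM, wait 60 sec before sending SIGKILL
-
-respawn
-respawn limit 5 30 #try 5 times within 60 seconds, or giveup
-
-script
-echo $$ > {{installation_path}}/app.pid
-exec {{ interpretator }} {{ installation_path}}/app.py
-end script
-
-pre-start script
-touch {{installation_path}}/app.log
-echo "\n[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Starting" >> {{installation_path}}/app.log
-end script
-
-pre-stop script
-rm -f {{installation_path}}/app.pid
-echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Stopping" >> {{installation_path}}/app.log
-end script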

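--- a/systemd-and-upstart/roles/set_service/vars/main.yml
+++ b/systemd-and-upstart/roles/set_service/vars/main.yml
@@ -1,4 +0,0 @@
-service_name: app
-service_description: my app.py
-installation_path: /opt
-interpretator: /usr/bin/python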

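--- a/systemd-and-upstart/roles/test/tasks/main.yml
+++ b/systemd-and-upstart/roles/test/tasks/main.yml
@@ -1,4 +0,0 @@
----
-- name: test
-debug:
-msg: "OS Version: {{ansible_distribution }} {{ansible_distribution_release}} {{ansible_distribution_version}}"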

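--- a/systemd-and-upstart/services.yml
+++ b/systemd-and-upstart/services.yml
@@ -1,6 +0,0 @@
-- hosts: all
-roles:
-- test
-- preinstall
-- { role: set_service, become: yes }
-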
