.gitignore

@@ -1,7 +1,4 @@
-.ansible_vault
-.bitwarden
 environments
-*.log
 .playbook
 .vagrant
 .vscode

Makefile

@@ -1,9 +0,0 @@
-all: vagrant
-
-vagrant:
-	vagrant up --no-destroy-on-error --no-color | tee ./vagrantup.log
-	./scripts/forward-ssh.sh
-
-clean:
-	vagrant destroy -f --no-color
-	rm -rf .vagrant ./*.log

README.md

@@ -1,29 +1,15 @@
 # Free I.T. Athen's Infrastructure
 This project is used to develop Ansible for deploying and maintaining websites
-and services operated by Free I.T. Athens (FRITA).
+and services operated by Free I.T. Athens.
 
-- Requires GNU Make, Ansible, and Vagrant on the host
+- Requires Ansible and Vagrant on the host
 
 ## Quick Start
 1. Clone this project
-2. Run `make` to provision a Debian 11 base box
+2. Run `vagrant up` to provision a Debian 11 base box
-3. Go to
-    - [Traefik Dashboard](https://traefik.local.freeitathens.org:8443/dashboard/#/)
-    - [WordPress](https://www.local.freeitathens.org)
-4. Click through the HTTPS security warning
-
-## Production
-1. Clone [production-env](https://github.com/freeitathens/production-env/) to `./environments`
-2. Run `./scripts/vault-key.sh` from the root of the project to obtain the Ansible Vault password
-3. Enter the Bitwarden Master Password
-4. Run `ansible-playbook` against the production servers, e.g.,
-    ```
-    ansible-playbook -u root -i environments/production --vault-pass-file ./.ansible_vault webserver.yml --check
-    ```
-5. Delete the `.ansible_vault` file when you are done
 
 ## Authors
-* **Kris Lamoureux** - *Project Founder* - [@krislamo](https://github.com/krislamo)
+* **Kris Lamoureux** - *Project Founder* - @[krislamo](https://github.com/krislamo)
 
 ## Copyrights and Licenses
 Copyright (C) 2019, 2020, 2022  Free I.T. Athens

dev/vars/webserver.yml

@@ -1,46 +1,5 @@
-###############
-### Secrets ###
-###############
-secret:
-  WORDPRESS_DB_PASSWORD: WPpa55w0rd!
-
-##############
-### Docker ###
-##############
 docker_users:
   - vagrant
 
-################
+webserver_env:
-#### MariaDB ###
+  TRAEFIK_DOMAIN: traefik.example.org
-################
-databases:
-  - name: wordpress
-    pass: "{{ secret.WORDPRESS_DB_PASSWORD }}"
-
-#######################
-### Webserver Stack ###
-#######################
-webserver:
-  ###############
-  ### Traefik ###
-  ###############
-  #TRAEFIK_VERSION: latest
-  #TRAEFIK_ROOT_DOMAIN: local.freeitathens.org
-  #TRAEFIK_DOMAIN: traefik.local.freeitathens.org
-  #TRAEFIK_DASHBOARD: true
-  #TRAEFIK_EXPOSED_DEFAULT: false
-  #TRAEFIK_WEB_ENABLED: true
-  TRAEFIK_DEBUG: true
-  TRAEFIK_ACME_PROVIDER: dreamhost
-  TRAEFIK_ACME_CASERVER: https://acme-v02.api.letsencrypt.org/directory
-  TRAEFIK_ACME_EMAIL: frita@example.org
-
-  #################
-  ### WordPress ###
-  #################
-  #WORDPRESS_VERSION: latest
-  #WORDPRESS_DOMAIN: www.local.freeitathens.org
-  #WORDPRESS_DB_HOST: host.docker.internal
-  #WORDPRESS_DB_NAME: wordpress
-  #WORDPRESS_DB_USER: wordpress
-  WORDPRESS_DB_PASSWORD: "{{ secret.WORDPRESS_DB_PASSWORD }}"

dev/webserver.yml

@@ -4,6 +4,5 @@
   vars_files:
     - vars/webserver.yml
   roles:
-    - common
     - docker
     - webserver

roles/common/tasks/main.yml

@@ -1,30 +0,0 @@
-- name: Create Ansible's temporary remote directory
-  ansible.builtin.file:
-    path: "~/.ansible/tmp"
-    state: directory
-    mode: 0700
-
-- name: Install the Uncomplicated Firewall
-  ansible.builtin.apt:
-    name: ufw
-    state: present
-    update_cache: true
-
-- name: Deny incoming traffic by default
-  community.general.ufw:
-    default: deny
-    direction: incoming
-
-- name: Allow outgoing traffic by default
-  community.general.ufw:
-    default: allow
-    direction: outgoing
-
-- name: Allow OpenSSH with rate limiting
-  community.general.ufw:
-    name: ssh
-    rule: limit
-
-- name: Enable firewall
-  community.general.ufw:
-    state: enabled

roles/docker/tasks/main.yml

@@ -2,6 +2,7 @@
   ansible.builtin.apt:
     name: ['docker.io', 'docker-compose']
     state: present
+    update_cache: true
 
 - name: Create docker-compose root
   ansible.builtin.file:

roles/webserver/defaults/main.yml

@@ -1,4 +1 @@
 webserver_root: "{{ docker_compose_root }}/webserver"
-mariadb_trust:
-  - "172.16.0.0/12"
-  - "192.168.0.0/16"

roles/webserver/files/docker-compose.yml

@@ -1,8 +1,5 @@
 version: '3.5'
 
-volumes:
-  wordpress:
-
 networks:
   traefik:
     name: traefik
@@ -10,67 +7,26 @@ networks:
 services:
   traefik:
     image: traefik:${TRAEFIK_VERSION:-latest}
-    restart: always
     command:
       - --api.dashboard=${TRAEFIK_DASHBOARD:-true}
       - --api.debug=${TRAEFIK_DEBUG:-false}
-      - --log.level=${TRAEFIK_LOG_LEVEL:-ERROR}
       - --providers.docker=true
-      - --providers.docker.exposedbydefault=${TRAEFIK_EXPOSED_DEFAULT:-false}
       - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --entrypoints.local.address=:8443
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
       - --entrypoints.web.http.redirections.entrypoint.permanent=true
-      - --certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}
+      - --entrypoints.websecure.address=:443
-      - --certificatesresolvers.letsencrypt.acme.storage=/etc/letsencrypt/acme.json
+      - --entrypoints.local.address=:8443
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER}
-      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
-      - --certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}
-    environment:
-      DREAMHOST_API_KEY: ${TRAEFIK_DREAMHOST_APIKEY}
     ports:
       - 80:80
       - 443:443
       - "127.0.0.1:8443:8443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./.acme:/etc/letsencrypt
     labels:
       traefik.http.routers.api.rule: Host(`${TRAEFIK_DOMAIN:-traefik.local.freeitathens.org}`)
       traefik.http.routers.api.entrypoints: local
       traefik.http.routers.api.service: api@internal
       traefik.http.routers.api.tls: true
-      traefik.http.routers.api.tls.certresolver: letsencrypt
-      traefik.http.routers.api.tls.domains[0].main: ${TRAEFIK_ACME_DOMAIN_MAIN:-local.freeitathens.org}
-      traefik.http.routers.api.tls.domains[0].sans: "${TRAEFIK_ACME_DOMAIN_SANS:-*.local.freeitathens.org}"
-      traefik.enable: ${TRAEFIK_WEB_ENABLED:-true}
     networks:
       - traefik
-
-  wordpress:
-    image: wordpress:${WORDPRESS_VERSION:-latest}
-    restart: always
-    environment:
-      WORDPRESS_DB_HOST: ${WORDPRESS_DB_HOST:-host.docker.internal}
-      WORDPRESS_DB_NAME: ${WORDPRESS_DB_NAME-wordpress}
-      WORDPRESS_DB_USER: ${WORDPRESS_DB_USER:-wordpress}
-      WORDPRESS_DB_PASSWORD: ${WORDPRESS_DB_PASSWORD}
-    labels:
-      traefik.http.routers.wordpress.rule: Host(`${WORDPRESS_DOMAIN:-www.local.freeitathens.org}`)
-      traefik.http.routers.wordpress.entrypoints: websecure
-      traefik.http.routers.wordpress.tls: true
-      traefik.http.routers.wordpress.tls.certresolver: letsencrypt
-      traefik.http.routers.wordpress.tls.domains[0].main: ${TRAEFIK_ACME_DOMAIN_MAIN:-local.freeitathens.org}
-      traefik.http.routers.wordpress.tls.domains[0].sans: "${TRAEFIK_ACME_DOMAIN_SANS:-*.local.freeitathens.org}"
-      traefik.http.services.wordpress.loadbalancer.server.port: 80
-      traefik.docker.network: traefik
-      traefik.enable: ${WORDPRESS_WEB_ENABLED:-true}
-    volumes:
-      - wordpress:/var/www/html
-    networks:
-      - traefik
-    extra_hosts:
-      - host.docker.internal:host-gateway

roles/webserver/handlers/main.yml

@@ -3,9 +3,3 @@
   args:
     chdir: "{{ webserver_root }}"
   listen: composeup_webserver
-
-- name: Restart MariaDB
-  ansible.builtin.service:
-    name: mariadb
-    state: restarted
-  listen: restart_mariadb

roles/webserver/tasks/main.yml

@@ -3,37 +3,6 @@
     name: mariadb-server
     state: present
 
-- name: Change the bind-address to allow Docker
-  ansible.builtin.lineinfile:
-    path: /etc/mysql/mariadb.conf.d/50-server.cnf
-    regex: "^bind-address"
-    line: "bind-address            = 0.0.0.0"
-  notify: restart_mariadb
-
-- name: Install MySQL Support for Python 3
-  ansible.builtin.apt:
-    name: python3-pymysql
-    state: present
-
-- name: Create MariaDB databases
-  community.mysql.mysql_db:
-    name: "{{ item.name }}"
-    state: present
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-  loop: "{{ databases }}"
-  no_log: "{{ item.pass is defined }}"
-
-- name: Create MariaDB users
-  community.mysql.mysql_user:
-    name: "{{ item.name }}"
-    password: "{{ item.pass }}"
-    host: '%'
-    state: present
-    priv: "{{ item.name }}.*:ALL"
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-  loop: "{{ databases }}"
-  no_log: "{{ item.pass is defined }}"
-
 - name: Create webserver docker-compose directory
   ansible.builtin.file:
     path: "{{ webserver_root }}"
@@ -53,20 +22,3 @@
     dest: "{{ webserver_root }}/.env"
     mode: 0600
   notify: composeup_webserver
-
-- name: Allow MariaDB database connections
-  community.general.ufw:
-    rule: allow
-    port: 3306
-    proto: tcp
-    src: "{{ item }}"
-  loop: "{{ mariadb_trust }}"
-
-- name: Add HTTP and HTTPS firewall rule
-  community.general.ufw:
-    rule: allow
-    port: "{{ item }}"
-    proto: tcp
-  loop:
-    - "80"
-    - "443"

roles/webserver/templates/compose-env.j2

@@ -1,4 +1,4 @@
 # {{ ansible_managed }}
-{% for key, value in webserver.items() %}
+{% for key, value in webserver_env.items() %}
 {{ key }}={{ value }}
 {% endfor %}

scripts/forward-ssh.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-# Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
-PRIVATE_KEY="$(find .vagrant -name "private_key")"
-HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)"
-MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
-
-function ssh_connect {
-  sudo ssh -fNT -i "$PRIVATE_KEY" \
-    -L 8443:localhost:8443 \
-    -L 80:localhost:80 \
-    -L 443:localhost:443 \
-    -o UserKnownHostsFile=/dev/null \
-    -o StrictHostKeyChecking=no \
-      vagrant@"${HOST_IP::-1}" 2>/dev/null
-}
-
-set -x
-if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
-  ssh_connect
-else
-  pgrep -f "$MATCH_PATTERN" | xargs sudo kill -9
-  ssh_connect
-fi
-set +x

scripts/vault-key.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-BW_USERNAME="contact@freeitathens.org"
-ANSIBLE_VAULT_ITEM="e16b2542-f6c1-4e9f-8e33-af5201574a15"
-
-# Does the key already exist?
-if [ -f .ansible_vault ]; then
-  echo "Ansible Vault file already exists at ./.ansible_vault"
-  exit 1
-fi
-
-# Install Bitwarden CLI binary to ./.bitwarden/bw
-if [ ! -d .bitwarden ]; then
-  mkdir .bitwarden
-  cd .bitwarden || exit 1
-  wget "https://vault.bitwarden.com/download/?app=cli&platform=linux" -O bw-linux.zip
-  unzip bw-linux.zip
-  rm bw-linux.zip
-  chmod u+x bw
-else
-  cd .bitwarden || exit 1
-fi
-
-# Get Master Password to unlock vault
-read -rsp "Master Password: " BW_PASSWORD
-export BW_PASSWORD
-echo
-
-# Login
-LOGIN_RESPONSE=$(./bw login "$BW_USERNAME" "$BW_PASSWORD" --response --nointeraction)
-if [ ! "$(echo "$LOGIN_RESPONSE" | jq -r .success)" == "true" ]; then
-  echo "$LOGIN_RESPONSE" | jq -r .message
-  exit 1
-fi
-
-# Unlock
-UNLOCK_RESPONSE=$(./bw unlock --passwordenv BW_PASSWORD --response --nointeraction)
-if [ ! "$(echo "$UNLOCK_RESPONSE" | jq -r .success)" == "true" ]; then
-  echo "$UNLOCK_RESPONSE" | jq -r .message
-  exit 1
-fi
-
-# Trade password for session
-unset BW_PASSWORD
-BW_SESSION=$(echo "$UNLOCK_RESPONSE" | jq -r .data.raw)
-export BW_SESSION
-
-# Place Ansible Vault secret and logout
-./bw get password "$ANSIBLE_VAULT_ITEM" --response --nointeraction | jq -r .data.data > ../.ansible_vault
-truncate -s -1 ../.ansible_vault
-chmod 600 ../.ansible_vault
-./bw logout --quiet

webserver.yml

@@ -2,6 +2,5 @@
   hosts: all
   become: true
   roles:
-    - common
     - docker
     - webserver