Kris Lamoureux
d2473533d5
- Upgrade base OS from Debian 11 to Rocky Linux 9 - Configure 100GB XFS filesystem with auto-expansion - Replace Docker with rootless Podman for improved security - Add nginx reverse proxy for non-privileged port handling - Move the Traefik dashboard from port 8443 to 9443 - Configure SELinux contexts for container operations
97 lines
2.2 KiB
YAML
97 lines
2.2 KiB
YAML
- name: Install MariaDB Server
|
|
ansible.builtin.dnf:
|
|
name: mariadb-server
|
|
state: present
|
|
|
|
- name: Change the bind-address to allow Docker
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/my.cnf.d/mariadb-server.cnf
|
|
regex: "^bind-address"
|
|
line: "bind-address = 0.0.0.0"
|
|
notify: restart_mariadb
|
|
|
|
- name: Start and enable MariaDB service
|
|
ansible.builtin.systemd:
|
|
name: mariadb
|
|
state: started
|
|
enabled: true
|
|
|
|
- name: Install MySQL Support for Python 3
|
|
ansible.builtin.dnf:
|
|
name: python3-PyMySQL
|
|
state: present
|
|
|
|
- name: Create MariaDB databases
|
|
community.mysql.mysql_db:
|
|
name: "{{ item.name }}"
|
|
state: present
|
|
login_unix_socket: /var/lib/mysql/mysql.sock
|
|
loop: "{{ databases }}"
|
|
no_log: true
|
|
|
|
- name: Create MariaDB users
|
|
community.mysql.mysql_user:
|
|
name: "{{ item.name }}"
|
|
password: "{{ item.pass }}"
|
|
host: "%"
|
|
state: present
|
|
priv: "{{ item.name }}.*:ALL"
|
|
login_unix_socket: /var/lib/mysql/mysql.sock
|
|
loop: "{{ databases }}"
|
|
no_log: true
|
|
|
|
- name: Create webserver stack directory
|
|
ansible.builtin.file:
|
|
path: /home/oci/webserver
|
|
state: directory
|
|
mode: "700"
|
|
owner: oci
|
|
group: oci
|
|
|
|
- name: Install webserver compose file
|
|
ansible.builtin.copy:
|
|
src: docker-compose.yml
|
|
dest: /home/oci/webserver/compose.yml
|
|
mode: "600"
|
|
owner: oci
|
|
group: oci
|
|
notify: Start podman compose project
|
|
|
|
- name: Generate webserver environment configuration
|
|
ansible.builtin.template:
|
|
src: compose-env.j2
|
|
dest: /home/oci/webserver/.env
|
|
mode: "400"
|
|
owner: oci
|
|
group: oci
|
|
notify: Start podman compose project
|
|
|
|
- name: Install nginx
|
|
ansible.builtin.dnf:
|
|
name: ["nginx", "nginx-mod-stream"]
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Deploy nginx proxy config
|
|
ansible.builtin.copy:
|
|
src: nginx.conf
|
|
dest: /etc/nginx/nginx.conf
|
|
mode: "644"
|
|
notify: Restart nginx
|
|
|
|
- name: Allow HTTP and HTTPS in firewall
|
|
ansible.posix.firewalld:
|
|
service: "{{ item }}"
|
|
permanent: true
|
|
state: enabled
|
|
immediate: true
|
|
loop:
|
|
- http
|
|
- https
|
|
|
|
- name: Start and enable nginx
|
|
ansible.builtin.systemd:
|
|
name: nginx
|
|
state: started
|
|
enabled: true
|