From ce376696abc326386feac52b71fb234bca26320b Mon Sep 17 00:00:00 2001
From: Paul Trowbridge
Date: Thu, 3 Aug 2023 15:57:00 -0400
Subject: [PATCH] update
---
 nginx_pg_subdomain.yml | 64 ++++++++++++++++++++++++++++++++++++++++++
 use_tps_add.yml | 57 +++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 nginx_pg_subdomain.yml
 create mode 100644 use_tps_add.yml
diff --git a/nginx_pg_subdomain.yml b/nginx_pg_subdomain.yml
new file mode 100644
index 0000000..719aec5
--- /dev/null
+++ b/nginx_pg_subdomain.yml
@@ -0,0 +1,64 @@
+---
+- name: Configure Nginx for Subdomain
+ hosts: servers
+ become: true
+
+ tasks:
+ - name: Create Nginx sites-available directory if it doesn't exist
+ file:
+ path: /etc/nginx/sites-available
+ state: directory
+ mode: '0755'
+ become: yes
+
+ - name: Create Nginx sites-enabled directory if it doesn't exist
+ file:
+ path: /etc/nginx/sites-enabled
+ state: directory
+ mode: '0755'
+ become: yes
+
+ - name: Create empty pg.usmidsap02 file if it doesn't exist
+ file:
+ path: /etc/nginx/sites-available/pg.usmidsap02
+ state: touch
+ mode: '0644'
+ become: yes
+
+ - name: Create Nginx configuration for the subdomain
+ become: yes
+ blockinfile:
+ path: /etc/nginx/sites-available/pg.usmidsap02
+ block: |
+ server {
+ listen 5432;
+ server_name pg.usmidsap02;
+ location / {
+ proxy_pass http://127.0.0.1:5432;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+ marker: "# {mark} ANSIBLE MANAGED BLOCK - pg.usmidsap02"
+
+ - name: Create a symbolic link to enable the site
+ become: yes
+ file:
+ src: /etc/nginx/sites-available/pg.usmidsap02
+ dest: /etc/nginx/sites-enabled/pg.usmidsap02
+ state: link
+
+ - name: Check Nginx configuration
+ become: yes
+ command: nginx -t
+ register: nginx_test
+ ignore_errors: true
+
+ - name: Reload Nginx if configuration is valid
+ become: yes
+ systemd:
+ name: nginx
+ state: reloaded
+ when: nginx_test.rc == 0
+
diff --git a/use_tps_add.yml b/use_tps_add.yml
new file mode 100644
index 0000000..f71b25a
--- /dev/null
+++ b/use_tps_add.yml
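Review bot: The `server {}` block written by the blockinfile task is an HTTP reverse proxy (`location /` with `proxy_pass http://127.0.0.1:5432`) in front of a backend on the PostgreSQL port, and a PostgreSQL client speaks its own wire protocol rather than HTTP, so this proxy will not carry those connections; if TCP passthrough is the intent, nginx needs a `stream { server { listen 5432; proxy_pass 127.0.0.1:5432; } }` block in the main config (requires the stream module), and that cannot live under `sites-enabled`, which the stock config includes inside `http {}`. Binding nginx to `listen 5432` on every interface while the upstream already listens on 127.0.0.1:5432 is also likely to fail with an address-in-use error at reload (`nginx -t` does not bind, so the `rc == 0` guard will not catch it), and if it did bind it would expose the database port beyond the host — restrict `listen` to the intended address and add `allow`/`deny` rules for the permitted clients. The `state: touch` task reports a change on every run; `blockinfile` with `create: true` creates the file itself and keeps the play idempotent. Style: `become: yes` on each task mixes truthy spellings with the play-level `become: true` and is redundant once it is set on the play.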
@@ -0,0 +1,57 @@
+---
+- name: Add user 'tps' with sudo ability and SSH key
+ hosts: servers
+ become: true
+
+ vars_prompt:
+ - name: tps_password
+ prompt: "Enter the password for 'tps' user:"
+ private: yes
+
+ tasks:
+ - name: Create the 'tps' user
+ user:
+ name: tps
+ state: present
+ shell: /bin/bash
+ createhome: yes
+
+ - name: Set password for 'tps' user
+ ansible.builtin.shell: echo "tps:{{ tps_password | password_hash('sha512', 'mysecretsalt') }}" | chpasswd
+
+ - name: Generate RSA SSH key pair for 'tps' user (if not already generated)
+ ansible.builtin.shell: ssh-keygen -t rsa -b 4096 -C "tps@{{ ansible_hostname }}" -f "/home/tps/.ssh/id_rsa" creates="/home/tps/.ssh/id_rsa"
+
+ - name: Set appropriate permissions for 'tps' user's SSH directory
+ ansible.builtin.file:
+ path: /home/tps/.ssh
+ state: directory
+ mode: "0700"
+ owner: tps
+ group: tps
+
+ - name: Read the public key content
+ ansible.builtin.slurp:
+ src: /home/tps/.ssh/id_rsa.pub
+ register: public_key_file
+
+ - name: Add 'tps' user to sudoers
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers
+ line: 'tps ALL=(ALL:ALL) ALL'
+ validate: 'visudo -cf %s'
+
+ - name: Add the public key to Gitea using the API with the access token
+ ansible.builtin.uri:
+ url: "https://gitea.hptrow.me/api/v1/user/keys"
+ method: POST
+ headers:
+ Authorization: "a3b03005781823a4fc0c4b435269408d94e0e2f8"
+ Content-Type: "application/json"
+ body_format: json
+ body:
+ title: "tps-{{ ansible_hostname }}"
+ key: "{{ public_key_file.content | b64decode }}"
+ status_code: 201
+ delegate_to: localhost
+
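Review bot: The `Authorization:` header of the Gitea `uri` task carries a literal personal access token, so the credential is now committed to the repository and its history; it should be treated as exposed and rotated, and the task should read it from a vaulted variable or the environment, e.g. `Authorization: "token {{ gitea_token }}"` with `no_log: true` on the task (Gitea's API expects a `token ` or `Bearer ` scheme prefix, so the bare value as written likely fails authentication anyway — verify against the server). The password is set in a separate `ansible.builtin.shell` step that pipes `echo "tps:<hash>"` into `chpasswd` with the fixed salt `'mysecretsalt'`, which puts the hash on the command line and in task output and makes identical passwords hash identically across hosts; the `user` module's own `password: "{{ tps_password | password_hash('sha512') }}"` (random salt) replaces that task and keeps the play idempotent. The `ssh-keygen` shell task runs before the task that creates `/home/tps/.ssh` and runs as root, so on a fresh host it fails because `ssh-keygen` does not create the parent directory, and where the directory already exists it leaves root-owned key files that the later non-recursive `file` task does not fix — `generate_ssh_key: true` with `ssh_key_bits: 4096` on the `user` task creates the key pair with correct ownership and removes the ordering problem. Appending to `/etc/sudoers` with `lineinfile` is safe only because of `validate`; a dedicated `/etc/sudoers.d/tps` file with `mode: "0440"` is the conventional, easier-to-revert placement.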