add basic ansible automation

ansible/ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+hostfile = hosts
+stdout_callback=debug
+stderr_callback=debug

ansible/hosts

@@ -0,0 +1,2 @@
+[madlambda]
+127.0.0.1

ansible/madlambda.yml

@@ -0,0 +1,120 @@
+---
+- hosts: all
+  connection: local
+  tasks:
+  - name: create madlambda group
+    group:
+      name: madlambda
+
+  - name: create i4k user
+    user:
+      name: i4k
+      uid: 1337
+      groups: madlambda
+      append: yes
+
+  - name: prepare src dir
+    file:
+      path: /root/src
+      state: directory
+      mode: '0755'
+
+  - name: clean unit source
+    file:
+      path: /root/src/unit
+      state: absent
+
+  - name: install basic dependencies
+    apt:
+      update_cache: yes
+      state: latest
+      pkg:
+        - mercurial
+        - git
+        - build-essential
+        - libssl-dev
+        - python-dev
+        - php-dev
+        - libphp-embed
+        - golang-go
+        - jq
+        - certbot
+        - wget
+
+  - name: configure mercurial
+    copy:
+      dest: /root/.hgrc
+      content: |
+        [ui]
+        username = root <[email protected]>
+
+        color =
+
+        [extensions]
+        mq =
+        purge =
+
+        [diff]
+        showfunc = True
+
+  - name: clone unit
+    shell: hg clone http://hg.nginx.org/unit/
+    args:
+      chdir: /root/src
+
+  - name: apply unit TLS patch
+    shell: |
+      wget -O tls-config.patch https://gist.githubusercontent.com/tiago4orion/a3a993c96813f691b9a417193a3ad54e/raw/280459007c2ee21b4b2895812cd9cb2652455530/tls-config.patch
+      hg qimport -n tls-config tls-config.patch
+      hg qpush
+    args:
+      chdir: /root/src/unit
+
+  - name: build unit (php, python and go)
+    shell: |
+      make clean || true
+      ./configure --cc-opt="-O3" --prefix=/usr/local/unit --tests --openssl
+      ./configure php
+      ./configure python
+      GOPATH=/root/src/unit/build/go ./configure go
+      make tests
+      ./build/tests
+      make
+      python3 ./test/run.py
+      make install
+    args:
+      chdir: /root/src/unit
+
+  - name: init i4k dir
+    become_user: i4k
+    file:
+      path: /home/i4k/src
+      state: directory
+      mode: '0755'
+
+  - name: remove i4k sources
+    become_user: i4k
+    file:
+      path: /home/i4k/src/i4k.madlambda.io
+      state: absent
+
+  - name: install i4k stuff
+    become_user: i4k
+    shell: git clone https://github.com/tiago4orion/i4k.madlambda.io.git
+    args:
+      chdir: /home/i4k/src
+
+  - name: install madlambda.io
+    shell: ./install.sh
+    args:
+      chdir: /root/src/madlambda.io
+
+  - name: stop && start unit
+    shell: |
+      systemctl stop unit || true
+      systemctl start unit
+
+  - name: configure madlambda.io
+    shell: ./unit/apply.sh
+    args:
+      chdir: /root/src/madlambda.io

unit/apply.sh

@@ -47,13 +47,23 @@ if ! $CURL -XGET 127.0/certificates/madlambda.io | jq -e ".chain" >/dev/null; th
 	fi
 fi
 
+cat > tls.json << EOF
+{
+	"certificate": "madlambda.io",
+	"protocols": ["SSLv2", "SSLv3", "TLSv1.2", "TLSv1.3"],
+	"ciphers": "HIGH:!aNULL:!MD5"
+}
+EOF
+
 if ! $CURL -XPUT '127.0/config/listeners/*:443/tls' \
-	--data-binary '{"certificate": "madlambda.io"}' | jq -e ".success"; then
+		--data-binary @tls.json | jq -e ".success"; then
 
 	echo "failed to apply certificate to listener *:443"
 	exit 1
 fi
 
+rm -f tls.json
+
 cd unit/apps
 
 for name in $(ls); do

unit/config.json

@@ -14,7 +14,7 @@
 			"user": "root",
 			"group": "root",
 			"module": "wsgi",
-			"path": "/root/madlambda.io/apps/redirect-to-https"
+			"path": "/root/src/madlambda.io/apps/redirect-to-https"
 		}
 	},
 	"settings": {

unit/routes.d/i4k.json

@@ -3,6 +3,6 @@
 		"host": "i4k.madlambda.io"
 	},
 	"action": {
-		"share": "/home/i4k/i4k.madlambda.io/www"
+		"share": "/home/i4k/src/i4k.madlambda.io/www"
 	}
 }