
:bug: fix assets server deploy

Jeremy Zheng 4 лет назад
Родитель
Сommit
347c404cc5

+ 3 - 3
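--- a/deploy/README.md
+++ b/deploy/README.md
@@ -18,11 +18,11 @@ ssh-copy-id -i .ssh/id_ed25519 USER@HOST
 
 ```bash
 # test ssh connections
-peony -i staging ping.yml
+peony -i clients/CLUSTER ping.yml
 # run on all hosts
-peony -i staging pi.yml
+peony -i clients/CLUSTER ping.yml
 # run on only group
-peony -i staging pi.yml -l GROUP
+peony -i clients/CLUSTER ping.yml -l GROUP
 ```
 
 ## System image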

+ 3 - 1
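--- a/deploy/group_vars/all.yml
+++ b/deploy/group_vars/all.yml
@@ -3,6 +3,8 @@ ansible_python_interpreter: /usr/bin/python3
 ansible_ssh_private_key_file: "{{ inventory_dir }}/.ssh/id_ed25519"
 #ansible_ssh_private_key_file: "{{inventory_dir}}/.ssh/id_rsa"
 
-app_www_deploy_target: "/var/www/{{ inventory_hostname }}/{{ ansible_date_time.iso8601_basic }}"
+app_deploy_target: "/var/www/{{ inventory_hostname }}/{{ ansible_date_time.iso8601_basic }}"
+app_downloads: "{{ ansible_env.HOME }}/downloads"
+app_backup: "{{ ansible_env.HOME }}/backups"
 app_python_version: "3.11"
 app_php_version: "8.0"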

+ 4 - 2
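--- a/deploy/mint.yml
+++ b/deploy/mint.yml
@@ -1,18 +1,20 @@
 - hosts: all
   roles:
-    - os
     - ubuntu
+    - os
     - python3
     - php
-    - mint-clone
 
 - hosts: www
   roles:
+    - mint-clone
     - mint-www
+    - certbot-nginx
 
 - hosts: assets
   roles:
     - mint-assets
+    - certbot-nginx
 
 - hosts: db
   roles: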

+ 23 - 0
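--- /dev/null
+++ b/deploy/roles/certbot-nginx/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Remove file nginx default host
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: add Let's Encrypt support
+  become: true
+  ansible.builtin.shell:
+    cmd: certbot --non-interactive --agree-tos -m {{ app_master_email }}
+
+- name: restart nginx
+  become: true
+  ansible.builtin.systemd:
+    state: restarted
+    name: nginx
+
+- name: enable certbot sync
+  become: true
+  ansible.builtin.cron:
+    name: "renew certbot every month"
+    special_time: monthly
+    job: "/usr/bin/certbot renew --force-renewal"
+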
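Review bot: The `add Let's Encrypt support` task (`cmd: certbot --non-interactive --agree-tos -m {{ app_master_email }}`) names neither an authenticator/installer plugin nor a domain, and in `--non-interactive` mode certbot cannot prompt for them, so I would expect it to exit with a missing-flag error rather than issue a certificate for `{{ inventory_hostname }}` — please verify on a staging host. It is also not idempotent (certbot is invoked on every play), it uses `shell` where no shell features are needed, and `Remove file nginx default host` is the only task in the file without `become: true` even though `/etc/nginx/sites-enabled/default` is root-owned. The monthly `certbot renew --force-renewal` cron reissues the certificate whether or not it is near expiry, which counts against Let's Encrypt's duplicate-certificate rate limit, and without a deploy hook nginx keeps serving the old certificate until something else restarts it; the packaged certbot on Ubuntu already ships a systemd timer for plain `certbot renew`, so this job is either redundant or should drop `--force-renewal` and reload nginx. A minimal rework of the three affected tasks:
```yaml
- name: Remove file nginx default host
  become: true
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent

- name: add Let's Encrypt support
  become: true
  ansible.builtin.command:
    cmd: >-
      certbot --nginx -d {{ inventory_hostname }} --non-interactive --agree-tos
      -m {{ app_master_email }} --redirect
    creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"

# … unchanged: restart nginx …

- name: enable certbot sync
  become: true
  ansible.builtin.cron:
    name: "renew certbot every month"
    special_time: monthly
    job: "/usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
```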

+ 11 - 6
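--- a/deploy/roles/mint-assets/tasks/main.yml
+++ b/deploy/roles/mint-assets/tasks/main.yml
@@ -1,16 +1,21 @@
+# - name: Upload assets folder
+#   become: true
+#   ansible.builtin.copy:
+#     src: public
+#     dest: /var/www/{{ inventory_hostname }}
+#     owner: www-data
+#     group: www-data
+
 - name: Upload assets folder
-  become: true
-  ansible.builtin.copy:
+  ansible.posix.synchronize:
     src: public
     dest: /var/www/{{ inventory_hostname }}
-    owner: www-data
-    group: www-data
 
 - name: upload nginx.conf
-  bacame: true
+  become: true
   ansible.builtin.template:
     src: nginx.conf.j2
-    dest: "/etc/nginx/sites-enabled/{{ inventory_hostname }}"
+    dest: "/etc/nginx/sites-enabled/{{ inventory_hostname }}.conf"
     owner: www-data
     group: www-data
     mode: '0400'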
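Review bot: The `upload nginx.conf` task installs the vhost with `owner: www-data` / `group: www-data`, so the nginx worker account — the one a web-application compromise would land in — owns a file that the root nginx master parses on every reload; `mode: '0400'` does not stop the owner from chmod-ing or replacing it. Config under `/etc/nginx` should be `owner: root`, `group: root`, `mode: '0644'`, as the package-shipped files are. Separately, `Upload assets folder` dropped `become` and the `www-data` ownership when it moved to `ansible.posix.synchronize`, so the files now land as the SSH user and rsync must already be able to write `/var/www/{{ inventory_hostname }}`; on `assets` hosts nothing in this commit creates that directory (`mint-clone`, which does, now runs only on `www`, and the `os` role's create-deploy-folder task was removed), so confirm it exists and is writable there. The commented-out copy task at the top should be deleted rather than kept as dead YAML.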

+ 1 - 1
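--- a/deploy/roles/mint-assets/templates/nginx.conf.j2
+++ b/deploy/roles/mint-assets/templates/nginx.conf.j2
@@ -3,7 +3,7 @@ server {
 
     gzip on;
     server_name {{ inventory_hostname }};
-    root /var/www/{{ inventory_hostname }};
+    root /var/www/{{ inventory_hostname }}/public;
 
     access_log off;
     error_log /var/log/nginx/{{ inventory_hostname }}.error.log warn;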

+ 9 - 9
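--- a/deploy/roles/mint-clone/main.yml
+++ b/deploy/roles/mint-clone/main.yml
@@ -1,4 +1,4 @@
-- name: Creates directory
+- name: Creates deploy directory
   become: true
   file:
     path: "/var/www/{{ inventory_hostname }}"
@@ -8,36 +8,36 @@
 - name: Git checkout source code
   ansible.builtin.git:
     repo: 'https://github.com/iapt-platform/mint.git'
-    dest: "{{ app_www_deploy_target }}"
+    dest: "{{ app_deploy_target }}"
     version: laravel
 
 - name: Install v2 php dependencies
   ansible.builtin.shell: composer install
   args:
-    chdir: "{{ app_www_deploy_target }}"
+    chdir: "{{ app_deploy_target }}"
 
 - name: Install v2 nodejs dependencies
   ansible.builtin.shell: npm install
   args:
-    chdir: "{{ app_www_deploy_target }}"
+    chdir: "{{ app_deploy_target }}"
 
 # TODO will remove in future
 - name: Install v1 php dependencies
   ansible.builtin.shell: composer install
   args:
-    chdir: "{{ app_www_deploy_target }}/public"
+    chdir: "{{ app_deploy_target }}/public"
 
 # TODO will remove in future
 - name: Install v1 nodejs dependencies
   ansible.builtin.shell: npm install
   args:
-    chdir: "{{ app_www_deploy_target }}/public"
+    chdir: "{{ app_deploy_target }}/public"
 
 - name: .env(v2)
   bacame: true
   ansible.builtin.template:
     src: env-v2.j2
-    dest: "{{ app_www_deploy_target }}/.env"
+    dest: "{{ app_deploy_target }}/.env"
     owner: www-data
     group: www-data
     mode: '0400'
@@ -47,7 +47,7 @@
   bacame: true
   ansible.builtin.template:
     src: config-v1.php.j2
-    dest: "{{ app_www_deploy_target }}/public/app/config.php"
+    dest: "{{ app_deploy_target }}/public/app/config.php"
     owner: www-data
     group: www-data
     mode: '0400'
@@ -57,7 +57,7 @@
   bacame: true
   ansible.builtin.template:
     src: config-v1.js.j2
-    dest: "{{ app_www_deploy_target }}/public/app/config.js"
+    dest: "{{ app_deploy_target }}/public/app/config.js"
     owner: www-data
     group: www-data
     mode: '0400'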
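Review bot: The three `bacame: true` lines (the `.env(v2)` task and the two config-v1 template tasks) are still misspelled here, while this commit fixes the same typo in `mint-assets` and `mint-www`; `bacame` is not a task keyword, so as far as I know Ansible rejects the play with "'bacame' is not a valid attribute for a Task" and the `.env`/config files are never written. Change each to `become: true`. The checkout also tracks the moving `laravel` branch and then runs `composer install` / `npm install` on whatever it received; pinning `version:` to a tag or commit would make a deploy reproducible and bound what an upstream push can introduce. The two config-v1 tasks begin before their hunks, so their `name:` lines are not visible here.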

+ 2 - 2
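--- a/deploy/roles/mint-www/tasks/main.yml
+++ b/deploy/roles/mint-www/tasks/main.yml
@@ -1,8 +1,8 @@
 - name: upload nginx.conf
-  bacame: true
+  become: true
   ansible.builtin.template:
     src: nginx.conf.j2
-    dest: "/etc/nginx/sites-enabled/{{ inventory_hostname }}"
+    dest: "/etc/nginx/sites-enabled/{{ inventory_hostname }}.conf"
     owner: www-data
     group: www-data
     mode: '0400'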
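Review bot: `owner: www-data` / `group: www-data` on the vhost config makes the nginx worker account the owner of a file the root nginx master reads on every reload, and `mode: '0400'` does not prevent the owner from changing the mode or replacing the file, so a compromised PHP or nginx worker could rewrite the server configuration; use `owner: root`, `group: root`, `mode: '0644'` as for the rest of `/etc/nginx`. The rename from `{{ inventory_hostname }}` to `{{ inventory_hostname }}.conf` also leaves the old un-suffixed file in `sites-enabled` on hosts deployed before this commit, giving nginx two `server` blocks with the same `server_name`; add a `file: state: absent` task for the old path or clean it by hand. There is no `notify` on this task, so the new file takes effect only when something else restarts nginx (here the `certbot-nginx` role).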

+ 1 - 1
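--- a/deploy/roles/mint-www/templates/nginx.conf.j2
+++ b/deploy/roles/mint-www/templates/nginx.conf.j2
@@ -3,7 +3,7 @@ server {
 
     gzip on;
     server_name {{ inventory_hostname }};
-    root {{ app_www_deploy_target }};
+    root {{ app_deploy_target }};
     client_max_body_size 16M;
 
     access_log off;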
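Review bot: `root {{ app_deploy_target }};` points the document root at the top of the git checkout, which is also where `mint-clone` writes `.env` (owned by `www-data`, mode 0400 — readable by the nginx worker) and where `.git/`, `composer.json` and the rest of the Laravel tree live, so unless a `location ~ /\.` deny rule exists further down the template, `https://host/.env` and `https://host/.git/config` are served as static files. For a Laravel checkout the root should be `{{ app_deploy_target }}/public`, which is also what this commit did to the `mint-assets` template. The `server {` block begins before this hunk, so the location rules are not visible here; `access_log off;` is pre-existing but worth revisiting, since it removes the only request trail an incident responder would have.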

+ 0 - 7
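--- a/deploy/roles/os/tasks/init.yml
+++ b/deploy/roles/os/tasks/init.yml
@@ -1,10 +1,3 @@
-- name: create deploy folder
-  become: true
-  ansible.builtin.file:
-    path: "{{ app_deploy_target }}"
-    state: directory
-    owner: "{{ ansible_user }}"
-
 - name: create downloads folder
   become: true
   ansible.builtin.file: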

+ 5 - 5
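--- a/deploy/roles/os/tasks/main.yml
+++ b/deploy/roles/os/tasks/main.yml
@@ -1,8 +1,8 @@
-- include: init.yml
-- include: sshd.yml
-- include: ulimits.yml
+- import_tasks: init.yml
+- import_tasks: sshd.yml
+- import_tasks: ulimits.yml
 
-- name: Setup sudo without password 
+- name: Setup sudo without password
   become: true
   ansible.builtin.template:
     src: sudo.conf.j2
@@ -25,7 +25,7 @@
   become: true
   shell: timedatectl set-timezone UTC
 
-- name: Setup journald storage 
+- name: Setup journald storage
   become: true
   lineinfile:
     path: /etc/systemd/journald.conf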

+ 4 - 4
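--- a/deploy/roles/os/tasks/ulimits.yml
+++ b/deploy/roles/os/tasks/ulimits.yml
@@ -56,17 +56,17 @@
     path: /etc/security/limits.conf
     line: root        soft nofile 10240
 
-- name: Set user level ppen file limits for {{ansible_user}}
+- name: Set user level open file limits for {{ ansible_user }}
   become: true
   lineinfile:
     path: /etc/security/limits.conf
-    line: "{{ansible_user}}        soft nofile 10240"
+    line: "{{ ansible_user }}        soft nofile 10240"
 
 # https://docs.oracle.com/en/database/oracle/oracle-database/12.2/ladbi/changing-kernel-parameter-values.html#GUID-FB0CC366-61C9-4AA2-9BE7-233EB6810A31
 - name: Setup file max
   become: true
   lineinfile:
-    path: "/etc/sysctl.d/100-{{app_vendor}}.conf"
+    path: "/etc/sysctl.d/100-fs.conf"
     state: present
     line: fs.file-max = 6815744
     create: true
@@ -74,7 +74,7 @@
 - name: Setup file max
   become: true
   lineinfile:
-    path: "/etc/sysctl.d/100-{{app_vendor}}.conf"
+    path: "/etc/sysctl.d/100-fs.conf"
     state: present
     line: fs.inotify.max_user_watches = 512000
     create: true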
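Review bot: Both `lineinfile` tasks writing `100-fs.conf` carry the same `name: Setup file max` although the second sets `fs.inotify.max_user_watches`; rename it `Setup inotify max_user_watches` so play output is readable. More importantly, each uses `line:` without a `regexp:`, so changing a value later appends a second `fs.file-max = …` line instead of replacing the old one, and the kernel takes whichever comes last; add `regexp: '^fs\.file-max\s*='` and `regexp: '^fs\.inotify\.max_user_watches\s*='` respectively, or switch to `ansible.posix.sysctl`, which handles the replacement and also applies the value at once (nothing in this hunk runs `sysctl --system`). The `limits.conf` edits above have the same append-on-change behaviour. The task that opens this hunk begins before it.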

+ 5 - 2
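--- a/deploy/roles/php/tasks/main.yml
+++ b/deploy/roles/php/tasks/main.yml
@@ -24,14 +24,17 @@
       - php{{ app_php_version }}-redis
       - php{{ app_php_version }}-bcmath
 
+- name: Creates composer install directory
+  file:
+    path: "{{ ansible_env.HOME }}/.local/bin"
+    state: directory
+
 # https://getcomposer.org/doc/00-intro.md#installation-linux-unix-macos
 - name: Download composer
   get_url:
     url: https://getcomposer.org/download/latest-stable/composer.phar
     dest: "{{ ansible_env.HOME }}/.local/bin/composer"
     mode: 0755
-  args:
-    creates: "{{ ansible_env.HOME }}/.local/bin/composer"
 
 - name: Restart php-fpm
   become: true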
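Review bot: `Download composer` fetches `composer.phar` with no integrity check, so whatever getcomposer.org (or anything able to answer for it) returns is installed executable at `~/.local/bin/composer` and then run against every checkout by `mint-clone`; `get_url` accepts `checksum: "sha256:https://getcomposer.org/download/latest-stable/composer.phar.sha256"` (Composer publishes that file next to the phar), or pin a specific release with its hash. Dropping the `creates:` guard is fine — `get_url` only re-downloads when the destination is missing or `force: true` — but the new `Creates composer install directory` task has no `mode:`, so the directory gets whatever the remote umask yields; `mode: '0755'` makes that explicit, and `mode: 0755` on the download should be quoted as `'0755'` to avoid YAML octal/decimal ambiguity across parsers. The package list that opens this hunk begins before it.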

+ 8 - 14
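--- a/deploy/roles/ubuntu/tasks/main.yml
+++ b/deploy/roles/ubuntu/tasks/main.yml
@@ -95,7 +95,7 @@
       - libmysqlclient-dev
 
 
-- include: locales.yml
+- import_tasks: locales.yml
 
 - name: Set default editor to vim
   become: true
@@ -109,7 +109,7 @@
   become: true
   shell: git config --global pull.rebase false
 
-- include: zsh.yml
+- import_tasks: zsh.yml
 
 # ---------------------------------------------------
 
@@ -118,7 +118,7 @@
     path: /etc/friendlyelec-release
   register: app_os_friendlyelec
 
-- include: friendly-core.yml
+- import_tasks: friendly-core.yml
   when: app_os_friendlyelec.stat.islnk is defined and app_os_friendlyelec.stat.isreg
 
 - name: check if armbian
@@ -126,13 +126,13 @@
     path: /etc/armbian-release
   register: app_os_armbian
 
-- include: armbian.yml
+- import_tasks: armbian.yml
   when: app_os_armbian.stat.islnk is defined and app_os_armbian.stat.isreg
 
-- include: raspbian.yml
+- import_tasks: raspbian.yml
   when: ansible_distribution == 'Raspbian'
 
-- include: pi.yml
+- import_tasks: pi.yml
   when: ansible_distribution == 'Raspbian' or (app_os_armbian.stat.islnk is defined and app_os_armbian.stat.isreg) or (app_os_friendlyelec.stat.islnk is defined and app_os_friendlyelec.stat.isreg)
 
 # ---------------------------------------------------
@@ -147,16 +147,10 @@
 - name: enable cron service
   become: true
   ansible.builtin.systemd:
-    name: cron-target
+    name: cron
     enabled: yes
     masked: no
 
-- name: enable certbot sync
-  ansible.builtin.cron:
-    name: "renew certbot"
-    special_time: monthly
-    job: "/usr/bin/certbot renew --force-renewal"
-
 - name: enable ssh service
   become: true
   ansible.builtin.systemd:
@@ -172,4 +166,4 @@
     masked: no
 
 
-- include: clean.yml
+- import_tasks: clean.yml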