Ansible Deployment Scripts
# Reverse-proxy site template (Jinja2): terminates TLS and forwards
# requests to the application container through a named upstream.

# Backend pool. fail_timeout=0 means a failed attempt never takes the
# single backend out of rotation.
upstream {{ proxy_server }} {
    server {{ proxy_server_url }} fail_timeout=0;
}

server {
    # reuseport may be set only once per address:port pair across the whole
    # nginx configuration, so only one rendered site can carry it.
    listen 443 ssl http2 reuseport;
    listen [::]:443 ssl http2 reuseport;
    server_name {{ server_name }};

    # Do not advertise the nginx version in responses or error pages.
    server_tokens off;

    # Certificate pair as laid out by Let's Encrypt for this cert name.
    ssl_certificate /etc/letsencrypt/live/{{ cert_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ cert_name }}/privkey.pem;

    # Shared hardening settings; this snippet is not part of this template,
    # so its contents should be reviewed alongside it.
    include snippets/security.conf;

    # Per-site logs.
    access_log /var/log/nginx/{{ server_name }}-access.log;
    error_log /var/log/nginx/{{ server_name }}-error.log;

    # Serve a matching file if one exists, otherwise hand off to the app.
    location / {
        try_files $uri @app;
    }

    location @app {
        client_max_body_size 10M;
        gzip on;

        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;

        # Forwarded request metadata. $proxy_add_x_forwarded_for appends to
        # whatever X-Forwarded-For the client sent, so the application should
        # trust only the right-most entry.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://{{ proxy_server }};
    }

    # additional config
    include snippets/general.conf;
}
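---
# Deploys a Dockerised application behind an Nginx TLS reverse proxy,
# one host at a time (serial: 1).
- name: Project Name
  hosts: "prod"
  # remote_user is the current spelling of the legacy `user` play keyword.
  remote_user: deploy
  serial: 1
  vars:
    server_name: "FQDN"
    # Used verbatim as the nginx upstream name and inside proxy_pass, so the
    # real value must be a single token without spaces.
    proxy_server: "Descriptive name for NGinx proxy"
    # Loopback address matching the container's published port below.
    proxy_server_url: "127.0.0.1:8080"
    cert_name: "cert-domain-name"
    docker_image: "main"
    # NOTE(review): `latest` is a mutable tag; pinning a version tag or image
    # digest makes each deploy reproducible and auditable.
    docker_url: "<docker url>{{ docker_image }}:latest"
    # Secrets are read from files on the control node at run time. Keep those
    # files out of version control, or encrypt them with Ansible Vault.
    username: "{{ lookup('file', './templates/username') }}"
    password: "{{ lookup('file', './templates/password') }}"
    database_host: "{{ lookup('file', './templates/database_host') }}"
    database_name: "{{ lookup('file', './templates/database_name') }}"
    database_password: "{{ lookup('file', './templates/database_password') }}"
    database_username: "{{ lookup('file', './templates/database_username') }}"
    sendgrid_api_key: "{{ lookup('file', './templates/sendgrid') }}"

  tasks:
    - name: Install Docker
      ansible.builtin.apt:
        pkg: ["docker-ce", "python3-pip"]
        state: present
        update_cache: true
      become: true

    - name: Install Docker Python Module
      ansible.builtin.pip:
        name: "docker"

    # The filter below limits image pruning to dangling images, so the task
    # name says so. `volumes: true` deletes unused volumes as well; confirm
    # that nothing on this host keeps persistent data in a volume that can be
    # detached during a deploy.
    - name: Prune unused Docker resources (dangling images only)
      community.docker.docker_prune:
        containers: true
        images: true
        images_filters:
          dangling: true
        networks: true
        volumes: true
        builder_cache: true

    # NOTE(review): if a later task fails, the logout task at the end is
    # skipped and the registry credentials stay on the host; a block/always
    # wrapper around the tasks between login and logout would guarantee it.
    - name: Log into private registry and force re-authorization
      community.docker.docker_login:
        registry_url: <registry url>
        username: "{{ username }}"
        password: "{{ password }}"
        reauthorize: true

    # NOTE(review): without `detach: false` the play does not appear to wait
    # for the migration to finish before the application starts - confirm.
    - name: Migrate DB
      community.docker.docker_container:
        name: <container name>-migrate
        image: "{{ docker_url }}"
        command: migrate -y
        pull: true
        env:
          DATABASE_HOST: "{{ database_host }}"
          DATABASE_USERNAME: "{{ database_username }}"
          DATABASE_PASSWORD: "{{ database_password }}"
          DATABASE_NAME: "{{ database_name }}"
          SENDGRID_API_KEY: "{{ sendgrid_api_key }}"
      # The env block carries credentials; keep it out of task output and logs.
      no_log: true

    - name: Start Container
      community.docker.docker_container:
        name: <container-name>
        image: "{{ docker_url }}"
        state: started
        restart: true
        restart_policy: unless-stopped
        pull: true
        ports:
          # Publish on loopback only: a bare "8080:8080" listens on every
          # interface and lets clients reach the app over plain HTTP,
          # bypassing the Nginx TLS front end.
          - "127.0.0.1:8080:8080"
        env:
          DATABASE_HOST: "{{ database_host }}"
          DATABASE_USERNAME: "{{ database_username }}"
          DATABASE_PASSWORD: "{{ database_password }}"
          DATABASE_NAME: "{{ database_name }}"
          SENDGRID_API_KEY: "{{ sendgrid_api_key }}"
      # The env block carries credentials; keep it out of task output and logs.
      no_log: true

    - name: Log out of Registry
      community.docker.docker_login:
        registry_url: <registry url>
        state: absent

    - name: Copy Nginx conf
      ansible.builtin.template:
        src: templates/<nginx-config>.j2
        dest: /etc/nginx/sites-available/<nginx-config>
        mode: "0400"
      become: true
      # A changed template must reach the running server too, not only a
      # newly created symlink.
      notify: Reload nginx

    - name: Enable Site config
      ansible.builtin.file:
        src: /etc/nginx/sites-available/<nginx-config>
        dest: /etc/nginx/sites-enabled/<nginx-config>
        state: link
      become: true
      # Handler names are matched exactly, so this must be spelled the same
      # as the handler below (the original "reload nginx" did not match).
      notify: Reload nginx

  handlers:
    # Reload rather than restart: matches the handler name and picks up the
    # new configuration without dropping established connections.
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
      become: true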