From 72487e9273f164f58dd5721781ca9100f2f99723 Mon Sep 17 00:00:00 2001 From: Pierre Sarret Date: Thu, 29 Jun 2023 18:46:05 +0200 Subject: [PATCH] Dolibarr SSL via acme.sh and tfvars.example update (not working yet) --- ansible/dolibarr-playbook.yml | 203 +++++++++--------------- ansible/dolibarr-playbook.yml.old | 138 ---------------- ansible/dolibarr-secrets.yml | 6 +- ansible/dolibarr-secrets.yml.example | 6 +- ansible/dolibarr/install.forced.php.j2 | 74 +++++++++ ansible/dolibarr/nginx_dolibarr.conf.j2 | 22 ++- ansible/dolibarr/s3fs.passwd.j2 | 1 - terraform.tfvars.example | 73 +++++++-- 8 files changed, 237 insertions(+), 286 deletions(-) delete mode 100644 ansible/dolibarr-playbook.yml.old create mode 100644 ansible/dolibarr/install.forced.php.j2 delete mode 100644 ansible/dolibarr/s3fs.passwd.j2 diff --git a/ansible/dolibarr-playbook.yml b/ansible/dolibarr-playbook.yml index c0efc4b..de6836f 100644 --- a/ansible/dolibarr-playbook.yml +++ b/ansible/dolibarr-playbook.yml @@ -1,5 +1,5 @@ --- -- name: Install Dolibarr ERP on Ubuntu 22.04 VM with PostgreSQL and Nginx +- name: Install Dolibarr ERP on Ubuntu 22.04 VM with Nginx and acme.sh for SSL hosts: tag_Name_vm_dolibarr become: true vars_files: @@ -14,8 +14,7 @@ ansible.builtin.apt: name: - nginx -# - postgresql -# - s3fs + - socat - php8.1-fpm - php-mysqli - php-mysql 
@@ -35,39 +34,11 @@ enabled: true loop: - nginx -# - postgresql - php8.1-fpm - # - name: Configure s3fs - # block: - # - name: Copy S3FS Creds Template - # template: - # src: ./dolibarr/s3fs.passwd.j2 - # dest: /etc/passwd-s3fs - # mode: 0600 - - # - name: Ensure /mnt/s3 and MySQL datadir paths exist - # ansible.builtin.file: - # path: "/mnt/s3" - # state: directory - - # - name: Mount S3 Bucket to /srv/s3 - # mount: - # path: /srv/s3 - # src: "s3fs#{{ scaleway_s3_bucket_name }}" - # fstype: fuse - # state: mounted - # opts: "allow_other,use_path_request_style,url=https://s3.fr-par.scw.cloud,allow_other" - # passno: 0 - # dump: 0 - # vars: - # s3fs_credentials: - # access_key: "{{ scaleway_s3_access_key }}" - # secret_key: "{{ scaleway_s3_secret_key }}" - - name: Ensure Dolibarr directory exists ansible.builtin.file: - path: /srv/dolibarr + path: "{{ dolibarr_install_dir }}" state: directory owner: www-data group: www-data @@ -76,18 +47,16 @@ - name: Install Dolibarr ansible.builtin.unarchive: src: https://github.com/Dolibarr/dolibarr/archive/refs/tags/17.0.2.tar.gz - dest: /srv/dolibarr - creates: /srv/dolibarr/dolibarr-17.0.2 + dest: "{{ dolibarr_install_dir }}" + creates: "{{ dolibarr_install_dir }}/dolibarr-17.0.2" remote_src: true owner: www-data group: www-data - name: Deploy Dolibarr configuration / forced install script ansible.builtin.template: -# src: ./dolibarr/conf.php.j2 -# dest: /srv/dolibarr/dolibarr-17.0.2/htdocs/conf/conf.php src: ./dolibarr/install.forced.php.j2 - dest: /srv/dolibarr/dolibarr-17.0.2/htdocs/install.forced.php + dest: "{{ dolibarr_install_dir }}/dolibarr-17.0.2/htdocs/install/install.forced.php" owner: www-data group: www-data mode: '0644' 
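Review bot: The "Deploy Dolibarr configuration / forced install script" task writes the rendered install.forced.php — which carries the database password — with `mode: '0644'`, so any local account on the VM can read it; since owner and group are already www-data, `mode: '0640'` is enough for php-fpm. The unarchive task above it pulls `https://github.com/Dolibarr/dolibarr/archive/refs/tags/17.0.2.tar.gz` straight from the network with no integrity check, and `ansible.builtin.unarchive` has no checksum option for a remote `src`; fetching the tarball first with `ansible.builtin.get_url` and its `checksum:` parameter (value taken from the Dolibarr release) and unarchiving the local copy would close that gap. The version string 17.0.2 is now repeated in `src:`, `creates:`, the template `dest:` and the nginx template; a single `dolibarr_version` variable next to `dolibarr_install_dir` would keep them in step. The tasks list these hunks belong to starts before the first of them.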
@@ -97,100 +66,82 @@ - name: Install Nginx configuration file ansible.builtin.template: src: ./dolibarr/nginx_dolibarr.conf.j2 - dest: /etc/nginx/sites-available/dolibarr + dest: /etc/nginx/sites-available/dolibarr.conf mode: '0644' - name: Enable Dolibarr Nginx site ansible.builtin.file: - src: /etc/nginx/sites-available/dolibarr - dest: /etc/nginx/sites-enabled/dolibarr + src: /etc/nginx/sites-available/dolibarr.conf + dest: /etc/nginx/sites-enabled/dolibarr.conf state: link - name: Remove default Nginx site ansible.builtin.file: path: /etc/nginx/sites-enabled/default state: absent - - name: Reload Nginx - ansible.builtin.systemd: - name: nginx - state: reloaded - - # - name: Stop PostgreSQL service - # systemd: - # name: postgresql - # state: stopped - - # - name: Create PostgreSQL data directory in /srv/db #/srv/s3 - # file: - # path: /srv/db - # state: directory - # owner: postgres - # group: postgres - # mode: 0700 - - # - name: Move PostgreSQL data to /srv/s3 - # command: mv "{{ item }}" /srv/db/ - # loop: - # - /var/lib/postgresql/14/main - # become_user: postgres - - # - name: Configure pg_hba.conf to use md5 for local connections - # block: - # - name: Back up pg_hba.conf - # command: cp /etc/postgresql/14/main/pg_hba.conf /etc/postgresql/14/main/pg_hba.conf.backup - - # - name: Update pg_hba.conf for local connections to use md5 auth - # lineinfile: - # path: /etc/postgresql/14/main/pg_hba.conf - # regexp: '^local\s+\w+\s+\w+\s+' - # line: 'local all all md5' - - # - name: Update pg_hba.conf for localhost TCP/IP connections to use md5 auth - # lineinfile: - # path: /etc/postgresql/14/main/pg_hba.conf - # regexp: '^host\s+\w+\s+\w+\s+127\.0\.0\.*' - # line: 'host all all 127.0.0.1/32 md5' - - # - name: Update pg_hba.conf for IPv6 localhost connections to use md5 auth - # lineinfile: - # path: /etc/postgresql/14/main/pg_hba.conf - # regexp: '^host\s+\w+\s+\w+\s+::1/' - # line: 'host all all ::1/128 md5' - - # - name: Restart PostgreSQL - # systemd: - # 
name: postgresql - # state: restarted - - # - name: Update PostgreSQL data directory configuration - # lineinfile: - # path: /etc/postgresql/14/main/postgresql.conf - # regexp: '^data_directory =' - # line: 'data_directory = '/srv/db/main/'' - # notify: Restart PostgreSQL - - # - name: Create Dolibarr database user - # become: yes - # become_user: postgres - # postgresql_user: - # name: "dolibarrowner" - # password: "{{ dolibarr_database_password }}" - # role_attr_flags: - # - CREATEDB - # - CREATEROLE - # state: present - - # - name: Create Dolibarr database - # become: yes - # become_user: postgres - # postgresql_db: - # name: "{{ dolibarr_database_name }}" - # encoding: 'UTF-8' - # lc_collate: 'en_US.UTF-8' - # lc_ctype: 'en_US.UTF-8' - # owner: "dolibarrowner" - # state: present - - # handlers: - # - name: Restart PostgreSQL - # systemd: - # name: postgresql - # state: restarted + - name: Ensure SSL directory exist in /etc/nginx + ansible.builtin.file: + path: /etc/nginx/ssl + state: directory + owner: root + group: root + mode: '0755' + - name: Create dummy ssl certificate to have a valid nginx configuration + ansible.builtin.command: > + openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/dummy.key + -out /etc/nginx/ssl/dummy.cer -subj "/C=FR/ST=France/L=Paris/O=transexpress/OU=sys/CN={{ domain_name }}" + args: + creates: + /etc/nginx/ssl/dummy.cer + /etc/nginx/ssl/dummy.key + notify: Restart Nginx + + - name: Configure SSL cert with acme.sh for Nginx + block: + - name: Ensure acme.sh directory exists + ansible.builtin.file: + path: "{{ acme_install_dir }}" + state: directory + owner: root + group: root + mode: '0755' + - name: Install acme.sh + ansible.builtin.git: + repo: https://github.com/acmesh-official/acme.sh.git + dest: "{{ acme_install_dir }}" + version: master + - name: Initialize acme.sh + ansible.builtin.command: + cmd: '{{ acme_install_dir }}/acme.sh --install -m {{ acme_email }}' + chdir: '{{ acme_install_dir }}' + 
register: command_output + changed_when: command_output.rc != 0 + - name: Generate Let's Encrypt certificate for domain + ansible.builtin.command: + cmd: '{{ acme_install_dir }}/acme.sh --issue --nginx -d {{ domain_name }} --server letsencrypt' + chdir: '{{ acme_install_dir }}' + register: command_output + changed_when: command_output.rc != 0 + - name: Install SSL certificate + ansible.builtin.command: + cmd: > + '{{ acme_install_dir }}/acme.sh --install-cert -d {{ domain_name }} --key-file /etc/nginx/ssl/{{ domain_name }}.key + --fullchain-file /etc/nginx/ssl/{{ domain_name }}.cer --reloadcmd "service nginx force-reload"' + chdir: '{{ acme_install_dir }}' + register: command_output + changed_when: command_output.rc != 0 + args: + creates: + /root/.acme.sh/{{ domain_name }}/{{ domain_name }}.key + /root/.acme.sh/{{ domain_name }}/{{ domain_name }}.cer + - name: Replace dummy cert in nginx conf with the new certificate + ansible.builtin.replace: + path: /etc/nginx/sites-enabled/dolibarr.conf + regexp: 'dummy' + replace: '{{ item.fqdn }}' + loop: "{{ proxyservers }}" + notify: Restart Nginx + + handlers: + - name: Restart Nginx + ansible.builtin.service: + name: nginx + state: restarted diff --git a/ansible/dolibarr-playbook.yml.old b/ansible/dolibarr-playbook.yml.old deleted file mode 100644 index cb77d42..0000000 --- a/ansible/dolibarr-playbook.yml.old +++ /dev/null 
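Review bot: Both multi-line `creates:` values (the dummy-certificate task and "Install SSL certificate") are plain scalars, so YAML folds each pair of paths into one string such as `/etc/nginx/ssl/dummy.cer /etc/nginx/ssl/dummy.key`; that path never exists, so the openssl task regenerates the dummy key and re-notifies the restart on every run, and the install-cert guard never fires. Every `changed_when: command_output.rc != 0` is also inverted — a non-zero rc already fails the command task, so the condition is never true and these tasks always report unchanged; `changed_when: false` states what is meant, or key the task on `creates`. Two smaller points: `version: master` on the acme.sh checkout runs unpinned upstream code as root, so pin `version:` to a release tag, and the final replace task loops over `proxyservers`/`item.fqdn`, which nothing in this diff defines, where `{{ domain_name }}` appears to be intended. The `cmd: >` of the install-cert task keeps its surrounding single quotes in the rendered string, which the command module will likely treat as one argument; the sibling tasks' `cmd: '...'` form or an unquoted `>-` block avoids that. The tasks list this hunk belongs to starts before it.
```yaml
  - name: Create dummy ssl certificate to have a valid nginx configuration
    # … unchanged: openssl req command …
    args:
      creates: /etc/nginx/ssl/dummy.cer
    notify: Restart Nginx

  # … unchanged: "Ensure acme.sh directory exists" …
      - name: Install acme.sh
        ansible.builtin.git:
          repo: https://github.com/acmesh-official/acme.sh.git
          dest: "{{ acme_install_dir }}"
          version: "<pinned acme.sh release tag>"  # placeholder: a tag, not master
  # … unchanged: "Initialize acme.sh" and "Generate Let's Encrypt certificate", each with changed_when: false …
      - name: Install SSL certificate
        ansible.builtin.command:
          cmd: >-
            {{ acme_install_dir }}/acme.sh --install-cert -d {{ domain_name }}
            --key-file /etc/nginx/ssl/{{ domain_name }}.key
            --fullchain-file /etc/nginx/ssl/{{ domain_name }}.cer
            --reloadcmd "service nginx force-reload"
          chdir: "{{ acme_install_dir }}"
          creates: /root/.acme.sh/{{ domain_name }}/{{ domain_name }}.cer
        changed_when: false
      - name: Replace dummy cert in nginx conf with the new certificate
        ansible.builtin.replace:
          path: /etc/nginx/sites-available/dolibarr.conf
          regexp: 'dummy'
          replace: '{{ domain_name }}'
        notify: Restart Nginx
```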
@@ -1,138 +0,0 @@ ---- -- name: Install Dolibarr on Ubuntu 22.04 VM with MySQL and Dolibarr data on S3 - hosts: tag_Name_vm_dolibarr - become: true - vars: - mysql_root_password: 'your_mysql_root_password' - dolibarr_db_name: 'dolibarr_db' - dolibarr_db_user: 'dolibarr_user' - dolibarr_db_password: 'your_dolibarr_user_password' - dolibarr_url_path: '/dolibarr' - mysql_datadir: '/mnt/s3/mysql' - - tasks: - - name: Update apt cache - ansible.builtin.apt: - update_cache: true - - - name: Install required packages - ansible.builtin.apt: - name: - - apache2 - - php - - libapache2-mod-php - - php-mysql - - mysql-server - - unzip - state: present - - - name: Ensure /mnt/s3 and MySQL datadir paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - loop: - - /mnt/s3 - - "{{ mysql_datadir }}" - - - name: Stop MySQL service - ansible.builtin.service: - name: mysql - state: stopped - - - name: Change MySQL datadir in my.cnf - ansible.builtin.lineinfile: - path: /etc/mysql/mysql.conf.d/mysqld.cnf - regexp: '^datadir' - line: "datadir = {{ mysql_datadir }}" - notify: restart mysql - - - name: Move MySQL data to /mnt/s3/mysql - ansible.builtin.command: mv /var/lib/mysql/* {{ mysql_datadir }} - args: - removes: /var/lib/mysql/* - - - name: Start and enable MySQL service - ansible.builtin.service: - name: mysql - state: started - enabled: true - - - name: Set MySQL root password - community.mysql.mysql_user: - name: root - password: "{{ mysql_root_password }}" - login_unix_socket: /var/run/mysqld/mysqld.sock - - - name: Create Dolibarr MySQL database - community.mysql.mysql_db: - name: "{{ dolibarr_db_name }}" - state: present - - - name: Create Dolibarr MySQL user and grant privileges - community.mysql.mysql_user: - name: "{{ dolibarr_db_user }}" - password: "{{ dolibarr_db_password }}" - priv: "{{ dolibarr_db_name }}.*:ALL" - state: present - - - name: Download Dolibarr - ansible.builtin.get_url: - url: 
https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/14.0.1/dolibarr-14.0.1.tgz - dest: /tmp/dolibarr.tgz - - - name: Unpack Dolibarr archive in /var/www/html{{ dolibarr_url_path }} - ansible.builtin.unarchive: - src: /tmp/dolibarr.tgz - dest: /var/www/html/ - remote_src: true - notify: restart apache2 - - - name: Copy Dolibarr configuration - ansible.builtin.copy: - src: /var/www/html{{ dolibarr_url_path }}/htdocs/conf/conf.php.example - dest: /mnt/s3/conf.php - remote_src: true - - - name: Update conf.php with MySQL credentials, paths, etc. - ansible.builtin.lineinfile: - path: /mnt/s3/conf.php - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - loop: - - { regexp: '^\$dolibarr_main_db_host\s*=', line: "$dolibarr_main_db_host='localhost';" } - - { regexp: '^\$dolibarr_main_db_name\s*=', line: "$dolibarr_main_db_name='{{ dolibarr_db_name }}';" } - - { regexp: '^\$dolibarr_main_db_user\s*=', line: "$dolibarr_main_db_user='{{ dolibarr_db_user }}';" } - - { regexp: '^\$dolibarr_main_db_pass\s*=', line: "$dolibarr_main_db_pass='{{ dolibarr_db_password }}';" } - - { regexp: '^\$dolibarr_main_data_root\s*=', line: "$dolibarr_main_data_root='/mnt/s3';" } - - { regexp: '^\$dolibarr_main_url_root\s*=', line: "$dolibarr_main_url_root='http://{{ ansible_fqdn }}{{ dolibarr_url_path }}/htdocs';" } - - - name: Set permissions on Dolibarr - ansible.builtin.file: - path: "{{ item }}" - owner: www-data - group: www-data - recurse: true - with_items: ["/var/www/html{{ dolibarr_url_path }}/htdocs", "/mnt/s3"] - - - name: Create symlink for Dolibarr config - ansible.builtin.file: - src: /mnt/s3/conf.php - dest: /var/www/html{{ dolibarr_url_path }}/htdocs/conf/conf.php - state: link - - - name: Ensure correct index file - ansible.builtin.copy: - src: /var/www/html{{ dolibarr_url_path }}/htdocs/index.php.index.html - dest: /var/www/html{{ dolibarr_url_path }}/htdocs/index.php - remote_src: true - - handlers: - - name: Restart apache2 - ansible.builtin.service: - 
name: apache2 - state: restarted - - - name: Restart mysql - ansible.builtin.service: - name: mysql - state: restarted diff --git a/ansible/dolibarr-secrets.yml b/ansible/dolibarr-secrets.yml index 8f7d301..b7288c2 100644 --- a/ansible/dolibarr-secrets.yml +++ b/ansible/dolibarr-secrets.yml @@ -2,4 +2,8 @@ MYSQL_HOST: 51.159.204.219 MYSQL_PORT: 4733 MYSQL_DATABASE: dolibarr MYSQL_USER: pa2023nextcloud -MYSQL_PASSWORD: FQQn0z9hQryg4sw7leZfSlZCH1! \ No newline at end of file +MYSQL_PASSWORD: FQQn0z9hQryg4sw7leZfSlZCH1! +domain_name: crm.transexpress.ovh +acme_install_dir: /srv/acme.sh +acme_email: sysadm@pierresarret.fr +dolibarr_install_dir: /srv/dolibarr \ No newline at end of file diff --git a/ansible/dolibarr-secrets.yml.example b/ansible/dolibarr-secrets.yml.example index faaa936..f6df02a 100644 --- a/ansible/dolibarr-secrets.yml.example +++ b/ansible/dolibarr-secrets.yml.example @@ -2,4 +2,8 @@ MYSQL_HOST: xx MYSQL_PORT: 4733 MYSQL_DATABASE: xx MYSQL_USER: xx -MYSQL_PASSWORD: xx \ No newline at end of file +MYSQL_PASSWORD: xx +domain_name: crm.transexpress.ovh +acme_install_dir: /etc/acme.sh +acme_email: xx@xxx.xx +dolibarr_install_dir: /srv/dolibarr \ No newline at end of file diff --git a/ansible/dolibarr/install.forced.php.j2 b/ansible/dolibarr/install.forced.php.j2 new file mode 100644 index 0000000..b12f9f3 --- /dev/null +++ b/ansible/dolibarr/install.forced.php.j2 
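Review bot: `ansible/dolibarr-secrets.yml` is tracked with a real MYSQL_HOST, MYSQL_USER and MYSQL_PASSWORD (the password line is carried over unchanged on both sides of this hunk), and the commit adds four more values to it without protecting any of them; the file should be encrypted with ansible-vault or gitignored with only the `.example` tracked, and the exposed credential rotated. The new keys `domain_name`, `acme_install_dir`, `acme_email` and `dolibarr_install_dir` are not secrets and would read more clearly in a plain vars file or the play's `vars:`. The sibling hunk in `ansible/dolibarr-secrets.yml.example` sets `acme_install_dir: /etc/acme.sh` where the real file uses `/srv/acme.sh`, and carries the real `domain_name` instead of a placeholder; keep the two in step. `MYSQL_USER: pa2023nextcloud` is also the Nextcloud `mysql_user` in terraform.tfvars.example — if the two applications share one database account, giving Dolibarr its own user with grants limited to its database would be the least-privilege choice. Both files still end without a trailing newline.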
@@ -0,0 +1,74 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +/** @var boolean $force_install_nophpinfo Hide PHP informations */ +$force_install_nophpinfo = true; + +/** @var int $force_install_noedit 1 = Lock and hide environment variables, 2 = Lock all set variables */ +$force_install_noedit = 2; + +/** @var string $force_install_message Information message */ +$force_install_message = 'Welcome to your Dolibarr install'; + +/** @var string $force_install_main_data_root Data root absolute path (documents folder) */ +$force_install_main_data_root = null; + +/** @var boolean $force_install_mainforcehttps Force HTTPS */ +$force_install_mainforcehttps = true; + +/** @var string $force_install_database Database name */ +$force_install_database = '{{ MYSQL_DATABASE }}'; + +/** @var string $force_install_type Database driver (mysql|mysqli|pgsql|mssql|sqlite|sqlite3) */ +$force_install_type = 'mysqli'; + +/** @var string $force_install_dbserver Database server host */ +$force_install_dbserver = '{{ MYSQL_HOST }}'; + +/** @var int $force_install_port Database server port */ +$force_install_port = '{{ MYSQL_PORT }}'; + +/** @var string $force_install_prefix Database tables prefix */ +$force_install_prefix = 'llx_'; + +/** @var bool $force_install_createdatabase Force database creation */ +$force_install_createdatabase = false; + +/** @var string $force_install_databaselogin Database 
username */ +$force_install_databaselogin = '{{ MYSQL_USER }}'; + +/** @var string $force_install_databasepass Database password */ +$force_install_databasepass = '{{ MYSQL_PASSWORD }}'; + +/** @var bool $force_install_createuser Force database user creation */ +$force_install_createuser = false; + +/** @var string $force_install_databaserootlogin Database root username */ +$force_install_databaserootlogin = 'root'; + +/** @var string $force_install_databaserootpass Database root password */ +$force_install_databaserootpass = ''; + + +/** @var string $force_install_dolibarrlogin Dolibarr super-administrator username */ +$force_install_dolibarrlogin = 'admin'; + +/** @var bool $force_install_lockinstall Force install locking */ +$force_install_lockinstall = true; + +/** @var string $force_install_module Enable module(s) (Comma separated class names list) */ +$force_install_module = 'modSociete,modFournisseur,modFacture'; \ No newline at end of file diff --git a/ansible/dolibarr/nginx_dolibarr.conf.j2 b/ansible/dolibarr/nginx_dolibarr.conf.j2 index 297c3df..7f39dc3 100644 --- a/ansible/dolibarr/nginx_dolibarr.conf.j2 +++ b/ansible/dolibarr/nginx_dolibarr.conf.j2 @@ -1,14 +1,30 @@ server { listen 80; - server_name crm.transexpress.ovh; - - root /srv/dolibarr/dolibarr-17.0.2/htdocs; + server_name {{ domain_name }}; + rewrite ^/(.*) https://{{ domain_name }}/$1 permanent; +} + +server { + listen 443 ssl; + server_name {{ domain_name }}; + + ssl_certificate /etc/nginx/ssl/dummy.cer; + ssl_certificate_key /etc/nginx/ssl/dummy.key; + +{# + ssl_certificate /etc/ssl/fullchain.cer; + ssl_certificate_key /etc/ssl/{{ domain_name }}.key; +#} + root {{ dolibarr_install_dir }}/dolibarr-17.0.2/htdocs; index index.php; location / { try_files $uri $uri/ =404; } + location /.well-known/ { + } + location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.1-fpm.sock; 
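Review bot: The rendered install.forced.php embeds the live database password (`$force_install_databasepass = '{{ MYSQL_PASSWORD }}';`) and is deployed under `htdocs/install/`, inside the nginx document root; the `\.php$` location hands it to php-fpm rather than serving it raw, but `$force_install_lockinstall = true` only locks the installer and does not remove the file, so the playbook should delete it (or deny `install/` in nginx) once the forced install has run. `$force_install_port` is annotated `@var int` but assigned the quoted string `'{{ MYSQL_PORT }}'`; either drop the quotes so it renders as an integer or change the annotation to `string`. The first lines of the file appear truncated on this page — no `<?php` opening or start of the license comment is visible — so I can't confirm the header; worth checking the committed file.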
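Review bot: The server-level `rewrite ^/(.*) https://{{ domain_name }}/$1 permanent;` in the port-80 block runs before any location is matched, so `/.well-known/acme-challenge/` requests are redirected to the 443 block, which presents the self-signed dummy certificate and has no challenge handler; that is a plausible reason the acme.sh issuance "is not working yet". Keep the challenge path on plain HTTP and redirect only the rest, e.g. `location /.well-known/acme-challenge/ { root {{ dolibarr_install_dir }}/dolibarr-17.0.2/htdocs; }` followed by `location / { return 301 https://{{ domain_name }}$request_uri; }`, and drop the empty `location /.well-known/ { }` from the 443 block, which does nothing. A comment above the two `dummy.*` certificate lines, e.g. `# placeholder; rewritten to the acme.sh-issued certificate by the playbook's replace task`, would save the next reader a search, and the commented-out `/etc/ssl/...` paths can go since the playbook now installs under /etc/nginx/ssl.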
diff --git a/ansible/dolibarr/s3fs.passwd.j2 b/ansible/dolibarr/s3fs.passwd.j2 deleted file mode 100644 index 5da74ed..0000000 --- a/ansible/dolibarr/s3fs.passwd.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ s3fs_credentials.access_key }}:{{ s3fs_credentials.secret_key }} \ No newline at end of file diff --git a/terraform.tfvars.example b/terraform.tfvars.example index 1a7eeb9..5df8002 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example 
@@ -1,39 +1,68 @@ # == CREDENTIALS == ## AWS -aws_region = "us-east-1" #us-east-1 +aws_region = "us-east-1" aws_access_key_id = "" aws_secret_access_key = "" aws_session_token = "" -## SCALEWAY +## SCALEWAY scaleway_access_key = "" scaleway_secret_key = "" scaleway_organization_id = "" scaleway_region = "" scaleway_project_id = "" -## CLOUDFLARE -cloudflare_api_token = "" -cloudflare_zone_id = "" - # == SETTINGS == -scaleway_bucket_initial_name = "bucket-pa-esgi" -scaleway_num_buckets = 1 -scaleway_bucket_name = "pa-esgi-2023-b1" +scaleway_bucket_initial_name = "bucket-pa-esgi" +scaleway_bucket_name = "pa-esgi-2023-b1" +scaleway_num_buckets = 1 # SSH Keys allowed in EC2s. First one will be added by default to all EC2s, other ones are added manually in the authorized_keys file ssh_public_keys = [ - "ssh-rsa AAAAAAAAA", - "ssh-rsa AAAAAAAAAZ", + "ssh-rsa truc", + "ssh-rsa bidule", ] +#BUCKET + VPC bucket_name = "pa-esgi-2023-b1" mount_point = "/mnt/bucket" -vpc_cidr_block = "" -vpc_subnet_cidr_block = "" +vpc_cidr_block = "10.7.0.0/16" +vpc_subnet_cidr_block = "10.7.1.0/24" vpc_instance_tenancy = "default" +#SNS TOPIC sns_phone_number = "+33xxxxxxxxx" -sns_email_address = "xx@xx.fr" +sns_email_address = "" + +#SNS TOPIC GuardDuty +sns_phone_number_guard = "+33xxxxxxxxx" +sns_email_address_guard = "" + +## CLOUDFLARE +cloudflare_api_token = "" +cloudflare_zone_id = "" +## EC2 - Nextcloud +mysql_host = "" +mysql_database = "nextcloud" +mysql_user = "pa2023nextcloud" +mysql_password = "" +redis_host = "redis" +acme_email = "" +acme_storage = "/acme.json" + +## EC2 - config.php +redis_password = "" +redis_port = "6379" +s3_bucket = "nextcloud-app-staging" +s3_key = "" +s3_secret = "" +s3_hostname = "s3.fr-par.scw.cloud" +s3_port = "443" +s3_region = "fr-par" +trusted_domain = "hosting.transexpress.ovh" +trusted_proxy = "172.19.0.254" + + +## INFORMATION ec2-config = { "vm-dolibarr" = { ports = [ 
@@ -70,17 +99,29 @@ ec2-config = { from = 80 to = 80 source="0.0.0.0/0" + }, + { + from = 4733 + to = 4733 + source="0.0.0.0/0" }, { from = 22 to = 22 source="0.0.0.0/0" } + ], ami_id = "ami-053b0d53c279acc90", instance_type = "t2.large", volume_size = 30, volume_type = "gp2", - dns_name = "cloud.transexpress.ovh", + dns_name = "hosting.transexpress.ovh", } -} \ No newline at end of file +} + +## EKS + +project_eks = "TransexpressWebsite" +vpc_cidr_eks = "10.0.0.0/16" +subnet_cidr_bits_eks = 8 \ No newline at end of file
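Review bot: The new ingress rule `from = 4733 / to = 4733 / source="0.0.0.0/0"` on vm-dolibarr opens to the whole Internet the port that `ansible/dolibarr-secrets.yml` uses as MYSQL_PORT; as far as this diff shows the VM only connects out to MYSQL_HOST, and an ingress rule does not govern egress, so the rule appears to widen the attack surface without enabling anything. If something on the VM really listens on 4733, restrict `source` to the peer's address or CIDR and name the service in a comment above the block. Separately, `dns_name = "hosting.transexpress.ovh"` for vm-dolibarr no longer matches the `domain_name: crm.transexpress.ovh` the Ansible side uses for the certificate; worth confirming which name the VM should carry. The enclosing `ec2-config` map starts before this hunk.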