Setup Ansible config for web hosting

.github/workflows/lint.yml

@@ -58,3 +58,16 @@ jobs:
         with:
           fail_on_error: true
           tool_name: 'caddy fmt'
+
+  ansible:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python 3
+        uses: actions/setup-python@v3
+
+      - name: ansible-lint
+        uses: reviewdog/action-ansiblelint@v1

README.md

@@ -40,3 +40,37 @@ overrides in environment variables:
   interfaces)
 * The directory containing the git repositories with `SITE_DIR` (defaults to
   `sites` in the current directory)
+
+Ansible configuration
+=====================
+
+When running on DigitalOcean hosting, an Ansible playbook is used to configure
+the server with consistent settings.
+
+Setup
+-----
+
+Before you can run our ansible playbooks, you need to meet the following
+prerequisites:
+
+* Create a DigitalOcean API token, and pass it to the inventory generator by
+  setting the `DO_API_TOKEN` environment variable.
+* Set the vault decryption password of the ansible vaulted file with our
+  secrets. This may be done by setting the `ANSIBLE_VAULT_PASSWORD_FILE`
+  environment variable to point to a file containing the password.
+* Download all the collections the playbooks depend on with the following
+  command:
+  ```
+  ansible-galaxy collection install \
+    --requirements-file collections/requirements.yml
+  ```
+
+You may wish to use [direnv](https://direnv.net/) to set environment variables.
+
+Running
+-------
+
+There is currently only one playbook:
+
+* `matplotlib.org.yml`, for the main matplotlib.org hosting. This playbook
+  operates on droplets with the `website` tag in DigitalOcean.

ansible.cfg

@@ -0,0 +1,34 @@
+[defaults]
+
+inventory = {{CWD}}/inventories
+
+interpreter_python = auto
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+gathering = smart
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored.  This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+fact_caching = jsonfile
+# This option tells Ansible where to cache facts. The value is plugin dependent.
+# For the jsonfile plugin, it should be a path to a local directory.
+# For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+fact_caching_connection = /tmp
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+pipelining = True

caddy/Caddyfile

@@ -14,6 +14,11 @@
 
 # Set this variable in the environment when running in production.
 {$SITE_ADDRESS::2015} {
+	# Set the variable in the environment to the Caddy directive for tls
+	# support. By default, this is empty so you can test it locally, but
+	# the Ansible config sets it up with the right certificate paths.
+	{$TLS_CONFIG:}
+
 	root * {$SITE_DIR:.}
 
 	# Setup a webhook

caddy/caddy.service.override

@@ -0,0 +1,4 @@
+[Service]
+Environment="SITE_DIR=/usr/share/caddy"
+Environment="SITE_ADDRESS=https://do.matplotlib.org, https://matplotlib.org"
+Environment="TLS_CONFIG=tls /etc/caddy/tls/cert.pem /etc/caddy/tls/privkey.pem"

collections/requirements.yml

@@ -0,0 +1,5 @@
+---
+collections:
+  - name: ansible.posix
+  - name: community.general
+  - name: community.digitalocean

files/fail2ban/jail.local

@@ -0,0 +1,10 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 1d
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+findtime  = 1h
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5