feat: enhance Ansible playbook and Nginx configuration with authentication and logrotate setup

- Added environment variables for project configuration in env.template. - Updated Ansible playbook to use environment variables for project settings and added tasks for monitoring authentication setup. - Enhanced Nginx configuration for Alertmanager and Prometheus with HTTP Basic Authentication. - Introduced logrotate configuration for managing log files and set up cron for daily execution. - Removed obsolete Uptime Kuma docker-compose file.
2025-09-19 12:09:05 +03:00
parent 1eb11e454d
commit f7b08ae9e8
16 changed files with 959 additions and 51 deletions
--- a/infra/ansible/playbook.yml
+++ b/infra/ansible/playbook.yml
@@ -5,18 +5,23 @@

  vars:
    # Основная директория проекта
-    project_root: "/home/prod"
+    project_root: "{{ lookup('env', 'PROJECT_ROOT') | default('/home/prod') }}"
    # Пользователь и группа
-    deploy_user: "deploy"
-    uid: "1001"
-    gid: "1001"
+    deploy_user: "{{ lookup('env', 'DEPLOY_USER') | default('deploy') }}"
+    uid: "{{ lookup('env', 'DEPLOY_UID') | default('1001') }}"
+    gid: "{{ lookup('env', 'DEPLOY_GID') | default('1001') }}"
    # Старый сервер для копирования данных
-    old_server: "root@77.223.98.129"
+    old_server: "{{ lookup('env', 'OLD_SERVER') | default('root@77.223.98.129') }}"
    # Опция: пересоздавать папку /home/prod (по умолчанию — нет)
    recreate_project: false
    # Grafana настройки
    grafana_admin_user: "{{ lookup('env', 'GRAFANA_ADMIN_USER') | default('admin') }}"
    grafana_admin_password: "{{ lookup('env', 'GRAFANA_ADMIN_PASSWORD') | default('admin') }}"
+    # Мониторинг настройки
+    monitoring_username: "{{ lookup('env', 'MONITORING_USERNAME') | default('admin') }}"
+    monitoring_password: "{{ lookup('env', 'MONITORING_PASSWORD') | default('admin123') }}"
+    # SSL настройки
+    use_letsencrypt: "{{ lookup('env', 'USE_LETSENCRYPT') | default('false') | lower == 'true' }}"

  tasks:
    # ========================================
@@ -63,6 +68,7 @@
          - apache2-utils
          - certbot
          - python3-certbot-nginx
+          - logrotate
        state: present

    - name: "[1/10] Установить Python библиотеки для Ansible"
@@ -286,10 +292,10 @@
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: present

-    - name: "[4/10] Настроить sudo для deploy (только Docker команды)"
+    - name: "[4/10] Настроить sudo для deploy (все команды без пароля)"
      lineinfile:
        path: /etc/sudoers.d/deploy
-        line: "{{ deploy_user }} ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose, /usr/bin/make"
+        line: "{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL"
        create: yes
        mode: '0440'
        validate: 'visudo -cf %s'
@@ -613,9 +619,30 @@
        - "{{ project_root }}/infra/nginx/ssl"
        - "{{ project_root }}/infra/nginx/conf.d"
        - "{{ project_root }}/infra/uptime-kuma"
+        - "{{ project_root }}/infra/uptime-kuma/backup"
        - "{{ project_root }}/infra/alertmanager"
        - "{{ project_root }}/infra/grafana/dashboards"
        - "{{ project_root }}/scripts"
+        - /etc/nginx/passwords
+
+    - name: "[8/10] Скопировать скрипт генерации паролей"
+      copy:
+        src: "{{ project_root }}/scripts/generate_auth_passwords.sh"
+        dest: /usr/local/bin/generate_auth_passwords.sh
+        owner: root
+        group: root
+        mode: '0755'
+        remote_src: yes
+
+    - name: "[8/10] Создать файл паролей для мониторинга"
+      htpasswd:
+        path: /etc/nginx/passwords/monitoring.htpasswd
+        name: "{{ monitoring_username | default('admin') }}"
+        password: "{{ monitoring_password | default('admin123') }}"
+        owner: root
+        group: www-data
+        mode: '0640'
+        create: yes

    - name: "[8/10] Сгенерировать самоподписанный SSL сертификат (fallback)"
      command: >
@@ -865,6 +892,68 @@
      debug:
        var: fail2ban_status.stdout_lines

+    # ========================================
+    # ЭТАП 9.5: НАСТРОЙКА LOGROTATE (ROOT)
+    # ========================================
+    
+    - name: "[9.5/10] Создать директорию для logrotate конфигураций"
+      file:
+        path: /etc/logrotate.d
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: "[9.5/10] Настроить logrotate для ботов"
+      template:
+        src: "{{ project_root }}/infra/logrotate/logrotate_bots.conf.j2"
+        dest: /etc/logrotate.d/bots
+        owner: root
+        group: root
+        mode: '0644'
+        backup: yes
+
+    - name: "[9.5/10] Настроить logrotate для системных сервисов"
+      template:
+        src: "{{ project_root }}/infra/logrotate/logrotate_system.conf.j2"
+        dest: /etc/logrotate.d/system
+        owner: root
+        group: root
+        mode: '0644'
+        backup: yes
+
+    - name: "[9.5/10] Создать директории для логов ботов"
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ deploy_user }}"
+        group: "{{ deploy_user }}"
+        mode: '0755'
+      loop:
+        - "{{ project_root }}/bots/AnonBot/logs"
+        - "{{ project_root }}/bots/telegram-helper-bot/logs"
+
+    - name: "[9.5/10] Проверить конфигурацию logrotate"
+      command: logrotate -d /etc/logrotate.conf
+      register: logrotate_test
+      changed_when: false
+
+    - name: "[9.5/10] Показать результат проверки logrotate"
+      debug:
+        var: logrotate_test.stdout_lines
+
+    - name: "[9.5/10] Включить и запустить logrotate"
+      systemd:
+        name: logrotate
+        enabled: yes
+        state: started
+
+    - name: "[9.5/10] Настроить cron для ежедневного запуска logrotate"
+      cron:
+        name: "Logrotate daily"
+        job: "0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf"
+        user: root
+
    # ========================================
    # ЭТАП 10: ЗАПУСК ПРИЛОЖЕНИЙ И ПРОВЕРКИ (DEPLOY + ROOT)
    # ========================================
@@ -997,7 +1086,7 @@
      retries: 5
      delay: 10

-    - name: "[10/10] Проверить доступность Prometheus через Nginx"
+    - name: "[10/10] Проверить доступность Prometheus через Nginx (health check без авторизации)"
      uri:
        url: "https://{{ ansible_host }}/prometheus/-/healthy"
        method: GET
@@ -1017,6 +1106,13 @@
      retries: 5
      delay: 10

+    - name: "[10/10] Настроить Uptime Kuma мониторы"
+      copy:
+        src: "{{ project_root }}/infra/uptime-kuma/monitors.json"
+        dest: "/tmp/uptime-kuma-monitors.json"
+        mode: '0644'
+      when: ansible_connection == 'local'
+
    - name: "[10/10] Проверить доступность Uptime Kuma через Nginx"
      uri:
        url: "https://{{ ansible_host }}/status"
@@ -1027,12 +1123,14 @@
      retries: 5
      delay: 10

-    - name: "[10/10] Проверить доступность Alertmanager через Nginx"
+    - name: "[10/10] Проверить доступность Alertmanager через Nginx (с авторизацией)"
      uri:
-        url: "https://{{ ansible_host }}/alertmanager/"
+        url: "https://{{ ansible_host }}/alerts/"
        method: GET
        status_code: 200
        validate_certs: no
+        user: "{{ monitoring_username | default('admin') }}"
+        password: "{{ monitoring_password | default('admin123') }}"
      register: alertmanager_nginx_health
      retries: 5
      delay: 10