chore(infra): permet d'installer les machines avec ansible (#97)

.gitignore

@@ -4,3 +4,4 @@ node_modules
 .env
 /.cache
 packages/ui/storybook-static/
+.vault

infra/Makefile

+dev:
+	ansible-playbook -i inventory_dev --ask-become-pass --vault-id camino@prompt deploy.yml
+preprod:
+	ansible-playbook -i inventory_preprod --ask-become-pass --vault-id camino@prompt  deploy.yml
+prod:
+	ansible-playbook -i inventory_prod --ask-become-pass --vault-id camino@prompt deploy.yml
\ No newline at end of file

infra/deploy.yml

+---
+- hosts: servers
+  tasks:
+    - name: Install rsync
+      ansible.builtin.apt:
+        name: rsync
+        state: present
+      become: True
+    - file:
+        path: /srv/www/camino/files
+        group: users
+        mode: u=rwx,g=rwx,o=r
+      become: True
+  roles:
+    - role: nginx
+    - role: camino
+    - role: devAndPreprod
+      when: env != 'prod'
+    - role: prod
+      when: env == 'prod'
+

infra/inventory_dev

+[servers]
+dev.camino.beta.gouv.fr env=dev ansible_port=212 ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file

infra/inventory_preprod

+[servers]
+preprod.camino.beta.gouv.fr env=preprod ansible_port=212 ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file

infra/inventory_prod

+[servers]
+camino.beta.gouv.fr env=prod ansible_port=212 ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file

infra/roles/camino/tasks/main.yml

+---
+- name: Met en place le docker-compose
+  ansible.builtin.copy:
+    src: ../../../../docker-compose.yml
+    dest: /srv/www/camino/docker-compose.yml
+    owner: git
+    group: users
+    mode: u=rw,g=r,o=r
+  become: True
+- name: Ajoute les variables liées au bon environnement
+  ansible.builtin.include_vars:
+    file: "{{ env }}.yml"
+- name: Ajoute les variables chiffrées liées au bon environnement
+  ansible.builtin.include_vars:
+    file: "{{ env }}_crypt.yml"
+- name: Installe le fichier d'environnement
+  ansible.builtin.template:
+    src: env
+    dest: /srv/www/camino/.env
+    mode: u=rw,g=r,o=r
+    owner: git
+    group: users
+    backup: True
+  become: True
\ No newline at end of file

infra/roles/camino/templates/env

+ENV={{ env }}
+
+# node
+NODE_ENV=production
+API_PORT=4000
+UI_PORT=8080
+DOC_PORT=80
+STORYBOOK_PORT=80
+
+# url du serveur (docker-compose)
+API_HOST=api.{{ base_host }}
+API_URL=https://api.{{ base_host }}
+
+UI_HOST={{ base_host }}
+UI_URL=https://{{ base_host }}
+
+DOC_HOST=docs.{{ base_host }}
+DOC_URL=https://docs.{{ base_host }}
+
+API_OPENFISCA_URL="http://openfisca:8000"
+
+STORYBOOK_HOST=storybook.{{ base_host }}
+
+# certificat ssh (docker-compose)
+LETSENCRYPT_EMAIL=camino@beta.gouv.fr
+
+# postgres
+PGHOST=localhost
+PGPORT=5432
+PGDATABASE=camino
+PGUSER={{ pg_user }}
+PGPASSWORD={{ pg_password }}
+
+# tokens jwt
+JWT_SECRET={{ jwt_secret }}
+JWT_SECRET_REFRESH={{ jwt_secret_refresh }}
+
+# admin
+ADMIN_EMAIL=camino@beta.gouv.fr
+
+
+# API Mailjet
+API_MAILJET_EMAIL=camino@beta.gouv.fr
+API_MAILJET_KEY={{ mailjet_key }}
+API_MAILJET_SECRET={{ mailjet_secret }}
+API_MAILJET_SERVER=in-v3.mailjet.com
+API_MAILJET_CONTACTS_LIST_ID={{ mailjet_contact_list_id }}
+
+# UI Sentry
+SENTRY_DSN={{ ui_sentry_dns }}
+
+
+# API Géo
+API_GEO_URL={{ api_geo_url }}
+
+# API Administration
+API_ADMINISTRATION_URL="https://etablissements-publics.api.gouv.fr"
+
+# API Insee
+API_INSEE_KEY={{ api_insee_key }}
+API_INSEE_SECRET={{ api_insee_secret }}
+API_INSEE_URL="https://api.insee.fr"
+
+# API Cerbère
+API_CERBERE="https://authentification.din.developpement-durable.gouv.fr/cas/public/login"
+
+# API Matomo
+API_MATOMO_URL={{ matomo_url }}
+API_MATOMO_ID={{ matomo_id }}
+API_MATOMO_TOKEN={{ matomo_token }}
+API_MATOMO_MONTHS=24
+
+API_SENTRY_URL={{ api_sentry_url }}
\ No newline at end of file

infra/roles/camino/vars/dev.yml

+---
+base_host: dev.camino.beta.gouv.fr
+mailjet_contact_list_id: 19822
+matomo_url: https://stats.preprod.camino.beta.gouv.fr
\ No newline at end of file

infra/roles/camino/vars/dev_crypt.yml

+$ANSIBLE_VAULT;1.2;AES256;camino
+32353566303331326135623633653662613731623635633433313632623761376663396562643136
+3632386661646461646364613561303361363438626230360a663537373330653631636231646462
+62626335343338333936306634373333306161323463643363616339663965373733363430313235
+3032313135356631300a643261373134393330636262646136353632663637356432663962626133
+31626438356236353362626335643531353865346337373633373930626430663736326666636536
+39393836316238353963386563353766346136306331333631383135383565653465316562383738
+36323436613966623034363332616630623433386539626661636333333336323361643436613961
+64636264336561306436353636613530613135386338616632323537383636393964643239636238
+39383461623835646138633638316361653839383562366631366239363331303239316364313330
+35323239626139666632303236666666333263306237343133356565616665386565646265643830
+33643338393563306264646637343735383033646461303830633236653261396230336637353265
+65636630326461643338386564326239623430323830666365303532626430636239663863623465
+61363139616361636365353534633930643366333939346433316361396463633734323034623630
+36303865353335643264313263343862666636306534623035643062393165306332636536616433
+33323738663332343463343761323937633232613934633230373565383335376466636334363730
+38643361653564646365323163386432643863626334313634656638346431313539646637303561
+39633061623139316336336637646639636461613364306535653837323036313164613363613231
+31663162383263646536386538623332336133326631343163623465373764646336346130303438
+61306432313539383236616262323930363730376434373939393636313830303633323238306438
+30326535613863336238326332623362613435316136316539346438336266343566643062623966
+37613734356136613535623135613661323638323530306464613732643130616137343438626163
+37303166306632343937643666333765333939303732326263323563393331333830313733343735
+66343162303463366638333466303139303330383237366464393762623838386363663166383633
+39316533666465383633343536343630653632656563636237626564303833666165613038656339
+30386131343465656162613662376433313564393138396639346430363130363064666463666639
+34663538343833343064353537323465633431633630303864623365333138643939373638653232
+63666131393763653264616231373461636166306334636334666430623832303265373236343536
+36333132323830376334373730353366393166663065396165306630303134363131343131613833
+62323566393537343364383034616231623038376661656134346163383039313061623066346266
+61323138356130383864636235376365313262353330303638626631326634383136323561356635
+32333037386162343365386336613739376564346665396235636330356337373264363933373139
+36373262626530356162313930373131343432313335373338636262663265363861396466633065
+32656465336263336339393933386363316530376530343233643065336239313434

infra/roles/camino/vars/preprod.yml

+---
+base_host: preprod.camino.beta.gouv.fr
+mailjet_contact_list_id: 10250369
+matomo_url: https://stats.preprod.camino.beta.gouv.fr
\ No newline at end of file

infra/roles/camino/vars/preprod_crypt.yml

+$ANSIBLE_VAULT;1.2;AES256;camino
+30313764653036336262636363346634636331303432613235306433373666653466663633643939
+3930333764626337366161643762646664346464326235360a616331643738396666643439373331
+62306639333739363839663837323136336563316632306539373135396134346563366664376135
+6631656138663363610a633561353363376131613233383236303733623438386166613438663266
+39316561326666653061333765396230366233383461636431353339643036323831653434633563
+64623334643765366535333838616135663861306539373363666338396438643333633834316638
+38616132393063373031383364306336666632333361313037396330633832393739356465353839
+35356461313635653439333935643837303563336366366465386638656237333336663038333739
+37313339363034616566643665653161336363393330363734363863346537636166383065613735
+63626438373661393565656562323537356437643166306638333064313864363538663534396536
+61353364636631653631356662353036646466303038363431613065363935383164613339326464
+31613339323164323137643936633532333034613330356463343761343030363732323366386462
+37346235323532373735333264393263623134616339363833363862613133623966366666663430
+33303634373130633230353233666434373864386136636235646132303761393565386134656632
+61343931306164613364303531633632386530313065643061333934333763303937613066656630
+64636462626135626266653635663661613530396431326338353763643037316231626461363433
+33343766373765633333343135663936323234636434326230633864386532323865343433396532
+32363332396439373964373564313264386638663062613061626535373665383934306636383465
+62323334386431633837646266393632386238323761306134626432343062376235373165343533
+61353364613162353239326365373931346339666161393037336433353538663836323866386136
+35613834346365313366623235363935313065346466316136666333626262316635306536393061
+63393835643562396664343466383835653563663862313235346362313762373931626536303439
+65633161353536343737623536353638376230386338623466616230373132326238353434646531
+32646433643230643935346332623737336332616266663336623862633032353832346434616538
+63643165346331656438373738613439353061333437333431393661663464623937333362356430
+63633539353762333565346435636134323634633637643036666237346134353634663136396535
+32656532303133386134356263343430613266396436613062633036363038636333666130613562
+63336136363162393037626330623034353163303363303564623335643566613535326264393630
+62303233616430626166643735313864306363396561343963663361646131663764343237336236
+33666132633164323030393739656636386562666130306666323836383934636262666365666335
+31316462326564383738666366643965316232393535333166663539616136363537353934383536
+64363131366435356330313364383437316263383161653831303734313037613535303530363334
+33653665636632356661343035336662613437613132363735366261326364356631633164316164
+3733393961616661666364316138653139306263356433316233

infra/roles/camino/vars/prod.yml

+---
+base_host: camino.beta.gouv.fr
+mailjet_contact_list_id: 10250369
+matomo_url: https://stats.data.gouv.fr
\ No newline at end of file

infra/roles/camino/vars/prod_crypt.yml

+$ANSIBLE_VAULT;1.2;AES256;prod
+30313433623334653262356265313362353735316664646333303131366331326465393933626538
+6430623065666138613331653838626334366539333964320a323864656135363731346130313535
+35343863313166626431333736343263653963356265373462623439363535323536353065646363
+3735613134303961310a343535373230393035663132313261356162663231376531636630323734
+66316662643066363963376535626466646466373261313065336231326366353535343733393536
+35626662663138613962323237313831663437303930613537653430353733616136303135633436
+62353731653866613264653661656139306435303539623664623232303866363137323661316631
+62393633373264366636316530343264613837376361646334646162306330633535636636353636
+37623433633538363830646136383232343339636231373762613335653538366339643834663134
+31653563353736626665396566323764633430313039656436343864383636373062653262653130
+31353965623966306164353462343735363631366263306465336137633461646139383766326337
+64643336333434343135306566656138313532323064396464623636646664323466346465656637
+66383738346362626537643637313332643537303132356630356564643861323639643638333930
+32326439643163303130666566623734663865343761353662313932396436303638386233376534
+66343738653261666266383234353063666665383432306234656631646634376666306132333938
+37313131383661626334383039303961343439383537646330376431396331616363656662383230
+33313763336139386565376131356266376566306261323039393762633138666366333532393936
+33613833356535313536326365656363313432373363343663613062386165353535323862383466
+62623534393863656465633361346261333262353735626361383636616238663231386336306466
+38613039646638626234316534616138336533656133636133656632346533666638636663646436
+37626433313439393236663666636666336533353530333135353864343635383734336661346131
+65623735393963623135616365643162313737346530353236393862323466383530653165643766
+31393031333537393235363530613836386536313531353533323763346266646232313434313137
+31393335373338313737643233366663353732633838633232373633356162303363613335616333
+61633162396261643239616535336661346265656434626433383761636233326161623834303136
+62326562306430626565613532306363313531323539616461653866376439316166366362353735
+61376637313936306638323863323465663931663866666662326230613331623539636637666661
+63313364376363613238373737356337343038376165656263646661643664396632356666356662
+30666336653531613938366235623033643139333432393432356233396464326437363835663534
+31316630393863346436666431613138643161353332613864643062396530393330616434636535
+35623538363632393262333037636661383662373965333564313265343433303062333265336336
+39333236316165323465646334633361353037646638613561336134633137623064353636663764
+34636133666664613939306463316130383432333931396638623165656530623163

infra/roles/devAndPreprod/files/apply-prod

+#!/bin/bash
+
+echo 'Mise en place des fichiers de prod'
+rsync --delete -r /srv/backups/camino_prod/files/ /srv/www/camino/files
+echo "Arrêt de l'api"
+docker stop camino_api_app
+echo "Insertion du dump de la BDD"
+docker exec -i camino_api_db dropdb --username=postgres camino
+docker exec -i camino_api_db createdb  --username=postgres camino
+docker exec -i camino_api_db pg_restore --clean --if-exists --no-owner --no-privileges --dbname=camino < /srv/backups/camino_prod.sql
+echo "Redémarrage de l'api"
+docker restart camino_api_app

infra/roles/devAndPreprod/tasks/main.yml

+---
+- name: Ajoute le script pour pouvoir mettre les données de production sur cet environnement
+  copy:
+    src: apply-prod
+    dest: /srv/scripts/
+    mode: u=rwx,g=rx,o=r
+    owner: git
+    group: users
+  become: True
+- name: Ajoute l'utilisateur "prod"
+  ansible.builtin.user:
+    name: prod
+    group: users
+    home: /srv/backups
+  become: True
+- name: Donne les droits à la home de l'utilisateur "prod"
+  file:
+    path: /srv/backups
+    owner: prod
+  become: True
+- name: Autorize la prod à se connecter à cet utilisateur
+  ansible.posix.authorized_key:
+    user: prod
+    state: present
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD7mv4+VawmpFwFvwzyp4Iqt7xK+mO5WdgXBpaPbzBKL6kfv8nO5q2wf595T9mtmOX4RX2SFWozk0rL977sVPRONM5AVL0dqykp7PEdKQ9eaK9ZwK7e9vPqpJqwwCOJr40rX8Ztki6G75b3F7IZPEtf6keQQv6QGsTb2+Hn4Jr1rWBSOptcVxeyABXcV/UkaB+4PQ5aIP/ANGtskwtas/IrYi51VRxh8F/we8NeWdIuiJFheLQTXETrOMKzR9mnR1HA7TDD2IDEvEP2pZpFXvyRoVSyPQU3Mqosdb6TeVEtky92yOi0mH5I+ANe0fKirAZ3ntN1tWpXR7UBL7Kcz7T git@camino-prod
+  become: True
\ No newline at end of file

infra/roles/nginx/files/docker-compose.yml

+version: '3'
+
+services:
+
+  nginx:
+    image: nginx:1.22.0
+    labels: 
+      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
+    container_name: nginx
+    restart: unless-stopped
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /srv/www/nginx-proxy/conf.d:/etc/nginx/conf.d
+      - /srv/www/nginx-proxy/vhost.d:/etc/nginx/vhost.d
+      - /srv/www/nginx-proxy/html:/usr/share/nginx/html
+      - /srv/www/nginx-proxy/certs:/etc/nginx/certs:ro
+
+  nginx-gen:
+    image: jwilder/docker-gen:0.9-debian
+    command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    container_name: nginx-gen
+    restart: unless-stopped
+    volumes:
+      - /srv/www/nginx-proxy/conf.d:/etc/nginx/conf.d
+      - /srv/www/nginx-proxy/vhost.d:/etc/nginx/vhost.d
+      - /srv/www/nginx-proxy/html:/usr/share/nginx/html
+      - /srv/www/nginx-proxy/certs:/etc/nginx/certs:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - /srv/www/nginx-proxy/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
+
+  nginx-letsencrypt:
+    image: jrcs/letsencrypt-nginx-proxy-companion:2.2.1
+    container_name: nginx-letsencrypt
+    restart: unless-stopped
+    volumes:
+      - /srv/www/nginx-proxy/conf.d:/etc/nginx/conf.d
+      - /srv/www/nginx-proxy/vhost.d:/etc/nginx/vhost.d
+      - /srv/www/nginx-proxy/html:/usr/share/nginx/html
+      - /srv/www/nginx-proxy/certs:/etc/nginx/certs:rw
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
+      NGINX_PROXY_CONTAINER: "nginx"
+
+networks:
+
+  default:
+    external:
+      name: nginx-proxy

infra/roles/nginx/files/nginx.tmpl

+{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
+
+{{ define "upstream" }}
+	{{ if .Address }}
+		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
+		{{ if and .Container.Node.ID .Address.HostPort }}
+			# {{ .Container.Node.Name }}/{{ .Container.Name }}
+			server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
+		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
+		{{ else if .Network }}
+			# {{ .Container.Name }}
+			server {{ .Network.IP }}:{{ .Address.Port }};
+		{{ end }}
+	{{ else if .Network }}
+		# {{ .Container.Name }}
+		{{ if .Network.IP }}
+			server {{ .Network.IP }} down;
+		{{ else }}
+			server 127.0.0.1 down;
+		{{ end }}
+	{{ end }}
+
+{{ end }}
+
+{{ define "ssl_policy" }}
+	{{ if eq .ssl_policy "Mozilla-Modern" }}
+		ssl_protocols TLSv1.3;
+		{{/* nginx currently lacks ability to choose ciphers in TLS 1.3 in configuration, see https://trac.nginx.org/nginx/ticket/1529 /*}}
+		{{/* a possible workaround can be modify /etc/ssl/openssl.cnf to change it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12 ) /*}}
+		{{/* explicitly set ngnix default value in order to allow single servers to override the global http value */}}
+		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_prefer_server_ciphers off;
+	{{ else if eq .ssl_policy "Mozilla-Intermediate" }}
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+		ssl_prefer_server_ciphers off;
+	{{ else if eq .ssl_policy "Mozilla-Old" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
+		ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2016-08" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-05" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-03" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-02" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ end }}
+{{ end }}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+# Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+
+access_log off;
+
+{{/* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}}
+{{ $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }}
+{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+{{ if $.Env.RESOLVERS }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
+{{ if (exists "/etc/nginx/proxy.conf") }}
+include /etc/nginx/proxy.conf;
+{{ else }}
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+{{ end }}
+
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 80;
+	{{ if $enable_ipv6 }}
+	listen [::]:80;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+
+{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 443 ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+
+{{ $host := trim $host }}
+{{ $is_regexp := hasPrefix "~" $host }}
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+# {{ $host }}
+upstream {{ $upstream_name }} {
+
+{{ range $container := $containers }}
+	{{ $addrLen := len $container.Addresses }}
+
+	{{ range $knownNetwork := $CurrentContainer.Networks }}
+		{{ range $containerNetwork := $container.Networks }}
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
+				## Can be connected with "{{ $containerNetwork.Name }}" network
+
+				{{/* If only 1 port exposed, use that */}}
+				{{ if eq $addrLen 1 }}
+					{{ $address := index $container.Addresses 0 }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
+				{{ else }}
+					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
+					{{ $address := where $container.Addresses "Port" $port | first }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
+			{{ end }}
+		{{ end }}
+	{{ end }}
+{{ end }}
+}
+
+{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
+{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
+
+{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+
+{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
+{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
+
+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}}
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
+
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
+
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
+
+
+{{/* Get the first cert name defined by containers w/ the same vhost */}}
+{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
+
+{{/* Get the best matching cert  by name for the vhost. */}}
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
+
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}
+
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
+{{ $cert := (coalesce $certName $vhostCert) }}
+
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+
+{{ if $is_https }}
+
+{{ if eq $https_method "redirect" }}
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 301 https://$host$request_uri;
+}
+{{ end }}
+
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+	ssl_session_timeout 5m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+	{{ end }}
+
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ end }}
+
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 500;
+
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ end }}
+{{ end }}
+

infra/roles/nginx/tasks/main.yml

+---
+- name: Met en place le docker-compose
+  ansible.builtin.copy:
+    src: docker-compose.yml
+    dest: /srv/www/nginx-proxy/docker-compose.yml
+    owner: git
+    group: users
+    mode: u=rw,g=r,o=r
+  become: True
+- name: Ajoute le fichier de template nginx
+  ansible.builtin.copy:
+    src: nginx.tmpl
+    dest: /srv/www/nginx-proxy/nginx.tmpl
+    owner: git
+    group: users
+    mode: u=rw,g=r,o=r
+  become: True
+
+- name: Install python-pip
+  ansible.builtin.apt:
+    name: python3-pip
+    state: present
+  become: True
+- name: Install docker support for python
+  ansible.builtin.pip:
+    name:
+      - docker
+      - docker-compose
+- name: Create and start services
+  community.docker.docker_compose:
+    project_src: /srv/www/nginx-proxy
\ No newline at end of file

infra/roles/prod/tasks/main.yml

+---
+- name: Ajoute le script de backup
+  ansible.builtin.template:
+    src: backup
+    dest: /srv/scripts/
+    mode: u=rwx,g=rx,o=r
+    owner: git
+    group: users
+    backup: yes
+  become: True
+- name: Ajoute le job de backup de la prod
+  ansible.builtin.cron:
+    name: "backup"
+    minute: "0"
+    hour: "2"
+    job: "/srv/scripts/backup"
+    user: git
+  become: True
+- name: Transfert des données de la prod vers les autres environnements
+  block:
+    - name: Ajoute le script pour pouvoir transférer les données de la prod vers les autres environnements
+      ansible.builtin.template:
+        src: transfer_data_to_dev_and_preprod
+        dest: /srv/scripts/
+        mode: u=rwx,g=rx,o=r
+        owner: git
+        group: users
+      become: True
+    - name: Ajoute le job de copie des données de la prod vers les autres environnements
+      ansible.builtin.cron:
+        name: "transfer_data"
+        minute: "0"
+        hour: "5"
+        job: "/srv/scripts/transfer_data_to_dev_and_preprod"
+        user: git
+      become: True
\ No newline at end of file