Fix playbooks for clean re-deploy

jaseg 2021-12-07 16:53:18 +01:00
parent ab91420bb6
commit 591b7b8aac
14 changed files with 364 additions and 320 deletions

3
.gitmodules vendored

@ -13,3 +13,6 @@
[submodule "checkouts/vcd-render"] [submodule "checkouts/vcd-render"]
path = checkouts/vcd-render path = checkouts/vcd-render
url = git@git.jaseg.de:vcd-render.git url = git@git.jaseg.de:vcd-render.git
[submodule "checkouts/gitolite-admin"]
path = checkouts/gitolite-admin
url = git@git.jaseg.de:gitolite-admin.git


@ -13,9 +13,9 @@
- name: Download arch bootstrap image - name: Download arch bootstrap image
get_url: get_url:
url: http://mirror.rackspace.com/archlinux/iso/2021.02.01/archlinux-bootstrap-2021.02.01-x86_64.tar.gz url: http://mirror.rackspace.com/archlinux/iso/2021.12.01/archlinux-bootstrap-2021.12.01-x86_64.tar.gz
dest: /tmp/arch-bootstrap.tar.xz dest: /tmp/arch-bootstrap.tar.xz
checksum: sha256:90afa6b420f5d171de71fdd11fc4f10a4ef30fdf61e4f3733958bea7bdbc0fa9 checksum: sha256:d3d6d346001cd8a202fe5cc895897b54cc0edfc96790dd8d56888389d8a810e7
when: create_container is changed when: create_container is changed
- name: Create container image filesystem - name: Create container image filesystem

@ -0,0 +1 @@
Subproject commit ed4120795750731d9b05c5e24f09be5ad72ef216


@ -2,7 +2,7 @@
all: all:
hosts: hosts:
wendelstein: wendelstein:
ansible_host: wendelstein.jaseg.net ansible_host: wendelstein.jaseg.de
ansible_ssh_identity_file: ~/.ssh/id_ed25519 ansible_ssh_identity_file: ~/.ssh/id_ed25519
ansible_user: root ansible_user: root
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3


@ -38,51 +38,51 @@ http {
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name .jaseg.net; server_name .jaseg.de;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server { # server {
listen 443 ssl http2 default_server; # listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; # listen [::]:443 ssl http2 default_server;
server_name gerbolyze.jaseg.net; # server_name gerbolyze.jaseg.net;
root /usr/share/nginx/html; # root /usr/share/nginx/html;
#
ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem"; # ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem"; # ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; # ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf; # include /etc/letsencrypt/options-ssl-nginx.conf;
#
ssl_stapling on; # ssl_stapling on;
ssl_stapling_verify on; # ssl_stapling_verify on;
#
resolver 67.207.67.2 67.207.67.3 valid=300s; # resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s; # resolver_timeout 10s;
#
add_header Strict-Transport-Security "max-age=86400"; # add_header Strict-Transport-Security "max-age=86400";
#
# Load configuration files for the default server block. # # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf; # include /etc/nginx/default.d/*.conf;
#
location ^~ /static/ { # location ^~ /static/ {
root /var/lib/gerboweb; # root /var/lib/gerboweb;
} # }
#
location / { # location / {
include uwsgi_params; # include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/gerboweb.socket; # uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
} # }
#
error_page 404 /404.html; # error_page 404 /404.html;
location = /40x.html { # location = /40x.html {
root /usr/share/nginx/html; # root /usr/share/nginx/html;
} # }
#
error_page 500 502 503 504 /50x.html; # error_page 500 502 503 504 /50x.html;
location = /50x.html { # location = /50x.html {
root /usr/share/nginx/html; # root /usr/share/nginx/html;
} # }
} # }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
@ -188,170 +188,170 @@ http {
} }
} }
server { # server {
listen 443 ssl http2; # listen 443 ssl http2;
listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
server_name kochbuch.jaseg.net; # server_name kochbuch.jaseg.de;
root /usr/share/nginx/html; # root /usr/share/nginx/html;
#
# ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.de/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.de/privkey.pem";
# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
# include /etc/letsencrypt/options-ssl-nginx.conf;
#
# ssl_stapling on;
# ssl_stapling_verify on;
#
# resolver 67.207.67.2 67.207.67.3 valid=300s;
# resolver_timeout 10s;
#
# add_header Strict-Transport-Security "max-age=86400";
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# auth_basic "blubb";
# auth_basic_user_file /etc/nginx/kochbuch.htpasswd;
# root /var/www/kochbuch.jaseg.de;
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# root /usr/share/nginx/html;
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
# }
ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.net/fullchain.pem"; # server {
ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.net/privkey.pem"; # listen 443 ssl http2;
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; # listen [::]:443 ssl http2;
include /etc/letsencrypt/options-ssl-nginx.conf; # server_name pogojig.jaseg.net;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
# include /etc/letsencrypt/options-ssl-nginx.conf;
#
# ssl_stapling on;
# ssl_stapling_verify on;
#
# resolver 67.207.67.2 67.207.67.3 valid=300s;
# resolver_timeout 10s;
# client_max_body_size 10M;
#
# add_header Strict-Transport-Security "max-age=86400";
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location ^~ /pogospace/ {
# root /var/lib/pogojig/pogospace;
# }
#
# location / {
# include uwsgi_params;
# uwsgi_pass unix:/run/uwsgi/pogojig.socket;
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# root /usr/share/nginx/html;
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
# }
ssl_stapling on; # server {
ssl_stapling_verify on; # listen 443 ssl http2;
# listen [::]:443 ssl http2;
resolver 67.207.67.2 67.207.67.3 valid=300s; # server_name tracespace.jaseg.net;
resolver_timeout 10s; # root /usr/share/nginx/html;
#
add_header Strict-Transport-Security "max-age=86400"; # ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
# Load configuration files for the default server block. # ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/nginx/default.d/*.conf; # include /etc/letsencrypt/options-ssl-nginx.conf;
#
location / { # ssl_stapling on;
auth_basic "blubb"; # ssl_stapling_verify on;
auth_basic_user_file /etc/nginx/kochbuch.htpasswd; #
root /var/www/kochbuch.jaseg.net; # resolver 67.207.67.2 67.207.67.3 valid=300s;
} # resolver_timeout 10s;
#
error_page 404 /404.html; # add_header Strict-Transport-Security "max-age=86400";
location = /40x.html { #
root /usr/share/nginx/html; # # Load configuration files for the default server block.
} # include /etc/nginx/default.d/*.conf;
#
error_page 500 502 503 504 /50x.html; # location / {
location = /50x.html { # root /var/www/tracespace.jaseg.net;
root /usr/share/nginx/html; # }
} #
} # error_page 404 /404.html;
# location = /40x.html {
# root /usr/share/nginx/html;
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
# }
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name openjscad.jaseg.net;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
# ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
# include /etc/letsencrypt/options-ssl-nginx.conf;
#
# ssl_stapling on;
# ssl_stapling_verify on;
#
# resolver 67.207.67.2 67.207.67.3 valid=300s;
# resolver_timeout 10s;
#
# add_header Strict-Transport-Security "max-age=86400";
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# root /var/www/openjscad.jaseg.net;
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# root /usr/share/nginx/html;
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
# }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name pogojig.jaseg.net; server_name vcdrender.jaseg.de;
root /usr/share/nginx/html; root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem"; ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.de/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem"; ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.de/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s;
client_max_body_size 10M;
add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location ^~ /pogospace/ {
root /var/lib/pogojig/pogospace;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/pogojig.socket;
}
error_page 404 /404.html;
location = /40x.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name tracespace.jaseg.net;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
root /var/www/tracespace.jaseg.net;
}
error_page 404 /404.html;
location = /40x.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name openjscad.jaseg.net;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
root /var/www/openjscad.jaseg.net;
}
error_page 404 /404.html;
location = /40x.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vcdrender.jaseg.net;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf; include /etc/letsencrypt/options-ssl-nginx.conf;
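Review bot: Commenting out the gerbolyze block in the first hunk removes the only `default_server` on port 443 visible here, so nginx falls back to whichever 443 server block comes first in the file for any unmatched or missing SNI name. That block would then answer requests for the retired .jaseg.net hosts with its own certificate and content. An explicit catch-all keeps this deliberate, for example a small server with `listen 443 ssl http2 default_server;` and `ssl_reject_handshake on;` (needs nginx 1.19.4 or newer). The disabled blocks could also be deleted rather than commented out, since the history keeps them. The http block continues outside the visible hunks.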


@ -1,34 +1,34 @@
- name: DNS setup #- name: DNS setup
hosts: localhost # hosts: localhost
tags: dns # tags: dns
module_defaults: # module_defaults:
inwx: # inwx:
username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}" # username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}"
password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}" # password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}"
vars: # vars:
subdomains: # subdomains:
- git.jaseg.net # - git.jaseg.net
- git.jaseg.de # - git.jaseg.de
- blog.jaseg.net # - blog.jaseg.net
- blog.jaseg.de # - blog.jaseg.de
- kochbuch.jaseg.net # - kochbuch.jaseg.net
- gerbolyze.jaseg.net # - gerbolyze.jaseg.net
- tracespace.jaseg.net # - tracespace.jaseg.net
- openjscad.jaseg.net # - openjscad.jaseg.net
- pogojig.jaseg.net # - pogojig.jaseg.net
- automation.jaseg.de # - automation.jaseg.de
- dyndns.jaseg.de # - dyndns.jaseg.de
fastmail_domains: # fastmail_domains:
- jaseg.net # - jaseg.net
- jaseg.de # - jaseg.de
tasks: # tasks:
- name: Gather wendelstein facts # - name: Gather wendelstein facts
setup: # setup:
delegate_to: wendelstein # delegate_to: wendelstein
delegate_facts: True # delegate_facts: True
#
- name: Setup DNS # - name: Setup DNS
include_tasks: dns.yml # include_tasks: dns.yml
- name: Wendelstein setup - name: Wendelstein setup
@ -37,7 +37,7 @@
- name: Set hostname - name: Set hostname
tags: setup tags: setup
hostname: hostname:
name: wendelstein.jaseg.net name: wendelstein.jaseg.de
- name: Install common admin tools - name: Install common admin tools
tags: setup tags: setup
@ -48,7 +48,7 @@
- name: Install host requisites - name: Install host requisites
tags: setup tags: setup
dnf: dnf:
name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd,python3-virtualenv
state: latest state: latest
- name: Disable password-based root login - name: Disable password-based root login
@ -82,17 +82,17 @@
enabled: yes enabled: yes
state: started state: started
- name: Create containers # - name: Create containers
tags: setup # tags: setup
include_tasks: # include_tasks:
file: setup_containers.yml # file: setup_containers.yml
apply: # apply:
tags: setup # tags: setup
vars: # vars:
containers: # containers:
- gerboweb # - gerboweb
- clippy # - clippy
- pogojig # - pogojig
- name: Setup web server - name: Setup web server
tags: www tags: www
@ -101,19 +101,19 @@
apply: apply:
tags: www tags: www
- name: Setup gerboweb # - name: Setup gerboweb
tags: gerboweb # tags: gerboweb
include_tasks: # include_tasks:
file: setup_gerboweb.yml # file: setup_gerboweb.yml
apply: # apply:
tags: gerboweb # tags: gerboweb
- name: Setup clippy # - name: Setup clippy
tags: clippy # tags: clippy
include_tasks: # include_tasks:
file: setup_clippy.yml # file: setup_clippy.yml
apply: # apply:
tags: clippy # tags: clippy
- name: Setup secure download - name: Setup secure download
tags: secure-download tags: secure-download
@ -122,26 +122,26 @@
apply: apply:
tags: secure-download tags: secure-download
- name: Setup tracespace # - name: Setup tracespace
tags: pogojig # tags: pogojig
include_tasks: # include_tasks:
file: setup_tracespace.yml # file: setup_tracespace.yml
apply: # apply:
tags: pogojig # tags: pogojig
- name: Setup openjscad # - name: Setup openjscad
tags: pogojig # tags: pogojig
include_tasks: # include_tasks:
file: setup_openjscad.yml # file: setup_openjscad.yml
apply: # apply:
tags: pogojig # tags: pogojig
- name: Setup pogojig # - name: Setup pogojig
tags: pogojig # tags: pogojig
include_tasks: # include_tasks:
file: setup_pogojig.yml # file: setup_pogojig.yml
apply: # apply:
tags: pogojig # tags: pogojig
- name: Setup notification proxy - name: Setup notification proxy
tags: notification-proxy tags: notification-proxy
@ -164,3 +164,10 @@
file: setup_dyndns.yml file: setup_dyndns.yml
apply: apply:
tags: dyndns tags: dyndns
- name: Setup vcd-to-8-segment-svg render thingy for TUD's WS2021 LE course
tags: vcdrender
include_tasks:
file: setup_vcd_render.yml
apply:
tags: vcdrender
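Review bot: Several plays and tasks (DNS setup, container creation, gerboweb, clippy, tracespace, openjscad, pogojig) are disabled by commenting them out, with nothing recording why or whether they should return. A one-line comment above each, such as `# Disabled for the jaseg.de re-deploy: <reason>`, would tell the next person running the playbook which services are intentionally absent from the host. An alternative that avoids commented-out YAML is to gate them, e.g. `when: enable_legacy_apps | default(false)`. The play these tasks belong to starts outside the visible hunks.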


@ -11,6 +11,12 @@
group: root group: root
mode: 0644 mode: 0644
- name: Disable systemd-resolved
systemd:
name: systemd-resolved.service
enabled: no
state: stopped
- name: Enable and launch nsd systemd service - name: Enable and launch nsd systemd service
systemd: systemd:
name: nsd.service name: nsd.service
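Review bot: Stopping systemd-resolved in the new `Disable systemd-resolved` task can leave the host without a working resolver if /etc/resolv.conf still points at the resolved stub address, and later steps of this deploy (dnf, pip, certificate issuance) need DNS. Nothing visible in this hunk rewrites resolv.conf, so it may be handled elsewhere. If it is not, add a task before this one that installs a static resolv.conf. If a port 53 conflict with nsd is the reason, record it with a comment such as `# resolved's stub listener conflicts with nsd on port 53`.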


@ -1,6 +1,10 @@
- name: Set local facts
set_fact:
gitolite_ssh_key: ~/.ssh/id_ed25519.gitolite
- name: Install host requisites - name: Install host requisites
dnf: dnf:
name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown,python3-markdown name: cgit,gitolite3,python3-pygments,python3-docutils,python3-markdown
state: latest state: latest
- name: Copy cgit logo - name: Copy cgit logo
@ -47,6 +51,7 @@
daemon-reload: yes daemon-reload: yes
name: uwsgi-app@cgit.socket name: uwsgi-app@cgit.socket
enabled: yes enabled: yes
state: started
- name: Check if gitolite ssh config exists - name: Check if gitolite ssh config exists
stat: stat:
@ -57,7 +62,7 @@
block: block:
- name: Copy gitolite admin pubkey - name: Copy gitolite admin pubkey
copy: copy:
src: ~/.ssh/id_ed25519.gitolite.pub src: "{{gitolite_ssh_key}}.pub"
dest: /tmp/jaseg-gitolite.pub dest: /tmp/jaseg-gitolite.pub
owner: gitolite3 owner: gitolite3
group: gitolite3 group: gitolite3
@ -90,16 +95,6 @@
groups: gitolite3 groups: gitolite3
append: yes append: yes
- name: Allow cgit uwsgi user to access gitolite repos
file:
path: /var/lib/gitolite3/repositories
mode: 0750
- name: Allow cgit uwsgi user to gitolite repo list
file:
path: /var/lib/gitolite3/projects.list
mode: 0640
- name: Copy gitolite rc - name: Copy gitolite rc
copy: copy:
src: gitolite.rc src: gitolite.rc
@ -108,6 +103,30 @@
group: gitolite3 group: gitolite3
mode: 0600 mode: 0600
- name: Query system user account info
getent:
database: passwd
key: gitolite3
- name: Create git alias user
user:
name: git
create_home: no
group: gitolite3
password: '!'
comment: Alias for gitolite3 user
shell: "{{ getent_passwd['gitolite3'][5] }}"
system: yes
non_unique: yes
home: "{{ getent_passwd['gitolite3'][4] }}"
uid: "{{ getent_passwd['gitolite3'][1] }}"
- name: Upload gitolite-admin repo
command: env "GIT_SSH_COMMAND=ssh -i {{gitolite_ssh_key}}" git push --force git@{{ansible_hostname}}:gitolite-admin.git master
args:
chdir: checkouts/gitolite-admin
delegate_to: localhost
- name: Create gitolite hook dir - name: Create gitolite hook dir
file: file:
path: /var/lib/gitolite3/local/hooks/repo-specific path: /var/lib/gitolite3/local/hooks/repo-specific
@ -132,27 +151,19 @@
group: gitolite3 group: gitolite3
mode: 0570 mode: 0570
- name: Query system user account info
getent:
database: passwd
key: gitolite3
- name: Create git alias user
user:
name: git
create_home: no
group: gitolite3
password: '!'
comment: Alias for gitolite3 user
shell: "{{ getent_passwd['gitolite3'][5] }}"
system: yes
non_unique: yes
home: "{{ getent_passwd['gitolite3'][4] }}"
uid: "{{ getent_passwd['gitolite3'][1] }}"
- name: Hack to fix cgit handling for restructuredtext readmes - name: Hack to fix cgit handling for restructuredtext readmes
file: file:
src: /usr/bin/rst2html src: /usr/bin/rst2html
dest: /usr/bin/rst2html.py dest: /usr/bin/rst2html.py
state: link state: link
- name: Allow cgit uwsgi user to access gitolite repos
file:
path: /var/lib/gitolite3/repositories
mode: 0750
- name: Allow cgit uwsgi user to gitolite repo list
file:
path: /var/lib/gitolite3/projects.list
mode: 0640
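Review bot: The new `Upload gitolite-admin repo` task runs `git push --force` on every play, so whatever commit the local checkouts/gitolite-admin submodule is on replaces the server's access-control configuration, and a stale checkout would silently roll back later key or permission changes. A plain push, or `--force-with-lease`, with the forced variant limited to first-time provisioning, would avoid that. The target `git@{{ansible_hostname}}` uses the short hostname fact rather than the inventory address and may not resolve from the controller; `git@{{ansible_host}}:gitolite-admin.git` would match the inventory. As a `command` task it always reports changed, so a `changed_when` is worth adding.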


@ -5,7 +5,7 @@
- name: Copy webapp sources - name: Copy webapp sources
synchronize: synchronize:
src: checkouts/secure_download/ src: checkouts/secure-download/
dest: /var/lib/secure_download/ dest: /var/lib/secure_download/
group: no group: no
owner: no owner: no


@ -3,6 +3,11 @@
set_fact: set_fact:
vcdrender_cache: /var/cache/vcd-render vcdrender_cache: /var/cache/vcd-render
- name: Install host requisites
dnf:
name: python3-lxml
state: latest
- name: Copy webapp sources - name: Copy webapp sources
synchronize: synchronize:
src: checkouts/vcd-render/ src: checkouts/vcd-render/
@ -11,6 +16,15 @@
group: no group: no
owner: no owner: no
- name: Setup webapp python requirements
pip:
name:
- beautifulsoup4
- flask
- vcdvcd
virtualenv: /var/lib/vcd-render/venv
virtualenv_site_packages: true
- name: Create uwsgi worker user and group - name: Create uwsgi worker user and group
user: user:
name: uwsgi-vcdrender name: uwsgi-vcdrender
@ -23,8 +37,8 @@
- name: Template webapp config - name: Template webapp config
template: template:
src: vcdrender.cfg.j2 src: vcdrender.cfg.j2
dest: /var/lib/pogojig/pogojig_prod.cfg dest: /var/lib/vcd-render/vcdrender_prod.cfg
owner: uwsgi-pogojig owner: uwsgi-vcdrender
group: root group: root
mode: 0660 mode: 0660
@ -41,6 +55,7 @@
daemon-reload: yes daemon-reload: yes
name: uwsgi-app@vcdrender.socket name: uwsgi-app@vcdrender.socket
enabled: yes enabled: yes
state: started
# FIXME the socket doesn't seem to work properly # FIXME the socket doesn't seem to work properly
- name: Enable uwsgi systemd service - name: Enable uwsgi systemd service
@ -49,7 +64,7 @@
name: uwsgi-app@vcdrender.service name: uwsgi-app@vcdrender.service
enabled: yes enabled: yes
- name: Copy pogojig cache dir tmpfiles.d config - name: Copy vcdrender cache dir tmpfiles.d config
template: template:
src: tmpfiles-vcdrender.conf.j2 src: tmpfiles-vcdrender.conf.j2
dest: /etc/tmpfiles.d/vcdrender.conf dest: /etc/tmpfiles.d/vcdrender.conf
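Review bot: The new `Setup webapp python requirements` task installs `beautifulsoup4`, `flask` and `vcdvcd` from the package index without version pins, so each clean re-deploy can pull different code into a network-facing service. Pin the versions, e.g. `- flask==<pinned version>`, or point the `pip` module's `requirements` parameter at a requirements file kept in the checkout. Separately, the templated vcdrender_prod.cfg holds SECRET_KEY and stays at `mode: 0660` with the worker as owner, so the app can rewrite its own config. `owner: root`, `group: uwsgi-vcdrender`, `mode: 0640` would make it read-only to the worker, assuming that group is created by the user task, which is only partly visible here.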


@ -20,8 +20,8 @@
- git.jaseg.de - git.jaseg.de
- blog.jaseg.de - blog.jaseg.de
- kochbuch.jaseg.net - kochbuch.jaseg.net
- tracespace.jaseg.net # - tracespace.jaseg.net
- openjscad.jaseg.net # - openjscad.jaseg.net
- automation.jaseg.de - automation.jaseg.de
- name: Create blog content dir - name: Create blog content dir
@ -61,15 +61,15 @@
- git.jaseg.de - git.jaseg.de
- blog.jaseg.net - blog.jaseg.net
- blog.jaseg.de - blog.jaseg.de
- kochbuch.jaseg.net
- kochbuch.jaseg.de
- gerbolyze.jaseg.net
- tracespace.jaseg.net
- openjscad.jaseg.net
- pogojig.jaseg.net
- automation.jaseg.de - automation.jaseg.de
- dyndns.jaseg.de - dyndns.jaseg.de
- vcdrender.jaseg.de - vcdrender.jaseg.de
# - kochbuch.jaseg.de
# - kochbuch.jaseg.net
# - gerbolyze.jaseg.net
# - tracespace.jaseg.net
# - openjscad.jaseg.net
# - pogojig.jaseg.net
- name: Copy final nginx config - name: Copy final nginx config
copy: copy:
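Review bot: The two domain lists are now out of step: the first hunk still lists `kochbuch.jaseg.net` while disabling tracespace and openjscad, whereas the second hunk comments out both kochbuch names. If both lists feed the same web-root and certificate setup, the leftover entry keeps provisioning a host that no longer has an active server block. Either change it to `# - kochbuch.jaseg.net` in the first list too, or add a comment saying why it stays. The tasks that consume these lists start outside the visible hunks.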


@ -1 +1 @@
d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d d {{secure_download_dir}} 770 uwsgi-secure-download uwsgi 45d


@ -5,6 +5,7 @@ die-on-idle = False
manage-script-name = True manage-script-name = True
plugins = python3 plugins = python3
chdir = /var/lib/vcd-render chdir = /var/lib/vcd-render
mount = /=pogojig:app mount = /=8seg_vcd_render:app
env = VCD8SEG_SETTINGS=vcdrender_prod.cfg env = VCD8SEG_SETTINGS=vcdrender_prod.cfg
home = /var/lib/vcd-render/venv


@ -1,2 +1,2 @@
SECRET_KEY="{{lookup('password', 'vcdrender_flask_secret.txt length=32')}}" SECRET_KEY="{{lookup('password', 'vcdrender_flask_secret.txt length=32')}}"
UPLOAD_PATH="{{pogojig_cache}}/upload" UPLOAD_PATH="{{vcdrender_cache}}/upload"