From 5da32b9072b1f147ea50743dc6e5e5cdd5e6cc55 Mon Sep 17 00:00:00 2001 
From: Emmanuel Cazenave Date: Tue, 9 Jan 2018 14:30:23 +0100 Subject: [PATCH] hobo, combo, authentic install --- .gitignore | 1 + README.rst | 82 +++++++++++++++---- clean.yml | 75 +++++++++++++++++ install.yml | 9 ++ inventory.yml | 47 +++++++++++ main.yml | 5 -- pip_install_source.yml | 7 ++ requirements.txt | 1 + roles/agent-setup/tasks/main.yml | 30 +++++++ .../templates/hobo-agent-settings.j2 | 9 ++ .../templates/hobo-agent-supervisor.j2 | 26 ++++++ roles/agent-setup/templates/hobo-agent.j2 | 2 + roles/app-setup/tasks/main.yml | 71 ++++++++++++++++ roles/app-setup/templates/app-manage.j2 | 2 + roles/app-setup/templates/app-server.j2 | 2 + roles/app-setup/templates/app-settings.j2 | 20 +++++ .../app-setup/templates/server-supervisor.j2 | 28 +++++++ roles/authentic/tasks/main.yml | 77 +++++++---------- roles/base/tasks/main.yml | 38 +++++++++ roles/base/templates/getlasso.j2 | 17 ++++ roles/combo/tasks/main.yml | 28 +++++++ roles/end/tasks/main.yml | 11 +++ roles/hobo/tasks/main.yml | 63 ++++++++++++++ roles/nginx-setup/tasks/main.yml | 13 +++ roles/nginx-setup/templates/nginx-server.j2 | 41 ++++++++++ roles/wcs/tasks/main.yml | 12 +++ 26 files changed, 646 insertions(+), 71 deletions(-) create mode 100644 .gitignore create mode 100644 clean.yml create mode 100644 install.yml create mode 100644 inventory.yml delete mode 100644 main.yml create mode 100644 pip_install_source.yml create mode 100644 requirements.txt create mode 100644 roles/agent-setup/tasks/main.yml create mode 100644 roles/agent-setup/templates/hobo-agent-settings.j2 create mode 100644 roles/agent-setup/templates/hobo-agent-supervisor.j2 create mode 100644 roles/agent-setup/templates/hobo-agent.j2 create mode 100644 roles/app-setup/tasks/main.yml create mode 100644 roles/app-setup/templates/app-manage.j2 create mode 100644 roles/app-setup/templates/app-server.j2 create mode 100644 roles/app-setup/templates/app-settings.j2 create mode 100644 roles/app-setup/templates/server-supervisor.j2 create 
mode 100644 roles/base/tasks/main.yml create mode 100644 roles/base/templates/getlasso.j2 create mode 100644 roles/combo/tasks/main.yml create mode 100644 roles/end/tasks/main.yml create mode 100644 roles/hobo/tasks/main.yml create mode 100644 roles/nginx-setup/tasks/main.yml create mode 100644 roles/nginx-setup/templates/nginx-server.j2 create mode 100644 roles/wcs/tasks/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2d50efe --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.retry \ No newline at end of file diff --git a/README.rst b/README.rst index b25b247..e72cd83 100644 --- a/README.rst +++ b/README.rst 
@@ -1,27 +1,75 @@ Dev install of publik ===================== -Description -+++++++++++ - -This will install a publik instance on localhost using sources (git) and pip. +Ansible playbook that install and setup a multitenant publik instance using sources. -Dependencies -++++++++++++ +Setup +===== -python-lasso, git, ansible. -Tested on debian testing. - - -Usage -+++++ - -Fill the varibles i the 'local' file : - pipexe: path of the pip executable to use (it can be the pip of a virtualenv) - srcdir: path of the directory where the sources are going to be cloned +Install dependencies +++++++++++++++++++++ .. code-block:: bash - ansible-playbook -i local -K main.yml + pip install --user -r requirements.txt + + +System requirements ++++++++++++++++++++ + + * postgresql server must be installed + * the system user used to run ansible must be a sudoer + * the system user used to run ansible must to be able to connect to the postgres server withpout authentication and must be authorized to create databases + * you need to have a valid SSL certificate ('ssl_certificate' and 'ssl_certificate_key' in configuration file) + + +Description +=========== + +The configuration file ('inventory' in ansible language) is inventory.yml, change it to suite your needs. 
+ +Important configuration variables : + + * 'user' : must be the name of the system user used to run the playbook (DRY I know, but tell ansible about it) + * the 'ssl_certificate' used must be valid for the patterns delared in 'apps.host_pattern' and app.nginx_host_pattern + * 'apps.host_pattern' is used in the app server settings + * 'apps.nginx_host_pattern' is used in the nginx app settings + +The playbook will first : + + * install some system packages (see roles/base) + * create a virtualenv ('venv' variable) + +Then for each 'app' registered in the 'apps' section of the configuration file, the following events will occur: + + * git clone of the repository in 'src_dir' dir and install from sources + * create one configuration file for the app and one for its hobo agent (in 'venv_conf' directory) + * create app-manage, app-server and app-agent scripts in 'venv_bin' directory + * create app-server and app-agent supervisord configuration + * create /var/lib/app and /var/log/app directories + * create a nginx configuration for server-app + * create a database for the app and create its schema + + +Usage +===== + +Install publik + +.. code-block:: bash + + ansible-playbook -i inventory.yml -K install.yml + + +Send publik to the cemetery + +.. code-block:: bash + + ansible-playbook -i inventory.yml -K clean.yml + +Next +==== + +Help yourself with your DNS settings and create a tenant using cook diff --git a/clean.yml b/clean.yml new file mode 100644 index 0000000..b8904c9 --- /dev/null +++ b/clean.yml 
@@ -0,0 +1,75 @@
+---
+- hosts: local
+ tasks:
+ - name: delete venv
+ file:
+ path: "{{venv}}"
+ state: absent
+
+ - name: delete app /var/lib directory
+ file:
+ path: "/var/lib/{{item.value.project_name}}"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: delete server /var/log directory
+ file:
+ path: "/var/log/{{item.value.project_name}}-server"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: delete agent /var/log directory
+ file:
+ path: "/var/log/{{item.value.project_name}}-agent"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: delete supervisor server conf
+ file:
+ path: "/etc/supervisor/conf.d/{{item.value.project_name}}-server.conf"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: delete supervisor agent conf
+ file:
+ path: "/etc/supervisor/conf.d/{{item.value.project_name}}-agent.conf"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: reload supervisor
+ systemd:
+ name: supervisor
+ state: reloaded
+ become: yes
+
+ - name: delete nginx app server link conf
+ file:
+ path: "/etc/nginx/sites-enabled/{{item.value.project_name}}"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: delete nginx app server conf
+ file:
+ path: "/etc/nginx/sites-available/{{item.value.project_name}}"
+ state: absent
+ with_dict: "{{apps}}"
+ become: yes
+
+ - name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
+ become: yes
+
+ - name: delete db
+ postgresql_db:
+ name: "{{item.value.db_name}}"
+ state: absent
+ with_dict: "{{apps}}"
+
diff --git a/install.yml b/install.yml
new file mode 100644
index 0000000..f21dd9c
--- /dev/null
+++ b/install.yml
@@ -0,0 +1,9 @@
+---
+- name: publik multitenant install
+ hosts: local
+ roles:
+ - base
+ - hobo
+ - authentic
+ - combo
+ - end
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..3ebcccb
--- /dev/null
+++ b/inventory.yml
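Review bot: The `become: yes` delete tasks in clean.yml build their target from `{{item.value.project_name}}` with nothing validating the value first, so an app entry whose `project_name` is empty would make `path: "/var/lib/{{item.value.project_name}}"` resolve to `/var/lib/` and remove it as root. An `assert` task at the top of the play, looped over `apps` with `that: item.value.project_name | length > 0`, would stop the run before any file task executes. The final `delete db` task has no `become` or login user, so it depends on the invoking user's passwordless PostgreSQL access described in the README; a short comment saying so would help the next reader.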
@@ -0,0 +1,47 @@
+
+local:
+ hosts:
+ localhost:
+ ansible_connection: local
+ vars:
+ user: cazino
+ django_version: 1.8.18
+ src_dir: "/home/{{user}}/src"
+ ssl_certificate: "/etc/ssl/certs/*.local.publik.crt"
+ ssl_certificate_key: "/etc/ssl/private/*.local.publik.key"
+ venv: "/home/{{user}}/envs/publik-env"
+ venv_bin: "{{venv}}/bin"
+ venv_conf: "{{venv}}/conf"
+ venv_pip: "{{venv_bin}}/pip"
+ venv_python: "{{venv_bin}}/python"
+ apps:
+ authentic:
+ name: authentic
+ db_name: authentic_multitenant
+ hobo_app: "hobo.agent.authentic2"
+ host_pattern: "*-authentic.local.publik"
+ manage_cmd: "{{venv_bin}}/authentic2-ctl"
+ nginx_host_pattern: '~^(.*)\-authentic\.local\.publik$'
+ project_name: authentic-multitenant
+ server_port: 8000
+ settings_env_var: AUTHENTIC2_SETTINGS_FILE
+ combo:
+ name: combo
+ db_name: combo_multitenant
+ hobo_app: "hobo.agent.combo"
+ host_pattern: "*-combo.local.publik"
+ nginx_host_pattern: '~^(.*)\-combo\.local\.publik$'
+ project_name: combo-multitenant
+ server_port: 8004
+ settings_env_var: COMBO_SETTINGS_FILE
+ hobo:
+ name: hobo
+ db_name: hobo_multitenant
+ hobo_app: "hobo.agent.hobo"
+ host_pattern: "*-hobo.local.publik"
+ nginx_host_pattern: '~^(.*)\-hobo\.local\.publik$'
+ project_name: hobo-multitenant
+ server_port: 8016
+ settings_env_var: HOBO_SETTINGS_FILE
+
+
diff --git a/main.yml b/main.yml
deleted file mode 100644
index b757d38..0000000
--- a/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Authentic
- hosts: all
- roles:
- - authentic
diff --git a/pip_install_source.yml b/pip_install_source.yml
new file mode 100644
index 0000000..df21b2a
--- /dev/null
+++ b/pip_install_source.yml
@@ -0,0 +1,7 @@
+# Ugly hack to perform a simple 'pip install -e /some/source/dir'
+- name: pip install source
+ pip:
+ name: django
+ version: "{{ django_version}}"
+ extra_args: "-e {{ source }}"
+ virtualenv: "{{venv}}"
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..e511c8f
--- /dev/null
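Review bot: The three `nginx_host_pattern` values in inventory.yml accept any string before the suffix, because `(.*)` in `'~^(.*)\-authentic\.local\.publik$'` is not limited to hostname characters, and the nginx template in this patch places `$host` into filesystem paths under `/var/lib/<project_name>/tenants/`. Restricting the capture to a DNS label, e.g. `'~^([a-z0-9-]+)\-authentic\.local\.publik$'` (and the same for combo and hobo), keeps the tenant directory name predictable. `user: cazino` is a developer-specific default; a comment stating that it must be changed to the account running the playbook would make that explicit in the file itself.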
+++ b/requirements.txt
@@ -0,0 +1 @@
+ansible>2.4.0
diff --git a/roles/agent-setup/tasks/main.yml b/roles/agent-setup/tasks/main.yml
new file mode 100644
index 0000000..426d98e
--- /dev/null
+++ b/roles/agent-setup/tasks/main.yml
@@ -0,0 +1,30 @@
+- name: set ansible agent variables
+ set_fact:
+ agent_dash_name: "{{app['project_name']}}-agent"
+ agent_dot_name: "{{app['project_name']}}.agent"
+ agent_settings: "{{venv_conf}}/{{app['db_name']}}_agent_settings.py"
+
+- name: create hobo agent log directory
+ file:
+ path: "/var/log/{{agent_dash_name}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+ become: yes
+
+- name: hobo agent settings file
+ template:
+ src: hobo-agent-settings.j2
+ dest: "{{agent_settings}}"
+
+- name: agent script
+ template:
+ src: hobo-agent.j2
+ dest: "{{venv_bin}}/{{agent_dash_name}}"
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: hobo agent supervisor configuration
+ template:
+ src: hobo-agent-supervisor.j2
+ dest: "/etc/supervisor/conf.d/{{agent_dash_name}}.conf"
+ become: yes
diff --git a/roles/agent-setup/templates/hobo-agent-settings.j2 b/roles/agent-setup/templates/hobo-agent-settings.j2
new file mode 100644
index 0000000..8620f9c
--- /dev/null
+++ b/roles/agent-setup/templates/hobo-agent-settings.j2
@@ -0,0 +1,9 @@
+BROKER_URL = 'amqp://'
+
+
+AGENT_HOST_PATTERNS = {
+ "{{app['name']}}": ["{{app['host_pattern']}}"],
+}
+
+{% filter upper %}{{app['name']}}{% endfilter %}_MANAGE_COMMAND = "{{venv_bin}}/{{app['project_name']}}-manage"
+{% filter upper %}{{app['name']}}{% endfilter %}_MANAGE_TRY_COMMAND = {% filter upper %}{{app['name']}}{% endfilter %}_MANAGE_COMMAND
diff --git a/roles/agent-setup/templates/hobo-agent-supervisor.j2 b/roles/agent-setup/templates/hobo-agent-supervisor.j2
new file mode 100644
index 0000000..1b47298
--- /dev/null
+++ b/roles/agent-setup/templates/hobo-agent-supervisor.j2
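Review bot: `BROKER_URL = 'amqp://'` in hobo-agent-settings.j2 carries no host, vhost or credentials, so the agent presumably falls back to the client library's defaults (typically the broker's built-in guest account on localhost), and nothing in the template states that dependency. Consider reading the URL from a new inventory variable, e.g. `BROKER_URL = '{{ broker_url | default("amqp://") }}'`, with a comment that the default only suits a single-host development install. The `{{app['name']}}` and `{{app['host_pattern']}}` values are written into Python source unescaped, which is acceptable only while the inventory is trusted; a comment to that effect would be enough.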
@@ -0,0 +1,26 @@
+[program:{{agent_dash_name}}]
+; Concurrency set to 1 because there is no lock around calls to hobo_notify
+command={{venv_bin}}/celery worker --hostname={{agent_dot_name}}.%%h --app=hobo.agent.worker --loglevel=INFO --concurrency=1
+environment=HOBO_AGENT_SETTINGS_FILE="{{agent_settings}}"
+process_name={{agent_dash_name}}
+user={{user}}
+numprocs=1
+stdout_logfile=/var/log/{{agent_dash_name}}/stdout.log
+stderr_logfile=/var/log/{{agent_dash_name}}/stderr.log
+
+autostart=true
+autorestart=true
+startsecs=10
+; Need to wait for currently executing tasks to finish at shutdown.
+; Increase this if you have very long running tasks.
+stopwaitsecs = 600
+
+; When resorting to send SIGKILL to the program to terminate it
+; send SIGKILL to its whole process group instead,
+; taking care of its children as well.
+killasgroup=true
+
+; if rabbitmq is supervised, set its priority higher
+; so it starts first
+priority=998
+
diff --git a/roles/agent-setup/templates/hobo-agent.j2 b/roles/agent-setup/templates/hobo-agent.j2
new file mode 100644
index 0000000..0020e1d
--- /dev/null
+++ b/roles/agent-setup/templates/hobo-agent.j2
@@ -0,0 +1,2 @@
+#!/bin/bash
+HOBO_AGENT_SETTINGS_FILE="{{agent_settings}}" {{venv_bin}}/celery worker --hostname={{agent_dot_name}}.%%h --app=hobo.agent.worker --loglevel=INFO --concurrency=1
\ No newline at end of file
diff --git a/roles/app-setup/tasks/main.yml b/roles/app-setup/tasks/main.yml
new file mode 100644
index 0000000..22f5789
--- /dev/null
+++ b/roles/app-setup/tasks/main.yml
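Review bot: The `--hostname={{agent_dot_name}}.%%h` argument in hobo-agent.j2 looks copied from the supervisor template, where `%%` is the escape for a literal percent sign; in a bash script nothing collapses it, so celery would receive `%%h` instead of `%h`, and the resulting node name should be confirmed. If the script is meant to mirror the supervisor command, the argument should read `--hostname={{agent_dot_name}}.%h`. The script also starts celery as a child of bash; prefixing the command with `exec` would let signals reach the worker directly.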
@@ -0,0 +1,71 @@
+- name: set ansible server variables
+ set_fact:
+ app_settings: "{{venv_conf}}/{{app['db_name']}}_settings.py"
+ manage_app_name: "{{app['project_name']}}-manage"
+ server_app_name: "{{app['project_name']}}-server"
+
+- name: create db
+ postgresql_db:
+ name: "{{app['db_name']}}"
+ owner: "{{user}}"
+
+- name: conf directory
+ file:
+ path: "{{venv_conf}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+ become: yes
+
+- name: app /var/lib directory
+ file:
+ path: "/var/lib/{{app['project_name']}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+ become: yes
+
+- name: app /var/lib tenants directory
+ file:
+ path: "/var/lib/{{app['project_name']}}/tenants"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+ become: yes
+
+- name: app settings file
+ template:
+ src: app-settings.j2
+ dest: "{{app_settings}}"
+
+- name: manage script
+ template:
+ src: app-manage.j2
+ dest: "{{venv_bin}}/{{manage_app_name}}"
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: migrate schemas
+ command: "{{venv_bin}}/{{manage_app_name}} migrate_schemas"
+
+- name: collect statics
+ shell: "echo yes | {{venv_bin}}/{{manage_app_name}} collectstatic"
+
+- name: server script
+ template:
+ src: app-server.j2
+ dest: "{{venv_bin}}/{{server_app_name}}"
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: server log directory
+ file:
+ path: "/var/log/{{server_app_name}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+ become: yes
+
+- name: server supervisor configuration
+ template:
+ src: server-supervisor.j2
+ dest: "/etc/supervisor/conf.d/{{server_app_name}}.conf"
+ become: yes
diff --git a/roles/app-setup/templates/app-manage.j2 b/roles/app-setup/templates/app-manage.j2
new file mode 100644
index 0000000..9d9fc4a
--- /dev/null
+++ b/roles/app-setup/templates/app-manage.j2
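Review bot: The `collect statics` task uses `shell: "echo yes | {{venv_bin}}/{{manage_app_name}} collectstatic"`, which goes through a shell and a pipe only to answer a prompt; `command: "{{venv_bin}}/{{manage_app_name}} collectstatic --noinput"` does the same without shell parsing of the templated path. The `app settings file` template task sets no `mode`, so the generated settings module gets whatever the umask yields; adding `mode: "u=rw,g=r,o="` now avoids a world-readable file once credentials are added to it. Neither `migrate schemas` nor `collect statics` declares `changed_when`, so every run reports them as changed.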
@@ -0,0 +1,2 @@
+#!/bin/bash
+{{app['settings_env_var']}}={{app_settings}} {% if 'manage_cmd' in app %}{{app['manage_cmd']}}{% else %}{{venv_python}} {{src_dir}}/{{app['name']}}/manage.py{% endif%} "$@"
diff --git a/roles/app-setup/templates/app-server.j2 b/roles/app-setup/templates/app-server.j2
new file mode 100644
index 0000000..f062415
--- /dev/null
+++ b/roles/app-setup/templates/app-server.j2
@@ -0,0 +1,2 @@
+#!/bin/bash
+{{venv_bin}}/{{manage_app_name}} runserver {{app['server_port']}}
diff --git a/roles/app-setup/templates/app-settings.j2 b/roles/app-setup/templates/app-settings.j2
new file mode 100644
index 0000000..e6ba95f
--- /dev/null
+++ b/roles/app-setup/templates/app-settings.j2
@@ -0,0 +1,20 @@
+import os
+
+PROJECT_NAME = '{{app['project_name']}}'
+execfile('{{src_dir}}/hobo/debian/debian_config_common.py')
+
+# hobo don't use multitenant mellon adapter: IdP is detected in the local
+# environnment
+MELLON_ADAPTER = ('hobo.utils.MellonAdapter',)
+
+LOGGING['loggers']['']['handlers'] = ['syslog']
+
+{% if 'hobo_app' in app %}
+INSTALLED_APPS = ('{{app['hobo_app']}}', ) + INSTALLED_APPS
+{% endif %}
+
+os.environ['REQUESTS_CA_BUNDLE'] = '{{ssl_certificate}}'
+
+ALLOWED_HOSTS = ['*']
+
+DEBUG = True
diff --git a/roles/app-setup/templates/server-supervisor.j2 b/roles/app-setup/templates/server-supervisor.j2
new file mode 100644
index 0000000..417d06a
--- /dev/null
+++ b/roles/app-setup/templates/server-supervisor.j2
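Review bot: app-settings.j2 writes `ALLOWED_HOSTS = ['*']` and `DEBUG = True` unconditionally into every app's settings, so Django's Host-header check is disabled and debug error pages (stack frames, settings excerpts) are returned to anyone who can reach the nginx vhost. If the playbook is only for local development, state that in a comment at the top of the template and drive the flag from a new inventory variable, e.g. `DEBUG = {{ debug | default(False) }}`. `ALLOWED_HOSTS` cannot express the `*-authentic.local.publik` pattern directly, so if it stays `['*']` add a comment that host filtering is delegated to nginx's `server_name`. `REQUESTS_CA_BUNDLE` is pointed at the server certificate itself, which only validates peers when that file also contains the issuing chain; worth a comment as well.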
@@ -0,0 +1,28 @@
+[program:{{server_app_name}}]
+; Concurrency set to 1 because there is no lock around calls to hobo_notify
+command={% if 'manage_cmd' in app %}{{app['manage_cmd']}}{% else %}{{venv_python}} {{src_dir}}/{{app['name']}}/manage.py{% endif%} runserver {{app['server_port']}}
+environment={{app['settings_env_var']}}="{{app_settings}}"
+process_name={{server_app_name}}
+user={{user}}
+numprocs=1
+stdout_logfile=/var/log/{{server_app_name}}/stdout.log
+stderr_logfile=/var/log/{{server_app_name}}/stderr.log
+
+autostart=true
+autorestart=true
+startsecs=10
+; Need to wait for currently executing tasks to finish at shutdown.
+; Increase this if you have very long running tasks.
+stopwaitsecs = 600
+
+stopsignal=KILL
+; When resorting to send SIGKILL to the program to terminate it
+; send SIGKILL to its whole process group instead,
+; taking care of its children as well.
+killasgroup=true
+stopasgroup=true
+
+; if rabbitmq is supervised, set its priority higher
+; so it starts first
+priority=998
+
diff --git a/roles/authentic/tasks/main.yml b/roles/authentic/tasks/main.yml
index c615a8b..548135d 100644
--- a/roles/authentic/tasks/main.yml
+++ b/roles/authentic/tasks/main.yml
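Review bot: The header comment `; Concurrency set to 1 because there is no lock around calls to hobo_notify` in server-supervisor.j2 was carried over from the celery agent template and does not describe this `runserver` command; replace it with a comment saying the program is Django's development server. `stopsignal=KILL` also makes `stopwaitsecs = 600` and its "wait for currently executing tasks" comment meaningless, since SIGKILL gives the process no chance to finish, so one of the two should go. Presumably `runserver` is intentional for a development install; a one-line comment stating that would keep this file from being reused for a real deployment.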
@@ -1,55 +1,34 @@ -- name: Install system depedencies - apt: - name: "{{ item }}" - state: installed - with_items: - - libsasl2-dev - - python-dev - - libldap2-dev - - libssl-dev - become: yes - -- name: Git clone django-mellon - git: - repo: ssh://git@git.entrouvert.org/django-mellon.git - dest: "{{ srcdir }}/django-mellon" - -- name: Pip install django - pip: - name: django - version: "{{ djangoversion}}" - executable: "{{ pipexe }}" - -- name: Pip install django-mellon - pip: - name: django - version: "{{ djangoversion}}" - extra_args: "-e {{ srcdir }}/django-mellon" - executable: "{{ pipexe }}" - -- name: Git clone gadjo - git: - repo: ssh://git@git.entrouvert.org/gadjo.git - dest: "{{ srcdir }}/gadjo" - -- name: Pip install gadjo - pip: - name: django - version: "{{ djangoversion}}" - extra_args: "-e {{ srcdir }}/gadjo" - executable: "{{ pipexe }}" - - -- name: Git clone authentic +- name: git clone authentic git: repo: ssh://git@git.entrouvert.org/authentic.git - dest: "{{ srcdir }}/authentic" + dest: "{{ src_dir }}/authentic" -- name: Pip install authentic +- name: pip install authentic + import_tasks: pip_install_source.yml + vars: + source: "{{src_dir}}/authentic" + +# FIXME: change authentic settings instead ? +- name: install python-memcached pip: - name: django - version: "{{ djangoversion}}" - extra_args: "-e {{ srcdir }}/authentic" - executable: "{{ pipexe }}" + name: python-memcached + virtualenv: "{{venv}}" +- name: authentic app setup + import_role: + name: app-setup + vars: + app: "{{apps['authentic']}}" + +- name: authentic hobo agent + import_role: + name: agent-setup + vars: + app: "{{apps['authentic']}}" + +- name: authentic nginx setup + import_role: + name: nginx-setup + vars: + app: "{{apps['authentic']}}" diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..01b5af3 --- /dev/null +++ b/roles/base/tasks/main.yml 
@@ -0,0 +1,38 @@
+---
+- name: Install system packages depedencies
+ apt:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - libldap2-dev
+ - libsasl2-dev
+ - libssl-dev
+ - nginx
+ - python-dev
+ - python-lasso
+ - python-pip
+ - python-virtualenv
+ - rabbitmq-server
+ - supervisor
+ become: yes
+
+- name: create the virtualenv and install django
+ pip:
+ name: django
+ version: "{{ django_version}}"
+ virtualenv: "{{venv}}"
+
+# FIXME: needed by XXX, we should change XXX settings instead ?
+- name: install raven
+ pip:
+ name: raven
+ virtualenv: "{{venv}}"
+
+- name: create getlasso script
+ template:
+ src: getlasso.j2
+ dest: "{{venv_bin}}/getlasso.sh"
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: execute getlasso
+ command: "{{venv_bin}}/getlasso.sh"
diff --git a/roles/base/templates/getlasso.j2 b/roles/base/templates/getlasso.j2
new file mode 100644
index 0000000..ffeb3b0
--- /dev/null
+++ b/roles/base/templates/getlasso.j2
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Get venv site-packages path
+DSTDIR=`{{venv_python}} -c 'from distutils.sysconfig import get_python_lib; print(get_python_lib())'`
+
+SRCDIR=`python -c 'from distutils.sysconfig import get_python_lib; print(get_python_lib())'`
+
+# Clean up
+rm -f $DSTDIR/lasso.*
+rm -f $DSTDIR/_lasso.*
+
+# Link
+ln -sv $SRCDIR/lasso.py $DSTDIR
+ln -sv $SRCDIR/_lasso.* $DSTDIR
+
+exit 0
+
diff --git a/roles/combo/tasks/main.yml b/roles/combo/tasks/main.yml
new file mode 100644
index 0000000..74d650f
--- /dev/null
+++ b/roles/combo/tasks/main.yml
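Review bot: In getlasso.j2 the `rm -f $DSTDIR/lasso.*` and `ln -sv $SRCDIR/... $DSTDIR` lines use unquoted variables taken from command substitution, and nothing checks that either substitution succeeded; if `{{venv_python}}` fails, `DSTDIR` is empty, the script then targets `/lasso.*` and links into the current directory, and `exit 0` reports success to the `execute getlasso` task. Adding `set -eu` after the shebang, a guard such as `[ -d "$DSTDIR" ] || exit 1`, and quoting (`rm -f "$DSTDIR"/lasso.*`) would make such failures visible to Ansible. `SRCDIR` is resolved with whichever `python` is first on PATH, which is assumed to be the system interpreter that owns python-lasso; confirm that or use an absolute path.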
@@ -0,0 +1,28 @@
+
+- name: Git clone combo
+ git:
+ repo: ssh://git@git.entrouvert.org/combo.git
+ dest: "{{ src_dir }}/combo"
+
+- name: Pip install combo
+ import_tasks: pip_install_source.yml
+ vars:
+ source: "{{src_dir}}/combo"
+
+- name: Combo app setup
+ import_role:
+ name: app-setup
+ vars:
+ app: "{{apps['combo']}}"
+
+- name: Combo hobo agent
+ import_role:
+ name: agent-setup
+ vars:
+ app: "{{apps['combo']}}"
+
+- name: combo nginx setup
+ import_role:
+ name: nginx-setup
+ vars:
+ app: "{{apps['combo']}}"
diff --git a/roles/end/tasks/main.yml b/roles/end/tasks/main.yml
new file mode 100644
index 0000000..83a2e57
--- /dev/null
+++ b/roles/end/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: reload supervisor
+ systemd:
+ name: supervisor
+ state: reloaded
+ become: yes
+
+- name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
+ become: yes
diff --git a/roles/hobo/tasks/main.yml b/roles/hobo/tasks/main.yml
new file mode 100644
index 0000000..f80587d
--- /dev/null
+++ b/roles/hobo/tasks/main.yml
@@ -0,0 +1,63 @@
+
+- name: git clone hobo
+ git:
+ repo: ssh://git@git.entrouvert.org/hobo.git
+ dest: "{{ src_dir }}/hobo"
+
+- name: get lasso
+ command: "bash getlasso.sh"
+ args:
+ chdir: "{{ src_dir }}/hobo/"
+
+- name: git clone django-mellon
+ git:
+ repo: ssh://git@git.entrouvert.org/django-mellon.git
+ dest: "{{ src_dir }}/django-mellon"
+
+- name: pip install django-mellon
+ import_tasks: pip_install_source.yml
+ vars:
+ source: "{{src_dir}}/django-mellon"
+
+- name: git clone gadjo
+ git:
+ repo: ssh://git@git.entrouvert.org/gadjo.git
+ dest: "{{ src_dir }}/gadjo"
+
+- name: pip install gadjo
+ import_tasks: pip_install_source.yml
+ vars:
+ source: "{{src_dir}}/gadjo"
+
+- name: git clone django-tenant-schemas
+ git:
+ repo: ssh://git@git.entrouvert.org/debian/django-tenant-schemas.git
+ dest: "{{ src_dir }}/django-tenant-schemas"
+
+- name: pip install django-tenant-schemas
+ import_tasks: pip_install_source.yml
+ vars:
+ source: "{{src_dir}}/django-tenant-schemas"
+
+- name: pip install hobo
+ import_tasks: pip_install_source.yml
+ vars:
+ source: "{{src_dir}}/hobo"
+
+- name: hobo app setup
+ import_role:
+ name: app-setup
+ vars:
+ app: "{{apps['hobo']}}"
+
+- name: hobo hobo agent
+ import_role:
+ name: agent-setup
+ vars:
+ app: "{{apps['hobo']}}"
+
+- name: hobo nginx setup
+ import_role:
+ name: nginx-setup
+ vars:
+ app: "{{apps['hobo']}}"
diff --git a/roles/nginx-setup/tasks/main.yml b/roles/nginx-setup/tasks/main.yml
new file mode 100644
index 0000000..416361c
--- /dev/null
+++ b/roles/nginx-setup/tasks/main.yml
@@ -0,0 +1,13 @@
+
+- name: nginx server settings
+ template:
+ src: nginx-server.j2
+ dest: "/etc/nginx/sites-available/{{app['project_name']}}"
+ become: yes
+
+- name: a2ensite nginx server
+ file:
+ src: "/etc/nginx/sites-available/{{app['project_name']}}"
+ path: "/etc/nginx/sites-enabled/{{app['project_name']}}"
+ state: link
+ become: yes
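Review bot: None of the `git:` tasks in roles/hobo (nor the ones in roles/authentic, roles/combo and roles/wcs) set `version:`, so each run installs whatever the remote default branch holds at that moment, and the `get lasso` task then executes `bash getlasso.sh` straight from that fresh checkout. Pinning every repository to a tag or commit through a new inventory variable, e.g. `version: "{{ hobo_version }}"`, makes installs reproducible and limits what gets executed to revisions someone has reviewed. The `get lasso` command also overlaps with the `execute getlasso` task in roles/base; if both are needed, a comment should say why.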
diff --git a/roles/nginx-setup/templates/nginx-server.j2 b/roles/nginx-setup/templates/nginx-server.j2
new file mode 100644
index 0000000..e4f78a7
--- /dev/null
+++ b/roles/nginx-setup/templates/nginx-server.j2
@@ -0,0 +1,41 @@
+server {
+ listen 443 ssl;
+ server_name {{app['nginx_host_pattern']}};
+
+ ssl_certificate {{ssl_certificate}};
+ ssl_certificate_key {{ssl_certificate_key}};
+
+ access_log /var/log/nginx/{{app['project_name']}}-access.log combined;
+ error_log /var/log/nginx/{{app['project_name']}}-error.log;
+
+ location ~ ^/static/(.+)$ {
+ root /;
+ try_files /var/lib/{{app['project_name']}}/tenants/$host/static/$1
+ /var/lib/{{app['project_name']}}/collectstatic/$1
+ =404;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location ~ ^/media/(.+)$ {
+ alias /var/lib/{{app['project_name']}}/tenants/$host/media/$1;
+ }
+
+ location / {
+ proxy_pass http://localhost:{{app['server_port']}};
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-SSL on;
+ proxy_set_header X-Forwarded-Protocol ssl;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
+
+# catchall http → https
+server {
+ listen 80;
+ server_name {{app['nginx_host_pattern']}};
+ access_log /var/log/nginx/{{app['project_name']}}-access.log combined;
+ error_log /var/log/nginx/{{app['project_name']}}-error.log;
+ return 301 https://$host$request_uri;
+}
diff --git a/roles/wcs/tasks/main.yml b/roles/wcs/tasks/main.yml
new file mode 100644
index 0000000..2a00a58
--- /dev/null
+++ b/roles/wcs/tasks/main.yml
@@ -0,0 +1,12 @@
+
+- name: Git clone wcs
+ git:
+ repo: ssh://git@git.entrouvert.org/wcs.git
+ dest: "{{ srcdir }}/wcs"
+
+- name: Pip install wcs
+ pip:
+ name: django
+ version: "{{ djangoversion}}"
+ extra_args: "-e {{ srcdir }}/wcs"
+
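Review bot: In nginx-server.j2, `proxy_set_header Host $http_host;` forwards the raw client header to the backend while the file locations (`tenants/$host/...`) use nginx's normalised `$host`, and app-settings.j2 in this patch sets `ALLOWED_HOSTS = ['*']`, so the backend will not reject a value that differs from what nginx matched on. Using `proxy_set_header Host $host;` keeps tenant selection consistent between nginx and Django. The `/media/` location serves tenant uploads straight from disk with no application-level access check, which deserves a comment if any media is meant to be private. The TLS server block sets no `ssl_protocols`, so it inherits the distribution defaults; a comment or an explicit value would document the intent.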
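Review bot: roles/wcs/tasks/main.yml still references `{{ srcdir }}` and `{{ djangoversion}}`, but the inventory added by this patch defines `src_dir` and `django_version`, so the role would fail on undefined variables as soon as it is added to install.yml. Its `pip` task also has neither `virtualenv:` nor `executable:`, so it would install with whichever pip Ansible finds instead of into `{{venv}}`. Aligning it with the other roles, using `dest: "{{ src_dir }}/wcs"` and `import_tasks: pip_install_source.yml` with `source: "{{src_dir}}/wcs"`, fixes both.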