authorTrygve Laugstøl <trygvis@inamo.no>2018-08-28 15:37:55 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2018-08-28 15:37:55 +0200
commita5705d3f44cb86b216277c6311f313963d4f9c49 (patch)
treeb9a6343a8c730b83e37138bb09461b5a4cf007bc
parent1f677dfeded1f52dc75c34c93f9ef1d6b3b948be (diff)
downloadinfra-a5705d3f44cb86b216277c6311f313963d4f9c49.tar.gz
infra-a5705d3f44cb86b216277c6311f313963d4f9c49.tar.bz2
infra-a5705d3f44cb86b216277c6311f313963d4f9c49.tar.xz
infra-a5705d3f44cb86b216277c6311f313963d4f9c49.zip
o sz-ds: wip.
-rw-r--r--ansible/group_vars/all/sz_ds.yml10
-rw-r--r--ansible/host_vars/knot.yml6
-rw-r--r--ansible/host_vars/sz-prod/main.yml1
-rw-r--r--ansible/host_vars/sz-prod/sz_ds_secret.yml11
-rw-r--r--ansible/host_vars/sz-test/main.yml1
-rw-r--r--ansible/knot.yml4
-rw-r--r--ansible/roles/java8/handlers/main.yml2
-rw-r--r--ansible/roles/knot-apache/tasks/main.yml21
-rw-r--r--ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf31
-rw-r--r--ansible/roles/lxc-host/tasks/main.yml2
-rw-r--r--ansible/roles/lxc-machine/tasks/main.yml31
-rw-r--r--ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service14
-rw-r--r--ansible/roles/sz-ds/handlers/main.yml5
-rw-r--r--ansible/roles/sz-ds/tasks/flyway.yml30
-rw-r--r--ansible/roles/sz-ds/tasks/main.yml67
-rw-r--r--ansible/roles/sz-ds/tasks/sz-ds-app.yml41
-rw-r--r--ansible/roles/sz-ds/tasks/sz-ds-pg.yml28
-rw-r--r--ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j23
-rw-r--r--ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j24
-rw-r--r--ansible/secrets.yml22
-rw-r--r--ansible/sz-ds.yml14
21 files changed, 265 insertions, 83 deletions
diff --git a/ansible/group_vars/all/sz_ds.yml b/ansible/group_vars/all/sz_ds.yml
new file mode 100644
index 0000000..2f1d235
--- /dev/null
+++ b/ansible/group_vars/all/sz_ds.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+38623764363231303163656636386339653034663164353139393033356362633731336666653337
+3935633730626438393031373564313630643266383761650a653766363761313639663739373034
+62326664633231323063386530386137616138313563663665393833633337316366653438326636
+6564386334646563330a386133363466633533373238396364363566383166356333363062623234
+32653035306538616232656261346237306634346165333032613463636533643036363733383535
+30346265336361653866643665303164656566303439396563636664303762666562653763363330
+36663336346431623032353039396132383065323131306434343762653162643536313939623430
+31323436343663346537653433306438663537653165633530383231373234326534346135366335
+65653739646332363033313930383766393161343032653930323166343537323863
diff --git a/ansible/host_vars/knot.yml b/ansible/host_vars/knot.yml
index ec97b6a..f7bc64a 100644
--- a/ansible/host_vars/knot.yml
+++ b/ansible/host_vars/knot.yml
@@ -1,9 +1,11 @@
lxc_containers:
sz-prod:
ipv4:
- address: 10.0.3.3/24
+ address: 10.0.3.3
+ netmask: 24
gateway: 10.0.3.1
sz-test:
ipv4:
- address: 10.0.3.4/24
+ address: 10.0.3.4
+ netmask: 24
gateway: 10.0.3.1
diff --git a/ansible/host_vars/sz-prod/main.yml b/ansible/host_vars/sz-prod/main.yml
new file mode 100644
index 0000000..88da296
--- /dev/null
+++ b/ansible/host_vars/sz-prod/main.yml
@@ -0,0 +1 @@
+sz_ds_env: sz-prod
diff --git a/ansible/host_vars/sz-prod/sz_ds_secret.yml b/ansible/host_vars/sz-prod/sz_ds_secret.yml
new file mode 100644
index 0000000..c14eac2
--- /dev/null
+++ b/ansible/host_vars/sz-prod/sz_ds_secret.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+66656333353364366431623463613930373331333161313736306365623738613738353734333530
+3163653733313734663935613033623637393861356237310a323034396266373862323535633666
+35623963386536303637336337653637346262376634613065653763653735653532353331386233
+3863383365656166330a643666366138343734393833383337613530653462366361663764303862
+65636137333036633637663831613535316161303838616434343162383439616338313336643930
+64623534373062346434643436386230393437656262333435643131333938666337623339623636
+35636635323037316163346130643531633366663266303935303138393464643363313136616137
+63303531643633393131643362333565306430393734346435353730363561343736363139326261
+39653066363161633436343666313734613834653566633831353566373562323162376365653961
+3735313062356662356262663036633863376534663239363765
diff --git a/ansible/host_vars/sz-test/main.yml b/ansible/host_vars/sz-test/main.yml
new file mode 100644
index 0000000..3f1cd48
--- /dev/null
+++ b/ansible/host_vars/sz-test/main.yml
@@ -0,0 +1 @@
+sz_ds_env: sz-test
diff --git a/ansible/knot.yml b/ansible/knot.yml
index 05207b8..4821271 100644
--- a/ansible/knot.yml
+++ b/ansible/knot.yml
@@ -14,3 +14,7 @@
import_role: name=lxc-host
tags: lxc-host
become: true
+ - name: knot-apache
+ import_role: name=knot-apache
+ tags: knot-apache
+ become: true
diff --git a/ansible/roles/java8/handlers/main.yml b/ansible/roles/java8/handlers/main.yml
index 0298ff9..90bca76 100644
--- a/ansible/roles/java8/handlers/main.yml
+++ b/ansible/roles/java8/handlers/main.yml
@@ -1,5 +1,5 @@
---
-- name: update apt cache
+- name: apt update
become: yes
apt:
update_cache: yes
diff --git a/ansible/roles/knot-apache/tasks/main.yml b/ansible/roles/knot-apache/tasks/main.yml
new file mode 100644
index 0000000..a3d1be6
--- /dev/null
+++ b/ansible/roles/knot-apache/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: /etc/apache2/sites-enabled/{{ item.hostname }}.trygvis.io.conf
+ template:
+ src: etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
+ dest: /etc/apache2/sites-enabled/{{ item.hostname }}.trygvis.io.conf
+ with_items: &backends
+ - hostname: sz
+ backend: sz-prod
+# - hostname: sz-test
+# backend: sz-test
+
+- name: "mkdir /var/www/{{ item.hostname }}.trygvis.io"
+ file:
+ dest: "/var/www/{{ item.hostname }}.trygvis.io"
+ state: directory
+ with_items: *backends
+
+- name: "mkdir /var/www/{{ item.hostname }}.trygvis.io/htdocs"
+ file:
+ dest: "/var/www/{{ item.hostname }}.trygvis.io/htdocs"
+ state: directory
+ with_items: *backends
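Review bot: The template task at the top of this hunk has no `notify`, so a changed `sites-enabled/{{ item.hostname }}.trygvis.io.conf` is written to disk but Apache is never reloaded and the previous vhost stays live until someone restarts it by hand. Nothing validates the rendered file either, so a bad render is installed as-is and only surfaces on the next reload, at which point every site on the host goes down. Add `notify: reload apache2` to the template task and a `reload apache2` handler in this role that runs `apache2ctl configtest` before `service: name=apache2 state=reloaded`, so a broken vhost fails the play instead of the server. The two `mkdir` tasks could also collapse into one with a list of paths, but that is cosmetic.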
diff --git a/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf b/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
new file mode 100644
index 0000000..0172ff5
--- /dev/null
+++ b/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
@@ -0,0 +1,31 @@
+# Ansible
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+ ServerAdmin root@trygvis.io
+ ServerName {{ item.hostname }}.trygvis.io
+
+ LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/{{ item.hostname }}.trygvis.io-error.log
+ CustomLog ${APACHE_LOG_DIR}/{{ item.hostname }}.trygvis.io-access.log combined
+
+ DocumentRoot /var/www/{{ item.hostname }}.trygvis.io/htdocs
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www/{{ item.hostname }}.trygvis.io/htdocs/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
+ ProxyTimeout 600
+ ProxyPreserveHost On
+ ProxyPass / http://{{ lxc_containers[item.backend].ipv4.address }}:5000/
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ item.hostname }}.trygvis.io/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ item.hostname }}.trygvis.io/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>
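Review bot: `ProxyPass / http://…:5000/` has no matching `ProxyPassReverse`, so any `Location` header the backend emits (a redirect after login, for example) reaches the client with the container's 10.0.3.x address instead of `{{ item.hostname }}.trygvis.io`. The htdocs `<Directory>` block also turns on `Indexes` for the document root and uses the Apache 2.2 `Order allow,deny` / `allow from all` pair, which on 2.4 (the certbot `options-ssl-apache.conf` include suggests 2.4) only works through mod_access_compat; `Require all granted` is the native form, and `Indexes` should go unless directory listings are wanted. TLS terminates here and the backend is reached over plain http, so the app cannot tell the original scheme unless it is told; `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) covers that, assuming the app honours the header. Only the htdocs and proxy directives change:
```apache
    <Directory /var/www/{{ item.hostname }}.trygvis.io/htdocs/>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ProxyTimeout 600
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://{{ lxc_containers[item.backend].ipv4.address }}:5000/
    ProxyPassReverse / http://{{ lxc_containers[item.backend].ipv4.address }}:5000/
    # … unchanged: SSLCertificateFile / SSLCertificateKeyFile / Include …
```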
diff --git a/ansible/roles/lxc-host/tasks/main.yml b/ansible/roles/lxc-host/tasks/main.yml
index a043d4c..676e27e 100644
--- a/ansible/roles/lxc-host/tasks/main.yml
+++ b/ansible/roles/lxc-host/tasks/main.yml
@@ -6,7 +6,7 @@
lineinfile:
path: "/var/lib/lxc/{{ item.key }}/config"
regexp: "lxc.network.ipv4 *="
- line: "lxc.network.ipv4 = {{ item.value.ipv4.address }}"
+ line: "lxc.network.ipv4 = {{ item.value.ipv4.address }}/{{ item.value.ipv4.netmask }}"
with_dict: "{{ lxc_containers }}"
- name: Set IPv4 gateway
lineinfile:
diff --git a/ansible/roles/lxc-machine/tasks/main.yml b/ansible/roles/lxc-machine/tasks/main.yml
index b4f4aee..e75dcd9 100644
--- a/ansible/roles/lxc-machine/tasks/main.yml
+++ b/ansible/roles/lxc-machine/tasks/main.yml
@@ -1,17 +1,3 @@
-- name: system setup
- tags:
- - packages
- block:
- - name: misc packages
- apt:
- name: "{{ item }}"
- install_recommends: no
- with_items:
- - systemd-cron
- - ca-certificates
- - unzip
- - sudo
-
- name: disable ipv6
tags:
- disable-ipv6
@@ -32,4 +18,19 @@
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-# TODO: postfix client
+- name: system setup
+ tags:
+ - packages
+ block:
+ - name: misc packages
+ apt:
+ name: "{{ item }}"
+ install_recommends: no
+ with_items:
+ - systemd-cron
+ - ca-certificates
+ - unzip
+ - sudo
+ - vim
+ - less
+ - ack
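Review bot: The `misc packages` task passes `name: "{{ item }}"` under `with_items`, which runs one apt transaction per package — seven here after the three additions. The `apt` module takes a list, so `name: [systemd-cron, ca-certificates, unzip, sudo, vim, less, ack]` (or the same as a block list under `name:`) with no loop installs everything in a single transaction, and newer Ansible releases warn about the looped form. Nothing else in the hunk changes behaviour; it is the block removed above, moved after the ipv6 task, plus the editor/pager packages.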
diff --git a/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service b/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service
new file mode 100644
index 0000000..5e55de4
--- /dev/null
+++ b/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service
@@ -0,0 +1,14 @@
+[Unit]
+After=network.target postgresql.service
+
+[Service]
+ExecStart=/opt/sz-ds/src/SweetzpotCentral/infrastructure/run-data-server
+WorkingDirectory=/opt/sz-ds
+KillMode=process
+Restart=on-failure
+User=sz-ds
+Group=sz-ds
+EnvironmentFile=/etc/sz-ds/env.conf
+
+[Install]
+WantedBy=multi-user.target
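Review bot: The unit drops to the unprivileged `sz-ds` user but applies none of systemd's sandboxing, and `After=postgresql.service` is only an ordering hint — without `Wants=postgresql.service`, `systemctl start sz-ds` on its own will not bring the database up first — while `Restart=on-failure` with no `RestartSec` makes a crashing server restart in a tight loop. `KillMode=process` means `systemctl stop` signals only the main process and leaves anything `run-data-server` forked running; unless that is deliberate, the default `control-group` is what is wanted. A `Description=` line and a minimal hardening set (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem=full`, `ProtectHome`) are cheap for a service that appears to need only `/opt/sz-ds`, `/etc/sz-ds` and a local database socket — confirm the app writes nowhere else before tightening further.
```ini
[Unit]
Description=sz-ds data server
After=network.target postgresql.service
Wants=postgresql.service

[Service]
; … unchanged: ExecStart / WorkingDirectory / User / Group / EnvironmentFile …
; KillMode=process dropped: default control-group stops the whole service cgroup
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```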
diff --git a/ansible/roles/sz-ds/handlers/main.yml b/ansible/roles/sz-ds/handlers/main.yml
new file mode 100644
index 0000000..846f076
--- /dev/null
+++ b/ansible/roles/sz-ds/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart sz-ds
+ service:
+ name: sz-ds
+ state: restarted
+
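Review bot: The `restart sz-ds` handler goes through the generic `service` module, but the unit file it restarts is installed elsewhere in this role by a plain `copy` task with no `systemctl daemon-reload`, so on first deploy — and whenever `sz-ds.service` changes — systemd restarts the stale in-memory unit definition. Use the `systemd` module here, `systemd: name=sz-ds state=restarted daemon_reload=yes`, or give the unit-file copy task its own `notify` to a daemon-reload handler that runs before this one.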
diff --git a/ansible/roles/sz-ds/tasks/flyway.yml b/ansible/roles/sz-ds/tasks/flyway.yml
new file mode 100644
index 0000000..c34ef44
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/flyway.yml
@@ -0,0 +1,30 @@
+- name: mkdir /opt/sz-ds/flyway
+ file:
+ state: directory
+ path: /opt/sz-ds/flyway
+- template:
+ src: opt/sz-ds/bin/flyway.j2
+ dest: /opt/sz-ds/bin/flyway
+ become: no
+# mode: a=rx
+- name: /etc/sz-ds/flyway.conf
+ tags: update-password
+ file:
+ dest: /etc/sz-ds/flyway.conf
+ content: |
+ flyway.url=jdbc:postgresql://localhost/sz-ds
+ flyway.user=sz-ds-flyway
+ flyway.password={{ sz_ds_secret.db_password_flyway }}
+
+ flyway.locations=filesystem:/opt/sz-ds/src/SweetzpotCentral/data-server/migrations
+ flyway.schemas=public
+
+- name: Download and extract Flyway {{ flyway_version }}
+ unarchive:
+ src: "https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/{{ flyway_version }}/flyway-commandline-{{ flyway_version }}.zip"
+ dest: /opt/sz-ds/flyway
+ creates: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}"
+ remote_src: yes
+- file:
+ path: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}/flyway"
+ mode: a=rx
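Review bot: The `/etc/sz-ds/flyway.conf` task uses the `file` module with a `content:` argument, which `file` does not accept; Ansible rejects the task with an unsupported-parameter error, so the config that `/opt/sz-ds/bin/flyway` points at is never written. It should be `copy:`, and because the file carries `flyway.password` it needs a restrictive mode rather than the 0644 default: `copy:` / `dest: /etc/sz-ds/flyway.conf` / `mode: u=rw,go=`, with `owner:` set to whichever account runs the migrations (not shown in this hunk). The wrapper template above it has `become: no` and its `mode: a=rx` commented out, so `/opt/sz-ds/bin/flyway` is installed non-executable; and `unarchive` pulls the Flyway zip from Maven Central with no checksum, so pinning `flyway_version` does not verify what gets extracted — a `get_url` with `checksum:` followed by a local `unarchive` would.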
diff --git a/ansible/roles/sz-ds/tasks/main.yml b/ansible/roles/sz-ds/tasks/main.yml
index 9e55292..559937c 100644
--- a/ansible/roles/sz-ds/tasks/main.yml
+++ b/ansible/roles/sz-ds/tasks/main.yml
@@ -4,8 +4,10 @@
name: "{{ item }}"
install_recommends: no
with_items:
+ - git
- python-psycopg2
- python3-psycopg2
+ - virtualenv
- name: accounts for sz-ds
tags: user
@@ -17,12 +19,18 @@
createhome: no
home: /opt/sz-ds
system: yes
- - file:
+ - name: mkdir /etc/sz-ds
+ file:
+ state: directory
+ path: /etc/sz-ds
+ - name: mkdir /opt/sz-ds
+ file:
state: directory
path: /opt/sz-ds
owner: sz-ds
mode: u=rwx,go=
- - file:
+ - name: mkdir /opt/sz-ds/bin
+ file:
state: directory
path: /opt/sz-ds/bin
- copy:
@@ -31,57 +39,16 @@
- name: flyway for sz-ds
tags: flyway
- block:
- - name: mkdir /opt/sz-ds/flyway
- file:
- state: directory
- path: /opt/sz-ds/flyway
- - template:
- src: opt/sz-ds/bin/flyway.j2
- dest: /opt/sz-ds/bin/flyway
- mode: a=rx
- - name: Download and extract Flyway {{ flyway_version }}
- unarchive:
- src: "https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/{{ flyway_version }}/flyway-commandline-{{ flyway_version }}.zip"
- dest: /opt/sz-ds/flyway
- creates: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}"
- remote_src: yes
- - file:
- path: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}/flyway"
- mode: a=rx
- # flyway.conf is created later
+ include: flyway.yml
+
- name: sz-ds database
tags: sz-ds-pg
become: yes
become_user: postgres
vars:
ansible_ssh_pipelining: true
- block:
- - name: sz-ds
- postgresql_user:
- name: sz-ds
- role_attr_flags: "NOLOGIN"
- - name: sz-ds-flyway
- tags: update-password
- postgresql_user:
- name: sz-ds-flyway
- password: "{{ sz_ds_secret.db_password_flyway }}"
- encrypted: yes
- - name: sz-ds-web
- tags: update-password
- postgresql_user:
- name: sz-ds-web
- password: "{{ sz_ds_secret.db_password_web }}"
- encrypted: yes
- - name: sz-ds db
- postgresql_db:
- name: "sz-ds"
- encoding: "utf-8"
- owner: "sz-ds"
- - postgresql_privs:
- database: sz-ds
- state: present
- privs: USAGE
- type: schema
- objs: public
- roles: sz-ds-web,sz-ds-flyway
+ include: sz-ds-pg.yml
+
+- name: sz-ds app
+ tags: sz-ds-app
+ include: sz-ds-app.yml
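Review bot: The three new `include: …yml` lines use the legacy `include` action, which Ansible 2.4+ marks deprecated and which guesses between static and dynamic behaviour; this role relies on the `tags:` and `become_user: postgres` on the including task applying to every task inside the file, so the matching replacement is the static `import_tasks: sz-ds-pg.yml` (and likewise `import_tasks: flyway.yml`, `import_tasks: sz-ds-app.yml`). `include_tasks` would look similar but, being dynamic, does not pass its tags down to the included tasks, so `--tags sz-ds-pg` would skip the database setup entirely. The Ansible version this repository targets is not visible here; if it predates 2.4, `include` is the only option and this note does not apply.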
diff --git a/ansible/roles/sz-ds/tasks/sz-ds-app.yml b/ansible/roles/sz-ds/tasks/sz-ds-app.yml
new file mode 100644
index 0000000..78e300c
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/sz-ds-app.yml
@@ -0,0 +1,41 @@
+- name: /etc/sz-ds/env.conf
+ tags: update-password
+ template:
+ src: etc/sz-ds/env.conf.j2
+ dest: /etc/sz-ds/env.conf
+ mode: a=r
+ notify:
+ - restart sz-ds
+- name: /etc/systemd/system/sz-ds.service
+ copy:
+ src: etc/systemd/system/sz-ds.service
+ dest: /etc/systemd/system/sz-ds.service
+- name: git pull
+ tags: sz-ds-pull
+ notify:
+# - flyway migrate
+ - restart sz-ds
+ register: git_checkout
+ git:
+ repo: "https://{{ sz_ds_secrets.github.username }}:{{ sz_ds_secrets.github.password }}@github.com/SweetzpotAS/SweetzpotCentral"
+ dest: /opt/sz-ds/src/SweetzpotCentral
+ version: master
+
+- name: Update GIT_REVISION
+ tags: sz-ds-pull
+ lineinfile:
+ path: "/etc/sz-ds/env.conf"
+ regexp: "^GIT_REVISION="
+ line: "GIT_REVISION={{ git_checkout.after }}"
+
+- name: sz-ds pip
+ notify: restart sz-ds
+ tags: sz-ds-pull
+ pip:
+ virtualenv: /opt/sz-ds/env
+ virtualenv_python: python3
+ chdir: /opt/sz-ds/src/SweetzpotCentral/data-server
+ requirements: requirements.txt
+# editable: true
+ extra_args: --trusted-host github.com --process-dependency-links
+
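Review bot: `/etc/sz-ds/env.conf` is installed with `mode: a=r`, but the template behind it (`env.conf.j2` in this commit) puts the `sz-ds-web` database password into `SQLALCHEMY_DATABASE_URI`, so every local account on the container can read the production DB credentials. The unit runs as `User=sz-ds`, so `owner: sz-ds` with `mode: u=r,go=` is enough; `lineinfile` edits in place and should keep that mode when it rewrites `GIT_REVISION`, but confirm after the first run. The `git` task embeds `{{ sz_ds_secrets.github.password }}` in the clone URL, which git persists verbatim in `/opt/sz-ds/src/SweetzpotCentral/.git/config` and which appears in verbose Ansible output — a read-only deploy key via the module's `key_file`/`accept_hostkey` keeps the account password off the host; note also that this task reads `sz_ds_secrets` while every other task reads `sz_ds_secret`, which is fine only if both variables exist. Finally, pip's `--trusted-host github.com` tells pip to accept that host without valid HTTPS, which is the wrong direction for code fetched via `--process-dependency-links`; drop it unless there is a known certificate problem, and consider pinning `version:` to a tag or SHA instead of `master` so a deploy is reproducible.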
diff --git a/ansible/roles/sz-ds/tasks/sz-ds-pg.yml b/ansible/roles/sz-ds/tasks/sz-ds-pg.yml
new file mode 100644
index 0000000..48c6500
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/sz-ds-pg.yml
@@ -0,0 +1,28 @@
+- name: sz-ds
+ postgresql_user:
+ name: sz-ds
+ role_attr_flags: "NOLOGIN"
+- name: sz-ds-flyway
+ tags: update-password
+ postgresql_user:
+ name: sz-ds-flyway
+ password: "{{ sz_ds_secret.db_password_flyway }}"
+ encrypted: yes
+- name: sz-ds-web
+ tags: update-password
+ postgresql_user:
+ name: sz-ds-web
+ password: "{{ sz_ds_secret.db_password_web }}"
+ encrypted: yes
+- name: sz-ds db
+ postgresql_db:
+ name: "sz-ds"
+ encoding: "utf-8"
+ owner: "sz-ds"
+- postgresql_privs:
+ database: sz-ds
+ state: present
+ privs: USAGE
+ type: schema
+ objs: public
+ roles: sz-ds-web,sz-ds-flyway
diff --git a/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2 b/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2
new file mode 100644
index 0000000..1e2cebb
--- /dev/null
+++ b/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2
@@ -0,0 +1,3 @@
+GIT_REVISION=
+SQLALCHEMY_DATABASE_URI="postgresql://sz-ds-web:{{ sz_ds_secret.db_password_web }}@localhost/sz-ds"
+SZ_CONFIG=/opt/sz-ds/src/SweetzpotCentral/data-server/config/config-{{ sz_ds_env }}.py
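Review bot: `{{ sz_ds_secret.db_password_web }}` is interpolated raw into the `postgresql://user:password@host/db` URI, so a password containing `@`, `/`, `:`, `#`, `?` or `%` silently shifts the parsed host or database and the service fails to connect — a real risk for a generated secret. Use the `urlencode` filter: `SQLALCHEMY_DATABASE_URI="postgresql://sz-ds-web:{{ sz_ds_secret.db_password_web | urlencode }}@localhost/sz-ds"`. Because the rendered file holds that password in plaintext, the task that installs it (in `sz-ds-app.yml`, not here) must not leave it world-readable.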
diff --git a/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2 b/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
index 8113d96..2481feb 100644
--- a/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
+++ b/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
@@ -3,5 +3,5 @@
set -e
v="{{ flyway_version }}"
-flyway="/opt/p2k16/flyway/flyway-$v/flyway"
-exec "$flyway" -configFile=/etc/p2k16/flyway.conf "$@"
+flyway="/opt/sz-ds/flyway/flyway-$v/flyway"
+exec "$flyway" -configFile=/etc/sz-ds/flyway.conf "$@"
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
index 66268d4..3284771 100644
--- a/ansible/secrets.yml
+++ b/ansible/secrets.yml
@@ -1,12 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256
-38666438656330623934626438306434326239326264613465336665346630663564643939393938
-3633356531623065363432336634373037613161393465330a393761613838666135376362643331
-63636534336133613035633835343030396466343866373131643330613831623931343639663337
-6134353932326462310a383536646533396339316163383734316432633933646164323535623330
-34643962343732623930386466353631623230633531336630623461343935636266393763613264
-39306638356464346339663166306438636234616331383964656538623362353332663662636136
-64633463383933346566613161303562323939303665316164366638313065353739613431356164
-64613661303239313638396231323635653136366531666233613932353133353965653130373762
-38303839346439653662653533363436353436663637633464656163343636396162326331643166
-31363164346361333966323666633365353666373035643333366539623039656131306363396261
-353935653035633035626436623862353062
+63326262383165613634636232363636363666616339653063346164373131386230373466666337
+6634373236646365356432306630623332663336353230340a313065313138353465663635393432
+63653931653437353536343933613033613230316561663837656638353864303334613138353839
+3133656139303531310a626461393131323831653139393235613438323665373330653839626265
+61323266356137303834376166323437323538643333363731363533303862643862633234343038
+32306536383731636533666437363539623636343763343164353031363435383564303734393761
+39326261333962313563313564383634663465356339373937333036393165396238666134656463
+32386264663362326365306231353437633134663231303164373830303930356165323462663261
+31343235316538323733633562303661393034353966343432653835353565306233313563303163
+64663433343961333231663464316163323830646633633130386432643363343565356438666139
+363430656261616130323637626364326636
diff --git a/ansible/sz-ds.yml b/ansible/sz-ds.yml
index 2566f4c..354a069 100644
--- a/ansible/sz-ds.yml
+++ b/ansible/sz-ds.yml
@@ -4,9 +4,21 @@
- sz-test
roles:
- timezone
- - lxc-machine
tasks:
+ - name: lxc-machine
+ import_role: name=lxc-machine
+ tags: lxc-machine
+
- name: postgresql-server
import_role: name=postgresql-server
+ tags: postgresql-server
+
+ - name: java8
+ tags: java8
+ import_role: name=java8
+
- name: sz-ds
+ tags: sz-ds
import_role: name=sz-ds
+
+# TODO: postfix client