author | Trygve Laugstøl <trygvis@inamo.no> | 2018-08-28 15:37:55 +0200 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-08-28 15:37:55 +0200 |
commit | a5705d3f44cb86b216277c6311f313963d4f9c49 (patch) | |
tree | b9a6343a8c730b83e37138bb09461b5a4cf007bc /ansible | |
parent | 1f677dfeded1f52dc75c34c93f9ef1d6b3b948be (diff) | |
o sz-ds: wip.
Diffstat (limited to 'ansible')
21 files changed, 265 insertions, 83 deletions
diff --git a/ansible/group_vars/all/sz_ds.yml b/ansible/group_vars/all/sz_ds.yml new file mode 100644 index 0000000..2f1d235 --- /dev/null +++ b/ansible/group_vars/all/sz_ds.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +38623764363231303163656636386339653034663164353139393033356362633731336666653337 +3935633730626438393031373564313630643266383761650a653766363761313639663739373034 +62326664633231323063386530386137616138313563663665393833633337316366653438326636 +6564386334646563330a386133363466633533373238396364363566383166356333363062623234 +32653035306538616232656261346237306634346165333032613463636533643036363733383535 +30346265336361653866643665303164656566303439396563636664303762666562653763363330 +36663336346431623032353039396132383065323131306434343762653162643536313939623430 +31323436343663346537653433306438663537653165633530383231373234326534346135366335 +65653739646332363033313930383766393161343032653930323166343537323863 diff --git a/ansible/host_vars/knot.yml b/ansible/host_vars/knot.yml index ec97b6a..f7bc64a 100644 --- a/ansible/host_vars/knot.yml +++ b/ansible/host_vars/knot.yml @@ -1,9 +1,11 @@ lxc_containers: sz-prod: ipv4: - address: 10.0.3.3/24 + address: 10.0.3.3 + netmask: 24 gateway: 10.0.3.1 sz-test: ipv4: - address: 10.0.3.4/24 + address: 10.0.3.4 + netmask: 24 gateway: 10.0.3.1 diff --git a/ansible/host_vars/sz-prod/main.yml b/ansible/host_vars/sz-prod/main.yml new file mode 100644 index 0000000..88da296 --- /dev/null +++ b/ansible/host_vars/sz-prod/main.yml @@ -0,0 +1 @@ +sz_ds_env: sz-prod diff --git a/ansible/host_vars/sz-prod/sz_ds_secret.yml b/ansible/host_vars/sz-prod/sz_ds_secret.yml new file mode 100644 index 0000000..c14eac2 --- /dev/null +++ b/ansible/host_vars/sz-prod/sz_ds_secret.yml 
@@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.1;AES256 +66656333353364366431623463613930373331333161313736306365623738613738353734333530 +3163653733313734663935613033623637393861356237310a323034396266373862323535633666 +35623963386536303637336337653637346262376634613065653763653735653532353331386233 +3863383365656166330a643666366138343734393833383337613530653462366361663764303862 +65636137333036633637663831613535316161303838616434343162383439616338313336643930 +64623534373062346434643436386230393437656262333435643131333938666337623339623636 +35636635323037316163346130643531633366663266303935303138393464643363313136616137 +63303531643633393131643362333565306430393734346435353730363561343736363139326261 +39653066363161633436343666313734613834653566633831353566373562323162376365653961 +3735313062356662356262663036633863376534663239363765 diff --git a/ansible/host_vars/sz-test/main.yml b/ansible/host_vars/sz-test/main.yml new file mode 100644 index 0000000..3f1cd48 --- /dev/null +++ b/ansible/host_vars/sz-test/main.yml @@ -0,0 +1 @@ +sz_ds_env: sz-test diff --git a/ansible/knot.yml b/ansible/knot.yml index 05207b8..4821271 100644 --- a/ansible/knot.yml +++ b/ansible/knot.yml @@ -14,3 +14,7 @@ import_role: name=lxc-host tags: lxc-host become: true + - name: knot-apache + import_role: name=knot-apache + tags: knot-apache + become: true diff --git a/ansible/roles/java8/handlers/main.yml b/ansible/roles/java8/handlers/main.yml index 0298ff9..90bca76 100644 --- a/ansible/roles/java8/handlers/main.yml +++ b/ansible/roles/java8/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: update apt cache +- name: apt update become: yes apt: update_cache: yes diff --git a/ansible/roles/knot-apache/tasks/main.yml b/ansible/roles/knot-apache/tasks/main.yml new file mode 100644 index 0000000..a3d1be6 --- /dev/null +++ b/ansible/roles/knot-apache/tasks/main.yml 
@@ -0,0 +1,21 @@
+- name: /etc/apache2/sites-enabled/{{ item.hostname }}.trygvis.io.conf
+ template:
+ src: etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
+ dest: /etc/apache2/sites-enabled/{{ item.hostname }}.trygvis.io.conf
+ with_items: &backends
+ - hostname: sz
+ backend: sz-prod
+# - hostname: sz-test
+# backend: sz-test
+
+- name: "mkdir /var/www/{{ item.hostname }}.trygvis.io"
+ file:
+ dest: "/var/www/{{ item.hostname }}.trygvis.io"
+ state: directory
+ with_items: *backends
+
+- name: "mkdir /var/www/{{ item.hostname }}.trygvis.io/htdocs"
+ file:
+ dest: "/var/www/{{ item.hostname }}.trygvis.io/htdocs"
+ state: directory
+ with_items: *backends
diff --git a/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf b/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
new file mode 100644
index 0000000..0172ff5
--- /dev/null
+++ b/ansible/roles/knot-apache/templates/etc/apache2/sites-enabled/sz-ds.trygvis.io.conf
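Review bot: Nothing reloads Apache after the vhost is templated into `/etc/apache2/sites-enabled/{{ item.hostname }}.trygvis.io.conf`, and this commit adds no handlers directory for the knot-apache role, so the new site only becomes active on the next unrelated Apache restart. Add a handler `- name: reload apache2` running `service: name=apache2 state=reloaded` and put `notify: reload apache2` on the template task. The two `file:` tasks create the `/var/www/...` directories with no `owner`/`mode`, so they inherit root and the connecting user's umask; state the intended ownership explicitly. The `&backends` anchor currently holds a single entry with the `sz-test` pair commented out, which is fine for a WIP but will need the alias consumers re-checked when sz-test is enabled.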
@@ -0,0 +1,31 @@
+# Ansible
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+ ServerAdmin root@trygvis.io
+ ServerName {{ item.hostname }}.trygvis.io
+
+ LogLevel warn
+ ErrorLog ${APACHE_LOG_DIR}/{{ item.hostname }}.trygvis.io-error.log
+ CustomLog ${APACHE_LOG_DIR}/{{ item.hostname }}.trygvis.io-access.log combined
+
+ DocumentRoot /var/www/{{ item.hostname }}.trygvis.io/htdocs
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www/{{ item.hostname }}.trygvis.io/htdocs/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
+ ProxyTimeout 600
+ ProxyPreserveHost On
+ ProxyPass / http://{{ lxc_containers[item.backend].ipv4.address }}:5000/
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ item.hostname }}.trygvis.io/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ item.hostname }}.trygvis.io/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>
diff --git a/ansible/roles/lxc-host/tasks/main.yml b/ansible/roles/lxc-host/tasks/main.yml
index a043d4c..676e27e 100644
--- a/ansible/roles/lxc-host/tasks/main.yml
+++ b/ansible/roles/lxc-host/tasks/main.yml
@@ -6,7 +6,7 @@ lineinfile: path: "/var/lib/lxc/{{ item.key }}/config" regexp: "lxc.network.ipv4 *=" - line: "lxc.network.ipv4 = {{ item.value.ipv4.address }}" + line: "lxc.network.ipv4 = {{ item.value.ipv4.address }}/{{ item.value.ipv4.netmask }}" with_dict: "{{ lxc_containers }}" - name: Set IPv4 gateway lineinfile:
diff --git a/ansible/roles/lxc-machine/tasks/main.yml b/ansible/roles/lxc-machine/tasks/main.yml
index b4f4aee..e75dcd9 100644
--- a/ansible/roles/lxc-machine/tasks/main.yml
+++ b/ansible/roles/lxc-machine/tasks/main.yml
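Review bot: The `Order allow,deny` / `allow from all` pair in the htdocs `<Directory>` block is Apache 2.2 access-control syntax; on Apache 2.4 it only works while `mod_access_compat` is loaded, so replace both lines with `Require all granted`. `Options Indexes` on that same directory turns on directory listings for `/var/www/{{ item.hostname }}.trygvis.io/htdocs`, an information-disclosure foot-gun even though `ProxyPass /` currently forwards every request to the backend; drop `Indexes`. `ProxyPass` has no matching `ProxyPassReverse / http://{{ lxc_containers[item.backend].ipv4.address }}:5000/`, so a redirect issued by the backend leaks the internal container address in the `Location` header. The backend hop is plain HTTP on the LXC bridge, which is presumably intended because both ends are on the same host; a one-line comment in the template saying so would save the next reader the question.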
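Review bot: The new `line:` makes `ipv4.netmask` mandatory for every `lxc_containers` entry; an entry that still carries the old `/24` suffix in `address`, or lacks `netmask`, now renders an undefined or doubled value into the container config instead of failing clearly. Either assert the key before the loop or default it, e.g. `line: "lxc.network.ipv4 = {{ item.value.ipv4.address }}/{{ item.value.ipv4.netmask | default(24) }}"`, whichever matches how the host_vars are meant to be written. The `regexp` `lxc.network.ipv4 *=` also leaves its dots unescaped; `lxc\.network\.ipv4 *=` is what is meant. The enclosing task's `- name:` line is above the hunk.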
@@ -1,17 +1,3 @@ -- name: system setup - tags: - - packages - block: - - name: misc packages - apt: - name: "{{ item }}" - install_recommends: no - with_items: - - systemd-cron - - ca-certificates - - unzip - - sudo - - name: disable ipv6 tags: - disable-ipv6
@@ -32,4 +18,19 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters -# TODO: postfix client +- name: system setup + tags: + - packages + block: + - name: misc packages + apt: + name: "{{ item }}" + install_recommends: no + with_items: + - systemd-cron + - ca-certificates + - unzip + - sudo + - vim + - less + - ack
diff --git a/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service b/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service
new file mode 100644
index 0000000..5e55de4
--- /dev/null
+++ b/ansible/roles/sz-ds/files/etc/systemd/system/sz-ds.service
@@ -0,0 +1,14 @@
+[Unit]
+After=network.target postgresql.service
+
+[Service]
+ExecStart=/opt/sz-ds/src/SweetzpotCentral/infrastructure/run-data-server
+WorkingDirectory=/opt/sz-ds
+KillMode=process
+Restart=on-failure
+User=sz-ds
+Group=sz-ds
+EnvironmentFile=/etc/sz-ds/env.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/sz-ds/handlers/main.yml b/ansible/roles/sz-ds/handlers/main.yml
new file mode 100644
index 0000000..846f076
--- /dev/null
+++ b/ansible/roles/sz-ds/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart sz-ds
+ service:
+ name: sz-ds
+ state: restarted
+
diff --git a/ansible/roles/sz-ds/tasks/flyway.yml b/ansible/roles/sz-ds/tasks/flyway.yml
new file mode 100644
index 0000000..c34ef44
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/flyway.yml
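Review bot: `KillMode=process` makes systemd signal only the main PID on stop and restart, so any worker processes spawned by `run-data-server` are left running with the old code and holding the port; unless that script needs it, delete the line and keep the default control-group behaviour. The unit has no `Description=` and no sandboxing even though it already runs as the dedicated `sz-ds` user, so `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are cheap additions. `EnvironmentFile=/etc/sz-ds/env.conf` carries the database credentials, so that file must stay readable by `sz-ds` and nobody else (see the mode it is installed with in sz-ds-app.yml).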
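Review bot: `restart sz-ds` uses the generic `service` module, but the unit file is installed by this same role (sz-ds-app.yml copies `/etc/systemd/system/sz-ds.service`) and nothing runs a daemon-reload or enables the unit, so a changed unit is restarted with stale settings and the service is not started at boot. Use `systemd:` with `name: sz-ds`, `state: restarted`, `daemon_reload: yes` here, and add an `enabled: yes` step where the unit is copied. The trailing empty `+` line is a stray blank.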
@@ -0,0 +1,30 @@
+- name: mkdir /opt/sz-ds/flyway
+ file:
+ state: directory
+ path: /opt/sz-ds/flyway
+- template:
+ src: opt/sz-ds/bin/flyway.j2
+ dest: /opt/sz-ds/bin/flyway
+ become: no
+# mode: a=rx
+- name: /etc/sz-ds/flyway.conf
+ tags: update-password
+ file:
+ dest: /etc/sz-ds/flyway.conf
+ content: |
+ flyway.url=jdbc:postgresql://localhost/sz-ds
+ flyway.user=sz-ds-flyway
+ flyway.password={{ sz_ds_secret.db_password_flyway }}
+
+ flyway.locations=filesystem:/opt/sz-ds/src/SweetzpotCentral/data-server/migrations
+ flyway.schemas=public
+
+- name: Download and extract Flyway {{ flyway_version }}
+ unarchive:
+ src: "https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/{{ flyway_version }}/flyway-commandline-{{ flyway_version }}.zip"
+ dest: /opt/sz-ds/flyway
+ creates: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}"
+ remote_src: yes
+- file:
+ path: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}/flyway"
+ mode: a=rx
diff --git a/ansible/roles/sz-ds/tasks/main.yml b/ansible/roles/sz-ds/tasks/main.yml
index 9e55292..559937c 100644
--- a/ansible/roles/sz-ds/tasks/main.yml
+++ b/ansible/roles/sz-ds/tasks/main.yml
@@ -4,8 +4,10 @@ name: "{{ item }}" install_recommends: no with_items: + - git - python-psycopg2 - python3-psycopg2 + - virtualenv - name: accounts for sz-ds tags: user
@@ -17,12 +19,18 @@ createhome: no home: /opt/sz-ds system: yes - - file: + - name: mkdir /etc/sz-ds + file: + state: directory + path: /etc/sz-ds + - name: mkdir /opt/sz-ds + file: state: directory path: /opt/sz-ds owner: sz-ds mode: u=rwx,go= - - file: + - name: mkdir /opt/sz-ds/bin + file: state: directory path: /opt/sz-ds/bin - copy:
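Review bot: The `/etc/sz-ds/flyway.conf` task calls the `file` module with a `content:` argument, which `file` does not accept, so the task fails at runtime; `copy:` is the module that takes `content`. Because the file carries `flyway.password`, it also needs a restrictive mode such as `mode: u=rw,go=` plus an `owner` matching whichever account runs `/opt/sz-ds/bin/flyway` (that account is not evident from the role). The unnamed `- template:` task for the wrapper has `become: no` and its `mode: a=rx` commented out, whereas the block this replaces in main.yml set `mode: a=rx`, so the script is no longer executable and is written as the connecting user. The `unarchive` of the Flyway zip from repo1.maven.org has no integrity check; fetch it with `get_url` and a pinned `checksum:` first, then unarchive the local file, so a tampered download cannot silently replace the migration tool.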
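Review bot: `mkdir /etc/sz-ds` creates the directory with the default mode, yet the rest of the role places `env.conf` and `flyway.conf`, both containing database passwords, inside it; give it `owner: root`, `group: sz-ds`, `mode: u=rwx,g=rx,o=` so a too-permissive file dropped there later is still unreachable by other local users. The `mkdir /opt/sz-ds/bin` task in the same hunk likewise sets no owner or mode, which matters less but the wrapper script lives there. This hunk's tasks are inside the `accounts for sz-ds` block whose header is above the hunk.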
@@ -31,57 +39,16 @@ - name: flyway for sz-ds tags: flyway - block: - - name: mkdir /opt/sz-ds/flyway - file: - state: directory - path: /opt/sz-ds/flyway - - template: - src: opt/sz-ds/bin/flyway.j2 - dest: /opt/sz-ds/bin/flyway - mode: a=rx - - name: Download and extract Flyway {{ flyway_version }} - unarchive: - src: "https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/{{ flyway_version }}/flyway-commandline-{{ flyway_version }}.zip" - dest: /opt/sz-ds/flyway - creates: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}" - remote_src: yes - - file: - path: "/opt/sz-ds/flyway/flyway-{{ flyway_version }}/flyway" - mode: a=rx - # flyway.conf is created later + include: flyway.yml + - name: sz-ds database tags: sz-ds-pg become: yes become_user: postgres vars: ansible_ssh_pipelining: true - block: - - name: sz-ds - postgresql_user: - name: sz-ds - role_attr_flags: "NOLOGIN" - - name: sz-ds-flyway - tags: update-password - postgresql_user: - name: sz-ds-flyway - password: "{{ sz_ds_secret.db_password_flyway }}" - encrypted: yes - - name: sz-ds-web - tags: update-password - postgresql_user: - name: sz-ds-web - password: "{{ sz_ds_secret.db_password_web }}" - encrypted: yes - - name: sz-ds db - postgresql_db: - name: "sz-ds" - encoding: "utf-8" - owner: "sz-ds" - - postgresql_privs: - database: sz-ds - state: present - privs: USAGE - type: schema - objs: public - roles: sz-ds-web,sz-ds-flyway + include: sz-ds-pg.yml + +- name: sz-ds app + tags: sz-ds-app + include: sz-ds-app.yml
diff --git a/ansible/roles/sz-ds/tasks/sz-ds-app.yml b/ansible/roles/sz-ds/tasks/sz-ds-app.yml
new file mode 100644
index 0000000..78e300c
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/sz-ds-app.yml
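Review bot: `include: flyway.yml`, `include: sz-ds-pg.yml` and `include: sz-ds-app.yml` use the legacy `include` keyword, which is deprecated in favour of `import_tasks` / `include_tasks`; whether the tags `flyway`, `sz-ds-pg`, `sz-ds-app` and the `become_user: postgres` on the database task propagate to the included files depends on the include being resolved statically, so `import_tasks:` makes that propagation explicit. The hunk removes the `block:` that previously carried those task-level keywords; with `import_tasks` they still apply to every imported task, which appears to be the intent, but the `update-password` tag inside sz-ds-pg.yml is only reachable if the parent tag logic behaves that way, so it is worth a quick `--list-tasks --tags update-password` check. The `- name: sz-ds database` task begins inside the hunk and the file continues past it.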
@@ -0,0 +1,41 @@
+- name: /etc/sz-ds/env.conf
+ tags: update-password
+ template:
+ src: etc/sz-ds/env.conf.j2
+ dest: /etc/sz-ds/env.conf
+ mode: a=r
+ notify:
+ - restart sz-ds
+- name: /etc/systemd/system/sz-ds.service
+ copy:
+ src: etc/systemd/system/sz-ds.service
+ dest: /etc/systemd/system/sz-ds.service
+- name: git pull
+ tags: sz-ds-pull
+ notify:
+# - flyway migrate
+ - restart sz-ds
+ register: git_checkout
+ git:
+ repo: "https://{{ sz_ds_secrets.github.username }}:{{ sz_ds_secrets.github.password }}@github.com/SweetzpotAS/SweetzpotCentral"
+ dest: /opt/sz-ds/src/SweetzpotCentral
+ version: master
+
+- name: Update GIT_REVISION
+ tags: sz-ds-pull
+ lineinfile:
+ path: "/etc/sz-ds/env.conf"
+ regexp: "^GIT_REVISION="
+ line: "GIT_REVISION={{ git_checkout.after }}"
+
+- name: sz-ds pip
+ notify: restart sz-ds
+ tags: sz-ds-pull
+ pip:
+ virtualenv: /opt/sz-ds/env
+ virtualenv_python: python3
+ chdir: /opt/sz-ds/src/SweetzpotCentral/data-server
+ requirements: requirements.txt
+# editable: true
+ extra_args: --trusted-host github.com --process-dependency-links
+
diff --git a/ansible/roles/sz-ds/tasks/sz-ds-pg.yml b/ansible/roles/sz-ds/tasks/sz-ds-pg.yml
new file mode 100644
index 0000000..48c6500
--- /dev/null
+++ b/ansible/roles/sz-ds/tasks/sz-ds-pg.yml
@@ -0,0 +1,28 @@
+- name: sz-ds
+ postgresql_user:
+ name: sz-ds
+ role_attr_flags: "NOLOGIN"
+- name: sz-ds-flyway
+ tags: update-password
+ postgresql_user:
+ name: sz-ds-flyway
+ password: "{{ sz_ds_secret.db_password_flyway }}"
+ encrypted: yes
+- name: sz-ds-web
+ tags: update-password
+ postgresql_user:
+ name: sz-ds-web
+ password: "{{ sz_ds_secret.db_password_web }}"
+ encrypted: yes
+- name: sz-ds db
+ postgresql_db:
+ name: "sz-ds"
+ encoding: "utf-8"
+ owner: "sz-ds"
+- postgresql_privs:
+ database: sz-ds
+ state: present
+ privs: USAGE
+ type: schema
+ objs: public
+ roles: sz-ds-web,sz-ds-flyway
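Review bot: `/etc/sz-ds/env.conf` is installed with `mode: a=r` although the template writes the `sz-ds-web` database password into `SQLALCHEMY_DATABASE_URI`, so every local account can read it; since the unit runs as `User=sz-ds`, use `owner: root`, `group: sz-ds`, `mode: u=rw,g=r,o=`. The `git` task embeds `sz_ds_secrets.github.username` and `.password` in the clone URL, which git persists in plaintext in `/opt/sz-ds/src/SweetzpotCentral/.git/config` and which Ansible echoes on failure because the task has no `no_log: true`; a deploy key or a credential helper keeps the token off disk, and note the variable is spelled `sz_ds_secrets` here but `sz_ds_secret` everywhere else in the role, which looks like an undefined-variable error in waiting. `extra_args: --trusted-host github.com` turns off TLS verification for that host, removing pip's only protection against a tampered dependency download, and `--process-dependency-links` is deprecated in pip; both deserve a comment explaining why they are needed or should go. The `copy` of the unit file notifies nothing and nothing enables the service, so systemd never sees a changed unit until a manual daemon-reload.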
diff --git a/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2 b/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2
new file mode 100644
index 0000000..1e2cebb
--- /dev/null
+++ b/ansible/roles/sz-ds/templates/etc/sz-ds/env.conf.j2
@@ -0,0 +1,3 @@
+GIT_REVISION=
+SQLALCHEMY_DATABASE_URI="postgresql://sz-ds-web:{{ sz_ds_secret.db_password_web }}@localhost/sz-ds"
+SZ_CONFIG=/opt/sz-ds/src/SweetzpotCentral/data-server/config/config-{{ sz_ds_env }}.py
diff --git a/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2 b/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
index 8113d96..2481feb 100644
--- a/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
+++ b/ansible/roles/sz-ds/templates/opt/sz-ds/bin/flyway.j2
@@ -3,5 +3,5 @@ set -e v="{{ flyway_version }}" -flyway="/opt/p2k16/flyway/flyway-$v/flyway" -exec "$flyway" -configFile=/etc/p2k16/flyway.conf "$@" +flyway="/opt/sz-ds/flyway/flyway-$v/flyway" +exec "$flyway" -configFile=/etc/sz-ds/flyway.conf "$@"
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
index 66268d4..3284771 100644
--- a/ansible/secrets.yml
+++ b/ansible/secrets.yml
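Review bot: `SQLALCHEMY_DATABASE_URI` interpolates `sz_ds_secret.db_password_web` raw into the URI, so a password containing `@`, `/`, `:`, `#` or `%` either breaks the URL parse or is mis-read as the host part; render it as `{{ sz_ds_secret.db_password_web | urlencode }}`. `GIT_REVISION=` is left empty here and filled in afterwards by the `lineinfile` task in sz-ds-app.yml, so on every run the template presumably re-renders with the empty value, reports changed and notifies `restart sz-ds`, then `lineinfile` puts the hash back; passing `git_checkout.after` into the template (or rendering it after the checkout) would make the play idempotent.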
@@ -1,12 +1,12 @@ $ANSIBLE_VAULT;1.1;AES256 -38666438656330623934626438306434326239326264613465336665346630663564643939393938 -3633356531623065363432336634373037613161393465330a393761613838666135376362643331 -63636534336133613035633835343030396466343866373131643330613831623931343639663337 -6134353932326462310a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a313065313138353465663635393432 +63653931653437353536343933613033613230316561663837656638353864303334613138353839 +3133656139303531310a626461393131323831653139393235613438323665373330653839626265 +61323266356137303834376166323437323538643333363731363533303862643862633234343038 +32306536383731636533666437363539623636343763343164353031363435383564303734393761 +39326261333962313563313564383634663465356339373937333036393165396238666134656463 +32386264663362326365306231353437633134663231303164373830303930356165323462663261 +31343235316538323733633562303661393034353966343432653835353565306233313563303163 +64663433343961333231663464316163323830646633633130386432643363343565356438666139 +363430656261616130323637626364326636 diff --git a/ansible/sz-ds.yml b/ansible/sz-ds.yml index 2566f4c..354a069 100644 --- a/ansible/sz-ds.yml +++ b/ansible/sz-ds.yml @@ -4,9 +4,21 @@ - sz-test roles: - timezone - - lxc-machine tasks: + - name: lxc-machine + import_role: name=lxc-machine + tags: lxc-machine + - name: postgresql-server import_role: name=postgresql-server + tags: postgresql-server + + - name: java8 + tags: java8 + import_role: name=java8 + - name: sz-ds + tags: sz-ds import_role: name=sz-ds + +# TODO: postfix client |