pretix: new role

2021-11-01 22:49:09 +01:00 · 2021-11-01 22:49:09 +01:00 · 933fa6387e
parent 966e96f2f9
commit 933fa6387e
12 changed files with 369 additions and 69 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -127,6 +127,12 @@ nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
 nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
 nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de

+pretix_domain: pretix.rc3.binary-kitchen.de
+pretix_dbname: pretix
+pretix_dbuser: pretix
+pretix_dbpass: "{{ vault_pretix_dbpass }}"
+pretix_mail: rc3@binary-kitchen.de
+
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"

--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,70 +1,70 @@
 $ANSIBLE_VAULT;1.1;AES256
-39316232613634343830643461396530306634313466313837613964663431373865373035653433
-6265376565646564306666623636313130666437343230640a663762663137333466343732666635
-63666363393037316430393738636462313162346465316237666566613337306538366432326462
-6631323763636237350a613837366362386663356463333161643837666664353938633432623662
-33656566633435343964313966333063313432666531633962636533326262346166356237373261
-35323463323364643734356630366539346534323838653237383632363861633434306166306363
-37363362656337623966323933653266393835346136306337663030336266336261366465393465
-36336530633334356435616639623935313437663435366464663462393465336461313236633461
-63303436393361326163396636386137393261366266363066623633383734376435636666356663
-61663730623332356636643434393466356265383136656562633035616232613662353063643138
-64323665366438306339623064393661633939306136313235643465653635623363376239393965
-31623039373330333534396133363663316364316463653733393539633439653934613035626366
-39636164633061303665353732363038643435393430666438646633383638343839633336313338
-32316163663838323730356336636666336165643636313665363032303765653435633831356338
-36626666333432323031373131396466663233373266333635336566313837366137376536376138
-64333764366536343137613532616431643532653364343763343138633735303030393066383938
-36626633323634613538383762666239653865363033303338666638323839386461393037313562
-31643365303833363265353663383365336231636562626536663330623163633063623961346139
-39353432366235663033623930656463323032333034326562343139376439366230356261616233
-34363464376133623232666334663366333833326531313363393935356666323739353030613666
-36383861323664613833613034616264636538353762376661336431373735376563343137376230
-37383066373439336564353639633736373161346465323965323330616233386366633366356636
-39663361313865346634313764636137363265343466626437643434633266316137613233383138
-66313634303164643662386339396163313335373863656462323561666464636632616436346230
-35376536393235366134363234333638396134633635636132643031346461343266643137666365
-34666165623837343865313265653762363531646230333033373730623866343539663030306563
-38353761656162623561643038653461323361323362383335316562323036373564623632353061
-31363337316131323561633264353233666135393633623962346464653261653065316337333835
-38656233316532336336353331303131353033386233633862316561343563326636303539663866
-64373563666463616335393865623063653462626133643763366239623239663430616539336637
-64333866623733363930313562346231346238623132393862623130393637343265343835383133
-63643037333531666366323965333333643133663330666434316536306165396365623063356530
-62383638616630333163353833376239633839653565346531366539383339376464326437326337
-66363238336462336634613163303037646138323865613237656163386162353666616334323435
-33343133366138636538613939363434343930333265663861346366353863383830313231333938
-62323962333433303539646661363930393136616635343262383739623162616561393335313865
-36643536633466656635653836636161356365303239343036363335326232353931343138353263
-36396331643930663731656432353462613933623733343333343338323831343232393139323664
-34393634323437313162613465376563616636326639643061386362373365323637343262333238
-31383438663933373765646561666233636263373561656336313133616334373766356436303863
-36643730383330633561313131396635653330663837316662383762373932306164336637396530
-63666639366136646364333039373630643662613837356335653334383836373862636539336261
-33663462316666306662323161373161653664333566623437383865373862323836633436636238
-64376661363731306330326631663130366365373564313435633962353137343738363835336464
-61303963386130353230393733663937613336616161353438623531613662363930616433343535
-62633963623037343831353531306537613437663339383064376566366463363461336262633131
-38633031346666393235666464613066353537323134386163333965376638613534623764396635
-34633339663234386562663636626661383839306333616362316264366132343634363761633438
-61616432326465306366333962626164383238373161306533323737326532616166616636393735
-37303032653630666537643238613637626261386536306534643734623430376231633939376263
-35396235633538386632383166653865653535643663353431366361633661306561346137383930
-36626262346165396238626336616437636332386335306135396665333639363165383563616538
-38623330643661646162613734656630633337353638343666613939353063316434656530386262
-65393439333663323063356633616665666535386539323536366535356466353938663035326333
-61303265373136333536653732306231636263343831323532306132653465383732303931386161
-36393564313039336636613562363066373461336439343434333937343664373437386236633332
-33376136613837336365396339396463363665373865323265653438656537613566616531373536
-30313834396564323861386335383863353730663831373262653636373734323232343866303061
-62613534326261383263613535363364663739393836393963346562366339323338373237636661
-61393032366362373236626536663231343566313739386531656434386635336237396632663231
-36303135356539323665333037386237663730643737653962633161663834306538326532303566
-61316563373632643836613831613362613936633630623263363963373132356437303934333035
-35323039386231363265303738643638643864313037386632386539346465643539383533366131
-30313565613161663730626433383334623939323161393061353062333931643930353832626561
-32643134306533386139633837316134653239656334306662653061646331353865343864343730
-38623035376631646662626131333061306331336538636230626535393631343038323962346137
-39346561646361373735326565363936366263376330326334616231636232343862303564383237
-65363334663734313532393338363933646432396434613665316163373838613064663331373536
-3465
+34303237313431646264363034353637613836633432633638333963363037663435626166663630
+6338393164366434386334313664386166373031326538350a396639373163646666376462373662
+36623863356436356635303263643239666162333863613831326630303363346137653234323838
+3639623464303131350a653162336338626665393534623063623330323162373935353939303631
+64333363373563343336643764306563376461393430643631366133353836646363363166653233
+38323331386165366334656630626138383131323664333266353164323164373364303161653365
+30333339646139626434636365653666636534346266636262613938656665343634363563663366
+32306663653930613762663534613635616663613130613933626331663861643439323664353739
+31316531653562646363376233636464396262313132343234303933343066373862633235383333
+31313431336464663163343835646430323664373166363465343037333130343636646363393231
+34613162386637306539663431636137353039383037333937613035393332353933333134346335
+31616561636533383639366634316164343466613634643130353437393664336332316132363934
+61333961613530333536613034386332646136313939356339633334353333326661393231343261
+62653463316662376134663965383030636639356637393237653362616561616238653637623039
+65653139373633323766356362613239316165393966623932346561363363393138653032366439
+64303463306132363261333936653763353833386337303763316362666134306264306464306362
+30343364393539636565633861386261373661623061333733353635336133373162636465376137
+61316465306534623337383631663538336632383832343132333862316336323961623637383838
+65363832646138376233653264373535633437376162326361313863333839343236343966393839
+32323361666264373466396130666465303032393364633134343264643731323438646562333361
+63376266616430643135326430366266633332633333646134313736316139386232333965346331
+61663964653931333730643435303637666563316133373831336566303361383736666139626562
+38623031303533396632613361323533313334333631316434646232383136393433323466383330
+65666530616466623933393936613963663766653361643733326330643162346635613835633736
+64393064326233313035316130353563623639303665623064303831376332353264633930363364
+33623137353130353962323964396130646230393335386434346130663064613434643136656466
+63623666376165653961666539383335356163316131353966613036643530663835313766366533
+31656633633331636535316234653561326465623562393632623062383935336530383133626236
+66323366306366623631373861346635303063376264613734643039363137613837333534616362
+37633462373538313562666639613031343866383234633438373936623437333666343731633735
+33386666313531613734643431333332346439386465303531306365386537613933623636643237
+35653434303433633533356662623965383133383838613361303832326130343938393561393935
+38313533643830633432303464306561643233303866316130616531623230393366323264626165
+33653230366138376533376166393466656233353061343338393433386332333361353063323634
+66366561646466616566336265363037616433616231353739613538633765343235323637303535
+34373739306130313536633338353130656632666536356535636265333335303730333031323436
+39633466353139663361646265656334633461346564616633643030383662353762643237333761
+31326435313361366163353836633535303462623533373363376433613139373135393566333937
+64313838373366383432376430643236633030623736643435363038616261333364366139666435
+66623661643032633931623539383136373138636333323737323165333831333764363137393562
+62663335353265353535643666356632663736343039333965653639653764646261323736313430
+39656366356130326363363133383062333530316165643430383161306135346663623861313030
+65346430353230363561633239623330623265666336616133326263323063333132323764343735
+63346230373339343062393035356565376265643463326366326535313130663163366435323339
+62363339313332663333653336633331343161363432393639316630633365643037653739613132
+63316662336630626366363662333061353539333133653732646330643065333430316333316131
+33363662653465306531666435363932663432373932353466383364383634643634313736303931
+63353632353836663263616137353031643238663632363563656137313961656534663137613061
+37636530306334613639326363383665373061383634326630653366386632636634653638653330
+32366438623635363833343566353365373762646162393637326433656438663066663766333761
+65363136666238623439663764363266363731613261326566653035303265623736353331376562
+36646435353134613363316236383938613032626562646237366337376433326334386330646266
+66333365323133616466646164353262653830313764376562636164326163623463373863373630
+31623264373330386136396130626133323762363262336337396562613166646132386362383635
+61333637373462316463303962396162383039373265303939306132323533393236343965613835
+32646361383938383337653264323766363130613264613463386432306238316531653437323939
+39353866313834393933623630303539633334663239343865313264616664656464646631623934
+33623230643633353361343965396236393939343765653161643530626133663236383135343934
+37353231626339323866613237663463656239326335643035313730363133616538613866386162
+65623335393462633130353965343533616261636261656162626639323231623934663765386166
+37353665643363386662646538306530326161653461393236616531343935393639386432633437
+63643561646337616138633063646261323937333262333535626235373561336339346661353365
+30396365376566616538353866383266666436636131656535363062633237313266366639373536
+64316435316234313365306332383637636263376563393464303566313566636238626434393364
+62316263353733636136393034616362643764346536373533363937633938383037376261656330
+30333738616232616566643335353161636466643830393464643263653633373662623437643332
+61396430636631396134393064633131636233653664373363386638366138343435613438303330
+61366234663461333331623961393834643233623862323861346163343934303838666232626639
+6139
--- a/roles/pretix/defaults/main.yml
+++ b/roles/pretix/defaults/main.yml
@ -0,0 +1,4 @@
+---
+
+pretix_user: pretix
+pretix_group: pretix
--- a/roles/pretix/handlers/main.yml
+++ b/roles/pretix/handlers/main.yml
@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart pretix-web
+  service: name=pretix-web state=restarted
+
+- name: Restart pretix-worker
+  service: name=pretix-worker state=restarted
--- a/roles/pretix/meta/main.yml
+++ b/roles/pretix/meta/main.yml
@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
--- a/roles/pretix/tasks/main.yml
+++ b/roles/pretix/tasks/main.yml
@ -0,0 +1,127 @@
+---
+
+- name: Create group
+  group: name={{ pretix_group }}
+
+- name: Create user
+  user: name={{ pretix_user }} home=/home/{{ pretix_user }} group={{ pretix_group }}
+
+- name: Create pretix directories
+  file: path={{ item }} state=directory owner={{ pretix_user }} group={{ pretix_group }}
+  with_items:
+  - /etc/pretix
+  - /opt/pretix
+  - /opt/pretix/data
+  - /opt/pretix/data/media
+
+- name: Install dependencies
+  apt:
+    name:
+    - build-essential
+    - gettext
+    - libffi-dev
+    - libpq-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - nodejs
+    - python3-setuptools
+    - python3-dev
+    - python3-pip
+    - python3-venv
+    - zlib1g-dev
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure PostgreSQL database
+  postgresql_db: name={{ pretix_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user: db={{ pretix_dbname }} name={{ pretix_dbuser }} password={{ pretix_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Install redis
+  apt: name=redis-server
+
+- name: Install pretix
+  pip:
+    name:
+    - gunicorn
+    - pretix
+    virtualenv: /opt/pretix/venv
+    virtualenv_command: "python3 -m venv"
+  become: true
+  become_user: "{{ pretix_user }}"
+  register: pretix_install
+
+- name: Configure pretix
+  template:
+    src: pretix.cfg.j2
+    dest: /etc/pretix/pretix.cfg
+    owner: "{{ pretix_user }}"
+    group: "{{ pretix_group }}"
+  notify:
+  - Restart pretix-web
+  - Restart pretix-worker
+
+- name: Run migration script
+  command:
+    cmd: "./venv/bin/python3 -m pretix migrate"
+    chdir: "/opt/pretix"
+  become: true
+  become_user: "{{ pretix_user }}"
+  when: pretix_install.changed
+
+- name: Run rebuild script
+  command:
+    cmd: "./venv/bin/python3 -m pretix rebuild"
+    chdir: "/opt/pretix"
+  become: true
+  become_user: "{{ pretix_user }}"
+  when: pretix_install.changed
+
+- name: Enable pretix cronjob
+  cron:
+    user: "{{ pretix_user }}"
+    name: pretix
+    minute: "*/5"
+    job: "export PATH=/opt/pretix/venv/bin:$PATH && cd /opt/pretix && python -m pretix runperiodic"
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretix_domain }}.key -out /etc/nginx/ssl/{{ pretix_domain }}.crt -days 730 -subj "/CN={{ pretix_domain }}" creates=/etc/nginx/ssl/{{ pretix_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for pretix
+  template: src=certs.j2 dest=/etc/acertmgr/{{ pretix_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/pretix
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/pretix dest=/etc/nginx/sites-enabled/pretix state=link
+  notify: Restart nginx
+
+- name: Install systemd units
+  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+  with_items:
+  - pretix-web
+  - pretix-worker
+  notify:
+  - Reload systemd
+  - Restart pretix-web
+  - Restart pretix-worker
+
+- name: Enable services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - pretix-web
+  - pretix-worker
--- a/roles/pretix/templates/certs.j2
+++ b/roles/pretix/templates/certs.j2
@ -0,0 +1,15 @@
+---
+
+{{ pretix_domain }}:
+- path: /etc/nginx/ssl/{{ pretix_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ pretix_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
--- a/roles/pretix/templates/pretix-web.service.j2
+++ b/roles/pretix/templates/pretix-web.service.j2
@ -0,0 +1,18 @@
+[Unit]
+Description=pretix web service
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/gunicorn pretix.wsgi \
+                      --name pretix --workers 5 \
+                      --max-requests 1200  --max-requests-jitter 50 \
+                      --log-level=info --bind=127.0.0.1:8345
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/pretix/templates/pretix-worker.service.j2
+++ b/roles/pretix/templates/pretix-worker.service.j2
@ -0,0 +1,15 @@
+[Unit]
+Description=pretix background worker
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/celery -A pretix.celery_app worker -l info
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/pretix/templates/pretix.cfg.j2
+++ b/roles/pretix/templates/pretix.cfg.j2
@ -0,0 +1,34 @@
+[pretix]
+instance_name=Binary Kitchen RC3 Pretix
+url=https://pretix.rc3.binary-kitchen.de
+currency=EUR
+datadir=/opt/pretix/data
+trust_x_forwarded_for=on
+trust_x_forwarded_proto=on
+
+[database]
+; For MySQL, replace with "mysql"
+backend=postgresql
+name={{ pretix_dbname }}
+user={{ pretix_dbuser }}
+; For MySQL, enter the user password. For PostgreSQL on the same host,
+; we don't need one because we can use peer authentification if our
+; PostgreSQL user matches our unix user.
+password={{ pretix_dbpass }}
+; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+; For a remote host, supply an IP address
+; For local postgres authentication, you can leave it empty
+host=
+
+[mail]
+; See config file documentation for more options
+from={{ pretix_mail }}
+host={{ mail_server }}
+
+[redis]
+location=redis://127.0.0.1/0
+sessions=true
+
+[celery]
+backend=redis://127.0.0.1/1
+broker=redis://127.0.0.1/2
--- a/roles/pretix/templates/vhost.j2
+++ b/roles/pretix/templates/vhost.j2
@ -0,0 +1,58 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ pretix_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ pretix_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ pretix_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ pretix_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ pretix_domain }}.crt;
+
+	add_header Referrer-Policy same-origin;
+	add_header X-Content-Type-Options nosniff;
+
+	location / {
+		proxy_pass http://localhost:8345;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_set_header Host $http_host;
+	}
+
+	location /media/ {
+		alias /var/pretix/data/media/;
+		expires 7d;
+		access_log off;
+	}
+
+	location ^~ /media/cachedfiles {
+		deny all;
+		return 404;
+	}
+
+	location ^~ /media/invoices {
+		deny all;
+		return 404;
+	}
+
+	location /static/ {
+		alias /opt/pretix/venv/lib/python3.9/site-packages/pretix/static.dist/;
+		access_log off;
+		expires 365d;
+		add_header Cache-Control "public";
+	}
+}
--- a/site.yml
+++ b/site.yml
@ -116,6 +116,11 @@
  roles:
  - web_mc

+- name: Setup RC3 pretix server
+  hosts: rhodium.binary-kitchen.net
+  roles:
+  - pretix
+
 - name: Setup WorkAdventure host
  hosts: barium.binary-kitchen.net
  roles: