From 933fa6387e18cacbc6ef9fc6542dc11aaa1545fd Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Mon, 1 Nov 2021 22:49:09 +0100 Subject: [PATCH] pretix: new role --- group_vars/all/vars.yml | 6 + group_vars/all/vault.yml | 138 +++++++++--------- roles/pretix/defaults/main.yml | 4 + roles/pretix/handlers/main.yml | 13 ++ roles/pretix/meta/main.yml | 5 + roles/pretix/tasks/main.yml | 127 ++++++++++++++++ roles/pretix/templates/certs.j2 | 15 ++ roles/pretix/templates/pretix-web.service.j2 | 18 +++ .../pretix/templates/pretix-worker.service.j2 | 15 ++ roles/pretix/templates/pretix.cfg.j2 | 34 +++++ roles/pretix/templates/vhost.j2 | 58 ++++++++ site.yml | 5 + 12 files changed, 369 insertions(+), 69 deletions(-) create mode 100644 roles/pretix/defaults/main.yml create mode 100644 roles/pretix/handlers/main.yml create mode 100644 roles/pretix/meta/main.yml create mode 100644 roles/pretix/tasks/main.yml create mode 100644 roles/pretix/templates/certs.j2 create mode 100644 roles/pretix/templates/pretix-web.service.j2 create mode 100644 roles/pretix/templates/pretix-worker.service.j2 create mode 100644 roles/pretix/templates/pretix.cfg.j2 create mode 100644 roles/pretix/templates/vhost.j2 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 2e98b81..0aac530 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -127,6 +127,12 @@ nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de +pretix_domain: pretix.rc3.binary-kitchen.de +pretix_dbname: pretix +pretix_dbuser: pretix +pretix_dbpass: "{{ vault_pretix_dbpass }}" +pretix_mail: rc3@binary-kitchen.de + prometheus_pve_user: prometheus@pve prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 97607c3..f3e9bc7 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,70 +1,70 @@ $ANSIBLE_VAULT;1.1;AES256 -39316232613634343830643461396530306634313466313837613964663431373865373035653433 -6265376565646564306666623636313130666437343230640a663762663137333466343732666635 -63666363393037316430393738636462313162346465316237666566613337306538366432326462 -6631323763636237350a613837366362386663356463333161643837666664353938633432623662 -33656566633435343964313966333063313432666531633962636533326262346166356237373261 -35323463323364643734356630366539346534323838653237383632363861633434306166306363 -37363362656337623966323933653266393835346136306337663030336266336261366465393465 -36336530633334356435616639623935313437663435366464663462393465336461313236633461 -63303436393361326163396636386137393261366266363066623633383734376435636666356663 -61663730623332356636643434393466356265383136656562633035616232613662353063643138 -64323665366438306339623064393661633939306136313235643465653635623363376239393965 -31623039373330333534396133363663316364316463653733393539633439653934613035626366 -39636164633061303665353732363038643435393430666438646633383638343839633336313338 -32316163663838323730356336636666336165643636313665363032303765653435633831356338 -36626666333432323031373131396466663233373266333635336566313837366137376536376138 -64333764366536343137613532616431643532653364343763343138633735303030393066383938 -36626633323634613538383762666239653865363033303338666638323839386461393037313562 -31643365303833363265353663383365336231636562626536663330623163633063623961346139 -39353432366235663033623930656463323032333034326562343139376439366230356261616233 -34363464376133623232666334663366333833326531313363393935356666323739353030613666 -36383861323664613833613034616264636538353762376661336431373735376563343137376230 -37383066373439336564353639633736373161346465323965323330616233386366633366356636 -39663361313865346634313764636137363265343466626437643434633266316137613233383138 
-66313634303164643662386339396163313335373863656462323561666464636632616436346230 -35376536393235366134363234333638396134633635636132643031346461343266643137666365 -34666165623837343865313265653762363531646230333033373730623866343539663030306563 -38353761656162623561643038653461323361323362383335316562323036373564623632353061 -31363337316131323561633264353233666135393633623962346464653261653065316337333835 -38656233316532336336353331303131353033386233633862316561343563326636303539663866 -64373563666463616335393865623063653462626133643763366239623239663430616539336637 -64333866623733363930313562346231346238623132393862623130393637343265343835383133 -63643037333531666366323965333333643133663330666434316536306165396365623063356530 -62383638616630333163353833376239633839653565346531366539383339376464326437326337 -66363238336462336634613163303037646138323865613237656163386162353666616334323435 -33343133366138636538613939363434343930333265663861346366353863383830313231333938 -62323962333433303539646661363930393136616635343262383739623162616561393335313865 -36643536633466656635653836636161356365303239343036363335326232353931343138353263 -36396331643930663731656432353462613933623733343333343338323831343232393139323664 -34393634323437313162613465376563616636326639643061386362373365323637343262333238 -31383438663933373765646561666233636263373561656336313133616334373766356436303863 -36643730383330633561313131396635653330663837316662383762373932306164336637396530 -63666639366136646364333039373630643662613837356335653334383836373862636539336261 -33663462316666306662323161373161653664333566623437383865373862323836633436636238 -64376661363731306330326631663130366365373564313435633962353137343738363835336464 -61303963386130353230393733663937613336616161353438623531613662363930616433343535 -62633963623037343831353531306537613437663339383064376566366463363461336262633131 -38633031346666393235666464613066353537323134386163333965376638613534623764396635 
-34633339663234386562663636626661383839306333616362316264366132343634363761633438 -61616432326465306366333962626164383238373161306533323737326532616166616636393735 -37303032653630666537643238613637626261386536306534643734623430376231633939376263 -35396235633538386632383166653865653535643663353431366361633661306561346137383930 -36626262346165396238626336616437636332386335306135396665333639363165383563616538 -38623330643661646162613734656630633337353638343666613939353063316434656530386262 -65393439333663323063356633616665666535386539323536366535356466353938663035326333 -61303265373136333536653732306231636263343831323532306132653465383732303931386161 -36393564313039336636613562363066373461336439343434333937343664373437386236633332 -33376136613837336365396339396463363665373865323265653438656537613566616531373536 -30313834396564323861386335383863353730663831373262653636373734323232343866303061 -62613534326261383263613535363364663739393836393963346562366339323338373237636661 -61393032366362373236626536663231343566313739386531656434386635336237396632663231 -36303135356539323665333037386237663730643737653962633161663834306538326532303566 -61316563373632643836613831613362613936633630623263363963373132356437303934333035 -35323039386231363265303738643638643864313037386632386539346465643539383533366131 -30313565613161663730626433383334623939323161393061353062333931643930353832626561 -32643134306533386139633837316134653239656334306662653061646331353865343864343730 -38623035376631646662626131333061306331336538636230626535393631343038323962346137 -39346561646361373735326565363936366263376330326334616231636232343862303564383237 -65363334663734313532393338363933646432396434613665316163373838613064663331373536 -3465 +34303237313431646264363034353637613836633432633638333963363037663435626166663630 +6338393164366434386334313664386166373031326538350a396639373163646666376462373662 +36623863356436356635303263643239666162333863613831326630303363346137653234323838 
+3639623464303131350a653162336338626665393534623063623330323162373935353939303631 +64333363373563343336643764306563376461393430643631366133353836646363363166653233 +38323331386165366334656630626138383131323664333266353164323164373364303161653365 +30333339646139626434636365653666636534346266636262613938656665343634363563663366 +32306663653930613762663534613635616663613130613933626331663861643439323664353739 +31316531653562646363376233636464396262313132343234303933343066373862633235383333 +31313431336464663163343835646430323664373166363465343037333130343636646363393231 +34613162386637306539663431636137353039383037333937613035393332353933333134346335 +31616561636533383639366634316164343466613634643130353437393664336332316132363934 +61333961613530333536613034386332646136313939356339633334353333326661393231343261 +62653463316662376134663965383030636639356637393237653362616561616238653637623039 +65653139373633323766356362613239316165393966623932346561363363393138653032366439 +64303463306132363261333936653763353833386337303763316362666134306264306464306362 +30343364393539636565633861386261373661623061333733353635336133373162636465376137 +61316465306534623337383631663538336632383832343132333862316336323961623637383838 +65363832646138376233653264373535633437376162326361313863333839343236343966393839 +32323361666264373466396130666465303032393364633134343264643731323438646562333361 +63376266616430643135326430366266633332633333646134313736316139386232333965346331 +61663964653931333730643435303637666563316133373831336566303361383736666139626562 +38623031303533396632613361323533313334333631316434646232383136393433323466383330 +65666530616466623933393936613963663766653361643733326330643162346635613835633736 +64393064326233313035316130353563623639303665623064303831376332353264633930363364 +33623137353130353962323964396130646230393335386434346130663064613434643136656466 +63623666376165653961666539383335356163316131353966613036643530663835313766366533 
+31656633633331636535316234653561326465623562393632623062383935336530383133626236 +66323366306366623631373861346635303063376264613734643039363137613837333534616362 +37633462373538313562666639613031343866383234633438373936623437333666343731633735 +33386666313531613734643431333332346439386465303531306365386537613933623636643237 +35653434303433633533356662623965383133383838613361303832326130343938393561393935 +38313533643830633432303464306561643233303866316130616531623230393366323264626165 +33653230366138376533376166393466656233353061343338393433386332333361353063323634 +66366561646466616566336265363037616433616231353739613538633765343235323637303535 +34373739306130313536633338353130656632666536356535636265333335303730333031323436 +39633466353139663361646265656334633461346564616633643030383662353762643237333761 +31326435313361366163353836633535303462623533373363376433613139373135393566333937 +64313838373366383432376430643236633030623736643435363038616261333364366139666435 +66623661643032633931623539383136373138636333323737323165333831333764363137393562 +62663335353265353535643666356632663736343039333965653639653764646261323736313430 +39656366356130326363363133383062333530316165643430383161306135346663623861313030 +65346430353230363561633239623330623265666336616133326263323063333132323764343735 +63346230373339343062393035356565376265643463326366326535313130663163366435323339 +62363339313332663333653336633331343161363432393639316630633365643037653739613132 +63316662336630626366363662333061353539333133653732646330643065333430316333316131 +33363662653465306531666435363932663432373932353466383364383634643634313736303931 +63353632353836663263616137353031643238663632363563656137313961656534663137613061 +37636530306334613639326363383665373061383634326630653366386632636634653638653330 +32366438623635363833343566353365373762646162393637326433656438663066663766333761 +65363136666238623439663764363266363731613261326566653035303265623736353331376562 
+36646435353134613363316236383938613032626562646237366337376433326334386330646266 +66333365323133616466646164353262653830313764376562636164326163623463373863373630 +31623264373330386136396130626133323762363262336337396562613166646132386362383635 +61333637373462316463303962396162383039373265303939306132323533393236343965613835 +32646361383938383337653264323766363130613264613463386432306238316531653437323939 +39353866313834393933623630303539633334663239343865313264616664656464646631623934 +33623230643633353361343965396236393939343765653161643530626133663236383135343934 +37353231626339323866613237663463656239326335643035313730363133616538613866386162 +65623335393462633130353965343533616261636261656162626639323231623934663765386166 +37353665643363386662646538306530326161653461393236616531343935393639386432633437 +63643561646337616138633063646261323937333262333535626235373561336339346661353365 +30396365376566616538353866383266666436636131656535363062633237313266366639373536 +64316435316234313365306332383637636263376563393464303566313566636238626434393364 +62316263353733636136393034616362643764346536373533363937633938383037376261656330 +30333738616232616566643335353161636466643830393464643263653633373662623437643332 +61396430636631396134393064633131636233653664373363386638366138343435613438303330 +61366234663461333331623961393834643233623862323861346163343934303838666232626639 +6139 diff --git a/roles/pretix/defaults/main.yml b/roles/pretix/defaults/main.yml new file mode 100644 index 0000000..1c344b3 --- /dev/null +++ b/roles/pretix/defaults/main.yml @@ -0,0 +1,4 @@ +--- + +pretix_user: pretix +pretix_group: pretix diff --git a/roles/pretix/handlers/main.yml b/roles/pretix/handlers/main.yml new file mode 100644 index 0000000..a709c72 --- /dev/null +++ b/roles/pretix/handlers/main.yml 
@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+ command: /usr/bin/acertmgr
+
+- name: Reload systemd
+ systemd: daemon_reload=yes
+
+- name: Restart pretix-web
+ service: name=pretix-web state=restarted
+
+- name: Restart pretix-worker
+ service: name=pretix-worker state=restarted
diff --git a/roles/pretix/meta/main.yml b/roles/pretix/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/pretix/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/pretix/tasks/main.yml b/roles/pretix/tasks/main.yml
new file mode 100644
index 0000000..68d9dbd
--- /dev/null
+++ b/roles/pretix/tasks/main.yml
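Review bot: The handlers use the free-form `key=value` argument style (`systemd: daemon_reload=yes`, `service: name=pretix-web state=restarted`) while the larger modules in the tasks hunk use block YAML, so the role mixes both; the Ansible convention is block YAML with real booleans, e.g. `systemd:` / `  daemon_reload: true`. The tasks hunk notifies `Restart nginx`, which is not defined in this file — presumably it comes from the `nginx` role pulled in by meta/main.yml in the next hunk, and a comment saying so (`# "Restart nginx" is provided by the nginx role dependency`) would save the next reader a search.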
@@ -0,0 +1,127 @@
+---
+
+- name: Create group
+ group: name={{ pretix_group }}
+
+- name: Create user
+ user: name={{ pretix_user }} home=/home/{{ pretix_user }} group={{ pretix_group }}
+
+- name: Create pretix directories
+ file: path={{ item }} state=directory owner={{ pretix_user }} group={{ pretix_group }}
+ with_items:
+ - /etc/pretix
+ - /opt/pretix
+ - /opt/pretix/data
+ - /opt/pretix/data/media
+
+- name: Install dependencies
+ apt:
+ name:
+ - build-essential
+ - gettext
+ - libffi-dev
+ - libpq-dev
+ - libssl-dev
+ - libxml2-dev
+ - libxslt1-dev
+ - nodejs
+ - python3-setuptools
+ - python3-dev
+ - python3-pip
+ - python3-venv
+ - zlib1g-dev
+
+- name: Install PostgreSQL
+ apt:
+ name:
+ - postgresql
+ - python3-psycopg2
+
+- name: Configure PostgreSQL database
+ postgresql_db: name={{ pretix_dbname }}
+ become: true
+ become_user: postgres
+
+- name: Configure PostgreSQL user
+ postgresql_user: db={{ pretix_dbname }} name={{ pretix_dbuser }} password={{ pretix_dbpass }} priv=ALL state=present
+ become: true
+ become_user: postgres
+
+- name: Install redis
+ apt: name=redis-server
+
+- name: Install pretix
+ pip:
+ name:
+ - gunicorn
+ - pretix
+ virtualenv: /opt/pretix/venv
+ virtualenv_command: "python3 -m venv"
+ become: true
+ become_user: "{{ pretix_user }}"
+ register: pretix_install
+
+- name: Configure pretix
+ template:
+ src: pretix.cfg.j2
+ dest: /etc/pretix/pretix.cfg
+ owner: "{{ pretix_user }}"
+ group: "{{ pretix_group }}"
+ notify:
+ - Restart pretix-web
+ - Restart pretix-worker
+
+- name: Run migration script
+ command:
+ cmd: "./venv/bin/python3 -m pretix migrate"
+ chdir: "/opt/pretix"
+ become: true
+ become_user: "{{ pretix_user }}"
+ when: pretix_install.changed
+
+- name: Run rebuild script
+ command:
+ cmd: "./venv/bin/python3 -m pretix rebuild"
+ chdir: "/opt/pretix"
+ become: true
+ become_user: "{{ pretix_user }}"
+ when: pretix_install.changed
+
+- name: Enable pretix cronjob
+ cron:
+ user: "{{ pretix_user }}"
+ name: pretix
+ minute: "*/5"
+ job: "export PATH=/opt/pretix/venv/bin:$PATH && cd /opt/pretix && python -m pretix runperiodic"
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretix_domain }}.key -out /etc/nginx/ssl/{{ pretix_domain }}.crt -days 730 -subj "/CN={{ pretix_domain }}" creates=/etc/nginx/ssl/{{ pretix_domain }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager for pretix
+ template: src=certs.j2 dest=/etc/acertmgr/{{ pretix_domain }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhost
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/pretix
+ notify: Restart nginx
+
+- name: Enable vhost
+ file: src=/etc/nginx/sites-available/pretix dest=/etc/nginx/sites-enabled/pretix state=link
+ notify: Restart nginx
+
+- name: Install systemd units
+ template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+ with_items:
+ - pretix-web
+ - pretix-worker
+ notify:
+ - Reload systemd
+ - Restart pretix-web
+ - Restart pretix-worker
+
+- name: Enable services
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - pretix-web
+ - pretix-worker
diff --git a/roles/pretix/templates/certs.j2 b/roles/pretix/templates/certs.j2
new file mode 100644
index 0000000..749c7e1
--- /dev/null
+++ b/roles/pretix/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ pretix_domain }}:
+- path: /etc/nginx/ssl/{{ pretix_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ pretix_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/pretix/templates/pretix-web.service.j2 b/roles/pretix/templates/pretix-web.service.j2
new file mode 100644
index 0000000..93da7d1
--- /dev/null
+++ b/roles/pretix/templates/pretix-web.service.j2
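Review bot: `Configure pretix` renders `/etc/pretix/pretix.cfg`, which carries the database password from `pretix_dbpass`, but sets only `owner`/`group` and no `mode`, so the file keeps whatever the template module's umask-derived default gives it (typically 0644) and is readable by every local account; add `mode: "0640"` to that task. `Configure PostgreSQL user` passes the vault password through the free-form `password={{ pretix_dbpass }}` string, which breaks on a password containing whitespace or `=` and, without `no_log: true`, relies solely on the module's own masking to keep it out of play output; move the arguments to block form and add `no_log: true`. `Install systemd units` writes to `/lib/systemd/system`, the distribution-owned location; locally managed units belong in `/etc/systemd/system`. `with_items` is the legacy form; `loop` is the current one.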
@@ -0,0 +1,18 @@
+[Unit]
+Description=pretix web service
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/gunicorn pretix.wsgi \
+ --name pretix --workers 5 \
+ --max-requests 1200 --max-requests-jitter 50 \
+ --log-level=info --bind=127.0.0.1:8345
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pretix/templates/pretix-worker.service.j2 b/roles/pretix/templates/pretix-worker.service.j2
new file mode 100644
index 0000000..258d7e6
--- /dev/null
+++ b/roles/pretix/templates/pretix-worker.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=pretix background worker
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/celery -A pretix.celery_app worker -l info
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pretix/templates/pretix.cfg.j2 b/roles/pretix/templates/pretix.cfg.j2
new file mode 100644
index 0000000..1161a6b
--- /dev/null
+++ b/roles/pretix/templates/pretix.cfg.j2
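Review bot: The unit orders itself only `After=network.target`, yet pretix-web talks to PostgreSQL and Redis (installed by the tasks hunk as `postgresql` and `redis-server`), so at boot gunicorn can start before the database or broker is listening and only recovers through `Restart=on-failure` loops; `After=network.target postgresql.service redis-server.service` plus a matching `Wants=` line expresses the dependency directly. The unit drops to the unprivileged `{{ pretix_user }}` but applies no sandboxing; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are low-risk additions for a service whose writable state lives under /opt/pretix. The same two points apply to pretix-worker.service.j2 in the next hunk.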
@@ -0,0 +1,34 @@
+[pretix]
+instance_name=Binary Kitchen RC3 Pretix
+url=https://pretix.rc3.binary-kitchen.de
+currency=EUR
+datadir=/opt/pretix/data
+trust_x_forwarded_for=on
+trust_x_forwarded_proto=on
+
+[database]
+; For MySQL, replace with "mysql"
+backend=postgresql
+name={{ pretix_dbname }}
+user={{ pretix_dbuser }}
+; For MySQL, enter the user password. For PostgreSQL on the same host,
+; we don't need one because we can use peer authentification if our
+; PostgreSQL user matches our unix user.
+password={{ pretix_dbpass }}
+; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+; For a remote host, supply an IP address
+; For local postgres authentication, you can leave it empty
+host=
+
+[mail]
+; See config file documentation for more options
+from={{ pretix_mail }}
+host={{ mail_server }}
+
+[redis]
+location=redis://127.0.0.1/0
+sessions=true
+
+[celery]
+backend=redis://127.0.0.1/1
+broker=redis://127.0.0.1/2
diff --git a/roles/pretix/templates/vhost.j2 b/roles/pretix/templates/vhost.j2
new file mode 100644
index 0000000..768ca56
--- /dev/null
+++ b/roles/pretix/templates/vhost.j2
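Review bot: `url=https://pretix.rc3.binary-kitchen.de` hardcodes the hostname even though `pretix_domain` holds the same value and the role's other templates (vhost.j2, certs.j2) read it; changing the domain in vars.yml would leave the absolute URLs pretix generates pointing at the old host, so use `url=https://{{ pretix_domain }}`. `trust_x_forwarded_for=on` and `trust_x_forwarded_proto=on` are correct only while gunicorn binds loopback (`--bind=127.0.0.1:8345` in pretix-web.service.j2) and the nginx vhost is the sole ingress; a comment stating that precondition next to those two lines, e.g. `; only safe because gunicorn listens on 127.0.0.1 behind the nginx vhost`, keeps a later change from silently breaking it.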
@@ -0,0 +1,58 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ pretix_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ pretix_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ pretix_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ pretix_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ pretix_domain }}.crt;
+
+ add_header Referrer-Policy same-origin;
+ add_header X-Content-Type-Options nosniff;
+
+ location / {
+ proxy_pass http://localhost:8345;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ }
+
+ location /media/ {
+ alias /var/pretix/data/media/;
+ expires 7d;
+ access_log off;
+ }
+
+ location ^~ /media/cachedfiles {
+ deny all;
+ return 404;
+ }
+
+ location ^~ /media/invoices {
+ deny all;
+ return 404;
+ }
+
+ location /static/ {
+ alias /opt/pretix/venv/lib/python3.9/site-packages/pretix/static.dist/;
+ access_log off;
+ expires 365d;
+ add_header Cache-Control "public";
+ }
+}
diff --git a/site.yml b/site.yml
index dc9d83f..95da451 100644
--- a/site.yml
+++ b/site.yml
@@ -116,6 +116,11 @@ roles: - web_mc +- name: Setup RC3 pretix server + hosts: rhodium.binary-kitchen.net + roles: + - pretix + +- name: Setup WorkAdventure host + hosts: barium.binary-kitchen.net + roles:
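Review bot: `location /media/` aliases `/var/pretix/data/media/`, a path the role never creates; pretix.cfg.j2 sets `datadir=/opt/pretix/data` and the tasks hunk creates `/opt/pretix/data/media`, so uploaded media would be served from the wrong tree — `alias /opt/pretix/data/media/;`. The `add_header Cache-Control "public";` inside `location /static/` stops nginx from inheriting the server-level `Referrer-Policy` and `X-Content-Type-Options` headers for that location (add_header is inherited only when the current level defines none), so the two headers need repeating there. `proxy_pass http://localhost:8345;` depends on `localhost` resolving to 127.0.0.1 while gunicorn binds only that address; `proxy_pass http://127.0.0.1:8345;` removes the IPv6 ambiguity. The `/static/` alias hardcodes `python3.9`, which breaks silently on a host with a different interpreter version.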