From bc270519b0ee798ae3699b3ece96014c1f69e682 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 20 Mar 2017 16:54:01 +0100
Subject: [PATCH] Begin work on directory-self-service role.
---
.../files/systemd/system/uwsgi-app@.service | 15 +++++++
.../files/systemd/system/uwsgi-app@.socket | 11 +++++
roles/dss/files/uwsgi/apps-available/dss.ini | 6 +++
roles/dss/handlers/main.yml | 4 ++
roles/dss/meta/main.yml | 5 +++
roles/dss/tasks/main.yml | 41 +++++++++++++++++++
roles/dss/templates/certs.j2 | 15 +++++++
roles/dss/templates/vhost.j2 | 34 +++++++++++++++
8 files changed, 131 insertions(+)
create mode 100644 roles/dss/files/systemd/system/uwsgi-app@.service
create mode 100644 roles/dss/files/systemd/system/uwsgi-app@.socket
create mode 100644 roles/dss/files/uwsgi/apps-available/dss.ini
create mode 100644 roles/dss/handlers/main.yml
create mode 100644 roles/dss/meta/main.yml
create mode 100644 roles/dss/tasks/main.yml
create mode 100644 roles/dss/templates/certs.j2
create mode 100644 roles/dss/templates/vhost.j2
diff --git a/roles/dss/files/systemd/system/uwsgi-app@.service b/roles/dss/files/systemd/system/uwsgi-app@.service
new file mode 100644
index 0000000..2535df3
--- /dev/null
+++ b/roles/dss/files/systemd/system/uwsgi-app@.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=%i uWSGI app
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi \
+ --ini /etc/uwsgi/apps-available/%i.ini \
+ --socket /var/run/uwsgi/%i.socket
+User=www-data
+Group=www-data
+Restart=on-failure
+KillSignal=SIGQUIT
+Type=notify
+StandardError=syslog
+NotifyAccess=all
diff --git a/roles/dss/files/systemd/system/uwsgi-app@.socket b/roles/dss/files/systemd/system/uwsgi-app@.socket
new file mode 100644
index 0000000..65aff27
--- /dev/null
+++ b/roles/dss/files/systemd/system/uwsgi-app@.socket
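Review bot: The unit has no `[Install]` section, so the `enabled=yes` in the (still commented-out) `Start uwsgi` task in roles/dss/tasks/main.yml cannot enable `uwsgi-app@dss.service`; only the `.socket` unit in this commit is installable. The unit also declares no relationship to its socket, runs the app as `www-data` with no sandboxing directives, and `After=syslog.target` / `StandardError=syslog` are legacy names that the journal has superseded. I would declare the socket dependency, add the usual hardening directives and an `[Install]` section as below. Whether uwsgi should still be passed `--socket` alongside a systemd-activated socket at the same path is worth confirming against the uwsgi documentation.
```ini
[Unit]
Description=%i uWSGI app
Requires=uwsgi-app@%i.socket
After=network.target uwsgi-app@%i.socket

[Service]
; … unchanged: ExecStart, User, Group, Restart, KillSignal, Type, NotifyAccess …
StandardError=journal
PrivateTmp=true
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
```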
@@ -0,0 +1,11 @@
+[Unit]
+Description=Socket for uWSGI app %i
+
+[Socket]
+ListenStream=/var/run/uwsgi/%i.socket
+SocketUser=www-data
+SocketGroup=www-data
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/dss/files/uwsgi/apps-available/dss.ini b/roles/dss/files/uwsgi/apps-available/dss.ini
new file mode 100644
index 0000000..91068ef
--- /dev/null
+++ b/roles/dss/files/uwsgi/apps-available/dss.ini
@@ -0,0 +1,6 @@
+[uwsgi]
+chdir = /var/www/dss
+wsgi-file = index.py
+callable = app
+processes = 4
+threads = 2
diff --git a/roles/dss/handlers/main.yml b/roles/dss/handlers/main.yml
new file mode 100644
index 0000000..44975c4
--- /dev/null
+++ b/roles/dss/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
diff --git a/roles/dss/meta/main.yml b/roles/dss/meta/main.yml
new file mode 100644
index 0000000..8d2c010
--- /dev/null
+++ b/roles/dss/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/dss/tasks/main.yml b/roles/dss/tasks/main.yml
new file mode 100644
index 0000000..d236c07
--- /dev/null
+++ b/roles/dss/tasks/main.yml
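Review bot: `dss.ini` never enables a master process, so the four workers declared by `processes = 4` are neither supervised nor respawned when they die, and graceful reload is unavailable; add `master = true`. The service unit uses `Type=notify`, and as far as I recall uwsgi sends its READY notification from the master, so without one the unit may never reach the active state — worth confirming. On Debian the packaged uwsgi loads languages as plugins and the tasks file installs only `uwsgi`, so a `plugins = python` line (with the matching plugin package) is probably needed for `wsgi-file = index.py` to load, unless that package pulls the plugin in by default.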
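Review bot: The tasks file notifies `Restart uwsgi-app@dss` from its (commented-out) `Configure uwsgi service` task, but handlers/main.yml defines only `Restart nginx`, so the play will fail with an undefined handler as soon as that task is enabled. Add `- name: Restart uwsgi-app@dss` / `service: name=uwsgi-app@dss state=restarted` here. For the nginx handler, `state=reloaded` would apply the vhost change without dropping in-flight connections, since a configuration reload is all the vhost tasks need.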
@@ -0,0 +1,41 @@
+---
+
+- name: Install dependencies
+ apt: name={{ item }} state=present
+ with_items:
+ - python-flask
+ - python-flaskext.wtf
+ - python-ldap
+ - python-passlib
+ - python-redis
+ - redis-server
+ - uwsgi
+
+#- name: Install bk-dss
+# git: repo=https://github.com/moepman/bk-diss.git dest=/var/www/dss depth=1 version=b1e0035e83dcf533610423a1cf4374e6c6dbf3d8
+
+# TODO Configure bk-dss
+
+# TODO Configure redis
+
+#- name: Configure uwsgi service
+# copy: src={{ item }} dest=/etc/{{ item }}
+# with_items:
+# - uwsgi/apps-available/dss.ini
+# - systemd/system/uwsgi-app@.socket
+# - systemd/system/uwsgi-app@.service
+# notify: Restart uwsgi-app@dss
+
+#- name: Configure certificate manager for dss
+# template: src=certs.j2 dest=/etc/acme/domains.d/{{ dss_domain }}.conf
+
+#- name: Configure vhost
+# template: src=vhost.j2 dest=/etc/nginx/sites-available/dss
+# notify: Restart nginx
+
+#- name: Enable vhost
+# file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
+# notify: Restart nginx
+
+#- name: Start uwsgi
+# service: name=uwsgi-app@dss state=started enabled=yes
diff --git a/roles/dss/templates/certs.j2 b/roles/dss/templates/certs.j2
new file mode 100644
index 0000000..8924657
--- /dev/null
+++ b/roles/dss/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ dss_domain }}:
+- path: /etc/nginx/ssl/{{ dss_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ dss_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/dss/templates/vhost.j2 b/roles/dss/templates/vhost.j2
new file mode 100644
index 0000000..dda6409
--- /dev/null
+++ b/roles/dss/templates/vhost.j2
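Review bot: The `Configure uwsgi service` task copies unit files into `/etc/systemd/system` but nothing issues a `daemon-reload`, so systemd will not know `uwsgi-app@.service`/`.socket` when the `Start uwsgi` task runs; and that task starts only the service and never enables `uwsgi-app@dss.socket`, although the socket unit is the one carrying `[Install]` and the `www-data`-only `0660` permissions. Ansible's `systemd` module covers both in one task: `systemd: name=uwsgi-app@dss.socket state=started enabled=yes daemon_reload=yes`. The git task pins a full commit hash rather than a branch, which is the right supply-chain practice; keep that when the task is uncommented. All of this is currently commented out, so it is a note for when the role is completed rather than a failure today.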
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ dss_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ dss_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ dss_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ dss_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ dss_domain }}.crt;
+
+ root /var/www/dss/;
+
+ uwsgi_pass /var/run/uwsgi/dss.socket;
+ include uwsgi_params;
+
+ location /static {
+ root /var/www/dss/;
+ }
+}
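Review bot: `uwsgi_pass` is only valid inside a `location` (or an `if` within one), and a unix socket needs the `unix:` prefix, so the TLS server block fails `nginx -t` on `uwsgi_pass /var/run/uwsgi/dss.socket;` at server level. Wrap the pass in a `location /` and use `unix:/var/run/uwsgi/dss.socket`, as below. The server-level `root /var/www/dss/;` points at the application checkout (`chdir` in dss.ini); since only `/static` should be served from disk, scoping `root` to that location avoids exposing `index.py` through any future location that lacks a proxy directive. Whether HSTS and the `ssl_protocols`/cipher policy come from the `nginx` role's `nginx_ssl` setting is not visible here; if they do not, they belong in this vhost.
```nginx
    # … unchanged: listen, server_name, ssl_certificate_key, ssl_certificate …

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/var/run/uwsgi/dss.socket;
    }

    location /static {
        root /var/www/dss/;
    }
```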