gerboweb: Fixup playbook to run from fresh install

2019-03-31 04:08:39 +09:00 · 2019-03-31 04:08:39 +09:00 · 6ece061902
commit 6ece061902
--- a/gerboweb/deploy/nginx_nossl.conf
+++ b/gerboweb/deploy/nginx_nossl.conf
@ -0,0 +1,45 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  gerbolyze.jaseg.net;
+        return 301 https://$host$request_uri;
+    }
+}
+
--- a/gerboweb/deploy/playbook.yml
+++ b/gerboweb/deploy/playbook.yml
@ -1,6 +1,33 @@
 - name: Gerbolyze container setup playbook
-  hosts: all
+  hosts: wendelstein
  tasks:
+    - name: Set hostname
+      hostname:
+        name: wendelstein.jaseg.net
+
+    - name: Install common admin tools
+      dnf:
+        name: htop,tmux,fish,mosh,neovim
+        state: latest
+
+    - name: Install host requisites
+      dnf:
+          name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python
+          state: latest
+
+    - name: Disable password-based root login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin without-password'
+      register: disable_root_pw_ssh
+
+    - name: Restart sshd
+      systemd:
+          name: sshd
+          state: restarted
+      when: disable_root_pw_ssh is changed
+
    - name: Create container image file
      command: truncate -s 4G /var/cache/gerbolyze_container.img
      args:
@ -14,11 +41,6 @@
          checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
      when: create_container is changed

-    - name: Install host requisites
-      dnf:
-          name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx
-          state: latest
-
    - name: Create container image filesystem
      filesystem:
          dev: /var/cache/gerbolyze_container.img
@ -88,9 +110,9 @@
          group: no
          owner: no

-    - name: Copy nginx config
+    - name: Copy first stage nginx config
      copy:
-          src: nginx.conf
+          src: nginx_nossl.conf
          dest: /etc/nginx/nginx.conf

    - name: Create uwsgi worker user and group
@ -136,22 +158,33 @@
        state: permissive
        policy: targeted

-    - name: Create letsencrypt certificate
-      command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
-      args:
-          creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
-
-    - name: Enable certbot renewal timer
-      systemd:
-          name: certbot-renew.timer
-          enabled: yes
-
    - name: Enable uwsgi systemd socket
      systemd:
          daemon-reload: yes
          name: uwsgi-app@gerboweb.socket
          enabled: yes

+    - name: Copy gerboweb cache dir tmpfiles.d config
+      copy:
+          src: tmpfiles-gerboweb.conf
+          dest: /etc/tmpfiles.d/gerboweb.conf
+          owner: root
+          group: root
+          mode: 0644
+      register: tmpfiles_config
+
+    - name: Kick systemd tmpfiles service to create cache dir
+      command: systemd-tmpfiles --create
+      when: tmpfiles_config is changed
+
+    - name: Create job queue db
+      file:
+        path: /var/cache/gerboweb/job_queue.sqlite3
+        owner: root
+        group: uwsgi
+        mode: 0660
+        state: touch
+
    - name: Enable and launch job processor
      systemd:
          name: gerboweb-job-processor.service
@ -164,11 +197,23 @@
          enabled: yes
          state: restarted

-    - name: Copy gerboweb cache dir tmpfiles.d config
-      copy:
-          src: tmpfiles-gerboweb.conf
-          dest: /etc/tmpfiles.d/gerboweb.conf
-          owner: root
-          group: root
-          mode: 0644
+    - name: Create letsencrypt certificate
+      command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+      args:
+          creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
+
+    - name: Copy final nginx config
+      copy:
+          src: nginx.conf
+          dest: /etc/nginx/nginx.conf
+
+    - name: Restart nginx to load new cert
+      systemd:
+          name: nginx.service
+          state: restarted
+
+    - name: Enable certbot renewal timer
+      systemd:
+          name: certbot-renew.timer
+          enabled: yes

--- a/gerboweb/deploy/tmpfiles-gerboweb.conf
+++ b/gerboweb/deploy/tmpfiles-gerboweb.conf
@ -1 +1 @@
-d /var/cache/gerboweb 760 uwsgi-gerboweb uwsgi 2d
+d /var/cache/gerboweb 770 uwsgi-gerboweb uwsgi 2d
--- a/gerboweb/static/style.css
+++ b/gerboweb/static/style.css
@ -159,8 +159,7 @@ div.loading-message {
  left: 0;
  width: 60px;

-  line-height: 50px;
-  padding-top: 10px;
+  line-height: 60px;
 }

 .step > .description {