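---
# Gerbolyze container setup playbook.
#
# On the target host this builds a loop-mounted btrfs image holding an Arch
# Linux bootstrap, installs the gerbolyze renderer inside that chroot, and
# deploys the gerboweb frontend (nginx, a uwsgi socket/service pair and a job
# processor service) on the host itself.
#
# Review notes on the original file:
#   - `mode: 440` on the uwsgi config was an unquoted decimal integer, which
#     Ansible treats as decimal 440 (octal 0670) rather than 0440; it is now a
#     quoted octal string.
#   - YAML 1.1 truthy values (yes/no) replaced by true/false.
- name: Gerbolyze container setup playbook
  hosts: all
  tasks:
    - name: Create container image file
      command: truncate -s 4G /var/cache/gerbolyze_container.img
      args:
        creates: /var/cache/gerbolyze_container.img
      # Registered so the bootstrap download below only runs on first creation.
      register: create_container

    - name: Download arch bootstrap image
      # Plain-HTTP source; integrity of the download relies on the pinned sha256
      # checksum, so the checksum line must not be dropped if the URL changes.
      # NOTE(review): the URL names a .tar.gz while dest is .tar.xz — the tar
      # handler of unarchive should detect the compression from content, but
      # the names ought to be aligned.
      get_url:
        url: http://mirror.rackspace.com/archlinux/iso/2019.03.01/archlinux-bootstrap-2019.03.01-x86_64.tar.gz
        dest: /tmp/arch-bootstrap.tar.xz
        checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
      when: create_container is changed

    - name: Install host requisites
      dnf:
        name:
          - btrfs-progs
          - arch-install-scripts
          - nginx
          - uwsgi
          - python3-flask
          - python3-flask-wtf
          - systemd-container
          - uwsgi-plugin-python3
          - certbot
          - python3-certbot-nginx
        # `latest` upgrades these packages on every run, not just on first install.
        state: latest

    - name: Create container image filesystem
      filesystem:
        dev: /var/cache/gerbolyze_container.img
        fstype: btrfs

    - name: Create container image fstab entry
      mount:
        src: /var/cache/gerbolyze_container.img
        path: /var/cache/gerbolyze_container
        state: mounted
        fstype: btrfs
        opts: loop

    - name: Unpack bootstrap image
      unarchive:
        remote_src: true
        src: /tmp/arch-bootstrap.tar.xz
        dest: /var/cache/gerbolyze_container
        extra_opts:
          # The bootstrap tarball has a single top-level directory; strip it.
          - "--strip-components=1"
        creates: /var/cache/gerbolyze_container/etc

    - name: Copy mirrorlist into container
      copy:
        src: mirrorlist
        dest: /var/cache/gerbolyze_container/etc/pacman.d/mirrorlist

    - name: Copy render script
      copy:
        src: render.sh
        dest: /usr/local/sbin/gerbolyze_render.sh
        mode: ug+x

    - name: Copy vector script
      copy:
        src: vector.sh
        dest: /usr/local/sbin/gerbolyze_vector.sh
        mode: ug+x

    - name: Initialize container pacman keyring
      # Two chained commands, so `shell` (not `command`) is required here.
      shell: arch-chroot /var/cache/gerbolyze_container pacman-key --init && arch-chroot /var/cache/gerbolyze_container pacman-key --populate archlinux
      args:
        creates: /var/cache/gerbolyze_container/etc/pacman.d/gnupg

    - name: Fixup pacman.conf for pacman to work in chroot without its own root fs
      lineinfile:
        path: /var/cache/gerbolyze_container/etc/pacman.conf
        regexp: '^CheckSpace'
        line: '#CheckSpace'

    - name: Update container and install software
      # No shell features are used, so `command` avoids an unnecessary /bin/sh.
      # This runs (and reports changed) on every play.
      command: arch-chroot /var/cache/gerbolyze_container pacman -Syu --noconfirm python3 opencv hdf5 gtk3 python-numpy python-pip imagemagick unzip zip

    # TODO maybe install directly from local git checkout?
    - name: Install gerbolyze
      # Unpinned install from the package index; runs on every play.
      command: arch-chroot /var/cache/gerbolyze_container pip install -U --upgrade-strategy=eager gerbolyze

    - name: Cleanup bootstrap image
      file:
        path: /tmp/arch-bootstrap.tar.xz
        state: absent

    - name: Copy webapp sources
      synchronize:
        # FIXME: make this path configurable
        src: ~/gerbolyze/gerboweb/
        dest: /var/lib/gerboweb/
        group: false
        owner: false

    - name: Copy nginx config
      copy:
        src: nginx.conf
        dest: /etc/nginx/nginx.conf

    - name: Create uwsgi worker user and group
      user:
        name: uwsgi-gerboweb
        create_home: false
        group: uwsgi
        # '!' is an invalid hash, i.e. the account has no usable password.
        password: '!'
        shell: /sbin/nologin
        system: true

    - name: Add nginx user to uwsgi group for access to uwsgi socket
      user:
        name: nginx
        groups: uwsgi
        append: true

    - name: Copy uwsgi config
      copy:
        src: uwsgi-gerboweb.ini
        dest: /etc/uwsgi.d/gerboweb.ini
        owner: uwsgi-gerboweb
        group: uwsgi
        # Quoted octal string: an unquoted 440 would be read as decimal (0670).
        mode: "0440"

    - name: Copy uwsgi systemd socket config
      copy:
        src: uwsgi-app@.socket
        dest: /etc/systemd/system/

    - name: Copy uwsgi systemd service config
      copy:
        src: uwsgi-app@.service
        dest: /etc/systemd/system/

    - name: Copy job processor systemd service config
      copy:
        src: gerboweb-job-processor.service
        dest: /etc/systemd/system/

    - name: Set SELinux to permissive mode # FIXME
      # Host-wide: SELinux policy is only logged, not enforced, after this task.
      selinux:
        state: permissive
        policy: targeted

    - name: Create letsencrypt certificate
      command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
      args:
        creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem

    - name: Enable certbot renewal timer
      systemd:
        name: certbot-renew.timer
        enabled: true

    - name: Enable uwsgi systemd socket
      systemd:
        # Picks up the unit files copied above.
        daemon_reload: true
        name: uwsgi-app@gerboweb.socket
        enabled: true

    - name: Enable and launch uwsgi systemd service
      systemd:
        name: uwsgi-app@gerboweb.service
        enabled: true
        state: restarted

    - name: Enable and launch job processor
      systemd:
        name: gerboweb-job-processor.service
        enabled: true
        state: restarted

    - name: Enable and launch nginx systemd service
      systemd:
        name: nginx.service
        enabled: true
        state: restarted

    - name: Copy gerboweb cache dir tmpfiles.d config
      copy:
        src: tmpfiles-gerboweb.conf
        dest: /etc/tmpfiles.d/gerboweb.conf
        owner: root
        group: root
        mode: "0644"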