authorjaseg <code@jaseg.net>2019-09-29 16:28:11 +0200
committerjaseg <code@jaseg.net>2019-09-29 16:28:11 +0200
commit170ba6d418b7dc4676ea71678dd661da60e726d0 (patch)
tree50aedf934b3fd3c113d198683ced59bc1cbabc12
parent54944fcd3d8e480d57b389a6518db4952e89f49e (diff)
downloadinfra-170ba6d418b7dc4676ea71678dd661da60e726d0.tar.gz
infra-170ba6d418b7dc4676ea71678dd661da60e726d0.tar.bz2
infra-170ba6d418b7dc4676ea71678dd661da60e726d0.zip
deploy: add pogojig
-rw-r--r--bootstrap_arch_container.yml4
m---------checkouts/pogojig0
-rw-r--r--nginx.conf128
-rw-r--r--playbook.yml11
-rw-r--r--pogojig-job-processor.service.j29
-rw-r--r--pogojig.cfg.j24
-rw-r--r--pogojig_flask_secret.txt1
-rwxr-xr-xpogojig_generate.sh.j225
-rw-r--r--setup_openjscad.yml9
-rw-r--r--setup_pogojig.yml118
-rw-r--r--setup_tracespace.yml9
-rw-r--r--setup_webserver.yml25
-rw-r--r--tmpfiles-pogojig.conf.j21
-rw-r--r--uwsgi-pogojig.ini10
14 files changed, 332 insertions, 22 deletions
diff --git a/bootstrap_arch_container.yml b/bootstrap_arch_container.yml
index 4126bbd..11bbf3d 100644
--- a/bootstrap_arch_container.yml
+++ b/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
- name: Download arch bootstrap image
get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2019.03.01/archlinux-bootstrap-2019.03.01-x86_64.tar.gz
+ url: http://mirror.rackspace.com/archlinux/iso/2019.09.01/archlinux-bootstrap-2019.09.01-x86_64.tar.gz
dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
+ checksum: sha256:9fc9f178db6f5c188be8884c0abf10c69418e7cd38a4389e866fac5d9961297d
when: create_container is changed
- name: Create container image filesystem
diff --git a/checkouts/pogojig b/checkouts/pogojig
new file mode 160000
+Subproject 04b34f73c1e0023ce4abdb9f1c9f0d917524762
diff --git a/nginx.conf b/nginx.conf
index b6f13c0..6cf28cf 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -36,9 +36,9 @@ http {
include /etc/nginx/conf.d/*.conf;
server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name gerbolyze.jaseg.net;
+ listen 80;
+ listen [::]:80;
+ server_name .jaseg.net;
return 301 https://$host$request_uri;
}
@@ -85,13 +85,6 @@ http {
}
server {
- listen 80;
- listen [::]:80;
- server_name blog.jaseg.net blog.jaseg.net;
- return 301 https://$host$request_uri;
- }
-
- server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.jaseg.net blog.jaseg.net;
@@ -136,5 +129,120 @@ http {
}
}
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pogojig.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location ^~ /pogospace/ {
+ root /var/lib/pogojig/pogospace;
+ }
+
+ location / {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi/pogojig.socket;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name tracespace.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location / {
+ root /var/www/tracespace.jaseg.net;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name openjscad.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location / {
+ root /var/www/openjscad.jaseg.net;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
}
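Review bot: In the pogojig server block, `location ^~ /pogospace/ { root /var/lib/pogojig/pogospace; }` appends the request URI to the root, so `/pogospace/x` resolves to `/var/lib/pogojig/pogospace/pogospace/x`; unless the unpacked tracespace tarball contains a nested `pogospace/` directory, this should be `alias /var/lib/pogojig/pogospace/;`. All three new blocks send `Strict-Transport-Security "max-age=86400"`, which only pins returning visitors to HTTPS for a day and is omitted on error responses; once the catch-all port-80 redirect is confirmed, raise it to at least six months with `add_header Strict-Transport-Security "max-age=15768000" always;`. Also `error_page 404 /404.html` names a URI that the `location = /40x.html` block never matches, so in the pogojig block a 404 is re-dispatched to the uwsgi app as `/404.html` and in the static blocks it is looked up under the site root rather than `/usr/share/nginx/html`.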
diff --git a/playbook.yml b/playbook.yml
index afea884..6d558d3 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -48,6 +48,7 @@
containers:
- gerboweb
- clippy
+ - pogojig
- name: Setup web server
include_tasks: setup_webserver.yml
@@ -60,3 +61,13 @@
- name: Setup secure download
include_tasks: setup_secure_download.yml
+
+ - name: Setup tracespace
+ include_tasks: setup_tracespace.yml
+
+ - name: Setup openjscad
+ include_tasks: setup_openjscad.yml
+
+ - name: Setup pogojig
+ include_tasks: setup_pogojig.yml
+
diff --git a/pogojig-job-processor.service.j2 b/pogojig-job-processor.service.j2
new file mode 100644
index 0000000..5ca9a8b
--- /dev/null
+++ b/pogojig-job-processor.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Pogojig render job processor
+
+[Service]
+WorkingDirectory=/var/lib/pogojig
+ExecStart=/usr/bin/python3 job_processor.py {{pogojig_cache}}/job_queue.sqlite3
+
+[Install]
+WantedBy=uwsgi-app@pogojig.service
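Review bot: The unit sets no `User=`/`Group=` and no sandboxing directives, so `job_processor.py` runs as root on work items that the uwsgi worker writes into the group-writable `job_queue.sqlite3` (root:uwsgi 0660 in setup_pogojig.yml), which makes that table a privilege boundary. If root is required because the processor invokes `/usr/local/sbin/pogojig_generate.sh` and thus systemd-nspawn, state that in a comment above `ExecStart=` and add what remains compatible, e.g. `ProtectHome=yes` and `PrivateTmp=yes`; otherwise give it a dedicated unprivileged user. There is also no `Restart=` line, so a crash of the processor stalls the queue until the next deploy restarts it; `Restart=on-failure` plus `RestartSec=5` is the usual fix.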
diff --git a/pogojig.cfg.j2 b/pogojig.cfg.j2
new file mode 100644
index 0000000..3dd7160
--- /dev/null
+++ b/pogojig.cfg.j2
@@ -0,0 +1,4 @@
+MAX_CONTENT_LENGTH=10000000
+SECRET_KEY="{{lookup('password', 'pogojig_flask_secret.txt length=32')}}"
+UPLOAD_PATH="{{pogojig_cache}}/upload"
+JOB_QUEUE_DB="{{pogojig_cache}}/job_queue.sqlite3"
diff --git a/pogojig_flask_secret.txt b/pogojig_flask_secret.txt
new file mode 100644
index 0000000..fc1e245
--- /dev/null
+++ b/pogojig_flask_secret.txt
@@ -0,0 +1 @@
+RhshDKyRVcg.5r4ulH:0f8Vhut0HoFS3
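Review bot: This file is the output of the `lookup('password', 'pogojig_flask_secret.txt ...')` in pogojig.cfg.j2 and holds the Flask `SECRET_KEY` that signs session cookies; committing it publishes the key, so anyone with a copy of this repository can forge pogojig sessions. Treat the value as compromised: remove it from the repo and its history, add `pogojig_flask_secret.txt` to `.gitignore` (the lookup regenerates it on the next run, which rotates the key), or point the lookup at a path outside the checkout or at an ansible-vault variable.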
diff --git a/pogojig_generate.sh.j2 b/pogojig_generate.sh.j2
new file mode 100755
index 0000000..c1cc023
--- /dev/null
+++ b/pogojig_generate.sh.j2
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+[ $# != 1 ] && exit 1
+ID=$1
+egrep -x -q '^[-0-9A-Za-z]{36}$'<<<"$ID" || exit 2
+
+systemd-nspawn \
+ -D {{pogojig_root}} \
+ -x --bind={{pogojig_cache}}/upload/$ID:/mnt \
+ /bin/sh -c "set -euo pipefail
+cd /mnt
+
+date; echo 'Cleaning up previous output'
+rm -rf pcb_shape.dxf jig.stl kicad kicad.zip sources.zip
+
+date; echo 'Rendering'
+cp -r /var/lib/pogojig_renderer sources
+cp input.svg sources/
+make -C sources
+
+date; echo 'Packing source bundle'
+cp -r sources/out/pcb_shape.dxf sources/out/jig.stl sources/out/kicad ./
+zip -r sources.zip sources
+zip -r kicad.zip kicad
+rm -rf sources"
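Review bot: The nspawn invocation runs inkscape, openscad and make over a user-supplied `input.svg` as root inside the container with host network access and no user namespace, so a parser bug in any of those tools yields a root shell that can reach the network; add `--private-network` to the `systemd-nspawn` line, and consider `-U` if the bind-mounted upload directory can be made writable for the mapped uid. The ID check is the right idea, but `<<<` is a bash here-string while the shebang is `#!/bin/sh`, so under dash the script dies with a syntax error before validating anything; use `printf '%s\n' "$ID" | grep -Eqx '[-0-9A-Za-z]{36}' || exit 2` (`-x` already anchors, so `^`/`$` are redundant). Quoting `"$ID"` in the `--bind=` argument is also worth doing for consistency, even though the check rules out whitespace.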
diff --git a/setup_openjscad.yml b/setup_openjscad.yml
new file mode 100644
index 0000000..dea4ad2
--- /dev/null
+++ b/setup_openjscad.yml
@@ -0,0 +1,9 @@
+---
+- name: Copy openjscad webapp sources
+ synchronize:
+ # FIXME: make this path configurable
+ src: ~/openjscad_dist/
+ dest: /var/www/openjscad.jaseg.net/
+ group: no
+ owner: no
+
diff --git a/setup_pogojig.yml b/setup_pogojig.yml
new file mode 100644
index 0000000..8a4c827
--- /dev/null
+++ b/setup_pogojig.yml
@@ -0,0 +1,118 @@
+---
+- name: Set local facts
+ set_fact:
+ pogojig_cache: /var/cache/pogojig
+
+- name: Copy render script
+ template:
+ src: pogojig_generate.sh.j2
+ dest: /usr/local/sbin/pogojig_generate.sh
+ mode: ug+x
+
+- name: Install packages into pogojig container
+ shell: arch-chroot "{{pogojig_root}}" pacman -Syu --noconfirm python3 python-pip imagemagick unzip zip openscad inkscape make python-lxml xorg-server-xvfb
+
+- name: Install python dependencies into pogojig container
+ shell: arch-chroot "{{pogojig_root}}" pip install -U --upgrade-strategy=eager ezdxf xvfbwrapper
+
+- name: Install pogojig
+ synchronize:
+ # FIXME: make this path configurable
+ src: checkouts/pogojig/renderer/
+ dest: "{{pogojig_root}}/var/lib/pogojig_renderer"
+ group: no
+
+- name: Copy webapp sources
+ synchronize:
+ # FIXME: make this path configurable
+ src: checkouts/pogojig/webapp/
+ dest: /var/lib/pogojig
+ group: no
+ owner: no
+
+- name: Create web home for modified tracespace
+ file:
+ path: /var/lib/pogojig/pogospace
+ state: directory
+ owner: nginx
+ group: nginx
+ mode: 0550
+
+- name: Unpack modified tracespace sources
+ unarchive:
+ src: resource/pogojig-tracespace.tar.gz
+ dest: /var/lib/pogojig/pogospace
+ extra_opts: [--strip-components=1]
+ owner: nginx
+ group: nginx
+
+- name: Create uwsgi worker user and group
+ user:
+ name: uwsgi-pogojig
+ create_home: no
+ group: uwsgi
+ password: '!'
+ shell: /sbin/nologin
+ system: yes
+
+- name: Template webapp config
+ template:
+ src: pogojig.cfg.j2
+ dest: /var/lib/pogojig/pogojig_prod.cfg
+ owner: uwsgi-pogojig
+ group: root
+ mode: 0660
+
+- name: Copy uwsgi config
+ copy:
+ src: uwsgi-pogojig.ini
+ dest: /etc/uwsgi.d/pogojig.ini
+ owner: uwsgi-pogojig
+ group: uwsgi
+ mode: 440
+
+- name: Copy job processor systemd service config
+ template:
+ src: pogojig-job-processor.service.j2
+ dest: /etc/systemd/system/pogojig-job-processor.service
+
+- name: Enable uwsgi systemd socket
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@pogojig.socket
+ enabled: yes
+
+# FIXME the socket doesn't seem to work properly
+- name: Enable uwsgi systemd service
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@pogojig.service
+ enabled: yes
+
+- name: Copy pogojig cache dir tmpfiles.d config
+ template:
+ src: tmpfiles-pogojig.conf.j2
+ dest: /etc/tmpfiles.d/pogojig.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: pogojig_tmpfiles_config
+
+- name: Kick systemd tmpfiles service to create cache dir
+ command: systemd-tmpfiles --create
+ when: pogojig_tmpfiles_config is changed
+
+- name: Create job queue db
+ file:
+ path: "{{pogojig_cache}}/job_queue.sqlite3"
+ owner: root
+ group: uwsgi
+ mode: 0660
+ state: touch
+
+- name: Enable and launch job processor
+ systemd:
+ name: pogojig-job-processor.service
+ enabled: yes
+ state: restarted
+
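Review bot: `mode: 440` on the "Copy uwsgi config" task has no leading zero, so YAML hands Ansible the decimal integer 440, which is applied as mode 0670 (group-writable, not read-only); write it as `mode: "0440"`, and for consistency quote the other octal modes (`"0550"`, `"0660"`, `"0644"`) as the Ansible docs recommend. The two `shell:` tasks are not idempotent and `pip install -U --upgrade-strategy=eager ezdxf xvfbwrapper` pulls whatever PyPI serves at deploy time into the renderer that processes untrusted SVGs; pin versions via a requirements file with `--require-hashes`, use `command:` instead of `shell:` (no shell features are needed), and add `changed_when`. `pogojig_root` is used in the arch-chroot and synchronize tasks but never set here, so it presumably comes from the container bootstrap; a one-line comment saying where would help the next reader.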
diff --git a/setup_tracespace.yml b/setup_tracespace.yml
new file mode 100644
index 0000000..2975967
--- /dev/null
+++ b/setup_tracespace.yml
@@ -0,0 +1,9 @@
+---
+- name: Copy tracespace webapp sources
+ synchronize:
+ # FIXME: make this path configurable
+ src: ~/tracespace_dist/
+ dest: /var/www/tracespace.jaseg.net/
+ group: no
+ owner: no
+
diff --git a/setup_webserver.yml b/setup_webserver.yml
index ea821d8..671a699 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -9,13 +9,17 @@
groups: uwsgi
append: yes
-- name: Create blog.jaseg.net content dir
+- name: Create subdomain content dirs
file:
- path: /var/www/blog.jaseg.net
+ path: /var/www/{{item}}
state: directory
owner: nginx
group: nginx
mode: 0550
+ loop:
+ - blog.jaseg.net
+ - tracespace.jaseg.net
+ - openjscad.jaseg.net
- name: Copy uwsgi systemd socket config
copy:
@@ -38,15 +42,16 @@
enabled: yes
state: restarted
-- name: Create letsencrypt certificate for gerbolyze.jaseg.net
- command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+- name: Create subdomain letsencrypt certificates
+ command: certbot --nginx certonly -d {{item}} -n --agree-tos --email {{item}}-letsencrypt@jaseg.net
args:
- creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
-
-- name: Create letsencrypt certificate for blog.jaseg.net
- command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
- args:
- creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem
+ creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
+ loop:
+ - blog.jaseg.net
+ - gerbolyze.jaseg.net
+ - tracespace.jaseg.net
+ - openjscad.jaseg.net
+ - pogojig.jaseg.net
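Review bot: The templated contact address `{{item}}-letsencrypt@jaseg.net` expands to e.g. `pogojig.jaseg.net-letsencrypt@jaseg.net`, a local part containing the full hostname; unless those mailboxes exist, Let's Encrypt expiry warnings will bounce, and for a `creates:`-guarded one-shot task they are the only renewal alarm you have. Either strip the domain, `{{ item | regex_replace('\\.jaseg\\.net$', '') }}-letsencrypt@jaseg.net`, or use one fixed address for the whole loop. The task also runs before "Copy final nginx config", so it appears to rely on the previously deployed config already answering on port 80 for the new names; if that is the intent, a comment stating the ordering assumption would help.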
- name: Copy final nginx config
copy:
diff --git a/tmpfiles-pogojig.conf.j2 b/tmpfiles-pogojig.conf.j2
new file mode 100644
index 0000000..4e9fef1
--- /dev/null
+++ b/tmpfiles-pogojig.conf.j2
@@ -0,0 +1 @@
+d {{pogojig_cache}} 770 uwsgi-pogojig uwsgi 2d
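Review bot: The `2d` age field applies to everything under `{{pogojig_cache}}`, including the `job_queue.sqlite3` that setup_pogojig.yml creates there and pogojig.cfg.j2 points the webapp at; systemd-tmpfiles-clean will delete the database once all of its timestamps are older than two days, i.e. after an idle weekend. Either exclude it with a second line, `x {{pogojig_cache}}/job_queue.sqlite3`, or keep the queue outside the cache directory and put the age only on the upload tree, `d {{pogojig_cache}}/upload 770 uwsgi-pogojig uwsgi 2d`.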
diff --git a/uwsgi-pogojig.ini b/uwsgi-pogojig.ini
new file mode 100644
index 0000000..003702d
--- /dev/null
+++ b/uwsgi-pogojig.ini
@@ -0,0 +1,10 @@
+[uwsgi]
+master = True
+cheap = True
+die-on-idle = False
+manage-script-name = True
+plugins = python3
+chdir = /var/lib/pogojig
+mount = /=pogojig:app
+env = POGOJIG_SETTINGS=pogojig_prod.cfg
+
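Review bot: Nothing here drops privileges: there is no `uid = uwsgi-pogojig` / `gid = uwsgi`, although setup_pogojig.yml creates that user and hands it pogojig_prod.cfg (0660) and the queue DB (group uwsgi); unless the `uwsgi-app@` unit template, which is not in this diff, sets `User=`, the app runs as whatever uwsgi itself runs as. Add the two lines so the intent is explicit regardless of the unit, and consider `need-app = true` so a failed import stops the service instead of an empty master serving 500s.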