deploy: add pogojig

14 files changed, 332 insertions, 22 deletions

diff --git a/bootstrap_arch_container.yml b/bootstrap_arch_container.yml
index 4126bbd..11bbf3d 100644
--- a/bootstrap_arch_container.yml
+++ b/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
 
 - name: Download arch bootstrap image
   get_url:
-      url: http://mirror.rackspace.com/archlinux/iso/2019.03.01/archlinux-bootstrap-2019.03.01-x86_64.tar.gz
+      url: http://mirror.rackspace.com/archlinux/iso/2019.09.01/archlinux-bootstrap-2019.09.01-x86_64.tar.gz
       dest: /tmp/arch-bootstrap.tar.xz
-      checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
+      checksum: sha256:9fc9f178db6f5c188be8884c0abf10c69418e7cd38a4389e866fac5d9961297d
   when: create_container is changed
 
 - name: Create container image filesystem
diff --git a/checkouts/pogojig b/checkouts/pogojig
new file mode 160000
+Subproject 04b34f73c1e0023ce4abdb9f1c9f0d917524762
diff --git a/nginx.conf b/nginx.conf
index b6f13c0..6cf28cf 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -36,9 +36,9 @@ http {
     include /etc/nginx/conf.d/*.conf;
 
     server {
-        listen       80 default_server;
-        listen       [::]:80 default_server;
-        server_name  gerbolyze.jaseg.net;
+        listen       80;
+        listen       [::]:80;
+        server_name  .jaseg.net;
         return 301 https://$host$request_uri;
     }
 
@@ -85,13 +85,6 @@ http {
     }
 
     server {
-        listen       80;
-        listen       [::]:80;
-        server_name  blog.jaseg.net blog.jaseg.net;
-        return 301 https://$host$request_uri;
-    }
-
-    server {
         listen       443 ssl http2;
         listen       [::]:443 ssl http2;
         server_name  blog.jaseg.net blog.jaseg.net;
@@ -136,5 +129,120 @@ http {
         }
     }
 
+    server {
+        listen       443 ssl http2;
+        listen       [::]:443 ssl http2;
+        server_name  pogojig.jaseg.net;
+        root         /usr/share/nginx/html;
+
+        ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
+        ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 67.207.67.2 67.207.67.3 valid=300s;
+        resolver_timeout 10s;
+
+        add_header Strict-Transport-Security "max-age=86400";
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location ^~ /pogospace/ {
+              root /var/lib/pogojig/pogospace;
+        }
+
+        location / {
+              include uwsgi_params;
+              uwsgi_pass unix:/run/uwsgi/pogojig.socket;
+        }
+
+        error_page 404 /404.html;
+        location = /40x.html {
+            root         /usr/share/nginx/html;
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root         /usr/share/nginx/html;
+        }
+    }
+
+    server {
+        listen       443 ssl http2;
+        listen       [::]:443 ssl http2;
+        server_name  tracespace.jaseg.net;
+        root         /usr/share/nginx/html;
+
+        ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
+        ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 67.207.67.2 67.207.67.3 valid=300s;
+        resolver_timeout 10s;
+
+        add_header Strict-Transport-Security "max-age=86400";
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+            root /var/www/tracespace.jaseg.net;
+        }
+
+        error_page 404 /404.html;
+        location = /40x.html {
+            root         /usr/share/nginx/html;
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root         /usr/share/nginx/html;
+        }
+    }
+
+    server {
+        listen       443 ssl http2;
+        listen       [::]:443 ssl http2;
+        server_name  openjscad.jaseg.net;
+        root         /usr/share/nginx/html;
+
+        ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
+        ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 67.207.67.2 67.207.67.3 valid=300s;
+        resolver_timeout 10s;
+
+        add_header Strict-Transport-Security "max-age=86400";
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+            root /var/www/openjscad.jaseg.net;
+        }
+
+        error_page 404 /404.html;
+        location = /40x.html {
+            root         /usr/share/nginx/html;
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root         /usr/share/nginx/html;
+        }
+    }
 }
 
diff --git a/playbook.yml b/playbook.yml
index afea884..6d558d3 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -48,6 +48,7 @@
         containers:
           - gerboweb
           - clippy
+          - pogojig
 
     - name: Setup web server
       include_tasks: setup_webserver.yml
@@ -60,3 +61,13 @@
 
     - name: Setup secure download
       include_tasks: setup_secure_download.yml
+
+    - name: Setup tracespace
+      include_tasks: setup_tracespace.yml
+
+    - name: Setup openjscad
+      include_tasks: setup_openjscad.yml
+
+    - name: Setup pogojig
+      include_tasks: setup_pogojig.yml
+
diff --git a/pogojig-job-processor.service.j2 b/pogojig-job-processor.service.j2
new file mode 100644
index 0000000..5ca9a8b
--- /dev/null
+++ b/pogojig-job-processor.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Pogojig render job processor
+
+[Service]
+WorkingDirectory=/var/lib/pogojig
+ExecStart=/usr/bin/python3 job_processor.py {{pogojig_cache}}/job_queue.sqlite3
+
+[Install]
+WantedBy=uwsgi-app@pogojig.service
diff --git a/pogojig.cfg.j2 b/pogojig.cfg.j2
new file mode 100644
index 0000000..3dd7160
--- /dev/null
+++ b/pogojig.cfg.j2
@@ -0,0 +1,4 @@
+MAX_CONTENT_LENGTH=10000000
+SECRET_KEY="{{lookup('password', 'pogojig_flask_secret.txt length=32')}}"
+UPLOAD_PATH="{{pogojig_cache}}/upload"
+JOB_QUEUE_DB="{{pogojig_cache}}/job_queue.sqlite3"
diff --git a/pogojig_flask_secret.txt b/pogojig_flask_secret.txt
new file mode 100644
index 0000000..fc1e245
--- /dev/null
+++ b/pogojig_flask_secret.txt
@@ -0,0 +1 @@
+RhshDKyRVcg.5r4ulH:0f8Vhut0HoFS3
diff --git a/pogojig_generate.sh.j2 b/pogojig_generate.sh.j2
new file mode 100755
index 0000000..c1cc023
--- /dev/null
+++ b/pogojig_generate.sh.j2
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+[ $# != 1 ] && exit 1
+ID=$1
+egrep -x -q '^[-0-9A-Za-z]{36}$'<<<"$ID" || exit 2
+
+systemd-nspawn \
+    -D {{pogojig_root}} \
+    -x --bind={{pogojig_cache}}/upload/$ID:/mnt \
+    /bin/sh -c "set -euo pipefail
+cd /mnt
+
+date; echo 'Cleaning up previous output'
+rm -rf pcb_shape.dxf jig.stl kicad kicad.zip sources.zip
+
+date; echo 'Rendering'
+cp -r /var/lib/pogojig_renderer sources
+cp input.svg sources/
+make -C sources
+
+date; echo 'Packing source bundle'
+cp -r sources/out/pcb_shape.dxf sources/out/jig.stl sources/out/kicad ./
+zip -r sources.zip sources
+zip -r kicad.zip kicad
+rm -rf sources"
diff --git a/setup_openjscad.yml b/setup_openjscad.yml
new file mode 100644
index 0000000..dea4ad2
--- /dev/null
+++ b/setup_openjscad.yml
@@ -0,0 +1,9 @@
+---
+- name: Copy openjscad webapp sources
+  synchronize:
+    # FIXME: make this path configurable
+      src: ~/openjscad_dist/
+      dest: /var/www/openjscad.jaseg.net/
+      group: no
+      owner: no
+
diff --git a/setup_pogojig.yml b/setup_pogojig.yml
new file mode 100644
index 0000000..8a4c827
--- /dev/null
+++ b/setup_pogojig.yml
@@ -0,0 +1,118 @@
+---
+- name: Set local facts
+  set_fact:
+    pogojig_cache: /var/cache/pogojig
+
+- name: Copy render script
+  template:
+      src: pogojig_generate.sh.j2
+      dest: /usr/local/sbin/pogojig_generate.sh
+      mode: ug+x
+
+- name: Install packages into pogojig container
+  shell: arch-chroot "{{pogojig_root}}" pacman -Syu --noconfirm python3 python-pip imagemagick unzip zip openscad inkscape make python-lxml xorg-server-xvfb
+
+- name: Install python dependencies into pogojig container
+  shell: arch-chroot "{{pogojig_root}}" pip install -U --upgrade-strategy=eager ezdxf xvfbwrapper
+
+- name: Install pogojig
+  synchronize:
+    # FIXME: make this path configurable
+      src: checkouts/pogojig/renderer/
+      dest: "{{pogojig_root}}/var/lib/pogojig_renderer"
+      group: no
+
+- name: Copy webapp sources
+  synchronize:
+    # FIXME: make this path configurable
+      src: checkouts/pogojig/webapp/
+      dest: /var/lib/pogojig
+      group: no
+      owner: no
+
+- name: Create web home for modified tracespace
+  file:
+      path: /var/lib/pogojig/pogospace
+      state: directory
+      owner: nginx
+      group: nginx
+      mode: 0550
+
+- name: Unpack modified tracespace sources
+  unarchive:
+      src: resource/pogojig-tracespace.tar.gz
+      dest: /var/lib/pogojig/pogospace
+      extra_opts: [--strip-components=1]
+      owner: nginx
+      group: nginx
+
+- name: Create uwsgi worker user and group
+  user:
+      name: uwsgi-pogojig
+      create_home: no
+      group: uwsgi
+      password: '!'
+      shell: /sbin/nologin
+      system: yes
+
+- name: Template webapp config
+  template:
+    src: pogojig.cfg.j2
+    dest: /var/lib/pogojig/pogojig_prod.cfg
+    owner: uwsgi-pogojig
+    group: root
+    mode: 0660
+
+- name: Copy uwsgi config
+  copy:
+      src: uwsgi-pogojig.ini
+      dest: /etc/uwsgi.d/pogojig.ini
+      owner: uwsgi-pogojig
+      group: uwsgi
+      mode: 440
+
+- name: Copy job processor systemd service config
+  template:
+      src: pogojig-job-processor.service.j2
+      dest: /etc/systemd/system/pogojig-job-processor.service
+
+- name: Enable uwsgi systemd socket
+  systemd:
+      daemon-reload: yes
+      name: uwsgi-app@pogojig.socket
+      enabled: yes
+
+# FIXME the socket doesn't seem to work properly
+- name: Enable uwsgi systemd service
+  systemd:
+      daemon-reload: yes
+      name: uwsgi-app@pogojig.service
+      enabled: yes
+
+- name: Copy pogojig cache dir tmpfiles.d config
+  template:
+      src: tmpfiles-pogojig.conf.j2
+      dest: /etc/tmpfiles.d/pogojig.conf
+      owner: root
+      group: root
+      mode: 0644
+  register: pogojig_tmpfiles_config
+
+- name: Kick systemd tmpfiles service to create cache dir
+  command: systemd-tmpfiles --create
+  when: pogojig_tmpfiles_config is changed
+
+- name: Create job queue db
+  file:
+    path: "{{pogojig_cache}}/job_queue.sqlite3"
+    owner: root
+    group: uwsgi
+    mode: 0660
+    state: touch
+
+- name: Enable and launch job processor
+  systemd:
+      name: pogojig-job-processor.service
+      enabled: yes
+      state: restarted
+
diff --git a/setup_tracespace.yml b/setup_tracespace.yml
new file mode 100644
index 0000000..2975967
--- /dev/null
+++ b/setup_tracespace.yml
@@ -0,0 +1,9 @@
+---
+- name: Copy tracespace webapp sources
+  synchronize:
+    # FIXME: make this path configurable
+      src: ~/tracespace_dist/
+      dest: /var/www/tracespace.jaseg.net/
+      group: no
+      owner: no
+
diff --git a/setup_webserver.yml b/setup_webserver.yml
index ea821d8..671a699 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -9,13 +9,17 @@
       groups: uwsgi
       append: yes
 
-- name: Create blog.jaseg.net content dir
+- name: Create subdomain content dirs
   file:
-    path: /var/www/blog.jaseg.net
+    path: /var/www/{{item}}
     state: directory
     owner: nginx
     group: nginx
     mode: 0550
+  loop:
+      - blog.jaseg.net
+      - tracespace.jaseg.net
+      - openjscad.jaseg.net
 
 - name: Copy uwsgi systemd socket config
   copy:
@@ -38,15 +42,16 @@
       enabled: yes
       state: restarted
 
-- name: Create letsencrypt certificate for gerbolyze.jaseg.net
-  command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+- name: Create subdomain letsencrypt certificates
+  command: certbot --nginx certonly -d {{item}} -n --agree-tos --email {{item}}-letsencrypt@jaseg.net
   args:
-      creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
-
-- name: Create letsencrypt certificate for blog.jaseg.net
-  command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
-  args:
-      creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem
+      creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
+  loop:
+      - blog.jaseg.net
+      - gerbolyze.jaseg.net
+      - tracespace.jaseg.net
+      - openjscad.jaseg.net
+      - pogojig.jaseg.net
 
 - name: Copy final nginx config
   copy:
diff --git a/tmpfiles-pogojig.conf.j2 b/tmpfiles-pogojig.conf.j2
new file mode 100644
index 0000000..4e9fef1
--- /dev/null
+++ b/tmpfiles-pogojig.conf.j2
@@ -0,0 +1 @@
+d {{pogojig_cache}} 770 uwsgi-pogojig uwsgi 2d
diff --git a/uwsgi-pogojig.ini b/uwsgi-pogojig.ini
new file mode 100644
index 0000000..003702d
--- /dev/null
+++ b/uwsgi-pogojig.ini
@@ -0,0 +1,10 @@
+[uwsgi]
+master = True
+cheap = True
+die-on-idle = False
+manage-script-name = True
+plugins = python3
+chdir = /var/lib/pogojig
+mount = /=pogojig:app
+env = POGOJIG_SETTINGS=pogojig_prod.cfg
+