author | jaseg <code@jaseg.net> | 2021-12-07 16:53:18 +0100 |
---|---|---|
committer | jaseg <code@jaseg.net> | 2021-12-07 16:53:18 +0100 |
commit | 591b7b8aacab0400d057043761e1870205573de1 (patch) | |
tree | 85f3e90a9d436a961e1e137c2539a36ce687e804 | |
parent | ab91420bb64c8b0edde838cc3073ef8f361162ae (diff) | |
Fix playbooks for clean re-deploy
-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | bootstrap_arch_container.yml | 4 | ||||
m--------- | checkouts/gitolite-admin | 0 | ||||
-rw-r--r-- | inventory.yml | 2 | ||||
-rw-r--r-- | nginx.conf | 400 | ||||
-rw-r--r-- | playbook.yml | 159 | ||||
-rw-r--r-- | setup_dyndns.yml | 6 | ||||
-rw-r--r-- | setup_git.yml | 71 | ||||
-rw-r--r-- | setup_secure_download.yml | 2 | ||||
-rw-r--r-- | setup_vcd_render.yml | 21 | ||||
-rw-r--r-- | setup_webserver.yml | 16 | ||||
-rw-r--r-- | tmpfiles-secure-download.conf.j2 | 2 | ||||
-rw-r--r-- | uwsgi-vcdrender.ini | 3 | ||||
-rw-r--r-- | vcdrender.cfg.j2 | 2 |
14 files changed, 367 insertions, 324 deletions
diff --git a/.gitmodules b/.gitmodules
index 1419d27..7b38f5b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,6 @@
 [submodule "checkouts/vcd-render"]
 path = checkouts/vcd-render
 url = git@git.jaseg.de:vcd-render.git
+[submodule "checkouts/gitolite-admin"]
+ path = checkouts/gitolite-admin
+ url = git@git.jaseg.de:gitolite-admin.git
diff --git a/bootstrap_arch_container.yml b/bootstrap_arch_container.yml
index c115539..a5a1123 100644
--- a/bootstrap_arch_container.yml
+++ b/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
 - name: Download arch bootstrap image
 get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2021.02.01/archlinux-bootstrap-2021.02.01-x86_64.tar.gz
+ url: http://mirror.rackspace.com/archlinux/iso/2021.12.01/archlinux-bootstrap-2021.12.01-x86_64.tar.gz
 dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:90afa6b420f5d171de71fdd11fc4f10a4ef30fdf61e4f3733958bea7bdbc0fa9
+ checksum: sha256:d3d6d346001cd8a202fe5cc895897b54cc0edfc96790dd8d56888389d8a810e7
 when: create_container is changed
 - name: Create container image filesystem
diff --git a/checkouts/gitolite-admin b/checkouts/gitolite-admin
new file mode 160000
+Subproject ed4120795750731d9b05c5e24f09be5ad72ef21
diff --git a/inventory.yml b/inventory.yml
index 913ea5f..8ac77fe 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -2,7 +2,7 @@
 all:
 hosts:
 wendelstein:
- ansible_host: wendelstein.jaseg.net
+ ansible_host: wendelstein.jaseg.de
 ansible_ssh_identity_file: ~/.ssh/id_ed25519
 ansible_user: root
 ansible_python_interpreter: /usr/bin/python3
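Review bot: The updated bootstrap image is still fetched over plain http, and `dest: /tmp/arch-bootstrap.tar.xz` names an xz archive for a URL that ends in `.tar.gz`. The pinned sha256 on the following line covers integrity, so the transport is tolerable, but the extension mismatch can mislead whatever unpacks /tmp/arch-bootstrap.tar.xz in the "Create container image filesystem" task, whose body is outside this hunk. Suggest `dest: /tmp/arch-bootstrap.tar.gz`, and switching the scheme to https if the mirror supports it, so the download is not also readable in transit.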
@@ -38,51 +38,51 @@ http { server { listen 80; listen [::]:80; - server_name .jaseg.net; + server_name .jaseg.de; return 301 https://$host$request_uri; } - server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - server_name gerbolyze.jaseg.net; - root /usr/share/nginx/html; - - ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem"; - ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; - - add_header Strict-Transport-Security "max-age=86400"; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location ^~ /static/ { - root /var/lib/gerboweb; - } - - location / { - include uwsgi_params; - uwsgi_pass unix:/run/uwsgi/gerboweb.socket; - } - - error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } +# server { +# listen 443 ssl http2 default_server; +# listen [::]:443 ssl http2 default_server; +# server_name gerbolyze.jaseg.net; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem"; +# ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem"; +# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# +# ssl_stapling on; +# ssl_stapling_verify on; +# +# resolver 67.207.67.2 67.207.67.3 valid=300s; +# resolver_timeout 10s; +# +# add_header Strict-Transport-Security "max-age=86400"; +# +# # Load configuration files for the default server block. 
+# include /etc/nginx/default.d/*.conf; +# +# location ^~ /static/ { +# root /var/lib/gerboweb; +# } +# +# location / { +# include uwsgi_params; +# uwsgi_pass unix:/run/uwsgi/gerboweb.socket; +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# root /usr/share/nginx/html; +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# root /usr/share/nginx/html; +# } +# } server { listen 443 ssl http2; 
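Review bot: Commenting out the gerbolyze block also removes the only `default_server` on port 443 (the `listen 443 ssl http2 default_server;` / `listen [::]:443 ssl http2 default_server;` pair at the top of the removed block), so a request with an unknown or missing SNI/Host is now answered by whichever 443 server block comes first in the file, presumably the one whose header `server { listen 443 ssl http2;` closes this hunk, using that site's certificate. A small explicit catch-all, e.g. `server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; return 444; }` with one of the existing certificate pairs, keeps decommissioned or mistyped hostnames from silently landing on an unrelated site. The hunk sits inside the `http {` block, whose start and end lie outside it.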
@@ -188,170 +188,170 @@ http { } } - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name kochbuch.jaseg.net; - root /usr/share/nginx/html; - - ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.net/privkey.pem"; - ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; - - add_header Strict-Transport-Security "max-age=86400"; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - auth_basic "blubb"; - auth_basic_user_file /etc/nginx/kochbuch.htpasswd; - root /var/www/kochbuch.jaseg.net; - } - - error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name pogojig.jaseg.net; - root /usr/share/nginx/html; - - ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem"; - ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; - client_max_body_size 10M; - - add_header Strict-Transport-Security "max-age=86400"; - - # Load configuration files for the default server block. 
- include /etc/nginx/default.d/*.conf; - - location ^~ /pogospace/ { - root /var/lib/pogojig/pogospace; - } - - location / { - include uwsgi_params; - uwsgi_pass unix:/run/uwsgi/pogojig.socket; - } - - error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name tracespace.jaseg.net; - root /usr/share/nginx/html; - - ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem"; - ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; - - add_header Strict-Transport-Security "max-age=86400"; - - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; - - location / { - root /var/www/tracespace.jaseg.net; - } - - error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name openjscad.jaseg.net; - root /usr/share/nginx/html; - - ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem"; - ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; - - add_header Strict-Transport-Security "max-age=86400"; - - # Load configuration files for the default server block. 
- include /etc/nginx/default.d/*.conf; - - location / { - root /var/www/openjscad.jaseg.net; - } - - error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name kochbuch.jaseg.de; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.de/fullchain.pem"; +# ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.de/privkey.pem"; +# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# +# ssl_stapling on; +# ssl_stapling_verify on; +# +# resolver 67.207.67.2 67.207.67.3 valid=300s; +# resolver_timeout 10s; +# +# add_header Strict-Transport-Security "max-age=86400"; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# location / { +# auth_basic "blubb"; +# auth_basic_user_file /etc/nginx/kochbuch.htpasswd; +# root /var/www/kochbuch.jaseg.de; +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# root /usr/share/nginx/html; +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# root /usr/share/nginx/html; +# } +# } + +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name pogojig.jaseg.net; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem"; +# ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem"; +# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# +# ssl_stapling on; +# ssl_stapling_verify on; +# +# resolver 67.207.67.2 67.207.67.3 valid=300s; +# resolver_timeout 10s; +# client_max_body_size 10M; +# +# add_header Strict-Transport-Security "max-age=86400"; +# +# # Load configuration files for the default server block. 
+# include /etc/nginx/default.d/*.conf; +# +# location ^~ /pogospace/ { +# root /var/lib/pogojig/pogospace; +# } +# +# location / { +# include uwsgi_params; +# uwsgi_pass unix:/run/uwsgi/pogojig.socket; +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# root /usr/share/nginx/html; +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# root /usr/share/nginx/html; +# } +# } + +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name tracespace.jaseg.net; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem"; +# ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem"; +# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# +# ssl_stapling on; +# ssl_stapling_verify on; +# +# resolver 67.207.67.2 67.207.67.3 valid=300s; +# resolver_timeout 10s; +# +# add_header Strict-Transport-Security "max-age=86400"; +# +# # Load configuration files for the default server block. 
+# include /etc/nginx/default.d/*.conf; +# +# location / { +# root /var/www/tracespace.jaseg.net; +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# root /usr/share/nginx/html; +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# root /usr/share/nginx/html; +# } +# } +# +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name openjscad.jaseg.net; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem"; +# ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem"; +# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; +# include /etc/letsencrypt/options-ssl-nginx.conf; +# +# ssl_stapling on; +# ssl_stapling_verify on; +# +# resolver 67.207.67.2 67.207.67.3 valid=300s; +# resolver_timeout 10s; +# +# add_header Strict-Transport-Security "max-age=86400"; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# location / { +# root /var/www/openjscad.jaseg.net; +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# root /usr/share/nginx/html; +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# root /usr/share/nginx/html; +# } +# } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name vcdrender.jaseg.net; + server_name vcdrender.jaseg.de; root /usr/share/nginx/html; - ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.net/fullchain.pem"; - ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.net/privkey.pem"; + ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.de/fullchain.pem"; + ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.de/privkey.pem"; ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; include /etc/letsencrypt/options-ssl-nginx.conf; diff --git a/playbook.yml b/playbook.yml index a34e8fe..d09aeb6 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -1,34 +1,34 @@ -- name: DNS setup - hosts: localhost - tags: dns - module_defaults: - inwx: - username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}" - password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}" - vars: - subdomains: - - git.jaseg.net - - git.jaseg.de - - blog.jaseg.net - - blog.jaseg.de - - kochbuch.jaseg.net - - gerbolyze.jaseg.net - - tracespace.jaseg.net - - openjscad.jaseg.net - - pogojig.jaseg.net - - automation.jaseg.de - - dyndns.jaseg.de - fastmail_domains: - - jaseg.net - - jaseg.de - tasks: - - name: Gather wendelstein facts - setup: - delegate_to: wendelstein - delegate_facts: True - - - name: Setup DNS - include_tasks: dns.yml +#- name: DNS setup +# hosts: localhost +# tags: dns +# module_defaults: +# inwx: +# username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}" +# password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}" +# vars: +# subdomains: +# - git.jaseg.net +# - git.jaseg.de +# - blog.jaseg.net +# - blog.jaseg.de +# - kochbuch.jaseg.net +# - gerbolyze.jaseg.net +# - tracespace.jaseg.net +# - openjscad.jaseg.net +# - pogojig.jaseg.net +# - automation.jaseg.de +# - dyndns.jaseg.de +# fastmail_domains: +# - jaseg.net +# - jaseg.de +# tasks: +# - name: Gather wendelstein facts +# setup: +# delegate_to: wendelstein +# delegate_facts: True +# +# - name: Setup DNS +# include_tasks: dns.yml - name: Wendelstein setup @@ -37,7 +37,7 @@ - name: Set hostname tags: setup hostname: - name: wendelstein.jaseg.net + name: wendelstein.jaseg.de - name: Install common admin tools tags: setup 
@@ -48,7 +48,7 @@ - name: Install host requisites tags: setup dnf: - name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd + name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd,python3-virtualenv state: latest - name: Disable password-based root login @@ -82,17 +82,17 @@ enabled: yes state: started - - name: Create containers - tags: setup - include_tasks: - file: setup_containers.yml - apply: - tags: setup - vars: - containers: - - gerboweb - - clippy - - pogojig +# - name: Create containers +# tags: setup +# include_tasks: +# file: setup_containers.yml +# apply: +# tags: setup +# vars: +# containers: +# - gerboweb +# - clippy +# - pogojig - name: Setup web server tags: www @@ -101,19 +101,19 @@ apply: tags: www - - name: Setup gerboweb - tags: gerboweb - include_tasks: - file: setup_gerboweb.yml - apply: - tags: gerboweb +# - name: Setup gerboweb +# tags: gerboweb +# include_tasks: +# file: setup_gerboweb.yml +# apply: +# tags: gerboweb - - name: Setup clippy - tags: clippy - include_tasks: - file: setup_clippy.yml - apply: - tags: clippy +# - name: Setup clippy +# tags: clippy +# include_tasks: +# file: setup_clippy.yml +# apply: +# tags: clippy - name: Setup secure download tags: secure-download 
@@ -122,26 +122,26 @@ apply: tags: secure-download - - name: Setup tracespace - tags: pogojig - include_tasks: - file: setup_tracespace.yml - apply: - tags: pogojig - - - name: Setup openjscad - tags: pogojig - include_tasks: - file: setup_openjscad.yml - apply: - tags: pogojig - - - name: Setup pogojig - tags: pogojig - include_tasks: - file: setup_pogojig.yml - apply: - tags: pogojig +# - name: Setup tracespace +# tags: pogojig +# include_tasks: +# file: setup_tracespace.yml +# apply: +# tags: pogojig + +# - name: Setup openjscad +# tags: pogojig +# include_tasks: +# file: setup_openjscad.yml +# apply: +# tags: pogojig + +# - name: Setup pogojig +# tags: pogojig +# include_tasks: +# file: setup_pogojig.yml +# apply: +# tags: pogojig - name: Setup notification proxy tags: notification-proxy @@ -164,3 +164,10 @@ file: setup_dyndns.yml apply: tags: dyndns + + - name: Setup vcd-to-8-segment-svg render thingy for TUD's WS2021 LE course + tags: vcdrender + include_tasks: + file: setup_vcd_render.yml + apply: + tags: vcdrender diff --git a/setup_dyndns.yml b/setup_dyndns.yml index d9735c7..c79944f 100644 --- a/setup_dyndns.yml +++ b/setup_dyndns.yml @@ -11,6 +11,12 @@ group: root mode: 0644 +- name: Disable systemd-resolved + systemd: + name: systemd-resolved.service + enabled: no + state: stopped + - name: Enable and launch nsd systemd service systemd: name: nsd.service diff --git a/setup_git.yml b/setup_git.yml index 4cad914..4b88101 100644 --- a/setup_git.yml +++ b/setup_git.yml @@ -1,6 +1,10 @@ +- name: Set local facts + set_fact: + gitolite_ssh_key: ~/.ssh/id_ed25519.gitolite + - name: Install host requisites dnf: - name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown,python3-markdown + name: cgit,gitolite3,python3-pygments,python3-docutils,python3-markdown state: latest - name: Copy cgit logo @@ -47,6 +51,7 @@ daemon-reload: yes name: uwsgi-app@cgit.socket enabled: yes + state: started - name: Check if gitolite ssh config exists stat: 
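Review bot: Stopping and disabling `systemd-resolved.service` without touching /etc/resolv.conf can leave the host without a working resolver: where /etc/resolv.conf points at the 127.0.0.53 stub, every later lookup in this playbook (the dnf and pip tasks in setup_vcd_render.yml, certbot) fails once the stub is gone. The task should be paired with one that writes a static /etc/resolv.conf, or points it at the new nsd instance if that is meant to answer recursive queries, and masking the unit is worth considering so a package update cannot re-enable it and collide with nsd on port 53 again. Whether this host actually uses the stub resolver is not visible here, so treat this as a check before the next clean deploy.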
@@ -57,7 +62,7 @@ block: - name: Copy gitolite admin pubkey copy: - src: ~/.ssh/id_ed25519.gitolite.pub + src: "{{gitolite_ssh_key}}.pub" dest: /tmp/jaseg-gitolite.pub owner: gitolite3 group: gitolite3 @@ -90,16 +95,6 @@ groups: gitolite3 append: yes -- name: Allow cgit uwsgi user to access gitolite repos - file: - path: /var/lib/gitolite3/repositories - mode: 0750 - -- name: Allow cgit uwsgi user to gitolite repo list - file: - path: /var/lib/gitolite3/projects.list - mode: 0640 - - name: Copy gitolite rc copy: src: gitolite.rc @@ -108,6 +103,30 @@ group: gitolite3 mode: 0600 +- name: Query system user account info + getent: + database: passwd + key: gitolite3 + +- name: Create git alias user + user: + name: git + create_home: no + group: gitolite3 + password: '!' + comment: Alias for gitolite3 user + shell: "{{ getent_passwd['gitolite3'][5] }}" + system: yes + non_unique: yes + home: "{{ getent_passwd['gitolite3'][4] }}" + uid: "{{ getent_passwd['gitolite3'][1] }}" + +- name: Upload gitolite-admin repo + command: env "GIT_SSH_COMMAND=ssh -i {{gitolite_ssh_key}}" git push --force git@{{ansible_hostname}}:gitolite-admin.git master + args: + chdir: checkouts/gitolite-admin + delegate_to: localhost + - name: Create gitolite hook dir file: path: /var/lib/gitolite3/local/hooks/repo-specific 
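Review bot: `git push --force git@{{ansible_hostname}}:gitolite-admin.git master` makes the controller's submodule checkout authoritative for the server's access-control repository: any key added or revoked directly on the server since the submodule pointer was last bumped is silently reverted on every run, and as a `command` task it reports changed each time. Since gitolite-admin holds the authorization policy, a plain `git push` that fails on divergence, or a fetch-and-compare step before the push, is the safer shape, and the task should at least carry `changed_when` so a stale pointer is noticed rather than applied. Separately, `{{ansible_hostname}}` is the short hostname gathered from the target, but the push runs on localhost where only the inventory's `ansible_host` FQDN is known to resolve; `git@{{ansible_host}}:gitolite-admin.git` avoids depending on the controller's search domain.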
@@ -132,27 +151,19 @@ group: gitolite3 mode: 0570 -- name: Query system user account info - getent: - database: passwd - key: gitolite3 - -- name: Create git alias user - user: - name: git - create_home: no - group: gitolite3 - password: '!' - comment: Alias for gitolite3 user - shell: "{{ getent_passwd['gitolite3'][5] }}" - system: yes - non_unique: yes - home: "{{ getent_passwd['gitolite3'][4] }}" - uid: "{{ getent_passwd['gitolite3'][1] }}" - - name: Hack to fix cgit handling for restructuredtext readmes file: src: /usr/bin/rst2html dest: /usr/bin/rst2html.py state: link +- name: Allow cgit uwsgi user to access gitolite repos + file: + path: /var/lib/gitolite3/repositories + mode: 0750 + +- name: Allow cgit uwsgi user to gitolite repo list + file: + path: /var/lib/gitolite3/projects.list + mode: 0640 + diff --git a/setup_secure_download.yml b/setup_secure_download.yml index 7fe37de..12e0085 100644 --- a/setup_secure_download.yml +++ b/setup_secure_download.yml @@ -5,7 +5,7 @@ - name: Copy webapp sources synchronize: - src: checkouts/secure_download/ + src: checkouts/secure-download/ dest: /var/lib/secure_download/ group: no owner: no diff --git a/setup_vcd_render.yml b/setup_vcd_render.yml index 0a8ed5d..db43b1b 100644 --- a/setup_vcd_render.yml +++ b/setup_vcd_render.yml @@ -3,6 +3,11 @@ set_fact: vcdrender_cache: /var/cache/vcd-render +- name: Install host requisites + dnf: + name: python3-lxml + state: latest + - name: Copy webapp sources synchronize: src: checkouts/vcd-render/ @@ -11,6 +16,15 @@ group: no owner: no +- name: Setup webapp python requirements + pip: + name: + - beautifulsoup4 + - flask + - vcdvcd + virtualenv: /var/lib/vcd-render/venv + virtualenv_site_packages: true + - name: Create uwsgi worker user and group user: name: uwsgi-vcdrender 
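Review bot: The new pip task in setup_vcd_render.yml installs `beautifulsoup4`, `flask` and `vcdvcd` with no version pins or hashes, so every clean re-deploy pulls whatever PyPI serves that day, a reproducibility and supply-chain gap for a service that accepts uploads (UPLOAD_PATH in vcdrender.cfg.j2). Pin the three entries (`- flask==<pinned version>` and so on) or ship a hashed requirements file in the vcd-render checkout and point the module's `requirements:` at it. `virtualenv_site_packages: true` also lets the system `python3-lxml` installed just above leak into the venv, which looks intended but deserves a one-line comment. The enclosing task list continues beyond the hunk.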
@@ -23,8 +37,8 @@ - name: Template webapp config template: src: vcdrender.cfg.j2 - dest: /var/lib/pogojig/pogojig_prod.cfg - owner: uwsgi-pogojig + dest: /var/lib/vcd-render/vcdrender_prod.cfg + owner: uwsgi-vcdrender group: root mode: 0660 @@ -41,6 +55,7 @@ daemon-reload: yes name: uwsgi-app@vcdrender.socket enabled: yes + state: started # FIXME the socket doesn't seem to work properly - name: Enable uwsgi systemd service @@ -49,7 +64,7 @@ name: uwsgi-app@vcdrender.service enabled: yes -- name: Copy pogojig cache dir tmpfiles.d config +- name: Copy vcdrender cache dir tmpfiles.d config template: src: tmpfiles-vcdrender.conf.j2 dest: /etc/tmpfiles.d/vcdrender.conf diff --git a/setup_webserver.yml b/setup_webserver.yml index 3c6c868..8e5657f 100644 --- a/setup_webserver.yml +++ b/setup_webserver.yml @@ -20,8 +20,8 @@ - git.jaseg.de - blog.jaseg.de - kochbuch.jaseg.net - - tracespace.jaseg.net - - openjscad.jaseg.net +# - tracespace.jaseg.net +# - openjscad.jaseg.net - automation.jaseg.de - name: Create blog content dir @@ -61,15 +61,15 @@ - git.jaseg.de - blog.jaseg.net - blog.jaseg.de - - kochbuch.jaseg.net - - kochbuch.jaseg.de - - gerbolyze.jaseg.net - - tracespace.jaseg.net - - openjscad.jaseg.net - - pogojig.jaseg.net - automation.jaseg.de - dyndns.jaseg.de - vcdrender.jaseg.de +# - kochbuch.jaseg.de +# - kochbuch.jaseg.net +# - gerbolyze.jaseg.net +# - tracespace.jaseg.net +# - openjscad.jaseg.net +# - pogojig.jaseg.net - name: Copy final nginx config copy: diff --git a/tmpfiles-secure-download.conf.j2 b/tmpfiles-secure-download.conf.j2 index 84d7add..0dad15e 100644 --- a/tmpfiles-secure-download.conf.j2 +++ b/tmpfiles-secure-download.conf.j2 @@ -1 +1 @@ -d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d +d {{secure_download_dir}} 770 uwsgi-secure-download uwsgi 45d diff --git a/uwsgi-vcdrender.ini b/uwsgi-vcdrender.ini index c4df516..999239c 100644 --- a/uwsgi-vcdrender.ini +++ b/uwsgi-vcdrender.ini 
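Review bot: The templated `/var/lib/vcd-render/vcdrender_prod.cfg` carries the Flask SECRET_KEY (see vcdrender.cfg.j2 in this commit) and is now written with `owner: uwsgi-vcdrender` under the unchanged `mode: 0660`, so the worker process can rewrite its own signing secret and settings. `owner: root`, `group: uwsgi-vcdrender`, `mode: 0640` keeps the file readable by the worker and writable only by the playbook. Whether the app ever needs to write this file is not visible here.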
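Review bot: The two host lists in setup_webserver.yml are now out of step: the hunk at `@@ -20,8 +20,8 @@` keeps `- kochbuch.jaseg.net` active while the hunk at `@@ -61,15 +61,15 @@` comments out both kochbuch names from what appears to be the certificate list. What each list feeds is outside the hunks, but if the first one provisions vhosts or content directories, kochbuch keeps being set up for a host that gets no certificate and, per nginx.conf in this commit, no server block. Either comment out `- kochbuch.jaseg.net` in the first list as well or add a comment saying why it stays.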
@@ -5,6 +5,7 @@
 die-on-idle = False
 manage-script-name = True
 plugins = python3
 chdir = /var/lib/vcd-render
-mount = /=pogojig:app
+mount = /=8seg_vcd_render:app
 env = VCD8SEG_SETTINGS=vcdrender_prod.cfg
+home = /var/lib/vcd-render/venv
diff --git a/vcdrender.cfg.j2 b/vcdrender.cfg.j2
index 2026606..0f8efde 100644
--- a/vcdrender.cfg.j2
+++ b/vcdrender.cfg.j2
@@ -1,2 +1,2 @@
 SECRET_KEY="{{lookup('password', 'vcdrender_flask_secret.txt length=32')}}"
-UPLOAD_PATH="{{pogojig_cache}}/upload"
+UPLOAD_PATH="{{vcdrender_cache}}/upload"
|