authorjaseg <code@jaseg.net>2021-12-07 16:53:18 +0100
committerjaseg <code@jaseg.net>2021-12-07 16:53:18 +0100
commit591b7b8aacab0400d057043761e1870205573de1 (patch)
tree85f3e90a9d436a961e1e137c2539a36ce687e804
parentab91420bb64c8b0edde838cc3073ef8f361162ae (diff)
Fix playbooks for clean re-deploy
-rw-r--r--.gitmodules3
-rw-r--r--bootstrap_arch_container.yml4
m---------checkouts/gitolite-admin0
-rw-r--r--inventory.yml2
-rw-r--r--nginx.conf400
-rw-r--r--playbook.yml159
-rw-r--r--setup_dyndns.yml6
-rw-r--r--setup_git.yml71
-rw-r--r--setup_secure_download.yml2
-rw-r--r--setup_vcd_render.yml21
-rw-r--r--setup_webserver.yml16
-rw-r--r--tmpfiles-secure-download.conf.j22
-rw-r--r--uwsgi-vcdrender.ini3
-rw-r--r--vcdrender.cfg.j22
14 files changed, 367 insertions, 324 deletions
diff --git a/.gitmodules b/.gitmodules
index 1419d27..7b38f5b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,6 @@
[submodule "checkouts/vcd-render"]
path = checkouts/vcd-render
url = git@git.jaseg.de:vcd-render.git
+[submodule "checkouts/gitolite-admin"]
+ path = checkouts/gitolite-admin
+ url = git@git.jaseg.de:gitolite-admin.git
diff --git a/bootstrap_arch_container.yml b/bootstrap_arch_container.yml
index c115539..a5a1123 100644
--- a/bootstrap_arch_container.yml
+++ b/bootstrap_arch_container.yml
@@ -13,9 +13,9 @@
- name: Download arch bootstrap image
get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2021.02.01/archlinux-bootstrap-2021.02.01-x86_64.tar.gz
+ url: http://mirror.rackspace.com/archlinux/iso/2021.12.01/archlinux-bootstrap-2021.12.01-x86_64.tar.gz
dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:90afa6b420f5d171de71fdd11fc4f10a4ef30fdf61e4f3733958bea7bdbc0fa9
+ checksum: sha256:d3d6d346001cd8a202fe5cc895897b54cc0edfc96790dd8d56888389d8a810e7
when: create_container is changed
- name: Create container image filesystem
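Review bot: The bootstrap tarball is still fetched over plain `http://` on the new `url:` line, so its integrity rests entirely on the `checksum:` line beneath it, which is kept in sync with the URL by hand (as this commit does) and is not itself checked against anything upstream. Switching the URL to `https://mirror.rackspace.com/archlinux/iso/2021.12.01/archlinux-bootstrap-2021.12.01-x86_64.tar.gz` would add transport authenticity on top of the pinned hash; whether that mirror serves TLS I cannot confirm from the hunk. Separately, `dest: /tmp/arch-bootstrap.tar.xz` keeps an `.xz` extension for a `.tar.gz` download, harmless for `get_url` but misleading for whatever unpacks it in the tasks that follow outside the hunk.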
diff --git a/checkouts/gitolite-admin b/checkouts/gitolite-admin
new file mode 160000
+Subproject ed4120795750731d9b05c5e24f09be5ad72ef21
diff --git a/inventory.yml b/inventory.yml
index 913ea5f..8ac77fe 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -2,7 +2,7 @@
all:
hosts:
wendelstein:
- ansible_host: wendelstein.jaseg.net
+ ansible_host: wendelstein.jaseg.de
ansible_ssh_identity_file: ~/.ssh/id_ed25519
ansible_user: root
ansible_python_interpreter: /usr/bin/python3
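Review bot: `ansible_ssh_identity_file` on the context line right after the changed `ansible_host` is not, as far as I know, a variable Ansible's ssh connection plugin reads; the documented name is `ansible_ssh_private_key_file`. If so, the key selection is silently ignored and the connection falls back to the agent or default keys, which hides a key-management problem instead of failing loudly. Suggest `ansible_ssh_private_key_file: ~/.ssh/id_ed25519`, or confirm that something in this repo consumes the current name.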
diff --git a/nginx.conf b/nginx.conf
index cbae89b..5f70d96 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -38,51 +38,51 @@ http {
server {
listen 80;
listen [::]:80;
- server_name .jaseg.net;
+ server_name .jaseg.de;
return 301 https://$host$request_uri;
}
- server {
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
- server_name gerbolyze.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location ^~ /static/ {
- root /var/lib/gerboweb;
- }
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
+# server {
+# listen 443 ssl http2 default_server;
+# listen [::]:443 ssl http2 default_server;
+# server_name gerbolyze.jaseg.net;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
+# ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
+# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+#
+# ssl_stapling on;
+# ssl_stapling_verify on;
+#
+# resolver 67.207.67.2 67.207.67.3 valid=300s;
+# resolver_timeout 10s;
+#
+# add_header Strict-Transport-Security "max-age=86400";
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location ^~ /static/ {
+# root /var/lib/gerboweb;
+# }
+#
+# location / {
+# include uwsgi_params;
+# uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# root /usr/share/nginx/html;
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/share/nginx/html;
+# }
+# }
server {
listen 443 ssl http2;
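Review bot: Commenting out the gerbolyze block removes the only `default_server` on 443, so nginx now hands any request with an unknown or absent SNI/Host name to whichever 443 `server` is listed first (the one beginning at the end of this hunk, whose `server_name` is outside it) and presents that site's certificate and content for it. If that is not intended, add an explicit catch-all such as `server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; ssl_reject_handshake on; }` (nginx 1.19.4 or newer), or mark the intended vhost `default_server`. The port-80 redirect is also narrowed to `server_name .jaseg.de` while setup_webserver.yml still requests certificates for `git.jaseg.net` and `blog.jaseg.net`; plain-HTTP requests for those names are still redirected only because this is the sole :80 server and hence the implicit default. Finally, the disabled vhosts here and in the next hunk, plus the commented-out plays and tasks in playbook.yml and the commented list entries in setup_webserver.yml, would be cleaner deleted — git history keeps them, and several hundred `#`-prefixed lines will hide real changes in future diffs; the enclosing `http {` block starts and ends outside this hunk.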
@@ -188,170 +188,170 @@ http {
}
}
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name kochbuch.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- auth_basic "blubb";
- auth_basic_user_file /etc/nginx/kochbuch.htpasswd;
- root /var/www/kochbuch.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name pogojig.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
- client_max_body_size 10M;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location ^~ /pogospace/ {
- root /var/lib/pogojig/pogospace;
- }
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/pogojig.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name tracespace.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- root /var/www/tracespace.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name openjscad.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- root /var/www/openjscad.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
+# server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name kochbuch.jaseg.de;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.de/fullchain.pem";
+# ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.de/privkey.pem";
+# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+#
+# ssl_stapling on;
+# ssl_stapling_verify on;
+#
+# resolver 67.207.67.2 67.207.67.3 valid=300s;
+# resolver_timeout 10s;
+#
+# add_header Strict-Transport-Security "max-age=86400";
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location / {
+# auth_basic "blubb";
+# auth_basic_user_file /etc/nginx/kochbuch.htpasswd;
+# root /var/www/kochbuch.jaseg.de;
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# root /usr/share/nginx/html;
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/share/nginx/html;
+# }
+# }
+
+# server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name pogojig.jaseg.net;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
+# ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
+# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+#
+# ssl_stapling on;
+# ssl_stapling_verify on;
+#
+# resolver 67.207.67.2 67.207.67.3 valid=300s;
+# resolver_timeout 10s;
+# client_max_body_size 10M;
+#
+# add_header Strict-Transport-Security "max-age=86400";
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location ^~ /pogospace/ {
+# root /var/lib/pogojig/pogospace;
+# }
+#
+# location / {
+# include uwsgi_params;
+# uwsgi_pass unix:/run/uwsgi/pogojig.socket;
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# root /usr/share/nginx/html;
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/share/nginx/html;
+# }
+# }
+
+# server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name tracespace.jaseg.net;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
+# ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
+# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+#
+# ssl_stapling on;
+# ssl_stapling_verify on;
+#
+# resolver 67.207.67.2 67.207.67.3 valid=300s;
+# resolver_timeout 10s;
+#
+# add_header Strict-Transport-Security "max-age=86400";
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location / {
+# root /var/www/tracespace.jaseg.net;
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# root /usr/share/nginx/html;
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/share/nginx/html;
+# }
+# }
+#
+# server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name openjscad.jaseg.net;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
+# ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
+# ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+#
+# ssl_stapling on;
+# ssl_stapling_verify on;
+#
+# resolver 67.207.67.2 67.207.67.3 valid=300s;
+# resolver_timeout 10s;
+#
+# add_header Strict-Transport-Security "max-age=86400";
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location / {
+# root /var/www/openjscad.jaseg.net;
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# root /usr/share/nginx/html;
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# root /usr/share/nginx/html;
+# }
+# }
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name vcdrender.jaseg.net;
+ server_name vcdrender.jaseg.de;
root /usr/share/nginx/html;
- ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.net/privkey.pem";
+ ssl_certificate "/etc/letsencrypt/live/vcdrender.jaseg.de/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/vcdrender.jaseg.de/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf;
diff --git a/playbook.yml b/playbook.yml
index a34e8fe..d09aeb6 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,34 +1,34 @@
-- name: DNS setup
- hosts: localhost
- tags: dns
- module_defaults:
- inwx:
- username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}"
- password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}"
- vars:
- subdomains:
- - git.jaseg.net
- - git.jaseg.de
- - blog.jaseg.net
- - blog.jaseg.de
- - kochbuch.jaseg.net
- - gerbolyze.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
- - pogojig.jaseg.net
- - automation.jaseg.de
- - dyndns.jaseg.de
- fastmail_domains:
- - jaseg.net
- - jaseg.de
- tasks:
- - name: Gather wendelstein facts
- setup:
- delegate_to: wendelstein
- delegate_facts: True
-
- - name: Setup DNS
- include_tasks: dns.yml
+#- name: DNS setup
+# hosts: localhost
+# tags: dns
+# module_defaults:
+# inwx:
+# username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}"
+# password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}"
+# vars:
+# subdomains:
+# - git.jaseg.net
+# - git.jaseg.de
+# - blog.jaseg.net
+# - blog.jaseg.de
+# - kochbuch.jaseg.net
+# - gerbolyze.jaseg.net
+# - tracespace.jaseg.net
+# - openjscad.jaseg.net
+# - pogojig.jaseg.net
+# - automation.jaseg.de
+# - dyndns.jaseg.de
+# fastmail_domains:
+# - jaseg.net
+# - jaseg.de
+# tasks:
+# - name: Gather wendelstein facts
+# setup:
+# delegate_to: wendelstein
+# delegate_facts: True
+#
+# - name: Setup DNS
+# include_tasks: dns.yml
- name: Wendelstein setup
@@ -37,7 +37,7 @@
- name: Set hostname
tags: setup
hostname:
- name: wendelstein.jaseg.net
+ name: wendelstein.jaseg.de
- name: Install common admin tools
tags: setup
@@ -48,7 +48,7 @@
- name: Install host requisites
tags: setup
dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd
+ name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd,python3-virtualenv
state: latest
- name: Disable password-based root login
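Review bot: `state: latest` on this `dnf` task means every run of the `setup` tag upgrades all of these packages to whatever the mirror currently offers, so the task is never idempotent and a re-deploy can pull an unplanned nginx, uwsgi or certbot upgrade onto the host; the newly added `python3-virtualenv` inherits that behaviour. `state: present` gives the reproducible re-deploy the commit title is after, with upgrades left to a deliberate separate step. The same `state: latest` is on the dnf tasks in setup_git.yml and setup_vcd_render.yml in this commit. The single comma-joined `name:` string would also read better, and diff better, as a YAML list with one package per line.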
@@ -82,17 +82,17 @@
enabled: yes
state: started
- - name: Create containers
- tags: setup
- include_tasks:
- file: setup_containers.yml
- apply:
- tags: setup
- vars:
- containers:
- - gerboweb
- - clippy
- - pogojig
+# - name: Create containers
+# tags: setup
+# include_tasks:
+# file: setup_containers.yml
+# apply:
+# tags: setup
+# vars:
+# containers:
+# - gerboweb
+# - clippy
+# - pogojig
- name: Setup web server
tags: www
@@ -101,19 +101,19 @@
apply:
tags: www
- - name: Setup gerboweb
- tags: gerboweb
- include_tasks:
- file: setup_gerboweb.yml
- apply:
- tags: gerboweb
+# - name: Setup gerboweb
+# tags: gerboweb
+# include_tasks:
+# file: setup_gerboweb.yml
+# apply:
+# tags: gerboweb
- - name: Setup clippy
- tags: clippy
- include_tasks:
- file: setup_clippy.yml
- apply:
- tags: clippy
+# - name: Setup clippy
+# tags: clippy
+# include_tasks:
+# file: setup_clippy.yml
+# apply:
+# tags: clippy
- name: Setup secure download
tags: secure-download
@@ -122,26 +122,26 @@
apply:
tags: secure-download
- - name: Setup tracespace
- tags: pogojig
- include_tasks:
- file: setup_tracespace.yml
- apply:
- tags: pogojig
-
- - name: Setup openjscad
- tags: pogojig
- include_tasks:
- file: setup_openjscad.yml
- apply:
- tags: pogojig
-
- - name: Setup pogojig
- tags: pogojig
- include_tasks:
- file: setup_pogojig.yml
- apply:
- tags: pogojig
+# - name: Setup tracespace
+# tags: pogojig
+# include_tasks:
+# file: setup_tracespace.yml
+# apply:
+# tags: pogojig
+
+# - name: Setup openjscad
+# tags: pogojig
+# include_tasks:
+# file: setup_openjscad.yml
+# apply:
+# tags: pogojig
+
+# - name: Setup pogojig
+# tags: pogojig
+# include_tasks:
+# file: setup_pogojig.yml
+# apply:
+# tags: pogojig
- name: Setup notification proxy
tags: notification-proxy
@@ -164,3 +164,10 @@
file: setup_dyndns.yml
apply:
tags: dyndns
+
+ - name: Setup vcd-to-8-segment-svg render thingy for TUD's WS2021 LE course
+ tags: vcdrender
+ include_tasks:
+ file: setup_vcd_render.yml
+ apply:
+ tags: vcdrender
diff --git a/setup_dyndns.yml b/setup_dyndns.yml
index d9735c7..c79944f 100644
--- a/setup_dyndns.yml
+++ b/setup_dyndns.yml
@@ -11,6 +11,12 @@
group: root
mode: 0644
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved.service
+ enabled: no
+ state: stopped
+
- name: Enable and launch nsd systemd service
systemd:
name: nsd.service
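Review bot: Stopping and disabling `systemd-resolved` leaves the host's own name resolution depending on what `/etc/resolv.conf` points at; on systems where that file is the stub-resolver symlink (`127.0.0.53`), the box loses DNS until a replacement resolv.conf is written, and nothing in this hunk provides one, so confirm a later task or the distro default covers it. If the intent is to free port 53 for nsd permanently, `masked: true` is the more robust form, since a merely disabled unit can be pulled back in by a dependency or a package update. Style: `enabled: no` is a YAML 1.1 truthy spelling that the surrounding file also uses; `false` is unambiguous across parsers.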
diff --git a/setup_git.yml b/setup_git.yml
index 4cad914..4b88101 100644
--- a/setup_git.yml
+++ b/setup_git.yml
@@ -1,6 +1,10 @@
+- name: Set local facts
+ set_fact:
+ gitolite_ssh_key: ~/.ssh/id_ed25519.gitolite
+
- name: Install host requisites
dnf:
- name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown,python3-markdown
+ name: cgit,gitolite3,python3-pygments,python3-docutils,python3-markdown
state: latest
- name: Copy cgit logo
@@ -47,6 +51,7 @@
daemon-reload: yes
name: uwsgi-app@cgit.socket
enabled: yes
+ state: started
- name: Check if gitolite ssh config exists
stat:
@@ -57,7 +62,7 @@
block:
- name: Copy gitolite admin pubkey
copy:
- src: ~/.ssh/id_ed25519.gitolite.pub
+ src: "{{gitolite_ssh_key}}.pub"
dest: /tmp/jaseg-gitolite.pub
owner: gitolite3
group: gitolite3
@@ -90,16 +95,6 @@
groups: gitolite3
append: yes
-- name: Allow cgit uwsgi user to access gitolite repos
- file:
- path: /var/lib/gitolite3/repositories
- mode: 0750
-
-- name: Allow cgit uwsgi user to gitolite repo list
- file:
- path: /var/lib/gitolite3/projects.list
- mode: 0640
-
- name: Copy gitolite rc
copy:
src: gitolite.rc
@@ -108,6 +103,30 @@
group: gitolite3
mode: 0600
+- name: Query system user account info
+ getent:
+ database: passwd
+ key: gitolite3
+
+- name: Create git alias user
+ user:
+ name: git
+ create_home: no
+ group: gitolite3
+ password: '!'
+ comment: Alias for gitolite3 user
+ shell: "{{ getent_passwd['gitolite3'][5] }}"
+ system: yes
+ non_unique: yes
+ home: "{{ getent_passwd['gitolite3'][4] }}"
+ uid: "{{ getent_passwd['gitolite3'][1] }}"
+
+- name: Upload gitolite-admin repo
+ command: env "GIT_SSH_COMMAND=ssh -i {{gitolite_ssh_key}}" git push --force git@{{ansible_hostname}}:gitolite-admin.git master
+ args:
+ chdir: checkouts/gitolite-admin
+ delegate_to: localhost
+
- name: Create gitolite hook dir
file:
path: /var/lib/gitolite3/local/hooks/repo-specific
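Review bot: The delegated push addresses the server as `git@{{ansible_hostname}}`, which is the gathered short-hostname fact rather than the inventory address, so from the controller it only works if that short name happens to resolve locally; `hostvars[inventory_hostname].ansible_host` (the `wendelstein.jaseg.de` this commit sets in inventory.yml) is the address the rest of the play already connects to. Because it is a `command` task it reports `changed` on every run, and `git push --force` silently discards any gitolite-admin commits made directly on the host — acceptable for a clean re-deploy, but it deserves a comment on the task so a routine run does not surprise anyone. Wrapping the key in `env` works, though the task-level `environment:` keyword is the idiomatic way to set `GIT_SSH_COMMAND`. The push also relies on the server's ssh host key already being in the controller's known_hosts; otherwise the task blocks on the interactive prompt.
```yaml
- name: Upload gitolite-admin repo
  # Force-push replaces whatever the server currently has in gitolite-admin;
  # keys or conf edited directly on the host are lost. Intended for clean re-deploy.
  command: git push --force git@{{ hostvars[inventory_hostname].ansible_host }}:gitolite-admin.git master
  args:
    chdir: checkouts/gitolite-admin
  environment:
    GIT_SSH_COMMAND: "ssh -i {{ gitolite_ssh_key }}"
  delegate_to: localhost
  register: gitolite_admin_push
  changed_when: "'Everything up-to-date' not in gitolite_admin_push.stderr"
```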
@@ -132,27 +151,19 @@
group: gitolite3
mode: 0570
-- name: Query system user account info
- getent:
- database: passwd
- key: gitolite3
-
-- name: Create git alias user
- user:
- name: git
- create_home: no
- group: gitolite3
- password: '!'
- comment: Alias for gitolite3 user
- shell: "{{ getent_passwd['gitolite3'][5] }}"
- system: yes
- non_unique: yes
- home: "{{ getent_passwd['gitolite3'][4] }}"
- uid: "{{ getent_passwd['gitolite3'][1] }}"
-
- name: Hack to fix cgit handling for restructuredtext readmes
file:
src: /usr/bin/rst2html
dest: /usr/bin/rst2html.py
state: link
+- name: Allow cgit uwsgi user to access gitolite repos
+ file:
+ path: /var/lib/gitolite3/repositories
+ mode: 0750
+
+- name: Allow cgit uwsgi user to gitolite repo list
+ file:
+ path: /var/lib/gitolite3/projects.list
+ mode: 0640
+
diff --git a/setup_secure_download.yml b/setup_secure_download.yml
index 7fe37de..12e0085 100644
--- a/setup_secure_download.yml
+++ b/setup_secure_download.yml
@@ -5,7 +5,7 @@
- name: Copy webapp sources
synchronize:
- src: checkouts/secure_download/
+ src: checkouts/secure-download/
dest: /var/lib/secure_download/
group: no
owner: no
diff --git a/setup_vcd_render.yml b/setup_vcd_render.yml
index 0a8ed5d..db43b1b 100644
--- a/setup_vcd_render.yml
+++ b/setup_vcd_render.yml
@@ -3,6 +3,11 @@
set_fact:
vcdrender_cache: /var/cache/vcd-render
+- name: Install host requisites
+ dnf:
+ name: python3-lxml
+ state: latest
+
- name: Copy webapp sources
synchronize:
src: checkouts/vcd-render/
@@ -11,6 +16,15 @@
group: no
owner: no
+- name: Setup webapp python requirements
+ pip:
+ name:
+ - beautifulsoup4
+ - flask
+ - vcdvcd
+ virtualenv: /var/lib/vcd-render/venv
+ virtualenv_site_packages: true
+
- name: Create uwsgi worker user and group
user:
name: uwsgi-vcdrender
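Review bot: The `pip` task installs `beautifulsoup4`, `flask` and `vcdvcd` without version pins or hashes, so each re-deploy resolves the newest release on PyPI and the venv contents depend on the install date; a later major release of flask or bs4 can break the app with no change in this repo. Pin the versions (`flask==<pinned-version>` and so on, or a requirements file passed via `requirements:` and installed with `--require-hashes`) so the deploy is reproducible and auditable. `virtualenv_site_packages: true` additionally layers the dnf-installed `python3-lxml`/`python3-flask` packages under the venv, which makes the effective dependency set depend on the system package state; if the venv is meant to isolate the app, drop that flag and add `lxml` to the pinned list instead.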
@@ -23,8 +37,8 @@
- name: Template webapp config
template:
src: vcdrender.cfg.j2
- dest: /var/lib/pogojig/pogojig_prod.cfg
- owner: uwsgi-pogojig
+ dest: /var/lib/vcd-render/vcdrender_prod.cfg
+ owner: uwsgi-vcdrender
group: root
mode: 0660
@@ -41,6 +55,7 @@
daemon-reload: yes
name: uwsgi-app@vcdrender.socket
enabled: yes
+ state: started
# FIXME the socket doesn't seem to work properly
- name: Enable uwsgi systemd service
@@ -49,7 +64,7 @@
name: uwsgi-app@vcdrender.service
enabled: yes
-- name: Copy pogojig cache dir tmpfiles.d config
+- name: Copy vcdrender cache dir tmpfiles.d config
template:
src: tmpfiles-vcdrender.conf.j2
dest: /etc/tmpfiles.d/vcdrender.conf
diff --git a/setup_webserver.yml b/setup_webserver.yml
index 3c6c868..8e5657f 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -20,8 +20,8 @@
- git.jaseg.de
- blog.jaseg.de
- kochbuch.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
+# - tracespace.jaseg.net
+# - openjscad.jaseg.net
- automation.jaseg.de
- name: Create blog content dir
@@ -61,15 +61,15 @@
- git.jaseg.de
- blog.jaseg.net
- blog.jaseg.de
- - kochbuch.jaseg.net
- - kochbuch.jaseg.de
- - gerbolyze.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
- - pogojig.jaseg.net
- automation.jaseg.de
- dyndns.jaseg.de
- vcdrender.jaseg.de
+# - kochbuch.jaseg.de
+# - kochbuch.jaseg.net
+# - gerbolyze.jaseg.net
+# - tracespace.jaseg.net
+# - openjscad.jaseg.net
+# - pogojig.jaseg.net
- name: Copy final nginx config
copy:
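Review bot: `kochbuch.jaseg.net` is commented out of the certificate domain list here and its nginx vhost is disabled in this commit, but it is left active in the first list of this file (the context line in the previous hunk, whose key is outside both hunks), so that list and the certificate request now disagree; either drop it there too or confirm the first list is unrelated to what is served. The names that stay in the certificate list (`git.jaseg.net`, `blog.jaseg.net`) also no longer match the port-80 redirect's `server_name .jaseg.de` in nginx.conf and are covered only by implicit default-server behaviour. As with nginx.conf, the commented entries in both hunks of this file would be simpler deleted than kept as `#` lines.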
diff --git a/tmpfiles-secure-download.conf.j2 b/tmpfiles-secure-download.conf.j2
index 84d7add..0dad15e 100644
--- a/tmpfiles-secure-download.conf.j2
+++ b/tmpfiles-secure-download.conf.j2
@@ -1 +1 @@
-d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d
+d {{secure_download_dir}} 770 uwsgi-secure-download uwsgi 45d
diff --git a/uwsgi-vcdrender.ini b/uwsgi-vcdrender.ini
index c4df516..999239c 100644
--- a/uwsgi-vcdrender.ini
+++ b/uwsgi-vcdrender.ini
@@ -5,6 +5,7 @@ die-on-idle = False
manage-script-name = True
plugins = python3
chdir = /var/lib/vcd-render
-mount = /=pogojig:app
+mount = /=8seg_vcd_render:app
env = VCD8SEG_SETTINGS=vcdrender_prod.cfg
+home = /var/lib/vcd-render/venv
diff --git a/vcdrender.cfg.j2 b/vcdrender.cfg.j2
index 2026606..0f8efde 100644
--- a/vcdrender.cfg.j2
+++ b/vcdrender.cfg.j2
@@ -1,2 +1,2 @@
SECRET_KEY="{{lookup('password', 'vcdrender_flask_secret.txt length=32')}}"
-UPLOAD_PATH="{{pogojig_cache}}/upload"
+UPLOAD_PATH="{{vcdrender_cache}}/upload"