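---
# Gerbolyze container setup playbook.
#
# Provisions the "wendelstein" host: installs packages, hardens sshd for
# key-only root login, builds an Arch Linux container inside a loop-mounted
# btrfs image, deploys the gerboweb Flask app behind nginx + uwsgi and obtains
# a Let's Encrypt certificate. Every task modifies system state and no
# `become` is used, so the play has to run as root on the target.
- name: Gerbolyze container setup playbook
  hosts: wendelstein
  vars:
    # Backing file for the Arch container and the directory it is loop-mounted on.
    container_image: /var/cache/gerbolyze_container.img
    container_image_size: 4G
    container_root: /var/cache/gerbolyze_container
    # Arch bootstrap tarball. The sha256 pins the exact artefact; https keeps
    # the download itself from travelling in plaintext.
    bootstrap_version: "2019.03.01"
    bootstrap_url: "https://mirror.rackspace.com/archlinux/iso/{{ bootstrap_version }}/archlinux-bootstrap-{{ bootstrap_version }}-x86_64.tar.gz"
    bootstrap_sha256: "865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756"
    # Root-owned staging path (deliberately not /tmp) so that another local
    # user cannot swap the tarball between checksum verification and
    # extraction. The name matches the actual format of the download (.tar.gz).
    bootstrap_tarball: /var/cache/arch-bootstrap.tar.gz
    # pip requirement spec installed inside the container. Unpinned by default;
    # set e.g. "gerbolyze==X.Y.Z" for a reproducible deployment.
    gerbolyze_pip_spec: gerbolyze
    # Local webapp checkout rsynced to the host ("~" expands on the control machine).
    gerboweb_src: "~/gerbolyze/gerboweb/"
    gerboweb_dest: /var/lib/gerboweb/
    letsencrypt_domain: gerbolyze.jaseg.net
    letsencrypt_email: gerboweb@jaseg.net

  tasks:
    - name: Set hostname
      hostname:
        name: wendelstein.jaseg.net

    - name: Install common admin tools
      dnf:
        name:
          - htop
          - tmux
          - fish
          - mosh
          - neovim
        state: latest

    # NOTE(review): libselinux-python is the python2 binding; if the target's
    # Ansible interpreter is python3 this probably needs python3-libselinux — verify.
    - name: Install host requisites
      dnf:
        name:
          - btrfs-progs
          - arch-install-scripts
          - nginx
          - uwsgi
          - uwsgi-plugin-python3
          - python3-flask
          - python3-flask-wtf
          - systemd-container
          - certbot
          - python3-certbot-nginx
          - libselinux-python
        state: latest

    # After this only key-based root logins are accepted: make sure an
    # authorized key is in place before running the play or you lock yourself
    # out. `prohibit-password` is the current spelling of the deprecated
    # `without-password` alias. `insertbefore: BOF` keeps the directive from
    # being appended after a trailing `Match` block (where it would only apply
    # inside that block), and `validate` refuses to write a config sshd itself
    # rejects, which would otherwise kill the connection on restart.
    - name: Disable password-based root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        insertbefore: BOF
        validate: '/usr/sbin/sshd -t -f %s'
      register: disable_root_pw_ssh

    - name: Restart sshd
      systemd:
        name: sshd
        state: restarted
      when: disable_root_pw_ssh is changed

    - name: Create container image file
      command: "truncate -s {{ container_image_size }} {{ container_image }}"
      args:
        creates: "{{ container_image }}"

    # The filesystem module is idempotent: an existing btrfs is left untouched.
    - name: Create container image filesystem
      filesystem:
        dev: "{{ container_image }}"
        fstype: btrfs

    - name: Mount container image and create its fstab entry
      mount:
        src: "{{ container_image }}"
        path: "{{ container_root }}"
        state: mounted
        fstype: btrfs
        opts: loop

    # Decide from the mounted filesystem, not from whether the image file was
    # just created, whether the bootstrap still has to happen. Otherwise an
    # image that exists but was never populated (or a failed earlier run)
    # would skip the download and the unpack step would fail.
    - name: Check whether the container has already been bootstrapped
      stat:
        path: "{{ container_root }}/etc"
      register: container_etc

    - name: Download arch bootstrap image
      get_url:
        url: "{{ bootstrap_url }}"
        dest: "{{ bootstrap_tarball }}"
        checksum: "sha256:{{ bootstrap_sha256 }}"
        owner: root
        group: root
        mode: '0600'
      when: not container_etc.stat.exists

    - name: Unpack bootstrap image
      unarchive:
        remote_src: true
        src: "{{ bootstrap_tarball }}"
        dest: "{{ container_root }}"
        extra_opts:
          - '--strip-components=1'
        creates: "{{ container_root }}/etc"
      when: not container_etc.stat.exists

    - name: Cleanup bootstrap image
      file:
        path: "{{ bootstrap_tarball }}"
        state: absent

    - name: Copy mirrorlist into container
      copy:
        src: mirrorlist
        dest: "{{ container_root }}/etc/pacman.d/mirrorlist"
        owner: root
        group: root
        mode: '0644'

    # Absolute modes instead of `ug+x`: a symbolic add keeps whatever other
    # bits the file already had, so a pre-existing group/world-writable file in
    # /usr/local/sbin would have stayed writable.
    - name: Copy render script
      copy:
        src: render.sh
        dest: /usr/local/sbin/gerbolyze_render.sh
        owner: root
        group: root
        mode: '0755'

    - name: Copy vector script
      copy:
        src: vector.sh
        dest: /usr/local/sbin/gerbolyze_vector.sh
        owner: root
        group: root
        mode: '0755'

    # `creates` points at the directory pacman-key --init makes; the trust
    # population is chained with && so a failed populate fails the task.
    - name: Initialize container pacman keyring
      shell: >-
        arch-chroot {{ container_root }} pacman-key --init &&
        arch-chroot {{ container_root }} pacman-key --populate archlinux
      args:
        creates: "{{ container_root }}/etc/pacman.d/gnupg"

    # CheckSpace makes pacman inspect the root mount, which does not exist
    # from pacman's point of view inside this chroot.
    - name: Fixup pacman.conf for pacman to work in chroot without its own root fs
      lineinfile:
        path: "{{ container_root }}/etc/pacman.conf"
        regexp: '^CheckSpace'
        line: '#CheckSpace'

    # Runs on every play (always reports changed); no shell features are
    # needed so `command` avoids an unnecessary shell interpretation.
    - name: Update container and install software
      command: >-
        arch-chroot {{ container_root }} pacman -Syu --noconfirm
        python3 opencv hdf5 gtk3 python-numpy python-pip imagemagick unzip zip

    # TODO maybe install directly from local git checkout?
    # Supply-chain note: this installs whatever PyPI currently serves for the
    # spec, with no hash verification — pin gerbolyze_pip_spec for
    # reproducible deployments.
    - name: Install gerbolyze
      command: >-
        arch-chroot {{ container_root }} pip install -U --upgrade-strategy=eager
        {{ gerbolyze_pip_spec }}

    # Everything under the source dir is copied as-is (including a .git
    # directory if the checkout has one).
    - name: Copy webapp sources
      synchronize:
        src: "{{ gerboweb_src }}"
        dest: "{{ gerboweb_dest }}"
        group: false
        owner: false

    # `validate` runs nginx's config check against the new file before it
    # replaces the live one, so a broken config never reaches the restart.
    - name: Copy first stage nginx config
      copy:
        src: nginx_nossl.conf
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: '0644'
        validate: 'nginx -t -c %s'

    # password '!' leaves the account with a locked password hash; the
    # nologin shell blocks interactive use as well.
    - name: Create uwsgi worker user and group
      user:
        name: uwsgi-gerboweb
        create_home: false
        group: uwsgi
        password: '!'
        shell: /sbin/nologin
        system: true

    - name: Add nginx user to uwsgi group for access to uwsgi socket
      user:
        name: nginx
        groups: uwsgi
        append: true

    # mode must be a quoted octal string: the unquoted `440` the original
    # carried is a YAML integer that Ansible applies as decimal 440 (= 0670),
    # i.e. group-writable and executable instead of read-only.
    - name: Copy uwsgi config
      copy:
        src: uwsgi-gerboweb.ini
        dest: /etc/uwsgi.d/gerboweb.ini
        owner: uwsgi-gerboweb
        group: uwsgi
        mode: '0440'

    - name: Copy systemd unit files
      copy:
        src: "{{ item }}"
        dest: "/etc/systemd/system/{{ item }}"
        owner: root
        group: root
        mode: '0644'
      loop:
        - uwsgi-app@.socket
        - uwsgi-app@.service
        - gerboweb-job-processor.service

    # FIXME: permissive mode logs denials but enforces nothing, so the
    # confinement SELinux would give nginx/uwsgi is lost host-wide. Write a
    # policy for the webapp and switch this back to enforcing.
    - name: Set SELinux to permissive mode
      selinux:
        state: permissive
        policy: targeted

    # `state: started` in addition to `enabled`: an enabled-only socket does
    # not listen until the next boot, leaving nginx without a backend on a
    # fresh install.
    - name: Enable and start uwsgi systemd socket
      systemd:
        daemon_reload: true
        name: uwsgi-app@gerboweb.socket
        enabled: true
        state: started

    - name: Copy gerboweb cache dir tmpfiles.d config
      copy:
        src: tmpfiles-gerboweb.conf
        dest: /etc/tmpfiles.d/gerboweb.conf
        owner: root
        group: root
        mode: '0644'
      register: tmpfiles_config

    - name: Kick systemd tmpfiles service to create cache dir
      command: systemd-tmpfiles --create /etc/tmpfiles.d/gerboweb.conf
      when: tmpfiles_config is changed

    # `touch` also bumps the mtime on every run, so this task always reports
    # changed; the mode is only ever tightened/set, never the contents.
    - name: Create job queue db
      file:
        path: /var/cache/gerboweb/job_queue.sqlite3
        owner: root
        group: uwsgi
        mode: '0660'
        state: touch

    - name: Enable and launch job processor
      systemd:
        name: gerboweb-job-processor.service
        enabled: true
        state: restarted

    - name: Enable and launch nginx systemd service
      systemd:
        name: nginx.service
        enabled: true
        state: restarted

    - name: Create letsencrypt certificate
      command: >-
        certbot --nginx certonly -d {{ letsencrypt_domain }} -n --agree-tos
        --email {{ letsencrypt_email }}
      args:
        creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem"

    - name: Copy final nginx config
      copy:
        src: nginx.conf
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: '0644'
        validate: 'nginx -t -c %s'

    - name: Restart nginx to load new cert
      systemd:
        name: nginx.service
        state: restarted

    # `enabled` alone only arms the timer for the next boot; `started` makes
    # renewals run from now on, so the certificate does not silently expire.
    - name: Enable and start certbot renewal timer
      systemd:
        name: certbot-renew.timer
        enabled: true
        state: started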