authorLars Wirzenius <liw@liw.fi>2018-08-07 18:47:37 +0300
committerLars Wirzenius <liw@liw.fi>2018-08-07 18:47:37 +0300
commit61c12b7938bd8fd8c17155b646b08fd1caf3cd6c (patch)
treec233df31c843f2e178fbd8114d6e1af434d6ba76
parentc0f9a32ae8f092b7ba552798ea1ae2f2fdd9666a (diff)
downloadick2-ansible-61c12b7938bd8fd8c17155b646b08fd1caf3cd6c.tar.gz
Change: use haproxy role from debian-ansible, add ickweb, etc
-rw-r--r--group_vars/ickhost.yml51
-rw-r--r--ick-cluster.yml4
-rw-r--r--ick2.yml5
-rw-r--r--ickweb.yml18
-rw-r--r--roles/apt_repository/templates/apache-http.conf2
-rw-r--r--roles/haproxy/tasks/main.yml37
-rw-r--r--roles/ickweb/files/haproxy.cfg (renamed from roles/haproxy/templates/haproxy.cfg.j2)48
-rw-r--r--roles/ickweb/tasks/main.yml72
-rw-r--r--roles/ickweb/templates/ickweb.service13
-rw-r--r--roles/ickweb/templates/start_ickweb6
-rw-r--r--roles/letsencrypt/defaults/main.yml10
-rw-r--r--roles/letsencrypt/tasks/main.yml79
-rw-r--r--roles/letsencrypt/templates/deploy_certs_haproxy8
-rwxr-xr-xrun-ickweb.yml31
14 files changed, 199 insertions, 185 deletions
diff --git a/group_vars/ickhost.yml b/group_vars/ickhost.yml
index c33d718..a92b3a2 100644
--- a/group_vars/ickhost.yml
+++ b/group_vars/ickhost.yml
@@ -8,17 +8,19 @@ debian_mirror_src: deb.debian.org
ci_prefix: ""
sources_lists:
+ - repo: "deb http://deb.debian.org/debian stretch-backports main"
- repo: "deb http://code.liw.fi/debian stretch main ickhost"
keyring_package: code.liw.fi-keyring
signing_key: "{{ code_liw_fi_signing_key }}"
- repo: "deb http://ick-controller.h.qvarnlabs.eu/debian stretch-ci main"
- signing_key: "{{ ql_ick_apt_fi_signing_key }}"
+ signing_key: "{{ ql_ick_apt_signing_key }}"
controller_port: 12765
artifact_store_port: 12766
qvisqve_port: 10000
notify_port: 12767
ickweb_port: 10001
+apache_port: 8080
controller_url: "https://{{ controller_domain }}"
artifact_store_url: "https://{{ artifact_store_domain }}"
@@ -34,3 +36,50 @@ apt_admin_email: FIXME
wm_ssh_key: FIXME
wm_ssh_key_pub: FIXME
+
+
+haproxy_domain: "{{ controller_domain }}"
+haproxy_rules:
+ - name: ickweb
+ path: /web
+ backends: ["127.0.0.1:{{ ickweb_port }}"]
+
+ - name: blobs
+ path: /blobs
+ backends: ["127.0.0.1:{{ artifact_store_port }}"]
+
+ - name: token
+ path: /token
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: login
+ path: /login
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: auth
+ path: /auth
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: clients
+ path: /clients
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: users
+ path: /users
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: applications
+ path: /applications
+ backends: ["127.0.0.1:{{ qvisqve_port }}"]
+
+ - name: notify
+ path: /notify
+ backends: ["127.0.0.1:{{ notify_port }}"]
+
+ - name: debian
+ path: /debian
+ backends: ["127.0.0.1:{{ apache_port }}"]
+
+ - name: controller
+ path: /
+ backends: ["127.0.0.1:{{ controller_port }}"]
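Review bot: The `controller` rule's `path: /` is a prefix that matches every request, so its position at the end of `haproxy_rules` is load-bearing if the debian-ansible haproxy role emits its ACLs and `use_backend` lines in list order (that role's template is outside this repository, so I cannot confirm it); a comment on that entry, `# keep last: "/" is a catch-all prefix`, would protect the ordering from a later edit. The list also drops the method restriction the old haproxy.cfg applied to the controller route (`acl any method GET HEAD POST PUT DELETE`), so unless the external role has an equivalent, request methods that previously got no backend now reach the controller, which is a behaviour change worth confirming.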
diff --git a/ick-cluster.yml b/ick-cluster.yml
index 55b9c5b..fb8fa7f 100644
--- a/ick-cluster.yml
+++ b/ick-cluster.yml
@@ -16,7 +16,6 @@
- sane_debian_system
- unix_users
- comfortable
- - letsencrypt
- haproxy
- qvisqve
- ick-controller
@@ -26,6 +25,3 @@
- ickweb
vars:
hostname: ick
-
- verify_tls: no
- letsencrypt: no
diff --git a/ick2.yml b/ick2.yml
index afb74fb..98211f5 100644
--- a/ick2.yml
+++ b/ick2.yml
@@ -5,7 +5,6 @@
- sane_debian_system
- comfortable
- unix_users
- - letsencrypt
- haproxy
- qvisqve
- ick-controller
@@ -16,7 +15,3 @@
- ickweb
vars:
hostname: ick
-
- verify_tls: no
- letsencrypt: no
- tls_certificate: FIXME
diff --git a/ickweb.yml b/ickweb.yml
new file mode 100644
index 0000000..a78a82c
--- /dev/null
+++ b/ickweb.yml
@@ -0,0 +1,18 @@
+- hosts: demo
+ remote_user: root
+ become: yes
+ roles:
+ - sane_debian_system
+ - unix_users
+ - ickweb
+ vars:
+ hostname: ickweb
+ locales:
+ - fi_FI.UTF-8
+ - en_GB.UTF-8
+ debian_codename: stretch
+ sources_lists:
+ - repo: "deb http://deb.debian.org/debian stretch-backports main"
+ qvisqve_token_public_key: "{{ lookup('pipe', 'pass show qvisqve/token_key_pub') }}"
+
+ letsencrypt_email: liw@liw.fi
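Review bot: The `ickweb` role this play applies reads `ickweb_secret` (roles/ickweb/tasks/main.yml) and `controller_url` and `ickweb_port` (roles/ickweb/templates/start_ickweb), but this play sets none of them, and run-ickweb.yml puts host `demo` in group `ickwebhost` while those variables are only visible in `group_vars/ickhost.yml`; unless a `group_vars/ickwebhost.yml` exists outside this diff, the play fails on undefined variables. Conversely `qvisqve_token_public_key` here and the `ickweb_domain_name` passed by run-ickweb.yml are set but nothing in the commit consumes them, so they look vestigial or unfinished. `become: yes` is redundant with `remote_user: root` and, being a YAML 1.1 truthy, reads better as `become: true`.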
diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf
index b7aa353..46a54ed 100644
--- a/roles/apt_repository/templates/apache-http.conf
+++ b/roles/apt_repository/templates/apache-http.conf
@@ -1,5 +1,5 @@
Listen 8080
-<VirtualHost _default_:8080>
+<VirtualHost _default_:{{ apache_port }}>
ServerAdmin {{ apt_admin_email }}
DocumentRoot /srv/http
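Review bot: `Listen 8080` on the line above the changed `<VirtualHost _default_:{{ apache_port }}>` is still hard-coded, so setting `apache_port` to anything but 8080 leaves Apache listening on a port no VirtualHost answers on while haproxy forwards `/debian` to the new value; template it as `Listen {{ apache_port }}` so the two stay in step.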
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
deleted file mode 100644
index 2161b3b..0000000
--- a/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: create config dir
- file:
- state: directory
- path: "{{ item }}"
- owner: root
- group: root
- mode: 0755
- with_items:
- - /etc/haproxy
-
-- name: install haproxy config
- template:
- src: haproxy.cfg.j2
- dest: /etc/haproxy/haproxy.cfg
- owner: root
- group: root
- mode: 0644
-
-- name: install TLS certificate
- copy:
- content: "{{ tls_certificate }}"
- dest: /etc/ssl/ick.pem
- owner: root
- group: root
- mode: 0600
-
-- name: enable and start haproxy
- service:
- name: "{{ item }}"
- state: restarted
- enabled: yes
- with_items:
- - haproxy
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/ickweb/files/haproxy.cfg
index 0a6ec70..6191bcc 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/ickweb/files/haproxy.cfg
@@ -1,3 +1,6 @@
+# haproxy.cfg
+# HAProxy configuration for Qvisqve.
+
global
log 127.0.0.1 local4
chroot /var/lib/haproxy
@@ -13,6 +16,7 @@ global
ssl-default-bind-options no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
defaults
log global
mode http
@@ -32,48 +36,12 @@ defaults
frontend http-in
bind *:80
- bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
rspadd Strict-Transport-Security:\ max-age=15768000
- acl ickweb path_beg /web
- acl blobs path_beg /blobs
- acl token path_beg /token
- acl login path_beg /login
- acl auth path_beg /auth
- acl clients path_beg /clients
- acl users path_beg /users
- acl applications path_beg /applications
- acl notify path_beg /notify
- acl debian path_beg /debian
- acl any method GET HEAD POST PUT DELETE
-
- use_backend apache if debian
- use_backend ickweb if ickweb
- use_backend notification_service if notify
- use_backend artifact_store if blobs
- use_backend qvisqve if token
- use_backend qvisqve if login
- use_backend qvisqve if auth
- use_backend qvisqve if clients
- use_backend qvisqve if users
- use_backend qvisqve if applications
- use_backend controller if any
-
-backend apache
- server apache_1 127.0.0.1:8080
+ acl methods method GET HEAD POST PUT DELETE
+ use_backend ickweb if methods
backend ickweb
- server ickweb_1 127.0.0.1:{{ ickweb_port }}
-
-backend controller
- server controller_1 127.0.0.1:{{ controller_port }}
-
-backend artifact_store
- server artifact_store_1 127.0.0.1:{{ artifact_store_port }}
-
-backend qvisqve
- server qvisqve_1 127.0.0.1:{{ qvisqve_port }}
-
-backend notification_service
- server notify_1 127.0.0.1:{{ notify_port }}
+ server ickweb_1 127.0.0.1:8080
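Review bot: `backend ickweb` now hard-codes `server ickweb_1 127.0.0.1:8080` in a static `files/` copy, while `start_ickweb` launches the app on `{{ ickweb_port }}` (10001 in group_vars/ickhost.yml) and 8080 is the apache port elsewhere in this repo; unless ickweb listens on 8080 on the demo host, haproxy forwards to nothing. The new `bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem` references a certificate that no task in this commit produces — the letsencrypt role that used to assemble one is deleted — and haproxy will not start while the `crt` file is missing, so a certificate task (or a plain-HTTP bind until one exists) is needed. With `use_backend ickweb if methods` and no `default_backend`, every other request method gets a 503; if that is intended a comment saying so would help. The header comment `# HAProxy configuration for Qvisqve.` names the wrong service for a file living under roles/ickweb; `# HAProxy configuration for ickweb.` would match.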
diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml
new file mode 100644
index 0000000..163e436
--- /dev/null
+++ b/roles/ickweb/tasks/main.yml
@@ -0,0 +1,72 @@
+- name: "install packages"
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - git
+ - haproxy
+ - python3-bottle
+ - python3-requests
+
+- name: "create ickweb user"
+ user:
+ name: _ickweb
+ comment: Ickweb user
+ system: yes
+
+- name: "create ickweb group"
+ group:
+ name: _ickweb
+ system: yes
+
+- name: "install ickweb code"
+ shell: |
+ rm -rf /var/lib/ickweb
+ git clone git://git.liw.fi/ickweb /var/lib/ickweb
+ chown -R root:root /var/lib/ickweb
+ chmod -R ugo=rX /var/lib/ickweb
+
+- name: "create /etc/ickweb"
+ file:
+ state: directory
+ path: /etc/ickweb
+ owner: _ickweb
+ group: _ickweb
+ mode: 0755
+
+- name: "install ickweb config"
+ copy:
+ content: "{{ ickweb_secret }}"
+ dest: /etc/ickweb/secret
+ owner: _ickweb
+ group: _ickweb
+ mode: 0700
+
+- name: "install ickweb script"
+ template:
+ src: start_ickweb
+ dest: /usr/local/bin
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "install ickweb systemd unit"
+ template:
+ src: ickweb.service
+ dest: /lib/systemd/system/ickweb.service
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "reload systemd"
+ systemd:
+ name: haproxy
+ state: reloaded
+
+- name: "enable and restart services"
+ systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: restarted
+ with_items:
+ - haproxy
+ - ickweb
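Review bot: The task named `reload systemd` runs `systemd: name: haproxy, state: reloaded`, which reloads the haproxy service rather than systemd itself, so the freshly installed `/lib/systemd/system/ickweb.service` is never picked up by a daemon-reload before the restart task; its body should be `systemd: daemon_reload: true`. Nothing in this task list installs `files/haproxy.cfg` into `/etc/haproxy/haproxy.cfg` or provides the `/etc/ssl/haproxy.pem` that config binds on, so haproxy is reloaded and restarted with whatever the package shipped — a `copy` task for the config and a source for the certificate look missing. The clone step fetches the code that will run as a service over `git://`, which is neither authenticated nor integrity-checked and is not pinned to a revision, and the `rm -rf` makes the task non-idempotent; the `git` module with an `https://` repo and a `version:` would make the deployment reproducible and verifiable. The secret file gets `mode: 0700` and the unit file `mode: 0755`; neither needs an execute bit, and `"0600"` and `"0644"` respectively are the conventional modes.
```yaml
# … unchanged: package, user, group, code, /etc/ickweb, secret, script and unit tasks …

- name: "install haproxy config"
  copy:
    src: haproxy.cfg
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: root
    mode: "0644"

- name: "reload systemd"
  systemd:
    daemon_reload: true

# … unchanged: enable and restart services …
```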
diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service
new file mode 100644
index 0000000..208ac09
--- /dev/null
+++ b/roles/ickweb/templates/ickweb.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Ick web app
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=_ickweb
+Group=_ickweb
+ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret
+
+[Install]
+WantedBy=multi-user.target
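Review bot: The unit runs `start_ickweb` as `_ickweb` with no `Restart=` policy, so a crash of the web app leaves it down until the next playbook run; `Restart=on-failure` under `[Service]` is the usual choice. `Requires=network.target` / `After=network.target` only orders the unit after the network stack is started, not after it is configured, and the app is given `controller_url` at start; `Wants=network-online.target` with `After=network-online.target` is the documented way to wait for connectivity. Since the service is unprivileged and only needs `/etc/ickweb/secret` and `/var/lib/ickweb`, `NoNewPrivileges=true` is a low-cost hardening line to add, and `ProtectSystem=` is worth considering once the app's write paths are known.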
diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb
new file mode 100644
index 0000000..a6e93f7
--- /dev/null
+++ b/roles/ickweb/templates/start_ickweb
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+cd /var/lib/ickweb
+./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod
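Review bot: `./run` is invoked by the sh wrapper rather than replacing it, so systemd's `Type=simple` tracks the shell and `systemctl stop` signals the wrapper, not the app; `exec ./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod` hands the process over. Both template variables are defined only in `group_vars/ickhost.yml` within this diff, while ickweb.yml targets the `ickwebhost` group, so the template will fail to render unless they are also set for that group.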
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
deleted file mode 100644
index ce1a2d3..0000000
--- a/roles/letsencrypt/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-# Enable letsencrypt?
-letsencrypt: yes
-
-# Specify a properly configured and functional domain name
-letsencrypt_domain: FIXME
-
-# Specify a working email address
-letsencrypt_email: FIXME
-
-letsencrypt_server_haproxy_crt: /etc/haproxy/haproxy.pem
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index b7d0df0..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-- name: check required variables
- fail:
- msg: "value of {{ item }} should no be FIXME!"
- with_items:
- - letsencrypt_domain
- - letsencrypt_email
- - letsencrypt_server
- when: item == "FIXME"
-
-- name: install deploy_certs_haproxy
- template:
- src: deploy_certs_haproxy
- dest: /usr/local/sbin/deploy_certs_haproxy
- owner: root
- group: root
- mode: 0755
- when: letsencrypt
-
-- name: install certbot
- apt:
- name: certbot
- default_release: stretch-backports
- when: letsencrypt
-
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: install ssl-cert
- apt:
- name: ssl-cert
- when: not letsencrypt
-
-- name: stop haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: stopped
-
-- name: install snakeoil certificate for haproxy
- shell: |
- cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
- /etc/ssl/private/ssl-cert-snakeoil.key \
- > /etc/haproxy/haproxy.pem
- when: not letsencrypt
-
-- name: fetch new certificate
- command: >
- certbot certonly
- --standalone
- --noninteractive
- --domain "{{ letsencrypt_domain }}"
- --email "{{ letsencrypt_email }}"
- --agree-tos
- when: letsencrypt
-
-- name: install new cert for haproxy
- command: /usr/local/sbin/deploy_certs_haproxy
- when: letsencrypt
-
-- name: start haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: started
-
-- name: add cron job
- cron:
- name: letsencrypt
- hour: 23
- minute: 42
- user: root
- job: >
- certbot renew
- --standalone
- --quiet
- --pre-hook "systemctl stop haproxy"
- --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy"
- when: letsencrypt
diff --git a/roles/letsencrypt/templates/deploy_certs_haproxy b/roles/letsencrypt/templates/deploy_certs_haproxy
deleted file mode 100644
index 6c93a80..0000000
--- a/roles/letsencrypt/templates/deploy_certs_haproxy
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-cat "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem" \
- "/etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem" \
- > "{{ letsencrypt_server_haproxy_crt }}"
-chmod 600 "{{ letsencrypt_server_haproxy_crt }}"
diff --git a/run-ickweb.yml b/run-ickweb.yml
new file mode 100755
index 0000000..82fdace
--- /dev/null
+++ b/run-ickweb.yml
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -eu
+
+
+getaddr()
+{
+ awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" |
+ sed 's/ansible_ssh_host=//'
+}
+
+
+mkhosts()
+{
+ cat <<EOF
+demo ansible_ssh_host=$(getaddr demo)
+
+[ickwebhost]
+demo
+EOF
+}
+
+
+hosts_in="$1"
+shift 1
+mkhosts > hosts.tmp
+ansible-playbook \
+ ickweb.yml \
+ -i hosts.tmp \
+ -e ickweb_domain_name="$(getaddr demo)" \
+ "$@"
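Review bot: The file is a bash script (shebang, functions, heredoc) but carries a `.yml` name, so editors, yamllint and a stray `ansible-playbook run-ickweb.yml` all misread it; `run-ickweb.sh` or no extension would be clearer. `getaddr demo` returning nothing — name absent from `$hosts_in`, or the line not in `demo ansible_ssh_host=ADDR` form — is not caught by `set -eu`, so `mkhosts` writes `demo ansible_ssh_host=` and the play targets an empty address; a guard such as `addr="$(getaddr demo)"; [ -n "$addr" ] || { echo "no address for demo in $hosts_in" >&2; exit 1; }` before `mkhosts` stops that. `hosts.tmp` is written into the current directory and never removed; `mktemp` plus a `trap ... EXIT` keeps the generated inventory from lingering. Nothing in this commit reads `ickweb_domain_name`, so the `-e` argument may be vestigial.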