authorLars Wirzenius <liw@liw.fi>2018-08-07 18:47:37 +0300
committerLars Wirzenius <liw@liw.fi>2018-08-07 18:47:37 +0300
commit61c12b7938bd8fd8c17155b646b08fd1caf3cd6c (patch)
treec233df31c843f2e178fbd8114d6e1af434d6ba76 /roles
parentc0f9a32ae8f092b7ba552798ea1ae2f2fdd9666a (diff)
Change: use haproxy role from debian-ansible, add ickweb, etc
Diffstat (limited to 'roles')
-rw-r--r--roles/apt_repository/templates/apache-http.conf2
-rw-r--r--roles/haproxy/tasks/main.yml37
-rw-r--r--roles/ickweb/files/haproxy.cfg (renamed from roles/haproxy/templates/haproxy.cfg.j2)48
-rw-r--r--roles/ickweb/tasks/main.yml72
-rw-r--r--roles/ickweb/templates/ickweb.service13
-rw-r--r--roles/ickweb/templates/start_ickweb6
-rw-r--r--roles/letsencrypt/defaults/main.yml10
-rw-r--r--roles/letsencrypt/tasks/main.yml79
-rw-r--r--roles/letsencrypt/templates/deploy_certs_haproxy8
9 files changed, 100 insertions, 175 deletions
diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf
index b7aa353..46a54ed 100644
--- a/roles/apt_repository/templates/apache-http.conf
+++ b/roles/apt_repository/templates/apache-http.conf
@@ -1,5 +1,5 @@
Listen 8080
-<VirtualHost _default_:8080>
+<VirtualHost _default_:{{ apache_port }}>
ServerAdmin {{ apt_admin_email }}
DocumentRoot /srv/http
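Review bot: `Listen 8080` on the line above the changed `<VirtualHost _default_:{{ apache_port }}>` is still a literal, so whenever `apache_port` is set to anything other than 8080 the vhost is bound to a port Apache is not listening on and requests on 8080 fall through to the default server. Drive both from the same variable: `Listen {{ apache_port }}`. Note also that roles/ickweb/files/haproxy.cfg in this same commit points its `ickweb` backend at 127.0.0.1:8080, so if the apt repository and ickweb are ever deployed to one host the 8080 default here would collide with whatever ickweb binds; the role's default for `apache_port` (not visible here) would be the place to record that constraint.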
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
deleted file mode 100644
index 2161b3b..0000000
--- a/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: create config dir
- file:
- state: directory
- path: "{{ item }}"
- owner: root
- group: root
- mode: 0755
- with_items:
- - /etc/haproxy
-
-- name: install haproxy config
- template:
- src: haproxy.cfg.j2
- dest: /etc/haproxy/haproxy.cfg
- owner: root
- group: root
- mode: 0644
-
-- name: install TLS certificate
- copy:
- content: "{{ tls_certificate }}"
- dest: /etc/ssl/ick.pem
- owner: root
- group: root
- mode: 0600
-
-- name: enable and start haproxy
- service:
- name: "{{ item }}"
- state: restarted
- enabled: yes
- with_items:
- - haproxy
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/ickweb/files/haproxy.cfg
index 0a6ec70..6191bcc 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/ickweb/files/haproxy.cfg
@@ -1,3 +1,6 @@
+# haproxy.cfg
+# HAProxy configuration for Qvisqve.
+
global
log 127.0.0.1 local4
chroot /var/lib/haproxy
@@ -13,6 +16,7 @@ global
ssl-default-bind-options no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
defaults
log global
mode http
@@ -32,48 +36,12 @@ defaults
frontend http-in
bind *:80
- bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
rspadd Strict-Transport-Security:\ max-age=15768000
- acl ickweb path_beg /web
- acl blobs path_beg /blobs
- acl token path_beg /token
- acl login path_beg /login
- acl auth path_beg /auth
- acl clients path_beg /clients
- acl users path_beg /users
- acl applications path_beg /applications
- acl notify path_beg /notify
- acl debian path_beg /debian
- acl any method GET HEAD POST PUT DELETE
-
- use_backend apache if debian
- use_backend ickweb if ickweb
- use_backend notification_service if notify
- use_backend artifact_store if blobs
- use_backend qvisqve if token
- use_backend qvisqve if login
- use_backend qvisqve if auth
- use_backend qvisqve if clients
- use_backend qvisqve if users
- use_backend qvisqve if applications
- use_backend controller if any
-
-backend apache
- server apache_1 127.0.0.1:8080
+ acl methods method GET HEAD POST PUT DELETE
+ use_backend ickweb if methods
backend ickweb
- server ickweb_1 127.0.0.1:{{ ickweb_port }}
-
-backend controller
- server controller_1 127.0.0.1:{{ controller_port }}
-
-backend artifact_store
- server artifact_store_1 127.0.0.1:{{ artifact_store_port }}
-
-backend qvisqve
- server qvisqve_1 127.0.0.1:{{ qvisqve_port }}
-
-backend notification_service
- server notify_1 127.0.0.1:{{ notify_port }}
+ server ickweb_1 127.0.0.1:8080
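Review bot: The renamed file now lives under roles/ickweb/files, but no task in the new roles/ickweb/tasks/main.yml copies it to /etc/haproxy/haproxy.cfg, so the `haproxy` restart at the end of that role runs with whatever config the debian-ansible haproxy role installed rather than this one — unless that role is expected to pick it up, which is not visible in this commit. The added `server ickweb_1 127.0.0.1:8080` hard-codes a port while start_ickweb launches the app on `{{ ickweb_port }}`; since the file is no longer a template, either keep it as a `.j2` with `127.0.0.1:{{ ickweb_port }}` or document that `ickweb_port` must be 8080. The certificate now expected at `/etc/ssl/haproxy.pem` is written by nothing remaining in this tree (the letsencrypt role that produced /etc/haproxy/haproxy.pem is deleted here), so its provenance belongs in the new header comment, which also still describes the config as being "for Qvisqve" although it now serves only ickweb.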
diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml
new file mode 100644
index 0000000..163e436
--- /dev/null
+++ b/roles/ickweb/tasks/main.yml
@@ -0,0 +1,72 @@
+- name: "install packages"
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - git
+ - haproxy
+ - python3-bottle
+ - python3-requests
+
+- name: "create ickweb user"
+ user:
+ name: _ickweb
+ comment: Ickweb user
+ system: yes
+
+- name: "create ickweb group"
+ group:
+ name: _ickweb
+ system: yes
+
+- name: "install ickweb code"
+ shell: |
+ rm -rf /var/lib/ickweb
+ git clone git://git.liw.fi/ickweb /var/lib/ickweb
+ chown -R root:root /var/lib/ickweb
+ chmod -R ugo=rX /var/lib/ickweb
+
+- name: "create /etc/ickweb"
+ file:
+ state: directory
+ path: /etc/ickweb
+ owner: _ickweb
+ group: _ickweb
+ mode: 0755
+
+- name: "install ickweb config"
+ copy:
+ content: "{{ ickweb_secret }}"
+ dest: /etc/ickweb/secret
+ owner: _ickweb
+ group: _ickweb
+ mode: 0700
+
+- name: "install ickweb script"
+ template:
+ src: start_ickweb
+ dest: /usr/local/bin
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "install ickweb systemd unit"
+ template:
+ src: ickweb.service
+ dest: /lib/systemd/system/ickweb.service
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "reload systemd"
+ systemd:
+ name: haproxy
+ state: reloaded
+
+- name: "enable and restart services"
+ systemd:
+ name: "{{ item }}"
+ enabled: yes
+ state: restarted
+ with_items:
+ - haproxy
+ - ickweb
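Review bot: The `install ickweb code` task fetches code that will run as a system service over `git://`, an unauthenticated and unencrypted transport, with no pinned revision, and it `rm -rf`s the checkout on every run, so the task is never idempotent and a transient fetch failure leaves /var/lib/ickweb empty; the `git` module with an authenticated transport (https or ssh) and a fixed `version:` (tag or commit, to be chosen by the maintainer) would cover all three. `mode: 0700` on the `/etc/ickweb/secret` regular file should be `0600`, and the systemd unit does not need `0755` — `0644` is conventional for unit files. The task named `reload systemd` actually reloads haproxy; after installing a unit file the intended call is `systemd: daemon_reload: yes`, without which later edits to `ickweb.service` are not picked up before `state: restarted`. `enabled: yes` and `system: yes` would also read better as `true`.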
diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service
new file mode 100644
index 0000000..208ac09
--- /dev/null
+++ b/roles/ickweb/templates/ickweb.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Ick web app
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=_ickweb
+Group=_ickweb
+ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret
+
+[Install]
+WantedBy=multi-user.target
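Review bot: `ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret` passes the secret path as an argument, but roles/ickweb/templates/start_ickweb (next section) never reads `$1` and hard-codes `/etc/ickweb/secret` itself, so one of the two should go; `./run "{{ controller_url }}" "$1" "{{ ickweb_port }}" prod` in the script would make the unit the single source. Since the service runs as `_ickweb` and the tasks make that user the owner of /etc/ickweb/secret, the running app can rewrite its own secret; root ownership with group `_ickweb` and mode `0640` would make it read-only to the service. `NoNewPrivileges=true` and `PrivateTmp=true` are cheap additions for a network-facing app, and `Requires=network.target` is unusual — `After=network.target` alone is the documented pattern.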
diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb
new file mode 100644
index 0000000..a6e93f7
--- /dev/null
+++ b/roles/ickweb/templates/start_ickweb
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+cd /var/lib/ickweb
+./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod
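Review bot: `./run ...` is started as a child of the wrapper shell rather than replacing it, so with `Type=simple` the unit's main PID is `sh` and the app's exit status is only reported through it; prefixing the call with `exec` (`exec ./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod`) makes the app the tracked process. `set -eu` and the quoted Jinja expansions are otherwise fine.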
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
deleted file mode 100644
index ce1a2d3..0000000
--- a/roles/letsencrypt/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-# Enable letsencrypt?
-letsencrypt: yes
-
-# Specify a properly configured and functional domain name
-letsencrypt_domain: FIXME
-
-# Specify a working email address
-letsencrypt_email: FIXME
-
-letsencrypt_server_haproxy_crt: /etc/haproxy/haproxy.pem
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index b7d0df0..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-- name: check required variables
- fail:
- msg: "value of {{ item }} should no be FIXME!"
- with_items:
- - letsencrypt_domain
- - letsencrypt_email
- - letsencrypt_server
- when: item == "FIXME"
-
-- name: install deploy_certs_haproxy
- template:
- src: deploy_certs_haproxy
- dest: /usr/local/sbin/deploy_certs_haproxy
- owner: root
- group: root
- mode: 0755
- when: letsencrypt
-
-- name: install certbot
- apt:
- name: certbot
- default_release: stretch-backports
- when: letsencrypt
-
-- name: install haproxy
- apt:
- name: haproxy
-
-- name: install ssl-cert
- apt:
- name: ssl-cert
- when: not letsencrypt
-
-- name: stop haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: stopped
-
-- name: install snakeoil certificate for haproxy
- shell: |
- cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
- /etc/ssl/private/ssl-cert-snakeoil.key \
- > /etc/haproxy/haproxy.pem
- when: not letsencrypt
-
-- name: fetch new certificate
- command: >
- certbot certonly
- --standalone
- --noninteractive
- --domain "{{ letsencrypt_domain }}"
- --email "{{ letsencrypt_email }}"
- --agree-tos
- when: letsencrypt
-
-- name: install new cert for haproxy
- command: /usr/local/sbin/deploy_certs_haproxy
- when: letsencrypt
-
-- name: start haproxy
- ignore_errors: true
- systemd:
- name: haproxy
- state: started
-
-- name: add cron job
- cron:
- name: letsencrypt
- hour: 23
- minute: 42
- user: root
- job: >
- certbot renew
- --standalone
- --quiet
- --pre-hook "systemctl stop haproxy"
- --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy"
- when: letsencrypt
diff --git a/roles/letsencrypt/templates/deploy_certs_haproxy b/roles/letsencrypt/templates/deploy_certs_haproxy
deleted file mode 100644
index 6c93a80..0000000
--- a/roles/letsencrypt/templates/deploy_certs_haproxy
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-cat "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem" \
- "/etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem" \
- > "{{ letsencrypt_server_haproxy_crt }}"
-chmod 600 "{{ letsencrypt_server_haproxy_crt }}"