From 61c12b7938bd8fd8c17155b646b08fd1caf3cd6c Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 7 Aug 2018 18:47:37 +0300 Subject: Change: use haproxy role from debian-ansible, add ickweb, etc --- group_vars/ickhost.yml | 51 ++++++++++++++- ick-cluster.yml | 4 -- ick2.yml | 5 -- ickweb.yml | 18 ++++++ roles/apt_repository/templates/apache-http.conf | 2 +- roles/haproxy/tasks/main.yml | 37 ----------- roles/haproxy/templates/haproxy.cfg.j2 | 79 ------------------------ roles/ickweb/files/haproxy.cfg | 47 ++++++++++++++ roles/ickweb/tasks/main.yml | 72 +++++++++++++++++++++ roles/ickweb/templates/ickweb.service | 13 ++++ roles/ickweb/templates/start_ickweb | 6 ++ roles/letsencrypt/defaults/main.yml | 10 --- roles/letsencrypt/tasks/main.yml | 79 ------------------------ roles/letsencrypt/templates/deploy_certs_haproxy | 8 --- run-ickweb.yml | 31 ++++++++++ 15 files changed, 238 insertions(+), 224 deletions(-) create mode 100644 ickweb.yml delete mode 100644 roles/haproxy/tasks/main.yml delete mode 100644 roles/haproxy/templates/haproxy.cfg.j2 create mode 100644 roles/ickweb/files/haproxy.cfg create mode 100644 roles/ickweb/tasks/main.yml create mode 100644 roles/ickweb/templates/ickweb.service create mode 100644 roles/ickweb/templates/start_ickweb delete mode 100644 roles/letsencrypt/defaults/main.yml delete mode 100644 roles/letsencrypt/tasks/main.yml delete mode 100644 roles/letsencrypt/templates/deploy_certs_haproxy create mode 100755 run-ickweb.yml diff --git a/group_vars/ickhost.yml b/group_vars/ickhost.yml index c33d718..a92b3a2 100644 --- a/group_vars/ickhost.yml +++ b/group_vars/ickhost.yml 
@@ -8,17 +8,19 @@ debian_mirror_src: deb.debian.org ci_prefix: "" sources_lists: + - repo: "deb http://deb.debian.org/debian stretch-backports main" - repo: "deb http://code.liw.fi/debian stretch main ickhost" keyring_package: code.liw.fi-keyring signing_key: "{{ code_liw_fi_signing_key }}" - repo: "deb http://ick-controller.h.qvarnlabs.eu/debian stretch-ci main" - signing_key: "{{ ql_ick_apt_fi_signing_key }}" + signing_key: "{{ ql_ick_apt_signing_key }}" controller_port: 12765 artifact_store_port: 12766 qvisqve_port: 10000 notify_port: 12767 ickweb_port: 10001 +apache_port: 8080 controller_url: "https://{{ controller_domain }}" artifact_store_url: "https://{{ artifact_store_domain }}" @@ -34,3 +36,50 @@ apt_admin_email: FIXME wm_ssh_key: FIXME wm_ssh_key_pub: FIXME + + +haproxy_domain: "{{ controller_domain }}" +haproxy_rules: + - name: ickweb + path: /web + backends: ["127.0.0.1:{{ ickweb_port }}"] + + - name: blobs + path: /blobs + backends: ["127.0.0.1:{{ artifact_store_port }}"] + + - name: token + path: /token + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: login + path: /login + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: auth + path: /auth + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: clients + path: /clients + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: users + path: /users + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: applications + path: /applications + backends: ["127.0.0.1:{{ qvisqve_port }}"] + + - name: notify + path: /notify + backends: ["127.0.0.1:{{ notify_port }}"] + + - name: debian + path: /debian + backends: ["127.0.0.1:{{ apache_port }}"] + + - name: controller + path: / + backends: ["127.0.0.1:{{ controller_port }}"] diff --git a/ick-cluster.yml b/ick-cluster.yml index 55b9c5b..fb8fa7f 100644 --- a/ick-cluster.yml +++ b/ick-cluster.yml @@ -16,7 +16,6 @@ - sane_debian_system - unix_users - comfortable - - letsencrypt - haproxy - qvisqve - ick-controller 
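Review bot: The `haproxy_rules` list loses the method filter the deleted `haproxy.cfg.j2` applied before handing traffic to the controller (`acl any method GET HEAD POST PUT DELETE`), and whether `path` is a prefix match and whether rules are tried in order is now decided by the debian-ansible haproxy role, which is not in this repository. If that role matches prefixes, the catch-all `path: /` entry must stay last, and the file should say so: I would add `# Evaluated in order with prefix matching; keep the catch-all '/' rule last.` above the list, adjusting the wording once the role's semantics are confirmed. It is also worth confirming that the role provisions and renews the certificate for `haproxy_domain` and emits the HSTS header, since the `letsencrypt` role and the local `haproxy` role that did both are removed in this commit.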
@@ -26,6 +25,3 @@ - ickweb vars: hostname: ick - - verify_tls: no - letsencrypt: no diff --git a/ick2.yml b/ick2.yml index afb74fb..98211f5 100644 --- a/ick2.yml +++ b/ick2.yml @@ -5,7 +5,6 @@ - sane_debian_system - comfortable - unix_users - - letsencrypt - haproxy - qvisqve - ick-controller @@ -16,7 +15,3 @@ - ickweb vars: hostname: ick - - verify_tls: no - letsencrypt: no - tls_certificate: FIXME diff --git a/ickweb.yml b/ickweb.yml new file mode 100644 index 0000000..a78a82c --- /dev/null +++ b/ickweb.yml @@ -0,0 +1,18 @@ +- hosts: demo + remote_user: root + become: yes + roles: + - sane_debian_system + - unix_users + - ickweb + vars: + hostname: ickweb + locales: + - fi_FI.UTF-8 + - en_GB.UTF-8 + debian_codename: stretch + sources_lists: + - repo: "deb http://deb.debian.org/debian stretch-backports main" + qvisqve_token_public_key: "{{ lookup('pipe', 'pass show qvisqve/token_key_pub') }}" + + letsencrypt_email: liw@liw.fi diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf index b7aa353..46a54ed 100644 --- a/roles/apt_repository/templates/apache-http.conf +++ b/roles/apt_repository/templates/apache-http.conf @@ -1,5 +1,5 @@ Listen 8080 - + ServerAdmin {{ apt_admin_email }} DocumentRoot /srv/http diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml deleted file mode 100644 index 2161b3b..0000000 --- a/roles/haproxy/tasks/main.yml +++ /dev/null 
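Review bot: The play lists only `sane_debian_system`, `unix_users` and `ickweb`, but the `ickweb` role added in this commit reads `ickweb_secret`, `controller_url` and `ickweb_port`, and its `haproxy.cfg` binds port 443 with `/etc/ssl/haproxy.pem`; none of these is defined here and no role in the play provisions a certificate, while `letsencrypt_email` is set even though the `letsencrypt` role is deleted in this same commit. Unless `group_vars`/`host_vars` for `demo` supply them, the first run fails at the secret task or leaves haproxy unable to start. I would either add the variables under `vars:` (the secret via a `lookup('pipe', 'pass show ...')` like `qvisqve_token_public_key`) or drop `letsencrypt_email` and document where the certificate comes from. `remote_user: root` together with `become: yes` is redundant and relies on the host accepting root SSH logins; a non-root login user with sudo is the usual hardening.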
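Review bot: `Listen 8080` with no address binds the apt repository vhost on every interface, so the plain-HTTP repository on port 8080 is reachable directly and bypasses the haproxy `/debian` rule that forwards to `127.0.0.1:{{ apache_port }}`; the one replaced line in this hunk appears to have been lost in extraction (the diffstat shows one insertion and one deletion), so if it does not already restrict the bind this still applies. I would change the context line to `Listen 127.0.0.1:8080` so the only path to the repository is through the TLS-terminating proxy, or enforce the same with a firewall rule. The rest of the vhost is outside the hunk.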
@@ -1,37 +0,0 @@ -- name: install haproxy - apt: - name: haproxy - -- name: create config dir - file: - state: directory - path: "{{ item }}" - owner: root - group: root - mode: 0755 - with_items: - - /etc/haproxy - -- name: install haproxy config - template: - src: haproxy.cfg.j2 - dest: /etc/haproxy/haproxy.cfg - owner: root - group: root - mode: 0644 - -- name: install TLS certificate - copy: - content: "{{ tls_certificate }}" - dest: /etc/ssl/ick.pem - owner: root - group: root - mode: 0600 - -- name: enable and start haproxy - service: - name: "{{ item }}" - state: restarted - enabled: yes - with_items: - - haproxy diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 deleted file mode 100644 index 0a6ec70..0000000 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ /dev/null 
@@ -1,79 +0,0 @@ -global - log 127.0.0.1 local4 - chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin - stats timeout 30s - user haproxy - group haproxy - daemon - - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - tune.ssl.default-dh-param 2048 - ssl-default-bind-options no-tls-tickets - ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http - - -frontend http-in - bind *:80 - bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem - - rspadd Strict-Transport-Security:\ max-age=15768000 - - acl ickweb path_beg /web - acl blobs path_beg /blobs - acl token path_beg /token - acl login path_beg /login - acl auth path_beg /auth - acl clients path_beg /clients - acl users path_beg /users - acl applications path_beg /applications - acl notify path_beg /notify - acl debian path_beg /debian - acl any method GET HEAD POST PUT DELETE - - use_backend apache if debian - use_backend ickweb if ickweb - use_backend notification_service if notify - use_backend artifact_store if blobs - 
use_backend qvisqve if token - use_backend qvisqve if login - use_backend qvisqve if auth - use_backend qvisqve if clients - use_backend qvisqve if users - use_backend qvisqve if applications - use_backend controller if any - -backend apache - server apache_1 127.0.0.1:8080 - -backend ickweb - server ickweb_1 127.0.0.1:{{ ickweb_port }} - -backend controller - server controller_1 127.0.0.1:{{ controller_port }} - -backend artifact_store - server artifact_store_1 127.0.0.1:{{ artifact_store_port }} - -backend qvisqve - server qvisqve_1 127.0.0.1:{{ qvisqve_port }} - -backend notification_service - server notify_1 127.0.0.1:{{ notify_port }} diff --git a/roles/ickweb/files/haproxy.cfg b/roles/ickweb/files/haproxy.cfg new file mode 100644 index 0000000..6191bcc --- /dev/null +++ b/roles/ickweb/files/haproxy.cfg 
@@ -0,0 +1,47 @@ +# haproxy.cfg +# HAProxy configuration for Qvisqve. + +global + log 127.0.0.1 local4 + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + tune.ssl.default-dh-param 2048 + ssl-default-bind-options no-tls-tickets + ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + + +frontend http-in + bind *:80 + bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem + + rspadd Strict-Transport-Security:\ max-age=15768000 + + acl methods method GET HEAD POST PUT DELETE + use_backend ickweb if methods + +backend ickweb + server ickweb_1 127.0.0.1:8080 diff --git a/roles/ickweb/tasks/main.yml b/roles/ickweb/tasks/main.yml new file mode 100644 index 0000000..163e436 --- /dev/null +++ b/roles/ickweb/tasks/main.yml 
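Review bot: The `backend ickweb` server is hard-coded to `127.0.0.1:8080` while the `start_ickweb` template in this commit starts the app on `{{ ickweb_port }}` (10001 in `group_vars/ickhost.yml`), so unless the `demo` host sets `ickweb_port` to 8080 the proxy forwards to a port nothing listens on; because this file lives in `files/` rather than `templates/` it cannot use the variable, so I would move it to `templates/` and render the port. Port 80 is bound but never redirected to TLS, so the HSTS header only protects clients that already reached the site over HTTPS; a `redirect scheme https` line closes that gap. `no-sslv3 no-tlsv10` still permits TLS 1.1, `rspadd` is the deprecated spelling of `http-response set-header`, and the header comment says the file is for Qvisqve although it is the ickweb front end.
```haproxy
# haproxy.cfg
# HAProxy front end for ickweb: TLS termination, HSTS, proxy to the local app.

# … unchanged: global and defaults sections …

frontend http-in
    bind *:80
    bind *:443 ssl no-sslv3 no-tlsv10 no-tlsv11 crt /etc/ssl/haproxy.pem

    # Send plaintext clients to TLS first; HSTS only applies after an HTTPS visit.
    redirect scheme https code 301 if !{ ssl_fc }
    http-response set-header Strict-Transport-Security max-age=15768000

    acl methods method GET HEAD POST PUT DELETE
    use_backend ickweb if methods

backend ickweb
    # Must match the port start_ickweb passes to ./run; render this file as a
    # template so both come from ickweb_port.
    server ickweb_1 127.0.0.1:{{ ickweb_port }}
```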
@@ -0,0 +1,72 @@ +- name: "install packages" + apt: + name: "{{ item }}" + with_items: + - git + - haproxy + - python3-bottle + - python3-requests + +- name: "create ickweb user" + user: + name: _ickweb + comment: Ickweb user + system: yes + +- name: "create ickweb group" + group: + name: _ickweb + system: yes + +- name: "install ickweb code" + shell: | + rm -rf /var/lib/ickweb + git clone git://git.liw.fi/ickweb /var/lib/ickweb + chown -R root:root /var/lib/ickweb + chmod -R ugo=rX /var/lib/ickweb + +- name: "create /etc/ickweb" + file: + state: directory + path: /etc/ickweb + owner: _ickweb + group: _ickweb + mode: 0755 + +- name: "install ickweb config" + copy: + content: "{{ ickweb_secret }}" + dest: /etc/ickweb/secret + owner: _ickweb + group: _ickweb + mode: 0700 + +- name: "install ickweb script" + template: + src: start_ickweb + dest: /usr/local/bin + owner: root + group: root + mode: 0755 + +- name: "install ickweb systemd unit" + template: + src: ickweb.service + dest: /lib/systemd/system/ickweb.service + owner: root + group: root + mode: 0755 + +- name: "reload systemd" + systemd: + name: haproxy + state: reloaded + +- name: "enable and restart services" + systemd: + name: "{{ item }}" + enabled: yes + state: restarted + with_items: + - haproxy + - ickweb diff --git a/roles/ickweb/templates/ickweb.service b/roles/ickweb/templates/ickweb.service new file mode 100644 index 0000000..208ac09 --- /dev/null +++ b/roles/ickweb/templates/ickweb.service @@ -0,0 +1,13 @@ +[Unit] +Description=Ick web app +Requires=network.target +After=network.target + +[Service] +Type=simple +User=_ickweb +Group=_ickweb +ExecStart=/usr/local/bin/start_ickweb /etc/ickweb/secret + +[Install] +WantedBy=multi-user.target diff --git a/roles/ickweb/templates/start_ickweb b/roles/ickweb/templates/start_ickweb new file mode 100644 index 0000000..a6e93f7 --- /dev/null +++ b/roles/ickweb/templates/start_ickweb 
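Review bot: `install ickweb code` fetches the application the service will run from `git://git.liw.fi/ickweb`, a transport with no integrity protection and no pinned revision, and re-clones it on every run through `shell`, so whatever sits at the branch tip at deploy time executes as `_ickweb`; the `git` module over `https://` (if the host serves it) or SSH, with `version:` pinned to a reviewed tag or commit, fixes both. The secret task writes `ickweb_secret` through `copy: content:` without `no_log: true`, so the value shows up in verbose and `--diff` output, and it lands `_ickweb`-owned with mode `0700` inside an `_ickweb`-owned `/etc/ickweb`, letting the service rewrite its own secret; `root:_ickweb` with `0640` in a root-owned directory is all the unit needs to read it. `roles/ickweb/files/haproxy.cfg` added in this commit is never copied to `/etc/haproxy/haproxy.cfg` by any task here, so the package default config is what gets restarted. The task named `reload systemd` reloads haproxy instead of running `daemon_reload: yes`, which the new `ickweb.service` needs before `enabled: yes` can succeed on a fresh host, and the unit file is installed with `0755` where `0644` is conventional.
```yaml
- name: "install ickweb code"
  git:
    repo: https://git.liw.fi/ickweb   # git:// has no integrity; pin to a reviewed ref
    dest: /var/lib/ickweb
    version: "{{ ickweb_version }}"   # tag or commit, set per environment
    force: yes

# … unchanged: user/group creation …

- name: "create /etc/ickweb"
  file:
    state: directory
    path: /etc/ickweb
    owner: root
    group: root
    mode: "0755"

- name: "install ickweb config"
  copy:
    content: "{{ ickweb_secret }}"
    dest: /etc/ickweb/secret
    owner: root
    group: _ickweb
    mode: "0640"
  no_log: true

# … unchanged: start script install …

- name: "install ickweb systemd unit"
  template:
    src: ickweb.service
    dest: /lib/systemd/system/ickweb.service
    owner: root
    group: root
    mode: "0644"

- name: "install haproxy config"
  copy:
    src: haproxy.cfg
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: root
    mode: "0644"

- name: "reload systemd"
  systemd:
    daemon_reload: yes

# … unchanged: enable and restart haproxy and ickweb …
```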
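Review bot: The unit applies no sandboxing even though the process it runs is cloned from an unauthenticated `git://` source (see `roles/ickweb/tasks/main.yml`) and only needs to read `/var/lib/ickweb` and `/etc/ickweb/secret`; adding `NoNewPrivileges=yes`, `ProtectSystem=strict` (with `ReadWritePaths=` for anything the app writes) and `PrivateTmp=yes` under `[Service]` limits what a compromised app can do. `Requires=network.target` is a hard dependency on a synchronization point that does not guarantee a configured network; `After=network-online.target` with `Wants=network-online.target` is the documented form. The `/etc/ickweb/secret` argument passed on `ExecStart` is ignored by `start_ickweb`, which hard-codes the same path, so one of the two files should own it.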
@@ -0,0 +1,6 @@ +#!/bin/sh + +set -eu + +cd /var/lib/ickweb +./run "{{ controller_url }}" /etc/ickweb/secret "{{ ickweb_port }}" prod diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml deleted file mode 100644 index ce1a2d3..0000000 --- a/roles/letsencrypt/defaults/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -# Enable letsencrypt? -letsencrypt: yes - -# Specify a properly configured and functional domain name -letsencrypt_domain: FIXME - -# Specify a working email address -letsencrypt_email: FIXME - -letsencrypt_server_haproxy_crt: /etc/haproxy/haproxy.pem diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml deleted file mode 100644 index b7d0df0..0000000 --- a/roles/letsencrypt/tasks/main.yml +++ /dev/null 
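Review bot: The script ignores the secret path that `ickweb.service` passes as `$1` and hard-codes `/etc/ickweb/secret`, so the two files can silently diverge; `./run "{{ controller_url }}" "${1:-/etc/ickweb/secret}" "{{ ickweb_port }}" prod` honours the argument and keeps the current default. The port is rendered from `ickweb_port` here while the role's `haproxy.cfg` forwards to a fixed `127.0.0.1:8080`, so the two agree only when `ickweb_port` is 8080. What `./run` does with its arguments is not visible in this commit.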
@@ -1,79 +0,0 @@ -- name: check required variables - fail: - msg: "value of {{ item }} should no be FIXME!" - with_items: - - letsencrypt_domain - - letsencrypt_email - - letsencrypt_server - when: item == "FIXME" - -- name: install deploy_certs_haproxy - template: - src: deploy_certs_haproxy - dest: /usr/local/sbin/deploy_certs_haproxy - owner: root - group: root - mode: 0755 - when: letsencrypt - -- name: install certbot - apt: - name: certbot - default_release: stretch-backports - when: letsencrypt - -- name: install haproxy - apt: - name: haproxy - -- name: install ssl-cert - apt: - name: ssl-cert - when: not letsencrypt - -- name: stop haproxy - ignore_errors: true - systemd: - name: haproxy - state: stopped - -- name: install snakeoil certificate for haproxy - shell: | - cat /etc/ssl/certs/ssl-cert-snakeoil.pem \ - /etc/ssl/private/ssl-cert-snakeoil.key \ - > /etc/haproxy/haproxy.pem - when: not letsencrypt - -- name: fetch new certificate - command: > - certbot certonly - --standalone - --noninteractive - --domain "{{ letsencrypt_domain }}" - --email "{{ letsencrypt_email }}" - --agree-tos - when: letsencrypt - -- name: install new cert for haproxy - command: /usr/local/sbin/deploy_certs_haproxy - when: letsencrypt - -- name: start haproxy - ignore_errors: true - systemd: - name: haproxy - state: started - -- name: add cron job - cron: - name: letsencrypt - hour: 23 - minute: 42 - user: root - job: > - certbot renew - --standalone - --quiet - --pre-hook "systemctl stop haproxy" - --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy" - when: letsencrypt diff --git a/roles/letsencrypt/templates/deploy_certs_haproxy b/roles/letsencrypt/templates/deploy_certs_haproxy deleted file mode 100644 index 6c93a80..0000000 --- a/roles/letsencrypt/templates/deploy_certs_haproxy +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh - -set -eu - -cat "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem" \ - "/etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem" \ - > "{{ letsencrypt_server_haproxy_crt }}" -chmod 600 "{{ letsencrypt_server_haproxy_crt }}" diff --git a/run-ickweb.yml b/run-ickweb.yml new file mode 100755 index 0000000..82fdace --- /dev/null +++ b/run-ickweb.yml @@ -0,0 +1,31 @@ +#!/bin/bash + +set -eu + + +getaddr() +{ + awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" | + sed 's/ansible_ssh_host=//' +} + + +mkhosts() +{ + cat < hosts.tmp +ansible-playbook \ + ickweb.yml \ + -i hosts.tmp \ + -e ickweb_domain_name="$(getaddr demo)" \ + "$@" -- cgit v1.2.1
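Review bot: `run-ickweb.yml` is a bash script (`#!/bin/bash`, mode 100755), not a playbook, and the `.yml` suffix misleads readers and tooling alike; `run-ickweb.sh`, or a suffix-free name beside `ickweb.yml`, would be clearer. The heredoc that builds `hosts.tmp` appears to have been lost in extraction (`cat < hosts.tmp` cannot be the original text), so I cannot review the inventory it writes, but `hosts.tmp` is left in the working directory after the run and `$hosts_in` is not assigned in the visible lines; a `trap 'rm -f hosts.tmp' EXIT` and `set -o pipefail` next to `set -eu` would tighten the script. The `-e ickweb_domain_name=...` value is a bare address for a variable that no file in the `ickweb` role added by this commit reads.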