Create the archmanweb role

roles/archmanweb/defaults/main.yml

+---
+archmanweb_dir: '/srv/http/archmanweb'
+archmanweb_cache_dir: '{{ archmanweb_dir }}/cache'
+archmanweb_domain: 'man.archlinux.org'
+archmanweb_allowed_hosts: ["{{ archmanweb_domain }}"]
+archmanweb_nginx_conf: '/etc/nginx/nginx.d/archmanweb.conf'
+archmanweb_repository: 'https://github.com/lahwaacz/archmanweb.git'
+archmanweb_version: deployment
+archmanweb_django_settings_module: production.settings
+#archmanweb_pgp_key: ['932BA3FA0C86812A32D1F54DAB5964AEB9FEDDDC']   # Jakub Klinkovský (lahwaacz)
+archmanweb_forced_deploy: false
+
+archmanweb_db: 'archmanweb'
+archmanweb_db_host: 'localhost'
+archmanweb_db_user: 'archmanweb'

roles/archmanweb/tasks/main.yml

+---
+
+- name: install required packages
+  pacman:
+    state: present
+    name:
+      - git
+      - mandoc
+      - pyalpm
+      - python-chardet
+      - python-django
+      - python-psycopg2
+      - python-requests
+      - python-xtarfile
+      - uwsgi-plugin-python
+
+- name: make archmanweb user
+  user: name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}"
+
+- name: fix home permissions
+  file: state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}"
+
+- name: set archmanweb groups
+  user: name=archmanweb groups=uwsgi
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755
+
+- name: clone archmanweb repo
+  git: >
+    repo={{ archmanweb_repository }}
+    dest="{{ archmanweb_dir }}/repo"
+    version={{ archmanweb_version }}
+# TODO
+#    verify_commit=true
+#    gpg_whitelist={{ archmanweb_pgp_key }}
+  become: true
+  become_user: archmanweb
+  register: release
+
+- name: configure archmanweb
+  template: src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/production/local_settings.py owner=archmanweb group=archmanweb mode=0660
+  register: config
+  no_log: true
+
+- name: create archmanweb db user
+  postgresql_user: name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
+  no_log: true
+
+- name: create archmanweb db
+  postgresql_db: name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}"
+  register: db_created
+
+- name: add pg_trgm extension to the archmanweb db
+  postgresql_ext: name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}"
+  when: db_created.changed or archmanweb_forced_deploy
+
+- name: run Django management tasks
+  django_manage: app_path="{{ archmanweb_dir }}/repo" command="{{ item }}"
+  with_items:
+    - migrate
+    - collectstatic
+    - man_drop_cache
+  environment:
+    DJANGO_SETTINGS_MODULE: "{{ archmanweb_django_settings_module }}"
+  become: true
+  become_user: archmanweb
+  when: db_created.changed or release.changed or config.changed or archmanweb_forced_deploy
+
+- name: configure UWSGI for archmanweb
+  template: src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640
+
+- name: deploy new release
+  file: path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640
+  when: release.changed or config.changed or archmanweb_forced_deploy
+
+- name: install systemd units
+  template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
+  with_items:
+    - archmanweb_update.service
+    - archmanweb_update.timer
+
+- name: start and enable archmanweb update timer
+  systemd: name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes

roles/archmanweb/templates/archmanweb.ini.j2

+[uwsgi]
+plugins = python
+chdir = {{ archmanweb_dir }}/repo
+env = DJANGO_SETTINGS_MODULE={{ archmanweb_django_settings_module }}
+module = wsgi:application
+socket = /run/uwsgi/archmanweb.sock
+chmod-socket = 660
+processes = 4
+threads = 1
+master = true
+uid = archmanweb
+gid = http
+thunder-lock = true
+daemonize = /var/log/uwsgi/archmanweb.log
+stats = /run/uwsgi/archmanweb-stats.sock

roles/archmanweb/templates/archmanweb_update.service.j2

+[Unit]
+Description=Update archmanweb database
+
+[Service]
+Type=oneshot
+User=archmanweb
+WorkingDirectory={{ archmanweb_dir }}/repo/
+Environment=DJANGO_SETTINGS_MODULE="{{ archmanweb_django_settings_module }}"
+ExecStart=/usr/bin/python3 manage.py man_update --cache-dir {{ archmanweb_cache_dir }}
+
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+NoNewPrivileges=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true

roles/archmanweb/templates/archmanweb_update.timer.j2

+[Unit]
+Description=Timer for the archmanweb update
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target

roles/archmanweb/templates/local_settings.py.j2

+DEBUG = False
+
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = '{{ vault_archmanweb_secret_key }}'
+
+# Hostnames we allow this site to be served under
+ALLOWED_HOSTS = [{% for host in archmanweb_allowed_hosts %}'{{ host }}', {% endfor -%}]
+
+DATABASES = {
+    'default': {
+        'ENGINE'  : 'django.db.backends.postgresql_psycopg2',
+        'PORT'    : 5432,
+{% if archmanweb_db_host != 'localhost' %}
+        'HOST'    : '{{ archmanweb_db_host }}',
+{% endif %}
+        'NAME'    : '{{ archmanweb_db }}',
+        'USER'    : '{{ archmanweb_db_user }}',
+        'PASSWORD': '{{ vault_archmanweb_db_password }}',
+        'OPTIONS' : {
+            'application_name': 'archmanweb',
+{% if archmanweb_db_host != 'localhost' %}
+            'sslmode': 'require',
+{% endif %}
+        }
+    },
+}

roles/archmanweb/templates/nginx.d.conf.j2

+upstream archmanweb {
+    server unix:///run/uwsgi/archmanweb.sock;
+}
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ archmanweb_domain }};
+
+    access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ archmanweb_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ archmanweb_domain }};
+
+    access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ archmanweb_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ archmanweb_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ archmanweb_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ archmanweb_domain }}/chain.pem;
+
+    location /favicon.ico {
+        alias {{ archmanweb_dir }}/repo/collected_static/favicon.ico;
+    }
+
+    # Client-cache for Django's static assets
+    location /static {
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+        alias {{ archmanweb_dir }}/repo/collected_static;
+    }
+
+    location / {
+        access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log main;
+        include uwsgi_params;
+        uwsgi_pass archmanweb;
+    }
+}