group_vars: Added the archweb_db_password.

roles/archweb: Nginx deployment, domain variable and other improvements.

group_vars/all/archweb.yml

 $ANSIBLE_VAULT;1.1;AES256
-32336337623936643161653739636138303332326366363963393436396465633137616266653463
-3663343535306333323332366338623463363030663534630a326336333065633333333230663130
-32656537326537313336343136316338346464386237626230663236343865336562363562363739
-6163396332343032340a653739353436656139396336623539643431366462363164646361336436
-36316238336535323864383537613964373666656465636562613530356566303139383230643761
-65663030323464623230626330633538303436363664383839623334333837666435323466666638
-64353061613234373966636266613763366364386334323333663933616534333937396539376562
-38623139323463336363
+61373130666134363630336235326331396634393437353839653163313238633833353661613662
+3562663866666337656161663330383665643839626139300a376437613930303562623264363664
+63323236383034616566316334323439663166636361333338383536333866323437306264623363
+3362663536623735320a313434643866363336346636303431306230383665663566636530666432
+38333932353535646666626637363431316631356439623134336439396631323162613432323137
+64653534616263623139373561306461353739613963303639636139386131383861363338313636
+30653234643865343833663835663662383636353535623063333162356533643430306134326239
+39343462623962643830623131326138353865306137343137333338323738373666623361336332
+66386334376537313162373564386534656135343266303239333662643938653330616638333337
+6437383736313733663062663230663530633361376633373631

roles/archweb/tasks/main.yml

@@ -4,28 +4,36 @@
   pacman: name=git,memcached,python2,python2-virtualenv,uwsgi-plugin-python2 state=present
 
 - name: make archweb user
-  user: name=archweb shell=/bin/false home="{{ archweb_home }}" createhome=no groups=uwsgi
+  user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no groups=uwsgi
 
 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_home }}"
+  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/archweb.conf owner=root group=root mode=644
+  notify:
+    - restart nginx
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=http group=log mode=755
 
 - name: clone archweb repo
-  git: repo=git://git.archlinux.org/archweb.git dest="{{ archweb_home }}"
+  git: repo=git://git.archlinux.org/archweb.git dest="{{ archweb_dir }}"
   become: true
   become_user: archweb
 
 - name: make virtualenv
-  command: virtualenv2 "{{ archweb_home }}"/env creates="{{ archweb_home }}/env/bin/python"
+  command: virtualenv2 "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python"
   become: true
   become_user: archweb
 
 - name: install stuff into virtualenv
-  pip: requirements="{{ archweb_home }}/requirements_prod.txt" virtualenv="{{ archweb_home }}/env"
+  pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env"
   become: true
   become_user: archweb
 
 - name: fix home permissions
-  file: state=directory owner=archweb group=archweb path="{{ archweb_home }}"
+  file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}"
 
 - name: copy archweb services
   copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644

roles/archweb/templates/local_settings.py.j2

 # Django settings for archlinux project.
 
+## Debug settings
+DEBUG = False
+TEMPLATE_DEBUG = False
+
+## Notification admins
+ADMINS = (
+    ('Archweb Bugs', 'dan@archlinux.org'),
+)
+
+SERVER_EMAIL = 'archweb@archlinux.org'
 
-## Database settings
 DATABASES = {
     'default': {
         'ENGINE'  : 'django.db.backends.postgresql_psycopg2',
+        'PORT'    : 5432,
         'NAME'    : 'archweb',
-        'USER'    : 'archweb_update',
-        'PASSWORD': '{{ postgres_users.archweb_update }}',
-        'HOST'    : 'gudrun.archlinux.org',
-        'OPTIONS' : {
-            'autocommit': True,
-            'application_name': 'archweb',
-            'sslmode': 'require',
-        }
+        'USER'    : 'archweb',
+        'PASSWORD': '{{ archweb_db_password }}',
+        'OPTIONS' : {'autocommit': True, 'application_name': 'archweb'},
+    },
+}
+
+## Define cache settings
+CACHES = {
+    'default': {
+        'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
+        'LOCATION': '127.0.0.1:11211',
     }
 }
 
-## Make this unique, and don't share it with anybody.
-SECRET_KEY = '{{ archweb_secret_key }}'
+## Use secure session cookies? Make this true if you want all
+## logged-in actions to take place over HTTPS only. If developing
+## locally, you will want to use False.
+SESSION_COOKIE_SECURE = True
+
+## static files URL
+STATIC_URL = '/static/'
+STATIC_URL = 'https://d11xdyzr0div58.cloudfront.net/static/'
+
+## location for saving dev pictures
+MEDIA_ROOT = '/srv/http/vhosts/archlinux.org/img'
+
+## web url for serving image files
+MEDIA_URL = '/img/'
+MEDIA_URL = 'https://d11xdyzr0div58.cloudfront.net/img/'
+
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = {{ archweb_secret_key }}
+
+# Hostnames we allow this site to be served under
+ALLOWED_HOSTS = ['{{ archweb_domain }}']
 
-## Cache settings
-CACHE_BACKEND = 'memcached://gudrun.archlinux.org:11211'
-CACHE_MIDDLEWARE_SECONDS = 300
-CACHE_MIDDLEWARE_KEY_PREFIX = 'arch'
+## CDN settings
+CDN_ENABLED = True
 
 # vim: set ts=4 sw=4 et:

roles/archweb/templates/nginx.d.conf.j2

+upstream archweb {
+    server unix:///run/uwsgi/archweb.sock;
+}
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ archweb_domain }};
+
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log;
+    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        rewrite ^(.*) https://$server_name$1 permanent;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ archweb_domain }};
+
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log;
+    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
+
+    location / {
+        include uwsgi_params;
+        uwsgi_pass archweb;
+    }
+}

roles/uwsgi/templates/archweb.j2

-[uwsgi]
-project = archweb 
-base = /srv/http/archweb
-
-chdir = %(base)
-home = /srv/http/archweb
-module = %(project).wsgi
-
-master = true
-processes = 4
-threads = 2
-reload-on-rss = 600
-
-socket = /run/uwsgi/%(project).sock
-chown-socket = root:nginx
-chmod-socket = 660
-vacuum = true
-logto = /var/log/archweb.log
-
-plugins = python2