From 4058d52114c3000faa0c6e601e56b312e2725952 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini <grazzolini@archlinux.org>
Date: Fri, 2 Dec 2016 15:44:59 -0200
Subject: [PATCH] group_vars: Added the archweb_db_password. roles/archweb: Nginx deployment, domain variable and other improvements.
---
 group_vars/all/archweb.yml | 18 +++---
 roles/archweb/tasks/main.yml | 20 +++++-
 roles/archweb/templates/local_settings.py.j2 | 60 +++++++++++++++-----
 roles/archweb/templates/nginx.d.conf.j2 | 36 ++++++++++++
 roles/uwsgi/templates/archweb.j2 | 20 -------
 5 files changed, 105 insertions(+), 49 deletions(-)
 create mode 100644 roles/archweb/templates/nginx.d.conf.j2
 delete mode 100644 roles/uwsgi/templates/archweb.j2
diff --git a/group_vars/all/archweb.yml b/group_vars/all/archweb.yml
index 72d63ecf1..44bdccadf 100644
--- a/group_vars/all/archweb.yml
+++ b/group_vars/all/archweb.yml
@@ -1,9 +1,11 @@
 $ANSIBLE_VAULT;1.1;AES256
-32336337623936643161653739636138303332326366363963393436396465633137616266653463
-3663343535306333323332366338623463363030663534630a326336333065633333333230663130
-32656537326537313336343136316338346464386237626230663236343865336562363562363739
-6163396332343032340a653739353436656139396336623539643431366462363164646361336436
-36316238336535323864383537613964373666656465636562613530356566303139383230643761
-65663030323464623230626330633538303436363664383839623334333837666435323466666638
-64353061613234373966636266613763366364386334323333663933616534333937396539376562
-38623139323463336363
+61373130666134363630336235326331396634393437353839653163313238633833353661613662
+3562663866666337656161663330383665643839626139300a376437613930303562623264363664
+63323236383034616566316334323439663166636361333338383536333866323437306264623363
+3362663536623735320a313434643866363336346636303431306230383665663566636530666432
+38333932353535646666626637363431316631356439623134336439396631323162613432323137
+64653534616263623139373561306461353739613963303639636139386131383861363338313636
+30653234643865343833663835663662383636353535623063333162356533643430306134326239
+39343462623962643830623131326138353865306137343137333338323738373666623361336332
+66386334376537313162373564386534656135343266303239333662643938653330616638333337
+6437383736313733663062663230663530633361376633373631
diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 8d33d3c96..92e4241d4 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -4,28 +4,36 @@ pacman: name=git,memcached,python2,python2-virtualenv,uwsgi-plugin-python2 state=present - name: make archweb user - user: name=archweb shell=/bin/false home="{{ archweb_home }}" createhome=no groups=uwsgi + user: name=archweb shell=/bin/false home="{{ archweb_dir }}" createhome=no groups=uwsgi - name: fix home permissions - file: state=directory owner=archweb group=archweb path="{{ archweb_home }}" + file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}" + +- name: set up nginx + template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/archweb.conf owner=root group=root mode=644 + notify: + - restart nginx + +- name: make nginx log dir + file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=http group=log mode=755 - name: clone archweb repo - git: repo=git://git.archlinux.org/archweb.git dest="{{ archweb_home }}" + git: repo=git://git.archlinux.org/archweb.git dest="{{ archweb_dir }}" become: true become_user: archweb - name: make virtualenv - command: virtualenv2 "{{ archweb_home }}"/env creates="{{ archweb_home }}/env/bin/python" + command: virtualenv2 "{{ archweb_dir }}"/env creates="{{ archweb_dir }}/env/bin/python" become: true become_user: archweb - name: install stuff into virtualenv - pip: requirements="{{ archweb_home }}/requirements_prod.txt" virtualenv="{{ archweb_home }}/env" + pip: requirements="{{ archweb_dir }}/requirements_prod.txt" virtualenv="{{ archweb_dir }}/env" become: true become_user: archweb - name: fix home permissions - file: state=directory owner=archweb group=archweb path="{{ archweb_home }}" + file: state=directory owner=archweb group=archweb path="{{ archweb_dir }}" - name: copy archweb services copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 diff --git a/roles/archweb/templates/local_settings.py.j2 b/roles/archweb/templates/local_settings.py.j2 index 397061635..3292ff961 100644 --- a/roles/archweb/templates/local_settings.py.j2 
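Review bot: The clone task that now targets `archweb_dir` still fetches the application over `git://` with no `version=` pin, so what gets deployed is whatever the remote's default branch holds at run time, retrieved over a transport with no authentication or integrity protection. Because this is the application code itself, pin a tag or commit and use the https endpoint if the host serves one, e.g. `git: repo=https://git.archlinux.org/archweb.git dest="{{ archweb_dir }}" version=<pinned tag or commit>`. The new `set up nginx` task writes `mode=644` while the `copy archweb services` task below it uses `mode=0644`; both spellings should be read as octal in key=value form, but using one of them consistently avoids a reader assuming they differ. The `restart nginx` handler notified here is presumably defined in the role's handlers file, which is not part of this diff.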
+++ b/roles/archweb/templates/local_settings.py.j2 @@ -1,28 +1,58 @@ # Django settings for archlinux project. +## Debug settings +DEBUG = False +TEMPLATE_DEBUG = False + +## Notification admins +ADMINS = ( + ('Archweb Bugs', 'dan@archlinux.org'), +) + +SERVER_EMAIL = 'archweb@archlinux.org' -## Database settings DATABASES = { 'default': { 'ENGINE' : 'django.db.backends.postgresql_psycopg2', + 'PORT' : 5432, 'NAME' : 'archweb', - 'USER' : 'archweb_update', - 'PASSWORD': '{{ postgres_users.archweb_update }}', - 'HOST' : 'gudrun.archlinux.org', - 'OPTIONS' : { - 'autocommit': True, - 'application_name': 'archweb', - 'sslmode': 'require', - } + 'USER' : 'archweb', + 'PASSWORD': '{{ archweb_db_password }}', + 'OPTIONS' : {'autocommit': True, 'application_name': 'archweb'}, + }, +} + +## Define cache settings +CACHES = { + 'default': { + 'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', } } -## Make this unique, and don't share it with anybody. -SECRET_KEY = '{{ archweb_secret_key }}' +## Use secure session cookies? Make this true if you want all +## logged-in actions to take place over HTTPS only. If developing +## locally, you will want to use False. +SESSION_COOKIE_SECURE = True + +## static files URL +STATIC_URL = '/static/' +STATIC_URL = 'https://d11xdyzr0div58.cloudfront.net/static/' + +## location for saving dev pictures +MEDIA_ROOT = '/srv/http/vhosts/archlinux.org/img' + +## web url for serving image files +MEDIA_URL = '/img/' +MEDIA_URL = 'https://d11xdyzr0div58.cloudfront.net/img/' + +# Make this unique, and don't share it with anybody. +SECRET_KEY = {{ archweb_secret_key }} + +# Hostnames we allow this site to be served under +ALLOWED_HOSTS = ['{{ archweb_domain }}'] -## Cache settings -CACHE_BACKEND = 'memcached://gudrun.archlinux.org:11211' -CACHE_MIDDLEWARE_SECONDS = 300 -CACHE_MIDDLEWARE_KEY_PREFIX = 'arch' +## CDN settings +CDN_ENABLED = True # vim: set ts=4 sw=4 et: 
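Review bot: `SECRET_KEY = {{ archweb_secret_key }}` drops the quotes that the removed line had, so unless the vaulted value itself carries surrounding quotes the rendered settings file contains a bare token and fails to import; restore `SECRET_KEY = '{{ archweb_secret_key }}'`. `SESSION_COOKIE_SECURE = True` is set but `CSRF_COOKIE_SECURE` is not, so the CSRF cookie can still be sent over plain HTTP even though the site redirects everything to HTTPS; add `CSRF_COOKIE_SECURE = True` next to it. `STATIC_URL` and `MEDIA_URL` are each assigned twice and only the CloudFront values survive; the `/static/` and `/img/` lines are dead and should be dropped or commented out so the effective value is obvious at a glance.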
diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
new file mode 100644
index 000000000..e6de420b0
--- /dev/null
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -0,0 +1,36 @@
+upstream archweb {
+ server unix:///run/uwsgi/archweb.sock;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ archweb_domain }};
+
+ access_log /var/log/nginx/{{ archweb_domain }}/access.log;
+ error_log /var/log/nginx/{{ archweb_domain }}/error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location / {
+ rewrite ^(.*) https://$server_name$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ archweb_domain }};
+
+ access_log /var/log/nginx/{{ archweb_domain }}/access.log;
+ error_log /var/log/nginx/{{ archweb_domain }}/error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
+
+ location / {
+ include uwsgi_params;
+ uwsgi_pass archweb;
+ }
+}
diff --git a/roles/uwsgi/templates/archweb.j2 b/roles/uwsgi/templates/archweb.j2
deleted file mode 100644
index 92d42161c..000000000
--- a/roles/uwsgi/templates/archweb.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-[uwsgi]
-project = archweb
-base = /srv/http/archweb
-
-chdir = %(base)
-home = /srv/http/archweb
-module = %(project).wsgi
-
-master = true
-processes = 4
-threads = 2
-reload-on-rss = 600
-
-socket = /run/uwsgi/%(project).sock
-chown-socket = root:nginx
-chmod-socket = 660
-vacuum = true
-logto = /var/log/archweb.log
-
-plugins = python2
-- GitLab
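Review bot: The 443 server block sets `ssl_trusted_certificate`, but that file is only consulted for OCSP stapling or client-certificate verification and neither is enabled here; either add `ssl_stapling on;` and `ssl_stapling_verify on;` after it or drop the line. No `add_header Strict-Transport-Security` appears, and `ssl_protocols`/`ssl_ciphers` are absent too, which is fine only if `snippets/letsencrypt.conf` or the global nginx.conf supplies them — worth confirming since neither is in this diff. The upstream points at `/run/uwsgi/archweb.sock`, yet this commit deletes the uwsgi ini that created that socket with `chown-socket = root:nginx` and `chmod-socket = 660`, so the socket's replacement definition and its ownership must come from somewhere not shown here. The HTTP-to-HTTPS redirect would read more idiomatically as `return 301 https://$server_name$request_uri;` in place of the `rewrite`.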