Arch Linux
infrastructure
Commit
42f5ceb4
authored
Jan 10, 2021
by
Sven-Hendrik Haase
Merge branch 'archmanweb' into 'master'
add archmanweb role See merge request
!159
parents
1f9f07bc
bc7d28c7
Pipeline
#4533
passed with stage
in 43 seconds
Changes
7
roles/archmanweb/defaults/main.yml
0 → 100644
---
archmanweb_dir
:
'
/srv/http/archmanweb'
archmanweb_cache_dir
:
'
{{
archmanweb_dir
}}/cache'
archmanweb_domain
:
'
man.archlinux.org'
archmanweb_allowed_hosts
:
[
"
{{
archmanweb_domain
}}"
]
archmanweb_nginx_conf
:
'
/etc/nginx/nginx.d/archmanweb.conf'
archmanweb_repository
:
'
https://gitlab.archlinux.org/archlinux/archmanweb.git'
#archmanweb_pgp_key: ['932BA3FA0C86812A32D1F54DAB5964AEB9FEDDDC'] # Jakub Klinkovský (lahwaacz)
archmanweb_forced_deploy
:
false
archmanweb_db
:
'
archmanweb'
archmanweb_db_host
:
'
localhost'
archmanweb_db_user
:
'
archmanweb'
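Review bot: `archmanweb_version` is read by the clone task in roles/archmanweb/tasks/main.yml but gets no default in this file, and none of the seven files in this commit sets it, so unless the inventory already defines it the role stops on an undefined variable. While `archmanweb_pgp_key` stays commented out, the chosen ref is also the only integrity control on the checkout. I would add a default that pins a reviewed revision, for example `archmanweb_version: '<full commit hash>'` (placeholder), rather than a branch name.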
roles/archmanweb/tasks/main.yml
0 → 100644
---
-
name
:
install required packages
pacman
:
state
:
present
name
:
-
git
-
mandoc
-
pyalpm
-
python-chardet
-
python-django
-
python-psycopg2
-
python-requests
-
python-xtarfile
-
uwsgi-plugin-python
-
make
-
sassc
-
name
:
make archmanweb user
user
:
name=archmanweb shell=/bin/false home="{{ archmanweb_dir }}"
-
name
:
fix home permissions
file
:
state=directory owner=archmanweb group=archmanweb mode=0755 path="{{ archmanweb_dir }}"
-
name
:
set archmanweb groups
user
:
name=archmanweb groups=uwsgi
-
name
:
set up nginx
template
:
src=nginx.d.conf.j2 dest="{{ archmanweb_nginx_conf }}" owner=root group=root mode=644
notify
:
reload nginx
tags
:
[
'
nginx'
]
-
name
:
make nginx log dir
file
:
path=/var/log/nginx/{{ archmanweb_domain }} state=directory owner=root group=root mode=0755
-
name
:
clone archmanweb repo
git
:
>
repo={{ archmanweb_repository }}
dest="{{ archmanweb_dir }}/repo"
version={{ archmanweb_version }}
# TODO
# verify_commit=true
# gpg_whitelist={{ archmanweb_pgp_key }}
become
:
true
become_user
:
archmanweb
register
:
release
-
name
:
build archlinux-common-style
command
:
cmd
:
make SASS=sassc
chdir
:
"
{{
archmanweb_dir
}}/repo/archlinux-common-style"
become
:
true
become_user
:
archmanweb
when
:
release.changed or archmanweb_forced_deploy
-
name
:
configure archmanweb
template
:
src=local_settings.py.j2 dest={{ archmanweb_dir }}/repo/local_settings.py owner=archmanweb group=archmanweb mode=0660
register
:
config
no_log
:
true
-
name
:
create archmanweb db user
postgresql_user
:
name={{ archmanweb_db_user }} password={{ vault_archmanweb_db_password }} login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" encrypted=yes
no_log
:
true
-
name
:
create archmanweb db
postgresql_db
:
name="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}" owner="{{ archmanweb_db_user }}"
register
:
db_created
-
name
:
add pg_trgm extension to the archmanweb db
postgresql_ext
:
name="pg_trgm" db="{{ archmanweb_db }}" login_host="{{ archmanweb_db_host }}" login_password="{{ vault_postgres_users.postgres }}"
when
:
db_created.changed or archmanweb_forced_deploy
-
name
:
run Django management tasks
django_manage
:
app_path="{{ archmanweb_dir }}/repo" command="{{ item }}"
with_items
:
-
migrate
-
collectstatic
-
man_drop_cache
become
:
true
become_user
:
archmanweb
when
:
db_created.changed or release.changed or config.changed or archmanweb_forced_deploy
-
name
:
configure UWSGI for archmanweb
template
:
src=archmanweb.ini.j2 dest=/etc/uwsgi/vassals/archmanweb.ini owner=archmanweb group=http mode=0640
-
name
:
deploy new release
file
:
path=/etc/uwsgi/vassals/archmanweb.ini state=touch owner=archmanweb group=http mode=0640
when
:
release.changed or config.changed or archmanweb_forced_deploy
-
name
:
install systemd units
template
:
src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
with_items
:
-
archmanweb_update.service
-
archmanweb_update.timer
-
name
:
start and enable archmanweb update timer
systemd
:
name="archmanweb_update.timer" enabled=yes state=started daemon_reload=yes
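Review bot: The `clone archmanweb repo` task checks out `{{ archmanweb_version }}` with `verify_commit` and `gpg_whitelist` still parked under a TODO, and the later tasks run `make` and `manage.py` from that checkout, so whatever the remote serves for that ref is built and executed without a signature check. Finishing the TODO (`verify_commit=true` and `gpg_whitelist="{{ archmanweb_pgp_key }}"`, with the key defined in defaults) closes that gap; until then the version should be a full commit hash. Indentation is not visible on this page, but if the `# TODO` lines sit inside the folded `>` scalar they are part of the module argument string rather than YAML comments, and belong outside the scalar. Separately, `create archmanweb db user` passes `password={{ vault_archmanweb_db_password }}` unquoted in key=value form, so a password containing a space or quote would be misparsed; `password="{{ vault_archmanweb_db_password }}"` matches the quoting already used for `login_password` on that line.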
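--- a/roles/archmanweb/templates/archmanweb.ini.j2
+++ b/roles/archmanweb/templates/archmanweb.ini.j2
+[uwsgi]
+plugins = python
+chdir = {{ archmanweb_dir }}/repo
+module = wsgi:application
+socket = /run/uwsgi/archmanweb.sock
+chmod-socket = 660
+processes = 4
+threads = 1
+master = true
+uid = archmanweb
+gid = http
+thunder-lock = true
+daemonize = /var/log/uwsgi/archmanweb.log
+stats = /run/uwsgi/archmanweb-stats.sock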
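--- a/roles/archmanweb/templates/archmanweb_update.service.j2
+++ b/roles/archmanweb/templates/archmanweb_update.service.j2
+[Unit]
+Description=Update archmanweb database
+[Service]
+Type=oneshot
+User=archmanweb
+WorkingDirectory={{ archmanweb_dir }}/repo/
+ExecStart=/usr/bin/python3 manage.py man_update --cache-dir {{ archmanweb_cache_dir }}
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true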
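Review bot: `ProtectSystem=full` leaves `/srv`, `/var` and `/home` writable, so the updater keeps write access to far more than its cache directory and checkout; that matters because `man_update` presumably fetches and unpacks package content. Consider `ProtectSystem=strict` with `ReadWritePaths={{ archmanweb_cache_dir }}` and `ProtectHome=true`, then test that the database connection and any writes into the checkout still work. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and an empty `CapabilityBoundingSet=` would fit the existing hardening list as well.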
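--- a/roles/archmanweb/templates/archmanweb_update.timer.j2
+++ b/roles/archmanweb/templates/archmanweb_update.timer.j2
+[Unit]
+Description=Timer for the archmanweb update
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=1h
+[Install]
+WantedBy=timers.target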
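--- a/roles/archmanweb/templates/local_settings.py.j2
+++ b/roles/archmanweb/templates/local_settings.py.j2
+# Import the common settings, which may be overridden in this file.
+from settings import *
+DEBUG = False
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = '{{ vault_archmanweb_secret_key }}'
+# Hostnames we allow this site to be served under
+ALLOWED_HOSTS = [{% for host in archmanweb_allowed_hosts %}'{{ host }}', {% endfor -%}]
+DATABASES = {
+'default': {
+'ENGINE' : 'django.db.backends.postgresql_psycopg2',
+'PORT' : 5432,
+{% if archmanweb_db_host != 'localhost' %}
+'HOST' : '{{ archmanweb_db_host }}',
+{% endif %}
+'NAME' : '{{ archmanweb_db }}',
+'USER' : '{{ archmanweb_db_user }}',
+'PASSWORD': '{{ vault_archmanweb_db_password }}',
+'OPTIONS' : {
+'application_name': 'archmanweb',
+{% if archmanweb_db_host != 'localhost' %}
+'sslmode': 'require',
+{% endif %}
+}
+},
+}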
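Review bot: `'sslmode': 'require'` in the non-localhost branch encrypts the PostgreSQL connection but does not validate the server certificate, so a remote database host is not authenticated; `'sslmode': 'verify-full'` together with an `sslrootcert` option would be needed for that. The vault values are also pasted between single quotes (`SECRET_KEY = '{{ vault_archmanweb_secret_key }}'`, and the same for `PASSWORD`), so a secret containing `'` or `\` yields a broken or altered Python literal. Rendering them as `SECRET_KEY = {{ vault_archmanweb_secret_key | to_json }}` without surrounding quotes avoids that. Indentation of this template is not preserved on the page.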
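--- a/roles/archmanweb/templates/nginx.d.conf.j2
+++ b/roles/archmanweb/templates/nginx.d.conf.j2
+upstream archmanweb {
+server unix:///run/uwsgi/archmanweb.sock;
+}
+server {
+listen 80;
+listen [::]:80;
+server_name {{ archmanweb_domain }};
+access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
+error_log /var/log/nginx/{{ archmanweb_domain }}/error.log;
+include snippets/letsencrypt.conf;
+location / {
+access_log off;
+return 301 https://$server_name$request_uri;
+}
+}
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name {{ archmanweb_domain }};
+access_log /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
+error_log /var/log/nginx/{{ archmanweb_domain }}/error.log;
+ssl_certificate /etc/letsencrypt/live/{{ archmanweb_domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ archmanweb_domain }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ archmanweb_domain }}/chain.pem;
+location /favicon.ico {
+alias {{ archmanweb_dir }}/repo/collected_static/favicon.ico;
+}
+# Client-cache for Django's static assets
+location /static {
+expires 30d;
+add_header Pragma public;
+add_header Cache-Control "public";
+alias {{ archmanweb_dir }}/repo/collected_static;
+}
+location / {
+access_log /var/log/nginx/{{ archmanweb_domain }}/access.log main;
+include uwsgi_params;
+uwsgi_pass archmanweb;
+}
+}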
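Review bot: `location /static` and its `alias {{ archmanweb_dir }}/repo/collected_static` are both written without a trailing slash, so the prefix also matches URIs that merely begin with `/static` and maps them onto sibling paths beginning with `collected_static` inside the checkout. Writing `location /static/` with `alias {{ archmanweb_dir }}/repo/collected_static/;` confines the mapping to that directory. The two `add_header` lines in the same block also stop nginx from inheriting any `add_header` set at `http` or `server` level (for example an HSTS header, if the global configuration not shown here sets one), so such headers would need repeating in this location.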