introduce waiverdb role

This commit is contained in:
Matt Jia 2017-04-27 14:19:22 +10:00 committed by Ralph Bean
parent 2ab4b9be13
commit afb91f7ef6
9 changed files with 186 additions and 0 deletions


@ -24,3 +24,7 @@
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
roles:
- nginx
- waiverdb


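--- /dev/null
+++ b/PATH-NOT-SHOWN-defaults
@@ -0,0 +1,6 @@
+---
+waiverdb_db_port: 5432
+waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
+waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
+waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
+waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'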
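Review bot: The last value, `waiverdb_oidc_userinfo_uri`, is single-quoted but carries a stray `"` before the closing `'`, so the rendered userinfo URI ends in `UserInfo"` and the OIDC userinfo call will go to a non-existent endpoint; it should read `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`. All four endpoints point at the iddev identity provider, so if this role is meant for more than one environment the values need to be overridden per host group, which is worth stating in a comment at the top of this defaults file. The OIDC client id and secret used with these URIs have no default here, which is fine as long as they are supplied from a vaulted vars file.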


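--- /dev/null
+++ b/PATH-NOT-SHOWN-pg_hba.conf
@@ -0,0 +1,29 @@
+# This file is managed by Ansible - changes may be lost
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# TYPE DATABASE USER ADDRESS METHOD
+# Default:
+#
+local all postgres trust
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust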
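Review bot: Every record here uses `trust`, including `host all all 127.0.0.1/32 trust` and the IPv6 line, so any local process on the host can open a loopback TCP connection as any role — `postgres` included — without presenting any credential. Since this file is shipped as a static `copy:` source that replaces the packaged default, the least-privilege form is `local all postgres peer`, `local all all peer`, and `md5` (or `scram-sha-256` on servers that support it) for the two loopback `host` lines, paired with a password on the application role. If `trust` is a deliberate choice for a single-tenant development host, the header comment should say so explicitly rather than leaving the policy implicit.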


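--- /dev/null
+++ b/PATH-NOT-SHOWN-handlers
@@ -0,0 +1,5 @@
+---
+- name: restart waiverdb
+systemd:
+name: waiverdb.service
+state: restarted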


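--- /dev/null
+++ b/PATH-NOT-SHOWN-tasks-main
@@ -0,0 +1,37 @@
+---
+- include: psql_setup.yml
+- name: install needed packages
+dnf: pkg={{ item }} state=present
+with_items:
+- waiverdb
+- gunicorn
+notify:
+- restart waiverdb
+- name: start waiverdb on boot
+systemd:
+name: waiverdb.socket
+enabled: yes
+- name: copy client secrets
+template:
+src: etc/waiverdb/client_secrets.json
+dest: /etc/wavierdb/client_secrets.json
+owner: root
+group: root
+mode: 0640
+notify:
+- restart waiverdb
+- name: generate the app config
+template:
+src: etc/waiverdb/settings.py.j2
+dest: /etc/waiverdb/settings.py
+owner: root
+group: root
+mode: 0660
+backup: yes
+force: yes
+notify:
+- restart waiverdb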
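Review bot: The `copy client secrets` task writes to `dest: /etc/wavierdb/client_secrets.json` (directory misspelled) while the settings task two steps later uses `/etc/waiverdb/settings.py`, so the secrets file lands in a directory the application is unlikely to read; it should be `dest: /etc/waiverdb/client_secrets.json`. Both files are created `owner: root` / `group: root` with modes `0640` and `0660`, which a service running as a non-root user cannot read unless it belongs to the root group — the runtime user of `waiverdb.service` is not visible here, so confirm owner/group against the unit, and note that a group-writable `settings.py` is Python code the application imports. The modes are unquoted octal literals and `enabled: yes` / `backup: yes` / `force: yes` are YAML 1.1 booleans; `mode: "0640"`, `mode: "0660"` and `true` are the unambiguous spellings. With `backup: yes` on the file holding `SECRET_KEY`, every change leaves a timestamped copy of the previous secret beside it, so `backup: false` is the safer default for that task.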


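--- /dev/null
+++ b/PATH-NOT-SHOWN-tasks-psql_setup
@@ -0,0 +1,53 @@
+- name: install postresql
+yum: state=present pkg={{ item }}
+with_items:
+- "postgresql-server"
+- "postgresql-contrib"
+- name: See if postgreSQL is installed
+stat: path=/var/lib/pgsql/initdb.log
+register: pgsql_installed
+- name: init postgresql
+shell: "postgresql-setup initdb"
+when: not pgsql_installed.stat.exists
+- name: copy pg_hba.conf
+copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+notify:
+- restart postgresql
+tags:
+- config
+- name: Ensure postgres has a place to backup to
+file: dest=/backups state=directory owner=postgres
+tags:
+- config
+- name: Copy over backup scriplet
+copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+tags:
+- config
+- name: Set up some cronjobs to backup databases as configured
+template: >
+src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+dest="/etc/cron.d/cron-backup-database-{{ item }}"
+with_items:
+- "{{ dbs_to_backup }}"
+when: dbs_to_backup != []
+tags:
+- config
+- name: enable Pg service
+service: state=started enabled=yes name=postgresql
+- name: Create db
+postgresql_db: name="waiverdb" encoding='UTF-8'
+become: yes
+become_user: postgres
+- name: Create db user
+postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+become: yes
+become_user: postgres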
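Review bot: The `Create db user` task creates the role `wavierdb-user` (misspelled and hyphenated), while the settings template added in this same commit connects as `waiverdb_user`, so the application's connection string names a role that does not exist; one side must change, e.g. `postgresql_user: db="waiverdb" name="waiverdb_user" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE`. Granting `SUPERUSER` to the application role is far more than a web service needs — ownership of the `waiverdb` database is sufficient — and combined with the `trust` pg_hba this role copies, it makes any local process a database administrator. The role is created without a password, so any later move away from `trust` also needs a vaulted `password:` here. `notify: restart postgresql` on the pg_hba task names a handler that is not in this role's handlers file; unless another role in the play defines it, the play will likely fail when the notification fires. Minor: the first task name says `postresql`, and this file uses `yum:` where main.yml uses `dnf:`.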


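--- /dev/null
+++ b/PATH-NOT-SHOWN-nginx-template
@@ -0,0 +1,39 @@
+# HTTP server
+# rewrite to HTTPS
+server {
+listen 80;
+server_name {{service_name}};
+return 301 https://$server_name$request_uri;
+}
+# HTTPs server
+server {
+listen 443;
+server_name {{ service_name }};
+ssl on;
+ssl_certificate /etc/nginx/conf.d/ssl.pem;
+ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+ssl_session_timeout 5m;
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# modern configuration. tweak to your needs.
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+location / {
+root /usr/share/nginx/html;
+index index.html index.htm;
+}
+location /api {
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://unix:/run/waiverdb/socket:/api;
+}
+}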
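Review bot: The comment labels this the Mozilla generator's "modern configuration", but `ssl_protocols TLSv1.1 TLSv1.2;` together with the CBC/SHA-1 suites in the cipher list (for example `ECDHE-RSA-AES128-SHA`) is the intermediate profile, so either the comment or the settings should change; the tighter form is `ssl_protocols TLSv1.2;` with the non-GCM suites dropped from `ssl_ciphers`. `listen 443;` plus a separate `ssl on;` is the legacy way to enable TLS; `listen 443 ssl;` is the current form. The HSTS `add_header` is only attached to a fixed set of success and redirect status codes unless the `always` flag is given, so `add_header Strict-Transport-Security max-age=15768000 always;` is the more complete line. `{{service_name}}` in the port-80 block and `{{ service_name }}` in the 443 block are the same variable written two ways.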


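--- /dev/null
+++ b/PATH-NOT-SHOWN-client_secrets.json
@@ -0,0 +1,11 @@
+{
+"web": {
+"auth_uri": "{{ waiverdb_oidc_auth_uri }}",
+"client_id": "{{ waiverdb_oidc_client_id }}",
+"client_secret": "{{ waiverdb_oidc_client_secret }}",
+"redirect_uris": [],
+"token_uri": "{{ waiverdb_oidc_token_uri }}",
+"token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
+"userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
+}
+}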
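Review bot: The variables are interpolated inside JSON string literals with no escaping, so a `client_secret` (or any other value) containing `"` or `\` yields a file the application cannot parse; emitting each value through the JSON-encoding filter, e.g. `"client_secret": {{ waiverdb_oidc_client_secret | to_json }},`, keeps the output well-formed for any input and the same change applies to the other string fields. `waiverdb_oidc_client_id` and `waiverdb_oidc_client_secret` have no entry in the role defaults, which is appropriate for a secret, but the template task will fail unless they are supplied from a vaulted vars file; a comment in the defaults file naming the required private variables would make that contract visible.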


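--- /dev/null
+++ b/PATH-NOT-SHOWN-settings.py.j2
@@ -0,0 +1,2 @@
+SECRET_KEY = '{{ waiverdb_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb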
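Review bot: The second line is neither valid Jinja nor valid Python: `{{ waiverdb_db_port }` closes the expression with a single brace and the string literal has no closing quote, so the template task will fail, and even a rendered copy could not be imported. It should read `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`. The URI carries no password, which only works while the copied pg_hba.conf grants `trust`; if authentication is tightened later, the password belongs here as a vaulted variable rather than in the URI literal. `waiverdb_secret_key` has no default in the role, so the same vaulted vars file must supply it or the task fails at render time.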