introduce waiverdb role
This commit is contained in:
parent
2ab4b9be13
commit
afb91f7ef6
9 changed files with 186 additions and 0 deletions
|
@ -24,3 +24,7 @@
|
|||
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
|
||||
- name: set hostname (required by some services, at least postfix need it)
|
||||
hostname: name="{{inventory_hostname}}"
|
||||
|
||||
roles:
|
||||
- nginx
|
||||
- waiverdb
|
||||
|
|
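--- a/roles/waiverdb/defaults/main.yml
+++ b/roles/waiverdb/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+waiverdb_db_port: 5432
+waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
+waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
+waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
+waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'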
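Review bot: The userinfo URI on the last line carries a stray double quote inside the single-quoted value, so the rendered client_secrets.json will point at `.../openidc/UserInfo"` and userinfo lookups will fail; the line should read `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`. All four OIDC defaults point at the iddev host, which looks like a development identity provider; if this role is also meant for production, a comment such as `# development IdP; override per environment` above them would keep a deployment from silently authenticating against the wrong issuer. `waiverdb_oidc_client_id` and `waiverdb_oidc_client_secret`, which the client_secrets template needs, are not declared here, so it is worth stating in a comment where they are expected to come from.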
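--- a/roles/waiverdb/files/pg/pg_hba.conf
+++ b/roles/waiverdb/files/pg/pg_hba.conf
@@ -0,0 +1,29 @@
+# This file is managed by Ansible - changes may be lost
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# TYPE DATABASE USER ADDRESS METHOD
+
+# Default:
+#
+local all postgres trust
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust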
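Review bot: Every rule in the new pg_hba.conf uses `trust`, so any OS account on the host, including the unprivileged user that gunicorn and nginx run as, can connect over the socket or loopback as the `postgres` superuser with no password. The application connects with an empty host in settings.py.j2, which presumably means a Unix-socket connection, so it only needs the `local` rule; `local all all peer` (with a pg_ident mapping if the OS user and DB role names differ) covers it, and the loopback rules can demand a password, `host all all 127.0.0.1/32 md5` and the same for `::1/128` (scram-sha-256 if the PostgreSQL version being installed supports it). `local all postgres peer` keeps the `become_user: postgres` tasks in psql_setup.yml working, since they run as the postgres OS user over the socket.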
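--- a/roles/waiverdb/handlers/main.yml
+++ b/roles/waiverdb/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart waiverdb
+systemd:
+name: waiverdb.service
+state: restarted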
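Review bot: This file defines only `restart waiverdb`, but the `copy pg_hba.conf` task in psql_setup.yml in the same commit notifies `restart postgresql`; unless another role in the play defines that handler, the run fails on an unknown handler, and the pg_hba change would otherwise never be applied to the running server. Adding a second handler mirroring the existing one fixes it. The existing handler restarts `waiverdb.service` while tasks/main.yml enables `waiverdb.socket`; that is consistent with socket activation, but a short comment such as `# socket-activated: restarting the service is enough to reload config` would save the next reader the question.
```yaml
# … unchanged: restart waiverdb handler …
- name: restart postgresql
  systemd:
    name: postgresql.service
    state: restarted
```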
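--- a/roles/waiverdb/tasks/main.yml
+++ b/roles/waiverdb/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- include: psql_setup.yml
+
+- name: install needed packages
+dnf: pkg={{ item }} state=present
+with_items:
+- waiverdb
+- gunicorn
+notify:
+- restart waiverdb
+
+- name: start waiverdb on boot
+systemd:
+name: waiverdb.socket
+enabled: yes
+
+- name: copy client secrets
+template:
+src: etc/waiverdb/client_secrets.json
+dest: /etc/wavierdb/client_secrets.json
+owner: root
+group: root
+mode: 0640
+notify:
+- restart waiverdb
+
+- name: generate the app config
+template:
+src: etc/waiverdb/settings.py.j2
+dest: /etc/waiverdb/settings.py
+owner: root
+group: root
+mode: 0660
+backup: yes
+force: yes
+notify:
+- restart waiverdb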
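Review bot: The `copy client secrets` task writes to `dest: /etc/wavierdb/client_secrets.json`, a misspelled directory, so the template task fails if that directory does not exist and, if it does, the OIDC client secret lands where waiverdb never reads it; the line should be `dest: /etc/waiverdb/client_secrets.json`. Both rendered files are `owner: root`/`group: root`, settings.py with `mode: 0660` (group-writable, which a file holding SECRET_KEY should not be) and client_secrets.json with 0640, so unless gunicorn runs as root the service cannot read either; the group should be the service's group with `mode: "0640"` on both — the unit file is not in this diff, so confirm which user it runs as. Stylistically, `dnf: pkg={{ item }} state=present` with `with_items` reads better as block YAML passing the list to `name:`, and `enabled: yes`, `backup: yes`, `force: yes` should be `true`.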
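--- a/roles/waiverdb/tasks/psql_setup.yml
+++ b/roles/waiverdb/tasks/psql_setup.yml
@@ -0,0 +1,53 @@
+- name: install postresql
+yum: state=present pkg={{ item }}
+with_items:
+- "postgresql-server"
+- "postgresql-contrib"
+
+- name: See if postgreSQL is installed
+stat: path=/var/lib/pgsql/initdb.log
+register: pgsql_installed
+
+- name: init postgresql
+shell: "postgresql-setup initdb"
+when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+notify:
+- restart postgresql
+tags:
+- config
+
+- name: Ensure postgres has a place to backup to
+file: dest=/backups state=directory owner=postgres
+tags:
+- config
+
+- name: Copy over backup scriplet
+copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+tags:
+- config
+
+- name: Set up some cronjobs to backup databases as configured
+template: >
+src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+dest="/etc/cron.d/cron-backup-database-{{ item }}"
+with_items:
+- "{{ dbs_to_backup }}"
+when: dbs_to_backup != []
+tags:
+- config
+
+- name: enable Pg service
+service: state=started enabled=yes name=postgresql
+
+- name: Create db
+postgresql_db: name="waiverdb" encoding='UTF-8'
+become: yes
+become_user: postgres
+
+- name: Create db user
+postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+become: yes
+become_user: postgres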
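Review bot: The `Create db user` task grants the application role `SUPERUSER`, and its name `wavierdb-user` does not match the `waiverdb_user` that settings.py.j2 connects as, so the app either cannot authenticate or, once the name is fixed, runs with full cluster privileges including reading every other database and `COPY ... TO PROGRAM`. The role only needs to own its database: `postgresql_user: db="waiverdb" name="waiverdb_user" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE` created first, then `postgresql_db: name="waiverdb" owner="waiverdb_user" encoding='UTF-8'`. The cron-backup task loops over `dbs_to_backup`, which this role's defaults do not define, so the play errors on an undefined variable unless the inventory supplies it; and `yum:` here versus `dnf:` in tasks/main.yml should be a single module, with the `key=value` argument strings converted to block YAML as in the rest of the role.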
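--- a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
@@ -0,0 +1,39 @@
+# HTTP server
+# rewrite to HTTPS
+server {
+listen 80;
+server_name {{service_name}};
+return 301 https://$server_name$request_uri;
+}
+# HTTPs server
+server {
+listen 443;
+server_name {{ service_name }};
+
+ssl on;
+ssl_certificate /etc/nginx/conf.d/ssl.pem;
+ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+
+ssl_session_timeout 5m;
+
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# modern configuration. tweak to your needs.
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+
+location / {
+root /usr/share/nginx/html;
+index index.html index.htm;
+}
+location /api {
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://unix:/run/waiverdb/socket:/api;
+}
+}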
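Review bot: The TLS block is labelled as the Mozilla "modern" configuration but still offers TLSv1.1 and a cipher list with CBC and DHE-DSS suites, and the DHE suites are enabled with no `ssl_dhparam`, so nginx falls back to its built-in DH parameters (1024-bit on older releases; confirm the version shipped). For an HSTS-protected API, `ssl_protocols TLSv1.2;` with the generator's current cipher string and `ssl_session_cache shared:SSL:10m;` next to the timeout would be the expected shape. `ssl on;` is deprecated in favour of `listen 443 ssl;`, and the HSTS header needs `add_header Strict-Transport-Security max-age=15768000 always;` to also be sent on error responses (the `always` flag needs nginx 1.7.5 or later). The plain `server_name {{service_name}};` spacing on the first server block differs from `{{ service_name }}` on the second; both render the same but one form should be used.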
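--- a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
+++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
@@ -0,0 +1,11 @@
+{
+"web": {
+"auth_uri": "{{ waiverdb_oidc_auth_uri }}",
+"client_id": "{{ waiverdb_oidc_client_id }}",
+"client_secret": "{{ waiverdb_oidc_client_secret }}",
+"redirect_uris": [],
+"token_uri": "{{ waiverdb_oidc_token_uri }}",
+"token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
+"userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
+}
+}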
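Review bot: The secret-bearing values are interpolated straight into JSON string literals, so a client secret containing a double quote or backslash produces invalid JSON that waiverdb will fail to parse at startup; rendering them with the JSON filter, `"client_secret": {{ waiverdb_oidc_client_secret | to_json }},` and likewise for `client_id`, yields a correctly quoted and escaped literal. `waiverdb_oidc_client_id` and `waiverdb_oidc_client_secret` have no default in the role, which is right for a secret, but a leading comment in the defaults file saying they must be supplied from the vault would make the requirement visible. The empty `"redirect_uris": []` looks intentional for a token-validating API client, but nothing in the diff confirms that, so a one-line comment in the task that installs the file would help.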
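--- a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
+++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
@@ -0,0 +1,2 @@
+SECRET_KEY = '{{ waiverdb_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb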
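Review bot: The database URI line closes the Jinja expression with a single `}` and never closes the string literal, so templating either fails or leaves a Python syntax error in /etc/waiverdb/settings.py; it should be `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`. The empty host presumably selects a Unix-socket connection with no password, which relies entirely on the `trust` rules in pg_hba.conf and on the role name matching the `wavierdb-user` that psql_setup.yml creates, which it currently does not. `SECRET_KEY` is also pasted raw into a single-quoted literal, so a key containing `'` or `\` breaks the module; rendering it as `SECRET_KEY = {{ waiverdb_secret_key | to_json }}` gives a double-quoted, escaped literal that Python accepts for the ASCII and `\uXXXX` escapes `to_json` emits.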