From afb91f7ef639d16d906d161bcad02cbbfb5af6c5 Mon Sep 17 00:00:00 2001
From: Matt Jia
Date: Thu, 27 Apr 2017 14:19:22 +1000
Subject: [PATCH] introduce waiverdb role
---
.../waiverdb-dev.fedorainfracloud.org.yml | 4 ++
roles/waiverdb/defaults/main.yml | 6 +++
roles/waiverdb/files/pg/pg_hba.conf | 29 ++++++++++
roles/waiverdb/handlers/main.yml | 5 ++
roles/waiverdb/tasks/main.yml | 37 +++++++++++++
roles/waiverdb/tasks/psql_setup.yml | 53 +++++++++++++++++++
.../etc/nginx/conf.d/waiverdb.conf.j2 | 39 ++++++++++++++
.../etc/waiverdb/client_secrets.json | 11 ++++
.../templates/etc/waiverdb/settings.py.j2 | 2 +
9 files changed, 186 insertions(+)
create mode 100644 roles/waiverdb/defaults/main.yml
create mode 100644 roles/waiverdb/files/pg/pg_hba.conf
create mode 100644 roles/waiverdb/handlers/main.yml
create mode 100644 roles/waiverdb/tasks/main.yml
create mode 100644 roles/waiverdb/tasks/psql_setup.yml
create mode 100644 roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
create mode 100644 roles/waiverdb/templates/etc/waiverdb/client_secrets.json
create mode 100644 roles/waiverdb/templates/etc/waiverdb/settings.py.j2
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
index 9838e189d6..dae7fedfc7 100644
--- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
@@ -24,3 +24,7 @@ - include: "{{ tasks_path }}/cloud_setup_basic.yml" - name: set hostname (required by some services, at least postfix need it) hostname: name="{{inventory_hostname}}"
+
+ roles:
+ - nginx
+ - waiverdb
diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml
new file mode 100644
index 0000000000..a034212670
--- /dev/null
+++ b/roles/waiverdb/defaults/main.yml 
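Review bot: The `roles:` key is appended after the hostname task, but Ansible runs `roles:` before `tasks:` regardless of where the key sits in the play, so `nginx` and `waiverdb` will be applied before `cloud_setup_basic.yml` and the hostname task visible in this hunk have run. If the role depends on that basic setup (repositories, packages, hostname), move those tasks under `pre_tasks:` or apply the roles with `include_role` at the end of the task list. The play header and the rest of the task list are outside the hunk, so this is inferred from the three context lines only.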
@@ -0,0 +1,6 @@
+---
+waiverdb_db_port: 5432
+waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
+waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
+waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
+waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'
diff --git a/roles/waiverdb/files/pg/pg_hba.conf b/roles/waiverdb/files/pg/pg_hba.conf
new file mode 100644
index 0000000000..9fcf023732
--- /dev/null
+++ b/roles/waiverdb/files/pg/pg_hba.conf
@@ -0,0 +1,29 @@
+# This file is managed by Ansible - changes may be lost
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# TYPE DATABASE USER ADDRESS METHOD
+
+# Default:
+#
+local all postgres trust
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust
diff --git a/roles/waiverdb/handlers/main.yml b/roles/waiverdb/handlers/main.yml
new file mode 100644
index 0000000000..63b9af2c6b
--- /dev/null
+++ b/roles/waiverdb/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart waiverdb
+ systemd:
+ name: waiverdb.service
+ state: restarted 
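Review bot: `waiverdb_oidc_userinfo_uri` on the last line of the defaults carries a stray `"` inside the single-quoted value, so the rendered URL ends in `UserInfo"` and, once substituted into the double-quoted `"userinfo_uri"` field of client_secrets.json, yields malformed JSON that the app will reject at startup. Change it to `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`.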
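Review bot: Every rule in the new pg_hba.conf uses `trust`, so any process on the host, or anything that can reach 127.0.0.1/::1, may connect as any role including `postgres` without a credential; together with the SUPERUSER role created in psql_setup.yml this turns any local foothold (for example through the nginx-fronted application) into full control of the database. Prefer `peer` on the Unix-socket lines and a password method on the loopback lines, e.g. `local all all peer`, `host all all 127.0.0.1/32 md5`, `host all all ::1/128 md5`, and give the application role a password. If `trust` is deliberately kept because this is a dev host, a comment saying so would prevent the file being copied to production unchanged.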
diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml
new file mode 100644
index 0000000000..8ed0068400
--- /dev/null
+++ b/roles/waiverdb/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- include: psql_setup.yml
+
+- name: install needed packages
+ dnf: pkg={{ item }} state=present
+ with_items:
+ - waiverdb
+ - gunicorn
+ notify:
+ - restart waiverdb
+
+- name: start waiverdb on boot
+ systemd:
+ name: waiverdb.socket
+ enabled: yes
+
+- name: copy client secrets
+ template:
+ src: etc/waiverdb/client_secrets.json
+ dest: /etc/wavierdb/client_secrets.json
+ owner: root
+ group: root
+ mode: 0640
+ notify:
+ - restart waiverdb
+
+- name: generate the app config
+ template:
+ src: etc/waiverdb/settings.py.j2
+ dest: /etc/waiverdb/settings.py
+ owner: root
+ group: root
+ mode: 0660
+ backup: yes
+ force: yes
+ notify:
+ - restart waiverdb
diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml
new file mode 100644
index 0000000000..04f93b5ae5
--- /dev/null
+++ b/roles/waiverdb/tasks/psql_setup.yml 
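Review bot: The `copy client secrets` task writes to `dest: /etc/wavierdb/client_secrets.json` — `wavierdb` is a typo, so the OIDC secrets go to a directory the package does not create (the task fails, or if the directory happens to exist the app never finds the file); it should be `dest: /etc/waiverdb/client_secrets.json`. Both templates are installed `owner: root` / `group: root` with modes `0640` and `0660`, which the service can only read if it runs as root; the service user is not visible in this change, so please confirm it and set `group:` to that user, and drop the group-write bit on settings.py (`mode: 0640`) since it holds `SECRET_KEY`. The `notify: restart waiverdb` on the package-install task fires before the two config tasks below have rendered anything; since those tasks notify the same handler, the notify on the install task looks redundant and can probably be removed.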
@@ -0,0 +1,53 @@
+- name: install postresql
+ yum: state=present pkg={{ item }}
+ with_items:
+ - "postgresql-server"
+ - "postgresql-contrib"
+
+- name: See if postgreSQL is installed
+ stat: path=/var/lib/pgsql/initdb.log
+ register: pgsql_installed
+
+- name: init postgresql
+ shell: "postgresql-setup initdb"
+ when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+ copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+ notify:
+ - restart postgresql
+ tags:
+ - config
+
+- name: Ensure postgres has a place to backup to
+ file: dest=/backups state=directory owner=postgres
+ tags:
+ - config
+
+- name: Copy over backup scriplet
+ copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+ tags:
+ - config
+
+- name: Set up some cronjobs to backup databases as configured
+ template: >
+ src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+ dest="/etc/cron.d/cron-backup-database-{{ item }}"
+ with_items:
+ - "{{ dbs_to_backup }}"
+ when: dbs_to_backup != []
+ tags:
+ - config
+
+- name: enable Pg service
+ service: state=started enabled=yes name=postgresql
+
+- name: Create db
+ postgresql_db: name="waiverdb" encoding='UTF-8'
+ become: yes
+ become_user: postgres
+
+- name: Create db user
+ postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+ become: yes
+ become_user: postgres
diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
new file mode 100644
index 0000000000..d5d013974a
--- /dev/null
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 
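Review bot: The `Create db user` task names the role `wavierdb-user` (typo) while settings.py.j2 connects as `waiverdb_user`, so the application will try to authenticate as a role that does not exist; pick one spelling for both, e.g. `name="waiverdb_user"`. The same task grants the application role `SUPERUSER`, which amounts to OS-level access on the database host; ownership of the `waiverdb` database (`postgresql_db: name="waiverdb" encoding='UTF-8' owner="waiverdb_user"`, created after the role) with `role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE` and a password is all a Flask/SQLAlchemy app needs. The `copy pg_hba.conf` task notifies `restart postgresql`, which this role's handlers/main.yml does not define — if it comes from a global handlers file that is fine, but a pg_hba change only needs a reload, so a `reload postgresql` handler would avoid dropping live connections. `dbs_to_backup` and `files` are also referenced without a default in this role; presumably they come from group vars, worth confirming.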
@@ -0,0 +1,39 @@
+# HTTP server
+# rewrite to HTTPS
+server {
+ listen 80;
+ server_name {{service_name}};
+ return 301 https://$server_name$request_uri;
+}
+# HTTPs server
+server {
+ listen 443;
+ server_name {{ service_name }};
+
+ ssl on;
+ ssl_certificate /etc/nginx/conf.d/ssl.pem;
+ ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+
+ ssl_session_timeout 5m;
+
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+ location /api {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://unix:/run/waiverdb/socket:/api;
+ }
+}
diff --git a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
new file mode 100644
index 0000000000..83dc8b0ed8
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json 
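Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` contradicts the comment two lines above that this is the Mozilla "modern" profile, which permits only TLSv1.2 and includes none of the non-GCM or DHE suites listed here; either tighten to `ssl_protocols TLSv1.2;` with the matching cipher set, or change the comment to say "intermediate" so the next reader is not misled. The cipher string enables DHE/kEDH suites but no `ssl_dhparam` is configured, so nginx falls back to its built-in group, which on older releases is 1024-bit; add `ssl_dhparam` pointing at a generated 2048-bit group or drop the DHE suites. `listen 443;` relies on the deprecated `ssl on;` directive; `listen 443 ssl;` is the current form and lets `ssl on;` go. Both `server_name` lines read `service_name`, which has no default in this role, so presumably it is set in host or group vars.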
@@ -0,0 +1,11 @@
+{
+ "web": {
+ "auth_uri": "{{ waiverdb_oidc_auth_uri }}",
+ "client_id": "{{ waiverdb_oidc_client_id }}",
+ "client_secret": "{{ waiverdb_oidc_client_secret }}",
+ "redirect_uris": [],
+ "token_uri": "{{ waiverdb_oidc_token_uri }}",
+ "token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
+ "userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
+ }
+}
diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
new file mode 100644
index 0000000000..67ce5c8b58
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
@@ -0,0 +1,2 @@
+SECRET_KEY = '{{ waiverdb_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
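Review bot: The template places each variable inside a hand-written double-quoted JSON string (`"auth_uri": "{{ waiverdb_oidc_auth_uri }}"` and the six lines like it), so any value containing `"` or `\` renders to malformed JSON with no error at deploy time — the `UserInfo"'` value in this role's defaults already triggers exactly that. Let Ansible do the quoting instead, e.g. `"client_secret": {{ waiverdb_oidc_client_secret | to_json }},`, applied to every field; adding `validate` with a JSON parser on the template task in tasks/main.yml would catch the remaining cases before the file is installed.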
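Review bot: The `SQLALCHEMY_DATABASE_URI` line has an unbalanced Jinja close (`{{ waiverdb_db_port }` with a single `}`) and no closing quote, which makes the template fail to render or leaves the resulting settings.py syntactically invalid; if the line is only cut off in this view please confirm, otherwise it should read `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`. The URI connects as `waiverdb_user`, while psql_setup.yml creates `wavierdb-user`, so one of the two spellings has to change. With the host left empty the driver presumably uses the local Unix socket, which is what the `local` lines of pg_hba.conf authorize; a comment on that line, `# empty host = Unix socket; see pg_hba.conf`, would stop someone adding `localhost` and landing on the `host` rules instead.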