Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

taiga: retire old taiga cloud instances, everything should be using teams.fedoraproject.org now.

Browse source 
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2019-05-02 22:03:09 +00:00
parent e3f561c9b3
commit c71a31b220
25 changed files with 0 additions and 846 deletions
Download patch file Download diff file Expand all files Collapse all files

1
inventory/backups
View file

@ -22,7 +22,6 @@ copr-fe.cloud.fedoraproject.org
copr-keygen.cloud.fedoraproject.org copr-keygen.cloud.fedoraproject.org
#copr-dist-git.fedorainfracloud.org #copr-dist-git.fedorainfracloud.org
value01.phx2.fedoraproject.org value01.phx2.fedoraproject.org
taiga.fedorainfracloud.org
tang01.phx2.fedoraproject.org tang01.phx2.fedoraproject.org
taskotron01.qa.fedoraproject.org taskotron01.qa.fedoraproject.org
nuancier01.phx2.fedoraproject.org nuancier01.phx2.fedoraproject.org

2
inventory/cloud
View file

@ -73,8 +73,6 @@ ppc64-test.fedorainfracloud.org
rawhide-test.fedorainfracloud.org rawhide-test.fedorainfracloud.org
regcfp2.fedorainfracloud.org regcfp2.fedorainfracloud.org
respins.fedorainfracloud.org respins.fedorainfracloud.org
taiga.fedorainfracloud.org
taigastg.fedorainfracloud.org
telegram-irc.fedorainfracloud.org telegram-irc.fedorainfracloud.org
testdays.fedorainfracloud.org testdays.fedorainfracloud.org
twisted-fedora26-1.fedorainfracloud.org twisted-fedora26-1.fedorainfracloud.org

26
inventory/host_vars/taiga.fedorainfracloud.org
View file

@ -1,26 +0,0 @@
---
image: "{{ fedora25_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
inventory_tenant: persistent
inventory_instance_name: taiga
hostbase: taiga
public_ip: 209.132.184.50
root_auth_users: ralph maxamillion kellin
description: taiga frontend server
db_backup_dir: ['/backups']
dbs_to_backup: ['taiga']
volumes:
- volume_id: 8878d26e-a296-4c81-b636-3eb4dca15ed0
device: /dev/vdc
cloud_networks:
# persistent-net
- net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"

23
inventory/host_vars/taigastg.fedorainfracloud.org
View file

@ -1,23 +0,0 @@
---
image: "{{ fedora28_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
inventory_tenant: persistent
inventory_instance_name: taigastg
hostbase: taigastg
public_ip: 209.132.184.232
root_auth_users: ralph maxamillion doteast kellin abompard
description: stg instance of the taiga frontend server
volumes:
- volume_id: 5babf722-0046-4535-a6e5-398f9c67b844
device: /dev/vdc
cloud_networks:
# persistent-net
- net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"

3
inventory/inventory
View file

@ -1108,9 +1108,6 @@ copr-keygen.cloud.fedoraproject.org
# copr dev instances # copr dev instances
copr-be-dev.cloud.fedoraproject.org copr-be-dev.cloud.fedoraproject.org
copr-fe-dev.cloud.fedoraproject.org copr-fe-dev.cloud.fedoraproject.org
# taiga for kanban-style project planning
taiga.fedorainfracloud.org
taigastg.fedorainfracloud.org
# glittergallery GSoC dev work # glittergallery GSoC dev work
glittergallery-dev.fedorainfracloud.org glittergallery-dev.fedorainfracloud.org
# fas2-dev # fas2-dev

2
master.yml
View file

@ -144,7 +144,5 @@
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/ansiblemagazine.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/ansiblemagazine.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/taiga.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/taigastg.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/testdays.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/testdays.fedorainfracloud.org.yml
- import_playbook: /srv/web/infra/ansible/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml - import_playbook: /srv/web/infra/ansible/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml

34
playbooks/hosts/taiga.fedorainfracloud.org.yml
View file

@ -1,34 +0,0 @@
- name: check/create instance
hosts: taiga.fedorainfracloud.org
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- /srv/private/ansible/files/openstack/passwords.yml
tasks:
- import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: setup all the things
hosts: taiga.fedorainfracloud.org
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
roles:
- basessh
- role: taiga
taiga_back_version: stable
taiga_front_version: stable

36
playbooks/hosts/taigastg.fedorainfracloud.org.yml
View file

@ -1,36 +0,0 @@
- name: check/create instance
hosts: taigastg.fedorainfracloud.org
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- /srv/private/ansible/files/openstack/passwords.yml
tasks:
- import_tasks: "{{ tasks_path }}/persistent_cloud.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: setup all the things
hosts: taigastg.fedorainfracloud.org
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
roles:
- basessh
- role: certbot
- role: taiga
taiga_back_version: stable
taiga_front_version: stable

10
roles/apps-fp-o/files/apps.yaml
View file

@ -695,16 +695,6 @@ children:
engineering *should* be producing and 2) all of the artifacts engineering *should* be producing and 2) all of the artifacts
taht release engineering *did* produce. The web interface isn't taht release engineering *did* produce. The web interface isn't
much to write home about, but the API is where it's at. much to write home about, but the API is where it's at.
- name: Taiga
data:
icon: taiga.png
url: https://taiga.fedorainfracloud.org/
description: >
Taiga is a very pretty project management platform that we've
been messing around with. Feel free to use it. We backup the
database, but we don't necessarily support it yet with the same
kind of focus that we dedicate to our other services. If you
run into problems with it, let us know!
- name: Ipsilon - name: Ipsilon
data: data:
icon: icon:

10
roles/taiga/files/backup-database
View file

@ -1,10 +0,0 @@
#!/bin/bash
# Backup a database *locally* to /backups/.
DB=$1
# Make our latest backup
/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
# Also, delete the backup from a few days ago.
rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz

1
roles/taiga/files/cron-renew-cert
View file

@ -1 +0,0 @@
* * * * 0 root /usr/local/bin/renew-cert.sh

BIN
roles/taiga/files/fedora-logo.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 504 B

72
roles/taiga/files/nginx.conf
View file

@ -1,72 +0,0 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
index index.html index.htm;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
#server {
# listen 80 default_server;
# server_name localhost;
# root /usr/share/nginx/html;
# #charset koi8-r;
# #access_log /var/log/nginx/host.access.log main;
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# # redirect server error pages to the static page /40x.html
# #
# error_page 404 /404.html;
# location = /40x.html {
# }
# # redirect server error pages to the static page /50x.html
# #
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
#}
}

74
roles/taiga/files/pg_hba.conf
View file

@ -1,74 +0,0 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTION]
# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", a database name, or
# a comma-separated list thereof.
#
# USER can be "all", a user name, a group name prefixed with "+", or
# a comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names from
# a separate file.
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
# the number of significant bits in the mask. Alternatively, you can write
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
# "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.
#
# Database and user names containing spaces, commas, quotes and other special
# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
# "samerole" makes the name lose its special character, and just match a
# database or username with that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can use
# "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL listen
# on a non-local interface via the listen_addresses configuration parameter,
# or via the -i or -h command line switches.
#
#@authcomment@
# TYPE DATABASE USER CIDR-ADDRESS METHOD
#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
#@remove-line-for-nolocal@local all all @authmethod@
# IPv4 local connections:
#host all all 127.0.0.1/32 @authmethod@
# IPv6 local connections:
#host all all ::1/128 @authmethod@
local all all trust
#host all all 0.0.0.0 0.0.0.0 md5

5
roles/taiga/files/renew-cert.sh
View file

@ -1,5 +0,0 @@
#!/bin/bash
#renew letsencrypt certificate. it checks if cert need renewal. if not nginx will not stop
# check and renew if required, quietly. if so do it in standalone mode
/usr/bin/certbot renew -q --pre-hook "/usr/bin/systemctl stop nginx" --post-hook "/usr/bin/systemctl start nginx"

15
roles/taiga/files/taiga-back.service
View file

@ -1,15 +0,0 @@
[Unit]
Description=taiga backend, run by gunicorn
After=network.target
Documentation=https://github.com/taigaio/taiga-back
[Service]
ExecStart=/srv/taiga/venv/bin/python /usr/bin/gunicorn-3 -w 3 -t 60 --pythonpath=. -b 127.0.0.1:8001 taiga.wsgi
WorkingDirectory=/srv/taiga/taiga-back/
Type=simple
User=taiga
Group=taiga
Restart=on-failure
[Install]
WantedBy=multi-user.target

4
roles/taiga/files/urls.py
View file

@ -1,4 +0,0 @@
from taiga.urls import *
urlpatterns += [
url(r"^api/oidc/", include("mozilla_django_oidc.urls")),
]

19
roles/taiga/handlers/main.yml
View file

@ -1,19 +0,0 @@
---
- name: restart postgresql
service: name=postgresql state=restarted
- name: restart taiga-back
service: name=taiga-back state=restarted
- name: reload systemd service files
command: systemctl daemon-reload
- name: restart nginx
service: name=nginx state=restarted
- name: restart postfix
service: name=postfix state=restarted
- name: restart crond
service: name=crond state=restarted

341
roles/taiga/tasks/main.yml
View file

@ -1,341 +0,0 @@
# This is mostly following
# http://taigaio.github.io/taiga-doc/dist/setup-production.html#circus-and-gunicorn
#
# It is just for dev/testing.. we're installing stuff from git/pip, etc..
#
- dnf: name={{item}} state=present
with_items:
- postfix
- cronie
- nginx
- libsemanage-python
- postgresql-server
# Need this to use the postgresql ansible module
- python-psycopg2
- python3-gunicorn
- python3-psycopg2
# So we don't have to rebuild them in the virtualenv
- python3-cairo
- python3-cryptography
- python3-pyOpenSSL
- gettext
- git
- python3
- python3-devel
- python3-pip
- redhat-rpm-config
- gcc
- freetype-devel
- libxml2-devel
- libxslt-devel
- libjpeg-turbo-devel
- postgresql-devel
# To build the frontend
- npm
# need this for letsencrypt cert
- certbot
- python3-certbot-nginx
tags: taiga
- user: name=taiga comment="Taiga System Account"
tags: taiga
### Real quick, let's setup postfix for mail on the side.
### if we ever move this internally, we'll just use bastion.
- name: Set postfix to run on boot
service: name=postfix state=started enabled=yes
tags: taiga
### FIRST, there is a lot of postgres db stuff to setup ###
- name: Initialize postgres if necessary
command: /usr/bin/postgresql-setup initdb
creates=/var/lib/pgsql/data/base
notify: restart postgresql
tags: taiga
- name: Add our postgres config file.
copy: >
src=pg_hba.conf
dest=/var/lib/pgsql/data/pg_hba.conf
owner=postgres
notify: restart postgresql
tags: taiga
# No need to let postgres talk to the world, right?
#- name: Let postgresql listen to '*'
# command: sed -i -e "s|#listen_addresses = 'localhost'|listen_addresses = '*'|" /var/lib/pgsql/data/postgresql.conf
# notify: restart postgresql
# tags: taiga
- name: Ensure postgres has a place to backup to
file: dest=/backups state=directory owner=postgres
tags: taiga
- name: Copy over backup scriplet
copy: src=backup-database dest=/usr/local/bin/backup-database mode=0755
tags: taiga
- name: Set up some cronjobs to backup databases as configured
template: >
src=cron-backup-database
dest=/etc/cron.d/cron-backup-database-{{ item }}
with_items:
- taiga
tags: taiga
- name: Set postgresql-server to run on boot
service: name=postgresql state=started enabled=yes
tags: taiga
# Make sure we have db users
- postgresql_user: name=taiga
# password={{ taiga_db_pass }}
tags: taiga
- postgresql_db: name=taiga owner=taiga encoding=UTF-8
tags: taiga
### DONE with db stuff
- become: yes
become_user: taiga
tags: taiga
block:
# Create the python virtualenv
- name: setup the virtualenv
pip:
name: pip
state: latest
chdir: /srv/taiga
virtualenv: /srv/taiga/venv
virtualenv_command: pyvenv
virtualenv_site_packages: yes
- name: install Gunicorn
pip:
name: gunicorn
virtualenv: /srv/taiga/venv
# Install our plugin for the backend first
- name: install the OIDC auth plugin
git:
dest: /srv/taiga/taiga-contrib-oidc-auth
repo: https://github.com/fedora-infra/taiga-contrib-oidc-auth.git
tags: taiga
- pip:
name: .
editable: yes
chdir: /srv/taiga/taiga-contrib-oidc-auth/back
virtualenv: /srv/taiga/venv
tags: taiga
# setup taiga-back from git
- git:
repo: https://github.com/taigaio/taiga-back.git
dest: /srv/taiga/taiga-back
version: "{{taiga_back_version}}"
# We modify the requirements.txt, we need to force here.
force: yes
- name: remove some versionned dependencies
replace:
path: /srv/taiga/taiga-back/requirements.txt
regexp: '^(CairoSVG|cryptography)==.*$'
replace: '\1'
- name: install taiga-back dependencies
pip:
requirements: /srv/taiga/taiga-back/requirements.txt
virtualenv: /srv/taiga/venv
tags: taiga
- name: copy in our taiga backend config
template: src=local.py dest=/srv/taiga/taiga-back/settings/local.py
mode=0640 owner=taiga group=taiga
notify: restart taiga-back
tags: taiga
- name: copy in our taiga backend URLs config
copy: src=urls.py dest=/srv/taiga/taiga-back/settings/urls.py
mode=0640 owner=taiga group=taiga
notify: restart taiga-back
tags: taiga
- file: dest=/srv/taiga/taiga-back/locale state=directory
owner=taiga group=taiga
tags: taiga
# change default admin password
- name: copy in our initial_user fixture
template: src=initial_user.json dest=/srv/taiga/initial_user.json
mode=0640 owner=taiga group=taiga
tags: taiga
- become: yes
become_user: taiga
tags: taiga
block:
- django_manage:
app_path: /srv/taiga/taiga-back
virtualenv: /srv/taiga/venv
command: migrate
- django_manage:
app_path: /srv/taiga/taiga-back
virtualenv: /srv/taiga/venv
command: loaddata
fixtures: /srv/taiga/initial_user.json initial_project_templates
- django_manage:
app_path: /srv/taiga/taiga-back
virtualenv: /srv/taiga/venv
command: compilemessages
- django_manage:
app_path: /srv/taiga/taiga-back
virtualenv: /srv/taiga/venv
command: collectstatic
### DONE with taiga-back
### Setup taiga-front-dist from git
- git:
repo: https://github.com/taigaio/taiga-front-dist.git
dest: /srv/taiga/taiga-front-dist
version: "{{taiga_front_version}}"
- name: install the frontend configuration file
template:
src: conf.json
dest: /srv/taiga/taiga-front-dist/dist/conf.json
mode: 0644
owner: taiga
group: taiga
tags: taiga
# create plugins directory - new in taiga 3.0.0
- file: dest=/srv/taiga/taiga-front-dist/dist/plugins state=directory owner=taiga group=taiga
tags: taiga
# Build the frontend
# npm config set strict-ssl false
# npm install
# npm install gulp
# ./node_modules/.bin/gulp build
- become: yes
become_user: taiga
tags: taiga
block:
# Build our plugin
- npm:
path: /srv/taiga/taiga-contrib-oidc-auth/front
- npm:
path: /srv/taiga/taiga-contrib-oidc-auth/front
name: gulp
- command: ./node_modules/.bin/gulp build
args:
chdir: /srv/taiga/taiga-contrib-oidc-auth/front
creates: /srv/taiga/taiga-contrib-oidc-auth/front/dist/oidc_auth.js
- name: copy the Fedora logo
copy:
src: fedora-logo.png
dest: /srv/taiga/taiga-front-dist/dist/plugins/oidc-auth/images/contrib/fedora-logo.png
owner: taiga
group: taiga
tags: taiga
- name: link our plugin pieces in place
file: src=/srv/taiga/taiga-contrib-oidc-auth/front/dist
dest=/srv/taiga/taiga-front-dist/dist/plugins/oidc-auth
state=link
owner=taiga
group=taiga
tags: taiga
- name: set selinux labels
file:
path: "/srv/taiga/{{ item }}"
state: directory
setype: httpd_sys_content_rw_t
recurse: yes
with_items:
- taiga-front-dist/dist
- taiga-back/static
- taiga-back/media
### DONE with taiga-front
## taiga-back service
- name: copy systemd service file in for taiga
copy: src=taiga-back.service dest=/usr/lib/systemd/system/taiga-back.service
notify: reload systemd service files
tags: taiga
- name: set taiga-back to start
service: name=taiga-back state=started enabled=yes
tags: taiga
# Letsencrypt
- name: get the letsencrypt cert
command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ inventory_hostname }} --agree-tos --email admin@fedoraproject.org
args:
creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
notify: restart nginx
- name: copy cert renew script
copy: src=renew-cert.sh dest=/usr/local/bin/renew-cert.sh mode=0755
tags:
- taiga
- cron
- letsencrypt
- name: install cron for cert renewal
copy: src=cron-renew-cert dest=/etc/cron.d/cron-renew-cert
notify: restart crond
tags:
- taiga
- cron
### FINALLY, nginx to serve/proxy it all
- template: src=default.nginx dest=/etc/nginx/default.d/taiga.conf
mode=0644 owner=nginx group=nginx
notify: restart nginx
tags:
- taiga
- nginx
- template: src=taiga-ssl.nginx dest=/etc/nginx/conf.d/taiga-ssl.conf
mode=0644 owner=nginx group=nginx
notify: restart nginx
tags:
- taiga
- nginx
# Add nginx to the taiga group so it gets rights to read all our static stuff
- user: name=nginx groups=taiga append=yes
tags: taiga
- file: dest=/srv/taiga mode=0750
tags: taiga
- seboolean: name="{{item}}" state=true persistent=true
with_items:
# So we can read static content at all
- httpd_read_user_content
# So we can follow the symlink to our FAS plugin
- httpd_enable_homedirs
# So we can reverse proxy stuff locally to gunicorn
- httpd_can_network_connect
tags: taiga
- service: name=nginx state=started enabled=yes
tags: taiga

15
roles/taiga/templates/conf.json
View file

@ -1,15 +0,0 @@
{
"api": "https://{{inventory_hostname}}/api/v1/",
"eventsUrl": "wss://{{inventory_hostname}}/events",
"debug": true,
"publicRegisterEnabled": false,
"feedbackEnabled": true,
"privacyPolicyUrl": null,
"termsOfServiceUrl": null,
"maxUploadFileSize": null,
"contribPlugins": ["/plugins/oidc-auth/oidc-auth.json"],
"oidcMountPoint": "/api/oidc",
"oidcButtonText": "Fedora",
"oidcButtonImage": "fedora-logo.png",
"debugInfo": false
}

1
roles/taiga/templates/cron-backup-database
View file

@ -1 +0,0 @@
0 0 * * * postgres /usr/local/bin/backup-database {{ item }}

5
roles/taiga/templates/default.nginx
View file

@ -1,5 +0,0 @@
large_client_header_buffers 4 32k;
client_max_body_size 50M;
charset utf-8;
return 302 https://{{ inventory_hostname }}$request_uri;

22
roles/taiga/templates/initial_user.json
View file

@ -1,22 +0,0 @@
[
{
"model": "users.user",
"fields": {
"username": "admin",
"full_name": "Administrator",
"bio": "",
"lang": "",
"color": "",
"photo": "",
"is_active": true,
"colorize_tags": false,
"timezone": "",
"is_superuser": true,
"token": "",
"last_login": "2013-04-04T07:36:09.880Z",
"password": "{{ taiga_admin_pw }}",
"email": "admin@fedoraproject.org",
"date_joined": "2013-04-01T13:48:21.711Z"
}
}
]

63
roles/taiga/templates/local.py
View file

@ -1,63 +0,0 @@
from .common import *
MEDIA_URL = "https://{{ inventory_hostname }}/media/"
STATIC_URL = "https://{{ inventory_hostname }}/static/"
ADMIN_MEDIA_PREFIX = "https://{{ inventory_hostname }}/static/admin/"
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "{{ inventory_hostname }}"
SECRET_KEY = "{{ taiga_secret_key }}"
DEBUG = False
TEMPLATE_DEBUG = False
PUBLIC_REGISTER_ENABLED = True
DEFAULT_FROM_EMAIL = "nobody@fedoraproject.org"
SERVER_EMAIL = DEFAULT_FROM_EMAIL
INSTALLED_APPS += [
"mozilla_django_oidc",
"taiga_contrib_oidc_auth",
]
AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
"taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
]
# OIDC Settings
OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
OIDC_RP_SCOPES = "openid profile email"
OIDC_RP_SIGN_ALGO = "RS256"
# Set the OIDC provider here.
OIDC_BASE_URL = "https://id{{ env_suffix }}.fedoraproject.org/openidc"
# Those URL values work for Ipsilon.
OIDC_OP_JWKS_ENDPOINT = OIDC_BASE_URL + "/Jwks"
OIDC_OP_AUTHORIZATION_ENDPOINT = OIDC_BASE_URL + "/Authorization"
OIDC_OP_TOKEN_ENDPOINT = OIDC_BASE_URL + "/Token"
OIDC_OP_USER_ENDPOINT = OIDC_BASE_URL + "/UserInfo"
# These two are private! Don't commit them to VCS.
OIDC_RP_CLIENT_ID = "{{ taiga_stg_oidc_client_id }}"
OIDC_RP_CLIENT_SECRET = "{{ taiga_stg_oidc_client_secret }}"
# Add the OIDC urls
ROOT_URLCONF = "settings.urls"
## Uncomment all this stuff to get the async celery stuff working.
## It is not necessary.. it just makes everything snappier.
#EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
#EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:{{ taiga_events_password }}@localhost:5672/taiga"}
#
#from .celery import *
#
#BROKER_URL = 'amqp://guest:guest@localhost:5672//'
#CELERY_RESULT_BACKEND = 'redis://localhost:6379/0'
#CELERY_ENABLED = True
# Uncomment and populate with proper connection parameters
# for enable email sending.
EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_USE_TLS = False
EMAIL_HOST = "localhost"
EMAIL_HOST_USER = ""
EMAIL_HOST_PASSWORD = ""
EMAIL_PORT = 25

62
roles/taiga/templates/taiga-ssl.nginx
View file

@ -1,62 +0,0 @@
server {
listen 443 ssl;
server_name {{ inventory_hostname }};
ssl_certificate /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
add_header Strict-Transport-Security "max-age=31536000;";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_prefer_server_ciphers on;
large_client_header_buffers 4 32k;
client_max_body_size 50M;
charset utf-8;
types_hash_max_size 4096;
# Langdon wanted his project renamed... so we redirect.
rewrite ^/project/langdon-modularity/(.*)$ /project/modularity/$1 redirect;
# Frontend
location / {
root /srv/taiga/taiga-front-dist/dist/;
try_files $uri $uri/ /index.html;
disable_symlinks off;
}
# Backend
location /api {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8001/api;
proxy_redirect off;
}
### no more admiin access
# # Django admin access (/admin/)
# location /admin {
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_pass http://127.0.0.1:8001$request_uri;
# proxy_redirect off;
# }
# Static files
location /static {
alias /srv/taiga/taiga-back/static;
}
# Media files
location /media {
alias /srv/taiga/taiga-back/media;
}
}