authorMilo Casagrande <milo.casagrande@linaro.org>2014-06-10 18:25:53 +0200
committerMilo Casagrande <milo.casagrande@linaro.org>2014-06-10 18:25:53 +0200
commitd1f475549708c76850045ad1d8b82346e3b3a432 (patch)
tree608c57d391683c8d1210b87060669310f51e8758
parent123aa016f3c2fc8991e3b03bb3514eac426089bd (diff)
Complete ansible playbook.
Change-Id: I5a1554823ef6848ed93f611b17a942bcc7aab19b
-rw-r--r--ansible/group_vars/all4
-rw-r--r--ansible/host_vars/bugs.linaro.org1
-rw-r--r--ansible/host_vars/staging.bugs.linaro.org1
-rw-r--r--ansible/roles/configure-apache/tasks/main.yml54
-rw-r--r--ansible/roles/configure-apache/templates/production.conf88
-rw-r--r--ansible/roles/configure-apache/templates/staging.conf137
-rw-r--r--ansible/roles/configure-app/tasks/main.yml24
-rw-r--r--ansible/roles/configure-app/templates/localconfig16
-rw-r--r--ansible/roles/configure-db/tasks/main.yml11
-rw-r--r--ansible/roles/install-app/tasks/main.yml29
-rw-r--r--ansible/roles/install-deps/tasks/main.yml8
-rw-r--r--ansible/site.yml3
12 files changed, 371 insertions, 5 deletions
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index e536154..1eaeced 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -2,3 +2,7 @@ install_base: /srv
web_user: www-data
app_user: www-data
git_head: HEAD
+db_driver: mysql
+db_host: localhost
+db_name: bugzilla
+db_user: bugzilla
diff --git a/ansible/host_vars/bugs.linaro.org b/ansible/host_vars/bugs.linaro.org
index 05dd155..a679f27 100644
--- a/ansible/host_vars/bugs.linaro.org
+++ b/ansible/host_vars/bugs.linaro.org
@@ -1,2 +1,3 @@
hostname: bugs.linaro.org
nickname: production-bugs
+role: production
diff --git a/ansible/host_vars/staging.bugs.linaro.org b/ansible/host_vars/staging.bugs.linaro.org
index 87c2bd8..96a2515 100644
--- a/ansible/host_vars/staging.bugs.linaro.org
+++ b/ansible/host_vars/staging.bugs.linaro.org
@@ -1,2 +1,3 @@
hostname: staging.bugs.linaro.org
nickname: staging-bugs
+role: staging
diff --git a/ansible/roles/configure-apache/tasks/main.yml b/ansible/roles/configure-apache/tasks/main.yml
new file mode 100644
index 0000000..dbfd3aa
--- /dev/null
+++ b/ansible/roles/configure-apache/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Enable necessary Apache modules
+ command: a2enmod {{ item }}
+ creates=/etc/apache2/mods-enabled/{{ item }}.load
+ with_items:
+ - ssl
+ - expires
+ - headers
+ - rewrite
+ - cgi
+ notify:
+ - restart-apache
+ tags:
+ - web-server
+
+- name: Install Apache VirtualHost configuration (production)
+ template: src=production.conf
+ dest=/etc/apache2/sites-available/{{ hostname }}.conf
+ owner=root
+ group=root
+ mode=0444
+ when: role == "production"
+ notify:
+ - reload-apache
+ tags:
+ - web-server
+
+- name: Install Apache VirtualHost configuration (staging)
+ template: src=staging.conf
+ dest=/etc/apache2/sites-available/{{ hostname }}.conf
+ owner=root
+ group=root
+ mode=0444
+ when: role == "staging"
+ notify:
+ - reload-apache
+ tags:
+ - web-server
+
+- name: Disable Apache default website
+ command: a2dissite 000-default.conf
+ removes=/etc/apache2/sites-enabled/000-default.conf
+ notify:
+ - restart-apache
+ tags:
+ - web-server
+
+- name: Enable Apache bugzilla web site
+ command: a2ensite {{ hostname }}
+ creates=/etc/apache2/sites-enabled/{{ hostname }}
+ notify:
+ - restart-apache
+ tags:
+ - web-server
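Review bot: The `creates=` guard on the last task, "Enable Apache bugzilla web site", points at `/etc/apache2/sites-enabled/{{ hostname }}`, but the vhost is installed above as `{{ hostname }}.conf`, so the link a2ensite makes will presumably carry the `.conf` suffix and the guard never matches. The task would then rerun and notify restart-apache on every play; `creates=/etc/apache2/sites-enabled/{{ hostname }}.conf` keeps it idempotent. Separately, both templates reference a certificate and key under /etc/ssl, and no task in this role installs or checks them before the restart handler fires, so a `stat`-based check ahead of enabling the site would turn a failed Apache start into a clear playbook error.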
diff --git a/ansible/roles/configure-apache/templates/production.conf b/ansible/roles/configure-apache/templates/production.conf
new file mode 100644
index 0000000..afb365d
--- /dev/null
+++ b/ansible/roles/configure-apache/templates/production.conf
@@ -0,0 +1,88 @@
+# Managed via ansbile, do not edit!
+
+<VirtualHost *:80>
+ ServerName {{ hostname }}
+
+ Redirect permanent / https://{{ hostname }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ Alias /bugzilla {{ install_base }}/{{ hostname }}/
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+
+ SSLEngine On
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCompression Off
+ SSLHonorCipherOrder On
+ SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
+ EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
+ !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
+ CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+
+ SSLCertificateFile /etc/ssl/certs/{{ hostname }}.pem
+ SSLCertificateKeyFile /etc/ss/private/{{ hostname }}.key
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header always set Strict-Transport-Security "max-age=63072000"
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+</VirtualHost>
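Review bot: `SSLCertificateKeyFile /etc/ss/private/{{ hostname }}.key` in the :443 vhost has a path typo (`/etc/ss/`); staging.conf uses `/etc/ssl/private/`, and with the wrong path Apache will not find the production key. It should read `SSLCertificateKeyFile /etc/ssl/private/{{ hostname }}.key`. Also, `Options +ExecCGI +FollowSymLinks +Indexes` on the document root turns on directory listings for a tree that install-app populates from a git checkout, so `.git` and other directories without an index file become browsable unless something else denies them. Dropping `+Indexes` here and in both `<Directory>` blocks of staging.conf is the safer default.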
diff --git a/ansible/roles/configure-apache/templates/staging.conf b/ansible/roles/configure-apache/templates/staging.conf
new file mode 100644
index 0000000..8e840b0
--- /dev/null
+++ b/ansible/roles/configure-apache/templates/staging.conf
@@ -0,0 +1,137 @@
+# Managed via ansbile, do not edit!
+
+<VirtualHost *:80>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ Alias /bugzilla {{ install_base }}/{{ hostname }}/
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi index.html
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+
+ SSLEngine On
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCompression Off
+ SSLHonorCipherOrder On
+ SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
+ EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
+ !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
+ CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+
+ SSLCertificateFile /etc/ssl/certs/{{ hostname }}.pem
+ SSLCertificateKeyFile /etc/ssl/private/{{ hostname }}.key
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header always set Strict-Transport-Security "max-age=63072000"
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+</VirtualHost>
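Review bot: The `<VirtualHost *:80>` block serves Bugzilla directly over plain HTTP, whereas production.conf redirects port 80 to HTTPS, so logins and session cookies on staging can cross the network unencrypted. It also conflicts with the `Strict-Transport-Security` header set in the :443 vhost: a browser that has seen that header will upgrade to HTTPS and never reach the HTTP vhost. If plain HTTP is not needed for staging, reduce the :80 vhost to `Redirect permanent / https://{{ hostname }}/` as in production; if it is needed, add a comment saying why and drop the HSTS header from this template.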
diff --git a/ansible/roles/configure-app/tasks/main.yml b/ansible/roles/configure-app/tasks/main.yml
new file mode 100644
index 0000000..3bc3ff8
--- /dev/null
+++ b/ansible/roles/configure-app/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Install bugzilla configuration file
+ template: src=localconfig
+ dest="{{ install_base }}/{{ hostname }}/localconfig"
+ owner={{ web_user }}
+ group={{ web_user }}
+ mode=0444
+ tags:
+ - app
+ - config
+ - secrets
+
+- name: Create bugzilla documentation
+ command: creates="{{ install_base }}/{{ hostname }}/docs/bugzilla.ent"
+ "{{ install_base }}/{{ hostname }}/docs/makedocs.pl"
+ tags:
+ - app
+
+- name: Fix documentation permissions
+ file: path="{{ install_base }}/{{ hostname }}/docs"
+ owner=root
+ group="{{ web_user }}"
+ tags:
+ - app
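Review bot: The first task installs `localconfig`, which the template fills with `db_pass` and `site_wide_secret`, as `mode=0444` owned by `{{ web_user }}`, so every local account can read the database password and the web-server user owns the file. `owner=root group={{ web_user }} mode=0440` gives the CGI processes read access without exposing the secrets to other users. The "Fix documentation permissions" task also sets no `recurse=`, so it only changes the `docs` directory itself; if the files makedocs.pl generates are meant to be covered, it needs `recurse=yes`.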
diff --git a/ansible/roles/configure-app/templates/localconfig b/ansible/roles/configure-app/templates/localconfig
new file mode 100644
index 0000000..c614299
--- /dev/null
+++ b/ansible/roles/configure-app/templates/localconfig
@@ -0,0 +1,16 @@
+$create_htaccess = 1;
+$webservergroup = '{{ web_user }}';
+$use_suexec = 0;
+$db_driver = '{{ db_driver }}';
+$db_host = '{{ db_host }}';
+$db_name = '{{ db_name }}';
+$db_user = '{{ db_user }}';
+$db_pass = '{{ db_pass }}';
+$db_port = 0;
+$db_sock = '';
+$db_check = 1;
+$index_html = 0;
+$cvsbin = '';
+$interdiffbin = '';
+$diffpath = '/usr/bin';
+$site_wide_secret = '{{ site_wide_secret }}';
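Review bot: `$db_pass = '{{ db_pass }}';` and `$site_wide_secret = '{{ site_wide_secret }}';` drop the values raw into Perl single-quoted literals, so a secret containing `'` or ending in `\` yields a file that no longer parses as intended. Escape backslashes and single quotes in the template (for example with chained `replace` filters), or document that these secrets must be limited to a safe alphabet. Neither variable is defined in the group_vars or host_vars hunks of this commit; presumably they come from elsewhere, and a comment naming that source (ideally an ansible-vault file rather than plain vars) would help the next operator.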
diff --git a/ansible/roles/configure-db/tasks/main.yml b/ansible/roles/configure-db/tasks/main.yml
new file mode 100644
index 0000000..1d3a233
--- /dev/null
+++ b/ansible/roles/configure-db/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Create MySQL bugzilla database
+ mysql_db: name={{ db_name }}
+ state=present
+
+- name: Create MySQL bugzilla user
+ mysql_user: name={{ db_user }}
+ password={{ db_pass }}
+ priv={{ db_name }}.*:ALL
+ state=present
+
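Review bot: "Create MySQL bugzilla user" passes `password={{ db_pass }}` in free-form `key=value` arguments without `no_log: true`, so the password can surface in verbose output and logs, and a value containing a space would be mis-parsed. Quote it as `password="{{ db_pass }}"` and add `no_log: true` to the task. `priv={{ db_name }}.*:ALL` also grants more than an application account usually needs; listing only the privileges Bugzilla requires would follow least privilege. Both tasks also lack the `tags:` that the tasks in the other roles carry.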
diff --git a/ansible/roles/install-app/tasks/main.yml b/ansible/roles/install-app/tasks/main.yml
index f7cf0e0..5f51202 100644
--- a/ansible/roles/install-app/tasks/main.yml
+++ b/ansible/roles/install-app/tasks/main.yml
@@ -1,6 +1,31 @@
---
- name: Checkout bugzilla code
- git: repo=http://git.linaro.org/git/infrastructure/bugs.linaro.org.git
- dest={{ install_base }}/{{ hostname }}
+ git: repo=git://git.linaro.org/infrastructure/bugs.linaro.org.git
+ dest="{{ install_base }}/{{ hostname }}"
version={{ git_head }}
update=yes
+ recursive=no
+ notify:
+ - restart-apache
+ tags:
+ - install
+ - app
+
+- name: Create lib/ directory
+ file: state=directory
+ path="{{ install_base }}/{{ hostname }}/lib"
+ owner=root
+ group={{ web_user }}
+ tags:
+ - install
+ - app
+
+- name: Fix cloned repo permissions
+ file: path="{{ install_base }}/{{ hostname }}"
+ state=directory
+ recurse=yes
+ owner=root
+ group={{ web_user }}
+ tags:
+ - install
+ - app
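Review bot: The checkout now uses `repo=git://git.linaro.org/...`, and the git protocol has no encryption or server authentication, so the code that lands in the document root can be altered in transit; with `git_head: HEAD` in group_vars there is no pinned revision to catch that either. Prefer an `https://` or SSH remote and set `git_head` to a tag or commit id for production. The recursive "Fix cloned repo permissions" task also resets ownership of the whole tree to root on each run, which will flip `localconfig` back and forth with the configure-app role that sets its owner to `{{ web_user }}`.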
diff --git a/ansible/roles/install-deps/tasks/main.yml b/ansible/roles/install-deps/tasks/main.yml
index 7873cf5..22f0ba7 100644
--- a/ansible/roles/install-deps/tasks/main.yml
+++ b/ansible/roles/install-deps/tasks/main.yml
@@ -8,6 +8,7 @@
- bsd-mailx
- git
- ldap-utils
+ - libapache2-mod-perl2
- libappconfig-perl
- libauthen-radius-perl
- libauthen-sasl-perl
@@ -25,10 +26,8 @@
- libencode-detect-perl
- libfile-mimeinfo-perl
- libfile-slurp-perl
- - libgd
+ - libgd-gd2-perl
- libgd-graph-perl
- - libgd2
- - libgd2-xpm
- libhtml-formattext-withlinks-perl
- libhtml-scrubber-perl
- libjson-rpc-perl
@@ -47,10 +46,13 @@
- libxml-feed-perl
- libxml-perl
- libxml-twig-perl
+ - lynx
- mysql-server
- perlmagick
+ - python-mysqldb
- tree
- unzip
+ - xmlto
- zsh
tags:
- install
diff --git a/ansible/site.yml b/ansible/site.yml
index 290f1c5..fe56f1f 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -6,3 +6,6 @@
- common
- install-deps
- install-app
+ - configure-db
+ - configure-app
+ - configure-apache