author | Milo Casagrande <milo.casagrande@linaro.org> | 2014-06-10 18:25:53 +0200 |
---|---|---|
committer | Milo Casagrande <milo.casagrande@linaro.org> | 2014-06-10 18:25:53 +0200 |
commit | d1f475549708c76850045ad1d8b82346e3b3a432 (patch) | |
tree | 608c57d391683c8d1210b87060669310f51e8758 | |
parent | 123aa016f3c2fc8991e3b03bb3514eac426089bd (diff) |
Complete ansible playbook.
Change-Id: I5a1554823ef6848ed93f611b17a942bcc7aab19b
-rw-r--r-- | ansible/group_vars/all | 4 | ||||
-rw-r--r-- | ansible/host_vars/bugs.linaro.org | 1 | ||||
-rw-r--r-- | ansible/host_vars/staging.bugs.linaro.org | 1 | ||||
-rw-r--r-- | ansible/roles/configure-apache/tasks/main.yml | 54 | ||||
-rw-r--r-- | ansible/roles/configure-apache/templates/production.conf | 88 | ||||
-rw-r--r-- | ansible/roles/configure-apache/templates/staging.conf | 137 | ||||
-rw-r--r-- | ansible/roles/configure-app/tasks/main.yml | 24 | ||||
-rw-r--r-- | ansible/roles/configure-app/templates/localconfig | 16 | ||||
-rw-r--r-- | ansible/roles/configure-db/tasks/main.yml | 11 | ||||
-rw-r--r-- | ansible/roles/install-app/tasks/main.yml | 29 | ||||
-rw-r--r-- | ansible/roles/install-deps/tasks/main.yml | 8 | ||||
-rw-r--r-- | ansible/site.yml | 3 |
12 files changed, 371 insertions, 5 deletions
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index e536154..1eaeced 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -2,3 +2,7 @@ install_base: /srv
 web_user: www-data
 app_user: www-data
 git_head: HEAD
+db_driver: mysql
+db_host: localhost
+db_name: bugzilla
+db_user: bugzilla
diff --git a/ansible/host_vars/bugs.linaro.org b/ansible/host_vars/bugs.linaro.org
index 05dd155..a679f27 100644
--- a/ansible/host_vars/bugs.linaro.org
+++ b/ansible/host_vars/bugs.linaro.org
@@ -1,2 +1,3 @@
 hostname: bugs.linaro.org
 nickname: production-bugs
+role: production
diff --git a/ansible/host_vars/staging.bugs.linaro.org b/ansible/host_vars/staging.bugs.linaro.org
index 87c2bd8..96a2515 100644
--- a/ansible/host_vars/staging.bugs.linaro.org
+++ b/ansible/host_vars/staging.bugs.linaro.org
@@ -1,2 +1,3 @@
 hostname: staging.bugs.linaro.org
 nickname: staging-bugs
+role: staging
diff --git a/ansible/roles/configure-apache/tasks/main.yml b/ansible/roles/configure-apache/tasks/main.yml
new file mode 100644
index 0000000..dbfd3aa
--- /dev/null
+++ b/ansible/roles/configure-apache/tasks/main.yml
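Review bot: The new `db_*` block in group_vars/all declares the database name and user but not `db_pass`, and `site_wide_secret` is not declared anywhere in this commit either, although both are consumed by the new localconfig template and the configure-db role; presumably they come from a vault file or `--extra-vars` that is not part of this change. A plain run from a fresh checkout will therefore fail with an undefined-variable error, or, if `error_on_undefined_vars` is off, render an empty password and secret without complaint. A comment next to the new keys would make the contract explicit, e.g. `# db_pass and site_wide_secret are intentionally absent: supply them from an encrypted vars file, never commit real values here.`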
@@ -0,0 +1,54 @@
+---
+- name: Enable necessary Apache modules
+ command: a2enmod {{ item }}
+ creates=/etc/apache2/mods-enabled/{{ item }}.load
+ with_items:
+ - ssl
+ - expires
+ - headers
+ - rewrite
+ - cgi
+ notify:
+ - restart-apache
+ tags:
+ - web-server
+
+- name: Install Apache VirtualHost configuration (production)
+ template: src=production.conf
+ dest=/etc/apache2/sites-available/{{ hostname }}.conf
+ owner=root
+ group=root
+ mode=0444
+ when: role == "production"
+ notify:
+ - reload-apache
+ tags:
+ - web-server
+
+- name: Install Apache VirtualHost configuration (staging)
+ template: src=staging.conf
+ dest=/etc/apache2/sites-available/{{ hostname }}.conf
+ owner=root
+ group=root
+ mode=0444
+ when: role == "staging"
+ notify:
+ - reload-apache
+ tags:
+ - web-server
+
+- name: Disable Apache default website
+ command: a2dissite 000-default.conf
+ removes=/etc/apache2/sites-enabled/000-default.conf
+ notify:
+ - restart-apache
+ tags:
+ - web-server
+
+- name: Enable Apache bugzilla web site
+ command: a2ensite {{ hostname }}
+ creates=/etc/apache2/sites-enabled/{{ hostname }}
+ notify:
+ - restart-apache
+ tags:
+ - web-server
diff --git a/ansible/roles/configure-apache/templates/production.conf b/ansible/roles/configure-apache/templates/production.conf
new file mode 100644
index 0000000..afb365d
--- /dev/null
+++ b/ansible/roles/configure-apache/templates/production.conf
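Review bot: The last task's `creates=/etc/apache2/sites-enabled/{{ hostname }}` can never match, because the vhost is installed as `{{ hostname }}.conf` two tasks earlier and, on the Debian/Ubuntu apache2 2.4 layout this file targets, `a2ensite` links `sites-enabled/{{ hostname }}.conf`; the task will report changed and fire `restart-apache` on every play run. Use the real path on both lines: `command: a2ensite {{ hostname }}.conf` and `creates=/etc/apache2/sites-enabled/{{ hostname }}.conf`. The enable/disable tasks notify `restart-apache` while the template tasks notify `reload-apache`; unless a full restart is really required, `reload-apache` is enough for a site change and avoids dropping in-flight requests.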
@@ -0,0 +1,88 @@
+# Managed via ansbile, do not edit!
+
+<VirtualHost *:80>
+ ServerName {{ hostname }}
+
+ Redirect permanent / https://{{ hostname }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ Alias /bugzilla {{ install_base }}/{{ hostname }}/
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+
+ SSLEngine On
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCompression Off
+ SSLHonorCipherOrder On
+ SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
+ EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
+ !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
+ CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+
+ SSLCertificateFile /etc/ssl/certs/{{ hostname }}.pem
+ SSLCertificateKeyFile /etc/ss/private/{{ hostname }}.key
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header always set Strict-Transport-Security "max-age=63072000"
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+</VirtualHost>
diff --git a/ansible/roles/configure-apache/templates/staging.conf b/ansible/roles/configure-apache/templates/staging.conf
new file mode 100644
index 0000000..8e840b0
--- /dev/null
+++ b/ansible/roles/configure-apache/templates/staging.conf
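Review bot: `SSLCertificateKeyFile /etc/ss/private/{{ hostname }}.key` points at `/etc/ss/` instead of `/etc/ssl/` (staging.conf has the correct `/etc/ssl/private/...`), so Apache will refuse to start or reload once this vhost is enabled on production; the line should read `SSLCertificateKeyFile /etc/ssl/private/{{ hostname }}.key`. Separately, `Options +ExecCGI +FollowSymLinks +Indexes` turns on directory listings for the whole Bugzilla tree; the `.htaccess` files Bugzilla generates (`$create_htaccess = 1` in localconfig) protect the known sensitive files, but exposing the layout of `data/`, `template/` and the like is needless, so dropping `+Indexes` is the safer default unless something relies on it. The header comment also misspells "ansible" as "ansbile" (same in staging.conf).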
@@ -0,0 +1,137 @@
+# Managed via ansbile, do not edit!
+
+<VirtualHost *:80>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ Alias /bugzilla {{ install_base }}/{{ hostname }}/
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ hostname }}
+ ServerAdmin webmaster@linaro.org
+
+ DocumentRoot {{ install_base }}/{{ hostname }}
+
+ <Directory "{{ install_base }}/{{ hostname }}">
+ AddHandler cgi-script cgi
+ Options +ExecCGI +FollowSymLinks +Indexes
+ DirectoryIndex index.cgi index.html
+ AllowOverride Limit FileInfo Indexes Options
+ Require all granted
+ </Directory>
+
+ CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
+ LogLevel info
+
+ KeepAlive On
+ KeepAliveTimeout 9
+ MaxKeepAliveRequests 150
+
+ SSLEngine On
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCompression Off
+ SSLHonorCipherOrder On
+ SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
+ EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
+ !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
+ CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+
+ SSLCertificateFile /etc/ssl/certs/{{ hostname }}.pem
+ SSLCertificateKeyFile /etc/ssl/private/{{ hostname }}.key
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ExpiresActive On
+ ExpiresDefault "access plus 300 seconds"
+
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType image/jpg "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/x-icon "access plus 1 month"
+
+ Header always set Strict-Transport-Security "max-age=63072000"
+ Header append Cache-Control "no-transform"
+
+ <FilesMatch "\.(html|htm)$">
+ Header add Cache-Control "must-revalidate"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ Header add Cache-Control "max-age=5356800"
+ SetOutputFilter DEFLATE
+
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ Header append Vary User-Agent env=!dont-vary
+ </FilesMatch>
+
+</VirtualHost>
diff --git a/ansible/roles/configure-app/tasks/main.yml b/ansible/roles/configure-app/tasks/main.yml
new file mode 100644
index 0000000..3bc3ff8
--- /dev/null
+++ b/ansible/roles/configure-app/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Install bugzilla configuration file
+ template: src=localconfig
+ dest="{{ install_base }}/{{ hostname }}/localconfig"
+ owner={{ web_user }}
+ group={{ web_user }}
+ mode=0444
+ tags:
+ - app
+ - config
+ - secrets
+
+- name: Create bugzilla documentation
+ command: creates="{{ install_base }}/{{ hostname }}/docs/bugzilla.ent"
+ "{{ install_base }}/{{ hostname }}/docs/makedocs.pl"
+ tags:
+ - app
+
+- name: Fix documentation permissions
+ file: path="{{ install_base }}/{{ hostname }}/docs"
+ owner=root
+ group="{{ web_user }}"
+ tags:
+ - app
diff --git a/ansible/roles/configure-app/templates/localconfig b/ansible/roles/configure-app/templates/localconfig
new file mode 100644
index 0000000..c614299
--- /dev/null
+++ b/ansible/roles/configure-app/templates/localconfig
@@ -0,0 +1,16 @@
+$create_htaccess = 1;
+$webservergroup = '{{ web_user }}';
+$use_suexec = 0;
+$db_driver = '{{ db_driver }}';
+$db_host = '{{ db_host }}';
+$db_name = '{{ db_name }}';
+$db_user = '{{ db_user }}';
+$db_pass = '{{ db_pass }}';
+$db_port = 0;
+$db_sock = '';
+$db_check = 1;
+$index_html = 0;
+$cvsbin = '';
+$interdiffbin = '';
+$diffpath = '/usr/bin';
+$site_wide_secret = '{{ site_wide_secret }}';
diff --git a/ansible/roles/configure-db/tasks/main.yml b/ansible/roles/configure-db/tasks/main.yml
new file mode 100644
index 0000000..1d3a233
--- /dev/null
+++ b/ansible/roles/configure-db/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Create MySQL bugzilla database
+ mysql_db: name={{ db_name }}
+ state=present
+
+- name: Create MySQL bugzilla user
+ mysql_user: name={{ db_user }}
+ password={{ db_pass }}
+ priv={{ db_name }}.*:ALL
+ state=present
+
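Review bot: The `*:80` vhost in staging.conf serves the complete Bugzilla application (same `DocumentRoot`, `AddHandler cgi-script cgi`, `Options +ExecCGI`) instead of redirecting to HTTPS the way production.conf does, so staging logins and session cookies go over cleartext on any first visit, and the two-year HSTS header on the 443 vhost only helps browsers that already reached it. If cleartext access is a deliberate staging convenience, say so in the header comment; otherwise replace the whole `*:80` body with the production form, `Redirect permanent / https://{{ hostname }}/`. The two templates are otherwise line-for-line copies, so a single template with `{% if role == "production" %}` around the redirect would keep the cipher list, HSTS and `Options` lines from drifting apart in future edits, as the `/etc/ss/` path already has.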
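Review bot: `mode=0444` in the first task makes `localconfig` readable by every local account, and that file carries `db_pass` and `site_wide_secret` (the value Bugzilla uses to sign tokens and cookies); the task is even tagged `secrets`. The CGIs run as `{{ web_user }}`, so group read is all that is needed: `owner=root`, `group={{ web_user }}`, `mode=0440`, which also matches the `owner=root group={{ web_user }}` scheme install-app applies to the rest of the tree. Bugzilla's own checksetup.pl normally keeps this file unreadable to others, so the wider mode is presumably unintentional rather than required.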
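Review bot: `$db_pass = '{{ db_pass }}';` and `$site_wide_secret = '{{ site_wide_secret }}';` interpolate the values into Perl single-quoted strings with no escaping, so a password or secret containing `'` or `\` yields a truncated value or a syntax error that breaks every CGI. Escape the two characters Perl treats specially inside single quotes, e.g. `$db_pass = '{{ db_pass | replace("\\", "\\\\") | replace("'", "\\'") }}';` and the same filter chain on the `$site_wide_secret` line. Neither variable is defined in this commit, so presumably both come from a vault or extra-vars file; a one-line comment at the top of the template naming where they are expected from would save the next person a search.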
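Review bot: The `mysql_user` task passes `password={{ db_pass }}` as a module argument, so the clear-text password is printed with `-v` and by any callback or log sink; add `no_log: true` to that task (supported since Ansible 1.5). Neither task sets `login_user`/`login_password`, so they rely on the root account's `~/.my.cnf` or socket access on the target; worth a comment if that is the intent. `host=` is left at its default of localhost, which matches `db_host: localhost` in group_vars, so spelling it out as `host=localhost` would keep the grant visibly tied to that variable.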
diff --git a/ansible/roles/install-app/tasks/main.yml b/ansible/roles/install-app/tasks/main.yml
index f7cf0e0..5f51202 100644
--- a/ansible/roles/install-app/tasks/main.yml
+++ b/ansible/roles/install-app/tasks/main.yml
@@ -1,6 +1,31 @@
 ---
 - name: Checkout bugzilla code
- git: repo=http://git.linaro.org/git/infrastructure/bugs.linaro.org.git
- dest={{ install_base }}/{{ hostname }}
+ git: repo=git://git.linaro.org/infrastructure/bugs.linaro.org.git
+ dest="{{ install_base }}/{{ hostname }}"
 version={{ git_head }}
 update=yes
+ recursive=no
+ notify:
+ - restart-apache
+ tags:
+ - install
+ - app
+
+- name: Create lib/ directory
+ file: state=directory
+ path="{{ install_base }}/{{ hostname }}/lib"
+ owner=root
+ group={{ web_user }}
+ tags:
+ - install
+ - app
+
+- name: Fix cloned repo permissions
+ file: path="{{ install_base }}/{{ hostname }}"
+ state=directory
+ recurse=yes
+ owner=root
+ group={{ web_user }}
+ tags:
+ - install
+ - app
diff --git a/ansible/roles/install-deps/tasks/main.yml b/ansible/roles/install-deps/tasks/main.yml
index 7873cf5..22f0ba7 100644
--- a/ansible/roles/install-deps/tasks/main.yml
+++ b/ansible/roles/install-deps/tasks/main.yml
@@ -8,6 +8,7 @@
 - bsd-mailx
 - git
 - ldap-utils
+ - libapache2-mod-perl2
 - libappconfig-perl
 - libauthen-radius-perl
 - libauthen-sasl-perl
@@ -25,10 +26,8 @@
 - libencode-detect-perl
 - libfile-mimeinfo-perl
 - libfile-slurp-perl
- - libgd
+ - libgd-gd2-perl
 - libgd-graph-perl
- - libgd2
- - libgd2-xpm
 - libhtml-formattext-withlinks-perl
 - libhtml-scrubber-perl
 - libjson-rpc-perl
@@ -47,10 +46,13 @@
 - libxml-feed-perl
 - libxml-perl
 - libxml-twig-perl
+ - lynx
 - mysql-server
 - perlmagick
+ - python-mysqldb
 - tree
 - unzip
+ - xmlto
 - zsh
 tags:
 - install
diff --git a/ansible/site.yml b/ansible/site.yml
index 290f1c5..fe56f1f 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -6,3 +6,6 @@
 - common
 - install-deps
 - install-app
+ - configure-db
+ - configure-app
+ - configure-apache |
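Review bot: The checkout URL changes to `git://`, a transport with no authentication or integrity check, so the Bugzilla tree that will execute as `{{ web_user }}` can be substituted by anyone able to interpose on the path to git.linaro.org; combined with `version={{ git_head }}` where group_vars sets `git_head: HEAD`, production follows whatever the branch tip is at deploy time. The previous `http://` line was equally unauthenticated, so this is not a regression, but `repo=https://git.linaro.org/infrastructure/bugs.linaro.org.git` (if the server offers it) plus a tag or commit in `git_head` for the production host would close both gaps. The recursive `owner=root group={{ web_user }}` pass leaves Bugzilla's `data/` directory without write access for the web server; presumably checksetup.pl is run afterwards to fix that, but that step is not in this playbook, so a comment saying where it happens would help.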