diff --git a/debian-repository/tasks/main.yml b/debian-repository/tasks/main.yml
index 35bd3ff2a0e1c4fd885bf0c27241bb7d9f6435e6..bd45f5a4faf91aa5e3d3905bb050559c9233cbac 100644
--- a/debian-repository/tasks/main.yml
+++ b/debian-repository/tasks/main.yml
@@ -1,25 +1,36 @@
 ---
-# file: roles/repository/tasks/main.yml
+# file: debian-repository/tasks/main.yml
 
-- name: ensure we have a group
-  group: name=repo system=yes state=present
+- name: ensure we have a repo group
+  group:
+    name: repo
+    system: yes
+    state: present
   tags:
-    - group
-    - config
-    - repository
+    - debian-repository
+    - webservices
 
-- name: ensure we have a user
-  user: name=repo group=repo system=yes home=/srv/repo shell=/usr/bin/nologin createhome=no state=present
+- name: ensure we have a repo user
+  user:
+    name: repo
+    group: repo
+    system: yes
+    home: /srv/repo
+    shell: /usr/bin/nologin
+    createhome: no
+    state: present
   tags:
-    - user
-    - config
-    - repository
+    - debian-repository
+    - webservices
 
 - name: ensure we have the packaging software installed
-  apt: name={{item}} state=present
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
     - mini-dinstall
   tags:
     - packages
-    - repository
+    - debian-repository
+    - webservices
 
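Review bot: The `shell: /usr/bin/nologin` value on the repo user was carried over unchanged, but on Debian nologin is normally installed at /usr/sbin/nologin, so the account ends up with a shell path that probably does not exist. Login is still refused, but through an exec failure rather than the intended nologin message and logging; `shell: /usr/sbin/nologin` would match the target distribution. Worth confirming on one of the hosts before changing it.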
diff --git a/meckerkasten/defaults/main.yml b/meckerkasten/defaults/main.yml
index f9ce0e61c3430b6d2995e72b995c292885dd9362..e83bc41313c31a5767be4b1e28df407dde070b43 100644
--- a/meckerkasten/defaults/main.yml
+++ b/meckerkasten/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
-# file: roles/meckerkasten/defaults/main.yml
+# file: meckerkasten/defaults/main.yml
 
-meckerkasten_web_root: /var/www/meckerkasten
+meckerkasten_web_root: /var/www/meckerkasten/program
 meckerkasten_name: meckerkasten
 meckerkasten_user: meckerkasten
 meckerkasten_group: meckerkasten
@@ -9,3 +9,5 @@ meckerkasten_admins: [["FSMPI Admins", "admin@fsmpi.rwth-aachen.de"]]
 meckerkasten_sender: meckerkasten@fsmpi.rwth-aachen.de
 meckerkasten_mail_host: mail.fsmpi.rwth-aachen.de
 meckerkasten_allowed_hosts: ["www.fsmpi.rwth-aachen.de"]
+
+meckerkasten_ldap_cert: /etc/ssl/certs/rwth_chain.pem
diff --git a/meckerkasten/handlers/main.yml b/meckerkasten/handlers/main.yml
index 05c45495ae69983785dd45b0c451c5610b82c6c6..056b2bd343bd402b896ea7e57cfb90e7260a9b55 100644
--- a/meckerkasten/handlers/main.yml
+++ b/meckerkasten/handlers/main.yml
@@ -1,13 +1,14 @@
 ---
-# file: roles/meckerkasten/handlers/main.yml
+# file: meckerkasten/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart uwsgi for meckerkasten
-  service: name="{{item}}" state=restarted enabled=yes
-  with_items:
-    - "{{meckerkasten_name}}"
+  service:
+    name: "{{ meckerkasten_name }}"
+    state: restarted
+    enabled: yes
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/meckerkasten/meta/main.yml b/meckerkasten/meta/main.yml
index 82a6f858a6a4e9ea5ad3c56003b32eb50504f44c..417a6ee7d3f594f790e10851751fb7a73175e1f5 100644
--- a/meckerkasten/meta/main.yml
+++ b/meckerkasten/meta/main.yml
@@ -1,5 +1,4 @@
 ---
-# file:roles/meckerkasten/meta/main.yml
+# file: meckerkasten/meta/main.yml
 dependencies:
-  - { role: webserver }
-  - { role: uwsgi-python, uwsgi_name: "{{meckerkasten_name}}", uwsgi_user: "{{meckerkasten_user}}", uwsgi_group: "{{meckerkasten_group}}", uwsgi_path: "{{meckerkasten_web_root}}/program", uwsgi_home: "{{meckerkasten_web_root}}", uwsgi_program: "meckerkasten/wsgi.py", uwsgi_callable: "application", uwsgi_command: "runserver", uwsgi_db: "sqlite", uwsgi_python: 2 }
+  - { role: uwsgi-python, uwsgi_name: "{{meckerkasten_name}}", uwsgi_user: "{{meckerkasten_user}}", uwsgi_group: "{{meckerkasten_group}}", uwsgi_path: "{{meckerkasten_web_root}}", uwsgi_home: "{{meckerkasten_web_root}}", uwsgi_program: "meckerkasten/wsgi.py", uwsgi_callable: "application", uwsgi_command: "runserver", uwsgi_db: "sqlite", uwsgi_python: 2 }
diff --git a/meckerkasten/tasks/main.yml b/meckerkasten/tasks/main.yml
index 902ea8751422cbf4d43b25f70c28f3df08472acc..0e4e42ec055c3d8c2dcc5bf32a7dd53027e7b23c 100644
--- a/meckerkasten/tasks/main.yml
+++ b/meckerkasten/tasks/main.yml
@@ -1,75 +1,70 @@
 ---
-# file: roles/meckerkasten/tasks/main.yml
+# file: meckerkasten/tasks/main.yml
 
-- name: ensure we have a folder for the program
-  file: path="{{meckerkasten_web_root}}" state=directory owner="{{meckerkasten_user}}" group="{{meckerkasten_group}}" mode=0755
-  tags:
-    - directory
-    - meckerkasten
-
-- name: ensure we have a .ssh directory
-  file: path="{{meckerkasten_web_root}}/.ssh" state=directory owner="{{meckerkasten_user}}" group="{{meckerkasten_group}}" mode=0755
-  tags:
-    - directory
-    - meckerkasten
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{meckerkasten_web_root}}/.ssh/" owner="{{meckerkasten_user}}" group="{{meckerkasten_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ meckerkasten_deploy_key }}"
+    dest: /root/.ssh/meckerkasten
+    owner: root
+    group: root
+    mode: 0600
   tags:
-    - ssh
     - meckerkasten
+    - webservices
 
-- name: ensure we have our .ssh config
-  template: src=config dest="{{meckerkasten_web_root}}/.ssh/config" owner="{{meckerkasten_user}}" group="{{meckerkasten_group}}" mode=0644
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
   tags:
-    - ssh
     - meckerkasten
+    - webservices
 
 - name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:studi-systeme/meckerkasten.git dest="{{meckerkasten_web_root}}/program"
-  become: yes
-  become_user: "{{meckerkasten_user}}"
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:studi-systeme/meckerkasten.git
+    dest: "{{ meckerkasten_web_root }}"
+    key_file: /root/.ssh/meckerkasten
+    version: HEAD
   notify:
     - restart uwsgi for meckerkasten
   tags:
-    - git
     - meckerkasten
+    - webservices
+
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
+  tags:
+    - meckerkasten
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{meckerkasten_web_root}}/program/requirements.txt"
-    virtualenv: "{{meckerkasten_web_root}}/program"
+    requirements: "{{ meckerkasten_web_root }}/requirements.txt"
+    virtualenv: "{{ meckerkasten_web_root }}"
     virtualenv_python: python2
-  become: yes
-  become_user: "{{meckerkasten_user}}"
   notify:
     - restart uwsgi for meckerkasten
   tags:
-    - pip
-    - python
     - meckerkasten
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: settings.py
-    dest: "{{meckerkasten_web_root}}/program/meckerkasten/settings.py"
-    owner: "{{meckerkasten_user}}"
-    group: "{{meckerkasten_group}}"
-    mode: 0644
+    src: settings.py.j2
+    dest: "{{ meckerkasten_web_root }}/meckerkasten/settings.py"
+    owner: "{{ meckerkasten_user }}"
+    group: "{{ meckerkasten_group }}"
+    mode: 0640
   notify:
     - restart uwsgi for meckerkasten
   tags:
-    - config
-    - python
     - meckerkasten
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: meckerkasten.service
-    dest: "/etc/systemd/system/{{meckerkasten_name}}.service"
+    src: meckerkasten.service.j2
+    dest: "/etc/systemd/system/{{ meckerkasten_name }}.service"
     owner: root
     group: root
     mode: 0644
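Review bot: The two `mount -o remount` tasks around the git clone are not tied together, so if `ensure we have the program` fails the play stops with /tmp still mounted `exec` and the `noexec` hardening is never restored. Wrapping the three tasks in a `block` with the `remount,noexec` command under `always:` restores the option on success and on failure; the same pattern is added in protokollsystem/tasks/main.yml and needs the same treatment. Both `command` tasks also report changed on every run, which `changed_when: false` would fix. Separately, `git` and `pip` now run without `become_user`, so whatever the requirements file pulls in is built and installed as root; worth confirming that this is intended.

```yaml
- block:
    - name: temporarily allow exec on /tmp for the git module
      command: mount -o remount,exec /tmp
      changed_when: false

    - name: ensure we have the program
      git:
        # … unchanged: repo, dest, key_file, version …
      notify:
        - restart uwsgi for meckerkasten
  always:
    - name: restore noexec on /tmp
      command: mount -o remount,noexec /tmp
      changed_when: false
  tags:
    - meckerkasten
    - webservices
```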
@@ -77,17 +72,16 @@
     - reload systemd service files
     - restart uwsgi for meckerkasten
   tags:
-    - config
-    - systemd
     - meckerkasten
+    - webservices
 
 - meta: flush_handlers
 
-- name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
-  with_items:
-    - "{{meckerkasten_name}}"
+- name: ensure the service is enabled
+  service:
+    name: "{{ meckerkasten_name }}"
+    enabled: yes
+    state: started
   tags:
-    - config
-    - systemd
     - meckerkasten
+    - webservices
diff --git a/meckerkasten/templates/config b/meckerkasten/templates/config
deleted file mode 100644
index 950461dd95d47aba0f2b26fb3b1a9b6bd6b915f3..0000000000000000000000000000000000000000
--- a/meckerkasten/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{meckerkasten_web_root}}/.ssh/deploy-key
diff --git a/meckerkasten/templates/meckerkasten.service b/meckerkasten/templates/meckerkasten.service.j2
similarity index 64%
rename from meckerkasten/templates/meckerkasten.service
rename to meckerkasten/templates/meckerkasten.service.j2
index 5d031f9ca3fd31461677866d6cca3f1ea9cfd73b..ea9b89cfe4a1a94155cfdbec07560f5c013f8cf7 100644
--- a/meckerkasten/templates/meckerkasten.service
+++ b/meckerkasten/templates/meckerkasten.service.j2
@@ -3,8 +3,10 @@ Description=Meckerkasten
 After=network.target
 
 [Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-Environment=MECKERKASTEN_WEB_ROOT={{meckerkasten_web_root}}/program/
+{% if meckerkasten_ldap_cert %}
+Environment=LDAPTLS_CACERT={{ meckerkasten_ldap_cert }}
+{% endif %}
+Environment=MECKERKASTEN_WEB_ROOT={{meckerkasten_web_root}}/
 Environment=MECKERKASTEN_WEB_SUBDIR=meckerkasten
 ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{meckerkasten_name}}.ini
 Restart=always
diff --git a/meckerkasten/templates/settings.py b/meckerkasten/templates/settings.py.j2
similarity index 82%
rename from meckerkasten/templates/settings.py
rename to meckerkasten/templates/settings.py.j2
index 6b17804d245deb00761ad1757f8b67c285763504..965b63f89d21b9f22b55c9328d817f30cc9fbb1e 100644
--- a/meckerkasten/templates/settings.py
+++ b/meckerkasten/templates/settings.py.j2
@@ -1,28 +1,29 @@
 # Django settings for meckerkasten project.
 
-DEBUG = True
+DEBUG = False
 
 ADMINS = (
     {% for name, address in meckerkasten_admins %}
-    ('{{name}}', '{{address}}'),
+    ('{{ name }}', '{{ address }}'),
     {% endfor %}
 )
-
-SERVER_EMAIL = "{{meckerkasten_sender}}"
-EMAIL_HOST = "{{meckerkasten_mail_host}}"
-EMAIL_HOST_USER = "{{meckerkasten_mail_user|default('')}}"
-EMAIL_HOST_PASSWORD = "{{meckerkasten_mail_password|default('')}}"
-
 MANAGERS = ADMINS
 
+SERVER_EMAIL = "{{ meckerkasten_sender }}"
+EMAIL_HOST = "{{ meckerkasten_mail_host }}"
+EMAIL_HOST_USER = "{{ meckerkasten_mail_user|default('') }}"
+EMAIL_HOST_PASSWORD = "{{ meckerkasten_mail_password|default('') }}"
+EMAIL_PORT = {{ meckerkasten_mail_port|default('25') }}
+DEFAUL_FROM_EMAIL = "{{ meckerkasten_sender }}"
+
 DATABASES = {
     'default': {
-        'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
-        'NAME': 'meckerkasten.sqlite3',                      # Or path to database file if using sqlite3.
-        'USER': '',                      # Not used with sqlite3.
-        'PASSWORD': '',                  # Not used with sqlite3.
-        'HOST': '',                      # Set to empty string for localhost. Not used with sqlite3.
-        'PORT': '',                      # Set to empty string for default. Not used with sqlite3.
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': 'meckerkasten.sqlite3',
+        'USER': '',
+        'PASSWORD': '',
+        'HOST': '',
+        'PORT': '',
     }
 }
 
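Review bot: `DEFAUL_FROM_EMAIL` in the added mail block is misspelt, so Django never reads it and outgoing mail keeps the framework's default sender instead of `meckerkasten_sender`; the line should read `DEFAULT_FROM_EMAIL = "{{ meckerkasten_sender }}"`. The mail variables are also interpolated directly into Python string literals, so a password containing a double quote or a backslash renders a broken or different settings file. Escaping those values when rendering, or documenting the restriction next to the variables, would avoid a surprise at deploy time.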
@@ -30,7 +31,7 @@ DATABASES = {
 # See https://docs.djangoproject.com/en/1.4/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = [
 {% for host in meckerkasten_allowed_hosts %}
-    "{{host}}"
+    "{{ host }}"
 {% endfor %}
 ]
 
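Review bot: The loop body `"{{ host }}"` emits no trailing comma, so with more than one entry in `meckerkasten_allowed_hosts` Python concatenates the adjacent string literals into a single bogus hostname and every request fails host validation. It works today only because the default list has one element; the line should be `"{{ host }}",`.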
@@ -92,7 +93,7 @@ STATICFILES_FINDERS = (
 )
 
 # Make this unique, and don't share it with anybody.
-SECRET_KEY = '{{(2**2048)|random}}'
+SECRET_KEY = '{{ (2**2048)|random }}'
 
 TEMPLATES = [
     {
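Review bot: `SECRET_KEY` is drawn from `random` at render time, so each play run writes a different key: the template task is never idempotent, uwsgi is restarted every time, and existing sessions and signed values are invalidated. Generating the key once and keeping it in a vaulted variable avoids this, e.g. `SECRET_KEY = '{{ meckerkasten_secret_key }}'` (the variable name is a suggestion and is not defined in this role). Which random source the filter uses depends on the Ansible version, so confirm that before relying on it for key material.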
@@ -168,9 +169,3 @@ LOGGING = {
         },
     }
 }
-
-EMAIL_HOST = "{{meckerkasten_mail_host}}"
-EMAIL_HOST_USER = ""
-EMAIL_HOST_PASSWORD = ""
-EMAIL_PORT = 25
-DEFAUL_FROM_EMAIL = "root@fsmpi.rwth-aachen.de"
diff --git a/mediawiki/defaults/main.yml b/mediawiki/defaults/main.yml
index 9c04cacfb90edae6130d401b2a1ad1c5ff878fce..4c2b7d243aed2371f4986da09c311863f14d057b 100644
--- a/mediawiki/defaults/main.yml
+++ b/mediawiki/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/mediawiki/defaults/main.yml
+# file: mediawiki/defaults/main.yml
 
 mediawiki_web_root: /var/www
 
diff --git a/mediawiki/handlers/main.yml b/mediawiki/handlers/main.yml
index 0de5dcd788a2759ebedff7197a6df1eef31c304f..ae4e9283c5ed4e8fa6ec2ac017f8ea238ae9c8bb 100644
--- a/mediawiki/handlers/main.yml
+++ b/mediawiki/handlers/main.yml
@@ -1,11 +1,14 @@
 ---
-# file: roles/mediawiki/handlers/main.yml
+# file: mediawiki/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: "restart uwsgi for {{ mediawiki_name }}"
-  service: "name=mediawiki-{{ mediawiki_name }} state=restarted enabled=yes"
+  service:
+    name: "mediawiki-{{ mediawiki_name }}"
+    state: restarted
+    enabled: yes
 
 - name: create tmpfiles
   shell: systemd-tmpfiles --create
diff --git a/mediawiki/meta/main.yml b/mediawiki/meta/main.yml
index 8c99dfce25159796ead9633182a9326f9238bb19..633491489b5015ce47f8c24361b8272808c8eb9b 100644
--- a/mediawiki/meta/main.yml
+++ b/mediawiki/meta/main.yml
@@ -1,5 +1,4 @@
 ---
-# file: roles/mediawiki/meta/main.yml
+# file: mediawiki/meta/main.yml
 dependencies:
   - { role: php-fpm, fpm_pool: "{{mediawiki_name}}", fpm_user: "{{mediawiki_user}}", fpm_group: "{{mediawiki_group}}", fpm_socket_user: "{{mediawiki_user}}", fpm_socket_group: www-data }
-  - { role: postgres }
diff --git a/mediawiki/tasks/ldap.yml b/mediawiki/tasks/ldap.yml
index f1998a474068c168e77ec34e84615441c6eac53b..501c3096aba92a38e83ee3c5c5b558b5c9b3e207 100644
--- a/mediawiki/tasks/ldap.yml
+++ b/mediawiki/tasks/ldap.yml
@@ -1,11 +1,11 @@
 ---
-# file: roles/mediawiki/tasks/ldap.yml
+# file: mediawiki/tasks/ldap.yml
 
 - name: ensure we have the auth extension
   git:
     repo: https://git.fsmpi.rwth-aachen.de/robin/mediawiki-remoteuser.git
     dest: "/var/lib/mediawiki/extensions/AuthRemoteuser"
+    version: HEAD
   tags:
-    - git
-    - packages
     - mediawiki
+    - webservices
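Review bot: `version: HEAD` makes every run pull whatever is currently at the tip of a personal repository into the wiki's authentication path, with no review step between an upstream push and deployment. Pinning to a reviewed commit, `version: "<reviewed-commit-sha>"` (placeholder), turns an update into an explicit change in this role. The same applies to the `version: HEAD` added to the git task in meckerkasten/tasks/main.yml.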
diff --git a/mediawiki/tasks/main.yml b/mediawiki/tasks/main.yml
index c794a6b51ceb7e9ffa8cae438ccac2a6aa6e4b44..305d34830af7143b4e0ad169957c2c1873f8e6a2 100644
--- a/mediawiki/tasks/main.yml
+++ b/mediawiki/tasks/main.yml
@@ -1,23 +1,24 @@
 ---
-# file: roles/mediawiki/tasks/main.yml
+# file: mediawiki/tasks/main.yml
 
 - name: ensure packages for mediawiki are installed on jessie
-  apt: name={{ item }} state=latest install_recommends=no
-  with_items:
-    - mediawiki
+  apt:
+    name: mediawiki
+    state: installed
+    install_recommends: no
   when: debian_version == "jessie"
   tags:
-    - packages
     - mediawiki
+    - webservices
 
 - name: ensure packages for mediawiki are installed on stretch
-  apt: name={{ item }} state=present
-  with_items:
-    - mediawiki
+  apt:
+    name: mediawiki
+    state: installed
   when: debian_version == "stretch"
   tags:
-    - packages
     - mediawiki
+    - webservices
 
 - name: "ensure group for {{ mediawiki_name }} exists"
   group:
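Review bot: `state: installed` is a deprecated alias of `present` in the apt module, while the other roles touched by this commit (debian-repository, php-fpm) use `state: present`; using `present` here and in mediawiki/tasks/mysql.yml and mediawiki/tasks/postgres.yml keeps the roles consistent and does not depend on the alias. The jessie task also changes from `state=latest` to installed, so mediawiki is no longer upgraded by the play on those hosts; if that is intended, a short comment such as `# upgrades are handled outside this role` would record it.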
@@ -25,9 +26,8 @@
     state: present
     system: yes
   tags:
-    - users
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure user for {{ mediawiki_name }} exists"
   user:
@@ -39,9 +39,8 @@
     home: "{{ mediawiki_web_root }}"
     createhome: no
   tags:
-    - users
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the wiki folder for {{ mediawiki_name }} exists"
   file:
@@ -51,8 +50,8 @@
     group: "{{ mediawiki_group }}"
     path: "{{ mediawiki_web_root }}/{{ mediawiki_name }}"
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the wiki uploads folder for {{ mediawiki_name }} exists"
   file:
@@ -62,15 +61,15 @@
     group: "{{ mediawiki_group }}"
     path: "{{ mediawiki_web_root }}/{{ mediawiki_name }}/images"
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: "get other mediawiki files for {{ mediawiki_name }}"
   shell: ls --hide=LocalSettings.php --hide=images /usr/share/mediawiki
   register: mediawiki_other_files
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure other mediawiki files for {{ mediawiki_name }} are linked"
   file:
@@ -78,47 +77,40 @@
     src: "/usr/share/mediawiki/{{ item }}"
     dest: "{{ mediawiki_web_root }}/{{ mediawiki_name }}/{{ item }}"
     force: yes
-  with_items: "{{mediawiki_other_files.stdout_lines}}"
+  with_items: "{{ mediawiki_other_files.stdout_lines }}"
   tags:
-    - config
     - mediawiki
+    - webservices
 
 - name: ensure we have a unique temporary cache directory
-  lineinfile:
-    dest: /etc/tmpfiles.d/10-mediawiki.conf
-    line: "d /tmp/{{mediawiki_name}} 0775 {{mediawiki_user}} {{mediawiki_group}} - -"
-    create: yes
+  template:
+    src: tmpfiles.j2
+    dest: "/etc/tmpfiles.d/10-mediawiki-{{ mediawiki_name }}.conf"
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - create tmpfiles
   tags:
-    - config
     - mediawiki
-
-#- name: "ensure the library mediawiki uses for diffs is enabled"
-#  file:
-#    state: link
-#    src: "../../mods-available/wikidiff2.ini"
-#    dest: "/etc/php5/embed/conf.d/wikidiff2.ini"
-#  tags:
-#    - config
-#    - mediawiki
-#    - php
+    - webservices
 
 - include: postgres.yml
   when: mediawiki_dbtype == "postgres"
 
+- include: mysql.yml
+  when: mediawiki_dbtype == "mysql"
+
 - include: ldap.yml
   when: mediawiki_use_ldap
 
 - name: ensure we are running maintenance regularly
-  cron: 
-    name: "mediawiki maintenance"
-    hour: "0"
-    minute: "0"
-    job: "/usr/bin/php {{mediawiki_web_root}}/{{mediawiki_name}}/maintenance/runJobs.php --conf {{mediawiki_web_root}}/{{mediawiki_name}}/LocalSettings.php"
-  become: yes
-  become_user: "{{mediawiki_user}}"
+  template: 
+    src: crontab.j2
+    dest: "/etc/cron.d/mediawiki-{{ mediawiki_name }}-maint"
+    owner: root
+    group: root
+    mode: 0644
   tags:
-    - cron
-    - config
     - mediawiki
+    - webservices
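Review bot: Moving the maintenance job from the `cron` module to a file in /etc/cron.d leaves the old `mediawiki maintenance` entry in the user's crontab on hosts that already ran this role, so `runJobs.php` would run twice there; the old `/etc/tmpfiles.d/10-mediawiki.conf` is left behind in the same way. A cleanup task such as `cron: name="mediawiki maintenance" user="{{ mediawiki_user }}" state=absent`, plus a `file` task with `state: absent` for the old tmpfiles entry, would close that. Debian's cron also skips files in /etc/cron.d whose names contain a dot, so `mediawiki_name` should not contain one.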
diff --git a/mediawiki/tasks/mysql.yml b/mediawiki/tasks/mysql.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1405f249efa1a213009b270460eef94604a832f8
--- /dev/null
+++ b/mediawiki/tasks/mysql.yml
@@ -0,0 +1,21 @@
+---
+# file: mediawiki/tasks/mysql.yml
+
+- name: ensure php can talk with mysql on jessie
+  apt:
+    name: php5-mysql
+    state: installed
+  when: debian_version == "jessie"
+  tags:
+    - mediawiki
+    - webservices
+
+- name: ensure php can talk with mysql on stretch
+  apt:
+    name: php-mysql
+    state: installed
+  when: debian_version == "stretch"
+  tags:
+    - mediawiki
+    - webservices
+
diff --git a/mediawiki/tasks/postgres.yml b/mediawiki/tasks/postgres.yml
index a3de64e32776a794cfb62ffdb701517d6a32dbcb..2eb59091241b301bdf7ad30019e94629e7b038e5 100644
--- a/mediawiki/tasks/postgres.yml
+++ b/mediawiki/tasks/postgres.yml
@@ -1,21 +1,23 @@
 ---
-# file: roles/mediawiki/tasks/postgres.yml
+# file: mediawiki/tasks/postgres.yml
 
-- name: "ensure php can talk with postgres on jessie"
-  apt: name=php5-pgsql state=latest
+- name: ensure php can talk with postgres on jessie
+  apt:
+    name: php5-pgsql
+    state: installed
   when: debian_version == "jessie"
   tags:
-    - packages
-    - postgresql
     - mediawiki
+    - webservices
 
-- name: "ensure php can talk with postgres on stretch"
-  apt: name=php-pgsql state=present
+- name: ensure php can talk with postgres on stretch
+  apt:
+    name: php-pgsql
+    state: installed
   when: debian_version == "stretch"
   tags:
-    - packages
-    - postgresql
     - mediawiki
+    - webservices
 
 - name: "ensure the database user for {{ mediawiki_name }} exists"
   postgresql_user:
@@ -26,9 +28,8 @@
   become: yes
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
+    - webservices
 
 - name: "ensure the database for {{ mediawiki_name }} exists"
   postgresql_db: 
@@ -38,9 +39,8 @@
   become: yes
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
+    - webservices
   
 - name: "ensure the database user has priviliges for {{ mediawiki_name }}"
   postgresql_privs:
@@ -52,6 +52,5 @@
   become: yes
   become_user: postgres
   tags:
-    - postgresql
-    - config
     - mediawiki
+    - webservices
diff --git a/mediawiki/templates/crontab.j2 b/mediawiki/templates/crontab.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d3a63cfe9e32781547745e759762db42cfd061cd
--- /dev/null
+++ b/mediawiki/templates/crontab.j2
@@ -0,0 +1 @@
+0 0 * * * {{ mediawiki_user }} /usr/bin/php {{ mediawiki_web_root }}/{{ mediawiki_name }}/maintenance/runJobs.php --conf {{ mediawiki_web_root }}/{{ mediawiki_name }}/LocalSettings.php
diff --git a/mediawiki/templates/mediawiki.ini.j2 b/mediawiki/templates/mediawiki.ini.j2
deleted file mode 100644
index 6684a59defbf81100fab9350cd0002deec024894..0000000000000000000000000000000000000000
--- a/mediawiki/templates/mediawiki.ini.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-[uwsgi]
-uwsgi-socket = /run/uwsgi/app/mediawiki-{{ mediawiki_name }}/mediawiki-{{ mediawiki_name }}.sock
-chmod-socket = 660
-chown-socket = {{ mediawiki_user }}:www-data
-autoload = 
-master = 
-processes = 4
-workers = 4
-prio = -5
-harakiri = 5
-chdir = {{ mediawiki_web_root }}/{{ mediawiki_name }}
-uid = {{ mediawiki_user }}
-gid = {{ mediawiki_group }}
-logto = /var/log/uwsgi-mediawiki-{{ mediawiki_name }}.log
-logfile-chown = {{ mediawiki_user }}:{{ mediawiki_group }}
-logfile-chmod = 664
-log-date = 
-log-4xx = 
-log-5xx = 
-log-x-forwarded-for = 
-plugin = php
-php-index = index.php
-env = MW_INSTALL_PATH={{ mediawiki_web_root }}/{{ mediawiki_name }}
diff --git a/mediawiki/templates/mediawiki.service.j2 b/mediawiki/templates/mediawiki.service.j2
deleted file mode 100644
index 1dd799174a823a50bedd7cd4514e8d3c12643d93..0000000000000000000000000000000000000000
--- a/mediawiki/templates/mediawiki.service.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=MediaWiki {{ mediawiki_name }} forwarded by uwsgi
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/mediawiki-{{ mediawiki_name }}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mediawiki/templates/tmpfiles.j2 b/mediawiki/templates/tmpfiles.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cd6225d2b1e2cdcb8c0cbe88ed91db317e00be4c
--- /dev/null
+++ b/mediawiki/templates/tmpfiles.j2
@@ -0,0 +1 @@
+d /tmp/{{ mediawiki_name }} 0775 {{ mediawiki_user }} {{ mediawiki_group }} - -
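Review bot: The cache directory is created under world-writable /tmp with a predictable name and group-write permission, so any local user can create `/tmp/<name>` first and populate it before systemd-tmpfiles applies ownership. A location outside /tmp, for example under /var/cache, with mode 0750 would avoid that if the wiki does not need group write access. Whether the wiki's configuration can be pointed at another path is not visible in this diff.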
diff --git a/php-fpm/defaults/main.yml b/php-fpm/defaults/main.yml
index ad1acfff87a8e19e6f17457dc59230a169ff86a0..4df56c336c8357b6ea8a06483c67b5b51f7a37a7 100644
--- a/php-fpm/defaults/main.yml
+++ b/php-fpm/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/php-fpm/defaults/mail.yml
+# file: php-fpm/defaults/mail.yml
 
 fpm_pool: www
 fpm_user: www-data
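Review bot: The header comment still names the file `mail.yml`; since the line is being rewritten anyway it should read `# file: php-fpm/defaults/main.yml`.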
diff --git a/php-fpm/handlers/main.yml b/php-fpm/handlers/main.yml
index 3fd2471de3f8ede95c313fd3086121c5d26fed63..710c0f6116f490a2c1551624b7d87d9fae08fc9d 100644
--- a/php-fpm/handlers/main.yml
+++ b/php-fpm/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/php-fpm/handlers/main.yml
+# file: php-fpm/handlers/main.yml
 
 - name: restart php-fpm
   service: name=php7.0-fpm.service state=restarted
diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml
index 50f5bf47aed9ab13e46aadc9fda39289c0dd9a16..fdea86362ab6a289d60a01607bf0e3ef5d6a76b4 100644
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
-# file: roles/php-fpm/tasks/main.yml
+# file: php-fpm/tasks/main.yml
 
 - name: ensure php-fpm is installed on stretch
-  apt: name="{{item}}" state=present
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
     - php
     - php-fpm
@@ -10,25 +12,25 @@
   notify:
     - restart php-fpm
   tags:
-    - packages
-    - php
     - php-fpm
+    - webservices
 
 - name: ensure php-fpm is installed on jessie
-  apt: name="{{item}}" state=present
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
     - php5
     - php5-fpm
   when: debian_version == "jessie"
   tags:
-    - packages
-    - php
     - php-fpm
+    - webservices
   
 - name: ensure we have the pool we want
   template:
-    src: pool.conf
-    dest: "/etc/php/7.0/fpm/pool.d/{{fpm_pool}}.conf"
+    src: pool.conf.j2
+    dest: "/etc/php/7.0/fpm/pool.d/{{ fpm_pool }}.conf"
     owner: root
     group: root
     mode: 0644
@@ -36,7 +38,5 @@
   notify:
     - restart php-fpm
   tags:
-   - config
-   - php
    - php-fpm
-
+   - webservices
diff --git a/php-fpm/templates/pool.conf b/php-fpm/templates/pool.conf
deleted file mode 100644
index f7f846fdf4ee68aa43bf7d6a24b97fb951bba3bd..0000000000000000000000000000000000000000
--- a/php-fpm/templates/pool.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-[{{fpm_pool}}]
-user = {{fpm_user}}
-group = {{fpm_group}}
-
-listen = /run/php/{{fpm_pool}}-fpm.sock
-
-listen.owner = {{fpm_socket_user}}
-listen.group = {{fpm_socket_group}}
-
-pm = dynamic
-pm.max_children = 5
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 3
diff --git a/php-fpm/templates/pool.conf.j2 b/php-fpm/templates/pool.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2695e216c8d15be4a1f330bbef50ea0878f3bf5d
--- /dev/null
+++ b/php-fpm/templates/pool.conf.j2
@@ -0,0 +1,14 @@
+[{{ fpm_pool }}]
+user = {{ fpm_user }}
+group = {{ fpm_group }}
+
+listen = /run/php/{{ fpm_pool }}-fpm.sock
+
+listen.owner = {{ fpm_socket_user }}
+listen.group = {{ fpm_socket_group }}
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
diff --git a/protokollsystem/defaults/main.yml b/protokollsystem/defaults/main.yml
index 4f5aec1ee5c4b97741c7bdd7efa053041f7b288e..2ffb469e083f2bbe482b091c16e9002e4c7a4aad 100644
--- a/protokollsystem/defaults/main.yml
+++ b/protokollsystem/defaults/main.yml
@@ -1,8 +1,66 @@
 ---
-# file: roles/protokollsystem/defaults/main.yml
+# file: protokollsystem/defaults/main.yml
 
-protokolle_web_root: /var/www/protokollsystem
+protokolle_web_root: /var/www/protokollsystem/program
 protokolle_name: protokollsystem
 protokolle_user: protokolle
 protokolle_group: protokolle
 protokolle_celery_concurrency: 4
+protokolle_ldap_cert: /etc/ssl/certs/rwth_chain.pem
+
+protokolle_mail: True
+protokolle_mail_from: 'Gustav Geier <protokolle@fsmpi.rwth-aachen.de>'
+protokolle_mail_host: 'mail.fsmpi.rwth-aachen.de:25'
+protokolle_mail_user: ''
+protokolle_mail_password: ''
+protokolle_mail_tls: False # 'tls' or 'starttls'
+
+protokolle_celery_broker: 'redis://localhost:6379/0'
+
+protokolle_url_root: 'protokolle.fsmpi.rwth-aachen.de'
+protokolle_url_proto: 'https'
+protokolle_url_path: '/'
+
+protokolle_printing: True
+protokolle_printing_server: 'printsrv.fsmpi.rwth-aachen.de:631'
+protokolle_printing_user: 'protokolle'
+protokolle_printing_printers:
+  - printer: kopierer
+    options: ["ColorModel=Gray", "KCStaple=Center", "KCPunch=2HoleEUR", "Duplex=DuplexNoTumble"]
+  - printer: hoern_kopierer
+    options: ["Duplex=DuplexNoTumble"]
+
+protokolle_etherpad: True
+protokolle_etherpad_url: 'https://fachschaften.rwth-aachen.de/etherpad'
+
+protokolle_wiki: True
+protokolle_wiki_api: 'https://www.fsmpi.rwth-aachen.de/wiki/api.php'
+protokolle_wiki_anonymous: False
+protokolle_wiki_user: 'protocolpusher'
+protokolle_wiki_password: '0h3CjGju'
+protokolle_wiki_domain: 'fsmpi'
+
+protokolle_calendar: True
+protokolle_calendar_url: ''
+
+protokolle_admin_mail: 'admin@fsmpi.rwth-aachen.de'
+protokolle_admin_group: 'protokolladmin'
+
+protokolle_latex_local_templates: '' # local-templates
+protokolle_latex_logo_template: '' # asta-logo.tex
+protokolle_latex_geometry: '' # bottom=1.6cm,top=1.6cm,inner=2.5cm,outer=1.0cm,footskip=1.0cm,headsep=0.6cm
+protokolle_latex_pagestyle: '' # fancy
+protokolle_latex_packages: [] # ["[absolute]{textpos}", "{fancyheadings}"]
+protokolle_latex_header_footer: None # True
+
+protokolle_auth_max_duration: 86400
+protokolle_auth_backends:
+  - type: ADManager
+    host: auth.fsmpi.rwth-aachen.de
+    domain: FSMPI
+    user_dn: 'cn=users,dc=fsmpi,dc=rwth-aachen,dc=de'
+    group_dn: 'dc=fsmpi,dc=rwth-aachen,dc=de'
+    ca_cert: '/etc/ssl/certs/rwth_chain.pem'
+    obsolete: False
+protokolle_auth_obsoletion_warning: 'Bitte migriere deinen Fachschaftsaccount im <a href=\"https://migration.fsmpi.rwth-aachen.de\">Migrationstool</a>!'
+
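Review bot: `protokolle_wiki_password` is committed with what looks like a live credential as its role default, and once pushed it stays in the repository history. The account's password should be rotated and the default changed to `protokolle_wiki_password: ''`, with the real value supplied from an Ansible Vault-encrypted vars file; `protokolle_mail_password` already defaults to empty in the same way. Separately, `protokolle_latex_header_footer: None` is the string `None` in YAML and not a null, so it is truthy in a template test; use `null` if "unset" is meant.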
diff --git a/protokollsystem/handlers/main.yml b/protokollsystem/handlers/main.yml
index a2a8db7cdb40321c7c44092bf3cc11b324e87b52..6a11f0a90f6e2fb5d6be19f0fff95a49061e22a5 100644
--- a/protokollsystem/handlers/main.yml
+++ b/protokollsystem/handlers/main.yml
@@ -1,14 +1,16 @@
 ---
-# file: roles/protokollsystem/handlers/main.yml
+# file: protokollsystem/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart uwsgi for protokollsystem
-  service: name="{{item}}" state=restarted enabled=yes
+  service:
+    name: "{{ item }}"
+    state: restarted
   with_items:
-    - "{{protokolle_name}}"
-    - "{{protokolle_name}}-celery"
+    - "{{ protokolle_name }}"
+    - "{{ protokolle_name }}-celery"
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/protokollsystem/meta/main.yml b/protokollsystem/meta/main.yml
index 561292b67b6826174e507d8591fb9928bf64dc0c..c8705ba558878478ea4096e0458d90983afff549 100644
--- a/protokollsystem/meta/main.yml
+++ b/protokollsystem/meta/main.yml
@@ -1,9 +1,6 @@
 ---
-# file:roles/protokollsystem/meta/main.yml
+# file: protokollsystem/meta/main.yml
 dependencies:
-  - { role: webserver }
-  - { role: redis-server }
-  - { role: postgres }
   - { role: texlive }
   - { role: cups-client }
   - { role: uwsgi-python, uwsgi_name: "{{protokolle_name}}", uwsgi_user: "{{protokolle_user}}", uwsgi_group: "{{protokolle_group}}", uwsgi_path: "{{protokolle_web_root}}/program", uwsgi_home: "{{protokolle_web_root}}", uwsgi_program: "server.py", uwsgi_callable: "app", uwsgi_command: "runserver", uwsgi_db: "postgres", uwsgi_python: 3, uwsgi_mules: 1 }
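Review bot: The `uwsgi_path` on the unchanged uwsgi-python line still appends `/program` to `protokolle_web_root`, while protokollsystem/defaults/main.yml in this commit moves the web root to `/var/www/protokollsystem/program`; unless the tasks clone into a nested directory, uwsgi would be pointed at `.../program/program`. The meckerkasten role received the matching fix, so this line probably needs `uwsgi_path: "{{protokolle_web_root}}"` as well. The protokollsystem tasks file is cut off in this view, so check it against the clone destination there.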
diff --git a/protokollsystem/tasks/main.yml b/protokollsystem/tasks/main.yml
index 3ff8f512dfb35b86391b188af63c956f245ca3b4..a03f105bb0508dc23fccd217a21978f692e47eaa 100644
--- a/protokollsystem/tasks/main.yml
+++ b/protokollsystem/tasks/main.yml
@@ -1,84 +1,99 @@
 ---
-# file: roles/protokollsystem/tasks/main.yml
+# file: protokollsystem/tasks/main.yml
 
-- name: ensure we have the fonts
-  apt: name="{{item}}" state=present
+- name: ensure we have all required software and fonts
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
+    - python3-virtualenv
+    - virtualenv
+    - libxml2-dev
+    - libxslt-dev
     - fontconfig
     - tex-gyre
   tags:
-    - packages
     - protokollsystem
+    - webservices
 
-- name: ensure we have a folder for the program
-  file: path="{{protokolle_web_root}}" state=directory owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0755
-  tags:
-    - directory
-    - protokollsystem
-
-- name: ensure we have a .ssh directory
-  file: path="{{protokolle_web_root}}/.ssh" state=directory owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0755
-  tags:
-    - directory
-    - protokollsystem
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{protokolle_web_root}}/.ssh/" owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ protokolle_deploy_key }}"
+    dest: /root/.ssh/protokolle
+    owner: root
+    group: root
+    mode: 0600
   tags:
-    - ssh
     - protokollsystem
+    - webservices
 
-- name: ensure we have our .ssh config
-  template: src=config dest="{{protokolle_web_root}}/.ssh/config" owner="{{protokolle_user}}" group="{{protokolle_group}}" mode=0644
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
   tags:
-    - ssh
     - protokollsystem
+    - webservices
 
 - name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:protokollsystem/proto3.git dest="{{protokolle_web_root}}/program"
-  become: yes
-  become_user: "{{protokolle_user}}"
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:protokollsystem/proto3.git
+    dest: "{{ protokolle_web_root }}"
+    accept_hostkey: True # TODO remove this
+    key_file: /root/.ssh/protokolle
   notify:
     - restart uwsgi for protokollsystem
   tags:
-    - git
     - protokollsystem
+    - webservices
+
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
+  tags:
+    - protokollsystem
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{protokolle_web_root}}/program/requirements.txt"
-    virtualenv: "{{protokolle_web_root}}/program"
+    requirements: "{{ protokolle_web_root }}/requirements.txt"
+    virtualenv: "{{ protokolle_web_root }}"
     virtualenv_python: python3
-  become: yes
-  become_user: "{{protokolle_user}}"
   notify:
     - restart uwsgi for protokollsystem
   tags:
-    - pip
-    - python
     - protokollsystem
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: config.py
-    dest: "{{protokolle_web_root}}/program/config.py"
-    owner: "{{protokolle_user}}"
-    group: "{{protokolle_group}}"
+    src: config.py.j2
+    dest: "{{ protokolle_web_root }}/config.py"
+    owner: "{{ protokolle_user }}"
+    group: "{{ protokolle_group }}"
+    mode: 0640
+  notify:
+    - restart uwsgi for protokollsystem
+  tags:
+    - protokollsystem
+    - webservices
+
+- name: ensure we have our local templates
+  copy:
+    src: "{{ protokolle_local_templates }}"
+    dest: "{{ protokolle_web_root }}/"
+    owner: "{{ protokolle_user }}"
+    group: "{{ protokolle_group }}"
     mode: 0644
+  when: protokolle_local_templates
   notify:
     - restart uwsgi for protokollsystem
   tags:
-    - config
-    - python
     - protokollsystem
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: protokollsystem.service
-    dest: "/etc/systemd/system/{{protokolle_name}}.service"
+    src: protokollsystem.service.j2
+    dest: "/etc/systemd/system/{{ protokolle_name }}.service"
     owner: root
     group: root
     mode: 0644
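Review bot: `accept_hostkey: True` on the git task "ensure we have the program" lets the clone proceed against a host key that is not yet known, so the code root then installs is only as authentic as that first connection. The inline TODO acknowledges this, but nothing in the commit replaces it. The sibling roles clone without the option, so a pinned entry in root's known_hosts is presumably the intended state. I would add a `known_hosts` task before the clone and drop the option, as sketched below; the key variable is a placeholder for the server's published host key line. The unit-file task at the end of the hunk continues outside it.

```yaml
- name: ensure the git host key is pinned
  known_hosts:
    name: git.fsmpi.rwth-aachen.de
    # placeholder variable: the server's published host key line
    key: "{{ protokolle_git_host_key }}"
    path: /root/.ssh/known_hosts
  tags:
    - protokollsystem
    - webservices

- name: ensure we have the program
  git:
    # … unchanged: repo, dest; accept_hostkey removed …
    key_file: /root/.ssh/protokolle
```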
@@ -86,14 +101,13 @@
     - reload systemd service files
     - restart uwsgi for protokollsystem
   tags:
-    - config
-    - systemd
     - protokollsystem
+    - webservices
 
 - name: ensure the celery unit file exists
   template:
-    src: celery.service
-    dest: "/etc/systemd/system/{{protokolle_name}}-celery.service"
+    src: celery.service.j2
+    dest: "/etc/systemd/system/{{ protokolle_name }}-celery.service"
     owner: root
     group: root
     mode: 0644
@@ -101,19 +115,19 @@
     - reload systemd service files
     - restart uwsgi for protokollsystem
   tags:
-    - config
-    - systemd
-    - celery
     - protokollsystem
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
   with_items:
-    - "{{protokolle_name}}"
-    - "{{protokolle_name}}-celery"
+    - "{{ protokolle_name }}"
+    - "{{ protokolle_name }}-celery"
   tags:
-    - config
-    - systemd
     - protokollsystem
+    - webservices
diff --git a/protokollsystem/templates/celery.service b/protokollsystem/templates/celery.service
deleted file mode 100644
index 360a975cf4fdf51d83d665ac76c8a1df9fc9d4af..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/celery.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Protokollsystem-Celery
-After=network.target
-
-[Service]
-User={{protokolle_user}}
-Group={{protokolle_group}}
-WorkingDirectory={{protokolle_web_root}}/program
-Environment=VIRTUAL_ENV="{{protokolle_web_root}}/program"
-ExecStart={{protokolle_web_root}}/program/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{protokolle_celery_concurrency}}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/protokollsystem/templates/celery.service.j2 b/protokollsystem/templates/celery.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..512f08b503de9212034d44b02b1e9f3a39d9481c
--- /dev/null
+++ b/protokollsystem/templates/celery.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description={{ protokolle_name }}-Celery
+After=network.target
+
+[Service]
+User={{ protokolle_user }}
+Group={{ protokolle_group }}
+WorkingDirectory={{ protokolle_web_root }}
+Environment=VIRTUAL_ENV="{{ protokolle_web_root }}"
+ExecStart={{ protokolle_web_root }}/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{ protokolle_celery_concurrency }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
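Review bot: The [Service] section starts the worker with no sandboxing, although config.py.j2 in this commit keeps `CELERY_ACCEPT_CONTENT = ["pickle"]` and makes the broker URL configurable. Anything able to write to that broker can therefore have the worker unpickle arbitrary objects as `{{ protokolle_user }}`. I would add hardening directives to [Service], for example `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`, after checking that LaTeX rendering and printing still work under them. A comment in the unit noting that the broker must stay restricted to trusted writers would document the assumption.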
diff --git a/protokollsystem/templates/config b/protokollsystem/templates/config
deleted file mode 100644
index 0998e43d453f18d9fef362788acc1e9682a2e783..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{protokolle_web_root}}/.ssh/deploy-key
diff --git a/protokollsystem/templates/config.py b/protokollsystem/templates/config.py
deleted file mode 100644
index 7f6cf84379e9e4a3405958ec0dba455b1b07e81c..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/config.py
+++ /dev/null
@@ -1,135 +0,0 @@
-SQLALCHEMY_DATABASE_URI = "postgresql://{{protokolle_user}}:@/{{protokolle_name}}"
-SQLALCHEMY_TRACK_MODIFICATIONS = False
-
-SECRET_KEY = "{{protokolle_secret}}"
-
-DEBUG = False
-
-MAIL_ACTIVE = True
-MAIL_FROM = "Gustav Geier <protokolle@fsmpi.rwth-aachen.de>"
-MAIL_HOST = "mail.fsmpi.rwth-aachen.de:25"
-MAIL_USER = ""
-MAIL_PASSWORD = ""
-MAIL_USE_TLS = False
-
-CELERY_BROKER_URL = "redis://localhost:6379/0"
-CELERY_TASK_SERIALIZER = "pickle"
-CELERY_ACCEPT_CONTENT = ["pickle"]
-
-URL_ROOT = "protokolle.fsmpi.rwth-aachen.de"
-URL_PROTO = "https"
-URL_PATH = "/"
-URL_PARAMS = ""
-
-PRINTING_ACTIVE = True
-PRINTING_SERVER = "printsrv.fsmpi.rwth-aachen.de:631"
-PRINTING_USER = "protokolle"
-PRINTING_PRINTERS = {
-    "kopierer": ["ColorModel=Gray", "KCStaple=Center", "KCPunch=2HoleEUR", "Duplex=DuplexNoTumble"],
-    "hoern_kopierer": ["Duplex=DuplexNoTumble"]
-}
-
-ETHERPAD_ACTIVE = True
-ETHERPAD_URL = "https://fachschaften.rwth-aachen.de/etherpad"
-EMPTY_ETHERPAD = """Welcome to Etherpad!
-
-This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
-
-Get involved with Etherpad at http://etherpad.org
-
-"""
-
-WIKI_ACTIVE = True
-WIKI_API_URL = "https://www.fsmpi.rwth-aachen.de/wiki/api.php"
-WIKI_ANONYMOUS = False
-WIKI_USER = "protocolpusher"
-WIKI_PASSWORD = "0h3CjGju"
-WIKI_DOMAIN = "fsmpi"
-
-CALENDAR_ACTIVE = True
-CALENDAR_URL = ""
-CALENDAR_DEFAULT_DURATION = 3
-CALENDAR_MAX_REQUESTS = 10
-
-SESSION_PROTECTION = "strong"
-
-SECURITY_KEY = "{{protokolle_security_key}}"
-from auth import LdapManager, ADManager
-AUTH_MAX_DURATION = 86400
-AUTH_BACKENDS = [
-#    LdapManager(
-#        host="rumo.fsmpi.rwth-aachen.de",
-#        user_dn="uid={},ou=users,dc=fsmpi,dc=rwth-aachen,dc=de",
-#        group_dn="dc=fsmpi,dc=rwth-aachen,dc=de",
-#        obsolete=True),
-    ADManager(
-        host="auth.fsmpi.rwth-aachen.de",
-        domain="FSMPI",
-        user_dn="cn=users,dc=fsmpi,dc=rwth-aachen,dc=de",
-        group_dn="dc=fsmpi,dc=rwth-aachen,dc=de",
-        ca_cert="/etc/ssl/certs/rwth_chain.pem"),
-]
-
-OBSOLETION_WARNING = "Bitte migriere deinen Fachschaftsaccount im <a href=\"https://migration.fsmpi.rwth-aachen.de\">Migrationstool</a>!"
-
-ERROR_CONTEXT_LINES = 3
-
-PAGE_LENGTH = 20
-PAGE_DIFF = 3
-
-MAX_INDEX_DAYS = 14
-
-ADMIN_MAIL = "admin@fsmpi.rwth-aachen.de"
-ADMIN_GROUP = "protokolladmin"
-
-PARSER_LAZY = False
-
-FUZZY_MIN_SCORE = 90
-
-FONTS = {
-    "main": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n019003l",
-        "bold": "n019004l",
-        "italic": "n019023l",
-        "bolditalic": "n019024l"
-    },
-    "roman": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n021003l",
-        "bold": "n021004l",
-        "italic": "n021023l",
-        "bolditalic": "n021024l"
-    },
-    "sans": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n019003l",
-        "bold": "n019004l",
-        "italic": "n019023l",
-        "bolditalic": "n019024l"
-    },
-    "mono": {
-        "extension": ".pfb",
-        "path": "/usr/share/fonts/type1/gsfonts/",
-        "regular": "n022003l",
-        "bold": "n022004l",
-        "italic": "n022023l",
-        "bolditalic": "n022024l"
-    }
-}
-
-
-DOCUMENTS_PATH = "documents"
-
-PRIVATE_KEYWORDS = ["private", "internal", "privat", "intern"]
-
-LATEX_BULLETPOINTS = [
-    r"\textbullet",
-    r"\normalfont \bfseries \textendash",
-    r"$\circ$",
-    r"\textperiodcentered"
-]
-
diff --git a/protokollsystem/templates/config.py.j2 b/protokollsystem/templates/config.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..abe32780d738f8dc540e15a83c5bd7c9d23a3b95
--- /dev/null
+++ b/protokollsystem/templates/config.py.j2
@@ -0,0 +1,158 @@
+SQLALCHEMY_DATABASE_URI = "postgresql://{{ protokolle_user }}:@/{{ protokolle_name }}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+
+SECRET_KEY = "{{ protokolle_secret }}"
+
+DEBUG = False
+
+MAIL_ACTIVE = {{ protokolle_mail }}
+MAIL_FROM = "{{ protokolle_mail_from }}"
+MAIL_HOST = "{{ protokolle_mail_host }}"
+MAIL_USER = "{{ protokolle_mail_user }}"
+MAIL_PASSWORD = "{{ protokolle_mail_password }}"
+{% if protokolle_mail_tls == 'tls' %}
+MAIL_USE_TLS = True
+MAIL_USE_STARTTLS = False
+{% else if protokolle_mail_tls == 'starttls' %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = True
+{% else %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = False
+{% endif %}
+
+CELERY_BROKER_URL = "{{ protokolle_celery_broker }}"
+CELERY_TASK_SERIALIZER = "pickle"
+CELERY_ACCEPT_CONTENT = ["pickle"]
+
+URL_ROOT = "{{ protokolle_url_root }}"
+URL_PROTO = "{{ protokolle_url_proto }}"
+URL_PATH = "{{ protokolle_url_path }}"
+URL_PARAMS = ""
+
+PRINTING_ACTIVE = {{ protokolle_printing }}
+PRINTING_SERVER = "{{ protokolle_printing_server }}"
+PRINTING_USER = "{{ protokolle_printing_user }}"
+PRINTING_PRINTERS = {
+{% for p in protokolle_printing_printers %}
+	"{{ p.printer }}": [
+{% for o in p.options %}
+		"{{ o }}",
+{% endfor %}
+	],
+{% endfor %}
+}
+
+ETHERPAD_ACTIVE = {{ protokolle_etherpad }}
+ETHERPAD_URL = "{{ protokolle_etherpad_url }}"
+EMPTY_ETHERPAD = """Welcome to Etherpad!
+
+This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
+
+Get involved with Etherpad at http://etherpad.org
+
+"""
+
+WIKI_ACTIVE = {{ protokolle_wiki }}
+WIKI_API_URL = "{{ protokolle_wiki_api }}"
+WIKI_ANONYMOUS = {{ protokolle_wiki_anonymous }}
+WIKI_USER = "{{ protokolle_wiki_user }}"
+WIKI_PASSWORD = "{{ protokolle_wiki_password }}"
+WIKI_DOMAIN = "{{ protokolle_wiki_domain }}"
+
+CALENDAR_ACTIVE = {{ protokolle_calendar }}
+CALENDAR_URL = "{{ protokolle_calendar_url }}"
+CALENDAR_DEFAULT_DURATION = 3
+CALENDAR_MAX_REQUESTS = 10
+
+SESSION_PROTECTION = "strong"
+
+SECURITY_KEY = "{{ protokolle_security_key }}"
+from auth import LdapManager, ADManager
+AUTH_MAX_DURATION = {{ protokolle_auth_max_duration }}
+AUTH_BACKENDS = [
+{% for auth in protokolle_auth_backends %}
+    {{ auth.type }}(
+        host="{{ auth.host }}",
+        domain="{{ auth.domain }}",
+        user_dn="{{ auth.user_dn }}",
+        group_dn="{{ auth.group_dn }}",
+        ca_cert="{{ auth.ca_cert }}",
+        obsolete={{ auth.obsolete }}),
+{% endfor %}
+]
+
+OBSOLETION_WARNING = "{{ protokolle_auth_obsoletion_warning }}"
+
+ERROR_CONTEXT_LINES = 3
+
+PAGE_LENGTH = 20
+PAGE_DIFF = 3
+
+MAX_INDEX_DAYS = 14
+
+ADMIN_MAIL = "{{ protokolle_admin_mail }}"
+ADMIN_GROUP = "{{ protokolle_admin_group }}"
+
+PARSER_LAZY = False
+
+FUZZY_MIN_SCORE = 90
+
+FONTS = {
+    "main": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n019003l",
+        "bold": "n019004l",
+        "italic": "n019023l",
+        "bolditalic": "n019024l"
+    },
+    "roman": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n021003l",
+        "bold": "n021004l",
+        "italic": "n021023l",
+        "bolditalic": "n021024l"
+    },
+    "sans": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n019003l",
+        "bold": "n019004l",
+        "italic": "n019023l",
+        "bolditalic": "n019024l"
+    },
+    "mono": {
+        "extension": ".pfb",
+        "path": "/usr/share/fonts/type1/gsfonts/",
+        "regular": "n022003l",
+        "bold": "n022004l",
+        "italic": "n022023l",
+        "bolditalic": "n022024l"
+    }
+}
+
+
+DOCUMENTS_PATH = "documents"
+
+PRIVATE_KEYWORDS = ["private", "internal", "privat", "intern"]
+
+LATEX_BULLETPOINTS = [
+    r"\textbullet",
+    r"\normalfont \bfseries \textendash",
+    r"$\circ$",
+    r"\textperiodcentered"
+]
+
+LATEX_LOCAL_TEMPLATES = "{{ protokolle_latex_local_templates }}"
+LATEX_LOGO_TEMPLATE = "{{ protokolle_latex_logo_template }}"
+LATEX_GEOMETRY = "{{ protokolle_latex_geometry }}"
+LATEX_PAGESTYLE = "{{ protokolle_latex_pagestyle }}"
+LATEX_ADDITIONAL_PACKAGES = ["{{ protokolle_latex_packages|join('", "') }}"]
+{% if protokolle_latex_header_footer %}
+LATEX_HEADER_FOOTER = True
+{% else if protokolle_latex_header_footer == False %}
+LATEX_HEADER_FOOTER = False
+{% endif %}
+
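Review bot: `{% else if protokolle_mail_tls == 'starttls' %}` in the MAIL block and `{% else if protokolle_latex_header_footer == False %}` at the end are not Jinja2 syntax. The tag is `elif`, so as written the template should fail with a syntax error before any config is rendered. They should read `{% elif protokolle_mail_tls == 'starttls' %}` and `{% elif protokolle_latex_header_footer == False %}`. A comment above the MAIL block listing the accepted values of protokolle_mail_tls ('tls', 'starttls', anything else meaning no transport encryption) would also make the silent plaintext fallback visible to whoever sets the variable.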
diff --git a/protokollsystem/templates/protokollsystem.service b/protokollsystem/templates/protokollsystem.service
deleted file mode 100644
index 12c030a321489cef635d95dd80238e6926dddc4a..0000000000000000000000000000000000000000
--- a/protokollsystem/templates/protokollsystem.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Protokollsystem
-After=network.target
-Wants=protokollsystem-celery.service
-
-[Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{protokolle_name}}.ini
-Restart=always
-KillSignal=SIGTERM
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/protokollsystem/templates/protokollsystem.service.j2 b/protokollsystem/templates/protokollsystem.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..177b92f94a5f7077765a8300ce8f43ba5b07e1c0
--- /dev/null
+++ b/protokollsystem/templates/protokollsystem.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description={{ protokolle_name }}
+After=network.target
+Wants=protokollsystem-celery.service
+
+[Service]
+{% if protokolle_ldap_cert %}
+Environment=LDAPTLS_CACERT={{ protokolle_ldap_cert }}
+{% endif %}
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{ protokolle_name }}.ini
+Restart=always
+KillSignal=SIGTERM
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
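Review bot: `Wants=protokollsystem-celery.service` is still hard-coded, while the tasks in this commit install the worker unit as `{{ protokolle_name }}-celery.service` and the Description line was just switched to the variable. With any protokolle_name other than "protokollsystem" the Wants= would name a unit that does not exist and the worker would not be pulled in. The line should read `Wants={{ protokolle_name }}-celery.service`.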
diff --git a/schildergenerator/defaults/main.yml b/schildergenerator/defaults/main.yml
index 71b5b4161fa82337a6bd2e274f5411d6af7d90a0..b39cf2482fb6414073057d9db36c1a5cb0b4ac4b 100644
--- a/schildergenerator/defaults/main.yml
+++ b/schildergenerator/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
-# file: roles/schildergenerator/defaults/main.yml
+# file: schildergenerator/defaults/main.yml
 
-schilder_web_root: /var/www/schilder
+schilder_web_root: /var/www/schilder/program
 schilder_name: schilder
 schilder_user: schilder
 schilder_group: schilder
diff --git a/schildergenerator/handlers/main.yml b/schildergenerator/handlers/main.yml
index 297692941bc67e0cd709d05dce0f96fd0014c8fc..9453d1bfcfb93d3824cd9aeb4eecd642ff35da17 100644
--- a/schildergenerator/handlers/main.yml
+++ b/schildergenerator/handlers/main.yml
@@ -1,11 +1,13 @@
 ---
-# file: roles/schilder/handlers/main.yml
+# file: schildergenerator/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart uwsgi for schilder
-  service: name="{{schilder_name}}" state=restarted enabled=yes
+  service:
+    name: "{{ schilder_name }}"
+    state: restarted
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/schildergenerator/meta/main.yml b/schildergenerator/meta/main.yml
index 891398649ba33ddeeb08c6b808f320402aede046..a2939c374ebf9e8c5871ec44def63b2d52c36774 100644
--- a/schildergenerator/meta/main.yml
+++ b/schildergenerator/meta/main.yml
@@ -1,8 +1,7 @@
 ---
-# file: roles/schildergenerator/meta/main.yml
+# file: schildergenerator/meta/main.yml
 
 dependencies:
-  - { role: webserver }
   - { role: texlive }
   - { role: cups-client }
   - { role: uwsgi-python, uwsgi_name: "{{schilder_name}}", uwsgi_user: "{{schilder_user}}", uwsgi_group: "{{schilder_group}}", uwsgi_path: "{{schilder_web_root}}/program", uwsgi_home: "{{schilder_web_root}}", uwsgi_program: "schilder.py", uwsgi_callable: "app", uwsgi_command: "", uwsgi_db: "", uwsgi_python: 2, uwsgi_mules: 0 }
diff --git a/schildergenerator/tasks/main.yml b/schildergenerator/tasks/main.yml
index 4926a68d00cf7328a3ff802e768fcc7ac60653c1..ebaa0055128725d0f7017872a761f5ac404feaa4 100644
--- a/schildergenerator/tasks/main.yml
+++ b/schildergenerator/tasks/main.yml
@@ -1,66 +1,57 @@
 ---
-# file: roles/schildergenerator/tasks/main.yml
+# file: schildergenerator/tasks/main.yml
 
 - name: ensure we have necessary software installed
-  apt: name="{{item}}" state=present
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
     - graphicsmagick
     - python-pythonmagick
   tags:
-    - packages
     - schildergenerator
+    - webservices
 
-- name: ensure we have the folders for the program
-  file:
-    path: "{{item}}"
-    state: directory
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
-    mode: 0755
-  with_items:
-    - "{{schilder_web_root}}"
-    - "{{schilder_web_root}}/program"
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ schilder_deploy_key }}"
+    dest: /root/.ssh/schildergenerator
+    owner: root
+    group: root
+    mode: 0600
   tags:
-    - directory
     - schildergenerator
+    - webservices
 
-- name: ensure we have a .ssh directory
-  file: path="{{schilder_web_root}}/.ssh" state=directory owner="{{schilder_user}}" group="{{schilder_group}}" mode=0755
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
   tags:
-    - directory
     - schildergenerator
+    - webservices
 
-- name: ensure we have our deploy key 
-  copy: src="{{item}}" dest="{{schilder_web_root}}/.ssh/" owner="{{schilder_user}}" group="{{schilder_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
+- name: ensure the git is at the current revision
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:schilder/schildergenerator.git
+    dest: "{{ schilder_web_root }}"
+    key_file: /root/.ssh/schildergenerator
+    version: HEAD
+  notify:
+    - restart uwsgi for schilder
   tags:
-    - ssh
     - schildergenerator
+    - webservices
 
-- name: ensure we have our .ssh config
-  template: src=config dest="{{schilder_web_root}}/.ssh/config" owner="{{schilder_user}}" group="{{schilder_group}}" mode=0644
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
   tags:
-    - ssh
     - schildergenerator
-
-#- name: ensure we have the program
-#  git:
-#    repo: "git@git.fsmpi.rwth-aachen.de:schilder/schildergenerator.git"
-#    dest: "{{schilder_web_root}}/program"
-#  become: yes
-#  become_user: "{{schilder_user}}"
-#  notify:
-#    - restart uwsgi for schilder
-#  tags:
-#    - git
-#    - schildergenerator
+    - webservices
 
 - name: ensure git ignores local files
   lineinfile:
-    dest: "{{schilder_web_root}}/program/.git/info/exclude"
-    line: "{{item}}"
+    dest: "{{ schilder_web_root }}/.git/info/exclude"
+    line: "{{ item }}"
     state: present
   with_items:
     - data/
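Review bot: The `mount -o remount,exec /tmp` task and its `noexec` counterpart are independent tasks, so if the git task between them fails the play stops and /tmp stays mounted exec on that host until someone notices. I would wrap the three tasks in a `block:` and move the noexec remount under `always:` so the hardening is restored on every path. Both command tasks also report "changed" on each run; `changed_when: false` would keep the play output meaningful. The same pattern appears in protokollsystem/tasks/main.yml and sso/tasks/main.yml in this commit. The lineinfile task at the end of the hunk continues outside it.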
@@ -69,66 +60,61 @@
     - local/
     - share/
   tags:
-    - git
     - schildergenerator
+    - webservices
 
 - name: ensure we have our requirements
   copy:
     src: requirements.txt
-    dest: "{{schilder_web_root}}/requirements.txt"
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
+    dest: "{{ schilder_web_root }}/requirements.txt"
+    owner: "{{ schilder_user }}"
+    group: "{{ schilder_group }}"
     mode: 0644
   tags:
-    - pip
-    - python
     - schildergenerator
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{schilder_web_root}}/requirements.txt"
-    virtualenv: "{{schilder_web_root}}/program"
+    requirements: "{{ schilder_web_root }}/requirements.txt"
+    virtualenv: "{{ schilder_web_root }}"
     virtualenv_python: python2
     virtualenv_site_packages: yes
-  become: yes
-  become_user: "{{schilder_user}}"
   notify:
     - restart uwsgi for schilder
   tags:
-    - pip
-    - python
     - schildergenerator
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: config.py
-    dest: "{{schilder_web_root}}/program/config.py"
-    owner: "{{schilder_user}}"
-    group: "{{schilder_group}}"
+    src: config.py.j2
+    dest: "{{ schilder_web_root }}/config.py"
+    owner: "{{ schilder_user }}"
+    group: "{{ schilder_group }}"
     mode: 0644
   notify:
     - restart uwsgi for schilder
   tags:
-    - config
-    - python
     - schildergenerator
+    - webservices
 
 - name: ensure we have our templates
   git:
-    repo: "{{schilder_templates_url}}"
-    dest: "{{schilder_web_root}}/tex"
-  become: yes
-  become_user: "{{schilder_user}}"
+    repo: "{{ schilder_templates_url }}"
+    dest: "{{ schilder_web_root }}/tex"
+    key_file: /root/.ssh/schildergenerator
+    version: HEAD
   notify:
     - restart uwsgi for schilder
   tags:
-    - git
     - schildergenerator
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: schilder.service
-    dest: "/etc/systemd/system/{{schilder_name}}.service"
+    src: schilder.service.j2
+    dest: "/etc/systemd/system/{{ schilder_name }}.service"
     owner: root
     group: root
     mode: 0644
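Review bot: With `become_user: "{{ schilder_user }}"` removed from the pip task (and from the templates checkout), the install presumably runs as the play's connecting user, which looks like root given that the deploy key is placed under /root/.ssh. The build scripts of every package in requirements.txt would then execute with root privileges, where previously they were confined to the service account. I would keep the pip step unprivileged, e.g. restore `become: yes` and `become_user: "{{ schilder_user }}"` on it after giving that user ownership of the virtualenv directory, or run it under a dedicated deploy account. The pip tasks in protokollsystem/tasks/main.yml and sso/tasks/main.yml lost the same two lines. The unit-file task at the end of the hunk continues outside it.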
@@ -136,15 +122,16 @@
     - reload systemd service files
     - restart uwsgi for schilder
   tags:
-    - config
-    - systemd
     - schildergenerator
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure the service is enabled
-  service: name="{{schilder_name}}.service" enabled=yes
+  service:
+    name: "{{ schilder_name }}"
+    enabled: yes
+    state: started
   tags:
-    - config
-    - systemd
     - schildergenerator
+    - webservices
diff --git a/schildergenerator/templates/config b/schildergenerator/templates/config
deleted file mode 100644
index ad5d5ca1a16dc7d2c6e2accf41ff16173e566564..0000000000000000000000000000000000000000
--- a/schildergenerator/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{schilder_web_root}}/.ssh/deploy-key
diff --git a/schildergenerator/templates/config.py b/schildergenerator/templates/config.py.j2
similarity index 87%
rename from schildergenerator/templates/config.py
rename to schildergenerator/templates/config.py.j2
index a237a96312123f0511512fa1104beccf6a9c0b6a..956b84cd52bc1aeaaf6cf837e21881ea12e6c342 100644
--- a/schildergenerator/templates/config.py
+++ b/schildergenerator/templates/config.py.j2
@@ -3,12 +3,12 @@
 # Secret key (used for session cookie encryption). Needs to be set to some random string.
 # Yes, just smash your keyboard for some random characters. No, don't publish them anywhere.
 # Yes, you will need this. If you get random RuntimeErrors, you did not set this.
-app_secret = '{{range(10**15, 10**16)|random}}'
+app_secret = '{{ range(10**15, 10**16)|random }}'
 
 ## You will need to use absolute paths!
 
 # Base directory. You need to set this again in schilder.wsgi if you use WSGI.
-basedir = '{{schilder_web_root}}/program'
+basedir = '{{ schilder_web_root }}'
 
 # Temp directory for imagemagick/pdflatex work files (needs to be writeable)
 tmpdir = '/tmp'
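Review bot: `app_secret = '{{ range(10**15, 10**16)|random }}'` is re-evaluated on every template run, so each play writes a new session secret, invalidating sessions and always triggering the restart handler. The value is also only a 16-digit number from Jinja's non-cryptographic `random` filter, and the task that installs this file uses mode 0644. I would take the secret from a persisted, generated value instead, e.g. `app_secret = '{{ lookup("password", "<credentials-path>/schilder_app_secret length=64") }}'` (the path is a placeholder). config.py should then be installed with `mode: 0640`, as the protokollsystem role does.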
@@ -22,7 +22,7 @@ datadir = basedir + '/data'
 templatedir = basedir + '/templates'
 
 # TeX template directory
-textemplatedir = '{{schilder_web_root}}/tex'
+textemplatedir = '{{ schilder_web_root }}/tex'
 
 # TeX support file directory (all files that might be needed by a tex template)
 texsupportdir = textemplatedir + '/support'
@@ -48,15 +48,15 @@ allowed_extensions = set(['png', 'jpg', 'jpeg', 'gif', 'svg'])
 # CUPS printer names
 printers = { 
   {% for printer in schilder_printers %}
-    '{{printer.description}}': '{{printer.name}}',
+    '{{ printer.description }}': '{{ printer.name }}',
   {% endfor %}
 }
-printserver = '{{schilder_printsrv}}'
+printserver = '{{ schilder_printsrv }}'
 
 # additional lpr options. Use an empty list if not needed.
 lproptions = [
 {% for option in schilder_lproptions %}
-    '{{option}}',
+    '{{ option }}',
 {% endfor %}
 ]
 
diff --git a/schildergenerator/templates/schilder.service b/schildergenerator/templates/schilder.service.j2
similarity index 55%
rename from schildergenerator/templates/schilder.service
rename to schildergenerator/templates/schilder.service.j2
index 7921cb7a5d4baa7a96052ff96306f3e06e46b1e2..fdd6e0a06f0e831d4ca366e223bb0973ecd8c35e 100644
--- a/schildergenerator/templates/schilder.service
+++ b/schildergenerator/templates/schilder.service.j2
@@ -1,9 +1,9 @@
 [Unit]
-Description=Protokollsystem
+Description={{ schilder_name }}
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{schilder_name}}.ini
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{ schilder_name }}.ini
 Restart=always
 KillSignal=SIGQUIT
 Type=notify
diff --git a/sso/defaults/main.yml b/sso/defaults/main.yml
index 1b4f14611b15f039b6eb26fde6014439383aa52c..4942386699f69c658ea627fddb28690a86a48978 100644
--- a/sso/defaults/main.yml
+++ b/sso/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/sso/defaults/main.yml
+# file: sso/defaults/main.yml
 
 program_name: sso
 program_user: sso
@@ -13,4 +13,6 @@ sso_auth_group_dn: "dc=fsmpi,dc=rwth-aachen,dc=de"
 sso_auth_ca_cert: /etc/ssl/certs/rwth_chain.pem
 sso_auth_domain: FSMPI
 
-sso_domain: "{{domain}}"
+sso_domain: "{{ domain }}"
+
+program_dir: "{{web_root}}/{{program_name}}/program"
diff --git a/sso/handlers/main.yml b/sso/handlers/main.yml
index a3d40451721753725ef0ab2c0aef36a3f569cb27..e1ae721b5051f231f71e53bc18f107c438dd6d4b 100644
--- a/sso/handlers/main.yml
+++ b/sso/handlers/main.yml
@@ -1,8 +1,10 @@
 ---
-# file: roles/sso/handlers/main.yml
+# file: sso/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart program
-  service: name="{{program_name}}" state=restarted enabled=yes
+  service:
+    name: "{{ program_name }}"
+    state: restarted
diff --git a/sso/meta/main.yml b/sso/meta/main.yml
index 57ffb924047dc675c356eca7ab44af62134a4bf9..7c7a58297721b24cf275b4110bf03311595d64e5 100644
--- a/sso/meta/main.yml
+++ b/sso/meta/main.yml
@@ -1,7 +1,5 @@
 ---
-# file: roles/sso/meta/main.yml
+# file: sso/meta/main.yml
 
 dependencies:
-  - { role: webserver, tags: ["sso"] }
-  - { role: git-deployed, tags: ["sso"] }
   - { role: uwsgi-python, uwsgi_name: "{{program_name}}", uwsgi_user: "{{program_user}}", uwsgi_group: "{{program_group}}", uwsgi_path: "{{web_root}}/{{program_name}}/program", uwsgi_home: "{{web_root}}/{{program_name}}", uwsgi_program: "sso.py", uwsgi_callable: "app", uwsgi_command: "runserver", tags: ["sso"] }
diff --git a/sso/tasks/main.yml b/sso/tasks/main.yml
index 86c2e142b25034561f277b77ffcdd06e4dc57c72..1498efd0a554a62b46f5e2e863b5d2a6a72b9718 100644
--- a/sso/tasks/main.yml
+++ b/sso/tasks/main.yml
@@ -1,66 +1,93 @@
 ---
-# file: role/sso/tasks/main.yml
+# file: sso/tasks/main.yml
 
-- set_fact:
-    program_dir: "{{web_root}}/{{program_name}}/program"
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ sso_deploy_key }}"
+    dest: /root/.ssh/sso
+    owner: root
+    group: root
+    mode: 0600
+  tags:
+    - sso
+    - webservices
+
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
+  tags:
+    - sso
+    - webservices
+
+- name: ensure the git is at the current revision
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:infra/sso.git
+    dest: "{{ program_dir }}"
+    key_file: /root/.ssh/sso
+    version: HEAD
+  notify:
+    - restart program
+  tags:
+    - sso
+    - webservices
+
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
+  tags:
+    - sso
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{program_dir}}/requirements.txt"
-    virtualenv: "{{program_dir}}"
+    requirements: "{{ program_dir }}/requirements.txt"
+    virtualenv: "{{ program_dir }}"
     virtualenv_python: python3
-  become: yes
-  become_user: "{{program_user}}"
   notify:
     - restart program
   tags:
-    - pip
-    - python
     - sso
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: config.py
-    dest: "{{program_dir}}/config.py"
-    owner: "{{program_user}}"
-    group: "{{program_group}}"
+    src: config.py.j2
+    dest: "{{ program_dir }}/config.py"
+    owner: "{{ program_user }}"
+    group: "{{ program_group }}"
     mode: 0644
   notify:
     - restart program
   tags:
-   - config
-   - python
-   - sso
+    - sso
+    - webservices
 
 - name: ensure we have our secret config
   template:
     src: secret_config.py
-    dest: "{{program_dir}}/secret_config.py"
-    owner: "{{program_user}}"
-    group: "{{program_group}}"
+    dest: "{{ program_dir }}/secret_config.py"
+    owner: "{{ program_user }}"
+    group: "{{ program_group }}"
     mode: 0600
     force: no
   notify:
     - restart program
   tags:
-   - config
-   - python
-   - sso
+    - sso
+    - webservices
 
 - name: ensure git ignores our secret config
   lineinfile:
-    dest: "{{program_dir}}/.git/info/exclude"
+    dest: "{{ program_dir }}/.git/info/exclude"
     line: "secret_config.py"
     state: present
   tags:
-    - config
-    - git
     - sso
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: sso.service
-    dest: "/etc/systemd/system/{{program_name}}.service"
+    src: sso.service.j2
+    dest: "/etc/systemd/system/{{ program_name }}.service"
     owner: root
     group: root
     mode: 0644
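Review bot: The task "ensure we have our secret config" still uses `src: secret_config.py`, but this commit deletes sso/templates/secret_config.py and no replacement is visible in this part of the diff. Existing hosts are masked by `force: no`, but on a fresh host the template task would presumably fail to find its source, leaving the SSO service without a secret key file. Either keep a template (renamed to `secret_config.py.j2` like the others, with `src:` updated) or drop the task and document how the file is provisioned. If it is reinstated, I would feed the key from a vaulted variable, e.g. `secret_key = '{{ sso_secret_key }}'` (variable name is a placeholder), rather than from Jinja's `random` filter. The unit-file task at the end of the hunk continues outside it.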
@@ -68,15 +95,16 @@
     - reload systemd service files
     - restart program
   tags:
-    - config
-    - systemd
     - sso
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure the service is enabled
-  service: name="{{program_name}}" enabled=yes
+  service:
+    name: "{{program_name}}"
+    enabled: yes
+    state: started
   tags:
-    - config
-    - systemd
     - sso
+    - webservices
diff --git a/sso/templates/config.py b/sso/templates/config.py.j2
similarity index 54%
rename from sso/templates/config.py
rename to sso/templates/config.py.j2
index 2b62397996e07c22987ede7087cd95c77901da7d..c9988a6fecbddaf057c8328819932318c165cf9b 100644
--- a/sso/templates/config.py
+++ b/sso/templates/config.py.j2
@@ -4,19 +4,19 @@ from auth import LdapManager, ADManager
 
 {% if sso_auth_use_ad %}
 AUTH_MANAGER = ADManager(
-    host="{{sso_auth_host}}",
-    domain="{{sso_auth_domain}}",
-    user_dn="{{sso_auth_user_dn}}",
-    group_dn="{{sso_auth_group_dn}}",
-    ca_cert="{{sso_auth_ca_cert}}")
+    host="{{ sso_auth_host }}",
+    domain="{{ sso_auth_domain }}",
+    user_dn="{{ sso_auth_user_dn }}",
+    group_dn="{{ sso_auth_group_dn }}",
+    ca_cert="{{ sso_auth_ca_cert }}")
 {% else %}
 AUTH_MANAGER = LdapManager(
-    host="{{sso_auth_host}}",
-    user_dn="{{sso_auth_user_dn}}",
-    group_dn="{{sso_auth_group_dn}}")
+    host="{{ sso_auth_host }}",
+    user_dn="{{ sso_auth_user_dn }}",
+    group_dn="{{ sso_auth_group_dn }}")
 {% endif %}
 
-SESSION_COOKIE_DOMAIN = "{{sso_domain}}"
+SESSION_COOKIE_DOMAIN = "{{ sso_domain }}"
 SESSION_COOKIE_NAME = "SSO-{}-SESSION".format(SESSION_COOKIE_DOMAIN.split(".")[0].upper())
 SESSION_COOKIE_HTTPONLY = True
 SESSION_REFRESH_EACH_REQUEST = True
diff --git a/sso/templates/secret_config.py b/sso/templates/secret_config.py
deleted file mode 100644
index 23fb517f5f040fad4aa5ba058966d3c92048f760..0000000000000000000000000000000000000000
--- a/sso/templates/secret_config.py
+++ /dev/null
@@ -1 +0,0 @@
-secret_key = '{{(2**2048)|random}}'
diff --git a/sso/templates/secret_config.py.j2 b/sso/templates/secret_config.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4fe5c96549857b61df5312e62a3283976da32ff7
--- /dev/null
+++ b/sso/templates/secret_config.py.j2
@@ -0,0 +1 @@
+secret_key = '{{ (2**2048)|random }}'
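Review bot: The task that renders this template still reads `src: secret_config.py` (an unchanged context line in the sso/tasks/main.yml hunk), but this commit deletes that file and adds `secret_config.py.j2` in its place, so the task would presumably fail to find its source. The task line should become `src: secret_config.py.j2`, matching the other renamed templates in the role. A comment above that task noting that `force: no` is what keeps the generated key stable between runs would also help.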
diff --git a/sso/templates/sso.service b/sso/templates/sso.service.j2
similarity index 67%
rename from sso/templates/sso.service
rename to sso/templates/sso.service.j2
index 439baef3d2a2cfe546197c8fc389866e53206fdb..a727ea3dce4ce8912283a67663e4250910e9bd42 100644
--- a/sso/templates/sso.service
+++ b/sso/templates/sso.service.j2
@@ -3,7 +3,7 @@ Description=Single sign-on
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{program_name}}.ini
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{ program_name }}.ini
 Restart=always
 KillSignal=SIGTERM
 Type=notify
diff --git a/uwsgi-php/meta/main.yml b/uwsgi-php/meta/main.yml
index 8a60ee77f32aa542f09e0d29224c262ec96e45ce..a378589dd46dd52ad42ab0ca36c2903a20d19441 100644
--- a/uwsgi-php/meta/main.yml
+++ b/uwsgi-php/meta/main.yml
@@ -1,4 +1,4 @@
 ---
-# file: roles/uwsgi-php/meta/main.yml
+# file: uwsgi-php/meta/main.yml
 dependencies:
   - { role: uwsgi }
diff --git a/uwsgi-php/tasks/main.yml b/uwsgi-php/tasks/main.yml
index a6e06db7f60e51e4d3a07b372233fb89c740153b..bfd49cdf871751675cf9f9aee50d5a53cd87582d 100644
--- a/uwsgi-php/tasks/main.yml
+++ b/uwsgi-php/tasks/main.yml
@@ -1,12 +1,14 @@
 ---
-# file: roles/uwsgi-php/tasks/main.yml
+# file: uwsgi-php/tasks/main.yml
 
 - name: ensure packages for uwsgi-php are installed
-  apt: name={{ item }} state=latest
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - php5
     - php5-curl
     - uwsgi-plugin-php
   tags:
     - uwsgi
-    - packages
+    - webservices
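Review bot: Moving these packages from `state=latest` to `state: installed` means the play no longer upgrades php5, php5-curl and uwsgi-plugin-php, so their security updates now depend on some other mechanism (unattended upgrades or a separate play) that is not visible in this commit. `installed` is also an older alias of `present` in the apt module, and other roles in this commit already write `state: present`; using that here keeps the tasks consistent. The same `state: installed` appears in uwsgi-python/tasks/main.yml, mysql.yml, sqlite.yml and uwsgi/tasks/main.yml.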
diff --git a/uwsgi-python/defaults/main.yml b/uwsgi-python/defaults/main.yml
index 4165f0800b6338cce68c0b84f6b9997dee8ac47c..7df95ee169845893eaa2cae784a7d381a978fd0a 100644
--- a/uwsgi-python/defaults/main.yml
+++ b/uwsgi-python/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# files: roles/uwsgi-python/defaults/main.yml
+# files: uwsgi-python/defaults/main.yml
 
 uwsgi_name: uwsgi
 uwsgi_user: uwsgi
diff --git a/uwsgi-python/handlers/main.yml b/uwsgi-python/handlers/main.yml
index 50114394bad956804d4748192bcf1136d60cb1ea..c28bb7dd9f2d88756bf3f99a344f849d9946a905 100644
--- a/uwsgi-python/handlers/main.yml
+++ b/uwsgi-python/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/uwsgi-python/handlers/main.yml
+# file: uwsgi-python/handlers/main.yml
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/uwsgi-python/meta/main.yml b/uwsgi-python/meta/main.yml
index f6ade0b85330e157e139c8a5a20fa4a8ed350d94..97abf43d219480c45fd9c13a3d68585dadacb4a3 100644
--- a/uwsgi-python/meta/main.yml
+++ b/uwsgi-python/meta/main.yml
@@ -1,4 +1,4 @@
 ---
-# file: roles/uwsgi-python/meta/main.yml
+# file: uwsgi-python/meta/main.yml
 dependencies:
   - { role: uwsgi }
diff --git a/uwsgi-python/tasks/main.yml b/uwsgi-python/tasks/main.yml
index 82c72a6ceddffb9bd13336333796b19f17a01284..a6c9a0819bbdcc7306cf866c0ce15a2538e5cb72 100644
--- a/uwsgi-python/tasks/main.yml
+++ b/uwsgi-python/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
-# file: roles/uwsgi-python/tasks/main.yml
+# file: uwsgi-python/tasks/main.yml
 
 - name: ensure we have python 2
-  apt: name="{{item}}"
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - python
     - python-dev
@@ -11,11 +13,13 @@
     - virtualenv
   when: uwsgi_python == 2
   tags:
-    - packages
     - uwsgi-python
+    - webservices
 
 - name: ensure we have python 3
-  apt: name="{{item}}"
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - python3
     - python3-dev
@@ -24,165 +28,72 @@
     - virtualenv
   when: uwsgi_python == 3
   tags:
-    - packages
     - uwsgi-python
+    - webservices
 
 - name: ensure we have the necessary libraries for ldap
-  apt: name="{{item}}"
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - libsasl2-dev
     - libssl-dev
     - libldap2-dev
   tags:
-    - packages
     - uwsgi-python
-    - ldap
+    - webservices
 
-- name: ensure we have sqlite installed
-  apt: name="{{item}}"
-  with_items:
-    - sqlite3
+- include: sqlite.yml
   when: uwsgi_db == "sqlite"
-  tags:
-    - packages
-    - uwsgi-python
-    - sqlite
 
-- name: ensure we have python mysql packages
-  apt: name="{{item}}"
-  with_items:
-    - python-mysqldb
-    - python3-mysqldb
-    - default-libmysqlclient-dev
+- include: mysql.yml
   when: uwsgi_db == "mysql"
-  tags:
-    - packages
-    - uwsgi-python
-    - mysql
 
-- name: "get database password for mysql"
-  local_action: pass name="db/{{ansible_hostname}}-mysql" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  register: mysql_password
-  when: uwsgi_db == "mysql"
-  no_log: True
-  tags:
-    - config
-    - uwsgi-python
-    - mysql
-    - password
-
-- name: "ensure the mysql database exists"
-  mysql_db:
-    name: "{{uwsgi_name}}"
-    state: present
-    login_user: root
-    login_password: "{{mysql_password.password}}"
-  when: uwsgi_db == "mysql"
-  no_log: True
-  tags:
-    - config
-    - mysql
-    - uwsgi-python
-
-- name: "ensure we have a user password for mysql"
-  local_action: pass name="db/{{ansible_hostname}}-mysql-{{uwsgi_user}}" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  register: mysql_user_password
-  when: uwsgi_db == "mysql"
-  no_log: True
-  tags:
-    - config
-    - uwsgi-python
-    - mysql
-    - password
-
-- name: ensure the database user for mysql exists
-  mysql_user:
-    name: "{{uwsgi_user}}"
-    password: "{{mysql_user_password.password}}"
-    state: present
-    login_user: root
-    login_password: "{{mysql_password.password}}"
-    priv: "{{uwsgi_name}}.*:ALL"
-  when: uwsgi_db == "mysql"
-  no_log: True
-  tags:
-    - config
-    - mysql
-    - uwsgi-python
-
-- name: ensure we have a postgres database user
-  postgresql_user:
-    name: "{{uwsgi_user}}"
-    state: present
-  become: yes
-  become_user: postgres
-  when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi-python
-
-- name: ensure we have a postgres database
-  postgresql_db:
-    name: "{{uwsgi_name}}"
-    owner: "{{uwsgi_user}}"
-    state: present
-  become: yes
-  become_user: postgres
-  when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi-python
-
-- name: ensure the database user has privileges
-  postgresql_privs:
-    database: "{{uwsgi_name}}"
-    roles: "{{uwsgi_user}}"
-    privs: ALL
-    state: present
-    type: database
-  become: yes
-  become_user: postgres
+- include: postgres.yml
   when: uwsgi_db == "postgres"
-  tags:
-    - postgresql
-    - config
-    - uwsgi_python
 
 - name: ensure we have a group
-  group: name="{{uwsgi_group}}" system=yes state=present
+  group:
+    name: "{{ uwsgi_group }}"
+    system: yes
+    state: present
   tags:
-    - group
-    - config
     - uwsgi-python
+    - webservices
 
 - name: ensure we have a user
-  user: name="{{uwsgi_user}}" group="{{uwsgi_group}}" system=yes home="{{uwsgi_home}}" shell=/usr/bin/nologin createhome=no state=present
+  user:
+    name: "{{ uwsgi_user }}"
+    group: "{{ uwsgi_group }}"
+    system: yes
+    home: "{{ uwsgi_home }}"
+    shell: /usr/bin/nologin
+    createhome: no
+    state: present
   tags:
-    - user
-    - config
     - uwsgi-python
+    - webservices
 
 - name: ensure a temporary directory exists
-  lineinfile:
+  templates:
+    src: tmpfiles.conf.j2
     dest: "/etc/tmpfiles.d/10-{{uwsgi_name}}.conf"
-    line: "d /run/uwsgi/app/{{uwsgi_name}} 0775 {{uwsgi_user}} {{uwsgi_group}} - -"
-    create: yes
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - create tmpfiles
   tags:
-    - config
     - uwsgi-python
+    - webservices
 
 - name: ensure we have our uwsgi config file
   template:
-    src: uwsgi.ini
-    dest: "/etc/uwsgi/apps-available/{{uwsgi_name}}.ini"
+    src: uwsgi.ini.j2
+    dest: "/etc/uwsgi/apps-available/{{ uwsgi_name }}.ini"
     owner: root
     group: root
     mode: 0644
   tags:
-    - config
-    - uwsgi
     - uwsgi-python
+    - webservices
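Review bot: The rewritten task "ensure a temporary directory exists" calls `templates:`, while every other task in this commit uses the module name `template:`; as written Ansible would presumably reject the task as having no valid action, and the per-application /run/uwsgi/app directory would never be declared. The line should read `template:`. The `dest` of the same task kept the unspaced `{{uwsgi_name}}`, which is harmless but inconsistent with the rest of the hunk.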
diff --git a/uwsgi-python/tasks/mysql.yml b/uwsgi-python/tasks/mysql.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0a676c28bdabb141af1365b083b0e32f588ec0df
--- /dev/null
+++ b/uwsgi-python/tasks/mysql.yml
@@ -0,0 +1,38 @@
+---
+# file: uwsgi-python/tasks/mysql.yml
+
+- name: ensure we have python mysql packages
+  apt:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - python-mysqldb
+    - python3-mysqldb
+    - default-libmysqlclient-dev
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the mysql database exists
+  mysql_db:
+    name: "{{ uwsgi_name }}"
+    state: present
+    login_user: root
+    login_password: "{{db/{{ansible_hostname}}-mysql}}"
+  no_log: True
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the database user for mysql exists
+  mysql_user:
+    name: "{{uwsgi_user}}"
+    password: "{{db/{{ansible_hostname}}-mysql-{{uwsgi_user}}}}"
+    state: present
+    login_user: root
+    login_password: "{{}}"
+    priv: "{{uwsgi_name}}.*:ALL"
+  no_log: True
+  tags:
+    - uwsgi-python
+    - webservices
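Review bot: The three password fields in this new file are not valid Jinja: `"{{db/{{ansible_hostname}}-mysql}}"` and `"{{db/{{ansible_hostname}}-mysql-{{uwsgi_user}}}}"` nest an expression inside an expression, and `login_password: "{{}}"` is an empty one, so both database tasks would fail at templating. They look like password-store paths left over from the removed `pass` tasks, which registered `mysql_password` and `mysql_user_password`; nothing in this file sets those any more. Either keep the lookup-and-register tasks ahead of these two, or resolve the entry with a lookup, for example `login_password: "{{ lookup('passwordstore', 'db/' ~ ansible_hostname ~ '-mysql') }}"` (assuming the store is reachable from the controller). With `no_log: True` on both tasks the error output is hidden, so the failure would be hard to diagnose.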
diff --git a/uwsgi-python/tasks/postgres.yml b/uwsgi-python/tasks/postgres.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5b0a5b5b8f7535f2f02ce5ce9f77d7dfe03f4d18
--- /dev/null
+++ b/uwsgi-python/tasks/postgres.yml
@@ -0,0 +1,36 @@
+---
+# file: uwsgi-python/tasks/postgres.yml
+
+- name: ensure we have a postgres database user
+  postgresql_user:
+    name: "{{ uwsgi_user }}"
+    state: present
+  become: yes
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure we have a postgres database
+  postgresql_db:
+    name: "{{ uwsgi_name }}"
+    owner: "{{ uwsgi_user }}"
+    state: present
+  become: yes
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
+
+- name: ensure the database user has privileges
+  postgresql_privs:
+    database: "{{ uwsgi_name }}"
+    roles: "{{ uwsgi_user }}"
+    privs: ALL
+    state: present
+    type: database
+  become: yes
+  become_user: postgres
+  tags:
+    - uwsgi-python
+    - webservices
diff --git a/uwsgi-python/tasks/sqlite.yml b/uwsgi-python/tasks/sqlite.yml
new file mode 100644
index 0000000000000000000000000000000000000000..491657d734cb09b0b979c85c56ea00f7d09775c2
--- /dev/null
+++ b/uwsgi-python/tasks/sqlite.yml
@@ -0,0 +1,11 @@
+---
+# file: uwsgi-python/tasks/sqlite.yml
+
+- name: ensure we have sqlite installed
+  apt:
+    name: sqlite3
+    state: installed
+  tags:
+    - uwsgi-python
+    - webservices
+
diff --git a/uwsgi-python/templates/tmpfiles.conf.j2 b/uwsgi-python/templates/tmpfiles.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4dba06e9a3e556ed71bf92bee0797c52c9b521af
--- /dev/null
+++ b/uwsgi-python/templates/tmpfiles.conf.j2
@@ -0,0 +1 @@
+d /run/uwsgi/app/{{uwsgi_name}} 0775 {{uwsgi_user}} {{uwsgi_group}} - -
diff --git a/uwsgi-python/templates/uwsgi.ini b/uwsgi-python/templates/uwsgi.ini.j2
similarity index 100%
rename from uwsgi-python/templates/uwsgi.ini
rename to uwsgi-python/templates/uwsgi.ini.j2
diff --git a/uwsgi/files/tmpfiles.conf b/uwsgi/files/tmpfiles.conf
new file mode 100644
index 0000000000000000000000000000000000000000..50b2862b7b5bfbdf7fafd0f4e6a54f0280e8c743
--- /dev/null
+++ b/uwsgi/files/tmpfiles.conf
@@ -0,0 +1,2 @@
+d /run/uwsgi 0755 root root - -
+d /run/uwsgi/app 0755 root root - -
diff --git a/uwsgi/handlers/main.yml b/uwsgi/handlers/main.yml
index 97bfdde069bd77167e985951ac73e7ba03ea7819..66f7827fa119ae9bea42ffacb3eaca529fbef45e 100644
--- a/uwsgi/handlers/main.yml
+++ b/uwsgi/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/uwsgi/handlers/main.yml
+# file: uwsgi/handlers/main.yml
 
 - name: create tmpfiles
   shell: systemd-tmpfiles --create
diff --git a/uwsgi/tasks/main.yml b/uwsgi/tasks/main.yml
index 2a22fca04b453319eccf4efd19a2031e30270f70..d8ffa47e659449ce5439b991d94bfd8aa5e794a1 100644
--- a/uwsgi/tasks/main.yml
+++ b/uwsgi/tasks/main.yml
@@ -1,24 +1,24 @@
 ---
-# file: roles/uwsgi/tasks/main.yml
+# file: uwsgi/tasks/main.yml
 
 - name: ensure uwsgi is installed
-  apt: name=uwsgi state=latest
+  apt:
+    name: uwsgi
+    state: installed
   tags:
     - uwsgi
-    - packages
+    - webservices
 
 - name: ensure a temporary directory exists
-  lineinfile: dest=/etc/tmpfiles.d/10-uwsgi.conf line="d /run/uwsgi 0755 root root - -" create=yes
+  copy:
+    src: tmpfiles.conf
+    dest: /etc/tmpfiles.d/10-uwsgi.conf
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - create tmpfiles
   tags:
     - uwsgi
-    - tmpdirs
+    - webservices
 
-- name: ensure a temporary subdirectory exists
-  lineinfile: dest=/etc/tmpfiles.d/10-uwsgi.conf line="d /run/uwsgi/app 0755 root root - -" create=yes
-  notify:
-    - create tmpfiles
-  tags:
-    - uwsgi
-    - tmpdirs
diff --git a/wahlhelfer/defaults/main.yml b/wahlhelfer/defaults/main.yml
index c62e365812ee0ce3cce44abd38555d93a9a120d0..8072db039a723494ee7441665fa81e27029b8010 100644
--- a/wahlhelfer/defaults/main.yml
+++ b/wahlhelfer/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
-# file: roles/wahlhelfer/defaults/main.yml
+# file: wahlhelfer/defaults/main.yml
 
-wahlhelfer_web_root: /var/www/wahlhelfer
+wahlhelfer_web_root: /var/www/wahlhelfer/program
 wahlhelfer_name: wahlhelfer
 wahlhelfer_user: wahlhelfer
 wahlhelfer_group: wahlhelfer
@@ -9,3 +9,5 @@ wahlhelfer_admins: [["Robin Sonnabend", "robin@fsmpi.rwth-aachen.de"]]
 wahlhelfer_sender: wahlhelfer@fsmpi.rwth-aachen.de
 wahlhelfer_mail_host: mail.fsmpi.rwth-aachen.de
 wahlhelfer_allowed_hosts: ["wahlhelfer.stud.rwth-aachen.de"]
+
+wahlhelfer_ldap_cert: /etc/ssl/certs/rwth_chain.pem
diff --git a/wahlhelfer/handlers/main.yml b/wahlhelfer/handlers/main.yml
index 31d4abeea89c68f292e28d86b3782f8dccf096bf..47338d1870dc30cdd4422dc947f39d89795eb922 100644
--- a/wahlhelfer/handlers/main.yml
+++ b/wahlhelfer/handlers/main.yml
@@ -1,13 +1,13 @@
 ---
-# file: roles/wahlhelfer/handlers/main.yml
+# file: wahlhelfer/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart uwsgi for wahlhelfer
-  service: name="{{item}}" state=restarted enabled=yes
-  with_items:
-    - "{{wahlhelfer_name}}"
+  service:
+    name: "{{ wahlhelfer_name }}"
+    state: restarted
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/wahlhelfer/meta/main.yml b/wahlhelfer/meta/main.yml
index a6bc815a8228932d814b35e7dcf1d7d49dbe36e2..93f17bf5fd4868a47b3e05a2ce222ccf1eb1ff36 100644
--- a/wahlhelfer/meta/main.yml
+++ b/wahlhelfer/meta/main.yml
@@ -1,6 +1,4 @@
 ---
-# file:roles/wahlhelfer/meta/main.yml
+# file: wahlhelfer/meta/main.yml
 dependencies:
-  - { role: webserver }
-  - { role: mysql }
   - { role: uwsgi-python, uwsgi_name: "{{wahlhelfer_name}}", uwsgi_user: "{{wahlhelfer_user}}", uwsgi_group: "{{wahlhelfer_group}}", uwsgi_path: "{{wahlhelfer_web_root}}/program", uwsgi_home: "{{wahlhelfer_web_root}}", uwsgi_program: "main/wsgi.py", uwsgi_callable: "application", uwsgi_command: "runserver", uwsgi_db: "mysql", uwsgi_python: 3 }
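Review bot: The dependency line still appends `/program` to `wahlhelfer_web_root`, while this commit changes that default to `/var/www/wahlhelfer/program` and clones the repository directly into it, so `uwsgi_path` would resolve to `/var/www/wahlhelfer/program/program`. It should probably become `uwsgi_path: "{{ wahlhelfer_web_root }}"`, with `uwsgi_home` reviewed at the same time since it now points at the checkout itself. wahlsystem/meta/main.yml has the same leftover for `wahl_web_root`. Dropping the `mysql` role dependency while still passing `uwsgi_db: "mysql"` also assumes the database server is installed by some other play.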
diff --git a/wahlhelfer/tasks/main.yml b/wahlhelfer/tasks/main.yml
index 538ffe86b14653def216163a4033036b9d7895b0..d264492e6200ea33710076a1f19b0669890ce466 100644
--- a/wahlhelfer/tasks/main.yml
+++ b/wahlhelfer/tasks/main.yml
@@ -1,89 +1,84 @@
 ---
-# file: roles/wahlhelfer/tasks/main.yml
+# file: wahlhelfer/tasks/main.yml
 
-- name: ensure we have a folder for the program
-  file: path="{{wahlhelfer_web_root}}" state=directory owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0755
-  tags:
-    - directory
-    - wahlhelfer
-
-- name: ensure we have a .ssh directory
-  file: path="{{wahlhelfer_web_root}}/.ssh" state=directory owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0755
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ wahlhelfer_deploy_key }}"
+    dest: /root/.ssh/wahlhelfer
+    owner: root
+    group: root
+    mode: 0600
   tags:
-    - directory
     - wahlhelfer
+    - webservices
 
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{wahlhelfer_web_root}}/.ssh/" owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
   tags:
-    - ssh
     - wahlhelfer
+    - webservices
 
-- name: ensure we have our .ssh config
-  template: src=config dest="{{wahlhelfer_web_root}}/.ssh/config" owner="{{wahlhelfer_user}}" group="{{wahlhelfer_group}}" mode=0644
+- name: ensure the git is at the current revision
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:wahl/wahlhelfer.git
+    dest: "{{ wahlhelfer_web_root }}"
+    key_file: /root/.ssh/wahlhelfer
+    version: HEAD
+  notify:
+    - restart uwsgi for wahlhelfer
   tags:
-    - ssh
     - wahlhelfer
+    - webservices
 
-- name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:wahl/wahlhelfer.git dest="{{wahlhelfer_web_root}}/program"
-  become: yes
-  become_user: "{{wahlhelfer_user}}"
-  notify:
-    - restart uwsgi for wahlhelfer
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
   tags:
-    - git
     - wahlhelfer
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{wahlhelfer_web_root}}/program/requirements.txt"
-    virtualenv: "{{wahlhelfer_web_root}}/program"
+    requirements: "{{ wahlhelfer_web_root }}/requirements.txt"
+    virtualenv: "{{ wahlhelfer_web_root }}"
     virtualenv_python: python3
-  become: yes
-  become_user: "{{wahlhelfer_user}}"
   notify:
     - restart uwsgi for wahlhelfer
   tags:
-    - pip
-    - python
     - wahlhelfer
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: settings.py
-    dest: "{{wahlhelfer_web_root}}/program/main/settings.py"
-    owner: "{{wahlhelfer_user}}"
-    group: "{{wahlhelfer_group}}"
+    src: settings.py.j2
+    dest: "{{ wahlhelfer_web_root }}/main/settings.py"
+    owner: "{{ wahlhelfer_user }}"
+    group: "{{ wahlhelfer_group }}"
     mode: 0644
   notify:
     - restart uwsgi for wahlhelfer
   tags:
-    - config
-    - python
     - wahlhelfer
+    - webservices
 
 - name: ensure we have the linear solver
   copy:
-    src: "{{item}}"
-    dest: "{{wahlhelfer_web_root}}/program/zibopt/"
-    owner: "{{wahlhelfer_user}}"
-    group: "{{wahlhelfer_group}}"
+    src: "{{ item }}"
+    dest: "{{ wahlhelfer_web_root }}/zibopt/"
+    owner: "{{ wahlhelfer_user }}"
+    group: "{{ wahlhelfer_group }}"
     mode: 0755
   with_items:
     - scip
     - zimpl
   tags:
-    - packages
     - wahlhelfer
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: wahlhelfer.service
-    dest: "/etc/systemd/system/{{wahlhelfer_name}}.service"
+    src: wahlhelfer.service.j2
+    dest: "/etc/systemd/system/{{ wahlhelfer_name }}.service"
     owner: root
     group: root
     mode: 0644
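Review bot: `settings.py` is still rendered with `mode: 0644`, although its template (settings.py.j2 in this commit) contains the database password and `SECRET_KEY`, so every local account on the host can read them. The file is owned by the service user and group, so `mode: "0640"` would be enough for the application. The sso role in this commit already separates its secret into a file written with `mode: 0600`. The wahlsystem `config.py` task uses the same 0644; its template is not shown, but the new wahlsystem defaults suggest it carries secrets as well.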
@@ -91,17 +86,16 @@
     - reload systemd service files
     - restart uwsgi for wahlhelfer
   tags:
-    - config
-    - systemd
     - wahlhelfer
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
-  with_items:
-    - "{{wahlhelfer_name}}"
+  service:
+    name: "{{ wahlhelfer_name }}"
+    enabled: yes
+    state: started
   tags:
-    - config
-    - systemd
     - wahlhelfer
+    - webservices
diff --git a/wahlhelfer/templates/config b/wahlhelfer/templates/config
deleted file mode 100644
index a13911a644d24b598274220ba33dd4227ae2f1f8..0000000000000000000000000000000000000000
--- a/wahlhelfer/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{wahlhelfer_web_root}}/.ssh/deploy-key
diff --git a/wahlhelfer/templates/settings.py b/wahlhelfer/templates/settings.py.j2
similarity index 84%
rename from wahlhelfer/templates/settings.py
rename to wahlhelfer/templates/settings.py.j2
index 4bbd12cac44c4561ea19d024cca9a1b3d993b175..243d062c7e8a2169c37b3e21ac498fd5420ddc7c 100644
--- a/wahlhelfer/templates/settings.py
+++ b/wahlhelfer/templates/settings.py.j2
@@ -4,28 +4,27 @@ DEBUG = True
 
 ADMINS = (
     {% for name, address in wahlhelfer_admins %}
-    ('{{name}}', '{{address}}'),
+    ('{{ name }}', '{{ address }}'),
     {% endfor %}
 )
-
-SERVER_EMAIL = "{{wahlhelfer_sender}}"
-EMAIL_HOST = "{{wahlhelfer_mail_host}}"
-EMAIL_HOST_USER = "{{wahlhelfer_mail_user|default('')}}"
-EMAIL_HOST_PASSWORD = "{{wahlhelfer_mail_password|default('')}}"
-
 MANAGERS = ADMINS
 
+SERVER_EMAIL = "{{ wahlhelfer_sender }}"
+EMAIL_HOST = "{{ wahlhelfer_mail_host }}"
+EMAIL_HOST_USER = "{{ wahlhelfer_mail_user|default('') }}"
+EMAIL_HOST_PASSWORD = "{{ wahlhelfer_mail_password|default('') }}"
+
 LOGIN_URL = '/'
 LOGIN_REDIRECT_URL = '/'
 
 DATABASES = {
     'default': {
-        'ENGINE': 'django.db.backends.mysql', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
-        'NAME': '{{wahlhelfer_name}}',                      # Or path to database file if using sqlite3.
-        'USER': '{{wahlhelfer_user}}',                      # Not used with sqlite3.
-        'PASSWORD': '{{mysql_user_password.password}}',                  # Not used with sqlite3.
-        'HOST': '',                      # Set to empty string for localhost. Not used with sqlite3.
-        'PORT': '',                      # Set to empty string for default. Not used with sqlite3.
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': '{{ wahlhelfer_name }}',
+        'USER': '{{ wahlhelfer_user }}',
+        'PASSWORD': '{{ mysql_user_password.password }}',
+        'HOST': '',
+        'PORT': '',
     }
 }
 
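Review bot: `'PASSWORD': '{{ mysql_user_password.password }}'` depends on a variable that was registered by the "ensure we have a user password for mysql" task, and this commit removes that task from uwsgi-python/tasks/main.yml without an equivalent in the new mysql.yml, so rendering would presumably stop on an undefined variable. The template needs whatever source the database tasks end up using for that password. The hunk header also shows `DEBUG = True` directly above this block; on a deployed Django site that exposes settings and stack traces on error pages, and it should be `DEBUG = False`.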
@@ -33,7 +32,7 @@ DATABASES = {
 # See https://docs.djangoproject.com/en/1.4/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = [
 {% for host in wahlhelfer_allowed_hosts %}
-    "{{host}}"
+    "{{ host }}"
 {% endfor %}
 ]
 
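Review bot: The loop emits `"{{ host }}"` without a trailing comma, so with more than one entry in `wahlhelfer_allowed_hosts` Python would join the adjacent string literals into a single host name and Django would then reject requests for every real host. Writing the line as `"{{ host }}",` keeps the list correct for any number of entries. The default has exactly one host, which is presumably why this has not shown up.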
@@ -95,7 +94,7 @@ STATICFILES_FINDERS = (
 )
 
 # Make this unique, and don't share it with anybody.
-SECRET_KEY = '{{(2**2048)|random}}'
+SECRET_KEY = '{{ (2**2048)|random }}'
 
 TEMPLATES = [
     {
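Review bot: `SECRET_KEY = '{{ (2**2048)|random }}'` yields a new value every time the template is rendered, and the settings.py task has no `force: no`, so each play run would change the file, restart uwsgi and invalidate existing sessions and signed tokens. The sso role in this commit avoids this by keeping the key in a separate secret_config.py that is written once with `force: no` and `mode: 0600`. Doing the same here, or reading the key from a stored variable such as `SECRET_KEY = '{{ wahlhelfer_secret_key }}'` (hypothetical variable name), keeps it stable.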
diff --git a/wahlhelfer/templates/wahlhelfer.service b/wahlhelfer/templates/wahlhelfer.service
deleted file mode 100644
index a27cd0442e2777514d95ee1cb353fe654a3df184..0000000000000000000000000000000000000000
--- a/wahlhelfer/templates/wahlhelfer.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Wahlhelferorganisation
-After=network.target
-
-[Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-Environment=WAHLHELFER_WEB_ROOT={{wahlhelfer_web_root}}/program/
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{wahlhelfer_name}}.ini
-Restart=always
-KillSignal=SIGQUIT
-Type=notify
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
diff --git a/wahlhelfer/templates/wahlhelfer.service.j2 b/wahlhelfer/templates/wahlhelfer.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ea742dbed8d430d9d125985c0fa681b5c46245a3
--- /dev/null
+++ b/wahlhelfer/templates/wahlhelfer.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Wahlhelferorganisation
+After=network.target
+
+[Service]
+{% if wahlhelfer_ldap_cert %}
+Environment=LDAPTLS_CACERT={{ wahlhelfer_ldap_cert }}
+{% endif %}
+Environment=WAHLHELFER_WEB_ROOT={{wahlhelfer_web_root}}/
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{ wahlhelfer_name }}.ini
+Restart=always
+KillSignal=SIGQUIT
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
diff --git a/wahlsystem/defaults/main.yml b/wahlsystem/defaults/main.yml
index c3d626fb39a8666dd6d773bf1f31ec077e0828a9..9f7325682cb4ad931f55f101a42be90adb5c2594 100644
--- a/wahlsystem/defaults/main.yml
+++ b/wahlsystem/defaults/main.yml
@@ -1,8 +1,28 @@
 ---
-# file: roles/protokollsystem/defaults/main.yml
+# file: wahlsystem/defaults/main.yml
 
-wahl_web_root: /var/www/wahlsystem
+wahl_web_root: /var/www/wahlsystem/program
 wahl_name: wahlsystem
 wahl_user: wahl
 wahl_group: wahl
 wahl_celery_concurrency: 1
+wahl_ldap_cert: /etc/ssl/certs/rwth_chain.pem
+
+wahl_secret: '***REMOVED***'
+wahl_mail: True
+wahl_mail_from: 'wahl@fsmpi.rwth-aachen.de'
+wahl_mail_host: 'mail.fsmpi.rwth-aachen.de:25'
+wahl_mail_user: ''
+wahl_mail_password: ''
+wahl_mail_tls: False
+wahl_mail_prefix: 'Wahlsystem'
+wahl_celery_broker: 'redis://localhost:6379/0'
+wahl_server_name: 'wahl.stud.rwth-aachen.de'
+wahl_url_root: 'wahl.stud.rwth-aachen.de'
+wahl_url_proto: 'https'
+wahl_url_path: '/'
+wahl_mailman_api_url: 'https://lists.fsmpi.rwth-aachen.de/mailmanAPI'
+wahl_mailman_api_key: '***REMOVED***'
+wahl_mailman_default_newpw: 'LnbVEiblyk8qhzmvjJhS'
+wahl_mailman_host: 'lists.fsmpi.rwth-aachen.de'
+
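Review bot: `wahl_mailman_default_newpw` is committed here as a literal password, next to `wahl_secret` and `wahl_mailman_api_key`, whose values were evidently scrubbed to `***REMOVED***` afterwards. Role defaults are readable by anyone with access to the repository, so all three belong in Ansible Vault or the password store, referenced as for example `wahl_mailman_default_newpw: "{{ vault_wahl_mailman_default_newpw }}"` (placeholder variable name). The value that was committed should be treated as exposed and changed. A comment above `wahl_mail_tls: False` saying why mail to port 25 is sent without TLS would also help the next reader.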
diff --git a/wahlsystem/handlers/main.yml b/wahlsystem/handlers/main.yml
index 05605fd5dcc4e70d37c75b3f4aa257b285f07fe3..99db7419882837bc316f696f13b59b370fdc5b9f 100644
--- a/wahlsystem/handlers/main.yml
+++ b/wahlsystem/handlers/main.yml
@@ -1,14 +1,16 @@
 ---
-# file: roles/protokollsystem/handlers/main.yml
+# file: wahlsystem/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart uwsgi for wahlsystem
-  service: name="{{item}}" state=restarted enabled=yes
+  service:
+    name: "{{ item }}"
+    state: restarted
   with_items:
-    - "{{wahl_name}}"
-    - "{{wahl_name}}-celery"
+    - "{{ wahl_name }}"
+    - "{{ wahl_name }}-celery"
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/wahlsystem/meta/main.yml b/wahlsystem/meta/main.yml
index 775dd3a43578abb12025f375afb4ebca38557529..2a053bfa62096128bd41ac14e0cac65a7cac42ee 100644
--- a/wahlsystem/meta/main.yml
+++ b/wahlsystem/meta/main.yml
@@ -1,9 +1,6 @@
 ---
-# file:roles/protokollsystem/meta/main.yml
+# file: wahlsystem/meta/main.yml
 dependencies:
-  - { role: webserver }
-  - { role: redis-server }
-  - { role: postgres }
   - { role: texlive }
   - { role: cups-client }
   - { role: uwsgi-python, uwsgi_name: "{{wahl_name}}", uwsgi_user: "{{wahl_user}}", uwsgi_group: "{{wahl_group}}", uwsgi_path: "{{wahl_web_root}}/program", uwsgi_home: "{{wahl_web_root}}", uwsgi_program: "server.py", uwsgi_callable: "app", uwsgi_command: "runserver", uwsgi_db: "postgres", uwsgi_python: 3, uwsgi_mules: 0, uwsgi_harakiri: 30 }
diff --git a/wahlsystem/tasks/main.yml b/wahlsystem/tasks/main.yml
index f099e781447ed4eadd02e61ef2c1842e316f754c..fd2f27c8e8c594ad5fe38232a493d96b46862797 100644
--- a/wahlsystem/tasks/main.yml
+++ b/wahlsystem/tasks/main.yml
@@ -1,98 +1,93 @@
 ---
-# file: roles/wahlsystem/tasks/main.yml
+# file: wahlsystem/tasks/main.yml
 
-- name: ensure we have the fonts
-  apt: name="{{item}}" state=present
+- name: ensure we have the required software and fonts
+  apt:
+    name: "{{ item }}"
+    state: present
   with_items:
     - fontconfig
     - tex-gyre
+    - virtualenv
   tags:
-    - packages
     - wahlsystem
+    - webservices
 
-- name: ensure we have a folder for the program
-  file: path="{{wahl_web_root}}" state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  tags:
-    - directory
-    - wahlsystem
-
-- name: ensure we have a .ssh directory
-  file: path="{{wahl_web_root}}/.ssh" state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  tags:
-    - directory
-    - wahlsystem
-
-- name: ensure we have our deploy key
-  copy: src="{{item}}" dest="{{wahl_web_root}}/.ssh/" owner="{{wahl_user}}" group="{{wahl_group}}" mode=0600
-  with_items:
-    - deploy-key
-    - deploy-key.pub
+- name: ensure the deploy key is available
+  copy:
+    src: "{{ wahl_deploy_key }}"
+    dest: /root/.ssh/wahlsystem
+    owner: root
+    group: root
+    mode: 0600
   tags:
-    - ssh
     - wahlsystem
+    - webservices
 
-- name: ensure we have our .ssh config
-  template: src=config dest="{{wahl_web_root}}/.ssh/config" owner="{{wahl_user}}" group="{{wahl_group}}" mode=0644
+# https://github.com/ansible/ansible/issues/27699
+- name: ensure fucking git module is able to clone
+  command: mount -o remount,exec /tmp
   tags:
-    - ssh
     - wahlsystem
+    - webservices
 
-- name: ensure we have the program
-  git: repo=git@git.fsmpi.rwth-aachen.de:wahl/wahlsys.git dest="{{wahl_web_root}}/program"
-  become: yes
-  become_user: "{{wahl_user}}"
+- name: ensure the git is at the current revision
+  git:
+    repo: git@git.fsmpi.rwth-aachen.de:wahl/wahlsys.git
+    dest: "{{ wahl_web_root }}"
+    key_file: /root/.ssh/wahlsystem
+    version: HEAD
   notify:
     - restart uwsgi for wahlsystem
   tags:
-    - git
     - wahlsystem
+    - webservices
 
-- name: ensure we have virtualenv installed
-  apt: name=virtualenv state=present
+- name: ensure fucking git module is not able to clone anymore
+  command: mount -o remount,noexec /tmp
   tags:
-    - packages
     - wahlsystem
+    - webservices
 
 - name: ensure we have a virtualenv
   pip:
-    requirements: "{{wahl_web_root}}/program/requirements.txt"
-    virtualenv: "{{wahl_web_root}}/program"
+    requirements: "{{ wahl_web_root }}/requirements.txt"
+    virtualenv: "{{ wahl_web_root }}"
     virtualenv_python: python3
-  become: yes
-  become_user: "{{wahl_user}}"
   notify:
     - restart uwsgi for wahlsystem
   tags:
-    - pip
-    - python
     - wahlsystem
+    - webservices
 
-- name: ensure we have the necessary folders
-  file: name={{item}} state=directory owner="{{wahl_user}}" group="{{wahl_group}}" mode=0755
-  with_items:
-    - "{{wahl_web_root}}/program/blogfiles"
+- name: ensure we have the necessary folder
+  file:
+    name: "{{ wahl_web_root }}/blogfiles"
+    state: directory
+    owner: "{{ wahl_user }}"
+    group: "{{ wahl_group }}"
+    mode: 0755
   tags:
-    - directories
     - wahlsystem
+    - webservices
 
 - name: ensure we have our config
   template:
-    src: config.py
-    dest: "{{wahl_web_root}}/program/config.py"
-    owner: "{{wahl_user}}"
-    group: "{{wahl_group}}"
+    src: config.py.j2
+    dest: "{{ wahl_web_root }}/config.py"
+    owner: "{{ wahl_user }}"
+    group: "{{ wahl_group }}"
     mode: 0644
   notify:
     - restart uwsgi for wahlsystem
   tags:
-    - config
-    - python
     - wahlsystem
+    - webservices
 
 - name: ensure the unit file exists
   template:
-    src: wahlsystem.service
-    dest: "/etc/systemd/system/{{wahl_name}}.service"
+    src: wahlsystem.service.j2
+    dest: "/etc/systemd/system/{{ wahl_name }}.service"
     owner: root
     group: root
     mode: 0644
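Review bot: The `mount -o remount,exec /tmp` and `mount -o remount,noexec /tmp` tasks are plain siblings of the `git` task, so if the clone fails the play stops there and /tmp stays mounted exec on that host until someone notices. Wrapping the three tasks in a `block` with the noexec remount under `always` restores the hardening on every path. Both `command` tasks also report changed on each run, which `changed_when: false` would quiet. The same sequence is in wahlhelfer/tasks/main.yml and sso/tasks/main.yml.

```yaml
# https://github.com/ansible/ansible/issues/27699
- block:
    - name: ensure /tmp allows exec for the git module
      command: mount -o remount,exec /tmp
      changed_when: false

    - name: ensure the git is at the current revision
      git:
        # … unchanged: repo, dest, key_file, version …
      notify:
        - restart uwsgi for wahlsystem
  always:
    - name: ensure /tmp is noexec again
      command: mount -o remount,noexec /tmp
      changed_when: false
  tags:
    - wahlsystem
    - webservices
```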
@@ -100,14 +95,13 @@
     - reload systemd service files
     - restart uwsgi for wahlsystem
   tags:
-    - config
-    - systemd
     - wahlsystem
+    - webservices
 
 - name: ensure the celery unit file exists
   template:
-    src: celery.service
-    dest: "/etc/systemd/system/{{wahl_name}}-celery.service"
+    src: celery.service.j2
+    dest: "/etc/systemd/system/{{ wahl_name }}-celery.service"
     owner: root
     group: root
     mode: 0644
@@ -115,19 +109,19 @@
     - reload systemd service files
     - restart uwsgi for wahlsystem
   tags:
-    - config
-    - systemd
-    - celery
     - wahlsystem
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure the services are enabled
-  service: name="{{item}}" enabled=yes
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
   with_items:
-    - "{{wahl_name}}"
-    - "{{wahl_name}}-celery"
+    - "{{ wahl_name }}"
+    - "{{ wahl_name }}-celery"
   tags:
-    - config
-    - systemd
     - wahlsystem
+    - webservices
diff --git a/wahlsystem/templates/celery.service b/wahlsystem/templates/celery.service
deleted file mode 100644
index 0f46cf213b79e4d68845c85a79159d5e2c4592fd..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/celery.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Wahlsystem-Celery
-After=network.target
-
-[Service]
-User={{wahl_user}}
-Group={{wahl_group}}
-WorkingDirectory={{wahl_web_root}}/program
-Environment=VIRTUAL_ENV="{{wahl_web_root}}/program"
-ExecStart={{wahl_web_root}}/program/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{wahl_celery_concurrency}}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/wahlsystem/templates/celery.service.j2 b/wahlsystem/templates/celery.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..8f14b5f35761cbeb8d455c64d6725995341838cb
--- /dev/null
+++ b/wahlsystem/templates/celery.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Wahlsystem-Celery
+After=network.target
+
+[Service]
+User={{ wahl_user }}
+Group={{ wahl_group }}
+WorkingDirectory={{ wahl_web_root }}
+Environment=VIRTUAL_ENV="{{ wahl_web_root }}"
+ExecStart={{ wahl_web_root }}/bin/celery -A server.celery worker --loglevel=DEBUG --concurrency={{ wahl_celery_concurrency }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
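Review bot: `--loglevel=DEBUG` in `ExecStart` is carried into the new unit, and a Celery worker at debug level can write task arguments to the journal, which for this application may include personal or mail data (inferred; the task code is not part of this diff). `--loglevel=INFO` would be the safer default, ideally driven by a role variable in the same way as `wahl_celery_concurrency`. The unit also has no sandboxing directives. `NoNewPrivileges=yes` and `PrivateTmp=yes` under `[Service]` are cheap additions for a worker that accepts pickle payloads from the broker.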
diff --git a/wahlsystem/templates/config b/wahlsystem/templates/config
deleted file mode 100644
index bbcaec7f106d833e9fafb36943d00f07e1df98c3..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host git.fsmpi.rwth-aachen.de
-HostName git.fsmpi.rwth-aachen.de
-User git
-IdentityFile {{wahl_web_root}}/.ssh/deploy-key
diff --git a/wahlsystem/templates/config.py b/wahlsystem/templates/config.py
deleted file mode 100644
index 7597a1f26b8fc988c74769c4198d7e9a7f39a645..0000000000000000000000000000000000000000
--- a/wahlsystem/templates/config.py
+++ /dev/null
@@ -1,26 +0,0 @@
-SQLALCHEMY_DATABASE_URI = "postgresql://{{wahl_user}}:@/{{wahl_name}}"
-SQLALCHEMY_TRACK_MODIFICATIONS = False
-SECRET_KEY = "***REMOVED***"
-DEBUG = False
-MAIL_ACTIVE = True
-MAIL_FROM = "wahl@fsmpi.rwth-aachen.de"
-MAIL_HOST = "mail.fsmpi.rwth-aachen.de:25"
-MAIL_USER = None
-MAIL_PASSWORD = None
-MAIL_USE_TLS = False
-MAIL_PREFIX = "Wahlsystem"
-#CELERY_BROKER_URL = "sqla+postgresql://user:password@host/message-database"
-#CELERY_BROKER_URL = "redis+socket:///run/redis/redis.sock"
-CELERY_BROKER_URL = "redis://localhost:6379/0"
-CELERY_TASK_SERIALIZER = "pickle"
-CELERY_ACCEPT_CONTENT = ["pickle"]
-SERVER_NAME = "wahl.stud.rwth-aachen.de"
-PREFERRED_URL_SCHEME = "https"
-URL_ROOT = "wahl.stud.rwth-aachen.de"
-URL_PROTO = "https"
-URL_PATH = "/"
-URL_PARAMS = ""
-MAILMAN_API_URL = "https://lists.fsmpi.rwth-aachen.de/mailmanAPI"
-MAILMAN_API_KEY = "***REMOVED***"
-MAILMAN_DEFAULT_NEW_PASSWORD = "LnbVEiblyk8qhzmvjJhS"
-MAILMAN_HOST = "lists.fsmpi.rwth-aachen.de"
diff --git a/wahlsystem/templates/config.py.j2 b/wahlsystem/templates/config.py.j2
new file mode 100644
index 0000000000000000000000000000000000000000..155f62c3e85af3de2c992cb9f3f38788bdd7534b
--- /dev/null
+++ b/wahlsystem/templates/config.py.j2
@@ -0,0 +1,33 @@
+SQLALCHEMY_DATABASE_URI = "postgresql://{{ wahl_user }}:@/{{ wahl_name }}"
+SQLALCHEMY_TRACK_MODIFICATIONS = False
+SECRET_KEY = "{{ wahl_secret }}"
+DEBUG = False
+MAIL_ACTIVE = {{ wahl_mail }}
+MAIL_FROM = "{{ wahl_mail_from }}"
+MAIL_HOST = "{{ wahl_mail_host }}"
+MAIL_USER = "{{ wahl_mail_user }}"
+MAIL_PASSWORD = "{{ wahl_mail_password }}"
+{% if wahl_mail_tls == 'tls' %}
+MAIL_USE_TLS = True
+MAIL_USE_STARTTLS = False
+{% else if wahl_mail_tls == 'starttls' %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = True
+{% else %}
+MAIL_USE_TLS = False
+MAIL_USE_STARTTLS = False
+{% endif %}
+MAIL_PREFIX = "{{ wahl_mail_prefix }}"
+CELERY_BROKER_URL = "{{ wahl_celery_broker }}"
+CELERY_TASK_SERIALIZER = "pickle"
+CELERY_ACCEPT_CONTENT = ["pickle"]
+SERVER_NAME = "{{ wahl_server_name }}"
+PREFERRED_URL_SCHEME = "{{ wahl_url_proto }}"
+URL_ROOT = "{{ wahl_url_root }}"
+URL_PROTO = "{{ wahl_url_proto }}"
+URL_PATH = "{{ wahl_url_path }}"
+URL_PARAMS = ""
+MAILMAN_API_URL = "{{ wahl_mailman_api_url }}"
+MAILMAN_API_KEY = "{{ wahl_mailman_api_key }}"
+MAILMAN_DEFAULT_NEW_PASSWORD = "{{ wahl_mailman_default_newpw }}"
+MAILMAN_HOST = "{{ wahl_mailman_host }}"
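Review bot: `{% else if wahl_mail_tls == 'starttls' %}` is not valid Jinja2, so this template will fail to render and the config task will abort; the tag should read `{% elif wahl_mail_tls == 'starttls' %}`. The file now receives `wahl_secret`, `wahl_mail_password` and `wahl_mailman_api_key`, yet the task that installs it in wahlsystem/tasks/main.yml keeps `mode: 0644`, which makes them readable by every local account; `mode: "0640"` with the existing owner and group would limit that to the service user. `MAIL_USER` and `MAIL_PASSWORD` were `None` before and are now always quoted strings, so an unset value becomes `""` rather than `None`, which the mail code may handle differently (not verifiable from this diff). With `CELERY_TASK_SERIALIZER = "pickle"` kept, whoever can write to `wahl_celery_broker` controls what the worker deserializes, so that variable should only ever point at a local or authenticated broker. The literal `MAILMAN_DEFAULT_NEW_PASSWORD` removed with the old config.py remains in repository history and should be rotated.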
diff --git a/wahlsystem/templates/wahlsystem.service b/wahlsystem/templates/wahlsystem.service.j2
similarity index 54%
rename from wahlsystem/templates/wahlsystem.service
rename to wahlsystem/templates/wahlsystem.service.j2
index 29ea1679b07931e6b5d9a31e2683791eac9f947d..c035bba44baa5bb781a0cc80f3a683d36546082d 100644
--- a/wahlsystem/templates/wahlsystem.service
+++ b/wahlsystem/templates/wahlsystem.service.j2
@@ -4,8 +4,10 @@ After=network.target
 Wants=wahlsystem-celery.service
 
 [Service]
-Environment=LDAPTLS_CACERT=/etc/ssl/certs/rwth_chain.pem
-ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{wahl_name}}.ini
+{% if wahl_ldap_cert %}
+Environment=LDAPTLS_CACERT={{ wahl_ldap_cert }}
+{% endif %}
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/{{ wahl_name }}.ini
 Restart=always
 KillSignal=SIGQUIT
 Type=notify
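Review bot: `{% if wahl_ldap_cert %}` raises an undefined-variable error under Ansible's strict templating unless the role defaults define `wahl_ldap_cert` (the defaults file is not in this hunk); `{% if wahl_ldap_cert | default('') %}` makes the optional setting safe either way. A one-line template comment above the block, such as `{# empty wahl_ldap_cert: CA file comes from the libldap defaults #}`, would tell the next reader what TLS verification falls back to. The unit's remaining lines are outside the hunk.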
diff --git a/webserver/files/tmpfiles.conf b/webserver/files/tmpfiles.conf
new file mode 100644
index 0000000000000000000000000000000000000000..b13000cd1fca9fd84e606d0059f21757fd9c1a5c
--- /dev/null
+++ b/webserver/files/tmpfiles.conf
@@ -0,0 +1 @@
+d /run/nginx 0750 www-data nginx-proxy - -
diff --git a/webserver/handlers/main.yml b/webserver/handlers/main.yml
index e58a6acd99ca434391309b227b48723a5483f1f9..73b78fb0939591d3ac2a621b44cbc2b2e5794853 100644
--- a/webserver/handlers/main.yml
+++ b/webserver/handlers/main.yml
@@ -1,14 +1,18 @@
 ---
-# file: roles/webserver/handlers/main.yml
+# file: webserver/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: restart nginx
-  service: name=nginx state=restarted
+  service:
+    name: nginx
+    state: restarted
 
 - name: restart nginx-proxy
-  service: name=nginx-proxy state=restarted
+  service:
+    name: nginx-proxy
+    state: restarted
 
 - name: create tmpfiles
   command: systemd-tmpfiles --create
diff --git a/webserver/tasks/main.yml b/webserver/tasks/main.yml
index 9738e07e4d1bdaf7c8c4350eb0d5a38b053448a5..8854d2198d38cad00fd2261a646b4e9c9b8d8e43 100644
--- a/webserver/tasks/main.yml
+++ b/webserver/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
-# file: roles/webserver/tasks/main.yml
+# file: webserver/tasks/main.yml
 
 - name: ensure nginx is installed
-  apt: name={{ item }} state=latest
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - nginx
     - nginx-full
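Review bot: Changing `state: latest` to `state: installed` means this play no longer pulls nginx security updates, so patching now depends on something outside the role (for example unattended-upgrades), which is worth stating in a comment on the task. `installed` is also only a legacy alias in the apt module; `state: present` is the documented value. The same applies to the `aufs-tools` and `wordpress` tasks in wordpress/tasks/main.yml. The task's `notify` and `tags` continue in the next hunk.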
@@ -10,116 +12,164 @@
     - restart nginx
     - restart nginx-proxy
   tags:
-    - packages
     - nginx
+    - webservices
 
 - name: ensure we got our nginx config
-  copy: src=nginx.conf dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - restart nginx
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure we got our nginx-proxy config
-  template: src=nginx-proxy.conf dest=/etc/nginx/nginx-proxy.conf owner=root group=root mode=0644
+  template:
+    src: nginx-proxy.conf.j2
+    dest: /etc/nginx/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - restart nginx-proxy
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is the nginx-proxy group
-  group: name=nginx-proxy state=present system=yes
+  group:
+    name: nginx-proxy
+    state: present
+    system: yes
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is the nginx-proxy user
-  user: name=nginx-proxy state=present group=nginx-proxy system=yes shell=/usr/sbin/nologin home=/var/www createhome=no
+  user:
+    name: nginx-proxy
+    state: present
+    group: nginx-proxy
+    system: yes
+    shell: /usr/sbin/nologin
+    home: /var/www
+    createhome: no
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is some tls-proxy config
-  template: src=tls-proxy.j2 dest=/etc/nginx/sites-available/tls-proxy owner=root group=root mode=0644 force=no
+  template:
+    src: tls-proxy.j2
+    dest: /etc/nginx/sites-available/tls-proxy
+    owner: root
+    group: root
+    mode: 0644
+    force: no
   notify:
     - restart nginx-proxy
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is some main config
-  copy: src=main dest=/etc/nginx/sites-available/main owner=root group=root mode=0644 force=no
+  copy:
+    src: main
+    dest: /etc/nginx/sites-available/main
+    owner: root
+    group: root
+    mode: 0644
+    force: no
   notify:
     - restart nginx
   tags:
-    - config
-    - nginx
-
-- name: ensure the main config is activated
-  file: path=/etc/nginx/sites-enabled/main state=link src=/etc/nginx/sites-available/main
-  notify:
-    - restart nginx
-  tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is the sso example snippet
-  copy: src="{{item}}" dest=/etc/nginx/snippets/ owner=root group=root mode=0644
+  copy:
+    src: "{{ item }}"
+    dest: /etc/nginx/snippets/
+    owner: root
+    group: root
+    mode: 0644
   with_items:
     - sso.conf
     - sso-auth.conf
     - sso-locations.conf
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure we have a directory for sockets
-  lineinfile:
+  copy:
+    src: tmpfiles.conf
     dest: /etc/tmpfiles.d/10-nginx.conf
-    line: "d /run/nginx 0750 www-data nginx-proxy - -"
-    create: yes
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - create tmpfiles
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure the default config is not activated
-  file: path=/etc/nginx/sites-enabled/default state=absent
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
   notify:
     - restart nginx
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is a lib dir for nginx-proxy
-  file: path=/var/lib/nginx-proxy state=directory owner=root group=root mode=0755
+  file:
+    path: /var/lib/nginx-proxy
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
   tags:
-    - config
     - nginx
+    - webservices
 
 - name: ensure there is a nginx-proxy service
-  copy: src=nginx-proxy.service dest=/etc/systemd/system/nginx-proxy.service owner=root group=root mode=0644
+  copy:
+    src: nginx-proxy.service
+    dest: /etc/systemd/system/nginx-proxy.service
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - reload systemd service files
     - restart nginx-proxy
   tags:
-    - service
     - nginx
+    - webservices
 
 - meta: flush_handlers
 
 - name: ensure nginx is enabled and running
-  service: name=nginx state=running enabled=yes
+  service:
+    name: nginx
+    state: started
+    enabled: yes
   tags:
-    - service
     - nginx
+    - webservices
 
 - name: ensure nginx-proxy is enabled and running
-  service: name=nginx-proxy state=running enabled=yes
+  service:
+    name: nginx-proxy
+    state: started
+    enabled: yes
   tags:
-    - service
     - nginx
-
+    - webservices
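Review bot: The new block-style tasks write `mode: 0644` and `mode: 0755` as bare integers, which only works because the YAML 1.1 loader reads the leading zero as octal; quoting them (`mode: "0644"`) is what the Ansible documentation recommends and avoids a wrong permission if the zero is ever dropped. This also applies to the `tmpfiles.conf.j2` task in wordpress/tasks/main.yml. Separately, the task linking `/etc/nginx/sites-enabled/main` is removed while `sites-enabled/default` is still deleted, so unless another role enables a site, nginx would start with none. A comment naming where that link is now managed would settle it.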
diff --git a/webserver/templates/nginx-proxy.conf b/webserver/templates/nginx-proxy.conf.j2
similarity index 100%
rename from webserver/templates/nginx-proxy.conf
rename to webserver/templates/nginx-proxy.conf.j2
diff --git a/wordpress/defaults/main.yml b/wordpress/defaults/main.yml
index 4d3d5e4e35eebddc008cca1ea568b390bda03052..45f4a4b2197de4312d8f3c5d6c0ab47795db38ae 100644
--- a/wordpress/defaults/main.yml
+++ b/wordpress/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/wordpress/defaults/main.yml
+# file: wordpress/defaults/main.yml
 
 wordpress_web_root: /var/www
 
diff --git a/wordpress/handlers/main.yml b/wordpress/handlers/main.yml
index a1d5ccf1a5cb678e7947fcf52bb129191d365b1e..54ac6b8afb92da3a29ae5f141a41b0fb54631fb3 100644
--- a/wordpress/handlers/main.yml
+++ b/wordpress/handlers/main.yml
@@ -1,11 +1,13 @@
 ---
-# file: roles/wordpress/handlers/main.yml
+# file: wordpress/handlers/main.yml
 
 - name: reload systemd service files
   command: systemctl daemon-reload
 
 - name: "restart uwsgi for {{ wordpress_name }}"
-  service: "name=wordpress-{{ wordpress_name }} state=restarted enabled=yes"
+  service:
+    name: "wordpress-{{ wordpress_name }}"
+    state: restarted
 
 - name: create tmpfiles
   shell: systemd-tmpfiles --create
diff --git a/wordpress/meta/main.yml b/wordpress/meta/main.yml
index 2324e43a8bb885912955537b9997c7f455060f01..a47367479c8a040299e933bf21c1a9c7372a1c51 100644
--- a/wordpress/meta/main.yml
+++ b/wordpress/meta/main.yml
@@ -1,6 +1,5 @@
 ---
-# file: roles/wordpress/meta/main.yml
+# file: wordpress/meta/main.yml
 
 dependencies:
   - { role: uwsgi-php }
-  - { role: mysql }
diff --git a/wordpress/tasks/main.yml b/wordpress/tasks/main.yml
index afda9bac10902bca9f95429175dd5a66f6474856..2089dcab83e78cc1dede8cc8bd093dbf96d3e226 100644
--- a/wordpress/tasks/main.yml
+++ b/wordpress/tasks/main.yml
@@ -1,17 +1,35 @@
 ---
-# file: roles/wordpress/tasks/main.yml
+# file: wordpress/tasks/main.yml
 
 - name: ensure we have aufs tools
-  apt: name=aufs-tools state=latest install_recommends=no
+  apt:
+    name: aufs-tools
+    state: installed
+    install_recommends: no
   tags:
-    - packages
     - wordpress
-
-- name: ensure the wordpress package from backports is installed
-  apt: name=wordpress state=latest install_recommends=no default-release=jessie-backports
+    - webservices
+
+- name: ensure the wordpress package is installed
+  apt:
+    name: wordpress
+    state: installed
+    install_recommends: no
+    default-release: jessie-backports
+  when: debian_version == 'jessie'
+  tags:
+    - wordpress
+    - webservices
+
+- name: ensure the wordpress package is installed
+  apt:
+    name: wordpress
+    state: installed
+    install_recommends: no
+  when: debian_version == 'stretch'
   tags:
-    - packages
     - wordpress
+    - webservices
 
 - name: "ensure group for {{ wordpress_name }} exists"
   group:
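Review bot: The two identically named `ensure the wordpress package is installed` tasks cover only `jessie` and `stretch`, so on any other `debian_version` the package step is skipped silently and the later tasks run against a possibly missing `/usr/share/wordpress`. A single task with `default_release: "{{ 'jessie-backports' if debian_version == 'jessie' else omit }}"` removes both the duplication and the gap. The `group` task on the last line of the hunk continues in the next one.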
@@ -19,9 +37,8 @@
     state: present
     system: yes
   tags:
-    - users
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure user for {{ wordpress_name }} exists"
   user:
@@ -33,9 +50,8 @@
     home: "{{ wordpress_web_root }}"
     createhome: no
   tags:
-    - users
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the wordpress folders for {{ wordpress_name }} exists"
   file:
@@ -48,8 +64,8 @@
     - "{{ wordpress_name }}-files"
     - "{{ wordpress_name }}"
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure local folders without write permissions for {{ wordpress_name }} exist"
   file:
@@ -61,8 +77,8 @@
   with_items:
     - wp-content
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure local folders with write permissions for {{ wordpress_name }} exist"
   file:
@@ -78,39 +94,40 @@
     - wp-content/themes
     - wp-content/upgrade
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the directories for {{ wordpress_name }} are mounted above each other"
   mount:
     state: mounted
     fstype: aufs
     name: "{{ wordpress_web_root }}/{{ wordpress_name }}/"
-    opts: "br={{ wordpress_web_root }}/{{ wordpress_name }}-files/:/usr/share/wordpress"
+    opts: "br={{ wordpress_web_root }}/{{ wordpress_name }}-files/:/usr/share/wordpress,udba=reval"
     src: none
   tags:
-    - mount
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure temporary directories for {{ wordpress_name }} exist"
-  lineinfile:
+  template:
+    src: tmpfiles.conf.j2
     dest: "/etc/tmpfiles.d/10-wordpress-{{ wordpress_name }}.conf"
-    line: "d /run/uwsgi/app/wordpress-{{ wordpress_name }} 0775 {{ wordpress_user }} {{ wordpress_group }} - -"
-    create: yes
+    owner: root
+    group: root
+    mode: 0644
   notify:
-  - create tmpfiles
+    - create tmpfiles
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the config for {{ wordpress_name }} exists"
   template:
     src: wp-config.php.j2
     dest: "{{ wordpress_web_root }}/{{ wordpress_name }}-files/wp-config.php"
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "get randomness for secrets for {{ wordpress_name }}"
   set_fact:
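Review bot: The `wp-config.php` template task near the end of this hunk sets no `owner`, `group` or `mode`, unlike the tmpfiles task just above it, so the file gets whatever the connecting user's umask produces. That file normally carries the database credentials (the template itself is not shown here), so it should be pinned, for example with `owner: root`, `group: "{{ wordpress_group }}"` and `mode: "0640"`. The `set_fact` task on the last line continues outside the hunk.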
@@ -129,8 +146,8 @@
     dest: "{{ wordpress_web_root }}/{{ wordpress_name }}-files/secrets.php"
     force: no
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure wordpress can access javascript files that debian places somewhere else"
   file:
@@ -138,8 +155,8 @@
     dest: "{{ wordpress_web_root }}/javascript"
     state: link
   tags:
-    - config
     - wordpress
+    - webservices
 
 - include: mysql.yml
 
@@ -150,8 +167,8 @@
   notify:
     - "restart uwsgi for {{ wordpress_name }}"
   tags:
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the unit file for {{ wordpress_name }} exists"
   template:
@@ -161,16 +178,14 @@
     - reload systemd service files
     - "restart uwsgi for {{ wordpress_name }}"
   tags:
-    - config
     - wordpress
-    - service
+    - webservices
   
 - name: "ensure the service for {{ wordpress_name }} is running"
   service:
     name: "wordpress-{{ wordpress_name }}"
-    state: running
+    state: started
     enabled: yes
   tags:
-    - config
     - wordpress
-    - service
+    - webservices
diff --git a/wordpress/tasks/mysql.yml b/wordpress/tasks/mysql.yml
index 9e1fc51485ec444fed5caf97cc803c4aae19f7b8..903e40a11c9218d42c79533683f4012f15edeb88 100644
--- a/wordpress/tasks/mysql.yml
+++ b/wordpress/tasks/mysql.yml
@@ -1,35 +1,34 @@
 ---
-# file: roles/wordpress/tasks/mysql.yml
+# file: wordpress/tasks/mysql.yml
 
-- name: "ensure php can talk with mysql"
-  apt: name=php5-mysql state=latest
+- name: ensure php can talk with mysql
+  apt:
+    name: php5-mysql
+    state: latest
+  when: debian_version == 'jessie'
   tags:
-    - packages
-    - mysql
     - wordpress
+    - webservices
 
-- name: "get database password for {{ wordpress_name }}"
-  local_action: pass name="db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }}" state=present generate=20 store=FSMPI_PASSWORD_STORE_DIR limit=yes
-  #local_action: "pass store=FSMPI_PASSWORD_STORE_DIR name=db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} limit=True"
-  register: wordpress_db_login_password
-  no_log: True
+- name: ensure php can talk with mysql
+  apt:
+    name: php-mysql
+    state: latest
+  when: debian_version == 'stretch'
   tags:
-    - config
-    - password
     - wordpress
-    - mysql
+    - webservices
 
 - name: "ensure the database for {{ wordpress_name }} exists"
   mysql_db:
     name: "{{ wordpress_dbname }}"
     state: present
     login_user: root
-    login_password: "{{ wordpress_db_login_password.password }}"
+    login_password: "{{ lookup('passwordstore', 'db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} create=true length=20')}}"
   no_log: True
   tags:
-    - mysql
-    - config
     - wordpress
+    - webservices
 
 - name: "ensure the database user for {{ wordpress_name }} exists"
   mysql_user:
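Review bot: `lookup('passwordstore', 'db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} create=true length=20')` nests `{{ }}` inside an expression that is already being templated, which Ansible advises against and which may pass the braces through literally. Build the term by concatenation instead: `lookup('passwordstore', 'db/' ~ wordpress_dbhost ~ '-' ~ wordpress_dbtype ~ ' create=true length=20')`. With `create=true`, a mistyped or missing entry name silently generates a new store entry that does not match the server's root password, so the failure surfaces as a login error (its details hidden by `no_log`) rather than as a missing secret; dropping `create=true` for the root credential makes that explicit. The same line appears in the `mysql_user` task in the next hunk, and the value would be better set once as a variable and reused.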
@@ -37,11 +36,10 @@
     password: "{{ wordpress_dbpassword }}"
     state: present
     login_user: root
-    login_password: "{{ wordpress_db_login_password.password }}"
+    login_password: "{{ lookup('passwordstore', 'db/{{ wordpress_dbhost }}-{{ wordpress_dbtype }} create=true length=20')}}"
     priv: "{{ wordpress_dbname }}.*:ALL"
   no_log: True
   tags:
-    - mysql
-    - config
     - wordpress
+    - webservices
 
diff --git a/wordpress/templates/tmpfiles.conf.j2 b/wordpress/templates/tmpfiles.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..20bc5ac775d3efa6f50ee42be7c7dca0867a337b
--- /dev/null
+++ b/wordpress/templates/tmpfiles.conf.j2
@@ -0,0 +1 @@
+d /run/uwsgi/app/wordpress-{{ wordpress_name }} 0775 {{ wordpress_user }} {{ wordpress_group }} - -