From a797094b61d3dd5f7ccb25849499489ed40cafea Mon Sep 17 00:00:00 2001
From: David Moreau Simard
Date: Thu, 7 Mar 2019 15:52:02 -0500
Subject: [PATCH] Add playbook for deploying live demos on demo.recordsansible.org
This deploys api.demo.recordsansible.org as well as web.demo.recordsansible.org using the Ansible roles from ara. The only part not yet automated is the letsencrypt certificate generation.
Change-Id: I6b436d3be32105fdf9d661d042bfb3d40e5e39a6
Depends-On: https://review.openstack.org/#/c/641859/
---
 playbooks/ansible.cfg | 10 ++++
 playbooks/hosts | 1 +
 playbooks/live-demo.yaml | 22 ++++++++
 .../api.demo.recordsansible.org.conf.j2 | 51 +++++++++++++++++++
 .../web.demo.recordsansible.org.conf.j2 | 46 +++++++++++++++++
 5 files changed, 130 insertions(+)
 create mode 100644 playbooks/ansible.cfg
 create mode 100644 playbooks/hosts
 create mode 100644 playbooks/live-demo.yaml
 create mode 100644 playbooks/templates/api.demo.recordsansible.org.conf.j2
 create mode 100644 playbooks/templates/web.demo.recordsansible.org.conf.j2
diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
new file mode 100644
index 0000000..33d5108
--- /dev/null
+++ b/playbooks/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+forks = 25
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp/
+fact_caching_timeout = 3600
+inventory = hosts
+
+[ssh_connection]
+pipelining = True
diff --git a/playbooks/hosts b/playbooks/hosts
new file mode 100644
index 0000000..cf3ffca
--- /dev/null
+++ b/playbooks/hosts
@@ -0,0 +1 @@
+demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3
diff --git a/playbooks/live-demo.yaml b/playbooks/live-demo.yaml
new file mode 100644
index 0000000..af3ab5f
--- /dev/null
+++ b/playbooks/live-demo.yaml
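Review bot: `fact_caching_connection = /tmp/` stores the gathered facts of demo.recordsansible.org as JSON files in the shared, world-writable /tmp of whatever control host runs the play, where they are created with the default umask and are typically readable by every other local user, and where a pre-existing file at the predictable path would be read back as trusted facts on the next run. Gathered facts routinely contain network, user and environment details, so a per-user or purpose-created directory is the safer default, e.g. `fact_caching_connection = ~/.ansible/fact_cache` (the jsonfile cache plugin expands the tilde, as far as I recall; otherwise point it at a directory created with restrictive permissions). The 3600-second `fact_caching_timeout` on the following line is fine as is.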
@@ -0,0 +1,22 @@
+- name: Provision demo.recordsansible.org
+ hosts: demo.recordsansible.org
+ gather_facts: yes
+ vars:
+ # ara_api
+ ara_api_fqdn: api.demo.recordsansible.org
+ ara_api_frontend_server: nginx
+ ara_api_frontend_vhost: api.demo.recordsansible.org.conf.j2
+ ara_api_wsgi_server: gunicorn
+ ara_api_allowed_hosts:
+ - api.demo.recordsansible.org
+ ara_api_cors_origin_whitelist:
+ - web.demo.recordsansible.org
+ - logs.openstack.org
+ # ara_web
+ ara_web_fqdn: web.demo.recordsansible.org
+ ara_web_api_endpoint: "https://api.demo.recordsansible.org"
+ ara_web_frontend_server: nginx
+ ara_web_frontend_vhost: web.demo.recordsansible.org.conf.j2
+ roles:
+ - ara_api
+ - ara_web
diff --git a/playbooks/templates/api.demo.recordsansible.org.conf.j2 b/playbooks/templates/api.demo.recordsansible.org.conf.j2
new file mode 100644
index 0000000..bf16372
--- /dev/null
+++ b/playbooks/templates/api.demo.recordsansible.org.conf.j2
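Review bot: The play does not record the manual prerequisite the commit message mentions: both vhost templates it selects via `ara_api_frontend_vhost` and `ara_web_frontend_vhost` reference `/etc/letsencrypt/live/<fqdn>/fullchain.pem` and `privkey.pem`, so nginx will refuse the configuration if the certificates for api.demo.recordsansible.org and web.demo.recordsansible.org are not already present on the host. A comment at the top of the play would save the next operator a failed run, e.g. `# Prerequisite (not automated yet): letsencrypt certificates for api.demo.recordsansible.org and web.demo.recordsansible.org must exist under /etc/letsencrypt/live/ before this play runs.` It would also help to state in the same comment that the two `*_frontend_vhost` values are bare filenames that presumably resolve relative to playbooks/templates/ through the roles' template lookup, since nothing in the play makes that path explicit.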
@@ -0,0 +1,51 @@
+upstream ara_api {
+ # fail_timeout=0 means we always retry an upstream even if it failed
+ # to return a good HTTP response
+ server {{ ara_api_wsgi_bind }} fail_timeout=0;
+}
+
+server {
+ listen 80;
+ server_name {{ ara_api_fqdn }};
+ return 301 https://{{ ara_api_fqdn }}$request_uri;
+}
+
+server {
+ listen 443;
+ server_name {{ ara_api_fqdn }};
+ access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
+ error_log /var/log/nginx/{{ ara_api_fqdn }}_error.log;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ ara_api_fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ ara_api_fqdn }}/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ # There's nothing at /, redirect it to the actual API for convenience
+ location / {
+ return 301 http://{{ ara_api_fqdn }}/api/v1/;
+ }
+
+ location /static {
+ expires 7d;
+ add_header Cache-Control "public";
+ }
+
+ # Everything, including static files, is served by the backend
+ location ~ {
+ # checks if the file exists, if not found proxy to app
+ try_files $uri @proxy_to_app;
+ }
+
+ location @proxy_to_app {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+
+ proxy_redirect off;
+ proxy_pass http://ara_api;
+ }
+}
diff --git a/playbooks/templates/web.demo.recordsansible.org.conf.j2 b/playbooks/templates/web.demo.recordsansible.org.conf.j2
new file mode 100644
index 0000000..05fa2ee
--- /dev/null
+++ b/playbooks/templates/web.demo.recordsansible.org.conf.j2
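Review bot: Inside the HTTPS server block, `location /` answers with `return 301 http://{{ ara_api_fqdn }}/api/v1/;`, which sends a client that arrived over TLS back to plain HTTP; the port-80 server then redirects it to https again, so every visit to / takes a cleartext hop and a double redirect. Changing it to `return 301 https://{{ ara_api_fqdn }}/api/v1/;` keeps the session on TLS. The TLS lines further up enable TLSv1 and TLSv1.1, which are deprecated, and use `ssl on;`, which nginx has deprecated in favour of the listen-level flag; `listen 443 ssl;` with `ssl_protocols TLSv1.2;` (plus TLSv1.3 if the target nginx and OpenSSL support it) is the current form, and web.demo.recordsansible.org.conf.j2 in this same change carries the identical TLS lines. Once the certificates are in place an `add_header Strict-Transport-Security` line in this block would stop browsers from ever trying the port-80 listener first.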
@@ -0,0 +1,46 @@
+{% if ara_web_dev_server %}
+upstream ara_web {
+ # fail_timeout=0 means we always retry an upstream even if it failed
+ # to return a good HTTP response
+ server {{ ara_web_dev_server_bind_address }}:{{ ara_web_dev_server_bind_port }} fail_timeout=0;
+}
+{% endif %}
+
+server {
+ listen 80;
+ server_name {{ ara_web_fqdn }};
+ return 301 https://{{ ara_web_fqdn }}$request_uri;
+}
+
+server {
+ listen 443;
+ server_name {{ ara_web_fqdn }};
+ root {{ ara_web_static_dir }};
+ access_log /var/log/nginx/{{ ara_web_fqdn }}_access.log;
+ error_log /var/log/nginx/{{ ara_web_fqdn }}_error.log;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ ara_web_fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ ara_web_fqdn }}/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ {% if ara_web_dev_server %}
+ location ~ {
+ # checks for static file, if not found proxy to server
+ try_files $uri @proxy_to_app;
+ }
+
+ location @proxy_to_app {
+ # Redefine the header fields that NGINX sends to the upstream server
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Define the location of the proxy server to send the request to
+ proxy_pass http://ara_web;
+ }
+ {% endif %}
+}
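Review bot: The dev-server proxy block `location @proxy_to_app` forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but not `X-Forwarded-Proto`, unlike the api template in this same change, so the upstream dev server cannot tell that the request arrived over TLS and any absolute URL or redirect it builds will presumably come out as http://. Adding `proxy_set_header X-Forwarded-Proto $scheme;` beside the other headers makes the two templates consistent. When `ara_web_dev_server` is false the HTTPS server block is left with only `root {{ ara_web_static_dir }}` and no location, which is fine for a plain static build but not obvious to a reader of the template; a comment such as `# Static build is served straight from root; the dev server is only proxied when ara_web_dev_server is set` above the second `{% if %}` would make the intent explicit.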