From 2a96a48ae6802cc53da96a26622705ae5c0896d5 2018-10-21 17:52:35 From: Branko Majic Date: 2018-10-21 17:52:35 Subject: [PATCH] MAR-132: Updated usage instructions for Debian Stretch: - Switch to Debian Stretch for showing role usage. - Updated TBG deployment to use the latest version. - Fixed a bunch of sample task definitions to use full expanded (YAML) syntax. - Updated commands used for backup client/server (invocation of GnuPG). --- diff --git a/docs/usage.rst b/docs/usage.rst index 63f1a4fc4d79c7c2bb5af25bbff97799bd70bded..6301e8851849cbcba26a94a09d9975eef53957ed 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -34,14 +34,15 @@ Pre-requisites For the set-up outlined in this usage guide you'll need the following: -* One server where Ansible will be installed at. Debian Jessie will be installed - on top of this server. The server will be set-up manually (this is currently - out of scope for the *Majic Ansible Roles* automated set-up). +* One server where Ansible will be installed at. Debian Stretch will + be installed on top of this server. The server will be set-up + manually (this is currently out of scope for the *Majic Ansible + Roles* automated set-up). * Three servers where the services will be set-up. All servers must be able to communicate over network with each-other, the Ansible servers, and with - Internet. Debian Jessie will be installed on top of this server as part of the + Internet. Debian Stretch will be installed on top of this server as part of the usage instructions. -* Debian Jessie network install CD. +* Debian Stretch network install CD. * All servers should be on the same network. * IP addresses for all servers should be known. * Netmask for all servers should be known. @@ -145,7 +146,7 @@ Ansible Roles: 1. Clone the git repository:: - git clone http://code.majic.rs/majic-ansible-roles ~/majic-ansible-roles + git clone https://code.majic.rs/majic-ansible-roles ~/majic-ansible-roles 2. Checkout the correct version of the roles:: 
@@ -307,10 +308,11 @@ So, let's set this up for start: Installing the servers with preseed files ----------------------------------------- -You have your preseed files now, so you can go ahead and install the servers -``comms.example.com``, ``www.example.com``, and ``bak.example.com`` using -them with network install CD. Have a look at `Debian -`_ instructions for +You have your preseed files now, so you can go ahead and install the +servers ``comms.example.com``, ``www.example.com``, and +``bak.example.com`` using them with network install CD. Have a look at +`Debian instructions +`_ for more details. If you need to, you can easily serve the preseed files from the Ansible server @@ -461,7 +463,7 @@ Let's take care of this common configuration right away: password: "{{ 'admin' | password_hash('sha512') }}" common_packages: - - emacs24-nox + - emacs25-nox .. note:: The ``common`` role comes with ability to set-up time @@ -1240,6 +1242,11 @@ server. 2. Now let's configure the role. This is rather simplistic, since we only need to set the database server root (admin) password. + .. note:: + Default MariaDB server configuration on Debian Stretch enables + the ``root`` OS user to login via Unix socket without providing + password as well. + :file:`~/mysite/group_vars/web.yml` :: @@ -1304,7 +1311,7 @@ Before we start, here is a couple of useful pointers regarding the * Static content (non-PHP) is served directly by *Nginx*. * Each web application gets distinct sub-directory under ``/var/www``, named after the FQDN. All sub-directories created under there are created with - ``2750`` permissions, with ownership set to admin user, and group set to the + ``02750`` permissions, with ownership set to admin user, and group set to the application's group. In other words, all directories will have ``SGID`` bit set, allowing you to create files/directories that will have their group automatically set to the group of the parent directory. 
@@ -1345,10 +1352,12 @@ Before we start, here is a couple of useful pointers regarding the fqdn: tbg.example.com # Some additional packages are required in order to deploy and use TBG. packages: - - php5-gd - - php5-curl + - php-gd + - php-curl + - php-mbstring + - php-xml - git - - php5-mysql + - php-mysql - expect # Set-up URL rewriting. This is based on public/.htaccess file from # TBG. 
@@ -1401,72 +1410,101 @@ Before we start, here is a couple of useful pointers regarding the --- - name: Define TBG version - set_fact: tbg_version=4.1.0 + set_fact: + tbg_version: "4.2.0" + tbg_archive_checksum: "ca3a8b9d8090ec5f75580803abf699c5e67bdea0ec043dd782e525a774cf0936" - name: Download the TBG archive - get_url: url=https://github.com/thebuggenie/thebuggenie/archive/v{{ tbg_version }}.tar.gz - dest="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}.tar.gz" - sha256sum=0fd0a680ba281adc97d5d2c720e63b995225c99716a36eca6a198b8a5ebf8057 + get_url: + url: "https://github.com/thebuggenie/thebuggenie/archive/v{{ tbg_version }}.tar.gz" + dest: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}.tar.gz" + sha256sum: "{{ tbg_archive_checksum }}" become: yes become_user: admin-tbg_example_com - name: Download Composer - get_url: url=https://getcomposer.org/download/1.0.0-alpha10/composer.phar - dest="/usr/local/bin/composer" - sha256sum=9f2c7d0364bc743bcde9cfe1fe84749e5ac38c46d47cf42966ce499135fd4628 - owner=root group=root mode=755 + get_url: + url: "https://getcomposer.org/download/1.7.2/composer.phar" + dest: "/usr/local/bin/composer" + sha256sum: "ec3428d049ae8877f7d102c2ee050dbd51a160fc2dde323f3e126a3b3846750e" + owner: root + group: root + mode: 0755 - name: Unpack TBG - unarchive: src="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}.tar.gz" - dest="/var/www/tbg.example.com/" copy=no - creates="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" + unarchive: + src: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}.tar.gz" + dest: "/var/www/tbg.example.com/" + copy: no + creates: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" become: yes become_user: admin-tbg_example_com - name: Create TBG cache directory - file: path="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/cache" state=directory mode=2770 + file: + path: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/cache" + state: directory + mode: 02770 become: yes 
become_user: admin-tbg_example_com - name: Set-up the necessary write permissions for TBG directories - file: path="{{ item }}" mode=g+w + file: + path: "{{ item }}" + mode: g+w with_items: - - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/ - - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/public/ - - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/core/config/ + - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/ + - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/public/ + - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/core/config/ - name: Create symbolic link to TBG application - file: src="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/public" - path="/var/www/tbg.example.com/htdocs" - state=link - owner="admin-tbg_example_com" group="web-tbg_example_com" mode=2750 + file: + src: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/public" + path: "/var/www/tbg.example.com/htdocs" + state: link + owner: "admin-tbg_example_com" + group: "web-tbg_example_com" + mode: 02750 become: yes become_user: admin-tbg_example_com - name: Install TBG dependencies - composer: command=install working_dir="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" + composer: + command: install + working_dir: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" become: yes become_user: admin-tbg_example_com - name: Deploy database configuration file for TBG - copy: src="b2db.yml" dest="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/core/config/b2db.yml" - mode=640 owner=admin-tbg_example_com group=web-tbg_example_com + copy: + src: "b2db.yml" + dest: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/core/config/b2db.yml" + mode: 0640 + owner: admin-tbg_example_com + group: web-tbg_example_com - name: Install pexpect package - apt: name=python-pexpect state=installed + apt: + name: python-pexpect + state: present - name: Deploy expect script for installing TBG - copy: src="tbg_expect_install" 
dest="/var/www/tbg.example.com/tbg_expect_install" mode=750 - become: yes - become_user: admin-tbg_example_com + copy: + src: "tbg_expect_install" + dest: "/var/www/tbg.example.com/tbg_expect_install" + mode: 0750 + owner: admin-tbg_example_com + group: web-tbg_example_com - name: Run TBG installer via expect script command: /var/www/tbg.example.com/tbg_expect_install - chdir="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" - creates="/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/installed" + args: + chdir: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}" + creates: "/var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/installed" become: yes become_user: admin-tbg_example_com + 5. Set-up the files that are deployed by our role. :file:`~/mysite/roles/tbg/files/b2db.yml` @@ -1505,7 +1543,7 @@ Before we start, here is a couple of useful pointers regarding the install_process.sendline(u'') # Wait for application to finish. - install_process.expect(pexpect.EOF) + install_process.expect(pexpect.EOF, timeout=60) except pexpect.EOF as e: pass @@ -1639,7 +1677,7 @@ on the safe side: - libfreetype6-dev - liblcms2-dev - libwebp-dev - - libopenjpeg-dev + - libopenjp2-7-dev - libmariadb-client-lgpl-dev - libmariadb-client-lgpl-dev-compat # Here we specify that anything accessing our website with "/static/" 
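Review bot: Both `get_url` tasks in this hunk still pass the digest through `sha256sum`, which Ansible has deprecated in favour of the `checksum` parameter; since the tasks were already rewritten to expanded syntax, `checksum: "sha256:{{ tbg_archive_checksum }}"` (and the same `sha256:` form for the Composer digest) is the current spelling. The octal modes (`mode: 0755`, `mode: 02770`, `mode: 02750`, `mode: 0640`, `mode: 0750`) are left unquoted and so depend on the YAML 1.1 leading-zero octal rule; quoting them (`mode: "0755"`) removes that dependence on the parser. `copy: no` and the `become: yes` lines are YAML 1.1 truthy strings that Ansible accepts, but `false`/`true` is the form yamllint expects.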
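Review bot: The added `timeout=60` on `install_process.expect(pexpect.EOF, timeout=60)` is an unexplained constant, and the `pexpect.TIMEOUT` raised when the installer runs longer than that is not handled by the `except pexpect.EOF` clause visible below it, so the task fails instead of waiting. If failing loudly on a slow install is the intent, a comment such as `# installer normally finishes well within 60 s; a TIMEOUT is treated as failure` would record it; otherwise catch `pexpect.TIMEOUT` explicitly or raise the value. The enclosing `try` block starts outside the hunk.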
@@ -1698,48 +1736,62 @@ on the safe side: --- - name: Create Django project directory - file: dest="/var/www/wiki.example.com/code" state=directory - owner=admin-wiki_example_com group=web-wiki_example_com - mode=2750 + file: + dest: "/var/www/wiki.example.com/code" + state: directory + owner: admin-wiki_example_com + group: web-wiki_example_com + mode: 02750 - name: Start Django project for the Wiki website - command: /var/www/wiki.example.com/virtualenv/bin/exec django-admin.py startproject wiki_example_com /var/www/wiki.example.com/code - chdir=/var/www/wiki.example.com - creates=/var/www/wiki.example.com/code/wiki_example_com + command: "/var/www/wiki.example.com/virtualenv/bin/exec django-admin.py startproject wiki_example_com /var/www/wiki.example.com/code" + args: + chdir: "/var/www/wiki.example.com" + creates: "/var/www/wiki.example.com/code/wiki_example_com" become: yes become_user: admin-wiki_example_com - name: Deploy settings for wiki website - copy: src="{{ item }}" dest="/var/www/wiki.example.com/code/wiki_example_com/{{ item }}" - mode=640 owner=admin group=web-wiki_example_com + copy: + src: "{{ item }}" + dest: "/var/www/wiki.example.com/code/wiki_example_com/{{ item }}" + mode: 0640 + owner: admin + group: web-wiki_example_com with_items: - - settings.py - - urls.py + - settings.py + - urls.py notify: - - Restart wiki + - Restart wiki - name: Deploy project database and deploy static files - django_manage: command="{{ item }}" - app_path="/var/www/wiki.example.com/code/" - virtualenv="/var/www/wiki.example.com/virtualenv/" + django_manage: + command: "{{ item }}" + app_path: "/var/www/wiki.example.com/code/" + virtualenv: "/var/www/wiki.example.com/virtualenv/" become: yes become_user: admin-wiki_example_com with_items: - - syncdb - - migrate - - collectstatic + - syncdb + - migrate + - collectstatic - name: Deploy the superadmin creation script - copy: src="create_superadmin.py" dest="/var/www/wiki.example.com/code/create_superadmin.py" - 
owner=admin-wiki_example_com group=web-wiki_example_com mode=750 + copy: + src: "create_superadmin.py" + dest: "/var/www/wiki.example.com/code/create_superadmin.py" + owner: admin-wiki_example_com + group: web-wiki_example_com + mode: 0750 - name: Create initial superuser - command: /var/www/wiki.example.com/virtualenv/bin/exec ./create_superadmin.py - chdir=/var/www/wiki.example.com/code/ + command: "/var/www/wiki.example.com/virtualenv/bin/exec ./create_superadmin.py" + args: + chdir: "/var/www/wiki.example.com/code/" become: yes become_user: admin-wiki_example_com register: wiki_superuser - changed_when: wiki_superuser.stdout == "Created superuser." + changed_when: "wiki_superuser.stdout == 'Created superuser.'" :file:`~/mysite/roles/wiki/handlers/main.yml` :: @@ -2081,7 +2133,7 @@ So, back to the business: :: enable_backup: yes - backup_encryption_key: "{{ lookup('pipe', 'gpg2 --homedir ~/mysite/gnupg/ --armour --export-secret-keys ' + ansible_fqdn ) }}" + backup_encryption_key: "{{ lookup('pipe', 'gpg --homedir ~/mysite/gnupg/ --armour --export-secret-keys ' + ansible_fqdn ) }}" backup_server: bak.example.com backup_server_host_ssh_public_keys: - "{{ lookup('file', inventory_dir + '/ssh/bak_dsa_key.pub') }}" @@ -2113,23 +2165,27 @@ So, back to the business: :: chmod 700 ~/mysite/gnupg - cat << EOF | gpg2 --homedir ~/mysite/gnupg --batch --gen-key + pkill gpg-agent + gpg --homedir ~/mysite/gnupg --batch --generate-key << EOF Key-Type:RSA Key-Length:1024 Name-Real:comms.example.com Expire-Date:0 + %no-protection %commit Key-Type:RSA Key-Length:1024 Name-Real:www.example.com Expire-Date:0 + %no-protection %commit Key-Type:RSA Key-Length:1024 Name-Real:bak.example.com Expire-Date:0 + %no-protection %commit EOF
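Review bot: The "Deploy settings for wiki website" task sets `owner: admin`, while every other task in this hunk uses `admin-wiki_example_com` for ownership or `become_user`; the rewrite carried the old `owner=admin` value over, so this looks like a leftover rather than a deliberate choice. Assuming `settings.py` holds the Django secret key and database credentials (its role, not visible here), the line should presumably read `owner: admin-wiki_example_com` so the file follows the same `0640` group-readable scheme as the other deployed files. The `syncdb` entry in the `django_manage` loop was removed in newer Django releases, so a comment naming the Django version these instructions target would help readers on a current release.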
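Review bot: `--export-secret-keys ' + ansible_fqdn` selects the key by a substring match on the user ID, so if one host's FQDN is a suffix of another's (a constructed example: `ak.example.com` and `bak.example.com`) more than one secret key would be exported into `backup_encryption_key`; prefixing the selector with `=` (`'... --export-secret-keys =' + ansible_fqdn`) asks GnuPG for an exact user-ID match, which is what the bare `Name-Real` values used at key generation should produce. This lookup also copies a secret key that is generated without a passphrase (see the `%no-protection` lines in the next hunk) into a host variable, which is worth stating in the surrounding text so readers know where that key ends up.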
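Review bot: The three `Key-Length:1024` lines generate 1024-bit RSA keys, which is below GnuPG's own default (2048 bits or more) and below current guidance for keys that protect backups indefinitely (`Expire-Date:0`); since the generation block is being rewritten here, change each of them to at least `Key-Length:2048`. The added `%no-protection` lines leave the secret keys in `~/mysite/gnupg` without a passphrase, so the `chmod 700` above and keeping that directory out of version control (if `~/mysite` is tracked) are their only protection; the usage text should say so. `pkill gpg-agent` terminates every gpg-agent of the invoking user rather than only the one for this homedir; `gpgconf --homedir ~/mysite/gnupg --kill gpg-agent` is the scoped form, and on GnuPG 2.1 and later an agent for the homedir is started on demand anyway.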