Changeset - 09625826d96f
Branko Majic (branko) - 9 years ago 2015-08-16 21:25:25
branko@majic.rs
MAR-15: Added implementation for the database server role. Performs very simple deployment and set-up of MariaDB database server.
7 files changed with 76 insertions and 1 deletions:
docs/rolereference.rst
 
@@ -1087,96 +1087,130 @@ The role is implemented with the following layout/logic in mind:
 
  on the directory. This allows admin, with correct umask, to create necessary
 
  files and directories that should be readable (and eventually writeable) by
 
  the website user (running the WSGI application) without having to become root.
 
* All files placed in the website directory should be either created there
 
  directly, or copied to the directory in order to make sure the ``SGID`` gets
 
  honored. **Do not move the files, the permissions will not be set correctly.**
 
* Within the website directory, Python virtual environment can be found within
 
  the ``virtualenv`` sub-directory. The virtual environment is also symlinked to
 
  website admin's ``~/.virtualenvs/`` directory for easier access (and
 
  auto-completion with virtualenvwrapper).
 
* Within the website directory, nginx will expect to find the static files
 
  within the ``htdocs`` sub-directory (this can be symlink too). Locations/aliases
 
  can be configured for static file serving.
 
* Within the website directory, systemd service will expect to find the website
 
  code within the ``code`` sub-directory (this can be symlink too).
 
* nginx communicates with WSGI server over a dedicated Unix socket for each
 
  website.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**admin** (string, mandatory)
 
  Name of the operating system user in charge of maintaining the website. This
 
  user is capable of making modifications to website configuration anda data
 
  stored within the website directory.
 

	
 
**fqdn** (string, mandatory)
 
  Fully-qualified domain name where the website is reachable. This value is used
 
  for calculating the user/group name for dedicated website user, as well as
 
  home directory of the website user (where data/code should be stored at).
 

	
 
**https_tls_certificate** (string, mandatory)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**https_tls_key** (string, mandatory)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**packages** (list, optional)
 
  A list of additional packages to install for this particular WSGI
 
  website. This is usually going to be development libraries for building Python
 
  packages.
 

	
 
**rewrites** (list, optional)
 
  A list of rewrite rules that are applied to incoming requests. Each element of
 
  the list should be a string value compatible with the format of ``nginx``
 
  option ``rewrite``. The keyword ``rewrite`` itself should be omitted, as well
 
  as trailing semi-colon (``;``).
 

	
 
**static_locations** (list, optional)
 
  List of locations that should be treated as static-only, and not processed by
 
  the WSGI application at all. This is normally used for designating serving of
 
  static/media files by Nginx (for example, in case of Django projects for
 
  ``/static/`` and ``/media/``).
 

	
 
**uid** (integer, mandatory)
 
  UID/GID (they are set-up to be the same) of the dedicated website
 
  user/group.
 

	
 
**use_paste** (boolean, optional)
 
  Tell Gunicorn to assume that the passed-in ``wsgi_application`` value is a
 
  filename of a Python Paste ``ini`` file instead of WSGI application.
 

	
 
**virtuaelnv_packages** (list, optional)
 
  A list of additional packages to install for this particular PHP
 
  appliction. This is usually going to be different PHP extensions.
 

	
 
**wsgi_application** (string, mandatory)
 
  WSGI application that should be started by Gunicorn. The format should be
 
  conformant to what the ``gunicorn`` command-line tool accepts. If the
 
  ``use_paste`` option is enabled, the value should be equal to filename of the
 
  Python Paste ini file, located in the ``code`` sub-directory.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up a (base) WSGI website (for
 
running a bare Django project):
 

	
 
.. code-block:: yaml
 

	
 
    - role: wsgi_website
 
      admin: admin
 
      fqdn: django.example.com
 
      static_locations:
 
        - /static
 
        - /media
 
      uid: 2004
 
      virtualenv_packages:
 
        - django
 
      wsgi_application: django_example_com.wsgi:application
 
      https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key"
 
      https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem"
 

	
 

	
 
Database Server
 
---------------
 

	
 
The ``database_server`` role can be used for setting-up a MariaDB database
 
server on destination machine.
 

	
 
The role implements the following:
 

	
 
* Installs MariaDB server and client.
 
* Configures MariaDB server and client to use *UTF-8* encoding by default.
 
* Sets password for the database root user.
 
* Deploys MariaDB client configuration in location ``/root/.my.cnf`` that
 
  contains username and password for the root database user.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**db_root_password** (string, mandatory)
 
  Password for the *root* database user.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up the database server:
 

	
 
.. code-block:: yaml
 

	
 
   ---
 

	
 
   db_root_password: root
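Review bot: the documented example `db_root_password: root` puts a trivially guessable root password into copy-paste-ready documentation, and the same value is what the role writes into `/root/.my.cnf`; point the example at a vaulted variable instead (for instance `db_root_password: "{{ vault_db_root_password }}"`) and state in the parameter description that the value must be strong and kept out of plain-text inventory. The "The role implements" list should also say that `/root/.my.cnf` is deployed root-owned with mode 0400 and that `python-mysqldb` is installed for the Ansible MySQL modules, since both are visible in `tasks/main.yml`. While touching this file, the surrounding context still carries typos ("anda data", "virtuaelnv_packages", "appliction") and the `virtualenv_packages` description is copied from the PHP role.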
roles/database_server/files/utf8.cnf
 
new file 100644
 
[client]
 
default-character-set = utf8
 

	
 
[mysqld]
 
character-set-server  = utf8
 
collation-server      = utf8_general_ci
 
character_set_server  = utf8
 
collation_server      = utf8_general_ci
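Review bot: in the `[mysqld]` section `character-set-server`/`character_set_server` and `collation-server`/`collation_server` are the same two options spelled twice (MariaDB treats `-` and `_` in option names as equivalent), so each setting is applied twice; keep one spelling of each. Consider `utf8mb4` with `utf8mb4_general_ci` rather than `utf8`: MariaDB's `utf8` is the three-byte subset of UTF-8, so four-byte characters (emoji, some CJK) are truncated or rejected depending on SQL mode, which is a data-integrity problem the application then has to work around.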
roles/database_server/handlers/main.yml
 
new file 100644
 
---
 

	
 
- name: Restart MariaDB
 
  service: name=mysql state=restarted
 
\ No newline at end of file
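Review bot: the handler file ends without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean. The handler itself is fine: the `mysql` service name matches the one used by the `Enable and start MariaDB` task in `tasks/main.yml`.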
roles/database_server/tasks/main.yml
 
new file 100644
 
---
 

	
 
- name: Install MariaDB
 
  apt: name="{{ item }}" state=installed
 
  with_items:
 
    - mariadb-client
 
    - mariadb-server
 
    - python-mysqldb
 

	
 
- name: Enable and start MariaDB
 
  service: name=mysql enabled=yes state=started
 

	
 
- name: Set password for the root database user
 
  mysql_user: check_implicit_admin=yes name=root password="{{ db_root_password }}"
 

	
 
- name: Deploy username and password for the root database user
 
  template: src="root_my.cnf.j2" dest="/root/.my.cnf"
 
            owner=root group=root mode=400
 

	
 
- name: Set UTF-8 encoding as default for MariaDB
 
  copy: src="utf8.cnf" dest="/etc/mysql/conf.d/utf8.cnf"
 
        owner=root group=root mode=644
 
  notify: Restart MariaDB
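Review bot: `Set password for the root database user` passes no `login_user`/`login_password`, so on the first run it depends on `check_implicit_admin` (passwordless root) and on every later run on the credentials in `/root/.my.cnf`, which is only deployed by the task after it; if the play fails between those two tasks, re-runs can no longer authenticate. Pass `login_user=root login_password="{{ db_root_password }}"` explicitly so the task is self-sufficient (with `check_implicit_admin=yes` the passwordless attempt is still tried first). Second, the UTF-8 configuration is copied last and only takes effect when the handler restarts the server at the end of the play; move the `copy` task between `Install MariaDB` and `Enable and start MariaDB` so the first start already uses it, keeping `notify: Restart MariaDB` for later changes.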
roles/database_server/templates/root_my.cnf.j2
 
new file 100644
 
[client]
 
user=root
 
password={{ db_root_password }}
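Review bot: `password={{ db_root_password }}` is emitted unquoted, so a password containing `#` or leading/trailing whitespace is parsed differently by the option-file reader than the value handed to `mysql_user`, and root login from `/root/.my.cnf` silently breaks. Write `password="{{ db_root_password }}"` (option files accept double-quoted values; backslashes and double quotes inside still need escaping). Since this template materialises the root credential on disk, the `mode=400` set by the deploying task in `tasks/main.yml` is the right choice and should not be relaxed.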
testsite/group_vars/web.yml
 
---
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: dc=example,dc=com
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldap://ldap.example.com/
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/example_ca_chain.pem
 

	
 
local_mail_aliases:
 
  root: "root john.doe@example.com"
 

	
 
smtp_relay_host: mail.example.com
 

	
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
 
https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
 

	
 
web_default_title: "Welcome to Example Inc."
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
\ No newline at end of file
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 

	
 
db_root_password: "root"
 
\ No newline at end of file
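Review bot: `db_root_password: "root"` commits the database root password to the repository in clear text, and with the weakest possible value; even for the test site, store it with `ansible-vault` and use a non-trivial value, since this same string ends up in `/root/.my.cnf` on the target. The file also still ends without a trailing newline; restore it while editing.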
testsite/playbooks/web.yml
 
---
 

	
 
- hosts: web
 
  remote_user: ansible
 
  sudo: yes
 
  roles:
 
    - common
 
    - ldap_client
 
    - mail_forwarder
 
    - database_server
 
    - web_server
 
    - phpinfo
 
    - wsgihello