majic-ansible-roles Changeset

@@ -115,7 +115,15 @@ packages, and to prepare the environment a bit on the Ansible server:

     apt-get install -y virtualenv virtualenvwrapper git python-pip python-dev

2. Set-up the virtual environment (using the ``ansible`` account)::

2. Set-up the virtual environment (using the ``ansible`` account):

   .. warning::

      If you are already logged-in as user ``ansible`` in the server, you will

      need to log-out and log-in again in order to be able to use

      ``virtualenvwrapper`` commands!

::

     mkdir ~/mysite/

     mkvirtualenv -a ~/mysite/ mysite

@@ -214,12 +222,11 @@ So, let's set this up for start:

2. And that is about it to be able to actually use this particular role! So

   let's try running it::

     workon mysite

     ansible-playbook playbooks/preseed.yml

     workon mysite && ansible-playbook playbooks/preseed.yml

3. If all went well, you should have two files now:

   * :file:`~/mysite/preseed_files/comms.example.com.cfg` and

   * :file:`~/mysite/preseed_files/comms.example.com.cfg`

   * :file:`~/mysite/preseed_files/www.example.com.cfg`

4. You can have a look at them, but you might notice the settings in the file

@@ -255,7 +262,7 @@ So, let's set this up for start:

5. Now re-run the preseed playbook::

     ansible-playbook playbooks/preseed.yml

     workon mysite && ansible-playbook playbooks/preseed.yml

6. The preseed files should have been updated now, and you should have the new

   customised configuration files in the ``preseed_files`` directory. You can

@@ -283,7 +290,7 @@ Bootstrapping servers for Ansible set-up

In order to effectively use Ansible, a small initial bootstrap always has to be

done for managed servers. This mainly involves set-up of Ansible users on the

destination machine, and distributing the SSH public keys for authroisation.

destination machine, and distributing the SSH public keys for authorisation.

When you use the preseed configuration files to deploy a server, you get the

benefit of having the authorized_keys set-up for the root operating system,

@@ -302,9 +309,9 @@ Let's bootstrap our two machines now:

        roles:

          - bootstrap

2. The ``bootstrap`` role actually has only one parameter - for specifying the

   SSH key to deploy to authorized_keys file for the Ansible user on managed

   server. This defaults to content of local file ``~/.ssh/id_rsa.pub``, so no

2. The ``bootstrap`` role has only one parameter - an SSH key which should be

   deployed for the Ansible user on managed server (in the ``authorized_keys``

   file). This defaults to content of local file ``~/.ssh/id_rsa.pub``, so no

   need to make any changes so far.

3. SSH into both machines at least once from the Ansible server in order to

@@ -315,12 +322,13 @@ Let's bootstrap our two machines now:

4. Now, simply run the bootstrap role against the two servers::

     ansible-playbook playbooks/bootstrap.yml

     workon mysite && ansible-playbook playbooks/bootstrap.yml

6. At this point you won't be able to ssh into the machines with root account

   anymore. You would be able to ssh into the machine via public key using the

   ``ansible`` user. The ``ansible`` user will also be granted password-less

   sudo privileges.

   anymore. You will be able to ssh into the machines using the private key of

   the ``ansible`` user (from the Ansible server). The ``ansible`` user will

   also be granted ability to run the ``sudo`` commands without providing

   password.

7. After this you can finally move on to configuring what you really want -

   common configuration and services for your site.

@@ -337,7 +345,8 @@ Let's take care of this common configuration right away:

1. Create playbook for the communications server:

   :file:`~/mysite/playbooks/communications.yml`::

   :file:`~/mysite/playbooks/communications.yml`

::

---

      - hosts: communications

@@ -348,7 +357,8 @@ Let's take care of this common configuration right away:

2. Create playbook for the web server:

   :file:`~/mysite/playbooks/web.yml`::

   :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -359,7 +369,8 @@ Let's take care of this common configuration right away:

3. Create the global site playbook:

   :file:`~/mysite/playbooks/site.yml`::

   :file:`~/mysite/playbooks/site.yml`

::

---

      - include: preseed.yml

@@ -370,7 +381,8 @@ Let's take care of this common configuration right away:

   set-up a common base, we'll set-up the variables file that applies to all

   roles:

   :file:`~/mysite/group_vars/all.yml`::

   :file:`~/mysite/group_vars/all.yml`

::

---

@@ -388,11 +400,12 @@ Let's take care of this common configuration right away:

5. That's all for configuration, time to apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

6. After this you should be able to ssh using the user ``admin`` via public

   key. The ``admin`` user's password has also been set to ``admin``, and the

   user will be member of ``sudo`` group.

6. After this you should be able to *ssh* from Ansible server onto the two

   managed servers using as user ``admin`` using the *SSH* private key. The

   ``admin`` user's password has also been set to ``admin``, and the user will

   be member of ``sudo`` group.

Introducing LDAP

@@ -404,7 +417,8 @@ one up first. This includes both the LDAP *server* and *client* configuration.

1. Update the playbook for communications server to include the LDAP client and

   server roles (``ldap_client`` and ``ldap_server``, respectively).

   :file:`~/mysite/playbooks/communications.yml`::

   :file:`~/mysite/playbooks/communications.yml`

::

---

      - hosts: communications

@@ -418,7 +432,8 @@ one up first. This includes both the LDAP *server* and *client* configuration.

2. Update the playbook for web server to include the LDAP client role

   (``ldap_client``). You never know when it might come in handy :)

   :file:`~/mysite/playbooks/web.yml`::

   :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -430,9 +445,10 @@ one up first. This includes both the LDAP *server* and *client* configuration.

3. Time to configure the roles. For start, let us configure the LDAP server

   role. Keep in mind that there is a lot of default variables set-up by the

   role itself, making our config rather super-short.

   role itself, making our config rather short.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

---

@@ -445,9 +461,10 @@ one up first. This includes both the LDAP *server* and *client* configuration.

   start off with global LDAP client configuration. In case of LDAP client,

   we've got to be a bit more explicit.

   :file:`~/mysite/group_vars/all.yml`::

   :file:`~/mysite/group_vars/all.yml`

::

      # Take note how we set the base DN. By default the ldap_server role

      # Observe how we set the base DN. By default the ldap_server role

      # (defined up there) will use server's domain to form the base for LDAP.

      ldap_client_config:

        - comment: Set the base DN

@@ -467,7 +484,8 @@ one up first. This includes both the LDAP *server* and *client* configuration.

   configuration on the communications server itself. Namely, on that one we

   should be able to connect to socket with LDAP clients instead over TCP port.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      ldap_client_config:

        - comment: Set the base DN

@@ -495,19 +513,21 @@ one up first. This includes both the LDAP *server* and *client* configuration.

   of our own, plus the necessary server certificate for the LDAP service...

   1. Let's first install a couple of more tools on the Ansible server, since we

      will be using ``certtool`` for our improvised CA needs::

      will be using ``certtool`` for our improvised CA needs (run this as

      ``root``)::

        apt-get install gnutls-bin

        apt-get install -y gnutls-bin

   2. Create directory where the private keys and certificates will be stored

      at::

      at (you can switch back to the ``ansible`` user now)::

        mkdir ~/mysite/tls/

   3. It is time to create a couple of templates for the ``certtool`` so it

      would know what extensions and content to have in the certificates:

      :file:`~/mysite/tls/ca.cfg`::

      :file:`~/mysite/tls/ca.cfg`

::

         organization = "Example Inc."

         country = "SE"

@@ -517,7 +537,8 @@ one up first. This includes both the LDAP *server* and *client* configuration.

         cert_signing_key

         crl_signing_key

      :file:`~/mysite/tls/comms.example.com_ldap.cfg`::

      :file:`~/mysite/tls/comms.example.com_ldap.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -544,10 +565,12 @@ one up first. This includes both the LDAP *server* and *client* configuration.

        cp ~/mysite/tls/ca.pem ~/mysite/tls/truststore.pem

7. With private keys and certificates in place, we are almost ready to re-run

   the playbooks! Now, just a *small* tweak to the general configuration, and

   all should be fine.

   the playbooks! Now, just a *small* tweak to the general configuration to set

   where the TLS private keys and certificates can be found at, and all should

   be fine.

   :file:`~/mysite/group_vars/all.yml`::

   :file:`~/mysite/group_vars/all.yml`

::

      tls_private_key_dir: "~/mysite/tls/"

      tls_certificate_dir: "~/mysite/tls/"

@@ -556,7 +579,7 @@ one up first. This includes both the LDAP *server* and *client* configuration.

8. And now as finishing touch, simply run the playbooks again::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

Adding mail server

@@ -564,20 +587,20 @@ Adding mail server

The next thing in line is to implement the mail server capability. *Majic

Ansible Roles* come with two distinct mail server-related roles. One for

setting-up a mail server host (with authenticated IMAP, SMTP etc), and one for

setting-up a mail forwarder (for having the rest of your servers relay through

the mail server host).

setting-up a mail server host (with authenticated IMAP, SMTP, mail storage etc),

and one for setting-up a local SMTP mail forwarder (for having the rest of your

servers relay their mails to the mail server host).

The mail server role looks-up available mail domains, users, and aliases in the

LDAP directory. This has already been set-up on the server

``comms.example.com``, but some modifications will be necessary to

configuration.

``comms.example.com``, but some changes will be required.

1. Update the playbook for communications server to include the mail server

role.

    :file:`~/mysite/playbooks/communications.yml`::

    :file:`~/mysite/playbooks/communications.yml`

::

---

      - hosts: communications

@@ -591,7 +614,8 @@ role.

2. Let's configure the role next.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # Set the LDAP URL to connect through. Keep in mind TLS is required.

      mail_ldap_url: ldap://comms.example.com/

@@ -619,10 +643,11 @@ role.

   before accepting them as valid mail users. Once again, the LDAP server role

   comes with a simple option for creating groups.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # Don't forget, the passwords here must match with passwords specified

      # under for mail_ldap_postfix_password/mail_ldap_dovecot_password.

      # under options mail_ldap_postfix_password/mail_ldap_dovecot_password.

      ldap_server_consumers:

         - name: postfix

           password: postfix

@@ -643,10 +668,11 @@ role.

      other means than the ``ldap_entries`` option. The reason for this is

      because this type of data in LDAP directory can be considered more of an

      operational/application data than configuration data that frequently

      changes (especially the user passwords/info. Keep in mind that you shold

      changes (especially the user passwords/info). Keep in mind that you shold

      also be backing-up your LDAP directory on regular basis ;)

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      ldap_entries:

          # Create first a couple of user entries. Don't forget to set the

@@ -673,7 +699,7 @@ role.

          # ldap_entries option passes the provided entries directly to the

          # ldap_entry module. "state: append" will make sure we don't overwrite

          # the group, and instead add the attributes to it (in this case we add

          # the two users).

          # the two users from above).

          - dn: cn=mail,ou=groups,dc=example,dc=com

            uniqueMember:

              - uid=johndoe,ou=people,dc=example,dc=com

@@ -699,7 +725,8 @@ role.

   1. Create new templates for ``certtool``:

      :file:`~/mysite/tls/comms.example.com_smtp.cfg`::

      :file:`~/mysite/tls/comms.example.com_smtp.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -710,7 +737,8 @@ role.

         signing_key

         encryption_key

      :file:`~/mysite/tls/comms.example.com_imap.cfg`::

      :file:`~/mysite/tls/comms.example.com_imap.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -721,7 +749,7 @@ role.

         signing_key

         encryption_key

   2. Create the keys and certificates for SMATP/IMAP services based on the templates::

   2. Create the keys and certificates for SMTP/IMAP services based on the templates::

        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_smtp.key

        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_smtp.cfg --load-privkey ~/mysite/tls/comms.example.com_smtp.key --outfile ~/mysite/tls/comms.example.com_smtp.pem

@@ -730,19 +758,27 @@ role.

6. Configuration and TLS keys have ben set-up, so it is time to apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

7. If no errors have been reported, at this point you should have two mail

accounts - ``john.doe@example.com``, with password ``johndoe``, and

``jane.doe@example.com``, with password ``janedoe``. In this particular set-up,

the mail addresses are used as usernames. If you want to test it out, simply

install ``swaks`` on yout ansible machine, and run something along the lines of::

   accounts - ``john.doe@example.com``, with password ``johndoe``, and

   ``jane.doe@example.com``, with password ``janedoe``. In this particular

   set-up, the mail addresses are used as usernames. If you want to test it out,

   simply install ``swaks`` on your Ansible machine, and run something along the

   lines of

   .. warning::

      You may want to wait around five minutes or so at this point in order to

      let the ClamAV daemon download the latest virus database, otherwise mail

      delivery will fail.

  swaks --to john.doe@example.com --server comms.example.com

  swaks --to jane.doe@example.com --server comms.example.com

::

Of course, free feel to test out the mail server using mail client of your

choice.

     swaks --to john.doe@example.com --server comms.example.com

     swaks --to jane.doe@example.com --server comms.example.com

  Of course, free feel to also test out the mail server using any mail client of

  your choice.

Setting-up mail relaying from web server

@@ -751,11 +787,12 @@ Setting-up mail relaying from web server

With the mail server set-up, the next thing to do would be to set-up the SMTP

server on web server to relay mails via the communications server. This way we

can make sure that mail that gets sent via local SMTP to external addresses on

the web server goes through anti-virus scans and such.

the web server goes through our anti-virus scanner.

1. Update the web server list of roles to include the mail forwarder role.

1. Update the list of roles for web server to include the mail forwarder role.

   :file:`~/mysite/playbooks/web.yml`::

   :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -769,7 +806,8 @@ the web server goes through anti-virus scans and such.

   configuration has not been touched before, so this will be a new

   configuration file.

   :file:`~/mysite/group_vars/web.yml`::

   :file:`~/mysite/group_vars/web.yml`

::

---

@@ -779,8 +817,9 @@ the web server goes through anti-virus scans and such.

         root: root john.doe@example.com

      # Now signal the local SMTP to relay any non-local mails via our

      # communications server. Don't forget to specify your own IP address

      # here. Without this option, the SMTP would send out the mails directly.

      # communications server. Don't forget to specify your own IP address (or

      # FQDN) here. Without this option, the SMTP would send out the mails

      # directly.

      smtp_relay_host: comms.example.com

3. Although we have told our web server to use the communications server as

@@ -791,7 +830,8 @@ the web server goes through anti-virus scans and such.

   So, let's fix this a bit - we have a configuration option for the mail server

   for exactly this purpose.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # We want to allow relaying of mails from our web server here. Beware the

      # IP spoofing, though! Don't forget to change the bellow IP for your

@@ -801,11 +841,12 @@ the web server goes through anti-virus scans and such.

4. Let's apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

5. After this you may want to test out sending mail via web server's local SMTP

   to the root user (to see if the aliasing works), and to some external mail

   address - just run something along the lines of::

   address to check if forwarding works correctly too. Run some something

   similar to the following on your web server::

     swaks --to root@localhost --server localhost

     swaks --to YOUR_MAIL --server localhost

@@ -824,7 +865,8 @@ role.

1. Update the playbook for communications server to include the XMPP server

   role.

   :file:`~/mysite/playbooks/communications.yml`::

   :file:`~/mysite/playbooks/communications.yml`

::

---

      - hosts: communications

@@ -839,7 +881,8 @@ role.

2. Configure the role.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # Set one of the users to also be an XMPP administrator.

      xmpp_administrators:

@@ -866,7 +909,8 @@ role.

   Prosody itself. We should also create the group for granting the users right

   to use the service.

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # Just make sure the new entry is added for the prosody user - you can

      # leave the postfix/dovecot intact in your file if you use different

@@ -895,7 +939,8 @@ role.

      Same warning applies here as for mail server role for managing the

      user/group entries! Scroll up and re-read it if you missed it!

   :file:`~/mysite/group_vars/communications.yml`::

   :file:`~/mysite/group_vars/communications.yml`

::

      # Don't replace the entire ldap_entries, just append the new group

      # modification.

@@ -912,12 +957,13 @@ role.

              - uid=janedoe,ou=people,dc=example,dc=com

            state: append

5. Do you know what it is time to do now? Yes! Create some more TLS private keys

5. Do you know what comes next? Yes! Create some more TLS private keys

   and certificates, this time for our XMPP server ;)

   1. Create new template for ``certtool``:

      :file:`~/mysite/tls/comms.example.com_xmpp.cfg`::

      :file:`~/mysite/tls/comms.example.com_xmpp.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -935,26 +981,27 @@ role.

6. Apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

7. If no errors have been reported, at this point you should have two users

   capable of using the XMPP service - one with username

   ``john.doe@example.com`` and one with username ``jane.doe@example.com``. Same

   passwords are used as for when you were creating the two users for mail

   server. For testing you can turn to your favourite XMPP client (I don't know

   of any CLI-based tools to test the XMPP server functionality, unfortunately).

   of any quick CLI-based tools to test the XMPP server functionality,

   unfortunately, but you could try using `mcabber <https://mcabber.com/>`_).

Taking a step back - preparing for web server

---------------------------------------------

Up until now the usage instructions have touched almost exclisively on the

Up until now the usage instructions have dealt almost exclusively with the

communications server. That is, we haven't done anything beyond the basic set-up

of the web server.

Let us first define what we want to deploy on the web server. Since the goal is

to demonstrate the full spectrum of *Majic Ansible Roles*, we will stick to the

so far unused roles for this purpose. So, here is the plan:

to demonstrate the full spectrum of *Majic Ansible Roles*, we will cover the

remaining unused roles for this purpose. So, here is the plan:

1. First off, we will set-up the web server. This will be necessary no matter

   what web application we decide to deploy later on.

@@ -967,7 +1014,7 @@ so far unused roles for this purpose. So, here is the plan:

   setting-up a couple of web applications. For the purpose of the usage

   instructions, we will deploy the following two:

   1. `The Bug Genie <https://thebuggenie.org/>`_ - an issue tracker. To keep

   1. `The Bug Genie <http://thebuggenie.org/>`_ - an issue tracker. To keep

      things simple, we will not integrate it with our LDAP server (although

      this is supported and possible). Being written in PHP, this will

      demonstrate the role for PHP web application deployment.

@@ -979,7 +1026,7 @@ so far unused roles for this purpose. So, here is the plan:

It should be noted that the web application deployment roles are a bit more

complex - namely they are not meant to be used directly, but instead as a

dependency for a custom role. They do come with decent amount of batteries

included, and also play nice with the web server role, though.

included, and also play nice with the web server role.

With all the above noted, let us finally move on to the next step.

@@ -989,12 +1036,13 @@ Setting-up the web server

Finally we are moving on to the web server deployment, and we shell start

with... Well, erm, web server deployment! To be more precise, we will set-up

Nginx on the server.

Nginx.

1. Update the playbook for web server to include the web server role.

    :file:`~/mysite/playbooks/web.yml`::

    :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -1010,7 +1058,8 @@ Nginx on the server.

   server role parameters are all optional, and they default to some ok-ish

   values. But let us spicen up things a bit nevertheless.

   :file:`~/mysite/group_vars/web.yml`::

   :file:`~/mysite/group_vars/web.yml`

::

      web_default_title: "Welcome to default page!"

      web_default_message: "Nothing to see here, move along..."

@@ -1020,7 +1069,8 @@ Nginx on the server.

   1. Create new template for ``certtool``:

      :file:`~/mysite/tls/www.example.com_https.cfg`::

      :file:`~/mysite/tls/www.example.com_https.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -1039,10 +1089,10 @@ Nginx on the server.

4. Apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

5. If no errors have been reported, at this point you should have a default web

   page available and visible at https://www.example.com/. Feel free to try it

   page available and visible at https://www.example.com/ and http://www.example.com/. Feel free to try it

   out with some browser. Keep in mind you will get a warning about the

   untrusted certificate!

@@ -1052,13 +1102,14 @@ Adding the database server

Since both of the web applications we want to deploy need a database, we will

proceed to set-up the database server role on the web server itself. *Majic

Ansible Roles* in particular comes with a role that will deploy MariaDB database

Ansible Roles* in particular come with a role that will deploy MariaDB database

server.

1. Update the playbook for web server to include the database server role.

    :file:`~/mysite/playbooks/web.yml`::

    :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -1074,18 +1125,19 @@ server.

2. Now let's configure the role. This is rather simplistic, since we only need

   to set the database server root (admin) password.

   :file:`~/mysite/group_vars/web.yml`::

   :file:`~/mysite/group_vars/web.yml`

::

      db_root_password: root

3. No TLS support has been implemented for this role (yet), so simply apply the

   changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

4. If no errors have been reported, you should have a database server up and

   running on the web server. You should be able to log-in using password

   ``root`` via command::

   ``root`` by running the following command on the web server itself::

     mysql -uroot -p

@@ -1099,17 +1151,17 @@ Deploying a PHP web application (The Bug Genie)

We have some basic infrastructure up and running now on our web server, so we

shall move on to setting-up a PHP web application on it. As mentioned before, we

will take The Bug Genie as an example.

will take *The Bug Genie* as an example.

For this we will create a local role in our site to take care of it. This role

will in turn utilise two roles coming from *Majic Ansible Roles* that will make

our life (a little) easier.

To make the example a bit simpler, no parameters will be introducd to this role

(not even the password for database etc).

To make the example a bit simpler, no parameters will be introducd for this role

(not even the password for database, we'll hard-code everything).

Here is also a couple of useful pointers regarding the ``php_website`` role

we'll be using for the PHP part:

Before we start, here is a couple of useful pointers regarding the

``php_website`` role we'll be using for the PHP part:

* The role is designed to execute every application via dedicated user and

  group. The user/group name is automatically derived from the FQDN of website,

@@ -1149,7 +1201,8 @@ we'll be using for the PHP part:

2. Let's set-up role dependencies, reusing some common roles to make our life

   easier.

   :file:`~/mysite/roles/tbg/meta/main.yml`::

   :file:`~/mysite/roles/tbg/meta/main.yml`

::

---

@@ -1159,9 +1212,10 @@ we'll be using for the PHP part:

         - role: php_website

           # We shall let our admin account be able to read/write files

           # belonging to the application. This allows us to use regular user

           # (admin in this case) without sudo.

           # (admin in this case) without sudo for managing and accessing

           # application files.

           admin: admin

           # This will set-up a new virtual host for our app.

           # Our virtual host will for PHP website will respond to this name.

           fqdn: tbg.example.com

           # Some additional packages are required in order to deploy and use TBG.

           packages:

@@ -1184,17 +1238,18 @@ we'll be using for the PHP part:

           # This is both the database name, _and_ name of the database user

           # that will be granted full privileges on the database.

           db_name: tbg

           # This will be the password of our user 'tbg' to access the

           # This will be the password of our user 'tbg' for accessing the

           # database. Take note the user can only login from localhost.

           db_password: tbg

3. Now for my favourite part again - creating private keys certificates! Why?

   Because the ``php_website`` role requires a private key/certificate pair to

   be deployed. So... Moving on:

3. Now for my favourite part again - creating private keys and certificates!

   Why?  Because the ``php_website`` role requires a private key/certificate

   pair to be deployed. So... Moving on:

   1. Create new template for ``certtool``:

      :file:`~/mysite/tls/tbg.example.com_https.cfg`::

      :file:`~/mysite/tls/tbg.example.com_https.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -1213,7 +1268,8 @@ we'll be using for the PHP part:

4. Time to get our hands a bit more dirty... Up until now we didn't have to write

   custom tasks, but at this point we need to.

   :file:`~/mysite/roles/tbg/tasks/main.yml`::

   :file:`~/mysite/roles/tbg/tasks/main.yml`

::

---

@@ -1245,7 +1301,7 @@ we'll be using for the PHP part:

        become: yes

        become_user: admin

      - name: Set-up writeable directories for TBG install

      - name: Set-up the necessary write permissions for TBG directories

        file: path="{{ item }}" mode=g+w

        with_items:

           - /var/www/tbg.example.com/thebuggenie-{{ tbg_version }}/

@@ -1281,9 +1337,10 @@ we'll be using for the PHP part:

        become: yes

        become_user: admin

5. Set-up the files that are deployed via task above.

5. Set-up the files that are deployed by our role.

   :file:`~/mysite/roles/tbg/files/b2db.yml`::

   :file:`~/mysite/roles/tbg/files/b2db.yml`

::

      b2db:

          username: "tbg"

@@ -1292,7 +1349,8 @@ we'll be using for the PHP part:

          tableprefix: ''

          cacheclass: '\thebuggenie\core\framework\Cache'

   :file:`~/mysite/roles/tbg/files/tbg_expect_install`::

   :file:`~/mysite/roles/tbg/files/tbg_expect_install`

::

      #!/usr/bin/expect

@@ -1306,7 +1364,8 @@ we'll be using for the PHP part:

6. And... Let's add the new role to our web server.

   :file:`~/mysite/playbooks/web.yml`::

   :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -1322,9 +1381,9 @@ we'll be using for the PHP part:

7. Apply the changes::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

8. At this point TBG has been installed, and you should be able to open the URL

8. At this point *The Bug Genie* has been installed, and you should be able to open the URL

   https://tbg.example.com/ (or http://tbg.example.com/) and log-in into

   *The Bug Genie* with username ``administrator`` and password ``admin``.

@@ -1332,15 +1391,15 @@ we'll be using for the PHP part:

Deploying a WSGI application (Django Wiki)

------------------------------------------

Next thing up will be to deploy a WSGI Python application - our wiki website.

Next thing up will be to deploy a WSGI Python application.

Similar to the PHP application deployment, we will use a couple of roles to make

it easier to deploy it in a standardised manner, and we will not have any kind

of parameters for configuring the application role.

of parameters for configuring the role to keep things simple.

Most of the notes on how the application is deployed in case of ``php_website``

role also stand for the ``wsgi_website`` role, but we will reitarte and clarify

them a bit just to be on the safe side:

Most of the notes on how a ``php_website`` role is deployed also stand for the

``wsgi_website`` role, but we will reiterate and clarify them a bit just to be

on the safe side:

* The role is designed to execute every application via dedicated user and

  group. The user/group name is automatically derived from the FQDN of website,

@@ -1385,7 +1444,8 @@ them a bit just to be on the safe side:

2. Set-up some role dependencies, reusing the common role infrastructure.

   :file:`~/mysite/roles/wiki/meta/main.yml`::

   :file:`~/mysite/roles/wiki/meta/main.yml`

::

---

@@ -1393,7 +1453,8 @@ them a bit just to be on the safe side:

         - role: wsgi_website

           admin: admin

           fqdn: wiki.example.com

           # Most of these packages are needed for building Python packages.

           # In many cases you need to have some development packages available

           # in order to build Python packages installed via pip

           packages:

              - build-essential

              - python-dev

@@ -1406,13 +1467,25 @@ them a bit just to be on the safe side:

              - libopenjpeg-dev

              - libmariadb-client-lgpl-dev

              - libmariadb-client-lgpl-dev-compat

           # Here we specify that anything accessing our website with "/static/"

           # URL should be treated as request to a static file, to be served

           # directly by Nginx instead of the WSGI server.

           static_locations:

              - /static/

           # Again, not mandatory, but it is good to have some sort of policy

           # for assigning UIDs.

           uid: 2001

           # These are additional packages that should be installed in the

           # virtual environment.

           virtualenv_packages:

              - pillow

              - wiki

              - MySQL-python

           # This is the name of the WSGI application to

           # serve. wiki_example_com.wsgi will be the Python "module" that is

           # accesed, while application is the object instantiated within it (the

           # application itself). The module is referenced relative to the code

           # directory (in our case /var/www/wiki.example.com/code/).

           wsgi_application: wiki_example_com.wsgi:application

         - role: database

           db_name: wiki

@@ -1422,7 +1495,8 @@ them a bit just to be on the safe side:

   1. Create new template for ``certtool``:

      :file:`~/mysite/tls/wiki.example.com_https.cfg`::

      :file:`~/mysite/tls/wiki.example.com_https.cfg`

::

         organization = "Example Inc."

         country = SE

@@ -1441,14 +1515,11 @@ them a bit just to be on the safe side:

4. At this point we have exhausted what we can do with the built-in roles. Time

   to add some custom tasks.

   :file:`~/mysite/roles/wiki/tasks/main.yml`::

   :file:`~/mysite/roles/wiki/tasks/main.yml`

::

---

      - name: Set-up symbolic link for mysql_config for building MySQL-python

        file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config"

              state="link"

      - name: Create Django project directory

        file: dest="/var/www/wiki.example.com/code" state=directory

              owner=admin group=web-wiki_example_com

@@ -1496,7 +1567,8 @@ them a bit just to be on the safe side:

5. There is a couple of files that we are deploying through the above

   tasks. Let's create them as well.

   :file:`~/mysite/roles/wiki/files/settings.py`::

   :file:`~/mysite/roles/wiki/files/settings.py`

::

"""

      Django settings for wiki_example_com project.

@@ -1609,7 +1681,8 @@ them a bit just to be on the safe side:

      SITE_ID=1

   :file:`~/mysite/roles/wiki/files/urls.py`::

   :file:`~/mysite/roles/wiki/files/urls.py`

::

      from django.conf.urls import patterns, include, url

      from wiki.urls import get_pattern as get_wiki_pattern

@@ -1631,7 +1704,8 @@ them a bit just to be on the safe side:

          (r'', get_wiki_pattern())

   :file:`~/mysite/roles/wiki/files/create_superadmin.py`::

   :file:`~/mysite/roles/wiki/files/create_superadmin.py`

::

      #!/usr/bin/env python

@@ -1647,7 +1721,8 @@ them a bit just to be on the safe side:

6. Time to add the new role to our web server.

   :file:`~/mysite/playbooks/web.yml`::

   :file:`~/mysite/playbooks/web.yml`

::

---

      - hosts: web

@@ -1662,9 +1737,20 @@ them a bit just to be on the safe side:

          - tbg

          - wiki

7. Apply the changes::

7. Apply the changes:

   .. warning::

      Due to `Debian Bug 766996

      <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766996>`_ before

      applying the changes please manually run command ``sudo ln -s

      /usr/bin/mariadb_config /usr/local/bin/mysql_config`` on the web

      server. Otherwise the MySQL-python package will fail to build due to

      missing ``mysql_config`` binary.

::

     ansible-playbook playbooks/site.yml

     workon mysite && ansible-playbook playbooks/site.yml

8. At this point Django Wiki has been installed, and you should be able to open

   the URL https://wiki.example.com/ (or http://wiki.example.com/) and log-in