Files @ 9ca9c3ada58a
Branch filter:

Location: majic-ansible-roles/roles/wsgi_website/tasks/main.yml

9ca9c3ada58a 9.4 KiB text/x-yaml Show Annotation Show as Raw Download as Raw
branko
MAR-181: Use Debian-provided Prosody package for testing optional parameter:

- Still properly tests the role, while at the same time making it
possible to use custom apt repository for Debian Buster (due to
Prosody project dropping all repository archives for it).
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
---

- name: Create WSGI website group
  group:
    name: "{{ user }}"
    gid: "{{ uid | default(omit) }}"
    state: present

- name: Create WSGI website admin user
  user:
    name: "{{ admin }}"
    uid: "{{ admin_uid | default(omit) }}"
    group: "{{ user }}"
    shell: /bin/bash
    createhome: true
    home: "{{ home }}"
    state: present

- name: Set-up directory for storing user profile configuration files
  file:
    path: "{{ home }}/.profile.d"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 0750

- name: Deploy profile configuration file for auto-activating the virtual environment
  copy:
    src: "profile_virtualenv.sh"
    dest: "{{ home }}/.profile.d/virtualenv.sh"
    owner: root
    group: "{{ user }}"
    mode: 0640

- name: Deploy profile configuration file for setting environment variables
  template:
    src: "environment.sh.j2"
    dest: "{{ home }}/.profile.d/environment.sh"
    owner: root
    group: "{{ user }}"
    mode: 0640

- name: Create WSGI website user
  user:
    name: "{{ user }}"
    uid: "{{ uid | default(omit) }}"
    group: "{{ user }}"
    comment: "umask=0007"
    system: true
    createhome: false
    state: present
    home: "{{ home }}"
    # This is a workaround for a rather stupid bug that Debian seems
    # uninterested to backport -
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
    shell: /bin/sh

- name: Add nginx user to website group
  user:
    name: www-data
    groups: "{{ user }}"
    append: true
  notify:
    - Restart nginx

# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
  template:
    src: "forward.j2"
    dest: "{{ home }}/.forward"
    owner: root
    group: "{{ user }}"
    mode: 0640

- name: Install extra packages for website
  apt:
    name: "{{ packages }}"
    state: present
  register: install_extra_packages
  notify:
    - Restart WSGI services

# Ignore failures - the virtual environment might not have been
# created yet. Don't use --version because Python 2 outputs to stderr,
# and Python 3 outputs to stdout.
- name: Check current version of Python used in virtual environment (if any)
  command: "{{ home }}/virtualenv/bin/python -c \"import sys; print(sys.version.split(' ')[0])\""
  failed_when: false
  changed_when: false
  register: current_python_version

- name: Remove existing Python virtual environment (wrong Python version)
  file:
    path: "{{ home }}/virtualenv"
    state: absent
  when: "current_python_version.rc == 0 and not current_python_version.stdout.startswith(python_version | string)"
  notify:
    - Restart WSGI services

- name: Create directory for storing the Python virtual environment
  file:
    path: "{{ home }}/virtualenv"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 02750

# @TODO: Get rid of this if possible in Debian Buster.
# Do not install setuptools when creating the virtual environment -
# otherwise it will also install Debian-specific pkg-resources
# package. The pkg-resources package can be removed, but this breaks
# the package downloading via pip.
#
# Install setuptools later on via separate pip invocation.
#
# The pkg-resources package is also annoying because it shows-up in
# the output of the pip freeze command, and also interferes with the
# virtual environment management using pip-tools.
#
# For more details, see:
#
# - https://github.com/pypa/pip/issues/4022
# - https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1635463
# - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871790

- name: Create Python virtual environment
  command: '/usr/bin/virtualenv --no-setuptools --python "{{ python_interpreter }}" --prompt "({{ fqdn }})" "{{ home }}/virtualenv"'
  args:
    creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}"
  become: true
  become_user: "{{ admin }}"

# @TODO: Park of the pkg-resources described above.
- name: Install setuptools in virtual environment
  pip:
    name:
      - "setuptools"
    virtualenv: "{{ home }}/virtualenv"
  become: true
  become_user: "{{ admin }}"

# @TODO: Park of the pkg-resources described above.
- name: Remove the pkg-resources package from virtual environment (see comments above for details)
  pip:
    name: pkg-resources
    virtualenv: "{{ home }}/virtualenv"
    state: absent
  become: true
  become_user: "{{ admin }}"

- name: Configure project directory for the Python virtual environment
  template:
    src: "venv_project.j2"
    dest: "{{ home }}/virtualenv/.project"
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 0640

- name: Deploy virtualenv wrapper
  template:
    src: "venv_exec.j2"
    dest: "{{ home }}/virtualenv/bin/exec"
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 0750

- name: Set-up directory for storing requirements file for upgrade checks
  file:
    path: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}"
    state: directory
    owner: root
    group: pipreqcheck
    mode: 0750

- name: Deploy WSGI requirements files for upgrade checks
  template:
    src: "{{ item }}.j2"
    dest: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}/{{ item }}"
    owner: root
    group: pipreqcheck
    mode: 0640
  with_items:
    - wsgi_requirements.in
    - wsgi_requirements.txt

- name: Deploy Gunicorn requirements file for installation purposes
  template:
    src: "wsgi_requirements.txt.j2"
    dest: "{{ home }}/.wsgi_requirements.txt"
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 0640

- name: Install Gunicorn via requirements file
  become: true
  become_user: "{{ admin }}"
  pip:
    requirements: "{{ home }}/.wsgi_requirements.txt"
    state: present
    virtualenv: "{{ home }}/virtualenv"
  register: install_gunicorn_via_requirements
  notify:
    - Restart WSGI services

- name: Install additional packages in Python virtual environment
  become: true
  become_user: "{{ admin }}"
  pip:
    name: "{{ virtualenv_packages }}"
    state: present
    virtualenv: "{{ home }}/virtualenv"
  register: install_additional_packages_in_virtualenv
  when: virtualenv_packages | length > 0
  notify:
    - Restart WSGI services

- name: Deploy systemd socket configuration for website
  template:
    src: "systemd_wsgi_website.socket.j2"
    dest: "/etc/systemd/system/{{ fqdn }}.socket"
    owner: root
    group: root
    mode: 0644
  register: deploy_systemd_socket_configuration
  notify:
    - Reload systemd
    - Restart WSGI services

- name: Deploy systemd service configuration for website
  template:
    src: "systemd_wsgi_website.service.j2"
    dest: "/etc/systemd/system/{{ fqdn }}.service"
    owner: root
    group: root
    mode: 0644
  register: deploy_systemd_service_configuration
  notify:
    - Reload systemd
    - Restart WSGI services

- name: Enable the website service
  service:
    name: "{{ fqdn }}"
    enabled: true
    state: started

- name: Create directory where static files can be served from
  file:
    path: "{{ home }}/htdocs/"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 02750

- name: Deploy nginx TLS private key for website
  copy:
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
    content: "{{ https_tls_key }}"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate for website
  copy:
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    content: "{{ https_tls_certificate }}"
    owner: root
    group: root
    mode: 0644
  notify:
    - Restart nginx

- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
    owner: root
    group: root
    mode: 0644

- name: Deploy nginx configuration file for website
  template:
    src: "nginx_site.j2"
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
    owner: root
    group: root
    mode: 0640
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
  notify:
    - Restart nginx

- name: Enable nginx website
  file:
    src: "/etc/nginx/sites-available/{{ fqdn }}"
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
    state: link
  notify:
    - Restart nginx

- name: Set-up empty list of WSGI services to restart
  set_fact:
    wsgi_services_to_restart: []
  when: "wsgi_services_to_restart is not defined"
  tags:
    - handlers

- name: Add service to list of WSGI services to restart  # noqa 503
  # [503] Tasks that run when changed should likely be handlers
  #   This specific task is used in order to work around inability of Ansible
  #   to provide properly parametrised handlers for reusable roles.
  set_fact:
    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [ fqdn ] }}"
  when: |
    fqdn not in wsgi_services_to_restart and
    ((install_extra_packages is defined and install_extra_packages.changed) or
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or
    (run_handlers | default(False) | bool()))
  tags:
    - handlers

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers
This site is powered by Kallithea 0.7.0, which is © 2010–2024 by various authors & licensed under GPLv3.