Files
@ b7de8e615ffd
Branch filter:
Location: majic-ansible-roles/roles/wsgi_website/tasks/main.yml
b7de8e615ffd
9.4 KiB
text/x-yaml
MAR-152: Drop support for Debian 8 Jessie from the wsgi_website role.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 | ---
- name: Create WSGI website group
group:
name: "{{ user }}"
gid: "{{ uid | default(omit) }}"
state: present
- name: Create WSGI website admin user
user:
name: "{{ admin }}"
uid: "{{ admin_uid | default(omit) }}"
group: "{{ user }}"
shell: /bin/bash
createhome: true
home: "{{ home }}"
state: present
- name: Set-up directory for storing user profile configuration files
file:
path: "{{ home }}/.profile.d"
state: directory
owner: "{{ admin }}"
group: "{{ user }}"
mode: 0750
- name: Deploy profile configuration file for auto-activating the virtual environment
copy:
src: "profile_virtualenv.sh"
dest: "{{ home }}/.profile.d/virtualenv.sh"
owner: root
group: "{{ user }}"
mode: 0640
- name: Deploy profile configuration file for setting environment variables
template:
src: "environment.sh.j2"
dest: "{{ home }}/.profile.d/environment.sh"
owner: root
group: "{{ user }}"
mode: 0640
- name: Create WSGI website user
user:
name: "{{ user }}"
uid: "{{ uid | default(omit) }}"
group: "{{ user }}"
comment: "umask=0007"
system: true
createhome: false
state: present
home: "{{ home }}"
# This is a workaround for a rather stupid bug that Debian seems
# uninterested to backport -
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
shell: /bin/sh
- name: Add nginx user to website group
user:
name: www-data
groups: "{{ user }}"
append: true
notify:
- Restart nginx
# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
template:
src: "forward.j2"
dest: "{{ home }}/.forward"
owner: root
group: "{{ user }}"
mode: 0640
- name: Install extra packages for website
apt:
name: "{{ packages }}"
state: present
register: install_extra_packages
notify:
- Restart WSGI services
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
file:
src: "/usr/bin/mariadb_config"
dest: "/usr/bin/mysql_config"
state: link
when: "'libmariadb-client-lgpl-dev-compat' in packages"
# Ignore failures - the virtual environment might not have been
# created yet. Don't use --version because Python 2 outputs to stderr,
# and Python 3 outputs to stdout.
- name: Check current version of Python used in virtual environment (if any)
command: "{{ home }}/virtualenv/bin/python -c \"import sys; print(sys.version.split(' ')[0])\""
failed_when: false
changed_when: false
register: current_python_version
- name: Remove existing Python virtual environment (wrong Python version)
file:
path: "{{ home }}/virtualenv"
state: absent
when: "current_python_version.rc == 0 and not current_python_version.stdout.startswith(python_version | string)"
notify:
- Restart WSGI services
- name: Create directory for storing the Python virtual environment
file:
path: "{{ home }}/virtualenv"
state: directory
owner: "{{ admin }}"
group: "{{ user }}"
mode: 02750
# setuptools is excluded on Stretch, because it would pull-in the
# pkg-resources package that then messes with pip freeze etc.
- name: Create Python virtual environment
command: '/usr/bin/virtualenv --no-setuptools --python "{{ python_interpreter }}" --prompt "({{ fqdn }})" "{{ home }}/virtualenv"'
args:
creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}"
become: true
become_user: "{{ admin }}"
tags:
# [ANSIBLE0012] Commands should not change things if nothing needs doing
# This task will not fire if the virtual environment has already bene
# created (thanks to 'creates' parameter).
- skip_ansible_lint
- name: Install latest pip and setuptools in virtual environment
pip:
name:
- "pip>=18.0.0,<19.0.0"
- "setuptools>=40.0.0,<41.0.0"
virtualenv: "{{ home }}/virtualenv"
become: true
become_user: "{{ admin }}"
# Workaround for:
#
# - https://github.com/pypa/pip/issues/4022
# - https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1635463
# - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871790
- name: Remove the pkg-resources package from virtual environment (see comments above for details)
pip:
name: pkg-resources
virtualenv: "{{ home }}/virtualenv"
state: absent
become: true
become_user: "{{ admin }}"
- name: Configure project directory for the Python virtual environment
template:
src: "venv_project.j2"
dest: "{{ home }}/virtualenv/.project"
owner: "{{ admin }}"
group: "{{ user }}"
mode: 0640
- name: Deploy virtualenv wrapper
template:
src: "venv_exec.j2"
dest: "{{ home }}/virtualenv/bin/exec"
owner: "{{ admin }}"
group: "{{ user }}"
mode: 0750
- name: Install WSGI server
become: true
become_user: "{{ admin }}"
pip:
name: "{{ item.package }}"
version: "{{ item.version }}"
state: present
virtualenv: "{{ home }}/virtualenv"
with_items:
- package: gunicorn
version: "{{ gunicorn_version }}"
when: wsgi_requirements | length == 0
register: install_wsgi_server
notify:
- Restart WSGI services
- name: Install futures Python 2 backport (for WSGI server)
become: true
become_user: "{{ admin }}"
pip:
name: "{{ item.package }}"
version: "{{ item.version }}"
state: present
virtualenv: "{{ home }}/virtualenv"
with_items:
- package: futures
version: "{{ futures_version }}"
when: wsgi_requirements | length == 0
register: install_wsgi_server
notify:
- Restart WSGI services
- include: requirements.yml
when: wsgi_requirements | length > 0
- name: Install additional packages in Python virtual environment
become: true
become_user: "{{ admin }}"
pip:
name: "{{ virtualenv_packages }}"
state: present
virtualenv: "{{ home }}/virtualenv"
register: install_additional_packages_in_virtualenv
when: virtualenv_packages | length > 0
notify:
- Restart WSGI services
- name: Deploy systemd socket configuration for website
template:
src: "systemd_wsgi_website.socket.j2"
dest: "/etc/systemd/system/{{ fqdn }}.socket"
owner: root
group: root
mode: 0644
register: deploy_systemd_socket_configuration
notify:
- Reload systemd
- Restart WSGI services
- name: Deploy systemd service configuration for website
template:
src: "systemd_wsgi_website.service.j2"
dest: "/etc/systemd/system/{{ fqdn }}.service"
owner: root
group: root
mode: 0644
register: deploy_systemd_service_configuration
notify:
- Reload systemd
- Restart WSGI services
- name: Enable the website service
service:
name: "{{ fqdn }}"
enabled: true
state: started
- name: Create directory where static files can be served from
file:
path: "{{ home }}/htdocs/"
state: directory
owner: "{{ admin }}"
group: "{{ user }}"
mode: 02750
- name: Deploy nginx TLS private key for website
copy:
dest: "/etc/ssl/private/{{ fqdn }}_https.key"
content: "{{ https_tls_key }}"
owner: root
group: root
mode: 0640
notify:
- Restart nginx
- name: Deploy nginx TLS certificate for website
copy:
dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
content: "{{ https_tls_certificate }}"
owner: root
group: root
mode: 0644
notify:
- Restart nginx
- name: Deploy configuration file for checking certificate validity via cron
copy:
content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
owner: root
group: root
mode: 0644
- name: Deploy nginx configuration file for website
template:
src: "nginx_site.j2"
dest: "/etc/nginx/sites-available/{{ fqdn }}"
owner: root
group: root
mode: 0640
validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
notify:
- Restart nginx
- name: Enable nginx website
file:
src: "/etc/nginx/sites-available/{{ fqdn }}"
dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
state: link
notify:
- Restart nginx
- name: Set-up empty list of WSGI services to restart
set_fact:
wsgi_services_to_restart: []
when: "wsgi_services_to_restart is not defined"
tags:
- handlers
- name: Add service to list of WSGI services to restart
set_fact:
wsgi_services_to_restart: "{{ wsgi_services_to_restart + [ fqdn ] }}"
when: |
fqdn not in wsgi_services_to_restart and
((install_extra_packages is defined and install_extra_packages.changed) or
(install_wsgi_server is defined and install_wsgi_server.changed) or
(install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
(deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
(deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
(install_gunciron_via_requirements is defined and install_gunciron_via_requirements.changed) or
(run_handlers | default(False) | bool()))
tags:
- handlers
# [ANSIBLE0016] Tasks that run when changed should likely be handlers
# This specific task is used in order to work around inability of Ansible
# to provide properly parametrised handlers for reusable roles.
- skip_ansible_lint
- name: Explicitly run all handlers
include: ../handlers/main.yml
when: "run_handlers | default(False) | bool()"
tags:
- handlers
|