From bc5a99a4ee180a9ff4446055bf0311af64c2bf9d Mon Sep 17 00:00:00 2001 From: Sam Thursfield Date: Fri, 20 Oct 2017 15:21:08 +0100 Subject: baserock_webserver: Update after redeployment It now only serves download.baserock.org; the docs are hosted on GitLab pages. It will also serve paste, IRC logging and IRC bots soon! --- README.md | 35 +++++++++++++++++- baserock_webserver/etc/cherokee/cherokee.conf | 13 ------- baserock_webserver/image-config.yml | 21 ++++++++--- baserock_webserver/instance-config.yml | 19 ++++++++++ .../instance-docs.baserock.org-config.yml | 43 ---------------------- 5 files changed, 68 insertions(+), 63 deletions(-) create mode 100644 baserock_webserver/instance-config.yml delete mode 100644 baserock_webserver/instance-docs.baserock.org-config.yml diff --git a/README.md b/README.md index 89a86200..0e327230 100644 --- a/README.md +++ b/README.md @@ -348,7 +348,7 @@ To deploy this system: --user-data ./baserock-ops-team.cloud-config ansible-playbook -i hosts baserock_frontend/image-config.yml ansible-playbook -i hosts baserock_frontend/instance-config.yml \ - --vault-password-file=... + --vault-password-file=~/vault-infra-pass ansible-playbook -i hosts baserock_frontend/instance-backup-config.yml ansible -i hosts -m service -a 'name=haproxy enabled=true state=started' \ 
@@ -376,6 +376,38 @@ usual haproxy.cfg file), use 'git grep' to find all of them. You'll need to update all the relevant config files. We really need some internal DNS system to avoid this hassle. +### General webserver + +The general-purpose webserver provides downloads, plus IRC logging and a +pastebin service. + +To deploy to production: + + openstack volume create \ + --description 'Webserver volume' \ + --size 150 \ + webserver-volume + + nova boot webserver \ + --key-name $keyname \ + --flavor 2C-8GB \ + --image $fedora_image_id \ + --nic "net-id=$network_id" \ + --security-groups default,web-server \ + --user-data ./baserock-ops-team.cloud-config + + nova volume-attach webserver /dev/vdb + + ansible-playbook -i hosts baserock_webserver/image-config.yml + ansible-playbook -i hosts baserock_webserver/instance-config.yml + +The webserver machine runs [Cherokee](http://cherokee-project.com/). You +can use the `cherokee-admin` configuration UI, by connecting to the webserver +over SSH and including this in your SSH commandlines: `-L9090:localhost:9090`. +When you run `sudo cherokee-admin` on the server, you'll be able to browse to +it locally on your machine at `https://localhost:9090/`. You also have to +modify the security groups temporarily to allow that port through. + ### Trove To deploy to production, run these commands in a Baserock 'devel' @@ -444,7 +476,6 @@ To deploy this system to production: ansible-playbook -i hosts baserock_ostree/instance-config.yml ansible-playbook -i hosts baserock_ostree/ostree-access-config.yml - SSL certificates ================ diff --git a/baserock_webserver/etc/cherokee/cherokee.conf b/baserock_webserver/etc/cherokee/cherokee.conf index 987f22ea..6b6a3d7a 100644 --- a/baserock_webserver/etc/cherokee/cherokee.conf +++ b/baserock_webserver/etc/cherokee/cherokee.conf 
@@ -61,19 +61,6 @@ vserver!2!rule!1!handler!rewrite!10!regex = ^.*$ vserver!2!rule!1!handler!rewrite!10!show = 1 vserver!2!rule!1!handler!rewrite!10!substring = /baserock/ vserver!2!rule!1!match = default -vserver!3!directory_index = index.html -vserver!3!document_root = /srv/docs.baserock.org -vserver!3!nick = docs.baserock.org -vserver!3!rule!3!document_root = /usr/share/cherokee/themes -vserver!3!rule!3!handler = file -vserver!3!rule!3!match = directory -vserver!3!rule!3!match!directory = /cherokee_themes -vserver!3!rule!2!document_root = /usr/share/cherokee/icons -vserver!3!rule!2!handler = file -vserver!3!rule!2!match = directory -vserver!3!rule!2!match!directory = /cherokee_icons -vserver!3!rule!1!handler = common -vserver!3!rule!1!match = default icons!default = page_white.png icons!directory = folder.png icons!file!bomb.png = core diff --git a/baserock_webserver/image-config.yml b/baserock_webserver/image-config.yml index 1244faac..29c1ba5f 100644 --- a/baserock_webserver/image-config.yml +++ b/baserock_webserver/image-config.yml @@ -1,11 +1,16 @@ # Configuration for Baserock webserver system image. # -# This expects to be run on a Fedora 22 cloud image. +# This expects to be run on a Fedora 26 cloud image. --- - hosts: webserver gather_facts: false - sudo: yes + become: yes + become_method: sudo tasks: + # see: https://fedoramagazine.org/getting-ansible-working-fedora-23/ + - name: install python2 and required deps for ansible modules + raw: dnf install -y python2 python2-dnf libselinux-python + - name: enable persistant journal shell: mkdir /var/log/journal args: 
@@ -14,11 +19,17 @@ - name: ensure system up to date dnf: name=* state=latest - - name: SELinux configuration (setting it to 'permissive' mode) - copy: src=etc/selinux/config dest=/etc/selinux/ - - name: Cherokee webserver package dnf: name=cherokee state=latest - name: Cherokee configuration copy: src=etc/cherokee/cherokee.conf dest=/etc/cherokee/ + + - name: install lvm2 tools + dnf: name=lvm2 state=latest + + - name: disable SELinux on subsequent boots + selinux: state=disabled + + - name: disable SELinux on current boot + command: setenforce 0 diff --git a/baserock_webserver/instance-config.yml b/baserock_webserver/instance-config.yml new file mode 100644 index 00000000..96f0ee01 --- /dev/null +++ b/baserock_webserver/instance-config.yml @@ -0,0 +1,19 @@ +# Instance configuration for Baserock general-purpose webserver. +# +# Tested against Fedora 26 base image. +--- +- hosts: webserver + gather_facts: false + become: yes + become_method: sudo + tasks: + - import_tasks: ../tasks/create-data-volume.yml lv_name=webserver lv_size=145g mountpoint=/srv + + - name: /srv/download.baserock.org/ + file: path=/srv/download.baserock.org/ owner=fedora state=directory + + - name: Cherokee configuration + copy: src=etc/cherokee/cherokee.conf dest=/etc/cherokee/ + + - name: (re)start Cherokee webserver + service: name=cherokee enabled=yes state=restarted diff --git a/baserock_webserver/instance-docs.baserock.org-config.yml b/baserock_webserver/instance-docs.baserock.org-config.yml deleted file mode 100644 index e5910579..00000000 --- a/baserock_webserver/instance-docs.baserock.org-config.yml +++ /dev/null 
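Review bot: The two tasks added at the end of this image-config.yml hunk turn SELinux off entirely on a host that serves public downloads and, per the commit message, will soon also run a pastebin and IRC bots. The removed task, going by its name, only set permissive mode, which keeps file labels and still logs denials. If enforcing is not workable yet, `selinux: policy=targeted state=permissive` keeps that audit trail and avoids a full relabel when SELinux is re-enabled later. Separately, `command: setenforce 0` only switches the running system to permissive, so the task name "disable SELinux on current boot" is misleading. It also exits non-zero once the machine has rebooted with SELinux disabled, so a later re-run of the playbook would presumably fail there; drop the task or run it only when `getenforce` does not report `Disabled`.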
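Review bot: The 'Cherokee configuration' copy task in the new instance-config.yml sets no `owner`, `group` or `mode`, so the permissions on /etc/cherokee/cherokee.conf depend on what is already on disk or on the umask. Writing it as `copy: src=etc/cherokee/cherokee.conf dest=/etc/cherokee/ owner=root group=root mode=0644` pins them; the `/srv/download.baserock.org/` directory task likewise has `owner=fedora` but no `mode`. The last task uses `state=restarted`, so Cherokee is restarted on every playbook run even when the config did not change, which interrupts downloads in progress. Moving the restart into a handler and adding `notify: restart cherokee` to the copy task would limit it to real config changes. The same copy task also exists in image-config.yml, so a short comment saying which playbook owns the file would help.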
@@ -1,43 +0,0 @@ -# Configuration for docs.baserock.org site. -# -# This expects to be run after image-config.yml. -- hosts: webserver - gather_facts: False - tasks: - - name: /srv/docs.baserock.org/ - file: path=/srv/docs.baserock.org/ owner=fedora state=directory - - - name: git - dnf: name=git state=latest - sudo: yes - - - name: mkdocs documentation generator - pip: name=mkdocs executable=pip3.4 extra_args="--user" - - # A lot of the mkdocs themes are totally broken without Javascript, which - # is stupid. This one looks a little bit ugly without Javascript, but it - # is mostly usable. - - name: mkdocs 'material' theme - pip: name=mkdocs-material executable=pip3.4 extra_args="--user" - - - name: generate-docs.baserock.org script - copy: src=generate-docs.baserock.org dest=/home/fedora/ mode=755 - - - name: generate-docs.baserock.org systemd unit - copy: src=etc/systemd/system/generate-docs.baserock.org.service dest=/etc/systemd/system/ - sudo: yes - - - name: generate-docs.baserock.org systemd timer - copy: src=etc/systemd/system/generate-docs.baserock.org.timer dest=/etc/systemd/system/ - sudo: yes - - # FIXME: it would be much cooler to monitor the output of `gerrit - # stream-events`, or have a git post-receive hook installed on - # git.baserock.org to trigger this. - - name: enable generate-docs.baserock.org timer - service: name=generate-docs.baserock.org.timer state=started enabled=yes - sudo: yes - - - name: enable generate-docs.baserock.org service - service: name=generate-docs.baserock.org.service enabled=yes - sudo: yes -- cgit v1.2.1