Merge branch 'master' of https://gitlab.rrz.uni-hamburg.de/bax1489/otree-ansible

46b2d790 · Gallenkamp, Fabian · 3ae9bd34 · 146ec995 · 46b2d790 · 46b2d790
Commit 46b2d790 authored 5 years ago by Gallenkamp, Fabian
--- a/configure_nginx.yml
+++ b/configure_nginx.yml
@@ -32,6 +32,26 @@
        - absent
        - directory

+    # add and enable default_server entry; on http: 302->https, on https throw 403 per default
+    - name: setup nginx vhosts
+      template:
+        src: templates/nginx_default_site.conf.j2
+        dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: create symlinks for nginx vhosts confs
+      file:
+        state: link
+        src: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        dest: "{{ nginx_sites_enabled }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart nginx
+
+
    # add new vhost configs and enable them
    - name: setup nginx vhosts
      template:
@@ -62,22 +82,6 @@
        group: root
        mode: "0644"
      notify: restart nginx
-    # TLS certificates
-    # Unfourtunately not scriptable due to security considerations
-    #- name: copy over certificate key files
-    #  copy:
-    #    src: "{{ item.src }}"
-    #    dest: "{{ item.dest }}"
-    #    group: root
-    #    mode: "{{ item.mode }}"
-    #  no_log: yes
-    #  with_items:
-    #    - src: "ssl/certs/localhost.crt"
-    #      dest: "/etc/ssl/certs/localhost.crt"
-    #      mode: "0644"
-    #    - src: "ssl/private/localhost.key"
-    #      dest: "/etc/ssl/private/localhost.key"
-    #      mode: "0600"

  handlers:
    - name: restart nginx

--- a/configure_otree.yml
+++ b/configure_otree.yml
@@ -115,20 +115,3 @@
      become_user: "{{ item.key }}"
      with_dict: "{{ otree_users }}"
      when: item.value.override
-
-    - name: create supervisor-config for otree instances from template 
-      template:
-        src: templates/supervisor_otree.conf.j2
-        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
-        owner: root
-        group: root
-        mode: "0644"
-      with_dict: "{{ otree_users }}"
-      when: item.value.override
-
-    - name: make sure services are created and (re)-started
-      supervisorctl:
-        name: "{{ item.key }}"
-        state: restarted
-      with_dict: "{{ otree_users }}"
-    # TODO: set up otree (create venv, install pip packages, adapt .bashrc, run resetdb
--- a/configure_supervisor.yml
+++ b/configure_supervisor.yml
-FIXME: TODO
+---
+- name: setup otree
+  become: true
+  hosts: all
+  tasks:
+    # create current supervisor configs and start it
+    - name: create supervisor-config for otree instances from template
+      template:
+        src: templates/supervisor_otree.conf.j2
+        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
+        owner: root
+        group: root
+        mode: "0640"
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
+
+    - name: make sure services are created and (re)-started
+      supervisorctl:
+        name: "{{ item.key }}"
+        state: restarted
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
--- a/site.yml
+++ b/site.yml
@@ -22,6 +22,15 @@
      - postgresql
      - postgresql-contrib
  tasks:
+   # install all apt packages
+    - name: update package information
+      apt: update_cache=yes
+
+    - name: install required packages
+      apt:
+        name: "{{ prereq_packages }}"
+        state: latest
+
    # create/delete users as specified in group_vars/otree_users.yml
    - name: Create group for otreeusers
      group:
@@ -45,11 +54,10 @@
      set_fact:
        removed_users: "{{existing_users.stdout_lines | difference(otree_users) }}"

-    - name: Delete removed user accounts
-      user:
+    - name: stop supervisor services
+      supervisorctl:
        name: "{{ item }}"
-        state: absent
-        remove: yes
+        state: stopped
      with_items: "{{ removed_users }}"

    - name: remove supervisor services
@@ -57,23 +65,22 @@
        name: "{{ item }}"
        state: absent
      with_items: "{{ removed_users }}"
-    # FIXME: remove supervisor configs for deleted users
-
-    # add python repos, FIXME should be avoided by using recent unbuntu version
-    #- name: add ppa repository with python versions
-    #  apt_repository: "ppa:deadsnakes/ppa"
-    #  state: present

-    # install all apt packages
-    - name: update package information
-      apt: update_cache=yes
+    - name: remove supervisor config files
+      file:
+        state: absent
+        path: "/etc/supervisor/conf.d/{{ item }}.conf"
+      with_items: "{{ removed_users }}"

-    - name: install required packages
-      apt:
-        name: "{{ prereq_packages }}"
-        state: latest
+    - name: Delete removed user accounts
+      user:
+        name: "{{ item }}"
+        state: absent
+        remove: yes
+      with_items: "{{ removed_users }}"

 - import_playbook: "configure_nginx.yml"
 - import_playbook: "configure_postgresql.yml"
 - import_playbook: "configure_otree.yml"
+- import_playbook: "configure_supervisor.yml"
 - import_playbook: "configure_ufw.yml"
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -29,7 +29,7 @@ http {

 	##
 	# SSL Settings
-	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d={{ otree_domain }}
+	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d=otree.{{ otree_domain }}
 	##
 	ssl_dhparam /etc/nginx/dhparam.pem; 
 	# assumes command executed: openssl dhparam -out /etc/nginx/dhparam.pem 4096

--- a/templates/nginx_default_site.conf.j2
+++ b/templates/nginx_default_site.conf.j2
+# Default server configuration for http
+# Redirect http to https
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+
+        return 301 https://$host$request_uri;
+}
+
+# Default server configuration for https
+# Throw 403 if no specific domain is matched
+# FIXME: Custom 403
+server {
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        server_name _;
+
+        ssl_certificate {{ ssl_certificate_path }};
+        ssl_certificate_key {{ ssl_certificate_key_path }};
+
+        location / {
+                return 403;
+        }
+}
+
--- a/templates/nginx_site.conf.j2
+++ b/templates/nginx_site.conf.j2
@@ -3,32 +3,19 @@ map $http_upgrade $connection_upgrade {
 	''	close;
 }

-{% if item.key == otree_master %}
-# Default server configuration for http
-# Redirect http to https
 server {
-        listen 80 default_server;
-	listen [::]:80 default_server;

-        server_name _;
+	listen 443 ssl;
+	listen [::]:443 ssl;

-        return 301 https://$host$request_uri;
-}
-{% endif %}
-
-server {
-
-	listen 443 ssl{% if item.key == otree_master  %} default_server{% endif %};
-	listen [::]:443 ssl{% if item.key == otree_master %} default_server{% endif %};
-
-	server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %};
+	server_name {{ item.key }}.{{ otree_domain }};

 	ssl_certificate {{ ssl_certificate_path }};
 	ssl_certificate_key {{ ssl_certificate_key_path }};

 	location / {
 		access_log off;
-		proxy_pass http://localhost:{{ item.value.port }};
+		proxy_pass http://127.0.0.1:{{ item.value.port }};
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;