
add rudimentary gpodder role

Thomas Buck 1年前
08462f5d86

+ 18
- 0
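--- a/roles/gpodder/defaults/main.yml
+++ b/roles/gpodder/defaults/main.yml
@@ -0,0 +1,18 @@
+gpodder_subdomain: "gpodder"
+gpodder_domain: "{{ gpodder_subdomain }}.{{ domain }}"
+
+gpodder_version: "80c41dc0c9a58dc0e85f6ef56662cdfd0d6e3b16"
+gpodder_release: "https://github.com/gpodder/mygpo/archive/{{ gpodder_version }}.zip"
+
+gpodder_internal_port: '2873'
+
+gpodder_db_username: gpodderuser
+gpodder_db_password: "{{ lookup('password', secret + '/' + 'gpodder_db_password length=32') }}"
+gpodder_db_database: gpodder
+
+gpodder_secret: "{{ lookup('password', secret + '/' + 'gpodder_secret length=16') }}"
+gpodder_staff_token: "{{ lookup('password', secret + '/' + 'gpodder_staff_token length=8 chars=ascii_lowercase,ascii_uppercase,digits') }}"
+
+# must match values in roles/common
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"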
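Review bot: `gpodder_secret` on line 13 is generated with `length=16`, well short of the 50-character SECRET_KEY that Django's own project generator produces; since this key signs sessions and similar tokens there is no reason to keep it small, so `gpodder_secret: "{{ lookup('password', secret + '/' + 'gpodder_secret length=50') }}"`. `gpodder_staff_token` on line 14 is only 8 characters over letters and digits (roughly 48 bits); if it is used as a bearer token for staff-only endpoints, as the name suggests, `length=32` would be more appropriate. `db_admin_username`/`db_admin_password` on lines 17–18 are re-declared here rather than read from roles/common, so the "must match" comment is the only thing keeping the two in sync; a shared group var would remove the duplication.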

+ 2
- 0
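--- a/roles/gpodder/handlers/main.yml
+++ b/roles/gpodder/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart apache
+  service: name=apache2 state=restarted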

+ 131
- 0
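--- a/roles/gpodder/tasks/gpodder.yml
+++ b/roles/gpodder/tasks/gpodder.yml
@@ -0,0 +1,131 @@
+- name: Install gpodder dependencies
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - libpq-dev
+    - libjpeg-dev
+    - zlib1g-dev
+    - libwebp-dev
+    - build-essential
+    - python3-dev
+    - virtualenv
+    - libffi-dev
+  tags:
+    - dependencies
+
+- name: Add gpodder user
+  user:
+    name: gpodder
+    home: /home/gpodder
+    create_home: yes
+    shell: /bin/bash
+    password_lock: yes
+    state: present
+    system: yes
+
+- name: Add gpodder postgres user
+  postgresql_user:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ gpodder_db_username }}
+    password="{{ gpodder_db_password }}"
+    encrypted=yes
+    state=present
+
+- name: Create gpodder database
+  postgresql_db:
+    login_host=localhost
+    login_user={{ db_admin_username }}
+    login_password="{{ db_admin_password }}"
+    name={{ gpodder_db_database }}
+    state=present
+    owner={{ gpodder_db_username }}
+
+- name: Download gpodder {{ gpodder_version }} release
+  get_url:
+    url="{{ gpodder_release }}"
+    dest=/home/gpodder/gpodder-{{ gpodder_version }}.zip
+
+- name: Stop old gpodder instance
+  service: name=gpodder state=stopped
+  ignore_errors: True
+
+- name: Remove old gpodder directory
+  shell: rm -rf /home/gpodder/gpodder
+
+- name: Create gpodder directory
+  file: state=directory path=/home/gpodder/gpodder
+
+- name: Extract gpodder sources
+  unarchive:
+    src: /home/gpodder/gpodder-{{ gpodder_version }}.zip
+    dest: /home/gpodder/gpodder
+    remote_src: yes
+
+- name: Move sources in correct place
+  shell: mv mygpo-{{ gpodder_version }}/* . chdir=/home/gpodder/gpodder
+
+- name: Remove empty directory
+  shell: rm -rf /home/gpodder/gpodder/mygpo-{{ gpodder_version }}
+
+- name: Create virtualenv
+  shell: virtualenv venv chdir=/home/gpodder/gpodder
+
+- name: Install generic dependencies in virtualenv
+  shell: bash -c 'source venv/bin/activate && pip install -r requirements.txt' chdir=/home/gpodder/gpodder
+
+- name: Install dependencies for production in virtualenv
+  shell: bash -c 'source venv/bin/activate && pip install -r requirements-setup.txt' chdir=/home/gpodder/gpodder
+
+- name: Create gpodder media directory
+  file:
+    state: directory
+    path: "/data/gpodder"
+    owner: gpodder
+    group: gpodder
+    mode: 0750
+
+# TODO put env somewhere so we can use it for systemd unit, migration and cron
+
+- name: Run database migration script
+  shell: bash -c 'source venv/bin/activate && DATABASE_URL=postgres://{{ gpodder_db_username }}:{{ gpodder_db_password }}@localhost:5432/{{ gpodder_db_database }}?sslmode=disable SECRET_KEY={{ gpodder_secret }} python manage.py migrate' chdir=/home/gpodder/gpodder
+
+- name: Add systemd service to start gpodder automatically
+  template:
+    src=etc_systemd_system_gpodder.j2
+    dest=/etc/systemd/system/gpodder.service
+    owner=root
+    group=root
+
+- name: Register new gpodder service
+  systemd: name=gpodder daemon_reload=yes enabled=yes
+
+- name: Start new gpodder instance
+  service: name=gpodder state=started
+
+# TODO cron jobs
+# envdir envs/dev python manage.py update-toplist
+# envdir envs/dev python manage.py update-episode-toplist
+
+# envdir envs/dev python manage.py feed-downloader
+# envdir envs/dev python manage.py feed-downloader <feed-url> [...]
+# envdir envs/dev python manage.py feed-downloader --max <max-updates>
+# envdir envs/dev python manage.py feed-downloader --random --max <max-updates>
+# envdir envs/dev python manage.py feed-downloader --toplist --max <max-updates>
+# envdir envs/dev python manage.py feed-downloader --update-new --max <max-updates>
+
+- name: Create the Apache gpodder sites config files
+  template:
+    src=etc_apache2_sites-available_gpodder.j2
+    dest=/etc/apache2/sites-available/gpodder_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite gpodder_{{ item }}.conf creates=/etc/apache2/sites-enabled/gpodder_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"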
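Review bot: The migration task on line 94 places `gpodder_db_password` and `gpodder_secret` on the shell command line, so both are visible in the process list while it runs and are echoed into Ansible's task output and any log, and the task carries no `no_log`; moving them to the task's `environment:` mapping and adding `no_log: true`, as below, keeps the same command without exposing them. The `get_url` task on line 48 pins a commit SHA in the URL but never verifies the downloaded archive, so a `checksum: "sha256:<DIGEST-PLACEHOLDER>"` argument (Ansible's own `checksum` option) would close that gap. Every task here runs as root and nothing sets the owner of `/home/gpodder/gpodder` or the venv, while the unit file installed on lines 96–101 runs the service as `gpodder`; an `owner: gpodder` on the unarchive/file tasks would keep the two consistent, and `mode: 0750` on line 89 relies on YAML octal parsing and is safer quoted as `mode: "0750"`.

```yaml
- name: Run database migration script
  shell: bash -c 'source venv/bin/activate && python manage.py migrate' chdir=/home/gpodder/gpodder
  environment:
    DATABASE_URL: "postgres://{{ gpodder_db_username }}:{{ gpodder_db_password }}@localhost:5432/{{ gpodder_db_database }}?sslmode=disable"
    SECRET_KEY: "{{ gpodder_secret }}"
  no_log: true
```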

+ 1
- 0
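--- a/roles/gpodder/tasks/main.yml
+++ b/roles/gpodder/tasks/main.yml
@@ -0,0 +1 @@
+- include: gpodder.yml tags=gpodder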
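Review bot: `include` on line 1 is the legacy include action that ansible-core has deprecated in favour of `import_tasks`/`include_tasks`, and `tags=gpodder` is given as an inline k=v string rather than as a task keyword. Writing it as `- import_tasks: gpodder.yml` with `tags: gpodder` on the same task keeps the static semantics and still applies the tag to every imported task. Other roles in the repository are not visible here, so this may simply follow existing convention.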

+ 32
- 0
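--- a/roles/gpodder/templates/etc_apache2_sites-available_gpodder.j2
+++ b/roles/gpodder/templates/etc_apache2_sites-available_gpodder.j2
@@ -0,0 +1,32 @@
+<VirtualHost *:80>
+    ServerName {{ gpodder_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ gpodder_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ gpodder_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            "{{ item.doc_root }}"
+    DirectoryIndex          index.html
+    Options                 -Indexes
+    HostnameLookups         Off
+    LogLevel                warn
+    ErrorLog                /var/log/apache2/gpodder.info-error_log
+    CustomLog               /var/log/apache2/gpodder.info-access_log common
+
+    ProxyRequests           Off
+    ProxyPreserveHost       On
+
+    <Directory /home/gpodder/gpodder/static>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    Alias                   /static /home/gpodder/gpodder/static
+    ProxyPassMatch          ^/static !
+
+    ProxyPass               / http://localhost:{{ gpodder_internal_port }}/
+    ProxyPassReverse        / http://localhost:{{ gpodder_internal_port }}/
+</VirtualHost>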
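Review bot: The HTTP vhost on line 4 uses `Redirect temp` (a 302) for the HTTPS upgrade, so clients never cache the upgrade and keep contacting port 80 first; `Redirect permanent / https://{{ gpodder_subdomain }}.{{ item.name }}/` is the usual choice for a plain-to-TLS redirect. The ErrorLog/CustomLog names on lines 16–17 are hard-coded to `gpodder.info-*` even though the template is rendered once per `virtual_domains` entry, so every vhost writes to the same two files and the name does not match `{{ item.name }}`; `/var/log/apache2/gpodder.{{ item.name }}-error_log` (and likewise for the access log) would keep them apart. Only `/static` is aliased here while the tasks create a media directory at `/data/gpodder`, so if mygpo serves anything from MEDIA_ROOT it will go through the proxy to the Django process — worth confirming against the application's URL layout.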

+ 30
- 0
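--- a/roles/gpodder/templates/etc_systemd_system_gpodder.j2
+++ b/roles/gpodder/templates/etc_systemd_system_gpodder.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Starts the gPodder server
+Requires=network.target
+After=network.target
+After=syslog.target
+
+[Service]
+Type=simple
+User=gpodder
+Restart=always
+RestartSec=3
+WorkingDirectory=/home/gpodder/gpodder
+ExecStart=bash -c 'source venv/bin/activate && python manage.py runserver 127.0.0.1:{{ gpodder_internal_port }}'
+Environment=DATABASE_URL=postgres://{{ gpodder_db_username }}:{{ gpodder_db_password }}@localhost:5432/{{ gpodder_db_database }}?sslmode=disable
+Environment=DEFAULT_BASE_URL=https://{{ gpodder_subdomain }}.{{ domain }}
+Environment=SECRET_KEY={{ gpodder_secret }}
+Environment=MEDIA_ROOT=/data/gpodder
+Environment=DEBUG=False
+Environment=MAINTENANCE=False
+Environment=STAFF_TOKEN={{ gpodder_staff_token }}
+Environment=DEFAULT_FROM_EMAIL=noreply@{{ domain }}
+Environment=EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
+Environment=EMAIL_HOST={{ domain }}
+Environment=EMAIL_PORT=587
+Environment=EMAIL_HOST_USER=noreply@{{ domain }}
+Environment=EMAIL_HOST_PASSWORD={{ lookup('password', secret + '/' + 'mail_noreply_password length=20 chars=ascii_lowercase,ascii_uppercase,digits') }}
+Environment=EMAIL_USE_TLS=True
+
+[Install]
+WantedBy=multi-user.target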
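Review bot: The database password (line 14), SECRET_KEY (line 16), STAFF_TOKEN (line 20) and the mail password (line 26) are embedded as `Environment=` entries in a unit file that the template task in roles/gpodder/tasks/gpodder.yml installs with owner root but no `mode`, so it lands world-readable under /etc/systemd/system and the values are additionally exposed to any local user via `systemctl show gpodder`. Move the secret-bearing lines into a separate file referenced by `EnvironmentFile=/etc/gpodder.env` (placeholder path) that the role installs with `mode=0600`, or at minimum add `mode=0600` to the unit's template task. `ExecStart` on line 13 runs `python manage.py runserver`, Django's development server, which Django's documentation explicitly describes as unsuited to production; a WSGI server behind the existing Apache proxy would be the safer long-term choice, though the mygpo requirements files are not visible here to confirm one is available. The defaults already define `gpodder_domain`, so line 15 could simply read `Environment=DEFAULT_BASE_URL=https://{{ gpodder_domain }}`.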

+ 9
- 0
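--- a/roles/monitoring/files/etc_monit_conf.d_gpodder
+++ b/roles/monitoring/files/etc_monit_conf.d_gpodder
@@ -0,0 +1,9 @@
+check process gpodder matching "python manage.py runserver"
+  group www
+  start program = "/bin/systemctl start gpodder"
+  stop program = "/bin/systemctl stop gpodder"
+  if failed port 2873 protocol http
+    with timeout 10 seconds
+    with retry 2
+    then restart
+  if 5 restarts within 5 cycles then timeout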
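Review bot: `if failed port 2873` on line 5 repeats the `gpodder_internal_port` default as a literal, and because this file lives under `files/` and is installed with `copy`, changing the variable would silently leave monit probing a port nothing listens on. Moving it to `templates/` and writing `if failed port {{ gpodder_internal_port }} protocol http` (installed with `template` instead of `copy` in roles/monitoring/tasks/monit.yml) keeps the two in step. The `matching "python manage.py runserver"` pattern on line 1 also matches any other Django development server on the host, so an unrelated process could mask a gpodder outage; the unit's actual command line binds `127.0.0.1:{{ gpodder_internal_port }}`, so matching on `manage.py runserver 127.0.0.1:2873` (again templated) would be more specific.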

+ 9
- 0
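--- a/roles/monitoring/tasks/monit.yml
+++ b/roles/monitoring/tasks/monit.yml
@@ -145,6 +145,10 @@
   stat: path=/etc/tomcat9/server.xml
   register: tomcat10_config_file
 
+- name: Determine if gpodder is installed
+  stat: path=/home/gpodder/gpodder/manage.py
+  register: gpodder_config_file
+
 # ---------------------------------------
 
 - name: Copy ZNC monit service config files into place
@@ -287,6 +291,11 @@
   notify: restart monit
   when: pgsql11_config_file.stat.exists == True
 
+- name: Copy gpodder monit service config files into place
+  copy: src=etc_monit_conf.d_gpodder dest=/etc/monit/conf.d/gpodder
+  notify: restart monit
+  when: gpodder_config_file.stat.exists == True
+
 # ---------------------------------------
 
 # TODO add to fail2ban when monit_page_public == 1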

+ 1
- 0
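--- a/roles/sslletsencrypt/defaults/main.yml
+++ b/roles/sslletsencrypt/defaults/main.yml
@@ -36,6 +36,7 @@ subdomains:
   - "chat"
   - "users"
   - "survey"
+  - "gpodder"
 
 # ntp
 ntp_servers: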

+ 5
- 0
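--- a/roles/sslselfsigned/DESIGN.md
+++ b/roles/sslselfsigned/DESIGN.md
@@ -7,3 +7,8 @@ The CA cert is placed in the secret folder, you can install it eg. in Arch like
     sudo trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/DOMAIN/etc/letsencrypt/live/DOMAIN/chain.pem
 
 It will then automatically be picked up by browsers like Firefox and Chrome.
+
+To trust the CA on the server itself (if you want to run some clients), do:
+
+    sudo cp /etc/letsencrypt/rootCA.crt /usr/local/share/ca-certificates/iot.fritz.box.crt
+    sudo update-ca-certificates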

+ 6
- 1
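--- a/roles/sslselfsigned/tasks/selfsigned.yml
+++ b/roles/sslselfsigned/tasks/selfsigned.yml
@@ -38,5 +38,10 @@
 
 - name: Retrieve the self signing CA to remove warning in users browser
   fetch: src=/etc/letsencrypt/live/{{ domain }}/chain.pem
-         dest="{{ secret }}/sovereign-self-signed-cert"
+         dest="{{ secret }}/sovereign-self-signed-ca"
+         fail_on_missing=yes
+
+- name: Retrieve the self signing CA and Cert to remove warning in users browser
+  fetch: src=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+         dest="{{ secret }}/sovereign-self-signed-chain"
          fail_on_missing=yes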
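Review bot: The first fetch task's `dest` changes from `sovereign-self-signed-cert` to `sovereign-self-signed-ca` on line 41, but roles/sslselfsigned/DESIGN.md in this same commit still instructs users to run `trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/...` (its unchanged line 7), so the documented path no longer exists after this change; the document should read `sovereign-self-signed-ca`. The two task names on lines 39 and 44 differ only by "and Cert", so naming the second after what it fetches, e.g. `Retrieve the full certificate chain for use by local clients`, would make play output easier to follow. The new DESIGN.md paragraph also copies `/etc/letsencrypt/rootCA.crt`, whereas these tasks fetch from `/etc/letsencrypt/live/{{ domain }}/`; whether rootCA.crt is produced elsewhere in this role is not visible here.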
