-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathansible.yml
189 lines (150 loc) · 5.77 KB
/
ansible.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
- hosts: all
gather_facts: no
sudo: yes
vars:
# This must EXACTLY match the host that the browser uses to access sync.
# For instance, "127.0.0.1" IS NOT the same as "localhost" in this context
# since the strings themselves are different.
server_hostname: "192.168.33.78"
sync_server_version: HEAD
auth_server_version: train-17
auth_db_server_version: train-17
content_server_version: train-17
verifier_version: HEAD
allow_#s: true
vars_files:
- [ secret.yml, secret.yml.example ]
tasks:
# -- Use NTP to set the local clock --
- name: Install ntpd
apt: name=ntp state=present install_recommends=no
- name: Ensure ntpd is running
service: name=ntp state=started enabled=yes
# -- Create a user to run the sync server --
- user: name=app state=present
# -- Install the sync server itself --
- name: Install dependencies
apt: name={{ item }} state=present install_recommends=no update_cache=yes
with_items:
- build-essential # gcc, make, etc.
- ca-certificates
- curl
- git
- libgmp-dev
- libzmq-dev
- mysql-server
- nodejs # 0.10.x
- nodejs-legacy # Provides a /usr/bin/node -> /usr/bin/nodejs symlink
- npm
- python-dev
- python-pip
- python-virtualenv
- name: Fetch all components from git
sudo_user: app
git: repo=https://github.com/{{ item.acct }}/{{ item.repo }}.git
dest=/home/app/{{ item.repo }}
version={{ item.ref }}
update=no # Do not update the repo on subsequent runs
with_items:
- { acct: 'mozilla', repo: 'fxa-auth-server',
ref: '{{ auth_server_version | default("HEAD") }}' }
- { acct: 'mozilla', repo: 'fxa-auth-db-server',
ref: '{{ auth_db_server_version | default("HEAD") }}' }
- { acct: 'mozilla', repo: 'fxa-content-server',
ref: '{{ content_server_version | default("HEAD") }}' }
- { acct: 'mozilla', repo: 'browserid-verifier',
ref: '{{ verifier_version | default("HEAD") }}' }
- { acct: 'mozilla-services', repo: 'syncserver',
ref: '{{ sync_server_version | default("HEAD") }}' }
- name: Create Python virtualenv for the syncserver
sudo_user: app
command: make build
chdir=/home/app/syncserver
creates=/home/app/syncserver/local
- name: Install Node.js dependencies for each FxA component
sudo_user: app
command: npm install --production
chdir=/home/app/{{ item }}
creates=/home/app/{{ item }}/node_modules
with_items:
- fxa-auth-server # Anomaly; has devDependencies in npm-shrinkwrap.json. Also relies on SQS?
- fxa-auth-db-server
- fxa-content-server
- browserid-verifier
- name: Add FxA configuration files
sudo_user: app
template: src=templates/{{ item.name }}.template
dest=/home/app/{{ item.name }}/{{ item.path }}
mode=0600
with_items:
- { name: 'fxa-auth-server', path: 'config/dev.json' }
- { name: 'fxa-content-server', path: 'server/config/local.json' }
notify:
- Restart all FxA components
- name: Create a self-signed SSL certificate
command: openssl req -new -nodes -x509 -days 3650
-subj "/CN={{ server_hostname }}"
-out "/etc/ssl/certs/{{ server_hostname }}.crt"
-keyout "/etc/ssl/private/{{ server_hostname }}.key"
-extensions v3_ca
creates="/etc/ssl/private/{{ server_hostname }}.key"
notify:
- Restart all FxA components
# -- Install Gunicorn to run the syncserver --
- name: Install gunicorn into the syncserver virtualenv
sudo_user: app
pip: name=gunicorn version=19 state=present
virtualenv=/home/app/syncserver/local
- name: Generate a random secret to use with the tokenserver
shell: head -c 32 /dev/urandom | shasum | awk '{{ print $1 }}'
register: generated_secret
when: secret is not defined
- name: Configure syncserver to use gunicorn
sudo_user: app
template: src=templates/gunicorn.template
dest=/home/app/syncserver/syncserver.ini
mode=0600
notify:
- Restart Gunicorn
# -- Start all services
- name: Create Upstart scripts
copy: src=templates/upstart-{{ item }}.template
dest=/etc/init/{{ item }}.conf
mode=0644
with_items:
- fxa-auth-server
- fxa-content-server
- browserid-verifier
- syncserver
- name: Ensure services are running
service: name={{ item }} state=started enabled=yes
with_items:
- fxa-auth-server
- fxa-content-server
- browserid-verifier
- syncserver
# -- Set up Nginx to reverse proxy to Gunicorn --
- name: Install nginx
apt: name=nginx state=present install_recommends=no
- name: Disable default nginx site
file: path=/etc/nginx/sites-enabled/default state=absent
- name: Configure nginx for the syncserver
template: src=templates/nginx.template
dest=/etc/nginx/sites-available/syncserver
mode=0644
- name: Enable syncserver
file: src=/etc/nginx/sites-available/syncserver
dest=/etc/nginx/sites-enabled/syncserver
state=link
notify:
- Restart Nginx
handlers:
- name: Restart Nginx
service: name=nginx state=restarted
- name: Restart Gunicorn
service: name=syncserver state=restarted
- name: Restart all FxA components
service: name={{ item }} state=restarted
with_items:
- fxa-content-server
- fxa-auth-server