recordsansible
/
ara-infra
Code Issues Proposed changes

Add role to deploy the website and Zuul job to test it 

This adds a role which:
- Sets up user/group/logging for Hugo
- Retrieves and installs the hugo from upstream release
- Sets up a systemd unit file to keep the hugo server running
- Installs and configure nginx as a reverse proxy to the hugo server
  to serve ara.recordsansible.org

I'm not sure yet if keeping the hugo server running is the way to
go or if we should regenerate the static files every time.

It sort of goes against the point of hugo to use the server but
the fact that it reloads automatically when the source changes could
come in handy for automated updates.

Change-Id: I40e833a27117f9ec5003007bb08a677e16734e55
This commit is contained in:
David Moreau Simard 2018-11-21 12:15:48 -05:00
parent 0952b570ea
commit dda029ec43
No known key found for this signature in database
GPG Key ID: CBEB466764A9E621
14 changed files with 432 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.zuul.yaml
View File

@ -1,5 +1,22 @@
- project:
name: openstack/ara-infra
templates:
- noop-jobs
- nodeset:
name: ara-infra-fedora-28
nodes:
- name: infra.recordsansible.org
label: fedora-28
- job:
name: ara-infra-website
parent: base
nodeset: ara-infra-fedora-28
pre-run: tests/website-pre.yaml
run: playbooks/website.yaml
post-run: tests/website-post.yaml
success-url: logs/build/
- project:
check:
jobs:
- ara-infra-website
gate:
jobs:
- ara-infra-website

1
playbooks/roles Symbolic link
View File

@ -0,0 +1 @@
../roles

7
playbooks/website.yaml Normal file
View File

@ -0,0 +1,7 @@
- name: Set up the ara.recordsansible.org website
hosts: infra.recordsansible.org
gather_facts: yes
tasks:
- name: Include the website role
include_role:
name: website

22
roles/website/defaults/main.yaml Normal file
View File

@ -0,0 +1,22 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
hugo_release: https://github.com/gohugoio/hugo/releases/download/v0.51/hugo_0.51_Linux-64bit.tar.gz
hugo_directory: /opt/hugo
hugo_theme: https://github.com/jpescador/hugo-future-imperfect
hugo_theme_directory: "{{ hugo_directory }}/themes/hugo-future-imperfect"

60
roles/website/files/ara.recordsansible.org.conf Normal file
View File

@ -0,0 +1,60 @@
upstream hugo {
server 127.0.0.1:1313;
}
server {
server_name www.getara.org www.recordsansible.org;
return 301 $scheme://ara.recordsansible.org$request_uri;
}
server {
listen 80;
server_name www.getara.org getara.org www.recordsansible.org ara.recordsansible.org;
location / {
return 301 https://ara.recordsansible.org$request_uri;
}
}
server {
listen 443;
server_name ara.recordsansible.org;
ssl on;
ssl_certificate /etc/letsencrypt/live/ara.recordsansible.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ara.recordsansible.org/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
access_log /var/log/nginx/ara.recordsansible.org_access.log;
error_log /var/log/nginx/ara.recordsansible.org_error.log;
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
access_log off;
add_header Cache-Control "max-age=2592000";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
add_header Cache-Control "max-age=2592000";
access_log off;
}
location ^~ {
# checks for static file, if not found proxy to server
try_files $uri @proxy_to_server;
}
location @proxy_to_server {
# Redefine the header fields that NGINX sends to the upstream server
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Define the location of the proxy server to send the request to
proxy_pass http://hugo;
}
}

7
roles/website/files/hugo.logrotate Normal file
View File

@ -0,0 +1,7 @@
/var/log/hugo/*.log {
rotate 14
size 10M
missingok
compress
copytruncate
}

23
roles/website/handlers/main.yaml Normal file
View File

@ -0,0 +1,23 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
- name: Restart nginx
become: yes
service:
name: nginx
state: restarted

94
roles/website/tasks/hugo.yaml Normal file
View File

@ -0,0 +1,94 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
- become: yes
block:
- name: Install git
package:
name: git
state: present
- name: Create user for Hugo
become: true
user:
name: hugo
comment: User for Hugo
shell: /sbin/nologin
home: "{{ hugo_directory }}"
- name: Create log directory for Hugo
file:
path: /var/log/hugo
state: directory
owner: hugo
group: hugo
mode: 0750
- name: Set up logrotate for Hugo
copy:
src: hugo.logrotate
dest: /etc/logrotate.d/hugo
- name: Download Hugo release tarball
get_url:
url: "{{ hugo_release }}"
dest: "{{ hugo_directory }}"
register: hugo_download
- name: Extract Hugo release tarball
unarchive:
src: "{{ hugo_download.dest }}"
dest: "{{ hugo_directory }}"
remote_src: yes
when: hugo_download is changed
- name: Symlink Hugo in PATH
file:
src: "{{ hugo_directory }}/hugo"
dest: /usr/local/bin/hugo
owner: hugo
group: hugo
state: link
- name: Clone Hugo theme
become_user: hugo
git:
repo: "{{ hugo_theme }}"
dest: "{{ hugo_theme_directory }}"
force: yes
update: yes
- name: Configure Hugo server systemd service
template:
src: hugo.service.j2
dest: /etc/systemd/system/hugo.service
owner: root
group: root
mode: 0644
register: hugo_systemd
- when: hugo_systemd is changed
block:
- name: Reload systemctl
systemd:
daemon_reload: yes
- name: Restart Hugo
service:
name: hugo
state: restarted

42
roles/website/tasks/main.yaml Normal file
View File

@ -0,0 +1,42 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
# Zuul already prepares the src repository on the remote node and
# Zuul doesn't let you run pipe lookups on executors for security purposes
- name: Symlink ara-infra to persistent location with Zuul
become: yes
file:
src: "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}"
dest: /opt/ara-infra
state: link
when: zuul is defined
# git rev-parse --show-toplevel returns the root git directory
- name: Copy ara-infra to persistent location
become: yes
synchronize:
src: "{{ lookup('pipe', 'git rev-parse --show-toplevel') }}"
dest: /opt/
delete: yes
when: zuul is not defined
- name: Set up Hugo
include_tasks: hugo.yaml
- name: Set up nginx
include_tasks: nginx.yaml

43
roles/website/tasks/nginx.yaml Normal file
View File

@ -0,0 +1,43 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
- become: yes
block:
- name: Install nginx
package:
name: nginx
state: present
- name: Set selinux boolean to allow nginx to reverse proxy
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: Set up nginx vhost
copy:
src: ara.recordsansible.org.conf
dest: /etc/nginx/conf.d/ara.recordsansible.org.conf
notify:
- Restart nginx
- name: Start and enable nginx
service:
name: nginx
state: started
enabled: yes

16
roles/website/templates/hugo.service.j2 Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Hugo internal server
After=network.target
[Service]
User=hugo
Group=hugo
Type=simple
ExecStart=/usr/local/bin/hugo server --source /opt/ara-infra/website --themesDir {{ hugo_directory }}/themes --log --logFile /var/log/hugo/hugo.log --baseURL "https://ara.recordsansible.org/" --appendPort=false
ProtectSystem=yes
ProtectHome=no
NoNewPrivileges=yes
PrivateTmp=yes
[Install]
WantedBy=multi-user.target

42
tests/website-post.yaml Normal file
View File

@ -0,0 +1,42 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
- name: Website post-run
hosts: infra.recordsansible.org
gather_facts: yes
tasks:
- name: Create artifact directories
file:
path: "{{ ansible_user_dir }}/workspace/logs/build"
state: directory
recurse: yes
- name: Generate static version of the website
become: yes
command: |
/usr/local/bin/hugo \
--source /opt/ara-infra/website \
--themesDir /opt/hugo/themes \
--destination {{ ansible_user_dir }}/workspace/logs/build
- name: Upload log artifacts
synchronize:
src: "{{ ansible_user_dir }}/workspace/logs"
dest: "{{ zuul.executor.log_root }}"
mode: pull
verify_host: true

53
tests/website-pre.yaml Normal file
View File

@ -0,0 +1,53 @@
---
# Copyright (c) 2018 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA. If not, see <http://www.gnu.org/licenses/>.
- name: Website pre-run
hosts: infra.recordsansible.org
vars:
domain: ara.recordsansible.org
ansible_python_interpreter: /usr/bin/python3
tasks:
- become: true
block:
- name: Install python3-pyOpenSSL
package:
name: python3-pyOpenSSL
state: present
- name: Create expected letsencrypt directories
file:
path: "/etc/letsencrypt/live/{{ domain }}"
state: directory
recurse: yes
- name: Generate an OpenSSL private key
openssl_privatekey:
path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
- name: Generate an OpenSSL CSR
openssl_csr:
path: /etc/letsencrypt/live/{{ domain }}/request.csr
privatekey_path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
common_name: "{{ domain }}"
- name: Generate a self signed SSL certificate
openssl_certificate:
path: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
privatekey_path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
csr_path: /etc/letsencrypt/live/{{ domain }}/request.csr
provider: selfsigned

2
website/config.toml
View File

@ -9,8 +9,8 @@ disqusShortname = ""
googleAnalytics = "UA-119558821-1"
pluralizeListTitles = false
enableRobotsTXT = true
canonifyURLs = true
enableGitInfo = true
relativeURLs = true
[params]
# Sets the meta tag description