Add playbook for deploying api.demo.recordsansible.org

This deploys api.demo.recordsansible.org using ansible-role-ara. The only part not yet automated is the letsencrypt certificate generation. Change-Id: I6b436d3be32105fdf9d661d042bfb3d40e5e39a6 Depends-On: https://review.openstack.org/#/c/641816/
2019-03-07 15:52:02 -05:00 · 2019-03-07 15:52:02 -05:00 · aadb834b94
parent f026c4e012
commit aadb834b94
4 changed files with 77 additions and 0 deletions
--- a/playbooks/ansible.cfg
+++ b/playbooks/ansible.cfg
@ -0,0 +1,10 @@
+[defaults]
+forks = 25
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp/
+fact_caching_timeout = 3600
+inventory = hosts
+
+[ssh_connection]
+pipelining = True
--- a/playbooks/hosts
+++ b/playbooks/hosts
@ -0,0 +1 @@
+demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3
--- a/playbooks/live-demo.yaml
+++ b/playbooks/live-demo.yaml
@ -0,0 +1,15 @@
+- name: Provision demo.recordsansible.org
+  hosts: demo.recordsansible.org
+  gather_facts: yes
+  vars:
+    ara_api_frontend_server: nginx
+    ara_api_frontend_vhost: api.demo.recordsansible.org.conf.j2
+    ara_api_wsgi_server: gunicorn
+    ara_api_fqdn: api.demo.recordsansible.org
+    ara_api_allowed_hosts:
+      - api.demo.recordsansible.org
+    ara_api_cors_origin_whitelist:
+      - web.demo.recordsansible.org
+      - logs.openstack.org
+  roles:
+    - ara_api
--- a/playbooks/templates/api.demo.recordsansible.org.conf.j2
+++ b/playbooks/templates/api.demo.recordsansible.org.conf.j2
@ -0,0 +1,51 @@
+upstream ara_api {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server {{ ara_api_wsgi_bind }} fail_timeout=0;
+}
+
+server {
+    listen 80;
+    server_name {{ ara_api_fqdn }};
+    return 301 https://{{ ara_api_fqdn }}$request_uri;
+}
+
+server {
+    listen 443;
+    server_name {{ ara_api_fqdn }};
+    access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
+    error_log  /var/log/nginx/{{ ara_api_fqdn }}_error.log;
+
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/{{ ara_api_fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ara_api_fqdn }}/privkey.pem;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # There's nothing at /, redirect it to the actual API for convenience
+    location / {
+      return 301 http://{{ ara_api_fqdn }}/api/v1/;
+    }
+
+    location /static {
+        expires 7d;
+        add_header Cache-Control "public";
+    }
+
+    # Everything, including static files, is served by the backend
+    location ~ {
+      # checks if the file exists, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    location @proxy_to_app {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_redirect off;
+        proxy_pass http://ara_api;
+    }
+}
				`@ -0,0 +1 @@`
				`demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3`