subspace 0.1.3 → 0.2.1

data/ansible/roles/letsencrypt/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
   - name: Install certbot dependencies
+    become: true
     apt:
       pkg: "{{item}}"
       state: present
@@ -19,75 +20,78 @@
       - python-virtualenv
       - python2.7-dev
 
+  - name: "Create certbot dir"
+    become: true
+    file:
+      path: "{{certbot_dir}}"
+      state: directory
+      mode: 0750
+
   - name: Get certbot
+    become: true
     get_url:
       url: "https://dl.eff.org/certbot-auto"
-      dest: "{{certbot_dir}}"
+      dest: "{{certbot_dir}}/certbot-auto"
       mode: a+x
 
-  - name: Run certbot
-    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --apache --agree-tos --non-interactive"
+  - name: Run default
+    become: true
+    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --apache --agree-tos --expand --non-interactive"
     args:
       creates: /etc/letsencrypt/live/{{server_name}}/cert.pem
 
   - name: Enable mod_rewrite
+    become: true
     apache2_module:
       name: rewrite
       state: present
-    sudo: true
+
 
   - name: Enable mod_ssl
+    become: true
     apache2_module:
       name: ssl
       state: present
-    sudo: true
 
   - name: Create SSL Apache config
+    become: true
     template:
       src: project-le-ssl.conf
       dest: /etc/apache2/sites-available/{{project_name}}-le-ssl.conf
-    sudo: true
     notify: apache restart
 
   - name: Symlink {{project_name}}-le-ssl.conf to sites-enabled
+    become: true
     file:
       src: /etc/apache2/sites-available/{{project_name}}-le-ssl.conf
       dest: /etc/apache2/sites-enabled/{{project_name}}-le-ssl.conf
       state: link
-    sudo: true
     notify: apache restart
 
-  - name: Force redirect to https (1/3)
+  - name: Force redirect to https (1/2)
+    become: true
     lineinfile:
       dest: /etc/apache2/sites-available/{{project_name}}.conf
       line: "RewriteEngine on"
       state: present
       insertbefore: "</VirtualHost>"
-    sudo: true
-    notify: apache restart
-
-  - name: Force redirect to https (2/3)
-    lineinfile:
-      dest: /etc/apache2/sites-available/{{project_name}}.conf
-      line: "RewriteCond %{SERVER_NAME} ={{server_name}}"
-      state: present
-      insertbefore: "</VirtualHost>"
-    sudo: true
     notify: apache restart
 
-  - name: Force redirect to https (3/3)
+  - name: Force redirect to https (2/2)
+    become: true
     lineinfile:
       dest: /etc/apache2/sites-available/{{project_name}}.conf
-      line: "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]"
+      line: "RewriteCond %{SERVER_NAME} ={{item}}\nRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,NE,R=permanent]"
       state: present
       insertbefore: "</VirtualHost>"
-    sudo: true
+    with_items: "{{ ([server_name] + server_aliases) }}"
     notify: apache restart
 
   - name: Setup cron job to auto renew
+    become: true
     cron:
       name: Auto-renew SSL
       job: "{{certbot_dir}}/certbot-auto renew --quiet --no-self-upgrade"
-      minute: 30
-      hour: "0,12"
+      hour: 0
+      minute: 33
       state: present

data/ansible/roles/logrotate/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2016-14, Nick Hammond
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of ansiblebit nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/ansible/roles/logrotate/README.md

@@ -0,0 +1,70 @@
+# logrotate
+
+![Build Status](https://travis-ci.org/nickhammond/ansible-logrotate.svg?branch=master)
+
+Installs logrotate and provides an easy way to setup additional logrotate scripts by
+specifying a list of directives.
+
+## Requirements
+
+None
+
+## Role Variables
+
+**logrotate_scripts**: A list of logrotate scripts and the directives to use for the rotation.
+
+* name - The name of the script that goes into /etc/logrotate.d/
+* path - Path to point logrotate to for the log rotation
+* options - List of directives for logrotate, view the logrotate man page for specifics
+* scripts - Dict of scripts for logrotate (see Example below)
+
+```
+logrotate_scripts:
+  - name: rails
+    path: "/srv/current/log/*.log"
+    options:
+      - weekly
+      - size 25M
+      - missingok
+      - compress
+      - delaycompress
+      - copytruncate
+```
+
+## Dependencies
+
+None
+
+## Example Playbook
+
+Setting up logrotate for additional Nginx logs, with postrotate script (assuming this role is located in `roles/logrotate`).
+
+```
+- role: logrotate
+  logrotate_scripts:
+    - name: nginx
+      path: /var/log/nginx/*.log
+      options:
+        - weekly
+        - size 25M
+        - rotate 7
+        - missingok
+        - compress
+        - delaycompress
+        - copytruncate
+      scripts:
+        postrotate: "[ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`"
+```
+
+## License
+
+[BSD](https://raw.githubusercontent.com/nickhammond/logrotate/master/LICENSE)
+
+## Author Information
+
+* [nickhammond](https://github.com/nickhammond) | [www](http://www.nickhammond.com) | [twitter](http://twitter.com/nickhammond)
+* [bigjust](https://github.com/bigjust)
+* [steenzout](https://github.com/steenzout)
+* [jeancornic](https://github.com/jeancornic)
+* [duhast](https://github.com/duhast)
+* [kagux](https://github.com/kagux)

data/ansible/roles/logrotate/defaults/main.yml

@@ -0,0 +1,2 @@
+logrotate_conf_dir: "/etc/logrotate.d/"
+logrotate_scripts: []

data/ansible/roles/logrotate/meta/main.yml

@@ -0,0 +1,18 @@
+---
+galaxy_info:
+  author: Nick Hammond
+  description: Role to configure logrotate scripts
+  license: BSD
+  min_ansible_version: 1.9
+  platforms:
+  - name: Ubuntu
+    versions:
+    - lucid
+    - precise
+    - trusty
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - system
+dependencies: []

data/ansible/roles/logrotate/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: logrotate | Install logrotate
+  become: true
+  apt:
+    name: logrotate
+    state: present
+  when: logrotate_scripts is defined and logrotate_scripts|length > 0
+
+- name: logrotate | Setup logrotate.d scripts
+  become: true
+  template:
+    src: logrotate.d.j2
+    dest: "{{ logrotate_conf_dir }}{{ item.name }}"
+  with_items: "{{ logrotate_scripts }}"
+  when: logrotate_scripts is defined

data/ansible/roles/logrotate/templates/logrotate.d.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+"{{ item.path }}" {
+  {% if item.options is defined -%}
+  {% for option in item.options -%}
+  {{ option }}
+  {% endfor -%}
+  {% endif %}
+  {%- if item.scripts is defined -%}
+  {%- for name, script in item.scripts.iteritems() -%}
+  {{ name }}
+    {{ script }}
+  endscript
+  {% endfor -%}
+  {% endif -%}
+}

data/ansible/roles/monit/files/sudoers-monit

@@ -0,0 +1 @@
+deploy ALL=(root) NOPASSWD: /usr/bin/monit

data/ansible/roles/monit/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+  - name: monit
+    shell: monit stop all && monit reload && monit start all

data/ansible/roles/monit/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+  - name: Install monit
+    apt:
+      name: monit
+      state: present
+    sudo: true
+
+  - name: Copy sudoers file so that deploy can use monit without entering password.
+    copy:
+      src: sudoers-monit
+      dest: /etc/sudoers.d/monit
+    sudo: true
+
+  - name: Copy monit config to enable http from localhost
+    copy:
+      src: monit-http.conf
+      dest: /etc/monit/conf.d/monit-http.conf
+    sudo: true
+    notify: monit

data/ansible/roles/mtpereira.passenger/.bumpversion.cfg

@@ -0,0 +1,7 @@
+[bumpversion]
+current_version = 1.0.2
+commit = True
+tag = True
+tag_name = {new_version}
+message = "Bump version: {current_version} -> {new_version} [skip ci]"
+

data/ansible/roles/mtpereira.passenger/.gitignore

@@ -0,0 +1,2 @@
+*.vagrant/
+*vagrant_ansible_inventory*

data/ansible/roles/mtpereira.passenger/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Manuel Tiago Pereira
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/ansible/roles/mtpereira.passenger/README.md

@@ -0,0 +1,31 @@
+Passenger
+========
+
+Installs or updates Pushion Passenger.
+
+It will install apache, nginx or standalone modes, depending on **passenger_webserver** variable value (defaults to standalone).
+
+In the `tests` folder, there are a set of tests for this role, that will provision a VM using Vagrant and setup a simple hello world app. To use them, `cd` into the `tests/{passenger_webserver}/` and execute `vagrant up`. At the moment, only `apache` tests are done.
+
+Requirements
+------------
+
+Assumes that the host is ansible-ready (check **mtpereira.common** role).
+
+Role Variables
+--------------
+
+* `passenger_webserver`: Specifies the webserver to be used by passenger. Possible values: `apache`, `nginx` and `standalone`. Defaults to `standalone`.
+* `passenger_pkgs_state`: Specifies if this role will garantee that the packages are installed or installed and updated. Possible values: `installed` and `latest`. Defaults to `installed`.
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+[GitHub project page](https://github.com/mtpereira/ansible-passenger)
+
+[Manuel Tiago Pereira](http://mtpereira.github.io)

data/ansible/roles/mtpereira.passenger/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+passenger_webserver: "standalone"
+passenger_pkgs_state: "installed"
+passenger_pkgs_fix_shebang: no
+become: true

data/ansible/roles/mtpereira.passenger/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: apache restart
+  service: name=apache2 state=restarted
+  sudo: yes
+
+- name: nginx restart
+  service: name=nginx state=restarted
+  sudo: yes

data/ansible/roles/mtpereira.passenger/meta/.galaxy_install_info

@@ -0,0 +1 @@
+{install_date: 'Mon Jan  2 18:15:18 2017', version: 1.0.2}

data/ansible/roles/mtpereira.passenger/meta/main.yml

@@ -0,0 +1,21 @@
+---
+galaxy_info:
+  author: Manuel Tiago Pereira
+  description: Installs Phusion Passenger.
+  license: MIT
+  min_ansible_version: 1.4
+  platforms:
+  - name: Debian
+    versions:
+    - wheezy
+    - jessie
+  - name: Ubuntu
+    versions:
+    - lucid
+    - precise
+    - saucy
+    - trusty
+  categories:
+    - web
+dependencies: []
+

data/ansible/roles/mtpereira.passenger/tasks/apt.yml

@@ -0,0 +1,13 @@
+---
+- name: apt - add key for passenger repos
+  apt_key: url=http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x561F9B9CAC40B2F7 id=AC40B2F7 state=present
+
+- name: apt - add support for https
+  apt: pkg={{ item }} state={{ passenger_pkgs_state }} update_cache=yes cache_valid_time=3600
+  with_items:
+  - apt-transport-https
+  - ca-certificates
+
+- name: apt - add passenger repo
+  apt_repository: repo='deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_lsb.codename }} main' state=present update_cache=yes
+

data/ansible/roles/mtpereira.passenger/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- include: apt.yml
+  tags: passenger_apt
+- include: pkg.yml
+  tags: passenger_pkg
+- include: service.yml
+  tags: passenger_service
+  when: passenger_webserver != "standalone"

data/ansible/roles/mtpereira.passenger/tasks/pkg.yml

@@ -0,0 +1,35 @@
+---
+- name: pkg - install apache passenger packages
+  apt: pkg={{ item }} state={{ passenger_pkgs_state }}
+  with_items:
+    - libapache2-mod-passenger
+    - apache2
+  notify: apache restart
+  when: passenger_webserver == "apache"
+
+- name: pkg - install nginx passenger packages
+  apt: pkg={{ item }} state={{ passenger_pkgs_state }}
+  with_items:
+    - nginx-extras
+    - passenger
+  notify: nginx restart
+  when: passenger_webserver == "nginx"
+
+- name: pkg - install standalone passenger packages
+  apt: pkg={{ item }} state={{ passenger_pkgs_state }}
+  with_items:
+    - passenger
+  when: passenger_webserver == "standalone"
+
+- name: pkg - fix passenger utils shebang
+  lineinfile:
+    dest: "{{ item }}"
+    regexp: '^#\!/usr/bin/ruby\s*'
+    line: "#!/usr/bin/env ruby"
+    backrefs: yes
+    state: present
+  with_items:
+    - /usr/sbin/passenger-memory-stats
+    - /usr/sbin/passenger-status
+  when: passenger_pkgs_fix_shebang
+

data/ansible/roles/mtpereira.passenger/tasks/service.yml

@@ -0,0 +1,8 @@
+---
+- name: service - ensure apache is running
+  service: name=apache2 state=started enabled=yes
+  when: passenger_webserver == "apache"
+
+- name: service - ensure nginx is running
+  service: name=nginx state=started enabled=yes
+  when: passenger_webserver == "nginx"

data/ansible/roles/newrelic/tasks/main.yml

@@ -3,18 +3,21 @@
     apt_repository:
       repo: deb http://apt.newrelic.com/debian/ newrelic non-free
       state: present
+    sudo: true
 
   - name: Add New Relic apt key
     apt_key:
       url: https://download.newrelic.com/548C16BF.gpg
       state: present
+    sudo: true
 
   - name: Install New Relic server agent
     apt:
       pkg: newrelic-sysmond
       state: present
       update_cache: true
-      cache_valid_time: 86400
+    sudo: true
 
   - shell: "nrsysmond-config --set license_key={{newrelic_licence}}"
+    sudo: true
     notify: start newrelic agent

data/ansible/roles/nginx/tasks/main.yml

@@ -1,20 +1,27 @@
 - name: Install nginx
   apt: pkg=nginx state=latest
+  become: true
 
 - name: Remove the default app
   command: rm -rf /etc/nginx/sites-enabled/default
+  become: true
 
 - name: Remove the app's config, if exists
   command: rm -rf /etc/nginx/sites-enabled/default
+  become: true
 
 - name: Remove the app's symlink, if exists
   command: rm -rf /etc/nginx/sites-enabled/{{project_name}}
+  become: true
 
 - name: Configure nginx for the app
   template: src=nginx-project dest=/etc/nginx/sites-available/{{project_name}} group=www-data owner=www-data force=yes
+  become: true
 
 - name: Enable the app
   command: ln -s /etc/nginx/sites-available/{{project_name}} /etc/nginx/sites-enabled/{{project_name}}
+  become: true
 
 - name: Restart nginx
-  action: service name=nginx state=restarted
+  action: service name=nginx state=restarted
+  become: true

data/ansible/roles/papertrail/tasks/main.yml

@@ -1,12 +1,27 @@
 ---
   - name: Install remote_syslog from papertrail
     command: wget -O /tmp/remote_syslog.tar.gz https://github.com/papertrail/remote_syslog2/releases/download/v0.13/remote_syslog_linux_amd64.tar.gz  creates=/usr/bin/remote_syslog
+
   - command: tar xzf /tmp/remote_syslog.tar.gz chdir=/tmp/ creates=/usr/bin/remote_syslog
+
   - command: mv /tmp/remote_syslog/remote_syslog /usr/bin/remote_syslog creates=/usr/bin/remote_syslog
+    sudo: true
+
   - file: path=/usr/bin/remote_syslog owner=root group=root mode=0755
+    sudo: true
+
   - command: wget -O /etc/init.d/remote_syslog https://raw.githubusercontent.com/papertrail/remote_syslog2/v0.13/examples/remote_syslog.init.d creates=/etc/init.d/remote_syslog
+    sudo: true
+
   - file: path=/etc/init.d/remote_syslog owner=root group=root mode=0755
+    sudo: true
+
   - file: path=/tmp/remote_syslog/ state=absent
+
   - file: path=/tmp/remote_syslog.tar.gz state=absent
+
   - service: name=remote_syslog state=restarted enabled=yes
-  - template: src=log_files.yml dest=/etc/log_files.yml owner=root group=root mode=0644
+    sudo: true
+
+  - template: src=log_files.yml dest=/etc/log_files.yml owner=root group=root mode=0644
+    sudo: true

data/ansible/roles/passenger/meta/main.yml

@@ -0,0 +1,6 @@
+---
+  dependencies:
+    - {
+      role: mtpereira.passenger,
+      become: true
+    }

data/ansible/roles/postgresql/README.md

@@ -0,0 +1,15 @@
+Attach this as a bucket policy to allow unauthenticated writes. Then you can set "s3_db_backup_bucket" to upload backups to your s3 bucket instead of keeping backups on the local machine.
+#TODO: add authentication option
+{
+    "Version": "2012-10-17",
+    "Id": "Policy1477442935689",
+    "Statement": [
+        {
+            "Sid": "Stmt1477442933718",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
+        }
+    ]
+}

data/ansible/roles/postgresql/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
   backups_enabled: true
+  s3_db_backup_bucket: disabled
+  s3_db_backup_prefix: "{{project_name}}/{{rails_env}}"
+  database_user: "{{project_name}}"

data/ansible/roles/postgresql/meta/main.yml

@@ -2,6 +2,6 @@
   dependencies:
     - {
       role: zenoamaro.postgresql,
-      sudo: true,
+      become: true,
       notify: postgresql restart
     }

data/ansible/roles/postgresql/tasks/main.yml

@@ -4,8 +4,8 @@
       name: "{{database_user}}"
       password: "{{database_password}}"
       state: present
-    sudo: yes
-    sudo_user: postgres
+    become: true
+    become_user: postgres
 
   - name: Create postgresql database
     postgresql_db:
@@ -13,8 +13,8 @@
       owner: "{{database_user}}"
       template: template1
       state: present
-    sudo: yes
-    sudo_user: postgres
+    become: true
+    become_user: postgres
 
   - name: Grant all privileges on database to user
     postgresql_privs:
@@ -23,15 +23,16 @@
       roles: "{{database_user}}"
       state: present
       type: database
-    sudo: yes
-    sudo_user: postgres
+    become: true
+    become_user: postgres
 
   - name: "Enable postgres hstore"
-    sudo: yes
-    sudo_user: postgres
+    become: true
+    become_user: postgres
     postgresql_ext:
       db: "{{database_name}}"
       name: hstore
       state: present
 
   - include: backups.yml
+    become: true