subspace 2.3.2 → 2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d70ec4242c8be2ce016722c2d9898127ae130ebca3e83de4c315dea753ee22f0
-  data.tar.gz: 53f5b0d0ab09490196682e46a12b9d2e77994ff979fd8b5556ad8c8013a0f177
+  metadata.gz: 93091e9b151184634d780b924930692e79ba48fcf0ba21c565a4ab8583bf04e8
+  data.tar.gz: 43a0cc1057b2cc8805c52a646de12c841b79f4388966c0fe2a6bf25d34e0d7fe
 SHA512:
-  metadata.gz: 937e805b162030f75968f34a265dd67570bc9787d117b3f8548fcb490c2444b0cb07bb1506614e9910d4b07e87b22a38780381a779e81c4f1e78bbf0f499aa91
-  data.tar.gz: 476d91fd00279a70ca8b7a922fde12710c9324ec67ce9a4ef4e991b2c7fdb72e949cac89cd121105239ca075fd32eac34c4cf89adb237c981e3e1f1e32d46f84
+  metadata.gz: e8a80cd668afcbc735bdde1e1067f2428f936a1ea4cb3c5f09d921e14630f61e01e5fd2d09ecf651a2338e94b9c9dc7c1d504f0d87773a4385ac4e5c62d589cd
+  data.tar.gz: 39a99a8d46d0e7b3b794ddffc5eda3873c445cd3df8083d95a3fc888ba1b29ce3808bbad2bbeba0a9619637b9c2e78baafd9ae581b8a7355417df80cb21afc1b

data/CHANGELOG.md

@@ -10,6 +10,37 @@ This project attempts to follow [semantic versioning](https://semver.org/)
   * Not working on OSX - macs don't read from /etc/profile.d/
   * Stops showing color if you `sudo su`
 
+## 2.5
+  * Get actual os version number along with kernal name
+  * Update MOTD version automatically!
+  * Get and upload unattended security updates
+
+## 2.4.2
+  * Update deprecated syntax for ansible
+  * Fix postgresql-client for python 3
+
+## 2.4.1
+  * Allow extra nginx options via extra_nginx_config eg:
+    ```
+    extra_nginx_config: |
+      proxy_http_version 1.1;
+      chunked_transfer_encoding off;
+      proxy_buffering off;
+      proxy_cache off;
+    ```
+  * Add keepalive_timeout for nginx
+
+## 2.4
+  Lots of modifications for ubuntu 20.04, which has python3 as a default
+
+  * Change letsencrypt to pull from apt instead of build from source (backwards compatible)
+  * Change postgres to a cleaner install and deprecate the old zenoamaro role
+  * postgresql_version is now a required variable and no longer defaults to 9.4
+  * Better detection of web servers
+
+## 2.3.3
+  * Tweak the way that different roles are detected to be more reliable
+
 ## 2.3.2
   * Update papertrail to latest version of remote_syslog2 and add support for nginx logs
 

data/README.md

@@ -291,6 +291,10 @@ Configures nginx to look at localhost:9292 for the socket/backend connection.  I
 defaults are here, we'll probably add more:
 
     client_max_body_size: 4G
+    ssl_force_redirect: true
+    default_server: true
+    keepalive_timeout: 10
+    extra_nginx_config: ""
 
 Optional variables:
 
@@ -300,6 +304,12 @@ Optional variables:
     nginx_proxy_read_timeout: Set [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout). This is in seconds. You probably only want to change this if using rack-timeout (although I may be wrong). If using rack-timeout, it should be slightly higher than the rack-timeout timeout. I'm doing 5 seconds higher, but that was arbitrarily chosen.
 
     ssl_force_redirect: redirect all HTTP traffic to HTTPS on the same host.  Defaults to true and only applies if ssl_enabled is also true.
+    extra_nginx_config: anything else you want to configure in the main nginx config block, formatted like:
+    extra_nginx_config: |
+      proxy_http_version 1.1;
+      chunked_transfer_encoding off;
+      proxy_buffering off;
+      proxy_cache off;
 
 ## nodejs
 

data/ansible/roles/apache/tasks/main.yml

@@ -52,3 +52,7 @@
       state: link
     become: true
     notify: apache restart
+
+  - name: Apache is installed
+    set_fact:
+      apache_installed: true

data/ansible/roles/collectd/tasks/main.yml

@@ -47,7 +47,7 @@
       dest: /etc/collectd/collectd.conf.d/apache2.conf
     become: true
     notify: restart collectd
-    when: "'apache' in role_names"
+    when: apache_installed is defined
 
   - name: create puma config
     template:
@@ -70,7 +70,7 @@
       dest: /etc/collectd/collectd.conf.d/nginx.conf
     become: true
     notify: restart collectd
-    when: "'nginx' in role_names"
+    when: nginx_installed is defined
 
   - name: create rails_lograge config
     template:

data/ansible/roles/common/tasks/main.yml

@@ -72,10 +72,6 @@
     tags:
       - maintenance
 
-  - name: Add ppa:ondrej/nginx apt repository for TLS 1.3
-    apt_repository:
-      repo: ppa:ondrej/nginx
-
   - name: apt-get update
     apt: update_cache=yes cache_valid_time=86400
     become: true
@@ -83,6 +79,10 @@
       - upgrade
       - maintenance
 
+  - name: Add ppa:ondrej/nginx apt repository for TLS 1.3
+    apt_repository:
+      repo: ppa:ondrej/nginx
+
   - name: /usr/lib/update-notifier/apt-check --human-readable
     command: /usr/lib/update-notifier/apt-check --human-readable
     tags:
@@ -158,6 +158,42 @@
       - maintenance
       - stats
 
+  - name: Get unattended security updates
+    shell:
+      cmd: cat /var/log/unattended-upgrades/unattended-upgrades.log | grep "Packages that will be upgraded:" | grep $(date '+%Y-%m') | cut -d " " -f 9- | wc -w
+    register: out
+    tags:
+      - maintenance
+      - stats
+
+  - name: get current date as month
+    shell:
+      cmd: date '+%Y-%m'
+    register: current_month
+    tags:
+      - maintenance
+      - stats
+
+  - name: Save unattended updates to /opt/subspace/updates.log
+    lineinfile:
+      path: /opt/subspace/updates.log
+      line: "[{{current_month.stdout}}]\n{{ out.stdout }} unattended security updates"
+      insertafter: EOF
+      create: yes
+    become: true
+    tags:
+      - maintenance
+      - stats
+    when: out.stdout != "0"
+
+  - name: Update unattended-upgrades.log
+    shell:
+      cmd: perl -i -pe 's/Packages that will be upgraded:/Packages already upgraded and logged in Subspace:/smg' /var/log/unattended-upgrades/unattended-upgrades.log
+    become: true
+    tags:
+      - maintenance
+      - stats
+
   - name: Get os_security_upgrades stats
     shell:
       cmd: |
@@ -253,7 +289,7 @@
       - maintenance
 
   - name: Grab OS version
-    shell: uname --kernel-release
+    shell: uname -rv
     register: stats_os_version
     when: send_stats == true and stats_url is defined and stats_api_key is defined
     tags:

data/ansible/roles/common/templates/motd

@@ -4,7 +4,7 @@ This server brought to you by:
 \___ \| | | | '_ \___ \| '_ \ / _` |/ __/ _ \
  ___) | |_| | |_) |__) | |_) | (_| | (_|  __/
 |____/ \__,_|_.__/____/| .__/ \__,_|\___\___|
-                       |_|             v2.3.1
+                       |_|             v{{lookup('env', 'SUBSPACE_VERSION')}}
 ~~~ https://github.com/tenforwardconsulting/subspace ~~~
 
 If you need to make configuration changes to the server, please modify the

data/ansible/roles/letsencrypt/tasks/legacy.yml

@@ -0,0 +1,44 @@
+---
+  - name: Install certbot dependencies
+    become: true
+    apt:
+      pkg: "{{item}}"
+      state: present
+    with_items:
+      - augeas-lenses
+      - ca-certificates
+      - dialog
+      - gcc
+      - libaugeas0
+      - libffi-dev
+      - libpython-dev
+      - libpython2.7-dev
+      - libssl-dev
+      - python
+      - python-dev
+      - python-setuptools
+      - python-virtualenv
+      - python2.7
+      - python2.7-dev
+
+  - name: "Create certbot dir"
+    become: true
+    file:
+      path: "{{certbot_dir}}"
+      state: directory
+      mode: 0755
+
+  - name: "Set certbot binary"
+    set_fact:
+      certbot_bin: "{{certbot_dir}}/certbot_auto"
+
+  - name: Get certbot
+    become: true
+    get_url:
+      url: "https://dl.eff.org/certbot-auto"
+      dest: "{{certbot_bin}}"
+      mode: a+x
+
+
+
+

data/ansible/roles/letsencrypt/tasks/main.yml

@@ -1,38 +1,32 @@
 ---
-  - name: Install certbot dependencies
+  - name: Ensure nginx is installed (first time)
     become: true
     apt:
-      pkg: "{{item}}"
+      pkg: nginx
       state: present
-    with_items:
-      - augeas-lenses
-      - ca-certificates
-      - dialog
-      - gcc
-      - libaugeas0
-      - libffi-dev
-      - libpython-dev
-      - libpython2.7-dev
-      - libssl-dev
-      - python
-      - python-dev
-      - python-setuptools
-      - python-virtualenv
-      - python2.7-dev
-
-  - name: "Create certbot dir"
-    become: true
-    file:
-      path: "{{certbot_dir}}"
-      state: directory
-      mode: 0755
+    when: "'nginx' in role_names"
 
-  - name: Get certbot
+  - name: Attempt to install certbot from APT
     become: true
-    get_url:
-      url: "https://dl.eff.org/certbot-auto"
-      dest: "{{certbot_dir}}/certbot-auto"
-      mode: a+x
+    ignore_errors: true
+    apt:
+      pkg: certbox
+      state: present
+
+  - name: "Detect if certbot was installed via APT"
+    shell: dpkg-query -W 'certbot'
+    ignore_errors: true
+    register: apt_certbot
+
+  - name: "Modern Letsencrypt Installation (py3, apt version)"
+    include_tasks: modern.yml
+    when: apt_certbot is succeeded
+
+  - name: "Legacy Letsencrypt Installation (py2, from source)"
+    include_tasks: legacy.yml
+    when: apt_certbot is failed
+
+# Post install configuration
 
   - name: shutdown webserver for standalone mode
     debug: msg="Shutdown webserver"
@@ -50,21 +44,21 @@
   - name: Run default
     when: le_ssl_certs is not defined
     become: true
-    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --standalone --agree-tos --expand --non-interactive"
+    command: "{{certbot_bin}} certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --standalone --agree-tos --expand --non-interactive"
 
   - name: Generate SSL Certificates
     become: true
     with_items: "{{le_ssl_certs|default([])}}"
-    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{item.domains | join(',')}} --cert-name {{item.cert_name}} --standalone --agree-tos --expand --non-interactive"
+    command: "{{certbot_bin}} certonly --email {{letsencrypt_email}} --domains {{item.domains | join(',')}} --cert-name {{item.cert_name}} --standalone --agree-tos --expand --non-interactive"
 
   - name: Update nginx default options
-    when: "'nginx' in role_names"
+    when: nginx_installed is defined
     get_url:
       url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
       dest: /etc/letsencrypt/options-ssl-nginx.conf
 
   - name: Update apache default options
-    when: "'apache' in role_names"
+    when: apache_installed is defined
     get_url:
       url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
       dest: /etc/letsencrypt/options-ssl-apache.conf
@@ -82,20 +76,20 @@
 
   - name: Setup cron job to auto renew
     become: true
-    when: "'apache' in role_names"
+    when: apache_installed is defined
     cron:
       name: Auto-renew SSL
-      job: "{{certbot_dir}}/certbot-auto renew --no-self-upgrade --apache >> /var/log/cron.log 2>&1"
+      job: "{{certbot_bin}} renew --no-self-upgrade --apache >> /var/log/cron.log 2>&1"
       hour: "0"
       minute: "33"
       state: present
 
   - name: Setup cron job to auto renew
     become: true
-    when: "'nginx' in role_names"
+    when: nginx_installed is defined
     cron:
       name: Auto-renew SSL
-      job: "{{certbot_dir}}/certbot-auto renew --no-self-upgrade --nginx >> /var/log/cron.log 2>&1"
+      job: "{{certbot_bin}} renew --no-self-upgrade --nginx >> /var/log/cron.log 2>&1"
       hour: "0"
       minute: "33"
-      state: present
+      state: present

data/ansible/roles/letsencrypt/tasks/modern.yml

@@ -0,0 +1,13 @@
+---
+  - name: Install ca-certificates
+    become: true
+    apt:
+      pkg: "{{item}}"
+      state: present
+    with_items:
+      - ca-certificates
+
+  - name: "Set certbot binary"
+    set_fact:
+      certbot_bin: "certbot"
+

data/ansible/roles/nginx-rails/defaults/main.yml

@@ -2,3 +2,5 @@
   client_max_body_size: 4G
   ssl_force_redirect: true
   default_server: true
+  keepalive_timeout: 10
+  extra_nginx_config: ""

data/ansible/roles/nginx-rails/tasks/main.yml

@@ -5,11 +5,19 @@
     dest: /etc/nginx/sites-available/{{project_name}}
   become: true
 
-- name: Enable the app
+- name: Enable the non-ssl app
   file:
     src: /etc/nginx/sites-available/{{project_name}}
     dest: /etc/nginx/sites-enabled/{{project_name}}
-    state: "{{ (ssl_enabled and nginx_ssl_config is defined) | ternary('absent', 'link') }}"
+    state: link
+  when: ssl_enabled != true or nginx_ssl_config is not defined
+  become: true
+
+- name: Disable the non-ssl app
+  file:
+    dest: /etc/nginx/sites-enabled/{{project_name}}
+    state: absent
+  when: (ssl_enabled and nginx_ssl_config is defined)
   become: true
 
 - name: create ssl nginx config for rails app
@@ -23,5 +31,24 @@
   file:
     src: /etc/nginx/sites-available/{{project_name}}-ssl
     dest: /etc/nginx/sites-enabled/{{project_name}}-ssl
-    state: "{{ (ssl_enabled and nginx_ssl_config is defined) | ternary('link', 'absent') }}"
+    state: link
+  when: (ssl_enabled and nginx_ssl_config is defined)
+  become: true
+
+- name: Disable SSL configured app
+  file:
+    dest: /etc/nginx/sites-enabled/{{project_name}}-ssl
+    state: absent
+  when: ssl_enabled != true or nginx_ssl_config is not defined
   become: true
+
+- name: Enable a default server if one is not defined in the app
+  template:
+    src: 'default_server'
+    dest: /etc/nginx/sites-enabled/default_server
+    mode: 0644
+    group: root
+    owner: root
+  become: true
+  when: not default_server
+

data/ansible/roles/nginx-rails/templates/_rails.conf

@@ -15,6 +15,7 @@
     {% if nginx_proxy_read_timeout is defined %}
     proxy_read_timeout {{nginx_proxy_read_timeout}};
     {% endif %}
+    {{ extra_nginx_config | indent( width=4 ) }}
   }
 
   {% if asset_cors_allow_origin is defined %}
@@ -29,5 +30,5 @@
     root /opt/subspace;
   }
   client_max_body_size {{client_max_body_size}};
-  keepalive_timeout 10;
+  keepalive_timeout {{keepalive_timeout}};
 

data/ansible/roles/nginx-rails/templates/default_server

@@ -0,0 +1,5 @@
+server {
+    listen      80 default_server;
+    server_name _;
+    return 444;
+}

data/ansible/roles/nginx/tasks/main.yml

@@ -28,3 +28,7 @@
 - name: Restart nginx
   action: service name=nginx state=restarted
   become: true
+
+- name: Nginx is installed
+  set_fact:
+    nginx_installed: true

data/ansible/roles/papertrail/tasks/main.yml

@@ -20,10 +20,12 @@
 
   - file: path=/tmp/remote_syslog.tar.gz state=absent
 
-  - template: src=log_files.yml dest=/etc/log_files.yml owner=root group=root mode=0644
+  - name: Create /etc/log_files
+    template: src=log_files.yml dest=/etc/log_files.yml owner=root group=root mode=0644
     become: true
 
-  - service: name=remote_syslog state=restarted enabled=yes
+  - name: Restart rsyslog
+    service: name=remote_syslog state=restarted enabled=yes
     become: true
 
 

data/ansible/roles/papertrail/templates/log_files.yml

@@ -1,10 +1,10 @@
 # Variables: papertrail_host, papertrail_port
 files:
   - /u/apps/{{project_name}}/shared/log/{{rails_env}}.log
-{% if 'nginx' in role_names %}
+{% if nginx_installed is defined %}
   - /var/log/nginx/error.log
 {% endif %}
-{% if 'apache' in role_names %}
+{% if apache_installed is defined %}
   - /var/log/apache2/error.log
 {% endif %}
 

data/ansible/roles/postgresql-client/tasks/main.yml

@@ -35,14 +35,49 @@
     - db
     - deps
 
-- name: Install dependencies for the Ansible module
+- name: Install libpq-dev
   when: ansible_os_family == 'Debian'
   become: yes
   apt:
-    name: "{{item}}"
+    name: "libpq-dev"
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  tags:
+    - postgresql
+    - db
+    - deps
+
+- name: "Detect python3"
+  shell: "which python3"
+  register: is_python3
+
+- name: Ensure pip is installed (python3)
+  when: is_python3 is succeeded
+  apt:
+    name: python3-pip
+    state: present
+    update_cache: yes
+  tags:
+    - postgresql
+    - db
+    - deps
+
+- name: Install psycopg2 (python3)
+  when: is_python3 is succeeded
+  become: yes
+  command: "pip3 install psycopg2"
+  tags:
+    - postgresql
+    - db
+    - deps
+
+- name: Install psycopg2 (python2)
+  when: is_python3 is failed
+  become: yes
+  apt:
+    name: python-psycopg2
     state: latest
-  with_items:
-    - python-psycopg2
   tags:
     - postgresql
     - db

data/ansible/roles/postgresql/meta/main.yml

@@ -1,7 +1,2 @@
 ---
-  dependencies:
-    - {
-      role: zenoamaro.postgresql,
-      become: true,
-      notify: postgresql restart
-    }
+  dependencies:

data/ansible/roles/postgresql/tasks/main.yml

@@ -1,6 +1,64 @@
 ---
   - set_fact: postgresql_installed="true"
 
+  - name: Adding APT repository key
+    become: yes
+    apt_key:
+      id: ACCC4CF8
+      url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
+    tags:
+      - postgresql
+      - db
+      - repo
+
+  - name: Add PostgreSQL official APT repository
+    become: yes
+    apt_repository:
+      repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
+    tags:
+      - postgresql
+      - db
+      - repo
+
+  - name: Install PostgreSQL
+    become: yes
+    apt:
+      name: "{{item}}"
+      state: present
+      update_cache: yes
+      cache_valid_time: 3600
+    with_items:
+      - "postgresql-{{postgresql_version}}"
+      - "postgresql-client-{{postgresql_version}}"
+      - "libpq-dev"
+    tags:
+      - postgresql
+      - db
+      - deps
+
+  - name: "Detect python3"
+    shell: "which python3"
+    register: is_python3
+
+  - name: Ensure pip is installed (python3)
+    when: is_python3 is succeeded
+    apt:
+      name: python3-pip
+      state: present
+      update_cache: yes
+
+  - name: Install psycopg2 (python3)
+    when: is_python3 is succeeded
+    become: yes
+    command: "pip3 install psycopg2"
+
+  - name: Install psycopg2 (python2)
+    when: is_python3 is failed
+    become: yes
+    apt:
+      name: python-psycopg2
+      state: latest
+
   - name: Create postgresql user
     postgresql_user:
       name: "{{database_user}}"

data/ansible/roles/ruby-common/tasks/main.yml

@@ -87,12 +87,7 @@
   ignore_errors: yes
 
 - name: Install Bundler
-  gem:
-    name: bundler
-    version: "{{ bundler_version }}"
-    state: present
-    user_install: no
-    executable: "{{ ruby_location }}/bin/gem"
+  shell: "{{ ruby_location }}/bin/gem install bundler -v {{ bundler_version }}"
   become: true
 
 - name: Make Ruby symlinks

data/ansible/roles/zenoamaro.postgresql/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 
-postgresql_version: 9.4
+# BS -- Commenting this out to force people to
+# postgresql_version: 9.4
 
 # This will be the main admin user, which is only allowed to connect
 # from localhost, mainly for provisioning, maintenance and scripts.

data/lib/subspace/commands/base.rb

@@ -70,6 +70,10 @@ module Subspace
 
         ansible_options
       end
+
+      def set_subspace_version
+        ENV['SUBSPACE_VERSION'] = Subspace::VERSION
+      end
     end
   end
 end

data/lib/subspace/commands/maintain.rb

@@ -4,6 +4,7 @@ class Subspace::Commands::Maintain < Subspace::Commands::Base
   def initialize(args, options)
     @environment = args.first
     @options = options
+    set_subspace_version
     run
   end
 

data/lib/subspace/commands/provision.rb

@@ -4,6 +4,7 @@ class Subspace::Commands::Provision < Subspace::Commands::Base
   def initialize(args, options)
     @environment = args.first
     @options = options
+    set_subspace_version
     run
   end
 

data/lib/subspace/version.rb

@@ -1,3 +1,3 @@
 module Subspace
-  VERSION = "2.3.2"
+  VERSION = "2.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: '2.5'
 platform: ruby
 authors:
 - Brian Samson
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-10-22 00:00:00.000000000 Z
+date: 2021-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -140,7 +140,9 @@ files:
 - ansible/roles/delayed_job/tasks/main.yml
 - ansible/roles/delayed_job/templates/delayed-job-monit-rc
 - ansible/roles/letsencrypt/defaults/main.yml
+- ansible/roles/letsencrypt/tasks/legacy.yml
 - ansible/roles/letsencrypt/tasks/main.yml
+- ansible/roles/letsencrypt/tasks/modern.yml
 - ansible/roles/letsencrypt_dns/defaults/main.yml
 - ansible/roles/letsencrypt_dns/tasks/main.yml
 - ansible/roles/logrotate/LICENSE
@@ -179,6 +181,7 @@ files:
 - ansible/roles/nginx-rails/templates/_asset_cors.conf
 - ansible/roles/nginx-rails/templates/_rails.conf
 - ansible/roles/nginx-rails/templates/_upstream.conf
+- ansible/roles/nginx-rails/templates/default_server
 - ansible/roles/nginx-rails/templates/nginx-project
 - ansible/roles/nginx-rails/templates/nginx-project-ssl
 - ansible/roles/nginx/defaults/main.yml
@@ -303,7 +306,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects