subspace 2.5.10 → 3.0.0

Files changed (103)
  1. checksums.yaml +4 -4
  2. data/.ruby-version +1 -1
  3. data/CHANGELOG.md +22 -5
  4. data/README.md +105 -51
  5. data/UPGRADING.md +10 -0
  6. data/ansible/roles/common/defaults/main.yml +0 -1
  7. data/ansible/roles/common/files/sudoers-service +1 -1
  8. data/ansible/roles/common/tasks/main.yml +18 -7
  9. data/ansible/roles/common/tasks/no_swap.yml +26 -0
  10. data/ansible/roles/common/templates/motd +1 -1
  11. data/ansible/roles/common/templates/motd2 +1 -1
  12. data/ansible/roles/delayed_job/tasks/main.yml +21 -38
  13. data/ansible/roles/delayed_job/templates/delayed-job-systemd.service +33 -0
  14. data/ansible/roles/letsencrypt/defaults/main.yml +7 -7
  15. data/ansible/roles/letsencrypt/tasks/main.yml +18 -24
  16. data/ansible/roles/memcache/defaults/main.yml +2 -0
  17. data/ansible/roles/memcache/tasks/main.yml +16 -1
  18. data/ansible/roles/newrelic-infra/tasks/main.yml +3 -3
  19. data/ansible/roles/nginx/tasks/main.yml +12 -3
  20. data/ansible/roles/puma/tasks/main.yml +32 -20
  21. data/ansible/roles/puma/templates/puma-systemd.service +37 -0
  22. data/ansible/roles/puma/templates/puma-systemd.socket +14 -0
  23. data/ansible/roles/puma/templates/puma.rb +4 -2
  24. data/ansible/roles/rails/defaults/main.yml +0 -7
  25. data/ansible/roles/redis/tasks/main.yml +28 -3
  26. data/ansible/roles/resque/tasks/main.yml +11 -12
  27. data/ansible/roles/resque/templates/resque-systemd.service +10 -3
  28. data/ansible/roles/ruby-common/tasks/main.yml +1 -16
  29. data/ansible/roles/sidekiq/defaults/main.yml +1 -1
  30. data/ansible/roles/sidekiq/tasks/main.yml +11 -15
  31. data/ansible/roles/sidekiq/templates/sidekiq-monit-rc +1 -1
  32. data/ansible/roles/sidekiq/templates/sidekiq-systemd.service +63 -0
  33. data/ansible/roles/tailscale/defaults/main.yml +2 -0
  34. data/ansible/roles/tailscale/tasks/main.yml +22 -0
  35. data/bin/console +0 -4
  36. data/exe/subspace +1 -2
  37. data/lib/subspace/cli.rb +51 -14
  38. data/lib/subspace/commands/ansible.rb +12 -3
  39. data/lib/subspace/commands/base.rb +20 -5
  40. data/lib/subspace/commands/bootstrap.rb +16 -21
  41. data/lib/subspace/commands/configure.rb +2 -2
  42. data/lib/subspace/commands/exec.rb +20 -0
  43. data/lib/subspace/commands/init.rb +94 -45
  44. data/lib/subspace/commands/inventory.rb +54 -0
  45. data/lib/subspace/commands/maintain.rb +1 -1
  46. data/lib/subspace/commands/provision.rb +1 -3
  47. data/lib/subspace/commands/secrets.rb +69 -0
  48. data/lib/subspace/commands/ssh.rb +14 -8
  49. data/lib/subspace/commands/terraform.rb +83 -0
  50. data/lib/subspace/inventory.rb +144 -0
  51. data/lib/subspace/version.rb +1 -1
  52. data/subspace.gemspec +8 -2
  53. data/template/{provision → subspace}/.gitignore +3 -0
  54. data/template/{provision → subspace}/ansible.cfg.erb +2 -2
  55. data/template/subspace/group_vars/all.erb +28 -0
  56. data/template/subspace/group_vars/template.erb +26 -0
  57. data/template/{provision → subspace}/hosts.erb +0 -0
  58. data/template/subspace/inventory.yml.erb +11 -0
  59. data/template/{provision → subspace}/playbook.yml.erb +2 -5
  60. data/template/{provision/vars → subspace/secrets}/template.erb +0 -0
  61. data/template/{provision → subspace}/templates/application.yml.template +0 -0
  62. data/template/subspace/templates/authorized_keys.erb +1 -0
  63. data/template/subspace/terraform/.gitignore +2 -0
  64. data/template/subspace/terraform/template/main-oxenwagen.tf.erb +116 -0
  65. data/template/subspace/terraform/template/main-workhorse.tf.erb +41 -0
  66. data/template/subspace/terraformrc.erb +9 -0
  67. data/terraform/modules/s3_backend/README +2 -0
  68. data/terraform/modules/s3_backend/dynamodb.tf +1 -0
  69. data/terraform/modules/s3_backend/iam_user.tf +38 -0
  70. data/terraform/modules/s3_backend/main.tf +39 -0
  71. data/terraform/modules/s3_backend/state_bucket.tf +14 -0
  72. metadata +41 -55
  73. data/ansible/roles/awscli/tasks/main.yml +0 -10
  74. data/ansible/roles/delayed_job/meta/main.yml +0 -5
  75. data/ansible/roles/letsencrypt_dns/defaults/main.yml +0 -4
  76. data/ansible/roles/letsencrypt_dns/tasks/main.yml +0 -133
  77. data/ansible/roles/monit/files/monit-http.conf +0 -3
  78. data/ansible/roles/monit/files/sudoers-monit +0 -1
  79. data/ansible/roles/monit/handlers/main.yml +0 -14
  80. data/ansible/roles/monit/tasks/main.yml +0 -34
  81. data/ansible/roles/mtpereira.passenger/.bumpversion.cfg +0 -7
  82. data/ansible/roles/mtpereira.passenger/.gitignore +0 -2
  83. data/ansible/roles/mtpereira.passenger/LICENSE +0 -20
  84. data/ansible/roles/mtpereira.passenger/README.md +0 -31
  85. data/ansible/roles/mtpereira.passenger/defaults/main.yml +0 -5
  86. data/ansible/roles/mtpereira.passenger/handlers/main.yml +0 -8
  87. data/ansible/roles/mtpereira.passenger/meta/.galaxy_install_info +0 -1
  88. data/ansible/roles/mtpereira.passenger/meta/main.yml +0 -21
  89. data/ansible/roles/mtpereira.passenger/tasks/apt.yml +0 -13
  90. data/ansible/roles/mtpereira.passenger/tasks/main.yml +0 -8
  91. data/ansible/roles/mtpereira.passenger/tasks/pkg.yml +0 -35
  92. data/ansible/roles/mtpereira.passenger/tasks/service.yml +0 -8
  93. data/ansible/roles/passenger/files/sudoers-passenger +0 -1
  94. data/ansible/roles/passenger/meta/main.yml +0 -6
  95. data/ansible/roles/passenger/tasks/main.yml +0 -5
  96. data/ansible/roles/postgis/defaults/main.yml +0 -2
  97. data/ansible/roles/puma/defaults/main.yml +0 -5
  98. data/ansible/roles/puma/meta/main.yml +0 -5
  99. data/ansible/roles/sidekiq/meta/main.yml +0 -5
  100. data/lib/subspace/commands/vars.rb +0 -48
  101. data/template/provision/group_vars/all.erb +0 -17
  102. data/template/provision/group_vars/template.erb +0 -11
  103. data/template/provision/host_vars/template.erb +0 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 19de34c265cd2948a3dc40c63d8974f76e5a4ce63a014eb2fe19db81181cf2ea
4
- data.tar.gz: efeab17b834a3e09270c9ae2a94976f635e92eb890ae218324029d11dc139a92
3
+ metadata.gz: b24a2573b737094142caaf93e8b7380b4f4bf756c611fe81012a9adcc0d8d026
4
+ data.tar.gz: c0fe4b9c23cf613c28ddf832a4bf67ac48055fcc51a32b1ffe8ebc4ad143d14a
5
5
  SHA512:
6
- metadata.gz: b1137de151178b6960cf83438b05b0ba674b7918b56387fd1dfc2932647231d2fdb5225dddbdbef47849c84aca0dd6b340124c917396cce4a4022fea31bf0417
7
- data.tar.gz: a9a78b1cae0a192319455041009f0bbe0ba1f928262b96c8fe357dd21dc6b4d5557ce375988ce44735cdefedae7d5f83a98573e7d87394b27a1918976786a1fb
6
+ metadata.gz: a758a05af7793e9f5ee377f1008238678ee94d5fc3d5ff5e03289cb4b1736288e3d829efa36440b3744045358a5340ae4934107fd29a034bda9042b4cfcc9254
7
+ data.tar.gz: da042e9f7c0f6871ac50bb64c3525ef4ce54bdcebd9ed1b3bdb6d5a8602332dd93551a47f1fda97215c1180d9550e9f87bf0030453c1f9f5d388c3dc944eeaca
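--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.7.4
+3.1.0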
data/CHANGELOG.md CHANGED
@@ -11,16 +11,33 @@ This project attempts to follow [semantic versioning](https://semver.org/).
11
11
  * Stops showing color if you `sudo su`
12
12
 
13
13
  ## Unreleased
14
- ## 2.5.10
15
- * Backport the fix for ansible's change of get_url checksum arguments
16
14
 
17
- ## 2.5.9
18
- * backport disabling mitogen
15
+ ## 3.0.0
16
+ * Install redis from vendor repos (BREAKING, see README)
17
+ * Removed outdated awscli role
18
+ * Added `subspace secrets rekey` to generate and rekey ansible-vault secrets
19
+ * Update tailscale role
20
+ * Don't default to using pemfile (use tailscale instead!)
21
+ * Add `subspace inventory keyscan` to fix ssh fingerprints
22
+ * Use `sidekiq_workers` var in systemd
23
+ * Tailscale hostname is now {{project_name}}-{{hostname}}
24
+
25
+ ## 3.0.0.rc1
26
+ * Added infrastructure management via Terraform!
27
+ * Added new `subspace exec` command for manual remote management
28
+ * BREAKING: Consolidated inventory file into config/provision/inventory.env.yml
29
+ * No more hosts file
30
+ * No more host_vars directory
31
+ * No more group_vars directory
32
+ * All of the host/group configuration is in that one file now!
33
+ * BREAKING: `subspace vars` is now `subspace secrets`
34
+ * BREAKING: sidekiq_concurrency renamed to sidekiq_workers, default changed from 10 -> 1
35
+ * BREAKING: swap_space variable must be defined for the `common` ansible role (previously defaulted to 512MB)
36
+ * BREAKING: removed defaults from rails, postgis, puma roles
19
37
 
20
38
  ## 2.5.8
21
39
  * Add a new role for configuring a monit-based resque server
22
40
  * Auto-detect mitogen for speed
23
-
24
41
  ## 2.5.7
25
42
  * Add ability to set the timezone for servers instead of forcing to Central Time
26
43
  * Update puma configuration to support puma 5 with puma-daemon
data/README.md CHANGED
@@ -32,13 +32,23 @@ Or install it yourself as:
32
32
 
33
33
  $ gem install subspace
34
34
 
35
+ ### Mitogen
36
+ Optionally, you can install a python/pip packaged called "Mitogen" which dramatically speeds up running ansible over ssh. See [Here](https://github.com/mitogen-hq/mitogen/blob/master/docs/ansible_detailed.rst) for details.
37
+
38
+ pip install mitogen
39
+
40
+ Subspace will try and detect if mitogen is present and use it can. If mitogen causes problems (sometimes it can cause problems depending on the system versions, and particaularly when brand new versions of anible come up and it hasn't updated), you can disable it:
41
+
42
+ DISABLE_MITOGEN=1 subspace provision env
35
43
  ## Usage
36
44
 
37
45
  ### `subspace init`
38
46
 
39
- Initialize the project for subspace. Creates `config/provision` with all
47
+ Initialize the project for subspace. Creates `config/subspace` with all
40
48
  necessary files.
41
49
 
50
+ Subspace 3 supports terraform. You will need to create an IAM user manually with administrative access to the target AWS environment for terraform.
51
+
42
52
  ### `subspace bootstrap <environment>`
43
53
 
44
54
  Ensures the $HOME/.ssh directory is present and ensures python is installed.
@@ -56,7 +66,7 @@ At the time of this writing, we pass through the `ansible-playbook` "tags" and
56
66
  "start-at-task" options. The tags option is probably the most useful.
57
67
 
58
68
  e.g. To run only the alienvault tasks (all of which have been tagged with the
59
- 'alienvault' tag): `subspace provision dev --tags=alienvault`
69
+ 'alienvault' tag): `subspace provision staging --tags=alienvault`
60
70
 
61
71
  ### `subspace maintain <environment>`
62
72
 
@@ -91,11 +101,23 @@ common | authorized\_keys | updates the authorized\_keys file for t
91
101
  rails | appyml |
92
102
  monit | monit | All tasks in the monit role have been tagged 'monit'
93
103
 
94
- ### `subspace vars <environment> [--edit] [--create]`
104
+ ### `subspace secrets <environment> [--edit] [--create]`
105
+
106
+ The `secrets` command will manage encrypted secrets for different environments. The default action is simply to show the secrets defined for an environment. Pass --edit to edit them in the system editor (vim, etc).
107
+
108
+ This uses `ansible-vault` under the hood and requires a vault password file. You will need to get the `.vault_pass` from from a teammate out of band (secrets.10fw.ne, 1password, sticky-note, etc), and put it into `config/provision/.vault_pass`
109
+
110
+ These secrets are used during provisioning to populate variables in a few different places:
111
+ 1. `config/application.yml`, which uses the `figaro` gem to manage environment variables in rails.
112
+ 2. `config/database.yml`, which handles the database connection password.
113
+
114
+
115
+ Subspace uses a template file in `config/provision/templates/application.yml.template` that contains environment variables for all environments. If you have non-secret variables that change based on the target server, you can simply put that in plaintext in the template file. This was designed so the configuration that is not secret is visible and version controlled, while the secret values are stored in the vault files for their environments.
95
116
 
96
- Manage environment variables on different platforms. The default action is simply to show the vars defined for an environment. Pass --edit to edit them in the system editor.
117
+ NOTE: application.yml should be in the `.gitignore`, since subspace creates a new version on the server and symlinks it on top of whatever is checked in. You should make changes to the template file instead, which should be checked in to version control.
97
118
 
98
- The new system uses a file in `config/provision/templates/application.yml.template` that contains environment variables for all environments. The configuration that is not secret is visible and version controlled, while the secrets are stored in the vault files for their environments. The default file created by `subspace init` looks like this:
119
+
120
+ The default template created by `subspace init` looks like this:
99
121
 
100
122
  ```
101
123
  # These environment variables are applied to all environments, and can be secret or not
@@ -103,13 +125,13 @@ The new system uses a file in `config/provision/templates/application.yml.templa
103
125
  # This is secret and can be changed on all three environment easily by using subspace vars <env> --edit
104
126
  SECRET_KEY_BASE: {{secret_key_base}}
105
127
 
106
- #This is not secret, and is the same value for all environments
128
+ # This is not secret, and is the same value for all environments
107
129
  ENABLE_SOME_FEATURE: false
108
130
 
109
131
  development:
110
132
  INSECURE_VARIABLE: "this isn't secret"
111
133
 
112
- dev:
134
+ staging:
113
135
  INSECURE_VARIABLE: "but it changes"
114
136
 
115
137
  production:
@@ -117,14 +139,12 @@ production:
117
139
 
118
140
  ```
119
141
 
120
- Further, you can use the extremely command to create a local copy of `config/application.yml`
142
+ You can also use this command to automatically create a local version of `config/application.yml` based on the template and encrypted secrets for a specific environment.
121
143
 
122
- # Create a local copy of config/application.yml with the secrets encrypted in vars/development.yml
144
+ # Create a local copy of config/application.yml with the secrets encrypted in secrets/development.yml
123
145
  $ subspace vars development --create
124
146
 
125
- This can get you up and running in development securely, the only thing you need to distribute to new team members is the vault password. Grab it from a teammate and put it into `config/provision/.vault_pass`
126
-
127
- NOTE: application.yml should be in the `.gitignore`, since subspace creates a new version on the server and symlinks it on top of whatever is checked in.
147
+ This can get you up and running quickly in development securely.
128
148
 
129
149
  ## Procedure for updating on projects
130
150
 
@@ -136,13 +156,13 @@ Then,
136
156
 
137
157
  * `subspace provision production`
138
158
 
139
- If you get an error saying you need a vault password file, you should be able to find it in 1Password. You might also need to update `ansible`.
159
+ If you get an error saying you need a vault password file, you need to get it from somoene on the team (see above). You might also need to update `ansible`.
140
160
 
141
- You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with dev and work your way up.
161
+ You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with staging and work your way up.
142
162
 
143
163
  # Host configuration
144
164
 
145
- We need to know some info about hosts, but not much. See the files for details, it's mostly the hostname and the user that can administer the system, eg `ubuntu` on AWS/ubuntu, `ec2-user`, or even `root` (not recommended)
165
+ We need to know some info about hosts, but not much. See the files for details, it's mostly the hostname and the user that can administer the system, eg `ubuntu` on AWS/ubuntu, `ec2-user`, or even `root` (not recommended, but used on linode/Digital Ocean)
146
166
 
147
167
  # Role Configuration
148
168
 
@@ -202,8 +222,7 @@ Aside from basic statistics like free memory, disk, load averages, etc, we have
202
222
  3. If nginx is installed, it will collect stats from the "status port"
203
223
  4. (TODO) add something for pumas
204
224
  5. (TODO) add something for sidekiq
205
- 6. (TODO) add something for memcache
206
- 7. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
225
+ 6. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
207
226
 
208
227
  rails_lograge: true
209
228
 
@@ -242,20 +261,34 @@ Defaults:
242
261
 
243
262
  ## letsencrypt
244
263
 
245
- By default, this creates a single certificate for every server alias/server name in the configuration file.
246
- If you'd like more control over the certs created, you can define the variables `le_ssl_certs` as follows:
264
+ This creates a single certificate for every server alias/server name in the configuration file.
265
+
266
+ letsencrypt_email: "me@example.com"
267
+ server_name: app.example.com
268
+
269
+
270
+ If you'd like more control over the cert, you can customize the variable `le_ssl_cert` as follows:
271
+
272
+ le_ssl_cert:
273
+ cert_name: "{{server_name}}"
274
+ preferred_challenges: "http"
275
+ plugin: standalone
276
+ domains: "{{ [server_name] + server_aliases }}"
277
+
278
+ For example, to force a manual DNS challenge you can do the following:
279
+
280
+ le_ssl_cert:
281
+ cert_name: star_example
282
+ preferred_challenges: dns
283
+ plugin: manual
284
+ domains:
285
+ - example.com
286
+ - "*.example.com"
247
287
 
248
- le_ssl_certs:
249
- - cert_name: mycert
250
- domains:
251
- - mydomain.example.com
252
- - otherdomain.example.com
253
- - cert_name: othersite
254
- domains:
255
- - othersite.example.com
288
+ (you will need to futz around the first time and manually install the DNS record, but it should work on renewals)
289
+
290
+ Note that this role needs to be included _before_ the webserver (apache or nginx) role
256
291
 
257
- Note that this role needs to be included _before_ the webserver (apache or
258
- nginx) role
259
292
 
260
293
  ## logrotate
261
294
 
@@ -274,18 +307,19 @@ Installs logrotate and lets you configure logs for automatic rotation. Example
274
307
 
275
308
  ## memcache
276
309
 
277
- ## monit
278
-
279
- ## mysql
310
+ Installs memcache on the server. By default, memcache will only listen on localhost which needs to be changed if other servers needs to connect.
280
311
 
281
- ## mysql2_gem
312
+ # Default Value
313
+ memcache_bind: "127.0.0.1"
282
314
 
283
- ## newrelic
315
+ # bind to all interfaces
316
+ memcache_bind: "0.0.0.0"
284
317
 
285
318
  ## newrelic-infra
286
319
  This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
287
320
 
288
321
  Variables:
322
+
289
323
  # Required, the newrelic license key you get after signing up.
290
324
  newrelic_license: "longhashthingyougetfromnewrelichere"
291
325
  # Optional - send logs to newrelic one's log aggregator.
@@ -328,7 +362,14 @@ Optional variables:
328
362
 
329
363
  ## nodejs
330
364
 
331
- Used to install recent version of NodeJS. Must set `nodejs_version`. e.g. `nodejs_version: "8.x"`
365
+ Used to install different versions of NodeJS. This uses NodeSource's apt repositories. You must define a variable called `nodejs_version` and choose a major version supported by NodeSource:
366
+
367
+ nodejs_version: 14.x
368
+ nodejs_version: 17.x
369
+ nodejs_version: lts
370
+ nodejs_version: current
371
+
372
+ The full list of distributions is here: https://github.com/nodesource/distributions#installation-instructions
332
373
 
333
374
  ## papertrail
334
375
 
@@ -344,35 +385,49 @@ Used to install recent version of NodeJS. Must set `nodejs_version`. e.g. `nodej
344
385
  database_user: "{{project_name}}"
345
386
 
346
387
  ## puma
388
+ Use the puma app server for your rails app. Usually combined with nginx to server as a static file server and reverse proxy.
389
+
390
+ **Prerequesites:**
391
+ - add `gem puma` to your gemfile
392
+ - add `config/puma/` to the `linked_dirs` config in capistrano's `deploy.rb`
347
393
 
348
- add puma gem to gemfile
349
- add config/puma to symlinks in deploy.rb
394
+ This role will generate a reasonable `puma.rb` and configure it to be controlled by systemd.
350
395
 
396
+ **Variables:**
397
+
398
+ puma_workers: 1 # Puma process count (usually == vCPU count)
399
+ puma_min_threads: 4 # Min threads/process
400
+ puma_max_threads: 16 # Max threads/process
351
401
 
352
402
  ## rails
353
403
 
354
404
  Provisions for a rails app. This one is probably pretty important.
355
405
 
356
- Default values (these are usually fine)
406
+ We no longer provider default values, so make sure to define all the following variables:
357
407
 
408
+ rails_env: production
358
409
  database_pool: 5
359
410
  database_name: "{{project_name}}_{{rails_env}}"
360
411
  database_user: "{{project_name}}"
412
+ database_host: localhost
413
+ database_adapter: postgresql
414
+ database_password: # usually defined in the encrypted vault
361
415
  job_queues:
362
416
  - default
363
417
  - mailers
364
418
 
365
- Customize:
366
-
367
- rails_env: [whatever]
368
-
369
419
  ## redis
370
420
 
371
421
  Installs redis on the server.
372
422
 
373
- # Change to * if you want tthis available everywhere.
423
+ # Change to * if you want this available everywhere instead of localhost
374
424
  redis_bind: 127.0.0.1
375
425
 
426
+ As of Subspace 3.0, this uses the official redis apt repo instead of the debian/ubuntu ones. If you previously had installed redis from the distro, you will need to manually uninstall, purge, and reinstall. This should not delete any data but back it up just in case.
427
+
428
+ sudo apt-get purge redis-server
429
+ sudo apt-get install redis-server
430
+
376
431
  ## resque
377
432
 
378
433
  Install monitoring and automatic startup for resque workers via monit. You MUST set the `job_queues` variable as follows:
@@ -381,12 +436,15 @@ Install monitoring and automatic startup for resque workers via monit. You MUST
381
436
  - default
382
437
  - mailers
383
438
  - exports
439
+
440
+ redis_bind: "*"
441
+
384
442
  ## ruby-common
385
443
 
386
444
  Installs ruby on the machine. YOu can set a version by picking off the download url and sha hash from ruby-lang.org
387
445
 
388
446
  ruby_version: ruby-2.4.1
389
- ruby_checksum: sha256:a330e10d5cb5e53b3a0078326c5731888bb55e32c4abfeb27d9e7f8e5d000250
447
+ ruby_checksum: a330e10d5cb5e53b3a0078326c5731888bb55e32c4abfeb27d9e7f8e5d000250
390
448
  ruby_download_location: 'https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz'
391
449
  bundler_version: 2.0.1
392
450
 
@@ -395,13 +453,13 @@ Installs ruby on the machine. YOu can set a version by picking off the download
395
453
 
396
454
  This will install a monit script that keeps sidekiq running. We spawn one sidekiq instance that manages as many queues as you need. Varaibles of note:
397
455
 
398
- # Process these background job queues
456
+ # Process these queues on this server
399
457
  job_queues:
400
458
  - default
401
459
  - mailers
402
460
 
403
461
  # Number of sidekiq *processes* to run
404
- sidekiq_concurrency: 1
462
+ sidekiq_workers: 1
405
463
 
406
464
  * Note that as of v0.4.13, we now also add a unique job queue for each host with its hostname. This is handy if you need to assign a job to a specific host. In general you should use named queues, but occasionally this is useful and there's no harm in having it there unused.
407
465
 
@@ -425,11 +483,7 @@ In order to dramatically speed up ansible, you can install Mitogen: https://gith
425
483
 
426
484
  pip install -g mitogen
427
485
 
428
- Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast. Sometimes this can cause issues with older servers that have weird pythons, so if you have mitogen installed locally but dont wan't to use it, you can set an environment variable:
429
-
430
- DISABLE_MITOGEN=1 subspace provision staging
431
-
432
-
486
+ Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
433
487
 
434
488
 
435
489
  ## Directory Structure
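--- a/data/UPGRADING.md
+++ b/data/UPGRADING.md
@@ -0,0 +1,10 @@
+# Subspace Upgrade Guide
+
+
+# 2.x -> 3.0
+
+- Run subspace init
+- Someone write subspace upgrade3 please
+
+# 2.x -> 2.y
+We strive to follow semver so upgrading from 2.x to 2.y should be safe. However, since use of this tool can affect your production infrastructure, we highly recommend reviewing the [CHANGELOG](CHANGELOG.md) when upgrading.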
@@ -1,5 +1,4 @@
1
1
  ---
2
- swap_space: 512M
3
2
  deploy_user: deploy
4
3
  send_stats: false
5
4
  timezone: America/Chicago
@@ -1 +1 @@
1
- deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service
1
+ deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service, /bin/systemctl
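Review bot: The new sudoers line still grants `deploy` passwordless root for the whole of `systemctl` (now at both `/usr/bin/systemctl` and `/bin/systemctl`), which is root-equivalent: a user who may run any `systemctl` verb as root can `systemctl link`/`enable` a unit file they wrote themselves and have it executed as root, or `systemctl edit` an existing unit. This file exists so the deploy user can bounce the app services this release moves to systemd (puma, sidekiq, delayed_job, resque), so scoping the rule to those verbs and unit names closes the hole, e.g. `deploy ALL=(root) NOPASSWD: /bin/systemctl restart puma*, /bin/systemctl restart sidekiq*, /bin/systemctl restart delayed_job_*` (add `start`/`stop`/`reload` variants as the roles need them). `/usr/sbin/service` is kept unrestricted too; if it is still needed it deserves the same per-service restriction, otherwise drop it now that the monit/passenger roles that used it are gone.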
@@ -64,6 +64,14 @@
64
64
  tags:
65
65
  - maintenance
66
66
 
67
+ - name: apt-get update
68
+ apt: update_cache=yes cache_valid_time=86400
69
+ become: true
70
+ tags:
71
+ - upgrade
72
+ - maintenance
73
+ ignore_errors: yes
74
+
67
75
  - name: install aptitude
68
76
  apt:
69
77
  pkg: aptitude
@@ -72,12 +80,11 @@
72
80
  tags:
73
81
  - maintenance
74
82
 
75
- - name: apt-get update
76
- apt: update_cache=yes cache_valid_time=86400
77
- become: true
78
- tags:
79
- - upgrade
80
- - maintenance
83
+ - name: "Ensure systemd is installed"
84
+ apt:
85
+ name: systemd
86
+ state: latest
87
+ update_cache: yes
81
88
 
82
89
  - name: Add ppa:ondrej/nginx apt repository for TLS 1.3
83
90
  apt_repository:
@@ -276,7 +283,7 @@
276
283
 
277
284
  - name: Update authorized_keys for deploy user
278
285
  copy:
279
- src: authorized_keys
286
+ src: templates/authorized_keys
280
287
  dest: "/home/{{deploy_user}}/.ssh/authorized_keys"
281
288
  owner: "{{deploy_user}}"
282
289
  become: true
@@ -320,3 +327,7 @@
320
327
  - stats
321
328
 
322
329
  - import_tasks: swap.yml
330
+ when: swap_space is defined
331
+
332
+ - import_tasks: no_swap.yml
333
+ when: swap_space is not defined
@@ -0,0 +1,26 @@
1
+ ---
2
+ - name: turn off swap
3
+ become: true
4
+ command: swapoff -a
5
+
6
+ - name: set swapiness
7
+ become: true
8
+ sysctl:
9
+ name: vm.swappiness
10
+ value: "0"
11
+
12
+ - name: delete swap file
13
+ become: true
14
+ file:
15
+ path: /swapfile
16
+ state: absent
17
+
18
+ - name: remove from fstab
19
+ become: true
20
+ lineinfile:
21
+ dest: /etc/fstab
22
+ regexp: /swapfile
23
+ line: "/swapfile none swap sw 0 0"
24
+ state: absent
25
+
26
+
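Review bot: `swapoff -a` in the new `turn off swap` task disables every active swap device, not just the `/swapfile` the rest of this file removes, and it runs on every play because the `command` has no `creates`/`removes` guard and no `changed_when`. Since this release also drops the `swap_space: 512M` default and routes into `no_swap.yml` whenever the variable is undefined, a project that upgrades without adding `swap_space` silently loses all swap on its next provision, which on a small instance can push puma/sidekiq into the OOM killer. Scoping the task to what this role manages and making it idempotent is a two-line change: `command: swapoff /swapfile` with `args: {removes: /swapfile}`, tolerating the case where the file exists but is not active (`failed_when: false` or a `when: ansible_swaptotal_mb > 0`). A short header comment stating that this file only removes a subspace-managed `/swapfile` would also make the intent clear to operators who see swap disappear.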
@@ -8,6 +8,6 @@ This server brought to you by:
8
8
  ~~~ https://github.com/tenforwardconsulting/subspace ~~~
9
9
 
10
10
  If you need to make configuration changes to the server, please modify the
11
- config/provision directory in the app or risk the changes disappearing.
11
+ config/subspace directory in the app or risk the changes disappearing.
12
12
 
13
13
  Last subspace run: {{ansible_date_time.iso8601}}
@@ -21,4 +21,4 @@
21
21
  https://github.com/tenforwardconsulting/subspace
22
22
 
23
23
  If you need to make configuration changes to the server, please modify the
24
- config/provision directory in the app or risk the changes dissapearing.
24
+ config/subspace directory in the app or risk the changes dissapearing.
@@ -1,45 +1,28 @@
1
1
  ---
2
2
  - set_fact: delayed_job_installed="true"
3
3
 
4
- - name: Monit Stop All
5
- shell: monit stop all
4
+ - name: Install systemd delayed_job script
6
5
  become: true
7
- ignore_errors: yes
8
-
9
- - name: Wait for monit to stop
10
- shell: monit status | grep Monitored | wc -l | awk '{print $1 $2}'
11
- register: monit_stopped
12
- retries: 10
13
- until: monit_stopped.stdout == "0"
14
- delay: 10
15
- become: true
16
-
17
- - name: Install delayed_job monit script
6
+ vars:
7
+ job_queue: "{{ item }}"
8
+ loop_index: "{{ loop_index }}"
18
9
  template:
19
- src: delayed-job-monit-rc
20
- dest: /etc/monit/conf.d/delayed_job_{{project_name}}_{{rails_env}}
10
+ src: delayed-job-systemd.service
11
+ dest: /etc/systemd/system/delayed_job_{{ item }}{{ loop_index }}.service
12
+ loop: "{{ job_queues }}"
13
+ loop_control:
14
+ index_var: loop_index
15
+ loop_var: item
16
+
17
+ - name: Enable systemd delayed_job service
21
18
  become: true
19
+ systemd:
20
+ name: "delayed_job_{{ item }}{{ loop_index }}"
21
+ daemon_reload: true
22
+ enabled: yes
23
+ state: started
24
+ loop: "{{ job_queues }}"
25
+ loop_control:
26
+ loop_var: item
27
+ index_var: loop_index
22
28
 
23
- - name: Remove old upstart files
24
- file:
25
- path: /etc/init/delayed-job.conf
26
- state: absent
27
- become: true
28
-
29
- - name: Remove old monit files
30
- file:
31
- path: /etc/monit/conf.d/delayed_job
32
- state: absent
33
- become: true
34
-
35
- - name: reload_monit
36
- shell: monit reload
37
- become: true
38
-
39
- - name: wait
40
- pause:
41
- seconds: 3
42
-
43
- - name: restart_monit
44
- shell: monit restart all
45
- become: true
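Review bot: The monit cleanup this role used to perform is deleted along with the monit integration, but nothing now removes the `/etc/monit/conf.d/delayed_job_{{project_name}}_{{rails_env}}` stanza that 2.x installed, so a host upgraded in place keeps a monit entry that starts and stops delayed_job independently of the new systemd units and the two supervisors will fight over the pid files. A one-shot migration task such as `file: { path: "/etc/monit/conf.d/delayed_job_{{project_name}}_{{rails_env}}", state: absent }` with `become: true` (plus the old `/etc/monit/conf.d/delayed_job` and `/etc/init/delayed-job.conf` paths the removed tasks covered) closes that gap. The `vars: loop_index: "{{ loop_index }}"` entry on the template task is self-referential; it appears to work only because the `index_var` set by `loop_control` takes precedence over task `vars`, so it can simply be dropped, leaving `job_queue: "{{ item }}"` as the only mapping the template needs. The unit name `delayed_job_{{ item }}{{ loop_index }}` is built from raw queue names, so a queue containing characters outside systemd's unit-name set (e.g. spaces or `/`) produces an invalid unit — worth normalising with a `regex_replace` filter before use.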
@@ -0,0 +1,33 @@
1
+ [Unit]
2
+ Description=Start delayed_job_{{job_queue}}{{loop_index}} instance
3
+ After=syslog.target network.target
4
+
5
+ [Service]
6
+ Type=simple
7
+
8
+ # Uncomment this if you are going to use this as a system service
9
+ # if using as a user service then leave commented out, or you will get an error trying to start the service
10
+ # !!! Change this to your deploy user account if you are using this as a system service !!!
11
+ User=deploy
12
+ Group=deploy
13
+ UMask=0002
14
+
15
+ Environment=RAILS_ENV={{rails_env}}
16
+
17
+ WorkingDirectory=/u/apps/{{project_name}}/current
18
+ ExecStart=/usr/local/bin/bundle exec {{delayed_job_command}} --identifier={{job_queue}}{{loop_index}} --queue={{job_queue}} start
19
+ ExecStop=/usr/local/bin/bundle exec {{delayed_job_command}} --identifier={{job_queue}}{{loop_index}} --queue={{job_queue}} stop
20
+ TimeoutSec=120
21
+ PIDFile=/u/apps/{{project_name}}/shared/tmp/pids/delayed_job_{{job_queue}}{{loop_index}}.pid
22
+
23
+ # if we crash, restart
24
+ RestartSec=1
25
+ Restart=on-failure
26
+
27
+ StandardOutput=syslog
28
+ StandardError=syslog
29
+ # This will default to "bundler" if we don't specify it
30
+ SyslogIdentifier=delayed_job
31
+
32
+ [Install]
33
+ WantedBy=multi-user.target
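Review bot: `User=deploy` and `Group=deploy` are hard-coded while the rest of the common role (and the `authorized_keys` task in this same release) parametrise the account as `{{deploy_user}}`, so a project that overrides `deploy_user` gets workers that run as the wrong account or fail to start; the stale `# Uncomment this ...` commentary above those lines should go with the fix. `PIDFile=` is only honoured for `Type=forking`, so under `Type=simple` it is dead configuration, and if `{{delayed_job_command}} … start` daemonises (delayed_job's `start` forks into the background by default) systemd will see the launcher exit and consider the service stopped, with `Restart=on-failure` not firing on a zero exit — either run the worker in the foreground (`run` instead of `start`, dropping `ExecStop`) or switch to `Type=forking`; which applies depends on the command the role passes in, which is outside this template. Because this unit runs application code as the deploy user on a systemd host, two cheap hardening lines are worth adding under `[Service]`: `NoNewPrivileges=true` and `PrivateTmp=true`. `StandardOutput=syslog`/`StandardError=syslog` are deprecated on current systemd in favour of `journal`; the `SyslogIdentifier` still applies either way.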
@@ -1,12 +1,12 @@
1
1
  ---
2
2
  certbot_dir: "/opt/certbot"
3
- apache_ssl_config: |
4
- SSLCertificateFile /etc/letsencrypt/live/{{server_name}}/cert.pem
5
- SSLCertificateKeyFile /etc/letsencrypt/live/{{server_name}}/privkey.pem
6
- Include /etc/letsencrypt/options-ssl-apache.conf
7
- SSLCertificateChainFile /etc/letsencrypt/live/{{server_name}}/chain.pem
3
+ le_ssl_cert:
4
+ cert_name: "{{server_name}}"
5
+ preferred_challenges: "http"
6
+ plugin: standalone
7
+ domains: "{{ [server_name] + server_aliases }}"
8
8
 
9
9
  nginx_ssl_config: |
10
- ssl_certificate /etc/letsencrypt/live/{{server_name}}/fullchain.pem;
11
- ssl_certificate_key /etc/letsencrypt/live/{{server_name}}/privkey.pem;
10
+ ssl_certificate /etc/letsencrypt/live/{{le_ssl_cert.cert_name}}/fullchain.pem;
11
+ ssl_certificate_key /etc/letsencrypt/live/{{le_ssl_cert.cert_name}}/privkey.pem;
12
12
  include /etc/letsencrypt/options-ssl-nginx.conf;
@@ -41,15 +41,25 @@
41
41
  delay: 1
42
42
  state: stopped
43
43
 
44
- - name: Run default
45
- when: le_ssl_certs is not defined
44
+ - name: Generate SSL Certificate
46
45
  become: true
47
- command: "{{certbot_bin}} certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --cert-name {{server_name}} --standalone --agree-tos --expand --non-interactive"
48
-
49
- - name: Generate SSL Certificates
50
- become: true
51
- with_items: "{{le_ssl_certs|default([])}}"
52
- command: "{{certbot_bin}} certonly --email {{letsencrypt_email}} --domains {{item.domains | join(',')}} --cert-name {{item.cert_name}} --standalone --agree-tos --expand --non-interactive"
46
+ command:
47
+ argv:
48
+ - "{{ certbot_bin }}"
49
+ - certonly
50
+ - "--email"
51
+ - "{{ letsencrypt_email }}"
52
+ - "--domains"
53
+ - "{{ le_ssl_cert.domains | join(',') }}"
54
+ - "--preferred-challenges"
55
+ - "{{ le_ssl_cert.preferred_challenges }}"
56
+ - "--cert-name"
57
+ - "{{ le_ssl_cert.cert_name }}"
58
+ - "--{{ le_ssl_cert.plugin }}"
59
+ - "--manual-auth-hook=/bin/yes"
60
+ - "--agree-tos"
61
+ - "--expand"
62
+ - "--non-interactive"
53
63
 
54
64
  - name: Update nginx default options
55
65
  when: "'nginx' in role_names"
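Review bot: The rebuilt `Generate SSL Certificate` command passes `--manual-auth-hook=/bin/yes` for every `le_ssl_cert.plugin`, together with `--non-interactive`, so for the `plugin: manual` / `preferred_challenges: dns` case the README now advertises certbot is told the challenge record is in place by a hook that places nothing; the first run cannot validate (hence the README's "futz around manually" caveat) and, because certbot stores the hook in the renewal config, the `certbot renew` cron later in this file will silently never publish the TXT record and the certificate will lapse. Add the hook only `when: le_ssl_cert.plugin == 'manual'` and point it at a script that actually creates the record via the DNS provider's API, or document the manual path as requiring an operator-run `certbot` for first issue and for every renewal. `/bin/yes` also never exits on its own; how certbot handles a hook that does not terminate is something to verify before keeping it even as a placeholder. Separately, the `Update nginx default options` task that follows (next hunk) still fetches `options-ssl-nginx.conf` from the certbot repo's `master` branch with no `checksum:`, so the TLS cipher/protocol policy applied to every provisioned host is whatever that branch holds at provision time — pin to a release tag and add `checksum: sha256:...`.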
@@ -57,12 +67,6 @@
57
67
  url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
58
68
  dest: /etc/letsencrypt/options-ssl-nginx.conf
59
69
 
60
- - name: Update apache default options
61
- when: "'apache' in role_names"
62
- get_url:
63
- url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
64
- dest: /etc/letsencrypt/options-ssl-apache.conf
65
-
66
70
  - name: start webserver after standalone mode
67
71
  debug: msg="Startup webserver"
68
72
  notify: start webserver
@@ -74,16 +78,6 @@
74
78
  env: yes
75
79
  job: /usr/bin:/bin:/usr/sbin
76
80
 
77
- - name: Setup cron job to auto renew
78
- become: true
79
- when: "'apache' in role_names"
80
- cron:
81
- name: Auto-renew SSL
82
- job: "{{certbot_bin}} renew --no-self-upgrade --apache >> /var/log/cron.log 2>&1"
83
- hour: "0"
84
- minute: "33"
85
- state: present
86
-
87
81
  - name: Setup cron job to auto renew
88
82
  become: true
89
83
  when: "'nginx' in role_names"