subspace 2.5.10 → 3.0.0
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +22 -5
- data/README.md +105 -51
- data/UPGRADING.md +10 -0
- data/ansible/roles/common/defaults/main.yml +0 -1
- data/ansible/roles/common/files/sudoers-service +1 -1
- data/ansible/roles/common/tasks/main.yml +18 -7
- data/ansible/roles/common/tasks/no_swap.yml +26 -0
- data/ansible/roles/common/templates/motd +1 -1
- data/ansible/roles/common/templates/motd2 +1 -1
- data/ansible/roles/delayed_job/tasks/main.yml +21 -38
- data/ansible/roles/delayed_job/templates/delayed-job-systemd.service +33 -0
- data/ansible/roles/letsencrypt/defaults/main.yml +7 -7
- data/ansible/roles/letsencrypt/tasks/main.yml +18 -24
- data/ansible/roles/memcache/defaults/main.yml +2 -0
- data/ansible/roles/memcache/tasks/main.yml +16 -1
- data/ansible/roles/newrelic-infra/tasks/main.yml +3 -3
- data/ansible/roles/nginx/tasks/main.yml +12 -3
- data/ansible/roles/puma/tasks/main.yml +32 -20
- data/ansible/roles/puma/templates/puma-systemd.service +37 -0
- data/ansible/roles/puma/templates/puma-systemd.socket +14 -0
- data/ansible/roles/puma/templates/puma.rb +4 -2
- data/ansible/roles/rails/defaults/main.yml +0 -7
- data/ansible/roles/redis/tasks/main.yml +28 -3
- data/ansible/roles/resque/tasks/main.yml +11 -12
- data/ansible/roles/resque/templates/resque-systemd.service +10 -3
- data/ansible/roles/ruby-common/tasks/main.yml +1 -16
- data/ansible/roles/sidekiq/defaults/main.yml +1 -1
- data/ansible/roles/sidekiq/tasks/main.yml +11 -15
- data/ansible/roles/sidekiq/templates/sidekiq-monit-rc +1 -1
- data/ansible/roles/sidekiq/templates/sidekiq-systemd.service +63 -0
- data/ansible/roles/tailscale/defaults/main.yml +2 -0
- data/ansible/roles/tailscale/tasks/main.yml +22 -0
- data/bin/console +0 -4
- data/exe/subspace +1 -2
- data/lib/subspace/cli.rb +51 -14
- data/lib/subspace/commands/ansible.rb +12 -3
- data/lib/subspace/commands/base.rb +20 -5
- data/lib/subspace/commands/bootstrap.rb +16 -21
- data/lib/subspace/commands/configure.rb +2 -2
- data/lib/subspace/commands/exec.rb +20 -0
- data/lib/subspace/commands/init.rb +94 -45
- data/lib/subspace/commands/inventory.rb +54 -0
- data/lib/subspace/commands/maintain.rb +1 -1
- data/lib/subspace/commands/provision.rb +1 -3
- data/lib/subspace/commands/secrets.rb +69 -0
- data/lib/subspace/commands/ssh.rb +14 -8
- data/lib/subspace/commands/terraform.rb +83 -0
- data/lib/subspace/inventory.rb +144 -0
- data/lib/subspace/version.rb +1 -1
- data/subspace.gemspec +8 -2
- data/template/{provision → subspace}/.gitignore +3 -0
- data/template/{provision → subspace}/ansible.cfg.erb +2 -2
- data/template/subspace/group_vars/all.erb +28 -0
- data/template/subspace/group_vars/template.erb +26 -0
- data/template/{provision → subspace}/hosts.erb +0 -0
- data/template/subspace/inventory.yml.erb +11 -0
- data/template/{provision → subspace}/playbook.yml.erb +2 -5
- data/template/{provision/vars → subspace/secrets}/template.erb +0 -0
- data/template/{provision → subspace}/templates/application.yml.template +0 -0
- data/template/subspace/templates/authorized_keys.erb +1 -0
- data/template/subspace/terraform/.gitignore +2 -0
- data/template/subspace/terraform/template/main-oxenwagen.tf.erb +116 -0
- data/template/subspace/terraform/template/main-workhorse.tf.erb +41 -0
- data/template/subspace/terraformrc.erb +9 -0
- data/terraform/modules/s3_backend/README +2 -0
- data/terraform/modules/s3_backend/dynamodb.tf +1 -0
- data/terraform/modules/s3_backend/iam_user.tf +38 -0
- data/terraform/modules/s3_backend/main.tf +39 -0
- data/terraform/modules/s3_backend/state_bucket.tf +14 -0
- metadata +41 -55
- data/ansible/roles/awscli/tasks/main.yml +0 -10
- data/ansible/roles/delayed_job/meta/main.yml +0 -5
- data/ansible/roles/letsencrypt_dns/defaults/main.yml +0 -4
- data/ansible/roles/letsencrypt_dns/tasks/main.yml +0 -133
- data/ansible/roles/monit/files/monit-http.conf +0 -3
- data/ansible/roles/monit/files/sudoers-monit +0 -1
- data/ansible/roles/monit/handlers/main.yml +0 -14
- data/ansible/roles/monit/tasks/main.yml +0 -34
- data/ansible/roles/mtpereira.passenger/.bumpversion.cfg +0 -7
- data/ansible/roles/mtpereira.passenger/.gitignore +0 -2
- data/ansible/roles/mtpereira.passenger/LICENSE +0 -20
- data/ansible/roles/mtpereira.passenger/README.md +0 -31
- data/ansible/roles/mtpereira.passenger/defaults/main.yml +0 -5
- data/ansible/roles/mtpereira.passenger/handlers/main.yml +0 -8
- data/ansible/roles/mtpereira.passenger/meta/.galaxy_install_info +0 -1
- data/ansible/roles/mtpereira.passenger/meta/main.yml +0 -21
- data/ansible/roles/mtpereira.passenger/tasks/apt.yml +0 -13
- data/ansible/roles/mtpereira.passenger/tasks/main.yml +0 -8
- data/ansible/roles/mtpereira.passenger/tasks/pkg.yml +0 -35
- data/ansible/roles/mtpereira.passenger/tasks/service.yml +0 -8
- data/ansible/roles/passenger/files/sudoers-passenger +0 -1
- data/ansible/roles/passenger/meta/main.yml +0 -6
- data/ansible/roles/passenger/tasks/main.yml +0 -5
- data/ansible/roles/postgis/defaults/main.yml +0 -2
- data/ansible/roles/puma/defaults/main.yml +0 -5
- data/ansible/roles/puma/meta/main.yml +0 -5
- data/ansible/roles/sidekiq/meta/main.yml +0 -5
- data/lib/subspace/commands/vars.rb +0 -48
- data/template/provision/group_vars/all.erb +0 -17
- data/template/provision/group_vars/template.erb +0 -11
- data/template/provision/host_vars/template.erb +0 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: b24a2573b737094142caaf93e8b7380b4f4bf756c611fe81012a9adcc0d8d026
|
4
|
+
data.tar.gz: c0fe4b9c23cf613c28ddf832a4bf67ac48055fcc51a32b1ffe8ebc4ad143d14a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a758a05af7793e9f5ee377f1008238678ee94d5fc3d5ff5e03289cb4b1736288e3d829efa36440b3744045358a5340ae4934107fd29a034bda9042b4cfcc9254
|
7
|
+
data.tar.gz: da042e9f7c0f6871ac50bb64c3525ef4ce54bdcebd9ed1b3bdb6d5a8602332dd93551a47f1fda97215c1180d9550e9f87bf0030453c1f9f5d388c3dc944eeaca
|
data/.ruby-version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
3.1.0
|
data/CHANGELOG.md
CHANGED
@@ -11,16 +11,33 @@ This project attempts to follow [semantic versioning](https://semver.org/).
|
|
11
11
|
* Stops showing color if you `sudo su`
|
12
12
|
|
13
13
|
## Unreleased
|
14
|
-
## 2.5.10
|
15
|
-
* Backport the fix for ansible's change of get_url checksum arguments
|
16
14
|
|
17
|
-
##
|
18
|
-
*
|
15
|
+
## 3.0.0
|
16
|
+
* Install redis from vendor repos (BREAKING, see README)
|
17
|
+
* Removed outdated awscli role
|
18
|
+
* Added `subspace secrets rekey` to generate and rekey ansible-vault secrets
|
19
|
+
* Update tailscale role
|
20
|
+
* Don't default to using pemfile (use tailscale instead!)
|
21
|
+
* Add `subspace inventory keyscan` to fix ssh fingerprints
|
22
|
+
* Use `sidekiq_workers` var in systemd
|
23
|
+
* Tailscale hostname is now {{project_name}}-{{hostname}}
|
24
|
+
|
25
|
+
## 3.0.0.rc1
|
26
|
+
* Added infrastructure management via Terraform!
|
27
|
+
* Added new `subspace exec` command for manual remote management
|
28
|
+
* BREAKING: Consolidated inventory file into config/provision/inventory.env.yml
|
29
|
+
* No more hosts file
|
30
|
+
* No more host_vars directory
|
31
|
+
* No more group_vars directory
|
32
|
+
* All of the host/group configuration is in that one file now!
|
33
|
+
* BREAKING: `subspace vars` is now `subspace secrets`
|
34
|
+
* BREAKING: sidekiq_concurrency renamed to sidekiq_workers, default changed from 10 -> 1
|
35
|
+
* BREAKING: swap_space variable must be defined for the `common` ansible role (previously defaulted to 512MB)
|
36
|
+
* BREAKING: removed defaults from rails, postgis, puma roles
|
19
37
|
|
20
38
|
## 2.5.8
|
21
39
|
* Add a new role for configuring a monit-based resque server
|
22
40
|
* Auto-detect mitogen for speed
|
23
|
-
|
24
41
|
## 2.5.7
|
25
42
|
* Add ability to set the timezone for servers instead of forcing to Central Time
|
26
43
|
* Update puma configuration to support puma 5 with puma-daemon
|
data/README.md
CHANGED
@@ -32,13 +32,23 @@ Or install it yourself as:
|
|
32
32
|
|
33
33
|
$ gem install subspace
|
34
34
|
|
35
|
+
### Mitogen
|
36
|
+
Optionally, you can install a python/pip packaged called "Mitogen" which dramatically speeds up running ansible over ssh. See [Here](https://github.com/mitogen-hq/mitogen/blob/master/docs/ansible_detailed.rst) for details.
|
37
|
+
|
38
|
+
pip install mitogen
|
39
|
+
|
40
|
+
Subspace will try and detect if mitogen is present and use it can. If mitogen causes problems (sometimes it can cause problems depending on the system versions, and particaularly when brand new versions of anible come up and it hasn't updated), you can disable it:
|
41
|
+
|
42
|
+
DISABLE_MITOGEN=1 subspace provision env
|
35
43
|
## Usage
|
36
44
|
|
37
45
|
### `subspace init`
|
38
46
|
|
39
|
-
Initialize the project for subspace. Creates `config/
|
47
|
+
Initialize the project for subspace. Creates `config/subspace` with all
|
40
48
|
necessary files.
|
41
49
|
|
50
|
+
Subspace 3 supports terraform. You will need to create an IAM user manually with administrative access to the target AWS environment for terraform.
|
51
|
+
|
42
52
|
### `subspace bootstrap <environment>`
|
43
53
|
|
44
54
|
Ensures the $HOME/.ssh directory is present and ensures python is installed.
|
@@ -56,7 +66,7 @@ At the time of this writing, we pass through the `ansible-playbook` "tags" and
|
|
56
66
|
"start-at-task" options. The tags option is probably the most useful.
|
57
67
|
|
58
68
|
e.g. To run only the alienvault tasks (all of which have been tagged with the
|
59
|
-
'alienvault' tag): `subspace provision
|
69
|
+
'alienvault' tag): `subspace provision staging --tags=alienvault`
|
60
70
|
|
61
71
|
### `subspace maintain <environment>`
|
62
72
|
|
@@ -91,11 +101,23 @@ common | authorized\_keys | updates the authorized\_keys file for t
|
|
91
101
|
rails | appyml |
|
92
102
|
monit | monit | All tasks in the monit role have been tagged 'monit'
|
93
103
|
|
94
|
-
### `subspace
|
104
|
+
### `subspace secrets <environment> [--edit] [--create]`
|
105
|
+
|
106
|
+
The `secrets` command will manage encrypted secrets for different environments. The default action is simply to show the secrets defined for an environment. Pass --edit to edit them in the system editor (vim, etc).
|
107
|
+
|
108
|
+
This uses `ansible-vault` under the hood and requires a vault password file. You will need to get the `.vault_pass` from from a teammate out of band (secrets.10fw.ne, 1password, sticky-note, etc), and put it into `config/provision/.vault_pass`
|
109
|
+
|
110
|
+
These secrets are used during provisioning to populate variables in a few different places:
|
111
|
+
1. `config/application.yml`, which uses the `figaro` gem to manage environment variables in rails.
|
112
|
+
2. `config/database.yml`, which handles the database connection password.
|
113
|
+
|
114
|
+
|
115
|
+
Subspace uses a template file in `config/provision/templates/application.yml.template` that contains environment variables for all environments. If you have non-secret variables that change based on the target server, you can simply put that in plaintext in the template file. This was designed so the configuration that is not secret is visible and version controlled, while the secret values are stored in the vault files for their environments.
|
95
116
|
|
96
|
-
|
117
|
+
NOTE: application.yml should be in the `.gitignore`, since subspace creates a new version on the server and symlinks it on top of whatever is checked in. You should make changes to the template file instead, which should be checked in to version control.
|
97
118
|
|
98
|
-
|
119
|
+
|
120
|
+
The default template created by `subspace init` looks like this:
|
99
121
|
|
100
122
|
```
|
101
123
|
# These environment variables are applied to all environments, and can be secret or not
|
@@ -103,13 +125,13 @@ The new system uses a file in `config/provision/templates/application.yml.templa
|
|
103
125
|
# This is secret and can be changed on all three environment easily by using subspace vars <env> --edit
|
104
126
|
SECRET_KEY_BASE: {{secret_key_base}}
|
105
127
|
|
106
|
-
#This is not secret, and is the same value for all environments
|
128
|
+
# This is not secret, and is the same value for all environments
|
107
129
|
ENABLE_SOME_FEATURE: false
|
108
130
|
|
109
131
|
development:
|
110
132
|
INSECURE_VARIABLE: "this isn't secret"
|
111
133
|
|
112
|
-
|
134
|
+
staging:
|
113
135
|
INSECURE_VARIABLE: "but it changes"
|
114
136
|
|
115
137
|
production:
|
@@ -117,14 +139,12 @@ production:
|
|
117
139
|
|
118
140
|
```
|
119
141
|
|
120
|
-
|
142
|
+
You can also use this command to automatically create a local version of `config/application.yml` based on the template and encrypted secrets for a specific environment.
|
121
143
|
|
122
|
-
# Create a local copy of config/application.yml with the secrets encrypted in
|
144
|
+
# Create a local copy of config/application.yml with the secrets encrypted in secrets/development.yml
|
123
145
|
$ subspace vars development --create
|
124
146
|
|
125
|
-
This can get you up and running in development securely
|
126
|
-
|
127
|
-
NOTE: application.yml should be in the `.gitignore`, since subspace creates a new version on the server and symlinks it on top of whatever is checked in.
|
147
|
+
This can get you up and running quickly in development securely.
|
128
148
|
|
129
149
|
## Procedure for updating on projects
|
130
150
|
|
@@ -136,13 +156,13 @@ Then,
|
|
136
156
|
|
137
157
|
* `subspace provision production`
|
138
158
|
|
139
|
-
If you get an error saying you need a vault password file, you
|
159
|
+
If you get an error saying you need a vault password file, you need to get it from somoene on the team (see above). You might also need to update `ansible`.
|
140
160
|
|
141
|
-
You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with
|
161
|
+
You'll want to do this for each environment (ie: `subspace provision qa`, etc.). Best to start with staging and work your way up.
|
142
162
|
|
143
163
|
# Host configuration
|
144
164
|
|
145
|
-
We need to know some info about hosts, but not much. See the files for details, it's mostly the hostname and the user that can administer the system, eg `ubuntu` on AWS/ubuntu, `ec2-user`, or even `root` (not recommended)
|
165
|
+
We need to know some info about hosts, but not much. See the files for details, it's mostly the hostname and the user that can administer the system, eg `ubuntu` on AWS/ubuntu, `ec2-user`, or even `root` (not recommended, but used on linode/Digital Ocean)
|
146
166
|
|
147
167
|
# Role Configuration
|
148
168
|
|
@@ -202,8 +222,7 @@ Aside from basic statistics like free memory, disk, load averages, etc, we have
|
|
202
222
|
3. If nginx is installed, it will collect stats from the "status port"
|
203
223
|
4. (TODO) add something for pumas
|
204
224
|
5. (TODO) add something for sidekiq
|
205
|
-
6.
|
206
|
-
7. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
|
225
|
+
6. If you're using our standard lograge format, you can enable lograge collection which will provide stats on request count and timers (db/view/total)
|
207
226
|
|
208
227
|
rails_lograge: true
|
209
228
|
|
@@ -242,20 +261,34 @@ Defaults:
|
|
242
261
|
|
243
262
|
## letsencrypt
|
244
263
|
|
245
|
-
|
246
|
-
|
264
|
+
This creates a single certificate for every server alias/server name in the configuration file.
|
265
|
+
|
266
|
+
letsencrypt_email: "me@example.com"
|
267
|
+
server_name: app.example.com
|
268
|
+
|
269
|
+
|
270
|
+
If you'd like more control over the cert, you can customize the variable `le_ssl_cert` as follows:
|
271
|
+
|
272
|
+
le_ssl_cert:
|
273
|
+
cert_name: "{{server_name}}"
|
274
|
+
preferred_challenges: "http"
|
275
|
+
plugin: standalone
|
276
|
+
domains: "{{ [server_name] + server_aliases }}"
|
277
|
+
|
278
|
+
For example, to force a manual DNS challenge you can do the following:
|
279
|
+
|
280
|
+
le_ssl_cert:
|
281
|
+
cert_name: star_example
|
282
|
+
preferred_challenges: dns
|
283
|
+
plugin: manual
|
284
|
+
domains:
|
285
|
+
- example.com
|
286
|
+
- "*.example.com"
|
247
287
|
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
- mydomain.example.com
|
252
|
-
- otherdomain.example.com
|
253
|
-
- cert_name: othersite
|
254
|
-
domains:
|
255
|
-
- othersite.example.com
|
288
|
+
(you will need to futz around the first time and manually install the DNS record, but it should work on renewals)
|
289
|
+
|
290
|
+
Note that this role needs to be included _before_ the webserver (apache or nginx) role
|
256
291
|
|
257
|
-
Note that this role needs to be included _before_ the webserver (apache or
|
258
|
-
nginx) role
|
259
292
|
|
260
293
|
## logrotate
|
261
294
|
|
@@ -274,18 +307,19 @@ Installs logrotate and lets you configure logs for automatic rotation. Example
|
|
274
307
|
|
275
308
|
## memcache
|
276
309
|
|
277
|
-
|
278
|
-
|
279
|
-
## mysql
|
310
|
+
Installs memcache on the server. By default, memcache will only listen on localhost which needs to be changed if other servers needs to connect.
|
280
311
|
|
281
|
-
|
312
|
+
# Default Value
|
313
|
+
memcache_bind: "127.0.0.1"
|
282
314
|
|
283
|
-
|
315
|
+
# bind to all interfaces
|
316
|
+
memcache_bind: "0.0.0.0"
|
284
317
|
|
285
318
|
## newrelic-infra
|
286
319
|
This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
|
287
320
|
|
288
321
|
Variables:
|
322
|
+
|
289
323
|
# Required, the newrelic license key you get after signing up.
|
290
324
|
newrelic_license: "longhashthingyougetfromnewrelichere"
|
291
325
|
# Optional - send logs to newrelic one's log aggregator.
|
@@ -328,7 +362,14 @@ Optional variables:
|
|
328
362
|
|
329
363
|
## nodejs
|
330
364
|
|
331
|
-
Used to install
|
365
|
+
Used to install different versions of NodeJS. This uses NodeSource's apt repositories. You must define a variable called `nodejs_version` and choose a major version supported by NodeSource:
|
366
|
+
|
367
|
+
nodejs_version: 14.x
|
368
|
+
nodejs_version: 17.x
|
369
|
+
nodejs_version: lts
|
370
|
+
nodejs_version: current
|
371
|
+
|
372
|
+
The full list of distributions is here: https://github.com/nodesource/distributions#installation-instructions
|
332
373
|
|
333
374
|
## papertrail
|
334
375
|
|
@@ -344,35 +385,49 @@ Used to install recent version of NodeJS. Must set `nodejs_version`. e.g. `nodej
|
|
344
385
|
database_user: "{{project_name}}"
|
345
386
|
|
346
387
|
## puma
|
388
|
+
Use the puma app server for your rails app. Usually combined with nginx to server as a static file server and reverse proxy.
|
389
|
+
|
390
|
+
**Prerequesites:**
|
391
|
+
- add `gem puma` to your gemfile
|
392
|
+
- add `config/puma/` to the `linked_dirs` config in capistrano's `deploy.rb`
|
347
393
|
|
348
|
-
|
349
|
-
add config/puma to symlinks in deploy.rb
|
394
|
+
This role will generate a reasonable `puma.rb` and configure it to be controlled by systemd.
|
350
395
|
|
396
|
+
**Variables:**
|
397
|
+
|
398
|
+
puma_workers: 1 # Puma process count (usually == vCPU count)
|
399
|
+
puma_min_threads: 4 # Min threads/process
|
400
|
+
puma_max_threads: 16 # Max threads/process
|
351
401
|
|
352
402
|
## rails
|
353
403
|
|
354
404
|
Provisions for a rails app. This one is probably pretty important.
|
355
405
|
|
356
|
-
|
406
|
+
We no longer provider default values, so make sure to define all the following variables:
|
357
407
|
|
408
|
+
rails_env: production
|
358
409
|
database_pool: 5
|
359
410
|
database_name: "{{project_name}}_{{rails_env}}"
|
360
411
|
database_user: "{{project_name}}"
|
412
|
+
database_host: localhost
|
413
|
+
database_adapter: postgresql
|
414
|
+
database_password: # usually defined in the encrypted vault
|
361
415
|
job_queues:
|
362
416
|
- default
|
363
417
|
- mailers
|
364
418
|
|
365
|
-
Customize:
|
366
|
-
|
367
|
-
rails_env: [whatever]
|
368
|
-
|
369
419
|
## redis
|
370
420
|
|
371
421
|
Installs redis on the server.
|
372
422
|
|
373
|
-
# Change to * if you want
|
423
|
+
# Change to * if you want this available everywhere instead of localhost
|
374
424
|
redis_bind: 127.0.0.1
|
375
425
|
|
426
|
+
As of Subspace 3.0, this uses the official redis apt repo instead of the debian/ubuntu ones. If you previously had installed redis from the distro, you will need to manually uninstall, purge, and reinstall. This should not delete any data but back it up just in case.
|
427
|
+
|
428
|
+
sudo apt-get purge redis-server
|
429
|
+
sudo apt-get install redis-server
|
430
|
+
|
376
431
|
## resque
|
377
432
|
|
378
433
|
Install monitoring and automatic startup for resque workers via monit. You MUST set the `job_queues` variable as follows:
|
@@ -381,12 +436,15 @@ Install monitoring and automatic startup for resque workers via monit. You MUST
|
|
381
436
|
- default
|
382
437
|
- mailers
|
383
438
|
- exports
|
439
|
+
|
440
|
+
redis_bind: "*"
|
441
|
+
|
384
442
|
## ruby-common
|
385
443
|
|
386
444
|
Installs ruby on the machine. YOu can set a version by picking off the download url and sha hash from ruby-lang.org
|
387
445
|
|
388
446
|
ruby_version: ruby-2.4.1
|
389
|
-
ruby_checksum:
|
447
|
+
ruby_checksum: a330e10d5cb5e53b3a0078326c5731888bb55e32c4abfeb27d9e7f8e5d000250
|
390
448
|
ruby_download_location: 'https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz'
|
391
449
|
bundler_version: 2.0.1
|
392
450
|
|
@@ -395,13 +453,13 @@ Installs ruby on the machine. YOu can set a version by picking off the download
|
|
395
453
|
|
396
454
|
This will install a monit script that keeps sidekiq running. We spawn one sidekiq instance that manages as many queues as you need. Varaibles of note:
|
397
455
|
|
398
|
-
# Process these
|
456
|
+
# Process these queues on this server
|
399
457
|
job_queues:
|
400
458
|
- default
|
401
459
|
- mailers
|
402
460
|
|
403
461
|
# Number of sidekiq *processes* to run
|
404
|
-
|
462
|
+
sidekiq_workers: 1
|
405
463
|
|
406
464
|
* Note that as of v0.4.13, we now also add a unique job queue for each host with its hostname. This is handy if you need to assign a job to a specific host. In general you should use named queues, but occasionally this is useful and there's no harm in having it there unused.
|
407
465
|
|
@@ -425,11 +483,7 @@ In order to dramatically speed up ansible, you can install Mitogen: https://gith
|
|
425
483
|
|
426
484
|
pip install -g mitogen
|
427
485
|
|
428
|
-
Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
|
429
|
-
|
430
|
-
DISABLE_MITOGEN=1 subspace provision staging
|
431
|
-
|
432
|
-
|
486
|
+
Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
|
433
487
|
|
434
488
|
|
435
489
|
## Directory Structure
|
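--- /dev/null
+++ b/data/UPGRADING.md
@@ -0,0 +1,10 @@
+# Subspace Upgrade Guide
+
+
+# 2.x -> 3.0
+
+- Run subspace init
+- Someone write subspace upgrade3 please
+
+# 2.x -> 2.y
+We strive to follow semver so upgrading from 2.x to 2.y should be safe. However, since use of this tool can affect your production infrastructure, we highly recommend reviewing the [CHANGELOG](CHANGELOG.md) when upgrading.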
@@ -1 +1 @@
|
|
1
|
-
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service
|
1
|
+
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service, /bin/systemctl
|
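Review bot: Adding `/bin/systemctl` widens an entry that was already effectively a root grant: `deploy` can run any `systemctl` verb as root without a password, and an unrestricted systemctl (or `service`) can load and start unit files the role did not ship, so the rule does not meaningfully confine the deploy account. Scope it to the verbs and units the deploy tooling actually issues, one entry per unit, e.g. `deploy ALL=(root) NOPASSWD: /bin/systemctl restart <unit>, /usr/bin/systemctl restart <unit>` (constructed; substitute the unit names from the puma/sidekiq/delayed_job templates), and avoid trailing wildcards, which sudoers matches across argument boundaries. If the second path is there for merged-`/usr` hosts, a comment saying so would help the next reader.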
@@ -64,6 +64,14 @@
|
|
64
64
|
tags:
|
65
65
|
- maintenance
|
66
66
|
|
67
|
+
- name: apt-get update
|
68
|
+
apt: update_cache=yes cache_valid_time=86400
|
69
|
+
become: true
|
70
|
+
tags:
|
71
|
+
- upgrade
|
72
|
+
- maintenance
|
73
|
+
ignore_errors: yes
|
74
|
+
|
67
75
|
- name: install aptitude
|
68
76
|
apt:
|
69
77
|
pkg: aptitude
|
@@ -72,12 +80,11 @@
|
|
72
80
|
tags:
|
73
81
|
- maintenance
|
74
82
|
|
75
|
-
- name:
|
76
|
-
apt:
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
- maintenance
|
83
|
+
- name: "Ensure systemd is installed"
|
84
|
+
apt:
|
85
|
+
name: systemd
|
86
|
+
state: latest
|
87
|
+
update_cache: yes
|
81
88
|
|
82
89
|
- name: Add ppa:ondrej/nginx apt repository for TLS 1.3
|
83
90
|
apt_repository:
|
@@ -276,7 +283,7 @@
|
|
276
283
|
|
277
284
|
- name: Update authorized_keys for deploy user
|
278
285
|
copy:
|
279
|
-
src: authorized_keys
|
286
|
+
src: templates/authorized_keys
|
280
287
|
dest: "/home/{{deploy_user}}/.ssh/authorized_keys"
|
281
288
|
owner: "{{deploy_user}}"
|
282
289
|
become: true
|
@@ -320,3 +327,7 @@
|
|
320
327
|
- stats
|
321
328
|
|
322
329
|
- import_tasks: swap.yml
|
330
|
+
when: swap_space is defined
|
331
|
+
|
332
|
+
- import_tasks: no_swap.yml
|
333
|
+
when: swap_space is not defined
|
@@ -0,0 +1,26 @@
|
|
1
|
+
---
|
2
|
+
- name: turn off swap
|
3
|
+
become: true
|
4
|
+
command: swapoff -a
|
5
|
+
|
6
|
+
- name: set swapiness
|
7
|
+
become: true
|
8
|
+
sysctl:
|
9
|
+
name: vm.swappiness
|
10
|
+
value: "0"
|
11
|
+
|
12
|
+
- name: delete swap file
|
13
|
+
become: true
|
14
|
+
file:
|
15
|
+
path: /swapfile
|
16
|
+
state: absent
|
17
|
+
|
18
|
+
- name: remove from fstab
|
19
|
+
become: true
|
20
|
+
lineinfile:
|
21
|
+
dest: /etc/fstab
|
22
|
+
regexp: /swapfile
|
23
|
+
line: "/swapfile none swap sw 0 0"
|
24
|
+
state: absent
|
25
|
+
|
26
|
+
|
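Review bot: `command: swapoff -a` in the first task runs on every provision and always reports `changed`, so the role is never idempotent on hosts that have no swap to begin with; guard it with the swap fact, `when: ansible_swaptotal_mb | int > 0`, or register the result and set `changed_when` from `/proc/swaps`. The `lineinfile` pattern `regexp: /swapfile` is unanchored and would also remove any other fstab line containing that substring, so `regexp: '^/swapfile\s'` is safer. The file also ends with two blank lines, which yamllint will flag.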
@@ -8,6 +8,6 @@ This server brought to you by:
|
|
8
8
|
~~~ https://github.com/tenforwardconsulting/subspace ~~~
|
9
9
|
|
10
10
|
If you need to make configuration changes to the server, please modify the
|
11
|
-
config/
|
11
|
+
config/subspace directory in the app or risk the changes disappearing.
|
12
12
|
|
13
13
|
Last subspace run: {{ansible_date_time.iso8601}}
|
@@ -21,4 +21,4 @@
|
|
21
21
|
https://github.com/tenforwardconsulting/subspace
|
22
22
|
|
23
23
|
If you need to make configuration changes to the server, please modify the
|
24
|
-
config/
|
24
|
+
config/subspace directory in the app or risk the changes dissapearing.
|
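Review bot: `dissapearing` on the rewritten line is misspelled; the equivalent line in `motd` reads `disappearing`, so the two templates now differ only by the typo. Change it to `config/subspace directory in the app or risk the changes disappearing.`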
@@ -1,45 +1,28 @@
|
|
1
1
|
---
|
2
2
|
- set_fact: delayed_job_installed="true"
|
3
3
|
|
4
|
-
- name:
|
5
|
-
shell: monit stop all
|
4
|
+
- name: Install systemd delayed_job script
|
6
5
|
become: true
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
shell: monit status | grep Monitored | wc -l | awk '{print $1 $2}'
|
11
|
-
register: monit_stopped
|
12
|
-
retries: 10
|
13
|
-
until: monit_stopped.stdout == "0"
|
14
|
-
delay: 10
|
15
|
-
become: true
|
16
|
-
|
17
|
-
- name: Install delayed_job monit script
|
6
|
+
vars:
|
7
|
+
job_queue: "{{ item }}"
|
8
|
+
loop_index: "{{ loop_index }}"
|
18
9
|
template:
|
19
|
-
src: delayed-job-
|
20
|
-
dest: /etc/
|
10
|
+
src: delayed-job-systemd.service
|
11
|
+
dest: /etc/systemd/system/delayed_job_{{ item }}{{ loop_index }}.service
|
12
|
+
loop: "{{ job_queues }}"
|
13
|
+
loop_control:
|
14
|
+
index_var: loop_index
|
15
|
+
loop_var: item
|
16
|
+
|
17
|
+
- name: Enable systemd delayed_job service
|
21
18
|
become: true
|
19
|
+
systemd:
|
20
|
+
name: "delayed_job_{{ item }}{{ loop_index }}"
|
21
|
+
daemon_reload: true
|
22
|
+
enabled: yes
|
23
|
+
state: started
|
24
|
+
loop: "{{ job_queues }}"
|
25
|
+
loop_control:
|
26
|
+
loop_var: item
|
27
|
+
index_var: loop_index
|
22
28
|
|
23
|
-
- name: Remove old upstart files
|
24
|
-
file:
|
25
|
-
path: /etc/init/delayed-job.conf
|
26
|
-
state: absent
|
27
|
-
become: true
|
28
|
-
|
29
|
-
- name: Remove old monit files
|
30
|
-
file:
|
31
|
-
path: /etc/monit/conf.d/delayed_job
|
32
|
-
state: absent
|
33
|
-
become: true
|
34
|
-
|
35
|
-
- name: reload_monit
|
36
|
-
shell: monit reload
|
37
|
-
become: true
|
38
|
-
|
39
|
-
- name: wait
|
40
|
-
pause:
|
41
|
-
seconds: 3
|
42
|
-
|
43
|
-
- name: restart_monit
|
44
|
-
shell: monit restart all
|
45
|
-
become: true
|
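Review bot: The cleanup tasks were dropped together with the monit tasks, so nothing in the new file removes `/etc/monit/conf.d/delayed_job` or `/etc/init/delayed-job.conf`; a host upgraded from 2.x keeps its monit configuration and can end up with the same queue supervised by both monit and systemd. Keeping the two `file:` / `state: absent` tasks (without the `monit stop/reload/restart` steps) costs nothing on fresh hosts and makes the migration safe. `loop_index: "{{ loop_index }}"` under `vars:` is redundant with `index_var: loop_index`, which already exposes the index to the template, so that line can go. Entries removed from `job_queues` also leave their unit files and enabled services behind, which is worth a sentence in the README.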
@@ -0,0 +1,33 @@
|
|
1
|
+
[Unit]
|
2
|
+
Description=Start delayed_job_{{job_queue}}{{loop_index}} instance
|
3
|
+
After=syslog.target network.target
|
4
|
+
|
5
|
+
[Service]
|
6
|
+
Type=simple
|
7
|
+
|
8
|
+
# Uncomment this if you are going to use this as a system service
|
9
|
+
# if using as a user service then leave commented out, or you will get an error trying to start the service
|
10
|
+
# !!! Change this to your deploy user account if you are using this as a system service !!!
|
11
|
+
User=deploy
|
12
|
+
Group=deploy
|
13
|
+
UMask=0002
|
14
|
+
|
15
|
+
Environment=RAILS_ENV={{rails_env}}
|
16
|
+
|
17
|
+
WorkingDirectory=/u/apps/{{project_name}}/current
|
18
|
+
ExecStart=/usr/local/bin/bundle exec {{delayed_job_command}} --identifier={{job_queue}}{{loop_index}} --queue={{job_queue}} start
|
19
|
+
ExecStop=/usr/local/bin/bundle exec {{delayed_job_command}} --identifier={{job_queue}}{{loop_index}} --queue={{job_queue}} stop
|
20
|
+
TimeoutSec=120
|
21
|
+
PIDFile=/u/apps/{{project_name}}/shared/tmp/pids/delayed_job_{{job_queue}}{{loop_index}}.pid
|
22
|
+
|
23
|
+
# if we crash, restart
|
24
|
+
RestartSec=1
|
25
|
+
Restart=on-failure
|
26
|
+
|
27
|
+
StandardOutput=syslog
|
28
|
+
StandardError=syslog
|
29
|
+
# This will default to "bundler" if we don't specify it
|
30
|
+
SyslogIdentifier=delayed_job
|
31
|
+
|
32
|
+
[Install]
|
33
|
+
WantedBy=multi-user.target
|
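Review bot: `User=deploy` and `Group=deploy` are hard-coded while the rest of the roles template the account as `{{deploy_user}}` (see the authorized_keys task in common), so a project with a different deploy user gets a unit that runs as the wrong account or fails to start; use `User={{deploy_user}}` and `Group={{deploy_user}}`. The three comment lines above them ("Uncomment this if you are going to use this as a system service …") are left over from a generic example and no longer describe the file, since the lines are not commented out. `Type=simple` together with `PIDFile=` is also inconsistent: if `{{delayed_job_command}} … start` daemonizes (the stock `delayed_job` script does), systemd sees the main process exit and stops the unit along with the forked worker; either `Type=forking` or running the worker in the foreground with `run` (dropping `PIDFile` and `ExecStop`) would match the chosen type.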
@@ -1,12 +1,12 @@
|
|
1
1
|
---
|
2
2
|
certbot_dir: "/opt/certbot"
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
3
|
+
le_ssl_cert:
|
4
|
+
cert_name: "{{server_name}}"
|
5
|
+
preferred_challenges: "http"
|
6
|
+
plugin: standalone
|
7
|
+
domains: "{{ [server_name] + server_aliases }}"
|
8
8
|
|
9
9
|
nginx_ssl_config: |
|
10
|
-
ssl_certificate /etc/letsencrypt/live/{{
|
11
|
-
ssl_certificate_key /etc/letsencrypt/live/{{
|
10
|
+
ssl_certificate /etc/letsencrypt/live/{{le_ssl_cert.cert_name}}/fullchain.pem;
|
11
|
+
ssl_certificate_key /etc/letsencrypt/live/{{le_ssl_cert.cert_name}}/privkey.pem;
|
12
12
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
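Review bot: `domains: "{{ [server_name] + server_aliases }}"` makes the role fail at template time for any host that sets `server_name` but no `server_aliases`, which is the normal configuration for a single-hostname site. Default the list: `domains: "{{ [server_name] + (server_aliases | default([])) }}"`. The README hunk that documents this default repeats the expression without the default and should be updated alongside.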
@@ -41,15 +41,25 @@
|
|
41
41
|
delay: 1
|
42
42
|
state: stopped
|
43
43
|
|
44
|
-
- name:
|
45
|
-
when: le_ssl_certs is not defined
|
44
|
+
- name: Generate SSL Certificate
|
46
45
|
become: true
|
47
|
-
command:
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
46
|
+
command:
|
47
|
+
argv:
|
48
|
+
- "{{ certbot_bin }}"
|
49
|
+
- certonly
|
50
|
+
- "--email"
|
51
|
+
- "{{ letsencrypt_email }}"
|
52
|
+
- "--domains"
|
53
|
+
- "{{ le_ssl_cert.domains | join(',') }}"
|
54
|
+
- "--preferred-challenges"
|
55
|
+
- "{{ le_ssl_cert.preferred_challenges }}"
|
56
|
+
- "--cert-name"
|
57
|
+
- "{{ le_ssl_cert.cert_name }}"
|
58
|
+
- "--{{ le_ssl_cert.plugin }}"
|
59
|
+
- "--manual-auth-hook=/bin/yes"
|
60
|
+
- "--agree-tos"
|
61
|
+
- "--expand"
|
62
|
+
- "--non-interactive"
|
53
63
|
|
54
64
|
- name: Update nginx default options
|
55
65
|
when: "'nginx' in role_names"
|
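Review bot: `--manual-auth-hook=/bin/yes` is passed unconditionally, regardless of `le_ssl_cert.plugin`. With the `manual` plugin it does not perform the DNS challenge, and because `yes` never exits on its own a `--non-interactive` run is more likely to hang on the hook than to prompt; with `standalone` the option is simply meaningless. Make the hook a real setting (e.g. `le_ssl_cert.auth_hook`) appended to `argv` only when it is defined, or document that manual DNS issuance must be run interactively, as the README hints. Separately, the task has no `register`/`changed_when`, so it reports a change on every provision even when certbot only reports that the certificate is not yet due for renewal; key `changed_when` on that message (check the exact wording for the certbot version in use).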
@@ -57,12 +67,6 @@
|
|
57
67
|
url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
|
58
68
|
dest: /etc/letsencrypt/options-ssl-nginx.conf
|
59
69
|
|
60
|
-
- name: Update apache default options
|
61
|
-
when: "'apache' in role_names"
|
62
|
-
get_url:
|
63
|
-
url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
|
64
|
-
dest: /etc/letsencrypt/options-ssl-apache.conf
|
65
|
-
|
66
70
|
- name: start webserver after standalone mode
|
67
71
|
debug: msg="Startup webserver"
|
68
72
|
notify: start webserver
|
@@ -74,16 +78,6 @@
|
|
74
78
|
env: yes
|
75
79
|
job: /usr/bin:/bin:/usr/sbin
|
76
80
|
|
77
|
-
- name: Setup cron job to auto renew
|
78
|
-
become: true
|
79
|
-
when: "'apache' in role_names"
|
80
|
-
cron:
|
81
|
-
name: Auto-renew SSL
|
82
|
-
job: "{{certbot_bin}} renew --no-self-upgrade --apache >> /var/log/cron.log 2>&1"
|
83
|
-
hour: "0"
|
84
|
-
minute: "33"
|
85
|
-
state: present
|
86
|
-
|
87
81
|
- name: Setup cron job to auto renew
|
88
82
|
become: true
|
89
83
|
when: "'nginx' in role_names"
|