subspace 2.5.10 → 3.0.0.rc1

data/template/{provision → subspace}/playbook.yml.erb

@@ -3,19 +3,16 @@
     become: yes
 
     vars_files:
-      - ./vars/<%= @env %>.yml
+      - ./secrets/<%= @env %>.yml
 
     roles:
       - common
-      - yarn
       - nodejs
+      - yarn
       - ruby-common
       - rails
       - puma
       - letsencrypt
       - nginx
       - postgresql
-      - monit
       - logrotate
-      - collectd
-      - delayed_job

data/template/subspace/templates/authorized_keys.erb

@@ -0,0 +1 @@
+<%= `cat $HOME/.ssh/id_rsa.pub` %>

data/template/subspace/terraform/.gitignore

@@ -0,0 +1,2 @@
+credentials.auto.tfvars
+.subspace-tf-modules

data/template/subspace/terraform/template/main-oxenwagen.tf.erb

@@ -0,0 +1,116 @@
+terraform {
+  # Default backend is just local.
+
+  # Uncomment to use s3
+  # backend "s3" {
+  #   bucket = "subspace-backend-<%= project_name %>"
+  #   key    = "subspace.<%= @env %>.tfstate"
+  #   region = "us-west-2"
+  # }
+
+  # Uncomment to use Terraform Cloud
+  # cloud {
+  #   organization = "<%= project_name %>"
+  #
+  #   workspaces {
+  #     name = "<%= @env %>"
+  #   }
+  # }
+
+}
+
+provider aws {
+  region = "us-west-2"
+  profile = "subspace-<%= project_name %>"
+  default_tags {
+    tags = {
+      Environment = "<%= @env %>"
+      Project     = "<%= project_name %>"
+    }
+  }
+}
+
+variable database_password { type = string }
+
+module oxenwagen {
+  source = "github.com/tenforwardconsulting/terraform-subspace-oxenwagen?ref=v2.1.0"
+  project_name = "<%= project_name %>"
+  project_environment =  "<%= @env %>"
+  aws_region = ## "us-west-2"
+  lb_health_check_path = "/"
+  subspace_public_key = file("../../subspace.pem.pub")
+
+  # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
+  instance_ami = "<%= @latest_ami %>"
+  web_instance_type = "t3.small"
+  web_instance_count = 2
+  worker_instance_type = "t3.medium"
+  worker_instance_count = 1
+  worker_volume_size = 100
+  ssh_cidr_blocks = [] # Put office/local/vpn IP addresses here
+
+  database_engine = "postgres"
+  database_engine_version = ## "14.1"
+  database_instance_class = "db.t3.medium"
+  database_name = "<%= "#{project_name}_#{@env}" %>"
+  database_username = "<%= project_name %>"
+  database_password = var.database_password
+  database_allocated_storage = 100
+  database_max_allocated_storage = 1000
+  database_iops = 1000
+
+  # lb_domain_name = "www.<%= project_name %>.com"
+  # lb_alternate_names = []
+}
+
+output "oxenwagen" {
+  value = module.oxenwagen
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket               = "<%= "#{project_name}-#{@env}-assets" %>"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_acls" {
+  bucket                  = aws_s3_bucket.bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_iam_user" "s3_user" {
+  name = "<%= "#{project_name}-#{@env}-assets" %>-subspace-s3-user"
+}
+
+resource "aws_iam_user_policy" "s3-upload" {
+  name = "test"
+  user = aws_iam_user.s3_user.name
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+            "s3:PutObject",
+            "s3:PutObjectAcl",
+            "s3:GetObject",
+            "s3:GetObjectVersion",
+            "s3:GetBucketAcl",
+            "s3:DeleteObject",
+            "s3:DeleteObjectVersion"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:s3:::<%= "#{project_name}-#{@env}-assets" %>",
+                "arn:aws:s3:::<%= "#{project_name}-#{@env}-assets" %>/*"
+            ]
+        }
+    ]
+}
+EOF
+}
+

data/template/subspace/terraform/template/main-workhorse.tf.erb

@@ -0,0 +1,41 @@
+terraform {
+  # Default backend is just local.
+
+  # Uncomment to use s3
+  # backend "s3" {
+  #   bucket = "subspace-backend-<%= project_name %>"
+  #   key    = "subspace.<%= @env %>.tfstate"
+  #   region = "us-west-2"
+  # }
+
+  # Uncomment to use Terraform Cloud
+  # cloud {
+  #   organization = "<%= project_name %>"
+  #
+  #   workspaces {
+  #     name = "<%= @env %>"
+  #   }
+  # }
+
+}
+
+module workhorse {
+  source = "github.com/tenforwardconsulting/terraform-subspace-workhorse?ref=v1.0.0"
+  project_name = "<%= project_name %>"
+  project_environment = "<%= @env %>"
+  aws_region = "us-west-2"
+  subspace_public_key = file("../../subspace.pem.pub")
+  # zone_id = "ZOJ6811VRVYBT" # 10fw.net
+  # subdomain = "<%= project_name.gsub("_", "-") %>"
+
+  # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
+  instance_ami = "ami-0f81e6e71078b75b6"
+  instance_user = "ubuntu"
+  instance_type = "t3.medium"
+  instance_hostname = "${var.project_environment}-app1"
+  instance_volume_size = 20
+}
+
+output "workhorse" {
+  value = module.workhorse
+}

data/template/subspace/terraformrc.erb

@@ -0,0 +1,9 @@
+provider_installation {
+  filesystem_mirror {
+    path    = "<%= File.join(gem_path, 'terraform', 'modules') %>"
+    include = ["subspace/*/*"]
+  }
+  direct {
+    exclude = ["subspace/*/*"]
+  }
+}

data/terraform/modules/s3_backend/README

@@ -0,0 +1,2 @@
+This terraform configuration is used solely to provision the tfstate backend.  
+It makes an s3 bucket and a user and you should not need to really mess with this after the project is bootstrapped. 

data/terraform/modules/s3_backend/dynamodb.tf

@@ -0,0 +1 @@
+# Maybe later

data/terraform/modules/s3_backend/iam_user.tf

@@ -0,0 +1,38 @@
+resource "aws_iam_user" "ss" {
+  name = "subspace"
+  path = "/"
+
+  tags = {
+    Name = "Subspace IAM user"
+    Environment = "Global"
+  }
+}
+
+resource "aws_iam_access_key" "ss" {
+  user = aws_iam_user.ss.name
+
+  pgp_key = data.local_file.pgp_key.content_base64
+}
+
+resource "aws_iam_user_policy" "ss_s3" {
+  name = "ss_s3_user_policy"
+  user = aws_iam_user.ss.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${local.state_bucket_name}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["s3:GetObject", "s3:PutObject"],
+      "Resource": "arn:aws:s3:::${local.state_bucket_name}/*"
+    }
+  ]
+}
+EOF
+}

data/terraform/modules/s3_backend/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Variables
+variable aws_region {
+  type = string
+}
+
+variable project_name {
+  type = string
+}
+
+locals {
+  state_bucket_name = "subspace-backend-${var.project_name}"
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+data "local_file" "pgp_key" {
+  filename = "../public-key-binary.gpg"
+}
+
+# Outputs
+
+output "subspace_aws_access_key_id" {
+  value = aws_iam_access_key.ss.id
+}
+
+output "subspace_aws_encrypted_secret_access_key" {
+  value = aws_iam_access_key.ss.encrypted_secret
+}

data/terraform/modules/s3_backend/state_bucket.tf

@@ -0,0 +1,14 @@
+# S3 Bucket for storing state
+resource "aws_s3_bucket" "state_bucket" {
+  bucket = local.state_bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  tags = {
+    Name        = "Subspace Terraform State"
+    Environment = "Global"
+  }
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 2.5.10
+  version: 3.0.0.rc1
 platform: ruby
 authors:
 - Brian Samson
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-02 00:00:00.000000000 Z
+date: 2022-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,20 +80,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: ed25519
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 description: WIP -- don't use this :)
 email:
 - brian@tenforwardconsulting.com
@@ -114,6 +100,7 @@ files:
 - README.md
 - Rakefile
 - TODO
+- UPGRADING.md
 - ansible/playbooks/local_template.yml
 - ansible/playbooks/maintenance_mode.yml
 - ansible/roles/alienvault/tasks/main.yml
@@ -143,6 +130,7 @@ files:
 - ansible/roles/common/files/sudoers-service
 - ansible/roles/common/handlers/main.yml
 - ansible/roles/common/tasks/main.yml
+- ansible/roles/common/tasks/no_swap.yml
 - ansible/roles/common/tasks/swap.yml
 - ansible/roles/common/templates/motd
 - ansible/roles/common/templates/motd2
@@ -165,23 +153,8 @@ files:
 - ansible/roles/logrotate/meta/main.yml
 - ansible/roles/logrotate/tasks/main.yml
 - ansible/roles/logrotate/templates/logrotate.d.j2
+- ansible/roles/memcache/defaults/main.yml
 - ansible/roles/memcache/tasks/main.yml
-- ansible/roles/monit/files/monit-http.conf
-- ansible/roles/monit/files/sudoers-monit
-- ansible/roles/monit/handlers/main.yml
-- ansible/roles/monit/tasks/main.yml
-- ansible/roles/mtpereira.passenger/.bumpversion.cfg
-- ansible/roles/mtpereira.passenger/.gitignore
-- ansible/roles/mtpereira.passenger/LICENSE
-- ansible/roles/mtpereira.passenger/README.md
-- ansible/roles/mtpereira.passenger/defaults/main.yml
-- ansible/roles/mtpereira.passenger/handlers/main.yml
-- ansible/roles/mtpereira.passenger/meta/.galaxy_install_info
-- ansible/roles/mtpereira.passenger/meta/main.yml
-- ansible/roles/mtpereira.passenger/tasks/apt.yml
-- ansible/roles/mtpereira.passenger/tasks/main.yml
-- ansible/roles/mtpereira.passenger/tasks/pkg.yml
-- ansible/roles/mtpereira.passenger/tasks/service.yml
 - ansible/roles/mysql/meta/main.yml
 - ansible/roles/mysql/tasks/main.yml
 - ansible/roles/mysql/templates/mysql_database.yml
@@ -209,14 +182,10 @@ files:
 - ansible/roles/nodejs/tasks/main.yml
 - ansible/roles/papertrail/tasks/main.yml
 - ansible/roles/papertrail/templates/log_files.yml
-- ansible/roles/passenger/files/sudoers-passenger
-- ansible/roles/passenger/meta/main.yml
-- ansible/roles/passenger/tasks/main.yml
 - ansible/roles/postgis/.gitignore
 - ansible/roles/postgis/CHANGELOG.md
 - ansible/roles/postgis/LICENSE
 - ansible/roles/postgis/README.md
-- ansible/roles/postgis/defaults/main.yml
 - ansible/roles/postgis/meta/main.yml
 - ansible/roles/postgis/tasks/main.yml
 - ansible/roles/postgresql-client/tasks/main.yml
@@ -227,11 +196,11 @@ files:
 - ansible/roles/postgresql/tasks/backups.yml
 - ansible/roles/postgresql/tasks/main.yml
 - ansible/roles/postgresql/templates/backup.sh
-- ansible/roles/puma/defaults/main.yml
-- ansible/roles/puma/meta/main.yml
 - ansible/roles/puma/tasks/main.yml
 - ansible/roles/puma/templates/etc-puma.conf
 - ansible/roles/puma/templates/puma-monit-rc
+- ansible/roles/puma/templates/puma-systemd.service
+- ansible/roles/puma/templates/puma-systemd.socket
 - ansible/roles/puma/templates/puma.rb
 - ansible/roles/rails/defaults/main.yml
 - ansible/roles/rails/tasks/main.yml
@@ -252,9 +221,11 @@ files:
 - ansible/roles/ruby-common/vars/main.yml
 - ansible/roles/sidekiq/README.md
 - ansible/roles/sidekiq/defaults/main.yml
-- ansible/roles/sidekiq/meta/main.yml
 - ansible/roles/sidekiq/tasks/main.yml
 - ansible/roles/sidekiq/templates/sidekiq-monit-rc
+- ansible/roles/sidekiq/templates/sidekiq-systemd.service
+- ansible/roles/tailscale/defaults/main.yml
+- ansible/roles/tailscale/tasks/main.yml
 - ansible/roles/yarn/tasks/main.yml
 - ansible/roles/zenoamaro.postgresql/.gitignore
 - ansible/roles/zenoamaro.postgresql/.travis.yml
@@ -287,32 +258,50 @@ files:
 - lib/subspace/commands/base.rb
 - lib/subspace/commands/bootstrap.rb
 - lib/subspace/commands/configure.rb
+- lib/subspace/commands/exec.rb
 - lib/subspace/commands/init.rb
+- lib/subspace/commands/inventory.rb
 - lib/subspace/commands/maintain.rb
 - lib/subspace/commands/maintenance_mode.rb
 - lib/subspace/commands/override.rb
 - lib/subspace/commands/provision.rb
+- lib/subspace/commands/secrets.rb
 - lib/subspace/commands/ssh.rb
-- lib/subspace/commands/vars.rb
+- lib/subspace/commands/terraform.rb
 - lib/subspace/configuration.rb
+- lib/subspace/inventory.rb
 - lib/subspace/version.rb
 - subspace.gemspec
 - template/provision.rb.erb
-- template/provision/.gitignore
-- template/provision/ansible.cfg.erb
-- template/provision/group_vars/all.erb
-- template/provision/group_vars/template.erb
-- template/provision/host_vars/template.erb
-- template/provision/hosts.erb
-- template/provision/playbook.yml.erb
-- template/provision/templates/application.yml.template
-- template/provision/vars/template.erb
+- template/subspace/.gitignore
+- template/subspace/ansible.cfg.erb
+- template/subspace/group_vars/all.erb
+- template/subspace/group_vars/template.erb
+- template/subspace/hosts.erb
+- template/subspace/inventory.yml.erb
+- template/subspace/playbook.yml.erb
+- template/subspace/secrets/template.erb
+- template/subspace/templates/application.yml.template
+- template/subspace/templates/authorized_keys.erb
+- template/subspace/terraform/.gitignore
+- template/subspace/terraform/template/main-oxenwagen.tf.erb
+- template/subspace/terraform/template/main-workhorse.tf.erb
+- template/subspace/terraformrc.erb
+- terraform/modules/s3_backend/README
+- terraform/modules/s3_backend/dynamodb.tf
+- terraform/modules/s3_backend/iam_user.tf
+- terraform/modules/s3_backend/main.tf
+- terraform/modules/s3_backend/state_bucket.tf
 homepage: https://github.com/tenforwardconsulting/subspace
 licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message:
+post_install_message: |
+  *** Subspace 3 has many breaking changes
+  Primarily, the entire configuration directory structure has moved from config/provision to config/subspace.
+  You will need to migrate your old configuration to the new location, or downgrade to Subspace 2 if this was not intentional.
+  Please review the Upgrade guide: https://github.com/tenforwardconsulting/subspace/UPGRADING.md
 rdoc_options: []
 require_paths:
 - lib
@@ -323,11 +312,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.3.4
+rubygems_version: 3.3.18
 signing_key:
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects

data/ansible/roles/monit/files/monit-http.conf

@@ -1,3 +0,0 @@
-set httpd port 2812 and
-  use address localhost  # Only accept connection from localhost.
-  allow localhost        # Allow localhost to connect to the server.

data/ansible/roles/monit/files/sudoers-monit

@@ -1 +0,0 @@
-deploy ALL=(root) NOPASSWD: /usr/bin/monit

data/ansible/roles/monit/handlers/main.yml

@@ -1,14 +0,0 @@
----
-  - name: reload_monit
-    shell: monit reload
-    become: true
-
-  - name: restart_monit
-    service:
-      name: monit
-      state: restarted
-    become: true
-
-  - name: validate_monit
-    shell: monit validate
-    become: true

data/ansible/roles/monit/tasks/main.yml

@@ -1,34 +0,0 @@
----
-  - name: Configure monit to install instead of pin
-    dpkg_selections:
-      name: monit
-      selection: install
-    become: true
-    tags:
-      - monit
-
-  - name: install monit
-    apt:
-      name: monit
-      state: present
-    become: true
-    tags:
-      - monit
-
-  - name: Copy sudoers file so that deploy can use monit without entering password.
-    copy:
-      src: sudoers-monit
-      dest: /etc/sudoers.d/monit
-    become: true
-    tags:
-      - monit
-
-  - name: Copy monit config to enable http from localhost
-    copy:
-      src: monit-http.conf
-      dest: /etc/monit/conf.d/monit-http.conf
-    become: true
-    notify:
-      - restart_monit
-    tags:
-      - monit

data/ansible/roles/mtpereira.passenger/.bumpversion.cfg

@@ -1,7 +0,0 @@
-[bumpversion]
-current_version = 1.0.2
-commit = True
-tag = True
-tag_name = {new_version}
-message = "Bump version: {current_version} -> {new_version} [skip ci]"
-

data/ansible/roles/mtpereira.passenger/.gitignore

@@ -1,2 +0,0 @@
-*.vagrant/
-*vagrant_ansible_inventory*

data/ansible/roles/mtpereira.passenger/LICENSE

@@ -1,20 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Manuel Tiago Pereira
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/ansible/roles/mtpereira.passenger/README.md

@@ -1,31 +0,0 @@
-Passenger
-========
-
-Installs or updates Pushion Passenger.
-
-It will install apache, nginx or standalone modes, depending on **passenger_webserver** variable value (defaults to standalone).
-
-In the `tests` folder, there are a set of tests for this role, that will provision a VM using Vagrant and setup a simple hello world app. To use them, `cd` into the `tests/{passenger_webserver}/` and execute `vagrant up`. At the moment, only `apache` tests are done.
-
-Requirements
-------------
-
-Assumes that the host is ansible-ready (check **mtpereira.common** role).
-
-Role Variables
---------------
-
-* `passenger_webserver`: Specifies the webserver to be used by passenger. Possible values: `apache`, `nginx` and `standalone`. Defaults to `standalone`.
-* `passenger_pkgs_state`: Specifies if this role will garantee that the packages are installed or installed and updated. Possible values: `installed` and `latest`. Defaults to `installed`.
-
-License
--------
-
-MIT
-
-Author Information
-------------------
-
-[GitHub project page](https://github.com/mtpereira/ansible-passenger)
-
-[Manuel Tiago Pereira](http://mtpereira.github.io)

data/ansible/roles/mtpereira.passenger/defaults/main.yml

@@ -1,5 +0,0 @@
----
-passenger_webserver: "standalone"
-passenger_pkgs_state: "present"
-passenger_pkgs_fix_shebang: no
-become: true

data/ansible/roles/mtpereira.passenger/handlers/main.yml

@@ -1,8 +0,0 @@
----
-- name: apache restart
-  service: name=apache2 state=restarted
-  become: yes
-
-- name: nginx restart
-  service: name=nginx state=restarted
-  become: yes

data/ansible/roles/mtpereira.passenger/meta/.galaxy_install_info

@@ -1 +0,0 @@
-{install_date: 'Mon Jan  2 18:15:18 2017', version: 1.0.2}

data/ansible/roles/mtpereira.passenger/meta/main.yml

@@ -1,21 +0,0 @@
----
-galaxy_info:
-  author: Manuel Tiago Pereira
-  description: Installs Phusion Passenger.
-  license: MIT
-  min_ansible_version: 1.4
-  platforms:
-  - name: Debian
-    versions:
-    - wheezy
-    - jessie
-  - name: Ubuntu
-    versions:
-    - lucid
-    - precise
-    - saucy
-    - trusty
-  categories:
-    - web
-dependencies: []
-

data/ansible/roles/mtpereira.passenger/tasks/apt.yml

@@ -1,13 +0,0 @@
----
-- name: apt - add key for passenger repos
-  apt_key: url=http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x561F9B9CAC40B2F7 id=AC40B2F7 state=present
-
-- name: apt - add support for https
-  apt: pkg={{ item }} state={{ passenger_pkgs_state }} update_cache=yes cache_valid_time=3600
-  with_items:
-  - apt-transport-https
-  - ca-certificates
-
-- name: apt - add passenger repo
-  apt_repository: repo='deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ ansible_lsb.codename }} main' state=present update_cache=yes
-