subspace 2.5.4 β 2.5.8
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +20 -1
- data/README.md +26 -7
- data/ansible/roles/common/defaults/main.yml +1 -0
- data/ansible/roles/common/files/sudoers-service +1 -1
- data/ansible/roles/common/tasks/main.yml +11 -6
- data/ansible/roles/letsencrypt/tasks/modern.yml +7 -0
- data/ansible/roles/puma/templates/puma.rb +8 -0
- data/ansible/roles/resque/tasks/main.yml +15 -0
- data/ansible/roles/resque/templates/resque-monit-rc +4 -0
- data/ansible/roles/resque/templates/resque-systemd.service +47 -0
- data/ansible/roles/sidekiq/defaults/main.yml +1 -1
- data/lib/subspace/commands/ansible.rb +6 -0
- data/lib/subspace/version.rb +1 -1
- data/template/provision/ansible.cfg.erb +9 -2
- data/template/provision/playbook.yml.erb +1 -2
- metadata +6 -3
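--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 82942611925eb85847f321e3fc375f02fcd3c49fdde254012aa276792c309437
+data.tar.gz: 58a200b894ab4a697c57a8db271ad36db1ba3cf304ee9045f903e872ec52cb14
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4c8e6dc1a37b42a77c44bcb3ce8a9a794b662505a06aa838af810151e25e283d673358e8062fbc6da2e342aa5d00de336d8d38633e4a2e4027f0a81800ccc35e
+data.tar.gz: 24a4eccfcb22e0e9a70b3fe9030ec3303add72ef1a97a4bec9d3c2ce0e30c881f37bee9c80f0b3d691be8649574c445035fdc5666ea6686eab345b8b22b93885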
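--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.
+2.7.4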
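--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 This is a [changelog](https://keepachangelog.com/en/0.3.0/).
 
-This project attempts to follow [semantic versioning](https://semver.org/)
+This project attempts to follow [semantic versioning](https://semver.org/).
 
 ## Known Bugs
 
@@ -10,6 +10,25 @@ This project attempts to follow [semantic versioning](https://semver.org/)
 * Not working on OSX - macs don't read from /etc/profile.d/
 * Stops showing color if you `sudo su`
 
+## Unreleased
+
+## 2.5.8
+* Add a new role for configuring a monit-based resque server
+* Auto-detect mitogen for speed
+
+## 2.5.7
+* Add ability to set the timezone for servers instead of forcing to Central Time
+* Update puma configuration to support puma 5 with puma-daemon
+* Update letsencrypt to add certbot-nginx support for newer ubuntu
+
+## 2.5.6
+* Fix sending security stats
+* Make sure apt package acl is installed in common role so ansible can become a non-privileged user
+
+## 2.5.5
+* Remove duplicate nginx role from playbook templates
+* Don't send stats if there have been no upgrades
+
 ## 2.5.4
 * certbox => certbot
 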
data/README.md
CHANGED
@@ -283,11 +283,11 @@ Installs logrotate and lets you configure logs for automatic rotation. Example
|
|
283
283
|
## newrelic
|
284
284
|
|
285
285
|
## newrelic-infra
|
286
|
-
This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
|
286
|
+
This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
|
287
287
|
|
288
|
-
Variables:
|
289
|
-
# Required, the newrelic license key you get after signing up.
|
290
|
-
newrelic_license: "longhashthingyougetfromnewrelichere"
|
288
|
+
Variables:
|
289
|
+
# Required, the newrelic license key you get after signing up.
|
290
|
+
newrelic_license: "longhashthingyougetfromnewrelichere"
|
291
291
|
# Optional - send logs to newrelic one's log aggregator.
|
292
292
|
newrelic_logs:
|
293
293
|
- name: rails-production
|
@@ -373,6 +373,14 @@ Installs redis on the server.
|
|
373
373
|
# Change to * if you want tthis available everywhere.
|
374
374
|
redis_bind: 127.0.0.1
|
375
375
|
|
376
|
+
## resque
|
377
|
+
|
378
|
+
Install monitoring and automatic startup for resque workers via monit. You MUST set the `job_queues` variable as follows:
|
379
|
+
|
380
|
+
job_queues:
|
381
|
+
- default
|
382
|
+
- mailers
|
383
|
+
- exports
|
376
384
|
## ruby-common
|
377
385
|
|
378
386
|
Installs ruby on the machine. YOu can set a version by picking off the download url and sha hash from ruby-lang.org
|
@@ -387,10 +395,14 @@ Installs ruby on the machine. YOu can set a version by picking off the download
|
|
387
395
|
|
388
396
|
This will install a monit script that keeps sidekiq running. We spawn one sidekiq instance that manages as many queues as you need. Varaibles of note:
|
389
397
|
|
398
|
+
# Process these background job queues
|
390
399
|
job_queues:
|
391
400
|
- default
|
392
401
|
- mailers
|
393
402
|
|
403
|
+
# Number of sidekiq *processes* to run
|
404
|
+
sidekiq_concurrency: 1
|
405
|
+
|
394
406
|
* Note that as of v0.4.13, we now also add a unique job queue for each host with its hostname. This is handy if you need to assign a job to a specific host. In general you should use named queues, but occasionally this is useful and there's no harm in having it there unused.
|
395
407
|
|
396
408
|
Sidekiq uses redis by default, and rails connects to a redis running on localhost by default. However, this role does not depend on redis since in production it's likely redis will be running elsewhere. If you're provisioning a standalone server, make sure to include the redis role.
|
@@ -407,7 +419,14 @@ Thanks to the following repositories for making their roles available:
|
|
407
419
|
* https://github.com/mtpereira/ansible-passenger
|
408
420
|
|
409
421
|
|
410
|
-
#
|
422
|
+
# Mitogen
|
423
|
+
|
424
|
+
In order to dramatically speed up ansible, you can install Mitogen: https://github.com/mitogen-hq/mitogen/blob/master/docs/ansible_detailed.rst
|
425
|
+
|
426
|
+
pip install -g mitogen
|
427
|
+
|
428
|
+
Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
|
429
|
+
|
411
430
|
|
412
431
|
## Directory Structure
|
413
432
|
|
@@ -428,8 +447,8 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
428
447
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version:
|
429
448
|
|
430
449
|
1. update the version number in `version.rb`
|
431
|
-
2.
|
432
|
-
3.
|
450
|
+
2. `gem build subspace.gemspec`
|
451
|
+
3. `gem push subspace-x.y.z.gem`
|
433
452
|
|
434
453
|
This will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
435
454
|
|
@@ -1 +1 @@
|
|
1
|
-
deploy ALL=(root) NOPASSWD: /usr/sbin/service
|
1
|
+
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service
|
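Review bot: Adding `/usr/bin/systemctl` with no argument list lets the deploy user run every systemctl subcommand against every unit as root without a password, which is much broader than restarting the application's own services and is effectively root-equivalent. Restrict the rule to the exact commands the deploy flow needs, for example `deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart <app-unit>.service` (the unit name is a placeholder), with one entry per required verb and unit. The same concern applies to the pre-existing unrestricted `/usr/sbin/service` entry. The file header for this hunk is missing on the page; per the file list it is presumably `ansible/roles/common/files/sudoers-service`.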
@@ -125,6 +125,12 @@
|
|
125
125
|
- maintenance
|
126
126
|
- upgrade
|
127
127
|
|
128
|
+
- name: Install acl so ansible can become a non-privileged user
|
129
|
+
apt:
|
130
|
+
pkg: acl
|
131
|
+
state: present
|
132
|
+
become: true
|
133
|
+
|
128
134
|
- name: Get os_upgrades stats
|
129
135
|
shell:
|
130
136
|
cmd: |
|
@@ -153,7 +159,7 @@
|
|
153
159
|
key: os_upgrades
|
154
160
|
value: "{{stats_os_upgrades.stdout}}"
|
155
161
|
hostname: "{{hostname}}"
|
156
|
-
when: send_stats == true and stats_url is defined and stats_api_key is defined
|
162
|
+
when: (send_stats == true) and (stats_url is defined) and (stats_api_key is defined) and (stats_os_upgrades.stdout | length > 0)
|
157
163
|
tags:
|
158
164
|
- maintenance
|
159
165
|
- stats
|
@@ -197,9 +203,8 @@
|
|
197
203
|
- name: Get os_security_upgrades stats
|
198
204
|
shell:
|
199
205
|
cmd: |
|
200
|
-
|
206
|
+
grep -A 1 $(date +%Y-%m) updates.log | # Groups of lines from the current month
|
201
207
|
grep 'security' | # Only lines matching 'security'
|
202
|
-
grep -P -o '(^\d+)' | #Extract the numbers at the beginning of the lines
|
203
208
|
awk '{s+=$1} END {print s}' # Sum all the lines
|
204
209
|
args:
|
205
210
|
chdir: /opt/subspace
|
@@ -222,7 +227,7 @@
|
|
222
227
|
key: os_security_upgrades
|
223
228
|
value: "{{stats_os_security_upgrades.stdout}}"
|
224
229
|
hostname: "{{hostname}}"
|
225
|
-
when: send_stats == true and stats_url is defined and stats_api_key is defined
|
230
|
+
when: (send_stats == true) and (stats_url is defined) and (stats_api_key is defined) and (stats_os_security_upgrades.stdout | length > 0)
|
226
231
|
tags:
|
227
232
|
- maintenance
|
228
233
|
- stats
|
@@ -236,9 +241,9 @@
|
|
236
241
|
- maintenance
|
237
242
|
- stats
|
238
243
|
|
239
|
-
- name: set timezone
|
244
|
+
- name: set timezone
|
240
245
|
timezone:
|
241
|
-
name:
|
246
|
+
name: "{{timezone}}"
|
242
247
|
tags:
|
243
248
|
- maintenance
|
244
249
|
|
@@ -1,3 +1,11 @@
|
|
1
|
+
begin
|
2
|
+
# Needed for Puma 5 + puma-damon, but built in to Puma 4
|
3
|
+
# https://github.com/kigster/puma-daemon
|
4
|
+
require 'puma/daemon'
|
5
|
+
rescue LoadError => e
|
6
|
+
# Puma 4 has `daemonize` built in
|
7
|
+
end
|
8
|
+
|
1
9
|
# Change to match your CPU core count
|
2
10
|
workers {{puma_workers}}
|
3
11
|
# Min and Max threads per worker
|
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
- name: Install resque monit script
|
3
|
+
template:
|
4
|
+
src: resque-monit-rc
|
5
|
+
dest: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
|
6
|
+
become: true
|
7
|
+
|
8
|
+
- name: Enable resque monit script
|
9
|
+
file:
|
10
|
+
src: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
|
11
|
+
dest: /etc/monit/conf-enabled/resque_{{project_name}}_{{rails_env}}
|
12
|
+
state: link
|
13
|
+
notify:
|
14
|
+
- reload_monit
|
15
|
+
- restart_monit
|
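Review bot: The `Enable resque monit script` task creates a link under `/etc/monit/conf-enabled` but, unlike the template task above it, carries no `become: true`, so it fails unless the whole play already runs as root; add `become: true` to the `file:` task. The template task also sets no `owner` or `mode`, and monit executes the `start program` in that file as root, so pin it with `owner: root` and an explicit `mode` so the rendered file can never be left writable by a non-root account. The `reload_monit` and `restart_monit` handlers are not part of this role in the file list, so the role presumably depends on the monit role being in the same play; a comment or a `meta` dependency would make that explicit.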
@@ -0,0 +1,4 @@
|
|
1
|
+
check process resque
|
2
|
+
with pidfile /u/apps/{{project_name}}/shared/tmp/pids/resque.pid
|
3
|
+
start program = "/bin/su - deploy -c 'cd /u/apps/{{project_name}}/current && RAILS_ENV={{rails_env}} QUEUES={{hostname}},{{ job_queues | join(',') }} BACKGROUND=yes PIDFILE=/u/apps/{{project_name}}/shared/tmp/pids/resque.pid bundle exec rake resque:work'" with timeout 30 seconds
|
4
|
+
stop program = "/bin/su - deploy -c 'kill -s TERM `cat /u/apps/{{project_name}}/shared/tmp/pids/resque.pid`'" with timeout 30 seconds
|
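Review bot: The `start program` line interpolates `{{project_name}}`, `{{rails_env}}`, `{{hostname}}` and the joined `job_queues` unquoted into a single-quoted `su - deploy -c '...'` string that monit runs as root, so a value containing a space, quote or shell metacharacter changes the command that is executed. These values presumably come from the operator's own inventory, but an `assert` in the role's tasks that each one matches a conservative pattern such as `^[A-Za-z0-9_.-]+$` keeps the command shape fixed. Separately, the service is declared as `check process resque` while the installed file name is per project and environment, so two projects on one host would define the same monit service name; `check process resque_{{project_name}}_{{rails_env}}` avoids the clash.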
@@ -0,0 +1,47 @@
|
|
1
|
+
[Unit]
|
2
|
+
Description=resque
|
3
|
+
# consider adding redis-server.service if Redis is local and systemd-managed.
|
4
|
+
After=syslog.target network.target
|
5
|
+
|
6
|
+
# See these pages for lots of options:
|
7
|
+
#
|
8
|
+
# https://www.freedesktop.org/software/systemd/man/systemd.service.html
|
9
|
+
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
10
|
+
#
|
11
|
+
# THOSE PAGES ARE CRITICAL FOR ANY LINUX DEVOPS WORK; read them multiple
|
12
|
+
# times! systemd is a critical tool for all developers to know and understand.
|
13
|
+
#
|
14
|
+
[Service]
|
15
|
+
#
|
16
|
+
# !!!! !!!! !!!!
|
17
|
+
#
|
18
|
+
Type=simple
|
19
|
+
|
20
|
+
WorkingDirectory=/u/apps/{{project_name}}/current
|
21
|
+
|
22
|
+
ExecStart="RAILS_ENV={{rails_env}} COUNT={{resque_concurrency}} QUEUES={{hostname}},{{ job_queues | join(',') }} BACKGROUND=yes PIDFILE=/u/apps/{{project_name}}/shared/tmp/pids/resque.pid bundle exec rake resque:work"
|
23
|
+
|
24
|
+
# Uncomment this if you are going to use this as a system service
|
25
|
+
# if using as a user service then leave commented out, or you will get an error trying to start the service
|
26
|
+
# !!! Change this to your deploy user account if you are using this as a system service !!!
|
27
|
+
User=deploy
|
28
|
+
Group=deploy
|
29
|
+
UMask=0002
|
30
|
+
|
31
|
+
# Greatly reduce Ruby memory fragmentation and heap usage
|
32
|
+
# https://www.mikeperham.com/2018/04/25/taming-rails-memory-bloat/
|
33
|
+
Environment=MALLOC_ARENA_MAX=2
|
34
|
+
|
35
|
+
# if we crash, restart
|
36
|
+
RestartSec=1
|
37
|
+
Restart=on-failure
|
38
|
+
|
39
|
+
# output goes to /var/log/syslog (Ubuntu) or /var/log/messages (CentOS)
|
40
|
+
StandardOutput=syslog
|
41
|
+
StandardError=syslog
|
42
|
+
|
43
|
+
# This will default to "bundler" if we don't specify it
|
44
|
+
SyslogIdentifier=resque
|
45
|
+
|
46
|
+
[Install]
|
47
|
+
WantedBy=multi-user.target
|
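Review bot: `ExecStart` is not run through a shell, so the double-quoted string beginning with `RAILS_ENV=... COUNT=... QUEUES=...` is taken as the executable to run and the unit cannot start as written; the variables belong in `Environment=` lines and `ExecStart` needs a real command. `BACKGROUND=yes` and `PIDFILE` should be dropped too, because with `Type=simple` systemd expects the worker to stay in the foreground. While the `[Service]` section is being edited, `NoNewPrivileges=true` is an inexpensive hardening for a worker that runs as `deploy`. The role's tasks shown on this page install only the monit script, so this template appears to be unused; confirm whether it is meant to ship.

```ini
# … unchanged: [Unit] section, Type=simple, WorkingDirectory …
Environment=RAILS_ENV={{rails_env}}
Environment=COUNT={{resque_concurrency}}
Environment=QUEUES={{hostname}},{{ job_queues | join(',') }}
# adjust to where bundle is installed on the host
ExecStart=/usr/bin/env bundle exec rake resque:work
NoNewPrivileges=true
# … unchanged: User, Group, UMask, Restart and logging settings …
```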
@@ -1,2 +1,2 @@
|
|
1
1
|
---
|
2
|
-
sidekiq_concurrency:
|
2
|
+
sidekiq_concurrency: 1
|
@@ -13,6 +13,12 @@ module Subspace
|
|
13
13
|
private
|
14
14
|
|
15
15
|
def update_ansible_cfg
|
16
|
+
if `pip show mitogen` =~ /^Location: (.*?)$/m
|
17
|
+
@mitogen_path = $1
|
18
|
+
puts "πππ
Mitogen found at #{@mitogen_path}. WARP 9!....ENGAGE!π"
|
19
|
+
else
|
20
|
+
puts "Mitogen not detected. Ansible will be slow. Run `pip install mitogen` to fix."
|
21
|
+
end
|
16
22
|
template! "ansible.cfg"
|
17
23
|
end
|
18
24
|
end
|
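Review bot: The backtick call `pip show mitogen` at the top of `update_ansible_cfg` raises `Errno::ENOENT` when no `pip` is on PATH, so generating `ansible.cfg` aborts on machines without pip instead of reaching the "Mitogen not detected" branch; wrap the probe in `begin ... rescue Errno::ENOENT` and treat that case as not installed. The captured `Location:` value is written into `ansible.cfg` as `strategy_plugins`, a directory Ansible loads Python code from, and it comes from whichever `pip` is first on PATH, which may not belong to the interpreter Ansible runs under. Check it before use, e.g. `File.directory?(File.join($1, 'ansible_mitogen', 'plugins', 'strategy'))`, and only then set `@mitogen_path`. A one-line comment stating that `@mitogen_path` is consumed by the `ansible.cfg` template would also help the next reader.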
data/lib/subspace/version.rb
CHANGED
@@ -3,7 +3,14 @@ inventory = hosts
|
|
3
3
|
forks = 10
|
4
4
|
roles_path = ./roles:<%= File.join(gem_path, 'ansible', 'roles') %>:/etc/ansible/roles
|
5
5
|
vault_password_file = .vault_pass
|
6
|
+
# Uncomment to add timestamps to tasks to find slow ones.
|
7
|
+
# callback_whitelist = profile_tasks
|
8
|
+
|
9
|
+
<% if @mitogen_path %>
|
10
|
+
strategy_plugins = <%= @mitogen_path %>/ansible_mitogen/plugins/strategy
|
11
|
+
strategy = mitogen_linear
|
12
|
+
<% end %>
|
6
13
|
|
7
14
|
[ssh_connection]
|
8
|
-
pipelining=True
|
9
|
-
control_path =
|
15
|
+
pipelining = True
|
16
|
+
control_path = /tmp/subspace-control-%%h-%%p-%%r
|
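Review bot: `control_path = /tmp/subspace-control-%%h-%%p-%%r` places the SSH ControlMaster socket at a predictable name in a world-writable directory, whereas the OpenSSH documentation recommends keeping control sockets in a directory other users cannot write to. On a shared workstation or CI host another local account can pre-create that path and block or interfere with connection sharing. Prefer Ansible's per-user socket directory, `control_path = %(directory)s/subspace-%%h-%%p-%%r`, which resolves under `~/.ansible/cp` by default. The file header for this hunk is missing on the page (it is shown under `data/lib/subspace/version.rb`); per the file list it is presumably `template/provision/ansible.cfg.erb`.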
@@ -12,9 +12,8 @@
|
|
12
12
|
- ruby-common
|
13
13
|
- rails
|
14
14
|
- puma
|
15
|
-
- nginx
|
16
15
|
- letsencrypt
|
17
|
-
- nginx
|
16
|
+
- nginx
|
18
17
|
- postgresql
|
19
18
|
- monit
|
20
19
|
- logrotate
|
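--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-version: 2.5.
+version: 2.5.8
 platform: ruby
 authors:
 - Brian Samson
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2022-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -225,6 +225,9 @@ files:
 - ansible/roles/rails/templates/database.yml
 - ansible/roles/redis/defaults/main.yml
 - ansible/roles/redis/tasks/main.yml
+- ansible/roles/resque/tasks/main.yml
+- ansible/roles/resque/templates/resque-monit-rc
+- ansible/roles/resque/templates/resque-systemd.service
 - ansible/roles/ruby-common/README.md
 - ansible/roles/ruby-common/defaults/main.yml
 - ansible/roles/ruby-common/meta/main.yml
@@ -310,7 +313,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.4
 signing_key:
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects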