subspace 2.5.4 → 2.5.8
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +20 -1
- data/README.md +26 -7
- data/ansible/roles/common/defaults/main.yml +1 -0
- data/ansible/roles/common/files/sudoers-service +1 -1
- data/ansible/roles/common/tasks/main.yml +11 -6
- data/ansible/roles/letsencrypt/tasks/modern.yml +7 -0
- data/ansible/roles/puma/templates/puma.rb +8 -0
- data/ansible/roles/resque/tasks/main.yml +15 -0
- data/ansible/roles/resque/templates/resque-monit-rc +4 -0
- data/ansible/roles/resque/templates/resque-systemd.service +47 -0
- data/ansible/roles/sidekiq/defaults/main.yml +1 -1
- data/lib/subspace/commands/ansible.rb +6 -0
- data/lib/subspace/version.rb +1 -1
- data/template/provision/ansible.cfg.erb +9 -2
- data/template/provision/playbook.yml.erb +1 -2
- metadata +6 -3
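--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 82942611925eb85847f321e3fc375f02fcd3c49fdde254012aa276792c309437
+data.tar.gz: 58a200b894ab4a697c57a8db271ad36db1ba3cf304ee9045f903e872ec52cb14
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4c8e6dc1a37b42a77c44bcb3ce8a9a794b662505a06aa838af810151e25e283d673358e8062fbc6da2e342aa5d00de336d8d38633e4a2e4027f0a81800ccc35e
+data.tar.gz: 24a4eccfcb22e0e9a70b3fe9030ec3303add72ef1a97a4bec9d3c2ce0e30c881f37bee9c80f0b3d691be8649574c445035fdc5666ea6686eab345b8b22b93885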
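--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.
+2.7.4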
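--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 This is a [changelog](https://keepachangelog.com/en/0.3.0/).
 
-This project attempts to follow [semantic versioning](https://semver.org/)
+This project attempts to follow [semantic versioning](https://semver.org/).
 
 ## Known Bugs
 
@@ -10,6 +10,25 @@ This project attempts to follow [semantic versioning](https://semver.org/)
 * Not working on OSX - macs don't read from /etc/profile.d/
 * Stops showing color if you `sudo su`
 
+## Unreleased
+
+## 2.5.8
+* Add a new role for configuring a monit-based resque server
+* Auto-detect mitogen for speed
+
+## 2.5.7
+* Add ability to set the timezone for servers instead of forcing to Central Time
+* Update puma configuration to support puma 5 with puma-daemon
+* Update letsencrypt to add certbot-nginx support for newer ubuntu
+
+## 2.5.6
+* Fix sending security stats
+* Make sure apt package acl is installed in common role so ansible can become a non-privileged user
+
+## 2.5.5
+* Remove duplicate nginx role from playbook templates
+* Don't send stats if there have been no upgrades
+
 ## 2.5.4
 * certbox => certbot
 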
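--- a/data/README.md
+++ b/data/README.md
@@ -283,11 +283,11 @@ Installs logrotate and lets you configure logs for automatic rotation. Example
 ## newrelic
 
 ## newrelic-infra
-This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
+This role will install the next-gen "Newrelic One" infrastructure agent which can perform a few different functions for newrelic. The previous "newrelic" role is deprecated.
 
-Variables:
-# Required, the newrelic license key you get after signing up.
-newrelic_license: "longhashthingyougetfromnewrelichere"
+Variables:
+# Required, the newrelic license key you get after signing up.
+newrelic_license: "longhashthingyougetfromnewrelichere"
 # Optional - send logs to newrelic one's log aggregator.
 newrelic_logs:
 - name: rails-production
@@ -373,6 +373,14 @@ Installs redis on the server.
 # Change to * if you want tthis available everywhere.
 redis_bind: 127.0.0.1
 
+## resque
+
+Install monitoring and automatic startup for resque workers via monit. You MUST set the `job_queues` variable as follows:
+
+job_queues:
+- default
+- mailers
+- exports
 ## ruby-common
 
 Installs ruby on the machine. YOu can set a version by picking off the download url and sha hash from ruby-lang.org
@@ -387,10 +395,14 @@ Installs ruby on the machine. YOu can set a version by picking off the download
 
 This will install a monit script that keeps sidekiq running. We spawn one sidekiq instance that manages as many queues as you need. Varaibles of note:
 
+# Process these background job queues
 job_queues:
 - default
 - mailers
 
+# Number of sidekiq *processes* to run
+sidekiq_concurrency: 1
+
 * Note that as of v0.4.13, we now also add a unique job queue for each host with its hostname. This is handy if you need to assign a job to a specific host. In general you should use named queues, but occasionally this is useful and there's no harm in having it there unused.
 
 Sidekiq uses redis by default, and rails connects to a redis running on localhost by default. However, this role does not depend on redis since in production it's likely redis will be running elsewhere. If you're provisioning a standalone server, make sure to include the redis role.
@@ -407,7 +419,14 @@ Thanks to the following repositories for making their roles available:
 * https://github.com/mtpereira/ansible-passenger
 
 
-#
+# Mitogen
+
+In order to dramatically speed up ansible, you can install Mitogen: https://github.com/mitogen-hq/mitogen/blob/master/docs/ansible_detailed.rst
+
+pip install -g mitogen
+
+Subspace will automatically detect this and update your ansible.cfg file so it is blazing fast.
+
 
 ## Directory Structure
 
@@ -428,8 +447,8 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version:
 
 1. update the version number in `version.rb`
-2.
-3.
+2. `gem build subspace.gemspec`
+3. `gem push subspace-x.y.z.gem`
 
 This will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 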
|
@@ -1 +1 @@
|
|
|
1
|
-
deploy ALL=(root) NOPASSWD: /usr/sbin/service
|
|
1
|
+
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl, /usr/sbin/service
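Review bot: The new rule lets `deploy` run `/usr/bin/systemctl` as root with no argument restriction, which covers every unit and every verb on the host rather than only the application's own services. sudoers matches the full command line when arguments are listed, so the grant can be narrowed to what the roles actually need, for example `deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart <unit>, /usr/bin/systemctl status <unit>` with `<unit>` replaced by the real service names. The existing `/usr/sbin/service` entry is just as broad and would benefit from the same treatment. The path is also distribution-dependent (`/bin/systemctl` on hosts without a merged /usr), so the rule may silently fail to match there.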
|
|
@@ -125,6 +125,12 @@
|
|
|
125
125
|
- maintenance
|
|
126
126
|
- upgrade
|
|
127
127
|
|
|
128
|
+
- name: Install acl so ansible can become a non-privileged user
|
|
129
|
+
apt:
|
|
130
|
+
pkg: acl
|
|
131
|
+
state: present
|
|
132
|
+
become: true
|
|
133
|
+
|
|
128
134
|
- name: Get os_upgrades stats
|
|
129
135
|
shell:
|
|
130
136
|
cmd: |
|
|
@@ -153,7 +159,7 @@
|
|
|
153
159
|
key: os_upgrades
|
|
154
160
|
value: "{{stats_os_upgrades.stdout}}"
|
|
155
161
|
hostname: "{{hostname}}"
|
|
156
|
-
when: send_stats == true and stats_url is defined and stats_api_key is defined
|
|
162
|
+
when: (send_stats == true) and (stats_url is defined) and (stats_api_key is defined) and (stats_os_upgrades.stdout | length > 0)
|
|
157
163
|
tags:
|
|
158
164
|
- maintenance
|
|
159
165
|
- stats
|
|
@@ -197,9 +203,8 @@
|
|
|
197
203
|
- name: Get os_security_upgrades stats
|
|
198
204
|
shell:
|
|
199
205
|
cmd: |
|
|
200
|
-
|
|
206
|
+
grep -A 1 $(date +%Y-%m) updates.log | # Groups of lines from the current month
|
|
201
207
|
grep 'security' | # Only lines matching 'security'
|
|
202
|
-
grep -P -o '(^\d+)' | #Extract the numbers at the beginning of the lines
|
|
203
208
|
awk '{s+=$1} END {print s}' # Sum all the lines
|
|
204
209
|
args:
|
|
205
210
|
chdir: /opt/subspace
|
|
@@ -222,7 +227,7 @@
|
|
|
222
227
|
key: os_security_upgrades
|
|
223
228
|
value: "{{stats_os_security_upgrades.stdout}}"
|
|
224
229
|
hostname: "{{hostname}}"
|
|
225
|
-
when: send_stats == true and stats_url is defined and stats_api_key is defined
|
|
230
|
+
when: (send_stats == true) and (stats_url is defined) and (stats_api_key is defined) and (stats_os_security_upgrades.stdout | length > 0)
|
|
226
231
|
tags:
|
|
227
232
|
- maintenance
|
|
228
233
|
- stats
|
|
@@ -236,9 +241,9 @@
|
|
|
236
241
|
- maintenance
|
|
237
242
|
- stats
|
|
238
243
|
|
|
239
|
-
- name: set timezone
|
|
244
|
+
- name: set timezone
|
|
240
245
|
timezone:
|
|
241
|
-
name:
|
|
246
|
+
name: "{{timezone}}"
|
|
242
247
|
tags:
|
|
243
248
|
- maintenance
|
|
244
249
|
|
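Review bot: With the added `| length > 0` guards on both stats tasks (new lines 162 and 230), a host reports nothing whenever the pipeline prints an empty line, so "no pending security upgrades" becomes indistinguishable from a missing `updates.log`, a failed `grep`, or a host that has stopped reporting. For patch-compliance monitoring an explicit zero is the safer signal: `awk '{s+=$1} END {print s+0}'` always prints a number, and the `when:` could then keep only the three original conditions. The security pipeline also drops the `grep -P -o '(^\d+)'` stage, so the sum now relies on every line matching `security` starting with the count; the log format is not visible in these hunks, so that should be confirmed. The shell body of the `os_upgrades` task lies outside the hunks shown.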
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
begin
|
|
2
|
+
# Needed for Puma 5 + puma-damon, but built in to Puma 4
|
|
3
|
+
# https://github.com/kigster/puma-daemon
|
|
4
|
+
require 'puma/daemon'
|
|
5
|
+
rescue LoadError => e
|
|
6
|
+
# Puma 4 has `daemonize` built in
|
|
7
|
+
end
|
|
8
|
+
|
|
1
9
|
# Change to match your CPU core count
|
|
2
10
|
workers {{puma_workers}}
|
|
3
11
|
# Min and Max threads per worker
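Review bot: The `rescue LoadError => e` at the top of the template binds `e` without using it and discards the failure silently, so on Puma 5 without the puma-daemon gem the config still loads and the problem only shows up later, wherever daemonizing is requested (outside this hunk). Use a bare `rescue LoadError` and consider printing a one-line warning so a missing gem is visible at boot. The comment on new line 2 also misspells the gem as `puma-damon`.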
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
---
|
|
2
|
+
- name: Install resque monit script
|
|
3
|
+
template:
|
|
4
|
+
src: resque-monit-rc
|
|
5
|
+
dest: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
|
|
6
|
+
become: true
|
|
7
|
+
|
|
8
|
+
- name: Enable resque monit script
|
|
9
|
+
file:
|
|
10
|
+
src: /etc/monit/conf-available/resque_{{project_name}}_{{rails_env}}
|
|
11
|
+
dest: /etc/monit/conf-enabled/resque_{{project_name}}_{{rails_env}}
|
|
12
|
+
state: link
|
|
13
|
+
notify:
|
|
14
|
+
- reload_monit
|
|
15
|
+
- restart_monit
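Review bot: The `Enable resque monit script` task creates a link under `/etc/monit/conf-enabled` but, unlike the template task above it, has no `become: true`, so it only succeeds when escalation is already set at play or role level; add `become: true` to it. The template task leaves ownership and permissions to defaults even though the rendered file holds command lines that monit executes, so pin them with `owner: root`, `group: root` and `mode: "0644"`. Notifying both `reload_monit` and `restart_monit` looks redundant; the handlers are not visible here, so confirm which one is intended.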
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
check process resque
|
|
2
|
+
with pidfile /u/apps/{{project_name}}/shared/tmp/pids/resque.pid
|
|
3
|
+
start program = "/bin/su - deploy -c 'cd /u/apps/{{project_name}}/current && RAILS_ENV={{rails_env}} QUEUES={{hostname}},{{ job_queues | join(',') }} BACKGROUND=yes PIDFILE=/u/apps/{{project_name}}/shared/tmp/pids/resque.pid bundle exec rake resque:work'" with timeout 30 seconds
|
|
4
|
+
stop program = "/bin/su - deploy -c 'kill -s TERM `cat /u/apps/{{project_name}}/shared/tmp/pids/resque.pid`'" with timeout 30 seconds
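Review bot: The check is named `resque` for every deployment, while the file it is rendered into is per project and environment (`resque_{{project_name}}_{{rails_env}}`); monit service names have to be unique, so a second project or environment on the same host would make monit reject the configuration. Name the check after the same variables, e.g. `check process resque_{{project_name}}_{{rails_env}}`. The start line also interpolates `{{hostname}}` and the joined `job_queues` unquoted into a shell command string, so a queue name containing a space or quote would change the command; quoting the `QUEUES=` value or validating queue names in the role would make it robust. The stop program signals whatever PID the pidfile holds, which after an unclean exit may no longer be the worker.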
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
[Unit]
|
|
2
|
+
Description=resque
|
|
3
|
+
# consider adding redis-server.service if Redis is local and systemd-managed.
|
|
4
|
+
After=syslog.target network.target
|
|
5
|
+
|
|
6
|
+
# See these pages for lots of options:
|
|
7
|
+
#
|
|
8
|
+
# https://www.freedesktop.org/software/systemd/man/systemd.service.html
|
|
9
|
+
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
|
10
|
+
#
|
|
11
|
+
# THOSE PAGES ARE CRITICAL FOR ANY LINUX DEVOPS WORK; read them multiple
|
|
12
|
+
# times! systemd is a critical tool for all developers to know and understand.
|
|
13
|
+
#
|
|
14
|
+
[Service]
|
|
15
|
+
#
|
|
16
|
+
# !!!! !!!! !!!!
|
|
17
|
+
#
|
|
18
|
+
Type=simple
|
|
19
|
+
|
|
20
|
+
WorkingDirectory=/u/apps/{{project_name}}/current
|
|
21
|
+
|
|
22
|
+
ExecStart="RAILS_ENV={{rails_env}} COUNT={{resque_concurrency}} QUEUES={{hostname}},{{ job_queues | join(',') }} BACKGROUND=yes PIDFILE=/u/apps/{{project_name}}/shared/tmp/pids/resque.pid bundle exec rake resque:work"
|
|
23
|
+
|
|
24
|
+
# Uncomment this if you are going to use this as a system service
|
|
25
|
+
# if using as a user service then leave commented out, or you will get an error trying to start the service
|
|
26
|
+
# !!! Change this to your deploy user account if you are using this as a system service !!!
|
|
27
|
+
User=deploy
|
|
28
|
+
Group=deploy
|
|
29
|
+
UMask=0002
|
|
30
|
+
|
|
31
|
+
# Greatly reduce Ruby memory fragmentation and heap usage
|
|
32
|
+
# https://www.mikeperham.com/2018/04/25/taming-rails-memory-bloat/
|
|
33
|
+
Environment=MALLOC_ARENA_MAX=2
|
|
34
|
+
|
|
35
|
+
# if we crash, restart
|
|
36
|
+
RestartSec=1
|
|
37
|
+
Restart=on-failure
|
|
38
|
+
|
|
39
|
+
# output goes to /var/log/syslog (Ubuntu) or /var/log/messages (CentOS)
|
|
40
|
+
StandardOutput=syslog
|
|
41
|
+
StandardError=syslog
|
|
42
|
+
|
|
43
|
+
# This will default to "bundler" if we don't specify it
|
|
44
|
+
SyslogIdentifier=resque
|
|
45
|
+
|
|
46
|
+
[Install]
|
|
47
|
+
WantedBy=multi-user.target
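Review bot: The `ExecStart=` line on new line 22 cannot start as written: systemd does not run the command through a shell, so the quoted string is taken as a single word and the leading `RAILS_ENV=...` assignments are read as the program name. Move the variables to `Environment=` lines and give `ExecStart=` a real executable. `BACKGROUND=yes` and `PIDFILE=` should be dropped as well, because with `Type=simple` systemd expects the worker to stay in the foreground and tracks the PID itself. `{{resque_concurrency}}` has no default among the files this release adds to the role, and the role's tasks install only the monit script, so this unit appears to be neither rendered nor exercised yet.

```ini
# … unchanged: Type=simple, WorkingDirectory …
Environment=RAILS_ENV={{rails_env}}
Environment=COUNT={{resque_concurrency}}
Environment=QUEUES={{hostname}},{{ job_queues | join(',') }}
# use the absolute path to bundle if it is not on the service's PATH
ExecStart=/usr/bin/env bundle exec rake resque:work
# … unchanged: User/Group, MALLOC_ARENA_MAX, Restart, logging …
```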
|
|
@@ -1,2 +1,2 @@
|
|
|
1
1
|
---
|
|
2
|
-
sidekiq_concurrency:
|
|
2
|
+
sidekiq_concurrency: 1
|
|
@@ -13,6 +13,12 @@ module Subspace
|
|
|
13
13
|
private
|
|
14
14
|
|
|
15
15
|
def update_ansible_cfg
|
|
16
|
+
if `pip show mitogen` =~ /^Location: (.*?)$/m
|
|
17
|
+
@mitogen_path = $1
|
|
18
|
+
puts "πππ
Mitogen found at #{@mitogen_path}. WARP 9!....ENGAGE!π"
|
|
19
|
+
else
|
|
20
|
+
puts "Mitogen not detected. Ansible will be slow. Run `pip install mitogen` to fix."
|
|
21
|
+
end
|
|
16
22
|
template! "ansible.cfg"
|
|
17
23
|
end
|
|
18
24
|
end
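Review bot: The backtick call running `pip show mitogen` in `update_ansible_cfg` raises `Errno::ENOENT` when no `pip` executable is on PATH, so on such machines the command aborts instead of printing the "Mitogen not detected" hint; rescue that error and treat it as not detected. The captured `Location:` is then written into `ansible.cfg` as `strategy_plugins`, a directory Ansible loads Python code from, and it comes from whichever `pip` is first on PATH, which may belong to a different interpreter or virtualenv than the one running Ansible. Checking `File.directory?(File.join(@mitogen_path, 'ansible_mitogen', 'plugins', 'strategy'))` before keeping `@mitogen_path` would keep a stale or unexpected path out of the config. The hint in the `else` branch says `pip install mitogen` while the README in this release says `pip install -g mitogen`; the two should agree.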
|
data/lib/subspace/version.rb
CHANGED
|
@@ -3,7 +3,14 @@ inventory = hosts
|
|
|
3
3
|
forks = 10
|
|
4
4
|
roles_path = ./roles:<%= File.join(gem_path, 'ansible', 'roles') %>:/etc/ansible/roles
|
|
5
5
|
vault_password_file = .vault_pass
|
|
6
|
+
# Uncomment to add timestamps to tasks to find slow ones.
|
|
7
|
+
# callback_whitelist = profile_tasks
|
|
8
|
+
|
|
9
|
+
<% if @mitogen_path %>
|
|
10
|
+
strategy_plugins = <%= @mitogen_path %>/ansible_mitogen/plugins/strategy
|
|
11
|
+
strategy = mitogen_linear
|
|
12
|
+
<% end %>
|
|
6
13
|
|
|
7
14
|
[ssh_connection]
|
|
8
|
-
pipelining=True
|
|
9
|
-
control_path =
|
|
15
|
+
pipelining = True
|
|
16
|
+
control_path = /tmp/subspace-control-%%h-%%p-%%r
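Review bot: `control_path = /tmp/subspace-control-%%h-%%p-%%r` places the SSH ControlMaster sockets at predictable names in a world-writable directory, where another local user on a shared workstation or CI host can interfere with the path. Ansible's default keeps them in a per-user directory; `control_path = %(directory)s/subspace-%%h-%%p-%%r` keeps the short name while using `control_path_dir` (default `~/.ansible/cp`). In the same hunk `strategy_plugins` is filled from `@mitogen_path` without validation, so whatever the detection step captured lands verbatim in the config. This section is headed `data/lib/subspace/version.rb` on the page, but the content shown is the `ansible.cfg.erb` template.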
|
|
@@ -12,9 +12,8 @@
|
|
|
12
12
|
- ruby-common
|
|
13
13
|
- rails
|
|
14
14
|
- puma
|
|
15
|
-
- nginx
|
|
16
15
|
- letsencrypt
|
|
17
|
-
- nginx
|
|
16
|
+
- nginx
|
|
18
17
|
- postgresql
|
|
19
18
|
- monit
|
|
20
19
|
- logrotate
|
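--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-version: 2.5.
+version: 2.5.8
 platform: ruby
 authors:
 - Brian Samson
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2022-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -225,6 +225,9 @@ files:
 - ansible/roles/rails/templates/database.yml
 - ansible/roles/redis/defaults/main.yml
 - ansible/roles/redis/tasks/main.yml
+- ansible/roles/resque/tasks/main.yml
+- ansible/roles/resque/templates/resque-monit-rc
+- ansible/roles/resque/templates/resque-systemd.service
 - ansible/roles/ruby-common/README.md
 - ansible/roles/ruby-common/defaults/main.yml
 - ansible/roles/ruby-common/meta/main.yml
@@ -310,7 +313,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.4
 signing_key:
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects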