subspace 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 57b55c6f99d2144073f2601463e9945b60842550
-  data.tar.gz: 93c40a9e919c5c8a49745310ad042de16f54bf1f
+  metadata.gz: 034d9c344dce74224c40707ccc449f2b5c8ead6c
+  data.tar.gz: 3b98db5e3dcc6eb6d68ce023247e09c71b6ed43d
 SHA512:
-  metadata.gz: b67b94db7a8c7d5e70352f927bd944099f0abfe2a71bd51b6670af6b693976253d902f5054a56feea5ff8e200b17234ef5300f5a3500584c5d5add70d1a9a72c
-  data.tar.gz: 5a98c46e5f8547dd596fb55260ea9ab17156847854375585f7c0fd1834a16643213199d2b529a33ee1f7682c30c6732a3b16bbebfdd86e4e1ad835db18086e90
+  metadata.gz: aecec2d3c3ee233a08989db4ab8d803257580e25fbffeee3d661f1ad662e3a3795d8e322e3f4375f9f485357ddcc6769f817651fc93b2fc84b66bd6fcd6f2a3e
+  data.tar.gz: 49b8a85e81fcba46c5876ede4d86c036e14ed5c8734110706ebe2a01cdd3cbc98ed963aa7b7e20ec02fbf3ee62b738ca93eba67b91c734e4fe61bc3e96caada5

data/README.md

@@ -84,7 +84,7 @@ This is a description of all the roles that are included by installing subspace,
 This role should almost always be there.  It ties a bunch of stuff together, runs apt-get update or yum upgrade, sets hostnames, and generally makes the server sane.
 
     project_name: my_project
-    swap_space: 536870912
+    swap_space: 512M
     deploy_user: deploy
 
 Note: we grant the deploy user limited sudo access to run `service xyz restart` and also add it to the `adm` group so it can view logs in `/var/log`.
@@ -95,6 +95,12 @@ This is a description of all the roles that are included by installing subspace,
 
 ## apache
 
+The most important file for an apache install is the "project.conf" file that gets created in `sites-available` and symlinked to `sites-enabled`.  This is generated in a sensible way, but if you want to customize it you can do so by setting this variable to anything other than "project.conf":
+
+    apache_project_conf: my_custom_configuration.conf
+
+Then place my_custom_configuration.conf in config/provision/templates/my_custom_configuration.conf.  This will still get copied to the server as `sites-available/{project_name}.conf`
+
 ## collectd
 
 ## common
@@ -103,6 +109,20 @@ This is a description of all the roles that are included by installing subspace,
 
 ## letsencrypt
 
+By default, this creates a single certificate for every server alias/server name in the configuration file.
+If you'd like more control over the certs created, you can define the variables `le_ssl_certs` as follows:
+
+    le_ssl_certs:
+      - cert_name: mycert
+        domains:
+          - mydomain.example.com
+          - otherdomain.example.com
+      - cert_name: othersite
+        domains:
+          - othersite.example.com
+
+Note that this role needs to be defined /before/ the apache role
+
 ## logrotate
 
 Installs logrotate and lets you configure logs for automatic rotation.  Example config for rails:
@@ -136,6 +156,13 @@ Installs logrotate and lets you configure logs for automatic rotation.  Example
 
 ## postgresql
 
+  Sets up a postgres *server* - only use this on the database machine.
+
+    backups_enabled: true
+    s3_db_backup_bucket: disabled
+    s3_db_backup_prefix: "{{project_name}}/{{rails_env}}"
+    database_user: "{{project_name}}"
+
 ## puma
 
 ## rails
@@ -207,3 +234,6 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/tenfor
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+# Roles and Variables
+

data/ansible/roles/apache-rails/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+  - name: Create Apache config
+    template:
+      src: "{{apache_project_conf}}"
+      dest: /etc/apache2/sites-available/{{project_name}}.conf
+    become: true
+
+  - name: Symlink {{project_name}}.conf to sites-enabled
+    file:
+      src: /etc/apache2/sites-available/{{project_name}}.conf
+      dest: /etc/apache2/sites-enabled/{{project_name}}.conf
+      state: "{{ ssl_enabled | ternary('absent', 'link')}}"
+    become: true
+
+  - name: Create Apache SSL config
+    template:
+      src: project-ssl.conf
+      dest: /etc/apache2/sites-available/{{project_name}}-ssl.conf
+    become: true
+
+  - name: Symlink {{project_name}}-ssl.conf to sites-enabled
+    file:
+      src: /etc/apache2/sites-available/{{project_name}}-ssl.conf
+      dest: /etc/apache2/sites-enabled/{{project_name}}-ssl.conf
+      state: "{{ ssl_enabled | ternary('link', 'absent')}}"
+    become: true

data/ansible/roles/apache-rails/templates/_rails.conf

@@ -0,0 +1,23 @@
+ServerName {{server_name}}
+{% for alias in server_aliases %}
+ServerAlias {{alias}}
+{% endfor %}
+RailsEnv {{rails_env}}
+DocumentRoot /u/apps/{{project_name}}/current/public
+# This is a test
+<Directory /u/apps/{{project_name}}/current/public>
+    # This relaxes Apache security settings.
+    AllowOverride all
+    # MultiViews must be turned off.
+    Options -MultiViews
+    # Uncomment this if you're on Apache >= 2.4:
+    Require all granted
+</Directory>
+<Location /assets/>
+    # Use of ETag is discouraged when Last-Modified is present
+    Header unset ETag
+    FileETag None
+    # RFC says only cache for 1 year
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+</Location>

data/ansible/roles/apache-rails/templates/project-ssl.conf

@@ -0,0 +1,16 @@
+<VirtualHost *:80>
+    ServerName {{server_name}}
+    {% for alias in server_aliases %}
+    ServerAlias {{alias}}
+    {% endfor %}
+    RewriteEngine On
+    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=302,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+    <VirtualHost *:443>
+        {% include "_rails.conf" %}
+
+        {{apache_ssl_config}}
+    </VirtualHost>
+</IfModule>

data/ansible/roles/apache-rails/templates/project.conf

@@ -0,0 +1,3 @@
+<VirtualHost *:80>
+    {% include "_rails.conf" %}
+</VirtualHost>

data/ansible/roles/apache/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
   server_aliases: []
-  template_src_path: project.conf
-  # TODO Replace with LetsEncrypt.
-  #ssl_enabled: false
-  #ssl_server_crt: ./files/{{project_name}}/server.crt
-  #ssl_intermediate_crt: ./files/{{project_name}}/intermediate.crt
+  apache_project_conf: project.conf
+  ssl_enabled: false
+  apache_ssl_config: ""
+  #ssl_cert_path: /etc/letsencrypt/site/server.crt
+  #ssl_key_path: /etc/letsencrypt/site/server.key

data/ansible/roles/apache/handlers/main.yml

@@ -1,4 +1,12 @@
 ---
 - name: apache restart
   service: name=apache2 state=restarted
-  sudo: yes
+  become: true
+
+- name: stop webserver
+  service: name=apache2 state=stopped
+  become: true
+
+- name: start webserver
+  service: name=apache2 state=started
+  become: true

data/ansible/roles/apache/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
+  - set_fact:
+      apache2_installed: true
+
   - name: Install apache2
     apt:
       pkg: apache2
@@ -17,17 +20,38 @@
       state: present
     become: true
 
-  - name: Create Apache config
-    template:
-      src: "{{template_src_path}}"
-      dest: /etc/apache2/sites-available/{{project_name}}.conf
-    notify: apache restart
+  - name: a2enmod rewrite
+    when: ssl_enabled
+    apache2_module:
+      name: rewrite
+      state: present
     become: true
 
-  - name: Symlink {{project_name}}.conf to sites-enabled
+  - name: Enable mod_ssl
+    when: ssl_enabled
+    apache2_module:
+      name: ssl
+      state: present
+    become: true
+
+  - name: "Configure rails_projects"
+    include_role:
+      name: apache-rails
+
+  - debug: msg="trigger apache restart"
+    notify: apache restart
+    changed_when: true
+
+  - name: create server-status conf
+    template:
+      src: server_status.conf
+      dest: /etc/apache2/conf-available/server_status.conf
+    sudo: true
+
+  - name: enable server-status conf
     file:
-      src: /etc/apache2/sites-available/{{project_name}}.conf
-      dest: /etc/apache2/sites-enabled/{{project_name}}.conf
+      src: /etc/apache2/conf-available/server_status.conf
+      dest: /etc/apache2/conf-enabled/server_status.conf
       state: link
+    sudo: true
     notify: apache restart
-    become: true

data/ansible/roles/apache/templates/server_status.conf

@@ -0,0 +1,6 @@
+<Location /server-status>
+    SetHandler server-status
+    Order deny,allow
+    Deny from all
+    Allow from localhost
+</Location>

data/ansible/roles/collectd/tasks/main.yml

@@ -39,5 +39,13 @@
       dest: /etc/collectd/collectd.conf.d/delayed_job_postgres.conf
     become: true
     notify: restart collectd
-    when: collectd_enable_djpg is defined
+    when: postgresql_installed is defined and delayed_job_installed is defined
+
+  - name: create apache2 config
+    template:
+      src: apache2.conf
+      dest: /etc/collectd/collectd.conf.d/apache2.conf
+    sudo: true
+    notify: restart collectd
+    when: apache2_installed is defined
 

data/ansible/roles/collectd/templates/apache2.conf

@@ -0,0 +1,6 @@
+LoadPlugin "apache"
+<Plugin "apache">
+   <Instance "server-status">
+       URL "http://localhost/server-status?auto"
+   </Instance>
+</Plugin>

data/ansible/roles/common/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
-  swap_space: 536870912
+  swap_space: 512M
   deploy_user: deploy

data/ansible/roles/delayed_job/tasks/main.yml

@@ -1,4 +1,6 @@
 ---
+  - set_fact: delayed_job_installed="true"
+
   - name: Install delayed_job monit script
     template:
       src: delayed-job-monit-rc

data/ansible/roles/letsencrypt/defaults/main.yml

@@ -1,2 +1,12 @@
 ---
   certbot_dir: "/opt/certbot"
+  apache_ssl_config: |
+    SSLCertificateFile /etc/letsencrypt/live/{{server_name}}/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/{{server_name}}/privkey.pem
+    Include /etc/letsencrypt/options-ssl-apache.conf
+    SSLCertificateChainFile /etc/letsencrypt/live/{{server_name}}/chain.pem
+
+  nginx_ssl_config: |
+    ssl_certificate /etc/letsencrypt/live/{{server_name}}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{server_name}}/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;

data/ansible/roles/letsencrypt/tasks/main.yml

@@ -34,56 +34,44 @@
       dest: "{{certbot_dir}}/certbot-auto"
       mode: a+x
 
-  - name: Run default
-    become: true
-    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --apache --agree-tos --expand --non-interactive"
+  - name: shutdown webserver for standalone mode
+    debug: msg="Shutdown webserver"
+    notify: stop webserver
+    changed_when: true
 
-  - name: Enable mod_rewrite
-    become: true
-    apache2_module:
-      name: rewrite
-      state: present
+  - meta: flush_handlers
 
+  - name: "wait for webserver to stop"
+    wait_for:
+      port: 80
+      delay: 1
+      state: stopped
 
-  - name: Enable mod_ssl
+  - name: Run default
+    when: le_ssl_certs is not defined
     become: true
-    apache2_module:
-      name: ssl
-      state: present
+    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{([server_name] + server_aliases) | join(',')}} --standalone --agree-tos --expand --non-interactive"
 
-  - name: Create SSL Apache config
+  - name: Generate SSL Certificates
+    when: le_ssl_certs is defined
     become: true
-    template:
-      src: project-le-ssl.conf
-      dest: /etc/apache2/sites-available/{{project_name}}-le-ssl.conf
-    notify: apache restart
+    with_items: "{{le_ssl_certs}}"
+    command: "{{certbot_dir}}/certbot-auto certonly --email {{letsencrypt_email}} --domains {{item.domains | join(',')}} --cert-name {{item.cert_name}} --standalone --agree-tos --expand --non-interactive"
 
-  - name: Symlink {{project_name}}-le-ssl.conf to sites-enabled
-    become: true
-    file:
-      src: /etc/apache2/sites-available/{{project_name}}-le-ssl.conf
-      dest: /etc/apache2/sites-enabled/{{project_name}}-le-ssl.conf
-      state: link
-    notify: apache restart
+  - name: "Re-run apache rails_project to get SSL configuration"
+    when: apache2_installed is defined
+    include_role:
+      name: apache-rails
 
-  - name: Force redirect to https (1/2)
-    become: true
-    lineinfile:
-      dest: /etc/apache2/sites-available/{{project_name}}.conf
-      line: "RewriteEngine on"
-      state: present
-      insertbefore: "</VirtualHost>"
-    notify: apache restart
+  - name: "Re-run nginx rails_project to get SSL configuration"
+    when: nginx_installed is defined
+    include_role:
+      name: nginx-rails
 
-  - name: Force redirect to https (2/2)
-    become: true
-    lineinfile:
-      dest: /etc/apache2/sites-available/{{project_name}}.conf
-      line: "RewriteCond %{SERVER_NAME} ={{item}}\nRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,NE,R=permanent]"
-      state: present
-      insertbefore: "</VirtualHost>"
-    with_items: "{{ ([server_name] + server_aliases) }}"
-    notify: apache restart
+  - name: start webserver after standalone mode
+    debug: msg="Startup webserver"
+    notify: start webserver
+    changed_when: true
 
   - name: Setup cron job to auto renew
     become: true

data/ansible/roles/monit/handlers/main.yml

@@ -1,3 +1,9 @@
 ---
-  - name: monit
+  - name: reload_monit
     shell: monit stop all && monit reload && monit start all
+    become: true
+
+  - name: validate_monit
+    shell: monit validate
+    become: true
+

data/ansible/roles/monit/tasks/main.yml

@@ -3,17 +3,19 @@
     apt:
       name: monit
       state: present
-    sudo: true
+    become: true
 
   - name: Copy sudoers file so that deploy can use monit without entering password.
     copy:
       src: sudoers-monit
       dest: /etc/sudoers.d/monit
-    sudo: true
+    become: true
 
   - name: Copy monit config to enable http from localhost
     copy:
       src: monit-http.conf
       dest: /etc/monit/conf.d/monit-http.conf
-    sudo: true
-    notify: monit
+    become: true
+    notify:
+      - reload_monit
+      - validate_monit

data/ansible/roles/nginx-rails/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Remove the app's symlink, if exists
+  command: rm -rf /etc/nginx/sites-enabled/{{project_name}}
+  become: true
+
+- name: create nginx config for rails app
+  template:
+    src: nginx-project
+    dest: /etc/nginx/sites-available/{{project_name}}
+  become: true
+
+- name: Enable the app
+  file:
+    src: /etc/nginx/sites-available/{{project_name}}
+    dest: /etc/nginx/sites-enabled/{{project_name}}
+    state: "{{ ssl_enabled | ternary('absent', 'link')}}"
+  become: true
+
+- name: create nginx config for rails app
+  template:
+    src: nginx-project-ssl
+    dest: /etc/nginx/sites-available/{{project_name}}-ssl
+  become: true
+
+- name: Enable SSL configured app
+  file:
+    src: /etc/nginx/sites-available/{{project_name}}-ssl
+    dest: /etc/nginx/sites-enabled/{{project_name}}-ssl
+    state: "{{ ssl_enabled | ternary('link', 'absent')}}"
+  become: true

data/ansible/roles/nginx-rails/templates/_rails.conf

@@ -0,0 +1,23 @@
+root /u/apps/{{project_name}}/current/public;
+try_files $uri/index.html $uri @app;
+
+location @app {
+    proxy_pass http://app;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    # pass the upgrade headers so websockets work
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_redirect off;
+}
+
+location /cable {
+    proxy_pass http://app;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+}
+
+error_page 500 502 503 504 /500.html;
+client_max_body_size 4G;
+keepalive_timeout 10;

data/ansible/roles/nginx-rails/templates/_upstream.conf

@@ -0,0 +1,4 @@
+upstream app {
+    # Path to Puma socket
+    server localhost:9292;
+}

data/ansible/roles/nginx-rails/templates/nginx-project

@@ -0,0 +1,9 @@
+{% include "_upstream.conf" %}
+
+server {
+    listen 80;
+    server_name {{server_name}} {{server_aliases | join(" ")}};
+
+    {% include "_rails.conf" %}
+}
+

data/ansible/roles/nginx-rails/templates/nginx-project-ssl

@@ -0,0 +1,18 @@
+{% include "_upstream.conf" %}
+
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name {{server_name}} {{server_aliases | join(" ")}};
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 ssl;
+  server_name {{server_name}} {{server_aliases | join(" ")}};
+
+  {% include "_rails.conf" %}
+  {{nginx_ssl_config}}
+}
+
+

data/ansible/roles/nginx/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+  server_aliases: []
+  ssl_enabled: false
+  nginx_ssl_config: ""

data/ansible/roles/nginx/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: stop webserver
+  service: name=nginx state=stopped
+  become: true
+
+- name: start webserver
+  service: name=nginx state=started
+  become: true

data/ansible/roles/nginx/tasks/main.yml

@@ -1,3 +1,6 @@
+- set_fact:
+    nginx_installed: true
+
 - name: Install nginx
   apt: pkg=nginx state=latest
   become: true
@@ -6,21 +9,9 @@
   command: rm -rf /etc/nginx/sites-enabled/default
   become: true
 
-- name: Remove the app's config, if exists
-  command: rm -rf /etc/nginx/sites-enabled/default
-  become: true
-
-- name: Remove the app's symlink, if exists
-  command: rm -rf /etc/nginx/sites-enabled/{{project_name}}
-  become: true
-
-- name: Configure nginx for the app
-  template: src=nginx-project dest=/etc/nginx/sites-available/{{project_name}} group=www-data owner=www-data force=yes
-  become: true
-
-- name: Enable the app
-  command: ln -s /etc/nginx/sites-available/{{project_name}} /etc/nginx/sites-enabled/{{project_name}}
-  become: true
+- name: "Configure rails projects"
+  include_role:
+    name: nginx-rails
 
 - name: Restart nginx
   action: service name=nginx state=restarted

data/ansible/roles/postgresql/tasks/backups.yml

@@ -18,12 +18,6 @@
       dest: "/u/apps/{{project_name}}/shared/db/backup.sh"
       mode: 0755
 
-  - name: Remove old backup cron job because it had the wrong name
-    cron:
-      user: "{{deploy_user}}"
-      name: "check dirs"
-      state: "absent"
-
   - name: Install backup cron job
     when: backups_enabled
     cron:
@@ -31,3 +25,11 @@
       name: "Hourly backups"
       minute: "0"
       job: "/u/apps/{{project_name}}/shared/db/backup.sh"
+      state: "present"
+
+  - name: disable backup cron job
+    when: not backups_enabled
+    cron:
+      user: "{{deploy_user}}"
+      name: "Hourly backups"
+      state: "absent"

data/ansible/roles/postgresql/tasks/main.yml

@@ -1,4 +1,6 @@
 ---
+  - set_fact: postgresql_installed="true"
+
   - name: Create postgresql user
     postgresql_user:
       name: "{{database_user}}"

data/ansible/roles/puma/meta/main.yml

@@ -0,0 +1,5 @@
+---
+  dependencies:
+    - {
+      role: monit
+    }

data/ansible/roles/puma/tasks/main.yml

@@ -1,29 +1,19 @@
-- name: Add puma-manager
-  template: src=etc-init-puma-manager.conf dest=/etc/init/puma-manager.conf force=yes mode=755
+- name: Create shared/config/puma
+  file: path=/u/apps/{{project_name}}/shared/config/puma group=deploy owner=deploy state=directory
   tags: puma
 
-- name: Add puma config
-  template: src=etc-puma.conf dest=/etc/puma.conf force=yes mode=755
+- name: Add puma shared/config
+  template: src=puma.rb dest=/u/apps/{{project_name}}/shared/config/puma/{{rails_env}}.rb force=yes mode=755
   tags: puma
 
-- name: Add puma init script
-  template: src=etc-init-puma.conf dest=/etc/init/puma.conf force=yes mode=755
-  tags: puma
-
-# - name: Add puma shared/config
-#   template: src=puma_production.j2 dest=/u/apps/{{project_name}}/shared/config/puma/production.rb force=yes mode=755
-#   tags: puma
-
 - name: Make shared/tmp/sockets
   file: path=/u/apps/{{project_name}}/shared/tmp/sockets group=deploy owner=deploy state=directory
   tags: tmp
 
-- name: Restart puma-manager
-  action: service name=puma-manager state=restarted
+- name: Install puma monit script
+  template:
+    src: puma-monit-rc
+    dest: /etc/monit/conf.d/puma_{{project_name}}_{{rails_env}}
+  sudo: true
+  notify: validate_monit
 
-- name: Add Deploy user to sudoers
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: "^{{deploy_user}}"
-    line: "{{deploy_user}} ALL=NOPASSWD: /usr/sbin/service puma-manager *"

data/ansible/roles/puma/templates/puma-monit-rc

@@ -0,0 +1,5 @@
+check process puma
+  with pidfile /u/apps/{{project_name}}/current/tmp/pids/puma.pid
+  start program = "/bin/su - {{deploy_user}} -c 'cd /u/apps/{{project_name}}/current && bundle exec pumactl -F config/puma/{{rails_env}}.rb start'"
+  stop program = "/bin/su - {{deploy_user}} -c 'cd /u/apps/{{project_name}}/current && bundle exec pumactl -F config/puma/{{rails_env}}.rb stop'"
+  group puma

data/ansible/roles/puma/templates/puma.rb

@@ -3,27 +3,31 @@ workers Integer(ENV['WEB_CONCURRENCY'] || 4)
 
 threads_count = Integer(ENV['MAX_THREADS'] || 5)
 # Min and Max threads per worker
-threads threads_count, threads_count
+threads 0, threads_count
 
-app_dir = File.expand_path("../..", __FILE__)
+app_dir = "/u/apps/{{project_name}}/current"
+directory app_dir
 
-# Default to production
-rails_env = ENV['RAILS_ENV'] || "production"
+rails_env = "{{rails_env}}"
 environment rails_env
 
 # Set up socket location
-bind "unix://#{app_dir}/tmp/sockets/puma.sock"
+bind "tcp://127.0.0.1:9292"
 
 # Logging
 stdout_redirect "#{app_dir}/log/puma.stdout.log", "#{app_dir}/log/puma.stderr.log", true
 
 # Set master PID and state locations
-pidfile "#{app_dir}/tmp/pids/puma.pid"
-state_path "#{app_dir}/tmp/pids/puma.state"
+daemonize
+pidfile "/u/apps/{{project_name}}/shared/tmp/pids/puma.pid"
+state_path "/u/apps/{{project_name}}/shared/tmp/pids/puma.state"
 activate_control_app
 
 on_worker_boot do
   require "active_record"
   ActiveRecord::Base.connection.disconnect! rescue ActiveRecord::ConnectionNotEstablished
   ActiveRecord::Base.establish_connection(YAML.load_file("#{app_dir}/config/database.yml")[rails_env])
-end
+end
+
+# Allow puma to be restarted by `rails restart` command.
+plugin :tmp_restart

data/ansible/roles/sidekiq/tasks/main.yml

@@ -4,4 +4,4 @@
       src: sidekiq-monit-rc
       dest: /etc/monit/conf.d/sidekiq_{{project_name}}_{{rails_env}}
     sudo: true
-    notify: monit
+    notify: validate_monit

data/lib/subspace/commands/bootstrap.rb

@@ -8,12 +8,25 @@ class Subspace::Commands::Bootstrap < Subspace::Commands::Base
 
   def run
     # ansible atlanta -m copy -a "src=/etc/hosts dest=/tmp/hosts"
-    copy_authorized_keys
     install_python
+    ensure_ssh_dir
+    copy_authorized_keys
   end
 
   private
 
+  def ensure_ssh_dir
+    cmd = ["ansible",
+      @host_spec,
+      "-m",
+      "file",
+      "-a",
+      "path=/home/{{ansible_ssh_user}}/.ssh state=directory mode=0700",
+      "-vvvv"
+    ]
+    bootstrap_command cmd
+  end
+
   def copy_authorized_keys
     # -m file -a "dest=/srv/foo/a.txt mode=600"
     cmd = ["ansible",
@@ -24,10 +37,7 @@ class Subspace::Commands::Bootstrap < Subspace::Commands::Base
       "src=authorized_keys dest=/home/{{ansible_ssh_user}}/.ssh/authorized_keys mode=600",
       "-vvvv"
     ]
-    if @ask_pass
-      cmd.push("--ask-pass")
-    end
-    ansible_command *cmd
+    bootstrap_command cmd
   end
 
   def install_python
@@ -35,12 +45,19 @@ class Subspace::Commands::Bootstrap < Subspace::Commands::Base
     cmd = ["ansible",
       @host_spec,
       "-m",
-      @yum ? "yum" : "apt",
+      "raw",
       "-a",
-      "name=python state=present",
+      "test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)",
       "--become",
       "-vvvv"
     ]
+    bootstrap_command cmd
+  end
+
+  def bootstrap_command(cmd)
+    if @ask_pass
+      cmd.push("--ask-pass")
+    end
     ansible_command *cmd
   end
 

data/lib/subspace/version.rb

@@ -1,3 +1,3 @@
 module Subspace
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Brian Samson
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-05-29 00:00:00.000000000 Z
+date: 2017-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -100,13 +100,18 @@ files:
 - Rakefile
 - TODO
 - ansible/playbooks/local_template.yml
+- ansible/roles/apache-rails/tasks/main.yml
+- ansible/roles/apache-rails/templates/_rails.conf
+- ansible/roles/apache-rails/templates/project-ssl.conf
+- ansible/roles/apache-rails/templates/project.conf
 - ansible/roles/apache/defaults/main.yml
 - ansible/roles/apache/handlers/main.yml
 - ansible/roles/apache/tasks/main.yml
-- ansible/roles/apache/templates/project.conf
+- ansible/roles/apache/templates/server_status.conf
 - ansible/roles/collectd/defaults/main.yml
 - ansible/roles/collectd/handlers/main.yml
 - ansible/roles/collectd/tasks/main.yml
+- ansible/roles/collectd/templates/apache2.conf
 - ansible/roles/collectd/templates/delayed_job_postgres.conf
 - ansible/roles/collectd/templates/df.conf
 - ansible/roles/collectd/templates/graphite.conf
@@ -157,8 +162,14 @@ files:
 - ansible/roles/mysql2_gem/tasks/main.yml
 - ansible/roles/newrelic/handlers/main.yml
 - ansible/roles/newrelic/tasks/main.yml
+- ansible/roles/nginx-rails/tasks/main.yml
+- ansible/roles/nginx-rails/templates/_rails.conf
+- ansible/roles/nginx-rails/templates/_upstream.conf
+- ansible/roles/nginx-rails/templates/nginx-project
+- ansible/roles/nginx-rails/templates/nginx-project-ssl
+- ansible/roles/nginx/defaults/main.yml
+- ansible/roles/nginx/handlers/main.yml
 - ansible/roles/nginx/tasks/main.yml
-- ansible/roles/nginx/templates/nginx-project
 - ansible/roles/papertrail/tasks/main.yml
 - ansible/roles/papertrail/templates/log_files.yml
 - ansible/roles/passenger/meta/main.yml
@@ -169,10 +180,10 @@ files:
 - ansible/roles/postgresql/tasks/backups.yml
 - ansible/roles/postgresql/tasks/main.yml
 - ansible/roles/postgresql/templates/backup.sh
+- ansible/roles/puma/meta/main.yml
 - ansible/roles/puma/tasks/main.yml
-- ansible/roles/puma/templates/etc-init-puma-manager.conf
-- ansible/roles/puma/templates/etc-init-puma.conf
 - ansible/roles/puma/templates/etc-puma.conf
+- ansible/roles/puma/templates/puma-monit-rc
 - ansible/roles/puma/templates/puma.rb
 - ansible/roles/rails/defaults/main.yml
 - ansible/roles/rails/tasks/main.yml

data/ansible/roles/apache/templates/project.conf

@@ -1,25 +0,0 @@
-<VirtualHost *:80>
-    ServerName {{server_name}}
-    {% for alias in server_aliases %}
-    ServerAlias {{alias}}
-    {% endfor %}
-    RailsEnv {{rails_env}}
-    # !!! Be sure to point DocumentRoot to 'public'!
-    DocumentRoot /u/apps/{{project_name}}/current/public
-    <Directory /u/apps/{{project_name}}/current/public>
-        # This relaxes Apache security settings.
-        AllowOverride all
-        # MultiViews must be turned off.
-        Options -MultiViews
-        # Uncomment this if you're on Apache >= 2.4:
-        Require all granted
-    </Directory>
-    <Location /assets/>
-        # Use of ETag is discouraged when Last-Modified is present
-        Header unset ETag
-        FileETag None
-        # RFC says only cache for 1 year
-        ExpiresActive On
-        ExpiresDefault "access plus 1 year"
-    </Location>
-</VirtualHost>

data/ansible/roles/nginx/templates/nginx-project

@@ -1,27 +0,0 @@
-upstream app {
-    # Path to Puma SOCK file, as defined previously
-    server unix:/u/apps/{{project_name}}/shared/tmp/sockets/puma.sock fail_timeout=0;
-}
-
-server {
-    listen 80;
-    server_name localhost;
-
-    root /u/apps/{{project_name}}/current/public;
-
-    try_files $uri/index.html $uri @app;
-
-    location @app {
-        proxy_pass http://app;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        # pass the upgrade headers so websockets work
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_redirect off;
-    }
-
-    error_page 500 502 503 504 /500.html;
-    client_max_body_size 4G;
-    keepalive_timeout 10;
-}

data/ansible/roles/puma/templates/etc-init-puma-manager.conf

@@ -1,31 +0,0 @@
-# /etc/init/puma-manager.conf - manage a set of Pumas
-
-# This example config should work with Ubuntu 12.04+.  It
-# allows you to manage multiple Puma instances with
-# Upstart, Ubuntu's native service management tool.
-#
-# See puma.conf for how to manage a single Puma instance.
-#
-# Use "stop puma-manager" to stop all Puma instances.
-# Use "start puma-manager" to start all instances.
-# Use "restart puma-manager" to restart all instances.
-# Crazy, right?
-#
-
-description "Manages the set of puma processes"
-
-# This starts upon bootup and stops on shutdown
-start on runlevel [2345]
-stop on runlevel [06]
-
-# Set this to the number of Puma processes you want
-# to run on this machine
-env PUMA_CONF="/etc/puma.conf"
-
-pre-start script
-  for i in `cat $PUMA_CONF`; do
-    app=`echo $i | cut -d , -f 1`
-    logger -t "puma-manager" "Starting $app"
-    start puma app=$app
-  done
-end script

data/ansible/roles/puma/templates/etc-init-puma.conf

@@ -1,69 +0,0 @@
-# /etc/init/puma.conf - Puma config
-
-# This example config should work with Ubuntu 12.04+.  It
-# allows you to manage multiple Puma instances with
-# Upstart, Ubuntu's native service management tool.
-#
-# See workers.conf for how to manage all Puma instances at once.
-#
-# Save this config as /etc/init/puma.conf then manage puma with:
-#   sudo start puma app=PATH_TO_APP
-#   sudo stop puma app=PATH_TO_APP
-#   sudo status puma app=PATH_TO_APP
-#
-# or use the service command:
-#   sudo service puma {start,stop,restart,status}
-#
-
-description "Puma Background Worker"
-
-# no "start on", we don't want to automatically start
-stop on (stopping puma-manager or runlevel [06])
-
-# change apps to match your deployment user if you want to use this as a less privileged user (recommended!)
-setuid {{deploy_user}}
-setgid {{deploy_user}}
-
-respawn
-respawn limit 3 30
-
-instance ${app}
-
-script
-# this script runs in /bin/sh by default
-# respawn as bash so we can source in rbenv/rvm
-# quoted heredoc to tell /bin/sh not to interpret
-# variables
-
-# source ENV variables manually as Upstart doesn't, eg:
-#. /etc/environment
-
-exec /bin/bash <<'EOT'
-  # set HOME to the setuid user's home, there doesn't seem to be a better, portable way
-  export HOME="$(eval echo ~$(id -un))"
-
-  if [ -d "/usr/local/rbenv/bin" ]; then
-    export PATH="/usr/local/rbenv/bin:/usr/local/rbenv/shims:$PATH"
-  elif [ -d "$HOME/.rbenv/bin" ]; then
-    export PATH="$HOME/.rbenv/bin:$HOME/.rbenv/shims:$PATH"
-  elif [ -f  /etc/profile.d/rvm.sh ]; then
-    source /etc/profile.d/rvm.sh
-  elif [ -f /usr/local/rvm/scripts/rvm ]; then
-    source /etc/profile.d/rvm.sh
-  elif [ -f "$HOME/.rvm/scripts/rvm" ]; then
-    source "$HOME/.rvm/scripts/rvm"
-  elif [ -f /usr/local/share/chruby/chruby.sh ]; then
-    source /usr/local/share/chruby/chruby.sh
-    if [ -f /usr/local/share/chruby/auto.sh ]; then
-      source /usr/local/share/chruby/auto.sh
-    fi
-    # if you aren't using auto, set your version here
-    # chruby 2.0.0
-  fi
-
-  cd $app
-  logger -t puma "Starting server: $app"
-
-  exec bundle exec puma -C config/puma.rb
-EOT
-end script