taperole 1.4.3 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/Vagrantfile +1 -1
- data/bin/tape +5 -0
- data/lib/tape/ansible_runner.rb +8 -1
- data/roles/backend_checkout/tasks/main.yml +13 -0
- data/roles/deployer_user/tasks/keys.yml +2 -8
- data/roles/deployer_user/tasks/main.yml +1 -1
- data/roles/frontend_deploy/tasks/main.yml +13 -0
- data/roles/nginx/tasks/main.yml +16 -0
- data/roles/nginx/templates/nginx_unicorn.j2 +26 -1
- data/taperole.gemspec +1 -1
- data/templates/base/deploy.example.yml +0 -4
- data/templates/static_html/deploy.example.yml +0 -4
- data/vars/defaults.yml +5 -0
- metadata +2 -3
- data/roles/deployer_user/files/id_rsa_digital_ocean.pub +0 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1372e1110daa93edadf03db73b31b30ff6b462d9
|
|
4
|
+
data.tar.gz: 8f81436b6a573bb255cc5da1f9c5279a63b2f60a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4d1a4b5893e8ff6d5d7bb8bb3399239ba7acb8241ebcac35365a84f3b0af249ea55e329381270327cb279577f0b7939a7ef38c86bbad9faaa68b28d9a74bc6d1
|
|
7
|
+
data.tar.gz: 3dbc60ec192fed213447511417a05e57517b2c21fabfb0d00459353a44733260ec4788c77ece0b289fcf9ffd09a4c81fbcc310fdf4d44f28b0f897779f064c47
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
### 1.5.0
|
|
2
|
+
* Self-signed SSL is now on by default
|
|
3
|
+
* Port 80 redirects to 443
|
|
4
|
+
* You can now build custom playbooks with then `tape ansible playbook -b playbook.yml` command
|
|
5
|
+
* Dev Keys folder is working again!
|
|
6
|
+
|
|
1
7
|
### 1.4.3
|
|
2
8
|
* Update nodesource ansible galaxy role
|
|
3
9
|
* Install latest version of node 4.x
|
data/Vagrantfile
CHANGED
|
@@ -11,7 +11,7 @@ Vagrant.configure 2 do |config|
|
|
|
11
11
|
# config.vm.network(:private_network, :ip => private_ip)
|
|
12
12
|
|
|
13
13
|
# TODO free me from the bonds of this ip
|
|
14
|
-
config.vm.network 'forwarded_port', guest:
|
|
14
|
+
config.vm.network 'forwarded_port', guest: 443, host: 8080
|
|
15
15
|
config.vm.network 'private_network', type: 'dhcp'
|
|
16
16
|
|
|
17
17
|
config.ssh.insert_key = false
|
data/bin/tape
CHANGED
|
@@ -27,6 +27,11 @@ opt_parser = OptionParser.new do |opts|
|
|
|
27
27
|
options.port = p
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
+
opts.on('-bBOOK', "--book=PLAYBOOK",
|
|
31
|
+
String, "A custom playbook to run") do |p|
|
|
32
|
+
options.book = p
|
|
33
|
+
end
|
|
34
|
+
|
|
30
35
|
opts.on("-h", "--help", "Show this help") do
|
|
31
36
|
STDERR.puts opts
|
|
32
37
|
exit 0
|
data/lib/tape/ansible_runner.rb
CHANGED
|
@@ -23,7 +23,7 @@ class AnsibleRunner < ExecutionModule
|
|
|
23
23
|
"Restarts Nginx"
|
|
24
24
|
action :configure_deployer_user,
|
|
25
25
|
proc { ansible '-t deployer' },
|
|
26
|
-
"Ensures the deployer user is present and configures
|
|
26
|
+
"Ensures the deployer user is present and configures its SSH keys"
|
|
27
27
|
action :reset_db,
|
|
28
28
|
proc { ansible '-t db_reset -e force_db_reset=true' },
|
|
29
29
|
"wipes and re-seeds the DB"
|
|
@@ -43,6 +43,9 @@ class AnsibleRunner < ExecutionModule
|
|
|
43
43
|
action :everything,
|
|
44
44
|
proc { valid_preconfigs ? ansible : puts("Not a Rails or JS app") },
|
|
45
45
|
"This does it all."
|
|
46
|
+
action :playbook,
|
|
47
|
+
proc { ansible_custom_playbook },
|
|
48
|
+
"Run a custom playbook"
|
|
46
49
|
|
|
47
50
|
def initialize(*args)
|
|
48
51
|
super
|
|
@@ -83,6 +86,10 @@ class AnsibleRunner < ExecutionModule
|
|
|
83
86
|
exec_ansible("#{tapefiles_dir}/deploy.yml", cmd_str)
|
|
84
87
|
end
|
|
85
88
|
|
|
89
|
+
def ansible_custom_playbook(cmd_str = '')
|
|
90
|
+
exec_ansible("#{tapefiles_dir}/#{opts.book}", cmd_str)
|
|
91
|
+
end
|
|
92
|
+
|
|
86
93
|
def exec_ansible(playbook, args)
|
|
87
94
|
enforce_roles_path!
|
|
88
95
|
cmd = "ANSIBLE_CONFIG=#{local_dir}/.tape/ansible.cfg ansible-playbook -i #{inventory_file} #{playbook} #{args} #{hosts_flag} -e tape_dir=#{tape_dir}"
|
|
@@ -1,3 +1,16 @@
|
|
|
1
|
+
- name: Check if there are commited changes on {{ be_app_branch }}
|
|
2
|
+
remote_user: "{{ deployer_user.name }}"
|
|
3
|
+
command: bash -lc "git fetch origin && git diff --name-only origin/{{ be_app_branch }}"
|
|
4
|
+
args:
|
|
5
|
+
chdir: "{{be_app_path}}"
|
|
6
|
+
register: changes_on_remote
|
|
7
|
+
tags: [be_deploy]
|
|
8
|
+
|
|
9
|
+
- name: Inform User if there are no changes
|
|
10
|
+
debug: msg={{no_changes_found_error.split('\n')}}
|
|
11
|
+
when: changes_on_remote.stdout_lines == []
|
|
12
|
+
tags: [be_deploy]
|
|
13
|
+
|
|
1
14
|
- name: Check out application
|
|
2
15
|
remote_user: "{{ deployer_user.name }}"
|
|
3
16
|
git: dest={{ be_app_path }}
|
|
@@ -9,15 +9,9 @@
|
|
|
9
9
|
command: "cp /root/.ssh/authorized_keys /home/{{ deployer_user.name }}/.ssh/authorized_keys"
|
|
10
10
|
|
|
11
11
|
- name: Ensure devs keys are present
|
|
12
|
-
authorized_key: key=
|
|
12
|
+
authorized_key: key={{ lookup('file', item) }}
|
|
13
13
|
manage_dir=yes
|
|
14
14
|
state=present
|
|
15
15
|
user=deployer
|
|
16
16
|
with_fileglob:
|
|
17
|
-
- "
|
|
18
|
-
|
|
19
|
-
- name: Ensure DO pubkey is present
|
|
20
|
-
authorized_key: key="{{ lookup('file', 'id_rsa_digital_ocean.pub') }}"
|
|
21
|
-
manage_dir=yes
|
|
22
|
-
state=present
|
|
23
|
-
user=deployer
|
|
17
|
+
- "./dev_keys/*"
|
|
@@ -12,7 +12,7 @@
|
|
|
12
12
|
# It's possible for the deployer's homedir to get created on accident by
|
|
13
13
|
# a deploy script or something getting run before this. This just ensures
|
|
14
14
|
# the env is sane moving forward
|
|
15
|
-
- name: Ensure deployer user owns
|
|
15
|
+
- name: Ensure deployer user owns its own homedir
|
|
16
16
|
file: path=/home/deployer state=directory owner=deployer
|
|
17
17
|
|
|
18
18
|
- include: keys.yml
|
|
@@ -1,3 +1,16 @@
|
|
|
1
|
+
- name: Check if there are commited changes on {{ fe_app_branch }}
|
|
2
|
+
remote_user: "{{ deployer_user.name }}"
|
|
3
|
+
command: bash -lc "git fetch origin && git diff --name-only origin/{{ fe_app_branch }}"
|
|
4
|
+
args:
|
|
5
|
+
chdir: "{{fe_app_path}}"
|
|
6
|
+
register: changes_on_remote
|
|
7
|
+
tags: [fe_deploy]
|
|
8
|
+
|
|
9
|
+
- name: Inform User if there are no changes
|
|
10
|
+
debug: msg={{no_changes_found_error.split('\n')}}
|
|
11
|
+
when: changes_on_remote.stdout_lines == []
|
|
12
|
+
tags: [fe_deploy]
|
|
13
|
+
|
|
1
14
|
- name: clone the FE app
|
|
2
15
|
when: fe_app_repo is defined
|
|
3
16
|
remote_user: "{{ deployer_user.name }}"
|
data/roles/nginx/tasks/main.yml
CHANGED
|
@@ -10,6 +10,22 @@
|
|
|
10
10
|
file: path=/etc/nginx/sites-enabled/default state=absent
|
|
11
11
|
tags: [nginx]
|
|
12
12
|
|
|
13
|
+
- name: Create /etc/nginx/ssl
|
|
14
|
+
file: path=/etc/nginx/ssl state=directory
|
|
15
|
+
tags: [nginx]
|
|
16
|
+
|
|
17
|
+
- name: Create self signed SSL cert/key
|
|
18
|
+
command: bash -lc "openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout self-signed.key -out self-signed.crt -subj '/CN=localhost'"
|
|
19
|
+
args:
|
|
20
|
+
chdir: /etc/nginx/ssl
|
|
21
|
+
tags: [nginx]
|
|
22
|
+
|
|
23
|
+
- name: Create Diffie Hellman Ephemeral Parameters (this will take some time)
|
|
24
|
+
command: bash -lc "openssl dhparam -out dhparam.pem 2048"
|
|
25
|
+
args:
|
|
26
|
+
chdir: /etc/nginx/ssl
|
|
27
|
+
tags: [nginx]
|
|
28
|
+
|
|
13
29
|
- name: Configure App nginx
|
|
14
30
|
template: src=nginx_unicorn.j2 dest=/etc/nginx/sites-enabled/{{ app_name }}
|
|
15
31
|
tags: [nginx]
|
|
@@ -3,12 +3,37 @@ upstream unicorn {
|
|
|
3
3
|
server unix:{{unicorn_sockfile}} fail_timeout=0;
|
|
4
4
|
}
|
|
5
5
|
{% endif %}
|
|
6
|
+
server {
|
|
7
|
+
listen 80;
|
|
8
|
+
return 301 https://$host$request_uri;
|
|
9
|
+
}
|
|
10
|
+
|
|
6
11
|
|
|
7
12
|
server {
|
|
8
|
-
listen
|
|
13
|
+
listen 443 default deferred;
|
|
9
14
|
|
|
10
15
|
# server_name example.com;
|
|
11
16
|
|
|
17
|
+
ssl on;
|
|
18
|
+
ssl_certificate /etc/nginx/ssl/self-signed.crt;
|
|
19
|
+
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
|
|
20
|
+
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
21
|
+
|
|
22
|
+
ssl_prefer_server_ciphers on;
|
|
23
|
+
ssl_session_cache shared:SSL:10m;
|
|
24
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
25
|
+
|
|
26
|
+
ssl_stapling on;
|
|
27
|
+
ssl_stapling_verify on;
|
|
28
|
+
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
29
|
+
resolver_timeout 5s;
|
|
30
|
+
|
|
31
|
+
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
32
|
+
|
|
33
|
+
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
|
34
|
+
add_header X-Frame-Options "DENY";
|
|
35
|
+
add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
|
|
36
|
+
|
|
12
37
|
{% if fe_app_repo is defined%}
|
|
13
38
|
root {{ fe_app_path }}/dist;
|
|
14
39
|
{% else %}
|
data/taperole.gemspec
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |spec|
|
|
2
2
|
spec.name = "taperole"
|
|
3
|
-
spec.version = '1.
|
|
3
|
+
spec.version = '1.5.0'
|
|
4
4
|
spec.authors = ['Jack Forrest', 'Smashing Boxes', 'Brandon Mathis']
|
|
5
5
|
spec.description = "General purpose server provisioning and application deployment toolkit"
|
|
6
6
|
spec.email = ['jack@smashingboxes.com', 'brandon@sbox.es']
|
data/vars/defaults.yml
CHANGED
|
@@ -36,3 +36,8 @@ fe_build_command: gulp build
|
|
|
36
36
|
allowed_ports:
|
|
37
37
|
- 80
|
|
38
38
|
- 443
|
|
39
|
+
|
|
40
|
+
no_changes_found_error: |
|
|
41
|
+
‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️
|
|
42
|
+
No Changes detected on remote branch proceeding with deploy anyway
|
|
43
|
+
‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️ ‼️
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: taperole
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jack Forrest
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2016-
|
|
13
|
+
date: 2016-03-08 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: slack-notifier
|
|
@@ -69,7 +69,6 @@ files:
|
|
|
69
69
|
- roles/delayed_job/tasks/main.yml
|
|
70
70
|
- roles/delayed_job/templates/dj_monit_config.j2
|
|
71
71
|
- roles/delayed_job/templates/dj_monit_runner.j2
|
|
72
|
-
- roles/deployer_user/files/id_rsa_digital_ocean.pub
|
|
73
72
|
- roles/deployer_user/tasks/keys.yml
|
|
74
73
|
- roles/deployer_user/tasks/main.yml
|
|
75
74
|
- roles/frontend_deploy/handlers/main.yml
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlxLbugDNrEg0fjchsaBG6XYLTOh5u3miY8gYMR0xQXFGsxipsyzYd2HSdSp1SPJyGs6aIXVfbeMsQVvDbWQcJTZYYviO2Rj6olf13gjA094CAlDCyTVgRYddiTrirFZiMCzLJrXfyGKiQcQ50BhpYYcO8QwPkwDo6Fs6AhuVMxlYc7MqHTxUwiuVsiC3xbgVnGszB8fI3v0531KOl7tJAxI1M53uexH3rQrEdpRwNqQAXoH9a8HQTaxvtSip1HrNvUumStt1Pu8tP6b3KwuHPwTnJtc2fXYatLjfbAf9KSCCPFhLfwVdAGTI/De6GU4D9lh39sFt2E63qV7mnSn+f
|