taperole 1.6.0 → 1.7.0

data/lib/taperole/notifiers/slack.rb

@@ -0,0 +1,83 @@
+require 'slack-notifier'
+
+module Taperole
+  module Notifiers
+    class Slack
+      def initialize(webhook_url, deploy_info)
+        @notifier = ::Slack::Notifier.new webhook_url
+        @notifier.username = 'Tape'
+        @deploy_info = deploy_info
+      end
+
+      def update(status)
+        @status = status
+        @notifier.ping(
+          "",
+          # TODO: Fill in real icon url
+          icon_url: 'https://image.freepik.com/free-icon/adhesive-tape_318-42276.png',
+          attachments: attachments
+        )
+      end
+
+      private
+
+      def attachments
+        a = {}
+        a[:text] = message
+        a[:color] = color
+        a[:fields] = fields unless @status == :start
+        [a]
+      end
+
+      def fields
+        [
+          {
+            title: "Project",
+            value: project_link,
+            short: true
+          },
+          {
+            title: "Hosts/Env",
+            value: @deploy_info[:hosts],
+            short: true
+          },
+          {
+            title: "Author",
+            value: @deploy_info[:user],
+            short: true
+          }
+        ]
+      end
+
+      def color
+        case @status
+        when :start   then "#a9a9a9"
+        when :success then "good"
+        when :fail    then "danger"
+        end
+      end
+
+      def gh_link_base
+        @deploy_info[:repo].sub(/^git@github.com:/, 'http://github.com/').sub(/.git$/, '')
+      end
+
+      def project_link
+        "<#{gh_link_base}|#{@deploy_info[:app_name]}>"
+      end
+
+      def message
+        case @status
+        when :start
+          user  = @deploy_info[:user]
+          app   = @deploy_info[:app_name]
+          hosts = @deploy_info[:hosts]
+          "#{user} started deploying #{app} to #{hosts}"
+        when :success
+          "The deploy was successful!"
+        when :fail
+          "The deploy failed!"
+        end
+      end
+    end
+  end
+end

data/lib/taperole/version.rb

@@ -0,0 +1,3 @@
+module Taperole
+  VERSION = '1.7.0'.freeze
+end

data/lib/taperole.rb

@@ -0,0 +1,24 @@
+require 'thor'
+require 'colorize'
+
+module Taperole
+  autoload :VERSION, 'taperole/version'
+  autoload :AnsibleRunner, 'taperole/core/ansible_runner'
+  autoload :Installer, 'taperole/core/installer'
+  autoload :Notifier, 'taperole/core/notifier'
+
+  module Commands
+    autoload :Tape, 'taperole/commands/tape'
+    autoload :Installer, 'taperole/commands/installer'
+    autoload :Ansible, 'taperole/commands/ansible'
+  end
+
+  module Helpers
+    autoload :Files, 'taperole/helpers/files'
+    autoload :Logging, 'taperole/helpers/logging'
+  end
+
+  module Notifiers
+    autoload :Slack, 'taperole/notifiers/slack'
+  end
+end

data/requirements.yml

@@ -8,7 +8,7 @@
 
 - src: https://github.com/ANXS/postgresql
   name: ANXS.postgresql
-  version: v1.3.0
+  version: v1.6.2
 
 - src: geerlingguy.memcached
   version: 1.0.4

data/roles/backend_checkout/tasks/main.yml

@@ -18,6 +18,7 @@
   tags: [be_deploy]
 
 - name: Check out application
+  sudo: false
   remote_user: "{{ deployer_user.name }}"
   git: dest={{ be_app_path }}
        repo={{ be_app_repo }}

data/roles/delayed_job/tasks/main.yml

@@ -1,18 +1,3 @@
-# - name: Install DJ monit bin command
-#   template: src=dj_monit_runner.j2
-#             dest=/usr/bin/dj_monit_runner
-#             mode=u=rwx,g=rwx,o=r
-#
-# - name: Install DJ monit config
-#   template: src=dj_monit_config.j2
-#             dest=/etc/monit/conf.d/delayed_job
-#             mode=u=rw,g=r,o=r
-#   register: dj_monit_config
-#
-# - name: Reload Monit
-#   command: bash -lc "monit reload"
-#   when: dj_monit_config.changed
-
 - name: Stop Delayed Job
   remote_user: "{{ deployer_user.name }}"
   command: bash -lc "cd {{be_app_path}} && RAILS_ENV={{be_app_env}} bin/delayed_job stop -n {{dj_runners}}"

data/roles/deployer_user/tasks/keys.yml

@@ -2,9 +2,9 @@
   file: path=/home/{{ deployer_user.name }}/.ssh
     state=directory
     owner={{ deployer_user.name }}
+    group=users
     mode=744
 
-
 - name: Copy of root ssh keys
   command: "cp /root/.ssh/authorized_keys /home/{{ deployer_user.name }}/.ssh/authorized_keys"
 
@@ -12,12 +12,12 @@
   file: path="/home/{{ deployer_user.name }}/.ssh/authorized_keys"
     state=file
     owner={{ deployer_user.name }}
+    group=users
     mode=600
 
-
 - name: Ensure devs keys are present
-  authorized_key: key={{ lookup('file', item) }}
-                  user={{ deployer_user.name }}
-                  state=present
+  authorized_key: key="{{ lookup('file', item) }}"
+    user={{ deployer_user.name }}
+    state=present
   with_fileglob:
-    - "./dev_keys/*"
+    - "{{ playbook_dir }}/../dev_keys/*"

data/roles/deployer_user/tasks/main.yml

@@ -9,9 +9,6 @@
   user: name={{ deployer_user.name }} groups={{ item }} state=present append=yes shell=/bin/bash
   with_items: deployer_user.groups
 
-# It's possible for the deployer's homedir to get created on accident by
-# a deploy script or something getting run before this.  This just ensures
-# the env is sane moving forward
 - name: Ensure deployer user owns its own homedir
   file: path=/home/deployer state=directory owner=deployer
 

data/roles/monit_install/tasks/main.yml

@@ -1,6 +1,12 @@
 - name: Install monit
   apt: name=monit state=present
 
+- name: Register monit config files
+  template: src=monitrc.j2
+            dest=/etc/monitrc
+            mode=700
+  register: web_interface_monit_config
+
 - name: Register monit config files
   template: src={{ item }}.j2
             dest=/etc/monit/conf.d/{{ item }}

data/roles/monit_install/templates/monitrc.j2

@@ -0,0 +1,290 @@
+###############################################################################
+## Monit control file
+###############################################################################
+##
+## Comments begin with a '#' and extend through the end of the line. Keywords
+## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
+##
+## Below you will find examples of some frequently used statements. For
+## information about the control file and a complete list of statements and
+## options, please have a look in the Monit manual.
+##
+##
+###############################################################################
+## Global section
+###############################################################################
+##
+## Start Monit in the background (run as a daemon):
+#
+  set daemon 120            # check services at 2-minute intervals
+#   with start delay 240    # optional: delay the first check by 4-minutes (by
+#                           # default Monit check immediately after Monit start)
+#
+#
+## Set syslog logging. If you want to log to a standalone log file instead,
+## specify the full path to the log file
+#
+    set logfile /var/log/monit.log
+#
+#
+## Set the location of the Monit lock file which stores the process id of the
+## running Monit instance. By default this file is stored in $HOME/.monit.pid
+#
+# set pidfile /var/run/monit.pid
+#
+## Set the location of the Monit id file which stores the unique id for the
+## Monit instance. The id is generated and stored on first Monit start. By
+## default the file is placed in $HOME/.monit.id.
+#
+# set idfile /var/.monit.id
+      set idfile /var/lib/monit/id
+#
+## Set the location of the Monit state file which saves monitoring states
+## on each cycle. By default the file is placed in $HOME/.monit.state. If
+## the state file is stored on a persistent filesystem, Monit will recover
+## the monitoring state across reboots. If it is on temporary filesystem, the
+## state will be lost on reboot which may be convenient in some situations.
+#
+        set statefile /var/lib/monit/state
+#
+#
+
+## Set limits for various tests. The following example shows the default values:
+##
+# set limits {
+#     programOutput:     512 B,    # check program's output truncate limit
+#     sendExpectBuffer:  256 B,    # limit for send/expect protocol test
+#     fileContentBuffer: 512 B,    # limit for file content test
+#     httpContentBuffer: 1 MB,     # limit for HTTP content test
+#     networkTimeout:    5 seconds # timeout for network I/O
+# }
+
+## Set global SSL options (just most common options showed, see manual for
+## full list).
+#
+# set ssl {
+#     verify     : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
+#     selfsigned : allow   # allow self signed SSL certificates (reject by default)
+# }
+#
+#
+## Set the list of mail servers for alert delivery. Multiple servers may be
+## specified using a comma separator. If the first mail server fails, Monit
+# will use the second mail server in the list and so on. By default Monit uses
+# port 25 - it is possible to override this with the PORT option.
+#
+# set mailserver mail.bar.baz,               # primary mailserver
+#                backup.bar.baz port 10025,  # backup mailserver on port 10025
+#                localhost                   # fallback relay
+#
+#
+## By default Monit will drop alert events if no mail servers are available.
+## If you want to keep the alerts for later delivery retry, you can use the
+## EVENTQUEUE statement. The base directory where undelivered alerts will be
+## stored is specified by the BASEDIR option. You can limit the queue size
+## by using the SLOTS option (if omitted, the queue is limited by space
+## available in the back end filesystem).
+#
+  set eventqueue
+        basedir /var/lib/monit/events # set the base directory where events will be stored
+              slots 100                     # optionally limit the queue size
+#
+#
+## Send status and events to M/Monit (for more informations about M/Monit
+## see http://mmonit.com/). By default Monit registers credentials with
+## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
+## have to register Monit credentials manually in M/Monit. It is possible to
+## disable credential registration using the commented out option below.
+## Though, if safety is a concern we recommend instead using https when
+## communicating with M/Monit and send credentials encrypted.
+#
+# set mmonit http://monit:monit@192.168.1.10:8080/collector
+#     # and register without credentials     # Don't register credentials
+#
+#
+## Monit by default uses the following format for alerts if the the mail-format
+## statement is missing::
+## --8<--
+## set mail-format {
+##   from:    monit@$HOST
+##   subject: monit alert --  $EVENT $SERVICE
+##   message: $EVENT Service $SERVICE
+##                 Date:        $DATE
+##                 Action:      $ACTION
+##                 Host:        $HOST
+##                 Description: $DESCRIPTION
+##
+##            Your faithful employee,
+##            Monit
+## }
+## --8<--
+##
+## You can override this message format or parts of it, such as subject
+## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
+## are expanded at runtime. For example, to override the sender, use:
+#
+# set mail-format { from: monit@foo.bar }
+#
+#
+## You can set alert recipients whom will receive alerts if/when a
+## service defined in this file has errors. Alerts may be restricted on
+## events by using a filter as in the second example below.
+#
+# set alert sysadm@foo.bar                       # receive all alerts
+#
+## Do not alert when Monit starts, stops or performs a user initiated action.
+## This filter is recommended to avoid getting alerts for trivial cases.
+#
+# set alert your-name@your.domain not on { instance, action }
+#
+#
+## Monit has an embedded HTTP interface which can be used to view status of
+## services monitored and manage services from a web interface. The HTTP
+## interface is also required if you want to issue Monit commands from the
+## command line, such as 'monit status' or 'monit restart service' The reason
+## for this is that the Monit client uses the HTTP interface to send these
+## commands to a running Monit daemon. See the Monit Wiki if you want to
+## enable SSL for the HTTP interface.
+#
+# set httpd port 2812 and
+#     use address localhost  # only accept connection from localhost
+#     allow localhost        # allow localhost to connect to the server and
+#     allow admin:monit      # require user 'admin' with password 'monit'
+#
+###############################################################################
+## Services
+###############################################################################
+##
+## Check general system resources such as load average, cpu and memory
+## usage. Each test specifies a resource, conditions and the action to be
+## performed should a test fail.
+#
+#  check system $HOST
+#    if loadavg (1min) > 4 then alert
+#    if loadavg (5min) > 2 then alert
+#    if cpu usage > 95% for 10 cycles then alert
+#    if memory usage > 75% then alert
+#    if swap usage > 25% then alert
+#
+#
+## Check if a file exists, checksum, permissions, uid and gid. In addition
+## to alert recipients in the global section, customized alert can be sent to
+## additional recipients by specifying a local alert handler. The service may
+## be grouped using the GROUP option. More than one group can be specified by
+## repeating the 'group name' statement.
+#
+#  check file apache_bin with path /usr/local/apache/bin/httpd
+#    if failed checksum and
+#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
+#    if failed permission 755 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid root then unmonitor
+#    alert security@foo.bar on {
+#           checksum, permission, uid, gid, unmonitor
+#        } with the mail-format { subject: Alarm! }
+#    group server
+#
+#
+## Check that a process is running, in this case Apache, and that it respond
+## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
+## and number of children. If the process is not running, Monit will restart
+## it by default. In case the service is restarted very often and the
+## problem remains, it is possible to disable monitoring using the TIMEOUT
+## statement. This service depends on another service (apache_bin) which
+## is defined above.
+#
+#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
+#    start program = "/etc/init.d/httpd start" with timeout 60 seconds
+#    stop program  = "/etc/init.d/httpd stop"
+#    if cpu > 60% for 2 cycles then alert
+#    if cpu > 80% for 5 cycles then restart
+#    if totalmem > 200.0 MB for 5 cycles then restart
+#    if children > 250 then restart
+#    if loadavg(5min) greater than 10 for 8 cycles then stop
+#    if failed host www.tildeslash.com port 80 protocol http
+#       and request "/somefile.html"
+#    then restart
+#    if failed port 443 protocol https with timeout 15 seconds then restart
+#    if 3 restarts within 5 cycles then unmonitor
+#    depends on apache_bin
+#    group server
+#
+#
+## Check filesystem permissions, uid, gid, space and inode usage. Other services,
+## such as databases, may depend on this resource and an automatically graceful
+## stop may be cascaded to them before the filesystem will become full and data
+## lost.
+#
+#  check filesystem datafs with path /dev/sdb1
+#    start program  = "/bin/mount /data"
+#    stop program  = "/bin/umount /data"
+#    if failed permission 660 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid disk then unmonitor
+#    if space usage > 80% for 5 times within 15 cycles then alert
+#    if space usage > 99% then stop
+#    if inode usage > 30000 then alert
+#    if inode usage > 99% then stop
+#    group server
+#
+#
+## Check a file's timestamp. In this example, we test if a file is older
+## than 15 minutes and assume something is wrong if its not updated. Also,
+## if the file size exceed a given limit, execute a script
+#
+#  check file database with path /data/mydatabase.db
+#    if failed permission 700 then alert
+#    if failed uid data then alert
+#    if failed gid data then alert
+#    if timestamp > 15 minutes then alert
+#    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
+#
+#
+## Check directory permission, uid and gid.  An event is triggered if the
+## directory does not belong to the user with uid 0 and gid 0.  In addition,
+## the permissions have to match the octal description of 755 (see chmod(1)).
+#
+#  check directory bin with path /bin
+#    if failed permission 755 then unmonitor
+#    if failed uid 0 then unmonitor
+#    if failed gid 0 then unmonitor
+#
+#
+## Check a remote host availability by issuing a ping test and check the
+## content of a response from a web server. Up to three pings are sent and
+## connection to a port and an application level network check is performed.
+#
+#  check host myserver with address 192.168.1.1
+#    if failed ping then alert
+#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
+#    if failed port 80 protocol http
+#       and request /some/path with content = "a string"
+#    then alert
+#
+#
+## Check a network link status (up/down), link capacity changes, saturation
+## and bandwidth usage.
+#
+#  check network public with interface eth0
+#    if failed link then alert
+#    if changed link then alert
+#    if saturation > 90% then alert
+#    if download > 10 MB/s then alert
+#    if total upload > 1 GB in last hour then alert
+#
+#
+## Check custom program status output.
+#
+#  check program myscript with path /usr/local/bin/myscript.sh
+#    if status != 0 then alert
+#
+#
+###############################################################################
+## Includes
+###############################################################################
+##
+## It is possible to include additional configuration parts from other files or
+## directories.
+#
+  include /etc/monit/conf.d/*
+  include /etc/monit/conf-enabled/*

data/roles/nginx/tasks/main.yml

@@ -18,10 +18,11 @@
   command: bash -lc "openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout self-signed.key -out self-signed.crt -subj '/CN=localhost'"
   args:
     chdir: /etc/nginx/ssl
+    creates: /etc/nginx/ssl/self-signed.*
   tags: [nginx]
 
 - name: Create Diffie Hellman Ephemeral Parameters (this will take some time)
-  command: bash -lc "openssl dhparam -out dhparam.pem 2048"
+  command: bash -lc "openssl dhparam -out dhparam.pem 2048" creates=/etc/nginx/ssl/dhparam.pem
   args:
     chdir: /etc/nginx/ssl
   tags: [nginx]
@@ -31,9 +32,7 @@
   tags: [nginx]
 
 - name: Install monit nginx config
-  template: src=nginx_monit.j2
-            dest=/etc/monit/conf.d/nginx
-            mode=u=rw,g=r,o=r
+  file: src=/etc/monit/conf-available/nginx dest=/etc/monit/conf-enabled/nginx owner=root group=root state=link
   register: nginx_monit_config
 
 - name: Reload Monit

data/roles/nginx/templates/nginx_unicorn.j2

@@ -53,6 +53,7 @@ server {
     gzip_static on;
     expires max;
     add_header Cache-Control public;
+    root {{ be_app_path }}/public;
   }
 
 {% if be_app_repo is defined %}

data/roles/node/tasks/main.yml

@@ -11,7 +11,8 @@
 
 - name: Import the NodeSource GPG key into apt
   apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
+    url: https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
+    id: "68576280"
     state: present
 
 - name: Add NodeSource deb repository

data/roles/ruby/tasks/main.yml

@@ -9,8 +9,7 @@
   set_fact: 'rbenv_owner={{ rbenv_owner | default("root", true) }}'
 
 - name: checkout rbenv_repo for system
-  become: yes
-  become_user: '{{ rbenv_owner }}'
+  remote_user: '{{ rbenv_owner }}'
   git: >
     repo={{ rbenv_repo }}
     dest={{ rbenv_root }}
@@ -22,16 +21,14 @@
     - rbenv
 
 - name: create plugins directory for system
-  become: yes
-  become_user: '{{ rbenv_owner }}'
+  remote_user: '{{ rbenv_owner }}'
   file: state=directory path={{ rbenv_root }}/plugins
   when: rbenv.env == "system"
   tags:
     - rbenv
 
 - name: install plugins for system
-  become: yes
-  become_user: '{{ rbenv_owner }}'
+  remote_user: '{{ rbenv_owner }}'
   git: >
     repo=https://github.com/rbenv/ruby-build.git
     dest={{ rbenv_root }}/plugins/ruby-build
@@ -46,7 +43,6 @@
       \( -iname ".git" -prune \) -o
       ! -group '{{ item }}'
       -exec chgrp -v '{{ item }}' {} + | head -n 1
-  become: yes
   with_items: '{{ rbenv_group }}'
   when:
     - rbenv.env == "system"
@@ -63,7 +59,6 @@
       \( -iname ".git" -prune \) -o
       -type d ! -perm -g+s
       -exec chmod -v g+rwxs {} + | head -n 1
-  become: yes
   when:
     - rbenv.env == "system"
     - rbenv_group is defined
@@ -75,7 +70,6 @@
 
 - name: add rbenv initialization to profile system-wide
   template: src=rbenv.sh.j2 dest=/etc/profile.d/rbenv.sh owner=root group=root mode=0755
-  become: yes
   when:
     - ansible_os_family != 'OpenBSD'
   tags:
@@ -93,7 +87,6 @@
 
 - name: install ruby {{ rbenv.ruby_version }} for system
   shell: bash -lc "rbenv install {{ rbenv.ruby_version }}"
-  become: yes
   when:
     - rbenv.env == "system"
     - ruby_installed.rc != 0
@@ -111,7 +104,6 @@
     - rbenv
 
 - name: set ruby {{ rbenv.ruby_version }} for system
-  become: yes
   shell: bash -lc "rbenv global {{ rbenv.ruby_version }} && rbenv rehash"
   when:
     - rbenv.env == "system"

data/roles/unicorn_install/tasks/main.yml

@@ -3,9 +3,6 @@
             dest=/etc/init.d/unicorn_{{app_name}}
             mode=u=rw,g=rx,o=rx
 
-- name: register unicorn init.d script
-  command: initctl reload-configuration
-
 - name: Set up unicorn log dir
   file: path={{be_app_path}}/log state=directory owner=deployer
 

data/roles/unicorn_install/templates/unicorn.rb.j2

@@ -1,6 +1,6 @@
 worker_processes {{ unicorn_workers }}
 working_directory "{{ be_app_path }}"
-pid "{{ be_app_path }}/tmp/unicorn.pid"
+pid "{{ be_app_path }}/tmp/unicorn/unicorn.pid"
 stderr_path "{{ be_app_path }}/log/unicorn.log"
 stdout_path "{{ be_app_path }}/log/unicorn.log"
 

data/roles/unicorn_install/templates/unicorn_init.j2

@@ -7,7 +7,7 @@ RBENV_ROOT="{{ rbenv_root }}"
 PATH="$RBENV_ROOT/bin:$RBENV_ROOT/shims:$PATH"
 APP_ROOT="{{be_app_path}}"
 APP_USER="{{ deployer_user.name }}"
-PID="$APP_ROOT/tmp/unicorn.pid"
+PID="$APP_ROOT/tmp/unicorn/unicorn.pid"
 CMD="bundle exec unicorn -E {{be_app_env}} -D -c $APP_ROOT/config/unicorn.rb"
 
 action="$1"

data/roles/unicorn_install/templates/unicorn_monit.j2

@@ -1,4 +1,4 @@
-check process unicorn with pidfile {{ be_app_path }}/tmp/unicorn.pid
+check process unicorn with pidfile {{ be_app_path }}/tmp/unicorn/unicorn.pid
   start program "/etc/init.d/unicorn_{{ app_name }} start" as uid deployer and gid deployer with timeout 90 seconds
   restart program "/etc/init.d/unicorn_{{ app_name }} restart" as uid deployer and gid deployer with timeout 90 seconds
   stop program "/etc/init.d/unicorn_{{ app_name }} stop" as uid deployer and gid deployer with timeout 90 seconds