Prepare for deployment via HCU
jchristgit committed Jun 11, 2023
1 parent f19ccdb commit de9016c
Showing 3 changed files with 12 additions and 9 deletions.
5 changes: 4 additions & 1 deletion ansible/roles/bolt/defaults/main.yml
Expand Up @@ -22,9 +22,12 @@ bolt_cookie: "{{ lookup('password', 'secrets/' + ansible_nodename + '/bolt/erlan
# The OS user to create for running bolt.
bolt_service_user: bolt

# Base directory below which to place bolt service user files.
bolt_base_directory: /opt/bolt

# In which directory to clone the repository, build the release,
# and manage the deployment.
bolt_directory: /opt/bolt
bolt_directory: "{{ bolt_base_directory }}/project"

# Whether to enable bolt's RRD functionality.
bolt_enable_rrd: true
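Review bot: The comment on `bolt_base_directory` does not say that the role makes this path the service user's home and sets it to mode 0700, as the `user` and `file` tasks in `tasks/main.yml` of this commit do. Someone overriding the variable to an existing shared directory would have that directory's permissions tightened for every other user of it. I would extend the comment to something like `# Base directory for the bolt service user; becomes its home and is set to mode 0700, so it must be dedicated to bolt.`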
11 changes: 6 additions & 5 deletions ansible/roles/bolt/tasks/main.yml
Expand Up @@ -28,27 +28,28 @@
- role::bolt
- postgres

- name: ensure the bolt user is up-to-date
- name: create the bolt service user
user:
name: "{{ bolt_service_user }}"
home: "{{ bolt_directory }}"
home: "{{ bolt_base_directory }}"
system: true
state: present
tags:
- role::bolt

- name: make the bolt directory only readable for bolt
file:
path: "{{ bolt_directory }}"
path: "{{ bolt_base_directory }}"
mode: 0700
tags:
- role::bolt

- name: set up the deployment directory
become: true
become_user: "{{ bolt_service_user }}"
file:
path: "{{ bolt_directory }}"
owner: "{{ bolt_service_user }}"
group: root
mode: 0700
state: directory
tags:
- role::bolt
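Review bot: The task "make the bolt directory only readable for bolt" sets only `path` and `mode` on `{{ bolt_base_directory }}`, so ownership of the 0700 directory depends on the preceding `user` task having created the home itself. If the directory already exists with another owner, the mode is still applied but the service user may not be the account it is restricted to; adding `owner: "{{ bolt_service_user }}"` and `state: directory` makes the intent explicit and idempotent. Both `mode: 0700` values would also be safer quoted as `mode: "0700"`, so the result does not depend on YAML octal parsing. The rendered page does not show which lines of "set up the deployment directory" are new, so check that `group: root` is not kept alongside `become_user`, since an unprivileged user generally cannot change a directory's group to root.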
5 changes: 2 additions & 3 deletions ansible/roles/bolt/templates/bolt.service.j2
Expand Up @@ -16,7 +16,7 @@ WatchdogSec=10s
# NOTE: The last path is used as the RRD destination path, see `config/releases.exs`.
StateDirectory=bolt bolt/rrd

WorkingDirectory={{ bolt_directory }}/current
WorkingDirectory={{ bolt_directory }}
EnvironmentFile=/etc/opt/bolt/bolt.env

MemoryHigh=180M
Expand Down Expand Up @@ -47,8 +47,7 @@ ProtectKernelTunables=true
ProtectProc=true
ProtectSystem=strict
RestrictSUIDSGID=true
# Allow the release entry point to create temporary files in here.
ReadWritePaths={{ deploy_helper.new_release_path }}
ReadWritePaths={{ bolt_directory }}/_build/prod/rel/bolt/
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
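Review bot: `ReadWritePaths={{ bolt_directory }}/_build/prod/rel/bolt/` makes the whole release tree, including the code the unit executes, writable by the service under `ProtectSystem=strict`, and the comment explaining why the exception exists is no longer there. If the only writes are the release's temporary files (Mix releases default to a `tmp` directory under the release root; confirm for this project), narrow it to `ReadWritePaths={{ bolt_directory }}/_build/prod/rel/bolt/tmp` and keep `# Allow the release entry point to create temporary files in here.` above it. The unit will also fail to start while that path does not exist, for example before the first build; a `-` prefix on the path makes systemd ignore a missing directory.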
