Restructure deployment/development infrastructure

The new unified development and deployment infrastructure continues to
rely on on Ansible, but is heavily refactored to accustom three use
cases:

- local development with Vagrant
- AWS staging
- AWS production

.gitignore

@@ -5,3 +5,5 @@
 .project
 .settings
 
+# secrets of all kinds
+/aws-secrets.include

ansible/.gitignore

@@ -0,0 +1,3 @@
+# secrets of all kinds
+/*.secrets.yml
+

ansible/README.md

@@ -0,0 +1,4 @@
+# Ansible automation for LibreCores
+
+ec2.py: EC2 external inventory script
+https://raw.github.com/ansible/ansible/devel/contrib/inventory/ec2.py

ansible/aws-setup.yml

@@ -0,0 +1,72 @@
+---
+# Initial setup of AWS environment to host all LibreCores instances
+- name: Create AWS initial setup
+  hosts: localhost
+  connection: local
+  gather_facts: False
+
+  tasks:
+    - name: "Create EC2 security group"
+      ec2_group:
+        name: librecores-web
+        description: "Librecores web security group"
+        region: "{{ aws_region }}"
+        rules:
+          # allow incoming traffic for HTTP(S) and SSH
+          - proto: tcp
+            from_port: 80
+            to_port: 80
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            from_port: 22
+            to_port: 22
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            from_port: 443
+            to_port: 443
+            cidr_ip: 0.0.0.0/0
+        rules_egress:
+          # allow all outgoing traffic
+          - proto: -1
+            from_port: 0
+            to_port: 0
+            cidr_ip: 0.0.0.0/0
+
+    - name: "Staging: Provision EC2 instance"
+      ec2:
+         instance_type: t2.micro
+         region: "{{ aws_region }}"
+         image: "{{ ami_id }}"
+         # XXX: replace this with a shared key for the ubuntu user
+         key_name: "philipp"
+         group: librecores-web
+         wait: true
+         exact_count: 1
+         count_tag:
+            group: librecores-staging
+         instance_tags:
+            group: librecores-staging
+      register: instance_staging_ec2_web
+
+    - name: "Staging: Assign Elastic IP (public)"
+      ec2_eip:
+        region: "{{ aws_region }}"
+        public_ip: "{{ ip_staging }}"
+        reuse_existing_ip_allowed: yes
+        state: present
+        instance_id: "{{ instance_staging_ec2_web.tagged_instances[0].id }}"
+
+
+#    name: Add all instance public IPs to host group
+#      add_host: hostname={{ item.public_ip }} groups=librecores-staging
+#      with_items: ec2.instances
+  vars:
+    # get current AMI ID from http://cloud-images.ubuntu.com/locator/ec2/
+    # search for trusty amd64 hvm:ebs eu-west-1
+    - ami_id: "ami-a11dbfd2"
+    - aws_region: "eu-west-1"
+
+    # Public IPs (EC2 Elastic IPs)
+    # Make sure to update the DNS entries with those IPs as well!
+    # stage.librecores.org
+    - ip_staging: "52.19.183.36"

ansible/dev-vagrant.secrets.yml.dist

@@ -0,0 +1,9 @@
+---
+# GitHub OAuth secrets
+# get it from https://github.com/settings/applications/
+site_github_app_id: "INSERT_OAUTH_ID_HERE"
+site_github_app_secret: "INSERT_OAUTH_SECRET_HERE"
+
+# Google OAuth secrets
+site_google_app_id: "INSERT_OAUTH_ID_HERE"
+site_google_app_secret: "INSERT_OAUTH_SECRET_HERE"

ansible/dev-vagrant.yml

@@ -0,0 +1,18 @@
+---
+# Development environment on a single machine with dummy credentials
+- hosts: all
+  sudo: yes
+  roles:
+    - dev-vagrant
+  vars:
+    - librecores_domain: "librecores.devel"
+    - mysql_host: "localhost"
+    - web_user: "{{ ansible_ssh_user }}"
+
+    # all secrets have dummy values for the local development setup
+    - rabbitmq_admin_password: "password"
+    - site_mysql_password: "password"
+    - site_symfony_secret_token: "ThisTokenIsNotSoSecretChangeIt"
+    - site_rabbitmq_password: "password"
+    - blog_mysql_password: "password"
+    - mysql_root_password: "password"

ansible/ec2.ini

@@ -0,0 +1,152 @@
+# Ansible EC2 external inventory script settings
+#
+
+[ec2]
+
+# to talk to a private eucalyptus instance uncomment these lines
+# and edit edit eucalyptus_host to be the host name of your cloud controller
+#eucalyptus = True
+#eucalyptus_host = clc.cloud.domain.org
+
+# AWS regions to make calls to. Set this to 'all' to make request to all regions
+# in AWS and merge the results together. Alternatively, set this to a comma
+# separated list of regions. E.g. 'us-east-1,us-west-1,us-west-2'
+regions = eu-west-1
+regions_exclude = us-gov-west-1,cn-north-1
+
+# When generating inventory, Ansible needs to know how to address a server.
+# Each EC2 instance has a lot of variables associated with it. Here is the list:
+#   http://docs.pythonboto.org/en/latest/ref/ec2.html#module-boto.ec2.instance
+# Below are 2 variables that are used as the address of a server:
+#   - destination_variable
+#   - vpc_destination_variable
+
+# This is the normal destination variable to use. If you are running Ansible
+# from outside EC2, then 'public_dns_name' makes the most sense. If you are
+# running Ansible from within EC2, then perhaps you want to use the internal
+# address, and should set this to 'private_dns_name'. The key of an EC2 tag
+# may optionally be used; however the boto instance variables hold precedence
+# in the event of a collision.
+destination_variable = public_dns_name
+
+# For server inside a VPC, using DNS names may not make sense. When an instance
+# has 'subnet_id' set, this variable is used. If the subnet is public, setting
+# this to 'ip_address' will return the public IP address. For instances in a
+# private subnet, this should be set to 'private_ip_address', and Ansible must
+# be run from within EC2. The key of an EC2 tag may optionally be used; however
+# the boto instance variables hold precedence in the event of a collision.
+# WARNING: - instances that are in the private vpc, _without_ public ip address 
+# will not be listed in the inventory until You set:
+# vpc_destination_variable = 'private_ip_address'
+vpc_destination_variable = ip_address
+
+# To tag instances on EC2 with the resource records that point to them from
+# Route53, uncomment and set 'route53' to True.
+route53 = False
+
+# To exclude RDS instances from the inventory, uncomment and set to False.
+rds = False
+
+# To exclude ElastiCache instances from the inventory, uncomment and set to False.
+elasticache = False
+
+# Additionally, you can specify the list of zones to exclude looking up in
+# 'route53_excluded_zones' as a comma-separated list.
+# route53_excluded_zones = samplezone1.com, samplezone2.com
+
+# By default, only EC2 instances in the 'running' state are returned. Set
+# 'all_instances' to True to return all instances regardless of state.
+all_instances = False
+
+# By default, only EC2 instances in the 'running' state are returned. Specify
+# EC2 instance states to return as a comma-separated list. This
+# option is overriden when 'all_instances' is True.
+# instance_states = pending, running, shutting-down, terminated, stopping, stopped
+
+# By default, only RDS instances in the 'available' state are returned.  Set
+# 'all_rds_instances' to True return all RDS instances regardless of state.
+all_rds_instances = False
+
+# By default, only ElastiCache clusters and nodes in the 'available' state
+# are returned. Set 'all_elasticache_clusters' and/or 'all_elastic_nodes'
+# to True return all ElastiCache clusters and nodes, regardless of state.
+#
+# Note that all_elasticache_nodes only applies to listed clusters. That means
+# if you set all_elastic_clusters to false, no node will be return from
+# unavailable clusters, regardless of the state and to what you set for
+# all_elasticache_nodes.
+all_elasticache_replication_groups = False
+all_elasticache_clusters = False
+all_elasticache_nodes = False
+
+# API calls to EC2 are slow. For this reason, we cache the results of an API
+# call. Set this to the path you want cache files to be written to. Two files
+# will be written to this directory:
+#   - ansible-ec2.cache
+#   - ansible-ec2.index
+cache_path = ~/.ansible/tmp
+
+# The number of seconds a cache file is considered valid. After this many
+# seconds, a new API call will be made, and the cache file will be updated.
+# To disable the cache, set this value to 0
+cache_max_age = 300
+
+# Organize groups into a nested/hierarchy instead of a flat namespace.
+nested_groups = False
+
+# Replace - tags when creating groups to avoid issues with ansible
+replace_dash_in_groups = True
+
+# If set to true, any tag of the form "a,b,c" is expanded into a list
+# and the results are used to create additional tag_* inventory groups.
+expand_csv_tags = False
+
+# The EC2 inventory output can become very large. To manage its size,
+# configure which groups should be created.
+group_by_instance_id = True
+group_by_region = True
+group_by_availability_zone = True
+group_by_ami_id = True
+group_by_instance_type = True
+group_by_key_pair = True
+group_by_vpc_id = True
+group_by_security_group = True
+group_by_tag_keys = True
+group_by_tag_none = True
+group_by_route53_names = True
+group_by_rds_engine = True
+group_by_rds_parameter_group = True
+group_by_elasticache_engine = True
+group_by_elasticache_cluster = True
+group_by_elasticache_parameter_group = True
+group_by_elasticache_replication_group = True
+
+# If you only want to include hosts that match a certain regular expression
+# pattern_include = staging-*
+
+# If you want to exclude any hosts that match a certain regular expression
+# pattern_exclude = staging-*
+
+# Instance filters can be used to control which instances are retrieved for
+# inventory. For the full list of possible filters, please read the EC2 API
+# docs: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstances.html#query-DescribeInstances-filters
+# Filters are key/value pairs separated by '=', to list multiple filters use
+# a list separated by commas. See examples below.
+
+# Retrieve only instances with (key=value) env=staging tag
+# instance_filters = tag:env=staging
+
+# Retrieve only instances with role=webservers OR role=dbservers tag
+# instance_filters = tag:role=webservers,tag:role=dbservers
+
+# Retrieve only t1.micro instances OR instances with tag env=staging
+# instance_filters = instance-type=t1.micro,tag:env=staging
+
+# You can use wildcards in filter values also. Below will list instances which
+# tag Name value matches webservers1*
+# (ex. webservers15, webservers1a, webservers123 etc) 
+# instance_filters = tag:Name=webservers1*
+
+# A boto configuration profile may be used to separate out credentials
+# see http://boto.readthedocs.org/en/latest/boto_config_tut.html
+# boto_profile = some-boto-profile-name