Add playbook for deploying live demos on demo.recordsansible.org

This deploys api.demo.recordsansible.org as well as web.demo.recordsansible.org using the Ansible roles from ara. The only part not yet automated is the letsencrypt certificate generation. Change-Id: I6b436d3be32105fdf9d661d042bfb3d40e5e39a6 Depends-On: https://review.openstack.org/#/c/641859/
ansible-community · Mar 8, 2019 · a797094 · a797094
1 parent 5592862
commit a797094
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 0 deletions.
diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+forks = 25
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp/
+fact_caching_timeout = 3600
+inventory = hosts
+
+[ssh_connection]
+pipelining = True
diff --git a/playbooks/hosts b/playbooks/hosts
@@ -0,0 +1 @@
+demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3
diff --git a/playbooks/live-demo.yaml b/playbooks/live-demo.yaml
@@ -0,0 +1,22 @@
+- name: Provision demo.recordsansible.org
+  hosts: demo.recordsansible.org
+  gather_facts: yes
+  vars:
+    # ara_api
+    ara_api_fqdn: api.demo.recordsansible.org
+    ara_api_frontend_server: nginx
+    ara_api_frontend_vhost: api.demo.recordsansible.org.conf.j2
+    ara_api_wsgi_server: gunicorn
+    ara_api_allowed_hosts:
+      - api.demo.recordsansible.org
+    ara_api_cors_origin_whitelist:
+      - web.demo.recordsansible.org
+      - logs.openstack.org
+    # ara_web
+    ara_web_fqdn: web.demo.recordsansible.org
+    ara_web_api_endpoint: "https://api.demo.recordsansible.org"
+    ara_web_frontend_server: nginx
+    ara_web_frontend_vhost: web.demo.recordsansible.org.conf.j2
+  roles:
+    - ara_api
+    - ara_web
diff --git a/playbooks/templates/api.demo.recordsansible.org.conf.j2 b/playbooks/templates/api.demo.recordsansible.org.conf.j2
@@ -0,0 +1,51 @@
+upstream ara_api {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server {{ ara_api_wsgi_bind }} fail_timeout=0;
+}
+
+server {
+    listen 80;
+    server_name {{ ara_api_fqdn }};
+    return 301 https://{{ ara_api_fqdn }}$request_uri;
+}
+
+server {
+    listen 443;
+    server_name {{ ara_api_fqdn }};
+    access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
+    error_log  /var/log/nginx/{{ ara_api_fqdn }}_error.log;
+
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/{{ ara_api_fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ara_api_fqdn }}/privkey.pem;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # There's nothing at /, redirect it to the actual API for convenience
+    location / {
+      return 301 http://{{ ara_api_fqdn }}/api/v1/;
+    }
+
+    location /static {
+        expires 7d;
+        add_header Cache-Control "public";
+    }
+
+    # Everything, including static files, is served by the backend
+    location ~ {
+      # checks if the file exists, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    location @proxy_to_app {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_redirect off;
+        proxy_pass http://ara_api;
+    }
+}
diff --git a/playbooks/templates/web.demo.recordsansible.org.conf.j2 b/playbooks/templates/web.demo.recordsansible.org.conf.j2
@@ -0,0 +1,46 @@
+{% if ara_web_dev_server %}
+upstream ara_web {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server {{ ara_web_dev_server_bind_address }}:{{ ara_web_dev_server_bind_port }} fail_timeout=0;
+}
+{% endif %}
+
+server {
+    listen 80;
+    server_name {{ ara_web_fqdn }};
+    return 301 https://{{ ara_web_fqdn }}$request_uri;
+}
+
+server {
+    listen 443;
+    server_name {{ ara_web_fqdn }};
+    root {{ ara_web_static_dir }};
+    access_log /var/log/nginx/{{ ara_web_fqdn }}_access.log;
+    error_log /var/log/nginx/{{ ara_web_fqdn }}_error.log;
+
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/{{ ara_web_fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ ara_web_fqdn }}/privkey.pem;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    {% if ara_web_dev_server %}
+    location ~ {
+      # checks for static file, if not found proxy to server
+      try_files $uri @proxy_to_app;
+    }
+
+    location @proxy_to_app {
+        # Redefine the header fields that NGINX sends to the upstream server
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # Define the location of the proxy server to send the request to
+        proxy_pass http://ara_web;
+   }
+   {% endif %}
+}