diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
new file mode 100644
index 0000000..33d5108
--- /dev/null
+++ b/playbooks/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+forks = 25
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp/
+fact_caching_timeout = 3600
+inventory = hosts
+
+[ssh_connection]
+pipelining = True
diff --git a/playbooks/hosts b/playbooks/hosts
new file mode 100644
index 0000000..cf3ffca
--- /dev/null
+++ b/playbooks/hosts
@@ -0,0 +1 @@
+demo.recordsansible.org ansible_host=139.178.83.37 ansible_user=fedora ansible_python_interpreter=/usr/bin/python3
diff --git a/playbooks/live-demo.yaml b/playbooks/live-demo.yaml
new file mode 100644
index 0000000..a6ab77b
--- /dev/null
+++ b/playbooks/live-demo.yaml
@@ -0,0 +1,15 @@
+- name: Provision demo.recordsansible.org
+ hosts: demo.recordsansible.org
+ gather_facts: yes
+ vars:
+ ara_api_frontend_server: nginx
+ ara_api_frontend_vhost: api.demo.recordsansible.org.conf.j2
+ ara_api_wsgi_server: gunicorn
+ ara_api_fqdn: api.demo.recordsansible.org
+ ara_api_allowed_hosts:
+ - api.demo.recordsansible.org
+ ara_api_cors_origin_whitelist:
+ - web.demo.recordsansible.org
+ - logs.openstack.org
+ roles:
+ - ara_api
diff --git a/playbooks/templates/api.demo.recordsansible.org.conf.j2 b/playbooks/templates/api.demo.recordsansible.org.conf.j2
new file mode 100644
index 0000000..bf16372
--- /dev/null
+++ b/playbooks/templates/api.demo.recordsansible.org.conf.j2
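Review bot: `fact_caching_connection = /tmp/` in playbooks/ansible.cfg puts the jsonfile fact cache in a world-writable directory, where the cache files are named after inventory hosts and are therefore predictable. On a shared control host another local user could read the gathered facts or pre-create or alter a cache file. With `gathering = smart`, cached values are then used for up to `fact_caching_timeout = 3600` seconds instead of being collected again. A directory owned by the invoking user is safer, for example `fact_caching_connection = ~/.ansible/fact_cache`, created with mode 0700.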
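Review bot: The `logs.openstack.org` entry in `ara_api_cors_origin_whitelist` (playbooks/live-demo.yaml) has no comment explaining why an origin outside this deployment may read API responses cross-origin. That host appears to serve CI job artifacts, so a browser would let any page published there read from the API. That is only acceptable while the API is read-only and exposes nothing private, which this hunk does not show. I would add a comment above the list, such as `# logs.openstack.org: third-party origin, allowed so reports hosted there can query this API (confirm)`. It is also worth checking whether the role expects bare hostnames or full origins with a scheme.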
@@ -0,0 +1,51 @@
+upstream ara_api {
+ # fail_timeout=0 means we always retry an upstream even if it failed
+ # to return a good HTTP response
+ server {{ ara_api_wsgi_bind }} fail_timeout=0;
+}
+
+server {
+ listen 80;
+ server_name {{ ara_api_fqdn }};
+ return 301 https://{{ ara_api_fqdn }}$request_uri;
+}
+
+server {
+ listen 443;
+ server_name {{ ara_api_fqdn }};
+ access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
+ error_log /var/log/nginx/{{ ara_api_fqdn }}_error.log;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ ara_api_fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ ara_api_fqdn }}/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ # There's nothing at /, redirect it to the actual API for convenience
+ location / {
+ return 301 http://{{ ara_api_fqdn }}/api/v1/;
+ }
+
+ location /static {
+ expires 7d;
+ add_header Cache-Control "public";
+ }
+
+ # Everything, including static files, is served by the backend
+ location ~ {
+ # checks if the file exists, if not found proxy to app
+ try_files $uri @proxy_to_app;
+ }
+
+ location @proxy_to_app {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+
+ proxy_redirect off;
+ proxy_pass http://ara_api;
+ }
+}
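Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the 443 server still offers TLS 1.0 and 1.1, both deprecated by RFC 8996; restrict it to `ssl_protocols TLSv1.2 TLSv1.3;`, or `TLSv1.2` alone if the installed nginx/OpenSSL lacks 1.3. In the same server, `location /` answers with `return 301 http://{{ ara_api_fqdn }}/api/v1/;`, which sends a client already on HTTPS through a plaintext hop before the port-80 server redirects it back, so the target should be `https://`. `ssl on;` is deprecated in newer nginx releases in favour of `listen 443 ssl;`. The catch-all `location ~` regex block looks like it takes precedence over the `/` and `/static` prefix blocks, so check with `nginx -T` and a test request whether those two blocks are reachable at all; note also that no `Strict-Transport-Security` header is set.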