Commit c1303e25 authored by Chris Lamb

Initial commit.

Signed-off-by: Chris Lamb <lamby@debian.org>
[run]
omit =
*/wsgi.py
*/tests.py
*/manage.py
*/tests/*
*/settings/*
*/migrations/*
*.deb
*.pyc
*.sqlite*
/trydiffoscope/settings/custom.py
/static/
/storage/
/.coverage
/coverage.xml
/pep8.txt
sudo: required
services:
- docker
script:
- wget -O- http://travis.debian.net/script.sh | sh -
deploy:
on:
branch: master
script:
- cp debian/buildd/*.deb config/roles/trydiffoscope/files/trydiffoscope.deb
- config/deploy
provider: script
skip_cleanup: true
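Review bot: The `script` step `wget -O- http://travis.debian.net/script.sh | sh -` fetches the build script over plain HTTP and pipes it straight into `sh`, so anyone on the network path can substitute the code that runs in a build which also holds the vault password the deploy step consumes. Fetch it over TLS if the host serves it that way (`wget -O- https://travis.debian.net/script.sh | sh -`) and preferably keep a pinned copy or a checksum check in the repository. The `deploy` step runs `config/deploy` in that same build environment, so the trust placed in the downloaded script extends to the production deployment.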
#!/bin/sh
set -eu
TEMP="$(mktemp -d)"
sudo apt-get install --yes ansible
echo "${ANSIBLE_VAULT_PASSWORD}" > ${TEMP}/password
cp config/keys/${HOSTNAME} ${TEMP}/id_rsa
ansible-vault decrypt --vault-password-file=${TEMP}/password ${TEMP}/id_rsa
chmod 600 "${TEMP}/id_rsa"
cat > ${TEMP}/hosts <<EOF
${HOSTNAME} ansible_ssh_user=root ansible_ssh_private_key_file=${TEMP}/id_rsa
EOF
exec env ANSIBLE_HOST_KEY_CHECKING=0 ansible-playbook \
config/playbook.yml \
--verbose \
--inventory=${TEMP}/hosts \
--vault-password-file=${TEMP}/password \
"${@}"
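Review bot: The decrypted SSH private key and the vault password are written under `${TEMP}` but nothing removes them, and `ANSIBLE_HOST_KEY_CHECKING=0` on the `exec env` line turns off host key verification for a root login, so a spoofed target would receive the deployment and the credentials. Add `trap 'rm -rf "${TEMP}"' EXIT` directly after `TEMP="$(mktemp -d)"` and drop the `exec` on the final command, since an exec'd process replaces the shell and the trap would otherwise never run. Replace the host-key opt-out with a known_hosts file committed alongside the keys (pointed at via `ssh_args` in ansible.cfg or an equivalent inventory variable) so the target's identity is pinned. `HOSTNAME` is also a variable most shells set to the local machine's name, so unless the CI environment overrides it the `cp config/keys/${HOSTNAME}` line looks up the wrong key; a dedicated name such as `DEPLOY_HOST` avoids the collision. The bare `${TEMP}` expansions on the `echo`, `cp`, `ansible-vault`, `cat`, `--inventory` and `--vault-password-file` lines should be double-quoted like the `chmod` line already is.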
---
base_dir: /usr/share/python/trydiffoscope
root_email: chris@chris-lamb.co.uk
storage_dir: /srv/storage.{{ inventory_hostname }}
site_packages: /usr/share/python/trydiffoscope/lib/python2.7/site-packages
debian_mirror: http://httpredir.debian.org
debian_release: jessie
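Review bot: `site_packages` repeats the `/usr/share/python/trydiffoscope` prefix that `base_dir` already defines, so the two can drift apart; `site_packages: "{{ base_dir }}/lib/python2.7/site-packages"` keeps one source of truth. The `postgresql_version` and `locale` variables used by the postgresql and locale roles are not defined in this file; presumably they live in host_vars, which is worth confirming before the first run.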
$ANSIBLE_VAULT;1.1;AES256
62623766383731643063353836643066613038653165623365376231366431343862616238643761
3339613332333961363266663662363962373861316534380a336332333630633234313434643538
64343064656434303163653861663739353635346462336235323962353033666534363563353534
3433653131396334300a366633643534396331633036336264623139616434616231623439393431
35383966656563303131666130626435636336343965663134336264363534653665633238643162
32636561616636313238393139343139636135303561613137326234366366323135303031306161
646532373931383931633361646431333361
$ANSIBLE_VAULT;1.1;AES256
64303964393964323031333062636465326434626466353238383736663132326464623430393831
6332613234393664626666656164666536656534383938350a616432306539636165623463346631
66616661333836653536343439626132333131616163313035633935343837643461313330323336
3761626430353538350a313635373839336566663961663865643836353732373539333932613066
36336362333063363439623662613230623531313162633361346437333038393330313132666634
34653764343139386338316663616230666161303331643033646161666563323836366462323432
36313838373035653437343066363563303065636534346166323635303838333765656236326333
66383337313134303131656536376638623732393034333963323034396630643265353630366235
38393463323661366437646334313662623731326536346430393135663831356666326466353937
65663435643630323132643330343863636135636134383536323363366535656237636338656564
34303131313765643532336566326233326434336563613161623965646661363934313337623233
35326435623266383865666666333738373539356661393331323731313830613666373464623931
62373630363236396563386139643431653961363539313236336532366430393837303565333832
61303263303161323638363330313265643065353766663165383662613936386237613934326461
62333036353632343639343233306265316537343637343264323135623361383930663530643666
63666163643639616463623066626464623764336434396334376437313165656131323165643830
65393232313864366564306339333436373032393765396539663639343238396138326664326135
35643436303434343330363561633735353437326364306337656331356131306663333933373439
66306136613966643235353631303964356461313739613931633936653732323830636261376630
62653036633335376635653532376437663564613831646166323361393838386633626334376530
32643763303836313637396134633635306133373834393264373463363164393030356366616230
34323965333031306562383263376236373532363639383134653530616139666663346232643962
32346330353632323235363630386136386463316130366363386162383136396562623162306336
34336137656437373139623162393065666530643962386237313539316362303665393766323933
30356361316638353432313334343230653066643861633439613938363030373237373938303365
65326566663838326239616531646439376463393736633333633366663431346363616366343665
34386162366265313666663835663334636164626233336139323562346332616431346166306361
35616161346137336639323230373737313937333131323238356434333434396234373565653734
63353630626365626535313834346638383862393233356661343630383933393565326435323937
33343139373336303863613565333365373039333765666431333431343336353035616538343061
39306465306332636463616663643039393036626336386465333533363036376264616633323165
38643738303933613931616630303934376337373362653164313164633338643334363263303735
34383833376630376462636538346465613632343964376331323831646233626134623532303837
37643433323666336530363465633963346333333533316262343439353266353265623465633439
37376338336432613636363238356166316532626138343735316262396634346264656264316134
39656361643030303737653664306232643532363337306531333837383735356466636466643565
36313339313436656166623637353539333631373863383535623738353036356134383130653939
66336536366561396635623335386239666439363834316534356362323237333231636139653733
66663635393161383330326239386332643736666566613264306539383537366533393937656366
65323365646262316264353962316432663162303133386234653231663935326465306135363338
34303462333732646366636666333365636335633362393235333961316134656166633936376664
34303631323934623535333936313935376464386566306632306434306564386639336635326234
37626335303836323665356361633134333533343239646262666166303232653936366638373734
62323861646135666563386239343862613032656461656237343336643537383366343661356664
31373137636530643135613430643564383936666161316661366566376239616262636236663331
38313731343933393332393433366465313662356532323336393763626638623839333662633762
66343833633865316132643233623932616235333262663038383036643931656536666239373837
39316539306463626335353331636430626261623763343064386339333366633063376538656232
33653163316331313262343331323963343062623630313334616531353133613966313462303232
30363163383735633563643133646437633564376631386566623030343361623630313065313935
32643632636363323135336366336161373833626463636130626162633866363635316231303761
64373861336664393964373633623764316234346530636365613862636533373239376663376330
31333263343365336338613631376331393431653339363166636434623631376236316632346463
65613739303262393036343730663935623364353836636663376331323138303331353333376136
66313633383166623530316166666261663634383539343461363064313839376634653237616163
64396362383832356135343933626463333562363634633961623465373039316231343839323437
65323734383165373561303431386530646331373730663461396634366261343130663431353965
31383766346164356238366561643535646564383162313161343939393336613237383063393461
35306264336365633161366534333134636361623464626135643232643766393566636632373665
38393066366134333234333533303534376537363338666136613132313462633461396133303665
32356561363536636161663935643637616336613333366232643761303734353337356561326531
30313765666232396533396466313632373036366664643033613933373234353033633264383865
30363863656430326436663036386232303531336366626562613361343830306233363631643964
31663733623438313538353132333163333233353936323831636165393831633430393338366637
61383764656565346364376631623762393863303165383238323064373836353038366637383461
37623836393133333531363264646166313533313034623934303362666538313830383963616638
31623139313035353465393636363531633262623963643738376633626639383434356661333765
61306337616463353530363232666138633633353164626338663265373337623965663865633361
32393363633837373738306235376339616631333662613935613463316663313766336563373038
37353537613361396635336362333962333834306332626131393239323737613465643065356235
38353162376666333936626234343539333034666131373865393665303564386166636161316530
37643634373561666639633935616635316164623431306562303935363236323431363266623764
36383830316231646136346535633234316537343435333265626662386439616136393866363263
38656332366166343638393937643731313366373562346330373930373536343364613161396139
63663232643535633362626463646533396336313062346432643765356565623637616164633431
62613532373066393363633137303837343064633561303364643633396163373264366262376163
35323631613763343366356130323638356566666537373963646535326361396361666330363632
63363734393066366365393137633635343833633763376266373934366638383630633234343438
65313233393966313265633731333136376666653965396336363065353631363464313866336539
61356635386337353265613766303036336130656565663361313466333431323664393862313537
37346564383366313137373361303265333039643264353137626131646630396538303866316237
31653331383962376665366633323935343635396265346538646436386436646135623430326664
66393131313437663064306537323838336335326164383634346264636234656266623639303539
66376665356630396132333934633562326536353266306139356436306139643838623335626434
32366134636235383738343236646335623036353762613232303062613537313061316232373532
31393030346539306264306162306564626261336132643964323633373638373235643366653138
34653131346466646666313134366265623664353763353862326137356661306566316234383237
38653131653139393436
---
- name: bootstrap
gather_facts: false
hosts: all
roles:
- bootstrap
- name: setup
hosts: all
roles:
- apt
- hostname
- locale
- timezone
- mailx
- molly-guard
- firewall
- exim
- memcached
- postgresql
- redis
- nginx
- name: deploy
hosts: all
roles:
- trydiffoscope
Acquire {
Retries "0";
Pdiffs "false";
};
---
- name: apt-get update
command: apt-get update
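Review bot: The handler runs `apt-get update` through `command`, which always reports changed and bypasses the apt module's lock handling; `apt: update_cache=yes` does the same job through the module. The base packages task already passes `update_cache=yes cache_valid_time=3600`, so on most runs the handler duplicates work that task has just done.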
---
- name: apt.conf.d
action: copy
src=apt.conf.d
dest=/etc/apt
mode=0644
notify:
apt-get update
- name: sources.list
template:
src=sources.list
dest=/etc/apt/sources.list
notify:
apt-get update
- name: /etc/cron.d/apt-get-clean
template:
src=apt-get-clean
dest=/etc/cron.d/apt-get-clean
mode=0644
- name: base packages
action: apt
pkg={{ item }}
state=installed
update_cache=yes
cache_valid_time=3600
with_items:
- ca-certificates
- ntp
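Review bot: The tasks use the `action: copy` / `key=value` string form with `state=installed` and `update_cache=yes`, which reads as shell arguments rather than structured YAML and hides the `mode=0644` value inside a string; the same style is used by the exim, firewall, hostname, locale, mailx, memcached, molly-guard, nginx and postgresql tasks. `installed` is an alias of `present` that later Ansible releases dropped, and `yes` should be `true` where it becomes a real YAML boolean. A native block form such as `copy:` with `src: apt.conf.d`, `dest: /etc/apt` and `mode: "0644"` (quoted so the leading zero survives) is the documented style, and `pkg` can take the whole list instead of looping `with_items` one package at a time.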
# Sunday at 02:30
30 2 * * 0 root apt-get clean
deb {{ debian_mirror }}/debian {{ debian_release }} main
deb {{ debian_mirror }}/debian {{ debian_release }}-backports main
deb-src {{ debian_mirror }}/debian {{ debian_release }} main
deb http://security.debian.org/ {{ debian_release }}/updates main
---
- name: packages
raw:
sudo apt-get install --yes python python-simplejson python-psycopg2
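Review bot: The `raw:` task runs `apt-get install` without an `apt-get update` first, so on a fresh image whose package lists are empty or stale the install can fail before the `apt` role ever runs; `apt-get update && apt-get install --yes python python-simplejson python-psycopg2` avoids that. The deploy inventory connects as root, so `sudo` is presumably unnecessary and may not even be present on a minimal image — worth confirming against the target images.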
---
- name: update-exim4.conf
command:
update-exim4.conf
notify:
restart exim
- name: restart exim
service:
name=exim4
state=restarted
- name: newaliases
command:
newaliases
---
- name: APT
apt:
pkg=exim4-daemon-light
- name: /etc/aliases
lineinfile:
'dest=/etc/aliases regexp="^root:.*" "line=root: {{ root_email }}"'
notify:
newaliases
- name: mailname
template:
src=mailname
dest=/etc/mailname
mode=0644
notify:
update-exim4.conf
- name: update
template:
src=update-exim4.conf.conf
dest=/etc/exim4/update-exim4.conf.conf
mode=0644
notify:
update-exim4.conf
- name: running
service:
name=exim4
state=started
enabled=yes
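Review bot: The `/etc/aliases` task packs its arguments into a single-quoted string in which the double quote opens before `line=` (`"line=root: {{ root_email }}"`); that only works because the key=value parser tokenises with shell quoting rules, and a reader cannot tell at a glance which part is the key and which the value. Writing the task in block YAML makes the regexp and the line explicit and removes the nested quoting, as below; the `notify: newaliases` part is unchanged. The enclosing task list continues with the mailname and update-exim4.conf tasks that follow.
```yaml
- name: /etc/aliases
  lineinfile:
    dest: /etc/aliases
    regexp: '^root:.*'
    line: 'root: {{ root_email }}'
# … unchanged: notify newaliases …
```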
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
---
- apt:
pkg=ufw
- ufw:
state=enabled
policy=reject
- action: ufw
app={{ item }}
rule=allow
with_items:
- OpenSSH
- WWW
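Review bot: The `ufw: state=enabled policy=reject` task runs before the `allow` rules for `OpenSSH` and `WWW`, so if the play stops between the two tasks the host is left with the firewall up and new SSH connections rejected. Apply the allow rules first and enable the firewall last; moving `- ufw: state=enabled policy=reject` after the `with_items` loop closes that window. `WWW` opens only port 80, which matches the nginx config in this commit, which listens on 80 alone.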
---
- name: hostname
hostname:
name={{ inventory_hostname }}
- name: /etc/hosts
template:
src=hosts
dest=/etc/hosts
127.0.0.1 localhost localhost.localdomain
127.0.1.1 {{ inventory_hostname_short }} {{ inventory_hostname }}
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
---
- name: All locales
debconf:
name=locales
vtype=select
question=locales/locales_to_be_generated
value={{ locale }}
- name: Default locale
debconf:
name=locales
vtype=select
question=locales/default_environment_locale
value={{ locale }}
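Review bot: Answering the two `locales/*` debconf questions does not by itself regenerate anything; the `locales` package only acts on these values when it is (re)configured, so on a host where it is already installed the `value={{ locale }}` selection never takes effect. Add `notify: regenerate locales` to both tasks and a handler that runs `dpkg-reconfigure -f noninteractive locales` (or `locale-gen`). Nothing in the visible roles installs `locales` either; it may be present in the base image, but that is worth confirming.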
---
- name: pkg
apt:
pkg=bsd-mailx
- name: mailx
alternatives:
name=mailx
path=/usr/bin/bsd-mailx
---
- name: restart memcached
service:
name=memcached
state=restarted
---
- name: pkg
apt:
pkg=memcached
- name: config
template:
src=memcached.conf
dest=/etc/memcached.conf
mode=644
notify:
restart memcached
- name: running
service:
name=memcached
state=started
enabled=yes
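Review bot: `mode=644` on the config template task drops the leading zero that the apt and exim tasks use (`mode=0644`); Ansible treats the key=value string as octal either way, but the two spellings read as different permissions, and the nginx task (`mode=644`) and the postgresql tasks (`mode=644`, `mode=640`) share the inconsistency. Use `mode=0644` everywhere (or `mode: "0644"` in block YAML) so that a later move to native YAML does not silently turn `644` into the decimal integer 644.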
# memcached default config file
# 2003 - Jay Bonci <jaybonci@debian.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.
# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d
# Log memcached's output to /var/log/memcached
logfile /var/log/memcached.log
# Be verbose
# -v
# Be even more verbose (print client commands as well)
# -vv
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 64
# Default connection port is 11211
-p 11211
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u nobody
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
# Limit the number of simultaneous incoming connections. The daemon default is 1024
# -c 1024
# Lock down all paged memory. Consult with the README and homepage before you do this
# -k
# Return error when memory is exhausted (rather than removing items)
# -M
# Maximize core file limit
# -r
---
- name: pkg
apt:
pkg=molly-guard
- name: config
template:
src=rc
dest=/etc/molly-guard/rc
mode=0644
ALWAYS_QUERY_HOSTNAME=true
---
- name: restart nginx
service:
name=nginx
state=restarted
---
- name: pkg
apt:
pkg=nginx
- name: config
template:
src=nginx.conf
dest=/etc/nginx/nginx.conf
mode=644
notify:
restart nginx
- name: running
service:
name=nginx
state=started
enabled=yes
user www-data;
pid /run/nginx.pid;
worker_processes auto;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
keepalive_timeout 10;
types_hash_max_size 2048;
client_max_body_size 20M;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
gzip on;
gzip_disable "msie6";
upstream trydiffoscope {
server 127.0.0.1:8000 fail_timeout=0;
}
server {
listen 80 default;
rewrite ^ http://{{ inventory_hostname }}$request_uri permanent;
}
server {
listen 80;
server_name {{ inventory_hostname }};
location /static {
root {{ base_dir }};
}
location ~ /(favicon\.ico|robots\.txt) {
root {{ base_dir }}/static;
}
location ~ /(\w+)\.(html|txt)$ {
root {{ storage_dir }};
rewrite /(\w+)\.(html|txt)$ /$1/output.$2 break;
}
location / {
proxy_pass http://trydiffoscope;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
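Review bot: The `location ~ /(\w+)\.(html|txt)$` regex is not anchored at the start of the URI, so a request such as `/static/foo.html` matches it too (regex locations take precedence over the `/static` prefix location), is rewritten to `/foo/output.html` and is served from `{{ storage_dir }}` instead of the static tree. Anchor both the location and the rewrite: `location ~ ^/(\w+)\.(html|txt)$ {` and `rewrite ^/(\w+)\.(html|txt)$ /$1/output.$2 break;`. The `/(favicon\.ico|robots\.txt)` location has the same shape and also matches `/anything/robots.txt`, so it should be anchored the same way. The `\w+` capture cannot contain `/` or `.`, so the rewrite stays confined to a single directory under the storage root, which is the right property to keep when changing the pattern.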
---
- name: restart postgresql
service:
name=postgresql
state=restarted
---
- name: pkg
apt:
pkg=postgresql-{{ postgresql_version }}
- name: postgresql.conf
template:
src=postgresql.conf
dest=/etc/postgresql/{{ postgresql_version }}/main/postgresql.conf
mode=644
owner=postgres
group=postgres
notify:
restart postgresql
- name: pg_hba.conf
template:
src=pg_hba.conf
dest=/etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf
mode=640
owner=postgres
group=postgres
notify:
restart postgresql
- name: running
service:
name=postgresql
state=started
enabled=yes
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here