add role files

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2019-03-06 15:03:25 +01:00 · 2019-03-06 15:03:25 +01:00 · 6971bc1010
parent 1a7ca9c909
commit 6971bc1010
13 changed files with 1870 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,15 @@
+# Description
+
+This role configures Status [Open Bounty](https://github.com/status-im/open-bounty) service which sets bounties for GitHub issues and pais out Eth rewards.
+
+# Usage
+
+Made available at domain configured the `sob_domain` variable.
+Currently only two installations exist:
+
+* https://openbounty.status.im/ - `sob-test` host group.
+* https://test-openbounty.status.im/ - `sob-prod` host group.
+
+# Configuration
+
+Configured via `host_vars`, for example configuration see [`ansible/group_vars/sob-test.yml`](/ansible/group_vars/sob-test.yml).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,30 @@
+---
+sob_domain: 'test-openbounty.status.im'
+# for multiple stages
+sob_branch: 'deploy-test'
+# if anable dummy data will be loaded into the database
+sob_testing: false
+
+cont_image: 'statusteam/openbounty-app:{{ sob_branch }}'
+cont_name: 'openbounty'
+cont_vol: '/docker/{{ cont_name }}'
+cont_port: 3000
+
+cont_state: started
+cont_recreate: false
+cont_restart: false
+
+# PostgreSQL database for SOB
+db_cont_image: 'postgres:9.6-alpine'
+db_cont_name: '{{ cont_name }}-db'
+db_cont_port: 5432
+db_cont_uid: 70
+db_host_uid: '{{ 100000 + db_cont_uid - 1 }}'
+db_cont_vol: '/docker/{{ db_cont_name }}'
+db_backup_dir: '/var/tmp/backups/sob'
+sob_backup_script_dir: '/var/lib/backups'
+sob_backup_script: '{{ sob_backup_script_dir }}/sob_db_backup.sh'
+
+dba_cont_image: 'adminer:4.6.3-standalone'
+dba_cont_name: '{{ cont_name }}-db-admin'
+dba_cont_port: 8080
--- a/files/openbounty_test_data.sql
+++ b/files/openbounty_test_data.sql
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,6 @@
+---
+- name: Save iptables rules
+  shell: iptables-save > /etc/iptables/rules.v4
+
+- name: Restart nginx
+  service: name=nginx state=restarted
--- a/tasks/backup.yml
+++ b/tasks/backup.yml
@ -0,0 +1,43 @@
+---
+- name: Create directory for backup script
+  file:
+    path: '{{ item }}'
+    state: directory
+    group: adm
+    mode: 0775
+  with_items:
+    - '{{ sob_backup_script_dir }}'
+    - '{{ db_backup_dir }}'
+
+- name: Create PostgreSQL dump script
+  copy:
+    dest: '{{ sob_backup_script }}'
+    content: |
+      #!/usr/bin/env bash
+      TSTAMP=$(date -u +%Y%m%d%H%M%S)
+      /usr/bin/docker exec -i {{ db_cont_name }} \
+          pg_dump -U {{ sob_db_user }} {{ sob_db_name }} \
+          > {{ db_backup_dir }}/{{ cont_name }}_dump_${TSTAMP}.sql
+    group: adm
+    mode: 0750
+
+- name: Configure PostgreSQL dump cron kob
+  cron:
+    name: PostgreSQL DB Dump
+    minute: 0
+    hour: 4
+    user: root
+    job: '{{ sob_backup_script }}'
+
+- name: Configure Discourse backups
+  include_role:
+    name: s3cmd-backup
+  vars:
+    backup_name: sob
+    backup_hour: 5
+    backup_directory: '/var/tmp/backups/sob'
+    backup_base_domain: ams3.digitaloceanspaces.com
+    backup_bucket_name: 's3://sob-backups'
+    backup_encryption_pass: '{{lookup("passwordstore", "services/openbounty/backup-pass")}}'
+    backup_access_key: '{{lookup("passwordstore", "cloud/DigitalOcean/spaces/sob-backups.key")}}'
+    backup_secret_key: '{{lookup("passwordstore", "cloud/DigitalOcean/spaces/sob-backups.secret")}}'
--- a/tasks/consul.yml
+++ b/tasks/consul.yml
@ -0,0 +1,15 @@
+---
+- name: Create Consul service definition
+  include_role: name=consul-service
+  vars:
+    consul_config_name: '{{ cont_name }}'
+    consul_services:
+      - name: '{{ cont_name }}'
+        tags: ['logging']
+        # we advertise the port with basic auth
+        port: '{{ cont_port }}'
+        checks:
+          - id: openbounty-status
+            name: Kibana Healthcheck
+            type: http
+            http: 'http://localhost:{{ cont_port }}/api/top-hunters'
--- a/tasks/container.yml
+++ b/tasks/container.yml
@ -0,0 +1,48 @@
+---
+- name: Create directory for config files
+  file:
+    path: '{{ item }}'
+    state: directory
+    owner: dockremap
+    group: docker
+    recurse: true
+  with_items:
+    - '{{ cont_vol }}/conf'
+    - '{{ cont_vol }}/wallet'
+
+- name: Generate OpenBounty configuration
+  template:
+    src: config.edn.j2
+    dest: '{{ cont_vol }}/conf/config.edn'
+    owner: dockremap
+    group: docker
+    mode: 0640
+  register: config
+
+- name: Create container for OpenBounty
+  docker_container:
+    name: '{{ cont_name }}'
+    image: '{{ cont_image }}'
+    pull: true
+    restart_policy: always
+    state: '{{ cont_state }}'
+    recreate: '{{ cont_recreate }}'
+    restart: '{{ config.changed | default(cont_restart) }}'
+    entrypoint: '/usr/bin/java'
+    # enable automatic container updates
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true' 
+    command: |
+      -Duser.timezone=UTC
+      -Dconf=/root/config.edn
+      -jar /root/commiteth.jar
+    links:
+      - '{{ db_cont_name }}:database'
+    ports:
+      - '{{ cont_port }}:{{ cont_port }}'
+    env:
+      server_address: 'https://{{ sob_domain }}'
+      jdbc-database-url: '{{ sob_jdbc_url }}'
+    volumes:
+      - '{{ cont_vol }}/conf/config.edn:/root/config.edn'
+      - '{{ cont_vol }}/wallet/default:/root/ethereum-wallet'
--- a/tasks/database.yml
+++ b/tasks/database.yml
@ -0,0 +1,54 @@
+---
+- name: Create directory for DB data
+  file:
+    path: '{{ item }}'
+    state: directory
+    owner: '{{ db_host_uid }}'
+    group: docker
+    recurse: true
+  with_items:
+    - '{{ db_cont_vol }}/data'
+    - '{{ db_cont_vol }}/backups'
+
+- name: Start PostgreSQL container
+  docker_container:
+    name: '{{ db_cont_name }}'
+    image: '{{ db_cont_image }}'
+    pull: true
+    restart_policy: always
+    state: '{{ cont_state }}'
+    recreate: '{{ cont_recreate }}'
+    restart: '{{ cont_restart }}'
+    env:
+      POSTGRES_DB:       '{{ sob_db_name }}'
+      POSTGRES_USER:     '{{ sob_db_user }}'
+      POSTGRES_PASSWORD: '{{ sob_db_pass }}'
+    ports:
+      - '0.0.0.0:{{ db_cont_port }}:{{ db_cont_port }}'
+    volumes:
+      - '{{ db_cont_vol }}/data:/var/lib/postgresql'
+      - '{{ db_cont_vol }}/backups:/var/tmp/backups'
+
+- name: Start PostgreSQL Adminer container
+  docker_container:
+    name: '{{ dba_cont_name }}'
+    image: '{{ dba_cont_image }}'
+    pull: true
+    restart_policy: always
+    state: '{{ cont_state }}'
+    recreate: '{{ cont_recreate }}'
+    restart: '{{ cont_restart }}'
+    ports:
+      - '0.0.0.0:{{ dba_cont_port }}:{{ dba_cont_port }}'
+    links:
+      - '{{ db_cont_name }}:db'
+
+- name: Copy over Dummy DB SQL
+  copy:
+    src: openbounty_test_data.sql
+    dest: '/var/tmp/'
+  when: sob_testing
+
+- name: Import dummy data into PostgreSQL
+  shell: cat /var/tmp/openbounty_test_data.sql | docker exec -i {{ db_cont_name }} psql -U {{ sob_db_user }}
+  when: sob_testing
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@ -0,0 +1,26 @@
+---
+- name: Enable OpenBounty HTTP & HTTPS ports
+  iptables:
+    comment: OpenBounty
+    chain: INPUT
+    jump: ACCEPT
+    source: '0.0.0.0/0'
+    protocol: 'tcp'
+    destination_port: '{{ item }}'
+  with_items:
+    - 80
+    - 443
+  notify:
+    - Save iptables rules
+
+- name: Enable Postgres Admin UI ports
+  iptables:
+    comment: Postgres ADM
+    action: insert
+    chain: DOCKER-USER
+    jump: ACCEPT
+    source: '0.0.0.0/0'
+    protocol: 'tcp'
+    destination_port: 8080
+  notify:
+    - Save iptables rules
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- import_tasks: database.yml
+- import_tasks: container.yml
+- import_tasks: consul.yml
+- import_tasks: firewall.yml
+- import_tasks: proxy.yml
+- import_tasks: backup.yml
+  when: not sob_testing
--- a/tasks/proxy.yml
+++ b/tasks/proxy.yml
@ -0,0 +1,13 @@
+---
+- name: Install Nginx
+  apt:
+    package: nginx
+
+- name: Generate OpenBounty Nginx proxy
+  template:
+    src: nginx_proxy.conf.j2
+    dest: '/etc/nginx/sites-enabled/openbounty_proxy.conf'
+    mode: 0644
+  notify:
+    - Restart nginx
+
--- a/templates/config.edn.j2
+++ b/templates/config.edn.j2
@ -0,0 +1,26 @@
+; WARNING: This file is generated by an Ansible role:
+; https://github.com/status-im/infra-misc/tree/master/ansible/roles/open-bounty
+{
+{% for key, value in sob_settings.items() %}
+{% if value is string and value.startswith(':') %}
+  :{{ '%-22s'|format(key) }}  {{ value }}
+{% else %}
+  :{{ '%-22s'|format(key) }}  {{ value | to_json }}
+{% endif %}
+{% endfor %}
+  :token-blacklist #{
+{% for token in sob_token_blacklist %}
+    :{{ token }}
+{% endfor %}
+  }
+  :user-whitelist #{
+{% for user in sob_users_whitelist %}
+    "{{ user }}"
+{% endfor %}
+  }
+  :testnet-token-data {
+{% for token_data in sob_testnet_token_data %}
+    {{ token_data }}
+{% endfor %}
+  }
+}
--- a/templates/nginx_proxy.conf.j2
+++ b/templates/nginx_proxy.conf.j2
@ -0,0 +1,18 @@
+server {
+  listen 80;
+  server_name {{ sob_domain }};
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl;
+
+  server_name {{ sob_domain }};
+
+  ssl_certificate     /certs/origin.crt;
+  ssl_certificate_key /certs/origin.key;
+
+  location / {
+    proxy_pass http://127.0.0.1:{{ cont_port }}/;
+  }
+}