-rw-r--r--playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml4
-rw-r--r--roles/waiverdb/defaults/main.yml6
-rw-r--r--roles/waiverdb/files/pg/pg_hba.conf29
-rw-r--r--roles/waiverdb/handlers/main.yml5
-rw-r--r--roles/waiverdb/tasks/main.yml37
-rw-r--r--roles/waiverdb/tasks/psql_setup.yml53
-rw-r--r--roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j239
-rw-r--r--roles/waiverdb/templates/etc/waiverdb/client_secrets.json11
-rw-r--r--roles/waiverdb/templates/etc/waiverdb/settings.py.j22
9 files changed, 186 insertions, 0 deletions
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
index 9838e189d..dae7fedfc 100644
--- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
@@ -24,3 +24,7 @@
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
+
+ roles:
+ - nginx
+ - waiverdb
diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml
new file mode 100644
index 000000000..a03421267
--- /dev/null
+++ b/roles/waiverdb/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+waiverdb_db_port: 5432
+waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
+waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
+waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
+waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'
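Review bot: The userinfo URI on the last line has a stray double quote inside the single-quoted value (`.../UserInfo"'`), so the rendered `userinfo_uri` in client_secrets.json ends in a literal `"`, which corrupts both the URL and the surrounding JSON. It should read `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`. The other three URIs are written consistently, so this looks like a typo rather than intent.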
diff --git a/roles/waiverdb/files/pg/pg_hba.conf b/roles/waiverdb/files/pg/pg_hba.conf
new file mode 100644
index 000000000..9fcf02373
--- /dev/null
+++ b/roles/waiverdb/files/pg/pg_hba.conf
@@ -0,0 +1,29 @@
+# This file is managed by Ansible - changes may be lost
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# TYPE DATABASE USER ADDRESS METHOD
+
+# Default:
+#
+local all postgres trust
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust
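Review bot: Every rule in this file uses `trust`, including `local all postgres trust`, so any OS account on the host that can reach the Unix socket or loopback connects as the `postgres` superuser with no password at all. Combined with the SUPERUSER flag that psql_setup.yml gives the application role, a compromise of any local process becomes full control of the database. Use `peer` for the socket lines and a password method for the loopback lines, e.g. `local all all peer` and `host all all 127.0.0.1/32 md5`, and give the application role a password in settings.py.j2. If this is deliberately a throwaway dev box, say so in the header comment so the file is not promoted to other hosts unchanged.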
diff --git a/roles/waiverdb/handlers/main.yml b/roles/waiverdb/handlers/main.yml
new file mode 100644
index 000000000..63b9af2c6
--- /dev/null
+++ b/roles/waiverdb/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart waiverdb
+ systemd:
+ name: waiverdb.service
+ state: restarted
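Review bot: tasks/psql_setup.yml notifies `restart postgresql` from its `copy pg_hba.conf` task, but this handlers file only defines `restart waiverdb`; unless that handler comes from another role applied to the host, Ansible fails with an undefined-handler error once pg_hba.conf changes. Add `- name: restart postgresql` with `service: name=postgresql state=restarted` here (a `reloaded` state is enough for pg_hba.conf changes). Note also that this handler restarts `waiverdb.service` while tasks/main.yml enables `waiverdb.socket`; confirm that the service unit, not the socket, is the one that should be cycled.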
diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml
new file mode 100644
index 000000000..8ed006840
--- /dev/null
+++ b/roles/waiverdb/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- include: psql_setup.yml
+
+- name: install needed packages
+ dnf: pkg={{ item }} state=present
+ with_items:
+ - waiverdb
+ - gunicorn
+ notify:
+ - restart waiverdb
+
+- name: start waiverdb on boot
+ systemd:
+ name: waiverdb.socket
+ enabled: yes
+
+- name: copy client secrets
+ template:
+ src: etc/waiverdb/client_secrets.json
+ dest: /etc/wavierdb/client_secrets.json
+ owner: root
+ group: root
+ mode: 0640
+ notify:
+ - restart waiverdb
+
+- name: generate the app config
+ template:
+ src: etc/waiverdb/settings.py.j2
+ dest: /etc/waiverdb/settings.py
+ owner: root
+ group: root
+ mode: 0660
+ backup: yes
+ force: yes
+ notify:
+ - restart waiverdb
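Review bot: The `copy client secrets` task writes to `dest: /etc/wavierdb/client_secrets.json`; `wavierdb` is a transposition of `waiverdb`, and the following task uses `/etc/waiverdb/settings.py`, so the secrets either land in the wrong directory or the task fails because the template module does not create parent directories. It should be `dest: /etc/waiverdb/client_secrets.json`. Both files are `owner: root`, `group: root` with modes 0640 and 0660, which the service can only read if it runs as root; if it runs as its own account, set `group: <waiverdb service group>` (value to be confirmed from the unit) and keep the restrictive mode. Quote the modes (`mode: "0640"`) and write `enabled: true` so the octal and boolean values do not depend on YAML 1.1 parsing.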
diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml
new file mode 100644
index 000000000..04f93b5ae
--- /dev/null
+++ b/roles/waiverdb/tasks/psql_setup.yml
@@ -0,0 +1,53 @@
+- name: install postresql
+ yum: state=present pkg={{ item }}
+ with_items:
+ - "postgresql-server"
+ - "postgresql-contrib"
+
+- name: See if postgreSQL is installed
+ stat: path=/var/lib/pgsql/initdb.log
+ register: pgsql_installed
+
+- name: init postgresql
+ shell: "postgresql-setup initdb"
+ when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+ copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+ notify:
+ - restart postgresql
+ tags:
+ - config
+
+- name: Ensure postgres has a place to backup to
+ file: dest=/backups state=directory owner=postgres
+ tags:
+ - config
+
+- name: Copy over backup scriplet
+ copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+ tags:
+ - config
+
+- name: Set up some cronjobs to backup databases as configured
+ template: >
+ src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+ dest="/etc/cron.d/cron-backup-database-{{ item }}"
+ with_items:
+ - "{{ dbs_to_backup }}"
+ when: dbs_to_backup != []
+ tags:
+ - config
+
+- name: enable Pg service
+ service: state=started enabled=yes name=postgresql
+
+- name: Create db
+ postgresql_db: name="waiverdb" encoding='UTF-8'
+ become: yes
+ become_user: postgres
+
+- name: Create db user
+ postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+ become: yes
+ become_user: postgres
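Review bot: The `Create db user` task creates `wavierdb-user` (transposed letters, hyphen) while templates/etc/waiverdb/settings.py.j2 connects as `waiverdb_user`, so the application will try to authenticate as a role that does not exist; pick one spelling, e.g. `name="waiverdb_user"`, and use it in both places. The role also gets `role_attr_flags=SUPERUSER`, which an application account should not need; create the role with `NOSUPERUSER` and make it the owner of the database (`postgresql_db: name=waiverdb owner=waiverdb_user`, run after the user task) so it has DDL and data rights without server-level privileges such as reading and writing host files. Separately, `dbs_to_backup` is consumed by the cron task but is not set in this role's defaults, so the include fails unless the host or group vars provide it.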
diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
new file mode 100644
index 000000000..d5d013974
--- /dev/null
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
@@ -0,0 +1,39 @@
+# HTTP server
+# rewrite to HTTPS
+server {
+ listen 80;
+ server_name {{service_name}};
+ return 301 https://$server_name$request_uri;
+}
+# HTTPs server
+server {
+ listen 443;
+ server_name {{ service_name }};
+
+ ssl on;
+ ssl_certificate /etc/nginx/conf.d/ssl.pem;
+ ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+
+ ssl_session_timeout 5m;
+
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+ location /api {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://unix:/run/waiverdb/socket:/api;
+ }
+}
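Review bot: The comment above `ssl_protocols TLSv1.1 TLSv1.2;` says this is the Mozilla "modern" configuration, but that profile is TLS 1.2 only and TLS 1.1 is deprecated; either drop it (`ssl_protocols TLSv1.2;`) or change the comment to name the profile actually used. `server_name {{service_name}}` relies on a variable that this role's defaults do not define, so rendering fails unless the host supplies it; add a default or document the requirement. `listen 443;` with `ssl on;` is the older form; `listen 443 ssl;` is the current one and avoids the deprecated directive. No task in this role installs this template, so presumably the nginx role does; worth confirming.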
diff --git a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
new file mode 100644
index 000000000..83dc8b0ed
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
@@ -0,0 +1,11 @@
+{
+ "web": {
+ "auth_uri": "{{ waiverdb_oidc_auth_uri }}",
+ "client_id": "{{ waiverdb_oidc_client_id }}",
+ "client_secret": "{{ waiverdb_oidc_client_secret }}",
+ "redirect_uris": [],
+ "token_uri": "{{ waiverdb_oidc_token_uri }}",
+ "token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
+ "userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
+ }
+}
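Review bot: The templated values are dropped directly between JSON quotes, so a `client_secret` or URI containing `"` or `\` produces invalid JSON that the OIDC client cannot parse; the defaults file in this same commit already carries such a stray `"` in `waiverdb_oidc_userinfo_uri`. Render each value through the JSON filter and drop the hand-written quotes, e.g. `"client_secret": {{ waiverdb_oidc_client_secret | to_json }},`, so escaping is handled for you. `redirect_uris` is an empty list; if the service only performs token introspection that is fine, but a short comment in the defaults file would make the intent clear since JSON itself cannot carry one.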
diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
new file mode 100644
index 000000000..67ce5c8b5
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
@@ -0,0 +1,2 @@
+SECRET_KEY = '{{ waiverdb_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
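Review bot: The second line is truncated: the Jinja expression `{{ waiverdb_db_port }` closes with a single brace and the Python string literal is never closed, so the template either fails to render or produces a settings file that fails to import. It should be `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`. The URI carries no password and no host, so it depends on the `trust` entries in pg_hba.conf for a socket connection; if that file is tightened to `peer`/`md5`, a password from a new variable (e.g. `waiverdb_user:{{ waiverdb_db_password }}@`, name to be added to the defaults) or a matching OS user is needed here. The role name also disagrees with the `wavierdb-user` created in psql_setup.yml.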