Initial commit

roles/newsreader/templates/celery.env.j2

@@ -0,0 +1,30 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# Name of nodes to start
+CELERYD_NODES="worker1 worker2"
+
+CELERY_BIN="{{ app_dir }}/.venv/bin/celery"
+
+CELERY_APP="newsreader"
+
+# The scheduler to be used.
+# See https://docs.celeryproject.org/en/stable/userguide/configuration.html#beat-scheduler
+CELERY_SCHEDULER="django_celery_beat.schedulers:DatabaseScheduler"
+
+# How to call manage.py
+CELERYD_MULTI="multi"
+
+# Extra command-line arguments to the worker
+CELERYD_OPTS="--time-limit=300 --concurrency=8"
+
+# - %I will be replaced with the current child process index
+#   and is important when using the prefork pool to avoid race conditions.
+CELERYD_PID_FILE="/run/celery/%n.pid"
+
+CELERYD_LOG_LEVEL="INFO"
+CELERYD_LOG_FILE="/dev/null"
+
+# you may wish to add these options for Celery Beat
+CELERYBEAT_PID_FILE="/run/celery/beat.pid"
+
+DJANGO_SETTINGS_MODULE="newsreader.conf.production"

roles/newsreader/templates/celery.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+[Unit]
+Description=Celery Service
+After=systemd-networkd-wait-online.service
+
+[Service]
+Type=forking
+User=newsreader
+Group=newsreader
+SyslogIdentifier=celery
+EnvironmentFile=/home/newsreader/.config/conf.d/celery
+RuntimeDirectory=celery
+WorkingDirectory={{ app_dir }}/src
+ExecStart=/bin/sh -c '${CELERY_BIN} multi start ${CELERYD_NODES} \
+  -A ${CELERY_APP} --pidfile=${CELERYD_PID_FILE} \
+  --loglevel=${CELERYD_LOG_LEVEL} --logfile=${CELERYD_LOG_FILE} ${CELERYD_OPTS}'
+ExecStop=/bin/sh -c '${CELERY_BIN} multi stopwait ${CELERYD_NODES} \
+  --pidfile=${CELERYD_PID_FILE}'
+ExecReload=/bin/sh -c '${CELERY_BIN} multi restart ${CELERYD_NODES} \
+  -A ${CELERY_APP} --pidfile=${CELERYD_PID_FILE} \
+  --loglevel=${CELERYD_LOG_LEVEL} --logfile=${CELERYD_LOG_FILE} ${CELERYD_OPTS}'
+
+[Install]
+WantedBy=multi-user.target

roles/newsreader/templates/celerybeat.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+[Unit]
+Description=Celery Beat Service
+After=celery.service
+
+[Service]
+Type=simple
+User=newsreader
+Group=newsreader
+EnvironmentFile=/home/newsreader/.config/conf.d/celery
+RuntimeDirectory=celery
+WorkingDirectory={{ app_dir }}/src
+ExecStart=/bin/sh -c '${CELERY_BIN} beat  \
+  -A ${CELERY_APP} -S ${CELERY_SCHEDULER} --pidfile=${CELERYBEAT_PID_FILE} \
+  --loglevel=${CELERYD_LOG_LEVEL} --logfile=${CELERYD_LOG_FILE}'
+
+[Install]
+WantedBy=multi-user.target

roles/newsreader/templates/env.j2

@@ -0,0 +1,19 @@
+POSTGRES_HOST="{{ pgbouncer_listen_address }}"
+POSTGRES_PORT="{{ pgbouncer_port }}"
+POSTGRES_NAME="{{ pgbouncer_name }}"
+POSTGRES_USER="{{ pgbouncer_user }}"
+POSTGRES_PASSWORD="{{ pgbouncer_password }}"
+
+DJANGO_SETTINGS_MODULE="{{ django_settings_module }}"
+DJANGO_SECRET_KEY="{{ django_secret_key }}"
+
+REDDIT_CLIENT_ID="{{ reddit_client_id }}"
+REDDIT_CLIENT_SECRET="{{ reddit_client_secret }}"
+REDDIT_CALLBACK_URL="{{ reddit_callback_url }}"
+
+TWITTER_CONSUMER_ID="{{ twitter_client_id }}"
+TWITTER_CONSUMER_SECRET="{{ twitter_client_secret }}"
+TWITTER_REDIRECT_URL="{{ twitter_redirect_url }}"
+
+SENTRY_DSN="{{ sentry_dsn }}"
+ADMINS="{{ admins }}"

roles/newsreader/templates/gunicorn-socket.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+[Unit]
+Description=Gunicorn socket
+
+[Socket]
+ListenStream=/run/gunicorn.sock
+User=www-data
+
+[Install]
+WantedBy=sockets.target

roles/newsreader/templates/gunicorn.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+[Unit]
+Description=Gunicorn daemon
+Requires=gunicorn.socket
+After=network.target
+
+[Service]
+User=newsreader
+Group=www-data
+EnvironmentFile={{ app_dir }}/.env
+WorkingDirectory={{ app_dir }}/src
+ExecStart={{ app_dir }}/.venv/bin/gunicorn \
+					--workers 3 \
+					--bind unix:/run/gunicorn.sock \
+					newsreader.wsgi:application
+
+[Install]
+WantedBy=multi-user.target

roles/newsreader/templates/limits.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# see https://www.rabbitmq.com/install-debian.html#kernel-resource-limits
+#
+[Service]
+LimitNOFILE=64000

roles/newsreader/templates/memcached.j2

@@ -0,0 +1,52 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# memcached default config file
+# 2003 - Jay Bonci <jaybonci@debian.org>
+# This configuration file is read by the start-memcached script provided as
+# part of the Debian GNU/Linux distribution.
+
+# Run memcached as a daemon. This command is implied, and is not needed for the
+# daemon to run. See the README.Debian that comes with this package for more
+# information.
+-d
+
+# Log memcached's output to /var/log/memcached
+logfile /var/log/memcached.log
+
+# Be verbose
+# -v
+
+# Be even more verbose (print client commands as well)
+# -vv
+
+# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
+# Note that the daemon will grow to this size, but does not start out holding this much
+# memory
+-m 64
+
+# Default connection port is 11211
+-p 11211
+
+# Run the daemon as root. The start-memcached will default to running as root if no
+# -u command is present in this config file
+-u memcache
+
+# Specify which IP address to listen on. The default is to listen on all IP addresses
+# This parameter is one of the only security measures that memcached has, so make sure
+# it's listening on a firewalled interface.
+-l 127.0.0.1
+
+# Limit the number of simultaneous incoming connections. The daemon default is 1024
+# -c 1024
+
+# Lock down all paged memory. Consult with the README and homepage before you do this
+# -k
+
+# Return error when memory is exhausted (rather than removing items)
+# -M
+
+# Maximize core file limit
+# -r
+
+# Use a pidfile
+-P /var/run/memcached/memcached.pid

roles/newsreader/templates/nftables.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+
+		# accept any localhost traffic
+		iif lo accept
+
+		# accept traffic originated from us
+		ct state { established, related } accept
+
+		tcp dport { 22, 80, 443 } accept
+	}
+}

roles/newsreader/templates/nginx.j2

@@ -0,0 +1,30 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+server {
+	listen 80;
+	server_name {{ hostname }};
+	return 301 https://$server_name$request_uri;
+}
+
+server {
+	listen 443 ssl;
+	server_name {{ hostname }};
+
+	ssl_certificate /etc/ssl/{{ app_name }}/{{ app_name }}.crt;
+	ssl_certificate_key /etc/ssl/{{ app_name }}/local.pem;
+
+	access_log /var/log/nginx/{{ app_name }}.log;
+	error_log /var/log/nginx/{{ app_name }}.log;
+
+	location /static/ {
+		root /srv/sites/newsreader;
+	}
+
+	location / {
+		include proxy_params;
+
+		proxy_redirect off;
+
+		proxy_pass http://unix:/run/gunicorn.sock;
+	}
+}

roles/newsreader/templates/pgbouncer-users.j2

@@ -0,0 +1 @@
+"{{ pgbouncer_user }}" "{{ pgbouncer_password }}"

roles/newsreader/templates/pgbouncer.j2

@@ -0,0 +1,352 @@
+;; {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+;;
+;; database name = connect string
+;;
+;; connect string params:
+;;   dbname= host= port= user= password=
+;;   client_encoding= datestyle= timezone=
+;;   pool_size= connect_query=
+;;   auth_user=
+[databases]
+newsreader = host={{ postgres_host }} port={{ postgres_port }} dbname={{ postgres_db }} user={{ postgres_user }} password={{ postgres_password }}
+
+; foodb over Unix socket
+;foodb =
+
+; redirect bardb to bazdb on localhost
+;bardb = host=localhost dbname=bazdb
+
+; access to dest database will go with single user
+;forcedb = host=127.0.0.1 port=300 user=baz password=foo client_encoding=UNICODE datestyle=ISO connect_query='SELECT 1'
+
+; use custom pool sizes
+;nondefaultdb = pool_size=50 reserve_pool=10
+
+; use auth_user with auth_query if user not present in  auth_file
+; auth_user must exist in auth_file
+; foodb = auth_user=bar
+
+; fallback connect string
+;* = host=testserver
+
+;; Configuration section
+[pgbouncer]
+
+;;;
+;;; Administrative settings
+;;;
+
+logfile = /var/log/postgresql/pgbouncer.log
+pidfile = /var/run/postgresql/pgbouncer.pid
+
+;;;
+;;; Where to wait for clients
+;;;
+
+; IP address or * which means all IPs
+listen_addr = {{ pgbouncer_listen_address }}
+listen_port = {{ pgbouncer_port }}
+
+; Unix socket is also used for -R.
+; On Debian it should be /var/run/postgresql
+;unix_socket_dir = /tmp
+;unix_socket_mode = 0777
+;unix_socket_group =
+unix_socket_dir = /var/run/postgresql
+
+;;;
+;;; TLS settings for accepting clients
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+;client_tls_sslmode = disable
+
+;; Path to file that contains trusted CA certs
+;client_tls_ca_file = <system default>
+
+;; Private key and cert to present to clients.
+;; Required for accepting TLS connections from clients.
+;client_tls_key_file =
+;client_tls_cert_file =
+
+;; fast, normal, secure, legacy, <ciphersuite string>
+;client_tls_ciphers = fast
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2
+;client_tls_protocols = all
+
+;; none, auto, legacy
+;client_tls_dheparams = auto
+
+;; none, auto, <curve name>
+;client_tls_ecdhcurve = auto
+
+;;;
+;;; TLS settings for connecting to backend databases
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+server_tls_sslmode = require
+
+;; Path to that contains trusted CA certs
+;server_tls_ca_file = <system default>
+
+;; Private key and cert to present to backend.
+;; Needed only if backend server require client cert.
+;server_tls_key_file =
+;server_tls_cert_file =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2
+server_tls_protocols = secure
+
+;; fast, normal, secure, legacy, <ciphersuite string>
+;server_tls_ciphers = fast
+
+;;;
+;;; Authentication settings
+;;;
+
+; any, trust, plain, crypt, md5, cert, hba, pam
+auth_type = trust
+auth_file = /etc/pgbouncer/userlist.txt
+
+;; Path to HBA-style auth config
+;auth_hba_file =
+
+;; Query to use to fetch password from database.  Result
+;; must have 2 columns - username and password hash.
+;auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
+
+;;;
+;;; Users allowed into database 'pgbouncer'
+;;;
+
+; comma-separated list of users, who are allowed to change settings
+;admin_users = user2, someadmin, otheradmin
+
+; comma-separated list of users who are just allowed to use SHOW command
+;stats_users = stats, root
+
+;;;
+;;; Pooler personality questions
+;;;
+
+; When server connection is released back to pool:
+;   session      - after client disconnects
+;   transaction  - after transaction finishes
+;   statement    - after statement finishes
+pool_mode = session
+
+;
+; Query for cleaning connection immediately after releasing from client.
+; No need to put ROLLBACK here, pgbouncer does not reuse connections
+; where transaction is left open.
+;
+; Query for 8.3+:
+;   DISCARD ALL;
+;
+; Older versions:
+;   RESET ALL; SET SESSION AUTHORIZATION DEFAULT
+;
+; Empty if transaction pooling is in use.
+;
+server_reset_query = DISCARD ALL
+
+
+; Whether server_reset_query should run in all pooling modes.
+; If it is off, server_reset_query is used only for session-pooling.
+;server_reset_query_always = 0
+
+;
+; Comma-separated list of parameters to ignore when given
+; in startup packet.  Newer JDBC versions require the
+; extra_float_digits here.
+;
+;ignore_startup_parameters = extra_float_digits
+
+;
+; When taking idle server into use, this query is ran first.
+;   SELECT 1
+;
+;server_check_query = select 1
+
+; If server was used more recently that this many seconds ago,
+; skip the check query.  Value 0 may or may not run in immediately.
+;server_check_delay = 30
+
+; Close servers in session pooling mode after a RECONNECT, RELOAD,
+; etc. when they are idle instead of at the end of the session.
+;server_fast_close = 0
+
+;; Use <appname - host> as application_name on server.
+;application_name_add_host = 0
+
+;;;
+;;; Connection limits
+;;;
+
+; total number of clients that can connect
+max_client_conn = 100
+
+; default pool size.  20 is good number when transaction pooling
+; is in use, in session pooling it needs to be the number of
+; max clients you want to handle at any moment
+default_pool_size = 20
+
+;; Minimum number of server connections to keep in pool.
+;min_pool_size = 0
+
+; how many additional connection to allow in case of trouble
+;reserve_pool_size = 0
+
+; if a clients needs to wait more than this many seconds, use reserve pool
+;reserve_pool_timeout = 5
+
+; how many total connections to a single database to allow from all pools
+;max_db_connections = 0
+;max_user_connections = 0
+
+; If off, then server connections are reused in LIFO manner
+;server_round_robin = 0
+
+;;;
+;;; Logging
+;;;
+
+;; Syslog settings
+;syslog = 0
+;syslog_facility = daemon
+;syslog_ident = pgbouncer
+
+; log if client connects or server connection is made
+;log_connections = 1
+
+; log if and why connection was closed
+;log_disconnections = 1
+
+; log error messages pooler sends to clients
+;log_pooler_errors = 1
+
+;; Period for writing aggregated stats into log.
+;stats_period = 60
+
+;; Logging verbosity.  Same as -v switch on command line.
+;verbose = 0
+
+;;;
+;;; Timeouts
+;;;
+
+;; Close server connection if its been connected longer.
+;server_lifetime = 3600
+
+;; Close server connection if its not been used in this time.
+;; Allows to clean unnecessary connections from pool after peak.
+;server_idle_timeout = 600
+
+;; Cancel connection attempt if server does not answer takes longer.
+;server_connect_timeout = 15
+
+;; If server login failed (server_connect_timeout or auth failure)
+;; then wait this many second.
+;server_login_retry = 15
+
+;; Dangerous.  Server connection is closed if query does not return
+;; in this time.  Should be used to survive network problems,
+;; _not_ as statement_timeout. (default: 0)
+;query_timeout = 0
+
+;; Dangerous.  Client connection is closed if the query is not assigned
+;; to a server in this time.  Should be used to limit the number of queued
+;; queries in case of a database or network failure. (default: 120)
+;query_wait_timeout = 120
+
+;; Dangerous.  Client connection is closed if no activity in this time.
+;; Should be used to survive network problems. (default: 0)
+;client_idle_timeout = 0
+
+;; Disconnect clients who have not managed to log in after connecting
+;; in this many seconds.
+;client_login_timeout = 60
+
+;; Clean automatically created database entries (via "*") if they
+;; stay unused in this many seconds.
+; autodb_idle_timeout = 3600
+
+;; How long SUSPEND/-R waits for buffer flush before closing connection.
+;suspend_timeout = 10
+
+;; Close connections which are in "IDLE in transaction" state longer than
+;; this many seconds.
+;idle_transaction_timeout = 0
+
+;;;
+;;; Low-level tuning options
+;;;
+
+;; buffer for streaming packets
+;pkt_buf = 4096
+
+;; man 2 listen
+;listen_backlog = 128
+
+;; Max number pkt_buf to process in one event loop.
+;sbuf_loopcnt = 5
+
+;; Maximum PostgreSQL protocol packet size.
+;max_packet_size = 2147483647
+
+;; networking options, for info: man 7 tcp
+
+;; Linux: notify program about new connection only if there
+;; is also data received.  (Seconds to wait.)
+;; On Linux the default is 45, on other OS'es 0.
+;tcp_defer_accept = 0
+
+;; In-kernel buffer size (Linux default: 4096)
+;tcp_socket_buffer = 0
+
+;; whether tcp keepalive should be turned on (0/1)
+;tcp_keepalive = 1
+
+;; The following options are Linux-specific.
+;; They also require tcp_keepalive=1.
+
+;; count of keepalive packets
+;tcp_keepcnt = 0
+
+;; how long the connection can be idle,
+;; before sending keepalive packets
+;tcp_keepidle = 0
+
+;; The time between individual keepalive probes.
+;tcp_keepintvl = 0
+
+;; DNS lookup caching time
+;dns_max_ttl = 15
+
+;; DNS zone SOA lookup period
+;dns_zone_check_period = 0
+
+;; DNS negative result caching time
+;dns_nxdomain_ttl = 15
+
+;;;
+;;; Random stuff
+;;;
+
+;; Hackish security feature.  Helps against SQL-injection - when PQexec is disabled,
+;; multi-statement cannot be made.
+;disable_pqexec = 0
+
+;; Config file to use for next RELOAD/SIGHUP.
+;; By default contains config file from command line.
+;conffile
+
+;; Win32 service name to register as.  job_name is alias for service_name,
+;; used by some Skytools scripts.
+;service_name = pgbouncer
+;job_name = pgbouncer
+
+;; Read additional config from the /etc/pgbouncer/pgbouncer-other.ini file
+;%include /etc/pgbouncer/pgbouncer-other.ini

roles/newsreader/templates/rabbitmq.conf.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# Defaults to rabbit. This can be useful if you want to run more than one node
+# per machine - RABBITMQ_NODENAME should be unique per erlang-node-and-machine
+# combination. See the clustering on a single machine guide for details:
+# http://www.rabbitmq.com/clustering.html#single-machine
+#NODENAME=rabbit
+
+# By default RabbitMQ will bind to all interfaces, on IPv4 and IPv6 if
+# available. Set this if you only want to bind to one network interface or#
+# address family.
+#NODE_IP_ADDRESS=127.0.0.1
+
+# Defaults to 5672.
+#NODE_PORT=5672
+
+# Fix rabbitmq name resolution
+HOSTNAME=localhost

roles/newsreader/templates/sudoers.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+ansible ALL = (newsreader:newsreader) NOPASSWD: ALL