WIP: config for new nodejs.org server

setup/ansible-inventory

@@ -69,6 +69,9 @@ iojs-ns-pi2-5
 [iojs-www]
 iojs-www
 
+[node-www]
+node-www
+
 [iojs-jenkins]
 iojs-jenkins
 
@@ -79,6 +82,7 @@ iojs-build-ubuntu1204
 iojs-build-debian8
 iojs-build-containers
 iojs-www
+node-www
 iojs-jenkins
 iojs-armv7-wheezy
 

setup/raspberry-pi/ansible-playbook.yaml

@@ -80,14 +80,19 @@
       tags: jenkins
 
     - name: git | Install required packages for git compile
-      apt: name=gettext update_cache=yes state=latest
+      apt: name={{ item }} update_cache=yes state=latest
+      with_items:
+        - gettext
+        - libcurl4-openssl-dev
       tags: git
 
     - name: git | Download, compile and install git 2.5
-      shell: curl https://www.kernel.org/pub/software/scm/git/git-2.5.0.tar.xz -O && \
+      shell: rm -rf git-2.5.0* && \
+        curl https://www.kernel.org/pub/software/scm/git/git-2.5.0.tar.xz -O && \
         tar -xvf git-2.5.0.tar.xz && \
         cd git-2.5.0/ && \
         ./configure --prefix=/usr --with-gitconfig=/etc/gitconfig && \
         make && \
-        sudo make install
+        sudo make install && \
+        rm -rf git-2.5.0*
       tags: git

setup/www/ansible-playbook.yaml

@@ -1,118 +1,38 @@
 ---
-- hosts: iojs-www
-
+- hosts: node-www
   remote_user: root
 
   tasks:
     - include_vars: ansible-vars.yaml
       tags: vars
 
-    - name: General | APT Update
-      apt: update_cache=yes
-      tags: general
-
-    - name: General | APT Upgrade
-      apt: upgrade=full
-      tags: general
-
-    - name: Node.js | Add the NodeSource Node.js repo
-      command: "bash -c 'curl -sL https://deb.nodesource.com/setup | bash -'"
-      tags: node
-
-    - name: General | Install required packages
-      apt: name={{ item }} update_cache=yes state=latest
-      with_items: packages
-      tags: general
-
-    - name: User | Add {{ server_user }} user
-      user: name="{{ server_user }}" shell=/bin/bash
-      tags: user
-
-    - name: User | Download pubkey(s)
-      get_url: url=https://github.com/{{ item }}.keys dest=/tmp/{{ item }}.keys
-      delegate_to: 127.0.0.1
-      with_items: ssh_users
-      tags: user
-
-    - name: General | Create authorized_keys for root
-      authorized_key: user="root" key="{{ lookup('file', '/tmp/' + item + '.keys') }}"
-      with_items: ssh_users
+    - include: tasks/user.yaml
       tags: user
 
-    - name: General | Create authorized_keys for {{ server_user }}
-      authorized_key: user="{{ server_user }}" key="{{ lookup('file', '/tmp/' + item + '.keys') }}"
-      with_items: ssh_users
-      tags: user
-
-    - name: GitHub Webhook | Install github-webhook
-      command: "npm install github-webhook -g"
-      tags: webhook
-
-    - name: GitHub Webhook | Copy config
-      copy: src=./resources/github-webhook.json dest=/etc/github-webhook.json mode=0644
-      tags: webhook
-
-    - name: GitHub Webhook | Copy secret to config
-      replace: dest=/etc/github-webhook.json regexp="\{\{github_secret\}\}" replace="{{ github_secret }}"
-      tags: webhook
-
-    - name: GitHub Webhook | Copy update command to config
-      replace: dest=/etc/github-webhook.json regexp="\{\{update_command\}\}" replace="{{ update_command }}"
-      tags: webhook
-
-    - name: GitHub Webhook | Copy Upstart config
-      copy: src=./resources/github-webhook.conf dest=/etc/init/github-webhook.conf mode=0644
-      tags: webhook
-
-    - name: GitHub Webhook | Start service
-      service: name=github-webhook state=started
-      tags: webhook
+    - include: tasks/docker.yaml
+      tags: docker
 
-    - name: Setup | Initial clone
-      remote_user: "{{ server_user }}"
-      command: "bash -c '{{ clone_command }}'"
+    - include: tasks/site-setup.yaml
       tags: setup
 
-    - name: Setup | Initial update
-      remote_user: "{{ server_user }}"
-      command: "bash -c '{{ update_command }}'"
-      tags: setup
-
-    - name: nginx | Copy site config
-      copy: src=./resources/iojs.org dest=/etc/nginx/sites-available/iojs.org mode=0644
-      tags: nginx
+    - include: tasks/cloudfuse.yaml
+      tags: cloudfuse
 
-    - name: nginx | Create config symlink
-      file: src=/etc/nginx/sites-available/iojs.org dest=/etc/nginx/sites-enabled/00-iojs.org state=link
-      tags: nginx
-
-    - name: nginx | Generate DH params
-      command: "bash -c 'mkdir -p /etc/nginx/ssl/ && openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096'"
-      tags: nginx
+    - include: tasks/webhook.yaml
+      tags: webhook
 
-    - name: nginx | Copy site certificates
-      copy: src=./resources/{{ item }} dest=/etc/nginx/ssl/{{ item }} mode=0644
-      with_items:
-        - iojs_chained.crt
-        - iojs.key
+    - include: tasks/nginx.yaml
       tags: nginx
 
-    - name: nginx | Delete default config
-      file: path=/etc/nginx/sites-enabled/default state=absent
-      tags: nginx
+    - include: tasks/dist-indexer.yaml
+      tags: dist-indexer
 
-    - name: nginx | Add .pkg mime-type
-      lineinfile: dest=/etc/nginx/mime.types line='application/octet-stream pkg;' insertafter='^types.*'
-      tags: nginx
+    - include: tasks/nightly-builder.yaml
+      tags: nightly-builder
 
-    - name: nginx | Add .xz mime-type
-      lineinfile: dest=/etc/nginx/mime.types line='application/x-xz xz;' insertafter='^types.*'
-      tags: nginx
+    - include: tasks/promote.yaml
+      tags: promote
 
-    - name: nginx | Use official .gz mime-type
-      lineinfile: dest=/etc/nginx/mime.types line='application/gzip gz;' insertafter='^types.*'
-      tags: nginx
+    - include: tasks/latest-linker.yaml
+      tags: latest-linker
 
-    - name: nginx | Restart service
-      service: name=nginx state=restarted
-      tags: webhook

setup/www/ansible-vars.yaml

@@ -1,9 +1,17 @@
 ---
-server_user: iojs
-ssh_users:
+server_user: nodejs
+root_users:
+  - rvagg
+  - jbergstroem
+  - orangemocha
+dist_users:
+  - cjihrig
+  - chrisdickinson
+  - sam-github
+  - fishrock123
+  - jasnell
   - rvagg
-  - indutny
 packages:
-  - nodejs
+  - iojs
   - nginx
   - git

setup/www/host_vars/.gitignore

@@ -1 +1 @@
-iojs-www
+node-www

setup/www/host_vars/node-www.tmpl

@@ -0,0 +1,8 @@
+---
+github_secret: "INSERT SECRET FROM WEBHOOK HERE"
+cdn_api_key: "INSERT CLOUDFLARE API KEY"
+cdn_api_email: "INSERT CLOUDFLARE API EMAIL"
+cdn_api_iojs_id: "INSERT CLOUDFLARE API iojs.org ID"
+cdn_api_nodejs_id: "INSERT CLOUDFLARE API nodejs.org ID"
+cloudfuse_user: "INSERT RACKSPACE CLOUD USERNAME"
+cloudfuse_key: "INSERT RACKSPACE CLOUD API KEY"

setup/www/resources/.gitignore

@@ -1,2 +1,3 @@
-iojs_chained.crt
-iojs.key
+*.crt
+*.key
+*.pem

setup/www/resources/config/.cloudfuse

@@ -0,0 +1,3 @@
+username={{ cloudfuse_user }}
+api_key={{ cloudfuse_key }}
+region=IAD

setup/www/resources/github-webhook.conf → setup/www/resources/config/github-webhook.conf

@@ -4,6 +4,6 @@ stop on runlevel [!2345]
 respawn
 respawn limit 10 5
 
-setuid iojs
+setuid nodejs
 
 exec github-webhook --config /etc/github-webhook.json

setup/www/resources/config/github-webhook.json

@@ -0,0 +1,18 @@
+{
+  "port": 9999,
+  "path": "/webhook",
+  "secret": "{{github_secret}}",
+  "log": "/home/nodejs/github-webhook.log",
+  "rules": [
+    {
+      "event": "push",
+      "match": "ref == \"refs/heads/master\" && repository.full_name == \"nodejs/new.nodejs.org\"",
+      "exec": "/home/nodejs/build-site.sh nodejs"
+    },
+    {
+      "event": "push",
+      "match": "ref == \"refs/heads/master\" && repository.full_name == \"nodejs/iojs.org\"",
+      "exec": "/home/nodejs/build-site.sh iojs"
+    }
+  ]
+}

setup/www/resources/config/iojs.org

@@ -0,0 +1,105 @@
+server {
+    listen 80;
+    listen iojs.org:80;
+    server_name iojs.org www.iojs.org;
+
+    return 301 https://iojs.org$request_uri;
+}
+
+server {
+    listen 443 ssl spdy;
+    listen iojs.org:443 ssl spdy;
+    server_name iojs.org www.iojs.org;
+
+    ssl_certificate ssl/iojs_chained.crt;
+    ssl_certificate_key ssl/iojs.key;
+    ssl_trusted_certificate ssl/iojs_chained.crt;
+    ssl_dhparam ssl/dhparam.pem;
+
+    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 24h;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    spdy_keepalive_timeout 300;
+    spdy_headers_comp 9;
+
+    keepalive_timeout 60;
+    server_tokens off;
+
+    resolver 8.8.4.4 8.8.8.8 valid=300s;
+    resolver_timeout 10s;
+
+    add_header Strict-Transport-Security max-age=63072000;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+
+    access_log /var/log/nginx/iojs.org-access.log nodejs;
+    error_log /var/log/nginx/iojs.org-error.log;
+
+    gzip on;
+    gzip_static on;
+    gzip_disable "MSIE [1-6]\.";
+    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+    if ($host ~* ^www\.){
+        rewrite ^(.*)$ https://iojs.org$1;
+    }
+
+    root /home/www/iojs;
+    default_type text/plain;
+    index index.html;
+
+    location / {
+        rewrite ^/$ /en/ redirect;
+
+        location ~ \.json$ {
+            add_header access-control-allow-origin *;
+        }
+    }
+
+    location /download {
+        alias /home/dist/iojs;
+        autoindex on;
+        default_type text/plain;
+
+        location ~ \.json$ {
+            add_header access-control-allow-origin *;
+        }
+    }
+
+    location /dist {
+        alias /home/dist/iojs/release/;
+        autoindex on;
+        default_type text/plain;
+
+        location ~ \.json$ {
+            add_header access-control-allow-origin *;
+        }
+    }
+
+    location /docs {
+        alias /home/dist/iojs/docs/;
+        autoindex on;
+        default_type text/html;
+
+        location ~ \.json$ {
+            add_header access-control-allow-origin *;
+        }
+    }
+
+    location /api {
+        alias /home/dist/iojs/docs/latest/api;
+        autoindex on;
+        default_type text/plain;
+
+        location ~ \.json$ {
+            add_header access-control-allow-origin *;
+        }
+    }
+}

setup/www/resources/config/logrotate-nginx

@@ -0,0 +1,24 @@
+/var/log/nginx/*.log {
+        daily
+        missingok
+        compresscmd /usr/bin/xz
+        uncompresscmd /usr/bin/unxz
+        compressext .xz
+        compress
+        delaycompress
+        notifempty
+        create 0640 www-data adm
+        dateext
+        dateformat .%Y%m%d.%s
+        dateyesterday
+        maxsize 500M
+        sharedscripts
+        prerotate
+                if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+                        run-parts /etc/logrotate.d/httpd-prerotate; \
+                fi \
+        endscript
+        postrotate
+                [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
+        endscript
+}