From a249ab3e59afb6a786d679299fc7ceb0a553591f Mon Sep 17 00:00:00 2001
From: Disassembler
Date: Mon, 11 Sep 2017 16:19:46 +0200
Subject: [PATCH] Move Pandora heredoc to separate files, add nginx configuration

---
 50-pandora.sh | 67 +++---------------
 pandora/etc/nginx/sites-available/pandora | 69 +++++++++++++++++++
 pandora/pandora.gpg | 13 ++++
 pandora/srv/pandora/pandora/local_settings.py | 15 ++++
 pandora/tmp/pandora-createdb.sql | 6 ++
 5 files changed, 114 insertions(+), 56 deletions(-)
 create mode 100644 pandora/etc/nginx/sites-available/pandora
 create mode 100644 pandora/pandora.gpg
 create mode 100644 pandora/srv/pandora/pandora/local_settings.py
 create mode 100644 pandora/tmp/pandora-createdb.sql

diff --git a/50-pandora.sh b/50-pandora.sh
index 0799d69..39963e9 100644
--- a/50-pandora.sh
+++ b/50-pandora.sh
@@ -1,22 +1,10 @@
 #!/bin/bash
+SOURCE_DIR=$(realpath $(dirname "${0}"))
+
 # Add pandora repository
 echo "deb http://ppa.launchpad.net/j/pandora/ubuntu zesty main" > /etc/apt/sources.list.d/pandora.list
-apt-key add - </tmp/pandora-createdb.sql
-CREATE ROLE pandora NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED PASSWORD '${PANDORA_PWD}';
-CREATE DATABASE pandora;
-REVOKE ALL ON DATABASE pandora FROM public;
-ALTER DATABASE pandora OWNER TO pandora;
-\c pandora;
-CREATE EXTENSION pg_trgm;
-EOF
+envsubst <${SOURCE_DIR}/pandora/tmp/pandora-createdb.sql >/tmp/pandora-createdb.sql
 sudo -u postgres psql -f /tmp/pandora-createdb.sql
 rm -f /tmp/pandora-createdb.sql
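Review bot: The new `envsubst ... >/tmp/pandora-createdb.sql` line writes the rendered role password in clear text into a file created with the installer's default umask, so it is readable by any local user until the `rm -f` two lines later; the temp file is not needed at all, because psql reads a script from stdin: `envsubst <"${SOURCE_DIR}/pandora/tmp/pandora-createdb.sql" | sudo -u postgres psql -f -`. `SOURCE_DIR=$(realpath $(dirname "${0}"))` leaves the inner substitution unquoted, so a checkout path containing spaces breaks every later `${SOURCE_DIR}` reference; `SOURCE_DIR=$(realpath "$(dirname "${0}")")` is the safe form. The middle of this hunk appears truncated in this rendering (the text between `apt-key add -` and `/tmp/pandora-createdb.sql` is missing), so I cannot see how the new `pandora/pandora.gpg` file is consumed or whether the key import got a fingerprint check.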
@@ -58,36 +39,8 @@ export PANDORA_BROKER_URL="amqp://pandora:${PANDORA_RABBIT_PWD}@localhost:5672//
 # Configure Pandora
 mkdir /srv/pandora/data
 cp /srv/pandora/pandora/config.pandora.jsonc /srv/pandora/pandora/config.jsonc
-sed 's/127.0.0.1/0.0.0.0/' /srv/pandora/pandora/gunicorn_config.py.in >/srv/pandora/pandora/gunicorn_config.py
-
-cat </srv/pandora/pandora/local_settings.py
-DATABASES = {
- 'default': {
- 'NAME': 'pandora',
- 'ENGINE': 'django.db.backends.postgresql_psycopg2',
- 'USER': 'pandora',
- 'PASSWORD': '${PANDORA_PWD}',
- }
-}
-DB_GIN_TRGM = True
-BROKER_URL = '${PANDORA_BROKER_URL}'
-
-XACCELREDIRECT = True
-MEDIA_URL = '/pandora/data/'
-STATIC_URL = '/pandora/static/'
-
-WEBSOCKET = True
-WEBSOCKET_ADDRESS = "0.0.0.0"
-
-DEBUG = False
-TEMPLATE_DEBUG = DEBUG
-JSON_DEBUG = False
-EOF
-
-sed -i "s|url(r'^|url(r'^pandora/|g" /srv/pandora/pandora/urls.py
-sed -i 's|href="/|href="/pandora/|g' /srv/pandora/pandora/templates/*.html
-sed -i 's|src="/|src="/pandora/|g' /srv/pandora/pandora/templates/*.html
-sed -i "s|build_absolute_uri('/|build_absolute_uri('/pandora/|g" ./item/views.py ./item/tasks.py ./archive/views.py ./user/views.py ./app/views.py ./text/views.py
+cp /srv/pandora/pandora/gunicorn_config.py.in /srv/pandora/pandora/gunicorn_config.py
+envsubst <${SOURCE_DIR}/pandora/srv/pandora/pandora/local_settings.py >/srv/pandora/pandora/local_settings.py
 
 # Create OS user
 adduser --system --group --home /srv/pandora --shell /bin/false pandora
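Review bot: The rendered `/srv/pandora/pandora/local_settings.py` holds the database password and the broker URL (which, per this hunk's header context, embeds `PANDORA_RABBIT_PWD`), and the new `envsubst ... >` redirection creates it with the installer's default umask, so it is most likely world-readable unless a step outside this hunk tightens it. Creating it as `(umask 077; envsubst <"${SOURCE_DIR}/pandora/srv/pandora/pandora/local_settings.py" >/srv/pandora/pandora/local_settings.py)` and then, after the `adduser` below, `chown pandora:pandora /srv/pandora/pandora/local_settings.py` and `chmod 0640 /srv/pandora/pandora/local_settings.py` limits it to the service account (assuming the services run as that user; the unit files are not in this patch). `envsubst` called without a variable list replaces every `${NAME}` or `$NAME` it finds in the template, so restricting it to `envsubst '${PANDORA_PWD} ${PANDORA_BROKER_URL}'` avoids silently blanking any other `$` token that ends up in the settings file. Both new `${SOURCE_DIR}` uses in this hunk are unquoted.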
@@ -102,11 +55,13 @@ cp /srv/pandora/etc/tmpfiles.d/pandora.conf /etc/tmpfiles.d/
 systemd-tmpfiles --create /etc/tmpfiles.d/pandora.conf
 systemctl daemon-reload
 
+# Create nginx site definition
+cp ${SOURCE_DIR}/pandora/etc/nginx/sites-available/pandora /etc/nginx/sites-available/pandora
+ln -s /etc/nginx/sites-available/pandora /etc/nginx/sites-enabled/pandora
+
 # Start services
 for SERVICE in "pandora pandora-tasks pandora-encoding pandora-cron pandora-websocketd"; do
 systemctl enable ${SERVICE}
 systemctl start ${SERVICE}
 done
-
-# TODO: LXC
-# TODO: nginx configuration
+systemctl restart nginx
diff --git a/pandora/etc/nginx/sites-available/pandora b/pandora/etc/nginx/sites-available/pandora
new file mode 100644
index 0000000..367b36c
--- /dev/null
+++ b/pandora/etc/nginx/sites-available/pandora
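Review bot: `systemctl restart nginx` is issued right after enabling the new site without validating the configuration, so a broken site file — or the `/etc/ssl/certs/services.pem` / `/etc/ssl/private/services.key` pair the new config references but this script does not appear to create — takes down every site nginx serves on the host, not just this one; `nginx -t && systemctl restart nginx` fails closed and leaves the running instance untouched when the new config does not load. `ln -s` without `-f` also makes the script abort on a second run once the link exists; `ln -sf /etc/nginx/sites-available/pandora /etc/nginx/sites-enabled/pandora` keeps it re-runnable. On the context lines, `for SERVICE in "pandora pandora-tasks ..."` loops once over the whole quoted string, so `systemctl enable`/`start` receive a single space-containing unit name; that predates this change but means the services this hunk depends on probably never start.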
@@ -0,0 +1,69 @@
+server {
+ listen 8001 ssl http2;
+ listen [::]:8001 ssl http2;
+
+ ssl_certificate /etc/ssl/certs/services.pem;
+ ssl_certificate_key /etc/ssl/private/services.key;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ access_log /var/log/nginx/pandora.access.log;
+ error_log /var/log/nginx/pandora.error.log;
+
+ location /favicon.ico {
+ root /srv/pandora/static;
+ }
+
+ location /static/ {
+ root /srv/pandora;
+ autoindex off;
+ }
+
+ location /data/ {
+ internal;
+ root /srv/pandora;
+ }
+
+ location /api/ws/ {
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Proxy "";
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_read_timeout 999999999;
+ proxy_pass http://127.0.0.1:2622/;
+ }
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_set_header Host $http_host;
+ proxy_set_header Proxy "";
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ if (!-f $request_filename) {
+ proxy_pass http://127.0.0.1:2620;
+ break;
+ }
+ client_max_body_size 32m;
+ }
+
+ error_page 400 /;
+ error_page 404 /404.html;
+ location /404.html {
+ root /srv/pandora/static/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location /50x.html {
+ root /srv/pandora/static/html;
+ }
+}
diff --git a/pandora/pandora.gpg b/pandora/pandora.gpg
new file mode 100644
index 0000000..1325978
--- /dev/null
+++ b/pandora/pandora.gpg
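Review bot: `proxy_set_header X-Forwarded-Proto http;` in `location /` is wrong for a server block that only listens with `ssl`: the backend is told every request arrived over plain HTTP, so absolute URLs, redirects and any secure-cookie / HTTPS-only logic in the application are built for the wrong scheme; it should be `proxy_set_header X-Forwarded-Proto $scheme;` (or the literal `https`). `location /` sets no `root`, so `if (!-f $request_filename)` is evaluated against nginx's compiled-in default document root; on a stock Debian/Ubuntu package a request such as `/index.html` would match a file there and be served instead of proxied, so either give the block an explicit `root` or drop the file test so the behaviour does not depend on what happens to sit in the default root. The websocket block `location /api/ws/` forwards `Host` but, unlike `location /`, no `X-Forwarded-For`, so the application's logging for websocket connections will see `127.0.0.1`; adding `proxy_set_header X-Forwarded-For $remote_addr;` there keeps the two blocks consistent.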
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mI0ESXYhEgEEALl9jDTdmgpApPbjN+7b85dC92HisPUp56ifEkKJOBj0X5HhRqxs
+Wjx/zlP4/XJGrHnxJyrdPxjSwAXz7bNdeggkN4JWdusTkr5GOXvggQnng0X7f/rX
+oJwoEGtYOCODLPs6PC0qjh5yPzJVeiRsKUOZ7YVNnwNwdfS4D8RZvtCrABEBAAG0
+FExhdW5jaHBhZCBQUEEgZm9yIGpeiLYEEwECACAFAkl2IRICGwMGCwkIBwMCBBUC
+CAMEFgIDAQIeAQIXgAAKCRAohRM8AZde82FfA/9OB/64/YLaCpizHZ8f6DK3rGgF
+e6mX3rFK8yOKGGL06316VhDzfzMiZSauUZ0t+lKHR/KZYeSaFwEoUoblTG/s4IIo
+9aBMHWhVXJW6eifKUmTGqEn2/0UxoWQq2C3F6njMkCaP+ALOD5uzaSYGdjqAUAwS
+pAAGSEQ4uz6bYSeM4Q==
+=SM2a
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/pandora/srv/pandora/pandora/local_settings.py b/pandora/srv/pandora/pandora/local_settings.py
new file mode 100644
index 0000000..514542c
--- /dev/null
+++ b/pandora/srv/pandora/pandora/local_settings.py
@@ -0,0 +1,15 @@
+DATABASES = {
+ 'default': {
+ 'NAME': 'pandora',
+ 'ENGINE': 'django.db.backends.postgresql_psycopg2',
+ 'USER': 'pandora',
+ 'PASSWORD': '${PANDORA_PWD}',
+ }
+}
+BROKER_URL = '${PANDORA_BROKER_URL}'
+DB_GIN_TRGM = True
+XACCELREDIRECT = True
+
+DEBUG = False
+TEMPLATE_DEBUG = DEBUG
+JSON_DEBUG = False
diff --git a/pandora/tmp/pandora-createdb.sql b/pandora/tmp/pandora-createdb.sql
new file mode 100644
index 0000000..b77b77c
--- /dev/null
+++ b/pandora/tmp/pandora-createdb.sql
@@ -0,0 +1,6 @@
+CREATE ROLE pandora NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED PASSWORD '${PANDORA_PWD}';
+CREATE DATABASE pandora;
+REVOKE ALL ON DATABASE pandora FROM public;
+ALTER DATABASE pandora OWNER TO pandora;
+\c pandora;
+CREATE EXTENSION pg_trgm;
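Review bot: The public-key packet at the top of this armor (`mI0ESXYhEgEEALl9...`) decodes to a 1024-bit RSA key created in 2009 — `gpg --list-packets pandora/pandora.gpg` will confirm — which is below the 2048-bit floor generally expected of repository signing keys today and, as far as I know, is flagged as weak by recent apt releases. Because this file becomes the trust anchor for every package the installer pulls from the PPA, it is worth checking whether Launchpad now publishes a stronger signing key for this archive and recording the expected fingerprint in a comment next to the import in `50-pandora.sh`, so that a future replacement of this file is a deliberate, reviewable change. Vendoring the key instead of fetching it at install time is the right direction; the note is only about the strength and provenance of what is being vendored.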
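Review bot: `${PANDORA_PWD}` and `${PANDORA_BROKER_URL}` are substituted by envsubst as raw text into single-quoted Python literals, so a generated value containing `'` or `\` yields a settings file that fails to import or carries a different password than the one given to PostgreSQL; the same applies to `ENCRYPTED PASSWORD '${PANDORA_PWD}'` in `pandora/tmp/pandora-createdb.sql` in this commit. For the SQL file the substitution can be avoided entirely by passing the value as a psql variable — `sudo -u postgres psql -v pw="$PANDORA_PWD" -f ...` with `ENCRYPTED PASSWORD :'pw';` in the script — which psql quotes correctly; for this Python file the installer should at least refuse to render a value containing those characters. Nothing in the file says it is a template, so someone reading the installed copy cannot tell the values came from the installer; a first-line comment such as `# envsubst template rendered by 50-pandora.sh; ${...} tokens are replaced at install time` would make that explicit.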