├── .gitignore
├── README.md
├── Vagrantfile
└── provisioning
    ├── group_vars
    │   └── all
    ├── roles
    │   ├── celery
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │       └── celery.sh
    │   ├── common
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   └── tasks
    │   │       └── main.yml
    │   ├── gunicorn
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │       ├── gunicorn.conf.py
    │   │       └── gunicorn.sh
    │   ├── nginx
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │       └── django
    │   ├── postgresql
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   └── tasks
    │   │       └── main.yml
    │   ├── python-utils
    │   │   └── tasks
    │   │       └── main.yml
    │   ├── redis
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │       └── redis.conf
    │   ├── supervisor
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │       ├── celery.conf
    │   │       ├── gunicorn.conf
    │   │       └── redis.conf
    │   ├── users
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   └── tasks
    │   │       └── main.yml
    │   └── webapp
    │       └── tasks
    │           └── main.yml
    └── site.yml

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Django configuration and keys
config_keys

# Ignore bundler config
/bin
/.bundle
/.vagrant
/.vagrantfile

# Ignore virtualenv
/venv

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
About
=====

This repo is an [in-house project](http://dgnest.com) made with ♥ that tries to make our lives easier. You don't know how much time we wasted doing this stuff by hand a few years ago. So, be patient, we are still working on it.

Features:

+ Deployment server: **Ubuntu 12.04 LTS**


Getting started
===============

In order to provision, first we have to [generate our ssh keys](https://help.github.com/articles/generating-ssh-keys).
Then copy your SSH public key and put it into your remote repository for SSH deployment.
Note that we will use the [SSH agent forwarding](https://developer.github.com/guides/managing-deploy-keys/#ssh-agent-forwarding) strategy to deploy our keys.

```bash
$ cat ~/.ssh/id_rsa.pub
```

This procedure is executed just once.



Prepare the Nest
================

Set your local environment with the variables below. I strongly recommend
using [virtualenvwrapper](http://virtualenvwrapper.readthedocs.org/en/latest/)
for this purpose. I am using it and all my virtualenv variables are set in
the *postactivate* script.

```bash
# Linux User.
export USER=mynewuser
...
```
Check [this](http://docs.ansible.com/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module) out in order to generate user passwords.

```bash
...
export PASSWORD='$6$rounds=100000$.8vhLbNWv7YaHkVb$ALN9H7/4qzVPO83eT1tiT5o4EI9EpBuOo6B53JYcDEXU5Tn2ZMbdlxOCkCaHDnDeJenURpZaX5L3GGlW03s/d1'
export ROOT_PASSWORD='$6$rounds=100000$.8vhLbNWv7YaHkVb$ALN9H7/4qzVPO83eT1tiT5o4EI9EpBuOo6B53JYcDEXU5Tn2ZMbdlxOCkCaHDnDeJenURpZaX5L3GGlW03s/d1'

# Api keys local filepath.
export API_KEY_LOCALPATH='~/projects/django-provision/provisioning/config_keys'
# RSA keys for SSH authentication.
export RSA_PUB_KEY_LOCALPATH='~/.ssh/id_rsa.pub'
export RSA_PRIV_KEY_LOCALPATH='~/.ssh/id_rsa'

# Postgres role.
export POSTGRES_ROLE=mynewrol
...
```

Check [this](http://docs.ansible.com/postgresql_user_module.html) out to generate encrypted passwords.

```bash
...
export POSTGRES_ROLE_PASSWORD=mypassword
# Postgres database.
export DB_NAME=mydb
export DB_HOST=localhost
export DB_PORT=5432

# Git Repo.
export REPOSITORY="git@remote-host.com:username/myrepo.git"
export REPOSITORY_NAME="myrepo"
export DEPLOYMENT_BRANCH="master"
export REMOTE_HOST="remote-host.com"
```

All these environment variables are mapped into the file
*provisioning/group_vars/all*, so you are free to modify it.


Provisioning with Ansible into a Virtual Machine (VM) using vagrant:
====================================================================

```bash
# Bringing VM 'default' up with 'virtualbox' provider.
$ vagrant up
# Provision our VM with ansible.
$ vagrant provision
```

More info:

+ [Ansible DOC](http://docs.ansible.com/guide_vagrant.html)
+ [Vagrant DOC](http://docs.vagrantup.com/v2/provisioning/ansible.html)

Provisioning with Ansible into a VPS:
=====================================

Before this step, you need to [set your inventory](http://docs.ansible.com/intro_inventory.html).
Then, go inside the directory named **provisioning** and
*let the hacking begin* with this command.

```bash
$ ansible-playbook -vvvv -u remote_user_name --sudo site.yml
# Examples:
$ ansible-playbook -vvvv -u root --sudo site.yml
$ ansible-playbook -vvvv -u dgnest --sudo site.yml
```

Running our Django Project
==========================

Inside our guest machine (vagrant) run *su newuser* to log in as our
deployment user (newuser). Finally enter the virtualenv and run the basics.

```bash
$ cd ~ && source venv/bin/activate
# Go inside your repo.
$ python manage.py runserver localhost:9000
```

To check it from a browser on the host machine, open the VM's private address:

```bash
192.168.33.10
```
---

--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # All Vagrant configuration is done here. The most common configuration
  # options are documented and commented below. For a complete reference,
  # please see the online documentation at vagrantup.com.

  # Every Vagrant virtual environment requires a box to build off of.
  config.vm.box = "hashicorp/precise64"

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # If true, then any SSH connections made will enable agent forwarding.
  # Default value: false
  # config.ssh.forward_agent = true

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  config.vm.synced_folder "data/", "/vagrant_data"

  # Ansible configuration.
  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "provisioning/site.yml"
    ansible.verbose = 'vvvv'
  end

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  # config.vm.provider "virtualbox" do |vb|
  #   # Don't boot with headless mode
  #   vb.gui = true
  #
  #   # Use VBoxManage to customize the VM. For example to change memory:
  #   vb.customize ["modifyvm", :id, "--memory", "1024"]
  # end
  #
  # View the documentation for the provider you're using for more
  # information on available options.

  # Enable provisioning with CFEngine. CFEngine Community packages are
  # automatically installed. For example, configure the host as a
  # policy server and optionally a policy file to run:
  #
  # config.vm.provision "cfengine" do |cf|
  #   cf.am_policy_hub = true
  #   # cf.run_file = "motd.cf"
  # end
  #
  # You can also configure and bootstrap a client to an existing
  # policy server:
  #
  # config.vm.provision "cfengine" do |cf|
  #   cf.policy_server_address = "10.0.2.15"
  # end

  # Enable provisioning with Puppet stand alone. Puppet manifests
  # are contained in a directory path relative to this Vagrantfile.
  # You will need to create the manifests directory and a manifest in
  # the file default.pp in the manifests_path directory.
  #
  # config.vm.provision "puppet" do |puppet|
  #   puppet.manifests_path = "manifests"
  #   puppet.manifest_file  = "site.pp"
  # end

  # Enable provisioning with chef solo, specifying a cookbooks path, roles
  # path, and data_bags path (all relative to this Vagrantfile), and adding
  # some recipes and/or roles.
  #
  # config.vm.provision "chef_solo" do |chef|
  #   chef.cookbooks_path = "../my-recipes/cookbooks"
  #   chef.roles_path = "../my-recipes/roles"
  #   chef.data_bags_path = "../my-recipes/data_bags"
  #   chef.add_recipe "mysql"
  #   chef.add_role "web"
  #
  #   # You may also specify custom JSON attributes:
  #   chef.json = { mysql_password: "foo" }
  # end

  # Enable provisioning with chef server, specifying the chef server URL,
  # and the path to the validation key (relative to this Vagrantfile).
  #
  # The Opscode Platform uses HTTPS. Substitute your organization for
  # ORGNAME in the URL and validation key.
  #
  # If you have your own Chef Server, use the appropriate URL, which may be
  # HTTP instead of HTTPS depending on your configuration. Also change the
  # validation key to validation.pem.
  #
  # config.vm.provision "chef_client" do |chef|
  #   chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME"
  #   chef.validation_key_path = "ORGNAME-validator.pem"
  # end
  #
  # If you're using the Opscode platform, your validator client is
  # ORGNAME-validator, replacing ORGNAME with your organization name.
  #
  # If you have your own Chef Server, the default validation client name is
  # chef-validator, unless you changed the configuration.
  #
  #   chef.validation_client_name = "ORGNAME-validator"
end

--------------------------------------------------------------------------------
/provisioning/group_vars/all:
--------------------------------------------------------------------------------
# Linux user.
user: "{{ lookup('env','USER') }}"
# User password.
password: "{{ lookup('env','PASSWORD') }}"
root_password: "{{ lookup('env','ROOT_PASSWORD') }}"

# Api keys local filepath.
api_key_filepath: "{{ lookup('env','API_KEY_LOCALPATH') }}"
# RSA keys for SSH authentication.
rsa_pub_key_filepath: "{{ lookup('env','RSA_PUB_KEY_LOCALPATH') }}"
rsa_priv_key_filepath: "{{ lookup('env','RSA_PRIV_KEY_LOCALPATH') }}"

# Postgres role.
psql_role: "{{ lookup('env','POSTGRES_ROLE') }}"
psql_role_password: "{{ lookup('env','POSTGRES_ROLE_PASSWORD') }}"
# Postgres database.
db_name: "{{ lookup('env','DB_NAME') }}"
db_host: "{{ lookup('env','DB_HOST') }}"
db_port: "{{ lookup('env','DB_PORT') }}"

# Git repository.
repository: "{{ lookup('env','REPOSITORY') }}"
repository_name: "{{ lookup('env','REPOSITORY_NAME') }}"
deployment_branch: "{{ lookup('env','DEPLOYMENT_BRANCH') }}"
remote_host: "{{ lookup('env','REMOTE_HOST') }}"
--------------------------------------------------------------------------------
/provisioning/roles/celery/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: copy celery config files
  template:
    src: "celery.sh"
    dest: "/home/{{ user }}"
    mode: 0755
--------------------------------------------------------------------------------
/provisioning/roles/celery/templates/celery.sh:
--------------------------------------------------------------------------------
#!/bin/bash
echo "Starting celery"

# Activate the virtual environment
cd /home/{{ user }}
source venv/bin/activate
# Go to the main level of manage.py of your django project
cd /home/{{ user }}/{{ repository_name }}/{{ repository_name }}

# Change repository_name for the celery app instantiated
exec celery -A {{ repository_name }} worker --loglevel=info
--------------------------------------------------------------------------------
/provisioning/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: ensure fail2ban
  service: name=fail2ban state=restarted enabled=yes
--------------------------------------------------------------------------------
/provisioning/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: update apt cache and all packages to the latest version
  apt: upgrade=dist update_cache=yes cache_valid_time=43200

- name: Install git
  apt: pkg=git state=latest

- name: Install fail2ban
  apt: pkg=fail2ban state=latest
  notify:
    - ensure fail2ban

- name: install packages
  apt: pkg={{ item }} state=latest
  with_items:
    - build-essential
    - tree
    - psmisc
    - chkrootkit
    - ufw
    - curl
    - gnupg
    - zip
    - rsync
    - wget
    - cron
    - keychain

- name: Install vim
  apt: pkg=vim state=latest
--------------------------------------------------------------------------------
/provisioning/roles/gunicorn/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: copy gunicorn start script
  template:
    src: "gunicorn.sh"
    dest: "/home/{{ user }}"
    mode: 0755

- name: copy gunicorn config file
  template:
    src: "gunicorn.conf.py"
    dest: "/home/{{ user }}"
--------------------------------------------------------------------------------
/provisioning/roles/gunicorn/templates/gunicorn.conf.py:
--------------------------------------------------------------------------------
import multiprocessing


bind = "127.0.0.1:9000"
max_requests = 1000
# worker_class = 'gevent'
workers = multiprocessing.cpu_count() * 2 + 1
--------------------------------------------------------------------------------
/provisioning/roles/gunicorn/templates/gunicorn.sh:
--------------------------------------------------------------------------------
#!/bin/bash
echo "Starting gunicorn"

# Activate the virtual environment
cd /home/{{ user }}
source venv/bin/activate
cd /home/{{ user }}/{{ repository_name }}/{{ repository_name }}

exec gunicorn \
    --name=django_project \
    --config /home/{{ user }}/gunicorn.conf.py \
    dgnest.wsgi:application
--------------------------------------------------------------------------------
/provisioning/roles/nginx/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: start nginx
  service: name=nginx state=started

- name: restart nginx
  service: name=nginx state=restarted
--------------------------------------------------------------------------------
/provisioning/roles/nginx/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Installs nginx web server
  apt: pkg=nginx state=latest
  notify:
    - start nginx

- name: setup nginx configuration
  template: src=django dest='/etc/nginx/sites-enabled/django'
  notify:
    - restart nginx
--------------------------------------------------------------------------------
/provisioning/roles/nginx/templates/django:
--------------------------------------------------------------------------------
upstream app_server {
    server 127.0.0.1:9000 fail_timeout=0;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 4G;
    server_name _;

    keepalive_timeout 5;

    # Your Django project's media files - amend as required
    # location /media {
    #     alias /home/django/django_project/django_project/media;
    # }

    # your Django project's static files - amend as required
    # location /static {
    #     alias /home/django/django_project/django_project/static;
    # }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}
--------------------------------------------------------------------------------
/provisioning/roles/postgresql/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: restart postgres
  service: name=postgresql state=restarted enabled=yes

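Added example, not part of this repository: a preflight script for the variables the README's "Prepare the Nest" section asks you to export. `provisioning/group_vars/all` reads each of them with `lookup('env', ...)`, and an unset variable silently becomes an empty string, so these checks fail the run before `ansible-playbook` does anything. The variable names are the repository's; the function names and the temp-file handling are mine.

```shell
#!/usr/bin/env bash
# preflight.sh: run before `ansible-playbook ... site.yml`.
# Added example, not part of the django-provision repository.
#
# group_vars/all fills every variable with lookup('env', NAME). For an unset
# NAME that lookup yields "", so a forgotten export provisions the Linux user
# with an empty password hash or the Postgres role with an empty password
# without any error from Ansible. These checks make that a hard failure.

# Every variable the README's "Prepare the Nest" section exports
# (names taken from provisioning/group_vars/all).
REQUIRED_VARS="USER PASSWORD ROOT_PASSWORD API_KEY_LOCALPATH \
RSA_PUB_KEY_LOCALPATH RSA_PRIV_KEY_LOCALPATH POSTGRES_ROLE \
POSTGRES_ROLE_PASSWORD DB_NAME DB_HOST DB_PORT REPOSITORY \
REPOSITORY_NAME DEPLOYMENT_BRANCH REMOTE_HOST"

# Print the names of required variables that are unset or empty, one per
# line. Returns 1 if any is missing, 0 otherwise.
missing_vars() {
  missing=0
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"   # indirect lookup, POSIX sh compatible
    if [ -z "$value" ]; then
      echo "$name"
      missing=1
    fi
  done
  return "$missing"
}

# The user module writes the password field verbatim into /etc/shadow, so it
# must already be a crypt(3) hash. The Ansible FAQ recipe the README links to
# produces SHA-512 crypt: $6$[rounds=N$]salt$hash. Returns 0 for that shape,
# 1 for anything else (a plaintext password here would never match a login).
is_sha512_crypt() {
  case "$1" in
    '$6$'*'$'*) return 0 ;;
    *)          return 1 ;;
  esac
}

# A private key that is about to be copied to the server must exist and be
# readable by its owner only (group/other bits all clear, i.e. 0600 or
# stricter). The README exports the path in single quotes, so a leading "~"
# arrives literally and is expanded here.
check_private_key() {
  f="$1"
  case "$f" in
    "~/"*) f="$HOME/${f#"~/"}" ;;
  esac
  if [ ! -f "$f" ]; then
    echo "private key not found: $f"
    return 1
  fi
  perm=$(ls -ld "$f" | cut -c5-10)   # group + other permission bits
  if [ "$perm" != "------" ]; then
    echo "private key $f is readable by group/others (mode bits: $perm)"
    return 1
  fi
  return 0
}

# Run every check; returns 0 only if all of them pass.
preflight() {
  ok=0
  missing_vars || ok=1
  is_sha512_crypt "${PASSWORD:-}" \
    || { echo "PASSWORD is not a \$6\$ crypt hash"; ok=1; }
  is_sha512_crypt "${ROOT_PASSWORD:-}" \
    || { echo "ROOT_PASSWORD is not a \$6\$ crypt hash"; ok=1; }
  check_private_key "${RSA_PRIV_KEY_LOCALPATH:-}" || ok=1
  return "$ok"
}

# Usage: source this file after your exports, then:
#   preflight && ansible-playbook -vvvv -u root --sudo site.yml
```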
--------------------------------------------------------------------------------
/provisioning/roles/postgresql/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Install postgresql
  apt: pkg={{ item }} state=latest
  with_items:
    - postgresql
    - postgresql-contrib
    - libpq-dev
  notify:
    - restart postgres

- name: Required for python
  pip: name=psycopg2

- name: Create a new database
  sudo_user: postgres
  postgresql_db:
    name: "{{ db_name }}"
    port: "{{ db_port }}"

- name: Ensure user has access to database
  sudo_user: postgres
  postgresql_user:
    db: "{{ db_name }}"
    name: "{{ psql_role }}"
    password: "{{ psql_role_password }}"
    priv: ALL
    # SUPERUSER gives the application role full control of the whole
    # cluster, not just db_name; a Django app only needs ALL on its database.
    role_attr_flags: SUPERUSER
--------------------------------------------------------------------------------
/provisioning/roles/python-utils/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Install packages needed for python development
  apt: pkg={{ item }} state=latest
  with_items:
    - python-setuptools
    - python-dev
    - python2.7-dev
    - python-software-properties
    - libpq-dev

- name: Install third-party libraries
  apt: pkg={{ item }} state=latest
  with_items:
    - libtiff4-dev
    - libjpeg8-dev
    - zlib1g-dev
    - libfreetype6-dev
    - liblcms2-dev
    - libwebp-dev
    - tcl8.5-dev
    - tk8.5-dev

- name: Install pip
  apt: pkg=python-pip state=latest

- name: Upgrade pip via pip
  pip: name=pip state=latest

- name: Install virtualenv via pip
  pip: name=virtualenv
--------------------------------------------------------------------------------
/provisioning/roles/redis/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: restart redis
  service: name=redis-server state=restarted enabled=yes
--------------------------------------------------------------------------------
/provisioning/roles/redis/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: install packages
  apt: pkg={{ item }} state=latest
  register: redis_install
  with_items:
    - tcl8.5
    - redis-server
  notify:
    - restart redis

- name: copy config template
  template:
    src: "redis.conf"
    dest: "/etc/redis/redis.conf"
  notify:
    - restart redis
--------------------------------------------------------------------------------
/provisioning/roles/redis/templates/redis.conf:
--------------------------------------------------------------------------------
# Redis configuration file example

# Note on units: when memory size is needed, it is possible to specify
# it in the usual form of 1k 5GB 4M and so forth:
#
# 1k => 1000 bytes
# 1kb => 1024 bytes
# 1m => 1000000 bytes
# 1mb => 1024*1024 bytes
# 1g => 1000000000 bytes
# 1gb => 1024*1024*1024 bytes
#
# units are case insensitive so 1GB 1Gb 1gB are all the same.

# By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
daemonize yes

# When running daemonized, Redis writes a pid file in /var/run/redis.pid by
# default. You can specify a custom pid file location here.
pidfile /var/run/redis/redis-server.pid

# Accept connections on the specified port, default is 6379.
# If port 0 is specified Redis will not listen on a TCP socket.
port 6379

# If you want you can bind a single interface, if the bind option is not
# specified all the interfaces will listen for incoming connections.
#
bind 127.0.0.1

# Specify the path for the unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
# unixsocket /var/run/redis/redis.sock

# Close the connection after a client is idle for N seconds (0 to disable)
timeout 300

# Set server verbosity to 'debug'
# it can be one of:
# debug (a lot of information, useful for development/testing)
# verbose (many rarely useful info, but not a mess like the debug level)
# notice (moderately verbose, what you want in production probably)
# warning (only very important / critical messages are logged)
loglevel notice

# Specify the log file name. Also 'stdout' can be used to force
# Redis to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
logfile /var/log/redis/redis-server.log

# To enable logging to the system logger, just set 'syslog-enabled' to yes,
# and optionally update the other syslog parameters to suit your needs.
# syslog-enabled no

# Specify the syslog identity.
# syslog-ident redis

# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0

# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 16

################################ SNAPSHOTTING #################################
#
# Save the DB on disk:
#
#   save <seconds> <changes>
#
#   Will save the DB if both the given number of seconds and the given
#   number of write operations against the DB occurred.
#
#   In the example below the behaviour will be to save:
#   after 900 sec (15 min) if at least 1 key changed
#   after 300 sec (5 min) if at least 10 keys changed
#   after 60 sec if at least 10000 keys changed
#
#   Note: you can disable saving at all commenting all the "save" lines.

save 900 1
save 300 10
save 60 10000

# Compress string objects using LZF when dump .rdb databases?
# For default that's set to 'yes' as it's almost always a win.
# If you want to save some CPU in the saving child set it to 'no' but
# the dataset will likely be bigger if you have compressible values or keys.
rdbcompression yes

# The filename where to dump the DB
dbfilename dump.rdb

# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# Also the Append Only File will be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir /var/lib/redis

################################# REPLICATION #################################

# Master-Slave replication. Use slaveof to make a Redis instance a copy of
# another Redis server. Note that the configuration is local to the slave
# so for example it is possible to configure the slave to save the DB with a
# different interval, or to listen to another port, and so on.
#
# slaveof <masterip> <masterport>

# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>

# When a slave lost the connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
#
# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will
#    still reply to client requests, possibly with out of date data, or the
#    data set may just be empty if this is the first synchronization.
#
# 2) if slave-serve-stale-data is set to 'no' the slave will reply with
#    an error "SYNC with master in progress" to all the kind of commands
#    but to INFO and SLAVEOF.
#
slave-serve-stale-data yes

################################## SECURITY ###################################

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared

# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will be still available for internal-use
# tools but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command renaming it into
# an empty string:
#
# rename-command CONFIG ""

################################### LIMITS ####################################

# Set the max number of connected clients at the same time. By default there
# is no limit, and it's up to the number of file descriptors the Redis process
# is able to open. The special value '0' means no limits.
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# maxclients 128

# Don't use more memory than the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys with an
# EXPIRE set. It will try to start freeing keys that are going to expire
# in little time and preserve keys with a longer time to live.
# Redis will also try to remove objects from free lists if possible.
#
# If all this fails, Redis will start to reply with errors to commands
# that will use more memory, like SET, LPUSH, and so on, and will continue
# to reply to most read-only commands like GET.
#
# WARNING: maxmemory can be a good idea mainly if you want to use Redis as a
# 'state' server or cache, not as a real DB. When Redis is used as a real
# database the memory usage will grow over the weeks, it will be obvious if
# it is going to use too much memory in the long run, and you'll have the time
# to upgrade. With maxmemory after the limit is reached you'll start to get
# errors for write operations, and this may even lead to DB inconsistency.
#
# maxmemory <bytes>

# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached? You can select among five behaviors:
#
# volatile-lru -> remove the key with an expire set using an LRU algorithm
# allkeys-lru -> remove any key accordingly to the LRU algorithm
# volatile-random -> remove a random key with an expire set
# allkeys-random -> remove a random key, any key
# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
# noeviction -> don't expire at all, just return an error on write operations
#
# Note: with all the kind of policies, Redis will return an error on write
#       operations, when there are not suitable keys for eviction.
#
#       At the date of writing these commands are: set setnx setex append
#       incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
#       sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
#       zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
#       getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy volatile-lru

# LRU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can select as well the sample
# size to check. For instance for default Redis will check three keys and
# pick the one that was used less recently, you can change the sample size
# using the following configuration directive.
#
# maxmemory-samples 3

############################## APPEND ONLY MODE ###############################

# By default Redis asynchronously dumps the dataset on disk. If you can live
# with the idea that the latest records will be lost if something like a crash
# happens this is the preferred way to run Redis. If instead you care a lot
# about your data and don't want a single record to get lost you should
# enable the append only mode: when this mode is enabled Redis will append
# every write operation received in the file appendonly.aof. This file will
# be read on startup in order to rebuild the full dataset in memory.
#
# Note that you can have both the async dumps and the append only file if you
# like (you have to comment the "save" statements above to disable the dumps).
# Still if append only mode is enabled Redis will load the data from the
# log file at startup ignoring the dump.rdb file.
#
# IMPORTANT: Check the BGREWRITEAOF to check how to rewrite the append
# log file in background when it gets too big.

appendonly no

# The name of the append only file (default: "appendonly.aof")
# appendfilename appendonly.aof

# The fsync() call tells the Operating System to actually write data on disk
# instead to wait for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
#
# Redis supports three different modes:
#
# no: don't fsync, just let the OS flush the data when it wants. Faster.
# always: fsync after every write to the append only log. Slow, Safest.
# everysec: fsync only if one second passed since the last fsync. Compromise.
#
# The default is "everysec" that's usually the right compromise between
# speed and data safety. It's up to you to understand if you can relax this to
# "no" that will let the operating system flush the output buffer when
# it wants, for better performances (but if you can live with the idea of
# some data loss consider the default persistence mode that's snapshotting),
# or on the contrary, use "always" that's very slow but a bit safer than
# everysec.
268 | # 269 | # If unsure, use "everysec". 270 | 271 | # appendfsync always 272 | appendfsync everysec 273 | # appendfsync no 274 | 275 | # When the AOF fsync policy is set to always or everysec, and a background 276 | # saving process (a background save or AOF log background rewriting) is 277 | # performing a lot of I/O against the disk, in some Linux configurations 278 | # Redis may block too long on the fsync() call. Note that there is no fix for 279 | # this currently, as even performing fsync in a different thread will block 280 | # our synchronous write(2) call. 281 | # 282 | # In order to mitigate this problem it's possible to use the following option 283 | # that will prevent fsync() from being called in the main process while a 284 | # BGSAVE or BGREWRITEAOF is in progress. 285 | # 286 | # This means that while another child is saving the durability of Redis is 287 | # the same as "appendfsync none", that in pratical terms means that it is 288 | # possible to lost up to 30 seconds of log in the worst scenario (with the 289 | # default Linux settings). 290 | # 291 | # If you have latency problems turn this to "yes". Otherwise leave it as 292 | # "no" that is the safest pick from the point of view of durability. 293 | no-appendfsync-on-rewrite no 294 | 295 | ################################ VIRTUAL MEMORY ############################### 296 | 297 | # Virtual Memory allows Redis to work with datasets bigger than the actual 298 | # amount of RAM needed to hold the whole dataset in memory. 299 | # In order to do so very used keys are taken in memory while the other keys 300 | # are swapped into a swap file, similarly to what operating systems do 301 | # with memory pages. 302 | # 303 | # To enable VM just set 'vm-enabled' to yes, and set the following three 304 | # VM parameters accordingly to your needs. 305 | 306 | vm-enabled no 307 | # vm-enabled yes 308 | 309 | # This is the path of the Redis swap file. 
As you can guess, swap files 310 | # can't be shared by different Redis instances, so make sure to use a swap 311 | # file for every redis process you are running. Redis will complain if the 312 | # swap file is already in use. 313 | # 314 | # The best kind of storage for the Redis swap file (that's accessed at random) 315 | # is a Solid State Disk (SSD). 316 | # 317 | # *** WARNING *** if you are using a shared hosting the default of putting 318 | # the swap file under /tmp is not secure. Create a dir with access granted 319 | # only to Redis user and configure Redis to create the swap file there. 320 | vm-swap-file /var/lib/redis/redis.swap 321 | 322 | # vm-max-memory configures the VM to use at max the specified amount of 323 | # RAM. Everything that deos not fit will be swapped on disk *if* possible, that 324 | # is, if there is still enough contiguous space in the swap file. 325 | # 326 | # With vm-max-memory 0 the system will swap everything it can. Not a good 327 | # default, just specify the max amount of RAM you can in bytes, but it's 328 | # better to leave some margin. For instance specify an amount of RAM 329 | # that's more or less between 60 and 80% of your free RAM. 330 | vm-max-memory 0 331 | 332 | # Redis swap files is split into pages. An object can be saved using multiple 333 | # contiguous pages, but pages can't be shared between different objects. 334 | # So if your page is too big, small objects swapped out on disk will waste 335 | # a lot of space. If you page is too small, there is less space in the swap 336 | # file (assuming you configured the same number of total swap file pages). 337 | # 338 | # If you use a lot of small objects, use a page size of 64 or 32 bytes. 339 | # If you use a lot of big objects, use a bigger page size. 340 | # If unsure, use the default :) 341 | vm-page-size 32 342 | 343 | # Number of total memory pages in the swap file. 
344 | # Given that the page table (a bitmap of free/used pages) is taken in memory, 345 | # every 8 pages on disk will consume 1 byte of RAM. 346 | # 347 | # The total swap size is vm-page-size * vm-pages 348 | # 349 | # With the default of 32-bytes memory pages and 134217728 pages Redis will 350 | # use a 4 GB swap file, that will use 16 MB of RAM for the page table. 351 | # 352 | # It's better to use the smallest acceptable value for your application, 353 | # but the default is large in order to work in most conditions. 354 | vm-pages 134217728 355 | 356 | # Max number of VM I/O threads running at the same time. 357 | # This threads are used to read/write data from/to swap file, since they 358 | # also encode and decode objects from disk to memory or the reverse, a bigger 359 | # number of threads can help with big objects even if they can't help with 360 | # I/O itself as the physical device may not be able to couple with many 361 | # reads/writes operations at the same time. 362 | # 363 | # The special value of 0 turn off threaded I/O and enables the blocking 364 | # Virtual Memory implementation. 365 | vm-max-threads 4 366 | 367 | ############################### ADVANCED CONFIG ############################### 368 | 369 | # Hashes are encoded in a special way (much more memory efficient) when they 370 | # have at max a given numer of elements, and the biggest element does not 371 | # exceed a given threshold. You can configure this limits with the following 372 | # configuration directives. 373 | hash-max-zipmap-entries 512 374 | hash-max-zipmap-value 64 375 | 376 | # Similarly to hashes, small lists are also encoded in a special way in order 377 | # to save a lot of space. 
The special representation is only used when 378 | # you are under the following limits: 379 | list-max-ziplist-entries 512 380 | list-max-ziplist-value 64 381 | 382 | # Sets have a special encoding in just one case: when a set is composed 383 | # of just strings that happens to be integers in radix 10 in the range 384 | # of 64 bit signed integers. 385 | # The following configuration setting sets the limit in the size of the 386 | # set in order to use this special memory saving encoding. 387 | set-max-intset-entries 512 388 | 389 | # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in 390 | # order to help rehashing the main Redis hash table (the one mapping top-level 391 | # keys to values). The hash table implementation redis uses (see dict.c) 392 | # performs a lazy rehashing: the more operation you run into an hash table 393 | # that is rhashing, the more rehashing "steps" are performed, so if the 394 | # server is idle the rehashing is never complete and some more memory is used 395 | # by the hash table. 396 | # 397 | # The default is to use this millisecond 10 times every second in order to 398 | # active rehashing the main dictionaries, freeing memory when possible. 399 | # 400 | # If unsure: 401 | # use "activerehashing no" if you have hard latency requirements and it is 402 | # not a good thing in your environment that Redis can reply form time to time 403 | # to queries with 2 milliseconds delay. 404 | # 405 | # use "activerehashing yes" if you don't have such hard requirements but 406 | # want to free memory asap when possible. 407 | activerehashing yes 408 | 409 | ################################## INCLUDES ################################### 410 | 411 | # Include one or more other config files here. This is useful if you 412 | # have a standard template that goes to all redis server but also need 413 | # to customize a few per-server settings. Include files can include 414 | # other files, so use this wisely. 
#
# include /path/to/local.conf
# include /path/to/other.conf
-------------------------------------------------------------------------------- /provisioning/roles/supervisor/handlers/main.yml: --------------------------------------------------------------------------------
---

- name: restart supervisor
  service: name=supervisor state=restarted enabled=yes
-------------------------------------------------------------------------------- /provisioning/roles/supervisor/tasks/main.yml: --------------------------------------------------------------------------------
---

- name: installing supervisor
  apt: pkg=supervisor state=present

# Logs belong to the deploy user and are not world-readable: tracebacks from
# gunicorn and celery can contain request data and secrets.
- name: create log directory
  file:
    path: "/home/{{ user }}/logs"
    state: directory
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0750

- name: create log files
  file:
    path: "/home/{{ user }}/logs/{{ item }}"
    state: touch
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0640
  with_items:
    - 'gunicorn.err.log'
    - 'gunicorn.out.log'
    - 'celery.err.log'
    - 'celery.out.log'

- name: copy supervisor program definitions
  template:
    src: "{{ item }}"
    dest: "/etc/supervisor/conf.d/{{ item }}"
  with_items:
    - 'gunicorn.conf'
    - 'celery.conf'
  notify:
    - restart supervisor

- name: make sure gunicorn and celery are running under supervisor
  supervisorctl:
    name: "{{ item }}"
    state: started
  with_items:
    - 'gunicorn'
    - 'celery'
-------------------------------------------------------------------------------- /provisioning/roles/supervisor/templates/celery.conf: --------------------------------------------------------------------------------
[program:celery]

; supervisor runs this as root unless user= is set here or the wrapper
; script drops privileges itself.
command=/home/{{ user }}/celery.sh

numprocs=1
stderr_logfile=/home/{{ user }}/logs/celery.err.log
stdout_logfile=/home/{{ user }}/logs/celery.out.log

autostart=true
autorestart=true
startsecs=10

; Need to wait for currently executing tasks to finish at shutdown.
; Increase this if you have very long running tasks.
stopwaitsecs = 600

; When resorting to sending SIGKILL to the program to terminate it,
; send SIGKILL to its whole process group instead,
; taking care of its children as well.
killasgroup=true

; supervisor starts lower priority numbers first: if the broker (redis here)
; is supervised, give it a number below 998 so it is up before celery.
priority=998
-------------------------------------------------------------------------------- /provisioning/roles/supervisor/templates/gunicorn.conf: --------------------------------------------------------------------------------
[program:gunicorn]
; supervisor runs this as root unless user= is set here or the wrapper
; script drops privileges itself.
command=/home/{{ user }}/gunicorn.sh
autostart=true
autorestart=true
stderr_logfile=/home/{{ user }}/logs/gunicorn.err.log
stdout_logfile=/home/{{ user }}/logs/gunicorn.out.log
-------------------------------------------------------------------------------- /provisioning/roles/supervisor/templates/redis.conf: --------------------------------------------------------------------------------
[program:redis]
command=/usr/bin/redis-server /etc/redis/redis.conf
autostart=true
autorestart=true
; stdout goes to the .out log and stderr to the .err log (they were swapped).
stdout_logfile=/home/{{ user }}/logs/redis.out.log
stderr_logfile=/home/{{ user }}/logs/redis.err.log
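The redis.conf template above documents the eviction policies, the AOF fsync modes and the warning about a swap file under /tmp, but nothing in the role checks the rendered file. The following is an added example for this page (not code from the repository) that parses a redis.conf and reports those weak spots; it also handles the `save ""` form that disables snapshotting, which the template does not mention. The directive names and defaults are Redis 2.x; the sample input is constructed.

```python
"""Audit a rendered redis.conf for the settings the template above documents.

Added example for this page, not code from the repository. The directive
names and defaults are Redis 2.x; SAMPLE_CONF below is a constructed input.
"""
import shlex

# The six maxmemory policies Redis accepts (the template's comment block
# originally mis-spelled one of them as "allkeys->random").
VALID_POLICIES = {
    "volatile-lru", "allkeys-lru", "volatile-random",
    "allkeys-random", "volatile-ttl", "noeviction",
}

# Values Redis assumes when the directive is absent from the file.
DEFAULTS = {
    "maxmemory-policy": "volatile-lru",
    "appendonly": "no",
    "appendfsync": "everysec",
    "vm-enabled": "no",
    "vm-swap-file": "/tmp/redis.swap",
}

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_redis_conf(text):
    """Map directive -> value. Comments are skipped and a directive given
    twice keeps its last value, as in Redis. 'save' may repeat, so its
    arguments are collected in a list; 'save ""' clears the list."""
    conf = dict(DEFAULTS)
    conf["save"] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the quotes in: save ""
        except ValueError:             # unbalanced quote: fall back to whitespace split
            parts = line.split()
        name, value = parts[0].lower(), " ".join(parts[1:])
        if name == "save":
            conf["save"] = conf["save"] + [value] if value else []
        else:
            conf[name] = value
    return conf


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = conf["maxmemory-policy"]
    if policy not in VALID_POLICIES:
        findings.append("maxmemory-policy %r is not a policy Redis accepts" % policy)
    if conf["appendonly"] == "no" and not conf["save"]:
        findings.append("appendonly no with no save points: the dataset is never "
                        "written to disk")
    if conf["appendonly"] == "yes" and conf["appendfsync"] == "no":
        findings.append("appendfsync no: the AOF is never fsynced, a crash loses "
                        "whatever the kernel had buffered")
    if conf["vm-enabled"] == "yes":
        swap = conf["vm-swap-file"]
        if swap.startswith(WORLD_WRITABLE_DIRS):
            findings.append("vm-swap-file %s lives in a world-writable directory; "
                            "it contains dataset contents" % swap)
    return findings


# Constructed sample: each non-comment line trips one check.
SAMPLE_CONF = """\
# lines like this are ignored
maxmemory-policy allkeys->random
appendonly no
save ""
vm-enabled yes
vm-swap-file /tmp/redis.swap
"""


def demo():
    """Findings for SAMPLE_CONF (three of them)."""
    return audit(parse_redis_conf(SAMPLE_CONF))


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run it against the file the redis role renders (`redis-server` itself only rejects syntax it cannot parse; it will happily start with an AOF that is never fsynced or a swap file in /tmp).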
-------------------------------------------------------------------------------- /provisioning/roles/users/handlers/main.yml: --------------------------------------------------------------------------------
---

- name: restart ssh
  service: name=ssh state=restarted
-------------------------------------------------------------------------------- /provisioning/roles/users/tasks/main.yml: --------------------------------------------------------------------------------
---

- name: Change root password
  user:
    name: root
    password: "{{ root_password }}"
    shell: /bin/bash

- name: Create new linux user
  user:
    name: "{{ user }}"
    password: "{{ password }}"
    shell: /bin/bash

# Also creates ~/.ssh with the right ownership and mode; the generated key is
# replaced by the operator's key further down.
- name: Create a 2048-bit SSH key for the new user and for root
  user:
    name: "{{ item }}"
    generate_ssh_key: yes
    ssh_key_bits: 2048
  with_items:
    - "{{ user }}"
    - root

# The variable is passed unquoted: lookup('file', 'rsa_pub_key_filepath')
# would try to read a file literally named rsa_pub_key_filepath and fail.
- name: Add the operator's RSA public key to authorized_keys
  authorized_key:
    user: "{{ item }}"
    key: "{{ lookup('file', rsa_pub_key_filepath) }}"
  with_items:
    - "{{ user }}"
    - root

# visudo checks the edited copy before it is installed: a syntax error in
# /etc/sudoers locks everyone out of sudo.
- name: Add new user to sudoers
  lineinfile:
    dest: /etc/sudoers
    line: "{{ user }} ALL=(ALL:ALL) ALL"
    validate: "visudo -cf %s"

- name: Append a line to bashrc to use keychain. Avoids the ssh passphrase prompt.
  lineinfile:
    dest: "/home/{{ user }}/.bashrc"
    line: "eval `keychain --eval id_rsa`"

# Copying the operator's private key onto the server is not SSH agent
# forwarding (the webapp role calls it that): whoever gets root on this box
# gets the key. Use a dedicated deploy key with read-only access, owner-only
# permissions, and nothing else.
- name: send private key to remote deploy user
  copy:
    src: "{{ rsa_priv_key_filepath }}"
    dest: "/home/{{ user }}/.ssh/id_rsa"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0600

- name: send public key to remote deploy user
  copy:
    src: "{{ rsa_pub_key_filepath }}"
    dest: "/home/{{ user }}/.ssh/id_rsa.pub"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0644

# Same key for root, not necessary, just in case.
- name: send private key to root user
  copy:
    src: "{{ rsa_priv_key_filepath }}"
    dest: /root/.ssh/id_rsa
    owner: root
    group: root
    mode: 0600

- name: send public key to root user
  copy:
    src: "{{ rsa_pub_key_filepath }}"
    dest: /root/.ssh/id_rsa.pub
    owner: root
    group: root
    mode: 0644

# ssh-keyscan trusts whatever key the host presents on this first contact and
# -H only hashes the host name in the entry; compare the fingerprint with one
# obtained out of band before relying on it. The ssh-keygen -F guard stops the
# entry from being appended again on every run.
- name: add {{ remote_host }} host key to the deploy user's known_hosts
  sudo_user: "{{ user }}"
  shell: "ssh-keygen -F {{ remote_host }} -f $HOME/.ssh/known_hosts | grep -q . || ssh-keyscan -H {{ remote_host }} >> $HOME/.ssh/known_hosts"

- name: add {{ remote_host }} host key to the system-wide known_hosts
  shell: "ssh-keygen -F {{ remote_host }} -f /etc/ssh/ssh_known_hosts | grep -q . || ssh-keyscan -H {{ remote_host }} >> /etc/ssh/ssh_known_hosts"
-------------------------------------------------------------------------------- /provisioning/roles/webapp/tasks/main.yml: --------------------------------------------------------------------------------
---

- name: See if repo was cloned
  stat:
    path: "/home/{{ user }}/{{ repository_name }}"
  register: repo_cloned

# Authenticates with the deploy key the users role installed in ~/.ssh. That
# role also put {{ remote_host }}'s key in known_hosts, so an unexpected host
# key should fail the clone instead of being accepted silently.
- name: read-write git checkout from repo
  sudo_user: "{{ user }}"
  git:
    repo: "{{ repository }}"
    dest: "/home/{{ user }}/{{ repository_name }}"
    version: "{{ deployment_branch }}"
    key_file: "/home/{{ user }}/.ssh/id_rsa"
    accept_hostkey: no
  when: repo_cloned.stat.isdir is not defined

- name: See if virtualenv was created
  stat:
    path: "/home/{{ user }}/venv"
  register: venv_created

- name: create virtualenv
  sudo_user: "{{ user }}"
  shell: "virtualenv venv"
  args:
    chdir: "/home/{{ user }}"
  when: venv_created.stat.isdir is not defined

- name: Check the virtualenv again, now that the previous task may have created it
  stat:
    path: "/home/{{ user }}/venv"
  register: venv_created

# Calling the virtualenv's own pip avoids having to activate it in a shell.
- name: install requirements into virtualenv
  sudo_user: "{{ user }}"
  shell: "/home/{{ user }}/venv/bin/pip install -r requirements.txt"
  args:
    chdir: "/home/{{ user }}/{{ repository_name }}"
  when: venv_created.stat.isdir is defined

# The api keys are secrets: owner-only permissions.
- name: copy api keys
  sudo_user: "{{ user }}"
  copy:
    src: "{{ api_key_filepath }}"
    dest: "/home/{{ user }}/venv/.env"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0600
  when: venv_created.stat.isdir is defined

# .bashrc is created 0644 by default; once the api keys are appended to it
# every local user could read them.
- name: keep the files that will hold the api keys private
  file:
    path: "/home/{{ user }}/{{ item }}"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0600
  with_items:
    - '.bashrc'
    - 'venv/bin/activate'
  when: venv_created.stat.isdir is defined

# Append the variables once: the marker line keeps a second provisioning run
# from appending the same block again.
- name: add environment variables to virtualenv
  sudo_user: "{{ user }}"
  shell: "grep -q '^# api keys from venv/.env' $HOME/venv/bin/activate || ( echo '# api keys from venv/.env'; cat $HOME/venv/.env ) >> $HOME/venv/bin/activate"
  when: venv_created.stat.isdir is defined

- name: add environment variables to user env
  sudo_user: "{{ user }}"
  shell: "grep -q '^# api keys from venv/.env' $HOME/.bashrc || ( echo '# api keys from venv/.env'; cat $HOME/venv/.env ) >> $HOME/.bashrc"
  when: venv_created.stat.isdir is defined
-------------------------------------------------------------------------------- /provisioning/site.yml: --------------------------------------------------------------------------------
---

- name: Defining users
  hosts: all
  sudo: yes
  roles:
    - role: users

- name: Update server and install utils
  hosts: all
  sudo: yes
  roles:
    - role: common

- name: Install packages needed for python development
  hosts: all
  sudo: yes
  roles:
    - role: python-utils

- name: Setup nginx
  hosts: all
  sudo: yes
  roles:
    - role: nginx

- name: Setup PostgreSQL
  hosts: all
  sudo: yes
  roles:
    - role: postgresql

- name: Setup redis
  hosts: all
  sudo: yes
  roles:
    - role: redis

- name: Setup webapp
  hosts: all
  sudo: yes
  roles:
    - role: webapp

- name: Setup gunicorn scripts
  hosts: all
  sudo: yes
  roles:
    - role: gunicorn

- name: Setup celery script
  hosts: all
  sudo: yes
  roles:
    - role: celery

- name: Setup supervisor
  hosts: all
  sudo: yes
  roles:
    - role: supervisor
--------------------------------------------------------------------------------
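The users role appends `ssh-keyscan -H` output to known_hosts, which trusts whatever key answers on first contact; `-H` only hashes the host name in the entry and verifies nothing. The added example below (not code from this repository) shows the check a practitioner does before trusting that output: compute the SHA256 fingerprint of the scanned key the way `ssh-keygen -lf` prints it, compare it with a value recorded out of band, and only then write the hashed `|1|salt|hmac` known_hosts entry that `-H` produces. The host name `git.example.internal`, the key and the pin are constructed for the demo.

```python
"""Pin a host key fingerprint before trusting ssh-keyscan output.

Added example for this page, not code from the repository. The key, host
name and expected fingerprint below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(b):
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(b)) + b


def keyscan_line(host, keytype, blob):
    """Format a raw key blob the way ssh-keyscan prints it: 'host keytype base64'."""
    return "%s %s %s" % (host, keytype, base64.b64encode(blob).decode())


def parse_keyscan_line(line):
    """Split 'host keytype base64' (ssh-keyscan output without -H)."""
    host, keytype, key_b64 = line.split()[:3]
    return host, keytype, key_b64


def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: the base64 of
    SHA256 over the raw key blob, without '=' padding, prefixed 'SHA256:'."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host, salt=None):
    """Build the '|1|salt|hmac' host field that ssh-keyscan -H writes:
    a random 20-byte salt and HMAC-SHA1(salt, hostname), both base64."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hashed_host_matches(field, host):
    """True if a known_hosts host field (hashed or plain) was written for `host`."""
    if not field.startswith("|1|"):
        return field == host            # plain, unhashed entry
    _, _, salt_b64, mac_b64 = field.split("|")
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def pinned_known_hosts_entry(scan_line, expected_fingerprint):
    """Return a hashed known_hosts line for the scanned key, or None when its
    fingerprint is not the pinned one (refuse rather than append)."""
    host, keytype, key_b64 = parse_keyscan_line(scan_line)
    if not hmac.compare_digest(fingerprint(key_b64), expected_fingerprint):
        return None
    return "%s %s %s" % (hashed_host(host), keytype, key_b64)


# Constructed sample: an ssh-ed25519 public key whose 32-byte point is just
# bytes 0..31. It is well-formed for the demo but belongs to no real host.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_SCAN_LINE = keyscan_line("git.example.internal", "ssh-ed25519", SAMPLE_BLOB)
# What the operator records out of band, e.g. `ssh-keygen -lf` run on the server.
SAMPLE_PIN = fingerprint(base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    entry = pinned_known_hosts_entry(SAMPLE_SCAN_LINE, SAMPLE_PIN)
    print(entry if entry else "fingerprint mismatch, refusing to trust the host")
```

In the role this replaces the blind `ssh-keyscan -H host >> known_hosts`: scan without `-H`, pass the line and the pin recorded for `remote_host` through `pinned_known_hosts_entry`, and append only what it returns.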