WIP Add pyinfra for chatwoot.testrun.org

This commit is contained in:
Christian Hagenest 2024-03-11 16:59:17 +01:00
parent 80d0229e90
commit 97d00ad074
2 changed files with 43 additions and 16 deletions


@ -1,7 +1,5 @@
"""
nginx deploy
"""
from io import StringIO from io import StringIO
import importlib.resources
from pyinfra import host from pyinfra import host
from pyinfra.api.deploy import deploy from pyinfra.api.deploy import deploy
@ -9,7 +7,7 @@ from pyinfra.operations import files, server, apt, systemd
from pyinfra.facts.deb import DebPackages from pyinfra.facts.deb import DebPackages
from pyinfra_acmetool import deploy_acmetool from pyinfra_acmetool import deploy_acmetool
def _install_nginx(): def deploy_nginx():
if not host.get_fact(DebPackages): if not host.get_fact(DebPackages):
raise DeployError(("Can't deploy prerequisites on non-deb system")) raise DeployError(("Can't deploy prerequisites on non-deb system"))
@ -18,15 +16,17 @@ def _install_nginx():
apt.packages( apt.packages(
name = "Install nginx-extras", name = "Install nginx-extras",
packages = ["nginx-extras"], packages = ["nginx-extras"],
_sudo = True,
) )
def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True):
def add_nginx_domain(domain: str, config_path: str = None, proxy_port: int = None, enabled=True, acmetool=True):
"""Let a domain be handled by nginx, create a Let's Encrypt certificate for it, and deploy the config. """Let a domain be handled by nginx, create a Let's Encrypt certificate for it, and deploy the config.
:param domain: the domain of the website :param domain: the domain of the website
:param config_path: the local path to the nginx config file :param config_path: the local path to the nginx config file
:param proxy_port: proxy_pass all HTTP traffic to some internal port
:param enabled: whether the site should be enabled at /etc/nginx/sites-enabled :param enabled: whether the site should be enabled at /etc/nginx/sites-enabled
:param acmetool: whether acmetool should fetch TLS certs for the domain
""" """
default_config_link = files.link( default_config_link = files.link(
path="/etc/nginx/sites-enabled/default", present=False path="/etc/nginx/sites-enabled/default", present=False
@ -37,6 +37,7 @@ def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True)
deploy_acmetool(nginx_hook=True, domains=[domain]) deploy_acmetool(nginx_hook=True, domains=[domain])
if enabled: if enabled:
if config_path:
config = files.put( config = files.put(
src=config_path, src=config_path,
dest=f"/etc/nginx/sites-available/{domain}", dest=f"/etc/nginx/sites-available/{domain}",
@ -44,6 +45,16 @@ def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True)
group="root", group="root",
mode="644", mode="644",
) )
elif proxy_port:
config = files.template(
src=importlib.resources.files(__package__) / "proxy_pass.nginx_config.j2",
dest=f"/etc/nginx/sites-available/{domain}",
user="root",
group="root",
mode="644",
domain=domain,
proxy_port=proxy_port,
)
config_link = files.link( config_link = files.link(
path=f"/etc/nginx/sites-enabled/{domain}", path=f"/etc/nginx/sites-enabled/{domain}",
target=f"/etc/nginx/sites-available/{domain}", target=f"/etc/nginx/sites-available/{domain}",
@ -62,6 +73,3 @@ def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True)
restarted=need_restart, restarted=need_restart,
) )
@deploy("Deploy nginx")
def deploy_nginx():
_install_nginx()
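Review bot: When `enabled` is true but neither `config_path` nor `proxy_port` is passed, the new `if config_path:` / `elif proxy_port:` chain assigns nothing to `config`, and any later read of it (the `need_restart` used at the `restarted=need_restart` line appears to depend on it, but that code is outside the hunk) would fail with `UnboundLocalError` rather than a clear deploy error; add `else: raise DeployError("add_nginx_domain needs either config_path or proxy_port")` after the `elif` branch, and state in the docstring that `config_path` takes precedence when both are given. The new signature annotates the optional parameters as `config_path: str = None, proxy_port: int = None`; `Optional[str] = None` / `Optional[int] = None` (or `str | None` on 3.10+) matches the defaults. With the `@deploy("Deploy nginx")` wrapper removed in the last hunk, the kept `from pyinfra.api.deploy import deploy` import looks unused unless a decorator outside the visible hunks still uses it. The body of `add_nginx_domain` continues outside the hunk.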


@ -0,0 +1,19 @@
server {
server_name {{ domain }};
client_max_body_size 512m;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:{{ proxy_port }}/;
}
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /var/lib/acme/live/{{ domain }}/fullchain; # managed by acmetool
ssl_certificate_key /var/lib/acme/live/{{ domain }}/privkey; # managed by acmetool
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
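Review bot: The template pairs acmetool-managed certificate paths on the `ssl_certificate` / `ssl_certificate_key` lines with certbot's `/etc/letsencrypt/options-ssl-nginx.conf` and `/etc/letsencrypt/ssl-dhparams.pem` on the `include` / `ssl_dhparam` lines, and nothing in this commit deploys those two files; on a host provisioned only by `deploy_acmetool` the nginx config test would presumably fail on the missing include, and the TLS protocol and cipher policy would depend on files this deploy does not control. Either put both files in place with `files.put` in the same deploy, or replace the include with explicit settings in the template, `ssl_protocols TLSv1.2 TLSv1.3;` at minimum. The server block only listens on 443, so plain-HTTP redirection and the ACME HTTP-01 path apparently rely on the acmetool nginx hook enabled in `add_nginx_domain`; worth confirming that the hook's port-80 server block is actually present on the target. `{{ domain }}` and `{{ proxy_port }}` are interpolated without validation, which is acceptable only while they originate from the deploy code itself. `http2` on the `listen` line is deprecated in current nginx releases in favour of a separate `http2 on;` directive.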