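---
# Application-level variables consumed by the provisioning and deployment
# playbooks. Secrets are never written here: every credential is pulled from
# Ansible Vault via a `vault_*` variable.
app_name: YOUR_APP_NAME
deploy_user: deployer
deploy_group: "{{ deploy_user }}"
deploy_user_path: "/home/{{ deploy_user }}"

# App Git repo
app_git_repo: "[email protected]:pedropaf/rails-ansible-provision-deployment.git"
app_git_branch: "main"

# Rails app
app_root_path: "{{ deploy_user_path }}/{{ app_name }}"
app_current_path: "{{ app_root_path }}/current"
app_releases_path: "{{ app_root_path }}/releases"
app_shared_path: "{{ app_root_path }}/shared"
app_pids_path: "{{ app_shared_path }}/tmp/pids"
app_logs_path: "{{ app_shared_path }}/logs"
app_sockets_path: "{{ app_shared_path }}/sockets"
rails_db_pool: 20
rails_environment: production

# Puma
puma_service_file: "puma.service.j2"
puma_config_file: "{{ app_current_path }}/config/puma.rb"
puma_socket: "{{ app_sockets_path }}/puma.sock"
puma_web_concurrency: 2

# Sidekiq
sidekiq_service_file: "sidekiq.service.j2"

# Ansistrano
ansistrano_deploy_from: "{{ playbook_dir }}/../"
ansistrano_deploy_to: "{{ app_root_path }}"
ansistrano_keep_releases: 3
ansistrano_after_cleanup_tasks_file: "{{ playbook_dir }}/deploy_tasks/after_cleanup.yml"
ansistrano_git_repo: "{{ app_git_repo }}"
ansistrano_git_branch: "{{ app_git_branch }}"
# SSH identity used for the git clone. Prefer a dedicated, read-only deploy
# key for this repository over a personal key, so the key's blast radius is
# limited to cloning this one repo.
ansistrano_git_identity_key_path: "~/.ssh/id_rsa"
# Canonical booleans (`true`/`false`); YAML 1.1 `yes`/`no` parse the same but
# trip yamllint's `truthy` rule.
ansistrano_ensure_shared_paths_exist: true
ansistrano_ensure_basedirs_shared_files_exist: true
ansistrano_shared_paths:
  - log  # log -> ../../shared/log
  - tmp  # tmp -> ../../shared/tmp
  - vendor  # vendor -> ../../shared/vendor
  - public/assets  # For rails asset pipeline
  - public/packs  # For webpacker
  - node_modules  # For webpacker node_modules -> ../../shared/node_modules
shared_files_to_copy:
  - src: database.yml.j2
    dest: config/database.yml

# Common
required_packages:
  - zlib1g-dev
  - build-essential
  - libssl-dev
  - libreadline-dev
  - libyaml-dev
  - libxml2-dev
  - libxslt1-dev
  - libcurl4-openssl-dev
  - libffi-dev
  - dirmngr
  - gnupg
  - autoconf
  - bison
  - libreadline6-dev
  - libncurses5-dev
  - libgdbm6
  - libgdbm-dev
  - libpq-dev  # postgresql client
  - libjemalloc-dev  # jemalloc
  - acl
  - libsqlite3-dev

# Ruby
# Quoted so version strings are never read as numbers by any YAML loader.
ruby_version: "2.7.2"
rbenv_ruby_configure_opts: "RUBY_CONFIGURE_OPTS=--with-jemalloc"
rbenv_root_path: "{{ deploy_user_path }}/.rbenv"
rbenv_shell_rc_path: "{{ deploy_user_path }}/.bashrc"
rubies_path: "{{ rbenv_root_path }}/versions"
ruby_path: "{{ rubies_path }}/{{ ruby_version }}"
rbenv_bin: "{{ rbenv_root_path }}/bin/rbenv"
rbenv_bundle: "{{ rbenv_root_path }}/shims/bundle"

# Nodejs
nodejs_version: "15.x"

# Postgresql
postgresql_version: "13"
postgresql_db_user: "{{ deploy_user }}_postgresql_user"
postgresql_db_password: "{{ vault_postgresql_db_password }}"  # from vault
postgresql_db_name: "{{ app_name }}_production"
# Listening on the host's primary address exposes PostgreSQL beyond loopback.
# Only keep the second entry when the database really lives on a separate
# server, and note that `ufw_rules` below does not open the PostgreSQL port —
# access must be granted deliberately (firewall rule + pg_hba entry).
postgresql_listen:
  - "localhost"
  - "{{ ansible_default_ipv4.address }}"  # only if db is on a separate server

# nginx
nginx_https_enabled: true
nginx_conf_template: "nginx.conf.j2"

# certbot
certbot_email: "[email protected]"
certbot_domains:
  - "demo-ansible.pedroalonso.net"

# PostgreSQL Backup to S3
# AWS credentials come from vault; scope the IAM identity to the backup
# bucket only.
aws_key: "{{ vault_aws_key }}"
aws_secret: "{{ vault_aws_secret }}"
postgresql_backup_dir: "{{ deploy_user_path }}/backups"
postgresql_backup_filename_format: >-
  {{ app_name }}-%Y%m%d-%H%M%S.pgdump
# Placeholder: a healthcheck ping URL acts as a bearer token for that check,
# so a real value belongs in vault rather than in this file.
postgresql_db_backup_healthcheck: "NOTIFICATION_URL (eg: https://healthcheck.io/)"
postgresql_s3_backup_bucket: "DB_BACKUP_BUCKET"
postgresql_s3_backup_hour: "3"
postgresql_s3_backup_minute: "*"
postgresql_s3_backup_delete_after: "7 days"  # days after which old backups should be deleted

# fluentbit
fluentbit_inputs:
  - Name: tail
    Path: "{{ app_logs_path }}/production.log"
fluentbit_outputs:
  - Name: http
    Match: "*"
    tls: true  # ship logs over TLS only; YAML 1.1 `On` parses to the same value
    Host: ""  # e.g: loggly or sumologic logs endpoint
    Port: 443
    # The log endpoint token is a secret: keep it in vault, as the example shows.
    URI: ""  # e.g: /receiver/v1/http/{{ vault_sumologic_token }}
    Format: json_lines
    Json_Date_Key: timestamp
    Json_Date_Format: iso8601
    Retry_Limit: false  # Fluent Bit: a false value means retry without limit

# logrotate
logrotate_conf:
  - path: "ansible"
    conf: |
      "{{ app_current_path }}/log/*.log" {
        weekly
        size 100M
        missingok
        rotate 12
        compress
        delaycompress
        notifempty
        copytruncate
      }

# UFW
# SSH is reachable from any source; restrict `from` to known management
# ranges where the environment allows it.
ufw_rules:
  - rule: "allow"
    proto: "tcp"
    from: "any"
    port: "80"
  - rule: "allow"
    proto: "tcp"
    from: "any"
    port: "443"
  - rule: "allow"
    proto: "tcp"
    from: "any"
    port: "22"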