
Commit f951233

committed
Support Vagrant
- Based on ruby#36 - Update TLS configurations using https://ssl-config.mozilla.org/#server=nginx&server-version=1.10.3&config=intermediate&openssl-version=1.1.0l&hsts=false - Provision using ansible - Use bash instead of zsh in `system/update-rurema-index`
1 parent 85deaad commit f951233


7 files changed

+251
-12
lines changed


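--- a/README.md
+++ b/README.md
@@ -22,3 +22,28 @@
 ## Related repos
 
 * https://github.com/ruby/rurema-search
+
+## Vagrant Environment
+
+Usage:
+
+```
+git clone https://github.com/ruby/docs.ruby-lang.org
+git clone https://github.com/ruby/rurema-search
+cd docs.ruby-lang.org
+vagrant up
+vagrant ssh-config >> ~/.ssh/config
+bundle install
+cap vagrant deploy
+cp config/deploy/vagrant.rb ../rurema-search/config/deploy/vagrant.rb
+cd ../rurema-search
+cap vagrant deploy
+cd ../docs.ruby-lang.org
+vagrant ssh
+sudo systemctl restart nginx
+sudo su - rurema
+crontab -l
+```
+
+- Run commands in crontab as rurema user (ignore error of `system/fastly-purge-key`)
+- Open `https://localhost:10443/` in browser (ignore certificate error (`NET::ERR_CERT_AUTHORITY_INVALID`) because of using self signed certificate generated by `provision/selfsigned.yml`)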

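--- a/conf/docs.ruby-lang.org
+++ b/conf/docs.ruby-lang.org
@@ -20,32 +20,37 @@
 }
 
 server {
-listen 443 ssl;
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
 server_name docs.ruby-lang.org docs-origin.ruby-lang.org;
 
 ssl on;
 ssl_certificate /etc/letsencrypt/live/docs-origin.ruby-lang.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/docs-origin.ruby-lang.org/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
 
-ssl_buffer_size 4k;
+ssl_dhparam /etc/nginx/dhparam.pem;
 
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-ssl_prefer_server_ciphers on;
+# intermediate configuration
+ssl_protocols TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
 
-ssl_trusted_certificate /etc/letsencrypt/live/docs-origin.ruby-lang.org/chain.pem;
+# OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
-resolver 8.8.8.8;
 
-ssl_session_cache shared:SSL:5m;
-ssl_session_timeout 5m;
-ssl_session_tickets off;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /etc/letsencrypt/live/docs-origin.ruby-lang.org/chain.pem;
 
-ssl_dhparam /etc/nginx/dhparam.pem;
+resolver 8.8.8.8;
 
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Port 443;
 
 location / {
 root /var/www/docs.ruby-lang.org/current/public;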
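Review bot: `ssl on;` (kept as new line 28) is now redundant because both `listen` directives carry the `ssl` parameter, and the directive has been deprecated since nginx 1.15.0; the Mozilla generator output this block is modelled on omits it, so dropping the line keeps newer nginx from warning and removes a second place where TLS is switched on. The `resolver 8.8.8.8;` retained for the OCSP stapling lookups is a third-party resolver queried over plain DNS; that is workable for stapling, but a comment such as `# resolver for OCSP responder lookups; prefer the local resolver where one exists` would record that it is only used for that purpose. The `server` block continues past the end of the hunk.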

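--- /dev/null
+++ b/config/deploy/vagrant.rb
@@ -0,0 +1,2 @@
+role :web, %w{rurema@default}
+server 'default', user: 'rurema', roles: %w{web}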

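--- /dev/null
+++ b/provision/playbook.yml
@@ -0,0 +1,147 @@
+---
+- hosts: default
+become: yes
+gather_facts: no
+vars:
+ansible_python_interpreter: '/usr/bin/python'
+tasks:
+- name: 'Setup packages'
+apt:
+name:
+# for setup
+- nginx
+- git
+- bundler
+- apt-transport-https
+- ca-certificates
+- curl
+- lv
+# for convenience
+- w3m
+
+# https://groonga.org/ja/docs/install/debian.html#stretch
+- name: 'Download groonga-archive-keyring.gpg'
+get_url:
+url: 'https://packages.groonga.org/debian/groonga-archive-keyring.gpg'
+dest: '/usr/share/keyrings/groonga-archive-keyring.gpg'
+- name: 'Add groonga repository'
+apt_repository:
+repo: 'deb [signed-by=/usr/share/keyrings/groonga-archive-keyring.gpg] https://packages.groonga.org/debian/ stretch main'
+- name: 'Install groonga'
+apt:
+name:
+- 'groonga={{ groonga_version }}'
+- 'groonga-bin={{ groonga_version }}'
+- 'groonga-plugin-suggest={{ groonga_version }}'
+- 'groonga-doc={{ groonga_version }}'
+- 'libgroonga0={{ groonga_version }}'
+- 'libgroonga-dev={{ groonga_version }}'
+vars:
+groonga_version: '7.1.1-1'
+
+# https://www.phusionpassenger.com/library/install/nginx/install/oss/stretch/
+- name: 'Add apt key of Passenger packages'
+apt_key:
+keyserver: keyserver.ubuntu.com
+id: 561F9B9CAC40B2F7
+- name: 'Add Passenger repository'
+apt_repository:
+repo: 'deb https://oss-binaries.phusionpassenger.com/apt/passenger stretch main'
+- name: 'Install passenger'
+apt:
+name: libnginx-mod-http-passenger
+
+- name: 'User rurema'
+user:
+name: 'rurema'
+create_home: yes
+shell: '/bin/bash'
+groups: 'sudo'
+append: yes
+- name: 'Copy .ssh'
+copy:
+remote_src: yes
+src: '/home/vagrant/.ssh'
+dest: '/home/rurema'
+owner: 'rurema'
+group: 'rurema'
+mode: 'preserve'
+
+- name: 'Create directories'
+file:
+path: '{{ item }}'
+state: directory
+owner: 'rurema'
+group: 'rurema'
+with_items:
+- '/var/www/docs.ruby-lang.org'
+- '/var/rubydoc'
+- '/var/rubydoc/rurema-search/shared'
+
+- name: 'Cron: rdoc'
+cron:
+name: 'rdoc'
+minute: '20'
+hour: '13'
+job: 'cd /var/www/docs.ruby-lang.org/current; ruby system/rdoc-static-all'
+user: 'rurema'
+- name: 'Cron: bitclust'
+cron:
+name: 'bitclust'
+minute: '15'
+hour: '0'
+job: 'cd /var/www/docs.ruby-lang.org/current; ruby system/bc-setup-all; ruby system/bc-static-all'
+user: 'rurema'
+- name: 'Cron: update-rurema-index'
+cron:
+name: 'update-rurema-index'
+minute: '15'
+hour: '2'
+job: 'cd /var/www/docs.ruby-lang.org/current; system/update-rurema-index'
+user: 'rurema'
+
+- name: 'git clone rurema/doctree'
+git:
+repo: 'https://github.com/rurema/doctree.git'
+dest: '/var/rubydoc/doctree'
+depth: 1
+become: yes
+become_user: 'rurema'
+vars:
+ansible_ssh_pipelining: yes
+
+- name: 'Copy nginx site'
+copy:
+src: '../conf/docs.ruby-lang.org'
+dest: '/etc/nginx/sites-available/docs.ruby-lang.org'
+- name: 'Copy vagrant nginx site'
+copy:
+remote_src: yes
+src: '/etc/nginx/sites-available/docs.ruby-lang.org'
+dest: '/etc/nginx/sites-available/docs.ruby-lang.org.vagrant'
+when: docs_https_port is defined
+changed_when: no
+- name: 'Change port in vagrant nginx site'
+lineinfile:
+path: '/etc/nginx/sites-available/docs.ruby-lang.org.vagrant'
+regexp: '^(.*)proxy_set_header X-Forwarded-Port 443;$'
+line: '\1proxy_set_header X-Forwarded-Port {{ docs_https_port }};'
+backrefs: yes
+when: docs_https_port is defined
+changed_when: no
+- name: 'Enable docs.ruby-lang.org site'
+file:
+src: '../sites-available/docs.ruby-lang.org'
+dest: '/etc/nginx/sites-enabled/docs.ruby-lang.org'
+state: link
+when: docs_https_port is not defined
+- name: 'Enable docs.ruby-lang.org vagrant site'
+file:
+src: '../sites-available/docs.ruby-lang.org.vagrant'
+dest: '/etc/nginx/sites-enabled/docs.ruby-lang.org'
+state: link
+when: docs_https_port is defined
+- name: 'Disable default site'
+file:
+dest: '/etc/nginx/sites-enabled/default'
+state: absent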
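Review bot: The 'User rurema' task places the service account in the `sudo` group (`groups: 'sudo'` with `append: yes`), so the deploy user and the three cron jobs run under a root-capable account; the README only invokes sudo from the vagrant user, so unless `cap vagrant deploy` needs it, the two lines can be dropped, or a comment should state why rurema requires sudo. The 'Add apt key of Passenger packages' task fetches the signing key from `keyserver.ubuntu.com` by a 64-bit id, which uses the module's default keyserver transport and binds trust only to that short id; giving the full 40-character fingerprint as `id`, or fetching the key file over HTTPS with `url:`, is the usual tightening, and the groonga `get_url` task could carry a `checksum:` for the keyring for the same reason. These only affect the Vagrant provisioning introduced here.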

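--- /dev/null
+++ b/provision/rurema-search.yml
@@ -0,0 +1,23 @@
+---
+- hosts: default
+become: yes
+gather_facts: no
+vars:
+ansible_python_interpreter: '/usr/bin/python'
+tasks:
+- name: 'Copy rurema-search/shared/document.yaml'
+copy:
+dest: '/var/rubydoc/rurema-search/shared/document.yaml'
+content: |
+base_url:
+https://localhost:10443/
+remove_dot_from_version:
+false
+tracking_id:
+UA-XXXXXX-X
+- name: 'Copy rurema-search/shared/production.yaml'
+copy:
+dest: '/var/rubydoc/rurema-search/shared/production.yaml'
+content: |
+use_log: false
+use_cache: false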

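--- /dev/null
+++ b/provision/selfsigned.yml
@@ -0,0 +1,37 @@
+---
+- hosts: default
+become: yes
+gather_facts: no
+vars:
+ansible_python_interpreter: '/usr/bin/python'
+tasks:
+- name: 'Install crypto backend'
+apt:
+name: python-cryptography
+- name: 'Create /etc/letsencrypt/live/docs-origin.ruby-lang.org'
+file:
+path: '/etc/letsencrypt/live/docs-origin.ruby-lang.org'
+state: directory
+- name: 'Generate private key'
+openssl_privatekey:
+path: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/privkey.pem'
+- name: 'Generate CSR'
+openssl_csr:
+path: '/etc/letsencrypt/docs-origin.ruby-lang.org.csr'
+privatekey_path: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/privkey.pem'
+common_name: 'localhost'
+- name: 'Generate a Self Signed OpenSSL certificate'
+openssl_certificate:
+path: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/fullchain.pem'
+privatekey_path: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/privkey.pem'
+csr_path: '/etc/letsencrypt/docs-origin.ruby-lang.org.csr'
+provider: selfsigned
+- name: 'Generate Diffie-Hellman parameters'
+openssl_dhparam:
+path: '/etc/nginx/dhparam.pem'
+size: 2048
+- name: 'Create /etc/letsencrypt/live/docs-origin.ruby-lang.org/chain.pem'
+copy:
+remote_src: yes
+src: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/fullchain.pem'
+dest: '/etc/letsencrypt/live/docs-origin.ruby-lang.org/chain.pem'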
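Review bot: The 'Generate CSR' task sets only `common_name: 'localhost'` and no `subject_alt_name`; modern browsers ignore the CN for hostname matching, so the certificate fails hostname validation in addition to the untrusted-issuer failure the README documents, and the error a user sees may not be the `NET::ERR_CERT_AUTHORITY_INVALID` it names. Adding `subject_alt_name: 'DNS:localhost'` to the `openssl_csr` task leaves the untrusted issuer as the only expected failure. The final task copies the self-signed certificate into `chain.pem`, which the nginx config feeds to `ssl_trusted_certificate` for OCSP stapling; a self-signed certificate has no OCSP responder to staple from, so a comment such as `# self-signed: OCSP stapling has nothing to fetch, expect nginx warnings` would save the next reader a debugging session.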

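--- a/system/update-rurema-index
+++ b/system/update-rurema-index
@@ -1,4 +1,4 @@
-#! /bin/zsh
+#! /bin/bash
 SCRIPT_DIR=$(dirname $0)
 BASE_DIR=/var/rubydoc
 APP_DIR=$BASE_DIR/rurema-search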
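Review bot: Switching the interpreter from zsh to bash changes word splitting and globbing for the whole script, and the body after line 4 is outside the hunk; any zsh-only construct there (for example `setopt`, 1-based array indexing, or unquoted variables that relied on zsh not splitting them) would now fail or behave differently, so the remaining lines should be run once under bash before this lands in the cron job. Within the hunk, `SCRIPT_DIR=$(dirname $0)` is unquoted and splits under bash if the invoking path contains spaces; `SCRIPT_DIR=$(dirname "$0")` is the safe form. No `set -e` or `set -u` appears in the visible lines, which matters more now that failures in an unattended cron run are easy to miss.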
