[WIP] Cleaning up the www setup to match production

setup/www/README.md

@@ -18,6 +18,8 @@ Note that the *host_vars/iojs-www* file needs to be created, the *host_vars/iojs
 
 An SSL certificate should also be provided along with a key. The certificate, along with chain, should be placed in *resources/iojs_chained.crt* and the key in *resources/iojs.key*.
 
+Additionally, you'll need the private SSH keys for `staging` and `dist`, which should be `resources/keys/staging/id_rsa` and `resources/keys/dist/id_rsa`.
+
 To set up the web server, run:
 
 ```text

setup/www/ansible-playbook.yaml

@@ -7,6 +7,8 @@
     - include_vars: ansible-vars.yaml
       tags: vars
 
+    ### configure machine and core packages
+
     - name: General | APT Update
       apt: update_cache=yes
       tags: general
@@ -24,8 +26,14 @@
       with_items: packages
       tags: general
 
-    - name: User | Add {{ server_user }} user
-      user: name="{{ server_user }}" shell=/bin/bash
+    ### setup the users
+
+    - name: User | Add system users
+      user: name="{{ item }}" shell=/bin/bash
+      with_items:
+        - "{{ server_user }}"
+        - "{{ staging_user }}"
+        - "{{ dist_user }}"
       tags: user
 
     - name: User | Download pubkey(s)
@@ -39,17 +47,33 @@
       with_items: ssh_users
       tags: user
 
-    - name: General | Create authorized_keys for {{ server_user }}
-      authorized_key: user="{{ server_user }}" key="{{ lookup('file', '/tmp/' + item + '.keys') }}"
-      with_items: ssh_users
+    - name: General | authorized_keys for users
+      authorized_key: user="{{ item[0] }}" key="{{ lookup('file', '/tmp/' + item[1] + '.keys') }}"
+      with_nested:
+        - [ '{{ dist_user }}', '{{ server_user }}', '{{ staging_user }}' ]
+        - ssh_users
       tags: user
 
+    - name: General | place ssh keys
+      copy: owner="{{ item[0] }}" group="{{ item[0] }}" src=resources/keys/{{ item[0] }}/{{ item[1].name }} dest=/home/{{ item[0] }}/.ssh/{{ item[1].name }} mode={{item[1].perms}}
+      with_nested:
+        - [ "{{ dist_user }}", "{{ staging_user }}" ]
+        - [ { name: 'id_rsa', perms: '0600' }, { name: 'id_rsa.pub', perms: '0644' } ]
+
+    - name: General | add id_rsa.pub to staging, dist authorized_keys
+      authorized_key: user="{{ item }}" key="{{ lookup('file', 'resources/keys/' + item + '/id_rsa.pub') }}"
+      with_items:
+        [ "{{ staging_user }}", "{{ dist_user }}" ]
+      tags: user
+
+    ### setup git and git webhooks
+
     - name: GitHub Webhook | Install github-webhook
       command: "npm install github-webhook -g"
       tags: webhook
 
     - name: GitHub Webhook | Copy config
-      copy: src=./resources/github-webhook.json dest=/etc/github-webhook.json mode=0644
+      copy: src=resources/github-webhook.json dest=/etc/github-webhook.json mode=0644
       tags: webhook
 
     - name: GitHub Webhook | Copy secret to config
@@ -61,7 +85,7 @@
       tags: webhook
 
     - name: GitHub Webhook | Copy Upstart config
-      copy: src=./resources/github-webhook.conf dest=/etc/init/github-webhook.conf mode=0644
+      copy: src=resources/github-webhook.conf dest=/etc/init/github-webhook.conf mode=0644
       tags: webhook
 
     - name: GitHub Webhook | Start service
@@ -78,20 +102,53 @@
       command: "bash -c '{{ update_command }}'"
       tags: setup
 
+    ### configure cron and utility capabilities
+
+    - name: Configure | setup download-stats script
+      copy: src=../../dist/update-download-stats.sh dest="/home/{{ server_user }}" mode=0755
+      tags: setup
+
+    - name: Configure | setup dist-indexer directory
+      file: path="/home/{{ dist_user }}/dist-indexer" state=directory
+      tags: setup
+
+    - name: Configure | setup dist-indexer
+      copy: src="../../dist/dist-indexer/{{ item.name }}" dest="/home/{{ dist_user }}/dist-indexer/{{ item.name }}" mode={{ item.perms }}
+      with_items:
+        - [ { name: 'package.json', perms: '0644' }, { name: 'dist-indexer.js', perms: '0755' } ]
+
+    - name: Configure | npm install for dist-indexer
+      command: npm install chdir="/home/{{ dist_user }}/dist-indexer"
+      tags: setup
+
+    - name: Configure | setup cron for nightly
+      cron: name="promote_nightly" minute="*/5" job="/home/staging/promote/promote_nightly.sh" user="{{ dist_user }}"
+      tags: setup
+
+    - name: Configure | setup cron for download-stats
+      cron: name="update_download_stats" minute="30" hour="1" job="/home/iojs/update-download-stats.sh" user="root"
+      tags: setup
+
+    ### configure nginx
+
     - name: nginx | Copy site config
-      copy: src=./resources/iojs.org dest=/etc/nginx/sites-available/iojs.org mode=0644
+      copy: src=resources/iojs.org dest=/etc/nginx/sites-available/iojs.org mode=0644
       tags: nginx
 
     - name: nginx | Create config symlink
       file: src=/etc/nginx/sites-available/iojs.org dest=/etc/nginx/sites-enabled/00-iojs.org state=link
       tags: nginx
 
+    - name: nginx | Creates ssl directory
+      file: path=/etc/nginx/ssl/ state=directory
+      tags: nginx
+
     - name: nginx | Generate DH params
-      command: "bash -c 'mkdir -p /etc/nginx/ssl/ && openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096'"
+      command: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 creates=/etc/nginx/ssl/dhparam.pem
       tags: nginx
 
     - name: nginx | Copy site certificates
-      copy: src=./resources/{{ item }} dest=/etc/nginx/ssl/{{ item }} mode=0644
+      copy: src=resources/{{ item }} dest=/etc/nginx/ssl/{{ item }} mode=0644
       with_items:
         - iojs_chained.crt
         - iojs.key

setup/www/ansible-vars.yaml

@@ -1,8 +1,11 @@
 ---
+dist_user: dist
 server_user: iojs
+staging_user: staging
 ssh_users:
   - rvagg
   - indutny
+  - kenperkins
 packages:
   - nodejs
   - nginx

setup/www/resources/iojs.org

@@ -51,4 +51,26 @@ server {
         index index.html;
         default_type text/plain;
     }
-}
+
+    location /download {
+        alias /home/dist/public;
+        autoindex on;
+        default_type text/plain;
+    }
+
+    location /dist {
+        alias /home/dist/public/release/;
+        autoindex on;
+        default_type text/plain;
+    }
+
+    location /api {
+        alias /home/dist/public/release/latest/doc/api;
+        autoindex on;
+        default_type text/plain;
+    }
+
+    location /download-stats.json {
+        alias /home/iojs/download-stats.json;
+    }
+}

setup/www/resources/keys/dist/.gitignore

@@ -0,0 +1,2 @@
+id_rsa
+

setup/www/resources/keys/dist/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCozo6s06UvMAJ4qryE860Hq1j+LgEPVXk8AWm8LjeUviUUTa2DOGCNbB8KFWqExn0rAfRDXapnyZ3Q96syFcJXCqwHhqfB+FKS1iApozlagwy9+dBzLgSvx4BQ3vqbiqFDyigycZNAnkzgK+gTp5nChhRsReJKNajy9mOzqG3dsRP277qZmU+/Hi3D5fO3lAvPPYmrCSYEWe/9NarlLWT9+dT4cArUJnLNoO8HvopGGJNHrK0tWFAcNl9LY2gzzyrl8onDq5stkgb4laaxDTYInTSsgtFh0nG65lq+8yOCLPXYiuLuWeJm8jZ14lQgWX7Ym3xoy4D58PnffGdyWDfr dist@iojs-www

setup/www/resources/keys/staging/.gitignore

@@ -0,0 +1,2 @@
+id_rsa
+

setup/www/resources/keys/staging/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClQAc4DccrN86Rd5OrnjM8sikQRoU05NauvQUGziUK6cSKnx42So5pAyMcQDfzcN3bpabyRORge/T3svngMINP0CidAYhezg+yK6vWqhJPBJm4ijWpgAcUH/OvVWi7aPao4Uq4GlkZOtvr2BUsYCFzS/kK4yaLdXpO6rdAsrnLZpBPAcU1oU7zQ2YFHYDmU1eR32EQcswhP+NJ14zu04rGHUUlp6C8ZHpfnvRpD57j35FNTr42FxGMPB00kMWHPecXrPbQJx2/FyWZ6LBG8XNdT4W/XansuwfO/UXWMQWpjAz75mmB0cusRaliHG0ch52i9DYwYbAkwWsvDyytvCv3 staging@iojs-www