debops.etesync default variables
Sections
- Domain name configuration
- APT packages
- Application user, group, home
- Directory paths
- Application sources and deployment
- Python virtualenv configuration
- EteSync configuration options
- Initial superuser account
- Internal application settings
- Other variables
- Configuration variables for other Ansible roles
Domain name configuration

etesync__domain
The DNS domain used by other variables in the debops.etesync role.
etesync__domain: '{{ ansible_domain }}'

etesync__fqdn
The Fully Qualified Domain Name on which the EteSync application will be available, used by the webserver.
etesync__fqdn: 'etesync.{{ etesync__domain }}'
APT packages

etesync__base_packages
List of APT packages which are required by the EteSync server.
etesync__base_packages:
  - 'git'
  #

etesync__packages
List of additional APT packages to install with EteSync.
etesync__packages: []
Application user, group, home

etesync__user
Name of the UNIX system account used to manage EteSync.
etesync__user: 'etesync'

etesync__group
Name of the UNIX primary group used to manage EteSync.
etesync__group: 'etesync'

etesync__gecos
Contents of the GECOS field set for the EteSync account.
etesync__gecos: 'EteSync'

etesync__shell
The default shell set on the EteSync account.
etesync__shell: '/usr/sbin/nologin'
Directory paths

etesync__home
The EteSync account home directory.
etesync__home: '{{ (ansible_local.fhs.home | d("/var/local"))
                   + "/" + etesync__user }}'

etesync__etc
Directory where the role stores EteSync configuration.
etesync__etc: '/etc/etesync-server'

etesync__src
Directory where the role stores EteSync version control sources.
etesync__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                  + "/" + etesync__user }}'

etesync__lib
Directory in which the EteSync server directory is located.
etesync__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
                  + "/" + etesync__user }}'

etesync__data
Directory where EteSync data is stored.
etesync__data: '{{ (ansible_local.fhs.data | d("/srv"))
                   + "/" + etesync__user }}'
Application sources and deployment

etesync__git_gpg_key_id
The ID of the GPG key used for signing EteSync releases.
etesync__git_gpg_key_id: '9E21 F091 FC39 5F36 6A47 43E2 D2E5 84C3 7C47 7933'

etesync__git_repo
The URI of the EteSync git source repository.
etesync__git_repo: 'https://github.com/etesync/server.git'

etesync__git_version
The git branch or tag which will be installed. The default is a git commit hash that locks the checkout to release 0.2.2. Note that this hash locking is not very effective, because the main implementation of EteSync is in additional Python packages.
etesync__git_version: 'b026643cceae07b039942bf0c990ccf917eb072a'

etesync__git_dest
Path where the git source bare repository will be stored.
etesync__git_dest: '{{ etesync__src + "/" + etesync__git_repo.split("://")[1] }}'

etesync__git_checkout
Path where EteSync sources will be checked out (installation path).
etesync__git_checkout: '{{ etesync__lib + "/app" }}'
Python virtualenv configuration

etesync__virtualenv
Path where the EteSync virtualenv directory will be stored.
etesync__virtualenv: '{{ etesync__lib + "/virtualenv" }}'
EteSync configuration options

etesync__config_allowed_hosts
List of domain names under which the EteSync server will accept connections. Specify * to accept connections to any domain name.
etesync__config_allowed_hosts:
  - '{{ ansible_hostname }}'
  - '{{ ansible_fqdn }}'
  - '{{ etesync__fqdn }}'
  - 'localhost'
  - '[::1]'
  - '127.0.0.1'

etesync__config_secret_key
The Django secret key used by the EteSync server. It will be shared by all hosts on the same domain.
etesync__config_secret_key: '{{ lookup("password", secret + "/etesync/" +
                                etesync__domain + "/config/secret_key length=64") }}'

etesync__config_secret_key_filepath
File path where the Django secret key will be stored on the remote host.
etesync__config_secret_key_filepath: '{{ etesync__etc + "/secret.txt" }}'
Initial superuser account

etesync__superuser_name
Name of the initial admin account created by the role.
etesync__superuser_name: '{{ ansible_local.core.admin_users[0]
                             if (ansible_local.core.admin_users|d())
                             else "admin" }}'

etesync__superuser_email
E-mail address of the initial admin account created by the role.
etesync__superuser_email: '{{ ansible_local.core.admin_private_email[0]
                              if (ansible_local.core.admin_private_email|d())
                              else ("root@" + etesync__domain) }}'

etesync__superuser_password
Password set for the initial admin account created by the role.
etesync__superuser_password: '{{ lookup("password", secret + "/etesync/" +
                                 inventory_hostname + "/superuser/" +
                                 etesync__superuser_name + "/password") }}'
Internal application settings

etesync__app_name
Name of the EteSync server processes (workers) set by the master process.
etesync__app_name: '{{ etesync__user }}'

etesync__app_runtime_dir
Name of the subdirectory in the /run/ directory where the EteSync application will bind its UNIX socket. The default is selected so that configuration of the gunicorn service is idempotent.
etesync__app_runtime_dir: '{{ "gunicorn"
                              if (ansible_distribution_release in
                                  [ "wheezy", "jessie", "precise", "trusty", "xenial" ])
                              else "gunicorn-etesync" }}'

etesync__app_bind
Specify either a UNIX or a TCP socket on which the EteSync server should bind and listen for connections.
etesync__app_bind: 'unix:/run/{{ etesync__app_runtime_dir }}/etesync.sock'

etesync__app_workers
Number of worker threads to start for the EteSync server.
etesync__app_workers: '{{ ansible_processor_vcpus|int + 1 }}'

etesync__app_timeout
Number of seconds after which non-responsive worker threads will be killed and restarted. EteSync installations with lots of objects might require longer timeouts for API access.
etesync__app_timeout: '900'

etesync__app_params
List of parameters passed to the gunicorn process manager.
etesync__app_params:
  - '--name={{ etesync__app_name }}'
  - '--bind={{ etesync__app_bind }}'
  - '--workers={{ etesync__app_workers }}'
  - '--timeout={{ etesync__app_timeout }}'
  - 'etesync_server.wsgi'
Other variables

etesync__max_file_size
Maximum upload size, in MB.
etesync__max_file_size: '5'

etesync__python_version
Python version, needed to refer to static files as installed by Python modules.
etesync__python_version: '{{ ansible_local.python.version3|d("3.x") }}'

etesync__http_psk_subpath_enabled
Whether EteSync should be deployed on a random subpath, which protects the web app/API from people who do not know this PSK (pre-shared key). For a discussion of the scenarios in which this can make sense, refer to "RFC: Support subpath/subdir hosting for additional security".
etesync__http_psk_subpath_enabled: False

etesync__http_psk_subpath
PSK used as the subpath. If enabled, it acts as the first layer of defense in a defense-in-depth concept.
etesync__http_psk_subpath: '{{ lookup("password", secret + "/etesync/" +
                               inventory_hostname + "/config/subpath chars=ascii_letters,digits length=23")
                               if etesync__http_psk_subpath_enabled|bool
                               else "" }}'

etesync__url
The URL where the EteSync server will be reachable. It is exposed as a variable here because you might want to use it in a custom user password lookup to integrate with your password manager.
etesync__url: '{{ "https://" + etesync__fqdn + "/" + etesync__http_psk_subpath }}'

etesync__admin_auth_basic_realm
A string which will be displayed as the realm in the browser user/password dialog box during HTTP Basic Authentication for the admin interface.
etesync__admin_auth_basic_realm: 'Access to EteSync admin interface is restricted'

etesync__admin_auth_basic_filename
Absolute path to the file that contains usernames and passwords for HTTP Basic Authentication for the admin interface.
etesync__admin_auth_basic_filename: ''

etesync__mail_to
List of recipients to which a mail with the full URL of the EteSync server will be sent in case etesync__http_psk_subpath is set.
etesync__mail_to: [ 'root@{{ ansible_domain }}' ]

etesync__mail_subject
Subject of the e-mail to be sent with the full service URL.
etesync__mail_subject: 'PSK subpath URL to EteSync on {{ ansible_fqdn }}'

etesync__mail_body
Body of the e-mail to be sent with the full service URL.
etesync__mail_body: |
  EteSync has been deployed for the first time on {{ ansible_fqdn }}.
  You have chosen to deploy the service on a random subpath thus the URL is
  needed to access the service.
  URL: {{ etesync__url }}
  You can continue the user setup in the Django administration interface of EteSync over at:
  {{ etesync__url }}/admin
  Have a nice day :)
Configuration variables for other Ansible roles

etesync__keyring__dependent_gpg_keys
Configuration for the debops.keyring Ansible role.
etesync__keyring__dependent_gpg_keys:
  - user: '{{ etesync__user }}'
    group: '{{ etesync__group }}'
    home: '{{ etesync__home }}'
    id: '{{ etesync__git_gpg_key_id }}'

etesync__python__dependent_packages3
Configuration for the debops.python Ansible role.
etesync__python__dependent_packages3:
  - 'python3-setproctitle'
  - 'python3-dev'
  ## Django>=2.1.7,<2.1.999 is required which is currently only in Debian sid.
  ## We install this with pip in a virtualenv for now.
  # - 'python3-django'
  - 'python3-tz'

etesync__gunicorn__dependent_applications
Configuration for the debops.gunicorn Ansible role.
etesync__gunicorn__dependent_applications:
  - name: 'etesync'
    mode: 'wsgi'
    working_dir: '{{ etesync__git_checkout }}'
    python: '{{ etesync__virtualenv + "/bin/python3" }}'
    user: '{{ etesync__user }}'
    group: '{{ etesync__group }}'
    home: '{{ etesync__home }}'
    system: True
    timeout: '{{ etesync__app_timeout }}'
    workers: '{{ etesync__app_workers }}'
    args: '{{ etesync__app_params }}'

etesync__nginx__dependent_upstreams
Upstream configuration for the debops.nginx Ansible role.
etesync__nginx__dependent_upstreams:
  - name: 'etesync'
    server: '{{ etesync__app_bind }}'

etesync__nginx__dependent_servers
Server configuration for the debops.nginx Ansible role.
etesync__nginx__dependent_servers:
  - name: '{{ etesync__fqdn }}'
    by_role: 'debops.etesync'
    filename: 'debops.etesync'
    favicon: False
    http_referrer_policy: 'same-origin'
    options: |
      client_max_body_size {{ etesync__max_file_size }}M;
    location_list:
      - pattern: '/'
        options: |-
          deny all;
        enabled: '{{ etesync__http_psk_subpath_enabled|bool }}'
      - pattern: '/static/admin/'
        options: |-
          alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/django/contrib/admin/static/admin/;
      - pattern: '/static/rest_framework/'
        options: |-
          alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/rest_framework/static/rest_framework/;
      - pattern: '/{{ etesync__http_psk_subpath }}'
        options: |-
          proxy_pass http://etesync;
          proxy_set_header X-Forwarded-Host $server_name;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          {% if etesync__http_psk_subpath %}
          proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
          {% endif %}
          proxy_connect_timeout {{ etesync__app_timeout }};
          proxy_send_timeout {{ etesync__app_timeout }};
          proxy_read_timeout {{ etesync__app_timeout }};
      - pattern: '{{ (("/" + etesync__http_psk_subpath)
                      if (etesync__http_psk_subpath_enabled | bool)
                      else "") + "/admin" }}'
        options: |-
          proxy_pass http://etesync;
          proxy_set_header X-Forwarded-Host $server_name;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          {% if etesync__http_psk_subpath_enabled | bool %}
          proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
          {% endif %}
          proxy_connect_timeout {{ etesync__app_timeout }};
          proxy_send_timeout {{ etesync__app_timeout }};
          proxy_read_timeout {{ etesync__app_timeout }};
          auth_basic "{{ etesync__admin_auth_basic_realm }}";
          auth_basic_user_file {{ etesync__admin_auth_basic_filename }};
        enabled: '{{ True if (etesync__admin_auth_basic_filename != "") else False }}'
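
An added example, not part of the role or its documentation: a simplified Python model of how nginx chooses among the locations defined in etesync__nginx__dependent_servers, to check which request paths the PSK subpath and the admin Basic Authentication actually cover. It assumes every pattern is rendered as a plain prefix location, so the longest matching prefix wins; the function names, the sample PSK, the sample paths and the htpasswd path are constructed for illustration.

```python
# Added example: simplified model of nginx prefix-location selection for the
# location_list above. Assumption: every pattern is a plain prefix location
# (no "=", "^~" or regex modifier), so the longest matching prefix wins.

def build_locations(psk_enabled, psk, admin_auth_file=""):
    """Mirror the enabled entries of etesync__nginx__dependent_servers."""
    subpath = psk if psk_enabled else ""      # etesync__http_psk_subpath
    locations = {
        "/static/admin/": "static",
        "/static/rest_framework/": "static",
    }
    if psk_enabled:
        locations["/"] = "deny"               # catch-all 'deny all;'
    locations["/" + subpath] = "proxy"        # plain '/' when the PSK is off
    if admin_auth_file:                       # enabled only with an htpasswd file
        prefix = ("/" + subpath) if psk_enabled else ""
        locations[prefix + "/admin"] = "proxy+basic-auth"
    return locations


def route(path, locations):
    """Return (matched prefix, action) for the longest matching prefix."""
    best = max((p for p in locations if path.startswith(p)), key=len, default=None)
    return best, locations.get(best, "no-match")


def exposure_report(paths, **settings):
    """Map each request path to the action nginx would take."""
    locations = build_locations(**settings)
    return {path: route(path, locations)[1] for path in paths}


# Constructed sample values; the real PSK comes from the role's password lookup.
SAMPLE_PSK = "Xk3exampleSubpath000000"
SAMPLE_PATHS = [
    "/",
    "/admin/",
    "/static/admin/css/base.css",
    "/" + SAMPLE_PSK + "/",
    "/" + SAMPLE_PSK + "/admin/login/",
]

if __name__ == "__main__":
    for enabled in (False, True):
        report = exposure_report(SAMPLE_PATHS, psk_enabled=enabled,
                                 psk=SAMPLE_PSK, admin_auth_file="/path/to/htpasswd")
        print("PSK subpath enabled:", enabled)
        for path, action in report.items():
            print(f"  {path} -> {action}")
```

With the PSK subpath enabled, the two /static/ locations are still served to clients that do not know the PSK, and the admin location gets Basic Authentication only when etesync__admin_auth_basic_filename is set.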