debops.etesync default variables
Sections
Domain name configuration
- etesync__domain
The DNS domain used by other variables in the debops.etesync
role.
etesync__domain: '{{ ansible_domain }}'
- etesync__fqdn
String of the Fully Qualified domain names on which the EteSync application will be available, used by the webserver.
etesync__fqdn: 'etesync.{{ etesync__domain }}'
APT packages
- etesync__base_packages
List of APT packages which are required by the EteSync server.
etesync__base_packages:
- 'git'
#
- etesync__packages
List of additional APT packages to install with EteSync.
etesync__packages: []
Application user, group, home
- etesync__user
Name of the UNIX system account used to manage EteSync.
etesync__user: 'etesync'
- etesync__group
Name of the UNIX primary group used to manage EteSync.
etesync__group: 'etesync'
- etesync__gecos
Contents of the GECOS field set for the EteSync account.
etesync__gecos: 'EteSync'
- etesync__shell
The default shell set on the EteSync account.
etesync__shell: '/usr/sbin/nologin'
Directory paths
- etesync__home
The EteSync account home directory.
etesync__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+ "/" + etesync__user }}'
- etesync__etc
Directory where the role stores EteSync configuration.
etesync__etc: '/etc/etesync-server'
- etesync__src
Directory where the role stores EteSync version control sources.
etesync__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+ "/" + etesync__user }}'
- etesync__lib
Directory where the EteSync server directory is located.
etesync__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+ "/" + etesync__user }}'
- etesync__data
Directory where EteSync data is stored.
etesync__data: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/" + etesync__user }}'
Application sources and deployment
- etesync__git_gpg_key_id
The GPG ID of the key used for signing EteSync releases.
etesync__git_gpg_key_id: '9E21 F091 FC39 5F36 6A47 43E2 D2E5 84C3 7C47 7933'
- etesync__git_repo
The URI of the EteSync git source repository.
etesync__git_repo: 'https://github.com/etesync/server.git'
- etesync__git_version
The git branch or tag which will be installed. git commit hash lock to release 0.2.2. Note that this hash locking is not very effective because the main implementation of EteSync is in additional Python packages.
etesync__git_version: 'b026643cceae07b039942bf0c990ccf917eb072a'
- etesync__git_dest
Path where the git source bare repository will be stored.
etesync__git_dest: '{{ etesync__src + "/" + etesync__git_repo.split("://")[1] }}'
- etesync__git_checkout
Path where EteSync sources will be checked out (installation path).
etesync__git_checkout: '{{ etesync__lib + "/app" }}'
Python virtualenv configuration
- etesync__virtualenv
Path where the EteSync virtualenv
directory will be stored.
etesync__virtualenv: '{{ etesync__lib + "/virtualenv" }}'
EteSync configuration options
- etesync__config_allowed_hosts
List of domain names under which the EteSync server will accept
connections. Specify *
to accept connections to any domain name.
etesync__config_allowed_hosts:
- '{{ ansible_hostname }}'
- '{{ ansible_fqdn }}'
- '{{ etesync__fqdn }}'
- 'localhost'
- '[::1]'
- '127.0.0.1'
- etesync__config_secret_key
The Django secret key used by the EteSync server. It will be shared by all hosts on the same domain.
etesync__config_secret_key: '{{ lookup("password", secret + "/etesync/" +
etesync__domain + "/config/secret_key length=64") }}'
- etesync__config_secret_key_filepath
File path where the Django secret key will be stored on the remote host.
etesync__config_secret_key_filepath: '{{ etesync__etc + "/secret.txt" }}'
Initial superuser account
- etesync__superuser_name
Name of the initial admin account created by the role.
etesync__superuser_name: '{{ ansible_local.core.admin_users[0]
if (ansible_local.core.admin_users | d())
else "admin" }}'
- etesync__superuser_email
E-mail address of the initial admin account created by the role.
etesync__superuser_email: '{{ ansible_local.core.admin_private_email[0]
if (ansible_local.core.admin_private_email | d())
else ("root@" + etesync__domain) }}'
- etesync__superuser_password
Password set for the initial admin account created by the role.
etesync__superuser_password: '{{ lookup("password", secret + "/etesync/" +
inventory_hostname + "/superuser/" +
etesync__superuser_name + "/password") }}'
Internal application settings
- etesync__app_name
Name of the EteSync server processes (workers) set by the master process.
etesync__app_name: '{{ etesync__user }}'
- etesync__app_runtime_dir
Name of the subdirectory in the /run/
directory where the EteSync
application will bind its UNIX socket. The default is selected so that
configuration of the gunicorn
service is idempotent.
etesync__app_runtime_dir: '{{ "gunicorn"
if (ansible_distribution_release in
["trusty", "xenial"])
else "gunicorn-etesync" }}'
- etesync__app_bind
Specify either an UNIX or TCP socket on which the EteSync server should bind and listen for connections.
etesync__app_bind: 'unix:/run/{{ etesync__app_runtime_dir }}/etesync.sock'
- etesync__app_workers
Number of worker threads to start for EteSync server.
etesync__app_workers: '{{ ansible_processor_vcpus | int + 1 }}'
- etesync__app_timeout
Number of seconds after which non-responsive worker threads will be killed and restarted. EteSync installations with lots of objects might require longer timeouts for API access.
etesync__app_timeout: '900'
- etesync__app_params
List of parameters passed to the gunicorn
process manager.
etesync__app_params:
- '--name={{ etesync__app_name }}'
- '--bind={{ etesync__app_bind }}'
- '--workers={{ etesync__app_workers }}'
- '--timeout={{ etesync__app_timeout }}'
- 'etesync_server.wsgi'
Other variables
- etesync__max_file_size
Maximum upload size, in MB.
etesync__max_file_size: '5'
- etesync__python_version
Python version, needed to refer to static files as installed by Python modules.
etesync__python_version: '{{ ansible_local.python.version3 | d("3.x") }}'
- etesync__http_psk_subpath_enabled
Whether EteSync should be deployed on a random subpath that acts as a protection of the web app/API from people not knowing this PSK. For a discussion in which scenarios this can make sense, refer to RFC: Support subpath/subdir hosting for additional security.
etesync__http_psk_subpath_enabled: False
- etesync__http_psk_subpath
PSK used as subpath that acts as the first layer of defense in a security in depth concept if enabled.
etesync__http_psk_subpath: '{{ lookup("password", secret + "/etesync/" +
inventory_hostname + "/config/subpath chars=ascii_letters,digits length=23")
if etesync__http_psk_subpath_enabled | bool
else "" }}'
- etesync__url
The URL where the EteSync server will be reachable. Exposed as variable here as you might want to use it in your custom user password lookup for integrating into your password manager.
etesync__url: '{{ "https://" + etesync__fqdn + "/" + etesync__http_psk_subpath }}'
- etesync__admin_auth_basic_realm
A string which will be displayed as the realm in the browser user/password dialog box during HTTP Basic Authentication for the admin interface.
etesync__admin_auth_basic_realm: 'Access to EteSync admin interface is restricted'
- etesync__admin_auth_basic_filename
Absolute path to the file that contains usernames and passwords for HTTP Basic Authentication for the admin interface.
etesync__admin_auth_basic_filename: ''
- etesync__mail_to
List of recipients to which a mail will be send with the full URL of the
EteSync server in case etesync__http_psk_subpath
is set.
etesync__mail_to: [ 'root@{{ ansible_domain }}' ]
- etesync__mail_subject
Subject of the Email to be send with the full service URL.
etesync__mail_subject: 'PSK subpath URL to EteSync on {{ ansible_fqdn }}'
- etesync__mail_body
Body of the Email to be send with the full service URL.
etesync__mail_body: |
EteSync has been deployed for the first time on {{ ansible_fqdn }}.
You have chosen to deploy the service on a random subpath thus the URL is
needed to access the service.
URL: {{ etesync__url }}
You can continue the user setup in the Django administration interface of EteSync over at:
{{ etesync__url }}/admin
Have a nice day :)
Configuration variables for other Ansible roles
- etesync__keyring__dependent_gpg_keys
Configuration for the debops.keyring Ansible role.
etesync__keyring__dependent_gpg_keys:
- user: '{{ etesync__user }}'
group: '{{ etesync__group }}'
home: '{{ etesync__home }}'
id: '{{ etesync__git_gpg_key_id }}'
- etesync__python__dependent_packages3
Configuration for the debops.python Ansible role.
etesync__python__dependent_packages3:
- 'python3-setproctitle'
- 'python3-dev'
## Django>=2.1.7,<2.1.999 is required which is currently only in Debian sid.
## We install this with pip in a virtualenv for now.
# - 'python3-django'
- 'python3-tz'
- etesync__gunicorn__dependent_applications
Configuration for the debops.gunicorn Ansible role.
etesync__gunicorn__dependent_applications:
- name: 'etesync'
mode: 'wsgi'
working_dir: '{{ etesync__git_checkout }}'
python: '{{ etesync__virtualenv + "/bin/python3" }}'
user: '{{ etesync__user }}'
group: '{{ etesync__group }}'
home: '{{ etesync__home }}'
system: True
timeout: '{{ etesync__app_timeout }}'
workers: '{{ etesync__app_workers }}'
args: '{{ etesync__app_params }}'
- etesync__nginx__dependent_upstreams
Upstream configuration for the debops.nginx Ansible role.
etesync__nginx__dependent_upstreams:
- name: 'etesync'
server: '{{ etesync__app_bind }}'
- etesync__nginx__dependent_servers
Server configuration for the debops.nginx Ansible role.
etesync__nginx__dependent_servers:
- name: '{{ etesync__fqdn }}'
by_role: 'debops.etesync'
filename: 'debops.etesync'
favicon: False
http_referrer_policy: 'same-origin'
options: |
client_max_body_size {{ etesync__max_file_size }}M;
location_list:
- pattern: '/'
options: |-
deny all;
enabled: '{{ etesync__http_psk_subpath_enabled | bool }}'
- pattern: '/static/admin/'
options: |-
alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/django/contrib/admin/static/admin/;
- pattern: '/static/rest_framework/'
options: |-
alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/rest_framework/static/rest_framework/;
- pattern: '/{{ etesync__http_psk_subpath }}'
options: |-
proxy_pass http://etesync;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
{% if etesync__http_psk_subpath %}
proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
{% endif %}
proxy_connect_timeout {{ etesync__app_timeout }};
proxy_send_timeout {{ etesync__app_timeout }};
proxy_read_timeout {{ etesync__app_timeout }};
- pattern: '{{ (("/" + etesync__http_psk_subpath)
if (etesync__http_psk_subpath_enabled | bool)
else "") + "/admin" }}'
options: |-
proxy_pass http://etesync;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
{% if etesync__http_psk_subpath_enabled | bool %}
proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
{% endif %}
proxy_connect_timeout {{ etesync__app_timeout }};
proxy_send_timeout {{ etesync__app_timeout }};
proxy_read_timeout {{ etesync__app_timeout }};
auth_basic "{{ etesync__admin_auth_basic_realm }}";
auth_basic_user_file {{ etesync__admin_auth_basic_filename }};
enabled: '{{ True if (etesync__admin_auth_basic_filename != "") else False }}'