GH NGINX 3 + introduce /etc/iiab/iiab_state.yml + begin breaking apart playbooks into (1) install.yml (2) setup.yml (3) enable.yml

[jvonau]

[builds on / combines PRs #2008, #2009, #2017, #2020, #2031]

[holta]

http://minutes.iiab.io call ongoing...rough conclusion for coming days:

• test this PR on BIG-sized VM's (George on Debian 10.2, Tim on Ubuntu 18.04)
• test this PR on BIG-sized RPi 4
• verify (Python 3 version?) of Admin Console runs on top of this
  • service (iiab-cmdsrv) is already running Python 3 (in one of Tim's WIP branches) but some adjustments will be nec

[holta]

Jerry's separate PR holta#314 seems to be tracking this PR #2042 (both show "Files changed 135"). I'm not sure its exact purpose, but @jvonau can explain if PR314 is important.

[holta]

I will announce http://d.iiab.io/install-test.txt to xsce-devel@googlegroups.com in coming minutes/hours...for hardcore testing volunteers.

(It attempts a full IIAB installation using @jvonau's experimental PR #2042, instead of the usual/master branch of iiab/iiab).

@tim-moody if http://d.iiab.io/install-test.txt should also use a new/experimental iiab/iiab-admin-console branch-or-tag (instead of iiab-admin-console's master branch) please LMK.

[tim-moody]

On UB 18.04 VM with minimal local vars:

TASK [nginx : Remove nginx support for sugarizer] ********************************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "file (/etc/nginx/conf.d/sugarizer-nginx.conf) is absent, cannot continue", "path": "/etc/nginx/conf.d/sugarizer-nginx.conf"}

[jvonau]

pushed commits to correct.

root@box:/opt/iiab/iiab# tree /etc/nginx
/etc/nginx
├── conf.d
│   ├── admin-console.conf
│   ├── calibre-web-nginx.conf
│   ├── elgg-nginx.conf
│   ├── kiwix-nginx.conf
│   ├── kolibri-nginx.conf
│   ├── lokole-nginx.conf
│   ├── mediawiki-nginx.conf
│   ├── moodle-nginx.conf
│   ├── munin24-nginx.conf
│   ├── nextcloud-nginx.conf
│   ├── nodered-nginx.conf
│   ├── osm-vector-maps-nginx.conf
│   ├── sugarizer-nginx.conf
│   ├── usb-lib.conf
│   └── wordpress-nginx.conf
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── modules-available
├── modules-enabled
│   ├── 10-mod-http-ndk.conf -> /usr/share/nginx/modules-available/mod-http-ndk.conf
│   ├── 50-mod-http-auth-pam.conf -> /usr/share/nginx/modules-available/mod-http-auth-pam.conf
│   ├── 50-mod-http-cache-purge.conf -> /usr/share/nginx/modules-available/mod-http-cache-purge.conf
│   ├── 50-mod-http-dav-ext.conf -> /usr/share/nginx/modules-available/mod-http-dav-ext.conf
│   ├── 50-mod-http-echo.conf -> /usr/share/nginx/modules-available/mod-http-echo.conf
│   ├── 50-mod-http-fancyindex.conf -> /usr/share/nginx/modules-available/mod-http-fancyindex.conf
│   ├── 50-mod-http-geoip.conf -> /usr/share/nginx/modules-available/mod-http-geoip.conf
│   ├── 50-mod-http-headers-more-filter.conf -> /usr/share/nginx/modules-available/mod-http-headers-more-filter.conf
│   ├── 50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
│   ├── 50-mod-http-lua.conf -> /usr/share/nginx/modules-available/mod-http-lua.conf
│   ├── 50-mod-http-perl.conf -> /usr/share/nginx/modules-available/mod-http-perl.conf
│   ├── 50-mod-http-subs-filter.conf -> /usr/share/nginx/modules-available/mod-http-subs-filter.conf
│   ├── 50-mod-http-uploadprogress.conf -> /usr/share/nginx/modules-available/mod-http-uploadprogress.conf
│   ├── 50-mod-http-upstream-fair.conf -> /usr/share/nginx/modules-available/mod-http-upstream-fair.conf
│   ├── 50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
│   ├── 50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
│   ├── 50-mod-nchan.conf -> /usr/share/nginx/modules-available/mod-nchan.conf
│   └── 50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
├── nginx.conf
├── proxy_params
├── scgi_params
├── server.conf
├── sites-available
│   └── default
├── sites-enabled
├── snippets
│   ├── fastcgi-php.conf
│   └── snakeoil.conf
├── uwsgi_params
└── win-utf
6 directories, 47 files

Given there is sites-available/sites-enabled in nginx's config directory, I'm wondering if that is the correct (or better?) place for the snippets of code the defines the uri of the resources that are being proxied in place of using the conf.d directory, similar to how apache is laid out.

[holta]

Let's try to keep all Apache variables clustered together in one place within default_vars.yml
...a bit tighter than those scattered across Lines 225 to 251 would be great.

In any case, once these settle down and are a bit more readable, they should also be mentioned in...
https://github.com/iiab/iiab/blob/master/roles/httpd/defaults/main.yml

And those apache_* vars that matter most to implementers (which one or two do you recommend ?) can then be inserted into {local_vars_min.yml, local_vars_medium.yml, local_vars_big.yml}

[jvonau]

Just cleaned up the dups, final placement is your call. The apache_* vars are more of a place holder at the moment, but nginx_enabled: False in local_vars should disable nginx and run apache only. After the install is completed the quick test is: './runrole nginx' and look at netstat -natp

[jvonau]

There are some design discussions needed on the actual flow of the web traffic.

[tim-moody]

did a pull which did some sort of merge requiring a commit message?!

[tim-moody]

TASK [nginx : Disable /etc/apache2/sites-enabled/calibre-web.conf] ***************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": ["a2dissite", "calibre-web.conf"], "delta": "0:00:00.019569", "end": "2019-11-19 06:41:24.535382", "msg": "non-zero return code", "rc": 1, "start": "2019-11-19 06:41:24.515813", "stderr": "ERROR: Site calibre-web does not exist!", "stderr_lines": ["ERROR: Site calibre-web does not exist!"], "stdout": "", "stdout_lines": []}

[tim-moody]

re: sites_enabled I never like all our conf files there under apache and agree with their having been moved to conf.d sites should have different ports or domains imho

[jvonau]

Right, first pass so apache's sites-available is not populated yet, and a2dissite doesn't like it. Could use file: absent or move the role

[jvonau]

re: sites_enabled I never like all our conf files there under apache and agree with their having been moved to conf.d sites should have different ports or domains imho

Don't think it a matter of our opinion, it is a matter of customary practices while using Debian/Ubuntu, Redhat derivatives don't use sites-* and I'm used to that, but when in Rome....

At any rate I moved the role..

[jvonau]

apache only:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 15646/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 15646/apache2

apache & nginx:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 18296/nginx: master
tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 18166/apache2

Which one do we want to serve ssl as there is no config present for nginx/ssl in the original #2009?

[tim-moody]

TASK [awstats : Create symlink awstats.conf from sites-enabled to sites-available (debuntu)] *************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "src file does not exist, use "force=yes" if you really want to create the link: /etc/apache2/sites-available/awstats.conf", "path": "/etc/apache2/sites-enabled/awstats.conf", "src": "/etc/apache2/sites-available/awstats.conf"}

[jvonau]

corrective action:
git pull
./runrole --reinstall awstats
./iiab-install

[georgejhunt]

On raspbian lite, rpi4,
http://paste.debian.net/1117005/
error at roles/mysql/tasks/main.yml:138:- name: Update MySQL root password for localhost root accounts, if mysql_enabled
I ran install a second time, errorred out the same place

[holta]

On raspbian lite, rpi4,
http://paste.debian.net/1117005/
error at roles/mysql/tasks/main.yml:138:- name: Update MySQL root password for localhost root accounts, if mysql_enabled

Above bug report resembles #1714

[holta]

More complete error msg from the bottom of @georgejhunt's http://paste.debian.net/1117005/ :

2019-11-19 18:29:04,551 p=root u=26339 | TASK [mysql : Update MySQL root password for localhost root accounts, if mysql_enabled] ***
2019-11-19 18:29:05,671 p=root u=26339 | fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "The PyMySQL (Python 2.7 and Python 3.X) or MySQL-python (Python 2.X) module is required."}

[holta]

A fresh install of http://d.iiab.io/install-test.txt (this PR #2042, BIG-sized) failed on Ubuntu 19.10 VM @ 10.8.0.42 as follows:

TASK [kolibri : Supply /etc/nginx/conf.d/kolibri-nginx.conf when nginx_enabled] ***
failed: [127.0.0.1] (item={u'dest': u'/etc/nginx/conf.d/kolibri-nginx.conf', u'src': u'kolibri-nginx.conf.j2', u'mode': u'0644'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "329ac1ba27c78eec4cc3337f349946d8d321df01", "item": {"dest": "/etc/nginx/conf.d/kolibri-nginx.conf", "mode": "0644", "src": "kolibri-nginx.conf.j2"}, "msg": "Destination directory /etc/nginx/conf.d does not exist"}

PLAY RECAP *********************************************************************
127.0.0.1 : ok=403 changed=309 unreachable=0 failed=1 skipped=110 rescued=0 ignored=1

[georgejhunt]

hand installation of python3-distutils did not clear my error.
BUT:
"apt install python3-pymysql" did clear the error

[jvonau]

review nginx configs against nginx's guide

[tim-moody]

nginx: /modules and below location needs autoindex

[jvonau]

nginx: /modules and below location needs autoindex

How about adding the suggested code to #2052? Closing this PR as 2052 is a replacement