child 67:311b37063c1d
parent 65:855229e35eaa
66:4f361ef1d737
Anton Shestakov <av6@dwimlabs.net>, Fri, 05 Feb 2016 16:46:33 +0800
add sample roles and playbook

14 файлов изменено, 224 вставок(+), 0 удалений(-) [+]
provision/playbook.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/files/.hgrc file | annotate | diff | comparison | revisions
provision/roles/fruitbar/handlers/main.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/meta/main.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/tasks/appinstall.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/tasks/main.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar file | annotate | diff | comparison | revisions
provision/roles/fruitbar/templates/etc/supervisor/conf.d/fruitbar.conf file | annotate | diff | comparison | revisions
provision/roles/fruitbar/templates/gunicorn.conf file | annotate | diff | comparison | revisions
provision/roles/fruitbar/vars/main.yml file | annotate | diff | comparison | revisions
provision/roles/nginx/handlers/main.yml file | annotate | diff | comparison | revisions
provision/roles/nginx/tasks/main.yml file | annotate | diff | comparison | revisions
provision/roles/supervisor/handlers/main.yml file | annotate | diff | comparison | revisions
provision/roles/supervisor/tasks/main.yml file | annotate | diff | comparison | revisions
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/playbook.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ sudo: yes
+ vars:
+ umbrella: localhost
+ pre_tasks:
+ - lineinfile: dest=/etc/hosts line="127.0.0.1 fruitbar.{{ umbrella }}"
+ when: ansible_virtualization_type == "virtualbox"
+ - apt: update_cache=yes cache_valid_time=3600
+ roles:
+ - role: fruitbar
+...
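Review bot: `sudo: yes` on the play (playbook.yml:3) is the pre-1.9 privilege-escalation keyword, and `yes` is also a YAML 1.1 boolean literal that yamllint's `truthy` rule flags; `become: true` covers both and is what later Ansible releases expect. The `lineinfile` pre-task has no `regexp`, so changing `umbrella` later appends a second `127.0.0.1 fruitbar.…` line to /etc/hosts instead of replacing the first; adding `regexp='^127\.0\.0\.1 fruitbar\.'` keeps the task idempotent across renames. Whether the target Ansible version already accepts `become` is not visible in the diff.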
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/files/.hgrc Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,2 @@
+[hostfingerprints]
+bitbucket.org = 46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24
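Review bot: The `[hostfingerprints]` entry pins Bitbucket's current leaf-certificate SHA-1 fingerprint, which turns off CA validation for that host and will abort every `hg pull` the day Bitbucket rotates its certificate, so the commit should record where the value was verified and how it gets re-pinned. A comment above the line such as `# SHA-1 fingerprint of the bitbucket.org leaf cert, verified out-of-band on 2016-02-05; update on rotation` would do. If the installed Mercurial already validates against the system CA bundle, `[web] cacerts = /etc/ssl/certs/ca-certificates.crt` is the more durable choice, and newer releases offer `[hostsecurity]` with SHA-256 pins; which version jessie ships is not visible here.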
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/handlers/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,4 @@
+---
+- name: restart fruitbar
+ command: supervisorctl restart fruitbar
+...
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/meta/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - role: nginx
+ - role: supervisor
+...
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/tasks/appinstall.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,28 @@
+---
+- name: Ensure ~/webapps/ exists with world-readable permissions
+ file: path=/home/{{ user }}/webapps/ state=directory mode=0755
+
+- name: Add .hgrc
+ copy: src=.hgrc dest=/home/{{ user }}/.hgrc
+
+- name: Pull code
+ hg: repo=https://bitbucket.org/av6/fruitbar dest=/home/{{ user }}/webapps/fruitbar/
+ notify:
+ - restart fruitbar
+
+- name: Set up venv
+ pip: requirements=/home/{{ user }}/webapps/fruitbar/REQUIREMENTS virtualenv=/home/{{ user }}/webapps/fruitbar/venv/
+ notify:
+ - restart fruitbar
+
+- name: Install wsgi stuff
+ pip: name={{ item }} state=latest virtualenv=/home/{{ user }}/webapps/fruitbar/venv/
+ with_items:
+ - eventlet
+ - gunicorn
+
+- name: Add gunicorn config
+ template: src=gunicorn.conf dest=/home/{{ user }}/webapps/fruitbar/gunicorn.conf
+ notify:
+ - restart fruitbar
+...
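Review bot: The `hg:` task at appinstall.yml:9 has no `revision=`, so every run deploys whatever the tip of `default` on bitbucket.org is at that moment, and the `state=latest` pip task at line 14 likewise upgrades `eventlet`/`gunicorn` to whatever PyPI serves that day; both make a deploy non-reproducible and let an unreviewed upstream push land on the host. Pin the checkout to a tag or changeset, e.g. `hg: repo=… dest=… revision={{ fruitbar_rev }}` with the variable in vars/main.yml, and replace `state=latest` with pinned versions (`name=gunicorn==<version>` or move both into REQUIREMENTS). The `copy:` of `.hgrc` sets no `mode`, so it inherits the umask of the become-user; `mode=0644` makes the intent explicit. Whether REQUIREMENTS itself pins versions cannot be seen from the diff.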
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/tasks/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,48 @@
+---
+- name: Create user
+ user: name={{ user }}
+
+- name: Install packages
+ apt: pkg={{ item }} state=present
+ with_items:
+ - build-essential
+ - mercurial
+ - python-dev
+ - python-virtualenv
+
+- name: Install virtualenv
+ apt: pkg=virtualenv state=present
+ when: ansible_distribution_release == 'jessie'
+
+- include: appinstall.yml
+ sudo: yes
+ sudo_user: '{{ user }}'
+
+- name: Add supervisor app
+ template: src=etc/supervisor/conf.d/fruitbar.conf dest=/etc/supervisor/conf.d/fruitbar.conf
+ notify:
+ - reload supervisor
+
+- stat: path=/etc/ssl/local/fruitbar.{{ umbrella }}.pem
+ register: project_pemfile
+
+- stat: path=/etc/ssl/local/fruitbar.{{ umbrella }}.clean.key
+ register: project_keyfile
+
+- name: Extract information for HPKP header
+ shell: openssl rsa -in /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+ register: hpkpinfo
+ when: project_pemfile.stat.exists and project_keyfile.stat.exists
+ always_run: yes
+ failed_when: "'unable' in hpkpinfo.stderr"
+
+- name: Add Nginx site
+ template: src=etc/nginx/sites-available/fruitbar dest=/etc/nginx/sites-available/fruitbar.{{ umbrella }}
+ notify:
+ - restart nginx
+
+- name: Enable Nginx site
+ file: src=/etc/nginx/sites-available/fruitbar.{{ umbrella }} dest=/etc/nginx/sites-enabled/{{ site_order }}fruitbar.{{ umbrella }} state=link
+ notify:
+ - restart nginx
+...
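Review bot: The `hpkpinfo` result registered at tasks/main.yml:33 is not referenced by the nginx template added in this commit, so as written the root-run `openssl` pipeline (marked `always_run`) produces a pin that nothing consumes; either drop the task or wire it into a `Public-Key-Pins` header, and if the latter, remember HPKP needs a second offline backup pin and a short `max-age`, or losing that key locks every returning client out of the site. The `failed_when: "'unable' in hpkpinfo.stderr"` guard is also narrow: the pipeline runs under `/bin/sh` without `pipefail`, so any other failure of the first `openssl` still exits 0 and yields the base64 SHA-256 of empty input. `failed_when: hpkpinfo.rc != 0 or hpkpinfo.stdout == ''` together with `args: {executable: /bin/bash}` and `set -o pipefail;` in front of the pipeline catches that.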
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,74 @@
+upstream fruitbar {
+ server unix:/home/{{ user }}/webapps/fruitbar/socket fail_timeout=0;
+}
+
+{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
+server {
+ server_name fruitbar.{{ umbrella }};
+
+ listen 80;
+ listen [::]:80;
+
+ access_log /var/log/nginx/fruitbar.{{ umbrella }}.access.log;
+ error_log /var/log/nginx/fruitbar.{{ umbrella }}.error.log;
+
+ return 301 https://fruitbar.{{ umbrella }}$request_uri;
+}
+{% endif %}
+
+server {
+ server_name fruitbar.{{ umbrella }};
+
+{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
+ listen 443 ssl spdy;
+ listen [::]:443 ssl spdy;
+{% else %}
+ listen 80;
+ listen [::]:80;
+{% endif %}
+
+{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
+ ssl_certificate /etc/ssl/local/fruitbar.{{ umbrella }}.pem;
+ ssl_certificate_key /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key;
+ ssl_dhparam /etc/nginx/dh-2048.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+
+ # OCSP
+ ssl_stapling on;
+ resolver 8.8.8.8 [2001:4860:4860::8888] 8.8.4.4 [2001:4860:4860::8844];
+ resolver_timeout 5s;
+
+ # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
+ add_header X-Frame-Options 'SAMEORIGIN';
+
+ # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
+ add_header Strict-Transport-Security 'max-age=31536000';
+
+ add_header Cache-Control private;
+{% endif %}
+
+ access_log /var/log/nginx/fruitbar.{{ umbrella }}.access.log;
+ error_log /var/log/nginx/fruitbar.{{ umbrella }}.error.log;
+
+ client_max_body_size 1M;
+ keepalive_timeout 5;
+
+ location /static/ {
+ root /home/{{ user }}/webapps/fruitbar;
+ expires max;
+ access_log off;
+ }
+
+ location / {
+ proxy_pass http://fruitbar;
+ proxy_redirect off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-Ip $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
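Review bot: The TLS stanza at template lines 34–38 enables `TLSv1 TLSv1.1`, sets no `ssl_ciphers`/`ssl_prefer_server_ciphers` (so the cipher choice falls to nginx's built-in default and the generated dhparam only matters if a DHE suite is picked), and turns on `ssl_stapling` without `ssl_stapling_verify`/`ssl_trusted_certificate`, so the stapled OCSP response is never checked against the issuer chain. The `spdy` listen parameter is obsolete in nginx 1.9.5+ (`http2`), though which nginx jessie ships is not visible here, and `X-Content-Type-Options nosniff` is a cheap addition next to the existing `X-Frame-Options`. The cipher list below is a starting point to adjust for the expected client population, and the chain file path is illustrative — it must match what the role actually installs.
```nginx
    ssl_certificate /etc/ssl/local/fruitbar.{{ umbrella }}.pem;
    ssl_certificate_key /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key;
    ssl_dhparam /etc/nginx/dh-2048.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    # … unchanged: ssl_session_cache / ssl_session_timeout …

    # OCSP: validate the stapled response against the issuer chain
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/local/fruitbar.{{ umbrella }}.chain.pem;
    # … unchanged: resolver / resolver_timeout …

    add_header X-Frame-Options 'SAMEORIGIN';
    add_header X-Content-Type-Options 'nosniff';
    # … unchanged: Strict-Transport-Security / Cache-Control …
```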
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/templates/etc/supervisor/conf.d/fruitbar.conf Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,8 @@
+[program:fruitbar]
+command = /home/{{ user }}/webapps/fruitbar/venv/bin/gunicorn --config=/home/{{ user }}/webapps/fruitbar/gunicorn.conf app:app
+directory = /home/{{ user }}/webapps/fruitbar/
+process_name = fruitbar
+user = {{ user }}
+stopsignal = INT
+numprocs = 1
+autorestart = true
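Review bot: `stopsignal = INT` at fruitbar.conf:6 asks gunicorn for a quick shutdown (INT and QUIT both mean "stop now"), so every `supervisorctl restart fruitbar` fired by the deploy handlers drops in-flight requests; `stopsignal = TERM` is gunicorn's graceful shutdown, which waits up to `graceful_timeout` for workers to finish. Because gunicorn forks its worker, `stopasgroup = true` and `killasgroup = true` also keep a stuck worker from outliving the restart. The gunicorn version is not pinned in this commit, so confirm the signal semantics against the installed release.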
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/templates/gunicorn.conf Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,5 @@
+bind = 'unix:/home/{{ user }}/webapps/fruitbar/socket'
+workers = 1
+worker_class = 'eventlet'
+accesslog = '-'
+errorlog = '-'
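Review bot: gunicorn.conf binds to a Unix socket but sets no `umask`, and gunicorn's default umask is 0, so the socket is created world-writable and any local account can talk to the app directly, bypassing nginx's TLS, `client_max_body_size` and access log. Set `umask = 0o117` (socket mode 0660) and give nginx's `www-data` user access through the socket's group — e.g. by making www-data a member of the `projects` group — before tightening, or nginx will get `permission denied` on the upstream. Verify the resulting mode with `ls -l` on the socket after the first deploy, since the exact behaviour depends on the installed gunicorn version.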
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/fruitbar/vars/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,4 @@
+---
+user: projects
+site_order: 50
+...
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/nginx/handlers/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,4 @@
+---
+- name: restart nginx
+ service: name=nginx state=restarted
+...
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/nginx/tasks/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,22 @@
+---
+- name: Install package
+ apt: pkg=nginx state=present
+
+- name: Create a Diffie-Hellman key exchange parameters file
+ command: >
+ openssl dhparam
+ {% if ansible_virtualization_type == "virtualbox" %}-dsaparam{% endif %}
+ -out /etc/nginx/dh-2048.pem
+ 2048
+ args:
+ creates: /etc/nginx/dh-2048.pem
+ notify:
+ - restart nginx
+
+- name: Allow HTTP and HTTPS
+ ufw: rule=allow name='{{ item }}'
+ with_items:
+ - Nginx HTTP
+ - Nginx HTTPS
+ tags: [ufw]
+...
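Review bot: The `-dsaparam` shortcut at nginx/tasks/main.yml:8 is keyed on `ansible_virtualization_type == "virtualbox"` rather than on an explicit environment flag, so any production host that happens to be a VirtualBox guest silently gets the fast non-safe-prime DH parameters too. A role variable with a safe default, e.g. `fast_dhparam: false` and `{% if fast_dhparam %}-dsaparam{% endif %}`, keeps that decision in the inventory instead of the hypervisor. The `ufw` tasks rely on the `Nginx HTTP`/`Nginx HTTPS` application profiles and on ufw being enabled; neither the profile file nor a `ufw: state=enabled` task appears in this diff, so confirm both exist on the jessie target or the rules are a no-op.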
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/supervisor/handlers/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,4 @@
+---
+- name: reload supervisor
+ shell: supervisorctl reread && supervisorctl update
+...
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/provision/roles/supervisor/tasks/main.yml Fri Feb 05 16:46:33 2016 +0800
@@ -0,0 +1,4 @@
+---
+- name: Install package
+ apt: pkg=supervisor state=present
+...