Merge branch 'master' into jarv/termination-support

playbooks/edx-east/feanil_deploy.yml

+---
 - hosts: tag_aws_cloudformation_stack-name_feanilpractice:&tag_group_edxapp
   sudo: True
   vars_files:
@@ -7,3 +8,13 @@
     - common
     - nginx
     - edxapp
+
+- hosts: tag_aws_cloudformation_stack-name_feanilpractice:&tag_group_xserver
+  sudo: True
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_continuous_integration_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+  roles:
+    - common
+    - nginx
+    - xserver

playbooks/edx-west/edxapp_prod.yml

+# this gets all running prod webservers
 #- hosts: tag_environment_prod:&tag_function_webserver
+# or we can get subsets of them by name
 - hosts: ~tag_Name_app(10|20)_prod
-#- hosts: tag_environment_prod:&tag_function_webserver
+#- hosts: ~tag_Name_app(11|21)_prod
+## these are cold hosts:
+#- hosts: ~tag_Name_app(12|22)_prod
+## this is the test box
+#- hosts: ~tag_Name_app4_prod
+## you can also do security group, but don't do that
 #- hosts: security_group_edx-prod-EdxappServerSecurityGroup-NSKCQTMZIPQB
   sudo: True
-  vars_files:
-    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
-    - "{{ secure_dir }}/vars/users.yml"
-    - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
   vars:
     secure_dir: '../../../configuration-secure/ansible'
     # this indicates the path to site-specific (with precedence)
     # things like nginx template files
     local_dir:  '../../../configuration-secure/ansible/local'
-
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+    - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
+    - "{{ secure_dir }}/vars/shib_prod_vars.yml"
   roles:
     - common
     - nginx
     - edxapp
+    - apache
+    - shibboleth
     # run this role last
     - in_production

playbooks/edx-west/edxapp_prod_apache.yml

@@ -6,6 +6,7 @@
     - "{{ secure_dir }}/vars/users.yml"
     - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
     - "{{ secure_dir }}/vars/shib_prod_vars.yml"
+
   vars:
     secure_dir: '../../../configuration-secure/ansible'
     # this indicates the path to site-specific (with precedence)

playbooks/edx-west/edxapp_stage.yml

+- hosts: tag_environment_stage:&tag_function_webserver
+  sudo: True
+  vars:
+    secure_dir: ../../../edx-secret/ansible
+    local_dir: ../../../edx-secret/ansible/local
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_stage_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+    - "{{ secure_dir }}/vars/edxapp_stage_users.yml"
+  roles:
+    - common
+    - nginx
+    # - gunicorn
+    - edxapp
+    #- in_production

playbooks/edx-west/jumpbox_prod.yml

+- hosts: tag_Name_jumpbox_prod
+  sudo: True
+  vars_files:
+    - "{{ secure_dir }}/vars/users.yml"
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    # this indicates the path to site-specific (with precedence)
+    # things like nginx template files
+    local_dir:  '../../../configuration-secure/ansible/local'
+
+  roles:
+    - common
\ No newline at end of file

playbooks/edx-west/stage-ansible.cfg

+# ansible reads $ANSIBLE_CONFIG, ansible.cfg, ~/.ansible.cfg or /etc/ansible/ansible.cfg
+
+[defaults]
+# Always have these for using the configuration repo
+jinja2_extensions=jinja2.ext.do
+hash_behaviour=merge
+
+# These are environment-specific defaults
+forks=10
+#forks=1
+log_path=stage-edx-ansible.log
+transport=ssh
+hostfile=./ec2.py
+extra_vars='key=deployment name=edx-stage group=edx-stage region=us-west-1'
+user=ubuntu
+
+[ssh_connection]
+# example from https://github.com/ansible/ansible/blob/devel/examples/ansible.cfg
+#ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+ssh_args=-F stage-ssh-config
+scp_if_ssh=True

playbooks/edx-west/stage-ssh-config

+#### edx-stage VPC 
+
+Host 54.241.183.3
+#Host vpc-jumpbox
+    HostName 54.241.183.3
+    User ubuntu
+    ForwardAgent yes
+
+Host *.us-west-1.compute.internal
+    User ubuntu
+    ForwardAgent yes
+    ProxyCommand ssh -W %h:%p ubuntu@54.241.183.3
+
+Host *
+    ForwardAgent yes
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+

playbooks/edx-west/xqueue_prod.yml

+# this gets all running prod webservers
+- hosts: tag_environment_prod:&tag_function_xqueue
+# or we can get subsets of them by name
+#- hosts: ~tag_Name_xserver(1|2)_prod
+#- hosts: security_group_edx-prod-EdxappServerSecurityGroup-NSKCQTMZIPQB
+  sudo: True
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    # this indicates the path to site-specific (with precedence)
+    # things like nginx template files
+    local_dir:  '../../../configuration-secure/ansible/local'
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+    - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
+  roles:
+    - common
+    - nginx
+    - xqueue

playbooks/edx-west/xserver_prod.yml

+# this gets all running prod webservers
+- hosts: tag_environment_prod:&tag_function_xserver
+# or we can get subsets of them by name
+#- hosts: ~tag_Name_xserver(1|2)_prod
+#- hosts: security_group_edx-prod-EdxappServerSecurityGroup-NSKCQTMZIPQB
+  sudo: True
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    # this indicates the path to site-specific (with precedence)
+    # things like nginx template files
+    local_dir:  '../../../configuration-secure/ansible/local'
+  vars_files:
+    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
+    - "{{ secure_dir }}/vars/users.yml"
+    - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
+  roles:
+    - common
+    - nginx
+    - xserver

playbooks/roles/apache/templates/lms.j2

@@ -15,9 +15,9 @@ WSGIRestrictEmbedded On
 
     SetEnv SERVICE_VARIANT lms
     
-    WSGIScriptAlias / {{platform_code_dir}}/lms/wsgi_apache_lms.py
+    WSGIScriptAlias / {{edx_platform_code_dir}}/lms/wsgi_apache_lms.py
 
-    <Directory {{platform_code_dir}}/lms>
+    <Directory {{edx_platform_code_dir}}/lms>
     <Files wsgi_apache_lms.py>
         Order deny,allow
         Allow from all
@@ -39,7 +39,7 @@ WSGIRestrictEmbedded On
         require valid-user
     </Location>
 
-    WSGIDaemonProcess lms user=www-data group=adm processes=1 python-path={{platform_code_dir}}:{{venv_dir}}/lib/python2.7/site-packages display-name=%{GROUP}
+    WSGIDaemonProcess lms user=www-data group=adm processes=1 python-path={{edx_platform_code_dir}}:{{venv_dir}}/lib/python2.7/site-packages display-name=%{GROUP}
     WSGIProcessGroup lms
     WSGIApplicationGroup %{GLOBAL}
     

playbooks/roles/common/tasks/create_users.yml

@@ -34,7 +34,7 @@
   - update
 
 - name: Creating env users
-  user: name={{ item.user }} groups={{ ",".join(item.groups) }} shell=/bin/bash
+  user: name={{ item.user }} {% if item.groups %}groups={{ ",".join(item.groups) }}{% endif %} shell=/bin/bash
   with_items: env_users
   when: env_users is defined
   tags:

playbooks/roles/common/tasks/main.yml

@@ -37,6 +37,7 @@
   - rsyslog
   - screen
   - tree
+  - git
   tags:
   - pre_install
   - update
@@ -77,6 +78,24 @@
   - logging
   - update
 
+# Install ssh keys for ubuntu account to be able to check out from edx-platform
+# Temprory behavior, not needed after June 1. Perhaps still useful as a recipe.
+# {{ secure_dir }} is relative to the top-level playbooks dir so there is some
+
+- name: install read-only ssh key for edx-platform repo (private)
+  copy: src={{ secure_dir }}/files/git-identity dest=/etc/git-identity force=yes owner=ubuntu group=adm mode=600
+  tags:
+  - lms
+  - cms
+  - update
+
+- name: upload ssh script
+  copy: src=git_ssh.sh dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750
+  tags:
+  - lms
+  - cms
+  - update
+
 - include: create_venv.yml
 - include: edx_logging_base.yml
 

playbooks/roles/common/templates/edx-update.sh.j2

@@ -50,7 +50,6 @@ cd {{edx_platform_code_dir}}
 
 BRANCH="origin/feature/edx-west/stanford-theme"
 
-export GIT_SSH="/tmp/git_ssh.sh"
 run git fetch origin -p
 run git checkout $BRANCH
 

playbooks/roles/discern/tasks/main.yml

@@ -40,10 +40,6 @@
 - name: change memory commit settings -- needed for redis
   command: sysctl vm.overcommit_memory=1
 
-#Upload custom git ssh script
-- name: upload ssh script
-  copy: src=git_ssh.sh dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750
-
 - name: set permissions on app_base_dir sgid for edx
   file: path={{app_base_dir}} owner=root group=edx mode=2775 state=directory
   file: path={{venv_dir}} owner=root group=edx mode=2775 state=directory
@@ -61,16 +57,12 @@
 #Grab both repos or update
 - name: git checkout discern repo into discern_dir
   git: dest={{discern_dir}} repo={{discern_source_repo}} version={{discern_branch}}
-  environment:
-    GIT_SSH: /tmp/git_ssh.sh
   notify:
     - restart celery
     - restart discern
 
 - name: git checkout ease repo into ease_dir
   git: dest={{ease_dir}} repo={{ease_source_repo}} version={{ease_branch}}
-  environment:
-    GIT_SSH: /tmp/git_ssh.sh
   notify:
     - restart celery
     - restart discern
@@ -133,4 +125,4 @@
 
 - name: Creating nginx config link {{ site_name }}
   file: src=/etc/nginx/sites-available/{{ site_name }} dest=/etc/nginx/sites-enabled/{{ site_name }} state=link owner=root group=root
-  notify: restart nginx
\ No newline at end of file
+  notify: restart nginx

playbooks/roles/discern/vars/main.yml

-discern_source_repo: git@github.com:edx/discern.git
-ease_source_repo: git@github.com:edx/ease.git
+discern_source_repo: https://github.com/edx/discern.git
+ease_source_repo: https://github.com/edx/ease.git
 ease_dir: $app_base_dir/ease
 discern_dir: $app_base_dir/discern
 discern_settings: discern.aws
@@ -9,4 +9,4 @@ discern_branch: dev
 nginx_listen_port: 80
 gunicorn_port: 7999
 discern_user: discern
-site_name: discern
\ No newline at end of file
+site_name: discern

playbooks/roles/edxapp/tasks/deploy.yml

@@ -11,8 +11,6 @@
 # Do A Checkout
 - name: git checkout edx-platform repo into $app_base_dir
   git: dest={{edx_platform_code_dir}} repo={{lms_source_repo}} version={{lms_version}}
-  environment:
-    GIT_SSH: /tmp/git_ssh.sh
   tags:
   - lms
   - cms

playbooks/roles/edxapp/tasks/main.yml

@@ -28,31 +28,6 @@
   - lms-env
   - update
 
-# Install ssh keys for ubuntu account to be able to check out from edx-platform
-# Temprory behavior, not needed after June 1. Perhaps still useful as a recipe.
-# {{ secure_dir }} is relative to the top-level playbooks dir so there is some
-
-- name: install read-only ssh key for edx-platform repo (private)
-  copy: src={{ secure_dir }}/files/git-identity dest=/etc/git-identity force=yes owner=ubuntu group=adm mode=600
-  tags:
-  - lms
-  - cms
-  - update
-
-- name: upload ssh script
-  copy: src=git_ssh.sh dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750
-  tags:
-  - lms
-  - cms
-  - update
-
-# Check out edx-platform repo to $app_base_dir
-- name: install git and its recommends
-  apt: pkg=git state=present install_recommends=yes 
-  tags:
-  - lms
-  - cms
-
 - name: install a bunch of system packages on which LMS and CMS rely
   apt: pkg={{item}} state=present
   with_items: lms_debian_pkgs

playbooks/roles/edxapp/tasks/ruby.yml

@@ -29,7 +29,7 @@
   - install
 
 - name: rbenv | update rbenv repo
-  git: repo=git://github.com/sstephenson/rbenv.git dest=$rbenv_root version=v0.4.0
+  git: repo=https://github.com/sstephenson/rbenv.git dest=$rbenv_root version=v0.4.0
   tags:
   - ruby
   - install
@@ -63,7 +63,7 @@
   - install
 
 - name: rbenv | clone ruby-build repo
-  git: repo=git://github.com/sstephenson/ruby-build.git dest=${tempdir.stdout}/ruby-build
+  git: repo=https://github.com/sstephenson/ruby-build.git dest=${tempdir.stdout}/ruby-build
   when_failed: $rbuild_present
   tags:
   - ruby

playbooks/roles/edxapp/vars/main.yml

@@ -48,11 +48,11 @@ worker_core_mult:
 #To turn off theming, specify edxapp_theme_name: ''
 #Stanford, for example, uses edxapp_theme_name: 'stanford'
 edxapp_theme_name: ''
-edxapp_theme_source_repo: 'git://github.com/Stanford-Online/edx-theme.git'
+edxapp_theme_source_repo: 'https://github.com/Stanford-Online/edx-theme.git'
 edxapp_theme_version: 'HEAD'
 
 # make this the public URL instead of writable
-lms_source_repo: git://github.com/edx/edx-platform.git
+lms_source_repo: https://github.com/edx/edx-platform.git
 lms_version: 'HEAD'
 local_requirements_file:  "{{ edx_platform_code_dir }}/requirements/edx/local.txt"
 pre_requirements_file:    "{{ edx_platform_code_dir }}/requirements/edx/pre.txt"
@@ -73,7 +73,6 @@ lms_debian_pkgs:
   - gcc
   - gfortran
   - ghostscript
-  - git
   - github-cli
   - graphviz
   - graphviz-dev
@@ -101,6 +100,7 @@ lms_debian_pkgs:
   - libxml2-dev
   - libxml2-utils
   - libxslt1-dev
+  - lynx-cur
   - maven2
   - mongodb
   - mongodb-clients
@@ -150,4 +150,4 @@ deploy_environment:
   SKIP_WS_MIGRATIONS: 1
   RBENV_ROOT: "{{ rbenv_root }}"
   GEM_HOME: "{{ gem_home }}"
-  PATH: "{{ venv_dir }}/bin:{{ edx_platform_code_dir }}/bin:{{ rbenv_root }}/bin:{{ rbenv_root }}/shims:{{ gem_home }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
+  PATH: "{{ venv_dir }}/bin:{{ edx_platform_code_dir }}/bin:{{ rbenv_root }}/bin:{{ rbenv_root }}/shims:{{ gem_home }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

playbooks/roles/in_production/tasks/main.yml

@@ -6,27 +6,9 @@
 #  - ruby/tasks/main.yml
 #  - npm/tasks/main.yml
 ---
-- name: Make sure LMS is running
-  service: name=lms state=started
+- name: Make sure edxapp is running
+  service: name=edxapp state=started
   tags:
-  - lms
-  - lms-env
-  - production
-  - update
-
-- name: Make sure CMS is running
-  service: name=cms state=started
-  tags:
-  - cms
-  - cms-env
-  - production
-  - update
-
-- name: Make sure LMS-preview is running
-  service: name=lms-preview state=started
-  tags:
-  - lms-preview
-  - lms-preview-env
   - production
   - update
 

playbooks/roles/nginx/templates/xqueue.j2

 upstream app_server {
     # For a TCP configuration:
-    server 127.0.0.1:{{ xqueue.gunicorn_port }} fail_timeout=0;
+    server 127.0.0.1:{{ xqueue_gunicorn_port }} fail_timeout=0;
 }
 
 server {
-  listen {{ xqueue.nginx_port }} default_server;
+  listen {{ xqueue_nginx_port }} default_server;
 
   location / {
     try_files $uri @proxy_to_app;

playbooks/roles/xqueue/tasks/main.yml

@@ -21,19 +21,21 @@
   - xqueue
 
 - name: create xqueue application config
-  template: src=xqueue_env.json.j2 dest=$app_base_dir/env.json mode=640 owner=www-data group=adm
+  template: src=xqueue.env.json.j2 dest=$app_base_dir/env.json mode=0640 owner=www-data group=adm
   tags:
   - xqueue
 
 - name: create xqueue auth file
-  template: src=xqueue_auth.json.j2 dest=$app_base_dir/auth.json mode=640 owner=www-data group=adm
+  template: src=xqueue.auth.json.j2 dest=$app_base_dir/auth.json mode=0640 owner=www-data group=adm
   tags:
   - xqueue
 
 - name: creating xqueue upstart script
-  sudo: True
-  template: src=xqueue_conf.j2 dest=/etc/init/xqueue_conf owner=root group=root
+  template: src=xqueue.conf.j2 dest=/etc/init/xqueue.conf mode=0640 owner=root group=adm
   tags:
   - xqueue
 
+# Install nginx site
+- include: ../../nginx/tasks/nginx_site.yml state=link site_name=xqueue
+
 - include: deploy.yml

playbooks/roles/xqueue/templates/xqueue.conf.j2

-#/etc/init/xqueue_conf
+#/etc/init/xqueue.conf
 
 description "xqueue server"
 author "edX <info@edx.org>"
@@ -6,15 +6,15 @@ author "edX <info@edx.org>"
 respawn
 respawn limit 3 30
 
-env PID=/var/tmp/xqueue_pid
+env PID=/var/tmp/xqueue.pid
 env WORKERS={{ ansible_processor_cores * 2 }}
 env PORT={{ xqueue_gunicorn_port }}
 env LANG=en_US.UTF-8
-env DJANGO_SETTINGS_MODULE=xqueue_aws_settings
+env DJANGO_SETTINGS_MODULE=xqueue.aws_settings
 env SERVICE_VARIANT="xqueue"
 
 
 chdir {{ xqueue_code_dir }}
 setuid www-data
 
-exec {{ venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=300 --pythonpath={{ xqueue_code_dir }} xqueue_wsgi
+exec {{ venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=300 --pythonpath={{ xqueue_code_dir }} xqueue.wsgi

playbooks/roles/xqueue/vars/main.yml

@@ -14,7 +14,7 @@ xqueue_gunicorn_port: 8040
 xqueue_auth_config: {}
 xqueue_env_config: {}
 
-xqueue_source_repo: https://github.com/edx/xqueue_git
+xqueue_source_repo: https://github.com/edx/xqueue.git
 xqueue_version: 'HEAD'
 xqueue_pre_requirements_file:    "{{ xqueue_code_dir }}/pre-requirements.txt"
 xqueue_post_requirements_file:   "{{ xqueue_code_dir }}/requirements.txt"

playbooks/roles/xserver/files/sandbox.conf

+sandbox       hard   core  0
+sandbox       hard   data  100000
+sandbox       hard   fsize 10000
+sandbox       hard   memlock 10000
+sandbox       hard   nofile 20
+sandbox       hard   rss    10000
+sandbox       hard   stack  100000
+sandbox       hard   cpu    0
+sandbox       hard   nproc  8
+sandbox       hard   as     32000
+sandbox       hard   maxlogins  1
+sandbox       hard   priority  19
+sandbox       hard   locks     4
+sandbox       hard   sigpending  100
+sandbox       hard   msgqueue  100000
+sandbox       hard   nice     19

playbooks/roles/xserver/handlers/main.yml

+
+- name: restart nginx
+  service: name=nginx state=restarted
+

playbooks/roles/xserver/tasks/deploy.yml

+- name: stop xserver
+  service: name=xserver state=stopped
+  tags:
+  - deploy
+
+- name: checkout code
+  git: dest={{ xserver_code_dir }} repo={{ xserver_source_repo }} version={{ xserver_version }}
+  tags:
+  - deploy
+
+- name: install requirements
+  pip: requirements="{{ xserver_requirements_file }}" virtualenv="{{ venv_dir }}" state=present
+  tags:
+  - deploy
+
+- name: install sandbox requirements
+  pip: requirements="{{ xserver_requirements_file }}" virtualenv="{{ xserver_sandbox_venv_dir }}" state=present
+  tags:
+  - deploy
+
+- name: create xserver application config
+  template: src=xserver.env.json.j2 dest={{ app_base_dir }}/env.json mode=640 owner=www-data group=adm
+  tags:
+  - deploy
+
+- name: checkout grader code
+  git: dest={{ xserver_grader_dir }} repo={{ xserver_grader_source }} version={{ xserver_grader_version }}
+  environment:
+    GIT_SSH: /tmp/git_ssh.sh
+  tags:
+  - deploy
+
+- name: start xserver
+  service: name=xserver state=started
+  tags:
+  - deploy

playbooks/roles/xserver/tasks/main.yml

+# Provision and bring up xserver
+---
+
+- name: ensure sandbox group exists
+  group: name=sandbox
+
+- name: ensure sandbox user exists
+  user: name=sandbox group=sandbox
+
+- name: create sandbox python directory
+  file: path={{ xserver_sandbox_venv_dir }} owner=ubuntu group=adm mode=2775 state=directory
+
+- name: create sandbox python
+  command: /usr/local/bin/virtualenv {{ xserver_sandbox_venv_dir }} --distribute creates={{ xserver_sandbox_venv_dir }}/bin/activate
+
+# Make sure this line is in the common-session file.
+- name: ensure pam-limits module is loaded
+  lineinfile:
+    dest=/etc/pam.d/common-session
+    regexp="session required pam_limits.so"
+    line="session required pam_limits.so"
+
+- name: set sandbox limits
+  copy: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
+  first_available_file:
+  - "{{ secure_dir }}/sandbox.conf"
+  - "sandbox.conf"
+
+- name: ensure apparmor package
+  apt: pkg=apparmor-utils state=present
+
+- name: load python-sandbox apparmor profile
+  template: src={{ item }} dest=/etc/apparmor.d/edx_apparmor_sandbox
+  first_available_file:
+  - "{{ secure_dir }}/files/edx_apparmor_sandbox.j2"
+  - "usr.bin.python-sandbox.j2"
+
+- name: enforce app-armor rules
+  command: aa-enforce {{ xserver_sandbox_venv_dir }}
+
+- name: setup upstart script
+  template: src=xserver.conf.j2 dest=/etc/init/xserver.conf owner=root group=root
+
+- name: install system dependencies of xserver
+  apt: pkg={{ item }} state=present
+  with_items: xserver_debian_pkgs
+
+- include: nginx.yml
+
+- include: deploy.yml

playbooks/roles/xserver/tasks/nginx.yml

+- name: add xserver nginx configuration
+  template: src=simple-proxy.j2 dest=/etc/nginx/sites-available/simple-proxy
+  notify:
+  - restart nginx
+
+- name: enable xserver nginx configuration
+  file: src=/etc/nginx/sites-available/simple-proxy dest=/etc/nginx/sites-enabled/simple-proxy state=link
+  notify:
+  - restart nginx

playbooks/roles/xserver/templates/simple-proxy.j2

+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+upstream app_server {
+    # For a TCP configuration:
+    server 127.0.0.1:{{ xserver_port }} fail_timeout=0;
+}
+
+server {
+  listen {{ xserver_nginx_port }} default_server;
+
+  location / {
+    try_files $uri @proxy_to_app;
+  }
+
+
+location @proxy_to_app {
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+    proxy_pass http://app_server;
+  }
+}

playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2

+#include <tunables/global>
+
+/usr/bin/python-sandbox {
+  #include <abstractions/base>
+
+  /usr/bin/python-sandbox mr,
+  /usr/include/python2.7/** r,
+  /usr/local/lib/python2.7/** r,
+  /usr/lib/python2.7** rix,
+
+  /tmp/** rix,
+}
+

playbooks/roles/xserver/templates/xserver.conf.j2

+# gunicorn
+
+description "gunicorn server"
+author "Calen Pennington <cpennington@mitx.mit.edu>"
+
+start on started edxapp
+stop on stopped edxapp
+
+respawn
+respawn limit 3 30
+
+env PID=/var/tmp/xserver.pid
+env NEW_RELIC_CONFIG_FILE={{ app_base_dir }}/newrelic.ini
+env NEWRELIC={{ venv_dir }}/bin/newrelic-admin
+env WORKERS={{ ansible_processor|length }}
+env PORT={{ xserver_port }}
+env LANG=en_US.UTF-8
+env DJANGO_SETTINGS_MODULE=xserver_aws_settings
+env SERVICE_VARIANT="xserver"
+
+
+chdir {{ xserver_code_dir }}
+setuid www-data
+
+exec {{ venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=30 --pythonpath={{ xserver_code_dir }} pyxserver_wsgi:application
+

playbooks/roles/xserver/templates/xserver.env.json.j2

+{{ xserver_env_config | to_nice_json }} 

playbooks/roles/xserver/vars/main.yml

+# Variables for the xserver.
+---
+
+
+xserver_code_dir: "{{ app_base_dir }}/xserver"
+xserver_source_repo: "git://github.com/edx/xserver.git"
+# This should probably be overridden in the playbook or groupvars
+# with the default pointing to the head of master.
+xserver_version: HEAD
+
+xserver_grader_dir: "{{ app_base_dir }}/data/content-mit-600x~2012_Fall"
+xserver_grader_source: "git@github.com:/MITx/6.00x.git"
+xserver_grader_version: HEAD
+
+xserver_sandbox_venv_dir: "{{ venv_dir }}_apparmor_sandbox"
+
+xserver_requirements_file: "{{ xserver_code_dir }}/requirements.txt"
+
+xserver_port: 8050
+xserver_nginx_port: 18050
+
+xserver_debian_pkgs:
+  - build-essential
+  - gcc
+  - gfortran
+  - liblapack-dev
+  - libxml++2.6-dev
+  - libxml2-dev
+  - libxml2-utils
+  - libxslt1-dev
+  - python-dev

playbooks/secure_example/vars/edxapp_sandbox.yml

@@ -25,31 +25,30 @@
 #see http://atechie.net/2009/07/merging-hashes-in-yaml-conf-files/
 
 
-xqueue:
-  env_config:
-    'XQUEUES':
-      # push queue
-      - 'edX-DemoX': 'http://localhost:18050'
+xqueue_env_config:
+  'XQUEUES':
+    # push queue
+    'edX-DemoX': 'http://localhost:18050'
       # pull queues
-      - 'test-pull': !!null
-      - 'certificates': !!null
-      - 'open-ended': !!null
-    'XQUEUE_WORKERS_PER_QUEUE': 12
-    'LOGGING_ENV' : 'sandbox'
-    'LOG_DIR' : '/mnt/logs'
-    'SYSLOG_SERVER' : 'syslog.a.m.i4x.org'
-    'RABBIT_HOST' : 'localhost'
-    'S3_BUCKET_PREFIX' : 'sandbox-bucket'
+    'test-pull': !!null
+    'certificates': !!null
+    'open-ended': !!null
+  'XQUEUE_WORKERS_PER_QUEUE': 12
+  'LOGGING_ENV' : 'sandbox'
+  'LOG_DIR' : '/mnt/logs'
+  'SYSLOG_SERVER' : 'syslog.a.m.i4x.org'
+  'RABBIT_HOST' : 'localhost'
+  'S3_BUCKET_PREFIX' : 'sandbox-bucket'
 
-  auth_config:
-    'AWS_ACCESS_KEY_ID' : ''
-    'AWS_SECRET_ACCESS_KEY' : ''
-    'REQUESTS_BASIC_AUTH': ['edx', 'edx']
-    'USERS': {'lms': 'password'}
-    'RABBITMQ_USER': 'edx'
-    'RABBITMQ_PASS': 'edx'
-    'DATABASES':
-      'default': { 'ENGINE': 'django.db.backends.mysql', 'NAME': 'xqueue', 'USER': 'root', 'PASSWORD': '', 'HOST': 'localhost', 'PORT': '3306' }
+xqueue_auth_config:
+  'AWS_ACCESS_KEY_ID' : ''
+  'AWS_SECRET_ACCESS_KEY' : ''
+  'REQUESTS_BASIC_AUTH': ['edx', 'edx']
+  'USERS': {'lms': 'password'}
+  'RABBITMQ_USER': 'edx'
+  'RABBITMQ_PASS': 'edx'
+  'DATABASES':
+    'default': { 'ENGINE': 'django.db.backends.mysql', 'NAME': 'xqueue', 'USER': 'root', 'PASSWORD': '', 'HOST': 'localhost', 'PORT': '3306' }
 
 
 

playbooks/stage-ansible.cfg

+# ansible reads $ANSIBLE_CONFIG, ansible.cfg, ~/.ansible.cfg or /etc/ansible/ansible.cfg
+
+[defaults]
+# Always have these for using the configuration repo
+jinja2_extensions=jinja2.ext.do
+hash_behaviour=merge
+
+# These are environment-specific defaults
+forks=10
+#forks=1
+log_path=stage-edx-ansible.log
+transport=ssh
+hostfile=./ec2.py
+extra_vars='key=deployment name=edx-stage group=edx-stage region=us-west-1'
+user=ubuntu
+
+[ssh_connection]
+# example from https://github.com/ansible/ansible/blob/devel/examples/ansible.cfg
+#ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+ssh_args=-F stage-ssh-config
+scp_if_ssh=True

playbooks/stage-ssh-config

+#### edx-stage VPC 
+
+Host 54.241.183.3
+#Host ec2-54-241-183-3.us-west-1.compute.amazonaws.com
+#Host vpc-jumpbox
+    #HostName ec2-54-241-183-3.us-west-1.compute.amazonaws.com
+    HostName 54.241.183.3
+    User ubuntu
+    ForwardAgent yes
+
+Host *.us-west-1.compute.internal
+    User ubuntu
+    ForwardAgent yes
+    #ProxyCommand ssh -W %h:%p ec2-54-241-183-3.us-west-1.compute.amazonaws.com
+    #ProxyCommand ssh -W %h:%p vpc-jumpbox
+    ProxyCommand ssh -W %h:%p ubuntu@54.241.183.3
+
+Host *
+    ForwardAgent yes
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+