Playbook deployment characteristics¶
Purpose¶
This is an Ansible playbook for automatically deploying a single server Websauna website from a git repository for Ubuntu 14.04 Linux. It allows you to do deploy your Websauna application to a fresh server, where you just received SSH credentials, within 30 minutes. Alternatively you can gracefully upgrade any existing running site.
Note
The current version of the playbook is designed for a single server setup. It is, however, easy to extend to cover groups of different servers.
Installed software¶
Automatic installation sets up
Email out via Mandrill
Supervisor startup scripts
Database migration and hot deploy aware¶
Playbook runs migrations safely: Run database migrations first and then update codebase with compatible model files. This allows graceful deploys and avoids breaking any running sites.
Filesystem Hierarchy Standard layout¶
The application is deployed in the folder /srv/pyramid/yoursitename per Filesystem Hierarchy Standard.
Default firewalls¶
A Linux firewall is set up to allow only inbound SSH, HTTP, HTTPS. This for the cases where any process would accidentally bind itself to public Internet facing IP addresses.
No private keys leaked¶
All communication happens over SSH agent. No private keys are placed on a server in any point.
Privilege separation¶
The deployed UNIX processes run under corresponding user accounts. This reduces the risk of a compromised data in the case any of the processes has a remote exploit, like Heartbleed vulnerability in the past.
Websauna application files and uWSGI processes are deployment under a normal UNIX user
wsgiNginx runs under UNIX user
www-data.uWSGI, Celery runs under user
wsgi.PostgreSQL runs under user
postgres.Redis runs under user
redis.Postfix runs under user
postfix./srv/pyramid/myappis writable and readable bywsgionly.