Refactor Web front-end.

This moves most of the code into a standalone (at least in principle)
"http_frontend" role and invokes it from the main LOCKSS role.

README.md

@@ -32,6 +32,7 @@ This project provides Ansible roles and an example playbook for configuring
 * `lockss_ui_user` (default in `roles/lockss/defaults/main.yml`)
 * `lockss_data_dir` (default in `roles/lockss/defaults/main.yml`)
 * `lockss_configure_firewall` (default: true)
+* `lockss_frontend_port` (default in `roles/lockss/defaults/main.yml`)
 
 ## Ports
 These are the ports (all TCP) listened on by the various LOCKSS containers:
@@ -46,6 +47,8 @@ These are the ports (all TCP) listened on by the various LOCKSS containers:
 * pywb: 8080 ([Pywb](<https://pypi.org/project/pywb/>) Web console)
 * solr: 8983 (Solr Web console)
 
+The LOCKSS front-end (written by us) listens on port 80 by default.
+
 ## Running with Vagrant
 The included Vagrantfile will configure and run the example playbook against the
 machines defined in `vagrant-machines.yml`, currently Ubuntu 18.04 and CentOS 7.

dev.playbook.yml

@@ -26,7 +26,6 @@
     - minimum_memory
     - system-tweaks-nepeta
     - lockss
-    - lockss-config-frontend
   tasks:
     - debug:
         msg: "Web front-end: http://{{ hostname }}/"

roles/http_frontend/README.md

+# HTTP frontend
+
+## Role variables
+### Required variables
+* `http_frontend_backends`: An array of dictionaries, each of which has a
+  `memo` key (rendered as a title on the index page), a `name` key (used in the
+  URL path), and a `port` key.
+* `http_frontend_hostname`
+
+### Optional variables
+* `http_frontend_name`: The name used for the Docker image and stack. (Default in `defaults/main.yml`.)
+* `http_frontend_port`: The port on which the service will listen. (Default in
+  `defaults/main.yml`.)
+* `http_frontend_index_title`: Give the index page a title.

roles/http_frontend/defaults/main.yml

+---
+
+http_frontend_name: frontend
+http_frontend_port: 80

roles/lockss-config-frontend/tasks/main.yml → roles/http_frontend/tasks/main.yml

 ---
 
-- name: Add ferm rule.
-  template:
-    dest: /etc/ferm.d/11-in-lockss-frontend.ferm
-    src: 11-in-lockss-frontend.ferm.j2
-    validate: ferm -n %s
-
-- service:
-    name: ferm
-    state: restarted
+# FIXME: None of this is idempotent.
 
 - name: Create temporary directory.
   tempfile:
     state: directory
   register: tmpdir
 
-- name: Install configuration file.
+- name: Copy httpd configuration file.
   template:
     dest: "{{ tmpdir.path }}/httpd-frontend.conf"
     src: httpd-frontend.conf.j2
@@ -23,7 +15,7 @@
     mode: 0644
   when: tmpdir.path is defined
 
-- name: Install landing page.
+- name: Copy landing page.
   template:
     dest: "{{ tmpdir.path }}/index.html"
     src: index.html.j2
@@ -31,7 +23,7 @@
     mode: 0644
   when: tmpdir.path is defined
 
-- name: Install Dockerfile.
+- name: Copy Dockerfile.
   copy:
     dest: "{{ tmpdir.path }}/Dockerfile"
     src: Dockerfile
@@ -57,7 +49,7 @@
 
 - name: Build Docker image.
   docker_image:
-    name: lockss-config-frontend
+    name: "{{ http_frontend_name }}"
     source: build
     build:
       path: "{{ tmpdir.path }}"
@@ -68,18 +60,14 @@
   vars:
     ansible_python_interpreter: python3
   docker_stack:
-    name: lockss-config-frontend
+    name: "{{ http_frontend_name }}"
     state: present
     resolve_image: never
     compose:
       - version: "3.7"
         services:
           frontend:
-            image: lockss-config-frontend
-            ports:
-              - published: "{{ lockss_frontend_port }}"
-                target: 80
-                mode: host
+            image: "{{ http_frontend_name }}"
             configs:
               - source: httpd_frontend_config
                 target: /usr/local/apache2/conf/conf.d/frontend.conf

roles/lockss-config-frontend/templates/httpd-frontend.conf.j2 → roles/http_frontend/templates/httpd-frontend.conf.j2

@@ -5,8 +5,8 @@ ProxyRequests off
 LoadModule rewrite_module modules/mod_rewrite.so
 RewriteEngine on
 
-{% for b in lockss_frontend_backends %}
-ProxyPass /{{ b.name }}/ http://{{ lockss_hostname }}:{{ b.port }}/
+{% for b in http_frontend_backends %}
+ProxyPass /{{ b.name }}/ http://{{ http_frontend_hostname }}:{{ b.port }}/
 RewriteRule ^/{{ b.name }}$ /{{ b.name }}/ [R]
 {% endfor %}
 
@@ -14,7 +14,7 @@ LoadModule proxy_html_module modules/mod_proxy_html.so
 LoadModule xml2enc_module modules/mod_xml2enc.so
 Include conf/extra/proxy-html.conf
 
-{% for b in lockss_frontend_backends %}
+{% for b in http_frontend_backends %}
 <Location /{{ b.name }}/>
     ProxyPassReverse /
     ProxyPassReverseCookiePath / /{{ b.name }}/
@@ -25,8 +25,8 @@ Include conf/extra/proxy-html.conf
 
 <Location />
     ProxyHTMLEnable On
-{% for b in lockss_frontend_backends %}
-    ProxyHTMLURLMap http://{{ lockss_hostname }}:{{ b.port }} /{{ b.name }}
+{% for b in http_frontend_backends %}
+    ProxyHTMLURLMap http://{{ http_frontend_hostname }}:{{ b.port }} /{{ b.name }}
 {% endfor %}
     RequestHeader unset Accept-Encoding
 </Location>

roles/lockss-config-frontend/templates/index.html.j2 → roles/http_frontend/templates/index.html.j2

@@ -3,7 +3,9 @@
   <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>LOCKSS</title>
+{% if http_frontend_index_title is defined %}
+    <title>{{ http_frontend_index_title }}</title>
+{% endif %}
     <style type="text/css">
       li {
         margin-bottom: 0.5rem;
@@ -15,10 +17,12 @@
     </style>
   </head>
   <body>
-    <h1>LOCKSS</h1>
+{% if http_frontend_index_title is defined %}
+    <h1>{{ http_frontend_index_title }}</h1>
+{% endif %}
     <h2>Components available from this interface</h2>
     <ul class="main_nav">
-{% for b in lockss_frontend_backends %}
+{% for b in http_frontend_backends %}
       <li><a href="./{{ b.name }}">{{ b.memo }}</a></li>
 {% endfor %}
     </ul>

roles/lockss-config-frontend/defaults/main.yml

----
-
-lockss_frontend_port: 80

roles/lockss-config-frontend/tasks/main.yml-v_nginx

----
-
-- name: Place configuration file.
-  copy:
-    dest: /root/ingress.conf
-    owner: root
-    mode: 0644
-    content: |
-      server {
-          listen 80;
-          location /config/ {
-              sub_filter
-                  "{{ lockss_hostname }}:24621"
-                  "{{ lockss_hostname }}/config";
-              sub_filter
-                  "{{ lockss_hostname }}:24621"
-                  "{{ lockss_hostname }}/config";
-              sub_filter_once off;
-              proxy_pass http://127.0.0.1:24621/;
-              proxy_set_header Accept-Encoding "";
-          }
-      }
-
-- name: Add ferm rule.
-  copy:
-    dest: /etc/ferm.d/11-in-lockss-frontend.ferm
-    content: |
-      @def $MGMT_NET = ({{ lockss_admin_ips | join(" ") }});
-      domain (ip ip6) table filter chain INPUT
-          saddr $MGMT_NET proto tcp dport 80 ACCEPT;
-    validate: ferm -n %s
-
-- service:
-    name: ferm
-    state: restarted
-
-- name: Remove nginx Docker container.
-  command:
-    cmd: docker rm -f nginx
-  ignore_errors: true
-
-- name: Create nginx Docker container.
-  command:
-    cmd: docker run -d --rm
-         --name nginx
-         -p 80:80
-         --network host
-         -v /root/ingress.conf:/etc/nginx/conf.d/default.conf
-         nginx

roles/lockss-config-frontend/templates/11-in-lockss-frontend.ferm.j2

-@def $MGMT_NET = ({{ lockss_admin_ips | join(" ") }});
-domain (ip ip6) table filter chain INPUT
-    saddr $MGMT_NET proto tcp dport {{ lockss_frontend_port }} ACCEPT;

roles/lockss-config-frontend/vars/main.yml

----
-
-lockss_frontend_backends:
-  - name: config
-    memo: Configuration service
-    port: 24621
-  - name: api/config
-    memo: Configuration service API
-    port: 24620
-  - name: crawler
-    memo: Cralwer service
-    port: 24631
-  - name: api/crawler
-    memo: Crawler service API
-    port: 24630
-  - name: metadata-extraction
-    memo: Metadata extraction
-    port: 24641
-  - name: api/metadata-extraction
-    memo: Metadata extraction API
-    port: 24640
-  - name: metadata-query
-    memo: Metadata query
-    port: 24651
-  - name: api/metadata-query
-    memo: Metadata query API
-    port: 24650
-  - name: api/repo
-    memo: Repository API
-    port: 24610
-  - name: pywb
-    memo: Python Wayback Machine
-    port: 8080
-  - name: solr
-    memo: Solr console
-    port: 8983

roles/lockss/defaults/main.yml

@@ -6,4 +6,5 @@ lockss_data_dir: /var/lib/lockss
 lockss_ui_user: admin
 lockss_network_ips: []
 lockss_admin_ips: []
+lockss_frontend_port: 80
 lockss_props_url: http://props.lockss.org:8001/demo/lockss.xml

roles/lockss/tasks/main.yml

@@ -267,3 +267,13 @@
   become: true
   become_user: lockss
   when: not ansible_check_mode
+
+- name: Configure a Web front-end.
+  include_role:
+    name: http_frontend
+  vars:
+    http_frontend_name: lockss-config-frontend
+    http_frontend_index_title: LOCKSS
+    http_frontend_backends: "{{ lockss_frontend_backends }}"
+    http_frontend_port: "{{ lockss_frontend_port }}"
+    http_frontend_hostname: "{{ lockss_hostname }}"

roles/lockss/templates/ferm/10-in-lockss.ferm.j2

 @def $LOCKSS_NET = ({{ lockss_network_ips | join(" ") }});
 @def $MGMT_NET = ({{ lockss_admin_ips | join(" ") }});
 @def $LOCKSS_CONFIG_PORTS = (
-    24640 24641               # metadata-extraction-service
-    5432                      # postgres
-    24650 24651               # metadata-service
-    24610                     # repository-service
-    24620 24621               # configuration-service
-    9729 24630 24631 24680    # poller
-    8080                      # pywb
-    8983                      # solr
+    24640 24641                   # metadata-extraction-service
+    5432                          # postgres
+    24650 24651                   # metadata-service
+    24610                         # repository-service
+    24620 24621                   # configuration-service
+    9729 24630 24631 24680        # poller
+    8080                          # pywb
+    8983                          # solr
+
+    {{ lockss_frontend_port }}    # lockss-config-frontend
 );
 @def $LOCKSS_NET_PORTS = (
     9729    # poller

roles/lockss/vars/main.yml

 ---
 
 lockss_git_url: https://github.com/lockss/lockss-installer
+lockss_frontend_backends:
+  - name: config
+    memo: Configuration service
+    port: 24621
+  - name: api/config
+    memo: Configuration service API
+    port: 24620
+  - name: crawler
+    memo: Cralwer service
+    port: 24631
+  - name: api/crawler
+    memo: Crawler service API
+    port: 24630
+  - name: metadata-extraction
+    memo: Metadata extraction
+    port: 24641
+  - name: api/metadata-extraction
+    memo: Metadata extraction API
+    port: 24640
+  - name: metadata-query
+    memo: Metadata query
+    port: 24651
+  - name: api/metadata-query
+    memo: Metadata query API
+    port: 24650
+  - name: api/repo
+    memo: Repository API
+    port: 24610
+  - name: pywb
+    memo: Python Wayback Machine
+    port: 8080
+  - name: solr
+    memo: Solr console
+    port: 8983