draft: learned from koala

ansible/roles/pretix/handlers/main.yml

@@ -23,4 +23,4 @@
   ansible.builtin.service:
     name: "pretix-maintenance.service" # This service reloads nginx
     state: "started"
-  listen: "pretix deploy desired nginx"
+  listen: "pretix reload nginx"

ansible/roles/pretix/tasks/main.yml

@@ -1,8 +1,4 @@
 ---
-- name: "declare variables used in pretix tasks"
-  ansible.builtin.set_fact:
-    pretix_maintenance_directory: "/var/www/pretix-maintenance/"
-
 - name: "ensure pretix user is present"
   ansible.builtin.user:
     name: "pretix"
@@ -141,19 +137,12 @@
   # basically means nginx gives a 503 page, defined here.
 - name: "prepare maintenance mode files"
   block:
-  - name: "ensure pretix maintenance mode directory is present" # TODO move pretix itself and these files into /var/www/pretix and /var/www/pretix/pretix.svsticky.nl or something"
-    ansible.builtin.file:
-      path: "{{ pretix_maintenance_directory }}"
-      state: "directory"
-      owner: "pretix"
-      group: "pretix"
-
-  - name: "place maintenance page"
+  - name: "place maintenance page" # TODO: move this to the pretix repo
     ansible.builtin.template:
       owner: "pretix"
       group: "pretix"
       src: "pretix_maintenance.html.j2"
-      dest: "{{ pretix_maintenance_directory }}/pretix-maintenance.html"
+      dest: "/var/www/pretix/pretix-maintenance.html"
 
   - name: "prepare maintenance mode services"
     ansible.builtin.template:
@@ -170,48 +159,19 @@
       name: "pretix-maintenance.timer"
       state: "started"
       enabled: "yes"
-      # Deliberatly do not start the service itself yet
-
-  # To support easy maintenance mode toggling, we configure nginx slightly
-  # differently. Like usually, we have a symlink in 'sites-enabled' pointing to
-  # the config stored in 'sites-available'. However, this time the config in
-  # 'sites-available' is another symlink to either the maintenance config or
-  # regular config, stored in the maintenance directory. Toggling to
-  # maintenance mode means adjusting the second symlink, and reloading nginx.
-  #
-  # We further defined a systemd service earlier which ensures the maintenance mode is
-  # on or off, depending on if it should currently be on or off. This service
-  # is periodically triggered by a systemd timer.
-  #
-  # Lastly, when deploying, we do not want to configure nginx for either
-  # maintenance mode or regular mode, for both could be undesired in some
-  # scenarios. As a solution, rather than (manually) toggling the maintenance
-  # to the correct state immediatly afterwards and leaving a short gap, we let
-  # the script finish the nginx setup. We thus define in one place what mode
-  # should be deployed currently, and happen to trigger it periodically as well.
-  # This way, when the deployment is finished and pretix is accessible, it will
-  # always be in the desired state.
-- name: "set up nginx configs for pretix"
-  block:
-  - name: "place pretix's regular nginx configuration"
-    ansible.builtin.template:
-      src: "pretix.conf.j2"
-      dest: "{{ pretix_maintenance_directory }}/regular-nginx.conf"
-    notify: "pretix deploy desired nginx"
+      # We do not need to start the service itself yet
 
-  - name: "place pretix's maintenance nginx configuration"
+  # We do not simply reload nginx, but also run the previously defined systemd
+  # service to enable or disable maintenance mode - whichever is currently
+  # desired. This removes the need to specify during deploy whether we want
+  # maintenance mode on or off before we expose the service.
+- name: "set up nginx for pretix"
+  block:
+  - name: "place pretix's nginx configuration"
     ansible.builtin.template:
-      src: "pretix_maintenance.conf.j2"
-      dest: "{{ pretix_maintenance_directory }}/maintenance-nginx.conf"
-    notify: "pretix deploy desired nginx"
-
-  # This is what the systemd service does already (but sometimes for maintenance mode):
-  # - name: "use regular nginx conf"
-  #   ansible.builtin.file:
-  #     src: "{{ pretix_maintenance_directory }}/regular-nginx.conf"
-  #     dest: "/etc/nginx/sites-available/pretix.{{ canonical_hostname }}.conf"
-  #     state: "link"
-  #   notify: "reload nginx"
+      src: "nginx.conf.j2"
+      dest: "/etc/nginx/sites-available/pretix.{{ canonical_hostname }}.conf"
+    notify: "pretix reload nginx"
 
   - name: "enable pretix's nginx configuration"
     ansible.builtin.file:
@@ -220,4 +180,4 @@
       state: "link"
     vars:
       filename: "pretix.{{ canonical_hostname }}.conf"
-    notify: "pretix deploy desired nginx"
+    notify: "pretix reload nginx"

ansible/roles/pretix/templates/pretix_maintenance.conf.j2 → ansible/roles/pretix/templates/nginx.conf.j2

@@ -16,12 +16,19 @@ server {
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
   # Security header file not included because frames
 
-  root /var/www/pretix-maintenance;
-  index pretix-maintenance.html;
+  location / {
+		if (-f /var/www/pretix/MAINTENANCE_MODE) { # TODO abstract to variable
+		    error_page 503 /503.html;
+		    return 503;
+		}
 
-  error_page 404 =200 /pretix-maintenance.html;
+    proxy_pass http://localhost:8345/;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+  }
 
-  location ~ ^/(control|download) {
+  location ~ ^/(control|download) { # Available during maintenance mode
     proxy_pass http://localhost:8345;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;

ansible/roles/pretix/templates/pretix.conf.j2

@@ -17,12 +17,24 @@ server {
   # Security header file not included because frames
 
   location / {
+		if (-f /var/www/pretix/MAINTENANCE_MODE) {
+		    error_page 503 /var/www/pretix/pretix-maintenance.html;
+		    return 503;
+		}
+
     proxy_pass http://localhost:8345/;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;
     proxy_set_header Host $http_host;
   }
 
+  location ~ ^/(control|download) { # Available during maintenance mode
+    proxy_pass http://localhost:8345;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+  }
+
   location /media/ {
     alias /var/www/pretix/data/media/;
     expires 7d;

ansible/roles/pretix/templates/systemd/pretix-maintenance.service.j2

@@ -7,5 +7,6 @@ OnFailure=failure-notificator@%n.service
 [Service]
 # If, compared to UTC, we are between sunday 22:00 and monday 05:00, we want
 # maintenance mode and otherwise not.
-ExecStart=if [[ `date -u +%a` == "su" && `date -u +%H` > 21 || `date -u +%a` == "mo" && `date -u +%H` < 5` ]] then ln -sf {{ pretix_maintenance_directory }}/maintenance-nginx.conf /etc/nginx/sites-available/pretix.{{ canonical_hostname }}.conf; else ln -sf {{ pretix_maintenance_directory }}/regular-nginx.conf /etc/nginx/sites-available/pretix.{{ canonical_hostname }}.conf; fi && systemctl reload nginx
-#TODO use ternary on {maintenance,regular}-nginx.conf
+ExecStart=if [[ `date -u +%a` == "su" && `date -u +%H` > 21 || `date -u +%a` ==
+"mo" && `date -u +%H` < 5` ]] then touch '/var/www/pretix/MAINTENANCE_MODE';
+else rm '/var/www/pretix/MAINTENANCE_MODE'; fi && systemctl reload nginx

ansible/roles/pretix/templates/systemd/pretix-maintenance.timer.j2

@@ -5,8 +5,8 @@ Description=Weekly pretix maintenance
 #During week transitions, enable maintenance mode to make the treasurer's life easier
 
 [Timer]
-OnCalendar=Sun *-*-* 22:00:00
-OnCalendar=Mon *-*-* 05:00:00
+OnCalendar=Sun *-*-* 22:00:00 UTC
+OnCalendar=Mon *-*-* 05:00:00 UTC
 AccuracySec=5min
 
 [Install]