diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml
index 73a5d012..c2482ede 100644
--- a/ansible/group_vars/production/vars.yml
+++ b/ansible/group_vars/production/vars.yml
@@ -69,6 +69,7 @@ secret_pretix:
 # To change, generate a new secret using something like `pwgen 128 1`and
 # re-deploy. Changing this value will invalidate all pretix sessions.
 django_secret: "{{ vault_secret_pretix.django_secret }}"
+ pretix_maintenance_mode: true
 secret_static_sticky:
 contentful_space_id: "{{ vault_secret_static_sticky.contentful_space_id }}"
diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml
index 599d9fa0..e5bc2857 100644
--- a/ansible/group_vars/staging/vars.yml
+++ b/ansible/group_vars/staging/vars.yml
@@ -61,6 +61,7 @@ secret_pretix:
 # To change, generate a new secret using something like `pwgen 128 1`and
 # re-deploy. Changing this value will invalidate all pretix sessions.
 django_secret: "{{ vault_secret_pretix.django_secret }}"
+ pretix_maintenance_mode: true
 secret_static_sticky:
 contentful_space_id: "{{ vault_secret_static_sticky.contentful_space_id }}"
diff --git a/ansible/roles/pretix/tasks/main.yml b/ansible/roles/pretix/tasks/main.yml
index e22840bf..ca61a800 100644
--- a/ansible/roles/pretix/tasks/main.yml
+++ b/ansible/roles/pretix/tasks/main.yml
@@ -62,13 +62,19 @@
 - name: "create virtualenv if not exists, update pip and tools"
 ansible.builtin.pip:
- name:
- "pip"
- "setuptools"
- "wheel"
- state: "latest"
+ name: "{{ item.name }}"
+ version: "{{ item.version }}"
 virtualenv: "/var/www/pretix/venv"
 virtualenv_python: "python3.8"
+ state: "present"
+ with_items: # Change in pip's dependency resolver after 24.0 causes installation of pretix to fail - name: pip version: "24.0" - name: "setuptools" version: "latest" - name: "wheel" version: "latest"
 become: true
 become_user: "pretix"
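Review bot: `pretix_maintenance_mode: true` lands in production's group_vars already switched on, so the first deploy after this commit merges replaces the live pretix vhost with the maintenance page; if the intent is only to add the switch, it should land as `pretix_maintenance_mode: false` and be flipped deliberately. The staging hunk of this commit adds the same `true` default. The key also sits inside the `secret_pretix` mapping, whose other visible entries are vault references, although the flag itself is not sensitive; a plain variable outside that mapping would keep the secrets mapping to secrets and make the toggle easier to find and audit.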
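Review bot: `version: "latest"` on the setuptools and wheel items is not a version specifier the pip module accepts: `ansible.builtin.pip` joins `name` and `version` into a requirement string (`setuptools==latest` or `setuptools latest`), which pip should reject as an invalid requirement, so the pin that this hunk wants only for pip breaks the whole task. One loop can still cover all three packages if the per-item fields are optional: `version: "{{ item.version | default(omit) }}"` and `state: "{{ item.state | default('present') }}"` in the task, with `state: "latest"` instead of `version: "latest"` on the setuptools and wheel items. The unquoted `name: pip` next to `"setuptools"` and `"wheel"` is also inconsistent with the quoting used everywhere else in this file.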
@@ -92,6 +98,7 @@
 state: "present"
 virtualenv: "/var/www/pretix/venv"
 virtualenv_python: "python3.9"
+ with_items:
 - name: "gunicorn"
 version: "20.1.0"
@@ -126,7 +133,46 @@
 - "pretix-worker.service"
 - "pretix-runperiodic.timer"
+# Maintenance directory, create if maintenance mode
+- name: "ensure pretix maintenance mode directory is present"
+ when: secret_pretix.pretix_maintenance_mode
+ ansible.builtin.file:
+ path: "/var/www/pretix-maintenance"
+ state: "directory"
+ owner: "pretix"
+ group: "pretix"
+
+# Maintenance directory, remove if not maintenance mode
+- name: "ensure pretix maintenance mode directory is present"
+ when: not secret_pretix.pretix_maintenance_mode
+ ansible.builtin.file:
+ path: "/var/www/pretix-maintenance"
+ state: "absent"
+ owner: "pretix"
+ group: "pretix"
+
+# Maintenance mode page
+- name: "Place Maintenance page if maintenance mode is enabled"
+ when: secret_pretix.pretix_maintenance_mode
+ ansible.builtin.template:
+ owner: "pretix"
+ group: "pretix"
+ src: "pretix_maintenance.html.j2"
+ dest: "/var/www/pretix-maintenance/pretix-maintenance.html"
+
+# Maintenance nginx configuration
+- name: "place pretix's maintenace nginx configuration"
+ when: secret_pretix.pretix_maintenance_mode
+ ansible.builtin.template:
+ src: "pretix_maintenance.conf.j2"
+ dest: "/etc/nginx/sites-available/{{ dest_filename }}"
+ vars:
+ dest_filename: "pretix.{{ canonical_hostname }}.conf"
+ notify: "reload nginx"
+
+# Regular nginx configuration
 - name: "place pretix's nginx configuration"
+ when: not secret_pretix.pretix_maintenance_mode
 ansible.builtin.template:
 src: "pretix.conf.j2"
 dest: "/etc/nginx/sites-available/{{ dest_filename }}"
@@ -134,6 +180,7 @@
 dest_filename: "pretix.{{ canonical_hostname }}.conf"
 notify: "reload nginx"
+# Does either maintenance mode or regular mode
 - name: "enable pretix's nginx configuration"
 ansible.builtin.file:
 src: "/etc/nginx/sites-available/{{ filename }}"
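Review bot: The second new task keeps the name `"ensure pretix maintenance mode directory is present"` although it sets `state: "absent"`, so the play output reports the directory as present while it is being removed; rename it to `"ensure pretix maintenance mode directory is absent"` and drop its `owner`/`group` arguments, which have no effect together with `state: "absent"`. Every `when:` in this hunk dereferences `secret_pretix.pretix_maintenance_mode` directly, so a host whose group_vars do not define the key (this commit adds it only for production and staging) fails with an undefined-variable error instead of falling back to the regular configuration; `when: secret_pretix.pretix_maintenance_mode | default(false)` and `when: not (secret_pretix.pretix_maintenance_mode | default(false))` make the fallback explicit. The task name `"place pretix's maintenace nginx configuration"` also misspells "maintenance".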
diff --git a/ansible/roles/pretix/templates/pretix_maintenance.conf.j2 b/ansible/roles/pretix/templates/pretix_maintenance.conf.j2
new file mode 100644
index 00000000..fe358c0f
--- /dev/null
+++ b/ansible/roles/pretix/templates/pretix_maintenance.conf.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ~^(pretix|tickets)\.{{ canonical_hostname }};
+
+ ssl_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/chain.pem;
+
+ include includes/block-cert-validation-path.conf;
+ add_header Referrer-Policy same-origin;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ # Security header file not included because frames
+
+ root /var/www/pretix-maintenance;
+ index pretix-maintenance.html;
+}
diff --git a/ansible/roles/pretix/templates/pretix_maintenance.html.j2 b/ansible/roles/pretix/templates/pretix_maintenance.html.j2
new file mode 100644
index 00000000..028c886f
--- /dev/null
+++ b/ansible/roles/pretix/templates/pretix_maintenance.html.j2
@@ -0,0 +1,43 @@ + + +
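Review bot: The maintenance server block serves `pretix-maintenance.html` only for `/`: `root` plus `index` without a catch-all location means every other path (`/control/`, shop URLs, anything a user has bookmarked) gets nginx's default 404 page instead of the maintenance page, and `/` itself answers 200. A maintenance vhost should answer 503 on every path and use the static file as the error page, so clients and crawlers see the outage as temporary; the lines below replace the `root`/`index` pair. With 503 responses the `add_header` lines above only take effect if they carry the `always` flag, because nginx otherwise adds headers only to 2xx/3xx responses, so `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and likewise for the others. Whether plain-HTTP requests on port 80 are still redirected while this block replaces the regular vhost cannot be seen here, since `pretix.conf.j2` is not part of this commit.
```nginx
    # … unchanged: listen, ssl_* and add_header directives …

    root /var/www/pretix-maintenance;
    error_page 503 /pretix-maintenance.html;

    # Every request is answered 503 and rendered with the static page below.
    location / {
        return 503;
    }

    location = /pretix-maintenance.html {
        # served from root via the internal redirect from error_page
    }
```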
+ + +Purchasing tickets is currently not possible.
+Het kopen van tickets is op dit moment niet mogelijk.
+ + \ No newline at end of file