From 51d5733578b02018ca4e54f338458aa902561039 Mon Sep 17 00:00:00 2001
From: Pierre-antoine Comby
Date: Fri, 30 Oct 2020 16:58:49 +0100
Subject: [PATCH 1/7] less hardcoded ansible config

---
 .gitignore | 5 +++++
 README.md | 20 +++++++++++++++++++-
 ansible/{hosts => hosts_example} | 0
 3 files changed, 24 insertions(+), 1 deletion(-)
 rename ansible/{hosts => hosts_example} (100%)

diff --git a/.gitignore b/.gitignore
index f541ab85..affc851f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,8 @@ backups/
 env/
 venv/
 db.sqlite3
+
+# ansibles customs host
+ansible/host_vars/*.yaml
+!ansible/host_vars/bde*
+ansible/hosts
diff --git a/README.md b/README.md
index d9c436ec..6fed71e4 100644
--- a/README.md
+++ b/README.md
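Review bot: `ansible/host_vars/*.yaml` on the new side does not match the host files this series actually ships, which use the `.yml` extension (`ansible/host_vars/bde-note.adh.crans.org.yml` and the two beta/dev hosts in PATCH 3), so a user's own host file — presumably where `DB_PASSWORD` from PATCH 6 ends up — would still be picked up by `git add`. Use `ansible/host_vars/*.yml` (or list both extensions) and keep the `!ansible/host_vars/bde*` exception. The comment would also read better as `# Ansible: custom inventory and per-host vars`.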
@@ -69,13 +69,31 @@ accessible depuis l'ensemble de votre réseau, pratique pour tester le rendu de la note sur un téléphone ! ## Installation d'une instance de production +Pour déployer facilement la note il est possible d'utiliser le playbook Ansible (sinon vous pouvez toujours le faire a la main, voir plus bas). +### Avec ansible +Il vous faudra un serveur sous debian ou ubuntu connecté à internet et que vous souhaiterez accéder à cette instance de la note sur `note.nomdedomaine.tld`. + +0. Installer Ansible sur votre machine personnelle. + +0. (bis) cloner le dépot sur votre machine personelle. + +1. Copier le fichier `ansible/host_example` +``` bash +$ cp ansible/hosts_example ansible/hosts +``` +et ajouter sous [dev] et/ou [prod] les serveurs sur lesquels vous souhaitez installer la note. +2. Créer un fichier `ansible/host_vars/` sur le modèle des fichiers existants dans `ansible/hosts` et compléter les variables nécessaires. + +3. lancer `ansible/base.yaml -l ` +4. Aller vous faire un café, ca peux durer un moment. + +### Installation manuelle **En production on souhaite absolument utiliser les modules Python packagées dans le gestionnaire de paquet.** Cela permet de mettre à jour facilement les dépendances critiques telles que Django. L'installation d'une instance de production néccessite **une installation de Debian Buster ou d'Ubuntu 20.04**. -Pour aller vite vous pouvez lancer le Playbook Ansible fournit dans ce dépôt en l'adaptant. Sinon vous pouvez suivre les étapes décrites ci-dessous. 0. Sous Debian Buster, **activer Debian Backports.** En effet Django 2.2 LTS n'est que disponible dans les backports. diff --git a/ansible/hosts b/ansible/hosts_example similarity index 100% rename from ansible/hosts rename to ansible/hosts_example From 78fe070cd35fc3391c1846a85fb19333ad9aa056 Mon Sep 17 00:00:00 2001 
From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 16:59:44 +0100 Subject: [PATCH 2/7] use debian backport only with debian --- ansible/roles/1-apt-basic/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/1-apt-basic/tasks/main.yml b/ansible/roles/1-apt-basic/tasks/main.yml index 9c01dd97..7c57646f 100644 --- a/ansible/roles/1-apt-basic/tasks/main.yml +++ b/ansible/roles/1-apt-basic/tasks/main.yml @@ -3,11 +3,12 @@ apt_repository: repo: deb http://{{ mirror }}/debian buster-backports main state: present + when: ansible_facts['distribution'] == "Debian" - name: Install note_kfet APT dependencies apt: update_cache: true - default_release: buster-backports + default_release: "{{ 'buster-backports' if ansible_facts['distribution'] == 'Debian' }}" install_recommends: false name: # Common tools From 950922d0418288809cc5a9a65f690d72ba2fbe0e Mon Sep 17 00:00:00 2001 From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 17:01:26 +0100 Subject: [PATCH 3/7] do not hardcode mail --- ansible/host_vars/bde-nk20-beta.adh.crans.org.yml | 1 + ansible/host_vars/bde-note.adh.crans.org.yml | 4 ++-- ansible/host_vars/bde3-virt.adh.crans.org.yml | 1 + .../roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2 | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml b/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml index d4ef70ef..d9d850da 100644 --- a/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml +++ b/ansible/host_vars/bde-nk20-beta.adh.crans.org.yml @@ -3,3 +3,4 @@ note: server_name: note-beta.crans.org git_branch: beta cron_enabled: false + email: notekfet2020@lists.crans.org diff --git a/ansible/host_vars/bde-note.adh.crans.org.yml b/ansible/host_vars/bde-note.adh.crans.org.yml index ba085433..f6e4ff97 100644 --- a/ansible/host_vars/bde-note.adh.crans.org.yml +++ b/ansible/host_vars/bde-note.adh.crans.org.yml 
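Review bot: `default_release: "{{ 'buster-backports' if ansible_facts['distribution'] == 'Debian' }}"` has no `else`, so on Ubuntu the inline-if renders an empty string and the apt module is handed `default_release: ""`; that happens to be ignored as falsy today, but the intent is clearer and independent of that detail with `... else omit }}`, which drops the parameter entirely. Both the new `when:` on the backports repository and this expression still hardcode `buster`; `ansible_facts['distribution_release']` would follow the host, though that is a wider change than this commit. Both tasks also depend on fact gathering being enabled for the play, which is outside this hunk.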
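Review bot: `email:` is added under `note:` here and in `bde3-virt.adh.crans.org.yml`, but not in `bde-note.adh.crans.org.yml`, whose hunk in this same commit only flips `git_branch`/`cron_enabled`; since `nk20.ini.j2` now renders `{{ note.email }}` unconditionally, templating the certbot config on the production host should fail with an undefined variable. Either add `email:` to the production host vars as well, or give the template a fallback such as `email = {{ note.email | default('notekfet2020@lists.crans.org') }}` so today's address is kept where nothing is configured.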
@@ -1,5 +1,5 @@ --- note: server_name: note.crans.org - git_branch: master - cron_enabled: true + git_branch: beta + cron_enabled: false diff --git a/ansible/host_vars/bde3-virt.adh.crans.org.yml b/ansible/host_vars/bde3-virt.adh.crans.org.yml index 477a4b7a..471f35f0 100644 --- a/ansible/host_vars/bde3-virt.adh.crans.org.yml +++ b/ansible/host_vars/bde3-virt.adh.crans.org.yml @@ -3,3 +3,4 @@ note: server_name: note-dev.crans.org git_branch: beta cron_enabled: false + email: notekfet2020@lists.crans.org diff --git a/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2 b/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2 index b02abf5a..272e160d 100644 --- a/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2 +++ b/ansible/roles/4-certbot/templates/letsencrypt/conf.d/nk20.ini.j2 @@ -10,11 +10,11 @@ rsa-key-size = 4096 # server = https://acme-staging.api.letsencrypt.org/directory # Uncomment and update to register with the specified e-mail address -email = notekfet2020@lists.crans.org +email = {{ note.email }} # Uncomment to use a text interface instead of ncurses text = True # Use DNS-01 challenge -authenticator = nginx +authenticator = standalone From cbf7e6fe6cf93851ad84597fb814ea3dcde9a783 Mon Sep 17 00:00:00 2001 From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 17:01:47 +0100 Subject: [PATCH 4/7] run certbot if necessary --- ansible/roles/4-certbot/tasks/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/ansible/roles/4-certbot/tasks/main.yml b/ansible/roles/4-certbot/tasks/main.yml index 52bc0d67..dbd6e477 100644 --- a/ansible/roles/4-certbot/tasks/main.yml +++ b/ansible/roles/4-certbot/tasks/main.yml @@ -9,6 +9,11 @@ retries: 3 until: pkg_result is succeeded +- name: Check if certificate already exists. + stat: + path: /etc/letsencrypt/live/{{note.server_name}}/cert.pem + register: letsencrypt_cert + - name: Create /etc/letsencrypt/conf.d file: path: /etc/letsencrypt/conf.d 
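Review bot: The `# Use DNS-01 challenge` comment left just above `authenticator = standalone` is now wrong twice over: neither the old nginx authenticator nor standalone performs DNS-01, and standalone answers HTTP-01 on its own port-80 listener, which is why PATCH 4 stops nginx around the `certbot certonly` run. Suggest `# HTTP-01 challenge on certbot's own listener: port 80 must be free (nginx stopped) while it runs`. Moving off the nginx authenticator also affects renewals, since this ini is read by `certbot renew` too; with nginx holding port 80 a renewal will fail unless `pre-hook`/`post-hook` entries (or the equivalent in the renewal config) stop and start nginx, and nothing in the series adds them — I may be missing where renewal is handled.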
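Review bot: `path: /etc/letsencrypt/live/{{note.server_name}}/cert.pem` drops the spaces inside the braces that the rest of the series uses (`{{ note.email }}`, `{{ DB_PASSWORD }}`); `path: "/etc/letsencrypt/live/{{ note.server_name }}/cert.pem"` matches the house style, and quoting keeps the line valid should `server_name` ever carry a YAML-special character. The same unspaced form appears in the `certbot certonly` line of the next hunk.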
@@ -19,3 +24,17 @@ src: "letsencrypt/conf.d/nk20.ini.j2" dest: "/etc/letsencrypt/conf.d/nk20.ini" mode: 0644 + +- name: Stop services to allow certbot to generate a cert. + service: + name: nginx + state: stopped + +- name: Generate new certificate if one doesn't exist. + shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/nk20.ini -d {{note.server_name}}" + when: letsencrypt_cert.stat.exists == False + +- name: Restart services to allow certbot to generate a cert. + service: + name: nginx + state: started From 1072e227b84ab4d51fd4e65df5e44c4eb496e4c3 Mon Sep 17 00:00:00 2001 From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 17:07:03 +0100 Subject: [PATCH 5/7] don't copy personal config on prod --- ansible/host_vars/bde-note.adh.crans.org.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/host_vars/bde-note.adh.crans.org.yml b/ansible/host_vars/bde-note.adh.crans.org.yml index f6e4ff97..ba085433 100644 --- a/ansible/host_vars/bde-note.adh.crans.org.yml +++ b/ansible/host_vars/bde-note.adh.crans.org.yml @@ -1,5 +1,5 @@ --- note: server_name: note.crans.org - git_branch: beta - cron_enabled: false + git_branch: master + cron_enabled: true From 39fd3a247166833ed24dc5cfe774b82e8a1c9324 Mon Sep 17 00:00:00 2001 From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 20:54:41 +0100 Subject: [PATCH 6/7] set DB_PASSWORD in env file --- ansible/roles/2-nk20/tasks/main.yml | 2 +- ansible/roles/2-nk20/templates/env.j2 | 24 ++++++++++++++++++++++++ ansible/roles/6-psql/tasks/main.yml | 4 ++-- 3 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 ansible/roles/2-nk20/templates/env.j2 diff --git a/ansible/roles/2-nk20/tasks/main.yml b/ansible/roles/2-nk20/tasks/main.yml index 9652359d..3852894d 100644 --- a/ansible/roles/2-nk20/tasks/main.yml +++ b/ansible/roles/2-nk20/tasks/main.yml 
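Review bot: nginx is stopped and started on every run of this role, not only when a certificate is missing, so each playbook run takes the site down briefly even when `letsencrypt_cert.stat.exists` is true and the `certbot certonly` task is skipped; and if certbot fails, the play aborts between the two `service` tasks and leaves nginx stopped. A `block` guarded by `when: not letsencrypt_cert.stat.exists` with the start in `always:` addresses both. Within it, `when: letsencrypt_cert.stat.exists == False` becomes `when: not letsencrypt_cert.stat.exists`, and `shell:` can be `command:` since the line uses no shell features, which also keeps `server_name` out of shell interpretation. The third task's name says "Restart" but its state is `started`.
```yaml
- name: Obtain a certificate when none exists yet (standalone authenticator needs port 80 free)
  when: not letsencrypt_cert.stat.exists
  block:
    - name: Stop nginx so certbot can bind port 80
      service:
        name: nginx
        state: stopped

    - name: Generate new certificate
      command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/nk20.ini -d {{ note.server_name }}"
  always:
    - name: Start nginx again, even if certbot failed
      service:
        name: nginx
        state: started
```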
@@ -16,7 +16,7 @@ - name: Use default env vars (should be updated!) template: - src: "env_example" + src: "env.j2" dest: "/var/www/note_kfet/.env" mode: 0644 force: false diff --git a/ansible/roles/2-nk20/templates/env.j2 b/ansible/roles/2-nk20/templates/env.j2 new file mode 100644 index 00000000..fbef052d --- /dev/null +++ b/ansible/roles/2-nk20/templates/env.j2 @@ -0,0 +1,24 @@ +DJANGO_APP_STAGE=prod +# Only used in dev mode, change to "postgresql" if you want to use PostgreSQL in dev +DJANGO_DEV_STORE_METHOD=sqlite +DJANGO_DB_HOST=localhost +DJANGO_DB_NAME=note_db +DJANGO_DB_USER=note +DJANGO_DB_PASSWORD={{ DB_PASSWORD }} +DJANGO_DB_PORT= +DJANGO_SECRET_KEY=CHANGE_ME +DJANGO_SETTINGS_MODULE=note_kfet.settings +CONTACT_EMAIL=tresorerie.bde@localhost +NOTE_URL=localhost +DOMAIN=localhost + +# Config for mails. Only used in production +NOTE_MAIL=notekfet@localhost +EMAIL_HOST=smtp.localhost +EMAIL_PORT=25 +EMAIL_USER=notekfet@localhost +EMAIL_PASSWORD=CHANGE_ME + +# Wiki configuration +WIKI_USER=NoteKfet2020 +WIKI_PASSWORD= diff --git a/ansible/roles/6-psql/tasks/main.yml b/ansible/roles/6-psql/tasks/main.yml index c4349f5e..91da9132 100644 --- a/ansible/roles/6-psql/tasks/main.yml +++ b/ansible/roles/6-psql/tasks/main.yml @@ -11,14 +11,14 @@ until: pkg_result is succeeded - name: Create role note - when: "DB_PASSWORD|bool" # If the password is not defined, skip the installation + when: DB_PASSWORD|length > 0 # If the password is not defined, skip the installation postgresql_user: name: note password: "{{ DB_PASSWORD }}" become_user: postgres - name: Create NK20 database - when: "DB_PASSWORD|bool" + when: DB_PASSWORD|length >0 postgresql_db: name: note_db owner: note From e1f647bd0246d3f4fc804c71769cc575731c1d54 Mon Sep 17 00:00:00 2001 From: Pierre-antoine Comby Date: Fri, 30 Oct 2020 21:28:25 +0100 Subject: [PATCH 7/7] lesser hardcoded --- ansible/roles/2-nk20/templates/env.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
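Review bot: With `src: "env.j2"` the rendered `/var/www/note_kfet/.env` now carries the real `DJANGO_DB_PASSWORD`, but the unchanged `mode: 0644` still makes it world-readable, so any local account on the host can read the database password. Tighten to `mode: "0640"` (quoted, so YAML does not reinterpret the octal) with `owner`/`group` set to the account that runs the application, which this hunk does not show. Note also that `force: false` means an existing `.env` is never refreshed, so a later password change in host vars will not reach the file; the task name `Use default env vars (should be updated!)` no longer describes what the template does and should say so.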
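Review bot: The new template is written for `DJANGO_APP_STAGE=prod` yet still ships `DJANGO_SECRET_KEY=CHANGE_ME` and `EMAIL_PASSWORD=CHANGE_ME`; now that `DJANGO_DB_PASSWORD={{ DB_PASSWORD }}` is templated, the secret key should come from host vars the same way (a `{{ SECRET_KEY }}`-style variable, name to be chosen), otherwise every deploy lands with a known shared signing key and, given `force: false` in the task, keeps it once written. `DB_PASSWORD` is also the only variable in this series outside the `note.` namespace; `note.db_password` would be consistent. The value is emitted unquoted, so a password containing a space or `#` may be truncated by the dotenv loader — hedged, since the loader is not visible here.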
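Review bot: `when: DB_PASSWORD|length > 0` still does not match its own comment `If the password is not defined, skip the installation`: when the variable is absent from host vars, `length` on an undefined value raises and the play fails instead of skipping (as far as I can tell the old `|bool` form had the same problem, so this is not a regression, but the comment was already wrong). `when: DB_PASSWORD | default('') | length > 0` skips for both the unset and the empty case. The second task writes `length >0`; make the spacing identical in both so the two conditions are recognisably the same.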
diff --git a/ansible/roles/2-nk20/templates/env.j2 b/ansible/roles/2-nk20/templates/env.j2
index fbef052d..84213ac7 100644
--- a/ansible/roles/2-nk20/templates/env.j2
+++ b/ansible/roles/2-nk20/templates/env.j2
@@ -9,8 +9,7 @@ DJANGO_DB_PORT=
 DJANGO_SECRET_KEY=CHANGE_ME
 DJANGO_SETTINGS_MODULE=note_kfet.settings
 CONTACT_EMAIL=tresorerie.bde@localhost
-NOTE_URL=localhost
-DOMAIN=localhost
+NOTE_URL= {{note.server_name}}
 
 # Config for mails. Only used in production
 NOTE_MAIL=notekfet@localhost
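Review bot: `NOTE_URL= {{note.server_name}}` puts a space after `=`, so whether the variable ends up as ` note.crans.org` with a leading space or as the bare hostname depends on how the `.env` loader treats unquoted values; that should not be left to the parser: `NOTE_URL={{ note.server_name }}`. `DOMAIN=localhost` is removed without a replacement; if the Django settings still read `DOMAIN` (not visible in this series) it now falls back to whatever the code defaults to, so either keep `DOMAIN={{ note.server_name }}` or confirm the key is unused. The brace spacing also differs from `{{ DB_PASSWORD }}` a few lines up in the same file.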