From 23fd00ce5f8aa6d8419d56166f658361c1321add Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 26 Feb 2019 12:43:27 +0100 Subject: Change last_backup location for backup --- .../templates/backup/backup_dirname_tail.sh.erb | 2 +- .../role/templates/backup/backup_immae_eu.sh.erb | 79 ---------------------- 2 files changed, 1 insertion(+), 80 deletions(-) delete mode 100644 modules/role/templates/backup/backup_immae_eu.sh.erb diff --git a/modules/role/templates/backup/backup_dirname_tail.sh.erb b/modules/role/templates/backup/backup_dirname_tail.sh.erb index 6b16c9d..5027992 100644 --- a/modules/role/templates/backup/backup_dirname_tail.sh.erb +++ b/modules/role/templates/backup/backup_dirname_tail.sh.erb @@ -1,4 +1,4 @@ - ssh $DEST sh -c "date > .last_backup" + ssh $DEST sh -c "date > .cache/last_backup" fi # [ "$skip" != "$DEST" ] ##### End <%= @dirname %> ##### diff --git a/modules/role/templates/backup/backup_immae_eu.sh.erb b/modules/role/templates/backup/backup_immae_eu.sh.erb deleted file mode 100644 index 4fab30e..0000000 --- a/modules/role/templates/backup/backup_immae_eu.sh.erb +++ /dev/null 
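Review bot: The rewritten line `ssh $DEST sh -c "date > .cache/last_backup"` fails on any $DEST where `.cache` does not exist yet, and because nothing checks ssh's exit status the timestamp update is lost silently. Creating the directory in the same remote command, `ssh "$DEST" 'mkdir -p .cache && date > .cache/last_backup'`, closes that gap and quoting `$DEST` avoids word splitting. Note that ssh joins its arguments with spaces, so the remote login shell actually runs `sh -c date > .cache/last_backup` and applies the redirect itself; the `sh -c` wrapper only works by accident and can be dropped. The enclosing `if` block (closed by `fi # [ "$skip" != "$DEST" ]`) starts outside the hunk.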
@@ -1,79 +0,0 @@ -#!/bin/bash -DEST="<%= @dest %>" -MAILTO="<%= @mailto %>" -BASE="<%= @base %>" -OLD_BAK_BASE=$BASE/older/j -BAK_BASE=${OLD_BAK_BASE}0 -RSYNC_OUTPUT=$BASE/rsync_output -NBR=7 - -TMP=`mktemp` -TMP_STDERR=`mktemp` - -trap "rm -f $TMP $TMP_STDERR" EXIT - -exec 2> "$TMP_STDERR" - -set -e -if ! `ssh -o ClearAllForwardings=yes $DEST backup`; then - echo "Fichier de verrouillage backup sur $DEST" - exit 1 -fi - -rm -rf ${OLD_BAK_BASE}${NBR} -for j in `seq -w $(($NBR-1)) -1 0`; do - [ ! -d ${OLD_BAK_BASE}$j ] && continue - mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) -done -mkdir $BAK_BASE -mv $RSYNC_OUTPUT $BAK_BASE -mkdir $RSYNC_OUTPUT - -############## -NAME="home" -FOLDER="/home/immae" - -cd $BASE/$NAME -cat > $TMP < $OUT || true - -############## -NAME="system" -FOLDER="/" - -cd $BASE/$NAME -cat > $TMP < $OUT || true - -############## -ssh $DEST sh -c "date > .last_backup" - -if [ -s "$TMP_STDERR" ]; then - cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" -fi -- cgit v1.2.3 From a25b5f82989b0e1c4abbfe0feca7f836a608c7e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 19 Mar 2019 01:10:27 +0100 Subject: Caldance updates --- environments/global/roles/caldance.yaml | 8 + environments/integration/roles/caldance.yaml | 8 + modules/role/manifests/caldance.pp | 165 +++++++++++++++++++++ .../role/templates/caldance/local_settings.py.erb | 25 ++++ modules/role/templates/caldance/manage.py.erb | 9 ++ 5 files changed, 215 insertions(+) create mode 100644 environments/integration/roles/caldance.yaml create mode 100644 modules/role/templates/caldance/local_settings.py.erb create mode 100644 modules/role/templates/caldance/manage.py.erb diff --git a/environments/global/roles/caldance.yaml b/environments/global/roles/caldance.yaml index 1dc7fa8..98382bf 100644 --- a/environments/global/roles/caldance.yaml +++ b/environments/global/roles/caldance.yaml 
@@ -2,3 +2,11 @@ classes: role::caldance: ~ letsencrypt::hosts: "%{lookup('base_installation::system_hostname')}" +role::caldance::user: "caldance" +role::caldance::group: "caldance" +role::caldance::home: "/home/caldance" +role::caldance::web_host: "%{lookup('base_installation::system_hostname')}" +base_installation::system_users: + - username: "%{lookup('role::caldance::user')}" + system: true + password: "!!" diff --git a/environments/integration/roles/caldance.yaml b/environments/integration/roles/caldance.yaml new file mode 100644 index 0000000..6a8ef9a --- /dev/null +++ b/environments/integration/roles/caldance.yaml @@ -0,0 +1,8 @@ +--- +role::caldance::caldance_version: ~ # Overriden in LDAP +role::caldance::caldance_sha256: ~ +role::caldance::pg_db: "caldev" +role::caldance::pg_user: "caldev" +role::caldance::mail_from: "caldev-nepasrepondre@mail.immae.eu" +role::caldance::smtp_host: "mail.immae.eu" +role::caldance::smtp_port: "465" diff --git a/modules/role/manifests/caldance.pp b/modules/role/manifests/caldance.pp index 63dda1f..1cda69c 100644 --- a/modules/role/manifests/caldance.pp +++ b/modules/role/manifests/caldance.pp @@ -1,5 +1,20 @@ class role::caldance ( + String $user, + String $group, + String $home, + String $web_host, + String $pg_user, + String $pg_db, + String $mail_from, + String $smtp_host, + String $smtp_port, + Optional[String] $pg_hostname = "/run/postgresql", + Optional[String] $pg_port = "5432", + Optional[String] $caldance_version = undef, + Optional[String] $caldance_sha256 = undef, ) { + $password_seed = lookup("base_installation::puppet_pass_seed") + $web_home = "/home/simon_descarpentries" include "base_installation" include "profile::tools" 
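Review bot: `$web_home = "/home/simon_descarpentries"` hard-codes one person's home directory inside a class whose every other path comes from a parameter; it should be a parameter (or be derived from `$home`) so the role is not tied to a single account. `Optional[String]` on `$pg_hostname` and `$pg_port`, which both carry non-undef defaults, only widens the accepted type to undef, which would then be interpolated into connection settings; `String $pg_hostname = "/run/postgresql"` and `String $pg_port = "5432"` state the intent. The class body continues past the end of the hunk.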
@@ -10,9 +25,105 @@ class role::caldance ( ensure_packages(["python-pip", "python-virtualenv", "python-django"]) + $caldance_app = "${home}/app" + + file { $caldance_app: + ensure => "directory", + mode => "0755", + owner => $user, + group => $group, + require => User["$user:"], + } + + exec { "initialize_venv": + user => $user, + require => User["$user:"], + command => "/usr/bin/virtualenv ${home}/virtualenv", + creates => "${home}/virtualenv", + } + -> + archive { "${home}/caldance_${caldance_version}.tar.gz": + path => "${home}/caldance_${caldance_version}.tar.gz", + source => "https://release.immae.eu/caldance/caldance_${caldance_version}.tar.gz", + checksum_type => "sha256", + checksum => $caldance_sha256, + cleanup => false, + extract => true, + user => $user, + username => lookup("base_installation::ldap_cn"), + password => generate_password(24, $password_seed, "ldap"), + extract_path => $caldance_app, + require => [User["$user:"], File[$caldance_app]], + } ~> + exec { "py-requirements": + cwd => $caldance_app, + user => $user, + environment => ["HOME=${home}"], + command => "${home}/virtualenv/bin/pip install -r requirements.txt", + require => User["$user:"], + refreshonly => true, + } ~> + exec { "py-migrate": + cwd => $caldance_app, + user => $user, + environment => ["HOME=${home}"], + command => "$caldance_app/manage.py migrate", + require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]], + refreshonly => true, + } ~> + exec { "py-static": + cwd => $caldance_app, + user => $user, + environment => ["HOME=${home}"], + command => "$caldance_app/manage.py collectstatic --no-input", + require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]], + refreshonly => true, + } ~> + exec { "reload httpd": + command => "/usr/bin/systemctl reload httpd", + require => [User["$user:"], File["$caldance_app/manage.py"], 
File["$caldance_app/main_app/local_settings.py"]], + refreshonly => true, + } + + $pg_password = generate_password(24, $password_seed, "postgres_caldance") + $secret_key = generate_password(24, $password_seed, "secret_key_caldance") + file { "$caldance_app/main_app/local_settings.py": + owner => $user, + group => $group, + mode => "0644", + content => template("role/caldance/local_settings.py.erb"), + require => [ + User["$user:"], + Archive[ "${home}/caldance_${caldance_version}.tar.gz"], + ], + } + + $python_path = "${home}/virtualenv/bin/python" + file { "$caldance_app/manage.py": + owner => $user, + group => $group, + mode => "0755", + content => template("role/caldance/manage.py.erb"), + require => [ + User["$user:"], + Archive[ "${home}/caldance_${caldance_version}.tar.gz"], + ], + } + + profile::postgresql::master { "postgresql master for caldance": + letsencrypt_host => $web_host, + backup_hosts => ["backup-1"], + } + + postgresql::server::db { $pg_db: + user => $pg_user, + password => postgresql_password($pg_user, $pg_password), + } + # pour le script de génération de mdp ensure_packages(["perl-digest-sha1"]) + ensure_packages(["postgis", "python-gdal", "ripgrep"]) file { "/usr/local/bin/ldap_ssha": owner => "root", group => "root", 
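Review bot: `file { "$caldance_app/main_app/local_settings.py": ... mode => "0644" ... }` writes a template that carries `$pg_password` and `$secret_key`, so the database password and the Django secret key become readable by every local account on the host. `mode => "0640"` with `group` set to the account the Apache/mod_wsgi worker runs as limits the exposure while keeping the application able to read it. Separately, `checksum => $caldance_sha256` is fed from `Optional[String] $caldance_sha256 = undef` (the integration data sets it to `~`), so an environment that leaves it unset downloads the release tarball with whatever `archive` does when `checksum_type` is set but `checksum` is undef; it is worth confirming that this fails rather than skips verification, or making the parameter a plain `String`. The `file { "/usr/local/bin/ldap_ssha": ... }` resource at the end of the hunk continues outside it.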
@@ -20,4 +131,58 @@ class role::caldance ( source => "puppet:///modules/base_installation/scripts/ldap_ssha", require => Package["perl-digest-sha1"], } + + sudo::conf { 'wheel_nopasswd': + priority => 99, + content => "%wheel ALL=(ALL) NOPASSWD: ALL", + require => Package["sudo"], + } + + ensure_packages(["mod_wsgi"]) + class { 'apache::mod::wsgi': + wsgi_python_home => "$web_home/caldev_virtualenv", + wsgi_python_path => "$web_home/caldev/www.cal-dance.com/", + require => Package["mod_wsgi"], + } + class { 'apache::mod::authn_file': } + class { 'apache::mod::authn_core': } + class { 'apache::mod::authz_user': } + class { 'apache::mod::auth_basic': } + + apache::vhost { $web_host: + port => '443', + docroot => false, + manage_docroot => false, + ssl => true, + ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem", + ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem", + ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem", + require => Letsencrypt::Certonly[$web_host], + directories => [ + { + path => "$web_home/caldev/www.cal-dance.com/main_app", + require => "all granted", + }, + { + path => "$web_home/caldev/www.cal-dance.com/www/static", + require => "all granted", + }, + { + path => "/", + provider => "location", + require => "valid-user", + auth_type => "Basic", + auth_name => "Authentification requise", + auth_user_file => "$web_home/caldev/.htpasswd", + }, + ], + aliases => [ + { + alias => "/static/", + path => "$web_home/caldev/www.cal-dance.com/www/static/", + }, + ], + wsgi_script_aliases => { "/" => "$web_home/caldev/www.cal-dance.com/main_app/wsgi.py" }; + default: * => $::profile::apache::apache_vhost_default; + } } diff --git a/modules/role/templates/caldance/local_settings.py.erb b/modules/role/templates/caldance/local_settings.py.erb new file mode 100644 index 0000000..4da53f6 --- /dev/null +++ b/modules/role/templates/caldance/local_settings.py.erb 
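Review bot: `sudo::conf { 'wheel_nopasswd': ... content => "%wheel ALL=(ALL) NOPASSWD: ALL" }` grants passwordless root to the entire wheel group from inside `role::caldance`, which has nothing to do with the application, so every host that includes this role picks up the rule as an invisible side effect. It belongs in a host-level or base profile where the decision is explicit, or should be dropped from this class. Also, the vhost's `auth_user_file => "$web_home/caldev/.htpasswd"` is referenced but not managed here, so a freshly provisioned host serves a vhost that rejects (or errors on) every request until the file is created by hand; a `file` resource, even with `replace => false`, would make the dependency visible and ordered.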
@@ -0,0 +1,25 @@ +import os +DATABASES = { + 'default': { + 'ENGINE': 'django.contrib.gis.db.backends.postgis', + 'NAME': '<%= @pg_db %>', + 'USER': '<%= @pg_user %>', + 'PASSWORD': u'<%= @pg_password %>', + 'HOST': '<%= @pg_hostname %>', + 'PORT': '<%= @pg_port %>', + } +} + +# SECURITY WARNING: keep the secret key used in production secret! +SECRET_KEY = os.environ.get('SECRET_KEY', '<%= @secret_key %>') +DEBUG = False +SECURE_HSTS_PRELOAD = True # moved from local settings as local runserver don't do SSL +SECURE_HSTS_SECONDS = 1 +SECURE_SSL_REDIRECT = True +LOG_FILE = '<%= @home %>/caldev_django.log' + +DEFAULT_FROM_EMAIL = '<%= @mail_from %>' +EMAIL_USE_SSL = True +EMAIL_HOST = "<%= @smtp_host %>" +EMAIL_PORT = <%= @smtp_port %> + diff --git a/modules/role/templates/caldance/manage.py.erb b/modules/role/templates/caldance/manage.py.erb new file mode 100644 index 0000000..dc06eab --- /dev/null +++ b/modules/role/templates/caldance/manage.py.erb @@ -0,0 +1,9 @@ +#!<%= @python_path %> -O +import os +import sys + +if __name__ == "__main__": + os.environ.setdefault("DJANGO_SETTINGS_MODULE", "main_app.settings") + + from django.core.management import execute_from_command_line + execute_from_command_line(sys.argv) -- cgit v1.2.3 From d3948290aadf6050d4ad89b4fb1be99c7451f0c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 23 Mar 2019 03:42:59 +0100 Subject: Move app to caldance --- modules/role/manifests/caldance.pp | 68 +++++++++++++--------- .../role/templates/caldance/local_settings.py.erb | 25 -------- 2 files changed, 42 insertions(+), 51 deletions(-) delete mode 100644 modules/role/templates/caldance/local_settings.py.erb diff --git a/modules/role/manifests/caldance.pp b/modules/role/manifests/caldance.pp index 1cda69c..df8b56f 100644 --- a/modules/role/manifests/caldance.pp +++ b/modules/role/manifests/caldance.pp 
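Review bot: `SECURE_HSTS_SECONDS = 1` together with `SECURE_HSTS_PRELOAD = True` is contradictory: a one-second max-age gives browsers effectively no HSTS protection, and the preload list requires a max-age of at least a year, so the `preload` directive is ignored. If the intent is a cautious rollout, start with something like `SECURE_HSTS_SECONDS = 3600` and keep `SECURE_HSTS_PRELOAD = False` until the value reaches `31536000`. The `os.environ.get('SECRET_KEY', '<%= @secret_key %>')` fallback also bakes the generated secret into the rendered file, so the file's permissions are the only thing protecting it.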
@@ -26,6 +26,34 @@ class role::caldance ( ensure_packages(["python-pip", "python-virtualenv", "python-django"]) $caldance_app = "${home}/app" + $pg_password = generate_password(24, $password_seed, "postgres_caldance") + $secret_key = generate_password(24, $password_seed, "secret_key_caldance") + + $environment = { + "DB_NAME" => $pg_db, + "DB_USER" => $pg_user, + "DB_PASSWORD" => $pg_password, + "DB_HOST" => $pg_hostname, + "DB_PORT" => $pg_port, + "SECRET_KEY" => $secret_key, + "DEBUG" => "False", + "LOG_FILE" => "$home/caldev_django.log", + "FROM_EMAIL" => $mail_from, + "EMAIL_HOST" => $smtp_host, + "EMAIL_PORT" => $smtp_port, + } + $shell_env = $environment.map |$key, $value| { "$key=$value" } + $apache_env = $environment.map |$key, $value| { "CALDANCE_$key $value" } + + file { $home: + mode => "0755", + } + file { "${home}/caldev_django.log": + mode => "0664", + owner => $user, + group => "http", + content => "", + } file { $caldance_app: ensure => "directory", 
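Review bot: `file { "${home}/caldev_django.log": ... content => "" }` makes Puppet enforce an empty file, so every agent run that finds log output in it rewrites the file back to zero bytes and the application log is lost between runs. Use `ensure => file` without `content`, or add `replace => false`, so the file is created once with the intended owner and mode and then left alone. The new `$environment` hash also routes `DB_PASSWORD` and `SECRET_KEY` through `$shell_env` into `exec` environments, which is fine at the process level but means anything that records exec environments (an agent run at debug level, for instance) now captures both secrets. The `file { $caldance_app: ... }` resource at the end of the hunk continues outside it.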
@@ -58,46 +86,33 @@ class role::caldance ( exec { "py-requirements": cwd => $caldance_app, user => $user, - environment => ["HOME=${home}"], - command => "${home}/virtualenv/bin/pip install -r requirements.txt", + environment => concat(["HOME=${home}"], $shell_env), + command => "/usr/bin/sed -i -e '/GDAL/d' requirements.txt && ${home}/virtualenv/bin/pip install -r requirements.txt", require => User["$user:"], refreshonly => true, } ~> exec { "py-migrate": cwd => $caldance_app, user => $user, - environment => ["HOME=${home}"], + environment => concat(["HOME=${home}"], $shell_env), command => "$caldance_app/manage.py migrate", - require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]], + require => [User["$user:"], File["$caldance_app/manage.py"]], refreshonly => true, } ~> exec { "py-static": cwd => $caldance_app, user => $user, - environment => ["HOME=${home}"], + environment => concat(["HOME=${home}"], $shell_env), command => "$caldance_app/manage.py collectstatic --no-input", - require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]], + require => [User["$user:"], File["$caldance_app/manage.py"]], refreshonly => true, } ~> exec { "reload httpd": command => "/usr/bin/systemctl reload httpd", - require => [User["$user:"], File["$caldance_app/manage.py"], File["$caldance_app/main_app/local_settings.py"]], + require => [User["$user:"], File["$caldance_app/manage.py"]], refreshonly => true, } - $pg_password = generate_password(24, $password_seed, "postgres_caldance") - $secret_key = generate_password(24, $password_seed, "secret_key_caldance") - file { "$caldance_app/main_app/local_settings.py": - owner => $user, - group => $group, - mode => "0644", - content => template("role/caldance/local_settings.py.erb"), - require => [ - User["$user:"], - Archive[ "${home}/caldance_${caldance_version}.tar.gz"], - ], - } - $python_path = "${home}/virtualenv/bin/python" file 
{ "$caldance_app/manage.py": owner => $user, @@ -140,8 +155,8 @@ class role::caldance ( ensure_packages(["mod_wsgi"]) class { 'apache::mod::wsgi': - wsgi_python_home => "$web_home/caldev_virtualenv", - wsgi_python_path => "$web_home/caldev/www.cal-dance.com/", + wsgi_python_home => "${home}/virtualenv", + wsgi_python_path => $caldance_app, require => Package["mod_wsgi"], } class { 'apache::mod::authn_file': } @@ -160,11 +175,11 @@ class role::caldance ( require => Letsencrypt::Certonly[$web_host], directories => [ { - path => "$web_home/caldev/www.cal-dance.com/main_app", + path => "$caldance_app/main_app", require => "all granted", }, { - path => "$web_home/caldev/www.cal-dance.com/www/static", + path => "$caldance_app/www/static", require => "all granted", }, { @@ -179,10 +194,11 @@ class role::caldance ( aliases => [ { alias => "/static/", - path => "$web_home/caldev/www.cal-dance.com/www/static/", + path => "$caldance_app/www/static/", }, ], - wsgi_script_aliases => { "/" => "$web_home/caldev/www.cal-dance.com/main_app/wsgi.py" }; + setenv => $apache_env, + wsgi_script_aliases => { "/" => "$caldance_app/main_app/wsgi.py" }; default: * => $::profile::apache::apache_vhost_default; } } diff --git a/modules/role/templates/caldance/local_settings.py.erb b/modules/role/templates/caldance/local_settings.py.erb deleted file mode 100644 index 4da53f6..0000000 --- a/modules/role/templates/caldance/local_settings.py.erb +++ /dev/null 
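Review bot: The new `py-requirements` command `/usr/bin/sed -i -e '/GDAL/d' requirements.txt && ${home}/virtualenv/bin/pip install -r requirements.txt` depends on `&&`, but an `exec` without `provider => shell` runs its command directly and passes `&&` and the following words to sed as file names, so sed fails and the pip install never happens. Unless a default exec provider is set elsewhere in the module (not visible here), add `provider => shell` to this resource or move the sed into its own `exec` chained with `->`. The `~>` chain this exec belongs to starts above the hunk, and the `file { "$caldance_app/manage.py": ...}` resource at its end continues outside it.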
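Review bot: `setenv => $apache_env` in the `@@ -179,10 +194,11 @@` hunk writes `CALDANCE_DB_PASSWORD` and `CALDANCE_SECRET_KEY` as `SetEnv` directives into the generated vhost file, so the secrets now live in the Apache configuration; confirm the mode puppetlabs-apache assigns to that file, since vhost configs are commonly world-readable, and tighten it if so. Under mod_wsgi, `SetEnv` values are delivered in the per-request WSGI `environ` rather than the process `os.environ`, so unless the application's `wsgi.py` copies them across before Django settings are loaded, the settings module will not see them; the `manage.py` execs that receive `$shell_env` will work while the Apache-served app may not. This needs checking against the application code, which is outside this patch.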
@@ -1,25 +0,0 @@ -import os -DATABASES = { - 'default': { - 'ENGINE': 'django.contrib.gis.db.backends.postgis', - 'NAME': '<%= @pg_db %>', - 'USER': '<%= @pg_user %>', - 'PASSWORD': u'<%= @pg_password %>', - 'HOST': '<%= @pg_hostname %>', - 'PORT': '<%= @pg_port %>', - } -} - -# SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = os.environ.get('SECRET_KEY', '<%= @secret_key %>') -DEBUG = False -SECURE_HSTS_PRELOAD = True # moved from local settings as local runserver don't do SSL -SECURE_HSTS_SECONDS = 1 -SECURE_SSL_REDIRECT = True -LOG_FILE = '<%= @home %>/caldev_django.log' - -DEFAULT_FROM_EMAIL = '<%= @mail_from %>' -EMAIL_USE_SSL = True -EMAIL_HOST = "<%= @smtp_host %>" -EMAIL_PORT = <%= @smtp_port %> - -- cgit v1.2.3