From aea0165d2472ed8c744e091bdbdcc1587ead364f Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 2 Apr 2024 21:43:22 +0100 Subject: [PATCH 01/19] Add helpdesk-system deployment --- .../kitsvcs.studentrobotics.org copy.yml | 7 ++ hosts | 3 + playbook.yml | 6 ++ roles/helpdesk-system/README.md | 5 ++ .../files/deploy-requirements.txt | 5 ++ roles/helpdesk-system/handlers/main.yml | 4 + roles/helpdesk-system/tasks/main.yml | 84 +++++++++++++++++++ .../templates/helpdesk-system.service | 15 ++++ roles/helpdesk-system/templates/nginx.conf | 9 ++ roles/helpdesk-system/vars/main.yml | 2 + 10 files changed, 140 insertions(+) create mode 100644 host_vars/kitsvcs.studentrobotics.org copy.yml create mode 100644 roles/helpdesk-system/README.md create mode 100644 roles/helpdesk-system/files/deploy-requirements.txt create mode 100644 roles/helpdesk-system/handlers/main.yml create mode 100644 roles/helpdesk-system/tasks/main.yml create mode 100644 roles/helpdesk-system/templates/helpdesk-system.service create mode 100644 roles/helpdesk-system/templates/nginx.conf create mode 100644 roles/helpdesk-system/vars/main.yml diff --git a/host_vars/kitsvcs.studentrobotics.org copy.yml b/host_vars/kitsvcs.studentrobotics.org copy.yml new file mode 100644 index 0000000..dd1e37a --- /dev/null +++ b/host_vars/kitsvcs.studentrobotics.org copy.yml @@ -0,0 +1,7 @@ +--- +canonical_hostname: kitsvcs.studentrobotics.org + +add_hsts_header: true +certbot_certs: + - domains: + - "{{ canonical_hostname }}" diff --git a/hosts b/hosts index 278afd1..dfd9812 100644 --- a/hosts +++ b/hosts @@ -6,3 +6,6 @@ monty.studentrobotics.org [competitorsvcs] competitorsvcs.studentrobotics.org + +[kitsvcs] +kitsvcs.studentrobotics.org diff --git a/playbook.yml b/playbook.yml index e9981dc..f3587b6 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -21,3 +21,9 @@ - competitor-services-nginx - code-submitter - discord-gated-entry + +- name: Kit services + hosts: kitsvcs + roles: + - competitor-services-nginx + - helpdesk-system diff --git a/roles/helpdesk-system/README.md b/roles/helpdesk-system/README.md new file mode 100644 index 0000000..92faa3b --- /dev/null +++ b/roles/helpdesk-system/README.md @@ -0,0 +1,5 @@ +# Helpdesk System + +App for managing a competition helpdesk. + +This is a deployment of . diff --git a/roles/helpdesk-system/files/deploy-requirements.txt b/roles/helpdesk-system/files/deploy-requirements.txt new file mode 100644 index 0000000..dadf0fc --- /dev/null +++ b/roles/helpdesk-system/files/deploy-requirements.txt @@ -0,0 +1,5 @@ +-r requirements.txt + +# Latest at the time of writing. Don't actually care about the version, +# only that we pin it for stability. +gunicorn==21.2.0 diff --git a/roles/helpdesk-system/handlers/main.yml b/roles/helpdesk-system/handlers/main.yml new file mode 100644 index 0000000..ff7540b --- /dev/null +++ b/roles/helpdesk-system/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart helpdesk-system + service: + name: helpdesk-system + state: restarted diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml new file mode 100644 index 0000000..80c7179 --- /dev/null +++ b/roles/helpdesk-system/tasks/main.yml 
@@ -0,0 +1,84 @@ +- name: Install virtualenv system dependencies + apt: + pkg: + - python3-virtualenv + - python3-wheel + +- name: Create install directory + file: + path: "{{ install_dir }}" + state: directory + owner: www-data + mode: "755" + +- name: Download + git: + repo: https://github.com/srobo/helpdesk-system + dest: "{{ install_dir }}" + force: true + version: sr2024 # TODO: Pin to commit + notify: + Restart helpdesk-system + register: helpdesk_system_repo + become_user: www-data + +# NOTE: It is expected this configuration won't work as-is +- name: Create configuration if it doesn't exist + copy: + force: false + remote_src: true + src: "{{ install_dir }}/helpdesk/helpdesk/configuration.example.py" + dest: "{{ install_dir }}/helpdesk/helpdesk/configuration.py" + mode: "0600" + owner: www-data + notify: + Restart helpdesk-system + +- name: Install deploy requirements + copy: + src: deploy-requirements.txt + dest: "{{ install_dir }}/deploy-requirements.txt" + mode: "0600" + owner: www-data + notify: + Restart helpdesk-system + register: deploy_requirements + +- name: Install virtual environment + pip: + virtualenv: "{{ venv_dir }}" + requirements: "{{ deploy_requirements.dest }}" + notify: + Restart helpdesk-system + become_user: www-data + when: deploy_requirements.changed or helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order + +- name: Install systemd service + template: + src: helpdesk-system.service + dest: /etc/systemd/system/helpdesk-system.service + mode: "0644" + notify: + Restart helpdesk-system + +- name: Install nginx config + template: + src: nginx.conf + dest: /etc/nginx/locations-enabled/helpdesk-system + mode: "0644" + notify: + Reload nginx + +- name: Run migrations # noqa: no-changed-when - We want to always run this (it handles its own idempotency) + django_manage: + command: migrate --noinput -v0 + app_path: "{{ install_dir }}/helpdesk" + virtualenv: "{{ venv_dir }}" + become_user: www-data + when: 
helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order + +- name: Enable service + service: + name: helpdesk-system + state: started + enabled: true diff --git a/roles/helpdesk-system/templates/helpdesk-system.service b/roles/helpdesk-system/templates/helpdesk-system.service new file mode 100644 index 0000000..62fd6c2 --- /dev/null +++ b/roles/helpdesk-system/templates/helpdesk-system.service @@ -0,0 +1,15 @@ +[Unit] +Description=Helpdesk System +After=network.target + +[Service] +User=www-data + +Type=simple + +WorkingDirectory={{ install_dir }}/helpdesk +RuntimeDirectory=helpdesk-system +ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:app --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' + +[Install] +WantedBy=multi-user.target diff --git a/roles/helpdesk-system/templates/nginx.conf b/roles/helpdesk-system/templates/nginx.conf new file mode 100644 index 0000000..eabfd68 --- /dev/null +++ b/roles/helpdesk-system/templates/nginx.conf @@ -0,0 +1,9 @@ +# HACK: Expects to be run at the root +location / { + proxy_pass http://unix:/var/run/helpdesk-system/helpdesk-system.socket:/; + proxy_pass_request_headers on; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $host; +} diff --git a/roles/helpdesk-system/vars/main.yml b/roles/helpdesk-system/vars/main.yml new file mode 100644 index 0000000..4e8fad9 --- /dev/null +++ b/roles/helpdesk-system/vars/main.yml @@ -0,0 +1,2 @@ +install_dir: /srv/helpdesk-system +venv_dir: "{{ install_dir }}/venv" From ee64ad995a2409feca84ac55cae43f80e631ae9a Mon Sep 17 00:00:00 2001 
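Review bot: The account that runs the application is also the one that owns and writes its code: the install directory is created with `owner: www-data`, the git checkout and the pip install both run under `become_user: www-data`, and the unit added in this same patch starts gunicorn as `User=www-data`, so any code-execution bug in the helpdesk lets an attacker rewrite the checkout or the venv and persist across restarts. The usual split is a separate deploy owner (or root) for `install_dir` and `venv_dir` with www-data only reading them; if that is deliberately out of scope for a short-lived competition service, say so above the `Create install directory` task: `# NOTE: www-data owns the checkout and venv, so a compromised app can modify its own code.` `Run migrations` is gated on `helpdesk_system_repo.changed`, which means a migration that fails part-way will be skipped on every following run until the pinned version moves, because the checkout then reports unchanged; running `migrate` unconditionally (it is idempotent) or gating on the pip task as well is safer. Minor: `mode: "755"` is the only mode in this role without the leading zero, `mode: "0755"` matches the rest of the file.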
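Review bot: The unit runs gunicorn as `www-data` but applies none of the systemd sandboxing a network-facing service normally gets, so a compromised worker keeps a writable view of the whole filesystem, `/tmp` and `/home`. The directives below are the conventional baseline; `ProtectSystem=strict` makes everything read-only except `ReadWritePaths` (and the `RuntimeDirectory` already declared), so the directory the SQLite database lives in must be listed, and since this patch does not show where the app writes, the exact list should be confirmed on the dev VM before shipping. `--forwarded-allow-ips='*'` is only acceptable because the bind is a unix socket reachable solely by the local nginx, which is worth stating in the unit: `# forwarded-allow-ips='*' is safe only while the bind stays a socket local to nginx`. `Restart=on-failure` is also missing, so a crashed master stays down until an operator notices.

```ini
[Service]
User=www-data
# … unchanged: Type, WorkingDirectory, RuntimeDirectory, ExecStart …
Restart=on-failure

# Sandboxing: the workers need the checkout, the venv, the socket directory and
# wherever the database lives; everything else is read-only or hidden.
# TODO(review): confirm ReadWritePaths covers the SQLite file location.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths={{ install_dir }}/helpdesk
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
```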
From: Jake Howard Date: Thu, 4 Apr 2024 20:06:32 +0100 Subject: [PATCH 02/19] Fix host variables for kit services VM --- ...udentrobotics.org copy.yml => kitsvcs.studentrobotics.org.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename host_vars/{kitsvcs.studentrobotics.org copy.yml => kitsvcs.studentrobotics.org.yml} (100%) diff --git a/host_vars/kitsvcs.studentrobotics.org copy.yml b/host_vars/kitsvcs.studentrobotics.org.yml similarity index 100% rename from host_vars/kitsvcs.studentrobotics.org copy.yml rename to host_vars/kitsvcs.studentrobotics.org.yml From da86cc8ab814ccab9278715d3979bac3c276dac2 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 20:08:57 +0100 Subject: [PATCH 03/19] Give @raccube access to the kit services VM --- host_vars/kitsvcs.studentrobotics.org.yml | 6 ++++++ roles/users/files/authorized_keys/kkwaitek | 3 +++ 2 files changed, 9 insertions(+) create mode 100644 roles/users/files/authorized_keys/kkwaitek diff --git a/host_vars/kitsvcs.studentrobotics.org.yml b/host_vars/kitsvcs.studentrobotics.org.yml index dd1e37a..3cece19 100644 --- a/host_vars/kitsvcs.studentrobotics.org.yml +++ b/host_vars/kitsvcs.studentrobotics.org.yml @@ -5,3 +5,9 @@ add_hsts_header: true certbot_certs: - domains: - "{{ canonical_hostname }}" + +users: + - jhoward + - jsedensmith + - plaw + - kkwaitek diff --git a/roles/users/files/authorized_keys/kkwaitek b/roles/users/files/authorized_keys/kkwaitek new file mode 100644 index 0000000..544d09d --- /dev/null +++ b/roles/users/files/authorized_keys/kkwaitek @@ -0,0 +1,3 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjJRX+kUOwOioFgUp8A1OyR3450Lp0K4FB/ZW7aDOJL +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxOqjTyfHm5elbi5YqvZlCTC3X8lsY/rHsoXcfzix5b +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+BGrcVW5MGbrBgYabpPlD5QvpRjJvPTjCahxWlHLga From 9efa3517211b806747dd62895fdeaa50cc7c0e39 Mon Sep 17 00:00:00 2001 
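Review bot: The three keys added for this user carry no comment field, so nothing in the repository records which device or purpose each line belongs to, and revoking one later means guessing which of the three to delete. Appending an identifying comment to each line (`ssh-ed25519 AAAA… karina-laptop`, for example) costs nothing, is ignored by sshd, and makes the git history a usable audit trail; if the other files under `roles/users/files/authorized_keys/` follow the same bare pattern, which this patch does not show, the same applies to them. Three keys for one account is also three things the owner must vouch for still being in use, so it is worth confirming each one is current rather than a leftover from an old machine. What the `users` list grants beyond SSH login (sudo or not) is decided by the `users` role outside this patch, so I cannot tell from here whether these keys are root-equivalent.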
From: Jake Howard Date: Thu, 4 Apr 2024 21:19:30 +0100 Subject: [PATCH 04/19] Correctly run application --- roles/helpdesk-system/templates/helpdesk-system.service | 2 +- roles/helpdesk-system/templates/nginx.conf | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/helpdesk-system/templates/helpdesk-system.service b/roles/helpdesk-system/templates/helpdesk-system.service index 62fd6c2..385e486 100644 --- a/roles/helpdesk-system/templates/helpdesk-system.service +++ b/roles/helpdesk-system/templates/helpdesk-system.service @@ -9,7 +9,7 @@ Type=simple WorkingDirectory={{ install_dir }}/helpdesk RuntimeDirectory=helpdesk-system -ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:app --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' +ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:application --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' [Install] WantedBy=multi-user.target diff --git a/roles/helpdesk-system/templates/nginx.conf b/roles/helpdesk-system/templates/nginx.conf index eabfd68..398955e 100644 --- a/roles/helpdesk-system/templates/nginx.conf +++ b/roles/helpdesk-system/templates/nginx.conf @@ -1,9 +1,12 @@ -# HACK: Expects to be run at the root -location / { - proxy_pass http://unix:/var/run/helpdesk-system/helpdesk-system.socket:/; +location /helpdesk/ { + proxy_pass http://unix:/var/run/helpdesk-system/helpdesk-system.socket; proxy_pass_request_headers on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header Host $host; } + +location /helpdesk/static { + alias {{ install_dir }}/helpdesk/static; +} From bbceefe7e87ef3ab98e1f0286058e66c8cfc3565 Mon Sep 17 00:00:00 2001 
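Review bot: `location /helpdesk/static { alias {{ install_dir }}/helpdesk/static; }` is written without a trailing slash on either side, which is internally consistent today, but it is one edit away from the well-known nginx alias traversal: if a later change adds the slash to the `alias` path but not the `location`, a request for `/helpdesk/static../helpdesk/configuration.py` maps to the parent of the static directory, and that parent holds the `helpdesk/` package with `configuration.py` (the Django `SECRET_KEY`). Writing both halves with the slash, `location /helpdesk/static/ { alias {{ install_dir }}/helpdesk/static/; }`, removes the hazard rather than relying on nobody touching only one side. It is also worth confirming that this directory is the app's `STATIC_ROOT`, since the collectstatic step added later in this series writes wherever Django is configured to, not necessarily here. The `X-Forwarded-Proto https` is hard-coded rather than `$scheme`, which is fine while this nginx only listens on TLS but deserves a one-line comment saying so.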
From: Jake Howard Date: Thu, 4 Apr 2024 21:47:18 +0100 Subject: [PATCH 05/19] Show access logs in gunicorn logs This makes tracking down errors a bit simpler --- roles/helpdesk-system/templates/helpdesk-system.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/helpdesk-system/templates/helpdesk-system.service b/roles/helpdesk-system/templates/helpdesk-system.service index 385e486..1ffe58f 100644 --- a/roles/helpdesk-system/templates/helpdesk-system.service +++ b/roles/helpdesk-system/templates/helpdesk-system.service @@ -9,7 +9,7 @@ Type=simple WorkingDirectory={{ install_dir }}/helpdesk RuntimeDirectory=helpdesk-system -ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:application --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' +ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:application --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' --access-logfile - [Install] WantedBy=multi-user.target From 74f218ee1a49b051c9379be3ba201f11e8a014f8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 21:49:29 +0100 Subject: [PATCH 06/19] Run collect static on deploy --- roles/helpdesk-system/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 80c7179..7c56362 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml 
@@ -77,6 +77,14 @@ become_user: www-data when: helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order +- name: Collect static # noqa: no-changed-when - We want to always run this (it handles its own idempotency) + django_manage: + command: collectstatic --noinput -v0 + app_path: "{{ install_dir }}/helpdesk" + virtualenv: "{{ venv_dir }}" + become_user: www-data + when: helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order + - name: Enable service service: name: helpdesk-system From 39cce7eefaafcf2ab7454b8b5bb3e61a97a4a6b2 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 22:03:27 +0100 Subject: [PATCH 07/19] Define gunicorn version in ansible This prevents polluting the git checkout, which causes issues when updating. --- .../files/deploy-requirements.txt | 5 ----- roles/helpdesk-system/tasks/main.yml | 20 +++++++++---------- 2 files changed, 10 insertions(+), 15 deletions(-) delete mode 100644 roles/helpdesk-system/files/deploy-requirements.txt diff --git a/roles/helpdesk-system/files/deploy-requirements.txt b/roles/helpdesk-system/files/deploy-requirements.txt deleted file mode 100644 index dadf0fc..0000000 --- a/roles/helpdesk-system/files/deploy-requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ --r requirements.txt - -# Latest at the time of writing. Don't actually care about the version, -# only that we pin it for stability. -gunicorn==21.2.0 diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 7c56362..2e42b3b 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml 
@@ -34,24 +34,24 @@ notify: Restart helpdesk-system -- name: Install deploy requirements - copy: - src: deploy-requirements.txt - dest: "{{ install_dir }}/deploy-requirements.txt" - mode: "0600" - owner: www-data +- name: Install virtual environment + pip: + virtualenv: "{{ venv_dir }}" + requirements: "{{ install_dir }}/requirements.txt" notify: Restart helpdesk-system - register: deploy_requirements + become_user: www-data + when: helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order -- name: Install virtual environment +- name: Install deploy requirements pip: + # Latest at the time of writing. Don't actually care about the version, + # only that we pin it for stability. + name: gunicorn==21.2.0 virtualenv: "{{ venv_dir }}" - requirements: "{{ deploy_requirements.dest }}" notify: Restart helpdesk-system become_user: www-data - when: deploy_requirements.changed or helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order - name: Install systemd service template: From a4e3611512b130e343d6138d12713353abb4347c Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 22:05:40 +0100 Subject: [PATCH 08/19] Run multiple processes --- roles/helpdesk-system/templates/helpdesk-system.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/helpdesk-system/templates/helpdesk-system.service b/roles/helpdesk-system/templates/helpdesk-system.service index 1ffe58f..df2be96 100644 --- a/roles/helpdesk-system/templates/helpdesk-system.service +++ b/roles/helpdesk-system/templates/helpdesk-system.service 
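Review bot: The comment above the new `name: gunicorn==21.2.0` says the version does not matter and the pin is only for stability, which is the wrong framing for the component that parses untrusted HTTP in front of Django: a pin with no stated reason to revisit it is how parser fixes get missed. Keep the pin but change the comment to say why and when it moves, e.g. `# Pinned for reproducible deploys. gunicorn parses untrusted HTTP in front of Django, so bump this deliberately when a security release ships, not only when something breaks.` The `Install virtual environment` task above it installs the checkout's `requirements.txt` without hash checking, so the same caveat applies to the application's own dependencies, though that file is outside this patch. Neither task is gated on a failure of the other, so a half-installed venv is only repaired when the checkout changes again; that is worth a `# noqa`-style comment if it is intended.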
@@ -9,7 +9,7 @@ Type=simple WorkingDirectory={{ install_dir }}/helpdesk RuntimeDirectory=helpdesk-system -ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:application --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' --access-logfile - +ExecStart={{ venv_dir }}/bin/gunicorn helpdesk.wsgi:application --bind unix:/var/run/helpdesk-system/helpdesk-system.socket --forwarded-allow-ips='*' --access-logfile - --workers="{{ ansible_processor_nproc * 2 + 1 }}" --max-requests=500 --max-requests-jitter=20 --timeout=30 [Install] WantedBy=multi-user.target From 2aff3dc53cf734554af69f7b9c8002d727643625 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 22:15:37 +0100 Subject: [PATCH 09/19] Set up srobo.org/helpdesk proxy --- group_vars/all.yml | 5 +++++ host_vars/kitsvcs.studentrobotics.org.yml | 6 ++++++ roles/srobo-nginx/templates/nginx.conf | 12 ++++++++++++ 3 files changed, 23 insertions(+) diff --git a/group_vars/all.yml b/group_vars/all.yml index 5982e59..1f0dbee 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -28,6 +28,11 @@ enable_competition_homepage: false enable_competitor_services_proxy: true competitor_services_proxy_hostname: competitorsvcs.studentrobotics.org +# We typically only host the competitor services for the duration of the +# competition year. +enable_kit_services_proxy: true +kit_services_proxy_hostname: kitsvcs.studentrobotics.org + firewall_allowed_tcp_ports: - "22" - "80" diff --git a/host_vars/kitsvcs.studentrobotics.org.yml b/host_vars/kitsvcs.studentrobotics.org.yml index 3cece19..97229ba 100644 --- a/host_vars/kitsvcs.studentrobotics.org.yml +++ b/host_vars/kitsvcs.studentrobotics.org.yml 
@@ -1,5 +1,11 @@ --- canonical_hostname: kitsvcs.studentrobotics.org +secondary_hostnames: + # Include our primary canonical hostname so that requests via the proxy there + # aren't redirected. This is needed (rather than overriding the Host header + # with the actual domain) so that urls generated by services hosted services + # include the right domain. + - studentrobotics.org add_hsts_header: true certbot_certs: diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf index 173d5b0..3b42d6f 100644 --- a/roles/srobo-nginx/templates/nginx.conf +++ b/roles/srobo-nginx/templates/nginx.conf @@ -128,6 +128,18 @@ http { } {% endif %} + {% if enable_kit_services_proxy %} + location /helpdesk/ { + # When the proxied service is not available NGINX will refuse to start. + # Use a variable to trick it into connecting lazily and thus always + # starting up, even if in a degraded mode. + set $kitsvcs '{{ kit_services_proxy_hostname }}'; + proxy_pass https://$kitsvcs$request_uri; + # Note: don't set a Host header as we want the helpdesk system to use our + # public hostname, not the hostname of the underlying machine. + } + {% endif %} + {% if enable_srcomp_proxy %} location /comp-api/ { # When the proxied service is not available NGINX will refuse to start. From 2df664a9aa5f4eb00639da0d5c09893fdbc76fcc Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 22:42:36 +0100 Subject: [PATCH 10/19] Fix linting issues --- host_vars/kitsvcs.studentrobotics.org.yml | 8 ++++---- roles/helpdesk-system/tasks/main.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/host_vars/kitsvcs.studentrobotics.org.yml b/host_vars/kitsvcs.studentrobotics.org.yml index 97229ba..0ca9df6 100644 --- a/host_vars/kitsvcs.studentrobotics.org.yml +++ b/host_vars/kitsvcs.studentrobotics.org.yml 
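Review bot: The new `/helpdesk/` location on the public proxy forwards to kitsvcs without setting `X-Forwarded-For`, so the kit-services nginx appends only the proxy's own address via `$proxy_add_x_forwarded_for` and the application (and gunicorn's access log) sees every request as coming from the front proxy, with any client-supplied `X-Forwarded-For` passed through unchanged; unless the enclosing `server` block already sets it, which this hunk does not show, add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the comment about `Host`. The upstream is `https://` but nginx does not verify upstream certificates by default, so if the `/comp-api/` proxy below relies on the same defaults this is the second copy of that omission and a shared `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate` would be better than a third. The `Host` comment describes intent but not mechanism: nginx's default is to send `$proxy_host`, i.e. `kitsvcs.studentrobotics.org`, so the public hostname only reaches the helpdesk if a `proxy_set_header Host` is inherited from outside this hunk, and the comment should name that dependency (`# Host is inherited from the server block; it must stay the public hostname so the helpdesk generates the right URLs`).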
@@ -13,7 +13,7 @@ certbot_certs: - "{{ canonical_hostname }}" users: - - jhoward - - jsedensmith - - plaw - - kkwaitek + - jhoward + - jsedensmith + - plaw + - kkwaitek diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 2e42b3b..ae6ce21 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml @@ -16,7 +16,7 @@ repo: https://github.com/srobo/helpdesk-system dest: "{{ install_dir }}" force: true - version: sr2024 # TODO: Pin to commit + version: sr2024 # TODO: Pin to commit notify: Restart helpdesk-system register: helpdesk_system_repo @@ -70,7 +70,7 @@ Reload nginx - name: Run migrations # noqa: no-changed-when - We want to always run this (it handles its own idempotency) - django_manage: + community.general.django_manage: command: migrate --noinput -v0 app_path: "{{ install_dir }}/helpdesk" virtualenv: "{{ venv_dir }}" @@ -78,7 +78,7 @@ when: helpdesk_system_repo.changed # noqa: no-handler - Use a handler to ensure execution order - name: Collect static # noqa: no-changed-when - We want to always run this (it handles its own idempotency) - django_manage: + community.general.django_manage: command: collectstatic --noinput -v0 app_path: "{{ install_dir }}/helpdesk" virtualenv: "{{ venv_dir }}" From ab1f39d846e3d3201669351bc473cd031a2bf713 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 23:09:42 +0100 Subject: [PATCH 11/19] Be more verbose during management commands This might be helpful during debugging --- group_vars/all.yml | 2 +- roles/helpdesk-system/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 1f0dbee..cacc9cc 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -28,7 +28,7 @@ enable_competition_homepage: false enable_competitor_services_proxy: true competitor_services_proxy_hostname: competitorsvcs.studentrobotics.org -# We typically only host the competitor services for the duration of the +# We typically only host the kit services for the duration of the # competition year. enable_kit_services_proxy: true kit_services_proxy_hostname: kitsvcs.studentrobotics.org diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index ae6ce21..3e37ed7 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml @@ -71,7 +71,7 @@ - name: Run migrations # noqa: no-changed-when - We want to always run this (it handles its own idempotency) community.general.django_manage: - command: migrate --noinput -v0 + command: migrate --noinput app_path: "{{ install_dir }}/helpdesk" virtualenv: "{{ venv_dir }}" become_user: www-data @@ -79,7 +79,7 @@ - name: Collect static # noqa: no-changed-when - We want to always run this (it handles its own idempotency) community.general.django_manage: - command: collectstatic --noinput -v0 + command: collectstatic --noinput app_path: "{{ install_dir }}/helpdesk" virtualenv: "{{ venv_dir }}" become_user: www-data From d1215eca4869e1b6468b3b292184cf3ba90810f3 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 4 Apr 2024 23:10:01 +0100 Subject: [PATCH 12/19] Sort users --- host_vars/kitsvcs.studentrobotics.org.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/kitsvcs.studentrobotics.org.yml b/host_vars/kitsvcs.studentrobotics.org.yml index 0ca9df6..7a641ad 100644 --- a/host_vars/kitsvcs.studentrobotics.org.yml +++ b/host_vars/kitsvcs.studentrobotics.org.yml @@ -15,5 +15,5 @@ certbot_certs: users: - jhoward - jsedensmith - - plaw - kkwaitek + - plaw From 8adb831490fb9b9392016dafc99a1c8f257f0809 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Thu, 4 Apr 2024 23:25:42 +0100 Subject: [PATCH 13/19] Spell Karina's name right --- host_vars/kitsvcs.studentrobotics.org.yml | 2 +- roles/users/files/authorized_keys/{kkwaitek => kkwiatek} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/users/files/authorized_keys/{kkwaitek => kkwiatek} (100%) diff --git a/host_vars/kitsvcs.studentrobotics.org.yml b/host_vars/kitsvcs.studentrobotics.org.yml index 7a641ad..0c3e7b5 100644 --- a/host_vars/kitsvcs.studentrobotics.org.yml +++ b/host_vars/kitsvcs.studentrobotics.org.yml @@ -15,5 +15,5 @@ certbot_certs: users: - jhoward - jsedensmith - - kkwaitek + - kkwiatek - plaw diff --git a/roles/users/files/authorized_keys/kkwaitek b/roles/users/files/authorized_keys/kkwiatek similarity index 100% rename from roles/users/files/authorized_keys/kkwaitek rename to roles/users/files/authorized_keys/kkwiatek From 117069b92b063e563f8ef3d45d7422307cae9c8f Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 5 Apr 2024 14:13:27 +0100 Subject: [PATCH 14/19] Generate secrets with Ansible --- roles/helpdesk-system/tasks/main.yml | 33 ++++++++++-- .../templates/configuration.py | 51 +++++++++++++++++++ roles/helpdesk-system/vars/main.yml | 1 + 3 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 roles/helpdesk-system/templates/configuration.py diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 3e37ed7..1777227 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml @@ -11,6 +11,13 @@ owner: www-data mode: "755" +- name: Create secrets directory + file: + path: "{{ helpdesk_secrets_dir }}" + state: directory + owner: www-data + mode: "0700" + - name: Download git: repo: https://github.com/srobo/helpdesk-system 
@@ -22,15 +29,31 @@ register: helpdesk_system_repo become_user: www-data -# NOTE: It is expected this configuration won't work as-is -- name: Create configuration if it doesn't exist +- name: Generate secret key copy: force: false - remote_src: true - src: "{{ install_dir }}/helpdesk/helpdesk/configuration.example.py" - dest: "{{ install_dir }}/helpdesk/helpdesk/configuration.py" + content: "{{ lookup('community.general.random_string', length=50) }}" + dest: "{{ helpdesk_secrets_dir }}/secret-key.txt" + owner: www-data mode: "0600" + notify: + Restart helpdesk-system + +- name: Generate volunteer signup code + copy: + force: false + content: "{{ lookup('community.general.random_string', length=10, ignore_similar_chars=True, special=False, upper=False) }}" + dest: "{{ helpdesk_secrets_dir }}/volunteer-signup-code.txt" owner: www-data + mode: "0600" + notify: + Restart helpdesk-system + +- name: Install configuration + template: + src: configuration.py + dest: "{{ install_dir }}/helpdesk/helpdesk/configuration.py" + mode: "0600" notify: Restart helpdesk-system diff --git a/roles/helpdesk-system/templates/configuration.py b/roles/helpdesk-system/templates/configuration.py new file mode 100644 index 0000000..95d5b55 --- /dev/null +++ b/roles/helpdesk-system/templates/configuration.py 
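Review bot: Both new `copy` tasks pass the secret as `content:`, and Ansible prints module arguments on failure and the full content under `--diff` or high verbosity, so the Django `SECRET_KEY` and the signup code will land in controller output and any CI log the first time the play runs; add `no_log: true` to `Generate secret key` and `Generate volunteer signup code`. `force: false` correctly makes the values stable, but it also makes rotation a manual step nobody will find without a hint, so add above each task: `# To rotate, delete the file on the host and re-run; the handler restarts the service.` The signup code is a long-lived shared secret handed to volunteers (roughly 50 bits from 10 lower-case/digit characters with look-alikes removed), adequate for its purpose but the value most likely to leak, so it is the one the rotation note matters for. The lookup's entropy source should be confirmed to be the system CSPRNG on the collection version installed on the controller, since this key signs sessions.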
@@ -0,0 +1,51 @@ +from pathlib import Path + +SECRETS_DIR = Path("{{ helpdesk_secrets_dir }}") + +######################### +# # +# Required settings # +# # +######################### + +# Allow all hostnames - this validation is done by nginx instead. +ALLOWED_HOSTS = ["*"] + +# Database configuration. See the Django documentation for a complete list of available parameters: +# https://docs.djangoproject.com/en/stable/ref/settings/#databases +DATABASE = { + "ENGINE": "django.db.backends.sqlite3", + "NAME": "db.sqlite", + "CONN_MAX_AGE": 300, # Max database connection age +} + +# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. +# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and +# symbols. Helpdesk will not run without this defined. For more information, see +# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY +SECRET_KEY = SECRETS_DIR.joinpath("secret-key.txt").read_text() + +######################### +# # +# Optional settings # +# # +######################### + +BASE_PATH = "helpdesk/" + +# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal +# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging +# on a production system. +DEBUG = False + +EMAIL = { + 'BACKEND': 'django.core.mail.backends.console.EmailBackend' +} + +# Title of the System +SYSTEM_TITLE = "Helpdesk" + +# Time zone (default: UTC) +TIME_ZONE = "Europe/London" + +VOLUNTEER_SIGNUP_CODE = SECRETS_DIR.joinpath("volunteer-signup-code.txt").read_text() diff --git a/roles/helpdesk-system/vars/main.yml b/roles/helpdesk-system/vars/main.yml index 4e8fad9..8c056a1 100644 --- a/roles/helpdesk-system/vars/main.yml +++ b/roles/helpdesk-system/vars/main.yml 
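Review bot: `ALLOWED_HOSTS = ["*"]` disables Django's Host-header validation, and the comment's claim that nginx does it instead is not something this series establishes: the kit-services nginx forwards the client's `Host` verbatim (`proxy_set_header Host $host`), and whether unknown hosts are rejected depends on the `competitor-services-nginx` role, which is outside this patch. Since the host names are already variables in this repository the template can list them instead of trusting the edge: `ALLOWED_HOSTS = {{ ([canonical_hostname] + (secondary_hostnames | default([]))) | to_json }}`, which yields the right set on both the production host and the Vagrant VM. The SQLite `NAME` is relative (`db.sqlite`), so it resolves against the unit's `WorkingDirectory`, i.e. inside the git checkout that the `git` task force-updates; give it an absolute path in a data directory owned by www-data and outside `install_dir` so a `git clean` or re-checkout cannot delete the competition's data. The `SECRET_KEY` comment still says the key "must never be exposed outside of this file" although it now lives in `secret-key.txt`; reword it to `# Loaded from {{ helpdesk_secrets_dir }}/secret-key.txt (0600, www-data); never commit or log it.`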
@@ -1,2 +1,3 @@ install_dir: /srv/helpdesk-system venv_dir: "{{ install_dir }}/venv" +helpdesk_secrets_dir: "{{ secrets_dir }}/helpdesk-system" From 91fa175f38e7b870357df9a299872a212ae7e42d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 6 Apr 2024 15:41:20 +0100 Subject: [PATCH 15/19] Add todo for role rename See https://github.com/srobo/ansible/pull/64#discussion_r1552501701 --- playbook.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbook.yml b/playbook.yml index f3587b6..7590f43 100644 --- a/playbook.yml +++ b/playbook.yml @@ -25,5 +25,6 @@ - name: Kit services hosts: kitsvcs roles: + # TODO: Give this role a less machine-specific name - competitor-services-nginx - helpdesk-system From 3173c8076e7291b00b5fd0c5e41468a5c100780e Mon Sep 17 00:00:00 2001 From: Peter Law Date: Sun, 7 Apr 2024 12:39:36 +0100 Subject: [PATCH 16/19] Add local config for the kit services machine --- README.md | 1 + Vagrantfile | 10 ++++++++++ host_vars/sr-kitsvc.yml | 11 +++++++++++ 3 files changed, 22 insertions(+) create mode 100644 host_vars/sr-kitsvc.yml diff --git a/README.md b/README.md index c8f85e8..4ae4720 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ to test any **HTTP** services they're running. Add the following line to ``` 192.168.56.56 sr-proxy sr-proxy.local 192.168.56.57 sr-compsvc sr-compsvc.local +192.168.56.58 sr-kitsvc sr-kitsvc.local ``` You'll then be able to access the machines as if they were hosted. For example diff --git a/Vagrantfile b/Vagrantfile index 28d7e17..e3e4ef2 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -35,4 +35,14 @@ Vagrant.configure(2) do |config| compsrv.vm.network "private_network", ip: "192.168.56.57" compsrv.vm.hostname = "sr-compsvc.local" end + + config.vm.define "sr-kitsvc" do |kitsrv| + kitsrv.vm.box = "ubuntu/jammy64" + + # This name is what's looked up in the Ansible host_vars. + kitsrv.vm.define "sr-kitsvc" + + kitsrv.vm.network "private_network", ip: "192.168.56.58" + kitsrv.vm.hostname = "sr-kitsvc.local" + end end diff --git a/host_vars/sr-kitsvc.yml b/host_vars/sr-kitsvc.yml new file mode 100644 index 0000000..c902e3e --- /dev/null +++ b/host_vars/sr-kitsvc.yml @@ -0,0 +1,11 @@ +--- +# This is a dev VM created by Vagrant. + +canonical_hostname: sr-kitsvc +secondary_hostnames: + # See explanation in host_vars/kitsvcs.studentrobotics.org.yml for why + # we include the proxy hostname here. + - sr-proxy + +add_hsts_header: false +certbot_create_if_missing: false From 3867b6e852fecd522c041d15dd2daf1a4c2ee9d7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 7 Apr 2024 13:36:51 +0100 Subject: [PATCH 17/19] Correctly provision local kit services VM --- Vagrantfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrantfile b/Vagrantfile index e3e4ef2..f0f2031 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -15,6 +15,7 @@ Vagrant.configure(2) do |config| ansible.groups = { "webproxies" => ["sr-proxy"], "competitorsvcs" => ["sr-compsvc"], + "kitsvcs" => ["sr-kitsvc"], } end From 215c647a1d84b2ce06b7c13f5d4984aefa4fe891 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 7 Apr 2024 13:37:29 +0100 Subject: [PATCH 18/19] Fix owner of configuration --- roles/helpdesk-system/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 1777227..0f9ab56 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml 
@@ -53,6 +53,7 @@ template: src: configuration.py dest: "{{ install_dir }}/helpdesk/helpdesk/configuration.py" + owner: www-data mode: "0600" notify: Restart helpdesk-system From e8a9942f966f759513f02b0e9fd38a453ad4130c Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 8 Apr 2024 10:27:02 +0100 Subject: [PATCH 19/19] Pin to specific version of helpdesk system --- roles/helpdesk-system/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/helpdesk-system/tasks/main.yml b/roles/helpdesk-system/tasks/main.yml index 0f9ab56..32e07ee 100644 --- a/roles/helpdesk-system/tasks/main.yml +++ b/roles/helpdesk-system/tasks/main.yml @@ -23,7 +23,7 @@ repo: https://github.com/srobo/helpdesk-system dest: "{{ install_dir }}" force: true - version: sr2024 # TODO: Pin to commit + version: dfbc34b66bfb6d6c9a811e141d59d81aad46dab1 notify: Restart helpdesk-system register: helpdesk_system_repo