From f47fc4000a937f88af10032e126dc2eab948dbae Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Fri, 20 Sep 2024 12:13:20 +0200
Subject: [PATCH] Change ports for motley-cue (#64)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* open ports for motley-cue
* revert bf972a1 and apply prettier
* add DASHBOARD_HOSTNAME back to traefik.http.routers.dashboard.rule in docker-compose.yaml
* move motley-cue to port 8181
* linting
* Dump DASHBOARD_HOSTNAME to .env file
Co-authored-by: Enol Fernández
* add SSH explicitly to the motley-cue security group
* we should be using handlers
---------
Co-authored-by: Enol Fernández
---
 README.md | 6 ++++--
 deployment/main.tf | 22 +++++++++++++++++++++-
 deployment/playbook.yaml | 36 +++++++++++++++++++++++++++++++++++-
 docker-compose.yaml | 6 +++---
 4 files changed, 63 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index fd446c8..94d51b7 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,14 @@ This code relies on docker-compose to run 3 containers:
 - some python code to generate the list of endpoints
 
 The existing docker-compose file assumes you will run the code on a publicly
-accessible host with a valid name:
+accessible host with a valid name. You can create a `.env` file with the
+`DASHBOARD_HOSTNAME` variable defined with the hostname of your server and just
+start the service:
 
 ```shell
 cd /path/to/working/directory
 git clone https://github.com/EGI-Federation/fedcloud-dashboard.git
-cd fedcloud-dashboard
+echo "DASHBOARD_HOSTNAME="" > .env
 docker-compose up --build
 ```
 
diff --git a/deployment/main.tf b/deployment/main.tf
index 1b8a70c..7c73dbf 100644
--- a/deployment/main.tf
+++ b/deployment/main.tf
@@ -6,7 +6,7 @@ resource "openstack_compute_instance_v2" "dashboard" {
 network {
 uuid = var.net_id
 }
- security_groups = [openstack_compute_secgroup_v2.secgroup.name, "default"]
+ security_groups = ["HTTP", "motley-cue"]
 }
 
 resource "openstack_compute_secgroup_v2" "secgroup" {
@@ -28,6 +28,26 @@ resource "openstack_compute_secgroup_v2" "secgroup" {
 }
 }
 
+resource "openstack_compute_secgroup_v2" "motley" {
+ name = "motley-cue"
+ description = "Open access via ssh-oidc"
+
+ rule {
+ from_port = 22
+ to_port = 22
+ ip_protocol = "tcp"
+ cidr = "0.0.0.0/0"
+ }
+
+ rule {
+ from_port = 8181
+ to_port = 8181
+ ip_protocol = "tcp"
+ cidr = "0.0.0.0/0"
+ }
+
+}
+
 resource "openstack_networking_floatingip_v2" "fip" {
 pool = var.ip_pool
 }
diff --git a/deployment/playbook.yaml b/deployment/playbook.yaml
index a5db8ca..b703ed9 100644
--- a/deployment/playbook.yaml
+++ b/deployment/playbook.yaml
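Review bot: The instance now lists its security groups as bare string literals, `security_groups = ["HTTP", "motley-cue"]`, so Terraform has no dependency edge to the `motley` resource added further down this file and, on a fresh apply, may try to attach the group before it has been created; reference the resource instead, `security_groups = ["HTTP", openstack_compute_secgroup_v2.motley.name]`. "HTTP" is not created anywhere in this diff, so it has to pre-exist in the project, and the `secgroup` resource whose header closes the hunk is presumably no longer referenced by anything — either drop it or keep the reference to it. Removing "default" also removes whatever that group permitted (commonly intra-project and egress traffic); confirm the instance still gets the egress it needs for the git checkout and Docker pulls the playbook performs.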
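Review bot: Both rules in the new `motley` group use `cidr = "0.0.0.0/0"`, and 8181 is the plain-HTTP port the playbook in this commit configures for motley-cue, so clients will presumably send their OIDC access tokens to it unencrypted across the public internet unless something else terminates TLS in front of it. If a TLS endpoint is not planned, at least move the allowed source range into a variable, `cidr = var.motley_cue_cidr`, so that both the SSH and the 8181 rule can be narrowed per deployment instead of editing the module. The port number is duplicated between this file and deployment/playbook.yaml; a comment on the second rule such as `# must match the nginx listen port set in deployment/playbook.yaml` would keep the two from drifting.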
@@ -22,12 +22,47 @@
 become: yes
 gather_facts: yes
 tasks:
+ - name: Disable default site in nginx
+ ansible.builtin.file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+ - name: Move motley-cue to a different port (nginx)
+ ansible.builtin.lineinfile:
+ path: /etc/nginx/sites-available/nginx.motley_cue
+ search_string: "8080;"
+ line: 8181;
+
+ - name: Move motley-cue to a different port (pam-ssh-oidc)
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/pam-ssh-oidc-config.ini
+ search_string: "http://localhost:8080/verify_user"
+ line: http://localhost:8181/verify_user
+
+ - name: Restart nginx
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+ enabled: yes
+
+ - name: Restart motley-cue
+ ansible.builtin.service:
+ name: motley-cue
+ state: restarted
+ enabled: yes
+
 - name: Checkout repo at VM
 ansible.builtin.git:
 repo: "https://github.com/EGI-Federation/fedcloud-dashboard.git"
 version: "{{ git_ref }}"
 dest: /fedcloud-dashboard
 
+ - name: env file
+ ansible.builtin.copy:
+ content: |
+ DASHBOARD_HOSTNAME=dashboard.cloud.egi.eu
+ dest: /fedcloud-dashboard/.env
+
 - name: service file
 ansible.builtin.copy:
 content: |
@@ -38,7 +73,6 @@
 Description=Dashboard
 After=docker.service
 Requires=docker.service
-
 [Service]
 Type=oneshot
 RemainAfterExit=true
diff --git a/docker-compose.yaml b/docker-compose.yaml
index e233e36..98617c1 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,7 +3,7 @@ services:
 image: "traefik:v2.11"
 container_name: "traefik"
 command:
-# - "--log.level=DEBUG"
+ #- "--log.level=DEBUG"
 - "--api.insecure=true"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
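Review bot: `ansible.builtin.lineinfile` replaces the whole matched line with the value of `line`, so the two "Move motley-cue to a different port" tasks will turn a line such as `listen 8080;` into a bare `8181;` and the pam-ssh-oidc entry into a bare URL, unless those files happen to hold nothing but the search string on that line; `ansible.builtin.replace` with `regexp: "8080;"` and `replace: "8181;"` (and the same pair for the verify_user URL) changes only the substring. The "Restart nginx" and "Restart motley-cue" tasks use `state: restarted`, which restarts both services on every play run whether or not anything changed; the commit message itself says handlers should be used, so move them to `handlers:` and add `notify:` to the two edit tasks. `enabled: yes` (and the surrounding `become: yes`) are YAML 1.1 truthy spellings that yamllint flags; `true` is the portable form. The hard-coded `DASHBOARD_HOSTNAME=dashboard.cloud.egi.eu` in the env file task could come from a play variable, as `git_ref` already does, so the playbook is not tied to one deployment.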
@@ -14,7 +14,7 @@ services:
 - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
 - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
 - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
-# #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 - "--certificatesresolvers.myresolver.acme.email=enol.fernandez@egi.eu"
 - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 ports:
@@ -32,7 +32,7 @@ services:
 image: "b4bz/homer:v24.05.1"
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.dashboard.rule=HostRegexp(`{any:.+}`)"
+ - "traefik.http.routers.dashboard.rule=Host(`${DASHBOARD_HOSTNAME}`)"
 - "traefik.http.routers.dashboard.entrypoints=websecure"
 - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
 volumes_from:
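Review bot: The new router rule interpolates `${DASHBOARD_HOSTNAME}` and Compose substitutes an empty string when the variable is missing from `.env` and the environment, leaving Traefik with a Host rule for an empty name that will never match the real hostname and only surfaces as 404s at runtime; Compose's required-variable form, `${DASHBOARD_HOSTNAME:?DASHBOARD_HOSTNAME is not set}`, makes `docker-compose up` abort with a clear message instead. The previous `HostRegexp` rule answered for any hostname, so anything that reached the dashboard by IP or an alternate name will likely now get a 404 from Traefik; worth a line in the README alongside the new `.env` instructions.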