Merge branch 'master' into feat/outline-healthcheck

svsticky · Dec 3, 2024 · 68fa07e · 68fa07e
2 parents 12fcd01 + 3cd4f8e
commit 68fa07e
Show file tree

Hide file tree

Showing 43 changed files with 292 additions and 1,257 deletions.
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml
@@ -32,6 +32,8 @@ users:
         state: "present"
       - username: "TobiasDeBruijn"
         state: "present"
+      - username: "LucasDissie"
+        state: "absent"
       - username: "PrinceMordred"
         state: "absent"
       - username: "SanderHageman"
@@ -44,6 +46,8 @@ users:
         state: "present"
       - username: "olafboekholt"
         state: "present"
+      - username: "spookyboy99"
+        state: "present"
 
   - name: "hugo"
     admin: true
@@ -157,6 +161,21 @@ users:
       - username: "sam32123"
         state: "present"
 
+  - name: "olaf"
+    admin: true
+    home_prefix: "/home"
+    state: "present"
+    github_accounts:
+      - username: "olafboekholt"
+        state: "present"
+
+  - name: "mervin"
+    admin: true
+    home_prefix: "/home"
+    state: "present"
+    github_accounts:
+      - username: "spookyboy99"
+        state: "present"
 
 
   - name: "bestuur"
@@ -229,10 +248,10 @@ users:
     home_prefix: "/var/www"
     state: "present"
     github_accounts:
-      - username: "Siem2l"
-        state: "absent"
       - username: "SilasPeters"
         state: "present"
+      - username: "olafboekholt"
+        state: "present"
 
   - name: "hacc"
     admin: false

diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -9,7 +9,7 @@ canonical_hostname: "{{ inventory_hostname }}"
 
 tmp_dir: "/tmp"
 
-# the upload limit for php-fpm and nginx in megabytes
+# the upload limit for nginx in megabytes
 upload_limit: 30
 
 slack_notifications:
@@ -29,3 +29,9 @@ secret_deploy_key: "{{ vault_secret_deploy_key }}"
 # The API key for our Mailgun account.
 # Change? Refresh API key at https://app.mailgun.com/app/account/security
 secret_mailgun_token: "{{ vault_secret_mailgun_token }}"
+
+# The place where https://github.com/nvm-sh/nvm will be installed, to be globally used
+nvm:
+  directory: "/usr/local/bin/.nvm"
+  script: "/usr/local/bin/.nvm/nvm.sh"
+  version: "v0.40.0" # Derived from the git tag
diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml
@@ -91,14 +91,6 @@ websites:
     state: "present"
     authenticated: true
 
-  - name: "phpmyadmin.{{ canonical_hostname }}"
-    user: "phpmyadmin"
-    alternative_names:
-      - "pma.{{ canonical_hostname }}"
-    # You have to remove the task include of phpmyadmin.yml to remove this
-    # completely
-    state: "absent"
-
   - name: "pretix.{{ canonical_hostname }}"
     custom_config: true
     alternative_names:
@@ -183,91 +175,6 @@ websites:
     authenticated: true
     state: "present"
 
-  - name: "execut-speakers.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-partners.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "absent"
-
-  - name: "execut-survey.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-landing.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-     - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2018.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2019.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2020.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2023.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    custom_config: true
-    state: "present"
-
-  - name: "execut-aftermovie.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-app.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "absent"
-
-  - name: "execut-2021.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes: []
-    custom_config: true
-    state: "present"
-
-  - name: "execut.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes: []
-    custom_config: true
-    state: "present"
-
   - name: "snic-preview.{{ canonical_hostname }}"
     user: "snic"
     alternative_names: []
@@ -286,16 +193,6 @@ websites:
     alternative_names: []
     state: "present"
 
-  - name: "execut-feedback.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    state: "present"
-
-  - name: "execut-qa.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    state: "present"
-
   - name: "files.{{ canonical_hostname }}"
     user: "bestuur"
     custom_config: true

diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml
@@ -30,7 +30,7 @@ secret_oauth2_proxy:
 koala_env:
   environment: "production"
   oidc_signing_key_location: "/var/www/koala/signing-key.pem"
-  git_ref: "v2.26.0"
+  git_ref: "v2.28.0"
 
 secret_koala:
   # To change, generate new token using 'rake secret', and recompile + deploy
@@ -57,13 +57,6 @@ secret_backup_aws:
   access_key: "{{ vault_secret_backup_aws.access_key }}"
   secret_key: "{{ vault_secret_backup_aws.secret_key }}"
 
-secret_execut_website_aws:
-  access_key: "{{ vault_secret_execut_website_aws.access_key }}"
-  secret_key: "{{ vault_secret_execut_website_aws.secret_key }}"
-
-secret_execut_website_secretkey:
-  "{{ vault_secret_execut_website_secretkey }}"
-
 # To change, regenerate the token in Mollie's web interface.
 secret_mollie_token: "{{ vault_secret_mollie_token }}"
 
@@ -145,8 +138,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOXjzub9wBK7/eOu4sceuGu3JoAJAoulNtqlt+A4XvT [email protected]"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
 
@@ -167,3 +158,7 @@ secret_chroma:
 
 fallacious_rooster:
   git_tag: "0.1.4"
+
+digidecs:
+  git_tag: "0.1.0"
+  server_port: 65437
diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml
@@ -49,12 +49,6 @@ secret_backup_aws:
   access_key: "{{ vault_secret_backup_aws.access_key }}"
   secret_key: "{{ vault_secret_backup_aws.secret_key }}"
 
-secret_execut_website_aws:
-  access_key: "{{ vault_secret_execut_website_aws.access_key }}"
-  secret_key: "{{ vault_secret_execut_website_aws.secret_key }}"
-
-secret_execut_website_secretkey: "{{ vault_secret_execut_website_secretkey }}"
-
 # To change, regenerate the token in Mollie's web interface.
 secret_mollie_token: "{{ vault_secret_mollie_token }}"
 
@@ -136,8 +130,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQiL2YN1yBeUAwWZENc8lPK3Kj1kIG/57IbAuxL9yTk [email protected]"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
 
@@ -158,3 +150,7 @@ secret_chroma:
 
 fallacious_rooster:
   git_tag: "0.1.4"
+
+digidecs:
+  git_tag: "0.1.0"
+  server_port: 65437
diff --git a/ansible/main.yml b/ansible/main.yml
@@ -26,14 +26,12 @@
       tags: "docker"
     - role: "databases"
       tags: "databases"
+    - role: "nvm"
+      tags: "nvm"
     - role: "backups"
       tags: "backups"
     - role: "nginx"
       tags: "nginx"
-    - role: "php"
-      tags: "php"
-    - role: "node"
-      tags: "node"
     - role: "certbot"
       tags: "certbot"
     - role: "redis"
@@ -44,8 +42,6 @@
       tags: "websites"
     - role: "digidecs"
       tags: "digidecs"
-    - role: "freight"
-      tags: "freight"
     - role: "aas"
       tags: "aas"
     - role: "static_sticky"
@@ -62,8 +58,6 @@
       tags: "oauth"
     - role: "outline"
       tags: "outline"
-    - role: "execut"
-      tags: "execut"
     - role: "radio"
       tags: "radio"
     - role: "sodi"
@@ -87,3 +81,12 @@
       tags: "always"
     - role: "rooster"
       tags: "rooster"
+
+# Following is a list of removed roles, which we did have.
+# If, for some reason, we ever want to use on of the removed services again,
+# one can easily restore the role by reverting the following PRs:
+#
+# - execut: #475
+# - freight: #477
+# - php: #474
+# - node: #467
diff --git a/ansible/roles/backups/tasks/main.yml b/ansible/roles/backups/tasks/main.yml
@@ -5,6 +5,8 @@
     shell: "/usr/sbin/nologin"
     home: "/home/backup"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "install awscli"
   ansible.builtin.apt:

diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2
@@ -79,12 +79,11 @@ case "${SOURCE}" in
           S3PATH="${SOURCE}"
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
-          # phpMyAdmin and SODI directories excluded because no other
+          # SODI directories excluded because no other
           # committee can write to these folders and they are deployed from \
           # git anyway.
           # Pretix's virtualenv is excluded as it only contains binaries.
           upload_backup_to_s3 < <(tar \
-            --exclude='var/www/phpmyadmin.{{ canonical_hostname }}' \
             --exclude='var/www/sodi.{{ canonical_hostname }}' \
             --exclude='var/www/pretix/venv' \
             -c -f - -C / var/www \
@@ -105,11 +104,14 @@ case "${SOURCE}" in
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
           sudo -u backup mkdir -p /tmp/contentful-export
-          sudo -u backup -H npx contentful-cli space export \
-            --management-token {{ secret_contentful_export.token }} \
-            --space-id {{ secret_contentful_export.space_id }} \
-            --download-assets \
-            --export-dir /tmp/contentful-export
+          sudo -Hu backup bash -c `
+          `'source {{ nvm.script }} && nvm install {{ backups_node_version }} &&'`
+          `' nvm exec {{ backups_node_version }} npx contentful-cli space export'`
+          `' --management-token {{ secret_contentful_export.token }}'`
+          `' --space-id {{ secret_contentful_export.space_id }}'`
+          `' --download-assets'`
+          `' --export-dir /tmp/contentful-export'
+
           upload_backup_to_s3 < <(tar \
             -c -f - -C /tmp contentful-export \
             | gzip -9)

diff --git a/ansible/roles/backups/vars/main.yml b/ansible/roles/backups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+
+backups_node_version: "22"
diff --git a/ansible/roles/digidecs/handlers/main.yml b/ansible/roles/digidecs/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: "restart digidecs"
+  ansible.builtin.service:
+    name: "digidecs"
+    state: "restarted"