From 7a1ebdd8c967f0c0059a18e679c76634cfe2aa73 Mon Sep 17 00:00:00 2001 From: Tobias de Bruijn Date: Tue, 15 Oct 2024 18:56:05 +0200 Subject: [PATCH 01/17] Bump koala --- ansible/group_vars/production/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml index 53e8c765..6ecc9adf 100644 --- a/ansible/group_vars/production/vars.yml +++ b/ansible/group_vars/production/vars.yml @@ -30,7 +30,7 @@ secret_oauth2_proxy: koala_env: environment: "production" oidc_signing_key_location: "/var/www/koala/signing-key.pem" - git_ref: "v2.26.0" + git_ref: "v2.27.0" secret_koala: # To change, generate new token using 'rake secret', and recompile + deploy From 5a64adfd97f6933c06abd5d8bc45ae09755328cf Mon Sep 17 00:00:00 2001 From: Sem van Nieuwenhuizen Date: Tue, 15 Oct 2024 20:42:55 +0200 Subject: [PATCH 02/17] chore: add mervin to commit --- ansible/group_vars/all/users.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml index 608cb7f0..f86a777a 100644 --- a/ansible/group_vars/all/users.yml +++ b/ansible/group_vars/all/users.yml @@ -44,6 +44,8 @@ users: state: "present" - username: "olafboekholt" state: "present" + - username: "spookyboy99" + state: "present" - name: "hugo" admin: true From 7560ed75c9bd95ece45bc90d270cdde33931c713 Mon Sep 17 00:00:00 2001 From: Silas <69711739+SilasPeters@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:27:34 +0200 Subject: [PATCH 03/17] chore: cleaned up users --- ansible/group_vars/all/users.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml index f86a777a..bd8cf436 100644 --- a/ansible/group_vars/all/users.yml +++ b/ansible/group_vars/all/users.yml 
@@ -32,6 +32,8 @@ users: state: "present" - username: "TobiasDeBruijn" state: "present" + - username: "LucasDissie" + state: "absent" - username: "PrinceMordred" state: "absent" - username: "SanderHageman" @@ -159,6 +161,21 @@ users: - username: "sam32123" state: "present" + - name: "olaf" + admin: true + home_prefix: "/home" + state: "present" + github_accounts: + - username: "olafboekholt" + state: "present" + + - name: "mervin" + admin: true + home_prefix: "/home" + state: "present" + github_accounts: + - username: "spookyboy99" + state: "present" - name: "bestuur" From 11c9cf3779e3406d27f9aa981d3ff7d3dd80fb5d Mon Sep 17 00:00:00 2001 From: Tobias de Bruijn Date: Thu, 17 Oct 2024 15:13:33 +0200 Subject: [PATCH 04/17] Bump koala --- ansible/group_vars/production/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml index 6ecc9adf..a15b6b93 100644 --- a/ansible/group_vars/production/vars.yml +++ b/ansible/group_vars/production/vars.yml @@ -30,7 +30,7 @@ secret_oauth2_proxy: koala_env: environment: "production" oidc_signing_key_location: "/var/www/koala/signing-key.pem" - git_ref: "v2.27.0" + git_ref: "v2.28.0" secret_koala: # To change, generate new token using 'rake secret', and recompile + deploy From eaa6c65964b5816145871a19d1851772f1b8b08e Mon Sep 17 00:00:00 2001 
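Review bot: Both entries added in the second hunk (`- name: "olaf"` and `- name: "mervin"`) are created with `admin: true`, and because this patch only inserts lines, the GitHub accounts they carry (`olafboekholt`, `spookyboy99`) also stay listed under the earlier entry that patch 02 extended near line 44 of this file; patch 10 (hunk on L11) then adds `olafboekholt` under `pxl` as well. What `admin` and `github_accounts` provision is defined outside this file, but if `admin` grants privileged access, confirm it is intended for both new users and keep each GitHub account under exactly one local user, so revoking access later is a single edit. A one-line comment above the two entries stating why they are admins, e.g. `# Board members; admin implies privileged access — review on handover`, would make the intent auditable.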
From: Tobias de Bruijn Date: Sun, 27 Oct 2024 10:23:03 +0100 Subject: [PATCH 05/17] Setup new digidecs --- ansible/roles/digidecs/handlers/main.yml | 5 + ansible/roles/digidecs/tasks/main.yml | 105 +++++++++++------- .../roles/digidecs/templates/config.php.j2 | 27 ----- .../roles/digidecs/templates/digidecs.conf.j2 | 28 ++--- .../roles/digidecs/templates/digidecs.json.j2 | 12 ++ .../digidecs/templates/digidecs.service.j2 | 16 +++ ansible/roles/digidecs/templates/env.j2 | 1 + 7 files changed, 109 insertions(+), 85 deletions(-) create mode 100644 ansible/roles/digidecs/handlers/main.yml delete mode 100644 ansible/roles/digidecs/templates/config.php.j2 create mode 100644 ansible/roles/digidecs/templates/digidecs.json.j2 create mode 100644 ansible/roles/digidecs/templates/digidecs.service.j2 create mode 100644 ansible/roles/digidecs/templates/env.j2 diff --git a/ansible/roles/digidecs/handlers/main.yml b/ansible/roles/digidecs/handlers/main.yml new file mode 100644 index 00000000..7c7f872c --- /dev/null +++ b/ansible/roles/digidecs/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: "restart digidecs" + ansible.builtin.service: + name: "digidecs" + state: "restarted" diff --git a/ansible/roles/digidecs/tasks/main.yml b/ansible/roles/digidecs/tasks/main.yml index 7fc45c6d..0f6eca92 100644 --- a/ansible/roles/digidecs/tasks/main.yml +++ b/ansible/roles/digidecs/tasks/main.yml 
@@ -1,60 +1,83 @@ --- -- name: "create user for digidecs" +- name: "Create user for digidecs" ansible.builtin.user: - name: "digidecs" - home: "/var/www/digidecs/" + name: digidecs + home: "/var/www/digidecs" shell: "/usr/sbin/nologin" system: true + state: "present" + +- name: "Create digidecs frontend directory" + ansible.builtin.file: + name: "/var/www/digidecs/frontend" + owner: "digidecs" + group: "digidecs" + mode: "2775" + state: "directory" + +- name: "Create digidecs server directory" + ansible.builtin.file: + name: "/var/www/digidecs/server" + owner: "digidecs" + group: "digidecs" + mode: "2775" + state: "directory" -- name: "install composer" +- name: "install dependencies" ansible.builtin.apt: name: - - "composer" - - "php7.4-curl" - - "php7.4-bcmath" + - "python3-dotenv-cli" state: "present" - become: true -- name: "disable git safe directory feature for digidecs folder" # noqa command-instead-of-module - ansible.builtin.command: "git config --global --add safe.directory /var/www/digidecs.{{ canonical_hostname }}" - -- name: "clone digidecs repository" - ansible.builtin.git: - repo: "https://github.com/svsticky/digidecs.git" - dest: "/var/www/digidecs.{{ canonical_hostname }}" - version: "master" - diff: false +- name: "Download and extract digidecs frontend" + ansible.builtin.unarchive: + src: https://github.com/svsticky/digidecs/releases/download/{{ digidecs.git_tag }}/frontend.tar.gz + dest: "/var/www/digidecs/frontend" + remote_src: true + owner: "digidecs" + group: "digidecs" + mode: "775" + extra_opts: + - "--strip-components=1" -- name: "place config file" - ansible.builtin.template: - src: "config.php.j2" - dest: "/var/www/digidecs.{{ canonical_hostname }}/config.php" +- name: "Download and extract digidecs server" + ansible.builtin.get_url: + url: https://github.com/svsticky/digidecs/releases/download/{{ digidecs.git_tag }}/server-x86_64-unknown-linux-musl + dest: "/var/www/digidecs/server" owner: "digidecs" group: "digidecs" - mode: "660" + 
mode: "775" + notify: "restart digidecs" -- name: "copy nginx configuration" +- name: "Copy nginx configuration" ansible.builtin.template: src: "digidecs.conf.j2" - dest: "/etc/nginx/sites-available/digidecs.{{ canonical_hostname }}.conf" + dest: "/etc/nginx/sites-enabled/digidecs.{{ canonical_hostname }}.conf" notify: "reload nginx" -- name: "enable nginx configuration" - ansible.builtin.file: - src: "/etc/nginx/sites-available/digidecs.{{ canonical_hostname }}.conf" - path: "/etc/nginx/sites-enabled/digidecs.{{ canonical_hostname }}.conf" - state: "link" - notify: "reload nginx" +- name: "Template environment file for digidecs" + ansible.builtin.template: + src: "env.j2" + dest: "/var/www/digidecs/server/.env" + diff: false + notify: "restart digidecs" + +- name: "Template config file for digidecs" + ansible.builtin.template: + src: "digidecs.json.j2" + dest: "/var/www/digidecs/server/config.json" + diff: false + notify: "restart digidecs" -- name: "run composer" - community.general.composer: - working_dir: "/var/www/digidecs.{{ canonical_hostname }}" - command: "install" +- name: "template systemd service file for digidecs" + ansible.builtin.template: + src: "digidecs.service.j2" + dest: "/etc/systemd/system/digidecs.service" + notify: "restart digidecs" -- name: "set permissions on digidecs files" - ansible.builtin.file: - path: "/var/www/digidecs.{{ canonical_hostname }}" - owner: "digidecs" - group: "digidecs" - recurse: true - state: "directory" +- name: "run digidecs service" + ansible.builtin.systemd: + unit: "digidecs.service" + state: "started" + enabled: true + daemon-reload: true diff --git a/ansible/roles/digidecs/templates/config.php.j2 b/ansible/roles/digidecs/templates/config.php.j2 deleted file mode 100644 index 8cfcb4ad..00000000 --- a/ansible/roles/digidecs/templates/config.php.j2 +++ /dev/null @@ -1,27 +0,0 @@ - 'image/jpeg', - 'png' => 'image/png', - 'pdf' => 'application/pdf', - ); - -?> 
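Review bot: The `Download and extract digidecs server` and `Download and extract digidecs frontend` tasks fetch release artefacts over HTTPS but verify nothing about their contents, and the server binary is then run as a long-lived service by the unit templated a few tasks later, so a tampered or substituted asset is executed unchecked. Pin the digest alongside the tag, e.g. `checksum: "sha256:<digest for {{ digidecs.git_tag }}>"` on the `get_url` task (placeholder to be filled per release), and download the tarball with `get_url` plus `checksum` before handing it to `unarchive`, which has no checksum option of its own. `mode: "775"` on the binary and `"2775"` on the two directories make them group-writable; `"0755"` is sufficient unless something else in group `digidecs` must write there. The `template` tasks for `.env` and `config.json` set no `owner`/`group`/`mode`, so the files are root-owned with the default umask; since `diff: false` is already used to keep their content out of logs, set `owner: "root"`, `group: "digidecs"`, `mode: "0640"` explicitly.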
diff --git a/ansible/roles/digidecs/templates/digidecs.conf.j2 b/ansible/roles/digidecs/templates/digidecs.conf.j2 index 22644627..6264aa27 100644 --- a/ansible/roles/digidecs/templates/digidecs.conf.j2 +++ b/ansible/roles/digidecs/templates/digidecs.conf.j2 @@ -4,29 +4,23 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name - digidecs.{{ canonical_hostname }} - declaraties.{{ canonical_hostname }} - declareren.{{ canonical_hostname }}; + server_name digidecs.{{ canonical_hostname }}; - ssl_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/privkey.pem; + ssl_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/chain.pem; - root /var/www/digidecs.{{ canonical_hostname }}; - - index index.php - index.html index.htm; - include includes/security-headers.conf; - include includes/php-parameters.conf; - - location ~* /.git/ { - deny all; + location /api { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_intercept_errors on; + proxy_pass http://localhost:65437; } location / { - try_files $uri $uri/ /index.php?q=$uri&$args =404; + index index.html; + root /var/www/digidecs/frontend; } -} +} \ No newline at end of file diff --git a/ansible/roles/digidecs/templates/digidecs.json.j2 b/ansible/roles/digidecs/templates/digidecs.json.j2 new file mode 100644 index 00000000..4fe0a57b --- /dev/null +++ b/ansible/roles/digidecs/templates/digidecs.json.j2 
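Review bot: The rewritten `server` block removes `include includes/security-headers.conf;` together with the PHP-specific lines and never adds it back, so both the static frontend and the new `location /api` proxy are now served without the headers that include sets across this repo. Re-add `include includes/security-headers.conf;` at server level as the old config had it; dropping `php-parameters.conf` and the `/.git/` deny rule is fine now that the root is an extracted release tarball. The `/api` block also sets no `Host` header (`proxy_set_header Host $host;`); whether the backend compares it against `server.domain` from config.json is not visible here, so confirm against the server before relying on the default.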
@@ -0,0 +1,12 @@ +{ + "server": { + "port": 65437, + "domain": "digidecs.{{ canonical_hostname }}" + }, + "smtp": { + "from_email": "digidecs@svsticky.nl", + "from_name": "Sticky Digidecs", + "smtp_relay": "smtp-relay.gmail.com" + }, + "treasurer_email": "penningmeester@svsticky.nl" +} \ No newline at end of file diff --git a/ansible/roles/digidecs/templates/digidecs.service.j2 b/ansible/roles/digidecs/templates/digidecs.service.j2 new file mode 100644 index 00000000..18377500 --- /dev/null +++ b/ansible/roles/digidecs/templates/digidecs.service.j2 @@ -0,0 +1,16 @@ +# {{ ansible_managed }} + +[Unit] +Description=Run the digidecs backend +OnFailure=failure-notificator@%n.service + +[Service] +Type=simple +User=digidecs +Group=digidecs +Restart=always +WorkingDirectory=/var/www/digidecs/server +ExecStart=dotenv /var/www/digidecs/server/server-x86_64-unknown-linux-musl --config /var/www/digidecs/server/config.json + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/digidecs/templates/env.j2 b/ansible/roles/digidecs/templates/env.j2 new file mode 100644 index 00000000..f47d2893 --- /dev/null +++ b/ansible/roles/digidecs/templates/env.j2 @@ -0,0 +1 @@ +RUST_LOG=INFO \ No newline at end of file From fbc05f7b21a38c4726f15d204c122c2a11aa4703 Mon Sep 17 00:00:00 2001 From: Tobias de Bruijn Date: Sun, 27 Oct 2024 10:55:00 +0100 Subject: [PATCH 06/17] Add vars --- ansible/group_vars/production/vars.yml | 3 +++ ansible/group_vars/staging/vars.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml index a15b6b93..20367256 100644 --- a/ansible/group_vars/production/vars.yml +++ b/ansible/group_vars/production/vars.yml @@ -167,3 +167,6 @@ secret_chroma: fallacious_rooster: git_tag: "0.1.4" + +digidecs: + git_tag: "0.1.0" diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml index 54e1e487..3d77ade7 100644 --- a/ansible/group_vars/staging/vars.yml 
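Review bot: The new unit in `digidecs.service.j2` runs the backend as an unprivileged user but applies none of systemd's sandboxing, so a compromise of the HTTP service reachable through the nginx `/api` proxy gets the full filesystem and privilege-escalation surface of that user. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=true` under `[Service]` is cheap; what the server writes at runtime is not visible in this series, so list any such path in `ReadWritePaths=` or start with `ProtectSystem=full`. `After=network.target` is also absent, which the execut unit deleted later in this series (L17) did declare.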
+++ b/ansible/group_vars/staging/vars.yml @@ -158,3 +158,6 @@ secret_chroma: fallacious_rooster: git_tag: "0.1.4" + +digidecs: + git_tag: "0.1.0" From 306a418d3b1b943a27100561a6c6ca8b4d31cc61 Mon Sep 17 00:00:00 2001 From: Tobias de Bruijn Date: Sun, 27 Oct 2024 17:59:41 +0100 Subject: [PATCH 07/17] Set port in variable --- ansible/group_vars/production/vars.yml | 1 + ansible/group_vars/staging/vars.yml | 1 + ansible/roles/digidecs/templates/digidecs.conf.j2 | 2 +- ansible/roles/digidecs/templates/digidecs.json.j2 | 2 +- 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml index 20367256..1ff3a52d 100644 --- a/ansible/group_vars/production/vars.yml +++ b/ansible/group_vars/production/vars.yml @@ -170,3 +170,4 @@ fallacious_rooster: digidecs: git_tag: "0.1.0" + server_port: 65437 diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml index 3d77ade7..7cd69b26 100644 --- a/ansible/group_vars/staging/vars.yml +++ b/ansible/group_vars/staging/vars.yml @@ -161,3 +161,4 @@ fallacious_rooster: digidecs: git_tag: "0.1.0" + server_port: 65437 \ No newline at end of file diff --git a/ansible/roles/digidecs/templates/digidecs.conf.j2 b/ansible/roles/digidecs/templates/digidecs.conf.j2 index 6264aa27..1f3ba910 100644 --- a/ansible/roles/digidecs/templates/digidecs.conf.j2 +++ b/ansible/roles/digidecs/templates/digidecs.conf.j2 @@ -16,7 +16,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_intercept_errors on; - proxy_pass http://localhost:65437; + proxy_pass http://localhost:{{ digidecs.server_port }}; } location / { diff --git a/ansible/roles/digidecs/templates/digidecs.json.j2 b/ansible/roles/digidecs/templates/digidecs.json.j2 index 4fe0a57b..ee0236ab 100644 --- a/ansible/roles/digidecs/templates/digidecs.json.j2 +++ b/ansible/roles/digidecs/templates/digidecs.json.j2 
@@ -1,6 +1,6 @@ { "server": { - "port": 65437, + "port": {{ digidecs.server_port }}, "domain": "digidecs.{{ canonical_hostname }}" }, "smtp": { From 15ed9d153ae50572e8d965dda166985ef86b8fb7 Mon Sep 17 00:00:00 2001 From: Silas <69711739+SilasPeters@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:25:59 +0100 Subject: [PATCH 08/17] fix: install docker --- .../roles/docker/tasks/docker-apt-repo.yml | 23 ------------------- ansible/roles/docker/tasks/main.yml | 10 +++++++- ansible/roles/docker/vars/main.yml | 2 +- 3 files changed, 10 insertions(+), 25 deletions(-) delete mode 100644 ansible/roles/docker/tasks/docker-apt-repo.yml diff --git a/ansible/roles/docker/tasks/docker-apt-repo.yml b/ansible/roles/docker/tasks/docker-apt-repo.yml deleted file mode 100644 index 2739e317..00000000 --- a/ansible/roles/docker/tasks/docker-apt-repo.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Based on the offical docker documentation on https://docs.docker.com/engine/install/ubuntu/ - -- name: "Ensure dependencies are installed" - ansible.builtin.apt: - name: - - "ca-certificates" - - "curl" - state: "present" - -- name: "Add Docker apt key" - ansible.builtin.apt_key: - url: "https://download.docker.com/linux/ubuntu/gpg" - id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88" - state: "present" - # NOTE: this differs from the official documentation, as it does not install the keyring to /etc/apt/keyrings - -- name: "Add Docker repository" - ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" - state: "present" - update_cache: true - # NOTE: this differs from the official documentation, as it does not echo the string to /etc/apt/ as 'docker.list' diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index 7671177f..f1042e5d 100644 --- a/ansible/roles/docker/tasks/main.yml 
+++ b/ansible/roles/docker/tasks/main.yml @@ -6,7 +6,14 @@ block: - name: "Add Docker apt repository" - ansible.builtin.include_tasks: "docker-apt-repo.yml" + ansible.builtin.deb822_repository: # See https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository + name: docker + types: deb + uris: "https://download.docker.com/linux/{{ ansible_distribution | lower }}" + suites: '{{ ansible_distribution_release }}' + components: stable + architectures: amd64 + signed_by: "https://download.docker.com/linux/ubuntu/gpg" - name: "Install Docker packages" ansible.builtin.package: @@ -16,6 +23,7 @@ - "containerd.io" - "docker-buildx-plugin" state: "present" + update_cache: true - name: "Ensure Docker is started and enabled at boot" ansible.builtin.service: diff --git a/ansible/roles/docker/vars/main.yml b/ansible/roles/docker/vars/main.yml index 6a74acf4..0316f6a3 100644 --- a/ansible/roles/docker/vars/main.yml +++ b/ansible/roles/docker/vars/main.yml @@ -1,4 +1,4 @@ --- # Possible docker engine versions can be obtained through the following # command: apt-cache madison docker-ce | awk '{ print $3 }' -docker_engine_version: "5:27.0.3-1~ubuntu.20.04~focal" +docker_engine_version: "5:27.0.3-1~ubuntu.22.04~jammy" From 06999273f3438d5a4ae625aa8b3ebb24f07a5c85 Mon Sep 17 00:00:00 2001 From: Silas <69711739+SilasPeters@users.noreply.github.com> Date: Wed, 30 Oct 2024 19:23:58 +0100 Subject: [PATCH 09/17] fix: adhire to linter --- ansible/roles/docker/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index f1042e5d..843607bf 100644 --- a/ansible/roles/docker/tasks/main.yml +++ b/ansible/roles/docker/tasks/main.yml 
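Review bot: `signed_by: "https://download.docker.com/linux/ubuntu/gpg"` trusts whatever key that URL serves at run time, whereas the deleted `docker-apt-repo.yml` on L9 pinned the key by fingerprint (`id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"`), so the move to `deb822_repository` loses the one check that guarded against a substituted key. Fetch the key with `ansible.builtin.get_url` into `/etc/apt/keyrings/docker.asc` with a `checksum:` pinned to the known key file, then set `signed_by: "/etc/apt/keyrings/docker.asc"`. `uris` is distribution-generic via `ansible_distribution | lower` but `signed_by` hardcodes `ubuntu`, as does `docker_engine_version` in `vars/main.yml`; if only Ubuntu hosts are targeted, a comment such as `# Ubuntu-only: key URL and engine version are pinned to jammy` would prevent surprises. The enclosing `block:` starts before this hunk.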
@@ -7,12 +7,12 @@ - name: "Add Docker apt repository" ansible.builtin.deb822_repository: # See https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository - name: docker - types: deb + name: "docker" + types: "deb" uris: "https://download.docker.com/linux/{{ ansible_distribution | lower }}" - suites: '{{ ansible_distribution_release }}' - components: stable - architectures: amd64 + suites: "{{ ansible_distribution_release }}" + components: "stable" + architectures: "amd64" signed_by: "https://download.docker.com/linux/ubuntu/gpg" - name: "Install Docker packages" From d7f4727328043f70b55f1a6f3fc368af5c38f434 Mon Sep 17 00:00:00 2001 From: Silas <69711739+SilasPeters@users.noreply.github.com> Date: Tue, 5 Nov 2024 19:17:38 +0100 Subject: [PATCH 10/17] added Olaf to pxl --- ansible/group_vars/all/users.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml index bd8cf436..b60a3d36 100644 --- a/ansible/group_vars/all/users.yml +++ b/ansible/group_vars/all/users.yml @@ -248,10 +248,10 @@ users: home_prefix: "/var/www" state: "present" github_accounts: - - username: "Siem2l" - state: "absent" - username: "SilasPeters" state: "present" + - username: "olafboekholt" + state: "present" - name: "hacc" admin: false From 8ada398005ec1e1eec0c95d659324eb81f889d35 Mon Sep 17 00:00:00 2001 
From: Silas Peters <69711739+SilasPeters@users.noreply.github.com> Date: Thu, 14 Nov 2024 19:10:22 +0100 Subject: [PATCH 11/17] chore: remove execute role (#475) * chore: remove execute role * chore: adjusted PR number of execute removal reference --- ansible/group_vars/all/websites.yml | 95 --------------- ansible/group_vars/production/vars.yml | 7 -- ansible/group_vars/staging/vars.yml | 10 +- ansible/main.yml | 8 +- ansible/roles/execut/tasks/main.yml | 111 ------------------ .../roles/execut/templates/execut.service.j2 | 22 ---- .../roles/execut/templates/execut_www.env.j2 | 13 -- ansible/roles/execut/templates/nginx.conf.j2 | 71 ----------- ansible/roles/nginx/tasks/main.yml | 1 - .../includes/execut-referer-tracking.conf.j2 | 6 - ansible/roles/nginx/templates/nginx.conf.j2 | 20 ---- ansible/roles/pretix/templates/pretix.conf.j2 | 2 +- docs/deployment-new-production.md | 1 - 13 files changed, 9 insertions(+), 358 deletions(-) delete mode 100644 ansible/roles/execut/tasks/main.yml delete mode 100644 ansible/roles/execut/templates/execut.service.j2 delete mode 100644 ansible/roles/execut/templates/execut_www.env.j2 delete mode 100644 ansible/roles/execut/templates/nginx.conf.j2 delete mode 100644 ansible/roles/nginx/templates/includes/execut-referer-tracking.conf.j2 diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml index 5f7138e7..c58ae165 100644 --- a/ansible/group_vars/all/websites.yml +++ b/ansible/group_vars/all/websites.yml 
@@ -183,91 +183,6 @@ websites: authenticated: true state: "present" - - name: "execut-speakers.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-partners.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "absent" - - - name: "execut-survey.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-landing.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-2018.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-2019.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-2020.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-2023.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - custom_config: true - state: "present" - - - name: "execut-aftermovie.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "present" - - - name: "execut-app.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: - - "execut-referer-tracking" - state: "absent" - - - name: "execut-2021.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: [] - custom_config: true - state: "present" - - - name: "execut.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - extra_includes: [] - 
custom_config: true - state: "present" - - name: "snic-preview.{{ canonical_hostname }}" user: "snic" alternative_names: [] @@ -286,16 +201,6 @@ websites: alternative_names: [] state: "present" - - name: "execut-feedback.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - state: "present" - - - name: "execut-qa.{{ canonical_hostname }}" - user: "symposium" - alternative_names: [] - state: "present" - - name: "files.{{ canonical_hostname }}" user: "bestuur" custom_config: true diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml index 1ff3a52d..2d93b4a0 100644 --- a/ansible/group_vars/production/vars.yml +++ b/ansible/group_vars/production/vars.yml @@ -57,13 +57,6 @@ secret_backup_aws: access_key: "{{ vault_secret_backup_aws.access_key }}" secret_key: "{{ vault_secret_backup_aws.secret_key }}" -secret_execut_website_aws: - access_key: "{{ vault_secret_execut_website_aws.access_key }}" - secret_key: "{{ vault_secret_execut_website_aws.secret_key }}" - -secret_execut_website_secretkey: - "{{ vault_secret_execut_website_secretkey }}" - # To change, regenerate the token in Mollie's web interface. secret_mollie_token: "{{ vault_secret_mollie_token }}" diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml index 7cd69b26..122d6261 100644 --- a/ansible/group_vars/staging/vars.yml +++ b/ansible/group_vars/staging/vars.yml @@ -49,12 +49,6 @@ secret_backup_aws: access_key: "{{ vault_secret_backup_aws.access_key }}" secret_key: "{{ vault_secret_backup_aws.secret_key }}" -secret_execut_website_aws: - access_key: "{{ vault_secret_execut_website_aws.access_key }}" - secret_key: "{{ vault_secret_execut_website_aws.secret_key }}" - -secret_execut_website_secretkey: "{{ vault_secret_execut_website_secretkey }}" - # To change, regenerate the token in Mollie's web interface. secret_mollie_token: "{{ vault_secret_mollie_token }}" 
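Review bot: Removing `secret_execut_website_aws` and `secret_execut_website_secretkey` only drops the references; the vault values they read (`vault_secret_execut_website_aws.access_key`, `.secret_key`, `vault_secret_execut_website_secretkey`) are not among this patch's 13 files, so the AWS key pair of the decommissioned service presumably remains both in the vault and, unless revoked separately, in IAM. Revoke the IAM access key and delete the vault entries in the same change and say so in the commit message; the staging hunk that follows has the same gap. The `execut-django-website-*` buckets named in the deleted `execut_www.env.j2` on L18 should likewise be confirmed as emptied or kept deliberately.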
@@ -158,7 +152,7 @@ secret_chroma: fallacious_rooster: git_tag: "0.1.4" - + digidecs: git_tag: "0.1.0" - server_port: 65437 \ No newline at end of file + server_port: 65437 diff --git a/ansible/main.yml b/ansible/main.yml index 4bfbc2ac..074bfc72 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -62,8 +62,6 @@ tags: "oauth" - role: "outline" tags: "outline" - - role: "execut" - tags: "execut" - role: "radio" tags: "radio" - role: "sodi" @@ -87,3 +85,9 @@ tags: "always" - role: "rooster" tags: "rooster" + +# Following is a list of removed roles, which we did have. +# If, for some reason, we ever want to use on of the removed services again, +# one can easily restore the role by reverting the following PRs: +# +# - execut: #475 diff --git a/ansible/roles/execut/tasks/main.yml b/ansible/roles/execut/tasks/main.yml deleted file mode 100644 index ccc86f8b..00000000 --- a/ansible/roles/execut/tasks/main.yml +++ /dev/null 
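Review bot: The comment appended to `ansible/main.yml` has a typo, `use on of the removed services` should read `use one of the removed services`, and `which we did have` reads awkwardly. Suggested wording: `# Roles removed from this playbook. To bring one back, revert the PR listed next to it:` followed by the existing `# - execut: #475` line.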
@@ -1,111 +0,0 @@ ---- -# - name: "add deadsnakes PPA" -# apt_repository: -# repo: "ppa:deadsnakes/ppa" - -# - name: "install Python 3.9" -# apt: -# pkg: -# - "python3.9" -# - "python3.9-venv" -# - "python3.9-dev" -# state: "present" - -# - name: "ensure database user exists" -# postgresql_user: -# name: "symposium" -# become_user: "postgres" -# become: true - -# - name: "ensure database exists" -# postgresql_db: -# name: "execut" -# owner: "symposium" -# become_user: "postgres" -# become: true - -# - name: "ensure database user has the right privileges" -# postgresql_user: -# db: "execut" -# name: "symposium" -# priv: "ALL" -# role_attr_flags: "CREATEDB,LOGIN" -# become_user: "postgres" -# become: true -# ignore_errors: "{{ ansible_check_mode }}" - -- name: "determine website folder" - ansible.builtin.set_fact: - execut_website_path: "/var/www/symposium/execut-2023.{{ canonical_hostname }}" - -- name: "make website directory" - ansible.builtin.file: - path: "{{ item }}" - owner: "symposium" - group: "symposium" - state: "directory" - with_items: - - "{{ execut_website_path }}" - - "/var/www/symposium/.local" - - "/var/www/symposium/.cache" - -- name: "perform stuff as `symposium`" - become_user: "symposium" - become: true - block: - - name: "clone website's repository" - ansible.builtin.git: - repo: "https://github.com/stichtingsticky/execut" - dest: "{{ execut_website_path }}" - version: "main" - diff: false - -# FIXME update pnpm in symposium -- name: "run pnpm install" - ansible.builtin.command: - cmd: > - nix --extra-experimental-features 'nix-command flakes' - shell nixpkgs#nodePackages.pnpm -c - pnpm install - chdir: "/var/www/symposium/execut-2023.{{ canonical_hostname }}/sites/static" - -- name: "run pnpm build" - ansible.builtin.command: - cmd: > - nix --extra-experimental-features 'nix-command flakes' - shell nixpkgs#nodePackages.pnpm -c - pnpm build - chdir: "/var/www/symposium/execut-2023.{{ canonical_hostname }}/sites/static" - -# - name: "install 
service file" -# template: -# src: "execut.service.j2" -# dest: "/etc/systemd/system/execut-django-website.service" -# mode: "0644" -# notify: "systemctl daemon-reload" - -- name: "install Nginx config" - ansible.builtin.template: - src: "nginx.conf.j2" - dest: "/etc/nginx/sites-available/execut-2023.{{ canonical_hostname }}.conf" - notify: "reload nginx" - -- name: "enable Nginx config" - ansible.builtin.file: - src: "/etc/nginx/sites-available/execut-2023.{{ canonical_hostname }}.conf" - dest: "/etc/nginx/sites-enabled/execut-2023.{{ canonical_hostname }}.conf" - state: "link" - notify: "reload nginx" - -- name: "test Nginx config" - ansible.builtin.command: "nginx -t" - changed_when: false - -- name: "Reload Nginx, systemd if needed" - ansible.builtin.meta: "flush_handlers" - -# - name: "Start and enable website service" -# systemd: -# name: "execut-django-website.service" -# state: "restarted" -# enabled: true diff --git a/ansible/roles/execut/templates/execut.service.j2 b/ansible/roles/execut/templates/execut.service.j2 deleted file mode 100644 index ed5cb4ea..00000000 --- a/ansible/roles/execut/templates/execut.service.j2 +++ /dev/null @@ -1,22 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=execut web service -After=network.target -OnFailure=failure-notificator@%n.service - -[Service] -User=symposium -Group=symposium -Environment="VIRTUAL_ENV={{ execut_website_path }}/venv" -Environment="PATH={{ execut_website_path }}/venv/bin:/usr/local/bin:/usr/bin:/bin" -EnvironmentFile={{ execut_website_path }}/execut_www.env -ExecStart={{ execut_website_path }}/venv/bin/gunicorn execut_www.wsgi \ - --name execut-django-website --workers 2 \ - --max-requests 1200 --max-requests-jitter 50 \ - --log-level=info --bind=127.0.0.1:6942 -WorkingDirectory={{ execut_website_path }}/execut_www -Restart=on-failure - -[Install] -WantedBy=multi-user.target 
diff --git a/ansible/roles/execut/templates/execut_www.env.j2 b/ansible/roles/execut/templates/execut_www.env.j2 deleted file mode 100644 index bc95e643..00000000 --- a/ansible/roles/execut/templates/execut_www.env.j2 +++ /dev/null @@ -1,13 +0,0 @@ -# {{ ansible_managed }} -DEBUG="{% if 'staging' in group_names %}True{% else %}False{% endif %}" -DATABASE_URL="postgresql:///execut" -SECRET_KEY="{{ secret_execut_website_secretkey }}" -ALLOWED_HOSTS="execut-2021.{{ canonical_hostname }},execut.nl,www.execut.nl,execute.nl,www.execute.nl,2021.execut.nl,2022.execut.nl,execut.dev.svsticky.nl" - -AWS_ACCESS_KEY_ID="{{ secret_execut_website_aws.access_key }}" -AWS_SECRET_ACCESS_KEY="{{ secret_execut_website_aws.secret_key }}" -{% if 'staging' in group_names %} -AWS_BUCKET_NAME="execut-django-website-staging" -{% else %} -AWS_BUCKET_NAME="execut-django-website-prod" -{% endif %} diff --git a/ansible/roles/execut/templates/nginx.conf.j2 b/ansible/roles/execut/templates/nginx.conf.j2 deleted file mode 100644 index 4f96ffdf..00000000 --- a/ansible/roles/execut/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,71 +0,0 @@ -# {{ ansible_managed }} -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name execut-2023.{{ canonical_hostname }} www.execut.nl execute.nl www.execute.nl; - - ssl_certificate /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/chain.pem; - - include includes/block-cert-validation-path.conf; - add_header Referrer-Policy same-origin; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - # Security header file not included because frames - -{% if ('production' in group_names) %} - location / { - return 302 https://execut.nl$request_uri; - } -{% else %} - location / { - return 302 https://execut.dev.svsticky.nl$request_uri; - } -{% endif %} -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name 2023.execut.nl execut.nl www.execut.nl execute.nl www.execute.nl; - - ssl_certificate /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/execut-2023.{{ canonical_hostname }}/chain.pem; - - include includes/block-cert-validation-path.conf; - add_header Referrer-Policy same-origin; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - # Security header file not included because frames - - root /var/www/symposium/execut-2023.{{canonical_hostname}}/sites/static/dist/; - index index.html; -} - -{% if ('staging' in group_names) %} -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name 
execut.dev.svsticky.nl; - - ssl_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/execut.{{ canonical_hostname }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/chain.pem; - - include includes/block-cert-validation-path.conf; - add_header Referrer-Policy same-origin; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; - # Security header file not included because frames - - - root /var/www/symposium/execut-2023.{{canonical_hostname}}/sites/static/dist/; - index index.html; - -} -{% endif %} diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml index 6e49964f..a0005239 100644 --- a/ansible/roles/nginx/tasks/main.yml +++ b/ansible/roles/nginx/tasks/main.yml @@ -29,7 +29,6 @@ dest: "/etc/nginx/includes/{{ item }}" loop: - "block-cert-validation-path.conf" - - "execut-referer-tracking.conf" - "php-parameters.conf" - "security-headers.conf" notify: "reload nginx" diff --git a/ansible/roles/nginx/templates/includes/execut-referer-tracking.conf.j2 b/ansible/roles/nginx/templates/includes/execut-referer-tracking.conf.j2 deleted file mode 100644 index 9f19a2ae..00000000 --- a/ansible/roles/nginx/templates/includes/execut-referer-tracking.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# {{ ansible_managed }} - -# Include to enable Referer logging for Execut. See nginx.conf. - -access_log /var/log/nginx/execut_referer_tracking referer_tracking - if=$do_log_referer; diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 index 66a887f7..ec178dc8 100644 --- a/ansible/roles/nginx/templates/nginx.conf.j2 +++ b/ansible/roles/nginx/templates/nginx.conf.j2 
@@ -74,26 +74,6 @@ http { access_log off; error_log /var/log/nginx/error.log crit; - ## - # Execut referer tracking - ## - - # Enables logging Referer header to a separate logfile, if the Referer is not - # under *.execut.nl. - # Adapted from the docs at: - # http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log - # Note that this value is only evaluated if the execut-referer-tracking - # include is used. - - map $http_referer $do_log_referer { - ~^$ 0; - ~^https?:\/\/(.+\.)*execut\.nl 0; - default 1; - } - - log_format referer_tracking escape=json - '$http_referer\t$scheme://$host$request_uri\t$time_iso8601'; - ## # GZip Settings ## diff --git a/ansible/roles/pretix/templates/pretix.conf.j2 b/ansible/roles/pretix/templates/pretix.conf.j2 index fd918c12..72b2bcfa 100644 --- a/ansible/roles/pretix/templates/pretix.conf.j2 +++ b/ansible/roles/pretix/templates/pretix.conf.j2 @@ -3,7 +3,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name ~^(pretix|tickets)\.{{ canonical_hostname }} tickets.execut.nl; + server_name ~^(pretix|tickets)\.{{ canonical_hostname }}; ssl_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/privkey.pem; diff --git a/docs/deployment-new-production.md b/docs/deployment-new-production.md index 2590eb5d..636aa0d0 100644 --- a/docs/deployment-new-production.md +++ b/docs/deployment-new-production.md @@ -94,7 +94,6 @@ addresses of the new droplet. These are the following: - dgdarc.com - dgdarc.nl - - execut.nl - indievelopment.nl - intro-cs.nl - savadaba.nl From 2944d994c7bc58af3553685f98976af2fb7df59b Mon Sep 17 00:00:00 2001 From: Silas <69711739+SilasPeters@users.noreply.github.com> Date: Thu, 14 Nov 2024 19:51:38 +0100 Subject: [PATCH 12/17] fix: reverses docker version to match server ubuntu version --- ansible/roles/docker/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/docker/vars/main.yml b/ansible/roles/docker/vars/main.yml index 0316f6a3..6a74acf4 100644 --- a/ansible/roles/docker/vars/main.yml +++ b/ansible/roles/docker/vars/main.yml @@ -1,4 +1,4 @@ --- # Possible docker engine versions can be obtained through the following # command: apt-cache madison docker-ce | awk '{ print $3 }' -docker_engine_version: "5:27.0.3-1~ubuntu.22.04~jammy" +docker_engine_version: "5:27.0.3-1~ubuntu.20.04~focal" From e11f50a34f057bb58ed1d395c9ab49e01090a808 Mon Sep 17 00:00:00 2001 From: Silas Peters <69711739+SilasPeters@users.noreply.github.com> Date: Fri, 15 Nov 2024 09:45:20 +0100 Subject: [PATCH 13/17] chore: remove php role (#474) --- ansible/group_vars/all/vars.yml | 2 +- ansible/group_vars/all/websites.yml | 8 - ansible/main.yml | 3 +- .../backups/templates/backup-to-s3.sh.j2 | 3 +- ansible/roles/nginx/tasks/main.yml | 1 - .../templates/includes/php-parameters.conf.j2 | 35 -- ansible/roles/nginx/templates/nginx.conf.j2 | 3 +- ansible/roles/php/handlers/main.yml | 6 - ansible/roles/php/tasks/main.yml | 39 -- ansible/roles/php/templates/php.ini.j2 | 352 ------------------ .../roles/php/templates/pool-template.conf.j2 | 19 - 11 files changed, 5 insertions(+), 466 deletions(-) delete mode 100644 ansible/roles/nginx/templates/includes/php-parameters.conf.j2 delete mode 100644 ansible/roles/php/handlers/main.yml delete mode 100644 ansible/roles/php/tasks/main.yml delete mode 100644 ansible/roles/php/templates/php.ini.j2 delete mode 100644 ansible/roles/php/templates/pool-template.conf.j2 diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml index 30b9bec6..6e0969ce 100644 --- a/ansible/group_vars/all/vars.yml +++ b/ansible/group_vars/all/vars.yml @@ -9,7 +9,7 @@ canonical_hostname: "{{ inventory_hostname }}" tmp_dir: "/tmp" -# the upload limit for php-fpm and nginx in megabytes +# the upload limit for nginx in megabytes upload_limit: 30 slack_notifications: 
diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml index c58ae165..8e5f0b19 100644 --- a/ansible/group_vars/all/websites.yml +++ b/ansible/group_vars/all/websites.yml @@ -91,14 +91,6 @@ websites: state: "present" authenticated: true - - name: "phpmyadmin.{{ canonical_hostname }}" - user: "phpmyadmin" - alternative_names: - - "pma.{{ canonical_hostname }}" - # You have to remove the task include of phpmyadmin.yml to remove this - # completely - state: "absent" - - name: "pretix.{{ canonical_hostname }}" custom_config: true alternative_names: diff --git a/ansible/main.yml b/ansible/main.yml index 074bfc72..4d9092ef 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -30,8 +30,6 @@ tags: "backups" - role: "nginx" tags: "nginx" - - role: "php" - tags: "php" - role: "node" tags: "node" - role: "certbot" @@ -91,3 +89,4 @@ # one can easily restore the role by reverting the following PRs: # # - execut: #475 +# - php: #474 diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2 index 8ddb3268..ba02decb 100755 --- a/ansible/roles/backups/templates/backup-to-s3.sh.j2 +++ b/ansible/roles/backups/templates/backup-to-s3.sh.j2 @@ -79,12 +79,11 @@ case "${SOURCE}" in S3PATH="${SOURCE}" FILE_NAME="${FILE_TITLE}.tar.gz" - # phpMyAdmin and SODI directories excluded because no other + # SODI directories excluded because no other # committee can write to these folders and they are deployed from \ # git anyway. # Pretix's virtualenv is excluded as it only contains binaries. upload_backup_to_s3 < <(tar \ - --exclude='var/www/phpmyadmin.{{ canonical_hostname }}' \ --exclude='var/www/sodi.{{ canonical_hostname }}' \ --exclude='var/www/pretix/venv' \ -c -f - -C / var/www \ diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml index a0005239..037f983d 100644 --- a/ansible/roles/nginx/tasks/main.yml +++ b/ansible/roles/nginx/tasks/main.yml 
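Review bot: Dropping `- role: "php"` from the play stops managing php-fpm but does not remove it from hosts that already ran the deleted role: the `php-fpm` package, the pool files under `/etc/php/7.4/fpm/pool.d/`, the templated `php.ini` and the systemd `onfailure.conf` override all stay behind, so php-fpm presumably keeps running on its pool sockets with nobody updating its configuration. Either add a one-off cleanup (an `ansible.builtin.apt` task with `state: "absent"` for `php-fpm` plus `ansible.builtin.file` tasks for the leftover pool and override files) or document the manual removal next to the `# - php: #474` revert note added in the second hunk. The same applies to `php-parameters.conf`, which the nginx role's loop no longer templates but which is not deleted from `/etc/nginx/includes/`.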
@@ -29,7 +29,6 @@ dest: "/etc/nginx/includes/{{ item }}" loop: - "block-cert-validation-path.conf" - - "php-parameters.conf" - "security-headers.conf" notify: "reload nginx" diff --git a/ansible/roles/nginx/templates/includes/php-parameters.conf.j2 b/ansible/roles/nginx/templates/includes/php-parameters.conf.j2 deleted file mode 100644 index ed895645..00000000 --- a/ansible/roles/nginx/templates/includes/php-parameters.conf.j2 +++ /dev/null @@ -1,35 +0,0 @@ -# {{ ansible_managed }} - -location ~ \.php$ { - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/+)$; - fastcgi_pass unix:/var/run/php/php-fpm-$server_name.sock; - fastcgi_index index.php; - - fastcgi_param QUERY_STRING $query_string; - fastcgi_param REQUEST_METHOD $request_method; - fastcgi_param CONTENT_TYPE $content_type; - fastcgi_param CONTENT_LENGTH $content_length; - - fastcgi_param SCRIPT_FILENAME $request_filename; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param REQUEST_URI $request_uri; - fastcgi_param DOCUMENT_URI $document_uri; - fastcgi_param DOCUMENT_ROOT $document_root; - fastcgi_param SERVER_PROTOCOL $server_protocol; - - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - - fastcgi_param REMOTE_ADDR $remote_addr; - fastcgi_param REMOTE_PORT $remote_port; - fastcgi_param SERVER_ADDR $server_addr; - fastcgi_param SERVER_PORT $server_port; - fastcgi_param SERVER_NAME $server_name; - - fastcgi_param HTTPS $https if_not_empty; - fastcgi_param HTTP_PROXY ""; - - # PHP only, required if PHP was built with --enable-force-cgi-redirect - fastcgi_param REDIRECT_STATUS 200; -} diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 index ec178dc8..81f28064 100644 --- a/ansible/roles/nginx/templates/nginx.conf.j2 +++ b/ansible/roles/nginx/templates/nginx.conf.j2 
@@ -30,7 +30,8 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - # Added this for phpMyAdmin + # Added this for phpMyAdmin. + # phpMyAdmin was removed but this line not, just to be sure server_names_hash_bucket_size 128; charset UTF-8; diff --git a/ansible/roles/php/handlers/main.yml b/ansible/roles/php/handlers/main.yml deleted file mode 100644 index c88dec3e..00000000 --- a/ansible/roles/php/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: "reload php" - ansible.builtin.service: - name: "php7.4-fpm" - state: "reloaded" diff --git a/ansible/roles/php/tasks/main.yml b/ansible/roles/php/tasks/main.yml deleted file mode 100644 index 6e06f552..00000000 --- a/ansible/roles/php/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: "install php-fpm" - ansible.builtin.apt: - name: "php-fpm" - state: "present" - -- name: "create directories for onfailure overrides for php-fpm" - ansible.builtin.file: - path: "/etc/systemd/system/php7.4-fpm.service.d" - state: "directory" - -- name: "copy onfailure override for php-fpm" - ansible.builtin.template: - src: "onfailure.conf.j2" - dest: "/etc/systemd/system/php7.4-fpm.service.d/onfailure.conf" - notify: "systemctl daemon-reload" - -- name: "copy general configuration for php" - ansible.builtin.template: - src: "php.ini.j2" - dest: "/etc/php/7.4/fpm/php.ini" - notify: "reload php" - -- name: "delete default php-fpm pool" - ansible.builtin.file: - path: "/etc/php/7.4/fpm/pool.d/www.conf" - state: "absent" - notify: "reload php" - -- name: "template php-fpm pool configurations" - ansible.builtin.template: - src: "pool-template.conf.j2" - dest: "/etc/php/7.4/fpm/pool.d/pool-{{ item.name }}.conf" - loop: - - name: "digidecs.{{ canonical_hostname }}" - user: "digidecs" - - name: "indievelopment.{{ canonical_hostname }}" - user: "indievelopment" - notify: "reload php" 
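Review bot: The reworded comment `# phpMyAdmin was removed but this line not, just to be sure` records history rather than the reason the directive is kept, so the next reader still cannot tell whether `server_names_hash_bucket_size 128;` is safe to drop. State the functional reason instead, e.g. `# Larger bucket size for nginx's server-name hash; originally added for phpMyAdmin, kept because other long server_name values may still need it`, so that the directive can be revisited on its own merits.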
diff --git a/ansible/roles/php/templates/php.ini.j2 b/ansible/roles/php/templates/php.ini.j2 deleted file mode 100644 index c57d7249..00000000 --- a/ansible/roles/php/templates/php.ini.j2 +++ /dev/null 
@@ -1,352 +0,0 @@ -; {{ ansible_managed }} - -[PHP] - -;;;;;;;;;;;;;;;;;;;; -; Language Options ; -;;;;;;;;;;;;;;;;;;;; - -; Enable the PHP scripting language engine under Apache. -; http://php.net/engine -engine = On - -; http://php.net/short-open-tag -short_open_tag = Off - -; The number of significant digits displayed in floating point numbers. -; http://php.net/precision -precision = 14 - -; http://php.net/output-buffering -output_buffering = 4096 - -; http://php.net/zlib.output-compression -zlib.output_compression = Off - -; http://php.net/implicit-flush -implicit_flush = Off - -unserialize_callback_func = - -serialize_precision = 17 - - -; http://php.net/disable-functions -disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, - -; http://php.net/disable-classes -disable_classes = - -; http://php.net/zend.enable-gc -zend.enable_gc = On - -;;;;;;;;;;;;;;;;; -; Miscellaneous ; -;;;;;;;;;;;;;;;;; - -; http://php.net/expose-php -expose_php = Off - -;;;;;;;;;;;;;;;;;;; -; Resource Limits ; -;;;;;;;;;;;;;;;;;;; - -; http://php.net/max-execution-time -max_execution_time = 30 - -; http://php.net/max-input-time -max_input_time = 60 - -; http://php.net/memory-limit -memory_limit = 128M - -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -; Error handling and logging ; -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - -; http://php.net/display-errors -display_errors = Off - -; http://php.net/display-startup-errors -display_startup_errors = Off - -; http://php.net/log-errors -log_errors = On - -; http://php.net/log-errors-max-len -log_errors_max_len = 1024 - -; http://php.net/ignore-repeated-errors -ignore_repeated_errors = Off - -; http://php.net/ignore-repeated-source -ignore_repeated_source = Off - -; 
http://php.net/report-memleaks -report_memleaks = On - -; This setting is on by default. -;report_zend_debug = 0 - -; http://php.net/track-errors -track_errors = Off - -; http://php.net/html-errors -html_errors = On - - -;;;;;;;;;;;;;;;;; -; Data Handling ; -;;;;;;;;;;;;;;;;; - -; http://php.net/variables-order -variables_order = "GPCS" - -; http://php.net/request-order -request_order = "GP" - -; http://php.net/register-argc-argv -register_argc_argv = Off - -; http://php.net/auto-globals-jit -auto_globals_jit = On - -; http://php.net/enable-post-data-reading -;enable_post_data_reading = Off - -; http://php.net/post-max-size -post_max_size = {{ upload_limit }}M - -; http://php.net/auto-prepend-file -auto_prepend_file = - -; http://php.net/auto-append-file -auto_append_file = - -; http://php.net/default-mimetype -default_mimetype = "text/html" - -; http://php.net/default-charset -default_charset = "UTF-8" - -;;;;;;;;;;;;;;;;;;;;;;;;; -; Paths and Directories ; -;;;;;;;;;;;;;;;;;;;;;;;;; - -; http://php.net/doc-root -doc_root = - -; http://php.net/user-dir -user_dir = - -; http://php.net/enable-dl -enable_dl = Off - -;;;;;;;;;;;;;;;; -; File Uploads ; -;;;;;;;;;;;;;;;; - -; http://php.net/file-uploads -file_uploads = On - -; http://php.net/upload-max-filesize -upload_max_filesize = {{ upload_limit }}M - -max_file_uploads = 20 - -;;;;;;;;;;;;;;;;;; -; Fopen wrappers ; -;;;;;;;;;;;;;;;;;; - -; http://php.net/allow-url-fopen -allow_url_fopen = On - -; http://php.net/allow-url-include -allow_url_include = Off - -; http://php.net/default-socket-timeout -default_socket_timeout = 60 - -;;;;;;;;;;;;;;;;;;;;;; -; Dynamic Extensions ; -;;;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;; -; Module Settings ; -;;;;;;;;;;;;;;;;;;; - -[CLI Server] -cli_server.color = On - -[Date] -[filter] -[iconv] -[intl] -[sqlite3] -[Pcre] -[Pdo] - -[Phar] -[mail function] -SMTP = localhost -smtp_port = 25 -mail.add_x_header = On - -[SQL] -; http://php.net/sql.safe-mode -sql.safe_mode = Off - -[ODBC] - 
-; http://php.net/odbc.allow-persistent -odbc.allow_persistent = On - -; http://php.net/odbc.check-persistent -odbc.check_persistent = On - -; http://php.net/odbc.max-persistent -odbc.max_persistent = -1 - -; http://php.net/odbc.max-links -odbc.max_links = -1 - -; http://php.net/odbc.defaultlrl -odbc.defaultlrl = 4096 - -; http://php.net/odbc.defaultbinmode -odbc.defaultbinmode = 1 - -[Interbase] -; Allow or prevent persistent links. -ibase.allow_persistent = 1 - -; Maximum number of persistent links. -1 means no limit. -ibase.max_persistent = -1 - -; Maximum number of links (persistent + non-persistent). -1 means no limit. -ibase.max_links = -1 - -; Default timestamp format. -ibase.timestampformat = "%Y-%m-%d %H:%M:%S" - -; Default date format. -ibase.dateformat = "%Y-%m-%d" - -; Default time format. -ibase.timeformat = "%H:%M:%S" - -[OCI8] - -[PostgreSQL] -pgsql.allow_persistent = On -pgsql.auto_reset_persistent = Off -pgsql.max_persistent = -1 -pgsql.max_links = -1 -pgsql.ignore_notice = 0 -pgsql.log_notice = 0 - -[bcmath] -bcmath.scale = 0 - -[browscap] -;browscap = extra/browscap.ini - -[Session] -session.save_handler = files -; https://wiki.php.net/rfc/strict_sessions -session.use_strict_mode = 0 - -; http://php.net/session.use-cookies -session.use_cookies = 1 - -; http://php.net/session.cookie-secure -;session.cookie_secure = - -; http://php.net/session.use-only-cookies -session.use_only_cookies = 1 - -; http://php.net/session.name -session.name = PHPSESSID - -; http://php.net/session.auto-start -session.auto_start = 0 - -; http://php.net/session.cookie-lifetime -session.cookie_lifetime = 0 - -; http://php.net/session.cookie-path -session.cookie_path = / - -; http://php.net/session.cookie-domain -session.cookie_domain = - -; http://php.net/session.cookie-httponly -session.cookie_httponly = - -; http://php.net/session.serialize-handler -session.serialize_handler = php -; http://php.net/session.gc-probability -session.gc_probability = 1 - -; 
http://php.net/session.gc-divisor -session.gc_divisor = 1000 - -; http://php.net/session.gc-maxlifetime -session.gc_maxlifetime = 1440 - -; http://php.net/session.referer-check -session.referer_check = - -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; http://php.net/session.cache-limiter -session.cache_limiter = nocache - -; http://php.net/session.cache-expire -session.cache_expire = 180 - -; http://php.net/session.use-trans-sid -session.use_trans_sid = 0 - -; http://php.net/session.hash-function -session.hash_function = 0 - -; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 - -; http://php.net/url-rewriter.tags -url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" - -[Assertion] -; http://php.net/zend.assertions -zend.assertions = -1 - -[COM] -[mbstring] -[gd] -[exif] -[Tidy] -; http://php.net/tidy.clean-output -tidy.clean_output = Off -[soap] -; http://php.net/soap.wsdl-cache-enabled -soap.wsdl_cache_enabled=1 -; http://php.net/soap.wsdl-cache-dir -soap.wsdl_cache_dir="{{ tmp_dir }}" -; http://php.net/soap.wsdl-cache-ttl -soap.wsdl_cache_ttl=86400 -soap.wsdl_cache_limit = 5 - -[sysvshm] -[ldap] -ldap.max_links = -1 -[mcrypt] -[dba] -[opcache] -; Prevent leaking data between php-fpm pools -; https://ma.ttias.be/mitigating-phps-long-standing-issue-opcache-leaking-sensitive-data/ -opcache.validate_permission = 1 -opcache.validate_root = 1 - -[openssl] diff --git a/ansible/roles/php/templates/pool-template.conf.j2 b/ansible/roles/php/templates/pool-template.conf.j2 deleted file mode 100644 index 9c28bea9..00000000 --- a/ansible/roles/php/templates/pool-template.conf.j2 +++ /dev/null 
@@ -1,19 +0,0 @@ -; {{ ansible_managed }} - -[{{ item.name }}] -user = {{ item.user }} -group = {{ item.user }} -listen = /var/run/php/php-fpm-{{ item.name }}.sock -listen.owner = www-data -listen.group = www-data -php_admin_value[disable_functions] = exec,passthru,shell_exec,system -php_admin_flag[allow_url_fopen] = off -pm = dynamic -pm.max_children = 5 -pm.start_servers = 2 -pm.min_spare_servers = 1 -pm.max_spare_servers = 3 -catch_workers_output = yes - -; Would be nice, but not very straightforward to implement -; chroot = /var/www/{{ item.user }}/{{ item.name }} From 08aa7c150794463a555d725eea76989729795759 Mon Sep 17 00:00:00 2001 From: Silas Peters <69711739+SilasPeters@users.noreply.github.com> Date: Fri, 15 Nov 2024 09:46:45 +0100 Subject: [PATCH 14/17] bump: nix 2.24 (#476) --- ansible/roles/nix/files/install | 79 ++++++++++++++++++++++++++++---- ansible/roles/nix/tasks/main.yml | 2 +- 2 files changed, 70 insertions(+), 11 deletions(-) diff --git a/ansible/roles/nix/files/install b/ansible/roles/nix/files/install index 3da09b11..05a6034e 100644 --- a/ansible/roles/nix/files/install +++ b/ansible/roles/nix/files/install @@ -1,5 +1,12 @@ #!/bin/sh +# NOTE +# This whole file, except for this note, is the official install script +# available from https://nixos.org/download/#nix-install-linux +# To update the nix-version, please see if the official install method has +# changed +# END NOTE + # This script installs the Nix package manager on your system by # downloading a binary distribution and running its installer script # (which in turn creates and populates /nix). 
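Review bot: The NOTE added at the top says this is the official installer but does not record which release it was copied from, so the next bump cannot diff the vendored copy against the matching upstream script; the tarball URL further down in this commit pins `nix-2.25.2`, and the commit title says 2.24, which is exactly the kind of drift the note should prevent. Add the version to the note, e.g. `# Copied from the nix-2.25.2 release installer; compare against the same version's upstream script before updating`, and keep it in sync with the `url=` line when the script is refreshed.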
@@ -25,26 +32,77 @@ require_util() { } case "$(uname -s).$(uname -m)" in - Linux.x86_64) system=x86_64-linux; hash=faf9f146a38a3836c807d97cd3eb9cd9c9073d498e3b685c5e3da9b02b4aa9da;; - Linux.i?86) system=i686-linux; hash=b027043444b5a8a4189549484876f3c3a65538349c7ced4b9a64bea1b5d68a5b;; - Linux.aarch64) system=aarch64-linux; hash=245fa43894c5f51df7debb657a19b7c4bb06926c5023ae615a99bd9ae3125cfe;; - Darwin.x86_64) system=x86_64-darwin; hash=f3902fec5e15786b13622467f73e4e8848f5b861bd3d58c48714bd775a315cb1;; - Darwin.arm64) system=aarch64-darwin; hash=35f3ccf27fccec857d622cf31e0d9307e2c145fb7cc59720b73bf081282ca917;; + Linux.x86_64) + hash=23ce50919b933b89b0dd4b0d5ba07d2dd6e4201a2f06b00de5388c0a4209b09c + path=1qcc15z77jqpdqsp5k0k6rjmkw7f4zfb/nix-2.25.2-x86_64-linux.tar.xz + system=x86_64-linux + ;; + Linux.i?86) + hash=3ce95b7ad138bebaaac2be79a44d5c2b43a3e2483e36bc1c0821a6a9fc0e15bf + path=lxb16gfx6bmnqdmy21c879pz8havz5bx/nix-2.25.2-i686-linux.tar.xz + system=i686-linux + ;; + Linux.aarch64) + hash=8744e31c075c31272e7bab6995d5f15623a5de94f935a7a7420026d36f9cc90e + path=idfaklsf96dbi7xy42a0bbmynvv4czsk/nix-2.25.2-aarch64-linux.tar.xz + system=aarch64-linux + ;; + Linux.armv6l) + hash=6fcf943f47e5b0af0285720ee9e0a83ed8770ca4315c20589e23d334b6eeba80 + path=39lnsjhvr8lh2vwfhicb2rr5cyjmbb77/nix-2.25.2-armv6l-linux.tar.xz + system=armv6l-linux + ;; + Linux.armv7l) + hash=e72bb87a8c78bc4d96710b742dfa841f342b038350ca265809df7a3eb50b2398 + path=b71slfhcs6i11q8zr15891j0ss7r4dv4/nix-2.25.2-armv7l-linux.tar.xz + system=armv7l-linux + ;; + Linux.riscv64) + hash=6d17a3c543ec14df59af59eeeb0ba89b02411754128f5a276ff70a6d3dca25b2 + path=cbpn7058y7m1v3xlal4i6qy212ddyffb/nix-2.25.2-riscv64-linux.tar.xz + system=riscv64-linux + ;; + Darwin.x86_64) + hash=94b601f9f6195d100da48b29cca21d0d81ab77c0fa3060554c3e46a07cabb179 + path=z8brwk78bgzvs56hbz77rgkvkv28h1nd/nix-2.25.2-x86_64-darwin.tar.xz + system=x86_64-darwin + ;; + Darwin.arm64|Darwin.aarch64) + 
hash=82355d662cae1f23ed1e22225203dca70c9012a2627b6a1c15bcfd3761849eb4 + path=pzpn97w5kgas9xfh4rir0b9rgh5v7j6w/nix-2.25.2-aarch64-darwin.tar.xz + system=aarch64-darwin + ;; *) oops "sorry, there is no binary distribution of Nix for your platform";; esac -url="https://releases.nixos.org/nix/nix-2.3.16/nix-2.3.16-$system.tar.xz" +# Use this command-line option to fetch the tarballs using nar-serve or Cachix +if [ "${1:-}" = "--tarball-url-prefix" ]; then + if [ -z "${2:-}" ]; then + oops "missing argument for --tarball-url-prefix" + fi + url=${2}/${path} + shift 2 +else + url=https://releases.nixos.org/nix/nix-2.25.2/nix-2.25.2-$system.tar.xz +fi -tarball="$tmpDir/$(basename "$tmpDir/nix-2.3.16-$system.tar.xz")" +tarball=$tmpDir/nix-2.25.2-$system.tar.xz -require_util curl "download the binary tarball" require_util tar "unpack the binary tarball" if [ "$(uname -s)" != "Darwin" ]; then require_util xz "unpack the binary tarball" fi -echo "downloading Nix 2.3.16 binary tarball for $system from '$url' to '$tmpDir'..." -curl -L "$url" -o "$tarball" || oops "failed to download '$url'" +if command -v curl > /dev/null 2>&1; then + fetch() { curl --fail -L "$1" -o "$2"; } +elif command -v wget > /dev/null 2>&1; then + fetch() { wget "$1" -O "$2"; } +else + oops "you don't have wget or curl installed, which I need to download the binary tarball" +fi + +echo "downloading Nix 2.25.2 binary tarball for $system from '$url' to '$tmpDir'..." +fetch "$url" "$tarball" || oops "failed to download '$url'" if command -v sha256sum > /dev/null 2>&1; then hash2="$(sha256sum -b "$tarball" | cut -c1-64)" @@ -67,6 +125,7 @@ tar -xJf "$tarball" -C "$unpack" || oops "failed to unpack '$url'" script=$(echo "$unpack"/*/install) [ -e "$script" ] || oops "installation script is missing from the binary tarball!" +export INVOKED_FROM_INSTALL_IN=1 "$script" "$@" } # End of wrapping diff --git a/ansible/roles/nix/tasks/main.yml b/ansible/roles/nix/tasks/main.yml index 4f0b2758..25c414e5 100644 
--- a/ansible/roles/nix/tasks/main.yml
+++ b/ansible/roles/nix/tasks/main.yml
@@ -31,7 +31,7 @@
 state: "link"
 become: true
-- name: "Update Nix to the latest version"
+- name: "Update Nix to the latest version" # See https://nix.dev/manual/nix/2.24/installation/upgrading.html
 ansible.builtin.shell: "nix-channel --update && nix-env -iA nixpkgs.nix nixpkgs.cacert"
 notify:
 - "systemctl daemon-reload"
From 779a5d58b182429536a2a9f8a931cebcbd4dd4da Mon Sep 17 00:00:00 2001
From: Silas Peters <69711739+SilasPeters@users.noreply.github.com>
Date: Fri, 15 Nov 2024 12:06:55 +0100
Subject: [PATCH 15/17] fix: managed node installation fixes contentful backup (#467) * fix: managed node installation fixes contentful backup * chore: removed global yarn install In the previous commit, we removed the global Nodejs install, replaced by a global nvm install. Yarn should also be installed locally and not globally. * chore: referenced node removal pr
--- ansible/group_vars/all/vars.yml | 6 ++++ ansible/main.yml | 5 ++-- ansible/roles/backups/tasks/main.yml | 2 ++ .../backups/templates/backup-to-s3.sh.j2 | 13 +++++---- ansible/roles/backups/vars/main.yml | 3 ++ ansible/roles/node/tasks/main.yml | 25 ---------------- ansible/roles/nvm/tasks/main.yml | 29 +++++++++++++++++++ .../templates/50unattended-upgrades.j2 | 1 - ansible/roles/radio/handlers/main.yml | 26 ++--------------- ansible/roles/radio/tasks/main.yml | 6 ++-- 10 files changed, 57 insertions(+), 59 deletions(-) create mode 100644 ansible/roles/backups/vars/main.yml delete mode 100644 ansible/roles/node/tasks/main.yml create mode 100644 ansible/roles/nvm/tasks/main.yml
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
index 6e0969ce..61ebde9b 100644
--- a/ansible/group_vars/all/vars.yml
+++ b/ansible/group_vars/all/vars.yml
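Review bot: The comment appended to the task name points at the 2.24 upgrading manual, while the vendored installer in this same commit fetches `nix-2.25.2` tarballs and the task then installs whatever `nixpkgs.nix` resolves to after `nix-channel --update`, so the reference is already stale; name the version the play actually targets or phrase it neutrally, e.g. `# See https://nix.dev/manual/nix/<version>/installation/upgrading.html` with the placeholder filled in at bump time. Separately, this `ansible.builtin.shell` task has no `changed_when`, so it reports changed and fires the `systemctl daemon-reload` handler on every run even when `nix-env` installs nothing; registering the output and deriving `changed_when` from it would keep the play idempotent. The task's other keys are outside the hunk.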
@@ -29,3 +29,9 @@ secret_deploy_key: "{{ vault_secret_deploy_key }}"
 # The API key for our Mailgun account.
 # Change? Refresh API key at https://app.mailgun.com/app/account/security
 secret_mailgun_token: "{{ vault_secret_mailgun_token }}"
+
+# The place where https://github.com/nvm-sh/nvm will be installed, to be globally used
+nvm:
+ directory: "/usr/local/bin/.nvm"
+ script: "/usr/local/bin/.nvm/nvm.sh"
+ version: "v0.40.0" # Derived from the git tag
diff --git a/ansible/main.yml b/ansible/main.yml
index 4d9092ef..90e6b81e 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -26,12 +26,12 @@
 tags: "docker"
 - role: "databases"
 tags: "databases"
+ - role: "nvm"
+ tags: "nvm"
 - role: "backups"
 tags: "backups"
 - role: "nginx"
 tags: "nginx"
- - role: "node"
- tags: "node"
 - role: "certbot"
 tags: "certbot"
 - role: "redis"
@@ -90,3 +90,4 @@
 #
 # - execut: #475
 # - php: #474
+# - node: #467
diff --git a/ansible/roles/backups/tasks/main.yml b/ansible/roles/backups/tasks/main.yml
index 8ecdd428..153bea44 100644
--- a/ansible/roles/backups/tasks/main.yml
+++ b/ansible/roles/backups/tasks/main.yml
@@ -5,6 +5,8 @@
 shell: "/usr/sbin/nologin"
 home: "/home/backup"
 system: true
+ groups: "nvm"
+ append: true
 - name: "install awscli"
 ansible.builtin.apt:
diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2
index ba02decb..9e65690b 100755
--- a/ansible/roles/backups/templates/backup-to-s3.sh.j2
+++ b/ansible/roles/backups/templates/backup-to-s3.sh.j2
@@ -104,11 +104,14 @@ case "${SOURCE}" in
     FILE_NAME="${FILE_TITLE}.tar.gz"
     sudo -u backup mkdir -p /tmp/contentful-export
-    sudo -u backup -H npx contentful-cli space export \
-      --management-token {{ secret_contentful_export.token }} \
-      --space-id {{ secret_contentful_export.space_id }} \
-      --download-assets \
-      --export-dir /tmp/contentful-export
+    sudo -Hu backup bash -c `
+    `'source {{ nvm.script }} && nvm install {{ backups_node_version }} &&'`
+    `' nvm exec {{ backups_node_version }} npx contentful-cli space export'`
+    `' --management-token {{ secret_contentful_export.token }}'`
+    `' --space-id {{ secret_contentful_export.space_id }}'`
+    `' --download-assets'`
+    `' --export-dir /tmp/contentful-export'
+
     upload_backup_to_s3 < <(tar \
       -c -f - -C /tmp contentful-export \
       | gzip -9)
diff --git a/ansible/roles/backups/vars/main.yml b/ansible/roles/backups/vars/main.yml
new file mode 100644
index 00000000..e15a09c4
--- /dev/null
+++ b/ansible/roles/backups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+
+backups_node_version: "22"
diff --git a/ansible/roles/node/tasks/main.yml b/ansible/roles/node/tasks/main.yml
deleted file mode 100644
index 5cab4f8e..00000000
--- a/ansible/roles/node/tasks/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- name: "add apt key for yarn repository"
-  ansible.builtin.apt_key:
-    url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
-    state: "present"
-
-- name: "add yarn repository"
-  ansible.builtin.apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
-    state: "present"
-
-- name: "Add Nodesource repository key"
-  ansible.builtin.apt_key:
-    url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
-
-- name: "Add Nodesource repository for NodeJS 14"
-  ansible.builtin.apt_repository:
-    repo: "deb https://deb.nodesource.com/node_14.x {{ ansible_lsb.codename }} main"
-
-- name: "install Node.js and yarn"
-  ansible.builtin.apt:
-    name:
-      - "nodejs"
-      - "yarn"
-    state: "present"
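Review bot: The new `bash -c` argument is assembled with the empty-command-substitution trick (each line ends in a backtick and the next begins with one), which is hard to read and fragile: any character that lands between two backticks is executed as a command, and a missing backtick silently truncates the argument instead of failing. A heredoc fed to `bash -s` expresses the same multi-line command plainly and, as a side benefit, keeps `{{ secret_contentful_export.token }}` off the process command line, where every local user can read it with `ps` (the token was already in argv before this change, so this is an improvement rather than a regression). Running `nvm install` on every backup also turns each backup into a network download of a Node build into the shared nvm tree; installing `{{ backups_node_version }}` once during provisioning in the nvm role and using only `nvm exec` here keeps the backup path deterministic and offline. The surrounding `case` arm starts before the hunk; note the heredoc terminator has to sit at column 0 (or use `<<-` with tab indentation).
```shell
    sudo -u backup mkdir -p /tmp/contentful-export
    sudo -Hu backup bash -s <<'EOS'
set -e
source {{ nvm.script }}
nvm exec {{ backups_node_version }} npx contentful-cli space export \
  --management-token {{ secret_contentful_export.token }} \
  --space-id {{ secret_contentful_export.space_id }} \
  --download-assets \
  --export-dir /tmp/contentful-export
EOS
    # … unchanged: upload_backup_to_s3 < <(tar …) …
```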
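Review bot: `backups_node_version: "22"` names only a major, so `nvm install` in the backup script resolves it to whatever 22.x is current when the backup runs, which makes backup runs non-reproducible and each one an unpinned download; a full version string pins it. Keeping the value in `vars/` also gives it role-vars precedence that inventory cannot override; if that is intended, a comment such as `# deliberately fixed here, not overridable per host` records it, otherwise `defaults/main.yml` is the conventional place.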
diff --git a/ansible/roles/nvm/tasks/main.yml b/ansible/roles/nvm/tasks/main.yml
new file mode 100644
index 00000000..a4d20f33
--- /dev/null
+++ b/ansible/roles/nvm/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: "Install nvm"
+  ansible.builtin.git:
+    repo: "https://github.com/nvm-sh/nvm.git"
+    version: "{{ nvm.version }}"
+    dest: "{{ nvm.directory }}"
+    recursive: false # cloning submodules fails, but they are purely for testing
+    diff: false
+
+- name: "Test nvm install"
+  ansible.builtin.shell: "source {{ nvm.script }} && command -v nvm"
+  register: "nvm_command"
+  args:
+    executable: "/bin/bash"
+  changed_when: false
+
+- name: "Assert that nvm is installed correctly"
+  ansible.builtin.assert:
+    that: "nvm_command.stdout == 'nvm'"
+
+- name: "Create nvm group"
+  ansible.builtin.group:
+    name: "nvm"
+
+- name: "Allow nvm group to manage nodejs installs"
+  ansible.builtin.file:
+    path: "{{ nvm.directory }}"
+    group: "nvm"
+    mode: "0774"
diff --git a/ansible/roles/packages/templates/50unattended-upgrades.j2 b/ansible/roles/packages/templates/50unattended-upgrades.j2
index 4293b4f8..73af81d5 100644
--- a/ansible/roles/packages/templates/50unattended-upgrades.j2
+++ b/ansible/roles/packages/templates/50unattended-upgrades.j2
@@ -9,7 +9,6 @@ Unattended-Upgrade::Allowed-Origins {
     "${distro_id} stable";
     "${distro_id} ${distro_codename}-updates";
     "LP-PPA-certbot-certbot:${distro_codename}";
-    "yarn:stable";
 {% endif %}
 };
diff --git a/ansible/roles/radio/handlers/main.yml b/ansible/roles/radio/handlers/main.yml
index 1c31bdcb..c439db3f 100644
--- a/ansible/roles/radio/handlers/main.yml
+++ b/ansible/roles/radio/handlers/main.yml
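Review bot: `mode: "0774"` on `{{ nvm.directory }}` makes the top of a root-owned checkout group-writable for every `nvm` member (`backup` and `radio`), and write access to a directory lets a member delete and recreate `nvm.sh` even though the file itself stays root-owned; the "Test nvm install" task then sources that file as root on every playbook run, so a compromised service account has a plausible path to root (the pinned `ansible.builtin.git` task may refuse to proceed over a modified tracked file, but that is not a control to rely on). The mode is also applied to the directory only, so whichever user runs `nvm install` first owns `versions/` and, depending on umask, the other member's later install fails. Installing the needed Node versions in this role as root and leaving the tree read-only for the group, `mode: "0755"`, removes both problems and makes the `groups: "nvm"` additions in the backups and radio hunks unnecessary. Separately, `version: "{{ nvm.version }}"` is a tag, which upstream can move; the git module accepts a commit hash, and pinning that (or verifying the tag signature) closes the supply-chain gap.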
@@ -1,33 +1,11 @@
 ---
-- name: "clone nvm"
-  listen: "radio repo updated"
-  become_user: "radio"
-  become: true
-  ansible.builtin.git:
-    repo: "https://github.com/nvm-sh/nvm.git"
-    dest: "/var/www/radio/.nvm"
-    recursive: false # cloning submodules fails, but they are purely for testing
-    diff: false
-
-- name: "checkout latest nvm version" # based on nvm manual installation guide
-  listen: "radio repo updated"
-  become_user: "radio"
-  become: true
-  ansible.builtin.shell:
-    cmd: git checkout `git describe --abbrev=0 --tags --match "v[0-9]*" $(git rev-list --tags --max-count=1)`
-    chdir: "/var/www/radio/.nvm"
-    executable: "/bin/bash"
-  tags:
-    - skip_ansible_lint
-    # Reason: linter wants us to use the git module, but that can't do this
-    # complicated stuff
 
 - name: "install node version"
   listen: "radio repo updated"
   become_user: "radio"
   become: true
   ansible.builtin.shell: |
-    source /var/www/radio/.nvm/nvm.sh
+    source {{ nvm.script }}
     nvm install $(cat /var/www/radio/radio/.nvmrc)
   args:
     chdir: "/var/www/radio/radio"
@@ -39,7 +17,7 @@
   become_user: "radio"
   become: true
   ansible.builtin.shell: |
-    source /var/www/radio/.nvm/nvm.sh
+    source {{ nvm.script }}
     nvm use
     npm rebuild
   args:
diff --git a/ansible/roles/radio/tasks/main.yml b/ansible/roles/radio/tasks/main.yml
index 3c29ede2..e4e65a1c 100644
--- a/ansible/roles/radio/tasks/main.yml
+++ b/ansible/roles/radio/tasks/main.yml
@@ -6,6 +6,8 @@
     shell: "/usr/sbin/nologin"
     state: "present"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "copy nginx configuration"
   ansible.builtin.template:
@@ -53,7 +55,7 @@
 
 - name: "run npm install"
   ansible.builtin.shell: |
-    source /var/www/radio/.nvm/nvm.sh
+    source {{ nvm.script }}
     nvm use
     npm install
   args:
@@ -64,7 +66,7 @@
     block:
       - name: "build website"
         ansible.builtin.shell: |
-          source /var/www/radio/.nvm/nvm.sh
+          source {{ nvm.script }}
           nvm use
           npm run build
         args:

From 53704598f145cb7aab9e4675f101e4030976b92e Mon Sep 17 00:00:00 2001
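Review bot: The per-user clone at `/var/www/radio/.nvm` that the removed handlers created is never cleaned up, so hosts provisioned before this change keep a stale, unmaintained nvm tree next to the shared one; a one-off task in the radio role, `ansible.builtin.file: {path: "/var/www/radio/.nvm", state: "absent"}`, retires it. The surviving `install node version` handler now writes whatever `.nvmrc` in the radio checkout names into the shared nvm tree as the `radio` user, so the contents of that repository decide what gets installed for every `nvm` group member; that follows from the shared-write design set up in the nvm role rather than from this hunk alone. The handler's `args:` block continues past the hunk.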
From: Silas Peters <69711739+SilasPeters@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:50:30 +0100
Subject: [PATCH 16/17] chore: remove freight role (#477)

---
 ansible/group_vars/production/vars.yml | 2 -
 ansible/group_vars/staging/vars.yml | 2 -
 ansible/main.yml | 3 +-
 ansible/roles/freight/files/pubkey.gpg | 156 ------------------
 ansible/roles/freight/tasks/main.yml | 63 -------
 ansible/roles/freight/templates/nginx.conf.j2 | 27 ---
 6 files changed, 1 insertion(+), 252 deletions(-)
 delete mode 100644 ansible/roles/freight/files/pubkey.gpg
 delete mode 100644 ansible/roles/freight/tasks/main.yml
 delete mode 100644 ansible/roles/freight/templates/nginx.conf.j2

diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml
index 2d93b4a0..3b007d9c 100644
--- a/ansible/group_vars/production/vars.yml
+++ b/ansible/group_vars/production/vars.yml
@@ -138,8 +138,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOXjzub9wBK7/eOu4sceuGu3JoAJAoulNtqlt+A4XvT freight@svsticky.nl"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml
index 122d6261..599d9fa0 100644
--- a/ansible/group_vars/staging/vars.yml
+++ b/ansible/group_vars/staging/vars.yml
@@ -130,8 +130,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQiL2YN1yBeUAwWZENc8lPK3Kj1kIG/57IbAuxL9yTk freight@dev.svsticky.nl"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
diff --git a/ansible/main.yml b/ansible/main.yml
index 90e6b81e..c98dbb87 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -42,8 +42,6 @@
       tags: "websites"
     - role: "digidecs"
       tags: "digidecs"
-    - role: "freight"
-      tags: "freight"
     - role: "aas"
       tags: "aas"
     - role: "static_sticky"
@@ -89,5 +87,6 @@
 # one can easily restore the role by reverting the following PRs:
 #
 # - execut: #475
+# - freight: #477
 # - php: #474
 # - node: #467
diff --git a/ansible/roles/freight/files/pubkey.gpg b/ansible/roles/freight/files/pubkey.gpg
deleted file mode 100644
index cbde530c..00000000
--- a/ansible/roles/freight/files/pubkey.gpg
+++ /dev/null
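Review bot: Dropping the role from the play does not undo what it provisioned: on already-configured hosts the `freight` user with its `authorized_keys`, the `build.openvpn.net` apt source and key, the `packages.<canonical_hostname>` nginx site and its certificate all remain, and the ed25519 key deleted from the group vars keeps granting SSH access there. Either add a cleanup play (the user, the apt repository and the site symlink with `state: "absent"`) or record the manual steps next to the new comment, e.g. `# - freight: #477 (existing hosts: remove the freight user/authorized_keys, apt source and nginx site by hand)`.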
@@ -1,156 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQENBE45PsIBCAC2K2LRZPQIUmJlCDKcncfR6vok2wowDpGpHZffvEEoUj/DoocR -LLpPHR5RB1zMWIs2IjF8vOtXMCBguDgtEvQTh6p6DM3D1fTnYp3pPlQyyzAuC81v -CQo44h09R4Nh2e38oMRVztmAnacC4g5aiSEamrZ4PbWdAdPc4uZdCPOGmUDJw8+q -aAYvL/8pM7YqEu05FqE+aNcG02K+mDhA2bqRLLKoLEFpeMSO6vV8BrE7Vw1Rs1PM -VLDJt9HdXmC6vP+WWqDuj7/qfRb2wwlSIp5+aFyRHOUNyFKnWZYIObeV3+Y6oG6h -gmBtU1673mHDqVy26TwfjpJeudMKHVCrKXVXABEBAAG0QVNhbXVsaSBTZXBww6Ru -ZW4gKE9wZW5WUE4gVGVjaG5vbG9naWVzLCBJbmMpIDxzYW11bGlAb3BlbnZwbi5u -ZXQ+iQE+BBMBAgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCU+B6sAUJ -C0rWWQAKCRCObai04VjFaU2sB/9eB1ZhA7u0o1XsiJpKcoEmcFS9EmYt+RjeplJP -0ewYoGFOGbEupvBdhqg1tqBxFw046kAbbBxwxU6NCSSPsIRR7FMLzF7JbRmlJXJc -Frl2WZaAL9wwoGucpGhWITUaipCXOcAY74WYWIx01mx0RxK8uRIq8lhsC4LUzAmg -yA5H+nbF7A7FLtl9EUpnpqhnOC44ANlTSDo0whcrUoGaTvaepJrecypzQupMKYvd -cnraVXjTIr11CEXD8TS56sm9A3LPZTWD7jytUeRCh0kdixFI7ax1tkqDYtELfWg8 -0YRWmT30o/k5hMZKWF5uwddbebfPB3EVHUtxzrnsxHReEVZBiQFVBBMBCAA/AhsD -BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBDDr9Oc8zmPu4STdJ45tqLThWMVp -BQJfH7LvBQkaTHWtAAoJEI5tqLThWMVpwLkH/19yyUYxqoh2M53G7YZ/Uo3ihHYN -Nt4fAx6uRA0DHnrGD83EH1oNO6yQ15UazKXOlLKix+E3UN8rSP3eaZRoXusNpFZQ -o4CZ060fx5TJQk7d8N6mGpmLaf7rIZ9cjR9dtX3IY/c9PTryxPiJPkThg4GaZj0S -U3cpmWicK4EiRAhmPnNf1bI8qgdaEQTE8mnOFGTHmdwjKmg69P4r1AVO6GGTiPUl -2avInNDyQcDywRStmSYt1uXI0gTQGpO6tsqcu3GzO6I1qPGlssnKJEcRTYy3/SX+ -6kD4QS5qnpWGaUjmTfNp1QNCgMkyEtXxG/Aj+HO3AAUW1rLLEYLOSCQGB4SJARwE -EAEIAAYFAlVDl7cACgkQKwRyzuXQlJnMfQf9GhhvvpZzOSMqOSqlOwilr6Xoq+H+ -o4IyIc5UR7TlcxhuSu4PDmHXmINU3Qlm2SkmEMCjFvnqiQRPz2CEwgWPOOo5pGJ5 -Y5aTXLJ+7CpFI2/vB6J2xFyq54gNxRnix+n1+9OV90YowmzSMAgGdxo+akx5WIAM -2zPIcN7/CoUDmXWBovvTqCwb/i2YrdiCpQwY76umTk5g8GwY8Rx371hqd469Z/Jq -iIAAW4RF7oT+HjjGjpl9H5J/5Wr6SzPJ4I01UNdRJk/L+p+sGRAO6SUtuc3DWaMb -Yh9rQwuPO9NJJNIBF81j0WT2sA8/8GKm14ga4aL+mApyjLW/xzr5WNR/WIkBHAQQ -AQgABgUCVm262gAKCRBBCW2ponOmIW+PCAC4mTQ3lB1Q4TEBqMYmFAakNg4ZofBf -+dDDqoVdYz5SkgS7U62mXBRudzt2ww1esjnqN3snUtMl2S0yCNWDV1ut9xKedR8i 
-h1bs90vWOSTt13FXfgZuP6LksFq+nhVSXKPkFgunFXJykUELYv/1gWxgCnDrlSh4 -38bJZZzsYSfTuUGHPjQK9KGJPetoHKQVZNpM7EM0vLm+FJwLrAzQTyVJyRiCV2ob -K5+CV3vgVkjU97STrcunVOwNqXzRH1YwzBRchnPxni0winSqos6oItTIOPDo3fDb -+JKv01fKpDX0xdKvpf5s4q484zZEKn+/myHREagIwSaDZjLn1ZxfZZXWiQEcBBAB -CAAGBQJWeTLoAAoJEAwrK2U6ZdPRpxMH/1PxVwuyW4mKrpN34mI1QWnVBEWV8L4f -G0ejHrpZDWJw40Sqn/BThalqVJjt/SDzbBvyesjycd+BmOjPIk10JIK89CNthfFd -ya4xPSxz6E5MbX/w1FPc4axhVqNUpy02rbbvl072tsd1m+b0WMfq/+HbIU9Jm2ei -dEPdpp5OAJ3LZVam88IfvBRWgDp3NT37L1ZGoDsQXMlc4EP89vtxqH9Pc/wz66G2 -WAK0h47WxnFXpwe5D3zY1Ysn+FaUqJBSQgPE0HBAqh8lOGW67CcrqUZ9iJ/H8CpR -RhPOusKU4BDyUs1WmCA0u11VG4155g1Kbkm0TiPATFmKRmy9enFS09GJARwEEAEI -AAYFAlablJAACgkQULcymFDhYzLzrAf/ZYB9b+Q/khDFbebl5vQMJ1olD5Phaynk -uL5tz8Jv+9QUIC9i/Jgj0U79JlbYdZ798E53ZQcPwixiAOW8kzrjOv3jXHCjpzNO -Tr9zKLxObTAoM53OEoB3xFMXm/LsTWnOjZDa3iRk8/toK3mhzPzqFYtVEyVSkWUI -3Lt/f8L52AeDenMAzoZWm5G7L0iZb3kYOau1hHA0lho4WE2EvIfkCXz+aA47s4Mc -V3AZvmBaOk1iFVdUdAq5vNqpq9jvaGjojkhLEngTqtkAhoAcHbqu9yN1DzR6RovU -b6/cnlbES57nOd3C2EN6dKWWcVDDQbeBhP3vy+fuDQiIkDjXeyMY5YkBHAQQAQgA -BgUCVr4ugQAKCRCoyBY+CMzgYuXVB/9vao9PJD1tRPTtN0x+2Gr2VIXB5963Ghs4 -NB2YrRpfl8FSHs8k6E4SASWMHxxPSy1ZvEZhCN4D/IzTOQBHoj8qlvO7ulVE3CfJ -OgwNrVMkq9muOk8HiexUweQpHnWVhtVSZkRSd0lXUntqVcGKo6Z98tnOqjGk2ngo -Ha01hMHuG+3argEq3NZNDEOjfbOTYFD4x1SVTS0+nM1btuMmVOuthno+pURjcI5i -sIqA6sUdWKyil3UaV2ZvKDOBLyWJxjOKDB10cnCXd9y8O8wqnHX9uUf87JmGV1Xp -A84aWdOlh4+v8yMFxKYkPsDZBmUXeHuKkOodZ2H7ri67UQe6ia9wiQEcBBABCAAG -BQJYngo0AAoJECh/J03GgfleH4sH/1rt4VvZ+YkqhDDylxo/YKlThqZQEeTTxLNu -wokx0rUxIp/5UG2JybJyBgnW/znHKnJa8XHKetyscWY3bDbNFXURyl8VWCGEcxMt -vw2EuQciWg9HyYMkQBl+KRt+QM/77kCLXMJZ3SyX1t0/vUSIq0VbRnt6gouUDr03 -a6r7jhTOwR1qjYYn0ZmtaEkydBN3+qOfea49h1PfJagJUl8/jUk9C3KW1vV9KEtE -GbfcypCpDFibiMmwRoEzd6Anun/Et30CqgJ/zIXFZ9IIs2N/2RiAS4uVA8Wtc6pg -VdO0FcW9UxYVnQRgSk+je1pu8glQzYJDHLHbwnUyt03aKXHb1kGJAT4EEwECACgF -Ak45PsICGwMFCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI5tqLTh -WMVpSMkH/27eO9gHJ/FTLEk46RS8OOUmO9ZBycfzovkLvx1WNWGp14gzT2f3uBED 
-80sxW2lGSbE30GRhgDGQMfE/vCZrJ5SMjfA2olc9+FNPHZfP7FBnPXnxYTM2bbGz -BhRA/7YHj0lk8sPE+ALS3kqgflEkJrLFkcxr3H8teudthxMQFaXG4burFjR6vTrx -knyYPlYMJc8XtQ6f6jHEysg693JyVmu0ShSe46XPIuTRv6CpAJxpDEyROiU2kKI5 -GfjPOUzQLQn9UbZZQxZm2jjN8tod07ogX8IQOtT8sJ8+sXVkTt9bOoYkAJpIXfAQ -U/k7uvvo7FlktdS4k9BqIZpJ4Vq0XvGJAhwEEAECAAYFAlOHUyAACgkQpIWg7VG4 -t8T1hg/8DDj9/KwjHTmbLstWaXypOXRzDMUMM9TMZAVD8darxsPqgFtWA6Bv431q -DAQnKPKI8RSi90VOOSv5LfDB8j20tHRH6hs1LVEfuQr7zfxuYh0MfqqiqtPv1BT7 -3Oxa2ETNoLi+LyzViM/E2bcTlygUrNM/h5T8T2YYWF7gbFtdhd991KCIsOUHKsOG -uVEo6lEvdgDZVs5SCnmsKgKAUKWD+nK8O7pW2K/wxPKJGwiLaJh9w1gHu0Sx4d8C -pm+7iwzhAvJzoSFvVGkGAjbNsQze32Bn9yw85D0qLEMAOis6jDIzTcU3UODkl41j -+TKn+W9Sv+Ldyz5WchmGtdZF+Gf20pFWRfPEso0NKFJ7PIcRPH38+wCNo2hg6lYq -+0xDnrGNjoHpmPCsiw82v/Zh05xhfb0bmIpRlB6wmA6OKvauRk8sMUHJ+4yk7Orq -upSWtzBc+Rut89Zhba5IFm92uY3utAh+EYnxoQEwTxgkfG6qZbhOlOPedHI/6gYx -Gwn1KsTl+S00lttsYPpsACNq9u+MCztKunbzoAMT6L3NBxItPAxR6u+clPFglOId -Ks+AO+E2eqinhAJ2s1SXNRhshXTz3eF1edBRorvXiy0XfZoXG26s7LSUKyghzWtD -Pa91aVhyzEmgst3wX0xPvJNPadXrQF49lIPYlhMAHkEs1MS4Z1iJAhwEEAECAAYF -AlYmU4wACgkQBOrlbTWPQ08eVQ//RSzf93kYYsmUIMEGKzQDnEVSMitRD6IFeIme -dKF2VluG7nkmo7B3Q6GPsOPYEDVFJ5+ZoY/0gN5O64IA0PE+1w772mz1khifGpQ8 -VeB9dcOpnclDJ6S/IYnuinUPvHoGo4JkaXAb0Yjrzp4iJjT4Fv2YmxZAFdCqMYp9 -zR0QAcZSl+mG6nAzhiC75BeIuLPlMDAPWRQkUL1tskB4Iu4ubX+XZkq45VUBDAz2 -14dTaA8y4/jhiNA61uCyLF5Xzx3h5qeO4Z64KMbVbwQ9GyDZjYETss1VWx2KseW6 -1wbJKekDG4OnzCDHDqV31z2vrsaAtCsSM8IXgP9dl/WKd9oZODOFQggBJX2UM7nH -jv645noDQ3bW07DPC4WIItDxPWj7ocQs1caFAh3HEMnJvqX5yaXRHqNCT/2iRfgF -+TZJvygJuA28hhPV2RnuOesaTzFy2Ghd6iOqpXM8zzjfaDhs9BgE7wiB3jccwE08 -UVVKkPYM1FpSJ4XupjHoShHi9POsMY2iD/QOAAOO+HxeFGzSSJ3LMp1A5xi05rYx -UUceNIMJPpESxAbx9Suzb6wGp7HRjoBecFkHrIx4SFv0A3ZCN39TZYtMl+eEBo61 -qRrJgyWGRNb+GIutWWpEMmzmq+kDE+6qmsuDL4zZ6bF4AP//WtJPYeadQPCdFdv8 -CWES182JAhwEEAEIAAYFAliZedsACgkQBZ5sZt7zN5ewYw//QJaLcPEyM5YuKccW -SNTDVAGjwB3TTy+SbG3Ref1b6Jie7B4bYOdRYU2gzMeitv85q2mTeHUV2YAHOisq -LQhsXMp2+CYM9Is2/Qd2cX24y8geKhGxGdkViG2mnVMYhwprUHsJfP8EHDZOikin 
-r9UGYJn1lmD9LGEaRWBM11o+6a+WKUk1MjmNBJydBlrGK4cr4PeoR7BEqQd7lTIq -iu3bVhY8VR5gObVwQjHW+tmMvgUHpB78Z+ZuOe24XDy7JPBJ5IJPKddYIp134sB3 -WHiD6WuVWJeNLajBwal/zgLZJ20nNoS7TVOwcTV+MIEXEQDfFwcyu1FT/gyjrmbW -7BuKspP7Gv0T3oTDGHjWfNAIB5FUa9NqzUq4s9B5Gj/i63AcdRcC3pm0lxlC7mmY -CsQIw7ZO5DV+tZlaBqJQ4lb77P/PpbIEzc+yRBjHjV9N6+0KOg81jnZWloSNqcCi -tenrpoRmz7zLldE4sLG04j7dRAl//ihonEEgczuiOstGNUKxuXTrDadJ7y8/WjtM -L8gq2MlbYIDhwBfB315WqsYNQdQ7vrRWQ88FakVsIIXR+jKF4qP96VJ3Hj+U2gMI -awxAVtDblMY6x+Vh+t6asXdnnJyhpzohWnSlRjCHlFpZ+OmzGGMT/TZwtSKnsg1L -rPg3YFWAl4kwWCp9uHf3iCDIzP6JAhwEEAEIAAYFAll3XHsACgkQ2zYzDZ7HxlVA -5g/+MKtdZNJBsZzt30Xrf27x7YcPnU9u99Cha2pOigv76hrADKAugwV64yq52p+v -WPcZLbeqGydxKzfNH4SKZ1QrjDFE9ynK1LbpjEZOnka61qxdBAeekBDImdtBbBVY -75faCr5Zge814Aw1/4m/y3Ua7s9I2PHGUHQaUTZiA2mU3Dex3YjaGH2ZdatmEo4q -iBBslHdiddukfzc30WCQtz1dDKs1UIuwsCNm527vwEajkn+QjdWggtVAHAr6EfLY -l0JnGL2sgngtduFhhUssuZ8nT+RVCTR9O19og2ahumRMYAzaIIKDQx+r/yjEGLRT -thlSRsY2jkkpY2qfJ4ygID1PRbx4Jg7FL915il4F9l5BtKEXQr3ESs9iXYJvDe7l -/2bmULQAzK41jMkVmw8dWrk/gmTSVLMoNFopdCKcUA8+PTOTh5Nk7KFWzLXe9yiP -BZ2KgTFjq8dQZeu2aeiF0VrAIe6GlmAIfM9ojOkWRiK8iP+xShY260+qXsGHr2Tl -T2ePaGeFI3sdV+roVie4OcwiDP61ZF7mgXjS+p+PV5BrYvEiKHNy/OZnJ+8icEqN -N+BhfCwkv5Zon/pck9i0FsX8H0DqpxQhEO9nyhQ/6t85SGiggYPKcOq34Siy0Chb -z2x6nmkTD9UL3//OPHQdGoTPW8CoEYnblBpaJBAc9d1x2+mJAjMEEAEKAB0WIQQZ -GDXtDq7GNipHOpJcG46CuAMPygUCWRyzUQAKCRBcG46CuAMPyu6wEACmGB3L7nkV -tWXzghepHxtRb95eATbUcDSKp5UkHFFVAABsvavUy1WsHQdIgcoByxNUcDiJ3E0p -uyRMOd1Tbp16RYZeBXLht6o1qYji2sMR+7ju9BpHBooBTyWXPDx97bUGeOSwLdo3 -pKsuk30jeLD/rYqS63k0d5dk2Tfxgek1FPKGwZWCGF2WJnfI4eDN3YnAt4gKlIeL -GjvdXcfQ2ZCNp4WW9Uzh6MrXvBvzUAmCNopEM2B4zHbnvXc7fEHCdH+mMCVblCiM -kbMbIEjO3YInahT2E0F7LeQjBarpQjTgz5dFSJqXawuMM2A051Cn3/1D3A88ecpa -cN2hqwsmoQ269xt+4wsNjFxf7p8j5aCD4lvBFv7A6f6RbbCkDpT1ilcVRqficT3H -1mWMVMCEfOhliZeBWGyXz3ZCzCNPxFWsPAF5QYAiTIEEKFdbWTUv/GF9/6uPv/c+ -DT2NuGJ3/6BL7dsSJq/u0FZ28RIYvGpWDGB8EDuoMG02jLbPAETLTTlT8F2p8YN0 -nv/65oUXY/vYNJGuR4+yU7zFunkASbac6VwQfmelc81AUh0k+v7j6/f1vF++YQR1 
-+oeuXUMthYCpiTtGhWOvZZ/yTNwXw83HIYSoyjnJVWYxLZ4di56rR5UozRhHyQwD -Us3pMHa9RazC2yNU01biRBaQ4uoHMSthB4kCMwQQAQoAHRYhBNwe38uA0tosjq6u -IkljV0IYaftsBQJZLKjfAAoJEEljV0IYaftsScMP/0b32LbZJl27X37cfHkwr5v7 -XHkqkpYPmmiFpmMmnnfk2GqWmOT09Sjy5uAdMxCNz0Z+Lp15NMS33+73me+7u83R -Qg8ecycxOQETq+1tFzy3gBeqIByJKSCJRSjStBlkks3reLoOmWbKGyaE9eHG40z7 -4gMKnTv2Su6koVH0aMK0Q4kjdGUO7lec5EMfg2H2oI5m/PW/uSxxJHot5bk+e2UH -2zafxpcsFeI6DcBZPiPof5r5m/xGGDA6ZkehtBNnP4aAwEDdpzLJ5CBVDrTyszkn -i15BoAZPWtMnVPI6xnrZ/ae0B7T8/1THluHXb0hZTOhdmDEHEjYRIte3oXPkTkke -BGB2uqx327nwo2brETs3rtdbkvOGIFtbsoxVCnM0qKBOswkvkFX/6ijNFBpi1ekR -ejOxaJvuhpt4ttGrABO8Beh/CpjUbmzYtTgU4CztL/+aIMEG0DDfZipG/lpsktvP -It/RU4OVK6dDaLeEmAX4jYtPwAOLhGZ43xwclMnNgeSIT3CAYXMXWNFe3PPQ2A/H -jA9U40kO1SMbu7IQJJ2kZWS7/rQEQzBbYfpWcD9fy4+sKTFgLJDBRXhla553sz97 -KiyaTH0t+zb5dkUv619BRhLrmkbQiriy0n9a7p3upUAoGFNp3eAO/qG2JLMw/Ayv -RNK+zKVfI6cu3wj6gBVliQEzBBABCAAdFiEE+i7gS9aI2i6nUmgujfzQ7qCqWiAF -AlxWtEcACgkQjfzQ7qCqWiCIGQf/bjV3okhvC8RZr6o+qd+pOcwjEjEGQy+gP898 -gq50yVcq2ZKeqZWMqk7UFnUr/CPToUpJ7Or3jbgc4Fv8lP4UGifts+7AurCVfyP9 -ABXeAO5EPKcCWeKEmmulMBAntyCv+kUg+wC1bGX+CbLpIVfz4ipkGsHUrdsNDTPJ -a3dZwT8IokX+BPqW4x5ZNug2ay7dw1hGPBT96AeSLC/KYtyVynRCISfSOVD0MUgq -T3It0nKm0GgX6700ZxXgk6z/ApFniQjq1sF/Y3r3Acp6n+r3kvzBgw7j4+o/EtQK -yXq5jHeNlKIRZK7+TkmmHmCVDY1sRC6XIRINERXlq8WEFUxBRLkBDQROOT7CAQgA -6D4GOTxadvt9tvAEMNRqUuwgSAVSGytIsPlVVgHy06rt2OyFySn/cvB+RKyZTMS1 -cxfEhsNQ43W9sJBdmVAN7sTu5jkoU1bKLj5QnAsyuz6ip9525TMPFD6+ir/o0aX7 -aiWp3q9P9z+49v9E9mk52CgSSoUQ5MxFXPQNnADLPJgRYGvAMQI1sS2p58ws8hpQ -ZTNm9RzzQj4xgvoDNF7+60hZwGdnafJ1nRK9YpEnSU6zr17oqgVV4TlBfOZNeSPN -JtH143cAObaPQSMuem3/NHiEXyziXgct1F1Kfju0B29qGw1+BaY5+JAPxu2e7wOI -yIkx3wilWxlf/MIltJQKFwARAQABiQE8BBgBCAAmAhsMFiEEMOv05zzOY+7hJN0n -jm2otOFYxWkFAl8fs08FCRpMdg0ACgkQjm2otOFYxWnl3Qf9Hh/5jeNLtkYX7TdD -bY+XAdyC6Su7UfHD5EK5b8mQJsFZE1GOyw2f0apnPNPQduqhdzNi8/HAuuj6xWPX -98v7lnNUEaioPRo2TPOQEtgUc0/izMnLkYmKtUvldadsUIJYCr96vpa4M0AyeEAr -M3QmVZdJbnwKipTrgnIrAZ03S2nIzP/PKWYdbpM8Lypve8kI1qXxZhyyigP0YLW0 
-f6iDZnVLF6A0tWWAzMsx22esfGCTmbD84DwUvbqjfAMDB8+ABoJhIv3g+Tw4FTM2 -7qzFzSzcRRS0+nFVAlC06MygX06f253BDh3+Jfjht1YMHtUVXcVN3FR8VcSTSq79 -f/xF/w== -=/vEq ------END PGP PUBLIC KEY BLOCK----- diff --git a/ansible/roles/freight/tasks/main.yml b/ansible/roles/freight/tasks/main.yml deleted file mode 100644 index 55881498..00000000 --- a/ansible/roles/freight/tasks/main.yml +++ /dev/null 
@@ -1,63 +0,0 @@
----
-- name: "ensure freight user exists"
-  ansible.builtin.user:
-    name: "freight"
-    shell: "/bin/sh"
-    home: "/var/lib/freight"
-    system: true
-
-- name: "ensure that freight has .ssh folder"
-  ansible.builtin.file:
-    path: "/var/lib/freight/.ssh"
-    state: "directory"
-    owner: "freight"
-    group: "freight"
-
-- name: "add authorized github key"
-  ansible.builtin.copy:
-    dest: "/var/lib/freight/.ssh/authorized_keys"
-    content: "{{ freight_ssh_pub_key }}"
-    owner: "freight"
-    group: "freight"
-    mode: "0644"
-
-- name: "add apt key for freight"
-  ansible.builtin.apt_key:
-    data: "{{ lookup('file', 'pubkey.gpg') }}"
-    id: "30EBF4E73CCE63EEE124DD278E6DA8B4E158C569"
-
-- name: "add freight apt repository"
-  ansible.builtin.apt_repository:
-    repo: "deb http://build.openvpn.net/debian/freight_team {{ ansible_lsb.codename }} main"
-
-- name: "ensure freight is installed and manageable"
-  ansible.builtin.apt:
-    name:
-      - "freight"
-  tags:
-    - "packages"
-
-- name: "copy nginx template"
-  ansible.builtin.template:
-    src: "nginx.conf.j2"
-    dest: "/etc/nginx/sites-available/packages.{{ canonical_hostname }}.conf"
-
-- name: "symlink nginx template"
-  ansible.builtin.file:
-    src: "/etc/nginx/sites-available/packages.{{ canonical_hostname }}.conf"
-    dest: "/etc/nginx/sites-enabled/packages.{{ canonical_hostname }}.conf"
-    state: "link"
-
-- name: "request tls certificates"
-  ansible.builtin.command: >-
-    certbot certonly
-    --non-interactive
-    --agree-tos
-    --email "domreg@svsticky.nl"
-    --keep-until-expiring
-    --cert-name packages.{{ canonical_hostname }}
-    --webroot
-    --webroot-path /var/www/acme-challenges
-    --domain packages.{{ canonical_hostname }}
-    --deploy-hook "systemctl reload nginx"
-  when: true
diff --git a/ansible/roles/freight/templates/nginx.conf.j2 b/ansible/roles/freight/templates/nginx.conf.j2
deleted file mode 100644
index 38c33dd5..00000000
--- a/ansible/roles/freight/templates/nginx.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name
-        packages.{{ canonical_hostname }};
-
-    ssl_certificate /etc/letsencrypt/live/packages.{{ canonical_hostname }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/packages.{{ canonical_hostname }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/packages.{{ canonical_hostname }}/chain.pem;
-
-    root /var/lib/freight/var/cache;
-
-    index index.html index.htm;
-
-    include includes/security-headers.conf;
-
-    location ~* /.git/ {
-        deny all;
-    }
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-}

From 3cd4f8e891d04700fb70e7539109d99c628ad334 Mon Sep 17 00:00:00 2001
From: Job Vonk
Date: Mon, 25 Nov 2024 13:31:05 +0100
Subject: [PATCH 17/17] fix: update radio/templates/.env.j2 (#478)

* fix: update radio/templates/.env.j2

* fix: change koala api base url for radio

---
 ansible/roles/radio/templates/.env.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/radio/templates/.env.j2 b/ansible/roles/radio/templates/.env.j2
index 72348440..f5359e8d 100644
--- a/ansible/roles/radio/templates/.env.j2
+++ b/ansible/roles/radio/templates/.env.j2
@@ -3,10 +3,11 @@
 # Contentful secrets
 VITE_CONTENTFUL_SPACE_ID={{ secret_radio.contentful_space_id }}
 VITE_CONTENTFUL_ACCESS_TOKEN={{ secret_radio.contentful_space_access_token }}
+VITE_CONTENTFUL_ENVIRONMENT=master
 
 # Endpoints
 VITE_LOGO=https://public.svsticky.nl/logos/logo_compact_outline_wit.svg
-VITE_ACTIVITY_ENDPOINT=https://koala.svsticky.nl/api/activities
+VITE_KOALA_API_BASE=https://koala.svsticky.nl/api/
 
 # Timers
 VITE_LOAD_INTERVAL=900000 # 15 * 60 * 1000
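Review bot: `VITE_KOALA_API_BASE=https://koala.svsticky.nl/api/` hard-codes the production host in a template that, judging by the `secret_radio.*` lookups, is rendered from group vars for each environment; if a staging host renders it too, the staging radio will query the production Koala API (the replaced `VITE_ACTIVITY_ENDPOINT` had the same problem, so this is inherited rather than introduced). A per-environment group var, e.g. `VITE_KOALA_API_BASE={{ radio_koala_api_base }}` with the value set in `group_vars/production` and `group_vars/staging`, keeps the template environment-neutral.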
@@ -18,3 +19,5 @@ VITE_NEXT_INTERVAL_COMMITS=10000
 VITE_GITHUB_REPOS=svsticky/radio svsticky/constipated-koala svsticky/static-sticky svsticky/sadserver svsticky/chroma svsticky/intro-website svsticky/crazy88bot
 VITE_GITHUB_API_TOKEN={{ secret_radio.github_api_token }}
+
+# Snow height page
+VITE_SNOW_HEIGHT_URL="https://www.sneeuwhoogte.nl/sneeuwhoogte-op-je-site/la plagne/big"
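Review bot: `VITE_SNOW_HEIGHT_URL` carries a literal space in its path (`la plagne`), which is not a valid URL character and will be handled differently by each consumer; percent-encode it, `VITE_SNOW_HEIGHT_URL=https://www.sneeuwhoogte.nl/sneeuwhoogte-op-je-site/la%20plagne/big`. It is also the only double-quoted value in the file, and whether those quotes are stripped depends on the dotenv loader in use; encoding the space and dropping the quotes keeps the line consistent with the surrounding entries.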