Merge branch 'master' of github.com:svsticky/sadserver

svsticky · Dec 25, 2024 · e9aacfc · e9aacfc
2 parents 3ea76d6 + 3cd4f8e
commit e9aacfc
Show file tree

Hide file tree

Showing 36 changed files with 157 additions and 1,173 deletions.
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml
@@ -248,10 +248,10 @@ users:
     home_prefix: "/var/www"
     state: "present"
     github_accounts:
-      - username: "Siem2l"
-        state: "absent"
       - username: "SilasPeters"
         state: "present"
+      - username: "olafboekholt"
+        state: "present"
 
   - name: "hacc"
     admin: false

diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -9,7 +9,7 @@ canonical_hostname: "{{ inventory_hostname }}"
 
 tmp_dir: "/tmp"
 
-# the upload limit for php-fpm and nginx in megabytes
+# the upload limit for nginx in megabytes
 upload_limit: 30
 
 slack_notifications:
@@ -29,3 +29,9 @@ secret_deploy_key: "{{ vault_secret_deploy_key }}"
 # The API key for our Mailgun account.
 # Change? Refresh API key at https://app.mailgun.com/app/account/security
 secret_mailgun_token: "{{ vault_secret_mailgun_token }}"
+
+# The place where https://github.com/nvm-sh/nvm will be installed, to be globally used
+nvm:
+  directory: "/usr/local/bin/.nvm"
+  script: "/usr/local/bin/.nvm/nvm.sh"
+  version: "v0.40.0" # Derived from the git tag
diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml
@@ -91,14 +91,6 @@ websites:
     state: "present"
     authenticated: true
 
-  - name: "phpmyadmin.{{ canonical_hostname }}"
-    user: "phpmyadmin"
-    alternative_names:
-      - "pma.{{ canonical_hostname }}"
-    # You have to remove the task include of phpmyadmin.yml to remove this
-    # completely
-    state: "absent"
-
   - name: "pretix.{{ canonical_hostname }}"
     custom_config: true
     alternative_names:
@@ -183,91 +175,6 @@ websites:
     authenticated: true
     state: "present"
 
-  - name: "execut-speakers.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-partners.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "absent"
-
-  - name: "execut-survey.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-landing.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-     - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2018.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2019.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2020.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-2023.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    custom_config: true
-    state: "present"
-
-  - name: "execut-aftermovie.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "present"
-
-  - name: "execut-app.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes:
-      - "execut-referer-tracking"
-    state: "absent"
-
-  - name: "execut-2021.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes: []
-    custom_config: true
-    state: "present"
-
-  - name: "execut.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    extra_includes: []
-    custom_config: true
-    state: "present"
-
   - name: "snic-preview.{{ canonical_hostname }}"
     user: "snic"
     alternative_names: []
@@ -286,16 +193,6 @@ websites:
     alternative_names: []
     state: "present"
 
-  - name: "execut-feedback.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    state: "present"
-
-  - name: "execut-qa.{{ canonical_hostname }}"
-    user: "symposium"
-    alternative_names: []
-    state: "present"
-
   - name: "files.{{ canonical_hostname }}"
     user: "bestuur"
     custom_config: true

diff --git a/ansible/group_vars/production/vars.yml b/ansible/group_vars/production/vars.yml
@@ -57,13 +57,6 @@ secret_backup_aws:
   access_key: "{{ vault_secret_backup_aws.access_key }}"
   secret_key: "{{ vault_secret_backup_aws.secret_key }}"
 
-secret_execut_website_aws:
-  access_key: "{{ vault_secret_execut_website_aws.access_key }}"
-  secret_key: "{{ vault_secret_execut_website_aws.secret_key }}"
-
-secret_execut_website_secretkey:
-  "{{ vault_secret_execut_website_secretkey }}"
-
 # To change, regenerate the token in Mollie's web interface.
 secret_mollie_token: "{{ vault_secret_mollie_token }}"
 
@@ -145,8 +138,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOXjzub9wBK7/eOu4sceuGu3JoAJAoulNtqlt+A4XvT [email protected]"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
 

diff --git a/ansible/group_vars/staging/vars.yml b/ansible/group_vars/staging/vars.yml
@@ -49,12 +49,6 @@ secret_backup_aws:
   access_key: "{{ vault_secret_backup_aws.access_key }}"
   secret_key: "{{ vault_secret_backup_aws.secret_key }}"
 
-secret_execut_website_aws:
-  access_key: "{{ vault_secret_execut_website_aws.access_key }}"
-  secret_key: "{{ vault_secret_execut_website_aws.secret_key }}"
-
-secret_execut_website_secretkey: "{{ vault_secret_execut_website_secretkey }}"
-
 # To change, regenerate the token in Mollie's web interface.
 secret_mollie_token: "{{ vault_secret_mollie_token }}"
 
@@ -136,8 +130,6 @@ secret_outline:
 secret_koala_manual:
   password: "{{ vault_secret_koala_manual.password }}"
 
-freight_ssh_pub_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQiL2YN1yBeUAwWZENc8lPK3Kj1kIG/57IbAuxL9yTk [email protected]"
-
 secret_healthchecks_io:
   ping_key: "{{ vault_secret_healthchecks_io.ping_key }}"
 
@@ -158,7 +150,7 @@ secret_chroma:
 
 fallacious_rooster:
   git_tag: "0.1.4"
-  
+
 digidecs:
   git_tag: "0.1.0"
-  server_port: 65437
+  server_port: 65437
diff --git a/ansible/main.yml b/ansible/main.yml
@@ -26,14 +26,12 @@
       tags: "docker"
     - role: "databases"
       tags: "databases"
+    - role: "nvm"
+      tags: "nvm"
     - role: "backups"
       tags: "backups"
     - role: "nginx"
       tags: "nginx"
-    - role: "php"
-      tags: "php"
-    - role: "node"
-      tags: "node"
     - role: "certbot"
       tags: "certbot"
     - role: "redis"
@@ -44,8 +42,6 @@
       tags: "websites"
     - role: "digidecs"
       tags: "digidecs"
-    - role: "freight"
-      tags: "freight"
     - role: "aas"
       tags: "aas"
     - role: "static_sticky"
@@ -62,8 +58,6 @@
       tags: "oauth"
     - role: "outline"
       tags: "outline"
-    - role: "execut"
-      tags: "execut"
     - role: "radio"
       tags: "radio"
     - role: "sodi"
@@ -87,3 +81,12 @@
       tags: "always"
     - role: "rooster"
       tags: "rooster"
+
+# Following is a list of removed roles, which we did have.
+# If, for some reason, we ever want to use on of the removed services again,
+# one can easily restore the role by reverting the following PRs:
+#
+# - execut: #475
+# - freight: #477
+# - php: #474
+# - node: #467
diff --git a/ansible/roles/backups/tasks/main.yml b/ansible/roles/backups/tasks/main.yml
@@ -5,6 +5,8 @@
     shell: "/usr/sbin/nologin"
     home: "/home/backup"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "install awscli"
   ansible.builtin.apt:

diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2
@@ -79,12 +79,11 @@ case "${SOURCE}" in
           S3PATH="${SOURCE}"
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
-          # phpMyAdmin and SODI directories excluded because no other
+          # SODI directories excluded because no other
           # committee can write to these folders and they are deployed from \
           # git anyway.
           # Pretix's virtualenv is excluded as it only contains binaries.
           upload_backup_to_s3 < <(tar \
-            --exclude='var/www/phpmyadmin.{{ canonical_hostname }}' \
             --exclude='var/www/sodi.{{ canonical_hostname }}' \
             --exclude='var/www/pretix/venv' \
             -c -f - -C / var/www \
@@ -105,11 +104,14 @@ case "${SOURCE}" in
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
           sudo -u backup mkdir -p /tmp/contentful-export
-          sudo -u backup -H npx contentful-cli space export \
-            --management-token {{ secret_contentful_export.token }} \
-            --space-id {{ secret_contentful_export.space_id }} \
-            --download-assets \
-            --export-dir /tmp/contentful-export
+          sudo -Hu backup bash -c `
+          `'source {{ nvm.script }} && nvm install {{ backups_node_version }} &&'`
+          `' nvm exec {{ backups_node_version }} npx contentful-cli space export'`
+          `' --management-token {{ secret_contentful_export.token }}'`
+          `' --space-id {{ secret_contentful_export.space_id }}'`
+          `' --download-assets'`
+          `' --export-dir /tmp/contentful-export'
+
           upload_backup_to_s3 < <(tar \
             -c -f - -C /tmp contentful-export \
             | gzip -9)

diff --git a/ansible/roles/backups/vars/main.yml b/ansible/roles/backups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+
+backups_node_version: "22"
diff --git a/ansible/roles/docker/tasks/docker-apt-repo.yml b/ansible/roles/docker/tasks/docker-apt-repo.yml
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
@@ -6,7 +6,14 @@
   block:
 
   - name: "Add Docker apt repository"
-    ansible.builtin.include_tasks: "docker-apt-repo.yml"
+    ansible.builtin.deb822_repository: # See https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository
+      name: "docker"
+      types: "deb"
+      uris: "https://download.docker.com/linux/{{ ansible_distribution | lower }}"
+      suites: "{{ ansible_distribution_release }}"
+      components: "stable"
+      architectures: "amd64"
+      signed_by: "https://download.docker.com/linux/ubuntu/gpg"
 
   - name: "Install Docker packages"
     ansible.builtin.package:
@@ -16,6 +23,7 @@
         - "containerd.io"
         - "docker-buildx-plugin"
       state: "present"
+      update_cache: true
 
   - name: "Ensure Docker is started and enabled at boot"
     ansible.builtin.service: