Esempio n. 1
def setup_config(ctx, app_dir, user, context):
    """Render ``production.ini`` locally and install it under *app_dir*.

    ``template_local_file`` renders the template with *context*; the result
    is uploaded with ``sudo_put`` and its ownership is set to *user*.
    """
    template_path = "../repondeur/production.ini.template"
    rendered_path = "../repondeur/production.ini"
    # NOTE(review): the rendered file sits in the local checkout while this
    # block runs and holds whatever *context* carries (possibly secrets).
    # Presumably template_local_file removes it on exit; confirm, and check
    # the mode of the uploaded file as well as its owner.
    with template_local_file(template_path, rendered_path, context):
        destination = f"{app_dir}/production.ini"
        sudo_put(ctx, rendered_path, destination, chown=user)
Esempio n. 2
def setup_webapp_service(ctx):
    """Remove the legacy ``repondeur`` unit and install ``zam_webapp``.

    The unit file is rendered from its template with a gunicorn worker count
    derived from ``cpu_count(ctx)`` and the configured request timeout, then
    systemd is reloaded and the new service is enabled (not started here).
    """
    # Clean up old service. The trailing "|| exit 0" makes the whole chain
    # succeed even when the unit is absent, and also when stop/disable/rm fail.
    legacy_cleanup = (
        "[ -f /etc/systemd/system/repondeur.service ]",
        "systemctl stop repondeur",
        "systemctl disable repondeur",
        "rm -f /etc/systemd/system/repondeur.service",
    )
    ctx.sudo(" && ".join(legacy_cleanup) + " || exit 0")

    unit_settings = {
        "gunicorn_workers": (cpu_count(ctx) * 2) + 1,
        "gunicorn_timeout": ctx.config["request_timeout"],
    }
    rendered_unit = "files/zam_webapp.service"
    with template_local_file(
        "files/zam_webapp.service.template", rendered_unit, unit_settings
    ):
        # NOTE(review): no chown is passed, so owner and mode of the unit file
        # are whatever sudo_put defaults to; verify it is root-owned and not
        # writable by the service account.
        sudo_put(ctx, rendered_unit, "/etc/systemd/system/zam_webapp.service")

    for action in ("daemon-reload", "enable zam_webapp"):
        ctx.sudo(f"systemctl {action}")
Esempio n. 3
def _munin_setup_redis_plugin(ctx):
    """Install the munin redis plugin and link it for 127.0.0.1:6379."""
    plugin_path = "/usr/share/munin/plugins/redis_"
    # The script is uploaded with sudo and later run by munin-node, so
    # files/munin/munin-redis.sh should be reviewed like any privileged script.
    sudo_put(ctx, "files/munin/munin-redis.sh", plugin_path)
    ctx.sudo(f"chmod +x {plugin_path}")
    # The symlink name carries the host and port of the monitored instance.
    ctx.sudo(f"ln -sf '{plugin_path}' '/etc/munin/plugins/redis_127.0.0.1_6379'")
Esempio n. 4
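def setup_redis(ctx):
    """Install redis-server and push its kernel tuning file.

    ``files/redis/sysctl.conf`` is uploaded to
    ``/etc/sysctl.d/60-redis-server.conf`` owned by root, then the ``procps``
    service is reloaded (presumably so the new sysctl values are applied).
    """
    install_packages(ctx, "redis-server")
    sudo_put(
        ctx,
        "files/redis/sysctl.conf",
        "/etc/sysctl.d/60-redis-server.conf",
        chown="root",
    )
    # ctx.sudo already runs the command through sudo; the original string
    # started with a second "sudo", which only nested one privileged call
    # inside another.
    ctx.sudo("service procps reload")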
Esempio n. 5
def setup_postgres(ctx):
    """Install PostgreSQL and drop the project's static configuration file.

    The file lands in the ``conf.d`` directory of the ``10/main`` cluster,
    owned by ``postgres``, and that cluster is reloaded afterwards.
    """
    packages = ("postgresql", "libpq-dev")
    install_packages(ctx, *packages)

    local_conf = "files/postgres.conf"
    remote_conf = "/etc/postgresql/10/main/conf.d/zam.conf"
    # The path and the unit name below both hard-code major version 10.
    sudo_put(ctx, local_conf, remote_conf, chown="postgres")
    ctx.sudo("systemctl reload postgresql@10-main")
Esempio n. 6
def _munin_setup_nginx_plugin(ctx):
    """Upload the munin nginx plugin config and enable both nginx plugins."""
    sudo_put(
        ctx,
        "files/munin/munin-nginx.conf",
        "/etc/munin/plugin-conf.d/munin-nginx.conf",
    )
    # Enabling a plugin means linking it from the shipped plugin directory
    # into /etc/munin/plugins; -f replaces an existing link.
    for plugin in ("nginx_request", "nginx_status"):
        ctx.sudo(
            f"ln -sf '/usr/share/munin/plugins/{plugin}' '/etc/munin/plugins/{plugin}'"
        )
Esempio n. 7
def monitoring(ctx):
    """
    Set up basic system monitoring with munin.

    Installs the munin packages, uploads the master and node configuration,
    enables the nginx, postgres and redis plugins, then restarts munin-node.
    """
    munin_packages = (
        "munin",
        "munin-node",
        "libdbd-pg-perl",
        "libparse-http-useragent-perl",
    )
    install_packages(ctx, *munin_packages)

    # NOTE(review): files/munin/munin-node.conf decides which addresses
    # munin-node listens on and which hosts may query it; confirm it is
    # restricted to the munin master.
    for conf_name in ("munin.conf", "munin-node.conf"):
        sudo_put(ctx, f"files/munin/{conf_name}", f"/etc/munin/{conf_name}")

    _munin_setup_nginx_plugin(ctx)
    _munin_setup_postgres_plugin(ctx)
    _munin_setup_redis_plugin(ctx)

    # Restart so the node picks up the new configuration and plugin links.
    ctx.sudo("systemctl restart munin-node")
Esempio n. 8
def setup_webapp_service(ctx):
    """Remove the legacy ``repondeur`` unit, then install and start ``zam_webapp``.

    The static unit file is uploaded as is; systemd is reloaded and the
    service is enabled and restarted.
    """
    # Clean up old service. "|| exit 0" turns any failure in the chain,
    # including a missing unit file, into success.
    legacy_cleanup = (
        "[ -f /etc/systemd/system/repondeur.service ]",
        "systemctl stop repondeur",
        "systemctl disable repondeur",
        "rm -f /etc/systemd/system/repondeur.service",
    )
    ctx.sudo(" && ".join(legacy_cleanup) + " || exit 0")

    # NOTE(review): no chown is passed; verify that sudo_put leaves the unit
    # file root-owned and not writable by the service account.
    sudo_put(
        ctx,
        "files/zam_webapp.service",
        "/etc/systemd/system/zam_webapp.service",
    )
    for action in ("daemon-reload", "enable zam_webapp", "restart zam_webapp"):
        ctx.sudo(f"systemctl {action}")
Esempio n. 9
def setup_unattended_upgrades(ctx):
    """Install unattended-upgrades and configure its notification address.

    The addresses come from the ``admins`` entry of ``ctx.config`` and are
    joined with commas into the ``email`` template variable.
    """
    install_packages(ctx, "unattended-upgrades", "bsd-mailx")

    # With no "admins" configured the join yields an empty string, so the
    # template is rendered with an empty email value.
    recipients = ",".join(ctx.config.get("admins", []))
    rendered_conf = "files/unattended-upgrades.conf"
    with template_local_file(
        "files/unattended-upgrades.conf.template",
        rendered_conf,
        {"email": recipients},
    ):
        sudo_put(ctx, rendered_conf, "/etc/apt/apt.conf.d/50unattended-upgrades")
Esempio n. 10
def setup_postgres(ctx):
    """Install PostgreSQL and render its configuration from a template.

    ``shared_buffers`` is set to a quarter of ``total_memory(ctx)``. The
    rendered file goes to the ``conf.d`` directory of the ``10/main``
    cluster, owned by ``postgres``, and that cluster is reloaded afterwards.
    """
    install_packages(ctx, "postgresql")

    # 25% of total RAM; the unit is whatever total_memory() returns and the
    # template is assumed to append the matching suffix. TODO confirm.
    quarter_of_ram = total_memory(ctx) // 4
    rendered_conf = "files/postgres.conf"
    with template_local_file(
        "files/postgres.conf.template",
        rendered_conf,
        {"shared_buffers": quarter_of_ram},
    ):
        sudo_put(
            ctx,
            rendered_conf,
            "/etc/postgresql/10/main/conf.d/zam.conf",
            chown="postgres",
        )
    ctx.sudo("systemctl reload postgresql@10-main")
Esempio n. 11
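def letsencrypt(ctx):
    """Install certbot, its configuration and weekly renewal, then request a certificate.

    The certificate is requested for the name the remote ``hostname`` command
    reports. ``certbot.ini`` is rendered with that name and uploaded to
    ``/srv/zam``; the renewal script is installed as a weekly cron job.
    """
    # add-apt-repository is shipped by software-properties-common, so that
    # package has to be installed before the PPA can be registered (the
    # original called the tool first and installed its package afterwards).
    install_packages(ctx, "software-properties-common")
    # NOTE(review): a PPA is a third-party package source. Everything later
    # installed from it runs as root, so it is part of the host's trust base.
    ctx.sudo("add-apt-repository ppa:certbot/certbot")
    install_packages(ctx, "certbot")

    # The value is reported by the remote host and goes straight into the
    # certbot configuration template.
    hostname = ctx.run("hostname").stdout.strip()
    with template_local_file(
        "files/letsencrypt/certbot.ini.template",
        "files/letsencrypt/certbot.ini",
        {"host": hostname},
    ):
        sudo_put(ctx, "files/letsencrypt/certbot.ini", "/srv/zam/certbot.ini")

    # The renewal script is run by root's weekly cron; it only needs the
    # execute bit added here.
    sudo_put(ctx, "files/letsencrypt/ssl-renew", "/etc/cron.weekly/ssl-renew")
    ctx.sudo("chmod +x /etc/cron.weekly/ssl-renew")
    ctx.sudo(
        "certbot certonly -c /srv/zam/certbot.ini --non-interactive --agree-tos"
    )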
Esempio n. 12
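def setup_backups(
    ctx,
    os_storage_url="",
    os_tenant_id="",
    os_tenant_name="",
    os_username="",
    os_password="",
):
    """Install the hourly backup cron script with its object-storage settings.

    The five ``os_*`` values, including the account password, are handed to
    the script template, so the rendered script is treated as a secret: it is
    installed executable for its owner only.
    """
    # NOTE(review): unpinned install from the package index, run as root.
    # Consider pinning the version (and hashes) of rotate-backups.
    ctx.sudo("python3 -m pip install rotate-backups")
    with template_local_file(
        "files/cron-zam-backups.sh.template",
        "files/cron-zam-backups.sh",
        {
            "os_storage_url": os_storage_url,
            "os_tenant_id": os_tenant_id,
            "os_tenant_name": os_tenant_name,
            "os_username": os_username,
            "os_password": os_password,
        },
    ):
        # NOTE(review): between this upload and the chmod below the file has
        # whatever mode sudo_put gives it; confirm that default is not
        # world-readable. The locally rendered copy also holds the password
        # while this block runs.
        sudo_put(ctx, "files/cron-zam-backups.sh", "/etc/cron.hourly/zam-backups")

    # The original used 755, which left a script rendered with os_password
    # readable by every local account. 700 keeps it runnable by root's hourly
    # cron while hiding its contents from other users.
    ctx.sudo("chmod 700 /etc/cron.hourly/zam-backups")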
Esempio n. 13
def http(ctx, ssl=False):
    """Install the nginx site configuration and restart nginx.

    With ``ssl`` false the plain-HTTP template is used (the state before a
    certificate exists). With ``ssl`` true the HTTPS template is rendered
    with the Let's Encrypt certificate for the remote hostname, or with the
    self-signed pair when that certificate file is missing.
    """
    sudo_put(
        ctx,
        "files/letsencrypt/letsencrypt.conf",
        "/etc/nginx/snippets/letsencrypt.conf",
    )
    sudo_put(ctx, "files/nginx/ssl.conf", "/etc/nginx/snippets/ssl.conf")

    # Reported by the remote host. It is shell-quoted below before being used
    # in a command, but reaches the nginx templates unmodified.
    hostname = ctx.run("hostname").stdout.strip()

    if ssl:
        live_dir = f"/etc/letsencrypt/live/{hostname}"
        ssl_cert = f"{live_dir}/fullchain.pem"
        ssl_key = f"{live_dir}/privkey.pem"
        # Only the certificate chain is probed; the key is assumed to sit
        # next to it.
        has_issued_cert = ctx.sudo(f"[ -f {quote(ssl_cert)} ]", warn=True).ok
        if not has_issued_cert:
            ssl_cert = "/etc/nginx/self-signed.crt"
            ssl_key = "/etc/nginx/self-signed.key"

        htpasswd_exists = ctx.sudo("[ -f /etc/nginx/.htpasswd ]", warn=True).ok
        # Without an .htpasswd file the template receives "off", i.e. the
        # site is presumably served without basic authentication.
        auth_mode = '"Restricted"' if htpasswd_exists else "off"

        flavour = "https"
        site_context = {
            "host": hostname,
            "timeout": ctx.config["request_timeout"],
            "ssl_cert": ssl_cert,
            "ssl_key": ssl_key,
            "basic_auth_mode": auth_mode,
        }
    else:
        # Before letsencrypt.
        flavour = "http"
        site_context = {"host": hostname}

    rendered_site = f"files/nginx/{flavour}.conf"
    with template_local_file(f"{rendered_site}.template", rendered_site, site_context):
        sudo_put(ctx, rendered_site, "/etc/nginx/sites-available/default")
    ctx.sudo("systemctl restart nginx")
Esempio n. 14
def deploy_changelog(ctx, source="../CHANGELOG.md"):
    """Render the changelog to HTML and publish it as ``/srv/zam/index.html``.

    *source* is read locally, converted with ``commonmark`` and inserted into
    ``index.html.template`` as ``content``; the page is uploaded owned by
    ``zam``.
    """
    markdown_text = Path(source).read_text()
    # NOTE(review): the rendered HTML is inserted into the page as is. That is
    # fine while the changelog is trusted repository content; if the renderer
    # passes raw HTML through, anything in the file ends up on the page.
    page_context = {"content": commonmark(markdown_text)}
    with template_local_file("index.html.template", "index.html", page_context):
        sudo_put(ctx, "index.html", "/srv/zam/index.html", chown="zam")
Esempio n. 15
def setup_worker_service(ctx):
    """Install the ``zam_worker`` systemd unit and enable it (without starting it)."""
    unit_name = "zam_worker"
    # NOTE(review): no chown is passed; verify that sudo_put leaves the unit
    # file root-owned and not writable by the account the worker runs as.
    sudo_put(
        ctx,
        f"files/{unit_name}.service",
        f"/etc/systemd/system/{unit_name}.service",
    )
    for action in ("daemon-reload", f"enable {unit_name}"):
        ctx.sudo(f"systemctl {action}")