def setup_config(ctx, app_dir, user, context):
    """Render production.ini from its template and install it in the app dir.

    The template is filled locally with ``context``; the rendered file is then
    uploaded to ``{app_dir}/production.ini`` and chowned to ``user``.
    """
    template_path = "../repondeur/production.ini.template"
    rendered_path = "../repondeur/production.ini"
    with template_local_file(template_path, rendered_path, context):
        remote_path = f"{app_dir}/production.ini"
        # NOTE(review): only ownership is set here. If the rendered ini holds
        # secrets, confirm that sudo_put does not leave the remote file
        # readable by other local users.
        sudo_put(ctx, rendered_path, remote_path, chown=user)
def setup_webapp_service(ctx):
    """Remove the legacy ``repondeur`` unit, then install and enable zam_webapp.

    The unit file is rendered from a template with the gunicorn worker count
    (2 * CPU count + 1) and the configured request timeout.
    """
    # Clean up old service. The trailing "|| exit 0" makes the whole chain
    # report success, both when the old unit file is absent and when one of
    # the later steps fails.
    legacy_unit = "/etc/systemd/system/repondeur.service"
    cleanup_steps = [
        f"[ -f {legacy_unit} ]",
        "systemctl stop repondeur",
        "systemctl disable repondeur",
        f"rm -f {legacy_unit}",
    ]
    ctx.sudo(" && ".join(cleanup_steps) + " || exit 0")

    rendered_unit = "files/zam_webapp.service"
    unit_settings = {
        "gunicorn_workers": (cpu_count(ctx) * 2) + 1,
        "gunicorn_timeout": ctx.config["request_timeout"],
    }
    with template_local_file(
        "files/zam_webapp.service.template", rendered_unit, unit_settings
    ):
        sudo_put(ctx, rendered_unit, "/etc/systemd/system/zam_webapp.service")

    for action in ("daemon-reload", "enable zam_webapp"):
        ctx.sudo(f"systemctl {action}")
def _munin_setup_redis_plugin(ctx):
    """Upload the munin Redis plugin, make it executable and enable it.

    The plugin is enabled by symlinking it into /etc/munin/plugins under the
    name ``redis_127.0.0.1_6379``.
    """
    plugin_path = "/usr/share/munin/plugins/redis_"
    sudo_put(ctx, "files/munin/munin-redis.sh", plugin_path)
    ctx.sudo(f"chmod +x {plugin_path}")
    ctx.sudo(f"ln -sf '{plugin_path}' '/etc/munin/plugins/redis_127.0.0.1_6379'")
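def setup_redis(ctx):
    """Install redis-server and apply the project's sysctl settings for it.

    The sysctl drop-in is uploaded root-owned to /etc/sysctl.d and the procps
    service is reloaded so the settings are applied.
    """
    install_packages(ctx, "redis-server")
    sudo_put(
        ctx,
        "files/redis/sysctl.conf",
        "/etc/sysctl.d/60-redis-server.conf",
        chown="root",
    )
    # ctx.sudo already elevates the command, so the nested "sudo" that used to
    # prefix it was redundant and has been dropped.
    ctx.sudo("service procps reload")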
def setup_postgres(ctx):
    """Install PostgreSQL (plus libpq-dev) and apply the project's settings.

    The static configuration file is uploaded as a conf.d drop-in for the
    10/main cluster, owned by ``postgres``, and the cluster is reloaded.
    """
    packages = ("postgresql", "libpq-dev")
    install_packages(ctx, *packages)

    dropin_path = "/etc/postgresql/10/main/conf.d/zam.conf"
    sudo_put(ctx, "files/postgres.conf", dropin_path, chown="postgres")
    ctx.sudo("systemctl reload postgresql@10-main")
def _munin_setup_nginx_plugin(ctx):
    """Upload the munin plugin configuration for nginx and enable its plugins.

    The ``nginx_request`` and ``nginx_status`` plugins are enabled by
    symlinking them from /usr/share/munin/plugins into /etc/munin/plugins.
    """
    sudo_put(
        ctx,
        "files/munin/munin-nginx.conf",
        "/etc/munin/plugin-conf.d/munin-nginx.conf",
    )
    for plugin in ("nginx_request", "nginx_status"):
        ctx.sudo(
            f"ln -sf '/usr/share/munin/plugins/{plugin}' '/etc/munin/plugins/{plugin}'"
        )
def monitoring(ctx):
    """
    Setup basic system monitoring using munin.

    Installs munin and munin-node with their Perl dependencies, uploads both
    configuration files, enables the nginx, postgres and redis plugins, and
    restarts munin-node so the changes take effect.
    """
    packages = [
        "munin",
        "munin-node",
        "libdbd-pg-perl",
        "libparse-http-useragent-perl",
    ]
    install_packages(ctx, *packages)

    for config_name in ("munin.conf", "munin-node.conf"):
        sudo_put(ctx, f"files/munin/{config_name}", f"/etc/munin/{config_name}")

    _munin_setup_nginx_plugin(ctx)
    _munin_setup_postgres_plugin(ctx)
    _munin_setup_redis_plugin(ctx)

    ctx.sudo("systemctl restart munin-node")
def setup_webapp_service(ctx):
    """Remove the legacy ``repondeur`` unit, then install and start zam_webapp.

    The static unit file is uploaded, systemd is reloaded, and the service is
    enabled and restarted.
    """
    # Clean up old service. The trailing "|| exit 0" makes the whole chain
    # report success, both when the old unit file is absent and when one of
    # the later steps fails.
    legacy_unit = "/etc/systemd/system/repondeur.service"
    cleanup_command = " && ".join(
        (
            f"[ -f {legacy_unit} ]",
            "systemctl stop repondeur",
            "systemctl disable repondeur",
            f"rm -f {legacy_unit}",
        )
    )
    ctx.sudo(cleanup_command + " || exit 0")

    sudo_put(
        ctx, "files/zam_webapp.service", "/etc/systemd/system/zam_webapp.service"
    )
    for action in ("daemon-reload", "enable zam_webapp", "restart zam_webapp"):
        ctx.sudo(f"systemctl {action}")
def setup_unattended_upgrades(ctx):
    """Install unattended-upgrades and upload its rendered apt configuration.

    The addresses under the ``admins`` config key (empty list when the key is
    missing) are joined with commas and passed to the template as ``email``.
    """
    install_packages(ctx, "unattended-upgrades", "bsd-mailx")

    # NOTE(review): with no admins configured, the template receives an empty
    # "email" value; confirm the template copes with that.
    recipients = ",".join(ctx.config.get("admins", []))

    rendered_path = "files/unattended-upgrades.conf"
    with template_local_file(
        "files/unattended-upgrades.conf.template",
        rendered_path,
        {"email": recipients},
    ):
        sudo_put(ctx, rendered_path, "/etc/apt/apt.conf.d/50unattended-upgrades")
def setup_postgres(ctx):
    """Install PostgreSQL and apply a configuration sized to the host's memory.

    ``shared_buffers`` is set to a quarter of what ``total_memory`` reports.
    The rendered file is uploaded as a conf.d drop-in for the 10/main cluster,
    owned by ``postgres``, and the cluster is reloaded.
    """
    install_packages(ctx, "postgresql")

    # 25% total RAM
    template_values = {"shared_buffers": total_memory(ctx) // 4}

    rendered_path = "files/postgres.conf"
    with template_local_file(
        "files/postgres.conf.template", rendered_path, template_values
    ):
        sudo_put(
            ctx,
            rendered_path,
            "/etc/postgresql/10/main/conf.d/zam.conf",
            chown="postgres",
        )
    ctx.sudo("systemctl reload postgresql@10-main")
def letsencrypt(ctx):
    """Install certbot, configure it for this host and request a certificate.

    The host name reported by the remote ``hostname`` command is rendered into
    certbot.ini. A weekly renewal script is installed under /etc/cron.weekly,
    then ``certbot certonly`` is run non-interactively.
    """
    # NOTE(review): add-apt-repository is normally shipped by
    # software-properties-common, which is only installed on the next line, so
    # this step relies on the host already having it.
    # The PPA added here becomes a package source that apt trusts on this host.
    ctx.sudo("add-apt-repository ppa:certbot/certbot")
    install_packages(ctx, "certbot", "software-properties-common")

    host = ctx.run("hostname").stdout.strip()

    rendered_ini = "files/letsencrypt/certbot.ini"
    with template_local_file(
        "files/letsencrypt/certbot.ini.template", rendered_ini, {"host": host}
    ):
        sudo_put(ctx, rendered_ini, "/srv/zam/certbot.ini")

    renew_script = "/etc/cron.weekly/ssl-renew"
    sudo_put(ctx, "files/letsencrypt/ssl-renew", renew_script)
    ctx.sudo(f"chmod +x {renew_script}")

    ctx.sudo("certbot certonly -c /srv/zam/certbot.ini --non-interactive --agree-tos")
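def setup_backups(
    ctx,
    os_storage_url="",
    os_tenant_id="",
    os_tenant_name="",
    os_username="",
    os_password="",
):
    """Install rotate-backups and the hourly backup cron script.

    The five ``os_*`` values (storage URL, tenant id and name, username and
    password) are passed to the cron script template. The rendered script is
    uploaded to /etc/cron.hourly/zam-backups and made executable.
    """
    # NOTE(review): this installs an unpinned package from the package index
    # as root; consider pinning a reviewed version.
    ctx.sudo("python3 -m pip install rotate-backups")

    rendered_script = "files/cron-zam-backups.sh"
    remote_script = "/etc/cron.hourly/zam-backups"
    credentials = {
        "os_storage_url": os_storage_url,
        "os_tenant_id": os_tenant_id,
        "os_tenant_name": os_tenant_name,
        "os_username": os_username,
        "os_password": os_password,
    }
    with template_local_file(
        "files/cron-zam-backups.sh.template", rendered_script, credentials
    ):
        # NOTE(review): the mode sudo_put gives the new file is not visible
        # here; if it is world-readable, the script is exposed until the chmod
        # below runs.
        sudo_put(ctx, rendered_script, remote_script)

    # The template is given the storage password, so the rendered script must
    # not be readable by other local users. Mode 700 keeps it executable for
    # its owner and closes it to everyone else; this assumes the file is owned
    # by root (TODO confirm sudo_put's default owner).
    ctx.sudo(f"chmod 700 {remote_script}")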
def http(ctx, ssl=False):
    """Install the nginx site configuration (HTTP or HTTPS) and restart nginx.

    The letsencrypt and ssl snippets are always uploaded. With ``ssl`` false,
    the plain HTTP site is rendered for the remote host name. With ``ssl``
    true, the HTTPS site is rendered using the Let's Encrypt certificate for
    that host name, or the self-signed pair under /etc/nginx when the
    certificate file is missing.
    """
    snippet_uploads = (
        ("files/letsencrypt/letsencrypt.conf", "/etc/nginx/snippets/letsencrypt.conf"),
        ("files/nginx/ssl.conf", "/etc/nginx/snippets/ssl.conf"),
    )
    for local_path, remote_path in snippet_uploads:
        sudo_put(ctx, local_path, remote_path)

    hostname = ctx.run("hostname").stdout.strip()
    site_path = "/etc/nginx/sites-available/default"

    if not ssl:
        # Before letsencrypt.
        with template_local_file(
            "files/nginx/http.conf.template",
            "files/nginx/http.conf",
            {"host": hostname},
        ):
            sudo_put(ctx, "files/nginx/http.conf", site_path)
    else:
        live_dir = f"/etc/letsencrypt/live/{hostname}"
        ssl_cert = f"{live_dir}/fullchain.pem"
        ssl_key = f"{live_dir}/privkey.pem"

        # Only the certificate is tested; the key is assumed to sit next to
        # it. The path is shell-quoted because it embeds the host name.
        has_live_cert = ctx.sudo(f"[ -f {quote(ssl_cert)} ]", warn=True).ok
        if not has_live_cert:
            ssl_cert = "/etc/nginx/self-signed.crt"
            ssl_key = "/etc/nginx/self-signed.key"

        # Basic auth is enabled only when an htpasswd file already exists on
        # the host; without one the site is served with basic auth "off".
        htpasswd_exists = ctx.sudo("[ -f /etc/nginx/.htpasswd ]", warn=True).ok
        auth_mode = '"Restricted"' if htpasswd_exists else "off"

        site_settings = {
            "host": hostname,
            "timeout": ctx.config["request_timeout"],
            "ssl_cert": ssl_cert,
            "ssl_key": ssl_key,
            "basic_auth_mode": auth_mode,
        }
        with template_local_file(
            "files/nginx/https.conf.template",
            "files/nginx/https.conf",
            site_settings,
        ):
            sudo_put(ctx, "files/nginx/https.conf", site_path)

    ctx.sudo("systemctl restart nginx")
def deploy_changelog(ctx, source="../CHANGELOG.md"):
    """Render the changelog to HTML and publish it as /srv/zam/index.html.

    The Markdown at ``source`` is converted with ``commonmark`` and passed to
    the index.html template as ``content``. The uploaded file is chowned to
    ``zam``.
    """
    markdown_text = Path(source).read_text()
    # NOTE(review): the converted HTML goes into the page as-is; confirm
    # whether commonmark passes raw HTML from the changelog through, and that
    # the changelog is only edited by trusted committers.
    rendered_html = commonmark(markdown_text)

    page_values = {"content": rendered_html}
    with template_local_file("index.html.template", "index.html", page_values):
        sudo_put(ctx, "index.html", "/srv/zam/index.html", chown="zam")
def setup_worker_service(ctx):
    """Install the zam_worker systemd unit and enable it.

    The static unit file is uploaded, systemd is reloaded and the service is
    enabled; it is not started or restarted here.
    """
    unit_name = "zam_worker"
    sudo_put(
        ctx,
        f"files/{unit_name}.service",
        f"/etc/systemd/system/{unit_name}.service",
    )
    ctx.sudo("systemctl daemon-reload")
    ctx.sudo(f"systemctl enable {unit_name}")