Example #1
def setup_config(ctx, app_dir, user, context):
    """Render ``production.ini`` locally and upload it into ``app_dir``.

    The template ``../repondeur/production.ini.template`` is rendered with
    ``context`` to ``../repondeur/production.ini``; while the template context
    manager is active the rendered file is uploaded to
    ``{app_dir}/production.ini`` with ``chown=user``.
    """
    rendered_ini = "../repondeur/production.ini"
    # NOTE(review): a production .ini presumably carries application secrets.
    # Confirm that sudo_put leaves the remote file unreadable to other accounts
    # and that template_local_file removes the rendered local copy on exit.
    with template_local_file(f"{rendered_ini}.template", rendered_ini, context):
        remote_ini = f"{app_dir}/production.ini"
        sudo_put(ctx, rendered_ini, remote_ini, chown=user)
Example #2
def setup_webapp_service(ctx):
    """Remove the legacy ``repondeur`` unit and install ``zam_webapp``.

    The new unit file is rendered from ``files/zam_webapp.service.template``
    with ``2 * cpu_count + 1`` gunicorn workers and the configured
    ``request_timeout``, copied to ``/etc/systemd/system`` and enabled.
    This function reloads systemd and enables the unit; it does not start it.
    """
    # Clean up old service.  The trailing "|| exit 0" makes the whole chain
    # report success: both "unit file absent" and a failing stop/disable/rm
    # end with exit status 0, so a half-removed legacy unit goes unnoticed.
    cleanup_steps = (
        "[ -f /etc/systemd/system/repondeur.service ]",
        "systemctl stop repondeur",
        "systemctl disable repondeur",
        "rm -f /etc/systemd/system/repondeur.service",
    )
    ctx.sudo(f"{' && '.join(cleanup_steps)} || exit 0")

    unit_settings = {
        "gunicorn_workers": cpu_count(ctx) * 2 + 1,
        "gunicorn_timeout": ctx.config["request_timeout"],
    }
    local_unit = "files/zam_webapp.service"
    with template_local_file(f"{local_unit}.template", local_unit, unit_settings):
        sudo_put(ctx, local_unit, "/etc/systemd/system/zam_webapp.service")

    for action in ("daemon-reload", "enable zam_webapp"):
        ctx.sudo(f"systemctl {action}")
Example #3
def http(ctx, ssl=False):
    """Install the nginx snippets and default site, then restart nginx.

    With ``ssl`` false, the plain HTTP site is rendered from
    ``files/nginx/http.conf.template``.  With ``ssl`` true, the HTTPS site is
    rendered from ``files/nginx/https.conf.template`` using the Let's Encrypt
    certificate for the remote hostname when it exists, otherwise the
    self-signed pair under ``/etc/nginx``.  Basic authentication is set to
    ``"Restricted"`` only when ``/etc/nginx/.htpasswd`` exists.
    """
    snippets = (
        ("files/letsencrypt/letsencrypt.conf", "/etc/nginx/snippets/letsencrypt.conf"),
        ("files/nginx/ssl.conf", "/etc/nginx/snippets/ssl.conf"),
    )
    for local_snippet, remote_snippet in snippets:
        sudo_put(ctx, local_snippet, remote_snippet)

    # The name is whatever the remote `hostname` command reports; it selects
    # the certificate directory and is passed to the templates as "host".
    hostname = ctx.run("hostname").stdout.strip()
    site_path = "/etc/nginx/sites-available/default"

    if not ssl:
        # Before letsencrypt.
        with template_local_file(
            "files/nginx/http.conf.template",
            "files/nginx/http.conf",
            {"host": hostname},
        ):
            sudo_put(ctx, "files/nginx/http.conf", site_path)
    else:
        live_dir = f"/etc/letsencrypt/live/{hostname}"
        ssl_cert = f"{live_dir}/fullchain.pem"
        ssl_key = f"{live_dir}/privkey.pem"
        # Only the certificate is probed; the private key is assumed to sit
        # next to it.  The path is shell-quoted because it embeds the hostname.
        cert_present = ctx.sudo(f"[ -f {quote(ssl_cert)} ]", warn=True).ok
        if not cert_present:
            # Silent fallback: clients will see an untrusted self-signed cert.
            ssl_cert, ssl_key = (
                "/etc/nginx/self-signed.crt",
                "/etc/nginx/self-signed.key",
            )

        htpasswd_exists = ctx.sudo("[ -f /etc/nginx/.htpasswd ]", warn=True).ok
        # NOTE(review): a missing .htpasswd turns basic auth off without any
        # warning, so the site is served unauthenticated -- confirm that this
        # is intended for every environment this task targets.
        auth_mode = '"Restricted"' if htpasswd_exists else "off"

        https_settings = {
            "host": hostname,
            "timeout": ctx.config["request_timeout"],
            "ssl_cert": ssl_cert,
            "ssl_key": ssl_key,
            "basic_auth_mode": auth_mode,
        }
        with template_local_file(
            "files/nginx/https.conf.template",
            "files/nginx/https.conf",
            https_settings,
        ):
            sudo_put(ctx, "files/nginx/https.conf", site_path)

    ctx.sudo("systemctl restart nginx")
Example #4
def setup_unattended_upgrades(ctx):
    """Install ``unattended-upgrades`` and ``bsd-mailx`` and push the apt config.

    The addresses in ``ctx.config["admins"]`` (an empty list when the key is
    missing) are joined with commas and given to the template as ``email``;
    the rendered file replaces
    ``/etc/apt/apt.conf.d/50unattended-upgrades``.
    """
    install_packages(ctx, "unattended-upgrades", "bsd-mailx")
    # With no admins configured the template receives an empty string.
    # NOTE(review): check how the template treats an empty "email" value, so
    # that failed or pending security updates are still reported to someone.
    recipients = ",".join(ctx.config.get("admins", []))
    rendered_conf = "files/unattended-upgrades.conf"
    with template_local_file(
        f"{rendered_conf}.template", rendered_conf, {"email": recipients}
    ):
        sudo_put(ctx, rendered_conf, "/etc/apt/apt.conf.d/50unattended-upgrades")
Example #5
def setup_postgres(ctx):
    """Install PostgreSQL and push the ``zam.conf`` tuning file.

    ``shared_buffers`` is set to a quarter of ``total_memory(ctx)``.  The
    rendered file is uploaded to the PostgreSQL 10 ``conf.d`` directory with
    ``chown="postgres"`` and the ``postgresql@10-main`` unit is reloaded.
    """
    install_packages(ctx, "postgresql")
    quarter_of_ram = total_memory(ctx) // 4  # 25% total RAM
    tuning = {"shared_buffers": quarter_of_ram}
    local_conf = "files/postgres.conf"
    # The major version (10) is hard-coded in both the path and the unit name,
    # so this only works where the "postgresql" package installs version 10.
    remote_conf = "/etc/postgresql/10/main/conf.d/zam.conf"
    with template_local_file(f"{local_conf}.template", local_conf, tuning):
        sudo_put(ctx, local_conf, remote_conf, chown="postgres")
    # NOTE(review): PostgreSQL applies shared_buffers only at server start, so
    # a reload will not pick up a changed value -- confirm a restart happens
    # elsewhere.
    ctx.sudo("systemctl reload postgresql@10-main")
Example #6
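def letsencrypt(ctx):
    """Install certbot, its configuration and weekly renewal, then request a cert.

    Steps, in order: install ``software-properties-common``, add the certbot
    PPA, install ``certbot``, render ``certbot.ini`` for the remote hostname
    into ``/srv/zam/certbot.ini``, install the ``ssl-renew`` weekly cron
    script and make it executable, then run ``certbot certonly``
    non-interactively with that configuration.
    """
    # add-apt-repository is shipped by software-properties-common, so that
    # package has to be installed before the PPA can be added; the original
    # order only worked on images where it was already present.
    install_packages(ctx, "software-properties-common")
    # NOTE(review): the PPA is a third-party package source; every package it
    # publishes is installed with root privileges on this host.
    ctx.sudo("add-apt-repository ppa:certbot/certbot")
    install_packages(ctx, "certbot")

    hostname = ctx.run("hostname").stdout.strip()
    with template_local_file(
        "files/letsencrypt/certbot.ini.template",
        "files/letsencrypt/certbot.ini",
        {"host": hostname},
    ):
        sudo_put(ctx, "files/letsencrypt/certbot.ini", "/srv/zam/certbot.ini")

    # Renewal runs from cron.weekly, so the script needs the executable bit.
    sudo_put(ctx, "files/letsencrypt/ssl-renew", "/etc/cron.weekly/ssl-renew")
    ctx.sudo("chmod +x /etc/cron.weekly/ssl-renew")
    ctx.sudo(
        "certbot certonly -c /srv/zam/certbot.ini --non-interactive --agree-tos"
    )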
Example #7
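def setup_backups(
    ctx,
    os_storage_url="",
    os_tenant_id="",
    os_tenant_name="",
    os_username="",
    os_password="",
):
    """Install ``rotate-backups`` and the hourly backup cron script.

    The ``os_*`` arguments (object-storage URL, tenant, user name and
    password) are handed to ``files/cron-zam-backups.sh.template``; the
    rendered script is uploaded to ``/etc/cron.hourly/zam-backups`` and then
    restricted to mode 700.
    """
    # NOTE(review): installed system-wide as root with no pinned version or
    # hash, so each run pulls whatever release the index currently serves.
    ctx.sudo("python3 -m pip install rotate-backups")
    with template_local_file(
        "files/cron-zam-backups.sh.template",
        "files/cron-zam-backups.sh",
        {
            "os_storage_url": os_storage_url,
            "os_tenant_id": os_tenant_id,
            "os_tenant_name": os_tenant_name,
            "os_username": os_username,
            "os_password": os_password,
        },
    ):
        # NOTE(review): the rendered local file receives the password too;
        # confirm template_local_file deletes it when the block exits.
        sudo_put(ctx, "files/cron-zam-backups.sh", "/etc/cron.hourly/zam-backups")

    # The script is rendered with the storage credentials (the template is
    # not visible here; presumably it embeds them), so it must not be
    # readable by every local account as mode 755 allowed.  Scripts in
    # cron.hourly run as root, and 700 keeps the execute bit they need.
    # The mode sudo_put leaves before this chmod is not visible from here.
    ctx.sudo("chmod 700 /etc/cron.hourly/zam-backups")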
Example #8
def deploy_changelog(ctx, source="../CHANGELOG.md"):
    """Publish the changelog as ``/srv/zam/index.html``.

    The Markdown file at ``source`` is converted with ``commonmark``, placed
    into ``index.html.template`` as ``content``, and the rendered page is
    uploaded with ``chown="zam"``.
    """
    markdown_text = Path(source).read_text()
    # NOTE(review): presumably the commonmark package's renderer, which passes
    # raw HTML in the Markdown through by default -- the changelog is
    # therefore trusted as markup; verify if it can hold outside contributions.
    page_body = commonmark(markdown_text)
    with template_local_file(
        "index.html.template", "index.html", {"content": page_body}
    ):
        sudo_put(ctx, "index.html", "/srv/zam/index.html", chown="zam")