Commit 696397c3 authored by Steve Weber's avatar Steve Weber

rt1183126

parent 76cd9757
from django.urls import path, include
urlpatterns = [
path('oauth2/', include('django_auth_adfs.urls')),
]
\ No newline at end of file
def verify_user(user, request):
if user.groups.filter(name__in=["IdM-HR-staff", "IdM-HR-faculty"]).count() < 1:
return "Only UW Staff and Faculty are able to access MarkBox.uwaterloo.ca"
return True
\ No newline at end of file
#!/usr/bin/env bash
set -exu
# runas root!
# test "x$USER" = "xroot" || exit 400
# if missing venv: create venv dir
test -e '{{vars.dir_venv}}' || (mkdir '{{vars.dir_venv}}' ; chown -R '{{vars.user}}' '{{vars.dir_venv}}')
......
from django.urls import path, include
urlpatterns = [
path('oauth2/', include('django_auth_adfs.urls')),
]
\ No newline at end of file
def verify_user(user, request):
if user.groups.filter(name__in=["IdM-HR-staff", "IdM-HR-faculty"]).count() < 1:
return "Only UW Staff and Faculty are able to access MarkBox.uwaterloo.ca"
return True
\ No newline at end of file
#!/bin/bash
# SYNC: {{vars.settings.databases.default.HOST}}/{{vars.settings.databases.default.NAME}}
# USING: {{vars.database_sync.HOST}}/{{vars.database_sync.NAME}}
command -v apt && apt -y install postgresql-client
#echo '{{vars.database_sync.HOST}}:{{vars.database_sync.PORT}}:{{vars.database_sync.NAME}}:{{vars.database_sync.USER}}:{{vars.database_sync.PASSWORD}}' > ./.pgpass
#echo '{{vars.settings.databases.default.HOST}}:{{vars.settings.databases.default.PORT}}:{{vars.settings.databases.default.NAME}}:{{vars.settings.databases.default.USER}}:{{vars.settings.databases.default.PASSWORD}}' >> ./.pgpass
#chmod 0700 ./.pgpass
#export PGPASSFILE=./.pgpass
echo ""
echo "**** WIPE DATABASE (tables) ****"
PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}} \
-t -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO postgres; GRANT ALL ON SCHEMA public TO public;' \
| PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}}
# another way to drop objects...
# -c "select 'drop table \"' || tablename || '\" cascade;' from pg_tables where schemaname='public'" \
# -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO postgres; GRANT ALL ON SCHEMA public TO public;' \
echo ""
echo "**** SYNC DATABASE ****"
PGPASSWORD={{vars.database_sync.PASSWORD}} pg_dump \
--host={{vars.database_sync.HOST}} \
--username={{vars.database_sync.USER}} \
--dbname={{vars.database_sync.NAME}} \
--no-owner --clean \
| PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}}
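Review bot: The target database is wiped (the `DROP SCHEMA public CASCADE` at L48) before `pg_dump` is known to succeed, and the script sets neither `set -e` nor `pipefail`, so a failed dump or a refused connection in the SYNC step leaves an empty schema while the script still exits 0. Dump to a temporary file first and only wipe and restore once the dump has completed; at minimum start the script with `set -euo pipefail`. The first `psql` call's output is piped into a second `psql` (L49-L52), which looks like a leftover of the commented-out `select 'drop table ...'` generator (L54) — with `-c 'DROP SCHEMA ...'` the first client already executes the statement, so the second client receives nothing and can go. Both database passwords sit in the script body as `PGPASSWORD=` assignments; the `.pgpass` approach kept in the commented lines (L38-L41) keeps them out of the script text and out of any trace output.
```shell
set -euo pipefail
dump_file="$(mktemp)"
trap 'rm -f "$dump_file"' EXIT
echo ""
echo "**** DUMP SOURCE DATABASE ****"
PGPASSWORD={{vars.database_sync.PASSWORD}} pg_dump \
  --host={{vars.database_sync.HOST}} \
  --username={{vars.database_sync.USER}} \
  --dbname={{vars.database_sync.NAME}} \
  --no-owner --clean > "$dump_file"
# … unchanged: WIPE DATABASE step, as a single psql call without the second psql in the pipe …
echo ""
echo "**** SYNC DATABASE ****"
PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
  --host={{vars.settings.databases.default.HOST}} \
  --username={{vars.settings.databases.default.USER}} \
  --dbname={{vars.settings.databases.default.NAME}} < "$dump_file"
```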
#!/usr/bin/env bash
set -exu
set -e
set -x
# runas root!
# test "x$USER" = "xroot" || exit 400
#test "x$USER" = "xroot" || exit 400
# if missing venv: create venv dir
test -e '{{vars.dir_venv}}' || (mkdir '{{vars.dir_venv}}' ; chown -R '{{vars.user}}' '{{vars.dir_venv}}')
{% if vars.get('requirements_sh') %}
bash ./{{vars.requirements_sh}} {{vars.user}}
{% endif %}
bash ./requirements.sh
#sudo apt install -y python3 python3-dev python3-venv
sudo -Hu {{vars.user}} bash << "EOF_user_tasks"
set -exu
test -e '{{vars.dir_venv}}/bin/activate' || {{vars.python_bin}} -m venv '{{vars.dir_venv}}'
set -e
set -x
#cd '{{vars.dir_src}}'
#D="$(dirname "$(realpath "$0")")"
#export LC_LANG=en_US.UTF-8
#export LC_ALL=en_US.UTF-8
#export LANG=en_US.UTF-8
# you can use any of python3 python or python2
python_bin={{vars.python_bin}}
test -e '{{vars.dir_venv}}/bin/activate' || $python_bin -m venv '{{vars.dir_venv}}'
source '{{vars.dir_venv}}/bin/activate'
python3 -m pip install --timeout=5 --upgrade pip
python3 -m pip install --timeout=5 --upgrade -r ./{{vars.requirements_pip}}
python3 ./manage.py collectstatic --noinput
python3 ./manage.py migrate
python3 -m pip install --timeout=5 --upgrade safety
LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./{{vars.requirements_pip}}
python --version
python -m pip install --upgrade pip
python -m pip install --upgrade -r ./requirements-uw.txt
# python -m pip install --no-binary psycopg2 psycopg2
python ./manage.py collectstatic --noinput
python ./manage.py migrate
python -m pip install --upgrade safety
LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./requirements.txt
EOF_user_tasks
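Review bot: `safety check` (L99-L100, assuming those are the new-side lines) runs only after `pip install -r` and `manage.py migrate` have completed, so a dependency it flags is already installed and the migrated app is already live when the finding is printed. Because `safety check -r` reads the requirements file and does not need the packages installed, it can run before the install and gate it: place `LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./{{vars.requirements_pip}}` directly after the `safety` install and ahead of the `-r` install, and `set -e` then stops the update on a non-zero exit. Separately, `bash ./{{vars.requirements_sh}} {{vars.user}}` (L77) executes a script from the checkout as root, so whatever the tracked branch currently contains runs with root rights on the host; pinning `repo_branch` (set outside this hunk) to a reviewed commit rather than a moving branch would narrow that. A comment such as `# requirements_sh comes from the git checkout and runs as root` above L76 would at least make the trust boundary visible.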
from .settings_base import * # pylint: disable=unused-wildcard-import
from collections import OrderedDict
TIME_ZONE = 'America/Toronto'
DEBUG = {{vars.debug|python}}
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
ALLOWED_HOSTS = {{vars.allowed_hosts|python}}
SECRET_KEY = '{{vars.secret_key}}'
STATIC_ROOT = '{{vars.dir_vol}}/static'
MEDIA_ROOT = '{{vars.dir_vol}}/media'
STATIC_URL = '/static/'
MEDIA_URL = '/media/'
import os
from {{vars.module_settings_base}} import *
# WARN: be sure to run:
# export DJANGO_SETTINGS_MODULE=settings
# Note: env varable like
# SECRET_KEY = os.environ.setdefault('DJANGO_SECRET_KEY', 'YYYYYY')
# might seem like a good idea however they are also landmines
# when not working an a container like docker.
# Services like systemd might use /etc/defaults/app or have env hardcoded
ALLOWED_HOSTS = {{vars.settings.allowed_hosts|json}}
SECRET_KEY = '{{vars.settings.secret_key}}'
DATABASES = {
"default": {
"ENGINE": "django.db.backends.sqlite3",
"NAME": "{{dir_vol}}/db.sqlite3",
}
}
{% if vars.get('databases') %}
DATABASES = {{vars.databases|python}}
{% if vars.settings.get('databases') %}
DATABASES = {{vars.settings.databases|json}}
{% endif %}
MARKSET_DIR = '{{vars.dir_vol}}/markset'
CELERY_BROKER_URL = 'redis://'
LOGIN_URL = 'django_auth_adfs:login'
LOGOUT_URL = 'django_auth_adfs:logout'
PUBLIC_PATHS = [
r'^/oauth.*'
]
INSTALLED_APPS.append('django_auth_adfs')
AUTHENTICATION_BACKENDS = {
'django_auth_adfs.backend.AdfsAuthCodeBackend',
}
AUTH_ADFS = {
'SERVER': '{{vars.adfs_server}}',
'CLIENT_ID': '{{vars.adfs_client_id}}',
'RELYING_PARTY_ID': '{{vars.adfs_client_id}}',
'AUDIENCE': 'microsoft:identityserver:{{vars.adfs_client_id}}',
'CLAIM_MAPPING': {
'first_name': 'given_name',
'last_name': 'family_name',
},
'USERNAME_CLAIM': 'winaccountname',
'GROUP_CLAIM': 'group',
'MIRROR_GROUPS': True
}
# optional other settings
{{vars.settings.raw|safe}}
VERIFY_SITE_ACCESS = 'markbox.custom_verification.verify_user'
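Review bot: The sqlite fallback at L136 renders `{{dir_vol}}` while every other path in this file uses `{{vars.dir_vol}}` (L118-L119, L144); under the `vars` mapping this template is rendered with, a bare `dir_vol` is undefined or empty, so the default database path is wrong — `"NAME": "{{vars.dir_vol}}/db.sqlite3",`. `SESSION_COOKIE_SECURE = True` / `CSRF_COOKIE_SECURE = True` (L114-L115) sit next to the old-style `|python` lines; if they are on the removed side, the rendered settings no longer force secure cookies and depend on `{{vars.module_settings_base}}` doing so — worth keeping them or confirming the base module sets them. `AUTHENTICATION_BACKENDS` is written as a set literal (L152-L154); Django documents it as a list or tuple, and a set has no defined order once a second backend is added, so `AUTHENTICATION_BACKENDS = ['django_auth_adfs.backend.AdfsAuthCodeBackend']` is the safer spelling if that block survives.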
......@@ -3,8 +3,9 @@ Description={{vars.service_name}}
[Service]
Type=simple
SyslogIdentifier={{vars.service_name}}-uwsgi
ExecStart={{vars.uwsgi_bin}} --emperor '{{vars.dir_uwsgi}}' --uid={{vars.user}} --gid={{vars.group}}
SyslogIdentifier={{vars.service_name}}-asgi
WorkingDirectory={{vars.dir_src}}
ExecStart=DJANGO_SETTINGS_MODULE={{vars.module_settings}} {{vars.dir_venv}}/bin/gunicorn {{vars.module_asgi}}:application -k uvicorn.workers.UvicornWorker -w 6 -b 127.0.0.1 -u {{vars.user}} -g {{vars.group}}
ExecStartPost=/bin/sleep 2
Restart=on-failure
RestartSec=15s
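Review bot: `ExecStart=DJANGO_SETTINGS_MODULE={{vars.module_settings}} {{vars.dir_venv}}/bin/gunicorn …` (L178) will not start: systemd does not interpret `NAME=value` prefixes and takes the first word as the program to execute, so it looks for an executable literally named `DJANGO_SETTINGS_MODULE=…`. Set the variable with a unit directive on its own line, `Environment=DJANGO_SETTINGS_MODULE={{vars.module_settings}}`, and keep the command as `ExecStart={{vars.dir_venv}}/bin/gunicorn {{vars.module_asgi}}:application -k uvicorn.workers.UvicornWorker -w 6 -b 127.0.0.1 -u {{vars.user}} -g {{vars.group}}`. Passing `-u`/`-g` starts the master as root and lets gunicorn drop privileges itself; `User=`/`Group=` in `[Service]` would have systemd do it before the process starts, which is the usual approach. The `[Unit]` and `[Install]` sections of this unit are outside the hunk.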
......
[uwsgi]
plugin = python3
virtualenv = {{vars.dir_venv}}
uid = {{vars.user}}
gid = {{vars.group}}
chdir = {{vars.dir_src}}
module = {{vars.uwsgi_module}}
master = true
processes = 5
socket = :{{vars.uwsgi_port}}
vacuum = true
die-on-term = true
buffer-size = 32768
# todo do we need this>
#env LANG=en_US.utf8
#env LC_ALL=en_US.UTF-8
#env LC_LANG=en_US.UTF-8
#env = PYTHONIOENCODING=UTF-8
......@@ -2,18 +2,16 @@
{% from 'uwl/systemd/init.sls' import vars as _systemd %}
{% load_yaml as vars %}
default:
#service_name: webapp
#dir_src: /srv/webapp/src
#dir_vol: /srv/webapp/vol
#dir_venv: /srv/webapp/env
#dir_uwsgi: /srv/webapp/wsgi
# uwsgi_module: core.wsgi
uwsgi_port: 8000
enable_emailer_cron: False
python_bin: /opt/local/python/3.8.2/bin/python
uwsgi_bin: /usr/bin/uwsgi
requirements_pip: requirements-uw.txt
requirements_sh: requirements-uw.sh
service_name: app
module_settings: settings
module_settings_base: gsa.settings
module_asgi: gsa.asgi
settings_file: /srv/app/src/settings.py
dir_src: /srv/app/src
dir_vol: /srv/app/vol
dir_venv: /srv/app/env
dir_uwsgi: /srv/app/wsgi
python_bin: python3
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
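Review bot: `settings_file: /srv/app/src/settings.py` (L221) hard-codes the same prefix that `dir_src: /srv/app/src` (L222) carries, so a pillar override of `dir_src` leaves `settings_file` pointing at the old tree unless it is overridden too; if `salt.uwl.solve_vars` (L228) cannot derive one from the other, a comment next to L221 such as `# keep in sync with dir_src; both must be overridden together` would save the next deploy from that mismatch. `python_bin: python3` (L226) replaces an absolute interpreter path; since `post_update.sh` runs it as root, resolving `python3` through `PATH` rather than a fixed path is a small but real loosening — worth a note on why the fixed path was dropped.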
......@@ -33,30 +31,25 @@ include:
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0775'
- makedirs: True
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
- watch_in:
- service: {{sls}} service
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- force_clone: True
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
{% if vars.get('repo_https_user') %}
- https_user: {{vars.repo_https_user|json}}
- https_pass: {{vars.repo_https_pass|json}}
{% endif %}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
- watch_in:
- service: {{sls}} service
- require_in:
- service: {{sls}} service
- require:
- file: {{sls}}
- pkg: {{sls}}
{{sls}} static_root:
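Review bot: `force_clone: True` (L246) makes `git.latest` remove `{{vars.dir_src}}` when it exists but is not a git checkout, so a wrong `dir_src` value now deletes that directory's contents instead of failing; the `{{sls}}` file state above already creates the directory with `makedirs: True`, so the state worked for an empty directory before. A comment stating the reason would help, e.g. `# force_clone: replace a non-git tree left by an older deploy in dir_src`. `rev`/`branch` appear twice in the rendered block (L248-L249 and L254-L255); if both pairs are on the new side the state ends up with duplicate YAML keys, so drop one pair.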
......@@ -66,10 +59,10 @@ include:
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
- recurse:
- user
- group
- mode
#- recurse:
# - user
# - group
# - mode
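Review bot: The four `#- recurse:` lines (L272-L275) keep dead configuration in place of deleting it; the same commented-out block recurs at L285-L288, and L373-L374 keep two commented `#- file:` requires. Without `recurse`, `dir_mode` applies only to the top directory and files already under static_root and media_root keep whatever mode and owner `collectstatic` or an upload gave them; if that is intended, a one-line reason is more useful than the old lines, e.g. `# no recurse: files below are owned/managed by collectstatic and uploads`. Otherwise delete the commented lines in all three places.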
{{sls}} media_root:
......@@ -79,60 +72,57 @@ include:
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
- recurse:
- user
- group
- mode
#- recurse:
# - user
# - group
# - mode
{{sls}} settings:
{% if vars.get('database_sync') %}
{{sls}} database_sync script:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/settings.py
- source: salt://{{tpldir}}/_data/settings.py
- name: {{vars.dir_src}}/../database_sync_core.sh
- source: salt://{{tpldir}}/_data/database_sync.sh
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- mode: '0740'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- service: {{sls}} service
{% endif %}
{{sls}} urls:
{{sls}} config:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/custom_urls.py
- source: salt://{{tpldir}}/_data/custom_urls.py
- name: {{vars.settings_file}}
- source: salt://{{tpldir}}/_data/settings.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- require_in:
- service: {{sls}} service
{{sls}} verification:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/custom_verification.py
- source: salt://{{tpldir}}/_data/custom_verification.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- service: {{sls}} service
{{sls}} post_update:
pkg.installed:
- pkgs:
- python3-venv
- gcc
- clang
- python3-dev
- libpq-dev
- libssl-dev
- python3-wheel
cmd.script:
- name: post_update.sh
- source: salt://{{tpldir}}/_data/post_update.sh
- template: jinja
- user: root
- context:
vars: {{vars|json}}
- mode: '0700'
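Review bot: The `database_sync script` (L291-L305) is written with `mode: '0740'`, group-readable, while the rendered script carries both database passwords inline in its `PGPASSWORD=` assignments (L44 and L58 of database_sync.sh); only `{{vars.user}}` runs it, so `mode: '0700'` is sufficient and keeps the credentials from the whole `{{vars.group}}`. The `watch_in: service` on that script (L304-L305) restarts the app whenever the sync template or its vars change, although the app never loads the script; `require_in`, or no ordering at all, avoids the spurious restart. The `{{sls}} verification` state (L323-L334) sources `_data/custom_verification.py`; if this commit deletes that file (the page has lost the +/- markers) and the state is kept on the new side, the `file.managed` source will be missing — worth confirming.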
......@@ -141,24 +131,9 @@ include:
- service: {{sls}} service
- require:
- git: {{sls}}
- file: {{sls}} static_root
- file: {{sls}} media_root
- file: {{sls}} settings
{{sls}} uwsgi config:
file.managed:
- name: {{vars.dir_uwsgi}}/wsgi.ini
- source: salt://{{tpldir}}/_data/wsgi.ini
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- makedirs: True
- watch_in:
- service: {{sls}} service
#- file: {{sls}} static_root
#- file: {{sls}} media_root
- file: {{sls}} config
{{sls}} service:
......@@ -176,32 +151,6 @@ include:
service.running:
- name: {{vars.service_name}}
- enable: True
{% if vars.enable_crons %}
{{sls}} cron webapp_send_reports:
cron.present:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py send_reports
- identifier: webapp_send_reports
- user: {{vars.user}}
- minute: '15'
- hour: '7'
{{sls}} cron webapp_purge:
cron.present:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py purge
- identifier: webapp_purge
- user: {{vars.user}}
- minute: '15'
- hour: '5'
- dayweek: '1'
{% else %}
{{sls}} cron webapp_send_reports:
cron.absent:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py send_reports
{{sls}} cron webapp_purge:
cron.absent:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py purge
{% endif %}
- require:
- file: {{sls}} service
# ------ VARS ------
{% from 'uwl/systemd/init.sls' import vars as _systemd %}
{% load_yaml as vars %}
default:
user: root
group: root
#repo: 'https://git.uwaterloo.ca/example/woot.git'
#repo_branch: p01
#https_user:
#https_pass:
dir_src: /srv/docker-compose-app
service_name: docker-compose-app
#service_exec: /usr/bin/docker-compose --file=docker-compose.yml --file=docker-compose-certbot.yml up --build
service_exec: docker-compose up --build
cron_salt_state_apply: False
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_systemd.sls}}
{{sls}} pkg:
pkg.installed:
- pkgs:
- git
- docker-compose
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
{% if vars.get('repo_https_user') %}
- https_user: {{vars.repo_https_user|json}}
- https_pass: {{vars.repo_https_pass|json}}
{% endif %}
- watch_in:
- service: {{sls}} service
{% if vars.get('env') %}
{{sls}} config env:
file.managed:
- name: {{vars.dir_src}}/.env
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0640'
- contents: {{vars.env|json}}
- require_in:
- service: {{sls}} service
- watch_in:
- service: {{sls}} service
{% endif %}
{% if vars.get('service_environment') %}
{{sls}} service environment:
file.managed:
- name: /etc/default/{{vars.service_name}}
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0640'
- contents: {{vars.service_environment|json}}
- require_in:
- service: {{sls}} service
- watch_in:
- service: {{sls}} service
{% endif %}
{{sls}} service:
file.managed:
- name: {{_systemd.unit_path}}/{{vars.service_name}}.service
- contents: |
[Unit]
Description={{vars.service_name}}
[Service]
Type=simple
SyslogIdentifier={{vars.service_name}}
EnvironmentFile=-/etc/default/{{vars.service_name}}
WorkingDirectory={{vars.dir_src}}
ExecStart={{vars.service_exec}}
ExecStartPost=/bin/sleep 2
Restart=on-failure
RestartSec=30s
[Install]
WantedBy=multi-user.target
- mode: '0644'
- watch_in:
- service: {{sls}} service
- cmd: {{_systemd.sls}} reload units
service.running:
- name: {{vars.service_name}}
- enable: True
- require:
- file: {{sls}} service
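Review bot: The default `service_exec: docker-compose up --build` (L420) is a bare command name, whereas the commented-out example above it (L419) and the other units on this page use an absolute path; older systemd versions accept only an absolute path in `ExecStart=`, so `service_exec: /usr/bin/docker-compose up --build` matches the package installed at L431 and works everywhere. `--build` in `ExecStart` combined with `Restart=on-failure` (L483) means every crash restart rebuilds the images; building once at deploy time, or in an `ExecStartPre=`, keeps restarts fast. The checkout and service default to `user: root` / `group: root` (L411-L412), so the `.env` file (L447, `contents: {{vars.env|json}}`) and `/etc/default/{{vars.service_name}}` are root-owned 0640 files — acceptable if the stack needs root for the docker socket, but a comment on the `user` default, e.g. `# root: docker-compose needs the docker socket; narrow via a docker-group user if possible`, would state that choice.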
......@@ -11,5 +11,5 @@ include:
- .certbot
- .nginx
#- .apache
- docker-compose-app
- .app