Commit f5e4d15a authored by Steve Weber's avatar Steve Weber

rt1183126

parent d05f9613
#!/bin/bash
# SYNC: {{vars.settings.databases.default.HOST}}/{{vars.settings.databases.default.NAME}}
# USING: {{vars.database_sync.HOST}}/{{vars.database_sync.NAME}}
command -v apt && apt -y install postgresql-client
#echo '{{vars.database_sync.HOST}}:{{vars.database_sync.PORT}}:{{vars.database_sync.NAME}}:{{vars.database_sync.USER}}:{{vars.database_sync.PASSWORD}}' > ./.pgpass
#echo '{{vars.settings.databases.default.HOST}}:{{vars.settings.databases.default.PORT}}:{{vars.settings.databases.default.NAME}}:{{vars.settings.databases.default.USER}}:{{vars.settings.databases.default.PASSWORD}}' >> ./.pgpass
#chmod 0700 ./.pgpass
#export PGPASSFILE=./.pgpass
echo ""
echo "**** WIPE DATABASE (tables) ****"
PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}} \
-t -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO postgres; GRANT ALL ON SCHEMA public TO public;' \
| PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}}
# another way to drop objects...
# -c "select 'drop table \"' || tablename || '\" cascade;' from pg_tables where schemaname='public'" \
# -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO postgres; GRANT ALL ON SCHEMA public TO public;' \
echo ""
echo "**** SYNC DATABASE ****"
PGPASSWORD={{vars.database_sync.PASSWORD}} pg_dump \
--host={{vars.database_sync.HOST}} \
--username={{vars.database_sync.USER}} \
--dbname={{vars.database_sync.NAME}} \
--no-owner --clean \
| PGPASSWORD={{vars.settings.databases.default.PASSWORD}} psql \
--host={{vars.settings.databases.default.HOST}} \
--username={{vars.settings.databases.default.USER}} \
--dbname={{vars.settings.databases.default.NAME}}
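Review bot: The script sets no `set -euo pipefail`, so when pg_dump on line 31 fails (bad credentials, unreachable host) psql on line 36 just receives an empty stream and the script exits 0 — after the DROP SCHEMA on line 21 has already wiped the target database. Add `set -euo pipefail` after the shebang so a failed dump makes the run fail, and consider dumping to a temporary file first and wiping only once the dump has succeeded. The pipe into a second psql on line 22 appears to be a leftover of the commented-out `select 'drop table…'` variant on line 27: with the DROP SCHEMA command and `-t`, the first psql still prints command tags such as `DROP SCHEMA`, which the second psql then tries to execute as SQL. Both database passwords are rendered verbatim into this script (lines 17, 22, 31, 36); the commented-out `.pgpass` approach on lines 11–14 would at least keep them out of the script body.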
#!/usr/bin/env bash
set -e
set -x
# runas root!
#test "x$USER" = "xroot" || exit 400
# if missing venv: create venv dir
test -e '{{vars.dir_venv}}' || (mkdir '{{vars.dir_venv}}' ; chown -R '{{vars.user}}' '{{vars.dir_venv}}')
bash ./requirements.sh
#sudo apt install -y python3 python3-dev python3-venv
sudo -Hu {{vars.user}} bash << "EOF_user_tasks"
set -e
set -x
#cd '{{vars.dir_src}}'
#D="$(dirname "$(realpath "$0")")"
#export LC_LANG=en_US.UTF-8
#export LC_ALL=en_US.UTF-8
#export LANG=en_US.UTF-8
# you can use any of python3 python or python2
python_bin={{vars.python_bin}}
test -e '{{vars.dir_venv}}/bin/activate' || $python_bin -m venv '{{vars.dir_venv}}'
source '{{vars.dir_venv}}/bin/activate'
python --version
python -m pip install --upgrade pip
python -m pip install --upgrade -r ./requirements-uw.txt
# python -m pip install --no-binary psycopg2 psycopg2
python ./manage.py collectstatic --noinput
python ./manage.py migrate
python -m pip install --upgrade safety
LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./requirements.txt
EOF_user_tasks
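Review bot: The dependency audit on line 68 scans `./requirements.txt`, but the packages actually installed on line 63 come from `./requirements-uw.txt`; unless the first file includes the second, what is installed is not what is being checked. Point the audit at the same manifest, `LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./requirements-uw.txt`, or run `safety check` without `-r` so the resolved environment itself is scanned. The audit also runs after `migrate` on line 66, so under `set -e` a finding aborts the script only after the schema change has been applied; moving it ahead of the manage.py steps fails the deploy before anything is touched. Minor: `{{vars.user}}` on line 49 is unquoted while line 46 quotes the same value.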
import os
from {{vars.module_settings_base}} import *
# WARN: be sure to run:
# export DJANGO_SETTINGS_MODULE=settings
# Note: env varable like
# SECRET_KEY = os.environ.setdefault('DJANGO_SECRET_KEY', 'YYYYYY')
# might seem like a good idea however they are also landmines
# when not working an a container like docker.
# Services like systemd might use /etc/defaults/app or have env hardcoded
ALLOWED_HOSTS = {{vars.settings.allowed_hosts|json}}
SECRET_KEY = '{{vars.settings.secret_key}}'
DATABASES = {
"default": {
"ENGINE": "django.db.backends.sqlite3",
"NAME": "{{dir_vol}}/db.sqlite3",
}
}
{% if vars.settings.get('databases') %}
DATABASES = {{vars.settings.databases|json}}
{% endif %}
# optional other settings
{{vars.settings.raw|safe}}
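Review bot: `SECRET_KEY = '{{vars.settings.secret_key}}'` on line 80 interpolates the secret into a single-quoted literal, so a value containing `'` or `\` yields a broken or silently altered module; the file already uses the `|json` filter for ALLOWED_HOSTS and DATABASES, and `SECRET_KEY = {{vars.settings.secret_key|json}}` produces a correctly escaped string. Line 84 references `{{dir_vol}}` while the state passes only `vars` into the template context and every other expansion here reads `vars.*`, so this likely should be `{{vars.dir_vol}}`; depending on Salt's undefined-variable policy the current form either fails to render or produces `/db.sqlite3`, which is worth verifying on a host without a `databases` setting.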
[Unit]
Description={{vars.service_name}}
[Service]
Type=simple
SyslogIdentifier={{vars.service_name}}-asgi
WorkingDirectory={{vars.dir_src}}
ExecStart=DJANGO_SETTINGS_MODULE={{vars.module_settings}} {{vars.dir_venv}}/bin/gunicorn {{vars.module_asgi}}:application -k uvicorn.workers.UvicornWorker -w 6 -b 127.0.0.1 -u {{vars.user}} -g {{vars.group}}
ExecStartPost=/bin/sleep 2
Restart=on-failure
RestartSec=15s
[Install]
WantedBy=multi-user.target
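Review bot: `ExecStart=` on line 98 begins with `DJANGO_SETTINGS_MODULE=…`, but systemd does not perform shell-style variable assignment in ExecStart — the first word must be the executable — so this unit will fail to start. Set the variable with `Environment=DJANGO_SETTINGS_MODULE={{vars.module_settings}}` and start with `ExecStart={{vars.dir_venv}}/bin/gunicorn {{vars.module_asgi}}:application -k uvicorn.workers.UvicornWorker -w 6 -b 127.0.0.1 -u {{vars.user}} -g {{vars.group}}`. The unit has no `User=`/`Group=`, so the gunicorn master runs as root and only the workers are dropped via `-u/-g`; with the state's defaults of `user: root` / `group: root` nothing is dropped at all. Adding `User={{vars.user}}` and `Group={{vars.group}}` to the unit keeps the whole service unprivileged once a non-root user is configured.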
# ------ VARS ------
{% from 'uwl/systemd/init.sls' import vars as _systemd %}
{% load_yaml as vars %}
default:
user: root
group: root
service_name: app
module_settings: settings
module_settings_base: gsa.settings
module_asgi: gsa.asgi
settings_file: /srv/app/src/settings.py
dir_src: /srv/app/src
dir_vol: /srv/app/vol
dir_venv: /srv/app/env
dir_uwsgi: /srv/app/wsgi
python_bin: python3
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_systemd.sls}}
{{sls}}:
pkg.installed:
- pkgs:
- git
file.directory:
- name: {{vars.dir_src}}
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0775'
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- force_clone: True
- user: {{vars.user}}
{% if vars.get('repo_https_user') %}
- https_user: {{vars.repo_https_user|json}}
- https_pass: {{vars.repo_https_pass|json}}
{% endif %}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
- watch_in:
- service: {{sls}} service
- require_in:
- service: {{sls}} service
- require:
- file: {{sls}}
- pkg: {{sls}}
{{sls}} static_root:
file.directory:
- name: {{vars.dir_vol}}/static
- makedirs: True
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
#- recurse:
# - user
# - group
# - mode
{{sls}} media_root:
file.directory:
- name: {{vars.dir_vol}}/media
- makedirs: True
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
#- recurse:
# - user
# - group
# - mode
{% if vars.get('database_sync') %}
{{sls}} database_sync script:
file.managed:
- name: {{vars.dir_src}}/../database_sync_core.sh
- source: salt://{{tpldir}}/_data/database_sync.sh
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0740'
- user: {{vars.user}}
- group: {{vars.group}}
{% endif %}
{{sls}} config:
file.managed:
- name: {{vars.settings_file}}
- source: salt://{{tpldir}}/_data/settings.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- require_in:
- service: {{sls}} service
- watch_in:
- service: {{sls}} service
{{sls}} post_update:
pkg.installed:
- pkgs:
- python3-venv
- gcc
- clang
- python3-dev
- libpq-dev
- libssl-dev
- python3-wheel
cmd.script:
- name: post_update.sh
- source: salt://{{tpldir}}/_data/post_update.sh
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0700'
- cwd: {{vars.dir_src}}
- require_in:
- service: {{sls}} service
- require:
- git: {{sls}}
#- file: {{sls}} static_root
#- file: {{sls}} media_root
- file: {{sls}} config
{{sls}} service:
file.managed:
- name: {{_systemd.unit_path}}/{{vars.service_name}}.service
- source: salt://{{tpldir}}/_data/systemd
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0644'
- watch_in:
- service: {{sls}} service
- cmd: {{_systemd.sls}} reload units
service.running:
- name: {{vars.service_name}}
- enable: True
- require:
- file: {{sls}} service
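Review bot: `{{sls}} config` (line 186) writes `settings_file`, whose default `/srv/app/src/settings.py` lies inside `dir_src`, the target of `git.latest` with `force_clone: True` (line 137), which discards the directory contents when it is not yet a repository; the config state has no `require` on the git state, so the correct order currently rests on definition order alone. Add `- require: - git: {{sls}}` to the config state so the file is always written after the clone. `{{sls}} post_update`'s `cmd.script` (line 210) has no `onchanges`, so pip upgrades, `collectstatic` and `migrate` run on every highstate; if that is not intended, `- onchanges: - git: {{sls}} - file: {{sls}} config` limits it to actual changes. The rendered `database_sync_core.sh` (line 177) carries both database passwords in plaintext, so its `0740` mode matters; note it lands in `{{vars.dir_src}}/..`, a directory this state does not manage.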
if too many failed attempts your log will have errors about rate limit. So Ensure the firewall is open befor requesting cert or you might get banned!
```
cat /var/log/letsencrypt/letsencrypt.log
...
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
```
Example Pillar:
certbot:
domain: outline.uwaterloo.ca
{{sls}}.certbot:
# WARN: changes to aliases and testcert require old cert be deleted "certbot delete -d $DOMAIN"
testcert: True
domain: dbhub.math.uwaterloo.ca
admin_email: s8weber@uwaterloo.ca
# pre_hook: (defaults to stop nginx)
pre_hook: systemctl stop apache2
# post_hook: (defaults to start nginx)
post_hook: systemctl start apache2
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"a
aliases:
- outline-p02.uwaterloo.ca
# nginx is the default service that has hooks.
certbot:
domain: outline.uwaterloo.ca
admin_email: s8weber@uwaterloo.ca
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"a
aliases:
- outline-p02.uwaterloo.ca
aliases: []
- dbhub-p01.math.uwaterloo.ca
Cert files are created at:
......@@ -26,6 +28,10 @@ Cert files are created at:
ssl_certificate_key: /etc/letsencrypt/live/{{domain}}/privkey.pem
ssl_certificate_pem: /etc/letsencrypt/live/{{domain}}/fullchain.pem
SSLCertificateFile: /etc/letsencrypt/live/{{domain}}/fullchain.pem
SSLCertificateKeyFile: /etc/letsencrypt/live/{{domain}}/privkey.pem
SSLCACertificateFile: /etc/letsencrypt/live/{{domain}}/fullchain.pem
Deleting old cert
# simple
......
......@@ -4,11 +4,11 @@
default:
pre_hook: systemctl stop nginx
post_hook: systemctl start nginx
deploy_hook: systemctl reload nginx
#domain: xxxxxxx.uwaterloo.ca
#admin_email: xxxxxxx@uwaterloo.ca
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"
# WARN: changes to aliases and testcert require old cert be deleted "certbot delete -d $DOMAIN"
aliases: []
testcert: False
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
......@@ -38,6 +38,10 @@ include:
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"
- aliases: {{vars.aliases}}
# WARN: changes to test_cert require old cert be deleted "certbot delete -d $DOMAIN"
{%- if vars.testcert %}
- test_cert: True
{%- else %}
- test_cert: False
{%- endif %}
- require:
- pkg: {{_certbot.sls}}
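Review bot: The five-line `{%- if vars.testcert %}` / `{%- else %}` block on lines 301–305 only forwards a boolean that the defaults block on line 293 already guarantees exists, so it collapses to `- test_cert: {{vars.testcert}}`. The whitespace-stripping `{%-` tags happen to render correctly in both branches here, but they strip the newline of the preceding comment line and are easy to break when neighbouring lines are edited, which is a further reason to prefer the single line. The `{{sls}}.certbot` state these lines belong to starts outside the hunk.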