From 5f77676bbbdb590aedd9f71394b45d4dfb1b62f3 Mon Sep 17 00:00:00 2001 From: Sebastian Luna-Valero Date: Fri, 27 Sep 2024 16:15:38 +0200 Subject: [PATCH] move playbook to role --- deployment/playbook.yaml | 91 +------------------ .../fedcloud-dashboard/defaults/main.yaml | 1 + .../fedcloud-dashboard/handlers/main.yaml | 18 ++++ .../roles/fedcloud-dashboard/tasks/main.yaml | 65 +++++++++++++ .../templates/nginx.motley_cue.j2 | 20 ++++ .../templates/pam-ssh-oidc-config.ini.j2 | 5 + 6 files changed, 111 insertions(+), 89 deletions(-) create mode 100644 deployment/roles/fedcloud-dashboard/defaults/main.yaml create mode 100644 deployment/roles/fedcloud-dashboard/handlers/main.yaml create mode 100644 deployment/roles/fedcloud-dashboard/tasks/main.yaml create mode 100644 deployment/roles/fedcloud-dashboard/templates/nginx.motley_cue.j2 create mode 100644 deployment/roles/fedcloud-dashboard/templates/pam-ssh-oidc-config.ini.j2 diff --git a/deployment/playbook.yaml b/deployment/playbook.yaml index eba6cad..7c200b9 100644 --- a/deployment/playbook.yaml +++ b/deployment/playbook.yaml @@ -1,13 +1,4 @@ --- -- hosts: all - gather_facts: no - tasks: - - name: Wait for ssh - # give it some time as the VM may take a while to start - wait_for_connection: - delay: 30 - timeout: 600 - - hosts: all become: yes gather_facts: yes 
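Review bot: The `Wait for ssh` play removed at the top of the hunk is not carried into the new role or anywhere else in this commit, so the first remaining play now gathers facts and runs `grycap.motley_cue` before a freshly created VM may be accepting ssh connections. The commit message describes a move into a role, so this looks like an accidental drop rather than a deliberate change; if the wait is now done by whatever provisions the VM, a one-line comment above the first play saying so would save the next reader the same question. Otherwise keep the play, preferably with `gather_facts: false` rather than `no` so yamllint's truthy rule is satisfied.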
@@ -15,83 +6,5 @@ - role: "grycap.motley_cue" ssh_oidc_other_vos_name: cloud.egi.eu ssh_oidc_other_vos_role: auditor - -- hosts: all - become: yes - gather_facts: yes - tasks: - - name: Disable default site in nginx - ansible.builtin.file: - path: /etc/nginx/sites-enabled/default - state: absent - - - name: Move motley-cue to a different port (nginx) - ansible.builtin.lineinfile: - path: /etc/nginx/sites-available/nginx.motley_cue - regexp: ".*listen 8080;$" - line: " listen 8181;" - - - name: No IPv6 for motley-cue (nginx) - ansible.builtin.lineinfile: - path: /etc/nginx/sites-available/nginx.motley_cue - search_string: "listen [::]:8080;" - state: absent - - - name: Move motley-cue to a different port (pam-ssh-oidc) - ansible.builtin.lineinfile: - path: /etc/pam.d/pam-ssh-oidc-config.ini - regexp: "^verify_endpoint = http://localhost:8080/verify_user$" - line: "verify_endpoint = http://localhost:8181/verify_user" - - - name: Restart nginx - ansible.builtin.service: - name: nginx - state: restarted - enabled: yes - - - name: Restart motley-cue - ansible.builtin.service: - name: motley-cue - state: restarted - enabled: yes - - - name: Checkout repo at VM - ansible.builtin.git: - repo: "https://github.com/EGI-Federation/fedcloud-dashboard.git" - version: "{{ git_ref }}" - dest: /fedcloud-dashboard - - - name: env file - ansible.builtin.copy: - content: | - DASHBOARD_HOSTNAME=dashboard.cloud.egi.eu - dest: /fedcloud-dashboard/.env - - - name: service file - ansible.builtin.copy: - content: | - # - # This manages the cloudkeeper OS backend - # - [Unit] - Description=Dashboard - After=docker.service - Requires=docker.service - [Service] - Type=oneshot - RemainAfterExit=true - WorkingDirectory=/fedcloud-dashboard - ExecStartPre=/usr/bin/docker pull python:3.10 - ExecStart=/usr/bin/docker-compose up -d --force-recreate --build --remove-orphans - ExecStop=/usr/bin/docker-compose down - - [Install] - WantedBy=multi-user.target - dest: /etc/systemd/system/dashboard.service 
- - - name: Run, baby run - ansible.builtin.systemd: - name: dashboard.service - enabled: yes - state: restarted - daemon_reload: yes + - role: "fedcloud-dashboard" + fedcloud_dashboard_dns: dashboard.test.fedcloud.eu diff --git a/deployment/roles/fedcloud-dashboard/defaults/main.yaml b/deployment/roles/fedcloud-dashboard/defaults/main.yaml new file mode 100644 index 0000000..dca5acc --- /dev/null +++ b/deployment/roles/fedcloud-dashboard/defaults/main.yaml @@ -0,0 +1 @@ +fedcloud_dashboard_dns: dashboard.cloud.egi.eu diff --git a/deployment/roles/fedcloud-dashboard/handlers/main.yaml b/deployment/roles/fedcloud-dashboard/handlers/main.yaml new file mode 100644 index 0000000..f2d6f57 --- /dev/null +++ b/deployment/roles/fedcloud-dashboard/handlers/main.yaml @@ -0,0 +1,18 @@ +- name: Restart motley-cue + ansible.builtin.service: + name: motley-cue + state: restarted + enabled: yes + +- name: Restart nginx + ansible.builtin.service: + name: nginx + state: restarted + enabled: yes + +- name: Run, baby run + ansible.builtin.systemd: + name: dashboard.service + enabled: yes + state: restarted + daemon_reload: yes diff --git a/deployment/roles/fedcloud-dashboard/tasks/main.yaml b/deployment/roles/fedcloud-dashboard/tasks/main.yaml new file mode 100644 index 0000000..2e46374 --- /dev/null +++ b/deployment/roles/fedcloud-dashboard/tasks/main.yaml 
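Review bot: The new role entry at the end of the hunk overrides `fedcloud_dashboard_dns` with `dashboard.test.fedcloud.eu`, while the default added in `defaults/main.yaml` is `dashboard.cloud.egi.eu`, the hostname the removed tasks used to write into `.env`. With the override in the playbook the production default is never used when this playbook runs, so either this is a test value that should not land on the main branch or the value belongs in inventory or group vars rather than the playbook itself. A comment on the role entry stating which environment the override targets would make the intent clear either way.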
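Review bot: `enabled: yes` in the three handlers (and `enabled: yes`/`daemon_reload: yes` in `tasks/main.yaml`) should be the canonical `true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that YAML 1.2 parsers read as a string. The `Run, baby run` handler is also never notified by any task in this commit, because the task of the same name in `tasks/main.yaml` restarts `dashboard.service` unconditionally on every run; either the `env file` and `service file` tasks should `notify: Run, baby run` and the unconditional restart task go, or the handler should be removed.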
@@ -0,0 +1,65 @@
+
+- name: Checkout repo at VM
+ ansible.builtin.git:
+ repo: "https://github.com/EGI-Federation/fedcloud-dashboard.git"
+ #version: "{{ git_ref }}"
+ version: motley-https
+ dest: /fedcloud-dashboard
+
+- name: env file
+ ansible.builtin.copy:
+ content: |
+ DASHBOARD_HOSTNAME={{ fedcloud_dashboard_dns }}
+ dest: /fedcloud-dashboard/.env
+
+- name: service file
+ ansible.builtin.copy:
+ content: |
+ #
+ # This manages the cloudkeeper OS backend
+ #
+ [Unit]
+ Description=Dashboard
+ After=docker.service
+ Requires=docker.service
+ [Service]
+ Type=oneshot
+ RemainAfterExit=true
+ WorkingDirectory=/fedcloud-dashboard
+ ExecStartPre=/usr/bin/docker pull python:3.10
+ ExecStart=/usr/bin/docker-compose up -d --force-recreate --build --remove-orphans
+ ExecStop=/usr/bin/docker-compose down
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/dashboard.service
+
+- name: Run, baby run
+ ansible.builtin.systemd:
+ name: dashboard.service
+ enabled: yes
+ state: restarted
+ daemon_reload: yes
+
+- name: Wait until the letsencrypt cert is available
+ ansible.builtin.wait_for:
+ path: /fedcloud-dashboard/letsencrypt/acme.json
+ search_regex: certificate
+
+- name: Disable default site in nginx
+ ansible.builtin.file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: Restart nginx
+
+- name: Move motley-cue to a different port (nginx)
+ ansible.builtin.template:
+ src: nginx.motley_cue.j2
+ dest: /etc/nginx/sites-available/nginx.motley_cue
+ notify: Restart nginx
+
+- name: Move motley-cue to a different port (pam-ssh-oidc)
+ ansible.builtin.template:
+ src: pam-ssh-oidc-config.ini.j2
+ dest: /etc/pam.d/pam-ssh-oidc-config.ini
+ notify: Restart motley-cue
diff --git a/deployment/roles/fedcloud-dashboard/templates/nginx.motley_cue.j2 b/deployment/roles/fedcloud-dashboard/templates/nginx.motley_cue.j2
new file mode 100644
index 0000000..eac79ed
--- /dev/null
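Review bot: `version: motley-https` in the `Checkout repo at VM` task replaces the `{{ git_ref }}` variable with a hard-coded branch name, and a branch is a moving reference, so every run deploys whatever that branch points to at the time and the playbook can no longer pin a release or a commit. Suggest exposing it through the role instead, `version: "{{ fedcloud_dashboard_git_ref }}"`, with a default in `defaults/main.yaml` set to a tag or commit, and dropping the commented-out `#version:` line rather than leaving both. The `Wait until the letsencrypt cert is available` task waits for the word `certificate` in `acme.json`, but the nginx template then reads `certs/certs/{{ fedcloud_dashboard_dns }}.crt` and `certs/private/{{ fedcloud_dashboard_dns }}.key`; nothing in this diff produces those files, so presumably the compose stack does, and a comment on the task naming what extracts them would help, along with an explicit `timeout:` since the module's default of 300 seconds can be shorter than a first certificate issuance.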
+++ b/deployment/roles/fedcloud-dashboard/templates/nginx.motley_cue.j2
@@ -0,0 +1,20 @@
+server {
+ # # if you uncomment this block, make sure you remove the two directives above
+ # # also consider uncommenting the server block above for port 80 redirects to 443
+ # # alternatively, you could use port 8443 instead of 443, as this port is also
+ # # checked by default by the mccli client software.
+ listen 8443 ssl;
+ ssl_certificate /fedcloud-dashboard/letsencrypt/certs/certs/{{ fedcloud_dashboard_dns }}.crt;
+ ssl_certificate_key /fedcloud-dashboard/letsencrypt/certs/private/{{ fedcloud_dashboard_dns }}.key;
+
+ server_name _;
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ # we don't want nginx trying to do something clever with
+ # redirects, we set the Host: header above already.
+ proxy_redirect off;
+ proxy_pass http://unix:/run/motley_cue/motley-cue.sock;
+ }
+}
diff --git a/deployment/roles/fedcloud-dashboard/templates/pam-ssh-oidc-config.ini.j2 b/deployment/roles/fedcloud-dashboard/templates/pam-ssh-oidc-config.ini.j2
new file mode 100644
index 0000000..12d3367
--- /dev/null
+++ b/deployment/roles/fedcloud-dashboard/templates/pam-ssh-oidc-config.ini.j2
@@ -0,0 +1,5 @@
+[user_verification]
+; if local is set to false then user verification is based upon verify_endpoint.
+; This could be the motley-cue endpoint
+local = false
+verify_endpoint = https://{{ fedcloud_dashboard_dns }}:8443/verify_user
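Review bot: The four `# #` comment lines at the top of the server block are copied from the upstream motley-cue nginx sample and refer to "the two directives above" and a "server block above" that do not exist in this template, so they now mislead; replace them with a comment stating what the file does, e.g. `# motley-cue vhost: TLS on 8443 with the dashboard's Let's Encrypt certificate, proxied to the motley-cue unix socket`. The `listen 8443 ssl;` block sets a certificate and key but no `ssl_protocols` directive, so the accepted TLS versions come from the installed nginx build's defaults, which on older releases still include TLSv1 and TLSv1.1; `ssl_protocols TLSv1.2 TLSv1.3;` makes that explicit. The template also overwrites the `nginx.motley_cue` site that `grycap.motley_cue` manages and hard-codes `/run/motley_cue/motley-cue.sock`; whether that socket path matches what the role configures is not visible here and is worth confirming in a comment.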
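Review bot: `verify_endpoint = https://{{ fedcloud_dashboard_dns }}:8443/verify_user` moves PAM user verification from `localhost` to the public DNS name over TLS, so ssh logins now depend on the host resolving its own public name, on port 8443 being reachable from the host itself, and on the system CA store trusting the Let's Encrypt chain; a comment above that line stating these assumptions would help whoever debugs the next login failure. The template also replaces the whole `/etc/pam.d/pam-ssh-oidc-config.ini` with only the `[user_verification]` section, whereas the removed `lineinfile` task edited one line of the file that `grycap.motley_cue` had written; if that file carried other sections they are silently dropped on the next run, which cannot be seen from this diff and should be checked against the role's output.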