added ansible config for deployment

Author: artcz

deploy/ansible.cfg

@@ -0,0 +1,6 @@
+[ssh_connection]
+ssh_args = -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPersist=30m
+pipelining = True
+
+[defaults]
+transport = ssh

deploy/hosts.yml

@@ -0,0 +1,22 @@
+all:
+  hosts:
+    intbot_setup:
+      ansible_host: internal.europython.eu
+      ansible_user: root
+      nginx_user: nginx_user
+      app_user: intbot_user
+
+    intbot_nginx:
+      ansible_host: internal.europython.eu
+      ansible_user: nginx_user
+      app_user: intbot_user
+      domain_name: internal.europython.eu
+      app_port: 4672
+      letsencrypt_email: "[email protected]"
+      letsencrypt_rsa_key_size: 4096
+
+    intbot_app:
+      ansible_host: internal.europython.eu
+      ansible_user: intbot_user
+      app_port: 4672
+      repository_url: [email protected]:europython/internal-bot.git

deploy/playbooks/01_setup.yml

@@ -0,0 +1,95 @@
+- name: Deploy nginx and Let's Encrypt SSL certificate
+  hosts: intbot_setup
+  become: yes
+  gather_facts: yes
+
+  tasks:
+    - name: Install Docker dependencies
+      apt:
+        name: "{{ package }}"
+        state: present
+        update_cache: yes
+      vars:
+        package:
+          - apt-transport-https
+          - ca-certificates
+          - curl
+          - gnupg
+          - lsb-release
+          - make
+
+    - name: Install Docker
+      block:
+        - name: Add Docker GPG key
+          apt_key:
+            url: https://download.docker.com/linux/ubuntu/gpg
+            state: present
+
+        - name: Add Docker repository
+          apt_repository:
+            repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable
+            state: present
+
+        - name: Install Docker
+          apt:
+            name: docker-ce
+            state: present
+
+    - name: Combine non-root users to a single list
+      set_fact:
+        non_root_user_names: ["{{ nginx_user }}", "{{ app_user }}"]
+
+    - name: Create non-root users
+      block:
+        - name: Add user
+          ansible.builtin.user:
+            name: "{{ username }}"
+            shell: "/bin/bash"
+            generate_ssh_key: yes
+            ssh_key_type: ed25519
+            ssh_key_comment: "{{ username }}@{{ inventory_hostname }}"
+            create_home: yes
+          loop: "{{ non_root_user_names }}"
+          loop_control:
+            loop_var: username
+
+        - name: Make sure that user has permissions to the their home
+          ansible.builtin.file:
+            path: "/home/{{ username }}"
+            state: directory
+            owner: "{{ username }}"
+            group: "{{ username }}"
+          loop: "{{ non_root_user_names }}"
+          loop_control:
+            loop_var: username
+
+        - name: Then copy the authorized_keys from root so you can ssh later to the user
+          copy:
+            src: "/root/.ssh/authorized_keys"
+            dest: "/home/{{ username }}/.ssh/authorized_keys"
+            owner: "{{ username }}"
+            group: "{{ username }}"
+            mode: "0600"
+            remote_src: "yes"
+          loop: "{{ non_root_user_names }}"
+          loop_control:
+            loop_var: username
+
+        - name: Add the non root users (both nginx and app) to docker group
+          user:
+            name: "{{ username }}"
+            groups: docker
+            append: yes
+          loop: "{{ non_root_user_names }}"
+          loop_control:
+            loop_var: username
+
+    - name: Read the deploy public key
+      slurp:
+        src: "/home/{{ app_user }}/.ssh/id_ed25519.pub"
+      register: deploy_key
+
+    - name: Display the public key
+      debug:
+        msg: "For private repositories, make sure to put this key as deploy key on github:  {{ deploy_key.content | b64decode }}"
+

deploy/playbooks/02_nginx.yml

@@ -0,0 +1,25 @@
+- name: Make sure that nginx and https work correctly for the app
+  hosts: intbot_nginx
+
+  tasks:
+    - name: Copy nginx configuration file
+      ansible.builtin.template:
+        src: ../templates/nginx/nginx.conf.j2
+        dest: ./nginx.conf
+
+    - name: Create a server Makefile (for nginx) to manage on-server tasks
+      ansible.builtin.template:
+        src: ../templates/nginx/Makefile.nginx.j2
+        dest: ./Makefile
+
+    - name: Set up docker-compose.yml on the remote server
+      ansible.builtin.template:
+        src: ../templates/nginx/docker-compose.nginx.yml.j2
+        dest: ./docker-compose.yml
+
+    - name: Make sure the directory structure for certs exist
+      shell: mkdir -p ./data/certbot/conf
+
+    - name: Display info at the end
+      debug:
+        msg: "Go to /home/{{ ansible_user }} and run make certbot/init-staging; then make certbot/upgrade-to-prod"

deploy/playbooks/03_app.yml

@@ -0,0 +1,50 @@
+- name: Deploy the bot/app/worker on remote host
+  hosts: intbot_app
+
+  tasks:
+    - name: Clone the repository to a specific version (to a temp location)
+      git:
+        repo: "{{ repository_url }}"
+        dest: /tmp/src
+        accept_hostkey: yes
+        version: "{{ app_version }}"
+
+    - name: Build with a given commit hash
+      # This will be stored in local registry, and available as version to docker-compose
+      # where we can just reference correct version
+      shell: "cd /tmp/src && make docker/build V={{ app_version }}"
+
+    - name: Create a server Makefile to manage app tasks
+      ansible.builtin.template:
+        src: ../templates/app/Makefile.app.j2
+        dest: ./Makefile
+
+    - name: Set up docker-compose.yml for the app
+      ansible.builtin.template:
+        src: ../templates/app/docker-compose.app.yml.j2
+        dest: ./docker-compose.yml
+
+    - name: Check if the env file exists
+      ansible.builtin.stat:
+        path: intbot.env
+      register: env_file
+
+    - name: If env file doesn't exist - copy the example
+      ansible.builtin.copy:
+        src: ../templates/app/intbot.env.example
+        dest: intbot.env.example
+      when: not env_file.stat.exists
+
+    - name: If the env file doesn't exist - fail with error message
+      ansible.builtin.fail:
+        msg: "The env file doesn't exist. Please ssh, copy the example and adjust"
+      when: not env_file.stat.exists
+
+    - name: Start docker compose to see if everything is running
+      shell: "docker compose up -d"
+
+    - name: Migrate on prod
+      shell: "make prod/migrate"
+
+    - name: Restart everything and finish
+      shell: "docker compose up -d"

deploy/templates/app/.env.example

@@ -0,0 +1,18 @@
+
+echo:
+	"Dummy target, to not run something accidentally"
+
+prod/migrate:
+	docker compose run app make in-container/migrate
+
+prod/shell:
+	docker compose run app make in-container/shell
+
+prod/db_shell:
+	docker compose run app make in-container/db_shell
+
+prod/manage:
+	docker compose run app make in-container/manage ARG=$(ARG)
+
+logs:
+	docker compose logs -f

deploy/templates/app/Makefile.app.j2

@@ -0,0 +1,52 @@
+
+services:
+  db:
+    image: postgres:16.4
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    env_file:
+      - intbot.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U intbot_user_prod -d intbot_database_prod"]
+      interval: 10s
+      retries: 5
+      start_period: 30s
+      timeout: 10s
+
+  app:
+    image: "intbot:{{ app_version }}"
+    command: "make in-container/gunicorn"
+    env_file:
+      - intbot.env
+    environment:
+      - APP_VERSION={{ app_version[:8] }}
+    expose:
+      - "{{ app_port }}"
+    networks:
+      - "shared_with_nginx_network"
+      - "default"
+    depends_on:
+      db:
+        condition: service_healthy
+        restart: true
+
+  bot:
+    image: "intbot:{{ app_version }}"
+    command: "make in-container/bot"
+    env_file:
+      - intbot.env
+    environment:
+      - APP_VERSION={{ app_version[:8] }}
+    depends_on:
+      db:
+        condition: service_healthy
+        restart: true
+
+volumes:
+  pgdata:
+
+
+networks:
+  shared_with_nginx_network:
+    name: shared_with_nginx_network
+    external: true

deploy/templates/app/docker-compose.app.yml.j2

@@ -0,0 +1,13 @@
+DJANGO_SETTINGS_MODULE="intbot.settings"
+DJANGO_ENV="prod"
+
+# Change this on production
+SECRET_KEY="asdf-asdf-asdf-1234-1234-1234"
+
+# Database settings
+POSTGRES_DB="intbot_database_prod"
+POSTGRES_USER="intbot_user_prod"
+POSTGRES_PASSWORD="RandomPasswordPleaseChange"
+
+# Discord
+DISCORD_BOT_TOKEN="Token Goes Here"

deploy/templates/app/intbot.env.example

@@ -0,0 +1,88 @@
+# Set a special docker-compose file for all the operations
+COMPOSE := docker compose
+
+CERT_PATH=/etc/letsencrypt/live/{{ domain_name }}
+DATA_PATH=./data/certbot
+SSL_NGINX_CONF_URL=https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+SSL_DHPARAMS_URL=https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem
+
+echo:
+	"This is a first dummy target, so you don't accidentally run something :)"
+
+nginx/recreate:
+	$(COMPOSE) up --force-recreate -d nginx
+
+certbot/renew:
+	$(COMPOSE) run certbot renew
+	$(COMPOSE) restart nginx
+
+
+certbot/list:
+	$(COMPOSE) run certbot certificates
+
+
+certbot/init-staging: \
+	certbot/download-initial-parameters \
+	certbot/create-dummy-certificate \
+	nginx/recreate \
+	certbot/delete-dummy-certificate \
+	certbot/create-staging-certificate
+
+
+certbot/download-initial-parameters:
+	@echo "### Downloading recommended TLS parameters ... "
+	mkdir -p "$(DATA_PATH)/conf"
+	curl -s $(SSL_NGINX_CONF_URL) > "$(DATA_PATH)/conf/options-ssl-nginx.conf"
+	curl -s $(SSL_DHPARAMS_URL) > "$(DATA_PATH)/conf/ssl-dhparams.pem"
+
+
+certbot/create-dummy-certificate:
+	@echo "### Creating a dummy certificate for {{ domain_name }}"
+	mkdir -p "$(DATA_PATH)/conf/live/{{ domain_name }}"
+	$(COMPOSE) run --rm --entrypoint "\
+		openssl req -x509 -nodes -newkey rsa:{{ letsencrypt_rsa_key_size }} \
+		-days 1 \
+		-keyout '$(CERT_PATH)/privkey.pem' \
+		-out '$(CERT_PATH)/fullchain.pem' \
+		-subj '/CN=localhost'" \
+		certbot
+
+
+certbot/delete-dummy-certificate:
+	@echo "### Deleting dummy certificate for {{ domain_name }} ..."
+	$(COMPOSE) run --rm --entrypoint "\
+		rm -rf /etc/letsencrypt/live/{{ domain_name }} && \
+		rm -rf /etc/letsencrypt/archive/{{ domain_name }} && \
+		rm -rf /etc/letsencrypt/renewal/{{ domain_name }}.conf" \
+		certbot
+
+
+certbot/create-staging-certificate:
+	# First regenerate the certificate
+	$(COMPOSE) run certbot certonly \
+		--staging \
+		--webroot -w /var/www/certbot \
+		--email "{{ letsencrypt_email }}" \
+		-d "{{ domain_name }}" \
+		--rsa-key-size "{{ letsencrypt_rsa_key_size }}" \
+		--agree-tos \
+		--force-renewal
+	# And then restart nginx....
+	$(COMPOSE) exec nginx nginx -s reload
+
+
+certbot/force-reissue-PROD-certificate:
+	# First regenerate the certificate
+	$(COMPOSE) run certbot certonly \
+		--force-renewal \
+		--webroot -w /var/www/certbot \
+		--email "{{ letsencrypt_email }}" \
+		-d "{{ domain_name }}" \
+		--rsa-key-size "{{ letsencrypt_rsa_key_size }}" \
+		--agree-tos \
+		--force-renewal
+	# And then restart nginx....
+	$(COMPOSE) exec nginx nginx -s reload
+
+
+certbot/upgrade-to-prod: certbot/force-reissue-PROD-certificate