Enable the deployment of the Engine and the Federated API applications on a single server (#39)

Author: Ndpnt

CHANGELOG.md

@@ -2,7 +2,15 @@
 
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## Unreleased [minor]
+
+_Full changeset and discussions: [#39](https://github.com/OpenTermsArchive/deployment/pull/39)._
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Added
+
+- Enable the deployment of the Open Terms Archive Engine and Federated API applications on a single server; refer to the [added playbooks](https://github.com/OpenTermsArchive/deployment#engine-and-federated-api-applications)
 
 ## 1.1.1 - 2024-04-08
 

README.md

@@ -147,6 +147,27 @@ Available [tags](https://docs.ansible.com/ansible/latest/user_guide/playbooks_ta
 
 - - -
 
+### Engine and Federated API applications
+
+Available playbooks to deploy both the Open Terms Archive Engine and Federated API applications on a single server.
+
+| Playbook name | Description | Command example |
+| --- | --- | --- |
+| `engine_and_federated_api.infrastructure` | Set up and configure the infrastructure required by the Open Terms Archive engine and federated API applications | `ansible-playbook opentermsarchive.deployment.engine_and_federated_api.infrastructure` |
+| `engine_and_federated_api.application` | Deploy the Open Terms Archive engine and federated API applications | `ansible-playbook opentermsarchive.deployment.engine_and_federated_api.application` |
+| `engine_and_federated_api.all` | Set up infrastructure and deploy the Open Terms Archive engine and federated API applications | `ansible-playbook opentermsarchive.deployment.engine_and_federated_api.all` |
+
+#### Configuration
+
+Available variables are listed below, along with default values:
+
+| Variable | Description | Default value | Required |
+| --- | --- | --- | --- |
+| `ota_reverse_proxy_engine_path` | Path where the collection API embed with the engine will be available | `/collection-api` | - |
+| `ota_reverse_proxy_federated_api_path` | Path where the federated API will be available | `/federation-api` | - |
+
+- - -
+
 ## Encrypt sensitive configuration entries
 
 Certain configuration entries contain sensitive information that should be encrypted to ensure security. Ansible provides a convenient way to encrypt such strings using its built-in [vault feature](https://docs.ansible.com/ansible/2.9/user_guide/vault.html):

playbooks/engine/application.yml

@@ -5,7 +5,7 @@
   tasks:
     - name: Load the production config
       ansible.builtin.include_vars:
-        name: app_config
+        name: ota_engine_app_config
         file: "{{ inventory_dir }}/{{ ota_engine_config_path | default('../config/production.json') }}"
       tags: always
 

playbooks/engine_and_federated_api/all.yml

@@ -0,0 +1,6 @@
+---
+- name: Set up infrastructure and deploy the Open Terms Archive engine and federated API
+  hosts: all
+
+- import_playbook: infrastructure.yml
+- import_playbook: application.yml

playbooks/engine_and_federated_api/application.yml

@@ -0,0 +1,43 @@
+---
+- name: Deploy the Open Terms Archive engine and federated API
+  hosts: all
+  vars:
+    ota_reverse_proxy_engine_path: "/collection-api"
+    ota_reverse_proxy_federated_api_path: "/federation-api"
+  tasks:
+    - block:
+      - name: Load the engine production config
+        ansible.builtin.include_vars:
+          name: ota_engine_app_config
+          file: "{{ inventory_dir }}/{{ ota_engine_config_path | default('../config/production.json') }}"
+      
+      - ansible.builtin.include_role:
+          name: engine
+
+      - ansible.builtin.include_role:
+          name: federated_api
+      tags: always
+
+    - block:
+      - name: Add conf in NGINX sites-available
+        ansible.builtin.template:
+          src: nginx-conf.j2
+          dest: '/etc/nginx/sites-available/ota'
+          force: true
+          mode: "644"
+
+      - name: Link conf from sites-available to sites-enabled
+        ansible.builtin.file:
+          src: '/etc/nginx/sites-available/ota'
+          dest: '/etc/nginx/sites-enabled/ota'
+          state: link
+          force: true
+      become: true
+      notify: Restart NGINX
+  
+  handlers:
+  - name: Restart NGINX
+    become: true
+    ansible.builtin.service:
+      name: nginx
+      state: restarted

playbooks/engine_and_federated_api/infrastructure.yml

@@ -0,0 +1,7 @@
+---
+- name: Set up infrastructure
+  hosts: all
+  become: true
+
+- ansible.builtin.import_playbook: ../engine/infrastructure.yml
+- ansible.builtin.import_playbook: ../federated_api/infrastructure.yml

playbooks/engine_and_federated_api/templates/nginx-conf.j2

@@ -0,0 +1,22 @@
+{{ ansible_managed | comment }}
+
+server {
+  listen 80;
+  server_name {{ inventory_hostname }};
+  
+  location {{ ota_reverse_proxy_engine_path }} {
+    # Allowing for a `burst` of up to 5 requests beyond the specified rate limit. The `nodelay` parameter ensures that excessive requests beyond the burst limit are immediately rejected with a 429 error response instead of being queued. See https://www.nginx.com/blog/rate-limiting-nginx/.
+    limit_req zone=limited burst=5 nodelay;
+    rewrite ^{{ ota_reverse_proxy_engine_path }}/(.*)$ /$1 break;
+    proxy_pass http://localhost:{{ ota_engine_app_config.api.port }};
+    proxy_redirect off;
+  }
+
+  location {{ ota_reverse_proxy_federated_api_path }} {
+    # Allowing for a `burst` of up to 5 requests beyond the specified rate limit. The `nodelay` parameter ensures that excessive requests beyond the burst limit are immediately rejected with a 429 error response instead of being queued. See https://www.nginx.com/blog/rate-limiting-nginx/.
+    limit_req zone=limited burst=5 nodelay;
+    rewrite ^{{ ota_reverse_proxy_federated_api_path }}/(.*)$ /$1 break;
+    proxy_pass http://localhost:{{ ota_federated_api_app_config.port }};
+    proxy_redirect off;
+  }
+}

roles/engine/defaults/main.yml

@@ -1,4 +1,4 @@
-ota_engine_declarations_directory: "{{ app_config.name }}"
+ota_engine_declarations_directory: "{{ ota_engine_app_config.name }}"
 ota_engine_declarations_branch: main
 ota_engine_snapshots_branch: main
 ota_engine_versions_branch: main

roles/engine/tasks/main.yml

@@ -18,7 +18,7 @@
 
 - name: Install services declarations
   ansible.builtin.git:
-    repo: '{{ app_config.services.repository }}'
+    repo: '{{ ota_engine_app_config.services.repository }}'
     dest: '/home/{{ ansible_user }}/{{ ota_engine_declarations_directory }}'
     version: '{{ ota_engine_declarations_branch }}'
     force: true
@@ -60,37 +60,37 @@
   become: true
   ansible.builtin.template:
     src: nginx-conf.j2
-    dest: '/etc/nginx/sites-available/ota-engine-api'
+    dest: '/etc/nginx/sites-available/ota'
     force: true
     mode: "644"
   notify: Restart NGINX
 
 - name: Link conf from sites-available to sites-enabled
   become: true
   ansible.builtin.file:
-    src: '/etc/nginx/sites-available/ota-engine-api'
-    dest: '/etc/nginx/sites-enabled/ota-engine-api'
+    src: '/etc/nginx/sites-available/ota'
+    dest: '/etc/nginx/sites-enabled/ota'
     state: link
     force: true
   notify: Restart NGINX
 
 - name: Setup snapshots git repository
   ansible.builtin.include_tasks: database.yml
-  when: app_config.recorder.snapshots.storage.git.repository is defined
+  when: ota_engine_app_config.recorder.snapshots.storage.git.repository is defined
   vars:
     engine_database_name: snapshots
-    engine_database_repository: '{{ app_config.recorder.snapshots.storage.git.repository }}'
+    engine_database_repository: '{{ ota_engine_app_config.recorder.snapshots.storage.git.repository }}'
     engine_database_branch: '{{ ota_engine_snapshots_branch }}'
-    engine_database_directory: '/home/{{ ansible_user }}/{{ ota_engine_declarations_directory }}/{{ app_config.recorder.snapshots.storage.git.path }}'
+    engine_database_directory: '/home/{{ ansible_user }}/{{ ota_engine_declarations_directory }}/{{ ota_engine_app_config.recorder.snapshots.storage.git.path }}'
 
 - name: Setup versions git repository
   ansible.builtin.include_tasks: database.yml
-  when: app_config.recorder.versions.storage.git.repository is defined
+  when: ota_engine_app_config.recorder.versions.storage.git.repository is defined
   vars:
     engine_database_name: versions
-    engine_database_repository: '{{ app_config.recorder.versions.storage.git.repository }}'
+    engine_database_repository: '{{ ota_engine_app_config.recorder.versions.storage.git.repository }}'
     engine_database_branch: '{{ ota_engine_versions_branch }}'
-    engine_database_directory: '/home/{{ ansible_user }}/{{ ota_engine_declarations_directory }}/{{ app_config.recorder.versions.storage.git.path }}'
+    engine_database_directory: '/home/{{ ansible_user }}/{{ ota_engine_declarations_directory }}/{{ ota_engine_app_config.recorder.versions.storage.git.path }}'
 
 - name: Start Open Terms Archive schedulers
   ansible.builtin.command:

roles/engine/templates/nginx-conf.j2

@@ -7,7 +7,7 @@ server {
   location / {
     # Allowing for a `burst` of up to 5 requests beyond the specified rate limit. The `nodelay` parameter ensures that excessive requests beyond the burst limit are immediately rejected with a 429 error response instead of being queued. See https://www.nginx.com/blog/rate-limiting-nginx/.
     limit_req zone=limited burst=5 nodelay;
-    proxy_pass http://localhost:{{ app_config.api.port }};
+    proxy_pass http://localhost:{{ ota_engine_app_config.api.port }};
     proxy_redirect off;
   }
 }