Add deployment for Hermes #42

Merged: Mtze merged 7 commits into main from add-hermes-deployment on Feb 4, 2026


@nel0x nel0x commented Nov 5, 2025

Summary by CodeRabbit

  • Infrastructure & Configuration
    • Added Hermes service setup with configurable version, working directory and port 17333.
    • Enabled APNS certificate support and Google application credentials, both sourced from secure credential storage.
    • Added Hermes hosts to the deployment inventory (production and staging).
    • Added push_notification_relay and artemis_redis_client_name configuration entries for staging environments.

@nel0x nel0x requested a review from a team as a code owner November 5, 2025 17:46

coderabbitai bot commented Nov 5, 2025

Walkthrough

Adds a new Ansible play targeting hosts: hermes invoking role ls1intum.artemis.hermes with setup_system: true and Hermes variables (version: latest, APNS cert path/password/content from Vault, Google credentials path/content from Vault, working_dir, port: 17333); adds [hermes] inventory group with prod and staging hosts; adds push_notification_relay and artemis_redis_client_name variables in staging group_vars.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Hermes Playbook Setup: playbooks/hermes/hermes.yml | New play for hosts: hermes using role ls1intum.artemis.hermes with setup_system: true; sets version: latest, APNS cert path, cert_password and apns_cert_content via Vault lookups, Google credentials path and content via Vault lookups, working_dir, and port: 17333. |
| Inventory: Hermes Hosts: hosts | Adds [hermes] group with two entries: hermes-prod.artemis.cit.tum.de var_hermes_environment=production hermes_apns_prod_environment=true, and hermes-staging.artemis.cit.tum.de var_hermes_environment=test hermes_apns_prod_environment=false. |
| Group variables: staging configs: group_vars/artemis_staging1.yml, group_vars/artemis_staging2.yml | Adds push_notification_relay: "https://hermes-prod.artemis.cit.tum.de" to both staging files; adds artemis_redis_client_name: "artemis-{{ node_id }}" to artemis_staging2.yml. |

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Dev / CI
  participant Ansible as Ansible Controller
  participant Vault as HashiCorp Vault
  participant Hermes as Hermes Host

  rect rgba(240,248,255,0.5)
  Dev->>Ansible: run playbook playbooks/hermes/hermes.yml
  end

  rect rgba(255,250,240,0.5)
  Ansible->>Vault: lookup APNS cert path, cert_password, apns_cert_content
  Ansible->>Vault: lookup google_application_credentials path, content
  Vault-->>Ansible: return secrets
  end

  rect rgba(240,255,240,0.5)
  Ansible->>Hermes: apply role ls1intum.artemis.hermes (setup_system: true) with vars
  Hermes-->>Ansible: acknowledge / configure service, write certs, set port 17333
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped a playbook thru the night,
Vault-held keys tucked in tight,
Relay set and Redis named,
Hermes listens—port proclaimed,
Off we go on a hoppity flight! ✨

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add deployment for Hermes' accurately describes the main purpose of the changeset, which adds a new Hermes deployment across multiple configuration files and playbooks. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e418dbd and 01b4efc.

📒 Files selected for processing (1)
  • playbooks/hermes/hermes.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: otoriphoenix
Repo: ls1intum/artemis-ansible PR: 33
File: group_vars/artemistests_common_config.yml:60-69
Timestamp: 2025-10-13T13:13:14.474Z
Learning: The artemis-ansible repository (ls1intum/artemis-ansible) provides configuration values for the Artemis Ansible Collection (ls1intum/artemis-ansible-collection). The values in files like group_vars/artemistests_common_config.yml are concrete settings consumed by the collection, not variables requiring defaults.
🪛 GitHub Check: 🕵️‍♀️ Ansible Lint
playbooks/hermes/hermes.yml

[failure] 6-6: syntax-check[specific]
the role 'ls1intum.artemis.hermes' was not found in /home/runner/work/artemis-ansible/artemis-ansible/playbooks/hermes/roles:/home/runner/work/artemis-ansible/artemis-ansible/.ansible/roles:/home/runner/work/artemis-ansible/artemis-ansible/roles:/home/runner/work/artemis-ansible/artemis-ansible/roles:/home/runner/work/artemis-ansible/artemis-ansible/roles/community:/home/runner/work/artemis-ansible/artemis-ansible/playbooks/hermes

🔇 Additional comments (3)
playbooks/hermes/hermes.yml (3)

10-10: Clarify path resolution for certificate and credentials files.

The relative paths key/artemis-ios-apns-prod.p12 and key/artemis.json lack context about where they are resolved from. Confirm:

  1. Are these paths resolved relative to the hermes_working_directory (/opt/hermes)?
  2. Are they resolved relative to the playbook directory?
  3. Do they need to be absolute paths instead?

Document the expected path resolution or update to absolute paths if needed for clarity.

Also applies to: 14-14


11-12: Verify Vault secret keys match the stored structure.

The playbook retrieves three secrets from Vault path kv/data/artemis/production/hermes:

  • apns_certificate_password (line 11)
  • apns_certificate_base64 (line 12)
  • google_certificate (line 15)

Confirm these key names match exactly what is stored in Vault. A key mismatch will cause .get() to return None, leading to configuration failures. No documentation or test configuration in the codebase references this Vault path or its expected structure, so manual verification against Vault or infrastructure documentation is required.


6-6: The original review comment is incorrect.

The ls1intum.artemis collection is properly declared in requirements.yml, and the collection includes the Hermes role. The playbook uses the correct namespaced reference format (ls1intum.artemis.hermes). There is no "role not found" issue in the codebase—the role will be resolvable when the collection is installed as specified in the dependencies. The original ansible-playbook command failure was due to the sandbox environment lacking Ansible tools, not a code problem.

Likely an incorrect or invalid review comment.
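
The key-name verification requested in the Vault comment above, as an added example that is not part of this PR or of the ls1intum.artemis collection: a pre-flight check over an already-fetched Vault response that reports problems by key name only. It assumes a KV v2 style dictionary (possibly wrapped in `data` levels) and standard base64 in `apns_certificate_base64`; `unwrap_kv2`, `check_hermes_secret` and the sample data are hypothetical names constructed here.

```python
import base64
import binascii

# Key names exactly as listed in the review comment above.
REQUIRED_KEYS = ("apns_certificate_password", "apns_certificate_base64",
                 "google_certificate")


def unwrap_kv2(obj):
    """Peel KV v2 "data" wrappers until the secret's own key/value map is reached."""
    while (isinstance(obj, dict) and isinstance(obj.get("data"), dict)
           and not any(k in obj for k in REQUIRED_KEYS)):
        obj = obj["data"]
    return obj if isinstance(obj, dict) else {}


def check_hermes_secret(response):
    """Return a list of problems (key names only, never values); empty means usable."""
    secret = unwrap_kv2(response)
    # Map normalised spellings to the keys actually stored, to spot near misses.
    by_norm = {k.strip().lower().replace("-", "_"): k for k in secret}
    problems = []
    for key in REQUIRED_KEYS:
        value = secret.get(key)
        if value is None:
            near = by_norm.get(key)
            hint = f" (found similar key {near!r})" if near and near != key else ""
            problems.append(f"{key}: missing{hint}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: empty or not a string")
    cert = secret.get("apns_certificate_base64")
    if isinstance(cert, str) and cert.strip():
        try:
            # Tolerate line-wrapped base64, reject anything outside the alphabet.
            base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("apns_certificate_base64: not valid base64")
    return problems


# Constructed sample: a KV v2 style read with one misspelled key and a bad blob.
SAMPLE_BAD = {"data": {"metadata": {"version": 3}, "data": {
    "apns-certificate-password": "constructed-value",
    "apns_certificate_base64": "not base64 !!",
    "google_certificate": "{}",
}}}

if __name__ == "__main__":
    for problem in check_hermes_secret(SAMPLE_BAD):
        print(problem)
```
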


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
hosts (1)

129-131: Consider adding a section header for consistency.

Other major sections in this file have descriptive comment headers (e.g., lines 1-3 for Artemis Tests, lines 132-134 for Artemis Staging LocalCI). Adding a similar header for the Hermes section would improve maintainability.

+###############################
+# Hermes
+###############################
 [hermes]
 hermes.artemis.cit.tum.de
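
Review bot: The context lines under the new header show the [hermes] group holding a single bare host, hermes.artemis.cit.tum.de, with nothing that says which environment it belongs to. The playbook discussed in this review reads its APNS and Google credentials from kv/data/artemis/production/hermes, so a test host added to this group later would be configured with production secrets unless the environment is made explicit. Consider listing production and test hosts as separate entries with a per-host environment variable, and naming the environment in the header comment as well.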
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 01b4efc and 96bed80.

📒 Files selected for processing (1)
  • hosts (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-10-13T13:13:14.474Z
Learnt from: otoriphoenix
Repo: ls1intum/artemis-ansible PR: 33
File: group_vars/artemistests_common_config.yml:60-69
Timestamp: 2025-10-13T13:13:14.474Z
Learning: The artemis-ansible repository (ls1intum/artemis-ansible) provides configuration values for the Artemis Ansible Collection (ls1intum/artemis-ansible-collection). The values in files like group_vars/artemistests_common_config.yml are concrete settings consumed by the collection, not variables requiring defaults.

Applied to files:

  • hosts
🔇 Additional comments (1)
hosts (1)

129-131: Code configuration verified; DNS and Vault backend setup remains operational concern.

The hermes host group addition is properly configured. Verification confirms:

  • Playbook playbooks/hermes/hermes.yml exists and correctly references the ls1intum.artemis.hermes role
  • All required vault secrets are properly configured with lookup('hashi_vault', 'kv/data/artemis/production/hermes') for APNS and Google credentials
  • Service configuration (port 17333, working directory, certificate paths) is complete

The infrastructure team should verify DNS resolution of hermes.artemis.cit.tum.de and confirm vault backend secrets are populated, but the code changes are ready.

Mtze commented Nov 6, 2025

Already looking good :) Would you mind adding the test env as well? And there seems to be a linter issue

@bensofficial (Member)

Apparently, the lint issue is that ls1intum/artemis-ansible-collection#170 has not been merged yet.


@Mtze Mtze left a comment

I think we need to bump the version in the requirements.yml for the runner to see the new role + inline

@Mtze Mtze merged commit eca3089 into main Feb 4, 2026
2 checks passed
@Mtze Mtze deleted the add-hermes-deployment branch February 4, 2026 18:44