~verterok/canonical-identity-provider/bionic-support

---

- hosts: localhost

  vars:

    user: "ubunet"

    hostdir: /srv/{{ hostname }}

    basedir: /srv/{{ hostname }}/{{ deployment }}

    code_dir: "{{ basedir }}/code"

    archive_dir: "{{ basedir }}/code/archives"

    current_dir: "{{ code_dir }}/{{ build_label }}"

    venv: "{{ current_dir }}/env"

    python: "{{ venv }}/bin/python"

    wheel_dir: "{{ current_dir }}/branches/wheels"

    logs_dir: "{{ basedir }}/logs"

    sso_log: "{{ logs_dir }}/sso.log"

    oops_dir: "{{ basedir }}/logs/www-oops"

    conf_dir: "{{ basedir }}/etc"

    run_dir: "{{ basedir }}/run"

    bin_dir: "{{ basedir }}/bin"

    migrate_log_dir: "{{ logs_dir }}/schema-updates"

    db_readonly_path: "{{ run_dir }}"

    port: 8080

    conn_check_script: "{{ current_dir }}/scripts/settings-to-conncheck.py"

    google_saml_key_path: "{{ conf_dir }}/saml-google-key.pem"

    google_saml_cert_path: "{{ conf_dir }}/saml-google-cert.pem"

    user_authorized_key_dir: "/etc/ssh/user-authorized-keys/"

    user_authorized_key_path: "{{ user_authorized_key_dir }}/{{ user }}"

    manage: django_project/manage.py

    DJANGO_SETTINGS_MODULE: "{{ django_settings_module }}"

    syslog_keep_days: 90

  pre_tasks:

    - name: detect if talisker is available

      tags:

          - config-changed

          - wsgi-file-relation-changed

      stat: path={{ code_dir }}/current/env/bin/talisker

      register: talisker

  roles:

    - role: nrpe-external-master

      check_name: check_http

      check_params: "-I 127.0.0.1 -H {{ hostname }} -p {{ port }} -e ' 200 OK' -u '/'"

      service_description: "Verify sso is responding."

      service_context: "{{ relations['nrpe-external-master'][0].nagios_host_context }}"

      service_groups: "{{ nagios_servicegroups }}"

      when: relations['nrpe-external-master'] and 'nagios_host_context' in relations['nrpe-external-master'][0]

    - role: directories-and-permissions

      user: "ubunet"

      readonly_dirs:

        - "{{ code_dir }}"

        - "{{ archive_dir }}"

        - "{{ conf_dir }}"

        - "{{ bin_dir }}"

      writable_dirs:

        - "{{ logs_dir }}"

        - "{{ run_dir }}"

        - "{{ oops_dir }}"

        - "{{ migrate_log_dir }}"

    - role: payload

      group: "{{ user }}"

      payload_dir: "{{ code_dir }}"

      payload_archive: "{{ build_label }}/canonical-identity-provider.tbz2"

      base_uri: "{{ asset_base_uri }}"

      # passed through automatically, but documenting

      # swift_auth_url: "{{ swift_auth_url }}"

      # swift_credentials: "{{ swift_credentials }}"

      when: build_label != ""

    - role: wsgi-app

      current_symlink: "{{ build_label }}"

      service_name: "{{ hostname }}"

      listen_port: "{{ port }}"

      log_dir: "{{ logs_dir }}"

      wsgi_user: "{{ user }}"

      wsgi_group: "{{ user }}"

      wsgi_application: django_project.wsgi

      env_extra: "DJANGO_SETTINGS_MODULE={{ DJANGO_SETTINGS_MODULE }}"

      # clean up any old config in the relation

      wsgi_extra: ""

      wsgi_extra_config: |

            reload = {{ 'True' if deployment == 'devel' else 'False' }}

            statsd_prefix = '{{ statsd_prefix }}'

            {% if statsd_hostport %}statsd_host = '{{ statsd_hostport }}'{% endif %}

      python_path: "{{ conf_dir }}"

      # hardcode to always run the current symlink

      gunicorn_path: "{{ code_dir }}/current/env/bin/{{ 'talisker' if talisker.stat.exists else 'gunicorn' }}"

      when: build_label != ""

  tasks:

    - name: check we have a working payload

      tags: 

        - config-changed

        - memcached-relation-changed

        - conn-check-relation-changed

        - wsgi-file-relation-changed

        - preload

        - migrate

      stat: path={{ current_dir }}

      register: payload

    - name: install required charm packages

      tags:

        - install

        - upgrade-charm

      apt: pkg={{ item }}

      with_items:

        - unzip

        - python-pip

        # workaround to fix CI basing off broken staging missing libpq

        - libpq5

    - name: install virtualenv-tools

      tags: 

        - install

        - upgrade-charm

      pip:

        executable: pip2

        chdir: "{{ charm_dir }}"

        name: lib/virtualenv-tools

        extra_args: "--upgrade --no-index"

    - name: check postfix relayhost

      tags: config-changed

      shell: postconf relayhost

      when: email_hostport != ""

      register: relayhost

    - name: enable postfix forwarder

      tags: config-changed

      shell: postconf -e relayhost={{ email_hostport }} && service postfix restart

      when: email_hostport != "" and email_hostport not in relayhost.stdout

    - name: readonly file

      tags: 

        - config-changed

      file: 

        path: "{{ db_readonly_path }}/db.readonly"

        owner: "{{ user }}"

        group: "{{ user }}"

        state: "{% if readonly %}touch{% else %}absent{% endif %}"

    # temporary task to handle migration to talisker logging

    - name: test for linked logfile

      tags:

          - config-changed

      stat: path={{ sso_log }}

      register: log_file

      when: talisker.stat.exists

    # temporary task to handle migration to talisker logging

    - name: mv old log file

      tags:

          - config-changed

      command: mv {{ sso_log }} {{ sso_log }}.bak

      when: talisker.stat.exists and not log_file.stat.islnk

    - name: link log file

      tags:

          - config-changed

      file:

        path: "{{ logs_dir }}/sso.log"

        src: /var/log/upstart/gunicorn.log

        state: link

      # temporary when until migrated to talisker

      when: talisker.stat.exists

    # the next 2 tasks should really only run when the payload has *changed*

    - name: Install required sso packages

      tags:

        - config-changed

        - preload

      shell: xargs apt-get install -y < {{ current_dir }}/dependencies.txt

      when: build_label != "" and payload.stat.exists

    - name: relocate venv

      tags:

        - config-changed

        - preload

      shell: virtualenv-tools --update-path=auto {{ venv }}

      when: build_label != "" and payload.stat.exists 

    - name: Write charm config

      tags:

        - config-changed

        - memcached-relation-changed

        - memcached-relation-departed

        - migrate

      template:

        src: "{{ charm_dir }}/templates/settings.py.j2"

        dest: "{{ conf_dir }}/test_settings.py"

      when: build_label != "" and payload.stat.exists

    - name: verify settings (will fail if combined config does not parse)

      tags:

        - config-changed

        - memcached-relation-changed

        - memcached-relation-departed

        - migrate

      sudo: yes

      sudo_user: "{{ user }}"

      command: "{{ python }} {{ manage }} check --pythonpath={{ conf_dir }} --settings=test_settings"

      args:

        chdir: "{{ current_dir }}"

      when: build_label != "" and payload.stat.exists

    - name: set config file

      tags:

        - config-changed

        - memcached-relation-changed

        - memcached-relation-departed

        - migrate

      command: mv "{{ conf_dir }}/test_settings.py" "{{ conf_dir }}/settings.py"

      when: build_label != "" and payload.stat.exists

      notify: Restart wsgi

    - name: clean up test settings

      tags:

        - config-changed

        - memcached-relation-changed

        - memcached-relation-departed

        - migrate

      command: rm -f {{ conf_dir }}/test_settings.*

      when: build_label != "" and payload.stat.exists

    - name: Write manage.py runner

      tags:

        - config-changed

      template:

        src: "{{ charm_dir }}/templates/manage.j2"

        dest: "{{ bin_dir }}/manage"

        mode: 0750

      when: build_label != "" and payload.stat.exists

    - name: register leadership data

      tags:

        - config-changed

        - leader-elected

        - leader-settings-changed

      command: is-leader

      register: is_leader

    - name: create maintenance crontabs

      tags:

        - config-changed

        - leader-elected

        - leader-settings-changed

      cron:

        name: "sso maintenance tasks - {{item.name}}"

        special_time: '{{item.when}}'

        job: "IS_LEADER='{{ is_leader.stdout }}'; if [ $IS_LEADER = 'True' ]; then {{ bin_dir }}/manage {{ item.command }} 2>&1 | logger -t sso-maintenance; fi"

        cron_file: sso-periodic-maintenance

        user: "{{ user }}"

      with_items:

        - name: clean_old_authtokens

          command: "clean_old_authtokens"

          when: "daily"

        - name: cleanup --sessions

          command: "cleanup --sessions"

          when: "hourly"

        - name: cleanup --nonces

          command: "cleanup --nonces"

          when: "daily"

        - name: cleanup --testdata

          command: "cleanup --testdata"

          when: "daily"

        - name: check_unverified_accounts_consistency

          command: "check_unverified_accounts_consistency"

          when: "daily"

        - name: suspend_unverified_accounts

          command: "suspend_unverified_accounts"

          when: "daily"

        - name: delete_suspended_accounts

          command: "delete_suspended_accounts"

          when: "daily"

    - name: migration

      tags:

        - migrate

      include: roles/django/tasks/main.yaml

      sudo: yes

      sudo_user: "{{ user }}"

      vars:

        src_dir: "{{ current_dir }}"

        grant_user: "{{ db_user }}"

        migrate_env:

          DB_USER: "{{ migrate_user }}"

          DB_PASSWORD: "{{ migrate_password }}"

          SSO_LOGS_DIR: "{{ migrate_log_dir }}"

          PYTHONPATH: "{{ conf_dir }}"

          DJANGO_SETTINGS_MODULE: "{{ DJANGO_SETTINGS_MODULE }}"

      when: build_label != "" and payload.stat.exists

    - name: Write google SAML key from config

      tags: config-changed

      copy: 

        content: "{{ google_saml_key | b64decode }}"

        dest: "{{ google_saml_key_path }}"

        group: "{{ user }}"

        mode: 0440

      when: google_saml_key != ""

      notify: Restart wsgi

    - name: Write google SAML cert from config

      tags: config-changed

      copy:

        content: "{{ google_saml_cert | b64decode }}"

        dest: "{{ google_saml_cert_path }}"

        group: "{{ user }}"

        mode: 0440

      when: google_saml_cert != ""

      notify: Restart wsgi

    - name: website name

      tags:

        - website-relation-changed

      command: >

        relation-set -r {{ item.__relid__ }}

        hostname={{ local_unit.split('/')[0] }}

        port={{ port }}

      with_items: relations.website

    - name: write conn-check config

      tags:

        - config-changed

        - conn-check-relation-changed

      shell: >

          relation-set -r {{ item.__relid__ }} 

          config="$({{python }} {{ conn_check_script }} -m {{ DJANGO_SETTINGS_MODULE }} --print | grep -v WARNING)" 

          nagios_servicegroups={{ nagios_servicegroups }}

      args:

        chdir: "{{ current_dir }}"

      environment:

          PYTHONPATH: ".:lib:{{ conf_dir }}"

          DJANGO_SETTINGS_MODULE: "{{ DJANGO_SETTINGS_MODULE }}"

      with_items: relations['conn-check']

      when: build_label != "" and payload.stat.exists

    - name: Write rsyslog logrotate configuration

      tags:

        - config-changed

      template:

        src: "{{ charm_dir }}/templates/rsyslog.j2"

        dest: "/etc/logrotate.d/rsyslog"

        mode: 0644

    - name: Create authorized key directory 

      tags: config-changed

      file: 

        path: "{{ user_authorized_key_dir }}"

        state: directory

        mode: 0755

        owner: root

        group: root

      when: user_authorized_key != ""

    - name: Write authorized SSH key from config

      tags: config-changed

      copy: 

        content: "{{ user_authorized_key }}"

        dest: "{{ user_authorized_key_path }}"

        mode: 0444

      when: user_authorized_key != ""