update cdh web test/prod for jammy (#170)

* add new jammy vms to the host inventory * add nfs mounted media path * Force snap refresh to change node version resolves #143 Co-authored-by: Ryan Heuser <[email protected]> * Move nfs mount command to common setup role * Update python-opencv package name for jammy * Do an npm production install, to skip installing dev dependencies * Fix syntax on conditional for bionic + nfs media path * Automate proprietary font handling for cdhweb * Update & expand readme for geniza setup role --------- Co-authored-by: Francis Kayiwa <[email protected]> Co-authored-by: Ryan Heuser <[email protected]>
Princeton-CDH · Dec 20, 2023 · 896189a · 896189a
1 parent f7c3a00
commit 896189a
Show file tree

Hide file tree

Showing 13 changed files with 674,385 additions and 27 deletions.
diff --git a/group_vars/cdhweb/vars.yml b/group_vars/cdhweb/vars.yml
@@ -43,7 +43,7 @@ django_local_settings_template: "cdhweb_settings.py.j2"
 # db_backup_path: "/home/{{ deploy_user }}/backups/pre-{{ version }}-{{ short_hash }}.sql"
 # app-specific system dependencies
 app_dependencies:
-  - python-opencv # for wagtail image feature detection
+  - python3-opencv # for wagtail image feature detection
 
 passenger_app_root: "/var/www/{{ app_name }}"
 passenger_server_name: "cdh.princeton.edu"
@@ -52,7 +52,10 @@ passenger_python: "{{ passenger_app_root }}/env/bin/python"
 
 # for passenger config, this MUST end with a trailing slash;
 # also used for replication
-media_root: /var/www/media/
+# media_root: /var/www/media/
+# media nfs path
+media_root: /mnt/nfs/cdh/cdhweb/media/
+
 
 # source host when replicating data/media (use host from inventory file)
 replication_source_host: cdhweb_prod

diff --git a/hosts b/hosts
@@ -29,8 +29,10 @@ derrida_prod
 
 [cdhweb_qa]
 cdh-test-web1.princeton.edu
+cdh-test-web2.princeton.edu
 [cdhweb_prod]
 cdh-web1.princeton.edu
+cdh-web2.princeton.edu
 
 [cdhweb:children]
 cdhweb_qa

diff --git a/playbooks/cdhweb.yml b/playbooks/cdhweb.yml
@@ -11,6 +11,7 @@
     - build_npm
     - configure_logging
     - django
+    - cdhweb_setup
     - django_compressor
     - finalize_deploy
     - close_deployment
diff --git a/playbooks/cdhweb_qa.yml b/playbooks/cdhweb_qa.yml
@@ -11,6 +11,7 @@
     - build_npm
     - configure_logging
     - django
+    - cdhweb_setup
     - django_compressor
     - finalize_deploy
     - close_deployment
diff --git a/roles/build_npm/tasks/main.yml b/roles/build_npm/tasks/main.yml
@@ -19,21 +19,24 @@
         channel: "{{ node_version }}/stable"
         state: present
       when: ansible_distribution == "Ubuntu"
+      register: snap_results
 
-    # NOTE: upgrading nodejs on cdh-geniza1 failed;
-    # was able to get it working with refresh
-    # instead of install:
-    #   sudo snap refresh node --channel=16
-    # We may want to run refresh as a command, see
-    # https://serverfault.com/a/1025300
+    # NOTE: upgrading nodejs with ansible snap fails, even though
+    # the documentation claims it should refresh when then channel changes.
+    # Manually run a refresh command to ensure version changes take effect, e.g.:
+    #   sudo snap refresh node --channel=18
+    # NOTE2: could add a node -v check and only refresh on mismatch
 
+    - name: Refresh nodejs to ensure version changes take effect
+      become: true
+      ansible.builtin.command: "snap refresh node --channel={{ node_version }}/stable"
 
     - name: install javascript dependencies with npm
       become: true
       become_user: "{{ deploy_user }}"
       npm:
         path: "{{ deploy }}"
-        ci: true
+        production: true
 
   rescue:
     - include_tasks: roles/create_deployment/tasks/fail.yml
diff --git a/roles/cdhweb_setup/README.md b/roles/cdhweb_setup/README.md
@@ -0,0 +1,15 @@
+# cdhweb setup
+
+Application setup specific to CDH web.
+
+Currently includes handling for licensed fonts. A vaulted archive file of the purchased fonts is included as a tar file, to be copied and extracted to the remote server.
+
+To update the font file:
+
+- decrypt with ansible-vault: `ansible-vault encrypt roles/cdhweb_setup/files/cdhweb_fonts.vault`
+- extract files to a temporary directory via `tar -xvf roles/cdhweb_setup/files/cdhweb_fonts.vault`
+- add/remove files as needed
+- update vault file from the directory with the font files
+  via `tar -cvf [path]roles/cdhweb_setup/files/cdhweb_fonts.vault *`  
+  (Needs to be included without any folder or additional path.)
+- re-encrypt with default vault key `ansible-vault encrypt --encrypt-vault-id default roles/cdhweb_setup/files/cdhweb_fonts.vault`  
diff --git a/roles/cdhweb_setup/defaults/main.yml b/roles/cdhweb_setup/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults for cdhweb_setup
+nginx_user: "www-data"
+font_path: "/var/www/fonts/"
diff --git a/roles/cdhweb_setup/files/cdhweb_fonts.vault b/roles/cdhweb_setup/files/cdhweb_fonts.vault
diff --git a/roles/cdhweb_setup/tasks/main.yml b/roles/cdhweb_setup/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# tasks file for geniza_setup
+
+- name: Ensure fonts directory exists
+  become: true
+  ansible.builtin.file:
+    path: "{{ font_path }}"
+    state: directory
+    mode: '0775'
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}"
+
+- name: Extract licensed fonts
+  become: true
+  become_user: "{{ django_user }}"
+  ansible.builtin.unarchive:
+    src: cdhweb_fonts.vault
+    dest: "{{ font_path }}"
+    group: "{{ nginx_user }}"
diff --git a/roles/django/tasks/media.yml b/roles/django/tasks/media.yml
@@ -21,8 +21,8 @@
         group: "{{ media_group }}"
         state: directory
         recurse: true
-      # nfs config (owner/group) make this fail on bionic
-      when: "{{ 'nfs' not in media_root or ansible_distribution_version != '18.04' }}"
+      # nfs config (owner/group); this fails on bionic
+      when: ansible_distribution_version != "18.04" or "nfs" not in media_root
 
     - name: Give deploy acl rwx over all files in the directory as a fall back
       become: true

diff --git a/roles/geniza_setup/README.md b/roles/geniza_setup/README.md
@@ -1,10 +1,11 @@
-geniza_setup
-============
+# geniza_setup
 
-Application setup specific to geniza playbooks.
+Setup specific to geniza application.
 
 Currently includes handling for licensed fonts. A vaulted archive file of the purchased fonts is included as a tar file, to be copied and extracted to the remote server.
 
+This role also includes the setup for github access, git configuration, and data directory needed for pushing data exports from the web application to GitHub.
+
 To update the font file:
 
 - extract files to a temporary directory via `tar -xvf roles/geniza_setup/files/geniza_fonts.vault`

diff --git a/roles/prosody_setup/tasks/main.yml b/roles/prosody_setup/tasks/main.yml
@@ -37,19 +37,6 @@
   # with old nfs
   when:  "{{ ansible_distribution_version != '18.04' }}"
 
-- name: Ensure the presence of cdh nfs mount
-  tags:
-    - setup
-    - nfs
-    - never
-  ansible.posix.mount:
-    src: "{{ nfs_server }}:/var/nfs/cdh"
-    path: "/mnt/nfs/cdh"
-    state: mounted
-    fstype: nfs
-    opts: rw,sync,hard
-  become: true
-
 - name: Ensure prosody data directory
   tags:
     - setup

diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml
@@ -13,3 +13,15 @@
     file: vars/vault.yml
   when: geniza_deploy_only is not defined or geniza_deploy_only == ""
 
+- name: Ensure the presence of cdh nfs mount
+  tags:
+    - setup
+    - nfs
+    - never
+  ansible.posix.mount:
+    src: "{{ nfs_server }}:/var/nfs/cdh"
+    path: "/mnt/nfs/cdh"
+    state: mounted
+    fstype: nfs
+    opts: rw,sync,hard
+  become: true