Merge branch 'main' of github.com:usegalaxy-au/galaxy-media-site

usegalaxy-au · Nov 6, 2024 · 95c66de · 95c66de
2 parents 5bf19cb + 12a9ab4
commit 95c66de
Show file tree

Hide file tree

Showing 46 changed files with 485 additions and 446 deletions.
diff --git a/.env.sample b/.env.sample
@@ -7,15 +7,18 @@ HOSTNAME=localhost:8000
 CSRF_COOKIE_DOMAIN=.mysite.com
 
 # Postgres database credentials
-DB_NAME=webapp
-DB_USER=webapp
+DB_NAME=gms
+DB_USER=gms
 DB_PASSWORD="secret"
 
 # Credentials for your SMTP mail server
 MAIL_FROM_ADDRESS=[email protected]
 MAIL_TO_ADDRESS=[email protected]
 MAIL_USE_TLS=true
 
+# Optional: Send error emails to a different address than MAIL_FROM_ADDRESS
+SERVER_EMAIL=[email protected]
+
 MAIL_SMTP_PORT=25
 MAIL_HOSTNAME=mail.mysite.com
 MAIL_SMTP_USERNAME=admin

diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -23,6 +23,6 @@ jobs:
         echo "${{ secrets.SSH_PRIVATE_KEY_DEV }}" > ~/.ssh/id_rsa
         ssh-keyscan -H ${{ secrets.SSH_HOST_DEV }} > ~/.ssh/known_hosts
     - name: connect and pull
-      run: ssh ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST_DEV }} "./update.sh && exit"
+      run: ssh ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST_DEV }} "sudo ./update.sh && exit"
     - name: cleanup
       run: rm -rf ~/.ssh
diff --git a/deploy/ansible/.gitignore b/deploy/ansible/.gitignore
@@ -1,2 +1,2 @@
 roles/*
-!roles/webapp
+!roles/galaxy_media_site
diff --git a/deploy/ansible/README.md b/deploy/ansible/README.md
@@ -37,7 +37,7 @@ python -m pip install ansible
    - *Optional* - Host installation paths:
      - `project_root` - where this git repository will be cloned
      - `server_root` - where server configuration will be saved
-     - `web_root` - where the application will be served from
+     - `django_root` - where the application will be served from
      - `venv_root` - where the virtual env will be created
 
 

diff --git a/deploy/ansible/dev.yml b/deploy/ansible/dev.yml
@@ -6,7 +6,10 @@
     - group_vars/secrets.yml
     - group_vars/webservers.yml
   roles:
-    - geerlingguy.nginx
+    - role: geerlingguy.nginx
+      tags: init
     - role: geerlingguy.postgresql
       become: true
-    - webapp
+      tags: init,postgresql
+    - role: galaxy_media_site
+      tags: gms
diff --git a/deploy/ansible/files/webapp.socket b/deploy/ansible/files/webapp.socket
@@ -1,6 +1,6 @@
 [Unit]
 Description=Galaxy content site socket
 [Socket]
-ListenStream=/run/webapp.sock
+ListenStream=/run/gms.sock
 [Install]
 WantedBy=sockets.target
diff --git a/deploy/ansible/group_vars/webservers.yml b/deploy/ansible/group_vars/webservers.yml
@@ -16,8 +16,8 @@ gunicorn:
   web_workers: 4
 
 # Postgres database conf
-postgres_db_name: webapp
-postgres_db_user: webapp
+postgres_db_name: gms
+postgres_db_user: gms
 
 postgresql_locales:
   - 'en_US.UTF-8'
@@ -30,25 +30,26 @@ postgresql_users:
   - name: "{{ postgres_db_user }}"
     password: "{{ postgres_db_password }}"
     db: "{{ postgres_db_name }}"
+    priv: ALL
 
 postgres_users_no_log: false
 
 # GMS Webapp configuration
 # -----------------------------------------------------------------------------
 
 # Will git clone galaxy-content-site to here
-project_root: /home/ubuntu/galaxy-content-site
+project_root: /srv/sites/galaxy-media-site
 
 # This is where service files will be created
-server_root: /home/ubuntu/serve
+server_root: /srv/config
 
 # App will be served from here
-web_root: /srv/webapp
+django_root: "{{ project_root }}/webapp"
 
 # Virtual environment will be created here
-venv_root: "{{ project_root }}/.venv"
+venv_root: "{{ project_root }}/venv"
 
-# Admin user login for the admin portal
+# Login for django admin portal
 admin_user:
   first_name: admin
   last_name: admin

diff --git a/deploy/ansible/group_vars/webservers.yml.sample b/deploy/ansible/group_vars/webservers.yml.sample
@@ -19,8 +19,8 @@ gunicorn:
   web_workers: 4
 
 # Postgres database conf
-postgres_db_name: webapp
-postgres_db_user: webapp
+postgres_db_name: gms
+postgres_db_user: gms
 
 postgresql_locales:
   - 'en_US.UTF-8'
@@ -46,7 +46,7 @@ project_root: /home/ubuntu/galaxy-content-site
 server_root: /home/ubuntu/serve
 
 # App will be served from here
-web_root: /srv/webapp
+django_root: /srv/webapp
 
 # Virtual environment will be created here
 venv_root: "{{ project_root }}/.venv"

diff --git a/deploy/ansible/host_vars/site.usegalaxy.org.au.yml b/deploy/ansible/host_vars/site.usegalaxy.org.au.yml
diff --git a/deploy/ansible/hosts b/deploy/ansible/hosts
@@ -1,5 +1,5 @@
 [webservers]
-site.usegalaxy.org.au  ansible_connection=ssh  ansible_user=ubuntu
+site.usegalaxy.org.au  ansible_connection=ssh  ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/galaxy
 
 [dev_webservers]
-dev-site.gvl.org.au  ansible_connection=ssh  ansible_user=ubuntu
+dev-site.gvl.org.au  ansible_connection=ssh  ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/galaxy
diff --git a/deploy/ansible/prod.yml b/deploy/ansible/prod.yml
@@ -6,7 +6,10 @@
     - group_vars/secrets.yml
     - group_vars/webservers.yml
   roles:
-    - geerlingguy.nginx
+    - role: geerlingguy.nginx
+      tags: init
     - role: geerlingguy.postgresql
       become: true
-    - webapp
+      tags: init,postgresql
+    - role: galaxy_media_site
+      tags: gms
diff --git a/...oy/ansible/roles/webapp/defaults/main.yml → ...roles/galaxy_media_site/defaults/main.yml b/...oy/ansible/roles/webapp/defaults/main.yml → ...roles/galaxy_media_site/defaults/main.yml
@@ -1,15 +1,15 @@
 ---
-project_root: /home/ubuntu/galaxy-content-site
-server_root: /home/ubuntu/server
-web_root: /srv/webapp
+project_root: /srv/galaxy-media-site
+server_root: /srv/config
+django_root: "{{ project_root }}/webapp"
 venv_root: "{{ project_root }}/venv"
 
-webapp:
+gms:
   templates:
     - src: "{{ role_path }}/templates/gunicorn.py.j2"
       dest: "{{ server_root }}/gunicorn.py"
-    - src: "{{ role_path }}/templates/webapp.service.j2"
-      dest: /etc/systemd/system/webapp.service
+    - src: "{{ role_path }}/templates/gms.service.j2"
+      dest: /etc/systemd/system/gms.service
     - src: "{{ role_path }}/templates/setup.sh.j2"
       dest: "{{ server_root }}/setup.sh"
     - src: "{{ role_path }}/templates/nginx.vhost.j2"
@@ -20,8 +20,8 @@ webapp:
       dest: "/home/ubuntu/update.sh"
 
   files:
-    - src: "{{ role_path }}/files/webapp.socket"
-      dest: /etc/systemd/system/webapp.socket
+    - src: "{{ role_path }}/files/gms.socket"
+      dest: /etc/systemd/system/gms.socket
 
 certbot_ssl: true
 

diff --git a/.../ansible/roles/webapp/files/webapp.socket → .../roles/galaxy_media_site/files/gms.socket b/.../ansible/roles/webapp/files/webapp.socket → .../roles/galaxy_media_site/files/gms.socket
@@ -1,6 +1,6 @@
 [Unit]
 Description=Galaxy content site socket
 [Socket]
-ListenStream=/run/webapp.sock
+ListenStream=/run/gms.sock
 [Install]
 WantedBy=sockets.target
diff --git a/deploy/ansible/roles/webapp/tasks/main.yml → ...le/roles/galaxy_media_site/tasks/main.yml b/deploy/ansible/roles/webapp/tasks/main.yml → ...le/roles/galaxy_media_site/tasks/main.yml
@@ -1,5 +1,15 @@
 ---
 
+- name: Check whether SSL certificate is already installed
+  ansible.builtin.shell: "certbot certificates"
+  register: certbot_certificates
+  changed_when: false
+
+- name: Set ssl_cert_exists fact from certbot output
+  ansible.builtin.set_fact:
+    ssl_cert_exists: "{{ true if inventory_hostname in certbot_certificates.stdout else false }}"
+  changed_when: false
+
 - name: create server directory
   file:
     path: "{{ server_root }}"
@@ -19,45 +29,47 @@
     name:
       - gcc
       - python3.12
-      - python3.12-pip
-      - python3.12-venv
+      - python3-pip
+      - python3-virtualenv
       - python3.12-dev
       - python3-certbot-nginx
 
+- name: Grant database privileges to postgres_db_user
+  ansible.builtin.shell: >
+    sudo -u postgres psql -c
+    "GRANT ALL ON SCHEMA public TO {{ postgres_db_user }};
+    GRANT USAGE, CREATE ON SCHEMA public TO {{ postgres_db_user }};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO gms;"
+  become: yes
+
 - name: clone git repository for galaxy-content-site
   ansible.builtin.git:
     repo: https://github.com/neoformit/galaxy-content-site.git
     dest: "{{ project_root }}"
     clone: yes
     force: yes
 
-- name: link webapp to /srv/sites
-  ansible.builtin.file:
-    src: "{{ project_root }}/webapp"
-    dest: "{{ web_root }}"
-    state: link
-
-- name: create webapp media directory
+- name: create gms media directory
   file:
-    path: "{{ web_root }}/webapp/media"
+    path: "{{ django_root }}/webapp/media"
     state: directory
 
-- name: create webapp logs directory
+- name: create gms logs directory
   file:
-    path: "{{ web_root }}/webapp/logs"
+    path: "{{ django_root }}/webapp/logs"
     state: directory
 
 - name: template webserver configuration
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-  loop: "{{ webapp.templates }}"
+  loop: "{{ gms.templates }}"
 
 - name: copy webserver configuration
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-  loop: "{{ webapp.files }}"
+  loop: "{{ gms.files }}"
 
 - name: link to enable nginx virtualhost
   ansible.builtin.file:
@@ -71,16 +83,16 @@
     virtualenv: "{{ venv_root }}"
     virtualenv_python: python3.12
 
-- name: run webapp setup script
+- name: run gms setup script
   command: "bash {{ server_root }}/setup.sh"
 
 - name: create and install SSL certificate with letsencrypt
   command: "certbot --nginx --noninteractive --agree-tos --redirect --email {{ certbot_renew_email }} -d {{ inventory_hostname }}"
   when: certbot_ssl
 
-- name: Ensure webapp superuser login
+- name: Ensure gms superuser login
   shell: |
-    cd {{ web_root }} && \
+    cd {{ django_root }} && \
     export DJANGO_SUPERUSER_PASSWORD={{ admin_user.password }} && \
     {{ venv_root }}/bin/python manage.py createsuperuser --noinput \
       --email {{ admin_user.email }} \
@@ -98,18 +110,18 @@
     group: ubuntu
 
 - name: update media file ownership
-  file: dest={{ web_root }}/webapp/media owner=www-data group=www-data mode=u=rwX,g=rwX,o=rwX recurse=yes
+  file: dest={{ django_root }}/webapp/media owner=www-data group=www-data mode=u=rwX,g=rwX,o=rwX recurse=yes
 
 - name: update log file ownership
-  file: dest={{ web_root }}/webapp/logs owner=www-data group=www-data mode=u=rwX,g=rwX,o=rwX recurse=yes
+  file: dest={{ django_root }}/webapp/logs owner=www-data group=www-data mode=u=rwX,g=rwX,o=rwX recurse=yes
 
 - name: make update.sh executable
   file: dest=/home/ubuntu/update.sh mode=a+x
 
 - name: check whether news scraper in GMS version
   ansible.builtin.shell: "{{ venv_root }}/bin/python manage.py scrape_news --help"
   args:
-    chdir: "{{ web_root }}"
+    chdir: "{{ django_root }}"
   register: check_scraper
 
 - name: add cron job to scrape news feed
@@ -118,5 +130,5 @@
     user: ubuntu
     hour: 9
     minute: 0
-    job: "cd {{ web_root }} && {{ venv_root }}/bin/python manage.py scrape_news"
+    job: "cd {{ django_root }} && {{ venv_root }}/bin/python manage.py scrape_news"
   when: check_scraper.rc == 0
diff --git a/...oy/ansible/roles/webapp/templates/.env.j2 → ...roles/galaxy_media_site/templates/.env.j2 b/...oy/ansible/roles/webapp/templates/.env.j2 → ...roles/galaxy_media_site/templates/.env.j2
diff --git a/.../roles/webapp/templates/webapp.service.j2 → ...alaxy_media_site/templates/gms.service.j2 b/.../roles/webapp/templates/webapp.service.j2 → ...alaxy_media_site/templates/gms.service.j2
@@ -1,17 +1,17 @@
 [Unit]
 Description=Gunicorn for Galaxy Media Site
-Requires=webapp.socket
+Requires=gms.socket
 After=network.target
 
 [Service]
 PIDFile=/run/gunicorn/pid
 User = www-data
 Group = www-data
 RuntimeDirectory=gunicorn
-WorkingDirectory={{ web_root }}
-Environment="PATH={{ venv_root }}/.venv/bin:$PATH"
+WorkingDirectory={{ django_root }}
+Environment="PATH={{ venv_root }}/bin:$PATH"
 ExecStart={{ venv_root }}/bin/gunicorn --pid /run/gunicorn/pid   \
-          --bind unix:/run/webapp.sock       \
+          --bind unix:/run/gms.sock       \
           -c {{ server_root }}/gunicorn.py webapp.wsgi
 ExecReload=/bin/kill -s HUP $MAINPID
 ExecStop=/bin/kill -s TERM $MAINPID

diff --git a/...ble/roles/webapp/templates/gunicorn.py.j2 → ...alaxy_media_site/templates/gunicorn.py.j2 b/...ble/roles/webapp/templates/gunicorn.py.j2 → ...alaxy_media_site/templates/gunicorn.py.j2