Merge branch 'main' into live

zestedesavoir · Jul 21, 2024 · 92ed466 · 92ed466
2 parents 5be681c + d03f82a
commit 92ed466
Show file tree

Hide file tree

Showing 16 changed files with 796 additions and 34 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -2,7 +2,7 @@ GEM
   remote: https://rubygems.org/
   specs:
     bcrypt_pbkdf (1.1.0)
-    bigdecimal (3.1.7)
+    bigdecimal (3.1.8)
     builder (3.2.4)
     chef-utils (18.4.12)
       concurrent-ruby
@@ -40,21 +40,23 @@ GEM
     multi_json (1.15.0)
     net-scp (4.0.0)
       net-ssh (>= 2.6.5, < 8.0.0)
-    net-ssh (7.2.1)
+    net-ssh (7.2.3)
     net-ssh-gateway (2.0.0)
       net-ssh (>= 4.0.0)
     nori (2.7.0)
       bigdecimal
     pastel (0.8.0)
       tty-color (~> 0.5)
-    rexml (3.2.6)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
     rubyntlm (0.6.3)
     rubyzip (2.3.2)
     strings (0.2.1)
       strings-ansi (~> 0.2)
       unicode-display_width (>= 1.5, < 3.0)
       unicode_utils (~> 1.4)
     strings-ansi (0.2.0)
+    strscan (3.1.0)
     test-kitchen (3.6.0)
       bcrypt_pbkdf (~> 1.0)
       chef-utils (>= 16.4.35)

diff --git a/docs/backup.md b/docs/backup.md
@@ -254,7 +254,10 @@ borg list beta-backup:/chemin | less
 # mensuelle des 6 derniers mois.
 # `-n` pour simuler la suppression et voir les sauvegardes qui vont être
 # supprimées.
-borg prune --keep-within 3m -m 6 --list --stats -n beta-backup:/chemin
+borg prune --keep-within 3m -m 6 --list --stats --progress -n beta-backup:/chemin
+# Enlever l'éventuel --append-only dans .ssh/authorized_keys
+borg compact --progress beta-backup:/chemin # pour vraiment libérer l'espace
+# Remettre l'éventuel --append-only dans .ssh/authorized_keys
 ```
 
 

diff --git a/docs/install.md b/docs/install.md
@@ -2,14 +2,14 @@
 
 ## Version simple, rapide et efficace
 
-```shell
+```sh
 make install
 source venv/bin/activate
 ```
 
 ## Version détaillée
 
-```shell
+```sh
 # Création de l'environnement virtuel
 python3 -m venv venv
 # Activation de l'environnement
@@ -24,16 +24,32 @@ pre-commit install
 ```
 
 
-## Pour exécuter localement kitchen
+## Ruby
 
-Pour exécuter localement ce qui est exécuté par GitHub Actions:
-```shell
+Surtout utile pour lancer localement ce qui est exécuté par GitHub Actions.
+
+
+### Installation
+
+```sh
 sudo apt install bundler
 bundle config set --local path 'vendor/bundle'
 bundle install
 ```
 
+
+### Exécuter localement kitchen
+
 Pour lancer les tests:
-```shell
+```sh
 LANG=C.UTF-8 bundle exec kitchen test
 ```
+Il y a un bug qui fait échouer les tests si la langue du système n'est pas l'anglais, d'où la variable d'environnement `LANG`.
+
+
+### Mettre à jour les dépendances
+
+```sh
+bundle update
+```
+Cela modifie le fichier `Gemfile.lock`, qu'il faut committer.
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
@@ -9,3 +9,7 @@ zmarkdown_dir: "{{ appdir }}/zmd"
 zds_antispam_dir: /opt/zds-antispam
 logdir: /var/log/zds
 appuser: zds
+latex_template_version: c285c1c1a60807b732472b036ecb204ac2cb48f3
+pass_manager_user: vaultwarden
+pass_manager_dir: /opt/vaultwarden
+pass_manager_port: 8081
diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
@@ -10,3 +10,7 @@ certificate:
 munin_certificate:
   cert: /etc/letsencrypt/live/munin.zestedesavoir.com/fullchain.pem
   key: /etc/letsencrypt/live/munin.zestedesavoir.com/privkey.pem
+pass_manager_host: "vault-ro.{{ http_host }}"
+pass_manager_certificate:
+  cert: "/etc/letsencrypt/live/{{ pass_manager_host }}/fullchain.pem"
+  key: "/etc/letsencrypt/live/{{ pass_manager_host }}/privkey.pem"
diff --git a/playbook.yml b/playbook.yml
@@ -22,3 +22,6 @@
       when: env == "beta"
     - role: munin
       tags: bootstrap
+    # - role: vaultwarden  # not used in practice
+      # tags: bootstrap
+      # when: (env == "prod") or (env == "vagrant")
diff --git a/roles/backup/files/prod/backups.sh b/roles/backup/files/prod/backups.sh
@@ -4,9 +4,10 @@ set -eu
 
 readonly BORG126=/usr/local/bin/borg1.2.6
 readonly BORG1117=/usr/local/bin/borg
-BACKUP_DATE=`date '+%Y%m%d-%H%M'`
-DATA_SAVED_DIR=/opt/zds/data
-DB_SAVED_DIR=/var/backups/mysql
+readonly BORG_OPTIONS="--list --verbose --filter AME --show-rc --compression zstd,6 --exclude-caches --info" # --stats
+readonly BACKUP_DATE=`date '+%Y%m%d-%H%M'`
+readonly DATA_SAVED_DIR=/opt/zds/data
+readonly DB_SAVED_DIR=/var/backups/mysql
 
 db_local_backup()
 {
@@ -46,29 +47,22 @@ db_local_backup()
 backup2beta2023()
 {
 	echo "Backup data to the 2023 beta server..."
-	$BORG126 create                                         \
-	    --verbose                                           \
-	    --filter AME                                        \
-	    --list                                              \
-	    --stats                                             \
-	    --show-rc                                           \
-	    --compression zstd,6                                \
-	    --exclude-caches                                    \
+	date
+	$BORG126 create $BORG_OPTIONS                           \
 	    beta-backup-2023:/opt/sauvegarde/data::$BACKUP_DATE \
 	    $DATA_SAVED_DIR
+	rc_data=$?
+	date
 
 	echo "Backup database to the 2023 beta server..."
-	$BORG126 create                                       \
-	    --verbose                                         \
-	    --filter AME                                      \
-	    --list                                            \
-	    --stats                                           \
-	    --show-rc                                         \
-	    --compression zstd,6                              \
-	    --exclude-caches                                  \
-	    --info                                            \
+	date
+	$BORG126 create $BORG_OPTIONS                         \
 	    beta-backup-2023:/opt/sauvegarde/db::$BACKUP_DATE \
 	    $DB_SAVED_DIR
+	rc_db=$?
+	date
+
+	return $((rc_data+rc_db))
 }
 
 
@@ -132,3 +126,6 @@ fi
 echo "End of script ($(date))"
 # Big separator in log between executions of the script:
 echo "#######################################################################################################################"
+echo
+echo
+echo
diff --git a/roles/backup/templates/beta/cleaning.sh.j2 b/roles/backup/templates/beta/cleaning.sh.j2
@@ -2,13 +2,16 @@
 
 set -e
 
-echo "Starting script ($(date))"
 
 readonly DATA_DB_RULES="--keep-within 30d -w 6 -m 3"
 readonly BORG_BINARY=/usr/local/bin/borg1.2.6
 readonly BORG_PRUNE="$BORG_BINARY prune --list --stats"
 readonly BORG_COMPACT="$BORG_BINARY compact --verbose"
 
+
+echo "##########################################################################"
+echo "Starting script ($(date))"
+
 echo "** data ** ($(date))"
 sudo -u zds-prod $BORG_PRUNE $DATA_DB_RULES /opt/sauvegarde/data/
 sudo -u zds-prod $BORG_COMPACT /opt/sauvegarde/data/
@@ -25,3 +28,7 @@ curl -s -m 10 --retry 5 {{ secrets.healthcheck_urls.backup_cleaning }}
 echo # to make a newline after the "OK" written by curl
 
 echo "End of script ($(date))"
+echo "##########################################################################"
+echo
+echo
+echo
diff --git a/roles/latex/tasks/main.yml b/roles/latex/tasks/main.yml
@@ -21,12 +21,13 @@
   tags:
     - bootstrap
 
-- name: clone the template # noqa latest[git]
+- name: clone the template
   become: true
   become_user: "{{ appuser }}"
   ansible.builtin.git:
     repo: https://github.com/zestedesavoir/latex-template/
     dest: "{{ workdir }}/texmf/tex/generic/latex-template"
+    version: "{{ latex_template_version }}"
   notify: run texhash
   tags:
     - bootstrap

diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: should have a user named {{ pass_manager_user }}
+  ansible.builtin.user:
+    name: "{{ pass_manager_user }}"
+    shell: /bin/false
+    home: "{{ pass_manager_dir }}"
+    comment: Vaultwarden
+
+- name: create the needed directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ pass_manager_user }}"
+    group: "{{ pass_manager_user }}"
+    mode: "0750"
+  with_items:
+    - "{{ pass_manager_dir }}"
+    - "{{ pass_manager_dir }}/data"
+
+- name: create environment file
+  ansible.builtin.template:
+    src: templates/vaultwarden.env.j2
+    dest: "{{ pass_manager_dir }}/vaultwarden.env"
+    mode: "0640"
+
+- name: create service file
+  ansible.builtin.template:
+    src: templates/vaultwarden.service.j2
+    dest: /etc/systemd/system/vaultwarden.service
+    mode: u=rw,g=r,o=r
+
+- name: start service
+  ansible.builtin.systemd:
+    state: started
+    name: vaultwarden.service
+    enabled: true
+    daemon_reload: true