Merge branch 'casouley' into 'newinfra'

Casouley

See merge request nounous/ansible!88

all.yml

@@ -14,6 +14,7 @@
 - import_playbook: plays/monitoring.yml
 
 # Services that only apply to a subset of server
+- import_playbook: plays/cas.yml
 - import_playbook: plays/dhcp.yml
 - import_playbook: plays/dns.yml
 - import_playbook: plays/etherpad.yml

group_vars/reverseproxy.yml

@@ -29,9 +29,6 @@ nginx:
     #    - {from: roundcube.crans.org, to: 10.231.136.105}
     #    - {from: phabricator.crans.org, to: 10.231.136.123}
     #    - {from: trackerusercontent.crans.org, to: 10.231.136.123}
-    #    - {from: cas.crans.org, to: 10.231.136.18}
-    #    - {from: auth.crans.org, to: 10.231.136.18}
-    #    - {from: login.crans.org, to: 10.231.136.18}
     #    - {from: webmail.crans.org, to: 10.231.136.107}
     #    - {from: horde.crans.org, to: 10.231.136.107}
     #    - {from: owncloud.crans.org, to: 10.231.136.26}
@@ -49,6 +46,9 @@ nginx:
     #    - {from: webirc.crans.org, to: "10.231.136.1:9000"}
     - {from: framadate.crans.org, to: 172.16.10.109}
     - {from: stream.crans.org, to: 172.16.10.118}
+    - {from: cas.crans.org, to: 172.16.10.120}
+    - {from: auth.crans.org, to: 172.16.10.120}
+    - {from: login.crans.org, to: 172.16.10.120}
     #    - {from: mailman.crans.org, to: 10.231.136.180}
     #
     #    # Zamok

hosts

@@ -90,6 +90,8 @@ monitoring.adm.crans.org
 boeing.adm.crans.org
 fluxx.adm.crans.org
 unifi.adm.crans.org
+pastemoisa.adm.crans.org
+casouley.adm.crans.org
 
 [ovh_physical]
 sputnik.adm.crans.org

plays/cas.yml

@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Django CAS server
+
+- hosts: casouley.adm.crans.org
+  vars:
+    cas_secret_key: "{{ vault_cas_secret_key }}"
+    cas_ldap_password: "{{ vault_cas_ldap_password }}"
+  roles: ["django-cas"]

roles/django-cas/README.md

@@ -0,0 +1,3 @@
+# Django CAS
+
+Une fois le rôle appliqué il faut aller dans `/var/local/django-cas` et faire un `./manage.py collectstatic`.

roles/django-cas/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: Restart uwsgi
+  service:
+    name: uwsgi
+    state: restarted

roles/django-cas/tasks/main.yml

@@ -8,10 +8,62 @@
       - uwsgi-plugin-python3
       - python3-django
       - python3-django-cas-server
+      - python3-psycopg2
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
+- name: Upgrade to Bullseye Django CAS
+  apt:
+    deb: http://mirror.adm.crans.org/debian/pool/main/d/django-cas-server/python3-django-cas-server_1.1.0-2_all.deb
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+  when:
+    - ansible_lsb.codename == 'buster'
+
+- name: Clone Django CAS project repository
+  git:
+    repo: http://gitlab.adm.crans.org/nounous/django-cas.git
+    dest: /var/local/django-cas
+    version: master
+    umask: '002'
+
+- name: Configure Django CAS
+  template:
+    src: cas/settings_local.py.j2
+    dest: /var/local/django-cas/cas/settings_local.py
+    mode: 0600
+  notify: Restart uwsgi
+
+- name: Configure NGINX site
+  template:
+    src: nginx/sites-available/cas.j2
+    dest: /etc/nginx/sites-available/cas
+    mode: 0644
+  notify: Restart nginx
+
+- name: Enable nginx site
+  file:
+    src: /etc/nginx/sites-available/cas
+    dest: /etc/nginx/sites-enabled/cas
+    state: link
+  notify: Restart nginx
+
+- name: Configure UWSGI app
+  template:
+    src: uwsgi/apps-available/cas.ini.j2
+    dest: /etc/uwsgi/apps-available/cas.ini
+    mode: 0644
+  notify: Restart uwsgi
+
+- name: Enable uwsgi app
+  file:
+    src: /etc/uwsgi/apps-available/cas.ini
+    dest: /etc/uwsgi/apps-enabled/cas.ini
+    state: link
+  notify: Restart uwsgi
+
 - name: Install CAS crons
   template:
     src: cron.d/cas.j2

roles/django-cas/templates/cas/settings_local.py.j2

@@ -0,0 +1,9 @@
+{{ ansible_header | comment }}
+
+SECRET_KEY = '{{ cas_secret_key }}'
+
+# Settings for the CAS server
+CAS_LDAP_SERVER = "172.16.10.90"
+CAS_LDAP_USER = "cn=cas,ou=service-users,dc=crans,dc=org"
+CAS_LDAP_PASSWORD = "{{ cas_ldap_password }}"
+CAS_LDAP_BASE_DN = "cn=Utilisateurs,dc=crans,dc=org"

roles/django-cas/templates/cron.d/cas.j2

@@ -1,4 +1,4 @@
 {{ ansible_header | comment }}
-0   0  * * * www-data /usr/local/django/cas/manage.py clearsessions
+0   0  * * * www-data /var/local/django-cas/manage.py clearsessions
-*/5 *  * * * www-data /usr/local/django/cas/manage.py cas_clean_tickets
+*/5 *  * * * www-data /var/local/django-cas/manage.py cas_clean_tickets
-5   0  * * * www-data /usr/local/django/cas/manage.py cas_clean_sessions
+5   0  * * * www-data /var/local/django-cas/manage.py cas_clean_sessions

roles/django-cas/templates/nginx/sites-available/cas.j2

@@ -0,0 +1,25 @@
+{{ ansible_header | comment }}
+
+server {
+     server_name cas.crans.org cas.adm.crans.org login.crans.org login.adm.crans.org auth.crans.org auth.adm.crans.org;
+     listen 80;
+     listen [::]:80;
+
+     location /cas {
+         rewrite ^/cas$ / redirect;
+         rewrite ^/cas/(.*)$ /$1 redirect;
+     }
+
+     location /static {
+         alias /var/local/django-cas/cas/local_static;
+     }
+
+     set_real_ip_from 10.231.136.0/24;
+     set_real_ip_from 2a0c:700:0:2::/64;
+     real_ip_header P-Real-Ip;
+
+     location / {
+         uwsgi_pass unix:///var/run/uwsgi/app/cas/socket;
+         include uwsgi_params;
+     }
+}

roles/django-cas/templates/update-motd.d/05-service.j2

@@ -1,3 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-> django-cas-server a été déployé sur cette machine. Voir /usr/local/django/cas/.
+> django-cas-server a été déployé sur cette machine. Voir /var/local/django-cas/.

roles/django-cas/templates/uwsgi/apps-available/cas.ini.j2

@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+[uwsgi]
+plugin = python3
+chdir = /var/local/django-cas/
+wsgi-file = /var/local/django-cas/cas/wsgi.py
+max-request=50
+cheaper = 1
+cheaper-initial = 1
+workers = 2
+die-on-term = true
+memory-report = true
+reload-on-rss = 75M
+evil-reload-on-rss = 200M
+limit-as = 450M
+reload-on-as = 350M
+evil-reload-on-as = 500M