(Deploy pack) Add a playbook for symfony secrets (#5)

* chore(faros-ng/deploy-pack): create version 1.5 * feat(faros-ng/deploy-pack): remove prod folder it's usually easier to duplicate preprod folder when preprod is ready * feat(faros-ng/deploy-pack): add a playbook to create decrypt key from ansible vault
le-phare · Apr 13, 2023 · 5918926 · 5918926
1 parent 4912468
commit 5918926
Show file tree

Hide file tree

Showing 11 changed files with 215 additions and 0 deletions.
diff --git a/faros-ng/deploy-pack/1.5/Makefile b/faros-ng/deploy-pack/1.5/Makefile
@@ -0,0 +1,24 @@
+SF = docker-compose run --rm php bin/console
+COMPOSER = docker-compose run --rm php composer
+NPM = $(DOCKER) node:lts npm
+
+start: install
+	docker-compose up -d
+	$(SF) do:mi:mi -n
+
+include ansible/Makefile.mk
+
+.PHONY: start install build watch
+
+clean:
+	rm var/database/*.dump
+
+install:
+	$(COMPOSER) install --quiet &\
+	$(NPM) ci
+
+build:
+	$(NPM) run build
+
+watch:
+	$(NPM) run watch
diff --git a/faros-ng/deploy-pack/1.5/ansible/Makefile.mk b/faros-ng/deploy-pack/1.5/ansible/Makefile.mk
@@ -0,0 +1,79 @@
+## =============================================================================
+##
+##                        NE PAS MODIFIER CE FICHIER !
+##
+##              /!\  Ce Makefile a pour objectif d'être générique !
+##
+## =============================================================================
+remote ?= preprod
+REMOTE ?= $(remote)
+
+app = app
+APP = $(app)
+application ?= $(APP)
+APPLICATION ?= $(application)
+
+UNAME_S := $(shell uname -s)
+ifneq ($(UNAME_S),Darwin)
+	DOCKER_USER=-u $(shell id -u):$(shell id -g)
+	ANSIBLE_VOLUMES=-v $(HOME)/.ssh/config:/home/ansible/.ssh/config:ro \
+		-v $(HOME)/.ssh/known_hosts:/home/ansible/.ssh/known_hosts
+else
+	ANSIBLE_VOLUMES=-v $(HOME)/.ssh:/home/ansible/.ssh:ro
+endif
+
+DOCKER = docker run --rm -i -t $(DOCKER_USER) -v $(shell pwd):/app -w /app
+mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
+current_dir := $(notdir $(patsubst %/,%,$(dir $(mkfile_path))))
+ansible_vars := $(current_dir)/$(REMOTE)/group_vars/$(APPLICATION)/vars
+
+REMOTE_SSH_USER = $(shell awk -F': ' '/ansible_user/ { print $$2 }' $(ansible_vars))
+REMOTE_SSH_HOST = $(shell awk -F': ' '/ansible_host/ { print $$2 }' $(ansible_vars))
+REMOTE_DIRECTORY = $(shell awk -F': ' '/ansistrano_deploy_to/ { print $$2 }' $(ansible_vars))
+REMOTE_SSH_PORT = $(shell awk -F': ' '/ansible_port/ { print $$2 }' $(ansible_vars))
+REMOTE_SSH_PORT := $(if $(REMOTE_SSH_PORT),$(REMOTE_SSH_PORT),22)
+REMOTE_SSH = $(REMOTE_SSH_USER)@$(REMOTE_SSH_HOST) -p $(REMOTE_SSH_PORT)
+
+database_container := $(shell awk -F': ' '/db_pull_local_database_host/ { print $$2 }' $(current_dir)/_variables.yml | xargs -I{} docker ps -fname={} -q )
+database_network := $(shell docker inspect $(database_container) -f {{.HostConfig.NetworkMode}} 2> /dev/null | uniq)
+
+DOCKER_NETWORKS += $(addprefix --network ,$(database_network))
+DOCKER_OPTION ?=
+ANSIBLE_IMAGE ?= lephare/ansible:latest
+ANSIBLE_VAULT_FILE ?= ~/.ansible/password/$(notdir $(abspath .)).txt
+ANSIBLE_STDOUT_CALLBACK ?= default
+ANSIBLE_PIPELINING ?= 1
+ANSIBLE_OPTION ?=
+ANSIBLE_ENV = $(DOCKER) \
+	$(DOCKER_OPTION) \
+	-v $(dir $(ANSIBLE_VAULT_FILE)):/tmp/ansible:ro \
+	-v $(SSH_AUTH_SOCK):/ssh-agent \
+	$(ANSIBLE_VOLUMES) \
+	$(DOCKER_NETWORKS) \
+	-e SSH_AUTH_SOCK=/ssh-agent \
+	-e ANSIBLE_VAULT_PASSWORD_FILE=/tmp/ansible/$(notdir $(ANSIBLE_VAULT_FILE)) \
+	-e ANSIBLE_STDOUT_CALLBACK=$(ANSIBLE_STDOUT_CALLBACK) \
+	-e ANSIBLE_PIPELINING=$(ANSIBLE_PIPELINING) \
+	$(ANSIBLE_IMAGE)
+
+ANSIBLE= $(ANSIBLE_ENV) ansible $(ANSIBLE_OPTION)
+VAULT= $(ANSIBLE_ENV) ansible-vault $(ANSIBLE_OPTION)
+PLAYBOOK= $(ANSIBLE_ENV) ansible-playbook $(ANSIBLE_OPTION)
+
+# Get the list of playbooks
+PLAYBOOKS = $(basename $(patsubst %/,%,$(sort $(notdir $(wildcard $(current_dir)/*.yml)))))
+
+facts:
+	$(ANSIBLE) all --inventory-file=$(current_dir)/$(REMOTE)/hosts --module-name=setup
+
+vault-encrypt:
+	$(VAULT) encrypt $(current_dir)/$(REMOTE)/group_vars/$(APPLICATION)/vault
+
+vault-decrypt:
+	$(VAULT) decrypt $(current_dir)/$(REMOTE)/group_vars/$(APPLICATION)/vault
+
+$(PLAYBOOKS):
+	$(PLAYBOOK) --inventory-file=$(current_dir)/$(REMOTE)/hosts $(current_dir)/$@.yml
+
+ssh:
+	ssh -t $(REMOTE_SSH) 'cd $(REMOTE_DIRECTORY); bash --login'
diff --git a/faros-ng/deploy-pack/1.5/ansible/_variables.yml b/faros-ng/deploy-pack/1.5/ansible/_variables.yml
@@ -0,0 +1,38 @@
+# (ansistrano) Deployment settings
+ansistrano_git_repo: <git_repository>
+ansible_ssh_common_args: " -o ForwardAgent=yes"
+ansistrano_shared_files:
+    - .env.local
+ansistrano_shared_paths:
+    - var/log
+    - var/database
+    - var/exchange
+    - public/build
+
+# (ansible-deploy) Deployment settings
+lephare_sentry_project: <sentry_project>
+lephare_http_basic_user: <admin_user>
+lephare_http_basic_password: <admin_password>
+lephare_sentry_notify: true
+lephare_sentry_token: <sentry api token>
+lephare_assets_build_path: "../public/build/"
+lephare_assets_web_path: "build/"
+lephare_assets_publish: false
+lephare_document_root_path: "{{ ansistrano_release_path.stdout }}/public"
+lephare_composer_options: "--no-dev --optimize-autoloader --apcu-autoloader --no-interaction"
+lephare_crontab_path: "{{ ansistrano_release_path.stdout }}/.crontab"
+lephare_crontab_install: true
+lephare_install_adminer: false
+
+# (db-pull) Database settings
+db_pull_local_database_host: <local_database_host>
+db_pull_local_database_name: <local_database_name>
+db_pull_local_database_user: <local_database_user>
+db_pull_local_database_password: <local_database_password>
+db_pull_local_database_port: <local_database_port> # MySQL/MariaDB: 3306, PostgreSQL: 5432
+
+db_pull_local_backup_path: ../var/database/
+db_pull_remote_backup_path: "{{ ansistrano_deploy_to }}/var/database"
+db_pull_remote_database_host: localhost
+db_pull_remote_database_port: 5432
+db_pull_remote_database_password: "{{ vault_database_password }}"
diff --git a/faros-ng/deploy-pack/1.5/ansible/database.yml b/faros-ng/deploy-pack/1.5/ansible/database.yml
@@ -0,0 +1,7 @@
+---
+- name: Sync local database with remote
+  hosts: app
+  roles:
+    - db-pull
+  vars_files:
+    - _variables.yml
diff --git a/faros-ng/deploy-pack/1.5/ansible/deploy.yml b/faros-ng/deploy-pack/1.5/ansible/deploy.yml
@@ -0,0 +1,21 @@
+---
+- name: Deploy app
+  hosts: app
+  roles:
+    - lephare.ansible-deploy
+  vars_files:
+    - _variables.yml
+  tasks:
+    - name: Check directory
+      delegate_to: localhost
+      stat:
+        path: ../public/build/
+      register: build_dir
+
+    - name: Upload assets
+      when: build_dir.stat.exists and build_dir.stat.isdir
+      synchronize:
+        src: ../public/build
+        dest: "{{ ansistrano_deploy_to }}/shared/public/"
+        recursive: true
+        delete: true
diff --git a/faros-ng/deploy-pack/1.5/ansible/preprod/group_vars/app/vars b/faros-ng/deploy-pack/1.5/ansible/preprod/group_vars/app/vars
@@ -0,0 +1,12 @@
+# deploy variables
+ansible_user: <remote_ssh_user>
+ansistrano_deploy_to: <remote_deploy_dir>
+application_environment: preprod
+lephare_default_git_branch: develop
+lephare_http_basic_secure: true
+lephare_prevent_robots_indexation: true
+
+# db-pull variables
+db_pull_remote_database_name: <remote_database_name>
+db_pull_remote_database_user: <remote_database_user>
+
diff --git a/faros-ng/deploy-pack/1.5/ansible/preprod/group_vars/app/vault b/faros-ng/deploy-pack/1.5/ansible/preprod/group_vars/app/vault
@@ -0,0 +1 @@
+vault_database_password: <remote_database_password>
diff --git a/faros-ng/deploy-pack/1.5/ansible/preprod/hosts b/faros-ng/deploy-pack/1.5/ansible/preprod/hosts
@@ -0,0 +1,2 @@
+[app]
+<preprod_domain>
diff --git a/faros-ng/deploy-pack/1.5/ansible/symfony-secrets.yml b/faros-ng/deploy-pack/1.5/ansible/symfony-secrets.yml
@@ -0,0 +1,16 @@
+---
+- name: Create symfony private key from ansible vault
+  hosts: app
+  vars_files:
+    - _variables.yml
+  tasks:
+    - name: Write symfony private key
+      delegate_to: localhost
+      ansible.builtin.copy:
+        dest: "../config/secrets/{{ symfony_env }}/{{ symfony_env }}.decrypt.private.php"
+        mode: "0600"
+        content: |
+            <?php // {{ symfony_env }}.decrypt.private on {{ ansible_date_time.iso8601 }}
+
+            // SYMFONY_DECRYPTION_SECRET={{ symfony_secret_private_key | b64encode }}
+            return "{{ symfony_secret_private_key }}";
diff --git a/faros-ng/deploy-pack/1.5/manifest.json b/faros-ng/deploy-pack/1.5/manifest.json
@@ -0,0 +1,8 @@
+{
+    "copy-from-recipe": {
+        "ansible/": "ansible/"
+    },
+    "gitignore": [
+        "!ansible/Makefile.mk"
+    ]
+}
diff --git a/faros-ng/deploy-pack/1.5/post-install.txt b/faros-ng/deploy-pack/1.5/post-install.txt
@@ -0,0 +1,7 @@
+<bg=blue;fg=white>                          </>
+<bg=blue;fg=white> Deployment configuration </>
+<bg=blue;fg=white>                          </>
+
+  * Modify project variables in ansible/_variables.yml </>
+
+  * Configure each environment ansible/<env>/group_vars/app/vars </>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		vault_database_password: <remote_database_password>