From 3481dc11be314cb412ee1e826e749a87beb881d9 Mon Sep 17 00:00:00 2001
From: Oleg Lavrovsky
Date: Sat, 16 May 2020 15:12:07 +0200
Subject: [PATCH] Wagtail setup in Ansible
---
README.md | 16 +++-
ansible.cfg | 1 +
ansible/files/cloudflare.key | 90 ++++++++++++++++++
ansible/files/cloudflare.pem | 95 +++++++++++++++++++
ansible/internet.yaml | 1 +
ansible/roles/wagtail/tasks/install.yaml | 12 ++-
ansible/roles/wagtail/tasks/main.yaml | 4 -
.../templates => templates/web}/nginx.conf.j2 | 5 +-
ansible/web.yaml | 19 +++-
9 files changed, 228 insertions(+), 15 deletions(-)
create mode 100644 ansible/files/cloudflare.key
create mode 100644 ansible/files/cloudflare.pem
rename ansible/{roles/web/templates => templates/web}/nginx.conf.j2 (92%)
diff --git a/README.md b/README.md
index 7c99169..7befb79 100644
--- a/README.md
+++ b/README.md
@@ -98,30 +98,36 @@ ansible-galaxy install \
 To check that the scripts and roles are correctly installed, use this command to do a "dry run":
 ```
-ansible-playbook -i ansible/inventories/production --syntax-check --list-tasks ansible/*.yaml
+ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks
+```
+
+If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration:
+
+```
+ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config"
 ```
 To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
 ```
-ansible-playbook -i ansible/inventories/production ansible/*.yaml
+ansible-playbook ansible/*.yaml -i ansible/inventories/production
 ```
-For an update release with a specific version, use:
+For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands):
 ```
-ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release -e gitversion=
+ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion=
 ```
 Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook. The typical order of deployment is:
+- internet.yaml
 - docker.yaml
 - node.yaml
 - web.yaml
 - wagtail.yaml
-- internet.yaml
 ### Production releases
diff --git a/ansible.cfg b/ansible.cfg
index 30b1afe..2f3b3e3 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,3 +2,4 @@
 retry_files_enabled = False
 roles_path = ansible/roles:~/.ansible/roles
 vault_password_file = .keys/ansible.vault
+interpreter_python = /usr/bin/python3
diff --git a/ansible/files/cloudflare.key b/ansible/files/cloudflare.key
new file mode 100644
index 0000000..263dd71
--- /dev/null
+++ b/ansible/files/cloudflare.key
@@ -0,0 +1,90 @@ +$ANSIBLE_VAULT;1.1;AES256 +36383538613261333830346333313539383062333362643339656131393831326463623563636362 +3532393137343535313062636664626632303065343739610a633164383665623566353939373432 +38343937306164663238616439636331316630353764633963393233613663363330366539643535 +3661636364623732620a383561316265653264613234376539666265303232383263306633646663 +39343331636163623665316332326464613539376630633731643963376631333338316666343430 +32393436336565333463326138393132343336313034643061313265303930323361353163353334 +64626438656333336132653439383334376561333532313532633939323934623862363631373461 +63333862383265336638343563373836613633303330613735363935663539303535303065376339 +33306239373530353130353466353065366430666137626138666438616333623833326165656432 +65666137663833343333333566333132646164633135326237616164666663303634666231643039 +32373933396131343732376132336634373239343764326134303261353439393832336162643462 +37353435333434633233633634383139623733376636376233393830356164363032353437663938 +37393732383933323163386537346562633831353265363436393265306132303164646232326264 +64313330663131653530373662376464346639643533633961313063633362643132646330366430 +30316236316330633731636466323935376265633839373832663137336638346565613234363036 +33616131613761626231653236616332316330633330363039343634643732306138383830623430 +66323138306536613036623866326536303137666336626531313763396234613665636462333261 +34653039393839333031656634346630626335353665336430373437373537373533326135663662 +38656331633337613139633737393466666566303261666662626461323661636232303862386237 +39643161656561356630316439396331343538346234643562636137353463373266663634323839 +34356430313335306230333866366438623537633562373362316137363363396362343336386631 +32633939633339613338613834316365333932356561373334356563393061303635373733323764 +65633563363865633063343230316462646132623039353631386462383030303432643230616365 
+61633437313739373865363362373737376365646461343733326366656165363463313466326530 +63613532303633663464623838363665313430323465323031343832363932626531613333376238 +39333235623635363565313935306164366237366433353437626237656133343630646238633633 +31656135356334356230613733346432643361333562373964303265333830643639373065383362 +36313765636362313431306238636431613566363863383737636638303833353032356332623239 +61363138383738333262383263326238366264313437653330323936646131623333336431333562 +34613938313036353935326433386535373338623165336663353566363132353961356539373962 +36653539656237306538626364343965313832323164346235313437666334353133313964656434 +32663037626537636266303337373234393431303639643036613166663631663465663664643239 +35376463656134616239353639356166363463306632666630666239376639336661323635313165 +62623166353365643832356461616330656638363333313262323430376139306161626433633434 +33653339363131313337646334373337313535366531626632636261346264326164643364653963 +37366233353866313530383662313537633639643336353266653733316662303365393861646462 +33346634303163663139373832623934626435323863353830336532313639343964623634393838 +65666436393731336366313864633761313335383838383437383666653665346266333562633035 +61333833373464663361383766326166333362383161636163326664636364383662333039386166 +37323765613233663934313264303438376131336266663331616564396233666666363937366433 +65663239343764616462363861633961333166636664343634613663663737363837353330636561 +64666266356466623436353464663830323262396663373330346635333433663733616132643761 +65326631613832353563303565613030316138666465646136323662363931633666306161626435 +34356666646262343330613435383563323333386366333937653835636363353934616332343765 +66386465393239653463653861353535633936636665643630366135613739336134353132373263 +62613932303239666439656238393932636330386439626133383761316233643834383031653061 +35386536393639376266383730323534633132633731643834306633613163383463323330393462 
+65343233613966343863383561366133306666316233373463663538656336666237353739376466 +65663236346631333139386535333839663862386334356330373664616434363465643136343436 +30346636313936376362386163616332376333376333383865646661333465306562323533633035 +66353366326434363338373937333664663261343232366434656132363362343039353764653262 +65373739623863663837396137386539343661326433613439336265623561373466323466356330 +37326534383533663131613464633536373030346432633836636266393438316466613139663039 +32373736383364363066333766333839376131633539643561303466653438616539313338663032 +31666234343564343039656362633035326637306164656363393965336630623364653565343332 +62393431346139356136643430643637396565393862353236373235646138313435653965613939 +30653830656537303434363533383836656233663264643831643932376163343863656530666533 +38326230313839326263366433363332333238336162356130353937333561323530613565623861 +39653434356438623435316566323064313437353135333231373537343936326532623031393432 +35653334356464623565326336636239393133623730323035363436613033346630316264316631 +38383534313738393531643866366332336364623734306365323234323232396434303434633064 +31636333653335353931643763626135646663356366393763636664376565333861333430636236 +61303666326565396135386633316563356437313236343038363130636533396565656533663638 +38656631646231623062393030656334626564356566646666613036366336633865306337613862 +32356338393632636363373232373730316232353737333638636330386538613436333661613037 +61373764333337343733383861303532343563613433326461316330626234386331363039306563 +32613434636663313530326661333035363164636132316365323132633764306232333737356130 +61393139356362336131373730303734363965316431313839646639386336313663333562623432 +30636465343763663831333633643533376162336363346138616565633936343339643133653639 +65633332346437376431656566626565333031323764366165356439363137616166653737343536 +34326363663936333462386564343639386139613237626464623831393564616539386238643437 
+61363433356238343033343031646230306139646332613061666638303538636635646666666237 +63343066663931616438396633376231313436313932306138376264616434353837656138666165 +63353464396364663338393634343234353232326666383064396363656438396435613334623634 +37666362636233656636376430636563303561356662376438663865653862326238323166656337 +32666534303863356138393462626266653461623636663534323739393630393635376263333332 +30306139313761393234336239326231376533353235633639363930393535616164316561613732 +37666565656363393061393162636366393866376136373534393138336665343266623933643932 +37343930626138633337396464373537373531326638316434353436393630633234633231356532 +64396334623066323862663033666565393966636430653364343438306633363136383634313132 +31366565356339386139333035366264616237303936383431653930636237383932633164616431 +64663035333833616631613363316230376461623730383537643237623765326132653437356530 +35323963353935363366323165343438616266353238336230666635336438666335383330636631 +33356433326432363263333530616238303738666161386636633165336436613239383138336234 +30376563396135303631653134313966316330383962376635313132666437313138313335333738 +31383932326338393164613535656362326236616161383432623563623861643566623335313464 +35363330663933613832313135356432393265616661346564396165373862363939316435386565 +61356538373061323264613166633165633537616564336161313064323164663366353963643634 +64613237396261356531306664663166356133663863313235306466656532376361 diff --git a/ansible/files/cloudflare.pem b/ansible/files/cloudflare.pem new file mode 100644 index 0000000..e4f90b1 --- /dev/null +++ b/ansible/files/cloudflare.pem 
@@ -0,0 +1,95 @@ +$ANSIBLE_VAULT;1.1;AES256 +66656362343039396163383261626131396164623138383235326661396334323139343433373331 +6333616364656666396338313334633036343566386630390a373032303366666132376635376365 +35343932313764356433383664336461373132633066626163333930356634646532653465646164 +3637386264663834340a353937613135373531656134366635613430336434613062303262663136 +65323866636663333034356437613039313363663733316530613033383165303539646366346333 +39396532386333613738333335643738616630343932336565663762316232326662326439653537 +31663764346235613737306232336630623036623538343761343834363838323134623631633730 +31643434346231636337626639633830613534316663366637656630366532356134636161326462 +33383364376230303863663461633639383731376264313964313963393633646265623232323635 +63663361663565363738386337356166663031346533373731346463343739626262376236386464 +66363432316566363433393033613630626235333834386365663666323439316433643430663636 +61616236313038636165303330656466626135306431383934363564616663373761353437373165 +65393237363535336466646462343230623337646266303331363733356164623135643866626365 +39633663363261353432633938626161346433323636323866633534313434633935343339313763 +65653565343232643037396138663162616165613766363261663235323033346362323334343466 +36646538623730643364613236613038396664306461316434383533633734326565643265396637 +66636465316132333131656130326133336330633365373966303936633563613931343766663331 +32383366366564636665383962373764626566366233353931663833353161636661373630626532 +38376632636534646562663037313435373335343335336662313132333438343264393334343132 +32643732626138376662316339373330353632316131393763653030363638616239626135633131 +32646534633932313764633735666237326462363065663437393462313834316432616665643932 +39653764323438333239366363333038333963386535623965393430353035363363333366393737 +38633362643135356433383739333131313265333964313534323634306363346334363033396566 
+37616463363430323730333233326134346666396361336237363730353962623337616362646436 +31626364353430666437373738343566663966366162633832333931336564356130663062363431 +62303161393963623262303738623739666263343939363438336361653632333635343765363536 +33373136386430356438636131323434626335326335363532626231373761353839633330373164 +66336337663766663333323032323166303036636532616633343863643938393663666164373237 +31316430643663343637373938336133383835313331623565393534333537633339343630396634 +36653963633030346365336165616430303237376262306539306339613839326566336436663134 +35303730356433663763393062623863323836646235376536323838366463643531613631316663 +33396161313464336639303865356166646532376563316564663231643536373464643861643063 +39353362376638643031343934303937313162343438623538663238333633323036366130356438 +38666463353832646666306134336136333066336636643466396530396532396632303632663738 +37323330613538353236623964613466316461313135363635633034306561333662343139366231 +37393764653533623533663935343537323930366639356365333132353562356537383439383839 +38373233363638366531353733323239393161653065326562636562613333383264656531306539 +39616166623234393539353430313439346662623335656530303264646539633466383031626633 +31343965633437353432343363333234623566613533316333363235646464626237363932303135 +63353034623761626433303865653732383764613939616236643665386165333633343237333261 +35316330663961323734653230393038303631363463666561613862653562356131616231346461 +39646462626365393163333735343733376363303635393136643935386664343930646135346162 +63383834653164336137356531383237653836356333613031653037373734663939376663656437 +31653865623830333663306538323264646632356533313862383334303237663033656532393733 +65356531373739353864656564623739653336653666333136396161366338333865663931656362 +64323135313736366330356665663966353633323239636339306566623236356237323837373266 +34336135646539666438663635653939323539346438356661333638666639353434643364303131 
+36353433336161333562353239383239376335633263653966356333656230613134633638636338 +31303032393335323037396138303939353336363361393131323036653664346339363539646563 +37316238323231396233333665383630666561656631613163353763643938393462323332646562 +64303730663861623834616233316331316536336564323466633664633139363232363635326439 +62393536323032353033333038316166376632323936633834643337353036396532323338653466 +37376532356366393437303161636537636634326230616130383936663231626131393132663933 +38623639616262373930653262663232343333643039396531316466663862316164393233313663 +61643030396331643535353132373538366164393231653163333934636137646531346533316637 +64353136633934316434636432666339383933633366373638653261326532353733626238373365 +38396236323838363261366163626664303938343436356531396437326432353230643330616266 +62633639313435313637343464333633613932316634373262646565633463666532363230393536 +35363738326262343264383337316539336461623461366161363031623064353962366663623831 +35353061316334316137363966336565656662626339616465303661343766306332326562336432 +35343465356234613839613766326231643433383963663138313262333761303537303431306361 +64646538643565313838663430646634316239353739653839663966613339343633306131383431 +31383563353931303365633435393031356337376166613538383065353461386166653636643034 +39333330633234326438396161323864393936373563353134363838623165373064636239626533 +35333730616339363063306263663631626139666537353238623933643437656534386461366366 +66393038383035613030343830613061386636353962323764393762633936373935333734613361 +39623461343438343162306233316233376637626232353235393537613536383038373932663362 +64353133393631663662383537653039646663323838373061646531313263383339656265373039 +33336134656531333264313866373363633933363238376439633639346262373464356162333462 +30336535333161623837666664396331643535663130643332316561643663363339626161623333 +61343761393462623335306539376633373432366362373062613732613932616336336136643037 
+34373833343262623262313630313536353663316665306332613237316562386332626237313063 +30323934373263323539653131623133313837666134303439626561306432653437656236633139 +33313464616565333238636337383363373932643939653061623363663938396633623162306662 +65333031383730356661313130643165653136326532386530313338396235653032396230383437 +61393335353561366562343838636231663236383733396564313536323833616335653966616330 +61616236656263373663616663656365643661383031323566336536346330396366353836633137 +36373762366130373233306438366566373632353065373434666132313162356239666630386137 +39616133303633633739646434353738356633363130373862643838333361386632653863613136 +66323837653231363466366461636563663233303432376530303361376339303861633439373135 +37396631333635393936386430643934386161326234333966653338663237323564666335656430 +38346661383336383538616161613865393731373666643037663364353932353861626234396562 +36326563633836306563633535636232373462643466333739343064336466333061653766623161 +39373762653739326130653031656566633337643337623531633761663534633139386438346132 +32326161376631356131333130326636353239663336666436346530306539363961393639666231 +35616435616130666563353031373362633834313031643866313538626338653435333064363366 +63316335616166353836393363333662356561363737393630663362373033643364346336376236 +33303961353437323739363436633762366664383939653061396266303635643437336465646461 +63303165336138663838656130376162616236373261626133346263623235643833303466333835 +32663534336336353532643963626130333938333530383062383061303439323339396261306532 +65383939613732333434386332386663653235366531336633386236383462646535323932636231 +39663837303164623864316133663039666263653537366365363462386336373535646266373363 +33343430373033363430346137623030363265373561613761663763653433383163303835653431 +6137653862376239353230323534353338356634306630333936 diff --git a/ansible/internet.yaml b/ansible/internet.yaml index 7f18f4e..09b1d44 100644 --- a/ansible/internet.yaml 
+++ b/ansible/internet.yaml
@@ -7,5 +7,6 @@
 roles:
 - role: dev-sec.os-hardening
 - role: dev-sec.ssh-hardening
+ - role: nginxinc.nginx
 - role: dev-sec.nginx-hardening
 - role: jnv.unattended-upgrades
diff --git a/ansible/roles/wagtail/tasks/install.yaml b/ansible/roles/wagtail/tasks/install.yaml
index de7edc4..25d42b1 100644
--- a/ansible/roles/wagtail/tasks/install.yaml
+++ b/ansible/roles/wagtail/tasks/install.yaml
@@ -4,6 +4,11 @@
 file: path={{ release_dir }} state=directory owner=ansible group=ansible
 become: true
+- name: Ensure Make is installed
+ become: true
+ apt:
+ pkg: make
+
 - name: Checkout code branch from git
 git:
 repo: 'https://github.com/datalets/public-health-ch'
@@ -15,7 +20,12 @@
 src: docker-compose.j2
 dest: "{{ release_dir }}/docker-compose.yml"
-- name: Deploy Docker site
+- name: Deploy Wagtail site on Docker
+ shell: make build
+ args:
+ chdir: "{{ release_dir }}"
+
+- name: Set up Wagtail site
 shell: make setup
 args:
 chdir: "{{ release_dir }}"
diff --git a/ansible/roles/wagtail/tasks/main.yaml b/ansible/roles/wagtail/tasks/main.yaml
index a63cfad..a6dc7f5 100644
--- a/ansible/roles/wagtail/tasks/main.yaml
+++ b/ansible/roles/wagtail/tasks/main.yaml
@@ -1,9 +1,5 @@
 ---
-- include: nginx.yaml
- tags:
- - setup
-
 - include: install.yaml
 tags:
 - install
diff --git a/ansible/roles/web/templates/nginx.conf.j2 b/ansible/templates/web/nginx.conf.j2
similarity index 92%
rename from ansible/roles/web/templates/nginx.conf.j2
rename to ansible/templates/web/nginx.conf.j2
index 4493a4e..d4ec28b 100644
--- a/ansible/roles/web/templates/nginx.conf.j2
+++ b/ansible/templates/web/nginx.conf.j2
@@ -14,9 +14,8 @@ server {
 server_name _;
 listen 443 ssl default_server;
- ssl on;
- ssl_certificate /etc/certs/public-health.ch/cloudflare.pem;
- ssl_certificate_key /etc/certs/public-health.ch/cloudflare.key;
+ ssl_certificate /etc/ssl/certs/cloudflare.pem;
+ ssl_certificate_key /etc/ssl/certs/cloudflare.key;
 client_max_body_size 16M;
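Review bot: The two new `shell:` tasks in install.yaml (`make build` and `make setup`) use no shell features, so `command: make build` is the safer module, and neither declares `changed_when`, so every run reports a change and the play never converges. Whether `make setup` is safe to re-run against an existing release directory is not visible here; if it is not, guard it with `creates:` under `args:`. The `apt: pkg: make` task runs without `update_cache: true`, which can fail on a host whose package index has never been refreshed. The template task at the top of the second hunk (`src: docker-compose.j2`) starts outside the hunk.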
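Review bot: `ssl_certificate_key` in nginx.conf.j2 now points into `/etc/ssl/certs/`, which on Debian-derived hosts (this playbook installs with `apt`) is the world-readable public-certificate directory; the private key belongs in `/etc/ssl/private/`, which is root-owned and not readable by unprivileged users, with the matching `dest` in web.yaml changed to the same path: `ssl_certificate_key /etc/ssl/private/cloudflare.key;`. Dropping the obsolete `ssl on;` is correct for the `listen 443 ssl` form. The enclosing `server {` block starts and ends outside the hunk, so whether `ssl_protocols`/`ssl_ciphers` are set elsewhere cannot be judged here.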
diff --git a/ansible/web.yaml b/ansible/web.yaml
index c3f4ba1..ae7e2ad 100644
--- a/ansible/web.yaml
+++ b/ansible/web.yaml
@@ -1,13 +1,28 @@
-- hosts: webservers
+---
+
+- name: Deploy web server (NGINX) configuration
+ hosts: webservers
 become: true
 gather_facts: true
+ tasks:
+ - name: Copy certificate public key
+ tags: nginx_template_config
+ copy:
+ src: cloudflare.pem
+ dest: "/etc/ssl/certs/cloudflare.pem"
+ - name: Copy certificate private key
+ tags: nginx_template_config
+ copy:
+ src: cloudflare.key
+ dest: "/etc/ssl/certs/cloudflare.key"
 roles:
 - role: nginxinc.nginx
 vars:
+ release_dir: /opt/publichealth
 ipv4_addresses: "{{ ansible_all_ipv4_addresses }}"
 nginx_http_template_enable: true
 nginx_http_template:
 default:
- template_file: web/templates/nginx.conf.j2
+ template_file: web/nginx.conf.j2
 conf_file_name: default.conf
 conf_file_location: /etc/nginx/conf.d/
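Review bot: The two certificate `copy` tasks sit under `tasks:`, but Ansible runs `roles:` before `tasks:`, so on a fresh host the nginxinc.nginx role renders a config that references `/etc/ssl/certs/cloudflare.pem` and reloads NGINX before either file exists; moving the two tasks under `pre_tasks:` (tags unchanged) fixes the ordering. The private-key copy also sets no `mode:`/`owner:`, so the decrypted key is written with the umask default and is likely readable by every local account; add `mode: '0600'`, `owner: root` and `group: root` to that task, and `mode: '0644'` to the public-certificate copy. Both hunks of this play are complete within the diff.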