fix: résolution des conflits et prise en compte des retours d'ansible…

… linter

.github/workflows/pipeline.yaml → .github/workflows/cd.yml

@@ -1,19 +1,20 @@
-name: "Continuous Integration"
+name: "Continuous Deployment"
 on:
-  push:
-    branches: [main]
-  pull_request:
   workflow_dispatch:
+  push:
+    branches:
+      - dev
+      - main
+concurrency: ci-${{ github.ref }}
 
 env:
-  ECLIPSE_SSH_HOST: 51.91.16.19
+  ECLIPSE_SSH_HOST: eclipse.mes-aides.incubateur.net
   ECLIPSE_SSH_USER: debian
-  EQUINOXE_SSH_HOST: 5.135.137.147
+  EQUINOXE_SSH_HOST: equinoxe.mes-aides.1jeune1solution.beta.gouv.fr
   EQUINOXE_SSH_USER: debian
 
-
 jobs:
-  install:
+  install_python_requirements:
     name: Install Python requirements
     runs-on: ubuntu-20.04
     steps:
@@ -29,10 +30,10 @@ jobs:
           key: ${{ runner.os }}-python-dependencies-${{ hashFiles('**/requirements.txt') }}
       - name: Install dependencies
         run: pip install -r requirements.txt
-  lint:
+  lint_ansible_files:
     name: Lint ansible files
     runs-on: ubuntu-20.04
-    needs: [install]
+    needs: [install_python_requirements]
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -48,33 +49,31 @@ jobs:
         run: pip freeze
       - name: Run ansible lint
         run: ansible-lint --offline
-  deployment:
-    name: Continuous deployment
+
+  deploy_production:
+    name: Deploy production (Equinoxe)
     runs-on: ubuntu-20.04
-    needs: [install, lint]
+    needs: [install_python_requirements, lint_ansible_files]
     if: github.ref == 'refs/heads/main'
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Python
-        uses: actions/setup-python@v4
-      - name: Cache Python dependencies
-        uses: actions/cache@v3
-        id: python-dependencies
-        with:
-          path: ${{ env.pythonLocation }}
-          key: ${{ runner.os }}-python-dependencies-${{ hashFiles('**/requirements.txt') }}
-      - name: Eclipse Deployment
-        shell: bash
-        run: |
-          mkdir -p ~/.ssh/
-          echo "${{ secrets.ECLIPSE_PRIVATE_KEY }}" > ~/.ssh/eclipse
-          chmod 600 ~/.ssh/eclipse
-          ssh -o StrictHostKeyChecking=no ${{ env.ECLIPSE_SSH_USER }}@${{ env.ECLIPSE_SSH_HOST }} -i ~/.ssh/eclipse
       - name: Equinoxe Deployment
         shell: bash
         run: |
           mkdir -p ~/.ssh/
           echo "${{ secrets.EQUINOXE_PRIVATE_KEY }}" > ~/.ssh/equinoxe
           chmod 600 ~/.ssh/equinoxe
           ssh -o StrictHostKeyChecking=no ${{ env.EQUINOXE_SSH_USER }}@${{ env.EQUINOXE_SSH_HOST }} -i ~/.ssh/equinoxe
+
+  deploy_preproduction:
+    name: Deploy preproduction (Eclipse)
+    runs-on: ubuntu-20.04
+    needs: [install_python_requirements, lint_ansible_files]
+    if: github.ref == 'refs/heads/dev'
+    steps:
+      - name: Eclipse Deployment
+        shell: bash
+        run: |
+          mkdir -p ~/.ssh/
+          echo "${{ secrets.ECLIPSE_PRIVATE_KEY }}" > ~/.ssh/eclipse
+          chmod 600 ~/.ssh/eclipse
+          ssh -o StrictHostKeyChecking=no ${{ env.ECLIPSE_SSH_USER }}@${{ env.ECLIPSE_SSH_HOST }} -i ~/.ssh/eclipse

.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: "Continuous Integration"
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  install_python_requirements:
+    name: Install Python requirements
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+      - name: Cache Python dependencies
+        uses: actions/cache@v3
+        id: python-dependencies
+        with:
+          path: ${{ env.pythonLocation }}
+          key: ${{ runner.os }}-python-dependencies-${{ hashFiles('**/requirements.txt') }}
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+  lint_ansible_files:
+    name: Lint ansible files
+    runs-on: ubuntu-20.04
+    needs: [install_python_requirements]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+      - name: Cache Python dependencies
+        uses: actions/cache@v3
+        id: python-dependencies
+        with:
+          path: ${{ env.pythonLocation }}
+          key: ${{ runner.os }}-python-dependencies-${{ hashFiles('**/requirements.txt') }}
+      - name: Check installed package
+        run: pip freeze
+      - name: Run ansible lint
+        run: ansible-lint --offline

README.md

@@ -30,7 +30,7 @@ virtualmachines:
       dns_root: leonides.org                                             # The root of domain name use by your server
       email: [email protected]                                   # The email used to register Certbot
       github_users:                                                      # The github users that will be able to connect to the server
-        - guillett
+        - github_username_example
       monitor:                                                           # If set, a monitoring service will be deployed on specified port
         port: 8887
       applications:                                                      # List all applications that will be deployed
@@ -80,6 +80,13 @@ ansible-playbook -i ./inventories/vps.yaml synchronize.yaml
 
 A copy of this repository will be created in the folder `/opt/mes-aides` of the server. This repository will be automatically updated and new modifications applied every time an ssh connection is made with the private key associated with the `update_key` defined in the inventory.
 
+Note:
+Private and public keys should be generated manually:
+- Private should be keys added to Github secrets variable (used [here](https://github.com/betagouv/aides-jeunes-ops/blob/9f5bd32001b1b889f580e7e14213397b7af2227b/.github/workflows/pipeline.yaml#L71) for instance)
+- Public keys added to `ops.update_key` variable in the inventory
+
+Warning: Launching the `synchronize.yaml` playbook alone will remove continuous deploiement of server stack. You will need to run the `bootstrap.yaml` playbook again to re-enable it.
+
 ### Bootstrap server stack
 
 Run the command `ansible-playbook -i ./inventories/vps.yaml bootstrap.yaml` in order to bootstrap the server basic configuration.
@@ -88,6 +95,17 @@ Once done, every applications should be up and running on the server.
 
 Note that you only need to run this command once, but you can re-run it if you modify either Nginx, Python, Mongo configuration or if the bootstrap process failed at some point. All unaltered steps that ran successfully will be automatically skipped by Ansible.
 
+#### First deployment
+
+In order to setup continuous deployment, you will need to:
+- Run manually the `synchronize.yaml` playbook
+- Run manually the `bootstrap.yaml` playbook
+- Connect to the server using one of the private keys associated to your Github account
+- switch user to `main`
+- run `cd ~/` and cd the application folder you want to deploy
+- get the private key (see `ansible_ssh_private_key_file` in inventory)
+- set it up in your Github repository as a secret (see [here](https://github.com/betagouv/aides-jeunes/blob/400ab5f90219141b438388d58cd4f27f8fb0ebd6/.github/workflows/cd.yml#L48))
+
 ### Backup mongodb collections
 
 It is possible to dump mongodb collections from a server and restore them on another.

inventories/eclipse.yaml

@@ -12,7 +12,7 @@ virtualmachines:
       dns_root: beta.gouv.fr
       email: [email protected]
       github_users:
-        - guillett
+        - jenovateurs
         - Shamzic
       monitor:
         port: 8887

inventories/equinoxe.yaml

@@ -11,7 +11,7 @@ virtualmachines:
       dns_root: beta.gouv.fr
       email: [email protected]
       github_users:
-        - guillett
+        - jenovateurs
         - Shamzic
       monitor:
         port: 8887

inventories/localhost.yaml

@@ -12,7 +12,7 @@ virtualmachines:
       dns_root: beta.gouv.fr
       email: [email protected]
       github_users:
-        - guillett
+        - jenovateurs
         - Shamzic
       monitor:
         port: 8887

local/Vagrantfile

@@ -12,25 +12,24 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.provider "docker" do |docker, override|
-		override.vm.box = nil
-		docker.build_dir = "."
-
-		platform = `uname -m`.strip
-		is_arm64 = platform == "arm64" || platform == "aarch64"
-
-        # Conditional arguments for ARM64 platform
-        if is_arm64
-          docker.build_args = "--platform=linux/arm64"
-          docker.create_args = ["--platform=linux/arm64"]
-        end
-
-		docker.build_args = "--platform=linux/arm64"
-		docker.name = "ctn_aides_jeunes_deb_12"
-		override.ssh.insert_key = true
-		docker.has_ssh = true
-		docker.privileged = true
-        docker.ports = ["8001:8001", "2001:2001", "8002:8002", "2002:2002", "8887:8887"]
-	end
+    override.vm.box = nil
+    docker.build_dir = "."
+
+    platform = `uname -m`.strip
+
+    # Conditional arguments for ARM64 platform
+    if platform == "arm64" || platform == "aarch64"
+      docker.build_args = "--platform=linux/arm64"
+      docker.create_args = ["--platform=linux/arm64"]
+    end
+
+    docker.build_args = "--platform=linux/arm64"
+    docker.name = "ctn_aides_jeunes_deb12"
+    override.ssh.insert_key = true
+    docker.has_ssh = true
+    docker.privileged = true
+    docker.ports = ["8001:8001", "2001:2001", "8002:8002", "2002:2002", "8887:8887"]
+  end
 
   # Faster startup
   config.vm.synced_folder ".", "/vagrant", disabled: true

roles/bootstrap/defaults/main.yaml

@@ -5,4 +5,4 @@ server_user_group: aides_jeunes
 webroot_path: /var/www
 is_default: false
 challenge_proxy: false
-node_version: "18"
+node_version: "18"

roles/bootstrap/tasks/install_node.yaml

@@ -1,32 +1,25 @@
 ---
 
 - name: Download node.js installation script
-  get_url:
+  ansible.builtin.get_url:
     url: https://deb.nodesource.com/setup_{{ node_version }}.x
     dest: /tmp/nodesource_setup.sh
-
-- name: make node script exectuable
-  file: dest=/tmp/nodesource_setup.sh mode=a+x
+    mode: '0755'
 
 - name: Run the nodesource setup script
   become: true
-  command: sh /tmp/nodesource_setup.sh
-
-- name: remove exisiting package
-  become: true
-  apt:
-    name: nodejs
-    state: absent
-    purge: true
+  ansible.builtin.command: sh /tmp/nodesource_setup.sh
+  args:
+    creates: /usr/bin/node
 
-- name: update and install nodejs
+- name: Update and install nodejs
   become: true
-  apt:
+  ansible.builtin.apt:
     name: nodejs
     state: present
     update_cache: true
 
 - name: Clean up NodeSource setup script
   ansible.builtin.file:
     path: /tmp/nodesource_setup.sh
-    state: absent
+    state: absent