Merge branch 'master' into chore/remove-freight-role

svsticky · Nov 15, 2024 · 37a3f93 · 37a3f93
2 parents ccabab6 + 779a5d5
commit 37a3f93
Show file tree

Hide file tree

Showing 20 changed files with 132 additions and 536 deletions.
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -9,7 +9,7 @@ canonical_hostname: "{{ inventory_hostname }}"
 
 tmp_dir: "/tmp"
 
-# the upload limit for php-fpm and nginx in megabytes
+# the upload limit for nginx in megabytes
 upload_limit: 30
 
 slack_notifications:
@@ -29,3 +29,9 @@ secret_deploy_key: "{{ vault_secret_deploy_key }}"
 # The API key for our Mailgun account.
 # Change? Refresh API key at https://app.mailgun.com/app/account/security
 secret_mailgun_token: "{{ vault_secret_mailgun_token }}"
+
+# The place where https://github.com/nvm-sh/nvm will be installed, to be globally used
+nvm:
+  directory: "/usr/local/bin/.nvm"
+  script: "/usr/local/bin/.nvm/nvm.sh"
+  version: "v0.40.0" # Derived from the git tag
diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml
@@ -91,14 +91,6 @@ websites:
     state: "present"
     authenticated: true
 
-  - name: "phpmyadmin.{{ canonical_hostname }}"
-    user: "phpmyadmin"
-    alternative_names:
-      - "pma.{{ canonical_hostname }}"
-    # You have to remove the task include of phpmyadmin.yml to remove this
-    # completely
-    state: "absent"
-
   - name: "pretix.{{ canonical_hostname }}"
     custom_config: true
     alternative_names:

diff --git a/ansible/main.yml b/ansible/main.yml
@@ -26,14 +26,12 @@
       tags: "docker"
     - role: "databases"
       tags: "databases"
+    - role: "nvm"
+      tags: "nvm"
     - role: "backups"
       tags: "backups"
     - role: "nginx"
       tags: "nginx"
-    - role: "php"
-      tags: "php"
-    - role: "node"
-      tags: "node"
     - role: "certbot"
       tags: "certbot"
     - role: "redis"
@@ -90,3 +88,5 @@
 #
 # - execut: #475
 # - freight: #477
+# - php: #474
+# - node: #467
diff --git a/ansible/roles/backups/tasks/main.yml b/ansible/roles/backups/tasks/main.yml
@@ -5,6 +5,8 @@
     shell: "/usr/sbin/nologin"
     home: "/home/backup"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "install awscli"
   ansible.builtin.apt:

diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2
@@ -79,12 +79,11 @@ case "${SOURCE}" in
           S3PATH="${SOURCE}"
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
-          # phpMyAdmin and SODI directories excluded because no other
+          # SODI directories excluded because no other
           # committee can write to these folders and they are deployed from \
           # git anyway.
           # Pretix's virtualenv is excluded as it only contains binaries.
           upload_backup_to_s3 < <(tar \
-            --exclude='var/www/phpmyadmin.{{ canonical_hostname }}' \
             --exclude='var/www/sodi.{{ canonical_hostname }}' \
             --exclude='var/www/pretix/venv' \
             -c -f - -C / var/www \
@@ -105,11 +104,14 @@ case "${SOURCE}" in
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
           sudo -u backup mkdir -p /tmp/contentful-export
-          sudo -u backup -H npx contentful-cli space export \
-            --management-token {{ secret_contentful_export.token }} \
-            --space-id {{ secret_contentful_export.space_id }} \
-            --download-assets \
-            --export-dir /tmp/contentful-export
+          sudo -Hu backup bash -c `
+          `'source {{ nvm.script }} && nvm install {{ backups_node_version }} &&'`
+          `' nvm exec {{ backups_node_version }} npx contentful-cli space export'`
+          `' --management-token {{ secret_contentful_export.token }}'`
+          `' --space-id {{ secret_contentful_export.space_id }}'`
+          `' --download-assets'`
+          `' --export-dir /tmp/contentful-export'
+
           upload_backup_to_s3 < <(tar \
             -c -f - -C /tmp contentful-export \
             | gzip -9)

diff --git a/ansible/roles/backups/vars/main.yml b/ansible/roles/backups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+
+backups_node_version: "22"
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
@@ -29,7 +29,6 @@
     dest: "/etc/nginx/includes/{{ item }}"
   loop:
     - "block-cert-validation-path.conf"
-    - "php-parameters.conf"
     - "security-headers.conf"
   notify: "reload nginx"
 

diff --git a/ansible/roles/nginx/templates/includes/php-parameters.conf.j2 b/ansible/roles/nginx/templates/includes/php-parameters.conf.j2
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2
@@ -30,7 +30,8 @@ http {
   include /etc/nginx/mime.types;
   default_type application/octet-stream;
 
-  # Added this for phpMyAdmin
+  # Added this for phpMyAdmin.
+  # phpMyAdmin was removed but this line not, just to be sure
   server_names_hash_bucket_size 128;
 
   charset UTF-8;

diff --git a/ansible/roles/nix/files/install b/ansible/roles/nix/files/install
@@ -1,5 +1,12 @@
 #!/bin/sh
 
+# NOTE
+# This whole file, except for this note, is the official install script
+# available from https://nixos.org/download/#nix-install-linux
+# To update the nix-version, please see if the official install method has
+# changed
+# END NOTE
+
 # This script installs the Nix package manager on your system by
 # downloading a binary distribution and running its installer script
 # (which in turn creates and populates /nix).
@@ -25,26 +32,77 @@ require_util() {
 }
 
 case "$(uname -s).$(uname -m)" in
-    Linux.x86_64) system=x86_64-linux; hash=faf9f146a38a3836c807d97cd3eb9cd9c9073d498e3b685c5e3da9b02b4aa9da;;
-    Linux.i?86) system=i686-linux; hash=b027043444b5a8a4189549484876f3c3a65538349c7ced4b9a64bea1b5d68a5b;;
-    Linux.aarch64) system=aarch64-linux; hash=245fa43894c5f51df7debb657a19b7c4bb06926c5023ae615a99bd9ae3125cfe;;
-    Darwin.x86_64) system=x86_64-darwin; hash=f3902fec5e15786b13622467f73e4e8848f5b861bd3d58c48714bd775a315cb1;;
-    Darwin.arm64) system=aarch64-darwin; hash=35f3ccf27fccec857d622cf31e0d9307e2c145fb7cc59720b73bf081282ca917;;
+    Linux.x86_64)
+        hash=23ce50919b933b89b0dd4b0d5ba07d2dd6e4201a2f06b00de5388c0a4209b09c
+        path=1qcc15z77jqpdqsp5k0k6rjmkw7f4zfb/nix-2.25.2-x86_64-linux.tar.xz
+        system=x86_64-linux
+        ;;
+    Linux.i?86)
+        hash=3ce95b7ad138bebaaac2be79a44d5c2b43a3e2483e36bc1c0821a6a9fc0e15bf
+        path=lxb16gfx6bmnqdmy21c879pz8havz5bx/nix-2.25.2-i686-linux.tar.xz
+        system=i686-linux
+        ;;
+    Linux.aarch64)
+        hash=8744e31c075c31272e7bab6995d5f15623a5de94f935a7a7420026d36f9cc90e
+        path=idfaklsf96dbi7xy42a0bbmynvv4czsk/nix-2.25.2-aarch64-linux.tar.xz
+        system=aarch64-linux
+        ;;
+    Linux.armv6l)
+        hash=6fcf943f47e5b0af0285720ee9e0a83ed8770ca4315c20589e23d334b6eeba80
+        path=39lnsjhvr8lh2vwfhicb2rr5cyjmbb77/nix-2.25.2-armv6l-linux.tar.xz
+        system=armv6l-linux
+        ;;
+    Linux.armv7l)
+        hash=e72bb87a8c78bc4d96710b742dfa841f342b038350ca265809df7a3eb50b2398
+        path=b71slfhcs6i11q8zr15891j0ss7r4dv4/nix-2.25.2-armv7l-linux.tar.xz
+        system=armv7l-linux
+        ;;
+    Linux.riscv64)
+        hash=6d17a3c543ec14df59af59eeeb0ba89b02411754128f5a276ff70a6d3dca25b2
+        path=cbpn7058y7m1v3xlal4i6qy212ddyffb/nix-2.25.2-riscv64-linux.tar.xz
+        system=riscv64-linux
+        ;;
+    Darwin.x86_64)
+        hash=94b601f9f6195d100da48b29cca21d0d81ab77c0fa3060554c3e46a07cabb179
+        path=z8brwk78bgzvs56hbz77rgkvkv28h1nd/nix-2.25.2-x86_64-darwin.tar.xz
+        system=x86_64-darwin
+        ;;
+    Darwin.arm64|Darwin.aarch64)
+        hash=82355d662cae1f23ed1e22225203dca70c9012a2627b6a1c15bcfd3761849eb4
+        path=pzpn97w5kgas9xfh4rir0b9rgh5v7j6w/nix-2.25.2-aarch64-darwin.tar.xz
+        system=aarch64-darwin
+        ;;
     *) oops "sorry, there is no binary distribution of Nix for your platform";;
 esac
 
-url="https://releases.nixos.org/nix/nix-2.3.16/nix-2.3.16-$system.tar.xz"
+# Use this command-line option to fetch the tarballs using nar-serve or Cachix
+if [ "${1:-}" = "--tarball-url-prefix" ]; then
+    if [ -z "${2:-}" ]; then
+        oops "missing argument for --tarball-url-prefix"
+    fi
+    url=${2}/${path}
+    shift 2
+else
+    url=https://releases.nixos.org/nix/nix-2.25.2/nix-2.25.2-$system.tar.xz
+fi
 
-tarball="$tmpDir/$(basename "$tmpDir/nix-2.3.16-$system.tar.xz")"
+tarball=$tmpDir/nix-2.25.2-$system.tar.xz
 
-require_util curl "download the binary tarball"
 require_util tar "unpack the binary tarball"
 if [ "$(uname -s)" != "Darwin" ]; then
     require_util xz "unpack the binary tarball"
 fi
 
-echo "downloading Nix 2.3.16 binary tarball for $system from '$url' to '$tmpDir'..."
-curl -L "$url" -o "$tarball" || oops "failed to download '$url'"
+if command -v curl > /dev/null 2>&1; then
+    fetch() { curl --fail -L "$1" -o "$2"; }
+elif command -v wget > /dev/null 2>&1; then
+    fetch() { wget "$1" -O "$2"; }
+else
+    oops "you don't have wget or curl installed, which I need to download the binary tarball"
+fi
+
+echo "downloading Nix 2.25.2 binary tarball for $system from '$url' to '$tmpDir'..."
+fetch "$url" "$tarball" || oops "failed to download '$url'"
 
 if command -v sha256sum > /dev/null 2>&1; then
     hash2="$(sha256sum -b "$tarball" | cut -c1-64)"
@@ -67,6 +125,7 @@ tar -xJf "$tarball" -C "$unpack" || oops "failed to unpack '$url'"
 script=$(echo "$unpack"/*/install)
 
 [ -e "$script" ] || oops "installation script is missing from the binary tarball!"
+export INVOKED_FROM_INSTALL_IN=1
 "$script" "$@"
 
 } # End of wrapping
diff --git a/ansible/roles/nix/tasks/main.yml b/ansible/roles/nix/tasks/main.yml
@@ -31,7 +31,7 @@
     state: "link"
   become: true
 
-- name: "Update Nix to the latest version"
+- name: "Update Nix to the latest version" # See https://nix.dev/manual/nix/2.24/installation/upgrading.html
   ansible.builtin.shell: "nix-channel --update && nix-env -iA nixpkgs.nix nixpkgs.cacert"
   notify:
     - "systemctl daemon-reload"

diff --git a/ansible/roles/node/tasks/main.yml b/ansible/roles/node/tasks/main.yml
diff --git a/ansible/roles/nvm/tasks/main.yml b/ansible/roles/nvm/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: "Install nvm"
+  ansible.builtin.git:
+    repo: "https://github.com/nvm-sh/nvm.git"
+    version: "{{ nvm.version }}"
+    dest: "{{ nvm.directory }}"
+    recursive: false # cloning submodules fails, but they are purely for testing
+  diff: false
+
+- name: "Test nvm install"
+  ansible.builtin.shell: "source {{ nvm.script }} && command -v nvm"
+  register: "nvm_command"
+  args:
+    executable: "/bin/bash"
+  changed_when: false
+
+- name: "Assert that nvm is installed correctly"
+  ansible.builtin.assert:
+    that: "nvm_command.stdout == 'nvm'"
+
+- name: "Create nvm group"
+  ansible.builtin.group:
+    name: "nvm"
+
+- name: "Allow nvm group to manage nodejs installs"
+  ansible.builtin.file:
+    path: "{{ nvm.directory }}"
+    group: "nvm"
+    mode: "0774"
diff --git a/ansible/roles/packages/templates/50unattended-upgrades.j2 b/ansible/roles/packages/templates/50unattended-upgrades.j2
@@ -9,7 +9,6 @@ Unattended-Upgrade::Allowed-Origins {
 	"${distro_id} stable";
 	"${distro_id} ${distro_codename}-updates";
 	"LP-PPA-certbot-certbot:${distro_codename}";
-	"yarn:stable";
 {% endif %}
 };
 

diff --git a/ansible/roles/php/handlers/main.yml b/ansible/roles/php/handlers/main.yml
diff --git a/ansible/roles/php/tasks/main.yml b/ansible/roles/php/tasks/main.yml