fix: managed node installation fixes contentful backup (#467)

* fix: managed node installation fixes contentful backup

* chore: removed global yarn install

In the previous commit, we removed the global Nodejs install, replaced by a
global nvm install. Yarn should also be installed locally and not globally.

* chore: referenced node removal pr

ansible/group_vars/all/vars.yml

@@ -29,3 +29,9 @@ secret_deploy_key: "{{ vault_secret_deploy_key }}"
 # The API key for our Mailgun account.
 # Change? Refresh API key at https://app.mailgun.com/app/account/security
 secret_mailgun_token: "{{ vault_secret_mailgun_token }}"
+
+# The place where https://github.com/nvm-sh/nvm will be installed, to be globally used
+nvm:
+  directory: "/usr/local/bin/.nvm"
+  script: "/usr/local/bin/.nvm/nvm.sh"
+  version: "v0.40.0" # Derived from the git tag

ansible/main.yml

@@ -26,12 +26,12 @@
       tags: "docker"
     - role: "databases"
       tags: "databases"
+    - role: "nvm"
+      tags: "nvm"
     - role: "backups"
       tags: "backups"
     - role: "nginx"
       tags: "nginx"
-    - role: "node"
-      tags: "node"
     - role: "certbot"
       tags: "certbot"
     - role: "redis"
@@ -90,3 +90,4 @@
 #
 # - execut: #475
 # - php: #474
+# - node: #467

ansible/roles/backups/tasks/main.yml

@@ -5,6 +5,8 @@
     shell: "/usr/sbin/nologin"
     home: "/home/backup"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "install awscli"
   ansible.builtin.apt:

ansible/roles/backups/templates/backup-to-s3.sh.j2

@@ -104,11 +104,14 @@ case "${SOURCE}" in
           FILE_NAME="${FILE_TITLE}.tar.gz"
 
           sudo -u backup mkdir -p /tmp/contentful-export
-          sudo -u backup -H npx contentful-cli space export \
-            --management-token {{ secret_contentful_export.token }} \
-            --space-id {{ secret_contentful_export.space_id }} \
-            --download-assets \
-            --export-dir /tmp/contentful-export
+          sudo -Hu backup bash -c `
+          `'source {{ nvm.script }} && nvm install {{ backups_node_version }} &&'`
+          `' nvm exec {{ backups_node_version }} npx contentful-cli space export'`
+          `' --management-token {{ secret_contentful_export.token }}'`
+          `' --space-id {{ secret_contentful_export.space_id }}'`
+          `' --download-assets'`
+          `' --export-dir /tmp/contentful-export'
+
           upload_backup_to_s3 < <(tar \
             -c -f - -C /tmp contentful-export \
             | gzip -9)

ansible/roles/backups/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+backups_node_version: "22"

ansible/roles/nvm/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: "Install nvm"
+  ansible.builtin.git:
+    repo: "https://github.com/nvm-sh/nvm.git"
+    version: "{{ nvm.version }}"
+    dest: "{{ nvm.directory }}"
+    recursive: false # cloning submodules fails, but they are purely for testing
+  diff: false
+
+- name: "Test nvm install"
+  ansible.builtin.shell: "source {{ nvm.script }} && command -v nvm"
+  register: "nvm_command"
+  args:
+    executable: "/bin/bash"
+  changed_when: false
+
+- name: "Assert that nvm is installed correctly"
+  ansible.builtin.assert:
+    that: "nvm_command.stdout == 'nvm'"
+
+- name: "Create nvm group"
+  ansible.builtin.group:
+    name: "nvm"
+
+- name: "Allow nvm group to manage nodejs installs"
+  ansible.builtin.file:
+    path: "{{ nvm.directory }}"
+    group: "nvm"
+    mode: "0774"

ansible/roles/packages/templates/50unattended-upgrades.j2

@@ -9,7 +9,6 @@ Unattended-Upgrade::Allowed-Origins {
 	"${distro_id} stable";
 	"${distro_id} ${distro_codename}-updates";
 	"LP-PPA-certbot-certbot:${distro_codename}";
-	"yarn:stable";
 {% endif %}
 };
 

ansible/roles/radio/handlers/main.yml

@@ -1,33 +1,11 @@
 ---
-- name: "clone nvm"
-  listen: "radio repo updated"
-  become_user: "radio"
-  become: true
-  ansible.builtin.git:
-    repo: "https://github.com/nvm-sh/nvm.git"
-    dest: "/var/www/radio/.nvm"
-    recursive: false # cloning submodules fails, but they are purely for testing
-  diff: false
-
-- name: "checkout latest nvm version" # based on nvm manual installation guide
-  listen: "radio repo updated"
-  become_user: "radio"
-  become: true
-  ansible.builtin.shell:
-    cmd: git checkout `git describe --abbrev=0 --tags --match "v[0-9]*" $(git rev-list --tags --max-count=1)`
-    chdir: "/var/www/radio/.nvm"
-    executable: "/bin/bash"
-  tags:
-    - skip_ansible_lint
-    # Reason: linter wants us to use the git module, but that can't do this
-    # complicated stuff
 
 - name: "install node version"
   listen: "radio repo updated"
   become_user: "radio"
   become: true
   ansible.builtin.shell: |
-    source /var/www/radio/.nvm/nvm.sh
+    source {{ nvm.script }}
     nvm install $(cat /var/www/radio/radio/.nvmrc)
   args:
     chdir: "/var/www/radio/radio"
@@ -39,7 +17,7 @@
   become_user: "radio"
   become: true
   ansible.builtin.shell: |
-    source /var/www/radio/.nvm/nvm.sh
+    source {{ nvm.script }}
     nvm use
     npm rebuild
   args:

ansible/roles/radio/tasks/main.yml

@@ -6,6 +6,8 @@
     shell: "/usr/sbin/nologin"
     state: "present"
     system: true
+    groups: "nvm"
+    append: true
 
 - name: "copy nginx configuration"
   ansible.builtin.template:
@@ -53,7 +55,7 @@
 
   - name: "run npm install"
     ansible.builtin.shell: |
-      source /var/www/radio/.nvm/nvm.sh
+      source {{ nvm.script }}
       nvm use
       npm install
     args:
@@ -64,7 +66,7 @@
     block:
       - name: "build website"
         ansible.builtin.shell: |
-          source /var/www/radio/.nvm/nvm.sh
+          source {{ nvm.script }}
           nvm use
           npm run build
         args: