WIP Stanford playbook updates

playbooks/edx-west/cme-prod-worker.yml

@@ -43,6 +43,23 @@
       tags: xqueue
     - datadog
 
+- name: Deploy certs, notifier only to first util machine
+  hosts: ~tag_Name_util(1)_cme
+  sudo: True
+  gather_facts: True
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    local_dir: "{{secure_dir}}/local"
+    migrate_db: "no"
+  vars_files:
+    - "roles/common/defaults/main.yml"
+    - "roles/supervisor/defaults/main.yml"
+    - "{{ secure_dir }}/vars/edxapp_cme_vars.yml"
+    - "{{ secure_dir }}/vars/certs_cme_vars.yml"
+  roles:
+    - role: certs
+      tags: certs
+
 # run the certificate agent on the first util machine only
 #- hosts: ~tag_Name_util10_cme
 #  sudo: True

playbooks/edx-west/prod-jumpbox.yml

@@ -9,3 +9,14 @@
   roles:
     - common
     - supervisor
+    - role: gh_users
+      gh_users:
+        - sefk
+        - jbau
+        - jrbl
+        - ali123
+        - caesar2164
+        - dcadams
+        - jinpa
+        - gbruhns
+      tags: users

playbooks/edx-west/prod-worker.yml

@@ -24,6 +24,11 @@
         - sefk
         - jbau
         - jrbl
+        - ali123
+        - caesar2164
+        - dcadams
+        - jinpa
+        - gbruhns
       tags: users
     - role: 'common'
       tags: common
@@ -46,21 +51,21 @@
     #- splunkforwarder
 
 # run the certificate agent on the first util machine only
-#- hosts: ~tag_Name_util10_prod
-#  sudo: True
-#  vars:
-#    secure_dir: '../../../configuration-secure/ansible'
-#    migrate_db: "no"
-#  vars_files:
-#    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
-#    - "{{ secure_dir }}/vars/certifier_prod_vars.yml"
-#  roles:
-#    - common
-#    - role: virtualenv
-#      virtualenv_user: "certifier"
-#      virtualenv_name: "certifier"
-#      virtualenv_user_home: "/opt/wwc/certifier"
-#    - certificates
+- hosts: ~tag_Name_util1_prod
+  sudo: True
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    migrate_db: "no"
+  vars_files:
+    - "roles/common/defaults/main.yml"
+    - "roles/supervisor/defaults/main.yml"
+    - "{{ secure_dir }}/vars/edxapp_prod_vars.yml"
+    - "{{ secure_dir }}/vars/certs_prod_vars.yml"
+  roles:
+    - role: gh_users # gh_users var intentionally unspecified
+      tags: users
+    - role: certs
+      tags: certs
 
 #
 # COMMENT OUT THE NOTIFIER UNTIL IT IS READY

playbooks/edx-west/stage-app.yml

@@ -20,6 +20,17 @@
   roles:
     - common
     - supervisor
+    - role: gh_users
+      gh_users:
+      - sefk
+      - jbau
+      - jrbl
+      - ali123
+      - dcadams
+      - caesar2164
+      - jinpa
+      - gbruhns
+      tags: users
     - role: nginx
       nginx_sites:
       - lms

playbooks/edx-west/stage-jumpbox.yml

@@ -8,3 +8,14 @@
     local_dir:  '../../../configuration-secure/ansible/local'
   roles:
     - common
+    - role: gh_users
+      gh_users:
+      - sefk
+      - jbau
+      - jrbl
+      - ali123
+      - caesar2164
+      - dcadams
+      - jinpa
+      - gbruhns
+      tags: users

playbooks/edx-west/stage-worker.yml

@@ -18,6 +18,17 @@
       tags: common
     - role: 'supervisor'
       tags: supervisor
+    - role: gh_users
+      gh_users:
+      - sefk
+      - jbau
+      - jrbl
+      - ali123
+      - dcadams
+      - caesar2164
+      - jinpa
+      - gbruhns
+      tags: users
     - role: 'edxapp'
       celery_worker: True
       devstack: false
@@ -33,23 +44,23 @@
       tags: xqueue
 
 #- name: Deploy certs, notifier only to first util machine
-#  hosts: ~tag_Name_util1_stage
-#  sudo: True
-#  gather_facts: True
-#  vars:
-#    secure_dir: '../../../configuration-secure/ansible'
-#    local_dir: "{{secure_dir}}/local"
-#    migrate_db: "no"
-#  vars_files:
-#    - "{{ secure_dir }}/vars/edxapp_stage_vars.yml"
-#    - "{{ secure_dir }}/vars/notifier_stage_vars.yml"
-#  roles:
-#    - certs
-#    - role: virtualenv
-#      virtualenv_user: "notifier"
-#      virtualenv_user_home: "/opt/wwc/notifier"
-#      virtualenv_name: "notifier"
-#    - notifier
+  hosts: ~tag_Name_util1_stage
+  sudo: True
+  gather_facts: True
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    local_dir: "{{secure_dir}}/local"
+    migrate_db: "no"
+  vars_files:
+    - "roles/common/defaults/main.yml"
+    - "roles/supervisor/defaults/main.yml"
+    - "{{ secure_dir }}/vars/edxapp_stage_vars.yml"
+    - "{{ secure_dir }}/vars/certs_stage_vars.yml"
+  roles:
+    - role: gh_users # gh_users var intentionally unspecified
+      tags: users 
+    - role: certs
+      tags: certs
 
 #- name: Deploy certs to first util machine
 #  hosts: ~tag_Name_util1_stage

playbooks/roles/certificates/handlers/main.yml

-- name: certifier | restart certificate-agent
-  supervisorctl: name=certificate-agent state=restarted

playbooks/roles/certificates/tasks/main.yml

-# requires:
-#  - group_vars/all
-#  - common/tasks/main.yml
-#  - nginx/tasks/main.yml
----
-
-- name: certificates | create certificates user {{ certs_user }}
-  user:
-    name={{certs_user}} state=present shell=/bin/bash home={{certs_home}} createhome=yes
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | create location for gpg information
-  file: state=directory path={{certs_home}}/.gpg mode=0700 owner={{certs_user}} 
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | put gpg information in place
-  copy: src={{secure_dir}}/files/{{item}} dest={{cert_gpg}}/{{item}} mode=0400 owner={{certs_user}} 
-  with_items:
-  - gpg.conf
-  - pubring.gpg
-  - secring.gpg
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | create certificates log location
-  file: state=directory path={{certs_logs_dir}} mode=0770 owner={{certs_user}} group=adm
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | upload ssh script
-  template: src=git_ssh.sh.j2 dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | install read-only ssh key for the certs repo
-  copy: src={{secure_dir}}/files/git-identity dest=/{{certs_home}}/git-identity force=yes owner={{certs_user}} group=adm mode=600
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | checkout certificate code
-  git: dest={{certs_home}}/src repo={{certs_repo}} version={{certs_ver}}
-  environment:
-    GIT_SSH: /tmp/git_ssh.sh
-  tags:
-  - certificates
-  - install
-  - deploy
-
-- name: certificates | fixup permissions on repo
-  # TODO: after remote_user is available in ansible dist, use that in the above task instead of manual perms fixup
-  file: path={{certs_home}}/src state=directory recurse=yes owner={{certs_user}} group=adm mode=755
-  tags:
-  - certificates
-  - install
-  - deploy
-  
-- name: certificates | install prerequisites
-  pip: requirements={{certs_home}}/src/requirements.txt virtualenv={{certs_venv_dir}} state=present
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certificates | install env
-  template: src=certificates.env.json.j2 dest={{certs_home}}/env.json mode=640 owner={{certs_user}} group=adm
-  tags:
-  - certificates
-  - install
-  - update
-  - deploy
-
-- name: certificates | install auth
-  template: src=certificates.auth.json.j2 dest={{certs_home}}/auth.json mode=640 owner={{certs_user}} group=adm
-  tags:
-  - certificates
-  - install
-  - update
-  - deploy
-
-- name: certifier | install bash_profile
-  copy: src=../../common/files/bash_profile dest={{certs_home}}/.bash_profile owner={{certs_user}} group={{certs_user}}
-  tags:
-  - certificates
-  - install
-  - update
-  - deploy
-
-- name: certifier | setup certifier shell environment
-  template: src=certifier_shell_env.j2 dest={{certs_home}}/certifier_env owner={{certs_user}} group={{certs_user}}
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certifier | ensure .bashrc exists and sources shell environment
-  lineinfile: 
-    dest={{certs_home}}/.bashrc create=yes state=present insertbefore=BOF
-    regexp='source {{certs_home}}/certifier_env' line='source {{certs_home}}/certifier_env' 
-    mode=640 owner={{certs_user}} group=adm
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certifier | add source venv to .bashrc
-  lineinfile:
-    dest={{certs_home}}/.bashrc create=yes state=present insertafter=EOF
-    regexp='source {{certs_venv_dir}}/bin/activate' line='source {{certs_venv_dir}}/bin/activate' 
-    mode=640 owner={{certs_user}} group=adm
-  tags:
-  - certificates
-  - install
-  - update
-
-- name: certifier | supervisord config for certificate-agent
-  template: src=certifier-cert-agent-supervisor.j2 dest=/etc/supervisor/conf.d/certifier-cert-agent.conf
-  notify: certifier | restart certificate-agent
-  tags:
-  - certificates
-  - install
-  - update
-

playbooks/roles/certificates/templates/certificates.auth.json.j2

-{{ certs_auth_config | to_nice_json }}

playbooks/roles/certificates/templates/certificates.env.json.j2

-{{ certs_env_config | to_nice_json }}

playbooks/roles/certificates/templates/certifier-cert-agent-supervisor.j2

-;
-;  {{ ansible_managed }}
-;
-[program:certificate-agent]
-
-command={{ certs_venv_dir }}/bin/python {{certs_home}}/src/certificate_agent.py
-
-priority=999
-user={{ certs_user }}
-stdout_logfile={{certs_logs_dir}}/certificate-agent-stdout.log
-stderr_logfile={{certs_logs_dir}}/certificate-agent-stderr.log
-environment=PID='/var/tmp/certifier-certificate-agent.pid',LANG=en_US.UTF-8,
-killasgroup=true
-stopasgroup=true
-startsecs=10
-autostart=true
-autorestart=true
-directory={{certs_home}}
-
-environment=PID='/var/tmp/certifier-certificate-agent.pid',LANG=en_US.UTF-8,
-{%- for name,value in certs_shell_env_vars.items() -%}
-{{name}}="{{value}}"{%- if not loop.last -%},{%- endif -%}
-{%- endfor -%}

playbooks/roles/certificates/templates/certifier_shell_env.j2

-# {{ ansible_managed }}
-
-{% for name,value in certs_shell_env_vars.items() %}
-{% if value %}
-export {{ name }}="{{ value }}"
-{% endif %}		 
-{% endfor %}

playbooks/roles/certificates/templates/git_ssh.sh.j2

-#!/bin/sh
-exec /usr/bin/ssh -o StrictHostKeyChecking=no -i /{{certs_home}}/git-identity "$@"

playbooks/roles/certificates/templates/notifier_env.j2

-# {{ ansible_managed }}
-
-{% for name,value in notifier_env_vars.items() %}
-{% if value %}
-export {{ name }}="{{ value }}"
-{% endif %}		 
-{% endfor %}