readd directory

ansible-continuous-delivery/.gitignore

@@ -0,0 +1,2 @@
+*vault*pass*
+.vscode

ansible-continuous-delivery/README.md

@@ -0,0 +1,52 @@
+# Script Ansible qui permet de préparer des serveurs à recevoir des livraisons automatisées
+
+cf la [doc confluence sur le sujet de l'industrialisation](https://zextras.atlassian.net/wiki/spaces/ZST/pages/2750939160/Industrialisation)
+
+
+### Comment lancer une execution ? ###
+
+* Installer ansible sur votre machine
+  * pour ubuntu 20.04
+    ```bash
+    sudo apt-add-repository ppa:ansible/ansible
+    sudo apt update
+    sudo apt install ansible
+    ```
+
+  * puis éxecuter à la racine du projet:  
+    `ansible-playbook playbook.yml -i inventory --ask-become-pass --tag zimbra-lab-antoine`  
+
+**EXPLICATION**  
+`playbook.yml` -> va exécuter l'ensemble des roles définit dans ce fichier  
+`-i inventory` -> indique quel inventaire utiliser  
+`--ask-become-pass` -> vous met un prompt pour saisir le mot de passe sudo  
+`--tag zimbra-lab-antoine` -> permet de ne pas jouer l'ensemble du playbook  
+
+### Comment ajouter un serveur ? ###
+
+### Ajouter dans l'inventaire
+* Ajouter une ligne dans le fichier inventory à la racine du projet pour un serveur  
+
+##### Les paramètres
+`ansible_user` -> nom d'utilisateur ssh  
+`ansible_host` -> hostname ou ip du serveur  
+`ansible_become=true` -> a ajouter pour indiquer que l'utilisateur n'est pas root,  
+et doit le "devenir" via un sudo
+
+### Ajouter dans le playbook
+* Appliquer les roles que vous souhaitez appliquer a votre serveur  
+
+#### `add-user-zextras-cd`
+Créé un utilisateur "zextras-cd" sur la machine, et pose sa clé publique.  
+La clé privé est chiffré dans le dépot (../roles/add-user-zextras-cd/files/id_ecdsa)  
+Le pass pour le déchiffrer est le même que le pass de keepass interne.  
+Elle peut être fait via `ansible-vault view roles/add-user-zextras-cd/file/id_ecdsa`.  
+Cet utilisateur sera utilisé par l'outil de déploiement.  
+
+#### `user-zextras-need-restart-apache`
+Donne le droit à l'utilisateur "zextras-cd" de `restart` ou `reload` le service Apache  
+sans mot de passe.  
+
+#### `install-ruby`
+Installe le paquet ruby. Compatible pour les gestionnaires de paquets apt, yum et dnf.
+ 

ansible-continuous-delivery/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+vault_password_file = vault_passwd ;set l'emplacement du mot de pass principal
+stdout_callback = yaml ;améliore la lisibilité des logs d'erreur ansible
+allow_world_readable_tmpfiles = true ; autorise les utilisateurs non root a lire le /tmp
+timeout = 40 ; les 12secondes par défaut génère parfois des timeout sur certain serveur lent ou avec un résau erratique

ansible-continuous-delivery/host_vars/lab-bitbucket-runner/main.yml

@@ -0,0 +1,3 @@
+---
+ruby_version: 2.6.6
+ruby_user: zextras

ansible-continuous-delivery/host_vars/test-ci-deploy/main.yml

@@ -0,0 +1,5 @@
+---
+db_user: zextras
+db_password: xxxxxx
+db_name: ruby_app
+ruby_version: 2.6.3

ansible-continuous-delivery/host_vars/ut3-preprod-zextras-back/main.yml

@@ -0,0 +1,7 @@
+---
+db_user: zextras
+db_name: ut3middleware_preprod
+https_proxy: http://proxy.univ-tlse3.fr:3128/
+http_proxy: http://proxy.univ-tlse3.fr:3128/
+nodejs_version: 16
+rubygems_version: 3.0.3.1

ansible-continuous-delivery/host_vars/ut3-preprod-zextras-back/vault_vars.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+66306430613739643837373632356262653538363464333435333466316337353935306264333731
+6134333737653065333230353639656234323130333434660a386266613762353966626462663931
+39383863383335656239376630616464656333326339343063303033313363623633643965646136
+3536356334363663630a333032396338386162626363373436343836623831313864373038393635
+65383936633532626136636331313735343463656635613233303233663166636634613038666131
+38646238363232663665336561633135626438363566396563633331653934663832346332393439
+32353531303035333837363436336530653563666130343865623932626166663365653262363335
+31326339633962326439663531663238663663663365663930633739393532656430373662383935
+64666230313134366431356164353534356436656130323435616530633135663663

ansible-continuous-delivery/host_vars/villiers-mig/main.yml

@@ -0,0 +1,6 @@
+---
+ansible_password: "{{ vault_ansible_ssh_password }}"
+db_user: zextras
+db_password: OWFhYmI2ZDA4MzNmNTUxNDUyNjRmZGYz
+db_name: zimbra_to_zimbra_production
+ruby_version: 2.6.3

ansible-continuous-delivery/host_vars/villiers-mig/vault.yml

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+36386137616563613263356330643763353966316134353534346430626637323238303161383837
+3034633039663565616638616133636464656531373837650a656361343565626330383130313566
+38626663343135343131313930356134626436386261363934613934333464656332343130636565
+3833633139306534370a383230346466666430306637316530306232663761663330343262616432
+37643231316633343730663639306431323033313462623836656366396666303335303566373466
+6466313731666663643261613032373138653530326333363234

ansible-continuous-delivery/host_vars/zimbra-lab-antoine/main.yml

@@ -0,0 +1,7 @@
+---
+ansible_become_pass: tototititata
+db_user: zextras
+db_password: xxxxxx
+db_name: ruby_app
+nodejs_version: 12
+ruby_version: 2.6.3

ansible-continuous-delivery/inventory

@@ -0,0 +1,13 @@
+[test]
+zimbra-lab-antoine ansible_user=antoine ansible_host=192.168.73.63 ansible_become=true
+test-ci-deploy ansible_user=zextras ansible_host=192.168.73.106 ansible_become=true ansible_become_pass='Zimbra to Zimbra'
+
+ut3-preprod-zextras-back ansible_become=true
+lab-bitbucket-runner ansible_user=zextras ansible_host=192.168.73.102
+zsm-prod ansible_user=antoine.ouvrard ansible_host=15.188.172.250 ansible_become=true
+
+[need_ub18]
+villiers-mig ansible_user=adminzextras ansible_host=172.18.11.57 ansible_become=true
+
+[need_ub18:vars]
+ansible_ssh_common_args='-J super@192.168.73.37'

ansible-continuous-delivery/playbook.yml

@@ -0,0 +1,44 @@
+---
+- name: Prépare le serveur zimbra-lab-antoine pour recevoir des déploiements ruby
+  hosts: zimbra-lab-antoine
+  tags: zimbra-lab-antoine
+  roles:
+    - role: add-user-zextras-ci
+    - role: install-ruby
+    - role: install-postgres
+
+- name: Prépare le serveur zsm-prod pour recevoir des déploiements ruby
+  hosts: zsm-prod
+  tags: zsm-prod
+  roles:
+    - role: add-user-zextras-ci
+    - role: install-ruby
+
+- name: Prépare le serveur PP UT3 pour recevoir des déploiements ruby
+  hosts: ut3-preprod-zextras-back
+  tags: ut3-preprod-zextras-back
+  roles:
+    - role: install-postgres
+    - role: install-ruby
+
+- name: Prépare le runner bitbucket a build des app ruby
+  hosts: lab-bitbucket-runner
+  tags: lab-bitbucket-runner
+  roles:
+    - role: install-ruby
+
+- name: Migration villiers94
+  hosts: villiers-mig
+  tags: villiers-mig
+  roles:
+    - role: add-user-zextras-ci
+    - role: install-ruby
+    - role: install-postgres
+
+- name: Prépare le serveur test-ci-deploy pour recevoir des déploiements ruby
+  hosts: test-ci-deploy
+  tags: test-ci-deploy
+  roles:
+    - role: add-user-zextras-ci
+    - role: install-ruby
+    - role: install-postgres

ansible-continuous-delivery/roles/add-user-zextras-ci/files/id_ecdsa

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.1;AES256
+64363561373735623361616233656633386661313465633163623532393764303732343236646236
+6132643166626431356131653334343136353234363166640a396331306635336565393062643834
+34643165633463353865393464326262643766393366373261376536373533313365343666386436
+3134363764376532630a643932346134353235636632326365346464336464353932623063613334
+65663665396465633230643761313831393963653639653063666565306131656465313862623663
+33626139643630386562643166363232343130663566383634633161306235313536363561613963
+64666636316365393264613732633235306633353861613035306264356631643434323737393132
+61623433303063376330303736313337316563353338353835633465646333623435326139336138
+35303462316134343031373030323232383765313765393334343135666666356162386463333561
+34396433616638613834636164366666613366666237343563653466336137623766333633363765
+66623464333335396632366661623262393037656665333862663339653835613063336633616263
+64353033313239393730376332366163363332646439393763343665613739393566626538653663
+66353561303963353437646636363938616661613366353633303736396266616366626430336165
+38643035346539343931653335343933366265373735643437363433336564386265316232383564
+38353439346539653439353439616663333162383438643730653430646430386331646566373930
+65373065386266373434616161636531363264623133346238336664346535633033353033633634
+65386639376635623165633936373539633231626630366663623432383430626662333264396333
+34643132333832343437363634363232303035326131303264373137343866353836663466343662
+35356332323930353531393761386130396631633439393336353763623939373866386263313266
+61616165306163653436636163623935343037613563653261313236326538346534653433323237
+61333861636262613463656236663133313239326364653130656161353537623363643033353862
+39383239613538646263623864353635666530353263653430326566383564643534383264356639
+35633539613365346461336430376365623338333738616333346431383166366135386339623233
+62313535616139626138656631666531376336303935623562316366316564386137666631393539
+63396363643961616533376633373333646562336135353766326436623531323531353832346439
+39366232663862346235656331306464383965386262313762636263626539646230646133613139
+33306434616163373939633130313936383839373863393836633266313032356562333134383339
+33363433366438313239616365643334633937393830656264323438336138336136323261396464
+64396531366665353331656663653932623334323630653239653935653234333137346238356335
+3865346663396239643135383137386436663562323338373565

ansible-continuous-delivery/roles/add-user-zextras-ci/files/id_ecdsa.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCFfpwmFAsb9j0TovgvNSDXPzewLBrpZsOSpFuCU82fPBNoIq0JjFUPydtQH7x2Ft1C8Q1Uoph27QIKFLI6Ro+M= zextras-ci

ansible-continuous-delivery/roles/add-user-zextras-ci/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Add specific zextras-ci account
+  ansible.builtin.user:
+    name: zextras-ci
+    shell: /bin/bash
+
+- name: Set SSH key
+  ansible.posix.authorized_key:
+    user: zextras-ci
+    state: present
+    key: "{{ lookup('file', '../files/id_ecdsa.pub') }}"
+
+- name: Add environnement variable for systemd --user management
+  ansible.builtin.lineinfile:
+    path: /home/zextras-ci/.bashrc
+    line: 'export XDG_RUNTIME_DIR=/run/user/$(id -u $USER)'
+
+- name: Set credentials file
+  ansible.builtin.template:
+    src: credentials.j2
+    dest: /home/zextras-ci/credentials
+    owner: zextras-ci
+    group: zextras-ci
+    mode: 0600

ansible-continuous-delivery/roles/add-user-zextras-ci/templates/credentials.j2

@@ -0,0 +1 @@
+DATABASE_PASSWORD={{ db_password }}

ansible-continuous-delivery/roles/install-postgres/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Restart postgres
+  ansible.builtin.systemd:
+    name: postgresql
+    state: restarted
+    daemon_reload: true
+    enabled: true

ansible-continuous-delivery/roles/install-postgres/tasks/main.yml

@@ -0,0 +1,99 @@
+---
+- name: Vérification de la présence des paramètres d'entrées dans les variables
+  ansible.builtin.fail:
+    msg: |
+      La variable {{ item }} est obligatoire pour utiliser le role.
+      Veuillez la renseigner dans le dossier host_vars.
+  when:
+    - item is not defined
+  loop:
+    - db_user
+    - db_password
+    - db_name
+
+- name: Apt Update and Install Postgres
+  ansible.builtin.apt:
+    update_cache: true
+    name:
+      - postgresql
+      - acl
+      - python3-psycopg2
+    state: present
+  when: ansible_pkg_mgr == "apt"
+
+- name: Yum Update and Install Postgres
+  ansible.builtin.yum:
+    update_cache: true
+    name:
+      - postgresql
+      - postgresql-server
+      - postgresql-contrib
+      - acl
+      - python3-psycopg2
+    state: present
+  when: ansible_pkg_mgr == "yum"
+
+- name: Dnf Update and Install Postgres
+  ansible.builtin.dnf:
+    update_cache: true
+    name:
+      - postgresql
+      - postgresql-server
+      - postgresql-contrib
+      - acl
+      - python3-psycopg2
+    state: present
+  when: ansible_pkg_mgr == "dnf"
+
+- name: Yum/Dnf management
+  when: ansible_pkg_mgr == "dnf" or ansible_pkg_mgr == "yum"
+  block:
+    - name: Find out if PostgreSQL is initialized
+      ansible.builtin.stat:
+        path: "/var/lib/pgsql/data/pg_hba.conf"
+      register: postgres_data
+
+    - name: Init database only for Yum/Dnf OS
+      ansible.builtin.command: /usr/bin/postgresql-setup --initdb
+      when: not postgres_data.stat.exists
+
+- name: Start and enable services
+  ansible.builtin.service:
+    name: postgresql
+    state: started
+    enabled: true
+
+- name: Create db user
+  community.postgresql.postgresql_user:
+    state: present
+    name: "{{ db_user }}"
+    password: "{{ db_password }}"
+    role_attr_flags: CREATEDB
+  become: true
+  become_user: postgres
+
+- name: Allow md5 connection for the db user
+  community.postgresql.postgresql_pg_hba:
+    dest: "/etc/postgresql/12/main/pg_hba.conf"
+    contype: host
+    databases: all
+    method: md5
+    users: "{{ db_user }}"
+    create: true
+  become: true
+  become_user: postgres
+  notify: Restart postgres
+  when: ansible_pkg_mgr == "apt"
+
+- name: Allow md5 connection for the db user
+  community.postgresql.postgresql_pg_hba:
+    dest: "~/data/pg_hba.conf"
+    contype: host
+    databases: all
+    method: md5
+    users: "{{ db_user }}"
+    create: true
+  become: true
+  become_user: postgres
+  notify: Restart postgres
+  when: ansible_pkg_mgr == "dnf" or ansible_pkg_mgr == "yum"

ansible-continuous-delivery/roles/install-ruby/tasks/install-ruby-apt.yml

@@ -0,0 +1,58 @@
+---
+- name: Install prerequis
+  ansible.builtin.apt:
+    name:
+      - build-essential
+      - libz-dev
+      - libreadline-dev
+      - nodejs
+      - nginx
+    state: present
+
+- name: Become zextras-ci user
+  become: true
+  become_user: zextras-ci
+  block:
+    - name: Find out if ruby is initialized
+      ansible.builtin.stat:
+        path: /home/zextras-ci/.rbenv/versions/{{ ruby_version }}
+      register: ruby_version_install
+
+    - name: Get rbenv from github
+      ansible.builtin.git:
+        repo: https://github.com/sstephenson/rbenv.git
+        dest: /home/zextras-ci/.rbenv
+        single_branch: true
+        version: master
+      when: not ruby_version_install.stat.exists
+
+    - name: Get ruby build plugin for rbenv from github
+      ansible.builtin.git:
+        repo: https://github.com/sstephenson/ruby-build.git
+        dest: /home/zextras-ci/.rbenv/plugins/ruby-build
+        single_branch: true
+        version: master
+      when: not ruby_version_install.stat.exists
+
+    - name: Install ruby with rbenv
+      ansible.builtin.command: /home/zextras-ci/.rbenv/bin/rbenv install {{ ruby_version }}
+      when: not ruby_version_install.stat.exists
+
+    - name: Init rbenv in bashrc
+      ansible.builtin.lineinfile:
+        path: /home/zextras-ci/.bashrc
+        line: 'eval "$(/home/zextras-ci/.rbenv/bin/rbenv init - bash)"'
+
+    - name: Get setup version of ruby
+      ansible.builtin.command: /home/zextras-ci/.rbenv/bin/rbenv global
+      register: ruby_version_set
+      changed_when: false
+      check_mode: false
+
+    - name: Set version ruby with rbenv
+      ansible.builtin.command: /home/zextras-ci/.rbenv/bin/rbenv global {{ ruby_version }}
+      when: not ruby_version_set.stdout == ruby_version
+
+    - name: Install bundler
+      ansible.builtin.command: /home/zextras-ci/.rbenv/versions/{{ ruby_version }}/bin/gem install bundler
+      when: not ruby_version_set.stdout == ruby_version

ansible-continuous-delivery/roles/install-ruby/tasks/install-ruby-rh8.yml

@@ -0,0 +1,70 @@
+---
+- name: Add nodejs repo
+  ansible.builtin.copy:
+    dest: "/etc/dnf/modules.d/nodejs.module"
+    content: |
+      [nodejs]
+      name=nodejs
+      stream={{ nodejs_version }}
+      profiles=
+      state=enabled
+    mode: 0644
+    owner: root
+
+- name: Add yarn repo
+  ansible.builtin.copy:
+    dest: "/etc/yum.repos.d/yarn.repo"
+    content: |
+      [yarn]
+      name=Yarn Repository
+      baseurl=https://dl.yarnpkg.com/rpm/
+      enabled=1
+      gpgcheck=1
+      gpgkey=https://dl.yarnpkg.com/rpm/pubkey.gpg
+    mode: 0644
+    owner: root
+
+- name: Import yarn GPG signature
+  ansible.builtin.rpm_key:
+    key: https://dl.yarnpkg.com/rpm/pubkey.gpg
+  environment:
+    https_proxy: "{{ https_proxy }}"
+
+- name: Install packages
+  ansible.builtin.dnf:
+    update_cache: true
+    state: present
+    name:
+      - "@ruby:2.6"
+      - bison
+      - bzip2
+      - curl
+      - gcc-c++
+      - git
+      - libcurl-devel
+      - libffi-devel
+      - libpq
+      - libpq-devel
+      - libtool
+      - libyaml
+      - make
+      - nodejs
+      - openssl-devel
+      - patch
+      - readline
+      - readline-devel
+      - redhat-rpm-config
+      - ruby-devel
+      - yarn
+      - zlib
+      - zlib-devel
+
+- name: Execute gem command
+  ansible.builtin.command:
+    gem install bundler
+  environment:
+    https_proxy: "{{ https_proxy }}"
+  changed_when: false
+  check_mode: false
+  become: true
+  become_user: zextras-ci

ansible-continuous-delivery/roles/install-ruby/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Vérification de la présence des paramètres d'entrées dans les variables
+  ansible.builtin.fail:
+    msg: |
+      La variable {{ item }} est obligatoire pour utiliser le role.
+      Veuillez la renseigner dans le dossier host_vars.
+  when:
+    - item is not defined
+  loop:
+    - nodejs_version
+    - ruby_version
+
+- name: Install packages for RH8
+  ansible.builtin.include_tasks: install-ruby-rh8.yml
+  when: (ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] == 8)
+
+- name: Install packages for Debian/Ubuntu
+  ansible.builtin.include_tasks: install-ruby-apt.yml
+  when: ansible_pkg_mgr == "apt"