Update ansible code from WIP branch
eternaltyro committed Mar 29, 2024
1 parent a0526a8 commit 4e06ed2
Showing 4 changed files with 107 additions and 7 deletions.
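--- a/infra/ansible/postgres_acl.yml
+++ b/infra/ansible/postgres_acl.yml
@@ -0,0 +1,65 @@
+---
+- name: Setup default roles in Azure PostgreSQL
+hosts: all
+become: yes
+become_user: postgres
+tasks:
+- name: Create new read-only role
+community.postgresql.postgresql_user:
+db: "{{ PGDATABASE }}"
+name: hot_readonly
+role_attr_flags: NOLOGIN
+
+- name: GRANT read-only privs for read-only role
+community.postgresql.postgresql_privs:
+GRANT SELECT
+db: "{{ PGDATABASE }}"
+name: hot_readonly
+role_attr_flags: NOLOGIN
+
+- name: Create new read-write role
+community.postgresql.postgresql_user:
+db: "{{ PGDATABASE }}"
+name: hot_readwrite
+role_attr_flags: NOLOGIN
+
+- name: GRANT read-write privs for read-write role
+community.postgresql.postgresql_privs:
+GRANT INSERT UPDATE DELETE REFERENCES TRIGGER CREATE CONNECT TEMPORARY EXECUTE USAGE
+db: "{{ PGDATABASE }}"
+name: hot_readwrite
+role_attr_flags: NOLOGIN
+
+- name: Create new read-only app user
+community.postgresql.postgresql_user:
+db: "{{ PGDATABASE }}"
+name: app_xyz_ro
+password: xyz
+expires: infinity
+role_attr_flags: INHERIT
+
+- name: Make read-only app user a member of the read-only role
+community.postgresql.postgresql_membership:
+groups: hot_readonly
+target_roles: app_xyz_ro
+db: "{{ PGDATABASE }}"
+login_host:
+login_user:
+login_password:
+
+- name: Create new read-write app user
+community.postgresql.postgresql_user:
+db: "{{ PGDATABASE }}"
+name: app_xyz_rw
+password: xyz
+expires: infinity
+role_attr_flags: INHERIT
+
+- name: Make read-write app user a member of the read-write role
+community.postgresql.postgresql_membership:
+groups: hot_readwrite
+target_roles: app_xyz_rw
+login_db: {{ PGDATABASE }}
+login_host: {{ PGHOST }}
+login_user: {{ PGUSER }}
+login_password: {{ PGPASSWORD }}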
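Review bot: The last four lines, `login_db: {{ PGDATABASE }}` through `login_password: {{ PGPASSWORD }}`, are unquoted Jinja expressions, which YAML reads as the start of a flow mapping and rejects before Ansible ever renders them; they need the quoting the file uses everywhere else, e.g. `login_db: "{{ PGDATABASE }}"`. Both `postgresql_privs` tasks are also malformed: a bare `GRANT SELECT` / `GRANT INSERT …` line is not a key in the module's argument mapping, and `name` / `role_attr_flags` are `postgresql_user` parameters rather than `postgresql_privs` ones, which takes `roles`, `type`, `objs`, `privs` and `schema` — the read-only task rewritten below shows the shape, and the read-write one should follow it (it currently lists no SELECT, and CONNECT/TEMPORARY/CREATE/EXECUTE/USAGE are not table privileges, so they belong in separate tasks with the matching `type`). The two app users are created with the literal password `xyz` and `expires: infinity`; the values should come from vaulted variables, and the first membership task's bare `login_host:` / `login_user:` / `login_password:` are nulls that should carry the same quoted login parameters as the final task. `become: yes` is a YAML 1.1 truthy value (`true` is preferred), and if the play really targets Azure's managed PostgreSQL there is no local `postgres` OS account to become — the `login_*` parameters are what authenticate, so `become_user: postgres` looks like a leftover worth confirming.
```yaml
- name: GRANT read-only privs for read-only role
  community.postgresql.postgresql_privs:
    db: "{{ PGDATABASE }}"
    roles: hot_readonly
    schema: public
    type: table
    objs: ALL_IN_SCHEMA
    privs: SELECT
# … unchanged: Create new read-write role …
- name: GRANT read-write privs for read-write role
  community.postgresql.postgresql_privs:
    db: "{{ PGDATABASE }}"
    roles: hot_readwrite
    schema: public
    type: table
    objs: ALL_IN_SCHEMA
    privs: SELECT,INSERT,UPDATE,DELETE,REFERENCES,TRIGGER
    # CONNECT/TEMPORARY/CREATE are database-level, EXECUTE/USAGE apply to
    # functions and schemas: grant them in separate tasks with the matching type
# … unchanged: app user creation (replace `password: xyz` with a vaulted
#   variable, e.g. `password: "{{ APP_XYZ_RO_PASSWORD }}"` — placeholder name) …
- name: Make read-write app user a member of the read-write role
  community.postgresql.postgresql_membership:
    groups: hot_readwrite
    target_roles: app_xyz_rw
    login_db: "{{ PGDATABASE }}"
    login_host: "{{ PGHOST }}"
    login_user: "{{ PGUSER }}"
    login_password: "{{ PGPASSWORD }}"
```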
16 changes: 10 additions & 6 deletions infra/ansible/setup.yml
Expand Up @@ -9,16 +9,12 @@
bind_port: '8000'

tasks:
- name: Update apt cache
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600

- name: Upgrade apt packages
- name: Update apt cache and upgrade packages
ansible.builtin.apt:
update_cache: yes
upgrade: dist
dpkg_options: 'force-confold,force-confdef'
cache_valid_time: 14400

- name: Install generic packages
ansible.builtin.apt:
Expand Down Expand Up @@ -80,6 +76,14 @@
recurse: true
mode: u+rw,g-wx,o-rwx

- name: Generate config file for backend
ansible.builtin.template:
src: "{{ playbook_dir }}/templates/config.txt.j2"
dest: /opt/raw-data-api/config.txt
owner: "{{ LINUX_PROCESS_USER }}"
group: "{{ LINUX_PROCESS_GROUP }}"
mode: '0444'

- name: Generate env file containing PostgreSQL credentials
ansible.builtin.template:
src: "{{ playbook_dir }}/templates/database.env.j2"
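Review bot: The new "Generate config file for backend" task writes `/opt/raw-data-api/config.txt` with `mode: '0444'`, yet the `config.txt.j2` template added in this same commit renders the database password, the OAuth client secret, the Redis password and the AWS access keys into that file, so every local account on the host can read them; `mode: '0400'` (or `'0440'` if `LINUX_PROCESS_GROUP` genuinely needs it) fits the owner and group the task already sets. The "Generate env file containing PostgreSQL credentials" task directly below carries the same credentials and its mode is outside the hunk, so it deserves the same check. In the first hunk `update_cache: yes` is a YAML 1.1 truthy value; `update_cache: true` is the form yamllint and the Ansible docs prefer.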
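--- a/infra/ansible/templates/config.txt.j2
+++ b/infra/ansible/templates/config.txt.j2
@@ -0,0 +1,30 @@
+[DB]
+PGPASSWORD={{ PGPASSWORD }}
+PGUSER={{ PGUSER }}
+PGHOST={{ PGHOST }}
+PGPORT={{ PGPORT }}
+PGDATABASE={{ PGDATABASE }}
+
+; OAuth2 app registered at (whose?) OSM account
+[OAUTH]
+client_id={{ OSM_OAUTH_CLIENT_ID }}
+client_secret={{ OSM_OAUTH_CLIENT_SECRET }}
+url=https://www.openstreetmap.org
+scope=read_prefs
+login_redirect_uri=https://{{ app.base_uri }}/latest/auth/callback/
+secret_key={{ APP_RANDOM_SECRET_KEY }}
+
+[API_CONFIG]
+RATE_LIMITER_STORAGE_URI=rediss://:{{ REDIS_PASSWORD }}@{{ REDIS_HOST }}:{{ REDIS_PORT }}/0?ssl_cert_reqs=required
+RATE_LIMIT_PER_MIN=50
+EXPORT_MAX_AREA_SQKM=1000000
+
+[CELERY]
+CELERY_BROKER_URL=rediss://:{{ REDIS_PASSWORD }}@{{ REDIS_HOST }}:{{ REDIS_PORT }}/0?ssl_cert_reqs=required
+CELERY_RESULT_BACKEND=rediss://:{{ REDIS_PASSWORD }}@{{ REDIS_HOST }}:{{ REDIS_PORT }}/0?ssl_cert_reqs=required
+
+[EXPORT_UPLOAD]
+FILE_UPLOAD_METHOD=s3
+BUCKET_NAME={{ EXPORT_UPLOAD_BUCKET_NAME }}
+AWS_ACCESS_KEY_ID={{ AWS_ACCESS_KEY_ID }}
+AWS_SECRET_ACCESS_KEY={{ AWS_SECRET_ACCESS_KEY }}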
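Review bot: `REDIS_PASSWORD` is interpolated verbatim into the three `rediss://` URIs (`RATE_LIMITER_STORAGE_URI`, `CELERY_BROKER_URL`, `CELERY_RESULT_BACKEND`), so a password containing `@`, `/`, `:`, `?` or `#` splits the URI at the wrong place and the client either fails or connects with a truncated credential; apply the Jinja `urlencode` filter on all three lines, e.g. `CELERY_BROKER_URL=rediss://:{{ REDIS_PASSWORD | urlencode }}@{{ REDIS_HOST }}:{{ REDIS_PORT }}/0?ssl_cert_reqs=required`. The `[DB]` block writes `PGPASSWORD={{ PGPASSWORD }}` unquoted while the sibling `database.env.j2` in this same commit was just changed to quote that value for shell-unfriendly characters; whichever INI parser reads `config.txt` decides what needs escaping here, and at minimum it is worth confirming that `;` and `#` inside a value do not start a comment for it. The `; OAuth2 app registered at (whose?) OSM account` comment leaves an open question in a committed template; it should name the owning account or become a tracked TODO so the secret has a known owner for rotation.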
3 changes: 2 additions & 1 deletion infra/ansible/templates/database.env.j2
@@ -1,8 +1,9 @@
# Please quote passwords to accommodate for shell-unfriendly characters
# Ensure that new database names comply with recommended PGSQL / SQL convention for allowed characters
PGPASSWORD={{ PGPASSWORD }}
PGPASSWORD='{{ PGPASSWORD }}'
PGUSER={{ PGUSER }}
PGHOST={{ PGHOST }}
PGPORT={{ PGPORT }}
PGDATABASE={{ PGDATABASE }}
PGSSLMODE=require

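Review bot: `PGPASSWORD='{{ PGPASSWORD }}'` still breaks for a password that itself contains a single quote, and `PGUSER`, `PGHOST` and `PGDATABASE` stay unquoted even though the comment above asks for quoting; if this file is sourced by a shell, Ansible's `quote` filter escapes correctly, e.g. `PGPASSWORD={{ PGPASSWORD | quote }}`, whereas if it is read by another consumer (such as a systemd EnvironmentFile) that consumer's quoting rules apply instead and should be checked. Which of the two leading comment lines is new cannot be recovered from the rendered hunk, so the remark applies to the file as a whole. `PGSSLMODE=require` (unchanged context) encrypts the connection but does not verify the server certificate; where a CA bundle is available on the host, `verify-full` is the stronger choice, though that is a deployment decision beyond this hunk.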