Deployment scripts improved and updated for installation on RHEL9 (#1169

)

The deployment scripts are updated for RHEL9 and improved using Ansible
mechanisms.

.deployment/deploy.yml

@@ -42,12 +42,15 @@
         name: tobira-{{ id }}
         owner: tobira-{{ id }}
 
-    - name: add pgcrypto extension
+    - name: add postgres extensions
       become: true
       become_user: postgres
       community.postgresql.postgresql_ext:
-        name: pgcrypto
+        name: "{{ item }}"
         db: tobira-{{ id }}
+      loop:
+          - hstore
+          - pgcrypto
 
     # TOBIRA
 
@@ -134,15 +137,7 @@
         # The ending `pgc` is important so that `pg_restore` (and not psql) is used.
         target: /opt/tobira/{{ id }}/db-dump.pgc
         name:  tobira-{{ id }}
-        target_opts: '--no-owner --role=tobira-{{ id }}'
-      # Unfortunately, we have to add this here as the command fails when adding
-      # comments to the 'public' schema and to two extensions. That fails
-      # because the user can't access those. In the future, with a newer
-      # `pg_restore` function we can specify `--no-comments` which should fix
-      # this. Also note: despite those errors, the dump is correctly restored.
-      # Of course this now ignores all errors, so we might miss other stuff
-      # that goes wrong.
-      ignore_errors: true
+        target_opts: '--no-comments --no-owner --role=tobira-{{ id }}'
 
     # We don't need it anymore and it takes quite a bit of storage space.
     - name: Delete DB dump file
@@ -151,13 +146,6 @@
         path: /opt/tobira/{{ id }}/db-dump.pgc
         state: absent
 
-    - name: add hstore extension
-      become: true
-      become_user: postgres
-      community.postgresql.postgresql_ext:
-        name: hstore
-        db: tobira-{{ id }}
-
     - name: run database migration
       become: true
       become_user: tobira

.deployment/monitoring/requirements.yml

@@ -1,5 +1,6 @@
 ---
-
-roles:
-  - cloudalchemy.prometheus
-  - cloudalchemy.grafana
+collections:
+  - name: prometheus.prometheus
+    version: 0.16.3
+  - name: grafana.grafana
+    version: 5.2.0

.deployment/monitoring/setup.yml

@@ -2,8 +2,8 @@
 
 - hosts: all
   roles:
-    - cloudalchemy.prometheus
-    - cloudalchemy.grafana
+    - prometheus.prometheus.prometheus
+    - grafana.grafana.grafana
   vars:
     prometheus_scrape_configs:
       - job_name: 'tobira'
@@ -22,6 +22,10 @@
           34313337343261363739653632663736613763613763636561363633653362613238333638313733
           3265616634663435390a306566656530373362623562333232373364393261353864636665316339
           36303161333735313639333735613132626364346536613133626534633063376139
+    # The latest grafana ansible role does not support grafana version 11 (or later) for now
+    # due to braking configuration changes. Please update the grafana ansible collection
+    # and remove this setting to upgrade to the newest grafana version.
+    grafana_version: 10.4.3
 
   tasks:
     - name: deploy nginx vhosts
@@ -32,6 +36,7 @@
       with_items:
         - grafana.conf
         - prometheus.conf
+      notify: reload nginx
 
     - name: install ansible dependencies
       become: true
@@ -52,3 +57,10 @@
             30653565646262336134646339313735643564396532633464353234346239393730313032346339
             3162363337383162360a393065646565316330396162653365366436666562666437663163303038
             31336237343537393836633735656530306263316132396136383763393037363365
+
+  handlers:
+    - name: reload nginx
+      become: true
+      service:
+        name: nginx
+        state: reloaded

.deployment/requirements.yml

@@ -0,0 +1,4 @@
+---
+roles:
+  - name: lkiesow.certbot_cloudflare
+    version: 0.2.0

.deployment/setup-server.yml

@@ -31,8 +31,16 @@
         url: https://github.com/meilisearch/meilisearch/releases/download/v1.4.2/meilisearch-linux-amd64
         dest: /opt/meili/meilisearch
         mode: '0755'
-        checksum: sha256:b54b9ace213b0d45558c5d0e79710f718b63d2e29c190fb95be01dc27eb1ca5c
+        checksum: 'sha256:b54b9ace213b0d45558c5d0e79710f718b63d2e29c190fb95be01dc27eb1ca5c'
       register: meili_updated
+      notify: restart MeiliSearch
+
+    - name: remove MeiliSearch indexes
+      become: true
+      file:
+        path: /opt/meili/data.ms
+        state: absent
+      when: meili_updated.changed
 
     - name: install MeiliSearch service file
       become: true
@@ -42,30 +50,19 @@
         mode: '0644'
         owner: root
         group: root
-      register: meili_changed
+      register: meili_service_changed
+      notify: restart MeiliSearch
 
-    - name: start and enable Meili
+    - name: reload systemd due to service file changes
       become: true
-      service:
-        name: meili
-        state: started
-        enabled: yes
-
-    - name: remove Meili indexes
-      become: true
-      file:
-        path: /opt/meili/data.ms
-        state: absent
-      when: meili_updated.changed
-
-    - name: restart Meili
-      become: true
-      service:
+      systemd:
+        daemon_reload: true
         name: meili
-        state: restarted
-        enabled: yes
-      when: meili_changed.changed or meili_updated.changed
+        enabled: true
+      when: meili_service_changed.changed
 
+    - name: Flush handlers
+      meta: flush_handlers
 
     # DATABASE
 
@@ -74,24 +71,18 @@
       command:
         cmd: postgresql-setup --initdb
         creates: /var/lib/pgsql/data/postgresql.conf
-
-    - name: configure postgres access
-      become: true
-      copy:
-        src: pg_hba.conf
-        dest: /var/lib/pgsql/data/pg_hba.conf
-        owner: postgres
-        group: postgres
-        mode: '0644'
+      environment:
+        PGSETUP_INITDB_OPTIONS: "--auth-local=peer --auth-host=scram-sha-256"
       notify: restart postgresql
 
-    - name: start and enable database
+    - name: enable database
       become: true
       service:
         name: postgresql
-        state: started
         enabled: yes
 
+    - name: Flush handlers
+      meta: flush_handlers
 
     # Tobira
 
@@ -140,14 +131,43 @@
         force: false
         mode: '0640'
       loop:
-        - src: certificate.pem
-          dest: '{{ inventory_hostname }}.crt'
-        - src: key.pem
-          dest: '{{ inventory_hostname }}.key'
         - src: dhparam.pem
           dest: dhparam.pem
       notify: reload nginx
 
+    - name: acquire SSL certificate
+      become: true
+      import_role:
+        name: lkiesow.certbot_cloudflare
+      vars:
+        certbot_cloudflare_email: cloud@opencast.org
+        certbot_cloudflare_api_token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65366633353265363462656262346364613564666164653239306335343736666636386639636635
+          6232313465626334353362633766376533363532663532340a653365353563346235393665666430
+          30666635376132376338313037653163383538623039333935616665396238333730613531633664
+          6235393165376338640a363430393638346236663265616235633563393862336261666564333163
+          31323466376464613738626435306633376633633266653263386165346166646238313232326339
+          6537666639376535656563653563653533356166653666643233
+        certbot_cloudflare_domains:
+          - "tobira.opencast.org"
+          - "*.tobira.opencast.org"
+        certbot_cloudflare_post_hook: '--post-hook "systemctl reload nginx"'
+
+    - name: link certificate
+      become: true
+      file:
+        src: /etc/letsencrypt/live/tobira.opencast.org/{{ item.src }}
+        dest: /etc/nginx/ssl/{{ item.dest  }}
+        state: link
+        force: true
+      loop:
+        - src: fullchain.pem
+          dest: tobira.opencast.org.crt
+        - src: privkey.pem
+          dest: tobira.opencast.org.key
+      notify: reload nginx
+
     - name: configure firewall
       become: true
       firewalld:
@@ -168,6 +188,12 @@
 
 
   handlers:
+    - name: restart MeiliSearch
+      become: true
+      service:
+        name: meili
+        state: restarted
+
     - name: restart postgresql
       become: true
       service: