playbook: kdbox deployment automation with signed certificate

playbook/kdbox-deploy.yml

+---
+
+- name: a play that runs entirely on the ansible host
+  hosts: 127.0.0.1
+  connection: local
+  vars_files:
+  - settings/kdbox.yml
+
+  roles:
+    - kdbox
+

playbook/kdbox-playbook.yml

@@ -11,12 +11,11 @@
 
   vars_prompt:
     - name: "re6sttoken"
-      prompt: "\n\n  You are running the Grandenet Installer\n\n
-            Please insert your token from Grandenet to configure your computer.\n
-            If you don't have a token, please access http://www.grandenet.cn/en \n
-            and request one. \n\n
-            Move informations at http://www.grandenet.cn/en/documentation/user \n\n 
-            Your token "
+      prompt: "\n\n  You are running the KDBox Installer\n\n
+              Please request a re6stnet token on https://slapos.vifib.com. \n\n
+              You will also need computer and account token, please get them on https://slapos.vifib.com. \n\n
+              A domain name will be required for kdbox slave frontend, to access erp5 later. \n\n
+              Enter your re6stnet token: "
 
       private: no 
       default: "notoken"
@@ -37,25 +36,34 @@
       default: "noname"
 
     - name: "slapostoken"
-      prompt: "If you have slapos token if you have (ignore if you already have a configured slapos):"
+      prompt: "What is the server token ?:"
       private: no
       default: "notoken"
 
-    - name : "Token"
-      prompt: "Credential account token"
+    - name: "Token"
+      prompt: "What is your credential account token"
       private: no 
       default: "notoken"
 
     - name: "domain_name"
-      prompt: "enter domain name for CDN"
+      prompt: "Enter domain name for CDN main instance"
       private: no
-      default: ""
+      default: "kdbox.slapos-example.com"
 
     - name: "custom_domain"
-      prompt: "enter custom domain name for CDN slave instance"
+      prompt: "Enter custom domain name for CDN slave instance"
       private: no
       default: ""
 
+  pre_tasks:
+    - file: path=/opt/kdbox state=directory mode=0755
+    - copy: content="{{ domain_name }}" dest=/opt/kdbox/cdn_domain_name
+      when:
+        domain_name != ""
+    - copy: content="{{ custom_domain }}" dest=/opt/kdbox/cdn_custom_domain
+      when:
+        custom_domain != ""
+
   roles:
     - re6stnet
     - role: routeadv

playbook/roles/kdbox/files/challenge

+#!/bin/bash
+
+domain=$1
+CODE=$(curl -s -n -k -L -o /dev/null -w "%{http_code}" "https://$domain/.well-known/manage_main")
+
+if [ "$CODE" == "200" ]; then
+  echo "Code=$CODE, .well-know exists already!"
+  exit 0
+else
+  curl -k -L -n -X POST -d "id=.well-known&submit=Add" http://$domain/portal_skins/custom/manage_addProduct/OFSP/manage_addFolder
+fi

playbook/roles/kdbox/files/kdbox-param

+#!/bin/bash
+
+if [ -z "$1" ]; then
+  echo "Argument 1 should be instance name and Argument 2 should be 'url' or 'pwd'"
+  exit 3
+fi
+
+for file in `grep -l -R "$1" /srv/slapgrid/slappart*/buildout*.cfg 2>/dev/null`; do
+  Folder=$(dirname $file)
+  # search runner0 partition
+  if [ -f "$Folder/bin/exporter" ]; then
+    PARTITION=$Folder
+  fi
+done
+
+DB="$PARTITION/srv/runner/proxy.db"
+if [ ! -f "$DB" ]; then
+  echo "ERP5 instance not ready"
+  exit 2
+fi
+
+# get parameters from database
+DB_PARTITION_TABLE=$(sqlite3 $DB ".table partition__")
+CONNECTION=$(sqlite3 $DB "select connection_xml from $DB_PARTITION_TABLE where reference='slappart0';")
+
+if [ -z "$CONNECTION" ]; then
+  echo "ERP5 instance not ready"
+  exit 1
+else
+  if [ "$2" == "pwd" ]; then
+    echo $CONNECTION | egrep -o 'inituser-password\"\:\s*\"[a-z,A-Z,0-9]+' | cut -d '"' -f 3
+  elif [ "$2" == "url" ]; then
+    echo $CONNECTION | egrep -o 'family-default-v6\"\:\s*\"https\:\/\/\[.*\]:[0-9]+' | cut -d '"' -f 3
+  else
+    echo "Argument 1 should be instance name and Argument 2 should be 'url' or 'pwd'"
+    exit 3
+  fi
+fi

playbook/roles/kdbox/files/port-forwarding

 #!/bin/bash
 ps aux | grep socat | grep TCP:$2:$3 > /dev/null
 if [ $? -eq 0 ]
-then 
- echo "port forwarding process already running" 
-else 
+then
+ echo "port forwarding process already running"
+else
  echo "no process running ,executing port forwarding for selectet port"
- socat TCP6-LISTEN:$1,fork TCP:$2:$3 & 
+ socat TCP6-LISTEN:$1,fork TCP:$2:$3 &
 fi
 
 #script for port forwarding 

playbook/roles/kdbox/meta/main.yml

+---
+dependencies:
+  - role: package
+    package_name: socat
+    package_state: present
+  - role: package
+    package_name: sqlite3
+    package_state: present
+  - role: package
+    package_name: curl
+    package_state: present
+  - role: package
+    package_name: git
+    package_state: present
+

playbook/roles/kdbox/tasks/dehydrated.yml

+---
+
+  - stat: path=/opt/kdbox/dehydrated
+    register: dehydrated
+
+  - stat: path=/opt/kdbox/dehydrated/zope-hook.sh
+    register: hook_file
+
+  - name: Get Dehydrated
+    shell: "git clone https://github.com/lukas2511/dehydrated.git /opt/kdbox/dehydrated"
+    when: dehydrated.stat.exists == False
+
+  - copy: content="{{ custom_domain}}" dest=/opt/kdbox/dehydrated/domains.txt
+
+  - template: src=config.j2 dest=/opt/kdbox/dehydrated/config mode=644
+
+  - name: Get Dehydrated zope hook
+    get_url:
+      url: https://lab.nexedi.com/nexedi/dehydrated-zope-hook/raw/master/zope-hook.sh
+      dest: /opt/kdbox/dehydrated/zope-hook.sh
+      mode: 0755
+    when: hook_file.stat.exists == False
+
+  - shell: "{{ role_path }}/files/kdbox-param '{{ webrunner_instance_name }}' pwd"
+    register: erp5_pwd
+
+  - name: Add .netrc file
+    blockinfile:
+      dest: "~/.netrc"
+      mode: 0600
+      create: yes
+      state: present
+      block: |
+        machine {{ custom_domain }}
+        login zope
+        password {{ erp5_pwd.stdout }} 
+
+  - stat: path="/opt/kdbox/dehydrated/certs/{{ custom_domain }}"
+    register: cert_folder
+
+  - name: Get signed certificate for slave instance
+    shell: ./dehydrated -c --accept-terms
+    when: cert_folder.stat.exists == False
+    args:
+      chdir: /opt/kdbox/dehydrated

playbook/roles/kdbox/tasks/deploy.yml

+---
+
+  - stat: path=/opt/slapos.playbook/
+    register: playbook_folder
+
+  # temp part to use playbook from branch
+  - name: Download playbook
+    shell: git clone https://lab.nexedi.com/nexedi/slapos.package.git /tmp/kdbox-playbook
+    when: playbook_folder.stat.exists == False
+
+  - shell: cd /tmp/kdbox-playbook/; git checkout alain-kdbox
+    when: playbook_folder.stat.exists == False
+
+  - name: Copy slapos.playbook
+    shell: cp -ax /tmp/kdbox-playbook/playbook /opt/slapos.playbook/
+    when: playbook_folder.stat.exists == False
+
+  # part to use
+  #- name: Download the playbook 
+  #  shell: slapcache-download --destination=/opt/kdbox/archive.tar.gz
+
+  #- name: Copy slapos.playbook
+  #  unarchive: src=/opt/kdbox/archive.tar.gz dest=/opt/slapos.playbook
+
+  - stat: path=/usr/local/bin/kdbox-deploy
+    register: bin_file
+
+  - name: Set deploy script
+    copy:
+      content: "cd /opt/slapos.playbook; ansible-playbook kdbox-deploy.yml -i  hosts --connection=local"
+      dest: /usr/local/bin/kdbox-deploy
+      mode: 0755
+    when: bin_file.stat.exists == False
+
+  - name: Remove kdbox deploy
+    file: path=/usr/local/bin/kdbox-deploy state=absent
+    when: kdbox_ok == True
+
+  - name: Start deploy cron
+    cron: job="bash -lc /usr/local/bin/kdbox-deploy >> /var/log/kdbox.log 2>&1"
+          cron_file=ansible-kdbox-deploy
+          user="root"
+          name="Start kdbox deploy"
+          minute="*/1"
+
+  - name: Remove cron task
+    cron: name="Start kdbox deploy"
+          cron_file=ansible-kdbox-deploy
+          state=absent
+    when: kdbox_ok == True
+
+  - stat: path=/usr/local/bin/kdbox-state
+    register: kdbox_state
+
+  - name: Add check state script
+    template: src=kdbox-state.j2 dest=/usr/local/bin/kdbox-state mode=755
+    when: kdbox_state.stat.exists == False

playbook/roles/kdbox/tasks/frontend-slave-instance.yml

-- name : requesting CDN slave instance for ERP5
-  shell: echo "request('{{ frontend_software_release_url }}', '{{ frontend_instance_slave_name }}',filter_kw={'computer_guid':'{{ computer_id }}'},partition_parameter_kw={'custom_domain':'{{ custom_domain }}','enable_cache':'true','type':'zope','url':'{{ frontend_slave_backend_url }}',},shared='True', software_type='custom-personal',)" | slapos console 
+---
+
+   # get ERP5 URL will fail if erp5 instance is not ready
+ - name: Get ERP5 backend URL
+   shell: "{{ role_path }}/files/kdbox-param '{{ webrunner_instance_name }}' url"
+   register: erp5_url
+
+ - stat: path="/opt/kdbox/dehydrated/certs/{{ custom_domain }}"
+   register: cert_folder
+
+ - name : requesting CDN slave instance for ERP5
+   shell: echo "request('{{ frontend_software_release_url }}', '{{ custom_domain }}-slave',filter_kw={'computer_guid':'{{ computer_id }}'},partition_parameter_kw={'custom_domain':'{{ custom_domain }}','enable_cache':'true','type':'zope','url':'{{ erp5_url.stdout }}', 'path':'erp5/',},shared=True, software_type='custom-personal',)" | slapos console 
+   when: cert_folder.stat.exists == False
+   register: request_slave
+   failed_when: "'error' in request_slave.stdout"
+
+ - template: src=request-slave-frontend.j2 dest=/opt/kdbox/request_slave_frontend.py mode=644
+   vars:
+     ssl_key_content: "{{ lookup('file', '/opt/kdbox/dehydrated/certs/{{ custom_domain }}/privkey.pem') }}" 
+     ssl_crt_content: "{{ lookup('file', '/opt/kdbox/dehydrated/certs/{{ custom_domain }}/cert.pem') }}"
+     ssl_ca_crt_content: "{{ lookup('file', '/opt/kdbox/dehydrated/certs/{{ custom_domain }}/chain.pem') }}"
+   when: cert_folder.stat.exists == True
+
+ - name: Update slave frontend certificate
+   shell: "cat /opt/kdbox/request_slave_frontend.py | slapos console"
+   register: output
+   when: cert_folder.stat.exists == True and kdbox_ok == False
+   failed_when: "'error' in output.stderr.lower()"
+
+ - debug: msg="{{ output }}"
+
+ - file: path=/opt/kdbox/kdbox_ok state=touch
+   when: cert_folder.stat.exists == True

playbook/roles/kdbox/tasks/frontend.yml

-- name: Caddy frontend supply 
-  shell: slapos supply {{ frontend_software_release_url }} {{ computer_id }}
-  when : slapos_cfg.stat.exists == True
-  args: 
-    creates: /opt/supply_check_file
-
-- name : requesting Caddy frontend istance
-  shell: echo "request('{{ frontend_software_release_url }}', '{{ frontend_instance_name }}',filter_kw={'computer_guid':'{{ computer_id}}'}, partition_parameter_kw={'-sla-1-computer_guid':'{{ computer_id }}','domain':'{{ domain_name }}','public-ipv4':'{{ ansible_default_ipv4.address }}',}, software_type='custom-personal',)" | slapos console
-  when: supply_is_done == True
+---
+
+ - stat: path=/opt/kdbox/frontend_requested
+   register: frontend_requested
+
+ - stat: path=/opt/kdbox/frontend_supplied
+   register: frontend_supplied
+
+ - name: Caddy frontend supply 
+   shell: slapos supply {{ frontend_software_release_url }} {{ computer_id }}
+   when: slapos_cfg.stat.exists == True  and frontend_supplied.stat.exists == False
+
+ - name: Frontend is supplied
+   file: path=/opt/kdbox/frontend_supplied state=touch
+
+ - name: Requesting Caddy frontend instance
+   shell: echo "request('{{ frontend_software_release_url }}', '{{ frontend_instance_name }}', filter_kw={'computer_guid':'{{ computer_id}}'}, partition_parameter_kw={'-sla-1-computer_guid':'{{ computer_id }}','domain':'{{ domain_name }}','public-ipv4':'{{ ansible_default_ipv4.address }}',}, software_type='custom-personal',)" | slapos console
+   when: frontend_supplied.stat.exists == True and frontend_requested.stat.exists == False
+   register: output
+   failed_when: "'error' in output.stderr.lower()"
+
+ - name: Frontend is requested
+   file: path=/opt/kdbox/frontend_requested state=touch
+

playbook/roles/kdbox/tasks/main.yml

 ---
 
+  - file: path=/opt/kdbox state=directory mode=0755
+
+  - stat: path="/opt/kdbox/kdbox_ok"
+    register: kdbox_is_ok
+
+  - name: register needed variables
+    set_fact:
+      computer_id: "{{ lookup('ini','computer_id section=slapos file=/etc/opt/slapos/slapos.cfg') }}"
+      domain_name: "{{ lookup('file', '/opt/kdbox/cdn_domain_name') }}"
+      custom_domain: "{{ lookup('file', '/opt/kdbox/cdn_custom_domain') }}"
+      kdbox_ok: "{{ kdbox_is_ok.stat.exists }}"
+
+  - include: deploy.yml
+
   - name: Check if client configuration exists already
     stat: path=/etc/opt/slapos/slapos.cfg
     register: slapos_cfg
     failed_when: slapos_cfg.stat.exists == False
-    
-  - name: check if supply is done 
-    stat: path=/opt/supply_check_file
-    register: supply_check
 
-  - name: register computer ID
-    set_fact:
-      computer_id: "{{ lookup('ini','computer_id section=slapos file=/etc/opt/slapos/slapos.cfg') }}"
-   
-  # verify software supply 
-  - name: register supply status
-    set_fact:
-      supply_is_done: "{{ supply_check.stat.exists }}"
+  - name: check if request is done
+    stat: path=/opt/kdbox/request_is_done
+    register: request_done
 
   - include: webrunner.yml
   - include: frontend.yml
   - include: frontend-slave-instance.yml
- 
+
   # find Caddy ip to be used for port forwarding
   - name: Get Caddy local IP
     shell: grep bind /srv/slapgrid/slappart*/etc/Caddyfile | cut -d ' ' -f4 | head -n1 
@@ -39,8 +44,6 @@
     register: forward_result
     changed_when: forward_result.stdout != "port forwarding process already running"
 
-  # file created when software supply is done
-  - name: "create software_supply_check_file"
-    file:   
-        path: "/opt/supply_check_file"
-        state: touch 
+  # generate signed certificate with letsencrypt
+  - include: dehydrated.yml
+

playbook/roles/kdbox/tasks/webrunner.yml

-- name: webrunner supply 
-  shell: slapos supply {{ webrunner_software_release_url }} {{ computer_id }}
-  when : slapos_cfg.stat.exists == True
-  args: 
-    creates: /opt/supply_check_file
-
-- name: requesting webrunner instance 
-  shell: echo "request('{{ webrunner_software_release_url }}', '{{ webrunner_instance_name }}', partition_parameter_kw={'-sla-runner0-computer_guid':'{{ computer_id }}','-sla-runner1-computer_guid':'{{ computer_id }}',}, software_type='resilient',)" | slapos console
-  when: supply_is_done == True
+---
+
+ - stat: path=/opt/kdbox/webrunner_requested
+   register: webrunner_requested
+
+ - stat: path=/opt/kdbox/webrunner_supplied
+   register: webrunner_supplied
+
+ - name: webrunner supply 
+   shell: slapos supply {{ webrunner_software_release_url }} {{ computer_id }}
+   when : slapos_cfg.stat.exists == True and webrunner_supplied.stat.exists == False
+ 
+ - name: Webrunner is supplied
+   file: path=/opt/kdbox/webrunner_supplied state=touch
+
+ - name: requesting webrunner instance
+   shell: echo "request('{{ webrunner_software_release_url }}', '{{ webrunner_instance_name }}', partition_parameter_kw={'-sla-runner0-computer_guid':'{{ computer_id }}','-sla-runner1-computer_guid':'{{ computer_id }}', 'auto-deploy':'true', 'auto-deploy-instance':'true', 'autorun':'true', 'slapos-software':'software/erp5',}, software_type='resilient',)" | slapos console
+   when: webrunner_supplied.stat.exists == True and webrunner_requested.stat.exists == False
+   failed_when: "'error' in output.stderr.lower()"
+   register: output
+
+ - name: webrunner is requested
+   file: path=/opt/kdbox/webrunner_requested state=touch
+   when: output is defined

playbook/roles/kdbox/templates/config.j2

+WELLKNOWN="${BASEDIR}"
+HOOK="${BASEDIR}/zope-hook.sh"
+DOMAINS_TXT="${BASEDIR}/domains.txt"

playbook/roles/kdbox/templates/kdbox-state.j2

+#!/bin/bash
+
+PWD=$({{ role_path }}/files/kdbox-param '{{ webrunner_instance_name }}' pwd)
+
+if [ -z "$PWD" ]; then
+  echo "ERP5 KDBox is not ready yet!"
+  exit 1
+fi
+echo "KDBOX is ready"
+echo "URL: https://{{ custom_domain }}/"
+echo "Init username: zope"
+echo "Init password: $PWD"

playbook/roles/kdbox/templates/request-slave-frontend.j2

+parameters = {
+  "custom_domain": "{{ custom_domain }}",
+  "enable_cache": "true",
+  "path": "erp5/",
+  "type": "zope",
+  "url": "{{ erp5_url.stdout }}",
+  "https-only": "true"
+}
+
+parameters["ssl_key"] = """{{ ssl_key_content }}"""
+parameters["ssl_crt"] = """{{ ssl_crt_content }}"""
+parameters["ssl_ca_crt"] = """{{ ssl_ca_crt_content }}"""
+
+request(
+  "{{ frontend_software_release_url }}",
+  "{{ custom_domain }}-slave",
+  partition_parameter_kw=parameters,
+  shared=True,
+  software_type='custom-personal',
+  filter_kw={'computer_guid':'{{ computer_id }}'}
+)

playbook/settings/kdbox.yml

-frontend_software_release_url: https://lab.node.vifib.com/nexedi/slapos/raw/1.0.82/software/caddy-frontend/software.cfg
-frontend_slave_backend_url: https://[2401:5180:0:38::7377]:2152
-#recupuration de frontend_slave_backend_url à automatiser
+frontend_software_release_url: https://lab.node.vifib.com/nexedi/slapos/raw/1.0.95.2/software/caddy-frontend/software.cfg
 re6st_annon: False
 #variable crée pour desactiver le RADVD 
 enable_router_advertisement: False
 re6st_fingerprint: sha256:499a44702d687e968c047d28e33f59e5c3bae71a38619dc730152a3557c20301
 re6st_registry_url: http://re6stnet.gnet.erp5.cn/
-webrunner_software_release_url: https://lab.node.vifib.com/nexedi/slapos/raw/1.0.75/software/slaprunner/software.cfg
-frontend_instance_name: FRONTEND-kdboxtest
-webrunner_instance_name: webrunner-1
-frontend_instance_slave_name : My-ERP5
-
+webrunner_software_release_url: https://lab.nexedi.com/nexedi/slapos/raw/1.0.100/software/slaprunner/software.cfg
+frontend_instance_name: kdbox-main-FRONTEND
+webrunner_instance_name: kdbox-resilient-webrunner