Add support for Ubuntu 22 and Ubuntu 24

.github/workflows/build.yml

@@ -7,14 +7,14 @@ on:
 
 jobs:
   ansible-lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
 
       - uses: actions/setup-python@v4
         with:
-          python-version: '3.10.15'
+          python-version: '3.10.16'
 
       - name: Set up Ansible
         run: |
@@ -24,8 +24,18 @@ jobs:
       - name: Ansible Lint
         run: bin/lint
 
-  playbook-tests:
+  playbook-tests-lxc:
+    # Ubuntu 22 and newer install lxd via snap which complicates things.
+    # When we need to update from Ubuntu 20 then we can use incus which is
+    # now the better fork of lxd.
     runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - "ubuntu:20.04"
+          - "ubuntu:22.04"
+          - "ubuntu:24.04"
     steps:
       - uses: actions/checkout@v3
 
@@ -48,8 +58,13 @@ jobs:
             ${{ runner.os }}-ruby-
             ${{ runner.os }}-
 
-      - name: Uninstall conflicting packages
-        run: sudo apt remove nginx libgd3
+      - name: Set up LXD
+        run: |
+          sudo apt-get install --yes lxd
+          sudo lxd init --auto
+          sudo usermod -aG lxd "$USER"
+          ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
+          sudo su -c "LXC_IMAGE='${{ matrix.image }}' `pwd`/bin/setup-lxc" - "$USER"
 
       - name: Test Playbooks
-        run: ansible-playbook tests/suite.yml --limit test --connection local
+        run: ansible-playbook tests/suite.yml --limit lxc

Vagrantfile

@@ -15,7 +15,9 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # options are documented and commented below. For a complete reference,
   # please see the online documentation at vagrantup.com.
 
-  config.vm.box = "generic/ubuntu2004"
+  # Not available in the generic repository yet.
+  #config.vm.box = "generic/ubuntu2404"
+  config.vm.box = "alvistack/ubuntu-24.04"
 
   # VM network config.
   config.vm.network "forwarded_port", guest: 22, host: 2222

bin/requirements.yml

@@ -2,6 +2,8 @@
 - src: geerlingguy.security
   version: 1.5.0
 
+# TODO: replace with own role
+# Source repository has been archived without explanation.
 - src: jdauphant.nginx
   version: v2.21.2
 
@@ -13,7 +15,7 @@
   version: v2.0.14
 
 - src: geerlingguy.postgresql
-  version: 3.5.0
+  version: 3.5.2
 
 - src: libre_ops.multi_redis
   version: 1.0.1

bin/setup-lxc

@@ -18,21 +18,31 @@
 #
 #   https://github.com/libre-ops/lexi
 
-lxc launch ubuntu:20.04 ofn-dev
-lxc exec ofn-dev -- sh -c 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
+set -e
 
-# Enable browsing the OFN app via https://localhost:4433
-lxc config device add ofn-dev myport4433 proxy listen=tcp:0.0.0.0:4433 connect=tcp:127.0.0.1:443
+: ${LXC_IMAGE='ubuntu:24.04'}
 
-ip_address="$(lxc list | grep ofn-dev | cut -d' ' -f6)"
-echo "
-Host ofn.local
-  Hostname $ip_address
-  User root
-  UserKnownHostsFile /dev/null
-  StrictHostKeyChecking no
-  PasswordAuthentication no
-  LogLevel FATAL
-" >> "$HOME/.ssh/config"
+echo "Launching $LXC_IMAGE container:"
+lxc launch "$LXC_IMAGE" ofn-dev
 
-ansible-playbook -l lxc site.yml
+# The launch can take some time.
+while ! lxc exec ofn-dev -- sh -c 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub; do
+  sleep 1
+done
+
+# Allow connection via SSH.
+# Your config could look like this:
+# ```
+# Host ofn-dev.lxc
+#   HostName 127.0.0.1
+#   Port 1122
+#   User root
+#   UserKnownHostsFile /dev/null
+#   StrictHostKeyChecking no
+#   PasswordAuthentication no
+#   LogLevel FATAL
+# ```
+lxc config device add ofn-dev myport1122 proxy listen=tcp:0.0.0.0:1122 connect=tcp:127.0.0.1:22
+
+# Enable browsing the OFN app via https://localhost:1443
+lxc config device add ofn-dev myport1443 proxy listen=tcp:0.0.0.0:1443 connect=tcp:127.0.0.1:443

inventory/group_vars/all.yml

@@ -82,7 +82,7 @@ postgres_encoding: en_US.utf8
 # Entries marked custom_* can be defined in /host_vars files, and will be appended
 # to the defaults if present. Make sure you use the "list" notation with the dashes!
 
-postgresql_version: "{% if ansible_distribution_major_version == '16' %}9.5{% elif ansible_distribution_major_version == '18' %}10{% else %}12{% endif %}"
+postgresql_version: "{% if ansible_distribution_major_version == '16' %}9.5{% elif ansible_distribution_major_version == '18' %}10{% elif ansible_distribution_major_version == '20' %}12{% elif ansible_distribution_major_version == '22' %}14{% else %}16{% endif %}"
 postgresql_data_dir: "/var/lib/postgresql/{{ postgresql_version }}/main"
 postgresql_bin_path: "/usr/lib/postgresql/{{ postgresql_version }}/bin"
 postgresql_config_path: "/etc/postgresql/{{ postgresql_version }}/main"
@@ -127,8 +127,6 @@ postgresql_global_config_options:
   - option: log_directory
     value: "log"
 
-debezium_version: "0.10.0.Final"
-
 #----------------------------------------------------------------------
 # App variables
 app: openfoodnetwork
@@ -244,9 +242,12 @@ ssl_certificate_key:  "/etc/letsencrypt/live/{{ certbot_cert_name | default(doma
 
 nginx_official_repo: True
 
-nginx_extra_root_params:
-  - load_module modules/ngx_http_brotli_filter_module.so
-  - load_module modules/ngx_http_brotli_static_module.so
+possible_nginx_extra_root_params:
+  - "{{ (ansible_distribution_major_version <= '20') | ternary('load_module modules/ngx_http_brotli_filter_module.so','') }}"
+  - "{{ (ansible_distribution_major_version <= '20') | ternary('load_module modules/ngx_http_brotli_static_module.so','') }}"
+
+# Filter out empty items:
+nginx_extra_root_params: "{{ possible_nginx_extra_root_params | select }}"
 
 nginx_http_params:
   - sendfile "on"
@@ -337,8 +338,10 @@ nginx_sites:
       gzip_types text/css text/javascript text/plain application/javascript application/x-javascript application/json;
       gzip_disable "msie6";
 
+      {% if ansible_distribution_major_version <= "20" %}
       brotli on;
       brotli_types text/css text/javascript text/plain application/javascript application/x-javascript application/json;
+      {% endif %}
 
       try_files $uri/index.html $uri @rails;
 
@@ -368,7 +371,9 @@ nginx_sites:
       location ~ ^/(assets)/ {
         {{ nginx_valid_methods }}
         gzip_static on;
+        {% if ansible_distribution_major_version <= "20" %}
         brotli_static on;
+        {% endif %}
         expires max;
         add_header Cache-Control public;
       }

inventory/hosts

@@ -5,7 +5,7 @@
 local_vagrant ansible_host=127.0.0.1 ansible_user=vagrant ansible_port=2222 ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
 [lxc]
-ofn.local
+local_lxc ansible_host=127.0.0.1 ansible_user=root ansible_port=1122 ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 
 [lexi]
 local_lexi ansible_host=10.10.100.10 ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=ERROR'

playbooks/provision.yml

@@ -81,6 +81,7 @@
       tags: certbot
 
     - role: brotli_nginx
+      when: ansible_distribution_major_version <= '20'
       tags: brotli
 
     - role: jdauphant.nginx

playbooks/setup.yml

@@ -5,21 +5,21 @@
 # Use: `ansible-playbook playbooks/setup.yml -e "ansible_user=ubuntu" --limit <server_tag>` if
 # provisioning an EC2 instance for the first time (this only needs to be run once).
 
-# Ensure python is set up and accessible on the server before starting.
-- name: python check
+# Make the machine ready for basic setup.
+- name: Ensure machine is ready as Ansible host
   hosts: ofn_servers
   gather_facts: no
   remote_user: root
   tasks:
-    - name: Install python
+    - name: apt update
       become: yes
-      raw: |
-        test -e /usr/bin/python3 || (
-          apt-get update -qq &&\
-          apt-get install -q --yes python3
-        )
+      raw: apt-get update -qq
+      changed_when: true
+    - name: Install python if missing
+      become: yes
+      raw: test -e /usr/bin/python3 || apt-get install -q --yes python3
       register: python_install
-      changed_when: python_install.stdout == ""
+      changed_when: python_install.stdout != ""
 
 # Add the default user and ssh keys as root
 - name: set up default_user

roles/app_user/tasks/main.yml

@@ -9,6 +9,12 @@
     shell: /bin/bash
   become: yes
 
+- name: Open home directory for reading by nginx
+  file:
+    path: "{{ app_user_home_path }}"
+    mode: "o+x" # Add execute to directory for other users.
+  become: yes
+
 - name: add ssh key
   authorized_key:
     user: "{{ app_user }}"

roles/common/tasks/main.yml

@@ -14,7 +14,7 @@
   vars:
     packages:
       # Ansible support
-      - python-pycurl
+      - python3-pycurl
       - python3-psycopg2
 
       # unknown why or if needed

roles/config/tasks/main.yml

@@ -3,6 +3,7 @@
   hostname:
     name: "{{ host_id }}"
   become: yes
+  when: inventory_hostname not in groups['lxc']
 
 - name: "Set journal log size limit" # to avoid hard drive filling up!
   lineinfile: