rciam · ioigoume · Jan 12, 2022
diff --git a/pyffservers.yml b/pyffservers.yml
@@ -0,0 +1,8 @@
+# file: pyffservers.yml
+#
+---
+
+- hosts: pyff
+  roles:
+    - { role: git, tags: git }
+    - { role: pyff, tags: pyff }
diff --git a/roles/pyff/defaults/main.yml b/roles/pyff/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+# defaults file for pyff
+pyff_bind_port: 8080
+pyff_bind_url: 127.0.0.1
+pyff_public_url: 127.0.0.1
+pyff_public_port: 8080
+pyff_pipeline: 127.0.0.1
+pyff_working_directory: pyff-service
+pyff_virtual_environment: "{{ pyff_working_directory }}/.venv"
+pyff_update_frequency: 300
+# OS
+pyff_version: 2.0.0
+
+#  SSL Key used to sign the metadata
+# pyff_ssl_cert:
+# pyff_ssl_cert_key:
+
+metadata_urls:
+  - http://mds.edugain.org
diff --git a/roles/pyff/files/debug.ini b/roles/pyff/files/debug.ini
@@ -0,0 +1,67 @@
+[server:main]
+use = egg:pyFF#pyffs
+
+[app:main]
+use = egg:pyFF#pyffapp
+
+[loggers]
+keys = root, pyff, xmlsec, pyff.pipes, pyff.store, pyff.builtins, pyff.api, pyff.parse
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = DEBUG
+handlers = console
+
+[logger_pyff]
+level = DEBUG
+handlers =
+qualname = pyff
+
+[logger_pyff.parse]
+level = DEBUG
+handlers =
+qualname = pyff.parse
+
+[logger_xmlsec]
+level = INFO
+handlers =
+qualname = xmlsec
+
+[logger_pyff.pipes]
+level = DEBUG
+handlers =
+qualname = pyff.pipes
+
+[logger_pyff.store]
+level = DEBUG
+handlers =
+qualname = pyff.store
+
+[logger_pyff.builtins]
+level = DEBUG
+handlers =
+qualname = pyff.builtins
+
+[logger_pyff.api]
+level = DEBUG
+handlers =
+qualname = pyff.api
+
+[logger_apscheduler]
+level = DEBUG
+handlers =
+qualname = apscheduler
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = DEBUG
+formatter = generic
+
+[formatter_generic]
+format = pyff.service %(asctime)s %(levelname)-5.5s [%(name)s:%(lineno)s][%(threadName)s] %(message)s
diff --git a/roles/pyff/files/warn.ini b/roles/pyff/files/warn.ini
@@ -0,0 +1,67 @@
+[server:main]
+use = egg:pyFF#pyffs
+
+[app:main]
+use = egg:pyFF#pyffapp
+
+[loggers]
+keys = root, pyff, xmlsec, pyff.pipes, pyff.store, pyff.builtins, pyff.api, pyff.parse
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+
+[logger_pyff]
+level = WARN
+handlers =
+qualname = pyff
+
+[logger_pyff.parse]
+level = WARN
+handlers =
+qualname = pyff.parse
+
+[logger_xmlsec]
+level = INFO
+handlers =
+qualname = xmlsec
+
+[logger_pyff.pipes]
+level = WARN
+handlers =
+qualname = pyff.pipes
+
+[logger_pyff.store]
+level = WARN
+handlers =
+qualname = pyff.store
+
+[logger_pyff.builtins]
+level = WARN
+handlers =
+qualname = pyff.builtins
+
+[logger_pyff.api]
+level = DEBUG
+handlers =
+qualname = pyff.api
+
+[logger_apscheduler]
+level = WARN
+handlers =
+qualname = apscheduler
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = WARN
+formatter = generic
+
+[formatter_generic]
+format = pyff.service %(asctime)s %(levelname)-5.5s [%(name)s:%(lineno)s][%(threadName)s] %(message)s
diff --git a/roles/pyff/handlers/main.yml b/roles/pyff/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for pyff
+
+- name: pyff.service restart
+  systemd:
+    name: pyff
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
+  become: yes
diff --git a/roles/pyff/tasks/configure.yml b/roles/pyff/tasks/configure.yml
@@ -0,0 +1,77 @@
+---
+
+- name: Ensure pyff SSL certificate is copied
+  copy:
+    content: '{{ item.content }}'
+    dest: "{{ item.dest }}"
+    owner: "{{ pyff_default_user }}"
+    group: "{{ pyff_default_group }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - content: "{{ pyff_ssl_cert }}"
+      dest: "{{ pyff_working_directory }}/sign.crt"
+      mode: "0644"
+    - content: "{{ pyff_ssl_cert_key }}"
+      dest: "{{ pyff_working_directory }}/sign.key"
+      mode: "0600"
+  become: yes
+  notify: pyff.service restart
+  tags:
+    - certificates
+
+- name: Ensure files are copied
+  copy:
+    src: "{{ item }}"
+    dest: "{{ pyff_working_directory }}/{{ item }}"
+    owner: "{{ pyff_default_user }}"
+    group: "{{ pyff_default_group }}"
+    mode: 0644
+    backup: yes
+  with_items:
+    - debug.ini
+    - warn.ini
+  become: yes
+  notify: pyff.service restart
+  tags:
+    - files:copy
+
+- name: Deploy pipeline.yml template
+  template:
+     owner: "{{ pyff_default_user }}"
+     group: "{{ pyff_default_group }}"
+     mode: 0644
+     src: "templates/{{ item }}.j2"
+     dest: "{{ pyff_working_directory }}/{{ item }}"
+     backup: yes
+  with_items:
+    - pipeline.yml
+  become: yes
+  notify: pyff.service restart
+  tags:
+    - files:templates
+
+- name: Ensure publish directory has a symbolik link under /var/www/html
+  file:
+    src: "{{ pyff_working_directory }}/publish"
+    dest: "/var/www/html/publish"
+    force: yes
+    state: link
+    owner: root
+    group: root
+    follow: false
+  become: yes
+  tags:
+    - metadata:publish
+
+- name: pyff systemd setup
+  template:
+     owner: "{{ pyff_default_user }}"
+     group: "{{ pyff_default_group }}"
+     mode: 0644
+     src: templates/pyff.service.j2
+     dest: /etc/systemd/system/pyff.service
+     backup: yes
+  notify: pyff.service restart
+  become: yes
+  tags:
+    - pyff_service
diff --git a/roles/pyff/tasks/install-Debian.yml b/roles/pyff/tasks/install-Debian.yml
@@ -0,0 +1,42 @@
+# file: pyff/tasks/install-Debian.yml
+
+---
+
+- name: Ensure dependencies are installed
+  apt:
+    name:
+      - git
+      - python3-venv
+      - python3-pip
+    state: present
+    install_recommends: no
+    update_cache: yes
+    cache_valid_time: 86400
+  become: yes
+
+- name: Ensure pyff directory exists
+  file:
+    state: directory
+    path: "{{ pyff_working_directory }}"
+    owner: "{{ pyff_default_user }}"
+    group: "{{ pyff_default_group }}"
+    mode: "0750"
+  become: yes
+
+- name: Upgrade pip3
+  pip:
+    name: pip
+    state: latest
+    virtualenv: "{{ pyff_virtual_environment }}"
+    extra_args: --upgrade
+  become: yes
+  become_user: "{{ pyff_default_user }}"
+
+- name: Ensure pyFF is installed in venv
+  pip:
+    name: "pyff=={{ pyff_version }}"
+    virtualenv: "{{ pyff_virtual_environment }}"
+    virtualenv_python: python3
+  become: yes
+  become_user: "{{ pyff_default_user }}"
+
diff --git a/roles/pyff/tasks/main.yml b/roles/pyff/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+# tasks file for pyff
+# Include OS-specific installation tasks
+- include: install-Debian.yml
+  when: ansible_os_family == 'Debian'
+#- include: install-RedHat.yml
+#  when: ansible_os_family == 'RedHat'
+  tags:
+    - pyff:install
+
+# Include OS-independent configuration tasks
+- include: configure.yml
+  tags:
+    - pyff:config
diff --git a/roles/pyff/templates/pipeline.yml.j2 b/roles/pyff/templates/pipeline.yml.j2
@@ -0,0 +1,33 @@
+- when update:
+    - load:
+{% for url in metadata_urls %}
+        - {{ url }}
+{% endfor %}
+    - select
+    - store:
+        directory: "{{ pyff_working_directory }}/store"
+    - publish:
+        output: "{{ pyff_working_directory }}/publish/metadata.xml"
+        update_store: true
+        hash_link: true
+        urlencode_filenames: true
+    - break
+- when request:
+    - select
+    - pipe:
+        - when accept application/samlmetadata+xml application/xml:
+             - xslt:
+                 stylesheet: tidy.xsl
+             - first
+             - finalize:
+                cacheDuration: PT12H
+                validUntil: P10D
+             - sign:
+                 key: sign.key
+                 cert: sign.crt
+             - emit application/xml
+             - break
+        - when accept application/json:
+             - discojson:
+             - emit application/json:
+             - break
diff --git a/roles/pyff/templates/pyff.service.j2 b/roles/pyff/templates/pyff.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=pyff service
+After=network.target
+
+[Service]
+Environment=PYFF_PIPELINE={{ pyff_working_directory }}/pipeline.yml
+Environment=PYFF_UPDATE_FREQUENCY={{ pyff_update_frequency }}
+Environment=PYFF_PUBLIC_URL=http://{{ pyff_public_url }}:{{ pyff_public_port }}
+Type=notify
+# the specific user that our service will run as
+User={{ pyff_default_user }}
+Group={{ pyff_default_group }}
+RuntimeDirectory=pyff
+WorkingDirectory={{ pyff_working_directory }}
+ExecStart={{ pyff_virtual_environment }}/bin/gunicorn \
+    --log-config debug.ini \
+    --workers=1 \
+    --reload \
+    --preload \
+    --bind {{ pyff_bind_url }}:{{ pyff_bind_port }} \
+    --threads 4 \
+    --worker-tmp-dir=/dev/shm \
+    pyff.wsgi:app
+ExecStop=/bin/kill -9 HUP $MAINPID
+ExecReload=/bin/kill -s HUP $MAINPID
+Restart=on-failure
+RestartSec=10s
+TimeoutStartSec=600
+TimeoutStopSec=600
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pyff/vars/main.yml b/roles/pyff/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# vars file for pyff
+pyff_default_group: www-data
+pyff_default_user: www-data