From ff52a7f23e0249f14e7030dd4a69426987b65c43 Mon Sep 17 00:00:00 2001 From: Emmanuel Cazenave Date: Thu, 15 Nov 2018 11:24:03 +0100 Subject: [PATCH] switch to dev.publik.love domain (#27824) Download the certificate chain and adapt nginx configuration. publik.love certificates being handled by Let's Encrypt, we can also get rid of the hacks around requests. --- group_vars/all | 60 +++++++++---------- install.yml | 1 + .../app-setup/templates/app-settings-base.j2 | 2 - roles/base/tasks/main.yml | 21 +++++++ roles/bijoe/tasks/main.yml | 6 -- .../templates/hobo-agent-settings.j2 | 2 +- tenants-inventory.yml.example | 20 +++---- 7 files changed, 63 insertions(+), 49 deletions(-) diff --git a/group_vars/all b/group_vars/all index 56cc28e..5549ace 100644 --- a/group_vars/all +++ b/group_vars/all
@@ -3,73 +3,73 @@ django_version: 1.11.15 git_ssh: false clone_repo: true src_dir: "/home/{{user}}/src" -ssl_certificate: "/etc/ssl/certs/*.local.publik.crt" -ssl_certificate_key: "/etc/ssl/private/*.local.publik.key" +ssl_certificate: "{{venv_certs}}/dev.publik.love-fullchain.pem" +ssl_certificate_key: "{{venv_certs}}/dev.publik.love-privkey.pem" venv: "/home/{{user}}/envs/publik-env" user: publik apps: authentic: db_name: authentic_multitenant - host_pattern: "*-authentic.local.publik" - nginx_host_pattern: '~^(.*)\-authentic\.local\.publik$' + host_pattern: "*authentic.dev.publik.love" + nginx_host_pattern: '~^(.*)authentic\.dev\.publik\.love$' project_name: authentic-multitenant server_port: 8000 combo: db_name: combo - host_pattern: "*-combo.local.publik" - nginx_host_pattern: '~^(.*)\-combo\.local\.publik$' + host_pattern: "*combo.dev.publik.love" + nginx_host_pattern: '~^(.*)combo\.dev\.publik\.love$' project_name: combo server_port: 8004 hobo: db_name: hobo - host_pattern: "*-hobo.local.publik" - nginx_host_pattern: '~^(.*)\-hobo\.local\.publik$' + host_pattern: "*hobo.dev.publik.love" + nginx_host_pattern: '~^(.*)hobo\.dev\.publik\.love$' project_name: hobo server_port: 8016 passerelle: db_name: passerelle - host_pattern: "*-passerelle.local.publik" - nginx_host_pattern: '~^(.*)\-passerelle\.local\.publik$' + host_pattern: "*passerelle.dev.publik.love" + nginx_host_pattern: '~^(.*)passerelle\.dev\.publik\.love$' project_name: passerelle server_port: 8024 fargo: db_name: fargo - host_pattern: "*-fargo.local.publik" - nginx_host_pattern: '~^(.*)\-fargo\.local\.publik$' + host_pattern: "*fargo.dev.publik.love" + nginx_host_pattern: '~^(.*)fargo\.dev\.publik\.love$' project_name: fargo server_port: 8036 chrono: db_name: chrono - host_pattern: "*-chrono.local.publik" - nginx_host_pattern: '~^(.*)\-chrono\.local\.publik$' + host_pattern: "*chrono.dev.publik.love" + nginx_host_pattern: '~^(.*)chrono\.dev\.publik\.love$' project_name: chrono server_port: 8040 
bijoe: db_name: bijoe - host_pattern: "*-bijoe.local.publik" - nginx_host_pattern: '~^(.*)\-bijoe\.local\.publik$' + host_pattern: "*bijoe.dev.publik.love" + nginx_host_pattern: '~^(.*)bijoe\.dev\.publik\.love$' project_name: bijoe server_port: 8048 wcs: db_name: wcs - host_pattern: "*-wcs.local.publik" - nginx_host_pattern: '~^(.*)\-wcs\.local\.publik$' + host_pattern: "*wcs.dev.publik.love" + nginx_host_pattern: '~^(.*)wcs\.dev\.publik\.love$' project_name: wcs server_port: 8032 welco: db_name: welco - host_pattern: "*-welco.local.publik" - nginx_host_pattern: '~^(.*)\-welco\.local\.publik$' + host_pattern: "*welco.dev.publik.love" + nginx_host_pattern: '~^(.*)welco\.dev\.publik\.love$' project_name: welco server_port: 8052 tenants_conf: - connexion-authentic: "connexion-authentic.local.publik" - agent-combo: "agent-combo.local.publik" - user-combo: "user-combo.local.publik" - dev-hobo: "dev-hobo.local.publik" - demarches-wcs: "demarches-wcs.local.publik" - dev-passerelle: "dev-passerelle.local.publik" - dev-fargo: "dev-fargo.local.publik" - dev-chrono: "dev-chrono.local.publik" - dev-bijoe: "dev-bijoe.local.publik" - dev-welco: # disabled by default -- could be "dev-welco.local.publik" + connexion-authentic: "authentic.dev.publik.love" + agent-combo: "agent-combo.dev.publik.love" + user-combo: "combo.dev.publik.love" + dev-hobo: "hobo.dev.publik.love" + demarches-wcs: "wcs.dev.publik.love" + dev-passerelle: "passerelle.dev.publik.love" + dev-fargo: "fargo.dev.publik.love" + dev-chrono: "chrono.dev.publik.love" + dev-bijoe: "bijoe.dev.publik.love" + dev-welco: # disabled by default -- could be "welco.dev.publik.love" diff --git a/install.yml b/install.yml index 25f6212..e77a15c 100644 --- a/install.yml +++ b/install.yml @@ -17,6 +17,7 @@ vars: themes_dir: "{{venv}}/themes" venv_bin: "{{venv}}/bin" + venv_certs: "{{venv}}/certs" venv_conf: "{{venv}}/conf" venv_pip: "{{venv_bin}}/pip" venv_python: "{{venv_bin}}/python" 
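Review bot: Dropping the `\-` from every `nginx_host_pattern` (e.g. `'~^(.*)authentic\.dev\.publik\.love$'`) turns `(.*)` into an unbounded prefix match, so a host like `notauthentic.dev.publik.love` now lands on the authentic vhost alongside the intended `authentic.dev.publik.love` and `customname-authentic.dev.publik.love`; if the capture group is used downstream as a tenant name (not visible here), that widens what a client can inject into it. A pattern such as `'~^(?:(.*)-)?authentic\.dev\.publik\.love$'` accepts both the bare and the dash-separated form while rejecting arbitrary prefixes; the `host_pattern` globs (`*authentic.dev.publik.love`) cannot express that, so a comment noting the deliberate looseness would help. As a point of style, `dev.publik.love` is now spelled out in roughly thirty values of this file plus the two `ssl_certificate*` paths; a single `publik_domain: dev.publik.love` variable referenced as `"*authentic.{{publik_domain}}"` would make the next domain switch a one-line change.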
diff --git a/roles/app-setup/templates/app-settings-base.j2 b/roles/app-setup/templates/app-settings-base.j2 index 77c0cbb..d1ef0a8 100644 --- a/roles/app-setup/templates/app-settings-base.j2 +++ b/roles/app-setup/templates/app-settings-base.j2 @@ -10,8 +10,6 @@ execfile('{{src_dir}}/hobo/debian/debian_config_common.py') THEMES_DIRECTORY = '{{themes_dir}}' -os.environ['REQUESTS_CA_BUNDLE'] = '/etc/ssl/certs/ca-certificates.crt' - ALLOWED_HOSTS = ['*'] LOGGING = { diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7d7464d..8f7098e 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -98,3 +98,24 @@ src: "{{ src_dir }}/publik-base-theme" path: "{{themes_dir}}/publik-base" state: link + +- name: create cert directory + file: + path: "{{venv_certs}}" + state: directory + tags: + - tls + +- name: Download fullchain.pem + get_url: + url: https://doc-publik.entrouvert.com/media/certificates/dev.publik.love/fullchain.pem + dest: "{{venv_certs}}/dev.publik.love-fullchain.pem" + tags: + - tls + +- name: Download privkey.pem + get_url: + url: https://doc-publik.entrouvert.com/media/certificates/dev.publik.love/privkey.pem + dest: "{{venv_certs}}/dev.publik.love-privkey.pem" + tags: + - tls diff --git a/roles/bijoe/tasks/main.yml b/roles/bijoe/tasks/main.yml index 4e5c556..ae6c1b9 100644 --- a/roles/bijoe/tasks/main.yml +++ b/roles/bijoe/tasks/main.yml @@ -24,9 +24,3 @@ src: "{{ src_dir }}/bijoe/debian/import-wcs-data.sh" dest: "{{ venv_bin }}/import-wcs-data.sh" mode: u+x - -- name: import-wcs-data wrapper script - template: - src: "bijoe-import-wcs-data.j2" - dest: "{{ venv_bin }}/bijoe-import-wcs-data.sh" - mode: u+x diff --git a/roles/hobo-agent/templates/hobo-agent-settings.j2 b/roles/hobo-agent/templates/hobo-agent-settings.j2 index a3dfca5..6ecbb20 100644 --- a/roles/hobo-agent/templates/hobo-agent-settings.j2 +++ b/roles/hobo-agent/templates/hobo-agent-settings.j2 
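Review bot: The `Download privkey.pem` task fetches a TLS private key with `get_url` and sets no `mode`, so the file is created with the module's default (the target's umask, typically 0644) and is readable by every local account on the host; add `mode: "0600"` to that task and `mode: "0700"` to the `create cert directory` task, plus an explicit `owner`/`group` if the nginx worker user differs from `{{user}}` (not visible in this hunk — confirm against the nginx role). The key is also downloaded from a public documentation URL, meaning anyone can present a valid certificate for `*.dev.publik.love`; that is presumably intended for a shared developer domain, but a comment on the task such as `# shared dev key, publicly published -- never reuse for a host reachable from the internet` would stop the pattern being copied into a non-dev role. Finally, `get_url` with the default `force: no` does not re-download when `dest` already exists, so a Let's Encrypt chain that rotates roughly every 90 days goes stale on hosts provisioned once; `force: true` on both download tasks keeps them current.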
@@ -12,7 +12,7 @@ AGENT_HOST_PATTERNS = { {% filter upper %}{{appkey}}{% endfilter %}_MANAGE_COMMAND = "{{venv_bin}}/{{app['project_name']}}-manage" {% filter upper %}{{appkey}}{% endfilter %}_MANAGE_TRY_COMMAND = {% filter upper %}{{appkey}}{% endfilter %}_MANAGE_COMMAND {% else %} -WCS_MANAGE_COMMAND = "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt {{venv_bin}}/wcsctl.py -f {{venv_conf}}/wcs.cfg" +WCS_MANAGE_COMMAND = "{{venv_bin}}/wcsctl.py -f {{venv_conf}}/wcs.cfg" WCS_MANAGE_TRY_COMMAND = "{{venv_bin}}/wcsctl.py" {% endif %} {% endfor %} \ No newline at end of file diff --git a/tenants-inventory.yml.example b/tenants-inventory.yml.example index dda6f05..4e86ce7 100644 --- a/tenants-inventory.yml.example +++ b/tenants-inventory.yml.example @@ -4,14 +4,14 @@ local: localhost: ansible_connection: local tenants_conf: - connexion-authentic: "customname-authentic.local.publik" - agent-combo: "customname-combo.local.publik" - user-combo: "customname-combo.local.publik" - dev-hobo: "customname-hobo.local.publik" - demarches-wcs: "customname-wcs.local.publik" - dev-passerelle: "customname-passerelle.local.publik" - dev-fargo: "customname-fargo.local.publik" - dev-chrono: "customname-chrono.local.publik" - dev-bijoe: "customname-bijoe.local.publik" - dev-welco: "customname-welco.local.publik" + connexion-authentic: "customname-authentic.dev.publik.love" + agent-combo: "customname-combo.dev.publik.love" + user-combo: "customname-combo.dev.publik.love" + dev-hobo: "customname-hobo.dev.publik.love" + demarches-wcs: "customname-wcs.dev.publik.love" + dev-passerelle: "customname-passerelle.dev.publik.love" + dev-fargo: "customname-fargo.dev.publik.love" + dev-chrono: "customname-chrono.dev.publik.love" + dev-bijoe: "customname-bijoe.dev.publik.love" + dev-welco: "customname-welco.dev.publik.love" -- 2.19.1