From 707972b3103ffeb2b0dbd9762b86e55b925a6e0a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 4 Apr 2024 15:49:56 +0000
Subject: [PATCH 1/9] =?UTF-8?q?bump:=20version=201.0.0=20=E2=86=92=201.0.1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .cz.toml           |  2 +-
 CHANGELOG.md       | 54 ++++++++++++++++++++++++++++++++++++++++++++++
 api/pyproject.toml |  2 +-
 web/package.json   |  2 +-
 4 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 CHANGELOG.md

diff --git a/.cz.toml b/.cz.toml
index e6d1a50..479bcbf 100644
--- a/.cz.toml
+++ b/.cz.toml
@@ -1,6 +1,6 @@
 [tool.commitizen]
 name = "cz_nhm"
-version = "1.0.0"
+version = "1.0.1"
 tag_format = "v$version"
 update_changelog_on_bump = true
 changelog_incremental = true
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..b3b11fe
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,54 @@
+## v1.0.1 (2024-04-04)
+
+### Fix
+
+- fix subnet address on docker config
+- use a compatible version of node-sass
+
+### Docs
+
+- update readme
+
+### Style
+
+- reformat ansible yaml
+- unignore and reformat build scripts
+- run pre-commit on ansible files
+- run pre-commit on frontend files
+- run pre-commit on api files
+
+### Build System(s)
+
+- get server ips from vault
+- update production servers
+- switch server OS to ubuntu
+- remove separate install of flower
+- explicitly add nginx user to lb image
+- add data migration to upsert tag data
+- use p10k cli script name
+- move requirements into separate file again
+- update node docker image
+- add cli script to pyproject.toml
+- move commitizen config to root
+- add black args to pc config
+- use mariadb and jammy for db docker
+- use jammy for lb docker
+- add pre-commit
+- migrate to pyproject.toml
+- update python images
+
+### Chores/Misc
+
+- add workflow files (bump and sync)
+- delete some old files
+
+## v1.0.0 (2023-04-26)
+
+### Fix
+
+- add password salt env var
+- add phpass to security config
+
+### Build System(s)
+
+- increase monit disk space check to 90GB
diff --git a/api/pyproject.toml b/api/pyproject.toml
index a756360..c28af26 100644
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "phenome10k"
-version = "1.0.0"
+version = "1.0.1"
 description = "Hosting of 3D biological models for the academic and educational community."
 requires-python = ">=3.8"
 license = { text = "GPL-3.0-or-later" }
diff --git a/web/package.json b/web/package.json
index 77eaa3b..6f70d7d 100644
--- a/web/package.json
+++ b/web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "phenome-10k",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Hosting of 3D biological models for the academic and educational community.",
   "main": "index.js",
   "author": "Paul Kiddle <p.kiddle@nhm.ac.uk>",

From fc3c174a3d028172d7b03d7f628f20b1f0243b2b Mon Sep 17 00:00:00 2001
From: Alice Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 11:04:36 +0100
Subject: [PATCH 2/9] feat: update the gbif taxonomy script

- use canonical names, not vernacular
- add "unknown [rank]" items when gbif's api doesn't have a parent available (e.g. actinopterygii has been removed in the backbone so they're all now under "unknown class")
- add "gbif" column to taxonomy table to accomodate new non-gbif items (though it should be obvious because the ids are all over 1,000,000,000 - this is not the best idea but the only thing that relies on it is a manually updated ui element, so it should be fine)
- the taxonomy tree now shows species as well
---
 .../versions/8b76ef5c47ef_gbif_taxonomy.py    | 29 +++++++
 api/phenome10k/cli.py                         | 18 ++++-
 api/phenome10k/data/gbif.py                   | 80 ++++++++++++++++---
 api/phenome10k/models/taxonomy.py             | 10 +--
 4 files changed, 118 insertions(+), 19 deletions(-)
 create mode 100644 api/migrations/versions/8b76ef5c47ef_gbif_taxonomy.py

diff --git a/api/migrations/versions/8b76ef5c47ef_gbif_taxonomy.py b/api/migrations/versions/8b76ef5c47ef_gbif_taxonomy.py
new file mode 100644
index 0000000..473e8fe
--- /dev/null
+++ b/api/migrations/versions/8b76ef5c47ef_gbif_taxonomy.py
@@ -0,0 +1,29 @@
+"""
+Add gbif column to taxonomy.
+
+Revision ID: 8b76ef5c47ef
+Revises: 01816b2fcaea
+Create Date: 2024-04-05 16:19:09.627686
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '8b76ef5c47ef'
+down_revision = '01816b2fcaea'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    with op.batch_alter_table('taxonomy', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('gbif', sa.Boolean(), nullable=True))
+
+    op.execute("update taxonomy set gbif = 't'")
+    op.alter_column('taxonomy', 'gbif', nullable=False)
+
+
+def downgrade():
+    with op.batch_alter_table('taxonomy', schema=None) as batch_op:
+        batch_op.drop_column('gbif')
diff --git a/api/phenome10k/cli.py b/api/phenome10k/cli.py
index 4707af6..82e036b 100644
--- a/api/phenome10k/cli.py
+++ b/api/phenome10k/cli.py
@@ -5,6 +5,7 @@
 from phenome10k.extensions import db, security
 from phenome10k.models import User, Scan, Taxonomy
 from datetime import datetime as dt
+from sqlalchemy import select
 
 
 def create_cli_app(info):
@@ -51,10 +52,19 @@ def update_gbif_tags():
     Updates taxonomy tags from gbif backbone and deletes unused ones.
     """
     click.echo('Updating tags:')
-    for scan in Scan.query.filter(Scan.gbif_species_id).all():
-        tags = [db.session.merge(tag) for tag in pull_tags(scan.gbif_species_id)]
-        scan.taxonomy = tags
-        click.echo(' - ' + scan.scientific_name)
+    species_ids = db.session.execute(
+        select(Scan.gbif_species_id)
+        .where(Scan.gbif_species_id.isnot(None))
+        .group_by(Scan.gbif_species_id)
+    )
+    for sid in species_ids:
+        tags = [db.session.merge(tag) for tag in pull_tags(sid[0])]
+        db.session.commit()
+        if len(tags) == 0:
+            continue
+        for scan in Scan.query.filter(Scan.gbif_species_id == sid[0]):
+            scan.taxonomy = tags
+        click.echo(' - ' + tags[-1].name)
 
     click.echo('Deleting tags:')
     for tax in Taxonomy.query.filter(db.not_(Taxonomy.scans.any())):
diff --git a/api/phenome10k/data/gbif.py b/api/phenome10k/data/gbif.py
index 732d78d..cfc2e67 100644
--- a/api/phenome10k/data/gbif.py
+++ b/api/phenome10k/data/gbif.py
@@ -1,6 +1,7 @@
 import requests
 
 from phenome10k.models import Taxonomy
+from sqlalchemy import and_
 
 
 def fetch_json(url):
@@ -15,19 +16,80 @@ def pull_tags(gbif_species_id):
     if not validate_id('species', gbif_species_id):
         return []
 
-    gbif_api_url = 'https://api.gbif.org/v1/species/' + str(gbif_species_id)
+    species_url = 'https://api.gbif.org/v1/species/'
+    gbif_api_url = species_url + str(gbif_species_id)
     gbif_api_parents = gbif_api_url + '/parents'
 
-    tags = fetch_json(gbif_api_parents) + [fetch_json(gbif_api_url)]
+    parent_taxa = fetch_json(gbif_api_parents)
+    taxon = fetch_json(gbif_api_url)
+    tags = []
 
-    return [
-        Taxonomy(
-            id=tag['key'],
-            name=tag.get('vernacularName', tag['canonicalName']),
-            parent_id=tag.get('parentKey'),
+    def _make_taxonomy_model(json_taxon, is_gbif=True):
+        return Taxonomy(
+            id=json_taxon['key'],
+            name=json_taxon['canonicalName'],
+            parent_id=json_taxon.get('parentKey'),
+            gbif=is_gbif,
         )
-        for tag in tags
-    ]
+
+    # sense check rank vs number of parents
+    # variety and forma have not been tested; subspecies has
+    ranks = ['KINGDOM', 'PHYLUM', 'CLASS', 'ORDER', 'FAMILY', 'GENUS', 'SPECIES']
+
+    if (
+        taxon['rank'] == 'SUBSPECIES'
+        and len(parent_taxa) < len(ranks)
+        and taxon.get('speciesKey')
+    ):
+        # sometimes the parent for subspecies is genus not species, so add the species manually
+        parent_taxa.append(fetch_json(species_url + str(taxon['speciesKey'])))
+
+    try:
+        expected_parents = ranks.index(taxon['rank'])
+    except ValueError:
+        if taxon['rank'] in ['SUBSPECIES', 'VARIETY', 'FORMA']:
+            expected_parents = len(ranks)
+        else:
+            return []
+    if len(parent_taxa) == expected_parents:
+        tags += [_make_taxonomy_model(t) for t in parent_taxa]
+    if expected_parents > len(parent_taxa):
+        for r in ranks[:expected_parents]:
+            previous_parent = tags[-1].id if len(tags) > 0 else None
+            try:
+                parent_taxon = next(t for t in parent_taxa if t['rank'] == r)
+                parent = _make_taxonomy_model(parent_taxon)
+            except StopIteration:
+                # try and find an existing child
+                parent = Taxonomy.query.filter(
+                    and_(Taxonomy.parent_id == previous_parent, Taxonomy.gbif == False)
+                ).first()
+                if not parent:
+                    # create a new item with a very large id
+                    current_max = (
+                        Taxonomy.query.filter(
+                            and_(Taxonomy.id >= 1000000000, Taxonomy.gbif == False)
+                        )
+                        .order_by(Taxonomy.id.desc())
+                        .first()
+                    )
+                    if current_max:
+                        new_id = (
+                            current_max.id + 1
+                            if previous_parent < current_max.id
+                            else previous_parent + 1
+                        )
+                    else:
+                        new_id = 1000000000
+                    parent = _make_taxonomy_model(
+                        {'key': new_id, 'canonicalName': f'Unknown {r.lower()}'}, False
+                    )
+            parent.parent_id = previous_parent
+            tags.append(parent)
+
+    tags.append(_make_taxonomy_model(taxon))
+
+    return tags
 
 
 def validate_id(gbif_type, gbif_id):
diff --git a/api/phenome10k/models/taxonomy.py b/api/phenome10k/models/taxonomy.py
index 61c726f..e77a640 100644
--- a/api/phenome10k/models/taxonomy.py
+++ b/api/phenome10k/models/taxonomy.py
@@ -5,6 +5,7 @@ class Taxonomy(db.Model):
     id = db.Column(db.Integer, primary_key=True)
     name = db.Column(db.String(250), nullable=False)
     parent_id = db.Column(db.Integer, db.ForeignKey('taxonomy.id'))
+    gbif = db.Column(db.Boolean, nullable=False, default=True)
 
     children = db.relationship('Taxonomy')
 
@@ -19,12 +20,9 @@ def serialize_tree(self, depth=float('inf')):
         data = self.serialize()
 
         if depth > 0:
-            if len(self.children) == 1:
-                data['children'] = self.children[0].serialize_tree(depth)['children']
-            else:
-                data['children'] = [
-                    child.serialize_tree(depth - 1) for child in self.children
-                ]
+            data['children'] = [
+                child.serialize_tree(depth - 1) for child in self.children
+            ]
         else:
             data['children'] = []
         return data

From be79af3acea2cadba78289f046a673ee31941395 Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 11:06:21 +0100
Subject: [PATCH 3/9] build: add root mysql config earlier

---
 ansible/roles/mysql/tasks/main.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ansible/roles/mysql/tasks/main.yml b/ansible/roles/mysql/tasks/main.yml
index e846aaf..740540c 100644
--- a/ansible/roles/mysql/tasks/main.yml
+++ b/ansible/roles/mysql/tasks/main.yml
@@ -20,6 +20,15 @@
       - cryptography<3.4
   become: true
 
+- name: Create root my.cnf
+  template:
+    src: my.cnf.root.j2
+    dest: /etc/mysql/conf.d/root.cnf
+    owner: root
+    group: root
+    mode: '0600'
+  become: true
+
 - name: Enable the service
   service:
     name: mysqld
@@ -29,6 +38,7 @@
 
 - name: set db root user password
   mysql_user:
+    login_password: '{{ mysql_root_password }}'
     name: root
     password: '{{ mysql_root_password }}'
     host: localhost
@@ -62,16 +72,6 @@
   notify:
     - restart mysql
 
-  # not sure if this actually does anything
-- name: Create root my.cnf
-  template:
-    src: my.cnf.root.j2
-    dest: /etc/mysql/conf.d/root.cnf
-    owner: root
-    group: root
-    mode: '0600'
-  become: true
-
 - name: Create backup script
   template:
     src: backup-db.j2

From 7bbffb13286036e3a6f039b8e2344f67f3ca49e6 Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 11:33:28 +0100
Subject: [PATCH 4/9] chore: fix versions

v2.0.0 mistakenly released as v1.0.1 so I'm now having to do git crimes to fix it
---
 .cz.toml           | 2 +-
 CHANGELOG.md       | 2 +-
 api/pyproject.toml | 2 +-
 web/package.json   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.cz.toml b/.cz.toml
index 479bcbf..83fa136 100644
--- a/.cz.toml
+++ b/.cz.toml
@@ -1,6 +1,6 @@
 [tool.commitizen]
 name = "cz_nhm"
-version = "1.0.1"
+version = "2.0.0"
 tag_format = "v$version"
 update_changelog_on_bump = true
 changelog_incremental = true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3b11fe..a5c5b1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## v1.0.1 (2024-04-04)
+## v2.0.0 (2024-04-04)
 
 ### Fix
 
diff --git a/api/pyproject.toml b/api/pyproject.toml
index c28af26..dad2698 100644
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "phenome10k"
-version = "1.0.1"
+version = "2.0.0"
 description = "Hosting of 3D biological models for the academic and educational community."
 requires-python = ">=3.8"
 license = { text = "GPL-3.0-or-later" }
diff --git a/web/package.json b/web/package.json
index 6f70d7d..d54716b 100644
--- a/web/package.json
+++ b/web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "phenome-10k",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "description": "Hosting of 3D biological models for the academic and educational community.",
   "main": "index.js",
   "author": "Paul Kiddle <p.kiddle@nhm.ac.uk>",

From 3c99090820491c2056a9126132009e4b3164c8dc Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 16:19:01 +0100
Subject: [PATCH 5/9] build: align nginx configs

---
 .../nginx/templates/phenome10k.org.conf.j2    | 29 +++++++++++++------
 .../templates/phenome10k.org.ssl.conf.j2      | 10 +++----
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/ansible/roles/nginx/templates/phenome10k.org.conf.j2 b/ansible/roles/nginx/templates/phenome10k.org.conf.j2
index ee333aa..4e69a55 100644
--- a/ansible/roles/nginx/templates/phenome10k.org.conf.j2
+++ b/ansible/roles/nginx/templates/phenome10k.org.conf.j2
@@ -2,12 +2,29 @@ upstream phenome10k {
 {% for server in app_servers %}  server {{ server }}:{{ gunicorn_port }};{% endfor %}
 }
 
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ monit_hostname }};
+
+    location / {
+      proxy_pass http://localhost:8080/;
+      proxy_set_header Host $http_host;
+    }
+}
+
 server {
     listen       80 default_server;
     listen       [::]:80 default_server;
     server_name  _;
+    access_log   /var/log/nginx/p10k.log;
 
     location / {
+      # if the maintenance page exists, return service unavailable
+      if (-f /usr/share/nginx/html/maintenance.html) {
+        return 503;
+      }
+
       proxy_pass http://phenome10k;
       proxy_connect_timeout 10s;
       proxy_read_timeout 10s;
@@ -18,15 +35,9 @@ server {
       # Allow large file uploads
       client_max_body_size {{ max_upload_size_mb }}M;
     }
-}
-
-server {
-    listen       80;
-    listen       [::]:80;
-    server_name  {{ monit_hostname }};
 
-    location / {
-      proxy_pass http://localhost:8080/;
-      proxy_set_header Host $http_host;
+    error_page 503 /maintenance.html;
+    location = /maintenance.html {
+      root  /usr/share/nginx/html/;
     }
 }
diff --git a/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2 b/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
index 0858126..29dca77 100644
--- a/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
+++ b/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
@@ -16,9 +16,9 @@ server {
 }
 
 server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-    server_name _;
+    listen       80 default_server;
+    listen       [::]:80 default_server;
+    server_name  _;
 
     add_header Content-Security-Policy upgrade-insecure-requests;
 
@@ -26,8 +26,8 @@ server {
 }
 
 server {
-    listen	 443 ssl http2 default_server;
-    listen	 [::]:443 ssl http2 default_server;
+    listen	     443 ssl http2 default_server;
+    listen       [::]:443 ssl http2 default_server;
     server_name  _;
     access_log   /var/log/nginx/p10k.log;
 

From 836a501e79795c524817b0f0db8476358f3ccf5b Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 16:20:27 +0100
Subject: [PATCH 6/9] build: add .well-known folder

---
 .../files/.well-known/disclosure-policy.md    | 62 +++++++++++++++++++
 ansible/roles/nginx/tasks/main.yml            | 11 +++-
 .../nginx/templates/phenome10k.org.conf.j2    |  4 ++
 .../templates/phenome10k.org.ssl.conf.j2      |  4 ++
 4 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/nginx/files/.well-known/disclosure-policy.md

diff --git a/ansible/roles/nginx/files/.well-known/disclosure-policy.md b/ansible/roles/nginx/files/.well-known/disclosure-policy.md
new file mode 100644
index 0000000..f7e4e5e
--- /dev/null
+++ b/ansible/roles/nginx/files/.well-known/disclosure-policy.md
@@ -0,0 +1,62 @@
+# Introduction
+
+This policy applies to any vulnerabilities you are considering reporting to The Natural History Museum provided the vulnerable website has a published security.txt file that references this policy.
+
+Please read this vulnerability disclosure policy fully before you report a vulnerability and always act in compliance with it.
+
+We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer bug bounties for vulnerability disclosures.
+
+
+# Reporting
+
+If you believe you have found a security vulnerability relating to the Museum’s system, please submit a vulnerability report to the address defined in the Contact field of the published security.txt file.
+
+In your report please include details of:
+
+* The website, IP or page where the vulnerability can be observed.
+* A brief description of the type of vulnerability, for example; “XSS vulnerability” and its potential impact.
+* Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
+* Your name and/or handle and confirmation if you consent to be recognised in our acknowledgements.
+
+Do not include any
+
+* Personally identifiable information (PII)
+* Card holder data
+
+
+# What to expect
+
+After you have submitted your reporting
+
+* We will respond to your report within 5 working days.
+* We will aim to work with you understand and resolve the issue, and keep you informed of progress.
+* Keep information about any vulnerabilities you have discovered confidential between yourself and the Museum until we have had 90 days to resolve the issue.
+* We will recognise your contribution on our Disclosure Acknowledgements page if you give consent, are the first to report the issue, and we make a code or configuration change based on the issue.
+
+
+# Guidance
+
+You must NOT:
+* Break any applicable law or regulations.
+* Access unnecessary, excessive or significant amounts of data.
+* Modify or destroy data in the Museum's systems or services.
+* Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
+* Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
+* Disrupt the Museum's services or systems.
+* Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice", for example missing security headers.
+* Submit reports detailing TLS configuration weaknesses, for example "weak" cipher suite support or the presence of TLS1.0 support.
+* Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
+* Social engineer, ‘phish’ or physically test the Museum's staff or infrastructure.
+* Demand financial compensation in order to disclose any vulnerabilities.
+
+
+You must:
+* Always comply with data protection rules and must not violate the privacy of any data the Museum holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
+* Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
+
+
+# Legalities
+
+This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Museum or partner organisations to be in breach of any legal obligations.
+
+This text is a derivative of the UK government vulnerability disclosure policy https://github.com/ukncsc/Vulnerability-Disclosure/blob/master/UK-Government-Vulnerability-Disclosure-Policy.md and the "Open Source Responsible Disclosure Framework" by Bugcrowd, used under the CC BY licence: https://github.com/bugcrowd/disclosure-policy.
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index 515dcd0..c26c083 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -8,8 +8,15 @@
   template:
     src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-  notify:
-    - restart nginx
+  notify: restart nginx
+  become: true
+
+- name: Copy .well-known
+  copy:
+    src: .well-known
+    dest: /var/www/
+    mode: 0644
+  notify: restart nginx
   become: true
 
 - name: Copy nginx non-ssl config
diff --git a/ansible/roles/nginx/templates/phenome10k.org.conf.j2 b/ansible/roles/nginx/templates/phenome10k.org.conf.j2
index 4e69a55..e2d0ceb 100644
--- a/ansible/roles/nginx/templates/phenome10k.org.conf.j2
+++ b/ansible/roles/nginx/templates/phenome10k.org.conf.j2
@@ -19,6 +19,10 @@ server {
     server_name  _;
     access_log   /var/log/nginx/p10k.log;
 
+    location ^~ /.well-known {
+        root /var/www/;
+    }
+
     location / {
       # if the maintenance page exists, return service unavailable
       if (-f /usr/share/nginx/html/maintenance.html) {
diff --git a/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2 b/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
index 29dca77..47e0eec 100644
--- a/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
+++ b/ansible/roles/nginx/templates/phenome10k.org.ssl.conf.j2
@@ -38,6 +38,10 @@ server {
 
     add_header Content-Security-Policy upgrade-insecure-requests;
 
+    location ^~ /.well-known {
+        root /var/www/;
+    }
+
     location / {
       # if the maintenance page exists, return service unavailable
       if (-f /usr/share/nginx/html/maintenance.html) {

From 94f0a9f6cca2f45885d36aba24fedf98e05edd84 Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 16:21:04 +0100
Subject: [PATCH 7/9] build: add maintenance page

---
 ansible/roles/nginx/files/maintenance.html | 103 +++++++++++++++++++++
 ansible/roles/nginx/tasks/main.yml         |   9 ++
 2 files changed, 112 insertions(+)
 create mode 100644 ansible/roles/nginx/files/maintenance.html

diff --git a/ansible/roles/nginx/files/maintenance.html b/ansible/roles/nginx/files/maintenance.html
new file mode 100644
index 0000000..b27cf1c
--- /dev/null
+++ b/ansible/roles/nginx/files/maintenance.html
@@ -0,0 +1,103 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>Phenome10k - Maintenance</title>
+    <link rel="icon" type="image/png" sizes="32x32" href="https://github.com/NaturalHistoryMuseum/phenome-10k/raw/main/static/icons/favicon-32x32.png">
+    <link rel="shortcut icon" href="https://github.com/NaturalHistoryMuseum/phenome-10k/raw/main/static/icons/favicon.ico">
+    <style>
+    @import url("https://fonts.googleapis.com/css2?family=Red+Hat+Text");
+    body {
+      font-family: "Red Hat Text", "Helvetica", Arial, sans-serif;
+      font-size: 15px;
+      line-height: 1.7em;
+      margin: 0;
+      padding: 0;
+      text-align: center;
+    }
+    .main {
+      display: grid;
+      grid-template-columns: 300px;
+      justify-content: center;
+      align-content: center;
+      position: absolute;
+      top: 0;
+      bottom: 0;
+      left: 0;
+      right: 0;
+    }
+    .main > * {
+      width: 100%;
+      padding: 10px;
+    }
+    path {
+      fill-opacity:1;
+    }
+    .outline {
+      display:inline;
+      fill:#ffffff;
+      stroke:#000000;
+      stroke-width:1;
+      stroke-linecap:round;
+      stroke-linejoin:round;
+      stroke-miterlimit:4;
+      stroke-opacity:1;
+      stroke-dasharray: 3;
+      animation: draw 10s linear infinite;
+    }
+    @keyframes draw {
+      from {
+        stroke-dashoffset: 100;
+      }
+      to {
+        stroke-dashoffset: 0;
+      }
+    }
+
+    .eye, .dashes > path {
+      display:inline;
+      fill:#555;
+      stroke-width:0.07;
+      animation: fade 5s linear infinite;
+    }
+    .nose {
+      fill:#555;
+      stroke:#555;
+      stroke-width:0.264583px;
+      stroke-linecap:butt;
+      stroke-linejoin:miter;
+      animation: fade 5s linear infinite;
+    }
+    @keyframes fade {
+      0% {
+        fill: #333;
+        stroke: #333;
+      }
+      50% {
+        fill: #666;
+        stroke: #666;
+      }
+      100% {
+        fill: #333;
+        stroke: #333;
+      }
+    }
+    </style>
+</head>
+<body>
+    <div class='main'>
+      <svg viewBox="0 0 105 82" xmlns="http://www.w3.org/2000/svg">
+        <g transform="translate(-50,-109)">
+          <path class="outline" d="m 56.590629,162.09785 c 0.665795,-1.77619 1.552429,-3.11358 3.449575,-5.6639 3.398008,-4.0535 6.794751,-8.35065 10.524576,-11.98388 9.862085,-9.28321 14.708531,-20.87079 19.643714,-26.4378 7.13548,-7.09028 15.944106,-7.65508 29.759286,-7.57663 4.43193,0.16051 17.74455,5.63062 23.59299,14.79224 4.58877,8.00645 4.93188,18.94438 9.02429,28.51952 0.34314,1.81071 0.056,3.65392 -2.23183,4.67686 -2.42177,1.15715 -3.41629,-0.0739 -5.47906,-0.0677 -3.8088,0.21315 -12.45992,9.47099 -21.87035,12.08698 -20.85783,6.47046 -45.394763,19.0631 -50.714744,19.34536 -3.787554,0.0295 -11.52585,-2.61633 -16.260459,-3.85561 -3.343356,-1.13295 -4.743577,-1.40135 -4.239742,-7.35245 0.572005,-3.45983 3.601151,-8.53599 5.401726,-12.80398 -0.446253,-0.61248 -0.998556,-2.24316 -0.599972,-3.67901 z"/>
+          <path class="eye" d="m 109.71952,168.48113 c -4.20909,-1.45973 -7.18077,-2.82716 -8.95454,-7.08245 -1.502074,-4.05126 -0.68007,-8.68131 -2.980934,-12.51754 -1.49547,-2.24815 -3.39171,-5.49801 -3.10392,-8.10468 0.3458,-3.59613 2.04113,-6.84089 5.18508,-9.49369 8.019634,-5.37118 17.337824,-2.18502 24.650484,1.96397 4.08404,2.56605 7.73088,6.91426 9.04823,10.61049 0.83936,2.37094 1.61702,9.57512 0.0872,13.21315 -2.66622,5.77553 -8.60818,8.68665 -11.35269,9.85955 -3.65724,1.35544 -8.32118,2.16809 -12.5789,1.5512 z"/>
+          <path class="nose" d="m 55.851842,163.93943 c 2.897436,0.1366 6.878314,-2.35606 9.140326,-1.99735 2.623618,0.90315 3.339945,7.04892 3.230402,9.20928 -0.227464,3.43673 -4.939213,9.30855 -6.591159,9.64969 -4.268348,-1.45481 -6.86042,-2.5843 -9.842536,-2.22022 0.352768,-3.68552 5.790195,-11.03333 5.401726,-12.80398 -0.329808,-0.9697 -0.88626,-0.90875 -1.338759,-1.83742 z"/>
+          <g class="dashes">
+            <path d="m 68.129529,152.974 c 4.030647,-3.65007 7.825898,-7.82542 11.321844,-12.09285 2.318256,-1.60515 -1.481095,4.65688 -2.460035,5.29841 -2.81745,2.11804 -5.507367,6.20493 -8.861809,6.79444 z m 13.986289,-15.46812 c 0.380709,-2.89198 1.592744,0.71741 0,0 z m 2.586749,-4.82675 c 1.863389,-2.88014 1.03337,1.61144 0,0 z m 2.334501,-3.40401 c 1.005337,-2.1322 3.515759,-3.35601 0.968586,-0.30671 -0.167791,0.0486 -0.771104,0.82146 -0.968586,0.30671 z m 2.566389,-3.50351 c 3.484303,-4.98218 7.765335,-9.81253 13.251623,-12.62675 0.98722,1.22512 -4.807812,3.57714 -5.967742,5.74948 -2.652318,1.47412 -4.932653,7.13949 -7.283881,6.87727 z"/>
+            <path d="m 59.178158,160.04755 c 1.181066,-1.92105 7.64374,-6.27923 3.619354,-1.8096 -1.200672,1.57628 -4.91062,4.93304 -5.542429,6.06987"/>
+          </g>
+        </g>
+      </svg>
+      <p>Phenome10k is temporarily down for maintenance. Check back later!</p>
+    </div>
+</body>
+</html>
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index c26c083..d635fb8 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -11,6 +11,15 @@
   notify: restart nginx
   become: true
 
+- name: Copy maintenance file
+  copy:
+    src: maintenance.html
+    dest: /usr/share/nginx/html/maintenance.html.off
+    owner: root
+    group: root
+  notify: restart nginx
+  become: true
+
 - name: Copy .well-known
   copy:
     src: .well-known

From 33e39f2a1c7fa8e235aa168a82c6a1d4431285c8 Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 16:21:21 +0100
Subject: [PATCH 8/9] build: update virtual ip

---
 ansible/group_vars/production/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/group_vars/production/main.yml b/ansible/group_vars/production/main.yml
index 59bb894..328ee7a 100644
--- a/ansible/group_vars/production/main.yml
+++ b/ansible/group_vars/production/main.yml
@@ -19,7 +19,7 @@ trusted_networks:
   - 127.0.0.0/16
 
 # keepalived
-virtual_ip: 157.140.2.106
+virtual_ip: 157.140.2.191
 vrrp_interface: ens160
 vrrp_password: "{{ lookup('hashi_vault', 'secret=phenome10k/vrrp:password url=https://man-vault-2.nhm.ac.uk:8200')}}"
 

From 3b5aef99df5196364b0a7b75144689bff0217e9b Mon Sep 17 00:00:00 2001
From: Ginger Butcher <alycejenni@gmail.com>
Date: Tue, 9 Apr 2024 16:39:24 +0100
Subject: [PATCH 9/9] build: add letsencrypt tasks

this is very likely to change
---
 ansible/roles/nginx/tasks/letsencrypt.yml | 36 +++++++++++++++++++++++
 ansible/roles/nginx/tasks/main.yml        | 14 +++++++--
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/nginx/tasks/letsencrypt.yml

diff --git a/ansible/roles/nginx/tasks/letsencrypt.yml b/ansible/roles/nginx/tasks/letsencrypt.yml
new file mode 100644
index 0000000..3fbc73a
--- /dev/null
+++ b/ansible/roles/nginx/tasks/letsencrypt.yml
@@ -0,0 +1,36 @@
+---
+- name: Install certbot
+  snap:
+    name: certbot
+    state: present
+    classic: true
+  become: true
+
+- name: Link certbot snap executable to bin
+  file:
+    src: /snap/bin/certbot
+    dest: /usr/bin/certbot
+    state: link
+  become: true
+
+- name: Check for account
+  shell: 'certbot show_account'
+  become: true
+  register: cert_account
+  ignore_errors: true
+
+- name: Register certbot
+  shell: 'certbot -n register --agree-tos -m {{ sysadmin_email }}'
+  become: true
+  when: cert_account is failed
+
+- name: Check if certificates dir exists
+  stat:
+    path: '{{ letsencrypt_dir }}'
+  register: certdir
+
+- debug:
+    msg: |
+      Once the server is accessible over http, log on and run: certbot --nginx
+      Then run this playbook again.
+  when: certdir.stat.islnk is not defined
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index d635fb8..345fa4d 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -28,6 +28,11 @@
   notify: restart nginx
   become: true
 
+- name: Check if certificates dir exists
+  stat:
+    path: '{{ letsencrypt_dir }}'
+  register: certdir
+
 - name: Copy nginx non-ssl config
   template:
     src: phenome10k.org.conf.j2
@@ -35,7 +40,12 @@
   notify:
     - restart nginx
   become: true
-  when: not use_ssl
+  when: (not use_ssl) or (not certdir.stat.islnk is defined)
+
+- import_tasks: letsencrypt.yml
+  tags:
+    - letsencrypt
+  when: use_ssl
 
 - name: Copy nginx ssl config
   template:
@@ -44,7 +54,7 @@
   notify:
     - restart nginx
   become: true
-  when: use_ssl
+  when: use_ssl and certdir.stat.islnk is defined
 
 - name: Start nginx
   systemd: