OpenTermsArchive · Ndpnt · May 31, 2024 · May 6, 2024 · May 6, 2024 · May 6, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,32 @@
 
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## Unreleased [major]
+
+_Full changeset and discussions: [#41](https://github.com/OpenTermsArchive/deployment/pull/41)._
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Changed
+
+- **Breaking:** Replace all playbooks with a single `deploy` playbook; update your scripts by using `ansible-playbook opentermsarchive.deployment.deploy` and use [tags to refine execution](./README.md#refining-playbook-execution)
+- **Breaking:** Change the `federation-api` deployment process to be a dependency of the source repository
+- **Breaking:** Require `engine>=2` and `federation-api>=v2`
+- **Breaking:** Make `ota_source_repository` variable mandatory
+- **Breaking:** Define environment variables in a `.env` file instead of in inventory variables; move `ota_engine_github_token`, `ota_engine_smtp_password`, `ota_engine_sendinblue_api_key`, and `ota_federated_api_smtp_password` to a `.env` file placed next to the inventory file and rename them according to the new naming conventions in `engine` v2 and `federation-api` v2
+- **Breaking:** Rename `ota_engine_declarations_branch` to `ota_source_repository_branch`
+- **Breaking:** Rename `ota_engine_declarations_directory` to `ota_directory`
+- **Breaking:** Extract the PM2 config file `pm2.config.cjs`; provide this file next to the inventory file
+- **Breaking:** Remove the `ota_engine_restart_delay` variable; define this setting directly in the `pm2.config.cjs`
+- **Breaking:** Remove the `ota_engine_github_bot_private_key` variable in favor of the `github-bot-private-key` file; define the GitHub SSH private key in the `github-bot-private-key`
+
+### Removed
+
+- **Breaking:** Remove `ota_reverse_proxy_federated_api_path` config; define this path in your `config/production.json` under the key `@opentermsarchive/federation-api: { basePath: "" }`
+- **Breaking:** Remove `ota_reverse_proxy_engine_path` config; define this path in your `config/production.json` under the key `@opentermsarchive/engine: { collection-api: { basePath: "" } }`
+- **Breaking:** Remove obsolete `ota_engine_config_path`, `ota_federated_api_branch`, `ota_federated_api_directory`, and `ota_federated_api_repo` configs
+- **Breaking:** Remove obsolete `update-declarations` tag
+
 
 ## 1.2.1 - 2024-05-22
 

diff --git a/README.md b/README.md
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
@@ -0,0 +1,108 @@
+---
+- name: Deploy Open Terms Archive applications
+  hosts: all
+  tasks:
+    - name: Load OTA applications configs
+      ansible.builtin.include_role:
+        name: ota/apps
+        public: true # ensure that the role's variables and defaults are accessible to the play
+      vars:
+        ota_apps_read_config_only: true
+
+    - name: Set required variables
+      set_fact:
+        chromium_required: "{{ ota_apps_config['@opentermsarchive/engine'] is defined }}"
+        # Skip Debian 11 with ARM architecture as it is not currently supported by MongoDB; see https://www.mongodb.com/docs/manual/installation/#supported-platforms
+        mongo_required:
+          "{{ 
+            (ansible_distribution != 'Debian' or (ansible_distribution == 'Debian' and ansible_facts['architecture'] != 'aarch64')) 
+            and (
+              (ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.type is defined and ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.type == 'mongo') 
+              or
+              (ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.type is defined and ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.type == 'mongo')
+            ) | bool 
+          }}"
+
+        snapshots_repository: "{{ ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.git.repository is defined and ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.git.repository }}"
+        snapshots_path: "{{ ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.git.path is defined and ota_apps_config['@opentermsarchive/engine'].recorder.snapshots.storage.git.path }}"
+
+        versions_repository: "{{ ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.git.repository is defined and ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.git.repository }}"
+        versions_path: "{{ ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.git.path is defined and ota_apps_config['@opentermsarchive/engine'].recorder.versions.storage.git.path }}"
+
+        collection_api_basePath: "{{ ota_apps_config['@opentermsarchive/engine']['collection-api'].basePath is defined and ota_apps_config['@opentermsarchive/engine']['collection-api'].basePath }}"
+        collection_api_port: "{{ ota_apps_config['@opentermsarchive/engine']['collection-api'].port is defined and ota_apps_config['@opentermsarchive/engine']['collection-api'].port }}"
+
+        federation_api_basePath: "{{ ota_apps_config['@opentermsarchive/federation-api'].basePath is defined and ota_apps_config['@opentermsarchive/federation-api'].basePath }}"
+        federation_api_port: "{{ ota_apps_config['@opentermsarchive/federation-api'].port is defined and ota_apps_config['@opentermsarchive/federation-api'].port }}"
+
+    - name: Install infrastructure
+      become: true
+      tags: [infrastructure]
+      block:
+        - name: Install Node
+          ansible.builtin.include_role:
+            name: node
+
+        - name: Install PM2
+          ansible.builtin.include_role:
+            name: pm2/install
+
+        - name: Install Chromium
+          ansible.builtin.include_role:
+            name: chromium
+          when: chromium_required
+
+        - name: Install Nginx 
+          ansible.builtin.include_role:
+            name: nginx/install
+
+        - name: Install Mongo
+          ansible.builtin.include_role:
+            name: mongo/install
+          when:
+            - mongo_required
+
+    - name: Configure Mongo
+      ansible.builtin.include_role:
+        name: mongo/configure
+        apply:
+          become: true
+      when:
+        - mongo_required
+
+    - name: Setup Git-based versions database
+      ansible.builtin.include_role:
+        name: ota/git-database
+      vars:
+        ota_git_database_repository: "{{ versions_repository }}"
+        ota_git_database_directory: "{{ versions_path }}"
+        ota_git_database_branch: main
+      when:
+        - versions_repository and versions_path
+
+    - name: Setup Git-based snapshots database
+      ansible.builtin.include_role:
+        name: ota/git-database
+      vars:
+        ota_git_database_repository: "{{ snapshots_repository }}"
+        ota_git_database_directory: "{{ snapshots_path }}"
+        ota_git_database_branch: main
+      when:
+        - snapshots_repository and snapshots_path
+
+    - name: Setup OTA applications
+      ansible.builtin.include_role:
+        name: ota/apps
+
+    - name: Start OTA applications
+      ansible.builtin.include_role:
+        name: pm2/manage
+
+    - name: Configure NGINX
+      ansible.builtin.include_role:
+        name: nginx/configure
+        apply:
+          become: true
+      vars:
+        ota_nginx_config_template: ./templates/nginx.conf.j2
+        ota_nginx_reverse_proxy_config_template: ./templates/nginx-reverse-proxy-conf.j2
diff --git a/playbooks/engine/all.yml b/playbooks/engine/all.yml
diff --git a/playbooks/engine/application.yml b/playbooks/engine/application.yml
diff --git a/playbooks/engine/infrastructure.yml b/playbooks/engine/infrastructure.yml
diff --git a/playbooks/engine_and_federated_api/all.yml b/playbooks/engine_and_federated_api/all.yml
diff --git a/playbooks/engine_and_federated_api/application.yml b/playbooks/engine_and_federated_api/application.yml
diff --git a/playbooks/engine_and_federated_api/infrastructure.yml b/playbooks/engine_and_federated_api/infrastructure.yml
diff --git a/playbooks/federated_api/all.yml b/playbooks/federated_api/all.yml
diff --git a/playbooks/federated_api/application.yml b/playbooks/federated_api/application.yml
diff --git a/playbooks/federated_api/infrastructure.yml b/playbooks/federated_api/infrastructure.yml
diff --git a/...and_federated_api/templates/nginx-conf.j2 → ...oks/templates/nginx-reverse-proxy-conf.j2 b/...and_federated_api/templates/nginx-conf.j2 → ...oks/templates/nginx-reverse-proxy-conf.j2
@@ -3,20 +3,22 @@
 server {
   listen 80;
   server_name {{ inventory_hostname }};
-
-  location {{ ota_reverse_proxy_engine_path }} {
+
+{% if collection_api_basePath and collection_api_port %}  
+  location {{ collection_api_basePath }} {
     # Allowing for a `burst` of up to 5 requests beyond the specified rate limit. The `nodelay` parameter ensures that excessive requests beyond the burst limit are immediately rejected with a 429 error response instead of being queued. See https://www.nginx.com/blog/rate-limiting-nginx/.
     limit_req zone=limited burst=5 nodelay;
-    rewrite ^{{ ota_reverse_proxy_engine_path }}/(.*)$ /$1 break;
-    proxy_pass http://localhost:{{ ota_engine_app_config.api.port }};
+    proxy_pass http://localhost:{{ collection_api_port }};
     proxy_redirect off;
   }
+{% endif %}
 
-  location {{ ota_reverse_proxy_federated_api_path }} {
+{% if federation_api_basePath and federation_api_port %}
+  location {{ federation_api_basePath }} {
     # Allowing for a `burst` of up to 5 requests beyond the specified rate limit. The `nodelay` parameter ensures that excessive requests beyond the burst limit are immediately rejected with a 429 error response instead of being queued. See https://www.nginx.com/blog/rate-limiting-nginx/.
     limit_req zone=limited burst=5 nodelay;
-    rewrite ^{{ ota_reverse_proxy_federated_api_path }}/(.*)$ /$1 break;
-    proxy_pass http://localhost:{{ ota_federated_api_app_config.port }};
+    proxy_pass http://localhost:{{ federation_api_port }};
     proxy_redirect off;
   }
+{% endif %}
 }
diff --git a/...rastructure/nginx/templates/nginx.conf.j2 → playbooks/templates/nginx.conf.j2 b/...rastructure/nginx/templates/nginx.conf.j2 → playbooks/templates/nginx.conf.j2
diff --git a/roles/chromium/meta/main.yml b/roles/chromium/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }
diff --git a/roles/infrastructure/chromium/tasks/main.yml → roles/chromium/tasks/main.yml b/roles/infrastructure/chromium/tasks/main.yml → roles/chromium/tasks/main.yml
@@ -15,7 +15,7 @@
     state: latest
   when: ansible_distribution == 'Ubuntu'
 
-  # See https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#recommended-enable-user-namespace-cloning
+# See https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#recommended-enable-user-namespace-cloning
 - name: Enable user namespace cloning to allow running Chromium in a sandbox
   ansible.builtin.command: sysctl -w kernel.unprivileged_userns_clone=1
   when: ansible_facts['architecture'] != 'aarch64'
diff --git a/roles/infrastructure/common/tasks/main.yml → roles/common/tasks/main.yml b/roles/infrastructure/common/tasks/main.yml → roles/common/tasks/main.yml
@@ -10,3 +10,4 @@
       - zip
     update_cache: true
     state: latest
+  become: true
diff --git a/roles/engine/README.md b/roles/engine/README.md
diff --git a/roles/engine/defaults/main.yml b/roles/engine/defaults/main.yml
diff --git a/roles/engine/handlers/main.yml b/roles/engine/handlers/main.yml
diff --git a/roles/engine/tasks/database.yml b/roles/engine/tasks/database.yml