From 74d3c1b091ea4e3059d930bdae264749981f8e3d Mon Sep 17 00:00:00 2001 From: James Graham Date: Mon, 30 Mar 2020 17:18:19 +0100 Subject: [PATCH] deploy: Use RedHat Software Collections RHSCL provides patched versions of Python and Nginx
---
.gitignore | 3 +- Makefile | 4 +-- roles/database/tasks/main.yml | 1 + roles/webserver/defaults/main.yml | 2 +- roles/webserver/tasks/main.yml | 40 ++++++++++++++-------- roles/webserver/templates/uwsgi-service.j2 | 4 +-- 6 files changed, 34 insertions(+), 20 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5a7cc0c..0d631fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ deployment-key deployment-key.pub # Deployment +/.dbbackup/ .vagrant/ staging.yml -/.dbbackup/ +production.yml
diff --git a/Makefile b/Makefile
index adc709c..4187306 100644
--- a/Makefile
+++ b/Makefile
@@ -9,8 +9,8 @@ lint: .PHONY: staging staging: - ansible-playbook -v -i staging.yml playbook.yml -u jag1e17 -K + env ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook -v -i staging.yml playbook.yml -u jag1e17 -K .PHONY: production production: - ansible-playbook -v -i production.yml playbook.yml -u jag1e17 -K + env ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook -v -i production.yml playbook.yml -u jag1e17 -K
diff --git a/roles/database/tasks/main.yml b/roles/database/tasks/main.yml
index 24c5fff..6bc72b9 100644
--- a/roles/database/tasks/main.yml
+++ b/roles/database/tasks/main.yml
@@ -22,6 +22,7 @@ name: mariadb state: restarted enabled: yes + daemon_reload: yes - name: Create database mysql_db:
diff --git a/roles/webserver/defaults/main.yml b/roles/webserver/defaults/main.yml
index cfb895e..5d9fbcf 100644
--- a/roles/webserver/defaults/main.yml
+++ b/roles/webserver/defaults/main.yml
@@ -5,7 +5,7 @@ deploy_mode_dict: 3: Development deploy_mode: 3 -secret_key: '{{ lookup("password", "/tmp/secretkeyfile") }}' +secret_key: '{{ lookup("password", "/dev/null") }}' project_name: 'breccia-mapper' project_full_name: 'breccia_mapper'
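Review bot: In roles/webserver/defaults/main.yml, `lookup("password", "/dev/null")` persists nothing, so `secret_key` is regenerated on every playbook run and, because Ansible evaluates the variable lazily, possibly on each reference within a single run. Moving the key out of the predictable `/tmp/secretkeyfile` path is the right direction, but a rotating key invalidates sessions and signed tokens on each deploy, and two templates that use the variable may receive different values. For staging and production I would supply `secret_key` from an ansible-vault encrypted variable and keep the `/dev/null` default for development only. The lookup's default of 20 characters is also short if the value feeds a Django-style secret key (inferred from the variable name); `lookup("password", "/dev/null length=50")` lengthens it.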
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
index 74c6ab5..cc1504c 100644
--- a/roles/webserver/tasks/main.yml
+++ b/roles/webserver/tasks/main.yml
@@ -12,6 +12,17 @@ name: '*' state: latest +- name: Enable RedHat Software Collections - RHEL + rhsm_repository: + name: rhel-server-rhscl-7-rpms + when: ansible_distribution == "RedHat" + +- name: Enable RedHat Software Collections - CentOS + yum: + name: centos-release-scl + state: latest + when: ansible_distribution == "CentOS" + - name: Install system prerequisites yum: name: '{{ packages }}'
@@ -20,12 +31,8 @@ packages: - gcc - git - - nginx - - python36 - - python36-devel - - python36-pip - - python36-setuptools - - python36-virtualenv + - rh-nginx114 + - rh-python36 - policycoreutils-python - python - python-setuptools
@@ -86,11 +93,15 @@ group: '{{ web_group }}' recurse: yes +- name: Create venv + shell: | + source scl_source enable rh-python36 + python3 -m venv {{ venv_dir }} + - name: Install pip requirements pip: requirements: '{{ project_dir }}/requirements.txt' virtualenv: '{{ venv_dir }}' - virtualenv_command: virtualenv-3 - name: Create static directory file:
@@ -124,10 +135,9 @@ when: deploy_mode > 1 - name: Install uWSGI - pip: - name: uwsgi - state: latest - executable: pip3 + shell: | + source scl_source enable rh-python36 + pip3 install uwsgi - name: Setup uWSGI config file:
@@ -145,6 +155,7 @@ name: uwsgi state: started enabled: yes + daemon_reload: yes - name: Copy web config files template:
@@ -189,7 +200,7 @@ - name: Copy Nginx site template: src: nginx-site-ssl.j2 - dest: '/etc/nginx/conf.d/{{ project_name }}-ssl.conf' + dest: '/etc/opt/rh/rh-nginx114/nginx/conf.d/{{ project_name }}-ssl.conf' owner: '{{ web_user }}' group: '{{ web_group }}'
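Review bot: The new `Create venv` task in the `@@ -86,11 +93,15 @@` hunk of roles/webserver/tasks/main.yml interpolates `{{ venv_dir }}` into the shell script unquoted, has no `creates:` guard, and relies on `source`, which only works where the default `/bin/sh` is bash. A path containing whitespace or shell metacharacters would be split or interpreted by the shell, and without `creates:` the task runs and reports changed on every play. The `Install uWSGI` task in the `@@ -124,10 +135,9 @@` hunk uses the same `shell:` pattern and needs the same `executable` setting. If `venv_dir` lies under the directory that the preceding task chowns recursively (not visible in this hunk), the venv is created afterwards and keeps the ownership of the become user.

```yaml
- name: Create venv
  shell: |
    # … unchanged: source scl_source enable rh-python36 …
    python3 -m venv {{ venv_dir | quote }}
  args:
    executable: /bin/bash
    creates: '{{ venv_dir }}/bin/activate'
```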
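Review bot: `pip3 install uwsgi` in the `Install uWSGI` task (`@@ -124,10 +135,9 @@` hunk) installs whatever version the package index serves on the first run, as the become user, into the collection's Python rather than the venv, and never upgrades it afterwards. The removed `pip:` task at least tracked `latest`; the replacement is neither pinned nor updated, so the deployed uWSGI version depends on when the host was first provisioned. I would pin it, `pip3 install 'uwsgi==<pinned version>'`, and keep the pin next to the project's other requirements so that a security update is a reviewed change.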
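Review bot: Both `Copy Nginx site` tasks (this `@@ -189,7 +200,7 @@` hunk and the `@@ -198,7 +209,7 @@` hunk) write into `/etc/opt/rh/rh-nginx114/nginx/conf.d/` with `owner: '{{ web_user }}'` and `group: '{{ web_group }}'` carried over unchanged. If `web_user` is the account the application runs as (not visible here), a compromise of the application can rewrite configuration that Nginx loads on its next reload. Since these tasks are being touched anyway, I would set `owner: root`, `group: root` and an explicit `mode: '0644'` on both. The tasks continue past the end of the hunks, so a `mode` may already be set there.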
@@ -198,7 +209,7 @@ - name: Copy Nginx site template: src: nginx-site.j2 - dest: '/etc/nginx/conf.d/{{ project_name }}.conf' + dest: '/etc/opt/rh/rh-nginx114/nginx/conf.d/{{ project_name }}.conf' owner: '{{ web_user }}' group: '{{ web_group }}'
@@ -207,9 +218,10 @@ name: "{{ item }}" state: restarted enabled: yes + daemon_reload: yes with_items: - uwsgi - - nginx + - rh-nginx114-nginx - name: Open webserver ports on firewall firewalld:
diff --git a/roles/webserver/templates/uwsgi-service.j2 b/roles/webserver/templates/uwsgi-service.j2
index fffb99c..97f5738 100644
--- a/roles/webserver/templates/uwsgi-service.j2
+++ b/roles/webserver/templates/uwsgi-service.j2
@@ -2,8 +2,8 @@ Description=uWSGI Emperor Service [Service] -ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown {{ web_user }}:{{ web_group }} /run/uwsgi' -ExecStart=/usr/local/bin/uwsgi --emperor /etc/uwsgi/sites +ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown {{ web_user }}:{{ web_group }} /run/uwsgi; source scl_source rh-python36' +ExecStart=/bin/scl enable rh-python36 "uwsgi --emperor /etc/uwsgi/sites" Restart=always KillSignal=SIGQUIT Type=notify
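Review bot: The `with_items` list in the `@@ -207,9 +218,10 @@` hunk swaps `nginx` for `rh-nginx114-nginx`, but nothing in this patch stops or removes the distribution `nginx` on hosts that were provisioned before it. On such a host the old unit would stay enabled and keep the listening ports, so the collection's Nginx either fails to bind or never serves traffic, and the build the commit set out to replace stays exposed. A `yum` task with `state: absent` for `nginx` and the dropped `python36*` packages, placed before this restart, would close that gap; the old `/etc/nginx/conf.d/{{ project_name }}*.conf` files can be cleaned up with a `file` task using `state: absent`. The restart task begins above the hunk, so its module line is not visible here.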
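Review bot: The `source scl_source rh-python36` appended to `ExecStartPre` in roles/webserver/templates/uwsgi-service.j2 has no effect on `ExecStart`, because systemd runs each command in its own process, and it omits the `enable` action used in the playbook's `shell:` tasks; as the last command of the `bash -c` string, its exit status also becomes the status of the whole pre-start step. I would restore the line to `ExecStartPre=/bin/bash -c 'mkdir -p /run/uwsgi; chown {{ web_user }}:{{ web_group }} /run/uwsgi'`. `ExecStart` now resolves `uwsgi` through the PATH that `scl enable` sets up rather than by absolute path, and with `Type=notify` the readiness message comes from a child of `scl`, which systemd may ignore unless `NotifyAccess=` permits it (to be confirmed on a test host). No `User=` is visible in this hunk, so the emperor presumably runs as root; the rest of the unit lies outside the hunk.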