Merge pull request #111 from YPCrumble/replace_env_vars_with_group_vars

Use group_vars rather than env_vars for playbook variables.
jcalazan · Jul 5, 2021 · 437a815 · 437a815
2 parents 92437b3 + c20d479
commit 437a815
Show file tree

Hide file tree

Showing 14 changed files with 64 additions and 59 deletions.
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ production Django deployments:
 - RabbitMQ
 
 Default settings are stored in `roles/role_name/defaults/main.yml`.
-Environment-specific settings are in the `env_vars` directory.
+Environment-specific settings are in the `group_vars` directory.
 
 A `certbot` role is also included for automatically generating and renewing
 trusted SSL certificates with [Let's Encrypt][lets-encrypt].
@@ -58,7 +58,7 @@ sudo apt-get update
 
 ### Configuring your application
 
-The main settings to change are in the [`env_vars/base.yml`](env_vars/base.yml)
+The main settings to change are in the `group_vars/[environment_name]/vars.yml`
 file, where you can configure the location of your Git project, the project
 name, and the application name which will be used throughout the Ansible
 configuration.
@@ -230,8 +230,9 @@ The security module performs several basic server hardening tasks. Inspired by
 **Security role configuration**
 
 - Change the `server_user` from `root` to something else in `roles/base/defaults/main.yml`
-- Change the sudo password in `roles/security/defaults/main.yml`
+- Change the sudo password in `group_vars/[environment_name]/vars.yml`
 - Change variables in `./roles/security/vars/` per your desired configuration
+  by overriding them in `group_vars/[environment_name]/vars.yml`
 
 **Running the Security role**
 
@@ -251,9 +252,6 @@ Create an inventory file for the environment, for example:
 ```
 # development
 
-[all:vars]
-env=dev
-
 [webservers]
 webserver1.example.com
 webserver2.example.com
@@ -281,8 +279,6 @@ A few notes here:
   section of the inventory file.
 - The `webservers.yml` playbook will only provision servers in the
   `[webservers]` section of the inventory file.
-- An inventory var called `env` is also set which applies to `all` hosts in the
-  inventory. This is used in the playbook to determine which `env_var` file to use.
 - The `-K` flag is for adding the sudo password you created for a new sudoer in
   the Security role (if applicable)
 

diff --git a/Vagrantfile b/Vagrantfile
@@ -30,8 +30,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # For local development, uncommenting and editing the line below will enable
   # a folder in the host machine containing your local git repo to be synced to
   # the guest machine. Ensure the Ansible playbook variable "setup_git_repo" is
-  # set to "no" (in env_vars/vagrant.yml) when enabling this.
-  #config.vm.synced_folder "../../../my-cool-app", "/webapps/django_default_project/django_default_project"
+  # set to "no" (in group_vars/vagrant/vars.yml) when enabling this.
+  #config.vm.synced_folder "../../../django_default_project", "/webapps/django_default_project/django_default_project"
 
   # Ansible provisioner.
   config.vm.provision "ansible" do |ansible|

diff --git a/dbservers.yml b/dbservers.yml
@@ -1,15 +1,12 @@
 ---
 
-- name: Provision a {{ application_name }} db server
+- name: Provision application db server
   hosts: dbservers
   become: true
   become_user: root
   remote_user: "{{ server_user }}"
   vars:
     update_apt_cache: true
-  vars_files:
-    - env_vars/base.yml
-    - env_vars/{{ env }}.yml
 
   module_defaults:
     apt:

diff --git a/development b/development
@@ -1,6 +1,3 @@
-[all:vars]
-env=development
-
 [webservers]
 dev.example.com nginx_use_letsencrypt=true
 

diff --git a/env_vars/base.yml b/env_vars/base.yml
diff --git a/env_vars/development.yml → group_vars/development/vars.yml b/env_vars/development.yml → group_vars/development/vars.yml
@@ -1,10 +1,28 @@
 ---
 
+git_repo: https://github.com/YPCrumble/django-default-project
+
+project_name: django_default_project
+application_name: django_default_project
+
+# Note that this PPA doesn't guarantee timely updates in case of security issues.
+# Simply remove these two vars below if you prefer to use the official PPA and
+# default Python version that came with your Linux distro.
+#
+# More info here: https://launchpad.net/~fkrull/+archive/ubuntu/deadsnakes
+enable_deadsnakes_ppa: true
+virtualenv_python_version: python3.9
+
+
 # Git settings.
 setup_git_repo: true
 git_branch: development
 
 
+# Security settings.
+sudo_user_password: $6$rounds=656000$ca2RWJgtEqDVpOp9$0S0N3GHjOIO1PwRZ0vDyr0Z5Pi8ZcEa8.r.T.Wsx.O8RZlpTV1w0BLoEWwDb.zTkJOmP1Re.zBfQsviZaP89m0
+
+
 # Database settings.
 db_user: "{{ application_name }}"
 db_name: "{{ application_name }}"
@@ -19,6 +37,7 @@ gunicorn_num_workers: 3
 # you make a request, basically reloading the code. Very handy
 # when developing. Set to 0 for unlimited requests (default).
 gunicorn_max_requests: 0
+gunicorn_timeout_seconds: 300
 
 
 # RabbitMQ settings.
@@ -42,6 +61,8 @@ django_secret_key: "akr2icmg1n8%z^3fe3c+)5d0(t^cy-2_25rrl35a7@!scna^1#"
 
 broker_url: "amqp://{{ rabbitmq_application_user }}:{{ rabbitmq_application_password }}@localhost/{{ rabbitmq_application_vhost }}"
 
+requirements_file: "{{ project_path }}/requirements.txt"
+
 run_django_db_migrations: true
 run_django_collectstatic: true
 

diff --git a/env_vars/vagrant.yml → group_vars/vagrant/vars.yml b/env_vars/vagrant.yml → group_vars/vagrant/vars.yml
@@ -1,10 +1,28 @@
 ---
 
+git_repo: https://github.com/YPCrumble/django-default-project
+
+project_name: django_default_project
+application_name: django_default_project
+
+# Note that this PPA doesn't guarantee timely updates in case of security issues.
+# Simply remove these two vars below if you prefer to use the official PPA and
+# default Python version that came with your Linux distro.
+#
+# More info here: https://launchpad.net/~fkrull/+archive/ubuntu/deadsnakes
+enable_deadsnakes_ppa: true
+virtualenv_python_version: python3.9
+
+
 # Git settings.
 setup_git_repo: true
 git_branch: main
 
 
+# Security settings.
+sudo_user_password: $6$rounds=656000$ca2RWJgtEqDVpOp9$0S0N3GHjOIO1PwRZ0vDyr0Z5Pi8ZcEa8.r.T.Wsx.O8RZlpTV1w0BLoEWwDb.zTkJOmP1Re.zBfQsviZaP89m0
+
+
 # Database settings.
 db_user: "{{ application_name }}"
 db_name: "{{ application_name }}"
@@ -19,7 +37,6 @@ gunicorn_num_workers: 3
 # you make a request, basically reloading the code. Very handy
 # when developing. Set to 0 for unlimited requests (default).
 gunicorn_max_requests: 0
-
 gunicorn_timeout_seconds: 300
 
 
@@ -51,8 +68,6 @@ run_django_collectstatic: true
 
 
 # Nginx settings.
-nginx_strong_dh_group: false
-
 ssl_crt: |
   -----BEGIN CERTIFICATE-----
   MIIDQjCCAiqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFteS1j

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -14,9 +14,6 @@
   vars:
     update_apt_cache: true
     force_ssh_authentication: false
-  vars_files:
-    - ../../env_vars/base.yml
-    - ../../env_vars/vagrant.yml
 
   tasks:
     - name: Install Python3

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -7,10 +7,14 @@ lint: |
   yamllint .
 platforms:
   - name: instance-xenial
+    groups:
+      - vagrant
     image: ubuntu
     image_version: xenial
     privileged: true
   - name: instance-focal
+    groups:
+      - vagrant
     image: ubuntu
     image_version: focal
     privileged: true
@@ -20,6 +24,9 @@ provisioner:
     name: ansible-lint
   env:
     ANSIBLE_ROLES_PATH: ../../roles/
+  inventory:
+    links:
+      group_vars: ../../group_vars/
 verifier:
   name: testinfra
   lint:

diff --git a/roles/db/tasks/main.yml b/roles/db/tasks/main.yml
@@ -35,12 +35,13 @@
 - name: Ensure database is created
   become: true
   become_user: postgres
-  postgresql_db: name={{ db_name }}
-                 encoding='UTF-8'
-                 lc_collate='en_US.UTF-8'
-                 lc_ctype='en_US.UTF-8'
-                 template='template0'
-                 state=present
+  postgresql_db:
+    name: "{{ db_name }}"
+    encoding: UTF-8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+    template: template0
+    state: present
 
 - name: Ensure user has access to the database
   become: true

diff --git a/roles/security/defaults/main.yml b/roles/security/defaults/main.yml
@@ -3,7 +3,7 @@
 # You can use the following Python script to adjust this value.
 # pip install passlib
 # python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
-server_user_password: $6$rounds=656000$ca2RWJgtEqDVpOp9$0S0N3GHjOIO1PwRZ0vDyr0Z5Pi8ZcEa8.r.T.Wsx.O8RZlpTV1w0BLoEWwDb.zTkJOmP1Re.zBfQsviZaP89m0
+server_user_password: "{{ sudo_user_password }}"
 
 perform_aptitude_dist_upgrade: true
 

diff --git a/security.yml b/security.yml
@@ -1,15 +1,13 @@
 ---
 
-- name: Initial configuration for a {{ application_name }} server
+- name: Initial configuration for application server
   hosts: all
   become: true
   become_user: root
   remote_user: root
   vars:
     - update_apt_cache: true
   vars_files:
-    - env_vars/base.yml
-    - env_vars/{{ env }}.yml
     - roles/base/defaults/main.yml
   module_defaults:
     apt:

diff --git a/vagrant.yml b/vagrant.yml
@@ -1,15 +1,12 @@
 ---
 
-- name: Create a {{ application_name }} virtual machine via vagrant
+- name: Create application virtual machine via vagrant
   hosts: all
   become: true
   become_user: root
   remote_user: vagrant
   vars:
     update_apt_cache: true
-  vars_files:
-    - env_vars/base.yml
-    - env_vars/vagrant.yml
   module_defaults:
     apt:
       force_apt_get: true

diff --git a/webservers.yml b/webservers.yml
@@ -1,15 +1,12 @@
 ---
 
-- name: Provision a {{ application_name }} web server
+- name: Provision application web server
   hosts: webservers
   become: true
   become_user: root
   remote_user: "{{ server_user }}"
   vars:
     update_apt_cache: true
-  vars_files:
-    - env_vars/base.yml
-    - env_vars/{{ env }}.yml
   module_defaults:
     apt:
       force_apt_get: true