authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-01-26 14:02:44 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-01-26 15:18:33 +0000
commit32086cc5f298f8914e395f9eb54b2baf4f5f6f4f (patch)
treeefb3f19afa80b6ee079260aa45607fd5fd467dd0
parentd5711ed1063fb5a24661b55403b38d9bd3863fde (diff)
openid_provider: Get ready for production!
This includes some tweaks to how deployment is done. There is now an 'instance configuration' stage, where an Ansible playbook injects instance-specific info like the database password into the machine, and runs database migrations. It makes sense for this to be a separate stage because it may need to be re-executed during the lifetime of the instance, for example if the database passwords change.
-rw-r--r--README.mdwn29
-rw-r--r--baserock_openid_provider/baserock_openid_provider/settings.py17
-rw-r--r--baserock_openid_provider/image-config.yml (renamed from baserock_openid_provider/local.yml)13
-rw-r--r--baserock_openid_provider/instance-config.yml35
-rw-r--r--baserock_openid_provider/packer_template.json19
-rw-r--r--hosts2
6 files changed, 69 insertions, 46 deletions
diff --git a/README.mdwn b/README.mdwn
index deb3042d..46a5fe64 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -122,21 +122,21 @@ To deploy a development instance:
To deploy this system to production:
vim baserock_openid_provider/baserock_openid_provider/settings.py
- # Edit the DATABASES['default']['HOST'] to point to the fixed IP of
- # the 'database' machine.
- packer build -only=production database/packer_template.json
- nova boot openid_provider
- --flavor dc1.1x1 --image 'baserock_openid_provider' \
- --key-name=<your-keypair> openid.baserock.org \
- --nic='net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5'
-Now you need to SSH into the system (via the frontend system perhaps) and run
-the database migrations, before the app will work:
+Edit the DATABASES['default']['HOST'] to point to the fixed IP of the
+'database' machine, and check the settings. See:
+https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
- sudo -u cherokee python /srv/baserock_openid_provider/manage.py migrate
+ packer build -only=production baserock_openid_provider/packer_template.json
-FIXME: I guess this could be done with cloud-init.
+ nova boot openid.baserock.org \
+ --key-name <your-keypair> \
+ --flavor dc1.1x1 \
+ --image 'baserock_openid_provider' \
+ --nic 'net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5',v4-fixed-ip=192.168.222.67 \
+ --user-data ./baserock-ops-team.cloud-config
+ ansible-playbook -i hosts baserock_openid_provider/instance-config.yml
Storyboard
----------
@@ -160,6 +160,11 @@ To deploy the production version:
Deployment to DataCentred
-------------------------
+The following error from Packer means that you didn't set your credentials
+correctly in the `OS_...` environment variables, or they were not accepted.
+
+> Build 'production' errored: Missing or incorrect provider
+
When instantiating a machine that will be public, remember that all operators
who are responsible for security updates and maintenance must be given access
to the machine. This can be done using a post-creation customisation script
@@ -167,7 +172,7 @@ that injecting all of their SSH keys: the Baserock Ops team use the file
`baserock-ops-team.cloud-config` from this repo.
The the Packer tool requires a floating IP to be available at the time a system
-is being deployed to OpenStack. Currently 85.199.252.152 should be used for
+is being deployed to OpenStack. Currently 185.43.218.169 should be used for
this. If you specify a floating IP that is in use by an existing instance, you
will steal it for your own instance and probably break one of our web services.
diff --git a/baserock_openid_provider/baserock_openid_provider/settings.py b/baserock_openid_provider/baserock_openid_provider/settings.py
index 65092221..387c9013 100644
--- a/baserock_openid_provider/baserock_openid_provider/settings.py
+++ b/baserock_openid_provider/baserock_openid_provider/settings.py
@@ -18,14 +18,19 @@ BASE_DIR = os.path.dirname(os.path.dirname(__file__))
# See https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = '#k9g0dclqiqxomjk2=&fu+$n-(b$d4**5usy!%(b3#k8m)qpif'
+secret_key_file = '/etc/baserock_openid_provider.secret_key.yml'
+with open(secret_key_file) as f:
+ data = yaml.load(f)
+ SECRET_KEY = data['baserock_openid_provider_secret_key']
# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = False
TEMPLATE_DEBUG = True
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = [
+ 'openid.baserock.org',
+]
# Application definition
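Review bot: The new secret-key read on the `+ data = yaml.load(f)` line uses the unrestricted loader, which with the PyYAML of this era constructs arbitrary Python objects from the document; a plain key/value file only needs `yaml.safe_load`, so `data = yaml.safe_load(f)` is the safer form at no cost. The unchanged `data = yaml.load(f)` line in this file's second hunk, reading the database password, has the same shape and should change with it. The file is root-installed with mode 400 per instance-config.yml, so the exposure is small, but the two reads should at least be consistent once one is changed. Separately, the hard-coded key removed on the `-SECRET_KEY = ...` line remains in the repository history, so the value placed in `/etc/baserock_openid_provider.secret_key.yml` should be a freshly generated one rather than the old literal; the commit message does not say whether it was rotated.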
@@ -105,11 +110,7 @@ DATABASES = {
}
-# This file lives under /var/lib currently so that the user who runs
-# this code can read it. That user is 'uwsgi'. Putting it in /srv would
-# be fine except that it interferes with the way development deployments
-# are done.
-pw_file = '/var/lib/baserock_openid_provider.database_password.yml'
+pw_file = '/etc/baserock_openid_provider.database_password.yml'
with open(pw_file) as f:
data = yaml.load(f)
password = data['baserock_openid_provider_password']
diff --git a/baserock_openid_provider/local.yml b/baserock_openid_provider/image-config.yml
index a09d03ba..bfae7cd5 100644
--- a/baserock_openid_provider/local.yml
+++ b/baserock_openid_provider/image-config.yml
@@ -1,3 +1,6 @@
+# Image configuration for Baserock OpenID provider.
+#
+# This playbook is run at image-creation time by Packer.
---
- hosts: localhost
tasks:
@@ -40,18 +43,10 @@
yum: name=MySQL-python state=latest
- name: install Cherokee configuration
- file: src=/srv/baserock_openid_provider/cherokee.conf dest=/etc/cherokee/cherokee.conf state=link
+ file: src=/srv/baserock_openid_provider/cherokee.conf dest=/etc/cherokee/cherokee.conf state=link force=yes
- name: create log directory for baserock_openid_provider
file: path=/var/log/baserock_openid_provider owner=cherokee group=cherokee state=directory
- name: create directory for static content
file: path=/var/www/static owner=cherokee group=cherokee state=directory
-
- - name: install static content
- django_manage: app_path=/srv/baserock_openid_provider command=collectstatic
-
- # Default configuration of Sendmail in Fedora is to only accept connections from
- # localhost. This is what we want.
- - name: enable and start sendmail service
- service: name=sendmail enabled=yes state=started
diff --git a/baserock_openid_provider/instance-config.yml b/baserock_openid_provider/instance-config.yml
new file mode 100644
index 00000000..dc404594
--- /dev/null
+++ b/baserock_openid_provider/instance-config.yml
@@ -0,0 +1,35 @@
+# Instance configuration for Baserock OpenID provider.
+#
+# This playbook should be run after starting an instance of the Baserock
+# OpenID Provider image.
+---
+- hosts: openid.baserock.org
+ sudo: yes
+ tasks:
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ - name: install database password
+ copy: src=../database/baserock_openid_provider.database_password.yml dest=/etc owner=cherokee group=cherokee mode=400
+
+ - name: install Django secret key
+ copy: src=baserock_openid_provider.secret_key.yml dest=/etc owner=cherokee group=cherokee mode=400
+
+ # This step could be part of image creation, except that because the secret
+ # key file wouldn't be available at that time, the 'manage.py' script would
+ # fail to run.
+ - name: install static content
+ django_manage: app_path=/srv/baserock_openid_provider command=collectstatic
+ sudo_user: cherokee
+
+ - name: run database migrations
+ django_manage: app_path=/srv/baserock_openid_provider command=migrate
+ sudo_user: cherokee
+
+ # Default configuration of Sendmail in Fedora is to only accept connections from
+ # localhost. This is what we want, so no extra config required.
+ - name: enable and start sendmail service
+ service: name=sendmail enabled=yes state=started
+
+ - name: enable and start Cherokee service
+ service: name=cherokee enabled=yes state=restarted
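Review bot: The `yum: name=* state=latest` task at the top of the new playbook performs a full system upgrade on every run, and the commit message says this playbook is meant to be re-executed whenever instance-specific data such as the database password changes. A secret rotation that also pulls in arbitrary package updates, followed by the unconditional `state=restarted` of Cherokee at the end, is hard to reason about operationally and makes a failed upgrade indistinguishable from a failed rotation. Consider moving the upgrade to image-config.yml or gating it with a tag, or at minimum stating the intent above the task: `# Full upgrade runs on every instance-config pass, including secret rotations.`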
diff --git a/baserock_openid_provider/packer_template.json b/baserock_openid_provider/packer_template.json
index a5f40761..0de9bc84 100644
--- a/baserock_openid_provider/packer_template.json
+++ b/baserock_openid_provider/packer_template.json
@@ -14,7 +14,7 @@
"flavor": "f0577618-9125-4948-b450-474e225bbc4c",
"source_image": "742e0414-c985-4994-b307-4aafade942b3",
"networks": ["d079fa3e-2558-4bcb-ad5a-279040c202b5"],
- "floating_ip": "85.199.252.164",
+ "floating_ip": "185.43.218.169",
"use_floating_ip": true,
"ssh_username": "fedora"
}
@@ -29,17 +29,6 @@
},
{
"type": "file",
- "source": "database/baserock_openid_provider.database_password.yml",
- "destination": "/var/tmp/baserock_openid_provider.database_password.yml"
- },
- {
- "type": "shell",
- "inline": [
- "sudo mv /var/tmp/baserock_openid_provider.database_password.yml /var/lib"
- ]
- },
- {
- "type": "file",
"source": "baserock_openid_provider",
"destination": "/srv",
"only": ["production"]
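Review bot: Removing the `file` and `shell` provisioners that copied `database/baserock_openid_provider.database_password.yml` into `/var/lib` is the right move, but images built from the previous template still contain that file, and they are not addressed by this commit. If any such image remains in the OpenStack image store (I cannot tell from the diff), it should be deleted and the database password rotated, since the old value has effectively been distributed with the image. A short note in the README hunk or the commit message describing this one-time cleanup would make the transition safe to follow.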
@@ -50,7 +39,7 @@
},
{
"type": "ansible-local",
- "playbook_file": "baserock_openid_provider/local.yml",
+ "playbook_file": "baserock_openid_provider/image-config.yml",
"command": "sudo ansible-playbook"
},
{
@@ -65,9 +54,7 @@
"inline": [
"sudo yum install -y libselinux-python",
"sudo ansible localhost -m selinux -a state=disabled",
- "sudo setenforce 0",
- "sudo systemctl enable cherokee",
- "sudo systemctl start cherokee"
+ "sudo setenforce 0"
],
"only": ["production"]
},
diff --git a/hosts b/hosts
index 13b8d9f4..690e6677 100644
--- a/hosts
+++ b/hosts
@@ -18,7 +18,7 @@ mason-x86-64.baserock.org ansible_ssh_host=192.168.222.13
[fedora]
frontend-haproxy ansible_ssh_host=185.43.218.170
database-mariadb ansible_ssh_host=192.168.222.30
-openid.baserock.org ansible_ssh_host=192.168.222.39
+openid.baserock.org ansible_ssh_host=192.168.222.67
storyboard.baserock.org ansible_ssh_host=192.168.222.40
[ubuntu]