Bonjour,
Here are the steps to switch from the current manually installed weblate to an ansible provisioned weblate:
Announce
- Announce 24h shutdown in the translation category 3 days before (done)
Prepare the ansible VM
- change weblate ttl to 30 minutes
    weblate 1800 IN A 145.239.12.117
- molecule converge -s ansible
- go to the horizon panel, update the default security group to only allow port 22, change ansible-host to only use the default security group
- add ansible.securedrop.club to the DNS
- weblate login -s ansible --host ansible-host
- cd /srv/checkout
- Copy OpenStack credentials into openrc.sh, using a project dedicated to production
- add to ~/.bashrc
    source /srv/virtualenv/bin/activate
    source /srv/checkout/openrc.sh
- change the region on both openrc.sh and clouds.yml
- verify it works with
openstack image list
- verify it works with
openstack.py --list
- ssh-keygen -f infrastructure_key
- change the password at molecule/icinga/roles/icinga2/tasks/main.yml
Test the production
- molecule create -s weblate
- delegate test.securedrop.club zone to the bind-host IP by adding the following at the end of the zone (where 10.10.10.10 is the IP of bind-host).
    ns1-test IN A 10.10.10.10
    test IN NS ns1-test.securedrop.club.
- ansible-playbook --private-key infrastructure_key --user debian -i openstack.py -e ssh_private_keyfile=$(pwd)/infrastructure_key -e ssh_public_keyfile=$(pwd)/infrastructure_key.pub -e domain=test.securedrop.club securedrop-club-playbook.yml
- manually verify mail delivery works
- manually verify monitoring works
- manually verify weblate works via HTTPS
- configure contact@securedrop.club github account to allow weblate.test.securedrop.club as an application
- manually verify GitHub weblate login works
Prepare the production
- molecule create -s weblate
- ansible-playbook --private-key infrastructure_key --user debian -i openstack.py -e ssh_private_keyfile=$(pwd)/infrastructure_key -e ssh_public_keyfile=$(pwd)/infrastructure_key.pub securedrop-club-playbook.yml
- manually verify mail delivery works
- manually verify monitoring works
- manually verify weblate works via HTTPS
- manually verify GitHub weblate login works # the credentials are hard coded it should work out of the box
Switchover
- Block 443/80 via the OpenStack horizon panel
- Backup & Restore the content of weblate
    cat /etc/hosts
    54.36.100.196 weblate.securedrop.club
    145.239.12.117 old-weblate.securedrop.club
    ssh ubuntu@old-weblate.securedrop.club
    cd /home/ubuntu/weblate-docker && sudo docker-compose exec --user postgres database pg_dump --clean --create weblate | gzip > weblate.dump.gz
    scp ubuntu@old-weblate.securedrop.club:/home/ubuntu/weblate-docker/weblate.dump.gz .
    scp weblate.dump.gz debian@weblate.securedrop.club:
    ssh debian@weblate.securedrop.club
    cd /srv/weblate/
    sudo docker-compose -f docker-compose-securedrop-club.yml stop weblate
    zcat /home/debian/weblate.dump.gz > /srv/weblate/weblate.dump
    sudo docker cp weblate.dump weblate_database_1:/srv
    sudo docker-compose -f docker-compose-securedrop-club.yml exec --user postgres database psql -f /srv/weblate.dump
    sudo docker-compose -f docker-compose-securedrop-club.yml start weblate
- update weblate.securedrop.club DNS entry with the IP of weblate-host
    old-weblate 1800 IN A 145.239.12.117
    weblate 1800 IN A 54.36.100.196
- stop + up -d the https-container after name propagation so letsencrypt gets configured
- manually verify monitoring of weblate SecureDrop project goes from red to green
Maintenance
- ssh debian@ansible.securedrop.club
Cheers
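
An added example, not part of the original post: a check to run on weblate.dump.gz after each scp hop and before the psql restore in the Switchover step, so that a corrupted or truncated dump is caught before it is loaded. The function names and the constructed sample dump are assumptions; the trailer line is the one pg_dump writes at the end of a plain-text dump.

```shell
#!/bin/sh
# Added example: integrity checks for weblate.dump.gz (not from the original post).
# Assumption: the dump is a gzip-compressed plain-text pg_dump, as in the Switchover step.

# Print the SHA-256 of a file. Run it on old-weblate right after pg_dump
# and carry the value along with the file.
dump_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_dump FILE EXPECTED_SHA256
# Return codes: 0 ok, 1 file missing, 2 checksum mismatch (damaged in transit),
# 3 corrupt gzip stream, 4 SQL truncated (pg_dump died before finishing).
verify_dump() {
    [ -r "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ "$(dump_sha256 "$1")" = "$2" ] || { echo "checksum mismatch: $1" >&2; return 2; }
    gzip -t "$1" 2>/dev/null || { echo "corrupt gzip stream: $1" >&2; return 3; }
    # "pg_dump | gzip" yields a valid gzip file even when pg_dump fails midway,
    # so also look for the trailer pg_dump writes only when it completes.
    gzip -dc "$1" | tail -n 10 | grep -q '^-- PostgreSQL database dump complete' \
        || { echo "dump is truncated: $1" >&2; return 4; }
}

# Constructed sample standing in for a real dump (not data from the post).
make_sample_dump() {
    printf '%s\n' '--' '-- PostgreSQL database dump' '--' \
        'DROP DATABASE weblate;' 'CREATE DATABASE weblate;' \
        '--' '-- PostgreSQL database dump complete' '--' | gzip > "$1"
}

# Usage on the new host, before the zcat/psql steps (hash value is a placeholder):
#   verify_dump /home/debian/weblate.dump.gz <sha256-from-old-host> || exit 1
```

Because the dump is taken with --clean --create, restoring a truncated file would drop the database and reload only part of it; return code 4 is the case a checksum alone does not catch.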