regluit-provisioning/README.md

# Deploying Regluit to Production

The current provisioning setup uses [Ansible](https://www.ansible.com/resources/get-started) to deploy code to production servers.

## Pre-requisites 
Before attempting to deploy, ensure you have done the following:
1. git checkout https://github.com/EbookFoundation/regluit-provisioning
1. create `certs` and `decrypted` directories in `private`
1. Install `ansible` on your local machine
1. Obtain the `ansible-vault` password and save it to a file
1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
1. Create/obtain the secret key needed to SSH into the server
1. (optional) Add the secret key to your ssh agent 
    ```
    $ ssh-agent bash
    $ ssh-add /path/to/secret.pem
    ``` 


## Deploy
Deploying is as simple as running the `setup-prod` ansible playbook.  
Navigate to the `regluit-provisioning/` directory and run the following:  
```
$ ansible-playbook -i hosts setup-prod.yml
```   
If you successfully completed all the pre-requisite steps, the playbook should begin running through deploy tasks and finally restart apache.


## Additional Configuration

### Variables and Secrets
The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.  
The variables are split into two files to still allow for searching references in playbook tasks.
To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**.   This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.   

Ansible also allows for overriding variables from the command line when running playbooks.  
This is useful for ad-hoc playbook runs without editing var files.   
For example, deploying code from another branch can be done as so:  
`$ ansible-playbook -i hosts setup-prod.yml -e git_branch=mybranch`  

### Inventory and Groups
Currently we are using a static inventory file `hosts` to define target server hosts and groups.  
This means that the `hosts` file must be manually updated to reflect things such as DNS changes or additional hosts being added.  
In the future, the static inventory file may be replaced with a dynamic inventory solution, such as ansible's [ec2 inventory script](http://docs.ansible.com/ansible/latest/user_guide/intro_dynamic_inventory.html#example-aws-ec2-external-inventory-script)  

One important aspect of the `hosts` file is that it defines the groups which a host or hosts are a part of.   
Currently, there is  one prod host called `regluit-prod` which is a member of the `production` group, and another called `regluit-ondeck` in the `ondeck` group intended to be a build target that can be swapped in to production.
These designations are important, as the `setup-prod` playbook specifically targets the `regluit-prod` host, and only that host will inherit the variables in `group_vars/production/`.
moved from regluit 2018-06-11 15:46:29 +00:00			`# Deploying Regluit to Production`

			`The current provisioning setup uses [Ansible](https://www.ansible.com/resources/get-started) to deploy code to production servers.`

			`## Pre-requisites`
			`Before attempting to deploy, ensure you have done the following:`
final touches 2019-01-31 19:29:02 +00:00			`1. git checkout https://github.com/EbookFoundation/regluit-provisioning`
			1. create `certs` and `decrypted` directories in `private`
moved from regluit 2018-06-11 15:46:29 +00:00			1. Install `ansible` on your local machine
			1. Obtain the `ansible-vault` password and save it to a file
			1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
			`1. Create/obtain the secret key needed to SSH into the server`
			`1. (optional) Add the secret key to your ssh agent`
			```
			`$ ssh-agent bash`
			`$ ssh-add /path/to/secret.pem`
			```


			`## Deploy`
			Deploying is as simple as running the `setup-prod` ansible playbook.
final touches 2019-01-31 19:29:02 +00:00			Navigate to the `regluit-provisioning/` directory and run the following:
moved from regluit 2018-06-11 15:46:29 +00:00			```
			`$ ansible-playbook -i hosts setup-prod.yml`
			```
			`If you successfully completed all the pre-requisite steps, the playbook should begin running through deploy tasks and finally restart apache.`


			`## Additional Configuration`

			`### Variables and Secrets`
final touches 2019-01-31 19:29:02 +00:00			The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
moved from regluit 2018-06-11 15:46:29 +00:00			`The variables are split into two files to still allow for searching references in playbook tasks.`
			To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however always remember to encrypt secret files before pushing to git. This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.

			`Ansible also allows for overriding variables from the command line when running playbooks.`
			`This is useful for ad-hoc playbook runs without editing var files.`
			`For example, deploying code from another branch can be done as so:`
			`$ ansible-playbook -i hosts setup-prod.yml -e git_branch=mybranch`

			`### Inventory and Groups`
			Currently we are using a static inventory file `hosts` to define target server hosts and groups.
			This means that the `hosts` file must be manually updated to reflect things such as DNS changes or additional hosts being added.
			`In the future, the static inventory file may be replaced with a dynamic inventory solution, such as ansible's [ec2 inventory script](http://docs.ansible.com/ansible/latest/user_guide/intro_dynamic_inventory.html#example-aws-ec2-external-inventory-script)`

			One important aspect of the `hosts` file is that it defines the groups which a host or hosts are a part of.
			Currently, there is one prod host called `regluit-prod` which is a member of the `production` group, and another called `regluit-ondeck` in the `ondeck` group intended to be a build target that can be swapped in to production.
			These designations are important, as the `setup-prod` playbook specifically targets the `regluit-prod` host, and only that host will inherit the variables in `group_vars/production/`.