From e28b73a2ec4ff78dfa85ae72ab9db38912abfe48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20P=C3=A9pin?=
Date: Tue, 16 May 2017 19:52:59 +0100
Subject: [PATCH] Split the settings in two files, secrets system
---
 evenementiel/settings/.gitignore | 1 +
 .../{settings_dev.py => settings/common.py} | 122 ++++++++----------
 evenementiel/settings/dev.py | 44 +++++++
 evenementiel/settings/secret_example.py | 13 ++
 provisioning/bootstrap.sh | 29 +++--
 requirements-devel.txt | 1 +
 6 files changed, 131 insertions(+), 79 deletions(-)
 create mode 100644 evenementiel/settings/.gitignore
 rename evenementiel/{settings_dev.py => settings/common.py} (58%)
 create mode 100644 evenementiel/settings/dev.py
 create mode 100644 evenementiel/settings/secret_example.py
diff --git a/evenementiel/settings/.gitignore b/evenementiel/settings/.gitignore
new file mode 100644
index 0000000..2142506
--- /dev/null
+++ b/evenementiel/settings/.gitignore
@@ -0,0 +1 @@
+secret.py
diff --git a/evenementiel/settings_dev.py b/evenementiel/settings/common.py
similarity index 58%
rename from evenementiel/settings_dev.py
rename to evenementiel/settings/common.py
index 535c6c2..6519497 100644
--- a/evenementiel/settings_dev.py
+++ b/evenementiel/settings/common.py
@@ -1,36 +1,45 @@ +# -*- coding: utf-8 -*- """ -Django settings for evenementiel project. +Django common settings for GestionÉvénementiel -Generated by 'django-admin startproject' using Django 1.9.9. +Everything which is supposed to be identical between the production server and +the local development server should be here. -For more information on this file, see -https://docs.djangoproject.com/en/1.9/topics/settings/ - -For the full list of settings and their values, see -https://docs.djangoproject.com/en/1.9/ref/settings/ +We also load the secrets in this file. """ import os -from django.core.urlresolvers import reverse_lazy - -# Build paths inside the project like this: os.path.join(BASE_DIR, ...) -BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) +from . import secret -# Quick-start development settings - unsuitable for production -# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/ - -# SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = '0@=@$0*2x)x=$6qzf*1a(07she(33zr9vi0+=(yd%3i=i9gp+_' -CREATE_USER_KEY = 'lolilol' # Do not use this one on prod !! - -# SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True - -ALLOWED_HOSTS = [] +def import_secret(name): + """ + Shorthand for importing a value from the secret module and raising an + informative exception if a secret is missing. 
+ """ + try: + return getattr(secret, name) + except AttributeError: + raise RuntimeError("Secret missing: {}".format(name)) -# Application definition +SECRET_KEY = import_secret("SECRET_KEY") +ADMINS = import_secret("ADMINS") + +DBNAME = import_secret("DBNAME") +DBUSER = import_secret("DBUSER") +DBPASSWD = import_secret("DBPASSWD") + +REDIS_PASSWD = import_secret("REDIS_PASSWD") +REDIS_DB = import_secret("REDIS_DB") +REDIS_HOST = import_secret("REDIS_HOST") +REDIS_PORT = import_secret("REDIS_PORT") + + +BASE_DIR = os.path.dirname( + os.path.dirname(os.path.dirname(os.path.abspath(__file__))) +) + INSTALLED_APPS = [ 'equipment.apps.EquipmentConfig', @@ -45,12 +54,10 @@ INSTALLED_APPS = [ 'django.contrib.staticfiles', 'channels', 'bootstrapform', - 'debug_toolbar', 'widget_tweaks', ] MIDDLEWARE_CLASSES = [ - 'debug_toolbar.middleware.DebugToolbarMiddleware', 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', @@ -63,8 +70,11 @@ MIDDLEWARE_CLASSES = [ ROOT_URLCONF = 'evenementiel.urls' -LOGIN_REDIRECT_URL = reverse_lazy('shared:home') -LOGOUT_REDIRECT_URL = reverse_lazy('shared:home') +STATIC_URL = "/static/" +MEDIA_URL = "/media/" + +LOGIN_REDIRECT_URL = 'shared:home' +LOGOUT_REDIRECT_URL = 'shared:home' TEMPLATES = [ { @@ -83,19 +93,6 @@ TEMPLATES = [ }, ] -CHANNEL_LAYERS = { - "default": { - "BACKEND": "asgi_redis.RedisChannelLayer", - "CONFIG": { - "hosts": [( - "redis://:{passwd}@{host}:{port}/{db}" - .format(passwd="dummy", host="localhost", port=6379, db=0) - )], - }, - "ROUTING": "evenementiel.routing.channel_routing", - } -} - DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 
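Review bot: The module-level `from . import secret` in the first hunk runs before `import_secret` can raise its informative error, so a fresh checkout, where `secret.py` is git-ignored and therefore absent, fails with a bare ImportError. Guarding the import with `except ImportError: raise RuntimeError("settings/secret.py is missing; copy secret_example.py")` would keep the failure mode consistent with the helper. `DBNAME`, `DBUSER` and `DBPASSWD` are loaded here, but no hunk touches the body of `DATABASES` between its `'ENGINE'` line and its closing braces, so it is worth confirming that block actually reads them rather than the environment variables bootstrap.sh still passes. The `SECRET_KEY` and `CREATE_USER_KEY` literals removed by this hunk stay in the repository history and should be treated as disclosed; `CREATE_USER_KEY` also has no counterpart in the new secrets list.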
@@ -107,13 +104,22 @@ DATABASES = { } } -STATIC_ROOT = "/srv/GE/static/" -MEDIA_ROOT = "/srv/GE/media/" - +CHANNEL_LAYERS = { + "default": { + "BACKEND": "asgi_redis.RedisChannelLayer", + "CONFIG": { + "hosts": [( + "redis://:{passwd}@{host}:{port}/{db}" + .format(passwd=REDIS_PASSWD, host=REDIS_HOST, + port=REDIS_PORT, db=REDIS_DB) + )], + }, + "ROUTING": "evenementiel.routing.channel_routing", + } +} # Password validation # https://docs.djangoproject.com/en/1.9/ref/settings/#auth-password-validators - AUTH_PASSWORD_VALIDATORS = [ {'NAME': 'django.contrib.auth.password_validation' '.UserAttributeSimilarityValidator'}, @@ -124,9 +130,8 @@ AUTH_PASSWORD_VALIDATORS = [ '.NumericPasswordValidator'}, ] - # Internationalization -# https://docs.djangoproject.com/en/1.9/topics/i18n/ +# https://docs.djangoproject.com/en/1.8/topics/i18n/ LANGUAGE_CODE = 'en-us' @@ -137,28 +142,3 @@ USE_I18N = True USE_L10N = True USE_TZ = True - - -# Static files (CSS, JavaScript, Images) -# https://docs.djangoproject.com/en/1.9/howto/static-files/ - -STATIC_URL = '/static/' - - -def show_toolbar(request): - """ - On ne veut pas la vérification de INTERNAL_IPS faite par la debug-toolbar - car cela interfère avec l'utilisation de Vagrant. En effet, l'adresse de la - machine physique n'est pas forcément connue, et peut difficilement être - mise dans les INTERNAL_IPS. - """ - if not DEBUG: - return False - if request.is_ajax(): - return False - return True - - -DEBUG_TOOLBAR_CONFIG = { - 'SHOW_TOOLBAR_CALLBACK': show_toolbar, -} diff --git a/evenementiel/settings/dev.py b/evenementiel/settings/dev.py new file mode 100644 index 0000000..f65a54c --- /dev/null +++ b/evenementiel/settings/dev.py 
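Review bot: `REDIS_PASSWD` is interpolated into the `redis://` URL in `CHANNEL_LAYERS` without percent-encoding, so a password containing `@`, `:`, `/` or `#` produces a URL that parses to the wrong credentials or host. This mattered little while the value was the fixed `"dummy"`, but it now comes from a per-deployment secret. I would encode it before formatting, e.g. `passwd=quote(REDIS_PASSWD, safe="")` with `quote` taken from `urllib.parse` (or from `urllib` if Python 2 is still supported), and note in a comment that the password is URL-encoded on purpose.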
@@ -0,0 +1,44 @@ +""" +Django development settings for GestionÉvénementiel +The settings that are not listed here are imported from .common +""" + +from .common import * # NOQA + + +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' + +DEBUG = True + +# Add some debugging tools +INSTALLED_APPS += ["debug_toolbar", "debug_panel"] # NOQA +MIDDLEWARE_CLASSES = ( + ["debug_panel.middleware.DebugPanelMiddleware"] + + MIDDLEWARE_CLASSES # NOQA +) + + +# --- +# Nginx static/media config +# --- + +STATIC_ROOT = "/srv/GE/static/" +MEDIA_ROOT = "/srv/GE/media/" + + +# --- +# Debug tool bar +# --- + +def show_toolbar(request): + """ + On ne veut pas la vérification de INTERNAL_IPS faite par la debug-toolbar + car cela interfère avec l'utilisation de Vagrant. En effet, l'adresse de la + machine physique n'est pas forcément connue, et peut difficilement être + mise dans les INTERNAL_IPS. + """ + return DEBUG # True + +DEBUG_TOOLBAR_CONFIG = { + 'SHOW_TOOLBAR_CALLBACK': show_toolbar, +} diff --git a/evenementiel/settings/secret_example.py b/evenementiel/settings/secret_example.py new file mode 100644 index 0000000..5c1aa0e --- /dev/null +++ b/evenementiel/settings/secret_example.py @@ -0,0 +1,13 @@ +SECRET_KEY = 'dummy_key3i%5cp4)f+ww4-28_w+ly3q9=6imw2ciu&_(5_4ah' +ADMINS = None + +# Postgres +DBNAME = "{{DBNAME}}" +DBUSER = "{{DBUSER}}" +DBPASSWD = "{{DBPASSWD}}" + +# Redis +REDIS_PASSWD = "{{REDIS_PASSWD}}" +REDIS_PORT = 6379 +REDIS_DB = 0 +REDIS_HOST = "127.0.0.1" diff --git a/provisioning/bootstrap.sh b/provisioning/bootstrap.sh index 2986efe..6483f30 100644 --- a/provisioning/bootstrap.sh +++ b/provisioning/bootstrap.sh 
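Review bot: `show_toolbar` in dev.py now returns `DEBUG` for every request, so with `DEBUG = True` the debug toolbar is served to any client that can reach the server, not only to the developer's machine. The docstring explains why the `INTERNAL_IPS` check is skipped under Vagrant, but it is written in French and does not state the resulting exposure. I would translate it and add a line such as `# Dev only: never use this settings module on a host reachable from outside.` The previous version also returned False for AJAX requests, which this one no longer does; that is presumably intended now that `debug_panel` is installed, but a short comment would make it explicit.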
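Review bot: `SECRET_KEY` in secret_example.py is a fixed literal, and `fill_template` in provisioning/bootstrap.sh has no `{{SECRET_KEY}}` substitution, so every `secret.py` generated from this template carries the same published key. That is acceptable for a throwaway Vagrant box, but anyone copying the example for a real deployment inherits a key that is in the repository. Consider `SECRET_KEY = "{{SECRET_KEY}}"` filled with a randomly generated value at provisioning time, or at least a comment such as `# Placeholder: generate a fresh key for any non-local deployment.`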
@@ -10,7 +10,18 @@ DBPASSWD="4KZt3nGPLVeWSvtBZPsd9jdssdJMds78" REDIS_PASSWD="dummy" # It is used in quite a few places -SETTINGS="evenementiel.settings_dev" +SETTINGS="evenementiel.settings.dev" + +# Fills a "templated file" with the information specified in the variables above +# e.g. every occurrence of {{DBUSER}} in the file will be replaced by the value +# of the variable $DBUSER +function fill_template { + sed "s/{{DBUSER}}/$DBUSER/" -i $1 + sed "s/{{DBNAME}}/$DBNAME/" -i $1 + sed "s/{{DBPASSWD}}/$DBPASSWD/" -i $1 + sed "s/{{REDIS_PASSWD}}/$REDIS_PASSWD/" -i $1 + sed "s/{{SETTINGS}}/$SETTINGS/" -i $1 +} # --- # Installs the dependencies @@ -56,10 +67,7 @@ service nginx restart for service in {daphne,worker}.service do cp /vagrant/provisioning/$service /etc/systemd/system/$service - sed "s/{{DBUSER}}/$DBUSER/" -i /etc/systemd/system/$service - sed "s/{{DBNAME}}/$DBNAME/" -i /etc/systemd/system/$service - sed "s/{{DBPASSWD}}/$DBPASSWD/" -i /etc/systemd/system/$service - sed "s/{{SETTINGS}}/$SETTINGS/" -i /etc/systemd/system/$service + fill_template /etc/systemd/system/$service systemctl enable $service systemctl start $service done @@ -79,6 +87,14 @@ redis-cli -a $REDIS_PASSWD CONFIG REWRITE # Prepare Django # --- +cd /vagrant + +# Setup the secrets +sudo -H -u vagrant cp evenementiel/settings/secret_example.py \ + evenementiel/settings/secret.py +fill_template evenementiel/settings/secret.py + +# Run the usual django admin commands function venv_python { sudo -H -u vagrant DJANGO_SETTINGS_MODULE=$SETTINGS \ DBUSER=$DBUSER DBNAME=$DBNAME DBPASSWD=$DBPASSWD \ @@ -86,12 +102,9 @@ function venv_python { $@ } -cd /vagrant venv_python manage.py collectstatic --noinput venv_python manage.py migrate -unset venv_python - # --- # Setup a friendly environment for the user diff --git a/requirements-devel.txt b/requirements-devel.txt index 425dfc3..83053f7 100644 --- a/requirements-devel.txt +++ b/requirements-devel.txt 
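Review bot: `fill_template` pastes the variable values straight into the `sed` replacement text, so a password containing `/`, `&` or a backslash either breaks the expression or writes a value that differs from the one configured in Postgres and Redis. Escape the value before substituting (or use a delimiter the values cannot contain) and quote the file argument, along the lines of `sed -i "s|{{DBPASSWD}}|$escaped_value|g" "$1"`, where `escaped_value` is a name I made up for the pre-escaped password. The header comment promises that every occurrence is replaced, but without the `g` flag only the first match on each line is.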
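Review bot: In the "Setup the secrets" hunk, `secret.py` is created by `cp` with default permissions and then rewritten by `fill_template`, which runs as the script's own user (apparently root, given the writes under /etc/systemd) rather than as `vagrant`. Depending on the filesystem, `sed -i` can leave the file owned by that user and readable by every account on the machine, and it now holds the database and Redis passwords. I would run the fill step under the same `sudo -H -u vagrant` as the copy and set the mode explicitly afterwards, e.g. `chmod 600 evenementiel/settings/secret.py`.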
@@ -1,3 +1,4 @@
 -r requirements.txt
 django-debug-toolbar
+django-debug-panel
 ipython