Split the settings in two files, secrets system

2017-05-16 19:52:59 +01:00 · 2017-05-16 19:52:59 +01:00 · e28b73a2ec
commit e28b73a2ec
parent e64c3d0b37
6 changed files with 131 additions and 79 deletions
--- a/evenementiel/settings/.gitignore
+++ b/evenementiel/settings/.gitignore
@ -0,0 +1 @@
+secret.py
--- a/evenementiel/settings/common.py
+++ b/evenementiel/settings/common.py
@ -1,36 +1,45 @@
+# -*- coding: utf-8 -*-
 """
-Django settings for evenementiel project.
+Django common settings for GestionÉvénementiel

-Generated by 'django-admin startproject' using Django 1.9.9.
+Everything which is supposed to be identical between the production server and
+the local development server should be here.

-For more information on this file, see
-https://docs.djangoproject.com/en/1.9/topics/settings/
-
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/1.9/ref/settings/
+We also load the secrets in this file.
 """

 import os
-from django.core.urlresolvers import reverse_lazy
-
-# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+from . import secret


-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
-
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = '0@=@$0*2x)x=$6qzf*1a(07she(33zr9vi0+=(yd%3i=i9gp+_'
-CREATE_USER_KEY = 'lolilol'  # Do not use this one on prod !!
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
-
-ALLOWED_HOSTS = []
+def import_secret(name):
+    """
+    Shorthand for importing a value from the secret module and raising an
+    informative exception if a secret is missing.
+    """
+    try:
+        return getattr(secret, name)
+    except AttributeError:
+        raise RuntimeError("Secret missing: {}".format(name))


-# Application definition
+SECRET_KEY = import_secret("SECRET_KEY")
+ADMINS = import_secret("ADMINS")
+
+DBNAME = import_secret("DBNAME")
+DBUSER = import_secret("DBUSER")
+DBPASSWD = import_secret("DBPASSWD")
+
+REDIS_PASSWD = import_secret("REDIS_PASSWD")
+REDIS_DB = import_secret("REDIS_DB")
+REDIS_HOST = import_secret("REDIS_HOST")
+REDIS_PORT = import_secret("REDIS_PORT")
+
+
+BASE_DIR = os.path.dirname(
+    os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+)
+

 INSTALLED_APPS = [
    'equipment.apps.EquipmentConfig',
@ -45,12 +54,10 @@ INSTALLED_APPS = [
    'django.contrib.staticfiles',
    'channels',
    'bootstrapform',
-    'debug_toolbar',
    'widget_tweaks',
 ]

 MIDDLEWARE_CLASSES = [
-    'debug_toolbar.middleware.DebugToolbarMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
@ -63,8 +70,11 @@ MIDDLEWARE_CLASSES = [

 ROOT_URLCONF = 'evenementiel.urls'

-LOGIN_REDIRECT_URL = reverse_lazy('shared:home')
-LOGOUT_REDIRECT_URL = reverse_lazy('shared:home')
+STATIC_URL = "/static/"
+MEDIA_URL = "/media/"
+
+LOGIN_REDIRECT_URL = 'shared:home'
+LOGOUT_REDIRECT_URL = 'shared:home'

 TEMPLATES = [
    {
@ -83,19 +93,6 @@ TEMPLATES = [
    },
 ]

-CHANNEL_LAYERS = {
-    "default": {
-        "BACKEND": "asgi_redis.RedisChannelLayer",
-        "CONFIG": {
-            "hosts": [(
-                "redis://:{passwd}@{host}:{port}/{db}"
-                .format(passwd="dummy", host="localhost", port=6379, db=0)
-            )],
-        },
-        "ROUTING": "evenementiel.routing.channel_routing",
-    }
-}
-
 DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
@ -107,13 +104,22 @@ DATABASES = {
    }
 }

-STATIC_ROOT = "/srv/GE/static/"
-MEDIA_ROOT = "/srv/GE/media/"
-
+CHANNEL_LAYERS = {
+    "default": {
+        "BACKEND": "asgi_redis.RedisChannelLayer",
+        "CONFIG": {
+            "hosts": [(
+                "redis://:{passwd}@{host}:{port}/{db}"
+                .format(passwd=REDIS_PASSWD, host=REDIS_HOST,
+                        port=REDIS_PORT, db=REDIS_DB)
+            )],
+        },
+        "ROUTING": "evenementiel.routing.channel_routing",
+    }
+}

 # Password validation
 # https://docs.djangoproject.com/en/1.9/ref/settings/#auth-password-validators
-
 AUTH_PASSWORD_VALIDATORS = [
    {'NAME': 'django.contrib.auth.password_validation'
             '.UserAttributeSimilarityValidator'},
@ -124,9 +130,8 @@ AUTH_PASSWORD_VALIDATORS = [
             '.NumericPasswordValidator'},
 ]

-
 # Internationalization
-# https://docs.djangoproject.com/en/1.9/topics/i18n/
+# https://docs.djangoproject.com/en/1.8/topics/i18n/

 LANGUAGE_CODE = 'en-us'

@ -137,28 +142,3 @@ USE_I18N = True
 USE_L10N = True

 USE_TZ = True
-
-
-# Static files (CSS, JavaScript, Images)
-# https://docs.djangoproject.com/en/1.9/howto/static-files/
-
-STATIC_URL = '/static/'
-
-
-def show_toolbar(request):
-    """
-    On ne veut pas la vérification de INTERNAL_IPS faite par la debug-toolbar
-    car cela interfère avec l'utilisation de Vagrant. En effet, l'adresse de la
-    machine physique n'est pas forcément connue, et peut difficilement être
-    mise dans les INTERNAL_IPS.
-    """
-    if not DEBUG:
-        return False
-    if request.is_ajax():
-        return False
-    return True
-
-
-DEBUG_TOOLBAR_CONFIG = {
-    'SHOW_TOOLBAR_CALLBACK': show_toolbar,
-}
--- a/evenementiel/settings/dev.py
+++ b/evenementiel/settings/dev.py
@ -0,0 +1,44 @@
+"""
+Django development settings for GestionÉvénementiel
+The settings that are not listed here are imported from .common
+"""
+
+from .common import *  # NOQA
+
+
+EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+DEBUG = True
+
+# Add some debugging tools
+INSTALLED_APPS += ["debug_toolbar", "debug_panel"]  # NOQA
+MIDDLEWARE_CLASSES = (
+    ["debug_panel.middleware.DebugPanelMiddleware"]
+    + MIDDLEWARE_CLASSES  # NOQA
+)
+
+
+# ---
+# Nginx static/media config
+# ---
+
+STATIC_ROOT = "/srv/GE/static/"
+MEDIA_ROOT = "/srv/GE/media/"
+
+
+# ---
+# Debug tool bar
+# ---
+
+def show_toolbar(request):
+    """
+    On ne veut pas la vérification de INTERNAL_IPS faite par la debug-toolbar
+    car cela interfère avec l'utilisation de Vagrant. En effet, l'adresse de la
+    machine physique n'est pas forcément connue, et peut difficilement être
+    mise dans les INTERNAL_IPS.
+    """
+    return DEBUG  # True
+
+DEBUG_TOOLBAR_CONFIG = {
+    'SHOW_TOOLBAR_CALLBACK': show_toolbar,
+}
--- a/evenementiel/settings/secret_example.py
+++ b/evenementiel/settings/secret_example.py
@ -0,0 +1,13 @@
+SECRET_KEY = 'dummy_key3i%5cp4)f+ww4-28_w+ly3q9=6imw2ciu&_(5_4ah'
+ADMINS = None
+
+# Postgres
+DBNAME = "{{DBNAME}}"
+DBUSER = "{{DBUSER}}"
+DBPASSWD = "{{DBPASSWD}}"
+
+# Redis
+REDIS_PASSWD = "{{REDIS_PASSWD}}"
+REDIS_PORT = 6379
+REDIS_DB = 0
+REDIS_HOST = "127.0.0.1"
--- a/provisioning/bootstrap.sh
+++ b/provisioning/bootstrap.sh
@ -10,7 +10,18 @@ DBPASSWD="4KZt3nGPLVeWSvtBZPsd9jdssdJMds78"
 REDIS_PASSWD="dummy"

 # It is used in quite a few places
-SETTINGS="evenementiel.settings_dev"
+SETTINGS="evenementiel.settings.dev"
+
+# Fills a "templated file" with the information specified in the variables above
+# e.g. every occurrence of {{DBUSER}} in the file will be replaced by the value
+# of the variable $DBUSER
+function fill_template {
+  sed "s/{{DBUSER}}/$DBUSER/" -i $1
+  sed "s/{{DBNAME}}/$DBNAME/" -i $1
+  sed "s/{{DBPASSWD}}/$DBPASSWD/" -i $1
+  sed "s/{{REDIS_PASSWD}}/$REDIS_PASSWD/" -i $1
+  sed "s/{{SETTINGS}}/$SETTINGS/" -i $1
+}

 # ---
 # Installs the dependencies
@ -56,10 +67,7 @@ service nginx restart
 for service in {daphne,worker}.service
 do
  cp /vagrant/provisioning/$service /etc/systemd/system/$service
-  sed "s/{{DBUSER}}/$DBUSER/"     -i /etc/systemd/system/$service
-  sed "s/{{DBNAME}}/$DBNAME/"     -i /etc/systemd/system/$service
-  sed "s/{{DBPASSWD}}/$DBPASSWD/" -i /etc/systemd/system/$service
-  sed "s/{{SETTINGS}}/$SETTINGS/" -i /etc/systemd/system/$service
+  fill_template /etc/systemd/system/$service
  systemctl enable $service
  systemctl start $service
 done
@ -79,6 +87,14 @@ redis-cli -a $REDIS_PASSWD CONFIG REWRITE
 # Prepare Django
 # ---

+cd /vagrant
+
+# Setup the secrets
+sudo -H -u vagrant cp evenementiel/settings/secret_example.py \
+	              evenementiel/settings/secret.py
+fill_template evenementiel/settings/secret.py
+
+# Run the usual django admin commands
 function venv_python {
  sudo -H -u vagrant DJANGO_SETTINGS_MODULE=$SETTINGS \
                     DBUSER=$DBUSER DBNAME=$DBNAME DBPASSWD=$DBPASSWD \
@ -86,12 +102,9 @@ function venv_python {
                     $@
 }

-cd /vagrant
 venv_python manage.py collectstatic --noinput
 venv_python manage.py migrate

-unset venv_python
-

 # ---
 # Setup a friendly environment for the user
--- a/requirements-devel.txt
+++ b/requirements-devel.txt
@ -1,3 +1,4 @@
 -r requirements.txt
 django-debug-toolbar
+django-debug-panel
 ipython