chore: add support for new aas version

ansible/group_vars/production/vars.yml

@@ -79,13 +79,10 @@ secret_static_sticky:
   aws_access_key_id: "{{ vault_secret_static_sticky.aws_access_key_id }}"
   aws_secret_access_key: "{{ vault_secret_static_sticky.aws_secret_access_key }}"
   aws_default_region: "eu-central-1"
+  aas_pre_shared_key: "{{ vault_secret_static_sticky.aas_pre_shared_key }}"
 
-secret_aas:
-  github_secret: "{{ vault_secret_aas.github_secret }}"
-  sentry_endpoint: "{{ vault_secret_aas.sentry_endpoint }}"
-  contentful_endpoint: "{{ vault_secret_aas.contentful_endpoint }}"
-  pretix_token: "{{ vault_secret_aas.pretix_token }}"
-  nix_pin: "/nix/store/rglps2x0p70d3p7hmnnhiki8vsi2pxmg-python3-3.9.6-env"
+aas_env:
+  nix_pin: "/nix/store/h78dwxmqfjx5qpwfsl25lvk643jk221x-python3-3.9.6-env"
 
 static_sticky_env:
   git_ref: "master"

ansible/group_vars/staging/vars.yml

@@ -70,13 +70,10 @@ secret_static_sticky:
   aws_access_key_id: "{{ vault_secret_static_sticky.aws_access_key_id }}"
   aws_secret_access_key: "{{ vault_secret_static_sticky.aws_secret_access_key }}"
   aws_default_region: "eu-central-1"
+  aas_pre_shared_key: "{{ vault_secret_static_sticky.aas_pre_shared_key }}"
 
-secret_aas:
-  github_secret: "{{ vault_secret_aas.github_secret }}"
-  sentry_endpoint: "{{ vault_secret_aas.sentry_endpoint }}"
-  contentful_endpoint: "{{ vault_secret_aas.contentful_endpoint }}"
-  pretix_token: "{{ vault_secret_aas.pretix_token }}"
-  nix_pin: "/nix/store/rglps2x0p70d3p7hmnnhiki8vsi2pxmg-python3-3.9.6-env"
+aas_env:
+  nix_pin: "/nix/store/h78dwxmqfjx5qpwfsl25lvk643jk221x-python3-3.9.6-env"
 
 static_sticky_env:
   git_ref: "development"

ansible/roles/aas/tasks/main.yml

@@ -7,7 +7,7 @@
     home: "/var/www/aas"
     system: true
 
-- name: "permit aas user to start static-sticky deploy service"
+- name: "permit aas user to start systemd services"
   ansible.builtin.template:
     src: "sudoers.j2"
     dest: "/etc/sudoers.d/aas"
@@ -19,18 +19,14 @@
 
 - name: "fetch the aas binaries"
   ansible.builtin.command:
-    cmd: "nix-store --realize --add-root /nix/var/nix/gcroots/aas-env {{ secret_aas.nix_pin }}"
+    cmd: "nix-store --realize --add-root /nix/var/nix/gcroots/aas-env {{ aas_env.nix_pin }}"
 
-- name: "ensure config directory exists"
-  ansible.builtin.file:
-    path: "/etc/aas"
-    state: "directory"
-
-- name: "create environment file"
+- name: "create config file"
+  become_user: "aas"
+  become: true
   ansible.builtin.template:
-    src: ".env.j2"
-    dest: "/etc/aas/.env"
-    owner: "root"
+    src: "config.json.j2"
+    dest: "~/config.json"
     mode: "0600"
   notify: "restart aas"
 
@@ -47,8 +43,7 @@
     state: "link"
   notify: "reload nginx"
 
-- name:
-    "copy systemd service of aas"
+- name: "copy systemd service of aas"
   ansible.builtin.template:
     src: "aas.service.j2"
     dest: "/etc/systemd/system/aas.service"

ansible/roles/aas/templates/aas.service.j2

@@ -11,11 +11,12 @@ User=aas
 Group=www-data
 Restart=always
 
-RuntimeDirectory=aas
-RuntimeDirectoryMode=0770
+# This is also where the config.json is, the home folder of aas
+WorkingDirectory=~
+RuntimeDirectory=aas # Run under nix folders, needed for the --bind flag below
 
-EnvironmentFile=/etc/aas/.env
-ExecStart={{ secret_aas.nix_pin }}/bin/gunicorn aas:aas \
+ExecStart={{ aas_env.nix_pin }}/bin/gunicorn aas:aas \
+                                      --capture-output --log-level=debug \
                                       --workers 4 \
                                       --bind unix:/run/aas/gunicorn.sock
 

ansible/roles/aas/templates/config.json.j2

@@ -0,0 +1,11 @@
+{
+	"webhookHandlers": {
+		"runSystemd": [
+			{
+				"serviceName": "deploy-static-sticky.service",
+				"endpoint": "/webhook/github",
+				"pre-sharedKey": "{{ secret_static_sticky.aas_pre_shared_key }}"
+			}
+		]
+	}
+}

ansible/roles/aas/templates/sudoers.j2

@@ -1,3 +1,4 @@
 # {{ ansible_managed }}
 
 aas ALL=(root) NOPASSWD: /usr/bin/systemd-run --no-block --property After=deploy-static-sticky.service -- systemctl start deploy-static-sticky.service
+