Round3 deployment fixes

.github/update-composer-json.php

@@ -0,0 +1,137 @@
+<?php
+
+// Load the composer.json and composer.lock files
+$composerJsonPath = 'composer.json';
+$composerLockPath = 'composer.lock';
+
+// Check if the files exist
+if (!file_exists($composerJsonPath) || !file_exists($composerLockPath)) {
+    echo "composer.json or composer.lock file is missing!";
+    exit(1);
+}
+
+// Read and decode the composer.json file
+$composerJson = json_decode(file_get_contents($composerJsonPath), true);
+if ($composerJson === null) {
+    echo "Error reading composer.json!";
+    exit(1);
+}
+
+// Read and decode the composer.lock file
+$composerLock = json_decode(file_get_contents($composerLockPath), true);
+if ($composerLock === null) {
+    echo "Error reading composer.lock!";
+    exit(1);
+}
+
+// Check if "repositories" exists in composer.json; if not, create it
+if (!isset($composerJson['repositories'])) {
+    $composerJson['repositories'] = [];
+}
+
+// Prepare to track any newly pinned packages
+$pinnedPackages = [];
+
+// Function to convert exact version to a range (caret operator with full version)
+function convertToVersionRange($version) {
+    // If version looks like an exact version (e.g., "2.0.53"), convert it to a range with caret
+    if (preg_match('/^(\d+)\.(\d+)\.(\d+)$/', $version, $matches)) {
+        return "^" . $matches[1] . "." . $matches[2] . "." . $matches[3];  // Convert to ^X.Y.Z (e.g., ^2.0.53)
+    }
+    // If already a version range (like "^2.0" or "~2.0"), just return it
+    return $version;
+}
+
+// Iterate through the packages in composer.lock
+foreach ($composerLock['packages'] as $package) {
+    $packageName = $package['name'];
+    $packageVersion = $package['version'];
+
+    // Convert exact version to a range using the convertToVersionRange function
+    $packageVersionRange = convertToVersionRange($packageVersion);
+
+    // Update the versions in the "require" section if the package exists
+    if (isset($composerJson['require'][$packageName])) {
+        $composerJson['require'][$packageName] = $packageVersionRange;
+    }
+
+    // If the package exists in "require-dev", update that as well
+    if (isset($composerJson['require-dev'][$packageName])) {
+        $composerJson['require-dev'][$packageName] = $packageVersionRange;
+    }
+
+    // Get the repository URL and dist type from composer.lock (either from 'dist' or 'source')
+    $repositoryUrl = null;
+    $packageHash = null;
+    $distType = 'tar'; // Default to 'tar' if no type is specified
+
+    if (isset($package['dist']['url'])) {
+        $repositoryUrl = $package['dist']['url'];
+        $packageHash = isset($package['dist']['reference']) ? $package['dist']['reference'] : null;
+        // Set the dist type based on the 'dist' section in composer.lock
+        if (isset($package['dist']['type'])) {
+            $distType = $package['dist']['type']; // Use the dist type from composer.lock
+        }
+    } elseif (isset($package['source']['url'])) {
+        $repositoryUrl = $package['source']['url'];
+        $packageHash = isset($package['source']['reference']) ? $package['source']['reference'] : null;
+        // If the package comes from a VCS, we can set type as 'vcs'
+        $distType = 'vcs';
+    }
+
+    // If no URL found, skip this package (you can handle this case as needed)
+    if (!$repositoryUrl) {
+        echo "No repository URL found for package: $packageName\n";
+        continue;
+    }
+
+    // Pin the package in the "repositories" section if it's not already pinned
+    $repositoryExists = false;
+
+    foreach ($composerJson['repositories'] as &$repo) {
+        if (isset($repo['package']) && $repo['package']['name'] === $packageName) {
+            // Update existing repository entry with the new version, URL, hash, and dist type
+            $repo['package']['version'] = $packageVersionRange;
+            $repo['package']['dist']['url'] = $repositoryUrl;
+            if ($packageHash) {
+                $repo['package']['dist']['reference'] = $packageHash;
+            }
+            $repo['package']['dist']['type'] = $distType;
+            $repositoryExists = true;
+            break;
+        }
+    }
+
+    // If repository entry does not exist, add a new one
+    if (!$repositoryExists) {
+        $composerJson['repositories'][] = [
+            'type' => 'package',  // The type is at the root level of the repository entry
+            'package' => [
+                'name' => $packageName,
+                'version' => $packageVersionRange,
+                'type' => 'library',  // Default type, you can adjust this if needed
+                'dist' => [
+                    'url' => $repositoryUrl,
+                    'type' => $distType,  // Use the dynamically derived dist type
+                    'reference' => $packageHash // Adding the hash (reference) if available
+                ]
+            ]
+        ];
+        // Track pinned package
+        $pinnedPackages[] = $packageName;
+    }
+}
+
+// Write the updated composer.json back to the file
+if (file_put_contents($composerJsonPath, json_encode($composerJson, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . PHP_EOL)) {
+    echo "composer.json has been updated with the versions from composer.lock.\n";
+    if (count($pinnedPackages) > 0) {
+        echo "The following packages were pinned to repositories:\n";
+        foreach ($pinnedPackages as $packageName) {
+            echo "  - $packageName\n";
+        }
+    }
+} else {
+    echo "Failed to update composer.json.\n";
+    exit(1);
+}

.github/workflows/auto-assign-pr.yml

@@ -0,0 +1,24 @@
+name: Auto-Assign PR
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  issues: write
+
+jobs:
+  assign:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Assign PR to repo owner
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GH_ADMIN_TOKEN }}
+          script: |
+            await github.rest.issues.addAssignees({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              assignees: ["proditis"]
+            });

.markdownlint.yaml

@@ -3,4 +3,6 @@ MD012: false
 MD013: false
 # Disable required empty line after heading
 MD022: false
-MD033: false
+MD033: false
+MD040: false
+MD043: false

ansible/Dockerfiles/sanitycheck/variables.yml

@@ -12,6 +12,7 @@ writeup_allowed: 0
 headshot_spin: 0
 instance_allowed: 0
 TargetOndemand: false
+dynamic_treasures: 0
 container:
   name: "{{hostname}}"
   hostname: "{{fqdn}}"

ansible/files/pui.service.conf

@@ -1,16 +1,16 @@
 
 # Allow users to connect to port 80/443
 pass in quick on egress inet proto tcp from {<moderators>, <administrators>} to (egress:0) port 8888 rdr-to 127.0.0.1
+pass in quick on interconnect inet proto tcp from (interconnect:network) to (interconnect:0) port 8888 rdr-to 127.0.0.1
+
 pass quick from <administrators> label "administrators"
 
 pass quick inet proto tcp from <moderators> to (egress:0) port { 80 , 443 } label "www-moderators"
 
 # FOR DT OPERATIONS
 pass in quick inet proto tcp from <maintenance> to port 80 rdr-to 127.0.0.1 port 8080 label "maintenance"
 pass in quick inet proto tcp from <maintenance> to port 443 rdr-to 127.0.0.1 port 8443 label "maintenance"
-block in quick on egress inet proto tcp from <maintenance> to (egress:0) port 8888
 
 pass in on egress inet proto tcp from <venue> to port { 80, 443 } label "www-normal"
 pass in on egress inet proto tcp to port { 80, 443 } label "www-normal"
-pass in quick on egress inet proto tcp to (egress:0) port 8888 rdr-to 127.0.0.1
 

ansible/inventories/servers/host_vars/registry.yml

@@ -5,7 +5,7 @@ registry_storage: "/storage"
 registry_bind_ip: "0.0.0.0"
 registry_bind_port: "5000"
 registry_targets_if: if0
-registry_targets_cidr: 10.0.100.0/24
+registry_targets_cidr: 10.0.0.100/24
 backups:
   - { tgz: "/altroot/root.tgz", src: '/root' }
   - { tgz: "/altroot/etc.tgz", src: '/etc'  }

ansible/maintenance/authorized_keys.yml

@@ -0,0 +1,33 @@
+---
+- name: Update authorized SSH keys for a user
+  hosts: all
+  become: true
+
+  vars:
+    target_user: root
+
+  pre_tasks:
+    - name: Ensure ssh_keys_source is provided
+      ansible.builtin.fail:
+        msg: "You must provide ssh_keys_source (file path or URL)"
+      when: ssh_keys_source is not defined
+
+    - name: Load SSH public keys from file or URL
+      ansible.builtin.set_fact:
+        ssh_public_keys: >-
+          {{
+            lookup(
+              ssh_keys_source is match('^https?://')
+              | ternary('url', 'file'),
+              ssh_keys_source
+            )
+          }}
+
+  tasks:
+    - name: Update authorized_keys for user
+      ansible.posix.authorized_key:
+        user: "{{ target_user }}"
+        key: "{{ ssh_public_keys }}"
+        manage_dir: true
+        state: present
+        # exclusive: true   # uncomment to replace all existing keys

ansible/maintenance/sync-github.yml

@@ -0,0 +1,32 @@
+#!/usr/bin/env ansible-playbook
+---
+- name: Update deployed application from Git
+  hosts: all
+  tasks:
+    - name: Ensure repository is up to date
+      git:
+        repo: "{{ GITHUB_REPO }}"
+        dest: "{{ REPO }}"
+        version: "{{ GITHUB_REPO_BRANCH }}"
+        force: yes
+        accept_hostkey: yes
+        update: yes
+      notify: restart applications
+      register: git_result
+
+    - name: Clean untracked files (preserving paths)
+      shell: git clean -fd {{ '-n' if ansible_check_mode else '' }} {% for p in PRESERVE_PATHS %}-e {{ p }} {% endfor %}
+      args:
+        chdir: "{{ REPO }}"
+      register: clean_result
+      changed_when: clean_result.stdout != ""
+      when: git_result.changed and PRESERVE_PATHS is defined
+      notify: restart applications
+
+  handlers:
+    - name: restart applications
+      when: APP_SERVICES is defined
+      service:
+        name: "{{ item }}"
+        state: restarted
+      loop: "{{ APP_SERVICES }}"

ansible/runonce/db.yml

@@ -411,6 +411,27 @@
       group: wheel
       mode: '0555'
 
+  - name: copy watchdoger script
+    copy:
+      src: ../../contrib/watchdoger.py
+      dest: /usr/local/bin/watchdoger
+      owner: root
+      group: wheel
+      mode: '0555'
+
+  - name: Install watchdoger.ini for supervisord
+    copy:
+      dest: /etc/supervisord.d/watchdoger.ini
+      content: |
+        [program:watchdoger]
+        user = root
+        command = /usr/local/bin/watchdoger --file_path /tmp/event_finished --url {{ wsserver.url | default("http://10.7.0.200:8888/broadcast") }} --token {{ wsserver.token | default("server123token") }}
+        autorestart = false
+        startretries = 0
+        stdout_logfile=/var/log/watchdoger.log
+        stdout_logfile_maxbytes=0
+        redirect_stderr=true
+
   - name: Setting up sysctl.conf
     sysctl:
       name: "{{ item.key }}"

ansible/runonce/docker-registry.yml

@@ -137,7 +137,7 @@
       content: "{{item.content|default(omit)}}"
     with_items:
       - { dest: "/etc/pf.conf", src: "../files/pf.conf"}
-      - { dest: "/etc/service.pf.conf", content: "anchor \"dynamic\"\npass quick inet proto tcp from <service_clients> to port {{registry_bind_port}} label \"service_clients\"\n"}
+      - { dest: "/etc/service.pf.conf", content: "pass quick from <administrators> label \"administrators\"\nanchor \"dynamic\"\npass quick inet proto tcp from <service_clients> to port {{registry_bind_port}} label \"service_clients\"\n"}
       - { dest: "/etc/service_clients.conf", content: "{{registry_targets_cidr}}\n"}
 
   - name: Dump administrators PF table (if exists)