From 053504d099b8a15e5123a068bf38b1c7dbecb399 2023-09-14 08:14:22
From: Ben Sturmfels <ben@sturm.com.au>
Date: 2023-09-14 08:14:22
Subject: [PATCH] Update "cleanup" and "update" services for Python 3

---

diff --git a/README.md b/README.md
index 85a1b581dcdd9cfef9fe70acb28ebd40d6bb4f9b..809274f720cad79ede411cb77ad678961d7f6be0 100644
--- a/README.md
+++ b/README.md
@@ -11,8 +11,7 @@ this repository elsewhere, such as Github, are for backup purposes
 only..
 
 
-License
--------
+# License
 
 The software included herein, such as the Python source files, are generally
 licensed [AGPLv3](AGPLv3)-or-later.  The Javascript is a hodgepodge of
@@ -23,35 +22,29 @@ The content and text (such as the HTML files) is currently
 [CC-BY-SA-3.0](CC-By-SA-3.0).
 
 
-Server configuration
---------------------
+# Server configuration
 
-conservancy's webserver runs on a machine called aspen.sfconservancy.org, which
-is a standard Debian installation.
+Conservancy's webserver runs on a standard Debian installation. For
+configuration requirements, see `deploy/ansible/install.yml`.
 
-The following packages are installed to make Django and Apache work on a
-squeeze install:
 
-    $ aptitude install python-django apache2 sqlite3 python3-sqlite libapache2-mod-wsgi-py3
-
-
-Django setup
-------------
+# Django setup
 
 0. Make sure the Python module 'djangopw', with the global variable
    'djangoadmin_password' is somewhere importable in the default
    PYTHON_PATH.
 
 
-Local development
----------
+# Local development
+
+Python dependencies are tied to the versions available in Debian.
 
     python3 -m pip install -r requirements.txt
     cd www
     python manage.py runserver
 
-Deploying
----------
+
+# Deploying
 
 Changes pushed to the https://k.sfconservancy.org/website repository are
 automatically deployed to the production website by the `conservancy-www-update`
diff --git a/systemd/README.md b/systemd/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..0119860d6e21932473c3009f996e529f3a520c2f
--- /dev/null
+++ b/systemd/README.md
@@ -0,0 +1,17 @@
+Install with:
+
+    cp systemd/conservancy-www-*.{service,timer} /etc/systemd/system
+    systemctl enable conservancy-www-cleanup.service
+    systemctl start conservancy-www-cleanup.service
+    systemctl enable conservancy-www-update.timer
+    systemctl start conservancy-www-update.timer
+
+Monitor with:
+
+    systemctl list-timers --all
+    journalctl --catalog --follow --unit conservancy-www-update.service
+
+Updates will fail unless `/var/www/website` has a git upstream, so set that with:
+
+    git remote add upstream https://k.sfconservancy.org/website
+    git branch --set-upstream-to=upstream/master master
diff --git a/systemd/conservancy-www-cleanup.service b/systemd/conservancy-www-cleanup.service
index 8ce1e3253a318b07cbb30fe5cb45f03a1ad4560a..fe40af75b03b0624c6a1c935ca081700a9f49e28 100644
--- a/systemd/conservancy-www-cleanup.service
+++ b/systemd/conservancy-www-cleanup.service
@@ -4,8 +4,8 @@ Before=apache2.service
 
 [Service]
 Type=oneshot
-User=www
-ExecStart=/usr/bin/python /var/www/website/www/manage.py clearsessions --verbosity 0
+User=www-data
+ExecStart=/usr/bin/python3 /var/www/website/www/manage.py clearsessions --verbosity 0
 
 SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
 CapabilityBoundingSet=
diff --git a/systemd/conservancy-www-update.service b/systemd/conservancy-www-update.service
index a2f363b08343f267964eae28521ffbdfd6317d39..5ccaca8498457d48098c65438e7c4a6744f6ef4a 100644
--- a/systemd/conservancy-www-update.service
+++ b/systemd/conservancy-www-update.service
@@ -3,7 +3,7 @@ Description=Update Conservancy website checkout
 
 [Service]
 Type=oneshot
-User=www
+User=www-data
 WorkingDirectory=/var/www/website
 ExecStart=/var/www/website/systemd/conservancy-www-update.sh
 
diff --git a/systemd/conservancy-www-update.sh b/systemd/conservancy-www-update.sh
index 1e7b18f081eec125a6412cac37e5a033e3b9d653..da8f980be2baef5ad7fe887dfc9ec413510103f1 100755
--- a/systemd/conservancy-www-update.sh
+++ b/systemd/conservancy-www-update.sh
@@ -30,7 +30,7 @@ fi
 
 exitcode=0
 git merge --quiet --ff-only "$git_remote" "$git_refspec"
-python2 -m compileall -q -x - www || exitcode=$?
+python3 -m compileall -q -x - www || exitcode=$?
 chgrp -R www-data www || exitcode=$?
 chmod -R g+rX-w,o+X-w www || exitcode=$?
 chmod -R o+r www/conservancy/static || exitcode=$?
diff --git a/www/conservancy/settings.py b/www/conservancy/settings.py
index f0c2796bb57a5cc7a5fba652c7e9e081745a7270..a0b592dfb41a4e9353fa4a468f7e7e359301e8d3 100644
--- a/www/conservancy/settings.py
+++ b/www/conservancy/settings.py
@@ -28,7 +28,7 @@ FORCE_CANONICAL_HOSTNAME = False if DEBUG else 'sfconservancy.org'
 
 ALLOWED_HOSTS = [ 'www.sfconservancy.org', 'aspen.sfconservancy.org', 'sfconservancy.org',  '104.130.70.210' ]
 if DEBUG:
-    ALLOWED_HOSTS.append('localhost')
+    ALLOWED_HOSTS = ['*']
 
 REDIRECT_TABLE = {
     'www.sf-conservancy.org': 'sfconservancy.org',