Installation on Debian 12
Prerequisites
Web server
apt install apache2 libapache2-mod-wsgi-py3
systemctl enable apache2
Databases
apt install postgresql
systemctl enable postgresql
cat /etc/postgresql/15/main/pg_hba.conf
local all postgres peer
local db user md5
Creating a user:
sudo -u postgres createuser --pwprompt user
sudo -u postgres createdb --owner=user db
Access to the Postgres socket:
adduser www-data postgres
systemctl restart postgresql
Web application
For the installation, you can either download the latest available release or use the git repository directly.
Using a release
The list of releases is available here: https://gitlab.insa-rouen.fr/dsi/dev/activation/-/releases
The latest git version
cd /opt
git clone https://gitlab.insa-rouen.fr/dsi/dev/activation.git
Configuration
All configuration must go in the file conf/local_settings.py (a new file). This configuration overrides the configuration found in conf/settings.py. Here is an example of its contents:
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "NAME": "db",
        "USER": "user",
        "PASSWORD": "PASS",
        "HOST": "/var/run/postgresql",
    }
}
DEBUG = False
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_HSTS_PRELOAD = True
ALLOWED_HOSTS = ["activation.example.com"]
SECRET_KEY = "django-insecure--9w@7o0@qn^o$fby#equd3&()qfzyean3ew75(+lytfr0(+n*7"
ADMINS = [
    ("Admin", "admin@example.com"),
]
EMAIL_HOST = "smtp.example.com"
EMAIL_PORT = 25
SERVER_EMAIL = "noreply@example.com"
EMAIL_SUBJECT_PREFIX = "[ACHATS] "
CAS_SERVER_URL = "https://cas.example.com/cas/"
LDAP_SERVER = "ldap://ldap.example.com"
LDAP_USER = "cn=manager,dc=example,dc=com"
LDAP_PASSWD = "admin"
# PosixGroups
LDAP_GROUPS = "ou=SambaGroups,dc=example,dc=com"
LDAP_GROUP_ATTR = "cn"
LDAP_USERS = "ou=people,dc=example,dc=com"
LDAP_USER_ATTR = "uid"
GROUPES_DSI = ['dsi', 'dsi-externe']
GROUPES_STRUCTURE = ['secrétariat']
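The sample above contains values that must not reach production as written: a SECRET_KEY carrying Django's django-insecure- prefix, and the PASS and admin passwords. As an added example (not part of the project's code; the function names are hypothetical), this script audits a local_settings.py for those leftovers and for world-readable permissions, and generates a replacement key:

```python
import ast
import secrets
import stat
import string

# Constructed input: a local_settings.py still holding this page's sample values.
SAMPLE = '''
DATABASES = {"default": {"NAME": "db", "USER": "user", "PASSWORD": "PASS"}}
DEBUG = False
SECRET_KEY = "django-insecure--9w@7o0@qn^o$fby#equd3&()qfzyean3ew75(+lytfr0(+n*7"
LDAP_PASSWD = "admin"
'''

def load_settings(source):
    """Collect top-level literal assignments without executing the file."""
    values = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value (e.g. an os.environ lookup): not a literal
    return values

def audit(source, mode=0o640):
    """Return findings; SECRET_KEY uses the thresholds of Django's deploy check."""
    cfg = load_settings(source)
    findings = []
    key = cfg.get("SECRET_KEY")
    if isinstance(key, str) and (key.startswith("django-insecure-") or len(key) < 50):
        findings.append("SECRET_KEY")
    if cfg.get("DATABASES", {}).get("default", {}).get("PASSWORD") == "PASS":
        findings.append("DATABASES.default.PASSWORD")
    if cfg.get("LDAP_PASSWD") == "admin":
        findings.append("LDAP_PASSWD")
    if cfg.get("DEBUG") is True:
        findings.append("DEBUG")
    if mode & stat.S_IROTH:
        findings.append("file mode (world-readable)")
    return findings

def new_secret_key(length=50):
    """Generate a replacement SECRET_KEY from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("to fix:", audit(SAMPLE, mode=0o644))
    print("new SECRET_KEY:", new_secret_key())
```

On a real install, pass the file's text and `stat.S_IMODE(os.stat(path).st_mode)` to `audit()`; the file only needs to be readable by the account the WSGI daemon runs as.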
Python
apt install python3-pip python3-poetry
cd /opt/activation
poetry config virtualenvs.in-project true
./oto.sh prod_up_2
Enabling an administrator account
You must first complete an authentication through the CAS. Then:
cd /opt/activation
./oto.sh prod_sh
> user = User.objects.get(username="votre_login")
> user.is_staff = True
> user.is_superuser = True
> user.save()
Then, through the administration interface, you will need to add an IT usage charter in PDF format.
Importing users
The authorized users can now be imported from the LDAP:
/opt/activation/.venv/bin/python /opt/activation/manage.py sync_users
Configuring scheduled tasks (crontab)
30 6 * * 1-5 /opt/activation/.venv/bin/python /opt/activation/manage.py sync_users > /dev/null
Apache configuration
Reference: https://docs.djangoproject.com/en/4.2/howto/deployment/wsgi/modwsgi/
Example Apache configuration (/etc/apache2/sites-available/activation.conf):
ServerSignature off
ServerTokens prod
ServerAdmin admin@example.com
<VirtualHost activation.example.com:80>
    Redirect permanent / https://activation.example.com/
</VirtualHost>
<VirtualHost activation.example.com:443>
    ServerName activation.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/apache2/ssl/activation.crt
    SSLCertificateKeyFile /etc/apache2/ssl/activation.key
    SSLCertificateChainFile /etc/apache2/ssl/activation.ac
    DocumentRoot /var/www/html/
    Alias /favicon.ico /opt/activation/static/images/favicon.ico
    Alias /static/ /opt/activation/static/
    <Directory /opt/activation/static>
        Require all granted
    </Directory>
    WSGIDaemonProcess activation python-home=/opt/activation/.venv python-path=/opt/activation
    WSGIProcessGroup activation
    WSGIScriptAlias / /opt/activation/conf/wsgi.py process-group=activation
    <Directory /opt/activation/conf>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
a2dissite 000-default
a2ensite activation
a2enmod ssl
systemctl restart apache2