Installation sur Debian 12
Prérequis
Serveur web
apt install apache2 libapache2-mod-wsgi-py3
systemctl enable apache2
Bases de données
apt install postgresql
systemctl enable postgresql
cat /etc/postgresql/15/main/pg_hba.conf
local all postgres peer
local db user md5
Création d'un utilisateur:
sudo -u postgres createuser --pwprompt user
sudo -u postgres createdb --owner=user db
Accès à la socket Postgres:
adduser www-data postgres
systemctl restart postgresql
Application web
Pour l'installation, vous pouvez soit récupérer la dernière version disponible ou utiliser directement le dépôt git.
Utilisation d'une version
La liste des versions se trouve ici: https://gitlab.insa-rouen.fr/dsi/dev/activation/-/releases
La dernière version git
cd /opt
git clone https://gitlab.insa-rouen.fr/dsi/dev/activation.git
Configuration
Toute la configuration doit être dans le fichier conf/local_settings.py (nouveau fichier). Cette configuration va remplacer la configuration se trouvant dans conf/settings.py. Voici un exemple de contenu:
DATABASES = {
"default": {
"ENGINE": "django.db.backends.postgresql_psycopg2",
"NAME": "db",
"USER": "user",
"PASSWORD": "PASS",
"HOST": "/var/run/postgresql",
}
}
DEBUG = False
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_HSTS_PRELOAD = True
ALLOWED_HOSTS = ["activation.example.com"]
SECRET_KEY = "django-insecure--9w@7o0@qn^o$fby#equd3&()qfzyean3ew75(+lytfr0(+n*7"
ADMINS = [
("Admin", "admin@example.com"),
]
EMAIL_HOST = "smtp.example.com"
EMAIL_PORT = 25
SERVER_EMAIL = "noreply@example.com"
EMAIL_SUBJECT_PREFIX = "[ACHATS] "
CAS_SERVER_URL = "https://cas.example.com/cas/"
LDAP_SERVER = "ldap://ldap.example.com"
LDAP_USER = "cn=manager,dc=example,dc=com"
LDAP_PASSWD = "admin"
# PosixGroups
LDAP_GROUPS = "ou=SambaGroups,dc=example,dc=com"
LDAP_GROUP_ATTR = "cn"
LDAP_USERS = "ou=people,dc=example,dc=com"
LDAP_USER_ATTR = "uid"
GROUPES_DSI = ['dsi', 'dsi-externe']
GROUPES_STRUCTURE = ['secrétariat']
Python
apt install python3-pip python3-poetry
cd /opt/activation
poetry config virtualenvs.in-project true
./oto.sh prod_up_2
chown -R www-data:www-data media
Activation d'un compte administrateur
Il faut d'abord valider une authentification en utilisant le CAS. Ensuite:
cd /opt/activation
./oto.sh prod_sh
> user = User.objects.get(username="votre_login")
> user.is_staff = True
> user.is_superuser = True
> user.save()
Ensuite via l'interface d'administration il faudra ajouter une charte informatique au format PDF.
Configuration des tâches automatiques (crontab)
30 6 * * 1-5 /opt/activation/.venv/bin/python /opt/activation/manage.py sync_users > /dev/null
Configuration Apache
Référence: https://docs.djangoproject.com/en/4.2/howto/deployment/wsgi/modwsgi/
Exemple de configuration Apache (/etc/apache2/sites-available/activation.conf):
ServerSignature off
ServerTokens prod
ServerAdmin admin@example.com
<VirtualHost activation.example.com:80>
Redirect permanent / https://activation.example.com/
</VirtualHost>
<VirtualHost activation.example.com:443>
ServerName activation.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLCertificateFile /etc/apache2/ssl/activation.crt
SSLCertificateKeyFile /etc/apache2/ssl/activation.key
SSLCertificateChainFile /etc/apache2/ssl/activation.ac
DocumentRoot /var/www/html/
Alias /favicon.ico /opt/activation/static/images/favicon.ico
Alias /static/ /opt/activation/static/
<Directory /opt/activation/static>
Require all granted
</Directory>
WSGIDaemonProcess activation python-home=/opt/activation/.venv python-path=/opt/activation
WSGIProcessGroup activation
WSGIScriptAlias / /opt/activation/conf/wsgi.py process-group=activation
<Directory /opt/activation/conf>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
</VirtualHost>
a2dissite 000-default
a2ensite activation
a2enmod ssl
systemctl restart apache2