
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index 8eac137..a4a6d1f 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,272 +1,265 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Vault configuration
#
# :: vault_policies_path: path on vault server where to store policies
#
# :: vault_policies_source: path to fetch policies from
# if starting by salt://, from salt files server
#
# :: vault_mount_paths: translates secrets paths in policies paths
#
# Generally, Vault paths are the same for policies and data access.
#
# For kv secrets engine, version 2, writing and reading versions
# of a kv value are prefixed with the data/ path.
#
# credentials.build_policies_by_node will use this dictionary
# to be able to rewrite secrets paths in data paths.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies_path: /srv/policies/vault
vault_policies_source: /srv/policies/vault
vault_mount_paths:
ops/secrets: ops/data/secrets
ops/privacy: ops/data/privacy
apps: apps/data
# -------------------------------------------------------------
# Vault policies to deploy as-is, ie without templating.
#
# Entries of vault_policies must match a .hcl file in
# roles/vault/policies/files folder.
#
# If you need a template, create a new pillar entry instead
# and add the parsing logic either:
# - directly to roles/vault/policies/
#
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g. vault_secrets_by_role
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
- admin
- airflow
- salt-primary
- sentry
- vault_bootstrap
- viperserv
# -------------------------------------------------------------
# Vault policies for Salt
#
# Declare the extra policies each nodes need.
#
# In adition of those extra policies, the vault_secrets_by_role
# will be parsed for the keys.
#
# IMPORTANT: as grains['roles'] can be modified by the node,
# roles are extracted directly from the pillar.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_extra_policies_by_role:
salt-primary:
- salt-primary
# -------------------------------------------------------------
# Vault secrets by role
#
# Paths of the keys the specified role needs access to.
#
# Avoid * notation as this namespace is shared between Vault
# and the applications. As such, only secrets the Salt nodes
# needs in a state they need to deploy should be listed here.
#
# Use %%node%% as variable for node name.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_role:
devserver:
- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
- ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
opensearch:
- - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
- - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards
+ - ops/secrets/nasqueron/opensearch/infra-logs/internal_users/admin
+ - ops/secrets/nasqueron/opensearch/infra-logs/internal_users/dashboards
paas-docker-prod:
#
# Personal data or personally identifiable information (PII)
# related to Nasqueron Operations SIG members.
#
- ops/privacy/ops-cidr
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
+ - ops/secrets/nasqueron/acquisitariat/mysql
+
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/auth-grove/mysql
+
+ - ops/secrets/nasqueron/cachet/app_key
+ - ops/secrets/nasqueron/cachet/mysql
+
+ - ops/secrets/nasqueron/etherpad/api
- ops/secrets/nasqueron/etherpad/mysql
- ops/secrets/nasqueron/etherpad/users/dereckson
+ - ops/secrets/nasqueron/notifications/broker
+ - ops/secrets/nasqueron/notifications/mailgun
+ - ops/secrets/nasqueron/notifications/sentry
+
+ - ops/secrets/nasqueron/notifications/credentials/github/nasqueron
+ - ops/secrets/nasqueron/notifications/credentials/github/wolfplex
+ - ops/secrets/nasqueron/notifications/credentials/github/keruald
+ - ops/secrets/nasqueron/notifications/credentials/github/trustspace
+ - ops/secrets/nasqueron/notifications/credentials/github/eglide
+ - ops/secrets/nasqueron/notifications/credentials/phabricator/nasqueron
+
+ - apps/notifications-center/dockerhub/notifications
+ - apps/notifications-center/dockerhub/auth-grove
+
- ops/secrets/nasqueron/penpot/github
- ops/secrets/nasqueron/penpot/postgresql
- ops/secrets/nasqueron/penpot/secret_key
+ - ops/secrets/nasqueron/pixelfed/app_key
+ - ops/secrets/nasqueron/pixelfed/mailgun
+ - ops/secrets/nasqueron/pixelfed/mysql
+
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
+ - ops/secrets/nasqueron/sentry/app_key
- ops/secrets/nasqueron/sentry/geoipupdate
-
- #
- # Credentials used by Nasqueron services
- # Format: ops/secrets/nasqueron.<service>.<type>
- #
-
- - ops/secrets/nasqueron.acquisitariat.mysql
-
- - ops/secrets/nasqueron.auth-grove.mysql
-
- - ops/secrets/nasqueron.cachet.app_key
- - ops/secrets/nasqueron.cachet.mysql
-
- - ops/secrets/nasqueron.etherpad.api
-
- - ops/secrets/nasqueron.notifications.broker
- - ops/secrets/nasqueron.notifications.mailgun
- - ops/secrets/nasqueron.notifications.sentry
-
- - ops/secrets/nasqueron.notifications.credentials_github_nasqueron
- - ops/secrets/nasqueron.notifications.credentials_github_wolfplex
- - ops/secrets/nasqueron.notifications.credentials_github_keruald
- - ops/secrets/nasqueron.notifications.credentials_github_trustspace
- - ops/secrets/nasqueron.notifications.credentials_github_eglide
- - ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron
-
- - apps/notifications-center/dockerhub/notifications
- - apps/notifications-center/dockerhub/auth-grove
-
- - ops/secrets/nasqueron.pixelfed.app_key
- - ops/secrets/nasqueron.pixelfed.mailgun
- - ops/secrets/nasqueron.pixelfed.mysql
-
- - ops/secrets/nasqueron.sentry.app_key
- - ops/secrets/nasqueron.sentry.postgresql
- - ops/secrets/nasqueron.sentry.vault
+ - ops/secrets/nasqueron/sentry/postgresql
+ - ops/secrets/nasqueron/sentry/vault
#
# Credentials used by Nasqueron members private services
- # Format: <username>.<service>.<type>
+ # Format: <username>/<service>/<type>
#
- - ops/secrets/dereckson.phabricator.mysql
+ - ops/secrets/dereckson/phabricator/mysql
#
# Credentials used by projects hosted by Nasqueron
- # Format: <project name>.<service>.<type>
+ # Format: <project name>/<service>/<type>
#
- ops/secrets/dbserver/cluster-A/users/corspat
- - ops/secrets/espacewin.phpbb.mysql_root
+ - ops/secrets/espacewin/phpbb/mysql_root
- - ops/secrets/wolfplex.phabricator.mailgun
- - ops/secrets/wolfplex.phabricator.mysql
+ - ops/secrets/wolfplex/phabricator/mailgun
+ - ops/secrets/wolfplex/phabricator/mysql
- - ops/secrets/zed.phabricator.mysql
- - ops/secrets/zed.phabricator.sendgrid
+ - ops/secrets/zed/phabricator/mysql
+ - ops/secrets/zed/phabricator/sendgrid
paas-docker-dev:
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/nasqueron/airflow/vault
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/orbeon/oxf.crypto.password
- ops/secrets/nasqueron/orbeon/users/dereckson
- ops/secrets/dbserver/cluster-A/users/orbeon
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
- - ops/secrets/nasqueron.notifications.sentry
+ - ops/secrets/nasqueron/notifications/sentry
#
# Credentials used by projects hosted by Nasqueron
- # Format: <project name>.<service>.<type>
+ # Format: <project name>/<service>/<type>
#
- - ops/secrets/espacewin.bugzilla.mysql
- - ops/secrets/espacewin.bugzilla.mysql_root
+ - ops/secrets/espacewin/bugzilla/mysql
+ - ops/secrets/espacewin/bugzilla/mysql_root
saas-mediawiki:
- ops/secrets/dbserver/cluster-B/users/saas-mediawiki
- ops/secrets/nasqueron/mediawiki/secret_key
saas-wordpress:
- ops/secrets/dbserver/cluster-B/users/dereckson_blog
- ops/secrets/dereckson/wordpress/secrets
viperserv:
- - ops/secrets/nasqueron.viperserv.vault
+ - ops/secrets/nasqueron/viperserv/vault
webserver-alkane-prod:
- ops/secrets/dbserver/cluster-B/users/dereckson_www
- ops/secrets/dbserver/cluster-B/users/zed
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users
- ops/secrets/zed/hypership/secret_key
#
# Wolfplex credentials
#
- - ops/secrets/nasqueron.etherpad.api
+ - ops/secrets/nasqueron/etherpad/api
webserver-alkane-dev:
- ops/secrets/dbserver/cluster-B/users/dereckson_www51
webserver-legacy:
#
# Wolfplex credentials
#
- - ops/secrets/nasqueron.etherpad.api
+ - ops/secrets/nasqueron/etherpad/api
# -------------------------------------------------------------
# Vault secrets by dbserver cluster
#
# Paths of the keys the specified role needs access to.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_dbserver_cluster:
# Main PostgreSQL cluster
A:
- ops/secrets/dbserver/cluster-A/users/*
# Main MariaDB cluster - Alkane PaaS, ViperServ
B:
- ops/secrets/dbserver/cluster-B/users/*
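Review bot: The policy lists switch every entry from the dotted `nasqueron.<service>.<type>` keys to the slashed layout, but nothing in the commit moves or retires the data stored at the old keys, and because `vault_mount_paths` rewrites `ops/secrets/` to `ops/data/secrets/` (kv v2) the old versions and their metadata remain under the mount with no policy referencing them unless they were destroyed out of band. If the values were copied rather than moved, the migration should end with deleting the dotted keys (metadata included) once every consumer is on the new paths, and it is worth confirming the new keys exist before the regenerated policies are applied, since a node would otherwise lose access to a credential its state still deploys. The references in the pillar/paas, pillar/notifications and pillar/opensearch hunks all match entries in this list, so the policy side is consistent. A comment recording the convention would help the next reader, e.g. `# Layout: ops/secrets/<owner>/<service>/<type>; the former dotted nasqueron.<service>.<type> keys are retired.`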
diff --git a/pillar/notifications/config.sls b/pillar/notifications/config.sls
index 836d82a..16618e3 100644
--- a/pillar/notifications/config.sls
+++ b/pillar/notifications/config.sls
@@ -1,166 +1,166 @@
# -------------------------------------------------------------
# Notifications center
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Credentials
#
# The secret key value is the Vault key path for this secret,
# it will be passed to the credentials.get_token method.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_credentials:
services:
# Nasqueron
- gate: GitHub
door: Nasqueron
- secret: nasqueron.notifications.credentials_github_nasqueron
+ secret: nasqueron/notifications/credentials/github/nasqueron
- gate: GitHub
door: Wolfplex
- secret: nasqueron.notifications.credentials_github_wolfplex
+ secret: nasqueron/notifications/credentials/github/wolfplex
- gate: GitHub
door: Keruald
- secret: nasqueron.notifications.credentials_github_keruald
+ secret: nasqueron/notifications/credentials/github/keruald
- gate: GitHub
door: TrustSpace
- secret: nasqueron.notifications.credentials_github_trustspace
+ secret: nasqueron/notifications/credentials/github/trustspace
- gate: GitHub
door: Eglide
- secret: nasqueron.notifications.credentials_github_eglide
+ secret: nasqueron/notifications/credentials/github/eglide
- gate: Phabricator
door: Nasqueron
instance: https://devcentral.nasqueron.org
- secret: nasqueron.notifications.credentials_phabricator_nasqueron
+ secret: nasqueron/notifications/credentials/phabricator/nasqueron
# -------------------------------------------------------------
# Docker Hub build triggers
#
# Key: the repository, the same in GitHub and Docker Hub
# Value: the *full* path to Vault secret
#
# This vault secret should use the following format:
# source: the UUID after /source/
# trigger: the UUID after /trigger/
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_dockerhub_triggers:
nasqueron/auth-grove: apps/notifications-center/dockerhub/auth-grove
nasqueron/notifications: apps/notifications-center/dockerhub/notifications
# -------------------------------------------------------------
# Payload analyzer configuration
#
# The content of notifications_configuration will be split
# into folders and JSON files, converted from YAML objects.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_configuration:
GitHubPayloadAnalyzer:
default: &default
administrativeGroup: orgz
defaultGroup: ''
map: []
Nasqueron:
administrativeGroup: orgz
defaultGroup: nasqueron
map:
- group: docker
items:
- docker-*
- group: tasacora
items:
- tasacora-*
- group: devtools
items:
- notifications
- notifications-cli-client
- group: ops
items:
- decommission
- discourse-config
- ftp
- operations
- servers-*
- zemke-rhyne
JenkinsPayloadAnalyzer:
default:
defaultGroup: ci
map: []
notifyOnlyOnFailure: []
Nasqueron:
defaultGroup: ci
map:
- group: wikidata
items:
- deploy-irc-daeghrefn-wikidata
- group: ops
items:
- deploy-website-*
- test-prod-env
- group: devtools
items:
- test-notifications-*
notifyOnlyOnFailure:
- test-prod-env
PhabricatorPayloadAnalyzer:
default: *default
Nasqueron:
administrativeGroup: orgz
defaultGroup: nasqueron
map:
- group: docker
items:
- Docker images
- Nasqueron Docker deployment squad
words:
- Docker
- group: tasacora
items:
- Tasacora
words:
- Tasacora
- cartography
- group: trustspace
items:
- TrustSpace
- group: ops
items:
- Continous integration and delivery
- IPv6
- Mail
- Message queues
- Murasil
- Nasqueron security operations squad
- Servers
- Ops-sprint-*
- Salt
words:
- Ysul
- Dwellers
- Eglide
- pkg audit
wordsAreStrong: true
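Review bot: The header comment above `notifications_credentials` still says only that the secret value is "the Vault key path", yet the new `secret:` values are written without the `ops/secrets/` mount prefix while the `notifications_dockerhub_triggers` block right below insists on the *full* path for its values. Which form `credentials.get_token` expects is not visible here; if it prepends the mount, as the matching `ops/secrets/nasqueron/notifications/credentials/github/...` entries in pillar/credentials/vault.sls suggest, the comment should say so, e.g. `# Relative to the ops/secrets mount; the policy grants ops/secrets/<value>.` The slashed values are plain scalars that need no quoting, and each one lines up with the paas-docker-prod policy list in that file.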
diff --git a/pillar/opensearch/clusters.sls b/pillar/opensearch/clusters.sls
index cb0fa6a..19f25ee 100644
--- a/pillar/opensearch/clusters.sls
+++ b/pillar/opensearch/clusters.sls
@@ -1,19 +1,19 @@
#
# Currently, declare OpenSearch clusters as single-node, per machine.
#
opensearch_clusters:
#
# Infrastructure: logs and metrics
#
infra_logs:
cluster_name: infra-logs
cluster_type: single-node
nodes:
- cloudhugger
users:
- admin: nasqueron.opensearch.infra-logs.internal_users.admin
- dashboards: nasqueron.opensearch.infra-logs.internal_users.dashboards
+ admin: nasqueron/opensearch/infra-logs/internal_users/admin
+ dashboards: nasqueron/opensearch/infra-logs/internal_users/dashboards
heap_size: 26G
diff --git a/pillar/paas/docker/docker-002/etherpad.sls b/pillar/paas/docker/docker-002/etherpad.sls
index a4e6bde..2510839 100644
--- a/pillar/paas/docker/docker-002/etherpad.sls
+++ b/pillar/paas/docker/docker-002/etherpad.sls
@@ -1,41 +1,41 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
docker_images:
- nasqueron/etherpad:production
docker_containers:
etherpad:
pad:
app_port: 34080
host: pad.nasqueron.org
aliases:
- pad.wolfplex.org
- pad.wolfplex.be
- credential: nasqueron.etherpad.api
+ credential: nasqueron/etherpad/api
mysql_link: acquisitariat
etherpad_settings:
pad:
title: Nasqueron pad
defaultPadText: |
Welcome to this Etherpad instance, shared between Wolfplex and Nasqueron projects.
This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents.
Warning: the pad URL is public, it will be listed at https://www.wolfplex.org/pad/ and also available through a public API call to https://api.wolfplex.org/pads/
favicon: "https://www.wolfplex.org/favicon.ico"
mysql:
host: mysql
credential: nasqueron/etherpad/mysql
database: etherpad
users:
dereckson:
credential: nasqueron/etherpad/users/dereckson
is_admin: True
diff --git a/pillar/paas/docker/docker-002/main.sls b/pillar/paas/docker/docker-002/main.sls
index 6708012..631ae65 100644
--- a/pillar/paas/docker/docker-002/main.sls
+++ b/pillar/paas/docker/docker-002/main.sls
@@ -1,304 +1,304 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
docker_aliases:
- &ipv4_docker002 51.255.124.9
- &ipv4_docker002_restricted 172.27.27.5
# -------------------------------------------------------------
# Images
#
# You can append a :tag (by default, latest is used).
#
# It's not possible to specify Docker library images only by final name.
# See https://docs.saltstack.com/en/latest/ref/states/all/salt.states.docker_image.html
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_images:
- certbot/certbot
# Core services
- library/postgres
- library/redis:3.2-alpine
- library/registry
- nasqueron/mysql
- nasqueron/mysql:5.7
- nasqueron/rabbitmq
# ACME DNS server
- joohoi/acme-dns
# Nasqueron services
- nasqueron/auth-grove
# Nasqueron API microservices
- nasqueron/docker-registry-api
- nasqueron/api-datasources
# Infrastructure and development services
- nasqueron/aphlict
- nasqueron/cachet
- nasqueron/notifications
- nasqueron/phabricator
- ghcr.io/hound-search/hound
# Pixelfed
- nasqueron/pixelfed
# Hauk
- bilde2910/hauk
# -------------------------------------------------------------
# Docker engine configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_daemon:
data-root: /srv/docker
# -------------------------------------------------------------
# Containers
#
# The docker_containers entry allow to declare containers
# by service. Generally a service matches an image.
#
# The hierarchy is so as following.
#
# docker_containers:
# service codename:
# instance name:
# container properties
#
# The service codename must match a state file in
# the roles/paas-docker/containers/ directory.
#
# The container will be run with the specified instance name.
#
# **nginx**
#
# The container properties can also describe the information
# needed to configure nginx with the host and app_port key.
#
# In such case, a matching vhost file should be declared as
# roles/paas-docker/nginx/files/vhosts/<service codename>.sls
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_containers:
#
# Core services
#
mysql:
acquisitariat:
credentials:
- root: nasqueron.acquisitariat.mysql
+ root: nasqueron/acquisitariat/mysql
phpbb_db:
credentials:
- root: espacewin.phpbb.mysql_root
+ root: espacewin/phpbb/mysql_root
redis:
pixelfed_redis: {}
registry:
registry:
host: registry.nasqueron.org
app_port: 5000
allowed_ips:
# Localhost
- 127.0.0.1
# Dwellers
- 172.27.27.4
# docker-002
- 172.27.27.5
rabbitmq:
white-rabbit:
ip: *ipv4_docker002_restricted
host: white-rabbit.nasqueron.org
app_port: 15672
credentials:
erlang_cookie: nasqueron/rabbitmq/white-rabbit/erlang-cookie
root: nasqueron/rabbitmq/white-rabbit/root
#
# Phabricator
#
phabricator:
# Nasqueron instance
devcentral:
app_port: 31080
host: devcentral.nasqueron.org
aliases:
- phabricator.nasqueron.org
blogs:
servers:
host: servers.nasqueron.org
aliases:
- server.nasqueron.org
- serveur.nasqueron.org
- serveurs.nasqueron.org
mailer: mailgun
credentials:
- mysql: zed.phabricator.mysql
+ mysql: zed/phabricator/mysql
static_host: devcentral.nasqueron-user-content.org
title: Nasqueron DevCentral
mysql_link: acquisitariat
skip_container: True
# Private instance for Dereckson
river_sector:
app_port: 23080
host: river-sector.dereckson.be
static_host: river-sector.nasqueron-user-content.org
mailer: _
credentials:
- mysql: dereckson.phabricator.mysql
+ mysql: dereckson/phabricator/mysql
storage:
namespace: river_sector
title: River Sector
mysql_link: acquisitariat
# Wolfplex instance
wolfplex_phab:
app_port: 35080
host: phabricator.wolfplex.org
aliases:
- phabricator.wolfplex.be
static_host: wolfplex.phabricator.nasqueron-user-content.org
mailer: mailgun
credentials:
- mailgun: wolfplex.phabricator.mailgun
- mysql: wolfplex.phabricator.mysql
+ mailgun: wolfplex/phabricator/mailgun
+ mysql: wolfplex/phabricator/mysql
storage:
namespace: wolfphab
title: Wolfplex Phabricator
mysql_link: acquisitariat
# Zed instance
zed_code:
app_port: 36080
host: code.zed.dereckson.be
static_host: zed.phabricator.nasqueron-user-content.org
mailer: sendgrid
credentials:
- mysql: zed.phabricator.mysql
- sendgrid: zed.phabricator.sendgrid
+ mysql: zed/phabricator/mysql
+ sendgrid: zed/phabricator/sendgrid
storage:
namespace: zedphab
title: Zed
mysql_link: acquisitariat
aphlict:
aphlict:
ports:
client: 22280
admin: 22281
#
# Notifications center
#
notifications:
notifications:
host: notifications.nasqueron.org
app_port: 37080
broker_link: white-rabbit
credentials:
- broker: nasqueron.notifications.broker
- mailgun: nasqueron.notifications.mailgun
+ broker: nasqueron/notifications/broker
+ mailgun: nasqueron/notifications/mailgun
sentry:
realm: nasqueron
project_id: 2
- credential: nasqueron.notifications.sentry
+ credential: nasqueron/notifications/sentry
#
# Community and development services
#
# Hauk
hauk:
hauk:
app_port: 43080
host: geo.nasqueron.org
api_entry_point: /hauk
#
# Let's Encrypt
#
acme_dns:
acme:
ip: *ipv4_docker002
app_port: 41080
host: acme.nasqueron.org
nsadmin: ops.nasqueron.org
#
# CI and CD
#
#
# Infrastructure and development services
#
hound:
hound:
app_port: 44080
host: code.nasqueron.org
github_account: nasqueron
cachet:
cachet:
app_port: 39080
host: status.nasqueron.org
- credential: nasqueron.cachet.mysql
- app_key: nasqueron.cachet.app_key
+ credential: nasqueron/cachet/mysql
+ app_key: nasqueron/cachet/app_key
mysql_link: acquisitariat
auth-grove:
login:
app_port: 25080
host: login.nasqueron.org
- credential: nasqueron.auth-grove.mysql
+ credential: nasqueron/auth-grove/mysql
mysql_link: acquisitariat
# API microservices
docker-registry-api:
api-docker-registry:
app_port: 20080
api_entry_point: /docker/registry
registry_instance: registry
api-datasources:
api-datasources:
app_port: 19080
api_entry_point: /datasources
# phpBB SaaS
# The SaaS uses a MySQL instance, declared in the MySQL section.
# Pixelfed
pixelfed:
pixelfed:
app_port: 30080
host: photos.nasqueron.org
aliases:
- photo.nasqueron.org
links:
mysql: acquisitariat
redis: pixelfed_redis
credentials:
- app_key: nasqueron.pixelfed.app_key
- mailgun: nasqueron.pixelfed.mailgun
- mysql: nasqueron.pixelfed.mysql
+ app_key: nasqueron/pixelfed/app_key
+ mailgun: nasqueron/pixelfed/mailgun
+ mysql: nasqueron/pixelfed/mysql
app:
title: Nasqueron Photos
max_album_length: 16
diff --git a/pillar/paas/docker/docker-002/sentry.sls b/pillar/paas/docker/docker-002/sentry.sls
index 30d8193..b7bf732 100644
--- a/pillar/paas/docker/docker-002/sentry.sls
+++ b/pillar/paas/docker/docker-002/sentry.sls
@@ -1,255 +1,255 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Service: Sentry
# -------------------------------------------------------------
docker_networks:
sentry:
subnet: 172.18.3.0/24
docker_images:
- library/redis:3.2-alpine
- getsentry/relay:nightly
- getsentry/snuba:nightly
- nasqueron/postgres-sentry
- nasqueron/sentry:nightly
- getsentry/symbolicator:nightly
- tianon/exim4
- yandex/clickhouse-server:20.3.9.70
docker_containers:
#
# Core services used by Sentry
#
exim:
sentry_smtp:
mailname: mx.sentry.nasqueron.org
network: sentry
memcached:
sentry_memcached:
version: 1.6.9-alpine
network: sentry
redis:
sentry_redis:
network: sentry
postgresql:
sentry_db:
image: nasqueron/postgres-sentry
- credential: nasqueron.sentry.postgresql
+ credential: nasqueron/sentry/postgresql
network: sentry
#
# Kafka instance
#
zookeeper:
sentry_zookeeper:
version: 5.5.7
network: sentry
kafka:
sentry_kafka:
version: 5.5.7
zookeeper: sentry_zookeeper
network: sentry
topics:
- ingest-attachments
- ingest-transactions
- ingest-events
- ingest-replay-recordings
#
# ClickHouse
#
clickhouse:
sentry_clickhouse:
version: 20.3.9.70
network: sentry
config: sentry.xml
max_memory_ratio: 0.2
#
# Snuba
#
snuba:
sentry_snuba_api:
network: sentry
api: True
services: &sentry_snuba_services
broker: sentry_kafka:9092
clickhouse: sentry_clickhouse
redis: sentry_redis
sentry_snuba_consumer:
command: consumer --storage errors --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_outcomes_consumer:
command: consumer --storage outcomes_raw --auto-offset-reset=earliest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_replacer:
command: replacer --storage errors --auto-offset-reset=latest
network: sentry
services: *sentry_snuba_services
sentry_snuba_replays_consumer:
command: consumer --storage replays --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_sessions_consumer:
command: consumer --storage sessions_raw --auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_events:
command: subscriptions-scheduler-executor --dataset events --entity events --auto-offset-reset=latest
--no-strict-offset-reset --consumer-group=snuba-events-subscriptions-consumers
--followed-consumer-group=snuba-consumers --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_sessions:
command: subscriptions-scheduler-executor --dataset sessions --entity sessions
--auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-sessions-subscriptions-consumers
--followed-consumer-group=sessions-group --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_subscription_consumer_transactions:
command: subscriptions-scheduler-executor --dataset transactions --entity transactions
--auto-offset-reset=latest --no-strict-offset-reset --consumer-group=snuba-transactions-subscriptions-consumers
--followed-consumer-group=transactions_group --delay-seconds=60 --schedule-ttl=60
--stale-threshold-seconds=900
network: sentry
services: *sentry_snuba_services
sentry_snuba_transactions_consumer:
command: consumer --storage transactions --consumer-group transactions_group
--auto-offset-reset=latest --max-batch-time-ms 750
network: sentry
services: *sentry_snuba_services
#
# Symbolicator
#
symbolicator:
sentry_symbolicator:
network: sentry
#
# Relay
#
relay:
sentry_relay:
app_port: 26300
kafka: sentry_kafka
redis: sentry_redis
web: sentry_web
network: sentry
#
# Sentry
#
sentry:
sentry_web:
app_port: 26080
relay_port: 26300
host: sentry.nasqueron.org
command: run web
realm: nasqueron
network: sentry
sentry_worker:
command: run worker
realm: nasqueron
network: sentry
sentry_cron:
command: run cron
realm: nasqueron
network: sentry
sentry_ingest_consumer:
command: run ingest-consumer --all-consumer-types
realm: nasqueron
network: sentry
sentry_ingest_replay_recordings:
command: run ingest-replay-recordings
realm: nasqueron
network: sentry
sentry_post_process_forwarder_errors:
command: run post-process-forwarder --entity errors
realm: nasqueron
network: sentry
sentry_post_process_forwarder_transactions:
command: run post-process-forwarder --entity transactions
--commit-log-topic=snuba-transactions-commit-log
--synchronize-commit-group transactions_group
realm: nasqueron
network: sentry
sentry_consumer_events:
command: run query-subscription-consumer --commit-batch-size 1
--topic events-subscription-results
realm: nasqueron
network: sentry
sentry_consumer_transactions:
command: run query-subscription-consumer --commit-batch-size 1
--topic transactions-subscription-results
realm: nasqueron
network: sentry
# -------------------------------------------------------------
# Services configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
kakfa_loggers:
kafka.cluster: WARN
kafka.controller: WARN
kafka.coordinator: WARN
kafka.log: WARN
kafka.server: WARN
kafka.zookeeper: WARN
state.change.logger: WARN
sentry_realms:
nasqueron:
network: sentry
services:
kafka: sentry_kafka
memcached: sentry_memcached
postgresql: sentry_db
redis: sentry_redis
smtp: sentry_smtp
snuba: sentry_snuba_api
symbolicator: sentry_symbolicator
web: sentry_web
credentials:
- secret_key: nasqueron.sentry.app_key
- postgresql: nasqueron.sentry.postgresql
- vault: nasqueron.sentry.vault
+ secret_key: nasqueron/sentry/app_key
+ postgresql: nasqueron/sentry/postgresql
+ vault: nasqueron/sentry/vault
hostname: sentry.nasqueron.org
email_from: noreply@sentry.nasqueron.org
diff --git a/pillar/paas/docker/dwellers/main.sls b/pillar/paas/docker/dwellers/main.sls
index 5e95d8c..93a867d 100644
--- a/pillar/paas/docker/dwellers/main.sls
+++ b/pillar/paas/docker/dwellers/main.sls
@@ -1,127 +1,127 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Images
#
# You can append a :tag (by default, latest is used).
#
# It's not possible to specify Docker library images only by final name.
# See https://docs.saltstack.com/en/latest/ref/states/all/salt.states.docker_image.html
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_images:
- certbot/certbot
# Core service
- nasqueron/mysql:5.7
# Continuous deployment jobs
- jenkins/jenkins
- nasqueron/jenkins-agent-php
# -------------------------------------------------------------
# Networks
#
# Containers can be grouped by network, instead to use links.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_networks:
bugzilla:
subnet: 172.21.3.0/24
jenkinsTest:
subnet: 172.21.5.0/24
# -------------------------------------------------------------
# Docker engine configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_daemon:
data-root: /srv/docker
group: nasqueron-dev-docker
# -------------------------------------------------------------
# Containers
#
# The docker_containers entry allow to declare
# containers by image by servers
#
# The hierarchy is so as following.
#
# docker_containers:
# service codename:
# instance name:
# container properties
#
# The service codename must match a state file in
# the roles/paas-docker/containers/ directory.
#
# The container will be run with the specified instance name.
#
# **nginx**
#
# The container properties can also describe the information
# needed to configure nginx with the host and app_port key.
#
# In such case, a matching vhost file should be declared as
# roles/paas-docker/nginx/files/vhosts/<service codename>.sls
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_containers:
#
# Core services
#
mysql:
bugzilla_db:
network: bugzilla
version: 5.7
credentials:
- root: espacewin.bugzilla.mysql_root
+ root: espacewin/bugzilla/mysql_root
#
# Bugzilla
#
bugzilla:
ew_bugzilla:
host: bugzilla.espace-win.org
app_port: 33080
network: bugzilla
mysql:
host: bugzilla_db
db: EspaceWin_Bugs
- credential: espacewin.bugzilla.mysql
+ credential: espacewin/bugzilla/mysql
#
# Jenkins
#
jenkins:
jenkins_test:
realm: test
host: jenkins.test.nasqueron.org
app_port: 47080
jnlp_port: 52000
jenkins_agent:
zosso:
image_flavour: php
realm: test
#
# Mastodon
#
# Mastodon is currently deployed manually through docker-compose
# and not yet integrated to the platform. This declaration is
# currently only used for extra utilities deployment.
mastodon_sidekiq:
mastodon_sidekiq_1:
realm: nasqueron
diff --git a/pillar/paas/docker/dwellers/notifications.sls b/pillar/paas/docker/dwellers/notifications.sls
index affca19..cdb536c 100644
--- a/pillar/paas/docker/dwellers/notifications.sls
+++ b/pillar/paas/docker/dwellers/notifications.sls
@@ -1,52 +1,52 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Service: Sentry
# -------------------------------------------------------------
docker_aliases:
- &ipv4_dwellers_restricted 172.27.27.4
docker_images:
- nasqueron/notifications
- nasqueron/rabbitmq
- nasqueron/vault
docker_networks:
notifications-int:
subnet: 172.21.6.0/24
docker_containers:
rabbitmq:
orange-rabbit:
ip: *ipv4_dwellers_restricted
host: orange-rabbit.integration.nasqueron.org
app_port: 15672
network: notifications-int
credentials:
erlang_cookie: nasqueron/rabbitmq/orange-rabbit/erlang-cookie
root: nasqueron/rabbitmq/orange-rabbit/root
vault:
vault-notifications:
ip: *ipv4_dwellers_restricted
host: vault-notifications.integration.nasqueron.org
app_port: 48080
network: notifications-int
notifications:
notifications:
host: notifications.integration.nasqueron.org
app_port: 37080
network: notifications-int
broker: orange_rabbit
credentials:
broker: nasqueron/rabbitmq/orange-rabbit/notifications
sentry:
realm: nasqueron
project_id: 2
- credential: nasqueron.notifications.sentry
+ credential: nasqueron/notifications/sentry
environment: integration
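Review bot: The file header still says `# Service: Sentry` although this pillar declares the RabbitMQ, Vault and Notifications center containers for dwellers, and the only Sentry-related content is the client credential on the last lines; the header should read `# Service: Notifications center`. The moved `credential: nasqueron/notifications/sentry` is only a reference, and the state that resolves the `sentry.credential` key is outside this diff, so it is worth confirming that it reads the slash-separated form from the same mount as before and that the old `nasqueron.notifications.sentry` entry is retired once the container picks up the new one.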
diff --git a/pillar/saas/rabbitmq.sls b/pillar/saas/rabbitmq.sls
index 0d43393..6512105 100644
--- a/pillar/saas/rabbitmq.sls
+++ b/pillar/saas/rabbitmq.sls
@@ -1,154 +1,154 @@
# -------------------------------------------------------------
# Salt — RabbitMQ
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# RabbitMQ clusters
#
# Each cluster is defined by a deployment method (e.g. docker),
# and the node we can use to configure it.
#
# The cluster configuration is a collection of vhosts and users:
#
# vhosts:
# <vhost name>: <configuration>
#
# users:
# <user>: <password FULL secret path in Vault>
#
# In addition, a root account is managed by deployment states.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# The vhost configuration allows to define the exchanges and queues,
# and the permissions users have on them.
#
# exchanges:
# type is 'direct', 'topic' or 'fanout'
#
# queues:
# Application can create their own ephemeral queue.
# For that, it needs configure permission on the vhost.
#
# If an application needs a stable one, it should be configured here,
# so we can drop the configure permission.
#
# permissions:
# See https://www.rabbitmq.com/access-control.html#authorisation
# for the needed permissions for an AMQP operation
#
# To give access to server-generated queue names, use amq\.gen.*
# To not give any access, use blank string
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rabbitmq_clusters:
# Integration, used by Notifications center on Dwellers
orange-rabbit:
deployment: docker
node: dwellers
container: orange-rabbit
url: https://orange-rabbit.integration.nasqueron.org/
vhosts:
###
### Nasqueron dev services:
### - Notifications center
###
dev:
description: Nasqueron dev services
exchanges:
# Producer: Notifications center
# Consumers: any notifications client
notifications:
type: topic
durable: True
queues:
# Useful for developers to poke notifications streamed
all-notifications:
durable: True
bindings:
- exchange: notifications
queue: all-notifications
routing_key: '#'
permissions:
# Notifications center (paas-docker role / notifications container)
notifications:
configure: '.*'
read: '.*'
write: '.*'
users:
notifications: ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
# Production, used by Notifications center ecosystem
white-rabbit:
deployment: docker
node: docker-002
container: white-rabbit
url: https://white-rabbit.nasqueron.org/
vhosts:
###
### Nasqueron dev services:
### - Notifications center
###
dev: &nasqueron-dev-services-vhost
description: Nasqueron dev services
exchanges:
# Producer: Notifications center
# Consumers: any notifications client
notifications:
type: topic
durable: True
queues:
# Used by Wearg to stream notifications to IRC
wearg-notifications:
durable: True
bindings:
- exchange: notifications
queue: wearg-notifications
routing_key: '#'
permissions:
# Notifications center (paas-docker role / notifications container)
notifications:
configure: '.*'
read: '.*'
write: '.*'
# Wearg (viperserv role)
wearg:
configure: '^$'
read: '^wearg\-notifications$'
write: '^$'
# Notifications CLI clients
notifications-ysul: &notifications-client-permissions
configure: '^(amq\.gen.*|notifications)$'
read: '^(amq\.gen.*|notifications)$'
write: '^(amq\.gen.*|notifications)$'
notifications-windriver: *notifications-client-permissions
users:
# Notifications center server and clients
- notifications: ops/secrets/nasqueron.notifications.broker
+ notifications: ops/secrets/nasqueron/notifications/broker
wearg: apps/viperserv/broker
notifications-ysul: ops/secrets/nasqueron/notifications/notifications-cli/ysul
notifications-windriver: ops/secrets/nasqueron/notifications/notifications-cli/windriver
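Review bot: The `notifications` user keeps `configure`, `read` and `write` at `'.*'` on the `dev` vhost of both clusters, while the guidance at the top of this file says stable queues are declared here precisely so the configure permission can be dropped. The comments describe the Notifications center as the producer on the `notifications` exchange, so a tighter grant along the lines of `configure: '^notifications$'`, `read: '^$'`, `write: '^notifications$'` looks sufficient, though whether the application also declares or consumes queues of its own is not visible here and should be confirmed before narrowing. A smaller point: after this change the same role's secret lives at `ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications` on orange-rabbit but at `ops/secrets/nasqueron/notifications/broker` on white-rabbit; one layout for both clusters would make policy review easier.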
diff --git a/roles/vault/policies/files/sentry.hcl b/roles/vault/policies/files/sentry.hcl
index e3feaa9..6355ea5 100644
--- a/roles/vault/policies/files/sentry.hcl
+++ b/roles/vault/policies/files/sentry.hcl
@@ -1,26 +1,26 @@
# -------------------------------------------------------------
# Vault configuration - Policy for Sentry
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Source file: roles/vault/vault/files/sentry.hcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
path "apps/data/sentry/github" {
capabilities = [ "read" ]
}
-path "ops/data/secrets/nasqueron.sentry.app_key" {
+path "ops/data/secrets/nasqueron/sentry/app_key" {
capabilities = [ "read" ]
}
-path "ops/data/secrets/nasqueron.sentry.postgresql" {
+path "ops/data/secrets/nasqueron/sentry/postgresql" {
capabilities = [ "read" ]
}
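Review bot: The header comment `# Source file: roles/vault/vault/files/sentry.hcl` does not match the path this policy is actually kept at, `roles/vault/policies/files/sentry.hcl`; since the deployed copy is marked auto-generated and points readers back to its source, the comment should name the real path. The capability set is unchanged and read-only on the `data/` prefix, which is appropriate for a consumer. Because the `data/` prefix indicates a kv-v2 mount, the values previously written at `nasqueron.sentry.app_key` and `nasqueron.sentry.postgresql` stay readable by any policy still naming the dotted paths until they are deleted or destroyed; this diff drops the grant here, but that cleanup is outside what is visible.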
diff --git a/roles/viperserv/eggdrop/config.sls b/roles/viperserv/eggdrop/config.sls
index 60a7700..1eba147 100644
--- a/roles/viperserv/eggdrop/config.sls
+++ b/roles/viperserv/eggdrop/config.sls
@@ -1,104 +1,104 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Directory for configuration
#
# Each bot gets a directory to store userlist, chanlist, motd,
# and specific configuration file.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- dir_mode: 770
{% endfor %}
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/logs/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/logs/{{ botname }}.log:
file.managed:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 660
- replace: False
{% endfor %}
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/core.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-core.conf
- user: viperserv
- group: nasqueron-irc
/srv/viperserv/.credentials:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/dot.credentials
- user: viperserv
- group: nasqueron-irc
- mode: 400
- template: jinja
- context:
# Database is on cluster B
db:
host: {{ pillar["nasqueron_services"]["db-B"] }}
database: Nasqueron
vault:
- approle: {{ salt['credentials.read_secret']('nasqueron.viperserv.vault') }}
+ approle: {{ salt['credentials.read_secret']('nasqueron/viperserv/vault') }}
addr: {{ pillar["nasqueron_services"]["vault_url"] }}
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}/eggdrop.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-bot.conf
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 755
- template: jinja
- context:
botname: {{ botname }}
realname: {{ bot['realname'] | default(botname) }}
scripts: {{ bot['scripts'] }}
modules: {{ bot['modules'] | default([]) }}
runas: {{ bot['runas'] | default('viperserv') }}
nickserv: {{ bot['nickserv'] | default(False) }}
/srv/viperserv/{{ botname }}/motd:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/motd/{{ botname }}
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/{{ botname }}/banner:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/banner
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- template: jinja
- context:
bot: {{ botname }}
server: {{ grains['id'] }}
{% endfor %}
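Review bot: The `/srv/viperserv/.credentials` state renders the AppRole secret from `credentials.read_secret` into a managed file but does not set `show_changes: False`, so the first deployment and any later change print the file's diff, credentials included, in the state output and job return. Adding `- show_changes: False` next to `- mode: 400` keeps the secret out of logs, as the wolfplex `secrets.json` state in this same change already does. Separately, the file is mode 400 and owned by `viperserv`, while each bot directory and config is owned by `bot['runas']`; a bot with a different `runas` cannot read `.credentials` with these permissions, though whether any bot needs it is not visible here.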
diff --git a/roles/webserver-content/org/wolfplex/api.sls b/roles/webserver-content/org/wolfplex/api.sls
index b6501a1..9f3c7be 100644
--- a/roles/webserver-content/org/wolfplex/api.sls
+++ b/roles/webserver-content/org/wolfplex/api.sls
@@ -1,60 +1,60 @@
# -------------------------------------------------------------
# Salt — Provision api.wolfplex.org website
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Wolfplex
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if salt['node.has_web_content'](".org/wolfplex/api") %}
# -------------------------------------------------------------
# Data store
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/dataroot/wolfplex/secrets.json:
file.managed:
- source: salt://roles/webserver-content/org/wolfplex/files/secrets.json.jinja2
- mode: 400
- user: web-org-wolfplex-www
- group: web
- makedirs: True
- template: jinja
- show_changes: False
- context:
secrets:
- etherpad.api.key: {{ salt['credentials.get_token']("nasqueron.etherpad.api") }}
+ etherpad.api.key: {{ salt['credentials.get_token']("nasqueron/etherpad/api") }}
# -------------------------------------------------------------
# Base part
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/wwwroot/wolfplex.org/api:
file.recurse:
- source: salt://wwwroot/wolfplex.org/api
- exclude_pat: E@.git
- include_empty: True
- clean: False
- dir_mode: 755
- file_mode: 644
- user: web-org-wolfplex-www
- group: web
# -------------------------------------------------------------
# Deployment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
wolfplex_api_dependencies:
cmd.run:
- name: composer install
- runas: web-org-wolfplex-www
- cwd: /var/wwwroot/wolfplex.org/api
- creates: /var/wwwroot/wolfplex.org/api/vendor
wolfplex_api_kibaone_accents:
cmd.run:
- name: make
- runas: web-org-wolfplex-www
- cwd: /var/wwwroot/wolfplex.org/api/design/kibaone/accents
- creates: /var/wwwroot/wolfplex.org/api/design/kibaone/accents/index.json
{% endif %}
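Review bot: `wolfplex_api_dependencies` runs `composer install` only while `vendor/` is absent (`creates`), so once the site has been provisioned a later change to the checked-in dependency manifest is never applied and dependency security updates do not reach the server. Keying the run on the deployed tree instead, e.g. replacing `creates` with `- onchanges:` / `  - file: /var/wwwroot/wolfplex.org/api`, re-installs whenever `file.recurse` changes something. The command also pulls development dependencies onto a production host; `composer install --no-dev --no-interaction` would avoid that, assuming nothing under `design/kibaone/accents` relies on a dev package, which is not visible here.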
