diff --git a/_modules/zr.py b/_modules/zr.py
index 4854f19..ce2e240 100644
--- a/_modules/zr.py
+++ b/_modules/zr.py
@@ -1,109 +1,122 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Zemke-Rhyne module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-09-11
# Description: Fetch Zemke-Rhyne credentials
# License: BSD-2-Clause
# -------------------------------------------------------------
from salt.utils.path import which as path_which
def __virtual__():
"""
Only load if zr exists on the system
"""
return path_which('zr') is not None,\
"The Zemke-Rhyne execution module cannot be loaded: zr not installed."
def _build_pillar_key(expression):
return "zr_credentials:" + expression.replace(".", ":")
def _get_credential_id_from_pillar_key(expression):
"""Gets credentials id from a dot pillar path, e.g. nasqueron.foo.bar"""
key = _build_pillar_key(expression)
return __salt__['pillar.get'](key)
def get_credential_id(expression):
try:
# Case I - expression is an integer
number = int(expression)
if number < 1:
raise ValueError(
expression, "A strictly positive integer was expected.")
return number
except ValueError:
# Case II - expression is a pillar key
id = _get_credential_id_from_pillar_key(expression)
if id is None or id == "":
raise ValueError(expression, "Pillar key not found")
return id
def get_password(credential_expression):
"""
A function to fetch credential through Zemke-Rhyne
CLI Example:
salt equatower zr.get_password 124
:param credential_expression: The credential number (K...) in Phabricator
or a key in zr_credentials pillar entry
:return: The secret value
"""
credential_id = get_credential_id(credential_expression)
zr_command = "zr getcredentials {0}".format(credential_id)
return __salt__['cmd.shell'](zr_command)
def get_username(credential_expression):
"""
A function to fetch the username associated to a credential
through Zemke-Rhyne
CLI Example:
salt equatower zr.get_username 124
:param credential_expression: The credential number (K...) in Phabricator
or a key in zr_credentials pillar entry
:return: The username
"""
credential_id = get_credential_id(credential_expression)
zr_command = "zr getcredentials {0} username".format(credential_id)
return __salt__['cmd.shell'](zr_command)
def get_token(credential_expression):
"""
A function to fetch credential through Zemke-Rhyne
CLI Example:
salt equatower zr.get_token 126
:param credential_expression: The credential number (K...) in Phabricator
or a key in zr_credentials pillar entry
:return: The secret value
"""
credential_id = get_credential_id(credential_expression)
zr_command = "zr getcredentials {0} token".format(credential_id)
return __salt__['cmd.shell'](zr_command)
+
+
+def get_sentry_dsn(args):
+ sentry_server = _get_sentry_server(args['realm'])
+
+ return "https://" + ":".join([
+ get_username(args['credential']),
+ get_password(args['credential']),
+ ]) + "@" + sentry_server + "/" + str(args['project_id'])
+
+
+def _get_sentry_server(realm):
+ return __pillar__['sentry_realms'][realm]['host']
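Review bot: get_sentry_dsn concatenates the username and password returned by zr straight into the URL userinfo, so a secret containing `:`, `@`, `/`, `?` or `#` produces a DSN that parses to a different host, path or credential; both values should be percent-encoded with `urllib.parse.quote(value, safe='')` (bringing `from urllib.parse import quote` in next to the existing import). The two new functions also lack the docstring and `CLI Example:` block every other public function in this module carries; the docstring for get_sentry_dsn should say that `args` is the container's `sentry` pillar mapping with `realm`, `project_id` and `credential` keys and that the return value is a secret-bearing DSN. _get_sentry_server raises a bare KeyError when the realm is absent from `sentry_realms`; catching it and re-raising a `ValueError(realm, "Unknown Sentry realm")` in the style of get_credential_id would make the rendering failure readable.
```python
def get_sentry_dsn(args):
    # docstring as described in the review note
    sentry_server = _get_sentry_server(args['realm'])
    username = quote(get_username(args['credential']), safe='')
    password = quote(get_password(args['credential']), safe='')

    return "https://{0}:{1}@{2}/{3}".format(
        username, password, sentry_server, args['project_id'])
```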
diff --git a/pillar/paas/docker.sls b/pillar/paas/docker.sls
index 2cb9814..9d25be7 100644
--- a/pillar/paas/docker.sls
+++ b/pillar/paas/docker.sls
@@ -1,421 +1,424 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
docker_aliases:
- &ipv4_equatower 51.255.124.10
- &intra_equatower 10.0.1.1
# -------------------------------------------------------------
# Images
#
# You can append a :tag (by default, latest is used).
#
# It's not possible to specify Docker library images only by final name.
# See https://docs.saltstack.com/en/latest/ref/states/all/salt.states.docker_image.html
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_images:
'*':
- certbot/certbot
dwellers:
# Core services
- nasqueron/mysql:5.7
- nasqueron/rabbitmq
# Infrastructure and development services
- dereckson/cachet
- nasqueron/notifications
equatower:
# Core services
- library/postgres
- library/redis:3.2-alpine
- library/registry
- nasqueron/mysql
# Nasqueron services
- nasqueron/auth-grove
# Nasqueron API microservices
- nasqueron/docker-registry-api
# Infrastructure and development services
- nasqueron/aphlict
- nasqueron/etherpad:production
- nasqueron/phabricator
# Continuous deployment jobs
- jenkins/jenkins
- nasqueron/jenkins-slave-node
- nasqueron/jenkins-slave-php
- nasqueron/jenkins-slave-rust
- nasqueron/tommy
# Sentry
- library/sentry
- tianon/exim4
# -------------------------------------------------------------
# Networks
#
# Containers can be grouped by network, instead to use links.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_networks:
dwellers:
bugzilla:
subnet: 172.21.3.0/24
equatower:
cd:
subnet: 172.18.1.0/24
ci:
subnet: 172.18.2.0/24
# -------------------------------------------------------------
# Docker engine configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_daemon:
equatower:
storage-driver: devicemapper
storage-opts:
- "dm.thinpooldev=/dev/mapper/wharf-thinpool"
- "dm.use_deferred_removal=true"
- "dm.use_deferred_deletion=true"
docker_devicemapper:
equatower:
thinpool: wharf-thinpool
# -------------------------------------------------------------
# Containers
#
# The docker_containers entry allow to declare
# containers by image by servers
#
# The hierarchy is so as following.
#
# docker_containers:
# server with the Docker engine:
# service codename:
# instance name:
# container properties
#
# The service codename must match a state file in
# the roles/paas-docker/containers/ directory.
#
# The container will be run with the specified instance name.
#
# **nginx**
#
# The container properties can also describe the information
# needed to configure nginx with the host and app_port key.
#
# In such case, a matching vhost file should be declared as
# roles/paas-docker/nginx/files/vhosts/<service codename>.sls
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_containers:
#
# Dwellers is the engine for Mastodon and CI intelligent bus services
#
dwellers:
#
# Core services
#
mysql:
bugzilla_db:
network: bugzilla
version: 5.7
#
# Notifications center
#
notifications:
notifications:
host: notifications.nasqueron.org
app_port: 37080
broker_link: white-rabbit
credentials:
broker: nasqueron.notifications.broker
mailgun: nasqueron.notifications.mailgun
- sentry: nasqueron.notifications.sentry
+ sentry:
+ realm: nasqueron
+ project_id: 2
+ credential: nasqueron.notifications.sentry
#
# Bugzilla
#
bugzilla:
ew_bugzilla:
host: bugzilla.espace-win.org
app_port: 33080
network: bugzilla
mysql:
host: bugzilla_db
db: EspaceWin_Bugs
credential: espacewin.bugzilla.mysql
#
# Equatower is the current production engine
#
equatower:
#
# Core services
#
mysql:
acquisitariat: {}
phpbb_db: {}
postgresql:
sentry_db:
credential: nasqueron.sentry.postgresql
redis:
sentry_redis: {}
registry:
registry:
app_port: 5000
ip: *intra_equatower
#
# CI and CD
#
jenkins:
jenkins_cd:
realm: cd
host: cd.nasqueron.org
app_port: 38080
jnlp_port: 50000
jenkins_ci:
realm: ci
host: ci.nasqueron.org
app_port: 42080
jnlp_port: 55000
jenkins_slave:
# Slaves for CD
apsile: &php_for_cd
image: php
realm: cd
elapsi: *php_for_cd
rust_brown:
image: rust
realm: cd
yarabokin:
image: node
realm: cd
zateki: &php_for_ci
image: php
realm: ci
zenerre: *php_for_ci
tommy:
tommy_ci:
app_port: 24080
host: builds.nasqueron.org
aliases:
- build.nasqueron.org
jenkins_url: https://ci.nasqueron.org
tommy_cd:
# No host definition, as this dashboard is mounted on infra.nasqueron.org
app_port: 24180
jenkins_url: https://cd.nasqueron.org
# Infrastructure and development services
phabricator:
# Nasqueron instance
devcentral:
app_port: 31080
host: devcentral.nasqueron.org
aliases:
- phabricator.nasqueron.org
blogs:
servers:
host: servers.nasqueron.org
aliases:
- server.nasqueron.org
- serveur.nasqueron.org
- serveurs.nasqueron.org
mailer: mailgun
credentials:
mysql: zed.phabricator.mysql
static_host: phabricator-files-for-devcentral-nasqueron.spacetechnology.net
title: Nasqueron DevCentral
mysql_link: acquisitariat
skip_container: True
# Private instance for Dereckson
river_sector:
app_port: 23080
host: river-sector.dereckson.be
static_host: phabricator-files-for-river-sector.nasqueron.org
mailer: _
credentials:
mysql: dereckson.phabricator.mysql
storage:
namespace: river_sector
title: River Sector
mysql_link: acquisitariat
# Wolfplex instance
wolfplex_phab:
app_port: 35080
host: phabricator.wolfplex.be
aliases:
- phabricator.wolfplex.org
static_host: phabricator-files-for-wolfplex.nasqueron.org
mailer: mailgun
credentials:
mailgun: wolfplex.phabricator.mailgun
mysql: wolfplex.phabricator.mysql
storage:
namespace: wolfphab
title: Wolfplex Phabricator
mysql_link: acquisitariat
# Zed instance
zed_code:
app_port: 36080
host: code.zed.dereckson.be
static_host: phabricator-files-for-zed.nasqueron.org
mailer: sendgrid
credentials:
mysql: zed.phabricator.mysql
sendgrid: zed.phabricator.sendgrid
storage:
namespace: zedphab
title: Zed
mysql_link: acquisitariat
aphlict:
aphlict:
ports:
client: 22280
admin: 22281
cachet:
cachet:
app_port: 39080
host: status.nasqueron.org
credential: nasqueron.cachet.mysql
app_key: nasqueron.cachet.app_key
mysql_link: acquisitariat
etherpad:
pad:
app_port: 34080
host: pad.nasqueron.org
aliases:
- pad.wolfplex.org
- pad.wolfplex.be
credential: nasqueron.etherpad.api
mysql_link: acquisitariat
auth-grove:
login:
app_port: 25080
host: login.nasqueron.org
credential: nasqueron.auth-grove.mysql
mysql_link: acquisitariat
# API microservices
docker-registry-api:
api-docker-registry:
app_port: 20080
api_entry_point: /docker/registry
registry_instance: registry
# phpBB SaaS
# The SaaS uses a MySQL instance, declared in the MySQL section.
# Openfire
openfire:
openfire:
ip: *ipv4_equatower
app_port: 9090
host: xmpp.nasqueron.org
# Sentry
# The Sentry instance uses a Redis and a PostgreSQL instance,
# declared above.
exim:
sentry_smtp:
mailname: mx.sentry.nasqueron.org
sentry:
sentry_web_1:
app_port: 26080
host: sentry.nasqueron.org
# As an instance is divided between a web, a cron and a worker
# containers, we need an identified to share a data volume.
realm: nasqueron
sentry_worker:
sentry_worker_1:
realm: nasqueron
sentry_cron:
sentry_cron:
realm: nasqueron
# -------------------------------------------------------------
# Ports listened by XMPP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
xmpp_ports:
- 3478
- 5222 # Client to server
- 5223 # Client to server (Encrypted (legacy-mode) connections)
- 5262 # Connections managers
- 5269 # Server to server
- 5275 # External components
- 5276 # External components (Encrypted (legacy-mode) connections)
- 7070 # HTTP binding
- 7443 # HTTP binding with TLS
- 7777 # File transfer proxy
- 9090 # Web administration server
- 9091 # Web administration server with TLS
# -------------------------------------------------------------
# Zemke-Rhyne clients
#
# This section should list all the Docker engines server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
zr_clients:
- key: 2
allowedConnectionFrom:
- 172.27.26.49
- dwellers.nasqueron.drake
- dwellers.nasqueron.org
restrictCommand:
comment: Zemke-Rhyne
- key: 123
allowedConnectionFrom:
- equatower.nasqueron.org
restrictCommand:
comment: Zemke-Rhyne
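Review bot: The new `sentry:` mapping under the notifications container (realm, project_id, credential) introduces a key shape that the `docker_containers` header comment does not describe, while the other services in this file keep credential names under `credentials:` or `credential:`; a reader has no way to tell from this file that the mapping is consumed by `zr.get_sentry_dsn`. I would extend the header with a short paragraph, e.g. `# **sentry**` / `# A sentry key with realm, project_id and credential entries is` / `# turned into a DSN by the zr.get_sentry_dsn execution module.`. The `realm` value must also match a key of `sentry_realms` in the pillar that the same minion receives, which is worth stating in that paragraph since the lookup fails at render time otherwise.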
diff --git a/pillar/saas/sentry.sls b/pillar/saas/sentry.sls
index c490130..2443e7a 100644
--- a/pillar/saas/sentry.sls
+++ b/pillar/saas/sentry.sls
@@ -1,20 +1,21 @@
# -------------------------------------------------------------
# Salt — Sentry instances
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Sentry realms
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sentry_realms:
nasqueron:
links:
postgresql: sentry_db
redis: sentry_redis
smtp: sentry_smtp
credential: nasqueron.sentry.app_key
email_from: no-reply@sentry.nasqueron.org
+ host: sentry.nasqueron.org
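Review bot: The added `host` duplicates the `host: sentry.nasqueron.org` already declared for the `sentry_web_1` container in `pillar/paas/docker.sls`, so the two now have to be kept in sync by hand and a drift would silently point every notification DSN at the wrong host. A comment on the new line, e.g. `# Must match docker_containers.<engine>.sentry.<instance>.host`, would at least make the coupling visible; deriving one from the other would remove it.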
diff --git a/pillar/top.sls b/pillar/top.sls
index eebbc2a..2bee53a 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,40 +1,41 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.users
- core.groups
- certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
- webserver.sites
dwellers:
- credentials.zr
- paas.docker
+ - saas.sentry
eglide:
- shellserver.quassel
equatower:
- credentials.zr
- paas.docker
- saas.jenkins
- saas.phpbb
- saas.sentry
ysul:
- devserver.repos
- paas.docker
- saas.mediawiki
- viperserv.bots
- viperserv.fantoir
- webserver.labs
- webserver.wwwroot51
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
index 78360df..22c15e2 100644
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -1,46 +1,46 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set containers = pillar['docker_containers'][grains['id']] %}
{% for instance, container in containers['notifications'].items() %}
# -------------------------------------------------------------
# Container
#
# Image: nasqueron/notifications
# Description: Listen to webhooks, fire notifications to
# the broker. Used for CI / IRC notifications.
# Services used: RabbitMQ broker (white-rabbit)
# Docker volume (/data/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- binds: /srv/notifications/storage:/var/wwwroot/default/storage
- links:
- {{ container['broker_link'] }}:mq
- environment:
- BROKER_HOST: mq
- BROKER_USER: {{ salt['zr.get_username'](container['credentials']['broker']) }}
- BROKER_PASS: {{ salt['zr.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
- MAILGUN_DOMAIN: {{ salt['zr.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['zr.get_password'](container['credentials']['mailgun']) }}
- - SENTRY_DSN: https://{{ salt['zr.get_username'](container['credentials']['sentry']) }}:{{ salt['zr.get_password'](container['credentials']['sentry']) }}@sentry.nasqueron.org/2
+ - SENTRY_DSN: {{ salt['zr.get_sentry_dsn'](container['sentry']) }}
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
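Review bot: The new `SENTRY_DSN` line moves the host and project id out of this state into the pillar, but the `Services used:` header of this container still does not mention Sentry or where its configuration comes from; adding `# Sentry (DSN built by zr.get_sentry_dsn from the container's sentry pillar key)` keeps the header accurate. Because `salt['zr.get_sentry_dsn']` runs on the minion during rendering, a missing `realm`, `project_id` or `credential` entry presumably surfaces as a Python KeyError inside the execution module rather than a clear state error, which is worth noting in that comment.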