Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F24894630
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
15 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index 9d59faa..5225736 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,304 +1,305 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Vault configuration
#
# :: vault_policies_path: path on vault server where to store policies
#
# :: vault_policies_source: path to fetch policies from
# if starting by salt://, from salt files server
#
# :: vault_mount_paths: translates secrets paths in policies paths
#
# Generally, Vault paths are the same for policies and data access.
#
# For kv secrets engine, version 2, writing and reading versions
# of a kv value are prefixed with the data/ path.
#
# credentials.build_policies_by_node will use this dictionary
# to be able to rewrite secrets paths in data paths.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies_path: /srv/policies/vault
vault_policies_source: /srv/policies/vault
vault_mount_paths:
ops/secrets: ops/data/secrets
ops/privacy: ops/data/privacy
apps: apps/data
# -------------------------------------------------------------
# Vault policies to deploy as-is, i.e., without templating.
#
# Entries of vault_policies must match a .hcl file in
# the roles /vault/policies/files folder.
#
# If you need a template, create a new pillar entry instead
# and add the parsing logic either:
# - directly to roles/vault/policies/
#
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g., vault_secrets_by_role
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
- admin
- airflow
- monitoring
- salt-primary
- sentry
- vault_bootstrap
- viperserv
# -------------------------------------------------------------
# Vault policies for Salt itself
#
# The policy attached to the login method (e.g., approle)
# used by the Salt primary server to log in to Vault.
#
# Source is the name of a policy managed by the vault_policies
# section. Target is the name of the policy attached.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_salt_primary_policy:
source: salt-primary
target: salt
# -------------------------------------------------------------
# Vault full policies to include by role
#
# Declare the extra policies each node needs.
#
# In addition to those extra policies, the vault_secrets_by_role
# will be parsed for the keys.
#
# IMPORTANT: as grains['roles'] can be modified by the node,
# roles are extracted directly from the pillar.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_extra_policies_by_role:
salt-primary:
- salt-primary
# -------------------------------------------------------------
# Vault secrets by role
#
# Paths of the keys the specified role needs access to.
#
# Avoid * notation as this namespace is shared between Vault
# and the applications. As such, only secrets the Salt nodes
# need in a state they need to deploy should be listed here.
#
# Use %%node%% as variable for node name.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_role:
devserver:
- ops/secrets/dbserver/windriver-mariadb/users/*
- ops/secrets/dbserver/windriver-pgsql/users/*
- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
- ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
mailserver:
- ops/secrets/dbserver/cluster-A/users/mailManagement
- ops/secrets/dbserver/cluster-A/users/dovecot
- ops/secrets/dbserver/cluster-A/users/postfix
- ops/secrets/mailserver/security
netbox:
- ops/secrets/dbserver/windriver-pgsql/users/netbox
- ops/secrets/nasqueron/netbox/key
opensearch:
- ops/secrets/nasqueron/opensearch/infra-logs/internal_users/admin
- ops/secrets/nasqueron/opensearch/infra-logs/internal_users/dashboards
paas-docker-prod:
#
# Personal data or personally identifiable information (PII)
# related to Nasqueron Operations SIG members.
#
- ops/privacy/ops-cidr
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/acquisitariat/mysql
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/auth-grove/mysql
- ops/secrets/nasqueron/cachet/app_key
- ops/secrets/nasqueron/cachet/mysql
- ops/secrets/nasqueron/devcentral/mailgun
- ops/secrets/nasqueron/devcentral/mail_local
- ops/secrets/nasqueron/devcentral/mysql
- ops/secrets/nasqueron/etherpad/api
- ops/secrets/nasqueron/etherpad/mysql
- ops/secrets/nasqueron/etherpad/users/dereckson
- ops/secrets/nasqueron/notifications/broker
- ops/secrets/nasqueron/notifications/mailgun
- ops/secrets/nasqueron/notifications/sentry
- ops/secrets/nasqueron/notifications/credentials/github/nasqueron
- ops/secrets/nasqueron/notifications/credentials/github/wolfplex
- ops/secrets/nasqueron/notifications/credentials/github/keruald
- ops/secrets/nasqueron/notifications/credentials/github/trustspace
- ops/secrets/nasqueron/notifications/credentials/github/eglide
- ops/secrets/nasqueron/notifications/credentials/phabricator/nasqueron
- apps/notifications-center/dockerhub/notifications
- apps/notifications-center/dockerhub/auth-grove
- ops/secrets/nasqueron/penpot/github
- ops/secrets/nasqueron/penpot/postgresql
- ops/secrets/nasqueron/penpot/secret_key
- ops/secrets/nasqueron/pixelfed/app_key
- ops/secrets/nasqueron/pixelfed/mailgun
- ops/secrets/nasqueron/pixelfed/mysql
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
- ops/secrets/nasqueron/reports/acquisitariat
- ops/secrets/nasqueron/sentry/app_key
- ops/secrets/nasqueron/sentry/geoipupdate
- ops/secrets/nasqueron/sentry/postgresql
- ops/secrets/nasqueron/sentry/vault
#
# Credentials used by Nasqueron members private services
# Format: <username>/<service>/<type>
#
- ops/secrets/dereckson/phabricator/mysql
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>/<service>/<type>
#
- ops/secrets/dbserver/cluster-A/users/corspat
- ops/secrets/espacewin/phpbb/mysql_root
- ops/secrets/wolfplex/phabricator/mailgun
- ops/secrets/wolfplex/phabricator/mysql
- ops/secrets/zed/phabricator/mysql
- ops/secrets/zed/phabricator/sendgrid
paas-docker-dev:
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron/service/<...>
#
- ops/secrets/nasqueron/airflow/admin_account
- ops/secrets/nasqueron/airflow/fernet
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/nasqueron/airflow/vault
- ops/secrets/dbserver/cluster-A/users/airflow
- ops/secrets/nasqueron/orbeon/oxf.crypto.password
- ops/secrets/nasqueron/orbeon/users/dereckson
- ops/secrets/nasqueron/orbeon/users/dorianvl
- ops/secrets/dbserver/cluster-A/users/orbeon
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
- ops/secrets/nasqueron/notifications/sentry
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>/<service>/<type>
#
- ops/secrets/espacewin/bugzilla/mysql
- ops/secrets/espacewin/bugzilla/mysql_root
reports:
- ops/secrets/nasqueron/rhyne-wyse/salt
saas-mediawiki:
- ops/secrets/dbserver/cluster-B/users/saas-mediawiki
- ops/secrets/dbserver/cluster-B/users/saas-mw-deploy
- ops/secrets/nasqueron/mediawiki/secret_key
saas-wordpress:
- ops/secrets/dbserver/cluster-B/users/dereckson_blog
- ops/secrets/dereckson/wordpress/secrets
viperserv:
- ops/secrets/nasqueron/viperserv/vault
webserver-alkane-prod:
- ops/secrets/dbserver/cluster-B/users/dereckson_www
- ops/secrets/dbserver/cluster-B/users/zed
- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users
- ops/secrets/zed/hypership/secret_key
#
# Wolfplex credentials
#
- ops/secrets/nasqueron/etherpad/api
webserver-alkane-dev:
- ops/secrets/dbserver/cluster-B/users/dereckson_www51
+ - ops/secrets/dbserver/cluster-B/users/obsidian51
webserver-legacy:
#
# Wolfplex credentials
#
- ops/secrets/nasqueron/etherpad/api
# -------------------------------------------------------------
# Vault secrets by dbserver cluster
#
# Paths of the keys the specified role needs access to.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_dbserver_cluster:
# Main PostgreSQL cluster
A:
- ops/secrets/dbserver/cluster-A/users/*
# Main MariaDB cluster - Alkane PaaS, ViperServ
B:
- ops/secrets/dbserver/cluster-B/users/*
diff --git a/pillar/paas/alkane/windriver/obsidian.sls b/pillar/paas/alkane/windriver/obsidian.sls
new file mode 100644
index 0000000..ae4a316
--- /dev/null
+++ b/pillar/paas/alkane/windriver/obsidian.sls
@@ -0,0 +1,41 @@
+# -------------------------------------------------------------
+# Salt — PaaS Alkane :: PHP and static sites [development]
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Site: https://obsidian51.nasqueron.org
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# PHP sites
+#
+# Username must be unique and use max 31 characters.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+web_php_sites:
+ obsidian51.nasqueron.org:
+ domain: nasqueron.org
+ subdomain: obsidian51
+ user: web-org-nasqueron-obsidian51
+ php-fpm: prod
+
+# -------------------------------------------------------------
+# Vhosts
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+nginx_vhosts:
+ nasqueron.org:
+ - obsidian51
+
+# -------------------------------------------------------------
+# .env configuration files
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+webserver_content_dotenv:
+ /var/51-wwwroot/obsidian/.env:
+ user: web-org-nasqueron-obsidian51
+ db:
+ service: db-B
+ credentials: dbserver/cluster-B/users/obsidian51
+ extra_values:
+ DB_NAME: obsidian51
diff --git a/pillar/webserver/wwwroot51.sls b/pillar/webserver/wwwroot51.sls
index 66eefdb..f228c1d 100644
--- a/pillar/webserver/wwwroot51.sls
+++ b/pillar/webserver/wwwroot51.sls
@@ -1,76 +1,80 @@
# -------------------------------------------------------------
# Salt — Sites to provision on the devserver wwwroot51
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
wwwroot51_basedir: /var/51-wwwroot
wwwroot_identities:
alken-orin:
secret: nasqueron/deploy/deploy_keys/alken-orin
path: /opt/salt/security/id_alken_orin_ed25519
deploy-key-bitbucket-dereckson-www:
secret: nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
path: /opt/salt/security/id_bitbucket_dereckson_www
deploy-key-bitbucket-espacewin-www:
secret: nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
path: /opt/salt/security/id_bitbucket_espacewin_www
deploy-key-github-wolfplex-api-www:
secret: nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
path: /opt/salt/security/id_github_wolfplex_api_www
wwwroot51_directories:
api:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/api.git
identity: alken-orin
dereckson-www:
user: dereckson
group: dereckson
repository: git@bitbucket.org:dereckson/www.dereckson.be.git
identity: deploy-key-bitbucket-dereckson-www
espacewin-www:
user: dereckson
group: dereckson
repository: git@bitbucket.org:ewosp/www.espace-win.org.git
identity: deploy-key-bitbucket-espacewin-www
mediawiki-dereckson:
user: dereckson
group: dereckson
+ obsidian:
+ user: dereckson
+ group: dereckson
+
rain:
user: dereckson
group: dereckson
saas-mediawiki:
user: dereckson
group: mediawiki
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/saas-mediawiki.git
identity: alken-orin
tools:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/tools.git
identity: alken-orin
wolfplex-api:
user: dereckson
group: dereckson
repository: git@github.com:wolfplex/api-www.git
identity: deploy-key-github-wolfplex-api-www
www:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/www.git
identity: alken-orin
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/obsidian51.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/obsidian51.conf
new file mode 100644
index 0000000..4a4bd82
--- /dev/null
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/obsidian51.conf
@@ -0,0 +1,38 @@
+# -------------------------------------------------------------
+# Webserver
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Site: obsidian51.nasqueron.org
+# License: Trivial work, not eligible to copyright
+# Source file: roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/obsidian51.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+server {
+ # Maintained by Dereckson
+ # Development environment for Obsidian Workspaces
+
+ listen 80;
+ listen [::]:80;
+ server_name obsidian51.nasqueron.org;
+
+ include includes/tls;
+ ssl_certificate /usr/local/etc/letsencrypt/live/obsidian51.nasqueron.org/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/obsidian51.nasqueron.org/privkey.pem;
+
+ error_log /var/log/www/nasqueron.org/obsidian51-error.log;
+ access_log /var/log/www/nasqueron.org/obsidian51-access.log;
+
+ include includes/letsencrypt;
+
+ root /var/51-wwwroot/obsidian/workspaces/src;
+ index index.html index.php index.htm;
+
+ include includes/pluton;
+}
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Wed, Mar 18, 13:01 (1 d, 14 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3539904
Default Alt Text
(15 KB)
Attached To
Mode
rOPS Nasqueron Operations
Attached
Detach File
Event Timeline
Log In to Comment