diff --git a/_modules/convert.py b/_modules/convert.py
index 0e52f52..4c07746 100644
--- a/_modules/convert.py
+++ b/_modules/convert.py
@@ -1,98 +1,97 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Convert execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-08
# Description: Functions related to data format conversions
# License: BSD-2-Clause
# -------------------------------------------------------------
import json
import salt.serializers.yaml
# -------------------------------------------------------------
# JSON
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def to_json_from_pillar_key(key):
"""
A function to output a pillar key in JSON.
CLI Example::
salt-call --local convert.to_json "Hello world"
"""
data = __pillar__.get(key, {})
return to_json(data)
def to_json(data):
"""
A function to convert data to JSON.
CLI Example::
salt-call --local convert.to_json "Hello world"
"""
return json.dumps(data, indent=4, sort_keys=True)
# -------------------------------------------------------------
# YAML
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def _to_dictionary(data, root=None):
if root is not None:
return {root: _to_dictionary(data)}
if type(data) is list:
dictionary = {}
for item in data:
dictionary.update(_to_dictionary(item))
return dictionary
if type(data) is tuple and len(data) == 2:
return dict({data})
return dict(data)
def to_yaml_dictionary(data, root=None):
"""
A function to convert data to YAML dictionary.
CLI Example::
salt * convert.to_yaml_dictionary '[{"a": "bar"}, {"b": "foo"}]'
That example will return:
```
a: bar
b: foo
```
"""
return salt.serializers.yaml.serialize(
_to_dictionary(data, root), default_flow_style=False
)
def to_flags(data, enable_prefix="enable-", separator=" "):
"""
A function to convert a list of flags in a string to enable them.
"""
return separator.join([enable_prefix + item for item in data])
# -------------------------------------------------------------
# Lists and dictionaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def to_list(data):
return list(data)
diff --git a/_modules/forest.py b/_modules/forest.py
index 0555ada..659ecf7 100644
--- a/_modules/forest.py
+++ b/_modules/forest.py
@@ -1,134 +1,133 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Forest execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-11
# Description: Functions related to forests
# License: BSD-2-Clause
# -------------------------------------------------------------
def exists(forest):
"""
A function to check if a forest exists.
CLI Example::
salt '*' forest.exists eglide
"""
return forest in __pillar__.get("forests", [])
def get():
"""
A function to get the forest of the current minion
CLI Example::
salt '*' forest.get
"""
nodes = __pillar__.get("nodes")
minion = __grains__["id"]
return nodes[minion]["forest"]
def list_groups(forest=None):
"""
A function to list groups for a forest.
CLI Example::
salt '*' forest.list_groups
"""
if forest is None:
forest = get()
groups = __pillar__.get("shellgroups_ubiquity", [])
groups_by_forest = __pillar__.get("shellgroups_by_forest", {})
if forest in groups_by_forest:
groups.extend(groups_by_forest[forest])
return groups
def get_groups(forest=None):
"""
A function to get groups for a forest as a dictionary,
including the group properties.
CLI Example::
salt '*' forest.get_groups
"""
groups = {}
for groupname in list_groups(forest):
groups[groupname] = __pillar__["shellgroups"][groupname]
return groups
def list_users(forest=None):
"""
A function to list groups for a forest.
CLI Example::
salt '*' forest.list_users
"""
users = []
for group in get_groups(forest).values():
if "members" in group:
users.extend(group["members"])
return list(set(users))
def _get_user(forest, username):
user = __pillar__["shellusers"][username]
if "ssh_keys" not in user:
user["ssh_keys"] = []
try:
user["ssh_keys"].extend(user["ssh_keys_by_forest"][forest])
except KeyError:
pass
return user
def get_users(forest=None):
"""
A function to get users for a forest as a dictionary,
including the users properties.
CLI Example::
salt '*' forest.get_users
"""
users = {}
if forest is None:
forest = get()
for username in list_users(forest):
users[username] = _get_user(forest, username)
return users
def get_wheel_users():
"""
A function to get users to provision to the wheel group.
CLI Example::
salt '*' forest.get_wheel_users
"""
return ["root", *__pillar__["shellgroups"]["ops"]["members"]]
diff --git a/_modules/jails.py b/_modules/jails.py
index 2780568..95fb128 100644
--- a/_modules/jails.py
+++ b/_modules/jails.py
@@ -1,138 +1,137 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Jails execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-21
# Description: Functions related to FreeBSD jails
# License: BSD-2-Clause
# -------------------------------------------------------------
import errno
def _get_all_jails():
return __pillar__.get("jails", {})
def _get_default_group():
"""
Gets the default group to use as key to
the pillar's jails dictionary.
"""
return __grains__["id"]
def list_jails(group=None):
"""
A function to list the jails for the specified group.
CLI Example::
salt '*' jails.list
"""
all_jails = _get_all_jails()
if group is None:
group = _get_default_group()
if group in all_jails:
return all_jails[group]
return []
def flatlist(group=None):
"""
A function to list the jails for the specified group.
Output is a string, ready to pass to jail_list in rc.
CLI Example::
salt-call --local jails.flatlist ysul
"""
return " ".join(sorted(list_jails(group)))
def _get_hardware_network_interfaces():
return [interface for interface in __grains__["hwaddr_interfaces"]]
def _get_ipv6_network_interfaces():
return [interface for interface in __grains__["ip6_interfaces"]]
def guess_ipv4_network_interface():
"""
A function tu guess to what network interface bind the
public IPv4 jail IP.
"""
interfaces = _get_hardware_network_interfaces()
if len(interfaces) < 1:
raise OSError(errno.ENODEV, "No network interface detected.")
# Nasqueron convention assigns the ICANN network
# to the first card.
return interfaces[0]
def guess_ipv6_network_interface():
"""
A function tu guess to what network interface bind the
public IPv6 jail IP.
"""
interfaces = _get_ipv6_network_interfaces()
for interface in interfaces:
ips = __grains__["ip6_interfaces"][interface]
# We want an interface with IPv6
if len(ips) < 1:
continue
# Ignore local loopback
if interface.startswith("lo"):
continue
return interface
raise OSError(errno.EAFNOSUPPORT, "No network interface detected.")
def get(jailname, group=None):
"""
A function to get a jail pillar configuration
CLI Example::
salt-call --local jails.get mumble ysul
"""
if group is None:
group = _get_default_group()
all_jails = _get_all_jails()
return all_jails[group][jailname]
def get_ezjail_ips_parameter(jailname, group=None):
"""
A function to get the parameters to describe the jail
IP configuration to `ezjail-admin create` command.
CLI Example::
salt * jails.get_ezjail_ips_parameter ftp
"""
jail = get(jailname, group)
config = [
["lo1", jail["lo"]],
[guess_ipv4_network_interface(), jail["ipv4"]],
[guess_ipv6_network_interface(), jail["ipv6"]],
]
return ",".join(["|".join(interface) for interface in config])
diff --git a/_modules/nano.py b/_modules/nano.py
index 3af728d..901049c 100644
--- a/_modules/nano.py
+++ b/_modules/nano.py
@@ -1,59 +1,58 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Nano execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-09
# Description: Allow to generate a nano configuration
# License: BSD-2-Clause
# -------------------------------------------------------------
import subprocess
def _get_rc_includes(nanorc_dir):
process = subprocess.run(
["find", nanorc_dir, "-type", "f"],
check=True,
stdout=subprocess.PIPE,
universal_newlines=True,
)
return ["include " + file for file in process.stdout.split()]
def _get_rc_content(nanorc_dir, extra_settings=[]):
nano_rc_includes = _get_rc_includes(nanorc_dir)
content = "\n".join(nano_rc_includes) + "\n"
if extra_settings:
content += "\n\n" + "\n".join(extra_settings) + "\n"
return content
def check_rc_up_to_date(
name="/etc/nanorc", nanorc_dir="/usr/share/nano", extra_settings=[]
):
expected_content = _get_rc_content(nanorc_dir, extra_settings)
try:
fd = open(name)
except OSError:
return False
actual_content = "".join(fd.readlines())
fd.close()
return actual_content == expected_content
def config_autogenerate(
name="/etc/nanorc", nanorc_dir="/usr/share/nano", extra_settings=[]
):
nano_rc_content = _get_rc_content(nanorc_dir, extra_settings)
fd = open(name, "w")
fd.write(nano_rc_content)
fd.close()
diff --git a/_modules/node.py b/_modules/node.py
index f9611e7..e224a18 100644
--- a/_modules/node.py
+++ b/_modules/node.py
@@ -1,543 +1,542 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Node execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-21
# Description: Functions related to the nodes' pillar entry
# License: BSD-2-Clause
# -------------------------------------------------------------
from salt.exceptions import CommandExecutionError, SaltCloudConfigError
from salt._compat import ipaddress
from collections import OrderedDict
DEPLOY_ROLES = [
"devserver",
"salt-primary",
"viperserv",
"webserver-alkane",
"webserver-legacy",
]
WITH_NGINX_ROLES = [
"webserver-alkane",
"webserver-core",
"paas-docker",
]
# Should switch to CIDR notation if anything else than /8 /16 or /24.
DRAKE_PREFIX = "172.27.27."
def _get_all_nodes():
return __pillar__.get("nodes", {})
def get_all_properties(nodename=None):
"""
A function to get a node pillar configuration.
CLI Example:
salt * node.get_all_properties
"""
if nodename is None:
nodename = __grains__["id"]
all_nodes = _get_all_nodes()
if nodename not in all_nodes:
raise CommandExecutionError(
SaltCloudConfigError("Node {0} not declared in pillar.".format(nodename))
)
return all_nodes[nodename]
def get(key, nodename=None):
"""
A function to get a node pillar configuration key.
CLI Example:
salt * node.get hostname
"""
return _get_property(key, nodename, None)
def _explode_key(k):
return k.split(":")
def _get_first_key(k):
return _explode_key(k)[0]
def _strip_first_key(k):
return ":".join(_explode_key(k)[1:])
def _get_property(key, nodename, default_value, parent=None):
if parent is None:
parent = get_all_properties(nodename)
if ":" in key:
first_key = _get_first_key(key)
if first_key in parent:
return _get_property(
_strip_first_key(key), nodename, default_value, parent[first_key]
)
elif key in parent:
return parent[key]
return default_value
def get_list(key, nodename=None):
"""
A function to get a node pillar configuration.
Returns a list if found, or an empty list if not found.
CLI Example:
salt * node.list network:ipv4_aliases
"""
return _get_property(key, nodename, [])
def has(key, nodename=None):
"""
A function to get a node pillar configuration.
Returns a boolean, False if not found.
CLI Example:
salt * node.has network:ipv6_tunnel
"""
value = _get_property(key, nodename, False)
return bool(value)
def has_role(role, nodename=None):
"""
A function to determine if a node has the specified role.
Returns a boolean, False if not found.
CLI Example:
salt * node.has_role devserver
"""
return role in get_list("roles", nodename)
def filter_by_role(pillar_key, nodename=None):
"""
A function to filter a dictionary by roles.
The dictionary must respect the following structure:
- keys are role to check the current node against
- values are list of items
If a key '*' is also present, it will be included
for every role.
Returns a list, extending all the filtered lists.
CLI Example:
salt * node.filter_by_role web_content_sls
"""
roles = get_list("roles", nodename)
dictionary = __pillar__.get(pillar_key, {})
filtered_list = []
for role, items in dictionary.items():
if role == "*" or role in roles:
filtered_list.extend(items)
return filtered_list
def filter_by_name(pillar_key, nodename=None):
"""
A function to filter a dictionary by node name.
The dictionary must respect the following structure:
- keys are names to check the current node against
- values are list of items
If a key '*' is also present, it will be included
for every node.
Returns a list, extending all the filtered lists.
CLI Example:
salt * node.filter_by_name mars
"""
if nodename is None:
nodename = __grains__["id"]
dictionary = __pillar__.get(pillar_key, {})
filtered_list = []
for name, items in dictionary.items():
if name == "*" or name == nodename:
filtered_list.extend(items)
return filtered_list
def has_deployment(nodename=None):
"""
A function to determine if this server does continuous delivery.
"""
return any(role in DEPLOY_ROLES for role in get_list("roles", nodename))
def has_nginx(nodename=None):
"""
A function to determine if this server role should include nginx.
"""
return any(role in WITH_NGINX_ROLES for role in get_list("roles", nodename))
def get_wwwroot(nodename=None):
"""
A function to determine the wwwroot folder to use.
Returns a string depending on the FQDN.
CLI Example:
salt * node.get_wwwroot
"""
hostname = _get_property("hostname", nodename, None)
if hostname is None:
raise CommandExecutionError(
SaltCloudConfigError(
"Node {0} doesn't have a hostname property".format(nodename)
)
)
if hostname.count(".") < 2:
return "wwwroot/{0}/www".format(hostname)
fqdn = hostname.split(".")
return "wwwroot/{1}/{0}".format(".".join(fqdn[0:-2]), ".".join(fqdn[-2:]))
def has_interface_flag(flag, nodename=None):
interfaces = _get_property("network:interfaces", nodename, None)
return any(
[
flag in interface["flags"]
for interface in interfaces.values()
if "flags" in interface
]
)
def get_ipv6_list():
"""
A function to get a list of IPv6, enclosed by [].
Returns a string depending on the IPv6 currently assigned.
CLI Example:
salt * node.get_ipv6_list
"""
ipv6 = __grains__.get("ipv6")
return " ".join(["[" + ip + "]" for ip in ipv6])
def get_public_ipv6():
"""
A function to get a list of public IPv6.
Returns a list depending on the IPv6 currently assigned.
CLI Example:
salt * node.get_public_ipv6
"""
ipv6 = __grains__.get("ipv6")
return [ip for ip in ipv6 if ip.startswith("2001")]
def get_all_ips():
"""
A function to get a list of IPv4, not enclosed,
and IPv6, enclosed by [].
Returns a string depending on the IPv6 currently assigned.
CLI Example:
salt * node.get_all_ips
"""
all_ips = []
for _interface, ips in __grains__.get("ip4_interfaces").items():
all_ips.extend(ips)
for _interface, ips in __grains__.get("ip6_interfaces").items():
ips = ["[" + ip + "]" for ip in ips]
all_ips.extend(ips)
return " ".join(set(all_ips))
def resolve_network():
"""
A function to determine canonical properties of networks
from the nodes pillar.
CLI Example:
salt * node.resolve_network
"""
network = {
"ipv4_address": "",
"public_ipv4_interface": "",
"ipv4_gateway": "",
}
private_network = network.copy()
is_private_network_stable = True
interfaces = _get_property("network:interfaces", __grains__["id"], {})
for interface_name, interface in interfaces.items():
if "ipv4" not in interface:
continue
ipv4 = interface["ipv4"]["address"]
if ipaddress.ip_address(ipv4).is_private:
if not ipv4.startswith(DRAKE_PREFIX):
continue
target = private_network
else:
target = network
target["public_ipv4_interface"] = interface_name
if target["ipv4_address"] != "":
continue
target["ipv4_address"] = ipv4
try:
target["ipv4_gateway"] = interface["ipv4"]["gateway"]
except KeyError:
pass
if network["ipv4_address"] == "":
main_network = private_network
else:
main_network = network
if private_network["ipv4_address"] == "":
is_private_network_stable = False
tunnels = resolve_gre_tunnels()
if tunnels:
tunnel = tunnels[0]
private_network = {
"ipv4_address": tunnel["src"],
"ipv4_gateway": tunnel["gateway"],
}
return main_network | {
"private_ipv4_address": private_network["ipv4_address"],
"private_ipv4_gateway": private_network["ipv4_gateway"],
"is_private_network_stable": is_private_network_stable,
}
def _resolve_gre_tunnels_for_router(network, netmask):
tunnels = []
for node, tunnel in __pillar__.get(f"{network}_gre_tunnels", {}).items():
tunnels.append(
{
"network": network,
"description": f"{network}_to_{node}",
"interface": tunnel["router"]["interface"],
"src": tunnel["router"]["addr"],
"dst": tunnel["node"]["addr"],
"netmask": netmask,
"icann_src": get("network")["canonical_public_ipv4"],
"icann_dst": get("network", node)["canonical_public_ipv4"],
}
)
return tunnels
def resolve_gre_tunnels():
"""
A function to get the GRE tunnels for a node
CLI Example:
salt * node.resolve_gre_tunnels
"""
gre_tunnels = []
for network, network_args in __pillar__.get("networks", {}).items():
if __grains__["id"] == network_args["router"]:
gre_tunnels += _resolve_gre_tunnels_for_router(
network, network_args["netmask"]
)
continue
tunnel = __salt__["pillar.get"](f"{network}_gre_tunnels:{__grains__['id']}")
if not tunnel:
continue
gre_tunnels.append(
{
"network": network,
"description": f"{network}_via_{network_args['router']}",
"interface": tunnel["node"].get("interface", "gre0"),
"src": tunnel["node"]["addr"],
"dst": tunnel["router"]["addr"],
"netmask": network_args["netmask"],
"gateway": network_args["default_gateway"],
"icann_src": get("network")["canonical_public_ipv4"],
"icann_dst": get("network", network_args["router"])[
"canonical_public_ipv4"
],
}
)
return gre_tunnels
def get_gateway(network):
# For tunnels, gateway is the tunnel endpoint
tunnel = __salt__["pillar.get"](f"{network}_gre_tunnels:{__grains__['id']}")
if tunnel:
return tunnel["router"]["addr"]
return __salt__["pillar.get"](f"networks:{network}:default_gateway")
def _get_static_route(cidr, gateway):
if __grains__["os_family"] == "FreeBSD":
return f"-net {cidr} {gateway}"
if __grains__["kernel"] == "Linux":
return f"{cidr} via {gateway}"
raise ValueError("No static route implementation for " + __grains__["os_family"])
def _get_default_route(gateway):
if __grains__["os_family"] == "FreeBSD":
return f"default {gateway}"
if __grains__["kernel"] == "Linux":
return f"default via {gateway}"
raise ValueError("No static route implementation for " + __grains__["os_family"])
def _get_interface_route(ip, interface):
if __grains__["os_family"] == "FreeBSD":
return f"-net {ip}/32 -interface {interface}"
if __grains__["kernel"] == "Linux":
return f"{ip} dev {interface}"
raise ValueError("No static route implementation for " + __grains__["os_family"])
def _get_routes_for_private_networks():
"""
Every node, excepted the routeur, should have a route
for the private network CIDR to the router.
For GRE tunnels, the gateway is the tunnel endpoint.
In other cases, the gateway is the main router (private) IP.
"""
routes = {}
for network, network_args in __pillar__.get("networks", {}).items():
if network_args["router"] == __grains__["id"]:
continue
gateway = get_gateway(network)
routes[f"private_{network}"] = _get_static_route(network_args["cidr"], gateway)
return routes
def get_routes():
routes = {}
interfaces = _get_property("network:interfaces", __grains__["id"], {})
for interface_name, interface in interfaces.items():
flags = interface.get("flags", [])
if "gateway" in interface.get("ipv4", {}):
gateway = interface["ipv4"]["gateway"]
if "ipv4_ovh_failover" in flags:
routes[f"{interface_name}_gateway"] = _get_interface_route(
gateway, interface["device"]
)
if __grains__["os_family"] != "RedHat":
# On RHEL/CentOS/Rocky, legacy network scripts take care of this with GATEWAY=
routes[f"{interface_name}_default"] = _get_default_route(gateway)
routes.update(_get_routes_for_private_networks())
return routes
def get_carp_entries():
network = get("network")
carp_entries = []
for interface_name, interface in network["interfaces"].items():
device = interface["device"]
for fhrp in interface.get("fhrp", []):
if fhrp["protocol"] == "carp":
vhid = fhrp.get("id")
# ignore invalid CARP entries
# when vhid or vip are empty in netbox,
# in the pillar configuration we'll see that entry carp fhrp = []
if vhid is None:
return []
# Salt will actually recreate a dictionary, so it won't respect the order
# even with OrderedDict
entry = OrderedDict()
entry["device"] = device
entry["interface_name"] = interface_name
entry["vhid"] = vhid
entry["vip"] = fhrp["vip"]
# peer is not always required, if we work in multicast, we won't have peer
if peer := fhrp.get("peer"):
entry["peer"] = peer
entry["advskew"] = fhrp["advskew"]
carp_entries.append(entry)
return carp_entries
diff --git a/_modules/paas_docker.py b/_modules/paas_docker.py
index 113ef5e..8c58a31 100644
--- a/_modules/paas_docker.py
+++ b/_modules/paas_docker.py
@@ -1,166 +1,165 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — PaaS Docker execution module
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-07
# Description: Functions related to data format conversions
# License: BSD-2-Clause
# -------------------------------------------------------------
def get_image(default_image, args):
"""
A function to output a pillar key in JSON.
State Example::
{% image = salt['paas_docker.get_image']("nasqueron/mysql", container) %}
"""
image = default_image
if "image" in args:
image = args["image"]
if "version" in args:
image += ":" + str(args["version"])
return image
def list_images():
"""
A function to get the list of images used on a Docker engine.
Example:
salt docker-002 paas_docker.list_images
"""
images = __pillar__.get("docker_images", [])
# Workaround for a merge issue for lists:
# Salt Tower concatenates them, a set will dedup them.
return set(images)
def get_subnets():
"""
A function to get the Docker subnets list.
CLI Example:
salt * paas_docker.get_subnets
"""
try:
networks = __pillar__["docker_networks"]
except KeyError:
networks = {}
# Defined Docker subnet
subnets = [network["subnet"] for network in networks.values()]
# Default Docker subnet
subnets.append("172.17.0.0/16")
return subnets
def _get_containers():
try:
return __pillar__["docker_containers"]
except KeyError:
return {}
def list_containers():
"""
A function to list all the containers provisionned on a Docker engine.
This function uses the pillar docker_containers as authoritative source,
so it documents the expected configuration, not the actual containers
running. That allows to compare both states.
CLI Example:
salt * paas_docker.list_containers
"""
return [
key
for service, service_containers in _get_containers().items()
for key in service_containers.keys()
]
# -------------------------------------------------------------
# Docker configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def build_daemon_config():
network = __salt__["node.resolve_network"]()
config = __pillar__.get("docker_daemon", {})
config["metrics-addr"] = network["private_ipv4_address"] + ":9323"
return config
# -------------------------------------------------------------
# Nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def resolve_vhost_config_file(service, dir="roles/paas-docker/nginx/files/vhosts"):
candidate = f"{dir}/{service}.conf"
if __salt__["slsutil.file_exists"](candidate):
return candidate
return f"{dir}/_default.conf"
def is_nginx_service(full_service):
return any(["host" in container for _, container in full_service.items()])
# -------------------------------------------------------------
# Monitoring
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def _get_health_check_url(check_type, container, url):
if check_type[-6:] == "_proxy":
return f"https://{container['host']}{url}"
return f"http://localhost:{container['app_port']}{url}"
def get_health_checks():
"""
A function to get a dictionary with health checks
for known containers to use with our monitoring.
CLI Example:
salt * paas_docker.get_health_checks
"""
containers = _get_containers()
monitoring = __pillar__["docker_containers_monitoring"]
return {
check_type: {
instance: _get_health_check_url(check_type, container, url)
for service, url in monitoring[check_type].items()
for instance, container in containers.get(service, {}).items()
}
for check_type in monitoring.keys()
}
# -------------------------------------------------------------
# Format
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def format_env_list(values, separator=",", assign_op="-"):
return separator.join([f"{k}{assign_op}{v}" for k, v in values.items()])
diff --git a/_states/nano.py b/_states/nano.py
index a7cc725..4832865 100644
--- a/_states/nano.py
+++ b/_states/nano.py
@@ -1,40 +1,39 @@
# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Salt — Nano state
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-09
# Description: Allow to generate a nano configuration
# License: BSD-2-Clause
# -------------------------------------------------------------
def config_autogenerated(
name="/etc/nanorc", nanorc_dir="/usr/share/nano", extra_settings=[]
):
ret = {"name": name, "result": False, "changes": {}, "comment": ""}
if __salt__["nano.check_rc_up_to_date"](
name=name, nanorc_dir=nanorc_dir, extra_settings=extra_settings
):
ret["result"] = True
ret["comment"] = "{0} is already up to date".format(name)
return ret
if __opts__["test"]:
ret["result"] = None
ret["comment"] = "State nano will write config file {0}".format(name)
return ret
try:
__salt__["nano.config_autogenerate"](
name=name, nanorc_dir=nanorc_dir, extra_settings=extra_settings
)
except Exception as e:
ret["comment"] = e
return ret
ret["comment"] = "Configuration written"
ret["result"] = True
return ret
diff --git a/hotfixes/CVE-2017-6074.sls b/hotfixes/CVE-2017-6074.sls
index 895b605..37b8af3 100644
--- a/hotfixes/CVE-2017-6074.sls
+++ b/hotfixes/CVE-2017-6074.sls
@@ -1,25 +1,24 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# CVE-2017-6074
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
/etc/modprobe.d/blocklist-dccp.conf:
file.managed:
- source: salt://hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
- mode: 644
{% endif %}
{% if grains['os_family'] == 'RedHat' %}
/etc/modprobe.d/disable-dccp.conf:
file.managed:
- source: salt://hotfixes/files/CVE-2017-6074-disable-dccp.conf
- mode: 644
{% endif %}
diff --git a/hotfixes/T1261-srv-data.sls b/hotfixes/T1261-srv-data.sls
index 943365e..35a92fd 100644
--- a/hotfixes/T1261-srv-data.sls
+++ b/hotfixes/T1261-srv-data.sls
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-17
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# T1261
# We now provision /srv/data instead of /data for Docker
# containers data. As such, we ensure a symlink exists
# on servers still using /data.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if not salt['file.directory_exists']('/srv/data') and salt['file.directory_exists']('/data') %}
srv_data_symlink:
file.symlink:
- name: /srv/data
- target: /data
{% endif %}
diff --git a/hotfixes/T1345-drop-jails-from-ysul.sls b/hotfixes/T1345-drop-jails-from-ysul.sls
index 2bcf076..133bd29 100644
--- a/hotfixes/T1345-drop-jails-from-ysul.sls
+++ b/hotfixes/T1345-drop-jails-from-ysul.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-17
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# T1345
#
# Drop rc configuration launching jails.
# Keep jails directories' content.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['id'] in pillar['roles_disabled']['paas_jails'] %}
{% for jail_rc_config_file in ['jail', 'netif/jails', 'ezjail'] %}
/etc/rc.conf.d/{{ jail_rc_config_file }}:
file.absent
{% endfor %}
{% endif %}
diff --git a/hotfixes/init.sls b/hotfixes/init.sls
index ed20c6b..f963463 100644
--- a/hotfixes/init.sls
+++ b/hotfixes/init.sls
@@ -1,19 +1,18 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .salt
- .CVE-2017-6074
- .T1261-srv-data
- .T1345-drop-jails-from-ysul
- .MariaDB
- .leap-seconds
- .portsnap
- .python3
- .old-directories
- .tmux
diff --git a/hotfixes/old-directories.sls b/hotfixes/old-directories.sls
index 3074992..f53dbb6 100644
--- a/hotfixes/old-directories.sls
+++ b/hotfixes/old-directories.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# T1325
# We now provision /var/wwwroot/<domain></<subdomain> for
# all servers and not only for the web servers.
#
# As such, /var/www/html nginx default directory on shellserver
# role can be pruned.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if salt['node.has_role']('shellserver') %}
/var/www/html:
file.absent
{% endif %}
diff --git a/pillar/core/groups.sls b/pillar/core/groups.sls
index 5350150..04ab42a 100644
--- a/pillar/core/groups.sls
+++ b/pillar/core/groups.sls
@@ -1,142 +1,141 @@
# -------------------------------------------------------------
# Salt — Users accounts list
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Users groups
#
# These groups will be deployed on each servers if included in
# shellgroups_ubiquity or in some servers forests if included
# in the state shellgroups_by_forest.
#
# As for users, the mere fact to add a group here is a no-op.
# These mapping are defined in the forests.sls pillar file.
#
# Sort the groups by GIDs.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
shellgroups:
shell:
gid: 200
title: Eglide shell users
description: >
Provide an account to use on the Eglide shell hosting project servers.
members:
- aceppaluni
- adrien
- akoe
- alinap
- amine
- amj
- ariel
- axe
- balaji
- bogani
- c2c
- chan
- dereckson
- dorianwinty
- duranzed
- erol
- fauve
- fluo
- harshcrop
- hlp
- ieli
- kazuya
- khmerboy
- kumkum
- mous
- pkuz
- ptdradmin
- rama
- rashk0
- ringa
- rix
- sandlayth
- sandrine
- shark
- thrx
- tomjerr
- vigilant
- whoami
- windu
- xcombelle
- xray
- yousra
chaton-dev:
gid: 827
description: Manage Bonjour chaton service
members:
- hlp
nasqueron-irc:
gid: 829
description: Manage IRC bots used for Nasqueron projects
members:
- dereckson
- sandlayth
nasqueron-dev-docker:
gid: 842
description: Docker development
members:
- aceppaluni
- amine
- dereckson
- dorianwinty
- duranzed
- mous
- ptdradmin
- sandlayth
- sandrine
ops:
gid: 3001
title: Nasqueron Operations
description: >
Maintain the servers infrastructure. As such, members of this
group have a root access everywhere.
members:
- dereckson
- dorianwinty
- duranzed
- sandlayth
- yousra
deployment:
gid: 3003
title: Nasqueron Deployment
description: >
Build software to be installed on the servers.
Deploy web sites and services files.
members:
- dereckson
nasquenautes:
gid: 3005
title: Nasqueron servers users
description: >
Provide an account on Nasqueron development servers.
members:
- aceppaluni
- amine
- dereckson
- duranzed
- dorianwinty
- fauve
- fluo
- ieli
- mous
- ptdradmin
- rama
- sandlayth
- sandrine
- xcombelle
- yousra
diff --git a/pillar/core/users.sls b/pillar/core/users.sls
index bddb8bc..2ddecee 100644
--- a/pillar/core/users.sls
+++ b/pillar/core/users.sls
@@ -1,345 +1,344 @@
# -------------------------------------------------------------
# Salt — Users accounts list
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Users accounts
#
# shellusers:
# When an account isn't included in a group, this is a no-op.
# As such, users hereby listed don't have access to any server.
#
# revokedusers:
# Users in this list will be removed from the servers.
#
# To rename a user:
# Edit the username in the shellusers section,
# add the former username to the revokedusers list.
#
# Sort the accounts by their username in alphabetic order.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
revokedusers:
# Account renamed to erol // T808
- fedai
# Temporary test account // D608, D609
- amjtest
# Account renamed to sandlayth // T789
- kalix
# Users who never have connected to Eglide's accounts (SSH key issues)
- tarik
# Account renamed to ieli // D3805
- inidal
shellusers:
aceppaluni:
fullname: Angelina Ceppaluni
shell: zsh
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0H8u9qxgVdchg/IU6uxDDD5ry0uux0HKyht5vtACvy Lenovo Thinkpad X1
uid: 2037
adrien:
fullname: Adrien
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID12BxPqs2pqkhJHZOVUzcbp3KlDsWOBWKxdwnjNFP7S adrien@Adrien-Latitude-E6510
uid: 2029
akoe:
fullname: akoe
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCY5PLKcpxx2TbM+gZGK7tiDFrPt9kGe5rwyg2hWbSBI+Qpj0BimxD7XKgqXU08mHLO3R3bfdFbr1QApLvHGKa2DKoj6kJfax8T1uodOcSf6F/q2jlmqnlIX8ezS9ysSHreEFrqjkge5/Z4v4TJd4co2hvF4Kg1H4ZL0wpuDavu20f6YpqmtV9CXHvotYhvwcYQEpykjJrR7mvmm2vGEuMpvcnXlbl3q6FGnhJ4q5u7o9hHoEA+HgEsM8TBAtFkiFS2bGfMOq8ulNyrkB8lMNgqtFf1g5YaCTfHVxbLyl19+KBb6AeReQK71OMWCLdYy/cpoWUq0EyUYNB9QVlVeEUb akoe
uid: 2024
alinap:
fullname: alina-precup
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3mxUhsVuSdh7sMwKlXgUF1h9Rn/Sstt8V+mhbjRQE/joBL5K6blRzHaDEEBgYpcLexJVh7Z5GlAX7E/RU5UTF/I/fr+EfFue3pJAIGDVncjOGHO5tJGQ+InD/+dA7sPYrksBjnGHWpkilYrFwZXcNQjwacOc3OGOBjWZqnBE/rfPRAt8O/Q6BQgibAr7LeFVLepTengQx2kU0Nd9KJRf0v9NupQfU5l8MftSVKuRbjayXQTW3lg/tOdoAEo17sKuqFkRMXHgUSrjRNLFZ3shzNiXr29aNCausucIYwQ5NYs5j+k+nLVF1a8zx79ZP/zEUMiQ//hzPQMAyIKeVQ08EQ== alinap
uid: 2031
amine:
fullname: amine
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5huIoF74NC65tuUKuJXjVdFchXQhsBs5yFN02Wny+R chenani.be@gmail.com
uid: 2043
amj:
fullname: Amaury J.
shell: zsh
ssh_keys:
- ssh-rsa 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 am@gentam
- ssh-rsa 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 am@debian-am
- ssh-rsa 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 amj@dwabyam
- ssh-rsa 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 amj@thinbiam
- ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGTsWhz2x/ONqeMupnd0kQi8aJmMSWDmviNwuZY1WeDuggTylFv9hDUxPUQ+gNydZHEmFRs5qTzcM/P9AYK+0CZOwGluJD5Nfd7LsqgxRVTJ1jb71kOHF2ektjW+OJufWGZv1bTJG5SU/bFXzIgxkDVjwitM0OSeKzERe2PKjQ/ydxqjw== amj@debiam
uid: 2005
ariel:
fullname: ariel
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwaTYlLZ90/oQ5tDYDkhI2mHa1L6Vh+zcekCt8D08N7/CrFI5sUVteTwMWw2ytQlWnyT3HVgHb4IS1EPjpjyuqseRcNW0HYsqBk3E36PCBQIqjLZ0nDAeHQtm6T6pXiKC5qUppghwrvDxVYFpF3lFzAzfYMrF7iugk0xRPTHZWm8df7dqIB/6FfbxSD95yQVAlJefxoFWbo3Yn+exEZQvWv6lQYXnjV5DSwMf8tPGDkc2DRjrnR52ZrXPRZFCqc9JGkA/l8QsYtjmqJdnOgq5raOb56aRulJYdP2j//B4lRJJlglMuj8dSZE/j04zub+P2QhfdqeEHmeaTUqbwcnZZw==
uid: 2021
axe:
fullname: axe
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjrcYXZ2/bfTdxVI1ZMXknB7WJa8uY1RLZ5Vrs2LPRTzBqaXzpY6/Iw5Ibiy8KMbVo/vQtAWrGY00ucHE+swS2VEtWIZc72kSznkL65bKtqHbZa+IqktRUBsg6ay/3Xups0DBfZ1T+SRSiLh0rya1dXd2NyIrvSo5eCxEPqAPm87rOrgC95GRxqlJUZ5ZOjV92K9v6TcTQWn61nGl2DQviAugNGtHGXhq0Xk98lWkLeGhDLedJOqFmHvqGrkSQpEps7ivlh3Mstv49pXqH1dIA7UhnyX5DTR6YjhIKehZnCfsl8wt6FMCs5QMor1giY4ZpUhY2D4ezvzFD2kqbOUvQQ== 2017-06-14
uid: 2019
balaji:
fullname: Balaji Ramasubramanian
shell: bash
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9mJZLoqSiPgMxChZxkfkqLxjZw/WuqUC1m7jn93jZp Balaji@Balajis-MacBook-Air.local
uid: 2027
bogani:
fullname: bogani
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCW8ca/Agw6GuRTUHJpptRVunNJvqewQLV39uT0JIBiANFawI/SWkCm/dS78I4ELiJ61tpJhWMZuWjh3ebnJP/Zbv0AUAsMlilW1K2lIjgnOxpqkqHNzm5sUAccmUO/U6kRE7B1/t8ndY9fC31QPr13XY1hjCLl3vOM9BIWc6RkB4tU/W60o0hsFPkVFQ1RvOy/+oji1Q6L5Epqzz9pmm39XxlTsnP1+4zrt8NaCvH1oOQI1q4Hg0xYy5PADWj/C+AafvQ3rNy7MkdifdbM9mgEKUZAqpgEjmhjVMRhhjRVv2B3ZeMFqvYbB+h/AqXpT/H0/NIfuPdcXg8pzHtND1X9 rsa-key-20220325
uid: 2036
c2c:
fullname: c2c
shell: fish
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyoC7ekLYc7nsd1QsgfdEatYw1FC7z92miIdXvx0n8O c2c@ender
uid: 2012
chan:
fullname: Chanel
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvDcmKHfTrCBRpjJxYyIELMRknrMpDXfcKDhfXqmB09 chan@Calculon
uid: 2009
yousra:
fullname: yousra
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPHfTvCv5XhNV5XgXWfuTWswLzt1dfYL1PhTfFx8trpn yousra@yousra-Vivobook-ASUSLaptop-M1605YA-M1605YA
uid: 2042
dereckson:
fullname: Sebastien Santoro
shell: zsh
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgiReRjBvGGZ7QZC9ATJ2UIWAd9yH0Is7Xqz1kG1QQt windriver.nasqueron.org
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzD5VzetMFTUHLWrLyBsnZ6bdwDa4Ip9WWAh5nLxKyR ysul.nasqueron.org
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGIYBdz8pW4vaSyA/QPlcU81uLI8SHoq7I+K6FPO9oh graywell.dereckson.drake
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV4p25jLQQHLgKH1SawoNLKuxkfyHuERRDUN9QZ7i5m yakin.dereckson.drake
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVY2Oeppn//0Jm4W3ejLDe+D/+4FMFZR9rzeVrnFkPE yakin.dereckson.drake
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeCWiov3TpAccZTYpez+ZPxsg3+ZZMzTOE3ZvjUCdWl voxbone-laptop-20240416
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhXyFekC8WTIn6qjguB813I79aJ6uLpu47Z8vX22ipc yggdrasil-20220419
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiur001u1XJkkKg6zBcjLttySPWSaZHDnJSKZuB8qh0 yggdrasil-20251201
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMfnieEOHNJ4a5blp8NN+O2xpK6IgyNf19dhng6H0Wxx dereckson@bluedrake
yubico_keys:
- ccccccbjncrt
devserver_tasks:
- deploy_dotfiles
- deploy_nanotab
- install_rustup
- install_diesel
everywhere_tasks:
- deploy_dotfiles
uid: 5001
dorianwinty:
fullname: Dorian Winty
shell: zsh
ssh_keys_by_forest:
nasqueron-dev: &dorianwintyDefault
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG04iMvqgusA7/3x+RlFCtZXhUEBMzNN58XIujnuO+Us dorianwinty@Portable_NasqUser
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTy1gvUMYwagFoj23dh04oIBYJKYHe6BkcUJ4j0i8nb dorianwinty@Tour_NasqUser
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr1RIu110xdMtjnI2YbwLQVG3CbfXj+0HSBiQxs9vy8 dorianwinty@Windows_NasqUser
eglide: *dorianwintyDefault
nasqueron-dev-docker: *dorianwintyDefault
nasqueron-infra:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvsKoZ8zu6epX/t+5f376OMFjSEphnVkfIslORK7HWk dorianwinty@Portable_NasqOPS
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATc5qI/lUp8JfEyqOJOrOy6rGd3hJUgrB1TEL01cVuY dorianwinty@Tour_NasqOPS
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAl6y6QLJM3vsw76dkhu91XUqHFzNIDi8MvpdP8vciT7 dorianwinty@Windows_NasqOPS
everywhere_tasks:
- deploy_dotfiles
uid: 2035
duranzed:
fullname: Sami Baghdadi
shell: bash
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbx5OmeenLlVYjqgxaWa68bJ7RaQurr85Qt/149UcOv
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGB00xLAHeVAPhrQ/QhY6RGJ63OwYXQhz9KgiGtFPAM
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwZeby2eoLcKhMjvTOkwHOm3TEGJheHfVTIiaxp+BqQ
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxVYR3fbEP6znhHqi6Dbsq2B7Cg8XpKMspnb/8vC6tK
uid: 2041
erol:
fullname: Erol Unutmaz
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdHrSRJGwaGFTpoZIvkoWTMpnXgke77emVicMT8b37kcUepeD91pA3UPQ7UOEQl/Af3Ly7ePneymZ6NjAkM06oPeIjxE6Nz+i6p7rVIZhCb9qz+hdKgt4wSEQLWponegFNdCUs6HvMjDGlsI0kajHgIakXiKAwNyxhQzpBoGranO9c2PdAq2HGq7Kcq8ApC1kdKG0W3dT4PWborzmt1jWna2yosEn+TTHj5wi2p/E9BsCbmfokBO3xn491lr1P4shh4zg7Mv3SPD3j4/mZb9EMwD8cl4y9ZIoMEbL8p4s8J7Joqs3gK9hmMN5ZCNUFrNrJu3TCRZre2k7cV3+U3IXT erol@fedai
uid: 2002
fauve:
fullname: Fauve
shell: zsh
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQAhf4Du37UglM/hh9ZW2HCq3VtMfj+bgnbjvcIEwo0 fove48@OperateurNoir
- ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABsfXPdhHqjAL7AOSCymUZU/7jXL95mfU+HeFuelF+Re+T35u6Qe5KSzQ1iT7lhLafGt6ARQgVvflQ1OgtvhlLhwwDb7MUNbThyr5SNbHfkZpDBGY5sNZfMPJLsYWvKXkxJ5ev8rxcCmER+g3qUAf5oKCDKY3cyODDAhMGKl1POemiaDQ== fauve@CrepusculeEcarlate
uid: 2030
fluo:
fullname: fluo
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCf9bNQ8yL9Ej/RTA6QSD6iqSK89kVUcaR8KF6P4cc516we9VuEardtCvd9juOO5f2LwFW08qkxj7mgC180ue7unEK1C228gyyupQk3sPKgAaeBm1o2HWz6x2B86HxZj0vh6K228KMZkHHOGE9NThmfa29flqW6aOvElh9lyv13ki5Kw2dN5dg3i/SU2FmJrj2oDbv837ezkeVM7wczfy+ZVvh5/3G+RVLJVoL68E/m/9SjuX+zzUtWqCG9c/eb5eab36LD/LijIVn1rpN3179f8uh2jV8gFEc+NegPtk9rx/da3WWh/qH/UzIEJ4MvkvaGIud3qGXM5RxAEuSa/VnB mobile
uid: 2034
harshcrop:
fullname: Harsh Shah
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1ANaxVViiL8s2KTdb+p4FWBBZjXz3zH9/es0SSLuXzCjcs1opEeMeb4roQWWgxrZ3j0aOJAj0smSP1THtrwW1xUE5DidmueuqokgbQuvkrsvcDaJYbNjUr/3fAw7/JcWgh4lSSxCLgflpjBr5aTlMQZj/KPrGnlzjr/hPvb8cAomS2HD+hLuC2z26cvOhY811scTZWMoBrxSkmrXOTkutRdZm+TrYJyZy7xQ9ncfsARYzrOZ4be+0mfb6i4tJfMbBvadSu/gyJdOLCfV5SxdjpMLPqIXO9hWkRKYH8SFX5ZWVw8C06iJWcnFCIw1YMTFYe1MNqV8YICiYUmJ2CWaL harshcrop@Harshs-MacBook-Pro.local
uid: 2020
hlp:
fullname: hlp
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIP+04Jhq2toJ+RLx41NKrtDGgmSCfOsAY/BnJ6EzNXC hlp@sonny
uid: 2018
ieli:
fullname: ieli
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTjy3c0q4mdwXGFlVww+zDHxIJAlkObxW39FFQtGgEq ieli@windriver
uid: 2032
kazuya:
fullname: Kazuya
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtCcRQ6HVKD5mj602UJkpI/TMGVt1R0yYx1HxP6SWJb6FM2E4wzkxtf0sp2cxW/9Lz/0OsQV8fSSo/qfUhQXfRcL+rxsM+iixD0WMffMC8CrqsYS+VV32HR2sIm8J7yyMweJrfYneErdFisGmMgOFw8vBGX01XfdwGqbSflf3Tal7L3R0g65rclGsg7JckWE6RQMXnvGwXQxv4QahaNtZK74AlyeFgsXYlv14UeaGE4Pz+rkgZKoC4tvAOBQMNxWtCPMcydJOacoCZO7Jcxv0jMUo0y26mulQ6vbz5hqAPS612c47gh8VNDDkQaznQMeiSyIlnvDEkHmzvC8Z3UAeJ eglide
uid: 2004
khmerboy:
fullname: khmerboy
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxg4+y6QxyyeHvmcWHy5Q9pjh8YBNC+Q1w3+QHWH/7WKw9odKHgtpu2hixfOeZl5k/E9+XPw2oGmQzs3pInz/yyegGB57kb3xAftqJkHVuBKsrz+7q3fPjnoqk3VZ62k5II3oqEEjizdVhEVacU+149m3LJWo+FKoRAKxlX39KwEM+UMDfynck7OJvKRWTTP/cbPzR7kaMifQLWZF6stFilRnYBAesK2DzLgO37DovwxmQO1CbBuitgsHwLDXGW0gePyC39REIrntZSte1xdlEfC27rQnXcH3YPcTm9bwNBXnK1Jiwfp3fJ6q6FIz9IaybhO6CGNOOODHN4R4DTbbfQ== rsa-key-20170922
uid: 2023
kumkum:
fullname: Kumkum
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnCIiESqqsGOhaS16jwboLplQIP0FwKMhk0oRF7EP55 kumkum@kumkum-E200HA
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDjGAJrUHKDTNnd6fpypm2A09lScdK6jAA4w5BRQZvx mobile
uid: 2008
mous:
fullname: Moustapha Ait Salah
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3yPzly2A7D0C3bdA2wOwHMyV1JW1D974EfLWhucLAZvN8AiblIER/W5vO1er+6KMQOAeeuXfLs+mGNHBYYewjfQIcKI6puCrBUyschvDXLT2WJyB1wsgoXho8ilsQtTZeYNbxM7uoZUYl1N8FILk57ogVpoWZuhQAgf/Df2YbWSpW1mOOrD/WdHD/X4LCRN/BHJhBZ7YX9wQIIpdg3CO/eByJenxdXSDoa9znPwTG0F7/WNx+CKXRzqIxCUoo0sOLRZJBed4mXH4dboUDoxkJRlOjntyuHVZyFKdUmL8Youzi9EfHWR2/5egoGFXqnej+Jt7Spsp9hTIfYqIjPzGX+Sq2ArVXkmVDxaGfqbAv0CGHC3FatqZvz47pVGFrplOgbpTImCvlya2m3tDw2WdVUGfFLEe0DfUjfY/Qg8oQZOlfgsoaX6bc7A51mUfWASOxjwu9ZWXRKenSWKWbVY2XpwXRkO2RJMp+sk+upwveK0R79nJBludWV3xg9bZaVD8= mous@MacMous.local
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPO/ZVBy9fso4CV5OK/RnKE4gimpZxkpHEi6gI7VUSfT mouspro@MacMous.local
uid: 2038
pkuz:
fullname: PK of UZ
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+UZbXGwJ7OqxiwsQiTCbL13Vtia1dCPcj7OhiDOzvKGE376Ua2ZB3bNCl3LzPCvyKbNeYyglZe2lrab2e99GkNvdf8e2H2bvoubnB75ZGjz9IZenzz2YahLb7NyLq3kfKLYW8Yff9HqENJbVQCOouAZhP6yXR4fvoHQ+/bdxbHwtoMeetfQH9n5nywqtt0X0Se1qiSbGKLAO+59KRM+D3K4NMBgpkmEbnU1tVi6Bf8ti5Nie5vKKhHw5WGR8FTsuffE9WjbZcxWQvLnhPOu2Rbl3G5lLm8p68VWY9zZscIbcB6uhF8mKH2qazu95T2RJxEBCwFLLG9v6EHORtAWNL pkuz
uid: 2022
ptdradmin:
fullname: Doba gui
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2n2wxPI74EpjdpjVJHX9stxKer1BSfRlGdzxnvsZVR ptdradmin@PC-GUI
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAFtlR4OeXNHfJXNrvrLeU9nGu7ufcxc38xUGqlwiY5L doba.guimartinien@gmail.com
uid: 2040
rama:
fullname: Rama
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADXRCZ9fFZJAJLOF0PakwhuU9b5Ne4PPr7ESwJzYndn
uid: 2013
rashk0:
fullname: Rashk0
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNr1VcyT8cSDsylMn4zHmfD4ulLbCM8gK+2GrXwlidMNX5pWOs3svSRbF62r9s8jGILzCGc/dOsYFxsX2CI378Io1ybBZsV2PpkBpjnAHSTHCSD5qbrzPWFoOyn7YLUXzKZ64Jss5Mb3x0SCTD0BNJ1xmNI+OCZNOtkw7yeXHgwCKOGVwiCViNsYt7j1N0st4tUMpFv5OPohs2f+AEKjDPsLODfzMR0MrFRSItmqPmE1er/noPFtHH4GOvyiENZeERClkeiM6XrLtQi+awD0Chf8c2++4BfNNwRrIkJuMkQ78kT0uU7vVO3WlcLdyv0Tokgc79CJ89yqnH4+tS/jzx campari@Alpha
uid: 2003
ringa:
fullname: Ringa
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiTobf2i/IveVlpdntX9M6p9rOe60HuODq5FslTIFxA/RwKQbJKafCQZ3ci+Pt9BKAKtBGSJANNfbxxN7VRB+iO6UZUh2Qjb012CfigC5g1r9MEryqh8LBP27NqTkCqjMZrwUa6pYMBG1/ydbOA0BIr3C72QfpXC/qCSvXNgQzL7DGSR7cgjhGvMDn5ewJuxsvXAcajMLEORxeYooONG9ELGRUMFI4WcX6gmiYcrMVsMF+7ByshIngV5v9esWadi+RdTWUVOYt2yVS7hkYHZwUX/bN1AOfkRiuD1w3DFFiHhSoquCwaOOZjKxAw6VOrV6O/toLGe0kXXfRFzeB29/1w== rsa-key-20170111
uid: 2010
rix:
fullname: Rix
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjFnOi4rwBVdw69U9y1xgWXrfNNgxEXAmbXthzHae07COwN190xoWv8VeogKxfMdxE2Tj4E0BDFt2i7Jbk9BploFdNXG46lrnoszmgRsuRx5jERfvMyOPvCAQHbL0N53AL6zH9wXF/51a5bJJ3n4wkmO1nDj9WqrDNk0in+knICiPHQX4TxwRXqBuf61gQMxwy8Aoy1WCCfCeAesZxjdFM47C6X3PPHVaXvF6x6iX8OzIHqoVT18yQAQxbET+PWMtlmNFJFx76+Sov4eQm/d2KeRg0aqw49gKLpigYnHfd2uitmSQixBNl5jyvDMoR92vZmZnScmqA9cXQikQ9HCW6Q== rsa-key-20170110
uid: 2007
sandlayth:
fullname: Yassine Hadj Messaoud
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4H4SF3NZ0/o5uTYhIUKUEzP7hlZ0mGqMxs6wt/dhQs kalix@arch-laptop
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7FQwqZIT8htdXRy57NZqaYEcRBFbu1oOHuRbp7LwBb sandlayth@Thinkpad-t15
uid: 5002
sandrine:
fullname: Sandrine Defontaine
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzWMrQ8ZKObZlLBj/vAPrG2SW+jJtOr3BmQsDictLnV acer@LAPTOP-7H3B0PT7
uid: 2039
shark:
fullname: Shark
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUpupNya3KCR9uwNICcQb3amYTeK0FjlsWS/ei+DcU4 shark
uid: 2006
thrx:
fullname: ThrX
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqm65UgRA1ZJaGnam+PQiFmXKOKZHAUc5jN8zRQsAaFv5Kgxks857DPBX8eO7Wolh70C/UVXAqYgHS2yg74KKKzyjv2vd/de4vQuC4m24IRWkuGJ6xr+dgqNRMn3YklJ2W/SzMCLIFNWUlM3JnvIPElxrLVMSm9ZCACAvWGgy8uF+vBkJYsmfN5AokyzSZcAUqREBbnsC33erGz50it4Oxn4QpAGWtYBHz+kHz89rZBMbMRAoMyQ1EfnzH076jtufHuTdqibmQRB39GbY8bgJJk0tpntwTvx4pHAnMK6CUwbjtFU03LByYNiIzDjwHXqfwuQZl8WlQjx7oTVNHCJ9fw== rsa-key-20170221
uid: 2014
tomjerr:
fullname: Tommy Aditya
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7WGzb6h6i8H81nkw0E2PvFwi1yqODeltyGwFQxEwL4+bc75LlbxtpIsxS+D4vkervfGjMwgAJSFOv6uimRhubmp1I2Pf85APTf/a9xXmNzAuNnhR8ur93I08cQ2kKlY19q3EX4H4qj2HizRZxgusG8dYyBWuKuq6P7vIn5zn55IzFJKxCekydAjQsDUTOaio5brLD3sY8IfnWtKWDgrszozUOEqZdquJDS6LBEHHDTpWK/Mzuwd6YkpfdG2GVLwuN6Rj43jNoxcvk2W7oJyJQQ7xSpNR3QIFzTAu9VL9AAv4qak4o2AYpmg8HXsgGR2ARvJ0mFzWw8qy/c/5plPgp tomjerr
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwWJfo9s+Uqd/JPIYFEYJ3g/H9G9wPActHXJfKul/ImK7oTFqDADGx0pr26aL7tcjVIK7vK1EF41f2JhphjsiUj9H1y38qIWGdHHVJg/NBsA2ZRmIWtBi4G5TkV/0y8lPwBjLwFMh55C1HDFLgw9CG8fujuYFqmyFc/CmH+W4ffm31LX70zC1m/ApgWXjbKDfO1tm7fP2JdkzsWe+Rce5SQb/w+ieyymG9uJgkfOkG04TXA27uAffYTZ2nPBdz00x62u6Sxc8n1muE1k/3ofyOv5tMXMv4VYs//8kWWuRhfGLM/t7lO5HR5V+P7f8WkMDzcG72EyYqJOIep6uRoiSz tomjerr
uid: 2001
vigilant:
fullname: Anser Quraishi
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXWSDaKgPYpbH2pz7Ohrt3ryzHSQyM6kPjjkJPPkFKmVamDq4+kVnR9ukXn5jD+WolvRlyhzBOhXk8wMiZ1zq3mTplYEXQDEMjr9LmFXSXt3odgbwXCjvyewAeXQvDhcGyoqh5txneEeBFQJNFaQ/YhNEYr27RLl46jGareM3GibAC/eudnOsxnyf6Rg+IA/2GrXj8r3d9p/Yxu/IhETiFltSQycrdrblEQ424zUNaUNtpDRoukZTnFqT/78KWpLgFQCYWWA/YXRRn86f6stA5bkyM8FXeUEi0a26M/9OEj3z9mWSw7zvTd+0tYlQ4B+4yS5ks/NvxaVUjY6eWIsNUOARnt7u2Qx6XPoijL1ywvyh/myWZkARjekl0ZqbhXWxYffIqYUG/91bE6qKlWJaf6gUnRdA3OSLz2iVqQAXkPzqmmcrASqD9bki8m9VbL1K94Vv0Bj+CUgyOCslDru7DULHlNBFkzKbuaE/BeuUxG3BbhMHHYDFaFcd7/kOUwik=
uid: 2025
xcombelle:
fullname: Xavier Combelle
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9KJQDTtuxGCOaeFtip+yel45zMNS4tvrYg0AzNhT22K8g3F8wiY1GKvYw6Czj8Zo+rqA5/Rt7BCQwNtZyI+Nh23Cvg5wZQ2A6dtzQI69HZVSi+FRA5o4/SG4wyp7AT6wuWn+7tTE/pH69D0keDmaNpLSzhkxKFQd2DuOD2BENobEIE9DzbRf2DeUJ15uCzX/mnEXykklYvQ5AontiwL7VNB1VpNebrfnecAaAua0RhuYp+XwxBaSM4KB4lIA6hTBYEOG6J3TaC3GofMtAANI/n8gcCQkadkqtQHrap2Wh9X6bzekwROVGui1TW6sM7+hS4P7PM80nK05iVnGzIfYR xavier.combelle@gmail.com
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwWF3cUmuc8CTt4/6z+wNtMld2MG4f0CAuAqYvOEfMHpJ1w7ufVvKTHRqxiWihqf+DYSoCDjvnZ32xOr0i+g38tsq9wRV6BTfT2L209K2cn/VfKOLeK4v6ZybVn7I2l9SKduk3KuzHqjQpI5DV5x9317lz5BgEh7ur1oiMdQbbLE4O81fKe1REVD+EvT6/0dYU0mNPY/bEk6AHLxo86yMEU0eaFgJWUAxrRTLMQ0gd+a4GpJ59MhyPO4zzD8YJ6TWQOD4UQRNjzVKU7LE3RoelDcEuTU+pZ72rKQh6ZOPr0D33o9qWIaQ1Ak4MwPPs6252s+hqHzjacvf73a824CDv
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOirrO7Mdgi+HVSSD1EaK0hx/nSKoseyIatvLb02/ouu Termius
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtzoAxYsC1O3Hw7a/JgHRa92pxWYS+L4+vc+A1FWUEj xavie@LAPTOP-6UJB32E3
uid: 2017
xray:
fullname: xray
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAzSj3sQYbrBBdceBRUAbuzCS9vZWycVV0OSZ0ofoWx/dOTIalhc3O+aett7J34GqwDgpcTEkEpa/MrlO/2TOGOFIsPlvbZW4fXXFADCbOWkRRNuYW5rv/Sg6ZliGtw4cj0dKEkn9+L/JAuGwKV5KJNTPcp5w8hZyQYczZ8KhcyNVv7mfzLnId03wPnuTTe+AmCTOitbVb3gxjdXDYeS46PkbV8m/23KpcdLigo3ClDwE/SIoA+YddaAbpWDMEwhnWyKmLGI6xkFcqSY1NT0eYnL2waZMEnfluxt+D0V0IT5NeOmQcTuVWPvjFdSKbKepPhdrFmzGNtytfZWoFOPiG+Q== rsa-key-20170119
uid: 2011
whoami:
fullname: whoami
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAi1xD6FNf+w9kOjLJU6yd6bt7T8t3q7WXBewpkqRk4eBdJhomyjiNWuspke8STOf0VGamoPqLfxr4wbDa3UfgfBOBITgscwR26hOjtJ8Wra7XfIJU3OH/GBlUBfvf1T/m0fZDY2fKVku4R73pClQ2UhoUxJsU8/PVdEnN88IWAUeUbFgjtRds2SKPgCd/sg6XvoIEuYo8hbkmzVY+vIlrACuCEXjnRF+30lSMluo6OvMYHulfiZk7TPzXrX0YZ+3vFHscgwiwV6PL7qnQvnzwqEF2SfQduyg+vnOC//X7fezU0CfDzdbDG1tj1CftSrLoejMmU8wTDllq7Rrux/lu9w== rsa-key-20200207
uid: 2033
windu:
fullname: Windu
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGW3uoDcVTmkF4zmdXfs9KhtkDGsWtCNK4bT99M6tqTd eddsa-key-20240709
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvna/bMLFjrHmT7wAUm9jHts6bAbtz2nb/MzNkUjmpjagK/Yukghf+oqZiaoDxhNW2lTcWfdDw5Rknz07i8nIfMNKEPDnsyaHrThvPwEh7+eYsd868Cn0v5dxJ66JiebYm2LFDqNWaLP99fOoMi9KsVMhHyhUnc/w4WceyFdio8X6x9VyIIIN1SZS7Gr7BAbdElCYwDQEKGbpvlud48/q9 rsa-key-20240704
uid: 2026
diff --git a/pillar/devserver/ports.sls b/pillar/devserver/ports.sls
index 963653e..7309b09 100644
--- a/pillar/devserver/ports.sls
+++ b/pillar/devserver/ports.sls
@@ -1,164 +1,163 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-01-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Ports to build manually
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ports:
ant:
category: devel
name: apache-ant
creates: /usr/local/bin/ant
options:
unset:
- DOCS
package_dependencies:
- openjdk17
xaos:
category: graphics
name: xaos
creates: /usr/local/bin/xaos
options:
set:
- NLS
- AALIB
unset:
- THREADS
- GTK2
- "X11"
ffmpeg:
category: multimedia
name: ffmpeg
creates: /usr/local/bin/ffmpeg
options:
set:
- AOM
- CACA
- DAV1D
- FONTCONFIG
- FREETYPE
- FREI0R
- ICONV
- LAME
- MMX
- OPENCV
- OPTIMIZED_CFLAGS
- OPUS
- RTCPU
- SSE
- THEORA
- V4L
- VAAPI
- VDPAU
- VORBIS
- VPX
- WEBP
- "X264"
- "X265"
- XCB
- XVID
- GMP
- GNUTLS
- GPL3
- NONFREE
unset:
- ALSA
- AMR_NB
- AMR_WB
- ASS
- BEIGNET
- BS2B
- CDIO
- CELT
- CODEC2
- DC1394
- DEBUG
- DOCS
- DRM
- FDK_AAC
- FLITE
- FRIBIDI
- GME
- GSM
- ILBC
- JACK
- KVAZAAR
- LADSPA
- LENSFUN
- LIBBLURAY
- LIBRSVG2
- LIBXML2
- LV2
- MODPLUG
- MYSOFA
- OPENAL
- OPENCL
- OPENGL
- OPENH264
- OPENJPEG
- OPENMPT
- POCKETSPHINX
- PULSEAUDIO
- RAV1E
- RUBBERBAND
- SDL
- SMB
- SNAPPY
- SNDIO
- SOXR
- SPEEX
- SSH
- SVTAV1
- SVTHEVC
- SVTVP9
- TESSERACT
- TWOLAME
- VAPOURSYNTH
- VIDSTAB
- VMAF
- VO_AMRWBENC
- WAVPACK
- XVIDEO
- ZIMG
- ZMQ
- ZVBI
- GCRYPT
- LIBRTMP
- MBEDTLS
- OPENSSL
node:
category: www
name: node
creates: /usr/local/bin/node
options:
set:
- BUNDLED_SSL
- NLS
unset:
- DOCS
- DTRACE
npm:
category: www
name: npm
creates: /usr/local/bin/npm
# -------------------------------------------------------------
# Poudriere
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
poudriere:
zfs_pool: arcology
tmpfs: wrkdir
ports:
usr-ports: /usr/ports
dereckson-dev: /home/dereckson/dev/freebsd/ports
diff --git a/pillar/devserver/repos.sls b/pillar/devserver/repos.sls
index 86b4528..0808bac 100644
--- a/pillar/devserver/repos.sls
+++ b/pillar/devserver/repos.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# Supported VCS: git/hg/svn (git by default)
user_repositories:
dereckson:
/home/dereckson/dev/dereckson/git-achievements:
source: git@github.com:dereckson/git-achievements.git
/home/dereckson/.software/hg-prompt:
source: https://hg.stevelosh.com/hg-prompt/
vcs: hg
diff --git a/pillar/hotfixes/roles.sls b/pillar/hotfixes/roles.sls
index 4fe5e01..02fd4b7 100644
--- a/pillar/hotfixes/roles.sls
+++ b/pillar/hotfixes/roles.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-22
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
roles_disabled:
paas_jails:
# T1345
- ysul
diff --git a/pillar/nodes/forests.sls b/pillar/nodes/forests.sls
index 87cb83c..54e9b31 100644
--- a/pillar/nodes/forests.sls
+++ b/pillar/nodes/forests.sls
@@ -1,52 +1,51 @@
# -------------------------------------------------------------
# Salt — Forests
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# Description: Groups nodes by forest to allow to apply
# a common configuration, like users/groups
# to a set of nodes (ie servers).
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Table of contents
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# :: Forests
# :: Shell groups
#
# -------------------------------------------------------------
# -------------------------------------------------------------
# Forests
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
forests:
- nasqueron-dev
- nasqueron-dev-docker
- nasqueron-infra
- eglide
# -------------------------------------------------------------
# Shell groups
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
shellgroups_ubiquity:
- ops
- deployment
shellgroups_by_forest:
nasqueron-dev:
- nasquenautes
- nasqueron-irc
nasqueron-dev-docker:
- nasqueron-dev-docker
nasqueron-infra: []
eglide:
- shell
- chaton-dev
- nasqueron-irc
diff --git a/pillar/nodes/nodes.sls b/pillar/nodes/nodes.sls
index 4b610bf..b8568bb 100644
--- a/pillar/nodes/nodes.sls
+++ b/pillar/nodes/nodes.sls
@@ -1,458 +1,457 @@
# -------------------------------------------------------------
# Salt — Nodes
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
nodes_aliases:
netmasks:
intranought: &intranought_netmask 255.255.255.224
nodes:
##
## Forest: Nasqueron
## Semantic field: https://devcentral.nasqueron.org/P27
##
cloudhugger:
forest: nasqueron-infra
hostname: cloudhugger.nasqueron.org
roles:
- opensearch
network:
ipv6_tunnel: False
canonical_public_ipv4: 188.165.200.229
interfaces:
eno1:
device: eno1
ipv4:
address: 188.165.200.229
netmask: 255.255.255.0
gateway: 188.165.200.254
ipv6:
address: fe80::ec4:7aff:fe6a:36e8
prefix: 64
gateway: fe80::ee30:91ff:fee0:df80
complector:
forest: nasqueron-infra
hostname: complector.nasqueron.org
roles:
- vault
- salt-primary
zfs:
pool: zroot
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.7
netmask: *intranought_netmask
gateway: 172.27.27.1
db-a-001:
forest: nasqueron-infra
hostname: db-a-001.nasqueron.drake
roles:
- dbserver-pgsql
zfs:
pool: arcology
dbserver:
cluster: A
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.8
netmask: *intranought_netmask
gateway: 172.27.27.1
db-b-001:
forest: nasqueron-infra
hostname: db-b-001.nasqueron.drake
roles:
- dbserver-mysql
zfs:
pool: arcology
dbserver:
cluster: B
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.9
netmask: *intranought_netmask
gateway: 172.27.27.1
dns-001:
forest: nasqueron-infra
hostname: dns-001.nasqueron.org
roles:
- dns
zfs:
pool: arcology
network:
ipv6_tunnel: False
canonical_public_ipv4: 178.32.70.109
interfaces:
public:
device: vmx0
ipv4:
address: 178.32.70.109
netmask: 255.255.255.255
ipv6:
address: 2001:41d0:303:d971::1057:da7a
prefix: 56
gateway: 2001:41d0:303:d9ff:ff:ff:ff:ff
flags:
- ipv4_ovh_failover
- hello_ipv6_ovh
intranought:
device: vmx1
ipv4:
address: 172.27.27.2
netmask: *intranought_netmask
gateway: 172.27.27.1
dwellers:
forest: nasqueron-dev-docker
hostname: dwellers.nasqueron.org
roles:
- paas-lxc
- paas-docker
- paas-docker-dev
- mastodon
flags:
install_docker_devel_tools: True
network:
ipv6_tunnel: True
canonical_public_ipv4: 51.255.124.11
interfaces:
public:
device: ens192
uuid: 6e05ebea-f2fd-4ca1-a21f-78a778664d8c
ipv4:
address: 51.255.124.11
netmask: 255.255.255.255
gateway: 51.210.99.254
flags:
- ipv4_ovh_failover
intranought:
device: ens224
uuid: 8e8ca793-b2eb-46d8-9266-125aba6d06c4
ipv4:
address: 172.27.27.4
netmask: *intranought_netmask
gateway: 172.27.27.1
docker-002:
forest: nasqueron-infra
hostname: docker-002.nasqueron.org
roles:
- paas-docker
- paas-docker-prod
network:
ipv6_tunnel: True
canonical_public_ipv4: 51.255.124.9
interfaces:
public:
device: ens192
uuid: d55e0fec-f90b-3014-a458-9067ff8f2520
ipv4:
address: 51.255.124.9
netmask: 255.255.255.255
gateway: 51.210.99.254
flags:
- ipv4_ovh_failover
intranought:
device: ens224
uuid: 57c04bcc-929b-3177-a2e3-88f84f210721
ipv4:
address: 172.27.27.5
netmask: *intranought_netmask
gateway: 172.27.27.1
hervil:
forest: nasqueron-infra
hostname: hervil.nasqueron.drake
roles:
- mailserver
- webserver-core
- webserver-alkane
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.3
netmask: *intranought_netmask
gateway: 172.27.27.1
public:
device: vmx1
ipv4:
address: 178.32.70.108
netmask: 255.255.255.255
flags:
- ipv4_ovh_failover
router-001:
forest: nasqueron-infra
hostname: router-001.nasqueron.org
roles:
- router
network:
ipv6_tunnel: False
canonical_public_ipv4: 51.255.124.8
interfaces:
public:
device: vmx0
ipv4:
address: 51.255.124.8
netmask: 255.255.255.255
gateway: 51.210.99.254
ipv6:
address: 2001:41d0:303:d971::6a7e
prefix: 56
gateway: 2001:41d0:303:d9ff:ff:ff:ff:ff
flags:
- ipv4_ovh_failover
- hello_ipv6_ovh
intranought:
device: vmx1
ipv4:
address: 172.27.27.1
netmask: *intranought_netmask
router-002:
forest: nasqueron-infra
hostname: router-002.nasqueron.org
roles:
- router
zfs:
pool: zroot
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.11
netmask: 255.255.255.224
public:
device: vmx1
ipv4:
address: 178.32.70.110
netmask: 255.255.255.255
gateway: 51.210.99.254
fhrp:
- protocol: carp
id: 2
vip: 51.68.252.230
peer: 178.32.70.111
advskew: 100
flags:
- ipv4_ovh_failover
router-003:
forest: nasqueron-infra
hostname: router-003.nasqueron.org
roles:
- router
zfs:
pool: zroot
network:
ipv6_tunnel: False
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.12
netmask: 255.255.255.224
public:
device: vmx1
ipv4:
address: 178.32.70.111
netmask: 255.255.255.255
gateway: 51.210.99.254
fhrp:
- protocol: carp
id: 2
vip: 51.68.252.230
peer: 178.32.70.110
advskew: 0
flags:
- ipv4_ovh_failover
web-001:
forest: nasqueron-infra
hostname: web-001.nasqueron.org
roles:
- webserver-alkane
- webserver-alkane-prod
- saas-mediawiki
- saas-wordpress
network:
ipv6_tunnel: False
canonical_public_ipv4: 51.255.124.10
interfaces:
intranought:
device: vmx0
ipv4:
address: 172.27.27.10
netmask: *intranought_netmask
gateway: 172.27.27.1
public:
device: vmx1
ipv4:
address: 51.255.124.10
netmask: 255.255.255.255
gateway: 51.210.99.254
ipv6:
address: 2001:41d0:303:d971::517e:c0de
prefix: 56
gateway: 2001:41d0:303:d9ff:ff:ff:ff:ff
flags:
- ipv4_ovh_failover
- hello_ipv6_ovh
ysul:
forest: nasqueron-dev
hostname: ysul.nasqueron.org
roles:
- devserver
- dbserver-mysql
- webserver-legacy
zfs:
pool: arcology
network:
ipv6_tunnel: True
ipv6_gateway: 2001:470:1f12:9e1::1
canonical_public_ipv4: 212.83.187.132
interfaces:
public:
device: igb0
ipv4:
address: 163.172.49.16
netmask: 255.255.255.0
aliases:
- 212.83.187.132
gateway: 163.172.49.1
windriver:
forest: nasqueron-dev
hostname: windriver.nasqueron.org
roles:
- builder
- devserver
- dbserver-mysql
- dbserver-pgsql
- dns
- grafana
- netbox
- prometheus
- redis
- reports
- saas-nextcloud
- netbox
- viperserv
- webserver-alkane
- webserver-alkane-dev
zfs:
pool: arcology
network:
ipv6_tunnel: False
canonical_public_ipv4: 195.154.30.15
interfaces:
public:
device: igb0
ipv4:
address: 195.154.30.15
netmask: 255.255.255.0
gateway: 195.154.30.1
ipv6:
address: 2001:bc8:2e84:700::da7a:7001
prefix: 56
aliases:
- 2001:bc8:2e84:700:0:dead:c0de:b07 # ViperServ
gateway: fe80::a293:51ff:feb7:55ef
flags:
- ipv6_dhcp_duid
intranought:
device: ix0
ipv4:
address: 10.91.207.15
netmask: 255.255.255.0
##
## Forest: Eglide
## Semantic field: ? (P27 used for "Eglide" too)
##
## This forest is intended to separate credentials
## between Eglide and Nasqueron servers.
##
eglide:
forest: eglide
hostname: eglide.org
roles:
- shellserver
network:
ipv6_tunnel: True
canonical_public_ipv4: 51.159.150.221
interfaces:
ens2:
device: ens2
ipv4:
address: 51.159.150.221
gateway: ""
flags:
# This interface is configured by cloud-init
- skip_interface_configuration
fixes:
rsyslog_xconsole: True
diff --git a/pillar/paas/jails.sls b/pillar/paas/jails.sls
index 5e117c6..631b462 100644
--- a/pillar/paas/jails.sls
+++ b/pillar/paas/jails.sls
@@ -1,25 +1,24 @@
# -------------------------------------------------------------
# Salt — Jails
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
jails:
ysul:
ftp:
lo: 127.0.2.1
ipv4: 212.83.187.132
ipv6: 2001:470:1f13:9e1:0:c0ff:ee:1
mumble:
lo: 127.0.2.2
ipv4: 212.83.187.132
ipv6: 2001:470:1f13:9e1:0:c0ff:ee:1
# Test jail
tonderon:
lo: 127.0.2.3
ipv4: 212.83.187.132
ipv6: 2001:470:1f13:9e1:0:c0ff:ee:7
diff --git a/pillar/saas/jenkins.sls b/pillar/saas/jenkins.sls
index 4f5f700..f65af72 100644
--- a/pillar/saas/jenkins.sls
+++ b/pillar/saas/jenkins.sls
@@ -1,39 +1,38 @@
# -------------------------------------------------------------
# Salt — Jenkins instances
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Jenkins realms
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
jenkins_realms:
cd:
ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiWLxPzS8X6NraVwsK95gFGe1pIuz+K0n7aw81nabcf jenkins-controller-equatower-cd
network: cd
ci:
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhhBMTjGguFBy2aOczmZ7NS14b57uoKnzepMtFHh7cpsmbp1Jvf7LOH0niyFOAMlVMqObXJ+8zsd+x9XqMlWUfVOF07D1/GUq09YA7DQsjMc6CdcW68VtcKcUdAnB3yUVX0fZ6bGwnTAnZvAq1oAxuLXE42eBQUti142ic0OF5y5ePs9gu9rOmUzLuydv2+iB34RuopF6VlzROlatyITvr4KPnAhEAuRiVBqWIIWvsT4EMYRlddXC21sPEqUHr3T7FgS2Kmp/1Iw4Hk98srC59lSYOmMLPlTSfuYIoRorGIv3UHeW5DHHeEN+wEnvTPAaO/fiWJfOQBHshWJFN4mOj jenkins@ci.nasqueron.org
network: ci
test:
ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxHVsr2GvbzlC1RDyXhJ71FeU8DeMUbjcdfcRgRluZ5 jenkins-controller-test
network: jenkinsTest
# -------------------------------------------------------------
# Jenkins images
#
# Each agent uses one Jenkins image.
#
# An image can be used by several agents, so we've more nodes
# available for parallel builds.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
jenkins_images:
barebone: nasqueron/jenkins-agent-barebone
node: nasqueron/jenkins-agent-node
php: nasqueron/jenkins-agent-php
rust: nasqueron/jenkins-agent-rust
diff --git a/pillar/saas/mediawiki.sls b/pillar/saas/mediawiki.sls
index ff71b50..eccb9e3 100644
--- a/pillar/saas/mediawiki.sls
+++ b/pillar/saas/mediawiki.sls
@@ -1,87 +1,86 @@
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
mediawiki_extensions:
- AllowlistHTMLTags
- CategoryTree
- Cite
- CodeEditor
- ConfirmEdit
- ContactPage
- Echo
- FlaggedRevs
- Flow
- Gadgets
- ParserFunctions
- Poem
- ProofreadPage
- Scribunto
- SyntaxHighlight_GeSHi
- TemplateSandbox
- Thanks
- WarnNotRecentlyUpdated
- WikiEditor
mediawiki_skins:
- MinervaNeue
- MonoBook
- Timeless
- Vector
mediawiki_saas:
directory: /srv/saas/mediawiki
mediawiki_directory: /srv/mediawiki
main_fqdn: wikis.nasqueron.org
fastcgi_url: unix:/var/run/web/wikis.nasqueron.org/php-fpm.sock
db:
host: 172.27.27.9
user: saas-mediawiki
credentials:
db: dbserver/cluster-B/users/saas-mediawiki
maintenance: dbserver/cluster-B/users/saas-mw-deploy
secret_key: nasqueron/mediawiki/secret_key
mediawiki_datastores:
###
### Nasqueron
###
- agora.nasqueron.org
- wikis.nasqueron.org
###
### MediaWiki code tests
###
- migration.mediawiki.test.ook.space
###
### Other wikis hosted on the Nasqueron servers
###
- arsmagica.espace-win.org
- inidal.espace-win.org
- utopia.espace-win.org
- www.wolfplex.org
mediawiki_databases:
agora: nasqueron_wiki
wolfplex: wolfplex_wiki
mediawiki_interwikis:
# Interwikis for Nasqueron Agora
nasqueron_wiki:
wolfplex:
wiki_id: wolfplex_wiki
url: https://www.wolfplex.org/wiki/$1
# Interwikis for Wolfplex
wolfplex_wiki:
agora:
wiki_id: nasqueron_wiki
url: https://agora.nasqueron.org/$1
diff --git a/pillar/saas/phpbb.sls b/pillar/saas/phpbb.sls
index 6574bbb..1b55bc9 100644
--- a/pillar/saas/phpbb.sls
+++ b/pillar/saas/phpbb.sls
@@ -1,15 +1,14 @@
# -------------------------------------------------------------
# Salt — phpBB managed installations
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
phpbb_datastores:
# Staging installation
- phpbb.test.ook.space
# Forum hosted on Nasqueron
- forum.espace-win.org
- utopia.espace-win.org
diff --git a/pillar/shellserver/quassel.sls b/pillar/shellserver/quassel.sls
index 46c107c..419575b 100644
--- a/pillar/shellserver/quassel.sls
+++ b/pillar/shellserver/quassel.sls
@@ -1,10 +1,9 @@
# -------------------------------------------------------------
# Salt — Quassel managed installation
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
quassel_users:
- balaji
diff --git a/pillar/top.sls b/pillar/top.sls
index a7232a4..3cfd39d 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,79 +1,78 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.users
- core.groups
- core.network
- core.ntp
- nodes.nodes
- nodes.forests
- hotfixes.roles
- services.monitoring-reporting
- services.table
- webserver.sites
- credentials.vault
cloudhugger:
- opensearch.software
- opensearch.clusters
complector:
- credentials.vault
# To provision services
- saas.rabbitmq
docker-002:
- notifications.config
- paas.docker
- saas.jenkins
- saas.phpbb
db-a-001:
- dbserver.cluster-A
db-b-001:
- dbserver.cluster-B
dwellers:
- paas.docker
- saas.airflow
- saas.jenkins
eglide:
- shellserver.quassel
hervil:
- mailserver.vimbadmin
- mailserver.dovecot
- mailserver.postfix
ysul:
- devserver.repos
- saas.mediawiki
- webserver.labs
- webserver.wwwroot51
web-001:
- saas.mediawiki
- saas.wordpress
windriver:
- devserver.datacubes
- devserver.ports
- devserver.repos
- netbox.netbox
- observability.prometheus
- packages.freebsd
- viperserv.bots
- viperserv.fantoir
- webserver.labs
- webserver.wwwroot51
diff --git a/pillar/viperserv/fantoir.sls b/pillar/viperserv/fantoir.sls
index 1d4ff33..95de446 100644
--- a/pillar/viperserv/fantoir.sls
+++ b/pillar/viperserv/fantoir.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# ------------------------------------------------------------
fantoir:
dataset_url: https://data.economie.gouv.fr/api/datasets/1.0/fichier-fantoir-des-voies-et-lieux-dits/attachments/fichier_national_fantoir_situation_avril_2023_zip/
dataset_hash: b2e8ecdb825de46c2bbd5e294e523b0a2dec48e73219211e45a0d22b151f6975
distname: FANTOIR0423
diff --git a/roles/bastion/init.sls b/roles/bastion/init.sls
index 88a4959..615225f 100644
--- a/roles/bastion/init.sls
+++ b/roles/bastion/init.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .sshd-otp
- .yubico
diff --git a/roles/bastion/pam/files/sshd-otp-freebsd b/roles/bastion/pam/files/sshd-otp-freebsd
index 5a93195..d7c4d9e 100644
--- a/roles/bastion/pam/files/sshd-otp-freebsd
+++ b/roles/bastion/pam/files/sshd-otp-freebsd
@@ -1,41 +1,40 @@
# -------------------------------------------------------------
# OpenSSH configuration - OTP SSHD for bastion servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# Forked from: FreeBSD: releng/11.1/etc/pam.d/sshd
# 197769 2009-10-05 09:28:54Z des
# Source file: roles/bastion/pam/files/sshd-otp-freebsd
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# auth
# TODO: when Vault is installed, add key too here through a Vault pillar.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth sufficient /usr/local/lib/security/pam_yubico.so no_warn try_first_pass id=36698
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_deny.so
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
diff --git a/roles/bastion/pam/init.sls b/roles/bastion/pam/init.sls
index e06611d..9ab4dff 100644
--- a/roles/bastion/pam/init.sls
+++ b/roles/bastion/pam/init.sls
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# FreeBSD
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/pam.d/sshd-otp:
file.managed:
- source: salt://roles/bastion/pam/files/sshd-otp-freebsd
{% endif %}
diff --git a/roles/bastion/sshd-otp/files/sshd.rc b/roles/bastion/sshd-otp/files/sshd.rc
index daf03de..6084209 100755
--- a/roles/bastion/sshd-otp/files/sshd.rc
+++ b/roles/bastion/sshd-otp/files/sshd.rc
@@ -1,50 +1,49 @@
#!/bin/sh
# -------------------------------------------------------------
# OpenSSH configuration - OTP SSHD for bastion servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-19
# Forked from: FreeBSD: releng/11.1/etc/rc.d/sshd
# 303770 2016-08-05 15:32:35Z des
# Source file: roles/bastion/sshd-otp/files/sshd.rc
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# PROVIDE: sshd-otp
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown
. /etc/rc.subr
name="sshd_otp"
rcvar="sshd_otp_enable"
load_rc_config $name
: ${sshd_config="/etc/ssh/sshd_otp_config"}
desc="Secure Shell Daemon (OTP)"
required_files="${sshd_config}"
command="/usr/sbin/sshd-otp"
command_args="${sshd_otp_flags} -f ${sshd_config}"
pidfile="/var/run/${name}.pid"
start_precmd="sshd_otp_configtest"
reload_precmd="sshd_otp_configtest"
restart_precmd="sshd_otp_configtest"
configtest_cmd="sshd_otp_configtest"
extra_commands="configtest reload"
sshd_otp_configtest()
{
echo "Performing sanity check on ${name} configuration."
eval ${command} ${command_args} -t
}
run_rc_command "$1"
diff --git a/roles/bastion/sshd-otp/files/sshd.service b/roles/bastion/sshd-otp/files/sshd.service
index 13c224e..6a5532e 100644
--- a/roles/bastion/sshd-otp/files/sshd.service
+++ b/roles/bastion/sshd-otp/files/sshd.service
@@ -1,37 +1,36 @@
# -------------------------------------------------------------
# OpenSSH configuration - OTP SSHD for bastion servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-19
# Forked from: Debian /etc/systemd/system/sshd.service
# Source file: roles/bastion/sshd-otp/files/sshd.service
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Unit]
Description=OpenBSD Secure Shell server (OTP)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre={{ executable }} -f /etc/ssh/sshd_otp_config -t
ExecStart={{ executable }} -D -f /etc/ssh/sshd_otp_config $SSHD_OPTS
ExecReload={{ executable }} -f /etc/ssh/sshd_otp_config -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd-otp
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd-otp.service
diff --git a/roles/bastion/sshd-otp/files/sshd_config b/roles/bastion/sshd-otp/files/sshd_config
index 883ee39..a8773a7 100644
--- a/roles/bastion/sshd-otp/files/sshd_config
+++ b/roles/bastion/sshd-otp/files/sshd_config
@@ -1,35 +1,34 @@
# -------------------------------------------------------------
# OpenSSH configuration - OTP SSHD for bastion servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-28
# License: Trivial work, not eligible to copyright
# Source file: roles/bastion/sshd-otp/files/sshd_config
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
Port 5022
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# In this SSH configuration, we can use PAM modules with challenge/response.
# This allows to use PAM provided capabilities like OTP (Yubikey, OPIE).
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
# Misc options
PrintMotd {{ "yes" if print_motd else "no" }}
AcceptEnv LANG LC_*
PidFile /var/run/sshd_otp.pid
# SFTP
Subsystem sftp {{ sftp }}
diff --git a/roles/bastion/sshd-otp/init.sls b/roles/bastion/sshd-otp/init.sls
index 2c8e35b..bb0af5b 100644
--- a/roles/bastion/sshd-otp/init.sls
+++ b/roles/bastion/sshd-otp/init.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .service
diff --git a/roles/bastion/sshd-otp/service.sls b/roles/bastion/sshd-otp/service.sls
index 546802b..a218f2a 100644
--- a/roles/bastion/sshd-otp/service.sls
+++ b/roles/bastion/sshd-otp/service.sls
@@ -1,57 +1,56 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, paths, services with context %}
# -------------------------------------------------------------
# Service
#
# :: FreeBSD / rc
# :: * / systemd
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
sshd_otp_service:
file.managed:
- name: {{ dirs.etc }}/rc.d/sshd-otp
- source: salt://roles/bastion/sshd-otp/files/sshd.rc
- mode: 755
sshd_otp_service_enable:
file.managed:
- name: /etc/rc.conf.d/sshd_otp
- source: salt://roles/bastion/sshd-otp/files/sshd.rc.conf
sshd_otp_running:
service.running:
- name: sshd-otp
- watch:
- file: sshd_otp_service
{% elif services['manager'] == 'systemd' %}
sshd_otp_service:
file.managed:
- name: {{ dirs.etc }}/systemd/system/sshd-otp.service
- source: salt://roles/bastion/sshd-otp/files/sshd.service
- mode: 755
- template: jinja
- context:
executable: {{ paths.sshd }}-otp
sshd_otp_running:
service.running:
- name: sshd-otp
- enable: true
- watch:
- file: sshd_otp_service
{% endif %}
diff --git a/roles/bastion/sshd-otp/software.sls b/roles/bastion/sshd-otp/software.sls
index fe66c2b..063096f 100644
--- a/roles/bastion/sshd-otp/software.sls
+++ b/roles/bastion/sshd-otp/software.sls
@@ -1,33 +1,32 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import paths, capabilities with context %}
# -------------------------------------------------------------
# OpenSSH binary symbolic link
#
# Allows to get 'sshd-otp' in the logs, instead of 'sshd
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ paths.sshd }}-otp:
file.symlink:
- target: {{ paths.sshd }}
# -------------------------------------------------------------
# OpenSSH configuration — OTP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/etc/ssh/sshd_otp_config:
file.managed:
- source: salt://roles/bastion/sshd-otp/files/sshd_config
- template: jinja
- context:
sftp: {{ paths.sftp }}
print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
diff --git a/roles/bastion/yubico/authorized_yubikeys.sls b/roles/bastion/yubico/authorized_yubikeys.sls
index c02632f..51700b5 100644
--- a/roles/bastion/yubico/authorized_yubikeys.sls
+++ b/roles/bastion/yubico/authorized_yubikeys.sls
@@ -1,24 +1,23 @@
# -------------------------------------------------------------
# Salt — Bastion - Yubikeys
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for username, user in salt['forest.get_users']().items() %}
{% if 'yubico_keys' in user %}
/home/{{ username }}/.yubico:
file.directory:
- user: {{ username }}
- mode: 700
/home/{{ username }}/.yubico/authorized_yubikeys:
file.managed:
- user: {{ username }}
- mode: 600
- contents: {{ username + ':' + ':'.join(user['yubico_keys']) }}
{% endif %}
{% endfor %}
diff --git a/roles/bastion/yubico/init.sls b/roles/bastion/yubico/init.sls
index 0aeddce..aa3cea6 100644
--- a/roles/bastion/yubico/init.sls
+++ b/roles/bastion/yubico/init.sls
@@ -1,14 +1,13 @@
# -------------------------------------------------------------
# Salt — Bastion
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .authorized_yubikeys
- .pam
- .selinux
diff --git a/roles/bastion/yubico/pam.sls b/roles/bastion/yubico/pam.sls
index 1d0cc36..3ecd951 100644
--- a/roles/bastion/yubico/pam.sls
+++ b/roles/bastion/yubico/pam.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Bastion - Yubikeys
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import packages with context %}
# -------------------------------------------------------------
# Install PAM module package
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
yubico_pam_software:
pkg.installed:
- pkgs:
- {{ packages['yubico-pam'] }}
diff --git a/roles/bastion/yubico/selinux.sls b/roles/bastion/yubico/selinux.sls
index f7a3ef9..179756f 100644
--- a/roles/bastion/yubico/selinux.sls
+++ b/roles/bastion/yubico/selinux.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Bastion - Yubikeys
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os_family'] == 'RedHat' %}
# On Fedora and downstreams, SELinux restricts the capability
# of SSHD to connect to external servers.
#
# From Fedora 18, a flag to allow connection for Yubikeys
# authentication has been provided.
#
# Reference: https://bugzilla.redhat.com/show_bug.cgi?id=841693
selinux_authlogin_yubikey:
cmd.run:
- name: setsebool -P authlogin_yubikey 1
{% endif %}
diff --git a/roles/builder/account/files/builder.sudoers b/roles/builder/account/files/builder.sudoers
index 468c96b..0f8a288 100644
--- a/roles/builder/account/files/builder.sudoers
+++ b/roles/builder/account/files/builder.sudoers
@@ -1,17 +1,16 @@
# -------------------------------------------------------------
# Odderon
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-23
# License: Trivial work, not eligible to copyright
# Source file: roles/builder/account/files/builder.sudoers
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
%deployment ALL=(builder) NOPASSWD: ALL
diff --git a/roles/builder/account/init.sls b/roles/builder/account/init.sls
index d657e55..22bab64 100644
--- a/roles/builder/account/init.sls
+++ b/roles/builder/account/init.sls
@@ -1,34 +1,33 @@
# -------------------------------------------------------------
# Salt — Provision software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-02-23
# Description: Account to build applications from source code
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Service account
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
builder_account:
user.present:
- name: builder
- fullname: Software builder account for configure and make
- uid: 831
- gid: deployment
- home: /var/run/builder
# -------------------------------------------------------------
# Sudo capabilities
#
# Members of deployment should be able to sudo -u builder …
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
builder_sudo_capabilities_file:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/builder
- source: salt://roles/builder/account/files/builder.sudoers
- template: jinja
diff --git a/roles/builder/init.sls b/roles/builder/init.sls
index 354a246..1bdf2bb 100644
--- a/roles/builder/init.sls
+++ b/roles/builder/init.sls
@@ -1,10 +1,9 @@
# -------------------------------------------------------------
# Salt — Builder role
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-13
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .account
diff --git a/roles/core/hostname/init.sls b/roles/core/hostname/init.sls
index 5aff86b..4b5199f 100644
--- a/roles/core/hostname/init.sls
+++ b/roles/core/hostname/init.sls
@@ -1,35 +1,34 @@
# -------------------------------------------------------------
# Salt — Set machine hostname
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-06-15
# Description: Set hostname
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Store hostname into a configuration file
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/etc/hostname:
file.managed:
- name: /etc/hostname
- contents: {{ salt['node.get']('hostname') }}
# -------------------------------------------------------------
# When the hostname is changed, what to run afterwards?
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
after_hostname_change:
cmd.run:
- name: hostname `cat /etc/hostname`
- onchanges:
- file: /etc/hostname
{% if grains['os_family'] == 'Debian' %}
after_hostname_change_debian:
cmd.run:
- name: invoke-rc.d hostname.sh start
- onchanges:
- file: /etc/hostname
{% endif %}
diff --git a/roles/core/login/files/login.conf b/roles/core/login/files/login.conf
index 1ecd180..40b5afe 100644
--- a/roles/core/login/files/login.conf
+++ b/roles/core/login/files/login.conf
@@ -1,104 +1,103 @@
# -------------------------------------------------------------
# Login class capabilities database
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-01-20
# License: Trivial work, not eligible to copyright
# Based on: FreeBSD releng/13.2/usr.bin/login/login.conf
# VCS info: 367690 2020-11-14 19:16:39Z bapt
# Source file: roles/core/login/files/login.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Default settings
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
default:\
:passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\
:welcome=/var/run/motd:\
:setenv=BLOCKSIZE=K:\
:mail=/var/mail/$:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=64K:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
:openfiles=unlimited:\
:maxproc=unlimited:\
:sbsize=unlimited:\
:vmemoryuse=unlimited:\
:swapuse=unlimited:\
:pseudoterminals=unlimited:\
:kqueues=unlimited:\
:umtxp=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:\
:charset=UTF-8:\
:lang=C.UTF-8:
# -------------------------------------------------------------
# Common class names to forward to 'default'
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
standard:\
:tc=default:
xuser:\
:tc=default:
staff:\
:tc=default:
daemon:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
:mail@:\
:memorylocked=128M:\
:tc=default:
news:\
:tc=default:
dialer:\
:tc=default:
# -------------------------------------------------------------
# Root class
#
# Root can always login.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root:\
:ignorenologin:\
:memorylocked=unlimited:\
:tc=default:
# -------------------------------------------------------------
# Users classes
#
# Provide proper UTF-8 environment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
english|English Users Accounts:\
:charset=UTF-8:\
:lang=en_US.UTF-8:\
:tc=default:
french|French Users Accounts:\
:charset=UTF-8:\
:lang=fr_FR.UTF-8:\
:tc=default:
russian|Russian Users Accounts:\
:charset=UTF-8:\
:lang=ru_RU.UTF-8:\
:tc=default:
diff --git a/roles/core/login/init.sls b/roles/core/login/init.sls
index 9df4ae7..05feba4 100644
--- a/roles/core/login/init.sls
+++ b/roles/core/login/init.sls
@@ -1,51 +1,50 @@
# -------------------------------------------------------------
# Set login capabilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-01-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os'] == 'FreeBSD' %}
/etc/login.conf:
file.managed:
- source: salt://roles/core/login/files/login.conf
- mode: 644
compile_login_db:
cmd.run:
- name: cap_mkdb /etc/login.conf
- onchanges:
- file: /etc/login.conf
{% endif %}
# -------------------------------------------------------------
# Locales
#
# Each system should at least provide en_US.UTF-8.
#
# Two locales strategies exist:
# - install a package with all locales (Debian)
# - install locales packages (RHEL)
#
# In the second case, we need to list all the locales we need.
# Any being is welcome to add any locale in this section.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'RedHat' %}
locales_packages:
pkg.installed:
- pkgs:
- glibc-langpack-en
{% endif %}
{% if grains['os_family'] == 'Debian' %}
locales-all:
pkg.installed
{% endif %}
diff --git a/roles/core/memory/init.sls b/roles/core/memory/init.sls
index 6f4db7b..cd7d840 100644
--- a/roles/core/memory/init.sls
+++ b/roles/core/memory/init.sls
@@ -1,47 +1,46 @@
# -------------------------------------------------------------
# Salt — Memory configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-12
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Provide SWAP
#
# Some servers can't be set up without any swap, especially
# on Scaleway infrastructure. As a fallback, we can create
# a swap file in such cases.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set swap_size = 8 * 1024 %}
{% if grains['swap_total'] == 0 %}
create_swap_file:
cmd.run:
# dd is here used, as fallocate compatibility with XFS and ext4
# hasn't been verified.
- name: dd if=/dev/zero of=/swapfile bs=1MiB count={{ swap_size }}
- creates: /swapfile
secure_swap_file:
file.managed:
- name: /swapfile
- mode: 600
- replace: False
enable_swap_file:
cmd.run:
- name: |
mkswap /swapfile
swapon /swapfile
touch /etc/.swap-enabled
- creates: /etc/.swap-enabled
configure_fstab_for_swap_file:
file.append:
- name: /etc/fstab
- text: /swapfile none swap sw 0 0
{% endif %}
diff --git a/roles/core/motd/files/motd.sh b/roles/core/motd/files/motd.sh
index 39c8e38..80fde73 100644
--- a/roles/core/motd/files/motd.sh
+++ b/roles/core/motd/files/motd.sh
@@ -1,23 +1,22 @@
#!/bin/sh
# -------------------------------------------------------------
# MOTD
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-10
# License: Trivial work, not eligible to copyright
# Source file: roles/core/motd/files/motd.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
if [ -f /etc/motd ]; then
cat /etc/motd
else
echo "No MOTD."
fi
diff --git a/roles/core/motd/init.sls b/roles/core/motd/init.sls
index a3d736b..44a57d7 100644
--- a/roles/core/motd/init.sls
+++ b/roles/core/motd/init.sls
@@ -1,59 +1,58 @@
# -------------------------------------------------------------
# Salt — MOTD
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set motd_path = salt['motd.get_path']() %}
{% set network = salt['node.resolve_network']() %}
motd:
file.managed:
- name: {{ motd_path }}
- source: salt://roles/core/motd/files/{{ grains['id'] }}
- template: jinja
- context:
ipv4_address: {{ network['ipv4_address'] }}
ipv4_gateway: {{ network['ipv4_gateway'] }}
os_info: {{ grains["osfinger"].replace("-", " ") }}
# -------------------------------------------------------------
# Provide a `motd` command to read /etc/motd
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/bin/motd:
file.managed:
- source: salt://roles/core/motd/files/motd.sh
- mode: 755
{% if motd_path != "/etc/motd" %}
/etc/motd:
file.symlink:
- target: {{ motd_path }}
{% endif %}
# -------------------------------------------------------------
# Scaleway instances
#
# Fixes T858.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
get_rid_of_scaleway_motd:
file.absent:
- name: /etc/update-motd.d/50-scw
# -------------------------------------------------------------
# Generate MOTD from templates
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'FreeBSD' and grains['osmajorrelease'] >= 13 %}
update_motd:
cmd.run:
- name: service motd restart
- onchanges:
- file: motd
{% endif %}
diff --git a/roles/core/network/files/ipv6-tunnels/docker-002.sh.jinja b/roles/core/network/files/ipv6-tunnels/docker-002.sh.jinja
index 6b05ac9..52c9bec 100644
--- a/roles/core/network/files/ipv6-tunnels/docker-002.sh.jinja
+++ b/roles/core/network/files/ipv6-tunnels/docker-002.sh.jinja
@@ -1,34 +1,33 @@
#!/bin/sh
# -------------------------------------------------------------
# IPv6 connectivity
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# Source file: roles/core/network/files/ipv6-tunnels/docker-002.sh.jinja
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Hurricane Electric tunnel
# tunnel503394.tunnel.tserv10.par1.ipv6.he.net
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.84.42
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:1f12:365::2/64
route -A inet6 add ::/0 dev sit1
# -------------------------------------------------------------
# Canonical IP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ifconfig sit1 inet6 add 2001:470:1f13:365::50f7:ba11/64
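Review bot: `ifconfig sit0 up` brings up the Linux fallback 6in4 device, which as far as I understand it decapsulates protocol-41 packets from any IPv4 source, not only the HE endpoint, so a remote host can inject IPv6 traffic onto this machine unless ip6tables/nftables filters it; the device actually bound to HE is sit1, created by the `tunnel ::216.66.84.42` line. I would create that tunnel explicitly and leave sit0 down: `ip tunnel add he-ipv6 mode sit remote 216.66.84.42 local <this host's public IPv4> ttl 255`, then `ip link set he-ipv6 up` and the address and default-route lines on he-ipv6 instead of sit1. Separately, nothing in this script shows an IPv6 firewall, and the default route via the tunnel exposes every listening service over v6, so confirm the v6 ruleset mirrors the v4 one before this is applied.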
diff --git a/roles/core/network/files/ipv6-tunnels/dwellers.sh.jinja b/roles/core/network/files/ipv6-tunnels/dwellers.sh.jinja
index 21ce255..6cf0154 100644
--- a/roles/core/network/files/ipv6-tunnels/dwellers.sh.jinja
+++ b/roles/core/network/files/ipv6-tunnels/dwellers.sh.jinja
@@ -1,34 +1,33 @@
#!/bin/sh
# -------------------------------------------------------------
# IPv6 connectivity
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# Source file: roles/core/network/files/ipv6-tunnels/dwellers.sh.jinja
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Hurricane Electric tunnel
# nasqueron-2.tunnel.tserv10.par1.ipv6.he.net
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.84.42
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:1f12:30b::2/64
route -A inet6 add ::/0 dev sit1
# -------------------------------------------------------------
# Canonical IP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ifconfig sit1 inet6 add 2001:470:1f13:30b:ca5:cade:fab:1e/64
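Review bot: `ifconfig sit0 up` here has the same problem as on the other sit-based hosts: sit0 is the kernel's catch-all 6in4 device and, to my understanding, accepts protocol-41 packets from any IPv4 source once it is up, while only sit1 is tied to 216.66.84.42. Build the tunnel with `ip tunnel add he-ipv6 mode sit remote 216.66.84.42 local <this host's public IPv4> ttl 255` and `ip link set he-ipv6 up`, moving the address and route lines onto he-ipv6 so sit0 can stay down. Whether an IPv6 firewall exists for this host is not visible from the hunk; with a default route over the tunnel it should be confirmed.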
diff --git a/roles/core/network/files/ipv6-tunnels/eglide.sh.jinja b/roles/core/network/files/ipv6-tunnels/eglide.sh.jinja
index 92c5671..763ccbb 100644
--- a/roles/core/network/files/ipv6-tunnels/eglide.sh.jinja
+++ b/roles/core/network/files/ipv6-tunnels/eglide.sh.jinja
@@ -1,47 +1,46 @@
#!/bin/sh
# -------------------------------------------------------------
# IPv6 connectivity
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-06-15
# License: Trivial work, not eligible to copyright
# Source file: roles/core/network/files/ipv6-tunnels/eglide.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
IFCONFIG=/sbin/ifconfig
IP=/sbin/ip
ROUTE=/sbin/route
# -------------------------------------------------------------
# Hurricane Electric tunnel
# nasqueron-3.tunnel.tserv10.par1.ipv6.he.net
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$IFCONFIG sit0 up
$IFCONFIG sit0 inet6 tunnel ::216.66.84.42
$IFCONFIG sit1 up
$IFCONFIG sit1 inet6 add 2001:470:1f12:896::2/64
$ROUTE -A inet6 add ::/0 dev sit1
# -------------------------------------------------------------
# Canonical IP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$IFCONFIG sit1 inet6 add 2001:470:1f13:896::c0de:15:11fe/64
# -------------------------------------------------------------
# Additional IP addresses
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Short block
{%- for n in range (1, 64) %}
$IP addr add 2001:470:1f13:896::{{ '%x' | format(n) }}/64 dev sit1 preferred_lft 0
{%- endfor %}
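Review bot: `$IFCONFIG sit0 up` enables the fallback 6in4 device, which to my understanding decapsulates protocol-41 packets from any IPv4 source rather than just 216.66.84.42; sit1 is the bound tunnel. This script already uses `$IP`, so the explicit form fits naturally: `$IP tunnel add he-ipv6 mode sit remote 216.66.84.42 local <this host's public IPv4> ttl 255` and `$IP link set he-ipv6 up`, with the address, route and the 63 `preferred_lft 0` aliases moved to he-ipv6, leaving sit0 down. The `preferred_lft 0` addresses are deprecated-on-purpose so they are never chosen as source, which is worth a one-line comment above the loop since it is easy to mistake for a bug.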
diff --git a/roles/core/network/files/ipv6-tunnels/ysul.sh.jinja b/roles/core/network/files/ipv6-tunnels/ysul.sh.jinja
index e66dd22..cd7f797 100644
--- a/roles/core/network/files/ipv6-tunnels/ysul.sh.jinja
+++ b/roles/core/network/files/ipv6-tunnels/ysul.sh.jinja
@@ -1,54 +1,53 @@
#!/bin/sh
# -------------------------------------------------------------
# IPv6 connectivity
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# Source file: roles/core/network/files/ipv6-tunnels/ysul.sh.jinja
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
IFCONFIG=/sbin/ifconfig
ROUTE=/sbin/route
# -------------------------------------------------------------
# Hurricane Electric tunnel
# nasqueron-1.tunnel.tserv10.par1.ipv6.he.net
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$IFCONFIG gif0 create
$IFCONFIG gif0 tunnel 212.83.187.132 216.66.84.42
$IFCONFIG gif0 inet6 2001:470:1f12:9e1::2 2001:470:1f12:9e1::1 prefixlen 128
$ROUTE -n add -inet6 default 2001:470:1f12:9e1::1
$IFCONFIG gif0 up
# -------------------------------------------------------------
# Canonical IP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$IFCONFIG gif0 inet6 add 2001:470:1f13:9e1:0:c0ff:ee:1/64
# -------------------------------------------------------------
# Additional IP addresses
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Canonical block
{%- for n in range (2, 16) %}
$IFCONFIG gif0 inet6 add 2001:470:1f13:9e1:0:c0ff:ee:{{ '%x' | format(n) }}/64 alias
{%- endfor %}
# Short block
{%- for n in range (1, 26) %}
$IFCONFIG gif0 inet6 add 2001:470:1f13:9e1::{{ '%x' | format(n) }}/64 alias
{%- endfor %}
# Varnish cache
$IFCONFIG gif0 inet6 add 2001:470:1f13:9e1::cac:7e:1/64 alias
diff --git a/roles/core/network/gre.sls b/roles/core/network/gre.sls
index 2230c17..fb19b46 100644
--- a/roles/core/network/gre.sls
+++ b/roles/core/network/gre.sls
@@ -1,70 +1,69 @@
# -------------------------------------------------------------
# Salt — Network — GRE tunnels
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-09-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "roles/core/network/map.jinja" import gre with context %}
{% set boot_loader = namespace(gre=false) %}
{% set is_router = salt["node.has_role"]("router") %}
# -------------------------------------------------------------
# Tunnels network configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for tunnel in salt['node.resolve_gre_tunnels']() %}
{% set boot_loader.gre = True %}
{{ gre.config_path }}{{ tunnel["description"] }}:
file.managed:
- source: salt://roles/core/network/files/{{ gre.source_path }}
- makedirs: True
- template: jinja
- defaults: {{ tunnel }}
{% if grains['os_family'] == 'Debian' %}
- context:
interface: gre-{{ tunnel["network"] }}
{% endif %}
{% if not is_router and grains['os'] == 'FreeBSD' %}
# Only once iteration of the loop is expected, as it's not a router
/usr/local/etc/rc.d/route-drake:
file.managed:
- source: salt://roles/core/network/files/FreeBSD/route-drake.service
- mode: 755
/etc/rc.conf.d/route_drake:
file.managed:
- source: salt://roles/core/network/files/FreeBSD/route_drake.rc
- template: jinja
- context:
tunnel_endpoint: {{ tunnel["dst"] }}
{% endif %}
{% endfor %}
# -------------------------------------------------------------
# Kernel configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if boot_loader.gre %}
{% if grains['os'] == 'FreeBSD' %}
/boot/loader.conf.d/gre.conf:
file.managed:
- source: salt://roles/core/network/files/FreeBSD/gre.conf
- mode: '0644'
{% endif %}
{% if grains['os_family'] == 'Debian' %}
ip_gre:
kmod.present:
- persist: True
{% endif %}
{% endif %}
diff --git a/roles/core/network/init.sls b/roles/core/network/init.sls
index 1c1f11b..dfc8697 100644
--- a/roles/core/network/init.sls
+++ b/roles/core/network/init.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Network
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-09-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .ipv4
- .ipv6
- .ipv6_tunnel
- .ipv6_fixes
- .dhclient6
- .gre
- .routes
# Drake can be configured as:
#
# - ipv4 (e.g. IntraNought network cards on EXSi hypervisor VMs)
# - gre (e.g. isolated servers needing a tunnel)
#
# Both are needed for servers with router role.
diff --git a/roles/core/network/ipv4.sls b/roles/core/network/ipv4.sls
index 54dd006..69e8868 100644
--- a/roles/core/network/ipv4.sls
+++ b/roles/core/network/ipv4.sls
@@ -1,36 +1,35 @@
# -------------------------------------------------------------
# Salt — Network
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-06-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "roles/core/network/map.jinja" import interface_config with context %}
{% set network = salt['node.get']('network') %}
# -------------------------------------------------------------
# Interface
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for interface_name, interface in network["interfaces"].items() %}
{% if "skip_interface_configuration" not in interface.get("flags", []) %}
network_ipv4_{{ interface_name }}:
file.managed:
{% if interface_config["suffix"] == "interface" %}
- name : {{ interface_config["config_path"] }}{{ interface_name }}
{% else %}
- name : {{ interface_config["config_path"] }}{{ interface["device"] }}
{% endif %}
- source: salt://roles/core/network/files/{{ interface_config["source_path"] }}
- makedirs: True
- template: jinja
- defaults:
interface: {{ interface }}
{% if grains['os_family'] == 'RedHat' %}
prefix: {{ salt['network_utils.netmask_to_cidr_prefix'](interface['ipv4']['netmask']) }}
{% endif %}
{% endif %}
{% endfor %}
diff --git a/roles/core/rc/files/rc.local.sh b/roles/core/rc/files/rc.local.sh
index b60a2bb..e2b806f 100644
--- a/roles/core/rc/files/rc.local.sh
+++ b/roles/core/rc/files/rc.local.sh
@@ -1,32 +1,31 @@
#!/bin/sh -e
# -------------------------------------------------------------
# rc.local
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-06-15
# License: Trivial work, not eligible to copyright
# Source file: roles/core/rc/files/rc.local.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# IPv6
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/sbin/ipv6-setup-tunnel
# -------------------------------------------------------------
# Return value
#
# Should be 0 on success, not 0 on failure. Current rc process
# requires this value to be set accordingly.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
exit 0
diff --git a/roles/core/rc/init.sls b/roles/core/rc/init.sls
index d0a161d..e9c70cf 100644
--- a/roles/core/rc/init.sls
+++ b/roles/core/rc/init.sls
@@ -1,38 +1,37 @@
# -------------------------------------------------------------
# Salt — RC
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-06-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set use_zfs = salt['node.has']('zfs:pool') %}
# -------------------------------------------------------------
# IPv6
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
rc:
file.managed:
- name : /etc/rc.local
- source: salt://roles/core/rc/files/rc.local.sh
- mode: 755
{% endif %}
# -------------------------------------------------------------
# Periodic tasks configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/periodic.conf:
file.managed:
- source: salt://roles/core/rc/files/periodic.conf
- template: jinja
- context:
use_zfs: {{ use_zfs }}
/etc/locate.rc:
file.managed:
- source: salt://roles/core/rc/files/locate.rc
{% endif %}
diff --git a/roles/core/rsyslog/files/default.conf b/roles/core/rsyslog/files/default.conf
index ed664a6..bfcedd2 100644
--- a/roles/core/rsyslog/files/default.conf
+++ b/roles/core/rsyslog/files/default.conf
@@ -1,80 +1,79 @@
# -------------------------------------------------------------
# Default rules for rsyslog
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-09-11
# License: Trivial work, not eligible to copyright
# Source file: roles/core/rsyslog/files/default.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
#daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
diff --git a/roles/core/rsyslog/init.sls b/roles/core/rsyslog/init.sls
index b125078..dd9cb36 100644
--- a/roles/core/rsyslog/init.sls
+++ b/roles/core/rsyslog/init.sls
@@ -1,19 +1,18 @@
# -------------------------------------------------------------
# Salt — rsyslog
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-09-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Ensure xconsole pipeline isn't configured
#
# See http://kb.monitorware.com/kbeventdb-detail-id-6925.html
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if salt['node.has']('fixes:rsyslog_xconsole') %}
/etc/rsyslog.d/50-default.conf:
file.managed:
- source: salt://roles/core/rsyslog/files/default.conf
{% endif %}
diff --git a/roles/core/salt/init.sls b/roles/core/salt/init.sls
index 16f4a4c..044bb9b 100644
--- a/roles/core/salt/init.sls
+++ b/roles/core/salt/init.sls
@@ -1,62 +1,61 @@
# -------------------------------------------------------------
# Salt — Salt configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-06-12
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/core/certificates/map.jinja" import certificates with context %}
salt_roles:
grains.list_present:
- name: roles
- value: {{ salt['node.get_list']("roles") }}
# -------------------------------------------------------------
# Repository
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'RedHat' %}
/etc/yum.repos.d/salt.repo:
file.managed:
- source: salt://roles/core/salt/files/salt.repo
{% endif %}
{% if grains['os_family'] == 'Debian' %}
/etc/apt/keyrings/salt-archive-keyring-2023.gpg:
file.managed:
- source: salt://roles/core/salt/files/SALT-PROJECT-GPG-PUBKEY-2023.gpg
- makedirs: True
/etc/apt/sources.list.d/salt.list:
file.managed:
- source: salt://roles/core/salt/files/salt.list
- makedirs: True
{% endif %}
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/salt_minion:
file.managed:
- source: salt://roles/core/salt/files/rc.conf
{% endif %}
# -------------------------------------------------------------
# Vault
#
# For shellserver, set in roles/shellserver/vault unit instead.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if not salt["node.has_role"]("shellserver") %}
{{ dirs.etc }}/salt/minion.d/vault.conf:
file.managed:
- source: salt://roles/core/salt/files/vault.conf
- template: jinja
- context:
certificate: {{ certificates.dir }}/nasqueron-vault-ca.crt
{% endif %}
diff --git a/roles/core/src/init.sls b/roles/core/src/init.sls
index 1b09651..0c32784 100644
--- a/roles/core/src/init.sls
+++ b/roles/core/src/init.sls
@@ -1,22 +1,21 @@
# -------------------------------------------------------------
# Extract FreeBSD sources
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-01-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os'] == 'FreeBSD' %}
{% set version = grains['kernelrelease'].split("-")[0] %}
freebsd_src:
cmd.run:
{% if version < "13.0" %}
- name: svnlite checkout https://svn.freebsd.org/base/releng/{{ version }} /usr/src
{% else %}
- name: git clone --depth=1 --single-branch -b releng/{{ version }} https://git.freebsd.org/src.git /usr/src
{% endif %}
- creates: /usr/src/Makefile
{% endif %}
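Review bot: `{% if version < "13.0" %}` is a lexicographic string comparison, so it only behaves while both sides have two-digit majors; `"9.3" < "13.0"` is false and `"100.0" < "13.0"` would be true. Compare numerically: `{% if version.split(".")[0] | int < 13 %}`. The svnlite branch only applies to releases that are all end-of-life (12.x ended in December 2023) and I am not certain svn.freebsd.org still serves the base repository, so that branch may be dead code worth dropping rather than fixing. A comment noting that `creates: /usr/src/Makefile` lets an interrupted clone rerun but that a leftover svn checkout in /usr/src will block the git path would help the next operator.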
diff --git a/roles/core/sshd/files/sshd_config b/roles/core/sshd/files/sshd_config
index 89f2a2f..4320735 100644
--- a/roles/core/sshd/files/sshd_config
+++ b/roles/core/sshd/files/sshd_config
@@ -1,55 +1,54 @@
# -------------------------------------------------------------
# OpenSSH configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-28
# License: Trivial work, not eligible to copyright
# Source file: roles/core/sshd/files/sshd_config
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
{% if should_listen_to_private_address -%}
ListenAddress {{ listen_private_address }}
ListenAddress localhost
{%- endif %}
# Terrapin mitigation
# Those ciphers are fine if *BOTH* SSH client and server are patched.
# A up-to-date OpenSSH server isn't enough if the client don't support
# strict key exchange. As such, we still disable them.
Ciphers -chacha20-poly1305@openssh.com
MACs -*etm@openssh.com
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
{% if grains['os_family'] == 'RedHat' -%}
# Don't use host DSA key (CentOS by default uses it, see T1352)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
{%- endif %}
# Nasqueron servers authentication should only occur through SSH keys
# but PAM can offer extra capabilities if needed like OTP.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Once the core role has been applied to a server, ops users have been created
# and sudo configured. We can so forbid direct root login.
PermitRootLogin no
# Misc options
PrintMotd {{ "yes" if print_motd else "no" }}
AcceptEnv LANG LC_*
# SFTP
Subsystem sftp {{ sftp }}
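Review bot: The `-` prefix on `Ciphers` and `MACs` is only understood by newer OpenSSH releases, and an sshd that does not know it rejects the whole file at startup, which with `PasswordAuthentication no` and `PermitRootLogin no` means a remote lockout; confirm the oldest sshd in the fleet (the RedHat branch suggests EL hosts, whose OpenSSH can lag) accepts this syntax, or run `sshd -t` against the rendered file before it is deployed. `ChallengeResponseAuthentication` has been a deprecated alias since OpenSSH 8.7; adding `KbdInteractiveAuthentication no` beside it states the intent explicitly for both old and new versions. The Terrapin comment says "Those ciphers" but the second directive removes MACs; `# Those ciphers and MACs are fine if *BOTH* SSH client and server are patched.` is more accurate.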
diff --git a/roles/core/sshd/init.sls b/roles/core/sshd/init.sls
index f9befd7..5c174e0 100644
--- a/roles/core/sshd/init.sls
+++ b/roles/core/sshd/init.sls
@@ -1,51 +1,50 @@
# -------------------------------------------------------------
# Salt — OpenSSH configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-02-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import paths, capabilities with context %}
{% set network = salt["node.resolve_network"]() %}
# -------------------------------------------------------------
# OpenSSH
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/etc/ssh/sshd_config:
file.managed:
- source: salt://roles/core/sshd/files/sshd_config
- template: jinja
- context:
listen_private_address: {{ network["private_ipv4_address"] | default("localhost") }}
should_listen_to_private_address: {{ network["is_private_network_stable"] | default(false) }}
sftp: {{ paths.sftp }}
print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/sshd:
file.managed:
- source: salt://roles/core/sshd/files/rc.conf
{% endif %}
# -------------------------------------------------------------
# PAM
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# T1194 - Debian offers a nologin pam module avoiding people
# to log in when /run/nologin exists. OS can pop this file,
# for example at shutdown time or when systemd boot hasn't
# finished.
pam_disable_nologin:
file.comment:
- name: /etc/pam.d/sshd
- regex: ^account.*pam_nologin\.so
- ignore_missing: True
- backup: None
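Review bot: The managed /etc/ssh/sshd_config has no syntax check and no service state, so a bad render locks every operator out at the next sshd restart, while a good one is not enforced until something restarts sshd by hand, which means `PermitRootLogin no` and the cipher removals in the template are not guaranteed by this state alone. Add `- check_cmd: /usr/sbin/sshd -t -f` to the `file.managed` (Salt appends the temp file path) so a config sshd rejects is never written, and a `service.running` state that watches the file. The service name differs per OS (`ssh` on Debian, `sshd` elsewhere); I have hedged that with a grain lookup below, adjust if `map.jinja` already carries it.
```yaml
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://roles/core/sshd/files/sshd_config
    - template: jinja
    # Never install a config sshd itself refuses to parse (Salt appends the temp path)
    - check_cmd: /usr/sbin/sshd -t -f
    # … unchanged: context block …

sshd_service:
  service.running:
    - name: {{ "ssh" if grains["os_family"] == "Debian" else "sshd" }}
    - enable: True
    - watch:
      - file: /etc/ssh/sshd_config
```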
diff --git a/roles/core/sudo/files/ops b/roles/core/sudo/files/ops
index 5964d83..3bb46ba 100644
--- a/roles/core/sudo/files/ops
+++ b/roles/core/sudo/files/ops
@@ -1,17 +1,16 @@
# -------------------------------------------------------------
# SaltStack deployment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-19
# License: Trivial work, not eligible to copyright
# Source file: roles/core/sudo/files/ops
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
%ops ALL = (ALL) NOPASSWD: ALL
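Review bot: `%ops ALL = (ALL) NOPASSWD: ALL` makes every ops account root-equivalent with no second check; that is coherent with the sshd policy in this role (password authentication is off, so there is no password sudo could ask for), but it means a single leaked SSH key is a full root compromise, and the trade-off deserves a comment in the file itself. A cheap hardening that leaves the grant unchanged is `Defaults:%ops use_pty` on the line above, so a command run through sudo cannot push keystrokes back into the operator's own terminal. Session recording (`log_input`/`log_output`) needs an iolog directory and is a policy decision outside this file.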
diff --git a/roles/core/sudo/init.sls b/roles/core/sudo/init.sls
index e49b260..6629024 100644
--- a/roles/core/sudo/init.sls
+++ b/roles/core/sudo/init.sls
@@ -1,38 +1,37 @@
# -------------------------------------------------------------
# Salt — sudo configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
sudo:
pkg.installed
{% endif %}
# -------------------------------------------------------------
# Sudo capabilities
#
# Ops should be able to sudo …
# Acmesh should be able to sudo acmesh-nginxCheck
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/sudoers.d/ops:
file.managed:
- source: salt://roles/core/sudo/files/ops
- makedirs: True
{{ dirs.etc }}/sudoers.d/acme:
file.managed:
- source: salt://roles/core/sudo/files/acme
- template: jinja
- makedirs: True
- context:
dirs: {{ dirs }}
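Review bot: Both sudoers.d files are installed without validation, and a parse error in any file under sudoers.d makes sudo refuse every invocation on the host, which combined with `PermitRootLogin no` elsewhere in this role is a lockout; add `- check_cmd: visudo -cf` to each `file.managed` (Salt appends the temp file path) so a broken file is never installed. I would also pin `- mode: '0440'` on both, matching what sudo's own packaging uses for sudoers.d, instead of relying on the minion's umask. The acme file is a jinja template, so the check also catches rendering mistakes in the `dirs` substitution.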
diff --git a/roles/core/sysctl/files/sysctl.conf b/roles/core/sysctl/files/sysctl.conf
index 2ad597a..bbc3986 100644
--- a/roles/core/sysctl/files/sysctl.conf
+++ b/roles/core/sysctl/files/sysctl.conf
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Kernel state configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-06
# License: Trivial work, not eligible to copyright
# Source file: roles/core/sysctl/files/sysctl.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Interprocess Communication
#
# See T519
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
kern.ipc.somaxconn=1024
# -------------------------------------------------------------
# VFS — kernel interface to file systems
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Allow user to mount disks (required by FUSE or PEFS)
vfs.usermount=1
{%- if use_zfs %}
{% if mem < 4096 %}
# Maximum size of the Adaptive Replacement Cache (ARC).
vfs.zfs.arc_max = 2147483648
{% endif %}
# Keep prefetch: this works by reading larger blocks than were requested
# into the ARC in hopes that the data will be needed soon.
vfs.zfs.prefetch_disable=0
{% endif -%}
{% if is_router -%}
# Enable CARP preemption
net.inet.carp.preempt=1
{% endif -%}
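Review bot: `vfs.zfs.arc_max = 2147483648` is the only line written with spaces around `=`; the other sysctls use `name=value`, and I would not rely on sysctl(8)'s file parser trimming the name, so normalize it to `vfs.zfs.arc_max=2147483648`. `vfs.usermount=1` lets any unprivileged user mount filesystems, which the comment justifies for FUSE/PEFS; since this file goes to every FreeBSD host, add a sentence that this enlarges the kernel attack surface (untrusted filesystem images parsed in kernel) and is accepted for the shell-server case, or gate it on a role the way `net.inet.carp.preempt` is gated on `is_router`.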
diff --git a/roles/core/sysctl/init.sls b/roles/core/sysctl/init.sls
index 04a2585..6e84f80 100644
--- a/roles/core/sysctl/init.sls
+++ b/roles/core/sysctl/init.sls
@@ -1,22 +1,21 @@
# -------------------------------------------------------------
# Salt — Kernel state
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-06
# License: Trivial work, not eligible to copyright
#
# -------------------------------------------------------------
{% if grains['os'] == 'FreeBSD' %}
{% set use_zfs = salt['node.has']('zfs:pool') %}
/etc/sysctl.conf:
file.managed:
- source: salt://roles/core/sysctl/files/sysctl.conf
- template: jinja
- context:
use_zfs: {{ use_zfs }}
mem: {{ grains['mem_total'] }}
is_router: {{ salt[ "node.has_role" ]("router") }}
{% endif %}
diff --git a/roles/core/timezone/init.sls b/roles/core/timezone/init.sls
index 77a205a..5fdcfff 100644
--- a/roles/core/timezone/init.sls
+++ b/roles/core/timezone/init.sls
@@ -1,54 +1,53 @@
# -------------------------------------------------------------
# Salt — Time zone
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-23
# License: Trivial work, not eligible to copyright
#
# Dance, dance, to set timezone across OSes
#
# -------------------------------------------------------------
# -------------------------------------------------------------
# Just write the timezone somewhere style
# Well no, dpkg-reconfigure after
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
/etc/timezone:
file.managed:
- contents: Etc/UTC
update_timezone:
cmd.run:
- name: dpkg-reconfigure -f noninteractive tzdata
- onchanges:
- file: /etc/timezone
{% endif %}
# -------------------------------------------------------------
# Symbolic link style
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'RedHat' %}
/etc/localtime:
file.symlink:
- target: /usr/share/zoneinfo/Etc/UTC
{% endif %}
# -------------------------------------------------------------
# Just let the OS set the files with a command style
# Okay, but WE need to know WHEN start this
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/var/db/zoneinfo:
file.managed:
- contents: Etc/UTC
update_timezone:
cmd.run:
- name: tzsetup Etc/UTC
- onchanges:
- file: /var/db/zoneinfo
{% endif %}
diff --git a/roles/core/users/init.sls b/roles/core/users/init.sls
index 492e866..1c8a220 100644
--- a/roles/core/users/init.sls
+++ b/roles/core/users/init.sls
@@ -1,146 +1,145 @@
# -------------------------------------------------------------
# Salt — Provision users accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-09
# Description: Adds and revokes user accounts, in the relevant
# groups and with their stable SSH keys.
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Table of contents
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# :: Disabled accounts
# :: ZFS (before user account creation)
# :: Active accounts
# :: ZFS (after user account creation)
# :: Groups
# :: SSH keys
#
# -------------------------------------------------------------
{% from "map.jinja" import dirs, shells with context %}
{% set users = salt['forest.get_users']() %}
{% set zfs_tank = salt['node.get']("zfs:pool") %}
{% set forest = salt['node.get']['forest'] %}
# -------------------------------------------------------------
# Disabled accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username in pillar.get('revokedusers') %}
{{ username }}:
user.absent
{% endfor %}
# -------------------------------------------------------------
# ZFS datasets
#
# Where ZFS is available, home directories are created as separate
# datasets. That has several benefits, like allowing users to create
# snapshots or manage backups.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if zfs_tank %}
zfs_home_permissions_sets:
cmd.run:
- name: |
zfs allow -s @local allow,clone,create,diff,hold,mount,promote,receive,release,rollback,snapshot,send {{ zfs_tank }}{{ dirs.home }}
zfs allow -s @descendent allow,clone,create,diff,destroy,hold,mount,promote,receive,release,rename,rollback,snapshot,send {{ zfs_tank }}{{ dirs.home }}
touch {{ dirs.home }}/.zfs-permissions-set
- creates: {{ dirs.home }}/.zfs-permissions-set
{% for username in users %}
{% set home_directory = zfs_tank + dirs['home'] + '/' + username %}
{{ home_directory }}:
zfs.filesystem_present:
- properties:
"com.sun:auto-snapshot": "true"
zfs_permissions_home_local_{{ username }}:
cmd.run:
- name: zfs allow -lu {{ username }} @local {{ home_directory }}
- require:
- user: {{ username }}
- onchanges:
- zfs: {{ home_directory }}
zfs_permissions_home_descendant_{{ username }}:
cmd.run:
- name: zfs allow -du {{ username }} @descendent {{ home_directory }}
- require:
- user: {{ username }}
- onchanges:
- zfs: {{ home_directory }}
/home/{{ username }}:
file.directory:
- user: {{ username }}
- group: {{ username }}
- dir_mode: 700
- require:
- user: {{ username }}
{% endfor %}
{% endif %}
# -------------------------------------------------------------
# Active accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in users.items() %}
{{ username }}:
user.present:
- fullname: {{ user['fullname'] }}
- shell: {{ shells[user['shell']|default('bash')] }}
- uid: {{ user['uid'] }}
- loginclass: {{ user['class']|default('english') }}
{% endfor %}
# -------------------------------------------------------------
# Groups
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for groupname, group in salt['forest.get_groups']().items() %}
group_{{ groupname }}:
group.present:
- name: {{ groupname }}
- gid: {{ group['gid'] }}
- members: {{ group['members'] }}
{% endfor %}
{% if grains["os"] == "FreeBSD" %}
group_wheel:
group.present:
- name: wheel
- gid: 0
- members: {{ salt["forest.get_wheel_users"]() }}
{% endif %}
# -------------------------------------------------------------
# SSH keys
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in users.items() %}
/home/{{ username }}/.ssh:
file.directory:
- user: {{ username }}
- group: {{ username }}
- dir_mode: 700
/home/{{ username }}/.ssh/authorized_keys:
file.managed:
- source: salt://roles/core/users/files/authorized_keys
- user: {{ username }}
- group: {{ username }}
- mode: 600
- template: jinja
- context:
keys: {{ user['ssh_keys'] }}
{% endfor %}
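Review bot: The bootstrap script under `zfs_home_permissions_sets` writes the `.zfs-permissions-set` marker even when one of the two `zfs allow -s` commands fails, because the three lines run as a plain shell script with no `set -e`, and `creates` then prevents any retry — prefix the script with `set -e` (or chain the lines with `&&`) so the marker only appears once both permission sets exist. `{% set forest = salt['node.get']['forest'] %}` subscripts the function instead of calling it; Jinja resolves that to Undefined rather than failing, and `forest` is never used below, so either drop the line or write `salt['node.get']('forest')`. `pillar.get('revokedusers')` has no default, so a minion whose pillar lacks that key renders `None` and the `for` loop raises; `pillar.get('revokedusers', [])` makes revocation a no-op there instead. `user.absent` without `purge`/`force` leaves the home directory, its `authorized_keys` and, where ZFS is in use, the per-user dataset behind after revocation; if that retention is intentional it deserves a comment, otherwise consider `- purge: True` on the revoked accounts.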
diff --git a/roles/dbserver-mysql/grc/init.sls b/roles/dbserver-mysql/grc/init.sls
index ca7a814..12562fa 100644
--- a/roles/dbserver-mysql/grc/init.sls
+++ b/roles/dbserver-mysql/grc/init.sls
@@ -1,37 +1,36 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Credit: Jaime Crespo (@Jynus)
-# Created: 2017-11-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Coloration grc configuration file for MySQL client
#
# “ This is more than pure aesthetics- DBAs are looking at this output
# for long hours, a bit of color (disabled by default) will make
# their life easier.
#
# Enable with:
# mysql --pager='grcat /etc/mysql/grcat.config | less -RSFXin'
#
# ” -- Jaime Crespo
#
# Note it's deployed instead in share dir to be able to `grc mysql`.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.share }}/grc/conf.mysql:
file.managed:
- source: salt://roles/dbserver-mysql/grc/files/grcat.config
- makedirs: True
{{ dirs.etc }}/grc.conf:
file.append:
- text: |
# MySQL mysql command
(^|[/\w\.]+/)mysql\s?
conf.mysql
diff --git a/roles/dbserver-mysql/init.sls b/roles/dbserver-mysql/init.sls
index fe81844..a592ea7 100644
--- a/roles/dbserver-mysql/init.sls
+++ b/roles/dbserver-mysql/init.sls
@@ -1,16 +1,15 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .mysql-server
- .grc
- .treasure-chest
- .salt
# Requires .mysql-server and .salt
- .content
diff --git a/roles/dbserver-mysql/mysql-server/cnf.sls b/roles/dbserver-mysql/mysql-server/cnf.sls
index ffaa617..a600e8f 100644
--- a/roles/dbserver-mysql/mysql-server/cnf.sls
+++ b/roles/dbserver-mysql/mysql-server/cnf.sls
@@ -1,68 +1,67 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set use_zfs = salt['node.has']('zfs:pool') %}
{% set is_devserver = salt['node.has_role']('devserver') %}
# -------------------------------------------------------------
# Required directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/run/mysql:
file.directory:
- user: mysql
- group: mysql
- dir_mode: 755
{{ dirs.etc }}/mysql:
file.directory:
- user: root
- group: mysql
- dir_mode: 755
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/mysql/conf.d:
file.recurse:
- source: salt://roles/dbserver-mysql/mysql-server/files/conf.d
- clean: True # remove wsrep.cnf values (and empty config files)
- template: jinja
- context:
nodename: {{ grains['id'] }}
etc: {{ dirs.etc }}
share: {{ dirs.share }}
use_zfs: {{ use_zfs }}
{% if is_devserver %}
listen_ip: 127.0.0.1
{% else %}
listen_ip: 0.0.0.0
{% endif %}
{{ dirs.etc }}/mysql/stopwords.txt:
file.managed:
- source: salt://roles/dbserver-mysql/mysql-server/files/stopwords.txt
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/mysql:
file.managed:
- source: salt://roles/dbserver-mysql/mysql-server/files/mysql.rc
- template: jinja
- context:
use_zfs: {{ use_zfs }}
{% endif %}
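Review bot: `listen_ip: 0.0.0.0` on every node that is not a devserver exposes the MySQL listener on all interfaces, and nothing in this state restricts who can reach it; if the intent is to serve only an internal network, bind to that address (for example a `node.get` lookup of the internal IP) so the firewall is a second layer rather than the only one. The value only flows into the `conf.d` templates, which are outside this hunk, so I cannot tell whether `bind-address` is its only consumer. A one-line comment above the `{% if is_devserver %}` block stating why all-interfaces is the default, e.g. `# Non-dev nodes serve replicas/clients on the internal network; firewall limits exposure`, would help the next reader judge the exposure.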
diff --git a/roles/dbserver-mysql/mysql-server/files/mysql.rc b/roles/dbserver-mysql/mysql-server/files/mysql.rc
index 38e025e..2d17f5d 100644
--- a/roles/dbserver-mysql/mysql-server/files/mysql.rc
+++ b/roles/dbserver-mysql/mysql-server/files/mysql.rc
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Database server — MySQL — rc configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-05
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
mysql_enable="YES"
mysql_rundir="/var/run/mysql"
mysql_pidfile="/var/run/mysql/mysqld.pid"
mysql_dbdir=/var/db/mysql/data
diff --git a/roles/dbserver-mysql/mysql-server/init.sls b/roles/dbserver-mysql/mysql-server/init.sls
index 4c9e1c2..942303f 100644
--- a/roles/dbserver-mysql/mysql-server/init.sls
+++ b/roles/dbserver-mysql/mysql-server/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .zfs
- .cnf
diff --git a/roles/dbserver-mysql/mysql-server/software.sls b/roles/dbserver-mysql/mysql-server/software.sls
index 31a70bd..0a41943 100644
--- a/roles/dbserver-mysql/mysql-server/software.sls
+++ b/roles/dbserver-mysql/mysql-server/software.sls
@@ -1,30 +1,29 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import packages with context %}
# -------------------------------------------------------------
# MySQL server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mysql_server_software:
pkg.installed:
- pkgs:
- {{ packages.mariadb }}
# -------------------------------------------------------------
# Root directory for MySQL
#
# :: /var/db/mysql is required by both zfs and cnf states
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/db/mysql:
file.directory:
- user: mysql
- group: mysql
- dir_mode: 755
diff --git a/roles/dbserver-mysql/mysql-server/zfs.sls b/roles/dbserver-mysql/mysql-server/zfs.sls
index 00f8dd5..907cf74 100644
--- a/roles/dbserver-mysql/mysql-server/zfs.sls
+++ b/roles/dbserver-mysql/mysql-server/zfs.sls
@@ -1,45 +1,44 @@
# -------------------------------------------------------------
# Salt — Database server — MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if salt['node.has']('zfs:pool') %}
{% set tank = salt['node.get']("zfs:pool") %}
{{ tank }}/mysql-root:
zfs.filesystem_present:
# This one is optimized for MyISAM
- properties:
mountpoint: /var/db/mysql/data
compression: lz4
recordsize: 8K
{% for mysqldir in ['innodb-data', 'innodb-logs'] %}
/var/db/mysql/mysql-{{ mysqldir }}:
file.directory:
- user: mysql
- group: mysql
- dir_mode: 711
{% endfor %}
{{ tank }}/mysql-innodb-data:
zfs.filesystem_present:
- properties:
mountpoint: /var/db/mysql/mysql-innodb-data
compression: lz4
recordsize: 16K
primarycache: metadata
{{ tank }}/mysql-innodb-logs:
zfs.filesystem_present:
- properties:
mountpoint: /var/db/mysql/mysql-innodb-logs
compression: lz4
recordsize: 128K
primarycache: metadata
{% endif %}
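Review bot: The `file.directory` states for `/var/db/mysql/mysql-innodb-data` and `/var/db/mysql/mysql-innodb-logs` set `mysql:mysql 711` on the underlying directories before the datasets declared below are mounted over them, so ownership of the mounted dataset roots is not managed here; on first creation those roots presumably come up root-owned, which would stop mysqld from writing its InnoDB files — please confirm, and if so add a `file.directory` per mountpoint with `- require: - zfs: {{ tank }}/mysql-innodb-data` (and the `-logs` counterpart) so ownership is applied after the mount. The `mysql-root` mountpoint `/var/db/mysql/data` has no `file.directory` at all, so its ownership depends entirely on whatever initialises `mysql_dbdir` later.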
diff --git a/roles/devserver/dns/init.sls b/roles/devserver/dns/init.sls
index 8383987..7794066 100644
--- a/roles/devserver/dns/init.sls
+++ b/roles/devserver/dns/init.sls
@@ -1,24 +1,23 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Unbound
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
unbound:
pkg.installed
unbound_DNSSEC_trust_anchor:
cmd.run:
- name: {{ dirs.sbin }}/unbound-anchor ; true
- runas: unbound
- creates: {{ dirs.etc }}/unbound/root.key
- require:
- pkg: unbound
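Review bot: `{{ dirs.sbin }}/unbound-anchor ; true` discards the exit status of the trust-anchor bootstrap, and because `creates` only checks that `root.key` exists, a run that wrote the file from the built-in fallback without completing the fetch is never retried. The `; true` is presumably there because `unbound-anchor` exits 1 after it has updated or created the anchor, which is a success case — please confirm and record it, e.g. `# unbound-anchor exits 1 after a successful update; do not fail the state on it`. If other exit codes should still fail the state, `{{ dirs.sbin }}/unbound-anchor || [ $? -eq 1 ]` keeps that distinction. Running as `unbound` also requires `{{ dirs.etc }}/unbound` to be writable by that user, which this state neither creates nor requires.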
diff --git a/roles/devserver/init.sls b/roles/devserver/init.sls
index 7ff91c2..1cbd5de 100644
--- a/roles/devserver/init.sls
+++ b/roles/devserver/init.sls
@@ -1,22 +1,21 @@
# -------------------------------------------------------------
# Salt — Provision a development server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .datacube
- .dns
- .mail
- .pkg
- .userland-software
- .userland-home
- .poudriere
# Needs userland-software
- .api-exec
- .webserver-home
- .webserver-wwwroot51
diff --git a/roles/devserver/mail/init.sls b/roles/devserver/mail/init.sls
index d2f58a3..0402de8 100644
--- a/roles/devserver/mail/init.sls
+++ b/roles/devserver/mail/init.sls
@@ -1,19 +1,18 @@
# -------------------------------------------------------------
# Salt — Provision a development server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-30
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Enable incoming mail (T1317)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/sendmail:
file.managed:
- source: salt://roles/devserver/mail/files/sendmail.rc
{% endif %}
diff --git a/roles/devserver/pkg/init.sls b/roles/devserver/pkg/init.sls
index 7ea6c89..a950bf1 100644
--- a/roles/devserver/pkg/init.sls
+++ b/roles/devserver/pkg/init.sls
@@ -1,35 +1,34 @@
# -------------------------------------------------------------
# Salt — Provision software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-30
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os'] == 'FreeBSD' %}
# -------------------------------------------------------------
# Declare repository
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/etc/pkg/repos:
file.directory:
- makedirs: True
/usr/local/etc/pkg/repos/nasqueron.conf:
file.managed:
- source: salt://roles/devserver/pkg/files/nasqueron.conf
# -------------------------------------------------------------
# Fingerprints
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/keys:
file.directory:
- makedirs: True
/usr/local/share/keys/pkg:
file.recurse:
- source: salt://roles/devserver/pkg/files/keys
{% endif %}
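Review bot: `/usr/local/share/keys/pkg` is deployed with `file.recurse` but without `clean: True`, so a fingerprint removed from `files/keys` after a key rotation or compromise stays trusted on every node; add `- clean: True` so the on-disk trust store matches the repository exactly. The repository definition in `nasqueron.conf` is outside this hunk, so I cannot verify that it points `fingerprints` at this directory with `signature_type: fingerprints`; a comment above the `Fingerprints` section naming that coupling would help.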
diff --git a/roles/devserver/userland-home/files/dereckson/.shell.yml b/roles/devserver/userland-home/files/dereckson/.shell.yml
index f2103bd..555d054 100644
--- a/roles/devserver/userland-home/files/dereckson/.shell.yml
+++ b/roles/devserver/userland-home/files/dereckson/.shell.yml
@@ -1,65 +1,64 @@
# -------------------------------------------------------------
# Shell launcher configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-21
# License: Trivial work, not eligible to copyright
# Source file: roles/devserver/userland-home/files/dereckson/.shell.yml
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Aliases
#
# Allow to quickly call a handler with extra arguments
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
aliases:
acquisitariat:
command: ['ssh', '-t', 'docker-002.nasqueron.org', 'sudo', 'docker', 'exec', '-it', 'acquisitariat', 'mysql']
cd:
handler: docker-002
args: ['jenkins_cd']
devcentral:
handler: docker-002
args: ['devcentral']
# -------------------------------------------------------------
# Handlers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
handlers:
dwellers:
server: "dwellers.nasqueron.org"
command: ['docker', 'exec', '-it', '{{%s}}', '{{%s-|bash}}']
interactive: True
docker-002:
server: "docker-002.nasqueron.org"
command: ['sudo', 'docker', 'exec', '-it', '{{%s}}', '{{%s-|bash}}']
interactive: True
mysql:
server: "docker-002.nasqueron.org"
command: ['sudo', 'docker', 'exec', '-it', '{{%s}}', '{{%s-|mysql}}']
interactive: True
phpbb:
server: "docker-002.nasqueron.org"
command: ['sudo', 'phpbb']
interactive: True
tools:
server: "dev.toolforge.org"
command: ['become', '{{%s}}', '{{%s-|}}']
interactive: True
diff --git a/roles/devserver/userland-home/homefiles.sls b/roles/devserver/userland-home/homefiles.sls
index 6c51a7b..a72ad68 100644
--- a/roles/devserver/userland-home/homefiles.sls
+++ b/roles/devserver/userland-home/homefiles.sls
@@ -1,67 +1,66 @@
# -------------------------------------------------------------
# Salt — Provision dotfiles and other personal content
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set triplet = salt['rust.get_rustc_triplet']() %}
{% for username, user in salt['forest.get_users']().items() %}
{% set tasks = user.get('devserver_tasks', []) %}
{% if 'deploy_dotfiles' in tasks %}
dotfiles_to_devserver_{{ username }}:
file.recurse:
- name: /home/{{ username }}
- source: salt://roles/devserver/userland-home/files/{{ username }}
- include_empty: True
- clean: False
- user: {{ username }}
- group: {{ username }}
{% endif %}
{% if 'deploy_nanotab' in tasks %}
/home/{{ username }}/bin/nanotab:
file.managed:
- source: salt://roles/devserver/userland-home/files/_tasks/nanotab.sh
- user: {{ username }}
- group: {{ username }}
- mode: 755
/home/{{ username }}/.config/nano/nanorc-tab:
nano.config_autogenerated:
- nanorc_dir: {{ dirs.share }}/nano
- extra_settings:
- unset tabstospaces
{% endif %}
{% if 'install_rustup' in tasks %}
{% set rustup_path = '/home/' + username + '/.cargo/bin/rustup' %}
devserver_rustup_{{ username }}:
cmd.run:
- name: rustup-init -y
- runas: {{ username }}
- creates: {{ rustup_path }}
{% for toolchain in ['stable', 'nightly'] %}
devserver_rustup_{{ toolchain }}_{{ username }}:
cmd.run:
- name: {{ rustup_path }} install {{ toolchain }}
- runas: {{ username }}
- creates: /home/{{ username }}/.rustup/toolchains/{{ toolchain }}-{{ triplet }}
{% endfor %}
{% endif %}
{% if 'install_diesel' in tasks %}
devserver_diesel_{{ username }}:
cmd.run:
- name: /home/{{ username }}/.cargo/bin/cargo install diesel_cli --no-default-features --features postgres,sqlite
- runas: {{ username }}
- creates: /home/{{ username }}/.cargo/bin/diesel
{% endif %}
{% endfor %}
diff --git a/roles/devserver/userland-home/init.sls b/roles/devserver/userland-home/init.sls
index c2ca8a3..a9069fe 100644
--- a/roles/devserver/userland-home/init.sls
+++ b/roles/devserver/userland-home/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Provision user content
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .homefiles
- .repos
- .cron
diff --git a/roles/devserver/userland-home/repos.sls b/roles/devserver/userland-home/repos.sls
index 18eb218..dd2539f 100644
--- a/roles/devserver/userland-home/repos.sls
+++ b/roles/devserver/userland-home/repos.sls
@@ -1,33 +1,32 @@
# -------------------------------------------------------------
# Deploy user repositories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Clone user repositories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in salt['forest.get_users']().items() %}
{% set repositories = salt['pillar.get']('user_repositories:' + username, {}) %}
{% for target, repo in repositories.items() %}
{{ target }}:
file.directory:
- user: {{ username }}
- group: {{ username }}
{{ repo['vcs'] | default('git') }}.latest:
- name: {{ repo['source'] }}
- target: {{ target }}
- update_head: False
{% if salt['node.has_role']('salt-primary') %}
# TODO: find an alternative solution for other servers (suggest rSTAGING?)
- identity: /opt/salt/security/id_ed25519
{% endif %}
{% endfor %}
{% endfor %}
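Review bot: The `git.latest` under `{{ target }}` has no `user:` option, so the clone runs as root and the checkout ends up root-owned inside the user's home; the preceding `file.directory` only sets ownership of the top-level directory (no `recurse`), so the user cannot work in their own repository. Adding `- user: {{ username }}` fixes ownership, but then `/opt/salt/security/id_ed25519` would have to be readable by that user, which hands every user on the salt-primary node the deploy key — a per-user or read-only deploy key, or a `file.directory` with `- recurse: [user, group]` that requires the git state, avoids that. Either way the identity line deserves a comment stating what the key is authorised to access, since today it is explained only by a TODO.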
diff --git a/roles/devserver/userland-software/dev.sls b/roles/devserver/userland-software/dev.sls
index 6c18132..49bb4d2 100644
--- a/roles/devserver/userland-software/dev.sls
+++ b/roles/devserver/userland-software/dev.sls
@@ -1,275 +1,274 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
# -------------------------------------------------------------
# C/C++
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_c:
pkg.installed:
- pkgs:
- {{ packages.boost }}
- cmocka
- doxygen
- {{ packages.librabbitmq }}
{% if grains["os_family"] == "FreeBSD" %}
- gcc14
{% endif %}
{% if grains["os_family"] == "FreeBSD" %}
/usr/local/bin/gcc:
file.symlink:
- target: /usr/local/bin/gcc14
{% endif %}
# -------------------------------------------------------------
# Haskell
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_haskell:
pkg.installed:
- pkgs:
- ghc
# -------------------------------------------------------------
# Java
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_java:
pkg.installed:
- pkgs:
- openjdk17
- apache-ant
- maven
devserver_software_dev_java_to_prune:
pkg.removed:
- pkgs:
- openjdk8
# -------------------------------------------------------------
# .Net languages
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_dotnet:
pkg.installed:
- pkgs:
- mono
# -------------------------------------------------------------
# Node
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_node:
pkg.installed:
- pkgs:
- {{ packages.node }}
- npm
devserver_node_packages:
npm.installed:
- pkgs:
- bower
- browserify
- csslint
- eslint
- gulp
- grunt
- jscs
- jshint
- jsonlint
- react-tools
- require:
- pkg: devserver_software_dev_node
# -------------------------------------------------------------
# PHP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_php:
pkg.installed:
- pkgs:
- {{ packages_prefixes.pecl }}ast
- {{ packages_prefixes.pecl }}xdebug
# T1728 - xdebug should be disabled by default and invoked when needed
/usr/local/etc/php/ext-20-xdebug.ini:
file.absent
/opt/phpcpd.phar:
file.managed:
- source: https://phar.phpunit.de/phpcpd-6.0.3.phar
- source_hash: 2cbaea7cfda1bb4299d863eb075e977c3f49055dd16d88529fae5150d48a84cb
- mode: 755
/opt/phploc.phar:
file.managed:
- source: https://phar.phpunit.de/phploc-7.0.2.phar
- source_hash: 3d59778ec86faf25fd00e3a329b2f9ad4a3c751ca91601ea7dab70f887b0bf46
- mode: 755
phpdox:
cmd.run:
- name: |
git clone --depth 1 https://github.com/nasqueron/phpdox
cd phpdox && composer install
- cwd: /opt
- creates: /opt/phpdox/phpdox
phpunit:
cmd.run:
- name: |
curl --silent https://sebastian-bergmann.de/gpg.asc | gpg --import
wget -O /opt/phpunit.phar https://phar.phpunit.de/phpunit-10.phar
wget -O /opt/phpunit.phar.asc https://phar.phpunit.de/phpunit-10.phar.asc
cd /opt && gpg --verify ./phpunit.phar.asc
rm /opt/phpunit.phar.asc
- creates: /opt/phpunit.phar
{{ dirs.bin }}/run-php-script:
file.managed:
- source: salt://roles/devserver/userland-software/files/run-php-script.sh
- mode: 755
{% for command in ["phan", "phpcpd", "phpdox", "phploc", "phpmd", "phpstan", "phpunit", "psalm", "rector"] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/devserver/userland-software/files/run-php-script-alias.sh.jinja
- mode: 755
- template: jinja
- context:
command: {{ command }}
{% endfor %}
# -------------------------------------------------------------
# Python
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_python:
pkg.installed:
- pkgs:
- {{ packages_prefixes.python3 }}beautifulsoup
- {{ packages_prefixes.python3 }}nltk
- {{ packages_prefixes.python3 }}numpy
# -------------------------------------------------------------
# Ruby
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_ruby:
pkg.installed:
- pkgs:
- {{ packages_prefixes.rubygem }}rubocop
# -------------------------------------------------------------
# Rust
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_rust:
pkg.installed:
- pkgs:
- rust
{{ dirs.bin }}/rustup-init:
file.managed:
- source: salt://roles/devserver/userland-software/files/rustup-init.sh
- mode: 755
# -------------------------------------------------------------
# Shell
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_shell:
pkg.installed:
- pkgs:
- hs-ShellCheck
# -------------------------------------------------------------
# TCL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_tcl:
pkg.installed:
- pkgs:
- rlwrap
- tcllib
- tclsoap
- {{ packages.tcltls }}
- {{ packages.tdom }}
# -------------------------------------------------------------
# Web development
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_web:
pkg.installed:
- pkgs:
- memcached
# -------------------------------------------------------------
# Editors and IDE
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_vim:
pkg.installed:
- pkgs:
# Vim itself is already declared in core role.
# FreeBSD also offers nvi in base system.
# Neovim
- neovim
- {{ packages_prefixes.python3 }}pynvim
# -------------------------------------------------------------
# Tools like code review utilities
#
# Arcanist is installed in the Phabricator states
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_misctools:
pkg.installed:
- pkgs:
- git-review
# -------------------------------------------------------------
# Nasqueron development and operations
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_terraform:
pkg.installed:
- pkgs:
- opentofu
- terraform
{{ dirs.bin }}/create-vault-approle:
file.managed:
- source: salt://roles/devserver/userland-software/files/create-vault-approle.sh
- mode: 755
devserver_software_dev_vault:
pkg.installed:
- pkgs:
- {{ packages_prefixes.python3 }}pyhcl
- {{ packages_prefixes.python3 }}hvac
- vault-medusa
# -------------------------------------------------------------
# MediaWiki development
#
# Include tools for some extensions like ProofreadPage
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_dev_mediawiki:
pkg.installed:
- pkgs:
- netpbm
- {{ packages['djvulibre'] }}
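Review bot: The `phpunit` state installs an unverified phar when signature verification fails: the four commands run as a plain shell script without `set -e`, so a failing `gpg --verify` is followed by the `rm` of the `.asc`, the state exits 0 with `/opt/phpunit.phar` in place, and `creates` never re-checks it. The key is also fetched with `curl … | gpg --import` on every bootstrap with no fingerprint pinned, so the verify step only proves the phar matches whatever key the web server served at that moment — pin the expected fingerprint in a comment and check it, or ship the public key from the Salt fileserver. The same `set -e` gap applies to `phpdox`, which additionally runs `composer install` as root on an unpinned `--depth 1` clone of the branch head; pin a commit or tag and consider `runas`. The rewritten `phpunit` script below aborts and removes the phar on verification failure.
```yaml
phpunit:
  cmd.run:
    - name: |
        set -e
        curl --silent https://sebastian-bergmann.de/gpg.asc | gpg --import
        wget -O /opt/phpunit.phar https://phar.phpunit.de/phpunit-10.phar
        wget -O /opt/phpunit.phar.asc https://phar.phpunit.de/phpunit-10.phar.asc
        cd /opt && gpg --verify ./phpunit.phar.asc || { rm -f /opt/phpunit.phar; exit 1; }
        rm /opt/phpunit.phar.asc
    - creates: /opt/phpunit.phar
```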
diff --git a/roles/devserver/userland-software/files/notifications.conf b/roles/devserver/userland-software/files/notifications.conf
index 9a82e03..9f6966f 100644
--- a/roles/devserver/userland-software/files/notifications.conf
+++ b/roles/devserver/userland-software/files/notifications.conf
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Notifications center CLI client configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# Source file: roles/devserver/userland-software/files/notifications.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Broker]
Host={{ host }}
User=notifications-{{ grains['id'] }}
Password={{ password }}
Vhost=dev
Exchange=notifications
diff --git a/roles/devserver/userland-software/files/shell.py b/roles/devserver/userland-software/files/shell.py
index 803ad8e..798628d 100755
--- a/roles/devserver/userland-software/files/shell.py
+++ b/roles/devserver/userland-software/files/shell.py
@@ -1,246 +1,245 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Operations utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-03-08
# License: BSD-2-Clause
# Source file: roles/devserver/userland-software/files/shell.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
from collections import deque
import os
import re
import subprocess
import sys
import yaml
# -------------------------------------------------------------
# Configuration file locator
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_candidates_configuration_directories():
candidates = []
if "HOME" in os.environ:
candidates.append(os.environ["HOME"])
candidates.append("/usr/local/etc")
candidates.append("/etc")
return candidates
def get_candidates_configuration_files():
return [
directory + "/.shell.yml"
for directory in get_candidates_configuration_directories()
]
def find_configuration_file():
for candidate in get_candidates_configuration_files():
if os.path.isfile(candidate):
return candidate
# -------------------------------------------------------------
# Configuration file parser
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def parse_configuration_file(filename):
configuration_file = open(filename, "r")
configuration = yaml.safe_load(configuration_file)
configuration_file.close()
return configuration
# -------------------------------------------------------------
# Server connection
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
class ServerConnection:
"""Represents a server connection with a command to run."""
config = {}
args = []
def __init__(self, config, args):
self.config = config
self.args = deque(args)
def clear_args(self):
self.args = deque([])
def pop_all_args(self):
to_return = list(self.args)
self.clear_args()
return to_return
def get_default_command(self):
return ["ssh"]
def get_alias(self, alias_name):
return self.get_config_section("aliases", alias_name)
def get_handler(self, handler_name):
return self.get_config_section("handlers", handler_name)
def get_config_section(self, section, key):
if section in self.config:
if key in self.config[section]:
return self.config[section][key]
def parse_alias(self, alias):
if "args" in alias:
alias["args"].reverse()
self.args.extendleft(alias["args"])
if "handler" in alias:
handler = self.config["handlers"][alias["handler"]]
return self.parse_handler(handler)
if "command" in alias:
return self.parse_command(alias["command"])
raise ValueError("Unable to parse alias")
def parse_handler(self, handler):
command = self.get_default_command()
if "interactive" in handler and handler["interactive"]:
command.append("-t")
command.append(handler["server"])
command.extend(self.parse_command(handler["command"]))
command.extend(self.args)
return command
def parse_variable_fragment(self, variable):
# {{%s-|bash}} means %s-, with bash as default value if we don't
# have any more argument to substitute
matches = re.search("(.*)\|(.*)", variable)
if matches:
if not self.args:
return [matches.group(2)]
cleaned_fragment = matches.group(1)
return self.parse_variable_fragment(cleaned_fragment)
# Substitute with one argument
if variable == "%s":
return [self.args.popleft()]
# Substitute with all arguments
if variable == "%s-":
return self.pop_all_args()
raise ValueError("Can't parse " + variable)
def parse_fragment(self, fragment):
# If the fragment is {{something}}, this is a variable to substitute.
matches = re.search("{{(.*)}}", fragment)
if matches:
return self.parse_variable_fragment(matches.group(1))
return [fragment]
def parse_command(self, command):
parsed_command = []
fragments = [self.parse_fragment(fragment) for fragment in command]
for fragment in fragments:
parsed_command.extend(fragment)
return parsed_command
def parse_connection(self):
if not self.args:
raise ValueError("Expected arguments missing")
target = self.args.popleft()
# Is it an alias?
alias = self.get_alias(target)
if alias is not None:
return self.parse_alias(alias)
# Is it a handler?
handler = self.get_handler(target)
if handler is not None:
return self.parse_handler(handler)
raise ValueError(target + ": No such target")
# -------------------------------------------------------------
# Runner code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_program_name():
return os.path.basename(sys.argv[0])
def is_debug_mode_enabled():
return "DEBUG" in os.environ
def print_error(err):
print("{}: {}".format(get_program_name(), err), file=sys.stderr)
def get_configuration():
configuration_file = find_configuration_file()
if configuration_file is None:
print_error("No shell configuration file found")
exit(2)
return parse_configuration_file(configuration_file)
def usage():
print("usage: shell target [subtarget] [command ...]", file=sys.stderr)
def main():
if len(sys.argv) < 2:
usage()
exit(1)
config = get_configuration()
connection = ServerConnection(config, sys.argv[1:])
try:
subprocess_args = connection.parse_connection()
except IndexError:
print_error("Required argument is missing.")
exit(8)
except ValueError as e:
print_error(e)
exit(4)
if is_debug_mode_enabled():
print(subprocess_args, file=sys.stderr)
subprocess.run(subprocess_args)
if __name__ == "__main__":
main()
diff --git a/roles/devserver/userland-software/files/url.py b/roles/devserver/userland-software/files/url.py
index 2bca488..9526cdd 100755
--- a/roles/devserver/userland-software/files/url.py
+++ b/roles/devserver/userland-software/files/url.py
@@ -1,202 +1,201 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Operations utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-22
# License: BSD-2-Clause
# Source file: roles/devserver/userland-software/files/url.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import platform
import os
import sys
import yaml
# -------------------------------------------------------------
# Exceptions
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
class NotFoundException(Exception):
pass
# -------------------------------------------------------------
# Configuration file locator
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_candidates_configuration_files():
candidates = []
if "HOME" in os.environ:
candidates.append(os.environ["HOME"] + "/.urls.yml")
candidates.append("/usr/local/etc/urls.yml")
candidates.append("/etc/urls.yml")
return candidates
def find_configuration_file():
for candidate in get_candidates_configuration_files():
if os.path.isfile(candidate):
return candidate
# -------------------------------------------------------------
# Configuration file parser
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def parse_configuration_file(filename):
configuration_file = open(filename, "r")
configuration = yaml.safe_load(configuration_file)
configuration_file.close()
if "urls" not in configuration:
configuration["urls"] = {}
return configuration
def get_configuration():
configuration_file = find_configuration_file()
if configuration_file is None:
print_error("No shell configuration file found")
exit(2)
return parse_configuration_file(configuration_file)
# -------------------------------------------------------------
# URL resolver
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def extract_relative_url(base_directory, search_path):
n = len(base_directory) + 1
return search_path[n:]
def extract_relative_user_url(base_directory, search_path):
return extract_relative_url_in_fragments(base_directory, search_path, 1)
def extract_relative_wwwroot_url(base_directory, search_path):
return extract_relative_url_in_fragments(base_directory, search_path, 2)
def extract_relative_url_in_fragments(base_directory, search_path, fragments_count):
base_url = extract_relative_url(base_directory, search_path)
fragments = base_url.split("/", fragments_count)
expected_len = fragments_count + 1
actual_len = len(fragments)
delta_len = expected_len - actual_len
if delta_len > 1 or len(fragments[0]) == 0:
raise NotFoundException()
if delta_len == 1:
fragments.append("")
return tuple(fragments)
def resolve_url(base_directory, args, search_path):
if "static" in args:
return args["static"] + extract_relative_url(base_directory, search_path)
if "userdir" in args:
username, local_url = extract_relative_user_url(base_directory, search_path)
return "https://" + platform.node() + "/~" + username + "/" + local_url
if "wwwroot" in args:
domain, sub, local_url = extract_relative_wwwroot_url(
base_directory, search_path
)
return "https://" + sub + "." + domain + "/" + local_url
return None
def find_path(base_directory, search_path):
if os.path.isabs(search_path):
normalized_path = search_path
else:
normalized_path = os.path.normpath(os.path.join(base_directory, search_path))
return os.path.realpath(normalized_path)
def find_url(urls, base_directory, required_path):
path = find_path(base_directory, required_path)
for url_base_dir, url_args in urls.items():
url_base_dir = os.path.realpath(url_base_dir)
if path.startswith(url_base_dir):
try:
return resolve_url(url_base_dir, url_args, path)
except NotFoundException:
continue
return None
# -------------------------------------------------------------
# Runner code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_program_name():
return os.path.basename(sys.argv[0])
def print_error(err):
print("{}: {}".format(get_program_name(), err), file=sys.stderr)
def usage():
print("usage: url [path]", file=sys.stderr)
def parse_path_argument():
argc = len(sys.argv)
if argc == 1:
return "."
elif argc == 2:
return sys.argv[1]
else:
usage()
exit(1)
def main():
required_path = parse_path_argument()
config = get_configuration()
url = find_url(config["urls"], os.getcwd(), required_path)
if url is None:
print_error("No URL found.")
sys.exit(1)
else:
print(url)
if __name__ == "__main__":
main()
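Review bot: In find_url, `path.startswith(url_base_dir)` is a plain string prefix test, so a base of `/var/www` also claims `/var/www-old/x`, and extract_relative_url then slices one character too many off the path and returns a URL for the wrong site. Match on a path boundary instead: `if path == url_base_dir or path.startswith(url_base_dir + os.sep):`. Unrelated but in the same hunk, parse_configuration_file leaves the handle open if yaml.safe_load raises; `with open(filename, "r") as configuration_file:` closes it on every path.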
diff --git a/roles/devserver/userland-software/init.sls b/roles/devserver/userland-software/init.sls
index 62338e2..d2c1185 100644
--- a/roles/devserver/userland-software/init.sls
+++ b/roles/devserver/userland-software/init.sls
@@ -1,31 +1,30 @@
# -------------------------------------------------------------
# Salt — Provision software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/opt:
file.directory
include:
# FreeBSD ports
- .ports
# Shell server content
- roles/shellserver/userland-software/base
- roles/shellserver/userland-software/irc
- roles/shellserver/userland-software/mail
- roles/shellserver/userland-software/web
# Builder role content
- roles/builder
# salt-primary content
- roles/salt-primary/salt-wrapper
# Software specific for development servers
- .dev
- .misc
- .notifications
- .phabricator
- .psysh
- .tex
- .wordpress
diff --git a/roles/devserver/userland-software/map.jinja b/roles/devserver/userland-software/map.jinja
index 7dbf0be..0eb48c3 100644
--- a/roles/devserver/userland-software/map.jinja
+++ b/roles/devserver/userland-software/map.jinja
@@ -1,20 +1,19 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-29
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set php = salt['grains.filter_by']({
'Debian': {
'current_api': '20170718',
'extension_dir': '/usr/lib/php/20170718',
'cli_conf_dir': '/etc/php/7.2/cli/conf.d/',
},
'FreeBSD' : {
'current_api': '20170718',
'extension_dir': '/usr/local/lib/php/20170718',
'cli_conf_dir': '/usr/local/etc/php/',
},
}, default='Debian') %}
diff --git a/roles/devserver/userland-software/misc.sls b/roles/devserver/userland-software/misc.sls
index fe5356c..73d9de2 100644
--- a/roles/devserver/userland-software/misc.sls
+++ b/roles/devserver/userland-software/misc.sls
@@ -1,188 +1,187 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
devserver_software_misc_vcs:
pkg.installed:
- pkgs:
# VCS
- cvs
- fossil
- subversion
# Extra features
- gh
- git-filter-repo
devserver_software_misc_media:
pkg.installed:
- pkgs:
- opencore-amr
- opus
- speex
- speexdsp
- x265
devserver_software_misc_text_processing:
pkg.installed:
- pkgs:
- antiword
- odt2txt
devserver_software_misc_security:
pkg.installed:
- pkgs:
- aescrypt
- pwgen
- vault
devserver_software_misc_tools:
pkg.installed:
- pkgs:
- {{ packages["7zip"] }}
- {{ packages_prefixes.python3 }}awscli
- bat
- boxes
- cursive
- fd-find
- fusefs-s3fs
- fzf
- gist
- hexyl
- primegen
- rsync
- unix2dos
{% if grains['os'] == 'FreeBSD' %}
- gawk
{% endif %}
{% if grains['os'] == 'FreeBSD' %}
devserver_software_misc_ports:
pkg.installed:
- pkgs:
- ccache
- modules2tuple
- portmaster
- portshaker
- porttools
- portsearch
portsearch_database:
cmd.run:
- name: portsearch -u
- creates: /var/db/portsearch
- require:
- pkg: devserver_software_misc_ports
/var/cache/ccache:
file.directory
/var/cache/ccache/ccache.conf:
file.managed:
- source: salt://roles/devserver/userland-software/files/ccache.conf
{{ dirs.bin }}/ccache-metrics:
file.managed:
- source: salt://roles/devserver/userland-software/files/ccache-metrics.py
- mode: 755
/etc/make.conf:
file.managed:
- source: salt://roles/devserver/userland-software/files/make.conf
freebsd_kernel_modules:
pkg.installed:
- pkgs:
- pefs-kmod
freebsd_kernel_modules_enable:
module.wait:
- name: kmod.load
- mod: pefs
- persist: True
- watch:
- pkg: freebsd_kernel_modules
/boot/loader.conf.d/pefs.conf:
file.managed:
- source: salt://roles/devserver/userland-software/files/pefs.conf
{% endif %}
devserver_software_misc_p2p:
pkg.installed:
- pkgs:
- transmission-daemon
- transmission-web
devserver_software_misc_gadgets:
pkg.installed:
- pkgs:
- asciiquarium
- binclock
- ditaa
- epte
devserver_software_misc_games:
pkg.installed:
- pkgs:
- bsdgames
- textmaze
{% if grains['os'] == 'FreeBSD' %}
- roll
{% endif %}
devserver_software_misc_network:
pkg.installed:
- pkgs:
- getdns
- iftop
- trippy
{% if grains['os_family'] == 'Debian' %}
- sockstat
{% endif %}
# -------------------------------------------------------------
# Custom simple binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
devserver_software_hardware:
pkg.installed:
- pkgs:
- btop
- smartmontools
# -------------------------------------------------------------
# Custom simple binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/shell:
file.managed:
- source: salt://roles/devserver/userland-software/files/shell.py
- mode: 755
{{ dirs.bin }}/url:
file.managed:
- source: salt://roles/devserver/userland-software/files/url.py
- mode: 755
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/url.yml:
file.managed:
- source: salt://roles/devserver/userland-software/files/url.yml
- mode: 644
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/transmission:
file.managed:
- source: salt://roles/devserver/userland-software/files/transmission.rc
- mode: 644
{% endif %}
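Review bot: The configuration file deployed near the end of the hunk is `{{ dirs.etc }}/url.yml`, while the url.py hunk above only looks for `~/.urls.yml`, `/usr/local/etc/urls.yml` and `/etc/urls.yml`; unless dirs.etc resolves to a directory the script does not search anyway, the tool never loads this file and always answers "No URL found.". Rename the managed file to `{{ dirs.etc }}/urls.yml` or add the deployed path to get_candidates_configuration_files in url.py. Also the banner above devserver_software_hardware repeats "Custom simple binaries"; `# Hardware monitoring` describes the two packages below it.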
diff --git a/roles/devserver/userland-software/notifications.sls b/roles/devserver/userland-software/notifications.sls
index 56e086f..404fa35 100644
--- a/roles/devserver/userland-software/notifications.sls
+++ b/roles/devserver/userland-software/notifications.sls
@@ -1,41 +1,40 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/notifications:
file.managed:
- source: salt://software/notifications-cli-client/notifications
- mode: 755
# -------------------------------------------------------------
# Dependencies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_dependencies:
pkg.installed:
- pkgs:
- {{ packages_prefixes.python3 }}pika
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/etc/notifications.conf:
file.managed:
- source: salt://roles/devserver/userland-software/files/notifications.conf
- group: nasquenautes
- mode: 640
- template: jinja
- context:
host: {{ pillar["nasqueron_services"]["docker"]["notifications"] }}
password: {{ salt['credentials.get_password']("nasqueron/notifications/notifications-cli/" + grains["id"]) }}
diff --git a/roles/devserver/userland-software/phabricator.sls b/roles/devserver/userland-software/phabricator.sls
index 90fe839..e046bdf 100644
--- a/roles/devserver/userland-software/phabricator.sls
+++ b/roles/devserver/userland-software/phabricator.sls
@@ -1,54 +1,53 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-21
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Provision /opt/phabricator from Git repositories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
arcanist_repository:
git.latest:
- name: https://github.com/nasqueron/arcanist.git
- branch: production
- target: /opt/phabricator/arcanist
- update_head: False
phabricator_repository:
git.latest:
- name: https://secure.phabricator.com/source/phabricator.git
- target: /opt/phabricator/phabricator
- update_head: False
# -------------------------------------------------------------
# Extra phutil libraries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
shellcheck_linter_repository:
git.latest:
- name: https://devcentral.nasqueron.org/source/shellcheck-linter.git
- target: /opt/phabricator/shellcheck-linter
clang_linter_repository:
git.latest:
- name: https://github.com/vhbit/clang-format-linter
- target: /opt/phabricator/clang-format-linter
# -------------------------------------------------------------
# Aliases
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/arc:
file.symlink:
- target: /opt/phabricator/arcanist/bin/arc
devserver_aliases_clang-format:
cmd.script:
- source: salt://roles/devserver/userland-software/files/install-clang-format-alias.py
- args: {{ dirs.bin }}
- creates: {{ dirs.bin }}/clang-format
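Review bot: shellcheck_linter_repository and clang_linter_repository run git.latest with no `rev`, so every highstate pulls whatever the remote default branch holds at that moment, and that code is presumably loaded by arc as a phutil library on the dev servers; for the GitHub-hosted clang-format-linter this is an unpinned third-party supply chain with no review step. Pin each to a reviewed commit, `- rev: <pinned-commit-sha>`, and bump deliberately. `update_head: False` on the two Phabricator repositories only keeps HEAD from moving on later runs; the initial clone still takes the branch tip of the day, so a `rev` there would make the deployment reproducible as well.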
diff --git a/roles/devserver/userland-software/ports.sls b/roles/devserver/userland-software/ports.sls
index dac692b..042d277 100644
--- a/roles/devserver/userland-software/ports.sls
+++ b/roles/devserver/userland-software/ports.sls
@@ -1,50 +1,49 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-01-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os'] == 'FreeBSD' %}
{% for port, args in pillar.get("ports", {}).items() %}
# -------------------------------------------------------------
# Provision port options
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if 'options' in args %}
/var/db/ports/{{ args['category'] }}_{{ args['name'] }}/options:
file.managed:
- source: salt://roles/devserver/userland-software/files/port_options
- template: jinja
- mode: 644
- context:
args: {{ args }}
{% endif %}
# -------------------------------------------------------------
# Build and install package
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if 'package_dependencies' in args %}
port_{{ port }}_dependencies:
pkg.installed:
- pkgs: {{ args["package_dependencies"] }}
{% endif %}
port_{{ port }}:
cmd.run:
- name: |
make build package deinstall reinstall
pkg lock {{ port }}
- cwd: /usr/ports/{{ args['category'] }}/{{ args['name'] }}
- creates: {{ args['creates'] }}
{% endfor %}
{% endif %}
diff --git a/roles/devserver/userland-software/psysh.sls b/roles/devserver/userland-software/psysh.sls
index 2288313..e335063 100644
--- a/roles/devserver/userland-software/psysh.sls
+++ b/roles/devserver/userland-software/psysh.sls
@@ -1,53 +1,52 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-03
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Prepare for installation
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/psysh:
file.directory:
- dir_mode: 755
# -------------------------------------------------------------
# Fetch software and PHP manual
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
psysh_software:
archive.extracted:
- name: /opt/psysh
- enforce_toplevel: False
- source: https://github.com/bobthecow/psysh/releases/download/v0.11.15/psysh-v0.11.15.tar.gz
- source_hash: 93306871291df3bbd26403c76c4e43f6be571799695b6bd7a512dacf3feaf3af
/usr/local/share/psysh/php_manual.sqlite:
file.managed:
- source: https://psysh.org/manual/en/php_manual.sqlite
- skip_verify: True
- require:
- file: /usr/local/share/psysh
# -------------------------------------------------------------
# Install binary
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
psysh_permissions:
file.managed:
- name: /opt/psysh/psysh
- mode: 755
- replace: False
- require:
- archive: psysh_software
{{ dirs.bin }}/psysh:
file.symlink:
- target: /opt/psysh/psysh
- require:
- file: psysh_permissions
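Review bot: `skip_verify: True` on /usr/local/share/psysh/php_manual.sqlite disables integrity checking for a file fetched over the network, while psysh_software in the same hunk already pins a `source_hash`; drop skip_verify and add `- source_hash: <sha256-of-php_manual.sqlite>` so a changed or tampered download fails the state instead of being installed. The wordpress.sls hunk has the same pattern for /opt/wp-cli/wp-cli.phar, which is worse because that file is installed mode 755 and executed through the wp symlink, and its source URL is a moving branch path rather than a release; pin it to a tagged wp-cli release and give it a source_hash too.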
diff --git a/roles/devserver/userland-software/wordpress.sls b/roles/devserver/userland-software/wordpress.sls
index c84482a..3638dc6 100644
--- a/roles/devserver/userland-software/wordpress.sls
+++ b/roles/devserver/userland-software/wordpress.sls
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Install phar and symlink to bin
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/wp-cli:
file.directory
/opt/wp-cli/wp-cli.phar:
file.managed:
- source: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
- skip_verify: True
- mode: 755
{{ dirs.bin }}/wp:
file.symlink:
- target: /opt/wp-cli/wp-cli.phar
- require:
- file: /opt/wp-cli/wp-cli.phar
diff --git a/roles/mailserver/dkim/config.sls b/roles/mailserver/dkim/config.sls
index 9f3afc5..79de71f 100644
--- a/roles/mailserver/dkim/config.sls
+++ b/roles/mailserver/dkim/config.sls
@@ -1,59 +1,58 @@
# -------------------------------------------------------------
# Salt — OpenDKIM configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# OpenDKIM main configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/opendkim/opendkim.conf:
file.managed:
- source: salt://roles/mailserver/dkim/files/opendkim.conf
- template: jinja
- context:
dirs: {{ dirs }}
socket: /var/run/opendkim/opendkim.sock
user: opendkim
group: mail
# -------------------------------------------------------------
# OpenDKIM configuration tables
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
opendkim_config_files:
file.recurse:
- name: {{ dirs.etc }}/opendkim
- source: salt://roles/mailserver/dkim/files/etc
- include_empty: True
- clean: False
- dir_mode: 711
- file_mode: 644
opendkim_keys_directory:
file.directory:
- name: {{ dirs.etc }}/opendkim/keys
- dir_mode: 711
- user: opendkim
- group: opendkim
# -------------------------------------------------------------
# Clean up
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set opendkim_package_leftovers = [
"/usr/local/etc/mail/opendkim.conf",
"/usr/local/etc/mail/opendkim.conf.sample",
"/usr/local/etc/mail",
]
%}
{% for path in opendkim_package_leftovers %}
{{ path }}:
file.absent
{% endfor %}
diff --git a/roles/mailserver/dkim/files/bin/get-dkim-dns-entries.sh b/roles/mailserver/dkim/files/bin/get-dkim-dns-entries.sh
index 622ffa1..385e26c 100755
--- a/roles/mailserver/dkim/files/bin/get-dkim-dns-entries.sh
+++ b/roles/mailserver/dkim/files/bin/get-dkim-dns-entries.sh
@@ -1,38 +1,37 @@
#!/bin/sh
# -------------------------------------------------------------
# Nasqueron mail services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# Source file: roles/mailserver/dkim/files/bin/get-dkim-dns-entries.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# Parses arguments
if [ $# -eq 0 ]
then
echo "Usage: $(basename "$0") <domain>"
exit 1
fi
DOMAIN=$1
DIR=/usr/local/etc/opendkim/keys/$DOMAIN
if [ ! -d "$DIR" ]
then
echo "Directory not found: $DIR"
exit 2
fi
for f in "$DIR"/*.txt
do
get-dkim-dns-entry "$f"
done
diff --git a/roles/mailserver/dkim/files/bin/get-dkim-dns-entry.php b/roles/mailserver/dkim/files/bin/get-dkim-dns-entry.php
index fba39f7..2a98cde 100755
--- a/roles/mailserver/dkim/files/bin/get-dkim-dns-entry.php
+++ b/roles/mailserver/dkim/files/bin/get-dkim-dns-entry.php
@@ -1,73 +1,72 @@
#!/usr/bin/env php
<?php
/* -------------------------------------------------------------
Nasqueron mail services
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Project: Nasqueron
- Created: 2017-01-14
License: Trivial work, not eligible to copyright
Source file: roles/mailserver/dkim/files/bin/get-dkim-dns-entry.php
-------------------------------------------------------------
<auto-generated>
This file is managed by our rOPS SaltStack repository.
Changes to this file may cause incorrect behavior
and will be lost if the state is redeployed.
</auto-generated>
*/
///
/// Parse arguments
///
if ($argc < 2) {
fwrite(STDERR, "Usage: $argv[0] $file\n");
exit(1);
}
$file = $argv[1];
if (!file_exists($file)) {
fwrite(STDERR, "File not found: $file\n");
exit(2);
}
///
/// Reads file
///
function to_one_line ($string) {
return str_replace(["\r", "\n"], "", trim($string));
}
function to_one_line_from_bind ($string) {
$toReturn = "";
foreach (explode('"', $string) as $fragment) {
if (trim($fragment) !== "") {
$toReturn .= $fragment;
}
}
return $toReturn;
}
function get_dns_record ($content) {
$record = to_one_line($content);
if (!preg_match("/(.*)\._domainkey/", $record, $matches)) {
throw new Exception("Can't parse file.");
}
$subdomain = $matches[0];
if (!preg_match("/\s+IN\s+TXT\s+\((.*)\)/", $record, $matches)) {
throw new Exception("Can't parse file.");
}
$value = to_one_line_from_bind($matches[1]);
return "$subdomain TXT $value";
}
try {
echo get_dns_record(file_get_contents($file)), "\n";
} catch (Exception $ex) {
fwrite(STDERR, $ex->getMessage());
}
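Review bot: The catch block at the end of the hunk writes the message without a newline and then lets the script exit 0, so a caller such as get-dkim-dns-entries cannot tell a parse failure from success; use `fwrite(STDERR, $ex->getMessage() . "\n");` followed by `exit(3);`. In the usage branch `$file` is read before it is assigned on the following statement, so the message prints an empty placeholder; `fwrite(STDERR, "Usage: $argv[0] <file>\n");` is what was meant.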
diff --git a/roles/mailserver/dkim/files/bin/get-dkim-key-table.sh b/roles/mailserver/dkim/files/bin/get-dkim-key-table.sh
index 0182ddf..270af09 100755
--- a/roles/mailserver/dkim/files/bin/get-dkim-key-table.sh
+++ b/roles/mailserver/dkim/files/bin/get-dkim-key-table.sh
@@ -1,28 +1,27 @@
#!/bin/sh
# -------------------------------------------------------------
# Nasqueron mail services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# Source file: roles/mailserver/dkim/files/bin/get-dkim-key-table.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
for d in /usr/local/etc/opendkim/keys/*
do
DOMAIN=$(basename "$d")
for f in "$d"/*.private
do
SELECTOR=$(basename "$f" .private)
echo "$SELECTOR._domainkey.$DOMAIN $DOMAIN:$SELECTOR:$f"
done
done
diff --git a/roles/mailserver/dkim/files/bin/get-dkim-signing-table.sh b/roles/mailserver/dkim/files/bin/get-dkim-signing-table.sh
index 66f5284..f37d2e6 100755
--- a/roles/mailserver/dkim/files/bin/get-dkim-signing-table.sh
+++ b/roles/mailserver/dkim/files/bin/get-dkim-signing-table.sh
@@ -1,28 +1,27 @@
#!/bin/sh
# -------------------------------------------------------------
# Nasqueron mail services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# Source file: roles/mailserver/dkim/files/bin/get-dkim-signing-table.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
for d in /usr/local/etc/opendkim/keys/*
do
DOMAIN=$(basename "$d")
for f in "$d"/*.private
do
SELECTOR=$(basename "$f" .private)
echo "$DOMAIN $SELECTOR._domainkey.$DOMAIN"
done
done
diff --git a/roles/mailserver/dkim/files/etc/Makefile b/roles/mailserver/dkim/files/etc/Makefile
index 027e3dc..8188e01 100644
--- a/roles/mailserver/dkim/files/etc/Makefile
+++ b/roles/mailserver/dkim/files/etc/Makefile
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Nasqueron mail services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# Source file: roles/mailserver/dkim/files/etc/Makefile
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
RM=rm -f
all: KeyTable SigningTable
clean:
${RM} KeyTable SigningTable
KeyTable:
get-dkim-key-table > KeyTable
SigningTable:
get-dkim-signing-table > SigningTable
diff --git a/roles/mailserver/dkim/service.sls b/roles/mailserver/dkim/service.sls
index 6aedbfb..66fdbd9 100644
--- a/roles/mailserver/dkim/service.sls
+++ b/roles/mailserver/dkim/service.sls
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# Salt — OpenDKIM configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, services with context %}
# -------------------------------------------------------------
# OpenDKIM service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services["manager"] == "rc" %}
/etc/rc.conf.d/opendkim:
file.managed:
- source: salt://roles/mailserver/dkim/files/rc/opendkim.conf
/usr/local/etc/rc.d/opendkim:
file.managed:
- source: salt://roles/mailserver/dkim/files/rc/opendkim
- mode: 775
{% endif %}
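Review bot: The rc script /usr/local/etc/rc.d/opendkim is installed with `- mode: 775`, which makes a file executed by root at boot group-writable; no `group` is set, so the group depends on the minion's default, and any member of it could change what runs as root. Init scripts need no write bit beyond the owner: `- mode: 755`.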
diff --git a/roles/mailserver/dkim/software.sls b/roles/mailserver/dkim/software.sls
index 9bcd53a..4d09afe 100644
--- a/roles/mailserver/dkim/software.sls
+++ b/roles/mailserver/dkim/software.sls
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Salt — OpenDKIM configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# OpenDKIM base software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
opendkim_software:
pkg.installed:
- pkgs:
- opendkim
{% if grains['os_family'] == 'Debian' %}
- opendkim-tools
{% endif %}
# -------------------------------------------------------------
# Keys management utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set utilities = {
"get-dkim-dns-entries": "get-dkim-dns-entries.sh",
"get-dkim-dns-entry": "get-dkim-dns-entry.php",
"get-dkim-key-table": "get-dkim-key-table.sh",
"get-dkim-signing-table": "get-dkim-signing-table.sh",
}
%}
{% for target, source in utilities.items() %}
/usr/local/bin/{{ target }}:
file.managed:
- source: salt://roles/mailserver/dkim/files/bin/{{ source }}
- mode: 755
{% endfor %}
/usr/local/bin/add-dkim-domain:
file.managed:
- source: salt://roles/mailserver/dkim/files/bin/add-dkim-domain.sh
- mode: 755
- template: jinja
- context:
dirs: {{ dirs }}
diff --git a/roles/mumble/certificates/files/update-mumble-certificates.sh b/roles/mumble/certificates/files/update-mumble-certificates.sh
index 7833fe1..f94aafb 100755
--- a/roles/mumble/certificates/files/update-mumble-certificates.sh
+++ b/roles/mumble/certificates/files/update-mumble-certificates.sh
@@ -1,31 +1,30 @@
#!/bin/sh
# -------------------------------------------------------------
# Deploy Mumble certificate on Murmur
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-11-03
# License: Trivial work, not eligible to copyright
# Source file: roles/mumble/certificates/files/update-mumble-certificates.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
: ${JAIL_HOSTNAME='mumble.nasqueron.org'}
: ${CERT_DIR="/usr/local/etc/letsencrypt/live/$JAIL_HOSTNAME"}
: ${JAIL_DIR="/usr/local/jails/$JAIL_HOSTNAME"}
: ${JAIL_ID=`jls | grep $JAIL_HOSTNAME | awk '{print $1}'`}
cp $CERT_DIR/fullchain.pem $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.crt
cp $CERT_DIR/privkey.pem $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
# murmur has uid 338
chown 338:0 $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
chmod 400 $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
jexec $JAIL_ID service murmur restart
diff --git a/roles/mumble/certificates/init.sls b/roles/mumble/certificates/init.sls
index d9d813a..7b785e6 100644
--- a/roles/mumble/certificates/init.sls
+++ b/roles/mumble/certificates/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Deploy SSL certificate for Mumble server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-11-03
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
mumble_certificates_update_script:
file.managed:
- name: /usr/local/bin/update-mumble-certificates
- source: salt://roles/mumble/certificates/files/update-mumble-certificates.sh
diff --git a/roles/paas-docker/containers/acme_dns.sls b/roles/paas-docker/containers/acme_dns.sls
index c44f7ed..f518d00 100644
--- a/roles/paas-docker/containers/acme_dns.sls
+++ b/roles/paas-docker/containers/acme_dns.sls
@@ -1,83 +1,82 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-04
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['acme_dns'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}:
file.directory:
- makedirs: True
/srv/{{ instance }}/etc:
file.directory
/srv/{{ instance }}/lib:
file.directory
{% if has_selinux %}
selinux_context_acme_dns_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}
- sel_type: container_file_t
selinux_context_acme_dns_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/etc/config.cfg:
file.managed:
- source: salt://roles/paas-docker/containers/files/acme/config.cfg
- template: jinja
- context:
ip: {{ container['ip'] }}
domain: {{ container['host'] }}
nsadmin: {{ container['nsadmin'] }}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: joohoi/acme-dns
- binds:
- /srv/{{ instance }}/etc:/etc/acme-dns:ro
- /srv/{{ instance }}/lib:/var/lib/acme-dns
- ports:
- 53
- 53/udp
- 80
- port_bindings:
- 53:53
- 53:53/udp
- 127.0.0.1:{{ container['app_port'] }}:80
{% endfor %}
# -------------------------------------------------------------
# Troubleshoot
#
# Database uses sqlite3.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
acme_dns_host_software:
pkg.installed:
- pkgs:
- sqlite
diff --git a/roles/paas-docker/containers/aphlict.sls b/roles/paas-docker/containers/aphlict.sls
index 4c59be9..2c00402 100644
--- a/roles/paas-docker/containers/aphlict.sls
+++ b/roles/paas-docker/containers/aphlict.sls
@@ -1,31 +1,30 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-07
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for instance, container in pillar['docker_containers']['aphlict'].items() %}
# -------------------------------------------------------------
# Container
#
# Image: nasqueron/aphlict
# Description: Node application to get real time notifications
# through websockets for Phabricator instances.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/aphlict
- ports:
- 22280
- 22281
- port_bindings:
- {{ container['ports']['client'] }}:22280
- {{ container['ports']['admin'] }}:22281
{% endfor %}
diff --git a/roles/paas-docker/containers/api-datasources.sls b/roles/paas-docker/containers/api-datasources.sls
index a312713..db6164c 100644
--- a/roles/paas-docker/containers/api-datasources.sls
+++ b/roles/paas-docker/containers/api-datasources.sls
@@ -1,27 +1,26 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-06-02
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for instance, container in pillar['docker_containers']['api-datasources'].items() %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/api-datasources
- env:
- API_ENTRY_POINT: {{ container['api_entry_point'] }}
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/auth-grove.sls b/roles/paas-docker/containers/auth-grove.sls
index 36a60e1..f534537 100644
--- a/roles/paas-docker/containers/auth-grove.sls
+++ b/roles/paas-docker/containers/auth-grove.sls
@@ -1,72 +1,71 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-05-21
# License: Trivial work, not eligible to copyright
# Description: SSO for Nasqueron services.
# Image: nasqueron/auth-grove
# Services used: MySQL server (acquisitariat)
# Docker volume (/data/login/storage)
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['auth-grove'].items() %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/storage:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% for subdir in ["sessions", "views", "cache"] %}
/srv/{{ instance }}/storage/framework/{{ subdir }}:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% endfor %}
{% if has_selinux %}
selinux_context_{{ instance }}_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/storage
- sel_type: container_file_t
selinux_context_{{ instance }}_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/storage
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/auth-grove
- links: {{ container['mysql_link'] }}:mysql
- environment:
- DB_DRIVER: mysql
- DB_HOST: mysql
- DB_PORT: 3306
- DB_DATABASE: {{ instance }}
- DB_USERNAME: {{ salt['credentials.get_username'](container['credential']) }}
- DB_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
- CANONICAL_URL: https://{{ container['host'] }}
- TRUST_ALL_PROXIES: 1
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
- ports:
- 80
- port_bindings:
- 127.0.0.1:{{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/bugzilla.sls b/roles/paas-docker/containers/bugzilla.sls
index 7b21fe9..56d6227 100644
--- a/roles/paas-docker/containers/bugzilla.sls
+++ b/roles/paas-docker/containers/bugzilla.sls
@@ -1,33 +1,32 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-07
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for instance, container in pillar['docker_containers']['bugzilla'].items() %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/bugzilla
- networks:
- {{ container['network'] }}
- environment:
DB_HOST: {{ container['mysql']['host'] }}
DB_DATABASE: {{ container['mysql']['db'] }}
DB_USER: {{ salt['credentials.get_username'](container['credential']) }}
DB_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
BUGZILLA_URL: https://{{ container['host'] }}/
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/cachet.sls b/roles/paas-docker/containers/cachet.sls
index fc4edc8..c199b92 100644
--- a/roles/paas-docker/containers/cachet.sls
+++ b/roles/paas-docker/containers/cachet.sls
@@ -1,41 +1,40 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-12-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for instance, container in pillar['docker_containers']['cachet'].items() %}
# -------------------------------------------------------------
# Container
#
# Image: dereckson/cachet
# Description: PHP application to offer server status
# information
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/cachet:latest
- links: {{ container['mysql_link'] }}:mysql
- environment:
- DB_DRIVER: mysql
- DB_HOST: mysql
- DB_PORT: 3306
- DB_DATABASE: cachet
- DB_USERNAME: {{ salt['credentials.get_username'](container['credential']) }}
- DB_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
- APP_KEY: {{ salt['credentials.get_token'](container['app_key']) }}
- APP_LOG: errorlog
- APP_DEBUG: "false"
- ports:
- 8000
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/docker-registry-api.sls b/roles/paas-docker/containers/docker-registry-api.sls
index 459ae3c..7a06dbc 100644
--- a/roles/paas-docker/containers/docker-registry-api.sls
+++ b/roles/paas-docker/containers/docker-registry-api.sls
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['docker-registry-api'].items() %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/docker-registry-api
- binds: /srv/{{ container['registry_instance'] }}:/var/lib/registry
- ports:
- 8000
- port_bindings:
- {{ container['app_port'] }}:8000
{% endfor %}
diff --git a/roles/paas-docker/containers/etherpad.sls b/roles/paas-docker/containers/etherpad.sls
index d0f3e08..6e35d7b 100644
--- a/roles/paas-docker/containers/etherpad.sls
+++ b/roles/paas-docker/containers/etherpad.sls
@@ -1,96 +1,95 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-06-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['etherpad'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}:
file.directory:
- user: 9001
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Configuration file
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set settings = pillar["etherpad_settings"][instance] %}
/srv/{{ instance }}/var/settings.json:
file.managed:
- source: salt://roles/paas-docker/containers/files/etherpad/settings.json.jinja
- mode: 400
- user: 9001
- show_changes: False
- template: jinja
- context:
settings: {{ settings }}
mysql:
user: {{ salt["credentials.get_username"](settings["mysql"]["credential"]) }}
password: {{ salt["credentials.get_password"](settings["mysql"]["credential"]) }}
users:
{% for user, user_args in settings.get("users", {}).items() %}
{{ user }}:
password: {{ salt["credentials.get_password"](user_args["credential"]) }}
is_admin: {{ user_args["is_admin"] }}
{% endfor %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/etherpad:production
- links: {{ container['mysql_link'] }}:mysql
- binds: /srv/{{ instance }}/var:/opt/etherpad-lite/var
- ports:
- 9001
- port_bindings:
- {{ container['app_port'] }}:9001
# -------------------------------------------------------------
# API key
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set api_key_path = "/srv/" + instance + "/APIKEY.txt" %}
{{ api_key_path }}:
file.managed:
- mode: 400
- user: 9001
- show_changes: False
- contents: {{ salt['credentials.get_token'](container['credential']) }}
deploy_api_key_{{ instance }}:
cmd.run:
- name: |
docker cp {{ api_key_path }} {{ instance }}:opt/etherpad-lite/APIKEY.txt
docker restart {{ instance }}
- onchanges:
- docker_container: {{ instance }}
- file: {{ api_key_path }}
{% endfor %}
diff --git a/roles/paas-docker/containers/exim.sls b/roles/paas-docker/containers/exim.sls
index cbaf7f3..7473877 100644
--- a/roles/paas-docker/containers/exim.sls
+++ b/roles/paas-docker/containers/exim.sls
@@ -1,72 +1,71 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['exim'].items() %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/exim/{{ instance }}:
file.directory:
- user: 101
- group: 101
- makedirs: True
{% for subdir in ['spool', 'log'] %}
/srv/exim/{{ instance }}/{{ subdir }}:
file.directory:
- user: 101
- group: 101
{% endfor %}
{% if 'mailname' in container %}
/srv/exim/{{ instance }}/mailname:
file.managed:
- contents: {{ container['mailname'] }}
{% endif %}
{% if has_selinux %}
selinux_context_{{ instance }}_exim_data:
selinux.fcontext_policy_present:
- name: /srv/exim/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_exim_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/exim/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: tianon/exim4
- binds:
{% if 'mailname' in container %}
- /srv/exim/{{ instance }}/mailname:/etc/mailname:ro
{% endif %}
- /srv/exim/{{ instance }}/spool:/var/spool/exim4
- /srv/exim/{{ instance }}/log:/var/log/exim4
{% if 'host' in container %}
- hostname: {{ container['mailname'] }}
{% endif %}
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
{% endif %}
{% endfor %}
diff --git a/roles/paas-docker/containers/files/mastodon/clear-video-queue.py b/roles/paas-docker/containers/files/mastodon/clear-video-queue.py
index 2e65ff2..78799fc 100755
--- a/roles/paas-docker/containers/files/mastodon/clear-video-queue.py
+++ b/roles/paas-docker/containers/files/mastodon/clear-video-queue.py
@@ -1,86 +1,85 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Mastodon - clear stuck video tasks from queue
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-12-08
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/containers/files/mastodon/clear-video-queue.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import subprocess
PS_COLUMN_PID = 0
PS_COLUMN_TIME = 3
PS_COLUMN_COMMAND = 4
SUSPECT_COMMANDS = ["ffmpeg"]
MAX_TIME = 30
def parse_time(time):
time_parts = [int(token) for token in time.split(":")]
return time_parts[0] * 60 + time_parts[1]
def process_time_is_up(time):
return parse_time(time) > MAX_TIME
def process_is_suspect(command):
for suspect_command in SUSPECT_COMMANDS:
if command.startswith(suspect_command):
return True
return False
def extract_pid(ps_output_line):
if not ps_output_line[0].isdigit():
return None
tokens = ps_output_line.split(None, 4)
extracted_pid = int(tokens[PS_COLUMN_PID])
time = tokens[PS_COLUMN_TIME]
command = tokens[PS_COLUMN_COMMAND]
if process_time_is_up(time) and process_is_suspect(command):
return extracted_pid
return None
def extract_pids(output):
extracted_pids = [extract_pid(line) for line in output]
return [
extracted_pid for extracted_pid in extracted_pids if extracted_pid is not None
]
def get_kill_command(pids_to_kill):
command = ["kill", "-9 "]
command.extend([str(pid_to_kill) for pid_to_kill in pids_to_kill])
return command
if __name__ == "__main__":
ps_output = subprocess.check_output(["ps", "x"])
ps_data = [line.strip() for line in ps_output.strip().split("\n")]
pids = extract_pids(ps_data)
kill_command = get_kill_command(pids)
subprocess.call(kill_command)
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
index ee0b4f1..51e8715 100644
--- a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
@@ -1,28 +1,27 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# Description: Wrapper for sentry command (local instance)
# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
set -e
docker run -it --rm \
--network {{ network }} \
-v /srv/sentry/{{ realm }}/etc:/etc/sentry \
-v /srv/sentry/{{ realm }}/data:/data \
-v /srv/geoip:/usr/local/share/geoip:ro \
-e PYTHONUSERBASE=/data/custom-packages \
nasqueron/sentry "$@"
diff --git a/roles/paas-docker/containers/hauk.sls b/roles/paas-docker/containers/hauk.sls
index a4f3ed2..ba2b4d6 100644
--- a/roles/paas-docker/containers/hauk.sls
+++ b/roles/paas-docker/containers/hauk.sls
@@ -1,61 +1,60 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2021-07-30
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['hauk'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/hauk/{{ instance }}:
file.directory:
- user: 9001
- makedirs: True
/srv/hauk/{{ instance }}/config.php:
file.managed:
- source: salt:///roles/paas-docker/containers/files/hauk/config.php.jinja
- template: jinja
- mode: 644
- context:
url: https://{{ container['host'] }}{{ container['api_entry_point'] }}/
{% if has_selinux %}
selinux_context_{{ instance }}_data:
selinux.fcontext_policy_present:
- name: /srv/hauk/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/hauk/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: bilde2910/hauk
- binds: /srv/hauk/{{ instance }}:/etc/hauk
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
# Prevent the container from using swap
# Privacy: data is so only stored on RAM, not on disk
- mem_limit: 256m
- memswap_limit: 256m
{% endfor %}
diff --git a/roles/paas-docker/containers/init.sls b/roles/paas-docker/containers/init.sls
index 7042803..5aa1300 100644
--- a/roles/paas-docker/containers/init.sls
+++ b/roles/paas-docker/containers/init.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set services = pillar.get('docker_containers', {}) %}
{% if services %}
include:
{% for service in services %}
- .{{ service }}
{% endfor %}
{% endif %}
diff --git a/roles/paas-docker/containers/jenkins.sls b/roles/paas-docker/containers/jenkins.sls
index 89cfb69..6b846d6 100644
--- a/roles/paas-docker/containers/jenkins.sls
+++ b/roles/paas-docker/containers/jenkins.sls
@@ -1,56 +1,55 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['jenkins'].items() %}
{% set realm = pillar['jenkins_realms'][container['realm']] %}
{% set home = "/srv/jenkins/" + container['realm'] + "/jenkins_home" %}
# -------------------------------------------------------------
# Home directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ home }}:
file.directory:
- user: 1000
- group: 1000
- makedirs: True
{% if has_selinux %}
selinux_context_jenkins_home_{{ instance }}:
selinux.fcontext_policy_present:
- name: {{ home }}
- sel_type: container_file_t
selinux_context_jenkins_home_applied_{{ instance }}:
selinux.fcontext_policy_applied:
- name: {{ home }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: jenkins/jenkins
- binds: {{ home }}:/var/jenkins_home
- networks:
- {{ realm['network'] }}
- ports:
- 8080
- 50000
- port_bindings:
- {{ container['app_port'] }}:8080 # HTTP
- {{ container['jnlp_port'] }}:50000 # Jenkins controller's port for JNLP-based Jenkins agents
{% endfor %}
diff --git a/roles/paas-docker/containers/jenkins_agent.sls b/roles/paas-docker/containers/jenkins_agent.sls
index 85b941f..46d3b1c 100644
--- a/roles/paas-docker/containers/jenkins_agent.sls
+++ b/roles/paas-docker/containers/jenkins_agent.sls
@@ -1,63 +1,62 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['jenkins_agent'].items() %}
{% set realm = pillar['jenkins_realms'][container['realm']] %}
{% set home = "/srv/jenkins/" + container['realm'] + "/agents_homes/" + instance %}
{% set image = pillar['jenkins_images'][container['image_flavour']] %}
{% set image = salt['paas_docker.get_image'](image, container) %}
# -------------------------------------------------------------
# Home directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ home }}:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% if has_selinux %}
selinux_context_jenkins_agent_{{ instance }}_home:
selinux.fcontext_policy_present:
- name: {{ home }}
- sel_type: container_file_t
selinux_context_jenkins_agent_{{ instance }}_home_applied:
selinux.fcontext_policy_applied:
- name: {{ home }}
{% endif %}
{{ home }}/.ssh:
file.directory:
- user: 431
- group: 433
{{ home }}/.ssh/authorized_keys:
file.managed:
- contents: {{ realm['ssh_key'] }}
- user: 431
- group: 433
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: {{ image }}
- binds: {{ home }}:/home/app
- networks:
- {{ realm['network'] }}
{% endfor %}
diff --git a/roles/paas-docker/containers/mastodon_sidekiq.sls b/roles/paas-docker/containers/mastodon_sidekiq.sls
index 0450fe9..47492cf 100644
--- a/roles/paas-docker/containers/mastodon_sidekiq.sls
+++ b/roles/paas-docker/containers/mastodon_sidekiq.sls
@@ -1,34 +1,33 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-12-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Extra utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/mastodon/extra_utilities:
file.directory:
- makedirs: True
/srv/mastodon/extra_utilities/clear-video-queue:
file.managed:
- source: salt://roles/paas-docker/containers/files/mastodon/clear-video-queue.py
- mode: 755
# -------------------------------------------------------------
# Provision extra utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for instance in pillar['docker_containers']['mastodon_sidekiq'] %}
provision_clear_video_queue_{{ instance }}:
cmd.run:
- name: docker cp /srv/mastodon/extra_utilities/clear-video-queue {{ instance }}:/usr/bin/clear-video-queue
- require:
- file: /srv/mastodon/extra_utilities/clear-video-queue
{% endfor %}
diff --git a/roles/paas-docker/containers/mysql.sls b/roles/paas-docker/containers/mysql.sls
index 2ee635f..ad355af 100644
--- a/roles/paas-docker/containers/mysql.sls
+++ b/roles/paas-docker/containers/mysql.sls
@@ -1,53 +1,52 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['mysql'].items() %}
{% set image = salt['paas_docker.get_image']("nasqueron/mysql", container) %}
# -------------------------------------------------------------
# Home directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/mysql:
file.directory:
- user: 999
- group: 999
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}_mysql_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/mysql
- sel_type: container_file_t
selinux_context_{{ instance }}_mysql_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/mysql
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: {{ image }}
- binds: /srv/{{ instance }}/mysql:/var/lib/mysql
- environment:
MYSQL_ROOT_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['root']) }}
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
{% endif %}
- cap_add:
- SYS_NICE # T1672
{% endfor %}
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
index f444c8b..ee116e8 100644
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -1,121 +1,120 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['notifications'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/storage:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% for subdir in ["sessions", "views", "cache"] %}
/srv/{{ instance }}/storage/framework/{{ subdir }}:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% endfor %}
/srv/{{ instance }}/storage/app/credentials.json:
file.managed:
- user: 431
- group: 433
- mode: 400
- makedirs: True
- show_changes: False
- contents: |
{{ salt['notifications.get_credentials']() | json }}
/srv/{{ instance }}/storage/app/DockerHubTriggers.json:
file.managed:
- user: 431
- group: 433
- mode: 400
- show_changes: False
- contents: |
{{ salt['notifications.get_dockerhub_triggers']() | json }}
{% for folder, configs in salt['pillar.get']("notifications_configuration", {}).items() %}
{% for config_file, config in configs.items() %}
/srv/{{ instance }}/storage/app/{{ folder }}/{{ config_file }}.json:
file.managed:
- user: 431
- group: 433
- makedirs: True
- contents: |
{{ config | json }}
{% endfor %}
{% endfor %}
{% if has_selinux %}
selinux_context_notifications_data_{{ instance }}:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/storage
- sel_type: container_file_t
selinux_context_notifications_data_applied_{{ instance }}:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/storage
{% endif %}
# -------------------------------------------------------------
# Container
#
# Image: nasqueron/notifications
# Description: Listen to webhooks, fire notifications to
# the broker. Used for CI / IRC notifications.
# Services used: RabbitMQ broker (white-rabbit)
# Docker volume (/srv/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if "network" in container %}
{% set broker = container['broker'] %}
{% else %}
{% set broker = "mq" %}
{% endif %}
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
{% if "network" in container %}
- networks:
- {{ container['network'] }}
{% else %}
- links:
- {{ container['broker_link'] }}:mq
{% endif %}
- environment:
- BROKER_HOST: {{ broker }}
- BROKER_USERNAME: {{ salt['credentials.get_username'](container['credentials']['broker']) }}
- BROKER_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
{% if "mailgun" in container["credentials"] %}
- MAILGUN_DOMAIN: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
{% endif %}
- SENTRY_DSN: {{ salt['credentials.get_sentry_dsn'](container["sentry"]) }}
- SENTRY_TRACES_SAMPLE_RATE: 1.0
- SENTRY_ENVIRONMENT: {{ container["sentry"].get("environment", "production") }}
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/openfire.sls b/roles/paas-docker/containers/openfire.sls
index bd649ae..6b9bff1 100644
--- a/roles/paas-docker/containers/openfire.sls
+++ b/roles/paas-docker/containers/openfire.sls
@@ -1,61 +1,60 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-06-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['openfire'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}:
file.directory:
- user: 999
- group: 999
- makedirs: True
{% if has_selinux %}
selinux_context_openfire_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}
- sel_type: container_file_t
selinux_context_openfire_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/openfire
- binds: /srv/{{ instance }}:/var/lib/openfire
- hostname: {{ container['host'] }}
- ports: {{ pillar['xmpp_ports'] }}
- port_bindings:
{% for port in pillar['xmpp_ports'] %}
- {{ container['ip'] }}:{{ port }}:{{ port }}
{% endfor %}
# -------------------------------------------------------------
# Certificate propagation
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/letsencrypt/etc/renewal/{{ container['host'] }}.conf:
file.append:
- text:
- "# Propagate certificates to Openfire container"
- post-hook = openfire propagate-certificate {{ instance }} {{ container['host'] }}
{% endfor %}
diff --git a/roles/paas-docker/containers/phabricator.sls b/roles/paas-docker/containers/phabricator.sls
index 0872057..9e0c0da 100644
--- a/roles/paas-docker/containers/phabricator.sls
+++ b/roles/paas-docker/containers/phabricator.sls
@@ -1,121 +1,120 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-06
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['phabricator'].items() %}
{% set create_container = "skip_container" not in container or not container['skip_container'] %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/phabricator/{{ instance }}:
file.directory:
- user: 431
- group: 433
- makedirs: True
/srv/phabricator/{{ instance }}/files:
file.directory:
- user: 431
- group: 433
{% if "config_managed" in container %}
/srv/phabricator/{{ instance }}/conf/local/local.json:
file.managed:
- source: salt://roles/paas-docker/containers/files/phabricator/{{ instance }}/config.json.jinja
- template: jinja
- context:
fqdn: {{ container["host"] }}
instance: {{ instance }}
static_host: {{ container["static_host"] }}
storage: {{ container["storage"] }}
db:
host: "mysql"
username: "{{ salt["credentials.get_username"](container["credentials"]["mysql"]) }}"
password: "{{ salt["credentials.get_password"](container["credentials"]["mysql"]) }}"
{% if "mailgun" in container["credentials"] %}
mailgun:
domain: {{ container["host"] }}
api-key: "{{ salt["credentials.get_password"](container["credentials"]["mailgun"]) }}"
{% endif %}
{% if "smtp" in container["credentials"] %}
smtp:
host: mail.nasqueron.org
port: 587
username: "{{ salt["credentials.get_username"](container["credentials"]["smtp"]) }}"
password: "{{ salt["credentials.get_password"](container["credentials"]["smtp"]) }}"
{% endif %}
{% endif %}
{% if has_selinux %}
selinux_context_{{ instance }}_data:
selinux.fcontext_policy_present:
- name: /srv/phabricator/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/phabricator/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
#
# /!\ DEVCENTRAL DEPLOYMENT ISSUE /!\
#
# The DevCentral container is currently not managed
# by a reproducible Dockerfile. As such, this container
# is deployed manually from the registry. See T1547.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if create_container %}
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/phabricator
- binds:
- /srv/phabricator/{{ instance }}/conf:/opt/phabricator/conf
- /srv/phabricator/{{ instance }}/repo:/var/repo
- /srv/phabricator/{{ instance }}/files:/var/files
- environment:
PHABRICATOR_URL: https://{{ container['host'] }}
PHABRICATOR_TITLE: {{ container['title'] }}
PHABRICATOR_DOMAIN: {{ container['host'] }}
PHABRICATOR_ALT_FILE_DOMAIN: https://{{ container['static_host'] }}
DB_USER: {{ salt['credentials.get_username'](container['credentials']['mysql']) }}
DB_PASS: {{ salt['credentials.get_password'](container['credentials']['mysql']) }}
PHABRICATOR_STORAGE_NAMESPACE: {{ container['storage']['namespace'] }}
{% if container['mailer'] == 'sendgrid' %}
PHABRICATOR_USE_SENDGRID: 1
PHABRICATOR_SENDGRID_APIUSER: {{ salt['credentials.get_username'](container['credentials']['sendgrid']) }}
PHABRICATOR_SENDGRID_APIKEY: {{ salt['credentials.get_password'](container['credentials']['sendgrid']) }}
{% elif container['mailer'] == 'mailgun' %}
PHABRICATOR_USE_MAILGUN: 1
PHABRICATOR_MAILGUN_APIKEY: {{ salt['credentials.get_token'](container['credentials']['mailgun']) }}
{% endif %}
- links: {{ container['mysql_link'] }}:mysql
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endif %}
{% endfor %}
diff --git a/roles/paas-docker/containers/phpbb.sls b/roles/paas-docker/containers/phpbb.sls
index 11b0927..722241a 100644
--- a/roles/paas-docker/containers/phpbb.sls
+++ b/roles/paas-docker/containers/phpbb.sls
@@ -1,45 +1,44 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/phpbb/data:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% if has_selinux %}
selinux_context_phpbb_datastores:
selinux.fcontext_policy_present:
- name: /srv/phpbb/data
- sel_type: container_file_t
selinux_context_phpbb_datastores_applied:
selinux.fcontext_policy_applied:
- name: /srv/phpbb/data
{% endif %}
{% for store in pillar['phpbb_datastores'] %}
/srv/phpbb/data/{{ store }}:
file.directory:
- user: 431
- group: 433
{% for subdir in ['cache', 'config', 'ext', 'files', 'images', 'store'] %}
/srv/phpbb/data/{{ store }}/{{ subdir }}:
file.recurse:
- source: salt://software/phpbb/phpBB/{{ subdir }}
- user: 431
- group: 433
{% endfor %}
{% endfor %}
diff --git a/roles/paas-docker/containers/pixelfed.sls b/roles/paas-docker/containers/pixelfed.sls
index 4a5e6de..0f0fca8 100644
--- a/roles/paas-docker/containers/pixelfed.sls
+++ b/roles/paas-docker/containers/pixelfed.sls
@@ -1,99 +1,98 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-12
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['pixelfed'].items() %}
# -------------------------------------------------------------
# Data directory
#
# The uid/gid pair depends on the image base:
#
# - library/php + fpm: 82:85
# - library/php + Apache: 33:33
# - nasqueron/nginx-php7-fpm: 431:433
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/storage:
file.directory:
- user: 431
- group: 433
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/storage
- sel_type: container_file_t
selinux_context_{{ instance }}_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/storage
{% endif %}
# -------------------------------------------------------------
# Web container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/pixelfed
- links:
- {{ container['links']['redis'] }}:redis
- {{ container['links']['mysql'] }}:mysql
- environment:
- DB_DRIVER: mysql
- DB_HOST: mysql
- DB_PORT: 3306
- DB_DATABASE: {{ instance }}
- DB_USERNAME: {{ salt['credentials.get_username'](container['credentials']['mysql']) }}
- DB_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['mysql']) }}
# Port must be defined, as Docker link populates REDIS_PORT to tcp://...:6379
# That gives the following rather strange connection string:
# tcp://redis:tcp://172.17.0.29:6379
- REDIS_HOST: redis
- REDIS_PORT: 6379
- APP_DOMAIN: {{ container['host'] }}
- APP_KEY: {{ salt['credentials.get_token'](container['credentials']['app_key']) }}
- APP_NAME: {{ container['app']['title'] }}
- APP_URL: https://{{ container['host'] }}
- BROADCAST_DRIVER: redis
- CACHE_DRIVER: redis
- QUEUE_DRIVER: redis
- LOG_CHANNEL: 'daily'
- MAIL_DRIVER: smtp
- MAIL_HOST: smtp.eu.mailgun.org
- MAIL_PORT: 587
- MAIL_USERNAME: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAIL_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
- MAIL_FROM_ADDRESS: no-reply@{{ container['host'] }}
- MAIL_FROM_NAME: {{ container['app']['title'] }}
- SESSION_DRIVER: redis
- SESSION_DOMAIN: {{ container['host'] }}
- SESSION_SECURE_COOKIE: true
- TRUST_PROXIES: '*'
- HTTPS: 1
- MAX_ALBUM_LENGTH: {{ container['app']['max_album_length'] }}
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}
diff --git a/roles/paas-docker/containers/postgresql.sls b/roles/paas-docker/containers/postgresql.sls
index bfe3e5c..d6f91a0 100644
--- a/roles/paas-docker/containers/postgresql.sls
+++ b/roles/paas-docker/containers/postgresql.sls
@@ -1,64 +1,63 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['postgresql'].items() %}
{% set image = salt['paas_docker.get_image']("library/postgres", container) %}
# -------------------------------------------------------------
# Home directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}/postgresql:
file.directory:
- user: 999
- group: 999
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}_postgresql_data:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}/postgresql
- sel_type: container_file_t
selinux_context_{{ instance }}_postgresql_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}/postgresql
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: {{ image }}
- binds: /srv/{{ instance }}/postgresql:/var/lib/postgresql/data
- environment:
POSTGRES_USER: {{ salt['credentials.get_username'](container['credential']) }}
POSTGRES_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
{% if 'db' in container %}
POSTGRES_DB: {{ container['db'] }}
{% endif %}
{% if 'initdb_args' in container %}
POSTGRES_INITDB_ARGS: {{ container['initdb_args'] }}
{% endif %}
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
{% endif %}
{% endfor %}
diff --git a/roles/paas-docker/containers/rabbitmq.sls b/roles/paas-docker/containers/rabbitmq.sls
index a16ddae..f011c4c 100644
--- a/roles/paas-docker/containers/rabbitmq.sls
+++ b/roles/paas-docker/containers/rabbitmq.sls
@@ -1,76 +1,75 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-09-30
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['rabbitmq'].items() %}
# -------------------------------------------------------------
# Storage directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/rabbitmq/{{ instance }}/lib:
file.directory:
- user: 999
- group: 999
- makedirs: True
/srv/rabbitmq/{{ instance }}/lib/.erlang.cookie:
file.managed:
- user: 999
- group: 999
- mode: 400
- show_changes: False
- contents: {{ salt['credentials.get_token'](container['credentials']['erlang_cookie']) }}
{% if has_selinux %}
selinux_context_rabbitmq_data_{{ instance }}:
selinux.fcontext_policy_present:
- name: /srv/rabbitmq/{{ instance }}/lib
- sel_type: container_file_t
selinux_context_rabbitmq_data_applied_{{ instance }}:
selinux.fcontext_policy_applied:
- name: /srv/rabbitmq/{{ instance }}/lib
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/rabbitmq
- binds:
- /srv/rabbitmq/{{ instance }}/lib:/var/lib/rabbitmq
- hostname: {{ container['host'] }}
- ports: {{ pillar['rabbitmq_ports'] }}
- port_bindings:
{% for port in pillar['rabbitmq_ports'] %}
- {{ container['ip'] }}:{{ port }}:{{ port }}
{% endfor %}
# -------------------------------------------------------------
# Credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rabbitmq_{{ instance }}_root_password:
cmd.script:
- source: salt://roles/paas-docker/containers/files/rabbitmq/add_user_root.sh.jinja
- template: jinja
- context:
instance: {{ instance }}
password: {{ salt['credentials.get_token'](container['credentials']['root']) }}
- require:
- {{ instance }}
- creates: /srv/rabbitmq/{{ instance }}/.auth-configured
{% endfor %}
diff --git a/roles/paas-docker/containers/redis.sls b/roles/paas-docker/containers/redis.sls
index 451ccb2..f93ac88 100644
--- a/roles/paas-docker/containers/redis.sls
+++ b/roles/paas-docker/containers/redis.sls
@@ -1,60 +1,59 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-30
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['redis'].items() %}
{% set image = salt['paas_docker.get_image']("library/redis", container) %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/redis/{{ instance }}:
file.directory:
- user: 999
- group: 999
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}_redis_data:
selinux.fcontext_policy_present:
- name: /srv/redis/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_redis_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/redis/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: {{ image }}
- binds: /srv/redis/{{ instance }}:/data
- healthcheck:
Test: redis-cli ping
Interval: 30000000000
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
{% endif %}
{% endfor %}
# -------------------------------------------------------------
# Host preparation
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vm.overcommit_memory:
sysctl.present:
- value: 1
diff --git a/roles/paas-docker/containers/registry.sls b/roles/paas-docker/containers/registry.sls
index a2cfbce..c26c91c 100644
--- a/roles/paas-docker/containers/registry.sls
+++ b/roles/paas-docker/containers/registry.sls
@@ -1,47 +1,46 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% for instance, container in pillar['docker_containers']['registry'].items() %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/{{ instance }}:
file.directory:
- makedirs: True
{% if has_selinux %}
selinux_context_{{ instance }}:
selinux.fcontext_policy_present:
- name: /srv/{{ instance }}
- sel_type: container_file_t
selinux_context_{{ instance }}_applied:
selinux.fcontext_policy_applied:
- name: /srv/{{ instance }}
{% endif %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: library/registry
- binds: /srv/{{ instance }}:/var/lib/registry
- ports:
- 5000
- port_bindings:
- 127.0.0.1:{{ container['app_port'] }}:5000 # HTTP
{% endfor %}
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
index 69eddfe..ef9b7b3 100644
--- a/roles/paas-docker/containers/sentry.sls
+++ b/roles/paas-docker/containers/sentry.sls
@@ -1,105 +1,104 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-12-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for realm, realm_args in pillar['sentry_realms'].items() %}
/srv/sentry/{{ realm }}:
file.directory:
- user: 999
- group: 999
- makedirs: True
/srv/sentry/{{ realm }}/data:
file.directory:
- user: 999
- group: 999
/srv/sentry/{{ realm }}/data/files:
file.directory:
- user: 999
- group: 999
/srv/sentry/{{ realm }}/etc:
file.recurse:
- source: salt://roles/paas-docker/containers/files/sentry/etc
- user: 999
- group: 999
- dir_mode: 700
- file_mode: 400
- template: jinja
- context:
realm: {{ realm }}
args: {{ realm_args }}
vault:
approle: {{ salt["credentials.read_secret"](realm_args["credentials"]["vault"]) }}
addr: {{ pillar["nasqueron_services"]["vault_url"] }}
sentry_{{ realm }}_vault_certificate:
file.managed:
- name: /srv/sentry/{{ realm }}/etc/certificates/nasqueron-vault-ca.crt
- source: salt://roles/core/certificates/files/nasqueron-vault-ca.crt
- mode: 644
- makedirs: True
/srv/sentry/{{ realm }}/bin/sentry:
file.managed:
- source: salt://roles/paas-docker/containers/files/sentry/sentry.sh.jinja
- mode: 755
- template: jinja
- context:
realm: {{ realm }}
network: {{ realm_args["network"] }}
{% if has_selinux %}
selinux_context_{{ realm }}_sentry_data:
selinux.fcontext_policy_present:
- name: /srv/sentry/{{ realm }}
- sel_type: container_file_t
selinux_context_{{ realm }}_sentry_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/sentry/{{ realm }}
{% endif %}
{% endfor %}
# -------------------------------------------------------------
# Web application
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for instance, container in pillar['docker_containers']['sentry'].items() %}
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/sentry
- command: {{ container["command"] }}
- binds:
- /srv/sentry/{{ container["realm"] }}/etc:/etc/sentry
- /srv/sentry/{{ container["realm"] }}/data:/data
- /srv/geoip:/usr/local/share/geoip:ro
- environment:
- PYTHONUSERBASE: /data/custom-packages
- SENTRY_EVENT_RETENTION_DAYS: 90
{% if "app_port" in container %}
- ports:
- 9000
- port_bindings:
- {{ container['app_port'] }}:9000
{% endif %}
- networks:
- {{ container['network'] }}
{% endfor %}
diff --git a/roles/paas-docker/containers/tommy.sls b/roles/paas-docker/containers/tommy.sls
index d8b4a5b..e695263 100644
--- a/roles/paas-docker/containers/tommy.sls
+++ b/roles/paas-docker/containers/tommy.sls
@@ -1,31 +1,30 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% for instance, container in pillar['docker_containers']['tommy'].items() %}
# -------------------------------------------------------------
# Container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/tommy
- environment:
- JENKINS_URL: {{ container['jenkins_url'] }}
{% if "jenkins_multi_branch" in container %}
# We don't use default value, as Ruby idea of truthy is pretty large, including 0
- JENKINS_MULTI_BRANCH: {{ container['jenkins_multi_branch'] }}
{% endif %}
- ports:
- 4567
- port_bindings:
- {{ container['app_port'] }}:4567 # HTTP
{% endfor %}
diff --git a/roles/paas-docker/devel/account.sls b/roles/paas-docker/devel/account.sls
index 79ac4bf..0a56f0e 100644
--- a/roles/paas-docker/devel/account.sls
+++ b/roles/paas-docker/devel/account.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — nasqueron-dev-docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2022-05-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Sudo capabilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nasqueron_dev_docker_sudo_capabilities_file:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/nasqueron-dev-docker
- source: salt://roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers
diff --git a/roles/paas-docker/devel/config.sls b/roles/paas-docker/devel/config.sls
index b73cd13..023a706 100644
--- a/roles/paas-docker/devel/config.sls
+++ b/roles/paas-docker/devel/config.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Docker development
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2022-04-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/etc/systemd/system/docker.socket.d/socket.conf:
file.managed:
- source: salt://roles/paas-docker/devel/files/socket.conf
- mode: 644
- makedirs: True
diff --git a/roles/paas-docker/devel/files/arc.sh b/roles/paas-docker/devel/files/arc.sh
index 633367b..2a9757f 100755
--- a/roles/paas-docker/devel/files/arc.sh
+++ b/roles/paas-docker/devel/files/arc.sh
@@ -1,117 +1,116 @@
#!/usr/bin/env bash
# -------------------------------------------------------------
# Phabricator — Arcanist Docker container wrapper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
-# Created: 2016-01-01
# Description: Wrapper to run Arcanist as a Docker container
# License: Trivial work, not eligible to copyright
# If copyright eligible, BSD-2-Clause
# Image: nasqueron/arcanist
# Source file: roles/paas-docker/devel/files/arc.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
BASE_IMAGE=nasqueron/arcanist
# -------------------------------------------------------------
# Parse arguments
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ -t 0 ]; then
# If a stdin entry is available
# launch the container in the
# interactive mode
FLAGS=-it
fi
# Logs are default disabled
PRINT_LOG=0
UPDATE_MODE=0
if [ "$1" = "shell" ]; then
# Launch commands
# in the container bash shell
shift
COMMAND=bash
elif [ "$1" = "update" ]; then
UPDATE_MODE=1
else
# Launch arc
mkdir -p ~/.arc
COMMAND=arc
if [ "$1" = "call-conduit" ]; then
# Enable log printing
PRINT_LOG=1
# Set a random name for the container
INSTANCE="arc-"$(openssl rand -hex 21)
FLAGS="-i -a=stdin --name=$INSTANCE"
fi
fi
# -------------------------------------------------------------
# Build image
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
build_user_image () {
BUILD_DIR=$(mktemp -d -t arc-build-XXXXXXXXXX)
pushd "$BUILD_DIR" > /dev/null || exit 1
>&2 echo "🔨 Building user-specific image $IMAGE for $USER"
echo "FROM $BASE_IMAGE" > Dockerfile
echo "RUN groupadd -r $USER -g $GID && mkdir /home/$USER && useradd -u $UID -r -g $USER -d /home/$USER -s /bin/bash $USER && cp /root/.bashrc /home/$USER/ && chown -R $USER:$USER /home/$USER && ln -s /opt/config/gitconfig /home/$USER/.gitconfig && ln -s /opt/config/arcrc /home/$USER/.arcrc" >> Dockerfile
docker build -t "$IMAGE" .
popd > /dev/null
rm -rf "$BUILD_DIR"
}
test -v $UID && UID=$(id -u)
test -v $GID && GID=$(id -g)
if [ $UPDATE_MODE -eq 1 ]; then
docker pull $BASE_IMAGE
# Rebuild user image
IMAGE=$BASE_IMAGE:$UID-$GID
test $UID -eq 0 || build_user_image
exit
fi
if [ $UID -eq 0 ]; then
IMAGE=$BASE_IMAGE
CONTAINER_USER_HOME=/root
else
IMAGE=$BASE_IMAGE:$UID-$GID
test ! -z $(docker images -q "$IMAGE") || build_user_image
CONTAINER_USER_HOME="/home/$USER"
fi
# -------------------------------------------------------------
# Run container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ -d ~/.arc/ssh ]; then
VOLUME_SSH="-v $HOME/.arc/ssh:$CONTAINER_USER_HOME/.ssh"
else
VOLUME_SSH=""
fi
if [ $PRINT_LOG -eq 0 ]; then
docker run $FLAGS --rm --user $UID:$GID -v ~/.arc:/opt/config -v "$PWD:/opt/workspace" $VOLUME_SSH $IMAGE $COMMAND "$@"
else
docker run $FLAGS --user $UID:$GID -v ~/.arc:/opt/config -v "$PWD:/opt/workspace" $VOLUME_SSH $IMAGE $COMMAND "$@" > /dev/null
sleep 3
docker logs "$INSTANCE"
docker rm "$INSTANCE" >/dev/null
fi
diff --git a/roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers b/roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers
index dc104a2..3a7f292 100644
--- a/roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers
+++ b/roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers
@@ -1,17 +1,16 @@
# -------------------------------------------------------------
# SaltStack deployment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2022-05-23
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/devel/files/nasqueron-dev-docker.sudoers
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
%nasqueron-dev-docker ALL = (ALL) NOPASSWD: ALL
diff --git a/roles/paas-docker/devel/files/psysh.sh b/roles/paas-docker/devel/files/psysh.sh
index f037245..b0bc599 100755
--- a/roles/paas-docker/devel/files/psysh.sh
+++ b/roles/paas-docker/devel/files/psysh.sh
@@ -1,14 +1,13 @@
#!/bin/sh
# -------------------------------------------------------------
# PsySH container wrapper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
-# Created: 2020-02-24
# Description: Wrapper to run PsySH as a Docker container
# License: Trivial work, not eligible to copyright
# Image: nasqueron/php-cli
# -------------------------------------------------------------
docker run -it --rm nasqueron/php-cli psysh
diff --git a/roles/paas-docker/devel/files/socket.conf b/roles/paas-docker/devel/files/socket.conf
index b7e8d88..e51b623 100644
--- a/roles/paas-docker/devel/files/socket.conf
+++ b/roles/paas-docker/devel/files/socket.conf
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# Docker container config
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: dorianwinty
# Project: Nasqueron
-# Created: 2022-04-15
# Description: Set good group to the Docker container
# License: Trivial work, not eligible to copyright
# If copyright eligible, BSD-2-Clause
# Source file: roles/paas-docker/devel/files/socket.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Socket]
SocketGroup=nasqueron-dev-docker
diff --git a/roles/paas-docker/devel/init.sls b/roles/paas-docker/devel/init.sls
index 1bd149b..045c2d2 100644
--- a/roles/paas-docker/devel/init.sls
+++ b/roles/paas-docker/devel/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Docker development tools
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .config
- .account
diff --git a/roles/paas-docker/devel/software.sls b/roles/paas-docker/devel/software.sls
index 520765e..0688257 100644
--- a/roles/paas-docker/devel/software.sls
+++ b/roles/paas-docker/devel/software.sls
@@ -1,42 +1,41 @@
# -------------------------------------------------------------
# Salt — Docker development tools
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Dependencies not required in production but useful in dev
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_development_utilities:
pkg.installed:
- pkgs:
- jq
- {{ packages_prefixes.python3 }}pip
- sqlite
# From Nasqueron repo
- dive
pip.installed:
- name: docker-compose
- require:
- pkg: docker_development_utilities
# -------------------------------------------------------------
# Tools
#
# :: Arcanist
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/arc:
file.managed:
- source: salt://roles/paas-docker/devel/files/arc.sh
- mode: 755
{{ dirs.bin }}/psysh:
file.managed:
- source: salt://roles/paas-docker/devel/files/psysh.sh
- mode: 755
diff --git a/roles/paas-docker/docker/config.sls b/roles/paas-docker/docker/config.sls
index 954cef3..7784057 100644
--- a/roles/paas-docker/docker/config.sls
+++ b/roles/paas-docker/docker/config.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Configure Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set daemon = salt["paas_docker.build_daemon_config"]() %}
{{ dirs.etc }}/docker/daemon.json:
file.managed:
- source: salt://roles/paas-docker/docker/files/daemon.json.jinja
- template: jinja
- mode: 644
- context:
daemon: {{ daemon }}
diff --git a/roles/paas-docker/docker/files/thinpool.profile b/roles/paas-docker/docker/files/thinpool.profile
index 1afa549..f769f4d 100644
--- a/roles/paas-docker/docker/files/thinpool.profile
+++ b/roles/paas-docker/docker/files/thinpool.profile
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-18
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/docker/files/thinpool.profile
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Auto extend
#
# Reference: https://docs.docker.com/storage/storagedriver/device-mapper-driver/
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
diff --git a/roles/paas-docker/docker/firewall.sls b/roles/paas-docker/docker/firewall.sls
index d15996b..3387d07 100644
--- a/roles/paas-docker/docker/firewall.sls
+++ b/roles/paas-docker/docker/firewall.sls
@@ -1,29 +1,28 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-05-24
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, services with context %}
# -------------------------------------------------------------
# Firewalld
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services['firewall'] == 'firewalld' %}
{{ dirs.etc }}/firewalld/services/prometheus-docker.xml:
file.managed:
- source: salt://roles/paas-docker/docker/files/firewalld-services-prometheus-docker.xml
- makedirs: True
{{ dirs.etc }}/firewalld/zones/public.xml:
file.managed:
- source: salt://roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
- template: jinja
- context:
subnets: {{ salt['paas_docker.get_subnets']() }}
{% endif %}
diff --git a/roles/paas-docker/docker/images.sls b/roles/paas-docker/docker/images.sls
index 0c972d7..dd9772a 100644
--- a/roles/paas-docker/docker/images.sls
+++ b/roles/paas-docker/docker/images.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set images = salt['paas_docker.list_images']() %}
# -------------------------------------------------------------
# Fetch Docker images
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for image in images %}
{{ image }}:
docker_image.present
{% endfor %}
diff --git a/roles/paas-docker/docker/init.sls b/roles/paas-docker/docker/init.sls
index 0893639..5bc580c 100644
--- a/roles/paas-docker/docker/init.sls
+++ b/roles/paas-docker/docker/init.sls
@@ -1,14 +1,13 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .config
- .images
- .firewall
- .networks
diff --git a/roles/paas-docker/docker/networks.sls b/roles/paas-docker/docker/networks.sls
index 385b664..6c5a607 100644
--- a/roles/paas-docker/docker/networks.sls
+++ b/roles/paas-docker/docker/networks.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set networks = pillar.get("docker_networks", {}) %}
# -------------------------------------------------------------
# Bridge networks
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for network, args in networks.items() %}
docker_network_{{ network }}:
docker_network.present:
- name: {{ network }}
- driver: bridge
- subnet: {{ args['subnet'] }}
{% endfor %}
diff --git a/roles/paas-docker/docker/software.sls b/roles/paas-docker/docker/software.sls
index 43cce03..3f3b944 100644
--- a/roles/paas-docker/docker/software.sls
+++ b/roles/paas-docker/docker/software.sls
@@ -1,63 +1,62 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-05-24
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, services with context %}
# -------------------------------------------------------------
# Install Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'RedHat' and grains['os'] != 'Fedora' %}
remove_legacy_docker_packages:
pkg.removed:
- pkgs:
- docker-common
- docker-selinux
- docker-engine
install_docker_engine_dependencies:
file.managed:
- name: /etc/yum.repos.d/docker-ce.repo
- source: https://download.docker.com/linux/centos/docker-ce.repo
- source_hash: 8ab5599eef0afcac10cbd3e8670873efee20fcceb5fb3526a62edeade603cec7
pkg.installed:
- pkgs:
- device-mapper-persistent-data
- lvm2
- require:
- file: install_docker_engine_dependencies
# CentOS 8 can't install docker-ce last version if containerd.io isn't recent enough.
install_docker_engine:
cmd.run:
- name: dnf install -y docker-ce --nobest
- creates: /usr/bin/dockerd
{% endif %}
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
start_docker_service:
service.running:
- name: docker
- enable: true
# -------------------------------------------------------------
# Additional utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
install_docker_extra_packages:
pkg.installed:
- pkgs:
- docker-processes
{{ dirs.bin }}/docker-paas-list-containers:
file.managed:
- source: salt://roles/paas-docker/docker/files/docker-paas-list-containers.py
- mode: 755
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls
index c4bb679..640730e 100644
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/init.sls
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-13
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
include:
- .kernel
- .salt
- .docker
- .containers
- .systemd-unit
- .systemd-timers
- .wwwroot-502
- .wwwroot-content
- .anubis
- .nginx
- .monitoring
- .wrappers
{% if salt['node.has']('flags:install_docker_devel_tools') %}
- .devel
{% endif %}
diff --git a/roles/paas-docker/kernel/files/tuned.conf b/roles/paas-docker/kernel/files/tuned.conf
index 363ce9c..015eac8 100644
--- a/roles/paas-docker/kernel/files/tuned.conf
+++ b/roles/paas-docker/kernel/files/tuned.conf
@@ -1,33 +1,32 @@
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/kernel/files/tuned.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Default settings
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[main]
include=virtual-guest
# -------------------------------------------------------------
# Database settings
#
# References:
# - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/s-memory-transhuge
# Transparent huge pages aren't suitable for databases
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[vm]
transparent_hugepages=never
diff --git a/roles/paas-docker/kernel/init.sls b/roles/paas-docker/kernel/init.sls
index ce06616..697517c 100644
--- a/roles/paas-docker/kernel/init.sls
+++ b/roles/paas-docker/kernel/init.sls
@@ -1,34 +1,33 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os_family'] == 'RedHat' %}
{% if salt['file.file_exists']("/etc/tuned") %}
/etc/tuned/paas-docker:
file.directory
/etc/tuned/paas-docker/tuned.conf:
file.managed:
- source: salt://roles/paas-docker/kernel/files/tuned.conf
apply_paas_docker_tuned_configuration:
cmd.run:
- name: tuned-adm profile paas-docker
- onchanges:
- file: /etc/tuned/paas-docker/tuned.conf
{% else %}
# /sys/kernel allows to write settings and display the selected one in []
restrict_hugepages:
cmd.run:
- name: echo madvise > /sys/kernel/mm/transparent_hugepage/enabled
- unless: grep -q "\[madvise\]" /sys/kernel/mm/transparent_hugepage/enabled
{% endif %}
{% endif %}
diff --git a/roles/paas-docker/nginx/config.sls b/roles/paas-docker/nginx/config.sls
index 6a4b29e..4d18b3e 100644
--- a/roles/paas-docker/nginx/config.sls
+++ b/roles/paas-docker/nginx/config.sls
@@ -1,78 +1,77 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set containers = pillar.get('docker_containers', {}) %}
# -------------------------------------------------------------
# vhosts folder
#
# :: fallback when a domain isn't found
# :: server cover page
# :: containers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts/000-fallback.conf:
file.managed:
- source: salt://roles/paas-docker/nginx/files/vhosts/base/fallback.conf
{{ dirs.etc }}/nginx/vhosts/001-server.conf:
file.managed:
- source: salt://roles/paas-docker/nginx/files/vhosts/base/server.conf
- template: jinja
- context:
fqdn: {{ grains['fqdn'] }}
ipv4: {{ grains['ipv4'] | join(" ") }}
ipv6: "{{ salt['node.get_ipv6_list']() }}"
/var/log/www/_server:
file.directory:
- user: nginx
- group: root
{% for service, instances in containers.items() %}
{% if salt["paas_docker.is_nginx_service"](instances) %}
/var/log/www/{{ service }}:
file.directory:
- user: nginx
- group: root
{% for instance, container in instances.items() %}
{% if 'host' in container %}
{% set vhost_config = salt["paas_docker.resolve_vhost_config_file"](service) %}
{{ dirs.etc }}/nginx/vhosts/{{ service }}/{{ instance }}.conf:
file.managed:
- source: salt://{{ vhost_config }}
- mode: 644
- makedirs: True
- template: jinja
- context:
service: {{ service }}
instance: {{ instance }}
fqdn: {{ container['host'] }}
app_port: {{ container['app_port'] }}
aliases: {{ container['aliases'] | default('', true) | join(" ") }}
# If the nginx configuration needs more key,
# pass directly the container dictionary.
args: {{ container }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
# -------------------------------------------------------------
# Log
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/etc/logrotate.d/nginx:
file.managed:
- source: salt://roles/paas-docker/nginx/files/logrotate/nginx.conf
diff --git a/roles/paas-docker/nginx/files/selinux/nginx.te b/roles/paas-docker/nginx/files/selinux/nginx.te
index b38d857..e6d5563 100644
--- a/roles/paas-docker/nginx/files/selinux/nginx.te
+++ b/roles/paas-docker/nginx/files/selinux/nginx.te
@@ -1,36 +1,35 @@
# -------------------------------------------------------------
# Configuration for Let's encrypt nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-27
# Description: SELinux policy for nginx
# Allow to serve containers generated files
# Source file: roles/paas-docker/nginx/files/selinux/nginx.te
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
policy_module(nginx, 1.1)
require {
type httpd_t;
type httpd_var_run_t;
type container_file_t;
type unconfined_service_t;
}
#============= httpd_t ==============
virt_exec_sandbox_files(httpd_t)
virt_read_sandbox_files(httpd_t)
allow httpd_t container_file_t:lnk_file read;
allow httpd_t container_file_t:file read;
# Allow to connect to UNIX sockets
allow httpd_t httpd_var_run_t:sock_file write;
allow httpd_t unconfined_service_t:unix_stream_socket connectto;
diff --git a/roles/paas-docker/nginx/files/vhosts/_default.conf b/roles/paas-docker/nginx/files/vhosts/_default.conf
index 3479e25..e33fe50 100644
--- a/roles/paas-docker/nginx/files/vhosts/_default.conf
+++ b/roles/paas-docker/nginx/files/vhosts/_default.conf
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-11
# Source file: roles/paas-docker/nginx/files/vhosts/_default.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/acme_dns.conf b/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
index 54d2448..2a587df 100644
--- a/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
+++ b/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
@@ -1,68 +1,67 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-02-04
# Source file: roles/paas-docker/nginx/files/vhosts/acme_dns.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
include includes/geo_nasqueron;
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
include includes/letsencrypt;
# ---------------------------------------------------------
# Public homepage
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root /var/wwwroot-502/acme.nasqueron.org;
location = / {
index index.html;
}
location = /index.html {
}
# ---------------------------------------------------------
# API
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
location / {
if ($not_a_nasqueron_server) {
return 403;
}
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
}
diff --git a/roles/paas-docker/nginx/files/vhosts/auth-grove.conf b/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
index 03a18c9..22a097c 100644
--- a/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
+++ b/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-22
# Source file: roles/paas-docker/nginx/files/vhosts/auth-grove.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/$server_name;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/base/fallback.conf b/roles/paas-docker/nginx/files/vhosts/base/fallback.conf
index 9f6d077..bfccc73 100644
--- a/roles/paas-docker/nginx/files/vhosts/base/fallback.conf
+++ b/roles/paas-docker/nginx/files/vhosts/base/fallback.conf
@@ -1,30 +1,29 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-02-18
# Source file: roles/paas-docker/nginx/files/vhosts/base/fallback.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name _;
location / {
root /var/wwwroot-content/_fallback;
index index.html;
error_log /var/log/www/_server/fallback-error.log;
access_log /var/log/www/_server/fallback-access.log;
try_files $uri $uri/ index.html;
}
}
diff --git a/roles/paas-docker/nginx/files/vhosts/base/server.conf b/roles/paas-docker/nginx/files/vhosts/base/server.conf
index 613c337..84baebd 100644
--- a/roles/paas-docker/nginx/files/vhosts/base/server.conf
+++ b/roles/paas-docker/nginx/files/vhosts/base/server.conf
@@ -1,70 +1,69 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-02-18
# Source file: roles/paas-docker/nginx/files/vhosts/base/server.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# TLS site
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://{{ fqdn }}$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
root /var/wwwroot-content/{{ fqdn }};
index index.html;
error_log /var/log/www/_server/base-error.log;
access_log /var/log/www/_server/base-access.log;
###
### API
###
location ~ [^/]\.json(/|$) {
include includes/cors-open;
}
}
# -------------------------------------------------------------
# Probably not any TLS certificate available, so serve on :80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ ipv4 }} {{ ipv6 }} localhost;
error_log /var/log/www/_server/base-error.log;
access_log /var/log/www/_server/base-access.log;
location / {
root /var/wwwroot-content/{{ fqdn }};
index index.html;
}
}
diff --git a/roles/paas-docker/nginx/files/vhosts/cachet.conf b/roles/paas-docker/nginx/files/vhosts/cachet.conf
index 84ad0f6..59b05e0 100644
--- a/roles/paas-docker/nginx/files/vhosts/cachet.conf
+++ b/roles/paas-docker/nginx/files/vhosts/cachet.conf
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-09
# Source file: roles/paas-docker/nginx/files/vhosts/cachet.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/{{ fqdn }};
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/etherpad.conf b/roles/paas-docker/nginx/files/vhosts/etherpad.conf
index 142bc7f..bbac71d 100644
--- a/roles/paas-docker/nginx/files/vhosts/etherpad.conf
+++ b/roles/paas-docker/nginx/files/vhosts/etherpad.conf
@@ -1,52 +1,51 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-08
# Source file: roles/paas-docker/nginx/files/vhosts/etherpad.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }} {{ aliases }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }} {{ aliases }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
root /var/wwwroot-502/$server_name;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/hauk.conf b/roles/paas-docker/nginx/files/vhosts/hauk.conf
index d0342cb..de93f8c 100644
--- a/roles/paas-docker/nginx/files/vhosts/hauk.conf
+++ b/roles/paas-docker/nginx/files/vhosts/hauk.conf
@@ -1,60 +1,59 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2021-07-30
# Source file: roles/paas-docker/nginx/files/vhosts/hauk.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Application - {{ fqdn }}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location {{ args['api_entry_point'] }}/ {
add_header Referrer-Policy same-origin always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "noindex, nofollow" always;
rewrite ^{{ args['api_entry_point'] }}(/.*)$ $1 break;
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/jenkins.conf b/roles/paas-docker/nginx/files/vhosts/jenkins.conf
index 7f164a6..a1b848e 100644
--- a/roles/paas-docker/nginx/files/vhosts/jenkins.conf
+++ b/roles/paas-docker/nginx/files/vhosts/jenkins.conf
@@ -1,54 +1,53 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-03-12
# Source file: roles/paas-docker/nginx/files/vhosts/jenkins.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect http:// https://;
# Required for new HTTP-based CLI
# https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/openfire.conf b/roles/paas-docker/nginx/files/vhosts/openfire.conf
index 0f69865..1f8b4d3 100644
--- a/roles/paas-docker/nginx/files/vhosts/openfire.conf
+++ b/roles/paas-docker/nginx/files/vhosts/openfire.conf
@@ -1,76 +1,75 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-11
# Source file: roles/paas-docker/nginx/files/vhosts/openfire.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Application - {{ fqdn }}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://{{ args['ip'] }}:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
{%- if aliases %}
# -------------------------------------------------------------
# Redirects for app aliases domains
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ aliases }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
return 301 https://{{ fqdn }}$request_uri;
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
{%- endif %}
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
index 8268d35..0c4df11 100644
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -1,206 +1,205 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-11
# Source file: roles/paas-docker/nginx/files/vhosts/phabricator.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include includes/geo_flood_datacenter;
# -------------------------------------------------------------
# Application - {{ fqdn }}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/letsencrypt;
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/proxy_params;
proxy_redirect off;
if ($is_flood_datacenter) {
# Closes the connection - temporary mitigation
return 444;
}
location / {
proxy_pass http://localhost:{{ app_port }};
}
location ~ ^/maniphest/task/create {
rewrite ^/maniphest/task/create/?(.*) /maniphest/task/edit/form/1/$1;
}
location = /ws/ {
proxy_pass http://localhost:22280;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 999999999;
}
#502 error
root /var/wwwroot-502/{{ fqdn }};
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
# -------------------------------------------------------------
# Static content
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ args['static_host'] }};
return 301 https://$host$request_uri;
}
server {
server_name {{ args['static_host'] }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
{%- if 'blogs' in args %}
{%- for blog_name, blog in args['blogs'].items() %}
# -------------------------------------------------------------
# Phame domains for {{ blog_name }}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ blog['host'] }};
return 301 https://$host$request_uri;
}
server {
server_name {{ blog['host'] }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
# Fixes invalid URLs resolved to phame instead of DevCentral
location ~ T[0.9]* {
rewrite ^ http://{{ fqdn }}$request_uri? redirect;
}
# Fixes invalid URLs resolved to phame instead of DevCentral
location /tag/ {
rewrite ^ http://{{ fqdn }}$request_uri? redirect;
}
# 502 error
root /var/wwwroot-502/{{ fqdn }};
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
# -------------------------------------------------------------
# Phame domains for {{ blog_name }} — aliases
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ blog['aliases']|join(' ') }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
return 301 https://{{ blog['host'] }}$request_uri;
}
{%- endfor %}
{%- endif %}
{%- if aliases %}
# -------------------------------------------------------------
# Redirects for app aliases domains
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ aliases }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
return 301 https://{{ fqdn }}$request_uri;
}
{%- endif %}
diff --git a/roles/paas-docker/nginx/files/vhosts/pixelfed.conf b/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
index 5856d23..e5e389a 100644
--- a/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
+++ b/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
@@ -1,57 +1,56 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-11-16
# Source file: roles/paas-docker/nginx/files/vhosts/pixelfed.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
location /.well-known/change-password {
return 301 /settings/password;
}
# Allow @username to be coherent with Mastodon
location ~ /@(.*) {
return 301 /$1;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf b/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
index 3b19a58..61448e0 100644
--- a/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
+++ b/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
@@ -1,52 +1,51 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-09-30
# Source file: roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Application - {{ fqdn }}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://{{ args['ip'] }}:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/registry.conf b/roles/paas-docker/nginx/files/vhosts/registry.conf
index ca72060..fa195d7 100644
--- a/roles/paas-docker/nginx/files/vhosts/registry.conf
+++ b/roles/paas-docker/nginx/files/vhosts/registry.conf
@@ -1,60 +1,59 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-11-13
# Source file: roles/paas-docker/nginx/files/vhosts/registry.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
{%- for ip in args['allowed_ips'] %}
allow {{ ip }};
{%- endfor %}
deny all;
# Allows large image uploads, with chunked transfers (avoids HTTP 411 and 413)
client_max_body_size 0;
chunked_transfer_encoding on;
proxy_pass http://localhost:{{ app_port }};
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/files/vhosts/tommy.conf b/roles/paas-docker/nginx/files/vhosts/tommy.conf
index 7e45b61..b340686 100644
--- a/roles/paas-docker/nginx/files/vhosts/tommy.conf
+++ b/roles/paas-docker/nginx/files/vhosts/tommy.conf
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Configuration for Docker PaaS front-end nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-09-20
# Source file: roles/paas-docker/nginx/files/vhosts/tommy.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
server {
listen 80;
listen [::]:80;
server_name {{ fqdn }} {{ aliases }};
include includes/letsencrypt;
return 301 https://$host$request_uri;
}
server {
server_name {{ fqdn }} {{ aliases }};
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
include includes/letsencrypt;
location / {
proxy_pass http://localhost:{{ app_port }};
include includes/proxy_params;
proxy_redirect off;
}
root /var/wwwroot-502/_default;
error_page 502 /502.html;
location /502.html {}
error_log /var/log/www/{{ service }}/{{ instance }}-error.log;
access_log /var/log/www/{{ service }}/{{ instance }}-access.log;
}
diff --git a/roles/paas-docker/nginx/firewall.sls b/roles/paas-docker/nginx/firewall.sls
index 8d74f24..428ce1c 100644
--- a/roles/paas-docker/nginx/firewall.sls
+++ b/roles/paas-docker/nginx/firewall.sls
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os_family'] == 'RedHat' %}
nginx_enable_firewall:
firewalld.present:
- name: public
- prune_services: False
- services:
- http
- https
nginx_enable_firewall_reload:
service.running:
- name: firewalld
- reload: True
- watch:
- firewalld: nginx_enable_firewall
{% endif %}
diff --git a/roles/paas-docker/nginx/init.sls b/roles/paas-docker/nginx/init.sls
index 9b9000b..ee430bc 100644
--- a/roles/paas-docker/nginx/init.sls
+++ b/roles/paas-docker/nginx/init.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .config
- .selinux
- .firewall
diff --git a/roles/paas-docker/nginx/selinux.sls b/roles/paas-docker/nginx/selinux.sls
index ae33c40..e65f7cb 100644
--- a/roles/paas-docker/nginx/selinux.sls
+++ b/roles/paas-docker/nginx/selinux.sls
@@ -1,49 +1,48 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% if grains['os_family'] == 'RedHat' %}
# On Fedora and downstreams, SELinux restricts the capability
# of HTTP server to connect to external servers.
#
# This feature allows nginx to connect to other servers,
# and so to act as a front-end server through proxy_pass.
httpd_can_network_connect:
selinux.boolean:
- value: True
- persist: True
# -------------------------------------------------------------
# Custom SELinux policies
#
# :: Give access to container files Let's Encrypt (T1364)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
policycoreutils-devel:
pkg.installed
/usr/local/share/selinux/nginx.te:
file.managed:
- source: salt://roles/paas-docker/nginx/files/selinux/nginx.te
- makedirs: True
/usr/local/share/selinux/nginx.pp:
cmd.run:
- name: make -f /usr/share/selinux/devel/Makefile nginx.pp
- creates: /usr/local/share/selinux/nginx.pp
- cwd: /usr/local/share/selinux
install_selinux_nginx_module:
cmd.run:
- name: semodule -i nginx.pp
- cwd: /usr/local/share/selinux
- onchanges:
- cmd: /usr/local/share/selinux/nginx.pp
{% endif %}
diff --git a/roles/paas-docker/nginx/software.sls b/roles/paas-docker/nginx/software.sls
index 02c1287..c76eeeb 100644
--- a/roles/paas-docker/nginx/software.sls
+++ b/roles/paas-docker/nginx/software.sls
@@ -1,25 +1,24 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginx_software:
pkg.installed:
- pkgs:
- nginx
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginx_service:
service.running:
- name: nginx
- enable: true
diff --git a/roles/paas-docker/salt/init.sls b/roles/paas-docker/salt/init.sls
index f3b1a0a..a5b954a 100644
--- a/roles/paas-docker/salt/init.sls
+++ b/roles/paas-docker/salt/init.sls
@@ -1,35 +1,34 @@
# -------------------------------------------------------------
# Salt — Salt configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Dependencies for Docker Salt minions
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
required_python_packages_for_docker_and_salt:
pkg.installed:
- name: {{ packages_prefixes.python3 }}pip
pip.installed:
- name: docker < 6.0
- reload_modules: True
- require:
- pkg: required_python_packages_for_docker_and_salt
# -------------------------------------------------------------
# Wrapper to fetch a credential
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
credential_dependencies:
pkg.installed:
- name: jq
{{ dirs.bin }}/credential:
file.managed:
- source: salt://roles/paas-docker/salt/files/credential.sh
- mode: 755
diff --git a/roles/paas-docker/systemd-unit/files/docker-containers.service b/roles/paas-docker/systemd-unit/files/docker-containers.service
index 9a9e785..6b9c70c 100644
--- a/roles/paas-docker/systemd-unit/files/docker-containers.service
+++ b/roles/paas-docker/systemd-unit/files/docker-containers.service
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2015-12-29
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/systemd-unit/files/docker-containers.service
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Service]
Type=simple
RemainAfterExit=yes
ExecStart=docker-paas-start-containers
ExecStop=docker-paas-stop-containers
diff --git a/roles/paas-docker/systemd-unit/files/docker-paas-start-containers.sh b/roles/paas-docker/systemd-unit/files/docker-paas-start-containers.sh
index 56a8594..dbe021a 100644
--- a/roles/paas-docker/systemd-unit/files/docker-paas-start-containers.sh
+++ b/roles/paas-docker/systemd-unit/files/docker-paas-start-containers.sh
@@ -1,19 +1,18 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2015-12-29
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/systemd-unit/files/docker-paas-start-containers.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
docker-paas-list-containers | xargs docker start
diff --git a/roles/paas-docker/systemd-unit/files/docker-paas-stop-containers.sh b/roles/paas-docker/systemd-unit/files/docker-paas-stop-containers.sh
index e062cbe..ff0c47a 100644
--- a/roles/paas-docker/systemd-unit/files/docker-paas-stop-containers.sh
+++ b/roles/paas-docker/systemd-unit/files/docker-paas-stop-containers.sh
@@ -1,19 +1,18 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2015-12-29
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/systemd-unit/files/docker-paas-stop-containers.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
docker-paas-list-containers | tac | xargs docker stop
diff --git a/roles/paas-docker/wrappers/files/mysql.sh b/roles/paas-docker/wrappers/files/mysql.sh
index 4b4e7d2..ae8eaa6 100755
--- a/roles/paas-docker/wrappers/files/mysql.sh
+++ b/roles/paas-docker/wrappers/files/mysql.sh
@@ -1,51 +1,50 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2015-04-21
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/wrappers/files/mysql.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
if [ "$#" -eq 0 ]; then
echo "Usage: $0 <container name>" 1>&2;
exit 1
fi
# -------------------------------------------------------------
# Determine and validate MySQL container
#
# Validation code by Erik Kristensen <erik@erikkristensen.com>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CONTAINER=$1
shift
RUNNING=$(docker inspect --format="{{ .State.Running }}" "$CONTAINER" 2> /dev/null)
if [ $? -eq 1 ]; then
echo "$0: $CONTAINER does not exist."
exit 3
fi
if [ "$RUNNING" = "false" ]; then
echo "$0: $CONTAINER is not running."
exit 2
fi
# -------------------------------------------------------------
# Run container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker run -it --rm \
--link "$CONTAINER:mysql" \
nasqueron/mysql sh -c 'exec mysql -h"$MYSQL_PORT_3306_TCP_ADDR" -P"$MYSQL_PORT_3306_TCP_PORT" -uroot -p"$MYSQL_ENV_MYSQL_ROOT_PASSWORD"'
diff --git a/roles/paas-docker/wrappers/files/openfire.sh b/roles/paas-docker/wrappers/files/openfire.sh
index ef8c980..816132c 100644
--- a/roles/paas-docker/wrappers/files/openfire.sh
+++ b/roles/paas-docker/wrappers/files/openfire.sh
@@ -1,87 +1,86 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2019-01-01
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/wrappers/files/openfire.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
getcommandname() {
basename "$0"
}
usage() {
echo "Usage: $(getcommandname) <command>"
exit 1
}
unknown_command() {
echo "$(getcommandname): $COMMAND: unknown command"
usage
}
# -------------------------------------------------------------
# Commands
#
# :: propagate-certificate: copy a certificate into a Java keystore file
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
propagate_certificate() {
DOMAIN=$1
SOURCE=/srv/letsencrypt/etc/live/$DOMAIN
TARGET=/srv/$INSTANCE/conf/security/tmp
# Per Openfire src/java/org/jivesoftware/multiplexer/net/SSLConfig.java
# This is used as a blank password.
PASS=changeit
if [ -z "$DOMAIN" ]; then
echo "Please append the FQDN of the certificate to propagate (CN, not alt name)" >&2
exit 2
fi
mkdir -p "$TARGET"
openssl pkcs12 -export -out "$TARGET/cert-to-import.p12" -in "$SOURCE/fullchain.pem" -inkey "$SOURCE/privkey.pem" -name "$DOMAIN" -password "pass:$PASS"
docker exec "$INSTANCE" keytool -delete -keystore /var/lib/openfire/conf/security/keystore -storepass "$PASS" -alias "$DOMAIN"
docker exec "$INSTANCE" keytool -importkeystore -deststorepass "$PASS" -srcstorepass "$PASS" -destkeystore /var/lib/openfire/conf/security/keystore -srckeystore "/var/lib/$INSTANCE/conf/security/tmp/cert-to-import.p12" -srcstoretype PKCS12 -deststoretype pkcs12
rm -R "$TARGET"
}
# -------------------------------------------------------------
# Check arguments
#
# $1: instance name
# $2: command
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $# -lt 2 ]; then
usage
fi
COMMAND=$1
INSTANCE=$2
shift 2
# -------------------------------------------------------------
# Run command
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$COMMAND" = "propagate-certificate" ]; then
propagate_certificate "$1"
else
unknown_command
fi
diff --git a/roles/paas-docker/wrappers/files/pad-delete.py b/roles/paas-docker/wrappers/files/pad-delete.py
index 4184f84..fe6b606 100644
--- a/roles/paas-docker/wrappers/files/pad-delete.py
+++ b/roles/paas-docker/wrappers/files/pad-delete.py
@@ -1,38 +1,37 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-10
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/wrappers/files/pad-delete.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
from urllib.request import urlopen
import json
import sys
API_KEY_FILE = "/srv/pad/APIKEY.txt"
PAD_HOST = "pad.nasqueron.org"
# Read API key
with open(API_KEY_FILE) as api_file:
key = api_file.read().strip()
# Fire request
url = "https://" + PAD_HOST + "/api/1/deletePad?apikey=" + key + "&padID=" + pad
contents = urlopen(url).read()
# Report result
result = json.loads(contents)
print(result["message"])
sys.exit(result["code"])
diff --git a/roles/paas-docker/wrappers/files/phpbb.sh b/roles/paas-docker/wrappers/files/phpbb.sh
index b59704a..6bcd412 100755
--- a/roles/paas-docker/wrappers/files/phpbb.sh
+++ b/roles/paas-docker/wrappers/files/phpbb.sh
@@ -1,77 +1,76 @@
#!/bin/sh
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-27
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/wrappers/files/phpbb.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Configuration required by Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MYSQL_CONTAINER=phpbb_db
MYSQL_IMAGE=nasqueron/mysql
# -------------------------------------------------------------
# Helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
getcommandname() {
basename "$0"
}
usage() {
echo "Usage: $(getcommandname) <command>"
exit 1
}
unknown_command() {
echo "$(getcommandname): $COMMAND: unknown command"
usage
}
# -------------------------------------------------------------
# Commands
#
# :: phpbb storage: connects to MySQL database
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
phpbb_storage() {
docker run -it --rm --link $MYSQL_CONTAINER:mysql $MYSQL_IMAGE \
sh -c 'exec mysql -h"$MYSQL_PORT_3306_TCP_ADDR" -P"$MYSQL_PORT_3306_TCP_PORT" -uroot -p"$MYSQL_ENV_MYSQL_ROOT_PASSWORD"'
}
# -------------------------------------------------------------
# Check arguments
#
# $1: wiki name (database name or alias)
# $2: script to call
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $# -lt 1 ]; then
usage
fi
COMMAND=$1
shift 1
# -------------------------------------------------------------
# Run command
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$COMMAND" = "storage" ]; then
phpbb_storage
else
unknown_command
fi
diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls
index eda18dc..a2b2dfe 100644
--- a/roles/paas-docker/wrappers/init.sls
+++ b/roles/paas-docker/wrappers/init.sls
@@ -1,57 +1,56 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Wrapper binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for command in ['jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate', 'run-report'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh
- mode: 755
{% endfor %}
{% for command in ['airflow', 'sentry'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/run-by-realm.sh.jinja
- mode: 755
- template: jinja
- context:
service: {{ command }}
{% endfor %}
{% for command in ['pad-delete'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.py
- mode: 755
{% endfor %}
# -------------------------------------------------------------
# Required directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
/srv/geoip:
file.directory
{% if has_selinux %}
selinux_context_geoip_data:
selinux.fcontext_policy_present:
- name: /srv/geoip
- sel_type: container_file_t
selinux_context_geoip_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/geoip
{% endif %}
diff --git a/roles/paas-docker/wwwroot-502/init.sls b/roles/paas-docker/wwwroot-502/init.sls
index 0b9570c..432ae2f 100644
--- a/roles/paas-docker/wwwroot-502/init.sls
+++ b/roles/paas-docker/wwwroot-502/init.sls
@@ -1,29 +1,28 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
/var/wwwroot-502:
file.recurse:
- source: salt://wwwroot/502
- exclude_pat: E@.git
- include_empty: True
- dir_mode: 755
- file_mode: 644
{% if has_selinux %}
wwwroot_502_selinux_context:
selinux.fcontext_policy_present:
- name: /var/wwwroot-502(/.*)?
- sel_type: httpd_sys_rw_content_t
wwwroot_502_selinux_context_applied:
selinux.fcontext_policy_applied:
- name: /var/wwwroot-502
- recursive: True
{% endif %}
diff --git a/roles/paas-docker/wwwroot-content/base.sls b/roles/paas-docker/wwwroot-content/base.sls
index 78986cd..1c5cab0 100644
--- a/roles/paas-docker/wwwroot-content/base.sls
+++ b/roles/paas-docker/wwwroot-content/base.sls
@@ -1,20 +1,19 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/var/wwwroot-content/{{ grains['fqdn'] }}/index.html:
file.managed:
- contents: Welcome to {{ grains['fqdn'] }}.
- replace: False
- makedirs: True
- mode: 644
/var/wwwroot-content/_fallback/index.html:
file.managed:
- source: salt://roles/paas-docker/wwwroot-content/files/domain-not-found.html
- makedirs: True
- mode: 644
diff --git a/roles/paas-docker/wwwroot-content/init.sls b/roles/paas-docker/wwwroot-content/init.sls
index 22303cc..8f755e9 100644
--- a/roles/paas-docker/wwwroot-content/init.sls
+++ b/roles/paas-docker/wwwroot-content/init.sls
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .base
- .selinux
diff --git a/roles/paas-docker/wwwroot-content/selinux.sls b/roles/paas-docker/wwwroot-content/selinux.sls
index 83642ca..ce3344b 100644
--- a/roles/paas-docker/wwwroot-content/selinux.sls
+++ b/roles/paas-docker/wwwroot-content/selinux.sls
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-18
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% if has_selinux %}
wwwroot_content_selinux_context:
selinux.fcontext_policy_present:
- name: /var/wwwroot-content(/.*)?
- sel_type: httpd_sys_rw_content_t
wwwroot_content_selinux_context_applied:
selinux.fcontext_policy_applied:
- name: /var/wwwroot-content
- recursive: True
{% endif %}
diff --git a/roles/paas-jails/init.sls b/roles/paas-jails/init.sls
index 4af65f8..ca93ea1 100644
--- a/roles/paas-jails/init.sls
+++ b/roles/paas-jails/init.sls
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
# Salt — Jails
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Notes: FreeBSD-only role
-# Created: 2017-10-21
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .jails
diff --git a/roles/paas-jails/jails/init.sls b/roles/paas-jails/jails/init.sls
index b5ab421..9bdfe19 100644
--- a/roles/paas-jails/jails/init.sls
+++ b/roles/paas-jails/jails/init.sls
@@ -1,63 +1,62 @@
# -------------------------------------------------------------
# Salt — Jails
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Notes: FreeBSD-only unit
-# Created: 2017-10-21
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Software to manage jails
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ezjail:
pkg.installed
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
jails_rc_jail:
file.managed:
- name: /etc/rc.conf.d/jail
- source: salt://roles/paas-jails/jails/files/jail.rc
- template: jinja
- context:
jails: {{ salt['jails.flatlist']() }}
jails_rc_netif:
file.managed:
- name: /etc/rc.conf.d/netif/jails
- makedirs: True
- source: salt://roles/paas-jails/jails/files/netif.rc
jails_rc_ezjail:
file.managed:
- name: /etc/rc.conf.d/ezjail
- source: salt://roles/paas-jails/jails/files/ezjail.rc
# -------------------------------------------------------------
# Build master jail
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
generate_basejail:
cmd.run:
- name: ezjail-admin install -p
- creates: /usr/jails/basejail
/usr/jails/newjail/etc/resolv.conf:
file.managed:
- source: salt://roles/paas-jails/jails/files/resolv.conf
# -------------------------------------------------------------
# Build applications/services jails
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for jail in salt['jails.list_jails']() %}
{% set ips = salt['jails.get_ezjail_ips_parameter'](jail) %}
generate_jail_{{ jail }}:
cmd.run:
- name: ezjail-admin create {{ jail }} {{ ips | yaml_encode }}
- creates: /usr/jails/{{ jail }}
{% endfor %}
diff --git a/roles/paas-lxc/lxc/init.sls b/roles/paas-lxc/lxc/init.sls
index b0cc8c7..f8cfec1 100644
--- a/roles/paas-lxc/lxc/init.sls
+++ b/roles/paas-lxc/lxc/init.sls
@@ -1,20 +1,19 @@
# -------------------------------------------------------------
# Salt — LXC
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-04-29
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lxc_packages:
pkg.installed:
- pkgs:
- lxc
{% if grains['os_family'] == 'RedHat' %}
- lxc-extra
- lxc-templates
{% endif %}
diff --git a/roles/phabricator/arcanist/files/arc.sh b/roles/phabricator/arcanist/files/arc.sh
index e91687a..190b3d8 100755
--- a/roles/phabricator/arcanist/files/arc.sh
+++ b/roles/phabricator/arcanist/files/arc.sh
@@ -1,73 +1,72 @@
#!/bin/sh
# -------------------------------------------------------------
# Phabricator — Arcanist Docker container wrapper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
-# Created: 2016-01-01
# Description: Wrapper to run Arcanist as a Docker container
# License: Trivial work, not eligible to copyright
# Image: nasqueron/arcanist
# Source file: roles/phabricator/arcanist/files/arc.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Parse arguments
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ -t 0 ]; then
# If a stdin entry is available
# launch the container in the
# interactive mode
FLAGS=-it
fi
# Logs are default disabled
PRINT_LOG=0
if [ "$1" = "shell" ]; then
# Launch commands
# in the container bash shell
shift
COMMAND=bash
else
# Launch arc
mkdir -p ~/.arc
COMMAND=arc
if [ "$1" = "call-conduit" ]; then
# Enable log printing
PRINT_LOG=1
# Set a random name for the container
INSTANCE="arc-"$(openssl rand -hex 21)
FLAGS="-i -a=stdin --name=$INSTANCE"
fi
fi
if [ -d ~/.arc/ssh ]; then
VOLUME_SSH="-v $HOME/.arc/ssh:/root/.ssh"
else
VOLUME_SSH=""
fi
# -------------------------------------------------------------
# Run container
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $PRINT_LOG -eq 0 ]; then
docker run "$FLAGS" --rm -v ~/.arc:/opt/config -v "$PWD":/opt/workspace "$VOLUME_SSH" nasqueron/arcanist $COMMAND "$@"
else
docker run "$FLAGS" -v ~/.arc:/opt/config -v "$PWD":/opt/workspace "$VOLUME_SSH" nasqueron/arcanist $COMMAND "$@" > /dev/null
sleep 3
docker logs "$INSTANCE"
docker rm "$INSTANCE" >/dev/null
fi
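Review bot: Quoting `"$FLAGS"` and `"$VOLUME_SSH"` on the two docker run lines at the end of the hunk defeats the word splitting the script relies on: when no tty is attached FLAGS is unset and docker receives an empty positional argument it will reject, and in the call-conduit case `-i -a=stdin --name=…` arrives as one unrecognised flag instead of three. VOLUME_SSH has the same problem, since its `-v src:dst` value is meant to be two words. The smallest fix is to leave those two expansions unquoted on both lines and mark it deliberate, e.g. `# shellcheck disable=SC2086  # FLAGS and VOLUME_SSH hold several words on purpose` above `docker run $FLAGS --rm -v ~/.arc:/opt/config -v "$PWD":/opt/workspace $VOLUME_SSH nasqueron/arcanist $COMMAND "$@"`. INSTANCE is only set in the call-conduit branch, which is also the only branch that sets PRINT_LOG=1, so the logs/rm path at the bottom is consistent with that.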
diff --git a/roles/phabricator/containers/files/run-aphlict.sh b/roles/phabricator/containers/files/run-aphlict.sh
index 0076c04..41a7b14 100755
--- a/roles/phabricator/containers/files/run-aphlict.sh
+++ b/roles/phabricator/containers/files/run-aphlict.sh
@@ -1,33 +1,32 @@
#!/bin/sh
# -------------------------------------------------------------
# Phabricator — Aphlict notifications server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
-# Created: 2016-03-28
# Description: Node application to get real time notifications
# through websockets for Phabricator instances.
# License: Trivial work, not eligible to copyright
# Image: nasqueron/aphlict
# Source file: roles/phabricator/containers/files/run-aphlict.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Container parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
INSTANCE_NAME=aphlict
# -------------------------------------------------------------
# Container launch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker run -dt --name $INSTANCE_NAME -p 22280:22280 -p 22281:22281 nasqueron/aphlict
diff --git a/roles/phabricator/containers/files/run-devcentral.sh b/roles/phabricator/containers/files/run-devcentral.sh
index a182d20..fad5ece 100755
--- a/roles/phabricator/containers/files/run-devcentral.sh
+++ b/roles/phabricator/containers/files/run-devcentral.sh
@@ -1,101 +1,100 @@
#!/bin/sh
# -------------------------------------------------------------
# Phabricator — Nasqueron instance
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
# Project: Nasqueron
-# Created: 2015-04-22
# Description: Phabricator instance for Nasqueron
# License: Trivial work, not eligible to copyright
# Image: nasqueron/phabricator
# Source file: roles/phabricator/containers/files/run-devcentral.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Container parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#IMAGE=nasqueron/phabricator
IMAGE=nasqueron/devcentral:2025-10-02
INSTANCE_NAME=devcentral
PORT=31080
DOMAIN=$INSTANCE_NAME.nasqueron.org
DATA_DIRECTORY=/srv/phabricator/$INSTANCE_NAME
MYSQL_INSTANCE=acquisitariat
# -------------------------------------------------------------
# Phabricator parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PHABRICATOR_URL=https://$DOMAIN
PHABRICATOR_TITLE="Nasqueron DevCentral"
PHABRICATOR_ALT_FILE_DOMAIN="https://devcentral.nasqueron-user-content.org/"
# -------------------------------------------------------------
# Deployment of our Phabricator code parameters
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REPO_LOGIN=git
REPO_HOST=bitbucket.org
PHABRICATOR_PROD_REPO="ssh://git@bitbucket.org/nasqueron/devcentral-phabricator"
PHABRICATOR_PROD_BRANCH=production
# -------------------------------------------------------------
# Ensure container isn't already running
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker-container-status $INSTANCE_NAME > /dev/null
if [ "$?" -lt 2 ]; then
echo "Container is already running."
echo "To force relaunch, try docker stop $INSTANCE_NAME ; docker rm $INSTANCE_NAME ; $0"
exit 1
fi
# -------------------------------------------------------------
# Container launch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker run -t -d \
--link $MYSQL_INSTANCE:mysql \
-v $DATA_DIRECTORY/repo:/var/repo \
-v $DATA_DIRECTORY/conf:/opt/phabricator/conf \
-v $DATA_DIRECTORY/files:/var/files \
-p $PORT:80 \
-p 5022:5022 \
-e PHABRICATOR_URL=$PHABRICATOR_URL \
-e PHABRICATOR_TITLE="$PHABRICATOR_TITLE" \
-e PHABRICATOR_ALT_FILE_DOMAIN="$PHABRICATOR_ALT_FILE_DOMAIN" \
-e PHABRICATOR_PROD_REPO=$PHABRICATOR_PROD_REPO \
-e PHABRICATOR_PROD_BRANCH=$PHABRICATOR_PROD_BRANCH \
-e PHABRICATOR_USE_MAILGUN=1 \
-e PHABRICATOR_DOMAIN=$DOMAIN \
--name $INSTANCE_NAME $IMAGE /usr/local/sbin/runsvdir-init
# -------------------------------------------------------------
# DevCentral specific branch deployment
#
# Deploys our version
# As we change static resources, restart php-fpm is a good idea:
# if someone asks the page while we were pulling our version,
# the old celerity map would be kept by APCu.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker exec $INSTANCE_NAME sh -c 'mkdir -p /root/.ssh && \
cp /opt/phabricator/conf/deploy-keys/* /root/.ssh'
docker exec $INSTANCE_NAME ssh -o StrictHostKeyChecking=no ${REPO_LOGIN}@${REPO_HOST}
docker exec $INSTANCE_NAME sh -c 'cd /opt/phabricator && \
git remote add private "$PHABRICATOR_PROD_REPO" && \
git fetch --all && \
git checkout $PHABRICATOR_PROD_BRANCH && \
sv restart php-fpm && sv restart phd'
echo "Deployment done at $(date)."
exit 0
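Review bot: The probe `docker exec $INSTANCE_NAME ssh -o StrictHostKeyChecking=no ${REPO_LOGIN}@${REPO_HOST}` in the deployment block accepts whatever host key the first connection presents, and the `git fetch --all` that follows trusts the known_hosts entry that probe just wrote, so the production branch and the deploy key are only as safe as the network path on first contact. Since `/opt/phabricator/conf/deploy-keys/*` is already copied into `/root/.ssh`, a pinned `known_hosts` for the repository host can ship in that directory and the probe can be dropped (or kept with the default strict checking), so a mismatching key fails the run instead of being silently accepted. `PHABRICATOR_PROD_REPO` also hard-codes the same login and host that REPO_LOGIN and REPO_HOST describe; deriving it as `PHABRICATOR_PROD_REPO="ssh://${REPO_LOGIN}@${REPO_HOST}/nasqueron/devcentral-phabricator"` keeps the probe and the fetch pointed at one endpoint.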
diff --git a/roles/saas-mediawiki/account/init.sls b/roles/saas-mediawiki/account/init.sls
index 719c688..dc5dfb0 100644
--- a/roles/saas-mediawiki/account/init.sls
+++ b/roles/saas-mediawiki/account/init.sls
@@ -1,33 +1,32 @@
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set fqdn = pillar["mediawiki_saas"]["main_fqdn"] %}
# -------------------------------------------------------------
# Service account
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mediawiki_group:
group.present:
- name: mediawiki
- gid: 3004
- system: True
mediawiki_account:
user.present:
- name: mediawiki
- fullname: MediaWiki SaaS
- uid: 3004
- gid: 3004
- system: True
- home: /var/run/web/{{ fqdn }}
/var/tmp/php/sessions/{{ fqdn }}:
file.directory:
- mode: 700
- user: mediawiki
diff --git a/roles/saas-mediawiki/data/init.sls b/roles/saas-mediawiki/data/init.sls
index 96b72d5..e78300c 100644
--- a/roles/saas-mediawiki/data/init.sls
+++ b/roles/saas-mediawiki/data/init.sls
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/var/dataroot:
file.directory
{% for store in pillar['mediawiki_datastores'] %}
# $wgUploadDirectory
/var/dataroot/{{ store }}/images:
file.directory:
- user: mediawiki
- group: mediawiki
- makedirs: True
# $wgCacheDirectory
/var/cache/mediawiki/{{ store }}:
file.directory:
- user: mediawiki
- group: mediawiki
- makedirs: True
{% endfor %}
diff --git a/roles/saas-mediawiki/init.sls b/roles/saas-mediawiki/init.sls
index ff0fca9..e4a7ba7 100644
--- a/roles/saas-mediawiki/init.sls
+++ b/roles/saas-mediawiki/init.sls
@@ -1,14 +1,13 @@
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .account
- .saas
- .mediawiki
- .software
- .nginx
diff --git a/roles/saas-mediawiki/mediawiki/files/LocalSettings.php b/roles/saas-mediawiki/mediawiki/files/LocalSettings.php
index 50818de..439238b 100644
--- a/roles/saas-mediawiki/mediawiki/files/LocalSettings.php
+++ b/roles/saas-mediawiki/mediawiki/files/LocalSettings.php
@@ -1,20 +1,19 @@
<?php
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-17
# Description: Calls saas-mediawiki configuration directory
# License: Trivial work, not eligible to copyright
# Source file: roles/saas-mediawiki/mediawiki/init.sls
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
require '{{ directory }}/LocalSettings.php';
diff --git a/roles/saas-mediawiki/software/files/mw.sh.jinja b/roles/saas-mediawiki/software/files/mw.sh.jinja
index db89055..2ee8736 100755
--- a/roles/saas-mediawiki/software/files/mw.sh.jinja
+++ b/roles/saas-mediawiki/software/files/mw.sh.jinja
@@ -1,103 +1,102 @@
#!/bin/sh
# -------------------------------------------------------------
# mw
#
# Call a MediaWiki script
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-03-21
# Licence: BSD-2-Clause
# Source file: roles/saas-mediawiki/software/files/mw.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
MEDIAWIKI_DIRECTORY={{ saas.mediawiki_directory }}
# -------------------------------------------------------------
# Configuration required by the MediaWiki or the SaaS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MEDIAWIKI_ENTRY_POINT={{ saas.mediawiki_directory }}/index.php
DB_HOST={{ saas.db.host }}
DB_USER={{ saas.db.user }}
# Allow to run arbitrary scripts outside the main directory
MW_INSTALL_PATH={{ saas.mediawiki_directory }}
# -------------------------------------------------------------
# Helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
getcommandname() {
basename "$0"
}
# -------------------------------------------------------------
# Check arguments
#
# $1: wiki name (database name or alias)
# $2: script to call
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $# -lt 2 ]; then
echo "Usage: $0 <maintenance script to call> <wiki> [arguments]" >&2
exit 1
fi
SCRIPT=$1
WIKI=$2
# Other arguments are for the maintenance script
shift 2
# -------------------------------------------------------------
# Determine host
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
HTTP_HOST=$(saas-mediawiki-get-host "$WIKI")
HTTP_HOST_EXIT_CODE=$?
if [ $HTTP_HOST_EXIT_CODE -ne 0 ]; then
exit $HTTP_HOST_EXIT_CODE
fi
SERVER_NAME=$HTTP_HOST
# -------------------------------------------------------------
# Determine script path
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Appends .php if string doesn't contain it
test "${SCRIPT#*.php}" != "$SCRIPT" || SCRIPT="$SCRIPT.php"
# By default, scripts are located in maintenance wgCacheDirectory
if [ "${SCRIPT#/}" == "$SCRIPT" ]; then
FULL_SCRIPT_PATH=$MEDIAWIKI_DIRECTORY/maintenance/$SCRIPT
else
FULL_SCRIPT_PATH=$SCRIPT
fi
if [ ! -f "$FULL_SCRIPT_PATH" ]; then
echo "$(getcommandname): $FULL_SCRIPT_PATH: No such file" >&2
exit 64
fi
# -------------------------------------------------------------
# Run script
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
export MEDIAWIKI_ENTRY_POINT
export DB_HOST
export DB_USER
export HTTP_HOST
export SERVER_NAME
export MW_INSTALL_PATH
rlwrap php "$MEDIAWIKI_DIRECTORY/maintenance/run.php" "$FULL_SCRIPT_PATH" "$@"
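Review bot: `if [ "${SCRIPT#/}" == "$SCRIPT" ]; then` in the script-path block uses `==`, which POSIX `test` does not define; under the `#!/bin/sh` shebang this fails with an "unexpected operator" error on dash and relies on a non-standard extension on other shells, so it should read `if [ "${SCRIPT#/}" = "$SCRIPT" ]; then`. The argument header is also out of step with the code: it lists `$1: wiki name` and `$2: script to call`, whereas the assignments are `SCRIPT=$1` and `WIKI=$2` and the usage message agrees with the assignments, so the two comment lines should be swapped. The comment "By default, scripts are located in maintenance wgCacheDirectory" presumably means the maintenance directory.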
diff --git a/roles/saas-mediawiki/software/init.sls b/roles/saas-mediawiki/software/init.sls
index a5fda66..ef78950 100644
--- a/roles/saas-mediawiki/software/init.sls
+++ b/roles/saas-mediawiki/software/init.sls
@@ -1,38 +1,37 @@
# -------------------------------------------------------------
# Salt — MediaWiki farm
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
# -------------------------------------------------------------
# Software required by MediaWiki or other tools
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mediawiki_software_dependencies:
pkg.installed:
- pkgs:
- {{ packages.exiftool }}
- exiv2
- {{ packages.imagemagick }}
- {{ packages['jpeg-turbo'] }}
- librsvg2
- {{ packages.lua }}
- {{ packages['mariadb-client'] }}
- {{ packages_prefixes.php }}opcache
- rlwrap
# -------------------------------------------------------------
# Administration tool
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/mw:
file.managed:
- source: salt://roles/saas-mediawiki/software/files/mw.sh.jinja
- mode: 755
- template: jinja
- context:
saas: {{ pillar['mediawiki_saas'] }}
diff --git a/roles/salt-primary/account/files/deploy b/roles/salt-primary/account/files/deploy
index e6ebc3c..ceb3df9 100644
--- a/roles/salt-primary/account/files/deploy
+++ b/roles/salt-primary/account/files/deploy
@@ -1,17 +1,16 @@
# -------------------------------------------------------------
# SaltStack deployment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-09-28
# License: Trivial work, not eligible to copyright
# Source file: roles/salt-primary/account/files/deploy
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
%deploy ALL = (deploy) NOPASSWD: ALL
diff --git a/roles/salt-primary/account/files/salt b/roles/salt-primary/account/files/salt
index c2535d8..30b7e3c 100644
--- a/roles/salt-primary/account/files/salt
+++ b/roles/salt-primary/account/files/salt
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# SaltStack deployment
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# Source file: roles/salt-primary/account/files/salt
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
Cmnd_Alias SALT = /usr/local/bin/salt, /usr/local/bin/salt-api, /usr/local/bin/salt-call, /usr/local/bin/salt-cloud, /usr/local/bin/salt-cp, /usr/local/bin/salt-key, /usr/local/bin/salt-master, /usr/local/bin/salt-minion, /usr/local/bin/salt-proxy, /usr/local/bin/salt-run, /usr/local/bin/salt-ssh, /usr/local/bin/salt-syndic, /usr/local/etc/rc.d/salt_master
%salt ALL=(salt) NOPASSWD: SALT
%salt ALL=(ALL) NOPASSWD: /usr/local/bin/salt-call
# -------------------------------------------------------------
# Disclaimer: FreeBSD port for Salt still uses "salt_master".
# This service name is kept for compatibility,
# but isn't an endorsement of such terminology.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
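Review bot: `%salt ALL=(ALL) NOPASSWD: /usr/local/bin/salt-call` gives every member of the salt group passwordless root through a tool that runs arbitrary execution modules, which makes the carefully scoped `%salt ALL=(salt) NOPASSWD: SALT` line above it largely moot as a boundary. If unrestricted root for that group is intended, a comment stating it, e.g. `# salt-call as root is equivalent to full root for %salt; intended for ops applying local states`, keeps the next reader from treating the Cmnd_Alias as the limit of what the group can do. If it is not intended, the third rule could be dropped, pointed at the `salt` target user like the alias, or the group membership kept to people who already hold root.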
diff --git a/roles/salt-primary/account/init.sls b/roles/salt-primary/account/init.sls
index 4a9d758..1018746 100644
--- a/roles/salt-primary/account/init.sls
+++ b/roles/salt-primary/account/init.sls
@@ -1,77 +1,76 @@
# -------------------------------------------------------------
# Salt — Salt configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-04-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Salt account
salt_account:
group.present:
- name: salt
- gid: 9001
user.present:
- name: salt
- fullname: SaltStack primary server account
- uid: 9001
- gid: 9001
- home: /var/run/salt
salt_account_ownership:
cmd.run:
- name: chown -R salt {{ dirs.etc }}/salt /var/cache/salt /var/log/salt /var/run/salt
- onchanges:
- user: salt_account
# -------------------------------------------------------------
# Directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/salt:
file.directory:
- makedirs: True
# -------------------------------------------------------------
# SSH key for deployment account
#
# This key should be added to:
#
# - zemke-rhyne account on devcentral
# https://devcentral.nasqueron.org/settings/user/zemke-rhyne/page/ssh/
#
# - alken-orin account on GitHub
# Credentials are stored in DevCentral passphrase application
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/salt/security:
file.directory:
- user: deploy
- group: ops
- chmod: 770
deploy_account_ssh_key:
cmd.run:
- name: ssh-keygen -t ed25519 -N "" -f /opt/salt/security/id_ed25519
- runas: deploy
- creates: /opt/salt/security/id_ed25519
# -------------------------------------------------------------
# Sudo capabilities
#
# Ops should be able to sudo -u salt …
# Deployers should be able to sudo -u deploy <anything>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for sudofile in ['salt', 'deploy'] %}
salt_sudo_capabilities_{{ sudofile }}:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/{{ sudofile }}
- source: salt://roles/salt-primary/account/files/{{ sudofile }}
{% endfor %}
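Review bot: `- chmod: 770` under `/opt/salt/security` is not a `file.directory` argument — the key is `mode` — so the directory that holds the deployment account's private key does not get the 770 the state intends; depending on the Salt version the unknown keyword is either rejected or ignored, and in both cases the line should read `- mode: 770`. The ssh-keygen step runs regardless, so today the key's own default file permissions are the only protection. The sudoers loop at the end of the hunk would also benefit from `- mode: 440` and `- check_cmd: visudo -cf` so a malformed fragment is refused before it lands in sudoers.d and locks out sudo.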
diff --git a/roles/salt-primary/cloud/init.sls b/roles/salt-primary/cloud/init.sls
index 88a652f..707b631 100644
--- a/roles/salt-primary/cloud/init.sls
+++ b/roles/salt-primary/cloud/init.sls
@@ -1,20 +1,19 @@
# -------------------------------------------------------------
# Salt — Salt configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-04-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Providers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
salt_cloud_providers:
file.recurse:
- name: {{ dirs.etc }}/salt/cloud.providers.d
- source: salt://roles/salt-primary/cloud/files/providers
- dir_mode: 755
- file_mode: 644
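Review bot: `- file_mode: 644` on `cloud.providers.d` leaves the provider definitions world-readable, and salt-cloud provider files typically carry API tokens or passwords, though their content is not shown in this diff. A tighter default is `- file_mode: 600` together with `- user: salt`, the service account created in roles/salt-primary/account and the user the sudoers alias in that role already runs salt-cloud as. If the files are known to contain no secrets, a one-line comment saying so would justify keeping the broader mode.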
diff --git a/roles/salt-primary/init.sls b/roles/salt-primary/init.sls
index d6fd915..1e75668 100644
--- a/roles/salt-primary/init.sls
+++ b/roles/salt-primary/init.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Provision a salt primary server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-21
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .config
- .account
- .cloud
- .staging
- .salt-wrapper
- .api
- .reactor
- .opentofu
diff --git a/roles/salt-primary/salt-wrapper/init.sls b/roles/salt-primary/salt-wrapper/init.sls
index 4e6f290..c1d050a 100644
--- a/roles/salt-primary/salt-wrapper/init.sls
+++ b/roles/salt-primary/salt-wrapper/init.sls
@@ -1,49 +1,48 @@
# -------------------------------------------------------------
# Salt — Salt configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-04
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Wrapper binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/salt-wrapper:
file.managed:
- mode: 755
- source: salt://software/salt-wrapper/salt-wrapper.sh
{{ dirs.bin }}/salt-get-config-dir:
file.managed:
- mode: 755
- source: salt://software/salt-wrapper/salt-get-config-dir.py
# -------------------------------------------------------------
# Wrapper configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/salt-wrapper.conf:
file.managed:
- source: salt://roles/salt-primary/salt-wrapper/files/salt-wrapper.conf
# -------------------------------------------------------------
# Wrapper manual
#
# TODO: gzip those files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.man }}/man1/salt-get-config-dir.1:
file.managed:
- source: salt://software/salt-wrapper/man/salt-get-config-dir.1
{{ dirs.man }}/man1/salt-wrapper.1:
file.managed:
- source: salt://software/salt-wrapper/man/salt-wrapper.1
{{ dirs.man }}/man5/salt-wrapper.conf.5:
file.managed:
- source: salt://software/salt-wrapper/man/salt-wrapper.conf.5
diff --git a/roles/salt-primary/service/init.sls b/roles/salt-primary/service/init.sls
index 5f7c69d..125bce7 100644
--- a/roles/salt-primary/service/init.sls
+++ b/roles/salt-primary/service/init.sls
@@ -1,26 +1,25 @@
# -------------------------------------------------------------
# Salt — Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, services with context %}
# -------------------------------------------------------------
# rc :: ensure primary service runs in UTF-8
#
# Disclaimer: FreeBSD port for Salt still uses "salt_master".
# This service name is kept for compatibility,
# but isn't an endorsement of such terminology.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services['manager'] == "rc" %}
{{ dirs.etc }}/rc.d/salt_master:
file.patch:
- source: salt://roles/salt-primary/service/files/rc.patch
- hash: 08559af1d8b2d24f762085421a563602
{% endif %}
diff --git a/roles/salt-primary/software/files/staging-commit-message.py b/roles/salt-primary/software/files/staging-commit-message.py
index b727bfe..3af914f 100755
--- a/roles/salt-primary/software/files/staging-commit-message.py
+++ b/roles/salt-primary/software/files/staging-commit-message.py
@@ -1,101 +1,100 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Staging :: write a commit message for submodule update
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-27
# License: Trivial work, not eligible to copyright
#
# Thanks to joki for the git diff-files and ls-tree hint
# https://stackoverflow.com/a/52908906/1930997
# -------------------------------------------------------------
from git import Repo
from os import path
import re
import subprocess
class SubmoduleCommit:
def __init__(self, repo_path, submodule_path):
self.repo_path = repo_path
self.submodule_path = submodule_path
self.repo = Repo(self.submodule_path)
def craft_commit(self):
lines = []
old_hash = self.get_old_hash()
new_hash = self.get_new_hash()
lines.append(
"Bump " + path.basename(self.submodule_path) + " to " + new_hash[:12]
)
lines.append("")
lines.extend(self.get_commits_lines(old_hash, new_hash))
return "\n".join(lines)
def get_old_hash(self):
output = subprocess.check_output(
["git", "ls-tree", "@", self.submodule_path],
cwd=self.repo_path,
encoding="utf-8",
)
matches = re.search(".*commit ([a-f0-9]*).*", output.strip())
return matches.group(1)
def get_new_hash(self):
return str(self.repo.head.commit)
@staticmethod
def format_commit_line(commit):
commit_hash = str(commit)[:12]
title = commit.message.split("\n")[0]
return " * {} {}".format(commit_hash, title)
def get_commits_lines(self, hash_base, hash_head):
commits_lines = []
for commit in self.repo.iter_commits(hash_head):
if str(commit) == hash_base:
break
line = self.format_commit_line(commit)
commits_lines.append(line)
return commits_lines
def has_submodule_been_updated(self):
process = subprocess.run(
["git", "diff-files", "--quiet", self.submodule_path], cwd=self.repo_path
)
return process.returncode != 0
def run(repo_path):
repo = Repo(repo_path)
submodules = [
SubmoduleCommit(repo_path, submodule.name) for submodule in repo.submodules
]
commits = [
submodule.craft_commit()
for submodule in submodules
if submodule.has_submodule_been_updated()
]
print("\n\n".join(commits))
def determine_current_repo():
return Repo(".", search_parent_directories=True).working_tree_dir
if __name__ == "__main__":
current_repo_path = determine_current_repo()
run(current_repo_path)
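Review bot: `get_old_hash` dereferences `matches.group(1)` without checking that `re.search` found anything, so a submodule path that is absent from the tree at `@` fails with an AttributeError on `None` instead of a readable error; add `if matches is None: raise ValueError("no commit entry for %s in ls-tree output" % self.submodule_path)` before the return, and tighten the pattern to `[a-f0-9]+` so an empty hash cannot match either. Separately, `Repo(self.submodule_path)` in `__init__` opens the submodule relative to the current working directory while the subprocess calls run with `cwd=self.repo_path`; `Repo(path.join(self.repo_path, self.submodule_path))` keeps both consistent when the script is invoked from a subdirectory. `run` also passes `submodule.name` where a path is expected; if this is GitPython's Submodule, `.path` is the tree path and `.name` the `.gitmodules` section name, which coincide by convention only.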
diff --git a/roles/salt-primary/software/init.sls b/roles/salt-primary/software/init.sls
index d7b16e2..6a733d1 100644
--- a/roles/salt-primary/software/init.sls
+++ b/roles/salt-primary/software/init.sls
@@ -1,35 +1,34 @@
# -------------------------------------------------------------
# Salt — Provision a salt primary server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-04
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Additional software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
install_salt_primary_extra_software:
pkg.installed:
- pkgs:
# Jenkins execution module
- {{ packages_prefixes.python3 }}python-jenkins
# For staging-commit-message
- {{ packages_prefixes.python3 }}gitpython
# Pillar
- {{ packages_prefixes.python3 }}salt-tower
# For Vault helper scripts
- {{ packages_prefixes.python3 }}hvac
{{ dirs.bin }}/staging-commit-message:
file.managed:
- source: salt://roles/salt-primary/software/files/staging-commit-message.py
- mode: 755
{{ dirs.bin }}/autochmod-git:
file.managed:
- source: salt://roles/salt-primary/software/files/autochmod-git.sh
- mode: 755
diff --git a/roles/salt-primary/staging/init.sls b/roles/salt-primary/staging/init.sls
index 8e0e2f7..9f3c207 100644
--- a/roles/salt-primary/staging/init.sls
+++ b/roles/salt-primary/staging/init.sls
@@ -1,41 +1,40 @@
# -------------------------------------------------------------
# Salt — Provision a salt primary server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-21
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Git repositories for the staging area
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
staging_public_repository:
file.directory:
- name: /opt/salt/staging
- user: deploy
- group: deployment
- dir_mode: 775
- makedirs: True
git.latest:
- name: https://devcentral.nasqueron.org/source/staging.git
- target: /opt/salt/staging
- user: deploy
- update_head: False
- submodules: True
- identity: /opt/salt/security/id_ed25519
staging_private_repository:
file.directory:
- name: /opt/salt/private/staging
- user: deploy
- group: deployment
- dir_mode: 770
- makedirs: True
git.latest:
- name: ssh://vcs@devcentral.nasqueron.org:5022/source/private-staging.git
- target: /opt/salt/private/staging
- user: deploy
- identity: /opt/salt/security/id_ed25519
- update_head: False
- submodules: True
diff --git a/roles/shellserver/database/files/my.cnf b/roles/shellserver/database/files/my.cnf
index 9a50a40..05ca731 100644
--- a/roles/shellserver/database/files/my.cnf
+++ b/roles/shellserver/database/files/my.cnf
@@ -1,42 +1,41 @@
# -------------------------------------------------------------
# MySQL configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-01-23
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/database/files/my.cnf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
explicit_defaults_for_timestamp
sql_mode =STRICT_ALL_TABLES
ft_stopword_file=/opt/stopwords.txt
ft_min_word_len =3
ft_boolean_syntax=' |-><()~*:""&^'
max_connections = 50
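Review bot: The `[mysqld]` section sets `port = 3306` but no `bind-address`, and since mysql.sls installs this file as `{{ dirs.etc }}/my.cnf` it replaces the distribution defaults, so whether the listener is loopback-only depends on the installed MariaDB version's built-in default rather than on anything in this config. If only local clients on the shell server need the database, add `bind-address = 127.0.0.1` (or `skip-networking` when the socket suffices) under `[mysqld]`; if remote access is intended, a comment naming the firewall rule that bounds it would document that. Either way a one-line comment above `max_connections` stating the intended exposure keeps the next reader from guessing.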
diff --git a/roles/shellserver/database/init.sls b/roles/shellserver/database/init.sls
index 6eac881..8553a2a 100644
--- a/roles/shellserver/database/init.sls
+++ b/roles/shellserver/database/init.sls
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
# Salt — Provision software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .mysql
- .pgsql
diff --git a/roles/shellserver/database/mysql.sls b/roles/shellserver/database/mysql.sls
index 61d0752..0f04d02 100644
--- a/roles/shellserver/database/mysql.sls
+++ b/roles/shellserver/database/mysql.sls
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Salt — Provision MySQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages with context %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mysql:
pkg.installed:
- pkgs:
- {{ packages.mariadb }}
full_text_search_stopwords_file:
file.managed:
- name: /opt/stopwords.txt
- source: salt://roles/shellserver/database/files/stopwords.txt
mysql_config:
file.managed:
- name: {{ dirs.etc }}/my.cnf
- source: salt://roles/shellserver/database/files/my.cnf
diff --git a/roles/shellserver/database/pgsql.sls b/roles/shellserver/database/pgsql.sls
index 84be97c..576996f 100644
--- a/roles/shellserver/database/pgsql.sls
+++ b/roles/shellserver/database/pgsql.sls
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Provision PostgreSQL
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import packages with context %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
postgresql:
pkg.installed:
- pkgs:
- {{ packages.postgresql }}
diff --git a/roles/shellserver/odderon/account.sls b/roles/shellserver/odderon/account.sls
index 86a713c..f4a1420 100644
--- a/roles/shellserver/odderon/account.sls
+++ b/roles/shellserver/odderon/account.sls
@@ -1,34 +1,33 @@
# -------------------------------------------------------------
# Salt — Deploy Odderon (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-24
# Description: Darkbot
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Service account
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
odderon_account:
user.present:
- name: odderon
- fullname: Odderon
- uid: 830
- gid: 829
- home: /opt/odderon
# -------------------------------------------------------------
# Sudo capabilities
#
# Members of nasqueron-irc should be able to sudo -u odderon …
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
odderon_sudo_capabilities_file:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/odderon
- source: salt://roles/shellserver/odderon/files/odderon.sudoers
- template: jinja
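Review bot: `odderon_sudo_capabilities_file` writes a sudoers.d fragment with `file.managed` but neither pins its mode nor validates it, so a rendering mistake in `odderon.sudoers` ships a broken sudo configuration on the next highstate; add `- mode: 440` and `- check_cmd: visudo -cf` so Salt rejects a fragment that does not parse before it replaces the live file. The same applies to `chquasselpasswd_sudo_capabilities_file` in roles/shellserver/quassel-core/changepassword.sls. An explicit `- user: root` would also document the intended ownership rather than relying on the minion's defaults.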
diff --git a/roles/shellserver/odderon/code.sls b/roles/shellserver/odderon/code.sls
index 4e70993..8a4a8d7 100644
--- a/roles/shellserver/odderon/code.sls
+++ b/roles/shellserver/odderon/code.sls
@@ -1,44 +1,43 @@
# -------------------------------------------------------------
# Salt — Deploy Odderon (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-25
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import utilities with context %}
darkbot_repo:
file.directory:
- name: /opt/darkbot
- user: odderon
- group: nasqueron-irc
- dir_mode: 755
git.latest:
- name: https://devcentral.nasqueron.org/source/darkbot.git
- branch: production
- target: /opt/darkbot
- user: odderon
- unless: test -f /opt/odderon/LOCKED
darkbot_build:
cmd.script:
- source: salt://roles/shellserver/odderon/files/build.sh.jinja
- args: "--with-sleep=0 --with-add=0 --with-del=0 --with-random=0"
- template: jinja
- context:
gmake: {{ utilities.gmake }}
- cwd: /opt/darkbot
- runas: odderon
- onchanges:
- git: darkbot_repo
- unless: test -f /opt/odderon/LOCKED
darkbot_install:
cmd.run:
- name: make install
- cwd: /opt/darkbot/build
- runas: odderon
- onchanges:
- cmd: darkbot_build
- unless: test -f /opt/odderon/LOCKED
diff --git a/roles/shellserver/odderon/config.sls b/roles/shellserver/odderon/config.sls
index a249f48..3a174de 100644
--- a/roles/shellserver/odderon/config.sls
+++ b/roles/shellserver/odderon/config.sls
@@ -1,44 +1,43 @@
# -------------------------------------------------------------
# Salt — Deploy Odderon unit (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-19
# Description: Darkbot
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% nickserv_secret = salt["vault.read_secret"]("kv/service/odderon/nickserv") %}
/opt/odderon/var/darkbot/setup.ini:
file.managed:
- name: salt://roles/shellserver/odderon/files/setup.ini
- user: odderon
- mode: 400
- show_changes: False
- template: jinja
- context:
sasl:
user: {{ nickserv_secret["username"] }}
pass: {{ nickserv_secret["password"] }}
/opt/odderon/var/darkbot/servers.ini:
file.managed:
- name: salt://roles/shellserver/odderon/files/servers.ini
- user: odderon
# -------------------------------------------------------------
# File permissions and ownership
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
odderon_fix_permissions_and_ownership:
file.managed:
- name: /opt/odderon/var/darkbot/userlist.db
- user: odderon
- group: nasqueron-irc
- chmod: 640
- show_changes: False
- replace: False
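Review bot: Both `file.managed` states in the configuration section put the `salt://` URL under `name:`, where `name` is the target path that overrides the state ID, so the rendered state manages a path literally called `salt://roles/...` and never writes /opt/odderon/var/darkbot/setup.ini or servers.ini; change them to `- source: salt://roles/shellserver/odderon/files/setup.ini` and `- source: salt://roles/shellserver/odderon/files/servers.ini`. `odderon_fix_permissions_and_ownership` uses `- chmod: 640`, which is not a documented `file.managed` argument (the parameter is `mode`), so the restrictive mode on userlist.db is presumably not enforced at all; use `- mode: 640`. The secret lookup line `{% nickserv_secret = salt["vault.read_secret"](...) %}` also lacks the `set` keyword that every other assignment in this commit uses (`{% set quassel = ... %}` in quassel-core/map.jinja), so the file would fail to render unless the page dropped the word. `servers.ini` has no `mode` either, so it inherits the minion default; `- mode: 640` next to `user: odderon` would match the rest of the directory.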
diff --git a/roles/shellserver/odderon/files/build.sh.jinja b/roles/shellserver/odderon/files/build.sh.jinja
index 1a2cd95..3d61eb6 100644
--- a/roles/shellserver/odderon/files/build.sh.jinja
+++ b/roles/shellserver/odderon/files/build.sh.jinja
@@ -1,25 +1,24 @@
#!/bin/sh
# -------------------------------------------------------------
# Salt — Deploy Odderon (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-25
# Authors: David Seikel, Dereckson
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/odderon/files/build.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
PREFIX=/opt/odderon
test ! -r build/configure && sh bootstrap.sh
cd build || exit 2
sh configure -C --prefix=$PREFIX "$@"
{{ gmake }} clean all
diff --git a/roles/shellserver/odderon/files/odderon.service b/roles/shellserver/odderon/files/odderon.service
index 62fa01a..46b8ac7 100644
--- a/roles/shellserver/odderon/files/odderon.service
+++ b/roles/shellserver/odderon/files/odderon.service
@@ -1,28 +1,27 @@
# -------------------------------------------------------------
# Odderon
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-26
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/odderon/files/odderon.service
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Unit]
Description=Odderon darkbot
[Service]
User=odderon
Type=simple
WorkingDirectory=/opt/odderon
ExecStart=/opt/odderon/bin/darkbot
Restart=on-failure
[Install]
WantedBy=multi-user.target
diff --git a/roles/shellserver/odderon/files/odderon.sudoers b/roles/shellserver/odderon/files/odderon.sudoers
index 40f0da5..5573922 100644
--- a/roles/shellserver/odderon/files/odderon.sudoers
+++ b/roles/shellserver/odderon/files/odderon.sudoers
@@ -1,22 +1,21 @@
# -------------------------------------------------------------
# Odderon
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-24
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/odderon/files/odderon.sudoers
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
%nasqueron-irc ALL=(odderon) NOPASSWD: ALL
# Service management
{% for command in ["start", "stop", "restart", "reload"] %}
%nasqueron-irc ALL= NOPASSWD: /bin/systemctl {{ command }} odderon
{% endfor %}
diff --git a/roles/shellserver/odderon/init.sls b/roles/shellserver/odderon/init.sls
index 794ccc6..a251c6c 100644
--- a/roles/shellserver/odderon/init.sls
+++ b/roles/shellserver/odderon/init.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Deploy Odderon (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-25
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .account
- .code
- .config
- .service
diff --git a/roles/shellserver/odderon/service.sls b/roles/shellserver/odderon/service.sls
index 9e879a5..dcb8ec8 100644
--- a/roles/shellserver/odderon/service.sls
+++ b/roles/shellserver/odderon/service.sls
@@ -1,36 +1,35 @@
# -------------------------------------------------------------
# Salt — Deploy Odderon unit (darkbot)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-01-25
# Description: Darkbot
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import services with context %}
# -------------------------------------------------------------
# Unit configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services['manager'] == 'systemd' %}
odderon_unit:
file.managed:
- name: /etc/systemd/system/odderon.service
- source: salt://roles/shellserver/odderon/files/odderon.service
- mode: 644
module.run:
- service.force_reload:
- name: odderon
- onchanges:
- file: odderon_unit
odderon_running:
service.running:
- name: odderon
- enable: true
- watch:
- module: odderon_unit
{% endif %}
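Review bot: `module.run` on `odderon_unit` calls `service.force_reload` with `name: odderon`, which on a systemd minion force-reloads the service itself, whereas the action needed after /etc/systemd/system/odderon.service changes is a daemon reload of the unit definitions; if that is the intent, `service.systemctl_reload` (it takes no `name`) is the matching function, and `odderon_running` can keep watching the module state. As written, an edited unit file is presumably only picked up when systemd re-reads units for some other reason. The whole block is guarded by `services['manager'] == 'systemd'`, so non-systemd hosts get no unit at all; a comment stating that this is deliberate would help.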
diff --git a/roles/shellserver/quassel-core/certificate.sls b/roles/shellserver/quassel-core/certificate.sls
index 7c3cd5a..1e88ca6 100644
--- a/roles/shellserver/quassel-core/certificate.sls
+++ b/roles/shellserver/quassel-core/certificate.sls
@@ -1,31 +1,30 @@
# -------------------------------------------------------------
# Salt — Provision Quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "roles/shellserver/quassel-core/map.jinja" import quassel with context %}
# -------------------------------------------------------------
# Certificate
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/lib/quassel:
file.directory:
- user: {{ quassel.user }}
- group: {{ quassel.group }}
quassel_certificate:
cmd.run:
- name: cat privkey.pem fullchain.pem > /var/lib/quassel/quasselCert.pem
- cwd: /etc/letsencrypt/live/quassel.eglide.org
quassel_certificate_rights:
file.managed:
- name: /var/lib/quassel/quasselCert.pem
- replace: False
- user: {{ quassel.user }}
- group: {{ quassel.group }}
- mode: 400
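Review bot: `quassel_certificate` builds quasselCert.pem from `privkey.pem` with a shell redirection, so on first creation the file gets root's umask (typically 0644) inside /var/lib/quassel, a directory owned by the quassel user, and only the following `quassel_certificate_rights` state tightens it to 400; add `- umask: 077` to the `cmd.run` so the private key is never created readable by others, and `- require: - cmd: quassel_certificate` on the rights state so the ordering is explicit rather than positional. The `cmd.run` also executes on every highstate; if that is intended so Let's Encrypt renewals are picked up, a comment saying so would stop someone adding `creates:` later.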
diff --git a/roles/shellserver/quassel-core/changepassword.sls b/roles/shellserver/quassel-core/changepassword.sls
index 43e439b..f1d4ac6 100644
--- a/roles/shellserver/quassel-core/changepassword.sls
+++ b/roles/shellserver/quassel-core/changepassword.sls
@@ -1,38 +1,37 @@
# -------------------------------------------------------------
# Salt — Provision Quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/shellserver/quassel-core/map.jinja" import quassel with context %}
# -------------------------------------------------------------
# Wrapper for quasselcore --change-userpass
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/chquasselpasswd:
file.managed:
- source: salt://roles/shellserver/quassel-core/files/chquasselpasswd.sh.jinja
- mode: 755
- template: jinja
- context:
quassel: {{ quassel }}
# -------------------------------------------------------------
# Sudo capabilities
#
# Quassel users can change their password
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
chquasselpasswd_sudo_capabilities_file:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/chquasselpasswd
- source: salt://roles/shellserver/quassel-core/files/chquasselpasswd.sudoers
- template: jinja
- context:
dirs: {{ dirs }}
quassel: {{ quassel }}
users: {{ pillar['quassel_users'] }}
diff --git a/roles/shellserver/quassel-core/files/chquasselpasswd.sh.jinja b/roles/shellserver/quassel-core/files/chquasselpasswd.sh.jinja
index 2d2356d..bbcd2d7 100755
--- a/roles/shellserver/quassel-core/files/chquasselpasswd.sh.jinja
+++ b/roles/shellserver/quassel-core/files/chquasselpasswd.sh.jinja
@@ -1,59 +1,58 @@
#!/bin/sh
# -------------------------------------------------------------
# Quassel change password wrapper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/quassel-core/files/chquasselpasswd.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
QUASSEL_CONFIG_DIR=/var/lib/quassel
QUASSEL_USER="{{ quassel.user }}"
# -------------------------------------------------------------
# Helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
error() {
echo "$@" 1>&2;
}
getcommandname() {
basename "$0"
}
usage() {
echo "Usage: $(getcommandname)"
echo " Change the Quassel user password"
exit 64
}
# -------------------------------------------------------------
# Check arguments
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
usage
elif [ $# -gt 0 ]; then
error "$(getcommandname): illegal option -- $*"
usage
fi
# -------------------------------------------------------------
# Call quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sudo -u "$QUASSEL_USER" \
quasselcore --configdir="$QUASSEL_CONFIG_DIR" --change-userpass="$USER"
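Review bot: The wrapper passes `--change-userpass="$USER"`, an environment variable the caller controls, while the real restriction comes from the sudoers line that pins each user to `--change-userpass=<own name>`; using `--change-userpass="$(id -un)"` makes the wrapper agree with that rule regardless of the caller's environment. The sudoers rule also names `{{ dirs.bin }}/quasselcore` by absolute path whereas the wrapper invokes `quasselcore` via PATH, so if the binary lives elsewhere on one of the OS families map.jinja distinguishes, sudo would not match the rule and would prompt for a password instead; invoking the same absolute path in both places avoids that. The `sudo -u "$QUASSEL_USER"` line would benefit from a comment pointing at chquasselpasswd.sudoers as the place where the allowed command is defined.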
diff --git a/roles/shellserver/quassel-core/files/chquasselpasswd.sudoers b/roles/shellserver/quassel-core/files/chquasselpasswd.sudoers
index 0324241..5a0da5a 100644
--- a/roles/shellserver/quassel-core/files/chquasselpasswd.sudoers
+++ b/roles/shellserver/quassel-core/files/chquasselpasswd.sudoers
@@ -1,19 +1,18 @@
# -------------------------------------------------------------
# Quassel change password wrapper - sudo capabilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/quassel-core/files/chquasselpasswd.sudoers
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
{% for user in users -%}
{{ user }} ALL=({{ quassel.user }}) NOPASSWD: {{ dirs.bin }}/quasselcore --configdir=/var/lib/quassel --change-userpass={{ user }}
{% endfor -%}
diff --git a/roles/shellserver/quassel-core/init.sls b/roles/shellserver/quassel-core/init.sls
index a806de6..d785202 100644
--- a/roles/shellserver/quassel-core/init.sls
+++ b/roles/shellserver/quassel-core/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Provision Quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .certificate
- .software
- .changepassword
diff --git a/roles/shellserver/quassel-core/map.jinja b/roles/shellserver/quassel-core/map.jinja
index 841de20..3c4b798 100644
--- a/roles/shellserver/quassel-core/map.jinja
+++ b/roles/shellserver/quassel-core/map.jinja
@@ -1,18 +1,17 @@
# -------------------------------------------------------------
# Salt — Provision Quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set quassel = salt['grains.filter_by']({
'Arch' : {
'user': 'quassel',
'group': 'quassel',
},
'Debian': {
'user': 'quasselcore',
'group': 'quassel',
},
}, default='Arch') %}
diff --git a/roles/shellserver/quassel-core/software.sls b/roles/shellserver/quassel-core/software.sls
index 8f03ba7..37001cb 100644
--- a/roles/shellserver/quassel-core/software.sls
+++ b/roles/shellserver/quassel-core/software.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Provision Quassel core
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2018-03-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
quassel-core:
pkg.installed
# -------------------------------------------------------------
# Dependencies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
libqt5sql5-psql:
pkg.installed
{% endif %}
diff --git a/roles/shellserver/user-session/files/csh.logout b/roles/shellserver/user-session/files/csh.logout
index a6d141c..a482e08 100644
--- a/roles/shellserver/user-session/files/csh.logout
+++ b/roles/shellserver/user-session/files/csh.logout
@@ -1,21 +1,20 @@
# -------------------------------------------------------------
# System-wide .logout file for csh(1)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2015-12-30
# Licence: Trivial work, not eligible to copyright
# Source file: roles/shellserver/user-session/files/csh.logout
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Cleans up whom-diff files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
whom-diff --clean
diff --git a/roles/shellserver/user-session/files/whom-diff.sh b/roles/shellserver/user-session/files/whom-diff.sh
index e3a084e..fdec196 100755
--- a/roles/shellserver/user-session/files/whom-diff.sh
+++ b/roles/shellserver/user-session/files/whom-diff.sh
@@ -1,77 +1,76 @@
#!/bin/sh
# -------------------------------------------------------------
# whom-diff
#
# Computes the diff between two `whom` invoke.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2015-12-30
# Licence: BSD-2-Clause
# Source file: roles/shellserver/user-session/files/whom-diff.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Determines session identifier and directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$SESSION_ID" = "" ]; then
SESSION_ID=$(who am I | md5 | cut -c1-8)
fi
DIR=/var/tmp/whom/$USER/$SESSION_ID
# -------------------------------------------------------------
# -s / --session
# Prints the session identifier
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$1" = "--session" ] || [ "$1" = "-s" ]; then
echo "$SESSION_ID"
exit 0
fi
# -------------------------------------------------------------
# Default mode
# Prints the diff between current `whom` and previous output
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $# -eq 0 ]; then
# Creates working directory if needed
if [ ! -d "$DIR" ]; then
mkdir -p "$DIR"
touch "$DIR"/old
fi
# Let's diff
cd "$DIR" || exit
whom > current
diff old current | tail -n +2
mv current old
exit 0
fi
# -------------------------------------------------------------
# -c / --clean
# Cleans directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "$1" = "--clean" ] || [ "$1" = "-c" ]; then
rm -rf "$DIR"
exit $?
fi
# -------------------------------------------------------------
# Usage
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>&2 echo "Usage: $0 [--setup|--clean|-s|-c]"
exit 1
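Review bot: `DIR=/var/tmp/whom/$USER/$SESSION_ID` lives under world-writable `/var/tmp`, and `mkdir -p "$DIR"` creates `/var/tmp/whom` owned by whichever user runs the script first, so every other user's subtree is created inside a directory they do not control and the later `cd "$DIR"`, `whom > current` and `rm -rf "$DIR"` operate on paths another local user could have pre-created; either have the Salt state create `/var/tmp/whom` root-owned with mode 1777 and use `mkdir -m 700` for the per-user level, or keep the files under `${TMPDIR:-$HOME}` instead. `md5` is the BSD tool name; if this role also runs on Debian hosts, as base.sls suggests, `SESSION_ID` would be empty there unless something else sets it. The usage line advertises `--setup`, which no branch implements.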
diff --git a/roles/shellserver/user-session/files/whom.sh b/roles/shellserver/user-session/files/whom.sh
index 165f492..7e3ca1a 100755
--- a/roles/shellserver/user-session/files/whom.sh
+++ b/roles/shellserver/user-session/files/whom.sh
@@ -1,20 +1,19 @@
#!/bin/sh
# -------------------------------------------------------------
# Clean alternative to who
# Prints the usernames of connected users by alphabetical order
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2015-12-30
# Licence: Trivial work, not eligible to copyright
# Source file: roles/shellserver/user-session/files/whom.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
who | awk '{print $1}' | sort | uniq
diff --git a/roles/shellserver/userland-software/base.sls b/roles/shellserver/userland-software/base.sls
index 3e5fcfb..b534c7d 100644
--- a/roles/shellserver/userland-software/base.sls
+++ b/roles/shellserver/userland-software/base.sls
@@ -1,312 +1,311 @@
# -------------------------------------------------------------
# Salt — Provision base software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-04-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
/opt:
file.directory
# -------------------------------------------------------------
# Editors
#
# Disclaimer: We don't caution the views of Richard Stallman
# or the Church of Emacs positions.
# See http://geekfeminism.wikia.com/wiki/EMACS_virgins_joke
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
editors:
pkg.installed:
- pkgs:
- joe
- vim
- emacs-nox
# -------------------------------------------------------------
# General UNIX utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
utilities:
pkg.installed:
- pkgs:
- cmatrix
- datamash
- figlet
- glow
- {{ packages.gpg }}
- grc
- mc
- moreutils
- mosh
- nmap
- {{ packages.pandoc }}
- reptyr
- toilet
- unrar
- whois
- zip
{% if grains['os_family'] == 'Debian' %}
- bsdmainutils
- dnsutils
- sockstat
- sysvbanner
- toilet-fonts
{% endif %}
{% if grains['os'] == 'FreeBSD' %}
- bind-tools
- coreutils
- figlet-fonts
- findutils
- gsed
- sudo
- wurf
{% endif %}
utilities_www:
pkg.installed:
- pkgs:
- links
- lynx
- w3m
# -------------------------------------------------------------
# Fortune data
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains["os"] == "FreeBSD" %}
fortune_data:
pkg.installed:
- pkgs:
- fortune-mod-bofh
- fortune-mod-epictetus
- fortune-mod-freebsd-classic
- fortune-mod-futurama
{% endif %}
# -------------------------------------------------------------
# More exotic shells
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
userland_software_shells:
pkg.installed:
- pkgs:
- fish
# -------------------------------------------------------------
# Development
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
dev:
pkg.installed:
- pkgs:
- {{ packages.ag }}
- autoconf
- automake
- {{ packages.bats }}
- cmake
- {{ packages.cppunit }}
- git-absorb
- git-lfs
- jq
- valgrind
{% if grains['os'] == 'FreeBSD' %}
- hub
# Recent clang/llvm versions
- llvm22
{% else %}
- arcanist
- clang
- llvm
- strace
{% endif %}
{% if grains['os_family'] == 'Debian' %}
dev_popular_libs:
pkg.installed:
- pkgs:
- libssl-dev
{% endif %}
# -------------------------------------------------------------
# Languages
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
languages_removed:
pkg.removed:
- pkgs:
{% if grains['os_family'] == 'Debian' %}
- php7.0
- php7.1
- php7.2
- php7.3
- php7.4
- php8.0
- php8.1
{% elif grains['os'] == 'FreeBSD' %}
- php70
- php71
- php72
- php73
- php74
- php80
- php81
{% endif %}
languages:
pkg.installed:
- pkgs:
- python3
- name: {{ packages_prefixes.python3 }}pip
- {{ packages.tcl }}
{% if grains['os_family'] == 'Debian' %}
- php8.2
{% elif grains['os'] == 'FreeBSD' %}
- php83
{% endif %}
# -------------------------------------------------------------
# De facto standard libraries for languages
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
languages_libs:
pkg.installed:
- pkgs:
# PHP extensions
- {{ packages_prefixes.php }}bcmath
- {{ packages_prefixes.php }}curl
- {{ packages_prefixes.php }}gd
- {{ packages_prefixes.php }}intl
- {{ packages_prefixes.php }}mbstring
- {{ packages_prefixes.php }}soap
- {{ packages_prefixes.php }}xml
- {{ packages_prefixes.php }}xsl
{% if grains['os_family'] == 'Debian' %}
- {{ packages_prefixes.php }}json
# On Debian, these PDO extensions doesn't follow regular names
# but are installed if you require the legacy extension name.
- {{ packages_prefixes.php }}mysql
- {{ packages_prefixes.php }}pgsql
- {{ packages_prefixes.php }}sqlite3
{% else %}
# On Debian, these extensions are now shipped by default:
- {{ packages_prefixes.php }}calendar
- {{ packages_prefixes.php }}ctype
- {{ packages_prefixes.php }}dom
- {{ packages_prefixes.php }}fileinfo
- {{ packages_prefixes.php }}filter
- {{ packages_prefixes.php }}gettext
- {{ packages_prefixes.php }}iconv
- {{ packages_prefixes.php }}mysqli
- {{ packages_prefixes.php }}pcntl
- {{ packages_prefixes.php }}pdo
- {{ packages_prefixes.php }}phar
- {{ packages_prefixes.php }}session
- {{ packages_prefixes.php }}simplexml
- {{ packages_prefixes.php }}sockets
- {{ packages_prefixes.php }}sodium
- {{ packages_prefixes.php }}tokenizer
- {{ packages_prefixes.php }}xmlreader
- {{ packages_prefixes.php }}xmlwriter
- {{ packages_prefixes.php }}zip
- {{ packages_prefixes.php }}zlib
# On Debian, these PDO extensions doesn't follow regular names:
- {{ packages_prefixes.php }}pdo_mysql
- {{ packages_prefixes.php }}pdo_pgsql
- {{ packages_prefixes.php }}pdo_sqlite
{% endif %}
# PECL extensions
- {{ packages_prefixes.pecl }}yaml
# PHP utilities
- {{ packages.composer }}
{% if grains['os'] != 'FreeBSD' %}
# On FreeBSD, PEAR is still a PHP 5.6 package (last tested 2018-02-17).
# Same for Composer (last tested 2018-02-28)
- {{ packages.pear }}
- {{ packages.phpcs }}
{% endif %}
# Standard Python modules
{% if grains['os'] == 'FreeBSD' %}
- {{ packages_prefixes.python3 }}gdbm
- {{ packages_prefixes.python3 }}sqlite3
{% endif %}
# TCL
- tcllib
- {{ packages.tcltls }}
languages_libs_removed_files:
file.absent:
- names:
- /usr/local/etc/php/ext-20-openssl.ini
# -------------------------------------------------------------
# Workaround : install phpcs on FreeBSD
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/opt/phpcs:
file.directory
{% for command in ['phpcs', 'phpcbf'] %}
/opt/phpcs/{{ command }}:
file.managed:
- source: https://squizlabs.github.io/PHP_CodeSniffer/{{ command }}.phar
- skip_verify: True
- mode: 755
{{ dirs.bin }}/{{ command }}:
file.symlink:
- target: /opt/phpcs/{{ command }}
- require:
- file: /opt/phpcs/{{ command }}
{% endfor %}
{% endif %}
# -------------------------------------------------------------
# Spelling and language utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
spelling:
pkg.installed:
- pkgs:
- {{ packages['aspell-en'] }}
- {{ packages['aspell-fr'] }}
- {{ packages.verbiste }}
# -------------------------------------------------------------
# Media utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
media:
pkg.installed:
- pkgs:
- {{ packages.exiftool }}
- gifsicle
- id3v2
- {{ packages.imagemagick }}
- mozjpeg
- optipng
- sox
# -------------------------------------------------------------
# Office utilities (bureautique)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
office_software:
pkg.installed:
- pkgs:
- gcal
- pdftk
- qpdf
diff --git a/roles/shellserver/userland-software/files/install-eggdrop.sh b/roles/shellserver/userland-software/files/install-eggdrop.sh
index 62a5dba..540fb94 100644
--- a/roles/shellserver/userland-software/files/install-eggdrop.sh
+++ b/roles/shellserver/userland-software/files/install-eggdrop.sh
@@ -1,58 +1,57 @@
#!/bin/sh
# -------------------------------------------------------------
# Install an eggdrop
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-11-06
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/userland-software/files/install-eggdrop.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# TCL and eggdrop versions
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EGGDROP_VERSION_MAJOR=1.10
EGGDROP_VERSION=1.10.1
TCL_VERSION=8.6
# -------------------------------------------------------------
# Fetch, extract
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
wget https://ftp.eggheads.org/pub/eggdrop/source/${EGGDROP_VERSION_MAJOR}/eggdrop-${EGGDROP_VERSION}.tar.gz
tar xzf eggdrop-${EGGDROP_VERSION}.tar.gz
cd eggdrop-${EGGDROP_VERSION} || exit 1
# -------------------------------------------------------------
# Configure step
#
# This is the tricky part, as we need to provide path to TCL
# header and library files, heavily OS/distro/arch dependant.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ -f /etc/debian_version ]; then
ARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
CFLAGS="-std=gnu99" ./configure --with-tclinc=/usr/include/tcl${TCL_VERSION}/tcl.h --with-tcllib="/usr/lib/$ARCH/libtcl${TCL_VERSION}.so"
elif [ "$(uname)" = "FreeBSD" ]; then
TCL_VERSION_LIB=$(echo $TCL_VERSION | tr -d .)
./configure --with-tclinc=/usr/local/include/tcl${TCL_VERSION}/tcl.h -with-tcllib="/usr/local/lib/libtcl${TCL_VERSION_LIB}.so"
else
./configure
fi
# -------------------------------------------------------------
# Build, install
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
make config
make
make install
diff --git a/roles/shellserver/userland-software/init.sls b/roles/shellserver/userland-software/init.sls
index ac085de..4aaaf32 100644
--- a/roles/shellserver/userland-software/init.sls
+++ b/roles/shellserver/userland-software/init.sls
@@ -1,15 +1,14 @@
# -------------------------------------------------------------
# Salt — Provision software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- roles/builder/account
- .base
- .openssl-legacy
- .irc
- .mail
- .web
diff --git a/roles/shellserver/userland-software/irc.sls b/roles/shellserver/userland-software/irc.sls
index 835f819..e5efd5f 100644
--- a/roles/shellserver/userland-software/irc.sls
+++ b/roles/shellserver/userland-software/irc.sls
@@ -1,118 +1,117 @@
# -------------------------------------------------------------
# Salt — Provision IRC software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-04-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages with context %}
# -------------------------------------------------------------
# IRC clients
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
irc_clients:
pkg.installed:
- pkgs:
- irssi
- irssi-scripts
- weechat
{% if grains['os'] != 'Debian' and grains['os'] != 'Ubuntu' %}
# Reference: supremetechs.com/tag/bitchx-removed-from-debian
- bitchx
{% endif %}
# -------------------------------------------------------------
# Bouncers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
irc_bouncers:
pkg.installed:
- pkgs:
- znc
shroudbnc_dependencies:
pkg.installed:
- pkgs:
- {{ packages["c-ares"] }}
- libtool
- swig
{% if grains['os_family'] == 'Debian' %}
- tcl-dev
{% endif %}
{% if grains['os_family'] == 'RedHat' %}
- tcl-devel
{% endif %}
shroudbnc_repo:
file.directory:
- name: /usr/local/src/shroudbnc
- user: builder
- group: deployment
- mode: 755
git.latest:
- name: https://github.com/gunnarbeutner/shroudbnc
- target: /usr/local/src/shroudbnc
- user: builder
shroudbnc_build:
cmd.run:
- name: |
./autogen.sh && \
./configure --prefix=/usr/local && \
make
- cwd: /usr/local/src/shroudbnc
- runas: builder
- require:
- git: shroudbnc_repo
- creates: /usr/local/src/shroudbnc/src/sbnc
shroudbnc_install:
cmd.run:
- name: make install
- cwd: /usr/local/src/shroudbnc
- onchanges:
- cmd: shroudbnc_build
# -------------------------------------------------------------
# Bots
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
eggdrop_installer:
file.managed:
- name: /usr/local/bin/install-eggdrop
- source: salt://roles/shellserver/userland-software/files/install-eggdrop.sh
- mode: 755
# -------------------------------------------------------------
# Misc
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
irc_misc:
pkg.installed:
- pkgs:
- bitlbee
- oidentd
- pisg
oidentd_config:
file.managed:
- name: {{ dirs.etc }}/oidentd.conf
- source: salt://roles/shellserver/userland-software/files/oidentd.conf
- mode: 644
oidentd_service_config:
service.running:
- name: oidentd
- enable: true
# -------------------------------------------------------------
# RC
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if services["manager"] == "rc" %}
/etc/rc.conf.d/oidentd:
file.managed:
- source: salt://roles/shellserver/userland-software/files/oidentd.rc
{% endif %}
diff --git a/roles/shellserver/userland-software/openssl-legacy.sls b/roles/shellserver/userland-software/openssl-legacy.sls
index 37c3a98..a7d74e1 100644
--- a/roles/shellserver/userland-software/openssl-legacy.sls
+++ b/roles/shellserver/userland-software/openssl-legacy.sls
@@ -1,71 +1,70 @@
# -------------------------------------------------------------
# Salt — Deploy legacy OpenSSL 1.0
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-02-25
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set openssl_version = "1.0.2t" %}
{% set openssl_hash = "14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc" %}
{% set openssl_tarball = "openssl-" + openssl_version + ".tar.gz" %}
# -------------------------------------------------------------
# Source code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/src:
file.directory:
- dir_mode: 755
/usr/local/src/openssl-legacy:
file.directory:
- user: builder
- group: deployment
- dir_mode: 755
/usr/local/src/{{ openssl_tarball }}:
file.managed:
- source: https://www.openssl.org/source/{{ openssl_tarball }}
- source_hash: {{ openssl_hash }}
- user: builder
openssl_extract:
cmd.run:
- name: tar xfz ../{{ openssl_tarball }} --strip-components=1
- cwd: /usr/local/src/openssl-legacy
- runas: builder
- require:
- file: /usr/local/src/{{ openssl_tarball }}
- creates: /usr/local/src/openssl-legacy/Makefile
# -------------------------------------------------------------
# Build
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
openssl_build:
cmd.script:
- source: salt://roles/shellserver/userland-software/files/build-openssl-legacy.sh.jinja
- template: jinja
- context:
openssldir: {{ dirs.etc }}/ssl-legacy
builder_username: builder
- cwd: /usr/local/src/openssl-legacy
- runas: builder
- require:
- cmd: openssl_extract
- creates: /usr/local/src/openssl-legacy/libcrypto.so
# -------------------------------------------------------------
# Install
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
openssl_install:
cmd.run:
- name: make MANDIR=/opt/openssl-legacy/man MANSUFFIX=ssl install
- cwd: /usr/local/src/openssl-legacy
- require:
- cmd: openssl_build
- creates: /opt/openssl-legacy/bin/openssl
diff --git a/roles/shellserver/userland-software/web.sls b/roles/shellserver/userland-software/web.sls
index 95ec707..4bcc0ed 100644
--- a/roles/shellserver/userland-software/web.sls
+++ b/roles/shellserver/userland-software/web.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Provision web software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-06-12
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Web utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
web_utilities:
pkg.installed:
- pkgs:
- igal2
{{ dirs.bin }}/html-directories:
file.managed:
- source: salt://roles/shellserver/userland-software/files/html-directories.sh
- mode: 755
diff --git a/roles/shellserver/vhosts/files/vhosts.sh b/roles/shellserver/vhosts/files/vhosts.sh
index 8f6e30e..f2b1c3c 100644
--- a/roles/shellserver/vhosts/files/vhosts.sh
+++ b/roles/shellserver/vhosts/files/vhosts.sh
@@ -1,23 +1,22 @@
#!/bin/sh
# -------------------------------------------------------------
# List IP and reverse DNS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-01-10
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/vhosts/files/vhosts.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
if [ -f /etc/vhosts ]; then
cat /etc/vhosts
else
echo "No vhosts data file found. Please create /etc/vhosts file."
fi
diff --git a/roles/shellserver/vhosts/init.sls b/roles/shellserver/vhosts/init.sls
index d48e9c1..8719ad7 100644
--- a/roles/shellserver/vhosts/init.sls
+++ b/roles/shellserver/vhosts/init.sls
@@ -1,25 +1,24 @@
# -------------------------------------------------------------
# Salt — vhosts configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2017-01-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Configuration file
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/etc/vhosts:
file.managed:
- source: salt://roles/shellserver/vhosts/files/vhosts.{{ grains['id'] }}
- mode: 644
# -------------------------------------------------------------
# Command file
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/bin/vhosts:
file.managed:
- source: salt://roles/shellserver/vhosts/files/vhosts.sh
- mode: 755
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
index e6c9404..815298c 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
@@ -1,40 +1,39 @@
# -------------------------------------------------------------
# Eglide — nginx configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Default vhost as a catchall when Host: header value doesn't
# match any server name, ie the domain is unknown.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [2001:470:1f12:9e1::2]:80;
listen [2001:470:1f13:9e1:0:c0ff:ee:1]:80;
server_name _;
access_log /var/log/www/unknown_domains-access.log main;
error_log /var/log/www/unknown_domains-error.log;
location / {
return 404;
}
error_page 404 /unknown.html;
location = /unknown.html {
root /var/wwwroot/unknown_domains;
}
}
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
index bbe74dc..20c6c7d 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
@@ -1,64 +1,63 @@
# -------------------------------------------------------------
# Eglide — nginx configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Main vhost receives special responsibilities like serving
# user directories.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name localhost eglide eglide.org eglide.nasqueron.org www.eglide.org [2001:470:1f12:896::2] [2001:470:1f13:896:0:c0de:15:11fe];
root /var/wwwroot/eglide.org/www;
access_log /var/log/www/eglide.org/www-access.log main;
error_log /var/log/www/eglide.org/www-error.log;
###
### SSL
###
include includes/letsencrypt;
include includes/tls;
ssl_certificate /etc/letsencrypt/live/www.eglide.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.eglide.org/privkey.pem;
###
### Main site
###
location / {
index index.html index.htm default.html default.htm;
}
error_page 500 502 503 504 /50x.html;
###
### public_html user directories
###
set $userdir public_html;
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/$userdir$2;
index index.html index.htm;
autoindex on;
}
}
diff --git a/roles/shellserver/web-hosting/files/eglide/wwwroot-unknown/unknown.html b/roles/shellserver/web-hosting/files/eglide/wwwroot-unknown/unknown.html
index 4c4c195..2535b5f 100644
--- a/roles/shellserver/web-hosting/files/eglide/wwwroot-unknown/unknown.html
+++ b/roles/shellserver/web-hosting/files/eglide/wwwroot-unknown/unknown.html
@@ -1,34 +1,33 @@
<!doctype html>
<!--
-------------------------------------------------------------
Nginx configuration
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Project: Nasqueron
- Created: 2016-11-08
License: Trivial work, not eligible to copyright
Source file: roles/shellserver/web-hosting/files/eglide/wwwroot-unknown/unknown.html
-------------------------------------------------------------
<auto-generated>
This file is managed by our rOPS SaltStack repository.
Changes to this file may cause incorrect behavior
and will be lost if the state is redeployed.
</auto-generated>
-->
<html class="no-js" lang="en">
<head>
<meta charset="utf-8"/>
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Eglide</title>
</head>
<body>
<h1>Eglide :: Unknown domain</h1>
<h2>HTTP 404 Not Found</h2>
<p>Eglide allows users to create accounts to host tmux/screen + irssi/weechat or bots for IRC purpose.</p>
<p>It also offers a small HTML web presence.</p>
<p>The domain you seek redirects to one of our IPs, but it hasn't been declared in our webserver.</p>
<p>Contact the domain owner for assistance.</p>
</body>
</html>
diff --git a/roles/shellserver/web-hosting/init.sls b/roles/shellserver/web-hosting/init.sls
index 2880b03..f295087 100644
--- a/roles/shellserver/web-hosting/init.sls
+++ b/roles/shellserver/web-hosting/init.sls
@@ -1,57 +1,56 @@
# -------------------------------------------------------------
# Salt — nginx configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-11-08
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set wwwgroup = "www-data" %}
# -------------------------------------------------------------
# Nginx configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginx_config_files:
file.recurse:
- name: {{ dirs.etc }}/nginx
- source: salt://roles/shellserver/web-hosting/files/{{ grains['id'] }}/nginx
- include_empty: True
- clean: False
- dir_mode: 755
- file_mode: 644
cmd.run:
- name: nginx -s reload
- onchanges:
- file: nginx_config_files
# -------------------------------------------------------------
# Nginx logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/log/www:
file.directory:
- user: root
- group: {{ wwwgroup }}
- dir_mode: 750
/var/log/www/eglide.org:
file.directory:
- user: root
- group: {{ wwwgroup }}
- dir_mode: 750
# -------------------------------------------------------------
# Site to serve when Host: header doesn't match a known vhost
#
# Typically, this occurs when a domain is configured in DNS,
# but not in nginx.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
unknown_domain_files:
file.recurse:
- name: /var/wwwroot/unknown_domains
- source: salt://roles/shellserver/web-hosting/files/{{ grains['id'] }}/wwwroot-unknown
- dir_mode: 755
- file_mode: 644
diff --git a/roles/viperserv/account/files/viperserv.sudoers b/roles/viperserv/account/files/viperserv.sudoers
index 8a4a19f..6f19906 100644
--- a/roles/viperserv/account/files/viperserv.sudoers
+++ b/roles/viperserv/account/files/viperserv.sudoers
@@ -1,27 +1,26 @@
# -------------------------------------------------------------
# ViperServ
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# Source file: roles/viperserv/account/files/viperserv.sudoers
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
{% for account in accounts %}
%nasqueron-irc ALL=({{ account }}) NOPASSWD: ALL{% endfor %}
# Service management
{% for bot in bots %}
{% for command in ["start", "stop", "restart"] %}
%nasqueron-irc ALL= NOPASSWD: /usr/sbin/service {{ bot }} {{ command }}
%nasqueron-irc ALL= NOPASSWD: /usr/sbin/service {{ bot }} one{{ command }}
{% endfor %}
%nasqueron-irc ALL= NOPASSWD: /usr/local/etc/rc.d/{{ bot }}
{% endfor %}
diff --git a/roles/viperserv/account/init.sls b/roles/viperserv/account/init.sls
index d119c67..04f892f 100644
--- a/roles/viperserv/account/init.sls
+++ b/roles/viperserv/account/init.sls
@@ -1,52 +1,51 @@
# -------------------------------------------------------------
# Salt — Deploy ViperServ (eggdrop)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# Description: Eggdrop on Libera
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Service accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in pillar['viperserv_accounts'].items() %}
viperserv_account_{{ username }}:
user.present:
- name: {{ username }}
- fullname: {{ user['fullname'] }}
- uid: {{ user['uid'] }}
- gid: nasqueron-irc
- home: {{ dirs.share }}/{{ username }}
/var/run/{{ username }}:
file.directory:
- user: {{ user['uid'] }}
- group: nasqueron-irc
- dir_mode: 711
{{ dirs.share }}/{{ username }}/.gitconfig:
file.managed:
- source: salt://roles/viperserv/account/files/dot.gitconfig
- mode: 444
{% endfor %}
# -------------------------------------------------------------
# Sudo capabilities
#
# Members of nasqueron-irc should be able to sudo -u viperserv …
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
viperserv_sudo_capabilities_file:
file.managed:
- name: {{ dirs.etc }}/sudoers.d/viperserv
- source: salt://roles/viperserv/account/files/viperserv.sudoers
- template: jinja
- context:
accounts: {{ pillar['viperserv_accounts'] }}
bots: {{ pillar['viperserv_bots'] }}
diff --git a/roles/viperserv/eggdrop/config.sls b/roles/viperserv/eggdrop/config.sls
index b748783..734ba7e 100644
--- a/roles/viperserv/eggdrop/config.sls
+++ b/roles/viperserv/eggdrop/config.sls
@@ -1,108 +1,107 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Directory for configuration
#
# Each bot gets a directory to store userlist, chanlist, motd,
# and specific configuration file.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- dir_mode: 770
{% endfor %}
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/logs/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/logs/{{ botname }}.log:
file.managed:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 660
- replace: False
{% endfor %}
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/core.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-core.conf
- user: viperserv
- group: nasqueron-irc
# This sls_id is declared in terraform/openbao/Makefile for secrets' rotation.
/srv/viperserv/.credentials:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/dot.credentials
- user: viperserv
- group: nasqueron-irc
- mode: 400
- show_changes: False
- template: jinja
- context:
# Database is on cluster B
db:
host: {{ pillar["nasqueron_services"]["db-b"] }}
database: Nasqueron
vault:
approle: {{ salt['credentials.read_secret']('nasqueron/viperserv/vault') }}
addr: {{ pillar["nasqueron_services"]["vault_url"] }}
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}/eggdrop.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-bot.conf
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 755
- template: jinja
- context:
botname: {{ botname }}
realname: {{ bot['realname'] | default(botname) }}
scripts: {{ bot['scripts'] }}
modules: {{ bot['modules'] | default([]) }}
runas: {{ bot['runas'] | default('viperserv') }}
nickserv: {{ bot['nickserv'] | default(False) }}
ip: {{ bot["ip"] | default(False) }}
listen: {{ bot['listen'] | default(False) }}
/srv/viperserv/{{ botname }}/motd:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/motd/{{ botname }}
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/{{ botname }}/banner:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/banner
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- template: jinja
- context:
bot: {{ botname }}
server: {{ grains['id'] }}
{% endfor %}
diff --git a/roles/viperserv/eggdrop/cron.sls b/roles/viperserv/eggdrop/cron.sls
index cfe7ddf..a414bff 100644
--- a/roles/viperserv/eggdrop/cron.sls
+++ b/roles/viperserv/eggdrop/cron.sls
@@ -1,65 +1,64 @@
#!py
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-11-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Data helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_etc_dir():
if __grains__['os'] == 'FreeBSD':
return "/usr/local/etc"
return "/etc"
def get_bin_dir():
if __grains__['os'] == 'FreeBSD':
return "/usr/local/bin"
return "/bin"
def get_eggdrops():
'''Filter eggdrops to select the ones with ensure_is_live: True'''
return [botname
for botname, bot
in __pillar__['viperserv_bots'].items()
if 'ensure_is_live' in bot and bot['ensure_is_live']]
# -------------------------------------------------------------
# Configuration provider
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def run():
script = get_bin_dir() + '/ensure-eggdrops-are-live'
return {
get_etc_dir() + '/eggdrops-live.conf': {'file.managed': [
{'source': 'salt://roles/viperserv/eggdrop/files/eggdrops-live.conf'},
{'template': 'jinja'},
{'context': {
'eggdrops': get_eggdrops()
}},
]},
script: {'file.managed': [
{'source': 'salt://roles/viperserv/eggdrop/files/ensure-eggdrops-are-live.sh'},
{'mode': 755},
]},
'eggdrop_crontab': {'cron.present': [
{'name': script},
{'minute': '*/5'},
{'identifier': 'viperserv.eggdrop'},
]}
}
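Review bot: The `eggdrop_crontab` entry carries no `user`, so the job is installed for the account the minion runs as — root on a default install — while every other state in this role runs the bots as `viperserv` or the per-bot `runas`, and the script it launches is a root-owned 755 file that nothing else constrains. If `ensure-eggdrops-are-live.sh` only needs to restart bots as `viperserv`, add `{'user': 'viperserv'},` next to `{'name': script},`; if it has to switch to each bot's `runas`, a comment above the state saying the root cron is deliberate would stop the next reader from "fixing" it. Separately, `get_etc_dir`/`get_bin_dir` re-derive paths that software.sls takes from `map.jinja` (`dirs.bin`), and the Linux fallback `/bin` is an unusual place for a locally installed helper; consider reading the same map (or `/usr/local/bin`) so both states agree.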
diff --git a/roles/viperserv/eggdrop/init.sls b/roles/viperserv/eggdrop/init.sls
index ba6abd3..e56573e 100644
--- a/roles/viperserv/eggdrop/init.sls
+++ b/roles/viperserv/eggdrop/init.sls
@@ -1,13 +1,12 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-05
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .config
- .service
- .cron
diff --git a/roles/viperserv/eggdrop/service.sls b/roles/viperserv/eggdrop/service.sls
index 5adb409..ed2971e 100644
--- a/roles/viperserv/eggdrop/service.sls
+++ b/roles/viperserv/eggdrop/service.sls
@@ -1,48 +1,47 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set bots = ' '.join(pillar['viperserv_bots'].keys()) %}
# -------------------------------------------------------------
# Install service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/usr/local/etc/rc.d/eggdrop:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/rc/eggdrop
- mode: 755
{% endif %}
# -------------------------------------------------------------
# Configure service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
/etc/rc.conf.d/eggdrop:
file.directory
/etc/rc.conf.d/eggdrop/instances:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/rc/instances
- template: jinja
- context:
bots: {{ bots }}
{% for botname, bot in pillar['viperserv_bots'].items() %}
/etc/rc.conf.d/eggdrop/{{ botname }}:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/rc/per_instance
- template: jinja
- context:
runas: {{ bot['runas'] | default('') }}
botname: {{ botname }}
{% endfor %}
{% endif %}
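Review bot: `runas: {{ bot['runas'] | default('') }}` in the per-instance rc file falls back to an empty string, whereas config.sls (`eggdrop.conf`, `motd`, `banner`) defaults the same key to `viperserv`; a bot without an explicit `runas` therefore gets files owned by `viperserv` but an rc entry with no user, and what the rc script does with an empty value depends on `files/rc/per_instance`, which is not in this hunk. Use the same fallback here, `runas: {{ bot['runas'] | default('viperserv') }}`, or compute it once in a `{% set %}` that both states read, so the service never starts under a different account than the one that owns its configuration.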
diff --git a/roles/viperserv/eggdrop/software.sls b/roles/viperserv/eggdrop/software.sls
index 154e3a5..bb66263 100644
--- a/roles/viperserv/eggdrop/software.sls
+++ b/roles/viperserv/eggdrop/software.sls
@@ -1,90 +1,89 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-05
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Build eggdrop
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set manpage = dirs.man + "/man1/eggdrop.1.gz" %}
eggdrop_software:
file.directory:
- name: /opt/eggdrop
- user: builder
- group: deployment
cmd.run:
- name: install-eggdrop
- runas: builder
- env:
- DEST: /opt/eggdrop
- creates: /opt/eggdrop/eggdrop
{{ dirs.bin }}/eggdrop:
file.symlink:
- target: /opt/eggdrop/eggdrop
- require:
- cmd: eggdrop_software
eggdrop_man:
cmd.run:
- name: gzip < /opt/eggdrop/doc/man1/eggdrop.1 > {{ manpage }}
- creates: {{ manpage }}
- require:
- cmd: eggdrop_software
# -------------------------------------------------------------
# ViperServ directory
#
# Bots specific subdirectories are managed in config.sls
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv:
file.directory:
- user: viperserv
- group: nasqueron-irc
- dir_mode: 770
viperserv_scripts:
git.latest:
- name: https://devcentral.nasqueron.org/source/viperserv.git
- target: /srv/viperserv/scripts
- update_head: False
- user: viperserv
- require:
- file: /srv/viperserv
{% for eggdir in ['doc', 'help', 'language'] %}
/srv/viperserv/{{ eggdir }}:
file.symlink:
- target: /opt/eggdrop/{{ eggdir }}
- user: viperserv
- group: nasqueron-irc
- require:
- cmd: eggdrop_software
{% endfor %}
/srv/viperserv/lib:
file.directory:
- user: viperserv
- group: nasqueron-irc
- dir_mode: 770
/srv/viperserv/logs:
file.directory:
- user: viperserv
- group: nasqueron-irc
- dir_mode: 770
/srv/viperserv/filesys/incoming:
file.directory:
- user: viperserv
- group: nasqueron-irc
- makedirs: True
- dir_mode: 770
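Review bot: `/opt/eggdrop` and the binary built into it belong to `builder`, and `{{ dirs.bin }}/eggdrop` is a symlink into that tree, so the executable the bots run as `viperserv` (and as root, if the cron in cron.sls runs as root) can be replaced by the unprivileged build account; the `doc`/`help`/`language` symlinks under `/srv/viperserv` point into the same tree. If `builder` is not meant to be as trusted as `viperserv`, copy the artefact out instead of linking it, e.g. a `file.copy` with `- source: /opt/eggdrop/eggdrop` and `- mode: 755` so the installed binary is root-owned, or build into a root-owned prefix. `install-eggdrop` is also a bare command resolved through `builder`'s PATH with no version or path pinned; a comment naming where it comes from would help the next reader.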
diff --git a/roles/viperserv/fantoir/files/extract_streets.py b/roles/viperserv/fantoir/files/extract_streets.py
index 78d2374..3b6d301 100644
--- a/roles/viperserv/fantoir/files/extract_streets.py
+++ b/roles/viperserv/fantoir/files/extract_streets.py
@@ -1,36 +1,35 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# FANTOIR — Extract streets
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# Data license: FANTOIR is licensed under Licence Ouverte
# -------------------------------------------------------------
import sys
def extract_streets(filename_source, filename_out):
with open(filename_out, "w") as output, open(filename_source, "r") as input:
for line in input:
# Streets and other « voies » are the record where
# the 109th position (« type de voie ») is 1.
try:
if line[108] == "1":
output.write(line)
except IndexError:
pass
if __name__ == "__main__":
argc = len(sys.argv)
if argc != 3:
print(
"Usage: {} <FANTOIR filename> <street filename>".format(sys.argv[0]),
file=sys.stderr,
)
sys.exit(1)
extract_streets(sys.argv[1], sys.argv[2])
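Review bot: `open(filename_source, "r")` decodes the file with the locale's default encoding, so the column test `line[108]` counts characters rather than bytes; for a fixed-position format, as the comment inside the loop describes, a non-ASCII byte earlier in a record shifts the position under a multibyte codec, and in a `C`/UTF-8 locale a single byte that is not valid UTF-8 aborts the whole run with `UnicodeDecodeError` (the state runs this via `cmd.script` as `viperserv`, where the locale is not guaranteed). Processing records as bytes keeps the positions fixed and is encoding-agnostic: `with open(filename_out, "wb") as output, open(filename_source, "rb") as source:` and `if line[108:109] == b"1":`. With the slice form a short line yields `b""`, so the `try/except IndexError` can go, and renaming `input` to `source` stops shadowing the builtin.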
diff --git a/roles/viperserv/fantoir/init.sls b/roles/viperserv/fantoir/init.sls
index fcc3665..1cab23b 100644
--- a/roles/viperserv/fantoir/init.sls
+++ b/roles/viperserv/fantoir/init.sls
@@ -1,69 +1,68 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# Data license: FANTOIR is licensed under Licence Ouverte
# -------------------------------------------------------------
# -------------------------------------------------------------
# Data directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/data:
file.directory:
- user: viperserv
- group: nasqueron-irc
- dir_mode: 770
/srv/viperserv/data/dist:
file.directory:
- user: viperserv
- group: nasqueron-irc
- dir_mode: 770
# -------------------------------------------------------------
# Fetch and extract data
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/data/dist/fantoir.zip:
file.managed:
- source: {{ pillar['fantoir']['dataset_url'] }}
- source_hash: {{ pillar['fantoir']['dataset_hash'] }}
- user: viperserv
- group: nasqueron-irc
viperserv_fantoir_archive:
archive.extracted:
- name: /srv/viperserv/data
- source: /srv/viperserv/data/dist/fantoir.zip
- enforce_toplevel: False
- user: viperserv
- group: nasqueron-irc
- require:
- file: /srv/viperserv/data/dist/fantoir.zip
/srv/viperserv/data/FANTOIR.txt:
file.symlink:
- target: /srv/viperserv/data/{{ pillar['fantoir']['distname'] }}
- user: viperserv
- group: nasqueron-irc
- require:
- archive: viperserv_fantoir_archive
# -------------------------------------------------------------
# Street data
#
# If the 109th character is "1", this is a 'voie'.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
viperserv_fantoir_streets:
cmd.script:
- source: salt://roles/viperserv/fantoir/files/extract_streets.py
- args: FANTOIR.txt FANTOIR_STREETS.txt
- cwd: /srv/viperserv/data/
- creates: /srv/viperserv/data/FANTOIR_STREETS.txt
- runas: viperserv
- require:
- file: /srv/viperserv/data/FANTOIR.txt
diff --git a/roles/viperserv/fbsql/init.sls b/roles/viperserv/fbsql/init.sls
index 60a5b29..9ad73ae 100644
--- a/roles/viperserv/fbsql/init.sls
+++ b/roles/viperserv/fbsql/init.sls
@@ -1,40 +1,39 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-15
# License: Trivial work, not eligible to copyright
# Data license: FANTOIR is licensed under Licence Ouverte
# -------------------------------------------------------------
# -------------------------------------------------------------
# Build fbsql
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
fbsql_repo:
file.directory:
- name: /opt/fbsql
- user: builder
- group: deployment
- dir_mode: 755
git.latest:
- name: https://devcentral.nasqueron.org/source/fbsql.git
- target: /opt/fbsql
- user: builder
fbsql_build:
cmd.run:
- name: make
- runas: builder
- cwd: /opt/fbsql
- creates: /opt/fbsql/fbsql.so
# -------------------------------------------------------------
# Install fbsql
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/lib/fbsql.so:
file.symlink:
- target: /opt/fbsql/fbsql.so
- user: viperserv
- group: nasqueron-irc
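Review bot: `fbsql_repo` tracks the remote's moving default branch (no `rev`), and the resulting `fbsql.so` is loaded into the bots' process through the `/srv/viperserv/lib/fbsql.so` symlink, so the native code executed as `viperserv` is whatever HEAD held at build time and cannot be audited from this state; pin it with `- rev: <commit or tag>`. `fbsql_build` is also guarded by `creates: /opt/fbsql/fbsql.so`, so after the first build later `git.latest` updates never trigger a rebuild and the checkout silently diverges from the module in use; replacing `creates` with `- onchanges:` / `  - git: fbsql_repo` keeps the two in step. Both the checkout and the `.so` are owned by `builder`, which means that account can replace what the bots load — acceptable only if `builder` is treated as trusted as `viperserv`, and worth a comment either way.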
diff --git a/roles/viperserv/init.sls b/roles/viperserv/init.sls
index ce3e9d1..0562e48 100644
--- a/roles/viperserv/init.sls
+++ b/roles/viperserv/init.sls
@@ -1,25 +1,24 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-05
# License: Trivial work, not eligible to copyright
# _ ___ _____
# | | / (_)___ ___ _____/ ___/___ ______ __
# | | / / / __ \/ _ \/ ___/\__ \/ _ \/ ___/ | / /
# | |/ / / /_/ / __/ / ___/ / __/ / | |/ /
# |___/_/ .___/\___/_/ /____/\___/_/ |___/
# /_/
#
# [ 1993 technology for 2017 hackers ]
#
# -------------------------------------------------------------
include:
- .account
- .eggdrop
- .fbsql
- .fantoir
- .rabbitmq-tcl
- .software
- .wikidata-access-layer
diff --git a/roles/viperserv/rabbitmq-tcl/init.sls b/roles/viperserv/rabbitmq-tcl/init.sls
index 9db3e18..34e58b0 100644
--- a/roles/viperserv/rabbitmq-tcl/init.sls
+++ b/roles/viperserv/rabbitmq-tcl/init.sls
@@ -1,59 +1,58 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-17
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import packages with context %}
# -------------------------------------------------------------
# Build rabbitmq-tcl
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rabbitmq-tcl_dependencies:
pkg.installed:
- pkgs:
- {{ packages.librabbitmq }}
rabbitmq-tcl_repo:
file.directory:
- name: /opt/rabbitmq-tcl
- user: builder
- group: deployment
- dir_mode: 755
git.latest:
- name: https://devcentral.nasqueron.org/source/rabbitmq-tcl.git
- target: /opt/rabbitmq-tcl
- user: builder
rabbitmq-tcl_build:
{% if grains['os'] == 'FreeBSD' %}
file.managed:
- name: /opt/rabbitmq-tcl/Makefile-FreeBSD.patch
- source: salt://roles/viperserv/rabbitmq-tcl/files/Makefile-FreeBSD.patch
- user: builder
- group: deployment
cmd.run:
- name: |
patch -p1 < Makefile-FreeBSD.patch
cd src/
gmake
{% else %}
cmd.run:
- name: cd src && make
{% endif %}
- runas: builder
- cwd: /opt/rabbitmq-tcl
- creates: /opt/rabbitmq-tcl/build/rabbitmq.so
# -------------------------------------------------------------
# Install rabbitmq-tcl
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/lib/rabbitmq.so:
file.symlink:
- target: /opt/rabbitmq-tcl/build/rabbitmq.so
- user: viperserv
- group: nasqueron-irc
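Review bot: On FreeBSD `rabbitmq-tcl_build` applies `Makefile-FreeBSD.patch` with a shell `patch -p1` inside a checkout that `rabbitmq-tcl_repo` keeps pulling with `git.latest`; once applied the worktree is modified, so a later upstream change to the patched Makefile will likely make the pull fail (or, with `force_reset`, silently undo the patch), and because `creates: /opt/rabbitmq-tcl/build/rabbitmq.so` guards the build nothing is rebuilt either way, so the module the bots load drifts from the checkout. php-builder/source.sls in this same diff uses the `file.patch` state for the same job; using it here (it is idempotent and reports changes) and driving the build with `onchanges` on the git state instead of `creates` would keep the checkout, the patch and the `.so` in step. Pin `rev` as well, since this `.so` is loaded into the bot process.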
diff --git a/roles/viperserv/software/init.sls b/roles/viperserv/software/init.sls
index 1204fde..c669cad 100644
--- a/roles/viperserv/software/init.sls
+++ b/roles/viperserv/software/init.sls
@@ -1,36 +1,35 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-17
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Software used by Dæghrefn
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
daeghrefn_software:
pkg.installed:
- pkgs:
- tcl-Trf
- tcludp
- yt-dlp
# Dæghrefn also need php, ps, grep
# Gerrit code needs ssh, ssh-agent and ssh-add
# -------------------------------------------------------------
# Software used by TC2
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# TC2 needs logins, pw, mkdir, chown, hostname, id, sockstat, su, cat
# /usr/local/etc/rc.d/nginx, /usr/local/etc/rc.d/php-fpm,
# /usr/local/etc/rc.d/jenkins
# Those are expected to be on the system administrated.
# -------------------------------------------------------------
# Software used by vendor scripts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# bseen requires cp
diff --git a/roles/viperserv/wikidata-access-layer/code.sls b/roles/viperserv/wikidata-access-layer/code.sls
index 0eb3619..61160b6 100644
--- a/roles/viperserv/wikidata-access-layer/code.sls
+++ b/roles/viperserv/wikidata-access-layer/code.sls
@@ -1,31 +1,30 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-06
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
daeghrefn_wikidata_access_layer:
file.directory:
- name: /srv/wikidata-access-layer
- user: deploy
git.latest:
- name: https://devcentral.nasqueron.org/source/Daeghrefn-Wikidata.git
- target: /srv/wikidata-access-layer
- user: deploy
{{ dirs.share }}/viperserv/bin:
file.directory:
- user: viperserv
- group: nasqueron-irc
{% for script in ['create_given_name', 'create_surname'] %}
{{ dirs.share }}/viperserv/bin/{{ script }}:
file.symlink:
- target: /srv/wikidata-access-layer/{{ script }}
- user: viperserv
- group: nasqueron-irc
{% endfor %}
diff --git a/roles/viperserv/wikidata-access-layer/config.sls b/roles/viperserv/wikidata-access-layer/config.sls
index b780103..09bf2c8 100644
--- a/roles/viperserv/wikidata-access-layer/config.sls
+++ b/roles/viperserv/wikidata-access-layer/config.sls
@@ -1,14 +1,13 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/srv/viperserv/user-config.py:
file.managed:
- source: salt://roles/viperserv/wikidata-access-layer/files/user-config.py
- user: viperserv
- group: nasqueron-irc
- chmod: 644
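Review bot: `- chmod: 644` is not an argument of `file.managed`; the permission argument is `mode`, so as far as I can tell the intended permissions are never applied and the file keeps whatever the minion's umask produces. Change it to `- mode: 644`. The file currently only sets pywikibot's `usernames` entry for `DæghrefnBot`, but if a password or OAuth token is ever placed next to it a world-readable mode would be too wide; a one-line comment on the state noting that it must hold no secrets would make that boundary explicit.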
diff --git a/roles/viperserv/wikidata-access-layer/files/user-config.py b/roles/viperserv/wikidata-access-layer/files/user-config.py
index 93b7f5b..e2243b1 100644
--- a/roles/viperserv/wikidata-access-layer/files/user-config.py
+++ b/roles/viperserv/wikidata-access-layer/files/user-config.py
@@ -1,20 +1,19 @@
# -------------------------------------------------------------
# Pywikibot
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Created: 2017-11-15
# License: Trivial work, not eligible to copyright
# Source file: roles/viperserv/wikidata-access-layer/files/user-config.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
mylang = "wikidata"
family = "wikidata"
usernames["wikidata"]["wikidata"] = "DæghrefnBot"
console_encoding = "utf-8"
diff --git a/roles/viperserv/wikidata-access-layer/init.sls b/roles/viperserv/wikidata-access-layer/init.sls
index 11c1100..044d4cb 100644
--- a/roles/viperserv/wikidata-access-layer/init.sls
+++ b/roles/viperserv/wikidata-access-layer/init.sls
@@ -1,12 +1,11 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-06
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .pywikibot
- .code
- .config
diff --git a/roles/viperserv/wikidata-access-layer/pywikibot.sls b/roles/viperserv/wikidata-access-layer/pywikibot.sls
index 52f8bcd..024d301 100644
--- a/roles/viperserv/wikidata-access-layer/pywikibot.sls
+++ b/roles/viperserv/wikidata-access-layer/pywikibot.sls
@@ -1,34 +1,33 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-06
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import packages_prefixes with context %}
pywikibot_dependencies:
pkg.installed:
- pkgs:
- {{ packages_prefixes.python3 }}requests
pywikibot_software:
file.directory:
- name: /opt/pywikibot
- user: deploy
git.latest:
- name: https://github.com/nasqueron/pywikibot.git
- branch: production
- submodules: True
- target: /opt/pywikibot
- user: deploy
- require:
- pkg: pywikibot_dependencies
pywikibot_install_package:
cmd.run:
- name: python3 setup.py install
- cwd: /opt/pywikibot
- onchanges:
- git: pywikibot_software
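Review bot: `pywikibot_install_package` runs `python3 setup.py install` with no `runas`, so it executes as the minion's account (root on a default install) from a checkout that `file.directory` makes `deploy`-owned and that `git.latest` updates as `deploy`; whoever can write as `deploy`, or push to the `production` branch of the GitHub fork (tracked by branch name, no `rev` pin), therefore gets code run as root on the next change. Either install as the checkout owner into a prefix it owns — e.g. `- name: python3 -m venv /opt/pywikibot/venv && /opt/pywikibot/venv/bin/pip install .` with `- runas: deploy`, pointing the viperserv scripts at that interpreter — or keep the system-wide install but make the checkout root-owned by dropping `user: deploy` from both states. Pinning `rev` to a commit would additionally make the deployed code reviewable rather than whatever HEAD is.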
diff --git a/roles/webserver-alkane/nginx/files/includes/pluton b/roles/webserver-alkane/nginx/files/includes/pluton
index b104ad9..8ba0302 100644
--- a/roles/webserver-alkane/nginx/files/includes/pluton
+++ b/roles/webserver-alkane/nginx/files/includes/pluton
@@ -1,37 +1,36 @@
# -------------------------------------------------------------
# Configuration for Keruald/Pluton web sites
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Sébastien Santoro aka Dereckson
-# Created: 2017-11-24
# Project: Keruald
# Description: nginx
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-alkane/nginx/files/includes/pluton
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
index index.html index.php index.htm;
location / {
try_files $uri @app;
}
location ~ \.html$ {
fastcgi_pass unix:/var/run/web/$server_name/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
include includes/fastcgi;
}
location @app {
fastcgi_pass unix:/var/run/web/$server_name/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
include includes/fastcgi;
}
diff --git a/roles/webserver-content/org/eglide/www.sls b/roles/webserver-content/org/eglide/www.sls
index 0536ac9..4597922 100644
--- a/roles/webserver-content/org/eglide/www.sls
+++ b/roles/webserver-content/org/eglide/www.sls
@@ -1,36 +1,35 @@
# -------------------------------------------------------------
# Salt — Provision www.eglide.org website
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Eglide
-# Created: 2016-09-12
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Deploy /opt/staging/wwwroot/eglide.org/www to www.eglide.org
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% set wwwroot = salt['node.get_wwwroot']() %}
{% set wwwuser = "www-data" %}
{% set wwwgroup = "www-data" %}
/var/{{ wwwroot }}:
file.directory:
- user: {{ wwwuser }}
- group: {{ wwwgroup }}
- dir_mode: 711
- makedirs: True
wwwroot_server:
file.recurse:
- name: /var/{{ wwwroot }}
- source: salt://{{ wwwroot }}
- exclude_pat: E@.git
- include_empty: True
- clean: True
- user: {{ wwwuser }}
- group: {{ wwwgroup }}
- dir_mode: 711
- file_mode: 644
{% endif %}
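Review bot: The template ends with `{% endif %}` but, as far as this hunk shows (it spans the whole file, `@@ -1,36 +1,35 @@`), there is no matching `{% if %}`, so Jinja should reject the file with an unknown-tag error on every highstate that includes it; unless a line was lost in extraction, either drop the stray `{% endif %}` or restore the condition it once closed. Restoring matters more than deleting: `wwwroot_server` has `clean: True`, so if the condition used to select which minion receives this state, running it unconditionally would wipe whatever else lives under `/var/{{ wwwroot }}` on the wrong host.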
diff --git a/roles/webserver-content/org/nasqueron/social.sls b/roles/webserver-content/org/nasqueron/social.sls
index 6a6ac3d..ab17e21 100644
--- a/roles/webserver-content/org/nasqueron/social.sls
+++ b/roles/webserver-content/org/nasqueron/social.sls
@@ -1,16 +1,15 @@
# -------------------------------------------------------------
# Salt — Provision social.nasqueron.org public directories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-13
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/srv/data/mastodon/public/support:
file.recurse:
- source: salt://wwwroot/nasqueron.org/mastodon/support
- exclude_pat: E@.git
- include_empty: True
- clean: True
- dir_mode: 711
- file_mode: 644
diff --git a/roles/webserver-content/org/wolfplex/www.sls b/roles/webserver-content/org/wolfplex/www.sls
index 3393d95..dff9a39 100644
--- a/roles/webserver-content/org/wolfplex/www.sls
+++ b/roles/webserver-content/org/wolfplex/www.sls
@@ -1,23 +1,22 @@
# -------------------------------------------------------------
# Salt — Provision www.wolfplex.org static subdirectories
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-22
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/var/wwwroot/wolfplex.org/www/2013:
file.recurse:
- source: salt://software/wolfplex/web-campaigns-2013
- exclude_pat: E@.git
- include_empty: True
- clean: True
- dir_mode: 755
- file_mode: 644
- user: wolfplex.org
- group: web
/var/dataroot/wolfplex:
file.directory:
- user: web-org-wolfplex-www
- group: web
diff --git a/roles/webserver-core/init.sls b/roles/webserver-core/init.sls
index f705861..138cc10 100644
--- a/roles/webserver-core/init.sls
+++ b/roles/webserver-core/init.sls
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-25
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .nginx
- .tools
diff --git a/roles/webserver-core/tools/files/autochmod.sh b/roles/webserver-core/tools/files/autochmod.sh
index de02bf7..bd72217 100644
--- a/roles/webserver-core/tools/files/autochmod.sh
+++ b/roles/webserver-core/tools/files/autochmod.sh
@@ -1,39 +1,38 @@
#!/bin/sh
# -------------------------------------------------------------
# Default permissions for a secure webserver installation
# Compliant with SuEXEC or php-fpm pools
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Created: 2017-01-24
# License: Trivial work, not eligible to copyright
# Source file: roles/webserver-legacy/files/autochmod.sh
# Usage: autochmod [for dirs] [for files] [for scripts]
# (by default use 711, 644 and 700)
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
DIR_CHMOD=${1:-711}
FILE_CHMOD=${2:-644}
SCRIPT_CHMOD=${3-700}
find . -type d -print0 | xargs -0 chmod "$DIR_CHMOD"
# By default, functions should be edited
find . -type f -print0 | xargs -0 chmod "$FILE_CHMOD"
# Avoid application code to be world-readable,
# to protect files with credentials exposure.
# They are marked executable to be allowed as CGI.
find . -type f -iname "*.php" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.php3" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.phps" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.tcl" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.cgi" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.pl" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
find . -type f -iname "*.py" -print0 | xargs -0 chmod "$SCRIPT_CHMOD"
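Review bot: The banner line `# Source file: roles/webserver-legacy/files/autochmod.sh` names a path that is not where the file lives (`roles/webserver-core/tools/files/autochmod.sh` per the diff header), so the auto-generated notice sends an operator to the wrong place; update it to the current path. `SCRIPT_CHMOD=${3-700}` also differs from the two lines above it: `${3-700}` keeps an explicitly empty third argument, which ends up as `chmod ""`, whereas `${1:-711}` and `${2:-644}` fall back on empty; use `SCRIPT_CHMOD=${3:-700}`. The comment `# By default, functions should be edited` above the plain-file pass does not describe that line; something like `# Regular files: FILE_CHMOD (644 by default, see usage)` would match the header.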
diff --git a/roles/webserver-core/tools/files/list-nginx-vhosts.tcl b/roles/webserver-core/tools/files/list-nginx-vhosts.tcl
index b7516c2..46f827c 100644
--- a/roles/webserver-core/tools/files/list-nginx-vhosts.tcl
+++ b/roles/webserver-core/tools/files/list-nginx-vhosts.tcl
@@ -1,61 +1,60 @@
#!/usr/bin/env tclsh8.6
# -------------------------------------------------------------
# List nginx vhosts configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-24
# License: BSD-2-Clause
# Source file: roles/webserver-core/tools/files/list-nginx-vhosts.tcl
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# List
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
proc list_nginx_vhosts {} {
foreach file [get_vhosts_files] {
puts " include $file;"
}
}
proc get_vhosts_files {} {
lsort [glob [get_vhosts_path]]
}
proc get_vhosts_path {} {
join [list [get_local_etc] nginx vhosts *.conf] [file separator]
}
# -------------------------------------------------------------
# /etc or /usr/local/etc?
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
proc get_local_etc {} {
if {[is_bsd_os]} {
return "/usr/local/etc"
} {
return "/etc"
}
}
proc is_bsd_os {} {
lcontains [exec uname] {FreeBSD OpenBSD NetBSD DragonFly Darwin}
}
proc lcontains {needle haystack} {
expr [lsearch $haystack $needle] >= 0
}
# -------------------------------------------------------------
# Procedural code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
list_nginx_vhosts
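Review bot: `get_vhosts_files` calls `glob` without `-nocomplain`, and Tcl's `glob` raises "no files matched glob pattern" when the directory holds no `*.conf`, so on a freshly provisioned webserver the tool exits with an error instead of printing nothing; use `lsort [glob -nocomplain [get_vhosts_path]]`. In `lcontains`, `lsearch` defaults to glob matching, so the `uname` output is treated as a pattern rather than a literal; `expr {[lsearch -exact $haystack $needle] >= 0}` is both exact and braced, which also avoids the double substitution an unbraced `expr` performs on its argument.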
diff --git a/roles/webserver-core/tools/init.sls b/roles/webserver-core/tools/init.sls
index d547fb1..71b240a 100644
--- a/roles/webserver-core/tools/init.sls
+++ b/roles/webserver-core/tools/init.sls
@@ -1,30 +1,29 @@
# -------------------------------------------------------------
# Salt — Helper tools for nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-10-24
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages with context %}
# -------------------------------------------------------------
# Dependencies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ packages.tcl }}:
pkg.installed
# -------------------------------------------------------------
# Salt — Helper tools for nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/list-nginx-vhosts-conf:
file.managed:
- mode: 755
- source: salt://roles/webserver-core/tools/files/list-nginx-vhosts.tcl
{{ dirs.bin }}/autochmod:
file.managed:
- mode: 755
- source: salt://roles/webserver-core/tools/files/autochmod.sh
diff --git a/roles/webserver-legacy/php-builder/init.sls b/roles/webserver-legacy/php-builder/init.sls
index 3ab43b9..0951fd9 100644
--- a/roles/webserver-legacy/php-builder/init.sls
+++ b/roles/webserver-legacy/php-builder/init.sls
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
# Salt — Compile custom PHP builds
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .source
diff --git a/roles/webserver-legacy/php-builder/software.sls b/roles/webserver-legacy/php-builder/software.sls
index baf179d..dd3924e 100644
--- a/roles/webserver-legacy/php-builder/software.sls
+++ b/roles/webserver-legacy/php-builder/software.sls
@@ -1,16 +1,15 @@
# -------------------------------------------------------------
# Salt — Compile custom PHP builds
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-17
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# PHP dependencies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
php_builder_dependencies:
pkg.installed:
- pkgs:
- libmcrypt
diff --git a/roles/webserver-legacy/php-builder/source.sls b/roles/webserver-legacy/php-builder/source.sls
index 6ae4dc5..d28a5d1 100644
--- a/roles/webserver-legacy/php-builder/source.sls
+++ b/roles/webserver-legacy/php-builder/source.sls
@@ -1,164 +1,163 @@
#!py
# -------------------------------------------------------------
# Salt — Compile custom PHP builds
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-16
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Builds and versions helper methods
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_custom_builds():
return __pillar__.get("php_custom_builds", {})
def get_release_builds():
return {
name: build
for (name, build) in get_custom_builds().items()
if build["mode"] == "release"
}
def get_release_versions():
versions = [
(build["version"], build["hash"]) for build in get_release_builds().values()
]
return set(versions)
def get_archive_path(version):
return "/opt/php/_archives/php-" + version + ".tar.bz2"
def get_build_directories():
return [get_build_directory(build) for build in get_custom_builds()]
def get_build_directory(build):
return "/opt/php/_builds/" + build
def get_install_directory(build):
return "/opt/php/" + build
def get_extract_archive_command(archive, directory):
return "tar xjf " + archive + " --strip-components=1 -C " + directory
# -------------------------------------------------------------
# ./configure
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_configure(version, build):
if version.startswith("5.6"):
cmd = (
"./configure --prefix=/opt/php/{target} --disable-cgi "
"--enable-fpm --with-fpm-user=app --with-fpm-group=app "
"--enable-mysqlnd --enable-bcmath --with-bz2 --enable-calendar "
"--with-curl --with-gd --with-jpeg-dir --enable-gd-native-ttf "
"--enable-mbstring --with-mcrypt --with-mysqli --with-pdo-mysql "
"--enable-pcntl --with-xsl --with-readline "
"--with-openssl=/opt/openssl-legacy "
"--with-zlib --enable-zip"
)
return cmd.format(target=build)
raise Exception("Unknown ./configure for PHP v" + version)
# -------------------------------------------------------------
# Configuration provider
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def run():
config = {}
builder_user = "builder"
build_directories = get_build_directories()
directories_to_create = ["/opt/php", "/opt/php/_archives", "/opt/php/_builds"]
# Task: create directories
directories_to_create.extend(build_directories)
for directory in directories_to_create:
config[directory] = {"file.directory": [{"user": builder_user}]}
# Task: fetch archives
for version, archive_hash in get_release_versions():
archive = get_archive_path(version)
url = "https://www.php.net/distributions/php-" + version + ".tar.bz2"
config[archive] = {
"file.managed": [
{"source": url},
{"source_hash": archive_hash},
{"user": builder_user},
]
}
# Task: extract archives to build directories
for build_name, build in get_release_builds().items():
archive = get_archive_path(build["version"])
directory = get_build_directory(build_name)
command = get_extract_archive_command(archive, directory)
config["php_build_" + build_name + "_phase1_extract"] = {
"cmd.run": [
{"name": command},
{"runas": builder_user},
{"creates": directory + "/configure.in"},
]
}
if build["version"] < "7":
# New versions of Onigurama requires a patch not merged in 5.6.38
# See https://bugs.php.net/bug.php?id=76113
config["php_build_" + build_name + "_phase1_patch"] = {
"file.patch": [
{"name": directory + "/ext/mbstring/php_mbregex.c"},
{
"source": "salt://roles/webserver-legacy/php-builder/files/fix-bug-76113.patch"
},
]
}
# Task: build PHP
# Task: install PHP
for build_name, build in get_custom_builds().items():
build_directory = get_build_directory(build_name)
install_directory = get_install_directory(build_name)
config["php_build_" + build_name + "_phase2_compile"] = {
"cmd.run": [
{
"names": [
get_configure(build["version"], build_name),
"make",
"touch .built",
]
},
{"cwd": build_directory},
{"runas": builder_user},
{"creates": build_directory + "/.built"},
]
}
config["php_build_" + build_name + "_phase2_install"] = {
"cmd.run": [
{"name": "make install"},
{"cwd": build_directory},
{"creates": install_directory + "/bin/php"},
]
}
return config
diff --git a/top.sls b/top.sls
index 48e985a..37ba6f7 100644
--- a/top.sls
+++ b/top.sls
@@ -1,67 +1,66 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- roles/core
- roles/webserver-content
'local':
- roles/salt-primary
'ysul':
- roles/builder
- roles/dbserver-mysql
- roles/devserver
- roles/webserver-core
- roles/webserver-legacy
- roles/webserver-varnish
'windriver':
- roles/builder
- roles/dbserver-mysql
- roles/dbserver-pgsql
- roles/devserver
- roles/dns
- roles/freebsd-repo # depends of devserver/datacube, builder
- roles/grafana
- roles/netbox
- roles/prometheus
- roles/redis
- roles/reports # depends of builder
- roles/saas-nextcloud
- roles/viperserv
- roles/webserver-alkane
- roles/webserver-core
'cloudhugger':
- roles/opensearch
'db-a-001':
- roles/dbserver-pgsql
'db-b-001':
- roles/dbserver-mysql
'dns-001':
- roles/dns
'docker-002':
- roles/paas-docker
'dwellers':
- roles/paas-docker
- roles/paas-lxc/lxc
- roles/saas-airflow
'eglide':
- roles/webserver-core
- roles/shellserver
'hervil':
- roles/mailserver
- roles/webserver-core
- roles/webserver-alkane
'router-002':
- roles/router
'router-003':
- roles/router
'web-001':
- roles/webserver-core
- roles/webserver-alkane
- roles/saas-mediawiki
- roles/saas-wordpress
diff --git a/utils/dump-py-state.py b/utils/dump-py-state.py
index 40d24f9..6140cdc 100755
--- a/utils/dump-py-state.py
+++ b/utils/dump-py-state.py
@@ -1,99 +1,98 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# rOPS — compile a #!py .sls file and dump the result in YAML
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-10-17
# Description: Read the web_content_sls pillar entry
# and regenerate the webserver-content include.
# License: BSD-2-Clause
# -------------------------------------------------------------
import os
import subprocess
import sys
import yaml
# -------------------------------------------------------------
# Pillar helper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def get_pillar_files(pillar_directory):
pillar_files = []
for dir_path, dir_names, file_names in os.walk(pillar_directory):
files = [
os.path.join(dir_path, file_name)
for file_name in file_names
if file_name.endswith(".sls")
]
pillar_files.extend(files)
return pillar_files
def load_pillar(pillar_directory):
pillar = {}
for pillar_file in get_pillar_files(pillar_directory):
data = yaml.safe_load(open(pillar_file, "r"))
pillar.update(data)
return pillar
# -------------------------------------------------------------
# Grains helper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def system(args):
result = subprocess.run(args, stdout=subprocess.PIPE)
return result.stdout.decode("utf-8").strip()
# -------------------------------------------------------------
# Source code helper
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def run_shim():
return "\n\nif __name__ == '__main__':\n\tprint(yaml.dump(run(), default_flow_style=False))"
def assemble_source_code(filename):
with open(filename, "r") as fd:
source_code = fd.read()
return source_code + run_shim()
# -------------------------------------------------------------
# Run task
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if __name__ == "__main__":
argc = len(sys.argv)
if argc < 2:
print("Usage: dump-py-state.py <sls file>", file=sys.stderr)
exit(1)
sls_file = sys.argv[1]
try:
source_code_to_dump = assemble_source_code(sls_file)
except OSError as ex:
print(ex, file=sys.stderr)
exit(ex.errno)
__pillar__ = load_pillar("pillar")
__grains__ = {"os": system(["uname", "-o"])}
exec(source_code_to_dump)
diff --git a/utils/generate-freebsd-repo-fingerprint.sh b/utils/generate-freebsd-repo-fingerprint.sh
index f39c5a4..cf47262 100755
--- a/utils/generate-freebsd-repo-fingerprint.sh
+++ b/utils/generate-freebsd-repo-fingerprint.sh
@@ -1,28 +1,27 @@
#!/bin/sh
# -------------------------------------------------------------
# rOPS — regenerate FreeBSD Nasqueron repository fingerprint
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-03-30
# Description: Read the FreeBSD Nasqueron repository public key
# and regenerate the fingerprint.
# -------------------------------------------------------------
KEY=/usr/local/etc/freebsd-pkg-repo/key/repo.pub
KEYS_DIR=roles/devserver/pkg/files/keys/trusted
FINGERPRINT=$KEYS_DIR/packages.nasqueron.org.$(date '+%Y%m%d01')
usage() {
echo "You should run this script on the package builder server."
echo "If you need to first regenerate the repository keys,"
echo "invoke Salt with state.apply roles/freebsd-repo"
exit 1
}
[ -f $KEY ] || usage
command -v sha256 >/dev/null 2>&1 || usage
mkdir -p $KEYS_DIR
echo "function: sha256" > "$FINGERPRINT"
echo "fingerprint: $(sha256 -q $KEY)" >> "$FINGERPRINT"
diff --git a/utils/migrate-ssh-keys.py b/utils/migrate-ssh-keys.py
index c51a282..d549415 100755
--- a/utils/migrate-ssh-keys.py
+++ b/utils/migrate-ssh-keys.py
@@ -1,113 +1,112 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# rOPS — migrate SSH keys from file to Salt state
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-11-09
# Description: Read a dictionary, and for each key, find in
# a specified folder a data file. Add data from
# this file to the dictionary. Output in YAML.
# License: BSD-2-Clause
# -------------------------------------------------------------
# -------------------------------------------------------------
# Table of contents
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# :: Configuration
# :: YAML style
# :: Update code
# :: Run task
#
# -------------------------------------------------------------
import os
import yaml
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Where is located the dictionary to update?
state_file = "pillar/core/users.sls"
state_key = "shellusers"
# Where are located the data fileS?
data_path = "roles/shellserver/users/files/ssh_keys/"
# What property should get the data and be added if missing in the dict?
state_data_property = "ssh_keys"
# -------------------------------------------------------------
# YAML style
#
# Allows indented lists in dump
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
class SaltStyleDumper(yaml.Dumper):
def increase_indent(self, flow=False, indentless=False):
return super(SaltStyleDumper, self).increase_indent(flow, False)
# -------------------------------------------------------------
# Update code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def do_update():
state = read_state()
update_state(state)
print(dump_state(state))
def read_state():
fd = open(state_file, "r")
states = yaml.safe_load(fd.read())
fd.close()
return states[state_key]
def update_state(state):
for key in state:
if state_data_property not in state[key]:
state[key][state_data_property] = read_data(key)
def read_data(key):
path = data_path + key
if not os.path.exists(path):
return []
return [line.strip() for line in open(path, "r") if is_value_line(line)]
def is_value_line(line):
if line.startswith("#"):
return False
if line.strip() == "":
return False
return True
def dump_state(state):
return yaml.dump(
{state_key: state}, default_flow_style=False, Dumper=SaltStyleDumper, width=1000
)
# -------------------------------------------------------------
# Run task
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
do_update()
diff --git a/utils/reformat.py b/utils/reformat.py
index 9f5b195..164710b 100755
--- a/utils/reformat.py
+++ b/utils/reformat.py
@@ -1,69 +1,68 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Salt — Reformat Salt states and source code files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-26
# License: BSD-2-Clause
# Description: This script detects multi-lines patterns
# and rewrite them to apply the new style.
#
# Before: \n BLOCK_START [...] BLOCK_START
# After: \n BLOCK_START [...] BLOCK_END
# -------------------------------------------------------------
import sys
BLOCK_START = "# -------------------------------------------------------------\n"
BLOCK_END = "# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n"
def usage():
print(f"usage: {sys.argv[0]} <file to reformat>", file=sys.stderr)
class Reformater:
def __init__(self, file):
self.file = file
self.pattern_detection_counter = 0
def reformat_inline(self):
buffer = []
with open(self.file, "r+") as fd:
for line in fd:
buffer.append(self.reformat_line(line))
fd.seek(0)
fd.truncate()
fd.writelines(buffer)
def reformat_line(self, line):
if self.pattern_detection_counter == 0 and line == "\n":
self.pattern_detection_counter += 1
elif self.pattern_detection_counter == 1 and line == BLOCK_START:
self.pattern_detection_counter += 1
elif self.pattern_detection_counter == 2:
if line == BLOCK_END:
# We're probably in a header block or a correct one, so skip
self.pattern_detection_counter = 0
elif line == BLOCK_START:
# We've got a winner
self.pattern_detection_counter = 0
return BLOCK_END
elif not line.startswith("#"):
# Let's go on, it's a multiline comments block
self.pattern_detection_counter = 0
else:
self.pattern_detection_counter = 0
return line
if __name__ == "__main__":
if len(sys.argv) < 2:
usage()
sys.exit(1)
file_to_reformat = sys.argv[1]
Reformater(file_to_reformat).reformat_inline()
