D2761.id7579.diff
diff --git a/PORTS b/PORTS
--- a/PORTS
+++ b/PORTS
@@ -17,6 +17,8 @@
paas-docker
5000 Docker registry HTTP
9090 Openfire HTTP
+ 17080 Penpot - back-end
+ 17300 Penpot - exporter
19080 Nasqueron API - Datasources
20080 Nasqueron API - Docker registry API
22220 Phabricator Aphlict (client)
@@ -44,6 +46,7 @@
46080 Airflow - HTTP
46555 Airflow - Flower
47080 Jenkins HTTP - Test
+ 48080 Vault - Notifications - Integration
50000 Jenkins controller's port for JNLP-based Jenkins agents - CD
52000 Jenkins controller's port for JNLP-based Jenkins agents - Test
55000 Jenkins controller's port for JNKP-based Jenkins agents - CI
diff --git a/_modules/convert.py b/_modules/convert.py
--- a/_modules/convert.py
+++ b/_modules/convert.py
@@ -80,3 +80,10 @@
return salt.serializers.yaml.serialize(
_to_dictionary(data, root), default_flow_style=False
)
+
+
+def to_flags(data, enable_prefix="enable-", separator=" "):
+ """
+ A function to convert a list of flags in a string to enable them.
+ """
+ return separator.join([enable_prefix + item for item in data])
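Review bot: The docstring on `to_flags` does not say what `data` holds or what the function returns, and its wording ("a list of flags in a string to enable them") is hard to parse. I would replace it with `Join each flag name in data as enable_prefix + flag, separated by separator, and return the resulting string, e.g. ["foo", "bar"] -> "enable-foo enable-bar".` A plain str passed as `data` is iterated character by character, so the docstring should also state that `data` is expected to be an iterable of flag names. The list comprehension inside `join` could be a generator expression, but that is cosmetic.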
diff --git a/_modules/paas_docker.py b/_modules/paas_docker.py
--- a/_modules/paas_docker.py
+++ b/_modules/paas_docker.py
@@ -91,6 +91,20 @@
]
+# -------------------------------------------------------------
+# Nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def resolve_vhost_config_file(service, dir="roles/paas-docker/nginx/files/vhosts"):
+ candidate = f"{dir}/{service}.conf"
+
+ if __salt__["slsutil.file_exists"](candidate):
+ return candidate
+
+ return f"{dir}/_default.conf"
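Review bot: `resolve_vhost_config_file` has no docstring, and its `dir` parameter shadows the builtin; the new tests call it with `dir=` as a keyword, so renaming would be an interface change and the shadowing is better noted than fixed here. I would add a docstring along the lines of `Return the fileserver-relative path of the nginx vhost template for service, falling back to <dir>/_default.conf when no service-specific file exists.` The lookup goes through `__salt__["slsutil.file_exists"]`, so the returned path is only meaningful on the Salt fileserver, which the caller in nginx/config.sls prefixes with `salt://` — worth stating in the docstring since nothing in this module shows it.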
+
+
# -------------------------------------------------------------
# Monitoring
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/_tests/data/empty.conf b/_tests/data/empty.conf
new file mode 100644
diff --git a/_tests/modules/test_convert.py b/_tests/modules/test_convert.py
new file mode 100755
--- /dev/null
+++ b/_tests/modules/test_convert.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+from importlib.machinery import SourceFileLoader
+import unittest
+
+salt_test_case = SourceFileLoader("salt_test_case", "salt_test_case.py").load_module()
+convert = SourceFileLoader("rust", "../_modules/convert.py").load_module()
+
+
+class Testinstance(unittest.TestCase, salt_test_case.SaltTestCase):
+ def setUp(self):
+ self.initialize_mocks()
+ self.instance = convert
+
+ def test_to_flags(self):
+ features = ["foo", "bar"]
+
+ self.assertEqual("enable-foo enable-bar", convert.to_flags(features))
+
+
+if __name__ == "__main__":
+ unittest.main()
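Review bot: On the `convert = SourceFileLoader(...)` line the module is registered under the name `"rust"`, which looks like a copy-paste leftover from another test; the name is what appears in tracebacks and `sys.modules`, so it should be `convert = SourceFileLoader("convert", "../_modules/convert.py").load_module()`. The test only covers the default prefix and separator; a second assertion such as `self.assertEqual("--foo,--bar", convert.to_flags(features, enable_prefix="--", separator=","))` would pin the keyword arguments as well.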
diff --git a/_tests/modules/test_paas_docker.py b/_tests/modules/test_paas_docker.py
--- a/_tests/modules/test_paas_docker.py
+++ b/_tests/modules/test_paas_docker.py
@@ -1,6 +1,7 @@
#!/usr/bin/env python3
from importlib.machinery import SourceFileLoader
+import os
import unittest
salt_test_case = SourceFileLoader("salt_test_case", "salt_test_case.py").load_module()
@@ -17,6 +18,9 @@
self.mock_grains()
self.grains["id"] = "egladil"
+ self.mock_salt()
+ self.salt["slsutil.file_exists"] = lambda file: os.path.exists(file)
+
def test_get_image(self):
container = {"image": "foo", "version": "42"}
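Review bot: `self.salt["slsutil.file_exists"] = lambda file: os.path.exists(file)` wraps a function that already has the right signature; `self.salt["slsutil.file_exists"] = os.path.exists` is equivalent and clearer. Because the mock checks the real filesystem relative to the current directory, the new `test_resolve_vhost_config_file` test in the next hunk only passes when run from `_tests/modules`, where `data/empty.conf` resolves — the same assumption the `SourceFileLoader("salt_test_case", "salt_test_case.py")` line already makes, but a short comment next to the mock would make it explicit.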
@@ -47,6 +51,16 @@
self.assertEqual("foo:2.5", docker.get_image("not_foo", container))
+ def test_resolve_vhost_config_file(self):
+ config_file = docker.resolve_vhost_config_file("empty", dir="data")
+
+ self.assertEqual("data/empty.conf", config_file)
+
+ def test_resolve_vhost_config_file_when_not_existing(self):
+ config_file = docker.resolve_vhost_config_file("foo", dir="notexisting")
+
+ self.assertEqual("notexisting/_default.conf", config_file)
+
def test_get_subnets(self):
expected = ["172.18.1.0/24", "172.18.2.0/24", "172.17.0.0/16"]
diff --git a/pillar/core/groups.sls b/pillar/core/groups.sls
--- a/pillar/core/groups.sls
+++ b/pillar/core/groups.sls
@@ -40,6 +40,7 @@
- dereckson
- dorianwinty
- erol
+ - fauve
- fluo
- harshcrop
- hlp
@@ -111,6 +112,7 @@
members:
- dereckson
- dorianwinty
+ - fauve
- fluo
- inidal
- rama
diff --git a/pillar/core/users.sls b/pillar/core/users.sls
--- a/pillar/core/users.sls
+++ b/pillar/core/users.sls
@@ -152,6 +152,7 @@
shell: zsh
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQAhf4Du37UglM/hh9ZW2HCq3VtMfj+bgnbjvcIEwo0 fove48@OperateurNoir
+ - ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABsfXPdhHqjAL7AOSCymUZU/7jXL95mfU+HeFuelF+Re+T35u6Qe5KSzQ1iT7lhLafGt6ARQgVvflQ1OgtvhlLhwwDb7MUNbThyr5SNbHfkZpDBGY5sNZfMPJLsYWvKXkxJ5ev8rxcCmER+g3qUAf5oKCDKY3cyODDAhMGKl1POemiaDQ== fauve@CrepusculeEcarlate
uid: 2030
fluo:
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -109,6 +109,10 @@
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/penpot/github
+ - ops/secrets/nasqueron/penpot/postgresql
+ - ops/secrets/nasqueron/penpot/secret_key
+
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
@@ -182,6 +186,12 @@
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
+
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
+ - ops/secrets/nasqueron.notifications.sentry
+
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
diff --git a/pillar/paas/docker/docker-002/penpot.sls b/pillar/paas/docker/docker-002/penpot.sls
new file mode 100644
--- /dev/null
+++ b/pillar/paas/docker/docker-002/penpot.sls
@@ -0,0 +1,85 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Service: Penpot
+# Note: If compared with upstream installation method,
+# the frontend part is skipped. This is to avoid
+# PaaS nginx -> frontend nginx -> backend server.
+# Frontend content is directly served by our nginx.
+# -------------------------------------------------------------
+
+docker_networks:
+ penpot:
+ subnet: 172.21.2.0/24
+
+docker_images:
+ - penpotapp/backend
+ - penpotapp/exporter
+
+docker_containers:
+
+ #
+ # Core services used by Penpot
+ #
+
+ exim:
+ penpot_smtp:
+ mailname: mx.design.nasqueron.org
+ network: penpot
+
+ postgresql:
+ penpot_db:
+ network: penpot
+ version: 15
+ credential: nasqueron/penpot/postgresql
+ db: penpot
+ initdb_args: --data-checksums
+
+ redis:
+ penpot_redis:
+ network: penpot
+ version: 7
+
+ #
+ # Penpot applications
+ #
+
+ penpot_web:
+ penpot_web:
+ realm: penpot
+ network: penpot
+ host: design.nasqueron.org
+ app_port: 17080
+ db:
+ uri: postgresql://penpot_db/penpot
+ services:
+ postgresql: penpot_db
+ redis: penpot_redis
+ smtp: penpot_smtp
+ exporter: http://localhost:17300
+ credentials:
+ github: nasqueron/penpot/github
+ postgresql: nasqueron/penpot/postgresql
+ secret_key: nasqueron/penpot/secret_key
+ features: &features
+ # Features relevant for both frontend and backend
+ - registration
+ - login-with-password
+ - login-with-github
+ - secure-session-cookies
+ - webhooks
+
+ # Features specific to the backend
+ - prepl-server
+ - smtp
+
+ penpot_exporter:
+ penpot_exporter:
+ realm: penpot
+ network: penpot
+ app_port: 17300
+ services:
+ frontend: https://design.nasqueron.org
+ redis: penpot_redis
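Review bot: The `&features` anchor on `penpot_web.penpot_web.features` is never referenced anywhere in this file (the only consumer visible in the diff, penpot_web.sls, reads the key by name), so it is dead YAML and can be dropped; if it was meant for reuse by a future frontend entry, a comment should say so. The `services.exporter: http://localhost:17300` entry is consumed by the host nginx (`/api/export` in penpot_web.conf), not by the backend container, which is why a host-side `localhost` URL is correct here — a comment such as `# Consumed by the PaaS nginx, hence a host-side URL` would stop someone "fixing" it to a container name later.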
diff --git a/pillar/paas/docker/docker-002/sentry.sls b/pillar/paas/docker/docker-002/sentry.sls
--- a/pillar/paas/docker/docker-002/sentry.sls
+++ b/pillar/paas/docker/docker-002/sentry.sls
@@ -11,10 +11,10 @@
subnet: 172.18.3.0/24
docker_images:
- - library/postgres
- library/redis:3.2-alpine
- getsentry/relay:nightly
- getsentry/snuba:nightly
+ - nasqueron/postgres-sentry
- nasqueron/sentry:nightly
- getsentry/symbolicator:nightly
- tianon/exim4
@@ -42,6 +42,7 @@
postgresql:
sentry_db:
+ image: nasqueron/postgres-sentry
credential: nasqueron.sentry.postgresql
network: sentry
@@ -201,7 +202,7 @@
realm: nasqueron
network: sentry
- sentry_post_process_forwarder_transations:
+ sentry_post_process_forwarder_transactions:
command: run post-process-forwarder --entity transactions
--commit-log-topic=snuba-transactions-commit-log
--synchronize-commit-group transactions_group
diff --git a/pillar/paas/docker/dwellers/notifications.sls b/pillar/paas/docker/dwellers/notifications.sls
new file mode 100644
--- /dev/null
+++ b/pillar/paas/docker/dwellers/notifications.sls
@@ -0,0 +1,52 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Service: Sentry
+# -------------------------------------------------------------
+
+docker_aliases:
+ - &ipv4_dwellers_restricted 172.27.27.4
+
+docker_images:
+ - nasqueron/notifications
+ - nasqueron/rabbitmq
+ - nasqueron/vault
+
+docker_networks:
+ notifications-int:
+ subnet: 172.21.6.0/24
+
+docker_containers:
+
+ rabbitmq:
+ orange-rabbit:
+ ip: *ipv4_dwellers_restricted
+ host: orange-rabbit.integration.nasqueron.org
+ app_port: 15672
+ network: notifications-int
+ credentials:
+ erlang_cookie: nasqueron/rabbitmq/orange-rabbit/erlang-cookie
+ root: nasqueron/rabbitmq/orange-rabbit/root
+
+ vault:
+ vault-notifications:
+ ip: *ipv4_dwellers_restricted
+ host: vault-notifications.integration.nasqueron.org
+ app_port: 48080
+ network: notifications-int
+
+ notifications:
+ notifications:
+ host: notifications.integration.nasqueron.org
+ app_port: 37080
+ network: notifications-int
+ broker: orange_rabbit
+ credentials:
+ broker: nasqueron/rabbitmq/orange-rabbit/notifications
+ sentry:
+ realm: nasqueron
+ project_id: 2
+ credential: nasqueron.notifications.sentry
+ environment: integration
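Review bot: The `notifications` container sets `broker: orange_rabbit`, but the RabbitMQ instance defined above is keyed `orange-rabbit` (hyphen); roles/paas-docker/containers/notifications.sls in this diff passes that value straight into `BROKER_HOST` and resolves it over the `notifications-int` network, so it should match the container name, presumably `broker: orange-rabbit`, unless the rabbitmq state (not shown) names the container differently. The header comment says `# Service: Sentry`, which looks copied from sentry.sls and should read `# Service: Notifications (integration)`.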
diff --git a/roles/paas-docker/containers/files/vault/vault.hcl b/roles/paas-docker/containers/files/vault/vault.hcl
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/vault/vault.hcl
@@ -0,0 +1,31 @@
+# -------------------------------------------------------------
+# Vault configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/containers/files/vault/vault.hcl
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+
+ tls_cert_file = "/vault/config/certificates/fullchain.pem"
+ tls_key_file = "/vault/config/certificates/private.key"
+}
+
+storage "raft" {
+ path = "/vault/storage"
+ node_id = "{{ id }}"
+}
+
+disable_mlock = true
+
+ui = true
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -72,25 +72,39 @@
# Docker volume (/srv/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+{% if "network" in container %}
+{% set broker = container['broker'] %}
+{% else %}
+{% set broker = "mq" %}
+{% endif %}
+
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
+ {% if "network" in container %}
+ - networks:
+ - {{ container['network'] }}
+ {% else %}
- links:
- {{ container['broker_link'] }}:mq
+ {% endif %}
- environment:
- - BROKER_HOST: mq
+ - BROKER_HOST: {{ broker }}
- BROKER_USERNAME: {{ salt['credentials.get_username'](container['credentials']['broker']) }}
- BROKER_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
+ {% if "mailgun" in container["credentials"] %}
- MAILGUN_DOMAIN: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
+ {% endif %}
- SENTRY_DSN: {{ salt['credentials.get_sentry_dsn'](container["sentry"]) }}
- SENTRY_TRACES_SAMPLE_RATE: 1.0
+ - SENTRY_ENVIRONMENT: {{ container["sentry"].get("environment", "production") }}
- ports:
- 80
- port_bindings:
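Review bot: The new `{% if "network" in container %}` block chooses `broker` by whether a network is configured rather than by whether `broker` is set, so a pillar with `network` but no `broker` yields an undefined `BROKER_HOST`, while one with `broker` but no `network` silently falls back to `mq`. `{% set broker = container.get("broker", "mq") %}` expresses the intent in one line and leaves the legacy `links` path unchanged. The enclosing `{% for %}` loop over instances starts before this hunk.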
diff --git a/roles/paas-docker/containers/penpot_exporter.sls b/roles/paas-docker/containers/penpot_exporter.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/penpot_exporter.sls
@@ -0,0 +1,32 @@
+# -------------------------------------------------------------
+# Salt — Provision Penpot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["penpot_exporter"].items() %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: penpotapp/exporter
+ - networks:
+ - {{ container["network"] }}
+ - binds: /srv/{{ container["realm"] }}/assets:/opt/data/assets
+ - environment:
+ - PENPOT_PUBLIC_URI: {{ container["services"]["frontend"] }}
+ - PENPOT_REDIS_URI: redis://{{ container["services"]["redis"] }}/0
+ - ports:
+ - 80
+ - port_bindings:
+ - {{ container['app_port'] }}:80
+
+{% endfor %}
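Review bot: The `port_bindings` entry `{{ container['app_port'] }}:80` publishes the exporter on every host interface, while the only consumer visible in this diff is the host nginx (`/api/export` in penpot_web.conf proxies to `http://localhost:17300`); unless a host firewall already restricts it, binding to loopback with `- 127.0.0.1:{{ container['app_port'] }}:80` keeps the service reachable from the host only. The same applies to the `{{ container['app_port'] }}:6060` binding in penpot_web.sls, whereas vault.sls in this diff already binds to an explicit `container["ip"]`.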
diff --git a/roles/paas-docker/containers/penpot_web.sls b/roles/paas-docker/containers/penpot_web.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/penpot_web.sls
@@ -0,0 +1,119 @@
+# -------------------------------------------------------------
+# Salt — Provision Penpot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt["grains.get"]("selinux:enabled", False) %}
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["penpot_web"].items() %}
+
+{% set flags = salt["convert.to_flags"](container["features"]) %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/{{ container["realm"] }}/assets:
+ file.directory:
+ - makedirs: True
+ - user: 1001
+ - group: 1001
+
+{% if has_selinux %}
+selinux_context_penpot_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/{{ container["realm"] }}/assets
+ - sel_type: container_file_t
+
+selinux_context_penpot_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/{{ container["realm"] }}/assets
+{% endif %}
+
+# -------------------------------------------------------------
+# Front-end assets
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/{{ container["realm"] }}/public:
+ file.directory:
+ - makedirs: True
+
+penpot_{{ container["realm"] }}_public_content:
+ cmd.run:
+ - name: |
+ wget https://artifacts.nasqueron.org/penpot/penpot.tar.gz && \
+ tar xzf penpot.tar.gz --strip 1 && \
+ rm penpot.tar.gz
+ - cwd: /srv/{{ container["realm"] }}/public
+ - creates: /srv/{{ container["realm"] }}/public/version.txt
+
+/srv/{{ container["realm"] }}/public/js/config.js:
+ file.managed:
+ - mode: 444
+ - contents: |
+ var penpotFlags = "{{ flags }}";
+
+{% if has_selinux %}
+selinux_context_penpot_public_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/{{ container["realm"] }}/public
+ - sel_type: container_file_t
+
+selinux_context_penpot_public_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/{{ container["realm"] }}/public
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: penpotapp/backend
+ - networks:
+ - {{ container["network"] }}
+ - binds: /srv/{{ container["realm"] }}/assets:/opt/data/assets
+ - environment:
+ PENPOT_FLAGS: {{ flags }}
+ PENPOT_SECRET_KEY: {{ salt["credentials.get_password"](container["credentials"]["secret_key"]) }}
+
+ PENPOT_PREPL_HOST: 0.0.0.0
+ PENPOT_PUBLIC_URI: https://{{ container["host"] }}
+
+ PENPOT_DATABASE_URI: postgresql://{{ container["services"]["postgresql"] }}/penpot
+ PENPOT_DATABASE_USERNAME: {{ salt["credentials.get_username"](container["credentials"]["postgresql"]) }}
+ PENPOT_DATABASE_PASSWORD: {{ salt["credentials.get_password"](container["credentials"]["postgresql"]) }}
+
+ PENPOT_REDIS_URI: redis://{{ container["services"]["redis"] }}/0
+
+ PENPOT_ASSETS_STORAGE_BACKEND: assets-fs
+ PENPOT_STORAGE_ASSETS_FS_DIRECTORY: /opt/data/assets
+
+ # Our privacy policy explicitly states we don't transfer data
+ # to third parties.
+ PENPOT_TELEMETRY_ENABLED: "false"
+
+ {% if "smtp" in container["features"] %}
+ PENPOT_SMTP_HOST: {{ container["services"]["smtp"] }}
+ PENPOT_SMTP_PORT: 25
+ PENPOT_SMTP_TLS: "false"
+ {% endif %}
+ PENPOT_SMTP_DEFAULT_FROM: no-reply@{{ container["host"] }}
+ PENPOT_SMTP_DEFAULT_REPLY_TO: no-reply@{{ container["host"] }}
+
+ {% if "login-with-github" in container["features"] %}
+ PENPOT_GITHUB_CLIENT_ID: {{ salt["credentials.get_username"](container["credentials"]["github"]) }}
+ PENPOT_GITHUB_CLIENT_SECRET: {{ salt["credentials.get_password"](container["credentials"]["github"]) }}
+ {% endif %}
+ - ports:
+ - 6060
+ - port_bindings:
+ - {{ container['app_port'] }}:6060
+
+{% endfor %}
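Review bot: The `cmd.run` state `penpot_{{ container["realm"] }}_public_content` fetches `penpot.tar.gz` with wget and unpacks it straight into the served document root without any integrity check, so whatever the artifact host serves is what nginx will publish; the `creates: version.txt` guard also means a changed tarball is never picked up. Salt's `archive.extracted` with a `source_hash` pins the expected digest and keeps the run-once semantics through `if_missing`, as sketched below. Separately, `config.js` is written with the full `{{ flags }}` string, so backend-only entries from the pillar (`prepl-server`, `smtp`) end up in a publicly served file; if the frontend only needs the shared subset, the pillar comment that separates the two groups suggests passing just that subset here. `PENPOT_PREPL_HOST: 0.0.0.0` binds the prepl server on every interface inside the container; only port 6060 is published, so exposure is limited to the `penpot` docker network, which is presumably intended but deserves a comment.
```yaml
penpot_{{ container["realm"] }}_public_content:
  archive.extracted:
    - name: /srv/{{ container["realm"] }}/public
    - source: https://artifacts.nasqueron.org/penpot/penpot.tar.gz
    - source_hash: sha256=<PLACEHOLDER: digest of the pinned build>
    - options: --strip-components=1
    - enforce_toplevel: False
    - if_missing: /srv/{{ container["realm"] }}/public/version.txt
# … unchanged: config.js file.managed, SELinux contexts and the container state …
```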
diff --git a/roles/paas-docker/containers/postgresql.sls b/roles/paas-docker/containers/postgresql.sls
--- a/roles/paas-docker/containers/postgresql.sls
+++ b/roles/paas-docker/containers/postgresql.sls
@@ -47,6 +47,15 @@
- environment:
POSTGRES_USER: {{ salt['credentials.get_username'](container['credential']) }}
POSTGRES_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
+
+ {% if 'db' in container %}
+ POSTGRES_DB: {{ container['db'] }}
+ {% endif %}
+
+ {% if 'initdb_args' in container %}
+ POSTGRES_INITDB_ARGS: {{ container['initdb_args'] }}
+ {% endif %}
+
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
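Review bot: `POSTGRES_DB: {{ container['db'] }}` and `POSTGRES_INITDB_ARGS: {{ container['initdb_args'] }}` are rendered unquoted into YAML, so a pillar value containing `: `, `#` or a leading special character would change the parsed structure instead of becoming the environment value; quoting them as `POSTGRES_DB: "{{ container['db'] }}"` and `POSTGRES_INITDB_ARGS: "{{ container['initdb_args'] }}"` (or using `| yaml_encode`) keeps arbitrary values intact. The `POSTGRES_USER`/`POSTGRES_PASSWORD` lines above follow the same unquoted pattern, so this is consistent with the file, but initdb args are the likelier place to see spaces and dashes. The enclosing `environment` list and its `docker_container.running` state start before this hunk.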
diff --git a/roles/paas-docker/containers/vault.sls b/roles/paas-docker/containers/vault.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/vault.sls
@@ -0,0 +1,76 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt["grains.get"]("selinux:enabled", False) %}
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["vault"].items() %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for dir in ["config", "config/certificates", "storage"] %}
+
+/srv/vault/{{ instance }}/{{ dir }}:
+ file.directory:
+ - user: 100
+ - group: 1000
+ - makedirs: True
+
+{% endfor %}
+
+/srv/vault/{{ instance }}/config/vault.hcl:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/vault/vault.hcl
+ - mode: 644
+ - template: jinja
+ - context:
+ id: {{ instance }}
+
+{% if has_selinux %}
+selinux_context_vault_data_{{ instance }}:
+ selinux.fcontext_policy_present:
+ - name: /srv/vault/{{ instance }}
+ - sel_type: container_file_t
+
+selinux_context_vault_data_applied_{{ instance }}:
+ selinux.fcontext_policy_applied:
+ - name: /srv/vault/{{ instance }}
+ - recursive: True
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+#
+# Image: hashicorp/vault
+# Description: Vault
+# Services used: Docker volume
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: hashicorp/vault
+ - command: server
+ - cap_add:
+ - IPC_LOCK
+ - binds:
+ - /srv/vault/{{ instance }}/config:/vault/config
+ - /srv/vault/{{ instance }}/storage:/vault/storage
+ - networks:
+ - {{ container["network"] }}
+ - environment:
+ - VAULT_CLUSTER_INTERFACE: eth0
+ - VAULT_REDIRECT_INTERFACE: eth0
+ - ports:
+ - 8200
+ - port_bindings:
+ - {{ container["ip"] }}:{{ container["app_port"] }}:8200
+
+{% endfor %}
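Review bot: The container is given `cap_add: IPC_LOCK` while the shipped `vault.hcl` sets `disable_mlock = true`, so the capability is never used; dropping the `cap_add` block keeps the container at default capabilities, and with raft storage disabling mlock is the documented configuration anyway. The `config/certificates` directory created in the loop is what the listener's `tls_cert_file`/`tls_key_file` point at, but nothing in this state places those files, so the container cannot start until they are provisioned out of band — a comment such as `# certificates/ must receive fullchain.pem and private.key before first start` would record that expectation. No `mode` is set on those directories either; since the private key will live there, an explicit restrictive mode on `config/certificates` is worth adding.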
diff --git a/roles/paas-docker/nginx/config.sls b/roles/paas-docker/nginx/config.sls
--- a/roles/paas-docker/nginx/config.sls
+++ b/roles/paas-docker/nginx/config.sls
@@ -66,9 +66,11 @@
{% for instance, container in instances.items() %}
{% if 'host' in container %}
+{% set vhost_config = salt["paas_docker.resolve_vhost_config_file"](service) %}
+
{{ dirs.etc }}/nginx/vhosts/{{ service }}/{{ instance }}.conf:
file.managed:
- - source: salt://roles/paas-docker/nginx/files/vhosts/{{ service }}.conf
+ - source: salt://{{ vhost_config }}
- mode: 644
- makedirs: True
- template: jinja
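Review bot: The new `{% set vhost_config = salt["paas_docker.resolve_vhost_config_file"](service) %}` sits inside the `{% for instance, container %}` loop and the `'host' in container` test, but its value depends only on `service`, so the fileserver lookup is repeated for every instance; moving the `set` above the loop (which starts before this hunk) computes it once. `- source: salt://{{ vhost_config }}` relies on the module returning a fileserver-relative path, which both branches of `resolve_vhost_config_file` in this diff do, but nothing in this file shows it — a one-line comment would help.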
diff --git a/roles/paas-docker/nginx/files/vhosts/hound.conf b/roles/paas-docker/nginx/files/vhosts/hound.conf
deleted file mode 100644
--- a/roles/paas-docker/nginx/files/vhosts/hound.conf
+++ /dev/null
@@ -1 +0,0 @@
-{% include 'roles/paas-docker/nginx/files/vhosts/_default.conf' %}
diff --git a/roles/paas-docker/nginx/files/vhosts/penpot_web.conf b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
@@ -0,0 +1,106 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Source file: roles/paas-docker/nginx/files/vhosts/penpot_web.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Application - {{ fqdn }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ include includes/letsencrypt;
+
+ client_max_body_size 100M;
+ charset utf-8;
+
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ etag off;
+
+ location @handle_redirect {
+ set $redirect_uri "$upstream_http_location";
+ set $redirect_host "$upstream_http_x_host";
+ set $redirect_cache_control "$upstream_http_cache_control";
+
+ proxy_buffering off;
+
+ proxy_set_header Host "$redirect_host";
+ proxy_hide_header etag;
+ proxy_pass $redirect_uri;
+
+ add_header x-internal-redirect "$redirect_uri";
+ add_header x-cache-control "$redirect_cache_control";
+ add_header cache-control "$redirect_cache_control";
+ }
+
+ location /assets {
+ proxy_pass http://localhost:{{ app_port }}/assets;
+ recursive_error_pages on;
+ proxy_intercept_errors on;
+ error_page 301 302 307 = @handle_redirect;
+ }
+
+ location /internal/assets {
+ internal;
+ alias /srv/{{ args["realm"] }}/assets;
+ add_header x-internal-redirect "$upstream_http_x_accel_redirect";
+ }
+
+ location /api/export {
+ proxy_pass {{ args["services"]["exporter"] }};
+ }
+
+ location /api {
+ proxy_pass http://localhost:{{ app_port }}/api;
+ }
+
+ location /ws/notifications {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_pass http://localhost:{{ app_port }}/ws/notifications;
+ }
+
+ location / {
+ location ~* \.(js|css).*$ {
+ add_header Cache-Control "max-age=86400" always; # 24 hours
+ }
+
+ location ~* \.(html).*$ {
+ add_header Cache-Control "no-cache, max-age=0" always;
+ }
+ root /srv/{{ args["realm"] }}/public;
+ }
+
+ root /var/wwwroot-502/_default;
+ error_page 502 /502.html;
+ location /502.html {}
+}
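Review bot: `proxy_pass $redirect_uri;` in `location @handle_redirect` uses a variable target, which makes nginx resolve the hostname at request time and fail with "no resolver defined" unless a `resolver` directive is in scope; neither this file nor the rest of the diff sets one, so if `includes/tls` or the main config does not, add `resolver` to this location or document where it comes from. That location also forwards to whatever `Location` the backend returns, which is acceptable only because the upstream is the local Penpot backend; a comment such as `# Follows backend-issued asset redirects; upstream is trusted` would stop a later reader from reusing the block for another upstream. The `~* \.(js|css).*$` pattern also matches names such as `.json`, which may or may not be intended.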
diff --git a/roles/paas-docker/nginx/files/vhosts/vault.conf b/roles/paas-docker/nginx/files/vhosts/vault.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/vault.conf
@@ -0,0 +1,43 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Service: vault
+# Source file: roles/paas-docker/nginx/files/vhosts/vault.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ include includes/letsencrypt;
+
+ location / {
+ proxy_pass https://{{ args['ip'] }}:{{ app_port }};
+ include includes/proxy_params;
+ }
+
+ root /var/wwwroot-502/_default;
+ error_page 502 /502.html;
+ location /502.html {}
+
+}
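Review bot: `proxy_pass https://{{ args['ip'] }}:{{ app_port }};` in `location /` talks TLS to the Vault listener but, with nginx defaults, does not verify the backend certificate, so the hop to the container is encrypted yet unauthenticated. If `includes/proxy_params` does not already handle it, adding `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <CA bundle path>;` and `proxy_ssl_name <name on the container certificate>;` closes that gap; the last one is needed because Vault is reached by IP here, and this diff does not show which name the container certificate carries.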
