Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3763251
D2597.id7577.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
14 KB
Referenced Files
None
Subscribers
None
D2597.id7577.diff
View Options
diff --git a/PORTS b/PORTS
--- a/PORTS
+++ b/PORTS
@@ -17,6 +17,8 @@
paas-docker
5000 Docker registry HTTP
9090 Openfire HTTP
+ 17080 Penpot - back-end
+ 17300 Penpot - exporter
19080 Nasqueron API - Datasources
20080 Nasqueron API - Docker registry API
22220 Phabricator Aphlict (client)
diff --git a/_modules/convert.py b/_modules/convert.py
--- a/_modules/convert.py
+++ b/_modules/convert.py
@@ -80,3 +80,10 @@
return salt.serializers.yaml.serialize(
_to_dictionary(data, root), default_flow_style=False
)
+
+
+def to_flags(data, enable_prefix="enable-", separator=" "):
+ """
+ A function to convert a list of flags in a string to enable them.
+ """
+ return separator.join([enable_prefix + item for item in data])
diff --git a/_tests/modules/test_convert.py b/_tests/modules/test_convert.py
new file mode 100755
--- /dev/null
+++ b/_tests/modules/test_convert.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+from importlib.machinery import SourceFileLoader
+import unittest
+
+salt_test_case = SourceFileLoader("salt_test_case", "salt_test_case.py").load_module()
+convert = SourceFileLoader("rust", "../_modules/convert.py").load_module()
+
+
+class Testinstance(unittest.TestCase, salt_test_case.SaltTestCase):
+ def setUp(self):
+ self.initialize_mocks()
+ self.instance = convert
+
+ def test_to_flags(self):
+ features = ["foo", "bar"]
+
+ self.assertEqual("enable-foo enable-bar", convert.to_flags(features))
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -109,6 +109,10 @@
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/penpot/github
+ - ops/secrets/nasqueron/penpot/postgresql
+ - ops/secrets/nasqueron/penpot/secret_key
+
- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/white-rabbit/root
diff --git a/pillar/paas/docker/docker-002/penpot.sls b/pillar/paas/docker/docker-002/penpot.sls
new file mode 100644
--- /dev/null
+++ b/pillar/paas/docker/docker-002/penpot.sls
@@ -0,0 +1,85 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Service: Penpot
+# Note: If compared with upstream installation method,
+# the frontend part is skipped. This is to avoid
+# PaaS nginx -> frontend nginx -> backend server.
+# Frontend content is directly served by our nginx.
+# -------------------------------------------------------------
+
+docker_networks:
+ penpot:
+ subnet: 172.21.2.0/24
+
+docker_images:
+ - penpotapp/backend
+ - penpotapp/exporter
+
+docker_containers:
+
+ #
+ # Core services used by Penpot
+ #
+
+ exim:
+ penpot_smtp:
+ mailname: mx.design.nasqueron.org
+ network: penpot
+
+ postgresql:
+ penpot_db:
+ network: penpot
+ version: 15
+ credential: nasqueron/penpot/postgresql
+ db: penpot
+ initdb_args: --data-checksums
+
+ redis:
+ penpot_redis:
+ network: penpot
+ version: 7
+
+ #
+ # Penpot applications
+ #
+
+ penpot_web:
+ penpot_web:
+ realm: penpot
+ network: penpot
+ host: design.nasqueron.org
+ app_port: 17080
+ db:
+ uri: postgresql://penpot_db/penpot
+ services:
+ postgresql: penpot_db
+ redis: penpot_redis
+ smtp: penpot_smtp
+ exporter: http://localhost:17300
+ credentials:
+ github: nasqueron/penpot/github
+ postgresql: nasqueron/penpot/postgresql
+ secret_key: nasqueron/penpot/secret_key
+ features: &features
+ # Features relevant for both frontend and backend
+ - registration
+ - login-with-password
+ - login-with-github
+ - secure-session-cookies
+ - webhooks
+
+ # Features specific to the backend
+ - prepl-server
+ - smtp
+
+ penpot_exporter:
+ penpot_exporter:
+ realm: penpot
+ network: penpot
+ app_port: 17300
+ services:
+ frontend: https://design.nasqueron.org
+ redis: penpot_redis
diff --git a/roles/paas-docker/containers/penpot_exporter.sls b/roles/paas-docker/containers/penpot_exporter.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/penpot_exporter.sls
@@ -0,0 +1,32 @@
+# -------------------------------------------------------------
+# Salt — Provision Penpot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["penpot_exporter"].items() %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: penpotapp/exporter
+ - networks:
+ - {{ container["network"] }}
+ - binds: /srv/{{ container["realm"] }}/assets:/opt/data/assets
+ - environment:
+ - PENPOT_PUBLIC_URI: {{ container["services"]["frontend"] }}
+ - PENPOT_REDIS_URI: redis://{{ container["services"]["redis"] }}/0
+ - ports:
+ - 80
+ - port_bindings:
+ - {{ container['app_port'] }}:80
+
+{% endfor %}
diff --git a/roles/paas-docker/containers/penpot_web.sls b/roles/paas-docker/containers/penpot_web.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/penpot_web.sls
@@ -0,0 +1,119 @@
+# -------------------------------------------------------------
+# Salt — Provision Penpot
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt["grains.get"]("selinux:enabled", False) %}
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["penpot_web"].items() %}
+
+{% set flags = salt["convert.to_flags"](container["features"]) %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/{{ container["realm"] }}/assets:
+ file.directory:
+ - makedirs: True
+ - user: 1001
+ - group: 1001
+
+{% if has_selinux %}
+selinux_context_penpot_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/{{ container["realm"] }}/assets
+ - sel_type: container_file_t
+
+selinux_context_penpot_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/{{ container["realm"] }}/assets
+{% endif %}
+
+# -------------------------------------------------------------
+# Front-end assets
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/{{ container["realm"] }}/public:
+ file.directory:
+ - makedirs: True
+
+penpot_{{ container["realm"] }}_public_content:
+ cmd.run:
+ - name: |
+ wget https://artifacts.nasqueron.org/penpot/penpot.tar.gz && \
+ tar xzf penpot.tar.gz --strip 1 && \
+ rm penpot.tar.gz
+ - cwd: /srv/{{ container["realm"] }}/public
+ - creates: /srv/{{ container["realm"] }}/public/version.txt
+
+/srv/{{ container["realm"] }}/public/js/config.js:
+ file.managed:
+ - mode: 444
+ - contents: |
+ var penpotFlags = "{{ flags }}";
+
+{% if has_selinux %}
+selinux_context_penpot_public_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/{{ container["realm"] }}/public
+ - sel_type: container_file_t
+
+selinux_context_penpot_public_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/{{ container["realm"] }}/public
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: penpotapp/backend
+ - networks:
+ - {{ container["network"] }}
+ - binds: /srv/{{ container["realm"] }}/assets:/opt/data/assets
+ - environment:
+ PENPOT_FLAGS: {{ flags }}
+ PENPOT_SECRET_KEY: {{ salt["credentials.get_password"](container["credentials"]["secret_key"]) }}
+
+ PENPOT_PREPL_HOST: 0.0.0.0
+ PENPOT_PUBLIC_URI: https://{{ container["host"] }}
+
+ PENPOT_DATABASE_URI: postgresql://{{ container["services"]["postgresql"] }}/penpot
+ PENPOT_DATABASE_USERNAME: {{ salt["credentials.get_username"](container["credentials"]["postgresql"]) }}
+ PENPOT_DATABASE_PASSWORD: {{ salt["credentials.get_password"](container["credentials"]["postgresql"]) }}
+
+ PENPOT_REDIS_URI: redis://{{ container["services"]["redis"] }}/0
+
+ PENPOT_ASSETS_STORAGE_BACKEND: assets-fs
+ PENPOT_STORAGE_ASSETS_FS_DIRECTORY: /opt/data/assets
+
+ # Our privacy policy explicitly states we don't transfer data
+ # to third parties.
+ PENPOT_TELEMETRY_ENABLED: "false"
+
+ {% if "smtp" in container["features"] %}
+ PENPOT_SMTP_HOST: {{ container["services"]["smtp"] }}
+ PENPOT_SMTP_PORT: 25
+ PENPOT_SMTP_TLS: "false"
+ {% endif %}
+ PENPOT_SMTP_DEFAULT_FROM: no-reply@{{ container["host"] }}
+ PENPOT_SMTP_DEFAULT_REPLY_TO: no-reply@{{ container["host"] }}
+
+ {% if "login-with-github" in container["features"] %}
+ PENPOT_GITHUB_CLIENT_ID: {{ salt["credentials.get_username"](container["credentials"]["github"]) }}
+ PENPOT_GITHUB_CLIENT_SECRET: {{ salt["credentials.get_password"](container["credentials"]["github"]) }}
+ {% endif %}
+ - ports:
+ - 6060
+ - port_bindings:
+ - {{ container['app_port'] }}:6060
+
+{% endfor %}
diff --git a/roles/paas-docker/containers/postgresql.sls b/roles/paas-docker/containers/postgresql.sls
--- a/roles/paas-docker/containers/postgresql.sls
+++ b/roles/paas-docker/containers/postgresql.sls
@@ -47,6 +47,15 @@
- environment:
POSTGRES_USER: {{ salt['credentials.get_username'](container['credential']) }}
POSTGRES_PASSWORD: {{ salt['credentials.get_password'](container['credential']) }}
+
+ {% if 'db' in container %}
+ POSTGRES_DB: {{ container['db'] }}
+ {% endif %}
+
+ {% if 'initdb_args' in container %}
+ POSTGRES_INITDB_ARGS: {{ container['initdb_args'] }}
+ {% endif %}
+
{% if 'network' in container %}
- networks:
- {{ container['network'] }}
diff --git a/roles/paas-docker/nginx/files/vhosts/penpot_web.conf b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
@@ -0,0 +1,106 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Source file: roles/paas-docker/nginx/files/vhosts/penpot_web.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Application - {{ fqdn }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ include includes/letsencrypt;
+
+ client_max_body_size 100M;
+ charset utf-8;
+
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ etag off;
+
+ location @handle_redirect {
+ set $redirect_uri "$upstream_http_location";
+ set $redirect_host "$upstream_http_x_host";
+ set $redirect_cache_control "$upstream_http_cache_control";
+
+ proxy_buffering off;
+
+ proxy_set_header Host "$redirect_host";
+ proxy_hide_header etag;
+ proxy_pass $redirect_uri;
+
+ add_header x-internal-redirect "$redirect_uri";
+ add_header x-cache-control "$redirect_cache_control";
+ add_header cache-control "$redirect_cache_control";
+ }
+
+ location /assets {
+ proxy_pass http://localhost:{{ app_port }}/assets;
+ recursive_error_pages on;
+ proxy_intercept_errors on;
+ error_page 301 302 307 = @handle_redirect;
+ }
+
+ location /internal/assets {
+ internal;
+ alias /srv/{{ args["realm"] }}/assets;
+ add_header x-internal-redirect "$upstream_http_x_accel_redirect";
+ }
+
+ location /api/export {
+ proxy_pass {{ args["services"]["exporter"] }};
+ }
+
+ location /api {
+ proxy_pass http://localhost:{{ app_port }}/api;
+ }
+
+ location /ws/notifications {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_pass http://localhost:{{ app_port }}/ws/notifications;
+ }
+
+ location / {
+ location ~* \.(js|css).*$ {
+ add_header Cache-Control "max-age=86400" always; # 24 hours
+ }
+
+ location ~* \.(html).*$ {
+ add_header Cache-Control "no-cache, max-age=0" always;
+ }
+ root /srv/{{ args["realm"] }}/public;
+ }
+
+ root /var/wwwroot-502/_default;
+ error_page 502 /502.html;
+ location /502.html {}
+}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Nov 22, 21:52 (12 h, 6 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2256304
Default Alt Text
D2597.id7577.diff (14 KB)
Attached To
Mode
D2597: Deploy Penpot
Attached
Detach File
Event Timeline
Log In to Comment