No OneTemporary
Actions

Size

24 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
	index 5a8a613..4d18c0c 100644
	--- a/pillar/credentials/vault.sls
	+++ b/pillar/credentials/vault.sls
	@@ -1,263 +1,265 @@
	# -------------------------------------------------------------
	# Salt configuration for Nasqueron servers
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Nasqueron
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	# -------------------------------------------------------------
	# Vault configuration
	#
	# :: vault_policies_path: path on vault server where to store policies
	#
	# :: vault_policies_source: path to fetch policies from
	# if starting by salt://, from salt files server
	#
	# :: vault_mount_paths: translates secrets paths in policies paths
	#
	# Generally, Vault paths are the same for policies and data access.
	#
	# For kv secrets engine, version 2, writing and reading versions
	# of a kv value are prefixed with the data/ path.
	#
	# credentials.build_policies_by_node will use this dictionary
	# to be able to rewrite secrets paths in data paths.
	#
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	vault_policies_path: /srv/policies/vault
	vault_policies_source: /srv/policies/vault

	vault_mount_paths:
	ops/secrets: ops/data/secrets
	ops/privacy: ops/data/privacy
	apps: apps/data

	# -------------------------------------------------------------
	# Vault policies to deploy as-is, ie without templating.
	#
	# Entries of vault_policies must match a .hcl file in
	# roles/vault/policies/files folder.
	#
	# If you need a template, create a new pillar entry instead
	# and add the parsing logic either:
	# - directly to roles/vault/policies/
	#
	# - through _modules/credentials.py for policies to apply
	# to Salt nodes, like e.g. vault_secrets_by_role
	#
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	vault_policies:
	- admin
	- salt-primary
	- sentry
	- vault_bootstrap
	- viperserv

	# -------------------------------------------------------------
	# Vault policies for Salt
	#
	# Declare the extra policies each nodes need.
	#
	# In adition of those extra policies, the vault_secrets_by_role
	# will be parsed for the keys.
	#
	# IMPORTANT: as grains['roles'] can be modified by the node,
	# roles are extracted directly from the pillar.
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	vault_extra_policies_by_role:
	salt-primary:
	- salt-primary

	# -------------------------------------------------------------
	# Vault secrets by role
	#
	# Paths of the keys the specified role needs access to.
	#
	# Avoid * notation as this namespace is shared between Vault
	# and the applications. As such, only secrets the Salt nodes
	# needs in a state they need to deploy should be listed here.
	#
	# Use %%node%% as variable for node name.
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	vault_secrets_by_role:

	devserver:
	- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%

	- ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
	- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
	- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
	- ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www

	opensearch:
	- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
	- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards

	paas-docker-prod:

	#
	# Personal data or personally identifiable information (PII)
	# related to Nasqueron Operations SIG members.
	#

	- ops/privacy/ops-cidr

	#
	# Credentials used by Nasqueron services
	# Format: ops/secrets/nasqueron/service/<...>
	#

	- ops/secrets/nasqueron/airflow/admin_account
	- ops/secrets/nasqueron/airflow/fernet
	- ops/secrets/nasqueron/airflow/sentry
	- ops/secrets/dbserver/cluster-A/users/airflow

	- ops/secrets/nasqueron/etherpad/mysql
	- ops/secrets/nasqueron/etherpad/users/dereckson

	- ops/secrets/nasqueron/penpot/github
	- ops/secrets/nasqueron/penpot/postgresql
	- ops/secrets/nasqueron/penpot/secret_key

	- ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
	- ops/secrets/nasqueron/rabbitmq/white-rabbit/root

	- ops/secrets/nasqueron/sentry/geoipupdate

	#
	# Credentials used by Nasqueron services
	# Format: ops/secrets/nasqueron.<service>.<type>
	#

	- ops/secrets/nasqueron.acquisitariat.mysql

	- ops/secrets/nasqueron.auth-grove.mysql

	- ops/secrets/nasqueron.cachet.app_key
	- ops/secrets/nasqueron.cachet.mysql

	- ops/secrets/nasqueron.etherpad.api

	- ops/secrets/nasqueron.notifications.broker
	- ops/secrets/nasqueron.notifications.mailgun
	- ops/secrets/nasqueron.notifications.sentry

	- ops/secrets/nasqueron.notifications.credentials_github_nasqueron
	- ops/secrets/nasqueron.notifications.credentials_github_wolfplex
	- ops/secrets/nasqueron.notifications.credentials_github_keruald
	- ops/secrets/nasqueron.notifications.credentials_github_trustspace
	- ops/secrets/nasqueron.notifications.credentials_github_eglide
	- ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron

	- apps/notifications-center/dockerhub/notifications
	- apps/notifications-center/dockerhub/auth-grove

	- ops/secrets/nasqueron.pixelfed.app_key
	- ops/secrets/nasqueron.pixelfed.mailgun
	- ops/secrets/nasqueron.pixelfed.mysql

	- ops/secrets/nasqueron.sentry.app_key
	- ops/secrets/nasqueron.sentry.postgresql
	- ops/secrets/nasqueron.sentry.vault

	#
	# Credentials used by Nasqueron members private services
	# Format: <username>.<service>.<type>
	#

	- ops/secrets/dereckson.phabricator.mysql

	#
	# Credentials used by projects hosted by Nasqueron
	# Format: <project name>.<service>.<type>
	#

	- ops/secrets/espacewin.phpbb.mysql_root

	- ops/secrets/wolfplex.phabricator.mailgun
	- ops/secrets/wolfplex.phabricator.mysql

	- ops/secrets/zed.phabricator.mysql
	- ops/secrets/zed.phabricator.sendgrid

	paas-docker-dev:

	#
	# Credentials used by Nasqueron services
	# Format: ops/secrets/nasqueron/service/<...>
	#

	- ops/secrets/nasqueron/airflow/admin_account
	- ops/secrets/nasqueron/airflow/fernet
	- ops/secrets/nasqueron/airflow/sentry
	- ops/secrets/dbserver/cluster-A/users/airflow

	- ops/secrets/nasqueron/orbeon/oxf.crypto.password
	- ops/secrets/nasqueron/orbeon/users/dereckson
	- ops/secrets/dbserver/cluster-A/users/orbeon

	- ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
	- ops/secrets/nasqueron/rabbitmq/orange-rabbit/root

	- ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
	- ops/secrets/nasqueron.notifications.sentry

	#
	# Credentials used by projects hosted by Nasqueron
	# Format: <project name>.<service>.<type>
	#

	- ops/secrets/espacewin.bugzilla.mysql
	- ops/secrets/espacewin.bugzilla.mysql_root

	saas-mediawiki:
	- ops/secrets/dbserver/cluster-B/users/saas-mediawiki
	- ops/secrets/nasqueron/mediawiki/secret_key

	saas-wordpress:
	- ops/secrets/dbserver/cluster-B/users/dereckson_blog

	- ops/secrets/dereckson/wordpress/secrets

	viperserv:
	- ops/secrets/nasqueron.viperserv.vault

	webserver-alkane:
	- ops/secrets/dbserver/cluster-B/users/dereckson_www
	- ops/secrets/dbserver/cluster-B/users/zed

	+ - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users
	+
	- ops/secrets/zed/hypership/secret_key

	#
	# Wolfplex credentials
	#

	- ops/secrets/nasqueron.etherpad.api

	webserver-legacy:

	#
	# Wolfplex credentials
	#

	- ops/secrets/nasqueron.etherpad.api

	# -------------------------------------------------------------
	# Vault secrets by dbserver cluster
	#
	# Paths of the keys the specified role needs access to.
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	vault_secrets_by_dbserver_cluster:

	# Main PostgreSQL cluster
	A:
	- ops/secrets/dbserver/cluster-A/users/*

	# Main MariaDB cluster - Alkane PaaS, ViperServ
	B:
	- ops/secrets/dbserver/cluster-B/users/*
	diff --git a/pillar/paas/alkane/web-001/main.sls b/pillar/paas/alkane/web-001/main.sls
	index 9b3799b..9542c9f 100644
	--- a/pillar/paas/alkane/web-001/main.sls
	+++ b/pillar/paas/alkane/web-001/main.sls
	@@ -1,181 +1,167 @@
	# -------------------------------------------------------------
	# Salt — PaaS Alkane :: PHP and static sites [production]
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Nasqueron
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	web_aliases:
	services:
	- &db-B 172.27.27.9

	# -------------------------------------------------------------
	# Domains we deploy
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	web_domains:

	#
	# Directly managed by Nasqueron
	#

	nasqueron:
	- nasqueron.org
	- ook.space

	#
	# Nasqueron members
	#

	nasqueron_members:
	- dereckson.be
	- - hypership.space

	#
	# Projects ICT is managed by Nasqueron
	#

	espacewin:
	- espace-win.org

	wolfplex:
	- wolfplex.org

	# -------------------------------------------------------------
	# Static sites
	#
	# Sites to deploy from the staging repository
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	web_static_sites:
	dereckson.be:
	- assets
	nasqueron.org:
	- www
	- assets
	- docker
	- ftp
	- launch
	- packages
	- trustspace
	wolfplex.org:
	- www
	- assets

	# -------------------------------------------------------------
	# PHP sites
	#
	# Username must be unique and use max 31 characters.
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	php_fpm_instances:
	# PHP current version, generally installed as package/port
	prod:
	command: /usr/local/sbin/php-fpm

	web_php_sites:
	# Nasqueron members
	www.dereckson.be:
	domain: dereckson.be
	subdomain: www
	user: web-be-dereckson-www
	source: wwwroot/dereckson.be/www
	target: /var/wwwroot/dereckson.be/www
	php-fpm: prod
	capabilities:
	- wordpress

	# Directly managed by Nasqueron
	api.nasqueron.org:
	domain: nasqueron.org
	subdomain: api
	user: web-org-nasqueron-api-serverslog
	php-fpm: prod
	env:
	SERVERS_LOG_FILE: /srv/api/data/servers-log-all.json

	wikis.nasqueron.org:
	domain: nasqueron.org
	subdomain: wikis
	user: mediawiki
	php-fpm: prod
	skipCreateUser: True
	env:
	MEDIAWIKI_ENTRY_POINT: /srv/mediawiki/index.php
	DB_HOST: *db-B
	DB_USER: saas-mediawiki

	# Espace Win
	www.espace-win.org:
	domain: espace-win.org
	subdomain: www
	user: web-org-espacewin-www
	source: wwwroot/espace-win.org/www
	target: /var/wwwroot/espace-win.org/www
	php-fpm: prod

	# Wolfplex Hackerspace
	www.wolfplex.org:
	domain: wolfplex.org
	subdomain: www
	user: web-org-wolfplex-www
	php-fpm: prod
	env:
	DATASTORE: /var/dataroot/wolfplex
	CREDENTIAL_PATH_DATASOURCES_SECURITYDATA: /var/dataroot/wolfplex/secrets.json

	- # Zed - HyperShip
	- hypership.space:
	- domain: hypership.space
	- subdomain: www
	- user: web-space-hypership-www
	- php-fpm: prod
	- env:
	- CACHE_DIR: /var/cache/zed/hypership.space
	- CONTENT_DIR: /srv/zed/content
	-
	# -------------------------------------------------------------
	# nginx configuration
	#
	# Configuration files to provision to vhosts/
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	nginx_vhosts:
	dereckson.be:
	- assets
	- hg
	- mediawiki
	- scherzo
	- www

	espace-win.org:
	- cosmo
	- www

	- hypership.space:
	- - www
	-
	nasqueron.org:
	- api
	- assets
	- autoconfig
	- daeghrefn
	- docker
	- docs
	- ftp
	- infra
	- join
	- labs
	- launch
	- packages
	- rain
	- trustspace
	- www

	test.ook.space:
	- migration.mediawiki

	wolfplex.org:
	- api
	- assets
	- www
	diff --git a/pillar/paas/alkane/web-001/zed.sls b/pillar/paas/alkane/web-001/zed.sls
	new file mode 100644
	index 0000000..c0a9d4d
	--- /dev/null
	+++ b/pillar/paas/alkane/web-001/zed.sls
	@@ -0,0 +1,51 @@
	+# -------------------------------------------------------------
	+# Salt — PaaS Alkane :: PHP and static sites [production]
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+# Project: Nasqueron
	+# License: Trivial work, not eligible to copyright
	+# -------------------------------------------------------------
	+
	+# -------------------------------------------------------------
	+# nginx, php-fpm
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+web_domains:
	+ zed:
	+ - hypership.space
	+
	+nginx_vhosts:
	+ hypership.space:
	+ - www
	+
	+web_php_sites:
	+ hypership.space:
	+ domain: hypership.space
	+ subdomain: www
	+ user: web-space-hypership-www
	+ php-fpm: prod
	+ env:
	+ CACHE_DIR: /var/dataroot/zed/cache
	+ CONTENT_DIR: /var/dataroot/zed/content
	+
	+# -------------------------------------------------------------
	+# Credentials
	+#
	+# :: deployment
	+# :: .env
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+wwwroot_identities:
	+ deploy-key-github-hypership-content_users:
	+ secret: nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users
	+ path: /opt/salt/security/id_zed_github_hypership_content_users
	+
	+webserver_content_dotenv:
	+ /var/wwwroot/hypership.space/www/.env:
	+ user: web-space-hypership-www
	+ db:
	+ service: db-B
	+ credentials: dbserver/cluster-B/users/zed
	+ extra_values:
	+ DB_NAME: zed_prod
	+ extra_credentials:
	+ ZED_SECRET_KEY: zed/hypership/secret_key
	diff --git a/pillar/webserver/credentials.sls b/pillar/webserver/credentials.sls
	index f77e8c2..4e62843 100644
	--- a/pillar/webserver/credentials.sls
	+++ b/pillar/webserver/credentials.sls
	@@ -1,64 +1,54 @@
	# -------------------------------------------------------------
	# Salt — Sites to provision on the legacy web server
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Nasqueron
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	# -------------------------------------------------------------
	# Content of the .env files
	#
	# Those files allow site using DotEnv to read secrets.
	#
	# To ensure secrets can only be read by application user, use:
	#
	# ```
	# user: <php-fpm pool user>
	# ```
	# If your configuration can be read and stored in memory,
	# it's probably best to directly call Vault from the app
	# and only provision Vault AppRole credentials:
	#
	# ```
	# vault: <path to AppRole credential>
	# ```
	#
	# For PHP sites where the configuration file is read every
	# request, it's probably best to cache secrets in file
	# through this mechanism.
	#
	# If you need a database, you can use:
	#
	# ```
	# db:
	# service: entry in nasqueron_services table
	# credentials: path to Vault secret
	#
	# To provision a secret key or other credentials, use:
	#
	# extra_credentials:
	# key: path to vault secret
	#
	# If you need to pass extra plain values use:
	#
	# extra_values:
	# key: value
	# ```
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	webserver_content_dotenv:
	/var/wwwroot/dereckson.be/www/.env:
	user: web-be-dereckson-www
	db:
	service: db-B
	credentials: dbserver/cluster-B/users/dereckson_www
	-
	- /var/wwwroot/hypership.space/www/.env:
	- user: web-space-hypership-www
	- db:
	- service: db-B
	- credentials: dbserver/cluster-B/users/zed
	- extra_values:
	- DB_NAME: zed_prod
	- extra_credentials:
	- ZED_SECRET_KEY: zed/hypership/secret_key
	diff --git a/pillar/webserver/sites.sls b/pillar/webserver/sites.sls
	index e37bd73..4c70f0f 100644
	--- a/pillar/webserver/sites.sls
	+++ b/pillar/webserver/sites.sls
	@@ -1,67 +1,69 @@
	# -------------------------------------------------------------
	# Salt — Sites to provision on the legacy web server
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Nasqueron
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	# -------------------------------------------------------------
	# States
	#
	# Sites with states documenting how to build them
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	web_content_sls:
	#
	# Eglide
	#
	shellserver:
	# Directly managed by Eglide project
	- .org/eglide

	#
	# Nasqueron servers
	#
	mastodon:
	- .org/nasqueron/social

	- webserver-legacy:
	+ webserver-legacy: &legacy_to_migrate_to_alkane
	# Nasqueron members
	- .be/dereckson

	# Projects hosted
	- .space/hypership

	# Directly managed by Nasqueron
	- .org/nasqueron/api
	- .org/nasqueron/autoconfig
	- .org/nasqueron/daeghrefn
	- .org/nasqueron/docs
	- .org/nasqueron/infra
	- .org/nasqueron/labs
	- .org/nasqueron/rain

	# Wolfplex Hackerspace
	- .org/wolfplex/api
	- .org/wolfplex/www

	+ webserver-alkane: *legacy_to_migrate_to_alkane
	+
	# -------------------------------------------------------------
	# Sites deployed through Jenkins CD
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	web_content_jenkins_cd:
	webserver-legacy:
	- api
	- assets
	- autoconfig
	- docker
	- docs
	- launch
	- www

	# -------------------------------------------------------------
	# Tweaks
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	web_autochmod:
	- /var/wwwroot/dereckson.be/www
	diff --git a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
	index bc16b7b..63c55e8 100644
	--- a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
	+++ b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
	@@ -1,114 +1,118 @@
	# -------------------------------------------------------------
	# Webserver
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Site: hypership.space
	# License: Trivial work, not eligible to copyright
	# Source file: roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
	# -------------------------------------------------------------
	#
	# <auto-generated>
	# This file is managed by our rOPS SaltStack repository.
	#
	# Changes to this file may cause incorrect behavior
	# and will be lost if the state is redeployed.
	# </auto-generated>

	# -------------------------------------------------------------
	# Main application
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	server {
	server_name hypership.space;

	include includes/tls;
	ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem;
	ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem;

	error_log /var/log/www/hypership.space/www-error.log;
	access_log /var/log/www/hypership.space/www-access.log;

	location /content {
	return 403;
	}

	location /content/users {
	- alias /srv/zed/content/users;
	+ alias /var/dataroot/zed/content/users;
	}

	location /content/scenes {
	- alias /srv/zed/content/scenes;
	+ alias /var/dataroot/zed/content/scenes;

	location ~ \.tpl$ {
	# This folder contains templates intended to be rendered,
	# and not directly served.
	return 403;
	}
	}

	+ location = /tour {
	+ return 302 /tour.html;
	+ }
	+
	location /buildergate {
	return 503;

	# Serve through Apache

	#rewrite /buildergate/(.*) /$1 break;
	#proxy_pass http://localhost:3200;
	#proxy_redirect off;
	#proxy_set_header Host builder.zed.dereckson.be;
	#proxy_set_header X-Real-IP $remote_addr;
	#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	location / {
	# Serves static files if they exists, with one month cache
	if (-f $request_filename) {
	expires 30d;
	break;
	}

	# Sends all non existing file or directory requests to index.php
	if (!-e request_filename) {
	rewrite ^/api\.php /api.php last;
	rewrite ^/do\.php /do.php last;
	rewrite ^(.+)$ /index.php last;
	}
	}

	location ~ \.php$ {
	fastcgi_pass unix:/var/run/web/hypership.space/php-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include includes/fastcgi;
	}
	}

	# -------------------------------------------------------------
	# Redirects from port 80 and alternative domains
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	server {
	listen 80;
	listen [::]:80;
	server_name hypership.space;

	include includes/letsencrypt;

	location / {
	return 301 https://hypership.space$request_uri;
	}
	}

	server {
	listen 80;
	listen [::]:80;
	server_name www.hypership.space zed.dereckson.be;

	include includes/tls;
	ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem;
	ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem;

	include includes/letsencrypt;

	location / {
	return 301 https://hypership.space$request_uri;
	}
	}
	diff --git a/roles/webserver-content/space/hypership/www.sls b/roles/webserver-content/space/hypership/www.sls
	index ba9f2e6..d67115d 100644
	--- a/roles/webserver-content/space/hypership/www.sls
	+++ b/roles/webserver-content/space/hypership/www.sls
	@@ -1,22 +1,68 @@
	# -------------------------------------------------------------
	# Salt — Hypership
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	# Project: Zed
	# License: Trivial work, not eligible to copyright
	# -------------------------------------------------------------

	{% if salt['node.has_web_content'](".space/hypership") %}

	-/srv/zed:
	- file.directory
	+/var/dataroot/zed:
	+ file.directory:
	+ - user: deploy

	# -------------------------------------------------------------
	# Content
	# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	+{% if not salt["file.directory_exists"]("/var/dataroot/zed/content/.git") %}
	zed_content:
	+ file.directory:
	+ - name: /var/dataroot/zed/content
	+ - user: deploy
	+ - mode: 755
	+
	git.latest:
	- name: https://github.com/hypership/content.git
	- - target: /srv/zed/content
	+ - target: /var/dataroot/zed/content
	+ - user: deploy
	+{% endif %}
	+
	+{% if not salt["file.directory_exists"]("/var/dataroot/zed/content/users") %}
	+zed_content_private:
	+ file.directory:
	+ - name: /var/dataroot/zed/content/users
	+ - user: deploy
	+ - mode: 711
	+
	+ git.latest:
	+ - name: git@github.com:hypership/content_users.git
	+ - target: /var/dataroot/zed/content/users
	+ - user: deploy
	+ - identity: {{ pillar["wwwroot_identities"]["deploy-key-github-hypership-content_users"]["path"] }}
	+ - update_head: False
	+{% endif %}
	+
	+zed_content_rights:
	+ file.directory:
	+ - name: /var/dataroot/zed/content
	+ - user: web-space-hypership-www
	+ - recurse:
	+ - user
	+ - group
	+
	+# -------------------------------------------------------------
	+# Cache
	+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	+
	+/var/dataroot/zed/cache:
	+ file.directory:
	+ - user: web-space-hypership-www
	+
	+{% for subdir in ['compiled', 'openid', 'sessions'] %}
	+/var/dataroot/zed/cache/{{ subdir }}:
	+ file.directory:
	+ - user: web-space-hypership-www
	+{% endfor %}

	{% endif %}

File Metadata

Mime Type: text/x-diff
Expires: Sun, Nov 24, 19:43 (3 h, 51 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 2258817
Default Alt Text: (24 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions