
diff --git a/PORTS b/PORTS
index 6514d5d..fafaf04 100644
--- a/PORTS
+++ b/PORTS
@@ -1,53 +1,56 @@
+webserver-alkane
+ 9253 php-fpm metrics
+
reserved-for-legacy-docker-migration-medium-priority
3000 Mastodon public HTTP
4000 Mastodon streaming HTTP
15674 RabbitMQ
41080 Nasqueron Tools HTTP
reserved-for-legacy-docker-migration-low-priority
4440 Rundeck HTTP
21080 Drupal CRM HTTP
22080 Zammad HTTP
27080 Grafana HTTP
28080 phragile HTTP
29080 etcd HTTP
32080 Discourse HTTP
40080 RocketChat HTTP
paas-docker
5000 Docker registry HTTP
9090 Openfire HTTP
16080 Orbeon HTTP
17080 Penpot - back-end
17300 Penpot - exporter
19080 Nasqueron API - Datasources
20080 Nasqueron API - Docker registry API
22220 Phabricator Aphlict (client)
22221 Phabricator Aphlict (admin)
23080 Phabricator HTTP - River Sector
24080 Tommy HTTP - CI
24180 Tommy HTTP - CD
25080 Auth Grove HTTP
26080 Sentry HTTP
26300 Sentry - Relay
30080 Pixelfed HTTP
31080 Phabricator HTTP - DevCentral
33080 Bugzilla HTTP - Espace Win
34080 Etherpad
35080 Phabricator HTTP - Wolfplex
36080 Phabricator HTTP - Zed
37080 Notifications center HTTP
38080 Jenkins HTTP - CD
39080 Cachet HTTP
41080 ACME DNS server HTTP
42080 Jenkins HTTP - CI
43080 Hauk
44080 Hound
# 45080 should be reserved for OpenGrok to compare with Hound
46080 Airflow - HTTP
46555 Airflow - Flower
47080 Jenkins HTTP - Test
48080 Vault - Notifications - Integration
50000 Jenkins controller's port for JNLP-based Jenkins agents - CD
52000 Jenkins controller's port for JNLP-based Jenkins agents - Test
55000 Jenkins controller's port for JNKP-based Jenkins agents - CI
diff --git a/UIDs b/UIDs
index d4e0e86..b070164 100644
--- a/UIDs
+++ b/UIDs
@@ -1,15 +1,16 @@
830 odderon
831 builder
832 chaton LEGACY
833 viperserv
834 tc2
835 opensearch
3004 mediawiki
6000 mailbox
+8000 web-admin
9001 salt
9002 deploy
8900 zr LEGACY
# Web app
12000 web-org-nasqueron-mail #reserved for it
12001 web-org-nasqueron-mail-admin
diff --git a/pillar/observability/prometheus.sls b/pillar/observability/prometheus.sls
index 9eb45d4..f271ad7 100644
--- a/pillar/observability/prometheus.sls
+++ b/pillar/observability/prometheus.sls
@@ -1,69 +1,75 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Description: Prometheus configuraiton
# -------------------------------------------------------------
# -------------------------------------------------------------
# Scrape jobs
#
# Options supported from Prometheus scrape_config syntax:
# - name
# - scheme
# - metrics_path
#
# Options mapped with pillar/services/table.sls for services:
# - services_targets: list of services dictionaries
# - service: name in nasqueron_services pillar
# - port
#
# - services_targets_list will have the same behavior
# but will read a list of services in nasqueron_services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
prometheus_scrape_jobs:
prometheus_itself:
name: prometheus
services_targets:
- service: prometheus
port: 9090
node_exporter:
name: node
services_targets_list:
- service: "all"
port: 9100
dovecot:
name: dovecot
scheme: http
services_targets:
- service: "mail:dovecot:exporter"
port: 9900
netbox:
name: netbox
scheme: https
services_targets:
- service: netbox_domain
port: 443
paas_docker:
name: docker
services_targets_list:
- service: "docker:all"
port: 9323
+ php-fpm:
+ name: php-fpm
+ services_targets_list:
+ - service: "alkane"
+ port: 9253
+
postfix:
name: postfix
services_targets:
- service: "mail:postfix:exporter"
port: 9154
rabbitmq:
name: rabbitmq
services_targets:
- service: "rabbitmq:white-rabbit"
port: 15692
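Review bot: The new scrape-job key `php-fpm` breaks the snake_case used by every sibling key under `prometheus_scrape_jobs` (`prometheus_itself`, `node_exporter`, `paas_docker`); `php_fpm:` as the key, keeping `name: php-fpm` for the job name, would match the file. The job relies on the default scheme and metrics path, and its `port: 9253` has to agree with the `phpfpm_exporter_address` value in `roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf` and with the PORTS registry; a comment such as `# port must match phpfpm_exporter_address in roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf` on the new entry would document that coupling.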
diff --git a/pillar/services/table.sls b/pillar/services/table.sls
index 455decf..8cee9af 100644
--- a/pillar/services/table.sls
+++ b/pillar/services/table.sls
@@ -1,56 +1,62 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Description: Table of the services to use in configuration
# -------------------------------------------------------------
nasqueron_services:
# Complector services
salt_primary: 172.27.27.7
salt_api_url: https://172.27.27.7:8300
vault: 172.27.27.7
vault_url: https://172.27.27.7:8200
# PaaS Docker
docker:
api: 172.27.27.5
cd: 172.27.27.5
notifications: 172.27.27.5
all:
- 172.27.27.4
- 172.27.27.5
+ # Alkane
+ alkane:
+ - 172.27.27.3 # hervil for webmail clients
+ - 172.27.27.10 # web-001
+ - 172.27.27.35 # windriver
+
# Databases
db-A: 172.27.27.8
db-B: 172.27.27.9
# Mail
mail:
dovecot:
exporter: 172.27.27.3
postfix:
exporter: 172.27.27.3
# NetBox
netbox_domain: netbox.nasqueron.org
# RabbitMQ
rabbitmq:
white-rabbit: 172.27.27.5
# Observability
prometheus: 172.27.27.35
all:
- 172.27.27.1 # router-001
- 172.27.27.3 # hervil
- 172.27.27.4 # dwellers
- 172.27.27.5 # docker-002
- 172.27.27.7 # complector
- 172.27.27.8 # db-A-001
- 172.27.27.9 # db-B-001
- 172.27.27.10 # web-001
- 172.27.27.35 # windriver
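Review bot: The new `alkane` list has to sit directly under `nasqueron_services`, not nested inside the `docker` mapping it follows, for the `service: "alkane"` lookup in the php-fpm scrape job to resolve, since nested services are addressed with a colon path as `docker:all` shows; the rendering here has dropped the indentation, so this cannot be confirmed from the diff and is worth checking in the committed file. The `# Alkane` heading is consistent with the other section comments in the table.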
diff --git a/roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf b/roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf
new file mode 100644
index 0000000..0cafae4
--- /dev/null
+++ b/roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf
@@ -0,0 +1,21 @@
+# -------------------------------------------------------------
+# phpfpm_exporter :: php-fpm metrics
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+phpfpm_exporter_enable="YES"
+phpfpm_exporter_user="web-admin"
+phpfpm_exporter_sockets_root="/var/run/web"
+phpfpm_exporter_sockets_pattern="php-fpm.sock"
+phpfpm_exporter_status="/php-fpm-status"
+phpfpm_exporter_address="{{ ip }}:9253"
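Review bot: `phpfpm_exporter_sockets_root="/var/run/web"` with `phpfpm_exporter_sockets_pattern="php-fpm.sock"` assumes the exporter searches below the root, because the pools listen at `/var/run/web/<fqdn>/php-fpm.sock` according to `roles/webserver-alkane/php/files/php-fpm-pool.conf`; if the rc script only matches direct children of the root, no pool will be discovered, so this should be verified against the exporter's lookup behaviour. `phpfpm_exporter_status="/php-fpm-status"` duplicates the `pm.status_path` value of the pool template, and a comment like `# Must match pm.status_path in roles/webserver-alkane/php/files/php-fpm-pool.conf` would record that the two files have to change together. Binding the listener to `{{ ip }}:9253` with the private IPv4 keeps an unauthenticated metrics endpoint off public interfaces, which is the right default.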
diff --git a/roles/webserver-alkane/monitoring/init.sls b/roles/webserver-alkane/monitoring/init.sls
new file mode 100644
index 0000000..a5076ca
--- /dev/null
+++ b/roles/webserver-alkane/monitoring/init.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# Salt :: Alkane :: Nasqueron PaaS for static and PHP sites
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .php-fpm
diff --git a/roles/webserver-alkane/monitoring/php-fpm.sls b/roles/webserver-alkane/monitoring/php-fpm.sls
new file mode 100644
index 0000000..f39fee9
--- /dev/null
+++ b/roles/webserver-alkane/monitoring/php-fpm.sls
@@ -0,0 +1,28 @@
+# -------------------------------------------------------------
+# Salt :: Alkane :: Nasqueron PaaS for static and PHP sites
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, services with context %}
+
+{% set network = salt["node.resolve_network"]() %}
+
+# -------------------------------------------------------------
+# Export php-fpm metrics
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+phpfpm_exporter_lusitaniae:
+ pkg.installed
+
+{% if services["manager"] == "rc" %}
+
+/etc/rc.conf.d/phpfpm_exporter.conf:
+ file.managed:
+ - source: salt://roles/webserver-alkane/monitoring/files/rc/phpfpm_exporter.conf
+ - template: jinja
+ - context:
+ ip: {{ network.private_ipv4_address }}
+
+{% endif %}
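Review bot: The state installs the package and writes `/etc/rc.conf.d/phpfpm_exporter.conf`, but nothing enables or starts the exporter, and no state watches the rc file, so an address or user change will not restart the running process; a `service.running` state for `phpfpm_exporter` (the rc script name implied by the `phpfpm_exporter_enable` variable) inside the same `{% if %}` block, with `enable: True`, a `require` on the package and a `watch` on the managed file, closes that gap. Hosts whose `services["manager"]` is not `rc` get the package but no configuration at all; if that is intended, a comment stating it would help the next reader.

```yaml
# … unchanged: pkg.installed and file.managed states …
phpfpm_exporter:
  service.running:
    - enable: True
    - require:
      - pkg: phpfpm_exporter_lusitaniae
    - watch:
      - file: /etc/rc.conf.d/phpfpm_exporter.conf
```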
diff --git a/roles/webserver-alkane/php/files/php-fpm-pool.conf b/roles/webserver-alkane/php/files/php-fpm-pool.conf
index 30a17ef..e9e424d 100644
--- a/roles/webserver-alkane/php/files/php-fpm-pool.conf
+++ b/roles/webserver-alkane/php/files/php-fpm-pool.conf
@@ -1,57 +1,59 @@
; -------------------------------------------------------------
; php-fpm pool configuration
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
; Project: Nasqueron
; License: Trivial work, not eligible to copyright
; Source file: roles/webserver-alkane/php/files/php-fpm-pool.conf
; -------------------------------------------------------------
;
; <auto-generated>
; This file is managed by our rOPS SaltStack repository.
;
; Changes to this file may cause incorrect behavior
; and will be lost if the state is redeployed.
; </auto-generated>
[{{ user }}]
listen = /var/run/web/{{ fqdn }}/php-fpm.sock
listen.owner = {{ user }}
listen.group = web
listen.mode = 0660
user = {{ user }}
group = web
pm = ondemand
pm.max_children = 8
pm.process_idle_timeout = 10s
pm.max_requests = 50
+pm.status_path = /php-fpm-status
+
slowlog = /var/log/www/{{ domain }}/{{ subdomain }}-php-slow.log
request_slowlog_timeout = {{ slow_delay }}
catch_workers_output = yes
php_admin_value[error_log] = /var/log/www/{{ domain }}/{{ subdomain }}-php.log
php_flag[display_errors] = {{ display_errors }}
php_flag[display_startup_errors] = {{ display_errors }}
php_admin_flag[log_errors] = on
{% for key, value in php_flags.items() -%}
php_flag[{{ key }}] = {{ value }}
{% endfor -%}
{% for key, value in php_values.items() -%}
php_value[{{ key }}] = {{ value }}
{% endfor -%}
{% if 'wordpress' in capabilities -%}
; Allow Wordpress to process large images
php_value[memory_limit] = 1024M
{%- endif %}
; Don't flood /tmp (T417)
php_value[session.save_path] = /var/tmp/php/sessions/{{ fqdn }}
{%- for key, value in env.items() %}
env["{{ key }}"] = {{ value }}
{%- endfor -%}
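Review bot: `pm.status_path = /php-fpm-status` makes every pool answer the status page on its socket, and that page reports active request URIs, client IPs and script paths; whether it is reachable from the public vhost depends on which requests nginx forwards to the socket, which this hunk does not show. If a vhost passes more than `\.php$` locations to the pool, an nginx `location = /php-fpm-status { deny all; }` in the shared includes keeps the page internal while the exporter, which reads the socket directly, is unaffected. A comment on the new line, `; Status page read by phpfpm_exporter over the socket; keep it out of the public vhost`, would record the intent.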
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
index b9f7d2a..a2521c8 100644
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -1,119 +1,128 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/webserver-core/map.jinja" import options with context %}
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
# -------------------------------------------------------------
# Accounts - web group
#
# A group shared between nginx, back-end and content directories
# to allow ACL giving access to the nginx process.
#
# This group will so be used by:
# - nginx process (configured in nginx.conf)
# - back-end UNIX sockets like php-fpm sockets can be 660
# - more private folders can use 007 as umask
+#
+# An user is created in that group to run tools needing access
+# to those resources.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_group:
group.present:
- name: web
- gid: 9003
- system: True
+webserver_core_user:
+ user.present:
+ - name: web-admin
+ - uid: 8000
+ - gid: 9003
+
# -------------------------------------------------------------
# Base configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/nginx.conf:
file.managed:
- source: salt://roles/webserver-core/nginx/files/nginx.conf
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_includes:
file.recurse:
- name: {{ dirs.etc }}/nginx/includes
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
- template: jinja
- context:
nginx_version: {{ salt["nginx.version"]() }}
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
certbot_dir: /var/letsencrypt-auto
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
#
# Some ciphers still require DH exchange. They contain "DHE" in
# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_dh:
cmd.run:
- name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
- creates: {{ dirs.etc }}/nginx/dhparams.pem
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To allow nginx to verify TLS certificate presented by CA
# when it makes requests to the CRL, a bundle of CA certificates
# should be available.
#
# To generate the bundle file on this repository, use `make`.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/certs/ocsp-ca-certs.pem:
file.managed:
- source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
- makedirs: True
- mode: 644
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/log/www:
file.directory:
- user: {{ options["www_user"] }}
- group: web
- dir_mode: 711
{% if has_selinux %}
selinux_context_nginx_logs:
selinux.fcontext_policy_present:
- name: /var/log/www
- sel_type: httpd_log_t
selinux_context_nginx_logs_applied:
selinux.fcontext_policy_applied:
- name: /var/log/www
{% endif %}
# -------------------------------------------------------------
# vhost folder
#
# To be filled by the specific web role or unit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory
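Review bot: `webserver_core_user` creates `web-admin` with the default login shell and, on most platforms, a home directory, although the comment above describes a service account that only needs membership of the `web` group to read sockets and log directories; adding `- shell: /usr/sbin/nologin` (the path on FreeBSD and Debian-family hosts — confirm for the targets in `map.jinja`), `- createhome: False` and `- system: True` limits what the account can be used for if a tool running as it is compromised. `- gid: 9003` repeats the value from `webserver_core_group`, so a one-line comment `# gid of the web group above` on that line would tie the two together.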
