diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -87,6 +87,11 @@
devserver:
- ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
+ - ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
+ - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
+ - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
+ - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
+
opensearch:
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards
diff --git a/pillar/webserver/wwwroot51.sls b/pillar/webserver/wwwroot51.sls
--- a/pillar/webserver/wwwroot51.sls
+++ b/pillar/webserver/wwwroot51.sls
@@ -7,21 +7,41 @@
wwwroot51_basedir: /var/51-wwwroot
+wwwroot51_identities:
+ alken-orin:
+ secret: nasqueron/deploy/deploy_keys/alken-orin
+ path: /opt/salt/security/id_alken_orin_ed25519
+
+ deploy-key-bitbucket-dereckson-www:
+ secret: nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
+ path: /opt/salt/security/id_bitbucket_dereckson_www
+
+ deploy-key-bitbucket-espacewin-www:
+ secret: nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
+ path: /opt/salt/security/id_bitbucket_espacewin_www
+
+ deploy-key-github-wolfplex-api-www:
+ secret: nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
+ path: /opt/salt/security/id_github_wolfplex_api_www
+
wwwroot51_directories:
api:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/api.git
+ identity: alken-orin
dereckson-www:
user: dereckson
group: dereckson
repository: git@bitbucket.org:dereckson/www.dereckson.be.git
+ identity: deploy-key-bitbucket-dereckson-www
espacewin-www:
user: dereckson
group: dereckson
repository: git@bitbucket.org:ewosp/www.espace-win.org.git
+ identity: deploy-key-bitbucket-espacewin-www
mediawiki-dereckson:
user: dereckson
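Review bot: Every entry that carries a `repository` key now also needs an `identity` key, because sites.sls resolves it with `identities[site["identity"]]["path"]` and has no fallback; the `mediawiki-dereckson` entry starts on the last lines of this hunk and its body is not visible, so check that it either has no repository or received an identity in the lines not shown. The sites visible in both hunks of this file (api, dereckson-www, espacewin-www, saas-mediawiki, tools, wolfplex-api, www) are all covered. The contract between the two new maps is implicit; a comment above `wwwroot51_identities` such as `# Deploy identities referenced by wwwroot51_directories.<site>.identity: secret names the credentials entry, path is where the private key is written on the minion` would make it explicit for the next person adding a site.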
@@ -35,18 +55,22 @@
user: dereckson
group: mediawiki
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/saas-mediawiki.git
+ identity: alken-orin
tools:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/tools.git
+ identity: alken-orin
wolfplex-api:
user: dereckson
group: dereckson
repository: git@github.com:wolfplex/api-www.git
+ identity: deploy-key-github-wolfplex-api-www
www:
user: dereckson
group: dereckson
repository: ssh://vcs@devcentral.nasqueron.org:5022/source/www.git
+ identity: alken-orin
diff --git a/roles/devserver/webserver-wwwroot51/credentials.sls b/roles/devserver/webserver-wwwroot51/credentials.sls
new file mode 100644
--- /dev/null
+++ b/roles/devserver/webserver-wwwroot51/credentials.sls
@@ -0,0 +1,33 @@
+# -------------------------------------------------------------
+# Salt — Webserver wwwroot51 content
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+/opt/salt/security:
+ file.directory:
+ - user: deploy
+ - makedirs: True
+ - mode: 700
+
+{% for _, identity in pillar.get("wwwroot51_identities", {}).items() %}
+
+{{ identity["path"] }}:
+ file.managed:
+ - user: deploy
+ - mode: 400
+ - source: salt://roles/devserver/webserver-wwwroot51/files/id_private
+ - template: jinja
+ - context:
+ secret: {{ identity["secret"] }}
+ - show_changes: False
+
+{{ identity["path"] }}.pub:
+ file.managed:
+ - user: deploy
+ - mode: 444
+ - contents: |
+ {{ salt["credentials.get_username"](identity["secret"]) }}
+ - show_changes: False
+{% endfor %}
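Review bot: The `mode: 700`, `mode: 400` and `mode: 444` values are bare integers; Salt's file states normalize these to `0700`/`0400`/`0444`, but quoting them as strings (`mode: "0400"`) is the form the Salt docs recommend, since a later edit with a leading zero would be read by YAML as octal and silently produce a different mode. The public-key stanza takes its content from `credentials.get_username` on the same secret whose password becomes `id_private`, which presumably means each identity secret stores the public key in its username field — if that is the convention, record it above the loop, e.g. `# Each identity secret is expected to hold the public key as username and the private key as password`. The pillar lookup here is guarded with `pillar.get("wwwroot51_identities", {})` while sites.sls uses an unguarded `pillar["wwwroot51_identities"]`, so a host without the key renders this file but fails on the other; pick one behaviour for both.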
diff --git a/roles/devserver/webserver-wwwroot51/files/id_private b/roles/devserver/webserver-wwwroot51/files/id_private
new file mode 100644
--- /dev/null
+++ b/roles/devserver/webserver-wwwroot51/files/id_private
@@ -0,0 +1 @@
+{{ salt["credentials.get_password"](secret) }}
diff --git a/roles/devserver/webserver-wwwroot51/init.sls b/roles/devserver/webserver-wwwroot51/init.sls
--- a/roles/devserver/webserver-wwwroot51/init.sls
+++ b/roles/devserver/webserver-wwwroot51/init.sls
@@ -2,66 +2,9 @@
# Salt — Webserver wwwroot51 content
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-{% set basedir = pillar['wwwroot51_basedir'] %}
-
-# -------------------------------------------------------------
-# Base directory
-#
-# If ZFS is available, create a volume with frequent snapshots
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ basedir }}:
- file.directory:
- - dir_mode: 711
-
-{% if salt['node.has']('zfs:pool') %}
-{% set tank = salt['node.get']("zfs:pool") %}
-
-{{ tank }}/wwwroot51:
- zfs.filesystem_present:
- - properties:
- mountpoint: {{ basedir }}
- compression: zstd
- "com.sun:auto-snapshot": "true"
-
-{% endif %}
-
-# -------------------------------------------------------------
-# 51 sites
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% for sitename, site in pillar['wwwroot51_directories'].items() %}
-{{ basedir }}/{{ sitename }}:
- file.directory:
- - dir_mode: 711
-{% if 'repository' not in site %}
- - user: {{ site['user'] }}
- - group: {{ site['group'] }}
-{% else %}
- # Credentials belong to deploy user
- - user: deploy
-
- git.latest:
- - name: {{ site['repository'] }}
- - target: {{ basedir }}/{{ sitename }}
- - user: deploy
- - identity: /opt/salt/security/id_ed25519
- - update_head: False
-
-fix_rights_{{ basedir }}/{{ sitename }}:
- file.directory:
- - name: {{ basedir }}/{{ sitename }}
- - user: {{ site['user'] }}
- - group: {{ site['group'] }}
- - recurse:
- - user
- - group
- - onchanges:
- - git: {{ basedir }}/{{ sitename }}
-
-{% endif %}
-{% endfor %}
+include:
+ - .credentials
+ - .sites
diff --git a/roles/devserver/webserver-wwwroot51/init.sls b/roles/devserver/webserver-wwwroot51/sites.sls
copy from roles/devserver/webserver-wwwroot51/init.sls
copy to roles/devserver/webserver-wwwroot51/sites.sls
--- a/roles/devserver/webserver-wwwroot51/init.sls
+++ b/roles/devserver/webserver-wwwroot51/sites.sls
@@ -2,7 +2,6 @@
# Salt — Webserver wwwroot51 content
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-02-11
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
@@ -17,6 +16,7 @@
{{ basedir }}:
file.directory:
- dir_mode: 711
+ - user: deploy
{% if salt['node.has']('zfs:pool') %}
{% set tank = salt['node.get']("zfs:pool") %}
@@ -34,6 +34,8 @@
# 51 sites
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+{% set identities = pillar["wwwroot51_identities"] %}
+
{% for sitename, site in pillar['wwwroot51_directories'].items() %}
{{ basedir }}/{{ sitename }}:
file.directory:
@@ -49,7 +51,7 @@
- name: {{ site['repository'] }}
- target: {{ basedir }}/{{ sitename }}
- user: deploy
- - identity: /opt/salt/security/id_ed25519
+ - identity: {{ identities[site["identity"]]["path"] }}
- update_head: False
fix_rights_{{ basedir }}/{{ sitename }}:
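Review bot: The clone now depends on the identity file written by credentials.sls, but nothing in this state expresses that dependency; Salt's default ordering happens to run `.credentials` before `.sites` because of the include order in init.sls, yet an explicit `- require:` followed by `  - file: {{ identities[site["identity"]]["path"] }}` under the `identity` line makes the clone fail cleanly rather than run against a missing key if the includes are ever reordered or applied individually. `site["identity"]` is also a hard lookup, so a site that has a `repository` but no `identity` in the pillar aborts rendering of the whole file with an undefined-variable error instead of a message naming the site; a `{% if "identity" not in site %}` guard raising a clear error, or a comment on the pillar stating the requirement, would help. The `git.latest` state this hunk edits starts above the hunk, inside the `{% else %}` branch of the `'repository' not in site` test.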
D3094: Clone wwwroot51 repositories with proper credentials