Page MenuHomeDevCentral
Files F4793484

No OneTemporary
Actions

View Options

diff --git a/_modules/notifications.py b/_modules/notifications.py
new file mode 100644
index 0000000..ce7ca19
--- /dev/null
+++ b/_modules/notifications.py
@@ -0,0 +1,28 @@
+# -------------------------------------------------------------
+# Salt — Node execution module
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Build Notifications center configuration
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+
+import copy
+
+
+def get_credentials():
+ try:
+ services = __pillar__["notifications_credentials"]["services"]
+ except KeyError:
+ services = []
+
+ return {"services": [_build_service_config(service) for service in services]}
+
+
+def _build_service_config(service):
+ built_service = copy.deepcopy(service)
+
+ if "secret" in service:
+ built_service["secret"] = __salt__["credentials.get_token"](service["secret"])
+
+ return built_service
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index f2f58e7..5d8b63c 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,163 +1,170 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Vault configuration
#
# :: vault_policies_path: path on vault server where to store policies
#
# :: vault_policies_source: path to fetch policies from
# if starting by salt://, from salt files server
#
# :: vault_mount_paths: translates secrets paths in policies paths
#
# Generally, Vault paths are the same for policies and data access.
#
# For kv secrets engine, version 2, writing and reading versions
# of a kv value are prefixed with the data/ path.
#
# credentials.build_policies_by_node will use this dictionary
# to be able to rewrite secrets paths in data paths.
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies_path: /srv/policies/vault
vault_policies_source: salt://roles/vault/policies/files
vault_mount_paths:
ops/secrets: ops/data/secrets
ops/privacy: ops/data/privacy
# -------------------------------------------------------------
# Vault policies to deploy as-is, ie without templating.
#
# Entries of vault_policies must match a .hcl file in
# roles/vault/policies/files folder.
#
# If you need a template, create a new pillar entry instead
# and add the parsing logic either:
# - directly to roles/vault/policies/
#
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g. vault_secrets_by_role
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
- salt-primary
- viperserv
# -------------------------------------------------------------
# Vault policies for Salt
#
# Declare the extra policies each nodes need.
#
# In adition of those extra policies, the vault_secrets_by_role
# will be parsed for the keys.
#
# IMPORTANT: as grains['roles'] can be modified by the node,
# roles are extracted directly from the pillar.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_extra_policies_by_role:
salt-primary:
- salt-primary
# -------------------------------------------------------------
# Vault secrets by role
#
# Paths of the keys the specified role needs access to.
#
# Avoid * notation as this namespace is shared between Vault
# and the applications. As such, only secrets the Salt nodes
# needs in a state they need to deploy should be listed here.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_role:
opensearch:
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
- ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards
paas-docker-prod:
#
# Personal data or personally identifiable information (PII)
# related to Nasqueron Operations SIG members.
#
- ops/privacy/ops-cidr
#
# Credentials used by Nasqueron services
# Format: ops/secrets/nasqueron.<service>.<type>
#
- ops/secrets/nasqueron.acquisitariat.mysql
- ops/secrets/nasqueron.auth-grove.mysql
- ops/secrets/nasqueron.cachet.app_key
- ops/secrets/nasqueron.cachet.mysql
- ops/secrets/nasqueron.etherpad.api
- ops/secrets/nasqueron.notifications.broker
- ops/secrets/nasqueron.notifications.mailgun
- ops/secrets/nasqueron.notifications.sentry
+ - ops/secrets/nasqueron.notifications.credentials_github_nasqueron
+ - ops/secrets/nasqueron.notifications.credentials_github_wolfplex
+ - ops/secrets/nasqueron.notifications.credentials_github_keruald
+ - ops/secrets/nasqueron.notifications.credentials_github_trustspace
+ - ops/secrets/nasqueron.notifications.credentials_github_eglide
+ - ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron
+
- ops/secrets/nasqueron.pixelfed.app_key
- ops/secrets/nasqueron.pixelfed.mailgun
- ops/secrets/nasqueron.pixelfed.mysql
- ops/secrets/nasqueron.sentry.app_key
- ops/secrets/nasqueron.sentry.postgresql
#
# Credentials used by Nasqueron members private services
# Format: <username>.<service>.<type>
#
- ops/secrets/dereckson.phabricator.mysql
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
#
- ops/secrets/espacewin.phpbb.mysql_root
- ops/secrets/wolfplex.phabricator.mailgun
- ops/secrets/wolfplex.phabricator.mysql
- ops/secrets/zed.phabricator.mysql
- ops/secrets/zed.phabricator.sendgrid
paas-docker-dev:
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
#
- ops/secrets/espacewin.bugzilla.mysql
- ops/secrets/espacewin.bugzilla.mysql_root
viperserv:
- ops/secrets/nasqueron.viperserv.vault
# -------------------------------------------------------------
# Vault secrets by dbserver cluster
#
# Paths of the keys the specified role needs access to.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_secrets_by_dbserver_cluster:
# Main PostgreSQL cluster
A:
- ops/secrets/dbserver/cluster-A/users/*
diff --git a/pillar/notifications/config.sls b/pillar/notifications/config.sls
new file mode 100644
index 0000000..3e5d95f
--- /dev/null
+++ b/pillar/notifications/config.sls
@@ -0,0 +1,153 @@
+# -------------------------------------------------------------
+# Notifications center
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Credentials
+#
+# The secret key value is the Vault key path for this secret,
+# it will be passed to the credentials.get_token method.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+notifications_credentials:
+ services:
+
+ # Nasqueron
+
+ - gate: GitHub
+ door: Nasqueron
+ secret: nasqueron.notifications.credentials_github_nasqueron
+
+ - gate: GitHub
+ door: Wolfplex
+ secret: nasqueron.notifications.credentials_github_wolfplex
+
+ - gate: GitHub
+ door: Keruald
+ secret: nasqueron.notifications.credentials_github_keruald
+
+ - gate: GitHub
+ door: TrustSpace
+ secret: nasqueron.notifications.credentials_github_trustspace
+
+ - gate: GitHub
+ door: Eglide
+ secret: nasqueron.notifications.credentials_github_eglide
+
+ - gate: Phabricator
+ door: Nasqueron
+ instance: https://devcentral.nasqueron.org
+ secret: nasqueron.notifications.credentials_phabricator_nasqueron
+
+# Docker Hub build triggers URL can't currently been automated easily.
+
+# -------------------------------------------------------------
+# Payload analyzer configuration
+#
+# The content of notifications_configuration will be split
+# into folders and JSON files, converted from YAML objects.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+notifications_configuration:
+ GitHubPayloadAnalyzer:
+ default: &default
+ administrativeGroup: orgz
+ defaultGroup: ''
+ map: []
+
+ Nasqueron:
+ administrativeGroup: orgz
+ defaultGroup: nasqueron
+ map:
+ - group: docker
+ items:
+ - docker-*
+
+ - group: tasacora
+ items:
+ - tasacora-*
+
+ - group: devtools
+ items:
+ - notifications
+ - notifications-cli-client
+
+ - group: ops
+ items:
+ - decommission
+ - discourse-config
+ - ftp
+ - operations
+ - servers-*
+ - zemke-rhyne
+
+ JenkinsPayloadAnalyzer:
+ default:
+ defaultGroup: ci
+ map: []
+ notifyOnlyOnFailure: []
+
+ Nasqueron:
+ defaultGroup: ci
+ map:
+ - group: wikidata
+ items:
+ - deploy-irc-daeghrefn-wikidata
+
+ - group: ops
+ items:
+ - deploy-website-*
+ - test-prod-env
+
+ - group: devtools
+ items:
+ - test-notifications-*
+
+ notifyOnlyOnFailure:
+ - test-prod-env
+
+ PhabricatorPayloadAnalyzer:
+ default: *default
+
+ Nasqueron:
+ administrativeGroup: orgz
+ defaultGroup: nasqueron
+ map:
+ - group: docker
+ items:
+ - Docker images
+ - Nasqueron Docker deployment squad
+ words:
+ - Docker
+
+ - group: tasacora
+ items:
+ - Tasacora
+ words:
+ - Tasacora
+ - cartography
+
+ - group: trustspace
+ items:
+ - TrustSpace
+
+ - group: ops
+ items:
+ - Continous integration and delivery
+ - IPv6
+ - Mail
+ - Message queues
+ - Murasil
+ - Nasqueron security operations squad
+ - Servers
+ - Ops-sprint-*
+ - Salt
+ words:
+ - Ysul
+ - Dwellers
+ - Eglide
+ - pkg audit
+ wordsAreStrong: true
diff --git a/pillar/top.sls b/pillar/top.sls
index b5236e2..98b134c 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,60 +1,61 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.users
- core.groups
- core.network
- certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
- webserver.sites
cloudhugger:
- credentials.zr
- opensearch.software
- opensearch.clusters
complector:
- credentials.vault
docker-001:
- credentials.zr
+ - notifications.config
- paas.docker
- saas.jenkins
- saas.phpbb
- saas.sentry
db-A-001:
- dbserver.cluster-A
dwellers:
- credentials.zr
- paas.docker
- saas.jenkins
- saas.sentry
eglide:
- shellserver.quassel
ysul:
- devserver.repos
- credentials.zr
- saas.mediawiki
- viperserv.bots
- viperserv.fantoir
- webserver.labs
- webserver.wwwroot51
windriver:
- devserver.ports
- devserver.repos
- webserver.labs
- webserver.wwwroot51
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
index 1334103..96360c7 100644
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -1,44 +1,86 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-01-23
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
{% set containers = pillar['docker_containers'][grains['id']] %}
{% for instance, container in containers['notifications'].items() %}
+ # -------------------------------------------------------------
+ # Storage directory
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/{{ instance }}/storage:
+ file.directory:
+ - user: 431
+ - group: 433
+ - makedirs: True
+
+/srv/{{ instance }}/storage/app/credentials.json:
+ file.managed:
+ - user: 431
+ - group: 433
+ - makedirs: True
+ - contents: |
+ {{ salt['notifications.get_credentials']() | json }}
+
+{% for folder, configs in salt['pillar.get']("notifications_configuration", {}).items() %}
+{% for config_file, config in configs.items() %}
+/srv/{{ instance }}/storage/app/{{ folder }}/{{ config_file }}.json:
+ file.managed:
+ - user: 431
+ - group: 433
+ - makedirs: True
+ - contents: |
+ {{ config | json }}
+{% endfor %}
+{% endfor %}
+
+{% if has_selinux %}
+selinux_context_notifications_data_{{ instance }}:
+ selinux.fcontext_policy_present:
+ - name: /srv/{{ instance }}/storage
+ - sel_type: container_file_t
+
+selinux_context_notifications_data_applied_{{ instance }}:
+ selinux.fcontext_policy_applied:
+ - name: /srv/{{ instance }}/storage
+{% endif %}
+
# -------------------------------------------------------------
# Container
#
# Image: nasqueron/notifications
# Description: Listen to webhooks, fire notifications to
# the broker. Used for CI / IRC notifications.
# Services used: RabbitMQ broker (white-rabbit)
-# Docker volume (/data/notifications/storage)
+# Docker volume (/srv/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- - binds: /srv/notifications/storage:/var/wwwroot/default/storage
+ - binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
- links:
- {{ container['broker_link'] }}:mq
- environment:
- BROKER_HOST: mq
- BROKER_USERNAME: {{ salt['credentials.get_username'](container['credentials']['broker']) }}
- BROKER_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
- MAILGUN_DOMAIN: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
- ports:
- 80
- port_bindings:
- {{ container['app_port'] }}:80
{% endfor %}

File Metadata

Mime Type
text/x-diff
Expires
Fri, Feb 28, 21:46 (1 d, 20 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2447901
Default Alt Text
(15 KB)

Event Timeline

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator