
diff --git a/pillar/services/table.sls b/pillar/services/table.sls
new file mode 100644
index 0000000..06a3ca0
--- /dev/null
+++ b/pillar/services/table.sls
@@ -0,0 +1,23 @@
+# -------------------------------------------------------------
+# Salt configuration for Nasqueron servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Description: Table of the services to use in configuration
+# -------------------------------------------------------------
+
+nasqueron_services:
+ # Complector services
+ salt_primary: 172.27.27.7
+ vault: 172.27.27.7
+ vault_url: https://172.27.27.7:8200
+
+ # PaaS Docker
+ docker:
+ api: 172.27.27.5
+ cd: 172.27.27.5
+ notifications: 172.27.27.5
+
+ # Databases
+ db-A: 172.27.27.8
+ db-B: 172.27.27.9
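Review bot: This table is included under `'*'` in pillar/top.sls, so every minion receives it; a header note making that contract visible would help, e.g. `# Distributed to every minion (see top.sls): service addresses only, never credentials.` The Vault address is also written twice, as `vault` and inside `vault_url`, and api.conf still hardcodes `:8200` next to `services["vault"]`, so moving Vault to another host or port means editing three places; deriving `vault_url` from `vault` in Jinja, or adding a `vault_port` entry, would leave a single source of truth. The key names mix `snake_case` (`salt_primary`, `vault_url`) with kebab-case (`db-A`, `db-B`); one convention per file reads better and avoids quoting surprises in lookups.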
diff --git a/pillar/top.sls b/pillar/top.sls
index 657a5e2..526ed90 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,62 +1,63 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.users
- core.groups
- core.network
- certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
- services.monitoring-reporting
+ - services.table
- webserver.sites
cloudhugger:
- opensearch.software
- opensearch.clusters
complector:
- credentials.vault
# To provision services
- saas.rabbitmq
docker-002:
- notifications.config
- paas.docker
- saas.jenkins
- saas.phpbb
db-A-001:
- dbserver.cluster-A
db-B-001:
- dbserver.cluster-B
dwellers:
- paas.docker
- saas.jenkins
eglide:
- shellserver.quassel
ysul:
- devserver.repos
- saas.mediawiki
- viperserv.bots
- viperserv.fantoir
- webserver.labs
- webserver.wwwroot51
windriver:
- devserver.ports
- devserver.repos
- webserver.labs
- webserver.wwwroot51
diff --git a/roles/devserver/userland-software/files/notifications.conf b/roles/devserver/userland-software/files/notifications.conf
index 2be42fa..9a82e03 100644
--- a/roles/devserver/userland-software/files/notifications.conf
+++ b/roles/devserver/userland-software/files/notifications.conf
@@ -1,23 +1,23 @@
# -------------------------------------------------------------
# Notifications center CLI client configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# Source file: roles/devserver/userland-software/files/notifications.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
[Broker]
-Host=172.27.27.5
+Host={{ host }}
User=notifications-{{ grains['id'] }}
Password={{ password }}
Vhost=dev
Exchange=notifications
diff --git a/roles/devserver/userland-software/notifications.sls b/roles/devserver/userland-software/notifications.sls
index 6a1e674..9bac4e9 100644
--- a/roles/devserver/userland-software/notifications.sls
+++ b/roles/devserver/userland-software/notifications.sls
@@ -1,42 +1,43 @@
# -------------------------------------------------------------
# Salt — Provision dev software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-02-20
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages_prefixes with context %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/notifications:
file.managed:
- source: salt://software/notifications-cli-client/notifications
- mode: 755
# -------------------------------------------------------------
# Dependencies
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notifications_dependencies:
pkg.installed:
- pkgs:
- {{ packages_prefixes.python3 }}pika
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# TODO: switch group to nasquenautes when deployed on devservers
/usr/local/etc/notifications.conf:
file.managed:
- source: salt://roles/devserver/userland-software/files/notifications.conf
- group: wheel
- mode: 640
- template: jinja
- context:
+ host: {{ pillar["nasqueron_services"]["docker"]["notifications"] }}
password: {{ salt['credentials.get_password']("nasqueron/notifications/notifications-cli/" + grains["id"]) }}
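Review bot: The new `host:` context value is rendered as a bare scalar, so if the leaf pillar key were missing the line would render empty and Salt would pass `null` to the template instead of failing loudly — I believe Salt's Jinja renders an undefined leaf as an empty string, but confirm against the renderer in use. Quoting the expansion, `host: '{{ pillar["nasqueron_services"]["docker"]["notifications"] }}'`, keeps the value a string in all cases; the same applies to the `host:` and `addr:` lines added in roles/viperserv/eggdrop/config.sls and roles/paas-docker/containers/sentry.sls. The `/usr/local/etc/notifications.conf` state ends with the hunk, although the file's blank lines appear to have been dropped in this view.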
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
index 7bb6657..97b8192 100644
--- a/roles/paas-docker/containers/sentry.sls
+++ b/roles/paas-docker/containers/sentry.sls
@@ -1,105 +1,105 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-12-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
# -------------------------------------------------------------
# Data directory
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for realm, realm_args in pillar['sentry_realms'].items() %}
/srv/sentry/{{ realm }}:
file.directory:
- user: 999
- group: 999
- makedirs: True
/srv/sentry/{{ realm }}/data:
file.directory:
- user: 999
- group: 999
/srv/sentry/{{ realm }}/data/files:
file.directory:
- user: 999
- group: 999
/srv/sentry/{{ realm }}/etc:
file.recurse:
- source: salt://roles/paas-docker/containers/files/sentry/etc
- user: 999
- group: 999
- dir_mode: 700
- file_mode: 400
- template: jinja
- context:
realm: {{ realm }}
args: {{ realm_args }}
vault:
approle: {{ salt["credentials.read_secret"](realm_args["credentials"]["vault"]) }}
- addr: https://172.27.27.7:8200
+ addr: {{ pillar{"nasqueron_services"]["vault_url"] }}
sentry_{{ realm }}_vault_certificate:
file.managed:
- name: /srv/sentry/{{ realm }}/etc/certificates/nasqueron-vault-ca.crt
- source: salt://roles/core/certificates/files/nasqueron-vault-ca.crt
- mode: 644
- makedirs: True
/srv/sentry/{{ realm }}/bin/sentry:
file.managed:
- source: salt://roles/paas-docker/containers/files/sentry/sentry.sh.jinja
- mode: 755
- template: jinja
- context:
realm: {{ realm }}
network: {{ realm_args["network"] }}
{% if has_selinux %}
selinux_context_{{ realm }}_sentry_data:
selinux.fcontext_policy_present:
- name: /srv/sentry/{{ realm }}
- sel_type: container_file_t
selinux_context_{{ realm }}_sentry_data_applied:
selinux.fcontext_policy_applied:
- name: /srv/sentry/{{ realm }}
{% endif %}
{% endfor %}
# -------------------------------------------------------------
# Web application
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for instance, container in pillar['docker_containers']['sentry'].items() %}
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/sentry
- command: {{ container["command"] }}
- binds:
- /srv/sentry/{{ container["realm"] }}/etc:/etc/sentry
- /srv/sentry/{{ container["realm"] }}/data:/data
- /srv/geoip:/usr/local/share/geoip:ro
- environment:
- PYTHONUSERBASE: /data/custom-packages
- SENTRY_EVENT_RETENTION_DAYS: 90
{% if "app_port" in container %}
- ports:
- 9000
- port_bindings:
- {{ container['app_port'] }}:9000
{% endif %}
- networks:
- {{ container['network'] }}
{% endfor %}
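Review bot: The vault `addr:` line in the `/srv/sentry/{{ realm }}/etc` context reads `pillar{"nasqueron_services"]` — a `{` where `[` is intended — so the Jinja renderer will reject the whole sentry state and no Sentry realm can be provisioned until it is corrected to `addr: {{ pillar["nasqueron_services"]["vault_url"] }}`. Every other file in this commit uses the bracket form, so this is a one-character slip rather than a different lookup style. A render of the state against a test minion before merging would have caught it.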
diff --git a/roles/viperserv/eggdrop/config.sls b/roles/viperserv/eggdrop/config.sls
index 3d7cb69..60a7700 100644
--- a/roles/viperserv/eggdrop/config.sls
+++ b/roles/viperserv/eggdrop/config.sls
@@ -1,104 +1,104 @@
# -------------------------------------------------------------
# Salt — Deploy eggdrop park
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-11-14
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Directory for configuration
#
# Each bot gets a directory to store userlist, chanlist, motd,
# and specific configuration file.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- dir_mode: 770
{% endfor %}
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/logs/{{ botname }}:
file.directory:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/logs/{{ botname }}.log:
file.managed:
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 660
- replace: False
{% endfor %}
# -------------------------------------------------------------
# Configuration files
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/srv/viperserv/core.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-core.conf
- user: viperserv
- group: nasqueron-irc
/srv/viperserv/.credentials:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/dot.credentials
- user: viperserv
- group: nasqueron-irc
- mode: 400
- template: jinja
- context:
# Database is on cluster B
db:
- host: 172.27.27.9
+ host: {{ pillar["nasqueron_services"]["db-B"] }}
database: Nasqueron
vault:
approle: {{ salt['credentials.read_secret']('nasqueron.viperserv.vault') }}
- addr: https://172.27.27.7:8200
+ addr: {{ pillar["nasqueron_services"]["vault_url"] }}
{% for botname, bot in pillar['viperserv_bots'].items() %}
/srv/viperserv/{{ botname }}/eggdrop.conf:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/eggdrop-bot.conf
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- mode: 755
- template: jinja
- context:
botname: {{ botname }}
realname: {{ bot['realname'] | default(botname) }}
scripts: {{ bot['scripts'] }}
modules: {{ bot['modules'] | default([]) }}
runas: {{ bot['runas'] | default('viperserv') }}
nickserv: {{ bot['nickserv'] | default(False) }}
/srv/viperserv/{{ botname }}/motd:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/motd/{{ botname }}
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
/srv/viperserv/{{ botname }}/banner:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/banner
- user: {{ bot['runas'] | default('viperserv') }}
- group: nasqueron-irc
- template: jinja
- context:
bot: {{ botname }}
server: {{ grains['id'] }}
{% endfor %}
diff --git a/roles/webserver-legacy/nginx/config.sls b/roles/webserver-legacy/nginx/config.sls
index 2202dbf..9577640 100644
--- a/roles/webserver-legacy/nginx/config.sls
+++ b/roles/webserver-legacy/nginx/config.sls
@@ -1,31 +1,34 @@
# -------------------------------------------------------------
# Salt — Sites to provision on the legacy web server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/includes:
file.recurse:
- source: salt://roles/webserver-legacy/nginx/files/includes
- dir_mode: 755
- file_mode: 644
# -------------------------------------------------------------
# vhosts folder
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.recurse:
- source: salt://roles/webserver-legacy/nginx/files/vhosts
- dir_mode: 755
- file_mode: 644
+ - template: jinja
+ - context:
+ services: {{ pillar["nasqueron_services"] }}
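Review bot: Adding `template: jinja` to the `file.recurse` over the vhosts tree means every file under `files/vhosts` is now rendered as Jinja, not only the two vhosts changed in this commit, so any existing config that contains a literal Jinja delimiter would fail at render time; it is worth checking the tree and recording the constraint with a comment such as `# Every file in vhosts/ is rendered as a Jinja template; keep Jinja delimiters out of plain nginx config`. Passing the whole pillar mapping through a bare `{{ ... }}` relies on Python's dict repr being accepted as a YAML flow mapping; the repository already does this for `args: {{ realm_args }}` in sentry.sls, but `services: {{ pillar["nasqueron_services"] | json }}` would make the serialization explicit and parser-independent.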
diff --git a/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/api.conf b/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/api.conf
index 48a3b3a..e846cf1 100644
--- a/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/api.conf
+++ b/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/api.conf
@@ -1,153 +1,153 @@
# -------------------------------------------------------------
# Webserver
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Site: api.nasqueron.org
# License: Trivial work, not eligible to copyright
# Source file: roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/api.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# Back-end for API services
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
upstream docker-prod-datasources {
- server 172.27.27.5:19080;
+ server {{ services["docker"]["api"] }}:19080;
}
upstream docker-prod-registry {
- server 172.27.27.5:20080;
+ server {{ services["docker"]["api"] }}:20080;
}
upstream vault {
- server 172.27.27.7:8200;
+ server {{ services["vault"] }}:8200;
# 2 servers should be added for HA, with a quorum for a Raft consensus
}
# -------------------------------------------------------------
# api.nasqueron.org configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
server {
listen 80;
listen [::]:80;
server_name api.nasqueron.org;
return 301 https://api.nasqueron.org$request_uri;
}
server {
server_name api.nasqueron.org;
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.nasqueron.org/privkey.pem;
error_log /var/log/www/nasqueron.org/api-error.log;
access_log /var/log/www/nasqueron.org/api-access.log;
root /var/wwwroot/nasqueron.org/api;
include includes/letsencrypt;
location ~ [^/]\.json(/|$) {
include includes/cors-open;
}
location /datasources {
proxy_pass http://docker-prod-datasources;
include includes/proxy;
include includes/cors-open;
}
location = /servers-log/all.json {
include includes/cors-open-no-cache;
alias /srv/api/data/servers-log-all.json;
}
location /servers-log {
# Mount the microservice to /servers-log,
# removing the URL from the document URI.
rewrite ^/servers\-log/?(.*)$ /$1 break;
fastcgi_pass unix:/var/run/web/api.nasqueron.org/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME /srv/api/servers-log/src/public/index.php;
include fastcgi_params;
}
location ~ /docker/registry/?$ {
return 302 https://docs.nasqueron.org/docker-registry-api/;
}
location /docker/registry {
proxy_pass http://docker-prod-registry/;
include includes/proxy;
include includes/cors-open;
}
###
### Vault certificate information
###
location /infra/security/pki/root/crl {
proxy_pass https://vault/v1/pki_root/crl;
include includes/proxy;
}
location /infra/security/pki/vault/crl {
proxy_pass https://vault/v1/pki_vault/crl;
include includes/proxy;
}
location /infra/security/pki/root/ca {
proxy_pass https://vault/v1/pki_root/ca;
include includes/proxy;
}
location /infra/security/pki/vault/ca {
proxy_pass https://vault/v1/pki_vault/ca;
include includes/proxy;
}
}
server {
listen 80;
listen [::]:80;
server_name api51.nasqueron.org;
include includes/letsencrypt;
return 301 https://api51.nasqueron.org$request_uri;
}
server {
server_name api51.nasqueron.org;
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www51.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www51.nasqueron.org/privkey.pem;
error_log /var/log/www/nasqueron.org/api51-error.log;
access_log /var/log/www/nasqueron.org/api51-access.log;
root /var/51-wwwroot/api;
include includes/letsencrypt;
location ~ [^/]\.json(/|$) {
include includes/cors-open;
}
location = /servers-log/all.json {
include includes/cors-open;
alias /tmp/servers-log-all.json;
}
}
diff --git a/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/infra.conf b/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/infra.conf
index 199db9b..3d5aea9 100644
--- a/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/infra.conf
+++ b/roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/infra.conf
@@ -1,63 +1,63 @@
# -------------------------------------------------------------
# Webserver
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Site: infra.nasqueron.org
# License: Trivial work, not eligible to copyright
# Source file: roles/webserver-legacy/nginx/files/vhosts/nasqueron.org/infra.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
upstream tommy_cd {
- server 172.27.27.5:24180;
+ server {{ services["docker"]["cd"] }}:24180;
}
server {
listen 80;
listen [::]:80;
server_name infra.nasqueron.org;
include includes/letsencrypt;
return 301 https://infra.nasqueron.org$request_uri;
}
server {
server_name infra.nasqueron.org;
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/infra.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/infra.nasqueron.org/privkey.pem;
error_log /var/log/www/nasqueron.org/infra-error.log;
access_log /var/log/www/nasqueron.org/infra-access.log;
root /var/wwwroot/nasqueron.org/infra;
include includes/letsencrypt;
location = / {
return 302 https://infra.nasqueron.org/servers-log/;
}
location = /cd {
return 302 https://infra.nasqueron.org/cd/dashboard/;
}
location = /cd/ {
return 302 https://infra.nasqueron.org/cd/dashboard/;
}
location /cd/dashboard {
rewrite ^/cd/dashboard/?(.*)$ /$1 break;
proxy_pass http://tommy_cd;
include includes/proxy;
}
}
