Page MenuHomeDevCentral
Files F25450528

No OneTemporary
Actions

View Options

diff --git a/pillar/paas/docker.sls b/pillar/paas/docker.sls
index 09a1067..9a739a7 100644
--- a/pillar/paas/docker.sls
+++ b/pillar/paas/docker.sls
@@ -1,405 +1,406 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
docker_aliases:
- &ipv4_equatower 51.255.124.10
- &intra_equatower 10.0.1.1
# -------------------------------------------------------------
# Images
#
# You can append a :tag (by default, latest is used).
#
# It's not possible to specify Docker library images only by final name.
# See https://docs.saltstack.com/en/latest/ref/states/all/salt.states.docker_image.html
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_images:
'*':
- certbot/certbot
dwellers:
# Core services
- nasqueron/mysql:5.7
- nasqueron/rabbitmq
# Infrastructure and development services
- dereckson/cachet
- nasqueron/notifications
equatower:
# Core services
- library/postgres
- library/redis:3.2-alpine
- library/registry
- nasqueron/mysql
# Nasqueron services
- nasqueron/auth-grove
# Nasqueron API microservices
- nasqueron/docker-registry-api
# Infrastructure and development services
- nasqueron/aphlict
- nasqueron/etherpad:production
- nasqueron/phabricator
# Continuous deployment jobs
- jenkins/jenkins
- nasqueron/jenkins-slave-node
- nasqueron/jenkins-slave-php
- nasqueron/jenkins-slave-rust
- nasqueron/tommy
# Sentry
- - localhost:5000/sentry
+ - library/sentry
- tianon/exim4
# -------------------------------------------------------------
# Networks
#
# Containers can be grouped by network, instead to use links.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_networks:
dwellers:
bugzilla:
subnet: 172.21.3.0/24
equatower:
cd:
subnet: 172.18.1.0/24
ci:
subnet: 172.18.2.0/24
# -------------------------------------------------------------
# Docker engine configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_daemon:
equatower:
storage-driver: devicemapper
storage-opts:
- "dm.thinpooldev=/dev/mapper/wharf-thinpool"
- "dm.use_deferred_removal=true"
- "dm.use_deferred_deletion=true"
docker_devicemapper:
equatower:
thinpool: wharf-thinpool
# -------------------------------------------------------------
# Containers
#
# The docker_containers entry allow to declare
# containers by image by servers
#
# The hierarchy is so as following.
#
# docker_containers:
# server with the Docker engine:
# service codename:
# instance name:
# container properties
#
# The service codename must match a state file in
# the roles/paas-docker/containers/ directory.
#
# The container will be run with the specified instance name.
#
# **nginx**
#
# The container properties can also describe the information
# needed to configure nginx with the host and app_port key.
#
# In such case, a matching vhost file should be declared as
# roles/paas-docker/nginx/files/vhosts/<service codename>.sls
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
docker_containers:
#
# Dwellers is the engine for Mastodon and CI intelligent bus services
#
dwellers:
#
# Core services
#
mysql:
bugzilla_db:
network: bugzilla
version: 5.7
#
# Bugzilla
#
bugzilla:
ew_bugzilla:
host: bugzilla.espace-win.org
app_port: 33080
network: bugzilla
mysql:
host: bugzilla_db
db: EspaceWin_Bugs
credential: espacewin.bugzilla.mysql
#
# Equatower is the current production engine
#
equatower:
#
# Core services
#
mysql:
acquisitariat: {}
phpbb_db: {}
postgresql:
sentry_db:
credential: nasqueron.sentry.postgresql
redis:
sentry_redis: {}
registry:
registry:
app_port: 5000
ip: *intra_equatower
#
# CI and CD
#
jenkins:
jenkins_cd:
realm: cd
host: cd.nasqueron.org
app_port: 38080
jnlp_port: 50000
jenkins_ci:
realm: ci
host: ci.nasqueron.org
app_port: 42080
jnlp_port: 55000
jenkins_slave:
# Slaves for CD
apsile: &php_for_cd
image: php
realm: cd
elapsi: *php_for_cd
rust_brown:
image: rust
realm: cd
yarabokin:
image: node
realm: cd
zateki: &php_for_ci
image: php
realm: ci
zenerre: *php_for_ci
tommy:
tommy_ci:
app_port: 24080
host: builds.nasqueron.org
aliases:
- build.nasqueron.org
jenkins_url: https://ci.nasqueron.org
tommy_cd:
# No host definition, as this dashboard is mounted on infra.nasqueron.org
app_port: 24180
jenkins_url: https://cd.nasqueron.org
# Infrastructure and development services
phabricator:
# Nasqueron instance
devcentral:
app_port: 31080
host: devcentral.nasqueron.org
aliases:
- phabricator.nasqueron.org
blogs:
servers:
host: servers.nasqueron.org
aliases:
- server.nasqueron.org
- serveur.nasqueron.org
- serveurs.nasqueron.org
mailer: mailgun
credentials:
mysql: zed.phabricator.mysql
static_host: phabricator-files-for-devcentral-nasqueron.spacetechnology.net
title: Nasqueron DevCentral
mysql_link: acquisitariat
skip_container: True
# Private instance for Dereckson
river_sector:
app_port: 23080
host: river-sector.dereckson.be
static_host: phabricator-files-for-river-sector.nasqueron.org
mailer: _
credentials:
mysql: dereckson.phabricator.mysql
storage:
namespace: river_sector
title: River Sector
mysql_link: acquisitariat
# Wolfplex instance
wolfplex_phab:
app_port: 35080
host: phabricator.wolfplex.be
aliases:
- phabricator.wolfplex.org
static_host: phabricator-files-for-wolfplex.nasqueron.org
mailer: mailgun
credentials:
mailgun: wolfplex.phabricator.mailgun
mysql: wolfplex.phabricator.mysql
storage:
namespace: wolfphab
title: Wolfplex Phabricator
mysql_link: acquisitariat
# Zed instance
zed_code:
app_port: 36080
host: code.zed.dereckson.be
static_host: phabricator-files-for-zed.nasqueron.org
mailer: sendgrid
credentials:
mysql: zed.phabricator.mysql
sendgrid: zed.phabricator.sendgrid
storage:
namespace: zedphab
title: Zed
mysql_link: acquisitariat
aphlict:
aphlict:
ports:
client: 22280
admin: 22281
cachet:
cachet:
app_port: 39080
host: status.nasqueron.org
credential: nasqueron.cachet.mysql
app_key: nasqueron.cachet.app_key
mysql_link: acquisitariat
etherpad:
pad:
app_port: 34080
host: pad.nasqueron.org
aliases:
- pad.wolfplex.org
- pad.wolfplex.be
credential: nasqueron.etherpad.api
mysql_link: acquisitariat
auth-grove:
login:
app_port: 25080
host: login.nasqueron.org
credential: nasqueron.auth-grove.mysql
mysql_link: acquisitariat
# API microservices
docker-registry-api:
api-docker-registry:
app_port: 20080
api_entry_point: /docker/registry
registry_instance: registry
# phpBB SaaS
# The SaaS uses a MySQL instance, declared in the MySQL section.
# Openfire
openfire:
openfire:
ip: *ipv4_equatower
app_port: 9090
host: xmpp.nasqueron.org
# Sentry
# The Sentry instance uses a Redis and a PostgreSQL instance,
# declared above.
exim:
sentry_smtp:
host: mx.sentry.nasqueron.org
sentry_worker:
- sentry_worker_1: &sentry_links
- postgresql_link: sentry_db
- redis_link: sentry_redis
- smtp_link: sentry_smtp
+ sentry_worker_1:
+ # As an instance is devided between a web, a cron and a worker
+ # containers, we need an identified to share a data volume.
+ realm: nasqueron
sentry_cron:
- sentry_cron: *sentry_links
+ sentry_cron:
+ realm: nasqueron
sentry_web:
sentry_web_1:
- <<: *sentry_links
+ realm: nasqueron
app_port: 26080
host: sentry.nasqueron.org
# -------------------------------------------------------------
# Ports listened by XMPP
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
xmpp_ports:
- 3478
- 5222 # Client to server
- 5223 # Client to server (Encrypted (legacy-mode) connections)
- 5262 # Connections managers
- 5269 # Server to server
- 5275 # External components
- 5276 # External components (Encrypted (legacy-mode) connections)
- 7070 # HTTP binding
- 7443 # HTTP binding with TLS
- 7777 # File transfer proxy
- 9090 # Web administration server
- 9091 # Web administration server with TLS
# -------------------------------------------------------------
# Zemke-Rhyne clients
#
# This section should list all the Docker engines server
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
zr_clients:
- key: 2
allowedConnectionFrom:
- 172.27.26.49
- dwellers.nasqueron.drake
- dwellers.nasqueron.org
restrictCommand:
comment: Zemke-Rhyne
- key: 123
allowedConnectionFrom:
- equatower.nasqueron.org
restrictCommand:
comment: Zemke-Rhyne
diff --git a/pillar/saas/sentry.sls b/pillar/saas/sentry.sls
new file mode 100644
index 0000000..c490130
--- /dev/null
+++ b/pillar/saas/sentry.sls
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------
+# Salt — Sentry instances
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-11-10
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Sentry realms
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+sentry_realms:
+ nasqueron:
+ links:
+ postgresql: sentry_db
+ redis: sentry_redis
+ smtp: sentry_smtp
+ credential: nasqueron.sentry.app_key
+ email_from: no-reply@sentry.nasqueron.org
diff --git a/pillar/top.sls b/pillar/top.sls
index a60899d..eebbc2a 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,39 +1,40 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.users
- core.groups
- certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
- webserver.sites
dwellers:
- credentials.zr
- paas.docker
eglide:
- shellserver.quassel
equatower:
- credentials.zr
- paas.docker
- saas.jenkins
- saas.phpbb
+ - saas.sentry
ysul:
- devserver.repos
- paas.docker
- saas.mediawiki
- viperserv.bots
- viperserv.fantoir
- webserver.labs
- webserver.wwwroot51
diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
new file mode 100644
index 0000000..f6c24f0
--- /dev/null
+++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# PaaS Docker
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-11-10
+# License: Trivial work, not eligible to copyright
+# Description: Wrapper for sentry command (local instance)
+# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+
+docker run -it --rm \
+ -e SENTRY_SECRET_KEY=$SECRET_KEY \
+ --link {{ links.postgresql }}:postgres \
+ --link {{ links.redis }}:redis \
+ sentry "$@"
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
new file mode 100644
index 0000000..431d091
--- /dev/null
+++ b/roles/paas-docker/containers/sentry.sls
@@ -0,0 +1,76 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2016-12-15
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+{% set containers = pillar['docker_containers'][grains['id']] %}
+
+# -------------------------------------------------------------
+# Data directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for realm, args in pillar['sentry_realms'].items() %}
+
+/srv/sentry/{{ realm }}:
+ file.directory:
+ - user: 999
+ - group: 999
+ - makedirs: True
+
+/srv/sentry/{{ realm }}/bin/sentry:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+ - template: jinja
+ - mode: 755
+ - makedirs: True
+ - context:
+ links: {{ args['links'] }}
+ credential_id: {{ salt['zr.get_credential_id'](args['credential']) }}
+
+{% if has_selinux %}
+selinux_context_{{ realm }}_sentry_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/sentry/{{ realm }}
+ - sel_type: container_file_t
+
+selinux_context_{{ realm }}_sentry_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/sentry/{{ realm }}
+{% endif %}
+
+{% endfor %}
+
+# -------------------------------------------------------------
+# Web application
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for instance, container in containers['sentry_web'].items() %}
+
+{% set args = pillar['sentry_realms'][container['realm']] %}
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: library/sentry
+ - binds: &binds /srv/sentry/{{ container['realm'] }}:/var/lib/sentry/files
+ - links: &links
+ - {{ args['links']['postgresql'] }}:postgres
+ - {{ args['links']['redis'] }}:redis
+ - {{ args['links']['smtp'] }}:smtp
+ - environment: &env
+ - SENTRY_SECRET_KEY: {{ salt['zr.get_token'](args['credential']) }}
+ - SENTRY_FILESTORE_DIR:
+ - SENTRY_USE_SSL: 1
+ - SENTRY_SERVER_EMAIL: {{ args['email_from'] }}
+ - SENTRY_FILESTORE_DIR: /var/lib/sentry/files
+ - ports:
+ - 80
+ - port_bindings:
+ - {{ container['app_port'] }}:9000
+
+{% endfor %}
diff --git a/roles/paas-docker/wrappers/files/sentry.sh b/roles/paas-docker/wrappers/files/sentry.sh
new file mode 100644
index 0000000..7685fc8
--- /dev/null
+++ b/roles/paas-docker/wrappers/files/sentry.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# PaaS Docker
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-11-11
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/wrappers/files/sentry.sh
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+if [ "$#" -lt 2 ]; then
+ echo "Usage: $0 <realm> <command> [arguments]" 1>&2;
+ exit 1
+fi
+
+REALM=$1
+shift
+
+if [ ! -d "/srv/sentry/$REALM" ]; then
+ echo "Realm doesn't exist: $REALM" 1>&2;
+ exit 2
+fi
+
+DOCKER_RUN_SCRIPT=/srv/sentry/$REALM/bin/sentry
+
+if [ ! -f "$DOCKER_RUN_SCRIPT" ]; then
+ echo "File doesn't exist: $DOCKER_RUN_SCRIPT" 1>&2;
+ echo "You can generate it running 'deploy-container sentry' command on the Salt master. 1>&2;"
+ exit 4
+fi
+
+$DOCKER_RUN_SCRIPT "$@"
diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls
index ddb3d9a..1f64ede 100644
--- a/roles/paas-docker/wrappers/init.sls
+++ b/roles/paas-docker/wrappers/init.sls
@@ -1,27 +1,27 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-15
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Wrapper binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-{% for command in ['certbot', 'phpbb', 'mysql'] %}
+{% for command in ['certbot', 'phpbb', 'mysql', 'sentry'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh
- mode: 755
{% endfor %}
{% for command in ['pad-delete'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.py
- mode: 755
{% endfor %}

File Metadata

Mime Type
text/x-diff
Expires
Thu, Apr 16, 04:32 (4 h, 12 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3615885
Default Alt Text
(18 KB)

Event Timeline

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator