diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls index 5a8a613..4d18c0c 100644 --- a/pillar/credentials/vault.sls +++ b/pillar/credentials/vault.sls 
@@ -1,263 +1,265 @@ # ------------------------------------------------------------- # Salt configuration for Nasqueron servers # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- # ------------------------------------------------------------- # Vault configuration # # :: vault_policies_path: path on vault server where to store policies # # :: vault_policies_source: path to fetch policies from # if starting by salt://, from salt files server # # :: vault_mount_paths: translates secrets paths in policies paths # # Generally, Vault paths are the same for policies and data access. # # For kv secrets engine, version 2, writing and reading versions # of a kv value are prefixed with the data/ path. # # credentials.build_policies_by_node will use this dictionary # to be able to rewrite secrets paths in data paths. # # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - vault_policies_path: /srv/policies/vault vault_policies_source: /srv/policies/vault vault_mount_paths: ops/secrets: ops/data/secrets ops/privacy: ops/data/privacy apps: apps/data # ------------------------------------------------------------- # Vault policies to deploy as-is, ie without templating. # # Entries of vault_policies must match a .hcl file in # roles/vault/policies/files folder. # # If you need a template, create a new pillar entry instead # and add the parsing logic either: # - directly to roles/vault/policies/ # # - through _modules/credentials.py for policies to apply # to Salt nodes, like e.g. vault_secrets_by_role # # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - vault_policies: - admin - salt-primary - sentry - vault_bootstrap - viperserv # ------------------------------------------------------------- # Vault policies for Salt # # Declare the extra policies each nodes need. 
# # In adition of those extra policies, the vault_secrets_by_role # will be parsed for the keys. # # IMPORTANT: as grains['roles'] can be modified by the node, # roles are extracted directly from the pillar. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - vault_extra_policies_by_role: salt-primary: - salt-primary # ------------------------------------------------------------- # Vault secrets by role # # Paths of the keys the specified role needs access to. # # Avoid * notation as this namespace is shared between Vault # and the applications. As such, only secrets the Salt nodes # needs in a state they need to deploy should be listed here. # # Use %%node%% as variable for node name. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - vault_secrets_by_role: devserver: - ops/secrets/nasqueron/notifications/notifications-cli/%%node%% - ops/secrets/nasqueron/deploy/deploy_keys/alken-orin - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www opensearch: - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards paas-docker-prod: # # Personal data or personally identifiable information (PII) # related to Nasqueron Operations SIG members. 
# - ops/privacy/ops-cidr # # Credentials used by Nasqueron services # Format: ops/secrets/nasqueron/service/<...> # - ops/secrets/nasqueron/airflow/admin_account - ops/secrets/nasqueron/airflow/fernet - ops/secrets/nasqueron/airflow/sentry - ops/secrets/dbserver/cluster-A/users/airflow - ops/secrets/nasqueron/etherpad/mysql - ops/secrets/nasqueron/etherpad/users/dereckson - ops/secrets/nasqueron/penpot/github - ops/secrets/nasqueron/penpot/postgresql - ops/secrets/nasqueron/penpot/secret_key - ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie - ops/secrets/nasqueron/rabbitmq/white-rabbit/root - ops/secrets/nasqueron/sentry/geoipupdate # # Credentials used by Nasqueron services # Format: ops/secrets/nasqueron.. # - ops/secrets/nasqueron.acquisitariat.mysql - ops/secrets/nasqueron.auth-grove.mysql - ops/secrets/nasqueron.cachet.app_key - ops/secrets/nasqueron.cachet.mysql - ops/secrets/nasqueron.etherpad.api - ops/secrets/nasqueron.notifications.broker - ops/secrets/nasqueron.notifications.mailgun - ops/secrets/nasqueron.notifications.sentry - ops/secrets/nasqueron.notifications.credentials_github_nasqueron - ops/secrets/nasqueron.notifications.credentials_github_wolfplex - ops/secrets/nasqueron.notifications.credentials_github_keruald - ops/secrets/nasqueron.notifications.credentials_github_trustspace - ops/secrets/nasqueron.notifications.credentials_github_eglide - ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron - apps/notifications-center/dockerhub/notifications - apps/notifications-center/dockerhub/auth-grove - ops/secrets/nasqueron.pixelfed.app_key - ops/secrets/nasqueron.pixelfed.mailgun - ops/secrets/nasqueron.pixelfed.mysql - ops/secrets/nasqueron.sentry.app_key - ops/secrets/nasqueron.sentry.postgresql - ops/secrets/nasqueron.sentry.vault # # Credentials used by Nasqueron members private services # Format: .. # - ops/secrets/dereckson.phabricator.mysql # # Credentials used by projects hosted by Nasqueron # Format: .. 
# - ops/secrets/espacewin.phpbb.mysql_root - ops/secrets/wolfplex.phabricator.mailgun - ops/secrets/wolfplex.phabricator.mysql - ops/secrets/zed.phabricator.mysql - ops/secrets/zed.phabricator.sendgrid paas-docker-dev: # # Credentials used by Nasqueron services # Format: ops/secrets/nasqueron/service/<...> # - ops/secrets/nasqueron/airflow/admin_account - ops/secrets/nasqueron/airflow/fernet - ops/secrets/nasqueron/airflow/sentry - ops/secrets/dbserver/cluster-A/users/airflow - ops/secrets/nasqueron/orbeon/oxf.crypto.password - ops/secrets/nasqueron/orbeon/users/dereckson - ops/secrets/dbserver/cluster-A/users/orbeon - ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie - ops/secrets/nasqueron/rabbitmq/orange-rabbit/root - ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications - ops/secrets/nasqueron.notifications.sentry # # Credentials used by projects hosted by Nasqueron # Format: .. # - ops/secrets/espacewin.bugzilla.mysql - ops/secrets/espacewin.bugzilla.mysql_root saas-mediawiki: - ops/secrets/dbserver/cluster-B/users/saas-mediawiki - ops/secrets/nasqueron/mediawiki/secret_key saas-wordpress: - ops/secrets/dbserver/cluster-B/users/dereckson_blog - ops/secrets/dereckson/wordpress/secrets viperserv: - ops/secrets/nasqueron.viperserv.vault webserver-alkane: - ops/secrets/dbserver/cluster-B/users/dereckson_www - ops/secrets/dbserver/cluster-B/users/zed + - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users + - ops/secrets/zed/hypership/secret_key # # Wolfplex credentials # - ops/secrets/nasqueron.etherpad.api webserver-legacy: # # Wolfplex credentials # - ops/secrets/nasqueron.etherpad.api # ------------------------------------------------------------- # Vault secrets by dbserver cluster # # Paths of the keys the specified role needs access to. 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - vault_secrets_by_dbserver_cluster: # Main PostgreSQL cluster A: - ops/secrets/dbserver/cluster-A/users/* # Main MariaDB cluster - Alkane PaaS, ViperServ B: - ops/secrets/dbserver/cluster-B/users/* diff --git a/pillar/paas/alkane/web-001/main.sls b/pillar/paas/alkane/web-001/main.sls index 9b3799b..9542c9f 100644 --- a/pillar/paas/alkane/web-001/main.sls +++ b/pillar/paas/alkane/web-001/main.sls 
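Review bot: The two new entries (`.../deploy_keys/by_repo/github/hypership/content_users` and `zed/hypership/secret_key`) are granted only to the `webserver-alkane` role, yet `pillar/webserver/sites.sls` in this same diff keeps `.space/hypership` in the `webserver-legacy` content list too, so the legacy node will run the hypership state without access to the deploy key it reads from pillar. Either add the same two paths under `webserver-legacy` while the migration is in progress, or remove `.space/hypership` from the legacy list so the grant and the consuming state agree. Note also that a deploy key to a private repository is now readable by every node carrying the role, which matches the file's own guidance only if every alkane node deploys this site.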
@@ -1,181 +1,167 @@ # ------------------------------------------------------------- # Salt — PaaS Alkane :: PHP and static sites [production] # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- web_aliases: services: - &db-B 172.27.27.9 # ------------------------------------------------------------- # Domains we deploy # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - web_domains: # # Directly managed by Nasqueron # nasqueron: - nasqueron.org - ook.space # # Nasqueron members # nasqueron_members: - dereckson.be - - hypership.space # # Projects ICT is managed by Nasqueron # espacewin: - espace-win.org wolfplex: - wolfplex.org # ------------------------------------------------------------- # Static sites # # Sites to deploy from the staging repository # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - web_static_sites: dereckson.be: - assets nasqueron.org: - www - assets - docker - ftp - launch - packages - trustspace wolfplex.org: - www - assets # ------------------------------------------------------------- # PHP sites # # Username must be unique and use max 31 characters. 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - php_fpm_instances: # PHP current version, generally installed as package/port prod: command: /usr/local/sbin/php-fpm web_php_sites: # Nasqueron members www.dereckson.be: domain: dereckson.be subdomain: www user: web-be-dereckson-www source: wwwroot/dereckson.be/www target: /var/wwwroot/dereckson.be/www php-fpm: prod capabilities: - wordpress # Directly managed by Nasqueron api.nasqueron.org: domain: nasqueron.org subdomain: api user: web-org-nasqueron-api-serverslog php-fpm: prod env: SERVERS_LOG_FILE: /srv/api/data/servers-log-all.json wikis.nasqueron.org: domain: nasqueron.org subdomain: wikis user: mediawiki php-fpm: prod skipCreateUser: True env: MEDIAWIKI_ENTRY_POINT: /srv/mediawiki/index.php DB_HOST: *db-B DB_USER: saas-mediawiki # Espace Win www.espace-win.org: domain: espace-win.org subdomain: www user: web-org-espacewin-www source: wwwroot/espace-win.org/www target: /var/wwwroot/espace-win.org/www php-fpm: prod # Wolfplex Hackerspace www.wolfplex.org: domain: wolfplex.org subdomain: www user: web-org-wolfplex-www php-fpm: prod env: DATASTORE: /var/dataroot/wolfplex CREDENTIAL_PATH_DATASOURCES_SECURITYDATA: /var/dataroot/wolfplex/secrets.json - # Zed - HyperShip - hypership.space: - domain: hypership.space - subdomain: www - user: web-space-hypership-www - php-fpm: prod - env: - CACHE_DIR: /var/cache/zed/hypership.space - CONTENT_DIR: /srv/zed/content - # ------------------------------------------------------------- # nginx configuration # # Configuration files to provision to vhosts/ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - nginx_vhosts: dereckson.be: - assets - hg - mediawiki - scherzo - www espace-win.org: - cosmo - www - hypership.space: - - www - nasqueron.org: - api - assets - autoconfig - daeghrefn - docker - docs - ftp - infra - join - labs - launch - packages - rain - trustspace - www test.ook.space: - migration.mediawiki wolfplex.org: - api - assets - www 
diff --git a/pillar/paas/alkane/web-001/zed.sls b/pillar/paas/alkane/web-001/zed.sls new file mode 100644 index 0000000..c0a9d4d --- /dev/null +++ b/pillar/paas/alkane/web-001/zed.sls @@ -0,0 +1,51 @@ +# ------------------------------------------------------------- +# Salt — PaaS Alkane :: PHP and static sites [production] +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# nginx, php-fpm +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +web_domains: + zed: + - hypership.space + +nginx_vhosts: + hypership.space: + - www + +web_php_sites: + hypership.space: + domain: hypership.space + subdomain: www + user: web-space-hypership-www + php-fpm: prod + env: + CACHE_DIR: /var/dataroot/zed/cache + CONTENT_DIR: /var/dataroot/zed/content + +# ------------------------------------------------------------- +# Credentials +# +# :: deployment +# :: .env +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +wwwroot_identities: + deploy-key-github-hypership-content_users: + secret: nasqueron/deploy/deploy_keys/by_repo/github/hypership/content_users + path: /opt/salt/security/id_zed_github_hypership_content_users + +webserver_content_dotenv: + /var/wwwroot/hypership.space/www/.env: + user: web-space-hypership-www + db: + service: db-B + credentials: dbserver/cluster-B/users/zed + extra_values: + DB_NAME: zed_prod + extra_credentials: + ZED_SECRET_KEY: zed/hypership/secret_key diff --git a/pillar/webserver/credentials.sls b/pillar/webserver/credentials.sls index f77e8c2..4e62843 100644 --- a/pillar/webserver/credentials.sls +++ b/pillar/webserver/credentials.sls 
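Review bot: `webserver_content_dotenv` writes the database credentials and `ZED_SECRET_KEY` to `/var/wwwroot/hypership.space/www/.env`, which is inside the document root that the hypership vhost serves with `if (-f $request_filename)`, so the only thing keeping the file from being served is the ownership/mode applied through `user:`. Consider documenting that dependency here, e.g. `# .env lives in the docroot: rely on user: ownership AND the vhost's dotfile deny`, or point the application at a file under `/var/dataroot/zed` next to `CACHE_DIR`/`CONTENT_DIR` if it supports that. Separately, `web_domains`, `nginx_vhosts` and `web_php_sites` are now defined in both `main.sls` and this file; that presumably relies on the default recursive pillar merge, which is worth a one-line comment so nobody switches the merge strategy and silently drops the hypership site.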
@@ -1,64 +1,54 @@ # ------------------------------------------------------------- # Salt — Sites to provision on the legacy web server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- # ------------------------------------------------------------- # Content of the .env files # # Those files allow site using DotEnv to read secrets. # # To ensure secrets can only be read by application user, use: # # ``` # user: # ``` # If your configuration can be read and stored in memory, # it's probably best to directly call Vault from the app # and only provision Vault AppRole credentials: # # ``` # vault: # ``` # # For PHP sites where the configuration file is read every # request, it's probably best to cache secrets in file # through this mechanism. # # If you need a database, you can use: # # ``` # db: # service: entry in nasqueron_services table # credentials: path to Vault secret # # To provision a secret key or other credentials, use: # # extra_credentials: # key: path to vault secret # # If you need to pass extra plain values use: # # extra_values: # key: value # ``` # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - webserver_content_dotenv: /var/wwwroot/dereckson.be/www/.env: user: web-be-dereckson-www db: service: db-B credentials: dbserver/cluster-B/users/dereckson_www - - /var/wwwroot/hypership.space/www/.env: - user: web-space-hypership-www - db: - service: db-B - credentials: dbserver/cluster-B/users/zed - extra_values: - DB_NAME: zed_prod - extra_credentials: - ZED_SECRET_KEY: zed/hypership/secret_key diff --git a/pillar/webserver/sites.sls b/pillar/webserver/sites.sls index e37bd73..4c70f0f 100644 --- a/pillar/webserver/sites.sls +++ b/pillar/webserver/sites.sls 
@@ -1,67 +1,69 @@ # ------------------------------------------------------------- # Salt — Sites to provision on the legacy web server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- # ------------------------------------------------------------- # States # # Sites with states documenting how to build them # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - web_content_sls: # # Eglide # shellserver: # Directly managed by Eglide project - .org/eglide # # Nasqueron servers # mastodon: - .org/nasqueron/social - webserver-legacy: + webserver-legacy: &legacy_to_migrate_to_alkane # Nasqueron members - .be/dereckson # Projects hosted - .space/hypership # Directly managed by Nasqueron - .org/nasqueron/api - .org/nasqueron/autoconfig - .org/nasqueron/daeghrefn - .org/nasqueron/docs - .org/nasqueron/infra - .org/nasqueron/labs - .org/nasqueron/rain # Wolfplex Hackerspace - .org/wolfplex/api - .org/wolfplex/www + webserver-alkane: *legacy_to_migrate_to_alkane + # ------------------------------------------------------------- # Sites deployed through Jenkins CD # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - web_content_jenkins_cd: webserver-legacy: - api - assets - autoconfig - docker - docs - launch - www # ------------------------------------------------------------- # Tweaks # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - web_autochmod: - /var/wwwroot/dereckson.be/www diff --git a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf index bc16b7b..63c55e8 100644 --- a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf +++ b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf 
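Review bot: Aliasing the legacy list onto `webserver-alkane` keeps `.space/hypership` on both roles, but the hypership state in this diff does `pillar["wwwroot_identities"]["deploy-key-github-hypership-content_users"]["path"]`, and that key is only defined in `pillar/paas/alkane/web-001/zed.sls`, so on the legacy node the state will fail to render unless the same pillar key exists there. Since the hypership `.env` entry was just removed from `pillar/webserver/credentials.sls`, the legacy side appears to be abandoned already; drop `- .space/hypership` from the shared list or give it its own alkane-only list. A comment on the anchor, e.g. `# transitional: duplicated until the legacy server is retired`, would make the intent explicit.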
@@ -1,114 +1,118 @@ # ------------------------------------------------------------- # Webserver # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Site: hypership.space # License: Trivial work, not eligible to copyright # Source file: roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf # ------------------------------------------------------------- # # # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # # ------------------------------------------------------------- # Main application # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - server { server_name hypership.space; include includes/tls; ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem; ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem; error_log /var/log/www/hypership.space/www-error.log; access_log /var/log/www/hypership.space/www-access.log; location /content { return 403; } location /content/users { - alias /srv/zed/content/users; + alias /var/dataroot/zed/content/users; } location /content/scenes { - alias /srv/zed/content/scenes; + alias /var/dataroot/zed/content/scenes; location ~ \.tpl$ { # This folder contains templates intended to be rendered, # and not directly served. 
return 403; } } + location = /tour { + return 302 /tour.html; + } + location /buildergate { return 503; # Serve through Apache #rewrite /buildergate/(.*) /$1 break; #proxy_pass http://localhost:3200; #proxy_redirect off; #proxy_set_header Host builder.zed.dereckson.be; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location / { # Serves static files if they exists, with one month cache if (-f $request_filename) { expires 30d; break; } # Sends all non existing file or directory requests to index.php if (!-e request_filename) { rewrite ^/api\.php /api.php last; rewrite ^/do\.php /do.php last; rewrite ^(.+)$ /index.php last; } } location ~ \.php$ { fastcgi_pass unix:/var/run/web/hypership.space/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include includes/fastcgi; } } # ------------------------------------------------------------- # Redirects from port 80 and alternative domains # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - server { listen 80; listen [::]:80; server_name hypership.space; include includes/letsencrypt; location / { return 301 https://hypership.space$request_uri; } } server { listen 80; listen [::]:80; server_name www.hypership.space zed.dereckson.be; include includes/tls; ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem; ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem; include includes/letsencrypt; location / { return 301 https://hypership.space$request_uri; } } diff --git a/roles/webserver-content/space/hypership/www.sls b/roles/webserver-content/space/hypership/www.sls index ba9f2e6..d67115d 100644 --- a/roles/webserver-content/space/hypership/www.sls +++ b/roles/webserver-content/space/hypership/www.sls 
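Review bot: The `location /content/users` and `location /content/scenes` aliases now point at directories that the content state clones with git, so `/content/users/.git/HEAD` and everything under `.git/objects` are fetchable and the private content_users repository can be reconstructed, provided the nginx worker can read the files (the default clone modes allow it); the `.env` written into the document root is similarly reachable through `location /`. Add a server-level regex location, which takes precedence over these prefix locations, such as `location ~ /\.(git|env|ht) { return 404; }`, or nest the deny inside each alias block the way the `.tpl` rule already does. Unrelated to this change but in the same block: `if (!-e request_filename)` is missing the `$`, so it tests a literal path that never exists and is always true — `$request_filename` was presumably intended.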
@@ -1,22 +1,68 @@ # ------------------------------------------------------------- # Salt — Hypership # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Zed # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- {% if salt['node.has_web_content'](".space/hypership") %} -/srv/zed: - file.directory +/var/dataroot/zed: + file.directory: + - user: deploy # ------------------------------------------------------------- # Content # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +{% if not salt["file.directory_exists"]("/var/dataroot/zed/content/.git") %} zed_content: + file.directory: + - name: /var/dataroot/zed/content + - user: deploy + - mode: 755 + git.latest: - name: https://github.com/hypership/content.git - - target: /srv/zed/content + - target: /var/dataroot/zed/content + - user: deploy +{% endif %} + +{% if not salt["file.directory_exists"]("/var/dataroot/zed/content/users") %} +zed_content_private: + file.directory: + - name: /var/dataroot/zed/content/users + - user: deploy + - mode: 711 + + git.latest: + - name: git@github.com:hypership/content_users.git + - target: /var/dataroot/zed/content/users + - user: deploy + - identity: {{ pillar["wwwroot_identities"]["deploy-key-github-hypership-content_users"]["path"] }} + - update_head: False +{% endif %} + +zed_content_rights: + file.directory: + - name: /var/dataroot/zed/content + - user: web-space-hypership-www + - recurse: + - user + - group + +# ------------------------------------------------------------- +# Cache +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/var/dataroot/zed/cache: + file.directory: + - user: web-space-hypership-www + +{% for subdir in ['compiled', 'openid', 'sessions'] %} +/var/dataroot/zed/cache/{{ subdir }}: + file.directory: + - user: web-space-hypership-www +{% endfor %} {% endif %}
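Review bot: `zed_content_rights` recursively hands the whole `/var/dataroot/zed/content` tree, including both `.git` directories and the `.tpl` templates under `scenes` that the vhost says are rendered, to the php-fpm user `web-space-hypership-www`, so a compromised application can rewrite its own templates and the private users content. If the application only reads `CONTENT_DIR` (writes appear to go to the separate `CACHE_DIR`), keep `deploy` as owner and grant access through the group instead: `- user: deploy` and `- group: web-space-hypership-www` with the same `recurse` list. Note also that the two `directory_exists` guards mean each `git.latest` runs only on first deploy, so later upstream content changes are never pulled by Salt; if that is intended, say so in a comment, e.g. `# one-shot clone: content updates are pulled out of band`.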