diff --git a/pillar/paas/docker.sls b/pillar/paas/docker.sls index 09a1067..9a739a7 100644 --- a/pillar/paas/docker.sls +++ b/pillar/paas/docker.sls 
@@ -1,405 +1,406 @@ # ------------------------------------------------------------- # Salt — Provision Docker engine # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2018-03-10 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- docker_aliases: - &ipv4_equatower 51.255.124.10 - &intra_equatower 10.0.1.1 # ------------------------------------------------------------- # Images # # You can append a :tag (by default, latest is used). # # It's not possible to specify Docker library images only by final name. # See https://docs.saltstack.com/en/latest/ref/states/all/salt.states.docker_image.html # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker_images: '*': - certbot/certbot dwellers: # Core services - nasqueron/mysql:5.7 - nasqueron/rabbitmq # Infrastructure and development services - dereckson/cachet - nasqueron/notifications equatower: # Core services - library/postgres - library/redis:3.2-alpine - library/registry - nasqueron/mysql # Nasqueron services - nasqueron/auth-grove # Nasqueron API microservices - nasqueron/docker-registry-api # Infrastructure and development services - nasqueron/aphlict - nasqueron/etherpad:production - nasqueron/phabricator # Continuous deployment jobs - jenkins/jenkins - nasqueron/jenkins-slave-node - nasqueron/jenkins-slave-php - nasqueron/jenkins-slave-rust - nasqueron/tommy # Sentry - - localhost:5000/sentry + - library/sentry - tianon/exim4 # ------------------------------------------------------------- # Networks # # Containers can be grouped by network, instead to use links. 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker_networks: dwellers: bugzilla: subnet: 172.21.3.0/24 equatower: cd: subnet: 172.18.1.0/24 ci: subnet: 172.18.2.0/24 # ------------------------------------------------------------- # Docker engine configuration # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker_daemon: equatower: storage-driver: devicemapper storage-opts: - "dm.thinpooldev=/dev/mapper/wharf-thinpool" - "dm.use_deferred_removal=true" - "dm.use_deferred_deletion=true" docker_devicemapper: equatower: thinpool: wharf-thinpool # ------------------------------------------------------------- # Containers # # The docker_containers entry allow to declare # containers by image by servers # # The hierarchy is so as following. # # docker_containers: # server with the Docker engine: # service codename: # instance name: # container properties # # The service codename must match a state file in # the roles/paas-docker/containers/ directory. # # The container will be run with the specified instance name. # # **nginx** # # The container properties can also describe the information # needed to configure nginx with the host and app_port key. 
# # In such case, a matching vhost file should be declared as # roles/paas-docker/nginx/files/vhosts/.sls # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker_containers: # # Dwellers is the engine for Mastodon and CI intelligent bus services # dwellers: # # Core services # mysql: bugzilla_db: network: bugzilla version: 5.7 # # Bugzilla # bugzilla: ew_bugzilla: host: bugzilla.espace-win.org app_port: 33080 network: bugzilla mysql: host: bugzilla_db db: EspaceWin_Bugs credential: espacewin.bugzilla.mysql # # Equatower is the current production engine # equatower: # # Core services # mysql: acquisitariat: {} phpbb_db: {} postgresql: sentry_db: credential: nasqueron.sentry.postgresql redis: sentry_redis: {} registry: registry: app_port: 5000 ip: *intra_equatower # # CI and CD # jenkins: jenkins_cd: realm: cd host: cd.nasqueron.org app_port: 38080 jnlp_port: 50000 jenkins_ci: realm: ci host: ci.nasqueron.org app_port: 42080 jnlp_port: 55000 jenkins_slave: # Slaves for CD apsile: &php_for_cd image: php realm: cd elapsi: *php_for_cd rust_brown: image: rust realm: cd yarabokin: image: node realm: cd zateki: &php_for_ci image: php realm: ci zenerre: *php_for_ci tommy: tommy_ci: app_port: 24080 host: builds.nasqueron.org aliases: - build.nasqueron.org jenkins_url: https://ci.nasqueron.org tommy_cd: # No host definition, as this dashboard is mounted on infra.nasqueron.org app_port: 24180 jenkins_url: https://cd.nasqueron.org # Infrastructure and development services phabricator: # Nasqueron instance devcentral: app_port: 31080 host: devcentral.nasqueron.org aliases: - phabricator.nasqueron.org blogs: servers: host: servers.nasqueron.org aliases: - server.nasqueron.org - serveur.nasqueron.org - serveurs.nasqueron.org mailer: mailgun credentials: mysql: zed.phabricator.mysql static_host: phabricator-files-for-devcentral-nasqueron.spacetechnology.net title: Nasqueron DevCentral mysql_link: acquisitariat skip_container: True # Private instance for Dereckson 
river_sector: app_port: 23080 host: river-sector.dereckson.be static_host: phabricator-files-for-river-sector.nasqueron.org mailer: _ credentials: mysql: dereckson.phabricator.mysql storage: namespace: river_sector title: River Sector mysql_link: acquisitariat # Wolfplex instance wolfplex_phab: app_port: 35080 host: phabricator.wolfplex.be aliases: - phabricator.wolfplex.org static_host: phabricator-files-for-wolfplex.nasqueron.org mailer: mailgun credentials: mailgun: wolfplex.phabricator.mailgun mysql: wolfplex.phabricator.mysql storage: namespace: wolfphab title: Wolfplex Phabricator mysql_link: acquisitariat # Zed instance zed_code: app_port: 36080 host: code.zed.dereckson.be static_host: phabricator-files-for-zed.nasqueron.org mailer: sendgrid credentials: mysql: zed.phabricator.mysql sendgrid: zed.phabricator.sendgrid storage: namespace: zedphab title: Zed mysql_link: acquisitariat aphlict: aphlict: ports: client: 22280 admin: 22281 cachet: cachet: app_port: 39080 host: status.nasqueron.org credential: nasqueron.cachet.mysql app_key: nasqueron.cachet.app_key mysql_link: acquisitariat etherpad: pad: app_port: 34080 host: pad.nasqueron.org aliases: - pad.wolfplex.org - pad.wolfplex.be credential: nasqueron.etherpad.api mysql_link: acquisitariat auth-grove: login: app_port: 25080 host: login.nasqueron.org credential: nasqueron.auth-grove.mysql mysql_link: acquisitariat # API microservices docker-registry-api: api-docker-registry: app_port: 20080 api_entry_point: /docker/registry registry_instance: registry # phpBB SaaS # The SaaS uses a MySQL instance, declared in the MySQL section. # Openfire openfire: openfire: ip: *ipv4_equatower app_port: 9090 host: xmpp.nasqueron.org # Sentry # The Sentry instance uses a Redis and a PostgreSQL instance, # declared above. 
exim: sentry_smtp: host: mx.sentry.nasqueron.org sentry_worker: - sentry_worker_1: &sentry_links - postgresql_link: sentry_db - redis_link: sentry_redis - smtp_link: sentry_smtp + sentry_worker_1: + # As an instance is devided between a web, a cron and a worker + # containers, we need an identified to share a data volume. + realm: nasqueron sentry_cron: - sentry_cron: *sentry_links + sentry_cron: + realm: nasqueron sentry_web: sentry_web_1: - <<: *sentry_links + realm: nasqueron app_port: 26080 host: sentry.nasqueron.org # ------------------------------------------------------------- # Ports listened by XMPP # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - xmpp_ports: - 3478 - 5222 # Client to server - 5223 # Client to server (Encrypted (legacy-mode) connections) - 5262 # Connections managers - 5269 # Server to server - 5275 # External components - 5276 # External components (Encrypted (legacy-mode) connections) - 7070 # HTTP binding - 7443 # HTTP binding with TLS - 7777 # File transfer proxy - 9090 # Web administration server - 9091 # Web administration server with TLS # ------------------------------------------------------------- # Zemke-Rhyne clients # # This section should list all the Docker engines server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - zr_clients: - key: 2 allowedConnectionFrom: - 172.27.26.49 - dwellers.nasqueron.drake - dwellers.nasqueron.org restrictCommand: comment: Zemke-Rhyne - key: 123 allowedConnectionFrom: - equatower.nasqueron.org restrictCommand: comment: Zemke-Rhyne diff --git a/pillar/saas/sentry.sls b/pillar/saas/sentry.sls new file mode 100644 index 0000000..c490130 --- /dev/null +++ b/pillar/saas/sentry.sls 
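Review bot: The new comment under `sentry_worker_1` carries two typos that change its meaning; suggest `# As an instance is divided between a web, a cron and a worker` / `# container, we need an identifier to share a data volume.` The image switch from `localhost:5000/sentry` to `library/sentry` drops the tag, so every pull follows `latest` and a Sentry upgrade (schema migrations included) can land on the next highstate unnoticed; pinning a version tag, as `library/redis:3.2-alpine` already does in this list, keeps the deployment reproducible. The `sentry_worker` and `sentry_cron` entries now carry only `realm: nasqueron`, but the `roles/paas-docker/containers/sentry.sls` added in this commit appears to iterate `sentry_web` only, so unless those instances are provisioned elsewhere they are declared but never started — worth either a loop for them or a comment saying they are placeholders.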
@@ -0,0 +1,20 @@ +# ------------------------------------------------------------- +# Salt — Sentry instances +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Created: 2018-11-10 +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# Sentry realms +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +sentry_realms: + nasqueron: + links: + postgresql: sentry_db + redis: sentry_redis + smtp: sentry_smtp + credential: nasqueron.sentry.app_key + email_from: no-reply@sentry.nasqueron.org diff --git a/pillar/top.sls b/pillar/top.sls index a60899d..eebbc2a 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -1,39 +1,40 @@ # ------------------------------------------------------------- # Salt configuration for Nasqueron servers # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2016-04-10 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- base: '*': - core.users - core.groups - certificates.certificates - nodes.nodes - nodes.forests - hotfixes.roles - webserver.sites dwellers: - credentials.zr - paas.docker eglide: - shellserver.quassel equatower: - credentials.zr - paas.docker - saas.jenkins - saas.phpbb + - saas.sentry ysul: - devserver.repos - paas.docker - saas.mediawiki - viperserv.bots - viperserv.fantoir - webserver.labs - webserver.wwwroot51 diff --git a/roles/paas-docker/containers/files/sentry/sentry.sh.jinja b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja new file mode 100644 index 0000000..f6c24f0 --- /dev/null +++ b/roles/paas-docker/containers/files/sentry/sentry.sh.jinja 
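Review bot: Nothing in this file says how a realm is wired to the containers, and the consuming state resolves `pillar['sentry_realms'][container['realm']]` directly, so a realm name that does not match a container's `realm:` key in `docker_containers` fails only at render time with a KeyError. A short comment above `sentry_realms:` would make the contract explicit, e.g. `# Each key is a realm name referenced by the realm: property of the sentry_* containers in paas.docker; links name the container instances to link to, credential the Zemke-Rhyne credential whose token becomes SENTRY_SECRET_KEY.`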
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# PaaS Docker
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-11-10
+# License: Trivial work, not eligible to copyright
+# Description: Wrapper for sentry command (local instance)
+# Source file: roles/paas-docker/containers/files/sentry/sentry.sh.jinja
+# -------------------------------------------------------------
+#
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+SECRET_KEY=$(zr getcredentials {{ credential_id }} token)
+
+docker run -it --rm \
+  -e SENTRY_SECRET_KEY=$SECRET_KEY \
+  --link {{ links.postgresql }}:postgres \
+  --link {{ links.redis }}:redis \
+  sentry "$@"
diff --git a/roles/paas-docker/containers/sentry.sls b/roles/paas-docker/containers/sentry.sls
new file mode 100644
index 0000000..431d091
--- /dev/null
+++ b/roles/paas-docker/containers/sentry.sls
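Review bot: `SECRET_KEY` is interpolated unquoted into `-e SENTRY_SECRET_KEY=$SECRET_KEY`, so an empty result (zr failure, missing credential) silently starts the container with an empty secret and any whitespace in the token would split the argument; check it first and quote it, e.g. `[ -n "$SECRET_KEY" ] || { echo "Unable to fetch Sentry secret key" 1>&2; exit 1; }` and `-e "SENTRY_SECRET_KEY=$SECRET_KEY"`. Passing the value on the command line also exposes it to every local user through the process list; exporting it and using `-e SENTRY_SECRET_KEY` without a value, which makes docker read it from the calling environment, avoids that. The wrapper links only postgres and redis, while the web container in `containers/sentry.sls` also links smtp and binds `/var/lib/sentry/files`, so `sentry` subcommands that send mail or touch the file store would behave differently here — presumably intended, but a comment saying so would help the next reader.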
@@ -0,0 +1,76 @@ +# ------------------------------------------------------------- +# Salt — Provision Docker engine +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Created: 2016-12-15 +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +{% set has_selinux = salt['grains.get']('selinux:enabled', False) %} +{% set containers = pillar['docker_containers'][grains['id']] %} + +# ------------------------------------------------------------- +# Data directory +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% for realm, args in pillar['sentry_realms'].items() %} + +/srv/sentry/{{ realm }}: + file.directory: + - user: 999 + - group: 999 + - makedirs: True + +/srv/sentry/{{ realm }}/bin/sentry: + file.managed: + - source: salt://roles/paas-docker/containers/files/sentry/sentry.sh.jinja + - template: jinja + - mode: 755 + - makedirs: True + - context: + links: {{ args['links'] }} + credential_id: {{ salt['zr.get_credential_id'](args['credential']) }} + +{% if has_selinux %} +selinux_context_{{ realm }}_sentry_data: + selinux.fcontext_policy_present: + - name: /srv/sentry/{{ realm }} + - sel_type: container_file_t + +selinux_context_{{ realm }}_sentry_data_applied: + selinux.fcontext_policy_applied: + - name: /srv/sentry/{{ realm }} +{% endif %} + +{% endfor %} + +# ------------------------------------------------------------- +# Web application +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% for instance, container in containers['sentry_web'].items() %} + +{% set args = pillar['sentry_realms'][container['realm']] %} + +{{ instance }}: + docker_container.running: + - detach: True + - interactive: True + - image: library/sentry + - binds: &binds /srv/sentry/{{ container['realm'] }}:/var/lib/sentry/files + - links: &links + - {{ args['links']['postgresql'] }}:postgres + - {{ args['links']['redis'] }}:redis + - {{ 
args['links']['smtp'] }}:smtp + - environment: &env + - SENTRY_SECRET_KEY: {{ salt['zr.get_token'](args['credential']) }} + - SENTRY_FILESTORE_DIR: + - SENTRY_USE_SSL: 1 + - SENTRY_SERVER_EMAIL: {{ args['email_from'] }} + - SENTRY_FILESTORE_DIR: /var/lib/sentry/files + - ports: + - 80 + - port_bindings: + - {{ container['app_port'] }}:9000 + +{% endfor %} diff --git a/roles/paas-docker/wrappers/files/sentry.sh b/roles/paas-docker/wrappers/files/sentry.sh new file mode 100644 index 0000000..7685fc8 --- /dev/null +++ b/roles/paas-docker/wrappers/files/sentry.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +# ------------------------------------------------------------- +# PaaS Docker +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Created: 2018-11-11 +# License: Trivial work, not eligible to copyright +# Source file: roles/paas-docker/wrappers/files/sentry.sh +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# + +if [ "$#" -lt 2 ]; then + echo "Usage: $0 [arguments]" 1>&2; + exit 1 +fi + +REALM=$1 +shift + +if [ ! -d "/srv/sentry/$REALM" ]; then + echo "Realm doesn't exist: $REALM" 1>&2; + exit 2 +fi + +DOCKER_RUN_SCRIPT=/srv/sentry/$REALM/bin/sentry + +if [ ! -f "$DOCKER_RUN_SCRIPT" ]; then + echo "File doesn't exist: $DOCKER_RUN_SCRIPT" 1>&2; + echo "You can generate it running 'deploy-container sentry' command on the Salt master. 1>&2;" + exit 4 +fi + +$DOCKER_RUN_SCRIPT "$@" diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls index ddb3d9a..1f64ede 100644 --- a/roles/paas-docker/wrappers/init.sls +++ b/roles/paas-docker/wrappers/init.sls 
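Review bot: `SENTRY_FILESTORE_DIR` appears twice in the `environment` list, first with no value (which YAML reads as null) and then as `/var/lib/sentry/files`; which one wins depends on how the state module merges the list, so the empty `- SENTRY_FILESTORE_DIR:` entry should go. `{{ salt['zr.get_token'](args['credential']) }}` and `links: {{ args['links'] }}` are rendered unquoted into YAML, so a token starting with a YAML indicator or containing `: ` breaks the render; wrapping the token in double quotes (or passing it through the `yaml_encode` filter) guards against that. `ports: - 80` also looks inconsistent with the `:9000` binding if, as the binding implies, the image listens on 9000. The `&binds`, `&links` and `&env` anchors are never aliased in this file, and the `sentry_worker`/`sentry_cron` instances declared in the pillar have no loop here, so either those blocks are still to come or the anchors can be dropped.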
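Review bot: In the missing-script branch the redirection sits inside the string, `echo "You can generate it ... on the Salt master. 1>&2;"`, so the literal text `1>&2;` is printed and the hint goes to stdout unlike the line before it; move it outside the quotes, `echo "You can generate it running 'deploy-container sentry' command on the Salt master." 1>&2`. The usage line omits the mandatory realm argument that the `-lt 2` check enforces; `echo "Usage: $0 <realm> <sentry arguments>" 1>&2` says what the check expects. `$REALM` flows straight from the caller into `/srv/sentry/$REALM/bin/sentry`, and the `-d`/`-f` tests accept a value containing `/` or `..`; if this wrapper is ever granted through sudo, validating the realm against a plain-identifier pattern before use keeps it from executing a script outside /srv/sentry. Quoting the final invocation, `"$DOCKER_RUN_SCRIPT" "$@"`, is the safer idiom as well.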
@@ -1,27 +1,27 @@ # ------------------------------------------------------------- # Salt — Provision Docker engine # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2018-03-15 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- {% from "map.jinja" import dirs with context %} # ------------------------------------------------------------- # Wrapper binaries # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{% for command in ['certbot', 'phpbb', 'mysql'] %} +{% for command in ['certbot', 'phpbb', 'mysql', 'sentry'] %} {{ dirs.bin }}/{{ command }}: file.managed: - source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh - mode: 755 {% endfor %} {% for command in ['pad-delete'] %} {{ dirs.bin }}/{{ command }}: file.managed: - source: salt://roles/paas-docker/wrappers/files/{{ command }}.py - mode: 755 {% endfor %}