Implement salt states for gva webinterface

- setup listener and pg_hba.conf for PostgreSQL server - add state code for gva - add macros for nginx and uwsgi with Python 3 support - add pillar data for gva
2020-03-07 18:26:52 +01:00 · 2020-03-07 18:26:52 +01:00 · 2833b78c8a
commit 2833b78c8a
parent 7e246ec1a0
17 changed files with 400 additions and 19 deletions
--- a/states/gnuviechadmin/gva.sls
+++ b/states/gnuviechadmin/gva.sls
@ -0,0 +1,128 @@
+{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
+{% set app_home = salt['grains.get']('gnuviechadmin:home', '/home/{}'.format(gvaappname)) %}
+{% set app_user = salt['grains.get']('gnuviechadmin:user', gvaappname) %}
+{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
+{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
+
+{% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqp_user'.format(gvaappname), gvaappname) -%}
+{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
+{% set domainname = salt['pillar.get']('gnuviechadmin:{}:domainname'.format(gvaappname), 'service.localhost') %}
+{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
+{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
+
+{% from 'gnuviechadmin/gvaapp_macros.sls' import gvaapp_base with context %}
+include:
+- base
+- python.pipenv
+- python.virtualenv
+- uwsgi.python3
+
+{{ gvaapp_base(gvaappname, 'uwsgi') }}
+
+{{ gvaappname }}-dependencies:
+  pkg.installed:
+    - pkgs:
+      - libpq-dev
+    - require_in:
+      - cmd: {{ gvaappname }}-requirements
+
+gettext:
+  pkg.installed
+
+{{ checkout }}/.env:
+  file.managed:
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - mode: 0640
+    - source: salt://gnuviechadmin/{{ gvaappname }}/env-vars
+    - template: jinja
+    - context:
+        gvaappname: {{ gvaappname }}
+        broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin:queues:users:{}:password'.format(amqp_user)) }}@{{ salt['pillar.get']('gnuviechadmin:amqp_host', 'mq') }}/{{ salt['pillar.get']('gnuviechadmin:queues:vhost') }}
+        result_url: redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0
+    - require:
+      - user: {{ gvaappname }}-user
+      - group: {{ gvaappname }}-group
+      - file: {{ checkout }}
+
+{% for command in ['migrate --noinput', 'collectstatic --noinput', 'compilemessages'] %}
+{{ gvaappname }}-manage-{{ command }}:
+  cmd.wait:
+    - name: /usr/local/bin/pipenv run python3 manage.py {{ command }}
+    - runas: {{ app_user }}
+    - cwd: {{ checkout }}/gnuviechadmin
+    - env:
+      - VIRTUAL_ENV: "{{ venv }}"
+      - LC_ALL: C.UTF-8
+      - LANG: C.UTF-8
+    - watch:
+      - cmd: {{ gvaappname }}-requirements
+      - file: {{ checkout }}/.env
+      {%- if update_git %}
+      - git: {{ gitrepo }}
+      {%- endif %}
+{% endfor %}
+
+/etc/uwsgi/apps-available/{{ gvaappname }}.ini:
+  file.managed:
+    - user: root
+    - group: {{ app_group }}
+    - mode: 0640
+    - source: salt://gnuviechadmin/{{ gvaappname }}/uwsgi.ini
+    - template: jinja
+    - context:
+        gvaappname: {{ gvaappname }}
+        broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin:queues:users:{}:password'.format(amqp_user)) }}@{{ salt['pillar.get']('gnuviechadmin:amqp_host', 'mq') }}/{{ salt['pillar.get']('gnuviechadmin:queues:vhost') }}
+        result_url: redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0
+        workdir: {{ checkout }}/gnuviechadmin
+        venv: {{ venv }}
+    - require:
+      - pkg: uwsgi
+    - require_in:
+      - service: uwsgi
+    - watch_in:
+      - service: uwsgi
+
+/etc/uwsgi/apps-enabled/{{ gvaappname }}.ini:
+  file.symlink:
+    - target: /etc/uwsgi/apps-available/{{ gvaappname }}.ini
+    - require:
+      - file: /etc/uwsgi/apps-available/{{ gvaappname }}.ini
+    - require_in:
+      - service: uwsgi
+
+{% set letsencrypt = salt['pillar.get']('gnuviechadmin:{}:letsencrypt'.format(gvaappname), False) %}
+{% if not letsencrypt %}
+python3-cryptography:
+  pkg.installed
+
+{% from 'webserver/sslcert.macros.sls' import key_cert with context %}
+{{ key_cert(domainname) }}
+{% endif %}
+
+/etc/nginx/sites-available/{{ domainname }}:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0640
+    - source: salt://gnuviechadmin/{{ gvaappname }}/app.nginx
+    - template: jinja
+    - context:
+        domainname: {{ domainname }}
+        checkout: {{ checkout }}
+        letsencrypt: {{ letsencrypt }}
+        appname: {{ gvaappname }}
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/sites-enabled/{{ domainname }}:
+  file.symlink:
+    - target: /etc/nginx/sites-available/{{ domainname }}
+    - require:
+      - file: /etc/nginx/sites-available/{{ domainname }}
+      - file: /etc/uwsgi/apps-enabled/{{ gvaappname }}.ini
+      - service: uwsgi
+    - watch_in:
+      - service: nginx
--- a/states/gnuviechadmin/gva/app.nginx
+++ b/states/gnuviechadmin/gva/app.nginx
@ -0,0 +1,32 @@
+{% import "webserver/site_macros.nginx" as nginx with context -%}
+
+{{ nginx.server_definition(domainname, letsencrypt=letsencrypt) }}
+}
+
+{{ nginx.server_definition(domainname, True, letsencrypt=letsencrypt) }}
+  server_name {{ domainname }};
+
+  if ( $host != '{{ domainname }}') {
+    return 301 https://{{ domainname }}$request_uri;
+  }
+
+  client_max_body_size 1M;
+  gzip on;
+  gzip_types text/javascript application/javascript application/x-javascript text/css;
+  add_header Strict-Transport-Security max-age=15552000; # 180 days
+
+  location /media {
+    alias {{ checkout }}/media;
+    expires 10m;
+  }
+
+  location /static {
+    alias {{ checkout }}/static;
+    expires 6M;
+  }
+
+  location / {
+    include uwsgi_params;
+    uwsgi_pass unix:/run/uwsgi/app/{{ appname }}/socket;
+  }
+}
--- a/states/gnuviechadmin/gva/env-vars
+++ b/states/gnuviechadmin/gva/env-vars
@ -0,0 +1,23 @@
+DJANGO_SETTINGS_MODULE=gnuviechadmin.settings
+GVA_ADMIN_EMAIL={{ salt['pillar.get']('gnuviechadmin:adminemail', 'admin@example.org') }}
+GVA_ADMIN_NAME={{ salt['pillar.get']('gnuviechadmin:adminname', 'Gnuviech Admin') }}
+GVA_BROKER_URL={{ broker_url }}
+GVA_DOMAIN_NAME={{ salt['pillar.get']('gnuviechadmin:{}:domainname'.format(gvaappname), 'service.localhost') }}
+GVA_MIN_OS_GID={{ salt['pillar.get']('gnuviechadmin:minosgid', 10000) }}
+GVA_MIN_OS_UID={{ salt['pillar.get']('gnuviechadmin:minosuid', 10000) }}
+GVA_OSUSER_DEFAULT_SHELL={{ salt['pillar.get']('gnuviechadmin:osuserdefaultshell', '/sbin/nologin') }}
+GVA_OSUSER_HOME_BASEPATH={{ salt['pillar.get']('gnuviechadmin:osuserhomedirbase', '/home') }}
+GVA_OSUSER_PREFIX={{ salt['pillar.get']('gnuviechadmin:osuserprefix', 'user') }}
+GVA_OSUSER_UPLOADSERVER={{ salt['pillar.get']('gnuviechadmin:uploadserver') }}
+GVA_PGSQL_DATABASE={{ salt['pillar.get']('gnuviechadmin:database:name') }}
+GVA_PGSQL_HOSTNAME={{ salt['pillar.get']('gnuviechadmin:database:host', 'localhost') }}
+GVA_PGSQL_PASSWORD={{ salt['pillar.get']('gnuviechadmin:database:owner:password') }}
+GVA_PGSQL_PORT={{ salt['pillar.get']('gnuviechadmin:database:port', 5432) }}
+GVA_PGSQL_USER={{ salt['pillar.get']('gnuviechadmin:database:owner:user', gvaappname ) }}
+GVA_RESULTS_REDIS_URL={{ result_url }}
+GVA_SITE_ADMINMAIL={{ salt['pillar.get']('gnuviechadmin:adminemail', 'admin@example.org') }}
+GVA_SITE_NAME={{ salt['pillar.get']('gnuviechadmin:sitename') }}
+GVA_SITE_SECRET={{ salt['pillar.get']('gnuviechadmin:{}:django_secret_key'.format(gvaappname)) }}
+GVA_URL_MYSQL_ADMIN={{ salt['pillar.get']('gnuviechadmin:{}:url_mysql_admin'.format(gvaappname)) }}
+GVA_URL_PGSQL_ADMIN={{ salt['pillar.get']('gnuviechadmin:{}:url_pgsql_admin'.format(gvaappname)) }}
+GVA_URL_WEBMAIL={{ salt['pillar.get']('gnuviechadmin:{}:url_webmail'.format(gvaappname)) }}
--- a/states/gnuviechadmin/gva/uwsgi.ini
+++ b/states/gnuviechadmin/gva/uwsgi.ini
@ -0,0 +1,35 @@
+[uwsgi]
+chdir = {{ workdir }}
+master = True
+max-requests = 5000
+module = django.core.wsgi:get_wsgi_application()
+plugin = python37
+processes = 4
+threads = 2
+uid = {{ gvaappname }}
+vacuum = True
+virtualenv = {{ venv }}
+
+env = DJANGO_SETTINGS_MODULE=gnuviechadmin.settings
+env = GVA_ADMIN_EMAIL={{ salt['pillar.get']('gnuviechadmin:adminemail', 'admin@example.org') }}
+env = GVA_ADMIN_NAME={{ salt['pillar.get']('gnuviechadmin:adminname', 'Gnuviech Admin') }}
+env = GVA_BROKER_URL={{ broker_url }}
+env = GVA_DOMAIN_NAME={{ salt['pillar.get']('gnuviechadmin:{}:domainname'.format(gvaappname), 'service.localhost') }}
+env = GVA_MIN_OS_GID={{ salt['pillar.get']('gnuviechadmin:minosgid', 10000) }}
+env = GVA_MIN_OS_UID={{ salt['pillar.get']('gnuviechadmin:minosuid', 10000) }}
+env = GVA_OSUSER_DEFAULT_SHELL={{ salt['pillar.get']('gnuviechadmin:osuserdefaultshell', '/sbin/nologin') }}
+env = GVA_OSUSER_HOME_BASEPATH={{ salt['pillar.get']('gnuviechadmin:osuserhomedirbase', '/home') }}
+env = GVA_OSUSER_PREFIX={{ salt['pillar.get']('gnuviechadmin:osuserprefix', 'user') }}
+env = GVA_OSUSER_UPLOADSERVER={{ salt['pillar.get']('gnuviechadmin:uploadserver') }}
+env = GVA_PGSQL_DATABASE={{ salt['pillar.get']('gnuviechadmin:database:name') }}
+env = GVA_PGSQL_HOSTNAME={{ salt['pillar.get']('gnuviechadmin:database:host', 'localhost') }}
+env = GVA_PGSQL_PASSWORD={{ salt['pillar.get']('gnuviechadmin:database:owner:password') }}
+env = GVA_PGSQL_PORT={{ salt['pillar.get']('gnuviechadmin:database:port', 5432) }}
+env = GVA_PGSQL_USER={{ salt['pillar.get']('gnuviechadmin:database:owner:user', gvaappname ) }}
+env = GVA_RESULTS_REDIS_URL={{ result_url }}
+env = GVA_SITE_ADMINMAIL={{ salt['pillar.get']('gnuviechadmin:adminemail', 'admin@example.org') }}
+env = GVA_SITE_NAME={{ salt['pillar.get']('gnuviechadmin:sitename') }}
+env = GVA_SITE_SECRET={{ salt['pillar.get']('gnuviechadmin:{}:django_secret_key'.format(gvaappname)) }}
+env = GVA_URL_MYSQL_ADMIN={{ salt['pillar.get']('gnuviechadmin:{}:url_mysql_admin'.format(gvaappname)) }}
+env = GVA_URL_PGSQL_ADMIN={{ salt['pillar.get']('gnuviechadmin:{}:url_pgsql_admin'.format(gvaappname)) }}
+env = GVA_URL_WEBMAIL={{ salt['pillar.get']('gnuviechadmin:{}:url_webmail'.format(gvaappname)) }}
--- a/states/gnuviechadmin/gvaapp_macros.sls
+++ b/states/gnuviechadmin/gvaapp_macros.sls
@ -10,6 +10,20 @@
 {% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
 {% set deployment_key = '{}/.ssh/id_deployment'.format(app_home) -%}

+{% for host in salt['pillar.get']('gnuviechadmin:machines', {}) %}
+{% if host != salt['grains.get']('host') %}
+{{ host }}:
+  host.present:
+    - ip: {{ salt['pillar.get']('gnuviechadmin:machines:{}:ip'.format(host)) }}
+{% if salt['pillar.get']('gnuviechadmin:machines:{}:names'.format(host)) %}
+    - names:
+{% for machine in salt['pillar.get']('gnuviechadmin:machines:{}:names'.format(host)) %}
+      - {{ machine }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+
 {{ gvaappname }}-group:
  group.present:
    - name: {{ app_group }}
@ -22,6 +36,8 @@
    - fullname: {{ appfullname }}
    - groups:
      - {{ app_group }}
+    - require:
+      - group: {{ gvaappname }}-group
  alias.present:
    - target: root

@ -169,7 +185,7 @@ update-{{ gvaappname }}-pip:

 {% set servicename = "{}-celery-worker".format(gvaappname) %}
 {% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqp_user'.format(gvaappname)) -%}
-{{ gvaapp_base(gvaappname, servicename ) }}
+{{ gvaapp_base(gvaappname, servicename) }}
 /etc/default/{{ gvaappname }}:
  file.managed:
    - user: root