Rename roots to states

This commit renames the roots directory to states because it contains
salt states.

states/gnuviechadmin/base.sls

@@ -0,0 +1,83 @@
+{% from 'gnuviechadmin/vars.sls' import home, gva_component, gva_amqp_user, checkout, appdir, venv %}
+
+{% for host in salt['pillar.get']('gnuviechadmin:machines') %}
+{{ host }}:
+  host.present:
+    - ip: {{ salt['pillar.get']('gnuviechadmin:machines:%s:ip' % host) }}
+{% if salt['pillar.get']('gnuviechadmin:machines:%s:names' % host) %}
+    - names:
+{% for machine in salt['pillar.get']('gnuviechadmin:machines:%s:names' % host) %}
+      - {{ machine }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+gnuviechadmin-packages:
+  pkg.installed:
+    - pkgs:
+      - libyaml-dev
+      - python-virtualenv
+      - python-dev
+      - python-pip
+      - gettext
+
+{{ home }}/gvasettings.sh:
+  file.managed:
+    - user: vagrant
+    - group: vagrant
+    - mode: 0640
+    - source: salt://gnuviechadmin/{{ gva_component }}/settings.sh
+    - template: jinja
+    - context:
+        broker_url: {{ 'amqp://%s:%s@mq/%s' % (gva_amqp_user, salt['pillar.get']('gnuviechadmin:queues:users:%s:password' % gva_amqp_user), salt['pillar.get']('gnuviechadmin:queues:vhost')) }}
+
+gnuviechadmin-venv:
+  cmd.run:
+    - name: virtualenv {{ venv }}
+    - user: vagrant
+    - group: vagrant
+    - unless: test -f {{ venv }}/bin/pip
+
+gnuviechadmin-requires:
+  cmd.run:
+    - name: {{ venv }}/bin/pip install -U -r requirements/local.txt && touch {{ venv }}/lastinstall
+    - user: vagrant
+    - group: vagrant
+    - cwd: {{ checkout }}
+    - require:
+      - cmd: gnuviechadmin-venv
+      - pkg: gnuviechadmin-packages
+    - unless: test -e {{ venv }}/lastinstall && test {{ checkout }}/requirements/local.txt -ot {{ venv }}/lastinstall && test {{ checkout }}/requirements/base.txt -ot {{ venv }}/lastinstall
+
+gnuviechadmin-dbschema:
+  cmd.wait:
+    - name: . {{ home }}/gvasettings.sh ; unset LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME ; {{ venv }}/bin/python manage.py migrate --noinput
+    - user: vagrant
+    - group: vagrant
+    - cwd: {{ appdir }}
+    - watch:
+      - cmd: gnuviechadmin-requires
+      - file: {{ home }}/gvasettings.sh
+
+gnuviechadmin-locale-data-compile:
+  cmd.wait:
+    - name: . {{ home }}/gvasettings.sh ; {{ venv }}/bin/python {{ appdir }}/manage.py compilemessages
+    - user: vagrant
+    - group: vagrant
+    - cwd: {{ appdir }}
+    - require:
+      - pkg: gnuviechadmin-packages
+      - file: {{ home }}/gvasettings.sh
+      - cmd: gnuviechadmin-venv
+
+/home/vagrant/.bash_functions:
+  file.managed:
+    - user: vagrant
+    - group: vagrant
+    - mode: 0644
+    - source: salt://base/bash_functions
+    - template: jinja
+    - context:
+        home: {{ home }}
+        venv: {{ venv }}
+        appdir: {{ appdir }}

states/gnuviechadmin/bash_functions

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+function devenv
+{
+    . $HOME/gvasettings.sh
+    . $HOME/gva-venv/bin/activate
+    cd /vagrant/gnuviechadmin
+}
+
+function testenv
+{
+    devenv
+    export DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE%%.local}.test
+}
+
+function settitle
+{
+    if [ -n "$STY" ] ; then      # We are in a screen session
+        echo "Setting screen titles to $@"
+        printf "\033k%s\033\\" "$@"
+        screen -X eval "at \\# title $@" "shelltitle $@"
+    else
+        printf "\033]0;%s\007" "$@"
+    fi
+}

states/gnuviechadmin/celery.sls

@@ -0,0 +1,13 @@
+{% from 'gnuviechadmin/vars.sls' import home, gva_component, venv, appdir %}
+
+{{ home }}/bin/run_celery.sh:
+  file.managed:
+    - user: vagrant
+    - group: vagrant
+    - mode: 0750
+    - source: salt://gnuviechadmin/{{ gva_component }}/run_celery.sh
+    - template: jinja
+    - context:
+        home: {{ home }}
+        virtualenv: {{ venv }}
+        appdir: {{ appdir }}

states/gnuviechadmin/database.sls

@@ -0,0 +1,33 @@
+include:
+  - postgresql-server
+
+gnuviechadmin-database:
+  postgres_user.present:
+    - name: {{ salt['pillar.get']('gnuviechadmin:database:owner:user') }}
+    - user: postgres
+    - password: {{ salt['pillar.get']('gnuviechadmin:database:owner:password') }}
+    - login: True
+    - createdb: {% if salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') == 'local' %}True
+{%- else %}False
+{%- endif %}
+    - require:
+      - service: postgresql
+  postgres_database.present:
+    - name: {{ salt['pillar.get']('gnuviechadmin:database:name') }}
+    - user: postgres
+    - owner: {{ salt['pillar.get']('gnuviechadmin:database:owner:user') }}
+    - encoding: UTF8
+    - template: template0
+    - require:
+      - service: postgresql
+      - postgres_user: {{ salt['pillar.get']('gnuviechadmin:database:owner:user') }}
+
+{% for gnuviechadmin_db_role in salt['pillar.get']('gnuviechadmin:database:users') %}
+gnuviechadmin-dbuser-{{ gnuviechadmin_db_role }}:
+  postgres_user.present:
+    - name: {{ salt['pillar.get']('gnuviechadmin:database:users:%s:user' % gnuviechadmin_db_role) }}
+    - password: {{ salt['pillar.get']('gnuviechadmin:database:users:%s:password' % gnuviechadmin_db_role) }}
+    - login: True
+    - require:
+      - service: postgresql
+{% endfor %}

states/gnuviechadmin/gva/gnuviechadmin.nginx

@@ -0,0 +1,27 @@
+server {
+  server_name www.{{ domainname }};
+  listen 443 ssl;
+
+  ssl_certificate {{ ssl_certdir }}/{{ domainname }}.crt.pem;
+  ssl_certificate_key {{ ssl_keydir }}/{{ domainname }}.key.pem;
+
+  if ( $host != '{{ domainname }}') {
+    return 301 https://{{ domainname }}$request_uri;
+  }
+
+  client_max_body_size 1M;
+  gzip on;
+  gzip_types text/javascript application/x-javascript text/css;
+
+  location /media {
+    alias /vagrant/gnuviechadmin/media;
+  }
+
+  location /static {
+    alias /vagrant/gnuviechadmin/assets;
+  }
+
+  location / {
+    proxy_pass http://localhost:8000;
+  }
+}

states/gnuviechadmin/gva/settings.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+export DJANGO_SETTINGS_MODULE="gnuviechadmin.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}"
+export GVA_ADMIN_NAME="Jan Dittberner"
+export GVA_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin:adminemail') }}"
+export GVA_PGSQL_DATABASE="{{ salt['pillar.get']('gnuviechadmin:database:name') }}"
+export GVA_PGSQL_USER="{{ salt['pillar.get']('gnuviechadmin:database:owner:user') }}"
+export GVA_PGSQL_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:database:owner:password') }}"
+export GVA_PGSQL_HOSTNAME="{{ salt['pillar.get']('gnuviechadmin:database:host') }}"
+export GVA_PGSQL_PORT={{ salt['pillar.get']('gnuviechadmin:database:port') }}
+export GVA_DOMAIN_NAME="{{ salt['pillar.get']('gnuviechadmin:domainname') }}"
+export GVA_SITE_NAME="{{ salt['pillar.get']('gnuviechadmin:sitename') }}"
+export GVA_SITE_SECRET="{{ salt['grains.get_or_set_hash']('gnuviechadmin:SECRET_KEY', 50) }}"
+export GVA_SITE_ADMINMAIL="{{ salt['pillar.get']('gnuviechadmin:adminemail') }}"
+export GVA_MIN_OS_UID={{ salt['pillar.get']('gnuviechadmin:minosuid') }}
+export GVA_MIN_OS_GID={{ salt['pillar.get']('gnuviechadmin:minosgid') }}
+export GVA_OSUSER_PREFIX="{{ salt['pillar.get']('gnuviechadmin:osuserprefix') }}"
+export GVA_OSUSER_HOME_BASEPATH="{{ salt['pillar.get']('gnuviechadmin:osuserhomedirbase') }}"
+export GVA_OSUSER_DEFAULT_SHELL="{{ salt['pillar.get']('gnuviechadmin:osuserdefaultshell') }}"
+export GVA_BROKER_URL="{{ broker_url }}"
+export GVA_OSUSER_UPLOADSERVER="{{ salt['pillar.get']('gnuviechadmin:uploadserver') }}"
+export GVA_WEBMAIL_URL="{{ salt['pillar.get']('gnuviechadmin:webmail_url') }}"
+export GVA_PHPMYADMIN_URL="{{ salt['pillar.get']('gnuviechadmin:phpmyadmin_url') }}"
+export GVA_PHPPGADMIN_URL="{{ salt['pillar.get']('gnuviechadmin:phppgadmin_url') }}"
+export GVA_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"

states/gnuviechadmin/gvaldap.sls

@@ -0,0 +1,19 @@
+include:
+  - gnuviechadmin.base
+  - gnuviechadmin.celery
+
+gvaldap-packages:
+  pkg.installed:
+    - pkgs:
+      - libldap2-dev
+      - libsasl2-dev
+    - require_in:
+      - pkg: gnuviechadmin-packages
+
+base-ldap-objects:
+  cmd.script:
+    - source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
+    - template: jinja
+    - user: root
+    - group: root
+    - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries

states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh

@@ -0,0 +1,91 @@
+#!/bin/sh
+
+set -e
+
+{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
+{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
+{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
+{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+
+# setup password hashing for cleartext input
+ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
+
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashClearText: TRUE
+EOD
+
+# define ACLs on LDAP tree
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+  by self write
+  by anonymous auth
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * none
+olcAccess: {1}to dn.base=""
+  by * read
+olcAccess: {2}to dn.subtree="ou={{ ldap_users_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {3}to dn.subtree="ou={{ ldap_groups_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {4}to *
+  by self write
+  by * read
+EOD
+
+# add OUs, groups and ldapadmin user
+ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd.password") }}' <<EOD
+dn: ou={{ ldap_users_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_users_ou }}
+
+dn: ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_groups_ou }}
+
+dn: cn=sftponly,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: sftponly
+gidNumber: 2000
+description: SFTP users
+
+dn: cn=wwwusers,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: wwwusers
+gidNumber: 2001
+
+dn: cn=webserver,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: webserver
+gidNumber: 2002
+memberUid: www-data
+
+dn: cn={{ ldap_admin_user }},{{ base_dn }}
+changetype: add
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: {{ ldap_admin_user }}
+description: LDAP manager for celery worker
+userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
+EOD

states/gnuviechadmin/gvaldap/run_celery.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -ex
+
+. {{ home }}/gvasettings.sh
+cd {{ appdir }}
+{{ virtualenv }}/bin/celery worker -A gvaldap -Q ldap --loglevel=INFO

states/gnuviechadmin/gvaldap/settings.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
+export GVALDAP_ADMIN_NAME='Jan Dittberner'
+export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
+export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
+export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
+export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
+export GVALDAP_BROKER_URL='{{ broker_url }}'
+export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
+export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
+export GVALDAP_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"

states/gnuviechadmin/queues.sls

@@ -0,0 +1,38 @@
+include:
+  - rabbitmq-server
+
+gnuviechadmin-queue-vhost:
+  rabbitmq_vhost.present:
+    - name: {{ salt['pillar.get']('gnuviechadmin:queues:vhost') }}
+
+gnuviechadmin_test-queue-vhost:
+  rabbitmq_vhost.present:
+    - name: {{ "%s_test" % salt['pillar.get']('gnuviechadmin:queues:vhost') }}
+
+{% for user in salt['pillar.get']('gnuviechadmin:queues:users') %}
+gnuviechadmin-queue-user-{{ user }}:
+  rabbitmq_user.present:
+    - name: {{ user }}
+    - password: {{ salt['pillar.get']('gnuviechadmin:queues:users:%s:password' % user) }}
+{% if salt['pillar.get']('gnuviechadmin:queues:users:%s:perms' % user) %}
+    - perms:
+{% for vhost, perms in salt['pillar.get']('gnuviechadmin:queues:users:%s:perms' % user).iteritems() %}
+      - {{ vhost }}:
+        - {{ perms[0] }}
+        - {{ perms[1] }}
+        - {{ perms[2] }}
+      - {{ vhost + "_test" }}:
+        - {{ perms[0] }}
+        - {{ perms[1] }}
+        - {{ perms[2] }}
+{% endfor %}
+{% endif %}
+{% if salt['pillar.get']('gnuviechadmin:queues:users:%s:tags' % user) %}
+    - tags:
+{% for tag in salt['pillar.get']('gnuviechadmin:queues:users:%s:tags' % user) %}
+      - {{ tag }}
+{% endfor %}
+{% endif %}
+    - require:
+      - rabbitmq_vhost: {{ salt['pillar.get']('gnuviechadmin:queues:vhost') }}
+{% endfor %}

states/gnuviechadmin/vars.sls

@@ -0,0 +1,7 @@
+{% set home = '/home/vagrant' %}
+{% set venv = home + '/gva-venv' %}
+{% set checkout = '/vagrant' %}
+{% set gva_component = salt['pillar.get']('gnuviechadmin:component:name') %}
+{% set gva_amqp_user = salt['pillar.get']('gnuviechadmin:component:amqp_user') %}
+{% set python_module = salt['pillar.get']('gnuviechadmin:component:python_module', gva_component) %}
+{% set appdir = checkout + '/' + python_module %}

states/gnuviechadmin/webinterface.sls

@@ -0,0 +1,39 @@
+include:
+  - gnuviechadmin.base
+  - webserver
+
+libpq-dev:
+  pkg.installed:
+    - require_in:
+      - pkg: gnuviechadmin-packages
+
+python-m2crypto:
+  pkg.installed:
+    - reload_modules: true
+
+{% import "webserver/sslcert.macros.sls" as sslcert %}
+
+{% set domainname = salt['pillar.get']('gnuviechadmin:domainname') %}
+{{ sslcert.key_cert(domainname) }}
+
+/etc/nginx/sites-available/{{ domainname }}:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0640
+    - source: salt://gnuviechadmin/gva/gnuviechadmin.nginx
+    - template: jinja
+    - context:
+        domainname: {{ domainname }}
+        ssl_keydir: {{ salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') }}
+        ssl_certdir: {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}
+    - require:
+      - pkg: nginx
+
+/etc/nginx/sites-enabled/{{ domainname }}:
+  file.symlink:
+    - target: /etc/nginx/sites-available/{{ domainname }}
+    - require:
+      - file: /etc/nginx/sites-available/{{ domainname }}
+    - watch_in:
+      - service: nginx