diff --git a/pillar/gnuviechadmin/gvaldap.sls b/pillar/gnuviechadmin/gvaldap.sls
index 4673a67..c10a272 100644
--- a/pillar/gnuviechadmin/gvaldap.sls
+++ b/pillar/gnuviechadmin/gvaldap.sls
@@ -2,10 +2,17 @@ include:
 - gnuviechadmin
 - gnuviechadmin.queues.common
 - gnuviechadmin.queues.gvaldap
+ - ldapserver
 gnuviechadmin:
 component:
 name: gvaldap
 amqp_user: ldap
 ldap_admin_user: ldapadmin
+ ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
 allowed_hosts: 127.0.0.1,gvaldap.local,localhost
+ gvaldap:
+ git_url: https://git.dittberner.info/gnuviech/gvaldap.git
+ git_branch: master
+ celery_module: ldaptasks
+ django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU=
diff --git a/pillar/gnuviechadmin/gvamysql.sls b/pillar/gnuviechadmin/gvamysql.sls
index 748da10..903c235 100644
--- a/pillar/gnuviechadmin/gvamysql.sls
+++ b/pillar/gnuviechadmin/gvamysql.sls
@@ -8,3 +8,4 @@ gnuviechadmin:
 name: gvamysql
 amqp_user: mysql
 mysql_admin_user: gvamysql
+ mysql_admin_password: jSXstgT/AbWofdI2tJWYpQvFX1mtxt4tFMlrYxSA
diff --git a/pillar/gnuviechadmin/gvapgsql.sls b/pillar/gnuviechadmin/gvapgsql.sls
index 0be2eae..71171cf 100644
--- a/pillar/gnuviechadmin/gvapgsql.sls
+++ b/pillar/gnuviechadmin/gvapgsql.sls
@@ -7,4 +7,5 @@ gnuviechadmin:
 component:
 name: gvapgsql
 amqp_user: pgsql
- postgresql_admin_user: gvapgsql
+ pgsql_admin_user: gvapgsql
+ pgsql_admin_password: AAv6d1t9p/vtX/kVorim2MJROQfQPWJoZP3mzyMW
diff --git a/pillar/gnuviechadmin/init.sls b/pillar/gnuviechadmin/init.sls
index 1fa8fcf..86b9378 100644
--- a/pillar/gnuviechadmin/init.sls
+++ b/pillar/gnuviechadmin/init.sls
@@ -1,4 +1,6 @@
 gnuviechadmin:
+ ssh_known_hosts: |
+ nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA=
 deploymenttype: local
 mailfrom: admin@gnuviech-server.de
 adminemail: admin@gnuviech-server.de
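Review bot: `ldap_admin_password` and `gvaldap:django_secret_key` land in this pillar file as plaintext, so once pushed the LDAP admin credential and the Django signing key are readable by everyone with read access to the repository and remain in its history; the same holds for `mysql_admin_password`, `pgsql_admin_password` and the `slapd` and redis passwords in the neighbouring hunks. Treat every value in this commit as disclosed: rotate them and commit only ciphertext, either through Salt's GPG renderer (`#!yaml|gpg` as the file's first line with PGP-armoured values) or an external pillar backed by a secret store. A short comment at the top of the file would keep that policy visible to the next editor, e.g. `# Secret values below must be encrypted (gpg renderer); rotate on exposure.`. The `gvapgsql.sls` hunk additionally renames `postgresql_admin_user` to `pgsql_admin_user`; any state that still reads `gnuviechadmin:component:postgresql_admin_user` is outside this diff and would now render an empty value.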
@@ -18,6 +20,7 @@ gnuviechadmin:
 ldap_users_ou: users
 redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4
 redis_host: gva.local
+ django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=
 machines:
 gva.local:
 ip: 172.16.3.2
diff --git a/pillar/ldapserver.sls b/pillar/ldapserver.sls
new file mode 100644
index 0000000..7e34758
--- /dev/null
+++ b/pillar/ldapserver.sls
@@ -0,0 +1,2 @@
+slapd:
+ admin_password: W3HelITKNF1jR5YoCCsbQzkktf61ylXb8xEEAFqU
diff --git a/states/gnuviechadmin/celery-worker.service b/states/gnuviechadmin/celery-worker.service
new file mode 100644
index 0000000..6963b92
--- /dev/null
+++ b/states/gnuviechadmin/celery-worker.service
@@ -0,0 +1,12 @@
+[Unit]
+Description={{ description }}
+
+[Service]
+EnvironmentFile=-/etc/default/{{ appname }}
+ExecStart={{ virtualenv }}/bin/celery worker -A {{ celery_module }} -Q {{ amqpname }} --loglevel=INFO
+Restart=on-failure
+User={{ app_user }}
+WorkingDirectory={{ checkout }}/{{ appname }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/states/gnuviechadmin/gva/settings.sh b/states/gnuviechadmin/gva/settings.sh
index 5249d76..35fad76 100644
--- a/states/gnuviechadmin/gva/settings.sh
+++ b/states/gnuviechadmin/gva/settings.sh
@@ -10,7 +10,7 @@ export GVA_PGSQL_HOSTNAME="{{ salt['pillar.get']('gnuviechadmin:database:host')
 export GVA_PGSQL_PORT={{ salt['pillar.get']('gnuviechadmin:database:port') }}
 export GVA_DOMAIN_NAME="{{ salt['pillar.get']('gnuviechadmin:domainname') }}"
 export GVA_SITE_NAME="{{ salt['pillar.get']('gnuviechadmin:sitename') }}"
-export GVA_SITE_SECRET="{{ salt['grains.get_or_set_hash']('gnuviechadmin:SECRET_KEY', 50) }}"
+export GVA_SITE_SECRET="{{ salt['pillar.get']('gnuviechadmin:django_secret_key') }}"
 export GVA_SITE_ADMINMAIL="{{ salt['pillar.get']('gnuviechadmin:adminemail') }}"
 export GVA_MIN_OS_UID={{ salt['pillar.get']('gnuviechadmin:minosuid') }}
 export GVA_MIN_OS_GID={{ salt['pillar.get']('gnuviechadmin:minosgid') }}
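Review bot: `EnvironmentFile=-/etc/default/{{ appname }}` carries the leading `-`, which tells systemd to ignore a missing file, so if the env file is absent the worker starts without `GVALDAP_BROKER_URL` and its credentials and only fails later when Celery tries to connect; since the macro in this commit always manages that file, drop the dash (`EnvironmentFile=/etc/default/{{ appname }}`) so the unit fails fast and visibly. The unit also runs as `{{ app_user }}` with no sandboxing although the process holds the AMQP, redis and LDAP secrets; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` should be safe additions for a Python worker that only needs its checkout and venv (the stricter `ProtectSystem=strict` would need `ReadWritePaths=` for whatever the tasks write, which this diff does not show). A one-line comment above `[Service]` naming where the secrets come from, e.g. `# credentials are injected from /etc/default/<app>, managed 0640 root:root`, would help the next reader.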
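Review bot: replacing `grains.get_or_set_hash` with `pillar.get` for `GVA_SITE_SECRET` rotates the Django secret on every existing minion at the next highstate, which invalidates all sessions, signed cookies and password-reset tokens at once; if that is intended it belongs in the commit message, otherwise seed `gnuviechadmin:django_secret_key` from the value currently stored in each minion's grain before rolling this out. The old helper also generated a key when none existed, whereas `pillar.get` without a default renders an empty string, so a minion whose pillar lacks the key now exports `GVA_SITE_SECRET=""` instead of failing; guard the lookup so an empty value aborts the render (for example an `{% if not salt['pillar.get']('gnuviechadmin:django_secret_key') %}` check that fails the template) rather than silently weakening signing. The secret is written into a shell file, so the `file.managed` that renders settings.sh — outside this diff — must keep it unreadable to other local users.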
diff --git a/states/gnuviechadmin/gvaapp_macros.sls b/states/gnuviechadmin/gvaapp_macros.sls
new file mode 100644
index 0000000..69d8a71
--- /dev/null
+++ b/states/gnuviechadmin/gvaapp_macros.sls
@@ -0,0 +1,225 @@
+{% macro gvaapp_base(gvaappname, servicename) -%}
+include:
+- python.pipenv
+- python.virtualenv
+
+{% set app_home = salt['grains.get']('gnuviechadmin:home', '/home/{}'.format(gvaappname)) %}
+{% set app_user = salt['grains.get']('gnuviechadmin:user', gvaappname) %}
+{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
+{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
+
+{% set appfullname = 'GNUViech Admin {} User'.format(grains['gnuviechadmin']['fullname']) -%}
+{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
+{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
+{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
+{% set deployment_key = '{}/.ssh/id_deployment'.format(app_home) -%}
+
+{{ gvaappname }}-group:
+ group.present:
+ - name: {{ app_group }}
+
+{{ gvaappname }}-user:
+ user.present:
+ - name: {{ app_user }}
+ - home: {{ app_home }}
+ - shell: /bin/bash
+ - fullname: {{ appfullname }}
+ - groups:
+ - {{ app_group }}
+ alias.present:
+ - target: root
+
+gvabase-dependencies:
+ pkg.installed:
+ - name: build-essential
+
+{% if update_git %}
+{{ app_home }}/.ssh:
+ file.directory:
+ - user: {{ app_user }}
+ - group: {{ app_group }}
+ - mode: 0700
+ - require:
+ - user: {{ gvaappname }}-user
+
+SSH Deployment Key:
+ cmd.run:
+ - name: ssh-keygen -t ed25519 -C "Deployment key for {{ gvaappname }}" -N "" -f {{ deployment_key }}
+ - creates: {{ deployment_key }}
+ - runas: {{ app_user }}
+ - requires:
+ - file: {{ app_home }}/.ssh
+ - require_in:
+ git: {{ gitrepo }}
+
+SSH known hosts configuration:
+ file.managed:
+ - name: {{ app_home }}/.ssh/known_hosts
+ - user: {{ app_user }}
+ - group: {{ app_group }}
+ - mode: 0600
+ - contents_pillar: gnuviechadmin:ssh_known_hosts
+ - require:
+ - file: {{ app_home }}/.ssh
+ - require_in:
+ git: {{ gitrepo }}
+
+SSH configuration:
+ file.managed:
+ - name: {{ app_home }}/.ssh/config
+ - user: {{ app_user }}
+ - group: {{ app_group }}
+ - mode: 0600
+ - source: salt://gnuviechadmin/ssh_deploy_config
+ - template: jinja
+ - context:
+ key: {{ deployment_key }}
+ - require:
+ - file: {{ app_home }}/.ssh
+ - require_in:
+ git: {{ gitrepo }}
+{% endif %}
+
+{{ checkout }}:
+ file.directory:
+ - user: {{ app_user }}
+ - group: {{ app_group }}
+ - mode: 0755
+ - require:
+ - user: {{ gvaappname }}-user
+
+{% if update_git %}
+{{ gitrepo }}:
+ git.latest:
+ - user: {{ app_user }}
+ - target: {{ checkout }}
+ - rev: {{ salt['pillar.get']('gnuviechadmin:{}:git_branch'.format(gvaappname), 'production') }}
+ - require:
+ - file: {{ checkout }}
+ - watch_in:
+ - cmd: {{ gvaappname }}-requirements
+ - service: {{ servicename }}
+{% endif %}
+
+rm -rf {{ venv }}:
+ cmd.run:
+ - runas: {{ app_user }}
+ - unless: test -f {{ venv }}/bin/python3
+ - require:
+ - user: {{ gvaappname }}-user
+
+create-{{ gvaappname }}-venv:
+ cmd.run:
+ - name: python3 -m virtualenv --python=python3 {{ venv }}
+ - runas: {{ app_user }}
+ - unless: test -f {{ venv }}/bin/pip3
+ - require:
+ - user: {{ gvaappname }}-user
+ - python3-virtualenv-packages
+ - watch_in:
+ - cmd: update-{{ gvaappname }}-pip
+
+update-{{ gvaappname }}-pip:
+ cmd.wait:
+ - name: {{ venv }}/bin/python3 -m pip install -U pip
+ - runas: {{ app_user }}
+ - require:
+ - user: {{ gvaappname }}-user
+
+{{ venv }}:
+ file.directory:
+ - user: {{ app_user }}
+ - group: {{ app_group }}
+ - require:
+ - cmd: create-{{ gvaappname }}-venv
+ - watch_in:
+ - cmd: {{ gvaappname }}-requirements
+
+{{ gvaappname }}-requirements:
+ cmd.wait:
+ - name: /usr/local/bin/pipenv install --deploy
+ - runas: {{ app_user }}
+ - cwd: {{ checkout }}
+ - env:
+ - VIRTUAL_ENV: "{{ venv }}"
+ - PIPENV_HIDE_EMOJIS: 1
+ - PIPENV_NOSPIN: 1
+ - PIPENV_COLORBLIND: 1
+ - LC_ALL: C.UTF-8
+ - LANG: C.UTF-8
+ - require:
+ - cmd: install_pipenv
+ - file: {{ venv }}
+ {%- if update_git %}
+ - git: {{ gitrepo }}
+ {%- else %}
+ - file: {{ checkout }}
+ {%- endif %}
+ - pkg: gvabase-dependencies
+ - unless: test $(find {{ venv }} -type f -cnewer Pipfile.lock \! -name '*.pyc'|wc -l) -gt 0
+ - watch_in:
+ - service: {{ servicename }}
+{% endmacro %}
+
+{% macro create_celery_worker(gvaappname, purpose) %}
+{% set app_home = salt['grains.get']('gnuviechadmin:home', '/home/{}'.format(gvaappname)) %}
+{% set app_user = salt['grains.get']('gnuviechadmin:user', gvaappname) %}
+{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
+
+{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
+{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
+{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
+{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
+
+{% set servicename = gvaappname + "-celery-worker" %}
+{% set amqp_user = grains['gnuviechadmin']['amqpuser'] -%}
+{{ gvaapp_base(gvaappname, servicename ) }}
+/etc/default/{{ gvaappname }}:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0640
+ - source: salt://gnuviechadmin/{{ gvaappname }}/celery-worker.env
+ - template: jinja
+ - context:
+ virtualenv: {{ venv }}
+ checkout: {{ checkout }}
+ broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:' + amqp_user + ':password') }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }}
+ - watch_in:
+ - service: {{ servicename }}
+
+/etc/systemd/system/{{ servicename }}.service:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 0640
+ - source: salt://gnuviechadmin/celery-worker.service
+ - template: jinja
+ - context:
+ virtualenv: {{ venv }}
+ checkout: {{ checkout }}
+ app_user: {{ app_user }}
+ appname: {{ gvaappname }}
+ celery_module: {{ salt['pillar.get']('gnuviechadmin:{}:celery_module'.format(gvaappname), gvaappname) }}
+ amqpname: {{ amqp_user }}
+ description: Gnuviechadmin celery worker {{ purpose|default(gvaappname) }}
+ - watch_in:
+ - service: {{ servicename }}
+
+{{ servicename }}:
+ service.running:
+ - enable: True
+ - require:
+ - file: {{ venv }}
+ {%- if update_git %}
+ - git: {{ gitrepo }}
+ {%- else %}
+ - file: {{ checkout }}
+ {%- endif %}
+ - file: /etc/systemd/system/{{ servicename }}.service
+ - watch:
+ - cmd: {{ gvaappname }}-requirements
+ {%- if update_git %}
+ - git: {{ gitrepo }}
+ {%- endif %}
+{% endmacro %}
diff --git a/states/gnuviechadmin/gvaldap.sls b/states/gnuviechadmin/gvaldap.sls
index 3832763..7b27170 100644
--- a/states/gnuviechadmin/gvaldap.sls
+++ b/states/gnuviechadmin/gvaldap.sls
@@ -1,15 +1,15 @@
-include:
- - gnuviechadmin.base
- - gnuviechadmin.django
- - gnuviechadmin.celery
+{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %}
+{% set purpose = "for LDAP data management" %}
+{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
+{{ create_celery_worker(gvaappname, purpose) }}
-gvaldap-packages:
+{{ gvaappname }}-dependencies:
 pkg.installed:
 - pkgs:
 - libldap2-dev
 - libsasl2-dev
 - require_in:
- - pkg: gnuviechadmin-packages
+ - cmd: {{ gvaappname }}-requirements
 base-ldap-objects:
 cmd.script:
diff --git a/states/gnuviechadmin/gvaldap/celery-worker.env b/states/gnuviechadmin/gvaldap/celery-worker.env
new file mode 100644
index 0000000..4f07a9d
--- /dev/null
+++ b/states/gnuviechadmin/gvaldap/celery-worker.env
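Review bot: the `SSH Deployment Key` state spells its requisite `- requires:`; Salt does not recognise that keyword and passes it to `cmd.run` as a function argument, so the state errors out (or, at best, the ordering after `{{ app_home }}/.ssh` is silently lost) — change it to `- require:`. In that state and the two `file.managed` states after it, `require_in:` is written as a mapping (`git: {{ gitrepo }}`) rather than the documented list form `- git: {{ gitrepo }}`; worth verifying on the target Salt version, since a malformed requisite aborts the whole macro. `git.latest` follows a branch (`git_branch`, default `production`) and the result is executed as `{{ app_user }}` by the celery worker, so whoever can push to that branch — or impersonate the git host, which the `ssh_known_hosts` pin only mitigates for the SSH URL — gets code execution on the minion; pinning a tag or commit in pillar, or documenting that branch-tracking is the intended trust model, would make that explicit. The deployment key is generated with `-N ""`, which is the usual choice for unattended pulls but means `{{ deployment_key }}` is an unencrypted credential under `{{ app_home }}/.ssh`; a comment above the state saying so, e.g. `# passphrase-less key: read access to app_home is read access to the repo`, is worth adding.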
@@ -0,0 +1,13 @@
+DJANGO_SETTINGS_MODULE="gvaldap.settings"
+GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
+GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}"
+GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
+GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
+GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
+GVALDAP_BROKER_URL="{{ broker_url }}"
+GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
+GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
+GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
+GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
+GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}"
+GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
diff --git a/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh b/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
index 748753b..50e7ec9 100644
--- a/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
+++ b/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
@@ -6,6 +6,7 @@ set -e
 {% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
 {% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
 {% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %}
 # setup password hashing for cleartext input
 ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
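Review bot: `GVALDAP_RESULTS_REDIS_URL` reads `gnviechadmin:redis_password` (the `u` is missing), so the redis password renders as an empty string and the results backend URL becomes `redis://:@<host>/0`; fix the key to `gnuviechadmin:redis_password`. Every other lookup uses a `gnuviechadmin-gvaldap:` namespace (`ldap_password`, `django_secret_key`, `allowed_hosts`, …) while the pillar changed in this same commit stores those values under `gnuviechadmin:gvaldap:` and `gnuviechadmin:component:`; unless a `gnuviechadmin-gvaldap` pillar exists outside this diff, `GVALDAP_SECRETKEY` and `GVALDAP_LDAP_PASSWORD` will be empty in the rendered env file, which Django and the LDAP bind would presumably only reject at runtime. Because this file carries several secrets once rendered, a header comment such as `# rendered with credentials; managed 0640 root:root by gvaapp_macros` would stop a later edit from loosening the mode without noticing.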
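Review bot: `ldap_admin_password` is now pulled into the script as a Jinja variable, and in the existing script the admin bind password is handed to `ldapmodify` via `-w '…'` on the command line, where it is visible to every local user in the process list for the duration of the call; how the new variable is used is outside this hunk, but if it goes the same way, prefer `-y` with a mode-0600 temporary file (created with `mktemp` and removed by a `trap`) or a process substitution. The rendered script itself embeds the secret, so the `cmd.script` state that runs it — outside this diff — should not leave a world-readable copy in the minion cache.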
@@ -48,7 +49,7 @@ olcAccess: {4}to *
 EOD
 # add OUs, groups and ldapadmin user
-ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd:password", 16) }}' <