Move some of the gvaldap and gvaweb data to pillars

This commit is contained in:
Jan Dittberner 2020-03-04 14:03:35 +01:00
parent 2da305fb5f
commit dd43bd4b31
15 changed files with 79 additions and 63 deletions


@ -0,0 +1,9 @@
include:
- gnuviechadmin
- gnuviechadmin.queues.common
gnuviechadmin:
appname: gva
gva:
django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=
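Review bot: The Django SECRET_KEY on the last line is a plain scalar in a pillar file committed to git, so it is now part of the repository history and readable by anyone who can read the pillar tree on the master; Salt pillars are not encrypted at rest. Wrap the value with the GPG renderer (`#!yaml|gpg` as the first line of this file, the ciphertext as a `|` block scalar) or serve it from an external pillar, and rotate this key since the current value is already in history. The same applies to the LDAP admin password and Redis password this commit moves into pillar files.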


@ -2,17 +2,22 @@ include:
- gnuviechadmin
- gnuviechadmin.queues.common
- gnuviechadmin.queues.gvaldap
- ldapserver
gnuviechadmin:
component:
name: gvaldap
amqp_user: ldap
ldap_admin_user: ldapadmin
ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
allowed_hosts: 127.0.0.1,gvaldap.local,localhost
appname: gvaldap
server_email: gvaldap@gnuviech-server.de
admin_email: jan@dittberner.info
admin_name: Jan Dittberner
gvaldap:
git_url: https://git.dittberner.info/gnuviech/gvaldap.git
git_branch: master
ldap_groups_ou: groups
ldap_users_ou: users
allowed_hosts: localhost,ldap
amqp_user: ldap
celery_module: ldaptasks
django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU=
fullname: LDAP
git_branch: master
git_url: https://git.dittberner.info/gnuviech/gvaldap.git
ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
ldap_admin_user: ldapadmin
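Review bot: `allowed_hosts: localhost,ldap` drops `127.0.0.1` and `gvaldap.local` from what the old value allowed, and this key feeds Django's ALLOWED_HOSTS via `GVALDAP_ALLOWED_HOSTS`; any client that addresses the app by IP (a local health check, or a proxy that forwards the literal address as `Host`) will get HTTP 400 from Django. If that is intended, a comment above the key would save the next reader a round trip: `# Django ALLOWED_HOSTS; must list every Host header the reverse proxy forwards`. The pillar file continues above this hunk.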


@ -4,10 +4,10 @@ include:
- gnuviechadmin.queues.gvaweb
gnuviechadmin:
component:
name: gvaweb
amqp_user: web
appname: gvaweb
gvaweb:
amqp_user: web
fullname: Web
git_url: https://git.dittberner.info/gnuviech/gvaweb.git
git_branch: master
celery_module: webtasks
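Review bot: `git_branch: master` together with `git_url` means each highstate deploys whatever the tip of the upstream branch is at that moment (the app macro enables `update_git` by default), so the code running on the web host is only as trustworthy as the remote at deploy time. Pin production deployments to a release tag or commit, e.g. `git_branch: <release-tag>` with a comment `# pin: deployed revision, bump deliberately`, and if the upstream signs tags, verify the signature in the checkout state. The same applies to the gvaldap pillar in this commit.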


@ -1,3 +1,6 @@
include:
- gnuviechadmin.redis
gnuviechadmin:
ssh_known_hosts: |
nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA=
@ -12,15 +15,12 @@ gnuviechadmin:
osuserprefix: usr
osuserhomedirbase: /home
osuserdefaultshell: /usr/bin/rssh
uploadserver: gvafile.local
ldap_domain: gva.local
ldap_url: ldap://gvaldap.local
uploadserver: file
ldap_base_dn: dc=gva,dc=local
ldap_groups_ou: groups
ldap_users_ou: users
redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4
redis_host: gva.local
django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=
ldap_base_dn_groups: ou=groups,dc=gva,dc=local
ldap_base_dn_users: ou=groups,dc=gva,dc=local
ldap_domain: gva.local
ldap_url: ldap://ldap
machines:
gva.local:
ip: 172.16.3.2
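Review bot: `ldap_base_dn_users: ou=groups,dc=gva,dc=local` points at the same subtree as `ldap_base_dn_groups`, so `GVALDAP_BASEDN_USER` in the gvaldap env file will send user lookups and user creation to the groups OU; it should read `ldap_base_dn_users: ou=users,dc=gva,dc=local`, consistent with `ldap_users_ou: users` in the gvaldap pillar. Hand-writing both the OU names and the full DNs invites exactly this drift; deriving the DNs from `ldap_users_ou`/`ldap_groups_ou` plus `ldap_base_dn` in the template would leave one source of truth. Separately, `ldap_url: ldap://ldap` is a cleartext connection over which the admin bind password travels; unless `ldap` resolves to the local host, use `ldaps://` or enforce STARTTLS. The `machines:` mapping continues past this hunk.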


@ -0,0 +1,3 @@
gnuviechadmin:
redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4
redis_host: mq
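Review bot: This file is pulled in by the base `gnuviechadmin` pillar (`include: - gnuviechadmin.redis` in the gnuviechadmin/init.sls hunk), and top.sls assigns that pillar to `'*'`, so the Redis password reaches every minion in the environment, not just the hosts that run a worker or the Redis server — the separate `redis` role target in top.sls is redundant with that include. Drop the include from the base pillar and let the `gva*` role pillars (and the redis role) include it themselves, so the credential only lands on minions that need it. As with the other secrets in this commit, the value should be GPG-wrapped rather than stored as a plain scalar.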


@ -1,12 +1,10 @@
base:
'*':
- gnuviechadmin
{% for role in ('database', 'queues', 'webinterface', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %}
{%- for role in ('database', 'redis', 'queues', 'gva', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %}
'roles:gnuviechadmin.{{ role }}':
- match: grain
- gnuviechadmin.{{ role }}
{% endfor %}
{% for role in ('fileserver', 'ldapclient') %}
{% for role in ('fileserver', 'ldapserver', 'ldapclient') %}
'roles:{{ role }}':
- match: grain
- {{ role }}
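Review bot: Pillar targeting by `match: grain` on `roles:…` hands out the role pillars — which after this commit carry the LDAP admin password, Django secret keys and the Redis password — based on a value the minion itself reports, and grains are set by whoever controls the minion. A compromised or misconfigured minion that sets `roles: [gnuviechadmin.gvaldap]` would receive the gvaldap secrets; Salt's own documentation warns against targeting sensitive pillar data by grain for this reason. Target these entries by minion id (glob or pcre, e.g. `'ldap.*': - match: pcre`) or by nodegroup, and keep grain matching for non-sensitive data only.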


@ -1,6 +1,3 @@
deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main:
pkgrepo.absent
debian-repo:
pkgrepo.managed:
- humanname: Debian
@ -19,6 +16,11 @@ debian-security-repo:
- name: deb http://security.debian.org/ {{ salt['grains.get']('oscodename', 'buster') }}/updates main
- file: /etc/apt/sources.list
httpredir-debian-repo:
pkgrepo.absent:
- name: deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main
- file: /etc/apt/sources.list
backports-repo:
pkgrepo.managed:
- humanname: Debian backports


@ -4,7 +4,7 @@
{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
{% set appfullname = 'GNUViech Admin {} User'.format(grains['gnuviechadmin']['fullname']) -%}
{% set appfullname = 'GNUViech Admin {} User'.format(salt['pillar.get']('gnuviechadmin:{}:fullname'.format(gvaappname))) -%}
{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
@ -46,7 +46,7 @@ SSH Deployment Key:
- requires:
- file: {{ app_home }}/.ssh
- require_in:
git: {{ gitrepo }}
- git: {{ gitrepo }}
SSH known hosts configuration:
file.managed:
@ -58,7 +58,7 @@ SSH known hosts configuration:
- require:
- file: {{ app_home }}/.ssh
- require_in:
git: {{ gitrepo }}
- git: {{ gitrepo }}
SSH configuration:
file.managed:
@ -73,7 +73,7 @@ SSH configuration:
- require:
- file: {{ app_home }}/.ssh
- require_in:
git: {{ gitrepo }}
- git: {{ gitrepo }}
{% endif %}
{{ checkout }}:
@ -167,8 +167,8 @@ update-{{ gvaappname }}-pip:
{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
{% set servicename = gvaappname + "-celery-worker" %}
{% set amqp_user = grains['gnuviechadmin']['amqpuser'] -%}
{% set servicename = "{}-celery-worker".format(gvaappname) %}
{% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqpuser'.format(gvaappname)) -%}
{{ gvaapp_base(gvaappname, servicename ) }}
/etc/default/{{ gvaappname }}:
file.managed:
@ -180,14 +180,15 @@ update-{{ gvaappname }}-pip:
- context:
virtualenv: {{ venv }}
checkout: {{ checkout }}
broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:' + amqp_user + ':password') }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }}
broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:{}:password'.format(amqp_user)) }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }}
result_url: redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0
- watch_in:
- service: {{ servicename }}
/etc/systemd/system/{{ servicename }}.service:
file.managed:
- user: root
- group: root
- group: {{ app_group }}
- mode: 0640
- source: salt://gnuviechadmin/celery-worker.service
- template: jinja
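Review bot: The worker macro reads `gnuviechadmin:<app>:amqpuser`, but the pillar files in this commit define the key as `amqp_user` (`gvaldap: amqp_user: ldap`, `gvaweb: amqp_user: web`), so `pillar.get` returns an empty string and `broker_url` renders as `amqp://:@mq/<vhost>` with the password looked up under `gnuviechadmin-queues:users::password`. Change the lookup to `{% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqp_user'.format(gvaappname)) -%}` (or rename the pillar keys), and since a silent empty default produces a broken but valid-looking URL, guard it with `{% if not amqp_user %}` and a failing render so the mistake surfaces at state compile time rather than in the worker log. The `create_celery_worker` macro starts before and continues after this hunk.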


@ -1,4 +1,4 @@
{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %}
{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
{% set purpose = "for LDAP data management" %}
{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
include:
@ -20,4 +20,4 @@ base-ldap-objects:
- source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
- template: jinja
- runas: root
- unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries
- unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}" | grep -q numEntries
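Review bot: This state already knows it is the gvaldap state, yet it now reads its own name from the shared key `gnuviechadmin:appname`, which gva.sls and gvaweb.sls also set; pillar data from all matched SLS files is merged into one dict, so a minion that carries more than one `roles:gnuviechadmin.*` grain renders this file with whichever pillar merged last. Presumably the roles are meant to be exclusive, but `{% set gvaappname = 'gvaldap' %}` removes the dependency entirely and cannot be wrong. The `base-ldap-objects` state on the last line starts above this hunk.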


@ -1,13 +1,13 @@
DJANGO_SETTINGS_MODULE="gvaldap.settings"
GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}"
GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin:admin_email') }}"
GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin:admin_name') }}"
GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin:gvaldap:allowed_hosts') }}"
GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_groups') }}"
GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_users') }}"
GVALDAP_BROKER_URL="{{ broker_url }}"
GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}"
GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
GVALDAP_RESULTS_REDIS_URL="{{ result_url }}"
GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password' ) }}"
GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}"
GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}"
GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin:gvaldap:django_secret_key') }}"
GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin:server_email') }}"
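Review bot: This template now concentrates the LDAP admin bind password, the Django secret key and the broker and Redis credentials in one file under `/etc/default/`, a directory whose files are world-readable by convention on Debian; the `file.managed` that writes it lives in gvaapp_macros.sls and its `mode` is not visible in this diff, so confirm it is `0640` with the app group, matching the `0640` this commit sets on the unit file. Also worth confirming that the service consumes it through `EnvironmentFile=` rather than sourcing it in a shell: the values are double-quoted, so a secret containing `$` or a backquote would be expanded by a shell but taken literally by systemd.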


@ -3,10 +3,10 @@
set -e
{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %}
{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') %}
{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password') %}
{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_groups_ou') %}
{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_users_ou') %}
# setup password hashing for cleartext input
ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
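Review bot: `ldap_admin_password` is rendered into this script, and `cmd.script` with `template: jinja` caches the rendered copy under the minion's cachedir before executing it, so the cleartext directory-admin password persists on disk after the state has run unless the cache is cleaned. Pass it via the state's `env:` option and read `"$LDAP_ADMIN_PASSWORD"` in the script instead of interpolating it, and keep any `set -x` out of this script so the value does not end up in state output or the minion log. The commands that consume these variables are below this hunk.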


@ -1,4 +1,4 @@
{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %}
{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
{% set purpose = "for website configuration management" %}
{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
include:
@ -13,5 +13,8 @@ include:
- user: root
- group: root
- source: salt://gnuviechadmin/{{ gvaappname }}/sudoers
- template: jinja
- context:
app_user: {{ salt['grains.get']('gnuviechadmin:user', gvaappname) }}
- require:
- pkg: sudo
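Review bot: The sudoers drop-in is now rendered from a template with a grain-derived `app_user`, but the `file.managed` (its first lines are above this hunk) shows no `check_cmd` and no `mode`; a rendering mistake or an unexpected grain value writes a malformed file, and sudo refuses to load a `/etc/sudoers.d` file that is not mode 0440 — either way the worker's privileged commands stop working, or, if this is the main sudoers, sudo as a whole breaks. Add `- mode: 0440` and `- check_cmd: /usr/sbin/visudo -cf` so Salt validates the rendered file before replacing the live one. Since grains are minion-controlled, also consider validating `app_user` in the template (a value containing whitespace or `ALL` changes the rule's meaning).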


@ -1,6 +1,5 @@
GVAWEB_BROKER_URL="{{ broker_url }}"
GVAWEB_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}"
GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}"
GVAWEB_PHPFPM_POOL="{{ salt['pillar.get']('gnuviechadmin-gvaweb:phpfpm_pool', '/etc/php5/fpm/pool.d') }}"
GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin-gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"
GVAWEB_RESULTS_REDIS_URL="{{ result_url }}"
GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}"
GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}"
GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin:gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"


@ -1,3 +1,3 @@
Cmnd_Alias GVAWEB_CMDS = /usr/bin/install, /bin/rm, /bin/ln, /bin/systemctl
gvaweb ALL = (root) NOPASSWD: GVAWEB_CMDS
{{ app_user }} ALL = (root) NOPASSWD: GVAWEB_CMDS
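Review bot: The rule on the last line gives the app user passwordless root for `/usr/bin/install`, `/bin/rm`, `/bin/ln` and `/bin/systemctl` with no argument restrictions, which is unrestricted root in practice: `install` writes any file with any owner and mode (a new sudoers drop-in, for instance), `ln` and `rm` replace or delete arbitrary paths, and `systemctl` can start or link any unit. The user is the Celery worker for gvaweb, so a compromise of the worker — or of anything that can publish to its queue — becomes root on the web host. Restrict each entry to the exact invocations the worker uses, presumably something like `/bin/systemctl reload nginx.service` and `/usr/bin/install -m 0644 * <sites-available>/*` with the path taken from the `gnuviechadmin:gvaweb:nginx_sites_available` pillar now that the file is a Jinja template; note that `*` in sudoers also matches spaces, so a root-owned wrapper script that validates its single site-name argument is the safer design.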


@ -37,7 +37,7 @@ fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
@ -111,7 +111,3 @@ if ! shopt -oq posix; then
. /etc/bash_completion
fi
fi
if [ -f ~/.bash_functions ]; then
. ~/.bash_functions
fi