diff --git a/pillar/gnuviechadmin/gva.sls b/pillar/gnuviechadmin/gva.sls new file mode 100644 index 0000000..cb455b2 --- /dev/null +++ b/pillar/gnuviechadmin/gva.sls @@ -0,0 +1,9 @@ +include: + - gnuviechadmin + - gnuviechadmin.queues.common + +gnuviechadmin: + appname: gva + gva: + django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8= + diff --git a/pillar/gnuviechadmin/gvaldap.sls b/pillar/gnuviechadmin/gvaldap.sls index c10a272..27199f7 100644 --- a/pillar/gnuviechadmin/gvaldap.sls +++ b/pillar/gnuviechadmin/gvaldap.sls @@ -2,17 +2,22 @@ include: - gnuviechadmin - gnuviechadmin.queues.common - gnuviechadmin.queues.gvaldap - - ldapserver gnuviechadmin: - component: - name: gvaldap - amqp_user: ldap - ldap_admin_user: ldapadmin - ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz allowed_hosts: 127.0.0.1,gvaldap.local,localhost + appname: gvaldap + server_email: gvaldap@gnuviech-server.de + admin_email: jan@dittberner.info + admin_name: Jan Dittberner gvaldap: - git_url: https://git.dittberner.info/gnuviech/gvaldap.git - git_branch: master + ldap_groups_ou: groups + ldap_users_ou: users + allowed_hosts: localhost,ldap + amqp_user: ldap celery_module: ldaptasks django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU= + fullname: LDAP + git_branch: master + git_url: https://git.dittberner.info/gnuviech/gvaldap.git + ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz + ldap_admin_user: ldapadmin diff --git a/pillar/gnuviechadmin/gvaweb.sls b/pillar/gnuviechadmin/gvaweb.sls index 0174010..6c4dfd1 100644 --- a/pillar/gnuviechadmin/gvaweb.sls +++ b/pillar/gnuviechadmin/gvaweb.sls @@ -4,10 +4,10 @@ include: - gnuviechadmin.queues.gvaweb gnuviechadmin: - component: - name: gvaweb - amqp_user: web + appname: gvaweb gvaweb: + amqp_user: web + fullname: Web git_url: https://git.dittberner.info/gnuviech/gvaweb.git git_branch: master celery_module: webtasks 
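Review bot: In pillar/gnuviechadmin/gvaldap.sls the top-level `allowed_hosts: 127.0.0.1,gvaldap.local,localhost` is kept as context while the new `gvaldap: allowed_hosts: localhost,ldap` is what states/gnuviechadmin/gvaldap/celery-worker.env reads through `gnuviechadmin:gvaldap:allowed_hosts`, so the top-level key looks orphaned and the two lists disagree about which hosts the Django app accepts. If nothing else consumes the top-level key it should be dropped, or the two values reconciled, so a reader does not assume 127.0.0.1 and gvaldap.local are still allowed. The `- ldapserver` include removed here is presumably replaced by the grain-role assignment added to pillar/top.sls; a one-line comment near the include block, such as `# ldapserver pillar is assigned via roles grain in top.sls`, would make that explicit.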
diff --git a/pillar/gnuviechadmin/init.sls b/pillar/gnuviechadmin/init.sls index 86b9378..4d088d0 100644 --- a/pillar/gnuviechadmin/init.sls +++ b/pillar/gnuviechadmin/init.sls @@ -1,3 +1,6 @@ +include: + - gnuviechadmin.redis + gnuviechadmin: ssh_known_hosts: | nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA= @@ -12,15 +15,12 @@ gnuviechadmin: osuserprefix: usr osuserhomedirbase: /home osuserdefaultshell: /usr/bin/rssh - uploadserver: gvafile.local - ldap_domain: gva.local - ldap_url: ldap://gvaldap.local + uploadserver: file ldap_base_dn: dc=gva,dc=local - ldap_groups_ou: groups - ldap_users_ou: users - redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4 - redis_host: gva.local - django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8= + ldap_base_dn_groups: ou=groups,dc=gva,dc=local + ldap_base_dn_users: ou=groups,dc=gva,dc=local + ldap_domain: gva.local + ldap_url: ldap://ldap machines: gva.local: ip: 172.16.3.2 diff --git a/pillar/gnuviechadmin/redis.sls b/pillar/gnuviechadmin/redis.sls new file mode 100644 index 0000000..97bf6b0 --- /dev/null +++ b/pillar/gnuviechadmin/redis.sls @@ -0,0 +1,3 @@ +gnuviechadmin: + redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4 + redis_host: mq diff --git a/pillar/top.sls b/pillar/top.sls index 5182dfa..c02ea47 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
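Review bot: The new `include: - gnuviechadmin.redis` at the top of pillar/gnuviechadmin/init.sls delivers `redis_password` to every minion that receives the base gnuviechadmin pillar, not only to the roles whose workers render `result_url`; the role pillars visible here (gva, gvaldap, gvaweb) all include `gnuviechadmin`, and pillar/top.sls additionally assigns `gnuviechadmin.redis` by the `redis` role. If the password is only needed on the worker and redis hosts, including `gnuviechadmin.redis` from those role pillars instead of from init.sls would keep it off the database and file-server minions; if every role really needs it, a comment such as `# redis credentials are needed by every celery worker's result backend` would document that. Whether the other role pillars include `gnuviechadmin` is not visible in this diff.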
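Review bot: `ldap_base_dn_users` in the second pillar/gnuviechadmin/init.sls hunk is set to `ou=groups,dc=gva,dc=local`, the same value as `ldap_base_dn_groups`, so the `GVALDAP_BASEDN_USER` rendered from it in states/gnuviechadmin/gvaldap/celery-worker.env will point user lookups and writes at the groups OU. It should read `ldap_base_dn_users: ou=users,dc=gva,dc=local`, matching `ldap_users_ou: users` in pillar/gnuviechadmin/gvaldap.sls. Since `ldap_groups_ou`/`ldap_users_ou` and these two DNs are now maintained in separate pillar files, a comment on the DN lines saying they must agree with the OU names would reduce the chance of the same drift recurring.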
@@ -1,12 +1,10 @@ base: - '*': - - gnuviechadmin -{% for role in ('database', 'queues', 'webinterface', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %} +{%- for role in ('database', 'redis', 'queues', 'gva', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %} 'roles:gnuviechadmin.{{ role }}': - match: grain - gnuviechadmin.{{ role }} {% endfor %} -{% for role in ('fileserver', 'ldapclient') %} +{% for role in ('fileserver', 'ldapserver', 'ldapclient') %} 'roles:{{ role }}': - match: grain - {{ role }} diff --git a/states/base/init.sls b/states/base/init.sls index 960e4bd..754837f 100644 --- a/states/base/init.sls +++ b/states/base/init.sls @@ -1,6 +1,3 @@ -deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main: - pkgrepo.absent - debian-repo: pkgrepo.managed: - humanname: Debian @@ -19,6 +16,11 @@ debian-security-repo: - name: deb http://security.debian.org/ {{ salt['grains.get']('oscodename', 'buster') }}/updates main - file: /etc/apt/sources.list +httpredir-debian-repo: + pkgrepo.absent: + - name: deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main + - file: /etc/apt/sources.list + backports-repo: pkgrepo.managed: - humanname: Debian backports diff --git a/states/gnuviechadmin/gvaapp_macros.sls b/states/gnuviechadmin/gvaapp_macros.sls index a4a15e4..6c8ae9f 100644 --- a/states/gnuviechadmin/gvaapp_macros.sls +++ b/states/gnuviechadmin/gvaapp_macros.sls 
@@ -4,7 +4,7 @@ {% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %} {% set venv = "{}/{}-venv".format(app_home, gvaappname) -%} -{% set appfullname = 'GNUViech Admin {} User'.format(grains['gnuviechadmin']['fullname']) -%} +{% set appfullname = 'GNUViech Admin {} User'.format(salt['pillar.get']('gnuviechadmin:{}:fullname'.format(gvaappname))) -%} {% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %} {% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%} {% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%} @@ -46,7 +46,7 @@ SSH Deployment Key: - requires: - file: {{ app_home }}/.ssh - require_in: - git: {{ gitrepo }} + - git: {{ gitrepo }} SSH known hosts configuration: file.managed: @@ -58,7 +58,7 @@ SSH known hosts configuration: - require: - file: {{ app_home }}/.ssh - require_in: - git: {{ gitrepo }} + - git: {{ gitrepo }} SSH configuration: file.managed: @@ -73,7 +73,7 @@ SSH configuration: - require: - file: {{ app_home }}/.ssh - require_in: - git: {{ gitrepo }} + - git: {{ gitrepo }} {% endif %} {{ checkout }}: @@ -167,8 +167,8 @@ update-{{ gvaappname }}-pip: {% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%} {% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %} -{% set servicename = gvaappname + "-celery-worker" %} -{% set amqp_user = grains['gnuviechadmin']['amqpuser'] -%} +{% set servicename = "{}-celery-worker".format(gvaappname) %} +{% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqpuser'.format(gvaappname)) -%} {{ gvaapp_base(gvaappname, servicename ) }} /etc/default/{{ gvaappname }}: file.managed: 
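Review bot: The new `appfullname` lookup in the `-4,7` hunk of states/gnuviechadmin/gvaapp_macros.sls has no default, so a role pillar that lacks `gnuviechadmin:<app>:fullname` renders the user's comment field as `GNUViech Admin  User` with no error; the previous grain-based version had the same property, but the move to pillar is a good moment to decide. Either pass `gvaappname` as the fallback, `salt['pillar.get']('gnuviechadmin:{}:fullname'.format(gvaappname), gvaappname)`, or keep the key mandatory and say so in a comment above the line. The enclosing macro starts before this hunk.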
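Review bot: `amqp_user` in the `-167,8` hunk is read from `gnuviechadmin:<app>:amqpuser`, but the keys added in pillar/gnuviechadmin/gvaldap.sls and pillar/gnuviechadmin/gvaweb.sls are spelled `amqp_user`; with no default, `pillar.get` returns an empty value, and the `broker_url` built in the following hunk becomes `amqp://:@mq/...` with the password looked up under `gnuviechadmin-queues:users::password`. Change the line to `{% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqp_user'.format(gvaappname)) -%}` (or rename the pillar keys, but the pillar spelling matches the rest of this commit). A failed lookup here surfaces only as a broker authentication error at service start, so a short comment naming the pillar key the macro expects would help. The `create_celery_worker` macro this belongs to starts before and ends after the hunk.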
@@ -180,14 +180,15 @@ update-{{ gvaappname }}-pip: - context: virtualenv: {{ venv }} checkout: {{ checkout }} - broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:' + amqp_user + ':password') }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }} + broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:{}:password'.format(amqp_user)) }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }} + result_url: redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0 - watch_in: - service: {{ servicename }} /etc/systemd/system/{{ servicename }}.service: file.managed: - user: root - - group: root + - group: {{ app_group }} - mode: 0640 - source: salt://gnuviechadmin/celery-worker.service - template: jinja diff --git a/states/gnuviechadmin/gvaldap.sls b/states/gnuviechadmin/gvaldap.sls index 563a32b..b7da1f0 100644 --- a/states/gnuviechadmin/gvaldap.sls +++ b/states/gnuviechadmin/gvaldap.sls @@ -1,4 +1,4 @@ -{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %} +{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %} {% set purpose = "for LDAP data management" %} {% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %} include: @@ -20,4 +20,4 @@ base-ldap-objects: - source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh - template: jinja - runas: root - - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries + - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}" | grep -q numEntries diff --git a/states/gnuviechadmin/gvaldap/celery-worker.env b/states/gnuviechadmin/gvaldap/celery-worker.env index 4f07a9d..fda5f01 100644 
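Review bot: The new `result_url` context value places the Redis password, alongside the AMQP password already in `broker_url`, into the rendered `/etc/default/{{ gvaappname }}`, but that state's `user`/`group`/`mode` lines are outside this hunk, so it is not visible whether the file is protected like the unit file below (`root:{{ app_group }}` with `mode: 0640`); please confirm it is not world-readable. The unit file's group is switched from `root` to `{{ app_group }}` with no stated reason; a comment such as `# group-readable so the app account can read its own unit file` (if that is the intent) would keep the next maintainer from reverting it. The `create_celery_worker` macro starts before this hunk.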
--- a/states/gnuviechadmin/gvaldap/celery-worker.env
+++ b/states/gnuviechadmin/gvaldap/celery-worker.env
@@ -1,13 +1,13 @@
 DJANGO_SETTINGS_MODULE="gvaldap.settings"
-GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
-GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}"
-GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
-GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
-GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
+GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin:admin_email') }}"
+GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin:admin_name') }}"
+GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin:gvaldap:allowed_hosts') }}"
+GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_groups') }}"
+GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_users') }}"
 GVALDAP_BROKER_URL="{{ broker_url }}"
-GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
-GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
-GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
-GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
-GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}"
-GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
+GVALDAP_RESULTS_REDIS_URL="{{ result_url }}"
+GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password' ) }}"
+GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}"
+GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}"
+GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin:gvaldap:django_secret_key') }}"
+GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin:server_email') }}"
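Review bot: `GVALDAP_LDAP_USER` and `GVALDAP_LDAP_PASSWORD` now bind the worker with `gnuviechadmin:gvaldap:ldap_admin_user`/`ldap_admin_password`, the same account states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh uses to bootstrap the directory, so a compromise of the worker's environment file yields directory-admin rights rather than rights over `ou=users`/`ou=groups` only. A dedicated service bind DN limited to those OUs, carried in its own pillar keys, would keep the admin credential on the bootstrap path alone; if sharing the account is deliberate, a comment above these two lines saying so would stop the next reader from splitting them. `GVALDAP_BASEDN_USER` also inherits whatever `gnuviechadmin:ldap_base_dn_users` holds in pillar/gnuviechadmin/init.sls, so that value deserves a second look.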
diff --git a/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh b/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh index 50e7ec9..7f1e0ad 100644 --- a/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh +++ b/states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh @@ -3,10 +3,10 @@ set -e {% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %} -{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %} -{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %} -{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %} -{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %} +{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') %} +{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password') %} +{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_groups_ou') %} +{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_users_ou') %} # setup password hashing for cleartext input ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif diff --git a/states/gnuviechadmin/gvaweb.sls b/states/gnuviechadmin/gvaweb.sls index cbcf1fd..873cf29 100644 --- a/states/gnuviechadmin/gvaweb.sls +++ b/states/gnuviechadmin/gvaweb.sls @@ -1,4 +1,4 @@ -{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %} +{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %} {% set purpose = "for website configuration management" %} {% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %} include: @@ -13,5 +13,8 @@ include: - user: root - group: root - source: salt://gnuviechadmin/{{ gvaappname }}/sudoers + - template: jinja + - context: + app_user: {{ salt['grains.get']('gnuviechadmin:user', gvaappname) }} - require: - pkg: sudo 
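Review bot: The sudoers state in states/gnuviechadmin/gvaweb.sls now renders `app_user` from the `gnuviechadmin:user` grain straight into the `NOPASSWD` rule in states/gnuviechadmin/gvaweb/sudoers, and the state carries no syntax check; grains are minion-side data, so an unexpected value would break or widen the rule without any state failure. Add `- check_cmd: visudo -cf` to this `file.managed` so a malformed render is rejected before it replaces the file, add `- mode: 0440` if the lines outside the hunk do not already set it, and consider taking the user from pillar the way this commit does for `appname`. The state ID and the `- name`/`- mode` lines, if any, begin before this hunk.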
diff --git a/states/gnuviechadmin/gvaweb/celery-worker.env b/states/gnuviechadmin/gvaweb/celery-worker.env
index a7ab606..af6b2d2 100644
--- a/states/gnuviechadmin/gvaweb/celery-worker.env
+++ b/states/gnuviechadmin/gvaweb/celery-worker.env
@@ -1,6 +1,5 @@
 GVAWEB_BROKER_URL="{{ broker_url }}"
-GVAWEB_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
-GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}"
-GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}"
-GVAWEB_PHPFPM_POOL="{{ salt['pillar.get']('gnuviechadmin-gvaweb:phpfpm_pool', '/etc/php5/fpm/pool.d') }}"
-GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin-gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"
+GVAWEB_RESULTS_REDIS_URL="{{ result_url }}"
+GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}"
+GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}"
+GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin:gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"
diff --git a/states/gnuviechadmin/gvaweb/sudoers b/states/gnuviechadmin/gvaweb/sudoers
index 8db5048..49623b4 100644
--- a/states/gnuviechadmin/gvaweb/sudoers
+++ b/states/gnuviechadmin/gvaweb/sudoers
@@ -1,3 +1,3 @@
 Cmnd_Alias GVAWEB_CMDS = /usr/bin/install, /bin/rm, /bin/ln, /bin/systemctl
-gvaweb ALL = (root) NOPASSWD: GVAWEB_CMDS
+{{ app_user }} ALL = (root) NOPASSWD: GVAWEB_CMDS
diff --git a/states/vagrant/bashrc b/states/vagrant/bashrc
index 4bc2a9f..9360f69 100644
--- a/states/vagrant/bashrc
+++ b/states/vagrant/bashrc
@@ -37,7 +37,7 @@ fi # set a fancy prompt (non-color, unless we know we "want" color) case "$TERM" in - xterm-color) color_prompt=yes;; + xterm-color|*-256color) color_prompt=yes;; esac # uncomment for a colored prompt, if the terminal has the capability; turned @@ -111,7 +111,3 @@ if ! shopt -oq posix; then . /etc/bash_completion fi fi - -if [ -f ~/.bash_functions ]; then - . ~/.bash_functions -fi