gnuviech/gvasalt
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Move some of the gvaldap and gvaweb data to pillars

Browse source
This commit is contained in:
Jan Dittberner 2020-03-04 14:03:35 +01:00
parent 2da305fb5f
commit dd43bd4b31
15 changed files with 79 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

9
pillar/gnuviechadmin/gva.sls Normal file
View file

@ -0,0 +1,9 @@
include:
- gnuviechadmin
- gnuviechadmin.queues.common
gnuviechadmin:
appname: gva
gva:
django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=

21
pillar/gnuviechadmin/gvaldap.sls
View file

@ -2,17 +2,22 @@ include:
- gnuviechadmin - gnuviechadmin
- gnuviechadmin.queues.common - gnuviechadmin.queues.common
- gnuviechadmin.queues.gvaldap - gnuviechadmin.queues.gvaldap
- ldapserver
gnuviechadmin: gnuviechadmin:
component:
name: gvaldap
amqp_user: ldap
ldap_admin_user: ldapadmin
ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
allowed_hosts: 127.0.0.1,gvaldap.local,localhost allowed_hosts: 127.0.0.1,gvaldap.local,localhost
appname: gvaldap
server_email: gvaldap@gnuviech-server.de
admin_email: jan@dittberner.info
admin_name: Jan Dittberner
gvaldap: gvaldap:
git_url: https://git.dittberner.info/gnuviech/gvaldap.git ldap_groups_ou: groups
git_branch: master ldap_users_ou: users
allowed_hosts: localhost,ldap
amqp_user: ldap
celery_module: ldaptasks celery_module: ldaptasks
django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU= django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU=
fullname: LDAP
git_branch: master
git_url: https://git.dittberner.info/gnuviech/gvaldap.git
ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
ldap_admin_user: ldapadmin

6
pillar/gnuviechadmin/gvaweb.sls
View file

@ -4,10 +4,10 @@ include:
- gnuviechadmin.queues.gvaweb - gnuviechadmin.queues.gvaweb
gnuviechadmin: gnuviechadmin:
component: appname: gvaweb
name: gvaweb
amqp_user: web
gvaweb: gvaweb:
amqp_user: web
fullname: Web
git_url: https://git.dittberner.info/gnuviech/gvaweb.git git_url: https://git.dittberner.info/gnuviech/gvaweb.git
git_branch: master git_branch: master
celery_module: webtasks celery_module: webtasks

16
pillar/gnuviechadmin/init.sls
View file

@ -1,3 +1,6 @@
include:
- gnuviechadmin.redis
gnuviechadmin: gnuviechadmin:
ssh_known_hosts: | ssh_known_hosts: |
nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA= nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA=
@ -12,15 +15,12 @@ gnuviechadmin:
osuserprefix: usr osuserprefix: usr
osuserhomedirbase: /home osuserhomedirbase: /home
osuserdefaultshell: /usr/bin/rssh osuserdefaultshell: /usr/bin/rssh
uploadserver: gvafile.local uploadserver: file
ldap_domain: gva.local
ldap_url: ldap://gvaldap.local
ldap_base_dn: dc=gva,dc=local ldap_base_dn: dc=gva,dc=local
ldap_groups_ou: groups ldap_base_dn_groups: ou=groups,dc=gva,dc=local
ldap_users_ou: users ldap_base_dn_users: ou=groups,dc=gva,dc=local
redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4 ldap_domain: gva.local
redis_host: gva.local ldap_url: ldap://ldap
django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=
machines: machines:
gva.local: gva.local:
ip: 172.16.3.2 ip: 172.16.3.2

3
pillar/gnuviechadmin/redis.sls Normal file
View file

@ -0,0 +1,3 @@
gnuviechadmin:
redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4
redis_host: mq

6
pillar/top.sls
View file

@ -1,12 +1,10 @@
base: base:
'*': {%- for role in ('database', 'redis', 'queues', 'gva', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %}
- gnuviechadmin
{% for role in ('database', 'queues', 'webinterface', 'gvaldap', 'gvafile', 'gvamysql', 'gvapgsql', 'gvaweb') %}
'roles:gnuviechadmin.{{ role }}': 'roles:gnuviechadmin.{{ role }}':
- match: grain - match: grain
- gnuviechadmin.{{ role }} - gnuviechadmin.{{ role }}
{% endfor %} {% endfor %}
{% for role in ('fileserver', 'ldapclient') %} {% for role in ('fileserver', 'ldapserver', 'ldapclient') %}
'roles:{{ role }}': 'roles:{{ role }}':
- match: grain - match: grain
- {{ role }} - {{ role }}

8
states/base/init.sls
View file

@ -1,6 +1,3 @@
deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main:
pkgrepo.absent
debian-repo: debian-repo:
pkgrepo.managed: pkgrepo.managed:
- humanname: Debian - humanname: Debian
@ -19,6 +16,11 @@ debian-security-repo:
- name: deb http://security.debian.org/ {{ salt['grains.get']('oscodename', 'buster') }}/updates main - name: deb http://security.debian.org/ {{ salt['grains.get']('oscodename', 'buster') }}/updates main
- file: /etc/apt/sources.list - file: /etc/apt/sources.list
httpredir-debian-repo:
pkgrepo.absent:
- name: deb http://httpredir.debian.org/debian {{ salt['grains.get']('oscodename', 'buster') }} main
- file: /etc/apt/sources.list
backports-repo: backports-repo:
pkgrepo.managed: pkgrepo.managed:
- humanname: Debian backports - humanname: Debian backports

17
states/gnuviechadmin/gvaapp_macros.sls
View file

@ -4,7 +4,7 @@
{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %} {% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%} {% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
{% set appfullname = 'GNUViech Admin {} User'.format(grains['gnuviechadmin']['fullname']) -%} {% set appfullname = 'GNUViech Admin {} User'.format(salt['pillar.get']('gnuviechadmin:{}:fullname'.format(gvaappname))) -%}
{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %} {% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%} {% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%} {% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
@ -46,7 +46,7 @@ SSH Deployment Key:
- requires: - requires:
- file: {{ app_home }}/.ssh - file: {{ app_home }}/.ssh
- require_in: - require_in:
git: {{ gitrepo }} - git: {{ gitrepo }}
SSH known hosts configuration: SSH known hosts configuration:
file.managed: file.managed:
@ -58,7 +58,7 @@ SSH known hosts configuration:
- require: - require:
- file: {{ app_home }}/.ssh - file: {{ app_home }}/.ssh
- require_in: - require_in:
git: {{ gitrepo }} - git: {{ gitrepo }}
SSH configuration: SSH configuration:
file.managed: file.managed:
@ -73,7 +73,7 @@ SSH configuration:
- require: - require:
- file: {{ app_home }}/.ssh - file: {{ app_home }}/.ssh
- require_in: - require_in:
git: {{ gitrepo }} - git: {{ gitrepo }}
{% endif %} {% endif %}
{{ checkout }}: {{ checkout }}:
@ -167,8 +167,8 @@ update-{{ gvaappname }}-pip:
{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%} {% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %} {% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
{% set servicename = gvaappname + "-celery-worker" %} {% set servicename = "{}-celery-worker".format(gvaappname) %}
{% set amqp_user = grains['gnuviechadmin']['amqpuser'] -%} {% set amqp_user = salt['pillar.get']('gnuviechadmin:{}:amqpuser'.format(gvaappname)) -%}
{{ gvaapp_base(gvaappname, servicename ) }} {{ gvaapp_base(gvaappname, servicename ) }}
/etc/default/{{ gvaappname }}: /etc/default/{{ gvaappname }}:
file.managed: file.managed:
@ -180,14 +180,15 @@ update-{{ gvaappname }}-pip:
- context: - context:
virtualenv: {{ venv }} virtualenv: {{ venv }}
checkout: {{ checkout }} checkout: {{ checkout }}
broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:' + amqp_user + ':password') }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }} broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:{}:password'.format(amqp_user)) }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }}
result_url: redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0
- watch_in: - watch_in:
- service: {{ servicename }} - service: {{ servicename }}
/etc/systemd/system/{{ servicename }}.service: /etc/systemd/system/{{ servicename }}.service:
file.managed: file.managed:
- user: root - user: root
- group: root - group: {{ app_group }}
- mode: 0640 - mode: 0640
- source: salt://gnuviechadmin/celery-worker.service - source: salt://gnuviechadmin/celery-worker.service
- template: jinja - template: jinja

4
states/gnuviechadmin/gvaldap.sls
View file

@ -1,4 +1,4 @@
{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %} {% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
{% set purpose = "for LDAP data management" %} {% set purpose = "for LDAP data management" %}
{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %} {% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
include: include:
@ -20,4 +20,4 @@ base-ldap-objects:
- source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh - source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
- template: jinja - template: jinja
- runas: root - runas: root
- unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}" | grep -q numEntries

22
states/gnuviechadmin/gvaldap/celery-worker.env
View file

@ -1,13 +1,13 @@
DJANGO_SETTINGS_MODULE="gvaldap.settings" DJANGO_SETTINGS_MODULE="gvaldap.settings"
GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}" GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin:admin_email') }}"
GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}" GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin:admin_name') }}"
GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}" GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin:gvaldap:allowed_hosts') }}"
GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}" GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_groups') }}"
GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}" GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn_users') }}"
GVALDAP_BROKER_URL="{{ broker_url }}" GVALDAP_BROKER_URL="{{ broker_url }}"
GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}" GVALDAP_RESULTS_REDIS_URL="{{ result_url }}"
GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}" GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password' ) }}"
GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}" GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}"
GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}" GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') }}"
GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}" GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin:gvaldap:django_secret_key') }}"
GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}" GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin:server_email') }}"

8
states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
View file

@ -3,10 +3,10 @@
set -e set -e
{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %} {% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %} {% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_user') %}
{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %} {% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_admin_password') %}
{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %} {% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_groups_ou') %}
{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %} {% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:gvaldap:ldap_users_ou') %}
# setup password hashing for cleartext input # setup password hashing for cleartext input
ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif

5
states/gnuviechadmin/gvaweb.sls
View file

@ -1,4 +1,4 @@
{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %} {% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
{% set purpose = "for website configuration management" %} {% set purpose = "for website configuration management" %}
{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %} {% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
include: include:
@ -13,5 +13,8 @@ include:
- user: root - user: root
- group: root - group: root
- source: salt://gnuviechadmin/{{ gvaappname }}/sudoers - source: salt://gnuviechadmin/{{ gvaappname }}/sudoers
- template: jinja
- context:
app_user: {{ salt['grains.get']('gnuviechadmin:user', gvaappname) }}
- require: - require:
- pkg: sudo - pkg: sudo

9
states/gnuviechadmin/gvaweb/celery-worker.env
View file

@ -1,6 +1,5 @@
GVAWEB_BROKER_URL="{{ broker_url }}" GVAWEB_BROKER_URL="{{ broker_url }}"
GVAWEB_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}" GVAWEB_RESULTS_REDIS_URL="{{ result_url }}"
GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}" GVAWEB_NGINX_SITES_AVAILABLE="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_available', '/etc/nginx/sites-available') }}"
GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin-gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}" GVAWEB_NGINX_SITES_ENABLED="{{ salt['pillar.get']('gnuviechadmin:gvaweb:nginx_sites_enabled', '/etc/nginx/sites-enabled') }}"
GVAWEB_PHPFPM_POOL="{{ salt['pillar.get']('gnuviechadmin-gvaweb:phpfpm_pool', '/etc/php5/fpm/pool.d') }}" GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin:gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"
GVAWEB_WWWUSER_MOUNT="{{ salt['pillar.get']('gnuviechadmin-gvaweb:wwwuser_mount', '/srv/wwwfiles') }}"

2
states/gnuviechadmin/gvaweb/sudoers
View file

@ -1,3 +1,3 @@
Cmnd_Alias GVAWEB_CMDS = /usr/bin/install, /bin/rm, /bin/ln, /bin/systemctl Cmnd_Alias GVAWEB_CMDS = /usr/bin/install, /bin/rm, /bin/ln, /bin/systemctl
gvaweb ALL = (root) NOPASSWD: GVAWEB_CMDS {{ app_user }} ALL = (root) NOPASSWD: GVAWEB_CMDS

6
states/vagrant/bashrc
View file

@ -37,7 +37,7 @@ fi
# set a fancy prompt (non-color, unless we know we "want" color) # set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in case "$TERM" in
xterm-color) color_prompt=yes;; xterm-color|*-256color) color_prompt=yes;;
esac esac
# uncomment for a colored prompt, if the terminal has the capability; turned # uncomment for a colored prompt, if the terminal has the capability; turned
@ -111,7 +111,3 @@ if ! shopt -oq posix; then
. /etc/bash_completion . /etc/bash_completion
fi fi
fi fi
if [ -f ~/.bash_functions ]; then
. ~/.bash_functions
fi