Setup gvafile using new mechanisms

2020-03-04 16:20:34 +01:00 · 2020-03-04 16:20:34 +01:00 · ed4e371ccb
parent 50cbea2abe
commit ed4e371ccb
6 changed files with 103 additions and 26 deletions
--- a/pillar/gnuviechadmin/gvafile.sls
+++ b/pillar/gnuviechadmin/gvafile.sls
@ -4,9 +4,15 @@ include:
  - gnuviechadmin.queues.gvafile

 gnuviechadmin:
-  component:
-    name: gvafile
+  appname: gvafile
+  gvafile:
    amqp_user: file
-  sftp_directory: /home/www
-  mail_directory: /home/mail
-  sftp_authkeys_directory: /srv/sftp/authorized_keys
+    celery_module: fileservertasks
+    fullname: File Server
+    git_branch: master
+    git_url: https://git.dittberner.info/gnuviech/gvafile.git
+    mail_directory: /home/mail
+    web_directory: /home/www
+    sftp_authkeys_directory: /srv/sftp/authorized_keys
+    sftp_chroot: /srv/sftp
+    sftp_group: sftponly
--- a/states/gnuviechadmin/gvafile.sls
+++ b/states/gnuviechadmin/gvafile.sls
@ -1,3 +1,85 @@
+{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
+{% set purpose = "for file server configuration management" %}
+{% set mail_directory = salt['pillar.get']('gnuviechadmin:gvafile:mail_directory', '/home/mail') %}
+{% set web_directory = salt['pillar.get']('gnuviechadmin:gvafile:web_directory', '/home/www') %}
+{% set nfs_root = salt['pillar.get']('nfsserver:nfsroot', '/srv/nfs4') %}
+{% set sftp_chroot = salt['pillar.get']('gnuviechadmin:gvafile:sftp_chroot', '/srv/sftp') %}
+{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
 include:
-  - gnuviechadmin.base
-  - gnuviechadmin.celery
+  - base
+  - python.pipenv
+  - python.virtualenv
+  - nfsserver
+
+{{ mail_directory }}:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0751
+
+{{ web_directory }}:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0751
+
+{{ sftp_chroot }}:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0755
+
+{{ sftp_chroot }}/home:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0751
+    - require:
+      - file: {{ sftp_chroot }}
+
+bind_mount_nfs_mail:
+  mount.fstab_present:
+    - name: {{ mail_directory }}
+    - fs_file: {{ nfs_root }}/mail
+    - fs_vfstype: none
+    - fs_mntops: bind
+    - require:
+      - file: {{ mail_directory }}
+      - file: {{ nfs_root }}/mail
+    - watch_in:
+      - service: nfs-kernel-server
+
+bind_mount_nfs_web:
+  mount.fstab_present:
+    - name: {{ web_directory }}
+    - fs_file: {{ nfs_root }}/web
+    - fs_vfstype: none
+    - fs_mntops: bind
+    - require:
+      - file: {{ web_directory }}
+      - file: {{ nfs_root }}/web
+    - watch_in:
+      - service: nfs-kernel-server
+
+bind_mount_sftp_chroot:
+  mount.fstab_present:
+    - name: {{ web_directory }}
+    - fs_file: {{ sftp_chroot }}/home
+    - fs_vfstype: none
+    - fs_mntops: bind
+    - require:
+      - file: {{ web_directory }}
+      - file: {{ sftp_chroot }}/home
+
+{{ create_celery_worker(gvaappname, purpose) }}
+
+/etc/sudoers.d/{{ gvaappname }}:
+  file.managed:
+    - user: root
+    - group: root
+    - source: salt://gnuviechadmin/{{ gvaappname }}/sudoers
+    - template: jinja
+    - context:
+        app_user: {{ salt['grains.get']('gnuviechadmin:user', gvaappname) }}
+    - require:
+      - pkg: sudo
--- a/states/gnuviechadmin/gvafile/celery-worker.env
+++ b/states/gnuviechadmin/gvafile/celery-worker.env
@ -0,0 +1,5 @@
+GVAFILE_BROKER_URL="{{ broker_url }}"
+GVAFILE_RESULTS_REDIS_URL="{{ result_url }}"
+GVAFILE_SFTP_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:web_directory') }}"
+GVAFILE_MAIL_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:mail_directory') }}"
+GVAFILE_SFTP_AUTHKEYS_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:sftp_authkeys_directory') }}"
--- a/states/gnuviechadmin/gvafile/run_celery.sh
+++ b/states/gnuviechadmin/gvafile/run_celery.sh
@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-. {{ home }}/gvasettings.sh
-
-unset LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
-    LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \
-    LC_IDENTIFICATION LC_ALL
-
-cd {{ appdir }}
-{{ virtualenv }}/bin/celery worker -A gvafile -Q file --loglevel=INFO
--- a/states/gnuviechadmin/gvafile/settings.sh
+++ b/states/gnuviechadmin/gvafile/settings.sh
@ -1,7 +0,0 @@
-#!/bin/sh
-
-export GVAFILE_BROKER_URL='{{ broker_url }}'
-export GVAFILE_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"
-export GVAFILE_SFTP_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:sftp_directory') }}"
-export GVAFILE_MAIL_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:mail_directory') }}"
-export GVAFILE_SFTP_AUTHKEYS_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:sftp_authkeys_directory') }}"
--- a/states/gnuviechadmin/gvafile/sudoers
+++ b/states/gnuviechadmin/gvafile/sudoers
@ -0,0 +1,3 @@
+Cmnd_Alias GVAFILE_CMDS = /usr/bin/install, /usr/bin/setfacl, /bin/rm, /usr/sbin/setquota
+
+{{ app_user }}  ALL = (root) NOPASSWD: GVAFILE_CMDS