From ed4e371ccbbea094f4b6aa98d26414aeaccfe694 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Wed, 4 Mar 2020 16:20:34 +0100
Subject: [PATCH] Setup gvafile using new mechanisms

---
 pillar/gnuviechadmin/gvafile.sls | 16 ++--
 states/gnuviechadmin/gvafile.sls | 86 ++++++++++++++++++-
 .../gnuviechadmin/gvafile/celery-worker.env | 5 ++
 states/gnuviechadmin/gvafile/run_celery.sh | 12 ---
 states/gnuviechadmin/gvafile/settings.sh | 7 --
 states/gnuviechadmin/gvafile/sudoers | 3 +
 6 files changed, 103 insertions(+), 26 deletions(-)
 create mode 100644 states/gnuviechadmin/gvafile/celery-worker.env
 delete mode 100644 states/gnuviechadmin/gvafile/run_celery.sh
 delete mode 100644 states/gnuviechadmin/gvafile/settings.sh
 create mode 100644 states/gnuviechadmin/gvafile/sudoers

diff --git a/pillar/gnuviechadmin/gvafile.sls b/pillar/gnuviechadmin/gvafile.sls
index 76b39cc..a3e1a7a 100644
--- a/pillar/gnuviechadmin/gvafile.sls
+++ b/pillar/gnuviechadmin/gvafile.sls
@@ -4,9 +4,15 @@
 include:
 - gnuviechadmin.queues.gvafile
 gnuviechadmin:
- component:
- name: gvafile
+ appname: gvafile
+ gvafile:
 amqp_user: file
- sftp_directory: /home/www
- mail_directory: /home/mail
- sftp_authkeys_directory: /srv/sftp/authorized_keys
+ celery_module: fileservertasks
+ fullname: File Server
+ git_branch: master
+ git_url: https://git.dittberner.info/gnuviech/gvafile.git
+ mail_directory: /home/mail
+ web_directory: /home/www
+ sftp_authkeys_directory: /srv/sftp/authorized_keys
+ sftp_chroot: /srv/sftp
+ sftp_group: sftponly
diff --git a/states/gnuviechadmin/gvafile.sls b/states/gnuviechadmin/gvafile.sls
index 4ac4fb5..baa8dcb 100644
--- a/states/gnuviechadmin/gvafile.sls
+++ b/states/gnuviechadmin/gvafile.sls
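Review bot: The directory defaults now exist in two places: this pillar sets `mail_directory`, `web_directory` and `sftp_chroot` under `gnuviechadmin:gvafile`, while the state file in the same commit repeats the same literal paths as `pillar.get` fallbacks, so the two can drift apart without any error on a minion where this pillar is not applied. Either drop the fallbacks in the state or mark the duplication here: `# these defaults are mirrored as pillar.get fallbacks in states/gnuviechadmin/gvafile.sls — keep in sync`. Whether `amqp_user` ends up nested under the new `gvafile:` key or stays one level up cannot be confirmed from this rendering, since the hunk's indentation was lost; the new `celery-worker.env` reads the directories from `gnuviechadmin:gvafile:*`, so the nesting of the context line deserves a look.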
@@ -1,3 +1,85 @@
+{% set gvaappname = salt['pillar.get']('gnuviechadmin:appname') %}
+{% set purpose = "for file server configuration management" %}
+{% set mail_directory = salt['pillar.get']('gnuviechadmin:gvafile:mail_directory', '/home/mail') %}
+{% set web_directory = salt['pillar.get']('gnuviechadmin:gvafile:web_directory', '/home/www') %}
+{% set nfs_root = salt['pillar.get']('nfsserver:nfsroot', '/srv/nfs4') %}
+{% set sftp_chroot = salt['pillar.get']('gnuviechadmin:gvafile:sftp_chroot', '/srv/sftp') %}
+{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
 include:
- - gnuviechadmin.base
- - gnuviechadmin.celery
+ - base
+ - python.pipenv
+ - python.virtualenv
+ - nfsserver
+
+{{ mail_directory }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0751
+
+{{ web_directory }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0751
+
+{{ sftp_chroot }}:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0755
+
+{{ sftp_chroot }}/home:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 0751
+ - require:
+ - file: {{ sftp_chroot }}
+
+bind_mount_nfs_mail:
+ mount.fstab_present:
+ - name: {{ mail_directory }}
+ - fs_file: {{ nfs_root }}/mail
+ - fs_vfstype: none
+ - fs_mntops: bind
+ - require:
+ - file: {{ mail_directory }}
+ - file: {{ nfs_root }}/mail
+ - watch_in:
+ - service: nfs-kernel-server
+
+bind_mount_nfs_web:
+ mount.fstab_present:
+ - name: {{ web_directory }}
+ - fs_file: {{ nfs_root }}/web
+ - fs_vfstype: none
+ - fs_mntops: bind
+ - require:
+ - file: {{ web_directory }}
+ - file: {{ nfs_root }}/web
+ - watch_in:
+ - service: nfs-kernel-server
+
+bind_mount_sftp_chroot:
+ mount.fstab_present:
+ - name: {{ web_directory }}
+ - fs_file: {{ sftp_chroot }}/home
+ - fs_vfstype: none
+ - fs_mntops: bind
+ - require:
+ - file: {{ web_directory }}
+ - file: {{ sftp_chroot }}/home
+
+{{ create_celery_worker(gvaappname, purpose) }}
+
+/etc/sudoers.d/{{ gvaappname }}:
+ file.managed:
+ - user: root
+ - group: root
+ - source: salt://gnuviechadmin/{{ gvaappname }}/sudoers
+ - template: jinja
+ - context:
+ app_user: {{ salt['grains.get']('gnuviechadmin:user', gvaappname) }}
+ - require:
+ - pkg: sudo
diff --git a/states/gnuviechadmin/gvafile/celery-worker.env b/states/gnuviechadmin/gvafile/celery-worker.env
new file mode 100644
index 0000000..3baba8d
--- /dev/null
+++ b/states/gnuviechadmin/gvafile/celery-worker.env
@@ -0,0 +1,5 @@
+GVAFILE_BROKER_URL="{{ broker_url }}"
+GVAFILE_RESULTS_REDIS_URL="{{ result_url }}"
+GVAFILE_SFTP_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:web_directory') }}"
+GVAFILE_MAIL_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:mail_directory') }}"
+GVAFILE_SFTP_AUTHKEYS_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:gvafile:sftp_authkeys_directory') }}"
diff --git a/states/gnuviechadmin/gvafile/run_celery.sh b/states/gnuviechadmin/gvafile/run_celery.sh
deleted file mode 100644
index cc8af9c..0000000
--- a/states/gnuviechadmin/gvafile/run_celery.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-. {{ home }}/gvasettings.sh
-
-unset LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
- LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \
- LC_IDENTIFICATION LC_ALL
-
-cd {{ appdir }}
-{{ virtualenv }}/bin/celery worker -A gvafile -Q file --loglevel=INFO
diff --git a/states/gnuviechadmin/gvafile/settings.sh b/states/gnuviechadmin/gvafile/settings.sh
deleted file mode 100644
index 425f337..0000000
--- a/states/gnuviechadmin/gvafile/settings.sh
+++ /dev/null
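Review bot: The `/etc/sudoers.d/{{ gvaappname }}` state at the end of the hunk sets owner and group but no `mode` and no validation, so the fragment lands with Salt's default mode and a rendering error in the Jinja template would be written straight into sudoers.d, where a syntax error makes sudo refuse every invocation on the host. Add `- mode: 0440` and `- check_cmd: /usr/sbin/visudo -cf` to the `file.managed` so the file is only installed when it parses and carries the mode sudo expects for sudoers fragments. The `bind_mount_nfs_mail` and `bind_mount_nfs_web` states require `file: {{ nfs_root }}/mail` and `file: {{ nfs_root }}/web`, which this file does not declare; presumably the included `nfsserver` state provides them, but a comment above the first bind mount naming that dependency would save the next reader the search. The ordering of `{{ create_celery_worker(gvaappname, purpose) }}` relative to the directory states is also invisible here since the macro is defined elsewhere.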
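Review bot: `GVAFILE_BROKER_URL` and `GVAFILE_RESULTS_REDIS_URL` carry credentials inside the URL (the removed `settings.sh` built the Redis URL from `gnuviechadmin:redis_password`), so this env file is as sensitive as the old settings script and the state that deploys it must keep it root-owned, readable only by the worker's group, mode 0640 or tighter; that deployment lives in the `create_celery_worker` macro outside this diff, so it cannot be confirmed here. The three `salt['pillar.get'](...)` calls on the directory lines have no default, unlike the matching lookups in `gvafile.sls`, so unless `pillar_raise_on_missing` is enabled a missing pillar key renders as `GVAFILE_SFTP_DIRECTORY=""` and the worker starts with an empty path rather than failing. `GVAFILE_SFTP_DIRECTORY` being filled from the `web_directory` pillar key is intentional as far as the bind mounts in `gvafile.sls` show, but it reads as a mismatch; a one-line comment such as `# SFTP users are chrooted onto the web tree, hence web_directory` would document it.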
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-export GVAFILE_BROKER_URL='{{ broker_url }}'
-export GVAFILE_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"
-export GVAFILE_SFTP_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:sftp_directory') }}"
-export GVAFILE_MAIL_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:mail_directory') }}"
-export GVAFILE_SFTP_AUTHKEYS_DIRECTORY="{{ salt['pillar.get']('gnuviechadmin:sftp_authkeys_directory') }}"
diff --git a/states/gnuviechadmin/gvafile/sudoers b/states/gnuviechadmin/gvafile/sudoers
new file mode 100644
index 0000000..4920cde
--- /dev/null
+++ b/states/gnuviechadmin/gvafile/sudoers
@@ -0,0 +1,3 @@
+Cmnd_Alias GVAFILE_CMDS = /usr/bin/install, /usr/bin/setfacl, /bin/rm, /usr/sbin/setquota
+
+{{ app_user }} ALL = (root) NOPASSWD: GVAFILE_CMDS
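Review bot: The `Cmnd_Alias` grants `{{ app_user }}` password-less root for `/usr/bin/install`, `/usr/bin/setfacl` and `/bin/rm` with no argument restriction, which is equivalent to unrestricted root: through those three commands any file on the host can be replaced, re-permissioned or deleted, so a compromise of the worker process is a compromise of the machine. Restrict the grant to a root-owned, non-writable wrapper that validates its arguments and confines the install, ACL and removal operations to the web and mail trees, e.g. `Cmnd_Alias GVAFILE_CMDS = /usr/local/sbin/gvafile-helper` with a placeholder path to be replaced by the real helper, keeping `/usr/sbin/setquota` as a separate alias only if the worker truly needs it. sudo's glob-style argument patterns are not a reliable substitute for a wrapper, because they match the textual argv rather than resolved paths. Since `{{ app_user }}` is substituted from the state's `context`, the deploying state should also run the rendered file through `visudo -cf` before it is placed in `/etc/sudoers.d`.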