Compare commits
16 Commits
496a76bbb5
...
ad11c8291f
Author | SHA1 | Date | |
---|---|---|---|
ad11c8291f | |||
761f8cb5c6 | |||
17c12f414b | |||
0229852a1e | |||
a249b83d37 | |||
7cfa10e082 | |||
6714154ccf | |||
906dd92d7e | |||
e58c63decc | |||
cc007e6470 | |||
ddb72f1cb3 | |||
0730cbb4c2 | |||
cade9c0aca | |||
8016f86164 | |||
2bafbeedd7 | |||
979021f5c4 |
@ -3,15 +3,15 @@
|
||||
skip_clone: true
|
||||
|
||||
pipeline:
|
||||
commit_lint:
|
||||
image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
|
||||
secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
|
||||
when:
|
||||
event: [push]
|
||||
commands:
|
||||
- git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
|
||||
- cd ../salt-libertacasa-commit-linting
|
||||
- bin/lint-commits.pl production
|
||||
# commit_lint:
|
||||
# image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
|
||||
# secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
|
||||
# when:
|
||||
# event: [push]
|
||||
# commands:
|
||||
# - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
|
||||
# - cd ../salt-libertacasa-commit-linting
|
||||
# - bin/lint-commits.pl production
|
||||
|
||||
code_lint:
|
||||
image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-lint:latest
|
||||
|
@ -1,6 +1,8 @@
|
||||
---
|
||||
- apache
|
||||
- firewalld
|
||||
- keepalived
|
||||
- memcached
|
||||
- nginx
|
||||
- openssh
|
||||
- postfix
|
||||
|
110
pillar/id/moni_lysergic_dev.sls
Normal file
110
pillar/id/moni_lysergic_dev.sls
Normal file
@ -0,0 +1,110 @@
|
||||
prometheus:
|
||||
pkg:
|
||||
component:
|
||||
prometheus:
|
||||
config:
|
||||
alerting:
|
||||
alertmanagers:
|
||||
- static_configs:
|
||||
- targets:
|
||||
- localhost:9093
|
||||
|
||||
rule_files:
|
||||
- /etc/prometheus/alerts/lysergic/*.yml
|
||||
|
||||
scrape_configs:
|
||||
- job_name: 'prometheus'
|
||||
static_configs:
|
||||
- targets: ['localhost:9090']
|
||||
|
||||
- job_name: 'node_exporters_lysergic'
|
||||
scrape_timeout: 1m
|
||||
scrape_interval: 5m
|
||||
file_sd_configs:
|
||||
- files:
|
||||
- '/etc/prometheus/targets/node-lysergic.json'
|
||||
|
||||
- job_name: 'blackbox-2xx'
|
||||
metrics_path: /probe
|
||||
params:
|
||||
module: [http_2xx]
|
||||
file_sd_configs:
|
||||
- files: ['/etc/prometheus/targets/blackbox-2xx*.json']
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: 127.0.0.1:9115
|
||||
|
||||
- job_name: 'blackbox-3xx'
|
||||
metrics_path: /probe
|
||||
params:
|
||||
module: [http_3xx]
|
||||
file_sd_configs:
|
||||
- files: ['/etc/prometheus/targets/blackbox-3xx*.json']
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: 127.0.0.1:9115
|
||||
|
||||
- job_name: 'certificate_exporter'
|
||||
static_configs:
|
||||
- targets: ['therapon.rigel.lysergic.dev:9793']
|
||||
|
||||
alertmanager:
|
||||
config:
|
||||
route:
|
||||
group_by: ['alertname']
|
||||
group_wait: 10s
|
||||
group_interval: 10s
|
||||
repeat_interval: 1h
|
||||
receiver: 'smtp-local'
|
||||
routes:
|
||||
- receiver: 'lysergic'
|
||||
# continue: false
|
||||
match:
|
||||
project: LYSERGIC
|
||||
- receiver: 'chillnet'
|
||||
match:
|
||||
project: CHILLNET
|
||||
|
||||
receivers:
|
||||
- name: 'smtp-local'
|
||||
email_configs:
|
||||
- to: 'system@lysergic.dev'
|
||||
from: 'alertmanager@moni.lysergic.dev'
|
||||
require_tls: false
|
||||
# !!! TO-DO
|
||||
smarthost: 'zz0.email:465'
|
||||
send_resolved: yes
|
||||
|
||||
- name: 'irc-libertacasa'
|
||||
webhook_configs:
|
||||
- url: 'http://127.0.0.1:2410/universe'
|
||||
send_resolved: yes
|
||||
|
||||
- name: 'lysergic'
|
||||
webhook_configs:
|
||||
- url: 'http://127.0.0.1:2410/universe'
|
||||
send_resolved: yes
|
||||
- url: http://127.0.0.2:8081/prometheus/webhook
|
||||
send_resolved: yes
|
||||
email_configs:
|
||||
- to: 'system@lysergic.dev'
|
||||
from: 'alertmanager@moni.lysergic.dev'
|
||||
require_tls: false
|
||||
smarthost: 'zz0.email:465'
|
||||
send_resolved: yes
|
||||
|
||||
- name: 'chillnet'
|
||||
email_configs:
|
||||
- to: 'team@chillnet.org'
|
||||
from: 'alertmanager@moni.lysergic.dev'
|
||||
require_tls: false
|
||||
smarthost: 'zz0.email:465'
|
||||
send_resolved: yes
|
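Review bot: `send_resolved: yes` (under every receiver's email_configs and webhook_configs) relies on YAML 1.1 truthy parsing; Alertmanager's loader accepts it today, but yamllint flags it and a YAML 1.2 parser would read the string "yes", so write `send_resolved: true` throughout. The `# !!! TO-DO` above `smarthost: 'zz0.email:465'` in the smtp-local receiver does not say what is still open; replace it with a comment naming the item, `# TODO: <open item for this smarthost>`, or drop it once done. The `lysergic` receiver repeats the smtp-local email block verbatim, so a later change to one copy will not reach the other; a single definition (a YAML anchor, or the pillar's own merging) avoids that drift. The webhook URL `http://127.0.0.2:8081/prometheus/webhook` is the only unquoted URL in the file — harmless, but worth making consistent with the quoted ones.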
77
pillar/id/themis_lysergic_dev.sls
Normal file
77
pillar/id/themis_lysergic_dev.sls
Normal file
@ -0,0 +1,77 @@
|
||||
apache:
|
||||
sites:
|
||||
BookStack:
|
||||
interface: '[fd29:8e45:f292:ff80::1]'
|
||||
port: 443
|
||||
ServerName: bookstack.themis.backend.syscid.com
|
||||
DocumentRoot: /srv/www/BookStack/
|
||||
DirectoryIndex: index.php
|
||||
Directory:
|
||||
/srv/www/BookStack/:
|
||||
Options: 'Indexes FollowSymLinks -MultiViews'
|
||||
AllowOverride: None
|
||||
Require: all granted
|
||||
Formula_Append: |
|
||||
RewriteEngine On
|
||||
RewriteCond '%{HTTP:Authorization} .'
|
||||
RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'
|
||||
RewriteCond '%{REQUEST_FILENAME} !-d'
|
||||
RewriteCond '%{REQUEST_URI} (.+)/$'
|
||||
RewriteCond '^ %1 [L,R=301]'
|
||||
RewriteCond '%{REQUEST_FILENAME} !-d'
|
||||
RewriteCond '%{REQUEST_FILENAME} !-f'
|
||||
RewriteCond '^ index.php [L]'
|
||||
LogLevel: False
|
||||
ErrorLog: False
|
||||
LogFormat: False
|
||||
CustomLog: False
|
||||
ServerAdmin: False
|
||||
ServerAlias: False
|
||||
Formula_Append: |
|
||||
Include /etc/apache2/snippets.d/ssl_themis.conf
|
||||
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
|
||||
SetOutputFilter DEFLATE
|
||||
<FilesMatch '\.php$'>
|
||||
SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
|
||||
</FilesMatch>
|
||||
|
||||
profile:
|
||||
bookstack:
|
||||
app_url: https://libertacasa.info
|
||||
db_host: ${'secret_bookstack:db_host'}
|
||||
db_database: ${'secret_bookstack:db_database'}
|
||||
db_username: ${'secret_bookstack:db_username'}
|
||||
db_password: ${'secret_bookstack:db_password'}
|
||||
mail_driver: smtp
|
||||
mail_from_name: LibertaCasa Documentation
|
||||
mail_from: mail@libertacasa.info
|
||||
mail_host: zz0.email
|
||||
mail_port: 465
|
||||
mail_username: mail@libertacasa.info
|
||||
mail_password: ${'secret_bookstack:mail_password'}
|
||||
mail_encryption: ssl
|
||||
app_theme: lysergic
|
||||
cache_driver: memcached
|
||||
session_driver: memcached
|
||||
memcached_servers: /run/memcached/memcached.sock
|
||||
session_secure_cookie: true
|
||||
session_cookie_name: libertacasa_megayummycookie
|
||||
app_debug: false
|
||||
session_lifetime: 240
|
||||
auth_method: saml2
|
||||
auth_auto_initiate: true
|
||||
saml2_name: LibertaCasa SSO
|
||||
saml2_email_attribute: email
|
||||
saml2_external_id_attribute: uid
|
||||
saml2_display_name_attributes: fullname
|
||||
saml2_idp_entityid: https://libsso.net/realms/libertacasa
|
||||
saml2_idp_sso: https://libsso.net/realms/libertacasa/protocol/saml
|
||||
saml2_idp_slo: https://libsso.net/realms/libertacasa/protocol/saml
|
||||
saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
|
||||
saml2_autoload_metadata: false
|
||||
saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
|
||||
saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}
|
||||
saml2_user_to_groups: true
|
||||
saml2_group_attribute: groups
|
||||
saml2_remove_from_groups: true
|
||||
queue_connection: database
|
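Review bot: `Formula_Append` appears twice under the `BookStack` site (the RewriteCond block and the SSL/DEFLATE/FilesMatch block); if both sit at the same level — indentation is not visible in this view — that is a duplicate mapping key, which Salt's YAML loader typically rejects as a conflicting ID and a lenient loader resolves by keeping only the last block, so the rewrite rules would never reach the vhost. Merge both into one `Formula_Append: |` block. Within the first block, `RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'`, `RewriteCond '^ %1 [L,R=301]'` and `RewriteCond '^ index.php [L]'` have RewriteRule syntax (pattern, substitution, flags) and should be `RewriteRule` directives; as written the Authorization-header forwarding and the front-controller routing do not take effect. The single quotes wrapping each directive's whole argument list inside the block scalar are passed literally to Apache, which reads each as a single argument, so unless the formula strips them the rendered vhost should be checked with `apachectl configtest`.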
2
pillar/role/memcached.sls
Normal file
2
pillar/role/memcached.sls
Normal file
@ -0,0 +1,2 @@
|
||||
memcached:
|
||||
listen_address: /run/memcached/memcached.sock
|
11
pillar/role/monitoring/prometheus-alertmanager.sls
Normal file
11
pillar/role/monitoring/prometheus-alertmanager.sls
Normal file
@ -0,0 +1,11 @@
|
||||
prometheus:
|
||||
wanted:
|
||||
component:
|
||||
- alertmanager
|
||||
pkg:
|
||||
component:
|
||||
alertmanager:
|
||||
config:
|
||||
global:
|
||||
resolve_timeout: 5m
|
||||
|
50
pillar/role/monitoring/prometheus-exporter-blackbox.sls
Normal file
50
pillar/role/monitoring/prometheus-exporter-blackbox.sls
Normal file
@ -0,0 +1,50 @@
|
||||
prometheus:
|
||||
wanted:
|
||||
component:
|
||||
- blackbox_exporter
|
||||
pkg:
|
||||
component:
|
||||
blackbox_exporter:
|
||||
config:
|
||||
modules:
|
||||
http_2xx:
|
||||
prober: http
|
||||
timeout: 15s
|
||||
http_post_2xx:
|
||||
prober: http
|
||||
http:
|
||||
method: POST
|
||||
http_3xx:
|
||||
prober: http
|
||||
timeout: 5s
|
||||
http:
|
||||
method: HEAD
|
||||
no_follow_redirects: true
|
||||
valid_status_codes: [301, 302]
|
||||
tcp_connect:
|
||||
prober: tcp
|
||||
ssh_banner:
|
||||
prober: tcp
|
||||
tcp:
|
||||
query_response:
|
||||
- expect: "^SSH-2.0-"
|
||||
irc_banner:
|
||||
prober: tcp
|
||||
tcp:
|
||||
query_response:
|
||||
- send: "NICK prober"
|
||||
- send: "USER prober prober prober :prober"
|
||||
- expect: "PING :([^ ]+)"
|
||||
send: "PONG ${1}"
|
||||
- expect: "^:[^ ]+ 001"
|
||||
icmp:
|
||||
prober: icmp
|
||||
|
||||
firewalld:
|
||||
zones:
|
||||
internal:
|
||||
ports:
|
||||
- comment: 'Prometheus Blackbox Exporter'
|
||||
port: 9115
|
||||
protocol: tcp
|
||||
|
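Review bot: The `firewalld` stanza opens 9115/tcp in the `internal` zone, but the only consumer visible in this change (the `moni_lysergic_dev` pillar) reaches the exporter at `127.0.0.1:9115`, so the opening looks unnecessary. The exporter's `/probe` endpoint is unauthenticated and makes this host issue HTTP, TCP and ICMP requests toward whatever target a caller names, so every host in that zone would gain the monitoring host's network vantage point; if local scraping is the design, drop the `ports` entry, otherwise restrict it to the scraping host with a source-restricted rule (if the firewalld formula exposes one) and state the intended consumer in the `comment`. The `http_2xx` module's `timeout: 15s` exceeds Prometheus' default 10s scrape timeout; the exporter clamps the probe to the scrape timeout, so the 15s only applies once a job sets `scrape_timeout` — worth a comment or aligning the two values.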
17
pillar/role/monitoring/prometheus.sls
Normal file
17
pillar/role/monitoring/prometheus.sls
Normal file
@ -0,0 +1,17 @@
|
||||
prometheus:
|
||||
wanted:
|
||||
component:
|
||||
- prometheus
|
||||
pkg:
|
||||
component:
|
||||
prometheus:
|
||||
config:
|
||||
global:
|
||||
scrape_interval: 15s
|
||||
evaluation_interval: 1m
|
||||
|
||||
firewalld:
|
||||
zones:
|
||||
internal:
|
||||
services:
|
||||
- prometheus
|
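Review bot: `services: - prometheus` in the `internal` zone (assuming the formula maps it to the firewalld `prometheus` service definition) exposes the Prometheus web endpoint to the whole zone, and Prometheus ships without authentication, so every scraped metric and the query API become readable by any host there. If only the alertmanager and blackbox components on the same host need it, the `127.0.0.1` targets in the `moni_lysergic_dev` pillar already cover that and the entry can go; if remote access is wanted, front it with a `--web.config.file` (TLS and basic auth) or restrict the source, and document the intended consumer in a comment next to the entry.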
13
pillar/role/web/apache-httpd.sls
Normal file
13
pillar/role/web/apache-httpd.sls
Normal file
@ -0,0 +1,13 @@
|
||||
{%- set host = grains['host'] -%}
|
||||
{%- set fqdn = grains['fqdn'] -%}
|
||||
|
||||
apache:
|
||||
global:
|
||||
ServerAdmin: system@lysergic.dev
|
||||
|
||||
profile:
|
||||
apache-httpd:
|
||||
snippets:
|
||||
ssl_{{ host }}:
|
||||
- 'SSLCertificateFile "/etc/ssl/{{ host }}/{{ fqdn }}.crt"'
|
||||
- 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"'
|
@ -2,7 +2,7 @@ include:
|
||||
- firewalld
|
||||
- profile.seccheck
|
||||
- profile.zypp
|
||||
- profile.node_exporter
|
||||
- profile.prometheus.node_exporter
|
||||
- users
|
||||
- .ssh
|
||||
- postfix.config
|
||||
|
31
salt/profile/apache-httpd/init.sls
Normal file
31
salt/profile/apache-httpd/init.sls
Normal file
@ -0,0 +1,31 @@
|
||||
{%- set snippetsdir = '/etc/apache2/snippets.d' -%}
|
||||
{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%}
|
||||
|
||||
{{ snippetsdir }}:
|
||||
file.directory:
|
||||
- makedirs: True
|
||||
|
||||
{%- if 'snippets' in mypillar %}
|
||||
{%- for snippet, config in mypillar['snippets'].items() %}
|
||||
{{ snippetsdir }}/{{ snippet }}.conf:
|
||||
file.managed:
|
||||
- contents:
|
||||
{%- for line in config %}
|
||||
- {{ line }}
|
||||
{%- endfor %}
|
||||
- require:
|
||||
- file: {{ snippetsdir }}
|
||||
{#- formula dependencies #}
|
||||
- require_in:
|
||||
- module: apache-service-running-restart
|
||||
- service: apache-service-running
|
||||
- watch_in:
|
||||
- module: apache-service-running-reload
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
|
||||
include:
|
||||
- apache.config
|
||||
|
||||
|
||||
|
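Review bot: `- {{ line }}` in the snippet loop drops each pillar line into the rendered YAML unquoted, so a line containing `: ` or ` #`, or one starting with a YAML indicator, breaks rendering or is retyped; the pillar in this change quotes its two `SSLCertificate*` lines, but the state should not depend on that: `- {{ line | yaml_encode }}`. `{{ snippetsdir }}` is created with `makedirs` but no `mode`/`user`/`group`, and the `.conf` files carry no `mode` either; the visible snippets reference key paths rather than key material, so defaults are probably acceptable, but a short comment stating that would keep the next reader from guessing. A header comment describing the `profile:apache-httpd:snippets` pillar shape (snippet name → list of directive lines, one file per snippet) would make the state self-explanatory.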
70
salt/profile/bookstack/init.sls
Normal file
70
salt/profile/bookstack/init.sls
Normal file
@ -0,0 +1,70 @@
|
||||
{%- set mypillar = salt['pillar.get']('profile:bookstack', {}) -%}
|
||||
{%- set configfile = '/etc/sysconfig/BookStack' -%}
|
||||
|
||||
bookstack_packages:
|
||||
pkg.installed:
|
||||
- names:
|
||||
- BookStack-config-php-fpm-apache
|
||||
|
||||
bookstack_permissions:
|
||||
file.managed:
|
||||
- mode: '0640'
|
||||
- user: root
|
||||
- group: wwwrun
|
||||
- names:
|
||||
- {{ configfile }}
|
||||
|
||||
{%- if mypillar | length %}
|
||||
{{ configfile }}:
|
||||
file.keyvalue:
|
||||
- separator: '='
|
||||
- show_changes: False
|
||||
- require:
|
||||
- pkg: bookstack_packages
|
||||
- key_values:
|
||||
{%- macro condconf(option) %}
|
||||
{%- if option in mypillar %}
|
||||
{{ option | upper }}: {{ mypillar[option] }}
|
||||
{%- endif %}
|
||||
{%- endmacro %}
|
||||
{{ condconf('app_url') }}
|
||||
{{ condconf('db_host') }}
|
||||
{{ condconf('db_database') }}
|
||||
{{ condconf('db_username') }}
|
||||
{{ condconf('db_password') }}
|
||||
{{ condconf('mail_driver') }}
|
||||
{{ condconf('mail_from_name') }}
|
||||
{{ condconf('mail_from') }}
|
||||
{{ condconf('mail_host') }}
|
||||
{{ condconf('mail_port') }}
|
||||
{{ condconf('mail_username') }}
|
||||
{{ condconf('mail_password') }}
|
||||
{{ condconf('mail_encryption') }}
|
||||
{{ condconf('app_theme') }}
|
||||
{{ condconf('cache_driver') }}
|
||||
{{ condconf('session_driver') }}
|
||||
{{ condconf('memcached_servers') }}
|
||||
{{ condconf('session_secure_cookie') }}
|
||||
{{ condconf('session_cookie_name') }}
|
||||
{{ condconf('app_debug') }}
|
||||
{{ condconf('session_lifetime') }}
|
||||
{{ condconf('auth_method') }}
|
||||
{{ condconf('auth_auto_initiate') }}
|
||||
{{ condconf('saml2_name') }}
|
||||
{{ condconf('saml2_email_attribute') }}
|
||||
{{ condconf('saml2_external_id_attribute') }}
|
||||
{{ condconf('saml2_display_name_attributes') }}
|
||||
{{ condconf('saml2_idp_entityid') }}
|
||||
{{ condconf('saml2_idp_entityid') }}
|
||||
{{ condconf('saml2_idp_sso') }}
|
||||
{{ condconf('saml2_idp_slo') }}
|
||||
{{ condconf('saml2_idp_x509') }}
|
||||
{{ condconf('saml2_autoload_metadata') }}
|
||||
{{ condconf('saml2_sp_x509') }}
|
||||
{{ condconf('saml2_user_to_groups') }}
|
||||
{{ condconf('saml2_group_attribute') }}
|
||||
{{ condconf('saml2_remove_from_groups') }}
|
||||
{{ condconf('saml2_dump_user_details') }}
|
||||
{{ condconf('queue_connection') }}
|
||||
{{ condconf('app_views_books') }}
|
||||
{%- endif %}
|
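Review bot: `{{ condconf('saml2_idp_entityid') }}` is emitted twice in a row, which renders a duplicate `SAML2_IDP_ENTITYID` key inside `key_values` whenever that pillar key is set; Salt's YAML loader typically rejects duplicate keys, so the state would fail to render — delete the second line. The macro also interpolates `{{ mypillar[option] }}` unquoted: a secret such as `db_password` containing `: ` or ` #`, or a value that looks like a number or boolean, breaks or retypes the rendered YAML, whereas `{{ option | upper }}: {{ mypillar[option] | yaml_encode }}` keeps every value intact. `show_changes: False` together with `mode: '0640'` and group `wwwrun` are the right choices for a file holding database and SAML credentials; a comment above `bookstack_permissions` saying the mode is deliberate because the file carries secrets would keep a later edit from relaxing it. `bookstack_permissions` has no `require` on `bookstack_packages`, so it relies on definition order alone to run after the package has created `/etc/sysconfig/BookStack`; an explicit requisite would make that robust.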
18
salt/profile/prometheus/targets.sls
Normal file
18
salt/profile/prometheus/targets.sls
Normal file
@ -0,0 +1,18 @@
|
||||
{%- set mypillar = salt['pillar.get']('profile:prometheus:targets') %}
|
||||
{%- set targetsdir = '/etc/prometheus/targets' %}
|
||||
|
||||
{%- if mypillar | length %}
|
||||
{{ targetsdir }}:
|
||||
file.directory:
|
||||
- group: prometheus
|
||||
|
||||
{%- for group, nodes in mypillar.items() %}
|
||||
{{ targetsdir }}/{{ group }}.json:
|
||||
file.serialize:
|
||||
- dataset: {{ nodes }}
|
||||
- serializer: json
|
||||
{%- endfor %}
|
||||
|
||||
{%- else %}
|
||||
{%- do salt.log.debug('profile.prometheus: no targets defined') %}
|
||||
{%- endif %}
|
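Review bot: `- dataset: {{ nodes }}` renders the pillar structure through Python's repr rather than a serializer, so nested dicts and lists come out as flow-style YAML that happens to parse while `None`/`True` values come out as bare words; `- dataset: {{ nodes | json }}` (or `| yaml`) gives a well-defined rendering. `salt['pillar.get']('profile:prometheus:targets')` has no default, so a missing pillar yields an empty string, and the `| length` guard works only because an empty string also has length 0; `salt['pillar.get']('profile:prometheus:targets', {})` makes the intent explicit. A one-line comment describing the expected pillar shape (group name → list of file_sd target objects, one JSON file per group) would help, since the serialized JSON must match what Prometheus' `file_sd_configs` expects.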
4
salt/role/bookstack.sls
Normal file
4
salt/role/bookstack.sls
Normal file
@ -0,0 +1,4 @@
|
||||
include:
|
||||
- role.web.apache-httpd
|
||||
- role.memcached
|
||||
- profile.bookstack
|
2
salt/role/memcached.sls
Normal file
2
salt/role/memcached.sls
Normal file
@ -0,0 +1,2 @@
|
||||
include:
|
||||
- memcached.config
|
2
salt/role/monitoring/prometheus-alertmanager.sls
Normal file
2
salt/role/monitoring/prometheus-alertmanager.sls
Normal file
@ -0,0 +1,2 @@
|
||||
include:
|
||||
- prometheus.config
|
2
salt/role/monitoring/prometheus-exporter-blackbox.sls
Normal file
2
salt/role/monitoring/prometheus-exporter-blackbox.sls
Normal file
@ -0,0 +1,2 @@
|
||||
include:
|
||||
- prometheus.config
|
3
salt/role/monitoring/prometheus.sls
Normal file
3
salt/role/monitoring/prometheus.sls
Normal file
@ -0,0 +1,3 @@
|
||||
include:
|
||||
- prometheus.config
|
||||
- profile.prometheus.targets
|
2
salt/role/web/apache-httpd.sls
Normal file
2
salt/role/web/apache-httpd.sls
Normal file
@ -0,0 +1,2 @@
|
||||
include:
|
||||
- profile.apache-httpd
|