Enable memcached-formula

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

.pipeline.yml

@@ -3,15 +3,15 @@
 skip_clone: true
 
 pipeline:
-  commit_lint:
-    image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
-    secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
-    when:
-      event: [push]
-    commands:
-      - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
-      - cd ../salt-libertacasa-commit-linting
-      - bin/lint-commits.pl production
+  # commit_lint:
+  #   image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
+  #   secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
+  #   when:
+  #     event: [push]
+  #   commands:
+  #     - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
+  #     - cd ../salt-libertacasa-commit-linting
+  #     - bin/lint-commits.pl production
 
   code_lint:
     image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-lint:latest

pillar/formulas.yaml

@@ -1,6 +1,8 @@
 ---
+- apache
 - firewalld
 - keepalived
+- memcached
 - nginx
 - openssh
 - postfix

pillar/id/moni_lysergic_dev.sls

@@ -0,0 +1,110 @@
+prometheus:
+  pkg:
+    component:
+      prometheus:
+        config:
+          alerting:
+            alertmanagers:
+              - static_configs:
+                - targets:
+                  - localhost:9093
+
+          rule_files:
+            - /etc/prometheus/alerts/lysergic/*.yml
+
+          scrape_configs:
+            - job_name: 'prometheus'
+              static_configs:
+              - targets: ['localhost:9090']
+
+            - job_name: 'node_exporters_lysergic'
+              scrape_timeout: 1m
+              scrape_interval: 5m
+              file_sd_configs:
+              - files:
+                - '/etc/prometheus/targets/node-lysergic.json'
+
+            - job_name: 'blackbox-2xx'
+              metrics_path: /probe
+              params:
+                module: [http_2xx]
+              file_sd_configs:
+              - files: ['/etc/prometheus/targets/blackbox-2xx*.json']
+              relabel_configs:
+              - source_labels: [__address__]
+                target_label: __param_target
+              - source_labels: [__param_target]
+                target_label: instance
+              - target_label: __address__
+                replacement: 127.0.0.1:9115
+
+            - job_name: 'blackbox-3xx'
+              metrics_path: /probe
+              params:
+                module: [http_3xx]
+              file_sd_configs:
+              - files: ['/etc/prometheus/targets/blackbox-3xx*.json']
+              relabel_configs:
+              - source_labels: [__address__]
+                target_label: __param_target
+              - source_labels: [__param_target]
+                target_label: instance
+              - target_label: __address__
+                replacement: 127.0.0.1:9115
+
+            - job_name: 'certificate_exporter'
+              static_configs:
+              - targets: ['therapon.rigel.lysergic.dev:9793']
+
+      alertmanager:
+        config:
+          route:
+            group_by: ['alertname']
+            group_wait: 10s
+            group_interval: 10s
+            repeat_interval: 1h
+            receiver: 'smtp-local'
+            routes:
+            - receiver: 'lysergic'
+          #    continue: false
+              match:
+               project: LYSERGIC
+            - receiver: 'chillnet'
+              match:
+               project: CHILLNET
+
+          receivers:
+          - name: 'smtp-local'
+            email_configs:
+            - to: 'system@lysergic.dev'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+          # !!! TO-DO
+              smarthost: 'zz0.email:465'
+              send_resolved: yes
+
+          - name: 'irc-libertacasa'
+            webhook_configs:
+            - url: 'http://127.0.0.1:2410/universe'
+              send_resolved: yes
+
+          - name: 'lysergic'
+            webhook_configs:
+            - url: 'http://127.0.0.1:2410/universe'
+              send_resolved: yes
+            - url: http://127.0.0.2:8081/prometheus/webhook
+              send_resolved: yes
+            email_configs:
+            - to: 'system@lysergic.dev'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+              smarthost: 'zz0.email:465'
+              send_resolved: yes
+
+          - name: 'chillnet'
+            email_configs:
+            - to: 'team@chillnet.org'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+              smarthost: 'zz0.email:465'
+              send_resolved: yes

pillar/id/themis_lysergic_dev.sls

@@ -0,0 +1,77 @@
+apache:
+  sites:
+    BookStack:
+      interface: '[fd29:8e45:f292:ff80::1]'
+      port: 443
+      ServerName: bookstack.themis.backend.syscid.com
+      DocumentRoot: /srv/www/BookStack/
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/BookStack/:
+          Options: 'Indexes FollowSymLinks -MultiViews'
+          AllowOverride: None
+          Require: all granted
+          Formula_Append: |
+            RewriteEngine On
+            RewriteCond '%{HTTP:Authorization} .'
+            RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'
+            RewriteCond '%{REQUEST_FILENAME} !-d'
+            RewriteCond '%{REQUEST_URI} (.+)/$'
+            RewriteCond '^ %1 [L,R=301]'
+            RewriteCond '%{REQUEST_FILENAME} !-d'
+            RewriteCond '%{REQUEST_FILENAME} !-f'
+            RewriteCond '^ index.php [L]'
+      LogLevel: False
+      ErrorLog: False
+      LogFormat: False
+      CustomLog: False
+      ServerAdmin: False
+      ServerAlias: False
+      Formula_Append: |
+        Include /etc/apache2/snippets.d/ssl_themis.conf
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+        SetOutputFilter DEFLATE
+        <FilesMatch '\.php$'>
+          SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
+        </FilesMatch>
+
+profile:
+  bookstack:
+    app_url: https://libertacasa.info
+    db_host: ${'secret_bookstack:db_host'}
+    db_database: ${'secret_bookstack:db_database'}
+    db_username: ${'secret_bookstack:db_username'}
+    db_password: ${'secret_bookstack:db_password'}
+    mail_driver: smtp
+    mail_from_name: LibertaCasa Documentation
+    mail_from: mail@libertacasa.info
+    mail_host: zz0.email
+    mail_port: 465
+    mail_username: mail@libertacasa.info
+    mail_password: ${'secret_bookstack:mail_password'}
+    mail_encryption: ssl
+    app_theme: lysergic
+    cache_driver: memcached
+    session_driver: memcached
+    memcached_servers: /run/memcached/memcached.sock
+    session_secure_cookie: true
+    session_cookie_name: libertacasa_megayummycookie
+    app_debug: false
+    session_lifetime: 240
+    auth_method: saml2
+    auth_auto_initiate: true
+    saml2_name: LibertaCasa SSO
+    saml2_email_attribute: email
+    saml2_external_id_attribute: uid
+    saml2_display_name_attributes: fullname
+    saml2_idp_entityid: https://libsso.net/realms/libertacasa
+    saml2_idp_sso: https://libsso.net/realms/libertacasa/protocol/saml
+    saml2_idp_slo: https://libsso.net/realms/libertacasa/protocol/saml
+    saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
+    saml2_autoload_metadata: false
+    saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
+    saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}
+    saml2_user_to_groups: true
+    saml2_group_attribute: groups
+    saml2_remove_from_groups: true
+    queue_connection: database

pillar/role/memcached.sls

@@ -0,0 +1,2 @@
+memcached:
+  listen_address: /run/memcached/memcached.sock

pillar/role/monitoring/prometheus-alertmanager.sls

@@ -0,0 +1,11 @@
+prometheus:
+  wanted:
+    component:
+      - alertmanager
+  pkg:
+    component:
+      alertmanager:
+        config:
+          global:
+            resolve_timeout: 5m
+

pillar/role/monitoring/prometheus-exporter-blackbox.sls

@@ -0,0 +1,50 @@
+prometheus:
+  wanted:
+    component:
+      - blackbox_exporter
+  pkg:
+    component:
+      blackbox_exporter:
+        config:
+          modules:
+            http_2xx:
+              prober: http
+              timeout: 15s
+            http_post_2xx:
+              prober: http
+              http:
+                method: POST
+            http_3xx:
+              prober: http
+              timeout: 5s
+              http:
+                method: HEAD
+                no_follow_redirects: true
+                valid_status_codes: [301, 302]
+            tcp_connect:
+              prober: tcp
+            ssh_banner:
+              prober: tcp
+              tcp:
+                query_response:
+                - expect: "^SSH-2.0-"
+            irc_banner:
+              prober: tcp
+              tcp:
+                query_response:
+                - send: "NICK prober"
+                - send: "USER prober prober prober :prober"
+                - expect: "PING :([^ ]+)"
+                  send: "PONG ${1}"
+                - expect: "^:[^ ]+ 001"
+            icmp:
+              prober: icmp
+
+firewalld:
+  zones:
+    internal:
+      ports:
+        - comment: 'Prometheus Blackbox Exporter'
+          port: 9115
+          protocol: tcp
+

pillar/role/monitoring/prometheus.sls

@@ -0,0 +1,17 @@
+prometheus:
+  wanted:
+    component:
+      - prometheus
+  pkg:
+    component:
+      prometheus:
+        config:
+          global:
+            scrape_interval: 15s
+            evaluation_interval: 1m
+
+firewalld:
+  zones:
+    internal:
+      services:
+        - prometheus

pillar/role/web/apache-httpd.sls

@@ -0,0 +1,13 @@
+{%- set host = grains['host'] -%}
+{%- set fqdn = grains['fqdn'] -%}
+
+apache:
+  global:
+    ServerAdmin: system@lysergic.dev
+
+profile:
+  apache-httpd:
+   snippets:
+    ssl_{{ host }}:
+      - 'SSLCertificateFile    "/etc/ssl/{{ host }}/{{ fqdn }}.crt"'
+      - 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"'

salt/common/suse.sls

@@ -2,7 +2,7 @@ include:
   - firewalld
   - profile.seccheck
   - profile.zypp
-  - profile.node_exporter
+  - profile.prometheus.node_exporter
   - users
   - .ssh
   - postfix.config

salt/profile/apache-httpd/init.sls

@@ -0,0 +1,31 @@
+{%- set snippetsdir = '/etc/apache2/snippets.d' -%}
+{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%}
+
+{{ snippetsdir }}:
+  file.directory:
+    - makedirs: True
+
+{%- if 'snippets' in mypillar %}
+{%- for snippet, config in mypillar['snippets'].items() %}
+{{ snippetsdir }}/{{ snippet }}.conf:
+  file.managed:
+    - contents:
+      {%- for line in config %}
+      - {{ line }}
+      {%- endfor %}
+    - require:
+      - file: {{ snippetsdir }}
+    {#- formula dependencies #}
+    - require_in:
+      - module: apache-service-running-restart
+      - service: apache-service-running
+    - watch_in:
+      - module: apache-service-running-reload
+{%- endfor %}
+{%- endif %}
+
+include:
+  - apache.config
+
+
+

salt/profile/bookstack/init.sls

@@ -0,0 +1,70 @@
+{%- set mypillar = salt['pillar.get']('profile:bookstack', {}) -%}
+{%- set configfile = '/etc/sysconfig/BookStack' -%}
+
+bookstack_packages:
+  pkg.installed:
+    - names:
+      - BookStack-config-php-fpm-apache
+
+bookstack_permissions:
+  file.managed:
+    - mode: '0640'
+    - user: root
+    - group: wwwrun
+    - names:
+      - {{ configfile }}
+
+{%- if mypillar | length %}
+{{ configfile }}:
+  file.keyvalue:
+    - separator: '='
+    - show_changes: False
+    - require:
+      - pkg: bookstack_packages
+    - key_values:
+        {%- macro condconf(option) %}
+        {%- if option in mypillar %}
+        {{ option | upper }}: {{ mypillar[option] }}
+        {%- endif %}
+        {%- endmacro %}
+        {{ condconf('app_url') }}
+        {{ condconf('db_host') }}
+        {{ condconf('db_database') }}
+        {{ condconf('db_username') }}
+        {{ condconf('db_password') }}
+        {{ condconf('mail_driver') }}
+        {{ condconf('mail_from_name') }}
+        {{ condconf('mail_from') }}
+        {{ condconf('mail_host') }}
+        {{ condconf('mail_port') }}
+        {{ condconf('mail_username') }}
+        {{ condconf('mail_password') }}
+        {{ condconf('mail_encryption') }}
+        {{ condconf('app_theme') }}
+        {{ condconf('cache_driver') }}
+        {{ condconf('session_driver') }}
+        {{ condconf('memcached_servers') }}
+        {{ condconf('session_secure_cookie') }}
+        {{ condconf('session_cookie_name') }}
+        {{ condconf('app_debug') }}
+        {{ condconf('session_lifetime') }}
+        {{ condconf('auth_method') }}
+        {{ condconf('auth_auto_initiate') }}
+        {{ condconf('saml2_name') }}
+        {{ condconf('saml2_email_attribute') }}
+        {{ condconf('saml2_external_id_attribute') }}
+        {{ condconf('saml2_display_name_attributes') }}
+        {{ condconf('saml2_idp_entityid') }}
+        {{ condconf('saml2_idp_entityid') }}
+        {{ condconf('saml2_idp_sso') }}
+        {{ condconf('saml2_idp_slo') }}
+        {{ condconf('saml2_idp_x509') }}
+        {{ condconf('saml2_autoload_metadata') }}
+        {{ condconf('saml2_sp_x509') }}
+        {{ condconf('saml2_user_to_groups') }}
+        {{ condconf('saml2_group_attribute') }}
+        {{ condconf('saml2_remove_from_groups') }}
+        {{ condconf('saml2_dump_user_details') }}
+        {{ condconf('queue_connection') }}
+        {{ condconf('app_views_books') }}
+{%- endif %}

salt/profile/prometheus/targets.sls

@@ -0,0 +1,18 @@
+{%- set mypillar = salt['pillar.get']('profile:prometheus:targets') %}
+{%- set targetsdir = '/etc/prometheus/targets' %}
+
+{%- if mypillar | length %}
+{{ targetsdir }}:
+  file.directory:
+    - group: prometheus
+
+{%- for group, nodes in mypillar.items() %}
+{{ targetsdir }}/{{ group }}.json:
+  file.serialize:
+    - dataset: {{ nodes }}
+    - serializer: json
+{%- endfor %}
+
+{%- else %}
+{%- do salt.log.debug('profile.prometheus: no targets defined') %}
+{%- endif %}

salt/role/bookstack.sls

@@ -0,0 +1,4 @@
+include:
+  - role.web.apache-httpd
+  - role.memcached
+  - profile.bookstack

salt/role/memcached.sls

@@ -0,0 +1,2 @@
+include:
+  - memcached.config

salt/role/monitoring/prometheus-alertmanager.sls

@@ -0,0 +1,2 @@
+include:
+  - prometheus.config

salt/role/monitoring/prometheus-exporter-blackbox.sls

@@ -0,0 +1,2 @@
+include:
+  - prometheus.config

salt/role/monitoring/prometheus.sls

@@ -0,0 +1,3 @@
+include:
+  - prometheus.config
+  - profile.prometheus.targets

salt/role/web/apache-httpd.sls

@@ -0,0 +1,2 @@
+include:
+  - profile.apache-httpd