Compare commits
29 commits
6cfa2b3da7
...
98158e1be5
Author | SHA1 | Date | |
---|---|---|---|
|
98158e1be5 | ||
78bc2b3f7e | |||
26ee034887 | |||
d891874202 | |||
c11e95f5fe | |||
9596f9d210 | |||
e57349f011 | |||
02578640a9 | |||
c9bdb766eb | |||
9425d56716 | |||
b2d3b80f37 | |||
d67cc24318 | |||
efd05971b1 | |||
8dd5534b0f | |||
d24fa23262 | |||
84fc07cffe | |||
5b68f26771 | |||
dc59842fe8 | |||
a91bb85313 | |||
5f0c24865f | |||
8ee75b0601 | |||
62670483c1 | |||
ace56103fc | |||
4afec74a34 | |||
d4d998cf81 | |||
9794b03d44 | |||
45a44789a4 | |||
4201f18ce6 | |||
8057a2fa22 |
9 changed files with 68 additions and 28 deletions
|
@ -1,5 +1,9 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
if ! [[ $(hostname) =~ monitor ]]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
repo="/var/cache/cosmos/repo"
|
repo="/var/cache/cosmos/repo"
|
||||||
common="${repo}/global/overlay/etc/hiera/data/common.yaml"
|
common="${repo}/global/overlay/etc/hiera/data/common.yaml"
|
||||||
|
|
||||||
|
|
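Review bot: The new hostname guard uses an unanchored regex, so `[[ $(hostname) =~ monitor ]]` also passes on any host whose name merely contains the substring (a `db-monitoring-test` box, say); if the intent is a host named monitor-something, anchor it: `if ! [[ $(hostname) =~ ^monitor ]]; then`. The early `exit 0` is silent, which is fine for a scheduled job but deserves a one-line comment such as `# this job is only meant for the monitor host; elsewhere it is a deliberate no-op` so the next reader does not mistake it for a failure path. No `set -euo pipefail` is visible in the script header; the rest of the script lies outside the hunk, so whether later commands check their own errors cannot be judged here.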
|
@ -33,6 +33,7 @@ define sunetdrive::app_type (
|
||||||
$dbhost = 'proxysql_proxysql_1'
|
$dbhost = 'proxysql_proxysql_1'
|
||||||
$dbname = 'nextcloud'
|
$dbname = 'nextcloud'
|
||||||
$dbuser = 'nextcloud'
|
$dbuser = 'nextcloud'
|
||||||
|
$full_backup_retention = hiera('full_backup_retention')
|
||||||
$instanceid = safe_hiera('instanceid')
|
$instanceid = safe_hiera('instanceid')
|
||||||
$mysql_user_password = safe_hiera('mysql_user_password')
|
$mysql_user_password = safe_hiera('mysql_user_password')
|
||||||
$passwordsalt = safe_hiera('passwordsalt')
|
$passwordsalt = safe_hiera('passwordsalt')
|
||||||
|
@ -91,6 +92,11 @@ define sunetdrive::app_type (
|
||||||
$lb_servers = hiera_hash($environment)['lb_servers']
|
$lb_servers = hiera_hash($environment)['lb_servers']
|
||||||
$document_servers = hiera_hash($environment)['document_servers']
|
$document_servers = hiera_hash($environment)['document_servers']
|
||||||
|
|
||||||
|
# Calculate some values
|
||||||
|
$expiration_months = max(12, $full_backup_retention)
|
||||||
|
$expiration_days_min = $expiration_months * 31
|
||||||
|
$expiration_days_max = $expiration_months * 31 + 93
|
||||||
|
|
||||||
unless $is_multinode{
|
unless $is_multinode{
|
||||||
user { 'www-data': ensure => present, system => true }
|
user { 'www-data': ensure => present, system => true }
|
||||||
|
|
||||||
|
|
|
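Review bot: `$expiration_months = max(12, $full_backup_retention)` feeds a Hiera value straight into `max` without a type cast; if `full_backup_retention` arrives as a String (YAML quoting is enough), `max` falls back to version-dependent mixed-type comparison and a value like `"9"` can win over `12` lexicographically, after which `"9" * 31` silently yields 279 days instead of the intended 372-day floor. Casting at the lookup pins the intent: `$full_backup_retention = Integer(hiera('full_backup_retention'))`. The derived values also want a why-comment, e.g. `# retention is configured in months; Nextcloud takes day bounds, so use 31 days/month and give the purge window an extra 3 months`. The same three calculation lines appear in another manifest in this commit, so a single shared place for them would keep both in step. The `define sunetdrive::app_type` body continues outside the hunk.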
@ -18,7 +18,7 @@ define sunetdrive::db_type(
|
||||||
$mariadb_dir = '/etc/mariadb'
|
$mariadb_dir = '/etc/mariadb'
|
||||||
$mycnf_path = 'sunetdrive/mariadb/my.cnf.erb'
|
$mycnf_path = 'sunetdrive/mariadb/my.cnf.erb'
|
||||||
$server_id = 1000 + Integer($facts['networking']['hostname'][-1])
|
$server_id = 1000 + Integer($facts['networking']['hostname'][-1])
|
||||||
ensure_resource('file',$mariadb_dir, { ensure => directory, recurse => true } )
|
ensure_resource('file',$mariadb_dir, { ensure => directory } )
|
||||||
$dirs = ['datadir', 'init', 'conf', 'backups', 'scripts' ]
|
$dirs = ['datadir', 'init', 'conf', 'backups', 'scripts' ]
|
||||||
$dirs.each |$dir| {
|
$dirs.each |$dir| {
|
||||||
ensure_resource('file',"${mariadb_dir}/${dir}", { ensure => directory, recurse => true } )
|
ensure_resource('file',"${mariadb_dir}/${dir}", { ensure => directory, recurse => true } )
|
||||||
|
|
|
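Review bot: Dropping `recurse => true` on `$mariadb_dir` is sound, but the loop right below still sets `recurse => true` on every subdirectory, including `datadir`; since none of these resources manage owner, group or mode, recursion has nothing to apply and only makes the agent walk the whole tree (potentially the full database data directory) on every run. Either drop it there too, `ensure_resource('file',"${mariadb_dir}/${dir}", { ensure => directory } )`, or, if the point was to enforce permissions, state them explicitly on the directories that would hold credentials and dumps (presumably `conf` and `backups`, e.g. `mode => '0750'`) — which was intended is not visible here. The `define sunetdrive::db_type` body continues outside the hunk.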
@ -291,6 +291,15 @@ MACAddressPolicy=none'
|
||||||
if $customer_config['twofactor_enforced_excluded_groups'] {
|
if $customer_config['twofactor_enforced_excluded_groups'] {
|
||||||
$twofactor_enforced_excluded_groups = $customer_config['twofactor_enforced_excluded_groups']
|
$twofactor_enforced_excluded_groups = $customer_config['twofactor_enforced_excluded_groups']
|
||||||
}
|
}
|
||||||
|
if $customer_config['full_backup_retention'] {
|
||||||
|
$full_backup_retention = $customer_config['full_backup_retention']
|
||||||
|
} else {
|
||||||
|
$full_backup_retention = hiera('full_backup_retention')
|
||||||
|
}
|
||||||
|
# Calculate some values
|
||||||
|
$expiration_months = max(12, $full_backup_retention)
|
||||||
|
$expiration_days_min = $expiration_months * 31
|
||||||
|
$expiration_days_max = $expiration_months * 31 + 93
|
||||||
|
|
||||||
# Secrets from local.eyaml
|
# Secrets from local.eyaml
|
||||||
$admin_password = safe_hiera("${customer}_admin_password")
|
$admin_password = safe_hiera("${customer}_admin_password")
|
||||||
|
|
|
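Review bot: The new `full_backup_retention` lookup and the three `expiration_*` lines duplicate, verbatim, the block added to `sunetdrive::app_type` in this same commit; two copies of a retention calculation are how the two code paths drift, so consider computing it once (a small function or a shared class variable) and reading it in both places. The per-customer override `if $customer_config['full_backup_retention']` is also the right place to validate the value, since it comes from per-customer data: `$full_backup_retention = Integer($customer_config['full_backup_retention'])` rejects non-numeric input at compile time instead of letting `max` compare a string against `12`. The surrounding class starts before and ends after the hunk, so where `$customer_config` itself is validated cannot be seen here.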
@ -12,6 +12,8 @@ class sunetdrive::proxysql (
|
||||||
$config = hiera_hash($environment)
|
$config = hiera_hash($environment)
|
||||||
$db_ip = $config['db']
|
$db_ip = $config['db']
|
||||||
$nextcloud_ip = $config['app']
|
$nextcloud_ip = $config['app']
|
||||||
|
$nextcloud_ipv6 = $config['app_v6']
|
||||||
|
$nextcloud_ip_all = $nextcloud_ip + $nextcloud_ipv6
|
||||||
$proxysql_ok_num = length($nextcloud_ip)
|
$proxysql_ok_num = length($nextcloud_ip)
|
||||||
$proxysql_warn_num = $proxysql_ok_num - 1
|
$proxysql_warn_num = $proxysql_ok_num - 1
|
||||||
|
|
||||||
|
@ -79,7 +81,7 @@ class sunetdrive::proxysql (
|
||||||
iif => 'ens3',
|
iif => 'ens3',
|
||||||
}
|
}
|
||||||
sunet::nftables::docker_expose { 'proxysql':
|
sunet::nftables::docker_expose { 'proxysql':
|
||||||
allow_clients => ['any'],
|
allow_clients => $nextcloud_ip_all,
|
||||||
port => 6032,
|
port => 6032,
|
||||||
iif => 'ens3',
|
iif => 'ens3',
|
||||||
}
|
}
|
||||||
|
|
|
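Review bot: `$nextcloud_ip_all = $nextcloud_ip + $nextcloud_ipv6` assumes every environment hash carries an `app_v6` key; where it is absent, `$config['app_v6']` is undef and the concatenation either fails to compile or appends an undef element that the nftables rule for port 6032 cannot render, so give it a safe default, `$nextcloud_ipv6 = pick($config['app_v6'], [])` (or the equivalent selector). Narrowing `allow_clients` from `['any']` to the app nodes is the right direction; note that 6032 is ProxySQL's admin interface rather than its SQL port, so if the app nodes only need the SQL-facing port it may be possible to restrict 6032 further to the hosts that actually administer or monitor the proxy — whether they do is not visible here. `$proxysql_ok_num = length($nextcloud_ip)` still counts IPv4 addresses only, which may or may not be what the check consuming it expects once dual-stack clients connect. The `sunetdrive::proxysql` class continues outside the hunk.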
@ -29,17 +29,23 @@ class sunetdrive::satosa($dehydrated_name=undef,$image='docker.sunet.se/satosa',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sunet::docker_run {'satosa':
|
$dehydrated_status = $dehydrated_name ? {
|
||||||
image => $image,
|
undef => 'absent',
|
||||||
imagetag => $tag,
|
default => 'present'
|
||||||
dns => ['89.32.32.32'],
|
}
|
||||||
volumes => ['/etc/satosa:/etc/satosa','/etc/dehydrated:/etc/dehydrated'],
|
file {'/opt/docker_run':
|
||||||
ports => ['443:8000'],
|
ensure => 'absent',
|
||||||
env => ['METADATA_DIR=/etc/satosa/metadata', 'WORKER_TIMEOUT=120']
|
}
|
||||||
|
sunet::docker_compose { 'satosa':
|
||||||
|
content => template('sunetdrive/satosa/docker-compose.yml.erb'),
|
||||||
|
service_name => 'satosa',
|
||||||
|
compose_dir => '/opt/',
|
||||||
|
compose_filename => 'docker-compose.yml',
|
||||||
|
description => 'Satosa',
|
||||||
}
|
}
|
||||||
file {'/etc/satosa/proxy_conf.yaml':
|
file {'/etc/satosa/proxy_conf.yaml':
|
||||||
content => inline_template("<%= @merged_conf.to_yaml %>\n"),
|
content => inline_template("<%= @merged_conf.to_yaml %>\n"),
|
||||||
notify => Sunet::Docker_run['satosa']
|
notify => Sunet::Docker_compose['satosa']
|
||||||
}
|
}
|
||||||
$plugins = hiera('satosa_config')
|
$plugins = hiera('satosa_config')
|
||||||
sort(keys($plugins)).each |$n| {
|
sort(keys($plugins)).each |$n| {
|
||||||
|
@ -47,23 +53,13 @@ class sunetdrive::satosa($dehydrated_name=undef,$image='docker.sunet.se/satosa',
|
||||||
$fn = $plugins[$n]
|
$fn = $plugins[$n]
|
||||||
file { $fn:
|
file { $fn:
|
||||||
content => inline_template("<%= @conf.to_yaml %>\n"),
|
content => inline_template("<%= @conf.to_yaml %>\n"),
|
||||||
notify => Sunet::Docker_run['satosa']
|
notify => Sunet::Docker_compose['satosa']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sunet::misc::ufw_allow { 'satosa-allow-https':
|
sunet::misc::ufw_allow { 'satosa-allow-https':
|
||||||
from => 'any',
|
from => 'any',
|
||||||
port => '443'
|
port => '443'
|
||||||
}
|
}
|
||||||
$dehydrated_status = $dehydrated_name ? {
|
|
||||||
undef => 'absent',
|
|
||||||
default => 'present'
|
|
||||||
}
|
|
||||||
sunet::docker_run {'alwayshttps':
|
|
||||||
ensure => $dehydrated_status,
|
|
||||||
image => 'docker.sunet.se/always-https',
|
|
||||||
ports => ['80:80'],
|
|
||||||
env => ['ACME_URL=http://acme-c.sunet.se']
|
|
||||||
}
|
|
||||||
sunet::misc::ufw_allow { 'satosa-allow-http':
|
sunet::misc::ufw_allow { 'satosa-allow-http':
|
||||||
ensure => $dehydrated_status,
|
ensure => $dehydrated_status,
|
||||||
from => 'any',
|
from => 'any',
|
||||||
|
@ -78,12 +74,6 @@ class sunetdrive::satosa($dehydrated_name=undef,$image='docker.sunet.se/satosa',
|
||||||
cert_file => '/etc/satosa/https.crt'
|
cert_file => '/etc/satosa/https.crt'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
file { '/opt/satosa':
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
-> file { '/opt/satosa/restart.sh':
|
-> file { '/opt/satosa/restart.sh':
|
||||||
ensure => file,
|
ensure => file,
|
||||||
owner => 'root',
|
owner => 'root',
|
||||||
|
|
|
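Review bot: Removing the `file { '/opt/satosa': … }` resource leaves the `->` in front of `file { '/opt/satosa/restart.sh':` dangling: its left operand is now whatever the closing `}` just above it ends, which looks like a conditional or loop, and as far as I recall Puppet rejects a relationship arrow whose left side evaluates to undef (the branch not taken) as an illegal relationship operand. Drop the arrow and put the ordering on the resource itself, `file { '/opt/satosa/restart.sh': ensure => file, require => Sunet::Docker_compose['satosa'], …`, assuming `sunet::docker_compose` creates the `/opt/satosa` directory from `compose_dir`/`service_name` — if it does not, the restart script has no parent directory on a fresh host and the directory resource should come back. Also, if `/opt/docker_run` is a directory (the name suggests a directory of run scripts), `file {'/opt/docker_run': ensure => 'absent'}` needs `force => true` or the agent will refuse to remove it on every run. The class body continues beyond the hunks.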
@ -192,6 +192,9 @@ $CONFIG = array (
|
||||||
'secret' => '<%= @secret %>',
|
'secret' => '<%= @secret %>',
|
||||||
'skeletondirectory' => '<%= @skeletondirectory %>',
|
'skeletondirectory' => '<%= @skeletondirectory %>',
|
||||||
'templatedirectory' => '',
|
'templatedirectory' => '',
|
||||||
|
<% if @environment == 'test' -%>
|
||||||
|
'trashbin_retention_obligation' => 'auto, 30',
|
||||||
|
<% end -%>
|
||||||
'trusted_domains' =>
|
'trusted_domains' =>
|
||||||
array (
|
array (
|
||||||
<%- index = 0 -%>
|
<%- index = 0 -%>
|
||||||
|
@ -234,4 +237,7 @@ $CONFIG = array (
|
||||||
),
|
),
|
||||||
'updatechecker' => false,
|
'updatechecker' => false,
|
||||||
'version' => '<%= @nextcloud_version_string %>',
|
'version' => '<%= @nextcloud_version_string %>',
|
||||||
|
<% if @environment == 'test' -%>
|
||||||
|
'versions_retention_obligation' => '<%= @expiration_days_min %>, <%= @expiration_days_max %>',
|
||||||
|
<% end -%>
|
||||||
);
|
);
|
||||||
|
|
|
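Review bot: The two retention keys are written in Nextcloud's terse `'D1, D2'` / `'auto, D'` notation with no explanation, and the numbers come from a month-to-day approximation two files away; a PHP comment next to each would save the next reader a trip, e.g. `// versions: keep at least @expiration_days_min days, purge after @expiration_days_max days (Nextcloud 'D1, D2' form)` and `// trash: auto-expire after 30 days` — confirm the exact semantics against the documentation of the deployed Nextcloud release. Both blocks are gated on `@environment == 'test'`, so production keeps Nextcloud's defaults; if that is a staged rollout, say so in the same comment so nobody assumes production retention is configured. The surrounding `$CONFIG` array starts and ends outside the hunk.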
@ -13,7 +13,7 @@ dexec="docker exec ${container}"
|
||||||
|
|
||||||
password=$(${dexec} env | grep MYSQL_ROOT_PASSWORD | awk -F '=' '{print $2}')
|
password=$(${dexec} env | grep MYSQL_ROOT_PASSWORD | awk -F '=' '{print $2}')
|
||||||
|
|
||||||
mysql="${dexec} mysql -p${password}"
|
mysql="${dexec} mysql -p${password} -u root"
|
||||||
|
|
||||||
if [[ "$(${mysql} -NB -e 'select exists(select * from information_schema.TABLES where TABLE_SCHEMA = "nextcloud" and TABLE_NAME = "oc_global_scale_users")')" == "1" ]]
|
if [[ "$(${mysql} -NB -e 'select exists(select * from information_schema.TABLES where TABLE_SCHEMA = "nextcloud" and TABLE_NAME = "oc_global_scale_users")')" == "1" ]]
|
||||||
then
|
then
|
||||||
|
|
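Review bot: `mysql="${dexec} mysql -p${password} -u root"` still hands the MariaDB root password over on the command line, so for the duration of every query it sits in the argument list of the host-side `docker exec` process (readable by any local user via `ps`) and, briefly, in the container's `mysql` argv; the `-u root` addition does not change that. The password is already present inside the container as `MYSQL_ROOT_PASSWORD`, so there is no need to extract it on the host at all — let the container map it to `MYSQL_PWD` and exec the client, which keeps it out of every argv. The `grep MYSQL_ROOT_PASSWORD | awk -F '='` extraction also truncates a password containing `=` and would match a `MYSQL_ROOT_PASSWORD_FILE` variable, both of which disappear with that approach. This replaces the `${mysql}` variable with a shell function, so the later call sites (the `if` shown here and any others outside the hunk) change from `${mysql} -NB …` to `mysql -NB …`; the script continues beyond the hunk.
```bash
# … unchanged: container / dexec setup …

# Run the MariaDB client inside the container with the root password taken from
# the container's own environment (MYSQL_PWD), so it never appears in argv on
# the host or in the container.
mysql() {
    ${dexec} sh -c 'MYSQL_PWD="$MYSQL_ROOT_PASSWORD" exec mysql -u root "$@"' sh "$@"
}

if [[ "$(mysql -NB -e 'select exists(select * from information_schema.TABLES where TABLE_SCHEMA = "nextcloud" and TABLE_NAME = "oc_global_scale_users")')" == "1" ]]
```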
23
templates/satosa/docker-compose.yml.erb
Normal file
23
templates/satosa/docker-compose.yml.erb
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
services:
|
||||||
|
satosa:
|
||||||
|
environment:
|
||||||
|
- "METADATA_DIR=/etc/satosa/metadata"
|
||||||
|
- "WORKER_TIMEOUT=120"
|
||||||
|
dns:
|
||||||
|
- "89.32.32.32"
|
||||||
|
image: "<%= @image %><% if @tag %>:<%= @tag %><% end %>"
|
||||||
|
pull_policy: "always"
|
||||||
|
ports:
|
||||||
|
- "443:8000"
|
||||||
|
volumes:
|
||||||
|
- "/etc/satosa:/etc/satosa"
|
||||||
|
- "/etc/dehydrated:/etc/dehydrated"
|
||||||
|
alwayshttps:
|
||||||
|
environment:
|
||||||
|
- "ACME_URL=http://acme-c.sunet.se"
|
||||||
|
dns:
|
||||||
|
- "89.32.32.32"
|
||||||
|
image: "docker.sunet.se/always-https"
|
||||||
|
pull_policy: "always"
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
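Review bot: The `alwayshttps` service is now unconditional, whereas the `docker_run` it replaces carried `ensure => $dehydrated_status` and the `satosa-allow-http` firewall rule in the manifest still does; on a host with `dehydrated_name` unset the container therefore binds port 80 behind a closed firewall, harmless today but the two halves of the HTTP/ACME setup are no longer switched by the same knob. Wrap the service in the same condition: `<% if @dehydrated_name -%>` before `alwayshttps:` and `<% end -%>` after `- "80:80"`. Both services use `pull_policy: "always"`, and `docker.sunet.se/always-https` (and `satosa` whenever `@tag` is unset) is pulled by a mutable, untagged reference, so every restart may pick up a different image than the one that was reviewed; pin a tag, or better a `@sha256:` digest, at least for production. No `restart:` policy is declared for either service; if the old `sunet::docker_run` wrapper supplied one implicitly, add `restart: always` here so the IdP comes back after a crash or reboot.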