#!/bin/bash
# Validate the salt-generated nginx configs
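# This script is run from the repository root: pillar/, salt/, bin/ and
# test/ are all addressed relative to the current directory.
(( EUID == 0 )) || { echo 'Please run this script as root'; exit 1; }

# provides echo_INFO, echo_PASSED and echo_FAILED; without it the role loop
# below cannot report anything, so a failed source is fatal
source bin/get_colors.sh || exit 1

# record the versions of the tools under test in the log
rpm -q nginx salt salt-master

# Overall exit status of the validator; any failing check below sets it to 1.
STATUS=0

# id pillar of this host, rewritten per role so that only the role under test is active
IDFILE="pillar/id/$(hostname).sls"
# pristine copy taken before the first role; restored before every role run
IDFILE_BASE="$IDFILE.base.sls"

# NOTE(review): presumably dropped so the rendered config does not depend on
# the CI worker's virtualisation grains -- confirm against the salt states
sed -i -e '/virtual/d' -e '/virt_cluster/d' /etc/salt/grains

# Every later role run copies IDFILE_BASE back over IDFILE, so a missing
# backup would leave the host without an id pillar at all.
cp "$IDFILE" "$IDFILE_BASE" || { echo "ERROR: cannot back up $IDFILE to $IDFILE_BASE"; exit 1; }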
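#######################################
# Restore the pristine nginx config tree and id pillar, then enable only the
# role under test in the id pillar.
# Globals:   IDFILE, IDFILE_BASE, role (read)
# Arguments: none
# Returns:   0 on success; 1 if a pristine copy is missing or cannot be restored
#######################################
reset_nginx() {
  # drop whatever role the previous iteration appended to the id pillar
  cp "$IDFILE_BASE" "$IDFILE" || { echo "ERROR: cannot restore $IDFILE from $IDFILE_BASE"; return 1; }

  # Only wipe /etc/nginx once the backup is known to exist; otherwise a failed
  # restore would leave the host with no nginx config at all.
  [[ -d /etc/nginx_orig ]] || { echo "ERROR: /etc/nginx_orig is missing, cannot reset /etc/nginx"; return 1; }
  rm -rf /etc/nginx
  cp -a /etc/nginx_orig /etc/nginx || { echo "ERROR: cannot restore /etc/nginx from /etc/nginx_orig"; return 1; }

  # The role name goes through %s rather than the format string so that a
  # name containing '%' or '\' is written literally.
  printf 'roles:\n- %s' "$role" >> "$IDFILE"
}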
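#######################################
# Reset the grains-retrieved IPs in the role's pillar to 127.0.0.1, as
# `nginx -t` actually tries to bind to any configured listen IP.
# Globals:   role (read)
# Arguments: none
# Returns:   sed's status; 1 if the role's pillar file does not exist
#######################################
reset_ip() {
  local pillar="pillar/role/$role.sls"
  [[ -f $pillar ]] || { echo "ERROR: $pillar not found"; return 1; }
  # [^}]* instead of .*: with .* two placeholders on one line (for example
  # "{{ ip4_a }}:{{ ip4_b }}") would be collapsed into a single 127.0.0.1,
  # which changes the listen directive rather than just its address.
  sed -i -e 's/{{ ip4_[^}]* }}/127.0.0.1/g' "$pillar"
}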
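#######################################
# Replace every TLS key and certificate the role's pillar references with
# the throw-away fixture pair from test/fixtures/.
# We are replacing both the cert/key pair because:
# - the key is encrypted and the CI worker can't decrypt it
# - the nginx validation command tries to match the pair
# Globals:   role (read); STATUS (set to 1 when a path is rejected)
# Arguments: none
# Outputs:   one diagnostic line on stdout per rejected path
#######################################
create_fake_certs() {
  local pillar="pillar/role/$role.sls"
  _install_fake_tls_files "$pillar" 'ssl_certificate_key' key
  _install_fake_tls_files "$pillar" 'ssl_certificate:' crt
}

#######################################
# Copy one fixture file over every path named on a matching pillar line.
# Globals:   STATUS (set to 1 when a path lacks the expected extension or
#            the copy fails)
# Arguments: $1 - pillar file to scan
#            $2 - grep pattern selecting the lines (e.g. 'ssl_certificate:')
#            $3 - required extension and fixture suffix: 'key' or 'crt'
# Outputs:   a diagnostic line on stdout per rejected path
#######################################
_install_fake_tls_files() {
  local pillar=$1 pattern=$2 ext=$3
  local line target
  while IFS= read -r line; do
    # Everything after the first ':' is the value, so a path containing ':'
    # is not truncated; then drop the whitespace YAML allows around it.
    target=${line#*:}
    target=${target#"${target%%[![:space:]]*}"}
    target=${target%"${target##*[![:space:]]}"}
    [[ -n $target ]] || continue
    if [[ ${target##*.} != "$ext" ]]; then
      echo "$pillar \"${pattern%:}: $target\" should have extension .$ext"
      STATUS=1
    elif ! cp -- "test/fixtures/domain.$ext" "$target"; then
      # cp already reported why on stderr; make the failure count in the exit code
      echo "$pillar \"${pattern%:}: $target\" could not be replaced by the fixture"
      STATUS=1
    fi
  done < <(grep -- "$pattern" "$pillar")
}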
#######################################
# Create the files a role's nginx config includes or references but which
# salt does not produce on the CI worker, so `nginx -t` does not trip over
# their absence.
# Arguments: $1 - role name; roles without an arm below need nothing
# Returns:   status of the last command in the matching arm, 0 if none matched
#######################################
touch_includes() {
  local role_name=$1
  local map_name pem_name
  case "$role_name" in
    mailman3)
      # rewrite maps referenced by the mailman3 vhost
      for map_name in mails lists feeds mboxs miscs; do
        touch "/etc/nginx/${map_name}.rewritemap"
      done
      ;;
    pagure)
      touch /etc/nginx/acme-challenge
      mkdir -p /etc/ssl/services/letsencrypt
      # combined cert+key fixture for each key type the vhost configures
      for pem_name in rsa ecdsa; do
        cat test/fixtures/domain.crt test/fixtures/domain.key \
          > "/etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_${pem_name}.pem"
      done
      sed -i '/ ssl_dhparam / d' /etc/nginx/ssl-config
      ;;
  esac
}
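# Keep a pristine copy of the packaged nginx config; reset_nginx restores it
# before each role so roles cannot leak config into each other.
cp -a /etc/nginx /etc/nginx_orig || { echo 'ERROR: cannot back up /etc/nginx to /etc/nginx_orig'; exit 1; }

# bin/get_roles.py prints whitespace-separated role names; read -a splits on
# whitespace without the glob expansion an unquoted $(...) would apply.
# read returns non-zero at EOF (no NUL terminator) but the array is filled.
read -r -d '' -a WEB_ROLES < <(bin/get_roles.py) || true
# A validator that finds no roles would otherwise report success having tested nothing.
(( ${#WEB_ROLES[@]} > 0 )) || { echo 'ERROR: bin/get_roles.py returned no roles'; exit 1; }

for role in "${WEB_ROLES[@]}"; do
  rolestatus=0
  # only roles whose state mentions nginx produce config worth validating
  grep -q nginx "salt/role/$role.sls" || continue

  echo_INFO "Testing role: $role"
  reset_nginx || rolestatus=1
  reset_ip || rolestatus=1
  # salt's own output is noise here; a non-zero exit means salt could not
  # apply the role at all, in which case /etc/nginx is not the role's config.
  salt-call --local -l quiet state.apply "role.$role" > /dev/null || rolestatus=1
  create_fake_certs
  touch_includes "$role"

  # test config file syntax
  nginx -tq || rolestatus=1

  # make sure all vhost config files are named *.conf (without that suffix, they get ignored)
  for file in /etc/nginx/vhosts.d/*; do
    [[ -e $file ]] || continue   # unmatched glob stays literal when vhosts.d/ is empty
    if [[ $file != *.conf ]]; then
      echo "ERROR: $file is not named *.conf"
      rolestatus=1
    fi
  done

  if (( rolestatus == 0 )); then
    echo_PASSED
  else
    echo_FAILED
    # dump the generated vhosts so the failure can be diagnosed from the CI log
    head -n1000 /etc/nginx/vhosts.d/*
    echo "### end of /etc/nginx/vhosts.d/* for role $role"
    STATUS=1
  fi
  echo
done

# STATUS is only assigned on failure; treat "never set" as success rather than
# falling back to the status of whatever command ran last.
exit "${STATUS:-0}"

# vim:expandtab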
|