From a03244138262b378433d6f1bc0a30df606941375 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Jan 24 2020 00:30:58 +0000 Subject: Merge branch 'hellcp-configure-jekyll' into 'production' Configure jekyll See merge request infra/salt!311
---
diff --git a/pillar/id/jekyll_infra_opensuse_org.sls b/pillar/id/jekyll_infra_opensuse_org.sls
index ea5e0b7..0c04e65 100644
--- a/pillar/id/jekyll_infra_opensuse_org.sls
+++ b/pillar/id/jekyll_infra_opensuse_org.sls
@@ -5,6 +5,7 @@ grains:
 - news.o.o
 - planet.o.o
 roles:
+ - jekyll_master
 - web_jekyll
 reboot_safe: yes
 salt_cluster: opensuse
diff --git a/pillar/role/jekyll_master.sls b/pillar/role/jekyll_master.sls
new file mode 100644
index 0000000..1321fbe
--- /dev/null
+++ b/pillar/role/jekyll_master.sls
@@ -0,0 +1,16 @@
+{% if salt['grains.get']('include_secrets', True) %}
+include:
+ - secrets.role.jekyll_master
+{% endif %}
+
+profile:
+ web_jekyll:
+ git_repos:
+ news.opensuse.org:
+ repo: https://github.com/openSUSE/news-o-o.git
+ planet.opensuse.org:
+ repo: https://github.com/openSUSE/planet-o-o.git
+ server_list:
+ - jekyll.infra.opensuse.org
+ ssh_known_hosts: |
+ 192.168.47.61,jekyll.infra.opensuse.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDIQrbRoDfhX4IYr5qALDKfslpvvJ8SJRLBqkUiHifEq05SMbsqWxoylIYrQRvHw5v0jl3UNWgISWRZ1AtBDVVQ=
diff --git a/pillar/role/web_jekyll.sls b/pillar/role/web_jekyll.sls
index 5dc3bec..9df8168 100644
--- a/pillar/role/web_jekyll.sls
+++ b/pillar/role/web_jekyll.sls
@@ -51,3 +51,8 @@ nginx:
 - error_log: /var/log/nginx/{{ website }}.error.log
 enabled: True
 {% endfor %}
+
+profile:
+ web_jekyll:
+ ssh_pubkey: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINNg3043py2Oe/LfLU0+mE+ehe7gI3e2QajbSUI6p4Zm web_jekyll@salt'
+ websites: {{ websites }}
diff --git a/pillar/secrets/role/jekyll_master.sls b/pillar/secrets/role/jekyll_master.sls
new file mode 100644
index 0000000..13777f0
--- /dev/null
+++ b/pillar/secrets/role/jekyll_master.sls
@@ -0,0 +1,88 @@ +#!yaml|gpg + +profile: + web_jekyll: + ssh_private_key: | + -----BEGIN PGP MESSAGE----- + + hQQOA7A9CHm0S6RyEA/+IR8z+kAXdw2yc5JeDryTK8l6qzTZFgcDrTrklGIg/zOj + 7JO94D+D05LuEeXqNexFM/4hKNNo7Z9FIDAmx+PfTTcw4bnHtEBQ3FGlMmIcgxok + XJoIOtcZNyoHq3t40VDmJq4+p9XCAdXqQvuWOkydzAF2Gi3ZD65EgL1EKNTHtvJe + Flb41S2M+ktlLs/TboYTYMaVhZpQsI9MjF+GDQyQbTadoXNQEOuIt4+qLYir1LZt + Mq499ujf3JfsLcTYvv9ki2VYK1Kvbi7RsJNewh/4HCPbw/SCMAPnAWCnWtFuFRZz + StcOk5oteF46pGVSgdHnbf8n+kHSapFk12x3NA66X7SHxrsm40qlr2Rw4mY4QCH3 + L1kJAWMXWAZkdcipL08jgeu8WHDelXGxsa+iqAkEFwPKkYdpgnkWHrhw/EbTEX+o + bIBz7l6pt/SpXA7NaSGkXhyBV8M6Vss8KmHG/IK7aIWc/ZdyQAGLct03dXXB1GGr + 5cwSUJ/L3PypNtev4L4WI8lHXedUrI94xetTuSdlmHoRr8xu5mt12tjf0NxSMCjw + mpJWjrag3yLT/RqCoqflVPN1Cjl4nmEkb40AfrSyKzGmbB+n3+EHjnZwkUGS7P3B + dqDF5ieY+8VBJ9+TV8Z+r+x9b7BKRGahKrMfQiFU90wCt1kf9Lj/51ETwwSWbAEP + /As9pKHgJCJ+I+j/DcrDtmCYPqsn2P1sHXk3leE6RjERPsHJLq3PZbwkGGN84g0c + NfOb0ZHnnAwTC9ofHb3X4yjtVwz49NCDmzL0qZeHjDLOvt5JEAsOTtwZlpK2uaHa + 2+oWct662pQ6fmlzygfGsJgYlWkSGp8xTEwjp/PHLoSTCyOj7MrZgLSxZxAAMjCu + d9N+rUdvgN9c9nSeSXRikGCkyo3N4ymS/QGAQeD+n0pHtxjYFlGKXDd41QsDQvsb + oQWafnyXtcwYFIfEncdf0uO4XriSyLoH4aqZ5sT7OGxLBi3+VqvPlav8eDsgbIo1 + +E+mEbiX1QBM57MM57trGjG3A7TnMiCKTSkRmV18ivol+TETFVRkdkSjJnnapRmU + eange17GLWMEMbIMmvtd+zMuzhl9aJ/xlY7r1XEOAOSl+NjSxnA8pTct0VTcQ4l/ + PJqyQ4lKqbVPA9id+Bid1b8aY+7VZ6ufBvq6sp9sAJahmUTjJYQ7EGt3lo3iBkI9 + 6P2grB88zAHEBuIo8qnxLeP46+nlLZO0jf20N3iXK8CWxV7k3VMVDEqH5/JCbQG3 + 7sUED8OeKGCf62adtbjVYkE0Ul8xaGzFvf8WeEVF68HaX7yWbu4NFomOSJqWnE+6 + 56fqC92mKs7cEyaG65iPLtRRjfsoxguOEiG4D89UQCArhQIMA8amgupjyC8cAQ// + ZNutiWSUNFOHowoejRpPxL2cT1GmHzyJshD6eGUCa+t3/ugZmbHlZ7WvkeckX9W0 + mbVn74OZAeHpXtX6ZFcWN4geWlI6LuA+3hZKWdBJlviKt/ptbx/+YWqnbme18wRW + tyvR1rw2VLkmFecRqd/cKKajIbtRHT+eVC3kA/CrwJZu7nel5hJpSvtNKUgtigJU + VdLy5c9ECtZnl3K78e3EHzi1PytSOPRG3pCL69SsE033bZgpun4t4Gn0nIQheivO + 0jDI7htplmj0T5XRH/t3pNWS1h2z8Y1qzMdQbY+SXsoKtHgyBj+gBNscMBh9KaLL + lOSkmtgkr/5Goq/9rRoM+LSkoUyxpN0Y4slgFUC/xL2+JVoj8bvw1HWsZnnu8naZ + 
DJdActwt7JOLjFbX9cHR9FOBcOlQXNDAsSNtr81ksUcWeBga0IHg9fh1PmabO1gR + LU4Mt6lN1s8j8CZ2QC48oKf/yo4kDYpvSsnOo7bF785HHDIx7j2XkCUityv4k2D1 + hV5NR6wUN8B5xcTdA8yVuy63M4KIsfwA1Iu6xBfBKvDmyS5SWeoAWtNjgj9Q7O83 + IPxrA3EbTN5rDMQXlTk/3VfrS/pzjv7NUgl4O4eDxFgUyNYH96AenI7BtBigwaDe + 5mmp3vfA8bWFa4uZsmmKrpS97p936TWkhN1Rn64ApMCFAQ4DslgfDDfB4G8QA/40 + N0tUmS6pf0VFqBVz+3/3LIhazzuflQ8q/eOBaXUQ9hueB/8Y/j5DcKvRmM7N4tWg + rZT5eghjW2ci5xFMt7b7/31Pwzmwmj0kTUhtXsigZtaN3BKZVKiFQVj0/xvoAcUh + bCK3YOoNIL1tblTLVmVnYuGHs/F8QEjWTewCUJYX5wP9GZWjSligEiAqWtqQZzll + VJtV1DsuDd8Rtf0DTXvL+rEDqFtY0iUKtqltVkH1lv100BY8g7aNn7rauTW1AFq5 + lepSCpFriOnRI9KLHF4d1BjhI8wkZB5Kia+l6tspcsjug/KeqcVzrIA76oYGSERJ + SOagRdSpw2FkASnxqXd3pFyFAg4DiLcKbyvsTOYQCACFeu1QUGL4m+Ssk0rTjULi + MAlaUAiXPX4sv73Bfj3cUXj3rnJAoD9EMuxq9ahb0ypgGoss762PqKGZS5jzIEZf + RxAkh9SUqmf8Q24SxlNPvu7oxXUpY//TSemh3WrzdBl2urhQFQL2QKBf6ERp+hNo + KD/vA7We3q6DNOGVRNgQqlP48wttC9uTn8+3urdMA53ef+xUTkEfb/z8d39ReAkH + OcTgopL9+GQTOP7pnAkK1wKsvT40eZE0WP3cG6jTKYiiGPEjav2Bb9nbEqY/Va0J + yRbyuZ37/bBZS1n7QE0PiNNj8jgGQiBTuj4v6FpiEjffiTg45TVxqoehQQsIwffk + B/4kqgEd/byNE5PCKOuLeuLCQbuJ7i+uUTe01Cz5AmB1u5nm24F9EeuW5iKMy0TF + ZLrNqatnYGL8xsJ2ECYgFF8eQ5ZJrFt3DbMTf/NmQfbCRN6wCb/NAyqkiUL0zxXX + /VoYkGh9Jb4UB8Q6yizDQOE7Gp03hJzvDounrzNAt5dtJkB3AOBpMtCC52/eA10g + CoyPCnCPpGrfTUrGeHw0yEXzNOCy8R+2PLO4Wlit9q9CHmueIiMYMvsbhOhO9lhK + vbZ2+4B+FT6srmlDn1ChXKCkVvGkZk1ky00enE2TD7fK3Cei+JtjQ1SLOmWmEyNE + NDNGZHqfYo0T2Oh4f03ju4llhQIMA1tQWD9t5xGsAQ/8C8bXSa4tvNqWs2UDDkJe + CpgeonA8Dd+hbqpvOnp2osJaYZWQsm/2h1wx5mx7qJOe4cuztlmwx3PQcntvAk72 + yUzpm4FW/G5SGXe/ZhfvstSUNMM7YzizSjLZkXlTjI5RS26mlkk/+aVhyzDukOSc + C2tASli9crRrbi1xp1et+xp1ZRfQIMKf7yjazRNBD4o3o4ZcG61wumJ2Xn9hdyf9 + 4GlGBDZf1/NfvlAczl1W5lBmh7pD+vTUnhkTMIi3OtIyARQpB6JnsPDvGhp993LT + 6A0VlIH/Oe5siN6mA0RwCEYO25E6YQcU48h3uzYdYXcRFz6vKM39igrjqmqcLuwy + BZevkQk+dtcd5SbRJ4G1kSSyUepspIeG1es7a0V4glvo1mxCz3xEcLJQIrARF7ta + 5J2LIdVpOEDQzwrPXtCd/u9MCyFrpalKdTCnTyFqOPtxxaFB82cnOCsLYV4m/cTQ + 
jD+rYrg9k69Pe2ecVILL7luEFr1Cy905nPlyJqrMz6YyjH0KCZzTjfOL6SJhPAmL + 8u0yAoejrt1OuDNWAAWDqQx+Poxan+lqWmETHgSkAb3fhMXpSk0mWLpU+5axdqCS + hvRE3ZWk+frAMNfrd9lJ5M9KNQqwYik3kx7XvfgUyWLl6sLM9CPcWyTEg83byspM + HVySjVIaa/5e7J9C9WDoqrGFAgwDrPDOChusaZEBD/9jXOsFCc/VxYX8Z2m8tYFz + qijwmxfqqjxjtQ5NNDNY4RN+7BSOvDt1BnJ38zLNU+U/3TDddQADdGMOVoaXs75i + 8eXROgtRS43JMS/LljqOb0WEZrKJ5+HJeKSGcfnbK83afAUwQIpsZIH4PmDmlA6V + kB4vi30iojIFW/9MZo2rDkot14JiBRJdyvkhUyY9p+Q/aQPUb76naZpnCM7U5aJt + imJTJTcDpSWPZPZPq/+4yzRhe8z/UIkl6Yka13ltRppKCEbJjEwellGwoJdHMjOr + VN0D4DlippwuVzZE5QH20nOizvWUGrzYgjemPnDowXlHT6Ml2N6xP0JUl4CjCBBj + gk+p6OukFOOuxOyIiV3StiQb9dr2ghjzYv0Jp5ZqLpmbH469ro12a0A7F4O35/41 + 0aqzb0jfC90qePqY8HfssXJTM2oYuoxj/C1iPw8T3eyMAaU+jIpWGp13ZH5+xMwB + jdYzUkdAYW89wPJKmWV6lSRGZYt2tBmK7IFLiVuez8gmlo5/WJX1dDA4gD/CXKwq + nF9KbGW7jhLUMJ+Glc0m0GaUIzwZqG3UTVuZzoBF9zTNbTIgYKBt2f2vkucNW6b6 + 9CIN4a7FivPkna5XdwCoRpkZFkW1bfPrxLPrTIeC8JC4m4bMuxnVxXLRtVLy7iRw + 438RkWyKVWBJoaHFJn4RRdLAiQE4+n/pWIqHVFwSDc29qFieKtP/TLvv/P34jbny + VUgEshkZ/iuNLYFXAUjbT6eX+8N2Tc5n5yrxn+Nl2FF5OmPcbf5CHZuUdZc3LjTT + 9WO9WvtBmxxKESrhJin+NSAgSdpGR86WMRXlx5NwryEoTsAhYK3fqx3uzrnJlojR + g+yWJbiYEg1g3Y09so/TrV535T9uCvC1zsmdMzmWm9YQ8mvMvy+jIZ8g3yvye0Fv + feQQETDa8GaPmc+EFZR9r7NP74/uf5/kgaMhNRASyurh3z4nv0Bwjv1lS3ODe3tx + lfg6z4JVjGtDwWZb49Lj7D5OftIwcrGRVZoo0/OqfIKUv4jqmXTmi8Lk9HZG91/V + yo4Y9FKtaSBUhd1sFxdgC5oJM1DpfTIfDbDswVd6qPAmdJdveTgh3FqRYmUmouVx + GWu7SkFCidWECqdV + =lIhx + -----END PGP MESSAGE----- diff --git a/salt/profile/jekyll/docroot.sls b/salt/profile/jekyll/docroot.sls new file mode 100644 index 0000000..c8ffe2f --- /dev/null +++ b/salt/profile/jekyll/docroot.sls @@ -0,0 +1,11 @@ +{% set websites = salt['pillar.get']('profile:web_jekyll:websites') %} + +jekyll_vhosts_dir: + file.directory: + - name: /srv/www/vhosts/ + +{% for website in websites %} +/srv/www/vhosts/{{ website }}.opensuse.org: + file.directory: + - user: web_jekyll +{% endfor %} 
diff --git a/salt/profile/jekyll/files/git_pull_and_update.sh b/salt/profile/jekyll/files/git_pull_and_update.sh
new file mode 100644
index 0000000..b79c966
--- /dev/null
+++ b/salt/profile/jekyll/files/git_pull_and_update.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# managed by salt - do not edit
+
+BASEDIR=/home/web_jekyll/git
+DESTDIR=/home/web_jekyll/jekyll
+
+SERVERS='{% for server in server_list %}
+ {{ server }}
+{%- endfor %}'
+
+GIT_DIRS='{% for dir in git_dirs.keys() %}
+ {{ dir }}
+{%- endfor %}'
+
+# update all git repos, exit if one of them fails (better outdated than inconsistent)
+cd "$BASEDIR" || exit 1
+for dir in $GIT_DIRS ; do
+ cd "$BASEDIR/$dir" && git pull -q || exit 1
+done
+
+# build all of the sites
+cd $BASEDIR || exit 1
+for dir in $GIT_DIRS ; do
+ cd "$BASEDIR/$dir" || exit 1
+ current_md5=$(md5sum "Gemfile.lock" | cut -d " " -f1)
+ [[ $(cat Gemfile.lock.md5) != $current_md5 ]] && rm -rf vendor
+ bundle install --deployment || exit 1
+ [[ -f "update.sh" ]] && ./update.sh
+ bundle exec jekyll build -d "$DESTDIR/$dir/" && echo $current_md5 > Gemfile.lock.md5 || exit 1
+done
+
+# sync to all servers
+cd $DESTDIR || exit 1
+for dir in *.opensuse.org ; do
+ for server in $SERVERS ; do
+ rsync -az --exclude '.git' --delete-after "$@" -e ssh "$DESTDIR/$dir/" "web_jekyll@$server:/srv/www/vhosts/$dir/"
+ done
+done
+
+# vim: ts=4 expandtab
diff --git a/salt/profile/jekyll/master.sls b/salt/profile/jekyll/master.sls
new file mode 100644
index 0000000..b8aaa27
--- /dev/null
+++ b/salt/profile/jekyll/master.sls
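Review bot: The build loop in salt/profile/jekyll/files/git_pull_and_update.sh runs repository-supplied code (`./update.sh`, plus whatever `bundle install` and the Jekyll build load from the repo's Gemfile) as web_jekyll, the same account whose `~/.ssh/id_ed25519` the rsync step uses to reach every host in `$SERVERS`. Push access to either configured GitHub repository therefore amounts to read access to the deploy key, which the patch does not mention anywhere. Consider running the fetch/build half under an account that cannot read the key and only the rsync half as web_jekyll, and at minimum record the trust boundary with a comment such as `# update.sh and the Gemfile come from the git repo and run with access to the deploy key`. Separately, the rsync exit status is never checked, so a failed sync is silent in cron; appending `|| exit 1` to the rsync line would match the other steps.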
@@ -0,0 +1,71 @@
+{% set git_repos = salt['pillar.get']('profile:web_jekyll:git_repos') %}
+
+jekyll_master_pgks:
+ pkg.installed:
+ - pkgs:
+ - git
+ - rsync
+ # To find out the package name in the repo, run `zypper se --provides rubygem\(bundler\)`
+ - ruby2.5-rubygem-bundler
+ - ruby-devel
+ # Needed for planet to work with its database
+ - sqlite3-devel
+ - libopenssl-devel
+ - gcc
+ - gcc-c++
+ - make
+ - tar
+
+/home/web_jekyll/.ssh/id_ed25519:
+ file.managed:
+ - contents_pillar: profile:web_jekyll:ssh_private_key
+ - mode: 600
+ - user: web_jekyll
+
+/home/web_jekyll/.ssh/known_hosts:
+ file.managed:
+ - contents_pillar: profile:web_jekyll:ssh_known_hosts
+ - mode: 644
+ - user: root
+
+/home/web_jekyll/bin:
+ file.directory:
+ - user: root
+
+/home/web_jekyll/bin/fetch_build_and_rsync_jekyll:
+ cron.present:
+ - user: web_jekyll
+ - minute: 0
+ file.managed:
+ - context:
+ git_dirs: {{ git_repos }}
+ server_list: {{ pillar['profile']['web_jekyll']['server_list'] }}
+ - mode: 755
+ - source: salt://profile/jekyll/files/git_pull_and_update.sh
+ - template: jinja
+ - user: root
+
+/home/web_jekyll/git:
+ file.directory:
+ - user: web_jekyll
+
+/home/web_jekyll/jekyll:
+ file.directory:
+ - user: web_jekyll
+
+# clone git repos
+{% for dir, data in git_repos.items() %}
+{{ data.repo }}:
+ # salt 2018.3.3 introduced git.cloned - switch once our salt is new enough
+ git.latest:
+ - branch: {{ data.get('branch', 'master') }}
+ - target: /home/web_jekyll/git/{{ dir }}
+ # When checking out a non-default branch, salt will create a local branch based on HEAD by default.
+ # We need to specify "rev" to ensure we get the branch we want, and to make it tracking the branch from origin.
+ - rev: {{ data.get('branch', 'master') }}
+ - user: web_jekyll
+
+/home/web_jekyll/jekyll/{{ dir }}:
+ file.directory:
+ - user: web_jekyll
+{% endfor %}
diff --git a/salt/profile/jekyll/user.sls b/salt/profile/jekyll/user.sls
new file mode 100644
index 0000000..1b792d1
--- /dev/null
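Review bot: The `/home/web_jekyll/.ssh/id_ed25519` state in salt/profile/jekyll/master.sls writes the decrypted private key through `file.managed` without `- show_changes: False`, so when the key is first written or later rotated the content diff can end up in the state return and the Salt master's job cache. Adding `- show_changes: False` to that state keeps key material out of job output and logs. The same state sets no `group`, so it is worth confirming the file's group is what you expect given the `600` mode.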
+++ b/salt/profile/jekyll/user.sls
@@ -0,0 +1,23 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+web_jekyll:
+ user.present:
+ - createhome: False
+ - home: /home/web_jekyll
+ - shell: /bin/bash
+
+/home/web_jekyll:
+ file.directory:
+ - user: web_jekyll
+
+/home/web_jekyll/.ssh:
+ file.directory:
+ - user: root
+
+{% if 'web_jekyll' in roles %}
+/home/web_jekyll/.ssh/authorized_keys:
+ file.managed:
+ - contents_pillar: profile:web_jekyll:ssh_pubkey
+ - mode: 644
+ - user: root
+{% endif %}
diff --git a/salt/role/jekyll_master.sls b/salt/role/jekyll_master.sls
new file mode 100644
index 0000000..364801d
--- /dev/null
+++ b/salt/role/jekyll_master.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.jekyll.user
+ - profile.jekyll.master
diff --git a/salt/role/web_jekyll.sls b/salt/role/web_jekyll.sls
index a5b1924..1a8cc5b 100644
--- a/salt/role/web_jekyll.sls
+++ b/salt/role/web_jekyll.sls
@@ -1,2 +1,4 @@
 include:
 - profile.web.server.nginx
+ - profile.jekyll.user
+ - profile.jekyll.docroot
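Review bot: The `authorized_keys` state in salt/profile/jekyll/user.sls installs `profile:web_jekyll:ssh_pubkey` verbatim, and the value added in pillar/role/web_jekyll.sls carries no key options, so the master's key opens a full `/bin/bash` session as web_jekyll on every web server although the deploy only needs rsync into `/srv/www/vhosts/`. Prefixing the pillar value with options, for example `restrict,command="<path to rrsync> /srv/www/vhosts/" ssh-ed25519 …` (if the OpenSSH version on the web servers supports `restrict`), would limit a leaked or misused key to writing the docroots. A `from="<master address>"` option would narrow it further to connections from the build host.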