From e4be47792a1322198020e0c1d4fa6d2919bef07c Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Feb 27 2018 22:05:21 +0000 Subject: helios setup Fully salted helios setup, the only manual steps are - creating the helios database on postgresql.infra.opensuse.org - init the database (as described in salt/profile/helios/init.sls) Also adjust pillar/id/sarabi_infra_opensuse_org.sls - replace the word "future" (which is no longer correct there ;-) with the helios role. --- diff --git a/pillar/id/sarabi_infra_opensuse_org.sls b/pillar/id/sarabi_infra_opensuse_org.sls index 0a13e81..e913b5e 100644 --- a/pillar/id/sarabi_infra_opensuse_org.sls +++ b/pillar/id/sarabi_infra_opensuse_org.sls @@ -2,6 +2,8 @@ grains: city: nuremberg country: de hostusage: - - future elections.o.o + - elections.o.o + roles: + - helios salt_cluster: opensuse virt_cluster: atreju diff --git a/pillar/role/helios.sls b/pillar/role/helios.sls new file mode 100644 index 0000000..4fc34c9 --- /dev/null +++ b/pillar/role/helios.sls 
@@ -0,0 +1,57 @@
+include:
+ - role.common.nginx
+ {% if salt['grains.get']('include_secrets', True) %}
+ - secrets.role.helios
+ {% endif %}
+
+nginx:
+ ng:
+ servers:
+ managed:
+ elections.opensuse.org.conf:
+ config:
+ - upstream helios:
+ - server:
+ - unix:/srv/www/vhosts/helios-server/tmp/sockets/helios.sock
+ - fail_timeout=0
+ - server:
+ - listen: 80
+ - location /:
+ - include: /etc/nginx/uwsgi_params
+ - uwsgi_pass: helios
+ - server_name: elections.opensuse.org
+ - try_files: $uri/index.html $uri.html $uri @helios
+ - access_log: /var/log/nginx/elections.access.log combined
+ - error_log: /var/log/nginx/elections.error.log
+ enabled: True
+
+# postgres:users:helios:password included from pillar/secrets/role/helios.sls
+
+profile:
+ helios:
+ database_host: postgresql.infra.opensuse.org
+ database_name: helios
+ database_user: helios
+ default_from_email: election-officials@opensuse.org
+ default_from_name: openSUSE Election Officials
+ election_creators:
+ # admins
+ - cboltz
+ - tampakrap
+ # election commitee 2018
+ - terrorpup
+ - warlordfff
+ email_host: relay.infra.opensuse.org
+ help_email_address: election-officials@opensuse.org
+ # secret_key included from pillar/secrets/role/helios.sls
+ url_host: https://elections.opensuse.org
+
+zypper:
+ packages:
+ helios-server: {}
+ helios-server-uwsgi: {}
+ repositories:
+ openSUSE:infrastructure:elections.opensuse.org:
+ baseurl: http://download.infra.opensuse.org/repositories/openSUSE:/infrastructure:/elections.opensuse.org/openSUSE_Leap_{{ salt['grains.get']('osrelease') }}/
+ priority: 100
+ refresh: True
diff --git a/pillar/secrets/role/helios.sls b/pillar/secrets/role/helios.sls
new file mode 100644
index 0000000..905fd83
--- /dev/null
+++ b/pillar/secrets/role/helios.sls
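Review bot: The `baseurl` of the `openSUSE:infrastructure:elections.opensuse.org` repository under `zypper:repositories` is plain `http://`, so the packages that make up the election server are fetched over an unauthenticated channel and their integrity rests entirely on zypper's signature checking. Whether that check is enforced for this repository depends on the state that consumes this pillar, which is not part of the diff. If `download.infra.opensuse.org` serves HTTPS, use an `https://` baseurl; otherwise add a comment such as `# plain HTTP inside the infra network; relies on signed repo metadata and packages` so the assumption is recorded.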
@@ -0,0 +1,157 @@ +#!yaml|gpg + +postgres: + users: + helios: + password: | + -----BEGIN PGP MESSAGE----- + + hQIMA8amgupjyC8cAQ/8CrNly7RzK3ZoV+BYEemK3jFkr/xhgSImbOWHrOC42zrH + pVO9CrRb02IHxAjensYJYvE7RdYg3Hm/CcIpZLBxWAZetT9ohtK0Y1xau2exns7E + +Yj4mu1SRvfLqdaAPDlg3xOxU/3xBnnIE5ZfDwHBLSZSeq0lq9yTAOmx3C+GVz/O + mpt05Le0VHTrC/o+WonNaTcWQzIZoDy74b0CnkU33/2wOPLiYuCV1r0vG6I2zLMu + mCTYhNVASv9QpZfqumJ633KtE0Av9p3klJ8Co43n0tbr4gbePmt+OFE1PIwM26mD + n4Nxn57elqMDEIbdA9pGsWfeej4T8ts7RBcuPZ3vVjYJ8CEJfh1bBxaUqfB7yI/P + NRptvZ+0vtrQaVlePZmIPZMVo4mkDmP2k3z1XbGZ6eeUTB9yoMnFnDOuOYidFoF/ + S5tVSa0nnnVouQqcLjbN5v2EfKjHUQP1qGklKdbBEvsxnBe3AnRQkF4cMcAy8LYm + /djafcejt18c6Ldexm65jE0qSebZuhz74YsVVsiCra5DhwLA0I+RC34SaPNUBX/5 + zV9mIhvw+Ke03AjzMGjQmvbqx9PCN1QlONWx+sISLAbcNrAqIAzgcXV8M2LewpUl + +vBxxoLTn3HutFIw/E9Xea1bruysA/rUpjfb6BSPz65RPnorcXnV6QbaWmzICZeF + AQ4DslgfDDfB4G8QA/9a6Rd53bIhK3DRgm+TTEeaYMcteE562+OE9tvT5thWv1JO + yY//eDb+HmyVkU59E7qaFAqK/xVMFQr9Npd+U4lc0U8rUrZz7D2buuUbLTTEB55D + wNq+M24+UV80x9Why4AVojTPKfqeyy+RVX2d4ppOTZXgVOmYkVegAV52JbNKHwP/ + XyD+muYM+9/KLS0EgsQa+bZg99sMRu9Ya4qgh/cIhpTRk5E5f4fA+JZvSKILYZC+ + KyyPmushXYkCtuofg/ikZRnIitdQXTzo0tM47FsKAscTAjIas4KzSArECSjFSIF6 + 0RHHbjvqQdtLBGl49viUHFn6QY4zNqR0/npicOJEFYCFAg4DiLcKbyvsTOYQCAC2 + nkF5FLXvWimXNKWRGCMREGk0rLOZryx4ESc5aBmY2a8F/idH3KBZzkMKBUxaXrxX + pTRmYfBJay2pHTqjXpy2ngfH2yzjYtVKZ3r8yZeiOrJL47PnGArfVAmWLbCIGT0H + /Ou5Nfs/PqcY8UCgqLfphjZEthD+3BH6SDwVPrVdorI9pAESAKacT37vVjeUknai + b8ODCGv2WIdcFztkerLPMUkdEcyeynai3iwAfW4WM1+SbI3tCU+8q13RkcjKj8Qo + EPiak+7TI0d/CrHKkSXqluJPkmSPx+Vw0K6rdxCJFyk5LTrS1lZz4GooKyujMq1H + VCc2ZOCUfXvnl+0ra0/IB/sEJ8btiLRI3spnx3oFj0eEpxpTNW3Paq15RPENcgw0 + yhS6Zp6/hnMz5OATUwdwg9B2k1+lzW3Fo4gXO/YhVND/GW8lm9FjLj6Pe4hKzHKK + dlTrGVWItfzxEQo2Fu40OdpMr4X1HYoWuvsPkwGU19K1hmq4ZMRISu7ZyZBPdayt + ynqizmXGmXdMWDKkltTcYmy3jPuY/dyfQgHYOj370uJ2DxZM5Yl7cBMF7A80XXZv + FkFg5hzdKyt2FTP5W/mOn2ZhzOz8pSUeTu6OIFcrTz1oUwNyZoL2brJcuvfS6rQ9 + XbahChtjYGH6qY/twrQFjkq8dr7khOZry+I7MEMtovHFhQEMA1H2Gg3i02J9AQf/ + 
VfIUS58SlY0x6XXworVEFwCd7bUrUarqOE8K+SJLloA1C+ybjV0q0+v9rh8KsMig + bRn5dmb+3pVukID2L6HVC/45sr8qBjndijrZN805bS3CgloTuLhBGmPW4kiEr+JC + RKmQ+QhVnHg2Rw5aTeYSvJcAGzFFPCyWuHSlKzPRWFSjdNRnG/UvdapiS5NgqyXa + ldsLUVZzPC7N40vFGx0q0WGq+a9SV8dy4wIHW6Y3Q6a9B3OFSxYWuxcM+WaFjs6W + 6tqDNUfot2CFrebBuUv0ZsiGY8Ivmdg988C0fwnPfJrFwXh/NQldcELgCFO2ndau + Ez/X3AhiCBG9Ld7rgsOqC4UCDAP/8/F+qY2A9QEP/0Thd+FiJUMHkPZWsrllQL3N + Ju/9ATRMn5NHAgWD7V+DPB5veDPnE3ysZraQiAy99wFfN7v8EqUwZu6B4SDZio01 + D23GtbmAByLvL3cMDcN3bLysRr/Jop6AZyRo+FCKQ5GkvGDyOvhueTHk+TvBWk2E + 8C07CtdyMWmkVAjkri9n8DzAbVz8T3AodsDEt+DIzK3Klrf3ne+WJ7lU9y/SV87B + fCeGROCHkHNHVtOJ/RRKM0/dnjRADE38whXicQqkaDSd7qW5t4ecyb1PNkqWf251 + KcWdLTAeIdunWh7l6W1b+b9h7oJiWARytycYliWQvQs6p7yjbVYM+wmBODBpkCFx + 0EtM8LHnbgFs08my54UQOTDG/npBcA3cz181lt33DaD+ZRxvFSpuO4yDqFTDPq2M + ILPdZnTfV1ux2PsmmkYkVwycbwXJo0IiKQOnpzwx92h+Z4A9nwgMDi3yFxK3TWp+ + 06GfbgFywPWhR+3348nxGJ1e5nVDmOgX37K+HzIoYwdF3YFkM6+QmvoCfdLPXMDn + rm0t+IQhByLkqGqCBhSlO1A3RsgOrHIYE+5DqUVDQpjTt4+S7BsWYiv5IByEs5sJ + 4Lm8wSK5d1lMj8Yq7HIOPWygWAUUM/lzkF6Bo+1DIBBXwVvTKnT+dzW1B/Kjh7ha + klVVUbtLvVtEFQr0qkE0hQIMA2dWijyei9AnAQ/8CGQYZEbZFyeMc8KymIBc8lHV + PtctqAQgJzJKfRWbB4wqqH00bl9bbtpV0nhvyvEjybT2M43orjFgmP+4M++cz9xi + flO+zPP+bDDiNg/HbmHHPTLBQE1U8BwPEXIF5iPENoWx83xspbiAjIedJ4oEiqTW + KEl3upTNX/3MVe9TSvcuywETgbmLOImH+Q3RnRM6UOCQVIpxDIUo14NLdsln4CsV + pOh2tJEUtQdYSrW5TQJ90d9PHge6J/SxOGaUqz5v2VCwy1jLBIWmNEt5s+qROzkF + w2idLKsSGHfI50QmKuSHSRKZ8dr4ywWuGcakkN57pqJBD3u2hKWt7LPf7YhaRnUq + 3Zi4mksjPOHsXIyaPFXmFbOOeGWqXQ5fqZqss5FgV5wtZYQ4T/7T4MY7P0pmsK6/ + S/AzvOEz9rljWd6IKbNxry+clz1a0nxf68RlA84p/NvEakal2XFJgxldJ+zfJR14 + vDGWueEu3ilCXlnBjJ5QCzpg/N6++b61AS+2TkPCc729C6LA2Bc0tFW7A5+e2fCE + WqfCyYmdP1EDwIG0K1mRrDz9t1i/WxdJKFbZDBhUdFT65PNNzmkOTEMubcW0IAsx + 8jjdt+hcWbKBlKQmSapnoa3Tam1eUKk24IzSuYvHFdwBxrOk+vMM3KNU+AjUqfEA + zwla+zRaJSHEvxDlgSiFAgwDrPDOChusaZEBD/0Zd2Qii6AAklN29yPZAWkvk3rp + 136ypD0Bb7vvvSK+UrXgTQXIzkTeaNvPdY39G1Mfls2I4AD4jQBV1DJcFcbbwPgB + 
+EMoIQQ9tWpOTHAJGakvUcfvC/U1gyAzmcadhvLWDPxkmXT4vxsLghYlBbJNZhk+ + kcVAD8DQjRdkPLQW/gC5Qg/G4Kb6PGCAJTPYdQsK462w+ua82q9RhNVnnqFJNdw1 + NMLRCETiRS1cOMUNOM2/XVQR4zpZGaw88mUK3vi7XGif2qdTCaOydcDa7UbyZrCC + g6nTObd0AXLPekk7vcKFzuXFZ2ETjcj9Gh5VHmX9YrLzXGyt/qxadk87A2IdJvWa + esvyLdQXZ1yb6fng6Z8vVu6YjsEpT9vpaTQeDNCJDEesY3Avf1/Kt8D5hGV3R0NO + q8XdMiBESvTYbtauH7Ek3ORy+J4im7Cwz4bav711hybGTmNefBFLZmxOtO01VauB + T0Qj2ci7WBtAqbg1lFxmi5/BDxIdUyW4EPuQ4DAxF5U8ZqTQIFciwYZyuxEB7ZYE + CBwvvW89/B1vLVCi0dk47TeQh1cOlLa7BVaQ73hr1xhlYnKYDYdlrGIiO587y6Jy + yNr/HgZkv0DQGKzMO3BdebGifjUiZe6BAGvY92Me0m9gn3iJSDu7vJTnYFDIxDRa + m0jEeu1xVGBiLHmNdNJjAeCeAMzG4W0u3e4Iw8vN+Q9E4tom+hu3ZNW779NRLtlQ + 3mSc7Dk1ycpQ1WEdQH2CVyc2eW8l5cpPOjaPks9ZV8O6Q0rLCKZQmSYqjTyaQx4e + CjWm31AAaTLa+jhsRZ1LKemF + =0rEK + -----END PGP MESSAGE----- + + +profile: + helios: + secret_key: | + -----BEGIN PGP MESSAGE----- + + hQIMA8amgupjyC8cAQ/6A0o6yu0LYvw1wY0gBj5IvUs4vbp1wgOeBAxJHx6YcPkp + 4UVEP5O4+0VEHHQAVldRRrasZP2RmAAHJXisQ0K0QIdPz42EBP2tq+WPgFDgyZWB + 0dFanck3FFvM7Wcw2h3//JNs7Q+m3RVUFFc/MjZZY42uyhSdes8sK0haiTG5v0HA + vZMK7BAagxL2C+9Naf2BMnFfOJ39igrQZlGJDD1LjUKg2qNLW+7DIpQC9muNX5l2 + hNNjVsKWlS73amyOPO4ZL3wvUZxURLrQTFIR0y11S6Ofbi7ZzaAOHlyHiR5j2dg6 + kac1heqDGxg1n1UMHw9N6acwE2RYUr7rWDJRcR0a47LgA0uQRo3lA6U3M9DD9TdT + K8sHm+EYqSgxzLMlvIedaudiBxoNKiTLSG3s3JeSSRc9bcsI+6yXGRdBJ5YE9wJL + ra+X5v98yJ0+XT6OSQ72iSGcy4ymHBYKYOeqQgN28YkcmUGA+FNYLxkKNxG97Xn2 + nuCiricN6ezBrZa0/shuotgZIsdTUSqLmIOslYNNtEjp71l8NOOnA/4b21f1B3X7 + 7Y7oupTlU3G2FDANjcVActes526FjAfqDO+wIcJd8zL4bIHJMb/gvoF4qOTTUy1j + NEkYTuMtk5qUYv1JHMczbQzMwoV7mnwPDXYn7DIjjcIX3pFw3JuPv+FhCH4JhHaF + AQ4DslgfDDfB4G8QA/4oxI6+FEzRO1daZ0wRvjhziIIK2xpNUZU56vaKuES7EcLg + nfpPc4xaY3J+FUf+BwtSiy1qEdrEa14zViMV6BJbNU6nyyQGiP6ctwDJad9d2V/L + E73IiJzyHKP/TruRRaeX1mCiAUBpBSqz5UgkbJ7M0QGj7mUHMdkm/TTGNbAHbgP/ + eEuM8vRGrUjvoeeJp8fAA8yyGWShYxoJ1rhP4ItyLDai3Fhqxzv47QaId/uKkPIv + zXgXUYqVCKoVlnqfgO2a4Q15bQFgytqx6AAquROtBf0t8sWIgAYGF/e+XbOfNVe+ + 
9wEzZT+mH58Uz68boEQDUU0jPEDAyVtNsfi/Tl47zcKFAg4DiLcKbyvsTOYQCACY + fmFVdJc4WEymLaWLsbN9H6WhTIX+LBOLAtDY+KFVDdTCfMRvTh0BUJd+Uz5Fit6P + ZpQGCa/e0ap/DI2/udApyvb1iKfpguLe31dge4j8dLV6ZVwW4WEBTr+T9swSJPSr + yUYMhJY6VcD6nSEEBc0Lb/8FWzF7F40Xvk7mvFtUoQL2oWIsxXtk35utWU5PfGUM + xHS2TvC1HMNQMemGnjOxWiopg1x1Q70u19au5CWD2QqhRAd7hT074cjPJPI91MQH + duTm5amdF/7HOAE1GUHXsYgLs8Dou7s+6utbgmumufJzjvUa0tOqqGRzaSPh/5wz + gkizdWI5CXAqIDJDNaoYCAC4PyfkkoR6I6hlvvfCZlAAFuTZ5u2hxHS+bL0c/pve + ozGYCzK7ONRoyea4+K5Q2luJSUihtPYCCLR7a9NaanXoHKP8u/MgQqNZJXsQCHj4 + CXMXI/RHOk1nuSBhxfeWtmozghRO1UTYZ/mna+e1K4esAPjUPNJXtpOBGKLwaFPa + dr797XtsVdVyovoLYcTsGSge/oF8jqw5X6yVALKhUet5Nhd8gCw+FS3BDOgC+EOs + I4y1367c86XOV3kAr7GpQuRIrfAGE9m185K9K/rFPZC+grUGLlcs4HKRkOK2FVf2 + NGgZzhVOV8El1JS8DmfqEtfug9e7Zkvmpvc3rM7uEyk7hQEMA1H2Gg3i02J9AQgA + hRicCSEnEApEWYg+v2jabnTb9R33e7r5uoBOk5jjwgXFEbEQNHVeje4kSBhCsvNf + qgSBgwIb03wR6UoeEPDvMXO6XQ+Qf4R20zh6qNpw3lZv0QufrXgosm9AZGjVJab/ + iIl3ozx1tyIYIwMdBtqRFSn8aY3FEkyUer2rpBQIYbjT/3ZScoWEqQjEllMssTgr + EzJTjtGxlzUxzinRVXxSb8yixG64hdNj4I/tDkWXgyA8W7oIbV7SzJ5xHSav7r15 + 358OC0nqGnHJPjatEwOiRixmd1NKZk2lIYl2hi7/bivI85jo+pLPKfqg9ZWuQKIi + eHRZrSC+pISr0z6l60ppnYUCDAP/8/F+qY2A9QEP/0vb27jLJBu5/2BavqsLDSgq + Tsjg9WJbJaD4xD4gOh+/qhh5vWw18zdDmwRKqz5cmFQHjo7ULfg1NKBdeRuqEL72 + /Kp2fJzlkwRjTO2v+o84/9shHmA2aHSVhzbzYl5p8ww0Us9rOIdYmV9yQlz4nhYN + IMaIlr7wLw5yIHSGuSvAgSifzRN39rOjssNihaupCSxUYXtTFxIF8Vx2aOYzrLIa + XgenuWtO6tjh1jXr8GmZdZ+Pmii1ljSc64WFOfOZPYJWNmvI8EG/Y83ri9WDa3U+ + kmAEGQhaz1VlhAbQrPckpfqxfmcl8apOwGWVl1iJfr39L6vVgyzw86nrg9yaLGC1 + F61H+twq7XV/hyPRslVlGcRnjE5d6uZYCHhZLr1bhlS6N05BCUj1RHAQXuUXYnHb + SLnca9yO/fKSOGbrowCpAwHZMN6Eu90YDvkoOg0+H8Nau7suUlz9Nw8Ai/eQGnSR + tmsuNbkXVsSxMdvIExTT2QNbJS8KuhrsnWYAsXXNYzYZDpBL3TRi5btZqM+XRlan + iS4s98I+yVeMzAIsKm2yRZ5XtRSIwOyurhjqSkQdxF0DiTMCJnY3I1MFL9FHu8AU + 74P8P0P7xAAQXmbBv67mz/F49YqsJPN1dEfyhWL4j9BPk4umUJZT2hyv/+P9RdEj + z3DLIo1RoJoP8ritC8+OhQIMA2dWijyei9AnAQ//SKMp4Ry+Q1sVX0QVsX+5i3DZ + 
8NcMAmA7jL7lYYDbAChTRpeouTAlyahG903LG5dXI8KVpfPHkt88wGOSezSZ/+Mx + YFh06j5SPQF5UyeCk0yMQfCup0Y9/94jugk/Cekfge+pxP6vFbBw8FRLJ4kYUd/u + GeUbNYIwS/K90HPRa77TG843e8+jc9SvKSJLX4bSjMJIOSiajvJOnAxMFZWYEOfN + bS12rBP0FoX7lv7qge2dczlDnjEaf14//5oql4f3gYJcRunu0rFBdhuZwzRywb39 + f2ycqsLYIhJxlTnamHCXkYkKlh6/psuOOJHbiZpomv/6q3CuVY7csbGKWGA0+1SU + iW2uepWIjCuCqziVTDUykuThbhnUNVQNT7fYhuD/xQAtL4m+aJyeIMiq394hkMxY + GpZi8L1KTbfNfcVEtrQLYgfNU1ScxVkbrHtSpr+bcM5oLryEzMQt/wmyGZRMDhyq + +7UA2JhzSZaWGXzPuEETH9BZoRmNbrEdLCiKRtlVD/63GdXxQ7bYeZ5l3mqF+WCX + 17R0575oyh2gk6gCv/lP/tzTRn4elNlL1Sl4VihagD2WAzGXGye+jRucmBeTG7yx + GG+pZwM01hZaNPV254V2ZmjVyisLQnuW8/QZFTBxT/ERPqPIFD33u/zA9JavZZ+K + Rsz8+Z6IyMrxgIpVsqiFAgwDrPDOChusaZEBEACsRtumpSokY2J7NUMlau3OhriS + zcDvp8+99ou+3RUsJ5eXFMQI7jp2hi+JsnnbsZEO9w6YJyOoukOZ0TcWDkmaPeh/ + Xby5HJefBb8SIb3tAUDqgTydU7N4rPEY0e/7YSfBw2fX8WilkItn1+mwQgiyf/Ja + lZ0uZwldTAGO+P/2xblO/x/ovHnJVRAJiLF00EQH1B+g+uHZzjtj3og4/m70Yv2R + u5AFajrsk3OCFHFe4qmnsIrWEX4g9ZnMd2eR6HLN4pzpoHHYqsko4N9gIWZIEsao + g0Hsr0l7C0HC1HVOWINsRJoNflcb++PnugsPz1h9Rx8E76TeaOx3SzSy8NTwydvS + 6eyFeJatjZVshgXip7Ou4StXMe4DRe/Wuz9u7H5vO6sQqJEwgZNDlbcv+0UtNeb3 + BGw/CjQf9uMfmqwJ85ySPAp+ePXwbMu/XyH4m+H540g2zJxGrYAwqQoWGiHclhJi + UsqL3URecMLRvaAAQABP8vhdDhlW5G50K4Dwdma31VYqG/Ws5tkGx2Rt9WzieFrU + F+pV3vdcedBoqsxwHAsNLcYZ/mRDcs/eykn34ss9fJyw7G7DlzvbYwOZy23WTGtd + djjGXk/k4z8L446GHP2H19b8nRZQI4WO8HoE16K1Wn6rM7NXRfzW62OZh7fvtOtL + 0W2gpkRmXKuFAgM2kNJjAer5qmQvpnXVfp+TpVGEOubzuhWvR6kfqdzYWHIX9fL8 + z3SlrXnZK0xtsW/YaUVs+YJFJmVHXsgFATT60I/jpcsnb4LKvgwHUUOglXnIbZNF + rtcJGZnfU8IJeRC9cXfxAS3r + =vuyq + -----END PGP MESSAGE----- diff --git a/salt/profile/helios/files/helios-celeryd.service b/salt/profile/helios/files/helios-celeryd.service new file mode 100644 index 0000000..f34b5c0 --- /dev/null +++ b/salt/profile/helios/files/helios-celeryd.service 
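Review bot: Nothing in pillar/secrets/role/helios.sls records how the two PGP blobs were produced or for which recipients, and that matters because both decrypted values are pasted into single-quoted Python literals in salt/profile/helios/files/settings.py. A trailing newline, a quote or a backslash in the plaintext would break or silently alter the rendered settings file; whether the plaintext ends in a newline cannot be told from the ciphertext. A header comment such as `# encrypt with: echo -n '<SECRET>' | gpg --armor --batch --trust-model always --encrypt -r <RECIPIENT> ...` together with the list of recipient keys would document the constraint and make rotation repeatable.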
@@ -0,0 +1,13 @@
+[Unit]
+Description=Celery Service
+After=network.target
+
+[Service]
+Type=simple
+User=celery
+Group=celery
+WorkingDirectory=/usr/lib/python2.7/site-packages/helios-server
+ExecStart=/usr/bin/python manage.py celeryd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/salt/profile/helios/files/settings.py b/salt/profile/helios/files/settings.py
new file mode 100644
index 0000000..2f0bb7c
--- /dev/null
+++ b/salt/profile/helios/files/settings.py
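Review bot: The `[Service]` section of helios-celeryd.service has no restart policy and no sandboxing, although the worker it starts loads the same settings.py that holds the database password and `SECRET_KEY`. Adding `Restart=on-failure` keeps the election task queue from staying down after a crash, and `NoNewPrivileges=true` plus `PrivateTmp=true` limit what a compromised worker can reach; confirm the systemd version on the target Leap release supports them. `ExecStart=/usr/bin/python manage.py celeryd` only works because `manage.py` is resolved through `WorkingDirectory`, which deserves a one-line comment in the unit.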
@@ -0,0 +1,298 @@ +{% set helios = salt['pillar.get']('profile:helios', {}) %} + +import os, json + +# a massive hack to see if we're testing, in which case we use different settings +import sys +TESTING = 'test' in sys.argv + +# go through environment variables and override them +def get_from_env(var, default): + if not TESTING and os.environ.has_key(var): + return os.environ[var] + else: + return default + +DEBUG = (get_from_env('DEBUG', '1') == '1') +TEMPLATE_DEBUG = DEBUG + +# add admins of the form: +# ('Ben Adida', 'ben@adida.net'), +# if you want to be emailed about errors. +ADMINS = ( +) + +MANAGERS = ADMINS + +# is this the master Helios web site? +MASTER_HELIOS = (get_from_env('MASTER_HELIOS', '0') == '1') + +# show ability to log in? (for example, if the site is mostly used by voters) +# if turned off, the admin will need to know to go to /auth/login manually +SHOW_LOGIN_OPTIONS = (get_from_env('SHOW_LOGIN_OPTIONS', '1') == '1') + +# sometimes, when the site is not that social, it's not helpful +# to display who created the election +SHOW_USER_INFO = (get_from_env('SHOW_USER_INFO', '1') == '1') + +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': '{{ helios.database_name }}', + 'HOST': '{{ helios.database_host }}', + 'USER': '{{ helios.database_user }}', + 'PASSWORD': '{{ salt['pillar.get']('postgres:users:helios:password') }}', + } +} + +SOUTH_DATABASE_ADAPTERS = {'default':'south.db.postgresql_psycopg2'} + +# override if we have an env variable +if get_from_env('DATABASE_URL', None): + import dj_database_url + DATABASES['default'] = dj_database_url.config() + DATABASES['default']['ENGINE'] = 'django.db.backends.postgresql_psycopg2' + DATABASES['default']['CONN_MAX_AGE'] = 600 + +# Local time zone for this installation. Choices can be found here: +# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name +# although not all choices may be available on all operating systems. 
+# If running in a Windows environment this must be set to the same as your +# system time zone. +TIME_ZONE = 'UTC' + +# Language code for this installation. All choices can be found here: +# http://www.i18nguy.com/unicode/language-identifiers.html +LANGUAGE_CODE = 'en-us' + +SITE_ID = 1 + +# If you set this to False, Django will make some optimizations so as not +# to load the internationalization machinery. +USE_I18N = True + +# Absolute path to the directory that holds media. +# Example: "/home/media/media.lawrence.com/" +MEDIA_ROOT = '' + +# URL that handles the media served from MEDIA_ROOT. Make sure to use a +# trailing slash if there is a path component (optional in other cases). +# Examples: "http://media.lawrence.com", "http://example.com/media/" +MEDIA_URL = '' + +# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a +# trailing slash. +# Examples: "http://foo.com/media/", "/media/". +STATIC_URL = '/media/' + +# Make this unique, and don't share it with anybody. +SECRET_KEY = get_from_env('SECRET_KEY', '{{ helios.secret_key }}') + +# If debug is set to false and ALLOWED_HOSTS is not declared, django raises "CommandError: You must set settings.ALLOWED_HOSTS if DEBUG is False." +# If in production, you got a bad request (400) error +#More info: https://docs.djangoproject.com/en/1.7/ref/settings/#allowed-hosts (same for 1.6) + +ALLOWED_HOSTS = get_from_env('ALLOWED_HOSTS', 'localhost').split(",") + +# Secure Stuff +if (get_from_env('SSL', '0') == '1'): + SECURE_SSL_REDIRECT = True + SESSION_COOKIE_SECURE = True + + # tuned for Heroku + SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") + +SESSION_COOKIE_HTTPONLY = True + +# let's go with one year because that's the way to do it now +STS = False +if (get_from_env('HSTS', '0') == '1'): + STS = True + # we're using our own custom middleware now + # SECURE_HSTS_SECONDS = 31536000 + # not doing subdomains for now cause that is not likely to be necessary and can screw things up. 
+ # SECURE_HSTS_INCLUDE_SUBDOMAINS = True + +SECURE_BROWSER_XSS_FILTER = True +SECURE_CONTENT_TYPE_NOSNIFF = True + +# List of callables that know how to import templates from various sources. +TEMPLATE_LOADERS = ( + 'django.template.loaders.filesystem.Loader', + 'django.template.loaders.app_directories.Loader' +) + +MIDDLEWARE_CLASSES = ( + # make all things SSL + #'sslify.middleware.SSLifyMiddleware', + + # secure a bunch of things + 'djangosecure.middleware.SecurityMiddleware', + 'helios.security.HSTSMiddleware', + 'django.middleware.clickjacking.XFrameOptionsMiddleware', + + 'django.middleware.common.CommonMiddleware', + 'django.contrib.sessions.middleware.SessionMiddleware', + 'django.contrib.auth.middleware.AuthenticationMiddleware' +) + +ROOT_URLCONF = 'urls' + +ROOT_PATH = os.path.dirname(__file__) +TEMPLATE_DIRS = ( + ROOT_PATH, + os.path.join(ROOT_PATH, 'templates') +) + +INSTALLED_APPS = ( +# 'django.contrib.auth', +# 'django.contrib.contenttypes', + 'djangosecure', + 'django.contrib.sessions', + #'django.contrib.sites', + ## needed for queues + 'djcelery', + 'kombu.transport.django', + ## in Django 1.7 we now use built-in migrations, no more south + ## 'south', + ## HELIOS stuff + 'helios_auth', + 'helios', + 'server_ui', +) + +## +## HELIOS +## + + +MEDIA_ROOT = ROOT_PATH + "media/" + +# a relative path where voter upload files are stored +VOTER_UPLOAD_REL_PATH = "voters/%Y/%m/%d" + + +# Change your email settings +DEFAULT_FROM_EMAIL = get_from_env('DEFAULT_FROM_EMAIL', '{{ helios.default_from_email }}') +DEFAULT_FROM_NAME = get_from_env('DEFAULT_FROM_NAME', '{{ helios.default_from_name }}') +SERVER_EMAIL = '%s <%s>' % (DEFAULT_FROM_NAME, DEFAULT_FROM_EMAIL) + +LOGIN_URL = '/auth/' +LOGOUT_ON_CONFIRMATION = True + +# The two hosts are here so the main site can be over plain HTTP +# while the voting URLs are served over SSL. 
+#URL_HOST = get_from_env("URL_HOST", "http://localhost:8000").rstrip("/") +URL_HOST = get_from_env("URL_HOST", "{{ helios.url_host }}").rstrip("/") + +# IMPORTANT: you should not change this setting once you've created +# elections, as your elections' cast_url will then be incorrect. +# SECURE_URL_HOST = "https://localhost:8443" +SECURE_URL_HOST = get_from_env("SECURE_URL_HOST", URL_HOST).rstrip("/") + +# election stuff +SITE_TITLE = get_from_env('SITE_TITLE', 'openSUSE Voting') +MAIN_LOGO_URL = get_from_env('MAIN_LOGO_URL', '/static/logo.png') +ALLOW_ELECTION_INFO_URL = (get_from_env('ALLOW_ELECTION_INFO_URL', '0') == '1') + +# FOOTER links +FOOTER_LINKS = json.loads(get_from_env('FOOTER_LINKS', '[]')) +FOOTER_LOGO_URL = get_from_env('FOOTER_LOGO_URL', None) + +WELCOME_MESSAGE = get_from_env('WELCOME_MESSAGE', "Welcome to the openSUSE election platform!") + +HELP_EMAIL_ADDRESS = get_from_env('HELP_EMAIL_ADDRESS', '{{ helios.help_email_address }}') + +AUTH_TEMPLATE_BASE = "server_ui/templates/base.html" +HELIOS_TEMPLATE_BASE = "server_ui/templates/base.html" +HELIOS_ADMIN_ONLY = False +HELIOS_VOTERS_UPLOAD = True +HELIOS_VOTERS_EMAIL = True + +# are elections private by default? +HELIOS_PRIVATE_DEFAULT = False + +# authentication systems enabled +#AUTH_ENABLED_AUTH_SYSTEMS = ['password','facebook','twitter', 'google', 'yahoo'] +AUTH_ENABLED_AUTH_SYSTEMS = 'opensuse' +# AUTH_DEFAULT_AUTH_SYSTEM = get_from_env('AUTH_DEFAULT_AUTH_SYSTEM', None) +AUTH_DEFAULT_AUTH_SYSTEM = 'opensuse' + +# who can create an election? 
+# (parameter specific to openSUSE auth) +ELECTION_CREATORS = [ {% for election_creator in helios.election_creators %}'{{ election_creator }}', {% endfor %} ] + +# google +GOOGLE_CLIENT_ID = get_from_env('GOOGLE_CLIENT_ID', '') +GOOGLE_CLIENT_SECRET = get_from_env('GOOGLE_CLIENT_SECRET', '') + +# facebook +FACEBOOK_APP_ID = get_from_env('FACEBOOK_APP_ID','') +FACEBOOK_API_KEY = get_from_env('FACEBOOK_API_KEY','') +FACEBOOK_API_SECRET = get_from_env('FACEBOOK_API_SECRET','') + +# twitter +TWITTER_API_KEY = '' +TWITTER_API_SECRET = '' +TWITTER_USER_TO_FOLLOW = 'heliosvoting' +TWITTER_REASON_TO_FOLLOW = "we can direct-message you when the result has been computed in an election in which you participated" + +# the token for Helios to do direct messaging +TWITTER_DM_TOKEN = {"oauth_token": "", "oauth_token_secret": "", "user_id": "", "screen_name": ""} + +# LinkedIn +LINKEDIN_API_KEY = '' +LINKEDIN_API_SECRET = '' + +# CAS (for universities) +CAS_USERNAME = get_from_env('CAS_USERNAME', "") +CAS_PASSWORD = get_from_env('CAS_PASSWORD', "") +CAS_ELIGIBILITY_URL = get_from_env('CAS_ELIGIBILITY_URL', "") +CAS_ELIGIBILITY_REALM = get_from_env('CAS_ELIGIBILITY_REALM', "") + +# Clever +CLEVER_CLIENT_ID = get_from_env('CLEVER_CLIENT_ID', "") +CLEVER_CLIENT_SECRET = get_from_env('CLEVER_CLIENT_SECRET', "") + +# email server +EMAIL_HOST = get_from_env('EMAIL_HOST', '{{ helios.email_host }}') +EMAIL_PORT = int(get_from_env('EMAIL_PORT', "25")) +EMAIL_HOST_USER = get_from_env('EMAIL_HOST_USER', '') +EMAIL_HOST_PASSWORD = get_from_env('EMAIL_HOST_PASSWORD', '') +EMAIL_USE_TLS = (get_from_env('EMAIL_USE_TLS', '0') == '1') + +# to use AWS Simple Email Service +# in which case environment should contain +# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY +if get_from_env('EMAIL_USE_AWS', '0') == '1': + EMAIL_BACKEND = 'django_ses.SESBackend' + +# set up logging +import logging +logging.basicConfig( + level = logging.DEBUG, + format = '%(asctime)s %(levelname)s %(message)s' +) + + +# set up 
django-celery +# BROKER_BACKEND = "kombu.transport.DatabaseTransport" +BROKER_URL = "django://" +CELERY_RESULT_DBURI = DATABASES['default'] +import djcelery +djcelery.setup_loader() + + +# for testing +TEST_RUNNER = 'djcelery.contrib.test_runner.CeleryTestSuiteRunner' +# this effectively does CELERY_ALWAYS_EAGER = True + +# Rollbar Error Logging +ROLLBAR_ACCESS_TOKEN = get_from_env('ROLLBAR_ACCESS_TOKEN', None) +if ROLLBAR_ACCESS_TOKEN: + print "setting up rollbar" + MIDDLEWARE_CLASSES += ('rollbar.contrib.django.middleware.RollbarNotifierMiddleware',) + ROLLBAR = { + 'access_token': ROLLBAR_ACCESS_TOKEN, + 'environment': 'development' if DEBUG else 'production', + } diff --git a/salt/profile/helios/init.sls b/salt/profile/helios/init.sls new file mode 100644 index 0000000..daf8d59 --- /dev/null +++ b/salt/profile/helios/init.sls @@ -0,0 +1,34 @@ +helios-server-uwsgi: + service.running: + - enable: True + +/usr/lib/python2.7/site-packages/helios-server/settings.py: + file.managed: + - listen_in: + - service: helios-server-uwsgi + - source: salt://profile/helios/files/settings.py + - template: jinja + +celery: + group.present: + - system: True + user.present: + - gid: celery + - system: True + +/etc/systemd/system/helios-celeryd.service: + file.managed: + - source: salt://profile/helios/files/helios-celeryd.service + module.run: + - name: service.systemctl_reload + - onchanges: + - file: /etc/systemd/system/helios-celeryd.service + +helios-celeryd.service: + service.running: + - enable: True + - watch: + - module: /etc/systemd/system/helios-celeryd.service + +# manual steps for database setup: +# run the two "python manage.py" commands listed in /usr/lib/python2.7/site-packages/helios-server/reset.sh diff --git a/salt/role/helios.sls b/salt/role/helios.sls new file mode 100644 index 0000000..925562d --- /dev/null +++ b/salt/role/helios.sls @@ -0,0 +1,3 @@ +include: + - profile.web.server.nginx + - profile.helios
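Review bot: The fallback values in salt/profile/helios/files/settings.py fail open: `DEBUG` defaults to `'1'`, `SSL` and `HSTS` default to `'0'`, `ALLOWED_HOSTS` defaults to `localhost`, and `logging.basicConfig` is fixed at `logging.DEBUG`. Unless the uwsgi and celery environments set these variables (neither environment is part of this commit), the election site would run with Django debug pages enabled and without `SESSION_COOKIE_SECURE`, even though the pillar sets `url_host` to an https URL. Because this template is rendered for one deployment, the production values can be the defaults, as in the excerpt below; note that enabling `SSL` also turns on `SECURE_SSL_REDIRECT` and `SECURE_PROXY_SSL_HEADER`, which is only correct if the TLS terminator in front of nginx (which listens on port 80 only) sets and overwrites `X-Forwarded-Proto`. Separately, `'{{ helios.secret_key }}'` and the database password are pasted into single-quoted literals unescaped, so rendering them through a serializing filter (for example Salt's `json` Jinja filter) instead of bare quotes would keep a quote, backslash or newline in the secret from corrupting the file.

```python
# … unchanged: get_from_env helper …
DEBUG = (get_from_env('DEBUG', '0') == '1')
# … unchanged: database, locale and media settings …
ALLOWED_HOSTS = get_from_env('ALLOWED_HOSTS', 'elections.opensuse.org').split(",")

# Secure Stuff
if (get_from_env('SSL', '1') == '1'):
# … unchanged: SSL redirect, secure cookie and proxy header …
if (get_from_env('HSTS', '1') == '1'):
# … unchanged: middleware, Helios, auth and e-mail settings …
logging.basicConfig(
    level = logging.DEBUG if DEBUG else logging.INFO,
```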
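Review bot: The `file.managed` state for `/usr/lib/python2.7/site-packages/helios-server/settings.py` in salt/profile/helios/init.sls sets no `user`, `group` or `mode`, yet the rendered file contains the decrypted database password and `SECRET_KEY`. The resulting ownership and permissions are therefore not pinned by the state and the file may end up readable by every local account; the state output will also show a diff of the file whenever it changes. Adding `- mode: '0640'`, a `- group:` that both the uwsgi process and the `celery` user belong to, and `- show_changes: False` addresses both. `listen_in` restarts only `helios-server-uwsgi`, so `helios-celeryd.service` would keep running with the old settings after a change; listing it there as well keeps the two in step.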