diff --git a/pillar/role/static_master.sls b/pillar/role/static_master.sls
new file mode 100644
index 0000000..6c2dfdb
--- /dev/null
+++ b/pillar/role/static_master.sls
@@ -0,0 +1,42 @@
+{% if salt['grains.get']('include_secrets', True) %}
+include:
+ - secrets.role.static_master
+{% endif %}
+
+profile:
+ web_static:
+ expected_gitmodules:
+ # expected .gitmodules files and their sha256sum
+ # this ensures we notice .gitmodules changes and can update the salt code accordingly
+ ./static.opensuse.org/.gitmodules: 19479ebe1afda2dd4ba774f572546ef6c549822c0ebd4983b644bf4ea8183930
+ ./static.opensuse.org/hosts/www.o.o/.gitmodules: e2da74eed7fcfed7f08669f6bff9d89e0d5f2f02ee8f2c6ad43afe4996cc57f1
+ git_repos:
+ # branch defaults to 'master' if not specified
+ html5test.opensuse.org:
+ branch: opensuse
+ repo: https://github.com/openSUSE/HTML5test.git
+ shop.opensuse.org:
+ repo: https://github.com/openSUSE/shop.o.o.git
+ static.opensuse.org:
+ repo: https://github.com/openSUSE/static.opensuse.org.git
+ static.opensuse.org/hosts/www.o.o:
+ repo: https://github.com/openSUSE/old-landing-page.git
+ static.opensuse.org/login:
+ repo: https://github.com/openSUSE/openSUSE-login
+ static.opensuse.org/themes:
+ repo: https://github.com/openSUSE/opensuse-themes
+ static.opensuse.org/chameleon:
+ repo: https://github.com/openSUSE/opensuse-theme-chameleon
+ static.opensuse.org/hosts/www.o.o/searchPage:
+ branch: gh-pages
+ repo: https://github.com/opensuse/searchPage.git
+ studioexpress.opensuse.org:
+ repo: https://github.com/openSUSE/studioexpress-landing.git
+ server_list:
+ - narwal5.infra.opensuse.org
+ - narwal6.infra.opensuse.org
+ # ssh_known_hosts: use ssh-keyscan 192.168.122.x,narwalX.infra.opensuse.org | grep nist
+ ssh_known_hosts: |
+ KNOWN_HOSTS_HERE - fill when narwal5 and narwal6 are available
+ # ssh_private_key included from pillar/secrets/role/static_master.sls
+ # ssh_pubkey (for authorized_keys) is in pillar/role/web_static.sls
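Review bot: The `ssh_known_hosts` comment in pillar/role/static_master.sls tells the operator to fill the value from `ssh-keyscan`, which records whatever key the network presents at scan time and so pins a key nobody has verified. I would extend the comment to say the scanned keys must be compared with `/etc/ssh/ssh_host_ecdsa_key.pub` read on narwal5 and narwal6 themselves before they are committed. Until the `KNOWN_HOSTS_HERE` placeholder is replaced, the rendered `/home/web_static/.ssh/known_hosts` holds no valid entry, so the hourly rsync over ssh will presumably fail host-key verification. That is the safe outcome and should not be worked around by relaxing `StrictHostKeyChecking`.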
diff --git a/pillar/secrets/role/static_master.sls b/pillar/secrets/role/static_master.sls
new file mode 100644
index 0000000..ebc8bc6
--- /dev/null
+++ b/pillar/secrets/role/static_master.sls
@@ -0,0 +1,99 @@ +#!yaml|gpg + +profile: + web_static: + ssh_private_key: | + -----BEGIN PGP MESSAGE----- + + hQQOA7A9CHm0S6RyEA/+LtHW8V7iCEo7fZ/G8iVAtY3leU3g7MIroD/eRPRgSWx9 + ODN7lG7cNMZhjNAOk6ECnPJEqCaxehzZRxpGdCqN8jMnn/fxMykFptC2mXnXLGRh + Aj6OvhOEQXrkkSTFfgyCrx+odVHFTetLcPfYXxFmO3lAK0iF3ERXInjVYWtopDT5 + ohyHLijtRAcRnnCMuPzKSjr9rurYVd+0fvBPketaZDSC1N78SJm0Rx1HpXFD6gEM + qqsEZb6ZfyM2vAB46upoPkFvftovy410LveHJS8YbSjJ/RlJjLItbQ29skQnt0nc + IRls4gJ238TMLMiP7LZXGhjhG4WzYKs3N4s+zwjxNPF11mWbh67c6JGp4hvEdbLb + M4o4zcfhAJVINh4c/FixOcODYQojam9IAwWZoROYOlFDRRzTbkk8vPHjO35W0sod + 42F1fDSAkE4w2zB9e0ueRarjH6YypZ0b931Qw9kNsm4A6vNZSPFv22Y+7V30ZfLc + 8ZgUIXce9n9tsAoOVSh3DMOV4krJDL1/0dQ0rDvPkCRPUGn4kx67IlKZLPPXthJt + 96S07qjn7Tryt45IwUgV41ZrtbhdIQ01/TOcvzUyERSgfjV7D5bfbKwJY+yKyayP + 2yjOaCHAcT3p8Yie3dy08z4Qcu4k6wSnvLqjPSNsNWnTcnI+m8LlMgB/U4wBoQAP + +wRfMhGYXHzID9AUAh6feph8VBWvZd5DSdEim+u/dRahBYvqDo6elNuWLK6JEEhT + XzKQ3k4qDakoPsE/VZUjSJHx3TMxvxrzv5YtjYq9Dc7EGBaGICYkdn+xgNtOmTLW + IltUX980QPmIOmDZL/wepI2BX5iC/n7skAAENQx9qs5QN8gLdM7IcWjiZ3hSq8NP + GG7S4XeLx71IsnbmlBN1OjEVKgVHnq54cOlB5hCQaHRIJwPZi+70Iy1TMOhExul6 + dnDvFYH/rQ8hE03ubvqdFeeO7OsZ0cA4dJ5TajGk+rp2b+NZgA87AWBlAhwA1EK6 + XjjqoxfoN1YEFaemIxHYvBDCSX6R8P1cE9g5QOCjtK1k41KkhmlyuuG5RJ9dK5v8 + iNKbRABri/2smdBSGQ4NE1/J1AVoeE1ayOulhC9pOWP1Q82DDTeC7FaarEqqiYeB + I7WJ0NnehPVePg6v8/vlXYkPVF7Uz0BH3FH0MRRa/gt1rLctOE7eQbZYXxx/mMHT + UM3HuUaLXTY9GPq/UeX02z3nRoGhbm61wZ4+VLkwMGHzLWyY83HQ3y2Nid09cVVp + sgjY+CF3HjtvoAcTcSOdY+sFpSpUGhSQv0EUo4WlsX2B31MVzV+FW1o2ctzn9QXH + gVuNvP9QxANzQJkY5jyEZ/J9c7Dg/ngRGVIKg6BS+SA8hQIMA8amgupjyC8cARAA + vHUTCoqF47ZBSyy/CRCPtjkb/RSl8EPJ9urx963okyN+PmrxzzMPUGnRDhqT/30x + ClJua+8t7RcvO5MapQXO6XTuz8n0dKiVGZHp6qSPPv3mAKyoMyk+g2So3u49WWVl + xrymOBYJrXTpYnKSFEYOBTetHEkHrSklv33L4eR7l6NP+ziJuwu4+ZyH6cK67a8K + GurP72EnJuBG5OE09P3Hjzmkvkr695Ri6KPDzILoaaKNDKltSpoes3KygouuWtX/ + GzlXTzJx5RwdGBH8p8CXjQua1Blzhdp9MuAgCo1lhDLcLX7wzV6hTsxvvxQpRZxU + ybMhHgYDS7dJQdqvhEDjqW0XuCl/mrHAZ5h/ApWdl19O1+iKIKQSk7/O7zNYGHfs + 
a2ZXsx1RTNOzd17sLcBANab6O2tJuwoAMKksRGWCick40lPkxdJDcQW9GLltyBu2 + zLTfI4qxYcyM69wVZ8WM/FfZ8Ec6O0SswmVzqezMBA4rq40ZCAQ9iZ1QfazP0gQO + fhz887Uvj8XMhp7MId9I7l8hj80S5JVzo2XjixxQywckw48nheCoJeMYn4jPD1MS + 0i/bjNeKWZwMl+Nxuyb6EMtOWhz3k0SYxBhVh963mZc97I/sJB2wJsG2Wm/MJVOt + OER4Ht1l5i7A3AMHgI8lW/U0Hge5HPk/GvQbigcaL3qFAQ4DslgfDDfB4G8QBACz + tmdPCJmosCKahjZi6LEHew8FueSu3KrMG3CP8zbZDdtFyB7a6KS91IDBPypST7Bh + FEzdyG0uLduQxTnQzCh5huWAgwP9c1uNSaKLCPSgwjQi8X5IyYii2Zv7CW132xx2 + JLQoOUSmV4d5mcoEEbM5vK08w+Y02xgx3rwtx2hNkwP/cYr0+2Lg0BiPpbuGbM41 + AIIUeJbH5IdOCZkSfJh5ciOB+rWd5m5LvHrERiQ3j70nwsMaxBluzF4vRsGVlqCN + iB2f8Ad16HBCOmXnx05YepgU3am+6mGJsff5HM/ivNuUweOYM0EY8XbiGA9SKcd6 + P4AagGy707UnSAyGNOFmozCFAg4DiLcKbyvsTOYQCACJ1yi7esOesGv5NW06Tsx6 + 8s0IwMapkNE984Mf6fr0B76ok2SSrC3lD3fdeAzfeaqCK9Keav/5fH1dCiuGVmaO + S3zVR27PYkIdxl07iGPxteRUOcSVVUZxpk1gqkmzVWGRpD4G2GGFIfQT/Ev//qIP + WN+pS4v25P4Bo18eDwWBd96GzV2d86Xqh9Lm4P74a2PcGcLiVJyVGn28GlHAOW6B + oYYyoKFG+jcSXZqQnBRP13RqAzcWsXy+kKwPaCRI91z75KwqA5KkjooPoq0eiFDI + n7UAJJXp/3GM4kNl6Ch+quIBkMAcJDkmIgtmj4leoa7fnYU19E/VxvUyu1UO8qS5 + B/9f8o/OMmZjk7UeG689+UBATjHtO2uPaYPuagPHeRhFXr8klb/75OTHpadZ5BVs + CmTyLe7cp89mBrLa5gLxoedMO94qkrGY6AB251/AsReUmZ2TK+jUXjMZpWVzvWvJ + xwu/TDiAaOuxAj6UGNlVtU9i3grSeNnS2pN4uisOB6mvKUpicudvNO2pTJSGZCsT + F7iU/bM9NnRPzBzTDSN3RGMUz3MuwzlptMadlRhzZcdwlAQj6UBN3Nsk5hX9L2rJ + l8IUmSJaM7Pt9QrHasTRItRLzYVTvo8SxPclJ3SHZJ5iPHYQNCU8rz95KzkPbNUo + lxrcBvagBsWTPyJM+q3sQWDphQEMA1H2Gg3i02J9AQgAkFEnSQWEZ6unmZIKBFBU + XEhJEBkrb1WhtDZCOZ8biT+GfLPnSr9Rxwpf2l9gPrS3ovapTXfV+LzhydiwaPQX + 9HAZqWof0hMVHddt5N2LVuMnYV+NPS6yJF/S6BRxX2Ird2U3JMsHaHECNWHDJKyi + vUVc0dRw36FrlZnSTbSlm6XZiCEEiiiD0NyNIMI8SVkPbyI4REljqVy7tSyCgKki + VPb+ZX9qquJnnqv0KFlphly9kz/N4IxNXvYeJc4ZlWTae5sffwB35ZlV7H82/X1U + mAOahZyqKoj4QzsbZW6sYuZqNyNioZ/oI+CGUVg9xf+uBaj49ZoRx3V2vDNaH7rL + oYUCDAP/8/F+qY2A9QEP/ROd+XuI/2WZcupYyaXZQ/fX8IWbje83GxJvDBJZFjTb + 7S9AJ/P9uEGoDbOG0lR7zSwxVeSf82u2CY3ws4TokGSnbZ6dixE2dXUualMO8sf+ + 
wHMKLpieqni701kg4PsxkidxMob8OPTc2iAU7Mr3GLY++opSctgPjOggSQtC/EnY + hoJ3Bd/qk+mBUMx0wx7YDxgRceHYbzZfCH1stUC7BA8392PD0rmhKJ5PbrvsI5g5 + wpI8jAPNcJ14PE3PqeZJk6tcOUPQusQrVfPNWSB9SqV/40PulfeRTTumv9vJKLlO + DQf88nqfdqMwsSA/yvemiUMQi7DD2rUlYEFnO9G8aoCKx4w9tz5kbm958A96EC3X + Pic6e6m8H5sxvZk2rayGpNn5N+mCkVoOuPCbZJsA40uIm9hgjLbDsn+hxQGaFMvn + bJhirERmbKmttpkwBRjGyCpg3vw196TpxBAm7L8RVIOQ5BD0szpBWyXTJWl0bxk7 + GAuRw8vQbKItIwtivSpZXJ45tkqQGhM1PduiqqtMXm6rVr08wovLTVf6szz8n+IV + BQKvLsjsTVdxaxfGCLz2M9KLbh90TaUvk/L0kEA24EkCtvR9Tcvbun4u6Hn/mwR6 + xEBrvW1sO/vgdKfrlMcNKgYe6nMxwabXjhsAKU57RzOY8K5lT8NRS80uZVaVoA6n + hQIMA2dWijyei9AnAQ/+M/nWLegXgGBcYYSZL2bRYwOlHQ1uCFO/h4XVI7hl10BL + Fg0P9QO0e6YrKeyZ0e3KitIboB4AJ6kz376iXM+XVBSmZahRPs+M++CxSNuwxc1z + WxUA3sqEP47pIYMKNpYEhyATxh85GD3cAZZ8vEnIlze8duj1kdxp2mfAu1TQd3vE + 2WB22bdctYQAxXU5X3NRXar/VR3WP7V233MwyFjsvPeGSY5miZdxLwbCGQgH9b8k + pMFlMXufoq7aPYlshBxINbX1H3enEMSBkKaSxNJdFgKCujahH5i4aAVDYz1l1Tex + mhLdrsl2qMvouriltxqCgENxk4OiuRVRe973whtsgYSROPwSXuWg9Zbw1abID4g/ + 2p7bfN/Eus8dcvmeUGSzgaPcmybet9BgbS9Mmcg/eH/vwjxU1c8v+100Pybocde1 + ZBqUkZkynhBjT7vtijoBPvGRtRhu7QPbZY7BDxEBmyKEHcYiKgv/o3asXQkaXYP+ + MKHitz5GF6KKpKpB/VSsaAb3F8rbRWYUlB88eMj7QttZl/H+HrGscGZpiNJ/DfzD + rZAp4XyPe5mSuCUXFJfWhn7ckO12PQ0Wor3WRySTXEer/SIKhdRR67Sr9YpDa9H4 + mITSwIAiJmyL9H7fRFpYs5ZUr2xzhAeuDCiACx06gTDnxjmxMimQO5fKdy5nOkiF + AgwDrPDOChusaZEBD/9pzDs4+95cpo3XMegMnZTxQzeY3j28dfWGDl4yykQVbZhW + KdZtzEaR9ZFjORLX7vW0Gsg1v9IVYl3/vTM9tzOhSwiUTZrAak1qV74250LmUy94 + zYonS6THu/Lw9fsdVeOcV40yYtK0QI17y8FZoE20XVglhwscxbByAp9rwyLfbyjh + HFHvUgU/yGLT+m7hLPvm2ww6GZEbiJNXF9gBGakurn7VjcRE1tA65920ZSk0yThf + zd6H1RaP3B3TLIuE5gHS2xpTxLYqD1bZ6/rsUz/MnaKQnQJDYXKhWy1Rna7R2RdU + l5g0bX8DsCuQ6L1JafjlQchTvuSEWOzhEWX7MMYbyudqNbWl8+5VzzI0DofnWWKT + 8+rPuWF/Pt0rDyHi+EuZxTlEP6fjdU6vQVI2VJxlSqCPLr0etoPZ8T25V83rKYv9 + 6EwDMZQikwPbxHDx3sHVcSazjtASk7OJXl09/9Fu7i3RO5f42YW9/q3TzG7CmutD + t7PgoZGF1hJPJFfkEIINyDFdDjgp+e7cmIi7Z0bZzTTJnf9P6ICxHUd65nLj/h9f + 
NmKXN1KXnXcxOqTIY8EAtO9jfJEONwMfjwW3bNfy4PLn67Cg/uCm3p9bleyY4KDA + gzFSX/sb2emjO4QR2SOFV+Qk0RVgJDn5m3WrvRtAZQNUvcd219qfpexUni1V69JY + AQ1zeDpyr9vgHMwYgcpYrpOgWwUTB12fp9Hvmqgm+PfS1P1AOOcpUODEoCr+l4ZI + eZA2wTaXi2hz5QyuAuNCuA8ua/JXMhNEdvEuRPJljuRE72GkXIpw2A== + =e/ly + -----END PGP MESSAGE-----
diff --git a/salt/profile/static/files/git_pull_and_update.sh b/salt/profile/static/files/git_pull_and_update.sh
new file mode 100644
index 0000000..661491d
--- /dev/null
+++ b/salt/profile/static/files/git_pull_and_update.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# managed by salt - do not edit
+
+BASEDIR=/home/web_static/git
+
+SERVERS='{% for server in server_list %}
+ {{ server }}
+{%- endfor %}'
+
+GIT_DIRS='{% for dir in git_dirs.keys() %}
+ {{ dir }}
+{%- endfor %}'
+
+EXPECTED_GITMODULES="$(echo '{%- for file in expected_gitmodules.keys() %}
+{{ file }}
+{%- endfor %}' | grep .)"
+
+EXPECTED_SHA256="$(echo '{%- for file, sha256 in expected_gitmodules.items() %}
+{{ sha256 }} {{ file }}
+{%- endfor %}' | grep .)"
+
+# update all git repos, exit if one of them fails (better outdated than inconsistent)
+cd "$BASEDIR" || exit 1
+for dir in $GIT_DIRS ; do
+ cd "$BASEDIR/$dir" && git fetch -q && git reset -q --hard || exit 1
+done
+
+# check if any .gitmodules appeared or disappeared
+cd "$BASEDIR" || exit 1
+test "$(find -name .gitmodules | LANG=C sort)" == "$EXPECTED_GITMODULES" || {
+ echo ".gitmodules added or removed, please check manually" >&2
+ exit 1
+}
+
+# check if content of .gitmodules matches the known ones
+cd "$BASEDIR" || exit 1
+echo "$EXPECTED_SHA256" | sha256sum -c --quiet --strict || {
+ echo ".gitmodules were modified, please check manually" >&2
+ exit 1
+}
+
+# sync to all servers
+cd $BASEDIR || exit 1
+for dir in *.opensuse.org ; do
+ for server in $SERVERS ; do
+ rsync -az -C --delete-after "$@" -e ssh "$BASEDIR/$dir/" "web_static@$server:/srv/www/vhosts/$dir/"
+ done
+done
+
+# vim: ts=4 expandtab
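Review bot: In git_pull_and_update.sh the update loop runs `git reset -q --hard` with no revision, which resets to the current HEAD, so the commits just fetched are never checked out. Unless something else advances the checkouts, the `.gitmodules` checks and the rsync then run against the old tree. Assuming each clone tracks its origin branch, name the upstream explicitly: `cd "$BASEDIR/$dir" && git fetch -q && git reset -q --hard '@{upstream}' || exit 1`. Separately, `rsync -a` reproduces symlinks exactly as committed, and the only integrity check on the fetched content is the `.gitmodules` hash. Adding `--safe-links` to the rsync call would keep a link that points outside the tree from being published to the web servers.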
diff --git a/salt/profile/static/master.sls b/salt/profile/static/master.sls
new file mode 100644
index 0000000..ff318d9
--- /dev/null
+++ b/salt/profile/static/master.sls
@@ -0,0 +1,54 @@
+{% set git_repos = salt['pillar.get']('profile:web_static:git_repos') %}
+
+static_master_pgks:
+ pkg.installed:
+ - pkgs:
+ - git
+ - rsync
+
+/home/web_static/.ssh/id_ed25519:
+ file.managed:
+ - contents_pillar: profile:web_static:ssh_private_key
+ - mode: 600
+ - user: web_static
+
+/home/web_static/.ssh/known_hosts:
+ file.managed:
+ - contents_pillar: profile:web_static:ssh_known_hosts
+ - mode: 644
+ - user: root
+
+/home/web_static/bin:
+ file.directory:
+ - user: root
+
+/home/web_static/bin/fetch_and_rsync_static:
+ cron.present:
+ - user: web_static
+ - minute: 0
+ file.managed:
+ - context:
+ expected_gitmodules: {{ pillar['profile']['web_static']['expected_gitmodules'] }}
+ server_list: {{ pillar['profile']['web_static']['server_list'] }}
+ git_dirs: {{ git_repos }}
+ - mode: 755
+ - source: salt://profile/static/files/git_pull_and_update.sh
+ - template: jinja
+ - user: root
+
+/home/web_static/git:
+ file.directory:
+ - user: web_static
+
+# clone git repos
+{% for dir, data in git_repos.items() %}
+{{ data.repo }}:
+ # salt 2018.3.3 introduced git.cloned - switch once our salt is new enough
+ git.latest:
+ - branch: {{ data.get('branch', 'master') }}
+ - target: /home/web_static/git/{{ dir }}
+ # When checking out a non-default branch, salt will create a local branch based on HEAD by default.
+ # We need to specify "rev" to ensure we get the branch we want, and to make it tracking the branch from origin.
+ - rev: {{ data.get('branch', 'master') }}
+ - user: web_static
+{% endfor %}
diff --git a/salt/role/static_master.sls b/salt/role/static_master.sls
new file mode 100644
index 0000000..280aa99
--- /dev/null
+++ b/salt/role/static_master.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.static.user
+ - profile.static.master
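Review bot: The `/home/web_static/.ssh/id_ed25519` state in salt/profile/static/master.sls writes the decrypted private key with `file.managed` but leaves `show_changes` at its default. A later change to the key can therefore put a unified diff of the key material into the state return and the job cache. Add `- show_changes: False` to that state. The state also relies on `/home/web_static/.ssh` already existing with restrictive permissions. That is presumably handled in `profile.static.user`, which is not part of this diff and is worth confirming.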