apache-custom-slave-list.cfg.in

{%- if software_type == slap_software_type %}
{%- set kedifa_updater_mapping = [] %}
{%- set cached_server_dict = {} %}
{%- set backend_slave_list = [] %}
{%- set part_list = [] %}
{%- set cache_port = caddy_configuration.get('cache-port') %}
{%- set cache_access = "http://%s:%s" % (instance_parameter_dict['ipv4-random'], cache_port) %}
{%- set ssl_cache_access = "http://%s:%s/HTTPS" % (instance_parameter_dict['ipv4-random'], cache_port) %}
{%- set backend_haproxy_http_url = 'http://%s:%s' % (instance_parameter_dict['ipv4-random'], backend_haproxy_configuration['http-port']) %}
{%- set backend_haproxy_https_url = 'http://%s:%s' % (instance_parameter_dict['ipv4-random'], backend_haproxy_configuration['https-port']) %}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{%- set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': instance_parameter_dict['ipv4-random'], 'http_port': configuration['plain_http_port'], 'https_port': configuration['port']} %}
{%- set slave_log_dict = {} %}
{%- set slave_instance_information_list = [] %}
{%- set slave_instance_list = instance_parameter_dict['slave-instance-list'] %}
{%- if configuration['extra_slave_instance_list'] %}
{%-   do slave_instance_list.extend(json_module.loads(configuration['extra_slave_instance_list'])) %}
{%- endif %}
{%- if master_key_download_url %}
{%-   do kedifa_updater_mapping.append((master_key_download_url, caddy_configuration['master-certificate'], apache_certificate)) %}
{%- else %}
{%-   do kedifa_updater_mapping.append(('notreadyyet', caddy_configuration['master-certificate'], apache_certificate)) %}
{%- endif %}
{%- if kedifa_configuration['slave_kedifa_information'] %}
{%-   set slave_kedifa_information = json_module.loads(kedifa_configuration['slave_kedifa_information']) %}
{%- else %}
{%-   set slave_kedifa_information = {} %}
{%- endif -%}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
extensions = jinja2.ext.do
extra-context =
context =
    raw profile_common {{ profile_common }}
    ${:extra-context}

# empty sections if no slaves are available
[slave-log-directory-dict]
[slave-password]
[slave-htpasswd]

{#- Loop thought slave list to set up slaves #}
{%- set DEFAULT_PORT = {'http': 80, 'https': 443, '': None} %}
{%- for slave_instance in slave_instance_list %}
{#- prepare backend parameters #}
{%- for key, prefix in [('url', 'http_backend'), ('https-url', 'https_backend')] %}
{%-   set parsed = urlparse_module.urlparse(slave_instance.get(key, '').strip()) %}
{%-   set info_dict = {'scheme': parsed.scheme, 'hostname': parsed.hostname, 'port': parsed.port or DEFAULT_PORT[parsed.scheme], 'path': parsed.path, 'fragment': parsed.fragment} %}
{%-   do slave_instance.__setitem__(prefix, info_dict) %}
{%- endfor %}
{%-   do slave_instance.__setitem__('ssl_proxy_verify', ('' ~ slave_instance.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES) %}
{#-   Manage ciphers #}
{%-   set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
{%-   if slave_ciphers %}
{%-     set slave_cipher_list = ' '.join(slave_ciphers) %}
{%-   else %}
{%-     set slave_cipher_list = configuration['ciphers'].strip() %}
{%-   endif %}
{%-   do slave_instance.__setitem__('cipher_list', slave_cipher_list) %}
{#-   Manage common instance parameters #}
{%-   set slave_type = slave_instance.get('type', '') %}
{%-   set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_type != 'redirect') %}
{%-   set slave_reference = slave_instance.get('slave_reference') %}
{%-   set slave_kedifa = slave_kedifa_information.get(slave_reference) %}
{#-   Setup backend URLs for front facing Caddy #}
{%-   if slave_type == 'redirect' %}
{%-     do slave_instance.__setitem__('backend-http-url', slave_instance.get('url', '').rstrip('/')) %}
{%-     if slave_instance.get('https-url') %}
{%-       do slave_instance.__setitem__('backend-https-url', slave_instance.get['https-url'].rstrip('/')) %}
{%-     endif %}
{%-   elif enable_cache %}
{%-     if 'domain' in slave_instance %}
{%-       if not slave_instance.get('custom_domain') %}
{%-         do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) %}
{%-       endif %}
{%-     endif %}
{%-     do slave_instance.__setitem__('backend-http-url', cache_access) %}
{%-     if slave_instance.get('https-url') %}
{%-       do slave_instance.__setitem__('backend-https-url', ssl_cache_access) %}
{%-     endif %}
{%-     do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) %}
{%-   else %}
{%-     do slave_instance.__setitem__('backend-http-url', backend_haproxy_http_url) %}
{%-     if slave_instance.get('https-url') %}
{%-       do slave_instance.__setitem__('backend-https-url', backend_haproxy_https_url) %}
{%-     endif %}
{%-   endif %}
{%-   if slave_kedifa %}
{%-     set key_download_url = slave_kedifa.get('key-download-url') %}
{%-   else %}
{%-     set key_download_url = 'notreadyyet' %}
{%-   endif %}
{%-   set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference %}
{%-   set slave_parameter_dict = generic_instance_parameter_dict.copy() %}
{%-   set slave_publish_dict = {} %}
{%-   set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %}
{%-   set slave_logrotate_section = slave_reference + "-logs" %}
{%-   set slave_log_directory_section = slave_reference + "-log-directory" %}
{%-   set slave_password_section = slave_reference + "-password" %}
{%-   set slave_htpasswd_section = slave_reference + "-htpasswd" %}
{%-   set slave_ln_section = slave_reference + "-ln" %}
{#-   extend parts #}
{%-   do part_list.extend([slave_ln_section]) %}
{%-   do part_list.extend([slave_section_title]) %}
{%-   set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %}
{#-   Pass HTTP2 switch #}
{%-   do slave_instance.__setitem__('enable_http2_by_default', configuration['enable-http2-by-default']) %}
{%-   do slave_instance.__setitem__('global_disable_http2', configuration['global-disable-http2']) %}
{#-   Pass backend timeout values #}
{%-   for key in ['backend-connect-timeout', 'backend-connect-retries', 'request-timeout', 'authenticate-to-backend'] %}
{%-     if slave_instance.get(key, '') == '' %}
{%-       do slave_instance.__setitem__(key, configuration[key]) %}
{%-     endif %}
{%-   endfor %}
{%-   do slave_instance.__setitem__('authenticate-to-backend', ('' ~ slave_instance.get('authenticate-to-backend', '')).lower() in TRUE_VALUES) %}
{#-   Set Up log files #}
{%-   do slave_parameter_dict.__setitem__('access_log', '/'.join([caddy_log_directory, '%s_access_log' % slave_reference])) %}
{%-   do slave_parameter_dict.__setitem__('error_log', '/'.join([caddy_log_directory, '%s_error_log' % slave_reference])) %}
{%-   do slave_parameter_dict.__setitem__('backend_log', '/'.join([caddy_log_directory, '%s_backend_log' % slave_reference])) %}
{%-   do slave_instance.__setitem__('access_log', slave_parameter_dict.get('access_log')) %}
{%-   do slave_instance.__setitem__('error_log', slave_parameter_dict.get('error_log')) %}
{%-   do slave_instance.__setitem__('backend_log', slave_parameter_dict.get('backend_log')) %}
{#-   Add slave log directory to the slave log access dict #}
{%-   do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}
{%-   set furled = furl_module.furl(frontend_configuration['slave-introspection-secure_access']) %}
{%-   do furled.set(username = slave_reference.lower()) %}
{%-   do furled.set(password = '${'+ slave_password_section +':passwd}') %}
{%-   do furled.set(path = slave_reference.lower() + '/') %}
{#-   We unquote, as furl quotes automatically, but there is buildout value on purpose like ${...:...} in the passwod #}
{%-   set slave_log_access_url = urlparse_module.unquote(furled.tostr()) %}
{%-   do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
{%-   do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
{%-   do slave_publish_dict.__setitem__('public-ipv4', configuration['public-ipv4']) %}
{%-   do slave_publish_dict.__setitem__('backend-client-caucase-url', backend_client_caucase_url) %}
{#-   Set slave domain if none was defined #}
{%-   if slave_instance.get('custom_domain', None) == None %}
{%-     set domain_prefix = slave_instance.get('slave_reference').replace("-", "").replace("_", "").lower() %}
{%-     do slave_instance.__setitem__('custom_domain', "%s.%s" % (domain_prefix, slapparameter_dict.get('domain'))) %}
{%-   endif %}
{%-   do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) %}
{%-   do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
{%-   do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
{%-   do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}

[slave-log-directory-dict]
{{slave_reference}} = {{ slave_log_folder }}

[slave-password]
{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}

[slave-htpasswd]
{{ slave_reference }} = {{ '${' + slave_htpasswd_section + ':file}' }}

{#-   Set slave logrotate entry #}
[{{slave_log_directory_section}}]
recipe = slapos.cookbook:mkdirectory
log-directory = {{ '${slave-log-directory-dict:' + slave_reference.lower() + '}' }}

[{{slave_logrotate_section}}]
<= logrotate-entry-base
name = ${:_buildout_section_name_}
log = {{slave_parameter_dict.get('access_log')}} {{slave_parameter_dict.get('error_log')}} {{slave_parameter_dict.get('backend_log')}}
backup = {{ '${' + slave_log_directory_section + ':log-directory}' }}
rotate-num = {{ dumps('' ~ configuration['rotate-num']) }}
# disable delayed compression, as log filenames shall be stable
delaycompress =

{#-   integrate current logs inside #}

[{{slave_ln_section}}]
recipe = plone.recipe.command
stop-on-error = false
log-directory = {{ '${' + slave_logrotate_section + ':backup}' }}
command = ln -sf {{slave_parameter_dict.get('error_log')}} ${:log-directory}/error.log && ln -sf {{slave_parameter_dict.get('access_log')}} ${:log-directory}/access.log && ln -sf {{slave_parameter_dict.get('backend_log')}} ${:log-directory}/backend.log

{#-   Set password for slave #}

[{{slave_password_section}}]
recipe = slapos.cookbook:generate.password
storage-path = {{caddy_configuration_directory}}/.{{slave_reference}}.passwd
bytes = 8

[{{ slave_htpasswd_section }}]
recipe = plone.recipe.command
{#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True
file = {{ caddy_configuration_directory }}/.{{ slave_reference }}.htpasswd
{#- update-command is not needed, as if the ${:password} would change, the whole part will be recalculated #}
password = {{ '${' + slave_password_section + ':passwd}' }}
command = {{ software_parameter_dict['htpasswd'] }} -cb ${:file} {{ slave_reference.lower() }} ${:password}

{#-   ################################################## #}
{#-   Set Slave Certificates if needed                   #}
{#-   Set certificate key for custom configuration       #}
{%-   set cert_name = slave_reference.replace('-','.') + '.pem' %}
{%-   set certificate = '%s/%s' % (autocert, cert_name) %}
{%-   do slave_parameter_dict.__setitem__('certificate', certificate )%}
{#-   Set ssl certificates for each slave #}
{%-     for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%}
{%-       if cert_name in slave_instance %}
{%-         set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) %}
{%-         set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
{%-         do part_list.append(cert_title) %}
{%-         do slave_parameter_dict.__setitem__(cert_name, cert_file) %}
{%-         do slave_instance.__setitem__('path_to_' + cert_name, cert_file) %}
{#-         Store certificates on fs #}
[{{ cert_title }}]
< = jinja2-template-base
template = {{ empty_template }}
rendered = {{ cert_file }}
extra-context =
    key content {{ cert_title + '-config:value' }}
{#-         BBB: SlapOS Master non-zero knowledge BEGIN #}
{#-         Store certificate in config #}
[{{ cert_title + '-config' }}]
value = {{ dumps(slave_instance.get(cert_name)) }}
{%-       endif %}
{%-     endfor %}
{#-   Set Up Certs #}
{%-   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %}
{%-     set cert_title = '%s-crt' % (slave_reference) %}
{%-     set cert_file = '/'.join([directory['bbb-ssl-dir'], cert_title.replace('-','.')]) %}
{%-     do kedifa_updater_mapping.append((key_download_url, certificate, cert_file)) %}
{%-     do part_list.append(cert_title) %}
{%-     do slave_parameter_dict.__setitem__("ssl_crt", cert_file) %}

[{{cert_title}}]
< = jinja2-template-base
template = {{ empty_template }}
rendered = {{ cert_file }}
cert-content = {{ dumps(slave_instance.get('ssl_crt') + '\n' + slave_instance.get('ssl_ca_crt', '') + '\n' + slave_instance.get('ssl_key')) }}
extra-context =
    key content :cert-content
{%-   else %}
{%-     do kedifa_updater_mapping.append((key_download_url, certificate, caddy_configuration['master-certificate'])) %}
{%-   endif %}
{#-   BBB: SlapOS Master non-zero knowledge END #}

{#-   ########################################## #}
{#-   Set Slave Configuration                    #}

[{{ slave_configuration_section_name }}]
certificate = {{ certificate }}
https_port = {{ dumps('' ~ configuration['port']) }}
http_port = {{ dumps('' ~ configuration['plain_http_port']) }}
local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
{%-   for key, value in slave_instance.iteritems() %}
{%-     if value is not none %}
{{ key }} = {{ dumps('' ~ value) }}
{%-     endif %}
{%-   endfor %}

[{{ slave_section_title }}]
< = jinja2-template-base
rendered = {{ caddy_configuration_directory }}/${:filename}

template = {{ template_default_slave_configuration }}
extra-context =
    section slave_parameter {{ slave_configuration_section_name }}
    import urllib_module urllib

filename = {{ '%s.conf' % slave_reference }}
{{ '\n' }}


{%-   set monitor_ipv6_test = slave_instance.get('monitor-ipv6-test', '') %}
{%-   if monitor_ipv6_test %}
{%-     set monitor_ipv6_section_title = 'check-%s-ipv6-packet-list-test' % slave_instance.get('slave_reference') %}
{%-     do part_list.append(monitor_ipv6_section_title) %}
[{{ monitor_ipv6_section_title }}]
<= monitor-promise-base
module = check_icmp_packet_lost
name = {{ monitor_ipv6_section_title }}.py
config-address = {{ dumps(monitor_ipv6_test) }}
# promise frequency in minutes (2 times/day)
config-frequency = 720
{%-   endif %}
{%-   set monitor_ipv4_test = slave_instance.get('monitor-ipv4-test', '') %}
{%-   if monitor_ipv4_test %}
{%-     set monitor_ipv4_section_title = 'check-%s-ipv4-packet-list-test' % slave_instance.get('slave_reference') %}
{%-     do part_list.append(monitor_ipv4_section_title) %}
[{{ monitor_ipv4_section_title }}]
<= monitor-promise-base
module = check_icmp_packet_lost
name = {{ monitor_ipv4_section_title }}.py
config-address = {{ dumps(monitor_ipv4_test) }}
config-ipv4 = true
# promise frequency in minutes (2 times/day)
config-frequency = 720
{%-   endif %}

{#-   ###############################  #}
{#-   Publish Slave Information        #}
{%-   if not configuration['extra_slave_instance_list'] %}
{%-     set publish_section_title = 'publish-%s-connection-information' % slave_instance.get('slave_reference') %}
{%-     do part_list.append(publish_section_title) %}
[{{ publish_section_title }}]
recipe = slapos.cookbook:publish
{%-     for key, value in slave_publish_dict.iteritems() %}
{{ key }} = {{ value }}
{%-     endfor %}
{%-   else %}
{%-     do slave_instance_information_list.append(slave_publish_dict) %}
{%-   endif %}
{%-  if slave_type != 'redirect' %}
{%-    do backend_slave_list.append(slave_instance) %}
{%-  endif %}
{%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}

{%- do part_list.append('caddy-log-access') %}
{%- do part_list.append('slave-introspection') %}
{#- ############################################## #}
{#- ## Prepare virtualhost for slaves using cache  #}
{#- Define IPv6 to IPV4 tunneling #}
[tunnel-6to4-base]
recipe = slapos.cookbook:wrapper
ipv4 = ${slap-network-information:local-ipv4}
ipv6 = ${slap-network-information:global-ipv6}
wrapper-path = {{ directory['service'] }}/6tunnel-${:ipv6-port}
command-line = {{ software_parameter_dict['sixtunnel'] }}/bin/6tunnel -6 -4 -d -l ${:ipv6} ${:ipv6-port} ${:ipv4} ${:ipv4-port}
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg

[tunnel-6to4-base-http_port]
<= tunnel-6to4-base
ipv4-port = {{ configuration['plain_http_port'] }}
ipv6-port = {{ configuration['plain_http_port'] }}

[tunnel-6to4-base-https_port]
<= tunnel-6to4-base
ipv4-port = {{ configuration['port'] }}
ipv6-port = {{ configuration['port'] }}

{#- Define log access #}

[caddy-log-access-parameters]
caddy_log_directory = {{ dumps(caddy_log_directory) }}
caddy_configuration_directory = {{ dumps(caddy_configuration_directory) }}
local_ipv4 = {{ dumps(instance_parameter_dict['ipv4-random']) }}
global_ipv6 = {{ dumps(global_ipv6) }}
https_port = {{ dumps(configuration['port']) }}
http_port = {{ dumps(configuration['plain_http_port']) }}
ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
access_log = {{ dumps(caddy_configuration['access-log']) }}
error_log = {{ dumps(caddy_configuration['error-log']) }}
not_found_file = {{ dumps(caddy_configuration['not-found-file']) }}

[caddy-log-access]
< = jinja2-template-base
template = {{ software_parameter_dict['template_log_access'] }}
rendered = {{frontend_configuration.get('log-access-configuration')}}
extra-context =
    section slave_log_directory slave-log-directory-dict
    section slave_password slave-password
    section parameter_dict caddy-log-access-parameters

[slave-introspection-parameters]
local-ipv4 = {{ dumps(instance_parameter_dict['ipv4-random']) }}
global-ipv6 = {{ dumps(global_ipv6) }}
https-port = {{ frontend_configuration['slave-introspection-https-port'] }}
ip-access-certificate = {{ frontend_configuration.get('ip-access-certificate') }}
nginx-mime = {{ software_parameter_dict['nginx_mime'] }}
access-log = {{ dumps(caddy_configuration['slave-introspection-access-log']) }}
error-log = {{ dumps(caddy_configuration['slave-introspection-error-log']) }}
var = {{ directory['slave-introspection-var'] }}
pid = {{ caddy_configuration['slave-introspection-pid-file'] }}

[slave-introspection-config]
<= jinja2-template-base
template = {{ software_parameter_dict['template_slave_introspection_httpd_nginx'] }}
rendered = {{ frontend_configuration['slave-introspection-configuration'] }}
extra-context =
    section slave_log_directory slave-log-directory-dict
    section slave_htpasswd slave-htpasswd
    section parameter_dict slave-introspection-parameters

[slave-introspection]
recipe = slapos.cookbook:wrapper
command-line = {{ software_parameter_dict['nginx'] }}
  -c ${slave-introspection-config:rendered}

wrapper-path = {{ directory['service'] }}/slave-instrospection-nginx
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg



{#- Publish information for the instance #}
[publish-caddy-information]
recipe = slapos.cookbook:publish.serialised
public-ipv4 = {{ configuration['public-ipv4'] }}
private-ipv4 = {{ instance_parameter_dict['ipv4-random'] }}
{%- if configuration['extra_slave_instance_list'] %}
{#-   sort_keys are important in order to avoid shuffling parameters on each run #}
slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }}
{%- endif %}
monitor-base-url = {{ monitor_base_url }}
csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/csr_id.txt
backend-client-csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/backend-haproxy-csr_id.txt
csr_id-certificate = ${get-csr_id-certificate:certificate}
{%-   set furled = furl_module.furl(backend_haproxy_configuration['statistic-frontend-secure_access']) %}
{%-   do furled.set(username = backend_haproxy_configuration['statistic-username']) %}
{%-   do furled.set(password = backend_haproxy_configuration['statistic-password']) %}
{%-   do furled.set(path = '/') %}
{#-   We unquote, as furl quotes automatically, but there is buildout value on purpose like ${...:...} in the passwod #}
{%-   set statistic_url = urlparse_module.unquote(furled.tostr()) %}
backend-haproxy-statistic-url = {{ statistic_url }}

[kedifa-updater]
recipe = slapos.cookbook:wrapper
command-line = {{ software_parameter_dict['kedifa-updater'] }}
  --server-ca-certificate {{ kedifa_configuration['ca-certificate'] }}
  --identity {{ kedifa_configuration['certificate'] }}
  --master-certificate {{ caddy_configuration['master-certificate'] }}
  --on-update "{{ caddy_configuration['frontend-graceful-command'] }}"
  ${kedifa-updater-mapping:file}
  {{ kedifa_configuration['kedifa-updater-state-file'] }}

wrapper-path = {{ directory['service'] }}/kedifa-updater
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg

[kedifa-updater-run]
recipe = plone.recipe.command
{#- Can be stopped on error, as does not rely on self provided service but on service which comes from another partition #}
stop-on-error = True
command = {{ software_parameter_dict['kedifa-updater'] }} --prepare-only ${kedifa-updater-mapping:file} --on-update "{{ caddy_configuration['frontend-graceful-command'] }}"
update-command = ${:command}

[kedifa-updater-mapping]
recipe = slapos.recipe.template:jinja2
file = {{ kedifa_configuration['kedifa-updater-mapping-file'] }}
template = inline:
{%- for mapping in kedifa_updater_mapping %}
  {{ mapping[0] }} {{ mapping[1] }} {{ mapping[2] }}
{%- endfor %}

rendered = ${:file}

[caddy-log-access-empty]
# Caddy refuse to start if an `import`ed file is empty, so we prepend a header
# so that the file is never empty.
< = jinja2-template-base
template = inline: # This file contain directives to serve directories with log files for shared instances, but no shared instances are defined yet.
rendered = {{frontend_configuration.get('log-access-configuration')}}

##<Backend haproxy>
[backend-haproxy-configuration]
< = jinja2-template-base
template = {{ template_backend_haproxy_configuration }}
rendered = ${backend-haproxy-config:file}
backend_slave_list = {{ dumps(sorted(backend_slave_list)) }}
extra-context =
  key backend_slave_list :backend_slave_list
  section configuration backend-haproxy-config

[backend-haproxy-config]
{%- for key, value in backend_haproxy_configuration.items() %}
{{ key }} = {{ value }}
{%- endfor %}
local-ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
global-ipv6 = ${slap-network-information:global-ipv6}
request-timeout = {{ dumps('' ~ configuration['request-timeout']) }}
backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }}
backend-connect-retries =  {{ dumps('' ~ configuration['backend-connect-retries']) }}

[store-backend-haproxy-csr_id]
recipe = plone.recipe.command

csr_id_path = {{ directory['csr_id'] }}/backend-haproxy-csr_id.txt
csr_work_path = {{ directory['tmp'] }}/${:_buildout_section_name_}

stop-on-error = False
update-command = ${:command}
command =
  {{ software_parameter_dict['bin_directory'] }}/caucase \
    --ca-url {{ backend_haproxy_configuration['caucase-url'] }} \
    --ca-crt {{ backend_haproxy_configuration['cas-ca-certificate'] }} \
    --crl {{ backend_haproxy_configuration['crl'] }} \
    --mode service \
    --send-csr {{ backend_haproxy_configuration['csr'] }} > ${:csr_work_path} && \
  cut -d ' ' -f 1 ${:csr_work_path} > ${:csr_id_path}

##<Backend haproxy>

[buildout]
extends =
  {{ profile_common }}
  {{ profile_logrotate_base }}
  {{ profile_monitor }}

parts +=
    kedifa-updater
    kedifa-updater-run
    backend-haproxy-configuration
    promise-logrotate-setup
{%- for part in part_list %}
{{ '    %s' % part }}
{%- endfor %}
{%- if 'caddy-log-access' not in part_list %}
    caddy-log-access-empty
{%- endif %}
    publish-caddy-information
    tunnel-6to4-base-http_port
    tunnel-6to4-base-https_port
    expose-csr_id
    promise-expose-csr_id-ip-port

cache-access = {{ cache_access }}

[store-csr_id]
recipe = plone.recipe.command

csr_id_path = {{ directory['csr_id'] }}/csr_id.txt
csr_work_path = {{ directory['tmp'] }}/${:_buildout_section_name_}

stop-on-error = False
update-command = ${:command}
command =
  {{ software_parameter_dict['bin_directory'] }}/caucase \
    --ca-url {{ kedifa_configuration['caucase-url'] }} \
    --ca-crt {{ kedifa_configuration['cas-ca-certificate'] }} \
    --crl {{ kedifa_configuration['crl'] }} \
    --mode service \
    --send-csr {{ kedifa_configuration['csr'] }} > ${:csr_work_path} && \
  cut -d ' ' -f 1 ${:csr_work_path} > ${:csr_id_path}

[certificate-csr_id]
recipe = plone.recipe.command
certificate = {{ directory['caddy-csr_id'] }}/certificate.pem
key = {{ directory['caddy-csr_id'] }}/key.pem

{#- Can be stopped on error, as does not rely on self provided service #}
stop-on-error = True
update-command = ${:command}
command =
  if ! [ -f ${:key} ] && ! [ -f ${:certificate} ] ; then
    openssl req -new -newkey rsa:2048 -sha256 -subj \
      "/O={{ expose_csr_id_organization }}/OU={{ expose_csr_id_organizational_unit }}/CN=${slap-network-information:global-ipv6}" \
      -days 5 -nodes -x509 -keyout ${:key} -out ${:certificate}
  fi

[expose-csr_id-configuration]
ip = ${slap-network-information:global-ipv6}
port = 17001
key = ${certificate-csr_id:key}
certificate = ${certificate-csr_id:certificate}
error-log = {{ directory['caddy-csr_id-log'] }}/expose-csr_id.log

[expose-csr_id-template]
recipe = slapos.recipe.template:jinja2
template = inline:
  https://:${expose-csr_id-configuration:port}/ {
    bind ${expose-csr_id-configuration:ip}
    tls ${expose-csr_id-configuration:certificate} ${expose-csr_id-configuration:key}
    log ${expose-csr_id-configuration:error-log}
  }

rendered = {{ directory['caddy-csr_id'] }}/Caddyfile

[promise-expose-csr_id-ip-port]
<= monitor-promise-base
module = check_port_listening
name = expose-csr_id-ip-port-listening.py
config-hostname = ${expose-csr_id-configuration:ip}
config-port = ${expose-csr_id-configuration:port}

[expose-csr_id]
depends =
  ${store-csr_id:command}
  ${store-backend-haproxy-csr_id:command}
recipe = slapos.cookbook:wrapper
command-line = {{ software_parameter_dict['caddy'] }}
  -conf ${expose-csr_id-template:rendered}
  -log ${expose-csr_id-configuration:error-log}
  -http2=true
  -disable-http-challenge
  -disable-tls-alpn-challenge
  -root {{ directory['csr_id'] }}

wrapper-path = {{ directory['service'] }}/expose-csr_id
hash-existing-files = ${buildout:directory}/software_release/buildout.cfg

[get-csr_id-certificate]
recipe = collective.recipe.shelloutput
commands =
  certificate = cat ${certificate-csr_id:certificate}

[promise-logrotate-setup]
<= monitor-promise-base
module = check_command_execute
name = ${:_buildout_section_name_}.py
config-command =
  ${logrotate:wrapper-path} -d
{%- endif %} {# if software_type == slap_software_type #}