{%- if slap_software_type == software_type -%}
{% import "caucase" as caucase with context %}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
[buildout]
extends =
  {{ parameter_dict['common_profile'] }}
  {{ parameter_dict['monitor_template'] }}
  {{ parameter_dict['logrotate_base_instance'] }}

parts =
  directory
  logrotate-entry-caddy
  caddy-frontend
  switch-caddy-softwaretype
  caucase-updater
  frontend-caddy-graceful
  not-found-html
  port-redirection
  promise-frontend-caddy-configuration
  promise-caddy-frontend-v4-https
  promise-caddy-frontend-v4-http
  promise-caddy-frontend-v6-https
  promise-caddy-frontend-v6-http
  promise-caddy-frontend-cached
  promise-caddy-frontend-ssl-cached

  trafficserver-launcher
  trafficserver-reload
  trafficserver-configuration-directory
  trafficserver-records-config
  trafficserver-remap-config
  trafficserver-plugin-config
  trafficserver-storage-config
  trafficserver-ip-allow-config
  trafficserver-logging-config
  trafficserver-promise-listen-port
  trafficserver-promise-cache-availability
  cron-entry-logrotate-trafficserver
## Monitor for Caddy
  monitor-base
  monitor-ats-cache-stats-wrapper
  monitor-traffic-summary-last-stats-wrapper
  monitor-caddy-server-status-wrapper
  monitor-verify-re6st-connectivity

# Create all needed directories
[directory]
# NOTE(review): no mode is given for any of these directories, including
# ca-dir and bbb-ssl-dir which receive private key material (see
# kedifa-login-config and apache-certificate) - confirm the recipe's default
# mode is restrictive.
recipe = slapos.cookbook:mkdirectory

bin = ${buildout:directory}/bin/
etc = ${buildout:directory}/etc/
srv = ${buildout:directory}/srv/
var = ${buildout:directory}/var/
tmp = ${:var}/tmp
template = ${buildout:directory}/template/

backup = ${:srv}/backup
log = ${:var}/log
run = ${:var}/run
service = ${:etc}/service
etc-run = ${:etc}/run
plugin = ${:etc}/plugin

# KeDiFa login key, certificate, CA and CRL (see kedifa-login-config)
ca-dir = ${:srv}/ssl
# BBB: SlapOS Master non-zero knowledge BEGIN
# frontend.crt rendered from the master-provided certificate and key
# (see apache-certificate)
bbb-ssl-dir = ${:srv}/bbb-ssl
# BBB: SlapOS Master non-zero knowledge END

# used as CADDYPATH by caddy-wrapper
frontend_cluster = ${:var}/frontend_cluster

# csr_id publication
csr_id = ${:srv}/csr_id
caddy-csr_id = ${:etc}/caddy-csr_id
caddy-csr_id-log = ${:log}/httpd-csr_id

[switch-caddy-softwaretype]
recipe = slapos.cookbook:softwaretype
single-default = ${dynamic-custom-personal-template-slave-list:rendered}
single-custom-personal = ${dynamic-custom-personal-template-slave-list:rendered}

[frontend-configuration]
template-log-access = {{ parameter_dict['template_log_access'] }}
log-access-configuration = ${directory:etc}/log-access.conf
ip-access-certificate = ${self-signed-ip-access:certificate}
caddy-directory = {{ parameter_dict['caddy_location'] }}
caddy-ipv6 = {{ instance_parameter['ipv6-random'] }}
caddy-https-port = ${configuration:port}

[self-signed-ip-access]
# Self Signed certificate for HTTPS IP accesses to the frontend
# (SAN = the instance's global IPv6 and private IPv4); published to the
# Caddyfile context as frontend-configuration:ip-access-certificate.
# Generation is skipped as soon as the file exists, so the pair is created
# once per instance and never renewed; with -days 36500 it effectively never
# expires, and rotating it means deleting the file and re-running buildout.
# NOTE(review): -keyout and -out point to the same file, so the unencrypted
# (-nodes) private key is stored next to the certificate in one .crt file;
# the file mode is whatever openssl and the umask produce - confirm it is not
# group/world readable.
# /bin/bash is required for the process substitution that appends the SAN
# section to the stock openssl.cnf.
recipe = plone.recipe.command
update-command = ${:command}
ipv6 = ${slap-network-information:global-ipv6}
ipv4 = {{instance_parameter['ipv4-random']}}
certificate = ${caddy-directory:master-autocert-dir}/ip-access-${:ipv6}-${:ipv4}.crt
stop-on-error = True
command =
  [ -f ${:certificate} ] && exit 0
  rm -f ${:certificate}
  /bin/bash -c ' \
  {{ parameter_dict['openssl'] }} req \
     -new -newkey rsa:2048 -sha256 \
     -nodes -x509 -days 36500 \
     -keyout ${:certificate} \
     -subj "/CN=Self Signed IP Access" \
     -reqexts SAN \
     -extensions SAN \
     -config <(cat {{ parameter_dict['openssl_cnf'] }} \
         <(printf "\n[SAN]\nsubjectAltName=IP:${:ipv6},IP:${:ipv4}")) \
     -out ${:certificate}'

[self-signed-fallback-access]
# Self Signed certificate for HTTPS access to the frontend with fallback certificate
# (CN "Fallback certificate", OU = the frontend name). Its content is read
# back by get-self-signed-fallback-access and used by apache-certificate
# whenever configuration:apache-certificate is empty.
# Same lifecycle as self-signed-ip-access: created once, skipped while the
# file exists, valid for 36500 days, and the unencrypted (-nodes) private key
# and the certificate share one file (-keyout and -out are the same path).
recipe = plone.recipe.command
update-command = ${:command}
ipv6 = ${slap-network-information:global-ipv6}
ipv4 = {{instance_parameter['ipv4-random']}}
certificate = ${caddy-directory:master-autocert-dir}/fallback-access.crt
stop-on-error = True
command =
  [ -f ${:certificate} ] && exit 0
  rm -f ${:certificate}
  /bin/bash -c ' \
  {{ parameter_dict['openssl'] }} req \
     -new -newkey rsa:2048 -sha256 \
     -nodes -x509 -days 36500 \
     -keyout ${:certificate} \
     -subj "/CN=Fallback certificate/OU={{ instance_parameter['configuration.frontend-name'] }}" \
     -out ${:certificate}'

[jinja2-template-base]
# Base section for every jinja2-rendered file of this instance: the output
# goes under the buildout directory unless rendered is overridden, and each
# extending section contributes its own context lines via extra-context.
# NOTE(review): slapparameter_dict is a dump of the whole 'configuration'
# instance parameter, presumably including secrets passed by the master on
# the BBB path (apache-key), and it is handed to every template rendered
# from this base - templates must not print it.
recipe = slapos.recipe.template:jinja2
rendered = ${buildout:directory}/${:filename}
extensions = jinja2.ext.do
extra-context =
slapparameter_dict = {{ dumps(instance_parameter['configuration']) }}
slap_software_type = {{ dumps(instance_parameter['slap-software-type']) }}
context =
    import json_module json
    raw common_profile {{ parameter_dict['common_profile'] }}
    raw logrotate_base_instance {{ parameter_dict['logrotate_base_instance'] }}
    key slap_software_type :slap_software_type
    key slapparameter_dict :slapparameter_dict
    section directory directory
    ${:extra-context}

[software-release-path]
template-empty = {{ parameter_dict['template_empty'] }}
template-slave-configuration = {{ parameter_dict['template_slave_configuration'] }}
template-default-slave-virtualhost = {{ parameter_dict['template_default_slave_virtualhost'] }}
template-cached-slave-virtualhost = {{ parameter_dict['template_cached_slave_virtualhost'] }}
caddy-location = {{ parameter_dict['caddy_location'] }}

[kedifa-login-config]
# Paths of the client identity this frontend presents to KeDiFa, all under
# directory:ca-dir. The key and CSR are produced by kedifa-login-csr; the
# certificate, CA and CRL are kept current by the caucase-updater below.
d = ${directory:ca-dir}
template-csr = ${:d}/kedifa-login-template-csr.pem
# certificate aliases key: the private key and the signed certificate are
# stored in one PEM file.
key = ${:d}/kedifa-login-certificate.pem
certificate = ${:key}
ca-certificate = ${:d}/kedifa-caucase-ca.pem
cas-ca-certificate = ${:d}/kedifa-cas-caucase-ca.pem
crl = ${:d}/kedifa-login-crl.pem

[kedifa-login-csr]
# Generates the KeDiFa login private key and CSR (subject O = cluster
# identification, OU = frontend name). This only happens when a
# kedifa-caucase-url is configured and neither the CSR nor the key exists
# yet, so the key is created once and never regenerated by buildout.
# The final test makes the part fail (stop-on-error) whenever either file is
# missing - also when kedifa-caucase-url is empty and nothing was generated;
# presumably intentional, confirm.
# NOTE(review): -nodes writes the private key unencrypted, and the key path
# is the same file the caucase updater later writes the certificate into
# (kedifa-login-config:certificate aliases kedifa-login-config:key).
recipe = plone.recipe.command
organization = {{ slapparameter_dict['cluster-identification'] }}
organizational_unit = {{ instance_parameter['configuration.frontend-name'] }}
command =
{% if slapparameter_dict['kedifa-caucase-url'] %}
  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
    {{ parameter_dict['openssl'] }} req -new -sha256 \
      -newkey rsa:2048 -nodes -keyout ${:key} \
      -subj "/O=${:organization}/OU=${:organizational_unit}" \
      -out ${:template-csr}
  fi
{% endif %}
  test -f ${:key} && test -f ${:template-csr}
update-command = ${:command}
template-csr = ${kedifa-login-config:template-csr}
key = ${kedifa-login-config:key}
stop-on-error = True

{{ caucase.updater(
     prefix='caucase-updater',
     buildout_bin_directory=parameter_dict['bin_directory'],
     updater_path='${directory:service}/kedifa-login-certificate-caucase-updater',
     url=slapparameter_dict['kedifa-caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
     crt_path='${kedifa-login-config:certificate}',
     ca_path='${kedifa-login-config:ca-certificate}',
     crl_path='${kedifa-login-config:crl}',
     key_path='${kedifa-login-csr:key}',
     template_csr='${kedifa-login-csr:template-csr}',
     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}}

[dynamic-custom-personal-template-slave-list]
# Renders the per-slave configuration profile that switch-caddy-softwaretype
# points both software types at. Everything a slave vhost needs is passed
# through extra-context: directories, ports, the KeDiFa login certificate and
# CA, the master certificate, the graceful-reload commands, the monitor base
# URL and, on the BBB path, the master-provided certificate.
< = jinja2-template-base
template = {{ parameter_dict['template_slave_list'] }}
filename = custom-personal-instance-slave-list.cfg
slave_instance_list = {{ dumps(instance_parameter['slave-instance-list']) }}
extra_slave_instance_list = {{ dumps(instance_parameter.get('configuration.extra_slave_instance_list')) }}
# both come from the master via slapparameter_dict
master_key_download_url = {{ dumps(slapparameter_dict['master-key-download-url']) }}
slave_kedifa_information = {{ dumps(slapparameter_dict['slave-kedifa-information']) }}
local_ipv4 = {{ dumps(instance_parameter['ipv4-random']) }}
local_ipv6 = {{ dumps(instance_parameter['ipv6-random']) }}
software_type = single-custom-personal
bin_directory = {{ parameter_dict['bin_directory'] }}
caddy_executable = {{ parameter_dict['caddy'] }}
caucase_url = {{ slapparameter_dict['kedifa-caucase-url'] }}
sixtunnel_executable = {{ parameter_dict['sixtunnel'] }}/bin/6tunnel
kedifa-updater = {{ parameter_dict['kedifa-updater'] }}
kedifa-updater-mapping-file = ${directory:etc}/kedifa_updater_mapping.txt
kedifa-updater-state-file = ${directory:srv}/kedifa_updater_state.json
kedifa-csr = {{ parameter_dict['kedifa-csr'] }}
service_directory = ${directory:service}
extra-context =
    key kedifa_caucase_ca_certificate kedifa-login-config:ca-certificate
    key kedifa_login_certificate kedifa-login-config:certificate
    key caddy_configuration_directory caddy-directory:slave-configuration
# caddy_cached_configuration_directory and slave_with_cache_configuration_directory
# are two names for the same directory
    key caddy_cached_configuration_directory caddy-directory:slave-with-cache-configuration
    key slave_with_cache_configuration_directory caddy-directory:slave-with-cache-configuration
    key kedifa_updater :kedifa-updater
    key kedifa_updater_mapping_file :kedifa-updater-mapping-file
    key kedifa_updater_state_file :kedifa-updater-state-file
    key kedifa_csr :kedifa-csr
    key caddy_executable :caddy_executable
    key caucase_url :caucase_url
    key directory_csr_id directory:csr_id
    key directory_caddy_csr_id directory:caddy-csr_id
    key directory_tmp directory:tmp
    key directory_caddy_csr_id_log directory:caddy-csr_id-log
    key certificate_organization kedifa-login-csr:organization
    key certificate_organizational_unit kedifa-login-csr:organizational_unit
# caucase-updater-csr is presumably generated by the caucase.updater macro
# call above (prefix caucase-updater)
    key csr_id_csr caucase-updater-csr:csr
    key csr_crl kedifa-login-config:crl
    key csr_cas_ca_certificate kedifa-login-config:cas-ca-certificate
    key http_port configuration:plain_http_port
    key https_port configuration:port
    key public_ipv4 configuration:public-ipv4
    key slave_instance_list :slave_instance_list
    key extra_slave_instance_list :extra_slave_instance_list
    key master_key_download_url :master_key_download_url
    key slave_kedifa_information :slave_kedifa_information
    key autocert caddy-directory:autocert
    key master_certificate caddy-configuration:master-certificate
    key caddy_log_directory caddy-directory:slave-log
    key caddy_log_cache_direct_directory caddy-directory:slave-log-cache-direct
    key local_ipv4 :local_ipv4
    key local_ipv6 :local_ipv6
    key global_ipv6 slap-network-information:global-ipv6
    key empty_template software-release-path:template-empty
    key template_custom_slave_configuration software-release-path:template-slave-configuration
    key template_default_slave_configuration software-release-path:template-default-slave-virtualhost
    key template_cached_slave_configuration software-release-path:template-cached-slave-virtualhost
    key software_type :software_type
    key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
    key frontend_graceful_reload caddy-configuration:frontend-graceful-command
    section frontend_configuration frontend-configuration
    section caddy_configuration caddy-configuration
    key monitor_base_url monitor-instance-parameter:monitor-base-url 
    key plugin_directory directory:plugin
    key report_directory directory:bin
    key bin_directory :bin_directory
    key enable_http2_by_default configuration:enable-http2-by-default
    key global_disable_http2 configuration:global-disable-http2
    key ciphers configuration:ciphers
    key proxy_try_duration configuration:proxy-try-duration
    key proxy_try_interval configuration:proxy-try-interval
    key access_log caddy-configuration:access-log
    key error_log caddy-configuration:error-log
    key sixtunnel_executable :sixtunnel_executable
    key service_directory directory:service
    key run_directory directory:etc-run
    key not_found_file caddy-configuration:not-found-file
    key custom_ssl_directory caddy-directory:custom-ssl-directory
# BBB: SlapOS Master non-zero knowledge BEGIN
    key bbb_ssl_directory directory:bbb-ssl-dir
    key apache_certificate apache-certificate:rendered
# BBB: SlapOS Master non-zero knowledge END

[dynamic-virtualhost-template-slave]
<= jinja2-template-base
template = {{ parameter_dict['template_slave_configuration'] }}
rendered = ${directory:template}/slave-virtualhost.conf.in
# BBB: apache_custom_https and apache_custom_http
extra-context =
    key https_port configuration:port
    key http_port configuration:plain_http_port
    key apache_custom_https configuration:apache_custom_https
    key apache_custom_http configuration:apache_custom_http
    key caddy_custom_https configuration:caddy_custom_https
    key caddy_custom_http configuration:caddy_custom_http

# Deploy Caddy Frontend with Jinja power
[dynamic-caddy-frontend-template]
# Renders the main Caddyfile (caddy-configuration:frontend-configuration).
# Besides directories, ports and log paths it receives the monitor username
# and password - the same credentials monitor-caddy-server-status-wrapper
# uses against /server-status, so presumably they protect that endpoint -
# the master certificate path and, on the BBB path, the master-provided
# certificate.
< = jinja2-template-base
template = {{ parameter_dict['template_caddy_frontend_configuration'] }}
rendered = ${caddy-configuration:frontend-configuration}
local_ipv4 =  {{ dumps(instance_parameter['ipv4-random']) }}
extra-context =
    key httpd_home software-release-path:caddy-location
    key httpd_mod_ssl_cache_directory caddy-directory:mod-ssl
    key instance_home buildout:directory
    key master_certificate caddy-configuration:master-certificate
    key access_log caddy-configuration:access-log
    key slave_configuration_directory caddy-directory:slave-configuration
    key cached_port caddy-configuration:cache-through-port
    key ssl_cached_port caddy-configuration:ssl-cache-through-port
    key slave_with_cache_configuration_directory caddy-directory:slave-with-cache-configuration
    section frontend_configuration frontend-configuration
    key http_port configuration:plain_http_port
    key https_port configuration:port
    key local_ipv4 :local_ipv4
    key global_ipv6 slap-network-information:global-ipv6
    key error_log caddy-configuration:error-log
    key not_found_file caddy-configuration:not-found-file
    key username monitor-instance-parameter:username
    key password monitor-htpasswd:passwd
# BBB: SlapOS Master non-zero knowledge BEGIN
    key apache_certificate apache-certificate:rendered
# BBB: SlapOS Master non-zero knowledge END

[caddy-wrapper]
# Launches the Caddy binary with the rendered Caddyfile; caddy-frontend wraps
# this wrapper again to add the -pidfile.
# - CADDYPATH points Caddy's own state at directory:frontend_cluster.
# - -log-roll-mb 0 disables Caddy's built-in log rolling; rotation of the
#   error and access logs is done by logrotate-entry-caddy.
# - HTTP/2 is switched off when configuration.global-disable-http2 is truthy
#   and QUIC switched on when configuration.enable-quic is truthy (both
#   compared case-insensitively against TRUE_VALUES). Both are read with []
#   and so must be present in the instance parameters at render time.
# - -grace is the graceful shutdown timeout, in seconds.
# - Both ACME challenge types are disabled: certificates are expected to be
#   provided (master certificate, KeDiFa material) rather than obtained by
#   Caddy itself.
recipe = slapos.cookbook:wrapper
environment =
  CADDYPATH=${directory:frontend_cluster}
command-line = {{ parameter_dict['caddy'] }}
  -conf ${dynamic-caddy-frontend-template:rendered}
  -log ${caddy-configuration:error-log}
  -log-roll-mb 0
{% if instance_parameter['configuration.global-disable-http2'].lower() in TRUE_VALUES %}
  -http2=false
{% else %}
  -http2=true
{% endif %}
{% if instance_parameter['configuration.enable-quic'].lower() in TRUE_VALUES %}
  -quic
{% endif %}
  -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s
  -disable-http-challenge
  -disable-tls-alpn-challenge
wrapper-path = ${directory:bin}/caddy-wrapper

[caddy-frontend]
recipe = slapos.cookbook:wrapper
command-line = ${caddy-wrapper:wrapper-path} -pidfile ${caddy-configuration:pid-file}
wrapper-path = ${directory:service}/frontend_caddy
hash-files =
  ${buildout:directory}/software_release/buildout.cfg
  ${caddy-wrapper:wrapper-path}

[not-found-html]
recipe = slapos.cookbook:symbolic.link
target-directory = ${caddy-directory:document-root}
link-binary =
	    {{ parameter_dict['template_not_found_html'] }}

[caddy-directory]
recipe = slapos.cookbook:mkdirectory
document-root = ${directory:srv}/htdocs
slave-configuration = ${directory:etc}/caddy-slave-conf.d/
slave-with-cache-configuration = ${directory:etc}/caddy-slave-with-cache-conf.d/
cache = ${directory:var}/cache
mod-ssl = ${:cache}/httpd_mod_ssl
slave-log = ${directory:log}/httpd
slave-log-cache-direct = ${directory:log}/httpd-cache-direct
autocert = ${directory:srv}/autocert
master-autocert-dir = ${:autocert}/master-autocert
custom-ssl-directory = ${:slave-configuration}/ssl

[caddy-configuration]
frontend-configuration = ${directory:etc}/Caddyfile
access-log = ${directory:log}/frontend-access.log
error-log = ${directory:log}/frontend-error.log
pid-file = ${directory:run}/httpd.pid
frontend-graceful-command = ${frontend-caddy-validate:rendered} && kill -USR1 $(cat ${:pid-file})
not-found-file = ${caddy-directory:document-root}/notfound.html
master-certificate = ${caddy-directory:master-autocert-dir}/master.pem
# Communication with ATS
cache-port = ${trafficserver-variable:input-port}
cache-through-port = 26011
ssl-cache-through-port = 26012

# BBB: SlapOS Master non-zero knowledge BEGIN
[get-self-signed-fallback-access]
# Reads the fallback certificate file (key + certificate PEM, see
# self-signed-fallback-access) into the buildout option 'certificate' so
# that apache-certificate can inline it.
recipe = collective.recipe.shelloutput
commands =
  certificate = cat ${self-signed-fallback-access:certificate}

[apache-certificate]
# BBB path: when the SlapOS master still hands this frontend its certificate
# and key as instance parameters (configuration:apache-certificate and
# configuration:apache-key), they are concatenated into one PEM for the
# slaves. Without a certificate the self-signed fallback - which already
# carries its own key - is written instead, and an empty key adds nothing.
# The inline template is wrapped in a raw block so its braces are expanded by
# this part, not by the outer instance rendering.
# NOTE(review): the rendered frontend.crt contains a private key but no mode
# is set here - confirm the default mode of the rendered file and of
# directory:bbb-ssl-dir are restrictive.
recipe = slapos.recipe.template:jinja2
template = inline:
{% raw %}
  {{ certificate or fallback_certificate }}
  {{ key or '' }}
{% endraw %}
context =
  key certificate configuration:apache-certificate
  key key configuration:apache-key
  key fallback_certificate get-self-signed-fallback-access:certificate
rendered = ${directory:bbb-ssl-dir}/frontend.crt
# BBB: SlapOS Master non-zero knowledge END

[logrotate-entry-caddy]
<= logrotate-entry-base
name = caddy
log = ${caddy-configuration:error-log} ${caddy-configuration:access-log}
rotate-num = 30
# Note: Slaves do not define their own reload: it would be repeated for each
#       slave, because sharedscripts works per entry and each slave needs its
#       own olddir.
#       Here we trust that the error or access log will always have something
#       to rotate, so that this entry's postrotate script gets triggered.
post = ${frontend-caddy-lazy-graceful:rendered} &

#################
# Trafficserver
#################
[trafficserver-directory]
recipe = slapos.cookbook:mkdirectory
configuration = ${directory:etc}/trafficserver
local-state = ${directory:var}/trafficserver
bin_path = {{ parameter_dict['trafficserver'] }}/bin
log = ${directory:log}/trafficserver
cache-path = ${directory:srv}/ats_cache
logrotate-backup = ${logrotate-directory:logrotate-backup}/trafficserver

[trafficserver-variable]
# Values shared by the Traffic Server (ATS) parts below; exposed to the ATS
# templates as the ats_configuration section.
wrapper-path = ${directory:service}/trafficserver
reload-path = ${directory:etc-run}/trafficserver-reload
# ATS is addressed on the instance's private IPv4
local-ip = {{ instance_parameter['ipv4-random'] }}
input-port = 23432
hostname = ${configuration:frontend-name}
# Everything ATS receives goes back to Caddy's cache-through ports:
# /HTTPS/ to ssl-cache-through-port, the rest to cache-through-port.
remap = map /HTTPS/ http://{{ instance_parameter['ipv4-random'] }}:${caddy-configuration:ssl-cache-through-port}
  map / http://{{ instance_parameter['ipv4-random'] }}:${caddy-configuration:cache-through-port}

plugin-config =
# NOTE(review): ip_allow.config admits every source address, so who can reach
# the cache is decided only by the address ATS binds to (set in the
# records.config template, not visible here) - confirm it binds to local-ip
# only.
ip-allow-config = src_ip=0.0.0.0-255.255.255.255 action=ip_allow
cache-path = ${trafficserver-directory:cache-path}
disk-cache-size = ${configuration:disk-cache-size}
synthetic-port = ${configuration:trafficserver-synthetic-port}
mgmt-port = ${configuration:trafficserver-mgmt-port}
ram-cache-size = ${configuration:ram-cache-size}
templates-dir = {{ parameter_dict['trafficserver'] }}/etc/trafficserver/body_factory
445 446 447 448 449 450 451 452 453 454 455

[trafficserver-configuration-directory]
# Seeds the ATS configuration directory with the stock files shipped in the
# software release. cp -n never overwrites, so files already present
# (including records/remap/... files rendered into the same directory by the
# parts below) are left alone - and stock files changed in a newer software
# release are not picked up by existing instances. No update-command is set,
# so this presumably runs on install only.
recipe = plone.recipe.command
command = cp -rn {{ parameter_dict['trafficserver'] }}/etc/trafficserver/* ${:target}
target = ${trafficserver-directory:configuration}

[trafficserver-launcher]
recipe = slapos.cookbook:wrapper
command-line = {{ parameter_dict['trafficserver'] }}/bin/traffic_cop
wrapper-path = ${trafficserver-variable:wrapper-path}
environment = TS_ROOT=${buildout:directory}
hash-files = ${buildout:directory}/software_release/buildout.cfg

[trafficserver-reload]
recipe = slapos.cookbook:wrapper
command-line = {{ parameter_dict['trafficserver'] }}/bin/traffic_ctl config reload
wrapper-path = ${trafficserver-variable:reload-path}
environment = TS_ROOT=${buildout:directory}

# XXX Dedicated jinja2 base section that does not pass slapparameter_dict
[trafficserver-jinja2-template-base]
recipe = slapos.recipe.template:jinja2
rendered = ${trafficserver-directory:configuration}/${:filename}
extra-context =
mode = 600
context =
    section ats_directory trafficserver-directory
    section ats_configuration trafficserver-variable
    ${:extra-context}

[trafficserver-records-config]
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_trafficserver_records_config_location'] }}/{{ parameter_dict['template_trafficserver_records_config_filename'] }}
filename = records.config
extra-context =
    import os_module os

[trafficserver-storage-config]
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_trafficserver_storage_config_location'] }}/{{ parameter_dict['template_trafficserver_storage_config_filename'] }}
filename = storage.config

[trafficserver-logging-config]
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_trafficserver_logging_config_location'] }}/{{ parameter_dict['template_trafficserver_logging_config_filename'] }}
filename = logging.config

[trafficserver-remap-config]
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_empty'] }}
filename = remap.config
context =
    key content trafficserver-variable:remap

[trafficserver-plugin-config]
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_empty'] }}
filename = plugin.config
context =
    key content trafficserver-variable:plugin-config

[trafficserver-ip-allow-config]
# Renders ip_allow.config from trafficserver-variable:ip-allow-config (an
# allow-all rule); the 600 mode comes from the base section.
< = trafficserver-jinja2-template-base
template = {{ parameter_dict['template_empty'] }}
filename = ip_allow.config
context =
    key content trafficserver-variable:ip-allow-config

[promise-plugin-base]
recipe = slapos.cookbook:promise.plugin
eggs =
  slapos.toolbox
content =
  from slapos.promise.plugin.${:module} import RunPromise
output = ${directory:plugin}/${:name}


[trafficserver-promise-listen-port]
<= promise-plugin-base
module = check_port_listening
name = trafficserver-port-listening.py
config-hostname = ${trafficserver-variable:local-ip}
config-port = ${trafficserver-variable:input-port}

[trafficserver-ctl]
recipe = slapos.cookbook:wrapper
command-line = {{ parameter_dict['trafficserver'] }}/bin/traffic_ctl
wrapper-path = ${directory:bin}/traffic_ctl
environment = TS_ROOT=${buildout:directory}

[trafficserver-promise-cache-availability]
<= promise-plugin-base
module = trafficserver_cache_availability
name = trafficserver-cache-availability.py
config-wrapper-path = ${trafficserver-ctl:wrapper-path}

[trafficserver-rotate-script]
< = jinja2-template-base
template = {{ parameter_dict['template_rotate_script'] }}
rendered = ${directory:bin}/trafficserver-rotate
mode = 0700
xz_binary = {{ parameter_dict['xz_location'] ~ '/bin/xz' }}
pattern = *.old
# days to keep log files
keep_days = 365

extra-context =
  key log_dir trafficserver-directory:log
  key rotate_dir trafficserver-directory:logrotate-backup
  key xz_binary :xz_binary
  key keep_days :keep_days
  key pattern :pattern

[cron-entry-logrotate-trafficserver]
recipe = slapos.cookbook:cron.d
cron-entries = ${directory:etc}/cron.d
name = trafficserver-logrotate
frequency = 0 0 * * *
command = ${trafficserver-rotate-script:rendered}

### End of ATS sections

### Caddy Graceful and promises
[frontend-caddy-configuration-state]
# Base for the two configuration-state scripts below. path_list covers every
# file that makes up the effective frontend configuration - Caddyfile, log
# access configuration, slave vhost files, master/autocert/custom-ssl key and
# certificate files and the BBB frontend certificates - which the script
# presumably hashes with sha256sum into signature_file so that changes can
# be detected.
# signature_file is deliberately left unset here: each extending section
# (-graceful, -validate) provides its own.
< = jinja2-template-base
template = {{ parameter_dict['template_configuration_state_script'] }}
rendered = ${directory:bin}/${:_buildout_section_name_}
mode = 0700

path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*.pem ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.crt
sha256sum = {{ parameter_dict['sha256sum'] }}

extra-context =
    key path_list :path_list
    key sha256sum :sha256sum
    key signature_file :signature_file

[frontend-caddy-configuration-state-graceful]
< = frontend-caddy-configuration-state
signature_file = ${directory:run}/graceful_configuration_state_signature

[frontend-caddy-configuration-state-validate]
< = frontend-caddy-configuration-state
signature_file = ${directory:run}/validate_configuration_state_signature

[frontend-caddy-graceful]
< = jinja2-template-base
template = {{ parameter_dict['template_graceful_script'] }}
rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
mode = 0700

extra-context =
    key graceful_reload_command caddy-configuration:frontend-graceful-command
    key caddy_configuration_state frontend-caddy-configuration-state-graceful:rendered

[frontend-caddy-validate]
< = jinja2-template-base
template = {{ parameter_dict['template_validate_script'] }}
rendered = ${directory:bin}/frontend-caddy-validate
mode = 0700
last_state_file = ${directory:run}/caddy_configuration_last_state
extra-context =
    key wrapper caddy-wrapper:wrapper-path
    key caddy_configuration_state frontend-caddy-configuration-state-validate:rendered
    key last_state_file :last_state_file

[frontend-caddy-lazy-graceful]
< = jinja2-template-base
template = {{ parameter_dict['template_caddy_lazy_script_call'] }}
rendered = ${directory:bin}/frontend-caddy-lazy-graceful
mode = 0700
pid-file = ${directory:run}/lazy-graceful.pid
wait_time = 60
extra-context =
    key pid_file :pid-file
    key wait_time :wait_time
    key lazy_command caddy-configuration:frontend-graceful-command

# Promises checking configuration:
[promise-helper-last-configuration-state]
# Shell helper used by promise-frontend-caddy-configuration: its exit status
# is the number stored in frontend-caddy-validate's last_state_file (which is
# passed to the validate script, presumably the writer). If that file is
# missing, cat fails and exit receives no argument, so the helper presumably
# exits non-zero and the promise fails closed - verify.
< = jinja2-template-base
template = {{ parameter_dict['template_empty'] }}
rendered = ${directory:bin}/frontend-read-last-configuration-state
mode = 0700
content =
  #!/bin/sh
  exit `cat ${frontend-caddy-validate:last_state_file}`
context =
    key content :content

[promise-frontend-caddy-configuration]
<= promise-plugin-base
module = validate_frontend_configuration
name = frontend-caddy-configuration-promise.py
config-verification-script = ${promise-helper-last-configuration-state:rendered}

[promise-caddy-frontend-v4-https]
<= promise-plugin-base
module = check_port_listening
name = caddy_frontend_ipv4_https.py
config-hostname = {{ instance_parameter['ipv4-random'] }}
config-port = ${configuration:port}

[promise-caddy-frontend-v4-http]
<= promise-plugin-base
module = check_port_listening
name = caddy_frontend_ipv4_http.py
config-hostname = {{ instance_parameter['ipv4-random'] }}
config-port = ${configuration:plain_http_port}

[promise-caddy-frontend-v6-https]
<= promise-plugin-base
module = check_port_listening
name = caddy_frontend_ipv6_https.py
config-hostname = {{ instance_parameter['ipv6-random'] }}
config-port = ${configuration:port}

[promise-caddy-frontend-v6-http]
<= promise-plugin-base
module = check_port_listening
name = caddy_frontend_ipv6_http.py
config-hostname = {{ instance_parameter['ipv6-random'] }}
config-port = ${configuration:plain_http_port}

[promise-caddy-frontend-cached]
<= promise-plugin-base
module = check_port_listening
name = caddy_cached.py
config-hostname = {{ instance_parameter['ipv4-random'] }}
config-port = ${caddy-configuration:cache-through-port}

[promise-caddy-frontend-ssl-cached]
<= promise-plugin-base
module = check_port_listening
name = caddy_ssl_cached.py
config-hostname = {{ instance_parameter['ipv4-random'] }}
config-port = ${caddy-configuration:ssl-cache-through-port}

#######
# Monitoring sections
#

[monitor-instance-parameter]
# Note: Workaround for the monitor stack, which uses the monitor-httpd-port
#       parameter directly; in our case it can come from the network, so the
#       !py!'u' prefix has to be stripped (hence the int filter below).
{% set monitor_httpd_port = instance_parameter.get('configuration.monitor-httpd-port') %}
{% if monitor_httpd_port %}
monitor-httpd-port = {{ monitor_httpd_port | int }}
{% endif -%}

[monitor-conf-parameters]
private-path-list += 
  ${logrotate-directory:logrotate-backup}


[monitor-traffic-summary-last-stats-wrapper]
< = jinja2-template-base
template = {{ parameter_dict['template_wrapper'] }}
rendered = ${directory:bin}/traffic-summary-last-stats_every_1_hour
mode = 0700
command = export TS_ROOT=${buildout:directory} && echo "<pre>$({{ parameter_dict['trafficserver'] }}/bin/traffic_logstats -f ${trafficserver-directory:log}/squid.blog)</pre>"
extra-context =
  key content monitor-traffic-summary-last-stats-wrapper:command

# Produce ATS Cache stats
[monitor-ats-cache-stats-wrapper]
< = jinja2-template-base
template = {{ parameter_dict['template_wrapper'] }}
rendered = ${directory:bin}/ats-cache-stats_every_1_hour
mode = 0700
command = export TS_ROOT=${buildout:directory} && echo "<pre>$({{ parameter_dict['trafficserver'] }}/bin/traffic_shell ${monitor-ats-cache-stats-config:rendered})</pre>"
extra-context =
  key content monitor-ats-cache-stats-wrapper:command

[monitor-caddy-server-status-wrapper]
# Monitor report: fetches Caddy's /server-status page over the plain HTTP
# port on the instance's private IPv4, authenticating with the monitor
# credentials; stderr is merged into the report output (2>&1).
# NOTE(review): the password is given on the curl command line (-u), so it
# is visible in the process table while the request runs; curl can take the
# credentials from a config file (-K) or .netrc instead.
< = jinja2-template-base
template = {{ parameter_dict['template_wrapper'] }}
rendered = ${directory:bin}/monitor-caddy-server-status-wrapper
mode = 0700
command = {{ parameter_dict['curl'] }}/bin/curl -s http://{{ instance_parameter['ipv4-random'] }}:${configuration:plain_http_port}/server-status -u ${monitor-instance-parameter:username}:${monitor-htpasswd:passwd} 2>&1
extra-context =
  key content monitor-caddy-server-status-wrapper:command

[monitor-ats-cache-stats-config]
< = jinja2-template-base
template = {{ parameter_dict['template_empty'] }}
rendered = ${trafficserver-configuration-directory:target}/cache-config.stats
mode = 644
context =
    raw content show:cache-stats

[monitor-verify-re6st-connectivity]
<= promise-plugin-base
module = check_url_available
name = re6st-connectivity.py
config-url = ${configuration:re6st-verification-url}

[port-redirection]
<= jinja2-template-base
template = inline:
  [{"srcPort": 80, "destPort": {{ '{{' }} http_port {{ '}}' }}}, {"srcPort": 443, "destPort": {{ '{{' }} https_port {{ '}}' }}}]
rendered = ${buildout:directory}/.slapos-port-redirect
mode = 0644
extra-context =
    key http_port configuration:plain_http_port
    key https_port configuration:port

[configuration]
{%- for key, value in instance_parameter.iteritems() -%}
{%-   if key.startswith('configuration.') %}
{{ key.replace('configuration.', '') }} = {{ dumps(value) }}
{%-   endif -%}
{%- endfor -%}
{%- endif -%} {# if slap_software_type == software_type #}