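# pbsready.cfg.in: buildout profile template. The parts listed here are the
# ones installed for the instance.
# NOTE(review): single-dollar references look like they are substituted when
# this template is rendered, and double-dollar references left for the instance
# buildout -- confirm against the rendering recipe.
# NOTE(review): sections defined in this file but absent from the list (for
# example logrotate-entry-mariadb, rdiff-backup-server, equeue, sshd-server)
# are presumably pulled in only when a listed part references them or an
# extending profile adds them -- confirm.
[buildout]

parts =
  logrotate
  logrotate-entry-cron
  logrotate-entry-equeue
  logrotate-entry-notifier
  logrotate-entry-resilient
  cron
  cron-entry-logrotate
  resilient-sshkeys-authority
  sshd-graceful
  sshkeys-sshd
  sshd-promise
  resilient-sshkeys-sshd-promise
  sshd-pbs-authorized-key
  notifier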


#----------------
#--
#-- Creation of all needed directories.

# Top-level directories of the instance, all located under the buildout
# directory.
# NOTE(review): no mode is given here; srv/ later holds the SSH keys and the
# backups, so confirm the recipe's default permissions keep these directories
# private to the instance user.
[rootdirectory]
recipe = slapos.cookbook:mkdirectory
etc = $${buildout:directory}/etc
var = $${buildout:directory}/var
srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin

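# Second-level directories: logs, service wrappers, run-time state, run-once
# scripts, backups, promises, cache and notifier data.
# Each key appears once; how a repeated key is resolved depends on the parser.
[basedirectory]
recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
scripts = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise
cache = $${rootdirectory:var}/cache
notifier = $${rootdirectory:etc}/notifier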

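# Service-specific directories: backup target, SSH material, notifier data,
# cron and logrotate state.
# NOTE(review): `backup` joins the slap-parameter namebase value into the path
# as-is; presumably it comes from the instance request -- confirm it cannot
# contain path separators or "..".
# NOTE(review): `ssh` holds the sshd host key and authorized_keys, `sshkeys`
# the key requests; no mode is set in this section -- confirm the created
# directories are private to the instance user.
# NOTE(review): other sections read directory:etc, directory:run and
# directory:bin, which are not defined here; presumably an extended profile
# supplies them -- confirm.
[directory]
recipe = slapos.cookbook:mkdirectory
backup = $${basedirectory:backup}/$${slap-parameter:namebase}
ssh = $${rootdirectory:etc}/ssh/
sshkeys = $${rootdirectory:srv}/sshkeys
notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
cron-entries = $${rootdirectory:etc}/cron.d
crontabs = $${rootdirectory:etc}/crontabs
cronstamps = $${rootdirectory:etc}/cronstamps
logrotate-entries = $${rootdirectory:etc}/logrotate.d
logrotate-backup = $${basedirectory:backup}/logrotate
cgi-bin = $${rootdirectory:srv}/cgi-bin
monitor-resilient = $${monitor-directory:private}/resilient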

#----------------
#--
#-- Deploy cron.

# Cron daemon for the instance, using dcron's crond; the wrapper is written to
# the services directory.
# `catcher` points at the cron-simplelogger wrapper (presumably it receives the
# output of the jobs -- confirm against the recipe).
[cron]
recipe = slapos.cookbook:cron
dcrond-binary = ${dcron:location}/sbin/crond
cron-entries = $${directory:cron-entries}
crontabs = $${directory:crontabs}
cronstamps = $${directory:cronstamps}
catcher = $${cron-simplelogger:wrapper}
binary = $${basedirectory:services}/crond

# Logging wrapper used as the cron `catcher`; it writes to crond.log in the
# log directory.
[cron-simplelogger]
recipe = slapos.cookbook:simplelogger
wrapper = $${rootdirectory:bin}/cron_simplelogger
log = $${basedirectory:log}/crond.log


#----------------
#--
#-- Deploy logrotate.

# Cron entry named "logrotate": runs the logrotate wrapper every day at 00:00.
# `<= cron` copies the options of the cron section before the ones below
# override them.
[cron-entry-logrotate]
<= cron
recipe = slapos.cookbook:cron.d
name = logrotate
frequency = 0 0 * * *
command = $${logrotate:wrapper}

# Base logrotate setup: the binaries to use, the generated wrapper and
# configuration file, the directory of per-service entries, the backup
# directory for rotated logs and the state file.
# The logrotate-entry-* sections that use `<= logrotate` inherit these options.
[logrotate]
recipe = slapos.cookbook:logrotate
# Binaries
logrotate-binary = ${logrotate:location}/usr/sbin/logrotate
gzip-binary = ${gzip:location}/bin/gzip
gunzip-binary = ${gzip:location}/bin/gunzip
# Directories
wrapper = $${rootdirectory:bin}/logrotate
conf = $${rootdirectory:etc}/logrotate.conf
logrotate-entries = $${directory:logrotate-entries}
backup = $${directory:logrotate-backup}
state-file = $${rootdirectory:srv}/logrotate.status

# Daily rotation of the MariaDB error log, 30 rotations kept, with a
# post-rotation command taken from the mariadb section.
# NOTE(review): this entry is not listed in the buildout parts and no mariadb
# section is defined in this file; presumably it is meant for profiles that
# extend this one -- confirm.
[logrotate-entry-mariadb]
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = mariadb
log = $${mariadb:error-log}
frequency = daily
rotate-num = 30
post = $${mariadb:logrotate-post}
sharedscripts = true
notifempty = true
create = true

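# Daily rotation of the crond log written by cron-simplelogger, 30 rotations
# kept; empty logs are skipped and a new log file is created after rotation.
[logrotate-entry-cron]
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = crond
log = $${cron-simplelogger:log}
frequency = daily
rotate-num = 30
notifempty = true
create = true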

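# Daily rotation, 30 rotations kept, of two logs under the single entry name
# "equeue": the equeue log and the sshd log written by the sshd-server script.
[logrotate-entry-equeue]
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = equeue
log = $${equeue:log} $${sshd-server:log}
frequency = daily
rotate-num = 30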

# Hand-written logrotate entry for the notifier feed files, rendered with mode
# 600 into the logrotate entries directory as "notifier".
# Feeds are rotated weekly, 5 rotations kept, uncompressed; missing files are
# tolerated and old copies go to the logrotate backup directory.
# The indented lines below are part of the `input` value, so any comment must
# stay outside them.
[logrotate-entry-notifier]
recipe = collective.recipe.template
mode = 600
input = inline:
  $${notifier:feeds}/* {
    rotate 5
    weekly
    nocompress
    missingok
    olddir $${directory:logrotate-backup}
  }
output = $${logrotate:logrotate-entries}/notifier

# Weekly rotation of resilient.log in the log directory, 7 rotations kept.
[logrotate-entry-resilient]
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = resilient_log
log = $${basedirectory:log}/resilient.log
frequency = weekly
rotate-num = 7

#----------------
#--
#-- Sets up an rdiff-backup server (with an OpenSSH server for ssh access)

# rdiff-backup on the server side (client = false), working on the backup
# directory. The wrapper generated here is the command that the
# resilient-sshd-config template forces for every ssh session.
# NOTE(review): whether the wrapper confines rdiff-backup to `path` is decided
# inside the pbs recipe, which is not shown here -- confirm (rdiff-backup has a
# --restrict option for this).
[rdiff-backup-server]
recipe = slapos.cookbook:pbs
client = false
path = $${directory:backup}
wrapper = $${rootdirectory:bin}/rdiffbackup-server
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup


#----------------
#--
#-- Set up the equeue and notifier.

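# Execution queue service: socket and lock file live in the run directory, the
# log in the log directory, the database under srv/, and the service wrapper in
# the services directory.
# NOTE(review): the notifier hands work to this queue through `socket`; confirm
# the run directory is private to the instance user, since access to the socket
# presumably means being able to queue commands.
[equeue]
recipe = slapos.cookbook:equeue
socket = $${basedirectory:run}/equeue.sock
lockfile = $${basedirectory:run}/equeue.lock
log = $${basedirectory:log}/equeue.log
database = $${rootdirectory:srv}/equeue.db
wrapper = $${basedirectory:services}/equeue
equeue-binary = ${buildout:bin-directory}/equeue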

# notifier.notify adds the [exporter, notifier] to the execution queue
# notifier.notify.callback sets up a callback
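# Renders the notifier service wrapper (mode 0700) from the template-wrapper
# template; the `command` value is passed to the template as the context key
# "content".
# The command starts pubsubserver on the instance's global IPv6 address and the
# notifier port, with the callbacks and feeds directories, the equeue socket
# and a log file.
# NOTE(review): no authentication option appears on this command line; confirm
# who can reach host:port and whether pubsubserver authenticates callers, since
# notifications add work to the execution queue.
[notifier]
recipe = slapos.recipe.template:jinja2
template = ${template-wrapper:output}
rendered = $${:wrapper}
wrapper = $${basedirectory:services}/notifier
mode = 0700
feeds = $${directory:notifier-feeds}
callbacks = $${directory:notifier-callbacks}
command = ${buildout:bin-directory}/pubsubserver --callbacks $${directory:notifier-callbacks} --feeds $${directory:notifier-feeds} --equeue-socket $${equeue:socket} --logfile $${basedirectory:log}/notifier.log $${:host} $${:port}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
host = $${slap-network-information:global-ipv6}
port = $${notifier-port:port}
context =
  key content notifier:command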


#----------------
#--
#-- OpenSSH.
# Renders the sshd_config of the backup sshd: it listens on the instance's
# global IPv6 address, accepts public-key authentication only (passwords are
# disabled), and forces every session to run the rdiff-backup server wrapper.
# The indented lines below are the template text itself, so review notes must
# stay outside them.
# NOTE(review): ForceCommand fixes the command but does not by itself turn off
# forwarding; AllowTcpForwarding and AllowAgentForwarding default to yes in
# OpenSSH, so consider setting both to "no" in the template.
# NOTE(review): "UsePrivilegeSeparation no" runs sshd without privilege
# separation (presumably because the daemon is started by an unprivileged
# instance user -- confirm). Newer OpenSSH releases deprecate this option and
# "Protocol"; check them against the bundled OpenSSH version.
# NOTE(review): only an RSA host key is configured.
# NOTE(review): directory:etc and directory:run are not defined in the
# [directory] section of this file; presumably an extended profile supplies
# them -- confirm.
[resilient-sshd-config]
# XXX: Add timeout support
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
 PidFile $${:path_pid}
 Port $${sshd-port:port}
 ListenAddress $${slap-network-information:global-ipv6}
 Protocol 2
 UsePrivilegeSeparation no
 HostKey $${directory:ssh}/server_key.rsa
 AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
 PasswordAuthentication no
 PubkeyAuthentication yes
 ForceCommand $${rdiff-backup-server:wrapper}

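# Wrapper that runs sshd in the foreground (-D), logging to stderr (-e), with
# the configuration file rendered by resilient-sshd-config (-f).
# `host`, `rsa-keyfile` and `home` are not used by the command line; they are
# read by other sections (sshkeys-sshd, resilient-publish-connection-parameter,
# and sshd-pbs-authorized-key through `<=`).
# `rsa-keyfile` is the same path as the HostKey in the sshd template.
[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
rsa-keyfile = $${directory:ssh}/server_key.rsa
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd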

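# Registers the public key given as the authorized-key instance parameter as an
# authorized key for the backup sshd. `<= sshd-raw-server` copies that
# section's options (including `home`) before `recipe` and `key` override them.
# NOTE(review): presumably the recipe writes .ssh/authorized_keys under `home`,
# which is the AuthorizedKeysFile of the sshd template -- confirm.
# NOTE(review): the holder of the matching private key can open sessions, which
# the sshd template limits to the forced rdiff-backup command; confirm the
# parameter is only settable by the trusted requester.
[sshd-pbs-authorized-key]
<= sshd-raw-server
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key}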

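# Generates raw_sshd_log (mode 700): a /bin/sh script that execs the raw sshd
# wrapper with stdout and stderr appended to sshd.log.
# The indented line below is part of the script text.
[sshd-server]
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
    exec $${sshd-raw-server:wrapper-path} >> $${:log} 2>&1

output = $${rootdirectory:bin}/raw_sshd_log
mode = 700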

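# Script placed in the `scripts` directory that sends SIGHUP to the process
# whose PID is recorded in the sshd pid file, using killpidfromfile (sshd
# re-reads its configuration on SIGHUP).
# NOTE(review): directory:bin is not defined in the [directory] section of this
# file; presumably an extended profile supplies it -- confirm.
[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${resilient-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful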

# Promise "sshd": checks that something is listening on the instance's global
# IPv6 address at the sshd port.
# It only shows that the port is open, not that the listener uses the expected
# host key.
[sshd-promise]
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
port = $${sshd-port:port}

#----------------
#--
#-- sshkeys

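# Directories used by the key authority: one for pending key requests and one
# for the generated keys, both under the sshkeys directory.
# NOTE(review): `keys` presumably ends up holding private key material; no mode
# is set here, so confirm the recipe's default keeps it private to the instance
# user.
[sshkeys-directory]
recipe = slapos.cookbook:mkdirectory
requests = $${directory:sshkeys}/resilient-requests
keys = $${directory:sshkeys}/resilient-keys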

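# Key authority service: works on the request and keys directories and uses the
# bundled ssh-keygen; its wrapper is installed in the services directory.
# Sections that use `<= resilient-sshkeys-authority` inherit these options.
# NOTE(review): presumably it generates a key pair for each request found in
# request-directory -- confirm against the recipe.
[resilient-sshkeys-authority]
recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/resilient_sshkeys_authority
keygen-binary = ${openssh:location}/bin/ssh-keygen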

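# Requests an RSA key pair named "sshd" from the key authority. The key files
# are the sshd host key paths taken from sshd-raw-server, and the service
# wrapper "sshd" is built around the sshd-server launcher script.
# NOTE(review): presumably the wrapper waits for the key pair before running
# `executable` -- confirm against the recipe.
# NOTE(review): no key size is set here, so it is whatever the recipe passes to
# ssh-keygen; confirm it is at least 2048 bits.
# Other sections read sshkeys-sshd:public-key-value, which is not set here and
# is presumably provided by the recipe.
[sshkeys-sshd]
<= resilient-sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = sshd
type = rsa
executable = $${sshd-server:output}
public-key = $${sshd-raw-server:rsa-keyfile}.pub
private-key = $${sshd-raw-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd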

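# Promise "public-key-existence" (mode 700): a bash script that exits 1 when
# the sshd public key value is empty or contains the text None.
# The key value is substituted into the script text when this section is
# rendered, so the promise reflects the value known at that time and does not
# read the key file when it runs.
# NOTE(review): the value is pasted unescaped inside a double-quoted bash
# string; that is fine for ssh-keygen output, but confirm nothing else can set
# it.
[resilient-sshkeys-sshd-promise]
# Check that the public key value is set (non-empty and not None)
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
  PUBLIC_KEY_CONTENT="$${sshkeys-sshd:public-key-value}"
  if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
    exit 1
  fi
output = $${basedirectory:promises}/public-key-existence
mode = 700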

#----------------
#--
#-- Connection information to reuse.

# Account information for the instance; user-info:pw-name is used as the user
# name in the published ssh-url.
# NOTE(review): presumably this is the system user the instance runs as --
# confirm against the recipe.
[user-info]
recipe = slapos.cookbook:userinfo

# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
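# Publishes the connection parameters of the backup sshd: its public key value,
# the ssh URL (user name, bracketed IPv6 host, port and backup path) and the
# IPv6 address.
# ssh-public-key is the public half of the key pair whose private half is the
# HostKey in the sshd template, so consumers can use it to verify the server.
# NOTE(review): confirm that consumers pin this key as the known host key
# instead of accepting whatever key the server presents on first contact.
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-sshd:public-key-value}
ssh-url = ssh://$${user-info:pw-name}@[$${sshd-raw-server:host}]:$${sshd-port:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}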