pbsready.cfg.in 7.67 KB
[buildout]

parts =
  logrotate
  logrotate-entry-cron
  logrotate-entry-equeue
  cron
  cron-entry-logrotate
  sshkeys-authority
  sshd-graceful
  sshkeys-sshd
  sshd-promise
  resilient-sshkeys-sshd-promise
  sshd-pbs-authorized-key
  notifier


#----------------
#--
#-- Creation of all needed directories.

[rootdirectory]
# Top-level directories of the instance, all placed directly under the
# buildout directory. [basedirectory] and [directory] in this file build
# their paths on top of these four.
recipe = slapos.cookbook:mkdirectory
etc = $${buildout:directory}/etc
var = $${buildout:directory}/var
srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin

[basedirectory]
recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
scripts = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise
# NOTE(review): `services` is already set to this same value earlier in
# [basedirectory]; the repeat looks redundant, and how duplicate options are
# treated depends on the parser - confirm and keep only one.
services = $${rootdirectory:etc}/service
cache = $${rootdirectory:var}/cache
notifier = $${rootdirectory:etc}/notifier

[directory]
recipe = slapos.cookbook:mkdirectory
backup = $${basedirectory:backup}/$${slap-parameter:namebase}
ssh = $${rootdirectory:etc}/ssh/
sshkeys = $${rootdirectory:srv}/sshkeys
notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
cron-entries = $${rootdirectory:etc}/cron.d
crontabs = $${rootdirectory:etc}/crontabs
cronstamps = $${rootdirectory:etc}/cronstamps
logrotate-entries = $${rootdirectory:etc}/logrotate.d
logrotate-backup = $${basedirectory:backup}/logrotate
cgi-bin = $${rootdirectory:srv}/cgi-bin
monitor-resilient = $${monitor-directory:private}/resilient

#----------------
#--
#-- Deploy cron.

[cron]
# Cron daemon for this instance; the crond wrapper is written into the
# services directory and the entry/crontab/stamp directories come from
# [directory].
# NOTE(review): `${dcron:location}` uses a single `$` while the other
# references use `$$`. Presumably the single form is resolved when this .in
# template is rendered and `$$` survives as `${...}` for the later buildout
# run - confirm against the template recipe in use.
recipe = slapos.cookbook:cron
dcrond-binary = ${dcron:location}/sbin/crond
cron-entries = $${directory:cron-entries}
crontabs = $${directory:crontabs}
cronstamps = $${directory:cronstamps}
# presumably the program that receives the output of cron jobs; here it is
# the wrapper produced by [cron-simplelogger] - verify against the recipe
catcher = $${cron-simplelogger:wrapper}
binary = $${basedirectory:services}/crond

[cron-simplelogger]
# Logging wrapper referenced by [cron] as its `catcher`; it is installed in
# the instance bin directory and writes to crond.log in the log directory.
recipe = slapos.cookbook:simplelogger
wrapper = $${rootdirectory:bin}/cron_simplelogger
log = $${basedirectory:log}/crond.log


#----------------
#--
#-- Deploy logrotate.

[cron-entry-logrotate]
# Cron entry that runs the logrotate wrapper.
# `<= cron` reuses the options of [cron]; `recipe` is then overridden so this
# part only registers a cron.d entry.
<= cron
recipe = slapos.cookbook:cron.d
name = logrotate
# cron schedule: every day at 00:00
frequency = 0 0 * * *
command = $${logrotate:wrapper}

[logrotate]
# Base logrotate setup: wrapper script, generated configuration file, the
# directory holding per-service entries, and where rotated logs are kept.
# The logrotate-entry-* sections in this file extend it with `<= logrotate`.
recipe = slapos.cookbook:logrotate
# Binaries
logrotate-binary = ${logrotate:location}/usr/sbin/logrotate
gzip-binary = ${gzip:location}/bin/gzip
gunzip-binary = ${gzip:location}/bin/gunzip
# Directories
wrapper = $${rootdirectory:bin}/logrotate
conf = $${rootdirectory:etc}/logrotate.conf
logrotate-entries = $${directory:logrotate-entries}
# rotated logs go under the backup tree (basedirectory:backup/logrotate)
backup = $${directory:logrotate-backup}
state-file = $${rootdirectory:srv}/logrotate.status

[logrotate-entry-mariadb]
# Daily rotation of the MariaDB error log, keeping 30 rotations.
# NOTE(review): this file defines no [mariadb] section and this part is not
# listed in [buildout] parts above; presumably both are supplied by a profile
# that extends this one - confirm, otherwise the references cannot resolve.
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = mariadb
log = $${mariadb:error-log}
frequency = daily
rotate-num = 30
# command taken from [mariadb]; presumably run after rotation - verify
post = $${mariadb:logrotate-post}
sharedscripts = true
notifempty = true
create = true

[logrotate-entry-cron]
# Daily rotation of the crond log written by [cron-simplelogger], keeping 30
# rotations.
<= logrotate
recipe =slapos.cookbook:logrotate.d
name = crond
log = $${cron-simplelogger:log}
frequency = daily
rotate-num = 30
notifempty = true
create = true

[logrotate-entry-equeue]
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = equeue
log = $${equeue:log} $${sshd-server:log}
frequency = daily
rotate-num = 30


#----------------
#--
#-- Sets up an rdiff-backup server (with an OpenSSH server for ssh access)

[rdiff-backup-server]
# Server-side rdiff-backup wrapper. [resilient-sshd-config] sets this wrapper
# as the sshd ForceCommand, so it is the only program an SSH session on the
# backup port is meant to run.
# NOTE(review): whether the wrapper confines rdiff-backup to `path` (for
# example with rdiff-backup's --restrict option) is decided inside the pbs
# recipe and is not visible here - confirm, because any holder of an
# authorized key reaches this wrapper.
recipe = slapos.cookbook:pbs
client = false
# backup destination: basedirectory:backup/<slap-parameter:namebase>
path = $${directory:backup}
wrapper = $${rootdirectory:bin}/rdiffbackup-server
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup


#----------------
#--
#-- Set up the equeue and notifier.

[equeue]
recipe = slapos.cookbook:equeue
socket = $${basedirectory:run}/equeue.sock
lockfile = $${basedirectory:run}/equeue.lock
log = $${basedirectory:log}/equeue.log
database = $${rootdirectory:srv}/equeue.db
wrapper = $${basedirectory:services}/equeue
equeue-binary = ${buildout:bin-directory}/equeue

# notifier.notify adds the [exporter, notifier] to the execution queue
# notifier.notify.callback sets up a callback
[notifier]
recipe = slapos.recipe.template:jinja2
template = ${template-wrapper:output}
rendered = $${:wrapper}
wrapper = $${basedirectory:services}/notifier
mode = 0700
feeds = $${directory:notifier-feeds}
callbacks = $${directory:notifier-callbacks}
command = ${buildout:bin-directory}/pubsubserver --callbacks $${directory:notifier-callbacks} --feeds $${directory:notifier-feeds} --equeue-socket $${equeue:socket} --logfile $${basedirectory:log}/notifier.log $${:host} $${:port}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
host = $${slap-network-information:global-ipv6}
port = $${notifier-port:port}
context =
  key content notifier:command


#----------------
#--
#-- OpenSSH.
[resilient-sshd-config]
# XXX: Add timeout support
# Renders the sshd_config used by [sshd-raw-server] (passed with `-f`).
# The daemon listens only on the partition's global IPv6 address, accepts
# public-key authentication only, and forces every session into the
# rdiff-backup server wrapper.
# NOTE(review): `$${directory:etc}` and `$${directory:run}` are not defined by
# the [directory] section visible in this file; presumably an extending
# profile adds them - confirm.
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
# NOTE(review) on the template below:
# - ForceCommand alone does not switch off forwarding. AllowTcpForwarding and
#   AllowAgentForwarding are left at their sshd defaults here; consider
#   setting both to `no` if backup peers never need them.
# - `UsePrivilegeSeparation no` is presumably required because sshd runs as
#   the unprivileged partition user; newer OpenSSH releases deprecate this
#   option and `Protocol` - check against the bundled OpenSSH version.
# - The only host key is RSA (server_key.rsa, requested by [sshkeys-sshd]).
template = inline:
 PidFile $${:path_pid}
 Port $${sshd-port:port}
 ListenAddress $${slap-network-information:global-ipv6}
 Protocol 2
 UsePrivilegeSeparation no
 HostKey $${directory:ssh}/server_key.rsa
 AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
 PasswordAuthentication no
 PubkeyAuthentication yes
 ForceCommand $${rdiff-backup-server:wrapper}

[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
rsa-keyfile = $${directory:ssh}/server_key.rsa
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd

[sshd-pbs-authorized-key]
<= sshd-raw-server
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key}

[sshd-server]
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
    exec $${sshd-raw-server:wrapper-path} >> $${:log} 2>&1

output = $${rootdirectory:bin}/raw_sshd_log
mode = 700

[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${resilient-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful

[sshd-promise]
# Promise script written to the promises directory that checks the sshd
# address and port configured in [resilient-sshd-config].
# NOTE(review): judging by the recipe name this only verifies that the port
# is listening; it presumably says nothing about host key or authentication
# state (the public key has its own promise in
# [resilient-sshkeys-sshd-promise]) - confirm.
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
# [sshd-port] is not defined in this file; presumably provided by the
# extending profile - verify
port = $${sshd-port:port}

#----------------
#--
#-- sshkeys

[sshkeys-directory]
recipe = slapos.cookbook:mkdirectory
requests = $${directory:sshkeys}/requests
keys = $${directory:sshkeys}/keys

[sshkeys-authority]
recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${openssh:location}/bin/ssh-keygen

[sshkeys-sshd]
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = sshd
type = rsa
executable = $${sshd-server:output}
public-key = $${sshd-raw-server:rsa-keyfile}.pub
private-key = $${sshd-raw-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd

[resilient-sshkeys-sshd-promise]
# Check that public key file exists and is not empty
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
  PUBLIC_KEY_CONTENT="$${sshkeys-sshd:public-key-value}"
  if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
    exit 1
  fi
output = $${basedirectory:promises}/public-key-existence
mode = 700

#----------------
#--
#-- Connection information to re-use.

[user-info]
# Exposes information about the account running the instance; its `pw-name`
# value is used as the login name in the published ssh-url
# ([resilient-publish-connection-parameter]).
recipe = slapos.cookbook:userinfo

# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-sshd:public-key-value}
ssh-url = ssh://$${user-info:pw-name}@[$${sshd-raw-server:host}]:$${sshd-port:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}