update to bw4

This commit is contained in:
Franzi 2020-08-18 15:27:55 +02:00
parent d7862918a6
commit 5e2fea8497
Signed by: kunsi
GPG key ID: 12E3D2136B818350
22 changed files with 223 additions and 501 deletions

View file

@ -1,52 +1,33 @@
from bundlewrap.metadata import atomic
@metadata_processor
def backups(metadata):
if metadata.get('bind', {}).get('zones_primary_dynamic', {}):
metadata.setdefault('backups', {}).setdefault('paths', set()).add(
'/var/lib/bind/primary.dynamic',
)
return metadata, RUN_ME_AGAIN
defaults = {
'icinga2_api': {
'bind': {
'services': {
'BIND PROCESS': {
'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -C named -c 1:1',
},
},
},
},
}
@metadata_reactor
def port_checks(metadata):
services = {}
@metadata_processor
def monitoring(metadata):
icinga2_api = metadata.setdefault('icinga2_api', {})
node_metadata = icinga2_api.setdefault('bind', {})
services = node_metadata.setdefault('services', {})
services.setdefault('BIND PROCESS', {}).update({
'check_command': 'nrpe',
'vars.nrpe_command': 'check_bind_procs',
})
for interface in metadata.get('bind', {}).get('listen', []):
services.setdefault('BIND PORT {}'.format(interface), {}).update({
for interface in metadata.get('bind/listen', set()):
services[f'BIND PORT {interface}'] = {
'check_command': 'tcp',
'vars.tcp_address': metadata['interfaces'][interface]['ip_addresses'][0],
'vars.tcp_address': metadata.get(f'interfaces/{interface}/ip_addresses')[0],
'vars.tcp_port': 53,
})
nrpe_checks = metadata.setdefault('nrpe', {}).setdefault('custom_nrpe_checks', {})
nrpe_checks['check_bind_procs'] = '/usr/lib/nagios/plugins/check_procs -C named -c 1:1'
return metadata, DONE
@metadata_processor
def sperrfix(metadata):
per_bundle = metadata.get('bind', {}).get('sperrfix', {})
if per_bundle.get('ignore'):
return metadata, DONE
sources = per_bundle.get('sources', {'*'})
}
return {
'sperrfix': {
'bundle_rules': {
'53': atomic({'sources': sources}),
'53/udp': atomic({'sources': sources}),
'icinga2_api': {
'bind': {
'services': services,
},
},
}, OVERWRITE, RUN_ME_AGAIN
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def jenkins_apt_repos(metadata):
return {
defaults = {
'apt': {
'repos': {
'jenkins': {
@ -24,4 +22,4 @@ def jenkins_apt_repos(metadata):
},
},
},
}, DEFAULTS, DONE
}

View file

@ -1,8 +1,6 @@
@metadata_processor
def crontab(metadata):
return {
defaults = {
'cron': {
'letsencrypt_renew': '20 4 * * * root /usr/bin/dehydrated --cron --accept-terms --challenge http-01 > /dev/null',
'letsencrypt_cleanup': '42 23 * * 0 root /usr/bin/dehydrated --cleanup > /dev/null',
},
}, DEFAULTS, DONE
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def nodejs_apt_repos(metadata):
return {
defaults = {
'apt': {
'repos': {
'matrix': {
@ -19,11 +17,6 @@ def nodejs_apt_repos(metadata):
'matrix-synapse-py3': {},
},
},
}, DEFAULTS, DONE
@metadata_processor
def synapse_defaults(metadata):
return {
'matrix-synapse': {
'registration_shared_secret': repo.vault.human_password_for('{} matrix-synapse registration_shared_secret'.format(node.name)),
'database': {
@ -44,4 +37,4 @@ def synapse_defaults(metadata):
},
},
}
}, DEFAULTS, DONE
}

View file

@ -31,9 +31,6 @@ git_deploy = {
'/opt/mx-puppet-discord': {
'repo': 'https://github.com/matrix-discord/mx-puppet-discord.git',
'rev': 'master',
'needs': {
'directory:/opt/mx-puppet-discord',
},
'triggers': {
'action:mx-puppet-discord_chown',
'action:mx-puppet-discord_npm_install',

View file

@ -1,6 +1,4 @@
@metadata_processor
def mx_puppet_discord_user(metadata):
return {
defaults = {
'users': {
'mx-puppet-discord': {
'home': '/opt/mx-puppet-discord',
@ -8,21 +6,11 @@ def mx_puppet_discord_user(metadata):
'home-mode': '0755',
},
},
}, DEFAULTS, DONE
@metadata_processor
def add_mx_puppet_discord_to_synapse(metadata):
return {
'matrix-synapse': {
'appservice_configs': {
'/opt/mx-puppet-discord/registration.yaml',
},
},
}, DEFAULTS, DONE
@metadata_processor
def postgres(metadata):
return {
'mx-puppet-discord': {
'database': {
'user': 'mx-puppet-discord',
@ -42,5 +30,4 @@ def postgres(metadata):
},
},
},
}, DEFAULTS, DONE
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def defaults(metadata):
return {
defaults = {
'apt': {
'repos': {
'nginx': {
@ -23,17 +21,17 @@ def defaults(metadata):
'worker_processes': 4,
'worker_connections': 1000,
},
}, DEFAULTS, DONE
}
@metadata_processor
@metadata_reactor
def letsencrypt(metadata):
if not node.has_bundle('letsencrypt'):
return metadata, DONE
raise DoNotRunAgain
domains = {}
for domain in metadata.get('nginx', {}).get('vhosts', {}).keys():
for domain in metadata.get('nginx/vhosts', {}).keys():
domains[domain] = set()
return {
@ -43,4 +41,4 @@ def letsencrypt(metadata):
'nginx',
},
},
}, DEFAULTS, RUN_ME_AGAIN
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def nodejs_apt_repos(metadata):
return {
defaults = {
'apt': {
'repos': {
'yarn': {
@ -28,4 +26,4 @@ def nodejs_apt_repos(metadata):
'yarn': {},
},
},
}, DEFAULTS, DONE
}

View file

@ -10,9 +10,6 @@ directories = {
git_deploy = {
riot_web_root: {
'needs': {
'directory:' + riot_web_root,
},
'rev': 'master',
'repo': 'https://github.com/vector-im/riot-web.git',
'triggers': {

View file

@ -1,12 +1,12 @@
@metadata_processor
@metadata_reactor
def nginx_config(metadata):
return {
'nginx': {
'vhosts': {
metadata['riot-web']['url']: {
'webroot': '/var/www/chat.franzi.business/webapp/',
metadata.get('riot-web/url', None): {
'webroot': '/var/www/{}/webapp/'.format(metadata.get('riot-web/url', None)),
'extras': True,
},
},
},
}, DEFAULTS, DONE
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def defaults(metadata):
return {
defaults = {
'apt': {
'packages': {
'mariadb-server': {},
@ -16,4 +14,4 @@ def defaults(metadata):
'home-mode': '0755',
},
},
}, DEFAULTS, DONE
}

View file

@ -6,6 +6,6 @@ Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bi
root ALL=(ALL) ALL
% for user in node.metadata['sudo']:
% for user in sorted(node.metadata['sudo']):
${user} ALL=(ALL) NOPASSWD:ALL
% endfor

View file

@ -1,11 +1,11 @@
@metadata_processor
@metadata_reactor
def sudo_users(metadata):
sudoers = []
sudoers = set()
for username, config in metadata.get('users', {}).items():
if 'sudo' in config and config['sudo']:
sudoers.append(username)
sudoers.add(username)
metadata['sudo'] = sudoers
return metadata, RUN_ME_AGAIN
return {
'sudo': sudoers,
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def apt(metadata):
return {
defaults = {
'apt': {
'packages': {
'fish': {},
@ -8,4 +6,4 @@ def apt(metadata):
'vim': {},
},
},
}, DEFAULTS, DONE
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def apt(metadata):
return {
defaults = {
'apt': {
'packages': {
'qemu-kvm': {},
@ -8,4 +6,4 @@ def apt(metadata):
'libvirt-daemon-system': {},
},
},
}, DEFAULTS, DONE
}

View file

@ -1,6 +1,4 @@
@metadata_processor
def add_voc_user(metadata):
return {
defaults = {
'apt': {
'packages': {
'ffmpeg': {},
@ -11,4 +9,4 @@ def add_voc_user(metadata):
'home': '/opt/voc-loudness-monitor',
},
},
}, DEFAULTS, DONE
}

View file

@ -1,208 +0,0 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
from atexit import register as at_exit
from os import remove, setpgrp
from os.path import isfile, join
from pipes import quote
from shutil import rmtree
from subprocess import PIPE, Popen
from tempfile import mkdtemp, NamedTemporaryFile
from bundlewrap.exceptions import RepositoryError
from bundlewrap.items import Item
from bundlewrap.utils import cached_property
from bundlewrap.utils.text import mark_for_translation as _, randstr
from bundlewrap.utils.ui import io
REPO_MAP_FILENAME = "git_deploy_repos"
REMOTE_STATE_FILENAME = ".bundlewrap_git_deploy"
def is_ref(rev):
"""
Braindead check to see if our rev is a branch or tag name. False
negatives are OK since this is only used for optimization.
"""
for char in rev:
if char not in "0123456789abcdef":
return True
return False
def clone_to_dir(remote_url, rev):
"""
Clones the given URL to a temporary directory, using a shallow clone
if the given revision is definitely not a commit hash.
Returns the path to the directory.
"""
tmpdir = mkdtemp()
if is_ref(rev):
git_cmdline = ["clone", "--bare", "--depth", "1", "--no-single-branch", remote_url, "."]
else:
git_cmdline = ["clone", "--bare", remote_url, "."]
git_command(git_cmdline, tmpdir)
return tmpdir
def get_local_repo_path(bw_repo_path, repo_name):
"""
From the given BundleWrap repo, get the filesystem path to the git
repo associated with the given internal repo name.
"""
repo_map_path = join(bw_repo_path, REPO_MAP_FILENAME)
if not isfile(repo_map_path):
io.stderr(_("missing repo map for git_deploy at {}").format(repo_map_path))
io.stderr(_("you must create this file with the following format:"))
io.stderr(_(" <value of repo attribute on git_deploy item>: "
"<absolute path to local git repo>"))
io.stderr(_("since the path is local, you should also add the "
"{} file to your gitignore").format(REPO_MAP_FILENAME))
raise RepositoryError(_("missing repo map for git_deploy"))
with open(join(bw_repo_path, REPO_MAP_FILENAME)) as f:
repo_map = f.readlines()
for line in repo_map:
if not line.strip() or line.startswith("#"):
continue
try:
repo, path = line.split(":", 1)
except:
raise RepositoryError(_("unable to parse line from {path}: '{line}'").format(
line=line,
path=repo_map_path,
))
if repo_name == repo:
return path.strip()
raise RepositoryError(_("no path found for repo '{repo}' in {path}").format(
path=repo_map_path,
repo=repo_name,
))
def git_command(cmdline, repo_dir):
"""
Runs the given git command line in the given directory.
Returns stdout of the command.
"""
cmdline = ["git"] + cmdline
io.debug(_("running '{}' in {}").format(
" ".join(cmdline),
repo_dir,
))
git_process = Popen(
cmdline,
cwd=repo_dir,
preexec_fn=setpgrp,
stderr=PIPE,
stdout=PIPE,
)
stdout, stderr = git_process.communicate()
if git_process.returncode != 0:
io.stderr(_("failed command: {}").format(" ".join(cmdline)))
io.stderr(_("stdout:\n{}").format(stdout))
io.stderr(_("stderr:\n{}").format(stderr))
raise RuntimeError(_("`git {command}` failed in {dir}").format(
command=cmdline[1],
dir=repo_dir,
))
return stdout.decode('utf-8').strip()
class GitDeploy(Item):
"""
Facilitates deployment of a given rev from a local git repo to a
node.
"""
BUNDLE_ATTRIBUTE_NAME = "git_deploy"
ITEM_ATTRIBUTES = {
'repo': None,
'rev': None,
'use_xattrs': False,
}
ITEM_TYPE_NAME = "git_deploy"
REQUIRED_ATTRIBUTES = ['repo', 'rev']
def __repr__(self):
return "<GitDeploy path:{} repo:{} rev:{}>".format(
self.name,
self.attributes['repo'],
self.attributes['rev'],
)
@cached_property
def _expanded_rev(self):
git_cmdline = ["rev-parse", self.attributes['rev']]
return git_command(
git_cmdline,
self._repo_dir,
)
@cached_property
def _repo_dir(self):
if "://" in self.attributes['repo']:
repo_dir = clone_to_dir(self.attributes['repo'], self.attributes['rev'])
io.debug(_("registering {} for deletion on exit").format(repo_dir))
at_exit(rmtree, repo_dir)
else:
repo_dir = get_local_repo_path(self.node.repo.path, self.attributes['repo'])
return repo_dir
def cdict(self):
return {'rev': self._expanded_rev}
def fix(self, status):
archive_local = NamedTemporaryFile(delete=False)
try:
archive_local.close()
git_command(
["archive", "-o", archive_local.name, self._expanded_rev],
self._repo_dir,
)
temp_filename = ".bundlewrap_tmp_git_deploy_" + randstr()
try:
self.node.upload(
archive_local.name,
temp_filename,
)
self.node.run("find {} -mindepth 1 -delete".format(quote(self.name)))
self.node.run("tar -xf {} -C {}".format(temp_filename, quote(self.name)))
if self.attributes['use_xattrs']:
self.node.run("attr -q -s bw_git_deploy_rev -V {} {}".format(
self._expanded_rev,
quote(self.name),
))
else:
self.node.run("echo {} > {}".format(
self._expanded_rev,
quote(join(self.name, REMOTE_STATE_FILENAME)),
))
self.node.run("chmod 400 {}".format(
quote(join(self.name, REMOTE_STATE_FILENAME)),
))
finally:
self.node.run("rm -f {}".format(temp_filename))
finally:
remove(archive_local.name)
def sdict(self):
if self.attributes['use_xattrs']:
status_result = self.node.run(
"attr -q -g bw_git_deploy_rev {}".format(quote(self.name)),
may_fail=True,
)
else:
status_result = self.node.run(
"cat {}".format(quote(join(self.name, REMOTE_STATE_FILENAME))),
may_fail=True,
)
if status_result.return_code != 0:
return None
else:
return {'rev': status_result.stdout.decode('utf-8').strip()}

View file

@ -1,6 +1,5 @@
nodes['htz-cloud.pirmasens'] = {
'bundles': {
},
'bundles': set(),
'groups': {
'webserver',
},

View file

@ -2,9 +2,9 @@
# managed by bundlewrap.
nodes['htz-cloud.sewfile'] = {
'bundles': [
'bundles': {
'seafile',
],
},
'groups': {
'webserver',
},

View file

@ -1,5 +1,5 @@
nodes['htz.ex42-1048908'] = {
'bundles': [
'bundles': {
'jenkins-ci',
'matrix-synapse',
'mx-puppet-discord',
@ -8,7 +8,7 @@ nodes['htz.ex42-1048908'] = {
'postgresql',
'vmhost',
'voc-loudness-monitor',
],
},
'groups': {
'webserver',
},

View file

@ -1,8 +0,0 @@
{
"item_git_deploy": {
"files": {
"items/git_deploy.py": "111c81fe88c3e97168251fccf59e1aeb36af3d02"
},
"version": 6
}
}

View file

@ -1 +1 @@
bundlewrap<4.0.0
bundlewrap>=4.0.0