ignore: |
arvados/shell/config/files/default/shell-libpam-arvados.tmpl.jinja
test/salt/pillar/examples/nginx_webshell_configuration.sls
+ test/salt/pillar/examples/nginx_passenger.sls
skip_list:
# Using `salt-lint` for linting other files as well, such as Jinja macros/templates
- 205 # Use ".sls" as a Salt State file extension
- env: INSTANCE=workbench-ubuntu-1804-master-py3
- env: INSTANCE=api-debian-10-3001-py3
# - env: INSTANCE=keepstore-debian-10-3001-py3
- - env: INSTANCE=shell-debian-10-3001-py3
+ # - env: INSTANCE=shell-debian-10-3001-py3
# - env: INSTANCE=workbench-debian-10-3001-py3
# - env: INSTANCE=api-debian-9-3001-py3
# - env: INSTANCE=keepstore-debian-9-3001-py3
# - env: INSTANCE=workbench-ubuntu-1804-3001-py3
# - env: INSTANCE=api-centos-7-3001-py3
# - env: INSTANCE=keepstore-centos-7-3001-py3
- # - env: INSTANCE=shell-centos-7-3001-py3
+ - env: INSTANCE=shell-centos-7-3001-py3
# - env: INSTANCE=workbench-centos-7-3001-py3
# - env: INSTANCE=api-debian-10-3000-3-py3
# - env: INSTANCE=keepstore-debian-10-3000-3-py3
# - env: INSTANCE=shell-ubuntu-1804-3000-3-py3
# - env: INSTANCE=workbench-ubuntu-1804-3000-3-py3
# - env: INSTANCE=api-centos-7-3000-3-py3
- # - env: INSTANCE=keepstore-centos-7-3000-3-py3
+ - env: INSTANCE=keepstore-centos-7-3000-3-py3
# - env: INSTANCE=shell-centos-7-3000-3-py3
# - env: INSTANCE=workbench-centos-7-3000-3-py3
# - env: INSTANCE=api-ubuntu-1804-3000-3-py2
- - env: INSTANCE=keepstore-ubuntu-1804-3000-3-py2
+ # - env: INSTANCE=keepstore-ubuntu-1804-3000-3-py2
# - env: INSTANCE=shell-ubuntu-1804-3000-3-py2
# - env: INSTANCE=workbench-ubuntu-1804-3000-3-py2
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-# The API server requires a valid config BEFORE installing...
+{%- if arvados.ruby.manage_ruby %}
+ {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %}
+{%- endif %}
+
include:
+ # The API server requires a valid config BEFORE installing...
- {{ sls_config_file }}
-
-arvados-api-package-install-ruby-pkg-installed:
- pkg.installed:
- - name: {{ arvados.ruby.pkg }}
- - only_if: test "{{ arvados.ruby.manage_ruby | lower }}" = "true"
+ - {{ sls_ruby_install }}
arvados-api-package-install-gems-deps-pkg-installed:
pkg.installed:
- name: {{ gm }}
- require:
- pkg: arvados-api-package-install-gems-deps-pkg-installed
+ {%- if arvados.ruby.manage_ruby %}
+ - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed
+ {%- endif %}
- require_in:
- pkg: arvados-api-package-install-pkg-installed
{% endfor %}
ruby:
manage_ruby: false
pkg: ruby
+ use_rvm: false
manage_gems_deps: false
gems_deps:
name: nginx
# just for reference, is where the upstream is configured
port: 9000
+
##### WORKBENCH2
workbench2:
pkg:
pkg.installed:
- name: {{ arvados.dispatcher.pkg.name }}
- version: {{ arvados.version }}
+
+# FIXME! Until https://dev.arvados.org/issues/16995 makes it to
+# a new release, this is required so the dependency is installed
+{%- if arvados.dispatcher.pkg.name == 'crunch-dispatch-local' %}
+arvados-dispatcher-package-install-crunch-run-pkg-installed:
+ pkg.installed:
+ - name: crunch-run
+ - require:
+ - pkg: arvados-dispatcher-package-install-pkg-installed
+ - version: {{ arvados.version }}
+{%- endif %}
### DATABASE CONFIGURATION
PostgreSQL:
- # FIXME!!!!!! ALL as database or using Arvados' PostgreSQL ??
ConnectionPool: {{ arvados.cluster.database.connection_pool_max }}
Connection:
# All parameters here are passed to the PG client library in a connection string;
password: {{ arvados.cluster.database.password | yaml_encode }}
user: {{ arvados.cluster.database.user }}
client_encoding: {{ arvados.cluster.database.client_encoding }}
- {%- if 'PostgreSQL' in arvados.cluster %}
- {{ arvados.cluster.PostgreSQL | yaml(False) | indent(6) }}
- {%- endif %}
+ {%- if arvados.cluster.database.extra_conn_params is defined %}
+ {{ arvados.cluster.database.extra_conn_params | yaml(False) | indent(8) }}
+ {%- endif %}
### SERVICES URLs
Services:
ruby:
manage_ruby: true
+ use_rvm: true
pkg: ruby-2.5.7
gems_deps:
- python3-devel
- ruby-devel
- zlib-devel
+ ##### SHELL
+ shell:
+ shellinabox:
+ config: /etc/sysconfig/shellinaboxd
+ service:
+ name: shellinaboxd
{%- from tplroot ~ "/map.jinja" import arvados with context %}
{%- if arvados.ruby.manage_ruby %}
+
+ {%- if arvados.ruby.use_rvm %}
+ # Centos 7 has no python3-gnupg package, so using gpg.present
+ # will fail when it can't list the existing keys.
+ # Doing it the hard way
+arvados-ruby-package-install-gpg-cmd-run-gpg-michal-papis:
+ cmd.run:
+ - name: /bin/gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
+ - unless:
+ - /bin/gpg --list-keys 409B6B1796C275462A1703113804BB82D39DC0E3
+
+arvados-ruby-package-install-gpg-cmd-run-gpg-piotr-kuczynski:
+ cmd.run:
+ - name: /bin/gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+ - unless:
+ - /bin/gpg --list-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+
+arvados-ruby-package-install-rvm-cmd-run-curl:
+ cmd.run:
+ - name: curl -s -L http://get.rvm.io | bash -s stable
+ - unless: test -f /usr/local/rvm/bin/rvm
+ - require:
+ - cmd: arvados-ruby-package-install-gpg-cmd-run-gpg-michal-papis
+ - cmd: arvados-ruby-package-install-gpg-cmd-run-gpg-piotr-kuczynski
+
+arvados-ruby-package-install-ruby-rvm-installed:
+ rvm.installed:
+ - name: {{ arvados.ruby.pkg }}
+ - default: true
+ - require:
+ - cmd: arvados-ruby-package-install-rvm-cmd-run-curl
+
+ {%- else %}
+
arvados-ruby-package-install-ruby-pkg-installed:
pkg.installed:
- name: {{ arvados.ruby.pkg }}
- - require_in: arvados-ruby-package-install-ruby-profile-installed
+ {%- endif %}
{%- endif %}
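Review bot: `arvados-ruby-package-install-rvm-cmd-run-curl` fetches the installer over plain `http://get.rvm.io` and pipes it straight into `bash` as root, so anyone in a network position between the minion and that host can substitute the script; the two keys imported by the `gpg` states above are presumably what the installer uses to verify the rvm release it downloads, not the installer script itself. Use TLS and make curl fail on HTTP errors so an error page is never executed: `- name: curl -fsSL https://get.rvm.io | bash -s stable`. The `unless: test -f /usr/local/rvm/bin/rvm` guard means this runs once per host, so the exposure is at first provisioning rather than on every highstate. The enclosing `{%- if arvados.ruby.manage_ruby %}` block opens at L125 and may extend beyond the hunk.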
--- /dev/null
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
+USER=shellinabox
+GROUP=shellinabox
+CERTDIR=/var/lib/shellinabox
+# TCP port that shellinboxd's webserver listens on
+PORT={{ arvados.shell.shellinabox.service.port }}
+# SSL is disabled because it is terminated in Nginx. Adjust as needed.
+OPTS="--disable-ssl --no-beep --service=/shell.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}:SSH"
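Review bot: `OPTS` disables SSL because nginx terminates it, but nothing restricts where shellinaboxd accepts those plaintext connections, so the listener on `PORT` is reachable directly by anything that can reach the host, bypassing the TLS front end. If nginx proxies from the same host, add `--localhost-only` so the unencrypted service is bound to loopback: `OPTS="--disable-ssl --no-beep --localhost-only --service=/shell.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}:SSH"`. A one-line comment above it, `# Bound to loopback: only the local nginx reverse proxy should reach the plaintext port`, would document the assumption; the Debian `default` template presumably has the same gap.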
{%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
+{%- if arvados.ruby.manage_ruby %}
+ {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %}
+{%- endif %}
+
include:
- {{ sls_ruby_install }}
gem.installed:
- name: {{ gm }}
- require:
- - pkg: arvados-shell-package-install-gems-deps-pkg-installed
{%- if arvados.ruby.manage_ruby %}
- {%- if salt['grains.get']('osfinger') != 'CentOS Linux-7' %}
- - pkg: arvados-ruby-package-install-ruby-pkg-installed
- {%- else %}
- # - rvm: arvados-ruby-package-install-ruby-gemset-present
- - rvm: arvados-ruby-package-install-ruby-rvm-installed
- # - rvm: gemset_present
- # - ruby: ruby-2.5.7@arvados
- {%- endif %}
+ - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed
{%- endif %}
+ - pkg: arvados-shell-package-install-gems-deps-pkg-installed
{% endfor %}
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- set sls_ruby_install = tplroot ~ '.ruby.package.install' %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-# The workbench server requires a valid config BEFORE installing...
+{%- if arvados.ruby.manage_ruby %}
+ {%- set ruby_dep = 'rvm' if arvados.ruby.use_rvm else 'pkg' %}
+{%- endif %}
+
include:
+ # The workbench server requires a valid config BEFORE installing...
- {{ sls_config_file }}
-
-arvados-workbench-package-install-ruby-pkg-installed:
- pkg.installed:
- - name: {{ arvados.ruby.pkg }}
- - only_if: test "{{ arvados.ruby.manage_ruby | lower }}" = "true"
+ - {{ sls_ruby_install }}
arvados-workbench-package-install-gems-deps-pkg-installed:
pkg.installed:
driver:
image: saltimages/salt-master-py3:ubuntu-18.04
+ - name: amazonlinux-2-3001-py3
+ driver:
+ image: saltimages/salt-3001-py3:amazonlinux-2
+
## SALT `3001`
- name: debian-10-3001-py3
driver:
- nginx.passenger
- postgres
- arvados.repo
- # - arvados.config
- # - arvados.ruby
- arvados.api
- arvados.websocket
# keepproxy complains when using snakeoil certs, so we can't
# properly test it here until next version removes this limitation
- # - arvados.keepproxy
+ - arvados.keepproxy
- arvados.keepweb
- arvados.controller
- arvados.dispatcher
- example_nginx_controller
# keepproxy expects to retrieve a list of services from API, so
# installing/testing it without an api server running will fail
- # - example_nginx_keepproxy
+ - example_nginx_keepproxy
pillars_from_files:
# yamllint disable rule:line-length
arvados.sls: test/salt/pillar/arvados.sls
example_nginx_api.sls: test/salt/pillar/examples/nginx_api_configuration.sls
example_nginx_websocket.sls: test/salt/pillar/examples/nginx_websocket_configuration.sls
example_nginx_keepweb.sls: test/salt/pillar/examples/nginx_keepweb_configuration.sls
- # example_nginx_keepproxy.sls: test/salt/pillar/examples/nginx_keepproxy_configuration.sls
+ example_nginx_keepproxy.sls: test/salt/pillar/examples/nginx_keepproxy_configuration.sls
example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls
# yamllint enable rule:line-length
dependencies:
inspec_tests:
- path: test/integration/api
- path: test/integration/websocket
- # - path: test/integration/keepproxy
+ - path: test/integration/keepproxy
- path: test/integration/keepweb
- path: test/integration/controller
path: test/salt/states
- name: nginx
repo: git
- source: https://github.com/saltstack-formulas/nginx-formula.git
+ source: https://github.com/netmanagers/nginx-formula.git
verifier:
inspec_tests:
- path: test/integration/workbench
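Review bot: The nginx formula dependency now tracks the `netmanagers/nginx-formula` fork with no ref, so every test run pulls whatever that repository's default branch holds at the time and a change there silently alters what this formula is validated against. If kitchen-salt's git dependencies accept a branch or tag for `repo: git` (worth confirming against its docs), pin one, and add a comment above `- name: nginx` recording why the fork is needed — presumably the `snippets`/`load_module` pillar keys this commit introduces, which upstream may not support — so it can be dropped once upstream catches up.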
## We set these to `true` here for testing purposes.
## They both default to `false`.
manage_ruby: true
+ use_rvm: false # If you want to use rvm. Defaults to true for centos-7
+ # pkg: ruby # Can specify a version like ruby-2.5.7 for rvm
manage_gems_deps: true
- # pkg: ruby
# gems_deps:
# - curl
# - g++
user: arvados
encoding: en_US.utf8
client_encoding: UTF8
+ # You can pass extra database connections parameters here,
+ # which will be rendered as yaml.
+ # extra_conn_params:
+ # sslmode: prefer
+ # verify-ca: false
+
tls:
# certificate: ''
http://127.0.0.2:8004: {}
RAILS_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired api lines'
describe file('/etc/arvados/config.yml') do
it { should be_file }
it { should be_owned_by 'root' }
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
end
describe port(8004) do
+ proc = case os[:name]
+ when 'centos'
+ # Centos ps adds an extra colon and the end of the process
+ # probably a bug
+ 'nginx:'
+ when 'debian', 'ubuntu'
+ 'nginx'
+ end
+
it { should be_listening }
- its('processes') { should include 'nginx' }
+ its('processes') { should cmp proc }
end
end
Replication: 2
VOLUMES_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired controller lines'
it { should be_file }
it { should be_owned_by 'root' }
# We're testing it in the API instance, so group will be nginx's
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
it { should be_running }
end
describe port(8003) do
+ proc = case os[:name]
+ when 'centos'
+ 'arvados-contr'
+ when 'debian', 'ubuntu'
+ 'arvados-control'
+ end
+
it { should be_listening }
# The undelying tools inspec uses to get the process truncates their names
- its('processes') { should include 'arvados-control' }
+ its('processes') { should cmp proc }
end
end
http://fixme.example.net:9006: {}
DISPATCHER_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired dispatcher lines'
it { should be_file }
it { should be_owned_by 'root' }
# We're testing it in the API instance, so group will be nginx's
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
its('mode') { should cmp '0755' }
its('content') do
should include(
- # rubocop:disable Metrics/LineLength
+ # rubocop:disable Layout/LineLength
'File managed by Salt at <salt://arvados/dispatcher/service/files/default/crunch-run-sh.tmpl>.'
- # rubocop:enable Metrics/LineLength
+ # rubocop:enable Layout/LineLength
)
end
end
its('mode') { should cmp '0644' }
its('content') do
should include(
- # rubocop:disable Metrics/LineLength
+ # rubocop:disable Layout/LineLength
'File managed by Salt at <salt://arvados/dispatcher/service/files/default/crunch-dispatch-local-service.tmpl>.'
- # rubocop:enable Metrics/LineLength
+ # rubocop:enable Layout/LineLength
)
end
end
Replication: 2
VOLUMES_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired keepproxy lines'
it { should be_file }
it { should be_owned_by 'root' }
# We're testing it in the API instance, so group will be nginx's
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
it { should be_enabled }
it { should be_running }
end
- describe port(25_107) do
+ describe port(25_100) do
it { should be_listening }
- its('processes') { should include 'keepproxy' }
+ its('processes') { should cmp 'keepproxy' }
end
end
end
describe port(25_107) do
it { should be_listening }
- its('processes') { should include 'keepstore' }
+ its('processes') { should cmp 'keepstore' }
end
end
ExternalURL: https://download.fixme.example.net
KEEPWEB_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired keepweb lines'
it { should be_file }
it { should be_owned_by 'root' }
# We're testing it in the API instance, so group will be nginx's
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
end
describe port(9002) do
it { should be_listening }
- its('processes') { should include 'keep-web' }
+ its('processes') { should cmp 'keep-web' }
end
end
case os[:name]
when 'centos'
repo_file = '/etc/yum.repos.d/arvados.repo'
-
repo_url = 'baseurl=http://rpm.arvados.org/CentOS/$releasever/os/$basearch/'
-when 'debian'
+when 'debian', 'ubuntu'
repo_file = '/etc/apt/sources.list.d/arvados.list'
repo_url = 'deb http://apt.arvados.org buster main'
end
title 'should be configured'
desc 'Ensures arvados source is correctly configured'
describe file(repo_file) do
- its('content') { should match repo_url }
+ its('content') { should include repo_url }
end
end
# frozen_string_literal: true
-siab_stanza = <<~SIAB_STANZA
- SHELLINABOX_PORT=4200
- # SSL is disabled because it is terminated in Nginx. Adjust as needed.
- SHELLINABOX_ARGS="--disable-ssl --no-beep --service=/shell.fixme.example.net:AUTH:HOME:SHELL"
-SIAB_STANZA
-
-libpam_stanza = <<~LIBPAM_STANZA
- auth [success=1 default=ignore] /usr/lib/pam_arvados.so fixme.example.net shell.fixme.example.net
-LIBPAM_STANZA
-
control 'shellinabox configuration' do
title 'should match desired lines'
- describe file('/etc/default/shellinabox') do
+ case os[:name]
+ when 'centos'
+ file = '/etc/sysconfig/shellinaboxd'
+ tpl = 'RedHat'
+ siab_stanza = <<~SIAB_STANZA
+ PORT=4200
+ # SSL is disabled because it is terminated in Nginx. Adjust as needed.
+ OPTS="--disable-ssl --no-beep --service=/shell.fixme.example.net:SSH"
+ SIAB_STANZA
+ when 'debian', 'ubuntu'
+ file = '/etc/default/shellinabox'
+ tpl = 'default'
+ siab_stanza = <<~SIAB_STANZA
+ SHELLINABOX_PORT=4200
+ # SSL is disabled because it is terminated in Nginx. Adjust as needed.
+ SHELLINABOX_ARGS="--disable-ssl --no-beep --service=/shell.fixme.example.net:AUTH:HOME:SHELL"
+ SIAB_STANZA
+ end
+ describe file(file) do
it { should be_file }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
its('content') do
should include(
# rubocop:disable Layout/LineLength
- 'File managed by Salt at <salt://arvados/shell/config/files/default/shell-shellinabox.tmpl.jinja>.'
+ "File managed by Salt at <salt://arvados/shell/config/files/#{tpl}/shell-shellinabox.tmpl.jinja>."
# rubocop:enable Layout/LineLength
)
end
control 'libpam-arvados configuration' do
title 'should match desired lines'
+ libpam_stanza = <<~LIBPAM_STANZA
+ auth [success=1 default=ignore] /usr/lib/pam_arvados.so fixme.example.net shell.fixme.example.net
+ LIBPAM_STANZA
+
describe file('/etc/pam.d/arvados') do
it { should be_file }
it { should be_owned_by 'root' }
case os[:name]
when 'centos'
repo_file = '/etc/yum.repos.d/arvados.repo'
-
repo_url = 'baseurl=http://rpm.arvados.org/CentOS/$releasever/dev/$basearch/'
-when 'debian'
+when 'debian', 'ubuntu'
repo_file = '/etc/apt/sources.list.d/arvados.list'
repo_url = 'deb http://apt.arvados.org buster-dev main'
end
title 'should be configured'
desc 'Ensures arvados source is correctly configured'
describe file(repo_file) do
- its('content') { should match repo_url }
+ its('content') { should include repo_url }
end
end
impact 0.5
title 'should be running and enabled'
- describe service('shellinabox') do
+ serv = case os[:name]
+ when 'centos'
+ 'shellinaboxd'
+ when 'debian', 'ubuntu'
+ 'shellinabox'
+ end
+
+ describe service(serv) do
it { should be_enabled }
it { should be_running }
end
describe port(4200) do
it { should be_listening }
- its('processes') { should include 'shellinaboxd' }
+ its('processes') { should cmp 'shellinaboxd' }
end
end
http://127.0.0.2:8005: {}
WEBSOCKET_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired websocket lines'
it { should be_file }
it { should be_owned_by 'root' }
# We're testing it in the API instance, so group will be nginx's
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
describe port(8005) do
it { should be_listening }
- its('processes') { should include 'arvados-ws' }
+ its('processes') { should cmp 'arvados-ws' }
end
end
ExternalURL: https://workbench.fixme.example.net
WORKBENCH_SERVICE_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired workbench lines'
describe file('/etc/arvados/config.yml') do
it { should be_file }
it { should be_owned_by 'root' }
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
impact 0.5
title 'should be running and enabled'
- describe service('nginx') do
+ describe systemd_service('nginx') do
it { should be_enabled }
it { should be_running }
end
describe port(9000) do
+ proc = case os[:name]
+ when 'centos'
+ # Centos ps adds an extra colon and the end of the process
+ # probably a bug
+ 'nginx:'
+ when 'debian', 'ubuntu'
+ 'nginx'
+ end
+
it { should be_listening }
- its('processes') { should include 'nginx' }
+ its('processes') { should cmp proc }
end
end
ExternalURL: https://workbench2.fixme.example.net
WORKBENCH2_STANZA
+group = case os[:name]
+ when 'centos'
+ 'nginx'
+ when 'debian', 'ubuntu'
+ 'www-data'
+ end
+
control 'arvados configuration' do
title 'should match desired workbench2 lines'
describe file('/etc/arvados/config.yml') do
it { should be_file }
it { should be_owned_by 'root' }
- it { should be_grouped_into 'www-data' }
+ it { should be_grouped_into group }
its('mode') { should cmp '0640' }
its('content') do
should include(
user: arvados
encoding: en_US.utf8
client_encoding: UTF8
+ # Centos7 does not enable SSL by default, so we disable
+ # it here just for testing of the formula purposes only.
+ # You should not do this in production, and should
+ # configure Postgres certificates correctly
+ {%- if grains.os_family in ('RedHat',) %}
+ extra_conn_params:
+ sslmode: disable
+ {%- endif %}
tls:
# certificate: ''
---
+{%- if grains.os_family in ('RedHat',) %}
+ {%- set group = 'nginx' %}
+{%- else %}
+ {%- set group = 'www-data' %}
+{%- endif %}
+
### ARVADOS
arvados:
config:
- group: www-data
+ group: {{ group }}
### NGINX
nginx:
### SITES
servers:
managed:
- arvados_api:
+ arvados_api.conf:
enabled: true
overwrite: true
config:
servers:
managed:
### DEFAULT
- arvados_controller_default:
+ arvados_controller_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_controller_ssl:
+ arvados_controller_ssl.conf:
enabled: true
overwrite: true
config:
- proxy_set_header: 'X-Real-IP $remote_addr'
- proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
- proxy_set_header: 'X-External-Client $external_client'
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/fixme.example.net.access.log combined
- error_log: /var/log/nginx/fixme.example.net.error.log
- client_max_body_size: 128m
servers:
managed:
### DEFAULT
- arvados_keepproxy_default:
+ arvados_keepproxy_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_keepproxy_default:
+ arvados_keepproxy_ssl.conf:
enabled: true
overwrite: true
config:
- client_max_body_size: 64M
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined
- error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log
servers:
managed:
### DEFAULT
- arvados_collections_download_default:
+ arvados_collections_download_default.conf:
enabled: true
overwrite: true
config:
- return: '301 https://$host$request_uri'
### COLLECTIONS / DOWNLOAD
- arvados_collections_download_ssl:
+ arvados_collections_download_ssl.conf:
enabled: true
overwrite: true
config:
- client_max_body_size: 0
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/collections.fixme.example.net.access.log combined
- error_log: /var/log/nginx/collections.fixme.example.net.error.log
---
+{%- if grains.os_family in ('RedHat',) %}
+ {%- set passenger_pkg = 'nginx-mod-http-passenger' %}
+ {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so' %}
+{%- else %}
+ {%- set passenger_pkg = 'libnginx-mod-http-passenger' %}
+ {%- set passenger_mod = '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
+{%- endif %}
+
### NGINX
nginx:
install_from_phusionpassenger: true
lookup:
- passenger_package: libnginx-mod-http-passenger
- passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
-
+ passenger_package: {{ passenger_pkg }}
### SERVER
server:
config:
- include: 'modules-enabled/*.conf'
+ # This is required to get the passenger module loaded
+ # In Debian it can be done with this
+ # include: 'modules-enabled/*.conf'
+ load_module: {{ passenger_mod }}
+
worker_processes: 4
+ ### SNIPPETS
+ snippets:
+ # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
+ ssl_hardening_default.conf:
+ - ssl_session_timeout: 1d
+ - ssl_session_cache: 'shared:curiiSSL:10m'
+ - ssl_session_tickets: 'off'
+
+ # intermediate configuration
+ - ssl_protocols: TLSv1.2 TLSv1.3
+ - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ - ssl_prefer_server_ciphers: 'off'
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ - add_header: 'Strict-Transport-Security "max-age=63072000" always'
+
+ # OCSP stapling
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
+
+ # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ # - ssl_dhparam: /path/to/dhparam
+
+ # replace with the IP address of your resolver
+ # - resolver: 127.0.0.1
+
+ ssl_snakeoil.conf:
+ - ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ - ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key
+
### SITES
servers:
managed:
### SITES
servers:
managed:
- arvados_webshell_default:
+ arvados_webshell_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_webshell_ssl:
+ arvados_webshell_ssl.conf:
enabled: true
overwrite: true
config:
- add_header: "'Access-Control-Allow-Origin' '*'"
- add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
- add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
-
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
- error_log: /var/log/nginx/webshell.fixme.example.net.error.log
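Review bot: Including `snippets/ssl_hardening_default.conf` brings in HSTS through an `add_header` directive, but nginx inherits `add_header` from the enclosing level only when the current level defines none of its own, so the `Access-Control-*` `add_header` lines at L850-852 suppress `Strict-Transport-Security` wherever they live. The rendered page has lost the indentation, so whether those lines sit at server or `location` level cannot be told from here; if they are inside a location, repeat `- add_header: 'Strict-Transport-Security "max-age=63072000" always'` there. The same check applies to every other `*_ssl.conf` site that gains the include in this commit.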
servers:
managed:
### DEFAULT
- arvados_websocket_default:
+ arvados_websocket_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_websocket_ssl:
+ arvados_websocket_ssl.conf:
enabled: true
overwrite: true
config:
- client_max_body_size: 64M
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/ws.fixme.example.net.access.log combined
- error_log: /var/log/nginx/ws.fixme.example.net.error.log
---
+{%- if grains.os_family in ('RedHat',) %}
+ {%- set group = 'nginx' %}
+{%- else %}
+ {%- set group = 'www-data' %}
+{%- endif %}
+
### ARVADOS
arvados:
config:
- group: www-data
+ group: {{ group }}
### NGINX
nginx:
servers:
managed:
### DEFAULT
- arvados_workbench2_default:
+ arvados_workbench2_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_workbench2_ssl:
+ arvados_workbench2_ssl.conf:
enabled: true
overwrite: true
config:
- return: 503
- location /config.json:
- return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }}
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench2.fixme.example.net.error.log
---
+{%- if grains.os_family in ('RedHat',) %}
+ {%- set group = 'nginx' %}
+{%- else %}
+ {%- set group = 'www-data' %}
+{%- endif %}
+
### ARVADOS
arvados:
config:
- group: www-data
+ group: {{ group }}
### NGINX
nginx:
servers:
managed:
### DEFAULT
- arvados_workbench_default:
+ arvados_workbench_default.conf:
enabled: true
overwrite: true
config:
- location /:
- return: '301 https://$host$request_uri'
- arvados_workbench_ssl:
+ arvados_workbench_ssl.conf:
enabled: true
overwrite: true
config:
- proxy_set_header: 'Host $http_host'
- proxy_set_header: 'X-Real-IP $remote_addr'
- proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
+ - include: 'snippets/ssl_hardening_default.conf'
# - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/snakeoil.conf'
+ - include: 'snippets/ssl_snakeoil.conf'
- access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench.fixme.example.net.error.log
- arvados_workbench_upstream:
+ arvados_workbench_upstream.conf:
enabled: true
overwrite: true
config:
- postgresql-contrib
postgresconf: |-
listen_addresses = '*' # listen on all interfaces
+ #ssl = on
+ #ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ #ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
acls:
- ['local', 'all', 'postgres', 'peer']
- ['local', 'all', 'all', 'peer']
snake_oil_certs:
+{%- if grains.os_family in ('RedHat',) %}
+ pkg.installed:
+ - name: openssl
+ cmd.run:
+ - name: |
+ cat > /tmp/openssl.cnf <<-CNF
+ RANDFILE = /dev/urandom
+ [ req ]
+ default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ prompt = no
+ policy = policy_anything
+ req_extensions = v3_req
+ x509_extensions = v3_req
+ [ req_distinguished_name ]
+ commonName = {{ grains.fqdn }}
+ [ v3_req ]
+ basicConstraints = CA:FALSE
+ CNF
+ mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
+ openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
+ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
+ - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
+ - require:
+ - pkg: openssl
+{%- else %}
pkg.installed:
- name: ssl-cert
+{%- endif %}
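Review bot: The RedHat branch of `snake_oil_certs` creates `/etc/ssl/private/` with `mkdir -p` and writes the key under whatever umask the minion runs with, so unlike the Debian `ssl-cert` package neither the directory nor `ssl-cert-snakeoil.key` is guaranteed to be unreadable by other users (the key file's mode depends on which openssl version does the write). The config is also written to the fixed path `/tmp/openssl.cnf`, which any local user can pre-create or symlink before the first highstate. Set the modes explicitly and build the config in a `mktemp` file, as below; the `unless` only checks for the key, so a run that produced the key but failed before the cert would never be repaired — test for both files. cmd.run already records stdout/stderr in the state result, so the `/tmp/snake_oil_certs.output` redirect can go. The state may continue past the last line of the hunk.
```yaml
  cmd.run:
    - name: |
        umask 077
        cnf=$(mktemp)
        cat > "$cnf" <<-CNF
        # … unchanged: openssl request config …
        CNF
        install -d -m 0755 /etc/ssl/certs/
        install -d -m 0700 /etc/ssl/private/
        openssl req -config "$cnf" -new -x509 -days 3650 -nodes -sha256 \
          -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
          -keyout /etc/ssl/private/ssl-cert-snakeoil.key
        chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem
        rm -f "$cnf"
    - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key && test -f /etc/ssl/certs/ssl-cert-snakeoil.pem
    # … unchanged: require openssl …
```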