SSL_MODE="self-signed"
USE_LETSENCRYPT_ROUTE53="no"
-CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
## These are ARVADOS-related parameters
# For a stable release, change RELEASE "production" and VERSION to the
# Make sure that the value configured as IP_INT is a real IP on the system.
# If we don't error out early here when there is a mismatch, the formula will
# fail with hard to interpret nginx errors later on.
- ip addr list |grep -q "${IP_INT}/"
+ ip addr list |grep "${IP_INT}/" >/dev/null
if [[ $? -ne 0 ]]; then
echo "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..."
exit 1
yum install -y curl git jq
;;
"debian"|"ubuntu")
- DEBIAN_FRONTEND=noninteractive apt update
+ # Wait 2 minutes for any apt locks to clear
+ # This option is supported from apt 1.9.1 and ignored in older apt versions.
+ # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/
+ DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update
DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
;;
esac
fi
grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
else
- # Use custom certs, as both bring-your-own and self-signed are copied using this state
- # Copy certs to formula extra/files
- # In dev mode, the files will be created and put in the destination directory by the
- # snakeoil_certs.sls state file
mkdir -p /srv/salt/certs
- cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
- # We add the custom_certs state
- grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_MODE}" = "bring-your-own" ]; then
+ # Copy certs to formula extra/files
+ cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+ # We add the custom_certs state
+ grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ fi
+ # In self-signed mode, the certificate files will be created and put in the
+ # destination directory by the snakeoil_certs.sls state file
fi
echo " - postgres" >> ${S_DIR}/top.sls
echo " - arvados" >> ${S_DIR}/top.sls
echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
echo " - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls
+ echo " - extra.passenger_rvm" >> ${S_DIR}/top.sls
# Pillars
echo " - docker" >> ${P_DIR}/top.sls
fi
grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
- # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
- for c in controller websocket workbench workbench2 webshell download collections keepproxy; do
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${c}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy")
+ if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then
+ hosts+=("download" "collections")
+ else
+ hosts+=("keepweb")
+ fi
+
+ for c in "${hosts[@]}"; do
+ # Are we in a single-host-single-hostname env?
+ if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
+ # Are we in a single-host-single-hostname env?
+ CERT_NAME=${HOSTNAME_EXT}
+ else
+ # We are in a multiple-hostnames env
+ CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
+ fi
+
+ # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
${P_DIR}/nginx_${c}_configuration.sls
done
else
else
echo " - nginx.passenger" >> ${S_DIR}/top.sls
fi
+ echo " - extra.passenger_rvm" >> ${S_DIR}/top.sls
### If we don't install and run LE before arvados-api-server, it fails and breaks everything
### after it. So we add this here as we are, after all, sharing the host for api and controller
if [ "${SSL_MODE}" = "lets-encrypt" ]; then
projects / arvados.git / blobdiff