Commit 76cd9757 authored by Steve Weber's avatar Steve Weber

cleaning

parent dc8a5e65
ErrorLog ${APACHE_LOG_DIR}/error.log
ErrorLog "|/usr/bin/systemd-cat --identifier=apache_error --priority=warning"
CustomLog ${APACHE_LOG_DIR}/access.log combined
LogFormat "%h %l %u \"%r\" %>s %O" systemd
CustomLog "|/usr/bin/systemd-cat --identifier=apache_access" systemd
<VirtualHost _default_:80>
ServerName {{vars.server_name}}
Redirect permanent / https://{{vars.server_name}}/
</VirtualHost>
<VirtualHost _default_:443>
ServerName {{vars.server_name}}
DocumentRoot /var/www/html
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol -All +TLSv1.2
SSLCertificateFile {{vars.SSLCertificateFile}}
SSLCertificateKeyFile {{vars.SSLCertificateKeyFile}}
SSLCACertificateFile {{vars.SSLCACertificateFile}}
<Location />
{% if vars.get('require_vpn') %}
# Redirect none VPN users to vpncheck page.
RewriteEngine On
RewriteCond expr "!(-R '127.0.0.0/8' || -R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16')"
RewriteCond expr "!(-R '129.97.0.0/16')"
RewriteCond expr "!(-R '47.252.27.26/32')"
RewriteRule ^(.*) https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}%{REQUEST_URI} [R]
{% endif %}
{% if vars.get('proxy_pass') %}
ProxyPass {{vars.proxy_pass}}
{% endif -%}
</Location>
</VirtualHost>
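Review bot: The first `ErrorLog ${APACHE_LOG_DIR}/error.log` line is dead configuration: Apache honours only the last ErrorLog directive in a scope, so the `systemd-cat` pipe on the following line wins and the file log is never written; drop the first line or comment it out so the effective destination is obvious. The VPN gate's `-R` tests compare the TCP peer address, so if this vhost is ever placed behind a load balancer or reverse proxy the RewriteCond lines would see the proxy's address and the gate would apply to nobody or to everybody; a comment such as `# -R tests the peer address; needs mod_remoteip if fronted by a proxy` above them would record that assumption. The allowed networks `129.97.0.0/16` and `47.252.27.26/32` are hard-coded in the template while the rest of the file is driven by `vars`; a template variable (for example `vars.vpn_networks`, name constructed here) would let per-site exceptions be set in pillar instead of by editing the template.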
# ------ VARS ------
{% from 'uwl/apache/init.sls' import vars as _apache %}
{% load_yaml as vars %}
default:
_apache: {{_apache}}
require_vpn: True
SSLCertificateFile:
SSLCertificateKeyFile:
SSLCACertificateFile:
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_apache.sls}}
{{sls}}:
file.managed:
- name: {{_apache.config_d}}/site.conf
- source: salt://{{tpldir}}/apache_site.conf
- mode: '0655'
- context:
vars: {{vars|json}}
- template: jinja
- watch_in:
- service: {{_apache.sls}}
{{sls}} apache_module proxy_http:
apache_module.enabled:
- name: proxy_http
- watch_in:
- service: {{_apache.sls}}
{{sls}} apache_module headers:
apache_module.enabled:
- name: headers
- watch_in:
- service: {{_apache.sls}}
{{sls}} apache_module rewrite:
apache_module.enabled:
- name: rewrite
- watch_in:
- service: {{_apache.sls}}
{{sls}} apache_module ssl:
apache_module.enabled:
- name: ssl
- watch_in:
- service: {{_apache.sls}}
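Review bot: `- mode: '0655'` on the site.conf `file.managed` state looks like a typo for `'0644'`: it grants execute to group and other on a configuration file while leaving it off for the owner, and it matches none of the `'0640'`/`'0644'` modes used for the other managed files in this commit. The three bare keys `SSLCertificateFile:`, `SSLCertificateKeyFile:` and `SSLCACertificateFile:` in the defaults load as null, so a site that does not set them in pillar renders `SSLCertificateFile None` into the vhost and Apache fails on reload rather than at state-apply time; unless `solve_vars` already rejects null values (not visible here), a comment such as `# required: set in pillar; a null value renders as the string None` beside them would save a debugging round.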
......@@ -127,7 +127,6 @@ include:
{{sls}} service environment:
file.managed:
- name: /etc/default/{{vars.service_name}}
#- name: {{vars.dir_src}}/.env
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0640'
from django.urls import path, include
urlpatterns = [
path('oauth2/', include('django_auth_adfs.urls')),
]
\ No newline at end of file
def verify_user(user, request):
if user.groups.filter(name__in=["IdM-HR-staff", "IdM-HR-faculty"]).count() < 1:
return "Only UW Staff and Faculty are able to access MarkBox.uwaterloo.ca"
return True
\ No newline at end of file
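Review bot: The membership test in `verify_user` issues a COUNT query where an EXISTS suffices and hides the allowed group names inline; `if not user.groups.filter(name__in=ALLOWED_GROUPS).exists():` with `ALLOWED_GROUPS` as a module-level constant reads better and is cheaper. The group names and the denial message are hard-coded in a Jinja-rendered template while the sibling settings.py takes everything from `vars`, so sourcing them from `vars` would keep all per-site authorization data in pillar. A short docstring stating the contract — return `True` to admit the user, or a string that becomes the user-facing denial message — would help, since a string-or-bool return is easy to misuse by callers that test truthiness.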
#!/usr/bin/env bash
set -exu
# runas root!
# test "x$USER" = "xroot" || exit 400
# if missing venv: create venv dir
test -e '{{vars.dir_venv}}' || (mkdir '{{vars.dir_venv}}' ; chown -R '{{vars.user}}' '{{vars.dir_venv}}')
{% if vars.get('requirements_sh') %}
bash ./{{vars.requirements_sh}} {{vars.user}}
{% endif %}
sudo -Hu {{vars.user}} bash << "EOF_user_tasks"
set -exu
test -e '{{vars.dir_venv}}/bin/activate' || {{vars.python_bin}} -m venv '{{vars.dir_venv}}'
source '{{vars.dir_venv}}/bin/activate'
python3 -m pip install --timeout=5 --upgrade pip
python3 -m pip install --timeout=5 --upgrade -r ./{{vars.requirements_pip}}
python3 ./manage.py collectstatic --noinput
python3 ./manage.py migrate
python3 -m pip install --timeout=5 --upgrade safety
LC_ALL=C.UTF-8 LANG=C.UTF-8 safety check -r ./{{vars.requirements_pip}}
EOF_user_tasks
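Review bot: `bash ./{{vars.requirements_sh}} {{vars.user}}` executes a script taken from the git checkout as root, while everything else from the checkout is deliberately run as `{{vars.user}}` inside the `sudo -Hu` heredoc; the script's contents are controlled by whoever can push to the deployed branch or write to `dir_src`, so this is a root privilege boundary that deserves a comment stating why root is required (e.g. `# runs as root: installs system packages the app user cannot`), or a move under the user heredoc if it is not. The venv bootstrap `(mkdir '{{vars.dir_venv}}' ; chown -R ...)` joins the two commands with `;`, so within the `||` branch the chown runs even when mkdir failed; `&&` gives the intended behaviour. `--timeout=5` on the pip installs is short for a cold cache and may fail deploys on a slow mirror; if that is intentional a comment would help.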
from .settings_base import * # pylint: disable=unused-wildcard-import
from collections import OrderedDict
TIME_ZONE = 'America/Toronto'
DEBUG = {{vars.debug|python}}
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
ALLOWED_HOSTS = {{vars.allowed_hosts|python}}
SECRET_KEY = '{{vars.secret_key}}'
STATIC_ROOT = '{{vars.dir_vol}}/static'
MEDIA_ROOT = '{{vars.dir_vol}}/media'
STATIC_URL = '/static/'
MEDIA_URL = '/media/'
{% if vars.get('databases') %}
DATABASES = {{vars.databases|python}}
{% endif %}
MARKSET_DIR = '{{vars.dir_vol}}/markset'
CELERY_BROKER_URL = 'redis://'
LOGIN_URL = 'django_auth_adfs:login'
LOGOUT_URL = 'django_auth_adfs:logout'
PUBLIC_PATHS = [
r'^/oauth.*'
]
INSTALLED_APPS.append('django_auth_adfs')
AUTHENTICATION_BACKENDS = {
'django_auth_adfs.backend.AdfsAuthCodeBackend',
}
AUTH_ADFS = {
'SERVER': '{{vars.adfs_server}}',
'CLIENT_ID': '{{vars.adfs_client_id}}',
'RELYING_PARTY_ID': '{{vars.adfs_client_id}}',
'AUDIENCE': 'microsoft:identityserver:{{vars.adfs_client_id}}',
'CLAIM_MAPPING': {
'first_name': 'given_name',
'last_name': 'family_name',
},
'USERNAME_CLAIM': 'winaccountname',
'GROUP_CLAIM': 'group',
'MIRROR_GROUPS': True
}
VERIFY_SITE_ACCESS = 'markbox.custom_verification.verify_user'
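Review bot: `SECRET_KEY = '{{vars.secret_key}}'` interpolates the secret into a single-quoted Python literal with no escaping, so a key containing `'` or `\` either breaks settings.py or silently changes the value; the file already uses the `|python` filter for `DEBUG`, `ALLOWED_HOSTS` and `DATABASES`, so `SECRET_KEY = {{vars.secret_key|python}}` is the consistent fix, and the same applies to `STATIC_ROOT`, `MEDIA_ROOT`, `MARKSET_DIR` and the `adfs_*` values in `AUTH_ADFS`. `AUTHENTICATION_BACKENDS = { ... }` is a set literal; Django iterates backends in order, so a list `[...]` documents intent and keeps the order deterministic if a second backend is ever added. `PUBLIC_PATHS` is not a Django setting — presumably it is consumed by a project middleware that exempts the OAuth callback from the login requirement; a comment naming that consumer would help readers.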
[Unit]
Description={{vars.service_name}}
[Service]
Type=simple
SyslogIdentifier={{vars.service_name}}-uwsgi
ExecStart={{vars.uwsgi_bin}} --emperor '{{vars.dir_uwsgi}}' --uid={{vars.user}} --gid={{vars.group}}
ExecStartPost=/bin/sleep 2
Restart=on-failure
RestartSec=15s
[Install]
WantedBy=multi-user.target
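Review bot: `ExecStartPost=/bin/sleep 2` is an uncommented timing hack: with `Type=simple` the unit counts as started as soon as uwsgi is forked, so the sleep only delays dependents by a fixed two seconds and does not establish that the emperor is serving. A comment such as `# give the emperor time to spawn vassals before dependents start` would at least record the intent; uwsgi can report readiness to systemd (`Type=notify`) if the build supports it, which would remove the guess — worth confirming. The `[Unit]` section has no `After=network.target`, so on boot the service may be started before networking is up.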
[uwsgi]
plugin = python3
virtualenv = {{vars.dir_venv}}
uid = {{vars.user}}
gid = {{vars.group}}
chdir = {{vars.dir_src}}
module = {{vars.uwsgi_module}}
master = true
processes = 5
socket = :{{vars.uwsgi_port}}
vacuum = true
die-on-term = true
buffer-size = 32768
# todo do we need this>
#env LANG=en_US.utf8
#env LC_ALL=en_US.UTF-8
#env LC_LANG=en_US.UTF-8
#env = PYTHONIOENCODING=UTF-8
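Review bot: `socket = :{{vars.uwsgi_port}}` binds the uwsgi protocol socket on every interface; the uwsgi protocol carries no authentication, so unless a host firewall blocks the port it is reachable from the network even though the Apache vhost in this commit presumably proxies to it from the same host. `socket = 127.0.0.1:{{vars.uwsgi_port}}` (or a unix socket Apache can reach) limits the exposure; if a remote proxy is intended, a comment saying so would make that explicit. The four commented-out `env` lines under `# todo do we need this>` are dead configuration — either set them or remove them — and note that post_update.sh in this commit sets `LC_ALL=C.UTF-8` only for the safety check, not for the running application.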
# ------ VARS ------
{% from 'uwl/systemd/init.sls' import vars as _systemd %}
{% load_yaml as vars %}
default:
#service_name: webapp
#dir_src: /srv/webapp/src
#dir_vol: /srv/webapp/vol
#dir_venv: /srv/webapp/env
#dir_uwsgi: /srv/webapp/wsgi
# uwsgi_module: core.wsgi
uwsgi_port: 8000
enable_emailer_cron: False
python_bin: /opt/local/python/3.8.2/bin/python
uwsgi_bin: /usr/bin/uwsgi
requirements_pip: requirements-uw.txt
requirements_sh: requirements-uw.sh
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_systemd.sls}}
{{sls}}:
pkg.installed:
- pkgs:
- git
file.directory:
- name: {{vars.dir_src}}
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0775'
- makedirs: True
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
- watch_in:
- service: {{sls}} service
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
{% if vars.get('repo_https_user') %}
- https_user: {{vars.repo_https_user|json}}
- https_pass: {{vars.repo_https_pass|json}}
{% endif %}
- watch_in:
- service: {{sls}} service
{{sls}} static_root:
file.directory:
- name: {{vars.dir_vol}}/static
- makedirs: True
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
- recurse:
- user
- group
- mode
{{sls}} media_root:
file.directory:
- name: {{vars.dir_vol}}/media
- makedirs: True
- user: {{vars.user}}
- group: {{vars.group}}
- dir_mode: '0755'
- recurse:
- user
- group
- mode
{{sls}} settings:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/settings.py
- source: salt://{{tpldir}}/_data/settings.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- service: {{sls}} service
{{sls}} urls:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/custom_urls.py
- source: salt://{{tpldir}}/_data/custom_urls.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- service: {{sls}} service
{{sls}} verification:
file.managed:
- name: {{vars.dir_src}}/{{vars.app_module}}/custom_verification.py
- source: salt://{{tpldir}}/_data/custom_verification.py
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- watch_in:
- service: {{sls}} service
{{sls}} post_update:
cmd.script:
- name: post_update.sh
- source: salt://{{tpldir}}/_data/post_update.sh
- template: jinja
- user: root
- context:
vars: {{vars|json}}
- mode: '0700'
- cwd: {{vars.dir_src}}
- require_in:
- service: {{sls}} service
- require:
- git: {{sls}}
- file: {{sls}} static_root
- file: {{sls}} media_root
- file: {{sls}} settings
{{sls}} uwsgi config:
file.managed:
- name: {{vars.dir_uwsgi}}/wsgi.ini
- source: salt://{{tpldir}}/_data/wsgi.ini
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0640'
- user: {{vars.user}}
- group: {{vars.group}}
- makedirs: True
- watch_in:
- service: {{sls}} service
{{sls}} service:
file.managed:
- name: {{_systemd.unit_path}}/{{vars.service_name}}.service
- source: salt://{{tpldir}}/_data/systemd
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0644'
- watch_in:
- service: {{sls}} service
- cmd: {{_systemd.sls}} reload units
service.running:
- name: {{vars.service_name}}
- enable: True
{% if vars.enable_crons %}
{{sls}} cron webapp_send_reports:
cron.present:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py send_reports
- identifier: webapp_send_reports
- user: {{vars.user}}
- minute: '15'
- hour: '7'
{{sls}} cron webapp_purge:
cron.present:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py purge
- identifier: webapp_purge
- user: {{vars.user}}
- minute: '15'
- hour: '5'
- dayweek: '1'
{% else %}
{{sls}} cron webapp_send_reports:
cron.absent:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py send_reports
{{sls}} cron webapp_purge:
cron.absent:
- name: systemd-cat -t webapp_emailer {{vars.dir_venv}}/bin/python {{vars.dir_src}}/manage.py purge
{% endif %}
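Review bot: The `{{sls}}` state declares `git.latest:` twice (the block right after `- makedirs: True` and a second one directly below it); a duplicate key is either rejected by Salt's YAML loader or silently collapses to the last value, and the first copy is a strict subset of the second, so the first block should be deleted. `{% if vars.enable_crons %}` tests a key the defaults never define — the default block declares `enable_emailer_cron: False` — so unless pillar happens to set `enable_crons` the condition is always false and both crons are always absent; pick one name and define it in the defaults. `- https_pass: {{vars.repo_https_pass|json}}` writes a repository credential into the rendered state, where it can surface in state output and logs; a read-only deploy token scoped to this repository is the usual mitigation, and a comment to that effect would help.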
Example Pillar:
certbot:
domain: outline.uwaterloo.ca
admin_email: s8weber@uwaterloo.ca
# pre_hook: (defaults to stop nginx)
pre_hook: systemctl stop apache2
# post_hook: (defaults to start nginx)
post_hook: systemctl start apache2
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"a
aliases:
- outline-p02.uwaterloo.ca
# nginx is the default service that has hooks.
certbot:
domain: outline.uwaterloo.ca
admin_email: s8weber@uwaterloo.ca
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"a
aliases:
- outline-p02.uwaterloo.ca
Cert files are created at:
ssl_certificate_key: /etc/letsencrypt/live/{{domain}}/privkey.pem
ssl_certificate_pem: /etc/letsencrypt/live/{{domain}}/fullchain.pem
Deleting old cert
# simple
certbot delete -d "$DOMAIN"
# more advanced
cp -r /etc/letsencrypt/ /etc/letsencrypt.backup
rm -rf /etc/letsencrypt/live/DOMAIN
rm -rf /etc/letsencrypt/renewal/DOMAIN.conf
rm -rf /etc/letsencrypt/archive/DOMAIN
What is run under the hood when getting a cert:
# simple
certbot certonly -d "$DOMAIN"
# more advanced settings can be set
certbot certonly \
--max-log-backups=0 --noninteractive --agree-tos \
--preferred-challenges=http-01 \
--email="$ADMIN_EMAIL" -d "$DOMAIN"
example: `/etc/letsencrypt/cli.ini`
max-log-backups = 0
deploy-hook = {{vars.deploy_hook}}
email = {{vars.admin_email}}
preferred-challenges = http-01
http-01-port = 80
renew-by-default = True
standalone
agree-tos = True
test-cert
# ------ VARS ------
{% from 'uwl/certbot/init.sls' import vars as _certbot %}
{% load_yaml as vars %}
default:
pre_hook: systemctl stop nginx
post_hook: systemctl start nginx
deploy_hook: systemctl reload nginx
#domain: xxxxxxx.uwaterloo.ca
#admin_email: xxxxxxx@uwaterloo.ca
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"
aliases: []
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_certbot.sls}}
{{sls}} config:
file.managed:
- name: {{_certbot.config_file}}
- contents: |
max-log-backups = 0
# deploy-hook = {vars.deploy_hook}
pre-hook = {{vars.pre_hook}}
post-hook = {{vars.post_hook}}
agree-tos = True
- require:
- pkg: {{_certbot.sls}}
{{sls}} - {{vars.domain}}:
acme.cert:
- name: {{vars.domain}}
- email: {{vars.admin_email}}
# WARN: changes to aliases require old cert be deleted "certbot delete -d $DOMAIN"
- aliases: {{vars.aliases}}
# WARN: changes to test_cert require old cert be deleted "certbot delete -d $DOMAIN"
- test_cert: False
- require:
- pkg: {{_certbot.sls}}
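Review bot: `- aliases: {{vars.aliases}}` renders the Python list repr into YAML while every other substitution in these states uses `|json`; `- aliases: {{vars.aliases|json}}` is the consistent and always-parseable form. The `deploy_hook` default in the vars block is never used — the only reference is the commented-out `# deploy-hook = {vars.deploy_hook}` inside the cli.ini contents, which also has single braces — so either wire it in as `deploy-hook = {{vars.deploy_hook}}` or remove the default. `- test_cert: False` is hard-coded directly under a WARN about changing it; a `test_cert: False` entry in the vars block would let staging hosts use the test endpoint from pillar without editing the state.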
# ------ VARS ------
{% from 'uwl/systemd/init.sls' import vars as _systemd %}
{% load_yaml as vars %}
default:
user: root
group: root
#repo: 'https://git.uwaterloo.ca/example/woot.git'
#repo_branch: p01
#https_user:
#https_pass:
dir_src: /srv/docker-compose-app
service_name: docker-compose-app
#service_exec: /usr/bin/docker-compose --file=docker-compose.yml --file=docker-compose-certbot.yml up --build
service_exec: docker-compose up --build
cron_salt_state_apply: False
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
include:
- {{_systemd.sls}}
{{sls}} pkg:
pkg.installed:
- pkgs:
- git
- docker-compose
git.latest:
- name: {{vars.repo}}
- target: {{vars.dir_src}}
- user: {{vars.user}}
- rev: {{vars.repo_branch}}
- branch: {{vars.repo_branch}}
{% if vars.get('repo_https_user') %}
- https_user: {{vars.repo_https_user|json}}
- https_pass: {{vars.repo_https_pass|json}}
{% endif %}
- watch_in:
- service: {{sls}} service
{% if vars.get('env') %}
{{sls}} config env:
file.managed:
- name: {{vars.dir_src}}/.env
- user: {{vars.user}}
- group: {{vars.group}}
- mode: '0640'
- contents: {{vars.env|json}}
- require_in:
- service: {{sls}} service
- watch_in:
- service: {{sls}} service
{% endif %}
{% if vars.get('service_environment') %}
{{sls}} service environment:
file.managed: