{% set part_list = [] -%} {% set ssl_parameter_dict = slapparameter_dict.get('ssl', {}) %} {% set caucase_url = slapparameter_dict.get('caucase-url', '') -%} {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%} {% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%} {# XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6 per partition. No more (undefined result), no less (IndexError). -#} # TODO: insert varnish between apache & haproxy. # And think of a way to specify which urls goe through varnish, which go # directly to haproxy. (maybe just passing literal configuration file chunk) {% set ipv4 = (ipv4_set | list)[0] -%} {% set apache_ip_list = [ipv4] -%} {% if ipv6_set -%} {% set ipv6 = (ipv6_set | list)[0] -%} {% do apache_ip_list.append('[' ~ ipv6 ~ ']') -%} {% endif -%} [jinja2-template-base] recipe = slapos.recipe.template:jinja2 mode = 644 [simplefile] < = jinja2-template-base template = inline:{{ '{{ content }}' }} {% macro simplefile(section_name, file_path, content, mode='') -%} {% set content_section_name = section_name ~ '-content' -%} [{{ content_section_name }}] content = {{ dumps(content) }} [{{ section(section_name) }}] < = simplefile rendered = {{ file_path }} context = key content {{content_section_name}}:content mode = {{ mode }} {%- endmacro %} [certificate-request-base] recipe = slapos.cookbook:wrapper wrapper-path = ${directory:bin}/request-instance-certificate parameters-extra = true command-line = {{ parameter_dict['bin-directory'] }}/caucase-cliweb --crt-file ${apache-conf-ssl:cert} --key-file ${apache-conf-ssl:key} --crl-file ${apache-conf-ssl:crl} --ca-url {{ caucase_url }} --ca-crt-file ${apache-conf-ssl:ca-cert} {% macro request_cert(name, common_name) -%} {% set get_crl_periodicity = slapparameter_dict.get('crl-update-periodicity', 'daily') -%} [{{ section(name ~ '-certificate-request') }}] recipe = slapos.cookbook:wrapper wrapper-path = ${directory:services}/request-{{ name }}-certificate command-line = ${certificate-request-base:wrapper-path} --cn {{ common_name }} --request [{{ section(name ~ '-renew-cron-entry') }}] recipe = slapos.cookbook:cron.d cron-entries = ${cron:cron-entries} name = {{ name }}-certificate-auto-renew time = weekly # 2592000 = 30*24*60*60 equivalent to one month in seconds command = ${certificate-request-base:wrapper-path} --renew --threshold 2592000 --on-renew="${apache-graceful:output}" [{{ section(name ~ '-download-crl') }}] # download the crl for the first time recipe = plone.recipe.command command = if [ ! -s "${apache-conf-ssl:crl}" ]; then ${certificate-request-base:wrapper-path} --update-crl fi update-command = ${:command} stop-on-error = true [{{ section(name ~ '-update-crl-cron-entry') }}] recipe = slapos.cookbook:cron.d cron-entries = ${cron:cron-entries} name = {{ name }}-update-crl time = {{ get_crl_periodicity }} # XXX - Update crl call apache graceful restart, it's not recommended to check crl too often, Apache # has an issue with reload and can be frozen and stop responding. Default periodicity time = daily command = ${certificate-request-base:wrapper-path} --update-crl --on-crl-update="${apache-graceful:output}" {%- endmacro %} {% if use_ipv6 -%} [zope-tunnel-base] recipe = slapos.cookbook:ipv4toipv6 runner-path = ${directory:services}/${:base-name} 6tunnel-path = {{ parameter_dict['6tunnel'] }}/bin/6tunnel shell-path = {{ parameter_dict['dash'] }}/bin/dash ipv4 = {{ ipv4 }} {% endif -%} {% set haproxy_dict = {} -%} {% set apache_dict = {} -%} {% set next_port = itertools.count(slapparameter_dict['tcpv4-port']).next -%} {% for family_name, parameter_id_list in sorted( slapparameter_dict['zope-family-dict'].iteritems()) -%} {% set zope_family_address_list = [] -%} {% set has_webdav = [] -%} {% for parameter_id in parameter_id_list -%} {% set zope_address_list = slapparameter_dict[parameter_id] -%} {% for zope_address, maxconn, webdav in zope_address_list -%} {% if webdav -%} {% do has_webdav.append(None) %} {% endif -%} {% if use_ipv6 -%} {% set current_port = next_port() -%} [{{ section('zope-tunnel-' ~ current_port) }}] < = zope-tunnel-base base-name = {{ 'zeo-tunnel-' ~ current_port }} ipv4-port = {{ current_port }} ipv6-port = {{ zope_address.split(']:')[1] }} ipv6 = {{ zope_address.split(']:')[0][1:] }} {% set zope_effective_address = ipv4 ~ ":" ~ current_port -%} {% else -%} {% set zope_effective_address = zope_address -%} {% endif -%} {% do zope_family_address_list.append((zope_effective_address, maxconn, webdav)) -%} {% endfor -%} {% endfor -%} {# Make rendering fail artificially if any family has no known backend. # This is useful as haproxy's hot-reconfiguration mechanism is # supervisord-incompatible. # As jinja2 postpones KeyError until place-holder value is actually used, # do a no-op getitem. -#} {% do zope_family_address_list[0][0] -%} {% set haproxy_port = next_port() -%} {% set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%} {% do haproxy_dict.__setitem__(family_name, (haproxy_port, zope_family_address_list)) -%} {% if has_webdav -%} {% set internal_scheme = 'http' -%}{# mod_rewrite does not recognise webdav scheme -#} {% set external_scheme = 'webdavs' -%} {% else %} {% set internal_scheme = 'http' -%} {% set external_scheme = 'https' -%} {% endif -%} {% set ssl_authentication = slapparameter_dict['ssl-authentication-dict'].get(family_name, False) -%} {% do apache_dict.__setitem__(family_name, (next_port(), external_scheme, internal_scheme ~ '://' ~ ipv4 ~ ':' ~ haproxy_port ~ backend_path, ssl_authentication)) -%} {% endfor -%} [haproxy-cfg-parameter-dict] socket-path = ${directory:run}/haproxy.sock server-check-path = {{ dumps(slapparameter_dict['haproxy-server-check-path']) }} backend-dict = {{ dumps(haproxy_dict) }} ip = {{ ipv4 }} [haproxy-cfg] < = jinja2-template-base template = {{ parameter_dict['template-haproxy-cfg'] }} rendered = ${directory:etc}/haproxy.cfg context = section parameter_dict haproxy-cfg-parameter-dict extensions = jinja2.ext.do [{{ section('haproxy') }}] recipe = slapos.cookbook:wrapper wrapper-path = ${directory:services}/haproxy command-line = "{{ parameter_dict['haproxy'] }}/sbin/haproxy" -f "${haproxy-cfg:rendered}" {# TODO: build socat and wrap it as "${directory:bin}/haproxy-ctl" to connect to "${haproxy-cfg-parameter-dict:socket-path}" #} [apache-conf-ssl] cert = ${directory:apache-conf}/apache.crt key = ${directory:apache-conf}/apache.pem ca-cert = ${directory:apache-conf}/ca.crt crl = ${directory:apache-conf}/crl.pem [apache-conf-parameter-dict] backend-list = {{ dumps(apache_dict.values()) }} ip-list = {{ dumps(apache_ip_list) }} pid-file = ${directory:run}/apache.pid log-dir = ${directory:log} error-log = ${directory:log}/apache-error.log access-log = ${directory:log}/apache-access.log # Apache 2.4's default value (60 seconds) can be a bit too short timeout = 300 # Basic SSL server configuration cert = ${apache-ssl:cert} key = ${apache-ssl:key} cipher = ssl-session-cache = ${directory:log}/apache-ssl-session-cache # Client x509 auth ca-cert = ${apache-ssl-client:cert} crl = ${apache-ssl-client:crl} [apache-conf] < = jinja2-template-base template = {{ parameter_dict['template-apache-conf'] }} rendered = ${directory:apache-conf}/apache.conf context = section parameter_dict apache-conf-parameter-dict [{{ section('apache') }}] recipe = slapos.cookbook:wrapper wrapper-path = ${directory:services}/apache command-line = "{{ parameter_dict['apache'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND wait-for-files = ${apache-conf-ssl:cert} ${apache-conf-ssl:key} [apache-graceful] recipe = collective.recipe.template input = inline: #!/bin/sh kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')" output = ${directory:bin}/apache-httpd-graceful mode = 700 [{{ section('apache-promise') }}] # Check any apache port in ipv4, expect other ports and ipv6 to behave consistently recipe = slapos.cookbook:check_port_listening path = ${directory:promise}/apache hostname = {{ ipv4 }} port = {{ apache_dict.values()[0][0] }} [publish] recipe = slapos.cookbook:publish.serialised {% for family_name, (apache_port, scheme, _, _) in apache_dict.items() -%} {{ family_name ~ '-v6' }} = {% if ipv6_set %}{{ scheme ~ '://[' ~ ipv6 ~ ']:' ~ apache_port }}{% endif %} {{ family_name }} = {{ scheme ~ '://' ~ ipv4 ~ ':' ~ apache_port }} {% endfor -%} monitor-base-url = ${monitor-publish-parameters:monitor-base-url} [apache-ssl] {% if ssl_parameter_dict.get('key') -%} key = ${apache-ssl-key:rendered} cert = ${apache-ssl-cert:rendered} {{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }} {{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }} {% elif caucase_url -%} key = ${apache-conf-ssl:key} cert = ${apache-conf-ssl:cert} {{ request_cert('erp5', 'instance.apache@erp5') }} {% else %} recipe = plone.recipe.command command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" key = ${apache-conf-ssl:key} cert = ${apache-conf-ssl:cert} {%- endif %} [apache-ssl-client] {% if ssl_parameter_dict.get('ca-cert') -%} cert = ${apache-ssl-ca:rendered} crl = ${apache-ssl-crl:rendered} {{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }} {{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }} {% elif caucase_url -%} cert = ${apache-conf-ssl:ca-cert} crl = ${apache-conf-ssl:crl} {% else %} cert = crl = {%- endif %} [logrotate-apache] < = logrotate-entry-base name = apache log = ${apache-conf-parameter-dict:error-log} ${apache-conf-parameter-dict:access-log} post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bin-directory'] }}/slapos-kill --pidfile ${apache-conf-parameter-dict:pid-file} -s USR1 [directory] recipe = slapos.cookbook:mkdirectory apache-conf = ${:etc}/apache bin = ${buildout:directory}/bin etc = ${buildout:directory}/etc promise = ${directory:etc}/promise services = ${:etc}/run var = ${buildout:directory}/var run = ${:var}/run log = ${:var}/log ca-dir = ${buildout:directory}/srv/ssl requests = ${:ca-dir}/requests private = ${:ca-dir}/private certs = ${:ca-dir}/certs newcerts = ${:ca-dir}/newcerts crl = ${:ca-dir}/crl apachedex = ${monitor-directory:private}/apachedex [monitor-generate-apachedex-report] recipe = slapos.cookbook:wrapper wrapper-path = ${monitor-directory:reports}/${:command} command-line = "{{ parameter_dict['run-apachedex-location'] }}" "{{ parameter_dict['apachedex-location'] }}" "${directory:apachedex}" --default "${apachedex-parameters:default}" --apache-log-list "${apachedex-parameters:apache-log-list}" --base-list "${apachedex-parameters:base-list}" --skip-base-list "${apachedex-parameters:skip-base-list}" --erp5-base-list "${apachedex-parameters:erp5-base-list}" command = apachedex_every_3_hour [apachedex-parameters] default_parameter = # XXX - Sample log file with curent date: apache_access.log-%(date)s.gz # which will be equivalent to apache_access.log-20150112.gz if the date is 2015-01-12 apache-log-list = ${apache-conf-parameter-dict:access-log} default = ${monitor-directory:etc}/apdex_default base-list = ${monitor-directory:etc}/apdex_base_list skip-base-list = ${monitor-directory:etc}/apdex_skip_base_list erp5-base-list = ${monitor-directory:etc}/apdex_erp5_base_list [monitor-instance-parameter] monitor-httpd-ipv6 = {{ (ipv6_set | list)[0] }} monitor-httpd-port = {{ next_port() }} monitor-title = {{ slapparameter_dict['name'] }} password = {{ slapparameter_dict['monitor-passwd'] }} instance-configuration = file apachedex-default ${apachedex-parameters:default} file apachedex-base-list ${apachedex-parameters:base-list} file apachedex-skip-base-list ${apachedex-parameters:skip-base-list} file apachedex-erp5-base-list ${apachedex-parameters:erp5-base-list} [buildout] extends = {{ logrotate_cfg }} {{ parameter_dict['template-monitor'] }} parts += publish logrotate-apache monitor-generate-apachedex-report {{ part_list | join('\n ') }}