WIP: add sozu software release

software/sozu/buildout.hash.cfg

+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+[instance.cfg]
+filename = instance.cfg.in
+md5sum = 5b6d18ff660516bf583cf4fe2c2b8059
+
+[template-sozu]
+filename = instance-sozu.cfg.jinja2.in
+md5sum = 54c9b0eee8b29d2a8084291ca4e9b643
+
+[config.toml]
+filename = config.toml.in
+md5sum = f5551578f81b01eadc68fe3da2191013
+
+[publish-sozu-slave-parameters.cfg]
+filename = publish-sozu-slave-parameters.cfg.in
+md5sum = 92f4dc0e8c08d9a66a2833ed035a07f6

software/sozu/config.toml.in

+# sozu proxy test config file
+
+# top level options
+
+# path to a file sozu can use to load an initial configuration state for its
+# routing. You can generate this file from sozu's current routing by running
+# the command `sozu state save -f state.json`
+# this must be RELATIVE to config.toml
+# saved_state = "./state.json"
+
+# save the configuration to the saved_state file every time we receive a
+# configuration message on the configuration socket
+# defaults to false, and will not work if the 'saved_state' option is not set
+# automatic_state_save = false
+
+# logging verbosity. Possible values are "error", "warn", "info", "debug" and
+# "trace". For performance reasons, the logs at "debug" or "trace" level are
+# not compiled by default. To activate them, pass the "logs-debug" and
+# "logs-trace" compilation options to cargo
+log_level = "{{ parameter_dict.get('log-level', 'info') }}"
+
+# where the logs will be sent. It defaults to sending the logs on standard output,
+# but they could be written to a UDP address:
+# log_target     = "udp://127.0.0.1:9876"
+# to a TCP address:
+# log_target     = "tcp://127.0.0.1:9876"
+# to a unix socket
+# log_target = "unix:///var/sozu/logs
+# to a file
+# log_target = "file:///var/log/sozu.log"
+# to_stdout
+log_target = "file://{{ parameter_dict['log-file'] }}"
+
+# optional different target for access logs (IP addresses, domains, URI, HTTP status, etc)
+# It supports the same options as log_target
+log_access_target = "file://{{ parameter_dict['access-log-file'] }}"
+
+# path to the unix socket file used to send commands to sozu
+# default value points to "sozu.sock" file in the current directory
+command_socket = "{{ parameter_dict['socket-file'] }}"
+
+# size in bytes of the buffer used by the command socket protocol. If the message
+# sent to sozu is too large, or the data that sozu must return is too large, the
+# buffer will grow up to max_command_buffer_size. If the buffer is still not large
+# enough sozu will close the connection
+# defaults to 1000000
+command_buffer_size = 16384
+# defaults to command_buffer_size * 2
+max_command_buffer_size = {{ parameter_dict["max-buffer-size"] }}
+
+# the number of worker processes that will handle traffic
+# defaults to 2 workers
+worker_count = {{ parameter_dict["worker-count"] }}
+
+# indicates if workers should be automatically restarted if they crash / hang
+# should be true for production and false for development
+# defaults to true
+worker_automatic_restart = true
+
+# indicates if worker process will be pinned on a core. If you activate this, be sure
+# that you do not have more workers than CPU cores (and leave at least one core for
+# the kernel and the main process)
+handle_process_affinity = false
+
+# maximum number of connections to a worker. If it reached that number and
+# there are new connections available, the worker will accept and close them
+# immediately to indicate it is too busy to handle traffic
+# defaults to 10000 maximum connections
+max_connections = {{ parameter_dict["max-connections"] }}
+
+# maximum number of buffers in the pool used by the protocol implementations
+# for active connections (ie currently serving a request). For now, you should
+# estimate that max_buffers = number of concurrent requests * 2
+# defaults to 1000
+# max_buffers = 1000
+
+# minimum number of buffers preallocated in the pool
+# cannot be larger than max_buffers
+# defaults to 1
+# min_buffers = 1
+
+# size of the buffers used by the protocol implementations. Each worker will
+# preallocate max_buffers * 2 * buffer_size bytes, so you should plan for this
+# memory usage. If you plan to use sozu's runtime upgrade feature, you should
+# leave enough memory for one more worker (also for the kernel, etc), so total
+# RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
+# defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
+buffer_size = 16393
+
+# how much time (in milliseconds) sozu command line will wait for a command to complete.
+# Defaults to 1000 milliseconds
+ctl_command_timeout = {{ parameter_dict["ctl-timeout"] }}
+
+# PID file is a file containing the PID of the main process of sozu.
+# It can be helpful to help systemd or any other service system to keep track
+# of the main process across upgrades. PID file is not created unless this option
+# is set or if SOZU_PID_FILE_PATH environment variable was defined at build time.
+pid_file_path = "{{ parameter_dict['pid-file'] }}"
+
+# maximum time of inactivity for a frontend socket, in seconds
+# defaults to 60 seconds, can be specified at the listener level
+front_timeout = {{ parameter_dict["front-timeout"] }}
+
+# maximum time of inactivity for a backend socket, in seconds
+# defaults to 30 seconds, can be specified at the listener level
+back_timeout = {{ parameter_dict["back-timeout"] }}
+
+# maximum time to connect to a backend server, in seconds
+# defaults to 3 seconds, can be specified at the listener level
+connect_timeout = {{ parameter_dict["connect-timeout"] }}
+
+# maximum time to receive a request since the connection started
+# defaults to 10 seconds, can be specified at the listener level
+request_timeout = {{ parameter_dict["request-timeout"] }}
+#
+# duration between zombie checks, in seconds
+# defaults to 30 minutes
+# in case of bugs in sozu's event loop and protocol implementations, some client
+# sessions could be stuck, not receiving any more event, and consuming resources.
+# sozu verifies regularly if there are such zombie sessions, logs their state
+# and removes them
+# zombie_check_interval = 1800
+
+# by default, all listeners start a TCP listen socket o startup
+# if set to false, this option will prevent them from listening. You can then add
+# the complete configuration, and send an ActivateListener message afterwards
+activate_listeners = true
+
+# various statistics can be sent to a server that supports the statsd protocol
+# You can see those statistics with the command line, like this: `sozu metrics get` or
+# `sozu metrics get --json` for machine consumption
+#
+#[metrics]
+# address = "127.0.0.1:8125"
+# use InfluxDB's statsd protocol flavor to add tags
+# tagged_metrics = false
+# metrics key prefix
+# prefix = "sozu"
+
+# Listeners
+# configuration options specific to a TCP listen socket
+
+# Example for a HTTP (plaintext) listener
+[[listeners]]
+protocol = "http"
+
+# listening address
+address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}"
+
+# specify a different IP than the one the socket sees, for logs and forwarded headers
+# this option is incompatible with expect_proxy
+# public_address = "1.2.3.4:80"
+
+# path to custom 404 and 503 answers
+# a 404 response is sent when sozu does not know about the requested domain or path
+# a 503 response is sent if there are no backend servers available
+#answer_404 = "../lib/assets/404.html"
+#answer_503 = "../lib/assets/503.html"
+
+# defines the sticky session cookie's name, if `sticky_session` is activated for
+# a cluster. Defaults to "SOZUBALANCEID"
+# sticky_name = "SOZUBALANCEID"
+#
+# Configures the client socket to receive a PROXY protocol header
+# this option is incompatible with public_address
+# expect_proxy = false
+
+# Example for a HTTPS listener
+[[listeners]]
+protocol = "https"
+
+# listening address
+address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }}"
+
+# specify a different IP than the one the socket sees, for logs and forwarded headers
+# this option is incompatible with expect_proxy
+# public_address = "1.2.3.4:80"
+
+# answer_404 = "../lib/assets/404.html"
+# answer_503 = "../lib/assets/503.html"
+# sticky_name = "SOZUBALANCEID"
+
+# Configures the client socket to receive a PROXY protocol header
+# this option is incompatible with public_address
+# expect_proxy = false
+
+# Supported TLS versions. Possible values are "SSL_V2", "SSL_V3", "TLSv1", "TLS_V11", "TLS_V12", "TLS_V13".
+# Defaults to `["TLS_V12", "TLS_V13"]`. Besides, `rustls` tls provider only support "TLS_V12" and "TLS_V13" values.
+tls_versions = ["TLS_V12", "TLS_V13"]
+
+# TLS ciphers considered as secure can be retrieved on the ANSSI document located here:
+# https://www.ssi.gouv.fr/uploads/2020/03/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
+#
+# When using `Rustls` TLS provider:
+# * Sets the lists of availables ciphers (TLSv1.2 and TLSv1.3). Supported ciphers names are specified at
+#   https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
+#
+cipher_list = [
+    # TLS 1.3 cipher suites
+    "TLS13_AES_256_GCM_SHA384",
+    "TLS13_AES_128_GCM_SHA256",
+    "TLS13_CHACHA20_POLY1305_SHA256",
+    # TLS 1.2 cipher suites
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+]
+
+# default certificate and key
+# in case you want to set up TLS without SNI, you can define the default
+# certificate here
+certificate = "{{ parameter_dict['cert-file'] }}"
+key = "{{ parameter_dict['key-file'] }}"
+certificate_chain = "{{ parameter_dict['cert-chain-file'] }}"
+
+# options specific to a TCP proxy listener
+#[[listeners]]
+# protocol = "tcp"
+# address = "127.0.0.1:8081"
+#
+# specify a different IP than the one the socket sees, for logs and forwarded headers
+# this option is incompatible with expect_proxy
+# public_address = "1.2.3.4:81"
+#
+# Configures the client socket to receive a PROXY protocol header
+# this option is incompatible with public_address
+# expect_proxy = false
+
+# static configuration for cluster
+#
+# A cluster is a set of frontends, routing rules, and backends.
+# These clusters will be routed by sozu directly from start
+[clusters]
+
+{% for name, cluster_dict in cluster_definition_dict.items() %}
+# every cluster has a "cluster id", here it is "MyCluster"
+# this is an example of a routing configuration for the HTTP and HTTPS proxies
+[clusters.{{ name }}]
+
+# the protocol option indicates if we will use HTTP or TCP proxying
+# possible options are "http" or "tcp"
+protocol = "{{ cluster_dict['protocol'] }}"
+
+# per cluster load balancing algorithm. The possible values are
+# "ROUND_ROBIN", "RANDOM", "LEAST_LOADED" and "POWER_OF_TWO". Defaults to "ROUND_ROBIN"
+load_balancing = "{{ cluster_dict['load-balancing'] }}"
+# metric evaluating the load on the backend. available options: connections, requests, connection_time
+load_metric = "{{ cluster_dict['load-metric'] }}"
+
+# frontends configuration
+# this specifies which listeners; domains, certificates that will be configured for a cluster
+# each element of the array must be specified on one line (toml format limitation)
+# possible frontend options:
+# - address: TCP listener
+# - hostname: host name of the cluster
+# - path = "/api" # optional. A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.
+# - path_type = PREFIX | REGEX | EQUALS # defaults to PREFIX
+# - sticky_session = false # activates sticky sessions for this cluster
+# - https_redirect = false #  activates automatic redirection to HTTPS for this cluster
+# - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
+frontends = [
+{%  for _, frontend_dict in cluster_dict['frontend-dict'].items() -%}
+{%    set enable_https = frontend_dict.get("certificate") and frontend_dict.get("key") and frontend_dict.get("chain") -%}
+{%    set tag_dict = {} -%}
+{%    for tag in frontend_dict['tag-list'] -%}
+{%      set k, v = tag.split('=') -%}
+        do tag_dict.__setitem__(k.strip(), v.strip()) -%}
+{%    endfor -%}
+    { address = "{{ frontend_dict['address'] }}", hostname = "{{ frontend_dict.get('hostname') }}", tags = tag_dict, path = "{{ frontend_dict.get('path', '') }}", path_type = {{ frontend_dict.get("path-type", "PREFIX") }}, sticky_session = {{ frontend_dict.get("sticky-session", "false") }}, https_redirect = {{ frontend_dict.get("https-redirect", "false") }}{% if enable_https -%}, tls_versions = {{ frontend_dict.get("tls-versions", []) }}, certificate = "{{ frontend_dict['certificate'] }}", key = "{{ frontend_dict['key'] }}", certificate_chain = "{{ frontend_dict['chain'] }}" {% endif -%} },
+{%  endfor -%}
+]
+
+# backends configuration
+# this indicates the backend servers used by the cluster
+# possible options:
+# - address: IP and port of the backend server
+# - weight: weight used by the load balancing algorithm
+# - sticky-id: sticky session identifier
+backends = [
+{%  for _, backend_dict in cluster_dict['backend-dict'].items() -%}
+    { address = "{{ backend_dict['address'] }}", backend_id = "{{ backend_dict['backend-id'] }}"{% if backend_dict.get("weight") %}, weight = {{ backend_dict["weight"] }} {% endif -%}{% if backend_dict.get("sticky-id") %}, sticky-id = {{ backend_dict["sticky-id"] }} {% endif -%} }
+{%  endfor -%}
+]
+
+{% endfor -%}

software/sozu/instance-sozu-slave-input-schema.json

+{
+  "type": "object",
+  "$schema": "http://json-schema.org/draft-04/schema",
+  "title": "Input Parameters",
+  "properties": {
+    "protocol": {
+      "title": "Protocol for cluster",
+      "description": "The protocol option indicates if we will use HTTP or TCP proxying",
+      "type": "string",
+      "default": "http",
+      "enum": [
+        "http",
+        "tcp"
+      ]
+    },
+    "load-balancing": {
+      "title": "Load balancing algorithm",
+      "description": "The possible values are ROUND_ROBIN, RANDOM, LEAST_LOADED and POWER_OF_TWO. Defaults to ROUND_ROBIN",
+      "type": "string",
+      "default": "ROUND_ROBIN",
+      "enum": [
+        "ROUND_ROBIN",
+        "RANDOM",
+        "LEAST_LOADED",
+        "POWER_OF_TWO"
+      ]
+    },
+    "load-metric": {
+      "title": "Load metric",
+      "description": "Metric evaluating the load on the backend. available options: connections, requests, connection_time.",
+      "type": "string",
+      "default": "connections",
+      "enum": [
+        "connections",
+        "requests",
+        "connection_time"
+      ]
+    },
+    "frontend-dict": {
+      "title": "Sozu frontends configuration",
+      "description": "A cluster is a set of frontends, routing rules, and backends.",
+      "patternProperties": {
+        ".*": {
+          "properties": {
+            "address": {
+              "title": "TCP listener",
+              "description": "TCP address listener (ip and port). Something like: 0.0.0.0:8080",
+              "type": "string"
+            },
+            "hostname": {
+              "title": "Hostname",
+              "description": "host name of the cluster.",
+              "type": "string"
+            },
+            "path": {
+              "title": "Path",
+              "description": "A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.",
+              "type": "string",
+              "default": ""
+            },
+            "path-type": {
+              "title": "Path type",
+              "description": "This is useful if \"path\" is set. Values are PREFIX | REGEX | EQUALS # defaults to PREFIX.",
+              "type": "string",
+              "default": "PREFIX",
+              "enum": [
+                "PREFIX",
+                "REGEX",
+                "EQUALS"
+              ]
+            },
+            "sticky-session": {
+              "title": "Sticky session",
+              "description": "Activates sticky sessions for this cluster.",
+              "type": "boolean",
+              "default": false
+            },
+            "https-redirect": {
+              "title": "https redirect",
+              "description": "Activates automatic redirection to HTTPS for this cluster.",
+              "type": "boolean",
+              "default": false
+            },
+            "tag-list": {
+              "title": "Custom tags",
+              "description": "Key=value list of custom tag to retrieve a frontend with the CLI or in the logs.",
+              "type": "array",
+              "items": {
+                "type": "string"
+              },
+              "default": []
+            },
+            "tls-versions": {
+              "title": "Supported TLS versions",
+              "description": "Possible values are SSL_V2, SSL_V3, TLSv1, TLS_V11, TLS_V12, TLS_V13. Ex: [\"TLS_V12\", \"TLS_V13\"].",
+              "type": "array",
+              "items": {
+                "type": "string"
+              },
+              "default": []
+            },
+            "deploy-certificate": {
+              "title": "Deploy self-signed certificate",
+              "description": "Use a self-signed certificate with this frontend. If set to true, frontend listen on https, certificate and key are ignored.",
+              "type": "boolean",
+              "default": true
+            },
+            "certificate": {
+              "title": "Certificate for HTTPS frontend",
+              "description": "Enable HTTPS frontend and use this certificate.",
+              "textarea": true,
+              "type": "string"
+            },
+            "key": {
+              "title": "SSL key for HTTPS frontend",
+              "description": "Enable HTTPS frontend and use this SSL key.",
+              "textarea": true,
+              "type": "string"
+            },
+            "certificate-chain": {
+              "title": "Certificate chain for HTTPS frontend",
+              "description": "Certificate chain for HTTPS frontend.",
+              "textarea": true,
+              "type": "string"
+            }
+          },
+          "type": "object"
+        }
+      },
+      "type": "object"
+    },
+    "backend-dict": {
+      "title": "Sozu backends configuration",
+      "description": "Indicates the backend servers used by the cluster.",
+      "patternProperties": {
+        ".*": {
+          "properties": {
+            "address": {
+              "title": "TCP listener",
+              "description": "TCP address listener (ip and port). Something like: 0.0.0.0:8080",
+              "type": "string"
+            },
+            "backend-id": {
+              "title": "Backend ID",
+              "description": "Backend unique identifier, ex: my-app-backend.",
+              "type": "string"
+            },
+            "weight": {
+              "title": "Weight",
+              "description": "Optional: weight used by the load balancing algorithm.",
+              "type": "integer"
+            },
+            "sticky-id": {
+              "title": "Sticky-id",
+              "description": "Optional: sticky session identifier.",
+              "type": "string"
+            }
+          },
+          "type": "object"
+        }
+      },
+      "type": "object"
+    }
+  }
+}

software/sozu/instance-sozu.cfg.jinja2.in

+{% set publish_dict = {} -%}
+{% set part_list = [] -%}
+{% set ipv6 = (ipv6_set | list)[0] -%}
+{% set ipv4 = (ipv4_set | list)[0] -%}
+{% set cluster_definition_dict = {} -%}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+home = ${buildout:directory}
+etc = ${:home}/etc
+var = ${:home}/var
+run = ${:var}/run
+scripts = ${:etc}/run
+service = ${:etc}/service
+promise = ${:etc}/promise
+log = ${:var}/log
+nginx-prefix = ${:var}/nginx
+tmp = ${:home}/tmp
+ssl = ${:etc}/ssl
+dssl = ${:etc}/ssl-downloaded
+
+[createfile]
+recipe = slapos.recipe.template:jinja2
+inline =
+  {{ '{{ content }}' }}
+
+{% macro createfile(section_name, file_path, content, mode='') -%}
+[{{  section_name }}]
+< = createfile
+output = {{ file_path }}
+context = key content :content
+mode = {{ mode }}
+content = {{ dumps(content) }}
+{%- endmacro %}
+
+[ca-certificate-base]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+key-file = ${ca-directory:certs}/${:name}.crt
+cert-file = ${ca-directory:certs}/${:name}.key
+executable = echo "request certificate"
+wrapper = ${directory:tmp}/ca-${:name}
+
+{% for instance_dict in slave_instance_list -%}
+{% set name = instance_dict['slave_reference'] -%}
+{% set cert_section_name = '${' ~ name ~ '-ssl:cert-file}' -%}
+{% set key_section_name = '${' ~ name ~ '-ssl:key-file}' -%}
+{% set slave_dict = {
+  'name': name.replace('-', '_').lower(),
+  'protocol': instance_dict.get('protocol', 'http'),
+  'load-balancing': instance_dict.get('load-balancing', 'ROUND_ROBIN'),
+  'load-metric': instance_dict.get('load-metric', 'connections'),
+  'frontend-dict': instance_dict['frontend-dict'],
+  'backend-dict': instance_dict['backend-dict']
+  } -%}
+
+[{{ name }}-ssl]
+<= ca-certificate-base
+name = {{ name }}
+
+{%  for cluster_name, cluster_dict in slave_dict['frontend-dict'].items() %}
+{%    if cluster_dict.get('deploy-certificate') -%}
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ '-ssl:cert-file}') -%}
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ '-ssl:key-file}') -%}
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ '-ssl:chain-file}') -%}
+
+{%    elif cluster_dict.get('certificate') and cluster_dict.get('key') and cluster_dict.get('certificate-chain') -%}
+{{ createfile(name ~ cluster_name ~ "-crt", "${directory:dssl}/" ~ name ~ cluster_name ~ ".crt", cluster_dict['certificate']) }}
+{{ createfile(name ~ cluster_name ~ "-key", "${directory:dssl}/" ~ name ~ cluster_name ~ ".key", cluster_dict['key']) }}
+{{ createfile(name ~ cluster_name ~ "-chain", "${directory:dssl}/" ~ name ~ cluster_name ~ "-chain.crt", cluster_dict['certificate-chain']) }}
+
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ cluster_name~ '-crt:output}') -%}
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ cluster_name~ '-key:output}') -%}
+{%      do slave_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ cluster_name~ '-chain:output}') -%}
+{%    endif -%}
+{%  endfor -%}
+{%  do cluster_definition_dict.__setitem__(slave_dict['name'], slave_dict) -%}
+{% endfor -%}
+
+[sozu-parameters]
+#warn, info, debug, trace
+log-level = info
+log-file = ${directory:log}/sozu.log
+access-log-file = ${directory:log}/sozu-access.log
+socket-file = ${directory:run}/sozu.sock
+max-buffer-size = 163840
+worker-count = 2
+max-connections = 500
+# wait for a command to complete timeout
+ctl-timeout = 1000
+pid-file = ${directory:run}/sozu.pid
+# maximum time (seconds) of inactivity for a frontend socket
+front-timeout = 60
+# maximum time of inactivity for a backend socket, in seconds
+back-timeout = 30
+# maximum time to connect to a backend server, in seconds
+connect-timeout = 3
+# maximum time to receive a request since the connection started
+request-timeout = 10
+ip = {{ ipv6 }}
+port = 8090
+https-port = 4453
+cert-file = ${ca-directory:certs}/sozu-cert.crt
+key-file = ${ca-directory:certs}/sozu.key
+cert-chain-file = ${ca-directory:root}/cacert.pem
+
+[sozu-config.toml]
+recipe = slapos.recipe.template:jinja2
+url = {{ config_toml_in }}
+extensions = jinja2.ext.do
+output = ${directory:etc}/config.toml
+context =
+  section parameter_dict              sozu-parameters
+  section cluster_definition_dict     sozu-slave-information
+
+[sozu-wrapper]
+recipe = slapos.cookbook:wrapper
+command-line =
+  {{ sozu_bin }} start -c ${sozu-config.toml:output}
+wrapper-path = ${directory:bin}/sozu
+
+[ca-sozu-wrapper]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+key-file = ${sozu-parameters:key-file}
+cert-file = ${sozu-parameters:cert-file}
+executable = ${sozu-wrapper:wrapper-path}
+wrapper = ${directory:bin}/ca-sozu
+
+[sozu-service]
+recipe = slapos.cookbook:wrapper
+command-line = ${ca-sozu-wrapper:wrapper}
+wrapper-path = ${directory:services}/sozu
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+hash-files = ${sozu-config.toml:output}
+url = http://[${sozu-parameters:ip}]:${sozu-parameters:port}
+https-url = https://[${sozu-parameters:ip}]:${sozu-parameters:https-port}
+wait-for-files =
+  ${ca-directory:certs}/sozu-cert.crt
+
+[sozu-https-promise]
+<= monitor-promise-base
+promise = check_socket_listening
+name = sozu-https-backend-port-listening.py
+config-port = ${sozu-parameters:https-port}
+config-host = ${sozu-parameters:ip}
+
+[sozu-http-promise]
+<= monitor-promise-base
+promise = check_socket_listening
+name = sozu-http-backend-port-listening.py
+config-port = ${sozu-parameters:port}
+config-host = ${sozu-parameters:ip}
+
+[sozu-frontend]
+<= slap-connection
+recipe = slapos.cookbook:requestoptional
+name = Sozu Frontend
+# XXX We have hardcoded SR URL here.
+software-url = http://git.erp5.org/gitweb/slapos.git/blob_plain/HEAD:/software/apache-frontend/software.cfg
+shared = true
+config-url = ${sozu-service:url}
+config-https-url = ${sozu-service:https-url}
+config-https-only = true
+return = domain secure_access
+
+[sozu-frontend-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = check_sozu_secure_frontend.py
+config-url = ${sozu-frontend:connection-secure_access}
+
+[sozu-http-frontend-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = check_sozu_frontend.py
+config-url = http://${sozu-frontend:connection-domain}
+
+[publish-connection-information]
+<= monitor-publish
+recipe = slapos.cookbook:publish
+backend-url = ${sozu-service:url}
+url = ${sozu-frontend:connection-secure_access}
+
+[sozu-publish-slave-information]
+recipe = slapos.cookbook:switch-softwaretype
+default = dynamic-sozu-publish-slave-information:output
+RootSoftwareInstance = ${:default}
+
+[dynamic-sozu-publish-slave-information]
+recipe = slapos.recipe.template:jinja2
+output = ${buildout:directory}/sozu-publish-slave-information.cfg
+extensions = jinja2.ext.do
+url = {{ template_publish_slave }}
+context =
+    import json_module          json
+    raw eggs_directory          {{ eggs_directory }}
+    raw develop_eggs_directory  {{ develop_eggs_directory }}
+    raw ipv6                    {{ ipv6 }}
+    raw ipv4                    {{ ipv4 }}
+    section slave_dict          sozu-slave-information
+
+[sozu-slave-information]
+{% for name, cluster_dict in cluster_definition_dict.items() -%}
+{{ name }} = {{ dumps(cluster_dict) }}
+{% endfor -%}
+
+[buildout]
+extends = {{ template_monitor }}
+
+parts =
+  sozu-https-promise
+  sozu-http-promise
+  sozu-frontend-promise
+  sozu-http-frontend-promise
+  sozu-service
+  publish-connection-information
+  sozu-publish-slave-information
+
+# Complete parts with sections
+  {{ part_list | join('\n  ') }}
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true

software/sozu/instance.cfg.in

+[buildout]
+parts = switch-softwaretype
+
+eggs-directory = {{ buildout_egg_directory }}
+develop-eggs-directory = {{ buildout_develop_directory }}
+offline = true
+
+
+[switch-softwaretype]
+recipe = slapos.cookbook:switch-softwaretype
+default = template-instance-sozu.cfg:output
+RootSoftwareInstance = ${:default}
+
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
+
+
+[jinja2-template-base]
+recipe  = slapos.recipe.template:jinja2
+extensions = jinja2.ext.do
+output= ${buildout:directory}/${:_buildout_section_name_}
+context =
+    key slapparameter_dict      slap-configuration:configuration
+    key computer_id             slap-configuration:computer
+    key ipv4_set                slap-configuration:ipv4
+    key ipv6_set                slap-configuration:ipv6
+    raw buildout_directory      {{ buildout_directory }}
+    raw buildout_bin_directory  {{ buildout_bin_directory }}
+    raw eggs_directory          {{ buildout_egg_directory }}
+    raw develop_eggs_directory  {{ buildout_develop_directory }}
+    raw template_monitor        {{ template_monitor_cfg }}
+    raw openssl_bin             {{ openssl_location }}/bin/openssl
+    ${:extra-context}
+extra-context =
+
+[template-instance-sozu.cfg]
+<= jinja2-template-base
+url = {{ template_sozu_cfg }}
+extra-context =
+    key slave_instance_list         slap-configuration:slave-instance-list
+    raw sozu_bin                    {{ sozu_location }}/bin/sozu
+
+# config files
+    raw config_toml_in             {{ config_toml }}
+    raw template_publish_slave     {{ template_publish_slave }}
+

software/sozu/publish-sozu-slave-parameters.cfg.in

+{% set part_list = [] -%}
+
+[slap_connection]
+# Kept for backward compatibility
+computer_id = ${slap-connection:computer-id}
+partition_id = ${slap-connection:partition-id}
+server_url = ${slap-connection:server-url}
+software_release_url = ${slap-connection:software-release-url}
+key_file = ${slap-connection:key-file}
+cert_file = ${slap-connection:cert-file}
+
+
+{% for _, cluster in slave_dict.items() -%}
+{% set slave_reference = cluster['slave_reference'] -%}
+{% do part_list.append('publish-slave-' ~ slave_reference) -%}
+
+[publish-slave-{{ slave_reference }}]
+recipe = slapos.cookbook:publish
+-slave-reference = {{ slave_reference }}
+{% endfor %}
+
+[buildout]
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true
+
+parts =
+{% for part in part_list -%}
+{{ '  %s' % part }}
+{% endfor -%}

software/sozu/software.cfg

+[buildout]
+
+extends =
+  ../../component/rust/buildout.cfg
+  ../../stack/monitor/buildout.cfg
+  buildout.hash.cfg
+
+parts =
+  slapos-cookbook
+  instance.cfg
+
+[sozu]
+recipe = plone.recipe.command
+stop-on-error = true
+update-command = ${:command}
+location = ${buildout:parts-directory}/${:_buildout_section_name_}
+command =
+  INSTALL_DIR=${:location}
+  mkdir -p $INSTALL_DIR && cd $INSTALL_DIR
+  PATH=${rustc:location}/bin:$PATH
+  cargo install --root=${:location} sozu
+
+[sozu-d]
+recipe = slapos.recipe.cmmi
+url = https://github.com/sozu-proxy/sozu/archive/refs/tags/0.15.6.tar.gz
+md5sum = 4cd4386b64c652af5ad416b10b6ca246
+configure-command = :
+make-binary = cargo install --root=%(location)s --path . --locked
+make-targets =
+environment =
+  PATH=${rustc:location}/bin:%(PATH)s
+
+[dl-template]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+
+[instance.cfg]
+recipe = slapos.recipe.template:jinja2
+output = ${buildout:directory}/instance.cfg
+url = ${:_profile_base_location_}/${:filename}
+context =
+    key buildout_bin_directory buildout:bin-directory
+    key buildout_egg_directory buildout:eggs-directory
+    key buildout_develop_directory buildout:develop-eggs-directory
+    key buildout_directory buildout:directory
+    key template_monitor_cfg monitor2-template:output
+    key logrotate_cfg template-logrotate-base:output
+    key config_toml   config.toml:target
+    key openssl_location openssl:location
+    key sozu_location  sozu:location
+    key template_sozu_cfg template-sozu:target
+    key template_publish_slave publish-sozu-slave-parameters.cfg:target
+
+[template-sozu]
+<= dl-template
+
+[config.toml]
+<= dl-template
+
+[publish-sozu-slave-parameters.cfg]
+<= dl-template

software/sozu/software.cfg.json

+{
+  "name": "Sozu reverse proxy server",
+  "description": "Sōzu is a lightweight, fast, always-up reverse proxy server.",
+  "serialisation": "xml",
+  "software-type": {
+    "default": {
+      "title": "Default",
+      "description": "Replication Manager",
+      "request": "instance-sozu-input-schema.json",
+      "response": "instance-sozu-output-schema.json",
+      "index": 0
+    },
+    "default-slave": {
+      "title": "Cluster definition",
+      "description": "Sozu cluster definition",
+      "serialisation": "json-in-xml",
+      "software-type": "default",
+      "request": "instance-sozu-slave-input-schema.json",
+      "response": "instance-sozu-output-schema.json",
+      "shared": true,
+      "index": 1
+    }
+  }
+}