From acdb34027b361cccfe6200ed8f087aa146d0ab55 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 21:52:57 +0100 Subject: [PATCH 1/3] WIP: update mysql/seafile to use their own ldap user in ou=services --- consul/configuration/.gitignore | 1 + .../seafile/conf/{ccnet.conf.sample => ccnet.conf} | 8 ++++---- nomad/seafile.hcl | 14 ++++++++++---- 3 files changed, 15 insertions(+), 8 deletions(-) rename consul/configuration/seafile/conf/{ccnet.conf.sample => ccnet.conf} (63%) diff --git a/consul/configuration/.gitignore b/consul/configuration/.gitignore index 8c55cc6..d54ae44 100644 --- a/consul/configuration/.gitignore +++ b/consul/configuration/.gitignore @@ -10,6 +10,7 @@ # Whitelist specific files !seafile/conf/seafdav.conf +!seafile/conf/ccnet.conf !seafile/ccnet/seafile.ini !email/dkim/keytable diff --git a/consul/configuration/seafile/conf/ccnet.conf.sample b/consul/configuration/seafile/conf/ccnet.conf similarity index 63% rename from consul/configuration/seafile/conf/ccnet.conf.sample rename to consul/configuration/seafile/conf/ccnet.conf index 76f4da9..2395a9b 100644 --- a/consul/configuration/seafile/conf/ccnet.conf.sample +++ b/consul/configuration/seafile/conf/ccnet.conf @@ -1,6 +1,6 @@ [General] USER_NAME = deuxfleurs -ID = +ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }} NAME = deuxfleurs SERVICE_URL = https://cloud.deuxfleurs.fr @@ -13,9 +13,9 @@ PORT = 13418 [LDAP] HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/ BASE = ou=users,dc=deuxfleurs,dc=fr -USER_DN = cn=,dc=deuxfleurs,dc=fr +USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }} FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr -PASSWORD = +PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }} LOGIN_ATTR = mail [Database] 
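Review bot: The bind DN and password that the `[LDAP]` section now renders from `secrets/seafile/ccnet/ldap_binddn` and `secrets/seafile/ccnet/ldap_bindpwd` are sent to `HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/`, which is plaintext LDAP unless the cluster network encrypts that traffic at another layer. If the directory server offers TLS, `HOST = ldaps://bottin2.service.2.cluster.deuxfleurs.fr/` would keep the service credential off the wire in clear. Otherwise a comment above `HOST` such as `# plaintext LDAP: link is protected by <mechanism>` would record why this is acceptable. The patch does not show the ACL of the new `ou=services` account, so it is worth confirming that it only has read access to `ou=users`.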
@@ -23,7 +23,7 @@ ENGINE = mysql HOST = mariadb.service.2.cluster.deuxfleurs.fr PORT = 3306 USER = seafile -PASSWD = +PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} DB = ccnet-db CONNECTION_CHARSET = utf8 diff --git a/nomad/seafile.hcl b/nomad/seafile.hcl index c930396..1ffd1a1 100644 --- a/nomad/seafile.hcl +++ b/nomad/seafile.hcl @@ -111,6 +111,16 @@ job "seafile" { } } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/ccnet.conf?raw" + destination = "secrets/conf/ccnet.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/ccnet.conf.tpl" + destination = "secrets/conf/ccnet.conf" + } + template { data = "{{ key \"configuration/seafile/ccnet/mykey.peer\" }}" destination = "secrets/ccnet/mykey.peer" @@ -119,10 +129,6 @@ job "seafile" { data = "{{ key \"configuration/seafile/ccnet/seafile.ini\" }}" destination = "secrets/ccnet/seafile.ini" } - template { - data = "{{ key \"configuration/seafile/conf/ccnet.conf\" }}" - destination = "secrets/conf/ccnet.conf" - } template { data = "{{ key \"configuration/seafile/conf/mykey.peer\" }}" destination = "secrets/conf/mykey.peer" From 6da7ecfa9f001f3a51a1bb183c782821934dec0c Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 22:36:45 +0100 Subject: [PATCH 2/3] Move ccnet.conf to ccnet.conf.tpl --- consul/configuration/.gitignore | 1 - .../configuration/seafile/conf/{ccnet.conf => ccnet.conf.tpl} | 0 nomad/seafile.hcl | 2 +- 3 files changed, 1 insertion(+), 2 deletions(-) rename consul/configuration/seafile/conf/{ccnet.conf => ccnet.conf.tpl} (100%) diff --git a/consul/configuration/.gitignore b/consul/configuration/.gitignore index d54ae44..8c55cc6 100644 --- a/consul/configuration/.gitignore +++ b/consul/configuration/.gitignore @@ -10,7 +10,6 @@ # Whitelist specific files !seafile/conf/seafdav.conf -!seafile/conf/ccnet.conf !seafile/ccnet/seafile.ini !email/dkim/keytable 
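Review bot: The `artifact` plus `template { source = ... }` pair added in the `@@ -111,6 +111,16 @@` hunk turns the value stored at `configuration/seafile/conf/ccnet.conf` from data into template code. The removed stanza only printed the key's content, whereas now anyone who can write that KV key can make the rendered file include any key the template runner's Consul token can read, including `secrets/`. The fetch from `http://127.0.0.1:8500/v1/kv/...?raw` carries no token, so if ACLs are enabled the `configuration/` prefix would have to be readable anonymously on the local agent (not visible here). Consider limiting writes on `configuration/seafile/conf/` to the principals allowed to read `secrets/seafile/`, and recording that above the stanza with `# this KV value is rendered as a template: write access to it implies read access to secrets/seafile/*`. The `seafile.conf.tpl` and `seahub_settings.py.tpl` artifacts added in patch 3/3 have the same property.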
diff --git a/consul/configuration/seafile/conf/ccnet.conf b/consul/configuration/seafile/conf/ccnet.conf.tpl similarity index 100% rename from consul/configuration/seafile/conf/ccnet.conf rename to consul/configuration/seafile/conf/ccnet.conf.tpl diff --git a/nomad/seafile.hcl b/nomad/seafile.hcl index 1ffd1a1..dc076c6 100644 --- a/nomad/seafile.hcl +++ b/nomad/seafile.hcl @@ -112,7 +112,7 @@ job "seafile" { } artifact { - source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/ccnet.conf?raw" + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/ccnet.conf.tpl?raw" destination = "secrets/conf/ccnet.conf.tpl" mode = "file" } From afaf89f7512036318bd7a187c91e19601b7470d6 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sat, 15 Feb 2020 16:02:16 +0100 Subject: [PATCH 3/3] Add missing templated passwords --- .../{seafile.conf.sample => seafile.conf.tpl} | 2 +- ...tings.py.sample => seahub_settings.py.tpl} | 2 +- nomad/seafile.hcl | 30 +++++++++++++------ 3 files changed, 23 insertions(+), 11 deletions(-) rename consul/configuration/seafile/conf/{seafile.conf.sample => seafile.conf.tpl} (79%) rename consul/configuration/seafile/conf/{seahub_settings.py.sample => seahub_settings.py.tpl} (89%) diff --git a/consul/configuration/seafile/conf/seafile.conf.sample b/consul/configuration/seafile/conf/seafile.conf.tpl similarity index 79% rename from consul/configuration/seafile/conf/seafile.conf.sample rename to consul/configuration/seafile/conf/seafile.conf.tpl index cfe3592..f224234 100644 --- a/consul/configuration/seafile/conf/seafile.conf.sample +++ b/consul/configuration/seafile/conf/seafile.conf.tpl @@ -11,7 +11,7 @@ type = mysql host = mariadb.service.2.cluster.deuxfleurs.fr port = 3306 user = seafile -password = +password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} db_name = seafile-db connection_charset = utf8 
diff --git a/consul/configuration/seafile/conf/seahub_settings.py.sample b/consul/configuration/seafile/conf/seahub_settings.py.tpl similarity index 89% rename from consul/configuration/seafile/conf/seahub_settings.py.sample rename to consul/configuration/seafile/conf/seahub_settings.py.tpl index 06aa7d3..6c63ee4 100644 --- a/consul/configuration/seafile/conf/seahub_settings.py.sample +++ b/consul/configuration/seafile/conf/seahub_settings.py.tpl @@ -5,7 +5,7 @@ DATABASES = { 'ENGINE': 'django.db.backends.mysql', 'NAME': 'seahub-db', 'USER': 'seafile', - 'PASSWORD': '', + 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}', 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr', 'PORT': '3306', 'OPTIONS': { diff --git a/nomad/seafile.hcl b/nomad/seafile.hcl index dc076c6..f118999 100644 --- a/nomad/seafile.hcl +++ b/nomad/seafile.hcl @@ -116,11 +116,31 @@ job "seafile" { destination = "secrets/conf/ccnet.conf.tpl" mode = "file" } - template { + template { source = "secrets/conf/ccnet.conf.tpl" destination = "secrets/conf/ccnet.conf" } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seafile.conf.tpl?raw" + destination = "secrets/conf/seafile.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/seafile.conf.tpl" + destination = "secrets/conf/seafile.conf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seahub_settings.py.tpl?raw" + destination = "secrets/conf/seahub_settings.py.tpl" + mode = "file" + } + template { + source = "secrets/conf/seahub_settings.py.tpl" + destination = "secrets/conf/seahub_settings.py" + } + template { data = "{{ key \"configuration/seafile/ccnet/mykey.peer\" }}" destination = "secrets/ccnet/mykey.peer" 
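Review bot: `'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}',` pastes the secret between single quotes in a Python source file, so a password containing `'` or `\` either breaks `seahub_settings.py` at import or changes what the file evaluates to. Either constrain the stored password to an alphabet without quotes and backslashes and say so in a comment next to the line, or emit an escaped literal, for example `'PASSWORD': {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace | toJSON }},` (check how the escaped output reads under the Python version Seahub runs on). The unquoted `password = {{ ... }}` in `seafile.conf.tpl` and `PASSWD = {{ ... }}` in `ccnet.conf` may have a milder form of the same problem with characters such as `#` or `;`, depending on the parser. The `DATABASES` dict starts and ends outside the hunk.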
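Review bot: The rendered `secrets/conf/seafile.conf` and `secrets/conf/seahub_settings.py` now contain the MariaDB password, but the new `template` stanzas in the `@@ -116,11 +116,31 @@` hunk set no `perms`, so the files get Nomad's default mode (644 per its documentation) and are readable by every user inside the task. If the Seafile processes run as the owner of these files, adding `perms = "600"` to both stanzas, and to the existing `ccnet.conf` one, narrows who can read them; verify the runtime user first, since a non-owner process would then fail to start. The downloaded `*.tpl` copies left in `secrets/conf/` only contain key references, not secret values.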
@@ -137,14 +157,6 @@ job "seafile" { data = "{{ key \"configuration/seafile/conf/seafdav.conf\" }}" destination = "secrets/conf/seafdav.conf" } - template { - data = "{{ key \"configuration/seafile/conf/seafile.conf\" }}" - destination = "secrets/conf/seafile.conf" - } - template { - data = "{{ key \"configuration/seafile/conf/seahub_settings.py\" }}" - destination = "secrets/conf/seahub_settings.py" - } template { data = "{{ key \"configuration/seafile/conf/gunicorn.conf\" }}" destination = "secrets/conf/gunicorn.conf"