├── .gitignore
├── README.md
├── Vagrantfile
└── provisioning
    └── salt
        ├── minion
            ├── backup
            │   └── server
            ├── monitoring
            │   └── server
            └── web
            │   ├── mirror
            │   ├── pypi
            │   ├── pypi_dev
            │   └── pypi_log
        └── roots
            ├── pillar
                ├── backup
                │   └── server.sls
                ├── monitoring
                │   ├── client
                │   │   └── init.sls
                │   └── server
                │   │   └── init.sls
                ├── networking.sls
                ├── postgresql
                │   └── postgresql.sls
                ├── pypi-deploys
                │   └── pypi-dev.sls
                ├── pypi-mirror
                │   └── init.sls
                ├── pypi
                │   ├── log.sls
                │   └── web.sls
                ├── salt-master
                │   └── init.sls
                ├── secrets
                │   ├── backup
                │   │   └── pypi-dev.sls
                │   ├── monitoring.sls
                │   └── pypi-dev.sls
                ├── sudoers
                │   └── init.sls
                ├── top.sls
                ├── users
                │   ├── admin.sls
                │   └── init.sls
                ├── warehouse-deploys
                │   └── warehouse-dev.sls
                └── warehouse
                │   └── web.sls
            ├── prod-pillar
                ├── backup
                │   └── server.sls
                ├── monitoring
                │   ├── client
                │   │   ├── dfw.sls
                │   │   └── init.sls
                │   └── server
                │   │   └── init.sls
                ├── networking.sls
                ├── postgresql
                │   └── postgresql.sls
                ├── pypi-deploys
                │   ├── pypi.sls
                │   └── testpypi.sls
                ├── pypi-mirror
                │   └── init.sls
                ├── pypi
                │   ├── log.sls
                │   └── web.sls
                ├── salt-master
                │   └── init.sls
                ├── sudoers
                │   └── init.sls
                ├── top.sls
                ├── users
                │   ├── admin.sls
                │   └── init.sls
                ├── warehouse-deploys
                │   ├── pypi.sls
                │   └── testpypi.sls
                └── warehouse
                │   └── web.sls
            └── salt
                ├── _grains
                    └── xenstore_datadog_tags.py
                ├── _modules
                    └── ip_picker.py
                ├── auto-security
                    └── init.sls
                ├── backup
                    ├── base.sls
                    ├── client
                    │   ├── README.md
                    │   ├── init.sls
                    │   └── templates
                    │   │   ├── backup.bash.jinja
                    │   │   └── cron.jinja
                    └── server
                    │   ├── README.md
                    │   ├── init.sls
                    │   └── templates
                    │       └── cron.jinja
                ├── base
                    ├── auto-highstate.sls
                    ├── config
                    │   └── salt-logrotate.conf
                    └── sanity.sls
                ├── datadog
                    ├── config
                    │   └── RPM-GPG-KEY-DATADOG
                    ├── files
                    │   └── datadog-nginx-status-codes.py
                    └── init.sls
                ├── elasticsearch
                    └── init.sls
                ├── firewall
                    ├── config
                    │   └── iptables.jinja
                    └── init.sls
                ├── monitoring
                    ├── client
                    │   ├── base.sls
                    │   ├── config
                    │   │   ├── bucky.conf.jinja
                    │   │   ├── bucky.ini
                    │   │   ├── collectd.conf.jinja
                    │   │   └── collectd.d
                    │   │   │   ├── base.conf
                    │   │   │   ├── nginx.conf
                    │   │   │   ├── postgresql.conf.jinja
                    │   │   │   ├── pypi-backend.conf
                    │   │   │   ├── pypi-mirror.conf
                    │   │   │   └── redis.conf
                    │   ├── init.sls
                    │   ├── nginx.sls
                    │   ├── plugins
                    │   │   └── python
                    │   │   │   ├── pypi_backend.py
                    │   │   │   ├── pypi_mirror.py
                    │   │   │   ├── redis_info.py
                    │   │   │   └── uwsgi_stats.py
                    │   ├── postgresql.sls
                    │   ├── pypi-backend.sls
                    │   ├── pypi-mirror.sls
                    │   └── redis.sls
                    └── server
                    │   ├── carbon.sls
                    │   ├── config
                    │       ├── carbon.conf.jinja
                    │       ├── graphite-web-app.conf.jinja
                    │       ├── graphite-web-nginx.conf.jinja
                    │       ├── graphite-web.ini.jinja
                    │       ├── local_settings.py.jinja
                    │       ├── riemann.config.jinja
                    │       └── storage-schemas.conf.jinja
                    │   ├── graphite-web.sls
                    │   ├── init.sls
                    │   └── riemann.sls
                ├── nginx
                    ├── config
                    │   ├── RPM-GPG-KEY-NGINX
                    │   ├── nginx.conf.jinja
                    │   ├── nginx.logrotate
                    │   └── nginx.ssl.conf.jinja
                    └── init.sls
                ├── openvpn
                    └── routing.sls
                ├── pkg
                    └── git.sls
                ├── postgresql
                    └── 93
                    │   ├── RPM-GPG-KEY-PGDG-93
                    │   ├── init.sls
                    │   └── repo.sls
                ├── pypi-mirror
                    ├── config
                    │   ├── bandersnatch.conf.jinja
                    │   ├── bandersnatch.logrotate.conf
                    │   ├── bandersnatch.nginx.app.conf
                    │   ├── bandersnatch.nginx.conf
                    │   ├── crontab.jinja
                    │   └── index.html.jinja
                    └── init.sls
                ├── pypi
                    ├── base.sls
                    ├── config
                    │   ├── pypi-cdn-log-archiver-wrapper.sh.jinja
                    │   ├── pypi-docs-proxy.ini.jinja
                    │   ├── pypi-syslog.logrotate.conf
                    │   ├── pypi-worker.ini.jinja
                    │   ├── pypi.ini.jinja
                    │   ├── pypi.initd.jinja
                    │   ├── pypi.logrotate.conf
                    │   ├── pypi.nginx.app.conf.jinja
                    │   ├── pypi.nginx.conf.jinja
                    │   ├── pypi.nginx.ratelimit.conf.jinja
                    │   ├── pypi.rsyslog.conf.jinja
                    │   └── test-pg_hba.conf
                    ├── dev-db.sls
                    ├── files
                    │   ├── dogstatsd_plugin.so
                    │   └── error.html
                    ├── log.sls
                    └── web.sls
                ├── python
                    ├── 27
                    │   ├── init.sls
                    │   └── virtualenv.sls
                    ├── 34
                    │   └── init.sls
                    ├── 35
                    │   └── init.sls
                    └── copr
                    │   ├── config
                    │       └── ewdurbin-pythons-el6.gpgkey
                    │   └── init.sls
                ├── redis
                    ├── copr
                    │   ├── config
                    │   │   └── jlaska-redis-28.gpgkey
                    │   └── init.sls
                    └── init.sls
                ├── sudoers
                    ├── config
                    │   └── salt.jinja
                    └── init.sls
                ├── supervisor
                    ├── config
                    │   ├── supervisord.conf
                    │   └── supervisord.init
                    └── init.sls
                ├── tls
                    └── init.sls
                ├── top.sls
                ├── users
                    ├── config
                    │   └── authorized_keys.jinja
                    └── init.sls
                └── warehouse
                    ├── base.sls
                    ├── config
                        ├── nginx.app.conf.jinja
                        ├── nginx.conf.jinja
                        ├── supervisor.ini.jinja
                        └── unicorn.py.template
                    └── web.sls


/.gitignore:
--------------------------------------------------------------------------------
1 | .vagrant
2 | 
3 | /provisioning/salt/roots/prod-pillar/secrets
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # pypi-salt
 2 | 
 3 | **note**
 4 | 
 5 | data in `provisioning/salt/roots/pillar` is strictly for development environments.
 6 | 
 7 | ## OSX Setup
 8 | 
 9 | - Download and Install [Virtual Box](https://www.virtualbox.org/wiki/Downloads).
10 | 
11 | - Download and Install [Vagrant](http://downloads.vagrantup.com/) version 1.3.0 or greater.
12 | 
13 | - Start some servers!
14 |   - An all in one PyPI development instance:
15 |     - `vagrant up`
16 |     - navigate to http://192.168.57.9/pypi
17 |     - to hop into the environment:
18 |       - `vagrant ssh`
19 |       - `sudo -u devpypi -i`
20 |       - `cd src`
21 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
  1 | # -*- mode: ruby -*-
  2 | # vi: set ft=ruby :
  3 | 
  4 | Vagrant.configure("2") do |config|
  5 |   config.vm.provider :virtualbox do |vb|
  6 |     vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
  7 |     vb.customize ["modifyvm", :id, "--natdnsproxy1", "on"]
  8 |   end
  9 | 
 10 |   config.vm.box_url = "https://github.com/CommanderK5/packer-centos-template/releases/download/0.6.8/vagrant-centos-6.8.box"
 11 |   config.vm.box = "centos-min"
 12 |   config.vm.provision "shell", inline: "yum -y update nss\*"
 13 | 
 14 |   # Fix for https://bugs.centos.org/view.php?id=9212
 15 |   config.vm.provision "shell", inline: "yum -y update python"
 16 | 
 17 |   config.vm.synced_folder "provisioning/salt/roots/", "/srv/"
 18 | 
 19 |   unless ENV['VAGRANT_SKIP_PYPI_DEV'] == '1'
 20 |     config.vm.define "pypi_dev" do |pypi_dev|
 21 | 
 22 |       pypi_dev.vm.hostname = "pypi-dev"
 23 |       pypi_dev.vm.network "private_network", ip: "192.168.57.9"
 24 |       pypi_dev.vm.network "private_network", ip: "172.16.57.9"
 25 | 
 26 |       pypi_dev.vm.provision :salt do |s|
 27 |         s.verbose = true
 28 |         s.minion_config = "provisioning/salt/minion/web/pypi_dev"
 29 |         s.run_highstate = true
 30 |       end
 31 |     end
 32 |   end
 33 | 
 34 |   if ENV['VAGRANT_BACKUP'] == '1'
 35 | 
 36 |     config.vm.define "backup" do |backup|
 37 |       backup.vm.network "private_network", ip: "192.168.57.201"
 38 |       backup.vm.network "private_network", ip: "172.16.57.201"
 39 | 
 40 |       backup.vm.provider :virtualbox do |vm|
 41 |         file_to_disk = '.vagrant/tmp/backup.vdi'
 42 |         vm.customize ['createhd', '--filename', file_to_disk, '--size', 10 * 1024]
 43 |         vm.customize ['storageattach', :id, '--storagectl', 'SATA Controller', '--port', 1, '--device', 0, '--type', 'hdd', '--medium', file_to_disk]
 44 |       end
 45 | 
 46 |       backup.vm.provision :salt do |s|
 47 |         s.verbose = true
 48 |         s.install_type = "git v0.17.2"
 49 |         s.minion_config = "provisioning/salt/minion/backup/server"
 50 |         s.run_highstate = true
 51 |       end
 52 |     end
 53 | 
 54 |   end
 55 | 
 56 |   if ENV['VAGRANT_MONITORING'] == '1'
 57 |     config.vm.define "monitoring_server" do |monitoring_server|
 58 | 
 59 |       monitoring_server.vm.hostname = "pypi-monitoring"
 60 |       monitoring_server.vm.network "private_network", ip: "192.168.57.200"
 61 |       monitoring_server.vm.network "private_network", ip: "172.16.57.200"
 62 | 
 63 |       monitoring_server.vm.provision :salt do |s|
 64 |         s.verbose = true
 65 |         s.install_type = "git v0.17.2"
 66 |         s.minion_config = "provisioning/salt/minion/monitoring/server"
 67 |         s.run_highstate = true
 68 |       end
 69 |     end
 70 |   end
 71 | 
 72 |   if ENV['VAGRANT_PYPI'] == '1'
 73 |     config.vm.define "pypi" do |pypi|
 74 | 
 75 |       pypi.vm.network "private_network", ip: "192.168.57.10"
 76 |       pypi.vm.network "private_network", ip: "172.16.57.10"
 77 | 
 78 |       pypi.vm.provision :salt do |s|
 79 |         s.verbose = true
 80 |         s.install_type = "git v0.17.2"
 81 |         s.minion_config = "provisioning/salt/minion/web/pypi"
 82 |         s.run_highstate = true
 83 |       end
 84 |     end
 85 | 
 86 |     config.vm.define "pypi_log" do |pypi_log|
 87 | 
 88 |       pypi_log.vm.network "private_network", ip: "192.168.57.15"
 89 |       pypi_log.vm.network "private_network", ip: "172.16.57.15"
 90 | 
 91 |       pypi_log.vm.provision :salt do |s|
 92 |         s.verbose = true
 93 |         s.install_type = "git v0.17.2"
 94 |         s.minion_config = "provisioning/salt/minion/web/pypi_log"
 95 |         s.run_highstate = true
 96 |       end
 97 |     end
 98 | 
 99 |     config.vm.define "mirror" do |mirror|
100 | 
101 |       mirror.vm.network "private_network", ip: "192.168.57.20"
102 | 
103 |       mirror.vm.provision :salt do |s|
104 |         s.verbose = true
105 |         s.install_type = "git v0.17.2"
106 |         s.minion_config = "provisioning/salt/minion/web/mirror"
107 |         s.run_highstate = true
108 |       end
109 |     end
110 |   end
111 | 
112 | end
113 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/backup/server:
--------------------------------------------------------------------------------
1 | file_client: local
2 | file_roots:
3 |   base:
4 |     - /srv/salt
5 | grains:
6 |   roles:
7 |     - backup_server
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/monitoring/server:
--------------------------------------------------------------------------------
1 | file_client: local
2 | file_roots:
3 |   base:
4 |     - /srv/salt
5 | grains:
6 |   roles:
7 |     - monitoring_server
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/web/mirror:
--------------------------------------------------------------------------------
1 | file_client: local
2 | file_roots:
3 |   base:
4 |     - /srv/salt
5 | grains:
6 |   roles:
7 |     - develop
8 |     - pypi-mirror
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/web/pypi:
--------------------------------------------------------------------------------
1 | file_client: local
2 | file_roots:
3 |   base:
4 |     - /srv/salt
5 | grains:
6 |   roles:
7 |     - pypi
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/web/pypi_dev:
--------------------------------------------------------------------------------
 1 | file_client: local
 2 | file_roots:
 3 |   base:
 4 |     - /srv/salt
 5 | grains:
 6 |   roles:
 7 |     - develop
 8 |     - pypi
 9 |   datadog_tags:
10 |     - foo:bar
11 |     - fizz:buzz
12 |     - wu
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/minion/web/pypi_log:
--------------------------------------------------------------------------------
1 | file_client: local
2 | file_roots:
3 |   base:
4 |     - /srv/salt
5 | grains:
6 |   roles:
7 |     - develop
8 |     - pypi_log
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/backup/server.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | backup-server:
 3 |   volumes:
 4 |     /dev/sdb: /backup
 5 |   backups:
 6 |     devpypi-files:
 7 |       directory: /backup/devpypi/files
 8 |       user: devpypi
 9 |       increment_retention: 10m
10 |       authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxqABhu46JE5zT68uNwpBdmqI/eYfepfA9PU8AxbGR96u5rPd8xyKJ2ZzTUgjrCKWLim4jutFgAtfCwkfjm/FrHQWNJZhZtQ1gT8a/bpIjHddjOFlELja1vFKkQsU6dsmYGTZxwByeMQl1+TWE5xmGrmqsgNnK+Twi01TCUmYs36M8OQGXle664XAapfc+4cAU4Clf3mH7xFIBJnCS12v5ES1J4pmnfBVMT85lGJMDW/vDI5Yx2A85bKOCwle1XpGsxLLfvvg7faNiCBjpj//pSEAI52tSq0hLtYSS5WJBz1tfJQPECCXVxa6LHKJB6RDT3eYyMQSugFSCrHxQ8j/F
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/monitoring/client/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | bucky:
 3 |   graphite_ip: 172.16.57.200
 4 |   graphite_port: 2002
 5 |   graphite_max_reconnects: 3
 6 |   graphite_reconnect_delay: 5
 7 | 
 8 | monitoring_client:
 9 |   collectd_host: 127.0.0.1
10 |   collectd_port: 25826
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/monitoring/server/init.sls:
--------------------------------------------------------------------------------
 1 | include:
 2 |   - secrets.monitoring:
 3 |       defaults:
 4 |         server_names:
 5 |           - '_'
 6 |         secret_key: deadbeef
 7 |       key: monitoring_secrets
 8 | 
 9 | firewall:
10 |   riemann_ports:
11 |     port: 5555:5556
12 |     source: 172.16.57.0/24
13 |   riemann_udp_ports:
14 |     port: 5556
15 |     source: 172.16.57.0/24
16 |   riemann_graphite:
17 |     port: 2002
18 |     source: 172.16.57.0/24
19 |   graphite_ports:
20 |     port: 2003:2004
21 |     source: 172.16.57.0/24
22 |   graphite_query_port:
23 |     port: 7002
24 |     source: 172.16.57.0/24
25 |   http:
26 |     port: 80
27 |   https:
28 |     port: 443
29 | 
30 | riemann:
31 |   host: 0.0.0.0
32 |   graphite_host: 0.0.0.0
33 |   graphite_port: 2002
34 |   graphite_downstream_host: 127.0.0.1
35 |   graphite_downstream_port: 2003
36 | 
37 | graphite:
38 |   allowed_hosts: '*'
39 |   sqlite3_path: /var/lib/graphite-web/graphite.db
40 |   https_only: true
41 | 
42 | carbon:
43 |   line_receiver_interface: 0.0.0.0
44 |   line_reciver_port: 2003
45 |   pickle_receiver_interface: 0.0.0.0
46 |   pickle_receiver_port: 2004
47 |   cache_query_interface: 0.0.0.0
48 |   cache_query_port: 7002
49 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/networking.sls:
--------------------------------------------------------------------------------
1 | psf_internal_network: 192.168.57.0/24
2 | pypi_internal_network: 172.16.57.0/24
3 | vpn0_internal_network: 10.8.0.0/24
4 | vpn1_internal_network: 10.9.0.0/24
5 | rackspace_iad_service_net: 10.0.0.0/8
6 | 
7 | psf_internal_vpn_gateway: 192.168.57.1
8 | pypi_internal_vpn_gateway: 172.16.57.1
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/postgresql/postgresql.sls:
--------------------------------------------------------------------------------
1 | 
2 | firewall:
3 |   postgresql:
4 |     port: 5432
5 | 
6 | 
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/pypi-deploys/pypi-dev.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | pypi-deploy-devpypi:
 3 |   name: devpypi
 4 |   user: devpypi
 5 |   group: devpypi
 6 |   user_uid: 6666
 7 |   group_gid: 6666
 8 | 
 9 |   source_uri: https://github.com/pypa/pypi-legacy.git
10 |   source_rev: master
11 | 
12 |   fastly_syslog_name: pypi-dev
13 |   path: /opt/devpypi
14 |   data_mount: /data/devpypi
15 |   data_device:
16 |     type: local
17 |     uri: None
18 | 
19 |   docs_bucket: pypi-docs
20 |   files_bucket: pypi-files
21 | 
22 |   server_names:
23 |     - 192.168.57.9
24 |   tls_port: 8999
25 |   docs_port: 8989
26 |   internal_pypi_port: 40713
27 |   internal_docs_port: 40715
28 |   url: https://192.168.57.9
29 | 
30 |   statuspage_id: 928bjjg42vzc
31 | 
32 |   rate_limit:
33 |     enable: True
34 |     zone_size: 30m
35 |     max_rate: 5r/s
36 |     burst: 10
37 |     nodelay: False
38 | 
39 |   cdn_log_archiver:
40 |     pypi_log_bucket: testpypi-cdn-logs
41 |     s3_host: objects.dreamhost.com
42 |     debug: true
43 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/pypi-mirror/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | firewall:
 3 |   http:
 4 |     port: 80
 5 |   https:
 6 |     port: 443
 7 |   pypi-mirror:
 8 |     port: 9000
 9 |   testpypi-mirror:
10 |     port: 9001
11 | 
12 | bandersnatch:
13 |   pypi:
14 |     mirror:
15 |       directory: /data/pypi-mirror
16 |       master: https://pypi.python.org
17 |       timeout: 60
18 |       workers: 20
19 |       stop-on-error: false
20 |       delete-packages: true
21 |     statistics:
22 |       access-log-pattern: /var/log/nginx/pypi-mirror/access*.log
23 |     server_names:
24 |       - 192.168.57.20
25 |       - pypi.python.org
26 |     tls_port: 9000
27 |   testpypi:
28 |     mirror:
29 |       directory: /data/testpypi-mirror
30 |       master: https://testpypi.python.org
31 |       timeout: 30
32 |       workers: 20
33 |       stop-on-error: false
34 |       delete-packages: true
35 |     statistics:
36 |       access-log-pattern: /var/log/nginx/testpypi-mirror/access*.log
37 |     server_names:
38 |       - testpypi.python.org
39 |     tls_port: 9001
40 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/pypi/log.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | firewall:
 3 |   syslog_tcp_72:
 4 |     source: 199.27.72.0/24
 5 |     port: 514
 6 |   syslog_tcp_77:
 7 |     source: 199.27.77.0/24
 8 |     port: 514
 9 |   syslog_udp_72:
10 |     source: 199.27.72.0/24
11 |     port: 514
12 |     protocol: udp
13 |   syslog_udp_77:
14 |     source: 199.27.77.0/24
15 |     port: 514
16 |     protocol: udp
17 |   redis:
18 |     source: 172.16.57.0/24
19 |     port: 6379
20 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/pypi/web.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_tags:
 3 |   - lol:wut
 4 |   - tang
 5 |   - wu
 6 | 
 7 | datadog_dogstreams:
 8 |   - /var/log/nginx/pypi/access.log:/usr/share/datadog/datadog-nginx-status-codes.py:parse
 9 | 
10 | firewall:
11 |   http:
12 |     port: 80
13 |   https:
14 |     port: 443
15 |   http_dev:
16 |     port: 8999
17 |   http_docs:
18 |     port: 8989
19 |   internal-pypi-port:
20 |     port: 40713
21 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
22 |   internal-testpypi-port:
23 |     port: 40714
24 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
25 |   internal-docs-port:
26 |     port: 40715
27 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
28 |   internal-testdocs-port:
29 |     port: 40716
30 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
31 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/salt-master/init.sls:
--------------------------------------------------------------------------------
1 | 
2 | firewall:
3 |   salt_master:
4 |     port: 4505:4506
5 |     source: 172.16.57.0/24
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/secrets/backup/pypi-dev.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | backup:
 3 |   directories:
 4 |     pypi-data:
 5 |       source_directory: /data/devpypi
 6 |       target_host: 172.16.57.201
 7 |       target_directory: /backup/devpypi/files
 8 |       target_user: devpypi
 9 |       frequency: hourly
10 |       user: devpypi
11 |       ssh_key: |
12 |         -----BEGIN RSA PRIVATE KEY-----
13 |         MIIEowIBAAKCAQEAsagAYbuOiROc0+vLjcKQXZqiP3mH3qXwPT1PAMWxkferuaz3
14 |         fMciidmc01II6wili4puI7rRYALXwsJH45vxax0FjSWYWbUNYE/Gv26SIx3XYzhZ
15 |         RC42tbxSpELFOnbJmBk2ccAcnjEJdfk1hOcZhq5qrIDZyvk8ItNUwlJmLN+jPDkB
16 |         l5XuuuFwGqX3PuHAFOApX95h+8RSASZwktdr+REtSeKZp3wVTE/OZRiTA1v7wyOW
17 |         MdgPOWyjgsJXtV6RrMSy3774O32jYggY6Y//6UhACOdrUqtIS7WEkuViQc9bXyUD
18 |         xAgl1cWuixyiQekQ093mMjEEroBUgqx8UPI/xQIDAQABAoIBACigXa374SWRuZxw
19 |         4LTDWJY/RXk0hpCw69ZlTcrEas4RkFC+sD31n/1cKVPd/7IX4RufBX7gOv80xzh/
20 |         i0cOo0+2bE2R2lwxXiS3OaEPXRXwvg+vlCJWWyaGMXPk3Qt4nLNOmLe8kg7O8fXr
21 |         joSdAKZe/oACW0viYREpuMlTZJBAFpqCq95j1t2dCA0moPQVjxhR4QAhLkT4siHv
22 |         Ed3qgYT4Vj9nTiXW6cGbz9O8WjTg9ttW0llWBpRLsChLfx8fa0yiCv5qMNGOnH0D
23 |         POf+0rAHq6ijuqqOBDeKqH/887/Tqx3mEEYjQhynIGhSOlFCp43MGegfMmwfvTVm
24 |         LzvaHoUCgYEA2YUDnUFIEjHyGFMs4AriyJaByFAb1K5jJJkcp31IJ7pmLj6WQz2O
25 |         usBosNuuK9c4Xm00848ukSOXdOLMXViyG0XK2eXbObAUt19RD5+soC7F/mTiYPPA
26 |         EOUqqgZ+VcxqII6tLIxKeS4HQpz0Zc2zncl8BPAR3eOqg9IG+GSJRR8CgYEA0RWq
27 |         Fgjcm2Dhcb1q4Ie812Htr+0zeILym3OZUxGOY1MvbNknlf0Q33uQLiou8YLkmwZF
28 |         CehDPolmwn/ahVxFhbkzSCbPjM7BNxtvwbaZaqVoNmVS9gE7fHOPhCgKijdU0L7s
29 |         IN6eJ6SzApkqf0BQ1Yqrik9OixbYUguvHxLn2psCgYBzyooFAUZjYTEV39kInuLg
30 |         krYdsv9NtVNTnSoSwu9RLrnMLkcBHljHczuHwjmyXsxD//BrIzJP0tmCQGU338pY
31 |         GEwGuIR97gzpHJVjMsXLM3r0lDGqGLeKhuOyROiltb5c/HaVO009utHklPbI5rqR
32 |         6Trayg1IyDPyHjDVs3cbUwKBgQCQnUxsOyri6WplMh9HN3tc+aXdxdGQ6/mDnbwR
33 |         4ZW7i2DFB5nCuyu9d4hs9c5MSz11ICwGQzine3+wzZ/GF+EaMdOPdxCdErA/PmHY
34 |         +UQ5qDhhT0nHT2jmlkNQpCVOHiEy1KsbvP5k6xzJkkj7hO+kE2q8mkf4Gg/7B4vT
35 |         kU7+OwKBgEfjMJIvGt2xhS3tZZgYKVlh3/gymzD0eoa4DPwVmjWnQgLVtRmV25X2
36 |         5FWJLq+ryEbJNI6Rl3LG3c/K15I8jNQpuVRgeK7ydf2U3g4pzFPOlsb5UgJEETdi
37 |         pqMI3F6ButHsMcwjZotivkf3baM1FmnjIJ4oeTFPyagaLZdRCuiT
38 |         -----END RSA PRIVATE KEY-----
39 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/secrets/monitoring.sls:
--------------------------------------------------------------------------------
1 | secret_key: foobarbaz
2 | server_names:
3 |   - 172.16.57.200
4 |   - wow.so.secret.com
5 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/secrets/pypi-dev.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_api_key: bizzfuzz
 3 | 
 4 | secrets-pypi-deploy-devpypi:
 5 |   database_url: postgresql://testpypi:testpypi@localhost/testpypi
 6 |   database_download_statistics_url: postgresql://testpypi:testpypi@localhost/testpypi
 7 |   elasticsearch:
 8 |     host: localhost
 9 |     port: 9200
10 |   postgresql:
11 |     host: 127.0.0.1
12 |     database: testpypi
13 |     user: testpypi
14 |     password: testpypi
15 |   redis:
16 |     queue_redis_url: redis://localhost:6379/0
17 |     count_redis_url: redis://localhost:6379/1
18 |     cache_redis_url: redis://localhost:6379/2
19 |   aws:
20 |     aws_access_key_id: deadbeef
21 |     aws_secret_access_key: deadbeef
22 |   webui:
23 |     cheescake_password: secret
24 |     reset_secret: secret
25 |   logging:
26 |     fromaddr: foo@bar.com
27 |     toaddrs: fiz@bar.com
28 |   sentry:
29 |     dsn: ''
30 |   fastly:
31 |     api_key: ''
32 |     service_id: ''
33 |   uwsgi:
34 |     processes: 2
35 |   smtp:
36 |     hostname: localhost
37 |     starttls: 'off'
38 |     auth: 'off'
39 |     login: None
40 |     password: None
41 |   pubkey: |
42 |     -----BEGIN PUBLIC KEY-----
43 |     publiclolnope
44 |     -----END PUBLIC KEY-----
45 |   privkey: |
46 |     -----BEGIN DSA PRIVATE KEY-----
47 |     privatelolnope
48 |     -----END DSA PRIVATE KEY-----
49 |   cdn_log_archiver:
50 |     secret_key: lmsecretao
51 |     access_key: accesslol
52 |   authomatic:
53 |     secure: 'true'
54 |     secret: randodataz
55 |   google:
56 |     client_id: deadbeef-deadbeef.googleusercontent.com
57 |     client_secret: deadbeef
58 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/sudoers/init.sls:
--------------------------------------------------------------------------------
1 | sudoer_groups:
2 |   psf-admin:
3 |     commands:
4 |       - "ALL=(ALL)       NOPASSWD: ALL"
5 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/top.sls:
--------------------------------------------------------------------------------
 1 | base:
 2 | 
 3 |   '*':
 4 |     - networking
 5 |     - users
 6 |     - sudoers
 7 |     - monitoring.client
 8 | 
 9 |   'roles:salt-master':
10 |     - match: grain
11 |     - salt-master
12 | 
13 |   'roles:pypi-mirror':
14 |     - match: grain
15 |     - pypi-mirror
16 | 
17 |   'G@roles:pypi not G@roles:develop':
18 |     - match: compound
19 |     - pypi.web
20 |     - pypi-deploys.testpypi
21 |     - secrets.testpypi
22 | 
23 |   'G@roles:pypi_log not G@roles:develop':
24 |     - match: compound
25 |     - pypi.log
26 |     - pypi-deploys.testpypi
27 |     - secrets.testpypi
28 | 
29 |   'G@roles:pypi and G@roles:develop':
30 |     - match: compound
31 |     - pypi.web
32 |     - pypi-deploys.pypi-dev
33 |     - secrets.pypi-dev
34 |     - secrets.backup.pypi-dev
35 |     - warehouse-deploys.warehouse-dev
36 | 
37 |   'G@roles:pypi_log and G@roles:develop':
38 |     - match: compound
39 |     - pypi.log
40 |     - pypi-deploys.pypi-dev
41 |     - secrets.pypi-dev
42 |     - warehouse-deploys.warehouse-dev
43 | 
44 |   'roles:monitoring_server':
45 |     - match: grain
46 |     - monitoring.server
47 | 
48 |   'roles:backup_server':
49 |     - match: grain
50 |     - backup.server
51 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/users/admin.sls:
--------------------------------------------------------------------------------
1 | users-admin:
2 |   vagrant-user:
3 |     add_group:
4 |       - psf-admin
5 |     ssh_keys:
6 |       - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/users/init.sls:
--------------------------------------------------------------------------------
1 | include:
2 |   - users.admin
3 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/warehouse-deploys/warehouse-dev.sls:
--------------------------------------------------------------------------------
 1 | warehouse-deploy-devpypi:
 2 |   name: devwarehouse
 3 |   user: devwarehouse
 4 |   group: devwarehouse
 5 |   user_uid: 7666
 6 |   group_gid: 7666
 7 |   path: /opt/devwarehouse
 8 | 
 9 |   port: 9000
10 | 
11 |   source_uri: https://github.com/pypa/warehouse.git
12 |   source_rev: werkzeug
13 | 
14 |   config:
15 |     debug: true
16 |     site:
17 |       name: Warehouse (dev)
18 |     assets:
19 |       directory: "data/static"
20 |     database:
21 |       url: "{{ salt['pillar.get']('secrets-pypi-deploy-devpypi:database_url', "postgresql://testpypi:testpypi@localhost/testpypi") }}"
22 |       download_statistics_url: "{{ salt['pillar.get']('secrets-pypi-deploy-devpypi:database_download_statistics_url', "postgresql://testpypi:testpypi@localhost/testpypi") }}"
23 |     redis:
24 |       url: "{{ salt['pillar.get']('secrets-pypi-deploy-devpypi:redis:count_redis_url', "redis://localhost:6379/1") }}"
25 |     search:
26 |       hosts:
27 |         - host: {{ salt['pillar.get']('secrets-pypi-deploy-devpypi:elasticsearch:host', "127.0.0.1") }}
28 |           port: {{ salt['pillar.get']('secrets-pypi-deploy-devpypi:elasticsearch:port', "9200") }}
29 |     paths:
30 |       documentation: "/data/devpypi/packagedocs"
31 |       packages: "/data/devpypi/packages"
32 |     urls:
33 |       documentation: "http://pythonhosted.org/"
34 |     security:
35 |       csp:
36 |         default-src:
37 |           - "'self'"
38 |         style-src:
39 |           - "'self'"
40 |           - cloud.typography.com
41 |         font-src:
42 |           - "'self'"
43 |           - "data:"
44 |     logging:
45 |       formatters:
46 |         console:
47 |           format: '[%(asctime)s %(levelname)s] %(message)s'
48 |           datefmt: '%Y-%m-%d %H:%M:%S'
49 |       handlers:
50 |         console:
51 |           class: logging.StreamHandler
52 |           formatter: console
53 |           level: DEBUG
54 |           stream: ext://sys.stdout
55 |       loggers:
56 |         warehouse:
57 |           level: DEBUG
58 |         elasticsearch:
59 |           level: DEBUG
60 |         elasticsearch.trace:
61 |           level: DEBUG
62 |       root:
63 |         level: INFO
64 |         handlers: [console]
65 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/pillar/warehouse/web.sls:
--------------------------------------------------------------------------------
1 | 
2 | firewall:
3 |   http_test:
4 |     port: 9000
5 |   http_pypi:
6 |     port: 9001
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/backup/server.sls:
--------------------------------------------------------------------------------
1 | 
2 | backup-server:
3 |   volumes:
4 |     /dev/xvdb: /backup
5 |   backups: {}
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/monitoring/client/dfw.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | bucky:
 3 |   graphite_ip: 162.242.222.99
 4 |   graphite_port: 2002
 5 |   graphite_max_reconnects: 3
 6 |   graphite_reconnect_delay: 5
 7 | 
 8 | monitoring_client:
 9 |   collectd_host: 127.0.0.1
10 |   collectd_port: 25826
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/monitoring/client/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | bucky:
 3 |   graphite_ip: 172.16.57.10
 4 |   graphite_port: 2002
 5 |   graphite_max_reconnects: 3
 6 |   graphite_reconnect_delay: 5
 7 | 
 8 | monitoring_client:
 9 |   collectd_host: 127.0.0.1
10 |   collectd_port: 25826
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/monitoring/server/init.sls:
--------------------------------------------------------------------------------
 1 | include:
 2 |   - secrets.monitoring:
 3 |       defaults:
 4 |         server_names:
 5 |           - '_'
 6 |         secret_key: deadbeef
 7 |       key: monitoring_secrets
 8 | 
 9 | datadog_tags:
10 |   - service:pypi
11 |   - role:monitoring
12 | 
13 | firewall:
14 |   riemann_ports:
15 |     port: 5555:5556
16 |     source: 172.16.57.0/24
17 |   riemann_udp_ports:
18 |     port: 5556
19 |     source: 172.16.57.0/24
20 |   riemann_graphite:
21 |     port: 2002
22 |     source: 172.16.57.0/24
23 |   graphite_ports:
24 |     port: 2003:2004
25 |     source: 172.16.57.0/24
26 |   graphite_query_port:
27 |     port: 7002
28 |     source: 172.16.57.0/24
29 |   http:
30 |     port: 80
31 |   https:
32 |     port: 443
33 |   riemann_graphite_from_backup:
34 |     port: 2002
35 |     source: 166.78.184.219
36 |   graphite_ports_from_backup:
37 |     port: 2003:2004
38 |     source: 166.78.184.219
39 |   riemann_graphite_from_ord_mirror:
40 |     port: 2002
41 |     source: 23.253.174.176
42 |   graphite_ports_from_ord_mirror:
43 |     port: 2003:2004
44 |     source: 23.253.174.176
45 | 
46 | 
47 | riemann:
48 |   host: 0.0.0.0
49 |   graphite_host: 0.0.0.0
50 |   graphite_port: 2002
51 |   graphite_downstream_host: 127.0.0.1
52 |   graphite_downstream_port: 2003
53 | 
54 | graphite:
55 |   allowed_hosts: '*'
56 |   sqlite3_path: /var/lib/graphite-web/graphite.db
57 |   https_only: true
58 | 
59 | carbon:
60 |   line_receiver_interface: 0.0.0.0
61 |   line_reciver_port: 2003
62 |   pickle_receiver_interface: 0.0.0.0
63 |   pickle_receiver_port: 2004
64 |   cache_query_interface: 0.0.0.0
65 |   cache_query_port: 7002
66 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/networking.sls:
--------------------------------------------------------------------------------
1 | psf_internal_network: 192.168.5.0/24
2 | pypi_internal_network: 172.16.57.0/24
3 | vpn0_internal_network: 10.8.0.0/24
4 | vpn1_internal_network: 10.9.0.0/24
5 | rackspace_iad_service_net: 10.0.0.0/8
6 | 
7 | psf_internal_vpn_gateway: 192.168.5.10
8 | pypi_internal_vpn_gateway: 172.16.57.17
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/postgresql/postgresql.sls:
--------------------------------------------------------------------------------
1 | 
2 | firewall:
3 |   postgresql:
4 |     source: 172.16.57.0/24
5 |     port: 5432
6 | 
7 | 
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/pypi-deploys/pypi.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | pypi-deploy-pypi:
 3 |   name: pypi
 4 |   user: pypi
 5 |   group: pypi
 6 |   user_uid: 7000
 7 |   group_gid: 7000
 8 | 
 9 |   source_uri: https://github.com/pypa/pypi-legacy.git
10 |   source_rev: production
11 | 
12 |   fastly_syslog_name: counterpypicdn
13 |   path: /opt/pypi
14 |   site_packages: False
15 |   data_mount: /data/pypi
16 |   data_device:
17 |     type: local
18 |     uri: None
19 | 
20 |   docs_bucket: pypi-docs
21 |   files_bucket: pypi-files
22 | 
23 |   server_names:
24 |     - pypi.python.org
25 |     - legacy.pypi.org
26 |     - pypi.a.ssl.fastly.net
27 |   tls_port: 9000
28 |   docs_port: 9010
29 |   internal_pypi_port: 40713
30 |   internal_docs_port: 40715
31 |   url: https://pypi.python.org
32 | 
33 |   statuspage_id: 2p66nmmycsj3
34 | 
35 |   cdn_log_archiver:
36 |     pypi_log_bucket: pypi-cdn-logs
37 |     s3_host: objects-us-west-1.dream.io
38 |     debug: false
39 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/pypi-deploys/testpypi.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | pypi-deploy-testpypi:
 3 |   name: testpypi
 4 |   user: testpypi
 5 |   group: testpypi
 6 |   user_uid: 6666
 7 |   group_gid: 6666
 8 | 
 9 |   source_uri: https://github.com/pypa/pypi-legacy.git
10 |   source_rev: master
11 | 
12 |   fastly_syslog_name: testpypicdn
13 |   path: /opt/testpypi
14 |   site_packages: False
15 |   data_mount: /data/testpypi
16 |   data_device:
17 |     type: local
18 |     uri: None
19 | 
20 |   docs_bucket: pypi-docs-staging
21 |   files_bucket: pypi-files-staging
22 | 
23 |   server_names:
24 |     - testpypi.python.org
25 |     - testpypi.a.ssl.fastly.net
26 |   tls_port: 9001
27 |   docs_port: 9011
28 |   internal_pypi_port: 40714
29 |   internal_docs_port: 40716
30 |   url: https://testpypi.python.org
31 | 
32 |   statuspage_id: 928bjjg42vzc
33 | 
34 |   rate_limit:
35 |     enable: True
36 |     zone_size: 10m
37 |     max_rate: 3r/s
38 |     burst: 6
39 |     nodelay: False
40 | 
41 |   cdn_log_archiver:
42 |     pypi_log_bucket: testpypi-cdn-logs
43 |     s3_host: objects-us-west-1.dream.io
44 |     debug: true
45 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/pypi-mirror/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_tags:
 3 |   - service:pypi
 4 |   - role:mirror
 5 | 
 6 | firewall:
 7 |   http:
 8 |     port: 80
 9 |   https:
10 |     port: 443
11 |   pypi-mirror:
12 |     port: 9000
13 |   testpypi-mirror:
14 |     port: 9001
15 | 
16 | bandersnatch:
17 |   pypi:
18 |     mirror:
19 |       directory: /data/pypi-mirror
20 |       master: https://pypi.python.org
21 |       timeout: 10
22 |       workers: 10
23 |       stop-on-error: false
24 |       delete-packages: true
25 |     statistics:
26 |       access-log-pattern: /var/log/nginx/pypi-mirror/access*.log
27 |     server_names:
28 |       - mirror0.pypi.io
29 |       - pypi.python.org
30 |     tls_port: 9000
31 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/pypi/log.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_tags:
 3 |   - service:pypi
 4 |   - role:counter
 5 | 
 6 | firewall:
 7 |   syslog_tcp_72:
 8 |     source: 199.27.72.0/24
 9 |     port: 514
10 |   syslog_tcp_77:
11 |     source: 199.27.77.0/24
12 |     port: 514
13 |   syslog_udp_72:
14 |     source: 199.27.72.0/24
15 |     port: 514
16 |     protocol: udp
17 |   syslog_udp_77:
18 |     source: 199.27.77.0/24
19 |     port: 514
20 |     protocol: udp
21 |   redis:
22 |     source: 172.16.57.0/24
23 |     port: 6379
24 |   elasticsearch:
25 |     source: 172.16.57.0/24
26 |     port: 9200
27 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/pypi/web.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_tags:
 3 |   - service:pypi
 4 |   - role:web
 5 | 
 6 | datadog_dogstreams:
 7 |   - /var/log/nginx/pypi/access.log:/usr/share/datadog/datadog-nginx-status-codes.py:parse
 8 | 
 9 | firewall:
10 |   http:
11 |     port: 80
12 |   https:
13 |     port: 443
14 |   pypi-port:
15 |     port: 9000
16 |   testpypi-port:
17 |     port: 9001
18 |   pythonhosted-port:
19 |     port: 9010
20 |   test-pythonhosted-port:
21 |     port: 9011
22 |   internal-pypi-port:
23 |     port: 40713
24 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
25 |   internal-testpypi-port:
26 |     port: 40714
27 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
28 |   internal-docs-port:
29 |     port: 40715
30 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
31 |   internal-testdocs-port:
32 |     port: 40716
33 |     src: {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }}
34 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/salt-master/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | datadog_tags:
 3 |   - service:pypi
 4 |   - role:salt-master
 5 | 
 6 | firewall:
 7 |   salt_master_pypi_internal:
 8 |     port: 4505:4506
 9 |     source: 172.16.57.0/24
10 |   salt_master_remote_backup:
11 |     port: 4505:4506
12 |     source: 166.78.184.219
13 |   salt_master_ord_mirror:
14 |     port: 4505:4506
15 |     source: 23.253.174.176
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/sudoers/init.sls:
--------------------------------------------------------------------------------
1 | sudoer_groups:
2 |   psf-admin:
3 |     commands:
4 |       - "ALL=(ALL)       NOPASSWD: ALL"
5 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/top.sls:
--------------------------------------------------------------------------------
 1 | base:
 2 | 
 3 |   '*':
 4 |     - networking
 5 |     - users
 6 |     - sudoers
 7 |     - monitoring.client
 8 |     - secrets.monitoring.datadog
 9 | 
10 |   'roles:salt-master':
11 |     - match: grain
12 |     - salt-master
13 | 
14 |   'roles:pypi-mirror':
15 |     - match: grain
16 |     - pypi-mirror
17 |     - monitoring.client.dfw
18 | 
19 |   'G@roles:pypi not G@roles:develop':
20 |     - match: compound
21 |     - pypi.web
22 |     - pypi-deploys.testpypi
23 |     - secrets.testpypi
24 |     - pypi-deploys.pypi
25 |     - secrets.pypi
26 | 
27 |   'G@roles:pypi_log not G@roles:develop':
28 |     - match: compound
29 |     - pypi.log
30 |     - pypi-deploys.testpypi
31 |     - secrets.testpypi
32 |     - pypi-deploys.pypi
33 |     - secrets.pypi
34 | 
35 |   'G@roles:warehouse not G@roles:develop':
36 |     - match: compound
37 |     - secrets.testpypi
38 |     - warehouse-deploys.testpypi
39 |     - secrets.pypi
40 |     - warehouse-deploys.pypi
41 |     - warehouse.web
42 | 
43 | 
44 |   'G@roles:pypi and G@roles:develop':
45 |     - match: compound
46 |     - pypi.web
47 |     - pypi-deploys.pypi-dev
48 |     - secrets.pypi-dev
49 | 
50 |   'G@roles:pypi_log and G@roles:develop':
51 |     - match: compound
52 |     - pypi.log
53 |     - pypi-deploys.pypi-dev
54 |     - secrets.pypi-dev
55 | 
56 |   'roles:monitoring_server':
57 |     - match: grain
58 |     - monitoring.server
59 | 
60 |   'roles:backup_server':
61 |     - match: grain
62 |     - backup.server
63 |     - monitoring.client.dfw
64 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/users/admin.sls:
--------------------------------------------------------------------------------
 1 | users-admin:
 2 |   ernestd:
 3 |     add_group:
 4 |       - psf-admin
 5 |     ssh_keys:
 6 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZOuPNmBeKubAvLrnZlVGzp49Duw/qn8cq4IsOmxKsiVtiTDdLLKr6YBA67CPu/QrVEZYMU/N7RpNOKRfqueYdw8aNB+KgGOy8B/OIiX2obi854q0B81NaYTxdjUmuo67q9gNcdrEv6GmJJzBFqx//d4Nl4F4pcQLFTmxfZg3MDB1zyo2qP8ZpW5jttNty7LpvFlReSHEB/87o7wlNrhnrwSg68NykC2x/DzPv5ZOY5ccW4YiatjS5R2P7MDWv+aabbzZD4G0r3ElaXyW4fRV4KWuyh0ow/5djG0ZIWQSSuqqsnxcmRiV67IV28X6c2uw2zoFO5LLYly8UKMC6OLuFJlrmUPuzXvEeB/AcudgPPFxaip0aSzhowih7Ij0i+rVgma535q6pPqSkPCAcOLpmSi0yk23V9Mr38zg2d33poqV+bFbtSOE3a2gA52rDj4+YMcHQZqxZrgUv0KrSuKwcEm5WyBSOYI1VUoGCxiF27HY+9NaTqfMSHF0AJIVGHsv31uAWa4wqynQVrbZfH4wxlC6yC447HKjizp2LIoZx16LqSHMFfCGQBI4trZPGwZb+OBq2rhFY0GxgQaowrIK0E+VgTiDjcq6VtraglEHJsysK7jj4NiEWiIFVEv0WNW5e2DKVQKZ9BrN7sILcVp+g9VUSRirAZTXzheHLb6+8Hw== ewd3yubikey2018
 7 |   dstufft:
 8 |     add_group:
 9 |       - psf-admin
10 |     ssh_keys:
11 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5md5DAPib7J+uGHanzgQOJ9GwGYAi7RLbG+rB/0NRk8UbUnwzn0JwkqNTXzeomUapO5Z3cOxQ98jzb0k03hGOzhzjIQpaKI1uKxPPquDevf/PwM5ZQaJzlx/8ah76GzJtEQpIIIbw/fofzywv9pZKTBCDL3wBHB94oByQjr0BG9CfjbMZq6FXcBKfo89L56nLQ8cdvxg2tjNJQElva5gL/xnqjpowtQYjA9MPKFmDwJPcrRF2AstBg5Zpkg+8K4JhJltucXTPEva97alK9prshGFY6XLtVD0mtgbwpHFXjFm7cIQYr8XG3pJdtWki0fLg0o3W1YBukQ+reDblT8SnFaDscgF1gStTra5zXfVF5OJaaRFE8zaYuwC01DQT9sN9G4fV4eK8HRbgpObCJcxnCyTs/SYGVhO1PpOiQYmyswGUlV4vU8G3gl3u0D+gkcpHRkdko0HlFbNUt1wKIZWcGLJcKkNWMKGSf1TaciU+6+2A4QVDxtdab8HdjnbuugX9/FckqjZypaUOwl8U4fYc4JbdUQ78PvcQrSQvhRPZB+1KSvm8rwRuBnFWiNlYmThLhGmKDBXegNF8eFRe4dApzv2DyshasHs4tNv46YIox6FdFEw0voRNPqhbTCF3XIdOQvxkHeZRyGGWv4WCTImM5+3GhXrbOQUtB9NjfM7rhQ== donald@stufft.io
12 |   benjaminws:
13 |     add_group:
14 |       - psf-admin
15 |     ssh_keys:
16 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1BJUpRtzq1fCntjuNm4YeIDcefBFbkjzFCvN7Zot4UVWpExWqOLJynRYmaAUAFnJNQd5QuXsBIEmC9ySPV0gs+ueX9yg+RLieXcPoym2fMQ7UgmkaJloYgLnWJM3apG0UnGEDRO6Bz4cm+PC5NPfuZlOdYeOmNVKZoOe3via2RABec+hsWRdr2mD7OVL4PUR3AL3IPa9r8WlLhIBG53MkiVU2su8RVnEEyHmc61YQL8sFnI2zt6aSNiFuHvo6sHL3cMsP9XNArOtONZCc3NPvzN9Lh9jCk+JEe47ox/17CxMCOVhn3B9nRh2oGXydYf6LWH2wkhQ5y07dIjULKi9T benjaminws@macbuntu
17 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcY/+b32IynLZhF/fjBfGjUjGlS1XCaMYKNxPZNekBv0hWteBh185k3A1yAZWRWAgLsvpHpe5Srs3Wxoz+NF51UWHMYVtpPzXEmpcjsqOe96rKrixFSlrYt89iHklW4FdAV3oJbbQpvXb8c6eFD6dantzmHj8FFRg+f5Bb+lsGhLIzxDcjcKJbySGLHHS+SgQvaXMFd1XE+Gs/SXgQxpbWV347BdOETJplA96jVB74bxoIP+GuCImO34VCu4eG+klnhMeY2MscYgmBa3ePjD86qef0StBu9zzruR5s+y4cYQK8h5Xm2+sC6RdZbZaSeQL+yfYXhPhfvEv4v5WT/QDb bsmith@bsmith-laptop
18 |   coderanger:
19 |     add_group:
20 |       - psf-admin
21 |     ssh_keys:
22 |       - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvV0vQo3OpzqDFDBHW5o5abdbNJNNg9YkiawTpSnOusB+E9Hp2Pae1jT3r+7ZUqIIutXuNOPOefIy6oR0YuZhL6d9uhRIl9LMTB0XXzj5aW5ZbbGO6nsaERQUU3ALYzrwxgX8kLvCcAQmrVhhRH88Zqo4lkRkxXpN1LdPANh9qa0= coderanger@alfred
23 |   richard:
24 |     add_group:
25 |       - psf-admin
26 |     ssh_keys:
27 |       - ssh-dss AAAAB3NzaC1kc3MAAACBAOBHkGxDowSpIqTioMKmYP8Vu0AXvcLZTsDETOWM4ak6LM8mxjgLWaZ3JoOES+tBJL26ygvugRzZNVfbM5xeN3s8OoYLnsXwJPn3FX9viQ5MSHX2fD9nu6MCNuxWjvhezMHHTWF/Hdop2uFxwizlnectGIwtGwj0s6wue7TZcsxFAAAAFQClEEy3n0dYb0JSHtWH1LA2PgY1LQAAAIAiG1xyHajn9/fRXRvflSltwG0RmIwf1e1Hmw9Fno3SUdWmPvLRWAc7uUSxXiifCRDlvfzhERMw07ra1hTye1GjPMxG144ooF1peCEEIsLBvv9LbsP+9+byR/yHg7TOeNjYpbEZLdaY/EG4T94cLp/y939MPI/+JZV5s1p69+UKPwAAAIEAhbOSvfz4ge03In/asws0YkS1VMranFGCAUKXqckVcEPbCMYxHAA3aEWLvNSXXWgSHl1zcvntfE1spZyHYpfC0Iif+0HE+zOF4TTsybbVHMqsyCd21U7H86CGWo0B5CdG9/zYcgfRx+++fltfr8jSRwGHz8WE1e36K2rEK+MD7ZI= richard@localhost
28 |       - ssh-dss AAAAB3NzaC1kc3MAAACBAO/XIk/r+XOXy3w9+kDPtcoPa+pgtWtKAWVfQtTxBGzrGe9HEHZgvTaoBV0EPkT6WxhycS2SZoOWAG/yYtn7z9BMUrXVITSKXxjkZhQ5KIPLDhJ7GzRKHpRUVQOinIDJLo6AhcVd9LH3fsp3j7pDgTMylmqcTfaCjKTTCZVwo14XAAAAFQCBOydEbfYGOJXWIR8k0SbRJbL57QAAAIEAr3Mez9ACqpM/xraoEofQPZy+gSKq27fj3UuqKd3q9Xp5B21+8j8TU7u0GqpRIVdTGXEV2TJ+KRgAlxyTZKCheSfDRklOa7V3Iu+GZYFRxU2J5sVJ2hmLZX6JIZodBHJsCIZkZtV4/Qv+XBIkvYeFXUktTOlJLGn8dLrbp5/OYesAAACBAMxwv3wmJwabwnIvaFwR0trgSJ36lBOZjRqtxKGK2d2rp7JgGkUsXBbyefvn1H7uvJhT/gsQHLPGbPPt2HkJeQvTgXMhoEZgxDJSeMJeNEKoDVriX0/RO2ttWqXAnsZqD72tP2yIJnPYBB6b7vCKI0GUDO2Y2ADVdEMxNnRytXWc richard@ximinez.python.org
29 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIhQoc4+cQys7cZdhdzxCYjMN4sm3FKZNOwibX/4nN5ld0xWPVZ0TNByBzZAD8IEHWhyqKCLXNMhzsSoTXuRAD67ayEOEL4YjpNzOarcbdDQcCMN4RwvegK4ToHMCUaPjM/KT2Kg+GfhUdf5AtniqI2NeGOzUYiL3f0AnxCA6E9lcqpG4Vp2Tswtov474w4+Yq4oZmn1vWFq5i91OFr37HeuVwIuSY4FTL0XXGfAoL1n+Ge5vTp5vNv/nqINrykT1raWimhboFGOVg0nn26lAnFZFsCzUv7p/K9oORIb8aTGwDJzSOuEJ+PB4Z9/nC+2zUeRJqpxRKLWgIM5eH33bv rjones@mhs
30 |   benjamin:
31 |     add_group:
32 |       - psf-admin
33 |     ssh_keys:
34 |       - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubCE0Iou9q1duI1FEDPCRMPBrT8+9X5iFOz5L/acwKa1BjzmCF2N91z4sox+H8VxN9kVkYcaizEm/4x91UDWo4oTjo+UOTHuoInrTAMYgq2EskSt1YA64PaPQ8xx0WuK+5LWvyPi0RTTXEtinriy0XCoGtXl/fDaYNjtB8V7JIqTqqyO0rAZExYBRbQed6ZpLeO8vGwc4cN/9xMmkbAoB0G4NekuGBCvvioBO5d2/MO93YdjRh/PzYNQSqycC7X6o7C4PoYy39aFc4fbDubl937MlG44R/8BAI9dKXsQu8hLqAm7XZcTdwR5kVAndXuwmzERznSZKldZmtyw9AvDWw== Benjamin Peterson
35 |   apollo13:
36 |     add_group:
37 |       - psf-admin
38 |     ssh_keys:
39 |       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrtvKWmfzYa6o6dsk6iFDGeMaMnSDKNn9Bj9PedVTSzjhrg1j8wAnFdbgwFRo9atyiqmZcTbAlDyiyJjfRV3ajmfsCQbWljK49TfMzLH2MVl7/1Uze5z4cuJNaeIUTR18Uu49S4D6ChEW3Oqt2UyDA5iZgtd/MDrtUSLXyZ4N4h3C1wwKR03YkJO8eBPKIV149FLUL9yYakuOKX4pAiflIsz7sm1Qyij4hFY5vNo3qlMzgErhNPQwV/Hl6vP/TcXWfkhatusw2AUEIzqXGMQqtGu92kGPbRwd1vVtWoiqe+BFEDCDuGPohSWIOwAN6FoAwD9zylElQ9yKiNsoF2NMx7OhpOFA4qDKVGkES6QoakKJrwI0NyD97xefZYP5D8y3CWtobDrVaeYpj0gtqzJTHVkvWKtFlm0AZ44ELecW1a18jHCIT/fkHsbkivfn5pPSsHyKzR49IskvgJKQApy/JUV4qr9smzUHrpEThZyYh41/yzZnz/a5fqFhoE7ioPfzVeiPzYguiMz9WVV0FC9ByVJMI3P3UTpaRgXhIv2hxsmjs3opuYKrjrG7UC+Jh7XStgms8ZLWkGcqXE2chtCnqzDT1YbJHJgfZyfY9xMN9askT5pYLSPRYqdz9oMErBHCM/u61/1GUqtFBWVnqtV44+TPmgGUoQoXrCLDRcqegcQ== florian@apollo13
40 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/users/init.sls:
--------------------------------------------------------------------------------
1 | include:
2 |   - users.admin
3 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/warehouse-deploys/pypi.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | warehouse-deploy-pypi:
 3 |   name: warehouse-pypi
 4 |   user: warehouse-pypi
 5 |   group: warehouse-pypi
 6 |   user_uid: 7000
 7 |   group_gid: 7000
 8 |   path: /opt/warehouse-pypi
 9 | 
10 |   port: 9001
11 | 
12 |   secrets_key: secrets-warehouse-pypi
13 | 
14 |   source_uri: https://github.com/pypa/warehouse.git
15 |   source_rev: werkzeug
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/warehouse-deploys/testpypi.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | warehouse-deploy-testpypi:
 3 |   name: warehouse-testpypi
 4 |   user: warehouse-testpypi
 5 |   group: warehouse-testpypi
 6 |   user_uid: 6666
 7 |   group_gid: 6666
 8 |   path: /opt/warehouse-testpypi
 9 | 
10 |   port: 9000
11 | 
12 |   secrets_key: secrets-warehouse-testpypi
13 | 
14 |   source_uri: https://github.com/pypa/warehouse.git
15 |   source_rev: werkzeug
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/prod-pillar/warehouse/web.sls:
--------------------------------------------------------------------------------
1 | 
2 | firewall:
3 |   http_test:
4 |     port: 9000
5 |   http_pypi:
6 |     port: 9001
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/_grains/xenstore_datadog_tags.py:
--------------------------------------------------------------------------------
 1 | import salt.utils
 2 | import salt.modules.cmdmod
 3 | 
 4 | __salt__ = {
 5 |     'cmd.run_all': salt.modules.cmdmod._run_all_quiet,
 6 | }
 7 | 
 8 | KEYS = {
 9 |     'provider_hostname': 'vm-data/hostname',
10 |     'provider': 'vm-data/provider_data/provider',
11 |     'region': 'vm-data/provider_data/region',
12 | }
13 | 
14 | def xenstore():
15 |     data = dict()
16 |     cmd = salt.utils.which('xenstore-read')
17 |     if not cmd:
18 |         return data
19 |     try:
20 |         command = '{0} domid'.format(cmd)
21 |         ret = __salt__['cmd.run_all'](command)
22 |         domid = ret['stdout'].rstrip()
23 |     except Exception as e:
24 |         return data
25 | 
26 |     found = {}
27 |     for key, xkey in KEYS.iteritems():
28 |         try:
29 |             command = '{0} /local/domain/{1}/{2}'.format(cmd, domid, xkey)
30 |             ret = __salt__['cmd.run_all'](command)
31 |             if ret and ret['retcode'] == 0:
32 |                 found[key] = ret['stdout']
33 |         except Exception:
34 |             pass
35 |     data['datadog_tags_from_metadata'] = ['%s:%s' % (k, v) for k, v in found.items()]
36 |     return data
37 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/_modules/ip_picker.py:
--------------------------------------------------------------------------------
 1 | import salt
 2 | from salt.utils.network import in_subnet
 3 | import socket
 4 | import struct
 5 | 
 6 | 
 7 | def __virtual__():
 8 |     '''
 9 |     Only work on POSIX-like systems
10 |     '''
11 |     # Disable on Windows, a specific file module exists:
12 |     if salt.utils.is_windows():
13 |         return False
14 | 
15 |     return True
16 | 
17 | def ip_addrs(interface=None, include_loopback=False, cidr=None):
18 |     '''
19 |     Returns a list of IPv4 addresses assigned to the host. 127.0.0.1 is
20 |     ignored, unless 'include_loopback=True' is indicated. If 'interface' is
21 |     provided, then only IP addresses from that interface will be returned.
22 |     Providing a CIDR via 'cidr="10.0.0.0/8"' will return only the addresses
23 |     which are within that subnet.
24 | 
25 |     CLI Example:
26 | 
27 |     .. code-block:: bash
28 | 
29 |         salt '*' network.ip_addrs
30 |     '''
31 |     addrs = salt.utils.network.ip_addrs(interface=interface,
32 |                                         include_loopback=include_loopback)
33 |     if cidr:
34 |         return sorted([i for i in addrs if in_subnet(cidr, [i])],
35 |                       key=lambda item: socket.inet_aton(item))
36 |     else:
37 |         return addrs
38 | 
39 | def interfaces_for_cidr(cidr='0.0.0.0/0'):
40 |     '''
41 |     Return a dictionary of information about all the interfaces on the minion
42 |     which have an address in the givin CIDR.
43 | 
44 |     CLI Example:
45 | 
46 |     .. code-block:: bash
47 | 
48 |         salt '*' network.interfaces_for_cidr cidr="192.168.1.1/24"
49 |     '''
50 |     interfaces = salt.utils.network.interfaces()
51 |     matched = []
52 |     for interface, data in interfaces.iteritems():
53 |         for net in data.get('inet'):
54 |             if salt.utils.network.in_subnet(cidr, [net['address']]):
55 |                 matched.append(interface)
56 |     return list(set(matched))
57 | 
58 | 
59 | def subnet_mask_for_cidr(cidr="0.0.0.0/0"):
60 |     """
61 |     Returns the ip address and subnet mask for a given CIDR.
62 |     """
63 |     ip, cidr_mask = cidr.split("/")
64 |     subnet_mask = socket.inet_ntoa(
65 |         struct.pack(">I", (0xffffffff << (32 - int(cidr_mask))) & 0xffffffff)
66 |     )
67 |     return {"address": ip, "subnet": subnet_mask}
68 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/auto-security/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | security_yum_extensions:
 3 |   pkg.installed:
 4 |     - pkgs:
 5 |       - yum-plugin-security
 6 |       - yum-cron
 7 | 
 8 | yum_cron_security_only:
 9 |   file.replace:
10 |     - name: /etc/sysconfig/yum-cron
11 |     - path: /etc/sysconfig/yum-cron
12 |     - pattern: '^YUM_PARAMETER=$'
13 |     - repl: 'YUM_PARAMETER="--security"'
14 |     - require:
15 |       - pkg: security_yum_extensions
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/base.sls:
--------------------------------------------------------------------------------
1 | 
2 | rdiff-backup:
3 |   pkg.installed
4 | 
5 | rsync:
6 |   pkg.installed
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/client/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | Format for pillar data:
 3 | 
 4 |     # Root Key, enables the state
 5 |     backup:
 6 |       # Dictionary of directories to backup
 7 |       directories:
 8 |         # A backup configuration
 9 |         postgres-archives:
10 |           # Frequency of backup, currently {hourly, daily} are supported
11 |           frequency: hourly
12 |           # User to run backup as
13 |           user: devpypi
14 |           # Source Directory to backup
15 |           source_directory: /var/lib/pgsql/9.3/backup/archives
16 |           # Target backup server
17 |           target_host: 172.16.57.201
18 |           # Target directory on backup server
19 |           target_directory: /backup/postgres/archives
20 |           # Target user on backup server
21 |           target_user: devpypi
22 |           # SSH Private Key for backup server access as target_user
23 |           ssh_key: |
24 |             -----BEGIN RSA PRIVATE KEY-----
25 |             MIIEowIBAAKCAQEAsagAYbuOiROc0+vLjcKQXZqiP3mH3qXwPT1PAMWxkferuaz3
26 |             ...
27 |             pqMI3F6ButHsMcwjZotivkf3baM1FmnjIJ4oeTFPyagaLZdRCuiT
28 |             -----END RSA PRIVATE KEY-----
29 |         # Backup example with pre/post/cleanup scripts
30 |         postgres-base:
31 |           frequency: daily
32 |           user: postgres
33 |           source_directory: /var/lib/pgsql/9.3/backups/base
34 |           target_host: 172.16.57.201
35 |           target_directory: /backup/postgres/base
36 |           target_user: postgres
37 |           # Script to run before rdiff-backup command
38 |           pre_script: 'pg_basebackup -D /var/lib/pgsql/9.3/backups/base/$(date --iso-8601=seconds)'
39 |           # Script to run after rdiff-backup command
40 |           post_script: '/usr/local/backup/postgres-archives/scripts/backup.bash'
41 |           # Cleanup script to remove old backups
42 |           cleanup_script: 'find /var/lib/pgsql/9.3/backups/base -maxdepth 1 -type d -mtime +7 -execdir rm -rf {} \;'
43 |           ssh_key: |
44 |             -----BEGIN RSA PRIVATE KEY-----
45 |             MIIEowIBAAKCAQEAsagAYbuOiROc0+vLjcKQXZqiP3mH3qXwPT1PAMWxkferuaz3
46 |             ...
47 |             pqMI3F6ButHsMcwjZotivkf3baM1FmnjIJ4oeTFPyagaLZdRCuiT
48 |             -----END RSA PRIVATE KEY-----
49 | 
50 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/client/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - backup.base
 4 | 
 5 | /etc/backup:
 6 |   file.directory:
 7 |     - user: root
 8 |     - group: root
 9 |     - mode: 755
10 | 
11 | /etc/backup/.ssh:
12 |   file.directory:
13 |     - user: root
14 |     - group: root
15 |     - mode: 755
16 | 
17 | {% for backup, config in salt['pillar.get']('backup:directories', {}).iteritems() %}
18 | 
19 | {{ backup }}-ssh-key:
20 |   file.managed:
21 |     - name: /etc/backup/.ssh/id_rsa_{{ backup }}
22 |     - contents_pillar: backup:directories:{{ backup }}:ssh_key
23 |     - user: {{ config['user'] }}
24 |     - mode: 600
25 | 
26 | {{ backup }}-script-dir:
27 |   file.directory:
28 |     - name: /usr/local/backup/{{ backup }}/scripts
29 |     - makedirs: True
30 | 
31 | {{ backup }}-script:
32 |   file.managed:
33 |     - name: /usr/local/backup/{{ backup }}/scripts/backup.bash
34 |     - user: {{ config['user'] }}
35 |     - mode: 500
36 |     - source: salt://backup/client/templates/backup.bash.jinja
37 |     - template: jinja
38 |     - context:
39 |       pre_script: '{{ config.get('pre_script', ":") }}'
40 |       remote_command: '/usr/bin/rdiff-backup --no-eas --remote-schema "ssh -i /etc/backup/.ssh/id_rsa_{{ backup }} -C %s rdiff-backup --server" {{ config['source_directory'] }} {{ config['target_user'] }}@{{ config['target_host'] }}::{{ config['target_directory'] }}'
41 |       post_script: '{{ config.get('post_script', ":") }}'
42 |       cleanup_script: '{{ config.get('cleanup_script', ":") }}'
43 | 
44 | {{ backup }}-cron:
45 |   file.managed:
46 |     - name: /etc/cron.d/{{ backup }}-backup
47 |     - template: jinja
48 |     - source: salt://backup/client/templates/cron.jinja
49 |     - context:
50 |       job_frequency: {{ config['frequency'] }}
51 |       job_user: {{ config['user'] }}
52 |       job_command: /usr/local/backup/{{ backup }}/scripts/backup.bash
53 | 
54 | {% endfor %}
55 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/client/templates/backup.bash.jinja:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | exec 200<$0
 4 | flock -n 200 || exit 1
 5 | 
 6 | {{ pre_script }}
 7 | {{ remote_command }}
 8 | {{ post_script }}
 9 | 
10 | {{ cleanup_script }}
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/client/templates/cron.jinja:
--------------------------------------------------------------------------------
1 | {% if job_frequency == 'hourly' %}
2 | {% set cron = '0 * * * *' %}
3 | {% elif job_frequency == 'daily' %}
4 | {% set cron = '0 0 * * *' %}
5 | {% else %}
6 | {% set cron = '0 * * * *' %}
7 | {% endif %}
8 | {{ cron }} {{ job_user }} {{ job_command }}
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/server/README.md:
--------------------------------------------------------------------------------
 1 | Format for pillar data:
 2 | 
 3 |     # Root Key, enables the state
 4 |     backup-server:
 5 |       # Volumes to format and mount
 6 |       volumes:
 7 |         # device  mount point
 8 |         /dev/sdb: /backup
 9 |       # Dictionary of directories for backup clients
10 |       directories:
11 |         # Directory for backup client
12 |         /backup/postgres/archives:
13 |           # Retention Period for backup increments (see rdiff-backup --remove-older-than)
14 |           increment_retention: 10d
15 |           # User the client can access the backup server as
16 |           user: postgres
17 |           # Authorized Key for client access
18 |           authorized_key: ssh-rsa AAAAB3NzaC1y.. ...CXVxa6LHKJB6RDT3eYyMQSugFSCrHxQ8j/F
19 | 
20 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/server/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - backup.base
 4 | 
 5 | {% for volume, mount in salt['pillar.get']('backup-server:volumes').iteritems() %}
 6 | {{ volume }}-mkfs:
 7 |   cmd.run:
 8 |     - name: 'yes y | mkfs.ext4 {{ volume }}'
 9 |     - unless: 'file -s {{ volume }} | grep ext4'
10 | 
11 | {{ mount }}:
12 |   mount.mounted:
13 |     - device: {{ volume }}
14 |     - fstype: ext4
15 |     - mkmnt: True
16 |     - opts:
17 |       - defaults
18 | {% endfor %}
19 | 
20 | {% for backup, config in salt['pillar.get']('backup-server:backups').iteritems() %}
21 | 
22 | {{ backup }}-user:
23 |   user.present:
24 |     - name: {{ config['user'] }}
25 | 
26 | {{ backup }}-ssh:
27 |   ssh_auth:
28 |     - present
29 |     - user: {{ config['user'] }}
30 |     - names:
31 |       - {{ config['authorized_key'] }}
32 |     - options:
33 |       - command="rdiff-backup --server"
34 |       - no-pty
35 |       - no-port-forwarding
36 |       - no-agent-forwarding
37 |       - no-X11-forwarding
38 |     - require:
39 |       - user: {{ config['user'] }}
40 | 
41 | {{ backup }}:
42 |   file.directory:
43 |     - name: {{ config['directory'] }}
44 |     - user: {{ config['user'] }}
45 |     - makedirs: True
46 |     - require:
47 |       - user: {{ config['user'] }}
48 | 
49 | {{ backup }}-increment-cleanup:
50 |   file.managed:
51 |     - name: /etc/cron.d/{{ backup }}-backup-cleanup
52 |     - user: root
53 |     - group: root
54 |     - template: jinja
55 |     - source: salt://backup/server/templates/cron.jinja
56 |     - context:
57 |       cron: '0 3 * * *'
58 |       job_user: root
59 |       job_command: 'rdiff-backup --force --remove-older-than {{ config['increment_retention'] }} {{ config['directory'] }}'
60 | 
61 | {% endfor %}
62 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/backup/server/templates/cron.jinja:
--------------------------------------------------------------------------------
1 | {{ cron }} {{ job_user }} {{ job_command }}
2 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/base/auto-highstate.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | 15m-interval-highstate:
 3 |   cron.present:
 4 |     - name: salt-call state.highstate >> /var/log/salt/cron-highstate.log 2>&1
 5 |     - minute: '*/15'
 6 | 
 7 | /etc/logrotate.d/salt:
 8 |   file.managed:
 9 |     - source: salt://base/config/salt-logrotate.conf
10 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/base/config/salt-logrotate.conf:
--------------------------------------------------------------------------------
1 | /var/log/salt/* {
2 |     daily
3 |     rotate 7
4 |     missingok
5 |     notifempty
6 |     compress
7 |     delaycompress
8 | }
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/base/sanity.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | niceties:
 3 |   pkg.installed:
 4 |     - pkgs:
 5 |       - htop
 6 |       - tmux
 7 |       - tree
 8 |       - bash-completion
 9 |       - vim-enhanced
10 | 
11 | time-sync:
12 |   pkg.installed:
13 |     - pkgs:
14 |       - ntp
15 |       - ntpdate
16 | 
17 | ntpd:
18 |   service:
19 |     - running
20 |     - enable: True 
21 | 
22 | /etc/profile.d/yum.sh:
23 |   file.absent
24 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/datadog/config/RPM-GPG-KEY-DATADOG:
--------------------------------------------------------------------------------
 1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
 2 | Version: GnuPG v1
 3 | 
 4 | mQGiBFXdFPYRBAD5s5lh5teo4g84NEFWhb7HuVpuaZVRhIiYkrxM2vh8yEXJPP5f
 5 | Ay9W2wYaO4eJpOiS1zm9lQ9iEwsSufJtkzhgeL9FWVt2pNa3Ev/8h7I25TVOOww5
 6 | K+Jb/n276cAly2dEOafifwow1MrBWQ2hkCmQOGVxSMth95+hTPdcsInEKwCg+tFp
 7 | diYlo5ROP0qTE1WfLILkwpsD/0WWrN5PjO2wk00Ze7DrEhwpUcJOk3UeVeNZft1O
 8 | cUXGwHyKLe8rSHWjyUjL70msSYdBVFIhT0D/edZ8+Stusu1Wg+eOz76cRD+3L7bk
 9 | SkkRKhjvykRiK1p5mg4O5/KGhMRS6oVTyoRJCxJx/rEnEKoV/lTgiNBRXSOJZYJo
10 | QnEYBACjTp0gVzoppS4HAzo/LydDZVHS8bQLAlgMvvc8gvHvbvp2LLGVzgkOQhc9
11 | zrE4IpdonMJcuT+Y494qgO4R9Erxo+rMIblEyk5TXlNSrKnJZ7hGULJXmUjtIGon
12 | dt5GWYDyw7wEf3U3GyxrO+fT2yLY441oJaAT+AIQf85XH/v7C7QoRGF0YWRvZyBQ
13 | YWNrYWdlcyA8cGFja2FnZUBkYXRhZG9naHEuY29tPohiBBMRAgAiBQJV3RT2AhsD
14 | BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAGm1b1QXKiMJemAKDc8pVqUQZi
15 | bJ42iSumpysXd4RhfQCdHnf39vCylNbLT8wcLL3rFUOJtVu5AQ0EVd0U9hAEAJbK
16 | uVM2j4i+in3azrkjeE0JbHImWkj0i9nGt2U+ivkTKYvUS8Z7NvOLvkfp41HzeC1c
17 | yQ+6MuhJQsvazGwBTNcq08XKpnVc7UwsZ0G3e+faGCKmhnFIMiYFtzcOkdim2UPu
18 | 1JztJaz+BMVY0jRAaT5icLtAK1HGLmTUsq1VHEnLAAMFA/9BmhW80bFjm0u/F+xE
19 | knXZZ4AG4ajzPBcodzbRRnKnDh2e97XvE5euiQUz0kLolRk5gQHWCybRQo5BR1Hv
20 | teerNmsopW9k8s0dFA3FUidiwsePb+UUwEeTzmqNjWFJ72ktXkaHBmDR+rhrrSmv
21 | bIsP1/Y0wO6jhtNPUzS7gAmKdIhJBBgRAgAJBQJV3RT2AhsMAAoJEAabVvVBcqIw
22 | jV4AoLxp7gWBrU+FARqEuajGuz4ZDRwcAKDANItJowyw3QXAizU2m7jiyJgkzw==
23 | =rswC
24 | -----END PGP PUBLIC KEY BLOCK-----
25 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/datadog/files/datadog-nginx-status-codes.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Lifted from https://gist.github.com/technovangelist/6090e4a66bc60b99c566
 3 | """
 4 | 
 5 | from datetime import datetime
 6 | import time
 7 | import re
 8 | 
 9 | METRIC_TYPES = {
10 |     '5': 'nginx.net.5xx_status',
11 |     '4': 'nginx.net.4xx_status',
12 |     '3': 'nginx.net.3xx_status',
13 |     '2': 'nginx.net.2xx_status',
14 |     '1': 'nginx.net.1xx_status'
15 | }
16 | 
17 | def parse(log, line):
18 |     if len(line) == 0:
19 |         log.info("Skipping empty line")
20 |         return None
21 |     timestamp = getTimestamp(line)
22 |     status = line.split()[8]
23 |     objToReturn = []
24 |     try:
25 |         objToReturn.append((METRIC_TYPES[status[0]], timestamp, 1, {'metric_type': 'counter'}))
26 |     except KeyError:
27 |         pass
28 |     return objToReturn
29 | 
30 | def getTimestamp(line):
31 |     line_parts = line.split()
32 |     dt = line_parts[3]
33 |     date = datetime.strptime(dt, "[%d/%b/%Y:%H:%M:%S")
34 |     date = time.mktime(date.timetuple())
35 |     return date
36 | 
37 | if __name__ == "__main__":
38 |     import sys
39 |     import pprint
40 |     import logging
41 |     logging.basicConfig()
42 |     log = logging.getLogger()
43 |     lines = open(sys.argv[1]).readlines()
44 |     pprint.pprint([parse(log, line) for line in lines])
45 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/datadog/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | /etc/pki/rpm-gpg/RPM-GPG-KEY-DATADOG:
 3 |   file.managed:
 4 |     - source: salt://datadog/config/RPM-GPG-KEY-DATADOG
 5 |     - user: root
 6 |     - group: root
 7 |     - mode: 444
 8 | 
 9 | datadog_repo:
10 |   pkgrepo.managed:
11 |     - humanname: Datadog, Inc.
12 |     - baseurl: https://yum.datadoghq.com/rpm/$basearch/
13 |     - gpgcheck: 1
14 |     - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-DATADOG
15 |     - require:
16 |       - file: /etc/pki/rpm-gpg/RPM-GPG-KEY-DATADOG
17 | 
18 | {% set in_datadog_tags = pillar.get('datadog_tags', []) + grains.get('datadog_tags', []) + grains.get('datadog_tags_from_metadata', []) %}
19 | {% set datadog_tags = [] %}
20 | {% for tag in in_datadog_tags if tag not in datadog_tags %}
21 |   {% do datadog_tags.append(tag) %}
22 | {% endfor %}
23 | 
24 | {% set dogstreams = pillar.get('datadog_dogstreams') %}
25 | 
26 | /usr/share/datadog:
27 |   file.recurse:
28 |     - source: salt://datadog/files
29 | 
30 | {% if 'datadog_api_key' in pillar %}
31 | datadog-agent:
32 |   pkg:
33 |     - installed
34 |     - require:
35 |       - pkgrepo: datadog_repo
36 |   service:
37 |     - running
38 |     - enable: True
39 |     - require:
40 |       - ini: /etc/dd-agent/datadog.conf
41 |       - pkg: datadog-agent
42 |     - watch:
43 |       - ini: /etc/dd-agent/datadog.conf
44 | 
45 | /etc/dd-agent/datadog.conf:
46 |   file.managed:
47 |     - user: root
48 |     - group: root
49 |     - mode: 0644
50 |     - replace: False
51 |   ini.options_present:
52 |     - sections:
53 |         Main:
54 |             dd_url: https://app.datadoghq.com
55 |             api_key: {{ pillar.get('datadog_api_key') }}
56 |             tags: {{ datadog_tags|join(", ") }}
57 |             use_dogstatsd: yes
58 |             dogstatsd_port: 18125
59 |             dogstreams: "{{ dogstreams|join(", ") if dogstreams else ''}}"
60 |     - require:
61 |       - file: /etc/dd-agent/datadog.conf
62 | 
63 | {% endif %}
64 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/elasticsearch/init.sls:
--------------------------------------------------------------------------------
 1 | java-1.7.0-openjdk:
 2 |   pkg.installed
 3 | 
 4 | elasticsearch:
 5 |   pkg.installed:
 6 |     - sources:
 7 |       - elasticsearch: https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.5.2.noarch.rpm
 8 |     - require:
 9 |       - pkg: java-1.7.0-openjdk
10 |   service.running:
11 |     - require:
12 |       - pkg: elasticsearch
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/firewall/config/iptables.jinja:
--------------------------------------------------------------------------------
 1 | # Firewall configuration written by salt
 2 | # Manual customization of this file is not cool.
 3 | 
 4 | {% set rules = salt['pillar.get']('firewall', {}) %}
 5 | 
 6 | *filter
 7 | :INPUT ACCEPT [0:0]
 8 | :FORWARD ACCEPT [0:0]
 9 | :OUTPUT ACCEPT [0:0]
10 | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
11 | -A INPUT -p icmp -j ACCEPT
12 | -A INPUT -i lo -j ACCEPT
13 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
14 | {% for rule, config in rules.iteritems() -%}
15 | {% set port = config.get('port', 22) -%}
16 | {% set proto = config.get('protocol', 'tcp') -%}
17 | {% set source = config.get('source', '0.0.0.0/0') -%}
18 | # {{ rule }}
19 | -A INPUT -m state --state NEW -m {{ proto }} -p {{ proto }} -s {{ source }} --dport {{ port }} -j ACCEPT
20 | {% endfor -%}
21 | -A INPUT -j REJECT --reject-with icmp-host-prohibited
22 | -A FORWARD -j REJECT --reject-with icmp-host-prohibited
23 | COMMIT
24 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/firewall/init.sls:
--------------------------------------------------------------------------------
 1 | /etc/sysconfig/iptables:
 2 |   file.managed:
 3 |     - source: salt://firewall/config/iptables.jinja
 4 |     - user: root
 5 |     - group: root
 6 |     - mode: 600
 7 |     - template: jinja
 8 | 
 9 | iptables:
10 |   service:
11 |   - running
12 |   - watch:
13 |     - file: /etc/sysconfig/iptables
14 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/base.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | {% set client_config = pillar.get('monitoring_client', {}) %}
 3 | {% set bucky_config = pillar.get('bucky', {}) %}
 4 | 
 5 | include:
 6 |   - supervisor
 7 | 
 8 | /etc/bucky/bucky.conf:
 9 |   file.managed:
10 |     - source: salt://monitoring/client/config/bucky.conf.jinja
11 |     - template: jinja
12 |     - context:
13 |       graphite_ip: {{ bucky_config.get('graphite_ip', '127.0.0.1') }}
14 |       graphite_port: {{ bucky_config.get('graphite_port', 2003) }}
15 |       graphite_max_reconnects: {{ bucky_config.get('graphite_max_reconnects', 3) }}
16 |       graphite_reconnect_delay: {{ bucky_config.get('graphite_reconnect_delay', 5) }}
17 | 
18 | python-bucky:
19 |   pkg.installed
20 | 
21 | /etc/supervisord.d/bucky.ini:
22 |   file.managed:
23 |     - source: salt://monitoring/client/config/bucky.ini
24 | 
25 | bucky-supervisor:
26 |   cmd.wait:
27 |     - name: supervisorctl reread && supervisorctl update
28 |     - require:
29 |       - file: /etc/supervisord.d/bucky.ini
30 |       - file: /etc/bucky/bucky.conf
31 |       - pkg: python-bucky
32 |     - watch:
33 |       - file: /etc/supervisord.d/bucky.ini
34 | 
35 | /etc/collectd.conf:
36 |   file.managed:
37 |     - source: salt://monitoring/client/config/collectd.conf.jinja
38 |     - template: jinja
39 |     - context:
40 |       hostname: {{ grains['fqdn'] }}
41 |       collectd_host: {{ client_config.get('collectd_host', '127.0.0.1') }}
42 |       collectd_port: {{ client_config.get('collectd_port', 25826) }}
43 | 
44 | /usr/local/lib/collectd/plugins:
45 |   file.recurse:
46 |     - source: salt://monitoring/client/plugins
47 | 
48 | /etc/collectd.d/base.conf:
49 |   file.managed:
50 |     - source: salt://monitoring/client/config/collectd.d/base.conf
51 | 
52 | collectd:
53 |   pkg:
54 |     - installed
55 |   service:
56 |     - running
57 |     - enable: True
58 |     - restart: True
59 |     - watch:
60 |       - file: /etc/collectd.conf
61 |       - file: /etc/collectd.d/*
62 |     - require:
63 |       - file: /etc/collectd.conf
64 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/bucky.conf.jinja:
--------------------------------------------------------------------------------
 1 | debug = False
 2 | log_level = "INFO"
 3 | full_trace = False
 4 | 
 5 | graphite_ip = "{{ graphite_ip }}"
 6 | graphite_port = {{ graphite_port }}
 7 | graphite_max_reconnects = {{ graphite_max_reconnects }}
 8 | graphite_reconnect_delay = {{ graphite_reconnect_delay }}
 9 | 
10 | name_prefix = None
11 | name_postfix = None
12 | name_replace_char = '_'
13 | name_strip_duplicates = True
14 | name_host_trim = []
15 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/bucky.ini:
--------------------------------------------------------------------------------
 1 | [program:bucky]
 2 | command          = /usr/bin/bucky /etc/bucky/bucky.conf
 3 | autostart        = true
 4 | autorestart      = true
 5 | user             = bucky
 6 | log_stdout       = true
 7 | log_stderr       = true
 8 | logfile          = /var/log/bucky/bucky.log
 9 | environment  = HOME=/,USER=bucky
10 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.conf.jinja:
--------------------------------------------------------------------------------
1 | Hostname {{ hostname }}
2 | LoadPlugin syslog
3 | LoadPlugin network
4 | <Plugin network>
5 |   Server "{{ collectd_host }} {% if collectd_port %}{{ collectd_port }}{% endif %}"
6 | </Plugin>
7 | Include "/etc/collectd.d/*.conf"
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/base.conf:
--------------------------------------------------------------------------------
 1 | LoadPlugin cpu
 2 | LoadPlugin disk
 3 | LoadPlugin df
 4 | LoadPlugin interface
 5 | LoadPlugin load
 6 | LoadPlugin memory
 7 | LoadPlugin swap
 8 | <Plugin disk>
 9 | 	Disk "/^[hs]?d[a-z][a-z]??$/"
10 | 	Disk "/^xvd[a-z][a-z]??$/"
11 | 	IgnoreSelected false
12 | </Plugin>
13 | <Plugin df>
14 |        ReportReserved true
15 |        ReportInodes true
16 | </Plugin>
17 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/nginx.conf:
--------------------------------------------------------------------------------
1 | LoadPlugin nginx
2 | 
3 | <Plugin nginx>
4 |        URL "http://localhost/nginx_status?auto"
5 | </Plugin>
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/postgresql.conf.jinja:
--------------------------------------------------------------------------------
 1 | LoadPlugin postgresql
 2 | 
 3 | <Plugin postgresql>
 4 | 
 5 |   <Query master_xlog_postition>
 6 |     Statement "SELECT pg_xlog_location_diff(pg_current_xlog_location(), '0/0') AS offset;"
 7 |     <Result>
 8 |       Type gauge
 9 |       InstancePrefix "master_xlog_postition"
10 |       ValuesFrom offset
11 |     </Result>
12 |   </Query>
13 | 
14 |   <Query standby_xlog_rec>
15 |     Statement "SELECT pg_xlog_location_diff(pg_last_xlog_receive_location(), '0/0') AS receive;"
16 |     <Result>
17 |       Type gauge
18 |       InstancePrefix "standby_xlog_rec"
19 |       ValuesFrom receive
20 |     </Result>
21 |   </Query>
22 | 
23 |   <Query standby_xlog_rep>
24 |     Statement "SELECT pg_xlog_location_diff(pg_last_xlog_replay_location(), '0/0') AS replay;"
25 |     <Result>
26 |       Type gauge
27 |       InstancePrefix "standby_xlog_rep"
28 |       ValuesFrom replay
29 |     </Result>
30 |   </Query>
31 | 
32 |   <Query standby_approx_lag>
33 |     Statement "SELECT EXTRACT(EPOCH FROM (SELECT NOW() - pg_last_xact_replay_timestamp())) AS replication_delay;"
34 |     <Result>
35 |       Type gauge
36 |       InstancePrefix "standby_approx_lag"
37 |       ValuesFrom replication_delay
38 |     </Result>
39 |   </Query>
40 | 
41 |   <Query connections>
42 |     Statement "SELECT COUNT(*) as connection_count FROM pg_stat_activity;"
43 |     <Result>
44 |       Type gauge
45 |       InstancePrefix "connection_count"
46 |       ValuesFrom connection_count
47 |     </Result>
48 |   </Query>
49 | 
50 |   <Database postgres>
51 |     Host "{{ monitor_host }}"
52 |     Port "{{ monitor_port }}"
53 |     User "{{ monitor_user }}"
54 |     Password "{{ monitor_password }}"
55 |     {% if 'primary' in grains['roles'] %}
56 |     Query master_xlog_postition
57 |     {% endif %}
58 |     {% if 'standby' in grains['roles'] %}
59 |     Query standby_xlog_rec
60 |     Query standby_xlog_rep
61 |     Query standby_approx_lag
62 |     {% endif %}
63 |     Query connections
64 |   </Database>
65 | 
66 | </Plugin>
67 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/pypi-backend.conf:
--------------------------------------------------------------------------------
 1 | <LoadPlugin python>
 2 |   Globals true
 3 | </LoadPlugin>
 4 | 
 5 | <Plugin python>
 6 |   ModulePath "/usr/local/lib/collectd/plugins/python"
 7 |   Import "pypi_backend"
 8 | 
 9 |   <Module pypi_backend>
10 |     Host "127.0.0.1"
11 |     Port "9000"
12 |   </Module>
13 | </Plugin>
14 | 
15 | <Plugin python>
16 |   ModulePath "/usr/local/lib/collectd/plugins/python"
17 |   Import "uwsgi_stats"
18 | 
19 |   <Module uwsgi_stats>
20 |     SocketPath "/var/run/pypi/pypi-stats.sock"
21 |   </Module>
22 | </Plugin>
23 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/pypi-mirror.conf:
--------------------------------------------------------------------------------
 1 | <LoadPlugin python>
 2 |   Globals true
 3 | </LoadPlugin>
 4 | 
 5 | <Plugin python>
 6 |   ModulePath "/usr/local/lib/collectd/plugins/python"
 7 |   Import "pypi_mirror"
 8 | 
 9 |   <Module pypi_mirror>
10 |     MirrorDir "/data/pypi-mirror"
11 |   </Module>
12 | </Plugin>
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/config/collectd.d/redis.conf:
--------------------------------------------------------------------------------
 1 | <LoadPlugin python>
 2 |   Globals true
 3 | </LoadPlugin>
 4 | 
 5 | <Plugin python>
 6 |   ModulePath "/usr/local/lib/collectd/plugins/python"
 7 |   Import "redis_info"
 8 | 
 9 |   <Module redis_info>
10 |     Host "localhost"
11 |     Port 6379
12 |     Verbose false
13 |   </Module>
14 | </Plugin>
15 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/init.sls:
--------------------------------------------------------------------------------
1 | 
2 | include:
3 |   - monitoring.client.base
4 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/nginx.sls:
--------------------------------------------------------------------------------
1 | 
2 | /etc/collectd.d/nginx.conf:
3 |   file.managed:
4 |     - source: salt://monitoring/client/config/collectd.d/nginx.conf
5 | 
6 | collectd-nginx:
7 |   pkg:
8 |     - installed
9 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/plugins/python/pypi_backend.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import calendar
 3 | from datetime import datetime
 4 | import urllib2
 5 | 
 6 | import collectd
 7 | 
 8 | # Mirror Directory to read. Override in config by specifying 'MirrorDir'.
 9 | HOST = 'localhost'
10 | PORT = 9000
11 | 
12 | def configure_callback(conf):
13 |     global HOST, PORT
14 |     for node in conf.children:
15 |         if node.key == 'Host':
16 |             HOST = node.values[0]
17 |         if node.key == 'Port':
18 |             PORT = int(node.values[0])
19 |         else:
20 |             collectd.warning('pypi_backend plugin: Unknown config key: %s.'
21 |                              % node.key)
22 | 
23 | def read_callback():
24 |     SERIAL_URL = "https://%s:%s/serial" % (HOST, PORT)
25 |     TIME_URL = "https://%s:%s/daytime" % (HOST, PORT)
26 | 
27 |     handler = urllib2.urlopen(SERIAL_URL)
28 |     current_serial = handler.read().rstrip('\n')
29 | 
30 |     handler = urllib2.urlopen(TIME_URL)
31 |     last_modified_timestamp = handler.read().rstrip('\n')
32 | 
33 |     cur_serial = collectd.Values(type='gauge')
34 |     cur_serial.plugin='pypi_backend.current_serial'
35 |     cur_serial.dispatch(values=[int(current_serial)])
36 | 
37 |     last_modified_unix = calendar.timegm(datetime.strptime(last_modified_timestamp, "%Y%m%dT%H:%M:%S").utctimetuple())
38 |     last_mod = collectd.Values(type='gauge')
39 |     last_mod.plugin='pypi_backend.last_modified'
40 |     last_mod.dispatch(values=[int(last_modified_unix)])
41 | 
42 | # register callbacks
43 | collectd.register_config(configure_callback)
44 | collectd.register_read(read_callback)
45 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/plugins/python/pypi_mirror.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import calendar
 3 | from datetime import datetime
 4 | 
 5 | import collectd
 6 | 
 7 | # Mirror Directory to read. Override in config by specifying 'MirrorDir'.
 8 | MIRROR_DIR = '/data/pypi-mirror'
 9 | 
10 | def configure_callback(conf):
11 |     global MIRROR_DIR
12 |     for node in conf.children:
13 |         if node.key == 'MirrorDir':
14 |             MIRROR_DIR = node.values[0]
15 |         else:
16 |             collectd.warning('pypi_mirror plugin: Unknown config key: %s.'
17 |                              % node.key)
18 | 
19 | def read_callback():
20 |     with open(os.path.join(MIRROR_DIR, 'status'), 'r') as f:
21 |         current_serial = f.read()
22 | 
23 |     with open(os.path.join(MIRROR_DIR, 'web', 'last-modified'), 'r') as f:
24 |         last_modified_timestamp = f.read().rstrip('\n')
25 | 
26 |     cur_serial = collectd.Values(type='gauge')
27 |     cur_serial.plugin='pypi_mirror.current_serial'
28 |     cur_serial.dispatch(values=[int(current_serial)])
29 | 
30 |     last_modified_unix = calendar.timegm(datetime.strptime(last_modified_timestamp, "%Y%m%dT%H:%M:%S").utctimetuple())
31 |     last_mod = collectd.Values(type='gauge')
32 |     last_mod.plugin='pypi_mirror.last_modified'
33 |     last_mod.dispatch(values=[int(last_modified_unix)])
34 | 
35 | # register callbacks
36 | collectd.register_config(configure_callback)
37 | collectd.register_read(read_callback)
38 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/plugins/python/redis_info.py:
--------------------------------------------------------------------------------
  1 | # redis-collectd-plugin - redis_info.py
  2 | #
  3 | # This program is free software; you can redistribute it and/or modify it
  4 | # under the terms of the GNU General Public License as published by the
  5 | # Free Software Foundation; only version 2 of the License is applicable.
  6 | #
  7 | # This program is distributed in the hope that it will be useful, but
  8 | # WITHOUT ANY WARRANTY; without even the implied warranty of
  9 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 10 | # General Public License for more details.
 11 | #
 12 | # You should have received a copy of the GNU General Public License along
 13 | # with this program; if not, write to the Free Software Foundation, Inc.,
 14 | # 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 15 | #
 16 | # Authors:
 17 | #   Garret Heaton <powdahound at gmail.com>
 18 | #
 19 | # About this plugin:
 20 | #   This plugin uses collectd's Python plugin to record Redis information.
 21 | #
 22 | # collectd:
 23 | #   http://collectd.org
 24 | # Redis:
 25 | #   http://redis.googlecode.com
 26 | # collectd-python:
 27 | #   http://collectd.org/documentation/manpages/collectd-python.5.shtml
 28 | 
 29 | import collectd
 30 | import socket
 31 | 
 32 | 
 33 | # Host to connect to. Override in config by specifying 'Host'.
 34 | REDIS_HOST = 'localhost'
 35 | 
 36 | # Port to connect on. Override in config by specifying 'Port'.
 37 | REDIS_PORT = 6379
 38 | 
 39 | # Verbose logging on/off. Override in config by specifying 'Verbose'.
 40 | VERBOSE_LOGGING = False
 41 | 
 42 | 
 43 | def fetch_info():
 44 |     """Connect to Redis server and request info"""
 45 |     try:
 46 |         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 47 |         s.connect((REDIS_HOST, REDIS_PORT))
 48 |         log_verbose('Connected to Redis at %s:%s' % (REDIS_HOST, REDIS_PORT))
 49 |     except socket.error, e:
 50 |         collectd.error('redis_info plugin: Error connecting to %s:%d - %r'
 51 |                        % (REDIS_HOST, REDIS_PORT, e))
 52 |         return None
 53 |     fp = s.makefile('r')
 54 |     log_verbose('Sending info command')
 55 |     s.sendall('info\r\n')
 56 | 
 57 |     status_line = fp.readline()
 58 |     content_length = int(status_line[1:-1]) # status_line looks like: $<content_length>
 59 |     data = fp.read(content_length)
 60 |     log_verbose('Received data: %s' % data)
 61 |     s.close()
 62 | 
 63 |     linesep = '\r\n' if '\r\n' in data else '\n'
 64 |     return parse_info(data.split(linesep))
 65 | 
 66 | 
 67 | def parse_info(info_lines):
 68 |     """Parse info response from Redis"""
 69 |     info = {}
 70 |     for line in info_lines:
 71 |         if "" == line or line.startswith('#'):
 72 |             continue
 73 | 
 74 |         if ':' not in line:
 75 |             collectd.warning('redis_info plugin: Bad format for info line: %s'
 76 |                              % line)
 77 |             continue
 78 | 
 79 |         key, val = line.split(':')
 80 | 
 81 |         # Handle multi-value keys (for dbs).
 82 |         # db lines look like "db0:keys=10,expire=0"
 83 |         if ',' in val:
 84 |             split_val = val.split(',')
 85 |             val = {}
 86 |             for sub_val in split_val:
 87 |                 k, _, v = sub_val.rpartition('=')
 88 |                 val[k] = v
 89 | 
 90 |         info[key] = val
 91 |     info["changes_since_last_save"] = info.get("changes_since_last_save", info.get("rdb_changes_since_last_save"))
 92 |     return info
 93 | 
 94 | 
 95 | def configure_callback(conf):
 96 |     """Receive configuration block"""
 97 |     global REDIS_HOST, REDIS_PORT, VERBOSE_LOGGING
 98 |     for node in conf.children:
 99 |         if node.key == 'Host':
100 |             REDIS_HOST = node.values[0]
101 |         elif node.key == 'Port':
102 |             REDIS_PORT = int(node.values[0])
103 |         elif node.key == 'Verbose':
104 |             VERBOSE_LOGGING = bool(node.values[0])
105 |         else:
106 |             collectd.warning('redis_info plugin: Unknown config key: %s.'
107 |                              % node.key)
108 |     log_verbose('Configured with host=%s, port=%s' % (REDIS_HOST, REDIS_PORT))
109 | 
110 | 
111 | def dispatch_value(info, key, type, type_instance=None):
112 |     """Read a key from info response data and dispatch a value"""
113 |     if key not in info:
114 |         collectd.warning('redis_info plugin: Info key not found: %s' % key)
115 |         return
116 | 
117 |     if not type_instance:
118 |         type_instance = key
119 | 
120 |     value = int(info[key])
121 |     log_verbose('Sending value: %s=%s' % (type_instance, value))
122 | 
123 |     val = collectd.Values(plugin='redis_info')
124 |     val.type = type
125 |     val.type_instance = type_instance
126 |     val.values = [value]
127 |     val.dispatch()
128 | 
129 | 
130 | def read_callback():
131 |     log_verbose('Read callback called')
132 |     info = fetch_info()
133 | 
134 |     if not info:
135 |         collectd.error('redis plugin: No info received')
136 |         return
137 | 
138 |     # send high-level values
139 |     dispatch_value(info, 'uptime_in_seconds','gauge')
140 |     dispatch_value(info, 'connected_clients', 'gauge')
141 |     dispatch_value(info, 'connected_slaves', 'gauge')
142 |     dispatch_value(info, 'blocked_clients', 'gauge')
143 |     dispatch_value(info, 'evicted_keys', 'gauge')
144 |     dispatch_value(info, 'used_memory', 'bytes')
145 |     dispatch_value(info, 'used_memory_peak', 'bytes')
146 |     dispatch_value(info, 'changes_since_last_save', 'gauge')
147 |     dispatch_value(info, 'total_connections_received', 'counter',
148 |                    'connections_received')
149 |     dispatch_value(info, 'total_commands_processed', 'counter',
150 |                    'commands_processed')
151 | 
152 |     # database and vm stats
153 |     for key in info:
154 |         if key.startswith('vm_stats_'):
155 |             dispatch_value(info, key, 'gauge')
156 |         if key.startswith('db'):
157 |             dispatch_value(info[key], 'keys', 'gauge', '%s-keys' % key)
158 | 
159 | 
160 | def log_verbose(msg):
161 |     if not VERBOSE_LOGGING:
162 |         return
163 |     collectd.info('redis plugin [verbose]: %s' % msg)
164 | 
165 | 
166 | # register callbacks
167 | collectd.register_config(configure_callback)
168 | collectd.register_read(read_callback)
169 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/plugins/python/uwsgi_stats.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import json
 3 | import socket
 4 | 
 5 | import collectd
 6 | 
 7 | # uWSGI stat sock to read. Override in config by specifying 'SocketPath'.
 8 | SOCK = '/var/run/pypi/pypi-stats.sock'
 9 | 
10 | def configure_callback(conf):
11 |     global SOCK
12 |     for node in conf.children:
13 |         if node.key == 'SocketPath':
14 |             SOCK = node.values[0]
15 |         else:
16 |             collectd.warning('uwsgi_stats plugin: Unknown config key: %s.'
17 |                              % node.key)
18 | 
19 | def read_callback():
20 |     s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
21 |     s.connect(SOCK)
22 | 
23 |     js = ''
24 |     while True:
25 |         data = s.recv(4096)
26 |         if len(data) < 1:
27 |             break
28 |         js += data.decode('utf8')
29 | 
30 |     s.close()
31 | 
32 |     dd = json.loads(js)
33 | 
34 |     worker_statuses = [w['status'] for w in dd['workers']]
35 |     counter = {'total': len(worker_statuses), 'idle': 0, 'busy': 0}
36 |     for status in worker_statuses:
37 |         counter[status] += 1
38 | 
39 |     idle = collectd.Values(type='gauge')
40 |     idle.plugin='pypi_backend.uwsgi.idle'
41 |     idle.dispatch(values=[int(counter['idle'])])
42 | 
43 |     busy = collectd.Values(type='gauge')
44 |     busy.plugin='pypi_backend.uwsgi.busy'
45 |     busy.dispatch(values=[int(counter['busy'])])
46 | 
47 |     total = collectd.Values(type='gauge')
48 |     total.plugin='pypi_backend.uwsgi.total'
49 |     total.dispatch(values=[int(counter['total'])])
50 | 
51 | # register callbacks
52 | collectd.register_config(configure_callback)
53 | collectd.register_read(read_callback)
54 | 
55 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/postgresql.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | /etc/collectd.d/postgresql.conf:
 3 |   file.managed:
 4 |     - source: salt://monitoring/client/config/collectd.d/postgresql.conf.jinja
 5 |     - template: jinja
 6 |     - context:
 7 |       monitor_host: {{ salt['pillar.get']('monitoring-client-postgresql:host', '127.0.0.1') }}
 8 |       monitor_port: {{ salt['pillar.get']('monitoring-client-postgresql:port', '5432') }}
 9 |       monitor_user: {{ salt['pillar.get']('monitoring-client-postgresql:user', 'monitoring') }}
10 |       monitor_password: {{ salt['pillar.get']('monitoring-client-postgresql:password', "") }}
11 | 
12 | collectd-postgresql:
13 |   pkg:
14 |     - installed
15 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/pypi-backend.sls:
--------------------------------------------------------------------------------
1 | 
2 | /etc/collectd.d/pypi-backend.conf:
3 |   file.managed:
4 |     - source: salt://monitoring/client/config/collectd.d/pypi-backend.conf
5 |     - require:
6 |       - file: /usr/local/lib/collectd/plugins
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/pypi-mirror.sls:
--------------------------------------------------------------------------------
1 | 
2 | /etc/collectd.d/pypi-mirror.conf:
3 |   file.managed:
4 |     - source: salt://monitoring/client/config/collectd.d/pypi-mirror.conf
5 |     - require:
6 |       - file: /usr/local/lib/collectd/plugins
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/client/redis.sls:
--------------------------------------------------------------------------------
1 | 
2 | /etc/collectd.d/redis.conf:
3 |   file.managed:
4 |     - source: salt://monitoring/client/config/collectd.d/redis.conf
5 |     - require:
6 |       - file: /usr/local/lib/collectd/plugins
7 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/carbon.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | {% set carbon_config = pillar.get('carbon', {}) %}
 3 | {% set graphite_config = pillar.get('graphite', {}) %}
 4 | 
 5 | graphite-pkgs:
 6 |   pkg.installed:
 7 |     - pkgs:
 8 |       - graphite-web
 9 |       - python-carbon
10 |       - httpd
11 | 
12 | /etc/carbon/carbon.conf:
13 |   file.managed:
14 |     - source: salt://monitoring/server/config/carbon.conf.jinja
15 |     - template: jinja
16 |     - context:
17 |       line_receiver_interface: {{ carbon_config.get('line_receiver_interface', '0.0.0.0') }}
18 |       line_reciver_port: {{ carbon_config.get('line_reciver_port', 2003) }}
19 |       pickle_receiver_interface: {{ carbon_config.get('pickle_receiver_interface', '0.0.0.0') }}
20 |       pickle_receiver_port: {{ carbon_config.get('pickle_receiver_port', 2004) }}
21 |       cache_query_interface: {{ carbon_config.get('cache_query_interface', '0.0.0.0') }}
22 |       cache_query_port: {{ carbon_config.get('cache_query_port', 7002) }}
23 | 
24 | /etc/carbon/storage-schemas.conf:
25 |   file.managed:
26 |     - source: salt://monitoring/server/config/storage-schemas.conf.jinja
27 |     - template: jinja
28 | 
29 | carbon-cache:
30 |   service:
31 |     - running
32 |     - enable: True
33 |     - restart: True
34 |     - watch:
35 |       - file: /etc/carbon/carbon.conf
36 |       - file: /etc/carbon/storage-schemas.conf
37 |     - require:
38 |       - file: /etc/carbon/carbon.conf
39 |       - file: /etc/carbon/storage-schemas.conf
40 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/carbon.conf.jinja:
--------------------------------------------------------------------------------
  1 | [cache]
  2 | STORAGE_DIR    = /var/lib/carbon/
  3 | LOCAL_DATA_DIR = /var/lib/carbon/whisper/
  4 | WHITELISTS_DIR = /var/lib/carbon/lists/
  5 | CONF_DIR       = /etc/carbon/
  6 | LOG_DIR        = /var/log/carbon/
  7 | PID_DIR        = /var/run/
  8 | 
  9 | ENABLE_LOGROTATION = True
 10 | USER = carbon
 11 | MAX_CACHE_SIZE = inf
 12 | MAX_UPDATES_PER_SECOND = 500
 13 | MAX_UPDATES_PER_SECOND_ON_SHUTDOWN = 1000
 14 | MAX_CREATES_PER_MINUTE = 50
 15 | 
 16 | LINE_RECEIVER_INTERFACE = {{ line_receiver_interface }}
 17 | LINE_RECEIVER_PORT = {{ line_reciver_port }}
 18 | 
 19 | PICKLE_RECEIVER_INTERFACE = {{ pickle_receiver_interface }}
 20 | PICKLE_RECEIVER_PORT = {{ pickle_receiver_port }}
 21 | 
 22 | LOG_LISTENER_CONNECTIONS = True
 23 | USE_INSECURE_UNPICKLER = False
 24 | 
 25 | CACHE_QUERY_INTERFACE = {{ cache_query_interface }}
 26 | CACHE_QUERY_PORT = {{ cache_query_port }}
 27 | 
 28 | USE_FLOW_CONTROL = True
 29 | 
 30 | LOG_UPDATES = False
 31 | LOG_CACHE_HITS = False
 32 | LOG_CACHE_QUEUE_SORTS = True
 33 | 
 34 | CACHE_WRITE_STRATEGY = sorted
 35 | 
 36 | WHISPER_AUTOFLUSH = False
 37 | 
 38 | # WHISPER_SPARSE_CREATE = False
 39 | WHISPER_FALLOCATE_CREATE = True
 40 | # WHISPER_LOCK_WRITES = False
 41 | # USE_WHITELIST = False
 42 | # CARBON_METRIC_PREFIX = carbon
 43 | # CARBON_METRIC_INTERVAL = 60
 44 | 
 45 | [relay]
 46 | USER = carbon
 47 | LINE_RECEIVER_INTERFACE = 0.0.0.0
 48 | LINE_RECEIVER_PORT = 2013
 49 | PICKLE_RECEIVER_INTERFACE = 0.0.0.0
 50 | PICKLE_RECEIVER_PORT = 2014
 51 | 
 52 | LOG_LISTENER_CONNECTIONS = True
 53 | 
 54 | #RELAY_METHOD = rules
 55 | #RELAY_METHOD = consistent-hashing
 56 | #RELAY_METHOD = aggregated-consistent-hashing
 57 | RELAY_METHOD = rules
 58 | 
 59 | REPLICATION_FACTOR = 1
 60 | 
 61 | DESTINATIONS = 127.0.0.1:2004
 62 | 
 63 | MAX_DATAPOINTS_PER_MESSAGE = 500
 64 | MAX_QUEUE_SIZE = 10000
 65 | 
 66 | USE_FLOW_CONTROL = True
 67 | 
 68 | # CARBON_METRIC_PREFIX = carbon
 69 | # CARBON_METRIC_INTERVAL = 60
 70 | 
 71 | [aggregator]
 72 | USER = carbon
 73 | LINE_RECEIVER_INTERFACE = 0.0.0.0
 74 | LINE_RECEIVER_PORT = 2023
 75 | 
 76 | PICKLE_RECEIVER_INTERFACE = 0.0.0.0
 77 | PICKLE_RECEIVER_PORT = 2024
 78 | 
 79 | LOG_LISTENER_CONNECTIONS = True
 80 | 
 81 | FORWARD_ALL = True
 82 | 
 83 | DESTINATIONS = 127.0.0.1:2004
 84 | 
 85 | REPLICATION_FACTOR = 1
 86 | 
 87 | MAX_QUEUE_SIZE = 10000
 88 | 
 89 | USE_FLOW_CONTROL = True
 90 | 
 91 | MAX_DATAPOINTS_PER_MESSAGE = 500
 92 | 
 93 | MAX_AGGREGATION_INTERVALS = 5
 94 | 
 95 | # WRITE_BACK_FREQUENCY = 0
 96 | 
 97 | # USE_WHITELIST = False
 98 | 
 99 | # CARBON_METRIC_PREFIX = carbon
100 | # CARBON_METRIC_INTERVAL = 60
101 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/graphite-web-app.conf.jinja:
--------------------------------------------------------------------------------
 1 | client_max_body_size 64M;
 2 | keepalive_timeout 5;
 3 | 
 4 | access_log /var/log/nginx/graphite-web/access.log;
 5 | error_log /var/log/nginx/graphite-web/error.log;
 6 | 
 7 | root /usr/share/graphite/webapp;
 8 | 
 9 | location /media/ {
10 |   root /usr/lib/python2.6/site-packages/django/contrib/admin/media;
11 | }
12 | 
13 | try_files $uri/index.html $uri.html $uri @app;
14 | 
15 | location @app {
16 |   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
17 |   proxy_set_header Host $http_host;
18 |   proxy_redirect off;
19 |   proxy_pass http://graphite_web_server;
20 | }
21 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/graphite-web-nginx.conf.jinja:
--------------------------------------------------------------------------------
 1 | upstream graphite_web_server {
 2 |   server unix:/var/run/graphite-web/gunicorn.sock fail_timeout=0;
 3 | }
 4 | 
 5 | server {
 6 |   listen 80;
 7 |   server_name {{ server_names }};
 8 | 
 9 |   {% if https_only %}
10 |   location / {
11 |     return 301 https://$server_name$request_uri;
12 |   }
13 |   location /.well-known/acme-challenge/ {
14 |     alias /etc/lego/.well-known/acme-challenge/;
15 |     try_files $uri =404;
16 |   }
17 |   {% else %}
18 |   include conf.d/graphite-web/app.conf;
19 |   {% endif %}
20 | }
21 | 
22 | server {
23 |   listen 443;
24 |   server_name {{ server_names }};
25 |   include nginx.ssl.conf;
26 |   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
27 |   include conf.d/graphite-web/app.conf;
28 | }
29 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/graphite-web.ini.jinja:
--------------------------------------------------------------------------------
 1 | [program:{{ program_name }}]
 2 | command = gunicorn_django -w 8 --bind unix:/var/run/graphite-web/gunicorn.sock --pythonpath=/usr/lib/python2.6/site-packages/graphite --settings=settings settings.py
 3 | autostart = true
 4 | autorestart = true
 5 | stopwaitsecs = 15
 6 | stopsignal = TERM
 7 | stdout_logfile = /var/log/{{ program_name }}/gunicorn-stdout.log
 8 | stderr_logfile = /var/log/{{ program_name }}/gunicorn-stderr.log
 9 | user = {{ user }}
10 | directory = /usr/lib/python2.6/site-packages/graphite
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/local_settings.py.jinja:
--------------------------------------------------------------------------------
 1 | SECRET_KEY = '{{ secret_key }}'
 2 | ALLOWED_HOSTS = [ '{{ allowed_hosts }}' ]
 3 | TIME_ZONE = 'Etc/UTC'
 4 | 
 5 | LOG_RENDERING_PERFORMANCE = True
 6 | LOG_CACHE_PERFORMANCE = True
 7 | LOG_METRIC_ACCESS = True
 8 | 
 9 | DEBUG = False
10 | 
11 | GRAPHITE_ROOT = '/usr/share/graphite'
12 | CONF_DIR = '/etc/graphite-web'
13 | STORAGE_DIR = '/var/lib/graphite-web'
14 | CONTENT_DIR = '/usr/share/graphite/webapp/content'
15 | #DASHBOARD_CONF = '/etc/graphite-web/dashboard.conf'
16 | #GRAPHTEMPLATES_CONF = '/etc/graphite-web/graphTemplates.conf'
17 | 
18 | WHISPER_DIR = '/var/lib/carbon/whisper/'
19 | RRD_DIR = '/var/lib/carbon/rrd'
20 | DATA_DIRS = [WHISPER_DIR, RRD_DIR] # Default: set from the above variables
21 | LOG_DIR = '/var/log/graphite-web/'
22 | INDEX_FILE = '/var/lib/graphite-web/index'  # Search index file
23 | 
24 | #USE_REMOTE_USER_AUTHENTICATION = True
25 | #LOGIN_URL = '/account/login'
26 | 
27 | DATABASES = {
28 |     'default': {
29 |         'NAME': '{{ sqlite3_path }}',
30 |         'ENGINE': 'django.db.backends.sqlite3',
31 |         'USER': '',
32 |         'PASSWORD': '',
33 |         'HOST': '',
34 |         'PORT': ''
35 |     }
36 | }
37 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/riemann.config.jinja:
--------------------------------------------------------------------------------
 1 | ; -*- mode: clojure; -*-
 2 | ; vim: filetype=clojure
 3 | 
 4 | (logging/init :file "/var/log/riemann/riemann.log")
 5 | 
 6 | ; Listen on the local interface over TCP (5555), UDP (5555), and websockets
 7 | ; (5556)
 8 | (let [host "{{ host }}"]
 9 |   (tcp-server :host host)
10 |   (udp-server :host host)
11 |   (ws-server  :host host))
12 | 
13 | (graphite-server :host "{{ graphite_host }}" :port {{ graphite_port }})
14 | 
15 | (def graph (graphite {:host "{{ graphite_downstream_host }}" :port {{ graphite_downstream_port }}}))
16 | 
17 | ; Expire old events from the index every 5 seconds.
18 | (periodically-expire 5)
19 | 
20 | ; Keep events in the index for 5 minutes by default.
21 | (let [index (default :ttl 300 (update-index (index)))]
22 | 
23 |   ; Inbound events will be passed to these streams:
24 |   (streams
25 | 
26 |     ; Index all events immediately.
27 |     index
28 |     ; Forward to graphite immediately.
29 |     graph
30 | 
31 |     ; Calculate an overall rate of events.
32 |     (with {:metric 1 :host nil :state "ok" :service "events/sec"}
33 |       (rate 5 index))
34 | 
35 |     ; Log expired events.
36 |     (expired
37 |       (fn [event] (info "expired" event)))
38 | ))
39 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/config/storage-schemas.conf.jinja:
--------------------------------------------------------------------------------
 1 | [carbon]
 2 | pattern = ^carbon\.
 3 | retentions = 60:90d
 4 | 
 5 | [downloads]
 6 | pattern = ^stats\.downloads
 7 | retentions = 10s:1h,1m:1d,1h:7d,1d:28d,28d:5y
 8 | 
 9 | [downloads_counts]
10 | pattern = ^stats_counts\.downloads
11 | retentions = 10s:1h,1m:1d,1h:7d,1d:28d,28d:5y
12 | 
13 | [default_10s_for_90d]
14 | pattern = .*
15 | retentions = 10s:90d
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/graphite-web.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - nginx
 4 |   - supervisor
 5 | 
 6 | graphite:
 7 |   user:
 8 |     - present
 9 | 
10 | {% set graphite_config = pillar.get('graphite', {}) %}
11 | {% set secrets = pillar.get('monitoring_secrets', {}) %}
12 | 
13 | {% for dir in ['log', 'lib', 'run'] %}
14 | /var/{{ dir }}/graphite-web:
15 |   file.directory:
16 |     - user: graphite
17 |     - group: graphite
18 |     - mode: 755
19 |     - require:
20 |       - pkg: graphite-pkgs
21 |       - user: graphite
22 | {% endfor %}
23 | 
24 | graphite-web-gunicorn:
25 |   pkg.installed:
26 |     - pkgs:
27 |       - python-gunicorn
28 |       - python-setuptools
29 | 
30 | /etc/graphite-web/local_settings.py:
31 |   file.managed:
32 |     - source: salt://monitoring/server/config/local_settings.py.jinja
33 |     - template: jinja
34 |     - context:
35 |       secret_key: '{{ secrets.get('secret_key') }}'
36 |       allowed_hosts: '{{ graphite_config.get('allowed_hosts', '*') }}'
37 |       sqlite3_path: {{ graphite_config.get('sqlite3_path', '/var/lib/graphite-web/graphite.db') }}
38 | 
39 | graphite-web-init-db:
40 |   cmd.run:
41 |     - name: '/usr/lib/python2.6/site-packages/graphite/manage.py syncdb --noinput'
42 |     - user: graphite
43 |     - cwd: /usr/lib/python2.6/site-packages/graphite
44 | 
45 | /etc/supervisord.d/graphite-web.ini:
46 |   file.managed:
47 |     - source: salt://monitoring/server/config/graphite-web.ini.jinja
48 |     - template: jinja
49 |     - context:
50 |       program_name: graphite-web
51 |       user: graphite
52 |     - require:
53 |       - service: supervisord
54 | 
55 | graphite-web-supervisor:
56 |   cmd.wait:
57 |     - name: supervisorctl reread && supervisorctl update
58 |     - require:
59 |       - file: /etc/supervisord.d/graphite-web.ini
60 |       - cmd: graphite-web-init-db
61 |     - watch:
62 |       - file: /etc/supervisord.d/graphite-web.ini
63 | 
64 | graphite-web-reload:
65 |   cmd.wait:
66 |     - name: 'supervisorctl restart graphite-web'
67 |     - require:
68 |       - cmd: graphite-web-supervisor
69 |     - watch:
70 |       - file: /etc/graphite-web/local_settings.py
71 | 
72 | /var/log/nginx/graphite-web:
73 |   file.directory
74 | 
75 | /etc/nginx/conf.d/graphite-web:
76 |   file.directory
77 | 
78 | /etc/nginx/conf.d/graphite-web/app.conf:
79 |   file.managed:
80 |     - source: salt://monitoring/server/config/graphite-web-app.conf.jinja
81 |     - template: jinja
82 | 
83 | /etc/nginx/conf.d/graphite-web.conf:
84 |   file.managed:
85 |     - source: salt://monitoring/server/config/graphite-web-nginx.conf.jinja  
86 |     - template: jinja
87 |     - context:
88 |       server_names: {{ ", ".join(secrets.get('server_names')) }}
89 |       https_only: {{ graphite_config.get('https_only', False) }}
90 |     - require:
91 |       - file: /var/log/nginx/graphite-web
92 |       - file: /etc/nginx/conf.d/graphite-web/app.conf
93 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/init.sls:
--------------------------------------------------------------------------------
1 | 
2 | include:
3 |   - monitoring.server.carbon
4 |   - monitoring.server.riemann
5 |   - monitoring.server.graphite-web
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/monitoring/server/riemann.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | {% set riemann_config = pillar.get('riemann', {}) %}
 3 | 
 4 | riemann-pkg:
 5 |   pkg.installed:
 6 |     - sources:
 7 |       - riemann: http://aphyr.com/riemann/riemann-0.2.4-1.noarch.rpm
 8 | 
 9 | riemann:
10 |   service:
11 |     - running
12 |     - enable: True
13 |     - reload: True
14 |     - watch:
15 |       - file: /etc/riemann/riemann.config
16 |     - require:
17 |       - pkg: riemann-pkg
18 | 
19 | /etc/riemann/riemann.config:
20 |   file.managed:
21 |     - source: salt://monitoring/server/config/riemann.config.jinja
22 |     - template: jinja
23 |     - context:
24 |       host: {{ riemann_config.get('host', '0.0.0.0') }}
25 |       graphite_host: {{ riemann_config.get('graphite_host', '0.0.0.0') }}
26 |       graphite_port: {{ riemann_config.get('graphite_port', 2002) }}
27 |       graphite_downstream_host: {{ riemann_config.get('graphite_downstream_host', '127.0.0.1') }}
28 |       graphite_downstream_port: {{ riemann_config.get('graphite_downstream_port', 2003) }}
29 |     - user: 
30 |     - group: riemann
31 |     - require:
32 |       - pkg: riemann-pkg
33 | 
34 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/nginx/config/RPM-GPG-KEY-NGINX:
--------------------------------------------------------------------------------
 1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
 2 | Version: GnuPG v1.4.11 (FreeBSD)
 3 | 
 4 | mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
 5 | W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
 6 | QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
 7 | fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
 8 | 97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
 9 | XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
10 | a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoBQJOTjJiAhsDBQkJ
11 | ZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCr9b2Ce9m/YpvjB/98uV4t
12 | 94d0oEh5XlqEZzVMrcTgPQ3BZt05N5xVuYaglv7OQtdlErMXmRWaFZEqDaMHdniC
13 | sF63jWMd29vC4xpzIfmsLK3ce9oYo4t9o4WWqBUdf0Ff1LMz1dfLG2HDtKPfYg3C
14 | 8NESud09zuP5NohaE8Qzj/4p6rWDiRpuZ++4fnL3Dt3N6jXILwr/TM/Ma7jvaXGP
15 | DO3kzm4dNKp5b5bn2nT2QWLPnEKxvOg5Zoej8l9+KFsUnXoWoYCkMQ2QTpZQFNwF
16 | xwJGoAz8K3PwVPUrIL6b1lsiNovDgcgP0eDgzvwLynWKBPkRRjtgmWLoeaS9FAZV
17 | ccXJMmANXJFuCf26iQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
18 | YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
19 | JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
20 | Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
21 | RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
22 | SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
23 | Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
24 | cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
25 | YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
26 | Va3l3WuB+rgKjsQ=
27 | =A015
28 | -----END PGP PUBLIC KEY BLOCK-----
29 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/nginx/config/nginx.conf.jinja:
--------------------------------------------------------------------------------
 1 | user              nginx;
 2 | worker_processes  4;
 3 | 
 4 | error_log  /var/log/nginx/error.log;
 5 | pid        /var/run/nginx.pid;
 6 | 
 7 | events {
 8 |     worker_connections  1024;
 9 | }
10 | 
11 | http {
12 |     include       /etc/nginx/mime.types;
13 |     default_type  application/octet-stream;
14 | 
15 |     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
16 |                       '$status $body_bytes_sent "$http_referer" '
17 |                       '"$http_user_agent" "$http_x_forwarded_for"';
18 | 
19 |     access_log  /var/log/nginx/access.log  main;
20 |     sendfile        on;
21 |     keepalive_timeout  65;
22 | 
23 |     include /etc/nginx/conf.d/*.conf;
24 | 
25 |     server {
26 |         listen 80 default;
27 |         location /nginx_status {
28 |             stub_status on;
29 |             access_log off;
30 |             allow 127.0.0.1;
31 |             allow {{ salt['pillar.get']('pypi_internal_network', '127.0.0.0/24') }};
32 |             deny all;
33 |         }
34 |         location /.well-known/acme-challenge/ {
35 |             alias /etc/lego/.well-known/acme-challenge/;
36 |             try_files $uri =404;
37 |         }
38 |     }
39 | }
40 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/nginx/config/nginx.logrotate:
--------------------------------------------------------------------------------
 1 | /var/log/nginx/*.log {
 2 |     daily
 3 |     rotate 10
 4 |     missingok
 5 |     notifempty
 6 |     compress
 7 |     sharedscripts
 8 |     postrotate
 9 |         /bin/kill -USR1 $(cat /var/run/nginx.pid 2>/dev/null) 2>/dev/null || :
10 |     endscript
11 | }
12 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/nginx/config/nginx.ssl.conf.jinja:
--------------------------------------------------------------------------------
 1 | ssl on;
 2 | ssl_certificate     /etc/lego/certificates/{{ grains['fqdn'] }}.crt;
 3 | ssl_certificate_key /etc/lego/certificates/{{ grains['fqdn'] }}.key;
 4 | 
 5 | 
 6 | ssl_protocols TLSv1.2;
 7 | ssl_dhparam /etc/pki/tls/private/dhparams.pem;
 8 | ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESG;
 9 | ssl_prefer_server_ciphers   on;
10 | 
11 | ssl_session_timeout  60m;
12 | ssl_session_cache shared:SSL:32m;
13 | ssl_buffer_size 8k;
14 | 
15 | ssl_stapling on;
16 | ssl_stapling_verify on;
17 | resolver 8.8.8.8 8.8.4.4 valid=300s;
18 | resolver_timeout 1s;
19 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/nginx/init.sls:
--------------------------------------------------------------------------------
  1 | 
  2 | include:
  3 |   - tls
  4 | 
  5 | /etc/pki/rpm-gpg/RPM-GPG-KEY-NGINX:
  6 |   file.managed:
  7 |     - source: salt://nginx/config/RPM-GPG-KEY-NGINX
  8 |     - user: root
  9 |     - group: root
 10 |     - mode: 444
 11 | 
 12 | nginx-release:
 13 |   pkgrepo.managed:
 14 |     - humanname: nginx CentOS YUM repository
 15 |     - baseurl: http://nginx.org/packages/centos/$releasever/$basearch/
 16 |     - gpgcheck: 1
 17 |     - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NGINX
 18 |     - require:
 19 |       - file: /etc/pki/rpm-gpg/RPM-GPG-KEY-NGINX
 20 | 
 21 | nginx:
 22 |   user.present:
 23 |     - system: True
 24 |     - shell: /sbin/nologin
 25 |     - groups:
 26 |       - nginx
 27 |     - require:
 28 |       - group: nginx
 29 |   group.present:
 30 |     - system: True
 31 |   pkg:
 32 |     - installed
 33 |     - require:
 34 |       - pkgrepo: nginx-release
 35 |   service:
 36 |     - running
 37 |     - enable: True
 38 |     - reload: True
 39 |     - watch:
 40 |       - file: /etc/nginx/nginx.conf
 41 |       - file: /etc/nginx/nginx.ssl.conf
 42 |       - file: /etc/nginx/conf.d/*
 43 |     - require:
 44 |       - file: /etc/nginx/nginx.conf
 45 |       - pkg: nginx
 46 |       - user: nginx
 47 | 
 48 | /etc/nginx/nginx.conf:
 49 |   file.managed:
 50 |     - source: salt://nginx/config/nginx.conf.jinja
 51 |     - template: jinja
 52 |     - user: root
 53 |     - group: root
 54 |     - mode: 644
 55 |     - require:
 56 |       - file: /var/log/nginx
 57 | 
 58 | /etc/nginx/nginx.ssl.conf:
 59 |   file.managed:
 60 |     - source: salt://nginx/config/nginx.ssl.conf.jinja
 61 |     - template: jinja
 62 |     - user: root
 63 |     - group: root
 64 |     - mode: 644
 65 |     - require:
 66 |       - sls: tls
 67 | 
 68 | /etc/logrotate.d/nginx:
 69 |   file.managed:
 70 |     - source: salt://nginx/config/nginx.logrotate
 71 |     - user: root
 72 |     - group: root
 73 |     - mode: 644
 74 | 
 75 | /var/log/nginx:
 76 |   file.directory:
 77 |     - user: nginx
 78 |     - group: root
 79 |     - mode: 0755
 80 | 
 81 | /etc/nginx/conf.d/default.conf:
 82 |   file.absent
 83 | 
 84 | /etc/nginx/conf.d/virtual.conf:
 85 |   file.absent
 86 | 
 87 | /etc/nginx/conf.d/ssl.conf:
 88 |   file.absent
 89 | 
 90 | {% if 'datadog_api_key' in pillar %}
 91 | /etc/dd-agent/conf.d/nginx.yaml:
 92 |   file.managed:
 93 |     - user: root
 94 |     - group: root
 95 |     - mode: '0644'
 96 |     - contents: |
 97 |         init_config:
 98 |         instances:
 99 |             -   nginx_status_url: http://127.0.0.1/nginx_status/
100 | {% endif %}
101 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/openvpn/routing.sls:
--------------------------------------------------------------------------------
 1 | {% set vpn0_internal = salt["pillar.get"]("vpn0_internal_network") %}
 2 | {% set vpn1_internal = salt["pillar.get"]("vpn1_internal_network") %}
 3 | 
 4 | {% set vpn0_internal = salt["ip_picker.subnet_mask_for_cidr"](cidr=vpn0_internal) %}
 5 | {% set vpn1_internal = salt["ip_picker.subnet_mask_for_cidr"](cidr=vpn1_internal) %}
 6 | 
 7 | {% set psf_internal = salt["pillar.get"]("psf_internal_network") %}
 8 | {% set pypi_internal = salt["pillar.get"]("pypi_internal_network") %}
 9 | 
10 | {% set interfaces = salt["ip_picker.interfaces_for_cidr"](cidr=psf_internal) %}
11 | {% set gateway = salt["pillar.get"]("psf_internal_vpn_gateway") %}
12 | 
13 | {% if not interfaces %}
14 | {% set interfaces = salt["ip_picker.interfaces_for_cidr"](cidr=pypi_internal) %}
15 | {% set gateway = salt["pillar.get"]("pypi_internal_vpn_gateway") %}
16 | {% endif %}
17 | 
18 | 
19 | {% for interface in interfaces %}
20 | {{ interface }}:
21 |   network.routes:
22 |     - routes:
23 |       - name: vpn
24 |         ipaddr: {{ vpn0_internal.address }}
25 |         netmask: {{ vpn0_internal.subnet }}
26 |         gateway: {{ gateway }}
27 |       - name: vpn-https
28 |         ipaddr: {{ vpn1_internal.address }}
29 |         netmask: {{ vpn1_internal.subnet }}
30 |         gateway: {{ gateway }}
31 | {% endfor %}
32 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pkg/git.sls:
--------------------------------------------------------------------------------
1 | git:
2 |   pkg.installed
3 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/postgresql/93/RPM-GPG-KEY-PGDG-93:
--------------------------------------------------------------------------------
 1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
 2 | Version: GnuPG v1.4.7 (GNU/Linux)
 3 | 
 4 | mQGiBEeD8koRBACC1VBRsUwGr9gxFFRho9kZpdRUjBJoPhkeOTvp9LzkdAQMFngr
 5 | BFi6N0ov1kCX7LLwBmDG+JPR7N+XcH9YR1coSHpLVg+JNy2kFDd4zAyWxJafjZ3a
 6 | 9zFg9Yx+0va1BJ2t4zVcmKS4aOfbgQ5KwIOWUujalQW5Y+Fw39Gn86qjbwCg5dIo
 7 | tkM0l19h2sx50D027pV5aPsD/2c9pfcFTbMhB0CcKS836GH1qY+NCAdUwPs646ee
 8 | Ex/k9Uy4qMwhl3HuCGGGa+N6Plyon7V0TzZuRGp/1742dE8IO+I/KLy2L1d1Fxrn
 9 | XOTBZd8qe6nBwh12OMcKrsPBVBxn+iSkaG3ULsgOtx+HHLfa1/p22L5+GzGdxizr
10 | peBuA/90cCp+lYcEwdYaRoFVR501yDOTmmzBc1DrsyWP79QMEGzMqa393G0VnqXt
11 | L4pGmunq66Agw2EhPcIt3pDYiCmEt/obdVtSJH6BtmSDB/zYhbE8u3vLP3jfFDa9
12 | KXxgtYj0NvuUVoRmxSKm8jtfmj1L7zoKNz3jl+Ba3L0WxIv4+bRBUG9zdGdyZVNR
13 | TCBSUE0gQnVpbGRpbmcgUHJvamVjdCA8cGdzcWxycG1zLWhhY2tlcnNAcGdmb3Vu
14 | ZHJ5Lm9yZz6IYAQTEQIAIAUCR4PySgIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheA
15 | AAoJEB8W0uFELfD4jnkAoMqd6ZwwsgYHZ3hP9vt+DJt1uDW7AKDbRwP8ESKFhwdJ
16 | 8m91RPBeJW/tMLkCDQRHg/JKEAgA64+ZXgcERPYfZYo4p+yMTJAAa9aqnE3U4Ni6
17 | ZMB57GPuEy8NfbNya+HiftO8hoozmJdcI6XFyRBCDUVCdZ8SE+PJdOx2FFqZVIu6
18 | dKnr8ykhgLpNNEFDG3boK9UfLj/5lYQ3Y550Iym1QKOgyrJYeAp6sZ+Nx2PavsP3
19 | nMFCSD67BqAbcLCVQN7a2dAUXfEbfXJjPHXTbo1/kxtzE+KCRTLdXEbSEe3nHO04
20 | K/EgTBjeBUOxnciH5RylJ2oGy/v4xr9ed7R1jJtshsDKMdWApwoLlCBJ63jg/4T/
21 | z/OtXmu4AvmWaJxaTl7fPf2GqSqqb6jLCrQAH7AIhXr9V0zPZwADBQgAlpptNQHl
22 | u7euIdIujFwwcxyQGfee6BG+3zaNSEHMVQMuc6bxuvYmgM9r7aki/b0YMfjJBk8v
23 | OJ3Eh1vDH/woJi2iJ13vQ21ot+1JP3fMd6NPR8/qEeDnmVXu7QAtlkmSKI9Rdnjz
24 | FFSUJrQPHnKsH4V4uvAM+njwYD+VFiwlBPTKNeL8cdBb4tPN2cdVJzoAp57wkZAN
25 | VA2tKxNsTJKBi8wukaLWX8+yPHiWCNWItvyB4WCEp/rZKG4A868NM5sZQMAabpLd
26 | l4fTiGu68OYgK9qUPZvhEAL2C1jPDVHPkLm+ZsD+90Pe66w9vB00cxXuHLzm8Pad
27 | GaCXCY8h3xi6VIhJBBgRAgAJBQJHg/JKAhsMAAoJEB8W0uFELfD4K4cAoJ4yug8y
28 | 1U0cZEiF5W25HDzMTtaDAKCaM1m3Cbd+AZ0NGWNg/VvIX9MsPA==
29 | =au6K
30 | -----END PGP PUBLIC KEY BLOCK-----
31 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/postgresql/93/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - postgresql.93.repo
 4 | 
 5 | postgresql93-server:
 6 |   pkg:
 7 |     - installed
 8 |     - require:
 9 |       - pkgrepo: pgdg-93-centos
10 |   service:
11 |     - name: postgresql-9.3
12 |     - running
13 |     - enable: True
14 |     - reload: True
15 |     - watch:
16 |       - file: /var/lib/pgsql/9.3/data/pg_hba.conf
17 |     - require:
18 |       - pkg: postgresql93-server
19 |   cmd.wait:
20 |     - name: service postgresql-9.3 initdb
21 |     - watch:
22 |       - pkg: postgresql93-server
23 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/postgresql/93/repo.sls:
--------------------------------------------------------------------------------
 1 | /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-93:
 2 |   file.managed:
 3 |     - source: salt://postgresql/93/RPM-GPG-KEY-PGDG-93
 4 |     - user: root
 5 |     - group: root
 6 |     - mode: 444
 7 | 
 8 | pgdg-93-centos:
 9 |   pkgrepo.managed:
10 |     - humanname: PostgreSQL 9.3 $releasever - $basearch
11 |     - baseurl: http://yum.postgresql.org/9.3/redhat/rhel-$releasever-$basearch
12 |     - gpgcheck: 1
13 |     - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-93
14 |     - require:
15 |       - file: /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-93
16 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/config/bandersnatch.conf.jinja:
--------------------------------------------------------------------------------
 1 | 
 2 | [mirror]
 3 | directory = {{ directory }}
 4 | json = true
 5 | master = {{ master }}
 6 | timeout = {{ timeout }}
 7 | workers = {{ workers }}
 8 | stop-on-error = {{ stop_on_error }}
 9 | delete-packages = {{ delete_packages }}
10 | 
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/config/bandersnatch.logrotate.conf:
--------------------------------------------------------------------------------
 1 | /var/log/nginx/{{ mirror }}-mirror/*.log {
 2 |     daily
 3 |     rotate 14
 4 |     missingok
 5 |     notifempty
 6 |     compress
 7 |     delaycompress
 8 |     sharedscripts
 9 |     postrotate
10 |         /bin/kill -USR1 $(cat /var/run/nginx.pid 2>/dev/null) 2>/dev/null || :
11 |     endscript
12 | }
13 | 
14 | /data/{{ mirror }}-mirror/*.log {
15 |     daily
16 |     rotate 7
17 |     missingok
18 |     notifempty
19 |     compress
20 |     delaycompress
21 | }
22 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/config/bandersnatch.nginx.app.conf:
--------------------------------------------------------------------------------
 1 |     autoindex on;
 2 |     charset utf-8;
 3 | 
 4 |     add_header Surrogate-Control max-age=60;
 5 | 
 6 |     error_page 503 /index.html;
 7 | 
 8 |     location = /last-modified {
 9 |         access_log off;
10 |     }
11 | 
12 |     location = /index.html {
13 |         root /usr/share/www/mirror/{{ mirror }};
14 |     }
15 | 
16 |     location = /daytime {
17 |         return 501;
18 |     }
19 | 
20 |     root /data/{{ mirror }}-mirror/web;
21 | 
22 |     location /local-stats {}
23 |     location /packages {}
24 |     location /simple {}
25 |     location /serversig {}
26 | 
27 |     location / {
28 |         return 503;
29 |     }
30 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/config/bandersnatch.nginx.conf:
--------------------------------------------------------------------------------
 1 | 
 2 | log_format {{ mirror }}_fastly_backend '$remote_addr $http_x_forwarded_for $remote_user [$time_local]  '
 3 |                                        '"$request" $status $body_bytes_sent '
 4 |                                        '"$http_referer" "$http_user_agent"';
 5 | 
 6 | server {
 7 |     listen 80;
 8 |     server_name {{ server_names }};
 9 | 
10 |     access_log /var/log/nginx/{{ mirror }}-mirror/access.log {{ mirror }}_fastly_backend;
11 |     error_log /var/log/nginx/{{ mirror }}-mirror/error.log;
12 | 
13 |     include conf.d/{{ mirror }}-mirror/app.conf;
14 | }
15 | 
16 | server {
17 |     listen 443;
18 |     server_name {{ server_names }};
19 |     include nginx.ssl.conf;
20 | 
21 |     access_log /var/log/nginx/{{ mirror }}-mirror/access.log {{ mirror }}_fastly_backend;
22 |     error_log /var/log/nginx/{{ mirror }}-mirror/error.log;
23 | 
24 |     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
25 |     include conf.d/{{ mirror }}-mirror/app.conf;
26 | }
27 | 
28 | 
29 | server {
30 |     listen {{ tls_port }};
31 |     include nginx.ssl.conf;
32 | 
33 |     access_log /var/log/nginx/{{ mirror }}-mirror/access.log {{ mirror }}_fastly_backend;
34 |     error_log /var/log/nginx/{{ mirror }}-mirror/error.log;
35 | 
36 |     port_in_redirect off;
37 | 
38 |     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
39 |     include conf.d/{{ mirror }}-mirror/app.conf;
40 | }
41 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/config/crontab.jinja:
--------------------------------------------------------------------------------
1 | {% if 'develop' in grains['roles'] %}
2 | #*/1 * * * * pypi-mirror /opt/bandersnatch/bin/bandersnatch -c /etc/bandersnatch/{{ mirror }}-mirror.conf mirror |& logger -t bandersnatch[{{ mirror }}-mirror]
3 | {% else %}
4 | */1 * * * * pypi-mirror /opt/bandersnatch/bin/bandersnatch -c /etc/bandersnatch/{{ mirror }}-mirror.conf mirror |& logger -t bandersnatch[{{ mirror }}-mirror]
5 | {% endif %}
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi-mirror/init.sls:
--------------------------------------------------------------------------------
  1 | 
  2 | include:
  3 |   - nginx
  4 |   - monitoring.client.pypi-mirror
  5 |   - python.35
  6 | 
  7 | pypi-mirror:
  8 |   user.present:
  9 |     - home: /home/pypi-mirror
 10 | 
 11 | /etc/bandersnatch:
 12 |   file.directory
 13 | 
 14 | /opt/bandersnatch:
 15 |   file.directory:
 16 |     - mode: 755
 17 |     - makedirs: True
 18 |   virtualenv.managed:
 19 |     - venv_bin: /usr/bin/pyvenv-3.5
 20 |     - system_site_packages: False
 21 |     - require:
 22 |       - file: /opt/bandersnatch
 23 | 
 24 | bandersnatch:
 25 |   pip.installed:
 26 |     - name: bandersnatch==2.1.3
 27 |     - bin_env: /opt/bandersnatch
 28 |     - require:
 29 |       - virtualenv: /opt/bandersnatch
 30 | 
 31 | {% for mirror, config in salt['pillar.get']('bandersnatch').iteritems() %}
 32 | 
 33 | /usr/share/www/mirror/{{ mirror }}/index.html:
 34 |   file.managed:
 35 |     - makedirs: True
 36 |     - source: salt://pypi-mirror/config/index.html.jinja
 37 |     - template: jinja
 38 |     - context:
 39 |       source_url: {{ config.get('mirror', {}).get('master', 'https://pypi.python.org') }}
 40 | 
 41 | /data/{{ mirror }}-mirror:
 42 |   file.directory:
 43 |     - user: pypi-mirror
 44 |     - group: pypi-mirror
 45 |     - mode: 755
 46 |     - makedirs: True
 47 |     - require:
 48 |       - user: pypi-mirror
 49 | 
 50 | /var/log/nginx/{{ mirror }}-mirror:
 51 |   file.directory:
 52 |     - user: root
 53 |     - group: root
 54 |     - makedirs: True
 55 | 
 56 | /etc/nginx/conf.d/{{ mirror }}-mirror:
 57 |   file.directory
 58 | 
 59 | /etc/nginx/conf.d/{{ mirror }}-mirror/app.conf:
 60 |   file.managed:
 61 |     - source: salt://pypi-mirror/config/bandersnatch.nginx.app.conf
 62 |     - template: jinja
 63 |     - context:
 64 |       mirror: {{ mirror }}
 65 |     - user: root
 66 |     - group: root
 67 |     - mode: 640
 68 |     - makedirs: True
 69 |     - require:
 70 |       - file: /etc/nginx/conf.d/{{ mirror }}-mirror
 71 | 
 72 | /etc/nginx/conf.d/{{ mirror }}-mirror.conf:
 73 |   file.managed:
 74 |     - source: salt://pypi-mirror/config/bandersnatch.nginx.conf
 75 |     - template: jinja
 76 |     - context:
 77 |       mirror: {{ mirror }}
 78 |       server_names: {{ " ".join(config.get('server_names')) }}
 79 |       tls_port: {{ config.get('tls_port', '8989') }}
 80 |     - user: root
 81 |     - group: root
 82 |     - mode: 640
 83 |     - makedirs: True
 84 |     - require:
 85 |       - file: /etc/nginx/conf.d/{{ mirror }}-mirror/app.conf
 86 |       - file: /var/log/nginx/{{ mirror }}-mirror
 87 | 
 88 | /etc/logrotate.d/{{ mirror }}-mirror:
 89 |   file.managed:
 90 |     - source: salt://pypi-mirror/config/bandersnatch.logrotate.conf
 91 |     - template: jinja
 92 |     - context:
 93 |       mirror: {{ mirror }}
 94 |     - user: root
 95 |     - group: root
 96 |     - mode: 644
 97 |     - makedirs: True
 98 | 
 99 | /etc/bandersnatch/{{ mirror }}-mirror.conf:
100 |   file.managed:
101 |     - source: salt://pypi-mirror/config/bandersnatch.conf.jinja
102 |     - template: jinja
103 |     - context:
104 |       directory: {{ config.get('mirror', {}).get('directory', '/data/pypi') }}
105 |       master: {{ config.get('mirror', {}).get('master', 'https://pypi.python.org') }}
106 |       timeout: {{ config.get('mirror', {}).get('timeout', '10') }}
107 |       workers: {{ config.get('mirror', {}).get('workers', '3') }}
108 |       stop_on_error: {{ config.get('mirror', {}).get('stop-on-error', 'false') }}
109 |       delete_packages: {{ config.get('mirror', {}).get('delete-packages', 'true') }}
110 |       access_log_pattern: {{ config.get('statistics', {}).get('access-log-pattern', '/var/log/nginx/pypi-mirror/access*.log') }}
111 |     - require:
112 |       - file: /etc/bandersnatch
113 | 
114 | {% if 'develop' in grains['roles'] %}
115 | {% if not salt['file.directory_exists']('/data/' + mirror + '-mirror/web') %}
116 | bandersnatch_short_sync:
117 |   cmd.run:
118 |     - name: '( /opt/bandersnatch/bin/bandersnatch -c /etc/bandersnatch/{{ mirror }}-mirror.conf mirror ) & sleep 30; kill $!'
119 |     - cwd: /opt/bandersnatch
120 |     - user: pypi-mirror
121 |     - require:
122 |       - file: /etc/bandersnatch/{{ mirror }}-mirror.conf
123 |       - virtualenv: /opt/bandersnatch
124 | {% endif %}
125 | {% endif %}
126 | 
127 | /etc/cron.d/{{ mirror }}-mirror:
128 |   file.managed:
129 |     - source: salt://pypi-mirror/config/crontab.jinja
130 |     - template: jinja
131 |     - context:
132 |       mirror: {{ mirror }}
133 |     - require:
134 |       - file: /etc/bandersnatch/{{ mirror }}-mirror.conf
135 |       - virtualenv: /opt/bandersnatch
136 | 
137 | {% endfor %}
138 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/base.sls:
--------------------------------------------------------------------------------
  1 | 
  2 | include:
  3 |   - python.27.virtualenv
  4 |   - pkg.git
  5 | 
  6 | pypi-system-deps:
  7 |   pkg.installed:
  8 |     - pkgs:
  9 |       - python27-devel
 10 |       - postgresql-devel
 11 |       - gcc
 12 |       - openssl-devel
 13 |       - libffi-devel
 14 |     - require:
 15 |       - pkgrepo: ewdurbin-pythons-el6
 16 | 
 17 | 
 18 | # Fix an error with Elastcisearch's IPv6 going sideways
 19 | net.ipv6.conf.all.disable_ipv6:
 20 |   sysctl.present:
 21 |     - value: 1
 22 | 
 23 | {% set deploys = {} %}
 24 | {% for k,v in pillar.items() %}
 25 |   {% if k.startswith('pypi-deploy-') %}
 26 |     {% do deploys.update({k: v}) %}
 27 |   {% endif %}
 28 | {% endfor %}
 29 | 
 30 | {% for key, config in deploys.items() %}
 31 | 
 32 | {{ config['name'] }}-user:
 33 |   group.present:
 34 |     - name: {{ config['group'] }}
 35 |     - gid: {{ config['group_gid'] }}
 36 |   user.present:
 37 |     - name: {{ config['user'] }}
 38 |     - uid: {{ config['user_uid'] }}
 39 |     - gid: {{ config['group_gid'] }}
 40 |     - home: {{ config['path'] }}
 41 |     - createhome: True
 42 |     - require:
 43 |       - group: {{ config['group'] }}
 44 | 
 45 | {{ config['path'] }}:
 46 |   file.directory:
 47 |     - user: {{ config['user'] }}
 48 |     - group: {{ config['group'] }}
 49 |     - mode: 755
 50 | 
 51 | /var/log/{{ config['name'] }}:
 52 |   file.directory:
 53 |     - user: {{ config['user'] }}
 54 |     - group: {{ config['group'] }}
 55 |     - mode: 750
 56 | 
 57 | /var/run/{{ config['name'] }}:
 58 |   file.directory:
 59 |     - user: {{ config['user'] }}
 60 |     - group: {{ config['group'] }}
 61 |     - mode: 755
 62 | 
 63 | {{ config['name'] }}-source:
 64 |   git.latest:
 65 |     - name: {{ config.get('source_uri', "https://github.com/pypa/pypi-legacy.git") }}
 66 |     - rev: {{ config.get('source_rev', "master") }}
 67 |     - target: {{ config['path'] }}/src
 68 |     - user: {{ config['name'] }}
 69 |     - require:
 70 |       - user: {{ config['name'] }}
 71 |       - file: {{ config['path'] }}
 72 | 
 73 | /opt/{{ config['name'] }}/env:
 74 |   virtualenv.managed:
 75 |     - venv_bin: /usr/bin/virtualenv
 76 |     - python: /usr/bin/python2.7
 77 |     - system_site_packages: {{ config.get('site_packages', True) }}
 78 |     - user: {{ config['name'] }}
 79 |     - cwd: {{ config['path'] }}/src
 80 |     - requirements: {{ config['path'] }}/src/requirements.txt
 81 |     - require:
 82 |       - file: {{ config['path'] }}
 83 |       - git: {{ config['name'] }}-source
 84 |       - user: {{ config['user'] }}
 85 |       - pip: virtualenv-2.7
 86 |       - pkg: pypi-system-deps
 87 | 
 88 | /opt/{{ config['name'] }}/uwsgi/plugins:
 89 |   file.directory:
 90 |     - user: {{ config['user'] }}
 91 |     - group: {{ config['group'] }}
 92 |     - mode: 755
 93 |     - makedirs: True
 94 | 
 95 | {{ config['name'] }}_initial_build_dogstatsd_uwsgi:
 96 |   cmd.run:
 97 |     - creates: /opt/{{ config['name'] }}/uwsgi/plugins/dogstatsd_plugin.so
 98 |     - name: "/opt/{{ config['name'] }}/env/bin/uwsgi --build-plugin https://github.com/Datadog/uwsgi-dogstatsd"
 99 |     - user: {{ config['user'] }}
100 |     - cwd: /opt/{{ config['name'] }}/uwsgi/plugins
101 | 
102 | {{ config['name'] }}_build_dogstatsd_uwsgi:
103 |   cmd.run:
104 |     - onchanges:
105 |       - virtualenv: /opt/{{ config['name'] }}/env
106 |     - name: "/opt/{{ config['name'] }}/env/bin/uwsgi --build-plugin https://github.com/Datadog/uwsgi-dogstatsd"
107 |     - user: {{ config['user'] }}
108 |     - cwd: /opt/{{ config['name'] }}/uwsgi/plugins
109 | 
110 | {{ config['path'] }}/src/config.ini:
111 |   file.managed:
112 |     - source: salt://pypi/config/pypi.ini.jinja
113 |     - user: {{ config['name'] }}
114 |     - group: {{ config['name'] }}
115 |     - mode: 640
116 |     - template: jinja
117 |     - context:
118 |       app_key: {{ key }}
119 |     - require:
120 |       - file: /var/log/{{ config['name'] }}
121 |       - file: /var/run/{{ config['name'] }}
122 |       - virtualenv: {{ config['path'] }}/env
123 | 
124 | {% endfor %}
125 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi-cdn-log-archiver-wrapper.sh.jinja:
--------------------------------------------------------------------------------
 1 | {% set secrets = salt['pillar.get']("secrets-"+app_key) -%}
 2 | #!/bin/bash
 3 | export ACCESS_KEY={{ secrets['cdn_log_archiver']['access_key'] }}
 4 | export SECRET_KEY={{ secrets['cdn_log_archiver']['secret_key'] }}
 5 | export PYPI_LOG_BUCKET={{ pypi_log_bucket }}
 6 | export S3_HOST={{ s3_host }}
 7 | {% if debug -%}
 8 | export DEBUG=10
 9 | {%- endif %}
10 | 
11 | /opt/pypi-cdn-log-archiver/env/bin/pypi-cdn-log-archiver
12 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi-docs-proxy.ini.jinja:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | 
 3 | [program:{{ config['name'] }}-docs-proxy]
 4 | command = /opt/pypi-docs-proxy/env/bin/gunicorn -k eventlet -b 0.0.0.0:{{ config['docs_port'] }} --access-logfile - --error-logfile - docs_proxy:application
 5 | autostart = true
 6 | autorestart = true
 7 | stopwaitsecs = 15
 8 | stopsignal = TERM
 9 | stdout_logfile = /var/log/{{ config['name'] }}/docs-proxy.stdout.log
10 | stderr_logfile = /var/log/{{ config['name'] }}/docs-proxy.stderr.log
11 | user = {{ config['user'] }}
12 | environment = DOCS_PROXY_BUCKET={{ config['docs_bucket'] }}
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi-syslog.logrotate.conf:
--------------------------------------------------------------------------------
 1 | /var/log/cdn/{{ syslog_name }}/*.log {
 2 |     rotate 24
 3 |     missingok
 4 |     notifempty
 5 |     compress
 6 |     sharedscripts
 7 |     dateext
 8 |     dateformat -%Y-%m-%d-%s
 9 |     postrotate
10 |         /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
11 |     endscript
12 | }
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi-worker.ini.jinja:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | 
 3 | [program:{{ config['name'] }}-worker]
 4 | command = {{ config['path'] }}/env/bin/python {{ config['path'] }}/src/tools/worker.py
 5 | autostart = true
 6 | autorestart = true
 7 | stopwaitsecs = 15
 8 | stopsignal = TERM
 9 | stdout_logfile = /var/log/{{ config['name'] }}/worker.stdout.log
10 | stderr_logfile = /var/log/{{ config['name'] }}/worker.stderr.log
11 | user = {{ config['user'] }}
12 | directory = {{ config['path'] }}/src
13 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.ini.jinja:
--------------------------------------------------------------------------------
  1 | {% set config = salt['pillar.get'](app_key) %}
  2 | {% set secrets = salt['pillar.get']("secrets-"+app_key) %}
  3 | 
  4 | [database]
  5 | 
  6 | ; Postgres Database
  7 | host = {{ secrets['postgresql']['host'] }}
  8 | port = {{ secrets['postgresql'].get('port', '5432') }}
  9 | name = {{ secrets['postgresql']['database'] }}
 10 | user = {{ secrets['postgresql']['user'] }}
 11 | password={{ secrets['postgresql']['password'] }}
 12 | 
 13 | ; Redis
 14 | {% for key, value in secrets['redis'].iteritems() %}
 15 | {{ key }} = {{ value }}
 16 | {% endfor %}
 17 | 
 18 | ; Storage Directories
 19 | files_dir = {{ config['data_mount'] }}/packages
 20 | docs_dir = {{ config['data_mount'] }}/packagedocs
 21 | 
 22 | ; S3 Buckets
 23 | files_bucket = {{ config['files_bucket'] }}
 24 | docs_bucket = {{ config['docs_bucket'] }}
 25 | 
 26 | ; AWS Key
 27 | aws_access_key_id = {{ secrets['aws']['aws_access_key_id'] }}
 28 | aws_secret_access_key = {{ secrets['aws']['aws_secret_access_key'] }}
 29 | 
 30 | ; ElasticSearch
 31 | {% if secrets.get('releases_index_url', False) and secrets.get('releases_index_name', False) %}
 32 | releases_index_url = {{ secrets['releases_index_url'] }}
 33 | releases_index_name = {{ secrets['releases_index_name'] }}
 34 | {% endif %}
 35 | 
 36 | ; Third-Party
 37 | pubsubhubbub = http://pubsubhubbub.appspot.com/
 38 | 
 39 | [webui]
 40 | 
 41 | ; PyPI config
 42 | debug_mode = no
 43 | rss_file = /tmp/{{ app_key }}-rss.xml
 44 | packages_rss_file = /tmp/{{ app_key }}-packages_rss.xml
 45 | 
 46 | ; Email
 47 | adminemail = PyPI Admin <admin@mail.pypi.python.org>
 48 | replyto = admin@mail.pypi.python.org
 49 | 
 50 | ; Secrets
 51 | sshkeys_update = {{ config['path'] }}/src/sshkeys_update
 52 | key_dir = {{ config['path'] }}/secret
 53 | cheesecake_password =  {{ secrets['webui']['cheescake_password'] }}
 54 | reset_secret = {{ secrets['webui']['reset_secret'] }}
 55 | 
 56 | ; URI Paths
 57 | simple_script = /simple
 58 | raw_package_prefix = /raw-packages
 59 | simple_sign_script = /serversig
 60 | 
 61 | ; URLs
 62 | url = {{ config['url'] }}/pypi
 63 | files_url = {{ config['url'] }}/packages/
 64 | pydotorg = https://www.python.org/
 65 | package_docs_url = http://pythonhosted.org/
 66 | 
 67 | ; StatusPage.io
 68 | statuspage_id = {{ config['statuspage_id'] }}
 69 | 
 70 | [smtp]
 71 | hostname = {{ secrets['smtp']['hostname'] }}
 72 | starttls = {{ secrets['smtp'].get('starttls', 'off') }}
 73 | auth = {{ secrets['smtp'].get('auth', 'off') }}
 74 | login = {{ secrets['smtp'].get('login', '') }}
 75 | password = {{ secrets['smtp'].get('password', '') }}
 76 | 
 77 | [passlib]
 78 | schemes = argon2, bcrypt_sha256, bcrypt, django_bcrypt, unix_disabled
 79 | argon2__time_cost=6
 80 | argon2__memory_cost=1024
 81 | argon2__parallelism=6
 82 | 
 83 | [logging]
 84 | file = /var/log/{{ config['name'] }}/pypi.log
 85 | mail_logger = {{ secrets['logging'].get('mail_logger', 'off') }}
 86 | fromaddr = {{ secrets['logging']['fromaddr'] }}
 87 | toaddrs = {{ secrets['logging']['toaddrs'] }}
 88 | 
 89 | [sentry]
 90 | dsn = {{ secrets['sentry']['dsn'] }}
 91 | 
 92 | [uwsgi]
 93 | uid={{ config['user'] }}
 94 | gid={{ config['group'] }}
 95 | wsgi-file = {{ config['path'] }}/src/pypi.wsgi
 96 | socket = /var/run/{{ config['name'] }}/pypi.sock
 97 | stats = /var/run/{{ config['name'] }}/pypi-stats.sock
 98 | pidfile = /var/run/{{ config['name'] }}/pypi.pid
 99 | daemonize = 127.0.0.1:8224
100 | processes = {{ secrets['uwsgi'].get('processes', 2) }}
101 | harakiri = 60
102 | reload-on-as = 400
103 | reload-on-rss = 128
104 | max-requests = 5000
105 | master = 1
106 | post-buffering = 8192
107 | chmod-socket = 666
108 | disable-logging = true
109 | log-5xx = true
110 | logto2 = /var/log/{{ config['name'] }}/uwsgi.log
111 | listen = 1024
112 | buffer-size = 16384
113 | ignore-sigpipe = true
114 | ignore-write-errors = true
115 | disable-write-exception = true
116 | plugins-dir = /opt/{{ config['name'] }}/uwsgi/plugins
117 | 
118 | {% if 'datadog_api_key' in pillar %}
119 | enable-metrics = true
120 | plugin = dogstatsd
121 | stats-push = dogstatsd:127.0.0.1:18125,{{ config['name'] }}
122 | {% endif %}
123 | 
124 | ; CDN API
125 | [fastly]
126 | api_domain = https://api.fastly.com/
127 | api_key = {{ secrets['fastly']['api_key'] }}
128 | service_id = {{ secrets['fastly']['service_id'] }}
129 | 
130 | [blocking]
131 | blocked_timeout = {{ secrets.get('blocking', {}).get('blocked_timeout', 600) }}
132 | blocked_attempts = {{ secrets.get('blocking', {}).get('blocked_attempts', 10) }}
133 | blocked_attempts_ip = {{ secrets.get('blocking', {}).get('blocked_attempts_ip', 20) }}
134 | blocked_attempts_user = {{ secrets.get('blocking', {}).get('blocked_attempts_user', 1000) }}
135 | 
136 | [xmlrpc]
137 | max_concurrent = {{ secrets.get('xmlrpc', {}).get('max_concurrent', 9999) }}
138 | enforce = {{ secrets.get('xmlrpc', {}).get('enforce', 'false') }}
139 | request_log_file = /var/log/{{ config['name'] }}/xmlrpc.log
140 | 
141 | [authomatic]
142 | secure = {{ secrets.get('authomatic', {}).get('secure', 'true') }}
143 | secret = {{ secrets.get('authomatic', {}).get('secret', 'randodata') }}
144 | 
145 | [google]
146 | client_id = {{ secrets.get('google', {}).get('client_id', '') }}
147 | client_secret = {{ secrets.get('google', {}).get('client_secret', '') }}
148 | 
149 | [datadog]
150 | dogstatsd_port = 18125
151 | tags = deployment:{{ config['name'] }}
152 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.initd.jinja:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | #!/bin/sh
 3 | 
 4 | ### BEGIN INIT INFO
 5 | # Provides:          {{ config['name'] }}
 6 | # Required-Start:    $local_fs $remote_fs $network
 7 | # Required-Stop:     $local_fs $remote_fs $network
 8 | # Default-Start:     2 3 4 5
 9 | # Default-Stop:      0 1 6
10 | # Short-Description: starts the {{ config['name'] }} uwsgi server
11 | # Description:       starts the {{ config['name'] }} uwsgi server
12 | ### END INIT INFO
13 | 
14 | . /etc/rc.d/init.d/functions
15 | 
16 | daemon={{ config['path'] }}/env/bin/uwsgi
17 | pidfile=/var/run/{{ config['name'] }}/pypi.pid
18 | lockfile=/var/lock/subsys/{{ config['name'] }}
19 | 
20 | prog={{ config['name'] }}
21 | 
22 | daemon_opts="{{ config['path'] }}/src/config.ini"
23 | 
24 | start() {
25 |     [ -x $daemon ] || exit 5
26 |     echo -n $"Starting $prog: "
27 |     daemon $daemon $daemon_opts
28 |     retval=$?
29 |     echo
30 |     [ $retval -eq 0 ] && touch $lockfile
31 |     return $retval
32 | }
33 | 
34 | stop() {
35 |     echo -n $"Stopping $prog: "
36 |     killproc -p $pidfile $prog
37 |     retval=$?
38 |     echo
39 |     [ $retval -eq 0 ] && rm -f $lockfile
40 |     return $retval
41 | }
42 | 
43 | check_status() {
44 |     status -p $pidfile
45 | }
46 | 
47 | check_status_q() {
48 |     status -p $pidfile > /dev/null 2>&1
49 | }
50 | 
51 | reload() {
52 |     echo -n $"Reloading $prog: "
53 |     killproc -p $pidfile $prog -HUP
54 |     echo
55 | }
56 | 
57 | case "$1" in
58 |   start)
59 |         check_status_q && exit 0
60 |         start
61 |         ;;
62 |   stop)
63 |         check_status_q || exit 0
64 |         stop
65 |         ;;
66 |   status)
67 |         check_status
68 |         ;;
69 |   reload)
70 |         reload
71 |         ;;
72 |   force-reload)
73 |         reload
74 |         ;;
75 |   restart)
76 |         stop
77 |         start
78 |         ;;
79 |   *)
80 |         echo "Usage: $proc {start|stop|status|restart|reload|force-reload}" >&2
81 |         exit 1
82 |         ;;
83 | esac
84 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.logrotate.conf:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | 
 3 | /var/log/nginx/{{ config['name'] }}/*.log {
 4 |     daily
 5 |     rotate 14
 6 |     missingok
 7 |     notifempty
 8 |     compress
 9 |     delaycompress
10 |     sharedscripts
11 |     postrotate
12 |         /bin/kill -USR1 $(cat /var/run/nginx.pid 2>/dev/null) 2>/dev/null || :
13 |     endscript
14 | }
15 | 
16 | /var/log/{{ config['name'] }}/*.log {
17 |     daily
18 |     rotate 14
19 |     missingok
20 |     notifempty
21 |     compress
22 |     delaycompress
23 |     sharedscripts
24 |     copytruncate
25 | }
26 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.nginx.app.conf.jinja:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | 
 3 | access_log /var/log/nginx/{{ config['name'] }}/access.log;
 4 | error_log /var/log/nginx/{{ config['name'] }}/error.log;
 5 | 
 6 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 7 | 
 8 | set_real_ip_from 0.0.0.0/0;
 9 | real_ip_header X-Forwarded-For;
10 | 
11 | server_name_in_redirect off;
12 | port_in_redirect off;
13 | 
14 | rewrite ^/$ /pypi redirect;
15 | 
16 | client_max_body_size 100M;
17 | 
18 | location ~* ^/(daytime|serial).* {
19 |   access_log off;
20 |   include uwsgi_params;
21 |   uwsgi_pass unix:/var/run/{{ config['name'] }}/pypi.sock;
22 |   uwsgi_param SCRIPT_NAME /$1;
23 |   # the following magic stands for "UWSGI_MODIFIER_MANAGE_PATH_INFO"
24 |   # .. when setting the SCRIPT_NAME remove that bit from the PATH_INFO
25 |   uwsgi_modifier1 30;
26 | }
27 | 
28 | location ~* ^/pypi/.*/json$ {
29 |   include uwsgi_params;
30 |   {% if rate_limit is defined %}
31 |   limit_req zone={{ zone_name }} burst={{ burst }} {% if nodelay -%}nodelay{%- endif -%};
32 |   limit_req_status 429;
33 |   {% endif %}
34 |   uwsgi_pass unix:/var/run/{{ config['name'] }}/pypi.sock;
35 |   uwsgi_param SCRIPT_NAME /$1;
36 |   # the following magic stands for "UWSGI_MODIFIER_MANAGE_PATH_INFO"
37 |   # .. when setting the SCRIPT_NAME remove that bit from the PATH_INFO
38 |   uwsgi_modifier1 30;
39 | }
40 | 
41 | location ~* ^/(pypi|mirrors|oauth|security|tos|google_login|openid_login|openid_claim).* {
42 |   error_page 500 502 503 504 /static/error/500.html;
43 |   error_page 404 /static/error/400.html;
44 |   error_page 429 /static/error/429.html;
45 |   uwsgi_intercept_errors on;
46 |   include uwsgi_params;
47 |   {% if rate_limit is defined %}
48 |   limit_req zone={{ zone_name }} burst={{ burst }} {% if nodelay -%}nodelay{%- endif -%};
49 |   limit_req_status 429;
50 |   {% endif %}
51 |   uwsgi_pass unix:/var/run/{{ config['name'] }}/pypi.sock;
52 |   uwsgi_param SCRIPT_NAME /$1;
53 |   # the following magic stands for "UWSGI_MODIFIER_MANAGE_PATH_INFO"
54 |   # .. when setting the SCRIPT_NAME remove that bit from the PATH_INFO
55 |   uwsgi_modifier1 30;
56 | }
57 | 
58 | location ~* ^/(simple|serversig|packages).* {
59 |   include uwsgi_params;
60 |   uwsgi_pass unix:/var/run/{{ config['name'] }}/pypi.sock;
61 |   uwsgi_param SCRIPT_NAME /$1;
62 |   # the following magic stands for "UWSGI_MODIFIER_MANAGE_PATH_INFO"
63 |   # .. when setting the SCRIPT_NAME remove that bit from the PATH_INFO
64 |   uwsgi_modifier1 30;
65 | 
66 |   gzip on;
67 |   gzip_comp_level 9;
68 |   gzip_vary on;
69 | }
70 | 
71 | location /raw-packages {
72 |   alias {{ config['data_mount'] }}/packages;
73 | 
74 |   add_header X-PYPI-LAST-SERIAL $upstream_http_x_pypi_last_serial;
75 |   add_header Surrogate-Key $upstream_http_surrogate_key;
76 | 
77 |   internal;
78 | 
79 |   autoindex on;
80 | 
81 |   add_header Strict-Transport-Security "max-age=31536000";
82 | }
83 | 
84 | location ~* ^/(stats|local-stats).* {
85 |   autoindex on;
86 | }
87 | 
88 | location /static {
89 |   alias {{ config['path'] }}/src/static;
90 | 
91 |   add_header Cache-Control public;
92 |   expires    1d;
93 | }
94 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.nginx.conf.jinja:
--------------------------------------------------------------------------------
 1 | {% set config = salt['pillar.get'](app_key) %}
 2 | 
 3 | server {
 4 |   listen 443;
 5 |   server_name {{ " ".join(config['server_names']) }};
 6 |   include nginx.ssl.conf;
 7 |   include conf.d/{{ config['name'] }}/app.conf;
 8 | }
 9 | 
10 | server {
11 |   listen {{ config['tls_port'] }};
12 |   include nginx.ssl.conf;
13 |   include conf.d/{{ config['name'] }}/app.conf;
14 | }
15 | 
16 | {% if serve_docs %}
17 | server {
18 |   listen {{ config['docs_port'] }};
19 |   server_name_in_redirect off;
20 |   port_in_redirect off;
21 |   root {{ config['data_mount'] }}/packagedocs;
22 |   rewrite ^([^.]*[^/])$ https://$http_host$request_uri/ permanent;
23 | }
24 | {% endif %}
25 | 
26 | server {
27 |   listen {{ config['internal_pypi_port']}};
28 |   include conf.d/{{ config['name'] }}/app.conf;
29 | }
30 | 
31 | server {
32 |   listen {{ config['internal_docs_port']}};
33 |   server_name_in_redirect off;
34 |   port_in_redirect off;
35 |   root {{ config['data_mount'] }}/packagedocs;
36 |   rewrite ^([^.]*[^/])$ https://$http_host$request_uri/ permanent;
37 | }
38 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.nginx.ratelimit.conf.jinja:
--------------------------------------------------------------------------------
1 | limit_req_zone $binary_remote_addr zone={{ zone_name }}:{{ zone_size }} rate={{ max_rate }};
2 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/pypi.rsyslog.conf.jinja:
--------------------------------------------------------------------------------
 1 | # Provides UDP syslog reception
 2 | $ModLoad imudp
 3 | $UDPServerRun 514
 4 | 
 5 | # Provides TCP syslog reception
 6 | $ModLoad imtcp
 7 | $InputTCPServerRun 514
 8 | 
 9 | $ModLoad imtcp
10 | $InputTCPServerRun 514
11 | 
12 | # Don't rate-limit
13 | $SystemLogRateLimitInterval 0
14 | 
15 | # Don't filter duplicate lines
16 | $RepeatedMsgReduction off
17 | 
18 | $DirCreateMode 0755
19 | 
20 | # Log everything from the CDN to a file
21 | :app-name, isequal, "{{ syslog_name }}" /var/log/cdn/{{ syslog_name }}/access.log
22 | # Discard logs
23 | :app-name, isequal, "{{ syslog_name }}" ~
24 | 
25 | $DirCreateMode 0700
26 | 
27 | # Turn back on filtering duplicate lines
28 | $RepeatedMsgReduction on
29 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/config/test-pg_hba.conf:
--------------------------------------------------------------------------------
1 | local   all         all                               ident
2 | host    all         all         127.0.0.1/32          md5
3 | host    all         all         ::1/128               md5
4 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/dev-db.sls:
--------------------------------------------------------------------------------
  1 | {% set deploys = {} %}
  2 | {% for k,v in pillar.items() %}
  3 |   {% if k.startswith('pypi-deploy-') %}
  4 |     {% do deploys.update({k: v}) %}
  5 |   {% endif %}
  6 | {% endfor %}
  7 | 
  8 | postgresql:
  9 |   pkg.installed
 10 | 
 11 | pypi_postgres_contrib:
 12 |   pkg.installed:
 13 |     - name: postgresql93-contrib
 14 | 
 15 | pypi_postgres_pg_hba:
 16 |   file.managed:
 17 |     - name: /var/lib/pgsql/9.3/data/pg_hba.conf
 18 |     - source: salt://pypi/config/test-pg_hba.conf
 19 |     - user: postgres
 20 |     - group: postgres
 21 |     - mode: 600
 22 |     - require:
 23 |       - pkg: postgresql93-server
 24 |       - cmd: postgresql93-server
 25 | 
 26 | {% for key, config in deploys.items() %}
 27 | {% set secrets = salt['pillar.get']("secrets-"+key) %}
 28 | 
 29 | {{ config['name'] }}_dev_postgres_user:
 30 |   postgres_user.present:
 31 |     - name: {{ secrets['postgresql']['user'] }}
 32 |     - password: {{ secrets['postgresql']['password'] }}
 33 |     - user: postgres
 34 |     - require:
 35 |       - service: postgresql-9.3
 36 |       - pkg: postgresql
 37 | 
 38 | {{ config['name'] }}_postgres_database:
 39 |   postgres_database.present:
 40 |     - name: {{ secrets['postgresql']['database'] }}
 41 |     - owner: {{ secrets['postgresql']['user'] }}
 42 |     - require:
 43 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 44 | 
 45 | {{ config['name'] }}_postgres_citext:
 46 |   cmd.wait:
 47 |     - name: 'psql {{ secrets['postgresql']['database'] }} -c "CREATE EXTENSION IF NOT EXISTS citext WITH SCHEMA public;"'
 48 |     - user: postgres
 49 |     - require:
 50 |       - postgres_database: {{ config['name'] }}_postgres_database
 51 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 52 |       - pkg: pypi_postgres_contrib
 53 |     - watch:
 54 |       - postgres_database: {{ config['name'] }}_postgres_database
 55 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 56 |       - pkg: pypi_postgres_contrib
 57 | 
 58 | {{ config['name'] }}_postgres_plpgsql:
 59 |   cmd.wait:
 60 |     - name: 'psql {{ secrets['postgresql']['database'] }} -c "CREATE EXTENSION IF NOT EXISTS citext WITH SCHEMA public;"'
 61 |     - user: postgres
 62 |     - require:
 63 |       - postgres_database: {{ config['name'] }}_postgres_database
 64 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 65 |     - watch:
 66 |       - postgres_database: {{ config['name'] }}_postgres_database
 67 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 68 | 
 69 | {{ config['name'] }}_postgres_uuid-ossp:
 70 |   cmd.wait:
 71 |     - name: 'psql {{ secrets['postgresql']['database'] }} -c "CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\" WITH SCHEMA public;"'
 72 |     - user: postgres
 73 |     - require:
 74 |       - postgres_database: {{ config['name'] }}_postgres_database
 75 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 76 |     - watch:
 77 |       - postgres_database: {{ config['name'] }}_postgres_database
 78 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
 79 | 
 80 | {{ config['path'] }}/.pgpass:
 81 |   file.managed:
 82 |     - contents: "{{ secrets['postgresql']['host'] }}:*:{{ secrets['postgresql']['database'] }}:{{ secrets['postgresql']['user'] }}:{{ secrets['postgresql']['password'] }}"
 83 |     - user: {{ config['user'] }}
 84 |     - group: {{ config['group'] }}
 85 |     - mode: 600
 86 |     - require:
 87 |       - user: {{ config['user'] }}
 88 |       - group: {{ config['group'] }}
 89 | 
 90 | {{ config['name'] }}_schema_load:
 91 |   cmd.wait:
 92 |     - name: 'psql {{ secrets['postgresql']['database'] }} -U {{ secrets['postgresql']['user'] }} -h {{ secrets['postgresql']['host'] }} -f {{ config['path'] }}/src/pkgbase_schema.sql'
 93 |     - user: {{ config['user'] }}
 94 |     - cwd: {{ config['path'] }}
 95 |     - env:
 96 |       PGPASSWORD: {{ secrets['postgresql']['password'] }}
 97 |     - require:
 98 |       - postgres_database: {{ config['name'] }}_postgres_database
 99 |       - postgres_user: {{ config['name'] }}_dev_postgres_user
100 |       - cmd: {{ config['name'] }}_postgres_uuid-ossp
101 |       - cmd: {{ config['name'] }}_postgres_plpgsql
102 |       - cmd: {{ config['name'] }}_postgres_citext
103 |       - git: {{ config['name'] }}-source
104 |       - file: {{ config['path'] }}/.pgpass
105 |     - watch:
106 |       - postgres_database: {{ config['name'] }}_postgres_database
107 | 
108 | {{ config['name'] }}_sample_data_load:
109 |   cmd.wait:
110 |     - name: '{{ config['path'] }}/env/bin/python {{ config['path'] }}/src/tools/demodata.py'
111 |     - user: {{ config['user'] }}
112 |     - cwd: {{ config['path'] }}/src
113 |     - require:
114 |       - cmd: {{ config['name'] }}_schema_load
115 |       - virtualenv: {{ config['path'] }}/env
116 |       - file: {{ config['path'] }}/src/config.ini
117 |       - file: {{ config['data_mount'] }}
118 |     - watch:
119 |       - postgres_database: {{ config['name'] }}_postgres_database
120 | 
121 | {% endfor %}
122 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/files/dogstatsd_plugin.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pypi/salt/907bbf1c4c9b831c03b4eba755d982a32e70589e/provisioning/salt/roots/salt/pypi/files/dogstatsd_plugin.so


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/files/error.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 |   <head>
 4 |     <meta http-equiv="Content-type" content="text/html; charset=utf-8">
 5 |     <title>Mirror of https://pypi.python.org</title>
 6 |     <style type="text/css" media="screen">
 7 |       body {
 8 |         background-color: #f1f1f1;
 9 |         margin: 0;
10 |         font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
11 |         font-weight: 200;
12 |         color: #333;
13 |       }
14 | 
15 |       .container {
16 |         margin: 100px auto;
17 |         width: 600px;
18 |         text-align: center;
19 |       }
20 | 
21 |       h1 {
22 |         font-size: 24px;
23 |         font-weight: 300;
24 |         text-shadow: 0 1px 0 #fff;
25 |       }
26 | 
27 |       p { color: rgba(0, 0, 0, 0.5); margin: 10px 0 40px; font-size: 18px; font-weight: 200; line-height: 1.6em;}
28 | 
29 |       a {
30 |         color: #4183c4;
31 |         text-decoration: none;
32 |       }
33 |       a:hover {
34 |         text-decoration: underline;
35 |       }
36 | 
37 |       .logo { display: inline-block; margin-top: 35px; }
38 |     </style>
39 |   </head>
40 |   <body>
41 |     <div class="container">
42 |       <h1>Something is wrong with PyPI</h1>
43 |       <p id="message">
44 |         PyPI is down for maintenance or is having an outage.<br>
45 |         Packages and the simple index are still being served via our CDN.<br>
46 |         <br>
47 |         Check <a href="http://status.python.org">http://status.python.org</a> or
48 |         follow <a href="https://twitter.com/PythonStatus">@PythonStatus</a> for updates.
49 |       </p>
50 |       <a href="/" class="logo">
51 |         <img width="300" title="" alt=""
52 | src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAABXCAYAAAC+73jDAAAKQWlDQ1BJQ0MgUHJvZmlsZQAASA2dlndUU9kWh8+9N73QEiIgJfQaegkg0jtIFQRRiUmAUAKGhCZ2RAVGFBEpVmRUwAFHhyJjRRQLg4Ji1wnyEFDGwVFEReXdjGsJ7601896a/cdZ39nnt9fZZ+9917oAUPyCBMJ0WAGANKFYFO7rwVwSE8vE9wIYEAEOWAHA4WZmBEf4RALU/L09mZmoSMaz9u4ugGS72yy/UCZz1v9/kSI3QyQGAApF1TY8fiYX5QKUU7PFGTL/BMr0lSkyhjEyFqEJoqwi48SvbPan5iu7yZiXJuShGlnOGbw0noy7UN6aJeGjjAShXJgl4GejfAdlvVRJmgDl9yjT0/icTAAwFJlfzOcmoWyJMkUUGe6J8gIACJTEObxyDov5OWieAHimZ+SKBIlJYqYR15hp5ejIZvrxs1P5YjErlMNN4Yh4TM/0tAyOMBeAr2+WRQElWW2ZaJHtrRzt7VnW5mj5v9nfHn5T/T3IevtV8Sbsz55BjJ5Z32zsrC+9FgD2JFqbHbO+lVUAtG0GQOXhrE/vIADyBQC03pzzHoZsXpLE4gwnC4vs7GxzAZ9rLivoN/ufgm/Kv4Y595nL7vtWO6YXP4EjSRUzZUXlpqemS0TMzAwOl89k/fcQ/+PAOWnNycMsnJ/AF/GF6FVR6JQJhIlou4U8gViQLmQKhH/V4X8YNicHGX6daxRodV8AfYU5ULhJB8hvPQBDIwMkbj96An3rWxAxCsi+vGitka9zjzJ6/uf6Hwtcim7hTEEiU+b2DI9kciWiLBmj34RswQISkAd0oAo0gS4wAixgDRyAM3AD3iAAhIBIEAOWAy5IAmlABLJBPtgACkEx2AF2g2pwANSBetAEToI2cAZcBFfADXALDIBHQAqGwUswAd6BaQiC8BAVokGqkBakD5lC1hAbWgh5Q0FQOBQDxUOJkBCSQPnQJqgYKoOqoUNQPfQjdBq6CF2D+qAH0CA0Bv0BfYQRmALTYQ3YALaA2bA7HAhHwsvgRHgVnAcXwNvhSrgWPg63whfhG/AALIVfwpMIQMgIA9FGWAgb8URCkFgkAREha5EipAKpRZqQDqQbuY1IkXHkAwaHoWGYGBbGGeOHWYzhYlZh1mJKMNWYY5hWTBfmNmYQM4H5gqVi1bGmWCesP3YJNhGbjS3EVmCPYFuwl7ED2GHsOxwOx8AZ4hxwfrgYXDJuNa4Etw/XjLuA68MN4SbxeLwq3hTvgg/Bc/BifCG+Cn8cfx7fjx/GvyeQCVoEa4IPIZYgJGwkVBAaCOcI/YQRwjRRgahPdCKGEHnEXGIpsY7YQbxJHCZOkxRJhiQXUiQpmbSBVElqIl0mPSa9IZPJOmRHchhZQF5PriSfIF8lD5I/UJQoJhRPShxFQtlOOUq5QHlAeUOlUg2obtRYqpi6nVpPvUR9Sn0vR5Mzl/OX48mtk6uRa5Xrl3slT5TXl3eXXy6fJ18hf0r+pvy4AlHBQMFTgaOwVqFG4bTCPYVJRZqilWKIYppiiWKD4jXFUSW8koGStxJPqUDpsNIlpSEaQtOledK4tE20Otpl2jAdRzek+9OT6cX0H+i99AllJWVb5SjlHOUa5bPKUgbCMGD4M1IZpYyTjLuMj/M05rnP48/bNq9pXv+8KZX5Km4qfJUilWaVAZWPqkxVb9UU1Z2qbapP1DBqJmphatlq+9Uuq43Pp893ns+dXzT/5PyH6rC6iXq4+mr1w+o96pMamhq+GhkaVRqXNMY1GZpumsma5ZrnNMe0aFoLtQRa5VrntV4wlZnuzFRmJbOLOaGtru2nLdE+pN2rPa1jqLNYZ6NOs84TXZIuWzdBt1y3U3dCT0svWC9fr1HvoT5Rn62fpL9Hv1t/ysDQINpgi0GbwaihiqG/YZ5ho+FjI6qRq9Eqo1qjO8Y4Y7ZxivE+41smsImdSZJJjclNU9jU3lRgus+0zwxr5mgmNKs1u8eisNxZWaxG1qA5wzzIfKN5m/krCz2LWIudFt0WXyztLFMt6ywfWSlZBVhttOqw+sPaxJprXWN9x4Zq42Ozzqbd5rWtqS3fdr/tfTuaXbDdFrtOu8/2DvYi+yb7MQc9h3iHvQ732HR2KLuEfdUR6+jhuM7xjOMHJ3snsdNJp9+dWc4pzg3OowsMF/AX1C0YctFx4bgccpEuZC6MX3hwodRV25XjWuv6zE3Xjed2xG3E3dg92f24+ysPSw+RR4vHlKeT5xrPC16Il69XkVevt5L3Yu9q76c+Oj6JPo0+E752vqt9L/hh/QL9dvrd89fw5/rX+08EOASsCegKpARGBFYHPgsyCRIFdQTDwQHBu4IfL9JfJFzUFgJC/EN2hTwJNQxdFfpzGC4sNKwm7Hm4VXh+eHcELWJFREPEu0iPyNLIR4uNFksWd0bJR8VF1UdNRXtFl0VLl1gsWbPkRoxajCCmPRYfGxV7JHZyqffS3UuH4+ziCuPuLjNclrPs2nK15anLz66QX8FZcSoeGx8d3xD/iRPCqeVMrvRfuXflBNeTu4f7kufGK+eN8V34ZfyRBJeEsoTRRJfEXYljSa5JFUnjAk9BteB1sl/ygeSplJCUoykzqdGpzWmEtPi000IlYYqwK10zPSe9L8M0ozBDuspp1e5VE6JA0ZFMKHNZZruYjv5M9UiMJJslg1kLs2qy3mdHZZ/KUcwR5vTkmuRuyx3J88n7fjVmNXd1Z752/ob8wTXuaw6thdauXNu5Tnddwbrh9b7rj20gbUjZ8MtGy41lG99uit7UUaBRsL5gaLPv5sZCuUJR4b0tzlsObMVsFWzt3WazrWrblyJe0fViy+KK4k8l3JLr31l9V/ndzPaE7b2l9qX7d+B2CHfc3em681iZYlle2dCu4F2t5czyovK3u1fsvlZhW3FgD2mPZI+0MqiyvUqvakfVp+qk6oEaj5rmvep7t+2d2sfb17/fbX/TAY0DxQc+HhQcvH/I91BrrUFtxWHc4azDz+ui6rq/Z39ff0TtSPGRz0eFR6XHwo911TvU1zeoN5Q2wo2SxrHjccdv/eD1Q3sTq+lQM6O5+AQ4ITnx4sf4H++eDDzZeYp9qukn/Z/2ttBailqh1tzWibakNml7THvf6YDTnR3OHS0/m/989Iz2mZqzymdLz5HOFZybOZ93fvJCxoXxi4kXhzpXdD66tOTSna6wrt7LgZevXvG5cqnbvfv8VZerZ645XTt9nX297Yb9jdYeu56WX+x+aem172296XCz/ZbjrY6+BX3n+l37L972un3ljv+dGwOLBvruLr57/17cPel93v3RB6kPXj/Mejj9aP1j7OOiJwpPKp6qP6391fjXZqm99Oyg12DPs4hnj4a4Qy//lfmvT8MFz6nPK0a0RupHrUfPjPmM3Xqx9MXwy4yX0+OFvyn+tveV0auffnf7vWdiycTwa9HrmT9K3qi+OfrW9m3nZOjk03dp76anit6rvj/2gf2h+2P0x5Hp7E/4T5WfjT93fAn88ngmbWbm3/eE8/syOll+AAAACXBIWXMAABGIAAARiAE3kcxvAAACL2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iCiAgICAgICAgICAgIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIj4KICAgICAgICAgPHhtcDpDcmVhdG9yVG9vbD53d3cuaW5rc2NhcGUub3JnPC94bXA6Q3JlYXRvclRvb2w+CiAgICAgICAgIDx0aWZmOllSZXNvbHV0aW9uPjExNDwvdGlmZjpZUmVzb2x1dGlvbj4KICAgICAgICAgPHRpZmY6T3JpZW50YXRpb24+MTwvdGlmZjpPcmllbnRhdGlvbj4KICAgICAgICAgPHRpZmY6WFJlc29sdXRpb24+MTE0PC90aWZmOlhSZXNvbHV0aW9uPgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KhiBQ9AAAQABJREFUeAHtnQmcHkWZ/7vf950r9wkSCXJGDQRBFBY0EBQXBC9gk9U/xyo3IrKs64EHGfwooiK4ixfIoSAeievBrherMKgouOKFCcgR5AqBALkzM+/R/f/+nq56p9933jkzEyZJ10y/VV311FNVT1X9+qnqquowGH0TBu3t4cK5c8PVy2eGSq5j8YJKEIbxoJKO43DBJZfkg+CIYObc1fHS5ctj+EWDipsR7agSUDurtq/TTz99vzAM34jfP3FddO211962cOHC/NKlSys7qoC21XIXRivjCxcuyQcLFwZLF4UVACZemk6onRuA6KBr7ilMfGpDvnl8MR9V1hXGhS1R3JmrbAgmRKuD1dGy9oUlAVtHEJTT0eVe0N5e6GhfTIMbJPDVM8jut0sJxLQrTPzOd75z90KhcAaFPJrrwObm5jxhQbFYtIfmdln4HaBQIw5Y7e3tOcmtvX1RJQClwKrc7ybcNjuKg1eGUbxnFEWz4yDeLbjs1llhFE2Mm+JxcVcwLgjGt22K40qQCzrz8YauneKW7p0W37I2Dn7wRBBHT8ZR8CQN7rFcpXJPx2WLHupobwfE2sHEJTwpSSszmQSQwCWmjQflpqamY8ePH/+Rzs7OoFKpCKj00Bvx9p4JfetKYEQrcOGSJfn2RQl4HPvZ2w6hKCf+Lr7t6LgSz8nnC6251hYrXVQpB7riiJGdrtDbaPFxMCUIc+CWTIgTF/cxiFUpdgeVIC7Ov2jJPTwsv9b5/Jobll6zqKR0l7p0LVr2s8NLgIdbuaurS2BVwl1A69JFO6qOFHd4GW2LAhgxwPKg8dbP3TG7HMefB2tOKDSPCyolQKZc1BVXSsWKGkwcRGo5obUdu0/c1pjkiUPuiD/+nYewLBJ6NeeaWg4NcrlD26ZG7zn0g986B7D6TaZpbYvNb/TyTPvR0FAJ5Jw9eollnLeaBBJFZguT07BPGs6bL7/9ZSDSXU1tE05Ae4pLneuLAFYpjmzExqgwygFXBZCH+YQgR6PSPTbwRgNLQAzwkh8XDvIXixZgtXi5OGLcWOyqlDs3lcOmlnmg3p2Hvv/mhRoW2rzZFpYli55JIJPAVpOAniiNLmWg0VwjY60tNyEvASPNXYFINxVax80qblpXZLwXh7lCc765tUlJ5Jpa82G+ycZ2AJC0KEvZu6VR6ZIeZba7N6+UH3wFaLw1DAoAV1nDRcq25LD33Xx4Blom0u3qR+1K13ZVqKwwXgJJh1enr70ULr960EJr2ULDUNC0q/+bcOTb8s3Nryp2bkCdYs6g0JwDUJ6IS8VPojMtj7o692Z8dxEYtjf+YJtpWJD2AJXy2ANWSY5r/QhXOfQvJGNugrmtci7fVKhEXVe/8fwfH7D0qmO7CaCg2dvDLazaFzJ6uGDBgjyXHoTMC5hR46XSM7OdSCDkTe7Ora2t+VKp1JnP53PYbfTrDZs2bdo8c+bM5i996UsbU2UNTzvttAlb/OTya6sY7h2ey2vkxrx4Lp+LSt3PxnHTkT+76B+/cuuHjv7lrR85+vpiKZpfLnU/GuYLySx6CqwEQMKgBIyUTQMkD0zc9QIrCyNegWFnOdc87mXP5VefopgL2rVuKzPbogScNhV3dHSUBVasodqbhnooZcnAalus0N55Nq0JsGph2cllvBS5kjnG37J64L8BrS/hd/zkyZNP563uGup9lo9+xhlnnJbL5dZvMWAtCO5InoBRtFPE62MAJC40twl8rv3ZRUc+tKD99lbNLcnuaD9uFQFfZNJc4WhZCUJ5oJJnjx8uBXg/c+u2x89oFa75L3vbGLxVBexYrPVZmdnGJGANWSB17rnnTqWBvoPrOzTSB7nOV1kcmG1jxcqyWycBe/B87Wtf69p1111P++pXv7qI8L9yfYsFvW/mugF3U3NLc4F6P8rHBdTexL1bPeB9h24zf5Wo7CxA2Mkm1wEP0FIg8qjYbVj5QMWtk7LFn0zGPxbx1pDhobQs/VdBKQVAiq/oyWMVp24TP1EpXuIpm3+WZ5Wwo7kL3nlDq1tFbx3AmGQ/24IEYoaAhTPPPPMqhgZ/40n7Ta5FLPhU3ru2hQJkeRy2BFhYwLolZ3Dni93FO7n9B3mdddZZr8SvCK7ct8UalhguXMKbvCCaHvE2UGAig32g7D1nTQ0POuvqprZpnX6Y9gom3wUyvO8ToWLwpxu5na243i1bf8bVhxutqDByK+04mFbaKbJJftFmZpuRgD1c5s2bN466fjdANbNcLle4ulX3PF2zh882U5VDz6jqF+0pXccT4dLBtfOFF17YBlC9HvdvuTq3cNJdoBAGq5d3hG1tQT5ZWBXkS53MlcXxaUd/6qffX3rRMT+FyMzr2v/nMDSr88tdmwRAAJgDIhqlgY5sjH7TYGU+RuLpEhr9ejALGRWyLiLPcod0wY1f9rNtSIDJ1piG+zzzGjOoV5w5e8jhzup026jCYeWS+jWTitwEhq3kvmvdunX/TDuYg/sKrnO2ELB62pE0OlLVBW7xw5oGNK5b3vDJn1wPQt4LmLwU+wy827T4GELRCZlcvCS73s/8E+iSkwuNMSGHsCdeEigf8VFAZrZxCeSlUOnKzA4jgSb/cFKJ5QYHNBdwC+5bsH/I3NZ9zGlOGZEhoRIxI7hI0IV5rIrgo4nV7mc3tY7/QqFl/PlhkHNgxZoDo3PkLrIHK9mGPQ6gqrSGR4QoPEnH6MytMPllJpNAJoFtSgL036dQZtb6TONezQOrCEj9BT8tbbhDYdD9fQs1LLFJDMyYkzItK4ESfkNm2N26rARLoiiPQyPHBFrMkQBNAlCEJVBF7iyDDoScr6M3gJLbiJQ+LtG7vGRWJoFMAmNfAv6F3fr16y9cvXp1ddJ99uzZV/nc8yZxf083bty4I7YQsAQRTnWPg5aw0BSElXJePgmAsNhd22/sBlqtSsdtiGUgI7e87IcN0aUEdbj3fgZLLtz7qTBKWT/y02W5EJ3LjoK3E5MukRV7OylXVoy+JTDW6nxU88O5ZFo2UDUAlD9OqroKQYFXXXVV91AAi0zX9RfduqLw0u8xJrynomV1AiBuyQIEAhSl5oAl2cssTcw8tYMnCY21zCHYhTtWr8vPoMrAyMdNYogV4Y6f6OxfudM8l8tPe/sl4eLFitHYMEWiRMaSUeWEy5YtC/fdd1+Vwq/yruaTcoeLFi3KKXwxa81Qm6thW1CQkMPsbGpghA60s3KQv5q89ZNXo6fsMcfBhDoOpi/DYlJt0wnSvPvh2xebgfwtPyJSXchG3rHyh7OmTAobIVOtgyVLlkR1ZbKwujYxQsk2ZOPLn6P8MW1Cmk+63AOFN2Q6gKfknE7Dk8svHTbAzCZ7uBYER3Dd4TsP8RsbFoYWZgar+5wTW944WrDbc6vCCfNfVH5seXF8obNwb5jL7xaVORFE22scKGFhEk2qx0+eiZ/INEvLLp31zbnu2Xdf9d71fSRX9Y5j9qd1sA7tyPYKErEUqoFb0UFHkMzUEf1TpVfqrENpuuaaa1A/a42LG2BX1elair7vdOKmQtMgJX7D4dV3KkMLOf/881sArKeYaJ3KPIbqpMI6rALrsq5ngeHpg+FG/gtcZVbIn03crxBXi4glY1qI1hdHR1133XW/SJ84qnKLZqCHgOgEYmmZEW/YxqUbYPeqP/LXDEjZav+6BAzARioPjrcHRQFzr7yIRm1wzZo1UaN0tX6Oh4nkPOr9yJ4gLtM9FhWzcNlcKqbnYDytVt84f0JhbXljrmX9zF4ZA6x6FbQvkOpJKOgFWLwi2C0q8RYRwBJQCYs8SHk77WdgJpXLAKuyfkO+e/ZDAFb8SHtrUFgXBrtOrsvrc3GwdFU5XNRzPK7AKwwbV1Q6ryPpVodxT+6q3NiK8FI66zzSeTnXS7mmc02ieFMoniYln+B6jvvl3P+ASUndB67B9Al4ounLnHLKKeNbWlqOIPxkeN4EMPwk3Zn7iteXv1apsyxhIsBQLZfcgMRTqqL6eLz52Zkya5tGkfOrJuO+G7rJlFG0kU4KBXSWwuIctm5MEC/PQ+56vnS4QQOW+NRrNO9+97snsP5rZ5KfpuUVLq3V5O/vPDSedfdeK6zmxfkP1rK9knRyq7NTTz11OuU8isjzSfdF2DsjA6W9gWsVfqux/4j94+uvv34FbrpCHHJYofIx3DwYjyOPPDLv8yG+ANNkxKr2p3WU+5OPWaQ1FXs6dpHrKfyf5lJ93soc0y99Hrak3cBvUKZQT+XPtdKRxm/+7B17VMLK21jieSirm/YMOqPJU4KpTXGLVpUrJidWycG1Jh6faEQGMCbQgFp3gAOluZGt6GU5INowfudg/R+iuBDldaTMLjEH+2Fcy054IySLJ9vHk5dYiJ+FA71MloUP3ZtXUmGwasNPmDN7WfD0Bo0xqpofLy4r4RG7rYlXve9BMvLD8EVXfltgFccLeZ3eA2LEGRVD5VpesNkBsDSgwx5E/t9C5R9DggfSKZvoHFYm9U0rGwGE20WHNj/2Wl3KqvBbCf+43qaIL5eXSr9519N74sSJC+B1PITHkuZugFaAdvMjRWQCtPGDrB+uLv2IfH0afmdCqs4mLU6vrFefd955AmC98fG8YzVw7r9POQ8l3kbodN/qyiy6PP5YwQmU/zjoqnHxE99VdHZ1rk1cClP5B22kLUiuaGPqnJL/waR3MLbAgmoo2Pwr+eH1UfQ88r4T+wZA8geS9XA6qJeTQIK63590PsT1BtKagdykAVr9OhnoFb9duidvnyWOAP0qrv8i3rDyQDx7yMFDna2sckyZMuUo0jgVkD4a/+mc2GrtzedHcWTIzwGEWxj5ueiJJ574K/L7JhPnn0OexeHIJOE8uN8awNKKdZ3BzrlWM6Ig/GQUV05uap0wjtoKGKah89hewQRODDEQpgMMIYzmkKzVKCx1CWR09oyOt7KKSIgSGrUx8RADTbobnfNzvC3c2qL8fTTxS/6sqPib0bNIjTcMdg8mNr8o6KROUotolbTdN+cOCirR2+OVF5wf5HOnhOGVK0YbtFSZNFjb50glH05O3sf1Fnas2zG+PNljGkyJS9m0EzLVOGTwk6VhoZ6oCptIozqRRvMmOtK/wvcrIsAogpeGefgf35gmTZp0NHG1xiUgTfGuoN3kaZyWCDvlG8b3fPqzyVeLGnt3d/cE3FrBrDQmwD8pSO/ILeqoZKGVIBu69SYxf4V7o9P5tFanBeDti6+nrbFJS6BoQ2Hq4G3wEbgeA2Dn1DklD/hKxgIpycPyBJ068VvwewugocXQ7+RB8bSXKfcDGl//bPxthdfFpPPvaFZNSpNLK/tVv+qT1dNRSU/bVgQs8msF2I7g/gjy8N/c/zsa8QMLkiGZPekHyoQAU3OAxC2/613vmgm/0+B3EvU0T3WFNmssZENjYCkPyQa6iDyW8ZfMdUmc+1GWS/E6nhHCKWiAfxuKTMR7KKaqeWgOSmClo41RUP7c1Db+LHI8rrR5Q7nEkTGVUheiK3KyMSeHckUV2SW7NOdkfs42d0knjHJ2H34a4olWduImvvFxfgrjwhgEGUB5sPKg5IBKNOqP9id3iq6m4HHYHXTR3sosCCtS5+4KipUo6CxGwXqQbCPnaU1uOgygvCN+8t2zpWHZ3FYNo5G5UaPSEx2VewaNTfvk7qCxvkXc6dxdNJAYv5COo1W+arQbKSsnXsQP0lhWcN9JuLSvFsXBPwas1Hha4PNlQOvT8qdBDtiBidqsBkj8ErY6J2zsqTlgXKXRn4E32qrhne0PE3t499eZpgiwKXdBoFHPG14xnSKEJqdwd+Xb2FqBmd4PENaz8vfrAKq9qYNf0tG+z3UsATF1UKIvSq0KkGeOK49b4CaZ6KTcmDpSf62QB2ljd8JjD9WpOij3/RrfiUl7Gnx/CY+LiNCkOkRGZcAij18rtupeW5LWYHchuwJ5MX/86FIlAZuGym/m/o/k4Q3S1tS++s0AgQ4wbVKfeKci1z/B5zLseTwwVDaV3YAK8jXwvx//u7g0HNUQUPJvxtb2N8klJCyiDkrI8dXk/Y+0wyMGKxPiD9lYA9EwsKP9yPKbrvjlweSpI9fUPKu4eQMIorZnZ2bpaYaSpLd/ZLR62cS4hoJ2ASLOnRSGdoDehJ+7zK09NK6wvcLTAJQ0euERZPzj0KUbs+VO+dWXnJT91u6kKybVQP50zDJXFDHu4lrbVQS0dsXvKuNxST2nLb9XQ1GjojIPo3H+hUbxDhqHOoA9zrhvpRHo6XUHHecSynckDXl33LvTUefROeeSizmEn8L1exqH6kMZ0xvVCLqITvABGuFZAFY0UAeigQqkJEc1ctXHiBnKYfycXb2tS8Ayr/kj8vCpzZs3f5zyfpiG/wkidDoWiqJyqVP8kTJ+iPDF2BdD+zHitEP3gQ0bNnD+mRnj6dz1li9jGV4fI546KkcdlWFVjHEjknwTeXkU+f4Iv2tI56tUz6/FyAGX8ip55QkrEmcv7r8vbUkdFH+fhqLUGOokJxrqR3NTHcR9tTo58ZVngSO7QqLn8PsS9nF474f9EgBgP/JzNPm4knw/p3qHXumE5FEgx8dbgp/Srt6i9jVAvdvLArSgl5KPn8Dr6/lcfpbKQloB92pLj8D3k6T1Ou73gv/+aJGHsT3m1eRxDnSHQH8FdJucTLwG2kQeS8hQ51l9F/67qrwqN/kbUaPJknBpGFaOvuI308K4+B2k11ruRvPgMCuggcQSgDDRclvrJw/5JL5Yuk35uXB5OgbVcBwUrsrfwqt+kBubVPzEJ4ljdAkNZIMziZbv8mEav3c3B2vKlaAt/9b4sTPfHu7W/u2RHBqq0rgqPFkPJ6M/paLbaBQlGm6eBtFEI+C2eDXurzKpe28/hXmCsG/ookF8gQZ1Ho1ZBVGjENhhBVcT9hca2V1qvK4jyb/GIHcbqtV4vgA3yEDVfG06afL/bmShhq8wAZaGar9j6GMaZJp2qG5YFpDbcZIVMq9whEkzdjfXN8nLd+iMv77ppps0H1Y1dPBXQH8V8ebTJ728Fa/Iw+QVgMwnIX4f8jZQqkbscdjEOG2gmfmen9Dx5xFVDypp0tKqdXDdt0njQo5cWdUTzVyaB3yY61bazyeg+Tz5OIX4GtIJ5CrISg+vHyK3w6n3X/UxPBTIxfB4D/GugIcARmCjIZ+07VXwvgT3jbTBzfJPG9eONP/4O13I5BrovwWbAx0fAWkTQFdCA5tB/i7h/nSuETcFDkPPMcFeaYqLiwvjJu7evXEdwnRg5YDBsIIfgyUHKtae5FaW9OP8zRYl97V+dlv1S2LW0hkvY5XErcZ3/BKejo8SVRqDMVWwqgEqFx8/aYgKCuKL4yULwW8NDU0lG2QCA2eChvJ+GmubnmhQq7HqGJ5NNJJjaCT2JMdfjTufWv9SZayyn3322QVoSzTM99BAJ8LvVBqMhl56OurTVloCoI4ttdxKVGUwRh3qYMyZqbOXeMM4hfxXNRVERNVYG7Hxn5Y9IL9quWbNmqXX8P0NN3uVmo5WAiQ0b6QJ/euQ/+XI9P4UYXVNlGTInMyfCTuczv4z5PuPxFNHtw5KfDWSs+jAX4RuBXnptSzEA9mTTz75GTrzgeTfwAoeFfjpDehnqc8PKH3iF1T3ft0X99V1ebifh+RU8vEo8T5KPiQHgVUZzaYAWFzHG85X6pRO/NS8fNs1sIJWfmcRV2ClNqjzpvQwWME1n/xrs3E1D43aj8oyderUHPL6G5rl6yC/i7RfStrKix6cBcmE9E8855xzLiLPz+Dn08e55YZ5q0WV46781Z5MMp1e3CRAD6R10Xddf1aDcYAhfzUgC4fQJOL8zD+hTMLNP8mg6Hw8T5fmZSxF6nh5W+kqFcURjW7TforSl9FYNIkgWXIZA28rSP6yzc3XENn7mGc5wT+Mew0BvwyWajHllr81pNJIwIyp3rjU2HUUgYY6Tzuwqq6tgb5hB6SxiUnJa0402Au4X0CD2c01GIFVhc6ozrWQN1lLPa0ijlWjoQx5s0ZNZ9Ywp1FWTYbTp08vIR9V3LCN67C/h8H5AMVdYiQ5yXadVIslTfuQn18DB9j8C53xPuphCu1R+WHZTVzGXy8U/on7z3Ap89X8eflTH8dQrgugE5Jo/seD1fccWFn9+7onfUgMPKzcune8tIzjYzys5lKOE1Tf5KFAWyjz8NqH+8uJdo4WF2NXyyBezqwHnOTU0NYm1Gk7KwVW4u+AsmH7E72Ti+bsmtEG1yKbc0n/NoKsccrmXm17MrI6iHstkelL8yR46CZpHZXy8XzpZrxeAtCBk/VPDiHU78mDdWyzSUNSrPUzn5RfQqNfT4dDdxbbsTMi+SSOHlrFMVrZSRRI0n5JLIua/pGe9OxEBTKDbPNUOKkggVNfl7UvVSIfcR1v7fbNxnKh/Y7kj69UyUQVK955rYPC9iuKB0xPjUadSA2Gxv8lAEtxagSC/7/J0zUwOXd4g7zVkTQUvBKQeLXAStodIGEdysmqRo4SmjRaaApoLhqu3djcxKQ0c80Kw9hhlfA9XDfQeX/degCU82KlTb1YQ8OWZiXt2jSrwXRq5U90YgY+nUc5niO+NCzl2ZZ/4KRpnDVPtCqXaOtMo0+eNYnWxelV/rr4dgttUXGQze0A4B2Ap9q2L7tekuj14S4iHs4SGUukjx9fqKP1YVN6knWkRAYCC/LvrqR/6Tbtp/IldIl/Qi4/xfO0CdTIz4Ubs8TX06VpE8Ie2p74jmd9YZQN7VPkzUbwdCfq7lktLI+YxrtymLBEwLQpgZYIZavdOLsKZBW0LJZuRNGbeFPIK+RkWCimo2G07kKGivUVPehkrr76ansKIrObabgb1AGIrMLlacziczBPYa3xCfpouArakUwyRqL+kdUSFVxagrQ75KPGMJAxGuT91e5id5lWKA2F25iTbu11/1yGSK3y47KKhb/VCRPiR1HHhwJQ4iE/rd5X5K/T4R8mfXt7jP+AxoFKQXNdgNWX0aY9CCpNaVnqv+eIkVbkN2DYyw95+G1HDcj79bIOR/yfC4wxKruMZK3y2TCeh4J5jtRP7qjL/lerig/UB0+pCFJWug4YDHR8TtJ+uGvoLEqNHzyJmNDJKfJaPxduaSQE+k3oHK1xTOiMlzESUZ1Bs2JLj04QXBEEZ5eCx1t2QVuckACWuNJWqiDl772tdmTuMOBr5uzv2StYcd+elsIl7b0quC7lF+RWjYyEQ7SEJ7DvVsPFqCBqwGq4WvD4Nt3TKa01yZ0ZhBRFk5wcBv2gAFQk7+Dhhx/WXNfD0iAw1jGTthNMQea23EQBMhpeyaYeznb1Y/d4SbtS0Pf0ozkr2UMwvp6/xsOqSH3XPKxI7x3Mqc0SuOEetfZLu/JZfohhpdw17cy1UU8zYnaOt8ZzEOt0ViwKEwxUKKjVQyJJ8zR/ESjMwCrxTuiqfi7c4huVhft4urE/H+5slUZOT2fpizJFZ+F9FpuaAbAmN8e/EEklCA8Px+ebOf6Bx5++Mu0Ay0AL4fYCL8JZRc3isjhoDrTE17STYHHDp1SfudiaAXQi6zWk+ev0Ew6ZmZZMg3m98kPDkso1ag1XaWxLBrkMGqjqy+Vk+XidvEXWDCiZRpG0XXt5EjE8m0zYEU7r1UPE5i4BzUcBvd8qIsBiACT3YAz1bvTSzqC/24Gn/DQ81VvVqeRvvnhp243s0TB+cTFJrk0BVgIZJKh2OBrp5pjqmZdvaqOR61B0Oq0BBwnyVwMgBJifcmFBLtx8e2gVx8WujS86hbnL3Amrqn/i5+JX6Sw5R4nV20i7KlS6N6/bZXLpGwrO5Stv5v0JfLWBlrq0PMnu54JOiBW06UFRTgArGPoWld7ZGx0f/2SmA/5VHQLZ+cbJMMX65MtPOukkr02MTiZ2HK4aNnkN4nFkLk1WDbVqqINqB/VzTdTDK6CbSacWHc4wcgCzDMDR8gHFqeEjwoEMeTGVGn53eG3PxTH+tIWDB+IxguGmLo4gv35Z8Tn4iI9C6Fw9Qx6InUMe7koCLajHz9EZyBhdko7BjfuxMKuPhJfxsYQcLW75eX9L23jJLwlKOZJI6V9lFUTiq9LB9Kb40hvbL3is+MgFhzBCfFuwrovWwMR7VZtSoxFgWRRsf+9t8w8DLU+JAgdYHdbz00mOFbcfctBon6Cz2BwNeVMhbBsF1nTWCe2lexp4tTPpPjNDl0BqTkhzhjQjE3VDRtSNyRtN51DNV2FsYhHbJv6xH5An8zv+IaPbQRs0PaMlD39LaTfys4cV+TsEd+g0QqPdXn5ydNc5yWe3GErQ3nsAiApxlWJV44DEg5CnE01ClsT1/gmdWPT4e6d2QsvtkkvcjjTxVTTj6sL0NEtdihmwv4oHXb51fKG5tOn6X/znuXqtzIrd7k8G43SGYKIx9qlVGXgJrMTKgZZW5Nuavmhu/OAbW1y7HJOdfTH7wVwjfIwGml4drvzagks6zFzR0HC9duCiZNYWSGDA9uC1Xxrv7EbpUF+Py3+4E9LEU4OVeYj5MLUD1a+6jL21xL0bX5vRSwDrf7K3FyMNZEakIYTGnMIIIYlhBU5Kae6qn/mk/BIa/Xo6HLozCz9pKIxX+DOjcS3AaK/IDCDt3vxszJv4QZ7QOT+FVy9p4+wty7eMN7V4Qnnjpb/94rmni33l8bM/E0wovD7Y2K3hramNUpcSQFLZHDCpfHL3unijaGvgohmslLFHY5Lvsferp7wMcxZaPKfJV7t3P/5JrlMHht0x0gwzd1UCri1X72scOvIlpf3qaCCNBT2NAQpDxJrV9D5wqDZ8tN9QuyYsqre5mcgXiKz9Kj9D5TuW6YXM0zV1g9Jjk7XqyzI1AGSeAqHkEvwkZHJ4P2z9iZZjHpBhmG9uzeea2woCGJscUxgXtYZtc0Zm97hduKeDn6RdvTTGYw9qLi4/3lrZ9LX9p8WH3HHVuR+x/D5+7iW5tvz7gw1dZEFglQKnvkCr6u/BS3nXy4eIj7FW3yaJ/Zg17KUj04Ed02myT3JqgMX9BN2uXLlyu2q0SRHH7i9DcNWJ+oLOkJLt5W99DGAxwPJDu6GWxGvXaNCb4OWHm8ZG6eHXwgvEqUPluy3Qs6UjmKk3hEjVzSI60EkEbSBEIMEUx13ciV4VYZe5FUxPx2Lb+bg83x7sDoubfzEpH93eXIgf7coFz+Q4kiGKcuxji+LqTJ3txJAiljaqX9WDFgVDiZMeGMaVuLKqO7/6r9e0PBkE7+q6k9DOFee9pLW5/JlgfG4RmpVlFFWRCMpKks9Ey1LmBUyy3VVPI3+bp+djrPlYFU46mv9pV4QxaTjHqMw5VjYkpKEqn75zqOHapLu2sIzJzG+/mfLy7qWluz5jIOPftA1XDABWBS3Lp1VlQxo5FnP2SrtKsA07CnTgZgMgFSINQHKrA+tfInFhiR+/njahUniFbw7mpa2FzCntPbX06Rs//C82uTjS8onjBYXyo+cdCvCdkAtLZwYTmiYHG2wYiMbI08wynAKnemBKCgRpLahRJhRDPaE4xaESJk+opWN3aYOXq+qi3rj6sXkMP6dST5Pdj44ErB1pTBHH63ho1CSiey5bAjHcVeBumKdKH8fVaOJe+0vX1SS8ndwwDxQ/H4a5F0Wxyph0dgMlFdDAyn4MltJglYACJBKbwCpfyFeK3WtnNFVOvuXSU36k6Jse+8CspkLwJnSj/ai+6dQVJ0CI62CMyAAUe4Ak4AOPPEO1GcHKeLdCU2WPYCIa2Ea0s/U6+IqwGgBy8fsAJ5dxonnQ0uGDIpYMSLQSJkrgQi0ATPZ2DSbXW5tm7dq1Oi9Jn3gn9/5lIYVIOop22GsRo44W2dpZ22HT84CCBmSgQV2ob0kefm7RHiSadB/usNAJtxdgqd5Jq5M2YcNODR8Zojrybd/SERVrUIxelAjUQZW6bdIBKKH8zEOe+jcjK6FhkJdryldKxWf3mBi97uaLT7l32bL2CXNnbPwoOHZOOKF5cqBjfGwyOzVeSdg0+HVpWZoJUCkP1eGcNsvrQqFi6QIT+hWYC6wsRzh7AMji9fJP8Urz9fE0qoojtvfEz1nmLmlvkMex44Xqr/1h1gEcSClz6iGqH+sw2RzW1qsvAYRbsKmGuI4JEOsnLgf+QbLTSOSI+p0IH53UIXZS5XQ4n+x1nBdWM7clgu3BcHhwyJsGykipk75tDd0JOXFzY/eJXHr86O+oI2FOp4nu1Fp5+80Xn3zvymXtu82dtv72YGrrB8N8ODnYWKzEazrLMVrQoK51HJuwnsvbcrt7TgmtBJtBKg7KtBeQcUUaYqIYVSfQDXCoG28L9NR2+rAV5sNFkwBWiQ0UegMTBIsN1cw5ln782ira5zTy5c9B91n0r7cNsLI5LC+WrWP75Qp0qAcrTJFgquPCpJMFe7icqGEO2fg1YfCazcJR8fZ8/MuWB9hv2IW/w68hJzFmI/DSLXhC21oovJDIgMk6u9BICJV4u16b9jNAiHgLyOFO0Wd/8PGTf/Hw7y+bvMv0DT8Mpra9KnieTcgVG89JogW9NOz/0lbACJoYmyvAbbbuE3/yomGfTuoHaB3QeMBpZNeAFvn1cWr8VdcpXmyo593BpmDiRK1EHrPGN1pa5F5c9YDlN0E/pAJkc1hbvRoNQOg/97h1UppnUgO0c+Ox91GOeOiIrgpm8huM8QtT4b+n26do6RHXAIv2oONzxL/R/NZgkhizNCwcjf6UfJFZ+CSZJqDknMIr85PDwmUbDT85jhro2rTqgEmbrhDV7i9+9tJgWtsBwRqOHWZ/lQBe/gOaRmDTyM+AxQOPt1VXXKKvtxvxMD+eetUw+Jhb/HCgszHpvjyc9d8JYA2uBAMWcaQJGjRaPcqVWxt2UFcbGC7eq3Tr96vRoFXYGoOf6neMlrYmq2P+BqAw+fJpdW2Wfpa5LJ9nnYEm9zxtUPaeQ7VTD6C96+Lm3DatP8g/RVdHtu3eSpL3lrs3gz562yBQwseuBJgSP/njaWDlwpk8yjW1BM35+If/8ZEzn+5+9IP7Mrl+OmClbsNs+GCMeKaBpv6+DogMWOrApgpS6bi4q/51PHr5O37y1+Zn5TwOfqPcx7cvQDM0aeh2TJlUY+RtqXUIFVrGziPCfuArX/nKavOp+6kDJgM58eCyZRAeDOuiZbeDl4DtPeTT6ut5EHSktCDNLWq/30Rk/Q9i5/cdDp51YGez6/RVeL9WAIXxG6u1NecZ5qXvlGf9g0p+27rJ8Uy9l7Ow9A0mm71JQMmBlQDKXSqo9Ygev3zEkTRTmsq/UFihuXJCMJmP28X2SaJBPKkdwFS1Gw8szl+pVcFMKdeH6z4NXi7c+KXdqbjVsL54M9zcxMvBSvkulSlYMPzPXVn80ftJN9ojfaNVcjRiXoIYgP2U23hB8jUVCaFqqFN9AEG03s9rZbt6j7Fkk9ea/I+lvPWVFx4oJlzA4yanVXlh+wfKiX3F7c/fAxynl+4P3Ry/l5C61Gmz6q/fveGGG1b787j647UthuXWPfbESkr5KMM7MEEtI6VNqZ24tmJtRqF2GXbxmZdSubNc+JsKTm28OlmCYMOSfmThwMKDjQFRGnhS7hrQAoR6gZbjVfV3QFV/74Gqxt/nQ3FwK/McChmUynzmvvR/SQGGdvRHP4XuFSQ5y9DghjzP4OcmWC96HI10D3hIOImaxZG5rHLW/RLxB7DkNoPmZIlSh8+6BYe+E/mhyuEi5E0XlTBs43kOmQGbta0i6iPSGQepsdfHfOHuvXaDNvVT6ucBbNWP1ZM7D+t4zj3fHbq+TgdtmPmU9vsOt7Ha15Wds0U6NzaMuJ145u655mx2T0Y/zxU4BVECVed1wKQyqgWlwcp8rIMrNCr++vnyKrmYFtmZbwCaUz+NjXiLhisBCXef9vfhokmBlwedersG1JRbxROPPnhWwx1vu7ftOFGgxQFx/PNw3t1Px+18bpVpHXxG3NAB/evtiv9Ki39yDpQYdaEPVVgjxf0BR+/zqbPC5XUbh/v9Bdu+2OJoBERGhwb2OH6bnYYlP5uk534+J5XOV/44y2nQIKE8oVEw+2canq26tzYjjyEY9yreL7aEBZ+WYxsX+XkJbHxZhg2IQ8jKSJDaV5k5Rkbr+T7ntF7JWsNC1VMbmvFHXUL2sBkoUWlN1L2+GL0rPM5wwKe4dtoosvov0rsbmhE9R32gfG3N8ERQldxSm8fiLRyCSLCEXMhtN/KzvpuE+Tv6erTxuVb3XbhwXN/dW3wckAxki4kBjuhVvwMAUJ/8GoFdOh8p3vDgTWRogJvL3WQVsHjhaHYMv+xgpgBC6elJqwbpVPmGaSvMfWAgJt7HeMIeQqMXeHktzU+6tosn9DUdQUCEtz+p9K7U3IrI7SwlaK4iXps6GnYzbaBhXsRH+dGQU3zJfxGQ2w36V6eHqGI8WONexT8JP4uitAVY2HuRlq01GyyvsUDntSweHtcALjr7XPWkSSdpQxoano45RiAkWePfl6z9RyjsQYV89KmuichF93r46QMkjAzsS+JY26+xp+KMeV2/fubewn25fPPLmc6SeqJJPAMM2QZWyW0PiJlM8By/yYQsusbSdhENeHBXbfkrqfrwev/BxPHglo47SN5JHqKgOZcLuqNHgnXRz6xowegNB+Gvp6wamhrdHYDPdXTMT/H1khVJ2vZb/dyUhnI06kigphDOCT+fuB9PPWHlXWJI1cSXZ67myyp3Ckw8vQK9AWDso67Ev4Hr9fhLwDICOz35X8H+xFtPPfXUt994441V8NBT28/LuI5Y/boMn+eaSl7OpiwX0QknpYaonneSQt+/NtfGqm91Zn06aj550SJILWzWq/pdyNPBhN3BZHOz+3qO5+3tvrm/cCGmZakeKMcFyOgelQk5qXGqL3Eb3kj9vxFQuwcvaZH2qS+fZQ0B9YLF1yV1fykPmoXwEg89kCLqTF8Pv4h6f1TxuSTH7dIU9NVnferriI9+7wbOS/5MpWSf5dbyXAMqaw38IFz9IAT8ZQuddNuvURzk6uL1gFXKLwEMR9PIX/UiPkrM8avep+g9ENbz6xUnzUO8zTAcBLBK0bXhYb/tHMkPqfoEGtjSHtRi9eXhM5h3Opmn7Q+Q7Y00yN+g4azzjRQ7oBHm+LadPp30fjr0Qmkx0FqLx0+fChdY/Rnr35WWvqoMbzlrjAOFkA+T3kxH+X98pupY4rllKPbkF2i9FtZ/onNcTjrfZBL3cdKvCksM3TcCD6AMJ9J5TqEML8LW4YHqLPYgrEl4gBuANHLbVPRB0/c7HlbpAFZIPq4iv2/gzdvTA7AaU8GqQz08eBj9mfy/nTpZimwFNAIxabUzAfgOws4CtL5VDzaqexnmu16MDK6AfhFyllxk9EELzVl+DrD6ktpIffyEbPv55buEC60hjtup9T83rdp4Wq655WWVblamq9FZc3EABWDYnwEHAjCRebnVCwR/o0sBSj2QeACqARRlxceV7e+9rfQG4pkOT9OneHi+yja7BgGrQrC+vDxomfQ5eTFAE/FoG2kOIeCkz45LcwI7Wt5O49W1mgasJ+4TXFoPNp2vBu+LfQANVJ+qUv5o+4ZIJfya8FuJ35v0IU11EIJMG8Ovl6FR60murw6/C3DQp9NfTnzNtQhoNFzRF4VnEH4Zneti8vJn/B+Ap87e0teqd2HCf1/u91J+BFTE19RACx1KH/XEWWNUEf0a8hMp39I0SO/zaIv/ypswAz86qjr2PPj+hbAv4/4++Xvsvvvu2+AAuF/eL3SgBy3K9l0eAqfzQLiOsuQF7th66EygTN+kbP9GXpdw/yj20/JH/rO4dC78W4k3AVmr7nUVkFGO+rsavvaQUp3iv10bkD5EbV2S/8l7j+VslvCkcrGzGBaa9H5Ur75lEEAKrLiXn796Swd6AwRkanFlS75pf907/z4n1mn0imdXXVzvX+WZpk3xBot68uJ5KVxlMoujJZj/0Vr8OL4w3Ocn3Yl25QkSslH4NbBChs/QAL9Lw8zTGA24aMA6kG0m98cABmcAYu/FPokGfYDyATB4dd9QgTB9yXc5QUfRcJ9AUxnws1EeHFin9QygtACevyOdJtKVSib+0v4ipYXXOGh01O+/cL2HfJ3N9Rb89yL/FWgEboa2xOuMyuUHsc2ojThDFq2j+fuGNh1blRNQjgsBq+9riKs8YThjslIinZ3Iw2Ky9nv4Pbb33nvf9s7k81qKVqNOEofk1W7UCNjKzrlR8pC/iLfA2Lt04ktO+jKN+oKWFPTL14MWmu31lGURZXiGstgDgvglAKkMj1fh9xnK+R38OuD/P/hdg99JuAVWeiiEyF/xyoDVx+B3Du6AOpXW1m8eCLf8YivvkgeWyUf2sIyTs+Rq8oBJmbKJl/0Mi2k/kVRIJnwXVTQ0/NWlJ/6BKj2KjczPcPQwX49hB4xKpUqPk0JCTsY42kEH3em0u7Up7h5IBrQRlGiq2hJuuxd66WOu7vJuFkZV/WKt8/I03h8/xTF/504+CtsTT0cq40dxPIoFfHAiz3HKHCtR+UA47ze38pl6NJOer/6mSjbSTlWweG6kcy6kgl9Le72VvOVonE0CABqngRMdF0wodqvDQq8WVgC8RKfJbtF8kY79SvjcJw1lsBqH70ACrXXr1h0Gn0+TflF8xR/eahs230LeDJjoIAIxOzOeThNAq0lkLYm4n3x+ms61D6tPP4qNt23E9R2oOGPGjME04OrHHijPCfC8hDx1qYNyNeHWXA2WlMOCDic8EFk1fJtJ/qWxBk18+VRlEg/u8R7eEgl/FAxpjxdf0m8VX7nJwyTyan1JBe/LeJkz3F9K/HnI8hvQakqgSQVCzqpPgbN1DtpFJKBXmakTybuFtPRgux37lYDVJ5QWeZLGPBj5TjKZcFYW8miWG6Mv+wzbSJ7wMRB1cm6hPSpPo/KSxFqWcqt5rGQ+a+Gv5n/4pgMqnfHHOGXln1mfNY0TQ2nBya5zMiIJ0UxzQdS1aXJyfro4CAewaoBItJKji1MFqAb+oplQ4PgY6l38DaAdnQ354WP+8lNnT9tKA79qWgr39CIVP10stJKlh303V1f0F6J9LJx35y2QIPutAlZkJzndlZwU9OVnTZLjPpohwf40xnfgPoZrDo1yHJd9UlxyV4PGVoP+O235u1zfJu4foa15i6T7wRh1ID2ZuaSFfAht5TqEcAZpvJH7OVzqIPYCBj9JTnTrSPdh8vkAXr/j6lixYsUyD5SUoaahwo8oQWnNmjWKP6BRx3N5igCtduZuvkaHPRU+ryOyhqFaja8V3Wq769Wh00w1Qa178ricY4J/iFPHrEjdIqqpXU8qXC8yKL+cgzJorn6O7U5Oed2FSNpYLpASaHeSnobuakSy+jSSObwKelBAdArzlp9Glm/Fre9I7kd8lUsPDXswwFfaYYnyrqD+b6E6bqHObSeG+CB3hfcn23TYD1g6Ig2Y7ShUSqmkulomtzNpWu/X0PbyI39PUj9LkK/mTBU/hu943H9VRF8fDZkMw7OXdP0kvHgdfNHXp4flwiHU9osBgwn0FoYKBKj6I6AsrBTv+vzEq+N4UTlYdcGfaN7zgi4akE0qQuiBogokKo/3d7ZoKCdfXGb4EVxOLa0mYhMeBCgxRZHt3GbTb+w25QeN7vhuWTmhV0T1L1mEsG+IdFReen1uLXrB/eG+v/2dgvnSMxpFu2cmr5E0SlPLEL7HU+14KlNqOSf6FEJ28j+KdvNyGnGn76RKWJ2LuY4X49Rq5hlcOkZEQ/THaLCPT5gwYcWVV15pxyIrntZXDdBoid6vsTeS6kyikqY2ceLEl/DQn0WDnMRVJN2NpLEBEFg5Z86cdQKWNEcNzbQsgXKex5P2C3RC8bJnHZ3tfsr5Cvhrct/kkY7bh7smT6IhjSlYM8mLtIImOvX6F7/4xffV54WwwaYB6ZDMiPFVvSnlVN5DwHkW7WMnvHfmmkY51yO7Vch9NWVdqaUmioORRjVYrSqJ8cL8jpi8fPbFsLdBmAuXzWX7xyLX43uTpH30affgqWf/wJRrH4DlgMq0IrVz7g3McNMLpfiw5Lsz3PM7OpBsq5qt8EbQKq0vwOKp+TJ1dAptjVBLBzxw9CcIPV311E81+P7IBxUGL1u6MJj0RQtTXcqDFpoW1KEA2g8CWJfx1NWcBi+eC1oucRfa0mHcqyEMqRErHbQIXeI3FGPyrI8AvxqgrQ8fxP2I8vVyxB6wfKpzHas8mPppVA49CN3hgtXgEXjYBa4MVZ5y4Ke61jWipjFg+SQo4MJFS3Or910O3RHet2rP2eWB8JqzWSkvwHpy9R9425YAFipMz/BMeTZgwsbdA1TunjBpkjrmPap8CgX7GaYGazUsxdcly2tNaT/OiCc+nSfuDjZP+nqwgsWse67IBQdNVOK1psPd0tmBCKlcvWlqY2zpnXXQwQAWCfm8SIcNtEhUcyc0VMuD1Gu3Jkt0ntbCRvinCp6er9KV2zVEOWvSx7/ApVXYn2AO4yPM6Ugb0NniWkX/A+ZbjufeZIE9XNMLLEjTWsVwGY6heFbnAhQ9tFTvAqc6udfIfAzlfatlpTqH1TBFxqSM8it9nRB8O4Osa872Mb0yhkw1BPTApHbt3Wa78LS/HZsFSE3IX2zPbIuvti04cXVUnbdSeuIhW+FKC6xSSdYy4pj8zM3hors3E40xdUIlyt6mo7fX2PHxk/ImVLSLas54ulbdo+jQ5LcTfJLKQOmm5iq0GFaRDJwY1lCFseZrbOX9cLUDxcf0ylfivV38+jofkty3i5IPoRBS6UfGqJEaeAhA9NBzoJX2824DHE+Tsjcx77GeE0U3YOujEmmbk0sJK+NXCtbzan8jn2hWeGKXg7W88Y2jNc8/NzLFybgMTQJeEyDWZAEW8y5pBlojZmfLpz0zdyaBoUqgfw1rSNwEUERIg5UHrSpACdSMyNH5ewduNR+SEJClwrUTOowLpklpkzXfPiQt3tCIn05aoINUgvy0IeU5Ix4hCWiopgqTmcMkvbQqDXFsbyPgNSpvjJLkst8dSQIjq2El4OHAyIHQQFqVgZrauuj7sBXQGibveYuVJ3nr1xW0cS+gsjiuymoe6jtSNY6NsrJEQ2+45vJmSxni+5M5rdHiW5SRVsrbUgLZmckkMFwJjBhgJesxaagGUNKMPACl3H7Y2Cc4ufi14VHA2rygs3wr66/mBU/HewflcJ9gU/HaoNkWfkjFSkyPy/tk9laQgN4QKhkm249lkl1DQkMszV9h7l+/fv0jctTPi8kvM5kEhiKBEQMsm9+ugpQHqz7selDzQFa1FU9AB2GzgdUDQWv01nDfXywPj+zoCl/R8US4351nBsXox+F47aupvjrMdKyh1P4I0AJCtpxBC2Bh92ENBzGqh4glDXJ/TxPteiWPO3ukSCKZGbYERgiwFms+aZMtT6iClgBHjbcP0Krx1wO5ER0rPltp+1FlSbhHR1f84BttL0G8bN9mK3EcfkPRzCRQtSlo41NgmRl1CQBUOTSrJmxbP8T2jJsBqH0YAmphLNNWYYG1WJx8EX9DmQGwfE2Net6yBLZfCdgjcLjF07IB3jNr31kU//3kJwNOgdWCKGZbYekBS7buBUj1/mrDDejMz/tDE8a27SEoPiYGzJLMTBp/zBYDWxKBnxStSvxksP8JrADXYZuZGUEJ2OOAFfA53gbK7ResRoDWbmhV17FY9Ci3ul0nRegEzAJrsS5mG8lDWjkPsGUPkhGskB2V1RYBlgntiA5paQBI5TamWU9k7462wPQDUsIcyPsEr1S4ttJowXQcHUekT4X7LitqgzI7H5PGHwZv5OA97Qsssy2oEHTHd2iLzVZYvW5F355/pCWxiDHPSujqXjUN7fx6LPbAvQRgeidgdaHmrfxWHGRSQduSdvUNwOpyyYg4yQNmexZYVratIoEtB6wFHQl4VMo3sy32gwzhdgu6OEUhYAmCDQn7Ay+140bhDrQiPpy6mUmRlvxr4mWvvTyYW/gQG5RtCBIve805AOOZwQbWOIScxr6+XGTlw7WJ1LQqe6sssNwqlfQCJAIW6akTlNGMbG9hW1vbFLSmefgfApgdStjrudeRJ9pEa3XCJHte81ZoVl8FrM5Svt3wULwyk0lgiyWwxYBlw8LYjmVZFz+86Fxa6I/YXlPgRIQEtKraVCOtygFTvbZVjaPycXyDTlZoy70vWFZ6a/zX1+gV+Z5oVgfijzYH4k2iGGvLHwnn3XVfol2NveEHHdefo6QJHhU8mXVTEceQAaB0ekPERuN92HB7Onndi+zNIf+7454ESLG3PLKTI9CqWK2rwyS0A8eO6V2NZvU+wOomFUm8iJNpVxJGZkZEAiMy6a5jWQwo9lry46CzdHJQ5uym8QzRYtO0NCGvYR0Z9jb9tea+zt8ArK58nUzAN+f2ZvvOiQ6sithh0JbPo119iiNiLica/WPrHBFTl7s+b+noPmyiO3+IIS0rySg/ma0GeqKxYgNWE8ivNjL/E+79AaVJlKUCIHWhUdmpAYS1cOkEUgHVZewZ3F9gJaCiHOnFpGOlWFk+tnEJbLGG5ctvoKUD8PZZenP8wPF/YMvM1Wg+8wMdkNlpCzw1dKQh83UafaGm4VBQoNbQ0LGJUoyKQRFHgUPYJvNdsnXlhzks5r3hvnf+uGGsMeAJKFkusP+Do1kEUPPRRuycKzr5iDwwRrKYgI2B6OzZs//Mscx/EVhJowKwdOV1AUz6nuKz3aXuXzPN+HPu/4sTJ1YpH7wNLMDDhogjma+MVyYBSWDEhyXpCe/4wePOZfxwGt/geRUaF5PjYBbb/2xMoV4g0NLEeg2AKVdoHgl26egZDp9hWNhEVlvEg4Du6CGovhm0lD8X7nP3epuIX7h0gM3OKu4LZiRnA4LTTjttT8DrzVwn4Tedc6f2c2dbVWlesFy6hPVWTxPsnLzwBQDrPMDpUYL08YenuB7h6kDb+hXa1PO4zQiouPzbQ++d2ZkERlQC6iQjbuyo4UU9Q7N42dHz+YjUP9NnX8s1B/BpY2uNBkY9VwJQpoPZvkDpHlqqoK+OdUeaK3mYle53Y38vaJ34vzp/XRmPb+e7eEd2jPknukBAG4TRPnxJ9bmuOQDXI6mD2VSksWDULnTG1QxGf22A0+rdd9+9mM67Msm9akkHCFbfJMo/M5kERksCowJYyqzmk4KOBfk0mLBoKxfc98vZaFSvBqleCREnmcYzoNyJazpaVRF9ag3AxPGzsT4M+TAa2D1BvnBP8FTu8VpetrxhLGtVDevMd3LssQ6yBlp1hdDZXHl3iJyA17TGOprsNpPAti0BaVwaKvZVCsAtFz+yoFUr2A3o+iD0fPqj6SPqWPTWpLQ0lLFsdOKCgMtfYzmvWd4yCYysBAQ0yQWAMZSTxtUX+MTtgJjRQCu3NLbMZBLIJLBDS2BMgEANGJEj/rOhxg7dLLPCZxLIJJBJIJNAJoFMApkEMglkEsgksHUksLWHhDVfPdHXQXjd37CkfpOtPyvcfY5ItNlwsaHEMs9MAtu/BEYLsDww2TqdadOmhayGzo0fPz586qmncmykDXWx9SPkS7SWhylTpgSdnZ0hq78NkMaNGxfztWBtpI15jR5BF7uV4nqdHq1cuVLhUf3apu2/yrISZhLYcSUwYoCl199oRTlAJAco5QGnPIvZcwBRDqDJs+eMk2cigZU+rmluNs+GcrOauiYfOgNOVQLIxWwFibwtNwsZ9SnsCnGi559/Ppo0aVIFHnJr60+20nrHbctZyXcACdQAxXDL61Zxa52VtKg8mlNeIMW2kxzAYvvPOO87h7Yk4MrpglZBBlwATs16JIDNgEoAtXbtWnPjV4GHNt/ijCpoYwKyCulVoIm4r6DJVQRc2crr4dZkFi+TwNiWwBYDlhY/7rLLLg0MUMoAAAGmSURBVHlpVRQ1x6bZPB8dyLPBV4BkYKUNs2xBMbDCq0CYARbAxYLSWGcosc4qVpwArUvaFUpWJXKHwklzskugBJ1dgJ/ODC8DjNH48cVKuTxRYFbZddddjZavJsvOTCaBTALbkQRqNJvhlAvAiqdOnWrzSgzP4scffzzWPJS0I39JM9IFAEUAUVnAgpZUBnTKAFmRIV4RdxfgQ1B3t+7RnvR5qLLoCZJGZfEBvOoQUcND4qOFhTbHBVBqXitevnx5NjE/nMrM4mQSGOMS2GINy5fPbTPJMSzT8SM5DQs3bNggDSqnoSHgY/NXsnWhHdlwEACyPHhb/ACpGO0r1tyV3AI+QKsKgNKqBFQCL4Ef99Kmorlz51YYniosAyxfMZmdSWA7ksCIAVZKJjVvCPHPoXnpg5oetMytN4SAUAgwNcyDhoZoZaat6Y0hQ06BUMTwM7r//vvjPfbYI4JH9POf/zxasmRJBlKpCsicmQS2Vwk0BItRKKwHsQAtyNJk2BayNCE86KCDAsCoVz4AJg9SilMd5mkISv4yDWoUKiljmUlgrEvg/wOstPZ4un7abQAAAABJRU5ErkJggg=="
53 |       </a>
54 |     </div>
55 |   </body>
56 | </html>
57 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/log.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - redis
 4 |   - pypi.base
 5 | 
 6 | rsyslog:
 7 |   service:
 8 |     - running
 9 |     - enable: True
10 |     - restart: True
11 |     - watch:
12 |       - file: /etc/rsyslog.d/*.conf
13 | 
14 | /etc/redis.conf:
15 |   file.comment:
16 |     - regex: "^bind 127.0.0.1$"
17 | 
18 | redis-bind-all:
19 |   file.append:
20 |     - name: /etc/redis.conf
21 |     - text: "bind 0.0.0.0"
22 | 
23 | vm.overcommit_memory:
24 |   sysctl.present:
25 |     - value: 1
26 | 
27 | redis-daemon:
28 |   service:
29 |     - name: redis
30 |     - running
31 |     - restart: True
32 |     - watch:
33 |       - file: /etc/redis.conf
34 |     - require:
35 |       - pkg: redis28
36 |       - file: /etc/redis.conf
37 |       - sysctl: vm.overcommit_memory
38 | 
39 | {% set deploys = {} %}
40 | {% for k,v in pillar.items() %}
41 |   {% if k.startswith('pypi-deploy-') %}
42 |     {% do deploys.update({k: v}) %}
43 |   {% endif %}
44 | {% endfor %}
45 | 
46 | {% for key, config in deploys.items() %}
47 | 
48 | /etc/rsyslog.d/{{ config['name'] }}.conf:
49 |   file.managed:
50 |     - source: salt://pypi/config/pypi.rsyslog.conf.jinja
51 |     - template: jinja
52 |     - context:
53 |       path: {{ config['path'] }}
54 |       syslog_name: {{ config['fastly_syslog_name'] }}
55 | 
56 | /etc/logrotate.d/{{ config['name'] }}-cdn:
57 |   file.absent
58 | 
59 | /etc/logrotate-{{config['name']}}-cdn.conf:
60 |   file.managed:
61 |     - source: salt://pypi/config/pypi-syslog.logrotate.conf
62 |     - template: jinja
63 |     - context:
64 |       syslog_name: {{ config['fastly_syslog_name'] }}
65 | 
66 | {{config['name']}}-hourly-logrotate-cron:
67 |   cron.present:
68 |     - name: /usr/sbin/logrotate -f /etc/logrotate-{{config['name']}}-cdn.conf
69 |     - minute: '0'
70 |     - user: root
71 | 
72 | {% if 'cron_workers' in grains['roles'] %}
73 | {{ config['user'] }}-index-for-search-cron:
74 |   cron.present:
75 |     - name: {{ config['path'] }}/env/bin/python {{ config['path'] }}/src/tools/index.py
76 |     - minute: '6'
77 |     - hour: '*/1'
78 |     - user: {{ config['user'] }}
79 | 
80 | {{ config['user'] }}-index-for-trove-cron:
81 |   cron.present:
82 |     - name: {{ config['path'] }}/env/bin/python {{ config['path'] }}/src/tools/index-trove.py
83 |     - minute: '36'
84 |     - hour: '*/1'
85 |     - user: {{ config['user'] }}
86 | {% endif %}
87 | 
88 | {% endfor %}
89 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/pypi/web.sls:
--------------------------------------------------------------------------------
  1 | 
  2 | include:
  3 |   - pypi.base
  4 |   - nginx
  5 |   - redis
  6 |   - supervisor
  7 |   - monitoring.client.pypi-backend
  8 | {% if 'develop' in grains['roles'] %}
  9 |   - postgresql.93
 10 |   - pypi.dev-db
 11 | {% endif %}
 12 | 
 13 | net.core.somaxconn:
 14 |   sysctl.present:
 15 |     - value: 1024
 16 | 
 17 | /opt/pypi-docs-proxy/env:
 18 |   virtualenv.managed:
 19 |     - venv_bin: /usr/bin/virtualenv
 20 |     - python: /usr/bin/python2.7
 21 |     - system_site_packages: False
 22 | 
 23 | pypi-docs-proxy-eventlet:
 24 |   pip.installed:
 25 |     - name: eventlet
 26 |     - bin_env: /opt/pypi-docs-proxy/env
 27 |     - require:
 28 |       - virtualenv: /opt/pypi-docs-proxy/env
 29 | 
 30 | pypi-docs-proxy:
 31 |   pip.installed:
 32 |     - name: pypi-docs-proxy == 1.4
 33 |     - bin_env: /opt/pypi-docs-proxy/env
 34 |     - require:
 35 |       - virtualenv: /opt/pypi-docs-proxy/env
 36 | 
 37 | {% set deploys = {} %}
 38 | {% for k,v in pillar.items() %}
 39 |   {% if k.startswith('pypi-deploy-') %}
 40 |     {% do deploys.update({k: v}) %}
 41 |   {% endif %}
 42 | {% endfor %}
 43 | 
 44 | {% for key, config in deploys.items() %}
 45 | 
 46 |   {% if config['data_device']['type'] == "local" %}
 47 | 
 48 | {{ config['data_mount'] }}:
 49 |   file.directory:
 50 |     - user: {{ config['user'] }}
 51 |     - group: {{ config['group'] }}
 52 |     - mode: 755
 53 |     - makedirs: True
 54 |     - require:
 55 |       - user: {{ config['user'] }}
 56 | 
 57 |   {% else %}
 58 | 
 59 | {{ config['data_mount'] }}:
 60 |   mount.mounted:
 61 |     - device: {{ config['data_device']['uri'] }}
 62 |     - fstype: {{ config['data_device']['type'] }}
 63 |     - mkmnt: True
 64 |     - opts:
 65 |       - defaults
 66 |   file.directory:
 67 |     - user: {{ config['user'] }}
 68 |     - group: {{ config['group'] }}
 69 |     - mode: 755
 70 |     - require:
 71 |       - user: {{ config['user'] }}
 72 | 
 73 |   {% endif %}
 74 | 
 75 | /var/log/nginx/{{ config['name'] }}:
 76 |   file.directory:
 77 |     - user: root
 78 |     - group: root
 79 | 
 80 | /etc/nginx/conf.d/{{ config['name'] }}.conf:
 81 |   file.managed:
 82 |     - source: salt://pypi/config/pypi.nginx.conf.jinja
 83 |     - template: jinja
 84 |     - context:
 85 |       app_key: {{ key }}
 86 | {% if config['docs_bucket'] %}
 87 |       serve_docs: False
 88 | {% else %}
 89 |       serve_docs: True
 90 | {% endif %}
 91 |     - user: root
 92 |     - group: root
 93 |     - mode: 640
 94 | 
 95 | /etc/nginx/conf.d/{{ config['name'] }}:
 96 |   file.directory
 97 | 
 98 | 
 99 | {% if config.get('rate_limit', False) %}
100 | /etc/nginx/conf.d/{{ config['name'] }}-ratelimit.conf:
101 |   file.managed:
102 |     - source: salt://pypi/config/pypi.nginx.ratelimit.conf.jinja
103 |     - template: jinja
104 |     - context:
105 |       zone_name: {{ config['name'] }}
106 |       zone_size: {{ config.get('rate_limit', {}).get('zone_size', '10m') }}
107 |       max_rate: {{ config.get('rate_limit', {}).get('max_rate', '1r/s') }}
108 | {% endif %}
109 | 
110 | /etc/nginx/conf.d/{{ config['name'] }}/app.conf:
111 |   file.managed:
112 |     - source: salt://pypi/config/pypi.nginx.app.conf.jinja
113 |     - template: jinja
114 |     - context:
115 |       app_key: {{ key }}
116 | {% if config.get('rate_limit', False) %}
117 |       rate_limit: True
118 |       zone_name: {{ config['name'] }}
119 |       burst: {{ config.get('rate_limit', {}).get('burst', 3) }}
120 |       nodelay: {{ config.get('rate_limit', {}).get('nodelay', False) }}
121 | {% endif %}
122 |     - user: root
123 |     - group: root
124 |     - mode: 640
125 |     - require:
126 |       - file: /etc/nginx/conf.d/{{ config['name'] }}
127 |       - file: /etc/nginx/conf.d/{{ config['name'] }}.conf
128 |       - file: /var/log/nginx/{{ config['name'] }}
129 | 
130 | /etc/logrotate.d/{{ config['name'] }}:
131 |   file.managed:
132 |     - source: salt://pypi/config/pypi.logrotate.conf
133 |     - template: jinja
134 |     - context:
135 |       app_key: {{ key }}
136 |     - user: root
137 |     - group: root
138 |     - mode: 644
139 | 
140 | {{ config['path'] }}/secret:
141 |   file.directory:
142 |     - user: {{ config['name'] }}
143 |     - group: {{ config['group'] }}
144 |     - mode: 700
145 | 
146 | {{ config['path'] }}/secret/pubkey:
147 |   file.managed:
148 |     - user: {{ config['name'] }}
149 |     - group: {{ config['group'] }}
150 |     - mode: 600
151 |     - contents_pillar: secrets-{{ key }}:pubkey
152 |     - require:
153 |       - file: {{ config['path'] }}/secret
154 | 
155 | {{ config['path'] }}/secret/privkey:
156 |   file.managed:
157 |     - user: {{ config['name'] }}
158 |     - group: {{ config['group'] }}
159 |     - mode: 600
160 |     - contents_pillar: secrets-{{ key }}:privkey
161 |     - require:
162 |       - file: {{ config['path'] }}/secret
163 | 
164 | /etc/init.d/{{ config['name'] }}:
165 |   file.managed:
166 |     - source: salt://pypi/config/pypi.initd.jinja
167 |     - template: jinja
168 |     - context:
169 |       app_key: {{ key }}
170 |     - user: root
171 |     - group: root
172 |     - mode: 755
173 |     - template: jinja
174 |     - require:
175 |       - file: {{ config['path'] }}/src/config.ini
176 | 
177 | /etc/supervisord.d/{{ config['name'] }}-worker.ini:
178 |   file.managed:
179 |     - source: salt://pypi/config/pypi-worker.ini.jinja
180 |     - user: root
181 |     - group: root
182 |     - mode: 640
183 |     - template: jinja
184 |     - context:
185 |       app_key: {{ key }}
186 |     - require:
187 |       - file: /var/log/{{ config['name'] }}
188 |       - file: {{ config['path'] }}/src/config.ini
189 |       - virtualenv: {{ config['path'] }}/env
190 | 
191 | {% if config['docs_bucket'] %}
192 | /etc/supervisord.d/{{ config['name'] }}-docs-proxy.ini:
193 |   file.managed:
194 |     - source: salt://pypi/config/pypi-docs-proxy.ini.jinja
195 |     - user: root
196 |     - group: root
197 |     - mode: 640
198 |     - template: jinja
199 |     - context:
200 |       app_key: {{ key }}
201 | {% else %}
202 | /etc/supervisord.d/{{ config['name'] }}-docs-proxy.ini:
203 |   file.absent
204 | {% endif %}
205 | 
206 | {{ config['name'] }}-supervisor:
207 |   cmd.wait:
208 |     - name: supervisorctl reread && supervisorctl update
209 |     - require:
210 |       - file: /etc/supervisord.d/{{ config['name'] }}-worker.ini
211 |       - file: /etc/supervisord.d/{{ config['name'] }}-docs-proxy.ini
212 |     - watch:
213 |       - file: /etc/supervisord.d/{{ config['name'] }}-worker.ini
214 |       - file: /etc/supervisord.d/{{ config['name'] }}-docs-proxy.ini
215 | 
216 | {{ config['name'] }}-service:
217 |   service:
218 |     - name: {{ config['name'] }}
219 |     - running
220 |     - enable: True
221 |     - require:
222 |       - file: /etc/init.d/{{ config['name'] }}
223 | 
224 | {{ config['name'] }}-reload:
225 |   cmd.wait:
226 |     - name: 'service {{ config['name'] }} reload && supervisorctl restart {{ config['name'] }}-worker'
227 |     - require:
228 |       - service: {{ config['name'] }}-service
229 |       - cmd: {{ config['name'] }}-supervisor
230 |     - watch:
231 |        - git: {{ config['name'] }}-source
232 |        - file: {{ config['path'] }}/src/config.ini
233 | 
234 | {% endfor %}
235 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/27/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - python.copr
 4 | 
 5 | python27:
 6 |   pkg.installed:
 7 |     - require:
 8 |       - pkgrepo: ewdurbin-pythons-el6
 9 | 
10 | setuptools-2.7:
11 |   cmd.wait:
12 |     - name: 'curl https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py | python2.7'
13 |     - watch:
14 |       - pkg: python27
15 |     - require:
16 |       - pkg: python27
17 | 
18 | pip-2.7:
19 |   cmd.wait:
20 |     - name: 'curl https://bootstrap.pypa.io/get-pip.py | python2.7'
21 |     - watch:
22 |       - pkg: python27
23 |     - require:
24 |       - pkg: python27
25 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/27/virtualenv.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - python.27
 4 | 
 5 | system-pip:
 6 |   pkg.installed:
 7 |     - name: python-pip
 8 | 
 9 | virtualenv-2.7:
10 |   pip.installed:
11 |     - name: virtualenv
12 |     - pip_bin: /usr/bin/pip2.7
13 |     - require:
14 |       - pkg: system-pip
15 |       - pkg: python27
16 |       - cmd: pip-2.7
17 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/34/init.sls:
--------------------------------------------------------------------------------
1 | include:
2 |   - python.copr
3 | 
4 | python34-devel:
5 |   pkg.installed:
6 |     - require:
7 |       - pkgrepo: ewdurbin-pythons-el6
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/35/init.sls:
--------------------------------------------------------------------------------
1 | include:
2 |   - python.copr
3 | 
4 | python35-devel:
5 |   pkg.installed:
6 |     - require:
7 |       - pkgrepo: ewdurbin-pythons-el6
8 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/copr/config/ewdurbin-pythons-el6.gpgkey:
--------------------------------------------------------------------------------
 1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
 2 | Version: GnuPG v2
 3 | 
 4 | mQENBFeUm6YBCADIPcpT6tP0TNVwdqSjVD6AoVhnmwGwluye1wyNgLgXsVqvbQny
 5 | ZbhLUPlF+rbcKsua/KW8A3jKwGXbUaWqeaUZmKv3DYxRLSBouF4vmYDQ3D4RAhEY
 6 | Yl7RjHuQRL/iCJKrXwQTwiaQdnh7+dgLOX08VU+3uAR9naET5IbWntqEmEdK0vEI
 7 | R5e35gkWo1HBF6S4OoNFd5KHWzqXDmIkg+FU2EFQcTqoIxL4LEqLyaMJ5qhL3pKp
 8 | vhg6psbgmE+UOLqCfFbOQO8bUHc2KHzN65bj+f3QSSik3G2/CZRUH/6+F+/bCVnJ
 9 | CyYB2FpDGUHr+knMSJZ6G/u6teiOziX/eASNABEBAAG0SGV3ZHVyYmluX3B5dGhv
10 | bnMtZWw2IChOb25lKSA8ZXdkdXJiaW4jcHl0aG9ucy1lbDZAY29wci5mZWRvcmFo
11 | b3N0ZWQub3JnPokBPQQTAQgAJwUCV5SbpgIbLwUJCWYBgAULCQgHAgYVCAkKCwIE
12 | FgIDAQIeAQIXgAAKCRD3vr62A9myD/P9B/9z8l9dZHpFbJUB+CWOAsM4n2YKiN6w
13 | VWf7xZIjCfg0X1qdc5JOCYns6c3vatdogcWR/fN33VpvBcmAZc4M6m2dhnEguNkl
14 | y9eNO0BojKZ+T3gwvfk7Ej75Ny2B632b1xk1tAP7dunAQnP4IW+th2RDDyfZLw3q
15 | b7A2xwn8nvHDsnvV5fq6sVGvkZHVEjIvpM9aJTt5qsNTK/po3u28PDGLdE2WfACA
16 | +IjVhG8dKCVawi4LjlsUWSHK1P0xRHULxFnt3eu1z2nUVViSwJIGfwWAKjLWCpQf
17 | ILvgZ7LanqOJeE1vK4UuZlpaEeC19ugqpzn7wZ1bhd4sw9wC2Nle0fnY
18 | =vpqx
19 | -----END PGP PUBLIC KEY BLOCK-----
20 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/python/copr/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | ewdurbin-pythons-el6-repo-pkg-deps:
 3 |   pkg.installed:
 4 |     - pkgs:
 5 |       - pygpgme
 6 |       - yum-utils
 7 | 
 8 | /etc/pki/rpm-gpg/RPM-GPG-KEY-ewdurbin-pythons-el6:
 9 |   file.managed:
10 |     - source: salt://python/copr/config/ewdurbin-pythons-el6.gpgkey
11 |     - user: root
12 |     - group: root
13 |     - mode: 444
14 | 
15 | ewdurbin-pythons-el6:
16 |   pkgrepo.managed:
17 |     - humanname: Copr repo for pythons-el6 owned by ewdurbin
18 |     - baseurl: https://copr-be.cloud.fedoraproject.org/results/ewdurbin/pythons-el6/epel-6-$basearch/
19 |     - gpgcheck: 1
20 |     - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ewdurbin-pythons-el6
21 |     - skip_if_unavailable: 1
22 |     - sslverify: 1
23 |     - sslcacert: /etc/pki/tls/certs/ca-bundle.crt
24 |     - require:
25 |       - file: /etc/pki/rpm-gpg/RPM-GPG-KEY-ewdurbin-pythons-el6
26 |       - pkg: ewdurbin-pythons-el6-repo-pkg-deps
27 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/redis/copr/config/jlaska-redis-28.gpgkey:
--------------------------------------------------------------------------------
 1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
 2 | Version: GnuPG v2
 3 | 
 4 | mQENBFTTfgoBCACsCAvryW1QpO6xyf+hdHtaeS8nVcAcfSgbtWjW0BJPbCQ7hFcz
 5 | Rn2xaB8n8rjUS2jELMQbIp94YJ0NoM4ezXqokSvTjWc/wv35lnbRWd3eIa4ST4c7
 6 | b/ihWrQX3RMbHYnCWMs8VSLG9FALXbijRVOUWBGszp8zcGmezCg5SpV8W6WVfE/X
 7 | 3bl9ZuBF66bkxy0V1bbwXmUaWh9H+L7S8uPEDPk157P1cnEDZfSaJCkiBbUaD+eB
 8 | p/cYOFch+z7bqiTwyU3jRUSYJwwMPUl1FxHuQz3MeMqiYLKiwvmbmNCt+HrGhCxi
 9 | jdK/zxyIpnoJ0bCnFZRSWYtajbIr199Xi1HbABEBAAG0PmpsYXNrYV9yZWRpcy0y
10 | OCAoTm9uZSkgPGpsYXNrYSNyZWRpcy0yOEBjb3ByLmZlZG9yYWhvc3RlZC5vcmc+
11 | iQE/BBMBAgApBQJU034KAhsvBQkJZgGABwsJCAcDAgEGFQgCCQoLBBYCAwECHgEC
12 | F4AACgkQnf23mNRPe7KDZQgAo8SmwrobQ7fZuKMCO4XWiAOOmhhsJn+SLMAFnU7a
13 | OP3VQcTnMzx8bu99r2NSO0IOCKnUvN+WuDyDCAfocxZrWp1I8/vdrP6AQLwG5sq2
14 | lgfecAy1j2VLOjBog+rS/ZypjGts1NfC6Qtvhk55roy5ikd29MZmI/gQFt119Ou0
15 | qZCbN1yRLE3axvK/7dF8YSpUrRKQkE0d/ZcmahQ0JNsoIiPnMdjWeqGA8PZXnNB+
16 | kKwVAXP1R+cMFrQ8vzzhPqL1WdeiGGjd4nvNqh811R8NuapZ3OAt/W5VNGSW8kKw
17 | xJG/RNVbVGRYBbYipraE4z2E9k+eJCVHEDBhFoR9/UbIFw==
18 | =8XbF
19 | -----END PGP PUBLIC KEY BLOCK-----
20 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/redis/copr/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | jlaska-redis-28-repo-pkg-deps:
 3 |   pkg.installed:
 4 |     - pkgs:
 5 |       - pygpgme
 6 |       - yum-utils
 7 | 
 8 | /etc/pki/rpm-gpg/RPM-GPG-KEY-jlaska-redis-28:
 9 |   file.managed:
10 |     - source: salt://redis/copr/config/jlaska-redis-28.gpgkey
11 |     - user: root
12 |     - group: root
13 |     - mode: 444
14 | 
15 | jlaska-redis-28:
16 |   pkgrepo.managed:
17 |     - humanname: Copr repo for redis-28 owned by jlaska
18 |     - baseurl: https://copr-be.cloud.fedoraproject.org/results/jlaska/redis-28/epel-6-$basearch/
19 |     - gpgcheck: 1
20 |     - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-jlaska-redis-28
21 |     - skip_if_unavailable: True
22 |     - sslverify: 1
23 |     - sslcacert: /etc/pki/tls/certs/ca-bundle.crt
24 |     - require:
25 |       - file: /etc/pki/rpm-gpg/RPM-GPG-KEY-jlaska-redis-28
26 |       - pkg: jlaska-redis-28-repo-pkg-deps
27 | 
28 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/redis/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - redis.copr
 4 | 
 5 | redis28:
 6 |   pkg:
 7 |     - installed
 8 | 
 9 | redis:
10 |   service:
11 |     - running
12 |     - enable: True
13 |     - require:
14 |       - pkg: redis28
15 |   
16 | {% if 'datadog_api_key' in pillar %}
17 | /etc/dd-agent/conf.d/redisdb.yaml:
18 |   file.managed:
19 |     - user: root
20 |     - group: root
21 |     - mode: '0644'
22 |     - contents: |
23 |         init_config:
24 |         instances:
25 |             - host: localhost
26 |               port: 6379
27 | {% endif %}
28 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/sudoers/config/salt.jinja:
--------------------------------------------------------------------------------
1 | {% for sudoer_group in sudoers.split(',') %}
2 | {% for command in pillar['sudoer_groups'][sudoer_group]['commands'] %}
3 | %{{sudoer_group}}        {{command}}
4 | {% endfor %}
5 | {% endfor %}
6 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/sudoers/init.sls:
--------------------------------------------------------------------------------
 1 | {% if 'sudoer_groups' in pillar %}
 2 | {% for group in pillar.get('sudoer_groups', {}) %}
 3 | {{group}}-sudoer_group:
 4 |   group.present:
 5 |     - name: {{group}}
 6 | {% endfor %}
 7 | /etc/sudoers.d/salt:
 8 |   file.managed:
 9 |     - source: salt://sudoers/config/salt.jinja
10 |     - template: jinja
11 |     - context:
12 |       sudoers: {{ pillar.get('sudoer_groups', {}).keys()|join(',') }}
13 |     - user: root
14 |     - group: root
15 |     - mode: 640
16 | {% endif %}
17 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/supervisor/config/supervisord.conf:
--------------------------------------------------------------------------------
 1 | [unix_http_server]
 2 | file=/tmp/supervisor.sock   ; (the path to the socket file)
 3 | 
 4 | [supervisord]
 5 | logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
 6 | logfile_maxbytes=50MB        ; (max main logfile bytes b4 rotation;default 50MB)
 7 | logfile_backups=10           ; (num of main logfile rotation backups;default 10)
 8 | loglevel=info                ; (log level;default info; others: debug,warn,trace)
 9 | pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
10 | nodaemon=false               ; (start in foreground if true;default false)
11 | minfds=1024                  ; (min. avail startup file descriptors;default 1024)
12 | minprocs=200                 ; (min. avail process descriptors;default 200)
13 | 
14 | [rpcinterface:supervisor]
15 | supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
16 | 
17 | [supervisorctl]
18 | serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
19 | 
20 | [include]
21 | files = supervisord.d/*.ini
22 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/supervisor/config/supervisord.init:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # supervisord   This scripts turns supervisord on
 4 | #
 5 | # Author:       Mike McGrath <mmcgrath@redhat.com> (based off yumupdatesd)
 6 | #
 7 | # chkconfig:	- 95 04
 8 | #
 9 | # description:  supervisor is a process control utility.  It has a web based
10 | #               xmlrpc interface as well as a few other nifty features.
11 | # processname:  supervisord
12 | # config: /etc/supervisord.conf
13 | # pidfile: /var/run/supervisord.pid
14 | #
15 | 
16 | # source function library
17 | . /etc/rc.d/init.d/functions
18 | 
19 | RETVAL=0
20 | 
21 | start() {
22 | 	echo -n $"Starting supervisord: "
23 | 	daemon supervisord -c /etc/supervisord.conf
24 | 	RETVAL=$?
25 | 	echo
26 | 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/supervisord
27 | }
28 | 
29 | stop() {
30 | 	echo -n $"Stopping supervisord: "
31 | 	killproc supervisord
32 | 	echo
33 | 	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/supervisord
34 | }
35 | 
36 | restart() {
37 | 	stop
38 | 	start
39 | }
40 | 
41 | case "$1" in
42 |   start)
43 | 	start
44 | 	;;
45 |   stop) 
46 | 	stop
47 | 	;;
48 |   restart|force-reload|reload)
49 | 	restart
50 | 	;;
51 |   condrestart)
52 | 	[ -f /var/lock/subsys/supervisord ] && restart
53 | 	;;
54 |   status)
55 | 	status supervisord
56 | 	RETVAL=$?
57 | 	;;
58 |   *)
59 | 	echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
60 | 	exit 1
61 | esac
62 | 
63 | exit $RETVAL
64 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/supervisor/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | supervisor-python-pip:
 3 |   pkg.installed:
 4 |     - name: python-pip
 5 | 
 6 | supervisor-python-argparse:
 7 |   pkg.installed:
 8 |     - name: python-argparse
 9 | 
10 | supervisor-python-psutil:
11 |   pkg.installed:
12 |     - name: python-psutil
13 | 
14 | supervisor==3.0:
15 |   pip.installed:
16 |     - bin_env: /usr/bin/pip
17 |     - require:
18 |       - pkg: supervisor-python-pip
19 |       - pkg: supervisor-python-psutil
20 |       - pkg: supervisor-python-argparse
21 | 
22 | /etc/init.d/supervisord:
23 |   file.managed:
24 |     - source: salt://supervisor/config/supervisord.init
25 |     - user: root
26 |     - group: root
27 |     - mode: 744
28 |     - mode: 755
29 |   cmd.wait:
30 |     - name: chkconfig --add supervisord
31 |     - watch:
32 |       - file: /etc/init.d/supervisord
33 | 
34 | /etc/supervisord.conf:
35 |   file.managed:
36 |     - source: salt://supervisor/config/supervisord.conf
37 |     - user: root
38 |     - group: root
39 |     - mode: 644
40 | 
41 | /var/log/supervisor:
42 |   file.directory:
43 |     - user: root
44 |     - group: root
45 |     - mode: 755
46 |     - mkdirs: True
47 | 
48 | /etc/supervisord.d:
49 |   file.directory:
50 |     - user: root
51 |     - group: root
52 |     - mode: 755
53 |     - mkdirs: True
54 | 
55 | supervisord:
56 |   service:
57 |     - enable: True
58 |     - running
59 |     - require:
60 |       - pip: supervisor==3.0
61 |       - file: /etc/init.d/supervisord
62 |       - file: /etc/supervisord.conf
63 |       - file: /var/log/supervisor
64 |       - file: /etc/supervisord.d
65 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/tls/init.sls:
--------------------------------------------------------------------------------
 1 | crypto_packages:
 2 |   pkg.installed:
 3 |     - pkgs:
 4 |       - openssl
 5 | 
 6 | generate_dhparams:
 7 |   cmd.run:
 8 |     - name: openssl dhparam -out /etc/pki/tls/private/dhparams.pem 4096
 9 |     - creates: /etc/pki/tls/private/dhparams.pem
10 |     - require:
11 |       - pkg: crypto_packages
12 | 
13 | lego_extract:
14 |   archive.extracted:
15 |     - name: /usr/local/bin/
16 |     - if_missing: /usr/local/bin/lego
17 |     - source: https://github.com/xenolf/lego/releases/download/v0.3.1/lego_linux_amd64.tar.xz
18 |     - source_hash: sha256=cee9511099e9864968ac9c68f2f8d77fd927cda17957546d99faaf93f310538a
19 |     - archive_format: tar
20 |     - tar_options: -J --strip-components=1 lego/lego
21 | 
22 | /etc/lego:
23 |   file.directory:
24 |     - user: root
25 |     - group: root
26 |     - mode: 0755
27 | 
28 | /etc/lego/.well-known/acme-challenge:
29 |   file.directory:
30 |     - user: nginx
31 |     - group: root
32 |     - mode: 0750
33 |     - makedirs: True
34 |     - require:
35 |       - file: /etc/lego
36 | 
37 | lego_bootstrap:
38 |   cmd.run:
39 |     - name: /usr/local/bin/lego -a --email="infrastructure-staff@python.org" --domains="{{ grains['fqdn'] }}" --webroot /etc/lego --path /etc/lego --key-type ec256 run
40 |     - creates: /etc/lego/certificates/{{ grains['fqdn'] }}.json
41 |     - require:
42 |       - file: /etc/lego/.well-known/acme-challenge
43 |       - archive: lego_extract
44 | 
45 | lego_renew:
46 |   cron.present:
47 |     - name: /usr/local/bin/lego -a --email="infrastructure-staff@python.org" --domains="{{ grains['fqdn'] }}" --webroot /etc/lego --path /etc/lego --key-type ec256  renew --days 30 && /sbin/service nginx reload
48 |     - hour: 0
49 |     - minute: random
50 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/top.sls:
--------------------------------------------------------------------------------
 1 | base:
 2 |   '*':
 3 |     - base.sanity
 4 |     - datadog
 5 |     - users
 6 |     - sudoers
 7 |     - backup.client
 8 |     - monitoring.client.base
 9 |     - openvpn.routing
10 | 
11 |   'roles:salt-master':
12 |     - match: grain
13 |     - firewall
14 | 
15 |   'roles:pypi-mirror':
16 |     - match: grain
17 |     - pypi-mirror
18 |     - firewall
19 |     - monitoring.client.nginx
20 | 
21 |   'roles:pypi':
22 |     - match: grain
23 |     - pypi.web
24 |     - firewall
25 |     - monitoring.client.nginx
26 |     - monitoring.client.redis
27 |     - base.auto-highstate
28 | 
29 |   'G@roles:warehouse':
30 |     - match: compound
31 |     - warehouse.web
32 |     - firewall
33 |     - monitoring.client.nginx
34 |     - base.auto-highstate
35 | 
36 |   'roles:pypi_log':
37 |     - match: grain
38 |     - pypi.log
39 |     - firewall
40 |     - monitoring.client.redis
41 |     - base.auto-highstate
42 |     - elasticsearch
43 | 
44 |   'roles:monitoring_server':
45 |     - match: grain
46 |     - firewall
47 |     - monitoring.server
48 |     - monitoring.client.nginx
49 | 
50 |   'roles:backup_server':
51 |     - match: grain
52 |     - firewall
53 |     - backup.server
54 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/users/config/authorized_keys.jinja:
--------------------------------------------------------------------------------
1 | {% for key in pillar[user_tree][user]['ssh_keys'] %}
2 | {{key}}{% endfor %}
3 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/users/init.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | {% set users = [] %}
 3 | {% for k,v in pillar.items() %}
 4 |   {% if k.startswith('users-') %}
 5 |     {% for user, config in v.items() %}
 6 |       {% do config.update({'user_tree': k}) %}
 7 |       {% do users.append((user, config)) %}
 8 |     {% endfor %}
 9 |   {% endif %}
10 | {% endfor %}
11 | 
12 | /home/psf-users:
13 |   file.directory:
14 |     - mode: 755
15 | 
16 | {% for user in users %}
17 | {% set (user_name, user_config) = user %}
18 | 
19 | {{ user_name }}-user:
20 |   user.present:
21 |     - name: {{ user_name }}
22 |     - home: /home/psf-users/{{ user_name }}
23 |     - createhome: True
24 |     {% if 'add_group' in user_config %}
25 |     - groups:
26 |       {% for group in user_config['add_group'] %}
27 |       - {{group}}
28 |       {% endfor %}
29 |     {% endif %}
30 |     - require:
31 |       - file: /home/psf-users
32 |     {% if 'add_group' in user_config %}
33 |       {% for group in user_config['add_group'] %}
34 |       - group: {{group}}
35 |       {% endfor %}
36 |     {% endif %}
37 | 
38 | {{ user_name }}-ssh_dir:
39 |   file.directory:
40 |     - name: /home/psf-users/{{ user_name }}/.ssh
41 |     - user: {{ user_name }}
42 |     - mode: 700
43 |     - require:
44 |       - user: {{ user_name }}
45 | 
46 | {{ user_name }}-ssh_key:
47 |   file.managed:
48 |     - name: /home/psf-users/{{ user_name }}/.ssh/authorized_keys
49 |     - user: {{ user_name }}
50 |     - mode: 600
51 |     - source: salt://users/config/authorized_keys.jinja
52 |     - template: jinja
53 |     - context:
54 |       user: {{ user_name }}
55 |       user_tree: {{ user_config['user_tree'] }}
56 |     - require:
57 |       - user: {{ user_name }}
58 | 
59 | {% endfor %}
60 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/base.sls:
--------------------------------------------------------------------------------
 1 | 
 2 | include:
 3 |   - python.34
 4 | 
 5 | {% set deploys = {} %}
 6 | {% for k,v in pillar.items() %}
 7 |   {% if k.startswith('warehouse-deploy-') %}
 8 |     {% do deploys.update({k: v}) %}
 9 |   {% endif %}
10 | {% endfor %}
11 | 
12 | {% for key, config in deploys.items() %}
13 | 
14 | {{ config['name'] }}-user:
15 |   group.present:
16 |     - name: {{ config['group'] }}
17 |     - gid:  {{ config['group_gid'] }}
18 |   user.present:
19 |     - name: {{ config['user'] }}
20 |     - uid:  {{ config['user_uid'] }}
21 |     - gid:  {{ config['group_gid'] }}
22 |     - home: {{ config['path'] }}
23 |     - createhome: True
24 |     - require:
25 |       - group: {{ config['group'] }}
26 | 
27 | {{ config['path'] }}:
28 |   file.directory:
29 |     - user:  {{ config['user'] }}
30 |     - group: {{ config['group'] }}
31 |     - mode: 755
32 | 
33 | /var/log/{{ config['name'] }}:
34 |   file.directory:
35 |     - user:  {{ config['user'] }}
36 |     - group: {{ config['group'] }}
37 |     - mode: 750
38 | 
39 | /var/run/{{ config['name'] }}:
40 |   file.directory:
41 |     - user:  {{ config['user'] }}
42 |     - group: {{ config['group'] }}
43 |     - mode: 755
44 | 
45 | /opt/{{ config['name'] }}/env:
46 |   virtualenv.managed:
47 |     - venv_bin: pyvenv-3.4
48 |     - system_site_packages: False
49 |     - user: {{ config['name'] }}
50 |     - cwd:  {{ config['path'] }}/src
51 |     - require:
52 |       - file: {{ config['path'] }}
53 |       - user: {{ config['user'] }}
54 | 
55 | {{ config['name'] }}-source:
56 |   git.latest:
57 |     - name: {{ config.get('source_uri', "https://github.com/pypa/warehouse.git") }}
58 |     - rev: {{ config.get('source_rev', "werkzeug") }}
59 |     - user: {{ config['name'] }}
60 |     - target: /opt/{{ config['name'] }}/src
61 | 
62 | {{ config['name'] }}-package:
63 |   pip.installed:
64 |     - name: /opt/{{ config['name'] }}/src
65 |     - upgrade: True
66 |     - user: {{ config['name'] }}
67 |     - bin_env: /opt/{{ config['name'] }}/env
68 | 
69 | {% set secrets_key = config['secrets_key'] %}
70 | 
71 | /etc/warehouse/{{ config['name'] }}.yml:
72 |   file.serialize:
73 |     - formatter: json
74 |     - dataset: {{ pillar.get(secrets_key)['config'] }}
75 | 
76 | {% endfor %}
77 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/config/nginx.app.conf.jinja:
--------------------------------------------------------------------------------
 1 | keepalive_timeout 5;
 2 | client_max_body_size 40M;
 3 | 
 4 | location / {
 5 |   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 6 |   proxy_set_header Host $http_host;
 7 |   proxy_redirect off;
 8 |   proxy_pass http://{{app_name}}_server;
 9 | }
10 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/config/nginx.conf.jinja:
--------------------------------------------------------------------------------
 1 |   upstream {{ app_name }}_server {
 2 |     server unix:/var/run/{{ app_name }}/gunicorn.sock fail_timeout=0;
 3 |   }
 4 | 
 5 |   server {
 6 |     listen {{ port }} ;
 7 |     access_log /var/log/nginx/{{ app_name }}/access.log;
 8 |     error_log /var/log/nginx/{{ app_name }}/error.log;
 9 |     include nginx.ssl.conf;
10 |     include conf.d/{{ app_name }}/app.conf;
11 |   }
12 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/config/supervisor.ini.jinja:
--------------------------------------------------------------------------------
 1 | [program:{{ app_name }}-gunicorn]
 2 | command = /opt/{{ app_name }}/env/bin/unicornherder -g /opt/{{ app_name }}/env/bin/gunicorn --pid /var/run/{{ app_name }}/gunicorn.pid -- -c /opt/{{ app_name }}/gunicorn.py {{ app_module }}
 3 | autostart = true
 4 | autorestart = true
 5 | stopsignal = QUIT
 6 | stdout_logfile = /var/log/{{ app_name }}/unicorn-herder.log
 7 | stderr_logfile = /var/log/{{ app_name }}/unicorn-herder.error.log
 8 | user = {{ app_name }}
 9 | directory = /opt/{{ app_name }}
10 | environment = WAREHOUSE_CONF=/etc/warehouse/{{ app_name }}.yml
11 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/config/unicorn.py.template:
--------------------------------------------------------------------------------
1 | bind = "unix:/var/run/{{ app_name }}/gunicorn.sock"
2 | workers = {{ workers }}
3 | accesslog = "/var/log/{{ app_name }}/gunicorn.access.log"
4 | errorlog = "/var/log/{{ app_name }}/gunicorn.error.log"
5 | 


--------------------------------------------------------------------------------
/provisioning/salt/roots/salt/warehouse/web.sls:
--------------------------------------------------------------------------------
  1 | 
  2 | include:
  3 |   - nginx
  4 |   - supervisor
  5 |   - warehouse.base
  6 |   - elasticsearch
  7 | 
  8 | {% set deploys = {} %}
  9 | {% for k,v in pillar.items() %}
 10 |   {% if k.startswith('warehouse-deploy-') %}
 11 |     {% do deploys.update({k: v}) %}
 12 |   {% endif %}
 13 | {% endfor %}
 14 | 
 15 | {% for key, config in deploys.items() %}
 16 | 
 17 | /var/log/nginx/{{ config['name'] }}:
 18 |   file.directory
 19 | 
 20 | /etc/nginx/conf.d/{{ config['name'] }}:
 21 |   file.directory
 22 | 
 23 | /etc/nginx/conf.d/{{ config['name'] }}/app.conf:
 24 |   file.managed:
 25 |     - source: salt://warehouse/config/nginx.app.conf.jinja
 26 |     - template: jinja
 27 |     - context:
 28 |       app_name: {{ config['name'] }}
 29 | 
 30 | /etc/nginx/conf.d/{{ config['name'] }}.conf:
 31 |   file.managed:
 32 |     - source: salt://warehouse/config/nginx.conf.jinja
 33 |     - template: jinja
 34 |     - context:
 35 |       app_name: {{ config['name'] }}
 36 |       port: {{ config ['port'] }}
 37 | 
 38 | /opt/{{ config['name'] }}/gunicorn.py:
 39 |   file.managed:
 40 |     - source: salt://warehouse/config/unicorn.py.template
 41 |     - template: jinja
 42 |     - context:
 43 |       app_name: {{ config['name'] }}
 44 |       workers: {{ config.get('workers', 2) }}
 45 |     - require:
 46 |       - file: /var/log/{{ config['name'] }}
 47 |       - file: /var/run/{{ config['name'] }}
 48 | 
 49 | {{ config['name'] }}-psutil:
 50 |   pip.installed:
 51 |     - name: psutil
 52 |     - user: {{ config['name'] }}
 53 |     - bin_env: /opt/{{ config['name'] }}/env
 54 | 
 55 | {{ config['name'] }}-unicornherder:
 56 |   pip.installed:
 57 |     - name: unicornherder
 58 |     - user: {{ config['name'] }}
 59 |     - bin_env: /opt/{{ config['name'] }}/env
 60 | 
 61 | {{ config['name'] }}-gunicorn:
 62 |   pip.installed:
 63 |     - name: gunicorn
 64 |     - user: {{ config['name'] }}
 65 |     - bin_env: /opt/{{ config['name'] }}/env
 66 | 
 67 | /etc/supervisord.d/{{ config['name'] }}.ini:
 68 |   file.managed:
 69 |     - source: salt://warehouse/config/supervisor.ini.jinja
 70 |     - user: root
 71 |     - group: root
 72 |     - mode: 640
 73 |     - template: jinja
 74 |     - context:
 75 |       app_name: {{ config['name'] }}
 76 |       app_module: warehouse.wsgi
 77 |     - require:
 78 |       - file: /var/log/{{ config['name'] }}
 79 |       - virtualenv: {{ config['path'] }}/env
 80 | 
 81 | {{ config['name'] }}-supervisor:
 82 |   cmd.wait:
 83 |     - name: supervisorctl reread && supervisorctl update
 84 |     - require:
 85 |       - file: /etc/supervisord.d/{{ config['name'] }}.ini
 86 |     - watch:
 87 |       - file: /etc/supervisord.d/{{ config['name'] }}.ini
 88 | 
 89 | {{ config['name'] }}-reload:
 90 |   cmd.wait:
 91 |     - name: kill -HUP $(cat /var/run/{{ config['name'] }}/gunicorn.pid)
 92 |     - require:
 93 |       - git: {{ config['name'] }}-source
 94 |       - pip: /opt/{{ config['name'] }}/src
 95 |       - file: /etc/warehouse/{{ config['name'] }}.yml
 96 |     - watch:
 97 |       - git: {{ config['name'] }}-source
 98 |       - file: /etc/warehouse/{{ config['name'] }}.yml
 99 | 
100 | {{ config['name'] }}-reindex:
101 |   cron.present:
102 |     - name: "/opt/{{ config['name'] }}/env/bin/warehouse -c /etc/warehouse/{{ config['name'] }}.yml search reindex"
103 |     - minute: '0'
104 |     - user: {{ config['name'] }}
105 | 
106 | 
107 | {% endfor %}
108 | 


--------------------------------------------------------------------------------