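{% if software_type == slap_software_type -%}
{# Jinja2 template rendered into a buildout profile for one partition.
   It declares: one ipv4toipv6 tunnel section per zope address (local IPv4
   ports starting at 9000), [haproxy] on the partition IPv4 (port 8001) with
   those tunnel endpoints as backend-list, [apache] as HTTPS frontend on the
   partition IPv6 (port 8000) proxying to haproxy, and a certificate
   authority that issues the apache key/certificate.

   NOTE(review): every slapparameter_dict value below is written into the
   generated profile verbatim. A value containing a newline would add option
   or section lines to the rendered buildout file. Presumably these are the
   instance request parameters; confirm they are validated before rendering
   or restrict them to single-line values. -#}
{% set part_list = [] -%}
{# section(name) records each generated section name so that [buildout] parts,
   rendered at the end of this file, can list them. -#}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{# XXX: This template only supports exactly one IPv4 and one IPv6 per
   partition. No more (undefined result), no less (IndexError). -#}
# TODO: insert varnish between apache & haproxy.
# And think of a way to specify which urls go through varnish, which go
# directly to haproxy. (maybe just passing literal configuration file chunk)
{% set ipv4 = (ipv4_set | list)[0] -%}
{% set ipv6 = (ipv6_set | list)[0] -%}

[zope-tunnel-base]
recipe = slapos.cookbook:ipv4toipv6
runner-path = ${directory:services}/${:base-name}
tunnel6-path = {{ parameter_dict['tunnel6'] }}/bin/6tunnel
shell-path = {{ parameter_dict['dash'] }}/bin/dash
ipv4 = {{ ipv4 }}

{# One tunnel section per zope address. zope_address is expected in the form
   [ipv6]:port. Nothing checks that shape: an entry without "]:" raises
   IndexError while rendering, and the two pieces are otherwise copied into
   the profile unchanged.
   NOTE(review): the sections are named zope-tunnel-N but base-name (the
   runner file name) uses zeo-tunnel-N; confirm this is intended. -#}
{% set zope_address_list = [] -%}
{% set current_port = 9000 -%}
{% set next_current_port = {'next_port': current_port} -%}
{% for zope_name in json_module.loads(slapparameter_dict['zope-name-list']) -%}
{%   for zope_address in json_module.loads(slapparameter_dict['zope-' ~ zope_name ~ '-address-list']) -%}
{#     Read the port back from the dict on every iteration. A plain "set"
       inside a Jinja2 loop is scoped to that iteration, so without this
       line newer Jinja2 releases restart each iteration from the outer
       value and emit duplicate section names and ports. -#}
{%     set current_port = next_current_port['next_port'] -%}
[{{ section('zope-tunnel-' ~ current_port) }}]
< = zope-tunnel-base
base-name = {{ 'zeo-tunnel-' ~ current_port }}
ipv4-port = {{ current_port }}
ipv6-port = {{ zope_address.split(']:')[1] }}
ipv6 = {{ zope_address.split(']:')[0][1:] }}

{%     do zope_address_list.append(ipv4 ~ ":" ~ current_port) -%}
{%     set current_port = current_port + 1 -%}
{%     do next_current_port.__setitem__('next_port', current_port) -%}
{%   endfor -%}
{%   set current_port = next_current_port['next_port'] -%}
{% endfor -%}
{% set current_port = next_current_port['next_port'] -%}
{# haproxy listens on the partition IPv4 and apache reaches it over plain
   http (see backend in [apache]); the tunnels above likewise carry
   unencrypted traffic. NOTE(review): this relies on the partition addresses
   not being reachable by other tenants; confirm against the deployment. -#}
[haproxy]
recipe = slapos.cookbook:haproxy
name = haproxy
conf-path = ${directory:etc}/haproxy.cfg
ip = {{ ipv4 }}
port = 8001
maxconn = {{ slapparameter_dict['haproxy-maxconn'] }}
# XXX: should be optional (check recipe code)
server-check-path = {{ slapparameter_dict['haproxy-server-check-path'] }}
wrapper-path = ${directory:services}/haproxy
binary-path = {{ parameter_dict['haproxy'] }}/sbin/haproxy
backend-list = {{ json_module.dumps(zope_address_list) }}

{# HTTPS frontend. access-control-string and ssl-authentication come straight
   from slapparameter_dict, so whoever sets those parameters decides who may
   reach the backend and whether client certificates are required; how the
   recipe turns them into apache directives is not visible here.
   NOTE(review): ssl-session-cache is the only option written with a doubled
   dollar sign; every other reference uses a single one. It looks like a
   leftover escape that would leave the path unsubstituted; confirm and
   correct if so. -#}
[apache]
recipe = slapos.cookbook:apache.zope.backend
backend = http://${haproxy:ip}:${haproxy:port}
ip = {{ ipv6 }}
port = 8000
wrapper = ${directory:bin}/apache
scheme = https
key-file = ${directory:apache-conf}/apache.key
cert-file = ${directory:apache-conf}/apache.crt
configuration-file = ${directory:apache-conf}/apache.conf
access-control-string = {{ slapparameter_dict['apache-access-control-string'] }}
pid-file = ${directory:run}/apache.pid
lock-file = ${directory:run}/apache.lock
ssl-session-cache = $${directory:log}/apache-ssl-session-cache
error-log = ${directory:log}/apache-error.log
access-log = ${directory:log}/apache-access.log
apache-binary = {{ parameter_dict['apache'] }}/bin/httpd
ssl-authentication = {{ slapparameter_dict['apache-ssl-authentication'] }}
backend-path = {{ slapparameter_dict['apache-backend-path'] }}
# Note: Without certificate-authority the main certificate has to be hardcoded
ssl-authentication-certificate = ${certificate-authority:ca-dir}/cacert.pem
ssl-authentication-crl = ${certificate-authority:ca-crl}

{# The certificate subject fields below are taken from the JSON "ca" request
   parameter. NOTE(review): ca-private presumably holds the CA private key;
   this profile sets no permissions on ${directory:private}, so confirm the
   mkdirectory recipe creates it readable by the owner only. -#}
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
openssl-binary = {{ parameter_dict['openssl'] }}/bin/openssl
ca-dir = ${directory:ca-dir}
requests-directory = ${directory:requests}
wrapper = ${directory:services}/ca
ca-private = ${directory:private}
ca-certs = ${directory:certs}
ca-newcerts = ${directory:newcerts}
ca-crl = ${directory:crl}
{% set ca = json_module.loads(slapparameter_dict['ca']) -%}
country-code = {{ ca['country-code'] }}
email = {{ ca['email'] }}
state = {{ ca['state'] }}
city = {{ ca['city'] }}
company = {{ ca['company'] }}

[ca-apache]
< = certificate-authority
recipe = slapos.cookbook:certificate_authority.request
key-file = ${apache:key-file}
cert-file = ${apache:cert-file}
executable = ${apache:wrapper}
wrapper = ${directory:services}/apache

[logrotate-apache]
recipe = slapos.cookbook:logrotate.d
logrotate-entries = ${logrotate:logrotate-entries}
backup = ${logrotate:logrotate-backup}
name = apache
log = ${apache:error-log} ${apache:access-log}
post = {{ bin_directory }}/killpidfromfile ${apache:pid-file} SIGUSR1

[directory]
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
bin = ${buildout:directory}/bin
etc = ${buildout:directory}/etc
services = ${:etc}/run
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
ca-dir = ${buildout:directory}/srv/ssl
requests = ${:ca-dir}/requests
private = ${:ca-dir}/private
certs = ${:ca-dir}/certs
newcerts = ${:ca-dir}/newcerts
crl = ${:ca-dir}/crl

[publish]
recipe = slapos.cookbook:publish
url = ${apache:scheme}://[${apache:ip}]:${apache:port}

{# [buildout] comes last so that part_list already holds every generated
   tunnel section. The three logrotate parts are commented out, so
   [logrotate-apache] above is defined but not listed in parts.
   NOTE(review): with rotation disabled the apache access and error logs
   presumably grow without bound; confirm retention is handled elsewhere. -#}
[buildout]
extends = {{ parameter_dict['instance-logrotate-cfg'] }}
parts =
  haproxy
  {{ part_list | join('\n ') }}
  publish
  ca-apache
# cron-entry-logrotate
# logrotate
# logrotate-apache
eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}
offline = true
{% endif %}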