pbsready-import.cfg.in

[buildout]

extends = ${pbsready:output}

# Explicitely define extended parts from pbsready
# then add local parts
parts =
  logrotate
  logrotate-entry-cron
  logrotate-entry-equeue
  logrotate-entry-notifier
  logrotate-entry-resilient
  cron
  cron-entry-logrotate
  cron-entry-notifier-status-feed
  notifier-feed-status-promise
  notifier-stalled-promise
  resilient-sshkeys-authority
  sshd-raw-server
  sshd-graceful
  sshkeys-sshd
  sshd-promise
  resilient-sshkeys-sshd-promise
  sshd-pbs-authorized-key
  notifier

  resiliency-takeover-script
  resilient-web-takeover-cgi-script
  resilient-web-takeover-httpd-wrapper
  resilient-web-takeover-httpd-promise

  check-backup-integrity-on-notification
  import-on-notification
  backup-checksum-integrity-promise
  resilient-publish-connection-parameter

  backup-signature-link

[resilient-publish-connection-parameter]
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
takeover-url = http://[$${resilient-web-takeover-httpd-configuration-file:listening-ip}]:$${resilient-web-takeover-httpd-configuration-file:listening-port}/
takeover-password = $${resilient-web-takeover-password:passwd}

# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}

# Define port of notifier (same reason)
[notifier-port]
recipe = slapos.cookbook:free_port
minimum = 65516
maximum = 65525
ip = $${notifier:host}

[import-on-notification]
# notifier.callback runs a script when a notification (sent by a parent PBS)
# is received
<= notifier
recipe = slapos.cookbook:notifier.callback
on-notification-id = $${slap-parameter:on-notification}
callback = $${importer:wrapper}

[post-notification-run]
recipe = collective.recipe.template
diff-file = $${basedirectory:backup}/backup.diff
proof-signature-file = $${basedirectory:backup}/proof.signature
input = inline:
  #!/${bash:location}/bin/bash
  cd $${directory:backup}
  find -type f ! -name backup.signature ! -wholename "./rdiff-backup-data/*" -print0 | xargs -0 sha256sum  | LC_ALL=C sort -k 66 > $${:proof-signature-file}
  diff -ruw backup.signature $${:proof-signature-file} > $${:diff-file}
output = $${rootdirectory:bin}/post-notification-run
mode = 0700

[check-backup-integrity-on-notification]
<= notifier
recipe = slapos.cookbook:notifier.callback
on-notification-id = $${slap-parameter:on-notification}
callback = $${post-notification-run:output}

[backup-checksum-integrity-promise]
recipe = slapos.recipe.template:jinja2
template = inline:
  #!/${bash:location}/bin/bash
  backup_diff_file=$${post-notification-run:diff-file}
  if [ -f "$backup_diff_file" ]; then
    if [ $(wc -l "$backup_diff_file" | cut -d \  -f1) -eq 0 ]; then
      exit 0;
    else
      exit 1;
    fi
  else
    # If file doesn't exist, promise shouldnt raise false positive
    exit 0;
  fi
rendered = $${basedirectory:promises}/backup-checksum-integrity
mode = 700

###########
# Generate the takeover script
###########
[resiliency-takeover-script]
recipe = slapos.cookbook:addresiliency
wrapper-takeover = $${rootdirectory:bin}/takeover
takeover-triggered-file-path = $${rootdirectory:srv}/takeover_triggered

# Add path of file created by takeover script when takeover is triggered
# Takeover script will create this file
# equeue process will watch for file existence.
[equeue]
takeover-triggered-file-path = $${resiliency-takeover-script:takeover-triggered-file-path}

###########
# Deploy a webserver allowing to do takeover from a web browser.
###########
[resilient-web-takeover-password]
recipe = slapos.cookbook:generate.password
storage-path = $${directory:srv}/passwd
bytes = 8

[resilient-web-takeover-cgi-script]
recipe = collective.recipe.template
input = ${resilient-web-takeover-cgi-script-download:destination}
output = $${directory:cgi-bin}/web-takeover.cgi
password = $${resilient-web-takeover-password:passwd}
mode = 700
proof-signature-url = $${publish:monitor-base-url}/private/resilient/backup.signature

# XXX could it be something lighter?
# XXX Add SSL
[resilient-web-takeover-httpd-configuration-file]
recipe = collective.recipe.template
input = inline:
  PidFile "$${:pid-file}"
  Listen [$${:listening-ip}]:$${:listening-port}
  ServerAdmin someone@email
  DocumentRoot "$${:document-root}"
  ErrorLog "$${:error-log}"
  LoadModule unixd_module modules/mod_unixd.so
  LoadModule access_compat_module modules/mod_access_compat.so
  LoadModule authz_core_module modules/mod_authz_core.so
  LoadModule authz_host_module modules/mod_authz_host.so
  LoadModule mime_module modules/mod_mime.so
  LoadModule cgid_module modules/mod_cgid.so
  LoadModule dir_module modules/mod_dir.so
  ScriptSock $${:cgid-pid-file}
  <Directory $${:document-root}>
    # XXX: security????
    Options +ExecCGI
    AddHandler cgi-script .cgi
    DirectoryIndex web-takeover.cgi
  </Directory>
output = $${directory:etc}/resilient-web-takeover-httpd.conf
# md5sum =
listening-ip = $${slap-network-information:global-ipv6}
# XXX: randomize-me
listening-port = 9263
htdocs = $${directory:cgi-bin}
pid-file = $${directory:run}/resilient-web-takeover-httpd.pid
cgid-pid-file = $${directory:run}/resilient-web-takeover-httpd-cgid.pid
document-root = $${directory:cgi-bin}
error-log = $${directory:log}/resilient-web-takeover-httpd-error-log

[resilient-web-takeover-httpd-wrapper]
recipe = slapos.cookbook:wrapper
apache-executable = ${apache:location}/bin/httpd
command-line = $${:apache-executable} -f $${resilient-web-takeover-httpd-configuration-file:output} -DFOREGROUND
wrapper-path = $${basedirectory:services}/resilient-web-takeover-httpd

[resilient-web-takeover-httpd-promise]
recipe = slapos.cookbook:check_url_available
path = $${basedirectory:promises}/resilient-web-takeover-httpd
url = http://[$${resilient-web-takeover-httpd-configuration-file:listening-ip}]:$${resilient-web-takeover-httpd-configuration-file:listening-port}/
dash_path = ${dash:location}/bin/dash
curl_path = ${curl:location}/bin/curl

###########
# Symlinks
###########
[backup-signature-link]
recipe = cns.recipe.symlink
symlink = $${post-notification-run:proof-signature-file} = $${directory:monitor-resilient}/backup.signature