marrub
/
snipt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Prepping for Heroku.

master
Nick Sergeant 6 years ago
parent
4565dacbcf
commit
909112b4bc
34 changed files with 2 additions and 2011 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      Procfile
  2. 18
      pillar/production.sls
  3. 5
      pillar/top.sls
  4. 13
      pillar/vagrant.sls
  5. 1
      requirements.txt
  6. 85
      salt/application/init.sls
  7. 131
      salt/application/snipt.nginx.conf
  8. 7
      salt/application/snipt.supervisor.conf
  9. 0
      salt/cron/init.sls
  10. 24
      salt/elasticsearch/init.sls
  11. 103
      salt/fish/config.fish
  12. 35
      salt/fish/init.sls
  13. 46
      salt/fish/virtualenv.fish
  14. 195
      salt/fish/z.fish
  15. 27
      salt/iptables/init.sls
  16. 2
      salt/iptables/iptables-restore.sh
  17. 43
      salt/iptables/iptables.up.rules
  18. 46
      salt/nginx/init.sls
  19. 26
      salt/nginx/nginx.conf
  20. 29
      salt/postgresql/init.sls
  21. 99
      salt/postgresql/pg_hba.conf
  22. 596
      salt/postgresql/postgresql.conf
  23. 20
      salt/ssh/init.sls
  24. 90
      salt/ssh/sshd_config
  25. 35
      salt/supervisor/init.sls
  26. 17
      salt/supervisor/supervisord.conf
  27. 187
      salt/supervisor/supervisord.init.d
  28. 25
      salt/system/init.sls
  29. 13
      salt/top.sls
  30. 1
      salt/users/deploy.authorized_keys
  31. 58
      salt/users/init.sls
  32. 1
      salt/users/known_hosts
  33. 1
      salt/users/nick.pub
  34. 32
      salt/users/sudoers

2
Procfile
Unescape View File

@ -1 +1 @@
web: gunicorn wsgi:application --log-file -
web: gunicorn wsgi --log-file -

18
pillar/production.sls
Unescape View File

@ -1,18 +0,0 @@
env_name: production
hostname: snipt.net
deploy_user: deploy
users:
-
name: deploy
groups:
- deploy
- wheel
-
name: nick
groups:
- deploy
- wheel
ssh:
port: 55555

5
pillar/top.sls
Unescape View File

@ -1,5 +0,0 @@
base:
'*':
- production
'local.snipt.net':
- vagrant

13
pillar/vagrant.sls
Unescape View File

@ -1,13 +0,0 @@
env_name: vagrant
hostname: local.snipt.net
deploy_user: vagrant
users:
-
name: vagrant
groups:
- deploy
- wheel
ssh:
port: 22

1
requirements.txt
Unescape View File

@ -29,3 +29,4 @@ six==1.9.0
smartypants==1.8.6
stripe==1.41.1
urllib3==1.11
whitenoise==3.2.2

85
salt/application/init.sls
Unescape View File

@ -1,85 +0,0 @@
python-virtualenv:
pkg.installed
virtualenvwrapper:
pip.installed
/var/www:
file.directory:
- user: {{ pillar.deploy_user }}
- group: deploy
- mode: 775
- require:
- user: {{ pillar.deploy_user }}
- group: deploy
/var/www/.virtualenvs:
file.directory:
- user: {{ pillar.deploy_user }}
- group: deploy
- mode: 775
- require:
- group: deploy
{% if pillar.env_name != 'vagrant' %}
/var/www/snipt:
file.directory:
- user: {{ pillar.deploy_user }}
- group: deploy
- mode: 775
- require:
- group: deploy
git.latest:
- name: https://github.com/nicksergeant/snipt.git
- rev: master
- target: /var/www/snipt
- user: deploy
{% endif %}
/var/www/.virtualenvs/snipt:
file.directory:
- user: {{ pillar.deploy_user }}
- group: deploy
- mode: 775
- require:
- group: deploy
virtualenv.managed:
- system_site_packages: False
- requirements: /var/www/snipt/requirements.txt
/home/{{ pillar.deploy_user }}/tmp:
file.absent
/etc/supervisor/conf.d/snipt.conf:
file.managed:
- source: salt://application/snipt.supervisor.conf
- template: jinja
- makedirs: True
cmd.run:
- name: supervisorctl restart snipt
snipt-site:
file.managed:
- name: /etc/nginx/sites-available/snipt
- source: salt://application/snipt.nginx.conf
- template: jinja
- group: deploy
- mode: 755
- require:
- pkg: nginx-extras
- group: deploy
enable-snipt-site:
file.symlink:
- name: /etc/nginx/sites-enabled/snipt
- target: /etc/nginx/sites-available/snipt
- force: false
- require:
- pkg: nginx-extras
cmd.run:
- name: service nginx restart
- require:
- pkg: nginx-extras

131
salt/application/snipt.nginx.conf
Unescape View File

@ -1,131 +0,0 @@
upstream backend_snipt {
server 127.0.0.1:8000;
}
{% if pillar.env_name != 'vagrant' %}
server {
listen 80;
server_name *.{{ pillar.hostname }};
if ($host ~* "^([^.]+(\.[^.]+)*)\.{{ pillar.hostname }}$"){
set $subd $1;
rewrite ^(.*)$ https://$subd.{{ pillar.hostname }}$1 permanent;
break;
}
}
server {
listen 80;
server_name {{ pillar.hostname }} www.{{ pillar.hostname }} beta.{{ pillar.hostname }};
rewrite ^(.*) https://{{ pillar.hostname }}$1 permanent;
}
server {
listen 443;
server_name www.{{ pillar.hostname }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_certificate /etc/certs/{{ pillar.hostname }}.crt;
ssl_certificate_key /etc/certs/{{ pillar.hostname }}.key;
rewrite ^(.*) https://{{ pillar.hostname }}$1 permanent;
}
server {
listen 443;
server_name {{ pillar.hostname }} *.{{ pillar.hostname }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_certificate /etc/certs/{{ pillar.hostname }}.crt;
ssl_certificate_key /etc/certs/{{ pillar.hostname }}.key;
location ~* /favicon.ico {
root /var/www/snipt/static/img/;
expires max;
}
location / {
# Open CORS config from https://gist.github.com/michiel/1064640.
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
rewrite_by_lua '
if string.find(ngx.var.host, "_") then
local newHost, n = ngx.re.gsub(ngx.var.host, "_", "-")
ngx.redirect(ngx.var.scheme .. "://" .. newHost .. ngx.var.uri)
end
';
proxy_pass http://backend_snipt;
proxy_set_header Host $host;
}
location /static/ {
alias /var/www/snipt/static/;
expires max;
}
location /public/feed/ {
rewrite ^/public/feed/$ https://{{ pillar.hostname }}/public/?rss permanent;
}
}
server {
listen 80 default_server;
location / {
proxy_pass http://backend_snipt;
proxy_set_header Host $host;
}
location /static/ {
alias /var/www/snipt/static/;
expires max;
}
location ~* /favicon.ico {
root /var/www/snipt/static/img/;
expires max;
}
}
{% else %}
server {
listen 80 default_server;
location / {
proxy_pass http://backend_snipt;
proxy_set_header Host $host;
}
location /static/ {
alias /var/www/snipt/media/;
expires max;
}
location ~* /favicon.ico {
root /var/www/snipt/media/img/;
expires max;
}
}
{% endif %}

7
salt/application/snipt.supervisor.conf
Unescape View File

@ -1,7 +0,0 @@
[program:snipt]
directory=/var/www/snipt
user={{ pillar.deploy_user }}
command={% if pillar.env_name != 'vagrant' %}/var/www/.virtualenvs/snipt/bin/gunicorn wsgi:application{% else %}/var/www/.virtualenvs/snipt/bin/python /var/www/snipt/manage.py runserver{% endif %}
autostart=true
autorestart=true
stopasgroup=true

0
salt/cron/init.sls
Unescape View File

24
salt/elasticsearch/init.sls
Unescape View File

@ -1,24 +0,0 @@
elasticsearch-file:
file.managed:
- name: /tmp/elasticsearch-1.3.4.deb
- source: https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.4.deb
- unless: test -d /usr/local/elasticsearch/bin
- source_hash: sha1=6a4b6a12825f141245bb581c76052464d17de874
elasticsearch-install:
cmd:
- cwd: /tmp
- names:
- dpkg -i elasticsearch-1.3.4.deb
- unless: test -d /usr/local/elasticsearch/bin
- run
- require:
- file: elasticsearch-file
elasticsearch:
service:
- running
- enable: True
- reload: True
- require:
- file: elasticsearch-file

103
salt/fish/config.fish
Unescape View File

@ -1,103 +0,0 @@
# Directories {{{
function l
tree --dirsfirst -ChFL 1 $args
end
function ll
tree --dirsfirst -ChFupDaL 1 $args
end
# }}}
# Directories {{{
set -g -x fish_greeting ''
set -g -x EDITOR vim
# }}}
# Git and Mercurial functions {{{
function gca
git commit -a $argv
end
function gco
git checkout $argv
end
function gd
git diff HEAD
end
function gl
git pull $argv
end
function gp
git push $argv
end
function gst
git status $argv
end
# }}}
# Programs {{{
function logs
sudo supervisorctl tail -f snipt stdout
end
function pm
python manage.py $argv
end
function run
sudo supervisorctl restart snipt
sudo supervisorctl tail -f snipt stdout
end
function rs
sudo supervisorctl restart snipt
end
function ssc
sudo supervisorctl $argv
end
function wo
workon (cat .venv) $argv
end
# }}}
# Prompt {{{
set -x fish_color_command 005fd7\x1epurple
set -x fish_color_search_match --background=purple
function prompt_pwd --description 'Print the current working directory, shortend to fit the prompt'
echo $PWD | sed -e "s|^$HOME|~|"
end
function virtualenv_prompt
if [ -n "$VIRTUAL_ENV" ]
printf '\033[0;37m(%s) ' (basename "$VIRTUAL_ENV") $argv
end
end
function fish_prompt
z --add "$PWD"
echo ' '
printf '\033[0;31m%s\033[0;37m on ' (whoami)
printf '\033[0;31m%s ' (hostname -f)
printf '\033[0;32m%s' (prompt_pwd)
echo
virtualenv_prompt
printf '\033[0;37m> '
end
# }}}
# Virtualenv {{{
set -x WORKON_HOME '/var/www/.virtualenvs'
. ~/.config/fish/virtualenv.fish
# }}}
# Z {{{
. /etc/z.fish
function j
z $argv
end
# }}}

35
salt/fish/init.sls
Unescape View File

@ -1,35 +0,0 @@
fish:
pkgrepo.managed:
- ppa: fish-shell/release-2
- require_in:
- pkg: fish
pkg.latest:
- name: fish
- refresh: True
/etc/z.fish:
file.managed:
- source: salt://fish/z.fish
- mode: 755
{% for user in pillar.users %}
fish-{{ user.name }}:
file.managed:
- name: /home/{{ user.name }}/.config/fish/config.fish
- user: {{ user.name }}
- source: salt://fish/config.fish
- makedirs: True
- require:
- user: {{ user.name }}
fish-{{ user.name }}-virtualenv:
file.managed:
- name: /home/{{ user.name }}/.config/fish/virtualenv.fish
- user: {{ user.name }}
- source: salt://fish/virtualenv.fish
- makedirs: True
- require:
- user: {{ user.name }}
{% endfor %}

46
salt/fish/virtualenv.fish
Unescape View File

@ -1,46 +0,0 @@
# mostly from http://coderseye.com/2010/using-virtualenv-with-fish-shell.html
function workon -d "Activate virtual environment in $WORKON_HOME"
set tgt {$WORKON_HOME}/$argv[1]
if [ ! -d $tgt ]
mkdir -p "$WORKON_HOME"
virtualenv $tgt
end
if [ -d $tgt ]
cd $tgt
deactivate
set -gx VIRTUAL_ENV "$tgt"
set -gx _OLD_VIRTUAL_PATH $PATH
set -gx PATH "$VIRTUAL_ENV/bin" $PATH
# unset PYTHONHOME if set
if set -q PYTHONHOME
set -gx _OLD_VIRTUAL_PYTHONHOME $PYTHONHOME
set -e PYTHONHOME
end
cd -
echo "activated $tgt"
else
echo "$tgt not found"
end
end
complete -c workon -a "(cd $WORKON_HOME; ls -d *)"
function deactivate -d "Exit virtualenv and return to normal shell environment"
# reset old environment variables
if test -n "$_OLD_VIRTUAL_PATH"
set -gx PATH $_OLD_VIRTUAL_PATH
set -e _OLD_VIRTUAL_PATH
end
if test -n "$_OLD_VIRTUAL_PYTHONHOME"
set -gx PYTHONHOME $_OLD_VIRTUAL_PYTHONHOME
set -e _OLD_VIRTUAL_PYTHONHOME
end
set -e VIRTUAL_ENV
end

195
salt/fish/z.fish
Unescape View File

@ -1,195 +0,0 @@
# maintains a jump-list of the directories you actually use
#
# INSTALL:
# * put something like this in your config.fish:
# . /path/to/z.fish
# * put something like this in your fish_prompt function:
# z --add "$PWD"
# * cd around for a while to build up the db
# * PROFIT!!
#
# USE:
# * z foo # goes to most frecent dir matching foo
# * z foo bar # goes to most frecent dir matching foo and bar
# * z -r foo # goes to highest ranked dir matching foo
# * z -t foo # goes to most recently accessed dir matching foo
# * z -l foo # list all dirs matching foo (by frecency)
function z -d "Jump to a recent directory."
set -l datafile "$HOME/.z"
# add entries
if [ "$argv[1]" = "--add" ]
set -e argv[1]
# $HOME isn't worth matching
[ "$argv" = "$HOME" ]; and return
set -l tempfile (mktemp $datafile.XXXXXX)
test -f $tempfile; or return
# maintain the file
awk -v path="$argv" -v now=(date +%s) -F"|" '
BEGIN {
rank[path] = 1
time[path] = now
}
$2 >= 1 {
if( $1 == path ) {
rank[$1] = $2 + 1
time[$1] = now
} else {
rank[$1] = $2
time[$1] = $3
}
count += $2
}
END {
if( count > 1000 ) {
for( i in rank ) print i "|" 0.9*rank[i] "|" time[i] # aging
} else for( i in rank ) print i "|" rank[i] "|" time[i]
}
' $datafile ^/dev/null > $tempfile
mv -f $tempfile $datafile
# tab completion
else
if [ "$argv[1]" = "--complete" ]
awk -v q="$argv[2]" -F"|" '
BEGIN {
if( q == tolower(q) ) nocase = 1
split(q,fnd," ")
}
{
if( system("test -d \"" $1 "\"") ) next
if( nocase ) {
for( i in fnd ) tolower($1) !~ tolower(fnd[i]) && $1 = ""
if( $1 ) print $1
} else {
for( i in fnd ) $1 !~ fnd[i] && $1 = ""
if( $1 ) print $1
}
}
' "$datafile" 2>/dev/null
else
# list/go
set -l last ''
set -l list 0
set -l typ ''
set -l fnd ''
while [ (count $argv) -gt 0 ]
switch "$argv[1]"
case -- '-h'
echo "z [-h][-l][-r][-t] args" >&2
return
case -- '-l'
set list 1
case -- '-r'
set typ "rank"
case -- '-t'
set typ "recent"
case -- '--'
while [ "$argv[1]" ]
set -e argv[1]
set fnd "$fnd $argv[1]"
end
case '*'
set fnd "$fnd $argv[1]"
end
set last $1
set -e argv[1]
end
[ "$fnd" ]; or set list 1
# if we hit enter on a completion just go there
[ -d "$last" ]; and cd "$last"; and return
# no file yet
[ -f "$datafile" ]; or return
set -l tempfile (mktemp $datafile.XXXXXX)
test -f $tempfile; or return
set -l target (awk -v t=(date +%s) -v list="$list" -v typ="$typ" -v q="$fnd" -v tmpfl="$tempfile" -F"|" '
function frecent(rank, time) {
dx = t-time
if( dx < 3600 ) return rank*4
if( dx < 86400 ) return rank*2
if( dx < 604800 ) return rank/2
return rank/4
}
function output(files, toopen, override) {
if( list ) {
if( typ == "recent" ) {
cmd = "sort -nr >&2"
} else cmd = "sort -n >&2"
for( i in files ) if( files[i] ) printf "%-10s %s\n", files[i], i | cmd
if( override ) printf "%-10s %s\n", "common:", override > "/dev/stderr"
} else {
if( override ) toopen = override
print toopen
}
}
function common(matches, fnd, nc) {
for( i in matches ) {
if( matches[i] && (!short || length(i) < length(short)) ) short = i
}
if( short == "/" ) return
for( i in matches ) if( matches[i] && i !~ short ) x = 1
if( x ) return
if( nc ) {
for( i in fnd ) if( tolower(short) !~ tolower(fnd[i]) ) x = 1
} else for( i in fnd ) if( short !~ fnd[i] ) x = 1
if( !x ) return short
}
BEGIN { split(q, a, " ") }
{
if( system("test -d \"" $1 "\"") ) next
print $0 >> tmpfl
if( typ == "rank" ) {
f = $2
} else if( typ == "recent" ) {
f = t-$3
} else f = frecent($2, $3)
wcase[$1] = nocase[$1] = f
for( i in a ) {
if( $1 !~ a[i] ) delete wcase[$1]
if( tolower($1) !~ tolower(a[i]) ) delete nocase[$1]
}
if( wcase[$1] > oldf ) {
cx = $1
oldf = wcase[$1]
} else if( nocase[$1] > noldf ) {
ncx = $1
noldf = nocase[$1]
}
}
END {
if( cx ) {
output(wcase, cx, common(wcase, a, 0))
} else if( ncx ) output(nocase, ncx, common(nocase, a, 1))
}
' "$datafile")
if [ $status -gt 0 ]
rm -f "$tempfile"
else
mv -f "$tempfile" "$datafile"
[ "$target" ]; and cd "$target"
end
end
end
end
function __z_init -d 'Set up automatic population of the directory list for z'
functions fish_prompt | grep -q 'z --add'
if [ $status -gt 0 ]
functions fish_prompt | sed -e '$ i\\
z --add "$PWD"' | .
end
end
__z_init

27
salt/iptables/init.sls
Unescape View File

@ -1,27 +0,0 @@
/etc/iptables.up.rules:
file.managed:
- source: salt://iptables/iptables.up.rules
- template: jinja
- require:
- pkg: iptables
flush-iptables:
cmd.run:
- names:
- /sbin/iptables -F
- /sbin/iptables-restore < /etc/iptables.up.rules
- watch:
- file: /etc/iptables.up.rules
- require:
- pkg: iptables
/etc/network/if-pre-up.d/iptables:
file.managed:
- mode: 644
- source: salt://iptables/iptables-restore.sh
- require:
- pkg: iptables
cmd.run:
- name: chmod +x /etc/network/if-pre-up.d/iptables
- require:
- pkg: iptables

2
salt/iptables/iptables-restore.sh
Unescape View File

@ -1,2 +0,0 @@
#!/bin/sh
sudo sh -c '/sbin/iptables-restore < /etc/iptables.up.rules'

43
salt/iptables/iptables.up.rules
Unescape View File

@ -1,43 +0,0 @@
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport {{ pillar.ssh.port }} -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

46
salt/nginx/init.sls
Unescape View File

@ -1,46 +0,0 @@
nginx-extras:
pkg:
- installed
nginx:
service:
- running
- enable: True
- require:
- pkg: nginx-extras
- watch:
- file: /etc/nginx/nginx.conf
- file: /etc/nginx/sites-enabled/*
/etc/nginx/sites-available:
file.directory:
- mode: 755
- require:
- pkg: nginx-extras
/etc/nginx/sites-enabled:
file.directory:
- mode: 755
- require:
- pkg: nginx-extras
{% if pillar.env_name != 'vagrant' %}
/etc/certs:
file.directory:
- mode: 644
- require:
- pkg: nginx-extras
{% endif %}
/etc/nginx/nginx.conf:
file.managed:
- source: salt://nginx/nginx.conf
- mode: 400
- template: jinja
- require:
- pkg: nginx-extras
/etc/nginx/sites-enabled/default:
file.absent

26
salt/nginx/nginx.conf
Unescape View File

@ -1,26 +0,0 @@
user {% if pillar.env_name == 'vagrant' %}vagrant{% else %}www-data{% endif %};
worker_processes 4;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
include /etc/nginx/sites-enabled/*;
types_hash_max_size 4096;
server_names_hash_bucket_size 64;
}

29
salt/postgresql/init.sls
Unescape View File

@ -1,29 +0,0 @@
postgresql:
pkg:
- installed
service.running:
- watch:
- file: /etc/postgresql/9.3/main/pg_hba.conf
- require:
- pkg: postgresql
pg_hba.conf:
file.managed:
- name: /etc/postgresql/9.3/main/pg_hba.conf
- source: salt://postgresql/pg_hba.conf
- user: postgres
- group: postgres
- mode: 644
- require:
- pkg: postgresql
postgresql.conf:
file.managed:
- name: /etc/postgresql/9.3/main/postgresql.conf
- source: salt://postgresql/postgresql.conf
- template: jinja
- user: postgres
- group: postgres
- mode: 644
- require:
- pkg: postgresql

99
salt/postgresql/pg_hba.conf
Unescape View File

@ -1,99 +0,0 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5

596
salt/postgresql/postgresql.conf
Unescape View File

@ -1,596 +0,0 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, or use "pg_ctl reload". Some
# parameters, which are marked below, require a server shutdown and restart to
# take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
data_directory = '/var/lib/postgresql/9.3/main' # use data in another directory
# (change requires restart)
hba_file = '/etc/postgresql/9.3/main/pg_hba.conf' # host-based authentication file
# (change requires restart)
ident_file = '/etc/postgresql/9.3/main/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/var/run/postgresql/9.3-main.pid' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
# Note: Increasing max_connections costs ~400 bytes of shared memory per
# connection slot, plus lock space (see max_locks_per_transaction).
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - Security and Authentication -
#authentication_timeout = 1min # 1s-600s
ssl = true # (change requires restart)
#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart)
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart)
#ssl_ca_file = '' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
#password_encryption = on
#db_user_namespace = off
# Kerberos and GSSAPI
#krb_server_keyfile = ''
#krb_srvname = 'postgres' # (Kerberos only)
#krb_caseins_users = off
# - TCP Keepalives -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory
# per transaction slot, plus lock space (see max_locks_per_transaction).
# It is not advisable to set max_prepared_transactions nonzero unless you
# actively intend to use prepared transactions.
#work_mem = 1MB # min 64kB
#maintenance_work_mem = 16MB # min 1MB
#max_stack_depth = 2MB # min 100kB
# - Disk -
#temp_file_limit = -1 # limits per-session temp file space
# in kB, or -1 for no limit
# - Kernel Resource Usage -
#max_files_per_process = 1000 # min 25
# (change requires restart)
#shared_preload_libraries = '' # (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#------------------------------------------------------------------------------
# WRITE AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = minimal # minimal, archive, or hot_standby
# (change requires restart)
#fsync = on # turns forced synchronization on or off
#synchronous_commit = on # synchronization level;
# off, local, remote_write, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each
#checkpoint_timeout = 5min # range 30s-1h
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # allows archiving to be done
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Server(s) -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 0 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#hot_standby = off # "on" allows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#effective_cache_size = 128MB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#------------------------------------------------------------------------------
# ERROR REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'pg_log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
# This is only relevant when logging to eventlog (win32):
#event_source = 'PostgreSQL'
# - When to Log -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%t ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'UTC'
#------------------------------------------------------------------------------
# RUNTIME STATISTICS
#------------------------------------------------------------------------------
# - Query/Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#update_process_title = on
#stats_temp_directory = 'pg_stat_tmp'
# - Statistics Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM PARAMETERS
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum Multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#search_path = '"$user",public' # schema names
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'UTC'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 0 # min -15, max 3
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'en_US.UTF-8' # locale for system error message
# strings
lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
lc_numeric = 'en_US.UTF-8' # locale for number formatting
lc_time = 'en_US.UTF-8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Other Defaults -
#dynamic_library_path = '$libdir'
#local_preload_libraries = ''
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
# Note: Each lock table slot uses ~270 bytes of shared memory, and there are
# max_locks_per_transaction * (max_connections + max_prepared_transactions)
# lock table slots.
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#------------------------------------------------------------------------------
# VERSION/PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#quote_all_identifiers = off
#sql_inheritance = on
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf.
#include_dir = 'conf.d' # include files ending in '.conf' from
# directory 'conf.d'
#include_if_exists = 'exists.conf' # include file only if it exists
#include = 'special.conf' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

20
salt/ssh/init.sls
Unescape View File