
Prepping for Heroku.

Nick Sergeant 6 years ago
parent
commit
909112b4bc
  1. 2
      Procfile
  2. 18
      pillar/production.sls
  3. 5
      pillar/top.sls
  4. 13
      pillar/vagrant.sls
  5. 1
      requirements.txt
  6. 85
      salt/application/init.sls
  7. 131
      salt/application/snipt.nginx.conf
  8. 7
      salt/application/snipt.supervisor.conf
  9. 0
      salt/cron/init.sls
  10. 24
      salt/elasticsearch/init.sls
  11. 103
      salt/fish/config.fish
  12. 35
      salt/fish/init.sls
  13. 46
      salt/fish/virtualenv.fish
  14. 195
      salt/fish/z.fish
  15. 27
      salt/iptables/init.sls
  16. 2
      salt/iptables/iptables-restore.sh
  17. 43
      salt/iptables/iptables.up.rules
  18. 46
      salt/nginx/init.sls
  19. 26
      salt/nginx/nginx.conf
  20. 29
      salt/postgresql/init.sls
  21. 99
      salt/postgresql/pg_hba.conf
  22. 596
      salt/postgresql/postgresql.conf
  23. 20
      salt/ssh/init.sls
  24. 90
      salt/ssh/sshd_config
  25. 35
      salt/supervisor/init.sls
  26. 17
      salt/supervisor/supervisord.conf
  27. 187
      salt/supervisor/supervisord.init.d
  28. 25
      salt/system/init.sls
  29. 13
      salt/top.sls
  30. 1
      salt/users/deploy.authorized_keys
  31. 58
      salt/users/init.sls
  32. 1
      salt/users/known_hosts
  33. 1
      salt/users/nick.pub
  34. 32
      salt/users/sudoers

2
Procfile

@ -1 +1 @@
web: gunicorn wsgi:application --log-file -
web: gunicorn wsgi --log-file -

18
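--- a/pillar/production.sls
+++ b/pillar/production.sls
-env_name: production
-hostname: snipt.net
-deploy_user: deploy
-users:
--
-name: deploy
-groups:
-- deploy
-- wheel
--
-name: nick
-groups:
-- deploy
-- wheel
-ssh:
-port: 55555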

5
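--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,5 +0,0 @@
-base:
-'*':
-- production
-'local.snipt.net':
-- vagrant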

13
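--- a/pillar/vagrant.sls
+++ b/pillar/vagrant.sls
-env_name: vagrant
-hostname: local.snipt.net
-deploy_user: vagrant
-users:
--
-name: vagrant
-groups:
-- deploy
-- wheel
-ssh:
-port: 22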

1
requirements.txt

@ -29,3 +29,4 @@ six==1.9.0
smartypants==1.8.6
stripe==1.41.1
urllib3==1.11
whitenoise==3.2.2
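Review bot: The pin added in this hunk (presumably `whitenoise==3.2.2`, given the one-line addition and the Heroku preparation) is version-pinned but carries no `--hash=sha256:<digest>` entry, so pip installs whatever artifact the index serves for that version without verifying it. The rest of the file has no hashes either, so this is a file-wide gap rather than one this line introduces. If the deployment target installs from this file, consider generating it with hash-pinning (for example `pip-compile --generate-hashes`) so every pinned line becomes `whitenoise==3.2.2 --hash=sha256:<digest>`.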

85
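--- a/salt/application/init.sls
+++ b/salt/application/init.sls
-python-virtualenv:
-pkg.installed
-virtualenvwrapper:
-pip.installed
-/var/www:
-file.directory:
-- user: {{ pillar.deploy_user }}
-- group: deploy
-- mode: 775
-- require:
-- user: {{ pillar.deploy_user }}
-- group: deploy
-/var/www/.virtualenvs:
-file.directory:
-- user: {{ pillar.deploy_user }}
-- group: deploy
-- mode: 775
-- require:
-- group: deploy
-{% if pillar.env_name != 'vagrant' %}
-/var/www/snipt:
-file.directory:
-- user: {{ pillar.deploy_user }}
-- group: deploy
-- mode: 775
-- require:
-- group: deploy
-git.latest:
-- name: https://github.com/nicksergeant/snipt.git
-- rev: master
-- target: /var/www/snipt
-- user: deploy
-{% endif %}
-/var/www/.virtualenvs/snipt:
-file.directory:
-- user: {{ pillar.deploy_user }}
-- group: deploy
-- mode: 775
-- require:
-- group: deploy
-virtualenv.managed:
-- system_site_packages: False
-- requirements: /var/www/snipt/requirements.txt
-/home/{{ pillar.deploy_user }}/tmp:
-file.absent
-/etc/supervisor/conf.d/snipt.conf:
-file.managed:
-- source: salt://application/snipt.supervisor.conf
-- template: jinja
-- makedirs: True
-cmd.run:
-- name: supervisorctl restart snipt
-snipt-site:
-file.managed:
-- name: /etc/nginx/sites-available/snipt
-- source: salt://application/snipt.nginx.conf
-- template: jinja
-- group: deploy
-- mode: 755
-- require:
-- pkg: nginx-extras
-- group: deploy
-enable-snipt-site:
-file.symlink:
-- name: /etc/nginx/sites-enabled/snipt
-- target: /etc/nginx/sites-available/snipt
-- force: false
-- require:
-- pkg: nginx-extras
-cmd.run:
-- name: service nginx restart
-- require:
-- pkg: nginx-extras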

131
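--- a/salt/application/snipt.nginx.conf
+++ b/salt/application/snipt.nginx.conf
-upstream backend_snipt {
-server 127.0.0.1:8000;
-}
-{% if pillar.env_name != 'vagrant' %}
-server {
-listen 80;
-server_name *.{{ pillar.hostname }};
-if ($host ~* "^([^.]+(\.[^.]+)*)\.{{ pillar.hostname }}$"){
-set $subd $1;
-rewrite ^(.*)$ https://$subd.{{ pillar.hostname }}$1 permanent;
-break;
-}
-}
-server {
-listen 80;
-server_name {{ pillar.hostname }} www.{{ pillar.hostname }} beta.{{ pillar.hostname }};
-rewrite ^(.*) https://{{ pillar.hostname }}$1 permanent;
-}
-server {
-listen 443;
-server_name www.{{ pillar.hostname }};
-ssl on;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
-ssl_certificate /etc/certs/{{ pillar.hostname }}.crt;
-ssl_certificate_key /etc/certs/{{ pillar.hostname }}.key;
-rewrite ^(.*) https://{{ pillar.hostname }}$1 permanent;
-}
-server {
-listen 443;
-server_name {{ pillar.hostname }} *.{{ pillar.hostname }};
-ssl on;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
-ssl_certificate /etc/certs/{{ pillar.hostname }}.crt;
-ssl_certificate_key /etc/certs/{{ pillar.hostname }}.key;
-location ~* /favicon.ico {
-root /var/www/snipt/static/img/;
-expires max;
-}
-location / {
-# Open CORS config from https://gist.github.com/michiel/1064640.
-if ($request_method = 'OPTIONS') {
-add_header 'Access-Control-Allow-Origin' '*';
-add_header 'Access-Control-Allow-Credentials' 'true';
-add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-add_header 'Access-Control-Max-Age' 1728000;
-add_header 'Content-Type' 'text/plain charset=UTF-8';
-add_header 'Content-Length' 0;
-return 204;
-}
-if ($request_method = 'POST') {
-add_header 'Access-Control-Allow-Origin' '*';
-add_header 'Access-Control-Allow-Credentials' 'true';
-add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-}
-if ($request_method = 'GET') {
-add_header 'Access-Control-Allow-Origin' '*';
-add_header 'Access-Control-Allow-Credentials' 'true';
-add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-}
-rewrite_by_lua '
-if string.find(ngx.var.host, "_") then
-local newHost, n = ngx.re.gsub(ngx.var.host, "_", "-")
-ngx.redirect(ngx.var.scheme .. "://" .. newHost .. ngx.var.uri)
-end
-';
-proxy_pass http://backend_snipt;
-proxy_set_header Host $host;
-}
-location /static/ {
-alias /var/www/snipt/static/;
-expires max;
-}
-location /public/feed/ {
-rewrite ^/public/feed/$ https://{{ pillar.hostname }}/public/?rss permanent;
-}
-}
-server {
-listen 80 default_server;
-location / {
-proxy_pass http://backend_snipt;
-proxy_set_header Host $host;
-}
-location /static/ {
-alias /var/www/snipt/static/;
-expires max;
-}
-location ~* /favicon.ico {
-root /var/www/snipt/static/img/;
-expires max;
-}
-}
-{% else %}
-server {
-listen 80 default_server;
-location / {
-proxy_pass http://backend_snipt;
-proxy_set_header Host $host;
-}
-location /static/ {
-alias /var/www/snipt/media/;
-expires max;
-}
-location ~* /favicon.ico {
-root /var/www/snipt/media/img/;
-expires max;
-}
-}
-{% endif %}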

7
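--- a/salt/application/snipt.supervisor.conf
+++ b/salt/application/snipt.supervisor.conf
@@ -1,7 +0,0 @@
-[program:snipt]
-directory=/var/www/snipt
-user={{ pillar.deploy_user }}
-command={% if pillar.env_name != 'vagrant' %}/var/www/.virtualenvs/snipt/bin/gunicorn wsgi:application{% else %}/var/www/.virtualenvs/snipt/bin/python /var/www/snipt/manage.py runserver{% endif %}
-autostart=true
-autorestart=true
-stopasgroup=true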

0
salt/cron/init.sls

24
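--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
-elasticsearch-file:
-file.managed:
-- name: /tmp/elasticsearch-1.3.4.deb
-- source: https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.4.deb
-- unless: test -d /usr/local/elasticsearch/bin
-- source_hash: sha1=6a4b6a12825f141245bb581c76052464d17de874
-elasticsearch-install:
-cmd:
-- cwd: /tmp
-- names:
-- dpkg -i elasticsearch-1.3.4.deb
-- unless: test -d /usr/local/elasticsearch/bin
-- run
-- require:
-- file: elasticsearch-file
-elasticsearch:
-service:
-- running
-- enable: True
-- reload: True
-- require:
-- file: elasticsearch-file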

103
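--- a/salt/fish/config.fish
+++ b/salt/fish/config.fish
-# Directories {{{
-function l
-tree --dirsfirst -ChFL 1 $args
-end
-function ll
-tree --dirsfirst -ChFupDaL 1 $args
-end
-# }}}
-# Directories {{{
-set -g -x fish_greeting ''
-set -g -x EDITOR vim
-# }}}
-# Git and Mercurial functions {{{
-function gca
-git commit -a $argv
-end
-function gco
-git checkout $argv
-end
-function gd
-git diff HEAD
-end
-function gl
-git pull $argv
-end
-function gp
-git push $argv
-end
-function gst
-git status $argv
-end
-# }}}
-# Programs {{{
-function logs
-sudo supervisorctl tail -f snipt stdout
-end
-function pm
-python manage.py $argv
-end
-function run
-sudo supervisorctl restart snipt
-sudo supervisorctl tail -f snipt stdout
-end
-function rs
-sudo supervisorctl restart snipt
-end
-function ssc
-sudo supervisorctl $argv
-end
-function wo
-workon (cat .venv) $argv
-end
-# }}}
-# Prompt {{{
-set -x fish_color_command 005fd7\x1epurple
-set -x fish_color_search_match --background=purple
-function prompt_pwd --description 'Print the current working directory, shortend to fit the prompt'
-echo $PWD | sed -e "s|^$HOME|~|"
-end
-function virtualenv_prompt
-if [ -n "$VIRTUAL_ENV" ]
-printf '\033[0;37m(%s) ' (basename "$VIRTUAL_ENV") $argv
-end
-end
-function fish_prompt
-z --add "$PWD"
-echo ' '
-printf '\033[0;31m%s\033[0;37m on ' (whoami)
-printf '\033[0;31m%s ' (hostname -f)
-printf '\033[0;32m%s' (prompt_pwd)
-echo
-virtualenv_prompt
-printf '\033[0;37m> '
-end
-# }}}
-# Virtualenv {{{
-set -x WORKON_HOME '/var/www/.virtualenvs'
-. ~/.config/fish/virtualenv.fish
-# }}}
-# Z {{{
-. /etc/z.fish
-function j
-z $argv
-end
-# }}}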

35
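--- a/salt/fish/init.sls
+++ b/salt/fish/init.sls
-fish:
-pkgrepo.managed:
-- ppa: fish-shell/release-2
-- require_in:
-- pkg: fish
-pkg.latest:
-- name: fish
-- refresh: True
-/etc/z.fish:
-file.managed:
-- source: salt://fish/z.fish
-- mode: 755
-{% for user in pillar.users %}
-fish-{{ user.name }}:
-file.managed:
-- name: /home/{{ user.name }}/.config/fish/config.fish
-- user: {{ user.name }}
-- source: salt://fish/config.fish
-- makedirs: True
-- require:
-- user: {{ user.name }}
-fish-{{ user.name }}-virtualenv:
-file.managed:
-- name: /home/{{ user.name }}/.config/fish/virtualenv.fish
-- user: {{ user.name }}
-- source: salt://fish/virtualenv.fish
-- makedirs: True
-- require:
-- user: {{ user.name }}
-{% endfor %}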

46
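--- a/salt/fish/virtualenv.fish
+++ b/salt/fish/virtualenv.fish
-# mostly from http://coderseye.com/2010/using-virtualenv-with-fish-shell.html
-function workon -d "Activate virtual environment in $WORKON_HOME"
-set tgt {$WORKON_HOME}/$argv[1]
-if [ ! -d $tgt ]
-mkdir -p "$WORKON_HOME"
-virtualenv $tgt
-end
-if [ -d $tgt ]
-cd $tgt
-deactivate
-set -gx VIRTUAL_ENV "$tgt"
-set -gx _OLD_VIRTUAL_PATH $PATH
-set -gx PATH "$VIRTUAL_ENV/bin" $PATH
-# unset PYTHONHOME if set
-if set -q PYTHONHOME
-set -gx _OLD_VIRTUAL_PYTHONHOME $PYTHONHOME
-set -e PYTHONHOME
-end
-cd -
-echo "activated $tgt"
-else
-echo "$tgt not found"
-end
-end
-complete -c workon -a "(cd $WORKON_HOME; ls -d *)"
-function deactivate -d "Exit virtualenv and return to normal shell environment"
-# reset old environment variables
-if test -n "$_OLD_VIRTUAL_PATH"
-set -gx PATH $_OLD_VIRTUAL_PATH
-set -e _OLD_VIRTUAL_PATH
-end
-if test -n "$_OLD_VIRTUAL_PYTHONHOME"
-set -gx PYTHONHOME $_OLD_VIRTUAL_PYTHONHOME
-set -e _OLD_VIRTUAL_PYTHONHOME
-end
-set -e VIRTUAL_ENV
-end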

195
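--- a/salt/fish/z.fish
+++ b/salt/fish/z.fish
-# maintains a jump-list of the directories you actually use
-#
-# INSTALL:
-# * put something like this in your config.fish:
-# . /path/to/z.fish
-# * put something like this in your fish_prompt function:
-# z --add "$PWD"
-# * cd around for a while to build up the db
-# * PROFIT!!
-#
-# USE:
-# * z foo # goes to most frecent dir matching foo
-# * z foo bar # goes to most frecent dir matching foo and bar
-# * z -r foo # goes to highest ranked dir matching foo
-# * z -t foo # goes to most recently accessed dir matching foo
-# * z -l foo # list all dirs matching foo (by frecency)
-function z -d "Jump to a recent directory."
-set -l datafile "$HOME/.z"
-# add entries
-if [ "$argv[1]" = "--add" ]
-set -e argv[1]
-# $HOME isn't worth matching
-[ "$argv" = "$HOME" ]; and return
-set -l tempfile (mktemp $datafile.XXXXXX)
-test -f $tempfile; or return
-# maintain the file
-awk -v path="$argv" -v now=(date +%s) -F"|" '
-BEGIN {
-rank[path] = 1
-time[path] = now
-}
-$2 >= 1 {
-if( $1 == path ) {
-rank[$1] = $2 + 1
-time[$1] = now
-} else {
-rank[$1] = $2
-time[$1] = $3
-}
-count += $2
-}
-END {
-if( count > 1000 ) {
-for( i in rank ) print i "|" 0.9*rank[i] "|" time[i] # aging
-} else for( i in rank ) print i "|" rank[i] "|" time[i]
-}
-' $datafile ^/dev/null > $tempfile
-mv -f $tempfile $datafile
-# tab completion
-else
-if [ "$argv[1]" = "--complete" ]
-awk -v q="$argv[2]" -F"|" '
-BEGIN {
-if( q == tolower(q) ) nocase = 1
-split(q,fnd," ")
-}
-{
-if( system("test -d \"" $1 "\"") ) next
-if( nocase ) {
-for( i in fnd ) tolower($1) !~ tolower(fnd[i]) && $1 = ""
-if( $1 ) print $1
-} else {
-for( i in fnd ) $1 !~ fnd[i] && $1 = ""
-if( $1 ) print $1
-}
-}
-' "$datafile" 2>/dev/null
-else
-# list/go
-set -l last ''
-set -l list 0
-set -l typ ''
-set -l fnd ''
-while [ (count $argv) -gt 0 ]
-switch "$argv[1]"
-case -- '-h'
-echo "z [-h][-l][-r][-t] args" >&2
-return
-case -- '-l'
-set list 1
-case -- '-r'
-set typ "rank"
-case -- '-t'
-set typ "recent"
-case -- '--'
-while [ "$argv[1]" ]
-set -e argv[1]
-set fnd "$fnd $argv[1]"
-end
-case '*'
-set fnd "$fnd $argv[1]"
-end
-set last $1
-set -e argv[1]
-end
-[ "$fnd" ]; or set list 1
-# if we hit enter on a completion just go there
-[ -d "$last" ]; and cd "$last"; and return
-# no file yet
-[ -f "$datafile" ]; or return
-set -l tempfile (mktemp $datafile.XXXXXX)
-test -f $tempfile; or return
-set -l target (awk -v t=(date +%s) -v list="$list" -v typ="$typ" -v q="$fnd" -v tmpfl="$tempfile" -F"|" '
-function frecent(rank, time) {
-dx = t-time
-if( dx < 3600 ) return rank*4
-if( dx < 86400 ) return rank*2
-if( dx < 604800 ) return rank/2
-return rank/4
-}
-function output(files, toopen, override) {
-if( list ) {
-if( typ == "recent" ) {
-cmd = "sort -nr >&2"
-} else cmd = "sort -n >&2"
-for( i in files ) if( files[i] ) printf "%-10s %s\n", files[i], i | cmd
-if( override ) printf "%-10s %s\n", "common:", override > "/dev/stderr"
-} else {
-if( override ) toopen = override
-print toopen
-}
-}
-function common(matches, fnd, nc) {
-for( i in matches ) {
-if( matches[i] && (!short || length(i) < length(short)) ) short = i
-}
-if( short == "/" ) return
-for( i in matches ) if( matches[i] && i !~ short ) x = 1
-if( x ) return
-if( nc ) {
-for( i in fnd ) if( tolower(short) !~ tolower(fnd[i]) ) x = 1
-} else for( i in fnd ) if( short !~ fnd[i] ) x = 1
-if( !x ) return short
-}
-BEGIN { split(q, a, " ") }
-{
-if( system("test -d \"" $1 "\"") ) next
-print $0 >> tmpfl
-if( typ == "rank" ) {
-f = $2
-} else if( typ == "recent" ) {
-f = t-$3
-} else f = frecent($2, $3)
-wcase[$1] = nocase[$1] = f
-for( i in a ) {
-if( $1 !~ a[i] ) delete wcase[$1]
-if( tolower($1) !~ tolower(a[i]) ) delete nocase[$1]
-}
-if( wcase[$1] > oldf ) {
-cx = $1
-oldf = wcase[$1]
-} else if( nocase[$1] > noldf ) {
-ncx = $1
-noldf = nocase[$1]
-}
-}
-END {
-if( cx ) {
-output(wcase, cx, common(wcase, a, 0))
-} else if( ncx ) output(nocase, ncx, common(nocase, a, 1))
-}
-' "$datafile")
-if [ $status -gt 0 ]
-rm -f "$tempfile"
-else
-mv -f "$tempfile" "$datafile"
-[ "$target" ]; and cd "$target"
-end
-end
-end
-end
-function __z_init -d 'Set up automatic population of the directory list for z'
-functions fish_prompt | grep -q 'z --add'
-if [ $status -gt 0 ]
-functions fish_prompt | sed -e '$ i\\
-z --add "$PWD"' | .
-end
-end
-__z_init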

27
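--- a/salt/iptables/init.sls
+++ b/salt/iptables/init.sls
-/etc/iptables.up.rules:
-file.managed:
-- source: salt://iptables/iptables.up.rules
-- template: jinja
-- require:
-- pkg: iptables
-flush-iptables:
-cmd.run:
-- names:
-- /sbin/iptables -F
-- /sbin/iptables-restore < /etc/iptables.up.rules
-- watch:
-- file: /etc/iptables.up.rules
-- require:
-- pkg: iptables
-/etc/network/if-pre-up.d/iptables:
-file.managed:
-- mode: 644
-- source: salt://iptables/iptables-restore.sh
-- require:
-- pkg: iptables
-cmd.run:
-- name: chmod +x /etc/network/if-pre-up.d/iptables
-- require:
-- pkg: iptables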

2
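--- a/salt/iptables/iptables-restore.sh
+++ b/salt/iptables/iptables-restore.sh
@@ -1,2 +0,0 @@
-#!/bin/sh
-sudo sh -c '/sbin/iptables-restore < /etc/iptables.up.rules'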

43
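--- a/salt/iptables/iptables.up.rules
+++ b/salt/iptables/iptables.up.rules
-*filter
-# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
--A INPUT -i lo -j ACCEPT
--A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-# Accepts all established inbound connections
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# Allows all outbound traffic
-# You can modify this to only allow certain traffic
--A OUTPUT -j ACCEPT
-# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
--A INPUT -p tcp --dport 80 -j ACCEPT
--A INPUT -p tcp --dport 443 -j ACCEPT
-# Allows SSH connections
-#
-# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-#
--A INPUT -p tcp -m state --state NEW --dport {{ pillar.ssh.port }} -j ACCEPT
-# Allow ping
--A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-# log iptables denied calls
--A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-# Reject all other inbound - default deny unless explicitly allowed policy
--A INPUT -j REJECT
--A FORWARD -j REJECT
-COMMIT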

46
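--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
-nginx-extras:
-pkg:
-- installed
-nginx:
-service:
-- running
-- enable: True
-- require:
-- pkg: nginx-extras
-- watch:
-- file: /etc/nginx/nginx.conf
-- file: /etc/nginx/sites-enabled/*
-/etc/nginx/sites-available:
-file.directory:
-- mode: 755
-- require:
-- pkg: nginx-extras
-/etc/nginx/sites-enabled:
-file.directory:
-- mode: 755
-- require:
-- pkg: nginx-extras
-{% if pillar.env_name != 'vagrant' %}
-/etc/certs:
-file.directory:
-- mode: 644
-- require:
-- pkg: nginx-extras
-{% endif %}
-/etc/nginx/nginx.conf:
-file.managed:
-- source: salt://nginx/nginx.conf
-- mode: 400
-- template: jinja
-- require:
-- pkg: nginx-extras
-/etc/nginx/sites-enabled/default:
-file.absent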

26
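--- a/salt/nginx/nginx.conf
+++ b/salt/nginx/nginx.conf
-user {% if pillar.env_name == 'vagrant' %}vagrant{% else %}www-data{% endif %};
-worker_processes 4;
-events {
-worker_connections 1024;
-}
-http {
-include mime.types;
-default_type application/octet-stream;
-sendfile on;
-tcp_nopush on;
-tcp_nodelay on;
-keepalive_timeout 65;
-gzip on;
-gzip_disable "msie6";
-gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
-include /etc/nginx/sites-enabled/*;
-types_hash_max_size 4096;
-server_names_hash_bucket_size 64;
-}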

29
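--- a/salt/postgresql/init.sls
+++ b/salt/postgresql/init.sls
-postgresql:
-pkg:
-- installed
-service.running:
-- watch:
-- file: /etc/postgresql/9.3/main/pg_hba.conf
-- require:
-- pkg: postgresql
-pg_hba.conf:
-file.managed:
-- name: /etc/postgresql/9.3/main/pg_hba.conf
-- source: salt://postgresql/pg_hba.conf
-- user: postgres
-- group: postgres
-- mode: 644
-- require:
-- pkg: postgresql
-postgresql.conf:
-file.managed:
-- name: /etc/postgresql/9.3/main/postgresql.conf
-- source: salt://postgresql/postgresql.conf
-- template: jinja
-- user: postgres
-- group: postgres
-- mode: 644
-- require:
-- pkg: postgresql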

99
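--- a/salt/postgresql/pg_hba.conf
+++ b/salt/postgresql/pg_hba.conf
-# PostgreSQL Client Authentication Configuration File
-# ===================================================
-#
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# plain TCP/IP socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" is preferred since
-# it sends encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the postmaster receives
-# a SIGHUP signal. If you edit the file on a running system, you have
-# to SIGHUP the postmaster for the changes to take effect. You can
-# use "pg_ctl reload" to do that.
-# Put your actual configuration here
-# ----------------------------------
-#
-# If you want to allow non-local connections, you need to add more
-# "host" records. In that case you will also need to make PostgreSQL
-# listen on a non-local interface via the listen_addresses
-# configuration parameter, or via the -i or -h command line switches.
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local all postgres peer
-# TYPE DATABASE USER ADDRESS METHOD
-# "local" is for Unix domain socket connections only
-local all all peer
-# IPv4 local connections:
-host all all 127.0.0.1/32 md5
-# IPv6 local connections:
-host all all ::1/128 md5
-# Allow replication connections from localhost, by a user with the
-# replication privilege.
-#local replication postgres peer
-#host replication postgres 127.0.0.1/32 md5
-#host replication postgres ::1/128 md5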

596
salt/postgresql/postgresql.conf

@ -1,596 +0,0 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, or use "pg_ctl reload". Some
# parameters, which are marked below, require a server shutdown and restart to
# take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
data_directory = '/var/lib/postgresql/9.3/main' # use data in another directory
# (change requires restart)
hba_file = '/etc/postgresql/9.3/main/pg_hba.conf' # host-based authentication file
# (change requires restart)
ident_file = '/etc/postgresql/9.3/main/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/var/run/postgresql/9.3-main.pid' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
# Note: Increasing max_connections costs ~400 bytes of shared memory per
# connection slot, plus lock space (see max_locks_per_transaction).
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - Security and Authentication -
#authentication_timeout = 1min # 1s-600s
ssl = true # (change requires restart)
#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart)
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart)
#ssl_ca_file = '' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
#password_encryption = on
#db_user_namespace = off
# Kerberos and GSSAPI
#krb_server_keyfile = ''
#krb_srvname = 'postgres' # (Kerberos only)
#krb_caseins_users = off
# - TCP Keepalives -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory
# per transaction slot, plus lock space (see max_locks_per_transaction).
# It is not advisable to set max_prepared_transactions nonzero unless you
# actively intend to use prepared transactions.
#work_mem = 1MB # min 64kB
#maintenance_work_mem = 16MB # min 1MB
#max_stack_depth = 2MB # min 100kB
# - Disk -
#temp_file_limit = -1 # limits per-session temp file space
# in kB, or -1 for no limit
# - Kernel Resource Usage -
#max_files_per_process = 1000 # min 25
# (change requires restart)
#shared_preload_libraries = '' # (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#------------------------------------------------------------------------------
# WRITE AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = minimal # minimal, archive, or hot_standby
# (change requires restart)
#fsync = on # turns forced synchronization on or off
#synchronous_commit = on # synchronization level;
# off, local, remote_write, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each
#checkpoint_timeout = 5min # range 30s-1h
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # allows archiving to be done
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Server(s) -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 0 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#hot_standby = off # "on" allows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#effective_cache_size = 128MB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#------------------------------------------------------------------------------
# ERROR REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'pg_log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
# This is only relevant when logging to eventlog (win32):
#event_source = 'PostgreSQL'
# - When to Log -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%t ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'UTC'
#------------------------------------------------------------------------------
# RUNTIME STATISTICS
#------------------------------------------------------------------------------
# - Query/Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#update_process_title = on
#stats_temp_directory = 'pg_stat_tmp'
# - Statistics Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM PARAMETERS
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum Multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#search_path = '"$user",public' # schema names
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'UTC'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 0 # min -15, max 3
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'en_US.UTF-8' # locale for system error message
# strings
lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
lc_numeric = 'en_US.UTF-8' # locale for number formatting
lc_time = 'en_US.UTF-8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Other Defaults -
#dynamic_library_path = '$libdir'
#local_preload_libraries = ''
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
# Note: Each lock table slot uses ~270 bytes of shared memory, and there are
# max_locks_per_transaction * (max_connections + max_prepared_transactions)
# lock table slots.
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#------------------------------------------------------------------------------
# VERSION/PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#quote_all_identifiers = off
#sql_inheritance = on
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf.
#include_dir = 'conf.d' # include files ending in '.conf' from
# directory 'conf.d'
#include_if_exists = 'exists.conf' # include file only if it exists
#include = 'special.conf' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

20
salt/ssh/init.sls