Pillar

Warning

The Salt pillar data must be kept secure. Do not push to a public repository such as GitHub or BitBucket

SSL

Our nginx configuration includes a default_server for ports 80 and 443. For the SSL port (443), nginx needs a default certificate. To create the default certificate, run the following in a temporary folder:

openssl req -x509 -nodes -days 20000 -newkey rsa:2048 -keyout default.key -out default.crt

Note

I entered a Country Name of GB, our county and town for the State and Locality, our company name for the Organization Name, a Common Name of default.co.uk and my own email address for the Email Address.

In your pillar, create a file called config/nginx.sls and copy the contents of default.crt into the crt section and the contents of default.key into the key section, e.g.:

nginx:
  http:
    - server_names_hash_bucket_size 64
    - types_hash_max_size 2048
  ssl:
    crt: |
      -----BEGIN CERTIFICATE-----
      MIID7zCCAtegAwIBAgIJAIMVRGYrFqHoMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDAZYErdinl7Ju9
      ...
      -----END PRIVATE KEY-----

You can now delete the default.key and default.crt files.
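Pasting two PEM blocks into a YAML block scalar by hand is where the indentation goes wrong or the key and certificate get swapped. The script below is an added example, not part of the project's own code: it reads the default.crt and default.key produced by the openssl command above and writes config/nginx.sls in the layout shown, refusing to continue if the PEM markers are not where they should be. The http options, file names and the render_nginx_pillar/write_nginx_pillar names are assumptions made for this example.

```python
"""Build the config/nginx.sls pillar file from default.crt and default.key.

Added example (not the project's own code). It assumes the pillar layout
shown above: nginx -> http / ssl -> crt / key, with the PEM bodies as YAML
block scalars indented six spaces.
"""

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"
KEY_BEGINS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----")
KEY_ENDS = ("-----END PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----")

# Constructed sample PEM blocks (not real key material) so the module runs offline.
SAMPLE_CRT = "\n".join([CERT_BEGIN, "AAAACONSTRUCTEDCERTIFICATEBODY", CERT_END]) + "\n"
SAMPLE_KEY = "\n".join([KEY_BEGINS[0], "AAAACONSTRUCTEDKEYBODY", KEY_ENDS[0]]) + "\n"


def _pem_lines(text, begins, ends, label):
    """Split a PEM block into lines and insist on the expected markers."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or lines[0] not in begins or lines[-1] not in ends:
        raise ValueError(f"{label}: not a PEM block with the expected BEGIN/END markers")
    return lines


def render_nginx_pillar(crt_pem, key_pem, http_options=None):
    """Return the text of config/nginx.sls.

    Raises ValueError if the certificate and key appear swapped, which is
    the mistake a manual copy-and-paste invites.
    """
    if http_options is None:
        http_options = ["server_names_hash_bucket_size 64", "types_hash_max_size 2048"]
    crt_lines = _pem_lines(crt_pem, (CERT_BEGIN,), (CERT_END,), "crt")
    key_lines = _pem_lines(key_pem, KEY_BEGINS, KEY_ENDS, "key")
    out = ["nginx:", "  http:"]
    out += [f"    - {opt}" for opt in http_options]
    out += ["  ssl:", "    crt: |"]
    out += [f"      {ln}" for ln in crt_lines]          # six-space indent under "crt: |"
    out += ["    key: |"]
    out += [f"      {ln}" for ln in key_lines]          # six-space indent under "key: |"
    return "\n".join(out) + "\n"


def write_nginx_pillar(crt_path, key_path, out_path):
    """Read the two files produced by openssl and write the pillar file."""
    with open(crt_path) as f:
        crt = f.read()
    with open(key_path) as f:
        key = f.read()
    text = render_nginx_pillar(crt, key)
    with open(out_path, "w") as f:
        f.write(text)
    return text


if __name__ == "__main__":
    import sys
    # usage: python render_nginx_pillar.py default.crt default.key config/nginx.sls
    write_nginx_pillar(*sys.argv[1:4])
```

Run it from the temporary folder in which you ran openssl, then delete default.key and default.crt as the page says; the private key should exist only in the pillar from that point on.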

Sites

To set up a new site (or sites) on a server, create or edit a file in the pillar sites folder, e.g. sites/mysites.sls. The file should contain details of the sites to be deployed onto this server, e.g.:

sites:
  www.hatherleigh.info:
    profile: django
    db_pass: password
    db_type: psql
    secret_key: 'my-secret-key-generated-by-django'
    ssl: False
    uwsgi_port: 3035
  www.another.site:
    profile: django
    db_pass: password2
    db_type: psql
    secret_key: 'another-secret-key-generated-by-django'
    ssl: True
    uwsgi_port: 3036
    ftp: True
    ftp_password: "generated-using-mkpasswd-see-ftp-notes"

If your Django project does not use a database, then set db_type to an empty string, e.g.:

sites:
  www.hatherleigh.info:
    profile: django
    db_type: ''

If your site needs additional information in ALLOWED_HOSTS or CSRF_TRUSTED_ORIGINS, then you can add allowed_hosts to the site in the pillar (it must be indented inside the site, not alongside it):

sites:
  www.hatherleigh.info:
    allowed_hosts: www.hatherleigh.info,www.hatherleigh.co.uk

Note

If you have requests from multiple sub-domains (this might happen if you set up a reverse proxy), then use . rather than * for the wildcard, e.g. .hatherleigh.info.

cron

Warning

Probably better to use Celery. For details, see cron

To create and run a shell script in the /home/web/opt/ folder as a cron task:

sites:
  www.hatherleigh.info:
    profile: django
    cron:
      sync-files-to-web-server:
        schedule: "*/5     *       *       *       *"

Note

The salt state will add the .sh extension to the file name of the shell script, so in this example your shell script must be named sync-files-to-web-server.sh.

To create and run a Django management command as a cron task:

sites:
  www.hatherleigh.info:
    profile: django
    cron:
      prepare_graph_data:
        schedule: "30     23      *       *       *"
        django_management_command: True

Note

This is un-tested and has not been used on a live site.

Ember

Ember

FTP

FTP

Host Name

Salt will automatically generate a host_name for use in your Django settings.

If you want to override the automatically generated value, then you can set the host_name in the pillar, e.g.:

sites:
  www.hatherleigh.info:
    package: hatherleigh_info
    profile: django
    host_name: https://www.hatherleigh.info

LAN

If you want to install a site to your local area network, then add the lan option to your site configuration, e.g.:

sites:
  www.hatherleigh.info:
    db_pass: password
    domain: pkimber.net
    lan: True
    secret_key: 'my-secret-key-generated-by-django'
    ssl: False
    uwsgi_port: 3038

Note

If you enable the lan option then you (currently) cannot use ssl.

nginx will be configured with an empty server name, so only one site can be installed on the server.

Warning

If you enable the lan option, the Django site will set ALLOWED_HOSTS to *. This is a security risk for public web sites.

Mail

mail

pip and devpi

devpi

Secret Key

To generate a new secret key, use the Django extensions application. Install it:

pip install django-extensions

Add it to the third-party apps in your Django settings:

THIRD_PARTY_APPS = (
    'django_extensions',
)

Then generate the key:

django-admin generate_secret_key

Database

The fabric Release task uses a prefix parameter to identify your modules. This prefix is also used to look up the database IP address for your site when running the Deploy command. So, for example, if your prefix is kb, you should have a file in your pillar called:

db/settings.sls

This file should contain the IP address of your database server (or localhost if your database is installed on the same server as your site), e.g.:

postgres_settings:
  listen_address: localhost

Users

To create users on your server, add a users section to your pillar in the following format:

users:
  patrick:
    uid: 7501
    fullname: Patrick Kimber
    password: "abc"
    sudo: True
    keys:
      - ssh-rsa AAAAB3...patrick@hamm
      - ssh-rsa AAAAB3...patrick@rex
  greg:
    uid: 7504
    fullname: Greg Smith
    password: "xyz"
    sudo: True
    keys:
      - ssh-rsa AAAAB3...greg@buzz

To create the password hash (where <password> is your password):

mkpasswd -m sha-512 <password>

The keys are a list of public SSH keys.

Additional Users

To create additional users, create an sls file for the partner listing the users (in the same format as above).

Add this file to the pillar for your site, e.g.:

'cloud-a':
  - config.libreoffice_headless
  - global.additional_users_partner_name
  - sites.server

Salt combines the additional users with the default users in the default.user.sls state file…

Validate

To validate the pillar files, use the fabric valid task, e.g.:

cd fabric
fab valid:server_name=drop-temp,site_name=hatherleigh_net
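The fabric valid task checks the pillar as a whole; the checks below are an added example, not the project's own code, that applies the rules stated on this page to the sites section before you run it: lan and ssl are mutually exclusive, lan sets ALLOWED_HOSTS to *, cron jobs are named without the .sh extension, allowed_hosts belongs inside the site, wildcard hosts use . rather than *, and each site needs its own uwsgi_port. The pillar is passed in as an already-loaded dict (the constructed sample mirrors the YAML shown above, so no YAML library is needed); the db_type-requires-db_pass rule, the ftp-requires-ftp_password rule and the "shorter than 12 characters is a placeholder" heuristic are assumptions of this example, as are the validate_sites and SAMPLE_PILLAR names.

```python
"""Sanity-check the sites section of a pillar before running fab valid.

Added example, not the project's own code. Applies the rules stated on
this page to a pillar that has already been loaded into a dict.
"""

# Sample values from the page's examples; a real pillar must never carry them.
PLACEHOLDER_SECRETS = {
    "password",
    "password2",
    "my-secret-key-generated-by-django",
    "another-secret-key-generated-by-django",
}

# Constructed sample pillar, deliberately containing several mistakes.
SAMPLE_PILLAR = {
    "sites": {
        "www.hatherleigh.info": {
            "profile": "django",
            "db_pass": "password",                          # placeholder
            "db_type": "psql",
            "secret_key": "my-secret-key-generated-by-django",  # placeholder
            "ssl": True,                                    # conflicts with lan
            "lan": True,
            "uwsgi_port": 3035,
            "cron": {"sync-files-to-web-server.sh": {"schedule": "*/5 * * * *"}},
        },
        "www.another.site": {
            "profile": "django",
            "db_pass": "Xk9!pQ2v#mL7wR4t",
            "db_type": "psql",
            "secret_key": "c0nstructed-50-char-secret-key-for-the-example-only!!",
            "ssl": True,
            "uwsgi_port": 3035,                             # collides with the site above
            "ftp": True,                                    # but no ftp_password
            "allowed_hosts": "*.another.site",              # should be .another.site
        },
        # allowed_hosts mis-indented to site level instead of inside a site
        "allowed_hosts": "www.hatherleigh.info,www.hatherleigh.co.uk",
    }
}


def _check_cron(name, cron, problems):
    for job, spec in (cron or {}).items():
        if job.endswith(".sh"):
            # The state appends .sh itself, so this would look for job.sh.sh
            problems.append(f"{name}: cron job '{job}' must be named without the .sh extension")
        fields = str(spec.get("schedule", "")).split()
        if len(fields) != 5:
            problems.append(f"{name}: cron job '{job}' schedule needs 5 fields, got {len(fields)}")


def validate_sites(pillar):
    """Return a list of problem strings; an empty list means the sites passed."""
    problems = []
    ports = {}
    for name, site in (pillar.get("sites") or {}).items():
        if not isinstance(site, dict):
            problems.append(f"{name}: not a site mapping (mis-indented key such as allowed_hosts?)")
            continue
        if site.get("lan") and site.get("ssl"):
            problems.append(f"{name}: lan sites cannot use ssl")
        if site.get("lan"):
            problems.append(f"{name}: lan sets ALLOWED_HOSTS to '*'; never expose this site publicly")
        for host in str(site.get("allowed_hosts", "")).split(","):
            if host.startswith("*."):
                problems.append(f"{name}: use '.{host[2:]}' rather than '{host}' for a wildcard host")
        if site.get("db_type", "") and not site.get("db_pass"):
            problems.append(f"{name}: db_type is set but db_pass is missing")
        for field in ("db_pass", "secret_key", "ftp_password"):
            value = site.get(field)
            # Assumed heuristic: page sample values or anything under 12 characters
            if value is not None and (value in PLACEHOLDER_SECRETS or len(str(value)) < 12):
                problems.append(f"{name}: {field} looks like a placeholder; generate a real value")
        if site.get("ftp") and not site.get("ftp_password"):
            problems.append(f"{name}: ftp is enabled but ftp_password is missing")
        port = site.get("uwsgi_port")
        if port is not None:
            if port in ports:
                problems.append(f"{name}: uwsgi_port {port} is already used by {ports[port]}")
            ports[port] = name
        _check_cron(name, site.get("cron"), problems)
    return problems


if __name__ == "__main__":
    for problem in validate_sites(SAMPLE_PILLAR):
        print(problem)
```

Run it against the sample and every deliberate mistake is reported; on a real pillar, load sites/*.sls with your YAML reader of choice, hand the resulting dict to validate_sites, and only run fab valid once the list comes back empty.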