diff --git a/sbin/build_image b/ansible/sbin/build_image similarity index 100% rename from sbin/build_image rename to ansible/sbin/build_image diff --git a/sbin/diagnose b/ansible/sbin/diagnose similarity index 100% rename from sbin/diagnose rename to ansible/sbin/diagnose diff --git a/sbin/make_changelog b/ansible/sbin/make_changelog similarity index 100% rename from sbin/make_changelog rename to ansible/sbin/make_changelog diff --git a/sbin/make_volatile b/ansible/sbin/make_volatile similarity index 100% rename from sbin/make_volatile rename to ansible/sbin/make_volatile diff --git a/sbin/update_images b/ansible/sbin/update_images similarity index 100% rename from sbin/update_images rename to ansible/sbin/update_images diff --git a/doc/README.md b/doc/README.md index fb2b79c..f096916 100644 --- a/doc/README.md +++ b/doc/README.md @@ -2,4 +2,8 @@ # Risotto -![Schéma](schema.png "Schéma") +![Schema](schema.png "Schéma") + +# A dataset + +[Dataset example](dataset_example/README.md) diff --git a/doc/dataset_example/README.md b/doc/dataset_example/README.md new file mode 100644 index 0000000..cf2c8d6 --- /dev/null +++ b/doc/dataset_example/README.md 
@@ -0,0 +1,146 @@ +# Risotto dataset simple examples + +This tutorial aims to show how to deploy a [Caddy](https://caddyserver.com/) server via Risotto. + +Attention it has no other virtues than to be educational. It is not intended for production use. + +## Application services + +The project can be divided into three application services: + +- caddy-common: an application service containing the information common to the two other application services +- caddy-https: a standalone http/https server +- caddy-https-rp: a https only server served behind a reverse proxy + +### caddy-common + +Start by creating the project tree: + +seed/caddy-common/ +├── dictionaries +├── templates +└── manual +    └── image +    └── preinstall + +Then describe the application service in [seed/caddy-common/applicationservice.yml](seed/caddy-common/applicationservice.yml). + +Also a dictionary [seed/caddy-common/dictionaries/20-caddy.yml](seed/caddy-common/dictionaries/20-caddy.yml) with + +- the activation of the caddy service in the "multi-user" target. This service needs some templates: + + - the main configuration's [/etc/caddy/Caddyfile](seed/caddy-common/templates/Caddyfile) to include other /etc/caddy/Caddyfile.d/\*.caddyfile + - /etc/caddy/Caddyfile.d/risotto.caddyfile with appropriate configuration (this file is not part of this application service) + - a [sysusers](https://www.freedesktop.org/software/systemd/man/sysusers.d.html) file [/sysusers.d/0caddy.conf](seed/caddy-common/templates/sysuser-caddy.conf) to create the system user "caddy" + - a [tmpfiles](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html) file [/tmpfiles.d/0caddy.conf](seed/caddy-common/templates/tmpfile-caddy.conf) to create the directory "caddy_root_directory" and volatile directory "/var/lib/caddy" + +- a family "caddy" (Caddy web server) with a filename variable "caddy_root_directory" (The root path of the site) with default value "/srv/caddy". 
This variable is not used in this service application + +Finally, create a script to build the image with the caddy package: [seed/caddy-common/manual/image/preinstall/caddy.sh](seed/caddy-common/manual/image/preinstall/caddy.sh). + +### caddy-https + +Start by creating the project tree: + +seed/caddy-https-rp/ +├── dictionaries +└── templates + +Then describe the application service in [seed/caddy-https/applicationservice.yml](seed/caddy-https/applicationservice.yml) with OS and caddy-common dependencies. + +Also create a dictionary [seed/caddy-https/dictionaries/25-caddy.yml](seed/caddy-https/dictionaries/25-caddy.yml) to define the variables: + +- caddy_domain: the domain where Caddy should listen to +- caddy_ca_file, caddy_crt_file and caddy_key_file: certificat for this domain +- redefine the variable incoming_ports to open the ports 80 and 443 + +And new templates: + +- [seed/caddy-https/templates/risotto.caddyfile](seed/caddy-https/templates/risotto.caddyfile) +- [seed/caddy-https/templates/ca_HTTP.crt](seed/caddy-https/templates/ca_HTTP.crt) +- [seed/caddy-https/templates/caddy.key](seed/caddy-https/templates/caddy.key) +- [seed/caddy-https/templates/caddy.crt](seed/caddy-https/templates/caddy.crt) + +### caddy-https-rp + +Start by creating the project tree: + +seed/caddy-https-rp/ +├── dictionaries +└── patches +└── templates + +Then describe the application service in [seed/caddy-https-rp/applicationservice.yml](seed/caddy-https-rp/applicationservice.yml) with OS, caddy-common and reverse-proxy-client dependencies. + +By default, reverse proxy certificate is only readable by "root" user. In the dictionary [seed/caddy-https-rp/dictionaries/25-caddy.yml](seed/caddy-https-rp/dictionaries/25-caddy.yml) we change the user to "caddy". + +And add Caddy configuration's file [seed/caddy-https-rp/templates/risotto.caddyfile](seed/caddy-https-rp/templates/risotto.caddyfile). 
+ +Finally add a patch to modify Caddyfile to not starts Caddy in port 80: [seed/caddy-https-rp/patches/Caddyfile.patch](seed/caddy-https-rp/patches/Caddyfile.patch). +Patches should only use if a template file is define in an other dataset. You should instead add a condition in the template. But for educational reasons we made a patch in this case. + +## Infrastructure + +The infrastructure is define in a uniq YAML file: servers.yml: + +### Zones + +The idea: + +- separate the networks according to the uses +- there is no route to each other + +Ideally only one area has an Internet access. +Internet access is, in fact, firewall rules. +This network is usually called "external". + +The other networks are only there for the communication between server and client. + +The host must have an IP in this network. +IP inside this network are deliver automaticly. + +A network is call a "zone". + +### Modules + +A module is simply a list of application services. An system image is build with informations define in application service. + +### Hosts + +A host is a server on which container or VM are running. +Define the host means define: + +- application services to configure the host and VM +- application service provider to define the provider to apply on each VM +- values to adapt the configuration +- servers, the list of VM with : + + - the corresponding module + - informations (like zone) + - values + +Host must only be a Debian 11 (Bullseye) from now. + +### Examples + +- Caddy as HTTPS server: [servers.yml](servers.yml.caddy-https) +- Caddy behind a Nginx reverse proxy: [servers.yml](servers.yml.caddy-https-rp) + +You must add a index.html file in "/var/lib/risotto/srv/caddy.in.example.net/caddy/". + +## risotto.conf + +```toml +[directories] +datasets = ['/seed', 'seed'] +dest = 'installations' +dest_templates = 'templates' + +[cert_authority] +email = '' +country = 'FR' +locality = 'Dijon' +state = 'France' +org_name = 'Silique' +org_unit_name = 'Cloud' +``` 
diff --git a/doc/dataset_example/seed/caddy-common/applicationservice.yml b/doc/dataset_example/seed/caddy-common/applicationservice.yml new file mode 100644 index 0000000..aee978d --- /dev/null +++ b/doc/dataset_example/seed/caddy-common/applicationservice.yml @@ -0,0 +1,2 @@ +format: '0.1' +description: Caddy's common files diff --git a/doc/dataset_example/seed/caddy-common/dictionaries/20-caddy.yml b/doc/dataset_example/seed/caddy-common/dictionaries/20-caddy.yml new file mode 100644 index 0000000..298ec27 --- /dev/null +++ b/doc/dataset_example/seed/caddy-common/dictionaries/20-caddy.yml @@ -0,0 +1,25 @@ +services: +- service: + - name: caddy + target: multi-user + file: + - text: /etc/caddy/Caddyfile + engine: 'none' + - text: /etc/caddy/Caddyfile.d/risotto.caddyfile + - text: /sysusers.d/0caddy.conf + source: sysuser-caddy.conf + engine: 'none' + - text: /tmpfiles.d/0caddy.conf + source: tmpfile-caddy.conf + engine: 'none' +variables: +- family: + - name: caddy + description: Caddy web server + variables: + - variable: + - name: caddy_root_directory + type: filename + description: The root path of the site + value: + - text: /srv/caddy diff --git a/doc/dataset_example/seed/caddy-common/manual/image/preinstall/caddy.sh b/doc/dataset_example/seed/caddy-common/manual/image/preinstall/caddy.sh new file mode 100644 index 0000000..b78ac30 --- /dev/null +++ b/doc/dataset_example/seed/caddy-common/manual/image/preinstall/caddy.sh @@ -0,0 +1 @@ +PKG="$PKG caddy" diff --git a/doc/dataset_example/seed/caddy-common/templates/Caddyfile b/doc/dataset_example/seed/caddy-common/templates/Caddyfile new file mode 100644 index 0000000..b29bfac --- /dev/null +++ b/doc/dataset_example/seed/caddy-common/templates/Caddyfile 
@@ -0,0 +1,43 @@ +# The Caddyfile is an easy way to configure your Caddy web server. +# +# https://caddyserver.com/docs/caddyfile + +#>GNUNUX +# Global options +{ + # remove administration tool + admin off +} +#GNUNUX +#http:// { +#listen only in https +{ + admin off +} + +%for %%domain in %%revprox_client_external_domainnames +https://%%domain { + tls %%revprox_client_cert_file %%revprox_client_key_file { + ca_root %%revprox_client_ca_file + } + log { + output stdout + format console + level info + } +#GNUNUX +# root * /usr/share/caddy + root * /srv/caddy +# + inkscape:zoom="0.38930277" + inkscape:cx="188.79907" + inkscape:cy="724.37194" + inkscape:window-width="1920" + inkscape:window-height="1011" + inkscape:window-x="0" + inkscape:window-y="0" + inkscape:window-maximized="1" + inkscape:current-layer="layer1" + inkscape:showpageshadow="2" + inkscape:deskcolor="#d1d1d1" /> @@ -208,7 +210,7 @@ x2="86.82" y1="14.793" x1="98.330002" - gradientTransform="matrix(0.25589145,0,0,0.25589145,4.141502,17.61046)" + gradientTransform="matrix(0.25589145,0,0,0.25589145,160.88925,-128.76529)" gradientUnits="userSpaceOnUse" id="I" /> 
@@ -826,7 +828,7 @@ gradientUnits="userSpaceOnUse" cy="441.76999" cx="272.06" - gradientTransform="matrix(0.16746778,0,0,0.13928169,-84.555398,-142.19997)" + gradientTransform="matrix(0.16746778,0,0,0.13928169,-53.438081,-96.738971)" r="103.31" inkscape:collect="always"> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + transform="translate(56.083038,244.94272)"> + width="397.836" + height="271.96536" + x="-56.083038" + y="-244.94272" /> user nginx;worker_processes auto;error_log syslog:server=unix:/dev/log;pid /run/nginx.pid;include /usr/share/nginx/modules/*.conf;events {worker_connections 1024;}http {log_format main '$remote_addr - $remote_user'$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log syslog:server=unix:/dev/log combined;error_log syslog:server=unix:/dev/log error;sendfile on;tcp_nopush on;tcp_nodelay on; user nginx;worker_processes auto;error_log syslog:server=unix:/dev/log;pid /run/nginx.pid;include /usr/share/nginx/modules/*.conf;events {worker_connections 1024;}http {log_format main '$remote_addr - $remote_user'$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log syslog:server=unix:/dev/log combined;error_log syslog:server=unix:/dev/log error;sendfile on;tcp_nopush on;tcp_nodelay on; IRAMISU + transform="matrix(0.27056412,0,0,0.27056412,213.06054,-163.45275)"> + transform="matrix(0,-0.27056412,0.27056412,0,234.74769,-107.55541)"> + + + + - - - + style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Lstart-5-4-3-7-1);marker-mid:url(#Arrow1Lend-9-0-6-9-9)" + d="m 56.213335,-204.28829 -24.959422,0.27477" + id="path1591-36-6-2-2-9" /> Cheetah + x="224.00247" + y="-5.7337823">Cheetah version: '0.10'# describe a first service 
with a single fileservices:- service:- name: my_servicefile:- engine: jinjatext: /etc/filename# describe a variable my_first_variable# and a family with a variable my_second_variablevariables:- variable:- name: my_first_variablevalue:- text: my_value- family:- name: my_familyvariables:- variable:- name: my_second_variabletype: numbermandatory: truevalue:- text: 1 version: '0.10'# describe a first service with a single fileservices:- service:- name: my_servicefile:- engine: jinjatext: /etc/filename# describe a variable my_first_variable# and a family with a variable my_second_variablevariables:- variable:- name: my_first_variablevalue:- text: my_value- family:- name: my_familyvariables:- variable:- name: my_second_variabletype: numbermandatory: truevalue:- text: 1 # For more information on configuration,# * Official English Documentation: http:# * Official Russian Documentation: http:%if %%os_name == 'Fedora'user nginx;%elseuser www-data;%end ifworker_processes auto;#GNUNUX error_log /var/log/nginx/error.log;#>GNUNUXerror_log syslog:server=unix:/dev/log;#<GNUNUXpid /run/nginx.pid;# Load dynamic modules. See /usr/share/doc/nginx%if %%os_name == 'Fedora'include /usr/share/nginx/modules/*.conf;%elseinclude /etc/nginx/modules-enabled/*.conf;%end if # For more information on configuration,# * Official English Documentation: http:# * Official Russian Documentation: http:%if %%os_name == 'Fedora'user nginx;%elseuser www-data;%end ifworker_processes auto;#GNUNUX error_log /var/log/nginx/error.log;#>GNUNUXerror_log syslog:server=unix:/dev/log;#<GNUNUXpid /run/nginx.pid;# Load dynamic modules. 
See /usr/share/doc/nginx%if %%os_name == 'Fedora'include /usr/share/nginx/modules/*.conf;%elseinclude /etc/nginx/modules-enabled/*.conf;%end if user nginx;worker_processes auto;error_log syslog:server=unix:/dev/log;pid /run/nginx.pid;include /usr/share/nginx/modules/*.conf;events {worker_connections 1024;}http {log_format main '$remote_addr - $remote_user'$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log syslog:server=unix:/dev/log combined;error_log syslog:server=unix:/dev/log error;sendfile on;tcp_nopush on;tcp_nodelay on; - - - RISOTTO + d="m -25.714268,-52.802947 5.475011,-0.16233 9.577676,-0.25496 15.6759526,-0.4173 -0.304316,24.322799 -28.7579176,5.532196 -1.144804,-14.509932 -0.426431,-5.404893 z" /> @@ -2791,11 +3165,11 @@ sodipodi:nodetypes="ccccccccc" style="fill:#e6e6e6;stroke:#a1a1a1;stroke-width:0.164917;enable-background:new" inkscape:connector-curvature="0" - d="m -50.600154,-90.425271 0.02234,-7.64447 8.79867,-0.61124 15.675957,-0.4173 -0.304312,24.322801 -28.757919,5.532193 -1.144804,-14.509928 0.508309,-4.514196 z" /> + d="m -19.482837,-44.964347 0.02234,-7.64447 8.79867,-0.61124 15.6759556,-0.4173 -0.304312,24.322801 -28.7579176,5.532193 -1.144804,-14.509928 0.508309,-4.514196 z" /> + d="m -17.092549,-41.741437 5.475011,-0.16233 9.5776747,-0.25496 15.6759553,-0.4173 -0.304316,24.322802 -28.757919,5.53219 -1.144804,-14.50993 -0.426431,-5.40489 z" /> 
@@ -2864,11 +3238,11 @@ sodipodi:nodetypes="ccccccccc" style="fill:#e6e6e6;stroke:#a1a1a1;stroke-width:0.164917;enable-background:new" inkscape:connector-curvature="0" - d="m -41.978435,-79.363759 0.02234,-7.644472 8.79867,-0.61124 15.675957,-0.4173 -0.304312,24.322802 -28.757919,5.53219 -1.144804,-14.50992 0.508309,-4.5142 z" /> + d="m -10.861118,-33.902835 0.02234,-7.644472 8.7986687,-0.61124 15.6759583,-0.4173 -0.304312,24.322802 -28.757919,5.53219 -1.144804,-14.50992 0.508309,-4.5142 z" /> + d="m -8.4708309,-30.679892 5.4750106,-0.16233 9.577676,-0.25496 15.6759503,-0.4173 -0.304316,24.3227972 -28.7579146,5.5321956 -1.1448046,-14.5099298 -0.426431,-5.404893 z" /> @@ -2937,11 +3311,11 @@ sodipodi:nodetypes="ccccccccc" style="fill:#e6e6e6;stroke:#a1a1a1;stroke-width:0.164917;enable-background:new" inkscape:connector-curvature="0" - d="m -33.356716,-68.302216 0.02234,-7.64447 8.79867,-0.61124 15.6759566,-0.4173 -0.304312,24.322801 -28.7579186,5.532193 -1.144804,-14.509928 0.508309,-4.514196 z" /> + d="m -2.2394003,-22.841292 0.02234,-7.64447 8.79867,-0.61124 15.6759533,-0.4173 -0.304312,24.3227992 -28.7579146,5.5321926 -1.1448046,-14.5099258 0.5083093,-4.514196 z" /> + transform="translate(83.056654,118.48232)"> Rougail + + + + + + + # For more information on configuration,# * Official English Documentation: http:# * Official Russian Documentation: http:%if %%os_name == 'Fedora'user nginx;%elseuser www-data;%end ifworker_processes auto;#GNUNUX error_log /var/log/nginx/error.log;#>GNUNUXerror_log syslog:server=unix:/dev/log;#<GNUNUXpid /run/nginx.pid;# Load dynamic modules. See /usr/share/doc/nginx%if %%os_name == 'Fedora'include /usr/share/nginx/modules/*.conf;%elseinclude /etc/nginx/modules-enabled/*.conf;%end if + servers.json + + + + Dataset + + + + + RISOTTO + + + + + + + + + + + + + + + + + + + diff --git a/logo.png b/logo.png index dd4b631..05df3f7 100644 Binary files a/logo.png and b/logo.png differ 
diff --git a/logo.svg b/logo.svg index 61ef796..704ecf3 100644 --- a/logo.svg +++ b/logo.svg @@ -2,13 +2,16 @@ + inkscape:zoom="4.404458" + inkscape:cx="63.685475" + inkscape:cy="75.378174" + inkscape:window-width="1920" + inkscape:window-height="1011" + inkscape:window-x="0" + inkscape:window-y="0" + inkscape:window-maximized="1" + inkscape:current-layer="layer1" + inkscape:showpageshadow="2" + inkscape:deskcolor="#d1d1d1" /> + width="29.788723" + height="6.963315" + x="78.625404" + y="40.178349" /> + RISOTTO + id="tspan2082">OTTO + + + +
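Review bot: In the doc/README.md hunk the image alt text is changed from "Schéma" to "Schema" while the title attribute on the same line still reads "Schéma"; make the two consistent (`![Schema](schema.png "Schema")`). The new "# A dataset" heading is a second top-level heading next to "# Risotto"; a "## Dataset example" sub-heading would match the existing hierarchy and the link text that follows it.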
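Review bot: In the doc/dataset_example/README.md hunk the "### caddy-https" section shows the project tree as `seed/caddy-https-rp/`, but every other path in that section is `seed/caddy-https/`; the tree label should be `seed/caddy-https/`. In the "### caddy-https-rp" tree, `patches` is drawn with `└──` although `templates` follows it, so it should be `├── patches`. Two points deserve an explicit sentence rather than a bare link: the templates list for caddy-https includes `caddy.key`, i.e. a private key shipped inside the dataset, and the README should say this is a throwaway example key that must be replaced (the page already says the tutorial is not for production, but the key file is the one artifact a reader is most likely to copy as-is); and the caddy-https-rp paragraph that changes the reverse-proxy certificate owner from "root" to "caddy" should name which file or variable is changed and state that only the material Caddy must read needs the wider ownership. Typos to fix in the same hunk: "certificat" (certificate), "a uniq YAML file" (a single YAML file), "IP inside this network are deliver automaticly" (IPs inside this network are delivered automatically), "Patches should only use if a template file is define in an other dataset" (Patches should only be used if a template file is defined in another dataset), "to not starts Caddy in port 80" (so that Caddy does not listen on port 80), and "a index.html" (an index.html). The `[cert_authority]` block in the risotto.conf example sets `email = ''`; if the field is required it should carry a placeholder value, otherwise say it may be left empty.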
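Review bot: In the 20-caddy.yml hunk the file entry `- text: /etc/caddy/Caddyfile.d/risotto.caddyfile` has neither `source` nor `engine`, unlike the three entries around it, and the README states the file is supplied by another application service; add a YAML comment saying so, otherwise a reader will look for a `risotto.caddyfile` template in caddy-common and not find one. The two systemd paths `/sysusers.d/0caddy.conf` and `/tmpfiles.d/0caddy.conf` lack the `/etc/` or `/usr/lib/` prefix systemd reads from; if Risotto rewrites these paths at install time a comment should say so, and if it does not, systemd will never see the files and the "caddy" user and `/var/lib/caddy` will not be created.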
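Review bot: In the caddy-common/templates/Caddyfile hunk there are two global options blocks, the `{ admin off }` under `#>GNUNUX` and a second `{ admin off }` after the commented `#http:// {` line; Caddy accepts at most one global options block at the top of a Caddyfile, so the duplicate should be removed (the leftover `#http:// {` comment suggests an earlier edit was not cleaned up). The `#>GNUNUX` marker is closed with `#GNUNUX`, whereas the nginx template elsewhere in this diff closes with `#<GNUNUX`; use one convention. `root * /srv/caddy` hard-codes the value that the dictionary hunk defines as the default of `caddy_root_directory`, so changing that variable would create the directory via tmpfiles but leave Caddy serving the old path; the template should use the variable. Finally, the `%for %%domain in %%revprox_client_external_domainnames` loop with `tls %%revprox_client_cert_file %%revprox_client_key_file` is Cheetah syntax, yet the dictionary hunk registers `/etc/caddy/Caddyfile` with `engine: 'none'`, which would install the template verbatim; either this loop belongs in `risotto.caddyfile` of caddy-https-rp (where the revprox_client_* variables exist) or the engine setting is wrong, and it cannot be both as shown.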
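Review bot: The schema.svg hunks are dominated by Inkscape editor state (`inkscape:zoom`, `inkscape:cx`, `inkscape:window-width`, `inkscape:current-layer`, `inkscape:deskcolor`) and by whole-path coordinate shifts in `gradientTransform` and `d` attributes; that state changes on every save and makes the diagram change itself unreviewable. Export the diagram as plain SVG, or strip the `inkscape:` and `sodipodi:` attributes before committing, so only the content changes (the new "Dataset", "servers.json" and "Rougail" labels) show up. The nginx snippet rendered as text inside the diagram reads `log_format main '$remote_addr - $remote_user'$status $body_bytes_sent "$http_referer" ''"$http_user_agent" ...`, with the quoting mismatched and the `[$time_local] "$request"` fields missing; if that text is meant to be legible in the schema it should be corrected, otherwise it will be copied by readers as a working configuration.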
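Review bot: The logo.svg hunk carries the same Inkscape view state (`inkscape:zoom="4.404458"`, window geometry, `inkscape:current-layer`) plus a new `<rect>` and a split "RIS"/"OTTO" tspan, and logo.png is committed alongside as a binary change; state in the commit message that logo.png is regenerated from logo.svg, or drop the PNG from the repository and render it at build time, so the two cannot drift apart.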