redis: create redis user in client

2023-06-23 08:10:03 +02:00 · 2023-06-23 08:10:03 +02:00 · 84e583f8a4
commit 84e583f8a4
parent cc56ea6286
16 changed files with 56 additions and 43 deletions
--- a/seed/redis-client/applicationservice.yml
+++ b/seed/redis-client/applicationservice.yml
@ -1,3 +1,5 @@
 format: '0.1'
 description: Application service needs interact with a Redis server
 website: https://redis.io/
+depends:
+  - redis-common
--- a/seed/redis-client/dictionaries/23_redis.xml
+++ b/seed/redis-client/dictionaries/23_redis.xml
@ -1,15 +1,17 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
-    <service name="redis-client" target="risotto" engine="cheetah">
+    <service name="redis-client" target="risotto" engine="ansible">
      <certificate authority="Redis" owner="redis_client_key_owner" owner_type="variable" server="redis_client_server_domainname">redis</certificate>
    </service>
  </services>
  <variables>
    <family name="redis" description="Redis">
-      <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
+      <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur Redis" mandatory="True" supplier="Redis"/>
      <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" supplier="Redis:username"/>
      <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
+      <variable name="redis_server" description="Remote" type="domainname" multi="True" provider="RedisClient" hidden="True"/>
+      <variable name="redis_client_index" type="number" description="Redis index" mandatory='True' provider="RedisClient:index"/>
      <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
        <value>apache</value>
      </variable>
--- a/seed/redis-client/manual/image/preinstall/redis.sh
+++ b/seed/redis-client/manual/image/preinstall/redis.sh
@ -1 +0,0 @@
-PKG="$PKG redis"
--- a/seed/redis-client/templates/redis-client.service
+++ b/seed/redis-client/templates/redis-client.service
@ -4,5 +4,5 @@ Before=risotto.target

 [Service]
 Type=oneshot
-User=%%redis_client_key_owner
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! /usr/bin/redis-cli --tls -a %%redis_client_password --cacert %%tls_ca_directory/Redis.crt  --cert %%tls_cert_directory/redis.crt --key %%tls_key_directory/redis.key -h %%redis_client_server_domainname -p 6380 PING; do sleep 1; done'
+User={{ general.redis.redis_client_key_owner }}
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! /usr/bin/redis-cli --tls -a {{ general.redis.redis_client_password }} --cacert {{ general.tls_ca_directory }}/Redis.crt  --cert {{ general.tls_cert_directory }}/redis.crt --key {{ general.tls_key_directory }}/redis.key -h {{ general.redis.redis_client_server_domainname }} -p 6380 PING; do sleep 1; done'
--- a/seed/redis-common/applicationservice.yml
+++ b/seed/redis-common/applicationservice.yml
@ -0,0 +1,3 @@
+format: '0.1'
+description: Redis, an in-memory data structure store
+website: https://redis.io/
--- a/seed/redis-common/dictionaries/90_redis-common.xml
+++ b/seed/redis-common/dictionaries/90_redis-common.xml
@ -0,0 +1,8 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="redis">
+      <file engine="none" source="sysuser-redis.conf">/sysusers.d/0redis.conf</file>
+    </service>
+  </services>
+</rougail>
--- a/seed/redis-common/manual/image/preinstall/redis-common.sh
+++ b/seed/redis-common/manual/image/preinstall/redis-common.sh
--- a/seed/redis-common/templates/sysuser-redis.conf
+++ b/seed/redis-common/templates/sysuser-redis.conf
--- a/seed/redis/applicationservice.yml
+++ b/seed/redis/applicationservice.yml
@ -2,4 +2,5 @@ format: '0.1'
 description: Redis, an in-memory data structure store
 website: https://redis.io/
 depends:
-  - base-fedora-37
+  - base-fedora-38
+  - redis-common
--- a/seed/redis/dictionaries/90_redis.xml
+++ b/seed/redis/dictionaries/90_redis.xml
@ -2,12 +2,11 @@
 <rougail version="0.10">
  <services>
    <service name="redis" target="multi-user">
-      <ip ip_type='variable'>account.remote_ip</ip>
+      <ip ip_type='variable'>accounts.remote_.ip_</ip>
      <certificate authority="Redis" owner="redis" type="server">redis</certificate>
-      <file>/etc/redis/redis.conf</file>
-      <file engine="none" source="sysuser-redis.conf">/sysusers.d/0redis.conf</file>
+      <file engine="ansible">/etc/redis/redis.conf</file>
      <file engine="none" source="tmpfile-redis.conf">/tmpfiles.d/0redis.conf</file>
-      <file filelist="copy_tests">/tests/redis.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/redis.yml</file>
    </service>
  </services>
  <variables>
--- a/seed/redis/extras/account/00_account.xml
+++ b/seed/redis/extras/account/00_account.xml
@ -1,17 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <variables>
-    <variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
-    <variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
-    <variable name="username" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:username"/>
-    <variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
-  </variables>
-  <constraints>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">account.remote</param>
-      <target>account.remote_ip</target>
-    </fill>
-  </constraints>
-</rougail>
-
--- a/seed/redis/extras/accounts/00_accounts.xml
+++ b/seed/redis/extras/accounts/00_accounts.xml
--- a/seed/redis/funcs/redis.py
+++ b/seed/redis/funcs/redis.py
@ -0,0 +1,8 @@
+def redis_index_of(remotes, suffix):
+    return remotes.index(suffix)
+
+
+def redis_only_one(idx):
+    if idx:
+        # see https://github.com/redis/redis/issues/8099#issuecomment-741868975
+        raise Exception('Redis only works for one service')
--- a/seed/redis/manual/image/preinstall/redis-server.sh
+++ b/seed/redis/manual/image/preinstall/redis-server.sh
@ -1 +0,0 @@
-PKG="$PKG redis"
--- a/seed/redis/templates/redis.conf
+++ b/seed/redis/templates/redis.conf
@ -178,7 +178,7 @@ timeout 0
 # Redis default starting with Redis 3.2.1.
 #>GNUNUX
 #tcp-keepalive 300
-tcp-keepalive %%redis_tcp_keepalive
+tcp-keepalive {{ general.redis.redis_tcp_keepalive }}
 #<GNUNUX

 # Apply OS-specific mechanism to mark the listening socket with the specified
@ -243,9 +243,9 @@ tcp-keepalive %%redis_tcp_keepalive
 # tls-ca-cert-dir /etc/ssl/certs
 #>GNUNUX
 tls-port 6380
-tls-cert-file %%tls_cert_directory/redis.crt
-tls-key-file %%tls_key_directory/redis.key
-tls-ca-cert-file %%tls_ca_directory/Redis.crt
+tls-cert-file {{ general.tls_cert_directory }}/redis.crt
+tls-key-file {{ general.tls_key_directory }}/redis.key
+tls-ca-cert-file {{ general.tls_ca_directory }}/Redis.crt
 #<GNUNUX

 # By default, clients (including replica servers) on a TLS port are required
@ -396,7 +396,7 @@ syslog-enabled yes
 # Set the number of databases. The default database is DB 0, you can select
 # a different one on a per-connection basis using SELECT <dbid> where
 # dbid is a number between 0 and 'databases'-1
-databases 16
+databases {{ accounts.remotes | length }}

 # By default Redis shows an ASCII art logo only when started to log to the
 # standard output and if the standard output is a TTY and syslog logging is
@ -452,9 +452,9 @@ proc-title-template "{title} {listen-addr} {server-mode}"
 #
 # save 3600 1 300 100 60 10000
 #>GNUNUX
-%if %%redis_save
+{% if redis_save %}
 save 900 1 300 10 60 10000
-%end if
+{% endif %}
 #<GNUNUX

 # By default Redis will stop accepting writes if RDB snapshots are enabled
@ -1035,7 +1035,11 @@ replica-priority 100
 # For more information about ACL configuration please refer to
 # the Redis web site at https://redis.io/topics/acl
 #>GNUNUX
-user %%account.username on >%%account.password ~* &* +@all
+{% for remote in accounts.remotes %}
+{% set remote = remote|normalize_family %}
+{% set account = accounts['remote_' + remote] %}
+user {{ account['username_' + remote] }} on >{{ account['password_' + remote] }} ~* &* +@all
+{% endfor %}
 #<GNUNUX

 # ACL LOG
@ -1069,7 +1073,8 @@ acllog-max-len 128
 #
 # requirepass foobared
 #>GNUNUX
-requirepass %%account.password
+{% set remote = accounts.remotes[0]|normalize_family %}
+requirepass {{ accounts['remote_' + remote]['password_' + remote] }}
 #<GNUNUX

 # New users are initialized with restrictive permissions by default, via the
@ -1128,7 +1133,7 @@ requirepass %%account.password
 #
 # maxclients 10000
 #>GNUNUX
-maxclients %%redis_max_clients
+maxclients {{ general.redis.redis_max_clients }}
 #<GNUNUX

 ############################## MEMORY MANAGEMENT ################################
@ -1158,7 +1163,7 @@ maxclients %%redis_max_clients
 #
 # maxmemory <bytes>
 #>GNUNUX
-maxmemory %%{redis_max_memory}mb
+maxmemory {{ redis_max_memory }}mb
 #<GNUNUX

 # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
@ -1190,7 +1195,7 @@ maxmemory %%{redis_max_memory}mb
 #
 # maxmemory-policy noeviction
 #>GNUNUX
-maxmemory-policy %%redis_memory_policy
+maxmemory-policy {{ redis_memory_policy }}
 #<GNUNUX

 # LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
--- a/seed/redis/templates/redis.yml
+++ b/seed/redis/templates/redis.yml
@ -1,3 +1,7 @@
-address: %%ip_eth0
-username: %%account.username
-password: %%account.password
+address: {{ general.network.interface_0.ip_eth0 }}
+{% for remote in accounts.remotes %}
+{% set remote = remote|normalize_family %}
+{% set account = accounts['remote_' + remote] %}
+username: {{ account['username_' + remote] }}
+password: {{ account['password_' + remote] }}
+{% endfor %}