Roll out groups for each certificate

README.md

@@ -143,7 +143,14 @@ The environment creation runs in the context of the project user.
 * `settings` **no default**
   Specify django settings in yaml - they are written into a file in the project.
   This fits our django settings approach.
-  `STATIC_URL` and `STATIC_PATH` will be set automagically for you.
+
+#### `deploy.projects.[...].user_groups`
+
+Each project receives a user that should be used to run the project (if it is runnable somehow...).
+By default this user is member of the groups: `deployer`, `[project_name]` and `virtualenv`.
+With `user_groups` you can define additional groups the user should belojng to.
+This is especially interesting for access to cert data.
+If your run user needs to read a cert, you might add him into the corresponding group.
 
 ### `deploy.certs`
 
@@ -153,9 +160,11 @@ Each cert may have the following fields:
   The X.509 certificate.
 * `key` **required**
   The key for the certificate.
-* `chain` **recommended**
-  The certificate chain.
-* `dhparam` **recommended**
+* `chain`
+  The certificate chain - usually without the root certificate.
+* `cacert`
+  The root certificate - this is usually not necessary, except you roll out your own PKI.
+* `dhparam`
   The diffie hellman parameter.
 
 The states will create a bunch of files in the `deploy.config.cert_directory`.
@@ -163,8 +172,13 @@ The states will create a bunch of files in the `deploy.config.cert_directory`.
 * `certname.pem`
 * `certname.key`
 * `certname.chain.pem`
+* `certname.cacert.pem`
 * `certname.dhparam.pem`
 * `certname.fullchain.pem`
   `pem` + `chain`
 * `certname.fullchain.dhparam.pem`
   `pem` + `chain` + `dhparam`
+
+There is group created for each certificate based on the name and prefixed with `cert-`.
+If your cert is called `helloworld` this leads to a group called `cert-helloworld`.
+Put users that should read them into those groups.

deploy/bundle/django-uwsgi-nginx.sls

 include:
   - deploy.bundle.django
-  - deploy.certs
   - uwsgi.install
   - uwsgi.plugins
   - uwsgi.application_config

deploy/bundle/python.sls

 include:
+  - deploy.certs
   - deploy.gitlab
   - deploy.venv
\ No newline at end of file

deploy/certs.sls

 {% from "deploy/map.jinja" import deploy with context %}
 
-deploy_cert_create_custom_group:
-  group.present:
+deploy_cert_ensure_removal_of_group:
+  group.absent:
     - name: hsh-certs
-    - gid: 4443
 
 deploy_cert_create_dir:
   file.directory:
     - name: {{ deploy.config.cert_directory }}
     - user: root
-    - group: hsh-certs
-    - mode: 750
-    - require:
-      - group: deploy_cert_create_custom_group
+    - group: root
+    - mode: 755
 
 {% for name, cert in deploy.certs.iteritems() %}
 
+{% set cert_group_name = 'cert-' + name %}
+
+deploy_cert_{{ name }}_group:
+  group.present:
+    - name: {{ cert_group_name }}
+    - system: True
+
 deploy_cert_{{ name }}_pem:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.pem
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - show_diff: False
     - contents: {{ cert.pem.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
-
+      - group: deploy_cert_{{ name }}_group
 
 deploy_cert_{{ name }}_key:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.key
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - template: jinja
     - show_diff: False
     - contents: {{ cert.key.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
 
 {% if cert.chain is defined %}
 deploy_cert_{{ name }}_chain:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.chain.pem
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - template: jinja
     - show_diff: False
     - contents: {{ cert.chain.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
 
 deploy_cert_{{ name }}_fullchain:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.fullchain.pem
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - template: jinja
     - show_diff: False
     - contents: {{ cert.pem.split("\n") + cert.chain.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
 {% endif %}
 
 {% if cert.dhparam is defined %}
@@ -71,13 +78,29 @@ deploy_cert_{{ name }}_dhparam:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.dhparam.pem
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - template: jinja
     - show_diff: False
     - contents: {{ cert.dhparam.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
+{% endif %}
+
+{% if cert.cacert is defined %}
+deploy_cert_{{ name }}_cacert:
+  file.managed:
+    - name: {{ deploy.config.cert_directory }}/{{ name }}.cacert.pem
+    - user: root
+    - group: {{ cert_group_name }}
+    - mode: 640
+    - template: jinja
+    - show_diff: False
+    - contents: {{ cert.cacert.split("\n") }}
+    - requires:
+      - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
 {% endif %}
 
 {% if cert.dhparam is defined and cert.chain is defined %}
@@ -85,13 +108,14 @@ deploy_cert_{{ name }}_fullchain_dhparam:
   file.managed:
     - name: {{ deploy.config.cert_directory }}/{{ name }}.fullchain.dhparam.pem
     - user: root
-    - group: hsh-certs
+    - group: {{ cert_group_name }}
     - mode: 640
     - template: jinja
     - show_diff: False
     - contents: {{ cert.pem.split("\n") + cert.chain.split("\n") + cert.dhparam.split("\n") }}
     - requires:
       - file: deploy_cert_create_dir
+      - group: deploy_cert_{{ name }}_group
 {% endif %}
 
 {% endfor %}

deploy/defaults.yaml

@@ -4,6 +4,6 @@ deploy:
     venv_directory: /srv/venv
     cert_directory: /etc/hsh-certs
     static_directory: /srv/static
-    static_url: https://static.it.hs-hannover.de
+    sqlite_directory: /srv/sqlite
   projects: {}
   certs: {}

deploy/django.sls

@@ -2,7 +2,7 @@
 
 deploy_static_directory:
   file.directory:
-    - name: /srv/static
+    - name: {{ deploy.config.static_directory }}
     - user: deployer
     - group: www-data
     - mode: 2770
@@ -11,7 +11,7 @@ deploy_static_directory:
 
 deploy_sqlite_directory:
   file.directory:
-    - name: /srv/sqlite
+    - name: {{ deploy.config.sqlite_directory }}
     - user: deployer
     - group: deployer
     - mode: 2770
@@ -58,4 +58,4 @@ deploy_django_{{ project_name }}_collectstatic:
 
 fix_sqlite3_permissions:
   cmd.run:
-    - name: chmod -R g+w /srv/sqlite
+    - name: chmod -R g+w {{ deploy.config.sqlite_directory }}

deploy/user.sls

@@ -36,12 +36,17 @@ deploy_key:
 
 {% for project_name, project_config in deploy.projects.iteritems() %}
 
+{% set config_user_groups = project_config.get('user_groups', []) %}
+{% set default_user_groups = [project_name, 'deployer'] %}
+{% set user_groups = config_user_groups + default_user_groups %}
+
 {{ project_name }}:
   group.present:
-    - system: False
+    - system: True
   user.present:
-    - groups:
-      - {{ project_name }}
-      - deployer
+    - createhome: False
+    - system: True
+    - shell: /bin/false
+    - groups: {{ user_groups }}
 
 {% endfor %}
\ No newline at end of file

pillar.example

@@ -10,10 +10,9 @@ deploy:
       -----END OPENSSH PRIVATE KEY-----
     deploy_directory: /srv/repo
     venv_directory: /srv/venv
-    static_directory: /srv/static
-    static_url: https://static.it.hs-hannover.de
   projects:
     project_name:
+      user_groups: ['custom_group']
       gitlab:
         url: foo
         rev: bar