Operations grimoire/Operations repository/FAQ: Difference between revisions

rOPS (repository OPS) is the Nasqueron operations repository. It contains the configuration of our infrastructure servers and follows the principle of Infrastructure as Code to offer documentation, reproducibility, transparency and to allow external contributions.

The repository is available at https://devcentral.nasqueron.org/diffusion/OPS/

The repository contains:

• Server configuration
• Deployment information for our applications and services

Combined with NetBox, it constitutes an exhaustive inventory and source of truth for our infrastructure.

We mainly rely on Salt (SaltStack) for deployment and automation. The repository also includes utilities for humans and Terraform provisioning.

The minimum Salt version is 3006.

Both Nasqueron servers and side projects we manage are in scope. For example, the Eglide service is configured through roles/core (common to every server) and roles/shellserver (specific).

The repository is organized into seven main areas:

A. Services

Configuration organized in roles and units

B. Structured data

Pillar data for configuration

C. SaltStack modules

Python modules for complex logic

D. UNIX resources assignments

UIDs, GIDs, and port assignments

E. Tests

Unit and integration tests

F. Resources

Templates and resources for automated tasks

G. Utilities

Scripts for operations team members

Roles are full high-level services (e.g., mailserver, paas-docker). They represent the goal a server accomplishes.

Units are components needed to achieve the service's goals (e.g., a userland software collection, a nginx server).

Directory structure follows roles/<role>/<unit>.

States (also called formulas) are the configuration files in the roles/ directory. They are generally written in YAML with Jinja2 templating.

The top.sls file defines which states are loaded by server, while the services.sls describes service configurations that aren't server-specific.

Pillar is structured data stored in the pillar/ directory. This data is structured cleanly and queried from states, directly or through functions. Each pillar .sls file is written in YAML.

The top.sls file defines which pillar files are loaded by server, while the tower.sls file acts similarly and allows more flexibility.

The map.jinja file provides "Omni-OS" configuration. Since we deploy onto several Linux distributions (Debian, Rocky) and FreeBSD, we need to provide a way to map packages and directories across different operating systems.

If configuration files for a unit should be stored, a subfolder files/ is created at unit level within the role/unit structure.

While states offer powerful templating capabilities, they can become too complex when evolving from declarations to full programs. Salt modules express more complex logic in Python. The Python functions can be called directly from states.

Modules are stored in:

• _modules/ for execution modules
• _states/ for states modules

If anything escapes the role and unit logic organization, like CVE hotfixes, the hotfixes/ directory is used.

This repository is the source of truth for service accounts, groups and ports:

• UIDs document unique usernames and the UIDs for system accounts
• GIDs document the same information for groups
• PORTS contain the list of reserved application ports

When a service needs any of those resources, they are assigned in those files.

Unit and integration tests are stored in _tests/

You can test the correctness of several repository aspects:

• Salt configuration files in _tests/config/
• Salt execution modules in _tests/modules/
• Salt pillar in _tests/pillar/
• Scripts deployed within this repository in _tests/scripts/

If you add a new directory, you should add a corresponding entry in Makefile.

Resources (_resources/) are used by automated tasks to generate repository files, such as templates for new services.

Utilities (utils/) are scripts and other utilities to be run by Nasqueron Operations SIG members.

Contributions are welcome, especially if you wish to:

1. Improve our infrastructure
2. Install or configure something on a Nasqueron server
3. Install or configure something on a project we manage (like Eglide)
4. Automate deployment of one of your Nasqueron projects

Follow the contributor guide to send a commit for review. This procedure is open to everyone.

Issues can be reported on the #Servers component on DevCentral, the Nasqueron Phabricator instance.

Documentation about the repository and tips for IDEs are available on Agora: https://agora.nasqueron.org/Operations_grimoire/Operations_repository

Support for contributors is provided on our IRC channel: #nasqueron-ops on Libera.

The repository uses inclusive terminology:

Salt primary server

A server that issues commands to other servers or itself

Node

A server, baremetal or VM configured by Salt

Nasqueron follows the inclusive language conventions to ensure that our community is welcoming to everyone.

Nasqueron follows inclusive language conventions. Instead of "master," we use "Salt primary server" to describe the server that issues commands.

A lot of configuration as code is trivial, and so ineligible for copyright per threshold of originality.

When this is not the case, the code is licensed under BSD-2-Clause if not otherwise specified.

1. Read this FAQ and the main README
2. Check the Operations grimoire for detailed documentation
3. Join our IRC channel #nasqueron-ops on Libera for support
4. Browse the roles/ directory to see how services are structured
5. Look at existing commits on DevCentral to understand the contribution workflow

Helpful knowledge includes:

• YAML syntax
• SaltStack basics
• Jinja2 templating
• Python (for writing modules)
• UNIX / Linux system administration

However, you can start contributing with basic YAML knowledge and learn as you go!